Bug 643559

Summary: Sending digitally signed email with S/MIME is broken.
Product: Red Hat Enterprise Linux 6
Reporter: Elio Maldonado Batiz <emaldona>
Component: nss
Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED WORKSFORME
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: low
Version: 6.1
CC: dwmw2, emaldona, kdudka, kengert, lucilanga, mbarnes, mcrha, smithj4
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 612269
Last Closed: 2010-11-15 14:21:02 UTC
Bug Depends On: 603313, 612269, 630101, 643132

Description Elio Maldonado Batiz 2010-10-15 23:19:55 UTC
+++ This bug was initially created as a clone of Bug #612269 +++

Description of problem:
After applying the latest evolution update in Fedora, I am no longer able to send digitally signed emails.

Version-Release number of selected component (if applicable):
evolution-2.30.2-1.fc13.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Import personal certificate and select my cert in the Security section of the Account Editor under the Secure MIME (S/MIME) area.
2. Compose an email.
3. Make sure this is enabled: Options->S/MIME Sign
4. Hit the Send button.
  
Actual results:
A popup dialog appears with the following error message:
Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to select different mail options.

Expected results:
Email should be sent with my signature.

Additional info:
I have had the digital signature option enabled in evolution for the last 1-2 years and it has always worked without problem, until I updated to the latest version in F13, 2.30.2.

--- Additional comment from mcrha on 2010-07-08 09:12:36 EDT ---

Thanks for the bug report. I can reproduce this too; there seem to be two issues:
a) the certificate name changed, thus one needs to change the certificate chosen in account preferences; otherwise an error about "not able to find the certificate" is shown.

b) even when I select the right certificate, then it fails to sign with it, with an error "Failed to encode data".

Finally, I cannot import a certificate into MY store with the new version, as I guess I do not know the password for it. On the first run I also saw my Evolution certificates there; their names had an Evolution prefix, but I do not see them now, only if I downgrade to the previous version, 2.30.1.

I reopened the upstream bug [1], which I guess is where the issue comes from. Let's move any further discussion there.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=585301

--- Additional comment from dwmw2 on 2010-07-08 12:29:57 EDT ---

This could well be an NSS bug -- NSS in Fedora enables the 'shared system database' by default, but it doesn't really work without some NSS patches that I don't think have made it into updates yet.

As root, please run 'setup-nsssysinit.sh off'.

--- Additional comment from dwmw2 on 2010-07-08 12:42:29 EDT ---

FWIW, I've tested this myself with the shared database disabled, and also with it enabled and with the patch from https://bugzilla.redhat.com/show_bug.cgi?id=603313#c10 applied. Both worked fine.

--- Additional comment from smithj4 on 2010-08-11 17:14:47 EDT ---

Any chance this might get updated soon?  One month later and not even an rpm in testing to try out.

--- Additional comment from dwmw2 on 2010-08-11 17:35:06 EDT ---

As indicated by comments #2 and #3, please test this again and confirm whether you still have issues either with:
 - The fixed NSS packages (see bug 603313), or
 - The shared system database turned off

--- Additional comment from smithj4 on 2010-08-12 10:35:56 EDT ---

I didn't know you were waiting for me to respond since you replied to your own comment and seemed to be confirming the problem and a working solution.

I tried the first solution "setup-nsssysinit.sh off" but I get the exact same error message.

As for the suggested patch from bug #603313, has the nss-3.12.6-11.fc13 rpm made it into the testing repo yet, and does it contain the necessary patch?  I can't find it.  It would be much easier for me to try installing that test rpm, rather than trying to patch and rebuild myself.

--- Additional comment from emaldona on 2010-08-12 10:53:10 EDT ---

I pushed a new update with an additional fix yesterday which obsoleted the previous one; see https://admin.fedoraproject.org/updates/nss-3.12.6-11.fc13
Give it a day or two for the notification to show up on bug #603313 (hopefully here as well, as I marked that one a blocker of this one).

--- Additional comment from dwmw2 on 2010-08-12 11:04:14 EDT ---

(In reply to comment #6)
> I tried the first solution "setup-nsssysinit.sh off" but I get the exact same
> error message.

Ok, that's interesting. That was working for me, as I said. Is there something different about your key store? Does it have a master password?

Can you show the output of 'certutil -d $HOME/.evolution -L' and
'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of /etc/pki/nssdb/pkcs11.txt

--- Additional comment from smithj4 on 2010-08-12 11:27:21 EDT ---

(In reply to comment #8)
> Ok, that's interesting. That was working for me, as I said. Is there something
> different about your key store? Does it have a master password?

Yes, the first time I try to send a signed email, I get prompted with "Enter the password for `NSS User Private Key and Certificate Services'".

> Can you show the output of 'certutil -d $HOME/.evolution -L' and
> 'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of
> /etc/pki/nssdb/pkcs11.txt    

Do you need the full contents? It looks like it contains the email addresses of a lot of people that have sent me signed email.  A few key lines, related only to me, are (I assume I am listed 3 times because my x509 cert expires every year and I have imported it 3 times over the past few years):

$ certutil -d $HOME/.evolution -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u
DOEGrids CA 1 - ESnet                                        CT,C,C


$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOEGrids CA 1 - ESnet                                        CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u


$ cat /etc/pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
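
The listings above are the kind of evidence that decides this bug: the signing identity must carry a private key (the `u` trust flag) in whichever database Evolution actually opens, and the shared database's `pkcs11.txt` decides how that token prompts for its password. The following parser is an added example, not code from the bug, from Evolution or from NSS: it reads `certutil -L` output and a `pkcs11.txt` module spec and reports where a nickname can sign from. The sample input is constructed from the listings quoted in this comment, and the function and constant names are the example's own.

```python
"""Locate an S/MIME signing identity across NSS certificate databases.

Parses `certutil -L` listings and an NSS pkcs11.txt module spec (the format
shown in the bug) and reports where a nickname is usable for signing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, copied from the certutil -L listings and the
# /etc/pki/nssdb/pkcs11.txt quoted in the bug comment (slotFlags trimmed).
USER_NICK = "Jason A. Smith 236749's  ID"   # note the double space in the nickname

EVOLUTION_DB = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u
DOEGrids CA 1 - ESnet                                        CT,C,C
"""

SYSDB = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOEGrids CA 1 - ESnet                                        CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
"""

PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,SHA1] askpw=any timeout=30})
"""

# A certutil entry is "<nickname>  <ssl>,<smime>,<jar>"; the nickname may itself
# contain runs of spaces, so match lazily and anchor on the three-field trust string.
ENTRY_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


@dataclass
class CertEntry:
    nickname: str
    ssl: str
    smime: str
    jar: str

    @property
    def has_private_key(self) -> bool:
        # certutil prints 'u' when this database also holds the matching private key.
        return "u" in self.smime


def parse_certutil_listing(text: str) -> list[CertEntry]:
    """Turn `certutil -L` output into CertEntry objects, skipping the header."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip() or "Trust Attributes" in line or "SSL,S/MIME" in line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsable certutil line: {line!r}")
        ssl, smime, jar = m.group("trust").split(",")
        entries.append(CertEntry(m.group("nick").strip(), ssl, smime, jar))
    return entries


def parse_pkcs11_txt(text: str) -> dict:
    """Extract the module's configdir and the slot's password-prompt settings."""
    module = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            module[key.strip()] = value.strip()
    # Quoted key='value' pairs inside the parameters= line (unquoted flags= is skipped).
    params = dict(re.findall(r"(\w+)='([^']*)'", module.get("parameters", "")))
    nss = module.get("NSS", "")
    askpw = re.search(r"askpw=(\w+)", nss)
    timeout = re.search(r"timeout=(\d+)", nss)
    return {
        "name": module.get("name"),
        "configdir": params.get("configdir"),
        "askpw": askpw.group(1) if askpw else None,
        "timeout": int(timeout.group(1)) if timeout else None,
    }


def signing_identities(entries: list[CertEntry]) -> list[str]:
    """Nicknames that can sign mail: only entries with a private key qualify."""
    return sorted({e.nickname for e in entries if e.has_private_key})


def check_signing_store(evolution_listing: str, sysdb_listing: str,
                        pkcs11_txt: str, nickname: str) -> dict:
    """Report in which database `nickname` is usable for signing and how the
    shared token is configured, so a missing-key case can be told apart from
    a password-prompt or database-format problem."""
    evo = signing_identities(parse_certutil_listing(evolution_listing))
    sysdb = signing_identities(parse_certutil_listing(sysdb_listing))
    module = parse_pkcs11_txt(pkcs11_txt)
    return {
        "in_evolution_db": nickname in evo,
        "in_shared_sysdb": nickname in sysdb,
        "shared_sysdb_is_sql": (module["configdir"] or "").startswith("sql:"),
        "askpw": module["askpw"],
        "timeout": module["timeout"],
    }


if __name__ == "__main__":
    print(check_signing_store(EVOLUTION_DB, SYSDB, PKCS11_TXT, USER_NICK))
```

With the bug's own listings the identity is present with a private key in both the Evolution database and the shared `sql:` system database, which is why the reporter's failure points at the NSS shared-database code rather than at a missing certificate; running the same check against a store where `in_shared_sysdb` is false would instead explain a "could not find the certificate" error.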

--- Additional comment from smithj4 on 2010-08-16 10:11:24 EDT ---

I tried the nss packages (nss-3.12.6-11.fc13.x86_64) in the testing repo (yum --enablerepo=updates-testing update nss), turned it back on since it didn't help for me (setup-nsssysinit.sh on), restarted evolution and tried to send a signed email.  First, it looked like the password prompt changed: "Enter the password for `NSS Application Slot 00000004'", and then I got the exact same error message:

Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to
select different mail options.

PS. I also just noticed that there is a spelling mistake in the error message: Uknown.

--- Additional comment from fedora-admin-xmlrpc on 2010-09-07 16:54:02 EDT ---

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Milan Crha 2010-10-18 06:46:01 UTC
It would be surprising to see this same bug in RHEL6, at least in Evolution, because 2.28.3 does not use the system DB from NSS; it uses its own certificate database (also accessed through the NSS library). (As a side note, it was a horrible mistake to allow this change in 2.30, but it's too late for claiming anyway.)

Comment 3 David Woodhouse 2010-10-18 10:21:44 UTC
(In reply to comment #2)
> (As a side note, it was a horrible mistake to allow this change in 2.30, but 
> it's too late for claiming anyway.)

Yeah. The Evolution side was simple and safe, and fixed other bugs... but I didn't realise how horridly broken NSS itself was.

Comment 4 Milan Crha 2010-11-15 14:21:02 UTC
Works for me. Tested with:

nss-3.12.6-3.el6.x86_64
evolution-2.28.3-8.el6.x86_64
evolution-data-server-2.28.3-9.el6.x86_64

I created a certificate at http://www.cacert.org, imported it into Evolution as a personal certificate, set it on my IMAP account for signing and encrypting, then composed a new message to the address the certificate was created for; when I receive that message, or view it in the Sent folder, I see it as encrypted, and Evolution shows it decrypted, just as expected.