Bug 612269 - Sending digitally signed email with S/MIME is broken.
Sending digitally signed email with S/MIME is broken.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: nss (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Elio Maldonado Batiz
Fedora Extras Quality Assurance
: Reopened
Depends On: 603313 630101 643132
Blocks: 643559
  Show dependency treegraph
 
Reported: 2010-07-07 13:55 EDT by Jason Smith
Modified: 2011-06-01 14:19 EDT (History)
7 users (show)

See Also:
Fixed In Version: nss-3.12.9-8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 643559 (view as bug list)
Environment:
Last Closed: 2011-06-01 14:19:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 585301 None None None Never

  None (edit)
Description Jason Smith 2010-07-07 13:55:39 EDT
Description of problem:
After applying the latest evolution update in Fedora, I am no longer able to send digitally signed emails.

Version-Release number of selected component (if applicable):
evolution-2.30.2-1.fc13.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Import personal certificate and select my cert in the Security section of the Account Editor under the Secure MIME (S/MIME) area.
2. Compose an email.
3. Make sure this is enabled: Options->S/MIME Sign
3. Hit the Send button.
  
Actual results:
A popup dialog appears with the following error message:
Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to select different mail options.

Expected results:
Email should be sent with my signature.

Additional info:
I have had the digital signature option enabled in evolution for the last 1-2 years and it has always worked without problem, until I updated to the latest version in F13, 2.30.2.
Comment 1 Milan Crha 2010-07-08 09:12:36 EDT
Thanks for a bug report. I can reproduce this too, there seems to be two issues:
a) certificate name changed, thus one needs to change his/her certificate chosen in account preferences, otherwise there is shown an error about "not able to find the certificate".

b) even when I select the right certificate, then it fails to sign with it, with an error "Failed to encode data".

Finally, I cannot import a certificate to MY store with a new version, as I guess I do not know the password for it. I saw there also my evolution certificates for the first run, its name had Evolution prefix, but I do not see them now, only if I downgrade to the previous version, to 2.30.1.

I reopened the upstream bug [1], where I guess comes the issue from. Let's move with any further discussion there.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=585301
Comment 2 David Woodhouse 2010-07-08 12:29:57 EDT
This could well be an NSS bug -- NSS in Fedora enables the 'shared system database' by default, but it doesn't really work without some NSS patches that I don't think have made it into updates yet.

As root, please run 'setup-nsssysinit.sh off'.
Comment 3 David Woodhouse 2010-07-08 12:42:29 EDT
FWIW, I've tested this myself with the shared database disabled, and also with it enabled and with the patch from https://bugzilla.redhat.com/show_bug.cgi?id=603313#c10 applied. Both worked fine.
Comment 4 Jason Smith 2010-08-11 17:14:47 EDT
Any chance this might get updated soon?  One month later and not even an rpm in testing to try out.
Comment 5 David Woodhouse 2010-08-11 17:35:06 EDT
As indicated by comments #2 and #3, please test this again and confirm whether you still have issues either with:
 - The fixed NSS packages (see bug 603313), or
 - The shared system database turned off
Comment 6 Jason Smith 2010-08-12 10:35:56 EDT
I didn't know you were waiting for me to respond since you replied to your own comment and seemed to be confirming the problem and a working solution.

I tried the first solution "setup-nsssysinit.sh off" but I get the exact same error message.

As for the suggested patch from bug #603313, has the nss-3.12.6-11.fc13 rpm made it into the testing repo yet and does it contain the necessary patch?  I can't find it.  It would be much easier for me to try installing that test rpm, rather that trying to patch and rebuild myself.
Comment 7 Elio Maldonado Batiz 2010-08-12 10:53:10 EDT
I pushed a new update with an additional fix Yesterday wich obsoleted the previous one, see https://admin.fedoraproject.org/updates/nss-3.12.6-11.fc13
Give it a day or two for the notification to show up on bug #603313 (hopefully here as well as I marked that one a blocker of this one)
Comment 8 David Woodhouse 2010-08-12 11:04:14 EDT
(In reply to comment #6)
> I tried the first solution "setup-nsssysinit.sh off" but I get the exact same
> error message.

Ok, that's interesting. That was working for me, as I said. Is there something different about your key store? Does it have a master password?

Can you show the output of 'certutil -d $HOME/.evolution -L' and
'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of /etc/pki/nssdb/pkcs11.txt
Comment 9 Jason Smith 2010-08-12 11:27:21 EDT
(In reply to comment #8)
> Ok, that's interesting. That was working for me, as I said. Is there something
> different about your key store? Does it have a master password?

Yes, the first time I try to send a signed email, I get prompted with "Enter the password for `NSS User Private Key and Certificate Services'".

> Can you show the output of 'certutil -d $HOME/.evolution -L' and
> 'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of
> /etc/pki/nssdb/pkcs11.txt    

Do you need the full contents, it looks like it contains the email address of a lot of people that have sent me signed email.  A few key lines, related only to me are (I assume I am listed 3 times because my x509 cert expires every year and I have imported it 3 times over the past few years):

$ certutil -d $HOME/.evolution -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u
DOEGrids CA 1 - ESnet                                        CT,C,C


$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOEGrids CA 1 - ESnet                                        CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u


$ cat /etc/pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
Comment 10 Jason Smith 2010-08-16 10:11:24 EDT
I tried the nss packages (nss-3.12.6-11.fc13.x86_64) in the testing repo (yum --enablerepo=updates-testing update nss), turned it back on since it didn't help for me (setup-nsssysinit.sh on), restarted evolution and tried to send a signed email.  First, it looked like the password prompt changed: "Enter the password for `NSS Application Slot 00000004'", and then I got the exact same error message:

Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to
select different mail options.

PS. I also just noticed that there is a spelling mistake in the error message: Uknown.
Comment 11 Fedora Admin XMLRPC Client 2010-09-07 16:54:02 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 12 Elio Maldonado Batiz 2011-03-13 17:01:31 EDT
Using: evolution-2.32.2-1.fc14.x86_64, nss-3.12.9-8.fc14
I sent s/mime signed messages to myself from my home accounts to my work account and back. I also sent those messages to people on the cc list to this bug. Hope we can find out soon here from those received the messages and could reply in kind.
Comment 13 Milan Crha 2011-03-14 02:58:16 EDT
I'm not sure why I was on the CC of that email, and why it was sent, but anyway, the message is signed and evolution shows the signature as a correct one.
Comment 14 Bug Zapper 2011-06-01 10:30:46 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 15 Elio Maldonado Batiz 2011-06-01 14:19:43 EDT
. (In reply to comment #13)
> I'm not sure why I was on the CC of that email, and why it was sent, but
> anyway, the message is signed and evolution shows the signature as a correct
> one.

Thanks, I will close this bug then.

Note You need to log in before you can comment on or make changes to this bug.