Bug 624851 - Evolution mail client: Unable to load encryption cert from the smart card to send/receive encrypted messages.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: evolution
Version: 6.0
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Matthew Barnes
QA Contact: Desktop QE
Duplicates: 674653
Depends On: 674653
Reported: 2010-08-17 22:28 UTC by Asha Akkiangady
Modified: 2013-11-21 04:58 UTC (History)

Fixed In Version: evolution-2.32.3-9.el6
Doc Type: Bug Fix
Clones: 647519 674653
Last Closed: 2013-11-21 04:58:02 UTC


Attachments
proposed evo patch (734 bytes, patch)
2010-11-04 09:15 UTC, Milan Crha

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1540 0 normal SHIPPED_LIVE Low: evolution security, bug fix, and enhancement update 2013-11-21 00:40:51 UTC

Description Asha Akkiangady 2010-08-17 22:28:20 UTC
Description of problem:
Unable to load encryption cert from the smart card to send/receive encrypted messages in the 'Security' settings Secure MIME (S/MIME).

Version-Release number of selected component (if applicable):
evolution-2.28.3-10.el6

How reproducible:
Always

Steps to Reproduce:
1. A smart card is enrolled for a desktop user. Make sure smart card is loaded with an encryption and a signing cert.

2. Setup an account in evolution for this user.

3. Configure the security device by loading the libcoolkeypk11.so library. Since there is no GUI support for this in Evolution, use 'modutil' from the NSS security tools package.
example: $ modutil -add "libcoolkey" -libfile /usr/lib/libcoolkeypk11.so -dbdir ~/.evolution 

4. Import CA certificate to evolution.

5. Edit 'evolution preference' for this account with the signing and encryption certificate on the smart card.
-Edit->Preference->Select the account and click Edit -> Security.
-In Secure MIME (S/MIME)->Signing certificate:-> Click Select, loads the signing certificate on the token.
-In Secure MIME (S/MIME)->Encryption certificate:-> Click Select.
  
Actual results:
Unable to load Encryption certificate.

Expected results:
Should be able to select and load the encryption cert in order to send/receive encrypted e-mail.

Additional info:

Comment 2 RHEL Program Management 2010-08-17 22:58:05 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 3 RHEL Program Management 2010-08-18 21:21:35 UTC
Thank you for your bug report. This issue was evaluated for inclusion
in the current release of Red Hat Enterprise Linux. Unfortunately, we
are unable to address this request in the current release. Because we
are in the final stage of Red Hat Enterprise Linux 6 development, only
significant, release-blocking issues involving serious regressions and
data corruption can be considered.

If you believe this issue meets the release blocking criteria as
defined and communicated to you by your Red Hat Support representative,
please ask your representative to file this issue as a blocker for the
current release. Otherwise, ask that it be evaluated for inclusion in
the next minor release of Red Hat Enterprise Linux.

Comment 4 Milan Crha 2010-10-29 09:51:42 UTC
Thanks for the bug report. If I got it right, the signing certificate loading works correctly, thus the smart card support works as expected; only the encryption certificate is not shown in the UI, i.e. the "Select" dialog doesn't show any available certificate?

From the code I see it should show you the same list of certificates for both the signing and the encrypting part, and the certificate should have certUsageEmailSigner set, otherwise it's skipped.

The thing is, when you are signing, your private key is used to create a signature, but when encrypting, the public key of the recipient is used. The encryption certificate in account preferences "only" means selecting your public key to be used when you have chosen "Also encrypt to self when sending encrypted messages"; in all other cases the recipient's public key should be used, even when you are sending messages to yourself.

With this it seems to me like NotABug, but maybe I misunderstood something.

Comment 5 Asha Akkiangady 2010-11-03 17:11:50 UTC
Milan, on a "Select", the dialog only shows the signing certificate that's on the token. What I expected is what Thunderbird supports: "Select" for the signing certificate allows the user to select the signing certificate, and "Select" for the encryption certificate allows the user to select the encryption certificate from the smart card.

Comment 6 Milan Crha 2010-11-04 09:15:03 UTC
Created attachment 457737
proposed evo patch

for evolution;

Would this do it? It's still in the upstream code (and this patch is against actual git master of evolution), but the change is pretty simple.

Comment 7 Milan Crha 2011-01-31 12:33:15 UTC
Asha, if I build a test package, are you able to give it a try, please?

Comment 8 Asha Akkiangady 2011-01-31 14:48:03 UTC
Milan, I don't have a RHEL 6.1 set-up yet. How soon should this be tested?

Comment 9 Milan Crha 2011-01-31 15:56:21 UTC
Deadline for errata is this Friday, as far as I know.

Comment 10 Asha Akkiangady 2011-01-31 20:12:37 UTC
There is no ISO for RHEL 6.1 yet; I am waiting for that.

Comment 11 Milan Crha 2011-01-31 20:47:25 UTC
OK, when you get to it, I built test packages for you [1], though I would recommend not waiting for an ISO, nor for the 6.1; you can install this rpm on 6.0 too, and check whether you'll be able to select correct certificates for both signing and encrypting.

[1] https://brewweb.devel.redhat.com/taskinfo?taskID=3077347

Comment 12 Asha Akkiangady 2011-02-02 17:09:33 UTC
Tested on a RHEL 6.0 desktop with the evolution test build, in the account security setting (S/MIME) I am able to select encryption and signing cert from the smartcard.

Tried to send an encrypted e-mail to self by selecting "S/MIME Encrypt" in the new mail message window, evolution error is thrown "Could not create message. Because 'Can not find certificate for "aakkiang", you may need to select different mail options.'".

Comment 13 Milan Crha 2011-02-02 19:26:31 UTC
(In reply to comment #12)
> Tried to send an encrypted e-mail to self by selecting "S/MIME Encrypt" in the
> new mail message window, evolution error is thrown "Could not create message.
> Because 'Can not find certificate for "aakkiang", you may need to
> select different mail options.'".

Hrm, then a clone of this bug for evolution-data-server will be required, because this error comes from there.

Comment 14 Milan Crha 2011-02-02 20:10:30 UTC
Actually, I can be wrong. The above was just a quick thought. On sending, a certificate with the given email address, which is the recipient, is searched for. It's enough to have a public key for such a user/email. I suppose your certificate is set for this email, right?

Comment 15 Asha Akkiangady 2011-02-02 20:41:19 UTC
Milan,

I created a clone of this bug, bz 674653. Yes, my certificate is set for the e-mail; in Thunderbird, using the same smart card and the certificates, I am able to send/read encrypted e-mail.

Comment 16 Asha Akkiangady 2011-03-14 16:39:06 UTC
Installed a RHEL 6.1 desktop and tested with "evolution-2.28.3-19.el6.x86_64" from https://brewweb.devel.redhat.com/taskinfo?taskID=3077347, unable to select encryption certificate from the smart card.

Comment 17 Milan Crha 2011-03-15 08:12:20 UTC
I suppose it's 19.1, right? As that build is cleaned and doesn't provide packages any more.

Comment 18 RHEL Program Management 2011-04-04 01:52:23 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 19 Milan Crha 2013-05-09 17:31:05 UTC
Devel-acking, patch(es, see bug #674653 for eds part) available.

Comment 26 Roshni 2013-05-24 16:20:03 UTC
Test the bug with builds in comment 25 with a smart card token with both encryption and signing certs. Evolution gives the option of selecting only the signing cert and not the encryption cert. The bug does not seem to be fixed.

Comment 27 Milan Crha 2013-05-29 10:34:09 UTC
(In reply to Roshni from comment #26)
> Test the bug with builds in comment 25 with a smart card token with both
> encryption and signing certs. Evolution gives the option of selecting only
> the signing cert and not the encryption cert. The bug does not seem to be
> fixed.

I will have some cards for testing locally, which should help with providing a proper patch, but I'd like to ask you for help to set up/enable the smart card in evolution, please? I suppose certain steps are needed to have it done right, and I only found [1], where the responder claims that he had no luck with evolution 2.32 (which is the version to be included in the next rhel 6). I guess it was more about the nss version than about evolution at the time of the reply on the list.

[1] https://mail.gnome.org/archives/evolution-list/2010-November/msg00151.html

Comment 31 Roshni 2013-06-13 19:24:43 UTC
I tried installing the builds mentioned in comment 28 but am seeing dependency issues on RHEL 6.4

Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libedataserver-1.2.so.14()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libcamel-provider-1.2.so.19()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libebook-1.2.so.10()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libedataserverui-1.2.so.11()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libgtkhtml-editor-3.14.so.0()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libcamel-1.2.so.19()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: evolution-data-server >= 2.32.3

Comment 32 Milan Crha 2013-06-13 20:51:11 UTC
Oh, true, Matthew is currently updating the repo, to get brew builds instead of Fedora 14 packages, and it's not complete yet. If you have time, just search for the latest .el6 packages in brew [1], and grab them for your architecture there. You might need (if I skip those in Matthew's repo as of now):
   gtkhtml3
   evolution-data-server
   gnome-panel
   control-center
   pidgin
   ekiga
and possibly some more, in case you have them already installed. Or just wait until Matthew has the repo updated with the latest brew builds. I can rebuild a test package for you then, to get a higher version of evolution than will be available in Matthew's repository (evolution-2.32.3-5 is still affected).

[1] https://brewweb.devel.redhat.com/

Comment 36 Milan Crha 2013-06-24 12:10:28 UTC
Roshni, I'll include a patch in a more recent evolution package. I'll build it by today, then we can reiterate if it does not work for you.

Comment 38 David Jaša 2013-08-01 11:28:53 UTC
The fix works. There are several caveats though and some stuff has changed since evo 2.28 days:
1) evolution now uses standard combo of system sql:/etc/pki/nssdb and user sql:$HOME/.pki/nssdb databases
2) evolution runs as regular user but nss tools (modutil, nss-gui) remove read access from /etc/pki/nssdb/pkcs11.txt (bug 990631). The net result is that evolution is unaware of the module unless the permissions are back to 0644 or the module is added to user's database as well
3) evolution only reads certificates upon its start so you have to restart evo after you plug the card in

So the steps for coolkey-based cards are:
1) (as root) add coolkey module to your nssdb:
# modutil -dbdir sql:/etc/pki/nssdb -add "CoolKey PKCS#11 Module" -libfile /usr/lib64/pkcs11/libcoolkeypk11.so
2) (as root) fix the file permissions again:
# chmod 0644 /etc/pki/nssdb/pkcs11.txt
3) plug in the reader & card if you haven't done so yet
4) restart evolution
5) go to Preferences - Certificates and you should see the certificates that reside on the smartcard
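
The permission caveat in comment 38 can be checked mechanically. The following is an added example, not part of the bug report or of any Red Hat tooling: a shell check that reports whether a PKCS#11 module listed in the system NSS database can actually be seen by a non-root process. The function names, status words and the sample pkcs11.txt contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): explain why a PKCS#11 module added
# with modutil may be invisible to a program running as a regular user.

# True if FILE ($1) has a "library=" entry for the module file LIB ($2).
lists_module() {
    [ -f "$1" ] && grep -q "^library=.*/$2\$" "$1"
}

# True if "others" may read FILE ($1). find -perm is used instead of [ -r ]
# so the answer is the same when the check itself runs as root.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# diagnose SYSTEM_DB_DIR USER_DB_DIR LIB -> one status word on stdout
diagnose() {
    sys=$1/pkcs11.txt usr=$2/pkcs11.txt
    if lists_module "$usr" "$3"; then echo ok-user
    elif ! lists_module "$sys" "$3"; then echo not-registered
    elif world_readable "$sys"; then echo ok-system
    else echo blocked-by-permissions
    fi
}

# Constructed sample: a system database whose pkcs11.txt lists the CoolKey
# module, and an empty user database, both in a scratch directory.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sys" "$d/user" || return 1
    cat > "$d/sys/pkcs11.txt" <<'EOF'
library=
name=NSS Internal PKCS #11 Module

library=/usr/lib64/pkcs11/libcoolkeypk11.so
name=CoolKey PKCS#11 Module
EOF
    : > "$d/user/pkcs11.txt"
    echo "$d"
}

demo() {
    d=$(make_sample) || return 1
    chmod 0600 "$d/sys/pkcs11.txt"   # state described in caveat 2
    echo "mode 0600: $(diagnose "$d/sys" "$d/user" libcoolkeypk11.so)"
    chmod 0644 "$d/sys/pkcs11.txt"   # after step 2 of the procedure
    echo "mode 0644: $(diagnose "$d/sys" "$d/user" libcoolkeypk11.so)"
    rm -rf "$d"
}
demo
```

On a real system the arguments would be /etc/pki/nssdb and $HOME/.pki/nssdb, the two databases named in comment 38.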

Comment 41 Milan Crha 2013-08-01 12:02:31 UTC
Thanks for the testing and confirmation, with a great summary of what to do.

Comment 42 Milan Crha 2013-08-02 04:30:40 UTC
*** Bug 674653 has been marked as a duplicate of this bug. ***

Comment 43 Roshni 2013-09-06 17:07:09 UTC
David,

I am using nss-3.14.3-37.el6.i686, coolkey-1.1.0-29.el6.i686 and pam_pkcs11.0.6.2-13.el6.i686, evolution-2.32.3-25.el6.i686. I followed the steps you have described in comment 38 but evolution does not show the certs in the smart card.

Comment 46 errata-xmlrpc 2013-11-21 04:58:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1540.html

