Bug 643559 - Sending digitally signed email with S/MIME is broken.
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Elio Maldonado Batiz
QA Contact: BaseOS QE Security Team
Keywords: Reopened
Depends On: 603313 612269 630101 643132
Blocks:
Reported: 2010-10-15 19:19 EDT by Elio Maldonado Batiz
Modified: 2010-11-15 09:21 EST (History)
CC List: 8 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 612269
Environment:
Last Closed: 2010-11-15 09:21:02 EST
Description Elio Maldonado Batiz 2010-10-15 19:19:55 EDT
+++ This bug was initially created as a clone of Bug #612269 +++

Description of problem:
After applying the latest evolution update in Fedora, I am no longer able to send digitally signed emails.

Version-Release number of selected component (if applicable):
evolution-2.30.2-1.fc13.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Import personal certificate and select my cert in the Security section of the Account Editor under the Secure MIME (S/MIME) area.
2. Compose an email.
3. Make sure this is enabled: Options->S/MIME Sign
4. Hit the Send button.
  
Actual results:
A popup dialog appears with the following error message:
Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to select different mail options.

Expected results:
Email should be sent with my signature.

Additional info:
I have had the digital signature option enabled in evolution for the last 1-2 years and it has always worked without problem, until I updated to the latest version in F13, 2.30.2.

--- Additional comment from mcrha@redhat.com on 2010-07-08 09:12:36 EDT ---

Thanks for the bug report. I can reproduce this too; there seem to be two issues:
a) certificate name changed, thus one needs to change his/her certificate chosen in account preferences, otherwise there is shown an error about "not able to find the certificate".

b) even when I select the right certificate, then it fails to sign with it, with an error "Failed to encode data".

Finally, I cannot import a certificate to MY store with a new version, as I guess I do not know the password for it. I saw there also my evolution certificates for the first run, its name had Evolution prefix, but I do not see them now, only if I downgrade to the previous version, to 2.30.1.

I reopened the upstream bug [1], where I guess the issue comes from. Let's move any further discussion there.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=585301

--- Additional comment from dwmw2@infradead.org on 2010-07-08 12:29:57 EDT ---

This could well be an NSS bug -- NSS in Fedora enables the 'shared system database' by default, but it doesn't really work without some NSS patches that I don't think have made it into updates yet.

As root, please run 'setup-nsssysinit.sh off'.

--- Additional comment from dwmw2@infradead.org on 2010-07-08 12:42:29 EDT ---

FWIW, I've tested this myself with the shared database disabled, and also with it enabled and with the patch from https://bugzilla.redhat.com/show_bug.cgi?id=603313#c10 applied. Both worked fine.

--- Additional comment from smithj4@bnl.gov on 2010-08-11 17:14:47 EDT ---

Any chance this might get updated soon?  One month later and not even an rpm in testing to try out.

--- Additional comment from dwmw2@infradead.org on 2010-08-11 17:35:06 EDT ---

As indicated by comments #2 and #3, please test this again and confirm whether you still have issues either with:
 - The fixed NSS packages (see bug 603313), or
 - The shared system database turned off

--- Additional comment from smithj4@bnl.gov on 2010-08-12 10:35:56 EDT ---

I didn't know you were waiting for me to respond since you replied to your own comment and seemed to be confirming the problem and a working solution.

I tried the first solution "setup-nsssysinit.sh off" but I get the exact same error message.

As for the suggested patch from bug #603313, has the nss-3.12.6-11.fc13 rpm made it into the testing repo yet and does it contain the necessary patch?  I can't find it.  It would be much easier for me to try installing that test rpm, rather than trying to patch and rebuild myself.

--- Additional comment from emaldona@redhat.com on 2010-08-12 10:53:10 EDT ---

I pushed a new update with an additional fix yesterday which obsoleted the previous one, see https://admin.fedoraproject.org/updates/nss-3.12.6-11.fc13
Give it a day or two for the notification to show up on bug #603313 (hopefully here as well as I marked that one a blocker of this one)

--- Additional comment from dwmw2@infradead.org on 2010-08-12 11:04:14 EDT ---

(In reply to comment #6)
> I tried the first solution "setup-nsssysinit.sh off" but I get the exact same
> error message.

Ok, that's interesting. That was working for me, as I said. Is there something different about your key store? Does it have a master password?

Can you show the output of 'certutil -d $HOME/.evolution -L' and
'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of /etc/pki/nssdb/pkcs11.txt

--- Additional comment from smithj4@bnl.gov on 2010-08-12 11:27:21 EDT ---

(In reply to comment #8)
> Ok, that's interesting. That was working for me, as I said. Is there something
> different about your key store? Does it have a master password?

Yes, the first time I try to send a signed email, I get prompted with "Enter the password for `NSS User Private Key and Certificate Services'".

> Can you show the output of 'certutil -d $HOME/.evolution -L' and
> 'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of
> /etc/pki/nssdb/pkcs11.txt    

Do you need the full contents, it looks like it contains the email address of a lot of people that have sent me signed email.  A few key lines, related only to me are (I assume I am listed 3 times because my x509 cert expires every year and I have imported it 3 times over the past few years):

$ certutil -d $HOME/.evolution -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u
DOEGrids CA 1 - ESnet                                        CT,C,C


$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOEGrids CA 1 - ESnet                                        CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u


$ cat /etc/pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

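A parser for the `certutil -L` listing format quoted in the comment above, added here as a diagnostic example (it is not Evolution's or NSS's own code); the sample listing is a constructed copy of the $HOME/.evolution output shown there. It reports the nicknames that carry a private key (trust flag `u`, the only entries usable for signing), nicknames that occur more than once, which makes selection by nickname ambiguous, and the CAs trusted for S/MIME.

```python
# Added diagnostic example, not Evolution's or NSS's own code. It parses a
# `certutil -d <dir> -L` listing (constructed here from the one quoted above).
import re
from collections import Counter

# Constructed sample: the $HOME/.evolution listing shown in the comment above.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u
DOEGrids CA 1 - ESnet                                        CT,C,C
"""

# One certificate row: nickname, a run of 2+ spaces, then SSL,S/MIME,JAR trust
# flags (certutil uses p, P, c, C, T, u, w; an empty field means no trust set).
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

def parse_certutil_listing(text):
    """Return (nickname, ssl, smime, jar) tuples for each certificate row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:            # column header, separator or blank line
            continue
        ssl, smime, jar = m.group("trust").split(",")
        rows.append((m.group("nick"), ssl, smime, jar))
    return rows

def signing_candidates(rows):
    """Nicknames usable for S/MIME signing: 'u' marks a user cert whose private
    key is stored in this database."""
    return sorted({nick for nick, _ssl, smime, _jar in rows if "u" in smime})

def duplicate_nicknames(rows):
    """Nicknames that appear more than once; selecting a certificate by its
    nickname, as the account editor does, is ambiguous for these."""
    counts = Counter(nick for nick, *_ in rows)
    return sorted(nick for nick, n in counts.items() if n > 1)

def trusted_smime_cas(rows):
    """Nicknames trusted to issue S/MIME certificates ('C' in the S/MIME column)."""
    return sorted(nick for nick, _ssl, smime, _jar in rows if "C" in smime)
```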
--- Additional comment from smithj4@bnl.gov on 2010-08-16 10:11:24 EDT ---

I tried the nss packages (nss-3.12.6-11.fc13.x86_64) in the testing repo (yum --enablerepo=updates-testing update nss), turned it back on since it didn't help for me (setup-nsssysinit.sh on), restarted evolution and tried to send a signed email.  First, it looked like the password prompt changed: "Enter the password for `NSS Application Slot 00000004'", and then I got the exact same error message:

Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to
select different mail options.

PS. I also just noticed that there is a spelling mistake in the error message: Uknown.

--- Additional comment from fedora-admin-xmlrpc@redhat.com on 2010-09-07 16:54:02 EDT ---

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Milan Crha 2010-10-18 02:46:01 EDT
It would be surprising to see this same bug in RHEL6, at least in Evolution, because the 2.28.3 is not using system DB from nss, it uses its own certificate database (also accessed through nss library). (As a side note, it was a horrible mistake to allow this change in 2.30, but it's too late for claiming anyway.)
Comment 3 David Woodhouse 2010-10-18 06:21:44 EDT
(In reply to comment #2)
> (As a side note, it was a horrible mistake to allow this change in 2.30, but 
> it's too late for claiming anyway.)

Yeah. The Evolution side was simple and safe, and fixed other bugs... but I didn't realise how horridly broken NSS itself was.
Comment 4 Milan Crha 2010-11-15 09:21:02 EST
Works for me. Tested with:

nss-3.12.6-3.el6.x86_64
evolution-2.28.3-8.el6.x86_64
evolution-data-server-2.28.3-9.el6.x86_64

I created a certificate at http://www.cacert.org, imported it to Evolution as a personal certificate, set it on my IMAP account for signing and encrypting, then composed a new message to the address the certificate was created for, and when I receive that message, or view it under Sent folder, then I see it as encrypted, and evolution shows it decrypted, just like expected.
