Closed Bug 629965 (Outlook2011) Opened 14 years ago Closed 14 years ago

MIME decoder doesn't recognize signed messages from MS Outlook 2011

Categories: MailNews Core :: MIME, defect
Platform: x86, All
Type: defect; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED WORKSFORME
People: Reporter: nelson, Unassigned
References: Blocks 1 open bug
Keywords: testcase
Attachments: 2 files

When they receive a signed S/MIME email message from MS Outlook 2011,
neither TB nor SM recognizes it as an S/MIME message at all.  This is seen
on both MacOSX and WinXP.

The problem is entirely in the MIME decoding (or encoding by Outlook).

NSS's CMS decoder is never invoked to decode (and verify) the signature for messages sent by MS Outlook 2011.  If I hand-decode the MIME into component parts and feed them separately into NSS's CMS decoder via NSS's cmsutil QA 
test program, NSS correctly verifies the signature.   

My employer uses SMIME email.  IT supports only Outlook, and even installs
it on all company PCs and Macs.  Despite this, many users quietly use TB.
TB survives because (until now) it has been so interoperable with Outlook.
Next week, IT is going to roll out Outlook 2011 to all company computers
(Windows and Macs).  All non-TB (and non-SM) users will switch to it.  
If TB can no longer interoperate (via SMIME) with the new version of Outlook used by the majority of the employees, TB's users will have little choice but to switch to Outlook.

Please don't let that happen.

I will make copies of some sample messages available privately to those who 
may be willing to diagnose and/or patch it.  I'll attach a sample message 
here when (if) I get permission.

Seen with latest released TB for Mac and also with older SM for Windows.

Summary: MIME decode doesn't recognize signed messages from MS Outlook 2011 → MIME decoder doesn't recognize signed messages from MS Outlook 2011

(In reply to comment #0)
> The problem is entirely in the MIME decoding (or encoding by Outlook).
[...]
> I will make copies of some sample messages available privately to those who 
> may be willing to diagnose and/or patch it.  I'll attach a sample message 
> here when (if) I get permission.

Can you post the relevant MIME headers of such a message? Below are samples from two messages from Outlook 2010 (i.e., the latest Windows version - both are successfully processed by Tb 3.1.7).

What format does the Mac version use by default (and what micalg)?


a) sample with detached signature (Outlook 2010)

Content-Type: multipart/signed;
	boundary="----=_NextPart_000_0006_01CBC05C.33DFA490";
	protocol="application/x-pkcs7-signature";
	micalg=SHA1

This is a multipart message in MIME format.

------=_NextPart_000_0006_01CBC05C.33DFA490
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit

[... (message text here)]

------=_NextPart_000_0006_01CBC05C.33DFA490
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"

[... (Base64 encoded signature here)]

===================================================================

b) sample of an opaquely signed message (Outlook 2010)

Content-Type: application/pkcs7-mime;
	smime-type=signed-data;
	name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7m"

[... (Base64 encoded CMS message here)]

This is probably what you want:

> user-agent: Microsoft-MacOutlook/14.2.0.101115
> Content-Type: multipart/signed; protocol="application/pkcs7-signature";
> 	micalg=sha256; boundary="B_3379070561_9985034"
> MIME-Version: 1.0
> 
> --B_3379070561_9985034
> Content-type: multipart/alternative;
> 	boundary="B_3379070561_9978903"

[...]

> --B_3379070561_9985034
> Content-Type: application/pkcs7-signature; name="smime.p7s"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="smime.p7s"

[...]

> --B_3379070561_9985034--
(In reply to comment #3)
> > Content-Type: multipart/signed; protocol="application/pkcs7-signature";
> > 	micalg=sha256; boundary="B_3379070561_9985034"

Ok, so it's using detached signatures with SHA-256. I'm somewhat surprised that this doesn't work with the latest released version of Tb on OS X, as support for recognizing SHA-2 hashes in detached signatures was added with bug 541334. Can you also try with Tb 3.1.7 on Windows?
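
Added example, not part of the bug thread and not Thunderbird's code: a Python sketch of the header check the comments above turn on, classifying a message as detached (multipart/signed), opaque (application/pkcs7-mime) or unsigned, and flagging an unrecognized micalg instead of treating the message as unsigned. The names classify_smime and sample, the B_constructed boundary and the placeholder signature bytes are assumptions made for the illustration.

```python
from email import message_from_bytes

# Both registered and legacy "x-" spellings appear in the headers quoted above.
SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
OPAQUE_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
# micalg is case-insensitive; accept "sha256" and "sha-256" style spellings.
MICALG = {a: a.replace("-", "") for a in
          ("md5", "sha1", "sha-1", "sha256", "sha-256",
           "sha384", "sha-384", "sha512", "sha-512")}

def classify_smime(raw: bytes) -> dict:
    """Decide from the MIME headers whether a CMS verifier must be invoked."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()  # already lower-cased
    result = {"kind": "unsigned", "micalg": None, "problems": []}
    if ctype in OPAQUE_TYPES:
        if str(msg.get_param("smime-type", "")).lower() == "signed-data":
            result["kind"] = "opaque"
        return result
    protocol = str(msg.get_param("protocol", "")).lower()
    if ctype != "multipart/signed" or protocol not in SIG_TYPES:
        return result
    result["kind"] = "detached"
    alg = str(msg.get_param("micalg", "")).lower()
    result["micalg"] = MICALG.get(alg)
    if result["micalg"] is None:
        # Report it; do not fall back to rendering the message as unsigned.
        result["problems"].append(f"unrecognized micalg {alg!r}")
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2 or parts[1].get_content_type() not in SIG_TYPES:
        result["problems"].append("second part is not a PKCS#7 signature")
    return result

def sample(protocol: str, micalg: str) -> bytes:
    """Constructed detached-signature message; the signature is a placeholder."""
    return (f'Content-Type: multipart/signed; protocol="{protocol}";\r\n'
            f'\tmicalg={micalg}; boundary="B_constructed"\r\n'
            'MIME-Version: 1.0\r\n\r\n'
            '--B_constructed\r\nContent-Type: text/plain\r\n\r\nhello\r\n'
            '--B_constructed\r\n'
            'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
            'Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n'
            '--B_constructed--\r\n').encode()

OPAQUE = (b'Content-Type: application/pkcs7-mime; smime-type=signed-data;\r\n'
          b'\tname="smime.p7m"\r\nContent-Transfer-Encoding: base64\r\n\r\nAAAA\r\n')

if __name__ == "__main__":
    print(classify_smime(sample("application/pkcs7-signature", "sha256")))
    print(classify_smime(sample("application/x-pkcs7-signature", "SHA1")))
```

This covers only the MIME-layer decision; the signature itself still has to be verified by a CMS implementation such as NSS.
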
(In reply to comment #4)
> Can you also try with Tb 3.1.7 on Windows?

Nelson?

Attached file: Sample email message (deleted)
Here is a message that demonstrates the problem.
I am unable to test on Windows with TB-latest at this time.

No problem with displaying the S/MIME signature of this message in Tb 3.1.7 on Windows. As mentioned above, this was fixed with bug 541334, i.e. in Tb 3.1 and later (http://hg.mozilla.org/releases/comm-1.9.2/log/d0c07b6fe194/mailnews/mime/src/mimei.cpp). SeaMonkey will get it with the 2.1 release, I assume.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Not working on TB 3.1.7 on Mac OS/X.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Status: REOPENED → NEW
(In reply to comment #8)
> Not working on TB 3.1.7 on Mac OS/X.

What do you mean by "not working"? With Tb 3.1.7 on OS X, it says "Digital Signature Is Not Valid" when I'm opening the 629965a.txt file through File -> Open Saved Message. (To make it appear as a valid signature, you would have to import the "Root" cert of the "Nth Permutation" org and set it to trusted for e-mail, but that's certainly not the issue you described in comment 0).
I can reproduce this at will with TB 3.1.7 on my Mac, which is where I 
initially saw this bug.  If it's not a problem on Windows, I'm glad to hear it, but it's definitely reproducible on Mac OS/X.

In reply to comment 9, 
Again, the problem is that TB 3.1.7 does not even notice that the email is 
signed.  It does not show that the email is signed with a valid or invalid 
signature.  It simply behaves as if the email is not signed at all.

I have imported the Nth Permutation root CA cert into all my systems because 
we use that CA at work.  I can attach a copy of it.  Again, when I detach the
signature from the email and run it through NSS's cmsutil program, the 
signature is shown to be valid.

Attached file: Nth Permutation root CA (deleted)
Here's the root CA cert in binary (DER).

(In reply to comment #10)
> I can reproduce this at will with TB 3.1.7 on my Mac, which is where I 
> initially saw this bug.

Well, maybe we are using different versions of Tb 3.1.7 on OS X? Here's what I have:

$ shasum /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin 
1b75d2f098efce59a316d75656f30487b24550b6  /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin

$ stat -f "%N %z %Sm" /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin 
/Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin 35087860 Dec 10 07:48:50 2010
> stat -f "%N %z %Sm" /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin 
> /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin 35087860 Dec  7 09:50:02 2010
> sum /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin 
> 459 34266 /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin

Sorry, don't have shasum
(In reply to comment #13)
> Sorry, don't have shasum

That's part of OS X. But of course you're free to use any other tool which can calculate a SHA1-sum over /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin.
Maybe an OS version difference?  I'm running 10.5.8
Maybe it comes with Xcode, not sure. This one should work on earlier versions of OS X, too, however:

$ md5 /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin 
MD5 (/Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin) = 5713c6099d0a2f79daebd1728ede3023
Yes, that matches.
> (In reply to comment #8)
> > Not working on TB 3.1.7 on Mac OS/X.
> 
> What do you mean by "not working"? With Tb 3.1.7 on OS X, it says "Digital
> Signature Is Not Valid" when I'm opening the 629965a.txt file through File ->
> Open Saved Message. (To make it appear as a valid signature, you would have to
> import the "Root" cert of the "Nth Permutation" org and set it to trusted for
> e-mail, but that's certainly not the issue you described in comment 0).

I'm seeing this too.
Nelson, what happens when you start TB in -safe-mode? (Could it be a bug in one of your extensions? Wild guess: compact header.)
Keywords: testcase
I just tested this again in Tb ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko/20110221 Thunderbird/3.1.8", to be precise).

- created a new profile
- imported the root cert in attachment 511649, checked the
  "Trust this CA to identify email users." check box
- opened the message (attachment 511407) through File -> Open Saved Message...

Result: Tb shows the signature icon, clicking on it brings up the text "Message Is Signed - This message includes a valid digital signature. The message has not been altered since it was sent. Signed by: [...]".

Again resolving as WFM. I suspect it's related to your specific profile / extensions / cert DB. Or are you able to reproduce with a fresh profile?
Severity: major → normal
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME