Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Thunderbird 68.10.0 Sign/Encrypt of Mails is not working on Windows 10

more options

Hi,

As part of unit testing of our addon with Thunderbird 68.10.0 on Windows 10 ,we are facing issues while Sign/Encrypt the mail using our Smart Card. It has Authentication,Sign and Encryption Certificates.

To provide more details of about the addon,basically it provides a PKCS library to Sign/Encrypt the mails and in fact we are trying to automatically integrate the same as part of Thunderbird.

Regarding the setup of Thunderbird for testing this feature, we followed the below instructions to configure our CA since it was not listed and In fact our Signing/Encryption certificates have been issued by the same Microsoft CA.

Instructions:


In order for the certificate authority (CA) to be trusted or your personal certificate, the CA that signed your certificate must have its certificate installed under Authorities in your certificate store. Thunderbird comes with some built in certificate authorities, but the list is hardly complete. It seems that there is a slant towards the major CAs whose first language is English and issue certificates to people in the U.S.

If your CA is not one of the built in certificate authorities and you are under Windows and have Internet Explorer (IE), you could import the certificate in this way:

Open IE and go to "Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certificate Authorities". Highlight the certificate(s) that you would like to export. Click on "Export" and complete the export wizard. (DER encoded binary ".cer" files work as a file format.) While completing the wizard, remember where you saved the certificate. Now, open Thunderbird and go to "Tools -> Options -> Advanced -> Certificates -> Manage Certificates... -> Authorities". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates... -> Authorities".) Select "Import", select the file you saved above, and click "Open". Read the warning and select for what purpose you trust the certificate. Click "OK" if you trust it. It should now be installed. Optionally, you may want to delete the ".cer" file. If that is not possible, because the CA isn't there, you will need to contact your CA and see if they can give you their authorities public certificate.

Following is the error we are facing during Signing and also I have attached the snapshot of the same. "Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail."

As part of further analysis of the logs we figured out the APIs used by Thunderbird while performing Signing operation.

1. C_OpenSession 2. C_SignInit 3. C_GetAttributeValue (CRSAPrivateKey::GetOneAttributeValue - CKA_ALWAYS_AUTHENTICATE:) 4. C_Logout 5. C_Login (userType = CKU_USER) 6. C_Sign (SignKey = NULL)

Among the above APIs C_Logout is performed, not sure why after C_SignInit. Also if you look at the option to get SignKey CKA_ALWAYS_AUTHENTICATE, which forces the user to provide the PIN, in fact we are providing the same. But When C_Sign is called after Login, it seems the SignKey is NULL, due to earlier Logout operation.

Normally as per the PKCS standard with CKA_ALWAYS_AUTHENTICATE this would be the callflow.

1. C_OpenSession 2. C_SignInit 3. C_GetAttributeValue (CRSAPrivateKey::GetOneAttributeValue - CKA_ALWAYS_AUTHENTICATE:) 4. C_Login (userType = CKU_CONTEXT_SPECIFIC) 5. C_Sign (SignKey)

If PrivateKey with CKA_ALWAYS_AUTHENTICATE is used then C_Login should be immediately called with CKU_CONTEXT_SPECIFIC after C_SignInit operation. Please refer more details about the same from the PKCS standards.

“The CKA_ALWAYS_AUTHENTICATE attribute can be used to force re-authentication (i.e. force the user to provide a PIN) for each use of a private key. "Use" in this case means a cryptographic operation such as sign or decrypt. This attribute may only be set to CK_TRUE when CKA_PRIVATE is also CK_TRUE. Re-authentication occurs by calling C_Login with userType set to CKU_CONTEXT_SPECIFIC immediately after a cryptographic operation using the key has been initiated (e.g. after C_SignInit). In this call, the actual user type is implicitly given by the usage requirements of the active key. If C_Login returns CKR_OK the user was successfully authenticated and this sets the active key in an authenticated state that lasts until the cryptographic operation has successfully or unsuccessfully been completed (e.g. by C_Sign, C_SignFinal,..).”

Hence it would be great from Thunderbird community to help us to figure out the issue.

Please let me know if i am missing something.

Hi, As part of unit testing of our addon with Thunderbird 68.10.0 on Windows 10 ,we are facing issues while Sign/Encrypt the mail using our Smart Card. It has Authentication,Sign and Encryption Certificates. To provide more details of about the addon,basically it provides a PKCS library to Sign/Encrypt the mails and in fact we are trying to automatically integrate the same as part of Thunderbird. Regarding the setup of Thunderbird for testing this feature, we followed the below instructions to configure our CA since it was not listed and In fact our Signing/Encryption certificates have been issued by the same Microsoft CA. Instructions: ------------ In order for the certificate authority (CA) to be trusted or your personal certificate, the CA that signed your certificate must have its certificate installed under Authorities in your certificate store. Thunderbird comes with some built in certificate authorities, but the list is hardly complete. It seems that there is a slant towards the major CAs whose first language is English and issue certificates to people in the U.S. If your CA is not one of the built in certificate authorities and you are under Windows and have Internet Explorer (IE), you could import the certificate in this way: Open IE and go to "Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certificate Authorities". Highlight the certificate(s) that you would like to export. Click on "Export" and complete the export wizard. (DER encoded binary ".cer" files work as a file format.) While completing the wizard, remember where you saved the certificate. Now, open Thunderbird and go to "Tools -> Options -> Advanced -> Certificates -> Manage Certificates... -> Authorities". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates... -> Authorities".) Select "Import", select the file you saved above, and click "Open". Read the warning and select for what purpose you trust the certificate. Click "OK" if you trust it. It should now be installed. Optionally, you may want to delete the ".cer" file. If that is not possible, because the CA isn't there, you will need to contact your CA and see if they can give you their authorities public certificate. Following is the error we are facing during Signing and also I have attached the snapshot of the same. '''"Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail."''' As part of further analysis of the logs we figured out the APIs used by Thunderbird while performing Signing operation. 1. C_OpenSession 2. C_SignInit 3. C_GetAttributeValue (CRSAPrivateKey::GetOneAttributeValue - CKA_ALWAYS_AUTHENTICATE:) 4. C_Logout 5. C_Login (userType = CKU_USER) 6. C_Sign (SignKey = NULL) Among the above APIs C_Logout is performed, not sure why after C_SignInit. Also if you look at the option to get SignKey CKA_ALWAYS_AUTHENTICATE, which forces the user to provide the PIN, in fact we are providing the same. But When C_Sign is called after Login, it seems the SignKey is NULL, due to earlier Logout operation. Normally as per the PKCS standard with CKA_ALWAYS_AUTHENTICATE this would be the callflow. 1. C_OpenSession 2. C_SignInit 3. C_GetAttributeValue (CRSAPrivateKey::GetOneAttributeValue - CKA_ALWAYS_AUTHENTICATE:) 4. C_Login (userType = CKU_CONTEXT_SPECIFIC) 5. C_Sign (SignKey) If PrivateKey with CKA_ALWAYS_AUTHENTICATE is used then C_Login should be immediately called with CKU_CONTEXT_SPECIFIC after C_SignInit operation. Please refer more details about the same from the PKCS standards. “The CKA_ALWAYS_AUTHENTICATE attribute can be used to force re-authentication (i.e. force the user to provide a PIN) for each use of a private key. "Use" in this case means a cryptographic operation such as sign or decrypt. This attribute may only be set to CK_TRUE when CKA_PRIVATE is also CK_TRUE. Re-authentication occurs by calling C_Login with userType set to CKU_CONTEXT_SPECIFIC immediately after a cryptographic operation using the key has been initiated (e.g. after C_SignInit). In this call, the actual user type is implicitly given by the usage requirements of the active key. If C_Login returns CKR_OK the user was successfully authenticated and this sets the active key in an authenticated state that lasts until the cryptographic operation has successfully or unsuccessfully been completed (e.g. by C_Sign, C_SignFinal,..).” Hence it would be great from Thunderbird community to help us to figure out the issue. Please let me know if i am missing something.
Attached screenshots

Modified by vishal.babu

All Replies (2)

more options

Lets back up a bit. Thunderbird does not use windows certificate store, unless you change hidden preferences to make it so. To enable this setting the security.enterprise_roots.enabled must be set to true using the config editor. Have you done that?

Have you updated your certificates in the Mozilla store at Options > advanced > Certificates > manage certificates? Once installed in Thunderbird you can then specify them in the account settings > Security.

I found I had to restate the certificates in account settings at one point after one of the 60.X updates. I assume the Mozilla group that maintain that component made some changes. I did not need to reinstall the certificates, just click the select box and then Ok the already chosen selection. In the process got what looked like a GUID added to the certificate to use when signing dialog.

more options

Thanks Matt for your reply.

The setting you mentioned security.enterprise_roots.enabled is enabled by default in Thunderbird 68.10.0, please find the snapshot attached. Yes the certificates (Authentication,digital and encryption) are set as part of the of manager certificates and in account settings->security Sign and encrytion certificates are set.

As part of Signing operation before selecting the certificate (add-on)throws a PIN prompt to authenticate the user,immediately right after this Thunderbird reports the following error.

"Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail."

Please let know if i am missing something.