Yubico Forum https://forum.yubico.com/ |
[HELP] Unable to sign emails (xubuntu thunderbird) https://forum.yubico.com/viewtopic.php?f=26&t=2186 |
Author: | tzn [ Thu Jan 28, 2016 3:25 pm ] |
Post subject: | [HELP] Unable to sign emails (xubuntu thunderbird) |
Hello all,

I am trying to use the Yubikey NEO as a smart card holding my x509 S/MIME certificate and use that as a security device in both Thunderbird 38.5.1 and Firefox 44.0 on xUbuntu 15.10.

I have imported the key and cert to the Yubikey:

Code:
sudo yubico-piv-tool -a import-cert -a import-key -s 9d -K PKCS12 -i smime.p12 -p pass

Key is loaded to the card:

Code:
yubico-piv-tool -a status
CHUID: No data available
Slot 9a: No data available.
Slot 9c: No data available.
Slot 9d:
    Algorithm: RSA2048
    Subject DN: xxx
    Issuer DN: xxx
    Fingerprint: xxx
    Not Before: Jan 18 13:36:27 2016 GMT
    Not After: Jan 17 13:36:27 2019 GMT
Slot 9e: No data available.
PIN tries left: 3

Opensc detects the reader:

Code:
opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00

Pkcs-tool lists the certificate:

Code:
pkcs15-tool --list-data-objects
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
<snip>
Data object 'X.509 Certificate for Key Management'
    applicationName: X.509 Certificate for Key Management
    applicationOID: 2.16.840.1.101.3.7.2.1.2
    Path: 0102
    Data (1448 bytes): 538XXXXXXXX0FE00
<snap>

I imported the certificate chain in Firefox and Thunderbird and set trust levels to trust them with everything. I then loaded a new security device, trying the two modules

Code:
/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Login with my pin works and I see my certificate and am able to set it in Thunderbird's security dialog for digital signing and encryption. However, whenever I try to send a signed message, sending fails with the following error:

Code:
Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.

Curiously, decryption of emails sent to me does indeed work, meaning the certificate is stored and accessed correctly.

I found a post somewhere that claims this is an issue with trust somewhere in the certificate chain. This cannot be the case here; I checked the chain and its trust multiple times, including resetting trust levels, deleting and reimporting the chain, and so on.

I'm stuck now. Has anybody any idea why signing does not work?

TL;DR
Sending signed mails with Thunderbird using the Yubikey as a security device does not work. Decryption, however, works as expected. Any idea why?

Thank you all for any insights
Author: | tzn [ Fri Jan 29, 2016 9:18 am ] |
Post subject: | Re: [HELP] Unable to sign emails (xubuntu thunderbird) |
I sort of figured it out. The certificate also has to be stored in slot 9c for signing. To be able to both sign outgoing mails and decrypt incoming mails the certificate has to be stored in 2 slots, namely 9c and 9d. I don't know if there is a technical necessity for that, but it's a bit confusing and also seems to lead to further problems.

I am only able to send one (1) signed message. The first message I send can be signed. Thunderbird asks for the pin, signs the message, and sends it out. But any subsequent attempt to sign mails leads to the same error as stated above.

Code:
Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.

I have to either restart Thunderbird or reinsert the Yubikey every time I want to sign a message, which is basically for every new mail. That's not really usable.

Has anybody else seen that problem and maybe even has a solution?

Thank you all.
Author: | fil9o [ Wed Feb 15, 2017 5:56 pm ] |
Post subject: | Re: [HELP] Unable to sign emails (xubuntu thunderbird) |
I have exactly the same issue on both OS X and Ubuntu 16.10. Emails are properly decrypted. Trying to send a signed message causes the same error. The certificate is signed by an external CA.

[EDIT] I have a Yubikey 4
Author: | fil9o [ Wed Feb 15, 2017 6:04 pm ] |
Post subject: | Re: [HELP] Unable to sign emails (xubuntu thunderbird) |
Adding the certificate to both 9c and 9d causes a pin prompt every time I read a message. However, I can send signed emails (after two pin prompts).
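
The slot layout this thread arrives at (the same certificate in 9c for signing and in 9d for decryption) can be checked from the `yubico-piv-tool -a status` output. The script below is an added example, not part of any post in this thread: `check_smime_slots` is a hypothetical helper, the sample status text and fingerprints are constructed, and the line layout it parses is assumed from the output quoted in the first post.

```shell
# Added example, not from the thread. Reads `yubico-piv-tool -a status` output
# on stdin and checks PIV slots 9c (Digital Signature) and 9d (Key Management).
# Exit status: 0 = both slots hold the same certificate, 1 = a slot is empty,
# 2 = both slots are filled but their fingerprints differ.
check_smime_slots() {
    awk '
        /^Slot [0-9a-f][0-9a-f]:/ {
            slot = substr($2, 1, 2)
            # An empty slot is reported on the slot line itself.
            present[slot] = ($0 !~ /No data available/)
            next
        }
        /^[ \t]*Fingerprint:/ {
            sub(/^[ \t]*Fingerprint:[ \t]*/, "")
            if (slot != "") fp[slot] = $0
        }
        END {
            rc = 0
            if (present["9c"]) print "9c (Digital Signature): certificate present"
            else { print "9c (Digital Signature): empty"; rc = 1 }
            if (present["9d"]) print "9d (Key Management): certificate present"
            else { print "9d (Key Management): empty"; rc = 1 }
            if (rc == 0 && fp["9c"] != fp["9d"]) {
                print "9c and 9d hold different certificates"
                rc = 2
            }
            exit rc
        }
    '
}

# Constructed sample: the state in the first post (certificate only in 9d).
STATUS_9D_ONLY='CHUID: No data available
Slot 9a: No data available.
Slot 9c: No data available.
Slot 9d:
    Fingerprint: CONSTRUCTED-FINGERPRINT-1
Slot 9e: No data available.
PIN tries left: 3'

# Constructed sample: the same certificate imported into 9c and 9d.
STATUS_BOTH='Slot 9c:
    Fingerprint: CONSTRUCTED-FINGERPRINT-1
Slot 9d:
    Fingerprint: CONSTRUCTED-FINGERPRINT-1'

printf '%s\n' "$STATUS_9D_ONLY" | check_smime_slots || echo "exit status: $?"
printf '%s\n' "$STATUS_BOTH" | check_smime_slots
```

Against a real card, pipe the tool's output into the function: yubico-piv-tool -a status | check_smime_slots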
All times are UTC + 1 hour