Yubico Forum
https://forum.yubico.com/

[HELP] Unable to sign emails (xubuntu thunderbird)
https://forum.yubico.com/viewtopic.php?f=26&t=2186
Page 1 of 1

Author:  tzn [ Thu Jan 28, 2016 3:25 pm ]
Post subject:  [HELP] Unable to sign emails (xubuntu thunderbird)

Hello all,

I am trying to use the Yubikey NEO as a smart card holding my X.509 S/MIME certificate and use that as a security device in both thunderbird 38.5.1 and firefox 44.0 on Xubuntu 15.10.

I have imported the key and cert to the yubikey:

Code:
sudo yubico-piv-tool -a import-cert -a import-key -s 9d -K PKCS12 -i smime.p12 -p pass


Key is loaded to the card:

Code:
yubico-piv-tool -a status
CHUID:   No data available
Slot 9a:   No data available.
Slot 9c:   No data available.
Slot 9d:   
   Algorithm:   RSA2048
   Subject DN:   xxx
   Issuer DN:            xxx
   Fingerprint:   xxx
   Not Before:   Jan 18 13:36:27 2016 GMT
   Not After:   Jan 17 13:36:27 2019 GMT
Slot 9e:   No data available.
PIN tries left:   3


Opensc detects the reader:

Code:
opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00


pkcs15-tool lists the certificate:

Code:
pkcs15-tool --list-data-objects
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
<snip>
Data object 'X.509 Certificate for Key Management'
   applicationName: X.509 Certificate for Key Management
   applicationOID:  2.16.840.1.101.3.7.2.1.2
   Path:            0102
   Data (1448 bytes): 538XXXXXXXX0FE00
<snap>


I imported the certificate chain in firefox and thunderbird and set trust levels to trust them with everything.
I then loaded a new security device, trying the two modules:

Code:
/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so


Login with my PIN works and I see my certificate and am able to set it in Thunderbird's security dialog for digital signing and encryption.

However, whenever I try to send a signed message, sending fails with the following error:

Code:
Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.


Curiously, decryption of emails sent to me does indeed work, meaning, the certificate is stored and accessed correctly.
I found a post somewhere that claims this is an issue with trust somewhere in the certificate chain. This cannot be the case here; I checked the chain and its trust multiple times, including resetting trust levels, deleting and reimporting the chain, and so on.

I'm stuck now.

Has anybody any idea why signing does not work?

TL;DR
Sending signed mails with thunderbird using yubikey as a security device does not work. Decryption, however, works as expected. Any idea why?

Thank you all for any insights

Author:  tzn [ Fri Jan 29, 2016 9:18 am ]
Post subject:  Re: [HELP] Unable to sign emails (xubuntu thunderbird)

I sort of figured it out. The certificate also has to be stored in slot 9c for signing.
To be able to both sign outgoing mails and decrypt incoming mails the certificate has to be stored in 2 slots, namely 9c and 9d. I don't know if there is a technical necessity for that, but it's a bit confusing and also seems to lead to further problems.

I am only able to send one (1) signed message. The first message I send can be signed. Thunderbird asks for the PIN, signs the message, and sends it out. But any subsequent attempt to sign mails leads to the same error as stated above.

Code:
Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.

I have to either restart thunderbird or reinsert the yubikey every time I want to sign a message, which is basically for every new mail. That's not really usable.

Has anybody else seen that problem and maybe even has a solution?


Thank you all.

Author:  fil9o [ Wed Feb 15, 2017 5:56 pm ]
Post subject:  Re: [HELP] Unable to sign emails (xubuntu thunderbird)

I have exactly the same issue on both OS X and Ubuntu 16.10.
Emails are properly decrypted; trying to send a signed message causes the same error.
Certificate signed by external CA.
[EDIT]
I have a YubiKey 4.

Author:  fil9o [ Wed Feb 15, 2017 6:04 pm ]
Post subject:  Re: [HELP] Unable to sign emails (xubuntu thunderbird)

Adding the certificate to both 9c and 9d causes a PIN prompt every time I read a message.
However, I can send signed emails (after two PIN prompts).
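
A quick check for the condition the thread converged on (the same certificate must sit in both 9c and 9d, because OpenSC's PIV driver presents 9c as the signing key and 9d as the key-management/decryption key). This is an added example, not code from the thread or from Yubico: it parses the `yubico-piv-tool -a status` format quoted above, and SAMPLE_STATUS, parse_status and smime_slot_check are names made up for it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the `yubico-piv-tool -a status` output quoted
# in the thread: the S/MIME certificate sits only in slot 9d (key management).
SAMPLE_STATUS = """\
CHUID:   No data available
Slot 9a:   No data available.
Slot 9c:   No data available.
Slot 9d:
   Algorithm:   RSA2048
   Subject DN:   CN=example user
   Fingerprint:  aabbccdd
   Not After:    Jan 17 13:36:27 2019 GMT
Slot 9e:   No data available.
PIN tries left:   3
"""

SLOT_RE = re.compile(r"^Slot ([0-9a-f]{2}):")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")


def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """Map each PIV slot to its printed fields; an empty dict means no cert."""
    slots: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:  # "Slot 9d:" opens a block; "No data available." leaves it empty
            current = m.group(1)
            slots[current] = {}
            continue
        m = FIELD_RE.match(line)  # indented "Key:   value" lines belong to the slot
        if m and current is not None:
            slots[current][m.group(1).strip()] = m.group(2).strip()
    return slots


def smime_slot_check(slots: Dict[str, Dict[str, str]]) -> List[str]:
    """Thunderbird signs with 9c and decrypts with 9d via OpenSC, so both slots
    must hold the same certificate; return a list of what is wrong."""
    sign = slots.get("9c", {}).get("Fingerprint")
    decrypt = slots.get("9d", {}).get("Fingerprint")
    problems = []
    if not sign:
        problems.append("slot 9c empty: signing will fail")
    if not decrypt:
        problems.append("slot 9d empty: decryption will fail")
    if sign and decrypt and sign != decrypt:
        problems.append("9c and 9d hold different certificates")
    return problems
```

Run it against real `yubico-piv-tool -a status` output to see which slot is missing before touching Thunderbird's trust settings. The per-message PIN prompt reported above is expected once signing moves to 9c: the PIV specification defines that slot with a PIN-always policy, unlike 9d.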
