View Issue Details

ID: 0005407
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2021-12-03 22:38
Reporter: Christian Mack
Assigned To: francis
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.2.0
Target Version: 5.3.0
Fixed in Version: 5.4.0
Summary: 0005407: When using identities, you can sign with a not matching S/MIME certificate
Description

The problem is twofold.
1) When you use an identity with a completely different email address, then still the S/MIME certificate for the primary email address is used in SOGo to sign that email.
As the certificate does not match the From address, that signature will be invalid!

2) When you receive such an invalidly signed email in SOGo, it will be shown as validly signed!
You have to unfold the signature info in order to see that the signature does not match the From address.
This is a security-relevant fault.
To show that there is a problem with the signature, it should display a caution sign.

Steps To Reproduce

1) userA uploads certificate for his primary email address
2) create Identity in userA with different email address
3) send signed email to userB with that Identity
=> it will be sent
It should at least be warned that the certificate doesn't match the From address.
4) check email signature in userB INBOX
=> signature is displayed as OK.
It should warn that the signature is valid, but the From is not matching

Tags: No tags attached.

Activities

Christian Mack

2021-10-22 09:05

developer   ~0015570

Just to show the mismatch, here is a screenshot

francis

2021-10-29 20:41

administrator   ~0015594

The viewer is fixed; a proper message is displayed if the certificate doesn't match the sender address.

schmirl

2021-11-01 21:16

reporter   ~0015596

The fix looks for the email address in the CN attribute. This is wrong. The email address is either in the SubjectAltName (nowadays the preferred place) or in the emailAddress attribute. In many S/MIME certificates the CN field is either missing or contains the name of the certificate holder.

From https://datatracker.ietf.org/doc/html/rfc8550#section-3
Receiving agents MUST recognize
both ASCII and internationalized email addresses in the
subjectAltName extension. Receiving agents MUST recognize email
addresses in the distinguished name field in the PKCS #9 [RFC2985]
emailAddress attribute:

francis

2021-11-02 12:29

administrator   ~0015597

Can you share the JSON payload of the server response when viewing a signed message? I would like to see the content of .parts.certificates.

schmirl

2021-11-02 14:06

reporter   ~0015598

Here we go...

with_cn.json (347 bytes)   
{
	"certificates": [
		{
			"issuer": [
				[
					"countryName",
					"DE"
				],
				[
					"organizationName",
					"Deutsche Post AG"
				],
				[
					"commonName",
					"DPDHL User CA I5"
				]
			],
			"subject": [
				[
					"commonName",
					"noreply, DHL, BN"
				],
				[
					"emailAddress",
					"noreply@dhl.de"
				]
			]
		}
	]
}
without_cn.json (440 bytes)   
{
	"certificates": [
		{
			"issuer": [
				[
					"countryName",
					"GB"
				],
				[
					"stateOrProvinceName",
					"Greater Manchester"
				],
				[
					"localityName",
					"Salford"
				],
				[
					"organizationName",
					"COMODO CA Limited"
				],
				[
					"commonName",
					"COMODO RSA Client Authentication and Secure Email CA"
				]
			],
			"subject": [
				[
					"emailAddress",
					"XX@XXXX.de"
				]
			]
		}
	]
}
francis

2021-11-02 17:13

administrator   ~0015599

I'm closing the issue, but SubjectAltName could actually store multiple email addresses. We're not handling this case for now. I would need the JSON payload of such a certificate to properly add support.

Christian Mack

2021-12-02 14:45

developer   ~0015665

I created an S/MIME certificate with 2 alternate addresses for a test user.
Then I created 3 Identities.
2 with those 2 alternate addresses and one with an invalid address.
See attached signed emails sent from that test user to herself.

Christian Mack

2021-12-02 14:46

developer   ~0015666

Subjects specify which is which.

Email to myself.eml (10,550 bytes)
schmirl

2021-12-02 15:58

reporter   ~0015667

Thanks for the testmails. I can confirm that the email address check works as expected with the commit of 2021-11-22 (which is not part of SOGo 5.3.0 but should be included in the nightly builds): Only the third one fails the address check. The address test of the other two mails succeeded.

For the first mail I got a "Message has been modified". Turned out that the umlauts got mangled. Corrected them manually and the mail got verified ok.

schmirl

2021-12-02 16:02

reporter   ~0015668

The second part of the ticket (sign only if the certificate's mail addresses match the selected identity) has not been addressed yet.

francis

2021-12-03 22:38

administrator   ~0015671

Signing a message using an address that is not part of the certificate will now fail.
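
Added example, not part of the ticket and not SOGo's code: the address check discussed in the notes above, written over certificates in the JSON shape posted in note 0015598. It takes addresses only from `emailAddress` subject attributes and subjectAltName entries, never from `commonName`, and reports "signature verifies" separately from "signer matches From". The `subjectAltName` key (a list of strings), the function names and the sample data are assumptions; comparing the local part exactly and the domain case-insensitively is a choice made here.

```python
from email.utils import parseaddr

def norm_addr(addr):
    """Split at the last '@'; keep the local part exact, lowercase the domain."""
    local, sep, domain = addr.strip().rpartition("@")
    return (local, domain.lower()) if sep and local and domain else None

def cert_addresses(cert):
    """Addresses a certificate vouches for: emailAddress subject attributes
    plus subjectAltName entries. commonName is deliberately ignored."""
    found = set()
    for name, value in cert.get("subject", []):
        if name == "emailAddress":
            found.add(norm_addr(value))
    # Assumed key: "subjectAltName" as a list of strings is hypothetical,
    # it is not taken from SOGo's server response.
    for value in cert.get("subjectAltName", []):
        found.add(norm_addr(value))
    found.discard(None)
    return found

def verdict(signature_ok, cert, from_header):
    """Return one of three states so a viewer can warn on a mismatch."""
    if not signature_ok:
        return "invalid-signature"
    # parseaddr separates the display name from the actual address.
    sender = norm_addr(parseaddr(from_header)[1])
    if sender is None or sender not in cert_addresses(cert):
        return "valid-signature-address-mismatch"
    return "valid"

# Constructed sample certificates, shaped like the payloads posted above.
WITH_CN = {"subject": [["commonName", "noreply, DHL, BN"],
                       ["emailAddress", "noreply@dhl.de"]]}
CN_ONLY = {"subject": [["commonName", "alice@example.org"]]}
MULTI_SAN = {"subject": [["commonName", "Test User"]],
             "subjectAltName": ["first@example.org", "second@example.org"]}

if __name__ == "__main__":
    for cert, sender in [(WITH_CN, "DHL <noreply@DHL.de>"),
                         (CN_ONLY, "alice@example.org"),
                         (MULTI_SAN, "third@example.org")]:
        print(sender, "->", verdict(True, cert, sender))
```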

Related Changesets

sogo: master 6eb5e971

2021-10-29 16:34

francis


fix(mail): check if smime certificate matches sender address

Fixes 0005407
Affected Issues
0005407
mod - UI/MailPartViewers/UIxMailPartEncryptedViewer.m
mod - UI/MailPartViewers/UIxMailPartSignedViewer.m
mod - UI/MailerUI/English.lproj/Localizable.strings

sogo: master ab67e7d2

2021-11-02 11:04

francis


fix(mail): check if smime certificate matches sender address

Fixes 0005407
Affected Issues
0005407
mod - UI/MailPartViewers/UIxMailPartSignedViewer.m

sogo: master e85576cb

2021-11-22 15:31

francis


fix(mail): check if smime certificate matches sender address

Fixes 0005407
Affected Issues
0005407
mod - UI/MailPartViewers/UIxMailPartEncryptedViewer.m
mod - UI/MailPartViewers/UIxMailPartSignedViewer.m
mod - UI/MailerUI/English.lproj/Localizable.strings

sogo: master 4ad21055

2021-12-03 16:54

francis


fix(mail): sign and send only if smime certificate matches sender address

Fixes 0005407
Affected Issues
0005407
mod - SoObjects/Mailer/SOGoDraftObject.m
mod - UI/MailerUI/English.lproj/Localizable.strings

Issue History

Date Modified Username Field Change
2021-10-15 11:52 Christian Mack New Issue
2021-10-22 09:05 Christian Mack Note Added: 0015570
2021-10-22 09:05 Christian Mack File Added: sogo-spoofed-signed-valid-details.png
2021-10-29 20:36 francis Changeset attached => sogo master 6eb5e971
2021-10-29 20:36 francis Assigned To => francis
2021-10-29 20:36 francis Resolution open => fixed
2021-10-29 20:41 francis Note Added: 0015594
2021-11-01 21:16 schmirl Note Added: 0015596
2021-11-02 12:29 francis Note Added: 0015597
2021-11-02 14:06 schmirl Note Added: 0015598
2021-11-02 14:06 schmirl File Added: with_cn.json
2021-11-02 14:06 schmirl File Added: without_cn.json
2021-11-02 15:04 francis Changeset attached => sogo master ab67e7d2
2021-11-02 17:13 francis Status new => resolved
2021-11-02 17:13 francis Note Added: 0015599
2021-11-02 17:13 francis Product Version 5.3.0 => 5.2.0
2021-11-02 17:13 francis Target Version => 5.3.0
2021-11-22 20:32 francis Changeset attached => sogo master e85576cb
2021-12-02 14:45 Christian Mack Status resolved => feedback
2021-12-02 14:45 Christian Mack Resolution fixed => reopened
2021-12-02 14:45 Christian Mack Note Added: 0015665
2021-12-02 14:46 Christian Mack Note Added: 0015666
2021-12-02 14:46 Christian Mack File Added: Email to myself.eml
2021-12-02 14:46 Christian Mack File Added: message to myself alternate email address.eml
2021-12-02 14:46 Christian Mack File Added: message to myself with not matching from.eml
2021-12-02 14:46 Christian Mack Status feedback => assigned
2021-12-02 15:58 schmirl Note Added: 0015667
2021-12-02 16:02 schmirl Note Added: 0015668
2021-12-03 21:55 francis Changeset attached => sogo master 4ad21055
2021-12-03 21:55 francis Resolution reopened => fixed
2021-12-03 22:38 francis Status assigned => resolved
2021-12-03 22:38 francis Fixed in Version => 5.4.0
2021-12-03 22:38 francis Note Added: 0015671