Bug 138519 - verisign not Validated signature
Status: RESOLVED NOT A BUG
Product: kleopatra
Classification: Applications
Component: general
Version: 0.40 (KDE 3.x)
Platform: unspecified Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2006-12-08 00:04 UTC by Zbigniew Luszpinski
Modified: 2008-09-01 15:20 UTC

Description Zbigniew Luszpinski 2006-12-08 00:04:24 UTC
Version:           0.40 (using KDE 3.5.5, compiled sources)
Compiler:          gcc version 3.4.6
OS:                Linux (i686) release 2.6.18.5

KMail cannot verify S/MIME digitally signed emails. The signature is Verisign certified.

KMail displays such email on a yellow background with the following information:
Not enough information to check signature. [Details]
Status: No information about status.

After clicking [Details] Kleopatra opens and I see after clicking on certificate details:

Serial number: 6D4FA064A0FBA13CD77610ECF2A0724D
       Issuer: CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated,OU=www.verisign.com/repository/RPA Incorp. By Ref.\,LIAB.LTD(c)98,OU=VeriSign Trust Network,O=VeriSign\, Inc.
      Subject: 1.2.840.113549.1.9.1=#6B6F6E74616B74406D62616E6B2E706C,CN=mBank\, Bankowosc Detaliczna BRE Banku SA,OU=Digital ID Class 1 - Microsoft Full Service,OU=Persona Not Validated,OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98,OU=VeriSign Trust Network,O=VeriSign\, Inc.
     sha1_fpr: 07:21:6C:32:EB:A0:19:AC:AA:3F:6D:51:E5:3F:2B:58:56:79:88:8F
      md5_fpr: EA:52:CF:75:19:14:DB:59:FB:2B:83:97:11:60:5F:AF
       certid: 400D1595C2934986CB4FF49DAAD76017E02FAD1E.6D4FA064A0FBA13CD77610ECF2A0724D
      keygrip: 97168B1F27E61A4CAF447023B9AE7292F6CE579C
    notBefore: 2005-12-16 00:00:00
     notAfter: 2006-12-30 23:59:59
     hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
      keyType: 1024 bit RSA
    subjKeyId: [none]
    authKeyId: [none]
     keyUsage: digitalSignature keyEncipherment
  extKeyUsage: emailProtection (suggested)
               clientAuth (suggested)
     policies: 2.16.840.1.113733.1.7.23.3
  chainLength: not a CA
        crlDP: http://crl.verisign.com/class1.crl
               issuer: none
     authInfo: [none]
     subjInfo: [none]
         extn: 2.16.840.1.113733.1.6.7  [6 octets]


'String' tab shows in grey the root issuer with the following message:
"Certificate issuer not found ( OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US)"

Microsoft Outlook Express verifies such email without a problem, so the digital signature is valid and working. How to fix KMail to correctly validate VeriSign certified digital signatures?

I tried to import p7c certificate downloaded from verisign website with the following result:
Total number  of processed: 2
Imported: 0
Not changed: 2

The imported certificate is displayed in Kleopatra but this does nothing to signed emails which are still displayed on yellow background. I do not know what I could do more to fix this up.

I have gnupg 2.0.1 with gpgme installed. KMail has working gpg and gpgsm plugins. Only the Chiasmus plugin has (error).
Comment 1 Zbigniew Luszpinski 2007-06-11 16:43:12 UTC
Looking at the certificate path, the top one is missing, making all sub certificates not valid.

The top one, the missing certificate, is:
Certificate issuer not found ( OU=Class 1 Public Primary Certification Authority, O=Verisign, Inc.,C=US)

Where can I download this missing main Verisign certificate?
I exported all certificates from MS Outlook Express and imported them to Kleopatra. However, all (except the top one) were imported. Nothing happened.
Then I tried K->Control Center->Security and Privacy->Cryptography->SSL Signatures. And again imported the certificates from Outlook. The top one was not imported because KDE claimed it is already on the list. The rest of the certificates were imported fine. Every time KDE asked me if KMail is allowed to use the imported certificates I said Yes. Still nothing.
Comment 2 Zbigniew Luszpinski 2007-06-18 06:01:25 UTC
The problem still exists in KMail 1.9.7/KDE 3.4.7.

There is a problem with S/MIME signed e-mails in KMail 1.9.7, Kleopatra 0.40:
"issuer certificate is not found (OU=Class 1 Public Primary Certification 
Authority,O=VeriSign, Inc.,C=US)" - signed mail is displayed in yellow colour,
with text: "Not enough information to check signature. [Details]
Status: No status information available."

I saved the signed mail, went to Windows and checked the e-mail in Outlook. All was fine: the message is signed and valid. Then I checked the certificate path - it was full. So I exported all certificates from the path to files.

Went to Linux. Thunderbird 2.0.0.0 complained about missing certificates. So I imported all of them. Thunderbird said that it has the top one because it is already built into Thunderbird, so it was not imported. Then I opened the saved e-mail and the signature was verified - the certificate path was full.

Next I tried KMail. I imported all certificates using Kleopatra. The situation was the same as with Thunderbird (KMail said that the top one is already built in, so it was not imported). The rest of the certificates appeared in the Kleopatra window as local certificates. Then I chose check for both certificates - all was valid.
Then I reopened KMail - the signed mail is still yellow. The certificate path is broken - the top certificate (the built in one): "issuer certificate is not found (OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US)" is not found.

Please fix the connection between the top (built in) certificate and those subcertificates which are imported later. I think when the connection is fixed the path will be full and my signed mail will become green and valid.

I checked Thunderbird and KMail. The difference is only in the broken certificate path between the built in/top/master certificate and the first imported/lower/sub one in KMail. All further imported/lower certificates are correctly connected together both in KMail and Thunderbird.

I also imported certificates to Konqueror. It asked me to make them available 
to KMail too - I clicked YES. All certificates were imported except the 
master/top one - it was already present in Konqueror's list. Nothing 
helped/changed - my signed mail is still yellow.
Comment 3 Yuval Hager 2007-12-06 07:03:03 UTC
I can confirm the exact behavior with Kleopatra 0.40 (KDE 3.5.7).
Comment 4 Marc Mutz 2008-06-17 00:30:50 UTC
S/MIME trust is hierarchical, so you need to have the root certificate imported, and have it trusted, for signatures to verify correctly.

As for where to get that certificate, you have to ask Verisign.

It seems like you've tried to import the certificates from Outlook. Please make sure you have a file with only the root certificate in it, and try to import that into Kleopatra. If it doesn't work (says '1 considered, 0 imported'), then please try to import it on the command line:
 gpgsm --import < file
and paste the error you get there.

If either of the two worked out, make sure the root is trusted. If it is not, set gpg-agent.conf:allow-mark-trusted (via config file, or in the GUI -> Configure GnuPG Backend -> Gpg Agent -> [x] Allow clients to mark keys as "trusted"), then do a validating keylisting (Shift-F5). The agent should ask you whether you trust the root cert. After that, the signature should verify. You might have to disable crl checks ("never consult a CRL"), too.
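
The command-line form of the steps in comment 4, as an added example that is not part of the original bug thread and not GnuPG's own code: `trust_root` runs the import and a validating listing (`gpgsm --list-keys --with-validation` is assumed here as the CLI counterpart of Kleopatra's Shift-F5), and the two helpers set `allow-mark-trusted` and check `trustlist.txt` for a root fingerprint. The function names and the `GNUPG_DIR` variable are hypothetical.

```shell
#!/bin/sh
# Added example: function names and GNUPG_DIR are illustrative assumptions.
GNUPG_DIR="${GNUPGHOME:-$HOME/.gnupg}"

# Idempotently enable allow-mark-trusted in <dir>/gpg-agent.conf.
# (GnuPG 2.1+ enables it by default; 2.0.x needs the line.)
enable_mark_trusted() {
    conf="$1/gpg-agent.conf"
    mkdir -p "$1" && touch "$conf"
    if grep -Eq '^[[:space:]]*allow-mark-trusted[[:space:]]*$' "$conf"; then
        echo present
    else
        echo allow-mark-trusted >> "$conf"
        echo added
    fi
}

# Succeed if <fingerprint> is listed in <dir>/trustlist.txt as trusted for
# S/MIME (flag S or *). A leading "!" marks an entry as explicitly
# distrusted, so it never matches. Colons and letter case are ignored.
root_is_trusted() {
    fpr=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -f "$1/trustlist.txt" ] || return 1
    sed 's/#.*//' "$1/trustlist.txt" | tr -d ':' | awk -v f="$fpr" '
        toupper($1) == f && ($2 == "S" || $2 == "*") { found = 1 }
        END { exit !found }'
}

# The full procedure; needs gpgsm and a running gpg-agent, so it is defined
# here but not called. $1 = file holding only the root certificate.
trust_root() {
    gpgsm --import < "$1" || return 1
    enable_mark_trusted "$GNUPG_DIR" >/dev/null
    gpgconf --reload gpg-agent
    # Validating listing: the agent prompts to trust the unknown root.
    gpgsm --list-keys --with-validation
    # If only the CRL fetch fails, this isolates it (revocation is then
    # not checked): gpgsm --disable-crl-checks --list-keys --with-validation
}
```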
Comment 5 Marc Mutz 2008-09-01 15:20:47 UTC
No response, old version.