Support of ECC and RSA certificates
Hello, I just got a signature Smartcard from TeleSec (German qualified signature provider accredited for eIDAS). On this PKS Smartcard, there is a specific email signature certificate (advanced certificate). This card (TCOS 3.0 based) uses exclusively elliptic curves cryptography (ECC), and does not support RSA.
I know that the qualified signature based on a brainpool curve specifically parametrized by the German BSI is not recognized by any international software. But the advanced signature is a NIST parametrized curve and works for example in Adobe Acrobat.
Since I was not able to make my smartcard to work with Thunderbird, I would like to know precisely the list of the supported kind of email signature and encryption certificates and algorithms.
Further, the root certificate TeleSec GlobalRoot 2 certificate is present and trusted in Mozilla Thunderbird. Under this root certificate, I have to add another certificate in the chain to verify the smartcard advanced signature (something like TeleSec PKS CA 8). This certificate seems to support and work with ECC perfectly in the Windows 10 64-bit certificate store, but gets the mention "verification failed for an unknown reason" in Thunderbird 64-bit. My guess is that Mozilla Thunderbird 64-bit in its latest release version does not support the ECC algorithms used by TeleSec. Could somebody confirm my guess?
I should add that I was previously able to sign my emails with another smartcard, from D-TRUST, which used RSA.
Thanks in advance for your assistance. Best regards, Vincent
Additional System Details
- User Agent: Mozilla/5.0 (Linux; Android 10; SM-N975F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.116 Mobile Safari/537.36
I was not able to make my smartcard to work with Thunderbird
Please explain in detail
- what you were doing
- what happened
- what you were expecting to happen
My guess is that Mozilla Thunderbird 64-bit in its latest release version does not support the ECC algorithms used by TeleSec.
Firefox does support TLS 1.3 cipher suites since version 63, and so does Thunderbird. More details here: https://wiki.mozilla.org/Security/Server_Side_TLS
I have no idea what curve TeleSec are using.
Ok, I will try to explain in another way.
I am using Thunderbird version 68.4.1 (64-bit) with Gmail. I want to digitally sign (and sometimes encrypt) my outgoing emails. I have ordered a PKS signature Smartcard from TeleSec in Germany. This Smartcard contains several keys:
1. Qualified Signature Key (eIDAS): key type is ECC; curve type is brainpoolP256r1
2. Authentication Key: key type is ECC; curve type is NISTp256r1
3. Advanced Signature Key: key type is ECC; curve type is NISTp256r1
4. Encryption Key: key type is ECC; curve type is NISTp256r1
To use the "Advanced Signature Key", I have first imported the required certificates ("T-Telesec Global Root Class 2" ; "TeleSec PKS CA 8") downloaded from the following page: https://www.telesec.de/de/otp/165-faq/pks/pks-zertifikate-unter-windows (search for the "CA-Zertifikate.zip" file).
After having imported the "TeleSec PKS CA 8" certificate in Thunderbird (Tools --> Options --> Advanced --> Manage Certificates), I want to view it, therefore I click on it to select it, and click on the View button. In the "General" tab of the window that opens, it is written "Could not verify this certificate for unknown reasons."
I think that Thunderbird does not support the certificate, and therefore it is also not able to be used with the key on my Smartcard to sign the email.
What I would really like to know is, why Thunderbird is not able to verify the "TeleSec PKS CA 8" certificate, and why I am not able to sign my emails with the Advanced Signature Key from my Smartcard.
"Could not verify this certificate for unknown reasons."
I do see the same behavior here with this cert. To be honest, I don't know why the verification fails. My best guess is that Thunderbird does run an OCSP check, and that fails, for whatever reason. This may also be the reason why signing of messages doesn't work. I'd be curious about the error you get upon signing though. Is there anything in the error console (Ctrl-Shift-J)?
3. Advanced Signature Key: key type is ECC ; curve type is NISTp256r1
I'd say Thunderbird supports the curves, as the curve type is shown when inspecting the cert - see screenshot below.
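The reply above raises three separate questions that a "could not verify this certificate for unknown reasons" message leaves open: does the intermediate actually chain to the trusted root, which curve and signature algorithm does it use, and could a revocation (OCSP) lookup be what fails. The script below is an added diagnostic example, not code from this thread or from TeleSec: it builds a throwaway P-256 chain (root, issuing CA, S/MIME signing certificate) with OpenSSL as constructed test data, then wraps the checks a practitioner would run against the real "TeleSec PKS CA 8" and root files in small functions. All names (`Example ECC Root (test)`, `user@example.test`, the file names) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not TeleSec's data): build a throwaway
# ECC chain root -> issuing CA -> S/MIME signing cert, then run the checks
# used to narrow down why a mail client refuses a certificate.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the CA certificates and the end-entity certificate
# (constructed test values, written as unnamed-section extfiles).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation\nextendedKeyUsage=emailProtection\nsubjectAltName=email:user@example.test\n' > smime.ext

# Root CA on P-256 (OpenSSL name: prime256v1), self-signed
openssl ecparam -name prime256v1 -genkey -noout -out root.key
openssl req -new -key root.key -subj "/CN=Example ECC Root (test)" -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null

# Issuing CA, the analogue of an intermediate such as "TeleSec PKS CA 8"
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
openssl req -new -key ca.key -subj "/CN=Example ECC Issuing CA (test)" -out ca.csr
openssl x509 -req -in ca.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out ca.pem 2>/dev/null

# End-entity S/MIME signing certificate issued by the issuing CA
openssl ecparam -name prime256v1 -genkey -noout -out user.key
openssl req -new -key user.key -subj "/CN=Test User" -out user.csr
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile smime.ext -out user.pem 2>/dev/null

# Exit status 0 when $2 chains to the trust anchor $1; $3 (optional) is a
# file of untrusted intermediates, as when checking a leaf through its CA.
chain_verifies() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Named curve of the subject public key, e.g. prime256v1 or brainpoolP256r1.
key_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p' | head -n 1
}

# Algorithm the issuer used to sign this certificate, e.g. ecdsa-with-SHA256.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit status 0 when leaf $3 passes OpenSSL's S/MIME-signing purpose checks
# (key usage and extended key usage) through intermediate $2 to root $1.
smime_sign_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" -purpose smimesign "$3" >/dev/null 2>&1
}

# OCSP responder URLs from the Authority Information Access extension.
# Empty output means the certificate names no OCSP responder at all.
ocsp_urls() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Report, as it would be printed for the real CA files.
for c in root.pem ca.pem user.pem; do
    o=$(ocsp_urls "$c")
    [ -n "$o" ] || o=none
    printf '%s: curve=%s signature=%s ocsp=%s\n' "$c" "$(key_curve "$c")" "$(sig_alg "$c")" "$o"
done
if chain_verifies root.pem ca.pem; then
    echo "issuing CA chains to root: OK"
else
    echo "issuing CA chains to root: FAILED"
fi
if smime_sign_ok root.pem ca.pem user.pem; then
    echo "leaf acceptable for S/MIME signing: OK"
else
    echo "leaf acceptable for S/MIME signing: FAILED"
fi
```

To apply this to the certificates from the thread, replace `root.pem` and `ca.pem` with the extracted "T-Telesec Global Root Class 2" and "TeleSec PKS CA 8" files and the leaf with the certificate exported from the card: a chain that OpenSSL verifies but Thunderbird rejects points at a client-side issue (trust settings, purpose, or revocation handling) rather than at the curve itself, and an empty `ocsp_urls` result rules out a failing OCSP lookup as the cause.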
Dear Chris1, many thanks for your tests and answer.
When I sign an EMail and then save it (i.e., not sending it, just saving), I get the following message:
"Unable to save your message as a draft: You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired".
I should add that I have properly configured the signature certificate to be used in my specific email account. Thunderbird does not give any error message when I configure this.
In the error console, I have the following when I sign and save the email: see screenshot.
I'm not sure what else to suggest. You may want to raise a bug in Bugzilla for the NS_NOINTERFACE and NS_ERROR_FAILURE error messages. Then please post the bug id to this topic. Thank you.