View Issue Details

ID: 0005257
Project: SOGo
Category: Apple iPhone OS
View Status: public
Last Update: 2021-02-09 14:25
Reporter: cyb0rg8311
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Platform: iPhone 11
OS: iOS
OS Version: 14.4
Product Version: 5.0.1
Summary: 0005257: S/MIME Digital Signature is not valid when sending via iOS Mail
Description

When I send S/MIME signed Mails to a SOGo Mailbox with the iOS Mail App from my iPhone or iPad the Signature is marked in SOGo as not valid.
But when I send a Mail signed with the same Certificate from the same Mail-Address through Thunderbird or Outlook the Digital Signature is marked as valid.

Additional Information

I could reproduce this with another Certificate from another Issuer, so the Problem is not only with Sectigo Certificates.

Tags: S/MIME

Activities

cyb0rg8311

2021-02-08 11:28

reporter  

send_from_iphone_ed.png (140,563 bytes)
send_from_thunderbird_ed.png (139,386 bytes)
schmirl

2021-02-09 07:33

reporter   ~0015075

Could you provide the eml files, please?

cyb0rg8311

2021-02-09 07:41

reporter   ~0015076

Here are the eml files.
2233.eml was sent through Thunderbird
2234.eml was sent with an iPhone 11 with iOS 14.4
2235.eml was sent with an iPad Pro 11" with iPad OS 14.3

2234.eml (5,078 bytes)
2233.eml (7,462 bytes)
2235.eml (5,055 bytes)
schmirl

2021-02-09 08:05

reporter   ~0015077

openssl cms -verify -in 2233.eml -certsout 2233.pem results in "Verification successful".
2233.pem then contains your personal certificate plus the intermediate certificate "Sectigo RSA Client Authentication and Secure Email CA"

openssl cms -verify -in 2234.eml -certsout 2234.pem results in "Verification failure":
3073455808:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:unable to get local issuer certificate
2234.pem contains only your personal certificate

So SOGo can't verify the iOS mails as the client doesn't include the intermediate certificate in the signature (note the difference in size: 2233.eml is about 1400 bytes larger). Though it's not forbidden to send the leaf certificate only, it is bad practice as on the recipient side many clients lack the functionality to download missing intermediate certificates from the CAs themselves.

Please check the key file you imported to your iOS clients (probably a .p12 or .pfx file): Does it include the intermediate certificate? If not, this might be the mistake. Re-import the key from a file which includes the intermediate CA. I'm not familiar with the iOS certificate store. Maybe you can import the intermediate certificate there to have the mail client add it to the signature.

For your reference I attached the intermediate certificate extracted from 2233.eml.

2233-2.pem (2,163 bytes)
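The diagnosis in note ~0015077 can be reproduced offline with a constructed lab PKI. This script is an added example, not part of the issue thread or of SOGo; the names "Lab Root", "Lab Intermediate", "Lab User" and all file names are assumptions, and the keys are throwaway. It signs the same message once with the leaf certificate only and once with the intermediate attached, then verifies both as a recipient that trusts only the root.

```shell
#!/bin/sh
# Constructed lab PKI (throwaway keys): Lab Root -> Lab Intermediate -> leaf.
set -eu
cd "$(mktemp -d)"
cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF

# issue <name> <CN> <extension section> <issuer name>
issue() {
  openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
    -extfile lab.cnf -extensions "$3" -days 2 -out "$1.pem" 2>/dev/null
}
# Number of certificates carried inside the signature (what -certsout dumps).
embedded_certs() {
  openssl cms -verify -noverify -in "$1" -certsout "$1.pem" -out /dev/null 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' "$1.pem"
}
# Verify as a recipient that trusts only the root; prints openssl's diagnostics.
verify_msg() { openssl cms -verify -in "$1" -CAfile root.pem -out /dev/null 2>&1; }

openssl req -x509 -config lab.cnf -extensions ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Lab Root" -days 2 2>/dev/null
issue int "Lab Intermediate" ca root
issue leaf "Lab User" leaf int

printf 'constructed test message\n' > msg.txt
# Leaf only, as in the iOS messages; then leaf plus intermediate via -certfile.
openssl cms -sign -in msg.txt -signer leaf.pem -inkey leaf.key -out leaf_only.eml
openssl cms -sign -in msg.txt -signer leaf.pem -inkey leaf.key \
  -certfile int.pem -out with_chain.eml

for m in leaf_only.eml with_chain.eml; do
  if verify_msg "$m" >/dev/null; then r="valid"; else r="NOT valid"; fi
  echo "$m: $(embedded_certs "$m") embedded cert(s), $r with root-only trust"
done
```

Running `verify_msg leaf_only.eml` on its own prints the same "unable to get local issuer certificate" error quoted in the note.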
cyb0rg8311

2021-02-09 08:43

reporter   ~0015078

I checked it and the .pfx Certificate contains the Complete Chain.
SOGo and Thunderbird import the Certificate Chain complete, but iOS does not install the complete Chain. It installs only the Certificate.
I exported all Certificates above in the Chain and imported all of them on my iPhone and iPad.
Now it works and the signed Mails are marked as Valid.

Thank you very much for your Time.

Issue History

Date Modified Username Field Change
2021-02-08 11:28 cyb0rg8311 New Issue
2021-02-08 11:28 cyb0rg8311 Tag Attached: S/MIME
2021-02-08 11:28 cyb0rg8311 File Added: send_from_iphone_ed.png
2021-02-08 11:28 cyb0rg8311 File Added: send_from_thunderbird_ed.png
2021-02-09 07:33 schmirl Note Added: 0015075
2021-02-09 07:41 cyb0rg8311 Note Added: 0015076
2021-02-09 07:41 cyb0rg8311 File Added: 2234.eml
2021-02-09 07:41 cyb0rg8311 File Added: 2233.eml
2021-02-09 07:41 cyb0rg8311 File Added: 2235.eml
2021-02-09 08:05 schmirl Note Added: 0015077
2021-02-09 08:05 schmirl File Added: 2233-2.pem
2021-02-09 08:43 cyb0rg8311 Note Added: 0015078
2021-02-09 14:25 francis Assigned To => francis
2021-02-09 14:25 francis Status new => closed
2021-02-09 14:25 francis Resolution open => no change required