Smart card certificate for S/MIME signatures
European governments issue eID cards which can be used for authentication and signing. I have a PKCS#11 shared object which works as middleware under Firefox to authenticate to some web sites. Thunderbird supports a similar interface to load a shared object (a.k.a. dll). After loading it, I can log in.
When I go to "Manage S/MIME Certificate" I see the corresponding certificate. I can view it. If I try to back it up I get "Failed to create the PKCS #12 backup file for unknown reasons." TB asks for a new password. The s.o. logs something about unsupported function C_UnwrapKey(). I can investigate further, but this is not important.
The important thing is when I hit "Select..." for "Personal certificate for digital signing": I immediately get "Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <MY@ADDR.ESS>." In this case, the s.o. log shows no error.
My address is not written in the certificate, which probably means I cannot use it to get encrypted messages. Indeed, the certificate says:
Key Usage: Digital Signature. Extended Key Usage: Client Authentication.
Encryption is not mentioned. And the government application allows signing or verifying PDF and other files, not encrypting or decrypting them.
I think signing the message body with S/MIME should be possible. Is it? If not, how can I determine whether the bug is in Thunderbird or in the shared object?
All Replies (4)
Did you set up the cert for signing in your Account Settings - End-To-End Encryption for the desired account?
No. As I said, when I hit "Select..." for "Personal certificate for digital signing", I immediately get "Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <MY@ADDR.ESS>."
I am no expert, but I do use free Actalis certificates and observe the following when looking at mine as examples.
Your key usage would need to explicitly state it is for Digital Signatures if it was to sign emails, as well as have extended key usages of Client Authentication and E-mail Protection. As S/MIME uses the same digital certificate to encrypt as it does to sign, I cannot see it working as a signature if it is not valid for e-mail protection. The certificate is also issued for a specific email address. The Common Name is the email address. You say yours does not have that.
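The reply above lists the properties Thunderbird looks for. The script below is an added example, not code from the thread, from Thunderbird or from the eID middleware: it builds two self-signed test certificates, one shaped like the card certificate in the question (no e-mail address, keyUsage digitalSignature, extendedKeyUsage clientAuth only) and one shaped like an ordinary S/MIME certificate, and runs both through a check that encodes, as my reading of NSS's mail-signer validation, the three conditions the "Select..." dialog applies: the address must appear in the certificate (SAN rfc822Name or Subject emailAddress), keyUsage must allow digitalSignature (or nonRepudiation), and extendedKeyUsage, if present, must include emailProtection. The address, names and certificates are constructed; OpenSSL 1.1.1 or later is assumed for `req -addext` and `x509 -ext`.

```shell
#!/bin/sh
# Added example: reproduce the two certificate shapes discussed in this thread
# and check each against the conditions Thunderbird (NSS) applies before it
# offers a certificate for signing mail from ADDR. Not code from Thunderbird
# or from the eID middleware; assumes OpenSSL 1.1.1 or later.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ADDR="user@example.org"   # constructed address, stands in for <MY@ADDR.ESS>

# mkcert NAME SUBJECT [-addext ...]: self-signed test certificate in $WORK.
mkcert() {
  name="$1"; subj="$2"; shift 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" -subj "$subj" "$@" \
    >/dev/null 2>&1
}

# Shape 1, like the card certificate in the question: no e-mail address,
# KU = digitalSignature, EKU = clientAuth only. Subject is constructed.
mkcert eid "/C=IT/CN=Mario Rossi" \
  -addext "keyUsage=critical,digitalSignature" \
  -addext "extendedKeyUsage=clientAuth"

# Shape 2, like the Actalis certificate in the reply: the address as an
# rfc822Name in the SAN, EKU including emailProtection.
mkcert smime "/CN=$ADDR" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=emailProtection" \
  -addext "subjectAltName=email:$ADDR"

# cert_ext CERT EXTNAME: print the named extension, or nothing if it is absent
# (openssl prints "No extensions matched ..." in that case).
cert_ext() {
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | grep -v '^No extensions' || true
}

# smime_sign_check CERT ADDR: prints "OK" when CERT satisfies all three
# conditions, otherwise "FAIL:" followed by the ones it misses.
smime_sign_check() {
  cert="$1"; addr="$2"; why=""
  ku=$(cert_ext "$cert" keyUsage)
  eku=$(cert_ext "$cert" extendedKeyUsage)
  san=$(cert_ext "$cert" subjectAltName)
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)

  # 1. The address must be bound to the certificate: rfc822Name in the SAN or
  #    emailAddress in the Subject. A CN that merely contains the address is
  #    not enough (assumption about how NSS looks up the address).
  if ! printf '%s\n' "$san" | grep -qiF "email:$addr" &&
     ! printf '%s\n' "$subj" | grep -qiF "emailAddress=$addr"; then
    why="$why address-not-in-cert"
  fi
  # 2. keyUsage, if present, must allow signing (digitalSignature; NSS also
  #    accepts nonRepudiation for mail signing).
  if [ -n "$ku" ] && ! printf '%s\n' "$ku" | grep -qE 'Digital Signature|Non Repudiation'; then
    why="$why no-digitalSignature"
  fi
  # 3. extendedKeyUsage, if present, must include emailProtection; a missing
  #    EKU extension does not restrict the certificate.
  if [ -n "$eku" ] && ! printf '%s\n' "$eku" | grep -q 'E-mail Protection'; then
    why="$why eku-without-emailProtection"
  fi
  if [ -z "$why" ]; then echo OK; else echo "FAIL:$why"; fi
}

smime_sign_check "$WORK/eid.pem" "$ADDR"    # FAIL: address-not-in-cert eku-without-emailProtection
smime_sign_check "$WORK/smime.pem" "$ADDR"  # OK
```

To run the same check against the real card certificate, export it through the same PKCS#11 module with OpenSC's `pkcs11-tool --module /path/to/middleware.so --read-object --type cert --output-file card.der` (add `--id` or `--label` if the token holds several certificates), convert it with `openssl x509 -inform DER -in card.der -out card.pem`, and call `smime_sign_check card.pem you@addr`. A FAIL on the address or EKU condition means Thunderbird is rejecting the certificate on its contents alone, which is consistent with the shared object logging nothing when "Select..." is pressed.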
The certificate is issued by the Italian Ministry of Interior. The email address is not part of the basic personal data. Although data group 22 of the card spec (BSI TR-03110) provides for a probably empty email address field, the certificate does not mention it. Is it needed?
I never used S/MIME, but AFAIK, unlike GPG, it is keyed on CAs rather than email addresses. In this respect, I didn't find the Italian Country Signing Certification Authority (CSCA) among the Authorities that TB's Certificate Manager lists. However, that should prevent verifying, not signing.