eToken, Personal certificate and the Mozilla suite

Recently I received a personal certificate, also known as a Digital ID, on a smart card (an Aladdin eToken) to access a secure web service. While installing the certificate I noticed that the same certificate can also be used to digitally sign and encrypt email, so I fired up Thunderbird and added the PKCS#11 security device to configure S/MIME signing. See the steps below.

“PKCS#11 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards.” (Source: http://en.wikipedia.org/wiki/PKCS11)

I assume you have already installed the eToken software. If you haven't, take a look at this article I wrote earlier.

Open Thunderbird and go to Preferences -> Advanced -> Encryption -> Security Devices

Click on "Load" and enter a module name, or keep the default like I did ("New PKCS#11 Module"), then browse for the 'libeTPkcs11.so' library. This file probably sits in '/usr/lib' or '/usr/lib64'. Be sure to pick the right one: a process can only load a PKCS#11 module built for its own architecture, so you need the 64-bit library if you run a 64-bit Thunderbird (or Firefox, if you load the module there too), and the 32-bit one otherwise. If you pick the wrong file, Thunderbird reports that the module could not be loaded.

Open Account Settings -> Security

Select the certificate on your smart card you would like to use for signing and encryption. Thunderbird prompts for the token PIN the first time it needs to read the token.

Thunderbird and Firefox do not bundle the CAs needed to validate a GlobalSign PersonalSign Class 2 certificate out of the box. You have to import the GlobalSign Primary Class 2 CA (http://secure.globalsign.net/cacert/PrimClass2.crt) and the GlobalSign PersonalSign Class 2 CA (http://secure.globalsign.net/cacert/PersonalSignClass2.crt) into Thunderbird, otherwise it cannot build a trusted chain for your certificate and you will notice that you are not able to send digitally signed email. Since importing a CA makes every certificate it issues trusted, compare the fingerprint of each downloaded .crt file with the one GlobalSign publishes before you trust it.
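The same setup can be done from the command line with the NSS tools (modutil and certutil) that Thunderbird's certificate store is built on. The script below is an added example, not code from the original post or from Aladdin: it picks the libeTPkcs11.so whose ELF class (32- or 64-bit) matches the Thunderbird binary, registers it in the profile's security module database, imports the two GlobalSign CA files if they are in the current directory, and lists the certificates NSS sees on the token. The binary path, the profile directory, the token name "eToken" and the file locations are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example, not code from the original post: match the eToken PKCS#11
# library to the Thunderbird binary, register it with NSS, import the
# GlobalSign CA files if present and list the certificates on the token.
# Paths, the profile directory and the token name are assumptions.
set -eu

# Print 32 or 64 by reading EI_CLASS, the byte at offset 4 of the ELF header.
elf_class() {
    cls=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$cls" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo "not an ELF object: $1" >&2; return 1 ;;
    esac
}

# Print the first libeTPkcs11.so in the given directories with the wanted class.
find_pkcs11_lib() {
    want=$1; shift
    for dir in "$@"; do
        lib="$dir/libeTPkcs11.so"
        [ -f "$lib" ] || continue
        if [ "$(elf_class "$lib" 2>/dev/null)" = "$want" ]; then
            echo "$lib"
            return 0
        fi
    done
    return 1
}

register() {
    # Assumption: the real executable is thunderbird-bin; /usr/bin/thunderbird
    # is usually a wrapper script, not an ELF object.
    tb_bin=${TB_BIN:-/usr/lib/thunderbird/thunderbird-bin}
    bits=$(elf_class "$tb_bin")
    lib=$(find_pkcs11_lib "$bits" /usr/lib64 /usr/lib /usr/local/lib)
    echo "Thunderbird is ${bits}-bit; using $lib"

    # Assumption: the first default profile. Thunderbird 2 keeps cert8.db,
    # key3.db and secmod.db there; for the newer cert9.db format pass
    # "sql:$profile" to -dbdir / -d instead.
    profile=$(ls -d "$HOME"/.thunderbird/*.default | head -n 1)
    modutil -dbdir "$profile" -add "Aladdin eToken" -libfile "$lib" -force
    modutil -dbdir "$profile" -list

    # Import the GlobalSign chain if the DER files sit in the current directory.
    # Print each fingerprint first so it can be checked against GlobalSign's
    # published value before the CA is trusted for e-mail.
    for crt in PrimClass2.crt PersonalSignClass2.crt; do
        [ -f "$crt" ] || continue
        openssl x509 -inform DER -in "$crt" -noout -subject -fingerprint -sha1
        case "$crt" in
            PrimClass2.crt) trust=",C," ;;   # root: trusted to issue e-mail certs
            *)              trust=",," ;;    # intermediate: stored, chains to the root
        esac
        certutil -d "$profile" -A -n "${crt%.crt}" -t "$trust" -i "$crt"
    done

    # List what NSS sees on the token ("eToken" is the assumed token name;
    # certutil prompts for the token PIN).
    certutil -d "$profile" -L -h "eToken"
}

# Only touch the profile when asked to:  sh etoken-nss.sh --register
case "${1:-}" in
    --register) register ;;
esac
```

Run it with `--register` while Thunderbird is closed, since Thunderbird holds the profile databases open; the functions can also be sourced on their own to check which library matches a given binary.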

Thunderbird MIME mixup

Today I decided it was time to introduce my iPhone to the campus wireless network, instead of using the slow GPRS network of my carrier. I'm still a happy user of the first-generation iPhone, so I'm stuck with GPRS, which is why I like WiFi.

So I downloaded the ready-made VU-iphone.mobileconfig file to my workstation and fired up my favourite MUA, which happens to be Mozilla Thunderbird, to mail the configuration to myself as an attachment, just as the online manual described. But as soon as I opened the message in the mail app on the phone it looked like plain text and there was no attachment to open. I decided to use Mutt instead and repeated the steps described above. This time the attachment showed up as it should, so I was able to import the wireless configuration and finish the wireless setup. (A .mobileconfig profile can install trusted root certificates, VPN and proxy settings as well as a wireless network, so only install a profile you obtained directly from the campus IT pages.)

Now I'm happily connected wirelessly, but still curious why the attachment sent by Thunderbird did not show up correctly in the mobile mail app. So I compared the MIME output of both mail clients, and it appears that Thunderbird does not use Content-Disposition the way RFC 2183 intends for a file that is meant to be saved and opened separately: as you can see below, it marks the part as 'inline' (display as part of the message body) instead of 'attachment' (a separate file that needs a user action to open), and the iPhone's mail app takes that literally and renders the text/xml part as text.

I have stripped the irrelevant headers and body text from both messages.

Thunderbird:
[code lang="text"]
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="------------070008030904000701030203"

This is a multi-part message in MIME format.
--------------070008030904000701030203
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

--------------070008030904000701030203
Content-Type: text/xml;
name="VU-iphone.mobileconfig"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="VU-iphone.mobileconfig"

[/code]

Mutt:
[code lang="text"]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="WIyZ46R2i8wDzkSu"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="VU-iphone.mobileconfig"

[/code]

This looks like a bug in Thunderbird.
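To make the difference between the two messages checkable rather than eyeballed, here is an added example (not code from the original post): it parses two message skeletons constructed to match the headers quoted above, reports the Content-Disposition type of the part that carries the profile, and then builds a message that sends the profile as a genuine attachment. It types the part as application/x-apple-aspen-config, Apple's media type for configuration profiles, instead of text/xml, so a reader is not tempted to render it as text; the body texts and addresses are placeholders.

```python
"""Added example, not code from the original post: compare how the captured
messages label the profile part, and build a message that attaches it properly.
THUNDERBIRD_MSG and MUTT_MSG are constructed from the headers quoted in the post;
the body texts are placeholders."""
from email import message_from_string, policy
from email.message import EmailMessage

_TB = "-" * 12 + "070008030904000701030203"   # Thunderbird's boundary string
THUNDERBIRD_MSG = f"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="{_TB}"

This is a multi-part message in MIME format.
--{_TB}
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

The wireless profile is attached.
--{_TB}
Content-Type: text/xml; name="VU-iphone.mobileconfig"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="VU-iphone.mobileconfig"

<?xml version="1.0" encoding="UTF-8"?>
--{_TB}--
"""

_MUTT = "WIyZ46R2i8wDzkSu"                    # Mutt's boundary string
MUTT_MSG = f"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="{_MUTT}"
Content-Disposition: inline

--{_MUTT}
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The wireless profile is attached.
--{_MUTT}
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="VU-iphone.mobileconfig"

<?xml version="1.0" encoding="UTF-8"?>
--{_MUTT}--
"""


def attachment_dispositions(raw):
    """Map each filename found in the message to the Content-Disposition type
    ('inline', 'attachment' or None) of the MIME part that carries it."""
    msg = message_from_string(raw, policy=policy.default)
    return {part.get_filename(): part.get_content_disposition()
            for part in msg.walk() if part.get_filename()}


def build_profile_mail(profile, filename="VU-iphone.mobileconfig"):
    """Return an EmailMessage that carries the profile bytes as a real
    attachment, typed as application/x-apple-aspen-config (Apple's type for
    configuration profiles); add_attachment() sets Content-Disposition to
    'attachment' and base64-encodes the bytes."""
    msg = EmailMessage()
    msg["From"] = "me@example.org"        # placeholder addresses
    msg["To"] = "me@example.org"
    msg["Subject"] = "Campus wireless profile"
    msg.set_content("The wireless profile is attached; open it on the phone.")
    msg.add_attachment(profile, maintype="application",
                       subtype="x-apple-aspen-config", filename=filename)
    return msg


if __name__ == "__main__":
    for client, raw in ("Thunderbird", THUNDERBIRD_MSG), ("Mutt", MUTT_MSG):
        print(client, attachment_dispositions(raw))
    fixed = build_profile_mail(b'<?xml version="1.0" encoding="UTF-8"?>')
    print("Rebuilt", attachment_dispositions(fixed.as_string()))
```

The same walk over `msg.walk()` works on any message saved from Thunderbird's "View Source" window, so it is a quick way to confirm which client, or which build, produced the inline label before filing a bug.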