Importing SMIME certs with multiple email addresses
Steps to reproduce
- Attempt to import .p12 that has multiple emails (like [email protected] and [email protected] as alternate)
- fails
- This is the log message:
[mail] Error: OCA\Mail\Model\SmimeCertificateInfo::__construct(): Argument #2 ($emailAddress) must be of type ?string, array given, called in /var/www/nextcloud/apps/mail/lib/Service/SmimeService.php on line 170 in file '/var/www/nextcloud/apps/mail/lib/Model/SmimeCertificateInfo.php' line 22 POST /apps/mail/api/smime/certificates from 192.168.101.82 by xxxxx at Sep 24, 2025, 9:51:50 AM
The hint that let me isolate this is that it was passing an array and a string was expected.
Expected behavior
Should not be a problem having an alias.
Actual behavior
[mail] Error: OCA\Mail\Model\SmimeCertificateInfo::__construct(): Argument #2 ($emailAddress) must be of type ?string, array given, called in /var/www/nextcloud/apps/mail/lib/Service/SmimeService.php on line 170 in file '/var/www/nextcloud/apps/mail/lib/Model/SmimeCertificateInfo.php' line 22 POST /apps/mail/api/smime/certificates from 192.168.101.82 by xxxxxx at Sep 24, 2025, 9:51:50 AM
Mail app version
5.2.0
Nextcloud version
31.0.8
Mailserver or service
N/A
Operating system
N/A
PHP engine version
Other
Nextcloud memory caching
N/A
Web server
Other
Database
Other
Additional info
SMIME certs can have multiple addresses so Nextcloud Mail should support that.
Thanks for your issue 👍
I didn't reproduce it myself, but there's a todo in our code to add support for multiple email addresses per certificate and thus it seems valid: https://github.com/nextcloud/mail/blob/0a4626154b91370e3a527eac7b1994fdc2d06e79/lib/Service/SmimeService.php#L144
Probably something like that would make it work (at least for the first email addr):
Index: lib/Service/SmimeService.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/lib/Service/SmimeService.php b/lib/Service/SmimeService.php
--- a/lib/Service/SmimeService.php (revision 6b64cc57aa20959f7505e460d116637b3d2651f5)
+++ b/lib/Service/SmimeService.php (date 1758731463721)
@@ -153,6 +153,12 @@
throw new SmimeCertificateParserException('Certificate does not contain an email address');
}
+ if (is_array($certificateData['subject']['emailAddress'])) {
+ $emailAddress = array_shift($certificateData['subject']['emailAddress']);
+ } else {
+ $emailAddress = $certificateData['subject']['emailAddress'];
+ }
+
$purposes = new SmimeCertificatePurposes(false, false);
foreach ($certificateData['purposes'] as $purpose) {
[$state, $_, $name] = $purpose;
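Review bot: In the added `is_array` branch, `array_shift()` keeps only the first address and also removes it from `$certificateData`, so the remaining addresses on the certificate are dropped silently and the parsed data is modified as a side effect. Reading the first element without mutation, for example `$certificateData['subject']['emailAddress'][0] ?? null`, avoids the side effect, and a short comment stating that only the first address is used would make the limitation explicit. It is also worth checking that the selected element is a string before it reaches the `?string` constructor argument named in the error from the report.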
@@ -169,7 +175,7 @@
$caBundle = [$this->certificateManager->getAbsoluteBundlePath()];
return new SmimeCertificateInfo(
$certificateData['subject']['CN'] ?? null,
- $certificateData['subject']['emailAddress'] ?? $certificateData['subject']['CN'],
+ $emailAddress ?? $certificateData['subject']['CN'],
$certificateData['validTo_time_t'],
$purposes,
openssl_x509_checkpurpose($certificate, X509_PURPOSE_ANY, $caBundle, $decryptedCertificateFile) === true,
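Review bot: In the `new SmimeCertificateInfo(` call, `$emailAddress ?? $certificateData['subject']['CN']` still passes the CN as the e-mail address whenever `$emailAddress` is null, which after the first hunk includes an empty `emailAddress` array, and a CN is not necessarily an address. Consider throwing the `SmimeCertificateParserException` used earlier in this function instead of falling back to the CN. Note also that the `??` on the removed line tolerated a missing `emailAddress` key, while the new `is_array()` check and `else` branch read that key without a guard.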
Thanks!
This isn't about multiple email addresses, but it goes along with parsing certificates. Most US Government organizations do not put the email address where the mail.app expects, thus, I cannot import a government certificate and encrypt email to the sender. The email address is actually kept in the Subject Alternative Name: email: field. For example:
X509v3 Extended Key Usage:
E-mail Protection, 1.3.6.1.4.1.311.10.3.12, 1.2.840.113583.1.1.5
X509v3 Subject Alternative Name:
email:[email protected]
X509v3 CRL Distribution Points:
Full Name:
In a normal certificate from ssl.com or wherever you get your smime certs from, the email address is listed in the Subject and the SAN.
Should I open a new ticket or will this ticket fix what I am describing?
Never mind, I looked at the file and found the following comment:
// TODO: support parsing email addresses from SANs
This would fix the issue I am seeing. I will look for the issue and add myself to the updates.
Thank You!
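The two cases raised in this thread (a subject `emailAddress` that is an array, and an address that exists only in the Subject Alternative Name) can be handled by one collection step. The following is an added example, not code from the Nextcloud Mail app: `collectCertificateEmails()` is a hypothetical helper, and the sample arrays are constructed to match the shape returned by PHP's `openssl_x509_parse()`.

```php
<?php
declare(strict_types=1);

/**
 * Collect every e-mail address from openssl_x509_parse() output:
 * subject emailAddress (string or array) plus SAN "email:" entries.
 * Hypothetical helper, not part of the Mail app.
 *
 * @return string[] lower-cased, de-duplicated, subject addresses first
 */
function collectCertificateEmails(array $certificateData): array {
    // A single address is a string, several addresses are an array
    $candidates = (array)($certificateData['subject']['emailAddress'] ?? []);

    // PHP renders the SAN extension as one string: "email:a@b.c, DNS:host".
    // Splitting on commas is enough for email entries; other entry types
    // (DirName, othername) are skipped.
    $san = $certificateData['extensions']['subjectAltName'] ?? '';
    foreach (explode(',', is_string($san) ? $san : '') as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'email:') === 0) {
            $candidates[] = substr($entry, strlen('email:'));
        }
    }

    $emails = [];
    foreach ($candidates as $candidate) {
        if (!is_string($candidate)) {
            continue;
        }
        // Lower-case so the same address from subject and SAN is stored once
        $address = strtolower(trim($candidate));
        // Drop anything that is not a syntactically valid address
        if (filter_var($address, FILTER_VALIDATE_EMAIL) !== false) {
            $emails[$address] = true;
        }
    }
    return array_keys($emails);
}

// Constructed samples shaped like openssl_x509_parse() output
$multi = ['subject' => ['CN' => 'Alice', 'emailAddress' => ['alice@example.org', 'alias@example.org']],
          'extensions' => ['subjectAltName' => 'email:Alice@example.org']];
$sanOnly = ['subject' => ['CN' => 'DOE.JOHN.1234567890'],
            'extensions' => ['subjectAltName' => 'email:john.doe@agency.example, othername:<unsupported>']];

var_dump(collectCertificateEmails($multi));   // array in subject, duplicate in SAN
var_dump(collectCertificateEmails($sanOnly)); // no subject address, SAN only
```

A caller that gets an empty array back can reject the certificate instead of treating the CN as an address.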