#5667 Decrypt messages in Thunderbird (#5824)

* wip: refactor

* wip: Register content script for Thunderbird

* refactor: move Thunderbird event handler and content script registration to an appropriate Class

* wip: update manifest.json

* wip

* wip

* wip

* wip

* wip

* wip

* added functionality to obtain pgp message from a background script

* fix openpgp undefined in content-script

* wip

* Add "thunderbird_get_current_user" to BrowserMsg

* Add "thunderbird_msg_decrypt" to BrowserMsg

* fix BrowserMsg listener names

* wip

* wip

* fix missing opgp reference in Thunderbird port

* Added pgp message decryption

* fix failing test

* run element replacer in heartbeat (runIntervalFunctionsPeriodically)

* Improved decrypted message rendering in Thunderbird

* Add cleartext signed message detection

* wip

* Add signature verification in Thunderbird (cleartext message)

* wip

* wip: Better signature verification handling

* wip

* wip

* cleanup

* Add passphrase dialog prompt in Thunderbird

* Add autoclose for completely unlock passphrase in Thunderbird

* add another case for encrypted message detection

* fix unsafe assignment of an any value

* better content script bundling

* cleanup

* Add todo in preparation for post thunderbird development

* inject scripts to thunderbird

* exclude sweetalert2 from thunderbird build

* wip

* wip

* code improvements

---------

Co-authored-by: martgil <[email protected]>
Co-authored-by: Mart <[email protected]>

Author: sosnovsky

extension/chrome/elements/passphrase.ts

@@ -200,6 +200,18 @@ View.run(
       BrowserMsg.send.passphraseEntry({ entered, initiatorFrameId });
     };
 
+    private closeDialogPageOpenedExternally = async () => {
+      if (Catch.isThunderbirdMail() && window.top === window.self) {
+        const currentTab = await messenger.tabs.query({ active: true, currentWindow: true });
+        if (currentTab.length > 0) {
+          const tabId = currentTab[0].id;
+          if (tabId) {
+            await messenger.tabs.remove(tabId);
+          }
+        }
+      }
+    };
+
     private submitHandler = async () => {
       if (await this.bruteForceProtection.shouldDisablePassphraseCheck()) {
         return;
@@ -237,10 +249,12 @@ View.run(
       }
       if (unlockCount && allPrivateKeys.length > 1) {
         Ui.toast(`${unlockCount} of ${allPrivateKeys.length} keys ${unlockCount > 1 ? 'were' : 'was'} unlocked by this pass phrase`);
+        await this.closeDialogPageOpenedExternally();
       }
       if (atLeastOneMatched) {
         await this.bruteForceProtection.passphraseCheckSucceed();
         this.closeDialog(true, this.initiatorFrameId);
+        await this.closeDialogPageOpenedExternally();
       } else {
         await this.bruteForceProtection.passphraseCheckFailed();
         this.renderFailedEntryPpPrompt();

extension/css/cryptup.css

@@ -1428,7 +1428,7 @@ td {
 .backup_neutral {
   border: none;
   border-left: 4px solid #989898;
-  padding-left: 10px;
+  padding: 6px 10px;
 }
 
 .pgp_neutral .error_container {

extension/js/common/browser/browser-msg.ts

@@ -96,6 +96,7 @@ export namespace Bm {
   export type ReRenderRecipient = { email: string };
   export type PgpBlockRetry = { frameId: string; messageSender: Dest };
   export type PgpBlockReady = { frameId: string; messageSender: Dest };
+  export type ThunderbirdOpenPassphraseDialog = { acctEmail: string; longids: string };
 
   export namespace Res {
     export type GetActiveTabInfo = {
@@ -112,6 +113,9 @@ export namespace Bm {
     export type ExpirationCacheGet<V> = Promise<V | undefined>;
     export type ExpirationCacheSet = Promise<void>;
     export type ExpirationCacheDeleteExpired = Promise<void>;
+    export type ThunderbirdGetCurrentUser = string | undefined;
+    export type ThunderbirdMsgGet = messenger.messages.MessagePart | undefined;
+    export type ThunderbirdOpenPassphraseDialog = Promise<void>;
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     export type Db = any; // not included in Any below
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -128,7 +132,8 @@ export namespace Bm {
       | ExpirationCacheSet
       | ExpirationCacheDeleteExpired
       | AjaxGmailAttachmentGetChunk
-      | ConfirmationResult;
+      | ConfirmationResult
+      | ThunderbirdMsgGet;
   }
 
   export type AnyRequest =
@@ -169,6 +174,7 @@ export namespace Bm {
     | PgpBlockReady
     | PgpBlockRetry
     | ConfirmationResult
+    | ThunderbirdOpenPassphraseDialog
     | Ajax;
 
   export type AsyncRespondingHandler = (req: AnyRequest) => Promise<Res.Any>;
@@ -232,6 +238,11 @@ export class BrowserMsg {
           BrowserMsg.sendAwait(undefined, 'expirationCacheSet', bm, true) as Promise<Bm.Res.ExpirationCacheSet>,
         expirationCacheDeleteExpired: (bm: Bm.ExpirationCacheDeleteExpired) =>
           BrowserMsg.sendAwait(undefined, 'expirationCacheDeleteExpired', bm, true) as Promise<Bm.Res.ExpirationCacheDeleteExpired>,
+        thunderbirdGetCurrentUser: () =>
+          BrowserMsg.sendAwait(undefined, 'thunderbirdGetCurrentUser', undefined, true) as Promise<Bm.Res.ThunderbirdGetCurrentUser>,
+        thunderbirdMsgGet: () => BrowserMsg.sendAwait(undefined, 'thunderbirdMsgGet', undefined, true) as Promise<Bm.Res.ThunderbirdMsgGet>,
+        thunderbirdOpenPassphraseDiaglog: (bm: Bm.ThunderbirdOpenPassphraseDialog) =>
+          BrowserMsg.sendAwait(undefined, 'thunderbirdOpenPassphraseDialog', bm, true) as Promise<Bm.Res.ThunderbirdOpenPassphraseDialog>,
       },
     },
     passphraseEntry: (bm: Bm.PassphraseEntry) => {

extension/js/common/browser/env.ts

@@ -61,7 +61,7 @@ export class Env {
   }
 
   public static async webmails(): Promise<WebMailName[]> {
-    return ['gmail']; // async because storage may be involved in the future
+    return ['gmail', 'thunderbird']; // async because storage may be involved in the future
   }
 
   public static getBaseUrl() {

extension/js/common/inject.ts

@@ -57,9 +57,11 @@ export class Injector {
   }
 
   public meta = () => {
-    this.S.cached('body')
-      .addClass(`cryptup_${this.webmailName} cryptup_${this.webmailName}_${this.webmailVariant} ${Catch.browser().name}`)
-      .append(this.factory.metaStylesheet('webmail') + this.factory.metaNotificationContainer()); // xss-safe-factory
+    if (this.webmailName === 'gmail') {
+      this.S.cached('body')
+        .addClass(`cryptup_${this.webmailName} cryptup_${this.webmailName}_${this.webmailVariant} ${Catch.browser().name}`)
+        .append(this.factory.metaStylesheet('webmail') + this.factory.metaNotificationContainer()); // xss-safe-factory
+    }
   };
 
   public openComposeWin = (draftId?: string, openInFullScreen?: boolean, thunderbirdMsgId?: number, replyOption?: string, replyMsgId?: string): boolean => {

extension/js/content_scripts/webmail/generic/setup-webmail-content-script.ts

@@ -37,7 +37,7 @@ export type WebmailVariantObject = {
 type WebmailSpecificInfo = {
   name: WebMailName;
   variant: WebmailVariantString;
-  getUserAccountEmail: () => string | undefined;
+  getUserAccountEmail: () => Promise<string> | string | undefined;
   getUserFullName: () => string | undefined;
   getReplacer: () => WebmailElementReplacer;
   start: (
@@ -74,7 +74,7 @@ export const contentScriptSetupIfVacant = async (webmailSpecific: WebmailSpecifi
     let acctEmailInterval = 1000;
     const webmails = await Env.webmails();
     while (true) {
-      const acctEmail = webmailSpecific.getUserAccountEmail();
+      const acctEmail = await webmailSpecific.getUserAccountEmail();
       if (typeof acctEmail !== 'undefined') {
         win.account_email_global = acctEmail;
         if (webmails.includes(webmailSpecific.name)) {
@@ -444,20 +444,22 @@ export const contentScriptSetupIfVacant = async (webmailSpecific: WebmailSpecifi
       }
       const acctEmail = await waitForAcctEmail();
       const { tabId, notifications, factory, inject } = await initInternalVars(acctEmail);
-      await showNotificationsAndWaitTilAcctSetUp(acctEmail, notifications);
-      Catch.setHandledTimeout(() => updateClientConfiguration(acctEmail), 0);
       const ppEvent: { entered?: boolean } = {};
       const relayManager = new RelayManager();
-      browserMsgListen(acctEmail, tabId, inject, factory, notifications, relayManager, ppEvent);
       const clientConfiguration = await ClientConfiguration.newInstance(acctEmail);
-      await startPullingKeysFromEkm(
-        acctEmail,
-        clientConfiguration,
-        factory,
-        ppEvent,
-        notifications,
-        Catch.try(() => notifyExpiringKeys(acctEmail, clientConfiguration, notifications))
-      );
+      if (webmailSpecific.name === 'gmail') {
+        Catch.setHandledTimeout(() => updateClientConfiguration(acctEmail), 0);
+        await showNotificationsAndWaitTilAcctSetUp(acctEmail, notifications);
+        browserMsgListen(acctEmail, tabId, inject, factory, notifications, relayManager, ppEvent);
+        await startPullingKeysFromEkm(
+          acctEmail,
+          clientConfiguration,
+          factory,
+          ppEvent,
+          notifications,
+          Catch.try(() => notifyExpiringKeys(acctEmail, clientConfiguration, notifications))
+        );
+      }
       await webmailSpecific.start(acctEmail, clientConfiguration, inject, notifications, factory, relayManager);
     } catch (e) {
       if (e instanceof TabIdRequiredError) {
@@ -509,7 +511,11 @@ export const contentScriptSetupIfVacant = async (webmailSpecific: WebmailSpecifi
     };
 
     win.vacant = () => {
-      return !$('.' + win.destroyable_class).length;
+      if (Catch.isThunderbirdMail()) {
+        return true;
+      } else {
+        return !$('.' + win.destroyable_class).length;
+      }
     };
 
     win.TrySetDestroyableInterval = (code, ms) => {

extension/js/content_scripts/webmail/thunderbird/thunderbird-element-replacer.ts

@@ -2,12 +2,144 @@
 
 'use strict';
 
-import { IntervalFunction, WebmailElementReplacer } from '../generic/webmail-element-replacer';
+import { BrowserMsg } from '../../../common/browser/browser-msg.js';
+import { KeyUtil } from '../../../common/core/crypto/key.js';
+import { DecryptError, DecryptErrTypes, MsgUtil } from '../../../common/core/crypto/pgp/msg-util.js';
+import { OpenPGPKey } from '../../../common/core/crypto/pgp/openpgp-key.js';
+import { PgpArmor } from '../../../common/core/crypto/pgp/pgp-armor';
+import { Catch } from '../../../common/platform/catch';
+import { ContactStore } from '../../../common/platform/store/contact-store.js';
+import { KeyStore } from '../../../common/platform/store/key-store.js';
+import { Xss } from '../../../common/platform/xss.js';
+import { IntervalFunction, WebmailElementReplacer } from '../generic/webmail-element-replacer.js';
+import * as openpgp from 'openpgp';
 
 export class ThunderbirdElementReplacer extends WebmailElementReplacer {
-  public getIntervalFunctions: () => IntervalFunction[];
   public setReplyBoxEditable: () => Promise<void>;
   public reinsertReplyBox: (replyMsgId: string) => void;
   public scrollToReplyBox: (replyMsgId: string) => void;
   public scrollToCursorInReplyBox: (replyMsgId: string, cursorOffsetTop: number) => void;
+  private emailBodyFromThunderbirdMail: string;
+
+  public getIntervalFunctions = (): IntervalFunction[] => {
+    return [{ interval: 2000, handler: () => this.replaceThunderbirdMsgPane() }];
+  };
+
+  public replaceThunderbirdMsgPane = async () => {
+    if (Catch.isThunderbirdMail()) {
+      const fullMsg = await BrowserMsg.send.bg.await.thunderbirdMsgGet();
+      if (!fullMsg) {
+        return;
+      } else {
+        const acctEmail = await BrowserMsg.send.bg.await.thunderbirdGetCurrentUser();
+        const parsedPubs = (await ContactStore.getOneWithAllPubkeys(undefined, String(acctEmail)))?.sortedPubkeys ?? [];
+        const signerKeys = parsedPubs.map(key => KeyUtil.armor(key.pubkey));
+        if (this.isPublicKeyEncryptedMsg(fullMsg)) {
+          const result = await MsgUtil.decryptMessage({
+            kisWithPp: await KeyStore.getAllWithOptionalPassPhrase(String(acctEmail)),
+            encryptedData: this.emailBodyFromThunderbirdMail,
+            verificationPubs: signerKeys,
+          });
+          if (result.success && result.content) {
+            const decryptedMsg = result.content.toUtfStr();
+            const encryptionStatus = result.isEncrypted ? 'encrypted' : 'not encrypted';
+            let verificationStatus = '';
+            if (result?.signature) {
+              if (result.signature.match) {
+                verificationStatus = 'signed';
+              } else if (result.signature.error) {
+                verificationStatus = `could not verify signature: ${result.signature.error}`;
+              } else {
+                verificationStatus = 'not signed';
+              }
+            }
+            const pgpBlock = this.generatePgpBlockTemplate(encryptionStatus, verificationStatus, decryptedMsg);
+            $('body').html(pgpBlock); // xss-sanitized
+          } else {
+            const decryptErr = result as DecryptError;
+            let decryptionErrorMsg = '';
+            if (decryptErr.error && decryptErr.error.type === DecryptErrTypes.needPassphrase) {
+              const acctEmail = String(await BrowserMsg.send.bg.await.thunderbirdGetCurrentUser());
+              const longids = decryptErr.longids.needPassphrase.join(',');
+              decryptionErrorMsg = `decrypt error: private key needs to be unlocked by your passphrase.`;
+              await BrowserMsg.send.bg.await.thunderbirdOpenPassphraseDiaglog({ acctEmail, longids });
+            } else {
+              decryptionErrorMsg = `decrypt error: ${(result as DecryptError).error.message}`;
+            }
+            const pgpBlock = this.generatePgpBlockTemplate(decryptionErrorMsg, 'not signed', this.emailBodyFromThunderbirdMail);
+            $('body').html(pgpBlock); // xss-sanitized
+          }
+        } else if (this.isCleartextMsg(fullMsg)) {
+          const message = await openpgp.readCleartextMessage({ cleartextMessage: this.emailBodyFromThunderbirdMail });
+          const result = await OpenPGPKey.verify(message, await ContactStore.getPubkeyInfos(undefined, signerKeys));
+          let verificationStatus = '';
+          let signedMessage = '';
+          if (result.match && result.content) {
+            verificationStatus = 'signed';
+            signedMessage = result.content.toUtfStr();
+          } else if (result.error) {
+            verificationStatus = `could not verify signature: ${result.error}`;
+          }
+          const pgpBlock = this.generatePgpBlockTemplate('not encrypted', verificationStatus, signedMessage);
+          $('body').html(pgpBlock); // xss-sanitized
+        }
+        // todo: detached signed message via https://github.com/FlowCrypt/flowcrypt-browser/issues/5668
+      }
+    }
+  };
+
+  private generatePgpBlockTemplate = (encryptionStatus: string, verificationStatus: string, messageToRender: string): string => {
+    return `
+      <div ${encryptionStatus === 'encrypted' ? 'class="pgp_secure"' : 'class="pgp_neutral"'}>
+        <div>
+          <div id="pgp_encryption" class="pgp_badge short ${encryptionStatus === 'encrypted' ? 'green_label' : 'red_label'}">${encryptionStatus}</div>
+          <div id="pgp_signature" class="pgp_badge short ${verificationStatus === 'signed' ? 'green_label' : 'red_label'}">${verificationStatus}</div>
+        </div>
+        <div class="pgp_block">
+        <pre>${Xss.escape(messageToRender)}</pre>
+        </div>
+      </div>`;
+  };
+
+  private isCleartextMsg = (fullMsg: messenger.messages.MessagePart): boolean => {
+    return (
+      (fullMsg.headers &&
+        'openpgp' in fullMsg.headers &&
+        fullMsg.parts &&
+        fullMsg.parts[0]?.parts?.length === 1 &&
+        fullMsg.parts[0].parts[0].contentType === 'text/plain' &&
+        this.resemblesCleartextMsg(fullMsg.parts[0].parts[0].body?.trim() || '')) ||
+      false
+    );
+  };
+
+  private resemblesCleartextMsg = (body: string) => {
+    this.emailBodyFromThunderbirdMail = body;
+    return (
+      body.startsWith(PgpArmor.ARMOR_HEADER_DICT.signedMsg.begin) &&
+      body.includes(String(PgpArmor.ARMOR_HEADER_DICT.signedMsg.middle)) &&
+      body.endsWith(String(PgpArmor.ARMOR_HEADER_DICT.signedMsg.end))
+    );
+  };
+
+  private isPublicKeyEncryptedMsg = (fullMsg: messenger.messages.MessagePart): boolean => {
+    if (fullMsg.headers && 'openpgp' in fullMsg.headers && fullMsg.parts) {
+      return (
+        (fullMsg.parts[0]?.parts?.length === 2 &&
+          fullMsg.parts[0]?.parts[1].contentType === 'application/pgp-encrypted' &&
+          this.resemblesAsciiArmoredMsg(fullMsg.parts[0]?.parts[0].body?.trim() || '')) ||
+        (fullMsg.parts[0]?.parts?.length === 1 &&
+          fullMsg.parts[0]?.contentType === 'multipart/mixed' &&
+          this.resemblesAsciiArmoredMsg(fullMsg.parts[0]?.parts[0].body?.trim() || '')) ||
+        (fullMsg.parts.length === 1 && fullMsg.parts[0]?.contentType === 'text/plain' && this.resemblesAsciiArmoredMsg(fullMsg.parts[0]?.body?.trim() || '')) ||
+        false
+      );
+    }
+    return false;
+  };
+
+  private resemblesAsciiArmoredMsg = (body: string): boolean => {
+    this.emailBodyFromThunderbirdMail = body;
+    return body.startsWith(PgpArmor.ARMOR_HEADER_DICT.encryptedMsg.begin) && body.endsWith(PgpArmor.ARMOR_HEADER_DICT.encryptedMsg.end as string);
+  };
 }

extension/js/content_scripts/webmail/thunderbird/thunderbird-webmail-startup.ts

@@ -1,38 +1,29 @@
 /* ©️ 2016 - present FlowCrypt a.s. Limitations apply. Contact [email protected] */
-import { ClientConfiguration } from '../../../common/client-configuration';
-import { Injector } from '../../../common/inject';
-import { Notifications } from '../../../common/notifications';
+import { BrowserMsg } from '../../../common/browser/browser-msg';
 import { contentScriptSetupIfVacant } from '../generic/setup-webmail-content-script';
-import { GmailElementReplacer } from '../gmail/gmail-element-replacer';
 import { ThunderbirdElementReplacer } from './thunderbird-element-replacer';
 
 export class ThunderbirdWebmailStartup {
-  private replacer: GmailElementReplacer;
+  private replacer: ThunderbirdElementReplacer;
 
   public asyncConstructor = async () => {
     await contentScriptSetupIfVacant({
       name: 'thunderbird',
       variant: undefined,
-      getUserAccountEmail: () => undefined, // todo, but can start with undefined
+      getUserAccountEmail: async () => String(await BrowserMsg.send.bg.await.thunderbirdGetCurrentUser()),
       getUserFullName: () => undefined, // todo, but can start with undefined
-      getReplacer: () => new ThunderbirdElementReplacer(), // todo - add this class empty, methods do nothing
+      getReplacer: () => this.replacer,
       start: this.start,
     });
   };
 
-  private start = async (
-    acctEmail: string,
-    clientConfiguration: ClientConfiguration,
-    injector: Injector,
-    notifications: Notifications
-    // factory: XssSafeFactory, // todo in another issue
-    // relayManager: RelayManager // todo in another issue
-  ) => {
-    // injector.btns(); // todo in another issue - add compose button
+  private start = async () => {
+    this.replacer = new ThunderbirdElementReplacer();
     this.replacer.runIntervalFunctionsPeriodically();
-    await notifications.showInitial(acctEmail);
-    notifications.show(
-      'FlowCrypt Thunderbird support is still in early development, and not expected to function properly yet. Support will be gradually added in upcoming versions.'
-    );
+    // todo: show notification using Thunderbird Notification as contentscript notification or such does not work.
+    // await notifications.showInitial(acctEmail);
+    // notifications.show(
+    //   'FlowCrypt Thunderbird support is still in early development, and not expected to function properly yet. Support will be gradually added in upcoming versions.'
+    // );
   };
 }

extension/js/content_scripts/webmail/webmail.ts

@@ -17,8 +17,7 @@ declare global {
 
 Catch.try(async () => {
   // when we support more webmails, there will be if/else here to figure out which one to run
-  const browserName = Catch.browser().name;
-  if (browserName === 'thunderbird') {
+  if (Catch.isThunderbirdMail()) {
     await new ThunderbirdWebmailStartup().asyncConstructor();
   } else {
     await new GmailWebmailStartup().asyncConstructor();

extension/js/service_worker/background.ts

@@ -70,8 +70,11 @@ console.info('background.js service worker starting');
   await BgHandlers.updateUninstallUrl({});
   injectFcIntoWebmail();
 
-  // Thunderbird event handlers
   if (Catch.isThunderbirdMail()) {
-    BrowserMsg.thunderbirdSecureComposeHandler();
+    BgHandlers.thunderbirdSecureComposeHandler();
+    await BgHandlers.thunderbirdContentScriptRegistration();
+    BrowserMsg.bgAddListener('thunderbirdGetCurrentUser', BgHandlers.thunderbirdGetCurrentUserHandler);
+    BrowserMsg.bgAddListener('thunderbirdMsgGet', BgHandlers.thunderbirdMsgGetHandler);
+    BrowserMsg.bgAddListener('thunderbirdOpenPassphraseDialog', BgHandlers.thunderbirdOpenPassphraseDialog);
   }
 })().catch(Catch.reportErr);