[EMAIL PROTECTED] - Mon Feb 16 15:17:43 2004]:
> Hello OpenSSL dev team,
>
> attached you'll find a patch that allows to correctly verify files
> that have been created by the command:
>
> openssl smime -sign -binary ...
>
> The other change concerns signatures that are not encoded as base64 but
> are attached binary.
>
> The following changes have been made:
>
> apps/smime.c
> Calling SMIME_read_PKCS7 with the additional argument that holds
> the option flags.
>
> crypto/pkcs7/pk7_mime.c
> Function SMIME_read_PKCS7 needs an additional argument flags,
> that should hold the options given to the smime command.
> Calls multi_split_binary when the option -binary was used.
> Reads the signature as is when the MIME parameter
> Content-Transfer-Encoding is not set to base64.
>
> Added the functions starts_with_linebreak, find_boundary_start and
> multi_split_binary.
>
> crypto/pkcs7/pkcs7.h and
> include/openssl/pkcs7.h
> Changed declaration of the function SMIME_read_PKCS7.
>
> It will split an S/MIME envelope into parts - like the old function did -
> with the only difference that the resulting parts are not in canonical
> form and can also be binary files.
>
> I made tests on different files from some bytes up to 14 MB and it
> seems that the verification of binary contents works faster than the
> verification of canonical contents.
>
> Could you please add this change or a similar one that would allow the
> verification of signed binary files, as this seems to be used quite often
> by other S/MIME implementations (even if we know that it is not
> correct).
This couldn't be added to OpenSSL 0.9.7X because it would break binary compatibility (the extra function argument); it could be added to 0.9.8 though.

I *think* the way to handle this is to perform the canonical conversion based on the MIME headers. OpenSSL currently always does the EOL=CR+LF conversion, which is OK for text/* but other types may have different conversion or indeed none at all. Where it gets tricky is if the signed data is multipart/mixed and contains a mixture of text and binary message parts. I don't know what other implementations do though.

These kinds of complications are why I've given the advice in the past that any kind of complex MIME type should be handled with an external MIME parser. At the time the S/MIME code was written I couldn't find any usable cross-platform (or any platform) MIME parser that didn't break multipart/signed signatures, so I added a primitive one.

Steve.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
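The mismatch behind the patch request, and the header-based rule Steve proposes, as an added example that is not part of the thread or of OpenSSL's code: the signer and verifier must agree on the exact bytes under the signature, so a body signed with -binary (no EOL conversion) cannot verify against a verifier that always canonicalizes text to CR+LF. The sample MIME parts, the single-part splitter, the CRLF canonicalization routine and the `signed_body`/`needs_canonical_form` names are constructed for this illustration (OpenSSL's real conversion is only modelled here), and multipart/mixed is not handled.

```python
import hashlib

# Constructed sample parts (not from the original post): a text part mixing bare
# LF and CRLF line endings, and a binary part whose CR/LF bytes must not be touched.
TEXT_PART = b"Content-Type: text/plain\r\n\r\nline one\nline two\r\nline three\n"
BINARY_PART = b"Content-Type: application/octet-stream\r\n\r\n\x00\x01\n\x02\r\x03\r\n\x04"


def split_part(raw: bytes):
    """Split one MIME part into (headers, body) at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def canonicalize_eol(body: bytes) -> bytes:
    """Text canonical form as modelled here: every lone CR or LF becomes CRLF."""
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c == 0x0D and i + 1 < len(body) and body[i + 1] == 0x0A:
            i += 1  # already CRLF: consume the LF as part of this pair
        if c in (0x0D, 0x0A):
            out += b"\r\n"
        else:
            out.append(c)
        i += 1
    return bytes(out)


def needs_canonical_form(content_type: str, binary_flag: bool) -> bool:
    """Header-based rule: canonicalize text/* only; -binary disables it entirely."""
    if binary_flag:
        return False
    return content_type.split(";")[0].strip().lower().startswith("text/")


def signed_body(raw_part: bytes, binary_flag: bool = False) -> bytes:
    """The bytes that actually go under the signature for this part."""
    headers, body = split_part(raw_part)
    if needs_canonical_form(headers.get("content-type", ""), binary_flag):
        return canonicalize_eol(body)
    return body


def signed_body_digest(raw_part: bytes, binary_flag: bool = False) -> str:
    """Digest a verifier would compare against the signed attribute."""
    return hashlib.sha256(signed_body(raw_part, binary_flag)).hexdigest()
```

A text part signed with -binary and verified without it yields different digests, which is exactly the verification failure the patch targets; a non-text part is left alone by the header rule, so both sides agree whether or not -binary was given.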
