Wim,
Thanks for your tip, I am going to try it out when I get the monkey off my back.

I have done a workaround for now and am not using openssl, but using outlook200 to send the mails, but using a Perl script to send them.
Here is the example code: Of course the outlook is being used to sign all outgoing mails.
Right now I am fighting to figure out how to validate from inside of outlook.
------------------------------------------------------------------------
use Win32::OLE;
use Win32::OLE::Const;

my $Outlook = Win32::OLE->new('Outlook.Application'); # , 'Quit'
# Load the Outlook type-library constants (olMailItem etc.) into a hash ref
my $ol = Win32::OLE::Const->Load($Outlook);
my $namespace = $Outlook->GetNamespace("MAPI");
my $Folder = $namespace->GetDefaultFolder($ol->{olFolderOutbox});
my $MyItem = $Outlook->CreateItem($ol->{olMailItem}); # Create new item.
my $objRecipient = $MyItem->Recipients()->Add("michael.dupont\@mciworldcom.de");
$objRecipient->Resolve();
# Attach the file by value at position 1 with a display name
my $objAttachment = $MyItem->Attachments->Add('c:\temp\SOME_FILE.tx', $ol->{olByValue}, 1, "Bogus File");
$MyItem->{Subject} = "Test File";
$MyItem->{Body} = "This is a test body";
$MyItem->Save();
$MyItem->Send();
------------------------------------------------------------------------
As soon as I get some more time, I will be trying out your technique in detail.

I wish that it was easier to use SMIME, and I think a lot of potential users are scared away from the complexity of OpenSSL.
I think the best thing for the world is to come up with a unification of the smime tool, openssl and the MIME toolkit.
Not all of the DLLs provide a nice user interface, but the Outlook Client gives one a really good Programmatic interface to email (but not security).
A GOOD and EASY to use Security API is missing from outlook, perl and openssl.
For the openssl world, some of the user interface from outlook would be nice, and an easier API would be great.

Java has what seems to be an easier API:
http://java.sun.com/products/jdk/1.2/docs/guide/security/index.html
http://java.sun.com/docs/books/tutorial/security1.2/apisign/vstep4.html
"boolean verifies = sig.verify(sigToVerify);"

If an IDL were to be defined, one could create language bindings for all languages.
Is there an OpenSSL IDL, to provide a higher level easier to use api to openssl?
That would be interesting.

Another thought would be to look at the current microsoft crypto implementation structure for ideas on how the openssl can be made more friendly to win2k/winnt.
I have been looking into the microsoft DLL structure used by Outlook to provide the service.
Interestingly enough some of these dlls are provided by WINE.
The key function is WinVerifyTrust, of course this is a cryptic function.
Here is the result of what I found:

DLL            Description
-------------  ------------------------------------------------------------
WINTRUST.DLL   WINDOWS TRUST VERIFICATION APIS  * THIS IS A KEY USER DLL
-------------  ------------------------------------------------------------
CRYPT32.DLL    CRYPTO API32
CRYPTDLG.DLL   MICROSOFT COMMON CERTIFICATE DIALOGS
CRYPTNET.DLL   CRYPTO NETWORK RELATED APIS
DIGEST.DLL     DIGEST SSPI AUTHENTICATION PACKAGE
EXSEC32.DLL    DIGSIG32
MSAPPSSPC.DLL  DPA SECURITY PACKAGE
MSASN1.DLL     ASN.1 RUNTIME API
MSNSSPC.DLL    MSN SECURITY PACKAGE
MSOERT2.DLL    MICROSOFT OUTLOOK EXPRESS RT LIB
MSV1_0.DLL     MICROSOFT AUTHENTICATION PACKAGE V1.0
OUTLMIME.DLL   OUTLOOK MAPI/MIME CONVERTER
RSAENH.DLL     MICROSOFT ENHANCED CRYPTOGRAPHIC PROVIDER (US/CANADA ONLY, NOT FOR EXPORT)
SECUR32.DLL    SECURITY SUPPORT PROVIDER INTERFACE
SECURITY.DLL   SECURITY SUPPORT PROVIDER INTERFACE
WLDSAP32.DLL   W32 LDAP API DLL
-------------  ------------------------------------------------------------
INETCOM.DLL    MICROSOFT INTERNET MESSAGING API
INETRES.DLL    MICROSOFT INTERNET MESSAGING API RESOURCES
MSLS31.DLL     MICROSOFT LINE SERVICES LIB FILE
-------------  ------------------------------------------------------------
Anyway,
this is just a brain dump of what I have been thinking about,
maybe it is of interest?
Mike
-----Original Message-----
From: Wim Kerkhoff [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 19. April 2001 17:31
To: [EMAIL PROTECTED]
Subject: Re: yet another newbie: SMIME sign corrupting messages with multiple attachments
"Dupont, Michael" wrote:
>
> Hello,
>
> This is the newest installment in the series of absolute beginner
> questions about openssl.
>
> I have a question about using openssl smime on a file with multiple
> attachments :
>
> We are using perl MIME::Lite to create a file with lots of attachments,
> then signing it with "OpenSSL smime -sign".
> The original mail is packaged as a plain text mime in the signed
> message, and the attachments are not properly displayed.
>
> There is a smime tool for perl that can be used, but do I have to use
> it?
> SMIME TOOL 29.10.1999, 17.11.1999, Sampo Kellomaki <[EMAIL PROTECTED]>
>
> Thanks for the tip in advance.
> Mike

I've been using MIME::Entity. After looking at MIME::Lite's man page
briefly, I'd say the way I use MIME::Entity isn't much "heavier" than
use of MIME::Lite.

Basically what I do is create a multipart/mixed MIME structure, which
holds both the original message and the attachments, with their
appropriate Dispositions and encodings and Filenames and so forth. Of
this, I use just the multipart/mixed MIME structure, not the main
headers. I then call 'openssl smime -sign -in tmpfile -out signedfiled
-signer privatekey.pem'. For the actual
To/From/Subject/Reply-To/X-Mailer/etc headers, I use a separate
MIME::Entity, from which I take only the headers. These headers plus the
MIME structure make a working signed message. This message is piped to
'sendmail -t'.

I was having problems lately, where if there were no attachments,
Outlook Express would barf and give a 'low memory or disk space' error
when attempting to view the message. I traced this down, and it only
happened when I was creating multipart/mixed MIME messages, but with
only one text/html part (the original message). So, in that case I don't
bother creating a multipart message, I just use one simple single
text/html part. So, now that problem is fixed, and I have
signing/encrypting/decrypting/verifying fully working between NS Mail,
OE, and acmemail (web based IMAP client). Oh, and I'm starting to sign
all messages that automatically get sent out by scripts on our website.

Is the way I'm doing it kludgy? Probably. Is there a better way? I
dunno... 'openssl smime' doesn't handle the creation of complex
multipart MIME structures very well. Yet, you can't just create a normal
email with full headers + multipart/whatever body, as it will sign the
whole thing, and can't be sent out. It took me a while to piece this all
together, but now that it works I don't want to touch it :-)

Things that tripped me up for hours, giving me corrupted messages:
- bad line endings... I was doing \r\n in some places, but \n seems to
  be enough now.
- OE would only work nicely with multipart/mixed, not /related or
  /alternative
- spaces between headers, "This is an S/MIME signed message", and the
  multipart/* structure
- getting openssl to play nicely with passphrases (ended up using
  '-passin file:tmp_passphrase_file')
- conflicting headers between what 'openssl smime' creates and what
  MIME::Entity creates and what email clients expect

Here's a little snip of code that creates the MIME structure for
signing, using MIME::Entity:

use MIME::Entity;

# $body, $attachment, $filename and $attachment_type are set elsewhere
# in the program.

# the MIME structure that will be used for signing,
# afterwards the full headers get stuck on top
# only used when there are attachments...
# things are undef'd here to force MIME::Entity not to create those headers
# when ->stringify is called
# It does make sense in the context of the rest of my code.
my $skimpy_top = MIME::Entity->build(
    To                          => undef,
    Subject                     => undef,
    From                        => undef,
    'Reply-To'                  => undef,
    Cc                          => undef,
    Bcc                         => undef,
    'In-Reply-To'               => undef,
    'Return-Path'               => undef,
    'X-Mailer'                  => undef,
    'Mime-Version'              => undef,
    'Content-Transfer-Encoding' => undef,
    boundary                    => undef,
    Type                        => "multipart/mixed"
    #Type => "multipart/related" # OE doesn't play nice with /related
);

# make the main body a MIME attachment
$skimpy_top->attach(
    Data     => [ $body ],
    Type     => "text/plain",
    Charset  => "us-ascii",
    Encoding => "7bit"
);

# attach the attachment... here is where you can loop through
# and attach multiple attachments
$skimpy_top->attach(
    Data        => $attachment,
    Filename    => $filename,
    Type        => $attachment_type,
    Disposition => 'attachment',
    Encoding    => '-SUGGEST'
);

# create the MIME structure
my $unsigned_data = $skimpy_top->stringify;

So I hope all that helps you out somehow :-)
--
Regards,
Wim Kerkhoff, Software Engineer
Merilus, Inc. -|- http://www.merilus.com
Email: [EMAIL PROTECTED]
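
The procedure described in the message above (build the bare multipart/mixed structure, sign it with 'openssl smime -sign', put the mail headers on top), as an added shell example that is not code from either message. The throwaway self-signed certificate, passphrase file, addresses, boundary and message content are constructed for the demo; it also checks that a copy with a changed attachment fails verification.

```shell
# Added example: sign only the MIME body, then prepend the mail headers.
# Key, passphrase, addresses and message content are constructed for the demo.
smime_demo() {
    d=$(mktemp -d) || return 1
    printf 'demo-passphrase\n' > "$d/pass"
    # Throwaway self-signed signer; the key is encrypted, so -passin is needed later
    openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=demo signer' \
        -passout "file:$d/pass" -keyout "$d/key.pem" -out "$d/cert.pem" \
        2>/dev/null || return 1
    # The multipart/mixed structure alone: no To/From/Subject headers
    cat > "$d/body.txt" <<'EOF'
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

This is a test body
--demo-boundary
Content-Type: text/plain; name="note.txt"
Content-Disposition: attachment; filename="note.txt"
Content-Transfer-Encoding: 7bit

attachment contents
--demo-boundary--
EOF
    # Detached signature; openssl writes its own MIME-Version/Content-Type headers
    openssl smime -sign -in "$d/body.txt" -out "$d/signed.txt" \
        -signer "$d/cert.pem" -inkey "$d/key.pem" \
        -passin "file:$d/pass" 2>/dev/null || return 1
    # Mail headers go directly above openssl's headers, with no blank line between
    { printf 'From: sender@example.com\nTo: rcpt@example.com\nSubject: Test File\n'
      cat "$d/signed.txt"; } > "$d/mail.txt"
    # A copy with one changed word inside the attachment part
    sed 's/attachment contents/attachment c0ntents/' "$d/mail.txt" > "$d/bad.txt"
    rc=0
    # The self-signed certificate is its own trust anchor here
    openssl smime -verify -in "$d/mail.txt" -CAfile "$d/cert.pem" \
        -out "$d/verified.txt" 2>/dev/null || rc=1
    grep -q 'multipart/mixed' "$d/verified.txt" 2>/dev/null || rc=1
    grep -q 'attachment contents' "$d/verified.txt" 2>/dev/null || rc=1
    # The altered copy must be rejected
    openssl smime -verify -in "$d/bad.txt" -CAfile "$d/cert.pem" \
        -out /dev/null 2>/dev/null && rc=1
    rm -rf "$d"
    return "$rc"
}
```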