On Mon, Nov 17, 2003, Alex Marandon wrote:

> Hello,
> 
> I have a problem to decrypt S/MIME email produced by a third party
> application and I hope you'll be able to bring me some light.
> 
> The problem happens when X509_NAME_ENTRY's of the local certificate are
> compared with those of the matching certificate included in the message
> (function X509_NAME_cmp() of crypto/x509/x509_cmp.c, at line 270)
> 
> With messages produced by openssl itself or, for example, Outlook
> Express, X509_NAME_ENTRY's are viewed by OpenSSL as being of the
> V_ASN1_PRINTABLESTRING type, even if they have latin characters.  But
> with the particular application I'm dealing with, entries with
> latin characters are viewed as being of the V_ASN1_T61STRING type by
> OpenSSL. Consequently, X509_NAME_cmp()'s type comparison fails, because
> openssl finds V_ASN1_PRINTABLESTRING in the local certificate and
> V_ASN1_T61STRING in the provided message.
> 
> For example I was able to decrypt by adding 
> 
>    if ( nb->value->type == V_ASN1_T61STRING ) {
>        nb->value->type = V_ASN1_PRINTABLESTRING;
>    }
> 
> before the type comparison (you'll probably laugh at such a poor
> workaround, I'm open to better ones)
> 
> I wonder if this is a problem in the third party software, and I'll be
> interested to know if you know what they are doing wrong.
> 
> I attach a tarball with the message and the key pair which brings the
> problem.
> 
> Here is the output of openssl smime when I run it on these files:
> 

X509_NAME_cmp() doesn't have anything to do with the message content as such;
it's associated with the certificate matching code which finds the appropriate
recipient certificate.

The PrintableString type does *not* permit latin characters; in fact it has a
very limited character range (excluding characters such as '@'). OpenSSL
should never produce latin characters in PrintableStrings, but it will tolerate
them in supplied certificates, at least in current versions.

I'd say from the example that the certificate and/or the third party
software is broken if it produces latin characters in PrintableStrings.

On top of that it looks broken in that it doesn't correctly include the issuer
name in the PKCS#7 structure. The only really safe way to do this is to copy
the Name structure verbatim.

If you could send me the message and certificate (not the private key!) I'll
confirm that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
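The type mismatch discussed in both messages above (a T61String in the message versus a PrintableString in the local certificate, and the coercion in the quoted workaround) can be reproduced without OpenSSL. The Python below is an added example, not code from this thread or from OpenSSL: it hand-builds two DER-encoded X.509 Names carrying the same Latin-1 commonName, one tagged PrintableString and one T61String, compares them entry by entry the way X509_NAME_cmp() does (attribute type, string tag and value), and lints PrintableString values for characters outside the PrintableString repertoire (which excludes '@' and all latin characters). The sample names, the byte values and the `coerce_t61` option are constructed here for illustration; the tag numbers 0x13 and 0x14 are the standard ASN.1 tags that OpenSSL's V_ASN1_PRINTABLESTRING and V_ASN1_T61STRING constants also use.

```python
# Added example (not from the thread or from OpenSSL): minimal DER builder and
# parser for X.509 Name structures, a PrintableString repertoire check, and an
# X509_NAME_cmp-style comparison. Standard library only; all inputs constructed.

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
V_ASN1_PRINTABLESTRING, V_ASN1_T61STRING = 0x13, 0x14   # ASN.1 universal tags 19 and 20
OID_COMMON_NAME = bytes.fromhex("550403")                 # id-at-commonName, 2.5.4.3

# Characters permitted in an ASN.1 PrintableString (X.680): no '@', no latin-1.
PRINTABLE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


def der_tlv(tag, content):
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def build_name(entries):
    """entries: [(oid_bytes, string_tag, value_bytes), ...] -> DER Name
    (SEQUENCE of single-attribute SETs, one RDN per entry)."""
    rdns = b"".join(
        der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, oid) + der_tlv(tag, val)))
        for oid, tag, val in entries
    )
    return der_tlv(TAG_SEQUENCE, rdns)


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        pos += 2 + k
    return tag, buf[pos:pos + n], pos + n


def parse_name(der):
    """Flatten a DER Name into [(oid_bytes, string_tag, value_bytes), ...]."""
    tag, rdn_seq, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(rdn_seq):
        set_tag, rdn, pos = read_tlv(rdn_seq, pos)
        if set_tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)      # AttributeTypeAndValue
            _, oid, p = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, p)
            entries.append((oid, vtag, val))
    return entries


def printable_violations(der):
    """Characters found in PrintableString attributes that the type does not allow."""
    bad = []
    for _oid, tag, val in parse_name(der):
        if tag == V_ASN1_PRINTABLESTRING:
            bad.extend(sorted({chr(b) for b in val if chr(b) not in PRINTABLE_CHARS}))
    return bad


def names_match(der_a, der_b, coerce_t61=False):
    """Entry-by-entry comparison of attribute OID, string tag and value, as
    X509_NAME_cmp() does. coerce_t61=True mirrors the workaround quoted in the
    question: T61String is treated as PrintableString before comparing, so two
    names then match on value alone even though their encodings differ."""
    a, b = parse_name(der_a), parse_name(der_b)
    if len(a) != len(b):
        return False

    def norm(t):
        return V_ASN1_PRINTABLESTRING if coerce_t61 and t == V_ASN1_T61STRING else t

    return all(oa == ob and norm(ta) == norm(tb) and va == vb
               for (oa, ta, va), (ob, tb, vb) in zip(a, b))


# Constructed samples: CN "Müller" with a Latin-1 u-umlaut (0xFC), once
# mislabelled as PrintableString (the local certificate in the question),
# once correctly tagged T61String (the recipient info in the message).
CN_LATIN1 = b"M\xfcller"
LOCAL_CERT_NAME = build_name([(OID_COMMON_NAME, V_ASN1_PRINTABLESTRING, CN_LATIN1)])
MESSAGE_NAME = build_name([(OID_COMMON_NAME, V_ASN1_T61STRING, CN_LATIN1)])

if __name__ == "__main__":
    print("PrintableString violations in local cert:", printable_violations(LOCAL_CERT_NAME))
    print("strict match (X509_NAME_cmp style):", names_match(LOCAL_CERT_NAME, MESSAGE_NAME))
    print("match with T61 coercion:", names_match(LOCAL_CERT_NAME, MESSAGE_NAME, coerce_t61=True))
```

Run against the DER of a real certificate subject (for instance the bytes that `openssl x509 -outform DER` produces, sliced to the Name), `printable_violations()` tells you whether the certificate itself is the broken party, which is the question Steve raises; `names_match()` with `coerce_t61=False` is the check a recipient-matching routine should keep, since the lenient variant only hides the encoding mismatch rather than fixing it.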