openssl smime -verify doesn't validate that the From field's email address matches the email address in the signer's certificate.
It should. In fact, per RFC 2312 section 3.1, it MUST: "Receiving agents MUST check that the address in the From header of a mail message matches an Internet mail address in the signer's certificate." This check ensures that an email "From: Your Banker <ban...@example.com>", but signed by "Fred Q. Hacker <hacks.r...@example.net>", does NOT verify.

The squirrelmail smime plugin, for one, depends on openssl smime -verify to do all the required checks - so this bug has real consequences...

Here is an example/test case (in this case, the certificate used is that of a wiki administrator). This email should fail verification, but succeeds.

openssl smime -verify
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----B6C8DA2F2DE88321DDBEEEACCB9027C9"
Date: Mon, 06 Jul 2009 04:07:06 GMT
From: Your Banker <big.commerical.b...@example.com>
To: tlhack...@example.net
Subject: Hack test

This is an S/MIME signed message

------B6C8DA2F2DE88321DDBEEEACCB9027C9
Subject: Hack test

This is from Your Banker, but signed by wikiadmin.

------B6C8DA2F2DE88321DDBEEEACCB9027C9
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIHfAYJKoZIhvcNAQcCoIIHbTCCB2kCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCBTEwggUtMIIElqADAgECAgFqMA0GCSqGSIb3DQEBBQUAMIGyMR0wGwYD
VQQDExRsaXR0cy5uZXQgVHJ1c3QgUm9vdDESMBAGA1UEChMJbGl0dHMubmV0MR8w
HQYDVQQLExZOZXR3b3JrIEFkbWluaXN0cmF0aW9uMTkwNwYDVQQLEzBDb3B5cmln
aHQgKGMpIDIwMDUgbGl0dHMubmV0IEFsbCBSaWdodHMgUmVzZXJ2ZWQxITAfBgkq
hkiG9w0BCQEWEnNlY3VyaXR5QGxpdHRzLm5ldDAeFw0wODEyMTUxMjQ3NDNaFw0x
NTEyMjkxMjU3MDBaMIGyMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVz
ZXR0czEVMBMGA1UEBxMMU291dGhib3JvdWdoMRIwEAYDVQQKEwlsaXR0cy5uZXQx
HzAdBgNVBAsTFk5ldHdvcmsgQWRtaW5pc3RyYXRpb24xGzAZBgNVBAMTEldpa2kg
QWRtaW5pc3RyYXRvcjEiMCAGCSqGSIb3DQEJARYTd2lraWFkbWluQGxpdHRzLm5l
dDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA8x4beXoqcHkA+zHyF0JJRp2Z
tgHi9XP3g/Jls2TX1TQyxeKg61j1JudmL+k8VeW2sQbOnt4O5gXD08cHCjQO2tld
Rf9nITcluZfK6HJUd40DaofnZ/0pWR500tGXvq13vxLM573ZlOyWht7/jQCoQuY/
B1+aaJ7vr+wpb/kxUtMCAwEAAaOCAk8wggJLMAkGA1UdEwQCMAAwHQYDVR0OBBYE
FERGcagwR22cyf8VyO8WC0CKAo0ZMIHnBgNVHSMEgd8wgdyAFAybr/h+80JfC/l7
pWhYdH81ZGKBoYG4pIG1MIGyMR0wGwYDVQQDExRsaXR0cy5uZXQgVHJ1c3QgUm9v
dDESMBAGA1UEChMJbGl0dHMubmV0MR8wHQYDVQQLExZOZXR3b3JrIEFkbWluaXN0
cmF0aW9uMTkwNwYDVQQLEzBDb3B5cmlnaHQgKGMpIDIwMDUgbGl0dHMubmV0IEFs
bCBSaWdodHMgUmVzZXJ2ZWQxITAfBgkqhkiG9w0BCQEWEnNlY3VyaXR5QGxpdHRz
Lm5ldIIJAOCcuGBTar9IMB0GA1UdEgQWMBSBEnNlY3VyaXR5QGxpdHRzLm5ldDAt
BgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY3JsLmxpdHRzLm5ldC9jcmwuY3JsMCsG
CWCGSAGG+EIBBAQeFhxodHRwOi8vY3JsLmxpdHRzLm5ldC9jcmwuY3JsMFsGCWCG
SAGG+EIBDQROFkxSb290IGNlcnRpZmljYXRlczogaHR0cDovL3NlY3VyaXR5MS5s
aXR0cy5uZXQgYW5kIGh0dHA6Ly9zZWN1cml0eTIubGl0dHMubmV0MB4GA1UdEQQX
MBWBE3dpa2lhZG1pbkBsaXR0cy5uZXQwCwYDVR0PBAQDAgP4MB0GA1UdJQQWMBQG
CCsGAQUFBwMEBggrBgEFBQcDAjARBglghkgBhvhCAQEEBAMCBaAwDQYJKoZIhvcN
AQEFBQADgYEAozS/pFOZ4lgaQV/N6c9hP2finqwEdjVfZ6lcDPDtUCnkwJRfSifX
wj2r57hWGEU+0mO3UD+Fpzi4TqqO6qSN+RoGZaLiDtNOto3+Afdg21fP20gaMBSk
YodrMwhS5OczJHi8cmB7ecfW8H7lvaPgRubXrx1R1Loi+4HB0q+cf1YxggITMIIC
DwIBATCBuDCBsjEdMBsGA1UEAxMUbGl0dHMubmV0IFRydXN0IFJvb3QxEjAQBgNV
BAoTCWxpdHRzLm5ldDEfMB0GA1UECxMWTmV0d29yayBBZG1pbmlzdHJhdGlvbjE5
MDcGA1UECxMwQ29weXJpZ2h0IChjKSAyMDA1IGxpdHRzLm5ldCBBbGwgUmlnaHRz
IFJlc2VydmVkMSEwHwYJKoZIhvcNAQkBFhJzZWN1cml0eUBsaXR0cy5uZXQCAWow
CQYFKw4DAhoFAKCBsTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3
DQEJBTEPFw0wOTA3MDkxMjQxMzBaMCMGCSqGSIb3DQEJBDEWBBTUe8S+tW/bfUhL
wiKjw17lM2ZRIDBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3
DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDAN
BgkqhkiG9w0BAQEFAASBgDLAkaf1yNRRrSU++dDCs3m/fq+Dv3tLZep/6fjPbzlD
+nLS/ctpytaI7b5TBTIY0MibqBKfXYQ6qoa5YIk0tT22hTaz2m3RefsKtgDc0ZOt
80JRiPToZVol9diGVycYpQgGYcrp3XStcxeC5prezLB340j4g5jtJelSJLtybQH4

------B6C8DA2F2DE88321DDBEEEACCB9027C9--

Subject: Hack test

This is from Your Banker, but signed by wikiadmin.

Verification successful

openssl version
OpenSSL 0.9.8b 04 May 2006

---------------------------------------------------------
This communication may not represent my employer's views, if any, on the matters discussed.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
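The RFC 2312 section 3.1 check the post says openssl smime -verify is missing, as an added example that is not part of the original post and is not OpenSSL's or the squirrelmail plugin's code. It takes the raw mail and the signer's certificate in DER form, pulls the addr-spec out of the From header, and compares it with every address the certificate's subject asserts: the emailAddress attribute in the subject name (PKCS#9, OID 1.2.840.113549.1.9.1) and every rfc822Name in the subjectAltName extension (OID 2.5.29.17). Addresses in the issuer name are deliberately not counted, since the issuer's address says nothing about who signed. Only the Python standard library is used; a small DER walker stands in for an X.509 parser. The function names, the sample messages, the example.com/example.org/example.net addresses and the certificate-shaped DER blob are all constructed for this example (the blob is unsigned and is not a valid certificate, only the fields the check reads are present). The case-insensitive address comparison is an assumption of the example, not something the RFC text quoted above prescribes.

```python
"""Added example: RFC 2312 3.1 From-vs-signer-certificate check (stdlib only)."""
from email import message_from_string
from email.utils import parseaddr

OID_EMAIL_ADDRESS = bytes.fromhex("2a864886f70d010901")  # 1.2.840.113549.1.9.1
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")            # 2.5.29.17


def _tlv(data, pos):
    """Decode one DER TLV starting at pos; return (tag, contents, end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(contents):
    """Yield (tag, contents) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, value, pos = _tlv(contents, pos)
        yield tag, value


def certificate_emails(cert_der):
    """Every e-mail address the certificate's SUBJECT asserts, lower-cased."""
    cert = list(_children(cert_der))[0][1]            # Certificate ::= SEQUENCE {tbs, alg, sig}
    tbs = list(_children(cert))[0][1]                 # tbsCertificate contents
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                            # serial, sigAlg, issuer, validity, subject
    extensions = next((v for t, v in fields[5:] if t == 0xA3), b"")
    found = set()
    for _, rdn in _children(subject):                 # Name ::= SEQUENCE OF SET OF ATV
        for _, atv in _children(rdn):
            parts = list(_children(atv))              # AttributeTypeAndValue {OID, value}
            if len(parts) == 2 and parts[0] == (0x06, OID_EMAIL_ADDRESS) and parts[1][0] == 0x16:
                found.add(parts[1][1].decode("ascii").lower())
    for _, ext_list in _children(extensions):         # [3] wraps SEQUENCE OF Extension
        for _, ext in _children(ext_list):
            parts = list(_children(ext))              # OID, [critical BOOLEAN], OCTET STRING
            if parts[0] == (0x06, OID_SUBJECT_ALT_NAME) and parts[-1][0] == 0x04:
                general_names = _tlv(parts[-1][1], 0)[1]   # GeneralNames SEQUENCE inside the OCTET STRING
                for tag, name in _children(general_names):
                    if tag == 0x81:                   # [1] IMPLICIT rfc822Name
                        found.add(name.decode("ascii").lower())
    return found


def from_matches_signer(raw_message, signer_cert_der):
    """RFC 2312 3.1: the From addr-spec must match an address in the signer's cert."""
    _, from_addr = parseaddr(message_from_string(raw_message).get("From", ""))
    # Display name is ignored; case-insensitive comparison is this example's assumption.
    return bool(from_addr) and from_addr.lower() in certificate_emails(signer_cert_der)


# --- constructed test data (hypothetical addresses, unsigned cert-shaped DER) ---
def _der(tag, contents):
    """Minimal DER encoder; lengths below 65536 are all this example needs."""
    n = len(contents)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + contents


def build_sample_cert(subject_email, san_emails, issuer_email="security@example.net"):
    """Certificate-shaped DER carrying only the fields the check reads (constructed)."""
    def name(email):  # Name ::= SEQUENCE OF SET OF SEQUENCE {emailAddress OID, IA5String}
        atv = _der(0x30, _der(0x06, OID_EMAIL_ADDRESS) + _der(0x16, email.encode()))
        return _der(0x30, _der(0x31, atv))
    san = _der(0x30, _der(0x06, OID_SUBJECT_ALT_NAME)
               + _der(0x04, _der(0x30, b"".join(_der(0x81, e.encode()) for e in san_emails))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                      # [0] version v3
               + _der(0x02, b"\x6a")                                      # serialNumber
               + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))
               + name(issuer_email)                                       # issuer: must be ignored
               + _der(0x30, _der(0x17, b"081215124743Z") + _der(0x17, b"151229125700Z"))
               + name(subject_email)                                      # subject
               + _der(0x30, b"")                                          # subjectPublicKeyInfo stub
               + _der(0xA3, _der(0x30, san)))                             # [3] extensions
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


SIGNER_CERT = build_sample_cert("wikiadmin@example.org", ["wikiadmin@example.org", "Admin@Example.org"])
SPOOFED = "From: Your Banker <banker@example.com>\r\nTo: victim@example.net\r\nSubject: Hack test\r\n\r\nbody\r\n"
LEGIT = "From: Wiki Admin <WikiAdmin@example.org>\r\nTo: victim@example.net\r\nSubject: Hack test\r\n\r\nbody\r\n"

if __name__ == "__main__":
    print("spoofed From verifies:", from_matches_signer(SPOOFED, SIGNER_CERT))   # False
    print("matching From verifies:", from_matches_signer(LEGIT, SIGNER_CERT))    # True
```

To run this against a real message rather than the constructed blob, obtain the signer certificate from the PKCS#7 signature first (for example `openssl smime -verify -signer signer.pem`, which writes the signer's certificate, then `openssl x509 -in signer.pem -outform DER`), and only treat the message as verified when both the signature check and this address check pass. The walker deliberately navigates to the subject name and the subjectAltName extension instead of grepping the whole certificate for e-mail attributes: the issuer name in the post's own certificate carries its own emailAddress, and a naive scan would accept that address as the signer's.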