Bug in smime -verify
Hi all

I think I've encountered a bug in openssl smime. I try to verify a mail signed with Outlook using the option not to include the certificate in the signature. From what I can figure out, this should be possible with openssl using the options:

    openssl smime -verify -signer tim.crt -in message.txt -nointern -CAfile cas.crt

or

    openssl smime -verify -noverify -signer tim.crt -in message.txt -nointern

However, I always get the error:

    2278:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:317:

It seems openssl always tries to retrieve the signer's certificate, although I explicitly override this with -nointern.

Is this a known bug and/or even already fixed in the openssl 0.9.7 betas?

Attached is my test case.

Bye
Tim

From: Tim Tassonis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Eine sehr kurze Meldung
Date: Fri, 27 Dec 2002 21:05:21 +0100
MIME-Version: 1.0
Content-Type: multipart/signed; protocol=application/x-pkcs7-signature; micalg=SHA1; boundary==_NextPart_000_000D_01C2ADEB.AAE04720
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 27 Dec 2002 20:04:18.0390 (UTC) FILETIME=[2375CF60:01C2ADE3]

This is a multi-part message in MIME format.

--=_NextPart_000_000D_01C2ADEB.AAE04720
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Hallo Tim

Nur zum Test.

Tim

--=_NextPart_000_000D_01C2ADEB.AAE04720
Content-Type: application/x-pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

--=_NextPart_000_000D_01C2ADEB.AAE04720--

cas.crt
Description: Binary data

tim.crt
Description: Binary data
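
The scenario from the message above, reproduced as an added example (not part of the original post and not OpenSSL project code): a message signed without the signer certificate is verified with -nointern. The current openssl smime manual page documents -certfile as the option whose certificates are searched for the signer during -verify, and -signer in -verify mode as a file the signer certificates are written to. The file names and the self-signed test certificate are assumptions.

```shell
#!/bin/sh
# Added example. Constructed inputs: a throwaway self-signed certificate and a
# one-line message; all file names are assumptions.

setup() {
    WORK=$(mktemp -d) || return 1
    trap 'rm -rf "$WORK"' EXIT
    # Self-signed certificate: signer and its own trust anchor in this demo.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Signer" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.crt" 2>/dev/null || return 1
    printf 'Constructed test message\n' > "$WORK/msg.txt"
    # -nocerts leaves the signer certificate out of the signature, like the
    # Outlook option described in the post.
    openssl smime -sign -nocerts -in "$WORK/msg.txt" \
        -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
        -out "$WORK/signed.eml" 2>/dev/null
}

# -nointern plus -certfile: only the supplied certificate is searched.
verify_with_certfile() {
    openssl smime -verify -nointern -in "$WORK/signed.eml" \
        -certfile "$WORK/signer.crt" -CAfile "$WORK/signer.crt" \
        -out "$WORK/content.txt" 2>"$WORK/err.txt"
}

# No certificate supplied and none in the message: the SignerInfo cannot be
# matched to a certificate, so verification must fail.
verify_without_cert() {
    openssl smime -verify -nointern -in "$WORK/signed.eml" \
        -CAfile "$WORK/signer.crt" -out /dev/null 2>"$WORK/err.txt"
}

setup || { echo "setup failed" >&2; exit 1; }
if verify_with_certfile; then
    echo "with -certfile: signature verified"
fi
if ! verify_without_cert; then
    echo "without -certfile: $(grep -o 'signer certificate not found' "$WORK/err.txt")"
fi
```
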
S/MIME Library
Hi

I'm currently writing an S/MIME Gateway which transparently signs/encrypts/verifies/decrypts mail messages. As input, I get the raw mail, including all headers and MIME parts. I have already successfully parsed a pkcs12 and signed a message; however, a few things are open:

    SMIME_write_PKCS7(out_bio_buffer, p7, in_bio_buffer, flags);

lets me write the signature to an out_bio_buffer. I assume out_bio_buffer can be a memory buffer as well:

    char *out_buffer;
    BIO *out_bio_buffer;

    out_buffer = malloc(the_size_of_the_buffer);
    out_bio_buffer = BIO_new_mem_buf(out_buffer, the_size_of_the_buffer);
    SMIME_write_PKCS7(out_bio_buffer, p7, in_bio_buffer, flags);

- If this is correct, how can I find out the_size_of_the_buffer?
- If this is correct, can I then access the signature directly by reading out_buffer?

The other question is: Is there a function in the smime part of openssl that lets me extract the header from the body part of a message, so I can simply:

- extract header and body
- sign body
- put together header and signed body

and then get a valid signed mail? If not, does anybody know of a small library doing this? gmime is a bit buggy in this respect (sorry for being a bit off-topic).

Bye
Tim

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: CRL Formats
At least Netscape 4.nn however requires MIME type "application/x-pkcs7-crl" together with a DER formatted CRL, as in openssl crl. It will refuse a pkcs7 CRL, at least in DER format. Is Netscape just horribly wrong, or what is the defined CRL format for "application/x-pkcs7-crl"?

The Netscape format is AFAIK not officially documented anywhere. I only saw that MIME type in a dark corner of one of the online manuals to some version of NS certificate server and did some experiments with it. I could only get a DER encoded CRL to work.

But the question is rather: is "application/x-pkcs7-crl" officially documented somewhere, or is this a Netscape-specific MIME type? At least apache/mod_ssl uses it as well for CRLs:

    AddType application/x-pkcs7-crl .crl

My problem is that I have to provide CRLs and am getting quite unsure what format to deliver to which client using which MIME type, so I would welcome it if there were a definition of what an x-pkcs7-crl really is supposed to be. I can always have a workaround for non-standard clients, but it would be nice to at least have a standard as the default:

- Outlook Express/2000 and IE5 accept a DER CRL as application/pkix-crl.
- Netscape accepts a DER CRL as application/x-pkcs7-crl.
- Verisign CRL Distribution Point delivers a DER CRL as application/pkix-crl.

Is there anywhere a definition of what these MIME types are supposed to contain?
Re: Create PKCS#7
Does anyone have an example of the method to create a PKCS#7 EnvelopedData when the different components of the PKCS#7 EnvelopedData come from a particular application:

- recipient certificate.
- Encrypted Data.
- Wrapped Session Key.

I just know how to create a PKCS7 with the command line utility:

    openssl crl2pkcs7 -certfile infile.pem -nocrl -out outfile.p7

where infile.pem is the file holding the PEM-encoded components and outfile.p7 will contain the resulting pkcs7 file. Works great for certificate chains at least.

Bye
Tim
bad mac decode in ssl handshake
Hi

When I try to contact the following SSL site with s_client, I cannot connect:

    www.genowebpayment.de:443

I haven't got an idea what web server they're using, but I can connect successfully with Netscape Communicator 4.75 under Linux, for instance. The error occurs under 0.95a and 0.9.6-beta3 at least.

This is the command I set up:

    openssl s_client -debug -connect www.genowebpayment.de:443

And this is the output (after the verify) I get:

    verify return:0
    11479:error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode:s3_pkt.c:383:

Any ideas, anybody?

Thanks
Tim