Hi,
I found that Outlook for Mac can generate (depending on a setting) a signed message 
that does not include the sender's certificate. It works pretty well, but 
verification requires that recipients already have the sender's certificate. 
Such a message is attached.
The problem is that such a message cannot be read by openssl. Normally, if a message 
has a sender certificate, the following command prints the encapsulated message in 
smime.p7m.



    $ openssl smime -verify -noverify -nosigs -in ~/workspace/00000004.eml 
     --- content of message ---
    Verification successful


However, the current behaviour is that an error is reported instead of the content of 
the message.



    $ openssl smime -verify -noverify -in ~/workspace/00000005.eml 
    Verification failure
    139741085296288:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer 
certificate not found:pk7_smime.c:462:


The attached patch solves this issue. The signer certificate is not looked up if 
there is no need for it. Here are the results after the patch was applied.



    $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify
    Verification failure
    139737181419168:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer 
certificate not found:pk7_smime.c:472:    


   $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify -noverify
     --- content of message ---
    Verification failure
    139737181419168:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer 
certificate not found:pk7_smime.c:472:


    $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify 
-noverify -nosigs
     --- content of message ---
    Verification successful


The result for the arguments -verify -noverify corresponds to the behaviour where 
there is a certificate but the signature is not valid. The message is written out, but 
openssl returns an error.
 
---------------------------
Version: OpenSSL 1.0.1m 19 Mar 2015
OS: all affected


Regards,
František Bořánek
developer - Kerio Connect
.................................................................
Kerio Technologies s. r. o.
Anglicke nabrezi 1, 301 49 Plzen
Czech Republic
tel. +420 378 225 158
http://www.kerio.com
.................................................................
Connect. Communicate. Collaborate. Securely.

Attachment: smime.p7m
Description: S/MIME encrypted message

diff --git a/OpenSSL/crypto/pkcs7/pk7_smime.c b/OpenSSL/crypto/pkcs7/pk7_smime.c
index dbd4100..60ce734 100644
--- a/OpenSSL/crypto/pkcs7/pk7_smime.c
+++ b/OpenSSL/crypto/pkcs7/pk7_smime.c
@@ -249,7 +249,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, 
PKCS7_SIGNER_INFO *si)
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                  BIO *indata, BIO *out, int flags)
 {
-    STACK_OF(X509) *signers;
+    STACK_OF(X509) *signers = 0;
     X509 *signer;
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
     PKCS7_SIGNER_INFO *si;
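Review bot: The new initializer `STACK_OF(X509) *signers = 0;` assigns an integer literal to a pointer; the surrounding OpenSSL code spells the null pointer as `NULL`, so `STACK_OF(X509) *signers = NULL;` would match the file's convention and make the intent (no signer stack obtained yet) visible. The initialisation itself is required, because the later `if (signers)` checks now read the variable on paths that never assign it. PKCS7_verify's body continues outside the hunk.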
@@ -294,14 +294,17 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, 
X509_STORE *store,
         return 0;
     }
 
-    signers = PKCS7_get0_signers(p7, certs, flags);
-
-    if (!signers)
-        return 0;
+    if(!(flags & PKCS7_NOSIGS) || !(flags & PKCS7_NOVERIFY)) {
+        /* allow to read encapsulated data even if there is no signer */
+        signers = PKCS7_get0_signers(p7, certs, flags);
+    }
 
     /* Now verify the certificates */
-
-    if (!(flags & PKCS7_NOVERIFY))
+    if (!(flags & PKCS7_NOVERIFY)) {
+        if (!signers) {
+            return 0;
+        }
+        
         for (k = 0; k < sk_X509_num(signers); k++) {
             signer = sk_X509_value(signers, k);
             if (!(flags & PKCS7_NOCHAIN)) {
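Review bot: The added condition is written `if(!(flags & PKCS7_NOSIGS) ...` without the space the rest of the hunk uses (`if (!(flags & PKCS7_NOVERIFY)) {`), and the added blank line after `return 0; }` consists only of spaces; both would be rejected by a trailing-whitespace or style check on the OpenSSL tree. The comment `/* allow to read encapsulated data even if there is no signer */` describes the case that is skipped, yet it sits inside the branch that does look the signers up; a comment above the `if` such as `/* Signers are only needed when certificates or signatures are checked; with both PKCS7_NOSIGS and PKCS7_NOVERIFY set the encapsulated data is returned without any authentication. */` states what the condition does and makes the security consequence explicit to the next reader. The early `return 0` in this hunk appears before p7bio is created (PKCS7_dataInit is outside the hunk), so no cleanup is bypassed here, unlike the later signature-check hunk. The function's body continues outside the hunk.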
@@ -333,6 +336,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, 
X509_STORE *store,
             }
             /* Check for revocation status here */
         }
+    }
 
     /*
      * Performance optimization: if the content is a memory BIO then store
@@ -384,7 +388,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, 
X509_STORE *store,
     }
 
     /* Now Verify All Signatures */
-    if (!(flags & PKCS7_NOSIGS))
+    if (!(flags & PKCS7_NOSIGS)) {
+        if (!signers) {
+            return 0;
+        }
+        
         for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
             si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
             signer = sk_X509_value(signers, i);
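Review bot: The added `if (!signers) { return 0; }` before the signature loop bypasses the function's cleanup: by the `/* Now Verify All Signatures */` stage the content has already been pushed through `p7bio`, and the existing failure path in this same loop uses `goto err;`, which reaches the `BIO_free_all(p7bio)` at the end of the function, so the direct return leaks the BIO chain. Replacing the two added lines with `if (!signers) goto err;` keeps the 0 return, provided `ret` is still 0 at that point (its initialisation is outside the hunk; the original 1.0.1 code initialises it to 0, but confirm). On this path the content has already been written to `out` before failure is reported, which matches the existing bad-signature behaviour the submitter describes; a caller must treat output accompanied by a 0 return as unauthenticated data, and that contract deserves a one-line comment at the `goto`. PKCS7_verify's body continues outside the hunk.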
@@ -394,6 +402,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, 
X509_STORE *store,
                 goto err;
             }
         }
+    }
 
     ret = 1;
 
@@ -405,7 +414,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, 
X509_STORE *store,
     }
     BIO_free_all(p7bio);
 
-    sk_X509_free(signers);
+    if (signers)
+        sk_X509_free(signers);
 
     return ret;
 }
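Review bot: The `if (signers)` guard around `sk_X509_free(signers)` is redundant if `sk_X509_free` tolerates a NULL stack, which `sk_free` in the 1.0.x tree does by returning early on NULL as far as I recall; the unguarded call could stay as it was once `signers` is initialised. If the guard is kept for readability it is a style choice rather than a correctness fix, and the submission should say so rather than leave the reader to wonder whether a crash was being avoided. This hunk is the end of PKCS7_verify.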

Attachment: smime.p7s
Description: S/MIME cryptographic signature
