Hi, I found that Outlook for Mac can generate (depending on a setting) a signed message that does not include the sender's certificate. This works fine, but verification requires that recipients already have the sender's certificate. Such a message is attached. The problem is that such a message cannot be read by openssl. Normally, if a message carries the sender's certificate, the following command prints the encapsulated message in smime.p7m.
$ openssl smime -verify -noverify -nosigs -in ~/workspace/00000004.eml --- content of message --- Verification successful However, the current behaviour is that an error is reported instead of the content of the message: $ openssl smime -verify -noverify -in ~/workspace/00000005.eml Verification failure 139741085296288:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:462: The attached patch solves this issue: the signer certificate is not looked up when it is not needed. Here are the results after the patch was applied. $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify Verification failure 139737181419168:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:472: $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify -noverify --- content of message --- Verification failure 139737181419168:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:472: $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify -noverify -nosigs --- content of message --- Verification successful The result for the arguments -verify -noverify corresponds to the behaviour where the certificate is present but the signature is not valid: the message is written out, but openssl returns an error. --------------------------- Version: OpenSSL 1.0.1m 19 Mar 2015 OS: all affected Regards, František Bořánek developer - Kerio Connect ................................................................. Kerio Technologies s. r. o. Anglicke nabrezi 1, 301 49 Plzen Czech Republic tel. +420 378 225 158 http://www.kerio.com ................................................................. Connect. Communicate. Collaborate. Securely.
diff --git a/OpenSSL/crypto/pkcs7/pk7_smime.c b/OpenSSL/crypto/pkcs7/pk7_smime.c
index dbd4100..60ce734 100644
--- a/OpenSSL/crypto/pkcs7/pk7_smime.c
+++ b/OpenSSL/crypto/pkcs7/pk7_smime.c
@@ -249,7 +249,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                  BIO *indata, BIO *out, int flags)
 {
-    STACK_OF(X509) *signers;
+    STACK_OF(X509) *signers = 0;
     X509 *signer;
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
     PKCS7_SIGNER_INFO *si;
@@ -294,14 +294,17 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         return 0;
     }
 
-    signers = PKCS7_get0_signers(p7, certs, flags);
-
-    if (!signers)
-        return 0;
+    if(!(flags & PKCS7_NOSIGS) || !(flags & PKCS7_NOVERIFY)) {
+        /* allow to read encapsulated data even if there is no signer */
+        signers = PKCS7_get0_signers(p7, certs, flags);
+    }
 
     /* Now verify the certificates */
-
-    if (!(flags & PKCS7_NOVERIFY))
+    if (!(flags & PKCS7_NOVERIFY)) {
+        if (!signers) {
+            return 0;
+        }
+
         for (k = 0; k < sk_X509_num(signers); k++) {
             signer = sk_X509_value(signers, k);
             if (!(flags & PKCS7_NOCHAIN)) {
@@ -333,6 +336,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
             }
             /* Check for revocation status here */
         }
+    }
 
     /*
      * Performance optimization: if the content is a memory BIO then store
@@ -384,7 +388,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     }
 
     /* Now Verify All Signatures */
-    if (!(flags & PKCS7_NOSIGS))
+    if (!(flags & PKCS7_NOSIGS)) {
+        if (!signers) {
+            return 0;
+        }
+
         for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
             si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
             signer = sk_X509_value(signers, i);
@@ -394,6 +402,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
             goto err;
         }
     }
+    }
 
     ret = 1;
 
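Review bot: The new lookup guard `if(!(flags & PKCS7_NOSIGS) || !(flags & PKCS7_NOVERIFY))` changes the function's contract — with both flags set, PKCS7_verify now returns 1 for a message whose signer certificate is absent — but the comment `allow to read encapsulated data even if there is no signer` does not say so, and callers read a return of 1 as "verified". I would replace it with `/* With PKCS7_NOSIGS and PKCS7_NOVERIFY both set the signer certificate is never consulted: the caller only wants the encapsulated content, and a return of 1 says nothing about who signed it. */`. Two style nits against the surrounding code: `if(` should be `if (`, and the first hunk initialises the stack with `= 0` where the rest of OpenSSL spells the null pointer `NULL`. PKCS7_verify's body continues beyond this hunk.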
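Review bot: The added `if (!signers) { return 0; }` under `if (!(flags & PKCS7_NOSIGS))` bails out without cleanup, whereas the identical check added in the PKCS7_NOVERIFY block runs before any resource is acquired: by this point the BIO chain that the final hunk releases with `BIO_free_all(p7bio)` has been built (that code lies between the hunks, outside the diff), so returning here leaks it and, with `indata`, skips the `BIO_pop`. Since the last hunk makes `sk_X509_free(signers)` NULL-safe, the check should go through the cleanup label instead: `if (!signers) goto err;` (assuming `ret` still holds its initial 0 there, which the hunk does not show). This is the path the report's `-verify -noverify` run takes, so any message that omits its signer certificate reaches the leak. The enclosing function starts and ends outside this hunk.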
@@ -405,7 +414,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     }
     BIO_free_all(p7bio);
-    sk_X509_free(signers);
+    if (signers)
+        sk_X509_free(signers);
     return ret;
 }