~mcepl/m2crypto#223: 
FLAGS_DETACHED no longer creates signature data with recent OpenSSL versions.

Migrated from: https://gitlab.com/m2crypto/m2crypto/-/issues/223
Created by: Laël Cellier (@ytrezq)
Created at: 2018-07-05T03:24:27.906Z

The following code from https://tools.ietf.org/doc/python-m2crypto/howto.smime.html

from M2Crypto import BIO, Rand, SMIME
def makebuf(text):
    return BIO.MemoryBuffer(text)
# Make a MemoryBuffer of the message.
buf = makebuf('a sign of our times')

# Instantiate an SMIME object; set it up; sign the buffer.
s = SMIME.SMIME()
s.load_key('signer_key.pem', 'signer.pem')
p7 = s.sign(buf)
# Recreate buf.
buf = makebuf('a sign of our times')
# Output p7 in mail-friendly format.
out = BIO.MemoryBuffer()
out.write('From: sender@example.dom\n')
out.write('To: recipient@example.dom\n')
out.write('Subject: M2Crypto S/MIME testing\n')
s.write(out, p7, buf)
print out.read()

now outputs:

From: sender@example.dom
To: recipient@example.dom
Subject: M2Crypto S/MIME testing
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----2F6FE82964BDB60F32300A1BA189C0AF"

This is an S/MIME signed message

------2F6FE82964BDB60F32300A1BA189C0AF
a sign of our times

The signature part is empty whereas it shouldn’t be, thus leaving the e‑mail unsigned.

Status: REPORTED
Submitter: ~mcepl
Assigned to: No-one
Submitted: 7 months ago
Updated: 7 months ago
Labels: smime

~mcepl referenced this from #164 7 months ago

~mcepl referenced this from #222 7 months ago

~mcepl 7 months ago

Changed on 2018-07-05T03:25:10.515Z by Laël Cellier:

mentioned in issue #222

~mcepl 7 months ago

On 2018-07-05T05:21:17.534Z, Matěj Cepl wrote:

OK, so what do you suggest? I really don't understand S/MIME that much. The relevant modules should be SMIME for Python and pkcs7 for C.

~mcepl 7 months ago

On 2018-07-05T08:39:27.944Z, Laël Cellier wrote:

@mcepl me too, I have no idea what the problem is, but this is really blocking on every recent distribution: this prevents sending e‑mails in HTML format.

I tried different flags but with the same effect. I also don’t know with which version it worked previously.

What’s sure is that the M2Crypto code needs to be modified: it is likely because of small OpenSSL API changes that this no longer works.

(Last edited at 2018-07-05T13:11:06.635Z.)

~mcepl 7 months ago

Changed on 2018-10-02T12:09:10.968Z by Matěj Cepl:

changed milestone to 0.32

~mcepl 7 months ago

Changed on 2019-03-05T07:59:18.383Z by Matěj Cepl:

changed milestone to 0.33

~mcepl 7 months ago

Changed on 2019-04-26T14:29:59.852Z by Matěj Cepl:

changed milestone to 0.34

~mcepl 7 months ago

Changed on 2019-05-30T19:58:12.343Z by Matěj Cepl:

changed milestone to 0.35

(Last edited at 2019-05-30T19:58:12.346Z.)

~mcepl 7 months ago

Changed on 2019-06-08T06:32:44.745Z by Matěj Cepl:

changed milestone to 0.36

(Last edited at 2019-06-08T06:32:44.749Z.)

~mcepl 7 months ago

On 2023-01-30T15:49:28.807Z, Mohd Saquib wrote:

Well, this doesn't seem to be a code issue. Since S/MIME signatures are detached, you have to sign the message while providing the appropriate flag. So instead of p7 = s.sign(buf) it should be p7 = s.sign(buf, SMIME.PKCS7_DETACHED); the rest of the code looks okay.

From the source code it can be confirmed that the write method of the SMIME object, s.write(out, p7, buf), enables the PKCS7_DETACHED flag by default: https://gitlab.com/m2crypto/m2crypto/-/blob/master/src/SWIG/_pkcs7.i#L202

Output (with signature present) after doing above modification in the test code:

leap@lpvm-01:~> python3 test.py
From: sender@example.dom
To: recipient@example.dom
Subject: M2Crypto S/MIME testing
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----CCE7A0961B28D014C49384845A10A1E5"

This is an S/MIME signed message

------CCE7A0961B28D014C49384845A10A1E5
a sign of our times
------CCE7A0961B28D014C49384845A10A1E5
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"


------CCE7A0961B28D014C49384845A10A1E5--

From Wikipedia:

S/MIME signatures are usually "detached signatures": the signature information is separate from the text being signed. The MIME type for this is multipart/signed with the second part having a MIME subtype of application/(x-)pkcs7-signature.

(Last edited at 2023-01-31T16:58:07.176Z.)
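
A structural check for the failure reported in this issue, added here as an example (it is not M2Crypto code and not from any participant in the thread): it uses Python's standard `email` package to confirm that a multipart/signed message really carries a second, non-empty application/(x-)pkcs7-signature part. The function name `check_detached_smime` and the sample messages are constructed for illustration, and the check is structural only; it does not verify the signature.

```python
import base64
from email import message_from_string

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def check_detached_smime(raw):
    """Return structural problems; [] means a content part plus a
    non-empty PKCS#7 signature part (no cryptographic verification)."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return ["top-level Content-Type is not multipart/signed"]
    problems = []
    if (msg.get_param("protocol") or "").lower() not in SIG_TYPES:
        problems.append("protocol parameter is not a PKCS#7 signature type")
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        return problems + ["expected 2 MIME parts, found %d" % len(parts)]
    sig = parts[1]
    if sig.get_content_type() not in SIG_TYPES:
        problems.append("second part is not a PKCS#7 signature")
    elif not sig.get_payload(decode=True):
        problems.append("signature part is empty")
    return problems

# Constructed samples. UNSIGNED has the shape of the output reported in the
# issue (shortened boundary); SIG_BODY is a placeholder, not a real signature.
UNSIGNED = (
    "From: sender@example.dom\n"
    "To: recipient@example.dom\n"
    "Subject: M2Crypto S/MIME testing\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";'
    ' micalg="sha1"; boundary="----B"\n'
    "\n"
    "This is an S/MIME signed message\n"
    "\n"
    "------B\n"
    "a sign of our times\n"
)
SIG_HEADERS = (
    "------B\n"
    'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
)
SIG_BODY = base64.b64encode(b"constructed placeholder").decode("ascii")
SIGNED = UNSIGNED + SIG_HEADERS + SIG_BODY + "\n\n------B--\n"
EMPTY_SIG = UNSIGNED + SIG_HEADERS + "\n------B--\n"
```

Running the check on the text read back from the output buffer before a message is sent catches the case where the signature part was never written.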

~mcepl 7 months ago

On 2023-01-30T15:49:43.862Z, Mohd Saquib wrote:

Please confirm once. I think this issue can be closed

~mcepl 7 months ago

On 2023-01-30T20:56:02.607Z, Laël Cellier wrote:

My original post is about example code which worked before but no longer works. Default flags are in the C Python wrapper code. They should be changed, or the example code should be changed.

(Last edited at 2023-02-02T10:04:42.779Z.)

~mcepl 7 months ago

On 2023-01-31T16:58:07.077Z, Matěj Cepl wrote:

s.sign(buf, SMIME.PKCS7_DETACHED)

@m5aquib Do you want to say that .sign method should have SMIME.PKCS7_DETACHED as default, or that the code example should be changed?

~mcepl 7 months ago

On 2023-02-01T09:02:28.851Z, Mohd Saquib wrote:

@mcepl Yes, I think the code example should be changed. It is also evident from the doc, which has the same example in the M2Crypto.SMIME section.

# Instantiate an SMIME object; set it up; sign the buffer.
s = SMIME.SMIME()
s.load_key('signer_key.pem', 'signer.pem')
p7 = s.sign(buf, SMIME.PKCS7_DETACHED)

https://gitlab.com/m2crypto/m2crypto/-/blob/master/doc/howto.smime.rst

~mcepl 7 months ago

On 2023-02-02T10:04:42.695Z, Matěj Cepl wrote:

Could you please provide an MR against the current master with what you want to have changed, please? I still don’t understand.

Also, the current version of documentation is on https://m2crypto.readthedocs.io/en/latest/howto.smime.html and I just don’t see the setting of SMIME.PKCS7_DETACHED missing. The same goes for smimeplus.py.

What’s the problem?

~mcepl 7 months ago

Changed on 2023-02-03T15:44:48.889Z by Matěj Cepl:

marked #164 as a duplicate of this issue

(Last edited at 2023-02-03T15:44:48.891Z.)

~mcepl 7 months ago

Changed on 2023-02-03T15:44:49.245Z by Matěj Cepl:

marked this issue as related to #164

(Last edited at 2023-02-03T15:44:49.247Z.)

~mcepl 7 months ago

Changed on 2023-02-03T15:51:19.463Z by Matěj Cepl:

marked #222 as a duplicate of this issue

(Last edited at 2023-02-03T15:51:19.465Z.)

~mcepl 7 months ago

Changed on 2023-02-03T15:51:19.762Z by Matěj Cepl:

marked this issue as related to #222

(Last edited at 2023-02-03T15:51:19.764Z.)
