Migrated from: https://gitlab.com/m2crypto/m2crypto/-/issues/223
Created by: Laël Cellier (@ytrezq)
Created at: 2018-07-05T03:24:27.906Z
The following code from https://tools.ietf.org/doc/python-m2crypto/howto.smime.html
from M2Crypto import BIO, Rand, SMIME
def makebuf(text):
    return BIO.MemoryBuffer(text)
# Make a MemoryBuffer of the message.
buf = makebuf('a sign of our times')
# Instantiate an SMIME object; set it up; sign the buffer.
s = SMIME.SMIME()
s.load_key('signer_key.pem', 'signer.pem')
p7 = s.sign(buf)
# Recreate buf.
buf = makebuf('a sign of our times')
# Output p7 in mail-friendly format.
out = BIO.MemoryBuffer()
out.write('From: sender@example.dom\n')
out.write('To: recipient@example.dom\n')
out.write('Subject: M2Crypto S/MIME testing\n')
s.write(out, p7, buf)
print out.read()
now outputs:
From: sender@example.dom
To: recipient@example.dom
Subject: M2Crypto S/MIME testing
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----2F6FE82964BDB60F32300A1BA189C0AF"
This is an S/MIME signed message
------2F6FE82964BDB60F32300A1BA189C0AF
a sign of our times
The signature part is empty whereas it shouldn’t be, thus leaving the e‑mail unsigned.
Changed on 2018-07-05T03:25:10.515Z by Laël Cellier:
mentioned in issue #222
On 2018-07-05T08:39:27.944Z, Laël Cellier wrote:
@mcepl me too, I have no idea about what the problem is, but this is really blocking on every recent distribution: this prevents sending e‑mails in HTML format.
I tried different flags but with the same effect. I also don’t know with which version it worked previously.
What’s sure is the m2crypto code needs to be modified: it is likely because of small OpenSSL API changes that this no longer works.
(Last edited at 2018-07-05T13:11:06.635Z.)
Changed on 2018-10-02T12:09:10.968Z by Matěj Cepl:
changed milestone to 0.32
Changed on 2019-03-05T07:59:18.383Z by Matěj Cepl:
changed milestone to 0.33
Changed on 2019-04-26T14:29:59.852Z by Matěj Cepl:
changed milestone to 0.34
Changed on 2019-05-30T19:58:12.343Z by Matěj Cepl:
changed milestone to 0.35
(Last edited at 2019-05-30T19:58:12.346Z.)
Changed on 2019-06-08T06:32:44.745Z by Matěj Cepl:
changed milestone to 0.36
(Last edited at 2019-06-08T06:32:44.749Z.)
On 2023-01-30T15:49:28.807Z, Mohd Saquib wrote:
Well this doesn't seem to be a code issue. Since S/MIME signatures are detached you have to sign the message while providing the appropriate flag. So instead of
p7 = s.sign(buf)
it should be
p7 = s.sign(buf, SMIME.PKCS7_DETACHED)
rest of the code looks okay.
From the source code it can be confirmed that
s.write(out, p7, buf)
write method of SMIME object is enabling PKCS7_DETACHED flag by default --> https://gitlab.com/m2crypto/m2crypto/-/blob/master/src/SWIG/_pkcs7.i#L202
Output (with signature present) after doing above modification in the test code:
leap@lpvm-01:~> python3 test.py
From: sender@example.dom
To: recipient@example.dom
Subject: M2Crypto S/MIME testing
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----CCE7A0961B28D014C49384845A10A1E5"
This is an S/MIME signed message
------CCE7A0961B28D014C49384845A10A1E5
a sign of our times
------CCE7A0961B28D014C49384845A10A1E5
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
[base64-encoded signature data omitted]
------CCE7A0961B28D014C49384845A10A1E5--
From Wikipedia:
S/MIME signatures are usually "detached signatures": the signature information is separate from the text being signed. The MIME type for this is multipart/signed with the second part having a MIME subtype of application/(x-)pkcs7-signature.
(Last edited at 2023-01-31T16:58:07.176Z.)
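Added example, not part of any comment in this thread and not M2Crypto code: a standard-library check that flags the failure mode reported here, a mail labelled multipart/signed that carries no usable signature part. The function name, the boundary and the placeholder signature bytes are constructed for illustration; the check is structural only and does not verify the signature.

```python
import base64
from email import message_from_string

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def signed_structure_problems(raw):
    """List reasons `raw` is not a structurally complete multipart/signed mail.

    Structural check only: an empty list does not mean the signature verifies.
    """
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return ["top-level type is not multipart/signed"]
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:  # content part + detached signature part
        return ["expected 2 MIME parts, found %d" % len(parts)]
    sig = parts[1]
    problems = []
    if sig.get_content_type() not in SIG_TYPES:
        problems.append("second part is not a PKCS#7 signature")
    blob = sig.get_payload(decode=True) or b""
    if not blob.startswith(b"\x30"):  # DER-encoded PKCS#7 begins with SEQUENCE
        problems.append("signature body is empty or not DER")
    return problems

B = "CONSTRUCTEDBOUNDARY0001"  # constructed sample boundary
HEAD = (
    "From: sender@example.dom\nTo: recipient@example.dom\n"
    "Subject: M2Crypto S/MIME testing\nMIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";'
    f' micalg="sha1"; boundary="----{B}"\n\n'
    "This is an S/MIME signed message\n\n"
    f"------{B}\na sign of our times\n"
)

def sig_part(der):
    # Placeholder bytes stand in for a real signature; nothing is verified.
    b64 = base64.b64encode(der).decode("ascii")
    return (f"------{B}\n"
            'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\n'
            f"Content-Transfer-Encoding: base64\n\n{b64}\n\n------{B}--\n")

BROKEN = HEAD                                   # layout reported in this issue
EMPTY_SIG = HEAD + sig_part(b"")
COMPLETE = HEAD + sig_part(b"\x30\x03\x02\x01\x01")

if __name__ == "__main__":
    for name, raw in (("BROKEN", BROKEN), ("EMPTY_SIG", EMPTY_SIG), ("COMPLETE", COMPLETE)):
        print(name, signed_structure_problems(raw))
```

Running a check like this on outgoing mail before it is handed to the MTA catches a signing call that silently produced no signature.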
On 2023-01-30T15:49:43.862Z, Mohd Saquib wrote:
Please confirm once. I think this issue can be closed
On 2023-01-30T20:56:02.607Z, Laël Cellier wrote:
My original post is about example code which worked before but no longer works. Default flags are in the C Python wrapper code. They should be changed, or the example code should be changed.
(Last edited at 2023-02-02T10:04:42.779Z.)
On 2023-01-31T16:58:07.077Z, Matěj Cepl wrote:
s.sign(buf, SMIME.PKCS7_DETACHED)
@m5aquib Do you want to say that .sign method should have SMIME.PKCS7_DETACHED as default, or that the code example should be changed?
On 2023-02-01T09:02:28.851Z, Mohd Saquib wrote:
@mcepl Yes, I think code example should be changed. It is also evident from the doc which has the same example in M2Crypto.SMIME section.
# Instantiate an SMIME object; set it up; sign the buffer.
s = SMIME.SMIME()
s.load_key('signer_key.pem', 'signer.pem')
p7 = s.sign(buf, SMIME.PKCS7_DETACHED)
https://gitlab.com/m2crypto/m2crypto/-/blob/master/doc/howto.smime.rst
On 2023-02-02T10:04:42.695Z, Matěj Cepl wrote:
Could you please provide MR against the current master with what you want to have changed, please? I still don’t understand.
Also, the current version of documentation is on https://m2crypto.readthedocs.io/en/latest/howto.smime.html and I just don’t see the setting of SMIME.PKCS7_DETACHED missing. The same goes for smimeplus.py. What’s the problem?
Changed on 2023-02-03T15:44:48.889Z by Matěj Cepl:
marked #164 as a duplicate of this issue
(Last edited at 2023-02-03T15:44:48.891Z.)
Changed on 2023-02-03T15:44:49.245Z by Matěj Cepl:
marked this issue as related to #164
(Last edited at 2023-02-03T15:44:49.247Z.)
Changed on 2023-02-03T15:51:19.463Z by Matěj Cepl:
marked #222 as a duplicate of this issue
(Last edited at 2023-02-03T15:51:19.465Z.)
Changed on 2023-02-03T15:51:19.762Z by Matěj Cepl:
marked this issue as related to #222
(Last edited at 2023-02-03T15:51:19.764Z.)