0004582: Signed and encrypted messages sent from Outlook can't be opened - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0004582	SOGo	Web Mail	public	2018-10-26 09:02	2019-08-19 14:41

Reporter	Elektor	Assigned To	ludovic
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	[Server] Linux	OS	Ubuntu	OS Version	16.04 LTS
Product Version	4.0.3
Fixed in Version	4.1.0

Summary	0004582: Signed and encrypted messages sent from Outlook can't be opened
Description	A message send from Outlook, which is digitally signed and encrypted, can't be opened in SOGo Webmail. SOGo starts to open the message, but than runs into a timeout. If the message is ONLY signed or ONLY encrypted, it can be opened. Also, there are no problems with messages sent from e.g. Thunderbird.
Steps To Reproduce	Always reproducable.
Tags	No tags attached.

ludovic 2019-02-19 18:32 administrator ~0013390	Please attach a sample email. I realize I won't be able to decrypt it but that's not the point.

schmirl 2019-02-20 09:28 reporter ~0013401	If I may barge in... The problem with Outlook is that it uses opaque signing when also encrypting the mail, i.e. you don't have message text and signature as two separate MIME parts. The message text is embedded in the signature instead. You can create an opaque signed message with openssl using the -nodetach option: openssl cms -sign -nodetach -in some.msg -signer some.crt -inkey some.key MIME headers of an opaque signed message are: Content-Disposition: attachment; filename="smime.p7m" Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m" I attached samples in the usual detached format and in opaque format, both signed at the same time, so that all data including the signature is equal. Run both messages through the following openssl command and compare the output: openssl cms -in the.msg -noout -cmsout -print

schmirl 2019-02-20 09:29 reporter	detached.msg (3,370 bytes)

schmirl 2019-02-20 09:29 reporter	opaque.msg (3,162 bytes)

Elektor 2019-02-22 09:12 reporter ~0013413	We have generated three different messages sent from Outlook, signed, encrypted and sigened_encrypted. As already mentioned, the first to can be read with SoGo without problems, only the third on, signed_encrypted, can't be opened.

Elektor 2019-02-22 09:12 reporter	encrypted (7,602 bytes) Return-Path: <thomas.zerna@tu-dresden.de> From: "Zerna" <thomas.zerna@tu-dresden.de> To: "'Swen Tyrian'" <swen.tyrian@tu-dresden.de> Subject: Encrypted message Date: Fri, 22 Feb 2019 09:36:08 +0100 Message-ID: <00fd01d4ca89$a8750a80$f95f1f80$@tu-dresden.de> MIME-Version: 1.0 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7m" Thread-Index: AdTKiZmVwYJUGY+lTOO4YF3UIC0eig== Content-Language: de

Elektor 2019-02-22 09:12 reporter	signed (16,269 bytes) Return-Path: <thomas.zerna@tu-dresden.de> Received: from deliver ([unix socket]) by mail (Cyrus v2.4.17-caldav-beta9-Debian-2.4.17+caldav~beta9-3) with LMTPA; Fri, 22 Feb 2019 09:35:34 +0100 X-Sieve: CMU Sieve 2.4 Received: from eiet20.et.tu-dresden.de (eiet20.et.tu-dresden.de [141.30.122.20]) by mail.avt.et.tu-dresden.de (Postfix) with ESMTP id 6F0C1E02E7 for <tyrian@avt.et.tu-dresden.de>; Fri, 22 Feb 2019 09:35:34 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by eiet20.et.tu-dresden.de (Postfix) with ESMTP id 3C485300999 for <tyrian@avt.et.tu-dresden.de>; Fri, 22 Feb 2019 09:35:34 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at eiet20.et.tu-dresden.de Received: from eiet20.et.tu-dresden.de ([127.0.0.1]) by localhost (eiet20.et.tu-dresden.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id deOt6b_sUvqL for <tyrian@avt.et.tu-dresden.de>; Fri, 22 Feb 2019 09:35:29 +0100 (CET) Received: from mailin6.zih.tu-dresden.de (mailin6.zih.tu-dresden.de [141.30.67.69]) by eiet20.et.tu-dresden.de (Postfix) with ESMTPS id 0988B30077A for <tyrian@avt.et.tu-dresden.de>; Fri, 22 Feb 2019 09:35:29 +0100 (CET) Received: from eiet20.et.tu-dresden.de ([141.30.122.20]) by mailin6.zih.tu-dresden.de with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <thomas.zerna@tu-dresden.de>) id 1gx6Iq-0003M3-RX for swen.tyrian@tu-dresden.de; Fri, 22 Feb 2019 09:35:28 +0100 Received: from localhost (localhost [127.0.0.1]) by eiet20.et.tu-dresden.de (Postfix) with ESMTP id A0A6F300999 for <swen.tyrian@tu-dresden.de>; Fri, 22 Feb 2019 09:35:28 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at eiet20.et.tu-dresden.de Received: from eiet20.et.tu-dresden.de ([127.0.0.1]) by localhost (eiet20.et.tu-dresden.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gov__bT_1DJ8 for <swen.tyrian@tu-dresden.de>; Fri, 22 Feb 2019 09:35:23 +0100 (CET) Received: from mail.avt.et.tu-dresden.de (eiet50.et.tu-dresden.de [141.30.122.50]) by eiet20.et.tu-dresden.de (Postfix) with ESMTP id C592330077A for <swen.tyrian@tu-dresden.de>; Fri, 22 Feb 2019 09:35:23 +0100 (CET) Received: from zmp122175 (unknown [192.168.122.175]) by mail.avt.et.tu-dresden.de (Postfix) with ESMTP id D11BFE02E7 for <swen.tyrian@tu-dresden.de>; Fri, 22 Feb 2019 09:35:23 +0100 (CET) From: "Zerna" <thomas.zerna@tu-dresden.de> To: "'Swen Tyrian'" <swen.tyrian@tu-dresden.de> Subject: Signed message Date: Fri, 22 Feb 2019 09:35:24 +0100 Message-ID: <00f501d4ca89$8e17ed10$aa47c730$@tu-dresden.de> X-Mailer: Microsoft Outlook 15.0 MIME-Version: 1.0 Thread-Index: AdTKiXrQPpjZglT5SR6eTx6srMudsQ== Content-Language: de Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_00ED_01D4CA91.EFC4AE60" X-TUD-Virus-Scanned: mailin6.zih.tu-dresden.de X-TUD-Spam-Status: No, hits=2.7 required=5 tests=[DOS_OUTLOOK_TO_MX=1.449, FSL_HELO_NON_FQDN_1=0.001, HTML_MESSAGE=0.001, RDNS_NONE=1.274] X-TUD-Spam-Level: ** This is a multipart message in MIME format. ------=_NextPart_000_00ED_01D4CA91.EFC4AE60 Content-Type: multipart/alternative; boundary="----=_NextPart_001_00EE_01D4CA91.EFC4AE60" ------=_NextPart_001_00EE_01D4CA91.EFC4AE60 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit This is a signed message sent from Outlook. ------=_NextPart_001_00EE_01D4CA91.EFC4AE60 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" = xmlns=3D"http://www.w3.org/TR/REC-html40"><head><META = HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 = (filtered medium)"><style><!-- /* Font Definitions / @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;} / Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; margin-bottom:.0001pt; font-size:11.0pt; font-family:"Calibri",sans-serif; mso-fareast-language:EN-US;} a:link, span.MsoHyperlink {mso-style-priority:99; color:#0563C1; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {mso-style-priority:99; color:#954F72; text-decoration:underline;} span.E-MailFormatvorlage17 {mso-style-type:personal-compose; font-family:"Calibri",sans-serif; color:windowtext;} .MsoChpDefault {mso-style-type:export-only; font-family:"Calibri",sans-serif; mso-fareast-language:EN-US;} @page WordSection1 {size:612.0pt 792.0pt; margin:70.85pt 70.85pt 2.0cm 70.85pt;} div.WordSection1 {page:WordSection1;} --></style><!--[if gte mso 9]><xml> <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext=3D"edit"> <o:idmap v:ext=3D"edit" data=3D"1" /> </o:shapelayout></xml><![endif]--></head><body lang=3DDE = link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p = class=3DMsoNormal><span lang=3DEN-US>This is a signed message sent from = Outlook.<o:p></o:p></span></p><p class=3DMsoNormal><span = lang=3DEN-US><o:p> </o:p></span></p><p class=3DMsoNormal><span = lang=3DEN-US = style=3D'mso-fareast-language:DE'><o:p> </o:p></span></p><p = class=3DMsoNormal><span lang=3DEN-US = style=3D'mso-fareast-language:DE'><o:p> </o:p></span></p></div></bod= y></html> ------=_NextPart_001_00EE_01D4CA91.EFC4AE60-- ------=_NextPart_000_00ED_01D4CA91.EFC4AE60 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIZPDCCA58w ggKHoAMCAQICASYwDQYJKoZIhvcNAQEFBQAwcTELMAkGA1UEBhMCREUxHDAaBgNVBAoTE0RldXRz Y2hlIFRlbGVrb20gQUcxHzAdBgNVBAsTFlQtVGVsZVNlYyBUcnVzdCBDZW50ZXIxIzAhBgNVBAMT GkRldXRzY2hlIFRlbGVrb20gUm9vdCBDQSAyMB4XDTk5MDcwOTEyMTEwMFoXDTE5MDcwOTIzNTkw MFowcTELMAkGA1UEBhMCREUxHDAaBgNVBAoTE0RldXRzY2hlIFRlbGVrb20gQUcxHzAdBgNVBAsT FlQtVGVsZVNlYyBUcnVzdCBDZW50ZXIxIzAhBgNVBAMTGkRldXRzY2hlIFRlbGVrb20gUm9vdCBD QSAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqwujNeCLKRSxFIWvPBDkOW81XUqu 3ephjZVJ9G9koxpgZqSpQCKE2dSl5XiTDmgBrblNXDrO07ioQkDfz6O6gllqkhusHJraCCslJ/lp I0fx4Ossepv1EwLQfjR8wp48AFmr9doM9TI8K6xQ2tbD3oOUyqgMmTIOCEhWW2r72uFYWAFJX3JB PBUGAY5draq4k7TNnuun6GotUjTbOu9cdVHa2/Mx+e5xmDLEVBVEDPmbVe2t3xgIoKOGiknuUwWP GUzV3lh5m9JqHEKrxdWnz2gPluThYZh2YciRfNY+AOKRUIfhnQrmrZfSHcY6fcu82gM01Y5bAfVq B7cWtm5KfwIDAQABo0IwQDAdBgNVHQ4EFgQUMcN5G7r1U9cX4Il6LRdsCrMrnTMwDwYDVR0TBAgw BgEB/wIBBTAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAJRkWa05ZOcp6xP+WsOL E1fIBCTwdHfAYONn++mJpoO/loJ8btTDPe+egG67KbSYerE7VOs5F0d+Go4L/B8xWTEEss4X8yzH YjZV4iLYiVW0mEiqZPrWHDbYRHhaWiM6V5f1ejBPrp9qTEsrjqAD4z7gqdTSe9KzqOJyPK2e/4BZ 5JtFtPY7sM05GZgy5eohYZDkMSGONLH3LzVKhRDa54o3Ib5ZY+DyhYgxU9RUFIVwefQuBncndS8f uIr5/sW62Dbkg+znZbe/Y1rzRq+BlDfUQYzWI9Yez/VoG0Rjolq6pzVZoeVwBZsOI1eZlAptujlj KIaS8xiE2PvRzwVWZFcwggUSMIID+qADAgECAgkA4wvV+K8l2YEwDQYJKoZIhvcNAQELBQAwgYIx CzAJBgNVBAYTAkRFMSswKQYDVQQKDCJULVN5c3RlbXMgRW50ZXJwcmlzZSBTZXJ2aWNlcyBHbWJI MR8wHQYDVQQLDBZULVN5c3RlbXMgVHJ1c3QgQ2VudGVyMSUwIwYDVQQDDBxULVRlbGVTZWMgR2xv YmFsUm9vdCBDbGFzcyAyMB4XDTE2MDIyMjEzMzgyMloXDTMxMDIyMjIzNTk1OVowgZUxCzAJBgNV BAYTAkRFMUUwQwYDVQQKEzxWZXJlaW4genVyIEZvZXJkZXJ1bmcgZWluZXMgRGV1dHNjaGVuIEZv cnNjaHVuZ3NuZXR6ZXMgZS4gVi4xEDAOBgNVBAsTB0RGTi1QS0kxLTArBgNVBAMTJERGTi1WZXJl aW4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAMtg1/9moUHN0vqHl4pzq5lN6mc5WqFggEcVToyVsuXPztNXS43O+FZsFVV2B+pG/cgDRWM+ cNSrVICxI5y+NyipCf8FXRgPxJiZN7Mg9mZ4F4fCnQ7MSjLnFp2uDo0peQcAIFTcFV9Kltd4tjTT wXS1nem/wHdN6r1ZB+BaL2w8pQDcNb1lDY9/Mm3yWmpLYgHurDg0WUU2SQXaeMpqbVvAgWsRzNI8 qIv4cRrKO+KA3Ra0Z3qLNupOkSk9s1FcragMvp0049ENF4N1xDkesJQLEvHVaY4l9Lg9K7/AjsMe O6W/VRCrKq4Xl14zzsjz9AkH4wKGMUZrAcUQDBHHWekCAwEAAaOCAXQwggFwMA4GA1UdDwEB/wQE AwIBBjAdBgNVHQ4EFgQUk+PYMiba1fFKpZFK4OpL4qIMz+EwHwYDVR0jBBgwFoAUv1kgNgB5oKAi a4zV8mHSuCzLgkowEgYDVR0TAQH/BAgwBgEB/wIBAjAzBgNVHSAELDAqMA8GDSsGAQQBga0hgiwB AQQwDQYLKwYBBAGBrSGCLB4wCAYGZ4EMAQICMEwGA1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly9wa2kw MzM2LnRlbGVzZWMuZGUvcmwvVGVsZVNlY19HbG9iYWxSb290X0NsYXNzXzIuY3JsMIGGBggrBgEF BQcBAQR6MHgwLAYIKwYBBQUHMAGGIGh0dHA6Ly9vY3NwMDMzNi50ZWxlc2VjLmRlL29jc3ByMEgG CCsGAQUFBzAChjxodHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL2NydC9UZWxlU2VjX0dsb2JhbFJv b3RfQ2xhc3NfMi5jZXIwDQYJKoZIhvcNAQELBQADggEBAIcL/z4Cm2XIVi3WO5qYi3FP2ropqiH5 Ri71sqQPrhE4eTizDnS6dl2e6BiClmLbTDPo3flq3zK9LExHYFV/53RrtCyD2HlrtrdNUAtmB7Xt s5et6u5/MOaZ/SLick0+hFvu+c+Z6n/XUjkurJgARH5pO7917tALOxrN5fcPImxHhPalR6D90Bo0 fa3SPXez7vTXTf/D6OWST1k+kEcQSrCFWMBvf/iu7QhCnh7U3xQuTY+8npTD5+32GPg8SecmqKc2 2CzeIs2LgtjZeOJVEqM7h0S2EQvVDFKvaYwPBt/QolOLV5h7z/0HJPT8vcP9SpIClxvyt7bPZYoa orVyGTkwggU1MIIEHaADAgECAggRnBSMwawOlTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJE RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2VjIFRydXN0 IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENBIDIwHhcNMTYwNDI1MDkw MTM5WhcNMTkwNzA5MjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBF bnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIx JTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/J IPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05 l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOl bpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjggG9MIIBuTAP BgNVHRMBAf8EBTADAQH/MD8GA1UdIAQ4MDYwNAYJKwYBBAG9Rw0VMCcwJQYIKwYBBQUHAgEWGWh0 dHA6Ly93d3cudGVsZXNlYy5kZS9jcHMwDgYDVR0PAQH/BAQDAgEGMIHYBgNVHR8EgdAwgc0wL6At oCuGKWh0dHA6Ly9wa2kudGVsZXNlYy5kZS9ybC9EVF9ST09UX0NBXzIuY3JsMIGZoIGWoIGThoGQ bGRhcDovL3BraS50ZWxlc2VjLmRlL0NOPURldXRzY2hlJTIwVGVsZWtvbSUyMFJvb3QlMjBDQSUy MDIsT1U9VC1UZWxlU2VjJTIwVHJ1c3QlMjBDZW50ZXIsTz1EZXV0c2NoZSUyMFRlbGVrb20lMjBB RyxDPURFP0F1dGhvcml0eVJldm9jYXRpb25MaXN0MDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcw AYYeaHR0cDovL29jc3AwMi50ZWxlc2VjLmRlL29jc3ByMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXy YdK4LMuCSjAfBgNVHSMEGDAWgBQxw3kbuvVT1xfgiXotF2wKsyudMzANBgkqhkiG9w0BAQsFAAOC AQEABo+KajB2EGBo5lWqUw9f2tMDDZind4kkbKLEZeqFJVSIR8GNXwxqCjPvX0xk9NjPifMp6ADG BRgj8FgBwqOirlITD/VNmJVJcur2WiuW8j+lo+ZNSA4hkuBO6/oiV14HlNHgf+r0KEKceL+FAXSh OBdcqobbzGHXazqD5hccDqbjLjwfh/j85A30EGEOx6KKXDR9PO4gCOI0DgX9xGywMkCwrqvwQqOZ 4/Qw8ZKtWTPz/JMwnoXJiFQZB5YyrrnN1WRfGGsfmhecApqoJ6y7VR4IfQoI8DLetqgEOO20QwcG A2M3a/MMPijMSQuzI5HVzZ0DIERiqnzuWndF5qAChzCCBZYwggR+oAMCAQICDBxuNCQ/OtgsG8yR NTANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMCREUxRTBDBgNVBAoTPFZlcmVpbiB6dXIgRm9l cmRlcnVuZyBlaW5lcyBEZXV0c2NoZW4gRm9yc2NodW5nc25ldHplcyBlLiBWLjEQMA4GA1UECxMH REZOLVBLSTEtMCsGA1UEAxMkREZOLVZlcmVpbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4X DTE2MTIxMjE0MzkxNloXDTMxMDIyMjIzNTk1OVowczELMAkGA1UEBhMCREUxEDAOBgNVBAgMB1Nh Y2hzZW4xEDAOBgNVBAcMB0RyZXNkZW4xKDAmBgNVBAoMH1RlY2huaXNjaGUgVW5pdmVyc2l0YWV0 IERyZXNkZW4xFjAUBgNVBAMMDVRVIERyZXNkZW4gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQDn4IJzjZjX7Qnm2kBJY9JjH/Q/GqP3s/UN3MJtOHdfCmlGwAy2o3BLyxPGAcyZs0Ci XXy3cSoiRMf+JJcSF3lx/o5LIe6ZVuC9lO+MyH9ztHdUZmLCqKaWGTj9QlXydU++svbga6QPXtGy /6It7kyx7scgwnt71yICt0IFXlbqST/k7bj9mG20gSz/YjeLwxOUagFp6w2CRTL9xFoDSHDUEFOs Nt8rW+FvFX8JZv5zPLQXQzlbfUtOgate7CgWuGCCflf8usVe8Jvz/3D6NKTxbMa8nDoyU8ZcfC5N +N/uh6L9LSPuIerl/IgfeUSznwziTDGUtWK/atzcomRNfnGZAgMBAAGjggIFMIICATASBgNVHRMB Af8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjApBgNVHSAEIjAgMA0GCysGAQQBga0hgiweMA8G DSsGAQQBga0hgiwBAQQwHQYDVR0OBBYEFFL+vrckwhsKHUZSjkQkKvRIQD0BMB8GA1UdIwQYMBaA FJPj2DIm2tXxSqWRSuDqS+KiDM/hMIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jZHAxLnBj YS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwQKA+oDyGOmh0dHA6 Ly9jZHAyLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwgd0G CCsGAQUFBwEBBIHQMIHNMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1At U2VydmVyL09DU1AwSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJv b3QtZzItY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0MEoGCCsGAQUFBzAChj5odHRwOi8vY2RwMi5w Y2EuZGZuLmRlL2dsb2JhbC1yb290LWcyLWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG 9w0BAQsFAAOCAQEATNhE/LA4aX/Bn8x3PaAsMxs7f1/v6JBytU9HL+VuOMu37Rui5qLzFOPUj035 bhk6EbDDnmBcw06cGIqi44N01xrNPFbr6CUDj7kr1vGQAq72SX0nZ7OlwzDU81MUVxLXIb62EZBO 27L7dLd8jpUh/GL5FrAWuL2wLvTXSpLdHA5KGaGwuTeISOUNDXzTOQHOx169Ye3Wy8Aumqxz7sNw e4/4yBi+SjD/W7Iene/J5MT0ruF3Fx9fBFD0iR4Kj3EslR7KS6iyqtM5A17hjDiE+Gsl9G2jIf3Z IWp15l6dV5Tr6uSq56/rVfd8+L7/JKlQ4bJY92CA3rltDzUTycsVhTCCBawwggSUoAMCAQICDB/V KQmttKlCFLEhETANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJERTEQMA4GA1UECAwHU2FjaHNl bjEQMA4GA1UEBwwHRHJlc2RlbjEoMCYGA1UECgwfVGVjaG5pc2NoZSBVbml2ZXJzaXRhZXQgRHJl c2RlbjEWMBQGA1UEAwwNVFUgRHJlc2RlbiBDQTAeFw0xODEwMDQwNTU2MTJaFw0yMTEwMDMwNTU2 MTJaMFwxCzAJBgNVBAYTAkRFMSgwJgYDVQQKDB9UZWNobmlzY2hlIFVuaXZlcnNpdGFldCBEcmVz ZGVuMQwwCgYDVQQLDANabVAxFTATBgNVBAMMDFRob21hcyBaZXJuYTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBANO7IlILoFH4EVLQF4mE1XzXeXyHi3wPgeJkZg58510H6IbvMOUIeFGm aPfwMuDARa3UYej8ea8yxe3WWkxehdRffi4r7OXeCXCzvJFCN0/0qNvSkAtb9x3FeRAolO4HOTcM SEP/s/q2LIDhSIYGfXx4kasGhIgWIVoqRFAuT/fkpTEWO+d4xKedVfla28KJ/AEeKUNMmVG8MdrR GPExBmlatg6y15UJVskcCYcLCTRuX6I/7+cpb/5tKttz7MHKV/yEXSO3m8HUdLqVA0PNtXzwroee ASEr4gWTMg+AsCtyNW/AlAsXFDImnDrw/Lsu/a9HTPt7gAUCcoy4hiZOPoECAwEAAaOCAlUwggJR MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD BDAdBgNVHQ4EFgQU2WsKt8pqz8TL7O+mH+sLHAMS4lIwHwYDVR0jBBgwFoAUUv6+tyTCGwodRlKO RCQq9EhAPQEwJQYDVR0RBB4wHIEadGhvbWFzLnplcm5hQHR1LWRyZXNkZW4uZGUwgY0GA1UdHwSB hTCBgjA/oD2gO4Y5aHR0cDovL2NkcDEucGNhLmRmbi5kZS90dS1kcmVzZGVuLWcyLWNhL3B1Yi9j cmwvY2FjcmwuY3JsMD+gPaA7hjlodHRwOi8vY2RwMi5wY2EuZGZuLmRlL3R1LWRyZXNkZW4tZzIt Y2EvcHViL2NybC9jYWNybC5jcmwwgdsGCCsGAQUFBwEBBIHOMIHLMDMGCCsGAQUFBzABhidodHRw Oi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSQYIKwYBBQUHMAKGPWh0dHA6Ly9j ZHAxLnBjYS5kZm4uZGUvdHUtZHJlc2Rlbi1nMi1jYS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwSQYI KwYBBQUHMAKGPWh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvdHUtZHJlc2Rlbi1nMi1jYS9wdWIvY2Fj ZXJ0L2NhY2VydC5jcnQwQAYDVR0gBDkwNzAPBg0rBgEEAYGtIYIsAQEEMBEGDysGAQQBga0hgiwB AQQDCDARBg8rBgEEAYGtIYIsAgEEAwgwDQYJKoZIhvcNAQELBQADggEBALGKebdGnWf+FFah0yvZ PqqxSHv96DCmNz4AbGJ8YUb0fDKAsr3FoAnmxZA4K1narUZPY9FrixLqvheTIO0hKxlIR8xvKjrk M9YitQFS5eFI8bY8UkPPOM8BJlIN9/u9JYJZwheQwn4pvEFxnll0T5muU5R9mB/eBOt2Seo13/3O aYY4733dX2POgyeiHq5qZzgXyUjNIKe0KDDld4jYvtcwomlHUfd9B0CiQ65NCfVAD36j+UCmK5+/ AHf+3TOr6df4gZXaOc7skv4p77/Y2tEOoNbaNZxQ9oD816cUYGsuJJ4ZS0GAnX57NtNMj/PupPYc D3LUnFS+tT4bP/L4OiExggPSMIIDzgIBATCBgzBzMQswCQYDVQQGEwJERTEQMA4GA1UECAwHU2Fj aHNlbjEQMA4GA1UEBwwHRHJlc2RlbjEoMCYGA1UECgwfVGVjaG5pc2NoZSBVbml2ZXJzaXRhZXQg RHJlc2RlbjEWMBQGA1UEAwwNVFUgRHJlc2RlbiBDQQIMH9UpCa20qUIUsSERMAkGBSsOAwIaBQCg ggIjMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE5MDIyMjA4MzUy NFowIwYJKoZIhvcNAQkEMRYEFLuDdPpZaf7sNR2NXZqs4Nyn6iD5MIGTBgkqhkiG9w0BCQ8xgYUw gYIwCwYJYIZIAWUDBAEqMAoGCCqGSIb3DQMHMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwDgYI KoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIaMAsGCWCGSAFlAwQCAzALBglghkgB ZQMEAgIwCwYJYIZIAWUDBAIBMIGUBgkrBgEEAYI3EAQxgYYwgYMwczELMAkGA1UEBhMCREUxEDAO BgNVBAgMB1NhY2hzZW4xEDAOBgNVBAcMB0RyZXNkZW4xKDAmBgNVBAoMH1RlY2huaXNjaGUgVW5p dmVyc2l0YWV0IERyZXNkZW4xFjAUBgNVBAMMDVRVIERyZXNkZW4gQ0ECDB/VKQmttKlCFLEhETCB lgYLKoZIhvcNAQkQAgsxgYaggYMwczELMAkGA1UEBhMCREUxEDAOBgNVBAgMB1NhY2hzZW4xEDAO BgNVBAcMB0RyZXNkZW4xKDAmBgNVBAoMH1RlY2huaXNjaGUgVW5pdmVyc2l0YWV0IERyZXNkZW4x FjAUBgNVBAMMDVRVIERyZXNkZW4gQ0ECDB/VKQmttKlCFLEhETANBgkqhkiG9w0BAQEFAASCAQB1 185YslMDbIWKXNptRXWXbTEQjIEfMFpEy0Pybnagl7YsBtZc6R3FV4w+wEttHVULVEf8nXBc+12O SQ7V/ZcD4uXxeMMnirtltJoi2k4nnDqB9mCXGdEebHe6pjQluePUhE8uckfcIy1znbK8xn4UnGzW v1YqBp7fcrUOrLiU26HYdDGGj4a36/x01vG3hmTl6uIO+/JnT+D5sq6in8Su37hk2VuD7x4IRQn9 joCYlCszg9bmJyekA7gJGjWU3ZuXj7hhFdFUJhZPw3ZkhDr2kQSDx0O0RWimlczYrgSdMe6yos16 QbxuAZv/Uz2EzvdnxxSUlMt82GTsNdF0l4X0AAAAAAAA ------=_NextPart_000_00ED_01D4CA91.EFC4AE60-- signed (16,269 bytes)

Elektor 2019-02-22 09:12 reporter	signed_encrypted (23,080 bytes) Return-Path: <thomas.zerna@tu-dresden.de> From: "Zerna" <thomas.zerna@tu-dresden.de> To: "'Swen Tyrian'" <swen.tyrian@tu-dresden.de> Subject: Signed and encrypted Date: Fri, 22 Feb 2019 10:03:32 +0100 Message-ID: <013b01d4ca8d$7c8b9930$75a2cb90$@tu-dresden.de> MIME-Version: 1.0 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7m" Thread-Index: AdTKjXxmqDPjupRnQ6WjQNvG4CnfVg== Content-Language: de

schmirl 2019-05-05 20:34 reporter ~0013562	I prepared a patch which adds support for opaque signed messages to SOGo.

schmirl 2019-05-05 20:34 reporter	SOGo-4.0.6-smime.patch (26,031 bytes) --- SOGo-4.0.6.orig/SoObjects/Mailer/NSData+SMIME.h 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/SoObjects/Mailer/NSData+SMIME.h 2019-05-05 21:41:45.462408407 +0200 @@ -31,6 +31,8 @@ - (NSData ) encryptUsingCertificate: (NSData ) theData; - (NSData ) decryptUsingCertificate: (NSData ) theData; - (NGMimeMessage ) messageFromEncryptedDataAndCertificate: (NSData ) theCertificate; +- (NSData ) embeddedContent; +- (NGMimeMessage ) messageFromOpaqueSignedData; - (NSData ) convertPKCS12ToPEMUsingPassword: (NSString ) thePassword; - (NSData ) convertPKCS7ToPEM; - (NSDictionary ) certificateDescription; --- SOGo-4.0.6.orig/SoObjects/Mailer/NSData+SMIME.m 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/SoObjects/Mailer/NSData+SMIME.m 2019-05-05 21:46:24.630420372 +0200 @@ -292,10 +292,86 @@ NGMimeMessageParser parser; NGMimeMessage message; NSData decryptedData; + NGMimeType contentType; + NSString type, subtype, smimetype; decryptedData = [self decryptUsingCertificate: theCertificate]; parser = [[NGMimeMessageParser alloc] init]; message = [parser parsePartFromData: decryptedData]; + + // Extract contents if the encrypted messages contains opaque signed data + contentType = [message contentType]; + type = [[contentType type] lowercaseString]; + subtype = [[contentType subType] lowercaseString]; + if ([type isEqualToString: @"application"]) + { + if ([subtype isEqualToString: @"x-pkcs7-mime"] \|\| + [subtype isEqualToString: @"pkcs7-mime"]) + { + smimetype = [[contentType valueOfParameter: @"smime-type"] lowercaseString]; + if ([smimetype isEqualToString: @"signed-data"]) + { + message = [decryptedData messageFromOpaqueSignedData]; + } + } + } + + RELEASE(parser); + + return message; +} + +- (NSData ) embeddedContent +{ + NSData output = NULL; + + BIO sbio, obio; + BUF_MEM bptr; + PKCS7 p7 = NULL; + + sbio = BIO_new_mem_buf((void )[self bytes], [self length]); + + p7 = SMIME_read_PKCS7(sbio, NULL); + + if (!p7) + { + NSLog(@"FATAL: could not read the signature"); + goto cleanup; + } + + // We output the S/MIME encrypted message + obio = BIO_new(BIO_s_mem()); + + if (!PKCS7_verify(p7, NULL, NULL, NULL, obio, PKCS7_NOVERIFY\|PKCS7_NOSIGS)) + { + NSLog(@"FATAL: could not extract content"); + goto cleanup; + } + + BIO_get_mem_ptr(obio, &bptr); + + output = [NSData dataWithBytes: bptr->data length: bptr->length]; + + cleanup: + PKCS7_free(p7); + BIO_free(sbio); + BIO_free(obio); + + return output; +} + +// +// +// +- (NGMimeMessage ) messageFromOpaqueSignedData +{ + NGMimeMessageParser parser; + NGMimeMessage message; + NSData extractedData; + + extractedData = [self embeddedContent]; + parser = [[NGMimeMessageParser alloc] init]; + message = [parser parsePartFromData: extractedData]; RELEASE(parser); return message; --- SOGo-4.0.6.orig/SoObjects/Mailer/SOGoDraftObject.m 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/SoObjects/Mailer/SOGoDraftObject.m 2019-05-05 21:47:53.650424188 +0200 @@ -875,6 +875,18 @@ // // // +- (void) _fetchAttachmentsFromOpaqueSignedMail: (SOGoMailObject ) sourceMail +{ + NGMimeMessage m; + + m = [[sourceMail content] messageFromOpaqueSignedData]; + [self _fileAttachmentsFromPart: [m body]]; +} + + +// +// +// - (void) fetchMailForEditing: (SOGoMailObject ) sourceMail { NSString subject, msgid; @@ -1007,6 +1019,8 @@ [self setText: [sourceMail contentForInlineForward]]; if ([sourceMail isEncrypted]) [self _fetchAttachmentsFromEncryptedMail: sourceMail]; + else if ([sourceMail isOpaqueSigned]) + [self _fetchAttachmentsFromOpaqueSignedMail: sourceMail]; else [self _fetchAttachmentsFromMail: sourceMail]; } --- SOGo-4.0.6.orig/SoObjects/Mailer/SOGoMailBodyPart.m 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/SoObjects/Mailer/SOGoMailBodyPart.m 2019-05-05 21:58:43.746452051 +0200 @@ -210,6 +210,28 @@ inContext: localContext]; obj = [clazz objectWithName:key inContainer: self]; } + else if ([o isOpaqueSigned]) + { + NGMimeMessage m; + id part; + + int i; + + m = [[o content] messageFromOpaqueSignedData]; + part = [m body]; + + for (i = 0; i < [[self bodyPartPath] count]; i++) + { + nbr = [[[self bodyPartPath] objectAtIndex: i] intValue]-1; + part = [[part parts] objectAtIndex: nbr];; + } + + part = [[part parts] objectAtIndex: ([key intValue]-1)]; + mimeType = [[part contentType] stringValue]; + clazz = [SOGoMailBodyPart bodyPartClassForMimeType: mimeType + inContext: localContext]; + obj = [clazz objectWithName:key inContainer: self]; + } else { infos = [self partInfo]; @@ -354,6 +376,24 @@ part = [m body]; for (i = 0; i < [[self bodyPartPath] count]; i++) + { + nbr = [[[self bodyPartPath] objectAtIndex: i] intValue]-1; + part = [[part parts] objectAtIndex: nbr];; + } + + return [part body]; + } + else if ([o isOpaqueSigned]) + { + NGMimeMessage m; + id part; + + unsigned int i, nbr; + + m = [[o content] messageFromOpaqueSignedData]; + part = [m body]; + + for (i = 0; i < [[self bodyPartPath] count]; i++) { nbr = [[[self bodyPartPath] objectAtIndex: i] intValue]-1; part = [[part parts] objectAtIndex: nbr];; --- SOGo-4.0.6.orig/SoObjects/Mailer/SOGoMailObject+Draft.m 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/SoObjects/Mailer/SOGoMailObject+Draft.m 2019-05-05 21:48:46.038426433 +0200 @@ -238,6 +238,24 @@ return nil; } + +// +// +// +- (NSString ) _contentForEditingFromOpaqueSignedMail +{ + SOGoUserDefaults ud; + NGMimeMessage m; + + m = [[self content] messageFromOpaqueSignedData]; + ud = [[context activeUser] userDefaults]; + + return [self _preferredContentFromPart: [m body] + favorHTML: [[ud mailComposeMessageType] isEqualToString: @"html"]]; + + return nil; +} + // // // @@ -250,6 +268,8 @@ if ([self isEncrypted]) output = [self _contentForEditingFromEncryptedMail]; + else if ([self isOpaqueSigned]) + output = [self _contentForEditingFromOpaqueSignedMail]; // If not encrypted or if decryption failed, we fallback // to the normal content fetching code. --- SOGo-4.0.6.orig/SoObjects/Mailer/SOGoMailObject.h 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/SoObjects/Mailer/SOGoMailObject.h 2019-05-05 21:41:45.462408407 +0200 @@ -124,7 +124,8 @@ - (BOOL) replied; /* \Answered / - (BOOL) forwarded; / $forwarded / - (BOOL) deleted; / \Deleted / -- (BOOL) isSigned; / S/MIME signed message / +- (BOOL) isSigned; / S/MIME signed message (detached signature) / +- (BOOL) isOpaqueSigned; / S/MIME signed message (embedded content) / - (BOOL) isEncrypted; / S/MIME encrypted message / / deletion / --- SOGo-4.0.6.orig/SoObjects/Mailer/SOGoMailObject.m 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/SoObjects/Mailer/SOGoMailObject.m 2019-05-05 21:50:58.394432106 +0200 @@ -1201,6 +1201,19 @@ return [clazz objectWithName:_key inContainer: self]; } } + else if ([self isOpaqueSigned]) + { + NGMimeMessage m; + id part; + + m = [[self content] messageFromOpaqueSignedData]; + + part = [[[m body] parts] objectAtIndex: ([_key intValue]-1)]; + mimeType = [[part contentType] stringValue]; + clazz = [SOGoMailBodyPart bodyPartClassForMimeType: mimeType + inContext: _ctx]; + return [clazz objectWithName:_key inContainer: self]; + } parts = [[self bodyStructure] objectForKey: @"parts"]; @@ -1738,18 +1751,47 @@ [protocol isEqualToString: @"application/pkcs7-signature"])); } +- (BOOL) isOpaqueSigned +{ + NSString type, subtype, smimetype; + NGMimeType contentType; + + contentType = [[self mailHeaders] objectForKey: @"content-type"]; + type = [[contentType type] lowercaseString]; + subtype = [[contentType subType] lowercaseString]; + + if ([type isEqualToString: @"application"]) + { + if ([subtype isEqualToString: @"x-pkcs7-mime"] \|\| + [subtype isEqualToString: @"pkcs7-mime"]) + { + smimetype = [[contentType valueOfParameter: @"smime-type"] lowercaseString]; + if ([smimetype isEqualToString: @"signed-data"]) + return YES; + } + } + + return NO; +} + - (BOOL) isEncrypted { - NSString type, subtype; + NSString type, subtype, smimetype; + NGMimeType contentType; - type = [[[[self mailHeaders] objectForKey: @"content-type"] type] lowercaseString]; - subtype = [[[[self mailHeaders] objectForKey: @"content-type"] subType] lowercaseString]; + contentType = [[self mailHeaders] objectForKey: @"content-type"]; + type = [[contentType type] lowercaseString]; + subtype = [[contentType subType] lowercaseString]; if ([type isEqualToString: @"application"]) { if ([subtype isEqualToString: @"x-pkcs7-mime"] \|\| [subtype isEqualToString: @"pkcs7-mime"]) - return YES; + { + smimetype = [[contentType valueOfParameter: @"smime-type"] lowercaseString]; + if ([smimetype isEqualToString: @"enveloped-data"]) + return YES; + } } return NO; --- SOGo-4.0.6.orig/UI/MailPartViewers/UIxMailRenderingContext.m 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/UI/MailPartViewers/UIxMailRenderingContext.m 2019-05-05 21:52:06.986435046 +0200 @@ -256,10 +256,18 @@ if ([st isEqualToString: @"x-pkcs7-mime"] \|\| [st isEqualToString: @"pkcs7-mime"]) { - // If the mail account has a valid certificate, we try to decode - // the encrypted email. Otherwise, we fallback to a link viewer - if ([[[viewer clientObject] mailAccountFolder] certificate]) - return [self encryptedViewer]; + NSString smt = [[[_info objectForKey:@"parameterList"] valueForKey:@"smime-type"] lowercaseString]; + if ([smt isEqualToString:@"signed-data"]) + { + return [self encryptedViewer]; + } + else if ([smt isEqualToString:@"enveloped-data"]) + { + // If the mail account has a valid certificate, we try to decode + // the encrypted email. Otherwise, we fallback to a link viewer + if ([[[viewer clientObject] mailAccountFolder] certificate]) + return [self encryptedViewer]; + } } #if 0 / the link viewer looks better than plain text ;-) / --- SOGo-4.0.6.orig/UI/WebServerResources/js/Mailer/Message.service.js 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/UI/WebServerResources/js/Mailer/Message.service.js 2019-05-05 21:41:45.466408407 +0200 @@ -321,13 +321,22 @@ }; } else if (part.type == 'UIxMailPartEncryptedViewer') { - _this.encrypted = { - valid: part.valid - }; - if (part.valid) - _this.encrypted.message = l("This message is encrypted"); - else - _this.encrypted.message = l("This message can't be decrypted. Please make sure you have uploaded your S/MIME certificate from the mail preferences module."); + if (part.encrypted) { + _this.encrypted = { + valid: part.decrypted + }; + if (part.decrypted) + _this.encrypted.message = l("This message is encrypted"); + else + _this.encrypted.message = l("This message can't be decrypted. Please make sure you have uploaded your S/MIME certificate from the mail preferences module."); + } + if (part.opaqueSigned) { + _this.signed = { + valid: part.valid, + certificate: part.certificates[part.certificates.length - 1], + message: part.message + }; + } } _.forEach(part.content, function(mixedPart) { _visit(mixedPart); --- SOGo-4.0.6.orig/UI/MailPartViewers/UIxMailPartEncryptedViewer.h 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/UI/MailPartViewers/UIxMailPartEncryptedViewer.h 2019-05-05 21:41:45.466408407 +0200 @@ -28,8 +28,20 @@ @interface UIxMailPartEncryptedViewer : UIxMailPartViewer { + BOOL processed; + BOOL encrypted; + BOOL opaqueSigned; + BOOL validSignature; + NSMutableArray certificates; + NSString validationMessage; } +- (BOOL) validSignature; +- (NSString ) validationMessage; +- (NSArray ) smimeCertificates; +- (NSDictionary ) certificateForSubject: (NSString ) subject + andIssuer: (NSString ) issuer; + @end #endif /* UIXMAILPARTENCRYPTEDVIEWER_H / --- SOGo-4.0.6.orig/UI/MailPartViewers/UIxMailPartEncryptedViewer.m 2019-02-21 16:11:07.000000000 +0100 +++ SOGo-4.0.6/UI/MailPartViewers/UIxMailPartEncryptedViewer.m 2019-05-05 21:55:08.426442823 +0200 @@ -19,6 +19,14 @@ 02111-1307, USA. / +#if defined(HAVE_OPENSSL) \|\| defined(HAVE_GNUTLS) +#include <openssl/ssl.h> +#include <openssl/bio.h> +#include <openssl/err.h> +#include <openssl/pkcs7.h> +#include <openssl/x509.h> +#endif + #import <Foundation/NSDictionary.h> #import <Foundation/NSNull.h> #import <Foundation/NSValue.h> @@ -36,11 +44,222 @@ #import <SoObjects/Mailer/SOGoMailObject.h> #import <UI/MailerUI/WOContext+UIxMailer.h> +#import <SOGo/NSString+Utilities.h> + #import "UIxMailRenderingContext.h" #import "UIxMailPartEncryptedViewer.h" @implementation UIxMailPartEncryptedViewer +#if defined(HAVE_OPENSSL) \|\| defined(HAVE_GNUTLS) +- (X509_STORE ) _setupVerify +{ + X509_STORE store; + X509_LOOKUP lookup; + BOOL success; + + success = NO; + + store = X509_STORE_new(); + OpenSSL_add_all_algorithms(); + + if (store) + { + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (lookup) + { + X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); + if (lookup) + { + X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); + ERR_clear_error(); + success = YES; + } + } + } + + if (!success) + { + if (store) + { + X509_STORE_free(store); + store = NULL; + } + } + + return store; +} + +- (NSData ) _processMessageWith: (NSData ) signedData +{ + NSData output; + + STACK_OF(X509) certs; + X509_STORE x509Store; + BIO msgBio, obio; + PKCS7 p7; + int err, i; + + ERR_clear_error(); + + msgBio = BIO_new_mem_buf ((void ) [signedData bytes], [signedData length]); + + p7 = SMIME_read_PKCS7(msgBio, NULL); + + certs = NULL; + certificates = [NSMutableArray array]; + validationMessage = nil; + + if (p7) + { + if (OBJ_obj2nid(p7->type) == NID_pkcs7_signed) + { + NSString subject, issuer; + X509 x; + + certs = p7->d.sign->cert; + + for (i = 0; i < sk_X509_num(certs); i++) + { + BIO buf; + char p[1024]; + + x = sk_X509_value(certs, i); + + memset(p, 0, 1024); + buf = BIO_new(BIO_s_mem()); + X509_NAME_print_ex(buf, X509_get_subject_name(x), 0, + ASN1_STRFLGS_ESC_CTRL \| XN_FLAG_SEP_MULTILINE \| XN_FLAG_FN_LN); + BIO_read(buf, p, 1024); + subject = [NSString stringWithUTF8String: p]; + BIO_free(buf); + + memset(p, 0, 1024); + buf = BIO_new(BIO_s_mem()); + X509_NAME_print_ex(buf, X509_get_issuer_name(x), 0, + ASN1_STRFLGS_ESC_CTRL \| XN_FLAG_SEP_MULTILINE \| XN_FLAG_FN_LN); + BIO_read(buf, p, 1024); + issuer = [NSString stringWithUTF8String: p]; + BIO_free(buf); + + [certificates addObject: [self certificateForSubject: subject + andIssuer: issuer]]; + } + } + + err = ERR_get_error(); + if (err) + { + validSignature = NO; + } + else + { + x509Store = [self _setupVerify]; + obio = BIO_new(BIO_s_mem()); + + validSignature = (PKCS7_verify(p7, NULL, x509Store, NULL, + obio, 0) == 1); + + err = ERR_get_error(); + + if (x509Store) + X509_STORE_free (x509Store); + } + + if (err) + { +#ifdef HAVE_GNUTLS + const char* sslError; + ERR_load_crypto_strings(); + SSL_load_error_strings(); + sslError = ERR_reason_error_string(err); + validationMessage = [[self labelForKey: [NSString stringWithUTF8String: sslError ? sslError : @"No error information available"]] retain]; +#elif OPENSSL_VERSION_NUMBER < 0x10100000L + const char* sslError; + ERR_load_crypto_strings(); + SSL_load_error_strings(); + sslError = ERR_reason_error_string(err); + validationMessage = [[self labelForKey: [NSString stringWithUTF8String: sslError ? sslError : @"No error information available"]] retain]; +#else + validationMessage = [[self labelForKey: @"No error information available"] retain]; +#endif /* HAVE_GNUTLS / + + BUF_MEM bptr; //DEL + BIO_get_mem_ptr(obio, &bptr); //DEL + // extract contents without validation + output = [ signedData embeddedContent ]; + } + else + { + BUF_MEM bptr; + BIO_get_mem_ptr(obio, &bptr); + output = [NSData dataWithBytes: bptr->data length: bptr->length]; + } + } + + PKCS7_free(p7); + BIO_free (msgBio); + BIO_free (obio); + + if (validSignature) + validationMessage = [NSString stringWithString: [self labelForKey: @"Message is signed"]]; + else if (!validationMessage) + validationMessage = [NSString stringWithString: [self labelForKey: @"Digital signature is not valid"]]; + + processed = YES; + opaqueSigned = YES; + return output; +} + +- (BOOL) validSignature +{ + if (!processed) + NSLog(@"ERROR: validSignature called but not processed yet"); + //[self _processMessage]; + + return validSignature; +} + +- (NSDictionary ) certificateForSubject: (NSString ) subject + andIssuer: (NSString ) issuer +{ + return [NSDictionary dictionaryWithObjectsAndKeys: + [subject componentsFromMultilineDN], @"subject", + [issuer componentsFromMultilineDN], @"issuer", + nil]; +} + +- (NSArray ) smimeCertificates +{ + return certificates; +} + +- (NSString ) validationMessage +{ + if (!processed) + NSLog(@"ERROR: validationMessage called but not processed yet"); + //[self _processMessage]; + + return validationMessage; +} +#else +- (NSArray ) smimeCertificates +{ + return nil; +} + +- (BOOL) validSignature +{ + return NO; +} + +- (NSString ) validationMessage +{ + return nil; +} +#endif + - (void) _attachmentIdsFromBodyPart: (id) thePart partPath: (NSString ) thePartPath { @@ -91,26 +310,107 @@ - (id) renderedPart { + SOGoMailObject mailObject; NSData certificate, decryptedData, encryptedData; id info, viewer; - certificate = [[[self clientObject] mailAccountFolder] certificate]; - encryptedData = [[self clientObject] content]; - decryptedData = [encryptedData decryptUsingCertificate: certificate]; + mailObject = [[self clientObject] mailObject]; + if ([mailObject isEncrypted]) + { + encrypted = YES; + certificate = [[[self clientObject] mailAccountFolder] certificate]; + encryptedData = [[self clientObject] content]; + decryptedData = [encryptedData decryptUsingCertificate: certificate]; - if (decryptedData) + if (decryptedData) + { + NGMimeMessageParser parser; + NGMimeMessage message; + NGMimeType contentType; + NSString type, subtype, smimetype; + id part; + + parser = [[NGMimeMessageParser alloc] init]; + message = [parser parsePartFromData: decryptedData]; + + // Extract contents if the encrypted messages contains opaque signed data + contentType = [message contentType]; + type = [[contentType type] lowercaseString]; + subtype = [[contentType subType] lowercaseString]; + if ([type isEqualToString: @"application"]) + { + if ([subtype isEqualToString: @"x-pkcs7-mime"] \|\| + [subtype isEqualToString: @"pkcs7-mime"]) + { + smimetype = [[contentType valueOfParameter: @"smime-type"] lowercaseString]; + if ([smimetype isEqualToString: @"signed-data"]) + { + NGMimeMessageParser parser; + opaqueSigned = YES; + NSData extractedData = [self _processMessageWith: decryptedData]; + if (extractedData) + { + parser = [[NGMimeMessageParser alloc] init]; + message = [parser parsePartFromData: extractedData]; + decryptedData = extractedData; + RELEASE(parser); + } + } + } + } + + processed = YES; + part = [message retain]; + + info = [NSDictionary dictionaryWithObjectsAndKeys: [[part contentType] type], @"type", + [[part contentType] subType], @"subtype", + [[part contentType] parametersAsDictionary], @"parameterList", nil]; + viewer = [[[self context] mailRenderingContext] viewerForBodyInfo: info]; + [viewer setBodyInfo: info]; + [viewer setFlatContent: decryptedData]; + [viewer setDecodedContent: [part body]]; + + // attachmentIds is empty in an ecrypted email as the IMAP body structure + // is of course not available for file attachments + [self _attachmentIdsFromBodyPart: [part body] partPath: @""]; + [viewer setAttachmentIds: attachmentIds]; + + return [NSDictionary dictionaryWithObjectsAndKeys: + [self className], @"type", + [NSNumber numberWithBool: YES], @"encrypted", + [NSNumber numberWithBool: YES], @"decrypted", + [NSNumber numberWithBool: opaqueSigned], @"opaqueSigned", + [NSNumber numberWithBool: [self validSignature]], @"valid", + [NSArray arrayWithObject: [viewer renderedPart]], @"content", + [self smimeCertificates], @"certificates", + [self validationMessage], @"message", + nil]; + } + } + else if ([mailObject isOpaqueSigned]) { NGMimeMessageParser parser; + NGMimeMessage message; id part; + opaqueSigned = YES; + encryptedData = [[self clientObject] content]; + NSData extractedData = [self _processMessageWith: encryptedData]; + if (extractedData) + { + parser = [[NGMimeMessageParser alloc] init]; + message = [parser parsePartFromData: extractedData]; + RELEASE(parser); + } - parser = [[NGMimeMessageParser alloc] init]; - part = [[parser parsePartFromData: decryptedData] retain]; + processed = YES; + part = [message retain]; info = [NSDictionary dictionaryWithObjectsAndKeys: [[part contentType] type], @"type", - [[part contentType] subType], @"subtype", nil]; + [[part contentType] subType], @"subtype", + [[part contentType] parametersAsDictionary], @"parameterList", nil]; viewer = [[[self context] mailRenderingContext] viewerForBodyInfo: info]; [viewer setBodyInfo: info]; - [viewer setFlatContent: decryptedData]; + [viewer setFlatContent: extractedData]; [viewer setDecodedContent: [part body]]; // attachmentIds is empty in an ecrypted email as the IMAP body structure @@ -120,8 +420,12 @@ return [NSDictionary dictionaryWithObjectsAndKeys: [self className], @"type", - [NSNumber numberWithBool: YES], @"valid", + [NSNumber numberWithBool: NO], @"encrypted", + [NSNumber numberWithBool: YES], @"opaqueSigned", + [NSNumber numberWithBool: [self validSignature]], @"valid", [NSArray arrayWithObject: [viewer renderedPart]], @"content", + [self smimeCertificates], @"certificates", + [self validationMessage], @"message", nil]; } @@ -129,7 +433,9 @@ // Decryption failed, let's return something else... return [NSDictionary dictionaryWithObjectsAndKeys: [self className], @"type", - [NSNumber numberWithBool: NO], @"valid", + [NSNumber numberWithBool: encrypted], @"encrypted", + [NSNumber numberWithBool: NO], @"decrypted", + [NSNumber numberWithBool: NO], @"opaqueSigned", [NSArray array], @"content", nil]; } SOGo-4.0.6-smime.patch (26,031 bytes)

sogo: master 676d2e67 2019-08-19 10:37 ludovic Details Diff	(feat) added support for S/MIME opaque signing (fixes 0004582)	Affected Issues 0004582
	mod - NEWS	Diff File
	mod - SOPE/GDLContentStore/GCSFolder.m	Diff File
	mod - SoObjects/Mailer/NSData+SMIME.h	Diff File
	mod - SoObjects/Mailer/NSData+SMIME.m	Diff File
	mod - SoObjects/Mailer/SOGoDraftObject.m	Diff File
	mod - SoObjects/Mailer/SOGoMailBaseObject.m	Diff File
	mod - SoObjects/Mailer/SOGoMailBodyPart.m	Diff File
	mod - SoObjects/Mailer/SOGoMailObject+Draft.m	Diff File
	mod - SoObjects/Mailer/SOGoMailObject.h	Diff File
	mod - SoObjects/Mailer/SOGoMailObject.m	Diff File
	mod - UI/MailPartViewers/UIxMailPartEncryptedViewer.h	Diff File
	mod - UI/MailPartViewers/UIxMailPartEncryptedViewer.m	Diff File
	mod - UI/MailPartViewers/UIxMailRenderingContext.m	Diff File
	mod - UI/MailerUI/UIxMailView.m	Diff File
	mod - UI/WebServerResources/js/Mailer/Message.service.js	Diff File

Date Modified	Username	Field	Change
2018-10-26 09:02	Elektor	New Issue
2019-02-19 18:31	ludovic	Severity	major => minor
2019-02-19 18:32	ludovic	Note Added: 0013390
2019-02-20 09:28	schmirl	Note Added: 0013401
2019-02-20 09:29	schmirl	File Added: detached.msg
2019-02-20 09:29	schmirl	File Added: opaque.msg
2019-02-22 09:12	Elektor	Note Added: 0013413
2019-02-22 09:12	Elektor	File Added: encrypted
2019-02-22 09:12	Elektor	File Added: signed
2019-02-22 09:12	Elektor	File Added: signed_encrypted
2019-05-05 20:34	schmirl	Note Added: 0013562
2019-05-05 20:34	schmirl	File Added: SOGo-4.0.6-smime.patch
2019-08-19 14:41	ludovic	Changeset attached	=> sogo master 676d2e67
2019-08-19 14:41	ludovic	Assigned To	=> ludovic
2019-08-19 14:41	ludovic	Resolution	open => fixed
2019-08-19 14:41	ludovic	Status	new => resolved
2019-08-19 14:41	ludovic	Fixed in Version	=> 4.1.0

View Issue Details

Activities

Related Changesets

Issue History