[openssl-dev] [openssl.org #4082] Patch: Unable to read SMIME message if there is no signer

František Bořánek via RT rt at openssl.org
Thu Oct 8 19:05:51 UTC 2015


Hi,
I found that Outlook for Mac can generate (depending on settings) a signed message in which the sender's certificate is not included. It works pretty well, but verification requires that recipients already have the sender's certificate. Such a message is attached.
The problem is that such a message cannot be read by openssl. Normally, if a message has a sender certificate, the following command prints the encapsulated message in smime.p7m.



    $ openssl smime -verify -noverify -nosigs -in ~/workspace/00000004.eml
    --- content of message ---
    Verification successful


However, the current behaviour is that an error is reported instead of the content of the message:



    $ openssl smime -verify -noverify -in ~/workspace/00000005.eml 
    Verification failure
    139741085296288:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:462:


The attached patch solves this issue. The signer certificate is not looked up if there is no need for it. Here are the results after the patch was applied.



    $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify
    Verification failure
    139737181419168:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:472:


    $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify -noverify
    --- content of message ---
    Verification failure
    139737181419168:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:472:


    $ ./external/bin/openssl smime -in ~/workspace/00000005.eml -verify -noverify -nosigs
    --- content of message ---
    Verification successful


The result for the arguments -verify -noverify corresponds with the behaviour where there is a certificate but the signature is not valid: the message is written out, but openssl returns an error.
 
---------------------------
Version: OpenSSL 1.0.1m 19 Mar 2015
OS: all affected


Regards,
František Bořánek
developer - Kerio Connect
.................................................................
Kerio Technologies s. r. o.
Anglicke nabrezi 1, 301 49 Plzen
Czech Republic
tel. +420 378 225 158
http://www.kerio.com
.................................................................
Connect. Communicate. Collaborate. Securely.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7m
Type: application/pkcs7-mime
Size: 1483 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151008/c92e673b/attachment.p7c>
-------------- next part --------------
diff --git a/OpenSSL/crypto/pkcs7/pk7_smime.c b/OpenSSL/crypto/pkcs7/pk7_smime.c
index dbd4100..60ce734 100644
--- a/OpenSSL/crypto/pkcs7/pk7_smime.c
+++ b/OpenSSL/crypto/pkcs7/pk7_smime.c
@@ -249,7 +249,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                  BIO *indata, BIO *out, int flags)
 {
-    STACK_OF(X509) *signers;
+    STACK_OF(X509) *signers = 0;
     X509 *signer;
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
     PKCS7_SIGNER_INFO *si;
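Review bot: Initialise the pointer with `NULL` rather than `0` (`STACK_OF(X509) *signers = NULL;`), which is the convention used for pointers elsewhere in this file and makes the intent of the later `if (signers)` checks explicit.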
@@ -294,14 +294,17 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         return 0;
     }
 
-    signers = PKCS7_get0_signers(p7, certs, flags);
-
-    if (!signers)
-        return 0;
+    if(!(flags & PKCS7_NOSIGS) || !(flags & PKCS7_NOVERIFY)) {
+        /* allow to read encapsulated data even if there is no signer */
+        signers = PKCS7_get0_signers(p7, certs, flags);
+    }
 
     /* Now verify the certificates */
-
-    if (!(flags & PKCS7_NOVERIFY))
+    if (!(flags & PKCS7_NOVERIFY)) {
+        if (!signers) {
+            return 0;
+        }
+        
         for (k = 0; k < sk_X509_num(signers); k++) {
             signer = sk_X509_value(signers, k);
             if (!(flags & PKCS7_NOCHAIN)) {
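Review bot: The comment on the new lookup condition should state the semantics precisely: the signer lookup is skipped only when both PKCS7_NOSIGS and PKCS7_NOVERIFY are set, and with only PKCS7_NOVERIFY set a message whose signer cannot be found now has its content written to `out` before PKCS7_verify() returns 0, which is a behaviour change callers should be told about. Style points in the same hunk: `if(!(flags & ...` is missing the space after `if` used everywhere else in this function, and the blank line added after `return 0; }` carries trailing whitespace.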
@@ -333,6 +336,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
             }
             /* Check for revocation status here */
         }
+    }
 
     /*
      * Performance optimization: if the content is a memory BIO then store
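Review bot: Wrapping the existing `for` loop in a new `if (!(flags & PKCS7_NOVERIFY)) { ... }` block nests its body one level deeper, but the loop body keeps its old indentation, so the closing `}` added here no longer lines up with the code it encloses; either re-indent the enclosed loop or keep the single-statement `if` form and place the `if (!signers) return 0;` check before it.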
@@ -384,7 +388,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     }
 
     /* Now Verify All Signatures */
-    if (!(flags & PKCS7_NOSIGS))
+    if (!(flags & PKCS7_NOSIGS)) {
+        if (!signers) {
+            return 0;
+        }
+        
         for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
             si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
             signer = sk_X509_value(signers, i);
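Review bot: The `if (!signers) { return 0; }` added before the signature loop bypasses the function's cleanup path, which (as the last hunk shows) calls `BIO_free_all(p7bio)` before returning; at this point in the function the content has already been read through `p7bio`, so the early return leaks it. Use `goto err;` with `ret` still 0 instead of `return 0;`, as the existing error exits in this loop do. The same trailing whitespace on the added blank line applies here.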
@@ -394,6 +402,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                 goto err;
             }
         }
+    }
 
     ret = 1;
 
@@ -405,7 +414,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     }
     BIO_free_all(p7bio);
 
-    sk_X509_free(signers);
+    if (signers)
+        sk_X509_free(signers);
 
     return ret;
 }
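Review bot: The `if (signers)` guard around `sk_X509_free(signers)` is redundant, since `sk_X509_free()` already tolerates a NULL argument; with `signers` now initialised at declaration, the original unconditional `sk_X509_free(signers);` can stay as it was.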
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3295 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151008/c92e673b/attachment.bin>
-------------- next part --------------