[imp] Verifying smime signatures not working?

Tue, 29 Apr 2014 19:20:26 -0700

I am receiving email from a friend who uses Lotus Notes and is signing his emails. After much effort, I finally figured out how to extract the certificate from the smime.p7s file and import it into imp (since you can't just import the smime.p7s file directly). Now I am able to encrypt email to him, and imp successfully decrypts email from him (getting a key and sending him my public key was simple compared to importing the smime.p7s cert).
However, one thing I have not been able to figure out yet: I can not find any indication whether the signed email from him is valid or not. The only way I know it is signed is because of the attached smime.p7s file, but imp gives no hint that it has actually checked whether the message and signature has been checked. For an encrypted message, I figure I can safely assume it is intact, but what about an unencrypted message? 


If I view the source of a signed, non-encrypted email and save the  
source to a text file and run openssl_pkcs7_verify against it, it  
checks out, and if I make even a slight change to the message text,  
openssl returns errors, as expected. But imp just gives me the  
signature as an attachment and gives no hint whether the message is  
valid or not.



I am using Horde Groupware Webmail Edition and just upgraded to 5.1.4  
in the hopes there was a bug that had been fixed, but no luck. What am  
I missing in imp?



Here is the test php code I am using that shows whether my email is  
intact or tampered with:


<?php
function processCert($filename)
{
        $ret = false;
        $tmp_cert = tempnam ("", "crt");

        $res = openssl_pkcs7_verify($filename, 0, $tmp_cert,  
array("/etc/ssl/certs", ""));

        if ($res === false)
                echo("\nFALSE - does not verify\n");
        else if ($res === -1)
                echo("\nNEGATIVE - error\n");
        else if ($res === true)
        {
                echo("\nTRUE - verified\n");
                echo("\nSubject = \n");
                $cert_info = openssl_x509_parse("file://$tmp_cert");
                print_r($cert_info['subject']);
        }
        else
                echo("\nUNKNOWN ERROR\n");

        $ret = true;
        unlink($tmp_cert);
        return $ret;
}
?>
<HTML>
<HEAD>
<TITLE>PHP CERT TEST</TITLE>
</HEAD>
<BODY>
<pre>
<?php
processCert('email.txt');
processCert('modified.txt');
?>
</pre>
</BODY>
</HTML>


I saved the full source of the email from imp into the file email.txt  
in the same folder as the test.php code, then copied it to  
modified.txt and changed one character of the email message. I did  
have to download Verisign's root CA cert into the /etc/ssl/certs  
directory and hash it. When I load test.php in my browser, email.txt  
verifies and returns the subject info, and modified.txt does not verify.


Thanks in advance,
Edward Burr
--
"In television it is a cardinal sin to allow the viewer a
single moment when his ears and eyes are not assaulted by
sound and fury" -- Alfred Hitchcock, announcing a commercial
break in "Hangover" aired 12/06/1962 and just as true today



Attachment:
smime.p7s

Description: S/MIME Signature


-- 
imp mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: imp-unsubscr...@lists.horde.org





















					Reply via email to