On 22 Jan 2019, at 17:02, Jan Münnich wrote:
Apparently MailMate uses SHA1 for S/MIME signatures:
Content-Type: multipart/signed;
boundary="=_MailMate_9C9B7CEB-A063-4594-B53C-4CA40977FBE0_=";
micalg=sha1;
SHA1 is not considered as secure anymore
(https://en.wikipedia.org/wiki/SHA-1). I also noticed that Gmail
doesn't verify SHA1-signed messages anymore: 'The signature uses an
unsupported algorithm. The digital signature is not valid.'
My memory might be failing me here, but if I remember correctly then I
did look into this a long time ago. I'm not really specifying which
hashing method to use in the code. This is left to the Apple framework
and I *think* this uses whatever is stated by the certificate itself,
but I'm not 100% sure I ever verified that. I did look into how I could
get the hashing method of the certificate and this was (at the time)
ridiculously complicated. The idea was that I would then put that in the
Content-Type header, but when I checked Apple Mail it didn't do this. It
had sha1 in the header like above for a certificate which stated sha256.
I'll note to look into it again and see if the above is completely wrong
:-)
I don't know if you use a macOS library for S/MIME?
I use the one provided by Apple. CMSEncode() is the main function and,
if I remember correctly, it provides no way to control the hash function
used.
A test from iOS Mail used SHA256:
Content-Type: multipart/signed;
boundary=Apple-Mail-2496A2C0-AD94-4608-8970-57B8A409367C;
protocol="application/pkcs7-signature"; micalg=sha-256
Ok, that's good to know.
--
Benny
_______________________________________________
mailmate mailing list
mailmate@lists.freron.com
https://lists.freron.com/listinfo/mailmate
