Problem with smime-CA-directory

Problem with smime-CA-directory

[Arne Jørgensen]

Hi,

I have tried to install a root certificate in Gnus and had some
problems with smime-CA-directory.

When I set smime-CA-directory to nil and and let smime-CA-file point
directly to the certificate I am able to verify (with sender trusted)
a signed email.

When I set smime-CA-file to nil and let the smime-CA-directory point
to the directory where I keep the certificate I am able to verify, but
not trust the sender and I get an error from openssl.

The *OpenSSL output* only contains the address from the certificate
(jgu@kmd.dk) and in the *Message* I get the following error message:

   OpenSSL: An error occurred decrypting or verifying the message.

I have named the root certificate as explained in smime.el (the
certificate gets the name b415d336).

Below is the result from verifying the email.

Is this a bug in smime.el or have I done something wrong?

I'm using Emacs/20.7, Gnus from CVS and openssl v. 0.9.6c.


    /arne



[[S/MIME Signed Part:Ok (sender not trusted)]
Sender claimed to be: JGU@kmd.dk
Addresses in certificate: jgu@kmd.dk

OpenSSL output:
---------------
Verification Failure
14779:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:213:Verify error:self signed certificate in certificate chain

Certificate(s) inside S/MIME signature:
---------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 974849029 (0x3a1b0405)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Kvalificeret Person
        Validity
            Not Before: Nov 21 23:24:59 2000 GMT
            Not After : Nov 22 23:24:59 2015 GMT
        Subject: C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Kvalificeret Person
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:da:e2:17:85:dd:eb:20:fb:66:50:44:df:5e:d4:
                    04:33:9b:9f:eb:d1:31:57:3a:a7:7c:0d:40:e0:dd:
                    10:32:5e:db:3d:67:70:2c:fd:34:9b:e1:a0:b1:9d:
                    38:98:72:83:b5:55:3e:1d:0f:d9:cf:8a:67:d5:88:
                    f6:65:8e:29:92:36:6e:9d:96:90:b8:ee:8c:27:31:
                    6e:14:eb:ba:b6:37:59:f7:3a:83:02:c1:aa:a1:55:
                    f3:05:a0:69:92:a6:bd:55:a2:ce:3c:3d:2b:28:b6:
                    e5:fd:f2:5f:87:ce:86:8e:90:ab:69:6f:55:bb:9b:
                    b6:f5:45:5c:07:79:d4:62:7e:ff:66:1e:77:e6:b8:
                    3a:bd:9b:cf:64:5c:a8:74:bc:d4:1d:e9:cb:0b:03:
                    e2:68:09:47:9c:51:12:fe:63:a8:f7:f0:34:ff:95:
                    ed:b9:1c:5f:ea:5f:3b:89:15:85:9f:d5:fb:c3:12:
                    3d:d4:07:81:c5:7f:88:1d:f0:3f:69:b0:81:6c:88:
                    04:d7:35:ad:e0:62:74:64:e2:cf:cb:a7:9d:6b:b9:
                    e6:17:0d:7e:cb:ed:2c:96:d3:b3:d3:87:86:c4:7b:
                    9d:a4:6e:cb:e4:b8:d3:69:c3:9c:3e:6f:9c:e3:4e:
                    14:4b:22:1e:7e:3a:c3:e4:f4:ae:db:bb:87:a8:f8:
                    3a:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                79:62:EA:9A:12:38:D8:9C:63:EC:38:9F:0E:C5:BE:0E:54:21:28:3D
            X509v3 Authority Key Identifier: 
                keyid:79:62:EA:9A:12:38:D8:9C:63:EC:38:9F:0E:C5:BE:0E:54:21:28:3D

    Signature Algorithm: sha1WithRSAEncryption
        d3:0b:fc:fe:36:3a:e2:7d:69:45:7f:d1:f2:2d:b8:8c:9c:d4:
        98:6a:5a:f4:aa:9f:96:d7:8f:ef:5e:c8:47:a0:72:9f:1b:1c:
        b1:d8:e3:60:f5:3b:ec:f4:94:d8:a9:76:36:0f:49:d3:09:d3:
        06:4e:11:48:6b:fb:5e:74:49:d0:d0:d4:ff:f3:40:bf:00:51:
        a2:c4:06:44:6d:ed:97:73:5c:f5:47:dc:f1:11:aa:77:fd:22:
        ba:58:06:49:d9:29:f0:80:a1:57:21:03:a4:6b:f5:65:37:49:
        df:1b:32:84:5f:30:b2:a0:f1:cd:0c:f0:6e:84:3f:00:93:70:
        e1:6b:89:29:1b:b6:f3:46:cd:df:2b:f0:8f:96:7d:46:08:37:
        fa:7c:0c:8f:49:4f:da:9f:8d:53:83:9d:83:d1:31:49:ba:28:
        fb:ea:db:b4:ec:ac:6a:ee:2a:ba:b2:69:5f:78:91:67:3c:72:
        8f:00:bf:7c:c5:2d:e0:ad:82:1b:d4:89:10:5d:c7:ef:10:ee:
        6e:6d:e0:29:2e:4a:bd:16:20:da:ea:8c:83:c5:5b:64:2b:33:
        5a:fc:db:2d:3d:15:dd:7a:46:4a:8b:e0:b3:a0:2e:1e:af:07:
        92:a7:4c:0a:6f:eb:6a:d6:77:0e:f3:5b:06:27:8d:8e:bf:bd:
        76:18:d4:0c
-----BEGIN CERTIFICATE-----
MIIDdjCCAl6gAwIBAgIEOhsEBTANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJE
SzEMMAoGA1UEChMDS01EMQ8wDQYDVQQLEwZLTUQtQ0ExIzAhBgNVBAMTGktNRC1D
QSBLdmFsaWZpY2VyZXQgUGVyc29uMB4XDTAwMTEyMTIzMjQ1OVoXDTE1MTEyMjIz
MjQ1OVowUTELMAkGA1UEBhMCREsxDDAKBgNVBAoTA0tNRDEPMA0GA1UECxMGS01E
LUNBMSMwIQYDVQQDExpLTUQtQ0EgS3ZhbGlmaWNlcmV0IFBlcnNvbjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANriF4Xd6yD7ZlBE317UBDObn+vRMVc6
p3wNQODdEDJe2z1ncCz9NJvhoLGdOJhyg7VVPh0P2c+KZ9WI9mWOKZI2bp2WkLju
jCcxbhTrurY3Wfc6gwLBqqFV8wWgaZKmvVWizjw9Kyi25f3yX4fOho6Qq2lvVbub
tvVFXAd51GJ+/2Yed+a4Or2bz2RcqHS81B3pywsD4mgJR5xREv5jqPfwNP+V7bkc
X+pfO4kVhZ/V+8MSPdQHgcV/iB3wP2mwgWyIBNc1reBidGTiz8unnWu55hcNfsvt
LJbTs9OHhsR7naRuy+S402nDnD5vnONOFEsiHn46w+T0rtu7h6j4OvkCAwEAAaNW
MFQwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUeWLqmhI42Jxj7DifDsW+
DlQhKD0wHwYDVR0jBBgwFoAUeWLqmhI42Jxj7DifDsW+DlQhKD0wDQYJKoZIhvcN
AQEFBQADggEBANML/P42OuJ9aUV/0fItuIyc1JhqWvSqn5bXj+9eyEegcp8bHLHY
42D1O+z0lNipdjYPSdMJ0wZOEUhr+150SdDQ1P/zQL8AUaLEBkRt7ZdzXPVH3PER
qnf9IrpYBknZKfCAoVchA6Rr9WU3Sd8bMoRfMLKg8c0M8G6EPwCTcOFriSkbtvNG
zd8r8I+WfUYIN/p8DI9JT9qfjVODnYPRMUm6KPvq27TsrGruKrqyaV94kWc8co8A
v3zFLeCtghvUiRBdx+8Q7m5t4CkuSr0WINrqjIPFW2QrM1r82y09Fd16RkqL4LOg
Lh6vB5KnTApv62rWdw7zWwYnjY6/vXYY1Aw=
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1001321384 (0x3baef3a8)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Kvalificeret Person
        Validity
            Not Before: Sep 24 08:49:44 2001 GMT
            Not After : Sep 24 07:49:44 2002 GMT
        Subject: C=DK, O=Kommunedata A/S // CVR:19435075, OU=USE/USS, CN=IT Sikkerhedsarkitekt Joern Guldberg // RID:JGU/Email=jgu@kmd.dk, SN=CVR:19435075-JGU
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ba:f8:44:7f:4f:f2:35:93:88:92:54:2e:d6:55:
                    7a:a7:3b:65:a1:e7:b9:ca:f7:a4:4f:0c:5b:7d:12:
                    b7:32:6d:d3:99:3f:0e:8f:06:0c:74:87:30:2b:84:
                    0f:57:8e:d6:e7:e6:f3:15:a8:36:f3:21:ee:48:2a:
                    cc:78:2e:fc:2f:5e:ac:c9:fb:6b:60:d7:c5:47:8f:
                    dc:4f:72:2b:92:c8:eb:cf:4b:64:b3:6c:c3:bf:51:
                    6c:19:be:bf:69:e8:4b:e4:67:f6:eb:66:10:bc:d8:
                    a3:a0:f1:af:4e:55:fa:83:6d:5f:d9:fb:77:2e:01:
                    a2:2f:a5:1e:40:33:f1:02:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.4239.4.1.2
                  User Notice:
                    Explicit Text: Dette kvalificerede certifikat er udstedt efter KMD-CAs Kvalificeret Medarbejderpolitik. Maa ikke anvendes til personretlige dispositioner. Maa ikke anvendes til dispositioner, der indeholder transaktionsbeloeb.
                  CPS: http://www.kmd-ca.dk/cps.htm

            X509v3 Basic Constraints: 
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
        1b:53:ed:7e:99:59:8e:87:55:69:f1:1a:c1:10:8d:29:83:e4:
        94:95:0a:d7:0d:27:d4:83:d2:15:fa:84:10:db:fd:da:bb:0e:
        38:cb:5e:5e:97:e3:15:45:9a:0e:0c:a4:89:ca:83:b4:c0:6d:
        17:b4:4e:c7:39:f9:36:8a:f0:bc:cb:fa:ba:b2:8f:0f:ba:9b:
        35:88:63:8a:a2:cb:04:31:a4:99:da:18:e0:08:7a:45:d1:de:
        ac:30:ce:30:d6:bd:21:dd:28:1a:9b:75:fa:70:ae:13:62:60:
        b5:08:19:ad:02:ad:85:66:e2:df:b1:0e:5b:14:f4:ee:36:af:
        f9:f8:b7:4f:5a:98:2f:83:72:40:a6:24:84:c5:c4:a2:7b:4f:
        72:9a:71:41:e3:44:6d:d2:ef:0c:c7:13:ef:04:37:75:63:1c:
        2e:5f:e9:b9:d8:2f:1a:2c:e0:ae:0c:7e:52:23:3e:52:83:05:
        a2:a7:41:30:a3:29:53:7c:84:c6:03:4f:bd:67:83:c2:f2:1b:
        54:ef:06:0f:93:6f:7e:20:1e:c4:f4:93:60:29:51:63:fb:92:
        fe:e0:77:0a:8f:c1:1d:85:bf:36:da:0d:df:42:aa:32:48:e8:
        ee:10:da:67:38:d2:6d:a7:4a:24:15:7e:cb:97:0a:5d:b6:fc:
        9c:cc:c7:de
-----BEGIN CERTIFICATE-----
MIIEWzCCA0OgAwIBAgIEO67zqDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJE
SzEMMAoGA1UEChMDS01EMQ8wDQYDVQQLEwZLTUQtQ0ExIzAhBgNVBAMTGktNRC1D
QSBLdmFsaWZpY2VyZXQgUGVyc29uMB4XDTAxMDkyNDA4NDk0NFoXDTAyMDkyNDA3
NDk0NFowgbkxCzAJBgNVBAYTAkRLMSgwJgYDVQQKEx9Lb21tdW5lZGF0YSBBL1Mg
Ly8gQ1ZSOjE5NDM1MDc1MRAwDgYDVQQLEwdVU0UvVVNTMTgwNgYDVQQDEy9JVCBT
aWtrZXJoZWRzYXJraXRla3QgSm9lcm4gR3VsZGJlcmcgLy8gUklEOkpHVTEZMBcG
CSqGSIb3DQEJARYKamd1QGttZC5kazEZMBcGA1UEBRMQQ1ZSOjE5NDM1MDc1LUpH
VTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuvhEf0/yNZOIklQu1lV6pztl
oee5yvekTwxbfRK3Mm3TmT8OjwYMdIcwK4QPV47W5+bzFag28yHuSCrMeC78L16s
yftrYNfFR4/cT3Irksjrz0tks2zDv1FsGb6/aehL5Gf262YQvNijoPGvTlX6g21f
2ft3LgGiL6UeQDPxAkECAwEAAaOCAVQwggFQMA4GA1UdDwEB/wQEAwID+DCCATEG
A1UdIASCASgwggEkMIIBIAYKKwYBBAGhDwQBAjCCARAwgeMGCCsGAQUFBwICMIHW
GoHTRGV0dGUga3ZhbGlmaWNlcmVkZSBjZXJ0aWZpa2F0IGVyIHVkc3RlZHQgZWZ0
ZXIgS01ELUNBcyBLdmFsaWZpY2VyZXQgTWVkYXJiZWpkZXJwb2xpdGlrLiBNYWEg
aWtrZSBhbnZlbmRlcyB0aWwgcGVyc29ucmV0bGlnZSBkaXNwb3NpdGlvbmVyLiBN
YWEgaWtrZSBhbnZlbmRlcyB0aWwgZGlzcG9zaXRpb25lciwgZGVyIGluZGVob2xk
ZXIgdHJhbnNha3Rpb25zYmVsb2ViLjAoBggrBgEFBQcCARYcaHR0cDovL3d3dy5r
bWQtY2EuZGsvY3BzLmh0bTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQAb
U+1+mVmOh1Vp8RrBEI0pg+SUlQrXDSfUg9IV+oQQ2/3auw44y15el+MVRZoODKSJ
yoO0wG0XtE7HOfk2ivC8y/q6so8Pups1iGOKossEMaSZ2hjgCHpF0d6sMM4w1r0h
3Sgam3X6cK4TYmC1CBmtAq2FZuLfsQ5bFPTuNq/5+LdPWpgvg3JApiSExcSie09y
mnFB40Rt0u8MxxPvBDd1YxwuX+m52C8aLOCuDH5SIz5SgwWip0EwoylTfITGA0+9
Z4PC8htU7wYPk29+IB7E9JNgKVFj+5L+4HcKj8Edhb822g3fQqoySOjuENpnONJt
p0okFX7LlwpdtvyczMfe
-----END CERTIFICATE-----


]


-- 
stud. scient. Arne Jørgensen
Kollegium 5, 2., v. 222, Universitetsparken, 8000 Århus C
tlf: 89 42 72 22, mobil: 21 65 01 13
e-post: arne@daimi.au.dk, http://www.daimi.au.dk/~arne/

Re: Problem with smime-CA-directory

[Simon Josefsson]

On Thu, 4 Apr 2002, Arne Jørgensen wrote:

> I have named the root certificate as explained in smime.el (the
> certificate gets the name b415d336).

I think the name should be b415d336.0.

The normal approach I use is to strace OpenSSL when it verifies a message
and then put the CA cert in the file it tries to open.

Re: Problem with smime-CA-directory

[Arne Jørgensen]

Simon Josefsson <jas@extundo.com> writes:

> On Thu, 4 Apr 2002, Arne Jørgensen wrote:
>
>> I have named the root certificate as explained in smime.el (the
>> certificate gets the name b415d336).
>
> I think the name should be b415d336.0.
>
> The normal approach I use is to strace OpenSSL when it verifies a message
> and then put the CA cert in the file it tries to open.

It worked. Maybe this should be documented or explained somewhere?

Thanks.

        /arne
-- 
stud. scient. Arne Jørgensen
Kollegium 5, 2., v. 222, Universitetsparken, 8000 Århus C
tlf: 89 42 72 22, mobil: 21 65 01 13
e-post: arne@daimi.au.dk, http://www.daimi.au.dk/~arne/

Re: Problem with smime-CA-directory

[Simon Josefsson]

On Thu, 4 Apr 2002, Arne Jørgensen wrote:

> Simon Josefsson <jas@extundo.com> writes:
> 
> > On Thu, 4 Apr 2002, Arne Jørgensen wrote:
> >
> >> I have named the root certificate as explained in smime.el (the
> >> certificate gets the name b415d336).
> >
> > I think the name should be b415d336.0.
> >
> > The normal approach I use is to strace OpenSSL when it verifies a message
> > and then put the CA cert in the file it tries to open.
> 
> It worked. Maybe this should be documented or explained somewhere?

Yes.  The OpenSSL manual should include it, but I guess we could add it to 
the S/MIME step-by-step stuff in the Message manual as well.  Ideally we 
should use the Aegypten S/MIME stuff instead, once it matures.

Re: Problem with smime-CA-directory

[Arne Jørgensen]

Simon Josefsson <jas@extundo.com> writes:

> On Thu, 4 Apr 2002, Arne Jørgensen wrote:
>
>> Simon Josefsson <jas@extundo.com> writes:
>> 
>> > On Thu, 4 Apr 2002, Arne Jørgensen wrote:
>> >
>> >> I have named the root certificate as explained in smime.el (the
>> >> certificate gets the name b415d336).
>> >
>> > I think the name should be b415d336.0.
>> >
>> > The normal approach I use is to strace OpenSSL when it verifies a message
>> > and then put the CA cert in the file it tries to open.
>> 
>> It worked. Maybe this should be documented or explained somewhere?
>
> Yes.  The OpenSSL manual should include it,

Yes. I was just reading through the openssl man pages. It actually
sounds like a bug in openssl? Or is it just an unexplained "feature".

> but I guess we could add it to the S/MIME step-by-step stuff in the
> Message manual as well.

Good idea. I think the manual misses more about how to get S/MIME up
and running in the first place. I've been looking through both the
Gnus and Message manuals and smime.el to learn what I know today.

What I'm preparing at the moment is a chapter for a danish tutorial on
how to get Gnus working with the danish CA Kommunedata. Maybe I could
easily turn this into a more general description for the manual or a
howto -- althogh my spare time is limited.

> Ideally we should use the Aegypten S/MIME stuff instead, once it
> matures.

Never heard of it. Maybe I'll take a look at it some other day.


      /arne
-- 
stud. scient. Arne Jørgensen
Kollegium 5, 2. v. 222, Universitetsparken, DK-8000 Aarhus C, Denmark
phone: +45 89 42 72 22, mobile: +45 21 65 01 13
email: arne@daimi.au.dk, http://www.daimi.au.dk/~arne/

Re: Problem with smime-CA-directory

[David S. Goldberg]

One thing I found strange in my environment at work is that following
the instructions in smime.el for creating the link (openssl verify
-noout -hash -in <file>) creates a hash that works great for verifying
a certificate file, but when verifying messages, openssl is trying to
find another hash, the generation of which I cannot figure out.  I
managed to figure it out by trussing an openssl verify session.  So
end up with two links to my company's root CA file, one for verifying
email messages, the other for verifying cert files.  Why verify cert
files?  I've added some stuff to EUDC for grabbing certs from our LDAP
server and verify them before saving (well, saving for future use :-)
since the server occasionally has a not yet valid cert on it as well
as a current cert for some users whose certs are close to expiration
and I want to make sure I grab the right one.  I haven't managed to
integrate this with gnus yet but I'm working on it.
-- 
Dave Goldberg
david.goldberg6@verizon.net

Re: Problem with smime-CA-directory

[Simon Josefsson]

On Thursday 04 April 2002 17:53, Arne Jørgensen wrote:

> > Yes.  The OpenSSL manual should include it,
>
> Yes. I was just reading through the openssl man pages. It actually
> sounds like a bug in openssl? Or is it just an unexplained "feature".

Probably, OpenSSL documentation is not perfect.

> > but I guess we could add it to the S/MIME step-by-step stuff in the
> > Message manual as well.
>
> Good idea. I think the manual misses more about how to get S/MIME up
> and running in the first place. I've been looking through both the
> Gnus and Message manuals and smime.el to learn what I know today.
>
> What I'm preparing at the moment is a chapter for a danish tutorial on
> how to get Gnus working with the danish CA Kommunedata. Maybe I could
> easily turn this into a more general description for the manual or a
> howto -- althogh my spare time is limited.

Feel free to rewrite the current section completely, currently the 
documentation is scattered throughout the MML, Message and Gnus manual.

> > Ideally we should use the Aegypten S/MIME stuff instead, once it
> > matures.
>
> Never heard of it. Maybe I'll take a look at it some other day.

There isn't a elisp interface to it, yet, but it looks like it could provide a 
GNU S/MIME library. The OpenSSL license isn't very good.