Reading encrypted+signed S/MIME messages

Reading encrypted+signed S/MIME messages

[Milan Zamazal]

When I send an S/MIME message encrypted and signed in Gnus with the `C-c
C-m c s' command, the same Gnus version (current CVS Emacs) can't read
it.  It first asks whether to decrypt the message and after the `y'
answer it reports: Could not identify PKCS#7 type.  openssl decrypts and
verifies the received message fine.

I can see the beginning of the message doesn't match the contents of
mm-pkcs7-signed-magic nor mm-pkcs7-enveloped-magic.  FWIW, here is the
beginning of the message, base64 encoded:

  MIIKQwYJKoZIhvcNAQcDoIIKNDCCCjACAQAxggEAMIH9AgEAMIGmMIGYMQswCQYD

How is it possible that Gnus can't read its own messages?

Thanks for any clue.

Milan Zamazal

-- 
http://www.zamazal.org

Re: Reading encrypted+signed S/MIME messages

[Arne Jørgensen]

Milan Zamazal <pdm@brailcom.org> writes:

> When I send an S/MIME message encrypted and signed in Gnus with the `C-c
> C-m c s' command, the same Gnus version (current CVS Emacs) can't read
> it.  It first asks whether to decrypt the message and after the `y'
> answer it reports: Could not identify PKCS#7 type.  openssl decrypts and
> verifies the received message fine.
>
> I can see the beginning of the message doesn't match the contents of
> mm-pkcs7-signed-magic nor mm-pkcs7-enveloped-magic.  FWIW, here is the
> beginning of the message, base64 encoded:
>
>   MIIKQwYJKoZIhvcNAQcDoIIKNDCCCjACAQAxggEAMIH9AgEAMIGmMIGYMQswCQYD
>
> How is it possible that Gnus can't read its own messages?
>
> Thanks for any clue.
>
> Milan Zamazal

What version of openssl do you have

I know there have been problems with some versions of openssl's smime
handling. I think it was in 0.9.7d , but I don't know whether it was
the above mentioned problem.

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>

Re: Reading encrypted+signed S/MIME messages

[Milan Zamazal]

>>>>> "AJ" == Arne Jørgensen <arne@arnested.dk> writes:

    AJ> Milan Zamazal <pdm@brailcom.org> writes:
    >> When I send an S/MIME message encrypted and signed in Gnus with
    >> the `C-c C-m c s' command, the same Gnus version (current CVS
    >> Emacs) can't read it.  It first asks whether to decrypt the
    >> message and after the `y' answer it reports: Could not identify
    >> PKCS#7 type.  openssl decrypts and verifies the received message
    >> fine.

[...]

    AJ> What version of openssl do you have

0.9.7e-3 (Debian testing/unstable).

Regards,

Milan Zamazal

-- 
Life.  Don't talk to me about life.              -- Marvin the Paranoid Android

Re: Reading encrypted+signed S/MIME messages

[David S. Goldberg]

I had the same problem with 0.9.7e (cygwin).  It works for me now with 0.9.7f.
-- 
Dave Goldberg
david.goldberg6@verizon.net

Re: Reading encrypted+signed S/MIME messages

[Arne Jørgensen]

Milan Zamazal <pdm@brailcom.org> writes:

>>>>>> "AJ" == Arne Jørgensen <arne@arnested.dk> writes:
>
>     AJ> Milan Zamazal <pdm@brailcom.org> writes:
>     >> When I send an S/MIME message encrypted and signed in Gnus with
>     >> the `C-c C-m c s' command, the same Gnus version (current CVS
>     >> Emacs) can't read it.  It first asks whether to decrypt the
>     >> message and after the `y' answer it reports: Could not identify
>     >> PKCS#7 type.  openssl decrypts and verifies the received message
>     >> fine.
>
> [...]
>
>     AJ> What version of openssl do you have
>
> 0.9.7e-3 (Debian testing/unstable).

Exact same version here and I have no problems.

Are you using the Gnus that comes with CVS Emacs? And have you tried
with CVS Gnus?

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>

Re: Reading encrypted+signed S/MIME messages

[David S. Goldberg]

>>>>> On Thu, 07 Apr 2005 09:50:17 -0400, david.goldberg6@verizon.net
>>>>> (David S. Goldberg) said:

> I had the same problem with 0.9.7e (cygwin).  It works for me now
> with 0.9.7f.

I take it back.  It worked in some limited testing for me with 0.9.7f
but when using it to either cc myself or gcc on an email with more
than one recipient, it still failed.  Same issue too: can't determine
the pkcs7 type, presumably due to the magic number issue, but running
openssl on the command line properly decrypts and verifies it.
Therefore I still find myself requiring the multipart hack I posted
here and on the ding list a month or so ago.

-- 
Dave Goldberg
david.goldberg6@verizon.net

Re: Reading encrypted+signed S/MIME messages

[Milan Zamazal]

>>>>> "AJ" == Arne Jørgensen <arne@arnested.dk> writes:

    AJ> Exact same version here and I have no problems.

Thanks for encouragement.  Since we have the same software, something is
probably wrong with the certificates.  It seems to me that the problem
appears when I use a self-signed certificate as keyfile.  Certificate
signed by a CA certificate seems to work fine.

    AJ> Are you using the Gnus that comes with CVS Emacs? And have you
    AJ> tried with CVS Gnus?

Yes and yes.

Regards,

Milan Zamazal

-- 
All programmers are optimists.  Perhaps this modern sorcery especially attracts
those who believe in happy endings and fairy godmothers.  Perhaps the hundreds
of nitty frustrations drive away all but those who habitually focus on the end
goal.                     -- Frederick P. Brooks, Jr. in The Mythical Man-Month

Re: Reading encrypted+signed S/MIME messages

[Milan Zamazal]

>>>>> "DSG" == David S Goldberg <david.goldberg6@verizon.net> writes:

    DSG> It worked in some limited testing for me with
    DSG> 0.9.7f but when using it to either cc myself or gcc on an email
    DSG> with more than one recipient, it still failed.  

AFAICT, both the OpenSSL versions produce the same results on my
machine.  It's more likely to have something to do with particular
certificates.

Regards,

Milan Zamazal

-- 
Omigod, it's a flame war about a flame war.  You know, a meta-flame war!
                                                 Kenny Tilton in comp.lang.lisp

Re: Reading encrypted+signed S/MIME messages

[Arne Jørgensen]

Milan Zamazal <pdm@brailcom.org> writes:

> It seems to me that the problem appears when I use a self-signed
> certificate as keyfile. Certificate signed by a CA certificate seems
> to work fine.

Indeed.

I just created a self-signed certificate and tested.

Gnus fails to decrypt the self-signed certificate whereas it works
fine with my CA-signed.

And as David metioned it seems to be that the mm-pkcs7-enveloped-magic
is different from that of a message encrypted with a self-signed
certificate.

So. Why is the magic diffrent? And where are thos magics documented?

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>