[openssl.org #828] [PATCH] "openssl smime -verify" on binary files

Robert Reitenbach via RT

Feb 16, 2004, 9:52:09 AM

Hello OpenSSL dev team,

Attached you'll find a patch that allows files created by the
following command to be verified correctly:

openssl smime -sign -binary ...

The other change concerns signatures that are not encrypted as base64 but
are attached as binary.

Following changes have been made:

apps/smime.c
    Calling SMIME_read_PKCS7 with the additional argument that holds
    the option flags.

crypto/pkcs7/pk7_mime.c
    Function SMIME_read_PKCS7 needs an additional argument flags,
    that should hold the options given to the smime command.
    Calls multi_split_binary when the option -binary was used.
    Reads the signature as is, when the mime parameter
    Content-Transfer-Encoding is not set to base64.

    Added a function starts_with_linebreak, find_boundary_start and
    multi_split_binary

crypto/pkcs7/pkcs7.h and
include/openssl/pkcs7.h
    Changed declaration of the function SMIME_read_PKCS7.

It will split an S/MIME envelope into parts, like the old function did,
with the only difference being that the resulting parts are not in
canonical form and can also be binary files.

I ran tests on different files, from a few bytes up to 14 MB, and it
seems that the verification of binary contents works faster than the
verification of canonical contents.

Could you please add this change or a similar one that would allow the
verification of signed binary files, as this seems to be used quite often
by other S/MIME implementations (even if we know that it is not
correct).

Thanks in advance.

Keep up your great work.

Best Regards

Robert Reitenbach

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org

Stephen Henson via RT

Feb 16, 2004, 12:22:32 PM

[rei...@gmx.net - Mon Feb 16 15:17:43 2004]:

This couldn't be added to OpenSSL 0.9.7X because it would break binary
compatibility (the extra function argument); it could be added to 0.9.8
though.

I *think* the way to handle this is to perform the canonical conversion
based on the MIME headers. OpenSSL currently always does the EOL=CR+LF
conversion which is OK for text/* but other types may have different
conversion or indeed none at all.

Where it gets tricky is if the signed data is multipart/mixed and
contains a mixture of text and binary message parts. I don't know what
other implementations do though.

These kinds of complications are why I've given the advice in the past
that any kind of complex MIME type should be handled with an external
MIME parser. At the time the S/MIME code was written I couldn't find any
usable cross platform (or any platform) MIME parser that didn't break
multipart/signed signatures so I added a primitive one.

Steve.
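
The mismatch discussed in this thread, as an added example that is not part of the original messages or of OpenSSL's code: a verifier that always applies the EOL=CR+LF conversion computes a different digest for binary content signed as-is, while a conversion chosen from the MIME type does not. SHA-256 stands in for the signed message digest, the CR+LF rule is a simplified model, and all function names and sample bytes are constructed for illustration.

```python
import hashlib
import re


def canon_crlf(data: bytes) -> bytes:
    """Simplified text canonicalization: every bare LF becomes CR+LF."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", data)


def canonicalize(content_type: str, data: bytes) -> bytes:
    """Header-driven choice: only text/* gets the EOL conversion."""
    major = content_type.split("/", 1)[0].strip().lower()
    return canon_crlf(data) if major == "text" else data


def digest(data: bytes) -> str:
    # Stand-in for the message digest that the signature covers.
    return hashlib.sha256(data).hexdigest()


def digest_matches(signed_digest: str, content_type: str,
                   received: bytes, header_driven: bool) -> bool:
    """Recompute the digest the way the verifier would and compare."""
    if header_driven:
        seen = canonicalize(content_type, received)
    else:
        seen = canon_crlf(received)  # always convert, whatever the type
    return digest(seen) == signed_digest


# Constructed samples: the binary payload contains 0x0A bytes that are
# data, not line endings; the text payload arrived with bare LF endings.
BINARY = bytes([0x89, 0x50, 0x0A, 0x00, 0x0D, 0x0A, 0xFF, 0x0A])
TEXT = b"line one\nline two\n"


def demo() -> dict:
    signed_bin = digest(BINARY)            # signer digested raw bytes
    signed_txt = digest(canon_crlf(TEXT))  # signer digested canonical text
    octet = "application/octet-stream"
    return {
        "binary_always_crlf": digest_matches(signed_bin, octet, BINARY, False),
        "binary_header_driven": digest_matches(signed_bin, octet, BINARY, True),
        "text_always_crlf": digest_matches(signed_txt, "text/plain", TEXT, False),
        "text_header_driven": digest_matches(signed_txt, "text/plain", TEXT, True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'digest matches' if ok else 'digest MISMATCH'}")
```

The sketch treats one body part only; a multipart/mixed body with both text and binary parts would need the choice made per part, which is the complication raised in the reply above.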
