Multipart Mime Message with Digital Signing problem

Hi,

I am manually constructing a Mime email message using Python. I am
attempting to clearsign the message, but I have no idea which part of
the message to use to create the digital signature.

I have created the certificate and private key using openssl. The
message structure is something like this:

------------------start code---------------------
Content-Type: multipart/signed;
    boundary="----=_NextPart_000_0158_01C172B1.77748F70";
    micalg="SHA1";
    protocol="application/x-pkcs7-signature"
From: "tester" <testfrom@test.com>
To: "tester" <testto@test.com>
Subject: Test 1
MIME-Version: 1.0

------=_NextPart_000_0158_01C172B1.77748F70
Content-Type: multipart/mixed;
    boundary="----=_NextPart_001_0159_01C172B1.77748F70"

------=_NextPart_001_0159_01C172B1.77748F70
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

this is a test

------=_NextPart_001_0159_01C172B1.77748F70
Content-Type: text/plain;
        name="TestAttach.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
        filename="TestAttach.txt"

Attachment 1
------=_NextPart_001_0159_01C172B1.77748F70--

------=_NextPart_000_0158_01C172B1.77748F70
Content-Type: application/x-pkcs7-signature;
        name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="smime.p7s"

[base64-encoded smime.p7s signature omitted]
------=_NextPart_000_0158_01C172B1.77748F70--

------------------end code---------------------

I am (according to other examples) using the actual message text
('this is a test') to create the signature with.  The result of this
when opened is that the certificate is readable, but says that the
message content has been altered. Obviously I am not using the correct
part of the message to create the signature with.

Can someone please tell me which part of the message I should be using
to create the signature with.

Thanks for any help
Neil
Jason_DeckardCommented:
Neil,

The signature in a multipart/signed is an encrypted digest of the first body, including its MIME headers.  If you're only creating a digest of the message text "this is a test", you're missing the headers (which is why your email client balks).

RFC 1847 has the details on creating multipart/signed messages.  The best part is it's quick reading (only eleven pages long, not bad for an RFC).  RFC 1847 can be found here: ftp://ftp.rfc-editor.org/in-notes/rfc1847.txt

Best of luck,
Jason Deckard
vastAuthor Commented:
I'm not sure I'm interpreting the RFC correctly.

Should I be converting the separate nodes (the plain text part and the attachment part) to base64 and then use everything from (and including):
'Content-Type: multipart/signed;' to:
'------=_NextPart_001_0159_01C172B1.77748F70--'
to create the encrypted digest?

I have tried this but it has exactly the same result.
Jason_DeckardCommented:
Neil,

RFC 1847 is not the only document you need, and I apologize for not pointing that out earlier.  RFC 1847 describes the basic framework for generating multipart/signed messages, but does not go into detail on how the message should actually be signed.  The S/MIME RFC does that.

RFC 2633, S/MIME Version 3 Message Specification, is at ftp://ftp.rfc-editor.org/in-notes/rfc2633.txt

To answer your question, base64 encoding is required if you are not using 7-bit encoding.  If base64 is required, it should be done prior to signing.  Page 4 of RFC 1847 begins to list the steps that must be taken to create the multipart/signed body part, and step 1 describes when base64 must be used.

This example is from RFC 2633:

  Content-Type: multipart/signed;
  protocol="application/pkcs7-signature";
  micalg=sha1; boundary=boundary42

  --boundary42
  Content-Type: text/plain

  This is a clear-signed message.

  --boundary42
  Content-Type: application/pkcs7-signature; name=smime.p7s
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename=smime.p7s

  ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
  4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
  n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
  7GhIGfHfYT64VQbnj756

  --boundary42--

What's being signed is the Content-Type header, the blank line, and the text "This is a clear-signed message."

I hope this helps,
Jason Deckard
Jason_DeckardCommented:
I missed your second question.  The answer is no, you should not be including the boundary in your digest.
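Jason's answer put into code, as an added example that is not part of this thread: it parses a constructed multipart/signed message shaped like Neil's (sample and boundary names are made up), extracts the exact octets the detached signature must cover (the entire first body part with its own headers, blank line and inner boundary, outer boundary excluded, CRLF line endings) and hashes them with the algorithm named by micalg. Producing the PKCS#7 blob for smime.p7s from that digest is left to openssl or a library and is not shown.

```python
import hashlib
from email import policy
from email.parser import BytesParser
# Constructed sample shaped like the asker's message, LF line endings on purpose:
# canonicalisation must turn them into CRLF before anything is hashed.
RAW = b"""Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="outer42"

--outer42
Content-Type: multipart/mixed; boundary="inner42"

--inner42
Content-Type: text/plain; charset="iso-8859-1"

this is a test
--inner42
Content-Type: text/plain; name="TestAttach.txt"
Content-Disposition: attachment; filename="TestAttach.txt"

Attachment 1
--inner42--
--outer42
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--outer42--
"""

def signed_body_part_bytes(raw_message: bytes) -> bytes:
    # RFC 1847: the signature covers the whole first body part (its own headers,
    # the blank line, content and inner boundaries), never the outer boundary.
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    parts = msg.get_payload()
    if len(parts) != 2:
        raise ValueError("multipart/signed needs exactly two body parts")
    canonical = parts[0].as_bytes(policy=policy.SMTP)  # SMTP policy => CRLF
    # The CRLF preceding the outer boundary belongs to the boundary (RFC 2046).
    return canonical[:-2] if canonical.endswith(b"\r\n") else canonical

def micalg_digest(raw_message: bytes) -> str:
    # Digest with the algorithm announced in the outer micalg parameter; the
    # detached smime.p7s signature is computed over exactly these octets.
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    algo = str(msg.get_param("micalg", "sha1")).lower().replace("-", "")
    return hashlib.new(algo, signed_body_part_bytes(raw_message)).hexdigest()

def text_only_digest() -> str:
    # What the asker hashed: the visible text alone, with no headers.
    return hashlib.sha1(b"this is a test").hexdigest()
```

Feeding `signed_body_part_bytes(RAW)` to `openssl smime -sign` (or any PKCS#7 library) as the content yields a detached signature that verifies, whereas the digest from `text_only_digest()` covers neither the headers nor the attachment, which is why the client reports the content as altered.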
zenlion420Commented:
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:
http://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor