Solved

Multipart Mime Message with Digital Signing problem

Posted on 2003-02-25
776 Views
Last Modified: 2010-03-05
Hi,

I am manually constructing a Mime email message using Python. I am
attempting to clearsign the message, but I have no idea which part of
the message to use to create the digital signature.

I have created the certificate and private key using openssl. The
message structure is something like this:

------------------start code---------------------
Content-Type: multipart/signed;
    boundary="----=_NextPart_000_0158_01C172B1.77748F70";
    micalg="SHA1";
    protocol="application/x-pkcs7-signature"
From: "tester" <testfrom@test.com>
To: "tester" <testto@test.com>
Subject: Test 1
MIME-Version: 1.0

------=_NextPart_000_0158_01C172B1.77748F70
Content-Type: multipart/mixed;
    boundary="----=_NextPart_001_0159_01C172B1.77748F70"

------=_NextPart_001_0159_01C172B1.77748F70
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

this is a test

------=_NextPart_001_0159_01C172B1.77748F70
Content-Type: text/plain;
        name="TestAttach.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
        filename="TestAttach.txt"

Attachment 1
------=_NextPart_001_0159_01C172B1.77748F70--

------=_NextPart_000_0158_01C172B1.77748F70
Content-Type: application/x-pkcs7-signature;
        name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="smime.p7s"
------=_NextPart_000_0158_01C172B1.77748F70--

------------------end code---------------------

I am (according to other examples) using the actual message text
('this is a test') to create the signature with.  The result of this
when opened is that the certificate is readable, but says that the
message content has been altered. Obviously I am not using the correct
part of the message to create the signature with.

Can someone please tell me which part of the message I should be using
to create the signature with.

Thanks for any help
Neil
Question by:vast
7 Comments
 
LVL 2

Expert Comment

by:Jason_Deckard
ID: 8016043
Neil,

The signature in a multipart/signed is an encrypted digest of the first body, including its MIME headers.  If you're only creating a digest of the message text "this is a test", you're missing the headers (which is why your email client balks).

RFC 1847 has the details on creating multipart/signed messages.  The best part is it's quick reading (only eleven pages long, not bad for an RFC).  RFC 1847 can be found here: ftp://ftp.rfc-editor.org/in-notes/rfc1847.txt

Best of luck,
Jason Deckard
0
 

Author Comment

by:vast
ID: 8016576
I'm not sure I'm interpreting the RFC correctly.

Should I be converting the separate nodes (the plain text part and the attachment part) to base64 and then use everything from (and including):
'Content-Type: multipart/signed;' to:
'------=_NextPart_001_0159_01C172B1.77748F70--'
to create the encrypted digest?

I have tried this but it has exactly the same result.
0
 
LVL 2

Accepted Solution

by:Jason_Deckard (earned 2000 total points)
ID: 8018076
Neil,

RFC 1847 is not the only document you need, and I apologize for not pointing that out earlier.  RFC 1847 describes the basic framework for generating multipart/signed messages, but does not go into detail on how the message should actually be signed.  The S/MIME RFC does that.

RFC 2633, S/MIME Version 3 Message Specification, is at ftp://ftp.rfc-editor.org/in-notes/rfc2633.txt

To answer your question, base64 encoding is required if you are not using 7-bit encoding.  If base64 is required, it should be done prior to signing.  Page 4 of RFC 1847 begins to list the steps that must be taken to create the multipart/signed body part, and step 1 describes when base64 must be used.

This example is from RFC 2633:

  Content-Type: multipart/signed;
  protocol="application/pkcs7-signature";
  micalg=sha1; boundary=boundary42

  --boundary42
  Content-Type: text/plain

  This is a clear-signed message.

  --boundary42
  Content-Type: application/pkcs7-signature; name=smime.p7s
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename=smime.p7s

  ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
  4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
  n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
  7GhIGfHfYT64VQbnj756

  --boundary42--

What's being signed is the Content-Type header, the blank line, and the text "This is a clear-signed message."

I hope this helps,
Jason Deckard
0
 
LVL 2

Expert Comment

by:Jason_Deckard
ID: 8018414
I missed your second question.  The answer is no, you should not be including the boundary in your digest.
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9954224
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:
http://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor
0
