
S/MIME for non-email


S/MIME for non-email

Dennis Sosnoski
Hi all,

I'm working on implementing S/MIME support for signed XML message exchanges using BC, initially just verifying the signatures on some captured data. Here's the start of the data I'm trying to verify:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1";
 boundary="_D23272F1-8B2F-4C02-99C4-254E38041AA8_"
--_D23272F1-8B2F-4C02-99C4-254E38041AA8_
Content-Type: multipart/related; start=1ca9aec96b6844b68c18ee2dbb12c518;
    type="application/xml"; boundary="_CA43163A-0A83-4085-89C4-03AEDE40A753_"
--_CA43163A-0A83-4085-89C4-03AEDE40A753_
MIME-Version: 1.0
Content-Type: application/xml; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

OpenSSL has no problem with this, and confirms the signature is valid when I run:

openssl smime -verify -in signed.txt -out signedout.txt -CAfile signer.pem

BC gives an error:

The signer certificate is not usable for email signatures: it contains no email address.

Inside SignedMailValidator.validateSignatures() the signer.verify() call returns validSignature = true, so I know the basic verification is working okay and I can always just copy the code and modify to skip the email check, but I'm wondering if there's a better way around this.

Thanks,

  - Dennis


Re: S/MIME for non-email

Lothar Kimmeringer-4
Hi,

On 01.12.2016 at 23:04, Dennis Sosnoski wrote:

> I'm working on implementing S/MIME support for signed XML message exchanges using BC,
>  initially just verifying the signatures on some captured data.
>
> BC gives an error:
>
>     The signer certificate is not usable for email signatures: it contains no email address.
>
>
> Inside SignedMailValidator.validateSignatures() the signer.verify() call returns
>  validSignature = true, so I know the basic verification is working okay and I
>  can always just copy the code and modify to skip the email check, but I'm
>  wondering if there's a better way around this.

Maybe there is some setting in SignedMailValidator allowing you to control
the checks being done on the certificate. I don't know that class, so that's
something somebody else might show you. If that doesn't happen, you can still put
the MimeBodyPart into an instance of SMIMESigned and use that to do the
certificate verification yourself.

I'm using BC for AS2 and OFTP2 (OFTP2 uses CMS and not S/MIME so the
implementation differs a bit there) and use SMIMESigned successfully here.


Cheers, Lothar
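The approach Lothar describes, as an added example that is not code from this thread, from BouncyCastle's own samples, or from Dennis's project: hand the multipart/signed body to SMIMESigned, verify the signature with the signer certificate carried in the message, and then do the trust and identity checks yourself instead of relying on SignedMailValidator's email-address rule. It assumes the file names from Dennis's openssl command (signed.txt for the captured message, signer.pem for the CA that issued the signer certificate, or the self-signed signer certificate itself), assumes no CRL/OCSP is reachable, and uses an invented expected subject DN (EXPECTED_SIGNER_DN) in place of the email-address binding; the class name VerifyNonEmailSmime is also invented.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Properties;

import javax.mail.Session;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;
import javax.security.auth.x500.X500Principal;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.SMIMESigned;
import org.bouncycastle.util.Store;

/**
 * Added example, not from the thread: verify a multipart/signed S/MIME
 * message with SMIMESigned and do the certificate checks explicitly.
 * Assumptions: signed.txt is the captured message, signer.pem is the
 * trust anchor given to openssl -CAfile, EXPECTED_SIGNER_DN is invented.
 */
public class VerifyNonEmailSmime {

    // Hypothetical: the subject DN the application expects to sign XML messages.
    // For a non-email exchange this replaces the "From header matches cert email" rule.
    private static final X500Principal EXPECTED_SIGNER_DN =
            new X500Principal("CN=xml-message-signer, O=Example");

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // 1. Parse the captured message with JavaMail; the outer part is
        //    multipart/signed, which is what SMIMESigned expects here.
        Session session = Session.getDefaultInstance(new Properties());
        MimeMessage message;
        try (InputStream in = new FileInputStream("signed.txt")) {
            message = new MimeMessage(session, in);
        }
        SMIMESigned signed = new SMIMESigned((MimeMultipart) message.getContent());

        // 2. Load the trust anchor (the CA, or the self-signed signer cert).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate caCert;
        try (InputStream in = new FileInputStream("signer.pem")) {
            caCert = (X509Certificate) cf.generateCertificate(in);
        }

        Store<X509CertificateHolder> certs = signed.getCertificates();
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider("BC");

        for (SignerInformation signer : signed.getSignerInfos().getSigners()) {
            // 3. Locate the signer's certificate by issuer/serial or subject key id.
            Collection<X509CertificateHolder> matches = certs.getMatches(signer.getSID());
            if (matches.isEmpty()) {
                throw new SecurityException("no certificate for signer " + signer.getSID());
            }
            X509CertificateHolder holder = matches.iterator().next();

            // 4. Cryptographic check only: signature over the content and signed
            //    attributes. This is the step that already returns true for Dennis;
            //    it says nothing about whether the certificate should be trusted.
            boolean sigOk = signer.verify(
                    new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(holder));
            if (!sigOk) {
                throw new SecurityException("bad signature from " + holder.getSubject());
            }

            // 5. Trust check: PKIX path from the signer certificate to the anchor.
            X509Certificate signerCert = converter.getCertificate(holder);
            CertPath path = cf.generateCertPath(Collections.singletonList(signerCert));
            PKIXParameters params = new PKIXParameters(
                    Collections.singleton(new TrustAnchor(caCert, null)));
            params.setRevocationEnabled(false); // assumption: verifying captured data offline
            CertPathValidator.getInstance("PKIX").validate(path, params);

            // 6. Identity binding: pin the expected subject instead of an email address.
            if (!signerCert.getSubjectX500Principal().equals(EXPECTED_SIGNER_DN)) {
                throw new SecurityException("unexpected signer " + signerCert.getSubjectX500Principal());
            }
            System.out.println("verified signer: " + signerCert.getSubjectX500Principal()
                    + " (digest OID " + signer.getDigestAlgOID() + ")");
        }

        // 7. The signed payload, still wrapped in the multipart/related part.
        System.out.println("signed content type: " + signed.getContent().getContentType());
    }
}
```

Two caveats worth keeping in mind when skipping SignedMailValidator: signer.verify() alone proves only that someone holding the private key for the embedded certificate signed these bytes, so steps 5 and 6 (chain to a trust anchor, and a binding to the identity the application expects) are what the email-address check was standing in for, not optional extras. The captured message also advertises micalg="sha1"; signer.verify() will accept a SHA-1 digest, so a deployment should compare signer.getDigestAlgOID() against an allow-list of current digests rather than accept whatever the sender chose.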
