Verify the integrity of a s/mime message


Verify the integrity of a s/mime message

Simon Hain
I have an issue where my bouncycastle code verifies an email signature that Outlook and another library see as incorrect (mismatching hash value).

My code (on java/Android):

import java.security.Provider;
import java.util.Collection;
import java.util.Iterator;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.SMIMESignedParser;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.util.Store;

// Returns true when the first signer's signature verifies against the first certificate matching its signer id.
boolean verifyFirstSigner(MimeMessage mimeMessage) throws Exception {
    MimeMultipart mimeMultipart = (MimeMultipart) mimeMessage.getContent();
    SMIMESignedParser smimeSignedParser = new SMIMESignedParser(new BcDigestCalculatorProvider(), mimeMultipart);
    Provider bcprovider = new BouncyCastleProvider();
    Collection<SignerInformation> signerInformations = smimeSignedParser.getSignerInfos().getSigners();
    Store<X509CertificateHolder> certs = smimeSignedParser.getCertificates();
    Iterator<SignerInformation> signerIterator = signerInformations.iterator();
    boolean verified = false;
    if (signerIterator.hasNext()) {
        SignerInformation signer = signerIterator.next();
        Collection<X509CertificateHolder> signerCert = certs.getMatches(signer.getSID());
        Iterator<X509CertificateHolder> signerCertIt = signerCert.iterator();
        if (!signerCert.isEmpty()) {
            // check and verify against the first certificate that matches the signer id
            X509CertificateHolder x509CertificateHolder = signerCertIt.next();
            verified = signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(bcprovider).build(x509CertificateHolder));
        }
    }
    return verified;
}

What step am I missing to verify the integrity of the message?

Cheers,
Simon

Re: Verify the integrity of a s/mime message

martijn.list
On 21-02-18 11:47, Simon Hain wrote:

> I have an issue where my bouncycastle code verifies an email signature that Outlook and another library see as incorrect (mismatching hash value).

Are you 100% certain that the signature of the message is invalid? It
could well be that the message is signed with an algorithm not supported
by Outlook. For example RSASSA-PSS.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
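An added example (not code from the thread, from CipherMail or from BouncyCastle's own sources) that extends the verification loop above to cover every signer, not just the first, and to print each signer's digest and signature algorithm OIDs so that a scheme another client rejects, such as the RSASSA-PSS case Martijn mentions, or a SHA-1 digest, is visible alongside the verify result. It assumes an already parsed javax.mail `MimeMessage` and the BouncyCastle `bcmail`/`bcpkix` jars on the classpath; the class name `SmimeSignerReport` is a placeholder.

```java
import java.security.Security;
import java.util.Collection;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.SMIMESignedParser;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.util.Store;

public class SmimeSignerReport { // placeholder class name, not from the thread

    /** Verifies every SignerInfo of a multipart/signed message and prints the algorithms each
     *  signer used; returns true only if every signer has a matching certificate and verifies. */
    public static boolean verifyAllSigners(MimeMessage message) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        MimeMultipart multipart = (MimeMultipart) message.getContent();
        SMIMESignedParser parser = new SMIMESignedParser(new BcDigestCalculatorProvider(), multipart);
        Store<X509CertificateHolder> certs = parser.getCertificates();
        boolean allVerified = true;
        for (SignerInformation signer : parser.getSignerInfos().getSigners()) {
            String digestOid = signer.getDigestAlgOID();
            String sigOid = signer.getEncryptionAlgOID();
            // Flag the two properties another client is most likely to object to:
            // a signature scheme it does not implement, or a digest it has deprecated.
            String note = "";
            if (PKCSObjectIdentifiers.id_RSASSA_PSS.getId().equals(sigOid)) note += " [RSASSA-PSS]";
            if (OIWObjectIdentifiers.idSHA1.getId().equals(digestOid)) note += " [SHA-1 digest]";
            System.out.printf("signer serial=%s digest=%s signature=%s%s%n",
                    signer.getSID().getSerialNumber(), digestOid, sigOid, note);
            Collection<X509CertificateHolder> matches = certs.getMatches(signer.getSID());
            if (matches.isEmpty()) { allVerified = false; continue; } // no embedded cert for this signer
            // verify() recomputes the content digest, compares it with the signed messageDigest
            // attribute and checks the signature; it does NOT build or validate a trust chain.
            boolean ok = signer.verify(
                    new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(matches.iterator().next()));
            System.out.println("  signature verifies: " + ok);
            allVerified &= ok;
        }
        return allVerified;
    }
}
```

Trust in the signing certificate (chain building, revocation, name matching against the From: address) is a separate step that `verify()` does not perform.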

Re: Re: [dev-crypto] Verify the integrity of a s/mime message

Simon Hain
The message was signed with RSA/SHA1

Cheers,
Simon
 

Sent: Wednesday, 21 February 2018 at 12:14
From: "martijn.list" <[hidden email]>
To: dev-crypto <[hidden email]>
Subject: Re: [dev-crypto] Verify the integrity of a s/mime message

Re: Verify the integrity of a s/mime message

David Hook-3
In reply to this post by Simon Hain

The code looks okay. I'd have to see the message to be able to tell any
more.

The message is unlikely to verify by accident, but I can think of a few
things in this situation that might confuse a client trying to do a
verification.

Regards,

David

On 21/02/18 21:47, Simon Hain wrote:

> I have an issue where my bouncycastle code verifies an email signature that Outlook and another library see as incorrect (mismatching hash value).