MIME-canonicalization


MIME-canonicalization

etc@coderhacks.com
Hi!

I am facing some problems with an S/MIME message where the content is binary
encoded AND a linefeed (LF) (0x0a) is used as the line separator.
CMS_verify fails (CMS
routines:CMS_SignerInfo_verify_content:verification failure).

It works fine if CRLF (0x0d 0x0a) is the line separator, or even if only CR
is used, but not with LF only.
It is also OK if the content is not binary but base64 encoded.

I tried with and without CMS_BINARY flag set.

I think it is about the canonicalization of MIME if the content is not
base64.

Is OpenSSL doing this canonicalization (and if so, where)?

I think CMS_BINARY should disable it. I tried changing every LF to CRLF
before the verify, but that did not help.

Any ideas?

Thanks!
Chris

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: MIME-canonicalization

etc@coderhacks.com
I think I found the reason for the problem.

SMIME_read_CMS does convert any single LF to a CRLF.

If I compare the input with the CMS I get out of SMIME_read_CMS, all LFs
have been replaced with CRLFs.

That's the problem with the verify. If I manually replace the added CRs
in the CMS and then give it to CMS_verify, all is fine.

So... can I disable this canonicalization in SMIME_read_CMS?

Thanks for help!


On 2018-03-14 07:43, [hidden email] wrote:

> Hi!
>
> I am facing some problems with an S/MIME message where the content is binary
> encoded AND a linefeed (LF) (0x0a) is used as the line separator.
> CMS_verify fails (CMS
> routines:CMS_SignerInfo_verify_content:verification failure).
>
> It works fine if CRLF (0x0d 0x0a) is the line separator, or even if only CR
> is used, but not with LF only.
> It is also OK if the content is not binary but base64 encoded.
>
> I tried with and without CMS_BINARY flag set.
>
> I think it is about the canonicalization of MIME if the content is not
> base64.
>
> Is OpenSSL doing this canonicalization (and if so, where)?
>
> I think CMS_BINARY should disable it. I tried changing every LF to
> CRLF before the verify, but that did not help.
>
> Any ideas?
>
> Thanks!
> Chris
>


Re: MIME-canonicalization

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of [hidden email]
> Sent: Wednesday, March 14, 2018 02:33
> To: [hidden email]
> Subject: Re: [openssl-users] MIME-canonicalization
>
> I think I found the reason for the problem.
>
> SMIME_read_CMS does convert any single LF to a CRLF.

Have you verified that the file actually contains bare LFs, and not CRLFs?

If you're running on Windows, beware the CRLF conversions done by the C library. For example, if you write a file using a file BIO that was created using a FILE* from a text-mode fopen, that file will have LFs converted to CRLF on output. You need to open the file in binary mode, or call _setmode on the FILE* before writing to it.

SMIME_read_CMS just calls SMIME_read_ASN1, which ultimately does a bunch of BIO_gets, which calls the gets method on the BIO object. A file BIO's gets method just calls fgets. So if there's translation happening, it would appear to be in the C runtime.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



Re: MIME-canonicalization

etc@coderhacks.com
I have verified this by comparing the original file that is going into
SMIME_read_CMS with
the content of the 2nd argument (bcont) I get out of it.

I checked manually: the file with a hex editor,
bcont with BIO_read and then printing it to the screen.

The file does have LFs; bcont does have CRLFs.

The file is going directly into SMIME_read_CMS via BIO_read_filename.
So I use the filename to address the content file, not a string or
anything that went through previous parsing.

I am running Debian buster.

Best regards,
Chris




On 2018-03-14 17:25, Michael Wojcik wrote:

>> From: openssl-users [mailto:[hidden email]] On Behalf
>> Of [hidden email]
>> Sent: Wednesday, March 14, 2018 02:33
>> To: [hidden email]
>> Subject: Re: [openssl-users] MIME-canonicalization
>>
>> I think I found the reason for the problem.
>>
>> SMIME_read_CMS does convert any single LF to a CRLF.
> Have you verified that the file actually contains bare LFs, and not CRLFs?
>
> If you're running on Windows, beware the CRLF conversions done by the C library. For example, if you write a file using a file BIO that was created using a FILE* from a text-mode fopen, that file will have LFs converted to CRLF on output. You need to open the file in binary mode, or call _setmode on the FILE* before writing to it.
>
> SMIME_read_CMS just calls SMIME_read_ASN1, which ultimately does a bunch of BIO_gets, which calls the gets method on the BIO object. A file BIO's gets method just calls fgets. So if there's translation happening, it would appear to be in the C runtime.
>


Re: MIME-canonicalization

Viktor Dukhovni


> On Mar 14, 2018, at 2:43 AM, [hidden email] wrote:
>
> I am facing some problems with an S/MIME message where the content is binary encoded AND a linefeed (LF) (0x0a) is used as the line separator.
> CMS_verify fails (CMS routines:CMS_SignerInfo_verify_content:verification failure).
>
> It works fine if CRLF (0x0d 0x0a) is the line separator, or even if only CR is used, but not with LF only.
> It is also OK if the content is not binary but base64 encoded.
>
> I tried with and without CMS_BINARY flag set.

S/MIME is not compatible with non-line-oriented binary MIME.
Your message MUST have CRLF-terminated input lines.

If you want true binary data, use CMS, not S/MIME.

--
        Viktor.

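The thread leaves the reader with two facts: the verify side re-reads the S/MIME body line by line and ends up with CRLF where the file had LF, while the digest in the SignerInfo was computed over the original bytes, so CMS_verify reports a verification failure. The Python below is an added example, not code from the thread and not OpenSSL's own code. It models that step with a canonicalizer that rewrites bare LF to CRLF and leaves CRLF and bare CR untouched; this matches what Chris observed (CRLF and CR-only verify, LF-only does not) and is a model of the observed behaviour, not a description of OpenSSL's internals. It also contains the check Michael asks for (count CRLF, bare LF and bare CR in the raw bytes instead of trusting what a text-mode stream or an editor shows) and the fix that follows from Viktor's answer for anyone who must stay with S/MIME: canonicalize to CRLF before signing, so the verifier's canonicalization becomes a no-op. The sample payloads are constructed for the example.

```python
"""Model of the S/MIME line-ending canonicalization discussed in the thread.

Added example; not code from the thread or from OpenSSL. The canonicalizer
is an assumption modelled on the reported behaviour (bare LF -> CRLF), and
SHA-256 stands in for the CMS message digest.
"""
import hashlib
import re

# Bare LF = an LF not preceded by CR. Bare CR is left alone because the
# thread reports CR-only content verifying fine; only LF-only content fails.
_BARE_LF = re.compile(rb"(?<!\r)\n")


def canonicalize_eol(data: bytes) -> bytes:
    """Rewrite every bare LF as CRLF; CRLF and bare CR pass through unchanged."""
    return _BARE_LF.sub(b"\r\n", data)


def line_ending_report(data: bytes) -> dict:
    """Count CRLF, bare LF and bare CR in raw bytes.

    This is the check Michael asks for: inspect the bytes themselves, not
    what a text-mode FILE* or an editor shows you.
    """
    crlf = data.count(b"\r\n")
    bare_lf = data.count(b"\n") - crlf
    bare_cr = data.count(b"\r") - crlf
    return {"crlf": crlf, "bare_lf": bare_lf, "bare_cr": bare_cr}


def content_digest(data: bytes) -> str:
    """Digest over the content, standing in for the CMS messageDigest attribute."""
    return hashlib.sha256(data).hexdigest()


def verify_would_match(signed_content: bytes) -> bool:
    """Would the digest survive the read-back canonicalization?

    Signing side: digest over the bytes exactly as given (binary signing).
    Verify side (model): the S/MIME reader canonicalizes the body first and
    CMS_verify then digests what came back out.
    """
    signed = content_digest(signed_content)
    read_back = content_digest(canonicalize_eol(signed_content))
    return signed == read_back


def prepare_for_smime(data: bytes) -> bytes:
    """Canonicalize before signing so the verifier's canonicalization is a
    fixed point: what is signed is exactly what will be read back."""
    canon = canonicalize_eol(data)
    assert canonicalize_eol(canon) == canon  # idempotent by construction
    return canon


if __name__ == "__main__":
    # Constructed sample payloads, one per line-ending convention in the thread.
    samples = {
        "LF only": b"first line\nsecond line\n",
        "CRLF": b"first line\r\nsecond line\r\n",
        "CR only": b"first line\rsecond line\r",
    }
    for name, payload in samples.items():
        print(f"{name:8} {line_ending_report(payload)} "
              f"verify ok: {verify_would_match(payload)}")
    fixed = prepare_for_smime(samples["LF only"])
    print("LF-only after prepare_for_smime verify ok:", verify_would_match(fixed))
```

Running it prints one report line per convention; only the LF-only payload fails the modelled verify, and the same payload passes once it has been canonicalized before signing. The model does not cover Viktor's other option, a DER-encoded CMS structure (`openssl cms -outform DER`, or CMS_sign followed by i2d_CMS_bio in C), where the content travels inside the ASN.1 encoding and no MIME line parsing happens on read-back, so arbitrary binary content survives untouched.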