[dev] S/MIME verification

Jan Schneider jan@horde.org
Mon Nov 18 21:53:40 2002


Quoting Cliff Green <green@UMDNJ.EDU>:

> Quoting Jan Schneider <jan@horde.org>:
> 
> > Quoting Cliff Green <green@UMDNJ.EDU>:
> >
> > > Quoting Jan Schneider <jan@horde.org>:
> > >
> > > > I just looked back at the archives but couldn't find any useful hint.
> > > > Did anyone ever succeed in verifying an s/mime signed message?
> > >
> > > Yes.
> > >
> > > > Verification of the message itself does actually work, but the sender's
> > > > cert can never be verified.
> > > >
> > > > I tried to put my openssl distribution's certs directory as well as
> > > > mod_ssl's ca-bundle.crt file into $conf['utils']['openssl_cafile'].
> > >
> > > I currently only have:
> > >  $conf['utils']['openssl_cafile'] = '/usr/share/ssl/certs/';  (though
> > > usually I install ssl in /usr/local/ssl and therefore the certs in
> > > /usr/local/ssl/certs - YMMV).
> > >
> > > I've stored all of the certs I care to check against in pem format, and
> > > have hashed the files in that directory with c_hash (if you have c_rehash,
> > > it'll do the whole directory for you).
> >
> > That's what I have, besides that my certs (pem and hashed) are in
> > /etc/ssl/certs/. It still doesn't work. Can you verify the cert of your
> > own message? I couldn't.
> 
> Well, see the attached screenscrape for what I *think* indicates the kind
> of verification you're asking about.

That's what I expected, though of course I couldn't expect this for _your_
message as I don't have your organisation's crt.
 
> On the other hand (now that I've shot myself in the foot in public), I
> double-checked and found that I can only verify signatures made with
> certs from our public hierarchy, not from our private hierarchy.  The msg
> I signed and sent you used my cert from our public hierarchy.  IIRC, there
> was a change in the way Crypt/smime.php should handle either a hashed
> directory or a single cafile, but so far I haven't divined the
> all-inclusive method either.

It's not smime.php but the called openssl function that _should_ handle both
directories and ca files. smime.php was only changed to expect a single path
as well as an array of paths.

Jan.

--
http://www.horde.org - The Horde Project
http://www.ammma.de - discover your knowledge
http://www.tip4all.de - Deine private Tippgemeinschaft
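
The following is an added example, not code from the thread or from Horde: it uses the openssl command line (not the PHP function smime.php calls) to show how a signer's certificate verifies against a single CA file, against a hashed directory of the kind c_hash/c_rehash produces, and against a directory that holds the PEM file without the hash link. The CA, signer, message and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every key, cert and message below is constructed on the fly.
smime_trust_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Minimal config so the CA cert carries basicConstraints CA:TRUE
        # regardless of what the system openssl.cnf contains.
        printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
            'prompt=no' '[dn]' 'CN=Demo Private CA' '[v3_ca]' \
            'basicConstraints=critical,CA:TRUE' > ca.cnf
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
            -keyout ca.key -out ca.pem 2>/dev/null || exit 1
        openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj '/CN=Demo Signer' \
            -keyout signer.key -out signer.csr 2>/dev/null || exit 1
        openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out signer.pem 2>/dev/null || exit 1
        printf 'constructed test message\n' > msg.txt
        openssl smime -sign -in msg.txt -signer signer.pem -inkey signer.key \
            -out msg.eml 2>/dev/null || exit 1

        # One directory with the PEM file only, and one that also has the
        # <subject-hash>.0 link that c_hash/c_rehash would create.
        mkdir plain hashed
        cp ca.pem plain/
        cp ca.pem hashed/
        ln -s ca.pem "hashed/$(openssl x509 -hash -noout -in ca.pem).0"

        check() {  # prints ok or fail for one trust-store option
            if openssl smime -verify -in msg.eml "$@" -out /dev/null 2>/dev/null
            then printf ok; else printf fail; fi
        }
        printf 'cafile=%s capath_hashed=%s capath_plain=%s\n' \
            "$(check -CAfile ca.pem)" "$(check -CApath hashed)" "$(check -CApath plain)"
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

smime_trust_demo
```

Running `openssl smime -verify` without the `2>/dev/null` redirection prints the verification error for the failing case, which helps tell a missing issuer apart from other failures.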

