[imp] Verifying smime signatures not working?

Edward Burr egburr at burr.cc
Tue Apr 29 15:07:50 UTC 2014


I am receiving email from a friend who uses Lotus Notes and is signing  
his emails. After much effort, I finally figured out how to extract  
the certificate from the smime.p7s file and import it into imp (since  
you can't just import the smime.p7s file directly). Now I am able to  
encrypt email to him, and imp successfully decrypts email from him  
(getting a key and sending him my public key was simple compared to  
importing the smime.p7s cert).

However, one thing I have not been able to figure out yet: I cannot  
find any indication whether the signed email from him is valid or not.  
The only way I know it is signed is because of the attached smime.p7s  
file, but imp gives no hint that it has actually checked whether the  
message and signature have been checked. For an encrypted message, I  
figure I can safely assume it is intact, but what about an unencrypted  
message?

If I view the source of a signed, non-encrypted email and save the  
source to a text file and run openssl_pkcs7_verify against it, it  
checks out, and if I make even a slight change to the message text,  
openssl returns errors, as expected. But imp just gives me the  
signature as an attachment and gives no hint whether the message is  
valid or not.

I am using Horde Groupware Webmail Edition and just upgraded to 5.1.4  
in the hopes there was a bug that had been fixed, but no luck. What am  
I missing in imp?

Here is the test php code I am using that shows whether my email is  
intact or tampered with:

<?php
// Verify the S/MIME signature of a saved message and print the result.
// Returns true only when the signature verifies.
function processCert($filename)
{
    $ret = false;
    // Temporary file that receives the signer's certificate on success.
    $tmp_cert = tempnam("", "crt");
    $res = openssl_pkcs7_verify($filename, 0, $tmp_cert, array("/etc/ssl/certs", ""));
    if ($res === false)
        echo("\nFALSE - does not verify\n");
    else if ($res === -1)
        echo("\nNEGATIVE - error\n");
    else if ($res === true)
    {
        echo("\nTRUE - verified\n");
        echo("\nSubject = \n");
        $cert_info = openssl_x509_parse("file://$tmp_cert");
        print_r($cert_info['subject']);
        $ret = true;
    }
    else
        echo("\nUNKNOWN ERROR\n");

    unlink($tmp_cert);
    return $ret;
}
?>
<HTML>
<HEAD>
<TITLE>PHP CERT TEST</TITLE>
</HEAD>
<BODY>
<pre>
<?php
processCert('email.txt');
processCert('modified.txt');
?>
</pre>
</BODY>
</HTML>

I saved the full source of the email from imp into the file email.txt  
in the same folder as the test.php code, then copied it to  
modified.txt and changed one character of the email message. I did  
have to download Verisign's root CA cert into the /etc/ssl/certs  
directory and hash it. When I load test.php in my browser, email.txt  
verifies and returns the subject info, and modified.txt does not verify.

Thanks in advance,
Edward Burr
-- 
"In television it is a cardinal sin to allow the viewer a
single moment when his ears and eyes are not assaulted by
sound and fury" -- Alfred Hitchcock, announcing a commercial
break in "Hangover" aired 12/06/1962 and just as true today
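
The test script in the post reports only whether the signature verifies. As an added example (not code from the original post or from Horde/IMP), this variant also reports which addresses the signer certificate carries and whether the message's From: address is among them. `verifySignedMail()` and its result keys are hypothetical names; `email.txt` and `modified.txt` are the files described in the post.

```php
<?php
// Added example: verifySignedMail() and its result keys are hypothetical names.
function verifySignedMail(string $file, array $caInfo = ['/etc/ssl/certs']): array
{
    $result = ['status' => 'error', 'signer_emails' => [], 'from' => null,
               'from_matches_signer' => false, 'errors' => []];
    $tmpCert = tempnam(sys_get_temp_dir(), 'crt');
    try {
        // true = signature and chain verify, false = verification failed, -1 = error
        $res = openssl_pkcs7_verify($file, 0, $tmpCert, $caInfo);
        while (($e = openssl_error_string()) !== false) {
            $result['errors'][] = $e;   // keep OpenSSL's reasons for the caller
        }
        if ($res !== true) {
            $result['status'] = ($res === false) ? 'invalid' : 'error';
            return $result;
        }
        $result['status'] = 'valid';

        // Addresses bound to the signer certificate (subject and subjectAltName).
        $info = openssl_x509_parse((string) file_get_contents($tmpCert));
        $emails = (array) ($info['subject']['emailAddress'] ?? []);
        $san = $info['extensions']['subjectAltName'] ?? '';
        if (preg_match_all('/email:([^,\s]+)/i', $san, $m)) {
            $emails = array_merge($emails, $m[1]);
        }
        $result['signer_emails'] = array_values(array_unique(array_map('strtolower', $emails)));

        // From: address of the outer message (simplified: unfolds headers, takes the first address).
        $headers = preg_split('/\r?\n\r?\n/', (string) file_get_contents($file), 2)[0];
        $headers = preg_replace('/\r?\n[ \t]+/', ' ', $headers);
        if (preg_match('/^From:.*?([^\s<>"]+@[^\s<>"]+)/mi', $headers, $m)) {
            $result['from'] = strtolower($m[1]);
        }
        $result['from_matches_signer'] = $result['from'] !== null
            && in_array($result['from'], $result['signer_emails'], true);
        return $result;
    } finally {
        @unlink($tmpCert);              // always remove the temporary signer cert
    }
}

// File names are the ones used in the post's test.
foreach (['email.txt', 'modified.txt'] as $f) {
    print_r(verifySignedMail($f));
}
```

The From: header lies outside the signed part of an S/MIME message, so a `valid` status with `from_matches_signer` false means the content is intact but was signed by a certificate not issued to the displayed sender.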