[ python-Bugs-968430 ] error flattening complex smime signed message

SourceForge.net noreply at sourceforge.net
Thu Sep 8 08:16:01 CEST 2005


Bugs item #968430, was opened at 2004-06-07 20:34
Message generated for change (Comment added) made by hta
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=968430&group_id=5470

Category: Python Library
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Ludovico Magnocavallo (ludo)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: error flattening complex smime signed message

Initial Comment:
Python 2.3.3 [GCC 3.2.2] on linux2
email version 2.5.5

Complex SMIME signed messages parsed and flattened
again do not pass SMIME verification. I have noticed
this with messages that have as message/rfc822
attachment another SMIME signed message.

A diff between an "original" SMIME signed message
passing openssl smime -verify verification and the same
message parsed (message_from_file) and flattened
(as_string(False)) by the email library:
diff -bB bugmsg_signed.eml bugmsg_signed_parsed.eml
2c2,3
< Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature"; micalg=sha1;
boundary="----381546B4549948B9F93D885A82884C49"
---
> Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature";
>       micalg=sha1;
boundary="----381546B4549948B9F93D885A82884C49"

The email-parsed message splits the signature header
into two lines, thus rendering the message non-valid.

Attached to this bug is a .zip archive with:

- msg #1: the non-signed message (with a signed message
as attachment)
- msg #2: message #1 signed by openssl
- msg #3: message #2 parsed and flattened as described
above
- the CA certificate file used for smime verification

openssl command used to verify #2 and #3:

openssl smime -verify -in bugmsg_signed.eml -CAfile cacert.pem

openssl smime -verify -in bugmsg_signed_parsed.eml -CAfile cacert.pem
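
A multipart/signed signature covers the exact bytes of the first body part, so a header re-folded inside that part changes what gets verified. The following is an added example, not part of the original report or of the email package: it hashes the signed part before and after a rewrite, assuming the re-folded header sits inside the signed part (as with the nested message/rfc822 attachment described above); the sample message, boundaries and function names are constructed.

```python
import hashlib
import re

def signed_part(raw: bytes) -> bytes:
    """Exact bytes of the first body part of a multipart/signed message,
    i.e. the content the detached signature covers (RFC 1847)."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    # Unfold the outer headers, only to read the boundary parameter.
    head = re.sub(rb"\n[ \t]+", b" ", head)
    m = re.search(rb'(?im)^content-type:[^\n]*multipart/signed[^\n]*'
                  rb'boundary="?([^";\n]+)', head)
    if not m:
        raise ValueError("not a multipart/signed message")
    # The line break before a delimiter belongs to the delimiter itself.
    chunks = (b"\n" + body).split(b"\n--" + m.group(1))
    if len(chunks) < 3:
        raise ValueError("signed part or signature part missing")
    return chunks[1].split(b"\n", 1)[1]  # drop the rest of the delimiter line

def signed_part_digest(raw: bytes) -> str:
    # SHA-256 here only compares byte strings; it does not verify a signature.
    canonical = signed_part(raw).replace(b"\n", b"\r\n")  # CRLF canonical form
    return hashlib.sha256(canonical).hexdigest()

def same_signed_part(original: bytes, flattened: bytes) -> bool:
    return signed_part_digest(original) == signed_part_digest(flattened)

# Constructed sample with placeholder signatures: the signed part is a
# message/rfc822 attachment that is itself a signed message.
INNER_CT = ('Content-Type: multipart/signed; '
            'protocol="application/x-pkcs7-signature";{sep}'
            'micalg=sha1; boundary="INNER-0002"')
TEMPLATE = (
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";\n'
    '\tmicalg=sha1; boundary="OUTER-0001"\n\n'
    '--OUTER-0001\nContent-Type: message/rfc822\n\n'
    'MIME-Version: 1.0\n{inner_ct}\n\n'
    '--INNER-0002\nContent-Type: text/plain\n\npatch text\n'
    '--INNER-0002\nContent-Type: application/x-pkcs7-signature\n\n(sig)\n--INNER-0002--\n'
    '--OUTER-0001\nContent-Type: application/x-pkcs7-signature\n\n(sig)\n--OUTER-0001--\n')
ORIGINAL = TEMPLATE.format(inner_ct=INNER_CT.format(sep=" ")).encode()
REFOLDED = TEMPLATE.format(inner_ct=INNER_CT.format(sep="\n\t")).encode()

if __name__ == "__main__":
    import email
    roundtrip = email.message_from_bytes(ORIGINAL).as_bytes()
    print("library round trip:", same_signed_part(ORIGINAL, roundtrip))
    print("re-folded copy:", same_signed_part(ORIGINAL, REFOLDED))
```

A relay can run this kind of comparison on the bytes it received and the bytes it is about to send, and pass the original through untouched when the digests differ.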



----------------------------------------------------------------------

Comment By: Harald Tveit Alvestrand (hta)
Date: 2005-09-08 06:16

Message:

Adding my voice that the bug is important.
This is now the chief culprit in breaking signed messages in my usage of
signed email on the net; that "signatures are so often broken" is one
argument people often use against using signed email.

----------------------------------------------------------------------

Comment By: Bas Wijnen (shevek)
Date: 2005-01-25 09:37

Message:

In case it is any help, I tried to find the problem in the
source.  I don't speak python, so I can't fix anything, but
I do speak C, so it's quite readable. :-)

It seems to me that the problem is in Lib/email/Message.py,
in particular in _parseparam and _get_params_preserve.  Both
these functions call strip() on the object several times
(which seems a bit overdone anyway ;-) ), which I presume
removes all whitespace around them.

I think the whitespace should somehow be saved (not
stripping will probably break many programs, so that's not a
good idea), so it can be used again when the header is
written.  set_param should of course also fill this value,
so new params get a defined separation (although the empty
string is quite acceptable).

How this should be implemented I gladly leave to someone who
actually speaks Python. :-)

----------------------------------------------------------------------

Comment By: Bas Wijnen (shevek)
Date: 2005-01-24 11:43

Message:

I would like to add that I think this bug is quite
important, as mailman uses python.  This means that many
mailing lists invalidate signatures when signed e-mails with
attachments are sent through them.  As attachments are often
code patches, it is quite important that the signatures are
working correctly.

----------------------------------------------------------------------
