Ezequiel Garzón | 13 May 2012 01:46

Is nail supposed to verify S/MIME messages out of the box?

Hello! I know this is the second question I raise in a short time,
which is in turn related to the first. I promise there won't be a
third on this topic, but I wanted to pose the question more broadly.

Is nail supposed to verify S/MIME messages out of the box? If not, for
those of you who can successfully verif(y) messages, what changes have
you made to your settings? For example, I see in the man page
ssl-ca-dir, ssl-ca-file, ssl-cert, smime-ca-dir, smime-ca-file... and
I get the feeling that this out-of-the-box expectation may be
wishful/ignorant thinking... Needless to say, I am not very familiar
with all the concepts related to S/MIME.

Thanks and cheers!

Ezequiel

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Martin Neitzel | 14 May 2012 16:46

Re: Is nail supposed to verify S/MIME messages out of the box?

Hello Ezequiel,

GL> Is nail supposed to verify S/MIME messages out of the box?

If you have the required libs (openssl or nss) on your system,
nail will provide all S/MIME-related functions (en/decrypt,
sign, verify) out of the box.  Unlike a few other systems,
it doesn't come with a preconfigured set of trusted root CAs,
and IMHO that's a good thing -- you better select yourself whom
you like to trust to provide CA services.

GL> I get the feeling that this out-of-the-box expectation may be
GL> wishful/ignorant thinking... Needless to say, I am not very familiar
GL> with all the concepts related to S/MIME.

Yes, you'll need to have an understanding of how X509 certificates work,
i.e., what is a private+public key pair, what is a certificate, what is
a certificate chain, what is a trust anchor.  (This holds for any mailer,
not just nail.  And any tutorial will do.)

You'll also need some basic familiarity with a tool to inspect
certificate files.   Most probably,

	openssl x509 -text -noout < somecert.pem | more

will cover most of your needs.

Nail provides just a very thin veneer on top of the openssl library.
In particular, messages about failed checks or errors are passed on
to the user without being dressed up in any nice way.

Martin Neitzel | 15 May 2012 17:35

Re: Is nail supposed to verify S/MIME messages out of the box?

While analyzing the sign/verify steps together with Ezequiel, it
turns out that nail has a rather severe restriction at the moment:
it can't include additional certificate material along with the
pkcs7 signature.  For openssl, nail is signing thusly:

[openssl, line 479-480:]
	if ((pkcs7 = PKCS7_sign(cert, pkey, NULL, bb,
			PKCS7_DETACHED)) == NULL) {

That third, currently NULL argument for the "certs" parameter could be made
better use of:

        PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey,
			STACK_OF(X509) *certs, BIO *data, int flags);

       PKCS7_sign() creates and returns a PKCS#7 signedData structure.
       signcert is the certificate to sign with, pkey is the corresponding
       private key.  certs is an optional additional set of certificates to
       include in the PKCS#7 structure (for example any intermediate CAs in
       the chain).

I'm just familiar with the Thawte/Verisign CA business but it
is my overall impression that flat CA hierarchies are increasingly
decommissioned, making it more and more necessary to supply lower-level
CA material along with end user certificates.

This shortcoming doesn't bite most small private CAs, but makes
life difficult for those relying on public CAs (be it for themselves
or correspondents).  It would be nice if someone could hack up support
for an "smime-include-certs" option.  I *may* find enough time within

Martin Neitzel | 18 May 2012 16:02

Re: Is nail supposed to verify S/MIME messages out of the box?

I had written earlier in this thread:

> Unlike a few other systems, it [nail] doesn't come with a
> preconfigured set of trusted root CAs,

This turned out to be rubbish.  openssl will make use of a set of
system-wide installed certificates (reachable via /etc/ssl/certs or some
such) if present (with debian, pkg "ca-certificates" will provide this).
(This is what can be inhibited in nail by setting "smime-no-default-ca".)

Both Ezequiel and I had a standard set of some 140 root CAs
at hand this way.  Ezequiel's Comodo-cert-based signed emails
didn't verify as long as the intermediate CA certificates were
missing.

						Martin
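The two findings in Martin's messages above (that nail passed NULL for the `certs` parameter of PKCS7_sign(), and that a system root store alone did not verify a signature whose intermediate CA certificate was missing from the PKCS#7 structure) can be reproduced with the openssl command-line tool. The script below is an added example; it is not code from the nail project or from anyone in this thread. It builds a throwaway three-level test PKI (root, intermediate, user certificate), signs a constructed message once without and once with the intermediate embedded (`-certfile` is the CLI counterpart of the `certs` argument), and verifies both against a trust store that contains only the root. All subjects, file names and the message text are constructed for the demo; it assumes `openssl` and `mktemp` are available.

```shell
#!/bin/sh
# Added example, not from nail or this thread. Demonstrates why an S/MIME
# signature fails to verify when the intermediate CA certificate is neither
# in the PKCS#7 structure nor in the verifier's trust store.
# Assumes the openssl CLI; all names below are constructed for the demo.

make_test_pki() {           # $1 = working directory
    d=$1
    # Root CA: self-signed, CA:TRUE, certificate-signing key usage
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -new -key "$d/root.key" -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -set_serial 1 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    # Intermediate CA: issued by the root, also CA:TRUE
    openssl genrsa -out "$d/int.key" 2048 2>/dev/null
    openssl req -new -key "$d/int.key" -subj "/CN=Demo Intermediate CA" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -days 1 \
        -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    # End-user signing certificate: issued by the intermediate, S/MIME signing only
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=emailProtection\n' > "$d/user.ext"
    openssl genrsa -out "$d/user.key" 2048 2>/dev/null
    openssl req -new -key "$d/user.key" -subj "/CN=Demo User/emailAddress=user@example.test" \
        -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -days 1 \
        -set_serial 3 -extfile "$d/user.ext" -out "$d/user.pem" 2>/dev/null
}

sign_message() {            # $1 = dir, $2 = output file, remaining args go to openssl
    d=$1; out=$2; shift 2
    printf 'Subject: demo\n\nconstructed test message body\n' > "$d/msg.txt"
    openssl smime -sign -in "$d/msg.txt" -signer "$d/user.pem" -inkey "$d/user.key" \
        -out "$out" "$@" 2>/dev/null
}

verify_message() {          # $1 = dir, $2 = signed file; prints OK or FAIL
    # Trust store holds only the root, as a verifier with a default CA bundle would.
    if openssl smime -verify -in "$2" -CAfile "$1/root.pem" -out /dev/null 2>/dev/null; then
        echo OK
    else
        echo FAIL
    fi
}

smime_chain_demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    # Case 1: what PKCS7_sign() with certs=NULL produces -- only the user
    # certificate travels with the signature, so the chain cannot be built.
    sign_message "$d" "$d/without.eml"
    # Case 2: the intermediate is included alongside the signer certificate
    # (the effect of passing a certs stack, or of -certfile on the CLI).
    sign_message "$d" "$d/with.eml" -certfile "$d/int.pem"
    r1=$(verify_message "$d" "$d/without.eml")
    r2=$(verify_message "$d" "$d/with.eml")
    rm -rf "$d"
    echo "without-intermediate=$r1 with-intermediate=$r2"
}

smime_chain_demo
```

The first case is the state Ezequiel hit: the root is trusted, but the verifier has no path from the user certificate to it. The second case is what shipping the intermediate in the PKCS#7 structure fixes; the alternative on the receiving side is to put the intermediate into the verifier's own CA material (the `smime-ca-file` / `smime-ca-dir` settings mentioned at the start of the thread), which only helps correspondents who already know which intermediate to add.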

Steffen Daode Nurpmeso | 22 May 2012 14:26

Re: Is nail supposed to verify S/MIME messages out of the box?

Martin Neitzel <neitzel <at> gaertner.de> wrote:

 |While analyzing the sign/verify steps together with Ezequiel, it
 |turns out that nail has a rather severe restriction at the moment:
 |it can't include additional certificate material along with the
 |pkcs7 signature.  For openssl, nail is signing thusly:

Should work fine.
Testing still appreciated.

--steffen
Forza Figa!

    Add *smime-sign-include-certs* (and *-user <at> host*) options..

    Those can be used to specify additional certificates which are
    to be included in the S/MIME message in addition to the main one
    given in *smime-sign-cert*.
    They are interpreted as lists of comma-separated filenames, each
    of which contains a single certificate in PEM format.
    The filenames are expanded as usual so that +/~ prefixes work.

    This missing feature was discovered and analyzed by
    Ezequiel Garzón (garzon (DOT) lucero (AT) gmail (DOT) com) and
    Martin Neitzel (neitzel (AT) gaertner (DOT) de).
    The author of the changeset was left alone in a horrible way in
    the test phase.

    P.S.:
    the error execution paths in openssl.c could be made *much*

Martin Neitzel | 22 May 2012 18:19

Re: Is nail supposed to verify S/MIME messages out of the box?

Hi Steffen,

>  |include additional certificate material along with the
>  |pkcs7 signature.
> Testing still appreciated.

I tested this public patch and it applies & works just great.

>     The author of the changeset was left alone in a horrible way in
>     the test phase.

One committed but faithless tester was originally scheduled for attending
a funeral on Saturday but after that date got re-scheduled and weather
was nice and sunny, opted for cycling 400km in the last four days instead.
Sorry for that.  I'll be taking a break today, i.e. ride just some recomb
and do some work on nail today...

								Martin

PS:  One not-so-nice thing during testing smime issues is that my main
home machine is still a 486 running FreeBSD-4.7.  This OS comes with an
early openssl-9.8.0 as part of base and it is buggy enough that nail
will core-dump during smime signing.  If others need a remedy, too,
let me know, and I might try harder to address this.

[Likewise, about half of the emails I read with nail on this platform are
completely mangled (all line breaks get lost, and this is particularly
nasty for patches.)    I'm suspecting a deficient iconv(3) implementation,
messages in both nail and trn are suffering from this effect.]


Steffen Daode Nurpmeso | 22 May 2012 23:32

Re: Is nail supposed to verify S/MIME messages out of the box?

Martin Neitzel <neitzel@...> wrote:

 |Hi Steffen,
 |
 |>  |include additional certificate material along with the
 |>  |pkcs7 signature.
 |> Testing still appreciated.
 |
 |I tested this public patch and it applies & works just great.

Great!
(Yes, there was one more iteration - the manual i've found in the
book sounded better, and i also wanted to catch the rather unusual
error of specifying an empty list to work it all out.)

 |>     The author of the changeset was left alone in a horrible way in
 |>     the test phase.
 |
 |One committed but faithless tester was originally scheduled for attending
 |a funeral on Saturday but after that date got re-scheduled and weather
 |was nice and sunny, opted for cycling 400km in the last four days instead.

This is heartbreak hotel.
Here: thunderstorms, with very intensive lightning (also at the
very moment, again).

 |Sorry for that.  I'll be taking a break today, i.e. ride just some recomb
 |and do some work on nail today...
 |								Martin
 |

Ezequiel Garzón | 24 May 2012 12:12

Re: Is nail supposed to verify S/MIME messages out of the box?

> Should work fine.
> Testing still appreciated.

After much help from Martin, I can say that it works for me too. Thank
you for the patch! Any idea about how long it takes for it to be
applied to the official source code? Just curious.

Best regards,

Ezequiel

On Tue, May 22, 2012 at 2:26 PM, Steffen Daode Nurpmeso
<sdaoden@...> wrote:
> Martin Neitzel <neitzel@...> wrote:
>
>  |While analyzing the sign/verify steps together with Ezequiel, it
>  |turns out that nail has a rather severe restriction at the moment:
>  |it can't include additional certificate material along with the
>  |pkcs7 signature.  For openssl, nail is signing thusly:
>
> Should work fine.
> Testing still appreciated.
>
> --steffen
> Forza Figa!
>
>    Add *smime-sign-include-certs* (and *-user <at> host*) options..
>
>    Those can be used to specify additional certificates which are
>    to be included in the S/MIME message in addition to the main one
