[#6323] False positive SMIME verification
Summary False positive SMIME verification
Queue Horde Framework Packages
Queue Version FRAMEWORK_3
Type Bug
State Resolved
Priority 2. Medium
Owners Horde Developers (at) , selsky (at) columbia (dot) edu
Requester thomas.belot (at) atosorigin (dot) com
Created 02/26/2008
Updated 03/14/2008
Assigned 03/13/2008
Resolved 03/14/2008
Milestone 3.2
Patch No

History
03/14/2008 01:43:32 PM Matt Selsky Comment #8
Assigned to Matt Selsky
State ⇒ Resolved
Thomas confirmed this as working.  Fixed in HEAD and RC4.
03/13/2008 03:50:29 PM Chuck Hagenbuch State ⇒ Feedback
 
03/13/2008 06:00:47 AM Matt Selsky Comment #7
New Attachment: smime.patch Download
Try this patch.  Also, do you have a few sample messages I can use for 
testing?  How did you break the message to get openssl_pkcs7_verify() 
to return -1?
03/06/2008 10:45:45 AM Jan Schneider Comment #6
With both cases I meant -1 which means an error during verification, 
and false which means an invalid cert.
03/06/2008 10:36:30 AM thomas (dot) belot (at) atosorigin (dot) com Comment #5
I ran a few tests on my own; there is no way to differentiate both 
cases (output is not filled).

If you want to raise two different messages, we need to contact PHP's 
openssl team and ask for a third return code
03/06/2008 12:32:11 AM Jan Schneider Comment #4
State ⇒ Assigned
Assigned to Horde Developers
Milestone ⇒ 3.2
I suggest that we return two different error messages in those cases.
02/27/2008 12:57:04 PM thomas (dot) belot (at) atosorigin (dot) com Comment #3
Then there is a problem in openssl's function:

I wrote the signature function that caused invalid signature 
production and I had two problems: invalid signature syntax AND 
invalid signature.

When facing both problems the function returns -1 as the invalid 
signature is unparsable ... but still invalid.
02/26/2008 09:22:01 PM Jan Schneider Comment #2
State ⇒ Feedback
Priority ⇒ 2. Medium
Why do you consider -1 a valid verification ???
Because, if the signature was really invalid, it would have returned 
false. The commit message that allowed -1 as a valid return, says: 
"openssl_pkcs7_verify returns -1 when the signature is ok but there 
are no certificates to return."
02/26/2008 04:25:34 PM thomas (dot) belot (at) atosorigin (dot) com Comment #1
Priority ⇒ 3. High
State ⇒ Unconfirmed
Queue ⇒ Horde Framework Packages
Summary ⇒ False positive SMIME verification
Type ⇒ Bug
In file framework/Crypt/Crypt/smime.php,v 1.49.2.14 line 215

212:        /* Try again without verifying the signer's cert */
213:        $result = openssl_pkcs7_verify($input, PKCS7_NOVERIFY, $output);
214:
215:        if (($result === true) || ($result === -1)) {
216:            [Verification OK]
217:        } else {
218:            [Verification KO]
219:        }

Verification is OK if "$result === -1" but "openssl_pkcs7_verify" 
documentation specify that "[openssl_pkcs7_verify] Returns [...] -1 on 
error."

Why do you consider -1 a valid verification ???

In my case, I had a malformed smime signature which led to an 
encouraging message "valid message verification, but unknown issuer"...
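
The three return values of openssl_pkcs7_verify() discussed in this ticket, exercised end to end. This is an added example, not code from Horde's Crypt/smime.php or from the attached patch: it makes the same PKCS7_NOVERIFY call as line 213 above, but counts only boolean true as a verified message and reports false (parsed, signature does not match) and -1 (could not verify at all, e.g. an unparsable structure) as two distinct outcomes, which is what comments #4 and #6 ask for. It assumes PHP 7.4 or later with ext/openssl and a writable temp directory; the function names, the constant names and the sample message are this example's own.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not Horde code. Maps the three results of
 * openssl_pkcs7_verify() to three distinct verdicts so that -1 is never
 * reported as "Verification OK". Assumes PHP >= 7.4 with ext/openssl.
 */

const SMIME_VERIFIED      = 'verified';            // true:  signature matches
const SMIME_BAD_SIGNATURE = 'invalid signature';   // false: parsed, signature does not match
const SMIME_ERROR         = 'verification error';  // -1:    could not verify at all

/**
 * Same call Crypt/smime.php makes (PKCS7_NOVERIFY: signer chain not checked),
 * but only boolean true counts as a verified message. On -1 the OpenSSL
 * error stack is returned through $detail so the log says why.
 */
function classifySmimeVerify(string $file, ?string &$detail = null): string
{
    while (openssl_error_string() !== false) { }   // drain stale OpenSSL errors

    $result = openssl_pkcs7_verify($file, PKCS7_NOVERIFY);
    if ($result === true) {
        return SMIME_VERIFIED;
    }
    if ($result === false) {
        return SMIME_BAD_SIGNATURE;
    }
    // -1: an error, not a verdict. Collect the reason instead of accepting it.
    $detail = '';
    while (($err = openssl_error_string()) !== false) {
        $detail .= $err . "\n";
    }
    return SMIME_ERROR;
}

/** Sign $in into $out (multipart/signed) with a throwaway self-signed RSA cert. */
function signWithThrowawayCert(string $in, string $out): void
{
    $key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr  = $key ? openssl_csr_new(['commonName' => 'smime-example'], $key) : false;
    $cert = $csr ? openssl_csr_sign($csr, null, $key, 1) : false;
    if ($cert === false || !openssl_pkcs7_sign($in, $out, $cert, $key, [])) {
        throw new RuntimeException('could not build signed message: ' . openssl_error_string());
    }
}

/** Exercise the three outcomes on constructed messages and return the verdicts. */
function demo(): array
{
    $tmp = sys_get_temp_dir();
    [$plain, $signed, $tampered, $garbage] = array_map(
        fn(string $n): string => tempnam($tmp, "smime-$n-"),
        ['plain', 'signed', 'tampered', 'garbage']
    );

    // Constructed sample content; the signer adds the multipart/signed wrapping.
    file_put_contents($plain, "Content-Type: text/plain\r\n\r\nHello, Horde\r\n");
    signWithThrowawayCert($plain, $signed);

    // Tampered: the signed body is altered after signing. The MIME structure
    // still parses, but the digest no longer matches -> false.
    file_put_contents($tampered, str_replace('Hello, Horde', 'Hallo, Horde', file_get_contents($signed)));

    // Garbage: not an S/MIME structure at all, so OpenSSL cannot even parse it -> -1.
    // This is the case that Crypt/smime.php 1.49.2.14 reported as "Verification OK".
    file_put_contents($garbage, "This is not a signed message.\r\n");

    $verdicts = [
        'signed'   => classifySmimeVerify($signed),
        'tampered' => classifySmimeVerify($tampered),
        'garbage'  => classifySmimeVerify($garbage, $why),
    ];
    $verdicts['garbage_detail'] = trim((string) $why);

    foreach ([$plain, $signed, $tampered, $garbage] as $f) {
        unlink($f);
    }
    return $verdicts;
}

print_r(demo());
```

Run it with `php smime_verify_example.php`: the untouched message comes back as `verified`, the tampered one as `invalid signature`, and the garbage file as `verification error` together with the OpenSSL error text. The two non-true results are deliberately not merged, since a -1 says nothing about the signature and must not be shown to the user as a (partially) successful verification.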
