False positive SMIME verification

False positive SMIME verification Tue, 07 Oct 2008 04:43:19 -0400 http://bugs.horde.org/ticket/6323 False positive SMIME verification In file framework/Crypt/Crypt/smime.php,v 1.49.2.14 line 215 In file framework/Crypt/Crypt/smime.php,v 1.49.2.14 line 215 212:/* Try again without verfying the signer's cert */ 213: $result = openssl_pkcs7_verify($input, PKCS7_NOVERIFY, $output); 214: 215: if (($result === true) || ($result === -1)) { 216: [Verification OK] 217: } else { 218: [Verification KO] 219: } Verification is OK if "$result === -1" but "openssl_pkcs7_verify" documentation specify that "[openssl_pkcs7_verify] Returns [...] -1 on error." Why do you consider -1 a valid verification ??? In my case, I had malformed smime signature which lead to an encouraging message "valid message verification, but unknown issuer"... Tue, 26 Feb 2008 11:25:34 -0500 http://bugs.horde.org/ticket/6323#t43109 > Why do you consider -1 a valid verification ??? Because > Why do you consider -1 a valid verification ??? Because, if the signature was really invalid, it would have returned false. The commit message that allowed -1 as a valid return, says: "openssl_pkcs7_verify returns -1 when the signature is ok but there are no certificates to return." Tue, 26 Feb 2008 16:22:01 -0500 http://bugs.horde.org/ticket/6323#t43144 Then there is a problem in openssl's function : I wrote th Then there is a problem in openssl's function : I wrote the signature function that caused invalid signature production and I had two problem : Invalid signature syntax AND invalid signature When facing both problems the function returs -1 as the invalid signature is unparsable ... but still invalid Wed, 27 Feb 2008 07:57:04 -0500 http://bugs.horde.org/ticket/6323#t43192 I suggest that we return two different error messages in tho I suggest that we return two different error messages in those cases. Wed, 05 Mar 2008 19:32:11 -0500 http://bugs.horde.org/ticket/6323#t43436 I ran a few tests on my own, there is no way to differenciat I ran a few tests on my own, there is no way to differenciate both cases (output is not filled). If you want to raise two different messages, we need to contact PHP's openssl team and ask for a third return code Thu, 06 Mar 2008 05:36:30 -0500 http://bugs.horde.org/ticket/6323#t43485 With both cases I meant -1 which means an error during verif With both cases I meant -1 which means an error during verification, and false which means an invalid cert. Thu, 06 Mar 2008 05:45:45 -0500 http://bugs.horde.org/ticket/6323#t43492 Try this patch. Also, do you have a few sample messages I c Try this patch. Also, do you have a few sample messages I can use for testing? How did you break the message to get openssl_pkcs7_verify() to return -1? Thu, 13 Mar 2008 02:00:47 -0400 http://bugs.horde.org/ticket/6323#t43790 Thomas confirmed this as working. Fixed in HEAD and RC4. Thomas confirmed this as working. Fixed in HEAD and RC4. Fri, 14 Mar 2008 09:43:32 -0400 http://bugs.horde.org/ticket/6323#t43833