False positive SMIME verification

False positive SMIME verification Fri, 10 Apr 2026 07:03:43 +0000 https://bugs.horde.org/ticket/6323 False positive SMIME verification In file framework/Crypt/Crypt/smime.php,v 1.49.2.14 line 215 In file framework/Crypt/Crypt/smime.php,v 1.49.2.14 line 215 212:/* Try again without verfying the signer's cert */ 213: $result = openssl_pkcs7_verify($input, PKCS7_NOVERIFY, $output); 214: 215: if (($result === true) || ($result === -1)) { 216: [Verification OK] 217: } else { 218: [Verification KO] 219: } Verification is OK if "$result === -1" but "openssl_pkcs7_verify" documentation specify that "[openssl_pkcs7_verify] Returns [...] -1 on error." Why do you consider -1 a valid verification ??? In my case, I had malformed smime signature which lead to an encouraging message "valid message verification, but unknown issuer"... Tue, 26 Feb 2008 16:25:34 +0000 https://bugs.horde.org/ticket/6323#t43109 > Why do you consider -1 a valid verification ??? Because > Why do you consider -1 a valid verification ??? Because, if the signature was really invalid, it would have returned false. The commit message that allowed -1 as a valid return, says: "openssl_pkcs7_verify returns -1 when the signature is ok but there are no certificates to return." Tue, 26 Feb 2008 21:22:01 +0000 https://bugs.horde.org/ticket/6323#t43144 Then there is a problem in openssl's function : I wrote th Then there is a problem in openssl's function : I wrote the signature function that caused invalid signature production and I had two problem : Invalid signature syntax AND invalid signature When facing both problems the function returs -1 as the invalid signature is unparsable ... but still invalid Wed, 27 Feb 2008 12:57:04 +0000 https://bugs.horde.org/ticket/6323#t43192 I suggest that we return two different error messages in tho I suggest that we return two different error messages in those cases. Thu, 06 Mar 2008 00:32:11 +0000 https://bugs.horde.org/ticket/6323#t43436 I ran a few tests on my own, there is no way to differenciat I ran a few tests on my own, there is no way to differenciate both cases (output is not filled). If you want to raise two different messages, we need to contact PHP's openssl team and ask for a third return code Thu, 06 Mar 2008 10:36:30 +0000 https://bugs.horde.org/ticket/6323#t43485 With both cases I meant -1 which means an error during verif With both cases I meant -1 which means an error during verification, and false which means an invalid cert. Thu, 06 Mar 2008 10:45:45 +0000 https://bugs.horde.org/ticket/6323#t43492 Try this patch. Also, do you have a few sample messages I c Try this patch. Also, do you have a few sample messages I can use for testing? How did you break the message to get openssl_pkcs7_verify() to return -1? Thu, 13 Mar 2008 06:00:47 +0000 https://bugs.horde.org/ticket/6323#t43790 Thomas confirmed this as working. Fixed in HEAD and RC4. Thomas confirmed this as working. Fixed in HEAD and RC4. Fri, 14 Mar 2008 13:43:32 +0000 https://bugs.horde.org/ticket/6323#t43833