Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo

Close

#14 smime signature verification fails for chained certs

open
nobody
None
5
2013-08-14
2012-05-16
Dave Funk
No

The s/mime signature that alpine generates fails to include any intermediate chained CA certs when the user's personal cert
was created from an intermediate CA. This causes signature verification failures at the recipients, unless the recipients happen
to have the necessary intermediate chained CAs in their local CA store. ("Couldn't verify S/MIME signature: certificate verify error").
In the file "pith/smime.c" the call to "PKCS7_sign" has the third argument set to "NULL". This should be a "STACK_OF(X509)" structure
populated with intermediate chained CA certs for the case that the user's signing cert has them.

Discussion

  • Can you provide a patch?

     
    • Kaspar
      Kaspar
      2014-04-30

      Here is a proof of concept, with the limitation that it only works for file-based certificates - i.e., neither "Container"-based storage in an IMAP folder is supported, nor does it work with keychain-based certificates on OS X.

      Additional certificates to be included in the S/MIME signature must be appended to the user's .crt file (PEM formatted) in the certificates' directory (~/.alpine-smime/public by default). To verify that additional certificates are indeed included in the signature, start with -d 9 and look for sign_outgoing_message: adding ... in the debug log.

      I'm offering the patch as-is, since I'm not really a user of re-alpine (but was asked by someone to have a look at it). Feel free to ignore, or to tweak further.