
SSL Signature Check

Tentative Perl Module Name

Mail::SSLSigCheck

Dependencies

Perl Modules

  • Crypt::OpenSSL::PKCS7 (Needs to be written)
  • Crypt::OpenSSL::X509

C Libraries

  • libcrypto
  • libssl

User Directory Structure

.sslsigcheck/
        cacerts/
                trustedcacerts.pem
                untrustedcacerts.pem
        usercerts/
                trustedusers.pem
                untrustedusers.pem
                db?  DBD::SQLite - using the cert subject as key?

Headers inserted into email message

  • X-SSLSigCheck-signed: Yes or No. If No, no other headers are added to the email message. Check for the content type "application/x-pkcs7-signature". Do not check recursively: that would check for sigs in an attached valid email message.
  • X-SSLSigCheck-valid: Yes or No. If No, maybe no other headers are added to the email message. This is from the output of "openssl smime -verify...", which checks that the signature is valid for the message body. A signature might not be valid because we do not have the appropriate CA cert in either cacert bundle. Discussion needed.
  • X-SSLSigCheck-ca: -1, 0 or 1. -1 if the signer of the user cert was found in the untrustedcacerts.pem file ("openssl verify -CAfile .sslsigcheck/cacerts/untrustedcacerts.pem..."). 0 if the CA cert was not in either. 1 if the signer of the user cert was found in the trustedcacerts.pem file ("openssl verify -CAfile .sslsigcheck/cacerts/trustedcacerts.pem...").
  • X-SSLSigCheck-user: -1, 0 or 1. -1 if the user cert is in untrustedusers.pem, 1 if the cert is in trustedusers.pem, 0 if neither. Instead of comparing to the pem files, perhaps this is where a database (or flat file of cert 'subjects') would be useful.

Message Checks

  1. Look for the content type "application/x-pkcs7-signature" in the email message. If not, set X-SSLSigCheck-signed: to 'No', insert it in the message and exit.

  2. Use .sslsigcheck/tmp as place to keep working files. Name temporary files using message id? Use MIME::Tools to grab the smime.p7s file from the message. Use "openssl pkcs7..." to create a pem file from that. We now have a certificate file to use in the other openssl commands.

  3. Run "openssl smime -verify..." to check that the message and signature are actually correct (message not modified). We might need two runs using trusted (which may have all certs) and untrusted (just the cacerts we don't like) CA certificate bundles. Set X-SSLSigCheck-valid appropriately, insert into message and maybe finish if 'No'.

  4. Now from the previous openssl commands, we know if we have the appropriate cacert in our files. Grab the 'issuer' from the user cert, and see if it's in the untrusted file. Set email header appropriately and continue.

  5. Check the actual user cert from the signature against the local files (or the db?). Set header, insert, cleanup and exit.
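
Step 1 and its "do not check recursively" rule, as an added example that is not part of the project's code. It uses Python's standard email package rather than the planned Perl module and MIME::Tools; the function names, the sample messages and the removal of a sender-supplied header are assumptions made for the illustration.

```python
from email import message_from_string
from email.message import Message

SIG_TYPE = "application/x-pkcs7-signature"  # content type named in the README
HEADER = "X-SSLSigCheck-signed"

# Constructed sample: a signed message ("AAAA" stands in for smime.p7s data).
SIGNED = """\
From: alice@example.org
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an unsigned message that attaches the signed one and
# arrives with a forged X-SSLSigCheck-signed header already set.
FORWARDED = (
    "From: bob@example.org\nX-SSLSigCheck-signed: Yes\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b0"\n\n'
    "--b0\nContent-Type: text/plain\n\nsee attached\n"
    "--b0\nContent-Type: message/rfc822\n\n" + SIGNED + "--b0--\n"
)

def has_toplevel_signature(msg: Message) -> bool:
    # Descend through multipart/* containers only. A message/rfc822 part has
    # main type "message", so a signature inside an attached e-mail is ignored.
    if msg.get_content_type() == SIG_TYPE:
        return True
    if msg.get_content_maintype() != "multipart" or not msg.is_multipart():
        return False
    return any(has_toplevel_signature(part) for part in msg.get_payload())

def mark_signed(raw: str) -> Message:
    msg = message_from_string(raw)
    # Assumption (not in the README): drop any value the sender supplied,
    # so only this check decides what the header says.
    del msg[HEADER]
    msg[HEADER] = "Yes" if has_toplevel_signature(msg) else "No"
    return msg
```
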

Standalone Utility

We need to be able to run sslsigcheck standalone to add the user cert to our list of trusted or untrusted users (db?).

We need to add a cacert to one of the bundles (or both) in two ways. 1: with a cacert supplied, and 2: somehow getting the cacert from the internet.

More as I think of them... ;)

Caveats

The openssl commands don't return error codes. :( So a good or bad verify returns 0. We need to check actual command output and do regular expression matching.

The two checks, whether the signature is valid for the message body and whether we have the cacert on hand, might have to be done in the reverse order.

Other Possibilities

Expired certs, I should make some certs that expire in a day or so to see how "openssl smime -verify..." and "openssl verify ..." report this.

Revoked certs. We could try to build in OCSP capability, or give the user the option of downloading CRLs from various CAs. I have not dug too deep into this yet.

Source: README.md, updated 2019-12-27