Bug 618500

Summary: S/MIME signing does not work
Product: [Fedora] Fedora
Component: m2crypto
Version: 13
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: low
Priority: low
Reporter: Maximiliano Bertacchini <maxiberta>
Assignee: Miloslav Trmač <mitr>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: mitr
Fixed In Version: m2crypto-0.21.1-3.fc15
Doc Type: Bug Fix
Last Closed: 2011-04-15 21:28:39 UTC
Bug Depends On: 691513

Description Maximiliano Bertacchini 2010-07-27 05:27:01 UTC
Description of problem:
Signing an S/MIME message generates a truncated message without any signature. Tried on fc13 i686 and x86_64 and got the same result. However, it works in Ubuntu 10.04 with package version python-m2crypto-0.20.1.

Version-Release number of selected component (if applicable):
m2crypto-0.20.2-7.fc13

How reproducible:
Follow this tutorial up to the "Sign" section:
http://sandbox.rulemaker.net/ngps/m2/howto.smime.html

Steps to Reproduce:
1. Generate some example keys and certificates:
openssl req -newkey rsa:1024 -nodes -x509 -days 365 -out signer.pem
mv privkey.pem signer_key.pem

2. Run the following Python script:
    from M2Crypto import BIO, Rand, SMIME

    def makebuf(text):
        return BIO.MemoryBuffer(text)

    # Make a MemoryBuffer of the message.
    buf = makebuf('a sign of our times')

    # Seed the PRNG.
    Rand.load_file('randpool.dat', -1)

    # Instantiate an SMIME object; set it up; sign the buffer.
    s = SMIME.SMIME()
    s.load_key('signer_key.pem', 'signer.pem')
    p7 = s.sign(buf)

    # Recreate buf.
    buf = makebuf('a sign of our times')

    # Output p7 in mail-friendly format.
    out = BIO.MemoryBuffer()
    out.write('From: sender\n')
    out.write('To: recipient\n')
    out.write('Subject: M2Crypto S/MIME testing\n')
    s.write(out, p7, buf)

    print out.read()
  

Actual results:

From: sender
To: recipient
Subject: M2Crypto S/MIME testing
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----03D6C4E70DC75EF73B1EC56752C7DB8D"

This is an S/MIME signed message

------03D6C4E70DC75EF73B1EC56752C7DB8D
a sign of our times


Expected results:

From: sender
To: recipient
Subject: M2Crypto S/MIME testing
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----3F7BF7C54B3B0FC83AA1763644002CC8"

This is an S/MIME signed message

------3F7BF7C54B3B0FC83AA1763644002CC8
a sign of our times
------3F7BF7C54B3B0FC83AA1763644002CC8
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"


------3F7BF7C54B3B0FC83AA1763644002CC8--

Comment 1 Miloslav Trmač 2010-07-27 17:49:53 UTC
Thanks for your report.

I'm afraid the HOWTO is incorrect, at least for current versions of OpenSSL.

Both "s.sign" and "s.write" must use the same value of the SMIME.PKCS7_DETACHED flag; passing a third argument to SMIME.write implies SMIME.PKCS7_DETACHED.

I get something looking like the expected result after replacing the "s.sign" line
with
   p7 = s.sign(buf, SMIME.PKCS7_DETACHED)


Scripts from the howto are shipped in the m2crypto package and should be fixed; I'll keep this bug open to track that.
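
Added example (not part of the original report or of M2Crypto): a structural check, using only Python's standard `email` module, that tells the truncated output from the description apart from a complete `multipart/signed` message before it is sent. The function name, the shortened boundary and the placeholder signature body are assumptions made for illustration; the check inspects MIME structure only and does not verify the PKCS#7 signature.

```python
import email
from email.errors import CloseBoundaryNotFoundDefect

# Constructed sample shaped like the report's "Actual results" (boundary shortened).
TRUNCATED = (
    "From: sender\nTo: recipient\nSubject: M2Crypto S/MIME testing\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; '
    'micalg="sha1"; boundary="----B1"\n\n'
    "This is an S/MIME signed message\n\n"
    "------B1\n"
    "a sign of our times\n"
)
# Constructed sample shaped like "Expected results"; "AAAA" is placeholder
# base64, not a real PKCS#7 signature.
COMPLETE = TRUNCATED + (
    "------B1\n"
    'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="smime.p7s"\n\n'
    "AAAA\n\n"
    "------B1--\n"
)


def check_signed_structure(raw):
    """Return a list of structural problems; an empty list means none found."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return ["top-level type is not multipart/signed"]
    problems = []
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        problems.append("expected 2 parts (content + signature), found %d" % len(parts))
    else:
        sig = parts[1]
        # The signature part must carry the type announced in "protocol".
        if sig.get_content_type() != msg.get_param("protocol"):
            problems.append("second part does not match the protocol parameter")
        if not sig.get_payload(decode=True):
            problems.append("signature part is empty")
    # The parser records a defect when the final "--boundary--" line is absent.
    if any(isinstance(d, CloseBoundaryNotFoundDefect) for d in msg.defects):
        problems.append("closing boundary missing")
    return problems


if __name__ == "__main__":
    for name, raw in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        print(name, check_signed_structure(raw))
```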

Comment 2 Maximiliano Bertacchini 2010-07-27 18:39:08 UTC
That fixed the issue. Thanks!

Comment 3 Miloslav Trmač 2011-03-28 17:55:15 UTC
Patch submitted upstream:
https://bugzilla.osafoundation.org/show_bug.cgi?id=13020

Comment 4 Fedora Update System 2011-04-05 22:07:08 UTC
m2crypto-0.21.1-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/m2crypto-0.21.1-3.fc15

Comment 5 Fedora Update System 2011-04-07 02:19:52 UTC
Package m2crypto-0.21.1-3.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing m2crypto-0.21.1-3.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/m2crypto-0.21.1-3.fc15
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-04-15 21:28:33 UTC
m2crypto-0.21.1-3.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2011-05-20 16:20:35 UTC
python26-m2crypto-0.21.1-5.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/python26-m2crypto-0.21.1-5.el5

Comment 8 Fedora Update System 2011-06-15 14:59:05 UTC
python26-m2crypto-0.21.1-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.