S/MIME signature: "Content-Type: text/plain" added to message (39.0.0) #8298
Comments
Thanks for the report. This is our bug. In 39 we rewrote part of the S/MIME code and introduced this issue. We canonicalize the input in text mode (which consists of converting line endings to
We'll get a fix up soon.
I'm not sure I understand why our verification tests still pass here.
They pass because we sign the right thing but embed the wrong thing into the larger smime payload and then the verify call doesn't use what's in the smime payload. The test is tests/hazmat/primitives/test_pkcs7.py lines 495 to 506 at d90ed2b (https://github.com/pyca/cryptography/blob/d90ed2b2bc6d02720191d6449be098451677b3fd/tests/hazmat/primitives/test_pkcs7.py#L495-L506), but it should be:

```python
import email.parser

assert sig_pem.count(b"text/plain") == 1
# Parse the message to get the signed data, which is the
# first payload in the message
message = email.parser.BytesParser().parsebytes(sig_pem)
signed_data = message.get_payload()[0].as_bytes()
_pkcs7_verify(...)
```

Either of the changes to the test above would have caught this bug.
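The two checks proposed for the test above (count the `text/plain` occurrences, then pull the first part of the `multipart/signed` message, because that is the only thing a verifier such as `openssl smime -verify` digests) can be exercised without a real signature. The following is an added, stand-alone example written for this issue; it is not code from the cryptography project or from anyone in the thread. The two messages are constructed: the first has the layout of a healthy `Encoding.SMIME` output, the second reproduces the symptom reported in the issue (a second `Content-Type: text/plain` header landing inside the signed part), and the `smime.p7s` body is a base64 placeholder rather than a PKCS#7 blob. The parsing uses `email.policy.SMTP` so that re-serializing the first part keeps the CRLF line endings S/MIME canonicalization requires.

```python
import email.parser
import email.policy

# Constructed samples (not real signatures): the multipart/signed layout that
# S/MIME signing produces, with a placeholder where the base64 PKCS#7 blob goes.
_HEAD = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; protocol=\"application/x-pkcs7-signature\";"
    b" micalg=\"sha-256\"; boundary=\"----BOUNDARY\"\r\n"
    b"\r\n"
    b"This is an S/MIME signed message\r\n"
    b"\r\n"
    b"------BOUNDARY\r\n"
)
_TAIL = (
    b"------BOUNDARY\r\n"
    b"Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"smime.p7s\"\r\n"
    b"\r\n"
    b"UExBQ0VIT0xERVI=\r\n"  # base64("PLACEHOLDER"), not a signature
    b"------BOUNDARY--\r\n"
)

# Healthy message: exactly one text/plain header, then the canonical text.
GOOD_MSG = _HEAD + b"Content-Type: text/plain\r\n\r\nhello world\r\n" + _TAIL

# Constructed reproduction of the reported symptom: the canonicalized text
# (which already begins with the header) was embedded under a second header.
BAD_MSG = (
    _HEAD
    + b"Content-Type: text/plain\r\n\r\n"
    + b"Content-Type: text/plain\r\n\r\nhello world\r\n"
    + _TAIL
)


def extract_signed_content(raw: bytes) -> bytes:
    """Return the exact bytes a verifier checks the signature against.

    In multipart/signed (RFC 1847) the first body part, headers included, is
    the signed data and the second part carries the detached signature.
    """
    message = email.parser.BytesParser(policy=email.policy.SMTP).parsebytes(raw)
    if message.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    parts = message.get_payload()
    if len(parts) != 2:
        raise ValueError("multipart/signed must carry exactly two parts")
    # as_bytes() under the SMTP policy re-emits the part with CRLF endings.
    return parts[0].as_bytes()


def audit_signed_message(raw: bytes) -> dict:
    """Run the two checks from the proposed test fix on a raw S/MIME message.

    A signed part whose *body* starts with a MIME header line is the tell-tale
    of the duplicated Content-Type: what was digested and what was shipped
    differ, so any verifier recomputing the digest over this part will fail.
    """
    signed = extract_signed_content(raw)
    headers, _, body = signed.partition(b"\r\n\r\n")
    return {
        "text_plain_count": raw.count(b"text/plain"),
        "signed_headers": headers,
        "body_starts_with_mime_header": body.lower().startswith(b"content-type:"),
    }


if __name__ == "__main__":
    for label, msg in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        print(label, audit_signed_message(msg))
```

To apply this to a message produced by the library, write the bytes returned by `PKCS7SignatureBuilder.sign(Encoding.SMIME, ...)` to a file, pass them to `audit_signed_message`, and confirm `text_plain_count` is 1 before handing the same file to `openssl smime -verify`; a count of 2 together with `body_starts_with_mime_header` being true is exactly the state the issue describes.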
Gotcha, thanks.
@reaperhulk Thanks for the answer and explanation!
Hey,

I'm observing a weird behavior when signing with S/MIME since version 39.0.0: it seems like an additional "Content-Type: text/plain" is added to the message after signing it.

My code looks like this:

With cryptography 38.0.4, the relevant part is

and

openssl smime -verify -in /tmp/msg.txt -noverify

is successful.

With cryptography 39.0.0, I get

and the verification with openssl fails. After manually removing the additional "Content-Type: text/plain" from the file, it succeeds again.