Getting the raw part from a multipart/signed email #47

Closed
MartijnBraam opened this issue Jun 20, 2017 · 8 comments

@MartijnBraam

I'm trying to build a webmail client using this library that supports PGP messages. The clearsigned emails are easily implemented but I'm having a problem with multipart/signed messages.

To verify the signature I need to get the signature part and the raw first part of the message (including child parts and headers) as a string. I cannot find a method to do this in the library or am I missing something?

@postme

postme commented Jun 21, 2017

Hi Martijn,

you can do the following (copied out of my own code):

/* read email into parser */
$mailParser = new \ZBateson\MailMimeParser\MailMimeParser();
$handle = fopen('php://memory','r+');
fwrite($handle, $input);
rewind($handle);
$message = $mailParser->parse($handle);
fclose($handle);

/* Get the complete body of the email (including attachments) for signing */
$message->setAsMultipartSigned('pgp-sha256', 'application/pgp-signature');
$contentToSign = $message->getSignableBody();

// TO DO: Create your PGP signature and put the resulting signature into $signature

/* Add signature to message */
$message->createSignaturePart($signature);

/* Dump complete message, including signed mime part */
$signedEmail = $message->__toString();

That should do the trick (at least it works for me)

Kind regards
Meint

@MartijnBraam
Author

I'm trying to do the reverse, I get something that looks right now with:

$contents = $parsed->getSignableBody();
$signature = $parsed->getSignaturePart()->getContent();
$valid = $this->verifyPGP($contents, $signature);

But I get a bad signature from gpg now so something is off. Enigmail in Thunderbird verifies this e-mail fine.

@postme

postme commented Jun 21, 2017

Ah, sorry didn't read that right.
There's no getSignaturePart() function, only a createSignaturePart.

What you could do is get all attachment parts with getAllAttachmentParts(), loop through the collection of attachment parts and get the content-type header of each content part until you find the attachment part with the header that matches with application/pgp-signature or application/pgp-encrypted and then extract that mime part.

There are a couple of examples in the closed issues that will give you the basic code for getting the attachments and looping through them.

@MartijnBraam
Author

There is a getSignaturePart it seems

    /**
     * Returns the signed part or null if not set.
     * 
     * @return \ZBateson\MailMimeParser\Message\MimePart
     */
    public function getSignaturePart()
    {
        return $this->getChild(0, new PartFilter([ 'signedpart' => PartFilter::FILTER_INCLUDE ]));
    }

The result I get from my function calls above is:

array(2) {
  ["text"]=>
  string(434) "Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

[removed text]"
  ["signature"]=>
  string(199) "-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

[the signature]
-----END PGP SIGNATURE-----

"
}

For some reason it's still not working when I decode it with gpg --verify signature.txt text.txt

@postme

postme commented Jun 21, 2017

Hey that's news to me :-)

Is the email that contains the signature quoted-printable encoded? If so is the test.txt file you're using also in quoted-printable? In other words are email source and verification source exactly the same?

Other issue might be newlines when getting the signature part, perhaps trim the result of getSignaturePart?

@zbateson
Owner

Hi @MartijnBraam --

Unfortunately 'getSignableBody' is to retrieve the content part of the body assuming you 'want to sign' the email, rather than 'you want to verify'. The difference being that it uses the same 'write' functions used to write out the email (to guarantee the results are the same after being signed). The write functions however don't guarantee the results to be the same as what was /read/ in the email -- so it may trim extra whitespace or change the email from using "\n" to "\r\n" for instance. More destructively, it reads encoded data and re-encodes it as it writes -- so the resulting quoted-printable may look completely different from what the email originally contained.

So unfortunately as it is, you can't get the results you'd like directly using MMP. Thinking about this, it should be relatively easy to add though -- I'm already looking at boundaries and using them to create 'part streams' derived from the original stream and attaching decoder streams, etc... I think without too much difficulty I should be able to include a stream containing 'original part contents' for that very purpose. I'll give it some thought -- I'm hoping to have a release for a few fixes (latest HHVM breaking) early-to-mid July.

In the meantime unfortunately you'd have to find the content part yourself to verify it using the original stream.

All the best,
Zaahid
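
What "find the content part yourself ... using the original stream" can look like, as an added example that is not MailMimeParser code and not written by anyone in this thread. `extractSignedPart` is a hypothetical helper that handles only a top-level multipart/signed message, and the sample message is constructed:

```php
<?php
// Added example (not MailMimeParser code): cut the signed part out of the raw bytes.
function extractSignedPart(string $raw): ?array
{
    // Top-level headers end at the first empty line.
    if (!preg_match('/\r?\n\r?\n/', $raw, $m, PREG_OFFSET_CAPTURE)) {
        return null;
    }
    $headers = preg_replace('/\r?\n[ \t]+/', ' ', substr($raw, 0, $m[0][1])); // unfold
    $body = substr($raw, $m[0][1] + strlen($m[0][0]));
    $ctPattern = '/^Content-Type:\s*multipart\/signed\b.*?\bboundary=(?:"([^"]+)"|([^;\s]+))/im';
    if (!preg_match($ctPattern, $headers, $ct)) {
        return null;
    }
    $boundary = $ct[1] !== '' ? $ct[1] : $ct[2];
    // A delimiter is a whole line; the line break before it belongs to it (RFC 2046).
    $delim = '/(?:^|\r?\n)' . preg_quote('--' . $boundary, '/') . '(?:--)?[ \t]*(?:\r?\n|$)/';
    if (preg_match_all($delim, $body, $hits, PREG_OFFSET_CAPTURE) < 3) {
        return null;
    }
    [$d1, $d2, $d3] = $hits[0];
    $start = $d1[1] + strlen($d1[0]);
    $signed = substr($body, $start, $d2[1] - $start); // part headers + still-encoded body
    $start = $d2[1] + strlen($d2[0]);
    $sigPart = preg_split('/\r?\n\r?\n/', substr($body, $start, $d3[1] - $start), 2);
    return [
        // RFC 3156: the signature covers the part with CRLF line endings.
        'signed'    => preg_replace('/\r\n|\r|\n/', "\r\n", $signed),
        'signature' => $sigPart[1] ?? '',
    ];
}

// Constructed sample message with LF line endings; the signature is a placeholder.
$raw = implode("\n", [
    'Content-Type: multipart/signed; micalg=pgp-sha256;',
    ' protocol="application/pgp-signature"; boundary="b1"',
    '',
    '--b1',
    'Content-Type: text/plain; charset=utf-8',
    'Content-Transfer-Encoding: quoted-printable',
    '',
    'caf=C3=A9',
    '--b1',
    'Content-Type: application/pgp-signature',
    '',
    '[placeholder signature]',
    '--b1--',
    '',
]);
var_dump(extractSignedPart($raw));
```

Writing `signed` to text.txt and `signature` to signature.txt gives the two inputs for the `gpg --verify signature.txt text.txt` call used earlier in the thread. Nothing is decoded or re-encoded on the way, so the quoted-printable body reaches gpg as it was sent.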

@MartijnBraam
Author

Thanks for the explanation. For now my clearsign verification works so I'll focus on writing encrypted / signed email first.

@zbateson
Owner

Hi @MartijnBraam --

I released a solution for this. In 0.4.4 there's a new Message::getOriginalMessageStringForSignatureVerification that returns the 'signed' part of the original message that you should be able to use to verify the signature part returned in getSignaturePart.

All the best,
Zaahid
