Kleopatra shows unknown validity for fully trusted S/MIME certificate in multipart/signed mail
Open, Normal, Public

Description

When testing GpgOL I noticed that one multipart/signed S/MIME mail was displayed in the sent mail folder as invalidly signed when one of the attachments contained a Unicode-6 character.

To check if the mimetreeparser is also affected I saved this mail with KMail to the filesystem and opened it with Kleopatra. There it is shown as valid but the certificates are not shown as validated, even though the root CA is trusted and the user cert is trusted.
So the ticket is about it showing the red box, even though everything is valid when clicking on details:

Here is the mail:

Here is the certificate chain:

Event Timeline

aheinecke created this task.
CarlSchwan moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Fri, Aug 23, 11:12 AM

I can reproduce

Btw. GpgOL also parses the mail as having a bad signature. Also gpgparsemail from gnupg. I wonder if the creation side of that mail is broken or the verification code. :)

gpgparsemail --crypto ~/dev/main/div/S_MIME\ multipart\ signed☃\ attach.mbox
.From: Andre Heinecke <andre@heinecke.or.at>
.To: berta.boss@demo.gnupg.com, edward.tester@demo.gnupg.com,
. andre.heinecke@demo.gnupg.com
.Subject: S/MIME multipart =?UTF-8?B?c2lnbmVk4piD?= attach
.Date: Fri, 23 Aug 2024 10:32:57 +0200
.Message-ID: <6852800.4vTCxPXJkl@esus>
.X-KMail-Identity: 2136111546
.X-KMail-Transport: 598470833
.X-KMail-Fcc: 31
.X-KMail-Identity-Name: Andre
.X-KMail-Transport-Name: heinecke
.MIME-Version: 1.0
.Content-Type: multipart/signed; boundary="nextPart3705879.V25eIC5XRa";
. micalg="sha256"; protocol="application/pkcs7-signature"
h media: multipart signed
h signed.protocol: application/pkcs7-signature
b down
b part
:--nextPart3705879.V25eIC5XRa
c begin_hash
.Content-Type: multipart/mixed; boundary="nextPart39334019.10thIPus4b"
.Content-Transfer-Encoding: 7Bit
h media:   multipart mixed
b down
b part
:--nextPart39334019.10thIPus4b
.Content-Transfer-Encoding: 7Bit
.Content-Type: text/plain; charset="utf-8"
h media:     text plain
 Hello
b part
:--nextPart39334019.10thIPus4b
.Content-Disposition: attachment; filename*=UTF-8''edward%20%E2%98%83%2Etxt
.Content-Transfer-Encoding: 7Bit
.Content-Type: text/plain; charset="x-UTF_8J";
. name*=utf-8''edward%20%E2%98%83%2Etxt
h media:     text plain
 Its snowing
 
b last
b up
:--nextPart39334019.10thIPus4b--
b part
c end_hash
:--nextPart3705879.V25eIC5XRa
.Content-Type: application/pkcs7-signature; name="smime.p7s"
.Content-Disposition: attachment; filename="smime.p7s"
.Content-Transfer-Encoding: base64
h media:   application pkcs7-signature
c begin_signature
 
 
b last
c end_signature
b up
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: enabled debug flags: ipc
gpgsm: enabled compatibility flags:
gpgsm: detached signature
c [GNUPG:] NEWSIG
gpgsm: Signature made 2024-08-23 08:32:57 UTC
gpgsm:                using rsa3072 key C40BF0B05E5F40ED3E630AB27C2C37D32430424E
gpgsm: algorithm: RSA + SHA256
gpgsm: invalid signature: message digest attribute does not match computed one
c [GNUPG:] BADSIG C40BF0B05E5F40ED3E630AB27C2C37D32430424E /CN=Andre2/O=g10code/C=de
secmem usage: 0/16384 bytes in 0 blocks
:--nextPart3705879.V25eIC5XRa--

There are two issues:

Now the message boxes for KMail, MimeTreeParser and Kleopatra are all using the same code in Libkleo.

Second question is why the signature doesn't match the content. The good news is that I was able to reproduce this issue with S/MIME signatures but not OpenPGP signatures, and also with attachments that don't contain Unicode in their name. The resulting MIME content is exactly the same outside of the signature part:

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part.
Content-Transfer-Encoding: 7Bit

for the pgp message

and

Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

for the smime message.

The code responsible for this is here https://invent.kde.org/pim/messagelib/-/blob/master/messagecomposer/src/job/signjob.cpp?ref_type=heads#L169 but I don't see any noticeable difference between non-inline OpenPGP and non-opaque S/MIME.
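
The region that gpgparsemail brackets with begin_hash/end_hash in the trace above is the data covered by gpgsm's "message digest attribute does not match computed one" check. The sketch below is an added example, not code from GnuPG, KMail or this ticket: it recomputes that digest from a saved message so the bytes the composer signed can be compared with the bytes the verifier hashes. The sample message and the function names are constructed, and it assumes a top-level multipart/signed message.

```python
import email
import hashlib
import re

# Constructed sample shaped like the message in the trace; boundaries and
# bodies are made up and the signature part is an empty stub.
SAMPLE = b"""\
Content-Type: multipart/signed; boundary="outer";
 micalg="sha256"; protocol="application/pkcs7-signature"

--outer
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Hello
--inner
Content-Disposition: attachment; filename*=UTF-8''edward%20%E2%98%83%2Etxt
Content-Type: text/plain; charset="utf-8"

Its snowing
--inner--
--outer
Content-Type: application/pkcs7-signature; name="smime.p7s"

--outer--
"""


def signed_part(raw: bytes, boundary: str) -> bytes:
    """First body part of multipart/signed, exactly as it has to be hashed."""
    lines = re.split(rb"\r\n|\r|\n", raw)  # accept LF, CR or CRLF on disk
    delim = b"--" + boundary.encode("ascii")
    marks = [i for i, line in enumerate(lines) if line.rstrip(b" \t") == delim]
    if len(marks) < 2:
        raise ValueError("no delimiter lines around the signed part")
    # Canonical CRLF line endings; the line break in front of the second
    # delimiter belongs to the delimiter and is not part of the hashed data.
    return b"\r\n".join(lines[marks[0] + 1:marks[1]])


def signed_digest(raw: bytes) -> tuple:
    """Return (hash name, hex digest) to compare with the CMS messageDigest."""
    msg = email.message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    # Assumption of this example: fall back to sha256 when micalg is absent.
    algo = str(msg.get_param("micalg", "sha256")).lower().replace("-", "")
    return algo, hashlib.new(algo, signed_part(raw, msg.get_boundary())).hexdigest()
```

Line-ending differences between the stored file and the wire form do not change the result, while any byte-level rewrite of a header or body inside the signed part does, which is the kind of difference to look for between what the composer signed and what it finally wrote out.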