RC 1.2.1 - Enigma signed e-mail validation failure


sgironella

Hi. I’m facing a strange behaviour on the latest RC version.

I’ve enabled the Enigma plugin and I’m able to create my key pairs, sign and encrypt messages.

The strange thing is I couldn’t verify signed messages at all, even if decryption is perfectly working.

I’ve debugged the GPG class (vendor/pear-pear.php.net/Crypt_GPG/Crypt/GPG.php) to verify what it was doing and why sign validation always fails.



Within the _sign() method, I’ve added the following lines to log what it was going to sign:

$rc = rcmail::get_instance();
$rc->console('---------------------------------');
$rc->console('SIGN INPUT');
$rc->console($input);
$rc->console('---------------------------------');



Same thing within the _verify() method, to log what it is going to verify:

$rc = rcmail::get_instance();
$rc->console('---------------------------------');
$rc->console('VERIFY INPUT');
$rc->console($input);
$rc->console('---------------------------------');
$rc->console('VERIFY SIGNATURE');
$rc->console($signature);
$rc->console('---------------------------------');


Here is my full output for the sequence:

  1. user sends a new signed email to himself
  2. user goes to inbox and opens the signed e-mail

I’ve noticed that the signed message has an extra newline between main headers and body (take a look at the highlighted rows) so I think that’s why sign verification fails (content doesn’t match with original message).


[27-Jul-2016 15:10:38 +0200]: <cmnloql4> ---------------------------------
[27-Jul-2016 15:10:38 +0200]: <cmnloql4> SIGN INPUT
[27-Jul-2016 15:10:38 +0200]: <cmnloql4> Content-Type: multipart/alternative;
 boundary="=_944cbd90b0d51928ff049222817a4b03"

--=_944cbd90b0d51928ff049222817a4b03
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

This is an HTML content...
--=_944cbd90b0d51928ff049222817a4b03
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<p>This is an HTML content...</p>
</body></html>

--=_944cbd90b0d51928ff049222817a4b03--


[27-Jul-2016 15:10:38 +0200]: <cmnloql4> ---------------------------------
[27-Jul-2016 15:10:45 +0200]: <cmnloql4> ---------------------------------
[27-Jul-2016 15:10:45 +0200]: <cmnloql4> VERIFY INPUT
[27-Jul-2016 15:10:45 +0200]: <cmnloql4> Content-Type: multipart/alternative;
 boundary="=_944cbd90b0d51928ff049222817a4b03"


--=_944cbd90b0d51928ff049222817a4b03
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

This is an HTML content...
--=_944cbd90b0d51928ff049222817a4b03
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<p>This is an HTML content...</p>
</body></html>

--=_944cbd90b0d51928ff049222817a4b03--


[27-Jul-2016 15:10:45 +0200]: <cmnloql4> ---------------------------------
[27-Jul-2016 15:10:45 +0200]: <cmnloql4> VERIFY SIGNATURE
[27-Jul-2016 15:10:45 +0200]: <cmnloql4> -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

[27-Jul-2016 15:10:45 +0200]: <cmnloql4> ---------------------------------



Is anyone facing the same issue?

Maybe it’s not an Enigma related issue but a Roundcube behaviour because it happens even on not signed e-mails (but in this case it doesn't bother at all).

Any help would be really appreciated.

Thanks.

 

Stefano


_______________________________________________
Roundcube Development discussion mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/dev

Re: RC 1.2.1 - Enigma signed e-mail validation failure

A.L.E.C
On 07/27/2016 04:11 PM, [hidden email] wrote:
> I’ve noticed that the signed message has an extra newline between main
> headers and body (take a look at the highlighted rows) so I think that’s
> why sign verification fails (content doesn’t match with original message).

Works for me, but I have an idea that it could be some IMAP response
parsing issue or IMAP server issue. Could you provide imap_debug log for
the moment when you open the message?

And this is the relevant part of the code, in case you'd like to work on
this by yourself.

https://github.com/roundcube/roundcubemail/blob/release-1.2/plugins/enigma/lib/enigma_engine.php#L1185-L1187

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer        [http://kolab.org]
Roundcube Webmail Developer  [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

Re: RC 1.2.1 - Enigma signed e-mail validation failure

sgironella

Enabled IMAP and SMTP debug (see attachments) and tested against a DBMail internal mail server and an external one (GMail to simplify test repeatability).

Attached files are related to the GMail session.

As you can see, the IMAP response differs on main mime part headers structure, so I think that's the reason for sign verification failure.

Any idea on how to fix this?

Thanks!

Stefano

 

SMTP log

....... cut .......

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

--=_12a667e67cfa1dc2752a3a26a0315da3
Content-Type: multipart/mixed;
 boundary="=_6252574eb3ef7a89798cdb7924177af2"

....... cut .......

 

IMAP log (response)

....... cut .......

[28-Jul-2016 10:23:17 +0200]: <ml905lhg> [17EE] C: A0008 UID FETCH 9460 (BODY.PEEK[1.MIME])
[28-Jul-2016 10:23:17 +0200]: <ml905lhg> [17EE] S: * 31 FETCH (UID 9460 BODY[1.MIME] {80}
[28-Jul-2016 10:23:17 +0200]: <ml905lhg> [17EE] S: Content-Type: multipart/mixed; boundary="=_6252574eb3ef7a89798cdb7924177af2"
[28-Jul-2016 10:23:17 +0200]: <ml905lhg> [17EE] S:
[28-Jul-2016 10:23:17 +0200]: <ml905lhg> [17EE] S: )
[28-Jul-2016 10:23:17 +0200]: <ml905lhg> [17EE] S: A0008 OK Success
[28-Jul-2016 10:23:17 +0200]: <ml905lhg> [17EE] C: A0009 UID FETCH 9460 (BODY.PEEK[1])

....... cut .......

 

Parsed IMAP response

....... cut .......

Content-Type: multipart/mixed; boundary="=_6252574eb3ef7a89798cdb7924177af2"

....... cut .......

 

 

 


Attachments:
console.log (8K)
imap_response.log (13K)
smtp_send.log (6K)
imap_send.log (6K)

Re: RC 1.2.1 - Enigma signed e-mail validation failure

A.L.E.C
On 07/28/2016 10:54 AM, [hidden email] wrote:
> Enabled IMAP and SMTP debug (see attachments) and tested against a
> DBMail internal mail server and an external one (GMail to simplify test
> repeatability).
>
> Attached files are related to the GMail session.
>
> As you can see, IMAP response differs on main mime part headers
> structure, so I think that's the reason for sign verification failure.

I created a ticket for this issue
https://github.com/roundcube/roundcubemail/issues/5371

I don't see a simple workaround now, we'd need to get the whole signed
message body and parse it instead of fetching headers and body of the
first part separately. I'll take a look at this over the weekend.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer        [http://kolab.org]
Roundcube Webmail Developer  [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl
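
The approach described in the message above, as an added example that is not part of the thread or of Roundcube's code: the signed part is sliced byte for byte out of the raw message instead of being reassembled from separately fetched headers and body. The sample message, its boundary strings and the function names are constructed for illustration, and a SHA-256 digest stands in for the OpenPGP signature check, since both cover the exact byte string.

```python
import hashlib
import re

# Constructed sample (boundaries and text are made up). The inner Content-Type
# header is folded, as in the SMTP log quoted in the thread.
SIGNED_PART = (b'Content-Type: multipart/mixed;\r\n boundary="inner"\r\n\r\n'
               b'--inner\r\nContent-Type: text/plain; charset=US-ASCII\r\n\r\n'
               b'Hello\r\n--inner--\r\n')
RAW = (b'Content-Type: multipart/signed; micalg=pgp-sha1;\r\n'
       b' protocol="application/pgp-signature"; boundary="outer"\r\n\r\n'
       b'This is an OpenPGP/MIME signed message (RFC 4880 and 3156)\r\n'
       b'\r\n--outer\r\n' + SIGNED_PART +
       b'\r\n--outer\r\nContent-Type: application/pgp-signature\r\n\r\n'
       b'(detached signature goes here)\r\n--outer--\r\n')
# The two separately fetched pieces; the server returns the header unfolded,
# as in the BODY[1.MIME] response in the thread's IMAP log.
IMAP_MIME = b'Content-Type: multipart/mixed; boundary="inner"\r\n\r\n'
IMAP_BODY = SIGNED_PART.split(b'\r\n\r\n', 1)[1]

def outer_boundary(raw: bytes) -> bytes:
    """Boundary parameter of the top-level header, which may be folded."""
    head = re.sub(rb'\r\n[ \t]+', b' ', raw.split(b'\r\n\r\n', 1)[0])
    match = re.search(rb'boundary="([^"]+)"', head)
    if match is None:
        raise ValueError('no quoted boundary parameter in top-level header')
    return match.group(1)

def signed_part_from_raw(raw: bytes) -> bytes:
    """Slice the first body part out of the raw message, byte for byte.
    The CRLF before a delimiter line belongs to the delimiter (RFC 2046)."""
    delim = b'\r\n--' + outer_boundary(raw)
    start = raw.index(delim + b'\r\n') + len(delim) + 2
    return raw[start:raw.index(delim, start)]

def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 if the strings are equal."""
    if a == b:
        return -1
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                min(len(a), len(b)))

def digest(data: bytes) -> str:
    # Stand-in for the signature check: both cover the exact byte string.
    return hashlib.sha256(data).hexdigest()

if __name__ == '__main__':
    rebuilt = IMAP_MIME + IMAP_BODY
    print('sliced from raw :', digest(signed_part_from_raw(RAW)) == digest(SIGNED_PART))
    print('rebuilt via IMAP:', digest(rebuilt) == digest(SIGNED_PART))
    print('first differing byte at offset', first_difference(SIGNED_PART, rebuilt))
```

Running `first_difference` over the logged VERIFY INPUT and the raw source of the same message points at the exact byte where a reassembled part departs from what was signed.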

Re: RC 1.2.1 - Enigma signed e-mail validation failure

Andrea Brancatelli

Hello Alec,

Just as a confirmation of your hypothesis, if you look at the raw source of the message within Roundcube (Action -> show source) its layout is different from the one that gets thrown at gpg.

This is the very same mail:

Raw source:

[....]

Message-ID: <[hidden email]>
X-Sender: [hidden email]
User-Agent: Roundcube Webmail/1.2.1

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

--=_ad16315c31f34b75fe12de9a5f6ff9c3
Content-Type: multipart/mixed;
 boundary="=_0c2026a878accfb67f4729bf2f2a522d"

--=_0c2026a878accfb67f4729bf2f2a522d
Content-Type: multipart/alternative;
 boundary="=_4f6a45d8f3d31b8528676bb2b9630c46"

--=_4f6a45d8f3d31b8528676bb2b9630c46
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

[...]

 

Console LOG:

[...]

[28-Jul-2016 15:19:22 +0200]: <s4r01i4d> ---------------------------------
[28-Jul-2016 15:19:22 +0200]: <s4r01i4d> VERIFY INPUT
[28-Jul-2016 15:19:22 +0200]: <s4r01i4d> Content-Type: multipart/mixed; boundary="=_0c2026a878accfb67f4729bf2f2a522d"^M
^M
--=_0c2026a878accfb67f4729bf2f2a522d^M
Content-Type: multipart/alternative;^M
boundary="=_4f6a45d8f3d31b8528676bb2b9630c46"^M
^M
--=_4f6a45d8f3d31b8528676bb2b9630c46^M
Content-Transfer-Encoding: 7bit^M
Content-Type: text/plain; charset=US-ASCII^M
^M
Mail firmata mandata tramite potassio.^M
--=_4f6a45d8f3d31b8528676bb2b9630c46^M
Content-Transfer-Encoding: quoted-printable^M
Content-Type: text/html; charset=UTF-8^M

[...]

---
Andrea Brancatelli
Schema31 S.p.a.
IT Manager
ROMA - BO - FI - PA ITALY Tel: +39.06.98.358.472 Cell: +39.331.2488468 Fax: +39.055.71.880.466 A company of the SC31 ITALIA Group

 
