S/MIME: Extracting certificate with multiple email values fails #1196

Closed
urz-hgw opened this issue Jun 16, 2021 · 5 comments · Fixed by #1197
Comments

urz-hgw commented Jun 16, 2021

Version

Tested with version 6.2.40

Installation method

Installed in Debian Buster using default Debian repo

Expected behavior

The signed mail should be accepted by Sympa and delivered to the list members.

Actual behavior

The mail is rejected by sympa with the following error message:

sympa,3,sympa_msg[853]: err main::#243 >
Sympa::Spindle::spin#83 > Sympa::Spindle::ProcessIncoming::_twist#204 >
Sympa::Message::check_smime_signature#1323 Sympa::Message
<destination@listen.example.com.1623673874.9819>: 
Could not extract certificate for mailaddress@example.com

Additional information

The used mailing list only accepts signed mails. The certificate in use has multiple email values due to the fact that each user in our organization has at least one primary and one alternative email address. One of the email values does match the sender address so the verification is correct. When I remove all email aliases from the certificate except the one I use as sender for the mailing list, the mail is correctly delivered to the members.

Best regards
Daniel

ikedas (Member) commented Jun 16, 2021

@urz-hgw , could you please show us any example of the certificate "with multiple email values"?

(Sensitive information, e.g. subject and issuer of the certificate, actual emails in any attributes etc., should be masked.)

urz-hgw (Author) commented Jun 16, 2021

Hi @ikedas

Sure, here is the output of
openssl x509 -in cert.pem -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
        Validity
            Not Before: Jun 16 11:44:10 2021 GMT
            Not After : Jun 15 11:44:10 2024 GMT
        Subject: C = DE, ST = STATE, L = CITY, O = ORGNAME, SN = SN, GN = Daniel, CN = Daniel SN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    ca:0e:db:18:1b:95:3d:37:79:fd:f4:0a:71:b4:37:
                    df:a8:f3:0d:a1:80:2f:0d:a9:2d:c3:f4:73:b5:62:
                    ...
                    ...
                    ...
                    3b:2d:42:f0:6f:80:fc:8b:bf:e1:09:5d:47:80:3d:
                    34:70:eb:06:98:5f:fa:36:8a:6c:b0:02:54:1a:3d:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.22177.300.1.1.4
                Policy: 1.3.6.1.4.1.22177.300.1.1.4.8
                Policy: 1.3.6.1.4.1.22177.300.2.1.4.8

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Key Identifier: 
                BE:0D:A9:40:08:BE:0D:A9:BE:0D:A9:BE:0D:A9:79:57:BE:0D:A9:F2
            X509v3 Authority Key Identifier: 
                keyid:BE:0D:A9:A1:F9:F2:BE:0D:A9:E0:AD:BE:0D:A9:09:1F:E8:BE:0D:A9:

            X509v3 Subject Alternative Name: 
                email:alias1@example.com, email:alias2@example.com
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://cdp1.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl

                Full Name:
                  URI:http://cdp2.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.pca.dfn.de/OCSP-Server/OCSP
                CA Issuers - URI:http://cdp1.pca.dfn.de/dfn-ca-global-g2/pub/cacert/cacert.crt
                CA Issuers - URI:http://cdp2.pca.dfn.de/dfn-ca-global-g2/pub/cacert/cacert.crt

    Signature Algorithm: sha256WithRSAEncryption
         3b:b5:29:77:1b:8b:d5:c1:4e:6b:1d:4d:d2:5d:e7:e2:5f:f6:
         53:94:85:6e:c4:b5:89:0e:b0:dc:84:ef:c6:91:5b:9e:a5:f9:
         ...
         ...
         34:be:ad:69:98:42:a6:0a:61:12:0a:7c:2f:81:c1:da:9b:53:
         3b:b5:29:77:1b:8b:d5:c1:4e:6b
-----BEGIN CERTIFICATE-----
#####
#####
#####
-----END CERTIFICATE-----

The important section is at X509v3 Subject Alternative Name.

Best regards
Daniel
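The failure described in the issue body and the certificate shown above come down to one parsing detail: `openssl x509 -text` prints every rfc822Name of the Subject Alternative Name extension on a single line, separated by commas (`email:alias1@example.com, email:alias2@example.com`), so a check that only ever looks at the first `email:` token, or that expects exactly one, cannot match a sender that appears second. The following Python is an added example written for this page; it is not Sympa's code and not the reporter's. It parses the SAN block out of constructed `openssl x509 -text` output modelled on the certificate above (placeholder addresses), also picks up the legacy `emailAddress` attribute in the Subject DN as a fallback, and checks whether a sender address is bound to the certificate. The comparison is case-insensitive for the whole address, which is a choice made here, not something the page specifies.

```python
import re
from typing import List, Optional

SAN_HEADER = "X509v3 Subject Alternative Name:"

# Constructed sample output (abridged `openssl x509 -text -noout`), modelled on the
# certificate in the issue: two email aliases in the SAN, none in the Subject DN.
MULTI_SAN_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C = DE, ST = STATE, L = CITY, O = ORGNAME, CN = Daniel SN
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Alternative Name:
                email:alias1@example.com, email:alias2@example.com
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://cdp.example.invalid/cacrl.crl
"""

# Constructed: the "single email value" case that must keep working.
SINGLE_SAN_CERT_TEXT = """\
Certificate:
    Data:
        Subject: C = DE, O = ORGNAME, CN = Daniel SN
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:daniel@example.com
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Constructed: older S/MIME certificates carry the address only in the Subject DN.
LEGACY_DN_CERT_TEXT = """\
Certificate:
    Data:
        Subject: C = DE, O = ORGNAME, CN = Legacy User, emailAddress = legacy@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""


def _extension_body(cert_text: str, header: str) -> List[str]:
    """Return the stripped lines that follow an extension header in
    `openssl x509 -text` output. The block ends at the next non-blank line
    that is indented no deeper than the header (i.e. the next extension)."""
    lines = cert_text.splitlines()
    body: List[str] = []
    for i, line in enumerate(lines):
        if line.strip() != header:
            continue
        indent = len(line) - len(line.lstrip())
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue  # blank lines inside a block do not terminate it
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break
            body.append(nxt.strip())
        break
    return body


def san_emails(cert_text: str) -> List[str]:
    """All rfc822Name (email:) entries of the SAN, in certificate order.
    Several names share one line separated by ', ', so split on commas
    before matching; matching only the first 'email:' token would lose
    every alias after it."""
    emails: List[str] = []
    for line in _extension_body(cert_text, SAN_HEADER):
        for item in line.split(","):
            m = re.fullmatch(r"email:(\S+)", item.strip())
            if m:
                emails.append(m.group(1))
    return emails


def subject_email(cert_text: str) -> Optional[str]:
    """Legacy emailAddress attribute of the Subject DN, if present."""
    m = re.search(r"^\s*Subject:.*?\bemailAddress\s*=\s*([^,\s]+)", cert_text, re.M)
    return m.group(1) if m else None


def certificate_emails(cert_text: str) -> List[str]:
    """Every address bound to the certificate: SAN entries first, DN fallback last."""
    emails = san_emails(cert_text)
    legacy = subject_email(cert_text)
    if legacy and legacy not in emails:
        emails.append(legacy)
    return emails


def _normalize(addr: str) -> str:
    # Assumption made here: fold case of local part and domain alike.
    local, _, domain = addr.partition("@")
    return f"{local.lower()}@{domain.lower()}"


def sender_matches_certificate(sender: str, cert_text: str) -> bool:
    """True if the message sender matches any address bound to the certificate."""
    wanted = _normalize(sender)
    return any(_normalize(e) == wanted for e in certificate_emails(cert_text))


if __name__ == "__main__":
    for label, text in (("multi-SAN", MULTI_SAN_CERT_TEXT),
                        ("single-SAN", SINGLE_SAN_CERT_TEXT),
                        ("legacy DN", LEGACY_DN_CERT_TEXT)):
        print(label, certificate_emails(text),
              sender_matches_certificate("alias2@example.com", text))
```

With the multi-SAN sample, `sender_matches_certificate("alias2@example.com", ...)` is true only because the parser splits the SAN line on commas; the single-SAN and legacy-DN samples show the two other shapes a verifier has to accept without regressing.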

@ikedas ikedas added the bug label Jun 17, 2021
@ikedas ikedas self-assigned this Jun 17, 2021
@ikedas ikedas added this to the 6.2.64 milestone Jun 17, 2021
ikedas added a commit to ikedas/sympa that referenced this issue Jun 17, 2021
…ubjectAltName extension in S/MIME certificates be parsed properly (sympa-community#1196)
ikedas (Member) commented Jun 17, 2021

@urz-hgw , could you please apply this patch and check if the problem will be solved (and certificate with single email will also be processed properly)?

urz-hgw (Author) commented Jun 18, 2021

Hi @ikedas

thanks for the immediate patch. I tested it and the problem seems to be solved.
Mails are sent correctly using certificates with single and multiple email values.

ikedas added a commit that referenced this issue Jun 18, 2021
S/MIME: subjectAltName in certificate couldn't be parsed properly (#1196)
ikedas (Member) commented Jun 18, 2021

@urz-hgw , thank you for confirming! This fix will be included in the next stable release, 6.2.64.
