[Bug 289677] New: KMail2 S/MIME signed-only emails are formed incorrectly, non-SMIME email clients unable to display them

Nicholas Sushkin nsushkin at sushkins.net
Fri Dec 23 16:22:06 GMT 2011


https://bugs.kde.org/show_bug.cgi?id=289677

           Summary: KMail2 S/MIME signed-only emails are formed
                    incorrectly, non-SMIME email clients unable to display
                    them
           Product: kmail2
           Version: 2.1.1
          Platform: Slackware Packages
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: crypto
        AssignedTo: kdepim-bugs at kde.org
        ReportedBy: nsushkin at sushkins.net


Version:           2.1.1 (using KDE 4.6.5) 
OS:                Linux

When sending an S/MIME clear-signed (signed but not encrypted) message, KMail2
doesn't follow the S/MIME RFC correctly, resulting in non-compliant MIME header
usage. Some mail clients like iPad and Outlook Web Access are unable to show
the email body. They show an empty message with a single smime.p7m attachment.

Per S/MIME RFC 2633 (http://tools.ietf.org/html/rfc2633#section-3.4), there are
two ways to send a signed-only message: application/pkcs7-mime with SignedData,
and multipart/signed. Apparently, KMail2 can send both, controlled by menu
Options/Cryptographic Message Format/SMIME Opaque or (just) SMIME.

The multipart/signed is governed by Section 3.4.3
(http://tools.ietf.org/html/rfc2633#section-3.4.3). 

The RFC provides a sample of a clear-signed email in
http://tools.ietf.org/html/rfc2633#section-3.4.3.3

"""
3.4.3.3 Sample multipart/signed Message


       Content-Type: multipart/signed;
          protocol="application/pkcs7-signature";
          micalg=sha1; boundary=boundary42

       --boundary42
       Content-Type: text/plain

       This is a clear-signed message.

       --boundary42
       Content-Type: application/pkcs7-signature; name=smime.p7s
       Content-Transfer-Encoding: base64
       Content-Disposition: attachment; filename=smime.p7s

       ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
       4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
       n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
       7GhIGfHfYT64VQbnj756

       --boundary42--
"""

However, KMail2 generates the following:

Content-Type: multipart/signed; boundary="nextPart3571509.Xs4gzcKTgc";
micalg="sha1"; protocol="application/pkcs7-signature"
Content-Disposition: attachment; filename="smime.p7m"
Content-Transfer-Encoding: 7Bit


--nextPart3571509.Xs4gzcKTgc
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

This is a clear-signed message
--nextPart3571509.Xs4gzcKTgc
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIILWzCCBN0w
ggPFoAMCAQICEHGS++YZX6xNEoV0cTSiGKcwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCR0Ix
…
kAAAAAAAAA==

--nextPart3571509.Xs4gzcKTgc--



Reproducible: Always

Steps to Reproduce:
(Assuming an identity with a valid S/MIME certificate is configured)
New Message. 
Options/Sign Message - selected
Options/Encrypt Message  - unselected
Options/Formatting (HTML) - unselected
Options/Cryptographic Message Format - S/MIME

In the message body - type "This is a clear-signed message"

Send


Actual Results:  
Content-Type: multipart/signed; boundary="nextPart3571509.Xs4gzcKTgc";
micalg="sha1"; protocol="application/pkcs7-signature"
Content-Disposition: attachment; filename="smime.p7m"
Content-Transfer-Encoding: 7Bit


--nextPart3571509.Xs4gzcKTgc
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

This is a clear-signed message
--nextPart3571509.Xs4gzcKTgc
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIILWzCCBN0w
ggPFoAMCAQICEHGS++YZX6xNEoV0cTSiGKcwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCR0Ix
…
kAAAAAAAAA==

--nextPart3571509.Xs4gzcKTgc--


Expected Results:  
Content-Type: multipart/signed; boundary="nextPart3571509.Xs4gzcKTgc";
micalg="sha1"; protocol="application/pkcs7-signature"
Content-Transfer-Encoding: 7Bit


--nextPart3571509.Xs4gzcKTgc
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

This is a clear-signed message
--nextPart3571509.Xs4gzcKTgc
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIILWzCCBN0w
ggPFoAMCAQICEHGS++YZX6xNEoV0cTSiGKcwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCR0Ix
…
kAAAAAAAAA==

--nextPart3571509.Xs4gzcKTgc--


This bug is a duplicate of Bug 280245, but maybe explains it better.

This bug doesn't cause a crash, but recipients with at least iPad, iPhone, and
Outlook Web are unable to read these messages.

gpg2 developer Werner Koch says it's not a problem with gpg, but a KMail
regression. http://markmail.org/message/li3nvwhg2mh7kv5n
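
The difference between the Actual and Expected headers above, written as a structural check with Python's standard email parser (an added example, not part of the original report and not KMail or RFC code). The function name, the folded header whitespace and the placeholder signature body `AAAA` are constructed for illustration; the header values are the ones shown in the report.

```python
from email import message_from_string

SIG_TYPE = "application/pkcs7-signature"

def clear_signed_findings(raw: str) -> list[str]:
    """Structural findings for the top-level entity of a clear-signed message."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return ["top-level entity is not multipart/signed"]
    findings = []
    if (msg.get_param("protocol") or "").lower() != SIG_TYPE:
        findings.append("protocol parameter is not " + SIG_TYPE)
    # The header that differs between the report's Actual and Expected results.
    if msg.get("Content-Disposition") is not None:
        disp = msg.get_content_disposition()
        fname = msg.get_param("filename", header="content-disposition")
        findings.append(f"top-level Content-Disposition: {disp}; filename={fname}")
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        findings.append("expected exactly two body parts")
    elif parts[1].get_content_type() != SIG_TYPE:
        findings.append("second body part is not " + SIG_TYPE)
    return findings

# Constructed samples: headers from the report, signature replaced by a placeholder.
TOP = ('Content-Type: multipart/signed; boundary="nextPart3571509.Xs4gzcKTgc";\n'
       ' micalg="sha1"; protocol="application/pkcs7-signature"\n')
DISPOSITION = 'Content-Disposition: attachment; filename="smime.p7m"\n'
REST = """\
Content-Transfer-Encoding: 7Bit

--nextPart3571509.Xs4gzcKTgc
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

This is a clear-signed message
--nextPart3571509.Xs4gzcKTgc
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

AAAA

--nextPart3571509.Xs4gzcKTgc--
"""
KMAIL_ACTUAL = TOP + DISPOSITION + REST   # as in "Actual Results"
EXPECTED = TOP + REST                     # as in "Expected Results"

if __name__ == "__main__":
    print(clear_signed_findings(KMAIL_ACTUAL))
    print(clear_signed_findings(EXPECTED))
```

The check looks only at MIME structure; it does not verify the PKCS#7 signature.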
