[Gpg4win-devel] Structure of an S/MIME email (Re: Broken claws mail from gpg4win package on the site)

Bernhard Reiter bernhard at intevation.de
Fri Jan 10 09:26:16 CET 2014 

Hi Peter,

On Thursday 09 January 2014 at 23:55:19, Dr. Peter Voigt wrote:
> > Overall it is a good idea in this situation, to try to send an
> > attachment which has the same cryptographic properties, e.g.
> > encrypted to X,Y, signed by Z and then try gpgsm on the saved
> > attachment.
> >
> > You can make it possible to decode the MIME part for a signed
> > messages, but it is not that easy.
>
> Thanks, Bernhard for clarifying this. I just couldn't believe that
> decrypting or verifying an S/MIME mail should be that simple. I quick
> view into the "source code" of an S/MIME mail did not even reveal to me,
> which encoding out of Quoted-printable, Base64 or Radix64 is used for
> which part of the mail.

It is a regular MIME email, so MIME encoding rules apply.
You do see an Content-Transfer-Encoding: header for each MIME part.

Of course inside of the S/MIME part it is going to be CMS.

> Nevertheless, if you should have some minutes left, I would like to get
> a rough insight into this.

There are three versions basically:
a) encrypted email. That is an attachment which properly MIME decoded
give you a binary CMS file that gpgsm can directly decoded.
b) multipart/signed : you get two mime parts, e.g.
  
--===============1838778857==
Content-Type: multipart/signed;
  boundary="nextPart12991707.QleQFXgr9i";
  protocol="application/pkcs7-signature";
  micalg=sha1
Content-Transfer-Encoding: 7bit

--nextPart12991707.QleQFXgr9i
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Wednesday 08 January 2014 at 23:13:05, Cristian Baboi wrote:
> >It would prob
[..]
--nextPart12991707.QleQFXgr9i
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQE
[..]

The smime.p7s attachment is a detached signature for the text/plain part.
If you save the text/plain properly, you could be able to verify it
with gpgsm on the command line. The Problem is: You need to have the right 
line endings, spaces and the end of lines and number of lines. There are some 
rules somewhere probably within the PGP/MIME or S/MIME rfcs.

c) none-mime (aka opaque) signature. Again you have a CMS attachment
and you can directly decode it using gpgsm -d. (It is not encrypted.)

Of course it is possible to have a signature within the encrypted part
again embedded or as a nother mime structure.

> PS.: I cannot verify the signature of your last email for unknown
> reason. Did you recently change your X.509 certificate? 

No my x509 cert is the same since mid 2012.

> I checked it 
> with Claws Mail, Thunderbird and GNU Emacs/Gnus. GNU Emacs/Gnus even
> hangs forever and had to be interrupted leaving me with a plain base64
> message which is very hard to read :-).

Bernhard


-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-devel/attachments/20140110/9e030254/attachment-0001.sig>

More information about the Gpg4win-devel mailing list