[MlMt] S/MIME algorithm
Benny Kjær Nielsen
mailinglist at freron.com
Thu Jan 24 07:04:22 EST 2019

On 22 Jan 2019, at 17:02, Jan Münnich wrote:
> Apparently MailMate uses SHA1 for S/MIME signatures:
> Content-Type: multipart/signed;
> boundary="=_MailMate_9C9B7CEB-A063-4594-B53C-4CA40977FBE0_=";
> micalg=sha1;
>
> SHA1 is not considered as secure anymore
> (https://en.wikipedia.org/wiki/SHA-1). I also noticed that Gmail
> doesn't verify SHA1-signed messages anymore: 'The signature uses an
> unsupported algorithm. The digital signature is not valid.'

My memory might be failing me here, but if I remember correctly then I
did look into this a long time ago. I'm not really specifying which
hashing method to use in the code. This is left to the Apple framework
and I *think* this uses whatever is stated by the certificate itself,
but I'm not 100% sure I ever verified that. I did look into how I could
get the hashing method of the certificate and this was (at the time)
ridiculously complicated. The idea was that I would then put that in the
Content-Type header, but when I checked Apple Mail it didn't do this. It
had sha1 in the header like above for a certificate which stated sha256.
I'll note to look into it again and see if the above is completely wrong
:-)

> I don't know if you use a macOS library for S/MIME?

I use the one provided by Apple. CMSEncode() is the main function and,
if I remember correctly, it provides no way to control the hash function
used.

> A test from iOS Mail used SHA256:
> Content-Type: multipart/signed;
> boundary=Apple-Mail-2496A2C0-AD94-4608-8970-57B8A409367C;
> protocol="application/pkcs7-signature"; micalg=sha-256

Ok, that's good to know.

--
Benny
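
Added example, not part of the original message and not MailMate or Apple code: a small Python check that reads the micalg parameter of multipart/signed messages and flags weak digests, run over the two Content-Type headers quoted in this thread. The function name audit_micalg, the WEAK/STRONG sets and the empty message bodies are assumptions made for the example.

```python
from email import message_from_string

# micalg digest names, normalised by lowercasing and dropping "-" so that
# "sha1" and "sha-1" (or "sha256" and "sha-256") compare equal.
WEAK = {"md5", "sha1"}
STRONG = {"sha224", "sha256", "sha384", "sha512"}

# Content-Type headers quoted in the thread, wrapped in otherwise empty
# messages constructed for this example.
MAILMATE_SAMPLE = (
    "Content-Type: multipart/signed;\n"
    ' boundary="=_MailMate_9C9B7CEB-A063-4594-B53C-4CA40977FBE0_=";\n'
    " micalg=sha1;\n\n"
)
IOS_SAMPLE = (
    "Content-Type: multipart/signed;\n"
    " boundary=Apple-Mail-2496A2C0-AD94-4608-8970-57B8A409367C;\n"
    ' protocol="application/pkcs7-signature"; micalg=sha-256\n\n'
)

def audit_micalg(raw_message):
    """Return (micalg value, verdict) for every multipart/signed part.

    Only the declared micalg is checked; the digest actually used is
    recorded inside the CMS signature, which this function does not parse.
    """
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "multipart/signed":
            continue
        value = part.get_param("micalg")
        if value is None:
            findings.append((None, "missing"))
            continue
        # micalg may carry a comma-separated list; one weak entry is enough.
        names = [n.strip().lower().replace("-", "") for n in value.split(",")]
        if any(n in WEAK for n in names):
            verdict = "weak"
        elif all(n in STRONG for n in names):
            verdict = "ok"
        else:
            verdict = "unknown"
        findings.append((value, verdict))
    return findings

if __name__ == "__main__":
    for name, sample in (("MailMate", MAILMATE_SAMPLE), ("iOS Mail", IOS_SAMPLE)):
        print(name, audit_micalg(sample))
```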