signing multipart email


by Tomas Vojtech

Hello,
I have a problem with signing multipart mail. If I try to send a simple
signed mail, it is delivered and Thunderbird says it's signed and correct.
But if I send a multipart mail, it is delivered but Thunderbird says the
mail was signed but the signature doesn't match the content. Where's the
problem? Is it possible to sign multipart mail? I have the same problem if
I use javamail-crypto with the BC provider or only BC.

Code that does sending:
    public void test() throws MessagingException {
        Properties props = new Properties();
        Session session = Session.getInstance(props);
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress("test@..."));
        msg.setRecipient(Message.RecipientType.TO, new InternetAddress("tom.vojtech@..."));
        msg.setSubject("Testovaci podepsany mail");

        // create and fill the first message part
        MimeBodyPart mbp1 = new MimeBodyPart();
        mbp1.setText("Text testovaciho podepsaneho mailu");
        msg.setContent("Testovaci podepsany mail", "text/plain");

        // create the second message part
        MimeBodyPart mbp2 = new MimeBodyPart();

        // attach the file to the message
        FileDataSource fds = new FileDataSource(new File("oracle_prereq.sh"));
        mbp2.setDataHandler(new DataHandler(fds));
        mbp2.setFileName(fds.getName());

        // create the Multipart and add its parts to it
        Multipart mp = new MimeMultipart();
        mp.addBodyPart(mbp1);
        mp.addBodyPart(mbp2);

        // add the Multipart to the message
        msg.setContent(mp);

        // set the Date: header
        msg.setSentDate(new Date());
        msg.saveChanges();

        msg = signMessage(msg, session);

        Transport transport = session.getTransport("smtp");
        transport.connect("smtp.server", null, null);

        transport.sendMessage(msg, msg.getAllRecipients());
    }

    protected MimeMessage signMessage(MimeMessage mimeMessage, Session session) throws MailException {
        try {
            // Getting of the S/MIME EncryptionUtilities.
            EncryptionUtils encUtils = EncryptionManager.getEncryptionUtils(EncryptionManager.SMIME);

            // Loading of the S/MIME keystore from the file (stored as resource).
            char[] keystorePass = getCertificatePassword().toCharArray();
            EncryptionKeyManager encKeyManager = encUtils.createKeyManager();
            encKeyManager.loadPrivateKeystore(getClass().getResourceAsStream("aaa.p12"), keystorePass);

            // Getting of the S/MIME private key for signing.
            Key privateKey = encKeyManager.getPrivateKey(getPrivateKeyAlias(), keystorePass);

            // Signing the message.
            return encUtils.signMessage(session, mimeMessage, privateKey);
        } catch (Exception e) {
            throw new MailPreparationException(e);
        }
    }

    private String getPrivateKeyAlias() {
        return "alias";
    }

    private String getCertificatePassword() {
        return "password";
    }

Thanks
TV


Re: signing multipart email

by Lothar Kimmeringer-4

Tomas Vojtech wrote:

> But if I send multipart mail it is delivered but Thunderbird says
> the mail was signed but the signature doesn't match the content.
> Where's problem?
[...]
>            return encUtils.signMessage(session, mimeMessage, privateKey);

I think, here is your problem ;-)

How should somebody be able to tell more? My first guess would be
that in general the public certificate is sent together with the
signature but if Thunderbird accepts your single-part-message, that
reason seems to be unlikely.


Regards, Lothar


Re: signing multipart email

by Tomas Vojtech

Sorry,
I don't know what I should send.

libraries:
javamail-crypto-bouncycastle-smime_060622.jar
javamail-crypto_060622.jar
bcmail-jdk15-140.jar
bcprov-jdk15-140.jar
javamail 1.4
activation 1.1

message source:

From - Fri Oct 30 15:20:58 2009
X-Account-Key: account3
X-UIDL: M6635S6290T1256912282
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:                                                                                
Reply-To: aaa@...
Received: (qmail 10092 invoked by uid 0); 30 Oct 2009 14:18:02 -0000
X-Spam-Checker-Version: szn-spamassassin 2009-06-26
X-Spam-Status: score=-5.9
Received: from smtp.casablanca.cz (smtp.casablanca.cz [217.11.225.65])
        by email-smtpd7.go.seznam.cz (Seznam SMTPD 1.1.10@14229) with ESMTP;
        Fri, 30 Oct 2009 15:18:02 +0100 (CET)
Received: from [81.0.211.200] (helo=tvojtech-laptop)
        by smtp.casablanca.cz with esmtp (Exim 4.63)
        (envelope-from <aaa@...>)
        id 1N3sHo-0001nP-Vy
        for tom.vojtech@...; Fri, 30 Oct 2009 15:17:05 +0100
Message-Id: <20435088.31256912225035.JavaMail.tvojtech@tvojtech-laptop>
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1;
        boundary="----=_Part_1_7896426.1256912224811"
Date: Fri, 30 Oct 2009 15:17:04 +0100 (CET)
From: taaa@...
To: tom.vojtech@...
Subject: =?us-ascii?Q?Testovaci=20podepsany=20mail?=
X-Smtp-Casablanca-Cz-Mailscanner: Found to be clean
X-Smtp-Casablanca-Cz-Mailscanner-Spamcheck: not spam,
        SpamAssassin (not cached, score=2.999, required 7,
        autolearn=disabled, RDNS_NONE 0.10, TVD_SPACE_RATIO 2.90)
X-Smtp-Casablanca-Cz-Mailscanner-Spamscore: ss
X-Smtp-Casablanca-Cz-Mailscanner-From: aaa@...
X-Smtpd: 1.1.10@14229
X-Nod32result: clean (vdv=4556)


------=_Part_1_7896426.1256912224811
Date: Fri, 30 Oct 2009 15:17:04 +0100 (GMT+01:00)
From: aaa@...
To: tom.vojtech@...
Subject: Testovaci podepsany mail
Content-Type: multipart/mixed;
        boundary="----=_Part_0_26460367.1256912224625"


------=_Part_0_26460367.1256912224625
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Text testovaciho podepsaneho mailu
------=_Part_0_26460367.1256912224625
Content-Type: application/octet-stream; name=oracle_prereq.sh
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=oracle_prereq.sh

#!/bin/bash

zypper install gcc gcc-c++ glibc libaio libaio-devel make openmotif-libs ocfs2-tools ocfs2-tools-devel ocfs2console # instalace potrebnych balicku

# vytvoreni uzivatelu a skupin
/usr/sbin/groupadd -g 501 oinstall
/usr/sbin/groupadd -g 502 dba
/usr/sbin/useradd -m -u 501 -g oinstall -G dba oracle
passwd oracle # nastaveni hesla uzivateli oracle

###############################################################################
###### nastaveni parametru kernelu a limity uzivatele oracle ##################
###############################################################################

# Configure the Hangcheck Timer
modprobe hangcheck-timer hangcheck_tick=30 hangcheck_margin=180
cat >> /etc/init.d/boot.local << EOF
modprobe hangcheck-timer hangcheck_tick=30 hangcheck_margin=180
EOF

cat >> /etc/sysctl.conf << EOF
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 658576
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 1048536
net.core.wmem_max = 1048536
EOF

/sbin/sysctl -p

cat >> /etc/security/limits.conf << EOF
oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536
EOF

cat >> /etc/pam.d/login << EOF
session required /lib/security/pam_limits.so
EOF

cat >> /etc/profile.local << EOF
if [ \$USER = "oracle" ]; then
 if [ \$SHELL = "/bin/ksh" ]; then
 ulimit -p 16384
 ulimit -n 65536
 else
 ulimit -u 16384 -n 65536
 fi
 umask 022
fi
EOF

cat >> /etc/csh.login.local << EOF
if ( \$USER == "oracle" ) then
 limit maxproc 16384
 limit descriptors 65536
 umask 022
endif
EOF



------=_Part_0_26460367.1256912224625--

------=_Part_1_7896426.1256912224811
Content-Type: application/pkcs7-signature; name=smime.p7s; smime-type=signed-data
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

------=_Part_1_7896426.1256912224811--

Tell me what I should send.

thx



Lothar Kimmeringer wrote:

> Tomas Vojtech wrote:
>
>  
>> But if I send multipart mail it is delivered but Thunderbird says
>> the mail was signed but the signature doesn't match the content.
>> Where's problem?
>>    
> [...]
>  
>>            return encUtils.signMessage(session, mimeMessage, privateKey);
>>    
>
> I think, here is your problem ;-)
>
> How should somebody be able to tell more? My first guess would be
> that in general the public certificate is sent together with the
> signature but if Thunderbird accepts your single-part-message, that
> reason seems to be unlikely.
>
>
> Regards, Lothar
>
>
>  



Re: signing multipart email

by Lothar Kimmeringer-4

Tomas Vojtech wrote:

> I don't know what should I send.
>
> libraries:
> javamail-crypto-bouncycastle-smime_060622.jar
> javamail-crypto_060622.jar
> bcmail-jdk15-140.jar
> bcprov-jdk15-140.jar
> javamail 1.4
> activation 1.1

I'm not sure what the first two libraries are, but they look quite
old. The last four libraries should be enough for signing
data.

> message source:

The format itself looks OK.

> tell what should I send

The source of EncryptionUtils.signMessage for a start.

Have you tried to check the signature with something else than
Thunderbird, e.g. with the EncryptionTools? Does it succeed or
what is the error-message?


Regards, Lothar
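
Added example (not part of the thread, and not code from javamail-crypto or Bouncy Castle): one way to check a multipart/signed message outside Thunderbird is to recompute the digest over its first body part, canonicalised to CRLF line endings, and compare it with the messageDigest attribute carried in smime.p7s. The function names are hypothetical, the sample message is constructed, and only the digest is compared, not the RSA signature over the signed attributes.

```python
import base64
import hashlib
import re

# DER encoding of the CMS messageDigest attribute OID 1.2.840.113549.1.9.4
MESSAGE_DIGEST_OID = bytes.fromhex("06092a864886f70d010904")
HASH_BY_LEN = {20: "sha1", 32: "sha256", 48: "sha384", 64: "sha512"}

def split_signed(raw: bytes):
    """Return (first body part as CRLF-canonical bytes, decoded smime.p7s)."""
    text = raw.replace(b"\r\n", b"\n")            # work on LF, restore CRLF later
    headers, _, body = text.partition(b"\n\n")
    m = re.search(rb'boundary="?([^";\s]+)"?', headers, re.I)
    if not m:
        raise ValueError("no boundary parameter in top-level headers")
    chunks = (b"\n" + body).split(b"\n--" + m.group(1))
    if len(chunks) < 4:
        raise ValueError("expected two body parts and a closing delimiter")
    # Drop the rest of the delimiter line; the line break before the next
    # delimiter belongs to the delimiter and was consumed by split().
    signed = chunks[1].split(b"\n", 1)[1].replace(b"\n", b"\r\n")
    p7s = base64.b64decode(chunks[2].partition(b"\n\n")[2])
    return signed, p7s

def signed_digest(p7s: bytes) -> bytes:
    """Locate the messageDigest signed attribute (short-form DER lengths only)."""
    i = p7s.find(MESSAGE_DIGEST_OID)
    if i < 0:
        raise ValueError("no messageDigest attribute found")
    i += len(MESSAGE_DIGEST_OID)
    if p7s[i] != 0x31 or p7s[i + 2] != 0x04:      # SET { OCTET STRING }
        raise ValueError("unexpected attribute encoding")
    return p7s[i + 4 : i + 4 + p7s[i + 3]]

def digest_matches(raw: bytes) -> bool:
    """True if the hash of the received first part equals the signed digest."""
    signed, p7s = split_signed(raw)
    want = signed_digest(p7s)
    return hashlib.new(HASH_BY_LEN[len(want)], signed).digest() == want

def build_sample(part: bytes, hashed: bytes) -> bytes:
    """Constructed message: `part` is sent, `hashed` is what the signer hashed.
    The p7s here holds only the attribute bytes, not a full CMS SignedData."""
    attr = MESSAGE_DIGEST_OID + b"\x31\x16\x04\x14" + hashlib.sha1(hashed).digest()
    return (b'Content-Type: multipart/signed; micalg=sha1; boundary="B1"\r\n\r\n'
            b"--B1\r\n" + part + b"\r\n--B1\r\n"
            b"Content-Type: application/pkcs7-signature\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(attr) + b"\r\n--B1--\r\n")
```

A mismatch from digest_matches() means the bytes that were hashed when signing differ from the bytes that were sent, for example in line endings or in headers of the signed part.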