bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License

CMSSignerDigestMismatchException: message-digest attribute value does not match calculated value #1333

Open Horcrux7 opened 1 year ago

Horcrux7 commented 1 year ago

I get the following exception if I verify an IMAP MimeMessage directly.

org.bouncycastle.cms.CMSSignerDigestMismatchException: message-digest attribute value does not match calculated value
    at org.bouncycastle.cms.SignerInformation.verifyMessageDigestAttribute(Unknown Source)
    at org.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
    at org.bouncycastle.cms.SignerInformation.verify(Unknown Source)

If I copy the message or load the saved message with the following line, then it works:

mail = new MimeMessage( (MimeMessage)mail );

The difference that I see is that the result of the following expression is either a com.sun.mail.imap.IMAPBodyPart or a javax.mail.internet.MimeBodyPart:

BodyPart bodyPart = ((MimeMultipart)mail.getContent()).getBodyPart(0);

My verify code looks like this:

        SMIMESigned smime = new SMIMESigned( (MimeMultipart)mail.getContent() );
        Store<X509CertificateHolder> certs = smime.getCertificates();
        SignerInformationStore signers = smime.getSignerInfos();
        Collection<SignerInformation> c = signers.getSigners();
        Iterator<SignerInformation> it = c.iterator();
        while( it.hasNext() ) {
            SignerInformation signer = it.next();
            // look up the embedded certificate(s) matching this signer's SignerIdentifier
            Collection<X509CertificateHolder> certCollection = certs.getMatches( signer.getSID() );

            Iterator<X509CertificateHolder> certIt = certCollection.iterator();
            if( !certIt.hasNext() ) {
                continue; // no certificate for this signer; avoids a NoSuchElementException
            }
            X509Certificate cert = new JcaX509CertificateConverter().setProvider( getProvider() ).getCertificate( certIt.next() );
            try {
                // verify() recomputes the content digest and compares it with the
                // message-digest signed attribute before checking the signature itself
                if( signer.verify( new JcaSimpleSignerInfoVerifierBuilder().setProvider( getProvider() ).build( cert ) ) ) {
                    return cert;
                }
            } catch( CMSException ex ) {
                LOGGER.error( ex );
            }
        }

        return null;

I use the following library versions:

Is this a bug? Can I use the workaround without risk?

testmail.zip

dghgit commented 1 year ago

Okay, hmm. I assume you're using bcjmail not bcmail, the workaround's okay - I wouldn't say what you're seeing is a feature, it's just rather difficult to work out whose bug it is - com.sun.mail.imap is way out of our jurisdiction.

Horcrux7 commented 1 year ago

I assume you're using bcjmail not bcmail

No, we currently use bcmail with the old javax package. The jakarta variant is only required from version 2.x of jakarta.mail. Good to know that there are also two package names here. I had overlooked this until now.

com.sun.mail.imap is way out of our jurisdiction.

This was also my first thought. But the content data, the message text, was 100% identical for both. Which data are part of the message-digest?

Because there is no line number information in the library, it is difficult to debug. I also do not understand what is going on in the library.
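As an added illustration of what the message-digest attribute actually covers (this is not code from the issue or from Bouncy Castle): for a multipart/signed message the signer hashes the complete first MIME entity as serialized, headers, blank line and line endings included, not the decoded text. Python's email module stands in for the mail library, the sample text is constructed, and the bare-LF variant simulates a body-part implementation that presents the same text with different octets.

```python
import email
import email.policy
import hashlib
from email.message import EmailMessage

# Constructed sample text (not taken from the issue): the body of the text/plain
# entity that sits in body part 0 of a multipart/signed message.
TEXT = "Hello,\nplease find the signed report attached.\n\n-- Alice\n"


def build_signed_entity() -> bytes:
    """The MIME entity (headers + blank line + body) in canonical S/MIME form.
    This exact octet string, not just the decoded text, is what the signer
    hashed into the CMS message-digest attribute."""
    part = EmailMessage()
    part["Content-Type"] = 'text/plain; charset="us-ascii"'
    part["Content-Transfer-Encoding"] = "7bit"
    part.set_payload(TEXT)
    return part.as_bytes(policy=email.policy.SMTP)  # SMTP policy -> CRLF lines


def as_local_form(wire: bytes) -> bytes:
    """Simulate a body-part implementation that hands the verifier the same
    entity with bare LF line endings; the decoded text is unchanged."""
    return wire.replace(b"\r\n", b"\n")


def canonicalize(raw: bytes) -> bytes:
    """Restore CRLF line endings without doubling ones that are already CRLF."""
    return raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def message_digest(entity: bytes, algorithm: str = "sha256") -> str:
    """What the verifier recomputes and compares with the message-digest attribute."""
    return hashlib.new(algorithm, entity).hexdigest()


def text_lines(entity: bytes) -> list:
    """Decoded body text as a mail API presents it (line endings dropped)."""
    return email.message_from_bytes(entity).get_payload().splitlines()


def compare_serializations() -> dict:
    wire = build_signed_entity()
    local = as_local_form(wire)
    return {
        "same_text": text_lines(wire) == text_lines(local),
        "wire_digest": message_digest(wire),
        "local_digest": message_digest(local),
        "canonicalized_local_digest": message_digest(canonicalize(local)),
    }
```

The same text yields two different digests, and only the canonical form matches again; this is the kind of difference to look for when comparing the bytes an IMAPBodyPart and a copied MimeBodyPart write out.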