Comments (16)

shred avatar shred commented on June 8, 2024 1

Just after the unit tests are completed. Hopefully next week.

from acme4j.

shred avatar shred commented on June 8, 2024

Thank you... Yes, S/MIME validation and signature should be part of acme4j. I will have a look into that.

shred avatar shred commented on June 8, 2024

In v2.15 I released today, S/MIME signature validation and header protection checks are now available, see the documentation.

I'm sorry that it took so long. There were technical and also personal problems that have been resolved by now.

augjoh avatar augjoh commented on June 8, 2024

@shred: Thanks for adding this feature to acme4j 👍. Unfortunately I wasn't able to use it as is. There are some obstacles to overcome. Perhaps you can shed some light on this and pin down the errors.

The first point is a question about the signCert needed to verify the incoming email. Where do I get this certificate from? I assume, that it is the signer certificate of the challenge, but if so, how do I specify intermediate CA certificates? Regarding RFC8550:

Sending agents SHOULD include any certificates for the user's public
key(s) and associated issuer certificates. This increases the
likelihood that the intended recipient can establish trust in the
originator's public key(s).

So I suppose it is safe to assume that a CA includes all certificates (except the root certificate of the chain) to verify the incoming challenge email. The root certificate should be part of Java's truststore, I guess. Perhaps you can sort out the certificates inside acme4j.

The second point is that I can't see why the following S/MIME challenge cannot be processed with acme4j regardless of the strict setting. Both invocations of the code snippet from the documentation throw org.shredzone.acme4j.smime.exception.AcmeInvalidMessageException: Invalid S/MIME mail.

Please have a look at the following challenge email:

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from [127.0.0.1] (acme-ca-02.dc-bsd.my.corp [10.70.15.231])
	by mail.dc-bsd.my.corp (Postfix) with ESMTP id 0119D9CC22
	for <[email protected]>; Sat, 26 Nov 2022 21:09:39 +0000 (UTC)
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha256; boundary="--_NmP-1d902f4d1e8a735a-Part_1"
Auto-Submitted: auto-generated; type=acme
From: [email protected]
To: [email protected]
Subject: ACME: ABxfL5s4bjvmyVRvl6y-Y_GhdzTdWpKqlmrKAIVe
Message-ID: <[email protected]>
Date: Sat, 26 Nov 2022 21:09:38 +0000
MIME-Version: 1.0

----_NmP-1d902f4d1e8a735a-Part_1
Content-Type: multipart/alternative;
 boundary="--_NmP-1d902f4d1e8a735a-Part_2"

----_NmP-1d902f4d1e8a735a-Part_2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><p>This is an automatically generated ACME challenge for email =
address <em>[email protected]</em>. If you haven't requested an S/MIME =
certificate generation for this email address, be very afraid. If you did =
request it, your email client might be able to process this request =
automatically, or you might have to paste the first token part into an =
external program.</p> <p>Please reply to this mail and fill out the =
following template: <pre>-----BEGIN ACME RESPONSE-----
&lt;fill in challengeResponse here&gt;
-----END ACME RESPONSE-----
</pre>Use the value of the following calculation inside the ACME response:
<pre>  token =3D (decodeBase64url(token-part1) || decodeBase64url(token-par=
t2))
  keyAuthorization =3D base64url(token) || '.' || base64url(Thumbprint(acco=
untKey))
  challengeResponse =3D base64url(SHA256(keyAuthorization))
</pre>Where can I find all the ingredients for this?<ul><li>token-part1 is =
in the subject of this email after 'ACME: ',</li><li>token-part2 can be =
found in your challenge request (over https),</li><li>accountKey has been =
generated in your ACME client.</li></ul></p></html>
----_NmP-1d902f4d1e8a735a-Part_2
Content-Type: application/json; charset=utf8
Content-Encoding: utf8

{ "token-part1": "001c5f2f9b386e3be6c9546f97acbe63f1a17734dd5a92aa966aca00855e" }
----_NmP-1d902f4d1e8a735a-Part_2--

----_NmP-1d902f4d1e8a735a-Part_1
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s
Content-Disposition: attachment; filename=smime.p7s

[base64 signature data omitted]
----_NmP-1d902f4d1e8a735a-Part_1--

It verifies fine with openssl(1) (1.1.1o) (and Thunderbird):

% openssl cms -in acme-challenge.eml -verify -CAfile RootCA2022G1.crt > /dev/null
Verification successful

The root of the CA hierarchy is:

% cat RootCA2022G1.crt 
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----

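The formula in the challenge mail above is RFC 8823's key authorization, and it can be checked end to end without a mail client. The following Python is an added example, not acme4j code: it pulls token-part1 out of the Subject line quoted above, shows that it is the same 30 bytes as the hex token-part1 in the mail's JSON part, and derives keyAuthorization and challengeResponse exactly as the mail's formula states. token-part2 and the account key (JWK form, RFC 7638 thumbprint) are constructed stand-ins, since the real ones are not in this thread.

```python
import base64
import hashlib
import json
import re

# Subject line of the challenge e-mail quoted in the thread above.
CHALLENGE_SUBJECT = "ACME: ABxfL5s4bjvmyVRvl6y-Y_GhdzTdWpKqlmrKAIVe"
# Hex rendering of token-part1 from the application/json part of the same e-mail.
TOKEN_PART1_HEX = "001c5f2f9b386e3be6c9546f97acbe63f1a17734dd5a92aa966aca00855e"

# Constructed stand-ins (not from the thread): a token-part2 as the CA would return
# it in the challenge object over HTTPS, and an account key in JWK form. The EC
# coordinates are placeholder strings; the thumbprint only hashes the JSON members.
TOKEN_PART2_B64URL = "T2dK4JvnzJ6YcjnW3Yt8hG5qmLxR2pQ7"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the wire format drops."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_part1_from_subject(subject: str) -> bytes:
    """Extract token-part1 from an 'ACME: <token-part1>' subject (RFC 8823, section 3.1)."""
    match = re.fullmatch(r"ACME:\s*([A-Za-z0-9_-]+)", subject.strip())
    if match is None:
        raise ValueError("subject is not an ACME challenge subject")
    return b64url_decode(match.group(1))


def jwk_thumbprint(jwk: dict) -> bytes:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def challenge_response(subject: str, token_part2: str, account_jwk: dict):
    """Return (keyAuthorization, challengeResponse) following the formula in the mail:
    token = part1 || part2, keyAuthorization = base64url(token).base64url(thumbprint),
    challengeResponse = base64url(SHA256(keyAuthorization))."""
    token = token_part1_from_subject(subject) + b64url_decode(token_part2)
    key_authorization = b64url_encode(token) + "." + b64url_encode(jwk_thumbprint(account_jwk))
    response = b64url_encode(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return key_authorization, response


def reply_body(response: str) -> str:
    """The reply template from the challenge mail, filled in."""
    return f"-----BEGIN ACME RESPONSE-----\n{response}\n-----END ACME RESPONSE-----\n"


if __name__ == "__main__":
    ka, resp = challenge_response(CHALLENGE_SUBJECT, TOKEN_PART2_B64URL, ACCOUNT_JWK)
    print("token-part1 matches JSON hex:",
          token_part1_from_subject(CHALLENGE_SUBJECT) == bytes.fromhex(TOKEN_PART1_HEX))
    print("keyAuthorization:", ka)
    print(reply_body(resp))
```

Because token-part1 is 30 bytes (a multiple of 3), the first 40 characters of base64url(token) are exactly the string from the Subject line, which is a quick visual check that the two token halves were concatenated in the right order.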

shred avatar shred commented on June 8, 2024

So I suppose it is safe to assume that a CA includes all certificates (except the root certificate of the chain) to verify the incoming challenge email. The root certificate should be part of Java's truststore, I guess. Perhaps you can sort out the certificates inside acme4j.

The original idea was that the CA's signing key must be fetched from the CA before, and then passed in as a separate argument. But you are right, acme4j should use and verify the given signature key. I will add that.

The second point is that I can't see why the following S/MIME challenge cannot be processed with acme4j regardless of the strict setting.

RFC8823 says that "Either way, [the challenge message] MUST use S/MIME header protection." (Section 3.1, point 7). More about header protection can be found here. acme4j expects the "wrapped message" header protection. That is, the signed part of the message must be an RFC822 message by itself, so the mail headers are part of the signature. In your example mail, the signed body is just plain Content-Type: text/html. acme4j refuses to process this mail because there are no protected headers.

augjoh avatar augjoh commented on June 8, 2024

Indeed, the headers are needed. Please find the secured header fields inside the smime.p7s:

 4650:d=6  hl=3 l= 161 cons:       SEQUENCE          
 4653:d=7  hl=2 l=  11 prim:        OBJECT            :1.2.840.113549.1.9.16.2.55
 4666:d=7  hl=3 l= 145 cons:        SET               
 4669:d=8  hl=3 l= 142 cons:         SET               
 4672:d=9  hl=2 l=   1 prim:          ENUMERATED        :01
 4675:d=9  hl=3 l= 136 cons:          SEQUENCE          
 4678:d=10 hl=2 l=  60 cons:           SEQUENCE          
 4680:d=11 hl=2 l=   7 prim:            VISIBLESTRING     :Subject
 4689:d=11 hl=2 l=  46 prim:            UTF8STRING        :ACME: ABxfL5s4bjvmyVRvl6y-Y_GhdzTdWpKqlmrKAIVe
 4737:d=11 hl=2 l=   1 prim:            INTEGER           :00
 4740:d=10 hl=2 l=  30 cons:           SEQUENCE          
 4742:d=11 hl=2 l=   2 prim:            VISIBLESTRING     :To
 4746:d=11 hl=2 l=  21 prim:            UTF8STRING        :[email protected]
 4769:d=11 hl=2 l=   1 prim:            INTEGER           :00
 4772:d=10 hl=2 l=  40 cons:           SEQUENCE          
 4774:d=11 hl=2 l=   4 prim:            VISIBLESTRING     :From
 4780:d=11 hl=2 l=  29 prim:            UTF8STRING        :[email protected]
 4811:d=11 hl=2 l=   1 prim:            INTEGER           :00

augjoh avatar augjoh commented on June 8, 2024

Please see "Securing Header Fields with S/MIME" (RFC 7508) for more information.


shred avatar shred commented on June 8, 2024

Thank you for the pointer! The tricky part is rather to use BouncyCastle for the S/MIME mail validation, and for the extraction of the protected headers from the signature. But I'm making progress there.

shred avatar shred commented on June 8, 2024

It was tricky to find a correct way to verify secured mail headers, as many parts were not covered by BouncyCastle and had to be written by me. 😅

Now I have just pushed the changes. With EmailProcessor.signedMessage() you can use your S/MIME mail for the challenge. It checks the signing certificate against Java's cacert truststore, so the certificate must have been signed by a standard public CA.

For self-signed certificates, you can use EmailProcessor.builder().build(message), and use methods like trustStore() or certificate() before invoking build() to pass in your CA's certificate for verification.

What's still missing is a bunch of unit tests. That's the next thing I will take care of.

I appreciate your feedback. But I was able to make it work using your provided email and CA certificate, so I am quite confident it is working.

augjoh avatar augjoh commented on June 8, 2024

This is fantastic news! I'm burning to test the latest version of acme4j. When do you plan to release a new version with these changes?

shred avatar shred commented on June 8, 2024

I cannot find a way to generate S/MIME signed messages with secure headers enclosed in the signature via command line. Is it okay if I use your example email for unit tests?

augjoh avatar augjoh commented on June 8, 2024

Sure, keep in mind that the used S/MIME certificate has a limited lifetime. ⌛

shred avatar shred commented on June 8, 2024

Thank you! Yes, it will only be temporary until I find a way to generate this kind of S/MIME mail. But I don't want to delay the next release because of that.

shred avatar shred commented on June 8, 2024

I just released v2.16. It's available in the release section, and will be available on Maven Central in the next couple of hours.

This version should finally make it possible to read and validate RFC 7508-style protected headers. The unit tests are green with the email you provided here, so I'm confident. 😉

I will close this issue, but feel free to reopen it if there are still related issues. Thank you for your help and your patience!

augjoh avatar augjoh commented on June 8, 2024

@shred LGTM, I've run some tests with good cases and acme4j accepted all server-sent messages so far! Thank you very much.

shred avatar shred commented on June 8, 2024

That's good news! Thank you for your feedback.
