The implementation code is available in our code repository.
The Halon platform supports PKCS7 signing, which can be used to create S/MIME signatures. In the simplest and most common implementation you sign the message body (including all of its MIME parts), restructuring the message by wrapping the original body in a new MIME part and attaching an additional pkcs7-signature part (this is commonly known as a detached signature).
To do this transformation safely (and preserve the MIME structure of the original message), some headers need to be copied from the message header into the new MIME part and some need to be added to the message header. That is: the Content-Type, Content-Transfer-Encoding, Content-Disposition and MIME-Version headers need to be copied to the new MIME part, the Content-Transfer-Encoding and Content-Disposition headers should be removed from the message header, and a new Content-Type (and MIME-Version) header needs to be added to the message header.
The original message is shown first and the signed message second. In the signed message, the text that was highlighted in blue on the original page, that is the first MIME part of the multipart/signed body (the wrapped original message, up to the signature part), is what the S/MIME signature protects.
Original message:

Subject: Hello
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="------------68C49DC2C23AB181018F6038"

This is a multi-part message in MIME format.
--------------68C49DC2C23AB181018F6038
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

World
--------------68C49DC2C23AB181018F6038
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>World</p>
</body>
</html>
--------------68C49DC2C23AB181018F6038--
Signed message:

Subject: Hello
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg="sha-256"; boundary="b5d1c118-2e05-11e9-93ef-0050569a4c9c"

--b5d1c118-2e05-11e9-93ef-0050569a4c9c
Content-Type: multipart/alternative;
 boundary="------------68C49DC2C23AB181018F6038"
MIME-Version: 1.0

This is a multi-part message in MIME format.
--------------68C49DC2C23AB181018F6038
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

World
--------------68C49DC2C23AB181018F6038
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>World</p>
</body>
</html>
--------------68C49DC2C23AB181018F6038--
--b5d1c118-2e05-11e9-93ef-0050569a4c9c
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

<signature data>
--b5d1c118-2e05-11e9-93ef-0050569a4c9c--
The following code may be added to the DATA script in order to do the signing. Keep in mind that for the S/MIME signature to validate properly, the From header must match the email address in the signing certificate, and you may need to include intermediate certificates as well.
smime_sign($mail, $pki);
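As an added illustration of the restructuring described above (this is not Halon's smime_sign implementation or code from the article), the following Python function performs the header moves with the standard library's email parser and returns the exact CRLF-canonical bytes that the detached signature covers, so the sha-256 named in micalg can be checked. The PKCS7 signing itself is delegated to a hypothetical sign_fn callback, and the sample message is constructed for this example.

```python
import base64
import hashlib
import textwrap
from email import policy
from email.parser import Parser
from typing import Callable, Dict

# Headers that describe the body: they move from the message header into the
# new inner MIME part, as the article lists them.
BODY_HEADERS = {"content-type", "content-transfer-encoding",
                "content-disposition", "mime-version"}
CRLF = "\r\n"
SIG_HEADERS = ('Content-Type: application/pkcs7-signature; name="smime.p7s"',
               "Content-Transfer-Encoding: base64",
               'Content-Disposition: attachment; filename="smime.p7s"')
# Constructed sample input (not from the article); From must match the cert.
SAMPLE = ("From: alice@example.com\nSubject: Hello\nMIME-Version: 1.0\n"
          "Content-Type: text/plain; charset=utf-8\n"
          "Content-Transfer-Encoding: 7bit\n\nWorld\n")

def _canon(text: str) -> str:
    # Canonical CRLF line endings: the signature is computed over these bytes.
    return text.replace(CRLF, "\n").replace("\n", CRLF)

def wrap_as_multipart_signed(raw: str, sign_fn: Callable[[bytes], bytes],
                             boundary: str) -> Dict[str, object]:
    """Restructure `raw` into multipart/signed with a detached pkcs7-signature.
    sign_fn is a hypothetical callback (not a Halon API): it receives the exact
    bytes the signature covers and returns the DER-encoded PKCS7 signature."""
    msg = Parser(policy=policy.compat32).parsestr(raw, headersonly=True)
    outer, inner = [], []
    for name, value in msg.items():  # compat32 keeps folded continuation lines
        (inner if name.lower() in BODY_HEADERS else outer).append(f"{name}: {value}")
    if not any(h.lower().startswith("mime-version:") for h in inner):
        inner.append("MIME-Version: 1.0")
    body = msg.get_payload()  # the original body, all MIME parts untouched
    # The line break before the next boundary belongs to the boundary, not the part.
    body = body[:-2] if body.endswith(CRLF) else body[:-1] if body.endswith("\n") else body
    signed_part = _canon(CRLF.join(inner) + CRLF + CRLF + body)
    signed_bytes = signed_part.encode("utf-8")
    b64 = base64.b64encode(sign_fn(signed_bytes)).decode("ascii")
    outer += ["MIME-Version: 1.0",
              'Content-Type: multipart/signed; protocol="application/pkcs7-signature";',
              f' micalg="sha-256"; boundary="{boundary}"']
    lines = outer + ["", f"--{boundary}", signed_part, f"--{boundary}", *SIG_HEADERS,
                     "", *textwrap.wrap(b64, 76), f"--{boundary}--", ""]
    return {"message": _canon(CRLF.join(lines)), "signed_bytes": signed_bytes,
            "sha256": hashlib.sha256(signed_bytes).hexdigest()}
```

A verifier recomputes the digest over exactly `signed_bytes`, so any later rewrite of the inner part's headers or line endings by a downstream MTA will break the signature.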