cms.verify_message should validate the value of Received-Content-MIC for unsigned sent files or fail when MIC is missing. #19

Open
adiroiban opened this issue Aug 7, 2020 · 2 comments

@adiroiban
Contributor

When validating an MDN, the current code only checks for a valid signature.

But I think that it should also read the Received-Content-MIC value and make sure it is the expected value.

Also, I think that the docstring has a copy/paste error.

```python
def verify_message(data_to_verify, signature, verify_cert):
    """Function parses an ASN.1 encrypted message and extracts/decrypts the original message.
```

I guess that the verify_message arguments should be extended to also pass the expected MIC value.

Thanks!

@abhishek-ram
Owner

Yes indeed the doc string is copy pasted, my bad :)
The validation of the mic happens in Mdn.parse

@adiroiban adiroiban changed the title cms.verify_message should validate the value of Received-Content-MIC cms.verify_message should validate the value of Received-Content-MIC for unsigned sent files or fail when MIC is missing. Aug 7, 2020
@adiroiban
Contributor Author

adiroiban commented Aug 7, 2020

Thanks for your comment regarding MIC validation.

But there are still a few cases in which the MIC is not validated.


If for example the MDN does not contain the MIC header, the AS2 GUI shows a green message: Message has been successfully send to Partner.

```
RReceived-Content-MIC: //YQQNyuwhG5rPAFDvjPK832wCI=, sha1
Disposition: automatic-action/MDN-sent-automatically; processed
```

Also, when sending a plain file, without signature, but requesting a signed MDN, the MIC is also not checked since I guess the orig_message.mic does not have a MIC.
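
A fail-closed form of the check this issue asks for, as an added example that is not pyas2lib code: `check_received_mic`, `compute_mic`, `MicError` and the algorithm allow-list are hypothetical names, and the caller is assumed to pass the exact bytes the MIC covers for the message it sent, signed or not.

```python
import base64
import hashlib
import hmac
from email.parser import HeaderParser

# Assumed allow-list mapping MIC algorithm names to hashlib names (hypothetical).
ALLOWED_ALGS = {"sha1": "sha1", "sha-1": "sha1", "sha256": "sha256", "sha-256": "sha256"}


class MicError(Exception):
    """The MDN does not prove the partner received the content we sent."""


def compute_mic(mic_content: bytes, alg: str) -> str:
    """Base64 digest of the bytes the MIC covers, using an allow-listed algorithm."""
    return base64.b64encode(hashlib.new(ALLOWED_ALGS[alg], mic_content).digest()).decode()


def check_received_mic(disposition_fields: str, mic_content: bytes) -> str:
    """Validate Received-Content-MIC from an MDN's disposition-notification fields.

    A missing or malformed field is an error rather than a pass, and the expected
    value is always recomputed from what was sent, so an unsigned outbound
    message is checked the same way as a signed one. Returns the algorithm used.
    """
    fields = HeaderParser().parsestr(disposition_fields)
    raw = fields.get("Received-Content-MIC")
    if raw is None:
        raise MicError("MDN has no Received-Content-MIC field")
    value, sep, alg = (part.strip() for part in raw.partition(","))
    alg = alg.lower()
    if not sep or not value or alg not in ALLOWED_ALGS:
        raise MicError("malformed Received-Content-MIC: %r" % raw)
    expected = compute_mic(mic_content, alg)
    # Constant-time comparison of the two base64 strings.
    if not hmac.compare_digest(value.encode("utf-8", "replace"), expected.encode()):
        raise MicError("Received-Content-MIC does not match the sent content")
    return alg


if __name__ == "__main__":
    payload = b"constructed sample payload\r\n"  # constructed, not from the issue
    mdn = ("Disposition: automatic-action/MDN-sent-automatically; processed\n"
           "Received-Content-MIC: %s, sha256\n" % compute_mic(payload, "sha256"))
    print(check_received_mic(mdn, payload))
    try:  # same MDN with the field name mangled, as in the report above
        check_received_mic(mdn.replace("Received-", "RReceived-"), payload)
    except MicError as exc:
        print("rejected:", exc)
```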
