New Member
Posts: 1
Registered: 02-16-2009
My Device: Not Specified

Email cannot be read when it is only digitally signed

I and my boss (using a Curve) have been having continuous trouble with reading emails that have been digitally signed. Now, before people start running down the basics, here's what I have done so far:

1.  Installed latest ROM for both devices, still waiting on 4.5 for my 8830...

2.  Installed S/MIME application on both devices

3.  Installed latest Desktop OS on both machines and synchronized certificates from desktop to device and back


Here are the systems we are using:

1.  Exchange 2003

2.  BlackBerry Enterprise Server (version unknown, not my department)

3.  Verisign certificates, managed on-site

Here are some of the caveats we are experiencing.

1.  We can read signed and/or encrypted messages from Outlook (03/07), Entourage (04/08), and Thunderbird problem-free

2.  We can read signed AND encrypted, or encrypted ONLY, messages from Mulberry, but we cannot read signed ONLY messages from Mulberry

There is no error message; in fact, everything "looks" normal, we are just unable to view the body of the emails. What we do see is similar to this:

Received Using: <mailbox> (S/MIME)

Message Status: Opened

To: <me>

Sent: <date>

From: <Mulberry User>

Subject: <subject>

------------------------------------------

<img><img> Trusted

------------------------------------------

[1 Attachment]

------------------------------------------

------------------------------------------

application: Unknown (2K)

The <Mulberry User> did some research and sent me the following information:

***

This is a signed message sent from Outlook:

MIME-Version: 1.0
Content-Type: multipart/signed;
        boundary="----=_NextPart_000_00CE_01C99022.D841F9A0";
        protocol="application/x-pkcs7-signature";
        micalg=SHA1

This is a signed message sent from Mulberry:

MIME-Version: 1.0
Content-Type: multipart/signed; micalg=sha1;
 protocol="application/pkcs7-signature";
 boundary="==========45CF5864B8BBBF80D9D4=========="

See any difference between those two?

According to the RFC, the "application/x-pkcs7-signature" MIME type is supposed to be handled, by clients, the same as the "application/pkcs7-signature" MIME type, which is the "correct" MIME type.  So Mulberry handles it correctly.  Outlook does not.  And neither does the Blackberry.  Because *all* clients *should* honor both types.

http://www.ietf.org/proceedings/05nov/RFCs/rfc2311.txt

"C.1 Early MIME Types

Some early implementations of S/MIME agents used the following MIME types:

   application/x-pkcs7-mime
   application/x-pkcs7-signature
   application/x-pkcs10

In each case, the "x-" subtypes correspond to the subtypes described in this document without the "x-"."

"This memo also discusses how to use the multipart/signed MIME type defined in [MIME-SECURE] to transport S/MIME signed messages. This memo also defines the application/pkcs7-signature MIME type, which is also used to transport S/MIME signed messages. This specification is compatible with PKCS #7 in that it uses the data types defined by PKCS #7."

3.4.1 Choosing a Format for Signed-only Messages

There are no hard-and-fast rules when a particular signed-only format should be chosen because it depends on the capabilities of all the receivers and the relative importance of receivers with S/MIME facilities being able to verify the signature versus the importance of receivers without S/MIME software being able to view the message.

Messages signed using the multipart/signed format can always be viewed by the receiver whether they have S/MIME software or not. They can also be viewed whether they are using a MIME-native user agent or they have messages translated by a gateway. In this context, "be viewed" means the ability to process the message essentially as if it were not a signed message, including any other MIME structure the message might have."

This means that the Blackberry is required, by RFC, to be able to read a signed message even without the aid of S/MIME capable software.  The fact that it does not is a failure of the Blackberry.

***

The above email was in reference to the fact that all of these emails that cannot be read on the devices can be read in Outlook, and when a signed message is sent from Outlook, it can be read on the devices. Furthermore, this is not to say that the information above is 100% valid and correct, but I am hoping that it sparks some discussion and hopefully a resolution can be found.

Thanks for your time in reading this.

Andrew
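As an added illustration (not part of the original post, the RFC, or any BlackBerry software), here is a small Python parser that treats the two message shapes quoted above the way RFC 2311 asks: it maps the legacy "x-" subtype onto the registered one (Appendix C.1) and returns the cleartext first part of multipart/signed, which section 3.4.1 says any receiver can display without S/MIME software. The two sample messages are constructed from the headers shown in the post; the signature blob is a placeholder and no signature verification is attempted.

```python
import email
from email import policy

# RFC 2311 Appendix C.1: early S/MIME agents used "x-" subtypes, which clients
# should treat exactly like the registered subtypes without the "x-".
LEGACY_SMIME_TYPES = {
    "application/x-pkcs7-mime": "application/pkcs7-mime",
    "application/x-pkcs7-signature": "application/pkcs7-signature",
    "application/x-pkcs10": "application/pkcs10",
}


def canonical_type(ctype):
    """Map a legacy x- S/MIME media type to its registered form; others pass through."""
    ctype = ctype.strip().lower()
    return LEGACY_SMIME_TYPES.get(ctype, ctype)


def parse_signed(raw):
    """Return (body_text, canonical_protocol, used_legacy_type) for a
    multipart/signed message.

    The first part is returned as displayable text whether the signature part
    is labelled with the registered subtype or the legacy x- subtype
    (RFC 2311 sections 3.4.1 and C.1). No signature verification is done here.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    declared = msg.get_param("protocol")
    if declared is None:
        raise ValueError("multipart/signed without a protocol parameter")
    protocol = canonical_type(declared)
    if protocol != "application/pkcs7-signature":
        raise ValueError(f"unsupported multipart/signed protocol {declared!r}")
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        raise ValueError("multipart/signed must carry exactly two parts")
    content, signature = parts
    sig_type = signature.get_content_type()
    if canonical_type(sig_type) != protocol:
        raise ValueError(f"signature part is {sig_type!r}, expected {protocol!r}")
    used_legacy = (declared.strip().lower() in LEGACY_SMIME_TYPES
                   or sig_type in LEGACY_SMIME_TYPES)
    # The signed content is an ordinary MIME entity: render it as any client would.
    if content.get_content_maintype() == "text":
        text_part = content
    else:
        text_part = content.get_body(preferencelist=("plain", "html"))
    if text_part is None:
        raise ValueError("signed content has no displayable text part")
    return text_part.get_content().strip(), protocol, used_legacy


def make_sample(protocol, boundary, body):
    """Construct a multipart/signed message with the headers seen in the post.
    The signature blob is a constructed placeholder, not a real PKCS#7 structure."""
    placeholder_sig = "MIIBPLACEHOLDERbase64SignatureBlobNotARealPKCS7=="
    return (
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/signed; micalg=sha1; protocol="{protocol}";\n'
        f' boundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        f"{body}\n"
        f"--{boundary}\n"
        f'Content-Type: {protocol}; name="smime.p7s"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="smime.p7s"\n'
        "\n"
        f"{placeholder_sig}\n"
        f"--{boundary}--\n"
    )


# Constructed samples using the boundaries and protocol labels quoted in the post.
OUTLOOK_STYLE = make_sample("application/x-pkcs7-signature",
                            "----=_NextPart_000_00CE_01C99022.D841F9A0",
                            "Hello from Outlook (constructed sample body).")
MULBERRY_STYLE = make_sample("application/pkcs7-signature",
                             "==========45CF5864B8BBBF80D9D4==========",
                             "Hello from Mulberry (constructed sample body).")

if __name__ == "__main__":
    for label, raw in (("Outlook-style", OUTLOOK_STYLE), ("Mulberry-style", MULBERRY_STYLE)):
        body, proto, legacy = parse_signed(raw)
        print(f"{label}: protocol={proto} legacy_label={legacy} body={body!r}")
```

Both samples come back with the same canonical protocol and a readable body; only the `used_legacy_type` flag differs, which is the behaviour a client following Appendix C.1 should show. A client that accepts only one spelling of the subtype would reject one of the two messages while still showing the signature as an opaque attachment, which matches the symptom in the post.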
BB8830
New Contributor
Posts: 3
Registered: 11-25-2008
My Device: Not Specified

Re: Email cannot be read when it is only digitally signed

Well, not 100% sure, but in my experience the following setting is the problem: "Enable S/MIME Encryption on Signed or Weakly encrypted messages". This setting is a per-server setting and is found in the general options of the server.

When this is set to true the BES encrypts the message again over the signed message... but then for some reason unknown it doesn't decrypt it back when the client reads it.

Maybe you could ask your admins and try it out and see if it works...