#252: Fix support for legacy S/MIME signing envelope

Author: bbottema

modules/core-module/src/main/java/org/simplejavamail/api/internal/smimesupport/builder/SmimeParseResult.java

@@ -1,12 +1,16 @@
 package org.simplejavamail.api.internal.smimesupport.builder;
 
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 import org.simplejavamail.api.email.AttachmentResource;
 import org.simplejavamail.api.email.OriginalSmimeDetails;
+import org.simplejavamail.api.internal.smimesupport.model.AttachmentDecryptionResult;
 
 import java.util.List;
 
 public interface SmimeParseResult {
-	OriginalSmimeDetails getOriginalSmimeDetails();
-	AttachmentResource getSmimeSignedEmail();
-	List<AttachmentResource> getDecryptedAttachments();
-}
+	@NotNull OriginalSmimeDetails getOriginalSmimeDetails();
+	@Nullable AttachmentResource getSmimeSignedEmail();
+	@NotNull List<AttachmentDecryptionResult> getDecryptedAttachmentResults();
+	@NotNull List<AttachmentResource> getDecryptedAttachments();
+}

modules/core-module/src/main/java/org/simplejavamail/api/internal/smimesupport/model/AttachmentDecryptionResult.java

@@ -0,0 +1,12 @@
+package org.simplejavamail.api.internal.smimesupport.model;
+
+import org.simplejavamail.api.email.AttachmentResource;
+import org.simplejavamail.api.email.OriginalSmimeDetails;
+
+/**
+ * Used by the S/MIME module to return the decrypted content as well as the indication of how the content was encrypted / signed.
+ */
+public interface AttachmentDecryptionResult {
+	OriginalSmimeDetails.SmimeMode getSmimeMode();
+	AttachmentResource getAttachmentResource();
+}

modules/core-module/src/main/java/org/simplejavamail/internal/modules/SMIMEModule.java

@@ -5,6 +5,7 @@
 import org.simplejavamail.api.email.OriginalSmimeDetails;
 import org.simplejavamail.api.internal.outlooksupport.model.OutlookMessage;
 import org.simplejavamail.api.internal.smimesupport.builder.SmimeParseResult;
+import org.simplejavamail.api.internal.smimesupport.model.AttachmentDecryptionResult;
 import org.simplejavamail.api.internal.smimesupport.model.SmimeDetails;
 import org.simplejavamail.api.mailer.config.Pkcs12Config;
 
@@ -37,7 +38,7 @@ public interface SMIMEModule {
 	 * @return A copy of given original 'true' attachments, with S/MIME encrypted / signed attachments replaced with the actual attachment.
 	 */
 	@NotNull
-	List<AttachmentResource> decryptAttachments(@NotNull List<AttachmentResource> attachments, @Nullable Pkcs12Config pkcs12Config, @NotNull OriginalSmimeDetails messageSmimeDetails);
+	List<AttachmentDecryptionResult> decryptAttachments(@NotNull List<AttachmentResource> attachments, @Nullable Pkcs12Config pkcs12Config, @NotNull OriginalSmimeDetails messageSmimeDetails);
 
 	/**
 	 * @return Whether the given attachment is S/MIME signed / encrypted. Defers to {@code SmimeRecognitionUtil.isSmimeAttachment(..)}.

modules/simple-java-mail/src/main/java/org/simplejavamail/converter/EmailConverter.java

@@ -1,5 +1,7 @@
 package org.simplejavamail.converter;
 
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 import org.simplejavamail.api.email.CalendarMethod;
 import org.simplejavamail.api.email.Email;
 import org.simplejavamail.api.email.EmailPopulatingBuilder;
@@ -19,8 +21,6 @@
 import org.simplejavamail.internal.smimesupport.model.OriginalSmimeDetailsImpl;
 
 import javax.activation.DataSource;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
 import javax.mail.MessagingException;
 import javax.mail.Session;
 import javax.mail.internet.InternetAddress;
@@ -217,7 +217,7 @@ private static EmailPopulatingBuilder decryptAttachments(final EmailPopulatingBu
 		if (ModuleLoader.smimeModuleAvailable()) {
 			SmimeParseResult smimeParseResult = loadSmimeModule().decryptAttachments(emailBuilder.getAttachments(), outlookMessage, pkcs12Config);
 			handleSmimeParseResult((InternalEmailPopulatingBuilder) emailBuilder, smimeParseResult);
-			updateEmailIfBothSignedAndEncrypted(emailBuilder);
+			updateEmailIfBothSignedAndEncrypted(emailBuilder, smimeParseResult);
 		}
 		return emailBuilder;
 	}
@@ -226,7 +226,7 @@ private static EmailPopulatingBuilder decryptAttachments(final EmailPopulatingBu
 		if (ModuleLoader.smimeModuleAvailable()) {
 			SmimeParseResult smimeParseResult = loadSmimeModule().decryptAttachments(emailBuilder.getAttachments(), mimeMessage, pkcs12Config);
 			handleSmimeParseResult((InternalEmailPopulatingBuilder) emailBuilder, smimeParseResult);
-			updateEmailIfBothSignedAndEncrypted(emailBuilder);
+			updateEmailIfBothSignedAndEncrypted(emailBuilder, smimeParseResult);
 		}
 		return emailBuilder;
 	}
@@ -235,12 +235,15 @@ private static EmailPopulatingBuilder decryptAttachments(final EmailPopulatingBu
 	 * if we have both an encrypted and signed part in the email, have the
 	 * top-level email reflect this as {@link SmimeMode#SIGNED_ENCRYPTED}.
 	 */
-	private static void updateEmailIfBothSignedAndEncrypted(final EmailPopulatingBuilder emailBuilder) {
+	private static void updateEmailIfBothSignedAndEncrypted(final EmailPopulatingBuilder emailBuilder, final SmimeParseResult smimeParseResult) {
 		if (emailBuilder.getSmimeSignedEmail() != null) {
 			OriginalSmimeDetails nestedSmime = emailBuilder.getSmimeSignedEmail().getOriginalSmimeDetails();
 			OriginalSmimeDetailsImpl originalSmimeDetails = (OriginalSmimeDetailsImpl) emailBuilder.getOriginalSmimeDetails();
 			if (nestedSmime.getSmimeMode() != PLAIN && nestedSmime.getSmimeMode() != originalSmimeDetails.getSmimeMode()) {
 				originalSmimeDetails.completeWithSmimeMode(SmimeMode.SIGNED_ENCRYPTED);
+			} else if (smimeParseResult.getDecryptedAttachmentResults().size() == 1) {
+				final SmimeMode smimeMode = smimeParseResult.getDecryptedAttachmentResults().get(0).getSmimeMode();
+				originalSmimeDetails.completeWithSmimeMode(smimeMode);
 			}
 		}
 	}

modules/simple-java-mail/src/main/java/org/simplejavamail/converter/internal/mimemessage/MimeMessageParser.java

@@ -269,8 +269,7 @@ private static String parseResourceNameOrUnnamed(@Nullable final String possible
 	@NotNull
 	private static String parseResourceName(@Nullable String possibleWrappedContentID, @NotNull String fileName) {
 		if (valueNullOrEmpty(fileName) && !valueNullOrEmpty(possibleWrappedContentID)) {
-			// https://regex101.com/r/46ulb2/1
-			return possibleWrappedContentID.replaceAll("^<?(.*?)>?$", "$1");
+			return possibleWrappedContentID.replaceAll("^<?(.*?)>?$", "$1"); // https://regex101.com/r/46ulb2/1
 		} else {
 			return fileName;
 		}

modules/smime-module/src/main/java/org/simplejavamail/internal/smimesupport/AttachmentDecryptionResultImpl.java

@@ -0,0 +1,24 @@
+package org.simplejavamail.internal.smimesupport;
+
+import org.simplejavamail.api.email.AttachmentResource;
+import org.simplejavamail.api.email.OriginalSmimeDetails;
+import org.simplejavamail.api.internal.smimesupport.model.AttachmentDecryptionResult;
+
+// FIXME lombok
+class AttachmentDecryptionResultImpl implements AttachmentDecryptionResult {
+	private final OriginalSmimeDetails.SmimeMode smimeMode;
+	private final AttachmentResource attachmentResource;
+
+	public AttachmentDecryptionResultImpl(final OriginalSmimeDetails.SmimeMode smimeMode, final AttachmentResource attachmentResource) {
+		this.smimeMode = smimeMode;
+		this.attachmentResource = attachmentResource;
+	}
+
+	public OriginalSmimeDetails.SmimeMode getSmimeMode() {
+		return smimeMode;
+	}
+
+	public AttachmentResource getAttachmentResource() {
+		return attachmentResource;
+	}
+}

modules/smime-module/src/main/java/org/simplejavamail/internal/smimesupport/SMIMESupport.java

@@ -2,7 +2,6 @@
 
 import net.markenwerk.utils.mail.smime.SmimeKey;
 import net.markenwerk.utils.mail.smime.SmimeKeyStore;
-import net.markenwerk.utils.mail.smime.SmimeState;
 import net.markenwerk.utils.mail.smime.SmimeUtil;
 import org.bouncycastle.asn1.x500.RDN;
 import org.bouncycastle.asn1.x500.X500Name;
@@ -29,9 +28,11 @@
 import org.simplejavamail.api.internal.outlooksupport.model.OutlookMessage;
 import org.simplejavamail.api.internal.outlooksupport.model.OutlookSmime.OutlookSmimeApplicationSmime;
 import org.simplejavamail.api.internal.outlooksupport.model.OutlookSmime.OutlookSmimeMultipartSigned;
+import org.simplejavamail.api.internal.smimesupport.model.AttachmentDecryptionResult;
 import org.simplejavamail.api.internal.smimesupport.model.SmimeDetails;
 import org.simplejavamail.api.mailer.config.Pkcs12Config;
 import org.simplejavamail.internal.modules.SMIMEModule;
+import org.simplejavamail.internal.smimesupport.SmimeUtilFixed.SmimeStateFixed;
 import org.simplejavamail.internal.smimesupport.builder.SmimeParseResultBuilder;
 import org.simplejavamail.internal.smimesupport.model.OriginalSmimeDetailsImpl;
 import org.simplejavamail.internal.smimesupport.model.SmimeDetailsImpl;
@@ -59,8 +60,6 @@
 
 import static java.lang.String.format;
 import static java.util.Arrays.asList;
-import static net.markenwerk.utils.mail.smime.SmimeState.ENCRYPTED;
-import static net.markenwerk.utils.mail.smime.SmimeState.SIGNED;
 import static org.simplejavamail.internal.smimesupport.SmimeException.ERROR_DECRYPTING_SMIME_SIGNED_ATTACHMENT;
 import static org.simplejavamail.internal.smimesupport.SmimeException.ERROR_DETERMINING_SMIME_SIGNER;
 import static org.simplejavamail.internal.smimesupport.SmimeException.ERROR_EXTRACTING_SIGNEDBY_FROM_SMIME_SIGNED_ATTACHMENT;
@@ -171,15 +170,15 @@ private boolean checkSignature(@NotNull final MimeMessage mimeMessage, @Nullable
 	private void decryptAttachments(@NotNull final SmimeParseResultBuilder smimeBuilder, @NotNull final List<AttachmentResource> attachments,
 			@Nullable final Pkcs12Config pkcs12Config) {
 		LOGGER.debug("checking for S/MIME signed / encrypted attachments...");
-		List<AttachmentResource> decryptedAttachments = decryptAttachments(attachments, pkcs12Config, smimeBuilder.getOriginalSmimeDetails());
+		List<AttachmentDecryptionResult> decryptedAttachments = decryptAttachments(attachments, pkcs12Config, smimeBuilder.getOriginalSmimeDetails());
 		smimeBuilder.addDecryptedAttachments(decryptedAttachments);
 
 		if (attachments.size() == 1) {
 			final AttachmentResource onlyAttachment = attachments.get(0);
-			final AttachmentResource onlyAttachmentDecrypted = smimeBuilder.getDecryptedAttachments().get(0);
-			if (isSmimeAttachment(onlyAttachment) && isMimeMessageAttachment(onlyAttachmentDecrypted)) {
+			final AttachmentDecryptionResult onlyAttachmentDecrypted = smimeBuilder.getDecryptedAttachmentResults().get(0);
+			if (isSmimeAttachment(onlyAttachment) && isMimeMessageAttachment(onlyAttachmentDecrypted.getAttachmentResource())) {
 				smimeBuilder.getOriginalSmimeDetails().completeWith(determineSmimeDetails(onlyAttachment));
-				smimeBuilder.setSmimeSignedEmailToProcess(onlyAttachmentDecrypted);
+				smimeBuilder.setSmimeSignedEmailToProcess(onlyAttachmentDecrypted.getAttachmentResource());
 			}
 		}
 	}
@@ -204,24 +203,24 @@ private OriginalSmimeDetailsImpl determineSmimeDetails(final AttachmentResource
 	 */
 	@NotNull
 	@Override
-	public List<AttachmentResource> decryptAttachments(
+	public List<AttachmentDecryptionResult> decryptAttachments(
 			@NotNull final List<AttachmentResource> attachments,
 			@Nullable final Pkcs12Config pkcs12Config,
 			@NotNull final OriginalSmimeDetails messageSmimeDetails) {
-		final List<AttachmentResource> decryptedAttachments;
-		decryptedAttachments = new ArrayList<>(attachments);
-
-		for (int i = 0; i < decryptedAttachments.size(); i++) {
-			final AttachmentResource attachment = decryptedAttachments.get(i);
+		final List<AttachmentDecryptionResult> decryptedAttachments = new ArrayList<>();
+		for (final AttachmentResource attachment : attachments) {
 			if (isSmimeAttachment(attachment)) {
 				try {
 					LOGGER.debug("decrypting S/MIME signed attachment '{}'...", attachment.getName());
-					decryptedAttachments.set(i, decryptAndUnsignAttachment(attachment, pkcs12Config, messageSmimeDetails));
+					decryptedAttachments.add(decryptAndUnsignAttachment(attachment, pkcs12Config, messageSmimeDetails));
 				} catch (Exception e) {
 					throw new SmimeException(format(ERROR_DECRYPTING_SMIME_SIGNED_ATTACHMENT, attachment), e);
 				}
+			} else {
+				decryptedAttachments.add(new AttachmentDecryptionResultImpl(SmimeMode.PLAIN, attachment));
 			}
 		}
+
 		return decryptedAttachments;
 	}
 
@@ -233,42 +232,58 @@ public boolean isSmimeAttachment(@NotNull final AttachmentResource attachment) {
 		return SMIME_MIMETYPES.contains(attachment.getDataSource().getContentType());
 	}
 
-	private AttachmentResource decryptAndUnsignAttachment(
+	private AttachmentDecryptionResult decryptAndUnsignAttachment(
 			@NotNull final AttachmentResource attachment,
 			@Nullable final Pkcs12Config pkcs12Config,
 			@NotNull final OriginalSmimeDetails messageSmimeDetails) {
 		try {
-			final InternetHeaders internetHeaders = new InternetHeaders();
-			internetHeaders.addHeader("Content-Type", restoreSmimeContentType(attachment, messageSmimeDetails));
-			final MimeBodyPart mimeBodyPart = new MimeBodyPart(internetHeaders, attachment.readAllBytes());
-
-			AttachmentResource liberatedContent = null;
-
-			SmimeState smimeState = determineStatus(mimeBodyPart, messageSmimeDetails);
-			if (smimeState == SIGNED) {
-				if (SmimeUtil.checkSignature(mimeBodyPart)) {
-					MimeBodyPart liberatedBodyPart = SmimeUtil.getSignedContent(mimeBodyPart);
-					liberatedContent = handleLiberatedContent(liberatedBodyPart.getContent());
-				} else {
-					LOGGER.warn("Content is S/MIME signed, but signature is not valid; skipping S/MIME interpeter...");
-				}
-			} else if (smimeState == ENCRYPTED) {
-				if (pkcs12Config != null) {
-					LOGGER.warn("Message was encrypted, but no Pkcs12Config was given to decrypt it with, skipping attachment...");
-					SmimeKey smimeKey = retrieveSmimeKeyFromPkcs12Keystore(pkcs12Config);
-					MimeBodyPart liberatedBodyPart = SmimeUtil.decrypt(mimeBodyPart, smimeKey);
-					liberatedContent = handleLiberatedContent(liberatedBodyPart.getContent());
-				}
+			final MimeBodyPart mimeBodyPart = new MimeBodyPart(new InternetHeaders(), attachment.readAllBytes());
+			mimeBodyPart.addHeader("Content-Type", restoreSmimeContentType(attachment, messageSmimeDetails));
+
+			AttachmentDecryptionResult liberatedContent = null;
+
+			final SmimeStateFixed smimeState = determineStatus(mimeBodyPart, messageSmimeDetails);
+			if (smimeState == SmimeStateFixed.ENCRYPTED) {
+				liberatedContent = getEncryptedContent(pkcs12Config, mimeBodyPart);
+			} else if (smimeState == SmimeStateFixed.SIGNED) {
+				liberatedContent = getSignedContent(mimeBodyPart);
 			}
 
-			return liberatedContent != null
-					? decryptAndUnsignAttachment(liberatedContent, pkcs12Config, messageSmimeDetails)
-					: attachment;
+			return liberatedContent != null ? liberatedContent : new AttachmentDecryptionResultImpl(SmimeMode.PLAIN, attachment);
 		} catch (MessagingException | IOException e) {
 			throw new SmimeException(format(ERROR_DECRYPTING_SMIME_SIGNED_ATTACHMENT, attachment), e);
 		}
 	}
 
+	@Nullable
+	private AttachmentDecryptionResult getEncryptedContent(final @Nullable Pkcs12Config pkcs12Config, final MimeBodyPart mimeBodyPart)
+			throws MessagingException, IOException {
+		if (pkcs12Config != null) {
+			MimeBodyPart liberatedBodyPart = SmimeUtil.decrypt(mimeBodyPart, retrieveSmimeKeyFromPkcs12Keystore(pkcs12Config));
+			if (SmimeUtilFixed.getStatus(liberatedBodyPart) == SmimeStateFixed.SIGNED_ENVELOPED) {
+				final AttachmentDecryptionResult signedContent = getSignedContent(liberatedBodyPart);
+				if (signedContent != null) {
+					return new AttachmentDecryptionResultImpl(SmimeMode.SIGNED_ENCRYPTED, signedContent.getAttachmentResource());
+				}
+				// apparently the sign was invalid, so ignore and continue with the decrypted attachment instead
+			}
+			return new AttachmentDecryptionResultImpl(SmimeMode.ENCRYPTED, handleLiberatedContent(liberatedBodyPart.getContent()));
+		}
+		LOGGER.warn("Message was encrypted, but no Pkcs12Config was given to decrypt it with, skipping attachment...");
+		return null;
+	}
+
+	@Nullable
+	private AttachmentDecryptionResult getSignedContent(final MimeBodyPart mimeBodyPart)
+			throws MessagingException, IOException {
+		if (SmimeUtil.checkSignature(mimeBodyPart)) {
+			MimeBodyPart liberatedBodyPart = SmimeUtil.getSignedContent(mimeBodyPart);
+			return new AttachmentDecryptionResultImpl(SmimeMode.SIGNED, handleLiberatedContent(liberatedBodyPart.getContent()));
+		}
+		LOGGER.warn("Content is S/MIME signed, but signature is not valid; skipping S/MIME interpeter...");
+		return null;
+	}
+
 	private String restoreSmimeContentType(@NotNull final AttachmentResource attachment, final OriginalSmimeDetails originalSmimeDetails) {
 		String contentType = attachment.getDataSource().getContentType();
 		if (contentType.contains("multipart/signed") && !contentType.contains("protocol") && originalSmimeDetails.getSmimeProtocol() != null) {
@@ -299,10 +314,13 @@ protected void updateMessageID() throws MessagingException {
 		return null;
 	}
 
-	private SmimeState determineStatus(@NotNull final MimePart mimeBodyPart, @NotNull final OriginalSmimeDetails messageSmimeDetails) {
-		SmimeState status = SmimeUtil.getStatus(mimeBodyPart);
-		boolean trustStatus = status != ENCRYPTED || messageSmimeDetails.getSmimeMode() == SmimeMode.PLAIN;
-		return trustStatus ? status : "signed-data".equals(messageSmimeDetails.getSmimeType()) ? SIGNED : ENCRYPTED;
+	private SmimeStateFixed determineStatus(@NotNull final MimePart mimeBodyPart, @NotNull final OriginalSmimeDetails messageSmimeDetails) {
+		SmimeStateFixed status = SmimeUtilFixed.getStatus(mimeBodyPart);
+		boolean trustStatus = status != SmimeStateFixed.ENCRYPTED || messageSmimeDetails.getSmimeMode() == SmimeMode.PLAIN;
+		if (trustStatus) {
+			return status;
+		}
+		return "signed-data".equals(messageSmimeDetails.getSmimeType()) ? SmimeStateFixed.SIGNED : SmimeStateFixed.ENCRYPTED;
 	}
 
 	/**
@@ -346,7 +364,7 @@ public String getSignedByAddress(@NotNull MimePart mimePart) {
 	}
 
 	public boolean verifyValidSignature(@NotNull MimeMessage mimeMessage, @NotNull OriginalSmimeDetails messageSmimeDetails) {
-		return determineStatus(mimeMessage, messageSmimeDetails) != SIGNED || SmimeUtil.checkSignature(mimeMessage);
+		return determineStatus(mimeMessage, messageSmimeDetails) != SmimeStateFixed.SIGNED || SmimeUtil.checkSignature(mimeMessage);
 	}
 
 	@NotNull