Trouble receiving signed messages over Blackberry Internet Service
by Volker Weber
Last week I found something that does not work on the Blackberry. I was receiving a message from Thomas Lang. The body was empty. I was suspecting that the message was encrypted and that I could not read it, because nobody had the private key, neither the device, nor the mail gateway.
When I checked my mail with Apple Mail, I found that the message was indeed S/MIME, but it was only signed. I was puzzled, since I had received (clear-)signed messages before on the Blackberry without problems. Looking at the raw message source of messages I was able to read, I found this stucture:
--Apple-Mail-6-605332454
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=US-ASCII;
format=flowedTest
--Apple-Mail-6-605332454
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature;
name=smime.p7s
Content-Disposition: attachment;
filename=smime.p7s... big block of junk goes here ...
--Apple-Mail-6-605332454--
As you can see there is a boundary (--Apple-Mail-6-605332454) between the different parts of the message. The first block contains the message itself, the second part contains the signature that I cut out because it is just a big block of base64 code anyway. However, the message from Thomas was different. It was coming in from Notes 7.0 looked like this:
This is an S/MIME signed message.---------z59229_boundary_sign
Content-Type: multipart/alternative; boundary="=_alternative 0022904DC1257093_="This is a multipart message in MIME format.
--=_alternative 0022904DC1257093_=
Content-Type: text/plain; charset="US-ASCII"Test
--=_alternative 0022904DC1257093_=
Content-Type: text/html; charset="US-ASCII"<br><font size=2 face="sans-serif">Test</font>
--=_alternative 0022904DC1257093_=-----------z59229_boundary_sign
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature... big block of junk goes here ...
---------z59229_boundary_sign--
We tried the same with Notes 6.5, and it uses exactly the same format. I suspect that the Blackberry Internet Service chokes on the two level boundaries. The first one (---------z59229_boundary_sign--) separates the message from the signature, whereas the second one (--=_alternative 0022904DC1257093_=--) separates the two different MIME parts which contain the message as both text and HTML.
Sending the same message to a Blackberry Enterprise Server does not cause any trouble. The BES is able to send a readable message to the client, where the BIS fails.
Does anybody know enough about the two different formats to explain?
Comments
Don't know if this is related but I remember a case where someone complained about the MIME encoding of Notes because it adds blank lines before and/or after the boundaries. Somehow he had problems with these attachments and insisted these blank lines shouldn't be there. I didn't find any specification which forbids this, though.
Yes, I can explain but I think you already have it.
The difference between the two is that the Notes message has text and HTML alternatives. If you try sending a signed message in plain text only from Notes, you will see that the structure is very similar to your Apple Mail example and I expect the BIS server would have no trouble with it.
The faulty behaviour here is in BIS, not Notes.
Chris, we just tested this, and you are right. When Notes is set to send Text Only or HTML Only, then BIS does not have have a problem. It is only when Notes send Text and HTML, and the user signs a messages, BIS is no longer able to decode it. We shall report this to RIM as a bug.