From: Eric Abrahamsen
Newsgroups: gmane.emacs.bugs
Subject: bug#67931: [PATCH] Use S/MIME key from content for mail signing via OpenSSL
Date: Thu, 09 May 2024 16:47:13 -0700
Message-ID: <87fruqsg3i.fsf@ericabrahamsen.net>
References: <8734vx6mk7.fsf@yshyn.com> <86y18lajgd.fsf@gnu.org> <87wmo5rq93.fsf@ericabrahamsen.net>
To: Illia Ostapyshyn
Cc: larsi@gnus.org, Eli Zaretskii, 67931@debbugs.gnu.org, stefankangas@gmail.com
In-Reply-To: (Illia Ostapyshyn's message of "Wed, 08 May 2024 14:28:37 +0200")
User-Agent: Gnus/5.13 (Gnus v5.13)
Illia Ostapyshyn writes:

> Eric Abrahamsen writes:
>
>> The patch seems to work as intended -- I won't claim to know enough
>> about SMIME to know if it does the right thing or not. Can you briefly
>> explain what the additional certificates actually do, and why they're
>> useful in signing but not in encryption?
>
> End-user SMIME certificates are signed by the (intermediate) CAs that
> issued them. The issuer's certificate can be in turn signed by another
> CA up the hierarchy, resulting in a chain that ends with the implicitly
> trusted root authority. When signing a message, you can include the
> intermediate CA certificates, allowing the recipient to verify the whole
> chain. With openssl, this is done via the -certfile argument [1]:
>
>   -certfile file
>       Allows additional certificates to be specified. When signing these
>       will be included with the message. When verifying these will be
>       searched for the signers certificates.

...

Thanks! So basically like TLS cert chaining.

> Encryption is orthogonal to this: it only uses the public keys of your
> recipients from their certificates, the chain is irrelevant.

I'm mostly trying to understand how broken this was, prior to this
patch. Obviously there was the hard-coding of the key, the original
issue. Has encryption been broken this whole time, too? Encryption is a
separate MML tag, right? And also a separate cert (the recipient's, not
the user's). Why would additional certificates on your own certfile
interfere with the process of encrypting to the user? I'm not trying to
be difficult, I'd just like to have a better grasp of what's going on
here!

> The MML tag parameter names are a bit unfortunate here: the new
> `chainfile' parameter translates to "-certfile" arguments and the
> existing `certfile' parameters translate to positional "recipcert"
> arguments of openssl [1].

I'm not too concerned about that, the vast majority of the time this
process should be automatic.

Eric
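As an added example (not code from this thread, from Emacs or from Gnus), the script below builds a throwaway root -> intermediate -> user S/MIME chain with openssl and runs the two operations the exchange above contrasts: it signs the same message once without and once with `-certfile intermediate.pem`, shows that a recipient who trusts only the root can verify only the latter (the chainless signature verifies only once the recipient has the intermediate locally), and then encrypts to the user with nothing but her leaf certificate, the positional recipcert. Every name in it (Demo Root CA, alice@example.test, the file names) is constructed for the demo; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH and a POSIX sh.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from Emacs/Gnus: a throwaway
# root -> intermediate -> user S/MIME chain built with openssl, used to show
# what -certfile (Gnus' new `chainfile') adds to a signature and why the
# chain never enters into encryption.  All names below are made up.
set -u

# Build the demo PKI in directory $1.  Keys are left unencrypted (-nodes)
# only because the whole directory is deleted afterwards.
smime_build_chain() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$d/ca.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$d/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.test
EOF
    # Self-signed root: the only certificate the recipient will trust.
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" \
        2>/dev/null || return 1
    # Intermediate CA issued by the root.
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout "$d/intermediate.key" \
        -out "$d/intermediate.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 1 -extfile "$d/ca.ext" \
        -out "$d/intermediate.pem" 2>/dev/null || return 1
    # Alice's end-entity certificate, issued by the intermediate only.
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Alice/emailAddress=alice@example.test" \
        -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/alice.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 1 \
        -extfile "$d/leaf.ext" -out "$d/alice.pem" 2>/dev/null || return 1
    printf 'The quick brown fox\n' > "$d/msg.txt"
}

# Sign $1/msg.txt as Alice into $2.  If $3 names a file, its certificates
# are embedded in the signature via -certfile (the `chainfile' side).
smime_sign() {
    if [ -n "$3" ]; then
        openssl smime -sign -in "$1/msg.txt" -signer "$1/alice.pem" \
            -inkey "$1/alice.key" -certfile "$3" -out "$2"
    else
        openssl smime -sign -in "$1/msg.txt" -signer "$1/alice.pem" \
            -inkey "$1/alice.key" -out "$2"
    fi
}

# Exit 0 iff openssl verifies signed message $1 trusting only the certs in
# $2 (-no-CApath keeps the system store out).  A missing intermediate shows
# up as "unable to get local issuer certificate".
smime_verify_ok() {
    openssl smime -verify -in "$1" -CAfile "$2" -no-CApath \
        -out /dev/null 2>/dev/null
}

# Encrypt $1/msg.txt to Alice with nothing but her own certificate (the
# positional recipcert, Gnus' `certfile'), decrypt with her key and print the
# text.  No CA certificate is consulted in either direction.
smime_encrypt_roundtrip() {
    openssl smime -encrypt -aes256 -in "$1/msg.txt" -out "$1/enc.p7m" \
        "$1/alice.pem" &&
    openssl smime -decrypt -in "$1/enc.p7m" -recip "$1/alice.pem" \
        -inkey "$1/alice.key" | tr -d '\r'
}

smime_demo() {
    w=$(mktemp -d)
    smime_build_chain "$w" || { echo "PKI setup failed"; return 1; }
    smime_sign "$w" "$w/no_chain.p7m" ""
    smime_sign "$w" "$w/with_chain.p7m" "$w/intermediate.pem"
    cat "$w/root.pem" "$w/intermediate.pem" > "$w/root_and_intermediate.pem"
    for f in no_chain with_chain; do
        for ca in root root_and_intermediate; do
            if smime_verify_ok "$w/$f.p7m" "$w/$ca.pem"; then r=OK; else r=FAIL; fi
            echo "$f.p7m verified against $ca.pem: $r"
        done
    done
    echo "decrypted: $(smime_encrypt_roundtrip "$w")"
    rm -rf "$w"
}

smime_demo
```

Running it prints FAIL only for `no_chain.p7m` against `root.pem`: without the embedded intermediate, the recipient's chain building stops at the first issuer it cannot find, which is exactly the situation the `chainfile` parameter exists to avoid. The encrypt/decrypt round trip never touches `root.pem` or `intermediate.pem`, which is the "orthogonal" point made above. Note that `-certfile` on the signing side is what gets embedded; a recipient cannot repair a chainless signature except by trusting or locating the intermediate itself.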