From: Illia Ostapyshyn
Newsgroups: gmane.emacs.bugs
Subject: bug#67931: [PATCH] Use S/MIME key from content for mail signing via OpenSSL
Date: Mon, 06 May 2024 20:46:33 +0200
References: <8734vx6mk7.fsf@yshyn.com>
In-Reply-To: (Illia Ostapyshyn's message of "Mon, 06 May 2024 20:43:44 +0200")
To: Illia Ostapyshyn
Cc: Lars Ingebrigtsen, 17780@debbugs.gnu.org, Stefan Kangas, Jan Beich, 67931@debbugs.gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13)

Sorry, forgot to attach the patch, sending it with this email.

[Attachment: 0001-Use-proper-smime-keys-entry-for-S-MIME-signatures-us.patch (text/x-patch)]

>From b228ee97f41911f2aba7b98ae1b5d1226e95e099 Mon Sep 17 00:00:00 2001
From: Illia Ostapyshyn
Date: Mon, 6 May 2024 20:24:22 +0200
Subject: [PATCH] Use proper smime-keys entry for S/MIME signatures using OpenSSL

* lisp/gnus/mml-smime.el (mml-smime-openssl-sign-query): Include the
additional certificates from smime-keys in plist for MML tag generation.
(mml-smime-openssl-sign): Forward certfile entries from the MML tag to
smime-sign-buffer.
* doc/misc/emacs-mime.texi (MML Definition): certfile parameter is now
common to both sign and encrypt. Clarify that certfile entries can be
repeated.
; * lisp/gnus/smime.el (smime-sign-region): Fix typo in documentation.
; (smime-sign-buffer): Improve documentation to match smime-sign-region.
---
 doc/misc/emacs-mime.texi | 11 +++-------
 lisp/gnus/mml-smime.el   | 46 +++++++++++++++++++++++-----------------
 lisp/gnus/smime.el       |  7 ++++--
 3 files changed, 34 insertions(+), 30 deletions(-)

diff --git a/doc/misc/emacs-mime.texi b/doc/misc/emacs-mime.texi
index 96a6328cd47..e3e33bad8b4 100644
--- a/doc/misc/emacs-mime.texi
+++ b/doc/misc/emacs-mime.texi
@@ -780,21 +780,16 @@ MML Definition @end table -Parameters for @samp{sign=smime}: +Parameters for @samp{sign=smime} and @samp{encrypt=smime}: @table @samp @item keyfile File containing key and certificate for signer. -@end table - -Parameters for @samp{encrypt=smime}: - -@table @samp - @item certfile -File containing certificate for recipient. +File containing certificate for recipient. May appear multiple times +for multiple certificates. @end table diff --git a/lisp/gnus/mml-smime.el b/lisp/gnus/mml-smime.el index 3064c46d2a3..17b338755e3 100644 --- a/lisp/gnus/mml-smime.el +++ b/lisp/gnus/mml-smime.el @@ -129,11 +129,15 @@ mml-smime-verify-test (if func (funcall func handle ctl)))) -(defun mml-smime-openssl-sign (_cont) - (when (null smime-keys) - (customize-variable 'smime-keys) - (error "No S/MIME keys configured, use customize to add your key")) - (smime-sign-buffer (cdar smime-keys)) +(defun mml-smime-openssl-sign (cont) + (smime-sign-buffer + ;; List with key and certificate as its car, and a list of additional + ;; certificates to include in its cadr for smime-sign-region + (list + (cdr (assq 'keyfile cont)) + (mapcar #'cdr (cl-remove-if-not (apply-partially #'equal 'certfile) + cont + :key #'car-safe)))) (goto-char (point-min)) (while (search-forward "\r\n" nil t) (replace-match "\n" t t)) 
@@ -167,21 +171,23 @@ mml-smime-openssl-sign-query (when (null smime-keys) (customize-variable 'smime-keys) (error "No S/MIME keys configured, use customize to add your key")) - (list 'keyfile - (if (= (length smime-keys) 1) - (cadar smime-keys) - (or (let ((from (cadr (mail-extract-address-components - (or (save-excursion - (save-restriction - (message-narrow-to-headers) - (message-fetch-field "from"))) - ""))))) - (and from (smime-get-key-by-email from))) - (smime-get-key-by-email - (gnus-completing-read "Sign this part with what signature" - (mapcar #'car smime-keys) nil nil nil - (and (listp (car-safe smime-keys)) - (caar smime-keys)))))))) + (let ((key-with-certs + (if (= (length smime-keys) 1) + (cdar smime-keys) + (or (let ((from (cadr (mail-extract-address-components + (or (save-excursion + (save-restriction + (message-narrow-to-headers) + (message-fetch-field "from"))) + ""))))) + (and from (smime-get-key-with-certs-by-email from))) + (smime-get-key-with-certs-by-email + (gnus-completing-read "Sign this part with what signature" + (mapcar #'car smime-keys) nil nil nil + (and (listp (car-safe smime-keys)) + (caar smime-keys)))))))) + (append (list 'keyfile (car key-with-certs)) + (mapcan (apply-partially #'list 'certfile) (cadr key-with-certs))))) (defun mml-smime-get-file-cert () (ignore-errors diff --git a/lisp/gnus/smime.el b/lisp/gnus/smime.el index b61579912dd..987bc7273db 100644 --- a/lisp/gnus/smime.el +++ b/lisp/gnus/smime.el @@ -261,7 +261,7 @@ smime-sign-region If signing fails, the buffer is not modified. Region is assumed to have proper MIME tags. KEYFILE is expected to contain a PEM encoded private key and certificate as its car, and a list of additional -certificates to include in its caar. If no additional certificates is +certificates to include in its cadr. If no additional certificates are included, KEYFILE may be the file containing the PEM encoded private key and certificate itself." (smime-new-details-buffer) 
@@ -327,7 +327,10 @@ smime-encrypt-region (defun smime-sign-buffer (&optional keyfile buffer) "S/MIME sign BUFFER with key in KEYFILE. -KEYFILE should contain a PEM encoded key and certificate." +KEYFILE is expected to contain a PEM encoded private key and certificate +as its car, and a list of additional certificates to include in its +cadr. If no additional certificates are included, KEYFILE may be the +file containing the PEM encoded private key and certificate itself." (interactive) (with-current-buffer (or buffer (current-buffer)) (unless (smime-sign-region -- 2.39.2 --=-=-=--
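Review bot: merging the two parameter tables in the emacs-mime.texi hunk puts @item keyfile under @samp{encrypt=smime} as well, although it was previously documented only for @samp{sign=smime} and its description still reads "for signer"; either keep keyfile in a sign-only table or add a sentence after its description stating that it applies to sign=smime only, so readers do not start adding keyfile to encrypt tags.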
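Review bot: in the mml-smime-openssl-sign hunk the `(when (null smime-keys) ...)` guard is dropped and nothing checks that CONT actually carries a keyfile, so a hand-written `<#part sign=smime>` tag without one reaches smime-sign-buffer with (nil nil) as KEYFILE and fails inside the OpenSSL invocation instead of with a clear message; consider something like `(or (cdr (assq 'keyfile cont)) (error "No keyfile in S/MIME sign tag"))` before building the list.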
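Review bot: in the mml-smime-openssl-sign-query hunk, when neither the From-address lookup nor the completing-read choice matches an smime-keys entry, key-with-certs is nil and the returned plist is just (keyfile nil), so the failure only surfaces later during signing; signal a user-error at that point, next to the existing "No S/MIME keys configured" check, when smime-get-key-with-certs-by-email returns nil. The commit message should also mention that this relies on the existing smime-get-key-with-certs-by-email helper in smime.el, since the patch does not add it.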