
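#!/usr/bin/env bash
#
# S/MIME test suite: signature verification and decryption through the
# notmuch CLI, cross-checked against openssl.  Relies on the helpers from
# test-lib.sh (test_begin_subtest, test_expect_*, add_gpgsm_home,
# add_email_corpus, ...), on openssl and gpgsm being installed, and on
# NOTMUCH_SRCDIR pointing at the source tree that holds test/smime/.

test_description='S/MIME signature verification and decryption'
. "$(dirname "$0")/test-lib.sh" || exit 1

test_require_external_prereq openssl
test_require_external_prereq gpgsm

# Fingerprint of the test signing certificate, as a bare 40-hex-digit string
# matching the form notmuch prints in its JSON "crypto"/"sigstatus" nodes.
# The digest is pinned to SHA-1 explicitly: openssl's default for -fingerprint
# is currently SHA-1, but the comparisons below need a SHA-1 fingerprint even
# if that default ever changes.  sed drops the "SHA1 Fingerprint=" prefix and
# the colon separators.
FINGERPRINT=$(openssl x509 -sha1 -fingerprint \
    -in "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" -noout \
    | sed -e 's/^.*=//' -e 's/://g')

add_gpgsm_home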

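test_begin_subtest "emacs delivery of S/MIME signed message"
# The whole command is handed to test_expect_success as one string, which
# runs it and records the subtest result.
test_expect_success \
     'emacs_fcc_message \
     "test signed message 001" \
     "This is a test signed message." \
     "(mml-secure-message-sign \"smime\")"'

test_begin_subtest "emacs delivery of S/MIME encrypted + signed message"
# Hard code the MML to avoid several interactive questions
test_expect_success \
'emacs_fcc_message \
    "test encrypted message 001" \
    "<#secure method=smime mode=signencrypt>\nThis is a test encrypted message.\n"'

test_begin_subtest "Signature verification (openssl)"
# Independent check with openssl rather than notmuch's own verifier.  Only
# openssl's diagnostic on stderr is compared; the verified payload it writes
# to stdout is not examined by this subtest.
notmuch show --format=raw subject:"test signed message 001" \
    | openssl smime -verify -CAfile "$NOTMUCH_SRCDIR/test/smime/test.crt" 2>OUTPUT
cat <<'EOF' > EXPECTED
Verification successful
EOF
test_expect_equal_file EXPECTED OUTPUT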

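test_begin_subtest "signature verification (notmuch CLI)"
# Normalize the fields that vary between runs (message id and filename via
# the sanitizer, signature "created"/"expires" timestamps via sed) so the
# JSON can be compared against a fixed expectation.
output=$(notmuch show --format=json --verify subject:"test signed message 001" \
    | notmuch_json_show_sanitize \
    | sed -e 's|"created": [-1234567890]*|"created": 946728000|g' \
          -e 's|"expires": [-1234567890]*|"expires": 424242424|g' )
# FINGERPRINT is spliced into the single-quoted JSON text; it is
# double-quoted so it is inserted as a single word regardless of IFS.
expected='[[[{"id": "XXXXX",
 "match": true,
 "excluded": false,
 "filename": ["YYYYY"],
 "timestamp": 946728000,
 "date_relative": "2000-01-01",
 "tags": ["inbox","signed"],
 "crypto": {"signed": {"status": [{"fingerprint": "'"$FINGERPRINT"'", "status": "good","userid": "CN=Notmuch Test Suite","expires": 424242424, "created": 946728000}]}},
 "headers": {"Subject": "test signed message 001",
 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
 "To": "test_suite@notmuchmail.org",
 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
 "body": [{"id": 1,
 "sigstatus": [{"fingerprint": "'"$FINGERPRINT"'",
 "status": "good",
 "userid": "CN=Notmuch Test Suite",
 "expires": 424242424,
 "created": 946728000}],
 "content-type": "multipart/signed",
 "content": [{"id": 2,
 "content-type": "text/plain",
 "content": "This is a test signed message.\n"},
 {"id": 3,
  "content-disposition": "attachment",
  "content-length": "NONZERO",
  "content-transfer-encoding": "base64",
  "content-type": "application/pkcs7-signature",
  "filename": "smime.p7s"}]}]},
 []]]]'
test_expect_equal_json \
    "$output" \
    "$expected"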

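test_begin_subtest "Decryption and signature verification (openssl)"
# Same cross-check as for the signed message, with a decryption step first.
# Only openssl's stderr diagnostic is compared.
notmuch show --format=raw subject:"test encrypted message 001" \
    | openssl smime -decrypt -recip "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \
    | openssl smime -verify -CAfile "$NOTMUCH_SRCDIR/test/smime/test.crt" 2>OUTPUT
cat <<'EOF' > EXPECTED
Verification successful
EOF
test_expect_equal_file EXPECTED OUTPUT

test_begin_subtest "Decryption (notmuch CLI)"
# Pick out just the body line so header and MIME scaffolding do not matter.
notmuch show --decrypt=true subject:"test encrypted message 001" \
    | grep "^This is a" > OUTPUT
cat <<'EOF' > EXPECTED
This is a test encrypted message.
EOF
test_expect_equal_file EXPECTED OUTPUT

test_begin_subtest "Cryptographic message status (encrypted+signed)"
output=$(notmuch show --format=json --decrypt=true subject:"test encrypted message 001")
# NOTE(review): the fingerprint here is hard-coded whereas the signed-message
# subtest compares against $FINGERPRINT derived from key+cert.pem.  If this
# message is signed with that same certificate, the two must agree and the
# literal could be replaced by "'"$FINGERPRINT"'" -- confirm before changing.
test_json_nodes <<<"$output" \
                'crypto_encrypted:[0][0][0]["crypto"]["decrypted"]["status"]="full"' \
                'crypto_sigok:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \
                'crypto_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="616F46CD73834C63847756AF0DFB64A6E0972A47"' \
                'crypto_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Notmuch Test Suite"'

# Before the message is reindexed with decryption, notmuch only knows it is
# encrypted: the signature inside the encrypted body has not been seen, so
# no "signed" tag is present and the cleartext is not searchable.
test_begin_subtest "encrypted+signed message is known to be encrypted, but signature is unknown"
output=$(notmuch search subject:"test encrypted message 001")
test_expect_equal "$output" "thread:0000000000000002   2000-01-01 [1/1] Notmuch Test Suite; test encrypted message 001 (encrypted inbox)"

test_begin_subtest "Encrypted body is not indexed"
output=$(notmuch search 'this is a test encrypted message')
test_expect_equal "$output" ""

# Reindexing with --decrypt=true makes notmuch decrypt the message while
# indexing.  The subtests below show the consequences: the inner signature
# becomes known (the "signed" tag appears) and the decrypted body text is
# now findable through search, i.e. cleartext of the encrypted message ends
# up in the index.
test_begin_subtest "Reindex cleartext"
test_expect_success "notmuch reindex --decrypt=true subject:'test encrypted message 001'"

test_begin_subtest "signature is now known"
output=$(notmuch search subject:"test encrypted message 001")
test_expect_equal "$output" "thread:0000000000000002   2000-01-01 [1/1] Notmuch Test Suite; test encrypted message 001 (encrypted inbox signed)"

test_begin_subtest "Encrypted body is indexed"
output=$(notmuch search 'this is a test encrypted message')
test_expect_equal "$output" "thread:0000000000000002   2000-01-01 [1/1] Notmuch Test Suite; test encrypted message 001 (encrypted inbox signed)"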
# The remaining subtests use a pre-built corpus of PKCS#7 messages
# (one-part application/pkcs7-mime SignedData, not multipart/signed).
add_email_corpus pkcs7

# The signed payload's text must be indexed so the message can be found.
test_begin_subtest "index PKCS#7 SignedData message"
output=$(notmuch search --output=messages Thanks)
expected=id:smime-onepart-signed@protected-headers.example
test_expect_equal "$expected" "$output"

# Certificates carried inside the SignedData blob must not leak into the
# full-text index: searching for text found only in them returns nothing.
test_begin_subtest "do not index embedded certificates from PKCS#7 SignedData"
output=$(notmuch search --output=messages 'LAMPS Certificate')
expected=''
test_expect_equal "$expected" "$output"

test_begin_subtest "know the MIME type of the embedded part in PKCS#7 SignedData"
output=$(notmuch search --output=messages 'mimetype:text/plain')
expected=id:smime-onepart-signed@protected-headers.example
test_expect_equal "$expected" "$output"

test_begin_subtest "PKCS#7 SignedData message is tagged 'signed'"
output=$(notmuch dump id:smime-onepart-signed@protected-headers.example)
expected='#notmuch-dump batch-tag:3 config,properties,tags
+inbox +signed +unread -- id:smime-onepart-signed@protected-headers.example'
test_expect_equal "$expected" "$output"

test_begin_subtest "show contents of PKCS#7 SignedData message"
output=$(notmuch show --format=raw --part=2 id:smime-onepart-signed@protected-headers.example)
# The signature separator line is "-- " with a trailing space.  It is spliced
# in via a variable so that editors stripping trailing whitespace cannot
# silently corrupt the expected text.
whitespace=' '
expected="Bob, we need to cancel this contract.

Please start the necessary processes to make that happen today.

Thanks, Alice
--${whitespace}
Alice Lovelace
President
OpenPGP Example Corp"
test_expect_equal "$expected" "$output"

# Reply must quote the decoded signed payload, not the PKCS#7 blob, and the
# To: line must be built from the original message's headers.  Quoted blank
# lines become ">" followed by a space, hence ${whitespace} again.
test_begin_subtest "reply to PKCS#7 SignedData message with proper quoting and attribution"
output=$(notmuch reply id:smime-onepart-signed@protected-headers.example)
expected="From: Notmuch Test Suite <test_suite@notmuchmail.org>
Subject: Re: The FooCorp contract
To: Alice Lovelace <alice@smime.example>, Bob Babbage <bob@smime.example>
In-Reply-To: <smime-onepart-signed@protected-headers.example>
References: <smime-onepart-signed@protected-headers.example>

On Tue, 26 Nov 2019 20:11:29 -0400, Alice Lovelace <alice@smime.example> wrote:
> Bob, we need to cancel this contract.
>${whitespace}
> Please start the necessary processes to make that happen today.
>${whitespace}
> Thanks, Alice
> --${whitespace}
> Alice Lovelace
> President
> OpenPGP Example Corp"
test_expect_equal "$expected" "$output"

test_begin_subtest "show PKCS#7 SignedData outputs valid JSON"
output=$(notmuch show --format=json id:smime-onepart-signed@protected-headers.example)
test_valid_json "$output"

# The signature status is checked node by node.  The fingerprint and the
# created/expires timestamps are fixed properties of the corpus message's
# signing certificate; "$output" is reused by the following subtest.
test_begin_subtest "Verify signature on PKCS#7 SignedData message"
output=$(notmuch show --format=json id:smime-onepart-signed@protected-headers.example)

test_json_nodes <<<"$output" \
                'created:[0][0][0]["crypto"]["signed"]["status"][0]["created"]=1574813489' \
                'expires:[0][0][0]["crypto"]["signed"]["status"][0]["expires"]=2611032858' \
                'fingerprint:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \
                'status:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"'

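test_begin_subtest "Verify signature on PKCS#7 SignedData message signer User ID"
# NOTMUCH_GMIME_X509_CERT_VALIDITY is expected from the test environment
# (presumably set by the build configuration -- verify).  When it is not 1
# the signer's User ID is not expected to be reported and the subtest is
# marked known-broken.  The variable is quoted so a missing value yields a
# single non-numeric operand (test fails, subtest not marked broken) instead
# of a malformed expression.
if [ "$NOTMUCH_GMIME_X509_CERT_VALIDITY" -ne 1 ]; then
    test_subtest_known_broken
fi
# Reuses "$output" from the preceding subtest (set outside this block).
test_json_nodes <<<"$output" \
                'userid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"'

test_done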
