From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dkg@fifthhorseman.net>
Received: from localhost (localhost [127.0.0.1])
 by arlo.cworth.org (Postfix) with ESMTP id 76C806DE12EB
 for <notmuch@notmuchmail.org>; Sun, 26 May 2019 15:16:24 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at cworth.org
X-Spam-Flag: NO
X-Spam-Score: -0.176
X-Spam-Level: 
X-Spam-Status: No, score=-0.176 tagged_above=-999 required=5 tests=[AWL=0.025, 
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001]
 autolearn=disabled
Received: from arlo.cworth.org ([127.0.0.1])
 by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id vozDGYpUYaha for <notmuch@notmuchmail.org>;
 Sun, 26 May 2019 15:16:23 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118])
 by arlo.cworth.org (Postfix) with ESMTPS id 273C86DE138C
 for <notmuch@notmuchmail.org>; Sun, 26 May 2019 15:16:20 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; 
 d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; 
 s=2019; t=1558908979; h=from : to : subject : date : 
 message-id : in-reply-to : references : mime-version : 
 content-transfer-encoding : from; 
 bh=MaqevW74kdN/mA80hIpOdWUhTzUg8apIqNEAmq2UJ4o=; 
 b=HmzS8Qy3E8iQ812ONEdIznKwpxWdOASCskbejcIIMj9I78LfS/qBOL64
 R5untY3FpS5kIsfENPYAlG9ZLguBAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; 
 i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1558908978; 
 h=from : to : subject : date : message-id : in-reply-to : 
 references : mime-version : content-transfer-encoding : 
 from; bh=MaqevW74kdN/mA80hIpOdWUhTzUg8apIqNEAmq2UJ4o=; 
 b=V2N6yhVkbIRRp2+ZoD8eVBM4McD2zhOa5IcrL8QEXj8+MRS83RyyfRHy
 hXndcDcsfHmRfGOMYCECsGhBsheRsdrRfcNoKdSWFdttwEy1FjvymLFpYv
 ysAAsAonjE7OMrxRUrbP/LNjJDcvJmOxCU95DEg3IG73VvbBjIMgkMXGU1
 HcFTd6JBUevSZlkw7fZWvOOzK3Jv3auVlZUOX703NMeMEUlg4dtzAgN1OZ
 0UnuXhgWiSDz9KTKhLug+7E13pnehoU/O/k6Zl/C2zG3upK7ykACwceKwq
 eWjT7fJ5CroqwKWk4cMCczCLw6RozmUde0ZAyWWTxQMf2uvVWokrNA==
Received: from fifthhorseman.net (cpe-74-71-53-242.nyc.res.rr.com
 [74.71.53.242])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by che.mayfirst.org (Postfix) with ESMTPSA id D8A76F9AD
 for <notmuch@notmuchmail.org>; Sun, 26 May 2019 18:16:18 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id 5AE8B20D4B; Sun, 26 May 2019 18:16:14 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Notmuch Mail <notmuch@notmuchmail.org>
Subject: [PATCH v2 06/17] cli/show: add information about which headers were
 protected
Date: Sun, 26 May 2019 18:15:59 -0400
Message-Id: <20190526221610.2833-7-dkg@fifthhorseman.net>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190526221610.2833-1-dkg@fifthhorseman.net>
References: <20190526221610.2833-1-dkg@fifthhorseman.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Use and development of the notmuch mail system."
 <notmuch.notmuchmail.org>
List-Unsubscribe: <https://notmuchmail.org/mailman/options/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch/>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <https://notmuchmail.org/mailman/listinfo/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Sun, 26 May 2019 22:16:24 -0000

The header-mask member of the per-message crypto object allows a
clever UI frontend to mark whether a header was protected (or not).
And if it was protected, it contains enough information to show useful
detail to an interested user.  For example, an MUA could offer a "show
what this message's Subject looked like on the wire" feature in expert
mode.

As before, we only handle Subject for now, but we might be able to
handle other headers in the future.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 devel/schemata                 |  6 ++++++
 notmuch-show.c                 | 21 +++++++++++++++++++++
 test/T356-protected-headers.sh |  4 ++--
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/devel/schemata b/devel/schemata
index 72feb7b7..9d3c8d30 100644
--- a/devel/schemata
+++ b/devel/schemata
@@ -88,9 +88,15 @@ crypto = {
                   status:      sigstatus,
                   # was the set of signatures described under encrypted cover?
                   encrypted:   bool,
+                  # which of the headers is covered by sigstatus?
+                  headers:     [header_name*]
                 },
     decrypted?: {
                   status: msgdecstatus,
+                  # map encrypted headers that differed from the outside headers.
+                  # the value of each item in the map is what that field showed externally
+                  # (maybe null if it was not present in the external headers).
+                  header-mask:  { header_name: string|null,*}
                 }
 }
 
diff --git a/notmuch-show.c b/notmuch-show.c
index b1f6a4bb..4dfe9c1d 100644
--- a/notmuch-show.c
+++ b/notmuch-show.c
@@ -645,6 +645,12 @@ format_part_sprinter (const void *ctx, sprinter_t *sp, mime_node_t *node,
 			sp->map_key (sp, "encrypted");
 			sp->boolean (sp, msg_crypto->signature_encrypted);
 		    }
+		    if (msg_crypto->payload_subject) {
+			sp->map_key (sp, "headers");
+			sp->begin_list (sp);
+			sp->string (sp, "Subject");
+			sp->end (sp);
+		    }
 		    sp->end (sp);
 		}
 		if (msg_crypto->decryption_status != NOTMUCH_MESSAGE_DECRYPTED_NONE) {
@@ -652,6 +658,21 @@ format_part_sprinter (const void *ctx, sprinter_t *sp, mime_node_t *node,
 		    sp->begin_map (sp);
 		    sp->map_key (sp, "status");
 		    sp->string (sp, msg_crypto->decryption_status == NOTMUCH_MESSAGE_DECRYPTED_FULL ? "full" : "partial");
+
+		    if (msg_crypto->payload_subject) {
+			const char *subject = g_mime_message_get_subject GMIME_MESSAGE (node->part);
+			if (subject == NULL || strcmp (subject, msg_crypto->payload_subject)) {
+			    /* protected subject differs from the external header */
+			    sp->map_key (sp, "header-mask");
+			    sp->begin_map (sp);
+			    sp->map_key (sp, "Subject");
+			    if (subject == NULL)
+				sp->null (sp);
+			    else
+				sp->string (sp, subject);
+			    sp->end (sp);
+			}
+		    }
 		    sp->end (sp);
 		}
 	    }
diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index 8a8fef6a..68d431e9 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -22,7 +22,7 @@ test_json_nodes <<<"$output" \
 test_begin_subtest "verify protected header is visible with decryption"
 output=$(notmuch show --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)
 test_json_nodes <<<"$output" \
-                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \
+                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
                 'subject:[0][0][0]["headers"]["Subject"]="This is a protected header"'
 
 test_begin_subtest "misplaced protected headers should not be made visible during decryption"
@@ -58,7 +58,7 @@ test_json_nodes <<<"$output" \
 test_begin_subtest "verify nested message/rfc822 protected header is visible"
 output=$(notmuch show --decrypt=true --format=json id:nested-rfc822-message@crypto.notmuchmail.org)
 test_json_nodes <<<"$output" \
-                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \
+                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
                 'subject:[0][0][0]["headers"]["Subject"]="This is a message using draft-melnikov-smime-header-signing"'
 
 test_done
-- 
2.20.1