From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <notmuch-bounces@notmuchmail.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id eLRPEF99qF4yYAAA0tVLHw
	(envelope-from <notmuch-bounces@notmuchmail.org>)
	for <larch@yhetil.org>; Tue, 28 Apr 2020 19:00:47 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id 8Km8CGd9qF7kXQAAB5/wlQ
	(envelope-from <notmuch-bounces@notmuchmail.org>)
	for <larch@yhetil.org>; Tue, 28 Apr 2020 19:00:55 +0000
Received: from arlo.cworth.org (arlo.cworth.org [50.126.95.6])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 7714D941BD3
	for <larch@yhetil.org>; Tue, 28 Apr 2020 19:00:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by arlo.cworth.org (Postfix) with ESMTP id D85EB6DE10D2;
	Tue, 28 Apr 2020 11:59:42 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at cworth.org
Received: from arlo.cworth.org ([127.0.0.1])
	by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 1n7lI9S4NQM9; Tue, 28 Apr 2020 11:59:42 -0700 (PDT)
Received: from arlo.cworth.org (localhost [IPv6:::1])
	by arlo.cworth.org (Postfix) with ESMTP id 019AD6DE1410;
	Tue, 28 Apr 2020 11:58:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by arlo.cworth.org (Postfix) with ESMTP id 0A9716DE10B1
 for <notmuch@notmuchmail.org>; Tue, 28 Apr 2020 11:58:55 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at cworth.org
Received: from arlo.cworth.org ([127.0.0.1])
 by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id cEYTSZr0GBb4 for <notmuch@notmuchmail.org>;
 Tue, 28 Apr 2020 11:58:54 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117])
 by arlo.cworth.org (Postfix) with ESMTPS id 009806DE10B3
 for <notmuch@notmuchmail.org>; Tue, 28 Apr 2020 11:58:24 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple;
 d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019;
 t=1588100303; h=from : to : subject : date : message-id : in-reply-to
 : references : mime-version : content-transfer-encoding : from;
 bh=Yr5qSMI/wmlCmQtf2cbo1R+eLAkaEY2RBqfYOpO5L8Y=;
 b=+nW/dKWJWYJ3cOqD48I+OQV+HIYCDO1EKdgqWepRRUD7hZvbSJATIwvKFmMx9k+4z38ZP
 swadW+B1+zFwawdBQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net;
 i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1588100303; h=from : to
 : subject : date : message-id : in-reply-to : references :
 mime-version : content-transfer-encoding : from;
 bh=Yr5qSMI/wmlCmQtf2cbo1R+eLAkaEY2RBqfYOpO5L8Y=;
 b=hMncP+SJ1MHQ0Fs3LvR10MKLFI5P8oW6HkQlXHJZ1PMFoH3cCYgDOeT3vOIf6rohGckHp
 gfZsWjYOnYg92a0SQnQZp1+58G/1RbM9kpFm81GfqucfggS2sUljmSLKh1vv+p48Arib8gk
 07HHaPq7XwxzRJynfTr0Inreu/3MDqzRFWFcOegsk7zWFg8tnuFdg7qddgS4LNwVd7EAa3O
 H1uuH3HsnDBzGMXlX5xCGPJw990hYusub9EGe/SGh9KLCilK/wnosEJmR728Ua37ih1IyEz
 P3DRRpjw6MV17wxvfNBeMmKKU9wIErquyJ5nlc2FPr30zXzuimwqopFEoF8Q==
Received: from fifthhorseman.net (unknown
 [IPv6:2001:470:1f07:60d:f2de:f1ff:fec3:d109])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits))
 (No client certificate requested)
 by che.mayfirst.org (Postfix) with ESMTPSA id 2CCF4F9A5
 for <notmuch@notmuchmail.org>; Tue, 28 Apr 2020 14:58:23 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id 54054228BB; Tue, 28 Apr 2020 14:57:32 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Notmuch Mail <notmuch@notmuchmail.org>
Subject: [PATCH 14/15] test/protected-headers: Add tests for S/MIME protected
 headers
Date: Tue, 28 Apr 2020 14:57:22 -0400
Message-Id: <20200428185723.660184-15-dkg@fifthhorseman.net>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200428185723.660184-1-dkg@fifthhorseman.net>
References: <20200428185723.660184-1-dkg@fifthhorseman.net>
MIME-Version: 1.0
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Use and development of the notmuch mail system."
 <notmuch.notmuchmail.org>
List-Unsubscribe: <https://notmuchmail.org/mailman/options/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch/>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <https://notmuchmail.org/mailman/listinfo/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: notmuch-bounces@notmuchmail.org
Sender: "notmuch" <notmuch-bounces@notmuchmail.org>
X-Scanner: scn0
X-Spam-Score: 1.09
Authentication-Results: aspmx1.migadu.com;
	dkim=fail (body hash did not verify) header.d=fifthhorseman.net header.s=2019 header.b=+nW/dKWJ;
	dkim=fail (body hash did not verify) header.d=fifthhorseman.net header.s=2019rsa header.b=hMncP+SJ;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=fifthhorseman.net (policy=none);
	spf=pass (aspmx1.migadu.com: domain of notmuch-bounces@notmuchmail.org designates 50.126.95.6 as permitted sender) smtp.mailfrom=notmuch-bounces@notmuchmail.org
X-Scan-Result: default: False [1.09 / 13.00];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 GENERIC_REPUTATION(0.00)[-0.46273785707924];
	 DWL_DNSWL_FAIL(0.00)[50.126.95.6:server fail];
	 R_SPF_ALLOW(-0.20)[+a:c];
	 R_DKIM_REJECT(1.00)[fifthhorseman.net:s=2019,fifthhorseman.net:s=2019rsa];
	 IP_REPUTATION_HAM(0.00)[asn: 27017(-0.19), country: US(-0.00), ip: 50.126.95.6(-0.46)];
	 TO_DN_ALL(0.00)[];
	 DKIM_TRACE(0.00)[fifthhorseman.net:-];
	 MX_GOOD(-0.50)[cached: notmuchmail.org];
	 MAILLIST(-0.20)[mailman];
	 RCVD_IN_DNSWL_FAIL(0.00)[50.126.95.6:server fail];
	 MIME_TRACE(0.00)[0:+];
	 RCVD_TLS_LAST(0.00)[];
	 ASN(0.00)[asn:27017, ipnet:50.126.64.0/18, country:US];
	 FROM_NEQ_ENVFROM(0.00)[dkg@fifthhorseman.net,notmuch-bounces@notmuchmail.org];
	 ARC_NA(0.00)[];
	 URIBL_BLOCKED(0.00)[fifthhorseman.net:email,notmuchmail.org:email];
	 FROM_HAS_DN(0.00)[];
	 MIME_GOOD(-0.10)[text/plain];
	 PREVIOUSLY_DELIVERED(0.00)[notmuch@notmuchmail.org];
	 HAS_LIST_UNSUB(-0.01)[];
	 RCPT_COUNT_ONE(0.00)[1];
	 MID_CONTAINS_FROM(1.00)[];
	 RCVD_COUNT_SEVEN(0.00)[8];
	 FORGED_SENDER_MAILLIST(0.00)[];
	 DMARC_POLICY_SOFTFAIL(0.10)[fifthhorseman.net : SPF not aligned (relaxed),none]
X-TUID: N6V1gfyXkYec

Recognize the protected subject for S/MIME example protected header
messages.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 test/T356-protected-headers.sh | 38 +++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index 925805df..b7a83715 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -1,14 +1,14 @@
 #!/usr/bin/env bash
 
-# TODO:
-#  * check S/MIME as well as PGP/MIME
-
 test_description='Message decryption with protected headers'
 . $(dirname "$0")/test-lib.sh || exit 1
 
 ##################################################
 
+test_require_external_prereq gpgsm
+
 add_gnupg_home
+add_gpgsm_home
 
 add_email_corpus protected-headers
 
@@ -155,6 +155,38 @@ test_begin_subtest "identify message that had a legacy display part skipped duri
 output=$(notmuch search --output=messages property:index.repaired=skip-protected-headers-legacy-display)
 test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail.org
 
+for variant in multipart-signed onepart-signed; do
+    test_begin_subtest "verify signed PKCS#7 subject ($variant)"
+    test_subtest_known_broken
+    output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example")
+    test_json_nodes <<<"$output" \
+                    'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
+                    'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \
+                    'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \
+                    'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' \
+                    'not_encrypted:[0][0][0]["crypto"]!"decrypted"'
+done
+
+for variant in sign+enc sign+enc+legacy-disp; do
+    test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant)"
+    test_subtest_known_broken
+    output=$(notmuch show --decrypt=true --format=json "id:smime-${variant}@protected-headers.example")
+    test_json_nodes <<<"$output" \
+                    'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
+                    'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \
+                    'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \
+                    'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' \
+                    'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}'
+done
+
+test_begin_subtest "confirm encryption-protected PKCS#7 subject (enc+legacy-disp)"
+test_subtest_known_broken
+output=$(notmuch show --decrypt=true --format=json "id:smime-enc+legacy-disp@protected-headers.example")
+test_json_nodes <<<"$output" \
+                'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}' \
+                'no_sig:[0][0][0]["crypto"]!"signed"'
+
+
 # TODO: test that a part that looks like a legacy-display in
 # multipart/signed, but not encrypted, is indexed and not stripped.
 
-- 
2.26.2