From: Daniel Kahn Gillmor
To: Notmuch Mail
Subject: [PATCH 03/15] tests/smime: Include the Sample LAMPS Certificate Authority
Date: Tue, 28 Apr 2020 14:57:11 -0400
Message-Id: <20200428185723.660184-4-dkg@fifthhorseman.net>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200428185723.660184-1-dkg@fifthhorseman.net>
References: <20200428185723.660184-1-dkg@fifthhorseman.net>

This CA is useful for test suites and the like, but is not an actually-secure CA, because its secret key material is also published.

I plan to use it for its intended purpose in the notmuch test suite.

It was copied from this Internet Draft:

https://www.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi

Signed-off-by: Daniel Kahn Gillmor

--- test/smime/README | 2 ++ test/smime/ca.crt | 20 ++++++++++++++++++++ test/test-lib.sh | 2 ++ 3 files changed, 24 insertions(+) create mode 100644 test/smime/ca.crt diff --git a/test/smime/README b/test/smime/README index 46211922..88633bcc 100644 --- a/test/smime/README +++ b/test/smime/README @@ -5,3 +5,5 @@ key+cert.pem: cert + unencryped private % gpgsm --import test.crt % gpgsm --export-private-key-p12 -out foo.p12 (no passphrase) % openssl pkcs12 -in ns.p12 -clcerts -nodes > key+cert.pem + +ca.crt: from https://www.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi diff --git a/test/smime/ca.crt b/test/smime/ca.crt new file mode 100644 index 00000000..b33d087f --- /dev/null +++ b/test/smime/ca.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDLTCCAhWgAwIBAgIULXcNXGI2bZp38sV7cF6VcQfnKDwwDQYJKoZIhvcNAQEN +BQAwLTErMCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0 +eTAgFw0xOTExMjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowLTErMCkGA1UEAxMi +U2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMUfZ8+NYSh6h36zQcXBo5B6ficAcBJ1f3aLxyN8 +QXB83XuP8aDRWQ9uJvJpQkWVH4zx96/E/zI0t0lDMYtZNqra16h+gxbHJgoq2pRw +RCOiyYu/p2vzvvZ1dtFTMc/mIigjA/73kokui62j1EFy//fNVIihkVS3rAweq+fI +8qJHSMhdc2aYa9wOP0eGe/HTiDYgT4L4f2HTGMGGwQgj1vub0gpR4YHmNqr0GyEA +63mHUQUZpnmN1FEl+nVFA5Ntu4uF++qf/tkTji89/eXYBdKX2yUdTeTIKoCI65IL +EXxezjTc8aFjf/8E0aWGVZR/DtCsjWOh/s/mV7n/YPyb4+ECAwEAAaNDMEEwDwYD +VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBS3Uk1zwIg9 +ssN6WgzzlPf3gKJ32zANBgkqhkiG9w0BAQ0FAAOCAQEALsU91Bmhc6EgCNr7inY2 +2gYPnosJ+kZ1eC0hvHIK9e0Tx74RmhTOe8M2C9YXQKehHpRaX+DLcjup6scoH/bT +u0THbmzeOy29TTiFcyV9BK+SEKQWW4s98Fwdk9fPWcflHtYvqxjooAV3vHbt6Xmp +KrKDz/jdg7t0ptI4zSqAf3wNppiJoswlOHBUnH2W1MIYkWQ4jYj5socblVlklHOr +ykKUiEZAbjU+C1+0FhT4HgLjBB9R4H1H0JRKsggWiZBBJ6UpN0dTN4iD0mDVa0jy +sJqqWnIViy/xaSDcNaWJmU3o2KmkMkdpinoJ5uLkAHQqXjFaujdU1PkufeA7v3uG +Rw== +-----END CERTIFICATE----- diff --git a/test/test-lib.sh b/test/test-lib.sh index d4fcea5a..1ffedb25 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -139,6 +139,8 @@ add_gpgsm_home () gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt + gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt + echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2
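
Review bot: In the test/smime/README hunk, the added `ca.crt:` line records only the source URL, so the point made in the commit message, that this CA's secret key material is published and the CA is not actually secure, is invisible to anyone reading the test directory later. Suggest extending the README entry to say that ca.crt is a public sample CA with a published key and that it is meant to be trusted only inside the test suite's own $GNUPGHOME.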
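
Review bot: In the test/test-lib.sh hunk, the new `gpgsm --quiet ... --import < $NOTMUCH_SRCDIR/test/smime/ca.crt` line does not write to import.log, while the test.crt import just above it does and the following `test_debug "cat $GNUPGHOME/import.log"` prints only that file, so a failed CA import leaves no trace in the debug output. Suggest dropping `--quiet` and appending `>>"$GNUPGHOME"/import.log 2>&1`. The trustlist line is also a hard-coded fingerprint with nothing in the hunk tying it to ca.crt, unlike `fpr` for test.crt, which is derived from `gpgsm --list-key`; either derive it the same way or add a comment naming it as the fingerprint of test/smime/ca.crt, so that a refreshed certificate does not leave a stale trust entry behind. `$NOTMUCH_SRCDIR` is unquoted in the redirect, as on the existing line; quoting it would protect source paths that contain spaces.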