From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Notmuch Mail <notmuch@notmuchmail.org>
Subject: [PATCH 05/15] tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs
Date: Tue, 28 Apr 2020 14:57:13 -0400
Message-ID: <20200428185723.660184-6-dkg@fifthhorseman.net>
In-Reply-To: <20200428185723.660184-1-dkg@fifthhorseman.net>

The documentation for message mode clearly states that EasyPG (which
uses GnuPG) is the default and recommended way to use S/MIME with
mml-secure:

[0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html

To ensure that this mode works, we just need to import the secret key
in question into gpgsm in addition to the public key.  gpgsm should be
able to pick the right keys+certificates to use based on To/From headers,
so we don't have to specify anything manually in the #secure mml tag.

The import process from the OpenSSL-preferred form (cert+secretkey) is
rather ugly, because gpgsm wants to see a PKCS#12 object when
importing secret keys.

Note that EasyPG generates the more modern Content-Type:
application/pkcs7-signature instead of application/x-pkcs7-signature
for the detached signature.

We are also obliged to manually set gpgsm's include-certs setting to 1
because gpgsm defaults to send "everything but the root cert".  In our
weird test case, the certificate we're using is self-signed, so it
*is* the root cert, which means that gpgsm doesn't include it by
default.  Setting it to 1 forces inclusion of the signer's cert, which
satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878
for more details.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 test/T355-smime.sh |  4 ++--
 test/test-lib.el   | 10 ----------
 test/test-lib.sh   |  6 +++++-
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 84be515a..9debf2da 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -24,7 +24,7 @@ test_begin_subtest "emacs delivery of S/MIME encrypted + signed message"
 test_expect_success \
 'emacs_fcc_message \
     "test encrypted message 001" \
-    "<#secure method=smime mode=signencrypt keyfile=\\\"test_suite.pem\\\" certfile=\\\"test_suite.pem\\\">\nThis is a test encrypted message.\n"'
+    "<#secure method=smime mode=signencrypt>\nThis is a test encrypted message.\n"'
 
 test_begin_subtest "Signature verification (openssl)"
 notmuch show --format=raw subject:"test signed message 001" |\
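Review bot: dropping keyfile=/certfile= from the #secure tag makes certificate selection implicit, so this subtest now depends on the From:/To: addresses that emacs_fcc_message puts on the message matching the certificate imported into gpgsm (test_suite@notmuchmail.org, the address the list-key call in test-lib.sh looks up); a one-line comment above test_expect_success stating that dependency would save whoever next changes the test sender. Note also that the following subtest is still titled "Signature verification (openssl)", so openssl is now verifying a gpgsm-produced signature, which only works together with the include-certs change in test-lib.sh from this same patch.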
@@ -65,7 +65,7 @@ expected='[[[{"id": "XXXXX",
   "content-disposition": "attachment",
   "content-length": "NONZERO",
   "content-transfer-encoding": "base64",
-  "content-type": "application/x-pkcs7-signature",
+  "content-type": "application/pkcs7-signature",
   "filename": "smime.p7s"}]}]},
  []]]]'
 test_expect_equal_json \
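Review bot: the expected "content-type" is now pinned to application/pkcs7-signature, the value EasyPG emits, where the openssl backend emitted application/x-pkcs7-signature; since notmuch show only reports the header the message carries, this assertion tests which Emacs backend produced the message rather than anything in notmuch. A short comment beside the expected block saying the value is backend-dependent would make that clear, and if the test is ever meant to pass under the openssl backend again it should accept either form.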
diff --git a/test/test-lib.el b/test/test-lib.el
index 3ae7a090..b47b388e 100644
--- a/test/test-lib.el
+++ b/test/test-lib.el
@@ -193,13 +193,3 @@ nothing."
 ;; environments
 
 (setq mm-text-html-renderer 'html2text)
-
-;; Set some variables for S/MIME tests.
-
-(setq smime-keys '(("" "test_suite.pem" nil)))
-
-(setq mml-smime-use 'openssl)
-
-;; all test keys are without passphrase
-(eval-after-load 'smime
-  '(defun smime-ask-passphrase (cache)  nil))
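Review bot: removing (setq mml-smime-use 'openssl) leaves the backend choice to the default of mml-smime-use, which the commit message says is EasyPG; setting (setq mml-smime-use 'epg) explicitly here would document that intent and protect the S/MIME tests against an Emacs build where the default resolves to openssl, in which case they would fail with an unrelated "no smime-keys" style error now that smime-keys is gone too. Dropping the smime-ask-passphrase override is fine on its own, since it only affected the openssl path and the key is imported into gpgsm without a passphrase.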
diff --git a/test/test-lib.sh b/test/test-lib.sh
index 31f37ed7..ac1b9315 100644
--- a/test/test-lib.sh
+++ b/test/test-lib.sh
@@ -136,11 +136,15 @@ add_gpgsm_home ()
     _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; }
     at_exit_function _gnupg_exit
     mkdir -m 0700 "$GNUPGHOME"
-    gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1
+    openssl pkcs12 -export -passout pass: -inkey "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \
+        < "$NOTMUCH_SRCDIR/test/smime/test.crt" | \
+        gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \
+              --disable-dirmngr --import  >"$GNUPGHOME"/import.log 2>&1 3<<<''
     fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p')
     echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt"
     gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt
     echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt"
+    echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm
     test_debug "cat $GNUPGHOME/import.log"
 }
 
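Review bot: the openssl pkcs12 | gpgsm pipeline only reports gpgsm's exit status, and the 2>&1 applies to gpgsm alone, so a failing PKCS#12 export (missing key+cert.pem, key and certificate that do not match) never reaches import.log and surfaces later as an opaque gpgsm import error; either enable pipefail for this block or export to a temporary file, check openssl's status, and then import. For the same reason it is worth checking that fpr is non-empty before appending "$fpr S relax" to trustlist.txt, since an empty fpr silently writes a useless " S relax" line. Two minor points: --pinentry-mode=loopback needs loopback pinentry to be permitted by gpg-agent (older agents require allow-loopback-pinentry in gpg-agent.conf), so the import can fail on the passphrase read rather than on the data, and feeding test.crt to openssl via stdin redirection while the key comes from -inkey reads less clearly than an explicit -in "$NOTMUCH_SRCDIR/test/smime/test.crt".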
-- 
2.26.2
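As an added example, not part of this patch or of the notmuch or Emacs code bases, the following Python script checks a multipart/signed S/MIME message for the two properties the commit message raises: that the detached-signature part carries one of the two pkcs7-signature Content-Types (the modern form EasyPG emits and the legacy x- form), and whether the CMS SignedData embeds any certificates at all, which is what gpgsm's include-certs setting controls and what lets openssl's smime subcommand verify a self-signed signer without a separate -certfile. The message and the CMS blob are constructed inline with a tiny DER encoder; the "certificates" are placeholder DER SEQUENCEs rather than real X.509 certificates, so only the structure is exercised, and every helper name (build_signed_data, check_signed_message and so on) belongs to this example alone.

```python
"""Added example (not notmuch's or Emacs' code): inspect a multipart/signed
S/MIME message for an acceptable detached-signature Content-Type and for
whether the CMS SignedData embeds any certificates (gpgsm include-certs).
The certificates used here are placeholder SEQUENCEs, not real X.509."""
import base64
import email
from email import policy

ACCEPTED_SIG_TYPES = {"application/pkcs7-signature",     # EasyPG/gpgsm emit this
                      "application/x-pkcs7-signature"}   # legacy form, openssl backend
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData (RFC 5652)
OID_DATA = "1.2.840.113549.1.7.1"          # id-data


# --- minimal DER encode/decode, enough for a CMS ContentInfo skeleton ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]              # base-128, high bit set on all but last
        while arc >> 7:
            arc >>= 7
            groups.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(groups))
    return der(0x06, bytes(out))

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        yield tag, body


# --- CMS SignedData skeleton for a detached signature (eContent absent) ---
def placeholder_cert(serial):
    return der(0x30, der(0x30, der(0x02, bytes([serial]))))   # stand-in, not X.509

def build_signed_data(certs):
    body = der(0x02, b"\x01")                  # version
    body += der(0x31, b"")                     # digestAlgorithms (left empty)
    body += der(0x30, der_oid(OID_DATA))       # encapContentInfo, no eContent
    if certs:
        body += der(0xA0, b"".join(certs))     # certificates [0] IMPLICIT
    body += der(0x31, b"")                     # signerInfos (left empty)
    return der(0x30, der_oid(OID_SIGNED_DATA) + der(0xA0, der(0x30, body)))

def count_embedded_certs(cms_der):
    tag, content_info, _ = der_read(cms_der)
    kids = list(der_children(content_info))
    if tag != 0x30 or der(*kids[0]) != der_oid(OID_SIGNED_DATA):
        raise ValueError("not a CMS SignedData ContentInfo")
    _, signed_data, _ = der_read(kids[1][1])   # [0] EXPLICIT -> SignedData SEQUENCE
    for tag, body in der_children(signed_data):
        if tag == 0xA0:                         # certificates [0] IMPLICIT
            return sum(1 for t, _ in der_children(body) if t == 0x30)
    return 0


# --- MIME layer: constructed message shaped like the test's signed message ---
def build_signed_message(sig_ctype, cms_der):
    return ("From: test_suite@notmuchmail.org\nTo: test_suite@notmuchmail.org\n"
            "Subject: test signed message 001\n"
            'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
            ' micalg=sha-256; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nThis is a test signed message.\n"
            f"--b\nContent-Type: {sig_ctype}; name=smime.p7s\n"
            "Content-Disposition: attachment; filename=smime.p7s\n"
            "Content-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(cms_der).decode("ascii") + "--b--\n")

def check_signed_message(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed")
    sig = msg.get_payload()[1]
    ctype = sig.get_content_type()
    if ctype not in ACCEPTED_SIG_TYPES:
        return {"content_type": ctype, "accepted": False, "embedded_certs": None}
    n = count_embedded_certs(sig.get_payload(decode=True))
    # self_contained False: openssl smime -verify would need -certfile for the signer
    return {"content_type": ctype, "accepted": True, "embedded_certs": n,
            "self_contained": n > 0}
```

Running check_signed_message on a message built with build_signed_data([placeholder_cert(1)]) reports one embedded certificate, which corresponds to the include-certs=1 behaviour the patch configures; the same message built with build_signed_data([]) reproduces gpgsm's default for a self-signed signer ("everything but the root cert", which here is nothing) and is flagged as not self-contained.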


Thread overview: 28+ messages
2020-04-28 18:57 Add tests for S/MIME PKCS#7 messages Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 01/15] tests: move add_gpgsm_home to test-lib.sh Daniel Kahn Gillmor
2020-04-30 21:29   ` David Bremner
2020-04-28 18:57 ` [PATCH 02/15] tests/smime: Always use --batch with gpgsm Daniel Kahn Gillmor
2020-04-30 19:33   ` [PATCH 03/15 v2] tests/smime: Include the Sample LAMPS Certificate Authority Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 03/15] " Daniel Kahn Gillmor
2020-04-29  1:43   ` David Bremner
2020-04-30 16:51     ` Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 04/15] tests/smime: consistently quote $GNUPGHOME Daniel Kahn Gillmor
2020-04-28 18:57 ` Daniel Kahn Gillmor [this message]
2020-04-28 18:57 ` [PATCH 06/15] tests/smime: avoid copying the key+cert.pem around Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 07/15] test: Allow tests to have both gpg and gpgsm active at once Daniel Kahn Gillmor
2020-04-29 20:02   ` Tomi Ollila
2020-04-30 16:53     ` Daniel Kahn Gillmor
2020-04-30 19:34   ` [PATCH 07/15 v2] " Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 08/15] tests/smime: include secret key material for Bob Daniel Kahn Gillmor
2020-04-29 20:05   ` Tomi Ollila
2020-04-30 16:56     ` Daniel Kahn Gillmor
2020-04-30 19:35   ` [PATCH 08/15 v2] " Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 09/15] tests: Add S/MIME messages to protected-headers corpus Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 10/15] tests/smime: Verify cryptographic message status Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 11/15] tests/smime: Test indexing cleartext of envelopedData Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 12/15] test-lib.sh: add test_valid_json Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 13/15] tests/smime: add tests for S/MIME SignedData Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 14/15] test/protected-headers: Add tests for S/MIME protected headers Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 15/15] tests: disable CRL checks from gpgsm Daniel Kahn Gillmor
2020-04-29 20:12   ` Tomi Ollila
2020-04-30 19:00     ` Daniel Kahn Gillmor
