From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id CHVDIUF9qF7uVAAA0tVLHw (envelope-from ) for ; Tue, 28 Apr 2020 19:00:17 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id +MLfI0l9qF5yQwAA1q6Kng (envelope-from ) for ; Tue, 28 Apr 2020 19:00:25 +0000 Received: from arlo.cworth.org (arlo.cworth.org [50.126.95.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id B423A942A5E for ; Tue, 28 Apr 2020 19:00:24 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 1B1F76DE13B6; Tue, 28 Apr 2020 11:59:24 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oW2N2MtjD9-k; Tue, 28 Apr 2020 11:59:23 -0700 (PDT) Received: from arlo.cworth.org (localhost [IPv6:::1]) by arlo.cworth.org (Postfix) with ESMTP id 45A0D6DE13D2; Tue, 28 Apr 2020 11:58:31 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 230CD6DE136D for ; Tue, 28 Apr 2020 11:58:26 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09fjVS2ibKke for ; Tue, 28 Apr 2020 11:58:24 -0700 (PDT) Received: from che.mayfirst.org (unknown [162.247.75.117]) by arlo.cworth.org (Postfix) with ESMTPS id BF00B6DE0F8A for ; Tue, 28 Apr 2020 11:58:18 -0700 (PDT) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1588100296; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : from; bh=MnNKg3lyTNLgiASgkyV4nVSSGbmrjyiJ7dgg3vbBrsw=; b=8pvMOs0iS8oV8qTg9v6B+6RpsgfemoAlXC7Dlcwmi5pJcl3KlZYvs8ICv/QdiMQnepbNK PvEbtEzmdq5K5K4AQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1588100296; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : from; bh=MnNKg3lyTNLgiASgkyV4nVSSGbmrjyiJ7dgg3vbBrsw=; b=o2qWTLSwwuX81ib4nmLhweJtB+Tlvc41p2J7uqhhj0ov5dHelh4I9/sJMtypKwYQqBoA2 AKZSB/WZ181w4a1D5JKtVJSBNWHw+uSbiwigHBzR2CcU7PwP7ZY/Jps/QBT4c9jH/x8rNTz +WD/IeNSUaQbyTVvbaGAjmokZORtINzENbwpyh+hMih8BkrTLB82Tf/WoHmMEtAIBSeDNw2 Kwb4oon6sBnoj8lYcvCGiLL+whl4aTOZyM/6CELCzJluoOX9gtSv3JtiOsl/ABUCycaSWLU u58AUYQusZ6r7TyrKWEjCPMxlsOREijek6OSq2tTtQ0kCi4X93pDTWB2mKDg== Received: from fifthhorseman.net (unknown [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 64DC6F9AA for ; Tue, 28 Apr 2020 14:58:16 -0400 (EDT) Received: by fifthhorseman.net (Postfix, from userid 1000) id 222042201F; Tue, 28 Apr 2020 14:57:32 -0400 (EDT) From: Daniel Kahn Gillmor To: Notmuch Mail Subject: [PATCH 05/15] tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs Date: Tue, 28 Apr 2020 14:57:13 -0400 Message-Id: <20200428185723.660184-6-dkg@fifthhorseman.net> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200428185723.660184-1-dkg@fifthhorseman.net> References: <20200428185723.660184-1-dkg@fifthhorseman.net> MIME-Version: 1.0 X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: notmuch-bounces@notmuchmail.org Sender: "notmuch" X-Scanner: scn0 X-Spam-Score: 1.09 Authentication-Results: aspmx1.migadu.com; dkim=fail (body hash did not verify) header.d=fifthhorseman.net header.s=2019 header.b=8pvMOs0i; dkim=fail (body hash did not verify) header.d=fifthhorseman.net header.s=2019rsa header.b=o2qWTLSw; dmarc=fail reason="SPF not aligned (relaxed)" header.from=fifthhorseman.net (policy=none); spf=pass (aspmx1.migadu.com: domain of notmuch-bounces@notmuchmail.org designates 50.126.95.6 as permitted sender) smtp.mailfrom=notmuch-bounces@notmuchmail.org X-Scan-Result: default: False [1.09 / 13.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; GENERIC_REPUTATION(0.00)[-0.46273865969169]; DWL_DNSWL_FAIL(0.00)[50.126.95.6:server fail]; R_SPF_ALLOW(-0.20)[+a:c]; R_DKIM_REJECT(1.00)[fifthhorseman.net:s=2019,fifthhorseman.net:s=2019rsa]; IP_REPUTATION_HAM(0.00)[asn: 27017(-0.19), country: US(-0.00), ip: 50.126.95.6(-0.46)]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[fifthhorseman.net:-]; MX_GOOD(-0.50)[cached: notmuchmail.org]; MAILLIST(-0.20)[mailman]; RCVD_IN_DNSWL_FAIL(0.00)[50.126.95.6:server fail]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:27017, ipnet:50.126.64.0/18, country:US]; FROM_NEQ_ENVFROM(0.00)[dkg@fifthhorseman.net,notmuch-bounces@notmuchmail.org]; ARC_NA(0.00)[]; URIBL_BLOCKED(0.00)[notmuchmail.org:email,fifthhorseman.net:email,gnu.org:url,gnupg.org:url]; FROM_HAS_DN(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[notmuch@notmuchmail.org]; HAS_LIST_UNSUB(-0.01)[]; RCPT_COUNT_ONE(0.00)[1]; MID_CONTAINS_FROM(1.00)[]; RCVD_COUNT_SEVEN(0.00)[8]; FORGED_SENDER_MAILLIST(0.00)[]; DMARC_POLICY_SOFTFAIL(0.10)[fifthhorseman.net : SPF not aligned (relaxed),none] X-TUID: xaw7I96mNtC2 The documentation for message mode clearly states that EasyPG (which uses GnuPG) is the default and recommended way to use S/MIME with mml-secure: [0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html To ensure that this mode works, we just need to import the secret key in question into gpgsm in addition to the public key. gpgsm should be able pick the right keys+certificates to use based on To/From headers, so we don't have to specify anything manually in the #secure mml tag. The import process from the OpenSSL-preferred form (cert+secretkey) is rather ugly, because gpgsm wants to see a PKCS#12 object when importing secret keys. Note that EasyPG generates the more modern Content-Type: application/pkcs7-signature instead of application/x-pkcs7-signature for the detached signature. We are also obliged to manually set gpgsm's include-certs setting to 1 because gpgsm defaults to send "everything but the root cert". In our weird test case, the certificate we're using is self-signed, so it *is* the root cert, which means that gpgsm doesn't include it by default. Setting it to 1 forces inclusion of the signer's cert, which satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878 for more details. Signed-off-by: Daniel Kahn Gillmor --- test/T355-smime.sh | 4 ++-- test/test-lib.el | 10 ---------- test/test-lib.sh | 6 +++++- 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/test/T355-smime.sh b/test/T355-smime.sh index 84be515a..9debf2da 100755 --- a/test/T355-smime.sh +++ b/test/T355-smime.sh @@ -24,7 +24,7 @@ test_begin_subtest "emacs delivery of S/MIME encrypted + signed message" test_expect_success \ 'emacs_fcc_message \ "test encrypted message 001" \ - "<#secure method=smime mode=signencrypt keyfile=\\\"test_suite.pem\\\" certfile=\\\"test_suite.pem\\\">\nThis is a test encrypted message.\n"' + "<#secure method=smime mode=signencrypt>\nThis is a test encrypted message.\n"' test_begin_subtest "Signature verification (openssl)" notmuch show --format=raw subject:"test signed message 001" |\ @@ -65,7 +65,7 @@ expected='[[[{"id": "XXXXX", "content-disposition": "attachment", "content-length": "NONZERO", "content-transfer-encoding": "base64", - "content-type": "application/x-pkcs7-signature", + "content-type": "application/pkcs7-signature", "filename": "smime.p7s"}]}]}, []]]]' test_expect_equal_json \ diff --git a/test/test-lib.el b/test/test-lib.el index 3ae7a090..b47b388e 100644 --- a/test/test-lib.el +++ b/test/test-lib.el @@ -193,13 +193,3 @@ nothing." ;; environments (setq mm-text-html-renderer 'html2text) - -;; Set some variables for S/MIME tests. - -(setq smime-keys '(("" "test_suite.pem" nil))) - -(setq mml-smime-use 'openssl) - -;; all test keys are without passphrase -(eval-after-load 'smime - '(defun smime-ask-passphrase (cache) nil)) diff --git a/test/test-lib.sh b/test/test-lib.sh index 31f37ed7..ac1b9315 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -136,11 +136,15 @@ add_gpgsm_home () _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } at_exit_function _gnupg_exit mkdir -m 0700 "$GNUPGHOME" - gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 + openssl pkcs12 -export -passout pass: -inkey "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \ + < "$NOTMUCH_SRCDIR/test/smime/test.crt" | \ + gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ + --disable-dirmngr --import >"$GNUPGHOME"/import.log 2>&1 3<<<'' fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt" gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" + echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2