S/MIME messages that use PKCS#7 are not currently well-handled by notmuch. This series introduces a set of tests that cover such messages, most of which are initially broken. A future (shorter) series will resolve these tests. Some S/MIME messages *are* handled correctly by notmuch already: in particular, multipart/signed messages where the detached signature is a PKCS#7 signature object (as opposed to one-part S/MIME SignedData messages) are already working. There should be no functional change to notmuch from applying this series, just a more complete test suite. Comments and feedback welcome, as always! Regards, --dkg
This allows us to test S/MIME messages in other tests. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/T355-smime.sh | 13 ------------- test/test-lib.sh | 13 +++++++++++++ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/test/T355-smime.sh b/test/T355-smime.sh index 11a4d6cd..84be515a 100755 --- a/test/T355-smime.sh +++ b/test/T355-smime.sh @@ -3,19 +3,6 @@ test_description='S/MIME signature verification and decryption' . $(dirname "$0")/test-lib.sh || exit 1 -add_gpgsm_home () -{ - local fpr - [ -d ${GNUPGHOME} ] && return - _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } - at_exit_function _gnupg_exit - mkdir -m 0700 "$GNUPGHOME" - gpgsm --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 - fpr=$(gpgsm --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') - echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt - test_debug "cat $GNUPGHOME/import.log" -} - test_require_external_prereq openssl test_require_external_prereq gpgsm diff --git a/test/test-lib.sh b/test/test-lib.sh index 7f8a3a4d..6a62b5c1 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -129,6 +129,19 @@ add_gnupg_home () printf '%s:6:\n' "$FINGERPRINT" | gpg --quiet --batch --no-tty --import-ownertrust } +add_gpgsm_home () +{ + local fpr + [ -d ${GNUPGHOME} ] && return + _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } + at_exit_function _gnupg_exit + mkdir -m 0700 "$GNUPGHOME" + gpgsm --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 + fpr=$(gpgsm --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') + echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt + test_debug "cat $GNUPGHOME/import.log" +} + # Each test should start with something like this, after copyright notices: # # test_description='Description of this test... -- 2.26.2
GnuPG's gpgsm, like gpg, should always be used with --batch when it is invoked in a non-interactive environment. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/test-lib.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/test-lib.sh b/test/test-lib.sh index 6a62b5c1..d4fcea5a 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -136,8 +136,8 @@ add_gpgsm_home () _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } at_exit_function _gnupg_exit mkdir -m 0700 "$GNUPGHOME" - gpgsm --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 - fpr=$(gpgsm --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') + gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 + fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2
This CA is useful for test suites and the like, but is not an actually-secure CA, because its secret key material is also published. I plan to use it for its intended purpose in the notmuch test suite. It was copied from this Internet Draft: https://www.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/smime/README | 2 ++ test/smime/ca.crt | 20 ++++++++++++++++++++ test/test-lib.sh | 2 ++ 3 files changed, 24 insertions(+) create mode 100644 test/smime/ca.crt diff --git a/test/smime/README b/test/smime/README index 46211922..88633bcc 100644 --- a/test/smime/README +++ b/test/smime/README @@ -5,3 +5,5 @@ key+cert.pem: cert + unencryped private % gpgsm --import test.crt % gpgsm --export-private-key-p12 -out foo.p12 (no passphrase) % openssl pkcs12 -in ns.p12 -clcerts -nodes > key+cert.pem + +ca.crt: from https://www.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi diff --git a/test/smime/ca.crt b/test/smime/ca.crt new file mode 100644 index 00000000..b33d087f --- /dev/null +++ b/test/smime/ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDLTCCAhWgAwIBAgIULXcNXGI2bZp38sV7cF6VcQfnKDwwDQYJKoZIhvcNAQEN +BQAwLTErMCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0 +eTAgFw0xOTExMjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowLTErMCkGA1UEAxMi +U2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMUfZ8+NYSh6h36zQcXBo5B6ficAcBJ1f3aLxyN8 +QXB83XuP8aDRWQ9uJvJpQkWVH4zx96/E/zI0t0lDMYtZNqra16h+gxbHJgoq2pRw +RCOiyYu/p2vzvvZ1dtFTMc/mIigjA/73kokui62j1EFy//fNVIihkVS3rAweq+fI +8qJHSMhdc2aYa9wOP0eGe/HTiDYgT4L4f2HTGMGGwQgj1vub0gpR4YHmNqr0GyEA +63mHUQUZpnmN1FEl+nVFA5Ntu4uF++qf/tkTji89/eXYBdKX2yUdTeTIKoCI65IL +EXxezjTc8aFjf/8E0aWGVZR/DtCsjWOh/s/mV7n/YPyb4+ECAwEAAaNDMEEwDwYD +VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBS3Uk1zwIg9 +ssN6WgzzlPf3gKJ32zANBgkqhkiG9w0BAQ0FAAOCAQEALsU91Bmhc6EgCNr7inY2 +2gYPnosJ+kZ1eC0hvHIK9e0Tx74RmhTOe8M2C9YXQKehHpRaX+DLcjup6scoH/bT +u0THbmzeOy29TTiFcyV9BK+SEKQWW4s98Fwdk9fPWcflHtYvqxjooAV3vHbt6Xmp +KrKDz/jdg7t0ptI4zSqAf3wNppiJoswlOHBUnH2W1MIYkWQ4jYj5socblVlklHOr +ykKUiEZAbjU+C1+0FhT4HgLjBB9R4H1H0JRKsggWiZBBJ6UpN0dTN4iD0mDVa0jy +sJqqWnIViy/xaSDcNaWJmU3o2KmkMkdpinoJ5uLkAHQqXjFaujdU1PkufeA7v3uG +Rw== +-----END CERTIFICATE----- diff --git a/test/test-lib.sh b/test/test-lib.sh index d4fcea5a..1ffedb25 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -139,6 +139,8 @@ add_gpgsm_home () gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt + gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt + echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/test-lib.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/test-lib.sh b/test/test-lib.sh index 1ffedb25..31f37ed7 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -132,13 +132,13 @@ add_gnupg_home () add_gpgsm_home () { local fpr - [ -d ${GNUPGHOME} ] && return + [ -d "$GNUPGHOME" ] && return _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } at_exit_function _gnupg_exit mkdir -m 0700 "$GNUPGHOME" gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') - echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt + echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt" gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" test_debug "cat $GNUPGHOME/import.log" -- 2.26.2
The documentation for message mode clearly states that EasyPG (which uses GnuPG) is the default and recommended way to use S/MIME with mml-secure: [0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html To ensure that this mode works, we just need to import the secret key in question into gpgsm in addition to the public key. gpgsm should be able pick the right keys+certificates to use based on To/From headers, so we don't have to specify anything manually in the #secure mml tag. The import process from the OpenSSL-preferred form (cert+secretkey) is rather ugly, because gpgsm wants to see a PKCS#12 object when importing secret keys. Note that EasyPG generates the more modern Content-Type: application/pkcs7-signature instead of application/x-pkcs7-signature for the detached signature. We are also obliged to manually set gpgsm's include-certs setting to 1 because gpgsm defaults to send "everything but the root cert". In our weird test case, the certificate we're using is self-signed, so it *is* the root cert, which means that gpgsm doesn't include it by default. Setting it to 1 forces inclusion of the signer's cert, which satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878 for more details. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/T355-smime.sh | 4 ++-- test/test-lib.el | 10 ---------- test/test-lib.sh | 6 +++++- 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/test/T355-smime.sh b/test/T355-smime.sh index 84be515a..9debf2da 100755 --- a/test/T355-smime.sh +++ b/test/T355-smime.sh @@ -24,7 +24,7 @@ test_begin_subtest "emacs delivery of S/MIME encrypted + signed message" test_expect_success \ 'emacs_fcc_message \ "test encrypted message 001" \ - "<#secure method=smime mode=signencrypt keyfile=\\\"test_suite.pem\\\" certfile=\\\"test_suite.pem\\\">\nThis is a test encrypted message.\n"' + "<#secure method=smime mode=signencrypt>\nThis is a test encrypted message.\n"' test_begin_subtest "Signature verification (openssl)" notmuch show --format=raw subject:"test signed message 001" |\ @@ -65,7 +65,7 @@ expected='[[[{"id": "XXXXX", "content-disposition": "attachment", "content-length": "NONZERO", "content-transfer-encoding": "base64", - "content-type": "application/x-pkcs7-signature", + "content-type": "application/pkcs7-signature", "filename": "smime.p7s"}]}]}, []]]]' test_expect_equal_json \ diff --git a/test/test-lib.el b/test/test-lib.el index 3ae7a090..b47b388e 100644 --- a/test/test-lib.el +++ b/test/test-lib.el @@ -193,13 +193,3 @@ nothing." ;; environments (setq mm-text-html-renderer 'html2text) - -;; Set some variables for S/MIME tests. - -(setq smime-keys '(("" "test_suite.pem" nil))) - -(setq mml-smime-use 'openssl) - -;; all test keys are without passphrase -(eval-after-load 'smime - '(defun smime-ask-passphrase (cache) nil)) diff --git a/test/test-lib.sh b/test/test-lib.sh index 31f37ed7..ac1b9315 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -136,11 +136,15 @@ add_gpgsm_home () _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } at_exit_function _gnupg_exit mkdir -m 0700 "$GNUPGHOME" - gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 + openssl pkcs12 -export -passout pass: -inkey "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \ + < "$NOTMUCH_SRCDIR/test/smime/test.crt" | \ + gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ + --disable-dirmngr --import >"$GNUPGHOME"/import.log 2>&1 3<<<'' fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt" gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" + echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2
No functional change. We no longer need to identify the key and cert to mml-mode when sending an S/MIME message, so making a copy of key+cert.pem to test_suite.pem is superfluous. Get rid of the extra file. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/T355-smime.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/test/T355-smime.sh b/test/T355-smime.sh index 9debf2da..e92a7b16 100755 --- a/test/T355-smime.sh +++ b/test/T355-smime.sh @@ -6,9 +6,7 @@ test_description='S/MIME signature verification and decryption' test_require_external_prereq openssl test_require_external_prereq gpgsm -cp $NOTMUCH_SRCDIR/test/smime/key+cert.pem test_suite.pem - -FINGERPRINT=$(openssl x509 -fingerprint -in test_suite.pem -noout | sed -e 's/^.*=//' -e s/://g) +FINGERPRINT=$(openssl x509 -fingerprint -in "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" -noout | sed -e 's/^.*=//' -e s/://g) add_gpgsm_home @@ -74,7 +72,7 @@ test_expect_equal_json \ test_begin_subtest "Decryption and signature verification (openssl)" notmuch show --format=raw subject:"test encrypted message 001" |\ - openssl smime -decrypt -recip test_suite.pem |\ + openssl smime -decrypt -recip $NOTMUCH_SRCDIR/test/smime/key+cert.pem |\ openssl smime -verify -CAfile $NOTMUCH_SRCDIR/test/smime/test.crt 2>OUTPUT cat <<EOF > EXPECTED Verification successful -- 2.26.2
Without this fix, we couldn't run both add_gnupg_home and add_gpgsm_home in the same test script. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/test-lib.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/test-lib.sh b/test/test-lib.sh index ac1b9315..d9997b27 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -110,10 +110,10 @@ unset ALTERNATE_EDITOR add_gnupg_home () { local output - [ -d ${GNUPGHOME} ] && return + [ -e ${GNUPGHOME}/gpg.conf ] && return _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } at_exit_function _gnupg_exit - mkdir -m 0700 "$GNUPGHOME" + mkdir -p -m 0700 "$GNUPGHOME" gpg --no-tty --import <$NOTMUCH_SRCDIR/test/gnupg-secret-key.asc >"$GNUPGHOME"/import.log 2>&1 test_debug "cat $GNUPGHOME/import.log" if (gpg --quick-random --version >/dev/null 2>&1) ; then @@ -132,10 +132,10 @@ add_gnupg_home () add_gpgsm_home () { local fpr - [ -d "$GNUPGHOME" ] && return + [ -e "$GNUPGHOME/gpgsm.conf" ] && return _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } at_exit_function _gnupg_exit - mkdir -m 0700 "$GNUPGHOME" + mkdir -p -m 0700 "$GNUPGHOME" openssl pkcs12 -export -passout pass: -inkey "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \ < "$NOTMUCH_SRCDIR/test/smime/test.crt" | \ gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ -- 2.26.2
This is taken from the same Internet Draft that test/smime/ca.crt comes from. See that draft for more details. https://www.ietf.org/id/draft-dkg-lamps-samples-02.html#name-pkcs12-object-for-bob We don't use it yet, but it will be used to decrypt other messages in the test suite. Note that we include it here with an empty passphrase, rather than with the passphrase "bob" that it is supplied with in the I-D. The underlying cryptographic material is the same, but this way we can import cleanly into gpgsm without having a passphrase set on it (gpgsm converts an empty-string passphrase into no passphrase at all on import). Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/smime/bob.p12 | 58 ++++++++++++++++++++++++++++++++++++++++++++++ test/test-lib.sh | 2 ++ 2 files changed, 60 insertions(+) create mode 100644 test/smime/bob.p12 diff --git a/test/smime/bob.p12 b/test/smime/bob.p12 new file mode 100644 index 00000000..774c77d0 --- /dev/null +++ b/test/smime/bob.p12 @@ -0,0 +1,58 @@ +-----BEGIN PKCS12----- +MIIKWAIBAzCCCh4GCSqGSIb3DQEHAaCCCg8EggoLMIIKBzCCBGcGCSqGSIb3DQEH +BqCCBFgwggRUAgEAMIIETQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQICE8J +3kMad9UCAggAgIIEIPvHjK0eRQrnowMUsz1z1x/IxslNvG6DjPZjNHCkNYYmiRsg +Leu5nqKf4emWVvYpnlh+4Gql7pyJm3G3zSNhobPkW+P1Eh80tTBoUk7TIvvvmtrE +YEc/nRR1p1MgjISq4Q/CM6ccCCw6YEiQcj/0mSS7gmHUegD5glcWbVuqAT8M/p1z +98OP3z37G8ARRLNj1yyp0SVlt59Sx3WNbmYBqkQ96iukjMJvmjV7o6BFYUx46Llb +tphhdRgKXbK2r1R0TUlvE659TUwlrpGlaFpaGj1kLdzVAnjh1ZWnWO2a2BSj0LzG +qRyiLwqDFPLJLQEckfV+RPWiRrSewME8URNKdk6eewtHdhrehMo4ZJnOIum8qcSz +giW61SSyZJsFvILpmMYghIxWmPd/8cNIHBrdFEa7z3QKh5jcJNTCxz6yO9f8F830 +d+WDK7DbGkUW4mVTGg/lEYnCFZDF6S1mr0hx+cew1FbKjLpxfQllIIrLf5d2BF8H +0STpuylQDVVBFdTRHyeS6td5nulANgOProrRzy3aAKQmZ6iullKl+i2t/2TwfVP/ +gG+yszpOEf8U9txuvbiZ7j4XV158zdaaGiduDqMKLOvbdctwHAsR9ecx5C3NTRDl +ZlttNoXN9zhT4CkWk1w4sFk2KUurjVraIcjWVT7yOreaaK+6N09M0tnLPDJDTrow +8WwP/rZhA+t+CMrhqkFBxXsyo5VTM0jWJGO/NLpYXPhDPBsRq8rs1OCrUoVr34aR +cpUTNhyXkvJUarWDHs88lg0ps0G9/1dXI1AbEsQQg8u+QT2ztGYrg2OQxQyi1Mo4 +u/FkAcEbtlYYLmJjj/S2qVRPJgBALVjw9k5hnYRdAXWVDCJ96PMn1SKORvlMxnZ7 +djlhaztOhTLsiDzywVDYWLvQElunWcAGeDZykWNytwcEagc0VjWKHMibc0JOZQ1T +crGyOzTlt09xHj1NrItYefIwdtKuJfkAh03B5xI6rJ9ZbK9xidcVxyeRX0lEqdo9 +WHQrhHefAmeyo0TlfsN67kFDp5FLpwEtNaN0lyzpkl30aWZdtP5vkvtfmy5ugYIO +bXoVa+tO6k5V/VfUFUKdaY7xAX7XRzUUg4jB0D0CuaX+YS+GL+5wuQwIY1y2ihBb +CuCxlcP1lVEU4CVQba60VTudJtWyE7QpPhf+y81f1wRjwIihFvwzpUFWf8JVEppe +v3Yot3OWGBmhEqLkC9LELth8o5gLfyYHaXTYNd9aRTiI+0ZC5U3O4wUwYLTG3exM +rIDTzEMk/p4DYIHkNKVUiRJfGYdAwuRxf3IMcYWARTXlSzl1C3hWmZfvTPlKs1bB +OHTHP/P+qdOFjxOh+fbyqXPJauBAhHvHgrp3iI6t834wJou26oWNihM7OnWuyQRt +9DVxG4l+1VjtbQZfTDCCBZgGCSqGSIb3DQEHAaCCBYkEggWFMIIFgTCCBX0GCyqG +SIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAjqo0x2p5SqLAICCAAE +ggTIe6Ws+lu0CoNlCXGM2BEPV09wuRHTJe+KnesrmRbXPF9linG3d6G++tTkBHz/ +yr77/DV5aDYciV1pGAbLuX2lMwuqdxzJ4OBPBAjuX5H+IPRaTbxfHYYIwhG8oZzy +aHyVhHr9j0h7lzW7xSTYJuBNEJ58L42dfzpNRw9dyRPmcuhZqW14Z3xyDm8yjHfB +2p99y9/A4qSyJJSUM3O3nLdtIar3ktSTRAijgqq+s9wnsfozQRzWpYaqiRrdzwfO +HqXk54l3/lMSyLpfPl9LW7er6JbGI4jEyQ3x8WijATM5h/lkZKejh/mOaWCvs6G6 +fGzV4P35EsToYbOk9GX4jl4SyDBt3iEHYm5teDUhJmTcR39lAQuAfxN6rOn/TkoO +YLxtdD5DLiTfYZPCFyavLEsamr8A4p93torF6Rs7GsaHE6PmCcprzqx71KV0DZKv +tMY86RoiWPKLFxZcYt1yz9/95c1SO1s4i1GvLpJTEgQxLM2OhfEwDNKd2rMJoq1I +YIRPSP204dIVwwNdXN1vB2slhN2+/QMOqsEkWtTOpW2QoTGSze49hfmJGdu+91jd +XZBBMJQfY4q066/eE4IOW7ZZId5uMYxDRnGdEQjJsxyW8YHWLRGQvBC8gMkdbj8e +0wkXbe+jML7vG7t3hDhLEbj5sTquIMTWrTirPw4SxLCuGZAyJHFN3/nCaOSMFlCG +wEZHrAozgQXPBYU7p+uIkJ4lDc2ZtW8NM8U15gKZLDFfAE6Vg0jAtfFMqvNnX630 +xfo1z4jBd7VXbBFrPzrmvlTnb1XxNFcPycowzW9tgtN4YnNroCq98VpMC914tdpJ ++C/PI0eJ7M2ir3ajN0RabSm02JO9Hdwoa5OgqLwPYDwiFyQvKFGKqAF8Ph6pSEiZ +10OnH+DVgEY70A+Le+ZSDosMdrhZfHbCcIFitZJ3sYV/7Q118QckW3szcjmLHS5g +M6Whl2HhjLsAfsmCnoRlIwjx4g0TiuZcb4hGysq8QjD3Z8qqFK28m6OMHbASQfWg +U+Qg3vmEvVsnBxStFEIImS3QYQoaT0pk6zKUYsI/fOBnEgxsY0XwTfXzVw7hZDct +yhNIQVWmfgVZwUw0wLoNu3A5hupjUwQzQr4TPnKkFPI8qHmRrJgP8EA0U0019y3W +MlK0h/LAJEaUBS0goLJCJ8+1EWr6femjnyuU5hMizOm+3j0JexjWz5TQttioS7Q/ +vcxt5pA9yAWQdH9j72saKEoKmDi+kIPr4mimKJz99LhKp9A6Hj0f1P2V3As8JWyW +ZKmJKW7qMMCFADlALolobqzA60j6Zeo5jiEj/j2lVlUPPz47WO+uKeb+rx+hgTUc +Xrhq0+an5tvEXt/8wy3PJFqP+qqHGhOIuPLuhqPyzNowuXirIXsiWnI44/X48W91 +HPEoL3xaebQ6oyTP8dI4CCkkHgiLWL5mskjHMEXvcdR6k0ygmu8DGQCPfUweUZqZ +wfkhD/jwbVpLR5Y3chpatW0cJ2bsAWdxwtuxF05+fVEePUsR0x+2/v/8eDEHKYwt +aYlAhI48nyrKKVMmqvqcXnzmJlUaq05GnEcglFbv4MUExL7CxClls6QnVNiZFPrV +ffVsYT2A300xrm4pan89n3nuavjJn7L1JJdmMXwwVQYJKoZIhvcNAQkUMUgeRgBH +AG4AdQBQAEcAIABlAHgAcABvAHIAdABlAGQAIABjAGUAcgB0AGkAZgBpAGMAYQB0 +AGUAIAA0ADIAYgBiADIANAAwADYwIwYJKoZIhvcNAQkVMRYEFGaI9k+ZdE9/rxBZ +4rSdH1BCuyQGMDEwITAJBgUrDgMCGgUABBRJfL4XyIHpXmjbziCGCbSAOK9jKgQI +drOMeIgXcCYCAggA +-----END PKCS12----- diff --git a/test/test-lib.sh b/test/test-lib.sh index d9997b27..dd7fdfaa 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -145,6 +145,8 @@ add_gpgsm_home () gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm + gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ + --disable-dirmngr --import $NOTMUCH_SRCDIR/test/smime/bob.p12 >>"$GNUPGHOME"/import.log 2>&1 3<<<'' test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2
These sample messages are taken directly from the Protected Headers draft: https://www.ietf.org/id/draft-autocrypt-lamps-protected-headers-02.html Note that this commit doesn't strictly pass the common git pre-commit hook due to introducing some trailing whitespace. That's just the nature of the corpus, though. We should have that trailing whitespace, so I've made this commit with --no-verify. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- .../smime-enc+legacy-disp.eml | 50 +++++++++ .../smime-multipart-signed.eml | 68 ++++++++++++ .../smime-onepart-signed.eml | 54 ++++++++++ .../smime-sign+enc+legacy-disp.eml | 102 ++++++++++++++++++ .../protected-headers/smime-sign+enc.eml | 95 ++++++++++++++++ 5 files changed, 369 insertions(+) create mode 100644 test/corpora/protected-headers/smime-enc+legacy-disp.eml create mode 100644 test/corpora/protected-headers/smime-multipart-signed.eml create mode 100644 test/corpora/protected-headers/smime-onepart-signed.eml create mode 100644 test/corpora/protected-headers/smime-sign+enc+legacy-disp.eml create mode 100644 test/corpora/protected-headers/smime-sign+enc.eml diff --git a/test/corpora/protected-headers/smime-enc+legacy-disp.eml b/test/corpora/protected-headers/smime-enc+legacy-disp.eml new file mode 100644 index 00000000..6f5c9417 --- /dev/null +++ b/test/corpora/protected-headers/smime-enc+legacy-disp.eml @@ -0,0 +1,50 @@ +Received: from localhost (localhost [127.0.0.1]); Wed, 27 Nov 2019 + 01:27:28 -0700 (UTC-07:00) +MIME-Version: 1.0 +Content-Transfer-Encoding: base64 +Content-Type: application/pkcs7-mime; name="smime.p7m"; + smime-type="enveloped-data" +From: Alice Lovelace <alice@smime.example> +To: Bob Babbage <bob@smime.example> +Date: Wed, 27 Nov 2019 01:27:00 -0700 +Message-ID: <smime-enc+legacy-disp@protected-headers.example> +Subject: ... + +MIIG5QYJKoZIhvcNAQcDoIIG1jCCBtICAQAxggLCMIIBXQIBADBFMC0xKzApBgNV +BAMTIlNhbXBsZSBMQU1QUyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCFCJT7jBtAgsf +As31ycE+Ot95phvCMA0GCSqGSIb3DQEBAQUABIIBADEhlzhFzYj6tUAdsRCrSiLl +d9cgKtlAesJ4cDY4szFWAbnwrCmEcFxjFDUOjbfQCYCG80Sxd+xntni73I7PI2rR +QLjk3w9VhLwFRyzy7qyJi2CavjKTxysX9f36+FXA+THfVQRM5ypiyYJg91X51PNX +hJj3DHrnxqKeSl/z1hdt9r+s6XAUCBSvL99BGnODWhNIZtPDzt8fMNcgarfw+D5F +IZJb6+wX30tkztHkpHHKrrDPveyfnlS/p06Gi3ekrrhBtMQMRb9PA/E+ivDPktsm +aKg0Oauw4oZSKW3f4ukYhbnndbbagNsnTfs/QFy/p+hhKTrfCd0h1N8mTzedVX0w +ggFdAgEAMEUwLTErMCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1 +dGhvcml0eQIUZ4K0WXNSS8H0cUcZavD9EYqqTAswDQYJKoZIhvcNAQEBBQAEggEA +FaK5QaPXJ133D2uybQt//oeDm6PkCAFW9YVOgjnLLz6FD54Dt2i1KCQu1Xlg9W3P +1zJdYXOftDgilylNfmt/muEsvbRfFtMWUq0VGirHz//BWmY2cW/ocinFO514iviL +MLE1umsXRNwVIVIk/uh7AmqXjPkRZgRgIMUbSbtmW4DDja+ZM0vmqFQ1iUIlApth +FpjFfPDHHD8isLTbGi2iK6dEN3DIJFGbg5o3nK6yAhVZ7x3LfFNSNVDDSY5mPFG9 +Vm6uRgEE3Y5P6DbXXo6MHTgg0XY2f4y6MEWhOg37NT9aFAfzBBxJ1oSBWpOOfZnV +K1DvAwPaemSRz9oWDcBM8DCCBAUGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIsFkN +8DEx8muAggPgWGF2WsPq3/a9jUa5GA0YFPiINuETCGTNaEXiVxnT0h0CF+EhZ0T2 +HFCiZEM0dzO05zt9WdVvAREaCSh7ZWG9D9wJF9x+tqQbzMuJ2AdKuoOH73kClvkx +pHxANLhkY7hzIqRb/eLG5D7Xh8iCDiFecXDh7EHqD/R+sfLN9aHKOcKyY36kesBQ +R8aHZbbFnnD+oXSDNIPcntGG3BSGMxsWuOp+rpTKeIHWFIungDNKsLIy3kWleENw +FVIcjUF6QhI1HYW6BeXuVq40GV2OOkmB24rYEW1Jg0hAtY+5rn2mRoyxvUC87bjQ +hLu6xgPmhun9J324eM5aYVwkmVBnRW9hyxClZ7Sv0zlL7lGQ0VQG+zWHeJ+h/M2j +mQpLgAUEGxxNCm5ASHuXPIN6pSvrOVplrT8kKLPpmMYEwmTX2/rBO4P8I8uNrqYD +AyX8p0/l2ArczkWzGTz2luBahrD+cTZPApe5SeyXOxWBl1Lmb0G8o4twBeeBLiHP +XwYvttx0JYG/hc/lmMpEemJqwj9uZ3wGD03dIhhDX2Oj4ek/7jT6yqJh8C1H+PqA ++HNfNXsFQDrRORoqJS8YVEiYRDQNyePy2ugzLTh88nPtJp92hY7bk9zl3AYaiVFH ++szlLoyzfM9D+geZemR8XfI2ijGnrWMlnyPah/zA6J6RwemhuiMklZGYG85hMU9H +K4CFVM+m7xYxKpwFVnmkVZjzWInirJhehElhtCXpx/IFGxH9CPbCyEZV1WVStrl/ +0fWTGicMXez6hVQCadWCXy96/eLIXOrC54gSoIJX2TD6jdVEu1YptutyGI6KdQ2p +yXwhs98Uj7DM3nmFeAcjjN3e8pPoX7aG8eP+MfmHlWN6jA44jMaJmIdp9J20g74J +MdjvnHa/cGibW/RamPiFObN0F94A83vcpUfU/zZ8cFHi/3/lN6Rm9+3/giGRZa9E +Y6e2/CEq1cUbPQ09fPwRJmjZCfDce71DKe+ZFGdYtFR7JwDEeZ6BB4Ff4rXctcWD +PgUJqUGv/SXBcFn4cNUK9MYYqVu1ovd/T7FMf+i3c5MH6BRCvft/i5aeBR+A26Gk +2awtBPYdHW6+AslrFjncBbtPDlU6vX9AWuC0k0MQYnNkTWS8gTvsriXJZ6Zu5iFE +ExNuFz7YcnMKnguOn2ph5azzeMm83AYzWXzZPu3mdr5Siuu/Ke38oADKP+BZ08Za +XVvKvvfnRPXO9kG9hgvEMRU9KOcxn82XoGPNZib+9SPa2zYx5P6HX1Bqe/cmKAen +FKEiJLSTP2/pc6AWAICqJl978HaUHfMFiN7jEUppAifpAWqNcIGSW5w= + diff --git a/test/corpora/protected-headers/smime-multipart-signed.eml b/test/corpora/protected-headers/smime-multipart-signed.eml new file mode 100644 index 00000000..f05d2d98 --- /dev/null +++ b/test/corpora/protected-headers/smime-multipart-signed.eml @@ -0,0 +1,68 @@ +Received: from localhost (localhost [127.0.0.1]); Tue, 26 Nov 2019 + 20:03:17 -0400 (UTC-04:00) +MIME-Version: 1.0 +Content-Type: multipart/signed; boundary="179"; + protocol="application/pkcs7-signature"; micalg="sha-256" +From: Alice Lovelace <alice@smime.example> +To: Bob Babbage <bob@smime.example> +Date: Tue, 26 Nov 2019 20:03:00 -0400 +Subject: The FooCorp contract +Message-ID: <smime-multipart-signed@protected-headers.example> + +--179 +Content-Type: text/plain; charset="us-ascii"; protected-headers="v1" +From: Alice Lovelace <alice@smime.example> +To: Bob Babbage <bob@smime.example> +Date: Tue, 26 Nov 2019 20:03:00 -0400 +Subject: The FooCorp contract +Message-ID: <smime-multipart-signed@protected-headers.example> + +Bob, we need to cancel this contract. + +Please start the necessary processes to make that happen today. + +(this is the 'smime-multipart-signed' message) + +Thanks, Alice +-- +Alice Lovelace +President +Example Corp + +--179 +Content-Transfer-Encoding: base64 +Content-Type: application/pkcs7-signature; name="smime.p7s" + +MIIFhQYJKoZIhvcNAQcCoIIFdjCCBXICAQExDTALBglghkgBZQMEAgEwCwYJKoZI +hvcNAQcBoIIDcjCCA24wggJWoAMCAQICFGeCtFlzUkvB9HFHGWrw/RGKqkwLMA0G +CSqGSIb3DQEBDQUAMC0xKzApBgNVBAMTIlNhbXBsZSBMQU1QUyBDZXJ0aWZpY2F0 +ZSBBdXRob3JpdHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMBkx +FzAVBgNVBAMTDkFsaWNlIExvdmVsYWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAw+6t+WXRtiQM8yRjWQ2fbFewCodIZUX6BY02TeZuEXoEAGEsmoON +6LlotcUTdGr39FE2K8IytOKkXVexswgAqBCqv8YjVDrI3yV82wrm5Td32TDlw7IS +igak4ZSu+UowPQs8YO3oxqImP4onZNHvdZ3it9EggmgUyZX0dmQ6z5O9yDzHpLMa +E2rXxfYcPXQwPvx4tcqbTf2htEP7PYnBa8a+sts0F7I7kD5ozGYI9dGg/XGs1lYE +WAoH5YZgNFdbkJdcKG2FPAwFcVZ/hoGm6soxkDKMrYSCtBp+fqH8MV11DP821PoO +vtSEnaF8UURbaths2yKpAB2WUJvgW5xa4QIDAQABo4GXMIGUMAwGA1UdEwEB/wQC +MAAwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggr +BgEFBQcDBDAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBSsLlRapP1VGK8u6GZE +ONEl0dcAeTAfBgNVHSMEGDAWgBS3Uk1zwIg9ssN6WgzzlPf3gKJ32zANBgkqhkiG +9w0BAQ0FAAOCAQEAe+qOGM+8q1UhXKV6i63BrXSOKvd2iglxAggszUC6eMnrIem6 +6mmRzSbcGHCeU6m1MpvYSe9IiROIxjTfsgGUdZbbXtBxSmCASjOBCbphvvtoam1G +i8+LZdOgR2kDwr//TYjWO6vUfXPwerNWMx4cKpFobdmvgLYCeAZKRvoPjJmTEFfw +KO0cCxSifTpTFiwZhFxXKSCTdB6T2rE9JxJfzJqLUrvvEZwpQIt8hX8kym/vKw+1 +cbsl3rag2enVP/f4qg/0mUuzkCI8sLXd+N5gAs9wdUZRcTB0gOnUAH9m7RrpqkdC +ogKdypGEQHj6GiamJAe2WndOp4BZdBtBRzjfuzGCAdkwggHVAgEBMEUwLTErMCkG +A1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0eQIUZ4K0WXNS +S8H0cUcZavD9EYqqTAswCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqG +SIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTkxMTI3MDAwMzAwWjAvBgkqhkiG9w0B +CQQxIgQgGeoQw8WDmjB606EKGR5n1oMuV7Te1VjfA2oB2ebW390wDQYJKoZIhvcN +AQEBBQAEggEABblYEWSnYyzL3jTS3AoPr93YKksIZr5q/b8Y5/1rMxdYxPm+iReO +RHRgpbFQeiqZXzRXtMohfoIkh7RmdQoSV4OpwiUmNU+f0ZEAu8cMVJM6gdyUD+1D +JwDNr+YNLV/1UUGhqx0FExOa/4O92KYBD4eRQw4KDWrkfh9dlSj0Bsl4thrZYGLz +e7ut3FN5TBruZfmqMy50xZ9yUW91YyQUBLiIcuF185y5ZW/aQCxBKBbrNNGXLJbo +8yKFJqSPiWZvwUmVQvfgL182hg823OJTtP4VImcUakTF0+k+BM//qqKXYrlX/tZn +QzG+4ZH/XM1vgHl7ShjHS6TSOHz2ODqD6Q== + +--179-- + diff --git a/test/corpora/protected-headers/smime-onepart-signed.eml b/test/corpora/protected-headers/smime-onepart-signed.eml new file mode 100644 index 00000000..028e02c8 --- /dev/null +++ b/test/corpora/protected-headers/smime-onepart-signed.eml @@ -0,0 +1,54 @@ +Received: from localhost (localhost [127.0.0.1]); Tue, 26 Nov 2019 + 20:06:17 -0400 (UTC-04:00) +Content-Transfer-Encoding: base64 +Content-Type: application/pkcs7-mime; name="smime.p7m"; + smime-type="signed-data" +MIME-Version: 1.0 +From: Alice Lovelace <alice@smime.example> +To: Bob Babbage <bob@smime.example> +Date: Tue, 26 Nov 2019 20:06:00 -0400 +Subject: The FooCorp contract +Message-ID: <smime-onepart-signed@protected-headers.example> + +MIIHhQYJKoZIhvcNAQcCoIIHdjCCB3ICAQExDTALBglghkgBZQMEAgEwggIJBgkq +hkiG9w0BBwGgggH6BIIB9kNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbjsgY2hhcnNl +dD0idXMtYXNjaWkiOyBwcm90ZWN0ZWQtaGVhZGVycz0idjEiDQpGcm9tOiBBbGlj +ZSBMb3ZlbGFjZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4NClRvOiBCb2IgQmFiYmFn +ZSA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBUdWUsIDI2IE5vdiAyMDE5IDIw +OjA2OjAwIC0wNDAwDQpTdWJqZWN0OiBUaGUgRm9vQ29ycCBjb250cmFjdA0KTWVz +c2FnZS1JRDogPHNtaW1lLW9uZXBhcnQtc2lnbmVkQHByb3RlY3RlZC1oZWFkZXJz +LmV4YW1wbGU+DQoNCkJvYiwgd2UgbmVlZCB0byBjYW5jZWwgdGhpcyBjb250cmFj +dC4NCg0KUGxlYXNlIHN0YXJ0IHRoZSBuZWNlc3NhcnkgcHJvY2Vzc2VzIHRvIG1h +a2UgdGhhdCBoYXBwZW4gdG9kYXkuDQoNCih0aGlzIGlzIHRoZSAnc21pbWUtb25l +cGFydC1zaWduZWQnIG1lc3NhZ2UpDQoNClRoYW5rcywgQWxpY2UNCi0tIA0KQWxp +Y2UgTG92ZWxhY2UNClByZXNpZGVudA0KRXhhbXBsZSBDb3JwDQqgggNyMIIDbjCC +AlagAwIBAgIUZ4K0WXNSS8H0cUcZavD9EYqqTAswDQYJKoZIhvcNAQENBQAwLTEr +MCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0eTAgFw0x +OTExMjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowGTEXMBUGA1UEAxMOQWxpY2Ug +TG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD7q35ZdG2 +JAzzJGNZDZ9sV7AKh0hlRfoFjTZN5m4RegQAYSyag43ouWi1xRN0avf0UTYrwjK0 +4qRdV7GzCACoEKq/xiNUOsjfJXzbCublN3fZMOXDshKKBqThlK75SjA9Czxg7ejG +oiY/iidk0e91neK30SCCaBTJlfR2ZDrPk73IPMeksxoTatfF9hw9dDA+/Hi1yptN +/aG0Q/s9icFrxr6y2zQXsjuQPmjMZgj10aD9cazWVgRYCgflhmA0V1uQl1wobYU8 +DAVxVn+GgabqyjGQMoythIK0Gn5+ofwxXXUM/zbU+g6+1ISdoXxRRFtq2GzbIqkA +HZZQm+BbnFrhAgMBAAGjgZcwgZQwDAYDVR0TAQH/BAIwADAeBgNVHREEFzAVgRNh +bGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA8GA1UdDwEB +/wQFAwMHoAAwHQYDVR0OBBYEFKwuVFqk/VUYry7oZkQ40SXR1wB5MB8GA1UdIwQY +MBaAFLdSTXPAiD2yw3paDPOU9/eAonfbMA0GCSqGSIb3DQEBDQUAA4IBAQB76o4Y +z7yrVSFcpXqLrcGtdI4q93aKCXECCCzNQLp4yesh6brqaZHNJtwYcJ5TqbUym9hJ +70iJE4jGNN+yAZR1ltte0HFKYIBKM4EJumG++2hqbUaLz4tl06BHaQPCv/9NiNY7 +q9R9c/B6s1YzHhwqkWht2a+AtgJ4BkpG+g+MmZMQV/Ao7RwLFKJ9OlMWLBmEXFcp +IJN0HpPasT0nEl/MmotSu+8RnClAi3yFfyTKb+8rD7VxuyXetqDZ6dU/9/iqD/SZ +S7OQIjywtd343mACz3B1RlFxMHSA6dQAf2btGumqR0KiAp3KkYRAePoaJqYkB7Za +d06ngFl0G0FHON+7MYIB2TCCAdUCAQEwRTAtMSswKQYDVQQDEyJTYW1wbGUgTEFN +UFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5AhRngrRZc1JLwfRxRxlq8P0RiqpMCzAL +BglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3 +DQEJBTEPFw0xOTExMjcwMDA2MDBaMC8GCSqGSIb3DQEJBDEiBCAKDM98nuDl98sK +i4SDvP2xlxr2SdV/xNVYs6SeGCBRuTANBgkqhkiG9w0BAQEFAASCAQAcryWkSIbG +rrc/aDF1Z4KRnoRpr+fOutQSLV7k0Tgezt+X/kJCIiuLvjUxLrTux1yUWCKUPb6T +KLYASPJpwDXrNzqmGs1pJmWHTZwUhbFVXt16FaQZkDSATtvhQU39Rsot2j1pP/UV +J7+5FPQwNc4dt7MFW7jU4TBHo2VrzjZ2K8ioELPxsixOCAp3ytkhf1Umw6bC5M/u +oWjsa6xzAl4fw5+pxZw0JdbrYn5kmPiekSsYy2/+yOwzrtIYtHW5dY7DoWWXDXtD +cmCGHkO8qry+MnMy3PwvXiX0warQo1fnhXB5tlk2K9YdiDcOtnAshEBXAudnxlPK +JGzeJVUfbfM0 + diff --git a/test/corpora/protected-headers/smime-sign+enc+legacy-disp.eml b/test/corpora/protected-headers/smime-sign+enc+legacy-disp.eml new file mode 100644 index 00000000..7ec33968 --- /dev/null +++ b/test/corpora/protected-headers/smime-sign+enc+legacy-disp.eml @@ -0,0 +1,102 @@ +Received: from localhost (localhost [127.0.0.1]); Wed, 27 Nov 2019 + 01:24:28 -0700 (UTC-07:00) +MIME-Version: 1.0 +Content-Transfer-Encoding: base64 +Content-Type: application/pkcs7-mime; name="smime.p7m"; + smime-type="enveloped-data" +From: Alice Lovelace <alice@smime.example> +To: Bob Babbage <bob@smime.example> +Date: Wed, 27 Nov 2019 01:24:00 -0700 +Message-ID: <smime-sign+enc+legacy-disp@protected-headers.example> +Subject: ... + +MIIQjQYJKoZIhvcNAQcDoIIQfjCCEHoCAQAxggLCMIIBXQIBADBFMC0xKzApBgNV +BAMTIlNhbXBsZSBMQU1QUyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCFCJT7jBtAgsf +As31ycE+Ot95phvCMA0GCSqGSIb3DQEBAQUABIIBAFbDR6j4ZB/Mo9BQygYItwFc +P+4rO4d1ak51hc1DpSqyhiMcGahA3yxDRbZ4W1rbmC/s3d5+OWXKYgs1nNMQJ48F +f45BtNTNslPZ1+NZVbkoVJO8Bxv1rjB8/qWuSUsroqzn9enS8DUBxxPL5aSWKQQN +G2IaH9BUkMXLPUYA46GATly94IS4fZqwBtNNBP5eiIIPc9Ogjy+7At5GG7rVMN0M +G5FL0oq52SYUe1167jp378JI+2dkA1q5+Cru/ZE2Rdw3DrMDAFO5GwC7fWKg4zPm +IHZj92caVj1IyfTmGogT2o5tLMqn61BkptqxZwHDr3FI/aYo4vcHgmlKR/TdbHww +ggFdAgEAMEUwLTErMCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1 +dGhvcml0eQIUZ4K0WXNSS8H0cUcZavD9EYqqTAswDQYJKoZIhvcNAQEBBQAEggEA +hXeYVSUsT1EBZ/+AjwyEcnlM0kuFMaNvGlBMhAZzAsy012rrZTWbqWkcA3abgm/M +CuZX7mQL0I79KZdmClGpLx6gQFjLemHaClQV0ZNdX4DxakWuME/kCMqbo4MZXStT +a0MHlKUdoMt72Rz4YBzNQCL7ePaii5w6Nd2KD7yJAirLYUMJEjVweVaMI9y9LmbO +vb0g0iuoUe0vp9B20LRcIX37nN5D1GG4tHLPjBD43gC8iqxZQf0uah2cWD1mAG5R +oBgIDKXPy2eVbcMdSaOirDKYZ49WFe9Lad9q3mHHbFs6K6/yuBm/thMEdCJKZTHo +jiPvYdYF8IJfEd368I+DujCCDa0GCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIsb1a +JX/RU9aAgg2I0VXWfs5fc/Yad2qvawUVNX+LObjA6/+t9WxuV2emOeBYzQGjo7q+ +xaIXQwbbF1ej27efGhxUYDwBNS56c0uI0Ta7jxv5OFZhzQGLRzoFp0bbZ+uVC4eP +bFHarRQiPzlg900XASO0RW+UOtqN5raZ3Ry2lKwXxuStZ0pX666Rz4c8PrmMb4/B +aQYn6iKcT6fDU2TpSbWY9iph6kZczSeewK+pIj9nXfjDKXScs8D2Raezev2ciq/V +ZRpRH8JxieimI2yeBmEzTCq11TDYycDfMHB6reGaiCGX//8kAWtskzRyNlV61unY +ZKSNhVKLwKmCQh1V1Nd3oLApT41EeM2oWedUqNBYqB+XGCD4DUYdm1e+4h73d4dn +JTkCdadxEn+9RRvZ4YMlw3mvT997Dy3rTXT29dj14TstZZf2O63pY0TpYy0HZy6Z +Jug1qoe/vdcJ9SPOSfJE6VWCeVjxB+eGgheFLKqzK8Hs/Bm0/wDKpSFgEpOPnkJ4 +HJ2Uzgn1Emo6gBDJt+qn3s2UnowcMsTgellhKvgzVq59LTyRyWL5U8XMBsXT4qjm +0LkRvDkOIjMQH7kqvWbpPlnWpLKo/VVoxifldEegWAqFVrP7f5Y+nNQttAYV79uk +MXvR+5YFkvmQAerfllPqXBJdbB65ovikSVsy/kAboGpRG1oAZ4ODdwdGyiGIzyyc +lE0x/8+gY8BqWzRtWX4GySKyZ50/+xkJe5ss0IXPCgq/09bdihsRn57v4V4SpdDO +k3g/Dce+LzCRL8uTbUhrhZnjKSjRc3fFaD/BpLYjEDbnGF0ICslN3vb2xWUK1u4M +uUH9r7lH/DCb0+TxIBtxOnP7W02bz8gGJAxEVEqk6pjxxOYqfS9/uBrrAY8P21Y9 +PFLdeHzEdYemq3il+4S7OU3uNUuAYijxmCRs7JQxZ9puA0iaTME9gK1yikzsLtVZ +f+9osk2nYgfXvlL0AiYabd5cU2GNW33TkdDMNBsB7lx77J9erVLZpPKNo4vgHA7b +owrDaYe0AgcZm79fvmR0RdtIZI91MouEhkdhaPiXmypmszjR/M0Ot3Y+oU/ks+yV +Sle0S0h4V8wJRJYG/9VVurm8012ke2U3EGFlVnSv/IYtpssC+U4McRCmakKCrGU7 +OhL5JKBQN/DFTu4pV39IQlLLhg3wzA2FSkyIL5gEbS6sP9GTPo5LlNm2nYfJQX9A +sHKSrfh68dvjSNExxi/8hdmFnnRwbAnUCI/WObGOkKdheOfdQ1AAHtLO7G65X1Cx +RctbAJWa93M+iRUN6qnB+vIbPPnI1Mc7i6mPYzgtPrM9bYqEZz69pQtHcGTfxOrU +tm+/h36CRzJBfXodBZbwQ9mZAzfkKdlArlZYIeBUw3ORQnQ7UlJgG8KsZpUhTxCc +gvMoExtlvkXcYLRUBFfZWyOi6FePzQjuCK1w58OdweJgXprEAWSvyxhmVdg4jUpX +MYKE0tZI9xwujyWjACO0myYqTdmsqyds+BgfBn96XiA9OFUH2C0/GAomhNs8uPSO +T3Gt7Ld/FByxEVrtl9A37X6bAwZO01j5tHmdXFPmMVep0R8zsWtPn3RyGAjcgcq6 +50wJRwhvofdI7wilZ0KUBsAaPj3MK52cRyD19VXKNNwt2bLDV6gcWQ8+QEMusxfp +1Dc9N9DSs+w3lGsFfpoeQ53/fXcVNJm6Bv89bH9anLGYdCdRGvZsvw+xRuglykqb +xLtL2lB6wzlRFREJoWTzCVsdpIZ8znPmk1cB0wDlbMeu6sddHmv+6fpyuvQfQmdj +D8WLRTuyxax94TmBlhJCFYxmO/y4Ivlx5C60GIRTkHpBYL/M0RjrbIszXEqcogzU +bdwjLIhdEnpJ5vy0uXwhltce8BDpenmHE7y1kHvPBiUG3vB7AIXqhohFsJU3AYUj +d1TvFKS2AsizUTLuq0Ydbnz3AxMfmnZe8qYkNu2zRygL2xTa58f/MwsHKakk3OmS +9JFZLrkkVWZKXoARctuahYtWBAsykaWVNnB6zGcdX1MGVccl930Z6QWHyydtZpQc +ivNdEGdGv9B0K7/ngNdVgD5Wd29AMMFnS8+55mLfRZDCjUmshSySaf6Ein4HD9Hr +vk6dJvBPjnI5UjeUPjmH+wcZKIjLHW/aV/6/zoxzBh61rWFlr/daec+CFZE/+epr +LRRYSmv8oY47fF4duDDhoexcvP/CH+A2Hr40OfciL4vKy3nuUDCNa59xO9JWv4NL +n3MQypC9bcaVPkXa7TK3ECq1Jgv8gwfdh5/ovG5OdZA4uIcO+aqcskt/PD252c63 +0Znww3RXXf46KT4GdKO5A377ixkUMkznnCMvottmkPxjnhQjAsQg3bJeQk8EoX8f +Pq0If4i7SRBSDtb2OH1pPmk0RVPtxlRDTVj3vS3Lci4xADFgC09n9nIvPO/55aau +O6StbJtLmpubS5giuDH3uftwuyRiLqm3gtbSKPdoTk+dJhHXbbpBknL4XYTPxSsR +IIaRds6w30vf7/IscyunMcquJlsO929SSa93UevKEIZbqbV9oGIqwkiUMdVZK09g +rW0F//Ts4a5nYdEQth/fq3JnwqeHvvUfKdasK4TtrTnUBX7qZk/K3Y1fZwjKdd/8 +t9t1z7Kb2d9hWwtY7xP8liDluVFTsq8NM54ZC2218X5ViWz1yFmF2LXvRixsmYJv +Tz8lUUnC2B/Etm1kkU4zrYK0/L77EikKVl+B7BXfEqx6ow41j7e1YZYaqmZ9mph+ +UieSdzqVYxhPwT25DrkU3r74iS28gKsbFhUaNklaFOO5iDWsKgBXT+wdZqlYQ6Fo +oPe66025iJMwK8t+d53jEduHezHO2sTMAuf2hpdaZo7+rP/hRTReAR6CmI7nkWhP +z5Kno9S+XhiSP+WTSpsoA4ubx0T94mL8NOVvSZA76TZ3ObVAP5VI/bwv6Grighor +Kpsjt7dhSJRv+RHv95sAWBeW1Fgv8XOPSAZOmpJV2qc3x3Qmj0MXIR+7+3GlUr8+ +Dit3CE1hwtxgOW0tc8kuBTfQD+wNSa9r0eUyFscEBBljpEVbLjgjVdNv4Hc+fsbT +g1JzZuUIDQZoEO2xLjxD+I7vLZKQa0J1JeZ7O+NqmSxsvSnwCWtJEWNMMxYNfwsP +rdj1zPLqn3rzSBqhroNbaDGn86BTwIqfhr+AKbvevxS6bI8IbyKm9u3BFr9cuawx +Sp1QM3NtqNStV67qR4A6U/ZyPUJdO1bxo8F3oRmJqOt7Jc93rFgkhBJ2+eMtrA75 +Om5tB9LBVSl5U5yLP0COO1QE5pqk5yuhJLT9Dyss8bWDRbSWKj83e4YXhPnq71Bm +001czylLVNUlDc69Tf7FXjtIxh2yjvOT3zeLBPXOjU0it+gAma4vgrh8/mMXnNiq +OLsVow8aKqm+Ofd6m13K5riDFgXgNI9lbvPKUSWlEqDMEqXk1oAqD4Nb5NTGSFpQ +Q4G+cHAxJCu7vcXBaZnP8uMP5IAkdg5jIPvvMRwg/aqkl/KbL98oYZ5+1xrOMuKA +LT1uCJ4MMB0lWsa1He4jPe8LneSupw7vAXlbo2VzcOI6oCSY5hV+cGQRY+LjW81q +Cu5nLq8bwgnZMSlPmwr0YrKmvh8YKyGOrmTadxykC5IC+XbrLDsw2Jd9mLIjUQ/V +4ibjeb+e0QGob22WOplCLnHGW/SnYei8KG1dxs/ahS+8vQdrI880ZJx2QJnrz0Ej +ux6tKv4mvUkqYA5hlTFeT3PTr54yA+YLcCLMfBDx4ykPQnYUBj7ONHuNSUYt1CJy +faZ7cWAbhgH+wlTFdVBVeW5D4FRbM8dMTPXyfC5ygwTJOiDu3vQKyyDkmiX7sEaC +P1JN2V55uacyR8ZAG5+Mlc4ZMx83kAIZZXTCdqa1EX8yda31FI2rDHmvW/82bmjL +pvI4Nnn9+zzJtDVCJ0B2VAZ3Edov5GzPikm3un4+mvyhUZpH4sbT0+VhPCsr1+zn +bDJyNw4AswxaaJKh2+7wBiU6h+9TP/lI8SAJHtZL7zHBH8tD10ptksLRWDs9vYqp +/3T86S2vxJL5DvLFJSAZrYOE3InS+keGmTMCdAl9I8zIworC/8uQp0N8ESebEVjA +aHotBk59lj/OW4JZ3tQkcdQWkpnUfW/x9xE2wthacHlRzYDDsFByjEqkQr0MU8VF +EGij9RCC97zyFrhv0xJm1C6wX0pcuEcuPTNBf38WyBTIfmVHHz/I5YKk5cdWG7Hq +fmccV5GKrs2BseR683HM+/u50sq0km9UrqjgFR1DjfDoRKp0guP9PqkJAnwG2nv1 +hmNtXumzkF0otP5LDKLJ84MGP8Wnb006iEdD48Lra+clRAIIuLX4A0wRQjViDp7n +OByI6ZcQd4DTMHnFPRvMkNMLYn13LghD6P9TTjQZ0KCOCwmc2TMCIhJlvzOYX6Cc +wJZYLO1ltgfnHEuh8ijv0u3d/BUpsknYKBSJGUyMEZ9iUtbFPVfXBGSTi3gcWHtl +IrM7wjswJwHWSvZKWUs+YWWJTwj0apG6ViGllwOAqR9C48uLKgFWPbMoTpolnp69 +eiij5ZHxB0i7SI80D+r65b+fqaFzVIJXVEI0zu/mIilbYBnGkhLI/Naw1m2e1qVJ +mi1JBjXLAT3pEJDh8b3Lpgw= + diff --git a/test/corpora/protected-headers/smime-sign+enc.eml b/test/corpora/protected-headers/smime-sign+enc.eml new file mode 100644 index 00000000..aa09d19f --- /dev/null +++ b/test/corpora/protected-headers/smime-sign+enc.eml @@ -0,0 +1,95 @@ +Received: from localhost (localhost [127.0.0.1]); Wed, 27 Nov 2019 + 01:15:28 -0700 (UTC-07:00) +MIME-Version: 1.0 +Content-Transfer-Encoding: base64 +Content-Type: application/pkcs7-mime; name="smime.p7m"; + smime-type="enveloped-data" +From: Alice Lovelace <alice@smime.example> +To: Bob Babbage <bob@smime.example> +Date: Wed, 27 Nov 2019 01:15:00 -0700 +Message-ID: <smime-sign+enc@protected-headers.example> +Subject: ... + +MIIPVQYJKoZIhvcNAQcDoIIPRjCCD0ICAQAxggLCMIIBXQIBADBFMC0xKzApBgNV +BAMTIlNhbXBsZSBMQU1QUyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCFCJT7jBtAgsf +As31ycE+Ot95phvCMA0GCSqGSIb3DQEBAQUABIIBAKswTlBs+STeesZIYAf7Gqsj +Za0rdUeDTSxt8RCa010EHb2lqKzHRwwPJkClLm6Glb09nYnQiFrEl6jbWTG3hMRD +OSt9kyqeg+MxXr2g4LoXAT+8hg/qBoF//tX+bzxhx0gx8wjxBc3bvp4esCJro7Aq +tx56BtVsIO6TA0NT0CaOcnMhIo09raR6JQX+DoPynKeXihny6TFDP7eopCgorCfR +o59O3ZMvaui6Q9KixZy3Yae8fa0ZdJu3FahIZTPdBHzbmirLxcYgp+cbTpW+Yno2 +X5GJ8eq8Y0qcc/8r6Xd3REarUxO2YbO2D6cgDj+aNnnsoG1/9psaYl8W1MSc2/Qw +ggFdAgEAMEUwLTErMCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1 +dGhvcml0eQIUZ4K0WXNSS8H0cUcZavD9EYqqTAswDQYJKoZIhvcNAQEBBQAEggEA +RHhTarDqNLzXSaBokp2L3EwDv11KiGtMSMUQuPelNoC2nNYU1yzAF4jd+1UUo4Uu +quiHg5Hn44a9MejrVmQRLd5IEJiZGD8m5JguuOjn0ooyA6EEWUpMn6hOAKlaCiXd +kwTivKfhQFJe9Eb6TKqtvT2IEu3kXFfJKi+VyQw49+RXBmajDKJoHtumMJs8k4Ll +kJah+wD+snwHg2LCiJeSVHmpf4RvSiIJSvk206IeTxN3JecNbBpKLtIoy/CjWEZv +G3Pj/zkBbb+XhHbXo+Zk/e3aLToVG/cldx6Ti8zArOYNAzgt1G7dmJ3mnNPitEwN +O4qIozhT2Qn8P95AEV5PsDCCDHUGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIUzdf +vwulBs+AggxQMK121v6lO7W1r96RW0rsOHzsIvGyfyRTT1UuZRxVL09BQZstI5ss +5Zv8BogoKA0mLaNBKM755joUbzF5f/jMYhkW3q0Het9/HRH0mOnCSnoT4i2yzNdi +0tj8ixPT4sgPe9FOTkke9CzoJ967kj9D8u7Ik2goojttt3ViJkv3a1qrWDMiJRIJ +gOTTA6ZaQep5L92vtCobhD+i7iaktEpmbYucXs8jjMmwyxCFxHXGD/fwDk3UDgeu +8a5f66YepZdbLKB61A3rBwJMvQubuXEIEb04tG0Fgwx3Ao2NshN+XRk/y+uhQKdC +5ZduTxk5sokA+H4nzVv0IUkAAI+8FwY5ZWFGlncKUM/wvrGHQq3R/utChFauOHxD +7vZQLM91TcQzVWdHfJGPtp+ekjRlu9UqatQgc1ogObw3PGYlJc90Gl7AZHAsYncU +jsMbdsweuFuYNHJ8lR5VMo6L4bCNMy+tQBOfYTF1el+i9S3r3SWdBP+uLiKgDQ52 +/o4shxoi+YOf9k8wRR0iDKqwzcJuABplpgA9qjsQNqBKF5t5p3l3ihH1mfh8FaPL +ab0aDC7uunY5g44qXcG9YS+j5wUFuxgYyGkVcJq3xIit9YbEy8uPxJFz4g0vNC+r +uUSsztbLyHkhv7vnCTAlmjgG9eDpW/tEC/85pLOV1HUooD05eRfkjU+1XsccX8DG +iCax2C6W3cc1SC/d3a1+27OcgvPdDcb7zuL3v6qgqbN+7GDrcQHQRFMd2vd6+xGk +NWZQMBZVHmdCcKGl9YaH0RgkGH5beTRKEV1wBafuVOwTEwl/FuZzD4oHrOaP3GLO +cLxi44her/hNxtxDc2Lw0VQcxD8A55OkCt9+u9M5/YPj41FWyH6kdh86p958gzF5 +EpwCnQDe+s7OrwFVV00DEJhqtEcxRCSSW8dS4hVEhVxQJ56liJP+VZ+LTUJBelt4 +mfSpSqxeJnmyY0nmhEbZKVbK95a1WYMJCEpk2n1g/bQGqJKRryGwbEF9WqqHuvPo +Bv/BfinoUL3Kd3g+hgSCR4mCg5EhEsCx21jEqEggzb2XMcA+knGUYxSWj322pZfW +LDh50gkL3GQSmm9fOvjdK40GwZv8HUdLXuAQ/J19PafMaDkd4jzRi37VBqdDgLY3 +u6K+oFKhG4oqQYa/er+ZGAqqldTmu8HGCsjm6kGZvSAocJg0UnLPBNI0/iB0BYGf +KJk302jy8kfAXGSiWrYDNbTuDzFMD0zsbHbM07AOOROGwKv5TxAF1EHHTxGb3IKI +jRkVBL7QdRtDH03zlxv0lnFwiuCrzLrQdUuEG/0wt8RaNr+p8hAo0YEGbB9jmbax +CSLLWeNbMOo8eIi3Mft4qmDXp3TEuHHru8kbvA36vQ8+dunSf2BcecyM6UAYBqaw +SCcxQmEcyMuyjSLVerVfMl5lwlmM+qabxHq0hpJHnCR3Vl2qX3CiRWpVlNaBVyTf +793bAm7DU7G+Tzt5gdgE4s41aZt8fFXyclhH1QLPNSnctxJjuW1gJJ0h51iCQJp2 +TgzDw35oqvBxbN3yqCFjScsQXPXYErGWkLrAkUurff4x/ZAizFkmjjdpyaIK9JBw +QRyrYYQ8pJhXJe9BrP3OS6evFlsWZW1MaoQcOUMWsuVucE0e4AQRGlPixDjJWW7L +I6AQ3KUW6ggzDJksaYHDiuEoBa7vcYoTar+/AhNjYMjkQX/3kptQryqy+xke0t8O +EPQER0Wur2IpvM6YsvI/SoeFwxMb4Zm5AFvvibiCCmmoJc4A9E1tZ/sMstHyZ5iu +tJqu1M5B0DIoFdB5pzbZYCkgN2n7EY23JS7E/ozOrzYuOIVUJVtB5awqmuSLmI+N +R91g4FMEfLYC1HYKYlaknX2zmrx8+Z8MEJNM2K0q8wPBnm86OpGeJmlZhFwT2x0R +eJpKcfLGroXYh2Gb6BxwIfKjOOTXCoIFP02JbTJ7clc/2ei0BN6JxywPkH4renaP +SkuNBgbexfZGBhMTlR+CtKLEUmw5bxBTDwjjcvzWDPhy/VurLQxhOqYnbhZW21SV +4qMrJ4uGXEhylnP0FD+HR4mB2epYcW3dFj4cGN3B2Y5NnOTw0Z7fi4S0BPdvYjP9 +LL5WZ6p90mII9wcunGCRnLUUYumRnIbhVHIBTTIRI5PUSVFfEuotrDZ9oZcwYkO7 +fQX21gJCzvJyp8ft01HX4Kc4mN/FMPgGcmq70N335yQ4mQ/eSvTNn7E+35ZGn9f8 +PI7QPJRhdUkBZCnwyv+OwK2VzySxnqNfPaZk168foGRd9eFCw80L4U+SuLDQH6ZT +o++VKk4Ce2jx1khoig16wic0dVFwt4bmybNz4u/qdobYr5fs7dKPHHO02SBvAl60 +16foheiBtV2VA8mEBA1BhcNmKYegu+RGhmGfNDuZB8XdbPQ6M+N+ilEj/6rr+wgD +gcmEyAGNwJkmWpbyrm9M4lDtzemv5N5V32ppGizEt6c0xlkiULllwGdWey3+YRez +7b+Kl/uIpDuRbp5Tf43dyPsy/cx4DNm5kAB4CcyyVlXPaqXm0llEPYBmaMW3O+D2 +5v4Wj1qwIRO5qgI8FyVnX6sm/oucfg5l172edaCG8f42gIMNfQBgWVMsSG7Nt00x +dJo/OGtACwnY47ohMFG0BejWueAksdnqVWCIto989iBHgegNx5jUCycB/YOm0xh0 +pfeNjA9PwZMUpjlqrjDFIan/UFYAZH5ISSV7G30oRKJ3TTEshShXP2K3cn7Fa9W+ +H/jyTEQGfCiTq7Xx5FrOIJBmKjylkF7oGlIBxJgKKRm0iD/sGNTaSJ6Pl8/K6dEz +zsMwEFTawnWVq32Xn3d6/+FADZ9lGhC5WwVgaQHRb/9Ejt1mBdptmXjEj5w0YOib +xFer54LrQgvBWEYRqDneh3bI53BudbTl7YitqULVGETe+k1T0NbcyElrr2Y/NKHk +rPMarAfByookkJrDtVh3VrAm2ows7OwvKGyoNybjlyczjt7xosatZ1xkgb9mtR5i +E2l9ajSR4SzQjHoboRyOCwl5ZgLV/+yp3jTkNcUkFDRtkVbGfascBIMe0ifUGfvP +mJ9AQHZxdfm99KlQjCZzR8CBUvR+zsT43jr91CQKSSEvPMl6vVRV2thiWw3VGgP+ +c8i5zj6+zCnlEdSWiIeFwOJ9/ewKSdU9pGrA0OQtXbYQlDCKuGK1Vgy6jJCeglDH +T6gVNy5ip593wWWfOVxVEWUygi6JCdS27b5+P/wlNjTrzpZ4yWDCpyogyrT1gf1/ +GgvdGuWWinKSLOyh1fJ1p9WoDWcqH98QhJXLV+X3OC+tmMofytmHgXN8jjVsWSRa +VWrFUarMs2hZDWf6e6ncwvMC8QliiszrKXQNckxvBuh5hug9WKurVj4CIWnoqXFh +OqlO+VbqZSj+TT5pCN//370vsIZIn5UbrpDmUP0rUvdTGz9iWQRUl6R2g2h286s6 +pAGHv9luXCoPJ5uPTwcbBSl/js6J+K5McyqRl4fucacfVFnMuDpET/tT1eAROP3F +DOBKqV5YOO0rWMexzMLJUEQ/eGSwfp7wv8on7jeGxAexMqyWCrhRk9G2ZwiT4L7Q +rX4NIDj6oujCCkeFUATs0pGKwEFGmpbEUfDOsioWoVYJZPsO9kAGq6bhbKACOkeZ +v95ha/3CleYXGUUNtzLsCx+c9Zp/Wl+0PcT3ZSWhmRbXiIvz+ntHVe47PHxbvH6a +ZG7YGc/9u3jTvJJyYtQO54uGET/eFWSxCUo5/VfsheOuLdXN7JnVi6ooF+c7WUZd +61FwfDwNf8z0GWs3EotozrWyBgKS5VFP99vZM64nSqu9v5PSzmb0AY/Zc5KhVXVY +zQqmO3keXq92Fejtgyd/O9ITZf5GkMQVU7+IT52JxFRQplkbTHJj4HRGtGHtIyPW +Rmf9qSZz8QgVyAUKK1k+kLBJTHN3CWIB6S9hO42HWEFvLVl8wPWW5aLYTsVMGnMU +aZ35M35odjrvY9B0INMpL53Hm7qH1w/h9QCv+xsFmanYsoylwbuKW2TcSnWB74C7 +Wy0NmCkaM+JweOgygffWicLGJ3jKWccykTUZtodz1ectNHh24puZICnvfzwjte+n +eSQqJfHMsra6V8BcshpwmvPylHnkU+2KyhQ8430OR/qaXAYJ7EWRBEFe4EIpxzfL +zQF0LwbhpAstpcjOlJfEHmQiWx8ASzE1LMSfZo148sXYEWsJL7t5tWs= + -- 2.26.2
When consuming a signed+encrypted S/MIME message generated by emacs, we expect to see the same cryptographic properties for the message as a whole. This is not done correctly yet, so the test is marked as known broken. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/T355-smime.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/test/T355-smime.sh b/test/T355-smime.sh index e92a7b16..f3956a34 100755 --- a/test/T355-smime.sh +++ b/test/T355-smime.sh @@ -88,4 +88,13 @@ This is a test encrypted message. EOF test_expect_equal_file EXPECTED OUTPUT +test_begin_subtest "Cryptographic message status (encrypted+signed)" +test_subtest_known_broken +output=$(notmuch show --format=json --decrypt=true subject:"test encrypted message 001") +test_json_nodes <<<"$output" \ + 'crypto_encrypted:[0][0][0]["crypto"]["decrypted"]["status"]="full"' \ + 'crypto_sigok:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \ + 'crypto_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="616F46CD73834C63847756AF0DFB64A6E0972A47"' \ + 'crypto_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Notmuch Test Suite"' + test_done -- 2.26.2
These tests describe some simple behavior we would expect to work if we were to correctly index the cleartext of encrypted S/MIME messages (PKCS#7 envelopedData). Of course, they don't currently pass, so we mark them known-broken. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/T355-smime.sh | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/test/T355-smime.sh b/test/T355-smime.sh index f3956a34..14e4531d 100755 --- a/test/T355-smime.sh +++ b/test/T355-smime.sh @@ -97,4 +97,26 @@ test_json_nodes <<<"$output" \ 'crypto_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="616F46CD73834C63847756AF0DFB64A6E0972A47"' \ 'crypto_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Notmuch Test Suite"' +test_begin_subtest "encrypted+signed message is known to be encrypted, but signature is unknown" +test_subtest_known_broken +output=$(notmuch search subject:"test encrypted message 001") +test_expect_equal "$output" "thread:0000000000000002 2000-01-01 [1/1] Notmuch Test Suite; test encrypted message 001 (encrypted inbox)" + +test_begin_subtest "Encrypted body is not indexed" +output=$(notmuch search 'this is a test encrypted message') +test_expect_equal "$output" "" + +test_begin_subtest "Reindex cleartext" +test_expect_success "notmuch reindex --decrypt=true subject:'test encrypted message 001'" + +test_begin_subtest "signature is now known" +test_subtest_known_broken +output=$(notmuch search subject:"test encrypted message 001") +test_expect_equal "$output" "thread:0000000000000002 2000-01-01 [1/1] Notmuch Test Suite; test encrypted message 001 (encrypted inbox signed)" + +test_begin_subtest "Encrypted body is indexed" +test_subtest_known_broken +output=$(notmuch search 'this is a test encrypted message') +test_expect_equal "$output" "thread:0000000000000002 2000-01-01 [1/1] Notmuch Test Suite; test encrypted message 001 (encrypted inbox signed)" + test_done -- 2.26.2
This test does exactly what it says on the tin. It expects JSON data to be parseable by Python, at least. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/test-lib.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/test-lib.sh b/test/test-lib.sh index dd7fdfaa..6f47994e 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -524,6 +524,12 @@ test_expect_equal_json () { test_expect_equal "$output" "$expected" "$@" } +# Ensure that the argument is valid JSON data. +test_valid_json () { + PYTHONIOENCODING=utf-8 $NOTMUCH_PYTHON -c "import sys, json; json.load(sys.stdin)" <<<"$1" + test_expect_equal "$?" 0 +} + # Sort the top-level list of JSON data from stdin. test_sort_json () { PYTHONIOENCODING=utf-8 $NOTMUCH_PYTHON -c \ -- 2.26.2
Add a simple S/MIME SignedData message, taken from an upcoming draft of https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers/ RFC 8551 describes a SignedData, a one-part clearsigned object that is more resistant to common patterns of MTA message munging than multipart/signed (but has the downside that it is only readable by clients that implement S/MIME). To make sure sure notmuch can handle this kind of object, we want to know a few things: Already working: - Is the content of the SignedData object indexed? It actually is right now because of dumb luck -- i think we're indexing the raw CMS object and it happens to contain the cleartext of the message in a way that we can consume it before passing it on to Xapian. - Are we accidentally indexing the embedded PKCS#7 certificates? We don't want to, and for some reason I don't understand, our indexing is actually skipping the embedded certificates already. That's good! Still need fixing: - do we know the MIME type of the embedded part? - do we know that the message is signed? - can notmuch-show read its content? - can notmuch-show indicate the signature validity? - can notmuch-reply properly quote and attribute content? Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/T355-smime.sh | 77 +++++++++++++++++++++ test/corpora/pkcs7/smime-onepart-signed.eml | 51 ++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 test/corpora/pkcs7/smime-onepart-signed.eml diff --git a/test/T355-smime.sh b/test/T355-smime.sh index 14e4531d..117fa2b9 100755 --- a/test/T355-smime.sh +++ b/test/T355-smime.sh @@ -119,4 +119,81 @@ test_subtest_known_broken output=$(notmuch search 'this is a test encrypted message') test_expect_equal "$output" "thread:0000000000000002 2000-01-01 [1/1] Notmuch Test Suite; test encrypted message 001 (encrypted inbox signed)" +add_email_corpus pkcs7 + +test_begin_subtest "index PKCS#7 SignedData message" +output=$(notmuch search --output=messages Thanks) +expected=id:smime-onepart-signed@protected-headers.example +test_expect_equal "$expected" "$output" + +test_begin_subtest "do not index embedded certificates from PKCS#7 SignedData" +output=$(notmuch search --output=messages 'LAMPS Certificate') +expected='' +test_expect_equal "$expected" "$output" + +test_begin_subtest "know the MIME type of the embedded part in PKCS#7 SignedData" +test_subtest_known_broken +output=$(notmuch search --output=messages 'mimetype:text/plain') +expected=id:smime-onepart-signed@protected-headers.example +test_expect_equal "$expected" "$output" + +test_begin_subtest "PKCS#7 SignedData message is tagged 'signed'" +test_subtest_known_broken +output=$(notmuch dump id:smime-onepart-signed@protected-headers.example) +expected='#notmuch-dump batch-tag:3 config,properties,tags ++inbox +signed +unread -- id:smime-onepart-signed@protected-headers.example' +test_expect_equal "$expected" "$output" + +test_begin_subtest "show contents of PKCS#7 SignedData message" +test_subtest_known_broken +output=$(notmuch show --format=raw --part=2 id:smime-onepart-signed@protected-headers.example) +whitespace=' ' +expected="Bob, we need to cancel this contract. + +Please start the necessary processes to make that happen today. + +Thanks, Alice +--${whitespace} +Alice Lovelace +President +OpenPGP Example Corp" +test_expect_equal "$expected" "$output" + +test_begin_subtest "reply to PKCS#7 SignedData message with proper quoting and attribution" +test_subtest_known_broken +output=$(notmuch reply id:smime-onepart-signed@protected-headers.example) +expected="From: Notmuch Test Suite <test_suite@notmuchmail.org> +Subject: Re: The FooCorp contract +To: Alice Lovelace <alice@smime.example>, Bob Babbage <bob@smime.example> +In-Reply-To: <smime-onepart-signed@protected-headers.example> +References: <smime-onepart-signed@protected-headers.example> + +On Tue, 26 Nov 2019 20:11:29 -0400, Alice Lovelace <alice@smime.example> wrote: +> Bob, we need to cancel this contract. +>${whitespace} +> Please start the necessary processes to make that happen today. +>${whitespace} +> Thanks, Alice +> --${whitespace} +> Alice Lovelace +> President +> OpenPGP Example Corp" +test_expect_equal "$expected" "$output" + +test_begin_subtest "show PKCS#7 SignedData outputs valid JSON" +output=$(notmuch show --format=json id:smime-onepart-signed@protected-headers.example) +test_valid_json "$output" + +test_begin_subtest "Verify signature on PKCS#7 SignedData message" +test_subtest_known_broken +output=$(notmuch show --format=json id:smime-onepart-signed@protected-headers.example) +test_json_nodes <<<"$output" \ + 'crypto:[0][0][0]["crypto"]["signed"]["status"][0]={ + "created" : 1574813489, + "expires" : 2611032858, + "fingerprint" : "702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB", + "userid" : "CN=Alice Lovelace", + "status" : "good" + }' + test_done diff --git a/test/corpora/pkcs7/smime-onepart-signed.eml b/test/corpora/pkcs7/smime-onepart-signed.eml new file mode 100644 index 00000000..070303b7 --- /dev/null +++ b/test/corpora/pkcs7/smime-onepart-signed.eml @@ -0,0 +1,51 @@ +Received: from localhost (localhost [127.0.0.1]); Tue, 26 Nov 2019 + 20:11:46 -0400 (UTC-04:00) +Content-Transfer-Encoding: base64 +Content-Type: application/pkcs7-mime; name="smime.p7m"; + smime-type="signed-data" +MIME-Version: 1.0 +From: Alice Lovelace <alice@smime.example> +To: Bob Babbage <bob@smime.example> +Date: Tue, 26 Nov 2019 20:11:29 -0400 +Subject: The FooCorp contract +Message-ID: <smime-onepart-signed@protected-headers.example> + +MIIHRQYJKoZIhvcNAQcCoIIHNjCCBzICAQExDTALBglghkgBZQMEAgEwggHJBgkq +hkiG9w0BBwGgggG6BIIBtkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbjsgY2hhcnNl +dD0idXMtYXNjaWkiDQpGcm9tOiBBbGljZSBMb3ZlbGFjZSA8YWxpY2VAc21pbWUu +ZXhhbXBsZT4NClRvOiBCb2IgQmFiYmFnZSA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpE +YXRlOiBUdWUsIDI2IE5vdiAyMDE5IDIwOjExOjI5IC0wNDAwDQpTdWJqZWN0OiBU +aGUgRm9vQ29ycCBjb250cmFjdA0KTWVzc2FnZS1JRDogPHNtaW1lLW9uZXBhcnQt +c2lnbmVkQHByb3RlY3RlZC1oZWFkZXJzLmV4YW1wbGU+DQoNCkJvYiwgd2UgbmVl +ZCB0byBjYW5jZWwgdGhpcyBjb250cmFjdC4NCg0KUGxlYXNlIHN0YXJ0IHRoZSBu +ZWNlc3NhcnkgcHJvY2Vzc2VzIHRvIG1ha2UgdGhhdCBoYXBwZW4gdG9kYXkuDQoN +ClRoYW5rcywgQWxpY2UNCi0tIA0KQWxpY2UgTG92ZWxhY2UNClByZXNpZGVudA0K +T3BlblBHUCBFeGFtcGxlIENvcnANCqCCA3IwggNuMIICVqADAgECAhRngrRZc1JL +wfRxRxlq8P0RiqpMCzANBgkqhkiG9w0BAQ0FADAtMSswKQYDVQQDEyJTYW1wbGUg +TEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIw +NTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPurfll0bYkDPMkY1kNn2xXsAqHSGVF ++gWNNk3mbhF6BABhLJqDjei5aLXFE3Rq9/RRNivCMrTipF1XsbMIAKgQqr/GI1Q6 +yN8lfNsK5uU3d9kw5cOyEooGpOGUrvlKMD0LPGDt6MaiJj+KJ2TR73Wd4rfRIIJo +FMmV9HZkOs+Tvcg8x6SzGhNq18X2HD10MD78eLXKm039obRD+z2JwWvGvrLbNBey +O5A+aMxmCPXRoP1xrNZWBFgKB+WGYDRXW5CXXChthTwMBXFWf4aBpurKMZAyjK2E +grQafn6h/DFddQz/NtT6Dr7UhJ2hfFFEW2rYbNsiqQAdllCb4FucWuECAwEAAaOB +lzCBlDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1w +bGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwegADAdBgNVHQ4E +FgQUrC5UWqT9VRivLuhmRDjRJdHXAHkwHwYDVR0jBBgwFoAUt1JNc8CIPbLDeloM +85T394Cid9swDQYJKoZIhvcNAQENBQADggEBAHvqjhjPvKtVIVyleoutwa10jir3 +dooJcQIILM1AunjJ6yHpuuppkc0m3BhwnlOptTKb2EnvSIkTiMY037IBlHWW217Q +cUpggEozgQm6Yb77aGptRovPi2XToEdpA8K//02I1jur1H1z8HqzVjMeHCqRaG3Z +r4C2AngGSkb6D4yZkxBX8CjtHAsUon06UxYsGYRcVykgk3Qek9qxPScSX8yai1K7 +7xGcKUCLfIV/JMpv7ysPtXG7Jd62oNnp1T/3+KoP9JlLs5AiPLC13fjeYALPcHVG +UXEwdIDp1AB/Zu0a6apHQqICncqRhEB4+hompiQHtlp3TqeAWXQbQUc437sxggHZ +MIIB1QIBATBFMC0xKzApBgNVBAMTIlNhbXBsZSBMQU1QUyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkCFGeCtFlzUkvB9HFHGWrw/RGKqkwLMAsGCWCGSAFlAwQCAaBpMBgG +CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE5MTEyNzAw +MTEyOVowLwYJKoZIhvcNAQkEMSIEILsI9kL3zfZiVOEDjAUWrbjHjGMLoGUwEqYH +pOA9XZ+QMA0GCSqGSIb3DQEBAQUABIIBAGDat8UYN9MShlKEw3hYVVUk6HKO6Xjp +rdgCBKpoyoWJy0VJis0xHxaT2gn/+TPu8a5l6RslgeALjMyflzyzAmrqnknQQG8K +bvbt/MwpU/TxnmxT+2oP9TVmAx/IQOq4pQ35uK7peSPck2CcTvZjHTeVBWcsLVEk +hELoSD8XFRBo34qdinBzW0/sMlyK1XnlN7khKry1g7uaXcurVqptRA1rWOvCOt72 +aElKG/Q7OoVgHxbUpdzV3Hqe9/UeTRDUqCs++on2pLlA0TA0Pq8RQ0hDHD/p0t41 +1RAT1/RbnGQiVfRilMan+VGT4shokb1RoANy/1rOO9ZKlyWToYdRl9E= -- 2.26.2
Recognize the protected subject for S/MIME example protected header messages. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/T356-protected-headers.sh | 38 +++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh index 925805df..b7a83715 100755 --- a/test/T356-protected-headers.sh +++ b/test/T356-protected-headers.sh @@ -1,14 +1,14 @@ #!/usr/bin/env bash -# TODO: -# * check S/MIME as well as PGP/MIME - test_description='Message decryption with protected headers' . $(dirname "$0")/test-lib.sh || exit 1 ################################################## +test_require_external_prereq gpgsm + add_gnupg_home +add_gpgsm_home add_email_corpus protected-headers @@ -155,6 +155,38 @@ test_begin_subtest "identify message that had a legacy display part skipped duri output=$(notmuch search --output=messages property:index.repaired=skip-protected-headers-legacy-display) test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail.org +for variant in multipart-signed onepart-signed; do + test_begin_subtest "verify signed PKCS#7 subject ($variant)" + test_subtest_known_broken + output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example") + test_json_nodes <<<"$output" \ + 'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \ + 'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \ + 'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \ + 'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' \ + 'not_encrypted:[0][0][0]["crypto"]!"decrypted"' +done + +for variant in sign+enc sign+enc+legacy-disp; do + test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant)" + test_subtest_known_broken + output=$(notmuch show --decrypt=true --format=json "id:smime-${variant}@protected-headers.example") + test_json_nodes <<<"$output" \ + 'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \ + 'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \ + 'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \ + 'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' \ + 'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}' +done + +test_begin_subtest "confirm encryption-protected PKCS#7 subject (enc+legacy-disp)" +test_subtest_known_broken +output=$(notmuch show --decrypt=true --format=json "id:smime-enc+legacy-disp@protected-headers.example") +test_json_nodes <<<"$output" \ + 'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}' \ + 'no_sig:[0][0][0]["crypto"]!"signed"' + + # TODO: test that a part that looks like a legacy-display in # multipart/signed, but not encrypted, is indexed and not stripped. -- 2.26.2
GPGME has a strange failure mode when it is in offline mode, and/or when certificates don't have any CRLs: in particular, it refuses to accept the validity of any certificate other than a "root" cert. This can be worked around by setting the `disable-crl-checks` configuration variable for gpgsm. I've reported this to the GPGME upstream at https://dev.gnupg.org/T4883, but I have no idea how it will be resolved. In the meantime, we'll just work around it. Note that this fixes the test for verification of id:smime-multipart-signed@protected-headers.example, because multipart/signed messages are already handled correctly (one-part PKCS#7 messages will get fixed later). Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/T356-protected-headers.sh | 2 +- test/test-lib.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh index b7a83715..520cb71c 100755 --- a/test/T356-protected-headers.sh +++ b/test/T356-protected-headers.sh @@ -157,7 +157,7 @@ test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail. for variant in multipart-signed onepart-signed; do test_begin_subtest "verify signed PKCS#7 subject ($variant)" - test_subtest_known_broken + [ "$variant" = multipart-signed ] || test_subtest_known_broken output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example") test_json_nodes <<<"$output" \ 'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \ diff --git a/test/test-lib.sh b/test/test-lib.sh index 6f47994e..2a7cbbb1 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -144,7 +144,7 @@ add_gpgsm_home () echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt" gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" - echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm + printf '%s::1\n' include-certs disable-crl-checks | gpgconf --output /dev/null --change-options gpgsm gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ --disable-dirmngr --import $NOTMUCH_SRCDIR/test/smime/bob.p12 >>"$GNUPGHOME"/import.log 2>&1 3<<<'' test_debug "cat $GNUPGHOME/import.log" -- 2.26.2
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> This CA is useful for test suites and the like, but is not an
> actually-secure CA, because its secret key material is also published.
>
> I plan to use it for its intended purpose in the notmuch test suite.
>
> It was copied from this Internet Draft:
>
> https://www.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi
This page is not found for me.
d
On Tue, Apr 28 2020, Daniel Kahn Gillmor wrote: > Without this fix, we couldn't run both add_gnupg_home and > add_gpgsm_home in the same test script. > > Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> > --- > test/test-lib.sh | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/test/test-lib.sh b/test/test-lib.sh > index ac1b9315..d9997b27 100644 > --- a/test/test-lib.sh > +++ b/test/test-lib.sh > @@ -110,10 +110,10 @@ unset ALTERNATE_EDITOR > add_gnupg_home () > { > local output > - [ -d ${GNUPGHOME} ] && return > + [ -e ${GNUPGHOME}/gpg.conf ] && return So far so good (except perhaps David's comment not "url" not found) But here this change could include "consistently quoted" variable (or/and have it done in that one commit earlier...) So LGTM 1-7, provided that tests pass... Tomi > _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } > at_exit_function _gnupg_exit > - mkdir -m 0700 "$GNUPGHOME" > + mkdir -p -m 0700 "$GNUPGHOME" > gpg --no-tty --import <$NOTMUCH_SRCDIR/test/gnupg-secret-key.asc >"$GNUPGHOME"/import.log 2>&1 > test_debug "cat $GNUPGHOME/import.log" > if (gpg --quick-random --version >/dev/null 2>&1) ; then > @@ -132,10 +132,10 @@ add_gnupg_home () > add_gpgsm_home () > { > local fpr > - [ -d "$GNUPGHOME" ] && return > + [ -e "$GNUPGHOME/gpgsm.conf" ] && return > _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } > at_exit_function _gnupg_exit > - mkdir -m 0700 "$GNUPGHOME" > + mkdir -p -m 0700 "$GNUPGHOME" > openssl pkcs12 -export -passout pass: -inkey "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \ > < "$NOTMUCH_SRCDIR/test/smime/test.crt" | \ > gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ > -- > 2.26.2 > > _______________________________________________ > notmuch mailing list > notmuch@notmuchmail.org > https://notmuchmail.org/mailman/listinfo/notmuch
On Tue, Apr 28 2020, Daniel Kahn Gillmor wrote: > This is taken from the same Internet Draft that test/smime/ca.crt > comes from. See that draft for more details. > https://www.ietf.org/id/draft-dkg-lamps-samples-02.html#name-pkcs12-object-for-bob > > We don't use it yet, but it will be used to decrypt other messages in > the test suite. > > Note that we include it here with an empty passphrase, rather than > with the passphrase "bob" that it is supplied with in the I-D. The > underlying cryptographic material is the same, but this way we can > import cleanly into gpgsm without having a passphrase set on it (gpgsm > converts an empty-string passphrase into no passphrase at all on > import). > > Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> > --- // stuff deleted // > diff --git a/test/test-lib.sh b/test/test-lib.sh > index d9997b27..dd7fdfaa 100644 > --- a/test/test-lib.sh > +++ b/test/test-lib.sh > @@ -145,6 +145,8 @@ add_gpgsm_home () > gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt > echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" > echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm > + gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ > + --disable-dirmngr --import $NOTMUCH_SRCDIR/test/smime/bob.p12 >>"$GNUPGHOME"/import.log 2>&1 3<<<'' Now that I started w/ consistenly quotes -- "$NOTMUCH_SRCDIR/..." Or maybe not, is this variable consistently unquoted -- or something ;) Tomi > test_debug "cat $GNUPGHOME/import.log" > } > > -- > 2.26.2
On Tue, Apr 28 2020, Daniel Kahn Gillmor wrote: > GPGME has a strange failure mode when it is in offline mode, and/or > when certificates don't have any CRLs: in particular, it refuses to > accept the validity of any certificate other than a "root" cert. > > This can be worked around by setting the `disable-crl-checks` > configuration variable for gpgsm. > > I've reported this to the GPGME upstream at > https://dev.gnupg.org/T4883, but I have no idea how it will be > resolved. In the meantime, we'll just work around it. > > Note that this fixes the test for verification of > id:smime-multipart-signed@protected-headers.example, because > multipart/signed messages are already handled correctly (one-part > PKCS#7 messages will get fixed later). > > Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Rest of the series look tolerable to me. That one missing "inconsistent quotes" is inconsistent with added quotes in one of the changes in previous email (which just did that) Otherwise OK (provided that tests pass) (except that https://www.ietf.org/id/draft-dkg-lamps-samples-01.html if not found (by me either, like David) Tomi
[-- Attachment #1.1: Type: text/plain, Size: 914 bytes --] On Tue 2020-04-28 22:43:10 -0300, David Bremner wrote: > Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes: > >> This CA is useful for test suites and the like, but is not an >> actually-secure CA, because its secret key material is also published. >> >> I plan to use it for its intended purpose in the notmuch test suite. >> >> It was copied from this Internet Draft: >> >> https://www.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi > > This page is not found for me. hm, it has been superceded by https://www.ietf.org/id/draft-dkg-lamps-samples-02.html#name-certificate-authority-certi (which has the same content for the relevant section). the IETF tools interface also has a non-expiring version of the drafts: https://tools.ietf.org/id/draft-dkg-lamps-samples-02.html#name-certificate-authority-certi feel free to amend the commit message if that would help. --dkg [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --]
[-- Attachment #1.1: Type: text/plain, Size: 939 bytes --] On Wed 2020-04-29 23:02:19 +0300, Tomi Ollila wrote: > On Tue, Apr 28 2020, Daniel Kahn Gillmor wrote: > >> Without this fix, we couldn't run both add_gnupg_home and >> add_gpgsm_home in the same test script. >> >> Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> >> --- >> test/test-lib.sh | 8 ++++---- >> 1 file changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/test/test-lib.sh b/test/test-lib.sh >> index ac1b9315..d9997b27 100644 >> --- a/test/test-lib.sh >> +++ b/test/test-lib.sh >> @@ -110,10 +110,10 @@ unset ALTERNATE_EDITOR >> add_gnupg_home () >> { >> local output >> - [ -d ${GNUPGHOME} ] && return >> + [ -e ${GNUPGHOME}/gpg.conf ] && return > > So far so good (except perhaps David's comment not "url" not found) > > But here this change could include "consistently quoted" variable > (or/and have it done in that one commit earlier...) agreed, quoting this would be good. --dkg [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --]
[-- Attachment #1.1: Type: text/plain, Size: 398 bytes --] On Wed 2020-04-29 23:05:03 +0300, Tomi Ollila wrote: > Now that I started w/ consistenly quotes -- "$NOTMUCH_SRCDIR/..." > > Or maybe not, is this variable consistently unquoted -- or something ;) there are lots of places where NOTMUCH_SRCDIR is unquoted, and some where it is. I guess i should probably not introduce any more unquoted instances, though. I'll try to fix that. --dkg [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --]
[-- Attachment #1.1: Type: text/plain, Size: 772 bytes --] On Wed 2020-04-29 23:12:33 +0300, Tomi Ollila wrote: > Rest of the series look tolerable to me. That one missing > "inconsistent quotes" is inconsistent with added quotes > in one of the changes in previous email (which just did that) > > Otherwise OK (provided that tests pass) > (except that https://www.ietf.org/id/draft-dkg-lamps-samples-01.html > if not found (by me either, like David) I've updated the series to address Tomi's quote inconsistency points, and to repoint the URL in the commit message to the tools.ietf.org address (which will continue to host expired drafts, unlike www.ietf.org). It's on the "smime-tests" branch on https://gitlab.com/dkg/notmuch.git I'll send the three updated patches to the list here as well. --dkg [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --]
This CA is useful for test suites and the like, but is not an actually-secure CA, because its secret key material is also published. I plan to use it for its intended purpose in the notmuch test suite. It was copied from this Internet Draft: https://tools.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/smime/README | 2 ++ test/smime/ca.crt | 20 ++++++++++++++++++++ test/test-lib.sh | 2 ++ 3 files changed, 24 insertions(+) create mode 100644 test/smime/ca.crt diff --git a/test/smime/README b/test/smime/README index 46211922..6f276398 100644 --- a/test/smime/README +++ b/test/smime/README @@ -5,3 +5,5 @@ key+cert.pem: cert + unencryped private % gpgsm --import test.crt % gpgsm --export-private-key-p12 -out foo.p12 (no passphrase) % openssl pkcs12 -in ns.p12 -clcerts -nodes > key+cert.pem + +ca.crt: from https://tools.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi diff --git a/test/smime/ca.crt b/test/smime/ca.crt new file mode 100644 index 00000000..b33d087f --- /dev/null +++ b/test/smime/ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDLTCCAhWgAwIBAgIULXcNXGI2bZp38sV7cF6VcQfnKDwwDQYJKoZIhvcNAQEN +BQAwLTErMCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0 +eTAgFw0xOTExMjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowLTErMCkGA1UEAxMi +U2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMUfZ8+NYSh6h36zQcXBo5B6ficAcBJ1f3aLxyN8 +QXB83XuP8aDRWQ9uJvJpQkWVH4zx96/E/zI0t0lDMYtZNqra16h+gxbHJgoq2pRw +RCOiyYu/p2vzvvZ1dtFTMc/mIigjA/73kokui62j1EFy//fNVIihkVS3rAweq+fI +8qJHSMhdc2aYa9wOP0eGe/HTiDYgT4L4f2HTGMGGwQgj1vub0gpR4YHmNqr0GyEA +63mHUQUZpnmN1FEl+nVFA5Ntu4uF++qf/tkTji89/eXYBdKX2yUdTeTIKoCI65IL +EXxezjTc8aFjf/8E0aWGVZR/DtCsjWOh/s/mV7n/YPyb4+ECAwEAAaNDMEEwDwYD +VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBS3Uk1zwIg9 +ssN6WgzzlPf3gKJ32zANBgkqhkiG9w0BAQ0FAAOCAQEALsU91Bmhc6EgCNr7inY2 +2gYPnosJ+kZ1eC0hvHIK9e0Tx74RmhTOe8M2C9YXQKehHpRaX+DLcjup6scoH/bT +u0THbmzeOy29TTiFcyV9BK+SEKQWW4s98Fwdk9fPWcflHtYvqxjooAV3vHbt6Xmp +KrKDz/jdg7t0ptI4zSqAf3wNppiJoswlOHBUnH2W1MIYkWQ4jYj5socblVlklHOr +ykKUiEZAbjU+C1+0FhT4HgLjBB9R4H1H0JRKsggWiZBBJ6UpN0dTN4iD0mDVa0jy +sJqqWnIViy/xaSDcNaWJmU3o2KmkMkdpinoJ5uLkAHQqXjFaujdU1PkufeA7v3uG +Rw== +-----END CERTIFICATE----- diff --git a/test/test-lib.sh b/test/test-lib.sh index d4fcea5a..1ffedb25 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -139,6 +139,8 @@ add_gpgsm_home () gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p') echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt + gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt + echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2
Without this fix, we couldn't run both add_gnupg_home and add_gpgsm_home in the same test script. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/test-lib.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/test-lib.sh b/test/test-lib.sh index ac1b9315..1baa2d20 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -110,10 +110,10 @@ unset ALTERNATE_EDITOR add_gnupg_home () { local output - [ -d ${GNUPGHOME} ] && return + [ -e "${GNUPGHOME}/gpg.conf" ] && return _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } at_exit_function _gnupg_exit - mkdir -m 0700 "$GNUPGHOME" + mkdir -p -m 0700 "$GNUPGHOME" gpg --no-tty --import <$NOTMUCH_SRCDIR/test/gnupg-secret-key.asc >"$GNUPGHOME"/import.log 2>&1 test_debug "cat $GNUPGHOME/import.log" if (gpg --quick-random --version >/dev/null 2>&1) ; then @@ -132,10 +132,10 @@ add_gnupg_home () add_gpgsm_home () { local fpr - [ -d "$GNUPGHOME" ] && return + [ -e "$GNUPGHOME/gpgsm.conf" ] && return _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; } at_exit_function _gnupg_exit - mkdir -m 0700 "$GNUPGHOME" + mkdir -p -m 0700 "$GNUPGHOME" openssl pkcs12 -export -passout pass: -inkey "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \ < "$NOTMUCH_SRCDIR/test/smime/test.crt" | \ gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ -- 2.26.2
This is taken from the same Internet Draft that test/smime/ca.crt comes from. See that draft for more details. https://www.ietf.org/id/draft-dkg-lamps-samples-02.html#name-pkcs12-object-for-bob We don't use it yet, but it will be used to decrypt other messages in the test suite. Note that we include it here with an empty passphrase, rather than with the passphrase "bob" that it is supplied with in the I-D. The underlying cryptographic material is the same, but this way we can import cleanly into gpgsm without having a passphrase set on it (gpgsm converts an empty-string passphrase into no passphrase at all on import). Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- test/smime/bob.p12 | 58 ++++++++++++++++++++++++++++++++++++++++++++++ test/test-lib.sh | 2 ++ 2 files changed, 60 insertions(+) create mode 100644 test/smime/bob.p12 diff --git a/test/smime/bob.p12 b/test/smime/bob.p12 new file mode 100644 index 00000000..774c77d0 --- /dev/null +++ b/test/smime/bob.p12 @@ -0,0 +1,58 @@ +-----BEGIN PKCS12----- +MIIKWAIBAzCCCh4GCSqGSIb3DQEHAaCCCg8EggoLMIIKBzCCBGcGCSqGSIb3DQEH +BqCCBFgwggRUAgEAMIIETQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQICE8J +3kMad9UCAggAgIIEIPvHjK0eRQrnowMUsz1z1x/IxslNvG6DjPZjNHCkNYYmiRsg +Leu5nqKf4emWVvYpnlh+4Gql7pyJm3G3zSNhobPkW+P1Eh80tTBoUk7TIvvvmtrE +YEc/nRR1p1MgjISq4Q/CM6ccCCw6YEiQcj/0mSS7gmHUegD5glcWbVuqAT8M/p1z +98OP3z37G8ARRLNj1yyp0SVlt59Sx3WNbmYBqkQ96iukjMJvmjV7o6BFYUx46Llb +tphhdRgKXbK2r1R0TUlvE659TUwlrpGlaFpaGj1kLdzVAnjh1ZWnWO2a2BSj0LzG +qRyiLwqDFPLJLQEckfV+RPWiRrSewME8URNKdk6eewtHdhrehMo4ZJnOIum8qcSz +giW61SSyZJsFvILpmMYghIxWmPd/8cNIHBrdFEa7z3QKh5jcJNTCxz6yO9f8F830 +d+WDK7DbGkUW4mVTGg/lEYnCFZDF6S1mr0hx+cew1FbKjLpxfQllIIrLf5d2BF8H +0STpuylQDVVBFdTRHyeS6td5nulANgOProrRzy3aAKQmZ6iullKl+i2t/2TwfVP/ +gG+yszpOEf8U9txuvbiZ7j4XV158zdaaGiduDqMKLOvbdctwHAsR9ecx5C3NTRDl +ZlttNoXN9zhT4CkWk1w4sFk2KUurjVraIcjWVT7yOreaaK+6N09M0tnLPDJDTrow +8WwP/rZhA+t+CMrhqkFBxXsyo5VTM0jWJGO/NLpYXPhDPBsRq8rs1OCrUoVr34aR +cpUTNhyXkvJUarWDHs88lg0ps0G9/1dXI1AbEsQQg8u+QT2ztGYrg2OQxQyi1Mo4 +u/FkAcEbtlYYLmJjj/S2qVRPJgBALVjw9k5hnYRdAXWVDCJ96PMn1SKORvlMxnZ7 +djlhaztOhTLsiDzywVDYWLvQElunWcAGeDZykWNytwcEagc0VjWKHMibc0JOZQ1T +crGyOzTlt09xHj1NrItYefIwdtKuJfkAh03B5xI6rJ9ZbK9xidcVxyeRX0lEqdo9 +WHQrhHefAmeyo0TlfsN67kFDp5FLpwEtNaN0lyzpkl30aWZdtP5vkvtfmy5ugYIO +bXoVa+tO6k5V/VfUFUKdaY7xAX7XRzUUg4jB0D0CuaX+YS+GL+5wuQwIY1y2ihBb +CuCxlcP1lVEU4CVQba60VTudJtWyE7QpPhf+y81f1wRjwIihFvwzpUFWf8JVEppe +v3Yot3OWGBmhEqLkC9LELth8o5gLfyYHaXTYNd9aRTiI+0ZC5U3O4wUwYLTG3exM +rIDTzEMk/p4DYIHkNKVUiRJfGYdAwuRxf3IMcYWARTXlSzl1C3hWmZfvTPlKs1bB +OHTHP/P+qdOFjxOh+fbyqXPJauBAhHvHgrp3iI6t834wJou26oWNihM7OnWuyQRt +9DVxG4l+1VjtbQZfTDCCBZgGCSqGSIb3DQEHAaCCBYkEggWFMIIFgTCCBX0GCyqG +SIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAjqo0x2p5SqLAICCAAE +ggTIe6Ws+lu0CoNlCXGM2BEPV09wuRHTJe+KnesrmRbXPF9linG3d6G++tTkBHz/ +yr77/DV5aDYciV1pGAbLuX2lMwuqdxzJ4OBPBAjuX5H+IPRaTbxfHYYIwhG8oZzy +aHyVhHr9j0h7lzW7xSTYJuBNEJ58L42dfzpNRw9dyRPmcuhZqW14Z3xyDm8yjHfB +2p99y9/A4qSyJJSUM3O3nLdtIar3ktSTRAijgqq+s9wnsfozQRzWpYaqiRrdzwfO +HqXk54l3/lMSyLpfPl9LW7er6JbGI4jEyQ3x8WijATM5h/lkZKejh/mOaWCvs6G6 +fGzV4P35EsToYbOk9GX4jl4SyDBt3iEHYm5teDUhJmTcR39lAQuAfxN6rOn/TkoO +YLxtdD5DLiTfYZPCFyavLEsamr8A4p93torF6Rs7GsaHE6PmCcprzqx71KV0DZKv +tMY86RoiWPKLFxZcYt1yz9/95c1SO1s4i1GvLpJTEgQxLM2OhfEwDNKd2rMJoq1I +YIRPSP204dIVwwNdXN1vB2slhN2+/QMOqsEkWtTOpW2QoTGSze49hfmJGdu+91jd +XZBBMJQfY4q066/eE4IOW7ZZId5uMYxDRnGdEQjJsxyW8YHWLRGQvBC8gMkdbj8e +0wkXbe+jML7vG7t3hDhLEbj5sTquIMTWrTirPw4SxLCuGZAyJHFN3/nCaOSMFlCG +wEZHrAozgQXPBYU7p+uIkJ4lDc2ZtW8NM8U15gKZLDFfAE6Vg0jAtfFMqvNnX630 +xfo1z4jBd7VXbBFrPzrmvlTnb1XxNFcPycowzW9tgtN4YnNroCq98VpMC914tdpJ ++C/PI0eJ7M2ir3ajN0RabSm02JO9Hdwoa5OgqLwPYDwiFyQvKFGKqAF8Ph6pSEiZ +10OnH+DVgEY70A+Le+ZSDosMdrhZfHbCcIFitZJ3sYV/7Q118QckW3szcjmLHS5g +M6Whl2HhjLsAfsmCnoRlIwjx4g0TiuZcb4hGysq8QjD3Z8qqFK28m6OMHbASQfWg +U+Qg3vmEvVsnBxStFEIImS3QYQoaT0pk6zKUYsI/fOBnEgxsY0XwTfXzVw7hZDct +yhNIQVWmfgVZwUw0wLoNu3A5hupjUwQzQr4TPnKkFPI8qHmRrJgP8EA0U0019y3W +MlK0h/LAJEaUBS0goLJCJ8+1EWr6femjnyuU5hMizOm+3j0JexjWz5TQttioS7Q/ +vcxt5pA9yAWQdH9j72saKEoKmDi+kIPr4mimKJz99LhKp9A6Hj0f1P2V3As8JWyW +ZKmJKW7qMMCFADlALolobqzA60j6Zeo5jiEj/j2lVlUPPz47WO+uKeb+rx+hgTUc +Xrhq0+an5tvEXt/8wy3PJFqP+qqHGhOIuPLuhqPyzNowuXirIXsiWnI44/X48W91 +HPEoL3xaebQ6oyTP8dI4CCkkHgiLWL5mskjHMEXvcdR6k0ygmu8DGQCPfUweUZqZ +wfkhD/jwbVpLR5Y3chpatW0cJ2bsAWdxwtuxF05+fVEePUsR0x+2/v/8eDEHKYwt +aYlAhI48nyrKKVMmqvqcXnzmJlUaq05GnEcglFbv4MUExL7CxClls6QnVNiZFPrV +ffVsYT2A300xrm4pan89n3nuavjJn7L1JJdmMXwwVQYJKoZIhvcNAQkUMUgeRgBH +AG4AdQBQAEcAIABlAHgAcABvAHIAdABlAGQAIABjAGUAcgB0AGkAZgBpAGMAYQB0 +AGUAIAA0ADIAYgBiADIANAAwADYwIwYJKoZIhvcNAQkVMRYEFGaI9k+ZdE9/rxBZ +4rSdH1BCuyQGMDEwITAJBgUrDgMCGgUABBRJfL4XyIHpXmjbziCGCbSAOK9jKgQI +drOMeIgXcCYCAggA +-----END PKCS12----- diff --git a/test/test-lib.sh b/test/test-lib.sh index 1baa2d20..cb5bb894 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -145,6 +145,8 @@ add_gpgsm_home () gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm + gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ + --disable-dirmngr --import "$NOTMUCH_SRCDIR/test/smime/bob.p12" >>"$GNUPGHOME"/import.log 2>&1 3<<<'' test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> This allows us to test S/MIME messages in other tests.
>
pushed the revised series. Actually I had to cherry-pick the last patch
from the gitlab branch for some reason (probably lack of rebasing after
earlier patches were changed).
d