unofficial mirror of notmuch@notmuchmail.org
* SMIME signature verification patches, v4
@ 2016-01-24 16:21 David Bremner
  2016-01-24 16:21 ` [Patch v4 1/5] test: initial tests for S/MIME and notmuch-emacs David Bremner
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: David Bremner @ 2016-01-24 16:21 UTC (permalink / raw)
  To: notmuch

This is a simple rebase of

     id:1450100337-31655-1-git-send-email-david@tethera.net

The first 3 patches of that series are now in master.


* [Patch v4 1/5] test: initial tests for S/MIME and notmuch-emacs
  2016-01-24 16:21 SMIME signature verification patches, v4 David Bremner
@ 2016-01-24 16:21 ` David Bremner
  2016-01-24 16:21 ` [Patch v4 2/5] test: add broken S/MIME signature verification test for notmuch CLI David Bremner
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: David Bremner @ 2016-01-24 16:21 UTC (permalink / raw)
  To: notmuch

Test the ability of notmuch-mua-mail to send S/MIME signed (and
encrypted) messages; this really relies on existing functionality in
message-mode.

The generated keys and messages will later be useful for testing the
notmuch CLI.
---
 test/T355-smime.sh      | 42 +++++++++++++++++++++++++++++++++++++
 test/smime/README       |  7 +++++++
 test/smime/key+cert.pem | 56 +++++++++++++++++++++++++++++++++++++++++++++++++
 test/smime/test.crt     | 19 +++++++++++++++++
 test/test-lib.el        | 10 +++++++++
 test/test-lib.sh        |  1 +
 6 files changed, 135 insertions(+)
 create mode 100755 test/T355-smime.sh
 create mode 100644 test/smime/README
 create mode 100644 test/smime/key+cert.pem
 create mode 100644 test/smime/test.crt

diff --git a/test/T355-smime.sh b/test/T355-smime.sh
new file mode 100755
index 0000000..a1b7c09
--- /dev/null
+++ b/test/T355-smime.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+test_description='S/MIME signature verification and decryption'
+. ./test-lib.sh || exit 1
+
+test_require_external_prereq openssl
+test_require_external_prereq gpgsm
+
+cp $TEST_DIRECTORY/smime/key+cert.pem test_suite.pem
+
+FINGERPRINT=$(openssl x509 -fingerprint -in test_suite.pem -noout | sed -e 's/^.*=//' -e s/://g)
+
+test_expect_success 'emacs delivery of S/MIME signed message' \
+     'emacs_fcc_message \
+     "test signed message 001" \
+     "This is a test signed message." \
+     "(mml-secure-message-sign \"smime\")"'
+
+# Hard code the MML to avoid several interactive questions
+test_expect_success 'emacs delivery of S/MIME encrypted + signed message' \
+'emacs_fcc_message \
+    "test encrypted message 001" \
+    "<#secure method=smime mode=signencrypt keyfile=\\\"test_suite.pem\\\" certfile=\\\"test_suite.pem\\\">\nThis is a test encrypted message.\n"'
+
+test_begin_subtest "Signature verification (openssl)"
+notmuch show --format=raw subject:"test signed message 001" |\
+    openssl smime -verify -CAfile $TEST_DIRECTORY/smime/test.crt 2>OUTPUT
+cat <<EOF > EXPECTED
+Verification successful
+EOF
+test_expect_equal_file EXPECTED OUTPUT
+
+test_begin_subtest "Decryption and signature verification (openssl)"
+notmuch show --format=raw subject:"test encrypted message 001" |\
+    openssl smime -decrypt -recip test_suite.pem |\
+    openssl smime -verify -CAfile $TEST_DIRECTORY/smime/test.crt 2>OUTPUT
+cat <<EOF > EXPECTED
+Verification successful
+EOF
+test_expect_equal_file EXPECTED OUTPUT
+
+test_done
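
Review bot: $TEST_DIRECTORY is expanded unquoted in the cp line and in both "-CAfile $TEST_DIRECTORY/smime/test.crt" arguments, so the script breaks when the source tree path contains whitespace; quote it as "$TEST_DIRECTORY/smime/test.crt". Separately, the decryption subtest pipes "openssl smime -decrypt" into "openssl smime -verify" and keeps only the stderr of the last command, so a decryption failure shows up only as a verify mismatch. Capturing the decrypt step's stderr or exit status would make that failure diagnosable.
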
diff --git a/test/smime/README b/test/smime/README
new file mode 100644
index 0000000..92803c7
--- /dev/null
+++ b/test/smime/README
@@ -0,0 +1,7 @@
+test.crt: self signed certificated
+    % gpgsm --gen-key # needs gpgsm 2.1
+
+key+cert.pem: cert + unencryped private
+    % gpsm --import test.crt
+    % gpgsm --export-private-key-p12 -out foo.p12  (no passphrase)
+    % openssl pkcs12 -in ns.p12 -clcerts -nodes > key+cert.pem
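
Review bot: The key+cert.pem recipe does not work as written: the import command is spelled "gpsm", and the export step writes foo.p12 while the "openssl pkcs12" step reads ns.p12. Use one file name in both commands, check "-out" against gpgsm's --output option, and fix "certificated" and "unencryped" while there. Since the result is a private key with no passphrase, the README should also state that this key is for the test suite only.
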
diff --git a/test/smime/key+cert.pem b/test/smime/key+cert.pem
new file mode 100644
index 0000000..6ee30cf
--- /dev/null
+++ b/test/smime/key+cert.pem
@@ -0,0 +1,56 @@
+Bag Attributes
+    friendlyName: GnuPG exported certificate e0972a47
+    localKeyID: 61 6F 46 CD 73 83 4C 63 84 77 56 AF 0D FB 64 A6 E0 97 2A 47 
+subject=/CN=Notmuch Test Suite
+issuer=/CN=Notmuch Test Suite
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: GnuPG exported certificate e0972a47
+    localKeyID: 61 6F 46 CD 73 83 4C 63 84 77 56 AF 0D FB 64 A6 E0 97 2A 47 
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/test/smime/test.crt b/test/smime/test.crt
new file mode 100644
index 0000000..e5d1e82
--- /dev/null
+++ b/test/smime/test.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
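
Review bot: Nothing next to this certificate records its validity period. The CLI test added in 2/5 expects "status": "good" alongside an "expires" field, so that test is likely to stop passing once the certificate expires. Record the expiry date in test/smime/README, next to the regeneration steps, so the cause is obvious when it happens.
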
diff --git a/test/test-lib.el b/test/test-lib.el
index 04c8d63..596a705 100644
--- a/test/test-lib.el
+++ b/test/test-lib.el
@@ -188,3 +188,13 @@ nothing."
 ;; environments
 
 (setq mm-text-html-renderer 'html2text)
+
+;; Set some variables for S/MIME tests.
+
+(setq smime-keys '(("" "test_suite.pem" nil)))
+
+(setq mml-smime-use 'openssl)
+
+;; all test keys are without passphrase
+(eval-after-load 'smime
+  '(defun smime-ask-passphrase (cache)  nil))
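
Review bot: smime-keys points at the relative file name "test_suite.pem", which resolves only if Emacs runs in the directory where T355-smime.sh copied the key. A comment stating that dependency would help, since the surrounding settings in test-lib.el are not specific to S/MIME. The smime-ask-passphrase override also leaves its cache argument unused; a short note that it replaces the interactive prompt for the whole test session would make the intent clear.
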
diff --git a/test/test-lib.sh b/test/test-lib.sh
index 270c718..41710e7 100644
--- a/test/test-lib.sh
+++ b/test/test-lib.sh
@@ -1328,4 +1328,5 @@ test_declare_external_prereq emacs
 test_declare_external_prereq ${TEST_EMACSCLIENT}
 test_declare_external_prereq gdb
 test_declare_external_prereq gpg
+test_declare_external_prereq openssl
 test_declare_external_prereq ${NOTMUCH_PYTHON}
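
Review bot: Only openssl is declared here, but T355-smime.sh in this same patch calls "test_require_external_prereq gpgsm". The matching "test_declare_external_prereq gpgsm" arrives in 2/5. Either declare gpgsm here or move the gpgsm requirement to 2/5, where gpgsm is first invoked, so that each patch is consistent on its own.
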
-- 
2.6.4


* [Patch v4 2/5] test: add broken S/MIME signature verification test for notmuch CLI
  2016-01-24 16:21 SMIME signature verification patches, v4 David Bremner
  2016-01-24 16:21 ` [Patch v4 1/5] test: initial tests for S/MIME and notmuch-emacs David Bremner
@ 2016-01-24 16:21 ` David Bremner
  2016-01-24 16:21 ` [Patch v4 3/5] cli: crypto: S/MIME verification support David Bremner
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: David Bremner @ 2016-01-24 16:21 UTC (permalink / raw)
  To: notmuch

The test is pretty much cut and paste from the PGP/MIME version, with
obvious updates taken from notmuch output.  This also requires setting
up gpgsm infrastructure.
---
 test/T355-smime.sh | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 test/test-lib.sh   |  1 +
 2 files changed, 50 insertions(+)

diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index a1b7c09..a059fac 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -3,6 +3,17 @@
 test_description='S/MIME signature verification and decryption'
 . ./test-lib.sh || exit 1
 
+add_gpgsm_home ()
+{
+    local fpr
+    [ -d ${GNUPGHOME} ] && return
+    mkdir -m 0700 "$GNUPGHOME"
+    gpgsm --no-tty --no-common-certs-import --disable-dirmngr --import < $TEST_DIRECTORY/smime/test.crt >"$GNUPGHOME"/import.log 2>&1
+    fpr=$(gpgsm  --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p')
+    echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt
+    test_debug "cat $GNUPGHOME/import.log"
+}
+
 test_require_external_prereq openssl
 test_require_external_prereq gpgsm
 
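
Review bot: add_gpgsm_home never checks that the import worked. If "gpgsm --import" fails, or the sed expression finds no "fingerprint: " line, fpr is empty and " S relax" is still appended to trustlist.txt, so the problem surfaces later as an unexplained signature mismatch. Return an error when $fpr is empty. Quoting is also inconsistent: "[ -d ${GNUPGHOME} ]" and ">> $GNUPGHOME/trustlist.txt" are unquoted while the mkdir line quotes "$GNUPGHOME".
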
@@ -10,6 +21,8 @@ cp $TEST_DIRECTORY/smime/key+cert.pem test_suite.pem
 
 FINGERPRINT=$(openssl x509 -fingerprint -in test_suite.pem -noout | sed -e 's/^.*=//' -e s/://g)
 
+add_gpgsm_home
+
 test_expect_success 'emacs delivery of S/MIME signed message' \
      'emacs_fcc_message \
      "test signed message 001" \
@@ -30,6 +43,42 @@ Verification successful
 EOF
 test_expect_equal_file EXPECTED OUTPUT
 
+test_begin_subtest "signature verification (notmuch CLI)"
+test_subtest_known_broken
+output=$(notmuch show --format=json --verify subject:"test signed message 001" \
+    | notmuch_json_show_sanitize \
+    | sed -e 's|"created": [-1234567890]*|"created": 946728000|' \
+	  -e 's|"expires": [-1234567890]*|"expires": 424242424|' )
+expected='[[[{"id": "XXXXX",
+ "match": true,
+ "excluded": false,
+ "filename": "YYYYY",
+ "timestamp": 946728000,
+ "date_relative": "2000-01-01",
+ "tags": ["inbox","signed"],
+ "headers": {"Subject": "test signed message 001",
+ "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
+ "To": "test_suite@notmuchmail.org",
+ "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
+ "body": [{"id": 1,
+ "sigstatus": [{"status": "good",
+ "fingerprint": "'$FINGERPRINT'",
+ "expires": 424242424,
+ "created": 946728000}],
+ "content-type": "multipart/signed",
+ "content": [{"id": 2,
+ "content-type": "text/plain",
+ "content": "This is a test signed message.\n"},
+ {"id": 3,
+  "content-length": 1922,
+  "content-transfer-encoding": "base64",
+  "content-type": "application/x-pkcs7-signature",
+  "filename": "smime.p7s"}]}]},
+ []]]]'
+test_expect_equal_json \
+    "$output" \
+    "$expected"
+
 test_begin_subtest "Decryption and signature verification (openssl)"
 notmuch show --format=raw subject:"test encrypted message 001" |\
     openssl smime -decrypt -recip test_suite.pem |\
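
Review bot: Only the good-signature path is covered by the new subtest. For a verification feature the case that matters most is a message altered after signing, so add a subtest that modifies the signed body and expects a status other than "good". Also, the expected JSON hard-codes "content-length": 1922 for smime.p7s although the signature is produced at test time by Emacs and openssl; sanitize that field with sed the way "created" and "expires" already are, or the test will depend on the installed tool versions.
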
diff --git a/test/test-lib.sh b/test/test-lib.sh
index 41710e7..6b7854a 100644
--- a/test/test-lib.sh
+++ b/test/test-lib.sh
@@ -1329,4 +1329,5 @@ test_declare_external_prereq ${TEST_EMACSCLIENT}
 test_declare_external_prereq gdb
 test_declare_external_prereq gpg
 test_declare_external_prereq openssl
+test_declare_external_prereq gpgsm
 test_declare_external_prereq ${NOTMUCH_PYTHON}
-- 
2.6.4


* [Patch v4 3/5] cli: crypto: S/MIME verification support
  2016-01-24 16:21 SMIME signature verification patches, v4 David Bremner
  2016-01-24 16:21 ` [Patch v4 1/5] test: initial tests for S/MIME and notmuch-emacs David Bremner
  2016-01-24 16:21 ` [Patch v4 2/5] test: add broken S/MIME signature verification test for notmuch CLI David Bremner
@ 2016-01-24 16:21 ` David Bremner
  2016-01-24 16:21 ` [Patch v4 4/5] debian: Recommend gpgsm for S/MIME support David Bremner
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: David Bremner @ 2016-01-24 16:21 UTC (permalink / raw)
  To: notmuch

From: Jani Nikula <jani@nikula.org>

notmuch-show --verify will now also process S/MIME multiparts if
encountered. Requires gmime-2.6 and gpgsm.

Based on work by Jameson Graef Rollins <jrollins@finestructure.net>.
---
 crypto.c           | 35 +++++++++++++++++++++++++++++++++++
 notmuch-client.h   |  7 +++++--
 test/T355-smime.sh |  1 -
 3 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/crypto.c b/crypto.c
index feae949..3dabc97 100644
--- a/crypto.c
+++ b/crypto.c
@@ -43,6 +43,28 @@ create_gpg_context (notmuch_crypto_t *crypto)
     return gpgctx;
 }
 
+/* Create a PKCS7 context (GMime 2.6) */
+static notmuch_crypto_context_t *
+create_pkcs7_context (notmuch_crypto_t *crypto)
+{
+    notmuch_crypto_context_t *pkcs7ctx;
+
+    if (crypto->pkcs7ctx)
+	return crypto->pkcs7ctx;
+
+    /* TODO: GMimePasswordRequestFunc */
+    pkcs7ctx = g_mime_pkcs7_context_new (NULL);
+    if (! pkcs7ctx) {
+	fprintf (stderr, "Failed to construct pkcs7 context.\n");
+	return NULL;
+    }
+    crypto->pkcs7ctx = pkcs7ctx;
+
+    g_mime_pkcs7_context_set_always_trust ((GMimePkcs7Context *) pkcs7ctx,
+					   FALSE);
+
+    return pkcs7ctx;
+}
 static const struct {
     const char *protocol;
     notmuch_crypto_context_t *(*get_context) (notmuch_crypto_t *crypto);
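
Review bot: A blank line is missing between the closing brace of create_pkcs7_context and the "static const struct" table that follows it; the function above is separated from its neighbour by one. The TODO about GMimePasswordRequestFunc should also say that passing NULL is acceptable because this context is used for verification only, so that a later decryption patch knows to revisit it.
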
@@ -55,6 +77,14 @@ static const struct {
 	.protocol = "application/pgp-encrypted",
 	.get_context = create_gpg_context,
     },
+    {
+	.protocol = "application/pkcs7-signature",
+	.get_context = create_pkcs7_context,
+    },
+    {
+	.protocol = "application/x-pkcs7-signature",
+	.get_context = create_pkcs7_context,
+    },
 };
 
 /* for the specified protocol return the context pointer (initializing
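
Review bot: The table gains only the two detached-signature protocols, with no comment on what is left out. Add a line above these entries saying that S/MIME encrypted parts are not handled yet, so that a reader of the table does not assume crypto->decrypt covers S/MIME as it does for "application/pgp-encrypted".
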
@@ -95,5 +125,10 @@ notmuch_crypto_cleanup (notmuch_crypto_t *crypto)
 	crypto->gpgctx = NULL;
     }
 
+    if (crypto->pkcs7ctx) {
+	g_object_unref (crypto->pkcs7ctx);
+	crypto->pkcs7ctx = NULL;
+    }
+
     return 0;
 }
diff --git a/notmuch-client.h b/notmuch-client.h
index 3bd2903..18e6c60 100644
--- a/notmuch-client.h
+++ b/notmuch-client.h
@@ -31,6 +31,8 @@
 #include <gmime/gmime.h>
 
 typedef GMimeCryptoContext notmuch_crypto_context_t;
+/* This is automatically included only since gmime 2.6.10 */
+#include <gmime/gmime-pkcs7-context.h>
 
 #include "notmuch.h"
 
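
Review bot: The new "#include <gmime/gmime-pkcs7-context.h>" sits after the notmuch_crypto_context_t typedef, separated from "#include <gmime/gmime.h>". Move it directly below that include so the gmime headers stay together, and reword the comment to say that the explicit include is needed for gmime older than 2.6.10.
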
@@ -70,6 +72,7 @@ typedef struct notmuch_show_format {
 
 typedef struct notmuch_crypto {
     notmuch_crypto_context_t* gpgctx;
+    notmuch_crypto_context_t* pkcs7ctx;
     notmuch_bool_t verify;
     notmuch_bool_t decrypt;
     const char *gpgpath;
@@ -407,8 +410,8 @@ struct mime_node {
 /* Construct a new MIME node pointing to the root message part of
  * message. If crypto->verify is true, signed child parts will be
  * verified. If crypto->decrypt is true, encrypted child parts will be
- * decrypted.  If crypto->gpgctx is NULL, it will be lazily
- * initialized.
+ * decrypted.  If the crypto contexts (crypto->gpgctx or
+ * crypto->pkcs7) are NULL, they will be lazily initialized.
  *
  * Return value:
  *
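
Review bot: The updated comment refers to crypto->pkcs7, but the field added to struct notmuch_crypto in this patch is pkcs7ctx. Write crypto->pkcs7ctx so the comment matches the struct.
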
diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index a059fac..d942412 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -44,7 +44,6 @@ EOF
 test_expect_equal_file EXPECTED OUTPUT
 
 test_begin_subtest "signature verification (notmuch CLI)"
-test_subtest_known_broken
 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
     | notmuch_json_show_sanitize \
     | sed -e 's|"created": [-1234567890]*|"created": 946728000|' \
-- 
2.6.4


* [Patch v4 4/5] debian: Recommend gpgsm for S/MIME support
  2016-01-24 16:21 SMIME signature verification patches, v4 David Bremner
                   ` (2 preceding siblings ...)
  2016-01-24 16:21 ` [Patch v4 3/5] cli: crypto: S/MIME verification support David Bremner
@ 2016-01-24 16:21 ` David Bremner
  2016-01-24 16:21 ` [Patch v4 5/5] debian: add gpgsm as build dependency David Bremner
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: David Bremner @ 2016-01-24 16:21 UTC (permalink / raw)
  To: notmuch

From: Jameson Graef Rollins <jrollins@finestructure.net>

---
 debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 7e6a548..3e71ee4 100644
--- a/debian/control
+++ b/debian/control
@@ -31,7 +31,7 @@ Vcs-Browser: http://git.notmuchmail.org/git/notmuch
 Package: notmuch
 Architecture: any
 Depends: libnotmuch4 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
-Recommends: notmuch-emacs | notmuch-vim | notmuch-mutt | alot,  gnupg-agent
+Recommends: notmuch-emacs | notmuch-vim | notmuch-mutt | alot,  gnupg-agent, gpgsm
 Description: thread-based email index, search and tagging
  Notmuch is a system for indexing, searching, reading, and tagging
  large collections of email messages in maildir or mh format. It uses
-- 
2.6.4


* [Patch v4 5/5] debian: add gpgsm as build dependency
  2016-01-24 16:21 SMIME signature verification patches, v4 David Bremner
                   ` (3 preceding siblings ...)
  2016-01-24 16:21 ` [Patch v4 4/5] debian: Recommend gpgsm for S/MIME support David Bremner
@ 2016-01-24 16:21 ` David Bremner
  2016-01-28  6:56 ` SMIME signature verification patches, v4 Daniel Kahn Gillmor
  2016-01-30  0:29 ` David Bremner
  6 siblings, 0 replies; 8+ messages in thread
From: David Bremner @ 2016-01-24 16:21 UTC (permalink / raw)
  To: notmuch

It's not needed for the actual build, but it is needed to run the
SMIME tests; <!nocheck> means it can be omitted if the tests are not
going to be run.
---
 debian/control | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/control b/debian/control
index 3e71ee4..d08951c 100644
--- a/debian/control
+++ b/debian/control
@@ -22,6 +22,7 @@ Build-Depends:
  emacs23-nox | emacs23 (>=23~) | emacs23-lucid (>=23~),
  gdb [!s390x !ia64 !armel !ppc64el !mips !mipsel !mips64el],
  dtach (>= 0.8),
+ gpgsm <!nocheck>,
  bash-completion (>=1.9.0~)
 Standards-Version: 3.9.6
 Homepage: http://notmuchmail.org/
-- 
2.6.4


* Re: SMIME signature verification patches, v4
  2016-01-24 16:21 SMIME signature verification patches, v4 David Bremner
                   ` (4 preceding siblings ...)
  2016-01-24 16:21 ` [Patch v4 5/5] debian: add gpgsm as build dependency David Bremner
@ 2016-01-28  6:56 ` Daniel Kahn Gillmor
  2016-01-30  0:29 ` David Bremner
  6 siblings, 0 replies; 8+ messages in thread
From: Daniel Kahn Gillmor @ 2016-01-28  6:56 UTC (permalink / raw)
  To: David Bremner, notmuch

[-- Attachment #1: Type: text/plain, Size: 2054 bytes --]

On Sun 2016-01-24 11:21:14 -0500, David Bremner wrote:
> This is a simple rebase of
>
>      id:1450100337-31655-1-git-send-email-david@tethera.net
>
> The first 3 patches of that series are now in master.

FWIW, i'm now running with this patch series, and i can verify S/MIME
signatures with it.

When verifying a correct signature, though, the only thing i seem to get
in notmuch-emacs (or in the notmuch show --verify output) is the view of
some kind of fingerprint of the key, with no human-readable name or
e-mail address associated with it.

for example:

                  "sigstatus" : [
                     {
                        "created" : 1453962340,
                        "status" : "good",
                        "fingerprint" : "3E65C58C306C1C42CA5056903B4E6C3C7DF15AD8",
                        "expires" : 1485215999
                     }
                  ],

whereas the OpenPGP PGP/MIME cleartext signature shows:

                 "sigstatus" : [
                     {
                        "status" : "good",
                        "userid" : " Daniel Kahn Gillmor <dkg@fifthhorseman.net>",
                        "fingerprint" : "EDB2E74F56FCF2B67297B73524ECFF5AFF68370A",
                        "created" : 1453925746
                     }

This lack of userid may be a function of my own S/MIME setup (i'm not sure
whether i've got the keys and certs set up exactly right), or of a
failure in gmime's pkcs7 signature handling code.  But this is an
improvement over the unpatched notmuch anyway.

Note that none of this deals with S/MIME-enveloped (encrypted) e-mails
yet either.

My e-mail certificates and things are now set up within emacs (i'm using
EPG instead of openssl) -- i should be able to sign this mail,
and anyone else running this series should be able to verify it.

I've rebased my own crypto series (indexing cleartext) on top of this
series, and it also works fine (though there were a few commits that
were tricky to rebase).  I'd like it if this S/MIME patch series would
get upstreamed!

    --dkg

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 3244 bytes --]


* Re: SMIME signature verification patches, v4
  2016-01-24 16:21 SMIME signature verification patches, v4 David Bremner
                   ` (5 preceding siblings ...)
  2016-01-28  6:56 ` SMIME signature verification patches, v4 Daniel Kahn Gillmor
@ 2016-01-30  0:29 ` David Bremner
  6 siblings, 0 replies; 8+ messages in thread
From: David Bremner @ 2016-01-30  0:29 UTC (permalink / raw)
  To: notmuch

David Bremner <david@tethera.net> writes:

> This is a simple rebase of
>
>      id:1450100337-31655-1-git-send-email-david@tethera.net
>
> The first 3 patches of that series are now in master.
>

I have pushed this series to master

d

