Received: from guru.guru-group.fi (unknown [IPv6:2a02:2380:1:9:5054:ff:feb7:a4bc]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: too) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 3D6571B00368; Tue, 5 May 2020 11:32:29 +0300 (EEST)
From: Tomi Ollila
To: Daniel Kahn Gillmor, Notmuch Mail
Subject: Re: Handle PKCS#7 S/MIME messages
In-Reply-To: <87a72nv7cx.fsf@fifthhorseman.net>
References: <20200430201328.725651-1-dkg@fifthhorseman.net> <87a72nv7cx.fsf@fifthhorseman.net>
User-Agent: Notmuch/0.28.3+84~g41389bb (https://notmuchmail.org) Emacs/25.2.1 (x86_64-unknown-linux-gnu)
List-Id: "Use and development of the notmuch mail system."
Content-Type: text/plain; charset="us-ascii"
On Mon, May 04 2020, Daniel Kahn Gillmor wrote:

> Hi Tomi--
>
> On Sat 2020-05-02 00:15:57 +0300, Tomi Ollila wrote:
>> I did not see anything suspicious in code, but
>>
>> I got these test failures:
>>
>> in ubuntu 19.10 native environment, and
>>
>> in debian 10 (podman) container running in fedora 31 system
>>
>>
>> T355-smime: Testing S/MIME signature verification and decryption
>>  FAIL   Verify signature on PKCS#7 SignedData message
>>         crypto: value not equal: data[0][0][0]["crypto"]["signed"]["status"][0] =
>>         {'status': 'good',
>>          'fingerprint': '702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB',
>>          'created': 1574813489,
>>          'expires': 2611032858} !=
>>         {'created': 1574813489,
>>          'expires': 2611032858,
>>          'fingerprint': '702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB',
>>          'userid': 'CN=Alice Lovelace',
>>          'status': 'good'}
>>
>> T356-protected-headers: Testing Message decryption with protected headers
>>  FAIL   verify signed PKCS#7 subject (multipart-signed)
>>         sig_uid: object not found: data[0][0][0]["crypto"]["signed"]["status"][0]["userid"]
>>  FAIL   verify signed PKCS#7 subject (onepart-signed)
>>         sig_uid: object not found: data[0][0][0]["crypto"]["signed"]["status"][0]["userid"]
>>  FAIL   confirm signed and encrypted PKCS#7 subject (sign+enc)
>>         sig_uid: object not found: data[0][0][0]["crypto"]["signed"]["status"][0]["userid"]
>>  FAIL   confirm signed and encrypted PKCS#7 subject (sign+enc+legacy-disp)
>>         sig_uid: object not found: data[0][0][0]["crypto"]["signed"]["status"][0]["userid"]
>
> Thanks for identifying these.  These are problems related to a bug in
> the released version of GMime on those platforms.  Unfixed versions of
> gmime cannot report *any* certificate validity for X.509 certificates:
>
>     https://github.com/jstedfast/gmime/pull/90
>
> The fix for gmime is pretty simple, but it's not something we can
> address directly in notmuch.
>
> The fix was first released in GMime version 3.2.7, but it was first in
> debian in gmime 3.2.6-2, and should be relatively easy to backport for
> any distro that wants it (i suppose i could probably get it into the
> next point release for debian 10 as well, since it is a bugfix for an
> already-exposed API).
>
> So, how should we deal with this in notmuch?  It seems a bit silly to
> bump our required version of gmime to the (relatively new) version
> 3.2.7, for a fix for a cornercase of a novel use case.
>
> Maybe the test suite should change based on version of GMime?  That
> would cause problems for distros that backport the GMime fix, though.
>
> I guess i could write a reproducer for the gmime issue and we could
> include it in ./configure, and modify the test suite on that basis.

Reproducer in case gmime version is less than 3.2.7 -- with newer gmimes
that has to work so if that ever broke in newer gmimes we'd notice
(reproducer could hide that).

> Any other suggestions?
>
>      --dkg

Tomi
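An added example, not part of this thread and not notmuch's own configure script, of the version-gated reproducer Tomi describes above. It assumes pkg-config knows GMime as the module "gmime-3.0" (real module name) and that a reproducer exists as a command that exits 0 when GMime reports X.509 certificate validity; that reproducer is hypothetical and is passed in as an argument, so "true" and "false" stand in for it here. Versions at or above 3.2.7 skip the reproducer and are assumed fixed, so a later regression in GMime would surface as a test-suite failure rather than being masked; older versions run the reproducer, which is what lets a distro backport such as Debian's 3.2.6-2 pass.

```shell
#!/bin/sh
# Added example (not notmuch's configure): decide how the S/MIME tests should
# treat the installed GMime's X.509 validity reporting.
# Assumptions: pkg-config module "gmime-3.0"; a hypothetical reproducer command
# that exits 0 when certificate validity (and so the signer's userid) is reported.

# version_lt A B: succeed (return 0) when dotted version A is lower than B.
# Missing components count as 0, so 3.2 < 3.2.7 and 3.2.7 is not < 3.2.7.
# Only numeric dotted versions are handled (pkg-config --modversion gives
# 3.2.6 for Debian's 3.2.6-2; the distro revision is not part of the string).
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}
        bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=''; else b=${b#*.}; fi
        ax=${ax:-0}
        bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 1
}

# gmime_x509_policy VERSION REPRODUCER_CMD: print what the test suite should do.
#   assume-fixed    GMime >= 3.2.7 carries the upstream fix; the reproducer is
#                   skipped so a later regression shows up as a test failure
#   verified-fixed  older GMime, but the reproducer passes (backported fix)
#   broken          older GMime and the reproducer fails: relax the userid checks
gmime_x509_policy() {
    ver=$1
    reproducer=$2
    if version_lt "$ver" 3.2.7; then
        if "$reproducer" >/dev/null 2>&1; then
            echo verified-fixed
        else
            echo broken
        fi
    else
        echo assume-fixed
    fi
}

# Installed GMime version via pkg-config; empty string when unavailable.
detect_gmime_version() {
    pkg-config --modversion gmime-3.0 2>/dev/null || echo ''
}

# Stand-alone run: "true" stands in for the hypothetical reproducer.
main() {
    ver=$(detect_gmime_version)
    if [ -z "$ver" ]; then
        echo "gmime-3.0 not found via pkg-config; nothing to decide"
        return 0
    fi
    echo "GMime $ver: $(gmime_x509_policy "$ver" true)"
}
main
```

In a real configure step the reproducer would be a small GMime program that verifies a known-good PKCS#7 SignedData message and exits non-zero when no validity or userid comes back, and the printed policy would become a variable the test suite reads to decide whether to check the "userid" field.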