From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id YI0qBqJ1tF5HIgAA0tVLHw (envelope-from ) for ; Thu, 07 May 2020 20:54:58 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id wO1GGq51tF7OFgAAB5/wlQ (envelope-from ) for ; Thu, 07 May 2020 20:55:10 +0000 Received: from arlo.cworth.org (arlo.cworth.org [50.126.95.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id A4E39940C62 for ; Thu, 7 May 2020 20:55:06 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 3CBE26DE13AD; Thu, 7 May 2020 13:55:01 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T-F8c4fmv4zE; Thu, 7 May 2020 13:55:00 -0700 (PDT) Received: from arlo.cworth.org (localhost [IPv6:::1]) by arlo.cworth.org (Postfix) with ESMTP id 70DBB6DE0C7A; Thu, 7 May 2020 13:54:59 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 671E96DE0C7A for ; Thu, 7 May 2020 13:54:58 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7nriswqUZrh7 for ; Thu, 7 May 2020 13:54:56 -0700 (PDT) Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [212.16.98.55]) by arlo.cworth.org (Postfix) with ESMTPS id 248036DE0A42 for ; Thu, 7 May 2020 13:54:54 -0700 (PDT) Received: from guru.guru-group.fi (unknown [IPv6:2a02:2380:1:9:5054:ff:feb7:a4bc]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: too) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 9B8581B00663; Thu, 7 May 2020 23:54:48 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1588884888; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=eq6FNALGlsmCLQu8p2nnq/ymgSUHKdD1N0EX+U28IFc=; b=FHps//A8lKbgjnW6AvcEzvM4lBxoNf0+LpuCQfu87SAz4/mI1v8AP5/kFhna/n642mFFaI xrURDVEW1jaUFi5syAqVyoiyQn9CAVIs67Oj77gmP4/F3y4Mxc2Brd2BoNlF0/n5gRiqy4 3MaCYjfuNRmctHjRPNWPr+Xoeuq4AGIchtm6jNrxnk2xrMF9u5DjPy0iYaw4V63pERn+Vg vI9caVwIlWYevzV52f4KMsQXGox7nE0swuwQHImZ/V3lMzrOeJ8uOEqbQw+HT90/U46W52 BUzcX8izl5KwpN10CLrsw76I46+ch6dKqJfYwg5ftsu6Wg7Vxx+U8y9O4XSAww== From: Tomi Ollila To: Daniel Kahn Gillmor , Notmuch Mail Subject: Re: [PATCH 2/2] smime: tests of X.509 certificate validity are known-broken on GMime < 3.2.7 In-Reply-To: <20200506235438.100518-2-dkg@fifthhorseman.net> References: <20200506235438.100518-1-dkg@fifthhorseman.net> <20200506235438.100518-2-dkg@fifthhorseman.net> User-Agent: Notmuch/0.28.3+84~g41389bb (https://notmuchmail.org) Emacs/25.2.1 (x86_64-unknown-linux-gnu) X-Face: HhBM'cA~ MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1588884888; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=eq6FNALGlsmCLQu8p2nnq/ymgSUHKdD1N0EX+U28IFc=; b=X0UFXdnqtXYY1i+gcBAgbr0OAEjRKiEoweD8UyKSHqd/kvDA73q7fZwzsuJj1ADi/tryll r0i+qC/qT/PyyKAS7HImzZRT9zMsIQ+194vkk59X1pPVdDGfbZzq5c/8DdBAwj2s2SGuNX D3CtQrVQErNJwiRAZzzqjWAXL1Oexquo0dyUo3XgD0Y2h4p+5HfwR8n6yJTjI1eVrSizT9 MiP3Jnh69SRdUsuXRDYuRkAyVewhPdmNjIQzrfq+klbivoCC3T36k06FhzlPfolGSogA/q d4QaMFHtRyqH0zSKMYVEqyiBqMm5+nkajLfsSFO/IhIsbLnJ8v+SPywZdYlibw== ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1588884888; a=rsa-sha256; cv=none; b=slmUgyYtG6wkeP5r6l1zavhLRhACYJdLS9vD67BPyvK/Le14nJK4+1U+xEVXCKgc7z/jTn Mptj9TsvOhcqGEwSpZMRqiMHxnMy4ogMSa7w0655BJZliyywq4emksk7hpL4Toa85dYvj8 RbnDmTI7s35kxzzGgiY9OFUBGPi+8/R7UZcNIuZxyiVQDEW8qaSOpRhL38fhm+txiAWHJB 8IpmFSlEPI8e2KPwREjWiKndV1Uo/RGTR3kzlXOLbK8DTMofMY4gkaP1+u/9dlG/FxqRPi N+X95hxMs0edUDXCcV1332ysS9dUl0JFth2cBTQOM4glxo7xOJH+S17Ktn6uiQ== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=too smtp.mailfrom=tomi.ollila@iki.fi X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: notmuch-bounces@notmuchmail.org Sender: "notmuch" X-Scanner: scn0 X-Spam-Score: 1.99 Authentication-Results: aspmx1.migadu.com; dkim=fail (body hash did not verify) header.d=iki.fi header.s=lahtoruutu header.b=FHps//A8; dmarc=none; spf=pass (aspmx1.migadu.com: domain of notmuch-bounces@notmuchmail.org designates 50.126.95.6 as permitted sender) smtp.mailfrom=notmuch-bounces@notmuchmail.org X-Scan-Result: default: False [1.99 / 13.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; GENERIC_REPUTATION(0.00)[-0.45911312538237]; DWL_DNSWL_BLOCKED(0.00)[50.126.95.6:from]; IP_REPUTATION_HAM(0.00)[asn: 27017(-0.18), country: US(-0.00), ip: 50.126.95.6(-0.46)]; R_DKIM_REJECT(1.00)[iki.fi:s=lahtoruutu]; R_SPF_ALLOW(-0.20)[+a]; ARC_REJECT(2.00)[signature check failed: fail, {[1] = sig:iki.fi:reject}]; TO_DN_ALL(0.00)[]; MX_GOOD(-0.50)[cached: notmuchmail.org]; RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[iki.fi:-]; MAILLIST(-0.20)[mailman]; RCVD_IN_DNSWL_FAIL(0.00)[50.126.95.6:server fail]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:27017, ipnet:50.126.64.0/18, country:US]; FROM_NEQ_ENVFROM(0.00)[tomi.ollila@iki.fi,notmuch-bounces@notmuchmail.org]; URIBL_BLOCKED(0.00)[notmuchmail.org:email,fifthhorseman.net:email]; FROM_HAS_DN(0.00)[]; SPF_REPUTATION_HAM(0.00)[-0.43924483023282]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[notmuch@notmuchmail.org]; DMARC_NA(0.00)[iki.fi]; HAS_LIST_UNSUB(-0.01)[]; RCVD_COUNT_SEVEN(0.00)[8]; FORGED_SENDER_MAILLIST(0.00)[] X-TUID: LQyOLNFa6Liz On Wed, May 06 2020, Daniel Kahn Gillmor wrote: > When checking cryptographic signatures, Notmuch relies on GMime to > tell it whether the certificate that signs a message has a valid User > ID or not. > > If the User ID is not valid, then notmuch does not report the signer's > User ID to the user. This means that the consumer of notmuch's > cryptographic summary of a message (or of its protected headers) can > be confident in relaying the reported identity to the user. > > However, some versions of GMime before 3.2.7 cannot report Certificate > validity for X.509 certificates. This is resolved upstream in GMime > at https://github.com/jstedfast/gmime/pull/90. > > We adapt to this by marking tests of reported User IDs for > S/MIME-signed messages as known-broken if GMime is older than 3.2.7 > and has not been patched. > > If GMime >= 3.2.7 and certificate validity still doesn't work for > X.509 certs, then there has likely been a regression in GMime and we > should fail early, during ./configure. > > To break out these specific User ID checks from other checks, i had to > split some tests into two parts, and reuse $output across the two > subtests. This works, on top of the previous series -- I skipped git am:ing 1/2, so thos works without it -- it is good stuff just IMO requires some changes) Tomi > > Signed-off-by: Daniel Kahn Gillmor > --- > configure | 79 ++++++++++++++++++++++++++++++++++ > test/T355-smime.sh | 19 +++++--- > test/T356-protected-headers.sh | 15 ++++++- > 3 files changed, 104 insertions(+), 9 deletions(-) > > diff --git a/configure b/configure > index 0cfdaa6f..92e5bd1b 100755 > --- a/configure > +++ b/configure > @@ -536,6 +536,82 @@ EOF > if [ -n "$TEMP_GPG" -a -d "$TEMP_GPG" ]; then > rm -rf "$TEMP_GPG" > fi > + > + # see https://github.com/jstedfast/gmime/pull/90 > + # should be fixed in GMime in 3.2.7, but some distros might patch > + printf "Checking for GMime X.509 certificate validity... " > + > + cat > _check_x509_validity.c < +#include > +#include > + > +int main () { > + GError *error = NULL; > + GMimeParser *parser = NULL; > + GMimeApplicationPkcs7Mime *body = NULL; > + GMimeSignatureList *sig_list = NULL; > + GMimeSignature *sig = NULL; > + GMimeCertificate *cert = NULL; > + GMimeObject *output = NULL; > + GMimeValidity validity = GMIME_VALIDITY_UNKNOWN; > + int len; > + > + g_mime_init (); > + parser = g_mime_parser_new (); > + g_mime_parser_init_with_stream (parser, g_mime_stream_file_open("test/corpora/pkcs7/smime-onepart-signed.eml", "r", &error)); > + if (error) return !! fprintf (stderr, "failed to instantiate parser with test/corpora/pkcs7/smime-onepart-signed.eml\n"); > + > + body = GMIME_APPLICATION_PKCS7_MIME(g_mime_message_get_mime_part (g_mime_parser_construct_message (parser, NULL))); > + if (body == NULL) return !! fprintf (stderr, "did not find a application/pkcs7 message\n"); > + > + sig_list = g_mime_application_pkcs7_mime_verify (body, GMIME_VERIFY_NONE, &output, &error); > + if (error || output == NULL) return !! fprintf (stderr, "verify failed\n"); > + > + if (sig_list == NULL) return !! fprintf (stderr, "no GMimeSignatureList found\n"); > + len = g_mime_signature_list_length (sig_list); > + if (len != 1) return !! fprintf (stderr, "expected 1 signature, got %d\n", len); > + sig = g_mime_signature_list_get_signature (sig_list, 0); > + if (sig == NULL) return !! fprintf (stderr, "no GMimeSignature found at position 0\n"); > + cert = g_mime_signature_get_certificate (sig); > + if (cert == NULL) return !! fprintf (stderr, "no GMimeCertificate found\n"); > + validity = g_mime_certificate_get_id_validity (cert); > + if (validity != GMIME_VALIDITY_FULL) return !! fprintf (stderr, "Got validity %d, expected %d\n", validity, GMIME_VALIDITY_FULL); > + > + return 0; > +} > +EOF > + if ! TEMP_GPG=$(mktemp -d "${TMPDIR:-/tmp}/notmuch.XXXXXX"); then > + printf 'No.\nCould not make tempdir for testing X.509 certificate validity support.\n' > + errors=$((errors + 1)) > + elif ${CC} ${CFLAGS} ${gmime_cflags} _check_x509_validity.c ${gmime_ldflags} -o _check_x509_validity \ > + && echo disable-crl-checks > "$TEMP_GPG/gpgsm.conf" \ > + && echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$TEMP_GPG/trustlist.txt" \ > + && GNUPGHOME=${TEMP_GPG} gpgsm --batch --quiet --import < "$srcdir"/test/smime/ca.crt > + then > + if GNUPGHOME=${TEMP_GPG} ./_check_x509_validity; then > + gmime_x509_cert_validity=1 > + printf "Yes.\n" > + else > + gmime_x509_cert_validity=0 > + printf "No.\n" > + if pkg-config --exists "gmime-3.0 >= 3.2.7"; then > + cat < +*** Error: GMime fails to calculate X.509 certificate validity, and > +is later than 3.2.7, which should have fixed this issue. > + > +Please follow up on https://github.com/jstedfast/gmime/pull/90 with > +more details. > +EOF > + errors=$((errors + 1)) > + fi > + fi > + else > + printf 'No.\nFailed to set up gpgsm for testing X.509 certificate validity support.\n' > + errors=$((errors + 1)) > + fi > + if [ -n "$TEMP_GPG" -a -d "$TEMP_GPG" ]; then > + rm -rf "$TEMP_GPG" > + fi > else > have_gmime=0 > printf "No.\n" > @@ -1334,6 +1410,9 @@ NOTMUCH_HAVE_XAPIAN_DB_RETRY_LOCK=${WITH_RETRY_LOCK} > # Which backend will Xapian use by default? > NOTMUCH_DEFAULT_XAPIAN_BACKEND=${default_xapian_backend} > > +# Whether GMime can verify X.509 certificate validity > +NOTMUCH_GMIME_X509_CERT_VALIDITY=${gmime_x509_cert_validity} > + > # do we have man pages? > NOTMUCH_HAVE_MAN=$((have_sphinx)) > > diff --git a/test/T355-smime.sh b/test/T355-smime.sh > index 3573b5ee..170f8649 100755 > --- a/test/T355-smime.sh > +++ b/test/T355-smime.sh > @@ -177,13 +177,18 @@ test_valid_json "$output" > > test_begin_subtest "Verify signature on PKCS#7 SignedData message" > output=$(notmuch show --format=json id:smime-onepart-signed@protected-headers.example) > + > +test_json_nodes <<<"$output" \ > + 'created:[0][0][0]["crypto"]["signed"]["status"][0]["created"]=1574813489' \ > + 'expires:[0][0][0]["crypto"]["signed"]["status"][0]["expires"]=2611032858' \ > + 'fingerprint:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \ > + 'status:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' > + > +test_begin_subtest "Verify signature on PKCS#7 SignedData message signer User ID" > +if [ $NOTMUCH_GMIME_X509_CERT_VALIDITY -ne 1 ]; then > + test_subtest_known_broken > +fi > test_json_nodes <<<"$output" \ > - 'crypto:[0][0][0]["crypto"]["signed"]["status"][0]={ > - "created" : 1574813489, > - "expires" : 2611032858, > - "fingerprint" : "702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB", > - "userid" : "CN=Alice Lovelace", > - "status" : "good" > - }' > + 'userid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' > > test_done > diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh > index 547b0c9a..074a2345 100755 > --- a/test/T356-protected-headers.sh > +++ b/test/T356-protected-headers.sh > @@ -162,8 +162,13 @@ for variant in multipart-signed onepart-signed; do > 'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \ > 'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \ > 'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \ > - 'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' \ > 'not_encrypted:[0][0][0]["crypto"]!"decrypted"' > + test_begin_subtest "verify signed PKCS#7 subject ($variant) signer User ID" > + if [ $NOTMUCH_GMIME_X509_CERT_VALIDITY -ne 1 ]; then > + test_subtest_known_broken > + fi > + test_json_nodes <<<"$output" \ > + 'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' > done > > for variant in sign+enc sign+enc+legacy-disp; do > @@ -173,8 +178,14 @@ for variant in sign+enc sign+enc+legacy-disp; do > 'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \ > 'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \ > 'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \ > - 'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' \ > 'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}' > + test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant) signer User ID" > + if [ $NOTMUCH_GMIME_X509_CERT_VALIDITY -ne 1 ]; then > + test_subtest_known_broken > + fi > + test_json_nodes <<<"$output" \ > + 'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' > + > done > > test_begin_subtest "confirm encryption-protected PKCS#7 subject (enc+legacy-disp)" > -- > 2.26.2 > > _______________________________________________ > notmuch mailing list > notmuch@notmuchmail.org > https://notmuchmail.org/mailman/listinfo/notmuch