David J. Weller-Fahy wrote: > * Kevin J. McCarthy <[email protected]> [2015-05-17 19:39 -0400]: > >I didn't realize there might be more than one leaf in a single file, and > >wasn't aware there would be a problem separating out the sign-vs-encrypt > >certs later. > > Yep, that's what started me down this road. When I import certificates > from signed emails there is a root certificate, an intermediate issuer > certificate, and two leaf certificates (one for encryption and one for > signing). I don't know the use of including the signing certificate > (perhaps it's my ignorance of S/MIME, but I don't think I'd even need it > around), but I hesitate to not import it if its offered, under the > assumption that they wouldn't offer it if I didn't need it.
Okay. That's good to know, so the add_cert should allow multiple leafs and a possibly shared intermediate cert. > >Looking inside smime.c, I don't see any indication that mutt > >distinguishes between function when you are looking for keys to encrypt > >an email. How do you (or mutt) currently deal with this? > > If I then try to encrypt a message to you the one that can be used for > encryption is presented as the one to use. If that were the second > certificate, then the prompt would be as follows. I have more carefully reviewed the code in smime.c and have found nothing that appears to check the purpose of the certs. If it finds multiple matching certs for a email address, it appears to ask about the *second* match (and all subsequent matches) before finally asking about the first match. I don't understand this behavior but can only guess it may have had something to do with the order of leafs getting imported into the index at some time. Just to make sure I'm not crazy, would you mind swapping the order of the lines in your .index file and double checking it asks about the second match each time? (To make it even clearer, try setting the flags to 'u' [unverified] to force it to ask for each cert). I think it would be a good idea to add a "purpose" field to the index for keys and cert, with 's' and 'e' set for the "S/MIME signing" and "S/MIME encryption" output from openssl x509 -purpose. Does that sound reasonable? -Kevin
signature.asc
Description: PGP signature
