Hi David,

Thanks for testing my patch so quickly.

David J. Weller-Fahy wrote:
> It does handle all the certificates, but does not end up using the label
> entered in mutt for all the certificates, nor does it allow the user to
> enter labels for the certificates individually when used from within
> mutt.

Ah. I see my mistake. I didn't realize mutt was prompting for the label first. The current patch added a prompt for *each* certificate leaf+chain, but that won't work. I will change it to prompt only once for the whole thing.

Before replying below, let me describe the current behavior. Given a cert file with:

  Leaf-Inter1-Inter2-Inter3-Root

the "smime_keys add_cert" will create two files:

  1. Leaf
  2. Inter1-Inter2-Inter3-Root

and one entry in the index:

  leaf-email leaf-hash label inter-hash validity

I believe the "hash" command only looks at the first cert in the file, but the verify command will read the entire file, so this works out well for verifying the cert.

Currently I have left the root cert inside the intermediary file. If this is bad or wrong behaviour, I can change it; it was just easier that way. I noticed the add_pem stripped out the root *unless* there were no intermediaries, and the patch at http://kb.wisc.edu/middleware/page.php?id=4091 was dumping all the certs in, so I didn't figure it was too bad.

> First, the patch: I noticed that all four certificates (the root,
> intermediate, and two leaves) were all being included in the processing,
> when (I think) only the two leaves should be included.

Hopefully the above makes it clearer. This should have added three files: "leaf1", "leaf2", and "intermediate+root". It will add two entries in the index, one for each leaf, along with the intermediate hash so the verify works.

> I also noted that the "subject" of the certificate was not being
> printed as specified on line 888 of the `smime_keys` script. Both
> resulted from the lack of the "Bag Attributes" string in the output of
> my openssl command (above) to extract PEM format certificates.

Would you mind sending me a private mail with the PEM you generated? The "Bag Attributes" behavior was already in the script, so I'd like to take a look before changing that. Without the "Bag Attributes", the script won't find Subject or Issuer and so won't be able to determine the chains, so each cert would be added separately, as if it were a leaf.

> Third, the suggestion: I would suggest letting the perl script ask for
> input instead of trying to get the label(s) inside mutt. Perhaps this
> could be a S/MIME only thing as I'm not sure how common this would be in
> the PGP/GPG realm. I'm not emotionally attached to this idea, though,
> so anything that lets the labels be set for each added leaf certificate
> would be excellent.

I'm not sure this is doable in current form. We may have to settle for one label for all the leaves.

-Kevin
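As an added illustration of the file-splitting behaviour described in this message (example code written for this page, not the smime_keys script itself): it reads a bundle in the subject=/issuer= text form that openssl prints alongside the Bag Attributes, writes out one entry per leaf and one shared intermediate+root entry with the root left in, and yields nothing when those subject/issuer lines are absent. The certificate bodies are constructed placeholders, and the hash/index step is omitted.

```python
import re

def cert_block(subject, issuer, body):
    """Build one entry in the text form openssl prints with Bag Attributes
    (constructed sample; the body is a placeholder, not a real certificate)."""
    return (f"subject={subject}\nissuer={issuer}\n"
            f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")

# Constructed bundle: two leaves under one intermediate, root included.
SAMPLE = "".join([cert_block("/CN=Leaf1", "/CN=Inter1", "LEAF1"),
                  cert_block("/CN=Leaf2", "/CN=Inter1", "LEAF2"),
                  cert_block("/CN=Inter1", "/CN=Root", "INTER1"),
                  cert_block("/CN=Root", "/CN=Root", "ROOT")])

CERT_RE = re.compile(
    r"subject=(?P<subject>[^\n]*)\nissuer=(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n)",
    re.S)

def parse_bundle(text):
    """Return (subject, issuer, pem) tuples in file order. Without the
    subject/issuer lines nothing matches, which is why chain detection
    fails when the Bag Attributes output is missing."""
    return [(m["subject"], m["issuer"], m["pem"]) for m in CERT_RE.finditer(text)]

def split_chains(text):
    """Return {file_name: pem_text}: one file per leaf (a cert that issues
    nothing else) plus one file per distinct issuer chain, root kept in."""
    certs = parse_bundle(text)
    by_subject = {s: (i, p) for s, i, p in certs}
    issuers = {i for s, i, _ in certs if i != s}   # ignore self-signatures
    files = {}
    for subject, issuer, pem in certs:
        if subject in issuers:
            continue                               # signs another cert: not a leaf
        files[subject] = pem
        chain, cur = [], issuer
        # Walk issuer links upward; stop at the self-signed root or a loop.
        while cur in by_subject and cur not in chain and cur != subject:
            chain.append(cur)
            cur = by_subject[cur][0]
        if chain:
            files.setdefault("+".join(chain), "".join(by_subject[c][1] for c in chain))
    return files
```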