Re: [PATCH] smime_keys: Handle certificate chains in add_cert. (closes #3339)

Sun, 24 May 2015 10:31:22 -0700 

* Kevin J. McCarthy <[email protected]> [2015-05-23 16:20 -0400]:

Thanks for testing my patch so quickly.


No worries.


Before replying below, let me describe the current behavior.  Given a
cert file with:
 Leaf-Inter1-Inter2-Inter3-Root
the "smime_keys add_cert" will create two files:
 1. Leaf
 2. Inter1-Inter2-Inter3-Root.
and one entry in the index:
 leaf-email leaf-hash label inter-hash validity


That makes sense, and matches what I saw with either my patch or your
(simpler) second patch.


Currently I have left the root cert inside the intermediary file.  If
this is bad or wrong behaviour, I can change it, it was just easier
that way.


I do not think that is bad behavior.


I also noted that the "subject" of the certificate was not being
printed as specified on line 888 of the `smime_keys` script.  Both
resulted from the lack of the "Bag Attributes" string in the output of
my openssl command (above) to extract PEM format certificates.


Would you mind sending me a private mail with the PEM you generated?
The "Bag Attributes" behavior was already in the script, so I'd like to
take a look before changing that.  Without the "Bag Attributes", the
script won't find Subject or Issuer and so won't be able to determine
the chains, so each cert would be added separately, as if it were a
leaf.


Let me know if you still need the PEM, but I believe the second patch
you sent solves the problem.


I would suggest letting the perl script ask for input instead of
trying to get the label(s) inside mutt.


I'm not sure the is doable in current form.  We may have to settle for
one label for all the leafs.


That sounds reasonable: the only reason I wanted to be able to label
each one individually was to avoid labeling the issuer certificates with
the name of the leaf certificate.  Given that the issuer certificates
are no longer treated as leaves, that is no longer a problem.


* Kevin J. McCarthy <[email protected]> [2015-05-23 17:31 -0400]:

Here's a revised patch loosening up the attributes parsing and changing
it to only prompt once for a label.


I just tried the new patch and everything works as it should, thanks!

Now the only problem is mutt prompting to use the second key every time
when trying to encrypt.

Regards,
--
dave [ please don't CC me ]



Attachment:
signature.asc

Description: PGP signature






















					Reply via email to