Re: [PATCH 01/15] tests: move add_gpgsm_home to test-lib.sh
Daniel Kahn Gillmor writes: > This allows us to test S/MIME messages in other tests. > pushed the revised series. Actually I had to cherry-pick the last patch from the gitlab branch for some reason (probably lack of rebasing after earlier patches were changed). d ___ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 7/9] crypto: handle PKCS#7 envelopedData in _notmuch_crypto_decrypt
In the two places where _notmuch_crypto_decrypt handles
multipart/encrypted messages (PGP/MIME), we should also handle PKCS#7
envelopedData (S/MIME).
This is insufficient for fully handling S/MIME encrypted data because
_notmuch_crypto_decrypt isn't yet actually invoked for envelopedData
parts, but that will happen in the following changes.
Signed-off-by: Daniel Kahn Gillmor
---
util/crypto.c | 32 ++--
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/util/crypto.c b/util/crypto.c
index fbd5f011..c09f467b 100644
--- a/util/crypto.c
+++ b/util/crypto.c
@@ -55,10 +55,21 @@ _notmuch_crypto_decrypt (bool *attempted,
}
if (attempted)
*attempted = true;
- ret = g_mime_multipart_encrypted_decrypt (GMIME_MULTIPART_ENCRYPTED
(part),
- GMIME_DECRYPT_NONE,
-
notmuch_message_properties_value (list),
- decrypt_result, err);
+ if (GMIME_IS_MULTIPART_ENCRYPTED (part)) {
+ ret = g_mime_multipart_encrypted_decrypt
(GMIME_MULTIPART_ENCRYPTED (part),
+ GMIME_DECRYPT_NONE,
+
notmuch_message_properties_value (list),
+ decrypt_result, err);
+ } else if (GMIME_IS_APPLICATION_PKCS7_MIME (part)) {
+ GMimeApplicationPkcs7Mime *pkcs7 = GMIME_APPLICATION_PKCS7_MIME
(part);
+ GMimeSecureMimeType type =
g_mime_application_pkcs7_mime_get_smime_type (pkcs7);
+ if (type == GMIME_SECURE_MIME_TYPE_ENVELOPED_DATA) {
+ ret = g_mime_application_pkcs7_mime_decrypt (pkcs7,
+
GMIME_DECRYPT_NONE,
+
notmuch_message_properties_value (list),
+
decrypt_result, err);
+ }
+ }
if (ret)
break;
}
@@ -81,8 +92,17 @@ _notmuch_crypto_decrypt (bool *attempted,
GMimeDecryptFlags flags = GMIME_DECRYPT_NONE;
if (decrypt == NOTMUCH_DECRYPT_TRUE && decrypt_result)
flags |= GMIME_DECRYPT_EXPORT_SESSION_KEY;
-ret = g_mime_multipart_encrypted_decrypt (GMIME_MULTIPART_ENCRYPTED
(part), flags, NULL,
- decrypt_result, err);
+if (GMIME_IS_MULTIPART_ENCRYPTED (part)) {
+ ret = g_mime_multipart_encrypted_decrypt (GMIME_MULTIPART_ENCRYPTED
(part), flags, NULL,
+ decrypt_result, err);
+} else if (GMIME_IS_APPLICATION_PKCS7_MIME (part)) {
+ GMimeApplicationPkcs7Mime *pkcs7 = GMIME_APPLICATION_PKCS7_MIME (part);
+ GMimeSecureMimeType p7type =
g_mime_application_pkcs7_mime_get_smime_type (pkcs7);
+ if (p7type == GMIME_SECURE_MIME_TYPE_ENVELOPED_DATA) {
+ ret = g_mime_application_pkcs7_mime_decrypt (pkcs7, flags, NULL,
+decrypt_result, err);
+ }
+}
return ret;
}
--
2.26.2
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 3/9] cli: include wrapped part of PKCS#7 SignedData in the MIME tree
Unwrap a PKCS#7 SignedData part unconditionally when the cli is
traversing the MIME tree, and return it as a "child" of what would
otherwise be a leaf in the tree.
Unfortunately, this also breaks the JSON output. We will fix that
next.
Signed-off-by: Daniel Kahn Gillmor
---
mime-node.c| 23 +--
test/T355-smime.sh | 2 +-
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/mime-node.c b/mime-node.c
index ff6805bf..b6431e3b 100644
--- a/mime-node.c
+++ b/mime-node.c
@@ -220,8 +220,17 @@ node_verify (mime_node_t *node, GMimeObject *part)
notmuch_status_t status;
node->verify_attempted = true;
-node->sig_list = g_mime_multipart_signed_verify (
- GMIME_MULTIPART_SIGNED (part), GMIME_VERIFY_NONE, &err);
+if (GMIME_IS_APPLICATION_PKCS7_MIME (part))
+ node->sig_list = g_mime_application_pkcs7_mime_verify (
+ GMIME_APPLICATION_PKCS7_MIME (part), GMIME_VERIFY_NONE,
&node->unwrapped_child, &err);
+else
+ node->sig_list = g_mime_multipart_signed_verify (
+ GMIME_MULTIPART_SIGNED (part), GMIME_VERIFY_NONE, &err);
+
+if (node->unwrapped_child) {
+ node->nchildren = 1;
+ set_unwrapped_child_destructor (node);
+}
if (node->sig_list)
set_signature_list_destructor (node);
@@ -376,6 +385,12 @@ _mime_node_set_up_part (mime_node_t *node, GMimeObject
*part, int numchild)
} else {
node_verify (node, part);
}
+} else if (GMIME_IS_APPLICATION_PKCS7_MIME (part) &&
+ GMIME_SECURE_MIME_TYPE_SIGNED_DATA ==
g_mime_application_pkcs7_mime_get_smime_type (GMIME_APPLICATION_PKCS7_MIME
(part))) {
+ /* If node->ctx->crypto->verify is false, it would be better
+* to just unwrap (instead of verifying), but
+* https://github.com/jstedfast/gmime/issues/67 */
+ node_verify (node, part);
} else {
if (_notmuch_message_crypto_potential_payload (node->ctx->msg_crypto,
part, node->parent ? node->parent->part : NULL, numchild) &&
node->ctx->msg_crypto->decryption_status ==
NOTMUCH_MESSAGE_DECRYPTED_FULL) {
@@ -409,6 +424,10 @@ mime_node_child (mime_node_t *parent, int child)
GMIME_MULTIPART (parent->part), child);
} else if (GMIME_IS_MESSAGE (parent->part)) {
sub = g_mime_message_get_mime_part (GMIME_MESSAGE (parent->part));
+} else if (GMIME_IS_APPLICATION_PKCS7_MIME (parent->part) &&
+ parent->unwrapped_child &&
+ child == 0) {
+ sub = parent->unwrapped_child;
} else {
/* This should have been caught by _mime_node_set_up_part */
INTERNAL_ERROR ("Unexpected GMimeObject type: %s",
diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 0d78f262..710e51ec 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -142,7 +142,6 @@ expected='#notmuch-dump batch-tag:3 config,properties,tags
test_expect_equal "$expected" "$output"
test_begin_subtest "show contents of PKCS#7 SignedData message"
-test_subtest_known_broken
output=$(notmuch show --format=raw --part=2
id:smime-onepart-signed@protected-headers.example)
whitespace=' '
expected="Bob, we need to cancel this contract.
@@ -178,6 +177,7 @@ On Tue, 26 Nov 2019 20:11:29 -0400, Alice Lovelace
wrote:
test_expect_equal "$expected" "$output"
test_begin_subtest "show PKCS#7 SignedData outputs valid JSON"
+test_subtest_known_broken
output=$(notmuch show --format=json
id:smime-onepart-signed@protected-headers.example)
test_valid_json "$output"
--
2.26.2
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 6/9] crypto: Make _notmuch_crypto_decrypt take a GMimeObject
As we prepare to handle S/MIME-encrypted PKCS#7 EnvelopedData (which
is not multipart), we don't want to be limited to passing only
GMimeMultipartEncrypted MIME parts to _notmuch_crypto_decrypt.
There is no functional change here, just a matter of adjusting how we
pass arguments internally.
Signed-off-by: Daniel Kahn Gillmor
---
lib/index.cc | 8
mime-node.c | 3 +--
util/crypto.c | 6 +++---
util/crypto.h | 2 +-
4 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/lib/index.cc b/lib/index.cc
index f029b334..da9a3abe 100644
--- a/lib/index.cc
+++ b/lib/index.cc
@@ -369,7 +369,7 @@ _index_content_type (notmuch_message_t *message,
GMimeObject *part)
static void
_index_encrypted_mime_part (notmuch_message_t *message, notmuch_indexopts_t
*indexopts,
- GMimeMultipartEncrypted *part,
+ GMimeObject *part,
_notmuch_message_crypto_t *msg_crypto);
static void
@@ -439,7 +439,7 @@ _index_mime_part (notmuch_message_t *message,
g_mime_multipart_get_part (multipart, i));
if (i == GMIME_MULTIPART_ENCRYPTED_CONTENT) {
_index_encrypted_mime_part (message, indexopts,
- GMIME_MULTIPART_ENCRYPTED
(part),
+ part,
msg_crypto);
} else {
if (i != GMIME_MULTIPART_ENCRYPTED_VERSION) {
@@ -551,7 +551,7 @@ _index_mime_part (notmuch_message_t *message,
static void
_index_encrypted_mime_part (notmuch_message_t *message,
notmuch_indexopts_t *indexopts,
- GMimeMultipartEncrypted *encrypted_data,
+ GMimeObject *encrypted_data,
_notmuch_message_crypto_t *msg_crypto)
{
notmuch_status_t status;
@@ -603,7 +603,7 @@ _index_encrypted_mime_part (notmuch_message_t *message,
g_object_unref (decrypt_result);
}
GMimeObject *toindex = clear;
-if (_notmuch_message_crypto_potential_payload (msg_crypto, clear,
GMIME_OBJECT (encrypted_data), GMIME_MULTIPART_ENCRYPTED_CONTENT) &&
+if (_notmuch_message_crypto_potential_payload (msg_crypto, clear,
encrypted_data, GMIME_MULTIPART_ENCRYPTED_CONTENT) &&
msg_crypto->decryption_status == NOTMUCH_MESSAGE_DECRYPTED_FULL) {
toindex = _notmuch_repair_crypto_payload_skip_legacy_display (clear);
if (toindex != clear)
diff --git a/mime-node.c b/mime-node.c
index b6431e3b..c2ee858d 100644
--- a/mime-node.c
+++ b/mime-node.c
@@ -253,7 +253,6 @@ node_decrypt_and_verify (mime_node_t *node, GMimeObject
*part)
GError *err = NULL;
GMimeDecryptResult *decrypt_result = NULL;
notmuch_status_t status;
-GMimeMultipartEncrypted *encrypteddata = GMIME_MULTIPART_ENCRYPTED (part);
notmuch_message_t *message = NULL;
if (! node->unwrapped_child) {
@@ -266,7 +265,7 @@ node_decrypt_and_verify (mime_node_t *node, GMimeObject
*part)
node->unwrapped_child = _notmuch_crypto_decrypt
(&node->decrypt_attempted,
node->ctx->crypto->decrypt,
message,
-encrypteddata,
&decrypt_result, &err);
+part, &decrypt_result,
&err);
if (node->unwrapped_child)
set_unwrapped_child_destructor (node);
}
diff --git a/util/crypto.c b/util/crypto.c
index 0bb6f526..fbd5f011 100644
--- a/util/crypto.c
+++ b/util/crypto.c
@@ -34,7 +34,7 @@ GMimeObject *
_notmuch_crypto_decrypt (bool *attempted,
notmuch_decryption_policy_t decrypt,
notmuch_message_t *message,
-GMimeMultipartEncrypted *part,
+GMimeObject *part,
GMimeDecryptResult **decrypt_result,
GError **err)
{
@@ -55,7 +55,7 @@ _notmuch_crypto_decrypt (bool *attempted,
}
if (attempted)
*attempted = true;
- ret = g_mime_multipart_encrypted_decrypt (part,
+ ret = g_mime_multipart_encrypted_decrypt (GMIME_MULTIPART_ENCRYPTED
(part),
GMIME_DECRYPT_NONE,
notmuch_message_properties_value (list),
decrypt_result, err);
@@ -81,7 +81,7 @@ _notmuch_crypto_decrypt (bool *attempted,
GMimeDecryptFlags flags = GMIME_DECRYPT_NONE;
if (decrypt == NOTMUCH_DECRYPT_TRUE && decrypt_result)
flags |= GMIME_DECRYPT_EXPORT_SESSION_KEY;
-ret = g_mime_multipart_encrypted_decrypt (part, flags, NULL,
+ret = g_mime_multipart_encrypted_decrypt
[PATCH 2/9] smime: Identify encrypted S/MIME parts during indexing
We don't handle them correctly yet, but we can at least mark them as
being encrypted.
Signed-off-by: Daniel Kahn Gillmor
---
lib/index.cc | 4
test/T355-smime.sh | 1 -
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/index.cc b/lib/index.cc
index bbf13dc5..f029b334 100644
--- a/lib/index.cc
+++ b/lib/index.cc
@@ -654,6 +654,10 @@ _index_pkcs7_part (notmuch_message_t *message,
notmuch_message_add_property (message, "index.repaired",
"skip-protected-headers-legacy-display");
}
_index_mime_part (message, indexopts, toindex, msg_crypto);
+} else if (p7type == GMIME_SECURE_MIME_TYPE_ENVELOPED_DATA) {
+ _notmuch_message_add_term (message, "tag", "encrypted");
+ if (notmuch_indexopts_get_decrypt_policy (indexopts) !=
NOTMUCH_DECRYPT_FALSE)
+ _notmuch_database_log (notmuch, "Cannot decrypt PKCS#7
envelopedData (S/MIME encrypted messages)\n");
} else {
_notmuch_database_log (notmuch, "Cannot currently handle PKCS#7
smime-type '%s'\n",
g_mime_object_get_content_type_parameter (part,
"smime-type"));
diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 01e53e33..0d78f262 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -98,7 +98,6 @@ test_json_nodes <<<"$output" \
'crypto_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Notmuch
Test Suite"'
test_begin_subtest "encrypted+signed message is known to be encrypted, but
signature is unknown"
-test_subtest_known_broken
output=$(notmuch search subject:"test encrypted message 001")
test_expect_equal "$output" "thread:0002 2000-01-01 [1/1]
Notmuch Test Suite; test encrypted message 001 (encrypted inbox)"
--
2.26.2
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 4/9] cli/show: If a leaf part has children, show them instead of omitting
Until we did PKCS#7 unwrapping, no leaf MIME part could have a child.
Now, we treat the unwrapped MIME part as the child of the PKCS#7
SignedData object. So in that case, we want to show it instead of
deliberately omitting the content.
This fixes the test of the protected subject in
id:smime-onepart-signed@protected-headers.example.
Signed-off-by: Daniel Kahn Gillmor
---
notmuch-show.c | 11 ++-
test/T355-smime.sh | 2 --
test/T356-protected-headers.sh | 1 -
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/notmuch-show.c b/notmuch-show.c
index ab1cd144..36265043 100644
--- a/notmuch-show.c
+++ b/notmuch-show.c
@@ -759,7 +759,16 @@ format_part_sprinter (const void *ctx, sprinter_t *sp,
mime_node_t *node,
sp->string_len (sp, (char *) part_content->data, part_content->len);
g_object_unref (stream_memory);
} else {
- format_omitted_part_meta_sprinter (sp, meta, GMIME_PART
(node->part));
+ /* if we have a child part despite being a standard
+* (non-multipart) MIME part, that means there is
+* something to unwrap, which we will present in
+* content: */
+ if (node->nchildren) {
+ sp->map_key (sp, "content");
+ sp->begin_list (sp);
+ nclose = 1;
+ } else
+ format_omitted_part_meta_sprinter (sp, meta, GMIME_PART
(node->part));
}
} else if (GMIME_IS_MULTIPART (node->part)) {
sp->map_key (sp, "content");
diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 710e51ec..099a3df7 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -177,12 +177,10 @@ On Tue, 26 Nov 2019 20:11:29 -0400, Alice Lovelace
wrote:
test_expect_equal "$expected" "$output"
test_begin_subtest "show PKCS#7 SignedData outputs valid JSON"
-test_subtest_known_broken
output=$(notmuch show --format=json
id:smime-onepart-signed@protected-headers.example)
test_valid_json "$output"
test_begin_subtest "Verify signature on PKCS#7 SignedData message"
-test_subtest_known_broken
output=$(notmuch show --format=json
id:smime-onepart-signed@protected-headers.example)
test_json_nodes <<<"$output" \
'crypto:[0][0][0]["crypto"]["signed"]["status"][0]={
diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index 520cb71c..bca50e29 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -157,7 +157,6 @@ test_expect_equal "$output"
id:protected-with-legacy-display@crypto.notmuchmail.
for variant in multipart-signed onepart-signed; do
test_begin_subtest "verify signed PKCS#7 subject ($variant)"
-[ "$variant" = multipart-signed ] || test_subtest_known_broken
output=$(notmuch show --verify --format=json
"id:smime-${variant}@protected-headers.example")
test_json_nodes <<<"$output" \
'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
--
2.26.2
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 9/9] smime: Index cleartext of envelopedData when requested
Signed-off-by: Daniel Kahn Gillmor
---
lib/index.cc | 5 +++--
test/T355-smime.sh | 2 --
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/lib/index.cc b/lib/index.cc
index da9a3abe..826aa341 100644
--- a/lib/index.cc
+++ b/lib/index.cc
@@ -656,8 +656,9 @@ _index_pkcs7_part (notmuch_message_t *message,
_index_mime_part (message, indexopts, toindex, msg_crypto);
} else if (p7type == GMIME_SECURE_MIME_TYPE_ENVELOPED_DATA) {
_notmuch_message_add_term (message, "tag", "encrypted");
- if (notmuch_indexopts_get_decrypt_policy (indexopts) !=
NOTMUCH_DECRYPT_FALSE)
- _notmuch_database_log (notmuch, "Cannot decrypt PKCS#7
envelopedData (S/MIME encrypted messages)\n");
+ _index_encrypted_mime_part (message, indexopts,
+ part,
+ msg_crypto);
} else {
_notmuch_database_log (notmuch, "Cannot currently handle PKCS#7
smime-type '%s'\n",
g_mime_object_get_content_type_parameter (part,
"smime-type"));
diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 0d32a7d5..3573b5ee 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -107,12 +107,10 @@ test_begin_subtest "Reindex cleartext"
test_expect_success "notmuch reindex --decrypt=true subject:'test encrypted
message 001'"
test_begin_subtest "signature is now known"
-test_subtest_known_broken
output=$(notmuch search subject:"test encrypted message 001")
test_expect_equal "$output" "thread:0002 2000-01-01 [1/1]
Notmuch Test Suite; test encrypted message 001 (encrypted inbox signed)"
test_begin_subtest "Encrypted body is indexed"
-test_subtest_known_broken
output=$(notmuch search 'this is a test encrypted message')
test_expect_equal "$output" "thread:0002 2000-01-01 [1/1]
Notmuch Test Suite; test encrypted message 001 (encrypted inbox signed)"
--
2.26.2
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
Handle PKCS#7 S/MIME messages
This series applies after the "Add tests for S/MIME PKCS#7 messages" series, which was introduced in id:20200428185723.660184-1-...@fifthhorseman.net With this series applied, notmuch handles standard PKCS#7 S/MIME messages (using GnuPG's gpgsm as a backend, as mediated by GMime's use of GPGME) as well as it handles PGP/MIME messages. In addition to showing and replying to these messages, the series covers indexing the cleartext of encrypted messages, and understanding protected headers. --dkg ___ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 1/9] lib: index PKCS7 SignedData parts
When we are indexing, we should treat SignedData parts the same way
that we treat a multipart object, indexing the wrapped part as a
distinct MIME object.
Unfortunately, this means doing some sort of cryptographic
verification whose results we throw away, because GMime doesn't offer
us any way to unwrap without doing signature verification.
I've opened https://github.com/jstedfast/gmime/issues/67 to request
the capability from GMime but for now, we'll just accept the
additional performance hit.
As we do this indexing, we also apply the "signed" tag, by analogy
with how we handle multipart/signed messages. These days, that kind
of change should probably be done with a property instead, but that's
a different set of changes. This one is just for consistency.
Note that we are currently *only* handling signedData parts, which are
basically clearsigned messages. PKCS#7 parts can also be
envelopedData and authEnvelopedData (which are effectively encryption
layers), and compressedData (which afaict isn't implemented anywhere,
i've never encountered it). We're laying the groundwork for indexing
these other S/MIME types here, but we're only dealing with signedData
for now.
Signed-off-by: Daniel Kahn Gillmor
---
lib/index.cc | 57 ++
test/T355-smime.sh | 2 --
2 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/lib/index.cc b/lib/index.cc
index 158ba5cf..bbf13dc5 100644
--- a/lib/index.cc
+++ b/lib/index.cc
@@ -372,6 +372,12 @@ _index_encrypted_mime_part (notmuch_message_t *message,
notmuch_indexopts_t *ind
GMimeMultipartEncrypted *part,
_notmuch_message_crypto_t *msg_crypto);
+static void
+_index_pkcs7_part (notmuch_message_t *message,
+ notmuch_indexopts_t *indexopts,
+ GMimeObject *part,
+ _notmuch_message_crypto_t *msg_crypto);
+
/* Callback to generate terms for each mime part of a message. */
static void
_index_mime_part (notmuch_message_t *message,
@@ -466,6 +472,11 @@ _index_mime_part (notmuch_message_t *message,
goto DONE;
}
+if (GMIME_IS_APPLICATION_PKCS7_MIME (part)) {
+ _index_pkcs7_part (message, indexopts, part, msg_crypto);
+ goto DONE;
+}
+
if (! (GMIME_IS_PART (part))) {
_notmuch_database_log (notmuch_message_get_database (message),
"Warning: Not indexing unknown mime part: %s.\n",
@@ -608,6 +619,52 @@ _index_encrypted_mime_part (notmuch_message_t *message,
}
+static void
+_index_pkcs7_part (notmuch_message_t *message,
+ notmuch_indexopts_t *indexopts,
+ GMimeObject *part,
+ _notmuch_message_crypto_t *msg_crypto)
+{
+GMimeApplicationPkcs7Mime *pkcs7;
+GMimeSecureMimeType p7type;
+GMimeObject *mimeobj = NULL;
+GMimeSignatureList *sigs = NULL;
+GError *err = NULL;
+notmuch_database_t *notmuch = NULL;
+
+pkcs7 = GMIME_APPLICATION_PKCS7_MIME (part);
+p7type = g_mime_application_pkcs7_mime_get_smime_type (pkcs7);
+notmuch = notmuch_message_get_database (message);
+_index_content_type (message, part);
+
+if (p7type == GMIME_SECURE_MIME_TYPE_SIGNED_DATA) {
+ sigs = g_mime_application_pkcs7_mime_verify (pkcs7, GMIME_VERIFY_NONE,
&mimeobj, &err);
+ if (sigs == NULL) {
+ _notmuch_database_log (notmuch, "Failed to verify PKCS#7 SignedData
during indexing. (%d:%d) [%s]\n",
+ err->domain, err->code, err->message);
+ g_error_free (err);
+ goto DONE;
+ }
+ _notmuch_message_add_term (message, "tag", "signed");
+ GMimeObject *toindex = mimeobj;
+ if (_notmuch_message_crypto_potential_payload (msg_crypto, mimeobj,
part, 0) &&
+ msg_crypto->decryption_status == NOTMUCH_MESSAGE_DECRYPTED_FULL) {
+ toindex = _notmuch_repair_crypto_payload_skip_legacy_display
(mimeobj);
+ if (toindex != mimeobj)
+ notmuch_message_add_property (message, "index.repaired",
"skip-protected-headers-legacy-display");
+ }
+ _index_mime_part (message, indexopts, toindex, msg_crypto);
+} else {
+ _notmuch_database_log (notmuch, "Cannot currently handle PKCS#7
smime-type '%s'\n",
+ g_mime_object_get_content_type_parameter (part,
"smime-type"));
+}
+ DONE:
+if (mimeobj)
+ g_object_unref (mimeobj);
+if (sigs)
+ g_object_unref (sigs);
+}
+
static notmuch_status_t
_notmuch_message_index_user_headers (notmuch_message_t *message, GMimeMessage
*mime_message)
{
diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 117fa2b9..01e53e33 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -132,13 +132,11 @@ expected=''
test_expect_equal "$expected" "$output"
test_begin_subtest "know the MIME type of the embedded part in PKCS#7
SignedData"
-test_subtest_known_
[PATCH 5/9] cli/reply: Ignore PKCS#7 wrapper parts when replying
When composing a reply, no one wants to see this line in the proposed
message:
Non-text part: application/pkcs7-mime
So we hide it, the same way we hide PGP/MIME cruft.
Signed-off-by: Daniel Kahn Gillmor
---
notmuch-reply.c| 5 +++--
test/T355-smime.sh | 1 -
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/notmuch-reply.c b/notmuch-reply.c
index 2c30f6f9..ceb4f39b 100644
--- a/notmuch-reply.c
+++ b/notmuch-reply.c
@@ -65,8 +65,9 @@ format_part_reply (GMimeStream *stream, mime_node_t *node)
GMimeContentDisposition *disposition =
g_mime_object_get_content_disposition (node->part);
if (g_mime_content_type_is_type (content_type, "application",
"pgp-encrypted") ||
- g_mime_content_type_is_type (content_type, "application",
"pgp-signature")) {
- /* Ignore PGP/MIME cruft parts */
+ g_mime_content_type_is_type (content_type, "application",
"pgp-signature") ||
+ g_mime_content_type_is_type (content_type, "application",
"pkcs7-mime")) {
+ /* Ignore PGP/MIME and S/MIME cruft parts */
} else if (g_mime_content_type_is_type (content_type, "text", "*") &&
! g_mime_content_type_is_type (content_type, "text",
"html")) {
show_text_part_content (node->part, stream,
NOTMUCH_SHOW_TEXT_PART_REPLY);
diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 099a3df7..4b67a559 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -156,7 +156,6 @@ OpenPGP Example Corp"
test_expect_equal "$expected" "$output"
test_begin_subtest "reply to PKCS#7 SignedData message with proper quoting and
attribution"
-test_subtest_known_broken
output=$(notmuch reply id:smime-onepart-signed@protected-headers.example)
expected="From: Notmuch Test Suite
Subject: Re: The FooCorp contract
--
2.26.2
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 8/9] smime: Pass PKCS#7 envelopedData to node_decrypt_and_verify
This change means we can support "notmuch show --decrypt=true" for
S/MIME encrypted messages, resolving several outstanding broken tests,
including all the remaining S/MIME protected header examples.
We do not yet handle indexing the cleartext of S/MIME encrypted
messages, though.
Signed-off-by: Daniel Kahn Gillmor
---
mime-node.c| 6 ++
test/T355-smime.sh | 2 --
test/T356-protected-headers.sh | 2 --
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/mime-node.c b/mime-node.c
index c2ee858d..f552e03a 100644
--- a/mime-node.c
+++ b/mime-node.c
@@ -390,6 +390,12 @@ _mime_node_set_up_part (mime_node_t *node, GMimeObject
*part, int numchild)
* to just unwrap (instead of verifying), but
* https://github.com/jstedfast/gmime/issues/67 */
node_verify (node, part);
+} else if (GMIME_IS_APPLICATION_PKCS7_MIME (part) &&
+ GMIME_SECURE_MIME_TYPE_ENVELOPED_DATA ==
g_mime_application_pkcs7_mime_get_smime_type (GMIME_APPLICATION_PKCS7_MIME
(part)) &&
+ (node->ctx->crypto->decrypt != NOTMUCH_DECRYPT_FALSE)) {
+ node_decrypt_and_verify (node, part);
+ if (node->unwrapped_child && node->nchildren == 0)
+ node->nchildren = 1;
} else {
if (_notmuch_message_crypto_potential_payload (node->ctx->msg_crypto,
part, node->parent ? node->parent->part : NULL, numchild) &&
node->ctx->msg_crypto->decryption_status ==
NOTMUCH_MESSAGE_DECRYPTED_FULL) {
diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 4b67a559..0d32a7d5 100755
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -80,7 +80,6 @@ EOF
test_expect_equal_file EXPECTED OUTPUT
test_begin_subtest "Decryption (notmuch CLI)"
-test_subtest_known_broken
notmuch show --decrypt=true subject:"test encrypted message 001" |\
grep "^This is a" > OUTPUT
cat < EXPECTED
@@ -89,7 +88,6 @@ EOF
test_expect_equal_file EXPECTED OUTPUT
test_begin_subtest "Cryptographic message status (encrypted+signed)"
-test_subtest_known_broken
output=$(notmuch show --format=json --decrypt=true subject:"test encrypted
message 001")
test_json_nodes <<<"$output" \
'crypto_encrypted:[0][0][0]["crypto"]["decrypted"]["status"]="full"' \
diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index bca50e29..547b0c9a 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -168,7 +168,6 @@ done
for variant in sign+enc sign+enc+legacy-disp; do
test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant)"
-test_subtest_known_broken
output=$(notmuch show --decrypt=true --format=json
"id:smime-${variant}@protected-headers.example")
test_json_nodes <<<"$output" \
'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
@@ -179,7 +178,6 @@ for variant in sign+enc sign+enc+legacy-disp; do
done
test_begin_subtest "confirm encryption-protected PKCS#7 subject
(enc+legacy-disp)"
-test_subtest_known_broken
output=$(notmuch show --decrypt=true --format=json
"id:smime-enc+legacy-disp@protected-headers.example")
test_json_nodes <<<"$output" \
'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}'
\
--
2.26.2
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 07/15 v2] test: Allow tests to have both gpg and gpgsm active at once
Without this fix, we couldn't run both add_gnupg_home and
add_gpgsm_home in the same test script.
Signed-off-by: Daniel Kahn Gillmor
---
test/test-lib.sh | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/test-lib.sh b/test/test-lib.sh
index ac1b9315..1baa2d20 100644
--- a/test/test-lib.sh
+++ b/test/test-lib.sh
@@ -110,10 +110,10 @@ unset ALTERNATE_EDITOR
add_gnupg_home ()
{
local output
-[ -d ${GNUPGHOME} ] && return
+[ -e "${GNUPGHOME}/gpg.conf" ] && return
_gnupg_exit () { gpgconf --kill all 2>/dev/null || true; }
at_exit_function _gnupg_exit
-mkdir -m 0700 "$GNUPGHOME"
+mkdir -p -m 0700 "$GNUPGHOME"
gpg --no-tty --import <$NOTMUCH_SRCDIR/test/gnupg-secret-key.asc
>"$GNUPGHOME"/import.log 2>&1
test_debug "cat $GNUPGHOME/import.log"
if (gpg --quick-random --version >/dev/null 2>&1) ; then
@@ -132,10 +132,10 @@ add_gnupg_home ()
add_gpgsm_home ()
{
local fpr
-[ -d "$GNUPGHOME" ] && return
+[ -e "$GNUPGHOME/gpgsm.conf" ] && return
_gnupg_exit () { gpgconf --kill all 2>/dev/null || true; }
at_exit_function _gnupg_exit
-mkdir -m 0700 "$GNUPGHOME"
+mkdir -p -m 0700 "$GNUPGHOME"
openssl pkcs12 -export -passout pass: -inkey
"$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \
< "$NOTMUCH_SRCDIR/test/smime/test.crt" | \
gpgsm --batch --no-tty --no-common-certs-import
--pinentry-mode=loopback --passphrase-fd 3 \
--
2.26.2
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
[PATCH 08/15 v2] tests/smime: include secret key material for Bob
This is taken from the same Internet Draft that test/smime/ca.crt comes from. See that draft for more details. https://www.ietf.org/id/draft-dkg-lamps-samples-02.html#name-pkcs12-object-for-bob We don't use it yet, but it will be used to decrypt other messages in the test suite. Note that we include it here with an empty passphrase, rather than with the passphrase "bob" that it is supplied with in the I-D. The underlying cryptographic material is the same, but this way we can import cleanly into gpgsm without having a passphrase set on it (gpgsm converts an empty-string passphrase into no passphrase at all on import). Signed-off-by: Daniel Kahn Gillmor --- test/smime/bob.p12 | 58 ++ test/test-lib.sh | 2 ++ 2 files changed, 60 insertions(+) create mode 100644 test/smime/bob.p12 diff --git a/test/smime/bob.p12 b/test/smime/bob.p12 new file mode 100644 index ..774c77d0 --- /dev/null +++ b/test/smime/bob.p12 @@ -0,0 +1,58 @@ +-BEGIN PKCS12- +MIIKWAIBAzCCCh4GCSqGSIb3DQEHAaCCCg8EggoLMIIKBzCCBGcGCSqGSIb3DQEH +BqCCBFgwggRUAgEAMIIETQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQICE8J +3kMad9UCAggAgIIEIPvHjK0eRQrnowMUsz1z1x/IxslNvG6DjPZjNHCkNYYmiRsg +Leu5nqKf4emWVvYpnlh+4Gql7pyJm3G3zSNhobPkW+P1Eh80tTBoUk7TIvvvmtrE +YEc/nRR1p1MgjISq4Q/CM6ccCCw6YEiQcj/0mSS7gmHUegD5glcWbVuqAT8M/p1z +98OP3z37G8ARRLNj1yyp0SVlt59Sx3WNbmYBqkQ96iukjMJvmjV7o6BFYUx46Llb +tphhdRgKXbK2r1R0TUlvE659TUwlrpGlaFpaGj1kLdzVAnjh1ZWnWO2a2BSj0LzG +qRyiLwqDFPLJLQEckfV+RPWiRrSewME8URNKdk6eewtHdhrehMo4ZJnOIum8qcSz +giW61SSyZJsFvILpmMYghIxWmPd/8cNIHBrdFEa7z3QKh5jcJNTCxz6yO9f8F830 +d+WDK7DbGkUW4mVTGg/lEYnCFZDF6S1mr0hx+cew1FbKjLpxfQllIIrLf5d2BF8H +0STpuylQDVVBFdTRHyeS6td5nulANgOProrRzy3aAKQmZ6iullKl+i2t/2TwfVP/ +gG+yszpOEf8U9txuvbiZ7j4XV158zdaaGiduDqMKLOvbdctwHAsR9ecx5C3NTRDl +ZlttNoXN9zhT4CkWk1w4sFk2KUurjVraIcjWVT7yOreaaK+6N09M0tnLPDJDTrow +8WwP/rZhA+t+CMrhqkFBxXsyo5VTM0jWJGO/NLpYXPhDPBsRq8rs1OCrUoVr34aR +cpUTNhyXkvJUarWDHs88lg0ps0G9/1dXI1AbEsQQg8u+QT2ztGYrg2OQxQyi1Mo4 +u/FkAcEbtlYYLmJjj/S2qVRPJgBALVjw9k5hnYRdAXWVDCJ96PMn1SKORvlMxnZ7 +djlhaztOhTLsiDzywVDYWLvQElunWcAGeDZykWNytwcEagc0VjWKHMibc0JOZQ1T +crGyOzTlt09xHj1NrItYefIwdtKuJfkAh03B5xI6rJ9ZbK9xidcVxyeRX0lEqdo9 +WHQrhHefAmeyo0TlfsN67kFDp5FLpwEtNaN0lyzpkl30aWZdtP5vkvtfmy5ugYIO +bXoVa+tO6k5V/VfUFUKdaY7xAX7XRzUUg4jB0D0CuaX+YS+GL+5wuQwIY1y2ihBb +CuCxlcP1lVEU4CVQba60VTudJtWyE7QpPhf+y81f1wRjwIihFvwzpUFWf8JVEppe +v3Yot3OWGBmhEqLkC9LELth8o5gLfyYHaXTYNd9aRTiI+0ZC5U3O4wUwYLTG3exM +rIDTzEMk/p4DYIHkNKVUiRJfGYdAwuRxf3IMcYWARTXlSzl1C3hWmZfvTPlKs1bB +OHTHP/P+qdOFjxOh+fbyqXPJauBAhHvHgrp3iI6t834wJou26oWNihM7OnWuyQRt +9DVxG4l+1VjtbQZfTDCCBZgGCSqGSIb3DQEHAaCCBYkEggWFMIIFgTCCBX0GCyqG +SIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAjqo0x2p5SqLAICCAAE +ggTIe6Ws+lu0CoNlCXGM2BEPV09wuRHTJe+KnesrmRbXPF9linG3d6G++tTkBHz/ +yr77/DV5aDYciV1pGAbLuX2lMwuqdxzJ4OBPBAjuX5H+IPRaTbxfHYYIwhG8oZzy +aHyVhHr9j0h7lzW7xSTYJuBNEJ58L42dfzpNRw9dyRPmcuhZqW14Z3xyDm8yjHfB +2p99y9/A4qSyJJSUM3O3nLdtIar3ktSTRAijgqq+s9wnsfozQRzWpYaqiRrdzwfO +HqXk54l3/lMSyLpfPl9LW7er6JbGI4jEyQ3x8WijATM5h/lkZKejh/mOaWCvs6G6 +fGzV4P35EsToYbOk9GX4jl4SyDBt3iEHYm5teDUhJmTcR39lAQuAfxN6rOn/TkoO +YLxtdD5DLiTfYZPCFyavLEsamr8A4p93torF6Rs7GsaHE6PmCcprzqx71KV0DZKv +tMY86RoiWPKLFxZcYt1yz9/95c1SO1s4i1GvLpJTEgQxLM2OhfEwDNKd2rMJoq1I +YIRPSP204dIVwwNdXN1vB2slhN2+/QMOqsEkWtTOpW2QoTGSze49hfmJGdu+91jd +XZBBMJQfY4q066/eE4IOW7ZZId5uMYxDRnGdEQjJsxyW8YHWLRGQvBC8gMkdbj8e +0wkXbe+jML7vG7t3hDhLEbj5sTquIMTWrTirPw4SxLCuGZAyJHFN3/nCaOSMFlCG +wEZHrAozgQXPBYU7p+uIkJ4lDc2ZtW8NM8U15gKZLDFfAE6Vg0jAtfFMqvNnX630 +xfo1z4jBd7VXbBFrPzrmvlTnb1XxNFcPycowzW9tgtN4YnNroCq98VpMC914tdpJ ++C/PI0eJ7M2ir3ajN0RabSm02JO9Hdwoa5OgqLwPYDwiFyQvKFGKqAF8Ph6pSEiZ +10OnH+DVgEY70A+Le+ZSDosMdrhZfHbCcIFitZJ3sYV/7Q118QckW3szcjmLHS5g +M6Whl2HhjLsAfsmCnoRlIwjx4g0TiuZcb4hGysq8QjD3Z8qqFK28m6OMHbASQfWg +U+Qg3vmEvVsnBxStFEIImS3QYQoaT0pk6zKUYsI/fOBnEgxsY0XwTfXzVw7hZDct +yhNIQVWmfgVZwUw0wLoNu3A5hupjUwQzQr4TPnKkFPI8qHmRrJgP8EA0U0019y3W +MlK0h/LAJEaUBS0goLJCJ8+1EWr6femjnyuU5hMizOm+3j0JexjWz5TQttioS7Q/ +vcxt5pA9yAWQdH9j72saKEoKmDi+kIPr4mimKJz99LhKp9A6Hj0f1P2V3As8JWyW +ZKmJKW7qMMCFADlALolobqzA60j6Zeo5jiEj/j2lVlUPPz47WO+uKeb+rx+hgTUc +Xrhq0+an5tvEXt/8wy3PJFqP+qqHGhOIuPLuhqPyzNowuXirIXsiWnI44/X48W91 +HPEoL3xaebQ6oyTP8dI4CCkkHgiLWL5mskjHMEXvcdR6k0ygmu8DGQCPfUweUZqZ +wfkhD/jwbVpLR5Y3chpatW0cJ2bsAWdxwtuxF05+fVEePUsR0x+2/v/8eDEHKYwt +aYlAhI48nyrKKVMmqvqcXnzmJlUaq05GnEcglFbv4MUExL7CxClls6QnVNiZFPrV +ffVsYT2A300xrm4pan89n3nuavjJn7L1JJdmMXwwVQYJKoZIhvcNAQkUMUgeRgBH +AG4AdQBQAEcAIABlAHgAcABvAHIAdABlAGQAIABjAGUAcgB0AGkAZgBpAGMAYQB0 +AGUAIAA0ADIAYgBiADIANAAwADYwIwYJKoZIhvcNAQkVMRYEFGaI9k+ZdE9/rxBZ +4rSdH1BCuyQGMDEwITAJBgUrDgMCGgUABBRJfL4XyIHpXmjbziCGCbSAOK9jKgQI +drOMeIgXcCYCAggA +-END PKCS12- diff --git a/test/test-lib.sh b/test/test-lib.sh index 1baa2d20..cb5bb894 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -145,6 +145,8 @@ add_gpgsm_home () gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt echo "4D:
[PATCH 03/15 v2] tests/smime: Include the Sample LAMPS Certificate Authority
This CA is useful for test suites and the like, but is not an actually-secure CA, because its secret key material is also published. I plan to use it for its intended purpose in the notmuch test suite. It was copied from this Internet Draft: https://tools.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi Signed-off-by: Daniel Kahn Gillmor --- test/smime/README | 2 ++ test/smime/ca.crt | 20 test/test-lib.sh | 2 ++ 3 files changed, 24 insertions(+) create mode 100644 test/smime/ca.crt diff --git a/test/smime/README b/test/smime/README index 46211922..6f276398 100644 --- a/test/smime/README +++ b/test/smime/README @@ -5,3 +5,5 @@ key+cert.pem: cert + unencryped private % gpgsm --import test.crt % gpgsm --export-private-key-p12 -out foo.p12 (no passphrase) % openssl pkcs12 -in ns.p12 -clcerts -nodes > key+cert.pem + +ca.crt: from https://tools.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi diff --git a/test/smime/ca.crt b/test/smime/ca.crt new file mode 100644 index ..b33d087f --- /dev/null +++ b/test/smime/ca.crt @@ -0,0 +1,20 @@ +-BEGIN CERTIFICATE- +MIIDLTCCAhWgAwIBAgIULXcNXGI2bZp38sV7cF6VcQfnKDwwDQYJKoZIhvcNAQEN +BQAwLTErMCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0 +eTAgFw0xOTExMjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowLTErMCkGA1UEAxMi +U2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMUfZ8+NYSh6h36zQcXBo5B6ficAcBJ1f3aLxyN8 +QXB83XuP8aDRWQ9uJvJpQkWVH4zx96/E/zI0t0lDMYtZNqra16h+gxbHJgoq2pRw +RCOiyYu/p2vzvvZ1dtFTMc/mIigjA/73kokui62j1EFy//fNVIihkVS3rAweq+fI +8qJHSMhdc2aYa9wOP0eGe/HTiDYgT4L4f2HTGMGGwQgj1vub0gpR4YHmNqr0GyEA +63mHUQUZpnmN1FEl+nVFA5Ntu4uF++qf/tkTji89/eXYBdKX2yUdTeTIKoCI65IL +EXxezjTc8aFjf/8E0aWGVZR/DtCsjWOh/s/mV7n/YPyb4+ECAwEAAaNDMEEwDwYD +VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBS3Uk1zwIg9 +ssN6WgzzlPf3gKJ32zANBgkqhkiG9w0BAQ0FAAOCAQEALsU91Bmhc6EgCNr7inY2 +2gYPnosJ+kZ1eC0hvHIK9e0Tx74RmhTOe8M2C9YXQKehHpRaX+DLcjup6scoH/bT +u0THbmzeOy29TTiFcyV9BK+SEKQWW4s98Fwdk9fPWcflHtYvqxjooAV3vHbt6Xmp +KrKDz/jdg7t0ptI4zSqAf3wNppiJoswlOHBUnH2W1MIYkWQ4jYj5socblVlklHOr +ykKUiEZAbjU+C1+0FhT4HgLjBB9R4H1H0JRKsggWiZBBJ6UpN0dTN4iD0mDVa0jy +sJqqWnIViy/xaSDcNaWJmU3o2KmkMkdpinoJ5uLkAHQqXjFaujdU1PkufeA7v3uG +Rw== +-END CERTIFICATE- diff --git a/test/test-lib.sh b/test/test-lib.sh index d4fcea5a..1ffedb25 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -139,6 +139,8 @@ add_gpgsm_home () gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1 fpr=$(gpgsm --batch --list-key test_su...@notmuchmail.org | sed -n 's/.*fingerprint: //p') echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt +gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt +echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" test_debug "cat $GNUPGHOME/import.log" } -- 2.26.2 ___ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch
Re: [PATCH 15/15] tests: disable CRL checks from gpgsm
On Wed 2020-04-29 23:12:33 +0300, Tomi Ollila wrote: > Rest of the series look tolerable to me. That one missing > "inconsistent quotes" is inconsistent with added quotes > in one of the changes in previous email (which just did that) > > Otherwise OK (provided that tests pass) > (except that https://www.ietf.org/id/draft-dkg-lamps-samples-01.html > if not found (by me either, like David) I've updated the series to address Tomi's quote inconsistency points, and to repoint the URL in the commit message to the tools.ietf.org address (which will continue to host expired drafts, unlike www.ietf.org). It's on the "smime-tests" branch on https://gitlab.com/dkg/notmuch.git I'll send the three updated patches to the list here as well. --dkg signature.asc Description: PGP signature ___ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch
Re: [PATCH 07/15] test: Allow tests to have both gpg and gpgsm active at once
On Wed 2020-04-29 23:02:19 +0300, Tomi Ollila wrote:
> On Tue, Apr 28 2020, Daniel Kahn Gillmor wrote:
>
>> Without this fix, we couldn't run both add_gnupg_home and
>> add_gpgsm_home in the same test script.
>>
>> Signed-off-by: Daniel Kahn Gillmor
>> ---
>> test/test-lib.sh | 8
>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/test/test-lib.sh b/test/test-lib.sh
>> index ac1b9315..d9997b27 100644
>> --- a/test/test-lib.sh
>> +++ b/test/test-lib.sh
>> @@ -110,10 +110,10 @@ unset ALTERNATE_EDITOR
>> add_gnupg_home ()
>> {
>> local output
>> -[ -d ${GNUPGHOME} ] && return
>> +[ -e ${GNUPGHOME}/gpg.conf ] && return
>
> So far so good (except perhaps David's comment not "url" not found)
>
> But here this change could include "consistently quoted" variable
> (or/and have it done in that one commit earlier...)
agreed, quoting this would be good.
--dkg
signature.asc
Description: PGP signature
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
Re: Inconsistencies in handling command flags: `--flag=value` different than `--flag value`
On Wed 2020-04-29 08:33:24 -0700, Jameson Graef Rollins wrote: > On Tue, Apr 28 2020, Daniel Kahn Gillmor wrote: >> One final way we could normalize everything and make it less >> idiosyncratic, with shorter, simpler man pages: deprecate and then drop >> the --booloption/--no-booloption mechanisms, requiring --booloption=true >> or --booloption=false instead. Once they're dropped, allow whitespace >> between "--booloption true" and "--booloption false" just like every >> other type of option. > > Or we could just use only --booloption/--no-booloption... I'd be sad about that, because it seems like a pretty idiosyncratic thing to have options of a certain type behave so differently from others. we've seen boolean options turn into non-boolean options in the past, and changing the syntax of how they're invoked when that happens feels ugly (though i guess this is at least in part an aesthetic preference). --dkg signature.asc Description: PGP signature ___ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch
Re: [PATCH 08/15] tests/smime: include secret key material for Bob
On Wed 2020-04-29 23:05:03 +0300, Tomi Ollila wrote: > Now that I started w/ consistenly quotes -- "$NOTMUCH_SRCDIR/..." > > Or maybe not, is this variable consistently unquoted -- or something ;) there are lots of places where NOTMUCH_SRCDIR is unquoted, and some where it is. I guess i should probably not introduce any more unquoted instances, though. I'll try to fix that. --dkg signature.asc Description: PGP signature ___ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch
Re: [PATCH 03/15] tests/smime: Include the Sample LAMPS Certificate Authority
On Tue 2020-04-28 22:43:10 -0300, David Bremner wrote: > Daniel Kahn Gillmor writes: > >> This CA is useful for test suites and the like, but is not an >> actually-secure CA, because its secret key material is also published. >> >> I plan to use it for its intended purpose in the notmuch test suite. >> >> It was copied from this Internet Draft: >> >> https://www.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi > > This page is not found for me. hm, it has been superceded by https://www.ietf.org/id/draft-dkg-lamps-samples-02.html#name-certificate-authority-certi (which has the same content for the relevant section). the IETF tools interface also has a non-expiring version of the drafts: https://tools.ietf.org/id/draft-dkg-lamps-samples-02.html#name-certificate-authority-certi feel free to amend the commit message if that would help. --dkg signature.asc Description: PGP signature ___ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch
