Gnus development mailing list
* Accepting x-pkcs7-signature
@ 2010-07-22 21:11 David Engster
  2010-07-23  8:53 ` Daiki Ueno
  0 siblings, 1 reply; 6+ messages in thread
From: David Engster @ 2010-07-22 21:11 UTC (permalink / raw)
  To: ding

I still have this old patch lying around, which lets Gnus accept
signatures with an x-pkcs7-signature MIME type, instead of just
"pkcs7-signature". Though RFC 2311 declares this as

C.1 Early MIME Types

   Some early implementations of S/MIME agents used the following MIME
   types: [...] application/x-pkcs7-signature [...] 
   In each case, the "x-" subtypes correspond to the subtypes described
   in this document without the "x-".

a quick look through my inbox actually shows more messages with those
"x-pkcs" types than plain "pkcs"; seems to be some kind of Exchange
thingy, so this will likely not change soon...

Does anyone see a problem with this patch?

--- mml-smime.el.~7.23.~	2008-05-19 10:47:42.000000000 +0200
+++ mml-smime.el	2008-09-17 11:56:12.000000000 +0200
@@ -520,10 +520,14 @@
 					   ctl 'protocol)
 					  "application/pkcs7-signature")
 				  t)))
-		(null (setq signature (mm-find-part-by-type
-				       (cdr handle)
-				       "application/pkcs7-signature"
-				       nil t))))
+		(null (setq signature (or (mm-find-part-by-type
+					   (cdr handle)
+					   "application/pkcs7-signature"
+					   nil t)
+					  (mm-find-part-by-type
+					   (cdr handle)
+					   "application/x-pkcs7-signature"
+					   nil t)))))
 	(mm-set-handle-multipart-parameter
 	 mm-security-handle 'gnus-info "Corrupted")
 	(throw 'error handle))
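
Review bot: the two `mm-find-part-by-type` calls in the added `or` differ only in the type string, and nothing at that spot says why the second name is accepted. A short comment citing RFC 2311 appendix C.1 above the "application/x-pkcs7-signature" branch would keep a later cleanup from dropping it, and looping over a small list of accepted type strings would avoid repeating the `(cdr handle)` and `nil t` arguments if further legacy names are added.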


Regards,
David




* Re: Accepting x-pkcs7-signature
  2010-07-22 21:11 Accepting x-pkcs7-signature David Engster
@ 2010-07-23  8:53 ` Daiki Ueno
  2010-07-23 10:32   ` David Engster
  0 siblings, 1 reply; 6+ messages in thread
From: Daiki Ueno @ 2010-07-23  8:53 UTC (permalink / raw)
  To: ding

Hi David,

David Engster <deng@randomsample.de> writes:

> I still have this old patch lying around, which lets Gnus accept
> signatures with an x-pkcs7-signature MIME type, instead of just
> "pkcs7-signature".

Agreed.

> Does anyone see a problem with this patch?

I admittedly have not tested it yet, but:

> --- mml-smime.el.~7.23.~	2008-05-19 10:47:42.000000000 +0200
> +++ mml-smime.el	2008-09-17 11:56:12.000000000 +0200
> @@ -520,10 +520,14 @@
>  					   ctl 'protocol)
>  					  "application/pkcs7-signature")

^^ this line should also be changed to accept "x-pkcs7-signature"?

>  				  t)))
> -		(null (setq signature (mm-find-part-by-type
> -				       (cdr handle)
> -				       "application/pkcs7-signature"
> -				       nil t))))
> +		(null (setq signature (or (mm-find-part-by-type
> +					   (cdr handle)
> +					   "application/pkcs7-signature"
> +					   nil t)
> +					  (mm-find-part-by-type
> +					   (cdr handle)
> +					   "application/x-pkcs7-signature"
> +					   nil t)))))
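
Review bot: in the added `or`, the subtype that is accepted is not tied to the value read by `ctl 'protocol` in the context lines at the top of the hunk, so within these lines a signature part under either name is taken regardless of which name the header declares. If that leniency is intended, a comment saying so would help; otherwise compare the part's type against the declared value, treating the two spellings as equal.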

Regards,
-- 
Daiki Ueno




* Re: Accepting x-pkcs7-signature
  2010-07-23  8:53 ` Daiki Ueno
@ 2010-07-23 10:32   ` David Engster
  2010-07-23 14:57     ` Daiki Ueno
  0 siblings, 1 reply; 6+ messages in thread
From: David Engster @ 2010-07-23 10:32 UTC (permalink / raw)
  To: ding

Daiki Ueno writes:
> David Engster <deng@randomsample.de> writes:
>> Does anyone see a problem with this patch?
>
> I admittedly have not tested it yet, but:
>
>> --- mml-smime.el.~7.23.~	2008-05-19 10:47:42.000000000 +0200
>> +++ mml-smime.el	2008-09-17 11:56:12.000000000 +0200
>> @@ -520,10 +520,14 @@
>>  					   ctl 'protocol)
>>  					  "application/pkcs7-signature")
>
> ^^ this line should also be changed to accept "x-pkcs7-signature"?

The full sexp is this:

 (setq part (mm-find-raw-part-by-type
				  ctl (or (mm-handle-multipart-ctl-parameter
					   ctl 'protocol)
					  "application/pkcs7-signature")
				  t)))

So I thought this would just be used as a fallback?

BTW, since I'm slowly migrating from openssl to gpgsm and therefore
GnuPG v2, I hope you don't mind me hijacking this thread and asking some
further questions regarding EPG. I have an encrypted authinfo.gpg file,
containing several different credentials for different servers. Since
gpgsm requires me to use gpg-agent, decrypting authinfo.gpg at startup
is now handled using the agent, since EPG will automatically detect that
there's one running.

Without the agent and GnuPG v1, I was only asked once at start-up for
the password (using epa-file-cache-passphrase-for-symmetric-encryption),
now I get queried for each server I might(!) need credentials for. Is
there some way to avoid that? I know I could somehow use public key
encryption for this, but to me this seems a bit excessive for such a
small task. I'd already be happy if I could get EPG to just use gpgv1
without the agent for encrypted files, but it seems this is not
possible?

Also, do you know of any way to let Emacs communicate with one of
gpg-agent's pinentry programs? I found a message from you regarding that
issue from '08, so I wonder if you made any progress on that front.

Regards,
David




* Re: Accepting x-pkcs7-signature
  2010-07-23 10:32   ` David Engster
@ 2010-07-23 14:57     ` Daiki Ueno
  2010-07-23 18:13       ` David Engster
  0 siblings, 1 reply; 6+ messages in thread
From: Daiki Ueno @ 2010-07-23 14:57 UTC (permalink / raw)
  To: ding

David Engster <deng@randomsample.de> writes:

>>>  					   ctl 'protocol)
>>>  					  "application/pkcs7-signature")
>>
>> ^^ this line should also be changed to accept "x-pkcs7-signature"?
>
> The full sexp is this:
>
>  (setq part (mm-find-raw-part-by-type
> 				  ctl (or (mm-handle-multipart-ctl-parameter
> 					   ctl 'protocol)
> 					  "application/pkcs7-signature")
> 				  t)))
>
> So I thought this would just be used as a fallback?

Well, I looked at the following code and thought that PART was
signed material:

(setq plain (epg-verify-string context (mm-get-part signature) part)

Regards,
-- 
Daiki Ueno




* Re: Accepting x-pkcs7-signature
  2010-07-23 14:57     ` Daiki Ueno
@ 2010-07-23 18:13       ` David Engster
  2010-07-24  1:21         ` Daiki Ueno
  0 siblings, 1 reply; 6+ messages in thread
From: David Engster @ 2010-07-23 18:13 UTC (permalink / raw)
  To: ding

Daiki Ueno writes:
> David Engster <deng@randomsample.de> writes:
>
>>>>  					   ctl 'protocol)
>>>>  					  "application/pkcs7-signature")
>>>
>>> ^^ this line should also be changed to accept "x-pkcs7-signature"?
>>
>> The full sexp is this:
>>
>>  (setq part (mm-find-raw-part-by-type
>> 				  ctl (or (mm-handle-multipart-ctl-parameter
>> 					   ctl 'protocol)
>> 					  "application/pkcs7-signature")
>> 				  t)))
>>
>> So I thought this would just be used as a fallback?
>
> Well, I looked at the following code and thought that PART was
> signed material:
>
> (setq plain (epg-verify-string context (mm-get-part signature) part)

To be honest, I really have problems understanding what all that
'mm'-code does. It seems to me the HANDLE structure already has all the
information that's needed, including pointers to the buffers containing
the text and the detached signature, but somehow it extracts them
again. I also don't understand the above fallback for
"application/pkcs7-signature", since multipart/signed must have a
'protocol' parameter in the Content-Type anyway, otherwise it's just
broken.

Regards,
David
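
The two points raised in this thread (the RFC 2311 C.1 "x-" alias, and multipart/signed needing a `protocol` parameter) can be checked together before any signature verification runs. The following is an added example in Python, not Gnus code and not part of the original messages; the names `canonical`, `split_signed` and `sample` are hypothetical, the sample messages are constructed, and requiring the signature part to match the declared protocol after alias mapping is a choice of this example, stricter than the patch above.

```python
from email import message_from_string

# RFC 2311 C.1: the "x-" subtypes correspond to the subtypes without "x-".
LEGACY_ALIASES = {"application/x-pkcs7-signature": "application/pkcs7-signature"}


def canonical(mime_type):
    """Lower-case a MIME type and map the early "x-" name to the standard one."""
    mime_type = (mime_type or "").strip().lower()
    return LEGACY_ALIASES.get(mime_type, mime_type)


def split_signed(raw):
    """Return (signed_part, signature_part) or raise ValueError with the reason."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed")
    protocol = msg.get_param("protocol")
    if protocol is None:
        raise ValueError("multipart/signed without protocol parameter")
    if canonical(protocol) != "application/pkcs7-signature":
        raise ValueError("not an S/MIME signature protocol: " + protocol)
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        raise ValueError("expected exactly two body parts")
    signed, signature = parts
    # Assumption of this example: both spellings count as the same type.
    if canonical(signature.get_content_type()) != canonical(protocol):
        raise ValueError("signature part type does not match protocol")
    return signed, signature


def sample(sig_type, protocol_param):
    """Constructed test message; the signature body is a placeholder, not real CMS."""
    return (
        "MIME-Version: 1.0\n"
        f"Content-Type: multipart/signed;{protocol_param} micalg=sha1; boundary=\"b1\"\n"
        "\n--b1\nContent-Type: text/plain\n\nhello\n"
        f"--b1\nContent-Type: {sig_type}; name=\"smime.p7s\"\n"
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
    )
```
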




* Re: Accepting x-pkcs7-signature
  2010-07-23 18:13       ` David Engster
@ 2010-07-24  1:21         ` Daiki Ueno
  0 siblings, 0 replies; 6+ messages in thread
From: Daiki Ueno @ 2010-07-24  1:21 UTC (permalink / raw)
  To: ding

David Engster <deng@randomsample.de> writes:

> I also don't understand the above fallback for
> "application/pkcs7-signature", since multipart/signed must have a
> 'protocol' parameter in the Content-Type anyway, otherwise it's just
> broken.

Ah, sorry.  You are right and I was totally missing the point.
(I'm reading RFC2311 again after a long time :-)

Could you commit your original patch?

Regards,
-- 
Daiki Ueno



