* Decoding application/x-pkcs7-mime?
@ 2008-09-15 14:24 Norman Walsh
2008-09-16 8:15 ` Steinar Bang
2008-09-16 8:51 ` David Engster
0 siblings, 2 replies; 9+ messages in thread
From: Norman Walsh @ 2008-09-15 14:24 UTC (permalink / raw)
To: ding
[-- Attachment #1: Type: text/plain, Size: 699 bytes --]
One of my colleagues has started sending mail signed as follows:
  Content-Type: application/x-pkcs7-mime;smime-type=signed-data;name=smime.p7m;
      smime-type=signed-data;
      name="smime.p7m"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment;
      filename="smime.p7m"
  Content-class: urn:content-classes:message
Which, alas, I see as a base64 blob. Can someone point me to the
instructions for setting up gnus to automatically decode this, please?
Be seeing you,
norm
--
Norman Walsh <ndw@nwalsh.com> | Everything the same; everything
http://nwalsh.com/ | distinct.
[-- Attachment #2: Type: application/pgp-signature, Size: 185 bytes --]
* Re: Decoding application/x-pkcs7-mime?
2008-09-15 14:24 Decoding application/x-pkcs7-mime? Norman Walsh
@ 2008-09-16 8:15 ` Steinar Bang
2008-09-16 8:23 ` Steinar Bang
2008-09-16 8:51 ` David Engster
1 sibling, 1 reply; 9+ messages in thread
From: Steinar Bang @ 2008-09-16 8:15 UTC (permalink / raw)
To: ding
>>>>> Norman Walsh <ndw@nwalsh.com>:
> One of my colleagues has started sending mail signed as follows:
> Content-Type: application/x-pkcs7-mime;smime-type=signed-data;name=smime.p7m;
[snip!]
> Which, alas, I see as a base64 blob. Can someone point me to the
> instructions for setting up gnus to automatically decode this, please?
Hmm... grepping through the Gnus source, file mm-decode.el lists
"x-pkcs7-mime" in the variables mm-inline-media-tests, in
mm-inlined-types, in mm-automatic-display, in
mm-attachment-override-types and in the function
mm-possibly-verify-or-decrypt.
So I'm guessing there is support for handling this in Gnus.
Could there be some MIME header errors in the message you receive?
(something obscure like a LF where there should be CR LF, perhaps?)
Do you have any changes to mm-automatic-display? (I used to have a
removal of "text/html" that is now taken over by adding "text/html" to
mm-discouraged-alternatives)
* Re: Decoding application/x-pkcs7-mime?
2008-09-16 8:15 ` Steinar Bang
@ 2008-09-16 8:23 ` Steinar Bang
0 siblings, 0 replies; 9+ messages in thread
From: Steinar Bang @ 2008-09-16 8:23 UTC (permalink / raw)
To: ding
>>>>> Steinar Bang <sb@dod.no>:
> Hmm... grepping through the Gnus source, file mm-decode.el lists
> "x-pkcs7-mime" in the variables mm-inline-media-tests, in
> mm-inlined-types, in mm-automatic-display, in
> mm-attachment-override-types and in the function
> mm-possibly-verify-or-decrypt.
Simon wrote that stuff back in 2001, annotate tells me, and he's still
around. :-)
* Re: Decoding application/x-pkcs7-mime?
2008-09-15 14:24 Decoding application/x-pkcs7-mime? Norman Walsh
2008-09-16 8:15 ` Steinar Bang
@ 2008-09-16 8:51 ` David Engster
2008-09-16 9:23 ` Rupert Swarbrick
2008-09-17 7:16 ` Daiki Ueno
1 sibling, 2 replies; 9+ messages in thread
From: David Engster @ 2008-09-16 8:51 UTC (permalink / raw)
To: ding
Norman Walsh <ndw@nwalsh.com> writes:
> One of my colleagues has started sending mail signed as follows:
>
>   Content-Type: application/x-pkcs7-mime;smime-type=signed-data;name=smime.p7m;
>       smime-type=signed-data;
>       name="smime.p7m"
>   Content-Transfer-Encoding: base64
>   Content-Disposition: attachment;
>       filename="smime.p7m"
>   Content-class: urn:content-classes:message
This looks like signed and encrypted? A purely signed message usually
has a part
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
Anyway. Do you have something like
(add-to-list 'gnus-newsgroup-variables '(gnus-buttonized-mime-types . '("multipart/encrypted" "multipart/signed" "multipart/alternative")))
(setq mm-decrypt-option 'always)
(setq mm-verify-option 'always)
in your .gnus?
Some time ago, I've written up my quest to get S/MIME to work in Gnus on
the EmacsWiki:
http://www.emacswiki.org/cgi-bin/wiki/GnusSMIME
I guess this is not up-to-date anymore, but it might still work. I also
remember trying to use EPG and gnutls, but it didn't work at that
time. If someone successfully uses S/MIME with those, I'd love to see an
example setup.
-David
* Re: Decoding application/x-pkcs7-mime?
2008-09-16 8:51 ` David Engster
@ 2008-09-16 9:23 ` Rupert Swarbrick
2008-09-16 9:34 ` David Engster
2008-09-17 7:16 ` Daiki Ueno
1 sibling, 1 reply; 9+ messages in thread
From: Rupert Swarbrick @ 2008-09-16 9:23 UTC (permalink / raw)
To: ding
[-- Attachment #1.1: Type: text/plain, Size: 319 bytes --]
David Engster <deng@randomsample.de> writes:
> I guess this is not up-to-date anymore, but it might still work. I also
> remember trying to use EPG and gnutls, but it didn't work at that
> time. If someone successfully uses S/MIME with those, I'd love to see an
> example setup.
>
The following seems to work for me:
[-- Attachment #1.2: Type: application/emacs-lisp, Size: 185 bytes --]
[-- Attachment #1.3: Type: text/plain, Size: 274 bytes --]
Amazingly that seems to be all you need to do! (although you have to
install epg somewhere in your load path).
Erm, only thing is that my config is spread across quite a lot of files
in a directory tree so I might have forgotten something... but I think
that's it!
Rupert
[-- Attachment #2: Type: application/pgp-signature, Size: 314 bytes --]
* Re: Decoding application/x-pkcs7-mime?
2008-09-16 9:23 ` Rupert Swarbrick
@ 2008-09-16 9:34 ` David Engster
2008-09-16 9:42 ` Rupert Swarbrick
0 siblings, 1 reply; 9+ messages in thread
From: David Engster @ 2008-09-16 9:34 UTC (permalink / raw)
To: ding
Rupert Swarbrick <rswarbrick@googlemail.com> writes:
> The following seems to work for me:
>;; Automatically sign
>(add-hook 'gnus-message-setup-hook 'mml-secure-message-sign-pgpmime)
>(add-hook 'gnus-message-setup-hook 'mml-secure-message-encrypt-pgpmime)
>
>(require 'epa-setup)
>
> Amazingly that seems to be all you need to do! (although you have to
> install epg somewhere in your load path).
Thanks, but I guess that's for PGP/MIME, not S/MIME?
-David
* Re: Decoding application/x-pkcs7-mime?
2008-09-16 8:51 ` David Engster
2008-09-16 9:23 ` Rupert Swarbrick
@ 2008-09-17 7:16 ` Daiki Ueno
2008-09-17 10:34 ` David Engster
1 sibling, 1 reply; 9+ messages in thread
From: Daiki Ueno @ 2008-09-17 7:16 UTC (permalink / raw)
To: ding
[-- Attachment #1: Type: text/plain, Size: 3223 bytes --]
>>>>> In <kz4p4giicc.fsf@kafka.physik3.gwdg.de>
>>>>> David Engster <deng@randomsample.de> wrote:
> I also remember trying to use EPG and gnutls, but it didn't work at
> that time. If someone successfully uses S/MIME with those, I'd love to
> see an example setup.
Well, S/MIME may have several different formats (see RFC2633 3.8). As
of now Gnus' gpgsm backend does not handle all of them. In summary:
* sign using multipart/signed - supported
* verify using multipart/signed - supported
* verify using application/x-pkcs7-mime - not supported
* encrypt using application/pkcs7-mime - supported
* decrypt using application/pkcs7-mime - not supported
Other combinations of operations and formats such as:
* sign using application/pkcs7-mime
* decrypt using application/octet-stream
are not even supported by the OpenSSL backend.
By the way, for those who are interested in playing around with gpgsm, I
wrote short instructions for setting up gpgsm with CAcert's client
certificates. After the setup, you can use it from Gnus with:
(setq mml-smime-use 'epg)
0. Install gpgsm, dirmngr, etc.
   I'm using the following packages from Debian:
     ii dirmngr 1.0.2-1 server for managing certificate revocation
     ii gnupg-agent 2.0.9-3 GNU privacy guard - password agent
     ii gpgsm 2.0.9-3 GNU privacy guard - S/MIME version
     ii iceweasel 3.0.1-1 lightweight web browser based on Mozilla
1. Create your client certificate with Firefox.
   1.1. Go to http://www.cacert.org and create an account.
   1.2. Login with the account and make your client certificate.
   1.3. Once the certificate is installed into the browser, you can
        export it with:
          Edit -> Preferences -> Advanced -> Encryption -> View Certificates ->
          Your Certificates -> Backup
        We will call the file `cacert.p12' hereafter.
2. Setup gpgsm to use your certificate.
   2.1. Start gpg-agent if it is not running.
          $ eval `gpg-agent --daemon --sh`
   2.2. Import the certificate into the gpgsm's keyring.
          $ gpgsm --import cacert.p12
          $ gpgsm --list-keys
   2.3. Import CRL for the root certificate.
          $ gpgsm --dump-keys cacert | grep crlDP
          crlDP: https://www.cacert.org/revoke.crl
          $ wget -O ~/revoke.crl https://www.cacert.org/revoke.crl
          $ gpgsm --call-dirmngr loadcrl ~/revoke.crl
   2.4. Mark the CA certificate as trusted.
        Add the following line to ~/.gnupg/trustlist.txt.
          135CEC36F49CB8E93B1AB270CD80884676CE8F33 S
        The first column is the fingerprint of the root certificate (see
        the output of `gpgsm --list-keys').
   2.5. Try to create a digital signature with gpgsm.
          $ echo test test test > test.txt
          $ gpgsm -u 0xE4438BB4 --output test.txt.sig --sign test.txt
        0xE4438BB4 is the keygrip of your certificate (see the output of
        `gpgsm --list-keys').
          $ gpgsm --output - --verify test.txt.sig
          test test test
          gpgsm: Signature made 2008-09-17 06:23:52 using certificate ID 0xE4438BB4
          gpgsm: Good signature from "/CN=CAcert WoT User/EMail=ueno@unixuser.org"
          gpgsm: aka "ueno@unixuser.org"
Regards,
--
Daiki Ueno
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 1695 bytes --]
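The S/MIME formats listed in the message above can be told apart from the MIME headers alone. The following Python sketch is an added example, not part of the original thread and not Gnus code: it classifies a message as detached-signed, opaque-signed or encrypted. Treating the `x-` content types as equivalent to the registered ones is an assumption of this example, and both sample messages are constructed.

```python
from email import message_from_string

# Constructed sample: the header block quoted in the first message of the
# thread (duplicated parameters included), with a placeholder body.
OPAQUE = (
    "Content-Type: application/x-pkcs7-mime;smime-type=signed-data;name=smime.p7m;\n"
    "\tsmime-type=signed-data;\n"
    '\tname="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "MIIB\n"
)
# Constructed sample: a detached signature that uses the x- content type.
DETACHED = (
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";\n'
    '\tmicalg=sha1; boundary="b1"\n'
    "\n"
    "--b1\nContent-Type: text/plain\n\nhello\n"
    '--b1\nContent-Type: application/x-pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n\nMIIB\n--b1--\n"
)

def _norm(ctype):
    # Assumption of this example: application/x-pkcs7-* is handled like
    # the registered application/pkcs7-* type.
    return ctype.lower().replace("application/x-pkcs7-", "application/pkcs7-")

def classify(raw):
    """Return the S/MIME format of a raw message, judged from headers only."""
    msg = message_from_string(raw)
    ctype = _norm(msg.get_content_type())
    if ctype == "multipart/signed":
        proto = _norm(str(msg.get_param("protocol", "")))
        parts = msg.get_payload() if msg.is_multipart() else []
        has_sig = any(_norm(p.get_content_type()) == "application/pkcs7-signature"
                      for p in parts)
        if proto == "application/pkcs7-signature" and has_sig:
            return "detached-signature"
        return "multipart/signed, not S/MIME"
    if ctype == "application/pkcs7-mime":
        # smime-type separates signed-data (content readable only after
        # unwrapping the PKCS#7 blob) from enveloped-data (encrypted).
        kind = str(msg.get_param("smime-type", "")).lower()
        return {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted",
                "certs-only": "certs-only"}.get(kind, "pkcs7-mime, unrecognised smime-type")
    return "not S/MIME"

if __name__ == "__main__":
    print(classify(OPAQUE), "/", classify(DETACHED))
```
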
* Re: Decoding application/x-pkcs7-mime?
2008-09-17 7:16 ` Daiki Ueno
@ 2008-09-17 10:34 ` David Engster
0 siblings, 0 replies; 9+ messages in thread
From: David Engster @ 2008-09-17 10:34 UTC (permalink / raw)
To: ding
[-- Attachment #1: Type: text/plain, Size: 1730 bytes --]
Daiki Ueno <ueno@unixuser.org> writes:
> Well, S/MIME may have several different formats (see RFC2633 3.8). As
> of now Gnus' gpgsm backend does not handle all of them. In summary:
>
> * sign using multipart/signed - supported
> * verify using multipart/signed - supported
> * verify using application/x-pkcs7-mime - not supported
> * encrypt using application/pkcs7-mime - supported
> * decrypt using application/pkcs7-mime - not supported
>
> Other combinations of operations and formats such as:
>
> * sign using application/pkcs7-mime
> * decrypt using application/octet-stream
>
> are not even supported by the OpenSSL backend.
Thank you for that overview.
> By the way, for those who are interested in playing around with gpgsm, I
> wrote short instructions for setting up gpgsm with CAcert's client
> certificates. After the setup, you can use it from Gnus with:
>
> (setq mml-smime-use 'epg)
>
> 0. Install gpgsm, dirmngr, etc.
[...]
This works! Thank you for that HOWTO, it is very helpful.
As you state above, signing and verifying with multipart/signed works
without problems. I can also encrypt, but not decrypt with
application/pkcs7-mime.
I only noted one problem: I often get signed mails which have a protocol
"application/x-pkcs7-signature", instead of
"application/pkcs7-signature". I usually get those "x-pkcs7-signature"
from people using MS Exchange. It isn't even mentioned in the RFC - is
this a standard? Otherwise, they don't seem to be different in any way
from those messages with a "pkcs7-signature" part.
Anyway, I attached a patch for mml-smime.el which also checks for
"x-pkcs7-signature". I'm not familiar with this part of Gnus, so
I'd appreciate any comments regarding this issue.
Regards,
David
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: mml-smime-x-pkcs7-patch.diff --]
[-- Type: text/x-diff, Size: 696 bytes --]
--- mml-smime.el.~7.23.~ 2008-05-19 10:47:42.000000000 +0200
+++ mml-smime.el 2008-09-17 11:56:12.000000000 +0200
@@ -520,10 +520,14 @@
ctl 'protocol)
"application/pkcs7-signature")
t)))
- (null (setq signature (mm-find-part-by-type
- (cdr handle)
- "application/pkcs7-signature"
- nil t))))
+ (null (setq signature (or (mm-find-part-by-type
+ (cdr handle)
+ "application/pkcs7-signature"
+ nil t)
+ (mm-find-part-by-type
+ (cdr handle)
+ "application/x-pkcs7-signature"
+ nil t)))))
(mm-set-handle-multipart-parameter
mm-security-handle 'gnus-info "Corrupted")
(throw 'error handle))
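Review bot: the unchanged context at the top of the hunk still names only "application/pkcs7-signature" next to the 'protocol lookup, while the new `or` accepts "application/x-pkcs7-signature" for the signature part; check that a multipart/signed message whose protocol parameter carries the x- form passes that first test as well, otherwise the two checks disagree about which messages are valid. The two `mm-find-part-by-type` calls differ only in the type string, so iterating over a short list of accepted types, with a comment that the x- form is the one the message above reports seeing from MS Exchange senders, would remove the duplication and make a further variant a one-line change.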