Gnus development mailing list
* Decoding application/x-pkcs7-mime?
@ 2008-09-15 14:24 Norman Walsh
  2008-09-16  8:15 ` Steinar Bang
  2008-09-16  8:51 ` David Engster
  0 siblings, 2 replies; 9+ messages in thread
From: Norman Walsh @ 2008-09-15 14:24 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 699 bytes --]

One of my colleagues has started sending mail signed as follows:

  Content-Type: application/x-pkcs7-mime;smime-type=signed-data;name=smime.p7m;
  	smime-type=signed-data;
	name="smime.p7m"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment;
	filename="smime.p7m"
  Content-class: urn:content-classes:message

Which, alas, I see as a base64 blob. Can someone point me to the
instructions for setting up gnus to automatically decode this, please?

                                        Be seeing you,
                                          norm

-- 
Norman Walsh <ndw@nwalsh.com> | Everything the same; everything
http://nwalsh.com/            | distinct.

[-- Attachment #2: Type: application/pgp-signature, Size: 185 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Decoding application/x-pkcs7-mime?
  2008-09-15 14:24 Decoding application/x-pkcs7-mime? Norman Walsh
@ 2008-09-16  8:15 ` Steinar Bang
  2008-09-16  8:23   ` Steinar Bang
  2008-09-16  8:51 ` David Engster
  1 sibling, 1 reply; 9+ messages in thread
From: Steinar Bang @ 2008-09-16  8:15 UTC (permalink / raw)
  To: ding

>>>>> Norman Walsh <ndw@nwalsh.com>:

> One of my colleagues has started sending mail signed as follows:
>   Content-Type: application/x-pkcs7-mime;smime-type=signed-data;name=smime.p7m;
[snip!]

> Which, alas, I see as a base64 blob. Can someone point me to the
> instructions for setting up gnus to automatically decode this, please?

Hmm... grepping through the Gnus source, file mm-decode.el lists
"x-pkcs7-mime" in the variables mm-inline-media-tests, in
mm-inlined-types, in mm-automatic-display, in
mm-attachment-override-types and in the function
mm-possibly-verify-or-decrypt.

So I'm guessing there is support for handling this in Gnus.

Could there be some MIME header errors in the message you receive?
(something obscure like a LF where there should be CR LF, perhaps?)

Do you have any changes to mm-automatic-display?  (I used to have a
removal of "text/html" that is now taken over by adding "text/html" to
mm-discouraged-alternatives)





^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Decoding application/x-pkcs7-mime?
  2008-09-16  8:15 ` Steinar Bang
@ 2008-09-16  8:23   ` Steinar Bang
  0 siblings, 0 replies; 9+ messages in thread
From: Steinar Bang @ 2008-09-16  8:23 UTC (permalink / raw)
  To: ding

>>>>> Steinar Bang <sb@dod.no>:

> Hmm... grepping through the Gnus source, file mm-decode.el lists
> "x-pkcs7-mime" in the variables mm-inline-media-tests, in
> mm-inlined-types, in mm-automatic-display, in
> mm-attachment-override-types and in the function
> mm-possibly-verify-or-decrypt.

Simon wrote that stuff back in 2001 annotate tells me, and he's still
around. :-)




^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Decoding application/x-pkcs7-mime?
  2008-09-15 14:24 Decoding application/x-pkcs7-mime? Norman Walsh
  2008-09-16  8:15 ` Steinar Bang
@ 2008-09-16  8:51 ` David Engster
  2008-09-16  9:23   ` Rupert Swarbrick
  2008-09-17  7:16   ` Daiki Ueno
  1 sibling, 2 replies; 9+ messages in thread
From: David Engster @ 2008-09-16  8:51 UTC (permalink / raw)
  To: ding

Norman Walsh <ndw@nwalsh.com> writes:
> One of my colleagues has started sending mail signed as follows:
>
>   Content-Type: application/x-pkcs7-mime;smime-type=signed-data;name=smime.p7m;
>   	smime-type=signed-data;
> 	name="smime.p7m"
>   Content-Transfer-Encoding: base64
>   Content-Disposition: attachment;
> 	filename="smime.p7m"
>   Content-class: urn:content-classes:message

This looks like signed and encrypted? A purely signed message usually
has a part

Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

Anyway. Do you have something like

(add-to-list 'gnus-newsgroup-variables '(gnus-buttonized-mime-types . '("multipart/encrypted" "multipart/signed" "multipart/alternative")))
(setq mm-decrypt-option 'always)
(setq mm-verify-option 'always)

in your .gnus?

Some time ago, I've written up my quest to get S/MIME to work in Gnus on
the EmacsWiki:

http://www.emacswiki.org/cgi-bin/wiki/GnusSMIME

I guess this is not up-to-date anymore, but it might still work. I also
remember trying to use EPG and gnutls, but it didn't work at that
time. If someone successfully uses S/MIME with those, I'd love to see an
example setup.

-David



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Decoding application/x-pkcs7-mime?
  2008-09-16  8:51 ` David Engster
@ 2008-09-16  9:23   ` Rupert Swarbrick
  2008-09-16  9:34     ` David Engster
  2008-09-17  7:16   ` Daiki Ueno
  1 sibling, 1 reply; 9+ messages in thread
From: Rupert Swarbrick @ 2008-09-16  9:23 UTC (permalink / raw)
  To: ding


[-- Attachment #1.1: Type: text/plain, Size: 319 bytes --]

David Engster <deng@randomsample.de> writes:

> I guess this is not up-to-date anymore, but it might still work. I also
> remember trying to use EPG and gnutls, but it didn't work at that
> time. If someone successfully uses S/MIME with those, I'd love to see an
> example setup.
>

The following seems to work for me:


[-- Attachment #1.2: Type: application/emacs-lisp, Size: 185 bytes --]

[-- Attachment #1.3: Type: text/plain, Size: 274 bytes --]


Amazingly that seems to be all you need to do! (although you have to
install epg somewhere in your load path).

Erm, only thing is that my config is spread across quite a lot of files
in a directory tree so I might have forgotten something... but I think
that's it!

Rupert

[-- Attachment #2: Type: application/pgp-signature, Size: 314 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Decoding application/x-pkcs7-mime?
  2008-09-16  9:23   ` Rupert Swarbrick
@ 2008-09-16  9:34     ` David Engster
  2008-09-16  9:42       ` Rupert Swarbrick
  0 siblings, 1 reply; 9+ messages in thread
From: David Engster @ 2008-09-16  9:34 UTC (permalink / raw)
  To: ding

Rupert Swarbrick <rswarbrick@googlemail.com> writes:
> The following seems to work for me:
> ;; Automatically sign
> (add-hook 'gnus-message-setup-hook 'mml-secure-message-sign-pgpmime)
> (add-hook 'gnus-message-setup-hook 'mml-secure-message-encrypt-pgpmime)
>
> (require 'epa-setup)
>
> Amazingly that seems to be all you need to do! (although you have to
> install epg somewhere in your load path).

Thanks, but I guess that's for PGP/MIME, not S/MIME?

-David



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Decoding application/x-pkcs7-mime?
  2008-09-16  9:34     ` David Engster
@ 2008-09-16  9:42       ` Rupert Swarbrick
  0 siblings, 0 replies; 9+ messages in thread
From: Rupert Swarbrick @ 2008-09-16  9:42 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 169 bytes --]

David Engster <deng@randomsample.de> writes:
> Thanks, but I guess that's for PGP/MIME, not S/MIME?
>
> -David

... er that's a good point. Sorry for the noise!

Rupert

[-- Attachment #2: Type: application/pgp-signature, Size: 314 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Decoding application/x-pkcs7-mime?
  2008-09-16  8:51 ` David Engster
  2008-09-16  9:23   ` Rupert Swarbrick
@ 2008-09-17  7:16   ` Daiki Ueno
  2008-09-17 10:34     ` David Engster
  1 sibling, 1 reply; 9+ messages in thread
From: Daiki Ueno @ 2008-09-17  7:16 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 3223 bytes --]

>>>>> In <kz4p4giicc.fsf@kafka.physik3.gwdg.de> 
>>>>>	David Engster <deng@randomsample.de> wrote:

> I also remember trying to use EPG and gnutls, but it didn't work at
> that time. If someone successfully uses S/MIME with those, I'd love to
> see an example setup.

Well, S/MIME may have several different formats (see RFC2633 3.8).  As
of now Gnus' gpgsm backend does not handle all of them.  In summary:

* sign using multipart/signed - supported
* verify using multipart/signed - supported
* verify using application/x-pkcs7-mime - not supported
* encrypt using application/pkcs7-mime - supported
* decrypt using application/pkcs7-mime - not supported

Other combinations of operations and formats such as:

* sign using application/pkcs7-mime
* decrypt using application/octet-stream

are not even supported by the OpenSSL backend.

By the way, for those who are interested in playing around with gpgsm, I
wrote a short instruction to set up gpgsm with CAcert's client
certificates.  After the setup, you can use it from Gnus with:

(setq mml-smime-use 'epg)

0. Install gpgsm, dirmngr, etc.

   I'm using the following packages from Debian:

   ii  dirmngr        1.0.2-1        server for managing certificate revocation
   ii  gnupg-agent    2.0.9-3        GNU privacy guard - password agent
   ii  gpgsm          2.0.9-3        GNU privacy guard - S/MIME version
   ii  iceweasel      3.0.1-1        lightweight web browser based on Mozilla

1. Create your client certificate with Firefox.

1.1. Go to http://www.cacert.org and create an account.

1.2. Login with the account and make your client certificate.

1.3. Once the certificate is installed into the browser, you can
     export it with:

   Edit -> Preferences -> Advanced -> Encryption -> View Certificates ->
   	Your Certificates -> Backup

   We will call the file `cacert.p12' hereafter.

2. Set up gpgsm to use your certificate.

2.1. Start gpg-agent if it is not running.

   $ eval `gpg-agent --daemon --sh`

2.2. Import the certificate into the gpgsm's keyring.

   $ gpgsm --import cacert.p12

   $ gpgsm --list-keys

2.3. Import CRL for the root certificate.

   $ gpgsm --dump-keys cacert | grep crlDP
        crlDP: https://www.cacert.org/revoke.crl

   $ wget -O ~/revoke.crl https://www.cacert.org/revoke.crl

   $ gpgsm --call-dirmngr loadcrl ~/revoke.crl

2.4. Mark the CA certificate as trusted.

   Add the following line to ~/.gnupg/trustlist.txt.

   135CEC36F49CB8E93B1AB270CD80884676CE8F33 S

   The first column is the fingerprint of the root certificate (see
   the output of `gpgsm --list-keys').

2.5. Try to create a digital signature with gpgsm.

   $ echo test test test > test.txt

   $ gpgsm -u 0xE4438BB4 --output test.txt.sig --sign test.txt

   0xE4438BB4 is the keygrip of your certificate (see the output of
   `gpgsm --list-keys').

   $ gpgsm --output - --verify test.txt.sig
   test test test
   gpgsm: Signature made 2008-09-17 06:23:52 using certificate ID 0xE4438BB4
   gpgsm: Good signature from "/CN=CAcert WoT User/EMail=ueno@unixuser.org"
   gpgsm:                 aka "ueno@unixuser.org"

Regards,
-- 
Daiki Ueno

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 1695 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Decoding application/x-pkcs7-mime?
  2008-09-17  7:16   ` Daiki Ueno
@ 2008-09-17 10:34     ` David Engster
  0 siblings, 0 replies; 9+ messages in thread
From: David Engster @ 2008-09-17 10:34 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 1730 bytes --]

Daiki Ueno <ueno@unixuser.org> writes:
> Well, S/MIME may have several different formats (see RFC2633 3.8).  As
> of now Gnus' gpgsm backend does not handle all of them.  In summary:
>
> * sign using multipart/signed - supported
> * verify using multipart/signed - supported
> * verify using application/x-pkcs7-mime - not supported
> * encrypt using application/pkcs7-mime - supported
> * decrypt using application/pkcs7-mime - not supported
>
> Other combinations of operations and formats such as:
>
> * sign using application/pkcs7-mime
> * decrypt using application/octet-stream
>
> are not even supported by the OpenSSL backend.

Thank you for that overview.

> By the way, for those who are interested in playing around with gpgsm, I
> wrote a short instruction to set up gpgsm with CAcert's client
> certificates.  After the setup, you can use it from Gnus with:
>
> (setq mml-smime-use 'epg)
>
> 0. Install gpgsm, dirmngr, etc.
[...]

This works! Thank you for that HOWTO, it is very helpful.

As you state above, signing and verifying with multipart/signed works
without problems. I can also encrypt, but not decrypt with
application/pkcs7-mime.

I only noted one problem: I often get signed mails which have a protocol
"application/x-pkcs7-signature", instead of
"application/pkcs7-signature". I usually get those "x-pkcs7-signature"
from people using MS Exchange. It isn't even mentioned in the RFC - is
this a standard? Otherwise, they don't seem to be different in any way
from those messages with a "pkcs7-signature" part.

Anyway, I attached a patch for mml-smime.el which also checks for
"x-pkcs7-signature". I'm not familiar with this part of Gnus, so
I'd appreciate any comments regarding this issue.

Regards,
David


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: mml-smime-x-pkcs7-patch.diff --]
[-- Type: text/x-diff, Size: 696 bytes --]

--- mml-smime.el.~7.23.~	2008-05-19 10:47:42.000000000 +0200
+++ mml-smime.el	2008-09-17 11:56:12.000000000 +0200
@@ -520,10 +520,14 @@
 					   ctl 'protocol)
 					  "application/pkcs7-signature")
 				  t)))
-		(null (setq signature (mm-find-part-by-type
-				       (cdr handle)
-				       "application/pkcs7-signature"
-				       nil t))))
+		(null (setq signature (or (mm-find-part-by-type
+					   (cdr handle)
+					   "application/pkcs7-signature"
+					   nil t)
+					  (mm-find-part-by-type
+					   (cdr handle)
+					   "application/x-pkcs7-signature"
+					   nil t)))))
 	(mm-set-handle-multipart-parameter
 	 mm-security-handle 'gnus-info "Corrupted")
 	(throw 'error handle))
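
Review bot: the fallback to "application/x-pkcs7-signature" in the new `or` form carries no comment saying why an x- prefixed type is accepted as equivalent to "application/pkcs7-signature"; a one-line comment naming the senders that emit it would help the next reader. The two mm-find-part-by-type calls differ only in the type string, so iterating over a short list of accepted types would avoid the duplication and make a later addition a one-word change. The unchanged context just above still names only "application/pkcs7-signature" next to `ctl 'protocol`; please confirm that lookup does not also need the x- variant, since the `or` added here is only consulted after it.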

^ permalink raw reply	[flat|nested] 9+ messages in thread
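
The S/MIME forms discussed in this thread can be told apart from the top-level Content-Type alone: the media type, the `protocol` parameter of multipart/signed, and the `smime-type` parameter of (x-)pkcs7-mime. The Python sketch below is an added example, not code from Gnus or from any poster; it classifies a message, treats the `x-pkcs7-*` spellings as equivalent to `pkcs7-*` (the leniency the patch above proposes), and attaches the gpgsm-backend status summarised earlier in the thread. Function names, labels and sample headers are constructed for illustration.

```python
from email import message_from_string

# Receiver-side status of Gnus' gpgsm backend as summarised in this thread (2008).
GPGSM_STATUS = {
    "detached-signature": ("verify", "supported"),
    "opaque-signed": ("verify", "not supported"),
    "encrypted": ("decrypt", "not supported"),
}

def normalize(media_type):
    """Lower-case a media type and drop the legacy 'x-' before 'pkcs7-'."""
    main, _, sub = media_type.strip().lower().partition("/")
    if sub.startswith("x-pkcs7-"):
        sub = sub[2:]
    return f"{main}/{sub}"

def classify(raw_headers):
    """Return the S/MIME form of a message from its top-level Content-Type."""
    msg = message_from_string(raw_headers)
    ctype = normalize(msg.get_content_type())
    if ctype == "multipart/signed":
        protocol = normalize(str(msg.get_param("protocol", "")))
        if protocol == "application/pkcs7-signature":
            return "detached-signature"
        return "not-smime"  # e.g. PGP/MIME uses application/pgp-signature
    if ctype == "application/pkcs7-mime":
        smime_type = str(msg.get_param("smime-type", "")).lower()
        forms = {"signed-data": "opaque-signed", "enveloped-data": "encrypted"}
        return forms.get(smime_type, "pkcs7-mime-other")  # certs-only, missing
    return "not-smime"

def triage(raw_headers):
    """Pair the detected form with the operation needed and its thread status."""
    form = classify(raw_headers)
    operation, status = GPGSM_STATUS.get(form, (None, None))
    return form, operation, status

# Constructed samples modelled on the headers quoted in the thread.
OPAQUE = ('Content-Type: application/x-pkcs7-mime;smime-type=signed-data;\n'
          '\tname="smime.p7m"\nContent-Transfer-Encoding: base64\n\n')
EXCHANGE = ('Content-Type: multipart/signed; micalg=sha1; boundary="b";\n'
            '\tprotocol="application/x-pkcs7-signature"\n\n')
PGP = ('Content-Type: multipart/signed; boundary="b";\n'
       '\tprotocol="application/pgp-signature"\n\n')

if __name__ == "__main__":
    for sample in (OPAQUE, EXCHANGE, PGP):
        print(triage(sample))
```

A message classified as opaque-signed carries its content inside the CMS blob, so a client that cannot process that form shows only base64, which matches the symptom in the first post.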
