* Patch for smime-stuff
@ 2005-02-22 16:24 Arne Jørgensen
2005-02-22 16:54 ` Simon Josefsson
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Arne Jørgensen @ 2005-02-22 16:24 UTC (permalink / raw)
[-- Attachment #1: Type: text/plain, Size: 1229 bytes --]
Hi,
The attached patch has some changes for the S/MIME handling i Gnus
(inncluding the changes in the patch I posted four days ago).
From the ChangeLog:
* smime.el (smime-ldap-host-list): Doc fix.
(smime-ask-passphrase): Use `password-read-and-add' to read (and
cache) password.
(smime-sign-region): Use it.
(smime-decrypt-region): Use it.
(smime-sign-buffer): Signal an error if `smime-sign-region' fails.
(smime-encrypt-buffer): Signal an error if `smime-encrypt-region'
fails.
(smime-cert-by-ldap-1): Use `base64-encode-string' to convert
certificate from DER to PEM format rather than calling openssl.
* mml-smime.el (mml-smime-encrypt-query): Remove obsolete comment.
* mml-sec.el (mml-secure-message): Insert keyfile/certfile tags
for signing/encryption.
* mml.el (mml-parse-1): Use them.
The changes to mml-sec.el and mml.el makes "S/MIME Sign" and "S/MIME
Encrypt" work like "S/MIME Sign Part" and "S/MIME Encrypt Part" (it
will fetch the certificates). Maybe that will be removed later if we/I
postpone this until we send the message (as discussed ealier).
Kind regards,
--
Arne Jørgensen <http://arnested.dk/>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: smime.patch --]
[-- Type: text/x-patch, Size: 9867 bytes --]
Index: lisp/ChangeLog
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/ChangeLog,v
retrieving revision 7.637
diff -u -p -r7.637 ChangeLog
--- lisp/ChangeLog 21 Feb 2005 15:51:07 -0000 7.637
+++ lisp/ChangeLog 21 Feb 2005 23:30:08 -0000
@@ -1,3 +1,23 @@
+2005-02-22 Arne J^[,Ax^[(Brgensen <arne@arnested.dk>
+
+ * smime.el (smime-ldap-host-list): Doc fix.
+ (smime-ask-passphrase): Use `password-read-and-add' to read (and
+ cache) password.
+ (smime-sign-region): Use it.
+ (smime-decrypt-region): Use it.
+ (smime-sign-buffer): Signal an error if `smime-sign-region' fails.
+ (smime-encrypt-buffer): Signal an error if `smime-encrypt-region'
+ fails.
+ (smime-cert-by-ldap-1): Use `base64-encode-string' to convert
+ certificate from DER to PEM format rather than calling openssl.
+
+ * mml-smime.el (mml-smime-encrypt-query): Remove obsolete comment.
+
+ * mml-sec.el (mml-secure-message): Insert keyfile/certfile tags
+ for signing/encryption.
+
+ * mml.el (mml-parse-1): Use them.
+
2005-02-21 Arne J^[,Ax^[(Brgensen <arne@arnested.dk>
* nnrss.el (nnrss-verbose): Removed.
Index: lisp/mml-sec.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/mml-sec.el,v
retrieving revision 7.6
diff -u -p -r7.6 mml-sec.el
--- lisp/mml-sec.el 13 Feb 2005 04:44:40 -0000 7.6
+++ lisp/mml-sec.el 21 Feb 2005 23:30:08 -0000
@@ -1,5 +1,5 @@
;;; mml-sec.el --- A package with security functions for MML documents
-;; Copyright (C) 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+;; Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
;; Author: Simon Josefsson <simon@josefsson.org>
@@ -224,6 +224,13 @@ You can also customize or set `mml-signe
;; defuns that add the proper <#secure ...> tag to the top of the message body
(defun mml-secure-message (method &optional modesym)
(let ((mode (prin1-to-string modesym))
+ (tags (append
+ (if (or (eq modesym 'sign)
+ (eq modesym 'signencrypt))
+ (funcall (nth 2 (assoc method mml-sign-alist))))
+ (if (or (eq modesym 'encrypt)
+ (eq modesym 'signencrypt))
+ (funcall (nth 2 (assoc method mml-encrypt-alist))))))
insert-loc)
(mml-unsecure-message)
(save-excursion
@@ -232,8 +239,8 @@ You can also customize or set `mml-signe
(concat "^" (regexp-quote mail-header-separator) "\n") nil t)
(goto-char (setq insert-loc (match-end 0)))
(unless (looking-at "<#secure")
- (mml-insert-tag
- 'secure 'method method 'mode mode)))
+ (apply 'mml-insert-tag
+ 'secure 'method method 'mode mode tags)))
(t (error
"The message is corrupted. No mail header separator"))))
(when (eql insert-loc (point))
Index: lisp/mml-smime.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/mml-smime.el,v
retrieving revision 7.5
diff -u -p -r7.5 mml-smime.el
--- lisp/mml-smime.el 14 Feb 2005 15:22:17 -0000 7.5
+++ lisp/mml-smime.el 21 Feb 2005 23:30:08 -0000
@@ -135,7 +135,6 @@
result))
(defun mml-smime-encrypt-query ()
- ;; todo: add ldap support (xemacs ldap api?)
;; todo: try dns/ldap automatically first, before prompting user
(let (certs done)
(while (not done)
Index: lisp/mml.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/mml.el,v
retrieving revision 7.24
diff -u -p -r7.24 mml.el
--- lisp/mml.el 19 Feb 2005 01:23:10 -0000 7.24
+++ lisp/mml.el 21 Feb 2005 23:30:09 -0000
@@ -158,6 +158,8 @@ one charsets.")
;; included in the message
(let* (secure-mode
(taginfo (mml-read-tag))
+ (keyfile (cdr (assq 'keyfile taginfo)))
+ (certfile (cdr (assq 'certfile taginfo)))
(recipients (cdr (assq 'recipients taginfo)))
(sender (cdr (assq 'sender taginfo)))
(location (cdr (assq 'tag-location taginfo)))
@@ -181,6 +183,10 @@ one charsets.")
(setq tags (list "sign" method "encrypt" method))))
(eval `(mml-insert-tag ,secure-mode
,@tags
+ ,(if keyfile "keyfile")
+ ,keyfile
+ ,(if certfile "certfile")
+ ,certfile
,(if recipients "recipients")
,recipients
,(if sender "sender")
Index: lisp/smime.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v
retrieving revision 7.8
diff -u -p -r7.8 smime.el
--- lisp/smime.el 14 Feb 2005 15:24:44 -0000 7.8
+++ lisp/smime.el 21 Feb 2005 23:30:10 -0000
@@ -121,6 +121,7 @@
(require 'dig)
(require 'smime-ldap)
+(require 'password)
(eval-when-compile (require 'cl))
(defgroup smime nil
@@ -218,7 +219,9 @@ If nil, use system defaults."
:group 'smime)
(defcustom smime-ldap-host-list nil
- "A list of LDAP hosts with S/MIME user certificates."
+ "A list of LDAP hosts with S/MIME user certificates.
+If needed search base, binddn, passwd, etc. for the LDAP host
+must be set in `ldap-host-parameters-alist'."
:type '(repeat (string :tag "Host name"))
:group 'smime)
@@ -238,11 +241,13 @@ If nil, use system defaults."
;; Password dialog function
-(defun smime-ask-passphrase ()
- "Asks the passphrase to unlock the secret key."
+(defun smime-ask-passphrase (&optional cache-key)
+ "Asks the passphrase to unlock the secret key.
+If `cache-key' and `password-cache' is non-nil then cache the
+password under `cache-key'."
(let ((passphrase
- (read-passwd
- "Passphrase for secret key (RET for no passphrase): ")))
+ (password-read-and-add
+ "Passphrase for secret key (RET for no passphrase): " cache-key)))
(if (string= passphrase "")
nil
passphrase)))
@@ -274,11 +279,11 @@ certificates to include in its caar. If
included, KEYFILE may be the file containing the PEM encoded private
key and certificate itself."
(smime-new-details-buffer)
- (let ((keyfile (or (car-safe keyfile) keyfile))
- (certfiles (and (cdr-safe keyfile) (cadr keyfile)))
- (buffer (generate-new-buffer (generate-new-buffer-name " *smime*")))
- (passphrase (smime-ask-passphrase))
- (tmpfile (smime-make-temp-file "smime")))
+ (let* ((certfiles (and (cdr-safe keyfile) (cadr keyfile)))
+ (keyfile (or (car-safe keyfile) keyfile))
+ (buffer (generate-new-buffer (generate-new-buffer-name " *smime*")))
+ (passphrase (smime-ask-passphrase (expand-file-name keyfile)))
+ (tmpfile (smime-make-temp-file "smime")))
(if passphrase
(setenv "GNUS_SMIME_PASSPHRASE" passphrase))
(prog1
@@ -339,16 +344,17 @@ is expected to contain of a PEM encoded
KEYFILE should contain a PEM encoded key and certificate."
(interactive)
(with-current-buffer (or buffer (current-buffer))
- (smime-sign-region
- (point-min) (point-max)
- (if keyfile
- keyfile
- (smime-get-key-with-certs-by-email
- (completing-read
- (concat "Sign using which key? "
- (if smime-keys (concat "(default " (caar smime-keys) ") ")
- ""))
- smime-keys nil nil (car-safe (car-safe smime-keys))))))))
+ (unless (smime-sign-region
+ (point-min) (point-max)
+ (if keyfile
+ keyfile
+ (smime-get-key-with-certs-by-email
+ (completing-read
+ (concat "Sign using which key? "
+ (if smime-keys (concat "(default " (caar smime-keys) ") ")
+ ""))
+ smime-keys nil nil (car-safe (car-safe smime-keys))))))
+ (error "Signing failed"))))
(defun smime-encrypt-buffer (&optional certfiles buffer)
"S/MIME encrypt BUFFER for recipients specified in CERTFILES.
@@ -357,11 +363,12 @@ a PEM encoded key and certificate. Uses
nil."
(interactive)
(with-current-buffer (or buffer (current-buffer))
- (smime-encrypt-region
- (point-min) (point-max)
- (or certfiles
- (list (read-file-name "Recipient's S/MIME certificate: "
- smime-certificate-directory nil))))))
+ (unless (smime-encrypt-region
+ (point-min) (point-max)
+ (or certfiles
+ (list (read-file-name "Recipient's S/MIME certificate: "
+ smime-certificate-directory nil))))
+ (error "Encryption failed"))))
;; Verify+decrypt region
@@ -409,7 +416,7 @@ Any details (stderr on success, stdout a
in the buffer specified by `smime-details-buffer'."
(smime-new-details-buffer)
(let ((buffer (generate-new-buffer (generate-new-buffer-name " *smime*")))
- CAs (passphrase (smime-ask-passphrase))
+ CAs (passphrase (smime-ask-passphrase (expand-file-name keyfile)))
(tmpfile (smime-make-temp-file "smime")))
(if passphrase
(setenv "GNUS_SMIME_PASSPHRASE" passphrase))
@@ -567,21 +574,21 @@ A string or a list of strings is returne
"Get cetificate for MAIL from the ldap server at HOST."
(let ((ldapresult (smime-ldap-search (concat "mail=" mail)
host '("userCertificate") nil))
- (retbuf (generate-new-buffer (format "*certificate for %s*" mail))))
+ (retbuf (generate-new-buffer (format "*certificate for %s*" mail)))
+ cert)
(if (> (length ldapresult) 1)
(with-current-buffer retbuf
- (set-buffer-multibyte nil)
- (insert (nth 1 (car (nth 1 ldapresult))))
- (goto-char (point-min))
- (if (smime-call-openssl-region (point-min) (point-max) t "x509"
- "-inform" "DER" "-outform" "PEM")
- (progn
- (delete-region (point) (point-max))
- retbuf)
- (kill-buffer retbuf)
- nil))
+ (setq cert (base64-encode-string (nth 1 (car (nth 1 ldapresult))) t))
+ (insert "-----BEGIN CERTIFICATE-----\n")
+ (let ((i 0) (len (length cert)))
+ (while (> (- len 64) i)
+ (insert (substring cert i (+ i 64)) "\n")
+ (setq i (+ i 64)))
+ (insert (substring cert i len) "\n"))
+ (insert "-----END CERTIFICATE-----\n"))
(kill-buffer retbuf)
- nil)))
+ (setq retbuf nil))
+ retbuf))
(defun smime-cert-by-ldap (mail)
"Find certificate via LDAP for address MAIL."
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Patch for smime-stuff
2005-02-22 16:24 Patch for smime-stuff Arne Jørgensen
@ 2005-02-22 16:54 ` Simon Josefsson
2005-02-22 17:07 ` password-cache-expiry and encrypt-password-cache-expiry (was: Patch for smime-stuff) Arne Jørgensen
2005-02-22 22:21 ` Patch for smime-stuff Arne Jørgensen
2 siblings, 0 replies; 7+ messages in thread
From: Simon Josefsson @ 2005-02-22 16:54 UTC (permalink / raw)
Cc: ding
Arne Jørgensen <arne@arnested.dk> writes:
> The attached patch has some changes for the S/MIME handling i Gnus
Awesome!
Installed.
> The changes to mml-sec.el and mml.el makes "S/MIME Sign" and "S/MIME
> Encrypt" work like "S/MIME Sign Part" and "S/MIME Encrypt Part" (it
> will fetch the certificates). Maybe that will be removed later if we/I
> postpone this until we send the message (as discussed ealier).
Yup.
^ permalink raw reply [flat|nested] 7+ messages in thread
* password-cache-expiry and encrypt-password-cache-expiry (was: Patch for smime-stuff)
2005-02-22 16:24 Patch for smime-stuff Arne Jørgensen
2005-02-22 16:54 ` Simon Josefsson
@ 2005-02-22 17:07 ` Arne Jørgensen
2005-02-22 17:23 ` password-cache-expiry and encrypt-password-cache-expiry Simon Josefsson
2005-02-22 22:21 ` Patch for smime-stuff Arne Jørgensen
2 siblings, 1 reply; 7+ messages in thread
From: Arne Jørgensen @ 2005-02-22 17:07 UTC (permalink / raw)
Arne Jørgensen <arne@arnested.dk> writes:
> (smime-ask-passphrase): Use `password-read-and-add' to read (and
> cache) password.
I noticed that `encrypt-password-cache-expiry' defaults to 200 seconds
_and_ when set, sets `password-cache-expiry' (default value 16
seconds) too.
Since both are loaded by gnus the value of `password-cache-expiry'
ends up being 200 seconds. Is this wise?
Kind regards,
--
Arne Jørgensen <http://arnested.dk/>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: password-cache-expiry and encrypt-password-cache-expiry
2005-02-22 17:07 ` password-cache-expiry and encrypt-password-cache-expiry (was: Patch for smime-stuff) Arne Jørgensen
@ 2005-02-22 17:23 ` Simon Josefsson
2005-02-24 17:47 ` Ted Zlatanov
0 siblings, 1 reply; 7+ messages in thread
From: Simon Josefsson @ 2005-02-22 17:23 UTC (permalink / raw)
Cc: ding, Teodor Zlatanov
Arne Jørgensen <arne@arnested.dk> writes:
> Arne Jørgensen <arne@arnested.dk> writes:
>
>> (smime-ask-passphrase): Use `password-read-and-add' to read (and
>> cache) password.
>
> I noticed that `encrypt-password-cache-expiry' defaults to 200 seconds
> _and_ when set, sets `password-cache-expiry' (default value 16
> seconds) too.
>
> Since both are loaded by gnus the value of `password-cache-expiry'
> ends up being 200 seconds. Is this wise?
I don't think so.
I removed e-p-c-e, it wasn't used except as part of the custom group,
and added the password-* variables to the defgroup MEMBERS parameter,
so they will end up in the encrypt custom group as well.
Ok, Ted?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Patch for smime-stuff
2005-02-22 16:24 Patch for smime-stuff Arne Jørgensen
2005-02-22 16:54 ` Simon Josefsson
2005-02-22 17:07 ` password-cache-expiry and encrypt-password-cache-expiry (was: Patch for smime-stuff) Arne Jørgensen
@ 2005-02-22 22:21 ` Arne Jørgensen
2005-02-22 23:51 ` Simon Josefsson
2 siblings, 1 reply; 7+ messages in thread
From: Arne Jørgensen @ 2005-02-22 22:21 UTC (permalink / raw)
[-- Attachment #1: Type: text/plain, Size: 423 bytes --]
Arne Jørgensen <arne@arnested.dk> writes:
> (smime-sign-buffer): Signal an error if `smime-sign-region' fails.
> (smime-encrypt-buffer): Signal an error if `smime-encrypt-region'
> fails.
Since this above changes is actually a security fix they should also
be commited to the v5-10 branch I think.
A patch for the v5-10 branch is attached.
Kind regards,
--
Arne Jørgensen <http://arnested.dk/>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: smime_v5-10.patch --]
[-- Type: text/x-patch, Size: 2552 bytes --]
Index: lisp/ChangeLog
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/ChangeLog,v
retrieving revision 6.2771.2.115
diff -u -p -r6.2771.2.115 ChangeLog
--- lisp/ChangeLog 21 Feb 2005 13:38:17 -0000 6.2771.2.115
+++ lisp/ChangeLog 22 Feb 2005 22:16:09 -0000
@@ -1,3 +1,10 @@
+2005-02-22 Arne J^[,Ax^[(Brgensen <arne@arnested.dk>
+
+ * smime.el (smime-sign-buffer): Signal an error if
+ `smime-sign-region' fails.
+ (smime-encrypt-buffer): Signal an error if `smime-encrypt-region'
+ fails.
+
2005-02-21 Reiner Steib <Reiner.Steib@gmx.de>
* gnus-art.el (gnus-parse-news-url, gnus-button-handle-news):
Index: lisp/smime.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v
retrieving revision 6.33.2.3
diff -u -p -r6.33.2.3 smime.el
--- lisp/smime.el 13 Feb 2005 04:46:05 -0000 6.33.2.3
+++ lisp/smime.el 22 Feb 2005 22:16:10 -0000
@@ -332,16 +332,17 @@ is expected to contain of a PEM encoded
KEYFILE should contain a PEM encoded key and certificate."
(interactive)
(with-current-buffer (or buffer (current-buffer))
- (smime-sign-region
- (point-min) (point-max)
- (if keyfile
- keyfile
- (smime-get-key-with-certs-by-email
- (completing-read
- (concat "Sign using which key? "
- (if smime-keys (concat "(default " (caar smime-keys) ") ")
- ""))
- smime-keys nil nil (car-safe (car-safe smime-keys))))))))
+ (unless (smime-sign-region
+ (point-min) (point-max)
+ (if keyfile
+ keyfile
+ (smime-get-key-with-certs-by-email
+ (completing-read
+ (concat "Sign using which key? "
+ (if smime-keys (concat "(default " (caar smime-keys) ") ")
+ ""))
+ smime-keys nil nil (car-safe (car-safe smime-keys))))))
+ (error "Signing failed"))))
(defun smime-encrypt-buffer (&optional certfiles buffer)
"S/MIME encrypt BUFFER for recipients specified in CERTFILES.
@@ -350,11 +351,12 @@ a PEM encoded key and certificate. Uses
nil."
(interactive)
(with-current-buffer (or buffer (current-buffer))
- (smime-encrypt-region
- (point-min) (point-max)
- (or certfiles
- (list (read-file-name "Recipient's S/MIME certificate: "
- smime-certificate-directory nil))))))
+ (unless (smime-encrypt-region
+ (point-min) (point-max)
+ (or certfiles
+ (list (read-file-name "Recipient's S/MIME certificate: "
+ smime-certificate-directory nil))))
+ (error "Encryption failed"))))
;; Verify+decrypt region
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Patch for smime-stuff
2005-02-22 22:21 ` Patch for smime-stuff Arne Jørgensen
@ 2005-02-22 23:51 ` Simon Josefsson
0 siblings, 0 replies; 7+ messages in thread
From: Simon Josefsson @ 2005-02-22 23:51 UTC (permalink / raw)
Cc: ding
Arne Jørgensen <arne@arnested.dk> writes:
> Arne Jørgensen <arne@arnested.dk> writes:
>
>> (smime-sign-buffer): Signal an error if `smime-sign-region' fails.
>> (smime-encrypt-buffer): Signal an error if `smime-encrypt-region'
>> fails.
>
> Since this above changes is actually a security fix they should also
> be commited to the v5-10 branch I think.
Right.
> A patch for the v5-10 branch is attached.
Applied. Thanks!
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: password-cache-expiry and encrypt-password-cache-expiry
2005-02-22 17:23 ` password-cache-expiry and encrypt-password-cache-expiry Simon Josefsson
@ 2005-02-24 17:47 ` Ted Zlatanov
0 siblings, 0 replies; 7+ messages in thread
From: Ted Zlatanov @ 2005-02-24 17:47 UTC (permalink / raw)
Cc: Arne Jørgensen, ding
On Tue, 22 Feb 2005, jas@extundo.com wrote:
> Arne Jørgensen <arne@arnested.dk> writes:
>
>> Arne Jørgensen <arne@arnested.dk> writes:
>>
>>> (smime-ask-passphrase): Use `password-read-and-add' to read (and
>>> cache) password.
>>
>> I noticed that `encrypt-password-cache-expiry' defaults to 200 seconds
>> _and_ when set, sets `password-cache-expiry' (default value 16
>> seconds) too.
>>
>> Since both are loaded by gnus the value of `password-cache-expiry'
>> ends up being 200 seconds. Is this wise?
>
> I don't think so.
>
> I removed e-p-c-e, it wasn't used except as part of the custom group,
> and added the password-* variables to the defgroup MEMBERS parameter,
> so they will end up in the encrypt custom group as well.
This is fine. I meant to fix it, myself, but forgot about it. Sorry.
Thanks for catching it, Arne.
Ted
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2005-02-24 17:47 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2005-02-22 16:24 Patch for smime-stuff Arne Jørgensen
2005-02-22 16:54 ` Simon Josefsson
2005-02-22 17:07 ` password-cache-expiry and encrypt-password-cache-expiry (was: Patch for smime-stuff) Arne Jørgensen
2005-02-22 17:23 ` password-cache-expiry and encrypt-password-cache-expiry Simon Josefsson
2005-02-24 17:47 ` Ted Zlatanov
2005-02-22 22:21 ` Patch for smime-stuff Arne Jørgensen
2005-02-22 23:51 ` Simon Josefsson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).