Gnus development mailing list
* SMIME: intermediate certificates are not sent
@ 2014-09-22 11:59 Christoph Groth
  2014-09-22 12:13 ` Uwe Brauer
  2014-09-22 12:58 ` [PATCH] " Christoph Groth
  0 siblings, 2 replies; 5+ messages in thread
From: Christoph Groth @ 2014-09-22 11:59 UTC (permalink / raw)
  To: ding

Hi,

I’ve recently set up Gnus to use my S/MIME key from work.  I observe the
following problem described in 2007 by David Eng:
http://article.gmane.org/gmane.emacs.gnus.general/64881.  There used to
be an emacs bug about this issue, but it has been closed apparently
without the bug ever being fixed:
https://lists.gnu.org/archive/html/emacs-bug-tracker/2011-01/msg00118.html.

For now I’m using the workaround of David (deleting keyfile="..." from
the #secure tag).  Am I missing some way in which that issue has been
resolved?

Is S/MIME really that unpopular with Gnus users?

Thanks,
Christoph





* Re: SMIME: intermediate certificates are not sent
  2014-09-22 11:59 SMIME: intermediate certificates are not sent Christoph Groth
@ 2014-09-22 12:13 ` Uwe Brauer
  2014-09-22 12:50   ` Christoph Groth
  2014-09-22 12:58 ` [PATCH] " Christoph Groth
  1 sibling, 1 reply; 5+ messages in thread
From: Uwe Brauer @ 2014-09-22 12:13 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 972 bytes --]

>> "Christoph" == Christoph Groth <christoph@grothesque.org> writes:

   > Hi,

   > I’ve recently set up Gnus to use my S/MIME key from work. I observe
   > the following problem described in 2007 by David Eng:
   > http://article.gmane.org/gmane.emacs.gnus.general/64881. There used
   > to be an emacs bug about this issue, but it has been closed
   > apparently without the bug ever being fixed:
   > https://lists.gnu.org/archive/html/emacs-bug-tracker/2011-01/msg00118.html.

   > For now I’m using the workaround of David (deleting keyfile="..."
   > from the #secure tag). Am I missing some way in which that issue
   > has been resolved?


   > Is S/MIME really that unpopular with Gnus users?


Hm, I have been using S/MIME for almost 2 years without any problems;
however, I use epg and gpgsm, as described in

http://www.emacswiki.org/emacs/GnusSMIME#toc8

Works much better this way.

   > Thanks,
   > Christoph


Uwe Brauer 

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 5556 bytes --]


* Re: SMIME: intermediate certificates are not sent
  2014-09-22 12:13 ` Uwe Brauer
@ 2014-09-22 12:50   ` Christoph Groth
  0 siblings, 0 replies; 5+ messages in thread
From: Christoph Groth @ 2014-09-22 12:50 UTC (permalink / raw)
  To: ding

Hi Uwe,

Thanks, epg and gpgsm work for me as well.  I suggest moving the
section you added to http://www.emacswiki.org/emacs/GnusSMIME to the top
of the page – I didn’t notice it.

Christoph





* [PATCH] Re: SMIME: intermediate certificates are not sent
  2014-09-22 11:59 SMIME: intermediate certificates are not sent Christoph Groth
  2014-09-22 12:13 ` Uwe Brauer
@ 2014-09-22 12:58 ` Christoph Groth
  2015-01-27  3:11   ` Lars Ingebrigtsen
  1 sibling, 1 reply; 5+ messages in thread
From: Christoph Groth @ 2014-09-22 12:58 UTC (permalink / raw)
  To: ding

Just in case someone is motivated to fix the S/MIME with openssl bug
(which is still the default S/MIME method in Gnus):
I've found the following workaround:
http://www.normalesup.org/~martinez/emacs/#sign_additional_certificates

The following code is equivalent, only cleaned up a bit and merged with
the current Gnus codebase.  Adding it to ~/.gnus solves the issue, but
perhaps the function changes could be committed to Gnus?

--8<---------------cut here---------------start------------->8---
;; Patch to smime-sign-buffer and mml-smime-openssl-sign-query to put
;; the email address in the keyfile argument of <#secure> tag instead
;; of the key filename to take additional certificates into account when
;; signing a message.

(require 'smime) ; smime-sign-buffer comes from here

(defun smime-sign-buffer (&optional keyfile buffer)
  "S/MIME sign BUFFER with key in KEYFILE.
KEYFILE should contain a PEM encoded key and certificate."
  (interactive)
  (with-current-buffer (or buffer (current-buffer))
    (unless (smime-sign-region
             (point-min) (point-max)
             (if keyfile
                 (smime-get-key-with-certs-by-email keyfile)
               (smime-get-key-with-certs-by-email
                (gnus-completing-read
                 "Sign using key"
                 smime-keys nil (car-safe (car-safe smime-keys))))))
      (error "Signing failed"))))


(require 'mml-smime) ; mml-smime-openssl-sign-query comes from here

(defun mml-smime-openssl-sign-query ()
  ;; query information (what certificate) from user when MML tag is
  ;; added, for use later by the signing process
  (when (null smime-keys)
    (customize-variable 'smime-keys)
    (error "No S/MIME keys configured, use customize to add your key"))
  (list 'keyfile
        (if (= (length smime-keys) 1)
            (caar smime-keys)
          (or (cadr (funcall (if (boundp
                                  'gnus-extract-address-components)
                                 gnus-extract-address-components
                               'mail-extract-address-components)
                             (or (save-excursion
                                   (save-restriction
                                     (message-narrow-to-headers)
                                     (message-fetch-field "from")))
                                 "")))
              (gnus-completing-read "Sign this part with what signature"
                                    (mapcar 'car smime-keys) nil nil nil
                                    (and (listp (car-safe smime-keys))
                                         (caar smime-keys)))))))
--8<---------------cut here---------------end--------------->8---
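
The effect this thread is about, reproduced with the openssl command line directly (an added example, not part of the original post or of Gnus). It builds a constructed root -> intermediate -> user chain and shows that a recipient who trusts only the root can verify the signature only when the intermediate is embedded with `-certfile`. All subjects and file names are made up for the demonstration.

```shell
#!/bin/sh
# Throwaway constructed PKI: root CA -> intermediate CA -> user@example.org.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_csr() {  # new_csr NAME SUBJECT -> NAME.key and NAME.csr
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
    -nodes -subj "/CN=Constructed Root CA" -days 2 \
    -keyout root.key -out root.pem 2>/dev/null
  new_csr int "/CN=Constructed Intermediate CA"
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -extfile ca.cnf -extensions v3_ca -days 2 -out int.pem 2>/dev/null
  new_csr user "/CN=user@example.org"
  openssl x509 -req -in user.csr -CA int.pem -CAkey int.key -set_serial 3 \
    -days 2 -out user.pem 2>/dev/null
}

sign_msg() {  # sign_msg OUT [extra openssl smime arguments]
  out=$1; shift
  printf 'constructed test message\n' | openssl smime -sign \
    -signer user.pem -inkey user.key "$@" -out "$out" 2>/dev/null
}

cert_count() {  # number of certificates embedded in the signature
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -noout |
    grep -c 'subject='
}

verifies() {  # the recipient's trust store holds only the root
  openssl smime -verify -in "$1" -CAfile root.pem -out /dev/null 2>/dev/null
}

make_chain
sign_msg bare.eml                       # signer certificate only
sign_msg chained.eml -certfile int.pem  # intermediate embedded as well
for m in bare.eml chained.eml; do
  verifies "$m" && r=OK || r=FAIL
  echo "$m: $(cert_count "$m") certificate(s) embedded, verification $r"
done
```

Running `cert_count` on a message you actually sent (saved to a file) shows whether your own setup includes the chain.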





* Re: [PATCH] Re: SMIME: intermediate certificates are not sent
  2014-09-22 12:58 ` [PATCH] " Christoph Groth
@ 2015-01-27  3:11   ` Lars Ingebrigtsen
  0 siblings, 0 replies; 5+ messages in thread
From: Lars Ingebrigtsen @ 2015-01-27  3:11 UTC (permalink / raw)
  To: Christoph Groth; +Cc: ding

Christoph Groth <christoph@grothesque.org> writes:

> Just in case someone is motivated to fix the S/MIME with openssl bug
> (which is still the default S/MIME method in Gnus):
> I've found the following workaround:
> http://www.normalesup.org/~martinez/emacs/#sign_additional_certificates
>
> The following code is equivalent, only cleaned up a bit and merged with
> the current Gnus codebase.  Adding it to ~/.gnus solves the issue, but
> perhaps the function changes could be committed to Gnus?

Could you submit a patch for this change?

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/


