From: Daiki Ueno <ueno@unixuser.org>
To: ding@gnus.org
Subject: Re: Decoding application/x-pkcs7-mime?
Date: Wed, 17 Sep 2008 16:16:57 +0900
Message-ID: <87r67jqm1i.fsf@broken.deisui.org>
In-Reply-To: <kz4p4giicc.fsf@kafka.physik3.gwdg.de> (David Engster's message of "Tue, 16 Sep 2008 10:51:47 +0200")
[-- Attachment #1: Type: text/plain, Size: 3223 bytes --]
>>>>> In <kz4p4giicc.fsf@kafka.physik3.gwdg.de>
>>>>> David Engster <deng@randomsample.de> wrote:
> I also remember trying to use EPG and gnutls, but it didn't work at
> that time. If someone successfully uses S/MIME with those, I'd love to
> see an example setup.

Well, S/MIME may have several different formats (see RFC2633 3.8). As
of now Gnus' gpgsm backend does not handle all of them. In summary:

* sign using multipart/signed - supported
* verify using multipart/signed - supported
* verify using application/x-pkcs7-mime - not supported
* encrypt using application/pkcs7-mime - supported
* decrypt using application/pkcs7-mime - not supported

Other combinations of operations and formats such as:

* sign using application/pkcs7-mime
* decrypt using application/octet-stream

are not even supported by the OpenSSL backend.

By the way, for those who are interested in playing around with gpgsm, I
wrote short instructions to set up gpgsm with CAcert's client
certificates. After the setup, you can use it from Gnus with:

  (setq mml-smime-use 'epg)

0. Install gpgsm, dirmngr, etc.

   I'm using the following packages from Debian:

   ii  dirmngr      1.0.2-1  server for managing certificate revocation
   ii  gnupg-agent  2.0.9-3  GNU privacy guard - password agent
   ii  gpgsm        2.0.9-3  GNU privacy guard - S/MIME version
   ii  iceweasel    3.0.1-1  lightweight web browser based on Mozilla

1. Create your client certificate with Firefox.

1.1. Go to http://www.cacert.org and create an account.

1.2. Log in with the account and make your client certificate.

1.3. Once the certificate is installed into the browser, you can
     export it with:

     Edit -> Preferences -> Advanced -> Encryption -> View Certificates ->
     Your Certificates -> Backup

     We will call the file `cacert.p12' hereafter.

2. Set up gpgsm to use your certificate.

2.1. Start gpg-agent if it is not running.

     $ eval `gpg-agent --daemon --sh`

2.2. Import the certificate into gpgsm's keyring.

     $ gpgsm --import cacert.p12
     $ gpgsm --list-keys

2.3. Import CRL for the root certificate.

     $ gpgsm --dump-keys cacert | grep crlDP
     crlDP: https://www.cacert.org/revoke.crl
     $ wget -O ~/revoke.crl https://www.cacert.org/revoke.crl
     $ gpgsm --call-dirmngr loadcrl ~/revoke.crl

2.4. Mark the CA certificate as trusted.

     Add the following line to ~/.gnupg/trustlist.txt.

     135CEC36F49CB8E93B1AB270CD80884676CE8F33 S

     The first column is the fingerprint of the root certificate (see
     the output of `gpgsm --list-keys').

2.5. Try to create a digital signature with gpgsm.

     $ echo test test test > test.txt
     $ gpgsm -u 0xE4438BB4 --output test.txt.sig --sign test.txt

     0xE4438BB4 is the keygrip of your certificate (see the output of
     `gpgsm --list-keys').

     $ gpgsm --output - --verify test.txt.sig
     test test test
     gpgsm: Signature made 2008-09-17 06:23:52 using certificate ID 0xE4438BB4
     gpgsm: Good signature from "/CN=CAcert WoT User/EMail=ueno@unixuser.org"
     gpgsm:                 aka "ueno@unixuser.org"

Regards,
--
Daiki Ueno
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 1695 bytes --]
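
Added example, not part of the original message and not code from Gnus: a Python classifier that works out which of the S/MIME formats from the summary above an incoming MIME entity uses, then looks up whether the gpgsm backend handles it according to that summary. The function names, the sample headers, the folding of the "x-" prefix, and treating an octet-stream .p7m part as enveloped data are assumptions.

```python
from email import message_from_string

# Receive-side status of Gnus' gpgsm backend, from the summary in the message.
# Assumptions: the legacy "x-" spelling shares the unprefixed type's status,
# and octet-stream (unsupported even by the OpenSSL backend) is unsupported.
GPGSM_RECEIVE = {
    ("verify", "multipart/signed"): True,
    ("verify", "application/pkcs7-mime"): False,
    ("decrypt", "application/pkcs7-mime"): False,
    ("decrypt", "application/octet-stream"): False,
}

def _norm(value):
    """Lower-case a MIME type or parameter; fold x-pkcs7-* into pkcs7-*."""
    return (value or "").lower().replace("/x-pkcs7-", "/pkcs7-")

def classify(raw):
    """Return (operation, format) for an S/MIME entity, or None if not S/MIME."""
    msg = message_from_string(raw)
    ctype = _norm(msg.get_content_type())
    if ctype == "multipart/signed":
        # Detached signature. PGP/MIME uses the same container, so the
        # protocol parameter decides whether this is S/MIME at all.
        if _norm(msg.get_param("protocol")) == "application/pkcs7-signature":
            return ("verify", ctype)
        return None
    if ctype == "application/pkcs7-mime":
        # smime-type is optional; without it the CMS blob must be inspected.
        ops = {"signed-data": "verify", "enveloped-data": "decrypt"}
        return (ops.get(_norm(msg.get_param("smime-type")), "unknown"), ctype)
    if ctype == "application/octet-stream":
        # Relabelled part: fall back to the file suffix. A .p7m can also
        # hold signed data; it is treated as enveloped data here (assumption).
        if (msg.get_filename() or "").lower().endswith(".p7m"):
            return ("decrypt", ctype)
    return None

def gpgsm_backend_handles(raw):
    """True/False per the table above; None when the entity is not S/MIME."""
    kind = classify(raw)
    return None if kind is None else GPGSM_RECEIVE.get(kind, False)

# Constructed sample headers (bodies omitted), not taken from the thread.
DETACHED = ('Content-Type: multipart/signed; micalg=sha1; boundary="b";\n'
            ' protocol="application/x-pkcs7-signature"\n\n')
OPAQUE = ('Content-Type: application/x-pkcs7-mime; smime-type=signed-data;\n'
          ' name="smime.p7m"\n\n')
ENVELOPED = 'Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\n'
PGP = ('Content-Type: multipart/signed; boundary="b";\n'
       ' protocol="application/pgp-signature"\n\n')
```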