Gnus development mailing list
From: Daiki Ueno <ueno@unixuser.org>
To: ding@gnus.org
Subject: Re: Decoding application/x-pkcs7-mime?
Date: Wed, 17 Sep 2008 16:16:57 +0900
Message-ID: <87r67jqm1i.fsf@broken.deisui.org>
In-Reply-To: <kz4p4giicc.fsf@kafka.physik3.gwdg.de> (David Engster's message of "Tue, 16 Sep 2008 10:51:47 +0200")

[-- Attachment #1: Type: text/plain, Size: 3223 bytes --]

>>>>> In <kz4p4giicc.fsf@kafka.physik3.gwdg.de> 
>>>>>	David Engster <deng@randomsample.de> wrote:

> I also remember trying to use EPG and gnutls, but it didn't work at
> that time. If someone successfully uses S/MIME with those, I'd love to
> see an example setup.

Well, S/MIME may have several different formats (see RFC2633 3.8).  As
of now Gnus' gpgsm backend does not handle all of them.  In summary:

* sign using multipart/signed - supported
* verify using multipart/signed - supported
* verify using application/x-pkcs7-mime - not supported
* encrypt using application/pkcs7-mime - supported
* decrypt using application/pkcs7-mime - not supported

Other combinations of operations and formats such as:

* sign using application/pkcs7-mime
* decrypt using application/octet-stream

are not even supported by the OpenSSL backend.

By the way, for those who are interested in playing around with gpgsm, I
wrote short instructions to set up gpgsm with CAcert's client
certificates.  After the setup, you can use it from Gnus with:

(setq mml-smime-use 'epg)

0. Install gpgsm, dirmngr, etc.

   I'm using the following packages from Debian:

   ii  dirmngr        1.0.2-1        server for managing certificate revocation
   ii  gnupg-agent    2.0.9-3        GNU privacy guard - password agent
   ii  gpgsm          2.0.9-3        GNU privacy guard - S/MIME version
   ii  iceweasel      3.0.1-1        lightweight web browser based on Mozilla

1. Create your client certificate with Firefox.

1.1. Go to http://www.cacert.org and create an account.

1.2. Log in with the account and make your client certificate.

1.3. Once the certificate is installed into the browser, you can
     export it with:

   Edit -> Preferences -> Advanced -> Encryption -> View Certificates ->
   	Your Certificates -> Backup

   We will call the file `cacert.p12' hereafter.

2. Set up gpgsm to use your certificate.

2.1. Start gpg-agent if it is not running.

   $ eval `gpg-agent --daemon --sh`

2.2. Import the certificate into gpgsm's keyring.

   $ gpgsm --import cacert.p12

   $ gpgsm --list-keys

2.3. Import the CRL for the root certificate.

   $ gpgsm --dump-keys cacert | grep crlDP
        crlDP: https://www.cacert.org/revoke.crl

   $ wget -O ~/revoke.crl https://www.cacert.org/revoke.crl

   $ gpgsm --call-dirmngr loadcrl ~/revoke.crl

2.4. Mark the CA certificate as trusted.

   Add the following line to ~/.gnupg/trustlist.txt.

   135CEC36F49CB8E93B1AB270CD80884676CE8F33 S

   The first column is the fingerprint of the root certificate (see
   the output of `gpgsm --list-keys').

2.5. Try to create a digital signature with gpgsm.

   $ echo test test test > test.txt

   $ gpgsm -u 0xE4438BB4 --output test.txt.sig --sign test.txt

   0xE4438BB4 is the keygrip of your certificate (see the output of
   `gpgsm --list-keys').

   $ gpgsm --output - --verify test.txt.sig
   test test test
   gpgsm: Signature made 2008-09-17 06:23:52 using certificate ID 0xE4438BB4
   gpgsm: Good signature from "/CN=CAcert WoT User/EMail=ueno@unixuser.org"
   gpgsm:                 aka "ueno@unixuser.org"

Regards,
-- 
Daiki Ueno

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 1695 bytes --]
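
Step 2.4 above edits trustlist.txt by hand. As an added example (not part of the original message, and not code from gpgsm or Gnus), the shell helpers below check how a fingerprint is currently listed before appending it. The function names are hypothetical; the assumed file format is gpg-agent's: one fingerprint per line, optional colons between bytes, an optional leading `!` for "not trusted", then a flag such as `S`.

```sh
# Added example: inspect and update gpg-agent's trustlist.txt (step 2.4).
# Helper names are hypothetical; they are not part of gpgsm or Gnus.

# Normalize a fingerprint: drop colons and spaces, uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Succeed only if $1 is a SHA-1 fingerprint (40 hex digits) once normalized.
valid_fpr() {
    f=$(norm_fpr "$1")
    [ "${#f}" -eq 40 ] || return 1
    case $f in *[!0-9A-F]*) return 1 ;; esac
}

# Print how fingerprint $2 is listed in trustlist file $1:
#   trusted  (S or * flag), disabled (leading "!"), other, or absent.
trust_state() {
    want=$(norm_fpr "$2")
    [ -f "$1" ] || { echo absent; return 0; }
    awk -v want="$want" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blanks
        {
            fpr = toupper($1); gsub(/:/, "", fpr)
            off = (substr(fpr, 1, 1) == "!")
            if (off) fpr = substr(fpr, 2)
            if (fpr != want) next
            if (off) state = "disabled"
            else if ($2 == "S" || $2 == "*") state = "trusted"
            else state = "other"
            found = 1; exit
        }
        END { print (found ? state : "absent") }
    ' "$1"
}

# Append "<FPR> S" to file $1 unless the fingerprint is already listed.
# Rejects malformed input and never overrides a "!" (disabled) entry.
trust_add() {
    valid_fpr "$2" || { echo "invalid fingerprint" >&2; return 2; }
    case $(trust_state "$1" "$2") in
        trusted) return 0 ;;
        absent)  printf '%s S\n' "$(norm_fpr "$2")" >> "$1" ;;
        *)       echo "existing entry needs manual review" >&2; return 1 ;;
    esac
}
# Usage: trust_add ~/.gnupg/trustlist.txt 135CEC36F49CB8E93B1AB270CD80884676CE8F33
```
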

Thread overview: 9+ messages
2008-09-15 14:24 Norman Walsh
2008-09-16  8:15 ` Steinar Bang
2008-09-16  8:23   ` Steinar Bang
2008-09-16  8:51 ` David Engster
2008-09-16  9:23   ` Rupert Swarbrick
2008-09-16  9:34     ` David Engster
2008-09-16  9:42       ` Rupert Swarbrick
2008-09-17  7:16   ` Daiki Ueno [this message]
2008-09-17 10:34     ` David Engster
