From: Daiki Ueno
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Decoding application/x-pkcs7-mime?
Date: Wed, 17 Sep 2008 16:16:57 +0900
Message-ID: <87r67jqm1i.fsf@broken.deisui.org>
To: ding@gnus.org
In-Reply-To: (David Engster's message of "Tue, 16 Sep 2008 10:51:47 +0200")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.60 (gnu/linux)

>>>>> In
>>>>> David Engster wrote:

> I also remember trying to use EPG and gnutls, but it didn't work at
> that time. If someone successfully uses S/MIME with those, I'd love to
> see an example setup.

Well, S/MIME may have several different formats (see RFC2633 3.8). As of
now Gnus' gpgsm backend does not handle all of them. In summary:

* sign using multipart/signed - supported
* verify using multipart/signed - supported
* verify using application/x-pkcs7-mime - not supported
* encrypt using application/pkcs7-mime - supported
* decrypt using application/pkcs7-mime - not supported

Other combinations of operations and formats such as:

* sign using application/pkcs7-mime
* decrypt using application/octet-stream

are not even supported by the OpenSSL backend.

By the way, for those who are interested in playing around with gpgsm, I
wrote short instructions to set up gpgsm with CAcert's client
certificates. After the setup, you can use it from Gnus with:

    (setq mml-smime-use 'epg)

0. Install gpgsm, dirmngr, etc.

   I'm using the following packages from Debian:

    ii  dirmngr      1.0.2-1  server for managing certificate revocation
    ii  gnupg-agent  2.0.9-3  GNU privacy guard - password agent
    ii  gpgsm        2.0.9-3  GNU privacy guard - S/MIME version
    ii  iceweasel    3.0.1-1  lightweight web browser based on Mozilla

1. Create your client certificate with Firefox.

1.1. Go to http://www.cacert.org and create an account.

1.2. Log in with the account and make your client certificate.

1.3. Once the certificate is installed into the browser, you can export
     it with:

     Edit -> Preferences -> Advanced -> Encryption -> View Certificates
          -> Your Certificates -> Backup

     We will call the file `cacert.p12' hereafter.

2. Set up gpgsm to use your certificate.

2.1. Start gpg-agent if it is not running.

    $ eval `gpg-agent --daemon --sh`

2.2. Import the certificate into gpgsm's keyring.

    $ gpgsm --import cacert.p12
    $ gpgsm --list-keys

2.3. Import the CRL for the root certificate.

    $ gpgsm --dump-keys cacert | grep crlDP
    crlDP: https://www.cacert.org/revoke.crl
    $ wget -O ~/revoke.crl https://www.cacert.org/revoke.crl
    $ gpgsm --call-dirmngr loadcrl ~/revoke.crl

2.4. Mark the CA certificate as trusted.

     Add the following line to ~/.gnupg/trustlist.txt.

    135CEC36F49CB8E93B1AB270CD80884676CE8F33 S

     The first column is the fingerprint of the root certificate (see
     the output of `gpgsm --list-keys').

2.5. Try to create a digital signature with gpgsm.

    $ echo test test test > test.txt
    $ gpgsm -u 0xE4438BB4 --output test.txt.sig --sign test.txt

     0xE4438BB4 is the keygrip of your certificate (see the output of
     `gpgsm --list-keys').

    $ gpgsm --output - --verify test.txt.sig
    test test test
    gpgsm: Signature made 2008-09-17 06:23:52 using certificate ID 0xE4438BB4
    gpgsm: Good signature from "/CN=CAcert WoT User/EMail=ueno@unixuser.org"
    gpgsm:                 aka "ueno@unixuser.org"

Regards,
--
Daiki Ueno
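Added example (not part of the original message, and not Gnus or gpgsm code): the formats in the support summary above can be told apart from the MIME headers alone, following the identification rules in RFC 2633 section 3.8. The function names and sample headers are constructed for illustration, the legacy "x-" type names are assumed to denote the same formats, and the support table only transcribes the receive-side rows of the summary as of September 2008.

```python
from email import message_from_string

# Receive-side rows of the support summary in the message above
# (Gnus' gpgsm backend, September 2008); other cases are not listed there.
GPGSM_RECEIVE_SUPPORT = {
    ("verify", "multipart/signed"): True,
    ("verify", "application/pkcs7-mime"): False,
    ("decrypt", "application/pkcs7-mime"): False,
}
# Assumption: the legacy "x-" names are treated as the same formats.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
SMIME_TYPE_OP = {"signed-data": "verify", "enveloped-data": "decrypt"}

def identify_smime(raw):
    """Return (operation, format) from the headers alone, or None."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol") or "").lower()
        return ("verify", ctype) if proto in PKCS7_SIG else None
    if ctype in PKCS7_MIME:
        smime_type = str(msg.get_param("smime-type") or "").lower()
        return (SMIME_TYPE_OP.get(smime_type, "unknown"), "application/pkcs7-mime")
    if ctype == "application/octet-stream":
        # Generic type: only the file suffix marks the part as S/MIME.
        name = (msg.get_filename() or "").lower()
        if name.endswith((".p7m", ".p7s", ".p7c")):
            return ("unknown", ctype)
    return None

def gpgsm_backend_handles(raw):
    """True/False per the summary; None when the summary does not cover it."""
    return GPGSM_RECEIVE_SUPPORT.get(identify_smime(raw))

# Constructed sample headers (bodies omitted), not taken from real mail.
SAMPLES = {
    "clear-signed": 'Content-Type: multipart/signed; micalg=sha1; boundary="b";'
                    ' protocol="application/pkcs7-signature"\n\n',
    "opaque-signed": "Content-Type: application/x-pkcs7-mime;"
                     " smime-type=signed-data; name=smime.p7m\n\n",
    "enveloped": "Content-Type: application/pkcs7-mime;"
                 " smime-type=enveloped-data; name=smime.p7m\n\n",
    "octet": "Content-Type: application/octet-stream\n"
             "Content-Disposition: attachment; filename=smime.p7m\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, identify_smime(raw), gpgsm_backend_handles(raw))
```

An "unknown" operation means the headers do not say whether the CMS object is signed or enveloped; that can only be decided by parsing the object itself.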