From: Arne Jørgensen
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Get certificate from LDAP for S/MIME encryption (patch)
Date: Fri, 18 Feb 2005 00:32:52 +0100
Organization: Arne Joergensen -- http://arnested.dk/
Message-ID: <87zmy2ahjv.fsf@seamus.arnested.dk>
References: <87u0ohv8vg.fsf@seamus.arnested.dk> <878y5sfnk9.fsf@seamus.arnested.dk>
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)

Arne Jørgensen writes:

> - haven't verified this recently, but I think gnus will send a message
> even though openssl fails (i.e. because of a typo in the password).
> This should probably be considered a security bug.

It will send a mail unsigned if you make an error typing your password. The attached patch will avoid this (and also if encryption fails).

The patch also adds a bit to the doc for `smime-ldap-host-list'.

And since the PEM format is just a base64 of DER there is really no reason to call openssl to do the conversion, so I rewrote `smime-cert-by-ldap-1' to use `base64-encode-string' instead. Also in the patch.

Kind regards,
-- 
Arne Jørgensen

[Attachment: smime.patch]

Index: lisp/smime.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v
retrieving revision 7.8
diff -u -p -r7.8 smime.el
--- lisp/smime.el	14 Feb 2005 15:24:44 -0000	7.8
+++ lisp/smime.el	17 Feb 2005 23:16:37 -0000
@@ -218,7 +218,9 @@ If nil, use system defaults." :group 'smime) (defcustom smime-ldap-host-list nil - "A list of LDAP hosts with S/MIME user certificates." + "A list of LDAP hosts with S/MIME user certificates. +If needed search base, binddn, passwd, etc. for the LDAP host +must be set in `ldap-host-parameters-alist'." :type '(repeat (string :tag "Host name")) :group 'smime) @@ -339,16 +341,17 @@ is expected to contain of a PEM encoded KEYFILE should contain a PEM encoded key and certificate." (interactive) (with-current-buffer (or buffer (current-buffer)) - (smime-sign-region - (point-min) (point-max) - (if keyfile - keyfile - (smime-get-key-with-certs-by-email - (completing-read - (concat "Sign using which key? " - (if smime-keys (concat "(default " (caar smime-keys) ") ") - "")) - smime-keys nil nil (car-safe (car-safe smime-keys)))))))) + (unless (smime-sign-region + (point-min) (point-max) + (if keyfile + keyfile + (smime-get-key-with-certs-by-email + (completing-read + (concat "Sign using which key? " + (if smime-keys (concat "(default " (caar smime-keys) ") ") + "")) + smime-keys nil nil (car-safe (car-safe smime-keys)))))) + (error "Signing failed")))) (defun smime-encrypt-buffer (&optional certfiles buffer) "S/MIME encrypt BUFFER for recipients specified in CERTFILES. @@ -357,11 +360,12 @@ a PEM encoded key and certificate. Uses nil." (interactive) (with-current-buffer (or buffer (current-buffer)) - (smime-encrypt-region - (point-min) (point-max) - (or certfiles - (list (read-file-name "Recipient's S/MIME certificate: " - smime-certificate-directory nil)))))) + (unless (smime-encrypt-region + (point-min) (point-max) + (or certfiles + (list (read-file-name "Recipient's S/MIME certificate: " + smime-certificate-directory nil)))) + (error "Encryption failed")))) ;; Verify+decrypt region 
@@ -567,21 +571,21 @@ A string or a list of strings is returne "Get cetificate for MAIL from the ldap server at HOST." (let ((ldapresult (smime-ldap-search (concat "mail=" mail) host '("userCertificate") nil)) - (retbuf (generate-new-buffer (format "*certificate for %s*" mail)))) + (retbuf (generate-new-buffer (format "*certificate for %s*" mail))) + cert) (if (> (length ldapresult) 1) (with-current-buffer retbuf - (set-buffer-multibyte nil) - (insert (nth 1 (car (nth 1 ldapresult)))) - (goto-char (point-min)) - (if (smime-call-openssl-region (point-min) (point-max) t "x509" - "-inform" "DER" "-outform" "PEM") - (progn - (delete-region (point) (point-max)) - retbuf) - (kill-buffer retbuf) - nil)) + (setq cert (base64-encode-string (nth 1 (car (nth 1 ldapresult))) t)) + (insert "-----BEGIN CERTIFICATE-----\n") + (let ((i 0) (len (length cert))) + (while (> (- len 64) i) + (insert (substring cert i (+ i 64)) "\n") + (setq i (+ i 64))) + (insert (substring cert i len) "\n")) + (insert "-----END CERTIFICATE-----\n")) (kill-buffer retbuf) - nil))) + (setq retbuf nil)) + retbuf)) (defun smime-cert-by-ldap (mail) "Find certificate via LDAP for address MAIL." --=-=-=--
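Review bot: in the `smime-ldap-host-list' hunk (@@ -218) the added docstring sentence reads awkwardly ("If needed search base, binddn, passwd, etc. for the LDAP host must be set in ..."); suggest "If the LDAP host needs a search base, bind DN, password, etc., set them in `ldap-host-parameters-alist'." Since this is where a bind password would end up, it is worth saying in the docstring that the value sits in clear text in the user's init file, so users know to prefer an anonymous bind where the directory allows one.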
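Review bot: the new `unless` in `smime-sign-buffer' (@@ -339) assumes `smime-sign-region' returns nil when openssl fails rather than signalling or returning some other value; that function is not in the diff, so confirm its return convention, and confirm that it leaves the region untouched on failure, because `(error "Signing failed")` only prevents the send if the caller has not already consumed a half-modified buffer. Because the check lives only in the buffer wrapper, any caller that uses `smime-sign-region' directly keeps the old silent behaviour; raising the error inside the region function would cover both paths.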
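Review bot: the `smime-encrypt-buffer' hunk (@@ -357) has the same dependency: the `unless` relies on `smime-encrypt-region' returning nil on failure, which the hunk does not show. The bare "Encryption failed" message also gives the user no way to tell a mistyped passphrase from a missing or unusable recipient certificate; naming the openssl details buffer in the error text would make a failed encryption diagnosable without a second attempt.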
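Review bot: in `smime-cert-by-ldap-1' (@@ -567) the new branch drops the `(set-buffer-multibyte nil)` that preceded the insert and passes `(nth 1 (car (nth 1 ldapresult)))` straight to `base64-encode-string'; if that value arrives as a multibyte string, `base64-encode-string' signals "Multibyte character in data for base64 encoding", so make sure the LDAP result is unibyte (or convert it) before encoding. The rewrite also removes the only validation the old code performed: the `x509 -inform DER` call failed, killed the buffer and returned nil for a value that was not a certificate, whereas now any attribute value gets wrapped in BEGIN/END CERTIFICATE markers and the failure surfaces later, at encryption time, with a less specific error. A cheap check that the blob starts with a DER SEQUENCE (0x30) whose encoded length equals the blob size would keep that guarantee. The 64-column wrap loop is correct, including when the base64 length is an exact multiple of 64. Minor: the docstring context line still reads "cetificate".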
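The message's claim that PEM is just base64 of the DER bytes, wrapped at 64 columns, plus the sanity check the old openssl call used to provide, as an added example (not part of the post or of Gnus; the DER blobs below are constructed, not real certificates):

```python
import base64


def der_outer_length(der: bytes) -> int:
    """Total length of the outermost DER SEQUENCE in DER (header + content).

    Raises ValueError if the blob does not start with a SEQUENCE tag (0x30)
    or carries a malformed length field.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: number of length octets
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        raise ValueError("bad DER length field")
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def der_blob_ok(der: bytes) -> bool:
    """True if DER is a single, complete SEQUENCE whose length matches the blob."""
    try:
        return der_outer_length(der) == len(der)
    except ValueError:
        return False


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Encode DER as PEM: base64, 64 characters per line, BEGIN/END markers.

    Refuses input that is not a well-formed outer SEQUENCE, which mirrors the
    check the `openssl x509 -inform DER` step gave the original code.
    """
    if not der_blob_ok(der):
        raise ValueError("DER length does not match blob size")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem: strip the markers and decode the base64 body."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


# Constructed blobs: a long-form length (203 bytes -> 272 base64 chars, so the
# last line is partial) and a short-form one (96 bytes -> exactly two lines).
SAMPLE_LONG = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_EXACT = b"\x30\x5e" + bytes(94)
```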