From: Vladimir Volovich
Newsgroups: gmane.emacs.gnus.general
Subject: Re: decrypting S/MIME messages
Date: Sun, 29 Jul 2001 17:00:59 +0400
In-Reply-To: (Simon Josefsson's message of "Sun, 29 Jul 2001 03:13:23 +0200")
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.0.103

"SJ" == Simon Josefsson writes:

 SJ> Ok, S/MIME decryption works for me now, tell me if it works for
 SJ> you.

Not yet. When viewing such S/MIME encrypted messages (even generated by
gnus itself), I get an error:

  signal(error ("Could not identify PKCS#7 type"))
  error("Could not identify PKCS#7 type")
  mm-view-pkcs7-get-type((# ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  mm-view-pkcs7((# ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  mm-display-inline((# ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  mm-display-part((# ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil) t)
  byte-code("..." [ignored type handle not-attachment display text string-match throw nil mm-inline-override-p 4 "inline" mm-attachment-override-p mm-automatic-display-p mm-inlinable-p mm-inlined-p mm-automatic-external-display-p t split-string mm-handle-media-type "/" "text" gnus-unbuttonized-mime-type-p gnus-insert-mime-button gnus-article-insert-newline -1 (set-buffer gnus-summary-buffer) ((error)) mm-display-part mm-insert-inline mm-get-part gnus-treat-article bufferp 1 gnus-article-mime-handle-alist beg id move gnus-newsgroup-charset gnus-newsgroup-ignored-charsets mail-parse-ignored-charsets mail-parse-charset gnus-article-mime-handles] 7)
  gnus-mime-display-single((# ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  gnus-mime-display-part((# ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  gnus-display-mime()
  gnus-article-prepare-display()
  gnus-article-prepare(466 nil)
  gnus-summary-display-article(466 nil)
  gnus-summary-select-article(nil force)
  gnus-summary-show-article(nil)
  call-interactively(gnus-summary-show-article)

(As previously, if I manually call smime-decrypt-buffer, I could read
the decrypted message.)

 SJ> S/MIME signatures using opaque PKCS#7 blobs aren't implemented, if
 SJ> someone encounters these I'd prefer a bug report to find out what
 SJ> mailer creates such beasts. (Adding support for them in Gnus is a
 SJ> five-liner.)

BTW, I also had to modify smime.el to make it work for me. Here is the
patch (it is very simplistic, and needs customization):

--- smime.el Sun Jul 29 14:05:20 2001 +++ /opt/local/vvv/emacs/gnus/lisp/smime.el Sun Jul 29 14:12:34 2001 
@@ -201,7 +201,7 @@ ;; OpenSSL wrappers. (defun smime-call-openssl-region (b e buf &rest args) - (case (apply 'call-process-region b e smime-openssl-program nil buf nil args) + (case (apply 'call-process-region b e smime-openssl-program nil (list buf nil) nil args) (0 t) (1 (message "OpenSSL: An error occurred parsing the command options.") nil) (2 (message "OpenSSL: One of the input files could not be read.") nil) @@ -229,7 +229,7 @@ (if passphrase (setenv "GNUS_SMIME_PASSPHRASE" passphrase)) (prog1 - (when (apply 'smime-call-openssl-region b e buffer "smime" "-sign" + (when (apply 'smime-call-openssl-region b e buffer "smime" "-sign" "-rand" "/etc/entropy" "-signer" (expand-file-name keyfile) (append (smime-make-certfiles certfiles) @@ -254,7 +254,7 @@ is expected to contain of a PEM encoded certificate." (let ((buffer (generate-new-buffer (generate-new-buffer-name " *smime*")))) (prog1 - (when (apply 'smime-call-openssl-region b e buffer "smime" "-encrypt" + (when (apply 'smime-call-openssl-region b e buffer "smime" "-rand" "/etc/entropy" "-encrypt" smime-encrypt-cipher (mapcar 'expand-file-name certfiles)) (delete-region b e) (insert-buffer buffer)

The first hunk makes stderr ignored from openssl process. Otherwise, I
get messages like

  255 semi-random bytes loaded

into the generated MIME messages when encrypting or signing my
messages.

Other hunks add "-rand" "/etc/entropy" to openssl arguments in a few
places (maybe some other places will also need similar changes, but
not all -- e.g. decrypting and verifying do not require access to
/etc/entropy).

On Solaris, there is no /dev/random, and we had to install a
/etc/entropy -- see PRNGD - Pseudo Random Number Generator Daemon:
http://www.aet.TU-Cottbus.DE/personen/jaenicke/postfix_tls/prngd.html

Maybe, such arguments should not be added unconditionally, but better
via some variable (e.g. smime-openssl-rand-argument) which defaults to
nil but could be set to "/etc/entropy" or whatever.

Best,
v.
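
Review bot: In the first hunk (@@ -201,7 +201,7 @@), passing (list buf nil) as the destination discards OpenSSL's stderr for every caller of smime-call-openssl-region, on failure as well as on success, so the only feedback left is the generic per-exit-code message in the case arms below it. call-process-region also accepts a file name as the second element of that list; sending stderr to a temporary file and showing its contents when the exit status is non-zero would keep "255 semi-random bytes loaded" out of the MIME output without losing the real error text.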
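
Review bot: The second hunk (@@ -229,7 +229,7 @@) hard-codes "-rand" "/etc/entropy" into the "-sign" call, which ties signing to a path that exists only on hosts set up like the Solaris machine described in the message. Take the value from a variable that defaults to nil, as the message itself proposes (smime-openssl-rand-argument), add the two arguments only when it is set, and give the variable a docstring saying what kind of seed source it should name.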
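
Review bot: In the third hunk (@@ -254,7 +254,7 @@) the new arguments are placed before "-encrypt", while the signing hunk places them after "-sign"; use one position in both calls so the argument lists stay easy to compare, and share one variable rather than repeating the literal path. Because the first hunk now drops stderr, anything openssl reports about the seed file during encryption would go unseen, so this call in particular needs a way to surface that output.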