Gnus development mailing list
* Patch to enable CRL check when verifying S/MIME signed articles
@ 2003-12-04 21:28 Arne Jørgensen
  2003-12-05  0:56 ` Simon Josefsson
  2003-12-10 22:15 ` Arne Jørgensen
  0 siblings, 2 replies; 8+ messages in thread
From: Arne Jørgensen @ 2003-12-04 21:28 UTC (permalink / raw)


[-- Attachment #1: Type: text/plain, Size: 282 bytes --]

Hi,

This patch will have Gnus/OpenSSL check the revocation status of a
signer's certificate when verifying a signed article (it passes
the -crl_check option on to openssl).

At least OpenSSL version 0.9.7 is required (the -crl_check option
was not present prior to this).


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Enable CRL check when verifying S/MIME signed articles --]
[-- Type: text/x-patch, Size: 1786 bytes --]

Index: smime.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v
retrieving revision 6.31
diff -c -r6.31 smime.el
*** smime.el	25 Jul 2003 00:53:09 -0000	6.31
--- smime.el	4 Dec 2003 21:19:07 -0000
***************
*** 184,189 ****
--- 184,210 ----
  		 (const :tag "RC2 128 bits" "-rc2-128"))
    :group 'smime)
  
+ (defcustom smime-crl-check nil
+   "*Check revocation status of signers certificate using CRLs.
+ Enabling this will have OpenSSL check the signers certificate
+ against a certificate revocation list (CRL).
+ 
+ For this to work you the CRL must be up-to-date and since they
+ are normally updated quite often (ie. several times a day) you
+ probably need some tool to keep them up-to-date. Unfortunately
+ Gnus cannot do this for you.
+ 
+ The CRL should either be appended (in PEM format) to your
+ `smime-CA-file' or be located in a file (also in PEM format) in
+ your `smime-certificate-directory' named to the X.509 hash of the
+ certificate with .r0 as file name extension.
+ 
+ At least OpenSSL version 0.9.7 is required for this to work."
+   :type '(choice (const :tag "No check" nil)
+ 		 (const :tag "Check certificate" "-crl_check")
+ 		 (const :tag "Check certificate chain" "-crl_check_all"))
+   :group 'smime)
+ 
  (defcustom smime-dns-server nil
    "*DNS server to query certificates from.
  If nil, use system defaults."
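Review bot: The docstring sentence "For this to work you the CRL must be up-to-date" has a stray "you" that should be dropped. The same docstring tells users to put the hashed .r0 file in `smime-certificate-directory`, while the verify code in the next hunk builds its OpenSSL arguments from `smime-CA-directory`; please confirm which directory OpenSSL is actually pointed at for CRL lookup and name that one here.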
***************
*** 348,353 ****
--- 369,376 ----
  			       (expand-file-name smime-CA-directory))))))
      (unless CAs
        (error "No CA configured"))
+     (if smime-crl-check
+ 	(add-to-list 'CAs  smime-crl-check))
      (if (apply 'smime-call-openssl-region b e (list smime-details-buffer t)
  	       "smime" "-verify" "-out" "/dev/null" CAs)
  	t
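Review bot: `(add-to-list 'CAs  smime-crl-check)` uses `add-to-list` on what appears to be a local variable and slips an option flag into a list named for CA arguments; `(when smime-crl-check (push smime-crl-check CAs))` says the same thing more directly and drops the doubled space. The value also goes to openssl unchecked, so a user who sets the variable with `setq` to `t` or to some other string gets an opaque failure from the verify call; consider accepting only "-crl_check" and "-crl_check_all" before adding it.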

[-- Attachment #3: Type: text/plain, Size: 187 bytes --]


Kind regards,
-- 
Arne Jørgensen
Valby Langgade 272, 1. tv., DK-2500 Valby, Denmark
phone: +45 36 44 18 03, mobile: +45 21 65 01 13
email: arne@arnested.dk, <http://arnested.dk/>
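
The behaviour the patch switches on, as an added example that is not part of the original thread or of Gnus: `smime -verify` with `-crl_check` fails when no CRL is available, succeeds with a fresh CRL, and fails again once the signer is revoked. It assumes the `openssl` command-line tool is installed; the CA, signer, message and the name `crl_check_demo` are constructed for the demo, and `-CApath` stands in for whatever directory smime.el passes.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA, signer and message are generated in a temp dir.
# Echoes three results: verify with no CRL, with a fresh CRL, and after revocation.
crl_check_demo() (
  set -e
  d=$(mktemp -d) && cd "$d"
  mkdir issued capath && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<EOF
[ca]
default_ca = demo
[demo]
database = $d/index.txt
new_certs_dir = $d/issued
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 1
policy = pol
[pol]
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  ca() { openssl ca -batch -notext -config ca.cnf -cert ca.pem -keyfile ca.key "$@" 2>/dev/null; }
  # CRLs are looked up by issuer-name hash, which is what `openssl crl -hash` prints.
  publish_crl() { ca -gencrl -out crl.pem; cp crl.pem "capath/$(openssl crl -hash -noout -in crl.pem).r0"; }
  verify() {  # call shape used in the patch (smime -verify -out /dev/null) plus the CRL flag
    if openssl smime -verify -in msg.eml -out /dev/null -CApath capath -crl_check 2>/dev/null
    then echo ok; else echo fail; fi
  }
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo CA" \
    -days 30 -keyout ca.key -out ca.pem 2>/dev/null
  cp ca.pem "capath/$(openssl x509 -hash -noout -in ca.pem).0"
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo Signer" \
    -keyout user.key -out user.csr 2>/dev/null
  ca -in user.csr -out user.pem
  echo "constructed message" |
    openssl smime -sign -signer user.pem -inkey user.key -out msg.eml 2>/dev/null
  r1=$(verify)                                     # no CRL published yet
  publish_crl; r2=$(verify)                        # fresh CRL, signer not listed
  ca -revoke user.pem; publish_crl; r3=$(verify)   # signer now on the CRL
  cd / && rm -rf "$d"
  echo "$r1 $r2 $r3"
)
```

Calling `crl_check_demo` echoes the three outcomes in order; the first one shows that a missing CRL is treated as a verification failure, not skipped.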


* Re: Patch to enable CRL check when verifying S/MIME signed articles
  2003-12-04 21:28 Patch to enable CRL check when verifying S/MIME signed articles Arne Jørgensen
@ 2003-12-05  0:56 ` Simon Josefsson
  2003-12-31  3:24   ` Lars Magne Ingebrigtsen
  2003-12-10 22:15 ` Arne Jørgensen
  1 sibling, 1 reply; 8+ messages in thread
From: Simon Josefsson @ 2003-12-05  0:56 UTC (permalink / raw)
  Cc: ding

Arne Jørgensen <arne@arnested.dk> writes:

> Hi,
>
> This patch will have Gnus/OpenSSL check the revocation status of a
> signer's certificate when verifying a signed article (it passes
> the -crl_check option on to openssl).

Thanks for the contribution.  Would you be willing to assign the
copyright to the FSF, so it can be installed?  It was mostly
documentation, but it is close to the limit of 10-15 lines of code, so
assignment might be needed.  (If someone else has a more authoritative
opinion, please advise.)





* Re: Patch to enable CRL check when verifying S/MIME signed articles
  2003-12-04 21:28 Patch to enable CRL check when verifying S/MIME signed articles Arne Jørgensen
  2003-12-05  0:56 ` Simon Josefsson
@ 2003-12-10 22:15 ` Arne Jørgensen
  1 sibling, 0 replies; 8+ messages in thread
From: Arne Jørgensen @ 2003-12-10 22:15 UTC (permalink / raw)


[-- Attachment #1: Type: text/plain, Size: 435 bytes --]

Arne Jørgensen <arne@arnested.dk> writes:

> Hi,
>
> This patch will have Gnus/OpenSSL check the revocation status of a
> signer's certificate when verifying a signed article (it passes
> the -crl_check option on to openssl).
>
> At least OpenSSL version 0.9.7 is required (the -crl_check option
> was not present prior to this).

This patch fixes the documentation (better English but probably not
perfect :-).


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Enable CRL check when verifying S/MIME signed articles --]
[-- Type: text/x-patch, Size: 1783 bytes --]

Index: smime.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v
retrieving revision 6.31
diff -c -r6.31 smime.el
*** smime.el	25 Jul 2003 00:53:09 -0000	6.31
--- smime.el	10 Dec 2003 22:11:13 -0000
***************
*** 184,189 ****
--- 184,210 ----
  		 (const :tag "RC2 128 bits" "-rc2-128"))
    :group 'smime)
  
+ (defcustom smime-crl-check nil
+   "*Check revocation status of signers certificate using CRLs.
+ Enabling this will have OpenSSL check the signers certificate
+ against a certificate revocation list (CRL).
+ 
+ For this to work the CRL must be up-to-date and since they are
+ normally updated quite often (ie. several times a day) you
+ probably need some tool to keep them up-to-date. Unfortunately
+ Gnus cannot do this for you.
+ 
+ The CRL should either be appended (in PEM format) to your
+ `smime-CA-file' or be located in a file (also in PEM format) in
+ your `smime-certificate-directory' named to the X.509 hash of the
+ certificate with .r0 as file name extension.
+ 
+ At least OpenSSL version 0.9.7 is required for this to work."
+   :type '(choice (const :tag "No check" nil)
+ 		 (const :tag "Check certificate" "-crl_check")
+ 		 (const :tag "Check certificate chain" "-crl_check_all"))
+   :group 'smime)
+ 
  (defcustom smime-dns-server nil
    "*DNS server to query certificates from.
  If nil, use system defaults."
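Review bot: In the docstring, "named to the X.509 hash of the certificate" does not say which certificate, and OpenSSL looks a CRL up by the hash of its issuer name (the value `openssl crl -hash` prints), not by anything derived from the signer's certificate. Suggest wording along the lines of "named after the hash of the CRL issuer (see `openssl crl -hash`), with .r0 as file name extension". While there, "signers certificate" should read "signer's certificate" and "ie." should be "i.e.".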
***************
*** 348,353 ****
--- 369,376 ----
  			       (expand-file-name smime-CA-directory))))))
      (unless CAs
        (error "No CA configured"))
+     (if smime-crl-check
+ 	(add-to-list 'CAs  smime-crl-check))
      (if (apply 'smime-call-openssl-region b e (list smime-details-buffer t)
  	       "smime" "-verify" "-out" "/dev/null" CAs)
  	t
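Review bot: The `(if smime-crl-check ...)` form adds the flag with no check that the installed openssl accepts it, although the docstring in the first hunk says 0.9.7 or later is required. With an older binary the unknown option makes the whole `smime -verify` call fail, so every signed article would appear unverifiable; either probe the version once before adding the flag or have the docstring say that this is the symptom.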

[-- Attachment #3: Type: text/plain, Size: 187 bytes --]


Kind regards,
-- 
Arne Jørgensen
Valby Langgade 272, 1. tv., DK-2500 Valby, Denmark
phone: +45 36 44 18 03, mobile: +45 21 65 01 13
email: arne@arnested.dk, <http://arnested.dk/>


* Re: Patch to enable CRL check when verifying S/MIME signed articles
  2003-12-05  0:56 ` Simon Josefsson
@ 2003-12-31  3:24   ` Lars Magne Ingebrigtsen
  2003-12-31 10:13     ` Arne Jørgensen
  0 siblings, 1 reply; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2003-12-31  3:24 UTC (permalink / raw)


Simon Josefsson <jas@extundo.com> writes:

> Thanks for the contribution.  Would you be willing to assign the
> copyright to the FSF, so it can be installed?  It was mostly
> documentation, but it is close to the limit of 10-15 lines of code, so
> assignment might be needed.  (If someone else has a more authoritative
> opinion, please advise.)

I think assignment papers are necessary.

Here's the standard copyright assignment request mail:

-----------------------------

Please email the following information to fsf-records@gnu.org, and we
will send you the assignment form for your past and future changes.
Please use your full name as the subject line of the message.


[What is the name of the program or package you're contributing to?]


[Did you copy any files or text written by someone else in these changes?
Even if that material is free software, we need to know about it.]


[Do you have an employer who might have a basis to claim to own
your changes?  Do you attend a school which might make such a claim?]


[For the copyright registration, what country are you a citizen of?]


[What year were you born?]


[Please write your email address here.]


[Please write your postal address here.]





[Which files have you changed so far, and which new files have you written
so far?]


-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: Patch to enable CRL check when verifying S/MIME signed articles
  2003-12-31  3:24   ` Lars Magne Ingebrigtsen
@ 2003-12-31 10:13     ` Arne Jørgensen
  2004-01-02 19:53       ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 8+ messages in thread
From: Arne Jørgensen @ 2003-12-31 10:13 UTC (permalink / raw)


Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

> Simon Josefsson <jas@extundo.com> writes:
>
>> Thanks for the contribution.  Would you be willing to assign the
>> copyright to the FSF, so it can be installed?  It was mostly
>> documentation, but it is close to the limit of 10-15 lines of code, so
>> assignment might be needed.  (If someone else has a more authoritative
>> opinion, please advise.)
>
> I think assignment papers are necessary.

Simon already instructed me on this. The papers were signed and
returned just before Christmas.

Kind regards,
-- 
Arne Jørgensen
Valby Langgade 272, 1. tv., DK-2500 Valby, Denmark
phone: +45 36 44 18 03, mobile: +45 21 65 01 13
email: arne@arnested.dk, <http://arnested.dk/>





* Re: Patch to enable CRL check when verifying S/MIME signed articles
  2003-12-31 10:13     ` Arne Jørgensen
@ 2004-01-02 19:53       ` Lars Magne Ingebrigtsen
  2004-01-02 20:20         ` Arne Jørgensen
  0 siblings, 1 reply; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2004-01-02 19:53 UTC (permalink / raw)


Arne Jørgensen <arne@arnested.dk> writes:

> Simon already instructed me on this. The papers were signed and
> returned just before Christmas.

Ok.  Could you send me a new patch; the old one doesn't apply any
more, apparently..

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: Patch to enable CRL check when verifying S/MIME signed articles
  2004-01-02 19:53       ` Lars Magne Ingebrigtsen
@ 2004-01-02 20:20         ` Arne Jørgensen
  2004-01-02 20:24           ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 8+ messages in thread
From: Arne Jørgensen @ 2004-01-02 20:20 UTC (permalink / raw)


[-- Attachment #1: Type: text/plain, Size: 476 bytes --]

Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

> Arne Jørgensen <arne@arnested.dk> writes:
>
>> Simon already instructed me on this. The papers were signed and
>> returned just before Christmas.
>
> Ok.  Could you send me a new patch; the old one doesn't apply any
> more, apparently..

That's because Simon applied the patch without most of the
documentation (until we were sure the papers had arrived at the FSF).

This patch adds the full documentation:


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: smime_crl.patch --]
[-- Type: text/x-patch, Size: 1526 bytes --]

Index: smime.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v
retrieving revision 6.32
diff -c -r6.32 smime.el
*** smime.el	30 Dec 2003 21:10:19 -0000	6.32
--- smime.el	30 Dec 2003 22:37:17 -0000
***************
*** 185,191 ****
    :group 'smime)
  
  (defcustom smime-crl-check nil
!   "*Check revocation status of signers certificate using CRLs."
    :type '(choice (const :tag "No check" nil)
  		 (const :tag "Check certificate" "-crl_check")
  		 (const :tag "Check certificate chain" "-crl_check_all"))
--- 185,205 ----
    :group 'smime)
  
  (defcustom smime-crl-check nil
!   "*Check revocation status of signers certificate using CRLs.
! Enabling this will have OpenSSL check the signers certificate
! against a certificate revocation list (CRL).
! 
! For this to work the CRL must be up-to-date and since they are
! normally updated quite often (ie. several times a day) you
! probably need some tool to keep them up-to-date. Unfortunately
! Gnus cannot do this for you.
! 
! The CRL should either be appended (in PEM format) to your
! `smime-CA-file' or be located in a file (also in PEM format) in
! your `smime-certificate-directory' named to the X.509 hash of the
! certificate with .r0 as file name extension.
! 
! At least OpenSSL version 0.9.7 is required for this to work."
    :type '(choice (const :tag "No check" nil)
  		 (const :tag "Check certificate" "-crl_check")
  		 (const :tag "Check certificate chain" "-crl_check_all"))
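Review bot: The new docstring says the CRL must be up-to-date but not what the user will see when it is not. With `-crl_check`, OpenSSL fails verification when it finds no CRL for the issuer or when the CRL it finds has expired, so a stale or missing CRL shows up as a failed signature check on an otherwise good message. One sentence after "Unfortunately Gnus cannot do this for you." stating that would keep users from suspecting the message instead of their CRL.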

[-- Attachment #3: Type: text/plain, Size: 187 bytes --]


Kind regards,
-- 
Arne Jørgensen
Valby Langgade 272, 1. tv., DK-2500 Valby, Denmark
phone: +45 36 44 18 03, mobile: +45 21 65 01 13
email: arne@arnested.dk, <http://arnested.dk/>


* Re: Patch to enable CRL check when verifying S/MIME signed articles
  2004-01-02 20:20         ` Arne Jørgensen
@ 2004-01-02 20:24           ` Lars Magne Ingebrigtsen
  0 siblings, 0 replies; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2004-01-02 20:24 UTC (permalink / raw)


Arne Jørgensen <arne@arnested.dk> writes:

> That's because Simon applied the patch without most of the
> documentation (until we were sure the papers had arrived at the FSF).
>
> This patch adds the full documentation:

Thanks for the patch; I've applied it to Gnus v5.10.4 (i.e., CVS).

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen



