Gnus development mailing list
* decrypting S/MIME messages
@ 2001-07-27 16:26 Vladimir Volovich
  2001-07-28  2:29 ` Simon Josefsson
  0 siblings, 1 reply; 8+ messages in thread
From: Vladimir Volovich @ 2001-07-27 16:26 UTC (permalink / raw)


Hi!

when i receive an encrypted S/MIME message, gnus displays something
like

  From: someone@somewhere
  Subject: something
  To: Vladimir Volovich <vvv@vsu.ru>
  Date: Fri, 27 Jul 2001 20:01:57 +0400

  [1. S/MIME Encrypted Message --- application/x-pkcs7-mime; smime.p7m]...

and when i press on the button, gnus proposes to save the
base64-encoded encrypted message body into a file! (instead of
proposing to decrypt the message).

If i raw-preview the message (C-u g), copy all the contents into some
buffer, and call M-x smime-decrypt-buffer, i see the decrypted message
body just fine, but of course non-formatted.

or, if i save the raw message in a file, and run
openssl smime -decrypt -recip /home/noc/vvv/.certs/vvv-cert.pem < message.txt
i also see the correctly decrypted message.

The question is: how should i view encrypted s/mime messages? why
are there no calls to smime-decrypt-buffer done by gnus automatically?

Is it just not-yet-implemented, but all the framework is there already?

Best,
v.




* Re: decrypting S/MIME messages
  2001-07-27 16:26 decrypting S/MIME messages Vladimir Volovich
@ 2001-07-28  2:29 ` Simon Josefsson
  2001-07-29  1:13   ` Simon Josefsson
  0 siblings, 1 reply; 8+ messages in thread
From: Simon Josefsson @ 2001-07-28  2:29 UTC (permalink / raw)
  Cc: ding

Vladimir Volovich <vvv@vsu.ru> writes:

> The question is: how should i view encrypted s/mime messages? why
> are there no calls to smime-decrypt-buffer done by gnus automatically?
> 
> Is it just not-yet-implemented, but all the framework is there already?

You're right, the framework is there but the glue is missing.

There was a minor problem adding the glue, application/pkcs7-mime is a
catch-all MIME tag and it can be almost any PKCS#7 blob.  To find out
what kind of operation should be performed (decryption, verification,
or simple unwrapping) one needs to look inside the PKCS#7 blob.  I
wrote an ASN.1 parser in elisp and had everything almost working some
moons ago, but lost it in a harddisk crash.  The ASN.1 parser isn't
really necessary, a carefully constructed `looking-at' invocation is
sufficient, and unless I get very bored I won't write another ASN.1
parser so the `looking-at' approach is probably the way to go.  I've
almost finished this, and I'll try to get some time to commit it
tomorrow.



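The check described in the message above (read the start of the PKCS#7 blob to decide between decryption, verification and plain unwrapping), as an added example that is not part of the thread and is not Gnus code. It goes one step beyond a fixed-prefix match by skipping the BER length octets; all example-pkcs7-* names are hypothetical, and the input is assumed to be the already base64-decoded part as a unibyte string.

```elisp
;; Added example, not Gnus code.  Names are hypothetical.

(defconst example-pkcs7-oid-prefix
  (unibyte-string #x2a #x86 #x48 #x86 #xf7 #x0d #x01 #x07)
  "DER bytes of OID 1.2.840.113549.1.7, the PKCS#7 content-type arc.")

(defun example-pkcs7-skip-length (der pos)
  "Return the index just past the BER length field at POS in DER."
  (let ((b (aref der pos)))
    (cond ((< b #x80) (1+ pos))               ; short form, one octet
          ((= b #x80) (1+ pos))               ; indefinite form, one octet
          (t (+ pos 1 (logand b #x7f))))))    ; long form, N more octets

(defun example-pkcs7-type (der)
  "Classify the unibyte string DER as `data', `signed' or `enveloped'.
Return nil when DER does not start like a PKCS#7 ContentInfo,
including when it is too short to hold the header."
  (condition-case nil
      (when (= (aref der 0) #x30)             ; outer SEQUENCE tag
        (let* ((pos (example-pkcs7-skip-length der 1))
               (oid-len (and (= (aref der pos) #x06) ; OBJECT IDENTIFIER tag
                             (aref der (1+ pos))))
               (oid (and (eql oid-len 9)
                         (substring der (+ pos 2) (+ pos 11)))))
          (when (and oid (string-prefix-p example-pkcs7-oid-prefix oid))
            (pcase (aref oid 8)               ; last arc selects the type
              (1 'data)                       ; unwrap only
              (2 'signed)                     ; verify
              (3 'enveloped)))))              ; decrypt
    (args-out-of-range nil)))                 ; truncated input

;; Constructed sample headers: the same enveloped-data OID behind the
;; three length encodings an encoder may choose for the outer SEQUENCE.
(let ((oid (concat (unibyte-string #x06 #x09)
                   example-pkcs7-oid-prefix
                   (unibyte-string #x03))))
  (list (example-pkcs7-type (concat (unibyte-string #x30 #x80) oid))
        (example-pkcs7-type (concat (unibyte-string #x30 #x82 #x01 #x5c) oid))
        (example-pkcs7-type (concat (unibyte-string #x30 #x0b) oid))
        (example-pkcs7-type (unibyte-string #x30 #x80))))
```

The first three sample headers differ only in their length octets, which is exactly the part a literal prefix comparison cannot absorb; the fourth is a truncated header.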

* Re: decrypting S/MIME messages
  2001-07-28  2:29 ` Simon Josefsson
@ 2001-07-29  1:13   ` Simon Josefsson
  2001-07-29 13:00     ` Vladimir Volovich
  0 siblings, 1 reply; 8+ messages in thread
From: Simon Josefsson @ 2001-07-29  1:13 UTC (permalink / raw)
  Cc: ding

Vladimir Volovich <vvv@vsu.ru> writes:

> The question is: how should i view encrypted s/mime messages? why
> there are no calls to smime-decrypt-buffer done by gnus automatically?
> 
> Is it just not-yet-implemented, but all framework is there already?

Ok, S/MIME decryption works for me now, tell me if it works for you.

S/MIME signatures using opaque PKCS#7 blobs aren't implemented, if
someone encounters these I'd prefer a bug report to find out what
mailer creates such beasts. (Adding support for them in Gnus is a
five-liner.)




* Re: decrypting S/MIME messages
  2001-07-29  1:13   ` Simon Josefsson
@ 2001-07-29 13:00     ` Vladimir Volovich
  2001-07-29 14:44       ` Amos Gouaux
  2001-07-29 20:14       ` Simon Josefsson
  0 siblings, 2 replies; 8+ messages in thread
From: Vladimir Volovich @ 2001-07-29 13:00 UTC (permalink / raw)


"SJ" == Simon Josefsson writes:

 SJ> Ok, S/MIME decryption works for me now, tell me if it works for
 SJ> you.

Not yet. when viewing such S/MIME encrypted messages (even generated
by gnus itself), i get an error:

  signal(error ("Could not identify PKCS#7 type"))
  error("Could not identify PKCS#7 type")
  mm-view-pkcs7-get-type((#<buffer  *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  mm-view-pkcs7((#<buffer  *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  mm-display-inline((#<buffer  *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  mm-display-part((#<buffer  *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil) t)
  byte-code("..." [ignored type handle not-attachment display text string-match throw nil mm-inline-override-p 4 "inline" mm-attachment-override-p mm-automatic-display-p mm-inlinable-p mm-inlined-p mm-automatic-external-display-p t split-string mm-handle-media-type "/" "text" gnus-unbuttonized-mime-type-p gnus-insert-mime-button gnus-article-insert-newline -1 (set-buffer gnus-summary-buffer) ((error)) mm-display-part mm-insert-inline mm-get-part gnus-treat-article bufferp 1 gnus-article-mime-handle-alist beg id move gnus-newsgroup-charset gnus-newsgroup-ignored-charsets mail-parse-ignored-charsets mail-parse-charset gnus-article-mime-handles] 7)
  gnus-mime-display-single((#<buffer  *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  gnus-mime-display-part((#<buffer  *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
  gnus-display-mime()
  gnus-article-prepare-display()
  gnus-article-prepare(466 nil)
  gnus-summary-display-article(466 nil)
  gnus-summary-select-article(nil force)
  gnus-summary-show-article(nil)
  call-interactively(gnus-summary-show-article)

(as previously, if i manually call smime-decrypt-buffer, i could read
the decrypted message).

 SJ> S/MIME signatures using opaque PKCS#7 blobs aren't implemented, if
 SJ> someone encounters these I'd prefer a bug report to find out what
 SJ> mailer creates such beasts. (Adding support for them in Gnus is a
 SJ> five-liner.)

BTW, i also had to modify smime.el to make it work for me. Here is the
patch (it is very simplistic, and needs customization):

--- smime.el	Sun Jul 29 14:05:20 2001
+++ /opt/local/vvv/emacs/gnus/lisp/smime.el	Sun Jul 29 14:12:34 2001
@@ -201,7 +201,7 @@
 ;; OpenSSL wrappers.
 
 (defun smime-call-openssl-region (b e buf &rest args)
-  (case (apply 'call-process-region b e smime-openssl-program nil buf nil args)
+  (case (apply 'call-process-region b e smime-openssl-program nil (list buf nil) nil args)
     (0 t)
     (1 (message "OpenSSL: An error occurred parsing the command options.") nil)
     (2 (message "OpenSSL: One of the input files could not be read.") nil)
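
Review bot: the new destination (list buf nil) in smime-call-openssl-region discards everything OpenSSL writes to stderr, so on a non-zero exit the only diagnostic left is the generic per-code text in the case arms. call-process-region also accepts a file name as the second element of that list; sending stderr to a temporary file and showing its contents when the exit status is not 0 would keep the seeding banner out of the generated MIME body without losing the real error message.
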
@@ -229,7 +229,7 @@
     (if passphrase
 	(setenv "GNUS_SMIME_PASSPHRASE" passphrase))
     (prog1
-	(when (apply 'smime-call-openssl-region b e buffer "smime" "-sign"
+	(when (apply 'smime-call-openssl-region b e buffer "smime" "-sign" "-rand" "/etc/entropy"
 		     "-signer" (expand-file-name keyfile)
 		     (append
 		      (smime-make-certfiles certfiles)
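
Review bot: "-rand" "/etc/entropy" is hard-coded into the -sign argument list, so every signing call now names a seed file that exists only on hosts configured like the submitter's. Take the extra arguments from a user option that defaults to nil and splice them in through the existing (append (smime-make-certfiles certfiles) ...) form, so that the choice of entropy source is an explicit local setting rather than a fixed path in smime.el.
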
@@ -254,7 +254,7 @@
 is expected to contain of a PEM encoded certificate."
   (let ((buffer (generate-new-buffer (generate-new-buffer-name " *smime*"))))
     (prog1
-	(when (apply 'smime-call-openssl-region b e buffer "smime" "-encrypt"
+	(when (apply 'smime-call-openssl-region b e buffer "smime" "-rand" "/etc/entropy" "-encrypt"
 		     smime-encrypt-cipher (mapcar 'expand-file-name certfiles))
 	  (delete-region b e)
 	  (insert-buffer buffer)
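
Review bot: in the -encrypt call the pair "-rand" "/etc/entropy" is placed before "-encrypt", while the -sign hunk places it after "-sign", and the same literal path is now repeated in two call sites. Put the option after the operation flag in both places and build it from one shared variable so the two argument lists cannot drift apart.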

The first hunk makes stderr ignored from openssl process. otherwise, i
get messages like

255 semi-random bytes loaded

into the generated MIME messages when encrypting or signing my
messages.

Other hunks add "-rand" "/etc/entropy" to openssl arguments in a few
places (maybe some other places will also need similar changes, but
not all -- e.g. decrypting and verifying do not require access to
/etc/entropy). On Solaris, there is no /dev/random, and we had to
install a /etc/entropy -- see PRNGD - Pseudo Random Number Generator
Daemon:
http://www.aet.TU-Cottbus.DE/personen/jaenicke/postfix_tls/prngd.html

Maybe, such arguments should not be added unconditionally, but better
via some variable (e.g. smime-openssl-rand-argument) which defaults to
nil but could be set to "/etc/entropy" or whatever.

Best,
v.




* Re: decrypting S/MIME messages
  2001-07-29 13:00     ` Vladimir Volovich
@ 2001-07-29 14:44       ` Amos Gouaux
  2001-07-29 20:14       ` Simon Josefsson
  1 sibling, 0 replies; 8+ messages in thread
From: Amos Gouaux @ 2001-07-29 14:44 UTC (permalink / raw)


>>>>> On Sun, 29 Jul 2001 17:00:59 +0400,
>>>>> Vladimir Volovich <vvv@vsu.ru> (vv) writes:

vv> Maybe, such arguments should not be added unconditionally, but better
vv> via some variable (e.g. smime-openssl-rand-argument) which defaults to
vv> nil but could be set to "/etc/entropy" or whatever.

My brain is so scattered.  I can't find the reference now, but I
recall reading that openssl will at some future release by default
check for the existence of /var/run/egd-pool if /dev/random can't be
found.


-- 
Amos




* Re: decrypting S/MIME messages
  2001-07-29 13:00     ` Vladimir Volovich
  2001-07-29 14:44       ` Amos Gouaux
@ 2001-07-29 20:14       ` Simon Josefsson
  2001-07-30  9:39         ` Vladimir Volovich
  1 sibling, 1 reply; 8+ messages in thread
From: Simon Josefsson @ 2001-07-29 20:14 UTC (permalink / raw)
  Cc: ding

Vladimir Volovich <vvv@vsu.ru> writes:

> "SJ" == Simon Josefsson writes:
> 
> SJ> Ok, S/MIME decryption works for me now, tell me if it works for
> SJ> you.
> 
> Not yet. when viewing such S/MIME encrypted messages (even generated
> by gnus itself), i get an error:
> 
>   signal(error ("Could not identify PKCS#7 type"))
>   error("Could not identify PKCS#7 type")

I had no problem with XEmacs 21.4 or Emacs 21.0.104, do you have some
special mule setting?  It might be some mule interference, the code
compares buffer contents with a string.  Please try this patch and
tell if it works or not:

--- mm-view.el.~6.13.~	Sun Jul 29 03:01:59 2001
+++ mm-view.el	Sun Jul 29 18:02:13 2001
@@ -338,7 +338,7 @@
 			?\x86 ?\xf7 ?\x0d ?\x01 ?\x07 ?\x03)))))
   
 (defun mm-view-pkcs7-get-type (handle)
-  (with-temp-buffer
+  (mm-with-unibyte-buffer
     (mm-insert-part handle)
     (cond ((looking-at (regexp-quote mm-pkcs7-enveloped-magic))
 	   'enveloped)
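
Review bot: (looking-at (regexp-quote mm-pkcs7-enveloped-magic)) still compares the start of the part against one literal byte string, and switching to mm-with-unibyte-buffer does not change that. If the magic begins at the outer SEQUENCE, the octets ahead of the OID tail shown in the context line (?\x86 ?\xf7 ?\x0d ?\x01 ?\x07 ?\x03) include the BER length, which varies with the size of the blob and with definite versus indefinite encoding, so a valid enveloped message can still end in "Could not identify PKCS#7 type". Drop regexp-quote in favour of a pattern that allows the length forms, or skip the length octets and compare the OID only.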

>  (defun smime-call-openssl-region (b e buf &rest args)
> -  (case (apply 'call-process-region b e smime-openssl-program nil buf nil args)
>+  (case (apply 'call-process-region b e smime-openssl-program nil (list buf nil) nil args)

I applied this, thanks.  I hope OpenSSL error messages are still
handled correctly, otherwise we'll have to come up with some other
solution.

> -	(when (apply 'smime-call-openssl-region b e buffer "smime" "-sign"
>+	(when (apply 'smime-call-openssl-region b e buffer "smime" "-sign" "-rand" "/etc/entropy"

I added `smime-extra-arguments' instead.  Is it sufficient?




* Re: decrypting S/MIME messages
  2001-07-29 20:14       ` Simon Josefsson
@ 2001-07-30  9:39         ` Vladimir Volovich
  2001-07-30 22:26           ` Simon Josefsson
  0 siblings, 1 reply; 8+ messages in thread
From: Vladimir Volovich @ 2001-07-30  9:39 UTC (permalink / raw)


"SJ" == Simon Josefsson writes:

 SJ> I had no problem with XEmacs 21.4 or Emacs 21.0.104, do you have
 SJ> some special mule setting?  It might be some mule interference,
 SJ> the code compares buffer contents with a string.  Please try this
 SJ> patch and tell if it works or not:

 SJ> --- mm-view.el.~6.13.~ Sun Jul 29 03:01:59 2001 +++ mm-view.el
 SJ> Sun Jul 29 18:02:13 2001 @@ -338,7 +338,7 @@ ?\x86 ?\xf7 ?\x0d
 SJ> ?\x01 ?\x07 ?\x03)))))
   
 SJ>  (defun mm-view-pkcs7-get-type (handle) - (with-temp-buffer +
 SJ> (mm-with-unibyte-buffer (mm-insert-part handle) (cond
 SJ> ((looking-at (regexp-quote mm-pkcs7-enveloped-magic)) 'enveloped)

no, it does not help. i'm sending a separate s/mime-encrypted email to
you. (i used public key of someone else, but you should still get the
same error?)

BTW, is s/mime encryption only supposed to work for the whole message?
if i put the tag <part encrypt=smime certfile="~/.certs/someones-cert.pem">
not at the beginning of the message (to encrypt only some parts of the
MIME message), gnus generates an incorrect MIME message.

Best,
v.




* Re: decrypting S/MIME messages
  2001-07-30  9:39         ` Vladimir Volovich
@ 2001-07-30 22:26           ` Simon Josefsson
  0 siblings, 0 replies; 8+ messages in thread
From: Simon Josefsson @ 2001-07-30 22:26 UTC (permalink / raw)
  Cc: ding

Vladimir Volovich <vvv@vsu.ru> writes:

> no, it does not help. i'm sending a separate s/mime-encrypted email to
> you.

Thanks.  I committed a bunch of S/MIME related updates, it should work
better now.


