* decrypting S/MIME messages
From: Vladimir Volovich @ 2001-07-27 16:26 UTC (permalink / raw)
Hi!
when i receive an encrypted S/MIME message, gnus displays something
like

    From: someone@somewhere
    Subject: something
    To: Vladimir Volovich <vvv@vsu.ru>
    Date: Fri, 27 Jul 2001 20:01:57 +0400
    [1. S/MIME Encrypted Message --- application/x-pkcs7-mime; smime.p7m]...

and when i press on the button, gnus proposes to save the
base64-encoded encrypted message body into a file! (instead of
proposing to decrypt the message).
If i raw-preview the message (C-u g), copy all the contents into some
buffer, and call M-x smime-decrypt-buffer, i see the decrypted message
body just fine, but of course non-formatted.
or, if i save the raw message in a file, and run

    openssl smime -decrypt -recip /home/noc/vvv/.certs/vvv-cert.pem < message.txt

i also see the correctly decrypted message.
The question is: how should i view encrypted s/mime messages? why
there are no calls to smime-decrypt-buffer done by gnus automatically?
Is it just not-yet-implemented, but all framework is there already?
Best,
v.
* Re: decrypting S/MIME messages
From: Simon Josefsson @ 2001-07-28 2:29 UTC (permalink / raw)
Cc: ding
Vladimir Volovich <vvv@vsu.ru> writes:
> The question is: how should i view encrypted s/mime messages? why
> there are no calls to smime-decrypt-buffer done by gnus automatically?
>
> Is it just not-yet-implemented, but all framework is there already?
You're right, the framework is there but the glue is missing.
There was a minor problem adding the glue, application/pkcs7-mime is a
catch-all MIME tag and it can be almost any PKCS#7 blob. To find out
what kind of operation should be performed (decryption, verification,
or simple unwrapping) one needs to look inside the PKCS#7 blob. I
wrote an ASN.1 parser in elisp and had everything almost working some
moons ago, but lost it in a harddisk crash. The ASN.1 parser isn't
really necessary, a carefully constructed `looking-at' invocation is
sufficient, and unless I get very bored I won't write another ASN.1
parser so the `looking-at' approach is probably the way to go. I've
almost finished this, and I'll try to get some time to commit it
tomorrow.
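The type check described in the message above, as an added Python example (not Gnus code, which does this in Emacs Lisp with `looking-at'): it parses the ContentInfo header and reads the contentType OID to choose between decryption, verification and unwrapping. The function names are this example's own and the sample byte strings are constructed.

```python
# PKCS#7 contentType OIDs (RFC 2315) and the operation each one calls for.
PKCS7_OPERATIONS = {
    "1.2.840.113549.1.7.1": ("data", "unwrap"),
    "1.2.840.113549.1.7.2": ("signed", "verify"),
    "1.2.840.113549.1.7.3": ("enveloped", "decrypt"),
}

def read_header(buf, pos):
    """Parse one BER/DER tag and length; return (tag, length, value_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first <= 0x80:  # short form, or 0x80 = BER indefinite length (None)
        return tag, (first if first < 0x80 else None), pos
    n = first & 0x7F   # long form: n length bytes follow
    if n > 4 or pos + n > len(buf):
        raise ValueError("bad length field")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_oid(body):
    """Decode OID content octets into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:        # high bit clear ends one sub-identifier
            subids.append(value)
            value = 0
    x = min(subids[0] // 40, 2)    # first sub-identifier packs two arcs
    return ".".join(map(str, [x, subids[0] - 40 * x] + subids[1:]))

def pkcs7_type(blob):
    """Return (type, operation) for a decoded PKCS#7 ContentInfo blob."""
    tag, _, pos = read_header(blob, 0)
    if tag != 0x30:
        raise ValueError("not a ContentInfo SEQUENCE")
    tag, length, pos = read_header(blob, pos)
    if tag != 0x06 or length is None or pos + length > len(blob):
        raise ValueError("contentType OID missing")
    oid = decode_oid(blob[pos:pos + length])
    return PKCS7_OPERATIONS.get(oid, ("unknown " + oid, None))

# Constructed samples: leading bytes of a base64-decoded smime.p7m body.
ENVELOPED = bytes.fromhex("308006092a864886f70d010703a080")        # indefinite length
SIGNED = bytes.fromhex("3082012306092a864886f70d010702a0820114")  # definite length
```

The outer length field differs between the two samples, which is why the header is parsed rather than matched against one fixed prefix.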
* Re: decrypting S/MIME messages
From: Simon Josefsson @ 2001-07-29 1:13 UTC (permalink / raw)
Cc: ding
Vladimir Volovich <vvv@vsu.ru> writes:
> The question is: how should i view encrypted s/mime messages? why
> there are no calls to smime-decrypt-buffer done by gnus automatically?
>
> Is it just not-yet-implemented, but all framework is there already?
Ok, S/MIME decryption works for me now, tell me if it works for you.
S/MIME signatures using opaque PKCS#7 blobs aren't implemented, if
someone encounters these I'd prefer a bug report to find out what
mailer creates such beasts. (Adding support for them in Gnus is a
five-liner.)
* Re: decrypting S/MIME messages
From: Vladimir Volovich @ 2001-07-29 13:00 UTC (permalink / raw)
"SJ" == Simon Josefsson writes:
SJ> Ok, S/MIME decryption works for me now, tell me if it works for
SJ> you.
Not yet. when viewing such S/MIME encrypted messages (even generated
by gnus itself), i get an error:
signal(error ("Could not identify PKCS#7 type"))
error("Could not identify PKCS#7 type")
mm-view-pkcs7-get-type((#<buffer *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
mm-view-pkcs7((#<buffer *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
mm-display-inline((#<buffer *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
mm-display-part((#<buffer *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil) t)
byte-code("..." [ignored type handle not-attachment display text string-match throw nil mm-inline-override-p 4 "inline" mm-attachment-override-p mm-automatic-display-p mm-inlinable-p mm-inlined-p mm-automatic-external-display-p t split-string mm-handle-media-type "/" "text" gnus-unbuttonized-mime-type-p gnus-insert-mime-button gnus-article-insert-newline -1 (set-buffer gnus-summary-buffer) ((error)) mm-display-part mm-insert-inline mm-get-part gnus-treat-article bufferp 1 gnus-article-mime-handle-alist beg id move gnus-newsgroup-charset gnus-newsgroup-ignored-charsets mail-parse-ignored-charsets mail-parse-charset gnus-article-mime-handles] 7)
gnus-mime-display-single((#<buffer *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
gnus-mime-display-part((#<buffer *mm*> ("application/x-pkcs7-mime" (name . "smime.p7m")) base64 nil ("attachment" (filename . "smime.p7m")) "S/MIME Encrypted Message" nil nil))
gnus-display-mime()
gnus-article-prepare-display()
gnus-article-prepare(466 nil)
gnus-summary-display-article(466 nil)
gnus-summary-select-article(nil force)
gnus-summary-show-article(nil)
call-interactively(gnus-summary-show-article)
(as previously, if i manually call smime-decrypt-buffer, i could read
the decrypted message).
SJ> S/MIME signatures using opaque PKCS#7 blobs aren't implemented, if
SJ> someone encounters these I'd prefer a bug report to find out what
SJ> mailer creates such beasts. (Adding support for them in Gnus is a
SJ> five-liner.)
BTW, i also had to modify smime.el to make it work for me. Here is the
patch (it is very simplistic, and needs customization):
--- smime.el Sun Jul 29 14:05:20 2001
+++ /opt/local/vvv/emacs/gnus/lisp/smime.el Sun Jul 29 14:12:34 2001
@@ -201,7 +201,7 @@
;; OpenSSL wrappers.
(defun smime-call-openssl-region (b e buf &rest args)
- (case (apply 'call-process-region b e smime-openssl-program nil buf nil args)
+ (case (apply 'call-process-region b e smime-openssl-program nil (list buf nil) nil args)
(0 t)
(1 (message "OpenSSL: An error occurred parsing the command options.") nil)
(2 (message "OpenSSL: One of the input files could not be read.") nil)
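Review bot: In `smime-call-openssl-region`, the new destination `(list buf nil)` discards everything OpenSSL writes to stderr, so on a non-zero exit the user sees only the generic `message` strings in the `case` arms and loses the specific diagnostic. The second element of that list may also be a file name; sending stderr to a temporary file and showing its contents when the exit code is non-zero would keep the output buffer clean without throwing the error text away.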
@@ -229,7 +229,7 @@
(if passphrase
(setenv "GNUS_SMIME_PASSPHRASE" passphrase))
(prog1
- (when (apply 'smime-call-openssl-region b e buffer "smime" "-sign"
+ (when (apply 'smime-call-openssl-region b e buffer "smime" "-sign" "-rand" "/etc/entropy"
"-signer" (expand-file-name keyfile)
(append
(smime-make-certfiles certfiles)
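Review bot: The `-sign` line hard-codes `"-rand" "/etc/entropy"`, a site-specific path, so every signing call on a host without that file passes OpenSSL a seed source that does not exist. Take the extra arguments from a user option that defaults to nil and splice them in through the existing `append`, next to `(smime-make-certfiles certfiles)`, so the default command line stays unchanged.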
@@ -254,7 +254,7 @@
is expected to contain of a PEM encoded certificate."
(let ((buffer (generate-new-buffer (generate-new-buffer-name " *smime*"))))
(prog1
- (when (apply 'smime-call-openssl-region b e buffer "smime" "-encrypt"
+ (when (apply 'smime-call-openssl-region b e buffer "smime" "-rand" "/etc/entropy" "-encrypt"
smime-encrypt-cipher (mapcar 'expand-file-name certfiles))
(delete-region b e)
(insert-buffer buffer)
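Review bot: The `-encrypt` call puts `"-rand" "/etc/entropy"` before the operation flag, while the `-sign` hunk puts it after `"-sign"`; choose one position and use it in both calls so the generated command lines are easy to compare when debugging. The same literal path is repeated here, so both call sites should read it from one shared variable rather than carrying two copies.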
The first hunk makes stderr ignored from openssl process. otherwise, i
get messages like
255 semi-random bytes loaded
into the generated MIME messages when encrypting or signing my
messages.
Other hunks add "-rand" "/etc/entropy" to openssl arguments in a few
places (maybe some other places will also need similar changes, but
not all -- e.g. decrypting and verifying do not require access to
/etc/entropy). On Solaris, there is no /dev/random, and we had to
install a /etc/entropy -- see PRNGD - Pseudo Random Number Generator
Daemon:
http://www.aet.TU-Cottbus.DE/personen/jaenicke/postfix_tls/prngd.html
Maybe, such arguments should not be added unconditionally, but better
via some variable (e.g. smime-openssl-rand-argument) which defaults to
nil but could be set to "/etc/entropy" or whatever.
Best,
v.
* Re: decrypting S/MIME messages
From: Amos Gouaux @ 2001-07-29 14:44 UTC (permalink / raw)
>>>>> On Sun, 29 Jul 2001 17:00:59 +0400,
>>>>> Vladimir Volovich <vvv@vsu.ru> (vv) writes:
vv> Maybe, such arguments should not be added unconditionally, but better
vv> via some variable (e.g. smime-openssl-rand-argument) which defaults to
vv> nil but could be set to "/etc/entropy" or whatever.
My brain is so scattered. I can't find the reference now, but I
recall reading that openssl will at some future release by default
check for the existence of /var/run/egd-pool if /dev/random can't be
found.
--
Amos
* Re: decrypting S/MIME messages
From: Simon Josefsson @ 2001-07-29 20:14 UTC (permalink / raw)
Cc: ding
Vladimir Volovich <vvv@vsu.ru> writes:
> "SJ" == Simon Josefsson writes:
>
> SJ> Ok, S/MIME decryption works for me now, tell me if it works for
> SJ> you.
>
> Not yet. when viewing such S/MIME encrypted messages (even generated
> by gnus itself), i get an error:
>
> signal(error ("Could not identify PKCS#7 type"))
> error("Could not identify PKCS#7 type")
I had no problem with XEmacs 21.4 or Emacs 21.0.104, do you have some
special mule setting? It might be some mule interference, the code
compares buffer contents with a string. Please try this patch and
tell if it works or not:
--- mm-view.el.~6.13.~ Sun Jul 29 03:01:59 2001
+++ mm-view.el Sun Jul 29 18:02:13 2001
@@ -338,7 +338,7 @@
?\x86 ?\xf7 ?\x0d ?\x01 ?\x07 ?\x03)))))
(defun mm-view-pkcs7-get-type (handle)
- (with-temp-buffer
+ (mm-with-unibyte-buffer
(mm-insert-part handle)
(cond ((looking-at (regexp-quote mm-pkcs7-enveloped-magic))
'enveloped)
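Review bot: `mm-with-unibyte-buffer` fixes only the buffer side of the `looking-at` comparison in `mm-view-pkcs7-get-type`; `mm-pkcs7-enveloped-magic`, built from character literals such as `?\x86 ?\xf7` in the context line above, can still be a multibyte string under Mule, in which case the `regexp-quote` of it will not match the raw bytes. Make the magic constants unibyte as well, and add a comment on this function stating that the comparison is byte-wise and that this is why the unibyte buffer is required.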
> (defun smime-call-openssl-region (b e buf &rest args)
> - (case (apply 'call-process-region b e smime-openssl-program nil buf nil args)
>+ (case (apply 'call-process-region b e smime-openssl-program nil (list buf nil) nil args)
I applied this, thanks. I hope OpenSSL error messages are still
handled correctly, otherwise we'll have to come up with some other
solution.
> - (when (apply 'smime-call-openssl-region b e buffer "smime" "-sign"
>+ (when (apply 'smime-call-openssl-region b e buffer "smime" "-sign" "-rand" "/etc/entropy"
I added `smime-extra-arguments' instead. Is it sufficient?
* Re: decrypting S/MIME messages
From: Vladimir Volovich @ 2001-07-30 9:39 UTC (permalink / raw)
"SJ" == Simon Josefsson writes:
SJ> I had no problem with XEmacs 21.4 or Emacs 21.0.104, do you have
SJ> some special mule setting? It might be some mule interference,
SJ> the code compares buffer contents with a string. Please try this
SJ> patch and tell if it works or not:
SJ> --- mm-view.el.~6.13.~ Sun Jul 29 03:01:59 2001 +++ mm-view.el
SJ> Sun Jul 29 18:02:13 2001 @@ -338,7 +338,7 @@ ?\x86 ?\xf7 ?\x0d
SJ> ?\x01 ?\x07 ?\x03)))))
SJ> (defun mm-view-pkcs7-get-type (handle) - (with-temp-buffer +
SJ> (mm-with-unibyte-buffer (mm-insert-part handle) (cond
SJ> ((looking-at (regexp-quote mm-pkcs7-enveloped-magic)) 'enveloped)
no, it does not help. i'm sending a separate s/mime-encrypted email to
you. (i used public key of someone else, but you should still get the
same error?)
BTW, is s/mime encryption only supposed to work for the whole message?
if i put the tag <part encrypt=smime certfile="~/.certs/someones-cert.pem">
not at the beginning of the message (to encrypt only some parts of the
MIME message), gnus generates an incorrect MIME message.
Best,
v.
* Re: decrypting S/MIME messages
From: Simon Josefsson @ 2001-07-30 22:26 UTC (permalink / raw)
Cc: ding
Vladimir Volovich <vvv@vsu.ru> writes:
> no, it does not help. i'm sending a separate s/mime-encrypted email to
> you.
Thanks. I committed a bunch of S/MIME related updates, it should work
better now.