Re: x-pkcs7-mime verification?

["Arne Jørgensen" <arne@arnested.dk>]

Milan Zamazal <pdm@brailcom.org> writes:

>>>>>> "AJ" == Arne Jørgensen <arne@arnested.dk> writes:
>
>     AJ> What is the difference/why isn't it decsrypting?
>
> It's a clear text message encoded in base64, not a message encrypted
> with the recipient's key.
>
>     AJ> I can find the message in the source code but I never see the
>     AJ> message myself. When I read a message that is both encrypted and
>     AJ> signed I'm asked the same question as you (whether the message
>     AJ> should be decrypted or not). On a positive answer I see the
>     AJ> decrypted message and if I verify it (`W s') it succeeds too.
>
> And do the headers contain the application/x-pkcs7-mime MIME type?

Yes.

> The mail I have problems with is produced by Outlook and contains the
> following content-type headers in the main mail headers:
>
>   Content-Type: application/x-pkcs7-mime; name="smime.p7m"
>   Content-Transfer-Encoding: base64
>   Content-Disposition: attachment; filename="smime.p7m"
>
> The mail body is base64 encoded and contains a signed message in the
> PKCS7 (I assume) format.  The Gnus function handling it is:

I think I finally understand a bit about what this is about. I didn't
know that a message with a  application/x-pkcs7-mime MIME type could
be just a signed (not encrypted) message until I read some of RFC
2311. Part of why I it was difficult for me to understand this is
because Gnus doesn't generate that kind of signed mails, but used
multipart/signed instead.

Milan Zamazal <pdm@brailcom.org> writes:

> The following patch against Emacs CVS makes Gnus verify pkcs7-mime
> signatures:
>
> --- mm-view.el.orig	2005-04-05 18:05:25.599196219 +0200
> +++ mm-view.el	2005-04-05 18:03:59.177559850 +0200
> @@ -538,18 +538,24 @@
>  
>  (defun mm-view-pkcs7-verify (handle)
>    ;; A bogus implementation of PKCS#7. FIXME::
> -  (mm-insert-part handle)
> -  (goto-char (point-min))
> -  (if (search-forward "Content-Type: " nil t)
> -      (delete-region (point-min) (match-beginning 0)))
> -  (goto-char (point-max))
> -  (if (re-search-backward "--\r?\n?" nil t)
> -      (delete-region (match-end 0) (point-max)))
> +  (let ((verified nil))
> +    (with-temp-buffer
> +      (insert "MIME-Version: 1.0\n")
> +      (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m")
> +      (insert-buffer-substring (mm-handle-buffer handle))
> +      (setq verified (smime-verify-region (point-min) (point-max))))
> +    (goto-char (point-min))
> +    (mm-insert-part handle)
> +    (if (search-forward "Content-Type: " nil t)
> +        (delete-region (point-min) (match-beginning 0)))
> +    (goto-char (point-max))
> +    (if (re-search-backward "--\r?\n?" nil t)
> +        (delete-region (match-end 0) (point-max)))
> +    (unless verified
> +      (insert-buffer-substring smime-details-buffer)))
>    (goto-char (point-min))
>    (while (search-forward "\r\n" nil t)
>      (replace-match "\n"))
> -  (message "Verify signed PKCS#7 message is unimplemented.")
> -  (sit-for 1)
>    t)
>  
>  (autoload 'gnus-completing-read-maybe-default "gnus-util" nil nil 'macro)

I have tested your patch with the messages in my test colection and
your patch doesn't break any of these.

So if it works with your messages (and I guess it does since you
posted it) I think it would be worth installing it in Gnus.

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>