Announcements and discussions for Gnus, the GNU Emacs Usenet newsreader
* x-pkcs7-mime verification?
@ 2005-03-31 18:12 Milan Zamazal
  2005-03-31 18:17 ` David S. Goldberg
  2005-03-31 18:54 ` Arne Jørgensen
  0 siblings, 2 replies; 8+ messages in thread
From: Milan Zamazal @ 2005-03-31 18:12 UTC (permalink / raw)


Gnus apparently doesn't provide an interface to x-pkcs7-mime signature
verification.  I can't believe nobody uses it :-), so I'm asking whether
somebody has written the pkcs7-mime verification interface?

If nobody does, I'll try to implement it myself.  Since
smime-verify-buffer works well with the raw buffer, I think it shouldn't
be too difficult, right?

Thanks,

Milan Zamazal

-- 
The seeker after truth should be humbler than the dust.  The world crushes the
dust under its feet, but the seeker after truth should so humble himself that
even the dust could crush him.                                 -- M. K. Gandhi



* Re: x-pkcs7-mime verification?
  2005-03-31 18:12 x-pkcs7-mime verification? Milan Zamazal
@ 2005-03-31 18:17 ` David S. Goldberg
  2005-03-31 19:20   ` Milan Zamazal
  2005-03-31 18:54 ` Arne Jørgensen
  1 sibling, 1 reply; 8+ messages in thread
From: David S. Goldberg @ 2005-03-31 18:17 UTC (permalink / raw)


SMIME verification is there in CVS gnus and I think it's been there
for quite a while.  I believe it requires openssl to operate.

-- 
Dave Goldberg
david.goldberg6@verizon.net



* Re: x-pkcs7-mime verification?
  2005-03-31 18:12 x-pkcs7-mime verification? Milan Zamazal
  2005-03-31 18:17 ` David S. Goldberg
@ 2005-03-31 18:54 ` Arne Jørgensen
  1 sibling, 0 replies; 8+ messages in thread
From: Arne Jørgensen @ 2005-03-31 18:54 UTC (permalink / raw)


Milan Zamazal <pdm@brailcom.org> writes:

> Gnus apparently doesn't provide an interface to x-pkcs7-mime signature
> verification.  I can't believe nobody uses it :-), so I'm asking whether
> somebody has written the pkcs7-mime verification interface?
>
> If nobody does, I'll try to implement it myself.  Since
> smime-verify-buffer works well with the raw buffer, I think it shouldn't
> be too difficult, right?

This should be working in the CVS version of Gnus. Both on the trunk
and in the v5-10 branch.

I don't know if or when a release is planned or expected.

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>



* Re: x-pkcs7-mime verification?
  2005-03-31 18:17 ` David S. Goldberg
@ 2005-03-31 19:20   ` Milan Zamazal
  2005-03-31 20:18     ` Arne Jørgensen
  0 siblings, 1 reply; 8+ messages in thread
From: Milan Zamazal @ 2005-03-31 19:20 UTC (permalink / raw)


>>>>> "DSG" == David S Goldberg <david.goldberg6@verizon.net> writes:

    DSG> SMIME verification is there in CVS gnus and I think it's been
    DSG> there for quite a while.

>>>>> "AJ" == Arne Jørgensen <arne@arnested.dk> writes:

    AJ> This should be working in the CVS version of Gnus. Both on the
    AJ> trunk and in the v5-10 branch.

I should probably clarify that x-pkcs7-signature verification works for
me, but x-pkcs7-mime verification does not.

When I try to display an x-pkcs7-mime verification message, Gnus first
asks me whether it should be decrypted (it actually means decoding, not
decrypting) and after a positive answer it displays the message and
reports "Verify signed PKCS#7 message is unimplemented.".  This happens
with both CVS Emacs and Gnus CVS snapshot in Debian.  Looking into the
current Gnus CVS, the verification is still missing in
mm-view-pkcs7-verify in mm-view.el.

Thanks,

Regards,

Milan Zamazal

-- 
The world is not something you can wrap your head around without needing years
of experience.                              -- Kent M. Pitman in comp.lang.lisp



* Re: x-pkcs7-mime verification?
  2005-03-31 19:20   ` Milan Zamazal
@ 2005-03-31 20:18     ` Arne Jørgensen
  2005-03-31 20:46       ` Milan Zamazal
  0 siblings, 1 reply; 8+ messages in thread
From: Arne Jørgensen @ 2005-03-31 20:18 UTC (permalink / raw)


Milan Zamazal <pdm@brailcom.org> writes:

> When I try to display an x-pkcs7-mime verification message, Gnus first
> asks me whether it should be decrypted (it actually means decoding, not
> decrypting) 

What is the difference/why isn't it decrypting? (I'm not good at
using the correct terminology.)

> and after a positive answer it displays the message and
> reports "Verify signed PKCS#7 message is unimplemented.".  This happens
> with both CVS Emacs and Gnus CVS snapshot in Debian.  Looking into the
> current Gnus CVS, the verification is still missing in
> mm-view-pkcs7-verify in mm-view.el.

I can find the message in the source code but I never see the message
myself. When I read a message that is both encrypted and signed I'm
asked the same question as you (whether the message should be
decrypted or not). On a positive answer I see the decrypted message
and if I verify it (`W s') it succeeds too.

So either I don't understand your question (possible) or there is
something in your setup.

As far as I remember this also was working/should be working in the
released 5.10.x versions of Gnus.

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>



* Re: x-pkcs7-mime verification?
  2005-03-31 20:18     ` Arne Jørgensen
@ 2005-03-31 20:46       ` Milan Zamazal
  2005-04-06 13:55         ` Arne Jørgensen
  0 siblings, 1 reply; 8+ messages in thread
From: Milan Zamazal @ 2005-03-31 20:46 UTC (permalink / raw)


>>>>> "AJ" == Arne Jørgensen <arne@arnested.dk> writes:

    AJ> What is the difference/why isn't it decrypting?

It's a clear text message encoded in base64, not a message encrypted
with the recipient's key.

    AJ> I can find the message in the source code but I never see the
    AJ> message myself. When I read a message that is both encrypted and
    AJ> signed I'm asked the same question as you (whether the message
    AJ> should be decrypted or not). On a positive answer I see the
    AJ> decrypted message and if I verify it (`W s') it succeeds too.

And do the headers contain the application/x-pkcs7-mime MIME type?

The mail I have problems with is produced by Outlook and contains the
following content-type headers in the main mail headers:

  Content-Type: application/x-pkcs7-mime; name="smime.p7m"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="smime.p7m"

The mail body is base64 encoded and contains a signed message in the
PKCS7 (I assume) format.  The Gnus function handling it is:

  (defun mm-possibly-verify-or-decrypt (parts ctl)
    (let ((type (car ctl))
          (subtype (cadr (split-string (car ctl) "/")))
          (mm-security-handle ctl) ;; (car CTL) is the type.
          protocol func functest)
      (cond
       ((or (equal type "application/x-pkcs7-mime")
            (equal type "application/pkcs7-mime"))
        (with-temp-buffer
          (when (and (cond
                      ((eq mm-decrypt-option 'never) nil)
                      ((eq mm-decrypt-option 'always) t)
                      ((eq mm-decrypt-option 'known) t)
                      (t (y-or-n-p
                          (format "Decrypt (S/MIME) part? "))))
                     (mm-view-pkcs7 parts))
           ...

mm-view-pkcs7 leads to the "unimplemented" message I've seen.

Regards,

Milan Zamazal

-- 
The seeker after truth should be humbler than the dust.  The world crushes the
dust under its feet, but the seeker after truth should so humble himself that
even the dust could crush him.                                 -- M. K. Gandhi
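
The distinction discussed in this message, as an added example that is not part of the thread or of Gnus: the Content-Type headers quoted above carry only name="smime.p7m", so whether a pkcs7-mime body is signed-only or encrypted has to be read from the contentType OID at the start of the decoded PKCS#7 structure. The function names and the sample bodies are constructed for illustration.

```python
import base64

PKCS7_TYPES = {"1.2.840.113549.1.7.1": "data",            # PKCS#7 content-type OIDs
               "1.2.840.113549.1.7.2": "signed-data",
               "1.2.840.113549.1.7.3": "enveloped-data"}

def _b64(hexstr):
    return base64.b64encode(bytes.fromhex(hexstr)).decode()

# Constructed samples: ContentInfo cut down to the contentType OID and an empty [0]
SAMPLE_SIGNED = _b64("300d06092a864886f70d010702a000")
SAMPLE_ENVELOPED = _b64("300d06092a864886f70d010703a000")
SAMPLE_SIGNED_BER = _b64("308006092a864886f70d010702a08000000000")  # indefinite length

def _read_header(buf, pos):
    """Return (tag, length or None, offset of value) for the element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short form
        return tag, first, pos
    if first == 0x80:                     # BER indefinite length
        return tag, None, pos
    n = first & 0x7F                      # long form: n length octets follow
    if n > 4 or pos + n > len(buf):
        raise ValueError("bad length")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def _decode_oid(body):
    arcs, value = [], 0
    for byte in body:                     # base-128, high bit means more octets
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = arcs[0]                       # first value packs the two leading arcs
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))

def classify_pkcs7_mime(b64_body):
    """Name the PKCS#7 content type of a base64 application/(x-)pkcs7-mime body."""
    der = base64.b64decode(b64_body)
    tag, _, pos = _read_header(der, 0)    # outer ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a ContentInfo SEQUENCE")
    tag, length, pos = _read_header(der, pos)
    if tag != 0x06 or length is None or pos + length > len(der):
        raise ValueError("missing contentType OID")
    oid = _decode_oid(der[pos:pos + length])
    return PKCS7_TYPES.get(oid, "unknown (%s)" % oid)
```

A "signed-data" result is the case described here: the body is only encoded, and the operation that applies is signature verification, not decryption.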



* Re: x-pkcs7-mime verification?
  2005-03-31 20:46       ` Milan Zamazal
@ 2005-04-06 13:55         ` Arne Jørgensen
  2005-04-07 10:13           ` Milan Zamazal
  0 siblings, 1 reply; 8+ messages in thread
From: Arne Jørgensen @ 2005-04-06 13:55 UTC (permalink / raw)


Milan Zamazal <pdm@brailcom.org> writes:

>>>>>> "AJ" == Arne Jørgensen <arne@arnested.dk> writes:
>
>     AJ> What is the difference/why isn't it decrypting?
>
> It's a clear text message encoded in base64, not a message encrypted
> with the recipient's key.
>
>     AJ> I can find the message in the source code but I never see the
>     AJ> message myself. When I read a message that is both encrypted and
>     AJ> signed I'm asked the same question as you (whether the message
>     AJ> should be decrypted or not). On a positive answer I see the
>     AJ> decrypted message and if I verify it (`W s') it succeeds too.
>
> And do the headers contain the application/x-pkcs7-mime MIME type?

Yes.

> The mail I have problems with is produced by Outlook and contains the
> following content-type headers in the main mail headers:
>
>   Content-Type: application/x-pkcs7-mime; name="smime.p7m"
>   Content-Transfer-Encoding: base64
>   Content-Disposition: attachment; filename="smime.p7m"
>
> The mail body is base64 encoded and contains a signed message in the
> PKCS7 (I assume) format.  The Gnus function handling it is:

I think I finally understand a bit about what this is about. I didn't
know that a message with an application/x-pkcs7-mime MIME type could
be just a signed (not encrypted) message until I read some of RFC
2311. Part of why it was difficult for me to understand this is
because Gnus doesn't generate that kind of signed mail, but uses
multipart/signed instead.

Milan Zamazal <pdm@brailcom.org> writes:

> The following patch against Emacs CVS makes Gnus verify pkcs7-mime
> signatures:
>
> --- mm-view.el.orig	2005-04-05 18:05:25.599196219 +0200
> +++ mm-view.el	2005-04-05 18:03:59.177559850 +0200
> @@ -538,18 +538,24 @@
>  
>  (defun mm-view-pkcs7-verify (handle)
>    ;; A bogus implementation of PKCS#7. FIXME::
> -  (mm-insert-part handle)
> -  (goto-char (point-min))
> -  (if (search-forward "Content-Type: " nil t)
> -      (delete-region (point-min) (match-beginning 0)))
> -  (goto-char (point-max))
> -  (if (re-search-backward "--\r?\n?" nil t)
> -      (delete-region (match-end 0) (point-max)))
> +  (let ((verified nil))
> +    (with-temp-buffer
> +      (insert "MIME-Version: 1.0\n")
> +      (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m")
> +      (insert-buffer-substring (mm-handle-buffer handle))
> +      (setq verified (smime-verify-region (point-min) (point-max))))
> +    (goto-char (point-min))
> +    (mm-insert-part handle)
> +    (if (search-forward "Content-Type: " nil t)
> +        (delete-region (point-min) (match-beginning 0)))
> +    (goto-char (point-max))
> +    (if (re-search-backward "--\r?\n?" nil t)
> +        (delete-region (match-end 0) (point-max)))
> +    (unless verified
> +      (insert-buffer-substring smime-details-buffer)))
>    (goto-char (point-min))
>    (while (search-forward "\r\n" nil t)
>      (replace-match "\n"))
> -  (message "Verify signed PKCS#7 message is unimplemented.")
> -  (sit-for 1)
>    t)
>  
>  (autoload 'gnus-completing-read-maybe-default "gnus-util" nil nil 'macro)
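
Review bot: mm-view-pkcs7-verify still ends in an unconditional t, and verified is consulted only in (unless verified (insert-buffer-substring smime-details-buffer)), so the caller sees the same return value for a good and a bad signature, and a failure is reported only as text inserted into the same buffer as the sender-controlled message body. Report the outcome out of band as well, for example with a call to message, and on success too, since the removed "Verify signed PKCS#7 message is unimplemented." notice is not replaced by anything. The displayed text is also still cut out of (mm-insert-part handle) by the "Content-Type: " and "--\r?\n?" searches rather than taken from what smime-verify-region checked, which is worth a comment; the ";; A bogus implementation of PKCS#7. FIXME::" line should be updated to say what remains unfinished.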

I have tested your patch with the messages in my test collection and
your patch doesn't break any of these.

So if it works with your messages (and I guess it does since you
posted it) I think it would be worth installing it in Gnus.

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>



* Re: x-pkcs7-mime verification?
  2005-04-06 13:55         ` Arne Jørgensen
@ 2005-04-07 10:13           ` Milan Zamazal
  0 siblings, 0 replies; 8+ messages in thread
From: Milan Zamazal @ 2005-04-07 10:13 UTC (permalink / raw)


>>>>> "AJ" == Arne Jørgensen <arne@arnested.dk> writes:

    AJ> I have tested your patch with the messages in my test collection
    AJ> and your patch doesn't break any of these.

    AJ> So if it works with your messages (and I guess it does since you
    AJ> posted it) I think it would be worth installing it in Gnus.

Thanks for the help and testing, I'll forward the patch to the Gnus
maintainers.

Regards,

Milan Zamazal

-- 
It is the reformer, who is anxious for the reform, and not society, from which
he should expect nothing better than opposition, abhorrence and even mortal
persecution.                                                   -- M. K. Gandhi

