notmuch/test/T356-protected-headers.sh

#!/usr/bin/env bash

# TODO:
#  * check S/MIME as well as PGP/MIME

test_description='Message decryption with protected headers'
. $(dirname "$0")/test-lib.sh || exit 1

##################################################

add_gnupg_home

add_email_corpus protected-headers

test_begin_subtest "verify protected header is not visible without decryption"
output=$(notmuch show --format=json id:protected-header@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'no_crypto_info:[0][0][0]["crypto"]={}' \
                'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'

test_begin_subtest "verify protected header is visible with decryption"
output=$(notmuch show --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
                'subject:[0][0][0]["headers"]["Subject"]="This is a protected header"'

test_begin_subtest "when no external header is present, show masked subject as null"
output=$(notmuch show --decrypt=true --format=json id:subjectless-protected-header@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": null}}}' \
                'subject:[0][0][0]["headers"]["Subject"]="This is a protected header"'

test_begin_subtest "misplaced protected headers should not be made visible during decryption"
output=$(notmuch show --decrypt=true --format=json id:misplaced-protected-header@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \
                'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'

test_begin_subtest "verify double-wrapped phony protected header is not visible when inner decryption fails"
output=$(notmuch show --decrypt=true --format=json id:double-wrapped-with-phony-protected-header@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \
                'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'

test_begin_subtest "cleartext phony protected headers should not be made visible when decryption fails"
output=$(notmuch show --decrypt=true --format=json id:phony-protected-header-bad-encryption@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'no_crypto_info:[0][0][0]["crypto"]={}' \
                'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'

test_begin_subtest "wrapped protected headers should not be made visible during decryption"
output=$(notmuch show --decrypt=true --format=json id:wrapped-protected-header@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "partial"}}' \
                'subject:[0][0][0]["headers"]["Subject"]="[mailing-list] Subject Unavailable"'

test_begin_subtest "internal headers without protected-header attribute should be skipped"
output=$(notmuch show --decrypt=true --format=json id:no-protected-header-attribute@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \
                'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'

test_begin_subtest "verify nested message/rfc822 protected header is visible"
output=$(notmuch show --decrypt=true --format=json id:nested-rfc822-message@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
                'subject:[0][0][0]["headers"]["Subject"]="This is a message using draft-melnikov-smime-header-signing"'

test_begin_subtest "show cryptographic envelope on signed mail"
output=$(notmuch show --verify --format=json id:simple-signed-mail@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525609971, "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "status": "good"}]}}'

test_begin_subtest "verify signed protected header"
output=$(notmuch show --verify --format=json id:signed-protected-header@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525350527, "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "status": "good"}], "headers": ["Subject"]}}'

test_begin_subtest "protected subject does not leak by default in replies"
output=$(notmuch reply --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:["original"]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
                'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
                'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'

test_begin_subtest "protected subject is not indexed by default"
output=$(notmuch search --output=messages 'subject:"This is a protected header"')
test_expect_equal "$output" ''

test_begin_subtest "reindex message with protected header"
test_expect_success 'notmuch reindex --decrypt=true id:protected-header@crypto.notmuchmail.org'

test_begin_subtest "protected subject is indexed when cleartext is indexed"
output=$(notmuch search --output=messages 'subject:"This is a protected header"')
test_expect_equal "$output" 'id:protected-header@crypto.notmuchmail.org'

test_begin_subtest "indexed protected subject is visible in search"
output=$(notmuch search --format=json 'id:protected-header@crypto.notmuchmail.org')
test_json_nodes <<<"$output" \
                'subject:[0]["subject"]="This is a protected header"'

test_begin_subtest "indexed protected subject is not visible in reply header"
output=$(notmuch reply --format=json 'id:protected-header@crypto.notmuchmail.org')
test_json_nodes <<<"$output" \
                'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
                'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'

test_begin_subtest "verify correct protected header when submessage exists"
output=$(notmuch show --decrypt=true --format=json id:encrypted-message-with-forwarded-attachment@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
                'subject:[0][0][0]["headers"]["Subject"]="This is the cryptographic envelope subject"'

test_begin_subtest "verify protected header is both signed and encrypted"
output=$(notmuch show --decrypt=true --format=json id:encrypted-signed@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={
                   "signed":{"status": [{"status": "good", "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "created": 1525812676}],
                   "encrypted": true, "headers": ["Subject"]},"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
                'subject:[0][0][0]["headers"]["Subject"]="Rhinoceros dinner"'

test_begin_subtest "verify protected header is signed even when not masked"
output=$(notmuch show --decrypt=true --format=json id:encrypted-signed-not-masked@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
                'crypto:[0][0][0]["crypto"]={
                   "signed":{"status": [{"status": "good", "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "created": 1525812676}],
                   "encrypted": true, "headers": ["Subject"]},"decrypted": {"status": "full"}}' \
                'subject:[0][0][0]["headers"]["Subject"]="Rhinoceros dinner"'

test_begin_subtest "reindex everything, ensure headers are as expected"
notmuch reindex --decrypt=true from:test_suite@notmuchmail.org
output=$(notmuch search --output=messages 'subject:"protected header" or subject:"Rhinoceros" or subject:"draft-melnikov-smime-header-signing" or subject:"valid"' | sort)
test_expect_equal "$output" 'id:encrypted-signed-not-masked@crypto.notmuchmail.org
id:encrypted-signed@crypto.notmuchmail.org
id:nested-rfc822-message@crypto.notmuchmail.org
id:protected-header@crypto.notmuchmail.org
id:subjectless-protected-header@crypto.notmuchmail.org'

test_done
cli/show: add tests for viewing protected headers Here we add several variant e-mail messages, some of which have correctly-structured protected headers, and some of which do not. The goal of the tests is to ensure that the right protected subjects get reported. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:15:57 +02:00			`#!/usr/bin/env bash`

			`# TODO:`
			`# * check S/MIME as well as PGP/MIME`

			`test_description='Message decryption with protected headers'`
			`. $(dirname "$0")/test-lib.sh \|\| exit 1`

			`##################################################`

			`add_gnupg_home`

			`add_email_corpus protected-headers`

			`test_begin_subtest "verify protected header is not visible without decryption"`
			`output=$(notmuch show --format=json id:protected-header@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'no_crypto_info:[0][0][0]["crypto"]={}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'`

			`test_begin_subtest "verify protected header is visible with decryption"`
			`output=$(notmuch show --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
cli/show: add information about which headers were protected The header-mask member of the per-message crypto object allows a clever UI frontend to mark whether a header was protected (or not). And if it was protected, it contains enough information to show useful detail to an interested user. For example, an MUA could offer a "show what this message's Subject looked like on the wire" feature in expert mode. As before, we only handle Subject for now, but we might be able to handle other headers in the future. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Amended by db: tweaked schemata notation. 2019-05-28 00:14:16 +02:00			`'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \`
cli/show: add tests for viewing protected headers Here we add several variant e-mail messages, some of which have correctly-structured protected headers, and some of which do not. The goal of the tests is to ensure that the right protected subjects get reported. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:15:57 +02:00			`'subject:[0][0][0]["headers"]["Subject"]="This is a protected header"'`

test: add test for missing external subject Adding another test to ensure that we handle protected headers gracefully when no external subject is present. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:16:00 +02:00			`test_begin_subtest "when no external header is present, show masked subject as null"`
			`output=$(notmuch show --decrypt=true --format=json id:subjectless-protected-header@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": null}}}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="This is a protected header"'`

cli/show: add tests for viewing protected headers Here we add several variant e-mail messages, some of which have correctly-structured protected headers, and some of which do not. The goal of the tests is to ensure that the right protected subjects get reported. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:15:57 +02:00			`test_begin_subtest "misplaced protected headers should not be made visible during decryption"`
			`output=$(notmuch show --decrypt=true --format=json id:misplaced-protected-header@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'`

			`test_begin_subtest "verify double-wrapped phony protected header is not visible when inner decryption fails"`
			`output=$(notmuch show --decrypt=true --format=json id:double-wrapped-with-phony-protected-header@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'`

			`test_begin_subtest "cleartext phony protected headers should not be made visible when decryption fails"`
			`output=$(notmuch show --decrypt=true --format=json id:phony-protected-header-bad-encryption@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'no_crypto_info:[0][0][0]["crypto"]={}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'`

			`test_begin_subtest "wrapped protected headers should not be made visible during decryption"`
			`output=$(notmuch show --decrypt=true --format=json id:wrapped-protected-header@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "partial"}}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="[mailing-list] Subject Unavailable"'`

			`test_begin_subtest "internal headers without protected-header attribute should be skipped"`
			`output=$(notmuch show --decrypt=true --format=json id:no-protected-header-attribute@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'`

			`test_begin_subtest "verify nested message/rfc822 protected header is visible"`
			`output=$(notmuch show --decrypt=true --format=json id:nested-rfc822-message@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
cli/show: add information about which headers were protected The header-mask member of the per-message crypto object allows a clever UI frontend to mark whether a header was protected (or not). And if it was protected, it contains enough information to show useful detail to an interested user. For example, an MUA could offer a "show what this message's Subject looked like on the wire" feature in expert mode. As before, we only handle Subject for now, but we might be able to handle other headers in the future. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Amended by db: tweaked schemata notation. 2019-05-28 00:14:16 +02:00			`'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \`
cli/show: add tests for viewing protected headers Here we add several variant e-mail messages, some of which have correctly-structured protected headers, and some of which do not. The goal of the tests is to ensure that the right protected subjects get reported. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:15:57 +02:00			`'subject:[0][0][0]["headers"]["Subject"]="This is a message using draft-melnikov-smime-header-signing"'`

test: show cryptographic envelope information for signed mails Make sure that we emit the correct cryptographic envelope status for cleartext signed messages. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:16:01 +02:00			`test_begin_subtest "show cryptographic envelope on signed mail"`
			`output=$(notmuch show --verify --format=json id:simple-signed-mail@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525609971, "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "status": "good"}]}}'`

			`test_begin_subtest "verify signed protected header"`
			`output=$(notmuch show --verify --format=json id:signed-protected-header@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525350527, "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "status": "good"}], "headers": ["Subject"]}}'`

cli/reply: ensure encrypted Subject: line does not leak in the clear Now that we can decrypt headers, we want to make sure that clients using "notmuch reply" to prepare a reply don't leak cleartext in their subject lines. In particular, the ["reply-headers"]["Subject"] should by default show the external Subject. A replying MUA that intends to protect the Subject line should show the user the Subject from ["original"]["headers"]["Subject"] instead of using ["reply-headers"]["Subject"]. This minor asymmetry with "notmuch show" is intentional. While both tools always render the cleartext subject line when they know it (in ["headers"]["Subject"] for "notmuch show" and in ["original"]["headers"]["Subject"] for "notmuch reply"), "notmuch reply" should never leak something that should stay under encrypted cover in "reply-headers". Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:16:02 +02:00			`test_begin_subtest "protected subject does not leak by default in replies"`
			`output=$(notmuch reply --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:["original"]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \`
			`'subject:["original"]["headers"]["Subject"]="This is a protected header"' \`
			`'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'`

indexing: record protected subject when indexing cleartext When indexing the cleartext of an encrypted message, record any protected subject in the database, which should make it findable and visible in search. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-28 00:40:28 +02:00			`test_begin_subtest "protected subject is not indexed by default"`
			`output=$(notmuch search --output=messages 'subject:"This is a protected header"')`
			`test_expect_equal "$output" ''`

			`test_begin_subtest "reindex message with protected header"`
			`test_expect_success 'notmuch reindex --decrypt=true id:protected-header@crypto.notmuchmail.org'`

			`test_begin_subtest "protected subject is indexed when cleartext is indexed"`
			`output=$(notmuch search --output=messages 'subject:"This is a protected header"')`
			`test_expect_equal "$output" 'id:protected-header@crypto.notmuchmail.org'`

			`test_begin_subtest "indexed protected subject is visible in search"`
			`output=$(notmuch search --format=json 'id:protected-header@crypto.notmuchmail.org')`
			`test_json_nodes <<<"$output" \`
			`'subject:[0]["subject"]="This is a protected header"'`

test: reply (in cli and emacs) should protect indexed sensitive headers These tests are currently broken! When a protected subject is indexed in the clear, it leaks in the reply headers :( For emacs, we set up separate tests for when the protected header is indexed in the clear and when it is unindexed. neither case should leak, but the former wasn't tested yet. We will fix the two broken tests in a subsequent patch. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:16:09 +02:00			`test_begin_subtest "indexed protected subject is not visible in reply header"`
			`output=$(notmuch reply --format=json 'id:protected-header@crypto.notmuchmail.org')`
			`test_json_nodes <<<"$output" \`
			`'subject:["original"]["headers"]["Subject"]="This is a protected header"' \`
			`'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'`

test: try indexing nested messages and protected headers We want to make sure that internally-forwarded messages don't end up "bubbling up" when they aren't actually the cryptographic payload. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:16:06 +02:00			`test_begin_subtest "verify correct protected header when submessage exists"`
			`output=$(notmuch show --decrypt=true --format=json id:encrypted-message-with-forwarded-attachment@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="This is the cryptographic envelope subject"'`

test: protected headers should work when both encrypted and signed. Up to this point, we've tested protected headers on messages that have either been encrypted or signed, but not both. This adds a couple tests of signed+encrypted messages, one where the subject line is masked (outside subject line is "Subject Unavailable") and another where it is not (outside Subject: matches inner Subject:) See the discussion at https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#protected-headers for more details about the nuances between signed, stripped, and stubbed headers. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:16:04 +02:00			`test_begin_subtest "verify protected header is both signed and encrypted"`
			`output=$(notmuch show --decrypt=true --format=json id:encrypted-signed@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={`
			`"signed":{"status": [{"status": "good", "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "created": 1525812676}],`
			`"encrypted": true, "headers": ["Subject"]},"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="Rhinoceros dinner"'`

			`test_begin_subtest "verify protected header is signed even when not masked"`
			`output=$(notmuch show --decrypt=true --format=json id:encrypted-signed-not-masked@crypto.notmuchmail.org)`
			`test_json_nodes <<<"$output" \`
			`'crypto:[0][0][0]["crypto"]={`
			`"signed":{"status": [{"status": "good", "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "created": 1525812676}],`
			`"encrypted": true, "headers": ["Subject"]},"decrypted": {"status": "full"}}' \`
			`'subject:[0][0][0]["headers"]["Subject"]="Rhinoceros dinner"'`

test: after reindexing, only legitimate protected subjects are searchable This test scans for all the possible protected headers (including bogus/broken ones) that are present in the protected-headers corpus, trying to make sure that only the ones that are not broken or malformed show up in a search after re-indexing. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:16:05 +02:00			`test_begin_subtest "reindex everything, ensure headers are as expected"`
			`notmuch reindex --decrypt=true from:test_suite@notmuchmail.org`
			`output=$(notmuch search --output=messages 'subject:"protected header" or subject:"Rhinoceros" or subject:"draft-melnikov-smime-header-signing" or subject:"valid"' \| sort)`
			`test_expect_equal "$output" 'id:encrypted-signed-not-masked@crypto.notmuchmail.org`
			`id:encrypted-signed@crypto.notmuchmail.org`
			`id:nested-rfc822-message@crypto.notmuchmail.org`
			`id:protected-header@crypto.notmuchmail.org`
			`id:subjectless-protected-header@crypto.notmuchmail.org'`

cli/show: add tests for viewing protected headers Here we add several variant e-mail messages, some of which have correctly-structured protected headers, and some of which do not. The goal of the tests is to ensure that the right protected subjects get reported. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-27 00:15:57 +02:00			`test_done`