notmuch/test/T355-smime.sh

#!/usr/bin/env bash

test_description='S/MIME signature verification and decryption'
. $(dirname "$0")/test-lib.sh || exit 1

test_require_external_prereq openssl
test_require_external_prereq gpgsm

cp $NOTMUCH_SRCDIR/test/smime/key+cert.pem test_suite.pem

FINGERPRINT=$(openssl x509 -fingerprint -in test_suite.pem -noout | sed -e 's/^.*=//' -e s/://g)

add_gpgsm_home

test_begin_subtest "emacs delivery of S/MIME signed message"
test_expect_success \
     'emacs_fcc_message \
     "test signed message 001" \
     "This is a test signed message." \
     "(mml-secure-message-sign \"smime\")"'

test_begin_subtest "emacs delivery of S/MIME encrypted + signed message"
# Hard code the MML to avoid several interactive questions
test_expect_success \
'emacs_fcc_message \
    "test encrypted message 001" \
    "<#secure method=smime mode=signencrypt>\nThis is a test encrypted message.\n"'

test_begin_subtest "Signature verification (openssl)"
notmuch show --format=raw subject:"test signed message 001" |\
    openssl smime -verify -CAfile $NOTMUCH_SRCDIR/test/smime/test.crt 2>OUTPUT
cat <<EOF > EXPECTED
Verification successful
EOF
test_expect_equal_file EXPECTED OUTPUT

test_begin_subtest "signature verification (notmuch CLI)"
output=$(notmuch show --format=json --verify subject:"test signed message 001" \
    | notmuch_json_show_sanitize \
    | sed -e 's|"created": [-1234567890]*|"created": 946728000|g' \
	  -e 's|"expires": [-1234567890]*|"expires": 424242424|g' )
expected='[[[{"id": "XXXXX",
 "match": true,
 "excluded": false,
 "filename": ["YYYYY"],
 "timestamp": 946728000,
 "date_relative": "2000-01-01",
 "tags": ["inbox","signed"],
 "crypto": {"signed": {"status": [{"fingerprint": "'$FINGERPRINT'", "status": "good","userid": "CN=Notmuch Test Suite","expires": 424242424, "created": 946728000}]}},
 "headers": {"Subject": "test signed message 001",
 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
 "To": "test_suite@notmuchmail.org",
 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
 "body": [{"id": 1,
 "sigstatus": [{"fingerprint": "'$FINGERPRINT'",
 "status": "good",
 "userid": "CN=Notmuch Test Suite",
 "expires": 424242424,
 "created": 946728000}],
 "content-type": "multipart/signed",
 "content": [{"id": 2,
 "content-type": "text/plain",
 "content": "This is a test signed message.\n"},
 {"id": 3,
  "content-disposition": "attachment",
  "content-length": "NONZERO",
  "content-transfer-encoding": "base64",
  "content-type": "application/pkcs7-signature",
  "filename": "smime.p7s"}]}]},
 []]]]'
test_expect_equal_json \
    "$output" \
    "$expected"

test_begin_subtest "Decryption and signature verification (openssl)"
notmuch show --format=raw subject:"test encrypted message 001" |\
    openssl smime -decrypt -recip test_suite.pem |\
    openssl smime -verify -CAfile $NOTMUCH_SRCDIR/test/smime/test.crt 2>OUTPUT
cat <<EOF > EXPECTED
Verification successful
EOF
test_expect_equal_file EXPECTED OUTPUT

test_begin_subtest "Decryption (notmuch CLI)"
test_subtest_known_broken
notmuch show --decrypt=true subject:"test encrypted message 001" |\
    grep "^This is a" > OUTPUT
cat <<EOF > EXPECTED
This is a test encrypted message.
EOF
test_expect_equal_file EXPECTED OUTPUT

test_done
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00			`#!/usr/bin/env bash`

			`test_description='S/MIME signature verification and decryption'`
test: use $(dirname "$0") for sourcing test-lib.sh Don't assume the tests are always run from within the source tree. 2017-09-25 22:38:19 +02:00			`. $(dirname "$0")/test-lib.sh \|\| exit 1`
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00
			`test_require_external_prereq openssl`
			`test_require_external_prereq gpgsm`

test: use source and build paths in T355-smime.sh Make a distinction between source and build directories. 2017-09-25 22:38:33 +02:00			`cp $NOTMUCH_SRCDIR/test/smime/key+cert.pem test_suite.pem`
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00
			`FINGERPRINT=$(openssl x509 -fingerprint -in test_suite.pem -noout \| sed -e 's/^.*=//' -e s/://g)`

test: add broken S/MIME signature verification test for notmuch CLI The test is pretty much cut and paste from the PGP/MIME version, with obvious updates taken from notmuch output. This also requires setting up gpgsm infrastucture. 2015-08-16 19:41:13 +02:00			`add_gpgsm_home`

test: require test_begin_subtest before test_expect_success Unify the subtests by requiring test_begin_subtest before test_expect_success. (Similar change for test_expect_code will follow.) This increases clarity in the test scripts by having a separate line for the start of the subtest with the heading, and makes it possible to simplify the test infrastructure by making all subtests similar. 2017-02-26 14:43:00 +01:00			`test_begin_subtest "emacs delivery of S/MIME signed message"`
			`test_expect_success \`
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00			`'emacs_fcc_message \`
			`"test signed message 001" \`
			`"This is a test signed message." \`
			`"(mml-secure-message-sign \"smime\")"'`

test: require test_begin_subtest before test_expect_success Unify the subtests by requiring test_begin_subtest before test_expect_success. (Similar change for test_expect_code will follow.) This increases clarity in the test scripts by having a separate line for the start of the subtest with the heading, and makes it possible to simplify the test infrastructure by making all subtests similar. 2017-02-26 14:43:00 +01:00			`test_begin_subtest "emacs delivery of S/MIME encrypted + signed message"`
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00			`# Hard code the MML to avoid several interactive questions`
test: require test_begin_subtest before test_expect_success Unify the subtests by requiring test_begin_subtest before test_expect_success. (Similar change for test_expect_code will follow.) This increases clarity in the test scripts by having a separate line for the start of the subtest with the heading, and makes it possible to simplify the test infrastructure by making all subtests similar. 2017-02-26 14:43:00 +01:00			`test_expect_success \`
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00			`'emacs_fcc_message \`
			`"test encrypted message 001" \`
tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs The documentation for message mode clearly states that EasyPG (which uses GnuPG) is the default and recommended way to use S/MIME with mml-secure: [0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html To ensure that this mode works, we just need to import the secret key in question into gpgsm in addition to the public key. gpgsm should be able pick the right keys+certificates to use based on To/From headers, so we don't have to specify anything manually in the #secure mml tag. The import process from the OpenSSL-preferred form (cert+secretkey) is rather ugly, because gpgsm wants to see a PKCS#12 object when importing secret keys. Note that EasyPG generates the more modern Content-Type: application/pkcs7-signature instead of application/x-pkcs7-signature for the detached signature. We are also obliged to manually set gpgsm's include-certs setting to 1 because gpgsm defaults to send "everything but the root cert". In our weird test case, the certificate we're using is self-signed, so it is the root cert, which means that gpgsm doesn't include it by default. Setting it to 1 forces inclusion of the signer's cert, which satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878 for more details. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2020-04-28 20:57:13 +02:00			`"<#secure method=smime mode=signencrypt>\nThis is a test encrypted message.\n"'`
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00
			`test_begin_subtest "Signature verification (openssl)"`
			`notmuch show --format=raw subject:"test signed message 001" \|\`
test: use source and build paths in T355-smime.sh Make a distinction between source and build directories. 2017-09-25 22:38:33 +02:00			`openssl smime -verify -CAfile $NOTMUCH_SRCDIR/test/smime/test.crt 2>OUTPUT`
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00			`cat <<EOF > EXPECTED`
			`Verification successful`
			`EOF`
			`test_expect_equal_file EXPECTED OUTPUT`

test: add broken S/MIME signature verification test for notmuch CLI The test is pretty much cut and paste from the PGP/MIME version, with obvious updates taken from notmuch output. This also requires setting up gpgsm infrastucture. 2015-08-16 19:41:13 +02:00			`test_begin_subtest "signature verification (notmuch CLI)"`
			`output=$(notmuch show --format=json --verify subject:"test signed message 001" \`
			`\| notmuch_json_show_sanitize \`
cli/show: emit new whole-message crypto status output This allows MUAs that don't want to think about per-mime-part cryptographic status to have a simple high-level overview of the message's cryptographic state. Sensibly structured encrypted and/or signed messages will work fine with this. The only requirement for the simplest encryption + signing is that the message have all of its encryption and signing protection (the "cryptographic envelope") in a contiguous set of MIME layers at the very outside of the message itself. This is because messages with some subparts signed or encrypted, but with other subparts with no cryptographic protection is very difficult to reason about, and even harder for the user to make sense of or work with. For further characterization of the Cryptographic Envelope and some of the usability tradeoffs, see here: https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#cryptographic-envelope 2019-05-25 20:04:06 +02:00			`\| sed -e 's\|"created": [-1234567890]*\|"created": 946728000\|g' \`
			`-e 's\|"expires": [-1234567890]*\|"expires": 424242424\|g' )`
test: add broken S/MIME signature verification test for notmuch CLI The test is pretty much cut and paste from the PGP/MIME version, with obvious updates taken from notmuch output. This also requires setting up gpgsm infrastucture. 2015-08-16 19:41:13 +02:00			`expected='[[[{"id": "XXXXX",`
			`"match": true,`
			`"excluded": false,`
cli/show: list all filenames of a message in the formatted output Instead of just having the first filename for the message, list all duplicate filenames of the message as a list in the formatted outputs. This bumps the format version to 3. 2017-02-25 14:31:31 +01:00			`"filename": ["YYYYY"],`
test: add broken S/MIME signature verification test for notmuch CLI The test is pretty much cut and paste from the PGP/MIME version, with obvious updates taken from notmuch output. This also requires setting up gpgsm infrastucture. 2015-08-16 19:41:13 +02:00			`"timestamp": 946728000,`
			`"date_relative": "2000-01-01",`
			`"tags": ["inbox","signed"],`
cli/show: emit new whole-message crypto status output This allows MUAs that don't want to think about per-mime-part cryptographic status to have a simple high-level overview of the message's cryptographic state. Sensibly structured encrypted and/or signed messages will work fine with this. The only requirement for the simplest encryption + signing is that the message have all of its encryption and signing protection (the "cryptographic envelope") in a contiguous set of MIME layers at the very outside of the message itself. This is because messages with some subparts signed or encrypted, but with other subparts with no cryptographic protection is very difficult to reason about, and even harder for the user to make sense of or work with. For further characterization of the Cryptographic Envelope and some of the usability tradeoffs, see here: https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#cryptographic-envelope 2019-05-25 20:04:06 +02:00			`"crypto": {"signed": {"status": [{"fingerprint": "'$FINGERPRINT'", "status": "good","userid": "CN=Notmuch Test Suite","expires": 424242424, "created": 946728000}]}},`
test: add broken S/MIME signature verification test for notmuch CLI The test is pretty much cut and paste from the PGP/MIME version, with obvious updates taken from notmuch output. This also requires setting up gpgsm infrastucture. 2015-08-16 19:41:13 +02:00			`"headers": {"Subject": "test signed message 001",`
			`"From": "Notmuch Test Suite <test_suite@notmuchmail.org>",`
			`"To": "test_suite@notmuchmail.org",`
			`"Date": "Sat, 01 Jan 2000 12:00:00 +0000"},`
			`"body": [{"id": 1,`
cli: implement structured output version 4 Since the error field is unused by the emacs front end, no changes are needed other than bumping the format version number. As it is, this is a bit overengineered, but it will reduce duplication when we support gmime 3.0 2017-06-03 19:47:34 +02:00			`"sigstatus": [{"fingerprint": "'$FINGERPRINT'",`
gmime-cleanup: simplify T355-smime.sh GMime 3.0 and later can handle User ID as expected. signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-02 15:19:39 +02:00			`"status": "good",`
			`"userid": "CN=Notmuch Test Suite",`
test: add broken S/MIME signature verification test for notmuch CLI The test is pretty much cut and paste from the PGP/MIME version, with obvious updates taken from notmuch output. This also requires setting up gpgsm infrastucture. 2015-08-16 19:41:13 +02:00			`"expires": 424242424,`
			`"created": 946728000}],`
			`"content-type": "multipart/signed",`
			`"content": [{"id": 2,`
			`"content-type": "text/plain",`
			`"content": "This is a test signed message.\n"},`
			`{"id": 3,`
cli/show: add content-disposition to structured output message parts Help the clients decide how to display parts. Test updates by Mark Walters <markwalters1009@gmail.com>. One more test fix by db 2017-02-26 19:33:48 +01:00			`"content-disposition": "attachment",`
tests: account for varying-size cryptographic signatures GnuPG 2.1.16 is now injecting the full issuer fingerprint in its signatures, which makes them about 32 octets larger when ascii-armored. This change in size means that the size of the MIME parts will vary depending on the version of gpg that the user has installed. at any rate, the signature part should be non-zero (this is true for basically any MIME part), so we just test for that instead of an exact size. 2016-11-23 18:57:22 +01:00			`"content-length": "NONZERO",`
test: add broken S/MIME signature verification test for notmuch CLI The test is pretty much cut and paste from the PGP/MIME version, with obvious updates taken from notmuch output. This also requires setting up gpgsm infrastucture. 2015-08-16 19:41:13 +02:00			`"content-transfer-encoding": "base64",`
tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs The documentation for message mode clearly states that EasyPG (which uses GnuPG) is the default and recommended way to use S/MIME with mml-secure: [0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html To ensure that this mode works, we just need to import the secret key in question into gpgsm in addition to the public key. gpgsm should be able pick the right keys+certificates to use based on To/From headers, so we don't have to specify anything manually in the #secure mml tag. The import process from the OpenSSL-preferred form (cert+secretkey) is rather ugly, because gpgsm wants to see a PKCS#12 object when importing secret keys. Note that EasyPG generates the more modern Content-Type: application/pkcs7-signature instead of application/x-pkcs7-signature for the detached signature. We are also obliged to manually set gpgsm's include-certs setting to 1 because gpgsm defaults to send "everything but the root cert". In our weird test case, the certificate we're using is self-signed, so it is the root cert, which means that gpgsm doesn't include it by default. Setting it to 1 forces inclusion of the signer's cert, which satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878 for more details. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2020-04-28 20:57:13 +02:00			`"content-type": "application/pkcs7-signature",`
test: add broken S/MIME signature verification test for notmuch CLI The test is pretty much cut and paste from the PGP/MIME version, with obvious updates taken from notmuch output. This also requires setting up gpgsm infrastucture. 2015-08-16 19:41:13 +02:00			`"filename": "smime.p7s"}]}]},`
			`[]]]]'`
			`test_expect_equal_json \`
			`"$output" \`
			`"$expected"`

test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00			`test_begin_subtest "Decryption and signature verification (openssl)"`
			`notmuch show --format=raw subject:"test encrypted message 001" \|\`
			`openssl smime -decrypt -recip test_suite.pem \|\`
test: use source and build paths in T355-smime.sh Make a distinction between source and build directories. 2017-09-25 22:38:33 +02:00			`openssl smime -verify -CAfile $NOTMUCH_SRCDIR/test/smime/test.crt 2>OUTPUT`
test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00			`cat <<EOF > EXPECTED`
			`Verification successful`
			`EOF`
			`test_expect_equal_file EXPECTED OUTPUT`

test: add a known broken test for S/MIME decryption This should serve to clarify this feature is not implimented in notmuch yet. 2019-11-18 02:58:12 +01:00			`test_begin_subtest "Decryption (notmuch CLI)"`
			`test_subtest_known_broken`
			`notmuch show --decrypt=true subject:"test encrypted message 001" \|\`
			`grep "^This is a" > OUTPUT`
			`cat <<EOF > EXPECTED`
			`This is a test encrypted message.`
			`EOF`
			`test_expect_equal_file EXPECTED OUTPUT`

test: initial tests for S/MIME and notmuch-emacs Test the ability of notmuch-mua-mail to send S/MIME signed (and encrypted) messages; this really relies on existing functionality in message-mode. The generated keys and messages will later be useful for testing the notmuch CLI. 2015-08-16 19:41:12 +02:00			`test_done`