cli: crypto: S/MIME verification support

notmuch-show --verify will now also process S/MIME signed multiparts
(multipart/signed with an application/pkcs7-signature or
application/x-pkcs7-signature protocol) if encountered. Requires gmime-2.6 and gpgsm.

Based on work by Jameson Graef Rollins <jrollins@finestructure.net>.
Jani Nikula 2015-08-16 19:41:14 +02:00 committed by David Bremner
parent a530a1706a
commit 2355f1522a
3 changed files with 40 additions and 3 deletions


@ -43,6 +43,28 @@ create_gpg_context (notmuch_crypto_t *crypto)
return gpgctx; return gpgctx;
} }
/* Create a PKCS7 context (GMime 2.6) */
static notmuch_crypto_context_t *
create_pkcs7_context (notmuch_crypto_t *crypto)
{
notmuch_crypto_context_t *pkcs7ctx;
if (crypto->pkcs7ctx)
return crypto->pkcs7ctx;
/* TODO: GMimePasswordRequestFunc */
pkcs7ctx = g_mime_pkcs7_context_new (NULL);
if (! pkcs7ctx) {
fprintf (stderr, "Failed to construct pkcs7 context.\n");
return NULL;
}
crypto->pkcs7ctx = pkcs7ctx;
g_mime_pkcs7_context_set_always_trust ((GMimePkcs7Context *) pkcs7ctx,
FALSE);
return pkcs7ctx;
}
static const struct { static const struct {
const char *protocol; const char *protocol;
notmuch_crypto_context_t *(*get_context) (notmuch_crypto_t *crypto); notmuch_crypto_context_t *(*get_context) (notmuch_crypto_t *crypto);
@ -55,6 +77,14 @@ static const struct {
.protocol = "application/pgp-encrypted", .protocol = "application/pgp-encrypted",
.get_context = create_gpg_context, .get_context = create_gpg_context,
}, },
{
.protocol = "application/pkcs7-signature",
.get_context = create_pkcs7_context,
},
{
.protocol = "application/x-pkcs7-signature",
.get_context = create_pkcs7_context,
},
}; };
/* for the specified protocol return the context pointer (initializing /* for the specified protocol return the context pointer (initializing
@ -95,5 +125,10 @@ notmuch_crypto_cleanup (notmuch_crypto_t *crypto)
crypto->gpgctx = NULL; crypto->gpgctx = NULL;
} }
if (crypto->pkcs7ctx) {
g_object_unref (crypto->pkcs7ctx);
crypto->pkcs7ctx = NULL;
}
return 0; return 0;
} }
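Review bot: The `g_mime_pkcs7_context_set_always_trust ((GMimePkcs7Context *) pkcs7ctx, FALSE)` call in create_pkcs7_context is the one security-relevant decision in this hunk and carries no comment: with always-trust off, a signature whose certificate chain gpgsm cannot validate is reported as untrusted rather than accepted, so a later change flipping it to TRUE would silently weaken --verify. I would add above that call `/* Never bypass gpgsm's certificate chain validation: an S/MIME signature is only as trustworthy as the CA configuration gpgsm has been given. */`. The two new protocol table entries match only detached multipart/signed S/MIME; opaque `application/pkcs7-mime` (signed-data or enveloped-data) is not listed, which is worth a one-line comment on the entries so callers do not assume --verify covers it. Unlike the gpg context, which the header's `gpgpath` field suggests can be pointed at a specific binary, the PKCS7 context is built with library defaults and the "Failed to construct pkcs7 context." message gives no hint that a missing gpgsm is the likely cause — presumably acceptable for a first cut, but mentioning gpgsm in that message would save users a debugging round.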


@ -31,6 +31,8 @@
#include <gmime/gmime.h> #include <gmime/gmime.h>
typedef GMimeCryptoContext notmuch_crypto_context_t; typedef GMimeCryptoContext notmuch_crypto_context_t;
/* This is automatically included only since gmime 2.6.10 */
#include <gmime/gmime-pkcs7-context.h>
#include "notmuch.h" #include "notmuch.h"
@ -70,6 +72,7 @@ typedef struct notmuch_show_format {
typedef struct notmuch_crypto { typedef struct notmuch_crypto {
notmuch_crypto_context_t* gpgctx; notmuch_crypto_context_t* gpgctx;
notmuch_crypto_context_t* pkcs7ctx;
notmuch_bool_t verify; notmuch_bool_t verify;
notmuch_bool_t decrypt; notmuch_bool_t decrypt;
const char *gpgpath; const char *gpgpath;
@ -407,8 +410,8 @@ struct mime_node {
/* Construct a new MIME node pointing to the root message part of /* Construct a new MIME node pointing to the root message part of
* message. If crypto->verify is true, signed child parts will be * message. If crypto->verify is true, signed child parts will be
* verified. If crypto->decrypt is true, encrypted child parts will be * verified. If crypto->decrypt is true, encrypted child parts will be
* decrypted. If crypto->gpgctx is NULL, it will be lazily * decrypted. If the crypto contexts (crypto->gpgctx or
* initialized. * crypto->pkcs7) are NULL, they will be lazily initialized.
* *
* Return value: * Return value:
* *
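Review bot: The updated comment on the mime_node constructor refers to `crypto->pkcs7`, but the member added to struct notmuch_crypto in this same file is `pkcs7ctx`, so the documentation names a field that does not exist; it should read `* decrypted. If the crypto contexts (crypto->gpgctx or` / `* crypto->pkcs7ctx) are NULL, they will be lazily initialized.`. The new `notmuch_crypto_context_t* pkcs7ctx;` field itself is undocumented; since crypto.c unrefs it in notmuch_crypto_cleanup, a comment such as `/* GMime PKCS7 (S/MIME) context; created lazily, released by notmuch_crypto_cleanup */` would make the ownership explicit next to gpgctx. The declaration that the comment describes lies outside this hunk.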


@ -44,7 +44,6 @@ EOF
test_expect_equal_file EXPECTED OUTPUT test_expect_equal_file EXPECTED OUTPUT
test_begin_subtest "signature verification (notmuch CLI)" test_begin_subtest "signature verification (notmuch CLI)"
test_subtest_known_broken
output=$(notmuch show --format=json --verify subject:"test signed message 001" \ output=$(notmuch show --format=json --verify subject:"test signed message 001" \
| notmuch_json_show_sanitize \ | notmuch_json_show_sanitize \
| sed -e 's|"created": [-1234567890]*|"created": 946728000|' \ | sed -e 's|"created": [-1234567890]*|"created": 946728000|' \