mirror of
https://git.notmuchmail.org/git/notmuch
synced 2024-11-22 02:48:08 +01:00
tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs
The documentation for message mode clearly states that EasyPG (which uses GnuPG) is the default and recommended way to use S/MIME with mml-secure: [0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html To ensure that this mode works, we just need to import the secret key in question into gpgsm in addition to the public key. gpgsm should be able pick the right keys+certificates to use based on To/From headers, so we don't have to specify anything manually in the #secure mml tag. The import process from the OpenSSL-preferred form (cert+secretkey) is rather ugly, because gpgsm wants to see a PKCS#12 object when importing secret keys. Note that EasyPG generates the more modern Content-Type: application/pkcs7-signature instead of application/x-pkcs7-signature for the detached signature. We are also obliged to manually set gpgsm's include-certs setting to 1 because gpgsm defaults to send "everything but the root cert". In our weird test case, the certificate we're using is self-signed, so it *is* the root cert, which means that gpgsm doesn't include it by default. Setting it to 1 forces inclusion of the signer's cert, which satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878 for more details. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This commit is contained in:
parent
f7921e6e1c
commit
2e351d10c2
3 changed files with 7 additions and 13 deletions
|
@ -24,7 +24,7 @@ test_begin_subtest "emacs delivery of S/MIME encrypted + signed message"
|
||||||
test_expect_success \
|
test_expect_success \
|
||||||
'emacs_fcc_message \
|
'emacs_fcc_message \
|
||||||
"test encrypted message 001" \
|
"test encrypted message 001" \
|
||||||
"<#secure method=smime mode=signencrypt keyfile=\\\"test_suite.pem\\\" certfile=\\\"test_suite.pem\\\">\nThis is a test encrypted message.\n"'
|
"<#secure method=smime mode=signencrypt>\nThis is a test encrypted message.\n"'
|
||||||
|
|
||||||
test_begin_subtest "Signature verification (openssl)"
|
test_begin_subtest "Signature verification (openssl)"
|
||||||
notmuch show --format=raw subject:"test signed message 001" |\
|
notmuch show --format=raw subject:"test signed message 001" |\
|
||||||
|
@ -65,7 +65,7 @@ expected='[[[{"id": "XXXXX",
|
||||||
"content-disposition": "attachment",
|
"content-disposition": "attachment",
|
||||||
"content-length": "NONZERO",
|
"content-length": "NONZERO",
|
||||||
"content-transfer-encoding": "base64",
|
"content-transfer-encoding": "base64",
|
||||||
"content-type": "application/x-pkcs7-signature",
|
"content-type": "application/pkcs7-signature",
|
||||||
"filename": "smime.p7s"}]}]},
|
"filename": "smime.p7s"}]}]},
|
||||||
[]]]]'
|
[]]]]'
|
||||||
test_expect_equal_json \
|
test_expect_equal_json \
|
||||||
|
|
|
@ -193,13 +193,3 @@ nothing."
|
||||||
;; environments
|
;; environments
|
||||||
|
|
||||||
(setq mm-text-html-renderer 'html2text)
|
(setq mm-text-html-renderer 'html2text)
|
||||||
|
|
||||||
;; Set some variables for S/MIME tests.
|
|
||||||
|
|
||||||
(setq smime-keys '(("" "test_suite.pem" nil)))
|
|
||||||
|
|
||||||
(setq mml-smime-use 'openssl)
|
|
||||||
|
|
||||||
;; all test keys are without passphrase
|
|
||||||
(eval-after-load 'smime
|
|
||||||
'(defun smime-ask-passphrase (cache) nil))
|
|
||||||
|
|
|
@ -136,11 +136,15 @@ add_gpgsm_home ()
|
||||||
_gnupg_exit () { gpgconf --kill all 2>/dev/null || true; }
|
_gnupg_exit () { gpgconf --kill all 2>/dev/null || true; }
|
||||||
at_exit_function _gnupg_exit
|
at_exit_function _gnupg_exit
|
||||||
mkdir -m 0700 "$GNUPGHOME"
|
mkdir -m 0700 "$GNUPGHOME"
|
||||||
gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1
|
openssl pkcs12 -export -passout pass: -inkey "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \
|
||||||
|
< "$NOTMUCH_SRCDIR/test/smime/test.crt" | \
|
||||||
|
gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \
|
||||||
|
--disable-dirmngr --import >"$GNUPGHOME"/import.log 2>&1 3<<<''
|
||||||
fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p')
|
fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p')
|
||||||
echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt"
|
echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt"
|
||||||
gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt
|
gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt
|
||||||
echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt"
|
echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt"
|
||||||
|
echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm
|
||||||
test_debug "cat $GNUPGHOME/import.log"
|
test_debug "cat $GNUPGHOME/import.log"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue