mirror of
https://git.notmuchmail.org/git/notmuch
synced 2024-11-22 02:48:08 +01:00
smime: Pass PKCS#7 envelopedData to node_decrypt_and_verify
This change means we can support "notmuch show --decrypt=true" for S/MIME encrypted messages, resolving several outstanding broken tests, including all the remaining S/MIME protected header examples. We do not yet handle indexing the cleartext of S/MIME encrypted messages, though. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This commit is contained in:
parent
1a34f68a58
commit
cb88b51fe5
3 changed files with 9 additions and 5 deletions
|
@ -390,6 +390,12 @@ _mime_node_set_up_part (mime_node_t *node, GMimeObject *part, int numchild)
|
|||
* to just unwrap (instead of verifying), but
|
||||
* https://github.com/jstedfast/gmime/issues/67 */
|
||||
node_verify (node, part);
|
||||
} else if (GMIME_IS_APPLICATION_PKCS7_MIME (part) &&
|
||||
GMIME_SECURE_MIME_TYPE_ENVELOPED_DATA == g_mime_application_pkcs7_mime_get_smime_type (GMIME_APPLICATION_PKCS7_MIME (part)) &&
|
||||
(node->ctx->crypto->decrypt != NOTMUCH_DECRYPT_FALSE)) {
|
||||
node_decrypt_and_verify (node, part);
|
||||
if (node->unwrapped_child && node->nchildren == 0)
|
||||
node->nchildren = 1;
|
||||
} else {
|
||||
if (_notmuch_message_crypto_potential_payload (node->ctx->msg_crypto, part, node->parent ? node->parent->part : NULL, numchild) &&
|
||||
node->ctx->msg_crypto->decryption_status == NOTMUCH_MESSAGE_DECRYPTED_FULL) {
|
||||
|
|
|
@ -80,7 +80,6 @@ EOF
|
|||
test_expect_equal_file EXPECTED OUTPUT
|
||||
|
||||
test_begin_subtest "Decryption (notmuch CLI)"
|
||||
test_subtest_known_broken
|
||||
notmuch show --decrypt=true subject:"test encrypted message 001" |\
|
||||
grep "^This is a" > OUTPUT
|
||||
cat <<EOF > EXPECTED
|
||||
|
@ -89,7 +88,6 @@ EOF
|
|||
test_expect_equal_file EXPECTED OUTPUT
|
||||
|
||||
test_begin_subtest "Cryptographic message status (encrypted+signed)"
|
||||
test_subtest_known_broken
|
||||
output=$(notmuch show --format=json --decrypt=true subject:"test encrypted message 001")
|
||||
test_json_nodes <<<"$output" \
|
||||
'crypto_encrypted:[0][0][0]["crypto"]["decrypted"]["status"]="full"' \
|
||||
|
|
|
@ -173,7 +173,6 @@ done
|
|||
|
||||
for variant in sign+enc sign+enc+legacy-disp; do
|
||||
test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant)"
|
||||
test_subtest_known_broken
|
||||
output=$(notmuch show --decrypt=true --format=json "id:smime-${variant}@protected-headers.example")
|
||||
test_json_nodes <<<"$output" \
|
||||
'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
|
||||
|
@ -181,14 +180,15 @@ for variant in sign+enc sign+enc+legacy-disp; do
|
|||
'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \
|
||||
'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}'
|
||||
test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant) signer User ID"
|
||||
if [ $NOTMUCH_GMIME_X509_CERT_VALIDITY -ne 1 ]; then
|
||||
test_subtest_known_broken
|
||||
fi
|
||||
test_json_nodes <<<"$output" \
|
||||
'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"'
|
||||
|
||||
done
|
||||
|
||||
test_begin_subtest "confirm encryption-protected PKCS#7 subject (enc+legacy-disp)"
|
||||
test_subtest_known_broken
|
||||
output=$(notmuch show --decrypt=true --format=json "id:smime-enc+legacy-disp@protected-headers.example")
|
||||
test_json_nodes <<<"$output" \
|
||||
'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}' \
|
||||
|
|
Loading…
Reference in a new issue