mirror of
https://git.notmuchmail.org/git/notmuch
synced 2024-11-25 20:38:08 +01:00
b14d9ae204
When checking cryptographic signatures, Notmuch relies on GMime to tell it whether the certificate that signs a message has a valid User ID or not. If the User ID is not valid, then notmuch does not report the signer's User ID to the user. This means that the consumer of notmuch's cryptographic summary of a message (or of its protected headers) can be confident in relaying the reported identity to the user. However, some versions of GMime before 3.2.7 cannot report Certificate validity for X.509 certificates. This is resolved upstream in GMime at https://github.com/jstedfast/gmime/pull/90. We adapt to this by marking tests of reported User IDs for S/MIME-signed messages as known-broken if GMime is older than 3.2.7 and has not been patched. If GMime >= 3.2.7 and certificate validity still doesn't work for X.509 certs, then there has likely been a regression in GMime and we should fail early, during ./configure. To break out these specific User ID checks from other checks, i had to split some tests into two parts, and reuse $output across the two subtests. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
209 lines
12 KiB
Bash
Executable file
209 lines
12 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
|
|
test_description='Message decryption with protected headers'
|
|
. $(dirname "$0")/test-lib.sh || exit 1
|
|
|
|
##################################################
|
|
|
|
test_require_external_prereq gpgsm
|
|
|
|
add_gnupg_home
|
|
add_gpgsm_home
|
|
|
|
add_email_corpus protected-headers
|
|
|
|
test_begin_subtest "verify protected header is not visible without decryption"
|
|
output=$(notmuch show --format=json id:protected-header@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'no_crypto_info:[0][0][0]["crypto"]={}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'
|
|
|
|
test_begin_subtest "verify protected header is visible with decryption"
|
|
output=$(notmuch show --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="This is a protected header"'
|
|
|
|
test_begin_subtest "when no external header is present, show masked subject as null"
|
|
output=$(notmuch show --decrypt=true --format=json id:subjectless-protected-header@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": null}}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="This is a protected header"'
|
|
|
|
test_begin_subtest "misplaced protected headers should not be made visible during decryption"
|
|
output=$(notmuch show --decrypt=true --format=json id:misplaced-protected-header@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'
|
|
|
|
test_begin_subtest "verify double-wrapped phony protected header is not visible when inner decryption fails"
|
|
output=$(notmuch show --decrypt=true --format=json id:double-wrapped-with-phony-protected-header@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'
|
|
|
|
test_begin_subtest "cleartext phony protected headers should not be made visible when decryption fails"
|
|
output=$(notmuch show --decrypt=true --format=json id:phony-protected-header-bad-encryption@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'no_crypto_info:[0][0][0]["crypto"]={}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'
|
|
|
|
test_begin_subtest "wrapped protected headers should not be made visible during decryption"
|
|
output=$(notmuch show --decrypt=true --format=json id:wrapped-protected-header@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "partial"}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="[mailing-list] Subject Unavailable"'
|
|
|
|
test_begin_subtest "internal headers without protected-header attribute should be skipped"
|
|
output=$(notmuch show --decrypt=true --format=json id:no-protected-header-attribute@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full"}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="Subject Unavailable"'
|
|
|
|
test_begin_subtest "verify nested message/rfc822 protected header is visible"
|
|
output=$(notmuch show --decrypt=true --format=json id:nested-rfc822-message@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="This is a message using draft-melnikov-smime-header-signing"'
|
|
|
|
test_begin_subtest "show cryptographic envelope on signed mail"
|
|
output=$(notmuch show --verify --format=json id:simple-signed-mail@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525609971, "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "status": "good"}]}}'
|
|
|
|
test_begin_subtest "verify signed protected header"
|
|
output=$(notmuch show --verify --format=json id:signed-protected-header@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525350527, "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "status": "good"}], "headers": ["Subject"]}}'
|
|
|
|
test_begin_subtest "protected subject does not leak by default in replies"
|
|
output=$(notmuch reply --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:["original"]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
|
|
'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
|
|
'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'
|
|
|
|
test_begin_subtest "protected subject is not indexed by default"
|
|
output=$(notmuch search --output=messages 'subject:"This is a protected header"')
|
|
test_expect_equal "$output" ''
|
|
|
|
test_begin_subtest "reindex message with protected header"
|
|
test_expect_success 'notmuch reindex --decrypt=true id:protected-header@crypto.notmuchmail.org'
|
|
|
|
test_begin_subtest "protected subject is indexed when cleartext is indexed"
|
|
output=$(notmuch search --output=messages 'subject:"This is a protected header"')
|
|
test_expect_equal "$output" 'id:protected-header@crypto.notmuchmail.org'
|
|
|
|
test_begin_subtest "indexed protected subject is visible in search"
|
|
output=$(notmuch search --format=json 'id:protected-header@crypto.notmuchmail.org')
|
|
test_json_nodes <<<"$output" \
|
|
'subject:[0]["subject"]="This is a protected header"'
|
|
|
|
test_begin_subtest "indexed protected subject is not visible in reply header"
|
|
output=$(notmuch reply --format=json 'id:protected-header@crypto.notmuchmail.org')
|
|
test_json_nodes <<<"$output" \
|
|
'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
|
|
'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'
|
|
|
|
test_begin_subtest "verify correct protected header when submessage exists"
|
|
output=$(notmuch show --decrypt=true --format=json id:encrypted-message-with-forwarded-attachment@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="This is the cryptographic envelope subject"'
|
|
|
|
test_begin_subtest "verify protected header is both signed and encrypted"
|
|
output=$(notmuch show --decrypt=true --format=json id:encrypted-signed@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={
|
|
"signed":{"status": [{"status": "good", "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "created": 1525812676}],
|
|
"encrypted": true, "headers": ["Subject"]},"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="Rhinoceros dinner"'
|
|
|
|
test_begin_subtest "verify protected header is signed even when not masked"
|
|
output=$(notmuch show --decrypt=true --format=json id:encrypted-signed-not-masked@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'crypto:[0][0][0]["crypto"]={
|
|
"signed":{"status": [{"status": "good", "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "created": 1525812676}],
|
|
"encrypted": true, "headers": ["Subject"]},"decrypted": {"status": "full"}}' \
|
|
'subject:[0][0][0]["headers"]["Subject"]="Rhinoceros dinner"'
|
|
|
|
test_begin_subtest "reindex everything, ensure headers are as expected"
|
|
notmuch reindex --decrypt=true from:test_suite@notmuchmail.org
|
|
output=$(notmuch search --output=messages 'subject:"protected header" or subject:"Rhinoceros" or subject:"draft-melnikov-smime-header-signing" or subject:"valid"' | sort)
|
|
test_expect_equal "$output" 'id:encrypted-signed-not-masked@crypto.notmuchmail.org
|
|
id:encrypted-signed@crypto.notmuchmail.org
|
|
id:nested-rfc822-message@crypto.notmuchmail.org
|
|
id:protected-header@crypto.notmuchmail.org
|
|
id:subjectless-protected-header@crypto.notmuchmail.org'
|
|
|
|
test_begin_subtest "when rendering protected headers, avoid rendering legacy-display part"
|
|
output=$(notmuch show --format=json id:protected-with-legacy-display@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'subject:[0][0][0]["headers"]["Subject"]="Interrupting Cow"' \
|
|
'no_legacy_display:[0][0][0]["body"][0]["content"][1]["content-type"]="text/plain"'
|
|
|
|
test_begin_subtest "when replying, avoid rendering legacy-display part"
|
|
output=$(notmuch reply --format=json id:protected-with-legacy-display@crypto.notmuchmail.org)
|
|
test_json_nodes <<<"$output" \
|
|
'no_legacy_display:["original"]["body"][0]["content"][1]["content-type"]="text/plain"'
|
|
|
|
test_begin_subtest "do not treat legacy-display part as body when indexing"
|
|
output=$(notmuch search --output=messages body:interrupting)
|
|
test_expect_equal "$output" ''
|
|
|
|
test_begin_subtest "identify message that had a legacy display part skipped during indexing"
|
|
output=$(notmuch search --output=messages property:index.repaired=skip-protected-headers-legacy-display)
|
|
test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail.org
|
|
|
|
for variant in multipart-signed onepart-signed; do
|
|
test_begin_subtest "verify signed PKCS#7 subject ($variant)"
|
|
[ "$variant" = multipart-signed ] || test_subtest_known_broken
|
|
output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example")
|
|
test_json_nodes <<<"$output" \
|
|
'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
|
|
'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \
|
|
'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \
|
|
'not_encrypted:[0][0][0]["crypto"]!"decrypted"'
|
|
test_begin_subtest "verify signed PKCS#7 subject ($variant) signer User ID"
|
|
if [ $NOTMUCH_GMIME_X509_CERT_VALIDITY -ne 1 ] || [ "$variant" != multipart-signed ]; then
|
|
test_subtest_known_broken
|
|
fi
|
|
test_json_nodes <<<"$output" \
|
|
'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"'
|
|
done
|
|
|
|
for variant in sign+enc sign+enc+legacy-disp; do
|
|
test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant)"
|
|
test_subtest_known_broken
|
|
output=$(notmuch show --decrypt=true --format=json "id:smime-${variant}@protected-headers.example")
|
|
test_json_nodes <<<"$output" \
|
|
'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
|
|
'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \
|
|
'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \
|
|
'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}'
|
|
test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant) signer User ID"
|
|
test_subtest_known_broken
|
|
test_json_nodes <<<"$output" \
|
|
'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"'
|
|
|
|
done
|
|
|
|
test_begin_subtest "confirm encryption-protected PKCS#7 subject (enc+legacy-disp)"
|
|
test_subtest_known_broken
|
|
output=$(notmuch show --decrypt=true --format=json "id:smime-enc+legacy-disp@protected-headers.example")
|
|
test_json_nodes <<<"$output" \
|
|
'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}' \
|
|
'no_sig:[0][0][0]["crypto"]!"signed"'
|
|
|
|
|
|
# TODO: test that a part that looks like a legacy-display in
|
|
# multipart/signed, but not encrypted, is indexed and not stripped.
|
|
|
|
# TODO: test that a legacy-display in a decrypted subpart (not in the
|
|
# cryptographic payload) is indexed and not stripped.
|
|
|
|
# TODO: test that a legacy-display inside multiple MIME layers that
|
|
# include an encryption layer (e.g. multipart/encrypted around
|
|
# multipart/signed) is stripped and not indexed.
|
|
|
|
test_done
|