mirror of
https://git.notmuchmail.org/git/notmuch
synced 2024-11-22 10:58:10 +01:00
4cb789aa09
This allows MUAs that don't want to think about per-mime-part cryptographic status to have a simple high-level overview of the message's cryptographic state. Sensibly structured encrypted and/or signed messages will work fine with this. The only requirement for the simplest encryption + signing is that the message have all of its encryption and signing protection (the "cryptographic envelope") in a contiguous set of MIME layers at the very outside of the message itself. This is because messages with some subparts signed or encrypted, but with other subparts with no cryptographic protection is very difficult to reason about, and even harder for the user to make sense of or work with. For further characterization of the Cryptographic Envelope and some of the usability tradeoffs, see here: https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#cryptographic-envelope
97 lines
3.5 KiB
Bash
Executable file
97 lines
3.5 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
|
|
test_description='S/MIME signature verification and decryption'
|
|
. $(dirname "$0")/test-lib.sh || exit 1
|
|
|
|
add_gpgsm_home ()
|
|
{
|
|
local fpr
|
|
[ -d ${GNUPGHOME} ] && return
|
|
_gnupg_exit () { gpgconf --kill all 2>/dev/null || true; }
|
|
at_exit_function _gnupg_exit
|
|
mkdir -m 0700 "$GNUPGHOME"
|
|
gpgsm --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1
|
|
fpr=$(gpgsm --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p')
|
|
echo "$fpr S relax" >> $GNUPGHOME/trustlist.txt
|
|
test_debug "cat $GNUPGHOME/import.log"
|
|
}
|
|
|
|
test_require_external_prereq openssl
|
|
test_require_external_prereq gpgsm
|
|
|
|
cp $NOTMUCH_SRCDIR/test/smime/key+cert.pem test_suite.pem
|
|
|
|
FINGERPRINT=$(openssl x509 -fingerprint -in test_suite.pem -noout | sed -e 's/^.*=//' -e s/://g)
|
|
|
|
add_gpgsm_home
|
|
|
|
test_begin_subtest "emacs delivery of S/MIME signed message"
|
|
test_expect_success \
|
|
'emacs_fcc_message \
|
|
"test signed message 001" \
|
|
"This is a test signed message." \
|
|
"(mml-secure-message-sign \"smime\")"'
|
|
|
|
test_begin_subtest "emacs delivery of S/MIME encrypted + signed message"
|
|
# Hard code the MML to avoid several interactive questions
|
|
test_expect_success \
|
|
'emacs_fcc_message \
|
|
"test encrypted message 001" \
|
|
"<#secure method=smime mode=signencrypt keyfile=\\\"test_suite.pem\\\" certfile=\\\"test_suite.pem\\\">\nThis is a test encrypted message.\n"'
|
|
|
|
test_begin_subtest "Signature verification (openssl)"
|
|
notmuch show --format=raw subject:"test signed message 001" |\
|
|
openssl smime -verify -CAfile $NOTMUCH_SRCDIR/test/smime/test.crt 2>OUTPUT
|
|
cat <<EOF > EXPECTED
|
|
Verification successful
|
|
EOF
|
|
test_expect_equal_file EXPECTED OUTPUT
|
|
|
|
test_begin_subtest "signature verification (notmuch CLI)"
|
|
output=$(notmuch show --format=json --verify subject:"test signed message 001" \
|
|
| notmuch_json_show_sanitize \
|
|
| sed -e 's|"created": [-1234567890]*|"created": 946728000|g' \
|
|
-e 's|"expires": [-1234567890]*|"expires": 424242424|g' )
|
|
expected='[[[{"id": "XXXXX",
|
|
"match": true,
|
|
"excluded": false,
|
|
"filename": ["YYYYY"],
|
|
"timestamp": 946728000,
|
|
"date_relative": "2000-01-01",
|
|
"tags": ["inbox","signed"],
|
|
"crypto": {"signed": {"status": [{"fingerprint": "'$FINGERPRINT'", "status": "good","userid": "CN=Notmuch Test Suite","expires": 424242424, "created": 946728000}]}},
|
|
"headers": {"Subject": "test signed message 001",
|
|
"From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
|
|
"To": "test_suite@notmuchmail.org",
|
|
"Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
|
|
"body": [{"id": 1,
|
|
"sigstatus": [{"fingerprint": "'$FINGERPRINT'",
|
|
"status": "good",
|
|
"userid": "CN=Notmuch Test Suite",
|
|
"expires": 424242424,
|
|
"created": 946728000}],
|
|
"content-type": "multipart/signed",
|
|
"content": [{"id": 2,
|
|
"content-type": "text/plain",
|
|
"content": "This is a test signed message.\n"},
|
|
{"id": 3,
|
|
"content-disposition": "attachment",
|
|
"content-length": "NONZERO",
|
|
"content-transfer-encoding": "base64",
|
|
"content-type": "application/x-pkcs7-signature",
|
|
"filename": "smime.p7s"}]}]},
|
|
[]]]]'
|
|
test_expect_equal_json \
|
|
"$output" \
|
|
"$expected"
|
|
|
|
test_begin_subtest "Decryption and signature verification (openssl)"
|
|
notmuch show --format=raw subject:"test encrypted message 001" |\
|
|
openssl smime -decrypt -recip test_suite.pem |\
|
|
openssl smime -verify -CAfile $NOTMUCH_SRCDIR/test/smime/test.crt 2>OUTPUT
|
|
cat <<EOF > EXPECTED
|
|
Verification successful
|
|
EOF
|
|
test_expect_equal_file EXPECTED OUTPUT
|
|
|
|
test_done
|