S/MIME support

Jameson Graef Rollins jrollins at finestructure.net
Tue Jul 10 00:40:03 PDT 2012


On Mon, Jul 09 2012, "Bryant, Daniel B." <Dan.Bryant at jhuapl.edu> wrote:
> I was able to get signature verification working with your patchset
> (with a caveat) but not decryption.

Hi, Daniel.  I guess I'm only partially happy to hear that!  I
definitely do appreciate the feedback, though.

> The caveat is that GMime is still borked with handling signatures with
> content type application/x-pkcs7-signature
> (vs. application/pkcs7-signature, which works fine). This is upstream
> GNOME bug #674032 that was supposed to have been fixed in GMime 2.6.9,
> but that original fix is also broken.

Ah, I didn't notice that:

https://bugzilla.gnome.org/show_bug.cgi?id=674032

Encouragingly, it sounds like Jeffery is working on it.

> One possible workaround is to twiddle the content-type of the
> signature part (and the corresponding protocol in the multipart/signed
> part). I implemented this by looping over each message part in
> mime_node_open() and modifying as necessary using the following logic:
>
>
>     GMimeContentType *content_type = g_mime_object_get_content_type (part);
>
>     const char *subtype = g_mime_content_type_get_media_subtype (content_type);
>     const char *protocol = g_mime_content_type_get_parameter (content_type, "protocol");
>
>     if (!strcmp(subtype, "x-pkcs7-signature")) {
>         g_mime_content_type_set_media_subtype (content_type, "pkcs7-signature");
>     }
>
>     if (protocol && !strcmp(protocol, "application/x-pkcs7-signature")) {
>         g_mime_content_type_set_parameter (content_type, "protocol","application/pkcs7-signature");
>     }    

We could do this, but I would certainly prefer that we fix gmime to
handle both types properly.

> All of my S/MIME encrypted mail consists of single part messages with
> content-type "application/x-pkcs7-mime". These conform to RFC3851,
> section 3.3/3.4. (sample messages are included in the RFC as
> well). This fails to be decrypted by notmuch because the mime node
> traversal code assumes that every encrypted message is
> multipart/encrypted, which appears to only be true for PGP/MIME.

Thanks for the great example of why we need tests!

Would you (or anyone) be willing to start putting together some tests
that include messages encrypted according to this RFC?  I think adding
some tests to the test/crypto script would be a great place to start.

jamie.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://notmuchmail.org/pipermail/notmuch/attachments/20120710/7606e81b/attachment-0001.pgp>


More information about the notmuch mailing list