[gmime-devel] gmime and S/MIME

Jeffrey Stedfast fejj at gnome.org
Thu Jan 29 06:40:59 PST 2015


Hi David,

On 1/29/2015 7:42 AM, David Bremner wrote:
> With a few others, I've been attempting to get S/MIME supported in
> notmuch (which as you might or might not remember is using gmime
> underneath). The signature verification part is working OK, but I've
> gotten a bit bogged down trying to get decryption working.
>
> What I have learned is that according to RFC5751, smime message (parts)
> look like
>
>     Media type:  application/pkcs7-mime
>     parameters:  any
>     file suffix: any
>
>     Media type:  multipart/signed
>     parameters:  protocol="application/pkcs7-signature"
>     file suffix: any
>
>     Media type:  application/octet-stream
>     parameters:  any
>     file suffix: p7m, p7s, p7c, p7z
>
> Unless I miss something, out of the box there is only support for
> decrypting multipart/encrypted.  In particular the gmime tests for
> S/MIME use this "container format" [1].

Correct, I don't think I ever got around to implementing the 
GMimeApplicationPkcs7Mime class.

>
> So I'm wondering if I'm confused about the RFC(s), or about GMIME, or is
> one supposed to write analogs of g_mime_multipart_encrypted_decrypt for
> other top level parts?

You are not confused. I would probably hesitate to say that it was my 
*intention* for everyone to implement their own S/MIME class for 
pkcs7-mime, but in any case, that is what needs to be done right now :(

FWIW, I've written another library called MimeKit in C# which shares a 
similar design to GMime that is hosted on GitHub that implements the 
pkcs7-mime class:

https://github.com/jstedfast/MimeKit/blob/master/MimeKit/Cryptography/ApplicationPkcs7Mime.cs

Hopefully that helps provide you with ideas on how to implement the same 
sort of thing using GMime for notmuch.

(btw, if you end up implementing this, I'd love to accept your patches 
into GMime proper)

Jeff
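
Added example, not part of the original message and not GMime, MimeKit or notmuch code: a plain-C sketch of the dispatch a client needs in order to recognise the three RFC 5751 part shapes quoted above, rather than only multipart/encrypted. All function and enum names are hypothetical, the header in main() is constructed, and the smime-type parameter in it comes from RFC 5751, not from this thread.

```c
#include <ctype.h>
#include <string.h>

typedef enum { SMIME_NONE, SMIME_PKCS7_MIME, SMIME_SIGNED, SMIME_BY_SUFFIX } smime_kind;
/* Case-insensitive prefix match; MIME type and parameter names ignore case. */
static int istarts(const char *s, const char *p) {
    while (*p && tolower((unsigned char)*s) == tolower((unsigned char)*p)) s++, p++;
    return *p == '\0';
}
/* Whole-token match, so "application/pkcs7-mimeX" is not accepted. */
static int type_is(const char *ct, const char *type) {
    size_t n = strlen(type);
    return istarts(ct, type) && (ct[n] == '\0' || ct[n] == ';' || isspace((unsigned char)ct[n]));
}
/* Copy parameter `name` into out; 1 if found. Simplification: no ';' inside quoted values. */
static int ct_param(const char *ct, const char *name, char *out, size_t n) {
    size_t len = strlen(name), i = 0;
    for (const char *p = strchr(ct, ';'); p; p = strchr(p, ';')) {
        for (p++; isspace((unsigned char)*p); p++) {}
        if (!istarts(p, name) || p[len] != '=') continue;
        int quoted = (p[len + 1] == '"');
        for (p += len + 1 + quoted; *p && i + 1 < n; p++) {
            if (quoted ? *p == '"' : (*p == ';' || isspace((unsigned char)*p))) break;
            out[i++] = *p;
        }
        out[i] = '\0';
        return 1;
    }
    return 0;
}
/* File suffixes from the RFC 5751 table quoted above: p7m, p7s, p7c, p7z. */
static int smime_suffix(const char *filename) {
    static const char *const sfx[] = { "p7m", "p7s", "p7c", "p7z" };
    const char *dot = filename ? strrchr(filename, '.') : NULL;
    for (size_t i = 0; dot && i < 4; i++)
        if (istarts(dot + 1, sfx[i]) && dot[4] == '\0') return 1;
    return 0;
}
/* Classify one part from its Content-Type value and optional file name (may be NULL). */
smime_kind smime_classify(const char *ct, const char *filename) {
    char proto[64];
    if (type_is(ct, "application/pkcs7-mime")) return SMIME_PKCS7_MIME;
    if (type_is(ct, "multipart/signed") && ct_param(ct, "protocol", proto, sizeof proto))
        return type_is(proto, "application/pkcs7-signature") ? SMIME_SIGNED : SMIME_NONE;
    if (type_is(ct, "application/octet-stream") && smime_suffix(filename)) return SMIME_BY_SUFFIX;
    return SMIME_NONE;
}
int main(void) { /* constructed header; exit status 0 means it was recognised as pkcs7-mime */
    return smime_classify("application/pkcs7-mime; smime-type=enveloped-data", "smime.p7m") != SMIME_PKCS7_MIME;
}
```

SMIME_BY_SUFFIX is only a hint that the body may be CMS data; the part still has to be parsed before it is treated as encrypted or signed.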
