#2428: S/MIME opaque signed mails unverified or undisplayed
Changes (by brendan):

 * component: mutt => crypto

Old description: (identical to the new description below, apart from the
"> " quoting the ticket system adds to the old copy)

New description:

{{{
Hello ALL and others,

When displaying S/MIME opaque signed mails, of type
application/x-pkcs7-mime; smime-type=signed-data, Mutt 1.5.13 with
default smime.rc has one or the other of 2 problems:

| $ mutt-1.5.13-stock -nF ~/.mutt/smime.rc -Rf /tmp/smime-opaque.mbox

- If signature is GOOD: The mail text appears, but there is no OpenSSL
  output, no uppercase "S" in index, Mutt errors "S/MIME signature could
  NOT be verified.", and $beeps:

| [-- The following data is S/MIME signed --]
| test S/MIME opaque signature.
|
| [-- End of S/MIME signed data. --]
|
| S/MIME signature could NOT be verified.

- If signature is BAD (expired, lacking CA, whatever): The same hints
  of error do appear, rightly. But there is still no OpenSSL output to
  show the error reason, and the mail text does *not* appear.

| [-- The following data is S/MIME signed --]
|
| [-- End of S/MIME signed data. --]
|
| S/MIME signature could NOT be verified.

The attached smime-opaque.mbox contains 2 such signed mails, one
expired, and one valid. You'll also need the CAcert root certificate
from <URL:http://www.CAcert.org/>.

The default $smime_verify_opaque_command is "openssl smime -verify
-inform DER -in %s %C". Adding "-noverify" and removing "%C" displays
mail text always, but does not verify. I haven't found yet one command
that both verifies and always outputs text. Manual verifications:

| $ openssl smime -verify -in smime2.p7m -inform DER \
|     -CAfile ~/.smime/ca-bundle.crt -text ; echo $?
| stdout> test S/MIME opaque signature.
| stderr> Verification successful
| return> 0
|
| $ openssl smime -verify -in smime1.p7m -inform DER \
|     -CAfile ~/.smime/ca-bundle.crt -text ; echo $?
| stderr> Verification failure
| stderr> 29361:error:21075075:PKCS7 routines:PKCS7_verify:certificate \
|     verify error:pk7_smime.c:222:Verify error:certificate has expired
| return> 4

...gives nothing to stdout when verification failed. Hum... The
following double call ugly hack always displays text, and verifies to
stderr. But Mutt doesn't display stderr...

| set smime_verify_opaque_command="\
| openssl smime -verify -inform DER -in %s %C ||\
| openssl smime -verify -inform DER -in %s -noverify 2>/dev/null"

Note this was already reported in a MU thread at 1.5.5.1 times:

| Date: Fri, 2 Jan 2004 13:03:33 +0100 (CET)
| From: Alain Bench <[EMAIL PROTECTED]>
| To: Mutt users ml <mutt-users@mutt.org>
| Subject: S/MIME app/x-pkcs7-mime signed-data
| Message-ID: <[EMAIL PROTECTED]>

The other problem discussed there, about Apple Mail 2.612, seems now
solved. And the old mailcap workaround can be updated to:

| # auto_view in pager: display mail's body, without header, and verification status
| application/x-pkcs7-mime ;\
| ( openssl smime -verify -text -inform DER -in %s -CAfile ~/.smime/ca-bundle.crt ||\
|   openssl smime -verify -text -inform DER -in %s -noverify 2>/dev/null ) |\
| fromdos ;\
| nametemplate=%s.p7m ;\
| test=test %{smime-type} = signed-data ;\
| copiousoutput

Bye! Alain.

>How-To-Repeat:

>Fix:
}}}

--
Ticket URL: <http://dev.mutt.org/trac/ticket/2428#comment:2>
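Added example, not part of the ticket, of Mutt or of OpenSSL: a shell wrapper that does what the report asks for (verify the opaque signature, yet always show the body) and goes one step beyond the double-call hack in the ticket by putting the verdict, and the failure reason openssl only ever writes to stderr, on stdout, the one stream Mutt displays. The function and fixture names (smime_show_opaque, make_smime_fixture), the key, certificate and message files it generates, and the wording of the verdict lines are all constructed for this example. It assumes openssl on PATH and, like the ticket's mailcap entry, a text/plain inner entity so that -text can strip its MIME headers. The second argument is the CA bundle file itself (what $smime_ca_location points to), not the expanded %C string.

```sh
#!/bin/sh
# smime_show_opaque: display an opaque S/MIME signed message
# (application/x-pkcs7-mime; smime-type=signed-data) for Mutt.
#
# Mutt only shows what $smime_verify_opaque_command or a mailcap filter writes
# to stdout, and openssl writes its verdict to stderr, so this prints the body
# AND a one-line verdict on stdout whatever happens.  The exit status is 0 only
# when the certificate chain verified against the CA bundle.
#
# usage: smime_show_opaque FILE.p7m CA-BUNDLE   (example code; names are assumed)
smime_show_opaque() {
    p7m=$1
    cafile=$2

    # 1. Full verification: chain against the CA bundle plus the signature.
    #    openssl writes the body to stdout only when both check out.
    if body=$(openssl smime -verify -text -inform DER -in "$p7m" -CAfile "$cafile" 2>/dev/null); then
        printf '%s\n' "$body" | tr -d '\r'          # CRLF -> LF, what fromdos did
        echo "[-- S/MIME signature: GOOD --]"
        return 0
    fi

    # It failed: keep the reason openssl reports on stderr, e.g.
    # "certificate has expired" or "unable to get local issuer certificate".
    reason=$(openssl smime -verify -text -inform DER -in "$p7m" -CAfile "$cafile" 2>&1 >/dev/null \
        | sed -n 's/.*Verify error: *//p' | head -n 1)

    # 2. Show the body anyway.  -noverify skips only the chain check and still
    #    verifies the signature cryptographically; -nosigs, the last resort,
    #    skips that too, so a tampered message is still readable but flagged.
    if body=$(openssl smime -verify -text -inform DER -in "$p7m" -noverify 2>/dev/null); then
        :
    elif body=$(openssl smime -verify -text -inform DER -in "$p7m" -noverify -nosigs 2>/dev/null); then
        reason="signature does not match content"
    else
        reason="cannot parse PKCS#7 data"
    fi
    printf '%s\n' "$body" | tr -d '\r'
    echo "[-- S/MIME signature: BAD (${reason:-unknown error}) --]"
    return 1
}

# Constructed fixture (not from the ticket): a self-signed signer certificate
# that serves as its own trust anchor, an unrelated CA to provoke a chain
# failure ("lacking CA"), and a one-line body signed in opaque (-nodetach)
# DER form, the exact shape the ticket is about.
make_smime_fixture() {
    fx=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Signer/emailAddress=signer@example.org" \
        -keyout "$fx/signer.key" -out "$fx/signer.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$fx/other-ca.key" -out "$fx/other-ca.pem" 2>/dev/null
    printf 'test S/MIME opaque signature.\n' > "$fx/body.txt"
    # -text wraps the body in a text/plain MIME entity as mail clients do;
    # -nodetach embeds it in the PKCS#7 blob instead of using multipart/signed.
    openssl smime -sign -text -nodetach -outform DER \
        -signer "$fx/signer.pem" -inkey "$fx/signer.key" \
        -in "$fx/body.txt" -out "$fx/msg.p7m"
}

demo=$(mktemp -d)
make_smime_fixture "$demo"
echo '== verified against the signer certificate (GOOD) =='
smime_show_opaque "$demo/msg.p7m" "$demo/signer.pem"
echo '== verified against an unrelated CA (BAD, body still shown) =='
smime_show_opaque "$demo/msg.p7m" "$demo/other-ca.pem" || echo "exit status $?"
rm -rf "$demo"
```

To use it from Mutt, save the function as a script and point the mailcap entry at it in place of the ( openssl ... || openssl ... ) | fromdos chain, keeping the nametemplate, test and copiousoutput fields; the verdict line then shows up in the pager next to the body. Note what the tiers mean for trust: -noverify only skips chain building, the signature over the content is still checked, so it is the -nosigs tier that keeps a tampered or corrupted message readable, and the BAD line is the only thing telling the reader not to rely on what they see.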