#3559: smime_keys.pl considers only first certificate of a chain
--------------------+-------------------------------------------------------
Reporter: andy | Owner: mutt-dev
Type: defect | Status: new
Priority: minor | Milestone:
Component: crypto | Version: 1.5.21
Keywords: |
--------------------+-------------------------------------------------------
When smime_keys.pl is used as smime_import_cert_command to add keys via
the extract-keys function (Ctrl-K), it gets the whole certificate chain
from the pkcs7 data (via smime_pk7out_command and smime_get_cert_command).
Before 1.5.21, smime_keys.pl split the certificates and handled them as
separate user certificates, which was wrong. Now it takes the chain as a
whole, which is better (best would be automatically splitting it into leaf
certificate and intermediate chain certificates, but that would be asking
too much), but since it now calls openssl to extract information from the
whole chain (e.g. "$opensslbin x509 -email" in line 469), it gets
information for the first certificate in the chain, which may or may not
be the user's certificate - mutt appends the intermediate certificates to
the user certificate, other MUAs start the chain with the root CA, the
user's certificate being last. This results in (at least) no .index entry
if the root CA certificate has no associated email address, or even a
wrong .index entry. A solution would require splitting up the chain of
certificates, reconstructing the correct order and applying the
single-certificate commands to the user's certificate - well, then we're
almost at the aforementioned automatic handling of intermediate chain
certificates.
If you see this as a valid point, but are in need of someone to code it,
I'd volunteer to give it a try...
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3559>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
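As an added illustration (not part of the ticket or of mutt's smime_keys.pl), the split-then-select approach the reporter sketches: cut the PEM bundle into individual certificates, pick the leaf as the certificate whose subject issues no other certificate in the chain (so either chain order works), and only then run the per-certificate openssl command. All function names and the sample subject/issuer names are constructed for this example.

```python
import re
import subprocess

# One PEM block per certificate; re.S lets '.' span the base64 lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(bundle):
    """Split a concatenated PEM bundle into its individual certificates, in file order."""
    return [block + "\n" for block in PEM_BLOCK.findall(bundle)]


def leaf_index(names):
    """Given (subject, issuer) pairs for every certificate in a chain, return the index
    of the end-entity (user) certificate: the one whose subject issues no other
    certificate in the chain. Independent of whether the leaf or the root comes first."""
    if len(names) == 1:  # lone (possibly self-signed) user certificate
        return 0
    issuers = {issuer for _subject, issuer in names}
    leaves = [i for i, (subject, _issuer) in enumerate(names) if subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("chain has %d leaf candidates, expected exactly 1" % len(leaves))
    return leaves[0]


def openssl_names(pem):
    """Subject and issuer of ONE certificate, asked of openssl as smime_keys.pl does per cert."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                         input=pem, text=True, capture_output=True, check=True).stdout
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return fields["subject"].strip(), fields["issuer"].strip()


def leaf_emails(bundle):
    """Email addresses of the user's certificate, wherever it sits in the bundle
    (an empty list means the leaf carries no address, the ticket's missing-.index case)."""
    certs = split_pem_chain(bundle)
    leaf = certs[leaf_index([openssl_names(c) for c in certs])]
    out = subprocess.run(["openssl", "x509", "-noout", "-email"],
                         input=leaf, text=True, capture_output=True, check=True).stdout
    return out.split()


# Constructed sample names for the two chain orders the ticket describes.
MUTT_ORDER = [("CN=Andy User", "CN=Example Intermediate CA"),
              ("CN=Example Intermediate CA", "CN=Example Root CA"),
              ("CN=Example Root CA", "CN=Example Root CA")]
ROOT_FIRST_ORDER = list(reversed(MUTT_ORDER))
# Constructed bundle with placeholder bodies (not real certificates), only to show the split.
FAKE_BUNDLE = ("-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
               "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n")
```

`leaf_emails` needs a real PEM chain and an openssl binary on PATH; the pure functions run on the constructed samples as-is.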