* Kevin J. McCarthy <ke...@8t8.us> [2015-05-18 18:10 -0400]:
> Okay. That's good to know, so the add_cert should allow multiple leafs and a possibly shared intermediate cert.
>
> I have more carefully reviewed the code in smime.c and have found nothing that appears to check the purpose of the certs. If it finds multiple matching certs for an email address, it appears to ask about the *second* match (and all subsequent matches) before finally asking about the first match. I don't understand this behavior but can only guess it may have had something to do with the order of leafs getting imported into the index at some time.
A guess (based on your description, and not actually looking at the code) is that at one time most of the smime clients put the signing key first and the encryption key second when attaching to emails. This code would make sense if the second key to be added when extracting the keys would most always be the encryption key. However, that's really not important right now.
> Just to make sure I'm not crazy, would you mind swapping the order of the lines in your .index file and double checking it asks about the second match each time? (To make it even clearer, try setting the flags to 'u' [unverified] to force it to ask for each cert).
You're not crazy: it asks for the second cert. In fact, it asks for the second cert *twice*, and never asks for the first cert. I tried without changing anything in my configuration, after modifying the index file, and after removing both certificates and adding them in reverse order (encryption first, then signing). All three times the second key was asked for twice.
> I think it would be a good idea to add a "purpose" field to the index for keys and cert, with 's' and 'e' set for the "S/MIME signing" and "S/MIME encryption" output from openssl x509 -purpose. Does that sound reasonable?
That sounds very reasonable, thanks!

Regards,
-- 
dave [ please don't CC me ]
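As an added example (not code from mutt's smime.c or smime_keys, and not from either participant), here is one way to derive the proposed 's'/'e' purpose flags from the output of `openssl x509 -purpose -noout`, and then to pick a certificate by purpose instead of by index order. The sample `openssl` output is constructed to look like a typical dual-use leaf certificate; the index line layout used by `make_index_line()` and `select_by_purpose()` is an assumption for illustration, not mutt's real `.index` format.

```python
"""Derive an S/MIME purpose flag string ('s' = signing, 'e' = encryption)
from `openssl x509 -purpose -noout` output, as proposed in the thread.

Added example; not mutt's own code. The index line layout below is an
assumption made for illustration.
"""
import re
import subprocess

# Constructed sample of `openssl x509 -purpose -noout -in cert.pem` output
# for a dual-use (sign + encrypt) leaf certificate. Not from a real cert.
SAMPLE_PURPOSE_OUTPUT = """\
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
"""

# Constructed variants: a signing-only and an encryption-only leaf, i.e. the
# split-key case where asking in index order prompts for the wrong cert.
SAMPLE_SIGNING_ONLY = SAMPLE_PURPOSE_OUTPUT.replace(
    "S/MIME encryption : Yes", "S/MIME encryption : No")
SAMPLE_ENCRYPTION_ONLY = SAMPLE_PURPOSE_OUTPUT.replace(
    "S/MIME signing : Yes", "S/MIME signing : No")

# Purpose name -> flag letter, following the proposal in the thread.
PURPOSE_FLAGS = {"S/MIME signing": "s", "S/MIME encryption": "e"}

# One "<purpose name> : Yes|No" line; openssl may append "(WARNING code=N)".
_PURPOSE_LINE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<value>Yes|No)\b")


def parse_purposes(text):
    """Map each purpose name in the openssl output to True (Yes) / False (No)."""
    purposes = {}
    for line in text.splitlines():
        m = _PURPOSE_LINE.match(line)
        if m:
            purposes[m.group("name")] = m.group("value") == "Yes"
    return purposes


def purpose_flags(text):
    """Return 'es', 'e', 's' or '' for the given openssl -purpose output.

    Exact-key lookup matters: "S/MIME signing CA : Yes" must not be taken
    as "S/MIME signing". Letters are emitted in sorted order ('es').
    """
    purposes = parse_purposes(text)
    return "".join(sorted(letter for name, letter in PURPOSE_FLAGS.items()
                          if purposes.get(name, False)))


def purpose_flags_from_file(cert_path):
    """Run the real openssl CLI on a PEM certificate (requires openssl on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-purpose", "-noout", "-in", cert_path],
        check=True, capture_output=True, text=True).stdout
    return purpose_flags(out)


def make_index_line(keyid, mailbox, label, trust, purpose_text):
    """Build an index line. ASSUMED layout: keyid mailbox label trust purpose."""
    return f"{keyid} {mailbox} {label} {trust} {purpose_flags(purpose_text) or '-'}"


def select_by_purpose(index_lines, mailbox, letter):
    """Return keyids for `mailbox` whose purpose field contains `letter`.

    With a purpose field present, the caller can ask for the encryption
    cert ('e') or signing cert ('s') directly rather than prompting for
    every match in whatever order the index happens to hold them.
    """
    chosen = []
    for line in index_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or old-format line without a purpose field
        keyid, mbox, _label, _trust, purpose = fields[:5]
        if mbox == mailbox and letter in purpose:
            chosen.append(keyid)
    return chosen


if __name__ == "__main__":
    index = [
        make_index_line("a1b2c3.0", "dave@example.com", "dave-sign", "u", SAMPLE_SIGNING_ONLY),
        make_index_line("a1b2c3.1", "dave@example.com", "dave-enc", "u", SAMPLE_ENCRYPTION_ONLY),
    ]
    for line in index:
        print(line)
    print("encrypt with:", select_by_purpose(index, "dave@example.com", "e"))
    print("sign with:   ", select_by_purpose(index, "dave@example.com", "s"))
```

`purpose_flags_from_file()` shells out to the real `openssl x509 -purpose -noout` command; everything else runs offline on the constructed samples, so the selection logic can be checked without any certificates on hand.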