* Kevin J. McCarthy <ke...@8t8.us> [2015-05-22 17:21 -0400]:
Attached is a patch which hopefully implements better certificate chain handling for add_cert. Although I've tried to test it, I am not a S/MIME user and don't have access to a large number of certificates to play with. I would greatly appreciate if smime_keys users would help me test this out.
Thank you for the patch!
Note that this patch should handle the case of multiple leafs in the certificate, but again I could use some help testing this.
I ran it under two scenarios: the first from within mutt, the second from the command line (both on the same message). In between the scenarios I removed the certificates added by the first. I have sanitized the output, but if that is a problem let me know and we'll communicate privately. First scenario: It does handle all the certificates, but does not end up using the label entered in mutt for all the certificates, nor does it allow the user to enter labels for the certificates individually when used from within mutt. Here is the behavior I see when I use the patched version of mutt (hg default branch tip). I navigate to a message that's been signed by someone whose key I want to keep. I press Ctrl-k, and receive a prompt for the label I want to give to this key (from within mutt). I enter a label (call it "dajdad"), and then I see the output in attached file 'scenario1output.txt'. Note that it determines the issuing certificates are already part of the certificate store, and does not try to add them to the store. Second scenario: I save this signature from a signed message by viewing the MIME structure and saving the 'smime.p7s' portion to a file. I then execute the following to get the certs in PEM format. #v+ openssl pkcs7 -in smime.p7s -inform DER -print_certs > smime.PEM #v- Finally, I execute `smime_keys add_cert smime.PEM`, which results in the output in attached file 'scenario2output.txt'. I have one patch, one request, and one suggestion. First, the patch: I noticed that all four certificates (the root, intermediate, and two leaves) were all being included in the processing, when (I think) only the two leaves should be included. I also noted that the "subject" of the certificate was not being printed as specified on line 888 of the `smime_keys` script. Both resulted from the lack of the "Bag Attributes" string in the output of my openssl command (above) to extract PEM format certificates. The attached patch fixes both problems by handling the lack of "Bag Attributes" string, and results in two certificate chains being identified (properly) by smime_keys, and in the two leaf and one intermediate certificates being added to the store. Please check it over (it is intended to be used after your patch is in place). Second, the request: For some reason the patch results in the intermediate *and* root certificates ending up in the file in which the intermediate certificate should be placed. I believe this is because the code is only adding all the certificates except the root certificate to the store, but am not sure why. If you see where the error is, I'd appreciate a fix to this (I tried to figure it out, but my perl is rusty). Third, the suggestion: I would suggest letting the perl script ask for input instead of trying to get the label(s) inside mutt. Perhaps this could be a S/MIME only thing as I'm not sure how common this would be in the PGP/GPG realm. I'm not emotionally attached to this idea, though, so anything that let's the labels be set for each added leaf certificate would be excellent. Hope all that makes sense, and let me know if you need more information. Regards, -- dave [ please don't CC me ]
Found 4 certificate chains Processing chain: You may assign a label to this key, so you don't have to remember the key ID. This has to be _one_ word (no whitespaces). Enter label: certificate 11111111.0 (dajdad) for dajdad.df...@example.com added. ==> about to verify certificate of dajdad.df...@example.com /home/dave/.smime/certificates/11111111.0: C = US, O = Mine, OU = People, CN = Dajdad.Dfafj.A.23982743 error 26 at 0 depth lookup:unsupported certificate purpose OK Processing chain: You may assign a label to this key, so you don't have to remember the key ID. This has to be _one_ word (no whitespaces). Enter label: Certificate: /home/dave/.smime/certificates/22222222.0 already installed. Processing chain: You may assign a label to this key, so you don't have to remember the key ID. This has to be _one_ word (no whitespaces). Enter label: Certificate: /home/dave/.smime/certificates/33333333.0 already installed. Processing chain: You may assign a label to this key, so you don't have to remember the key ID. This has to be _one_ word (no whitespaces). Enter label: certificate 11111111.1 (-) for dajdad.df...@example.com added. ==> about to verify certificate of dajdad.df...@example.com /home/dave/.smime/certificates/11111111.1: OK
Found 4 certificate chains Processing chain: You may assign a label to this key, so you don't have to remember the key ID. This has to be _one_ word (no whitespaces). Enter label: dajdad certificate 11111111.0 (dajdad) for dajdad.df...@example.com added. ==> about to verify certificate of dajdad.df...@example.com /home/dave/.smime/certificates/11111111.0: C = US, O = Mine, OU = People, CN = Dajdad.Dfafj.A.23982743 error 26 at 0 depth lookup:unsupported certificate purpose OK Processing chain: You may assign a label to this key, so you don't have to remember the key ID. This has to be _one_ word (no whitespaces). Enter label: dajdad Certificate: /home/dave/.smime/certificates/22222222.0 already installed. Processing chain: You may assign a label to this key, so you don't have to remember the key ID. This has to be _one_ word (no whitespaces). Enter label: dajdad Certificate: /home/dave/.smime/certificates/33333333.0 already installed. Processing chain: You may assign a label to this key, so you don't have to remember the key ID. This has to be _one_ word (no whitespaces). Enter label: dajdad certificate 11111111.1 (dajdad) for dajdad.df...@example.com added. ==> about to verify certificate of dajdad.df...@example.com /home/dave/.smime/certificates/11111111.1: OK
--- smime_keys.pl.old 2015-05-23 13:50:26.180350640 -0400
+++ smime_keys.pl 2015-05-23 13:49:03.031723310 -0400
@@ -540,17 +540,17 @@
$state = 1;
}
- if ($state == 1) {
- if (/localKeyID:\s*(.*)/) {
- $cert_data->{localKeyID} = $1;
+ if ($state == 1 || /(localKeyID|subject|issuer)=\s*(.*)/) {
+ if ($1 eq "localKeyID") {
+ $cert_data->{localKeyID} = $2;
}
- if (/subject=\s*(.*)/) {
- $cert_data->{subject} = $1;
+ if ($1 eq "subject") {
+ $cert_data->{subject} = $2;
}
- if (/issuer=\s*(.*)/) {
- $cert_data->{issuer} = $1;
+ if ($1 eq "issuer") {
+ $cert_data->{issuer} = $2;
}
}
signature.asc
Description: PGP signature
