Re: [Mutt] #2428: S/MIME opaque signed mails unverified or undisplayed
#2428: S/MIME opaque signed mails unverified or undisplayed
Changes (by brendan):
* component: mutt => crypto
Old description:
> {{{
>
> Hello ALL and others,
>
> When displaying S/MIME opaque signed mails, of type
> application/x-pkcs7-mime; smime-type=signed-data, Mutt 1.5.13 with
> default smime.rc has one or the other of 2 problems:
>
> | $ mutt-1.5.13-stock -nF ~/.mutt/smime.rc -Rf /tmp/smime-opaque.mbox
>
> - If signature is GOOD: The mail text appears, but there is no OpenSSL
> output, no uppercase "S" in index, Mutt errors "S/MIME signature could
> NOT be verified.", and $beeps:
>
> | [-- The following data is S/MIME signed --]
> | test S/MIME opaque signature.
> |
> | [-- End of S/MIME signed data. --]
> |
> | S/MIME signature could NOT be verified.
>
> - If signature is BAD (expired, lacking CA, whatever): The same hints
> of error do appear, rightly. But there is still no OpenSSL output to
> show the error reason, and the mail text does *not* appear.
>
> | [-- The following data is S/MIME signed --]
> |
> | [-- End of S/MIME signed data. --]
> |
> | S/MIME signature could NOT be verified.
>
> The attached smime-opaque.mbox contains 2 such signed mails, one
> expired, and one valid. You'll also need the CAcert root certificate
> from <URL:http://www.CAcert.org/>.
>
> The default $smime_verify_opaque_command is "openssl smime -verify
> -inform DER -in %s %C". Adding "-noverify" and removing "%C" displays
> mail text always, but does not verify. I haven't found yet one command
> that both verifies and always outputs text. Manual verifications:
>
> | $ openssl smime -verify -in smime2.p7m -inform DER \
> | -CAfile ~/.smime/ca-bundle.crt -text ; echo $?
> | stdout> test S/MIME opaque signature.
> | stderr> Verification successful
> | return> 0
> |
> | $ openssl smime -verify -in smime1.p7m -inform DER \
> | -CAfile ~/.smime/ca-bundle.crt -text ; echo $?
> | stderr> Verification failure
> | stderr> 29361:error:21075075:PKCS7 routines:PKCS7_verify:certificate \
> | verify error:pk7_smime.c:222:Verify error:certificate has expired
> | return> 4
>
> ...gives nothing to stdout when verification failed. Hum... The
> following double call ugly hack always displays text, and verifies to
> stderr. But Mutt doesn't display stderr...
>
> | set smime_verify_opaque_command="\
> | openssl smime -verify -inform DER -in %s %C ||\
> | openssl smime -verify -inform DER -in %s -noverify 2>/dev/null"
>
> Note this was already reported in a MU thread at 1.5.5.1 times:
>
> | Date: Fri, 2 Jan 2004 13:03:33 +0100 (CET)
> | From: Alain Bench <messtic@xxxxxxxxx>
> | To: Mutt users ml <mutt-users@xxxxxxxx>
> | Subject: S/MIME app/x-pkcs7-mime signed-data
> | Message-ID: <20040102120332.GA18510@xxxxxxxxx>
>
> The other problem discussed there, about Apple Mail 2.612, seems now
> solved. And the old mailcap workaround can be updated to:
>
> | # auto_view in pager: display mail's body, without header, and verification status
> | application/x-pkcs7-mime ;\
> | ( openssl smime -verify -text -inform DER -in %s -CAfile ~/.smime/ca-bundle.crt ||\
> | openssl smime -verify -text -inform DER -in %s -noverify 2>/dev/null ) |\
> | fromdos ;\
> | nametemplate=%s.p7m ;\
> | test=test %{smime-type} == signed-data ;\
> | copiousoutput
>
> Bye! Alain.
> >How-To-Repeat:
> >Fix:
> }}}
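A wrapper in the spirit of the double-call hack in the report, added here as an example and not code from the ticket or from Mutt: it verifies the opaque signed-data file against a CA bundle, always shows the message text, and folds the verdict plus the reason OpenSSL writes to stderr into stdout, so a stdout-only viewer such as Mutt's pager still learns why verification failed and that the text it sees is unverified. The function name smime_show_verify and the temp-file layout are this example's own; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the ticket or from Mutt. Like the
# "openssl ... || openssl ... -noverify" hack, but the verdict and the
# reason OpenSSL writes to stderr are folded into stdout, because a
# stdout-only viewer otherwise sees only the bare text.
# Usage: smime_show_verify FILE.p7m CA-BUNDLE.crt
# Returns openssl's verify status: 0 for a GOOD signature, non-zero otherwise.
# smime_show_verify and the temp-file layout are this example's own names.
smime_show_verify() {
    file=$1
    cafile=$2
    tmp=$(mktemp -d) || return 1
    # First pass: full verification against the CA bundle (what Mutt's
    # default $smime_verify_opaque_command does via %C).
    openssl smime -verify -inform DER -in "$file" -CAfile "$cafile" \
        >"$tmp/text" 2>"$tmp/err"
    status=$?
    if [ "$status" -eq 0 ]; then
        cat "$tmp/text"
        printf '\n[-- S/MIME signature GOOD: %s --]\n' "$(head -n 1 "$tmp/err")"
    else
        # Verification failed, so openssl wrote nothing to stdout.
        # Second pass: -noverify only unwraps the payload; it does not
        # vouch for it, so label the text as unverified.
        openssl smime -verify -inform DER -in "$file" -noverify \
            >"$tmp/text" 2>/dev/null
        cat "$tmp/text"
        printf '\n[-- S/MIME signature BAD, text shown UNVERIFIED --]\n'
        # Line 1 of stderr is "Verification failure"; line 2 names the
        # reason, e.g. "...Verify error:certificate has expired".
        printf '[-- openssl: %s --]\n' "$(head -n 1 "$tmp/err")"
        printf '[-- reason: %s --]\n' "$(sed -n '2p' "$tmp/err")"
    fi
    rm -rf "$tmp"
    return "$status"
}
```

The exit status is the first pass's, so a caller can still branch on GOOD versus BAD while the user always gets the text.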
--
Ticket URL: <http://dev.mutt.org/trac/ticket/2428#comment:2>