Christoph =>

Thank you for your `smime_keys' -- where did you get that particular
instance of it? I am running Mutt 1.5.4i (2003-03-19) on Debian, and my
version gives all sorts of errors; but, yours works for me -- once I do
two (2) things:

[1] My openssl is in a different location:

    my $opensslbin = "/opt/bin/openssl";
    my $opensslbin = "/usr/bin/openssl";

[2] Out of the box (gunzip ;), I get this:

    # ~/dLoad/computers/mutt/smime_keys.cludwig
    bash: /home/mds/dLoad/computers/mutt/smime_keys.cludwig: /usr/bin/perl:
    bad interpreter: Permission denied

Somehow, the copy I received has some weird character buried somewhere
inside ;< I got it to work this way, and /tmp/tmp.pl works:

    grep -v '^\([ ]*#\|$\)' ./smime_keys.cludwig > /tmp/tmp.pl

Christoph Ludwig <cludwig@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
[2004:01:11:11:44:36+0100] scribed:
> On Sat, Jan 10, 2004 at 04:25:20PM -0600, Michael D Schleif wrote:
<snip />
> > [1] I get an odd error on verify; but, I think that doc/smime-notes.txt
> > answers this with ``purpose fields of a certificate do not get verified
> > yet'':
> >
> > # /usr/lib/mutt/smime_keys verify 0da0f5fe.0
> > ==> about to verify certificate of mds@xxxxxxxxxxx
> > /home/mds/.smime/certificates/0da0f5fe.0: /CN=Thawte Freemail \
> > Member/emailAddress=mds@xxxxxxxxxxx
> > error 26 at 0 depth lookup:unsupported certificate purpose
> > OK
>
> I never encountered this particular error. But then, I never had to
> verify Thawte certificates... Can you send us the certificate chain?
> (If you didn't change the S/MIME related config variables copied from
> contrib/smime.rc then sending a signed message should be sufficient.)

An associate has problems encrypting to me, and we suspect that the
extensions that I added to my Thawte certificate caused his problems:

    Data Encipherment
    Digital Signature

Currently, I am using a Thawte certificate _without_ extensions, and I
get these results:

    # /usr/lib/mutt/smime_keys.ORIG verify 0da0f5fe.0
    Use of uninitialized value in string eq at /usr/lib/mutt/smime_keys.ORIG
    line 956.
    Use of uninitialized value in string eq at /usr/lib/mutt/smime_keys.ORIG
    line 961.
    ==> about to verify certificate of mds@xxxxxxxxxxx
    /home/mds/.smime/certificates/0da0f5fe.0: OK

    # /tmp/tmp.pl verify 0da0f5fe.0
    ==> about to verify certificate of mds@xxxxxxxxxxx
    /home/mds/.smime/certificates/0da0f5fe.0: OK

Clearly, that script that came in my distribution is seriously flawed ;<

> Perhaps it is possible to tweak the OpenSSL configuration to accept
> this extension.
>
> > [2] smime_keys stumbles badly at `list':
> >
> > # /usr/lib/mutt/smime_keys.ORIG list
> > 0da0f5fe.0: Issued for: mds@xxxxxxxxxxx "thawte-personal" (Trusted)
> > Use of uninitialized value in string eq at /usr/lib/mutt/smime_keys.ORIG
> > \
> > line 961, <F> line 1.
> > unable to load certificate
> > 13958:error:0906D06C:PEM routines:PEM_read_bio:no start \
> > line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
> > '/usr/bin/openssl x509 -subject -issuer -dates -noout -in \
> > /tmp/smime/cert_tmp.list -inform PEM' returned 256 at i\
> > /usr/lib/mutt/smime_keys.ORIG line 320, <F> line 1.
> >
> >
> > Partly, this is due to smime_keys _not_ following the function template
> > that it sets _twice_:
> >
> > # grep -n 'newfile *(' /usr/lib/mutt/smime_keys.ORIG | grep -v ','
> > 29:sub newfile ($;$$);
> > 735: my $newindex = newfile("$path/.index.tmp");
> > 952:sub newfile ($;$$) {
> > 958: $tmpdir = newfile("$tmpdir/smime");
> >
> >
> > However, even with this:
> >
> > # diff -u /usr/lib/mutt/smime_keys.ORIG /usr/lib/mutt/smime_keys
> > +++ /usr/lib/mutt/smime_keys 2004-01-10 15:58:46.000000000 -0600
> > @@ -953,6 +953,8 @@
> > # returns a file name which does not exist for tmp file creation
> > my $filename = shift;
> > my $option = shift;
> > + defined $option
> > + or $option = "";
> > if (! $tmpdir and $option eq "temp") {
> > $tmpdir = mutt_Q 'tmpdir';
> > $tmpdir = newfile("$tmpdir/smime");
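
Review bot: In the two added lines at the top of newfile, `defined $option or $option = "";` would read more plainly as the single statement `$option = "" unless defined $option;`, and it deserves a short comment saying why the default is needed: the recursive call `newfile("$tmpdir/smime")` at the end of this hunk passes no second argument, so `$option eq "temp"` is otherwise evaluated on an undefined value. The diff as posted carries only the `+++` header line; include the matching `---` line when resubmitting.
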
>
> I already reported this minor bug on mutt-dev and submitted a
> patch. Unfortunately, it was not committed to CVS, don't ask me why.
>
> The missing check for undefined $option causes a warning from the Perl
> interpreter but has nothing to do with the failure of smime_keys list.
>
> > I still get these errors:
> >
> > # /usr/lib/mutt/smime_keys list
> > 0da0f5fe.0: Issued for: mds@xxxxxxxxxxx "thawte-personal" (Trusted)
>   ^^^^^^^^^^^(1)
> > unable to load certificate
> > 18868:error:0906D06C:PEM routines:PEM_read_bio:no start \
> > line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
> > '/usr/bin/openssl x509 -subject -issuer -dates -noout -in \
> > /tmp/smime/cert_tmp.list -inform PEM' returned 256 at
>   ^^^^^^^^^^^^^^^^^^^^^^^^(2)
> > /usr/lib/mutt/smime_keys line 320, <F> line 1.
> >
> >
> > What do you think?
>
> I am surprised - if I look at my copy of smime_keys then I don't
> understand how you can get this error message. The output marked
> (1) is the value of $fields[1]; the output marked (2) is the value of
> $certfile, set to "$certificates_path/$fields[1]". Therefore, (2)
> should be similar to $HOME/.smime/certificates/0da0f5fe.0. You can't
> blame openssl for failing if it is given the wrong file...
>
> I don't get any errors with "smime_keys list", but the line number
> reported in the error message above does not match with my smime_keys,
> either. I attached my copy - perhaps a diff shows the reason for your
> problem.

Your script appears to behave correctly:

    # /tmp/tmp.pl list
    0da0f5fe.0: Issued for: mds@xxxxxxxxxxx "thawte-personal-2" (Trusted)
    Subject: Thawte Freemail Member
    Issued by: Thawte Personal Freemail Issuing CA
    Certificate is not valid before Jan 11 06:21:33 2004 GMT
    or after Jan 10 06:21:33 2005 GMT
    - Matching private key installed -
    Certificate purposes: (displays S/MIME options only)
    S/MIME signing
    S/MIME encryption

Which version of mutt are you using? Where did you get that copy of the
script?

Thank you, again.

--
Best Regards,
mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know. The more I know, the more I know I don't know . . .
--