GNU bug report logs - #17780
mml-smime/openssl fails to include intermediate certificates


Packages: gnus, emacs;

Reported by: Jan Beich <jbeich <at> vfemail.net>

Date: Sat, 14 Jun 2014 17:00:03 UTC

Severity: normal

Tags: fixed

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bugs <at> gnus.org:
bug#17780; Package gnus. (Sat, 14 Jun 2014 17:00:03 GMT)

Acknowledgement sent to Jan Beich <jbeich <at> vfemail.net>:
New bug report received and forwarded. Copy sent to bugs <at> gnus.org. (Sat, 14 Jun 2014 17:00:04 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jan Beich <jbeich <at> vfemail.net>
To: submit <at> debbugs.gnu.org (The Gnus Bugfixing Girls + Boys)
Subject: mml-smime/openssl fails to include intermediate certificates
Date: Sat, 14 Jun 2014 14:31:39 +0200

mml-smime-openssl-sign-query only returns the user certificate from
smime-keys. If the user certificate requires other intermediate
certificates to verify it, mml-smime-openssl-sign doesn't include them
when signing a message. Later, upon reading such a message, the openssl
binary fails with

  Verification failure
  34380500552:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:openssl/crypto/pkcs7/pk7_smime.c:342:Verify error:unable to get local issuer certificate

To reproduce, compose a mail with C-c RET S s (mml-secure-sign-smime) using
the following settings, send it and read it while looking at the S/MIME button.

  ;; adapted from http://www.emacswiki.org/emacs/GnusSMIME
  (setq mm-verify-option 'always)
  (setq gnus-buttonized-mime-types '("multipart/signed"))
  (setq mml-smime-use 'openssl)
  (setq smime-CA-file "/etc/ssl/cert.pem")
  (setq smime-keys '(("foo <at> bar" "~/mycert.pem"
                         ("~/mychain.pem"))))

Here's a quick workaround.

diff --git a/lisp/gnus/mml-smime.el b/lisp/gnus/mml-smime.el
index caa1380..0fde8f5 100644
--- a/lisp/gnus/mml-smime.el
+++ b/lisp/gnus/mml-smime.el
@@ -118,9 +118,9 @@
 (defun mml-smime-openssl-sign (cont)
   (when (null smime-keys)
     (customize-variable 'smime-keys)
     (error "No S/MIME keys configured, use customize to add your key"))
-  (smime-sign-buffer (cdr (assq 'keyfile cont)))
+  (smime-sign-buffer (cdar smime-keys))
   (goto-char (point-min))
   (while (search-forward "\r\n" nil t)
     (replace-match "\n" t t))
   (goto-char (point-max)))
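
Review bot: (cdar smime-keys) on the + line always takes the first entry of smime-keys and no longer consults cont, so with more than one identity configured the message is signed with the first entry's key, whatever key was selected earlier and stored under 'keyfile. Suggest looking up the smime-keys entry whose key file matches (cdr (assq 'keyfile cont)) and passing that entry's cdr, so the chain list travels with the key that was actually chosen.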





Information forwarded to bugs <at> gnus.org:
bug#17780; Package gnus. (Wed, 25 Jan 2017 17:46:02 GMT)

Message #8 received at 17780 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Jan Beich <jbeich <at> vfemail.net>
Cc: 17780 <at> debbugs.gnu.org
Subject: Re: bug#17780: mml-smime/openssl fails to include intermediate
 certificates
Date: Wed, 25 Jan 2017 18:44:08 +0100

Jan Beich <jbeich <at> vfemail.net> writes:

> mml-smime-openssl-sign-query only returns user certificate from
> smime-keys. If user certificate requires other intermediate
> certificates to verify it mml-smime-openssl-sign doesn't include them
> when signing a message. Later, upon reading such message openssl
> binary fails with
>
>   Verification failure
>   34380500552:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:openssl/crypto/pkcs7/pk7_smime.c:342:Verify error:unable to get local issuer certificate
>
> To reproduce compose a mail with C-c RET S s (mml-secure-sign-smime) using
> the following settings, send it and read while looking at S/MIME button.
>
>   ;; adapted from http://www.emacswiki.org/emacs/GnusSMIME
>   (setq mm-verify-option 'always)
>   (setq gnus-buttonized-mime-types '("multipart/signed"))
>   (setq mml-smime-use 'openssl)
>   (setq smime-CA-file "/etc/ssl/cert.pem")
>   (setq smime-keys '(("foo <at> bar" "~/mycert.pem"
>                          ("~/mychain.pem"))))
>
> Here's a quick workaround.
>
> diff --git a/lisp/gnus/mml-smime.el b/lisp/gnus/mml-smime.el
> index caa1380..0fde8f5 100644
> --- a/lisp/gnus/mml-smime.el
> +++ b/lisp/gnus/mml-smime.el
> @@ -118,9 +118,9 @@
>  (defun mml-smime-openssl-sign (cont)
>    (when (null smime-keys)
>      (customize-variable 'smime-keys)
>      (error "No S/MIME keys configured, use customize to add your key"))
> -  (smime-sign-buffer (cdr (assq 'keyfile cont)))
> +  (smime-sign-buffer (cdar smime-keys))
>    (goto-char (point-min))
>    (while (search-forward "\r\n" nil t)
>      (replace-match "\n" t t))
>    (goto-char (point-max)))
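
Review bot: the argument handed to smime-sign-buffer changes shape on the + line and nothing at the call site says so. With the smime-keys value from the report, (cdar smime-keys) is the list ("~/mycert.pem" ("~/mychain.pem")), whereas the removed call passed only the value stored under 'keyfile. A short comment stating that the list form is what carries the chain files, plus a check that an smime-keys entry configured without a chain list still signs, would answer the side-effects question raised below.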

Sorry for the late response; the bug report has been sitting in a part
of the bug tracker that nobody has looked at due to a misunderstanding.

I'm not familiar at all with the smime code, so I can't really say
whether this change is the best one.  Are there any adverse side-effects
to this change?

Does anybody who knows this code want to weigh in?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug reassigned from package 'gnus' to 'emacs,gnus'. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 25 Jan 2017 17:46:02 GMT)

bug No longer marked as found in versions 5.13. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 25 Jan 2017 17:46:02 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#17780; Package emacs,gnus. (Mon, 23 Sep 2019 20:14:01 GMT)

Message #15 received at 17780 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Jan Beich <jbeich <at> vfemail.net>
Cc: 17780 <at> debbugs.gnu.org
Subject: Re: bug#17780: mml-smime/openssl fails to include intermediate
 certificates
Date: Mon, 23 Sep 2019 22:13:01 +0200

Jan Beich <jbeich <at> vfemail.net> writes:

>  (defun mml-smime-openssl-sign (cont)
>    (when (null smime-keys)
>      (customize-variable 'smime-keys)
>      (error "No S/MIME keys configured, use customize to add your key"))
> -  (smime-sign-buffer (cdr (assq 'keyfile cont)))
> +  (smime-sign-buffer (cdar smime-keys))
>    (goto-char (point-min))
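
Review bot: after the + line, cont is no longer referenced anywhere in the quoted lines of mml-smime-openssl-sign, so the 'keyfile value that the query step stores there is silently ignored. Either have the query step store the whole entry (key file plus chain list) and keep reading it from cont, or state in the docstring that the signing key now comes straight from smime-keys.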

I've tried to follow the logic of the code here, and I think this looks
correct: (assq 'keyfile cont) has only the first key, while (cdar
smime-keys) has all the keys (for this identifier).

So I've applied this patch to the Emacs trunk now.  There may be
repercussions I'm not seeing, though, so feel free to revert.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
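
The failure and the fix discussed in this thread can be reproduced with the openssl binary alone. The script below is an added example, not code from the report or from Emacs: the three-level demo PKI, the file names and the issue/verify_msg/run_demo helpers are constructed for illustration, and it assumes an openssl command with its default configuration file is on PATH.

```sh
#!/bin/sh
# Added example; every name and file below is constructed for the demo.

# issue NAME CN EXTFILE [ISSUER]: new key and certificate, self-signed if no ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "$4" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  fi
}

# verify_msg FILE: verify with only the root trusted (the role of smime-CA-file).
# Prints OK, or the text openssl reports after "Verify error:".
verify_msg() {
  if err=$(openssl smime -verify -in "$1" -CAfile root.pem -out /dev/null 2>&1); then
    echo OK
  else
    echo "$err" | sed -n 's/.*Verify error: *//p' | head -n 1
  fi
}

# run_demo: prints "bare=<result>" and "chained=<result>", one per line.
run_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=emailProtection\n' > leaf.ext
  if issue root "Demo Root" ca.ext && issue inter "Demo Intermediate" ca.ext root &&
     issue leaf "Demo Signer" leaf.ext inter; then
    echo "constructed test message" > msg.txt
    # Signer certificate only: the pre-patch behaviour the report describes.
    openssl smime -sign -in msg.txt -signer leaf.pem -inkey leaf.key -out bare.eml
    # Same signer, with the intermediate embedded via -certfile.
    openssl smime -sign -in msg.txt -signer leaf.pem -inkey leaf.key \
      -certfile inter.pem -out chained.eml
    echo "bare=$(verify_msg bare.eml)"
    echo "chained=$(verify_msg chained.eml)"
  fi
  cd / && rm -rf "$d"
)

run_demo
```

The recipient in this setup trusts only the root, so the intermediate has to arrive inside the signed message for the chain to build.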




Added tag(s) fixed. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 23 Sep 2019 20:14:02 GMT)

bug marked as fixed in version 27.1, send any further explanations to 17780 <at> debbugs.gnu.org and Jan Beich <jbeich <at> vfemail.net> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 23 Sep 2019 20:14:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 22 Oct 2019 11:24:10 GMT)

This bug report was last modified 5 years and 299 days ago.
