GNU bug report logs - #17780
mml-smime/openssl fails to include intermediate certificates

Packages: gnus, emacs;

Reported by: Jan Beich <jbeich <at> vfemail.net>

Date: Sat, 14 Jun 2014 17:00:03 UTC

Severity: normal

Tags: fixed

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Jan Beich <jbeich <at> vfemail.net>
Cc: 17780 <at> debbugs.gnu.org
Subject: bug#17780: mml-smime/openssl fails to include intermediate certificates
Date: Wed, 25 Jan 2017 18:44:08 +0100

Jan Beich <jbeich <at> vfemail.net> writes:

> mml-smime-openssl-sign-query only returns the user certificate from
> smime-keys. If the user certificate requires other intermediate
> certificates to verify it, mml-smime-openssl-sign doesn't include them
> when signing a message. Later, upon reading such a message, the openssl
> binary fails with
>
>   Verification failure
>   34380500552:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:openssl/crypto/pkcs7/pk7_smime.c:342:Verify error:unable to get local issuer certificate
>
> To reproduce, compose a mail with C-c RET S s (mml-secure-sign-smime) using
> the following settings, send it, and read it while looking at the S/MIME button.
>
>   ;; adapted from http://www.emacswiki.org/emacs/GnusSMIME
>   (setq mm-verify-option 'always)
>   (setq gnus-buttonized-mime-types '("multipart/signed"))
>   (setq mml-smime-use 'openssl)
>   (setq smime-CA-file "/etc/ssl/cert.pem")
>   (setq smime-keys '(("foo <at> bar" "~/mycert.pem"
>                          ("~/mychain.pem"))))
>
> Here's a quick workaround.
>
> diff --git a/lisp/gnus/mml-smime.el b/lisp/gnus/mml-smime.el
> index caa1380..0fde8f5 100644
> --- a/lisp/gnus/mml-smime.el
> +++ b/lisp/gnus/mml-smime.el
> @@ -118,9 +118,9 @@
>  (defun mml-smime-openssl-sign (cont)
>    (when (null smime-keys)
>      (customize-variable 'smime-keys)
>      (error "No S/MIME keys configured, use customize to add your key"))
> -  (smime-sign-buffer (cdr (assq 'keyfile cont)))
> +  (smime-sign-buffer (cdar smime-keys))
>    (goto-char (point-min))
>    (while (search-forward "\r\n" nil t)
>      (replace-match "\n" t t))
>    (goto-char (point-max)))
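
Review bot: `(cdar smime-keys)` in the changed line always takes the first entry of `smime-keys` and no longer consults `cont`, so with more than one key configured the message is signed with the first entry's key and chain regardless of the `keyfile` carried in `cont`. With the `smime-keys` layout shown in the report (address, key file, list of chain files), the argument also changes shape from a single key file to a list of the key file plus the chain list. That is what brings the intermediates in, but it should be taken from the entry whose key file matches `(cdr (assq 'keyfile cont))` rather than from the head of the list, and the new argument shape deserves a comment.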

Sorry for the late response; the bug report has been sitting in a part
of the bug tracker that nobody has looked at due to a misunderstanding.

I'm not familiar at all with the smime code, so I can't really say
whether this change is the best one.  Are there any adverse side-effects
to this change?

Does anybody who knows this code want to weigh in?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
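
A reproduction of the failure described in the report, added here as an example and not taken from the thread or from Emacs. It builds a constructed root, intermediate and signer hierarchy, then signs one message with only the signer certificate and once more with the intermediate passed via `-certfile`; all subject names and file names are assumptions.

```shell
#!/bin/sh
# Constructed demo: all subjects, file names and the message are made up.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Build a throwaway hierarchy: Demo Root -> Demo Intermediate -> Demo Signer.
build_pki() (
  cd "$work"
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
    -keyout root.key -out root.pem
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Signer' \
    -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem
)

# sign_msg OUT [openssl args]: sign msg.txt with the signer key into $work/OUT.
sign_msg() {
  out=$1; shift
  openssl smime -sign -in "$work/msg.txt" -signer "$work/leaf.pem" \
    -inkey "$work/leaf.key" "$@" -out "$work/$out" 2>/dev/null
}

# verify_msg FILE: verify as a recipient who trusts only the root CA.
verify_msg() {
  openssl smime -verify -in "$work/$1" -CAfile "$work/root.pem" \
    -out /dev/null 2>/dev/null
}

build_pki >/dev/null 2>&1
printf 'constructed test message\n' > "$work/msg.txt"
sign_msg leaf-only.eml                              # signer certificate only
sign_msg with-chain.eml -certfile "$work/int.pem"   # intermediate embedded too

for f in leaf-only.eml with-chain.eml; do
  if verify_msg "$f"; then echo "$f: verified"; else echo "$f: verification failure"; fi
done
```

The recipient here holds only the root, so the signature without the embedded intermediate cannot be chained to a trust anchor, which is the "unable to get local issuer certificate" case from the report.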




This bug report was last modified 5 years and 300 days ago.
