GNU bug report logs - #67931
[PATCH] Use S/MIME key from content for mail signing via OpenSSL

Previous Next

Full log

View this message in rfc822 format

From: Illia Ostapyshyn <illia <at> yshyn.com>
To: Eric Abrahamsen <eric <at> ericabrahamsen.net>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 67931 <at> debbugs.gnu.org, Illia Ostapyshyn <illia <at> yshyn.com>, larsi <at> gnus.org, stefankangas <at> gmail.com
Subject: bug#67931: [PATCH] Use S/MIME key from content for mail signing via OpenSSL
Date: Wed, 08 May 2024 14:28:37 +0200

Eric Abrahamsen <eric <at> ericabrahamsen.net> writes:

> The patch seems to work as intended -- I won't claim to know enough
> about SMIME to know if it does the right thing or not. Can you briefly
> explain what the additional certificates actually do, and why they're
> useful in signing but not in encryption?

End-user SMIME certificates are signed by the (intermediate) CAs that
issued them.  The issuer's certificate can be in turn signed by another
CA up the hierarchy, resulting in a chain that ends with the implicitly
trusted root authority.  When signing a message, you can include the
intermediate CA certificates, allowing the recipient to verify the whole
chain.  With openssl, this is done via the -certfile argument [1]:

-certfile file
    Allows additional certificates to be specified. When signing these
    will be included with the message. When verifying these will be
    searched for the signers certificates. ...

Encryption is orthogonal to this: it only uses the public keys of your
recipients from their certificates, the chain is irrelevant.

The MML tag parameter names are a bit unfortunate here: the new
`chainfile' parameter translates to "-cerfile" arguments and the
existing `certfile' parameters translate to positional "recipcert"
arguments of openssl [1].

[1] https://www.openssl.org/docs/manmaster/man1/openssl-smime.html

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.