RE: S/MIME support

Subject: RE: S/MIME support

Date: Tue, 10 Jul 2012 00:40:03 -0700

To: Bryant, Daniel B., Notmuch Mail


From: Jameson Graef Rollins

On Mon, Jul 09 2012, "Bryant, Daniel B." <> wrote:
> I was able to get signature verification working with your patchset
> (with a caveat) but not decryption.

Hi, Daniel.  I guess I'm only partially happy to hear that!  I
definitely do appreciate the feedback, though.

> The caveat is that GMime is still borked with handling signatures with
> content type application/x-pkcs7-signature
> (vs. application/pkcs7-signature, which works fine). This is upstream
> GNOME bug #674032 that was supposed to have been fixed in GMime 2.6.9,
> but that original fix is also broken.

Ah, I didn't notice that:

Encouragingly, it sounds like Jeffery is working on it.

> One possible workaround is to twiddle the content-type of the
> signature part (and the corresponding protocol in the multipart/signed
> part). I implemented this by looping over each message part in
> mime_node_open() and modifying as necessary using the following logic:
>     GMimeContentType *content_type = g_mime_object_get_content_type (part);
>     const char *subtype = g_mime_content_type_get_media_subtype (content_type);
>     const char *protocol = g_mime_content_type_get_parameter (content_type, "protocol");
>     if (!strcmp(subtype, "x-pkcs7-signature")) {
>         g_mime_content_type_set_media_subtype (content_type, "pkcs7-signature");
>     }
>     if (protocol && !strcmp(protocol, "application/x-pkcs7-signature")) {
>         g_mime_content_type_set_parameter (content_type, "protocol","application/pkcs7-signature");
>     }    

We could do this, but I would certainly prefer that we fix gmime to
handle both types properly.

> All of my S/MIME encrypted mail consists of single part messages with
> content-type "application/x-pkcs7-mime". These conform to RFC3851,
> section 3.3/3.4. (sample messages are included in the RFC as
> well). This fails to be decrypted by notmuch because the mime node
> traversal code assumes that every encrypted message is
> multipart/encrypted, which appears to only be true for PGP/MIME.

Thanks for the great example of why we need tests!

Would you (or anyone) be willing to start putting together some tests
that include messages encrypted according to this RFC?  I think adding
some tests to the test/crypto script would be a great place to start.

part-000.sig (application/pgp-signature)