Re: [PATCH] test: initial tests for smime

Subject: Re: [PATCH] test: initial tests for smime

Date: Sat, 17 Jan 2015 14:54:54 -0800

To: David Bremner, Notmuch Mail

From: Jameson Graef Rollins


On Sat, Jan 17 2015, David Bremner <david@tethera.net> wrote:
>> But do we really need to test the message output of openssl?  It seems
>> like it's broken, and if it ever gets fixed we'll need to change this
>> test.
>
> I think it's not so much broken as "canonical". There is some discussion
> in the openssl-smime man page that pointed me to RFC5751
> para 3.1.1
>
>    MIME entities of major type "text" MUST have both their line endings
>    and character set canonicalized.  The line ending MUST be the pair of
>    characters <CR><LF>

Interesting, and oh well.  Not going to fall down that rabbit hole!

>> But all we really care about is that openssl is properly verifying the
>> message, yes?  Why not just test that and forget about the rest of
>> openssl's output?
>
> Maybe it doesn't add too much as long as the message is using the "clear
> signed" multipart/signed format. On the other hand there is an opaque
> signed format (application/pkcs7-mime with Signeddata) too, where it
> would be interesting to check for mangling of the text. Similarly, when
> we add a similar test for encryption, I think we do want to check the
> content, so we'll have to figure this out at some point.

But at any point are we using the output of the message piped through
openssl?  Does gmime (possibly via gpgsm) actually pipe the message
through openssl before further parsing it?  If so, then I guess we do
care about what openssl does to the original message.  If not, then I'm
still not sure we care.

jamie.