Discussion:
SMIME: intermediate certificates are not sent
Christoph Groth
2014-09-22 11:59:43 UTC
Hi,

I’ve recently set up Gnus to use my S/MIME key from work. I observe the
following problem described in 2007 by David Eng:
http://article.gmane.org/gmane.emacs.gnus.general/64881. There used to
be an emacs bug about this issue, but it has been closed apparently
without the bug ever being fixed:
https://lists.gnu.org/archive/html/emacs-bug-tracker/2011-01/msg00118.html.

For now I’m using the workaround of David (deleting keyfile="..." from
the #secure tag). Am I missing some way in which that issue has been
resolved?

Is S/MIME really that unpopular with Gnus users?

Thanks,
Christoph
Uwe Brauer
2014-09-22 12:13:25 UTC
Hi,
I've recently set up Gnus to use my S/MIME key from work. I observe
http://article.gmane.org/gmane.emacs.gnus.general/64881. There used
to be an emacs bug about this issue, but it has been closed
https://lists.gnu.org/archive/html/emacs-bug-tracker/2011-01/msg00118.html.
For now I'm using the workaround of David (deleting keyfile="..."
from the #secure tag). Am I missing some way in which that issue
has been resolved?
Is S/MIME really that unpopular with Gnus users?
Hm, I have been using S/MIME for almost 2 years without any problems; however,
I use

epg and gpgsm

as described in

http://www.emacswiki.org/emacs/GnusSMIME#toc8

Works much better this way.
Thanks,
Christoph
Uwe Brauer
Christoph Groth
2014-09-22 12:50:57 UTC
Hi Uwe,

Thanks, epg and gpgsm work for me as well. I suggest moving the
section you added to http://www.emacswiki.org/emacs/GnusSMIME to
the top of the page – I didn’t notice it.

Christoph
Christoph Groth
2014-09-22 12:58:42 UTC
Just in case someone is motivated to fix the S/MIME with openssl bug
(which is still the default S/MIME method in Gnus):
I've found the following workaround:
http://www.normalesup.org/~martinez/emacs/#sign_additional_certificates

The following code is equivalent, only cleaned up a bit and merged with
the current Gnus codebase. Adding it to ~/.gnus solves the issue, but
perhaps the function changes could be committed to Gnus?

--8<---------------cut here---------------start------------->8---
;; Patch to smime-sign-buffer and mml-smime-openssl-sign-query to put
;; the email address in the keyfile argument of <#secure> tag instead
;; of the key filename to take additional certificates into account when
;; signing a message.

(require 'smime) ; smime-sign-buffer comes from here

(defun smime-sign-buffer (&optional keyfile buffer)
  "S/MIME sign BUFFER with key in KEYFILE.
KEYFILE should contain a PEM encoded key and certificate."
  (interactive)
  (with-current-buffer (or buffer (current-buffer))
    ;; With this patch KEYFILE carries an email address; the key file and
    ;; its additional certificates are looked up in `smime-keys'.
    (unless (smime-sign-region
             (point-min) (point-max)
             (if keyfile
                 (smime-get-key-with-certs-by-email keyfile)
               (smime-get-key-with-certs-by-email
                (gnus-completing-read
                 "Sign using key"
                 smime-keys nil (car-safe (car-safe smime-keys))))))
      (error "Signing failed"))))


(require 'mml-smime) ; mml-smime-openssl-sign-query comes from here

(defun mml-smime-openssl-sign-query ()
  ;; query information (what certificate) from user when MML tag is
  ;; added, for use later by the signing process
  (when (null smime-keys)
    (customize-variable 'smime-keys)
    (error "No S/MIME keys configured, use customize to add your key"))
  ;; The value stored in the tag is the email address of the
  ;; `smime-keys' entry, not the key file name.
  (list 'keyfile
        (if (= (length smime-keys) 1)
            (caar smime-keys)
          (or (cadr (funcall (if (boundp
                                  'gnus-extract-address-components)
                                 gnus-extract-address-components
                               'mail-extract-address-components)
                             (or (save-excursion
                                   (save-restriction
                                     (message-narrow-to-headers)
                                     (message-fetch-field "from")))
                                 "")))
              (gnus-completing-read "Sign this part with what signature"
                                    (mapcar 'car smime-keys) nil nil nil
                                    (and (listp (car-safe smime-keys))
                                         (caar smime-keys)))))))
--8<---------------cut here---------------end--------------->8---
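
A way to check the symptom discussed in this thread, added here as an example that is not part of the original post or of Gnus: it signs one message with `openssl smime` with and without `-certfile` and counts the certificates embedded in each signature. The three-level chain, the subjects and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every name, subject and file here is constructed for the demo.
set -eu

# Build a throwaway root -> intermediate -> user chain in directory $1.
make_demo_chain() {
    (
        cd "$1"
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo Root CA" -keyout root.key -out root.pem
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -days 2 -out inter.pem
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=Demo User" -keyout user.key -out user.csr
        openssl x509 -req -in user.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -days 2 -out user.pem
        printf 'constructed test body\n' > body.txt
    ) >/dev/null 2>&1
}

# Sign body.txt in directory $1 into file $2; remaining arguments go to openssl.
sign_message() {
    dir=$1 out=$2
    shift 2
    openssl smime -sign -in "$dir/body.txt" -signer "$dir/user.pem" \
        -inkey "$dir/user.key" "$@" -out "$out" 2>/dev/null
}

# Print how many certificates are embedded in the signed message $1.
count_embedded_certs() {
    openssl smime -pk7out -in "$1" |
        openssl pkcs7 -print_certs -noout |
        grep -c '^subject' || true
}

# Print "<count without -certfile> <count with -certfile>".
compare_signatures() {
    dir=$(mktemp -d)
    make_demo_chain "$dir"
    sign_message "$dir" "$dir/bare.eml"
    sign_message "$dir" "$dir/chain.eml" -certfile "$dir/inter.pem"
    echo "$(count_embedded_certs "$dir/bare.eml") $(count_embedded_certs "$dir/chain.eml")"
    rm -rf "$dir"
}

compare_signatures   # prints: 1 2
```

Running `count_embedded_certs` on a message saved from Gnus shows whether the intermediate certificates were included: a count of 1 means only the signer certificate was sent.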
Lars Ingebrigtsen
2015-01-27 03:11:49 UTC
Post by Christoph Groth
Just in case someone is motivated to fix the S/MIME with openssl bug
http://www.normalesup.org/~martinez/emacs/#sign_additional_certificates
The following code is equivalent, only cleaned up a bit and merged with
the current Gnus codebase. Adding it to ~/.gnus solves the issue, but
perhaps the function changes could be committed to Gnus?
Could you submit a patch for this change?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog http://lars.ingebrigtsen.no/