X-Git-Url: http://cgit.sxemacs.org/?a=blobdiff_plain;f=lisp%2Fsmime.el;h=6ef06b62dd2050cd9a77d9053bd624a94e3fc67c;hb=78fb54ccd668ba345d10ac2cc860a79a155d1e13;hp=b14e24a29146086dc972e4662bc105411ba2b270;hpb=781b0f756cd42d1e99cf38b60144b75cae1adea9;p=gnus diff --git a/lisp/smime.el b/lisp/smime.el index b14e24a29..6ef06b62d 100644 --- a/lisp/smime.el +++ b/lisp/smime.el @@ -1,5 +1,7 @@ ;;; smime.el --- S/MIME support library -;; Copyright (c) 2000, 2001, 2003 Free Software Foundation, Inc. + +;; Copyright (C) 2000, 2001, 2002, 2003, 2004, +;; 2005, 2006 Free Software Foundation, Inc. ;; Author: Simon Josefsson ;; Keywords: SMIME X.509 PEM OpenSSL @@ -18,15 +20,15 @@ ;; You should have received a copy of the GNU General Public License ;; along with GNU Emacs; see the file COPYING. If not, write to the -;; Free Software Foundation, Inc., 59 Temple Place - Suite 330, -;; Boston, MA 02111-1307, USA. +;; Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +;; Boston, MA 02110-1301, USA. ;;; Commentary: ;; This library perform S/MIME operations from within Emacs. ;; ;; Functions for fetching certificates from public repositories are -;; provided, currently only from DNS. LDAP support (via EUDC) is planned. +;; provided, currently from DNS and LDAP. ;; ;; It uses OpenSSL (tested with version 0.9.5a and 0.9.6) for signing, ;; encryption and decryption. @@ -115,14 +117,31 @@ ;; 2000-06-05 initial version, committed to Gnus CVS contrib/ ;; 2000-10-28 retrieve certificates via DNS CERT RRs ;; 2001-10-14 posted to gnu.emacs.sources +;; 2005-02-13 retrieve certificates via LDAP ;;; Code: (require 'dig) +(require 'smime-ldap) +(require 'password) (eval-when-compile (require 'cl)) +(eval-and-compile + (cond + ((fboundp 'replace-in-string) + (defalias 'smime-replace-in-string 'replace-in-string)) + ((fboundp 'replace-regexp-in-string) + (defun smime-replace-in-string (string regexp newtext &optional literal) + "Replace all matches for REGEXP with NEWTEXT in STRING. +If LITERAL is non-nil, insert NEWTEXT literally. Return a new +string containing the replacements. + +This is a compatibility function for different Emacsen." + (replace-regexp-in-string regexp newtext string nil literal))))) + (defgroup smime nil - "S/MIME configuration.") + "S/MIME configuration." + :group 'mime) (defcustom smime-keys nil "*Map mail addresses to a file containing Certificate (and private key). @@ -150,6 +169,7 @@ certificate." (defcustom smime-CA-file nil "*Files containing certificates for CAs you trust. File should contain certificates in PEM format." + :version "22.1" :type '(choice (const :tag "none" nil) file) :group 'smime) @@ -177,6 +197,7 @@ and the files themself should be in PEM format." (defcustom smime-encrypt-cipher "-des3" "*Cipher algorithm used for encryption." + :version "22.1" :type '(choice (const :tag "Triple DES" "-des3") (const :tag "DES" "-des") (const :tag "RC2 40 bits" "-rc2-40") @@ -184,13 +205,43 @@ and the files themself should be in PEM format." (const :tag "RC2 128 bits" "-rc2-128")) :group 'smime) +(defcustom smime-crl-check nil + "*Check revocation status of signers certificate using CRLs. +Enabling this will have OpenSSL check the signers certificate +against a certificate revocation list (CRL). + +For this to work the CRL must be up-to-date and since they are +normally updated quite often (ie. several times a day) you +probably need some tool to keep them up-to-date. Unfortunately +Gnus cannot do this for you. + +The CRL should either be appended (in PEM format) to your +`smime-CA-file' or be located in a file (also in PEM format) in +your `smime-certificate-directory' named to the X.509 hash of the +certificate with .r0 as file name extension. + +At least OpenSSL version 0.9.7 is required for this to work." + :type '(choice (const :tag "No check" nil) + (const :tag "Check certificate" "-crl_check") + (const :tag "Check certificate chain" "-crl_check_all")) + :group 'smime) + (defcustom smime-dns-server nil "*DNS server to query certificates from. If nil, use system defaults." + :version "22.1" :type '(choice (const :tag "System defaults") string) :group 'smime) +(defcustom smime-ldap-host-list nil + "A list of LDAP hosts with S/MIME user certificates. +If needed search base, binddn, passwd, etc. for the LDAP host +must be set in `ldap-host-parameters-alist'." + :type '(repeat (string :tag "Host name")) + :version "23.0" ;; No Gnus + :group 'smime) + (defvar smime-details-buffer "*OpenSSL output*") ;; Use mm-util? @@ -207,11 +258,13 @@ If nil, use system defaults." ;; Password dialog function -(defun smime-ask-passphrase () - "Asks the passphrase to unlock the secret key." +(defun smime-ask-passphrase (&optional cache-key) + "Asks the passphrase to unlock the secret key. +If `cache-key' and `password-cache' is non-nil then cache the +password under `cache-key'." (let ((passphrase - (read-passwd - "Passphrase for secret key (RET for no passphrase): "))) + (password-read-and-add + "Passphrase for secret key (RET for no passphrase): " cache-key))) (if (string= passphrase "") nil passphrase))) @@ -243,11 +296,11 @@ certificates to include in its caar. If no additional certificates is included, KEYFILE may be the file containing the PEM encoded private key and certificate itself." (smime-new-details-buffer) - (let ((keyfile (or (car-safe keyfile) keyfile)) - (certfiles (and (cdr-safe keyfile) (cadr keyfile))) - (buffer (generate-new-buffer (generate-new-buffer-name " *smime*"))) - (passphrase (smime-ask-passphrase)) - (tmpfile (smime-make-temp-file "smime"))) + (let* ((certfiles (and (cdr-safe keyfile) (cadr keyfile))) + (keyfile (or (car-safe keyfile) keyfile)) + (buffer (generate-new-buffer (generate-new-buffer-name " *smime*"))) + (passphrase (smime-ask-passphrase (expand-file-name keyfile))) + (tmpfile (smime-make-temp-file "smime"))) (if passphrase (setenv "GNUS_SMIME_PASSPHRASE" passphrase)) (prog1 @@ -308,16 +361,18 @@ is expected to contain of a PEM encoded certificate." KEYFILE should contain a PEM encoded key and certificate." (interactive) (with-current-buffer (or buffer (current-buffer)) - (smime-sign-region - (point-min) (point-max) - (if keyfile - keyfile - (smime-get-key-with-certs-by-email - (completing-read - (concat "Sign using which key? " - (if smime-keys (concat "(default " (caar smime-keys) ") ") - "")) - smime-keys nil nil (car-safe (car-safe smime-keys)))))))) + (unless (smime-sign-region + (point-min) (point-max) + (if keyfile + keyfile + (smime-get-key-with-certs-by-email + (completing-read + (concat "Sign using key" + (if smime-keys + (concat " (default " (caar smime-keys) "): ") + ": ")) + smime-keys nil nil (car-safe (car-safe smime-keys)))))) + (error "Signing failed")))) (defun smime-encrypt-buffer (&optional certfiles buffer) "S/MIME encrypt BUFFER for recipients specified in CERTFILES. @@ -326,11 +381,12 @@ a PEM encoded key and certificate. Uses current buffer if BUFFER is nil." (interactive) (with-current-buffer (or buffer (current-buffer)) - (smime-encrypt-region - (point-min) (point-max) - (or certfiles - (list (read-file-name "Recipient's S/MIME certificate: " - smime-certificate-directory nil)))))) + (unless (smime-encrypt-region + (point-min) (point-max) + (or certfiles + (list (read-file-name "Recipient's S/MIME certificate: " + smime-certificate-directory nil)))) + (error "Encryption failed")))) ;; Verify+decrypt region @@ -348,6 +404,8 @@ Any details (stdout and stderr) are left in the buffer specified by (expand-file-name smime-CA-directory)))))) (unless CAs (error "No CA configured")) + (if smime-crl-check + (add-to-list 'CAs smime-crl-check)) (if (apply 'smime-call-openssl-region b e (list smime-details-buffer t) "smime" "-verify" "-out" "/dev/null" CAs) t @@ -376,7 +434,7 @@ Any details (stderr on success, stdout and stderr on error) are left in the buffer specified by `smime-details-buffer'." (smime-new-details-buffer) (let ((buffer (generate-new-buffer (generate-new-buffer-name " *smime*"))) - CAs (passphrase (smime-ask-passphrase)) + CAs (passphrase (smime-ask-passphrase (expand-file-name keyfile))) (tmpfile (smime-make-temp-file "smime"))) (if passphrase (setenv "GNUS_SMIME_PASSPHRASE" passphrase)) @@ -441,9 +499,9 @@ in the buffer specified by `smime-details-buffer'." (or keyfile (smime-get-key-by-email (completing-read - (concat "Decipher using which key? " - (if smime-keys (concat "(default " (caar smime-keys) ") ") - "")) + (concat "Decipher using key" + (if smime-keys (concat " (default " (caar smime-keys) "): ") + ": ")) smime-keys nil nil (car-safe (car-safe smime-keys))))))))) ;; Various operations @@ -489,20 +547,13 @@ A string or a list of strings is returned." (caddr curkey) (smime-get-certfiles keyfile otherkeys))))) -;; Use mm-util? -(eval-and-compile - (defalias 'smime-point-at-eol - (if (fboundp 'point-at-eol) - 'point-at-eol - 'line-end-position))) - (defun smime-buffer-as-string-region (b e) "Return each line in region between B and E as a list of strings." (save-excursion (goto-char b) (let (res) (while (< (point) e) - (let ((str (buffer-substring (point) (smime-point-at-eol)))) + (let ((str (buffer-substring (point) (point-at-eol)))) (unless (string= "" str) (push str res))) (forward-line)) @@ -516,6 +567,7 @@ A string or a list of strings is returned." mailaddr)) (defun smime-cert-by-dns (mail) + "Find certificate via DNS for address MAIL." (let* ((dig-dns-server smime-dns-server) (digbuf (dig-invoke (smime-mail-to-domain mail) "cert" nil nil "+vc")) (retbuf (generate-new-buffer (format "*certificate for %s*" mail))) @@ -536,6 +588,49 @@ A string or a list of strings is returned." (kill-buffer digbuf) retbuf)) +(defun smime-cert-by-ldap-1 (mail host) + "Get cetificate for MAIL from the ldap server at HOST." + (let ((ldapresult (smime-ldap-search (concat "mail=" mail) + host '("userCertificate") nil)) + (retbuf (generate-new-buffer (format "*certificate for %s*" mail))) + cert) + (if (>= (length ldapresult) 1) + (with-current-buffer retbuf + ;; Certificates on LDAP servers _should_ be in DER format, + ;; but there are some servers out there that distributes the + ;; certificates in PEM format (with or without + ;; header/footer) so we try to handle them anyway. + (if (or (string= (substring (cadaar ldapresult) 0 27) + "-----BEGIN CERTIFICATE-----") + (string= (substring (cadaar ldapresult) 0 3) + "MII")) + (setq cert + (smime-replace-in-string + (cadaar ldapresult) + (concat "\\(\n\\|\r\\|-----BEGIN CERTIFICATE-----\\|" + "-----END CERTIFICATE-----\\)") + "" t)) + (setq cert (base64-encode-string (cadaar ldapresult) t))) + (insert "-----BEGIN CERTIFICATE-----\n") + (let ((i 0) (len (length cert))) + (while (> (- len 64) i) + (insert (substring cert i (+ i 64)) "\n") + (setq i (+ i 64))) + (insert (substring cert i len) "\n")) + (insert "-----END CERTIFICATE-----\n")) + (kill-buffer retbuf) + (setq retbuf nil)) + retbuf)) + +(defun smime-cert-by-ldap (mail) + "Find certificate via LDAP for address MAIL." + (if smime-ldap-host-list + (catch 'certbuf + (dolist (host smime-ldap-host-list) + (let ((retbuf (smime-cert-by-ldap-1 mail host))) + (when retbuf + (throw 'certbuf retbuf))))))) + ;; User interface. (defvar smime-buffer "*SMIME*") @@ -567,7 +662,8 @@ The following commands are available: (use-local-map smime-mode-map) (buffer-disable-undo) (setq truncate-lines t) - (setq buffer-read-only t)) + (setq buffer-read-only t) + (gnus-run-mode-hooks 'smime-mode-hook)) (defun smime-certificate-info (certfile) (interactive "fCertificate file: ") @@ -617,4 +713,5 @@ The following commands are available: (provide 'smime) +;;; arch-tag: e3f9b938-5085-4510-8a11-6625269c9a9e ;;; smime.el ends here