;;; mml-smime.el --- S/MIME support for MML
-;; Copyright (c) 2000 Free Software Foundation, Inc.
+;; Copyright (c) 2000, 2001 Free Software Foundation, Inc.
;; Author: Simon Josefsson <simon@josefsson.org>
;; Keywords: Gnus, MIME, S/MIME, MML
(require 'mm-decode)
(defun mml-smime-sign (cont)
- (smime-sign-buffer (cdr (assq 'keyfile cont))))
+ (when (null smime-keys)
+ (customize-variable 'smime-keys)
+ (error "No S/MIME keys configured, use customize to add your key"))
+ (smime-sign-buffer (cdr (assq 'keyfile cont)))
+ (goto-char (point-max)))
(defun mml-smime-encrypt (cont)
(let (certnames certfiles tmp file tmpfiles)
(if (not (and (not (file-exists-p tmp))
(get-buffer tmp)))
(push tmp certfiles)
- (setq file (make-temp-name mm-tmp-directory))
+ (setq file (mm-make-temp-file (expand-file-name "mml."
+ mm-tmp-directory)))
(with-current-buffer tmp
(write-region (point-min) (point-max) file))
(push file certfiles)
t)
(while (setq tmp (pop tmpfiles))
(delete-file tmp))
- nil)))
+ nil))
+ (goto-char (point-max)))
(defun mml-smime-sign-query ()
;; query information (what certificate) from user when MML tag is
(smime-get-key-by-email
(completing-read "Sign this part with what signature? "
smime-keys nil nil
- (and (listp (car-safe smime-keys))
+ (and (listp (car-safe smime-keys))
(caar smime-keys))))))))
(defun mml-smime-get-file-cert ()
(while (not result)
(setq who (read-from-minibuffer
(format "%sLookup certificate for: " (or bad ""))
- (cadr (funcall gnus-extract-address-components
+ (cadr (funcall gnus-extract-address-components
(or (save-excursion
(save-restriction
(message-narrow-to-headers)
;; todo: try dns/ldap automatically first, before prompting user
(let (certs done)
(while (not done)
- (ecase (read (gnus-completing-read "dns" "Fetch certificate from"
- '(("dns") ("file")) nil t))
+ (ecase (read (gnus-completing-read-with-default
+ "dns" "Fetch certificate from"
+ '(("dns") ("file")) nil t))
(dns (setq certs (append certs
(mml-smime-get-dns-cert))))
(file (setq certs (append certs
certs))
(defun mml-smime-verify (handle ctl)
- (with-current-buffer (mm-handle-multipart-original-buffer ctl)
- ;; xxx modifies buffer -- noone else uses the buffer, so what the heck
+ (with-temp-buffer
+ (insert-buffer-substring (mm-handle-multipart-original-buffer ctl))
(goto-char (point-min))
(insert (format "Content-Type: %s; " (mm-handle-media-type ctl)))
- (insert (format "protocol=\"%s\"; "
+ (insert (format "protocol=\"%s\"; "
(mm-handle-multipart-ctl-parameter ctl 'protocol)))
- (insert (format "micalg=\"%s\"; "
+ (insert (format "micalg=\"%s\"; "
(mm-handle-multipart-ctl-parameter ctl 'micalg)))
(insert (format "boundary=\"%s\"\n\n"
(mm-handle-multipart-ctl-parameter ctl 'boundary)))
(when (get-buffer smime-details-buffer)
(kill-buffer smime-details-buffer))
- (if (smime-verify-buffer)
+ (let ((buf (current-buffer))
+ (good-signature (smime-noverify-buffer))
+ (good-certificate (and (or smime-CA-file smime-CA-directory)
+ (smime-verify-buffer)))
+ addresses openssl-output)
+ (setq openssl-output (with-current-buffer smime-details-buffer
+ (buffer-string)))
+ (if (not good-signature)
+ (progn
+ ;; we couldn't verify message, fail with openssl output as message
+ (mm-set-handle-multipart-parameter
+ mm-security-handle 'gnus-info "Failed")
+ (mm-set-handle-multipart-parameter
+ mm-security-handle 'gnus-details
+ (concat "OpenSSL failed to verify message integrity:\n"
+ "-------------------------------------------\n"
+ openssl-output)))
;; verify mail addresses in mail against those in certificate
(when (and (smime-pkcs7-region (point-min) (point-max))
(smime-pkcs7-certificates-region (point-min) (point-max)))
(with-temp-buffer
- (insert-buffer-substring (mm-handle-multipart-original-buffer ctl))
- (if (not (member from (and (smime-pkcs7-email-region
- (point-min) (point-max))
- (smime-buffer-as-string-region
- (point-min) (point-max)))))
- (progn
- (mm-set-handle-multipart-parameter
- mm-security-handle 'gnus-info "Sender forged")
- (mm-set-handle-multipart-parameter
- mm-security-handle 'gnus-details
- (with-current-buffer
- (mm-handle-multipart-original-buffer ctl)
- (buffer-string))))
- (mm-set-handle-multipart-parameter
- mm-security-handle 'gnus-info "OK")
- (kill-buffer smime-details-buffer))))
- (mm-set-handle-multipart-parameter
- mm-security-handle 'gnus-info "Failed")
- (mm-set-handle-multipart-parameter
- mm-security-handle 'gnus-details
- (with-current-buffer smime-details-buffer
- (buffer-string))))
- handle))
+ (insert-buffer-substring buf)
+ (goto-char (point-min))
+ (while (re-search-forward "-----END CERTIFICATE-----" nil t)
+ (when (smime-pkcs7-email-region (point-min) (point))
+ (setq addresses (append (smime-buffer-as-string-region
+ (point-min) (point)) addresses)))
+ (delete-region (point-min) (point)))
+ (setq addresses (mapcar 'downcase addresses))))
+ (if (not (member (downcase (or (mm-handle-multipart-from ctl) "")) addresses))
+ (mm-set-handle-multipart-parameter
+ mm-security-handle 'gnus-info "Sender address forged")
+ (if good-certificate
+ (mm-set-handle-multipart-parameter
+ mm-security-handle 'gnus-info "Ok (sender authenticated)")
+ (mm-set-handle-multipart-parameter
+ mm-security-handle 'gnus-info "Ok (sender not trusted)")))
+ (mm-set-handle-multipart-parameter
+ mm-security-handle 'gnus-details
+ (concat "Sender claimed to be: " (mm-handle-multipart-from ctl) "\n"
+ (if addresses
+ (concat "Addresses in certificate: "
+ (mapconcat 'identity addresses ", "))
+ "No addresses found in certificate. (Requires OpenSSL 0.9.6 or later.)")
+ "\n" "\n"
+ "OpenSSL output:\n"
+ "---------------\n" openssl-output "\n"
+ "Certificate(s) inside S/MIME signature:\n"
+ "---------------------------------------\n"
+ (buffer-string) "\n")))))
+ handle)
(defun mml-smime-verify-test (handle ctl)
smime-openssl-program)