;;; smime.el --- S/MIME support library
-;; Copyright (c) 2000, 2001, 2003 Free Software Foundation, Inc.
+
+;; Copyright (C) 2000-2016 Free Software Foundation, Inc.
;; Author: Simon Josefsson <simon@josefsson.org>
;; Keywords: SMIME X.509 PEM OpenSSL
;; This file is part of GNU Emacs.
-;; GNU Emacs is free software; you can redistribute it and/or modify
-;; it under the terms of the GNU General Public License as published
-;; by the Free Software Foundation; either version 2, or (at your
-;; option) any later version.
+;; GNU Emacs is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU General Public License as published by
+;; the Free Software Foundation, either version 3 of the License, or
+;; (at your option) any later version.
-;; GNU Emacs is distributed in the hope that it will be useful, but
-;; WITHOUT ANY WARRANTY; without even the implied warranty of
-;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-;; General Public License for more details.
+;; GNU Emacs is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU General Public License for more details.
;; You should have received a copy of the GNU General Public License
-;; along with GNU Emacs; see the file COPYING. If not, write to the
-;; Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-;; Boston, MA 02111-1307, USA.
+;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
;;; Commentary:
;; This library perform S/MIME operations from within Emacs.
;;
;; Functions for fetching certificates from public repositories are
-;; provided, currently only from DNS. LDAP support (via EUDC) is planned.
+;; provided, currently from DNS and LDAP.
;;
;; It uses OpenSSL (tested with version 0.9.5a and 0.9.6) for signing,
;; encryption and decryption.
;; done on messages encoded in these formats. The terminology chosen
;; reflect this.
;;
-;; The home of this file is in Gnus CVS, but also available from
+;; The home of this file is in Gnus, but also available from
;; http://josefsson.org/smime.html.
;;; Quick introduction:
;;
;; Now you should be able to sign messages! Create a buffer and write
;; something and run M-x smime-sign-buffer RET RET and you should see
-;; your message MIME armoured and a signature. Encryption, M-x
+;; your message MIME armored and a signature. Encryption, M-x
;; smime-encrypt-buffer, should also work.
;;
;; To be able to verify messages you need to build up trust with
;;
;; I would include pointers to introductory text on concepts used in
;; this library here, but the material I've read are so horrible I
-;; don't want to recomend them.
+;; don't want to recommend them.
;;
;; Why can't someone write a simple introduction to all this stuff?
;; Until then, much of this resemble security by obscurity.
;; 2000-06-05 initial version, committed to Gnus CVS contrib/
;; 2000-10-28 retrieve certificates via DNS CERT RRs
;; 2001-10-14 posted to gnu.emacs.sources
+;; 2005-02-13 retrieve certificates via LDAP
;;; Code:
(require 'dig)
+
+(if (locate-library "password-cache")
+ (require 'password-cache)
+ (require 'password))
+
(eval-when-compile (require 'cl))
+(eval-and-compile
+ (cond
+ ((fboundp 'replace-in-string)
+ (defalias 'smime-replace-in-string 'replace-in-string))
+ ((fboundp 'replace-regexp-in-string)
+ (defun smime-replace-in-string (string regexp newtext &optional literal)
+ "Replace all matches for REGEXP with NEWTEXT in STRING.
+If LITERAL is non-nil, insert NEWTEXT literally. Return a new
+string containing the replacements.
+
+This is a compatibility function for different Emacsen."
+ (replace-regexp-in-string regexp newtext string nil literal)))))
+
(defgroup smime nil
- "S/MIME configuration.")
+ "S/MIME configuration."
+ :group 'mime)
(defcustom smime-keys nil
"*Map mail addresses to a file containing Certificate (and private key).
Directory should contain files (in PEM format) named to the X.509
hash of the certificate. This can be done using OpenSSL such as:
-$ ln -s ca.pem `openssl x509 -noout -hash -in ca.pem`.0
+$ ln -s ca.pem \\=`openssl x509 -noout -hash -in ca.pem\\=`.0
where `ca.pem' is the file containing a PEM encoded X.509 CA
certificate."
(defcustom smime-CA-file nil
"*Files containing certificates for CAs you trust.
File should contain certificates in PEM format."
+ :version "22.1"
:type '(choice (const :tag "none" nil)
file)
:group 'smime)
(defcustom smime-certificate-directory "~/Mail/certs/"
"*Directory containing other people's certificates.
It should contain files named to the X.509 hash of the certificate,
-and the files themself should be in PEM format."
+and the files themselves should be in PEM format."
;The S/MIME library provide simple functionality for fetching
;certificates into this directory, so there is no need to populate it
;manually.
(defcustom smime-encrypt-cipher "-des3"
"*Cipher algorithm used for encryption."
+ :version "22.1"
:type '(choice (const :tag "Triple DES" "-des3")
(const :tag "DES" "-des")
(const :tag "RC2 40 bits" "-rc2-40")
:group 'smime)
(defcustom smime-crl-check nil
- "*Check revocation status of signers certificate using CRLs."
+ "*Check revocation status of signers certificate using CRLs.
+Enabling this will have OpenSSL check the signers certificate
+against a certificate revocation list (CRL).
+
+For this to work the CRL must be up-to-date and since they are
+normally updated quite often (i.e., several times a day) you
+probably need some tool to keep them up-to-date. Unfortunately
+Gnus cannot do this for you.
+
+The CRL should either be appended (in PEM format) to your
+`smime-CA-file' or be located in a file (also in PEM format) in
+your `smime-certificate-directory' named to the X.509 hash of the
+certificate with .r0 as file name extension.
+
+At least OpenSSL version 0.9.7 is required for this to work."
:type '(choice (const :tag "No check" nil)
(const :tag "Check certificate" "-crl_check")
(const :tag "Check certificate chain" "-crl_check_all"))
(defcustom smime-dns-server nil
"*DNS server to query certificates from.
If nil, use system defaults."
+ :version "22.1"
:type '(choice (const :tag "System defaults")
string)
:group 'smime)
+(defcustom smime-ldap-host-list nil
+ "A list of LDAP hosts with S/MIME user certificates.
+If needed search base, binddn, passwd, etc. for the LDAP host
+must be set in `ldap-host-parameters-alist'."
+ :type '(repeat (string :tag "Host name"))
+ :version "23.1" ;; No Gnus
+ :group 'smime)
+
(defvar smime-details-buffer "*OpenSSL output*")
;; Use mm-util?
temporary-file-directory))))))
;; Password dialog function
+(declare-function password-read-and-add "password-cache" (prompt &optional key))
-(defun smime-ask-passphrase ()
- "Asks the passphrase to unlock the secret key."
+(defun smime-ask-passphrase (&optional cache-key)
+ "Asks the passphrase to unlock the secret key.
+If `cache-key' and `password-cache' is non-nil then cache the
+password under `cache-key'."
(let ((passphrase
- (read-passwd
- "Passphrase for secret key (RET for no passphrase): ")))
+ (password-read-and-add
+ "Passphrase for secret key (RET for no passphrase): " cache-key)))
(if (string= passphrase "")
nil
passphrase)))
included, KEYFILE may be the file containing the PEM encoded private
key and certificate itself."
(smime-new-details-buffer)
- (let ((keyfile (or (car-safe keyfile) keyfile))
- (certfiles (and (cdr-safe keyfile) (cadr keyfile)))
- (buffer (generate-new-buffer (generate-new-buffer-name " *smime*")))
- (passphrase (smime-ask-passphrase))
- (tmpfile (smime-make-temp-file "smime")))
+ (let* ((certfiles (and (cdr-safe keyfile) (cadr keyfile)))
+ (keyfile (or (car-safe keyfile) keyfile))
+ (buffer (generate-new-buffer " *smime*"))
+ (passphrase (smime-ask-passphrase (expand-file-name keyfile)))
+ (tmpfile (smime-make-temp-file "smime")))
(if passphrase
(setenv "GNUS_SMIME_PASSPHRASE" passphrase))
(prog1
have proper MIME tags. CERTFILES is a list of filenames, each file
is expected to contain of a PEM encoded certificate."
(smime-new-details-buffer)
- (let ((buffer (generate-new-buffer (generate-new-buffer-name " *smime*")))
+ (let ((buffer (generate-new-buffer " *smime*"))
(tmpfile (smime-make-temp-file "smime")))
(prog1
(when (prog1
KEYFILE should contain a PEM encoded key and certificate."
(interactive)
(with-current-buffer (or buffer (current-buffer))
- (smime-sign-region
- (point-min) (point-max)
- (if keyfile
- keyfile
- (smime-get-key-with-certs-by-email
- (completing-read
- (concat "Sign using which key? "
- (if smime-keys (concat "(default " (caar smime-keys) ") ")
- ""))
- smime-keys nil nil (car-safe (car-safe smime-keys))))))))
+ (unless (smime-sign-region
+ (point-min) (point-max)
+ (if keyfile
+ keyfile
+ (smime-get-key-with-certs-by-email
+ (gnus-completing-read
+ "Sign using key"
+ smime-keys nil (car-safe (car-safe smime-keys))))))
+ (error "Signing failed"))))
(defun smime-encrypt-buffer (&optional certfiles buffer)
"S/MIME encrypt BUFFER for recipients specified in CERTFILES.
nil."
(interactive)
(with-current-buffer (or buffer (current-buffer))
- (smime-encrypt-region
- (point-min) (point-max)
- (or certfiles
- (list (read-file-name "Recipient's S/MIME certificate: "
- smime-certificate-directory nil))))))
+ (unless (smime-encrypt-region
+ (point-min) (point-max)
+ (or certfiles
+ (list (read-file-name "Recipient's S/MIME certificate: "
+ smime-certificate-directory nil))))
+ (error "Encryption failed"))))
;; Verify+decrypt region
(insert-buffer-substring smime-details-buffer)
nil))
-(eval-when-compile
- (defvar from))
-
-(defun smime-decrypt-region (b e keyfile)
+(defun smime-decrypt-region (b e keyfile &optional from)
"Decrypt S/MIME message in region between B and E with key in KEYFILE.
+Optional FROM specifies sender's mail address.
On success, replaces region with decrypted data and return non-nil.
Any details (stderr on success, stdout and stderr on error) are left
in the buffer specified by `smime-details-buffer'."
(smime-new-details-buffer)
- (let ((buffer (generate-new-buffer (generate-new-buffer-name " *smime*")))
- CAs (passphrase (smime-ask-passphrase))
+ (let ((buffer (generate-new-buffer " *smime*"))
+ ;; CAs -- unused? --SY.
+ (passphrase (smime-ask-passphrase (expand-file-name keyfile)))
(tmpfile (smime-make-temp-file "smime")))
(if passphrase
(setenv "GNUS_SMIME_PASSPHRASE" passphrase))
(delete-file tmpfile)))
(progn
(delete-region b e)
- (when (boundp 'from)
- ;; `from' is dynamically bound in mm-dissect.
+ (when from
(insert "From: " from "\n"))
(insert-buffer-substring buffer)
(kill-buffer buffer)
(expand-file-name
(or keyfile
(smime-get-key-by-email
- (completing-read
- (concat "Decipher using which key? "
- (if smime-keys (concat "(default " (caar smime-keys) ") ")
- ""))
- smime-keys nil nil (car-safe (car-safe smime-keys)))))))))
+ (gnus-completing-read
+ "Decipher using key"
+ smime-keys nil (car-safe (car-safe smime-keys)))))))))
;; Various operations
(caddr curkey)
(smime-get-certfiles keyfile otherkeys)))))
-;; Use mm-util?
-(eval-and-compile
- (defalias 'smime-point-at-eol
- (if (fboundp 'point-at-eol)
- 'point-at-eol
- 'line-end-position)))
-
(defun smime-buffer-as-string-region (b e)
"Return each line in region between B and E as a list of strings."
(save-excursion
(goto-char b)
(let (res)
(while (< (point) e)
- (let ((str (buffer-substring (point) (smime-point-at-eol))))
+ (let ((str (buffer-substring (point) (point-at-eol))))
(unless (string= "" str)
(push str res)))
(forward-line))
mailaddr))
(defun smime-cert-by-dns (mail)
+ "Find certificate via DNS for address MAIL."
(let* ((dig-dns-server smime-dns-server)
(digbuf (dig-invoke (smime-mail-to-domain mail) "cert" nil nil "+vc"))
(retbuf (generate-new-buffer (format "*certificate for %s*" mail)))
(kill-buffer digbuf)
retbuf))
+(declare-function ldap-search "ldap"
+ (filter &optional host attributes attrsonly withdn))
+
+(defun smime-cert-by-ldap-1 (mail host)
+ "Get certificate for MAIL from the ldap server at HOST."
+ (let ((ldapresult
+ (funcall
+ (if (featurep 'xemacs)
+ (progn
+ (require 'smime-ldap)
+ 'smime-ldap-search)
+ (progn
+ (require 'ldap)
+ 'ldap-search))
+ (concat "mail=" mail)
+ host '("userCertificate") nil))
+ (retbuf (generate-new-buffer (format "*certificate for %s*" mail)))
+ cert)
+ (if (and (>= (length ldapresult) 1)
+ (> (length (cadaar ldapresult)) 0))
+ (with-current-buffer retbuf
+ ;; Certificates on LDAP servers _should_ be in DER format,
+ ;; but there are some servers out there that distributes the
+ ;; certificates in PEM format (with or without
+ ;; header/footer) so we try to handle them anyway.
+ (if (or (string= (substring (cadaar ldapresult) 0 27)
+ "-----BEGIN CERTIFICATE-----")
+ (string= (substring (cadaar ldapresult) 0 3)
+ "MII"))
+ (setq cert
+ (smime-replace-in-string
+ (cadaar ldapresult)
+ (concat "\\(\n\\|\r\\|-----BEGIN CERTIFICATE-----\\|"
+ "-----END CERTIFICATE-----\\)")
+ "" t))
+ (setq cert (base64-encode-string (cadaar ldapresult) t)))
+ (insert "-----BEGIN CERTIFICATE-----\n")
+ (let ((i 0) (len (length cert)))
+ (while (> (- len 64) i)
+ (insert (substring cert i (+ i 64)) "\n")
+ (setq i (+ i 64)))
+ (insert (substring cert i len) "\n"))
+ (insert "-----END CERTIFICATE-----\n"))
+ (kill-buffer retbuf)
+ (setq retbuf nil))
+ retbuf))
+
+(defun smime-cert-by-ldap (mail)
+ "Find certificate via LDAP for address MAIL."
+ (if smime-ldap-host-list
+ (catch 'certbuf
+ (dolist (host smime-ldap-host-list)
+ (let ((retbuf (smime-cert-by-ldap-1 mail host)))
+ (when retbuf
+ (throw 'certbuf retbuf)))))))
+
;; User interface.
(defvar smime-buffer "*SMIME*")
-(defvar smime-mode-map nil)
-(put 'smime-mode 'mode-class 'special)
-
-(unless smime-mode-map
- (setq smime-mode-map (make-sparse-keymap))
- (suppress-keymap smime-mode-map)
+(defvar smime-mode-map
+ (let ((map (make-sparse-keymap)))
+ (suppress-keymap map)
+ (define-key map "q" 'smime-exit)
+ (define-key map "f" 'smime-certificate-info)
+ map))
- (define-key smime-mode-map "q" 'smime-exit)
- (define-key smime-mode-map "f" 'smime-certificate-info))
+(autoload 'gnus-completing-read "gnus-util")
-(defun smime-mode ()
+(put 'smime-mode 'mode-class 'special)
+(define-derived-mode smime-mode fundamental-mode ;special-mode
+ "SMIME"
"Major mode for browsing, viewing and fetching certificates.
All normal editing commands are switched off.
The following commands are available:
\\{smime-mode-map}"
- (interactive)
- (kill-all-local-variables)
- (setq major-mode 'smime-mode)
- (setq mode-name "SMIME")
(setq mode-line-process nil)
- (use-local-map smime-mode-map)
(buffer-disable-undo)
(setq truncate-lines t)
(setq buffer-read-only t))
"x509" "-in" (expand-file-name certfile) "-text")
(fundamental-mode)
(set-buffer-modified-p nil)
- (toggle-read-only t)
+ (setq buffer-read-only t)
(goto-char (point-min))))
(defun smime-draw-buffer ()
(dolist (key smime-keys)
(insert
(format "\t\t%s: %s\n" (car key) (cadr key))))
- (insert "\nTrusted Certificate Authoritys:\n")
+ (insert "\nTrusted Certificate Authorities:\n")
(insert "\nKnown Certificates:\n"))))
(defun smime ()
"Go to the SMIME buffer."
(interactive)
(unless (get-buffer smime-buffer)
- (save-excursion
- (set-buffer (get-buffer-create smime-buffer))
+ (with-current-buffer (get-buffer-create smime-buffer)
(smime-mode)))
(smime-draw-buffer)
(switch-to-buffer smime-buffer))
projects / gnus / blobdiff