GNU bug report logs - #17780
mml-smime/openssl fails to include intermediate certificates

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: emacs,gnus; Reported by: Jan Beich <jbeich@HIDDEN>; dated Sat, 14 Jun 2014 17:00:03 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
bug No longer marked as found in versions 5.13. Request was from Lars Ingebrigtsen <larsi@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
bug reassigned from package 'gnus' to 'emacs,gnus'. Request was from Lars Ingebrigtsen <larsi@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 17780 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Jan Beich <jbeich@HIDDEN>
Subject: Re: bug#17780: mml-smime/openssl fails to include intermediate
 certificates
In-Reply-To: <ppib-lljo-wny@HIDDEN> (Jan Beich's message of "Sat, 14 Jun
 2014 14:31:39 +0200")
Date: Wed, 25 Jan 2017 18:44:08 +0100
Message-ID: <871svrrq53.fsf@HIDDEN>
References: <ppib-lljo-wny@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)

Jan Beich <jbeich@HIDDEN> writes:

> mml-smime-openssl-sign-query only returns user certificate from
> smime-keys. If user certificate requires other intermediate
> certificates to verify it mml-smime-openssl-sign doesn't include them
> when signing a message. Later, upon reading such message openssl
> binary fails with
>
>   Verification failure
>   34380500552:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:openssl/crypto/pkcs7/pk7_smime.c:342:Verify error:unable to get local issuer certificate
>
> To reproduce compose a mail with C-c RET S s (mml-secure-sign-smime) using
> the following settings, send it and read while looking at S/MIME button.
>
>   ;; adapted from http://www.emacswiki.org/emacs/GnusSMIME
>   (setq mm-verify-option 'always)
>   (setq gnus-buttonized-mime-types '("multipart/signed"))
>   (setq mml-smime-use 'openssl)
>   (setq smime-CA-file "/etc/ssl/cert.pem")
>   (setq smime-keys '(("foo@bar" "~/mycert.pem"
>                          ("~/mychain.pem"))))
>
> Here's a quick workaround.
>
> diff --git a/lisp/gnus/mml-smime.el b/lisp/gnus/mml-smime.el
> index caa1380..0fde8f5 100644
> --- a/lisp/gnus/mml-smime.el
> +++ b/lisp/gnus/mml-smime.el
> @@ -118,9 +118,9 @@
>  (defun mml-smime-openssl-sign (cont)
>    (when (null smime-keys)
>      (customize-variable 'smime-keys)
>      (error "No S/MIME keys configured, use customize to add your key"))
> -  (smime-sign-buffer (cdr (assq 'keyfile cont)))
> +  (smime-sign-buffer (cdar smime-keys))
>    (goto-char (point-min))
>    (while (search-forward "\r\n" nil t)
>      (replace-match "\n" t t))
>    (goto-char (point-max)))

Sorry for the late response; the bug report has been sitting in a part
of the bug tracker that nobody has looked at due to a misunderstanding.

I'm not familiar at all with the smime code, so I can't really say
whether this change is the best one.  Are there any adverse side-effects
to this change?

Does anybody who knows this code want to weigh in?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bugs@HIDDEN:
bug#17780; Package gnus. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Jan Beich <jbeich@HIDDEN>
To: submit <at> debbugs.gnu.org (The Gnus Bugfixing Girls + Boys)
Subject: mml-smime/openssl fails to include intermediate certificates
Date: Sat, 14 Jun 2014 14:31:39 +0200
Message-ID: <ppib-lljo-wny@HIDDEN>
X-Debbugs-Version: 5.13
X-Debbugs-Package: gnus

mml-smime-openssl-sign-query only returns user certificate from
smime-keys. If user certificate requires other intermediate
certificates to verify it mml-smime-openssl-sign doesn't include them
when signing a message. Later, upon reading such message openssl
binary fails with

  Verification failure
  34380500552:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:openssl/crypto/pkcs7/pk7_smime.c:342:Verify error:unable to get local issuer certificate

To reproduce compose a mail with C-c RET S s (mml-secure-sign-smime) using
the following settings, send it and read while looking at S/MIME button.

  ;; adapted from http://www.emacswiki.org/emacs/GnusSMIME
  (setq mm-verify-option 'always)
  (setq gnus-buttonized-mime-types '("multipart/signed"))
  (setq mml-smime-use 'openssl)
  (setq smime-CA-file "/etc/ssl/cert.pem")
  (setq smime-keys '(("foo@bar" "~/mycert.pem"
                         ("~/mychain.pem"))))

Here's a quick workaround.

diff --git a/lisp/gnus/mml-smime.el b/lisp/gnus/mml-smime.el
index caa1380..0fde8f5 100644
--- a/lisp/gnus/mml-smime.el
+++ b/lisp/gnus/mml-smime.el
@@ -118,9 +118,9 @@
 (defun mml-smime-openssl-sign (cont)
   (when (null smime-keys)
     (customize-variable 'smime-keys)
     (error "No S/MIME keys configured, use customize to add your key"))
-  (smime-sign-buffer (cdr (assq 'keyfile cont)))
+  (smime-sign-buffer (cdar smime-keys))
   (goto-char (point-min))
   (while (search-forward "\r\n" nil t)
     (replace-match "\n" t t))
   (goto-char (point-max)))
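
Review bot: The added line `(smime-sign-buffer (cdar smime-keys))` always takes the first entry of `smime-keys` and no longer reads the `keyfile` value from `cont`, so with more than one entry configured every message would be signed with the first entry's key and chain, whatever key was selected for that message. Consider keeping `(cdr (assq 'keyfile cont))` as the selector and looking up the `smime-keys` entry whose key file matches it, then passing that entry's key file and chain list on. With the settings shown in the report the argument also changes from a file name to a list of the form (keyfile (chain-files)); a short comment saying so would help the next reader.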


Acknowledgement sent to Jan Beich <jbeich@HIDDEN>:
New bug report received and forwarded. Copy sent to bugs@HIDDEN. Full text available.
Report forwarded to bugs@HIDDEN:
bug#17780; Package gnus. Full text available.
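
The verification failure quoted in the report can be reproduced outside Emacs with the openssl command line, by signing the same message once without and once with the intermediate certificate embedded. This is an added example, not code from the report or from Emacs; the throwaway PKI, the file names and the issue/sign/verify helpers are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> signer PKI. Every name,
# subject and path below is constructed for this demo.
set -e
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
cat > "$D/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ext_ca]
basicConstraints = critical,CA:TRUE
[ext_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = emailProtection
EOF

# issue NAME SECTION [signing options]: new key and CSR, then a certificate
issue() {
    name=$1 sect=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -config "$D/pki.cnf" \
        -subj "/CN=demo $name" -keyout "$D/$name.key" -out "$D/$name.csr" 2>/dev/null
    openssl x509 -req -in "$D/$name.csr" -days 2 -extfile "$D/pki.cnf" \
        -extensions "$sect" -out "$D/$name.pem" "$@" 2>/dev/null
}
issue root   ext_ca   -signkey "$D/root.key"
issue chain  ext_ca   -CA "$D/root.pem"  -CAkey "$D/root.key"  -set_serial 2
issue signer ext_leaf -CA "$D/chain.pem" -CAkey "$D/chain.key" -set_serial 3
printf 'Hello from the demo signer.\n' > "$D/msg.txt"

# sign OUT [extra options]: S/MIME-sign msg.txt with the signer certificate
sign() {
    out=$1; shift
    openssl smime -sign -in "$D/msg.txt" -signer "$D/signer.pem" \
        -inkey "$D/signer.key" "$@" -out "$D/$out"
}
# verify FILE: the reader trusts only the root; print "ok" or the failure kind
verify() {
    if openssl smime -verify -in "$D/$1" -CAfile "$D/root.pem" \
           -out /dev/null 2>"$D/err"; then echo ok
    elif grep -q 'unable to get local issuer certificate' "$D/err"; then echo missing-issuer
    else echo other-error
    fi
}

sign leaf-only.p7                              # signer certificate only
sign with-chain.p7 -certfile "$D/chain.pem"    # intermediate embedded too
echo "leaf only : $(verify leaf-only.p7)"
echo "with chain: $(verify with-chain.p7)"
```

The reader's trust store holds only the root in both runs; the only difference is whether the signed message carries the intermediate certificate.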
Last modified: Wed, 25 Jan 2017 18:00:02 UTC