bug#40397: 28.0.50; epg decrypt does not verify signed content in smime

[Sebastian Fieber]

On Mo, Apr 06 2020, Noam Postavsky <npostavs@gmail.com> wrote:

> This hunk looks a bit suspicious to me as well, I don't think you can
> apply operators like "?" to anchors.
>
> @@ -759,7 +782,7 @@ MIME-Version header before proceeding."
>          (mb enable-multibyte-characters)
>          beg)
>      (goto-char (point-min))
> -    (search-forward-regexp "^\n" nil 'move) ;; There might be no body.
> +    (search-forward-regexp "^?\n" nil 'move) ;; There might be no body.
>      (setq beg (point))
>      (with-current-buffer
>            (generate-new-buffer " *mm*")
>

Yes, this sections is also wrong.

>> Since you have looked over the patch: What do you think about the
>> approach to internally structure application/pkcs7-mime parts like
>> multipart parts containing the mime type with text properties until the
>> decrypted, maybe verified singlepart in the car of the handle?
> Sorry, I'm not familiar enough with how this code is currently
> structured to say anything intelligent about that.

No problem :)

I have attached a new patch which fixes the problem and also does
implement support for the security buttons for application/pkcs7-mime
parts.  This is quite nice as application/pkcs7-mime parts are not
handled automatically by default in gnus.  ATM you have to set
mm-decrypt-option and mm-verify-option at least to 'ask.  So with this
supported it should now work out of the box even without setting
mm-decrypt-option and mm-verify-option because now gnus shows the
buttons properly and one can click on them and decrypt/verify the part
"manually".

This time the patch should be clean and was tested properly at least
with mml-smime-use 'epg.  I'm not quite sure if the patch breaks using
openssl as I didn't get this running.  Maybe someone can test this? If
this does break using openssl modifying mm-views decrypt and verify
function should suffice to fix any problems.

The gist of the patch is: treat application/pkcs7-mime like multipart
mails and especially multipart/encrypted with protocol
application/pgp-encrypted and change not more stuff than necessary.

Here is the commit message which is a bit more detailed (also found in
the patch):

"This fixes S/MIME encrypted AND signed mails where in the encrypted
pkcs7 envelope is a signed pkcs7 structure.

Also this patch enables proper security-buttons for pkcs7-mime
encrypted and/or signed mails.

Changes:
- don't force Content-type header to text/plain in front of decrypted
  content for smime decryption using mm-view-pkcs7.  This fixes the
  initial bug where the signed part was not verified due to the wrong
  content type header.

- structure the result of mm-dissect-buffer of application/pkcs7-mime
  like a multipart mail so there is no loosing of information of
  verification and decryption results which can now be displayed by
  gnus-mime-display-security

- adjust gnus-mime-display-part to handle application/pkcs7-mime like
  multipart/encrypted or multipart/signed

- add dummy entries to mm-verify-function-alist and
  mm-decrypt-function-alist so gnus-mime-display-security correctly
  displays "S/MIME" and not "unknown protocol"

- don't just check for multipart/signed in
  gnus-insert-mime-security-button but also for the pkcs7-mime mimetypes
  to print "Encrypted" or "Signed" accordingly in the security button

- adjust mm-possibly-verify-or-decrypt to check for smime-type to ask
  wether to verify or decrypt the part and not to always ask to decrypt

- adjust mm-view-pkcs7-decrypt and verify to call mm-sec-status so
  success information can be displayed by gnus-mime-display-security

- in mm-view-pkcs7-verify also remove carriage returns like in
  mm-view-pkcs7-decrypt

- adjust gnus-mime-security-verify-or-decrypt to handle pkcs7-mime
  right with the done changes

TODO: mm-view-pkcs7-decrypt and verify error handling and
reporting. ATM there is only the good case implemented - at least for
reporting with gnus-mime-display-security."

0001-fix-bug-40397.patch
Description: Text Data