cli: crypto: S/MIME verification support

notmuch-show --verify will now also process S/MIME multiparts if
encountered. Requires gmime-2.6 and gpgsm.

Based on work by Jameson Graef Rollins <jrollins@finestructure.net>.

diff --git a/crypto.c b/crypto.c
index feae9494714edebbe77a7c650bf33b50789de97b..3dabc97b4346f6304f2e0fbf925efabf87d03d8c 100644 (file)
--- a/crypto.c
+++ b/crypto.c
@@ -43,6 +43,28 @@ create_gpg_context (notmuch_crypto_t *crypto)
     return gpgctx;
 }
 
+/* Create a PKCS7 context (GMime 2.6) */
+static notmuch_crypto_context_t *
+create_pkcs7_context (notmuch_crypto_t *crypto)
+{
+    notmuch_crypto_context_t *pkcs7ctx;
+
+    if (crypto->pkcs7ctx)
+       return crypto->pkcs7ctx;
+
+    /* TODO: GMimePasswordRequestFunc */
+    pkcs7ctx = g_mime_pkcs7_context_new (NULL);
+    if (! pkcs7ctx) {
+       fprintf (stderr, "Failed to construct pkcs7 context.\n");
+       return NULL;
+    }
+    crypto->pkcs7ctx = pkcs7ctx;
+
+    g_mime_pkcs7_context_set_always_trust ((GMimePkcs7Context *) pkcs7ctx,
+                                          FALSE);
+
+    return pkcs7ctx;
+}
 static const struct {
     const char *protocol;
     notmuch_crypto_context_t *(*get_context) (notmuch_crypto_t *crypto);
@@ -55,6 +77,14 @@ static const struct {
        .protocol = "application/pgp-encrypted",
        .get_context = create_gpg_context,
     },
+    {
+       .protocol = "application/pkcs7-signature",
+       .get_context = create_pkcs7_context,
+    },
+    {
+       .protocol = "application/x-pkcs7-signature",
+       .get_context = create_pkcs7_context,
+    },
 };
 
 /* for the specified protocol return the context pointer (initializing
@@ -95,5 +125,10 @@ notmuch_crypto_cleanup (notmuch_crypto_t *crypto)
        crypto->gpgctx = NULL;
     }
 
+    if (crypto->pkcs7ctx) {
+       g_object_unref (crypto->pkcs7ctx);
+       crypto->pkcs7ctx = NULL;
+    }
+
     return 0;
 }

diff --git a/notmuch-client.h b/notmuch-client.h
index 3bd2903ec54aba42ec09a90e3ecc02dbd5648538..18e6c60ba6ceb688f3303308247a4c70dd3c1d2a 100644 (file)
--- a/notmuch-client.h
+++ b/notmuch-client.h
@@ -31,6 +31,8 @@
 #include <gmime/gmime.h>
 
 typedef GMimeCryptoContext notmuch_crypto_context_t;
+/* This is automatically included only since gmime 2.6.10 */
+#include <gmime/gmime-pkcs7-context.h>
 
 #include "notmuch.h"
 
@@ -70,6 +72,7 @@ typedef struct notmuch_show_format {
 
 typedef struct notmuch_crypto {
     notmuch_crypto_context_t* gpgctx;
+    notmuch_crypto_context_t* pkcs7ctx;
     notmuch_bool_t verify;
     notmuch_bool_t decrypt;
     const char *gpgpath;
@@ -407,8 +410,8 @@ struct mime_node {
 /* Construct a new MIME node pointing to the root message part of
  * message. If crypto->verify is true, signed child parts will be
  * verified. If crypto->decrypt is true, encrypted child parts will be
- * decrypted.  If crypto->gpgctx is NULL, it will be lazily
- * initialized.
+ * decrypted.  If the crypto contexts (crypto->gpgctx or
+ * crypto->pkcs7) are NULL, they will be lazily initialized.
  *
  * Return value:
  *

diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index a059fac50cd3cab25d438cf93d9871cfd7238ee2..d942412510cbaeb71821b4f1e897267cc2994191 100755 (executable)
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -44,7 +44,6 @@ EOF
 test_expect_equal_file EXPECTED OUTPUT
 
 test_begin_subtest "signature verification (notmuch CLI)"
-test_subtest_known_broken
 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
     | notmuch_json_show_sanitize \
     | sed -e 's|"created": [-1234567890]*|"created": 946728000|' \