git.notmuchmail.org Git - notmuch/commit
lib: index PKCS7 SignedData parts
author Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Tue, 12 May 2020 22:29:31 +0000 (18:29 -0400)
committer David Bremner <david@tethera.net>
Sat, 23 May 2020 01:10:46 +0000 (22:10 -0300)
commit 38bd0df922aa1c9ac98154f6d3dc3e30255ad47e
tree bcd895f759c2c77bfac26f82d84df6e174b1f184
parent 78800929641fb79e758baa60d02216ed2ea941d0

When we are indexing, we should treat SignedData parts the same way
that we treat a multipart object, indexing the wrapped part as a
distinct MIME object.

Unfortunately, this means doing some sort of cryptographic
verification whose results we throw away, because GMime doesn't offer
us any way to unwrap without doing signature verification.

I've opened https://github.com/jstedfast/gmime/issues/67 to request
the capability from GMime but for now, we'll just accept the
additional performance hit.

As we do this indexing, we also apply the "signed" tag, by analogy
with how we handle multipart/signed messages.  These days, that kind
of change should probably be done with a property instead, but that's
a different set of changes.  This one is just for consistency.

Note that we are currently *only* handling signedData parts, which are
basically clearsigned messages.  PKCS#7 parts can also be
envelopedData and authEnvelopedData (which are effectively encryption
layers), and compressedData (which afaict isn't implemented anywhere,
I've never encountered it).  We're laying the groundwork for indexing
these other S/MIME types here, but we're only dealing with signedData
for now.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
lib/index.cc
test/T355-smime.sh
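
The commit message above describes treating a signedData part as a wrapper whose content is indexed as its own MIME object. As an added illustration (Python, not code from notmuch or GMime), this example pulls the encapsulated content out of a CMS SignedData structure without checking any signature, so the result is fit for indexing only. It assumes definite-length DER input and a hand-built sample; all function and variable names are hypothetical.

```python
import email
# Added example, not notmuch/GMime code; assumes definite-length DER input.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits count length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def unwrap_signed_data(der):
    """Return the wrapped entity as a Message, or None; no signature is checked."""
    info = children(read_tlv(der, 0)[1])     # ContentInfo: contentType, [0] content
    if len(info) != 2 or info[0] != (0x06, OID_SIGNED_DATA) or info[1][0] != 0xA0:
        return None                          # envelopedData and friends: not handled
    signed = children(children(info[1][1])[0][1])
    encap = children(signed[2][1])           # after version and digestAlgorithms
    if len(encap) < 2 or encap[1][0] != 0xA0:
        return None                          # no eContent present, nothing to index
    return email.message_from_bytes(children(encap[1][1])[0][1])

def tlv(tag, value):
    """DER-encode one TLV; used only to build the constructed sample below."""
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

# Constructed sample: SignedData with empty digestAlgorithms and signerInfos sets.
INNER = (b"Content-Type: text/plain; charset=us-ascii\r\n\r\nConstructed body: the indexer "
         b"should see this as its own MIME part; padded to force long-form DER lengths.\r\n")
ENCAP = tlv(0x30, tlv(0x06, OID_DATA) + tlv(0xA0, tlv(0x04, INNER)))
SIGNED = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + ENCAP + tlv(0x31, b""))
SAMPLE = tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, SIGNED))
```

S/MIME parts produced by streaming encoders often use BER indefinite lengths, which this reader rejects with `ValueError` rather than guessing.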