tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs

The documentation for message mode clearly states that EasyPG (which
uses GnuPG) is the default and recommended way to use S/MIME with
mml-secure:

[0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html

To ensure that this mode works, we just need to import the secret key
in question into gpgsm in addition to the public key.  gpgsm should be
able pick the right keys+certificates to use based on To/From headers,
so we don't have to specify anything manually in the #secure mml tag.

The import process from the OpenSSL-preferred form (cert+secretkey) is
rather ugly, because gpgsm wants to see a PKCS#12 object when
importing secret keys.

Note that EasyPG generates the more modern Content-Type:
application/pkcs7-signature instead of application/x-pkcs7-signature
for the detached signature.

We are also obliged to manually set gpgsm's include-certs setting to 1
because gpgsm defaults to send "everything but the root cert".  In our
weird test case, the certificate we're using is self-signed, so it
*is* the root cert, which means that gpgsm doesn't include it by
default.  Setting it to 1 forces inclusion of the signer's cert, which
satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878
for more details.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

diff --git a/test/T355-smime.sh b/test/T355-smime.sh
index 84be515a4ba4a21eb2a2f16cbf1b37195ff786e9..9debf2da37fba8199bc86e8f0bc9d5b0a0422ac9 100755 (executable)
--- a/test/T355-smime.sh
+++ b/test/T355-smime.sh
@@ -24,7 +24,7 @@ test_begin_subtest "emacs delivery of S/MIME encrypted + signed message"
 test_expect_success \
 'emacs_fcc_message \
     "test encrypted message 001" \
-    "<#secure method=smime mode=signencrypt keyfile=\\\"test_suite.pem\\\" certfile=\\\"test_suite.pem\\\">\nThis is a test encrypted message.\n"'
+    "<#secure method=smime mode=signencrypt>\nThis is a test encrypted message.\n"'
 
 test_begin_subtest "Signature verification (openssl)"
 notmuch show --format=raw subject:"test signed message 001" |\
@@ -65,7 +65,7 @@ expected='[[[{"id": "XXXXX",
   "content-disposition": "attachment",
   "content-length": "NONZERO",
   "content-transfer-encoding": "base64",
-  "content-type": "application/x-pkcs7-signature",
+  "content-type": "application/pkcs7-signature",
   "filename": "smime.p7s"}]}]},
  []]]]'
 test_expect_equal_json \

diff --git a/test/test-lib.el b/test/test-lib.el
index 3ae7a0906efac2f2015492cce1286f188edd9e58..b47b388e018846815a761cf681c4203f326446ff 100644 (file)
--- a/test/test-lib.el
+++ b/test/test-lib.el
@@ -193,13 +193,3 @@ nothing."
 ;; environments
 
 (setq mm-text-html-renderer 'html2text)
-
-;; Set some variables for S/MIME tests.
-
-(setq smime-keys '(("" "test_suite.pem" nil)))
-
-(setq mml-smime-use 'openssl)
-
-;; all test keys are without passphrase
-(eval-after-load 'smime
-  '(defun smime-ask-passphrase (cache)  nil))

diff --git a/test/test-lib.sh b/test/test-lib.sh
index 31f37ed70bb908464ee4006fb96e586c4c2836b4..ac1b9315d44f4d0851ee06ddf6ecc74c6589abd3 100644 (file)
--- a/test/test-lib.sh
+++ b/test/test-lib.sh
@@ -136,11 +136,15 @@ add_gpgsm_home ()
     _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; }
     at_exit_function _gnupg_exit
     mkdir -m 0700 "$GNUPGHOME"
-    gpgsm --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/test.crt >"$GNUPGHOME"/import.log 2>&1
+    openssl pkcs12 -export -passout pass: -inkey "$NOTMUCH_SRCDIR/test/smime/key+cert.pem" \
+        < "$NOTMUCH_SRCDIR/test/smime/test.crt" | \
+        gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \
+              --disable-dirmngr --import  >"$GNUPGHOME"/import.log 2>&1 3<<<''
     fpr=$(gpgsm --batch --list-key test_suite@notmuchmail.org | sed -n 's/.*fingerprint: //p')
     echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt"
     gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt
     echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt"
+    echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm
     test_debug "cat $GNUPGHOME/import.log"
 }