test/protected-headers: Add tests for S/MIME protected headers
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Tue, 28 Apr 2020 18:57:22 +0000 (14:57 -0400)
committerDavid Bremner <david@tethera.net>
Thu, 30 Apr 2020 20:57:37 +0000 (17:57 -0300)
Recognize the protected subject for S/MIME example protected header
messages.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
test/T356-protected-headers.sh

index 925805df16e8349df2144db03e53cb9d450e0bf5..b7a83715c247daf2e1f3c034611bae3d61153ba0 100755 (executable)
@@ -1,14 +1,14 @@
 #!/usr/bin/env bash
 
-# TODO:
-#  * check S/MIME as well as PGP/MIME
-
 test_description='Message decryption with protected headers'
 . $(dirname "$0")/test-lib.sh || exit 1
 
 ##################################################
 
+test_require_external_prereq gpgsm
+
 add_gnupg_home
+add_gpgsm_home
 
 add_email_corpus protected-headers
 
@@ -155,6 +155,38 @@ test_begin_subtest "identify message that had a legacy display part skipped duri
 output=$(notmuch search --output=messages property:index.repaired=skip-protected-headers-legacy-display)
 test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail.org
 
+for variant in multipart-signed onepart-signed; do
+    test_begin_subtest "verify signed PKCS#7 subject ($variant)"
+    test_subtest_known_broken
+    output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example")
+    test_json_nodes <<<"$output" \
+                    'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
+                    'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \
+                    'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \
+                    'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' \
+                    'not_encrypted:[0][0][0]["crypto"]!"decrypted"'
+done
+
+for variant in sign+enc sign+enc+legacy-disp; do
+    test_begin_subtest "confirm signed and encrypted PKCS#7 subject ($variant)"
+    test_subtest_known_broken
+    output=$(notmuch show --decrypt=true --format=json "id:smime-${variant}@protected-headers.example")
+    test_json_nodes <<<"$output" \
+                    'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
+                    'sig_good:[0][0][0]["crypto"]["signed"]["status"][0]["status"]="good"' \
+                    'sig_fpr:[0][0][0]["crypto"]["signed"]["status"][0]["fingerprint"]="702BA4B157F1E2B7D16B0C6A5FFC8A7DE2057DEB"' \
+                    'sig_uid:[0][0][0]["crypto"]["signed"]["status"][0]["userid"]="CN=Alice Lovelace"' \
+                    'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}'
+done
+
+test_begin_subtest "confirm encryption-protected PKCS#7 subject (enc+legacy-disp)"
+test_subtest_known_broken
+output=$(notmuch show --decrypt=true --format=json "id:smime-enc+legacy-disp@protected-headers.example")
+test_json_nodes <<<"$output" \
+                'encrypted:[0][0][0]["crypto"]["decrypted"]={"status":"full","header-mask":{"Subject":"..."}}' \
+                'no_sig:[0][0][0]["crypto"]!"signed"'
+
+
 # TODO: test that a part that looks like a legacy-display in
 # multipart/signed, but not encrypted, is indexed and not stripped.