From 3510d4f37069c9eba7406123f91aaa63ecbf9b23 Mon Sep 17 00:00:00 2001
From: yamaoka
Date: Mon, 15 Jan 2001 22:11:53 +0000
Subject: [PATCH] Synch with Oort Gnus.
---
 lisp/ChangeLog | 17 +++++++++++++++++
 lisp/mml-smime.el | 29 +++++++++++++++++++----------
 lisp/smime.el | 39 +++++++++++++++++++++++++++++++--------
 texi/ChangeLog | 8 ++++++++
 texi/gnus-ja.texi | 13 +++++++------
 texi/gnus.texi | 14 +++++++-------
 texi/message-ja.texi | 11 ++++++-----
 texi/message.texi | 11 ++++++-----
 8 files changed, 101 insertions(+), 41 deletions(-)
diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index bdde421..96aa9d0 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,3 +1,20 @@
+2001-01-15 Simon Josefsson
+
+ * smime.el (smime-CA-directory, smime-CA-file): Change default to
+ nil, improve documentation.
+ (smime-certificate-directory): Comment out false hints (until it
+ is implemented).
+
+ * mml-smime.el (mml-smime-sign): Place user in customize buffer if
+ there aren't any keys.
+ (mml-smime-verify): If smime-CA-{file,directory} set, also try to
+ verify certificate. Default is changed to only check integrity.
+ Improved security status texts. If a certificate doesn't contain
+ a email address, don't fail.
+
+ * smime.el (smime-noverify-region):
+ (smime-noverify-buffer): New functions. Verifies integrity only.
+
 2001-01-12 22:00:00 ShengHuo ZHU
 * gnus-group.el (gnus-group-sort-by-score): Reverse order.
diff --git a/lisp/mml-smime.el b/lisp/mml-smime.el
index 835516a..7ebc439 100644
--- a/lisp/mml-smime.el
+++ b/lisp/mml-smime.el
@@ -29,6 +29,9 @@ (require 'mm-decode) (defun mml-smime-sign (cont)
+ (when (null smime-keys)
+ (customize-variable 'smime-keys)
+ (error "No S/MIME keys configured, use customize to add your key"))
 (smime-sign-buffer (cdr (assq 'keyfile cont)))) (defun mml-smime-encrypt (cont) 
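Review bot: The new guard in mml-smime-sign only covers an empty `smime-keys`; a CONT whose keyfile entry is missing or not among the configured keys still reaches `(smime-sign-buffer (cdr (assq 'keyfile cont)))` with a possibly nil argument, and what smime-sign-buffer does with nil is not visible in this hunk, so consider checking the looked-up keyfile as well. The function also carries no docstring; I would add `"Sign the current buffer as S/MIME with the key file taken from the keyfile entry of CONT.\nSignals an error, after opening the customize buffer for smime-keys, when no keys are configured."` above the `when`. Note that `customize-variable` switches the user to another buffer before `error` is signalled, so the error text appears over the customize buffer rather than the message being composed; a one-line comment saying this is intended would help the next reader.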
@@ -130,7 +133,9 @@ (when (get-buffer smime-details-buffer) (kill-buffer smime-details-buffer)) (let ((buf (current-buffer))
- (good-signature (smime-verify-buffer))
+ (good-signature (smime-noverify-buffer))
+ (good-certificate (and (or smime-CA-file smime-CA-directory)
+ (smime-verify-buffer)))
 addresses openssl-output) (setq openssl-output (with-current-buffer smime-details-buffer (buffer-string)))
@@ -151,22 +156,26 @@ (insert-buffer-substring buf) (goto-char (point-min)) (while (re-search-forward "-----END CERTIFICATE-----" nil t)
- (smime-pkcs7-email-region (point-min) (point))
- (setq addresses (append (smime-buffer-as-string-region
- (point-min) (point)) addresses))
- (delete-region (point-min) (point)))))
- (if (not (member mm-security-from addresses))
+ (when (smime-pkcs7-email-region (point-min) (point))
+ (setq addresses (append (smime-buffer-as-string-region
+ (point-min) (point)) addresses)))
+ (delete-region (point-min) (point)))
+ (setq addresses (mapcar 'downcase addresses))))
+ (if (not (member (downcase mm-security-from) addresses))
 (mm-set-handle-multipart-parameter
- mm-security-handle 'gnus-info "Sender forged")
- (mm-set-handle-multipart-parameter
- mm-security-handle 'gnus-info "OK"))
+ mm-security-handle 'gnus-info "Sender address forged")
+ (if good-certificate
+ (mm-set-handle-multipart-parameter
+ mm-security-handle 'gnus-info "Ok (sender authenticated)")
+ (mm-set-handle-multipart-parameter
+ mm-security-handle 'gnus-info "Integrity OK (sender unknown)")))
 (mm-set-handle-multipart-parameter mm-security-handle 'gnus-details (concat "Sender clamed to be: " mm-security-from "\n" (if addresses (concat "Addresses in certificate: " (mapconcat 'identity addresses ", "))
- "No addresses found in certificate.")
+ "No addresses found in certificate. (Requires OpenSSL 0.9.6 or later.)")
 "\n" "\n" "OpenSSL output:\n" "---------------\n" openssl-output "\n"
diff --git a/lisp/smime.el b/lisp/smime.el
index 0653b56..2143a91 100644
--- a/lisp/smime.el 
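Review bot: `smime-noverify-buffer` and `smime-verify-buffer` are run back to back and both write into `smime-details-buffer`, which `smime-noverify-region` erases before its OpenSSL call; if `smime-verify-region` erases it the same way, the `openssl-output` captured right after the `let` bindings holds only the CA-verification run and the integrity check's output never reaches the details shown to the user. Capture the details after each call, e.g. bind `(noverify-output (with-current-buffer smime-details-buffer (buffer-string)))` immediately after `good-signature` and include both strings in gnus-details. `good-signature` is bound here but not consulted in either visible hunk; presumably the lines between them do, so confirm an integrity failure still short-circuits before any "OK" status is set. A `good-certificate` of nil also conflates "no CA configured" with "chain verification failed", which the status texts below cannot tell apart. mml-smime-verify starts before this hunk and continues past it.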
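Review bot: When `addresses` is nil (a certificate with no email address, or OpenSSL older than 0.9.6 as the new details text itself says), `(member (downcase mm-security-from) addresses)` is nil and the status becomes "Sender address forged", which contradicts the "No addresses found in certificate" detail and reports a tooling limitation as an attack. Distinguish the three outcomes: no address to compare, address mismatch, and address match with or without a trusted certificate. `(downcase mm-security-from)` also signals an error when `mm-security-from` is nil, so guard it with `(or mm-security-from "")`. mml-smime-verify begins before this hunk.
```elisp
    ;; … unchanged: certificate address extraction …
    (cond
     ((null addresses)
      (mm-set-handle-multipart-parameter
       mm-security-handle 'gnus-info "Integrity OK (no address in certificate)"))
     ((not (member (downcase (or mm-security-from "")) addresses))
      (mm-set-handle-multipart-parameter
       mm-security-handle 'gnus-info "Sender address forged"))
     (good-certificate
      (mm-set-handle-multipart-parameter
       mm-security-handle 'gnus-info "Ok (sender authenticated)"))
     (t
      (mm-set-handle-multipart-parameter
       mm-security-handle 'gnus-info "Integrity OK (sender unknown)")))
    ;; … unchanged: gnus-details text …
```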
+++ b/lisp/smime.el
@@ -120,17 +120,22 @@ The file is assumed to be in PEM format and not encrypted." (file :tag "File name"))) :group 'smime)
-(defcustom smime-CA-directory ""
+(defcustom smime-CA-directory nil
 "Directory containing certificates for CAs you trust. Directory should contain files (in PEM format) named to the X.509
-hash of the certificate."
+hash of the certificate. This can be done using OpenSSL such as:
+
+$ ln -s ca.pem `openssl x509 -noout -hash -in ca.pem`
+
+where `ca.pem' is the file containing a PEM encoded X.509 CA
+certificate."
 :type '(choice (const :tag "none" nil) directory) :group 'smime)
-(defcustom smime-CA-file ""
+(defcustom smime-CA-file nil
 "Files containing certificates for CAs you trust.
-File should be in PEM format."
+File should contain certificates in PEM format."
 :type '(choice (const :tag "none" nil) file) :group 'smime)
@@ -138,10 +143,10 @@ File should be in PEM format." (defcustom smime-certificate-directory "~/Mail/certs/" "Directory containing other people's certificates. It should contain files named to the X.509 hash of the certificate,
-and the files themself should be in PEM format.
-The S/MIME library provide simple functionality for fetching
-certificates into this directory, so there is no need to populate it
-manually."
+and the files themself should be in PEM format."
+;The S/MIME library provide simple functionality for fetching
+;certificates into this directory, so there is no need to populate it
+;manually.
 :type 'directory :group 'smime) 
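Review bot: The `ln -s` example added to the `smime-CA-directory` docstring names the link after the bare hash, but OpenSSL's CApath lookup expects `<hash>.0` (`<hash>.1` and so on for hash collisions), so a directory populated as documented is never consulted and verification against it fails, which the caller then reports as an untrusted certificate rather than a misconfiguration. Change the example to `$ ln -s ca.pem `openssl x509 -noout -hash -in ca.pem`.0` or point at OpenSSL's `c_rehash`, which creates these links. In the second hunk the sentences commented out with `;` sit inside the defcustom form between the docstring and `:type`; a `;; TODO:` prefix would make clear they describe behaviour that is not implemented yet.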
@@ -260,6 +265,16 @@ nil." (message "S/MIME message NOT verified successfully.") nil)))
+(defun smime-noverify-region (b e)
+ (let ((buffer (get-buffer-create smime-details-buffer)))
+ (with-current-buffer buffer
+ (erase-buffer))
+ (if (apply 'smime-call-openssl-region b e buffer "smime" "-verify"
+ "-noverify" "-out" '("/dev/null"))
+ (message "S/MIME message verified succesfully.")
+ (message "S/MIME message NOT verified successfully.")
+ nil)))
+
 (defun smime-decrypt-region (b e keyfile) (let ((buffer (generate-new-buffer (generate-new-buffer-name "*smime*"))) CAs)
@@ -281,6 +296,14 @@ Uses current buffer if BUFFER is nil." (with-current-buffer (or buffer (current-buffer)) (smime-verify-region (point-min) (point-max))))
+(defun smime-noverify-buffer (&optional buffer)
+ "Verify integrity of S/MIME message in BUFFER.
+Uses current buffer if BUFFER is nil.
+Does NOT verify validity of certificate."
+ (interactive)
+ (with-current-buffer (or buffer (current-buffer))
+ (smime-noverify-region (point-min) (point-max))))
+
 (defun smime-decrypt-buffer (&optional buffer keyfile) "Decrypt S/MIME message in BUFFER using KEYFILE. Uses current buffer if BUFFER is nil, queries user of KEYFILE is nil."
diff --git a/texi/ChangeLog b/texi/ChangeLog
index bc21a5e..c0ad7dd 100644
--- a/texi/ChangeLog
+++ b/texi/ChangeLog
@@ -1,3 +1,11 @@
+2001-01-15 16:00:00 ShengHuo ZHU
+
+ * gnus.texi (Using GPG): Doc fix.
+
+2001-01-15 Simon Josefsson
+
+ * message.texi (Security): Requires OpenSSL 0.9.6+.
+
 2001-01-13 Kai Gro,A_(Bjohann
 * gnus.texi (Mail): Move explanation of
diff --git a/texi/gnus-ja.texi b/texi/gnus-ja.texi
index ba4eab1..f2a2fc7 100644
--- a/texi/gnus-ja.texi
+++ b/texi/gnus-ja.texi 
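Review bot: `smime-noverify-region` has no docstring and prints the same success text as full verification ("S/MIME message verified succesfully.", typo included), so someone watching the echo area cannot tell that `-noverify` skipped certificate validation. Give it a docstring such as `"Check the signature of the S/MIME message between B and E for integrity only.\nPasses -noverify to OpenSSL, so the signer's certificate is NOT validated against any CA; use smime-verify-region for that.\nReturns non-nil on success."` and change the success line to `(message "S/MIME message integrity verified (certificate NOT checked).")`. The `smime-noverify-buffer` docstring in the next hunk already states the limitation; the region function and its message should say the same.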
@@ -9581,16 +9581,17 @@ Gnus $B$O30$X=P$F9T$/A4$F$N%a%C%;!<%8$K!"0l$D$+$=$l0J>e$N$=$N%5!<%P!<$N%0(B
 @section Using GPG
 @cindex using gpg
-Gnus has an ALPHA support to GPG that's provided by @file{gpg.el} and
-@file{mml2015.el}. When viewing signed or encrypted messages, Gnus automatically
-asks if you want to verify or decrypt them.
+Gnus has an ALPHA support to GPG that's provided by @file{gpg.el}. See
+@code{mm-verify-option} and @code{mm-decrypt-option} to enable Gnus to
+verify or decrypt messages accordingly.
 To use this correctly with GPG, you'll need the following lisp code in your @file{~/.emacs} or @file{~/.gnus}:
 @lisp
+(require 'gpg)
 (setq mml2015-use 'gpg)
-(setq gpg-temp-directory "~/.gnupg/tmp")
+(setq gpg-temp-directory (expand-file-name "~/.gnupg/tmp"))
 @end lisp
 The @code{gpg-temp-directory} need to point to a directory with permissions set
@@ -9616,8 +9617,8 @@ To sign or encrypt your message you may choose to use the MML Security menu or message using S/MIME. There's also @kbd{M-m c p} to encrypt your message with PGP/MIME and @kbd{M-m c s} to encrypt using S/MIME.
-Gnus will ask for your passphrase three times and then it will send your
-message, if you've typed it correctly.
+Gnus will ask for your passphrase and then it will send your message, if
+you've typed it correctly.
 @end ignore
 @node Select Methods
diff --git a/texi/gnus.texi b/texi/gnus.texi
index be39854..20be195 100644
--- a/texi/gnus.texi
+++ b/texi/gnus.texi 
@@ -10025,16 +10025,17 @@ typically enter that group and send all the articles off.
 @section Using GPG
 @cindex using gpg
-Gnus has an ALPHA support to GPG that's provided by @file{gpg.el} and
-@file{mml2015.el}. When viewing signed or encrypted messages, Gnus automatically
-asks if you want to verify or decrypt them.
+Gnus has an ALPHA support to GPG that's provided by @file{gpg.el}. See
+@code{mm-verify-option} and @code{mm-decrypt-option} to enable Gnus to
+verify or decrypt messages accordingly.
 To use this correctly with GPG, you'll need the following lisp code in your @file{~/.emacs} or @file{~/.gnus}:
 @lisp
+(require 'gpg)
 (setq mml2015-use 'gpg)
-(setq gpg-temp-directory "~/.gnupg/tmp")
+(setq gpg-temp-directory (expand-file-name "~/.gnupg/tmp"))
 @end lisp
 The @code{gpg-temp-directory} need to point to a directory with permissions set
@@ -10060,9 +10061,8 @@ To sign or encrypt your message you may choose to use the MML Security menu or message using S/MIME. There's also @kbd{M-m c p} to encrypt your message with PGP/MIME and @kbd{M-m c s} to encrypt using S/MIME.
-Gnus will ask for your passphrase three times and then it will send your
-message, if you've typed it correctly.
-
+Gnus will ask for your passphrase and then it will send your message, if
+you've typed it correctly.
 @node Select Methods
 @chapter Select Methods
diff --git a/texi/message-ja.texi b/texi/message-ja.texi
index a81e5b2..aa7ae82 100644
--- a/texi/message-ja.texi
+++ b/texi/message-ja.texi 
@@ -653,11 +653,12 @@ RFC1036bis $B$O!"=pL>$O$=$NA0$K(B @samp{-- } $B$N(B3$BJ8;z$@$1$N9T$,$"$k$Y$ @c The S/MIME support in Message (and MML) require OpenSSL. OpenSSL @c perform the actual S/MIME sign/encrypt operations. OpenSSL can be found
-@c at @code{http://www.openssl.org/}. OpenSSL 0.9.5a and later should
-@c work. However, version 0.9.5a insert a spurious CR character into MIME
-@c separators so you may wish to avoid it if you would like to avoid being
-@c regarded as someone who send strange mail. (Although by sending S/MIME
-@c messages you've probably already lost that contest.)
+@c at @code{http://www.openssl.org/}. OpenSSL 0.9.6 and later should work.
+@c Version 0.9.5a cannot extract mail addresses from certificates, and it
+@c insert a spurious CR character into MIME separators so you may wish to
+@c avoid it if you would like to avoid being regarded as someone who send
+@c strange mail. (Although by sending S/MIME messages you've probably
+@c already lost that contest.)
 @c To be able to send encrypted mail, a personal certificate is not @c required. Message (MML) need a certificate for the person to whom you
diff --git a/texi/message.texi b/texi/message.texi
index 0780a66..ffe8fa0 100644
--- a/texi/message.texi
+++ b/texi/message.texi 
@@ -671,11 +671,12 @@ modern cryptography, S/MIME, various PKCS standards, OpenSSL and so on. The S/MIME support in Message (and MML) require OpenSSL. OpenSSL perform the actual S/MIME sign/encrypt operations. OpenSSL can be found
-at @code{http://www.openssl.org/}. OpenSSL 0.9.5a and later should
-work. However, version 0.9.5a insert a spurious CR character into MIME
-separators so you may wish to avoid it if you would like to avoid being
-regarded as someone who send strange mail. (Although by sending S/MIME
-messages you've probably already lost that contest.)
+at @code{http://www.openssl.org/}. OpenSSL 0.9.6 and later should work.
+Version 0.9.5a cannot extract mail addresses from certificates, and it
+insert a spurious CR character into MIME separators so you may wish to
+avoid it if you would like to avoid being regarded as someone who send
+strange mail. (Although by sending S/MIME messages you've probably
+already lost that contest.)
 To be able to send encrypted mail, a personal certificate is not required. Message (MML) need a certificate for the person to whom you
-- 
1.7.10.4