[Rt-commit] rt branch, 4.2/smime, repushed
Alex Vandiver
alexmv at bestpractical.com
Tue Sep 3 01:49:57 EDT 2013
The branch 4.2/smime was deleted and repushed:
was 9d6481c4c7c980a96e256a43c6f42e0aeade362f
now 8b8fecc466395694b97f6cee1b246c69c119c8af
1: 81da587 = 1: 81da587 Process Sign/Encrypt values later on update
2: ac0d3a1 = 2: ac0d3a1 Refactor code which calls GPG::Interface to elimate duplicate code
3: bcb1f89 = 3: bcb1f89 Generalize CallGnuPG slightly more, allowing more code reuse
4: b0dba81 = 4: b0dba81 Minor cleanups to Probe, the one remaining non-CallGnuPG gpg interaction
5: 0da7281 = 5: 0da7281 Catch errors on close()
6: 80c0798 = 6: 80c0798 Rename Key to Signer for clarity and consistency
7: 1194665 = 7: 1194665 Rename Method to Command for clarity; "--foo" is not a "method"
8: 079e3e1 = 8: 079e3e1 Only set the default key if we actually have one
9: 8938e19 = 9: 8938e19 Only set the passphrase if we have one
10: 312cb6e = 10: 312cb6e Split IO::Handle::CRLF into its own file in RT::Crypt::GnuPG::CRLFHandle
11: 09d54d2 = 11: 09d54d2 Switch out RT::Crypt::GnuPG function calls for class methods
12: 6b99048 = 12: 6b99048 Create a generic RT::Crypt class to dispatch methods from
13: 6d2312e = 13: 6d2312e Move data-storage UseKeyFor... methods onto RT::Crypt
14: aad107d = 14: aad107d Provide a RT::Crypt->LoadImplementation method to load RT::Crypt::...
15: 30ab442 = 15: 30ab442 Add RT::Crypt->Protocols, to return the supported encryption protocols
16: 3ffc9fd = 16: 3ffc9fd Make protocol loading case-insensitive
17: 217e572 = 17: 217e572 Add a role for encryption classes
18: 57c195c = 18: 57c195c Move GetPassphrase onto the role
19: 967cfef = 19: 967cfef Move SignEncrypt to dispatch from RT::Crypt
20: d0ecfdc = 20: d0ecfdc Do not error if no From address is provided
21: b3a3025 = 21: b3a3025 Turn FindProtectedParts into a two-step process
22: d24d92e = 22: d24d92e Move FindProtectedParts into RT::Crypt
23: 621a397 = 23: 621a397 Unclaimed multipart/signed or multipart/encrypted parts should be skipped
24: 23c6432 = 24: 23c6432 Assume multipart/{signed,encrypted} parts may be GPG-encrypted
25: cf8ee45 = 25: cf8ee45 Move VerifyDecrypt to dispatch from RT::Crypt
26: acdfefb = 26: acdfefb Fix which part is labelled "Top" in signature attachments
27: 9dca0e0 = 27: 9dca0e0 Remove Top argument from where it is not needed
28: f24b69f = 28: f24b69f Merge two identical AddStatus/SetStatus blocks into one
29: 24f5c2a = 29: 24f5c2a Remove unused Detach argument
30: 8c935dc = 30: 8c935dc Remove unnecessary passing of SetStatus to VerifyRFC3156
31: bd32d0a = 31: bd32d0a Remove AddStatus/SetStatus arguments to VerifyDecrypt
32: e5db507 = 32: e5db507 Move status header setting into RT::Crypt
33: 73d06cf = 33: 73d06cf Move alteration of Top component into Verify/Decrypt methods
34: 5a31c00 = 34: 5a31c00 Move ParseStatus to dispatch from RT::Crypt
35: 084345c = 35: 084345c Move key retrieval to dispatch from RT::Crypt
36: a397c66 = 36: a397c66 Refactor UseKeyFor* and GetKeysFor* for generic use
37: 3522a04 = 37: 3522a04 Add Protocol information to GetPublicKeyInfo call
38: f0a5142 = 38: f0a5142 Move DrySign into RT::Crypt
39: b65c6eb = 39: b65c6eb move ParseDate method into RT::Crypt::Role to allow re-use
40: 30beaa8 = 40: 30beaa8 Move CheckRecipients into RT::Crypt
41: 86d3d32 = 41: 86d3d32 Move logic from RT::Interface::Email::Auth::GnuPG into ::Crypt
42: 602dc5a = 42: 602dc5a Warn about Auth::GnuPG and Auth::SMIME MailPlugins, and switch to Auth::Crypt
43: f81211a = 43: f81211a Remove unnecessary GnuPG disabling during testing
44: dad0e76 = 44: dad0e76 Generalize RT::Interface::Email::Auth::Crypt for multiple protocols
45: 64a9b43 = 45: 64a9b43 By default, VerifyDecrypt should iterate to fixed-point
46: 1c68fcb = 46: 1c68fcb Generalize GnuPG re-verification
47: 71a39b4 = 47: 71a39b4 Remove an unused variable
48: 45002d0 = 48: 45002d0 Abstract out a general Crypt setting, and split incoming and outgoing
49: c6d664d = 49: c6d664d Handle if the incoming protocol is but a scalar
50: 32147d9 = 50: 32147d9 Move GnuPG enabling/disabling to GnuPG PostLoadCheck
51: b4b6f18 = 51: b4b6f18 Move canonicalization of GnuPG homedir to PostLoadCheck
52: 9aed02a = 52: 9aed02a Ensure that RT->Config->Options returns keys in consistent order
53: d5c6da1 = 53: d5c6da1 Add "Probe" as a requirement of RT::Crypt::Role
54: e03e44b = 54: e03e44b Allow safe_run_child to run before ConnectToDatabase runs
55: 8b9d934 = 55: 8b9d934 Genericize loading and ->Probe of RT::Crypt::* classes during PostLoadCheck
56: 9cf1908 = 56: 9cf1908 Don't load crypt implementations upon RT::Crypt load
57: 12bd3b0 = 57: 12bd3b0 Drop extraneous "require RT::Crypt" lines
58: 66826e7 = 58: 66826e7 Switch iterations over all protocols to merely enabled ones
59: 90d1eef = 59: 90d1eef Place Passphrase configuration on individual configurations
60: a7b88b0 = 60: a7b88b0 Move RejectOnMissingPrivateKey and RejectOnBadData to generic Crypt settings
61: c0e3f4b = 61: c0e3f4b Ensure that ContentType is only updated after successful encryption/decryption
62: 086b633 = 62: 086b633 Refactor encryption of attachment content into the role, and move config
63: c7cfc5a = 63: c7cfc5a Switch to generic Crypt checks instead of GnuPG
64: 79e541e = 64: 79e541e All outgoing defaults should default to UseForOutgoing, not GnuPG
65: f44e951 = 65: f44e951 Fix a typo in a comment
66: 5dd001a = 66: 5dd001a Don't report unsafe permissions on gpg tests
67: bc0e44b = 67: bc0e44b One entity may have information about multiple crypt runs
68: 34ac88b = 68: 34ac88b Rename "bad data" template to not be GnuPG-specific
69: 7f3785e = 69: 7f3785e Move non-GPG specific docs to RT::Crypt
70: 82e3e61 = 70: 82e3e61 Wording fixes for RT::Crypt::GnuPG documentation
71: e854b0c = 71: e854b0c Add a 'configure' option to enable SMIME support
72: 782b13f = 72: 782b13f Add the skeleton of SMIME support, in RT::Crypt::SMIME
73: f751318 = 73: f751318 SMIME: Store the path to openssl in a configuration option
74: 7825d71 = 74: 7825d71 SMIME: probe for openssl existance, and smime subcommand
75: 5ccb49b = 75: 5ccb49b SMIME: part detection
76: 80e63c5 = 76: 80e63c5 SMIME: Format status into headers
77: f1b1536 ! 77: 2ad222d SMIME: Read and parse key content from a Keyring directory
@@ -32,7 +32,7 @@
use RT::Crypt;
use IPC::Run3 0.036 'run3';
use RT::Util 'safe_run_child';
-+use Crypt::OpenSSL::X509;
++use Crypt::X509;
=head1 NAME
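Review bot: The import change here adds only `use Crypt::X509`, but the rewritten certificate code in the same patch calls MIME::Base64::decode_base64, MIME::Base64::encode_base64 and Digest::SHA::sha1_hex by fully qualified name. Unless both modules are already loaded elsewhere in this file, add `use MIME::Base64 ();` and `use Digest::SHA ();` beside this line so the code does not depend on some other package having loaded them first.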
@@ -125,39 +125,49 @@
+ @_,
+ );
+
-+ my $cert = eval { Crypt::OpenSSL::X509->new_from_string( $args{Certificate} ) };
-+ return ( exit_code => 1, stderr => "$@" ) unless $cert;
++ if ($args{Certificate} =~ /^-----BEGIN \s+ CERTIFICATE-----$
++ (.*?)
++ ^-----END \s+ CERTIFICATE-----$/smx) {
++ $args{Certificate} = MIME::Base64::decode_base64($1);
++ }
++
++ my $cert = Crypt::X509->new( cert => $args{Certificate} );
++ return ( exit_code => 1, stderr => $cert->error ) if $cert->error;
+
+ my %USER_MAP = (
-+ Country => 'countryName',
-+ StateOrProvince => 'stateOrProvinceName',
-+ Organization => 'organizationName',
-+ OrganizationUnit => 'organizationalUnitName',
-+ Name => 'commonName',
-+ EmailAddress => 'emailAddress',
++ Country => 'country',
++ StateOrProvince => 'state',
++ Organization => 'org',
++ OrganizationUnit => 'ou',
++ Name => 'cn',
++ EmailAddress => 'email',
+ );
+ my $canonicalize = sub {
-+ my $name = shift;
++ my $type = shift;
+ my %data;
+ for (keys %USER_MAP) {
-+ my $v = $name->get_entry_by_long_type($USER_MAP{$_});
-+ $data{$_} = $v ? $v->value : undef;
++ my $method = $type . "_" . $USER_MAP{$_};
++ $data{$_} = $cert->$method if $cert->can($method);
+ }
+ $data{String} = Email::Address->new( @data{'Name', 'EmailAddress'} )->format
+ if $data{EmailAddress};
+ return \%data;
+ };
+
++ my $PEM = "-----BEGIN CERTIFICATE-----\n"
++ . MIME::Base64::encode_base64( $args{Certificate} )
++ . "-----END CERTIFICATE-----\n";
++
+ my %data = (
-+ Content => $args{Certificate},
++ Content => $PEM,
+ TrustLevel => 1,
-+ Fingerprint => $cert->fingerprint_sha1,
++ Fingerprint => Digest::SHA::sha1_hex($args{Certificate}),
+ 'Serial Number' => $cert->serial,
-+ Created => $self->ParseDate( $cert->notBefore ),
-+ Expire => $self->ParseDate( $cert->notAfter ),
-+ Version => sprintf("%d (0x%x)",hex($cert->version)+1, hex($cert->version)),
-+ Issuer => [ $canonicalize->( $cert->issuer_name ) ],
-+ User => [ $canonicalize->( $cert->subject_name ) ],
++ Created => $self->ParseDate( $cert->not_before ),
++ Expire => $self->ParseDate( $cert->not_after ),
++ Version => sprintf("%d (0x%x)",hex($cert->version || 0)+1, hex($cert->version || 0)),
++ Issuer => [ $canonicalize->( 'issuer' ) ],
++ User => [ $canonicalize->( 'subject' ) ],
+ );
+ return ( exit_code => 0, info => [ \%data ], stderr => '' );
}
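Review bot: The PEM detection at the top of this hunk ends both marker lines with `-----$` under /m, and `$` only matches directly before "\n", so a CRLF-terminated certificate will not match and the PEM text is passed to Crypt::X509->new as if it were DER. Consider allowing `\r?` before each `$`, or stripping carriage returns before the match, and add a test with CRLF input. Separately, in $canonicalize the `if $cert->can($method)` guard leaves a key absent where the previous code stored undef, and a misspelled entry in %USER_MAP would now be skipped silently; assigning undef in the else case keeps the returned hash shape stable.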
@@ -192,7 +202,7 @@
.
+$deps{'SMIME'} = [ text_to_hash( << '.') ];
-+Crypt::OpenSSL::X509
++Crypt::X509
+.
+
$deps{'ICAL'} = [ text_to_hash( << '.') ];
78: a5383fa = 78: c271d3b SMIME: Ensure that the keyring path is absolute, and exists
79: 2db873e = 79: 9c1b6a4 SMIME: Store user keys in a user column
80: d12d753 = 80: 232ee2e SMIME: Message verification
81: f65e4ac = 81: fdd25ac SMIME: Import signing keys after verification
82: 02f5845 ! 82: 0e2dab6 SMIME: Verifying the signing entity of SMIME certificates
@@ -128,30 +128,30 @@
return %res;
@@
- return \%data;
- };
+ . MIME::Base64::encode_base64( $args{Certificate} )
+ . "-----END CERTIFICATE-----\n";
- my %data = (
-- Content => $args{Certificate},
+- Content => $PEM,
- TrustLevel => 1,
-- Fingerprint => $cert->fingerprint_sha1,
+- Fingerprint => Digest::SHA::sha1_hex($args{Certificate}),
- 'Serial Number' => $cert->serial,
-- Created => $self->ParseDate( $cert->notBefore ),
-- Expire => $self->ParseDate( $cert->notAfter ),
-- Version => sprintf("%d (0x%x)",hex($cert->version)+1, hex($cert->version)),
-- Issuer => [ $canonicalize->( $cert->issuer_name ) ],
-- User => [ $canonicalize->( $cert->subject_name ) ],
+- Created => $self->ParseDate( $cert->not_before ),
+- Expire => $self->ParseDate( $cert->not_after ),
+- Version => sprintf("%d (0x%x)",hex($cert->version || 0)+1, hex($cert->version || 0)),
+- Issuer => [ $canonicalize->( 'issuer' ) ],
+- User => [ $canonicalize->( 'subject' ) ],
+ my %res = (
+ exit_code => 0,
+ info => [ {
-+ Content => $args{Certificate},
-+ Fingerprint => $cert->fingerprint_sha1,
++ Content => $PEM,
++ Fingerprint => Digest::SHA::sha1_hex($args{Certificate}),
+ 'Serial Number' => $cert->serial,
-+ Created => $self->ParseDate( $cert->notBefore ),
-+ Expire => $self->ParseDate( $cert->notAfter ),
-+ Version => sprintf("%d (0x%x)",hex($cert->version)+1, hex($cert->version)),
-+ Issuer => [ $canonicalize->( $cert->issuer_name ) ],
-+ User => [ $canonicalize->( $cert->subject_name ) ],
++ Created => $self->ParseDate( $cert->not_before ),
++ Expire => $self->ParseDate( $cert->not_after ),
++ Version => sprintf("%d (0x%x)",hex($cert->version || 0)+1, hex($cert->version || 0)),
++ Issuer => [ $canonicalize->( 'issuer' ) ],
++ User => [ $canonicalize->( 'subject' ) ],
+ } ],
+ stderr => ''
);
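Review bot: Fingerprint in the info hash is now `Digest::SHA::sha1_hex($args{Certificate})`, which yields 40 lowercase hex characters with no separators, where it was previously `$cert->fingerprint_sha1`. Please confirm the two produce the same string format (case and separators), since any stored fingerprint or comparison elsewhere would otherwise stop matching without an error. A test asserting the exact fingerprint string for one of the test certificates would pin this down. It also relies on $args{Certificate} having already been converted to DER by the earlier PEM branch, which deserves a short comment here.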
@@ -173,7 +173,7 @@
+ 'verify', @ca_verify,
+ ];
+ my $buf = '';
-+ safe_run_child { run3( $cmd, \$args{Certificate}, \$buf, \$res{stderr} ) };
++ safe_run_child { run3( $cmd, \$PEM, \$buf, \$res{stderr} ) };
+ if ( $? ) {
+ $res{exit_code} = $?;
+ $res{message} = "openssl exited with error code ". ($? >> 8)
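Review bot: In the `if ( $? )` branch the message reports `$? >> 8`, which is 0 when openssl was terminated by a signal, so the log would read "error code 0" for a failed verification while exit_code holds the raw $?. Consider reporting the signal (`$? & 127`) as well, or formatting both from the same value. Since $PEM is now what is fed to `openssl verify`, it would also help to note that it is rebuilt from the DER bytes, so what is verified is the re-encoded certificate and not the caller's original text.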
83: 93df8fc = 83: 3a1651d SMIME: Allow an insecure mode which accepts untrusted certificates
84: 03df19e = 84: 1a0cefb SMIME: Document passphrase loading
85: fe3e256 = 85: 88f4bf3 Pass queue and actions into mail plugins, and thence to VerifyDecrypt
86: c56f040 = 86: 41310a4 SMIME: Message decryption
87: 7acc2d8 = 87: fae26f6 SMIME: Testing keys and certificates
88: 3c3f958 = 88: caa921e Factor out find_relocatable_path
89: c102a7f = 89: 220a37f SMIME: Add a testing module
90: b46b7d3 = 90: 7b1ac17 SMIME: Test incoming mail verification and encryption
91: 37f1d2a ! 91: 277f7a9 SMIME: Message signing and encryption
@@ -8,7 +8,7 @@
@@
use IPC::Run3 0.036 'run3';
use RT::Util 'safe_run_child';
- use Crypt::OpenSSL::X509;
+ use Crypt::X509;
+use String::ShellQuote 'shell_quote';
=head1 NAME
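Review bot: `use String::ShellQuote 'shell_quote'` is added next to IPC::Run3, but the call sites are not visible in this hunk. The verify path in this same series passes run3 an array reference command, which avoids a shell entirely; if shell_quote is being used to build a command string for a shell, prefer the list form there too, and if a shell pipeline is unavoidable, a comment at the call site explaining why would help.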
@@ -148,7 +148,7 @@
@@
$deps{'SMIME'} = [ text_to_hash( << '.') ];
- Crypt::OpenSSL::X509
+ Crypt::X509
+String::ShellQuote
.
92: f289b2f = 92: 0b0e047 SMIME: If passphrase is empty, then don't provide -passin
93: 49fc5c4 = 93: c82c041 SMIME: Test outgoing mail
94: 62a59a6 = 94: 2e75f53 SMIME: Test parsing of real mail
95: 01d750d = 95: 79c0f13 Always pass Top entity when we detecting crypto parts
96: a98efb3 = 96: 4d10bf3 SMIME: Improve recipient detection by examining all possibilities
97: b7c47ef = 97: 78d03d1 SMIME: Be more verbose on how it looks for, and fails to find, private keys
98: 30be6a5 = 98: 6040ae1 SMIME: Encrypting and decrypting attachments in the database
99: 5186f9a = 99: 5727814 Upgrade script for users of RT::Extension::SMIME and ::Crypt
100: b1ad243 = 100: f5ecaa4 Factor out sending templated errors for convenient future use
101: f7e861a = 101: 4883f17 Add RejectOnUnencrypted to force all incoming messages to be encrypted
102: 70a3f5a = 102: cadae6d Allow encryption/signing of dashboards
103: 8982b44 = 103: 78f6d57 Refactor common delegation code
104: 278b990 = 104: 1df8a47 Only GnuPG supports multiple private keys per user; restrict PrivateKey
105: 7a25437 = 105: 1bb8662 SMIME: Admin interface for updating SMIME keys
106: 4bdeb9d = 106: 99aaf1d /Admin/Users/GnuPG.html is no longer just GPG, but all secret keys
107: a100e31 = 107: 6fc86d6 Rename GnuPG mason components to Crypt
108: da8523b = 108: ba0b4d6 Reword UI messages implying the GnuPG is the only form of encryption
109: d79a53c = 109: f5bd26b Display Created and Expire dates in the user's preferred format by setting CurrentUser
110: bc4b1b1 = 110: 50e51e2 On UIDs with neither expiration nor created dates (SMIME), skip the dates
111: ff42449 = 111: d4d986c Display GnuPG/SMIME issues box in yellow, much like results
112: 5750602 = 112: b72dbaf Resolve SMIME/GnuPG inconsistency when asking for non-existent keys
113: 9d6481c = 113: 8b8fecc Visualize trust level of signing entity