[Rt-commit] rt branch, 4.4-trunk, updated. rt-4.4.4-139-g69bfd11c84

Jim Brandt jbrandt at bestpractical.com
Wed Sep 2 14:54:12 EDT 2020


The branch, 4.4-trunk has been updated
       via  69bfd11c84eb860d0c6f10aead91e5e91fe11f25 (commit)
       via  5857fdf9f92fcb914560a6d1a17ad9f68378c159 (commit)
       via  b47c88327557c63aec2721f8fb3b1ea80d33ca43 (commit)
      from  f336a221215cc624c0a3ae21638d34e414900141 (commit)

Summary of changes:
 etc/RT_Config.pm.in         |  4 +++
 lib/RT/Crypt/SMIME.pm       | 13 ++++++++++
 t/crypt/smime/other-certs.t | 62 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 t/crypt/smime/other-certs.t

- Log -----------------------------------------------------------------
commit b47c88327557c63aec2721f8fb3b1ea80d33ca43
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Feb 2 22:28:39 2018 +0800

    OtherCertificatesToSend option for SMIME

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 44e8ce56d1..f8f7866c02 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -3057,6 +3057,9 @@ Set C<Passphrase> to a scalar (to use for all keys), an anonymous
 function, or a hash (to look up by address).  If the hash is used, the
 '' key is used as a default.
 
+Set C<OtherCertificatesToSend> to path to a PEM-formatted certificate file.
+Certificates in the file will be include in outgoing signed emails.
+
 See L<RT::Crypt::SMIME> for details.
 
 =back
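Review bot: The added POD sentence `Certificates in the file will be include in outgoing signed emails.` should read `will be included`; the same sentence recurs in the new `=head3 OtherCertificatesToSend` section of lib/RT/Crypt/SMIME.pm, where `CA could also be included here` is also too vague to act on. Since the file is handed to openssl as `-certfile` at signing time, its contents travel with every signed message, so the documentation should say plainly that it must contain only public certificates (typically the intermediate chain recipients need to verify the signature, optionally the root CA) and never a private key. A possible replacement for the last paragraph: `Recipients can only verify a signature when they can build a chain to a CA they trust, so this file usually holds the intermediate CA certificate(s) that issued the signing certificate; the root CA certificate may be added as well. Everything in this file is sent to every recipient, so it must not contain private keys.`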
@@ -3070,6 +3073,7 @@ Set( %SMIME,
     CAPath => undef,
     AcceptUntrustedCAs => undef,
     Passphrase => undef,
+    OtherCertificatesToSend => undef,
 );
 
 =head2 GnuPG configuration
diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index 4075b8f95b..5ea826327c 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -81,6 +81,7 @@ You should start from reading L<RT::Crypt>.
             'queue.address at example.com' => 'passphrase',
             '' => 'fallback',
         },
+        OtherCertificatesToSend => '/opt/rt4/var/data/smime/other-certs.pem',
     );
 
 =head3 OpenSSL
@@ -119,6 +120,14 @@ C<Passphrase> may be set to a scalar (to use for all keys), an anonymous
 function, or a hash (to look up by address).  If the hash is used, the
 '' key is used as a default.
 
+=head3 OtherCertificatesToSend
+
+C<OtherCertificatesToSend> is a path to a PEM-formatted certificate file.
+Certificates in the file will be include in outgoing signed emails.
+
+Depending on use cases, you might need to include a chain of certificates so
+receiving agents can verify. CA could also be included here.
+
 =head2 Keyring configuration
 
 RT looks for keys in the directory configured in the L</Keyring> option
@@ -216,6 +225,7 @@ sub SignEncrypt {
         Sign => 1,
         Signer => undef,
         Passphrase => undef,
+        OtherCertificatesToSend => undef,
 
         Encrypt => 1,
         Recipients => undef,
@@ -280,6 +290,7 @@ sub _SignEncrypt {
         Sign => 1,
         Signer => undef,
         Passphrase => undef,
+        OtherCertificatesToSend => undef,
 
         Encrypt => 1,
         Recipients => [],
@@ -351,10 +362,12 @@ sub _SignEncrypt {
         $args{'Passphrase'} = $self->GetPassphrase( Address => $args{'Signer'} )
             unless defined $args{'Passphrase'};
 
+        $args{OtherCertificatesToSend} //= $opts->{OtherCertificatesToSend};
         push @commands, [
             $self->OpenSSLPath, qw(smime -sign),
             -signer => $file,
             -inkey  => $file,
+            $args{OtherCertificatesToSend} ? ( -certfile => $args{OtherCertificatesToSend} ) : (),
             (defined $args{'Passphrase'} && length $args{'Passphrase'})
                 ? (qw(-passin env:SMIME_PASS))
                 : (),
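Review bot: The configured path is passed straight to openssl on the `-certfile` line with no check that it exists or is readable, so a typo in `OtherCertificatesToSend` presumably surfaces only as an opaque openssl failure at signing time rather than as a clear RT error; consider validating it right after the `//=` line, e.g. `if ( defined $args{OtherCertificatesToSend} && !-r $args{OtherCertificatesToSend} ) { RT->Logger->error("OtherCertificatesToSend is not readable: $args{OtherCertificatesToSend}"); }`, so the misconfiguration is logged where an operator will find it. The new lines also use bareword hash keys (`$args{OtherCertificatesToSend}`) while the surrounding code quotes them (`$args{'Passphrase'}`); matching the existing style keeps the block uniform. `$opts` is defined outside this hunk, so where the fallback value comes from cannot be confirmed here; the enclosing `_SignEncrypt` also begins and ends outside the hunk.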

commit 5857fdf9f92fcb914560a6d1a17ad9f68378c159
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Sat Feb 3 01:21:54 2018 +0800

    tests OtherCertificatesToSend option

diff --git a/t/crypt/smime/other-certs.t b/t/crypt/smime/other-certs.t
new file mode 100644
index 0000000000..1b4407586b
--- /dev/null
+++ b/t/crypt/smime/other-certs.t
@@ -0,0 +1,62 @@
+use strict;
+use warnings;
+
+use RT::Test::SMIME tests => undef;
+use IPC::Run3 'run3';
+
+RT::Test::SMIME->import_key( 'sender at example.com' );
+
+diag "No OtherCertificatesToSend";
+
+my $mime = MIME::Entity->build(
+    From => 'sender at example.com',
+    Type => 'text/plain',
+    Data => ["this is body\n"],
+);
+
+RT::Crypt::SMIME->SignEncrypt( Entity => $mime, Signer => 'sender at example.com', Sign => 1, Encrypt => 0 );
+
+my ( $pk7, $err, $cert );
+run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(smime -pk7out) ], \$mime->as_string, \$pk7, \$err );
+ok( $pk7,  'got pk7 signature' );
+ok( !$err, 'no errors' );
+
+run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(pkcs7 -print_certs -text) ], \$pk7, \$cert, \$err );
+ok( $cert, 'got cert' );
+ok( !$err, 'no errors' );
+
+chomp $cert;
+open my $fh, '<', RT::Test::SMIME->key_path( 'sender at example.com.crt' ) or die $!;
+my $sender_cert = do { local $/; <$fh> };
+is( $cert, $sender_cert, 'cert is the same one' );
+
+diag "Has OtherCertificatesToSend";
+
+RT->Config->Get( 'SMIME' )->{OtherCertificatesToSend} = RT::Test::SMIME->key_path( 'demoCA', 'cacert.pem' );
+
+$mime = MIME::Entity->build(
+    From => 'sender at example.com',
+    Type => 'text/plain',
+    Data => ["this is body\n"],
+);
+
+RT::Crypt::SMIME->SignEncrypt( Entity => $mime, Signer => 'sender at example.com', Sign => 1, Encrypt => 0 );
+
+run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(smime -pk7out) ], \$mime->as_string, \$pk7, \$err );
+ok( $pk7,  'got pk7 signature' );
+ok( !$err, 'no errors' );
+
+run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(pkcs7 -print_certs -text) ], \$pk7, \$cert, \$err );
+ok( $cert, 'got cert' );
+ok( !$err, 'no errors' );
+
+chomp $cert;
+my @certs = split /\n(?=Certificate:)/, $cert;
+is( scalar @certs, 2, 'found 2 certs' );
+
+open $fh, '<', RT::Test::SMIME->key_path( 'demoCA', 'cacert.pem' ) or die $!;
+my $ca_cert = do { local $/; <$fh> };
+is( $certs[0], $ca_cert,     'got ca cert' );
+is( $certs[1], $sender_cert, 'got sender cert' );
+
+done_testing;
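Review bot: The four `ok( !$err, 'no errors' )` checks discard openssl's stderr on failure, which is exactly the text needed to diagnose a broken chain; `is( $err, '', 'no errors' )` reports the captured output when the assertion fails. On the line reading the CA certificate, `open $fh, '<', ...` reuses the handle opened earlier for the sender certificate without closing it first; a fresh lexical such as `open my $ca_fh, '<', RT::Test::SMIME->key_path( 'demoCA', 'cacert.pem' ) or die $!;` avoids relying on the implicit close and keeps each file's handle scoped to its use. The test also mutates the live config via `RT->Config->Get( 'SMIME' )->{OtherCertificatesToSend} = ...`; a short comment noting that this is intentional for the test process would help readers who expect `RT->Config->Set`.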

commit 69bfd11c84eb860d0c6f10aead91e5e91fe11f25
Merge: f336a22121 5857fdf9f9
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Wed Sep 2 14:40:51 2020 -0400

    Merge branch '4.4/smime-send-other-certs' into 4.4-trunk


-----------------------------------------------------------------------

