[Rt-commit] rt branch, 4.2/smime-untrusted-certificates, created. rt-4.2.0rc1-9-g17ea5b4
Alex Vandiver
alexmv at bestpractical.com
Wed Sep 18 18:05:31 EDT 2013
The branch, 4.2/smime-untrusted-certificates has been created
at 17ea5b473dca0dfcbc9fdeeef4a483435eae3319 (commit)
- Log -----------------------------------------------------------------
commit 17ea5b473dca0dfcbc9fdeeef4a483435eae3319
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Wed Sep 18 17:29:28 2013 -0400
Allow S/MIME encryption to untrusted users with AcceptUntrustedCAs
gpg is incapable of sending mail to untrusted keys in its keyring. For
this purpose, RT forbids sending mail to keys which have a trust level
of "unknown." This limitation can be worked around by setting
'trust-model' to 'always' in GnuPGOptions, which forces all keys in the
keyring to be seen as 'ultimately trusted' -- with the unfortunate
side-effect in such configurations that actually-trusted keys cannot be
differentiated from keys which are not.
S/MIME does not possess the limitation that untrusted keys cannot be used
for encryption. In the case of AcceptUntrustedCAs, it is in fact a
somewhat expected workflow that a signed but untrusted S/MIME email is
injected, which may wish to be replied to with encryption.
Rather than implement the same solution as GPG (and suffer the
consequent loss of information as to signing trust), omit the TrustLevel
check if AcceptUntrustedCAs is set.
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index e4a82a5..da50ec3 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2393,6 +2393,9 @@ trusted certificate authorities. This configuration is generally
insecure, as it allows the possibility of accepting forged mail signed
by an untrusted certificate authority.
+Setting C<AcceptUntrustedCAs> also allows encryption to users with
+certificates created by untrusted CAs.
+
Set C<Passphrase> to a scalar (to use for all keys), an anonymous
function, or a hash (to look up by address). If the hash is used, the
'' key is used as a default.
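Review bot: the two added lines state the new behaviour but not its risk; since the surrounding paragraph already warns that forged signatures may be accepted, the addition should say the corresponding thing for encryption, e.g. "Mail encrypted to such a certificate is readable by whoever holds its private key, which RT has not verified belongs to the recipient," so that administrators enabling AcceptUntrustedCAs see both consequences in one place.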
diff --git a/lib/RT/Crypt.pm b/lib/RT/Crypt.pm
index 660a9ba..7554aab 100644
--- a/lib/RT/Crypt.pm
+++ b/lib/RT/Crypt.pm
@@ -662,11 +662,19 @@ sub CheckRecipients {
my ($status, @issues) = (1, ());
+ my $trust = sub { 1 };
+ if ( $self->UseForOutgoing eq 'SMIME' ) {
+ $trust = sub { $_[0]->{'TrustLevel'} > 0 or RT->Config->Get('SMIME')->{AcceptUntrustedCAs} };
+ } elsif ( $self->UseForOutgoing eq 'GnuPG' ) {
+ $trust = sub { $_[0]->{'TrustLevel'} > 0 };
+ }
+
my %seen;
foreach my $address ( grep !$seen{ lc $_ }++, map $_->address, @recipients ) {
my %res = $self->GetKeysForEncryption( Recipient => $address );
- if ( $res{'info'} && @{ $res{'info'} } == 1 && $res{'info'}[0]{'TrustLevel'} > 0 ) {
- # good, one suitable and trusted key
+ if ( $res{'info'} && @{ $res{'info'} } == 1 and $trust->($res{'info'}[0]) ) {
+ # One key, which is trusted, or we can sign with an
+ # untrusted key (aka SMIME with AcceptUntrustedCAs)
next;
}
my $user = RT::User->new( RT->SystemUser );
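Review bot: the fallback `my $trust = sub { 1 };` accepts every key when UseForOutgoing is neither 'SMIME' nor 'GnuPG', which is a loosening of the previous unconditional `TrustLevel > 0` check; defaulting to `sub { $_[0]->{'TrustLevel'} > 0 }` and only relaxing it in the SMIME branch keeps the strict behaviour for any other or future backend. Two smaller points: the SMIME closure re-reads `RT->Config->Get('SMIME')->{AcceptUntrustedCAs}` on every call, so hoisting it into a lexical before building the closure would be cleaner, and the new comment says "we can sign with an untrusted key" although this code decides whether to encrypt to the recipient's key, so "encrypt to" would be accurate. The mixed `&&` / `and` in the rewritten condition parses as intended but reads oddly next to the original `&&` chain.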
@@ -678,7 +686,7 @@ sub CheckRecipients {
if ( $res{'info'} && @{ $res{'info'} } ) {
next if
grep lc $_->{'Fingerprint'} eq lc $fpr,
- grep $_->{'TrustLevel'} > 0,
+ grep $trust->($_),
@{ $res{'info'} };
}
diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index 7c41701..2f953a7 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -110,6 +110,9 @@ used to mark which mails are signed by trusted certificate authorities.
This configuration is generally insecure, as it allows the possibility
of accepting forged mail signed by an untrusted certificate authority.
+Setting this option also allows encryption to users with certificates
+created by untrusted CAs.
+
=head3 Passphrase
C<Passphrase> may be set to a scalar (to use for all keys), an anonymous