[Rt-commit] rt branch, 4.2/smime-subjectaltname, created. rt-4.2.14-9-g9aa066f
Alex Vandiver
alexmv at bestpractical.com
Thu Sep 7 06:02:37 EDT 2017
The branch, 4.2/smime-subjectaltname has been created
at 9aa066f271b9359887a1ea4de2123834ddf82f8c (commit)
- Log -----------------------------------------------------------------
commit 5f8c2c57e26b5fc9c4fc01f2ad45f4c7aaeea621
Author: Alex Vandiver <alex at chmrr.net>
Date: Thu Sep 7 02:48:06 2017 -0700
Add a framework for generating SMIME certificates
This expands on the existing CA directories, by adding all relevant
parts of them, and adding a simple tool to generate more certificates
in the future.
diff --git a/t/data/smime/keys/.gitignore b/t/data/smime/keys/.gitignore
new file mode 100644
index 0000000..12106ed
--- /dev/null
+++ b/t/data/smime/keys/.gitignore
@@ -0,0 +1,2 @@
+demoCA/*.old
+otherCA/*.old
diff --git a/t/data/smime/keys/add-cert b/t/data/smime/keys/add-cert
new file mode 100755
index 0000000..86d3b83
--- /dev/null
+++ b/t/data/smime/keys/add-cert
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -eu
+
+if [ "$#" -ne 1 ]; then
+ echo "Usage: add-cert username"
+ exit 1
+fi
+
+export CERTNAME=$1
+
+# Generate the key and CSR
+openssl req -config ./openssl.cnf -new -newkey rsa \
+ -keyout ${CERTNAME}@example.com.key \
+ -out ${CERTNAME}@example.com.csr \
+ -passout pass:123456
+
+# Sign it as the CA
+openssl ca -config ./openssl.cnf -passin pass:123456 -batch \
+ -out ${CERTNAME}@example.com.crt \
+ -infiles ${CERTNAME}@example.com.csr
+
+# Stitch both halves together
+cat ${CERTNAME}@example.com.crt ${CERTNAME}@example.com.key > ${CERTNAME}@example.com.pem
+
+# Update git
+git add ${CERTNAME}@example.com.{key,csr,crt,pem} demoCA/
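Review bot: `$CERTNAME` is expanded unquoted in every file name from line 42 through line 55 and is never validated, so a username containing whitespace, glob characters or a `/` either breaks word splitting or writes the key material outside this directory; the same value also becomes the CN and emailAddress through `${ENV::CERTNAME}` in openssl.cnf. `set -eu` already states the intent to fail fast, so an anchored check of the argument right after the count test, plus double quotes on each expansion, closes the gap; rejecting a leading `-` also keeps `cat` from reading the name as an option. The rewritten body follows; the usage check, the comments and the `-passout`/`-passin` handling are unchanged.
```shell
export CERTNAME=$1

# It becomes file names here and the CN/emailAddress in openssl.cnf,
# so allow only a plain local part: no separators, globs or spaces.
case "$CERTNAME" in
    ''|-*|*[!A-Za-z0-9._-]*)
        echo "add-cert: username must match [A-Za-z0-9._-]+ and not start with -" >&2
        exit 1
        ;;
esac

# … unchanged: comments …
openssl req -config ./openssl.cnf -new -newkey rsa \
    -keyout "${CERTNAME}@example.com.key" \
    -out "${CERTNAME}@example.com.csr" \
    -passout pass:123456

openssl ca -config ./openssl.cnf -passin pass:123456 -batch \
    -out "${CERTNAME}@example.com.crt" \
    -infiles "${CERTNAME}@example.com.csr"

cat "${CERTNAME}@example.com.crt" "${CERTNAME}@example.com.key" > "${CERTNAME}@example.com.pem"

git add "${CERTNAME}@example.com".{key,csr,crt,pem} demoCA/
```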
diff --git a/t/data/smime/keys/demoCA/certs/.gitignore b/t/data/smime/keys/demoCA/certs/.gitignore
new file mode 100644
index 0000000..0bb9ebc
--- /dev/null
+++ b/t/data/smime/keys/demoCA/certs/.gitignore
@@ -0,0 +1,2 @@
+# The CA wants a place to store the certs it generates; we name them better and store them in t/data/smime/keys/ so we don't care about the ones the CA "stores." This whole directory is thus ignored.
+*.pem
diff --git a/t/data/smime/keys/demoCA/index.txt b/t/data/smime/keys/demoCA/index.txt
new file mode 100644
index 0000000..90146c6
--- /dev/null
+++ b/t/data/smime/keys/demoCA/index.txt
@@ -0,0 +1,2 @@
+V 230828214107Z 8A6ACD51BE94A015 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Enoch Root/emailAddress=root at example.com
+V 230828214145Z 8A6ACD51BE94A016 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=sender/emailAddress=sender at example.com
diff --git a/t/data/smime/keys/demoCA/index.txt.attr b/t/data/smime/keys/demoCA/index.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/t/data/smime/keys/demoCA/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/t/data/smime/keys/openssl.cnf b/t/data/smime/keys/openssl.cnf
new file mode 100644
index 0000000..4f319d7
--- /dev/null
+++ b/t/data/smime/keys/openssl.cnf
@@ -0,0 +1,71 @@
+# This is the OpenSSL configuration file used for the demo CA. It
+# contains the parts necessary to make SMIME private keys and CSRs,
+# followed by the configuration for the CA to sign such.
+#
+# To make a new username at example.com SMIME certificate, run:
+# ./add-cert username
+
+
+# --------------------------------------------------------------------
+# shared configuration
+# --------------------------------------------------------------------
+[ cert_extensions ] # Referenced by `req` and `demo_ca`
+basicConstraints = critical,CA:FALSE # We never generate or sign CA certificates
+# subjectAltName = email:move # Uncomment to move any emailaddress property into subjectAltName
+
+
+# --------------------------------------------------------------------
+# openssl req
+# --------------------------------------------------------------------
+[ req ]
+default_bits = 512 # Small to keep things fast
+prompt = no # DN section contains defaults
+distinguished_name = req_dn # Ref below
+x509_extensions = cert_extensions # Ref above
+
+[ req_dn ]
+countryName = AU # These values are for back-compat with earlier certs
+stateOrProvinceName = Some-State
+organizationName = Internet Widgits Pty Ltd
+commonName = ${ENV::CERTNAME} # Pull name and email from environment var
+emailAddress = ${ENV::CERTNAME}@example.com
+
+
+# --------------------------------------------------------------------
+# openssl ca
+# --------------------------------------------------------------------
+[ ca ]
+default_ca = demo_ca # Ref below
+
+[ demo_ca ]
+dir = ./demoCA # Where everything is kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs/ # This is gitignored
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem# The private key
+x509_extensions = cert_extensions # Ref above
+default_days = 3650 # Make these very long-lived, as test certs
+default_md = default # Use public key default MD
+policy = policy_match # Ref below
+
+
+[ other_ca ] # A duplicate of demo_ca, but with a different root
+dir = ./otherCA # Pass `-name other_ca` to sign with this CA
+database = $dir/index.txt
+new_certs_dir = $dir/certs/
+certificate = $dir/cacert.pem
+serial = $dir/serial
+private_key = $dir/private/cakey.pem
+x509_extensions = cert_extensions # Ref above
+default_days = 3650
+default_md = default
+policy = policy_match # Ref below
+
+
+[ policy_match ] # What CSR attributes must match the CA's
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+commonName = supplied
+emailAddress = optional
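Review bot: The `subjectAltName = email:move` line in `[ cert_extensions ]` is committed commented out, yet the altuser fixture added in the following commit carries `email:altuser at example.com` in its SAN and no emailAddress in its subject, so the config as checked in cannot regenerate that fixture with `./add-cert`; a second section such as `[ san_extensions ]` carrying the same `basicConstraints` line plus `subjectAltName = email:move`, chosen with `-extensions san_extensions` on the `openssl ca` step, would make both kinds of certificate reproducible, or at least the header comment should say which line to toggle. Separately, `default_bits = 512` means every certificate produced here has a 512-bit RSA key (the fixture prints `Public-Key: (512 bit)`); OpenSSL builds that enforce a default security level reject RSA keys below 1024 bits at verification time, so these tests are likely to start failing on newer toolchains, and 2048 costs little for a handful of ten-year fixtures. The line comment gives speed as the reason, so this is a trade-off to record rather than a syntax defect. Minor: `private_key = $dir/private/cakey.pem# The private key` lacks the space before `#` that every other commented line has.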
diff --git a/t/data/smime/keys/otherCA/certs/.gitignore b/t/data/smime/keys/otherCA/certs/.gitignore
new file mode 100644
index 0000000..0bb9ebc
--- /dev/null
+++ b/t/data/smime/keys/otherCA/certs/.gitignore
@@ -0,0 +1,2 @@
+# The CA wants a place to store the certs it generates; we name them better and store them in t/data/smime/keys/ so we don't care about the ones the CA "stores." This whole directory is thus ignored.
+*.pem
diff --git a/t/data/smime/keys/otherCA/index.txt b/t/data/smime/keys/otherCA/index.txt
new file mode 100644
index 0000000..e69de29
diff --git a/t/data/smime/keys/otherCA/index.txt.attr b/t/data/smime/keys/otherCA/index.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/t/data/smime/keys/otherCA/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
commit 9aa066f271b9359887a1ea4de2123834ddf82f8c
Author: Alex Vandiver <alex at chmrr.net>
Date: Thu Sep 7 02:54:55 2017 -0700
Add a failing test with a subjectAltName SMIME certificate
Many certificates in the wild do not have emailAddress set, but rather
have one or more subjectAltName attributes, with email addresses
therein. Add such a certificate, and a failing test based on it.
diff --git a/t/data/smime/keys/altuser at example.com.crt b/t/data/smime/keys/altuser at example.com.crt
new file mode 100644
index 0000000..ed8a857
--- /dev/null
+++ b/t/data/smime/keys/altuser at example.com.crt
@@ -0,0 +1,49 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9974010075738841111 (0x8a6acd51be94a017)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=CA Owner/emailAddress=ca.owner at example.com
+ Validity
+ Not Before: Sep 7 09:54:21 2017 GMT
+ Not After : Sep 5 09:54:21 2027 GMT
+ Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=altuser
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (512 bit)
+ Modulus:
+ 00:eb:38:ac:b0:ef:cb:5a:45:02:69:19:cb:9a:f8:
+ 2d:1a:2a:b1:92:ec:15:fb:65:06:78:46:9e:f3:0a:
+ 8d:be:34:e6:5b:f3:c7:20:01:55:e5:db:26:4f:d8:
+ 79:da:87:eb:2c:04:39:0b:26:45:06:d7:81:1e:45:
+ e2:24:61:c6:0f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Alternative Name:
+ email:altuser at example.com
+ Signature Algorithm: sha256WithRSAEncryption
+ 45:8c:44:78:a6:d8:55:26:f1:e1:3f:a2:44:90:6e:51:90:5a:
+ 3a:d5:8a:87:d5:d7:5b:07:cd:23:79:50:05:f8:bd:14:f7:ad:
+ 68:f2:45:71:b8:05:b2:d0:d0:bd:83:76:c4:bf:36:f4:8c:9a:
+ c7:ca:41:4f:b3:40:2e:7f:31:a7:12:27:08:71:6a:0f:0d:fa:
+ 43:85:37:46:8f:3c:7e:5d:97:cf:18:e6:50:57:39:65:22:db:
+ 95:22:e4:5c:19:3c:53:0d:ce:e5:bb:df:5c:d6:77:96:f8:b4:
+ a2:63:b2:21:15:36:e7:3c:5f:b4:01:b8:aa:db:2e:bf:d3:fd:
+ a4:35
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/t/data/smime/keys/altuser at example.com.csr b/t/data/smime/keys/altuser at example.com.csr
new file mode 100644
index 0000000..37d10e9
--- /dev/null
+++ b/t/data/smime/keys/altuser at example.com.csr
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBNTCB4AIBADB7MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEh
+MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQDDAdhbHR1
+c2VyMSIwIAYJKoZIhvcNAQkBFhNhbHR1c2VyQGV4YW1wbGUuY29tMFwwDQYJKoZI
+hvcNAQEBBQADSwAwSAJBAOs4rLDvy1pFAmkZy5r4LRoqsZLsFftlBnhGnvMKjb40
+5lvzxyABVeXbJk/YedqH6ywEOQsmRQbXgR5F4iRhxg8CAwEAAaAAMA0GCSqGSIb3
+DQEBCwUAA0EABio8gb8fzS6EnZFL0Fz1iCkJnVMRcUfRPS5yecXgHFIt9jbnna5k
+vteS0JeZAGxKd+t5kvp3cP1BwgquFKCcbA==
+-----END CERTIFICATE REQUEST-----
diff --git a/t/data/smime/keys/altuser at example.com.key b/t/data/smime/keys/altuser at example.com.key
new file mode 100644
index 0000000..38bc319
--- /dev/null
+++ b/t/data/smime/keys/altuser at example.com.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/t/data/smime/keys/altuser at example.com.pem b/t/data/smime/keys/altuser at example.com.pem
new file mode 100644
index 0000000..de0602e
--- /dev/null
+++ b/t/data/smime/keys/altuser at example.com.pem
@@ -0,0 +1,60 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9974010075738841111 (0x8a6acd51be94a017)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=CA Owner/emailAddress=ca.owner at example.com
+ Validity
+ Not Before: Sep 7 09:54:21 2017 GMT
+ Not After : Sep 5 09:54:21 2027 GMT
+ Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=altuser
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (512 bit)
+ Modulus:
+ 00:eb:38:ac:b0:ef:cb:5a:45:02:69:19:cb:9a:f8:
+ 2d:1a:2a:b1:92:ec:15:fb:65:06:78:46:9e:f3:0a:
+ 8d:be:34:e6:5b:f3:c7:20:01:55:e5:db:26:4f:d8:
+ 79:da:87:eb:2c:04:39:0b:26:45:06:d7:81:1e:45:
+ e2:24:61:c6:0f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Alternative Name:
+ email:altuser at example.com
+ Signature Algorithm: sha256WithRSAEncryption
+ 45:8c:44:78:a6:d8:55:26:f1:e1:3f:a2:44:90:6e:51:90:5a:
+ 3a:d5:8a:87:d5:d7:5b:07:cd:23:79:50:05:f8:bd:14:f7:ad:
+ 68:f2:45:71:b8:05:b2:d0:d0:bd:83:76:c4:bf:36:f4:8c:9a:
+ c7:ca:41:4f:b3:40:2e:7f:31:a7:12:27:08:71:6a:0f:0d:fa:
+ 43:85:37:46:8f:3c:7e:5d:97:cf:18:e6:50:57:39:65:22:db:
+ 95:22:e4:5c:19:3c:53:0d:ce:e5:bb:df:5c:d6:77:96:f8:b4:
+ a2:63:b2:21:15:36:e7:3c:5f:b4:01:b8:aa:db:2e:bf:d3:fd:
+ a4:35
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/t/data/smime/keys/demoCA/index.txt b/t/data/smime/keys/demoCA/index.txt
index 90146c6..14a223c 100644
--- a/t/data/smime/keys/demoCA/index.txt
+++ b/t/data/smime/keys/demoCA/index.txt
@@ -1,2 +1,3 @@
V 230828214107Z 8A6ACD51BE94A015 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Enoch Root/emailAddress=root at example.com
V 230828214145Z 8A6ACD51BE94A016 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=sender/emailAddress=sender at example.com
+V 270905095421Z 8A6ACD51BE94A017 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=altuser
diff --git a/t/data/smime/keys/demoCA/serial b/t/data/smime/keys/demoCA/serial
index 7c39862..6376d1b 100644
--- a/t/data/smime/keys/demoCA/serial
+++ b/t/data/smime/keys/demoCA/serial
@@ -1 +1 @@
-8A6ACD51BE94A017
+8A6ACD51BE94A018
diff --git a/t/mail/smime/subjectaltname.t b/t/mail/smime/subjectaltname.t
new file mode 100644
index 0000000..a1d6e2e
--- /dev/null
+++ b/t/mail/smime/subjectaltname.t
@@ -0,0 +1,100 @@
+use strict;
+use warnings;
+
+use RT::Test::SMIME tests => undef;
+my $test = 'RT::Test::SMIME';
+
+use IPC::Run3 'run3';
+use String::ShellQuote 'shell_quote';
+use RT::Tickets;
+use Test::Warn;
+
+# configure key for General queue
+RT::Test::SMIME->import_key('sender at example.com');
+my $queue = RT::Test->load_or_create_queue(
+ Name => 'General',
+ CorrespondAddress => 'sender at example.com',
+ CommentAddress => 'sender at example.com',
+);
+ok $queue && $queue->id, 'loaded or created queue';
+
+# Make sure the new user can create tickets
+my $everyone;
+{
+ $everyone = RT::Group->new( $RT::SystemUser );
+ $everyone->LoadSystemInternalGroup('Everyone');
+ ok $everyone->id, "loaded 'everyone' group";
+}
+RT::Test->set_rights(
+ Principal => $everyone,
+ Right => ['CreateTicket'],
+);
+
+# Generate a signed message
+my $buf = '';
+run3(
+ shell_quote(
+ RT->Config->Get('SMIME')->{'OpenSSL'},
+ qw( smime -sign -passin pass:123456),
+ -signer => $test->key_path('altuser at example.com.crt'),
+ -inkey => $test->key_path('altuser at example.com.key'),
+ ),
+ \"Content-type: text/plain\n\nThis is the body",
+ \$buf,
+ \*STDERR
+);
+$buf = "Subject: Signed email\n"
+ . "From: altuser\@example.com\n"
+ . $buf;
+
+my $send_mail = sub {
+ my %args = ( CAPath => undef, @_ );
+
+ RT->Config->Get('SMIME')->{$_} = $args{$_} for keys %args;
+
+ my ($status, $tid) = RT::Test->send_via_mailgate( $buf );
+
+ my $tick = RT::Ticket->new( $RT::SystemUser );
+ $tick->Load( $tid );
+ ok( $tick->Id, "found ticket " . $tick->Id );
+ is( $tick->Subject, 'Signed email',
+ "Created the ticket"
+ );
+
+ my $txn = $tick->Transactions->First;
+ my ($msg, $attach, $orig) = @{$txn->Attachments->ItemsArrayRef};
+
+ ($status) = RT::Crypt->ParseStatus(
+ Protocol => 'SMIME',
+ Status => $msg->GetHeader('X-RT-SMIME-Status')
+ );
+
+ return ($msg, $status);
+};
+
+# Test with no CA path; should not be marked as signed
+warning_like {
+ my ($msg, $status) = $send_mail->( CAPath => undef );
+ is( $msg->GetHeader('X-RT-Incoming-Signature'),
+ undef,
+ "Message was not marked as signed"
+ );
+
+ is($status->{Operation}, "Verify", "Found the Verify operation");
+ is($status->{Status}, "BAD", "Verify was a failure");
+ is($status->{Trust}, "NONE", "Noted the no trust level");
+ like($status->{Message}, qr/not trusted/, "Verify was a failure");
+} qr/Failure during SMIME verify: The signing CA was not trusted/;
+
+# Test with the correct CA path; marked as signed, trusted
+{
+ my ($msg, $status) = $send_mail->( CAPath => $test->key_path . "/demoCA/cacert.pem" );
+ is( $msg->GetHeader('X-RT-Incoming-Signature'),
+ '"altuser" <altuser at example.com>', "Message is signed" );
+
+ is($status->{Operation}, "Verify", "Found the Verify operation");
+ is($status->{Status}, "DONE", "Verify was a success");
+ is($status->{Trust}, "FULL", "Noted the full trust level");
+}
+
+done_testing;
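Review bot: The `openssl smime` command at lines 341–351 is assembled into one string by `shell_quote` and passed to `run3` as a scalar, which means it is executed through the shell; `run3` also accepts an array reference and then runs the program directly, so `shell_quote(` on line 342 and the matching `),` on line 347 can become `[` and `],` and the `String::ShellQuote` import on line 314 goes away (keep the string form only if the sibling SMIME tests deliberately share it). `$attach` and `$orig` at line 371 are never used, so `my ($msg) = @{$txn->Attachments->ItemsArrayRef};` states what is meant. Lines 390 and 392 both carry the description "Verify was a failure"; give the `like` its own, e.g. `"Message names the untrusted CA"`, so a failure report points at the right assertion.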