[Rt-commit] rt branch, 4.4/smime-send-other-certs, created. rt-4.4.2-69-gd16f96695

sunnavy sunnavy at bestpractical.com
Fri Feb 2 10:34:07 EST 2018


The branch, 4.4/smime-send-other-certs has been created
        at  d16f96695a217546618250e87440abad7976ab97 (commit)

- Log -----------------------------------------------------------------
commit d16f96695a217546618250e87440abad7976ab97
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Feb 2 22:28:39 2018 +0800

    OtherCertificatesToSend option for SMIME

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 4ef8f0979..784cc9d55 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2913,6 +2913,9 @@ Set C<Passphrase> to a scalar (to use for all keys), an anonymous
 function, or a hash (to look up by address).  If the hash is used, the
 '' key is used as a default.
 
+Set C<OtherCertificatesToSend> to path to a PEM-formatted certificate file.
+Certificates in the file will be include in outgoing signed emails.
+
 See L<RT::Crypt::SMIME> for details.
 
 =back
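Review bot: The two added POD lines have grammar slips: "to path to" should read "to the path to", and "will be include" should be "will be included". Since this text is what administrators see first in RT_Config.pm, it would also help to say here that the option is optional and only affects messages RT signs, rather than leaving that to the RT::Crypt::SMIME page.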
@@ -2926,6 +2929,7 @@ Set( %SMIME,
     CAPath => undef,
     AcceptUntrustedCAs => undef,
     Passphrase => undef,
+    OtherCertificatesToSend => undef,
 );
 
 =head2 GnuPG configuration
diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index 244f0aad5..ae5ccf637 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -81,6 +81,7 @@ You should start from reading L<RT::Crypt>.
             'queue.address at example.com' => 'passphrase',
             '' => 'fallback',
         },
+        OtherCertificatesToSend => '/opt/rt4/var/data/smime/other-certs.pem',
     );
 
 =head3 OpenSSL
@@ -119,6 +120,14 @@ C<Passphrase> may be set to a scalar (to use for all keys), an anonymous
 function, or a hash (to look up by address).  If the hash is used, the
 '' key is used as a default.
 
+=head3 OtherCertificatesToSend
+
+C<OtherCertificatesToSend> is a path to a PEM-formatted certificate file.
+Certificates in the file will be include in outgoing signed emails.
+
+Depending on use cases, you might need to include a chain of certificates so
+receiving agents can verify. CA could also be included here.
+
 =head2 Keyring configuration
 
 RT looks for keys in the directory configured in the L</Keyring> option
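Review bot: The last added paragraph does not say what receiving agents are verifying or which certificates belong in the file. Something like "include the intermediate certificates that chain the signing certificate to its CA so receiving agents can verify the signature" would be clearer, and "CA could also be included here" should say whether that means the CA certificate. The sentence above it repeats the "will be include" typo from RT_Config.pm.in ("included"). It would also help to state that the file must be readable by the user RT runs as.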
@@ -216,6 +225,7 @@ sub SignEncrypt {
         Sign => 1,
         Signer => undef,
         Passphrase => undef,
+        OtherCertificatesToSend => undef,
 
         Encrypt => 1,
         Recipients => undef,
@@ -280,6 +290,7 @@ sub _SignEncrypt {
         Sign => 1,
         Signer => undef,
         Passphrase => undef,
+        OtherCertificatesToSend => undef,
 
         Encrypt => 1,
         Recipients => [],
@@ -351,10 +362,12 @@ sub _SignEncrypt {
         $args{'Passphrase'} = $self->GetPassphrase( Address => $args{'Signer'} )
             unless defined $args{'Passphrase'};
 
+        $args{OtherCertificatesToSend} //= $opts->{OtherCertificatesToSend};
         push @commands, [
             $self->OpenSSLPath, qw(smime -sign),
             -signer => $file,
             -inkey  => $file,
+            $args{OtherCertificatesToSend} ? ( -certfile => $args{OtherCertificatesToSend} ) : (),
             (defined $args{'Passphrase'} && length $args{'Passphrase'})
                 ? (qw(-passin env:SMIME_PASS))
                 : (),
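Review bot: Nothing checks that the configured file exists and is readable before it is handed to openssl in the added `-certfile` line, so a mistyped path will only show up as a failed `openssl smime -sign` when RT tries to sign outgoing mail. Consider testing `-r $args{OtherCertificatesToSend}` first and logging a clear error (or skipping the option) when the check fails. Two smaller points: the truth test silently drops a defined-but-false value, where the `defined ... && length ...` form used for Passphrase just below would be more consistent, and the new hash key is unquoted while the neighbouring lines write `$args{'Passphrase'}`.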

-----------------------------------------------------------------------

