[Rt-commit] rt branch, 4.4-trunk, updated. rt-4.4.4-139-g69bfd11c84
Jim Brandt
jbrandt at bestpractical.com
Wed Sep 2 14:54:12 EDT 2020
The branch, 4.4-trunk has been updated
via 69bfd11c84eb860d0c6f10aead91e5e91fe11f25 (commit)
via 5857fdf9f92fcb914560a6d1a17ad9f68378c159 (commit)
via b47c88327557c63aec2721f8fb3b1ea80d33ca43 (commit)
from f336a221215cc624c0a3ae21638d34e414900141 (commit)
Summary of changes:
etc/RT_Config.pm.in | 4 +++
lib/RT/Crypt/SMIME.pm | 13 ++++++++++
t/crypt/smime/other-certs.t | 62 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 79 insertions(+)
create mode 100644 t/crypt/smime/other-certs.t
- Log -----------------------------------------------------------------
commit b47c88327557c63aec2721f8fb3b1ea80d33ca43
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Feb 2 22:28:39 2018 +0800
OtherCertificatesToSend option for SMIME
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 44e8ce56d1..f8f7866c02 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -3057,6 +3057,9 @@ Set C<Passphrase> to a scalar (to use for all keys), an anonymous
function, or a hash (to look up by address). If the hash is used, the
'' key is used as a default.
+Set C<OtherCertificatesToSend> to path to a PEM-formatted certificate file.
+Certificates in the file will be include in outgoing signed emails.
+
See L<RT::Crypt::SMIME> for details.
=back
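Review bot: The second added line of this POD hunk reads `Certificates in the file will be include in outgoing signed emails.` and should be `Certificates in the file will be included in outgoing signed emails.`; the identical sentence appears again in the `=head3 OtherCertificatesToSend` hunk of lib/RT/Crypt/SMIME.pm and needs the same fix. The option's name does not say what the file is for, so one sentence of guidance would help administrators, e.g. `This is typically used for the intermediate certificate(s) that chain the signer's certificate to a trusted root, so receiving agents can build the chain.` In the SMIME.pm hunk the sentence `CA could also be included here.` is ambiguous about what "CA" refers to; `The CA certificate itself may also be included.` is presumably the intent.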
@@ -3070,6 +3073,7 @@ Set( %SMIME,
CAPath => undef,
AcceptUntrustedCAs => undef,
Passphrase => undef,
+ OtherCertificatesToSend => undef,
);
=head2 GnuPG configuration
diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index 4075b8f95b..5ea826327c 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -81,6 +81,7 @@ You should start from reading L<RT::Crypt>.
'queue.address at example.com' => 'passphrase',
'' => 'fallback',
},
+ OtherCertificatesToSend => '/opt/rt4/var/data/smime/other-certs.pem',
);
=head3 OpenSSL
@@ -119,6 +120,14 @@ C<Passphrase> may be set to a scalar (to use for all keys), an anonymous
function, or a hash (to look up by address). If the hash is used, the
'' key is used as a default.
+=head3 OtherCertificatesToSend
+
+C<OtherCertificatesToSend> is a path to a PEM-formatted certificate file.
+Certificates in the file will be include in outgoing signed emails.
+
+Depending on use cases, you might need to include a chain of certificates so
+receiving agents can verify. CA could also be included here.
+
=head2 Keyring configuration
RT looks for keys in the directory configured in the L</Keyring> option
@@ -216,6 +225,7 @@ sub SignEncrypt {
Sign => 1,
Signer => undef,
Passphrase => undef,
+ OtherCertificatesToSend => undef,
Encrypt => 1,
Recipients => undef,
@@ -280,6 +290,7 @@ sub _SignEncrypt {
Sign => 1,
Signer => undef,
Passphrase => undef,
+ OtherCertificatesToSend => undef,
Encrypt => 1,
Recipients => [],
@@ -351,10 +362,12 @@ sub _SignEncrypt {
$args{'Passphrase'} = $self->GetPassphrase( Address => $args{'Signer'} )
unless defined $args{'Passphrase'};
+ $args{OtherCertificatesToSend} //= $opts->{OtherCertificatesToSend};
push @commands, [
$self->OpenSSLPath, qw(smime -sign),
-signer => $file,
-inkey => $file,
+ $args{OtherCertificatesToSend} ? ( -certfile => $args{OtherCertificatesToSend} ) : (),
(defined $args{'Passphrase'} && length $args{'Passphrase'})
? (qw(-passin env:SMIME_PASS))
: (),
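Review bot: The path taken from `$args{OtherCertificatesToSend}` (falling back via `//=` to `$opts->{OtherCertificatesToSend}`) is handed to openssl as `-certfile` without any check that the file exists or is readable, so a mistyped configuration path only shows up as an openssl failure at signing time, with no mention of which path was wrong. Testing `-r $args{OtherCertificatesToSend}` before the `push @commands` and reporting the offending path in the error would make that misconfiguration diagnosable; `_SignEncrypt` and `$opts` are both declared outside the hunk, so where that error is logged or returned has to follow the surrounding error handling. Since the command is built as a list (`push @commands, [ ... ]`) no shell is involved and the path needs no quoting. A one-line comment such as `# extra certs (e.g. the intermediate chain) to bundle into the PKCS#7 signature` on the `-certfile` line would save the next reader a trip to the openssl manual.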
commit 5857fdf9f92fcb914560a6d1a17ad9f68378c159
Author: sunnavy <sunnavy at bestpractical.com>
Date: Sat Feb 3 01:21:54 2018 +0800
tests OtherCertificatesToSend option
diff --git a/t/crypt/smime/other-certs.t b/t/crypt/smime/other-certs.t
new file mode 100644
index 0000000000..1b4407586b
--- /dev/null
+++ b/t/crypt/smime/other-certs.t
@@ -0,0 +1,62 @@
+use strict;
+use warnings;
+
+use RT::Test::SMIME tests => undef;
+use IPC::Run3 'run3';
+
+RT::Test::SMIME->import_key( 'sender at example.com' );
+
+diag "No OtherCertificatesToSend";
+
+my $mime = MIME::Entity->build(
+ From => 'sender at example.com',
+ Type => 'text/plain',
+ Data => ["this is body\n"],
+);
+
+RT::Crypt::SMIME->SignEncrypt( Entity => $mime, Signer => 'sender at example.com', Sign => 1, Encrypt => 0 );
+
+my ( $pk7, $err, $cert );
+run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(smime -pk7out) ], \$mime->as_string, \$pk7, \$err );
+ok( $pk7, 'got pk7 signature' );
+ok( !$err, 'no errors' );
+
+run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(pkcs7 -print_certs -text) ], \$pk7, \$cert, \$err );
+ok( $cert, 'got cert' );
+ok( !$err, 'no errors' );
+
+chomp $cert;
+open my $fh, '<', RT::Test::SMIME->key_path( 'sender at example.com.crt' ) or die $!;
+my $sender_cert = do { local $/; <$fh> };
+is( $cert, $sender_cert, 'cert is the same one' );
+
+diag "Has OtherCertificatesToSend";
+
+RT->Config->Get( 'SMIME' )->{OtherCertificatesToSend} = RT::Test::SMIME->key_path( 'demoCA', 'cacert.pem' );
+
+$mime = MIME::Entity->build(
+ From => 'sender at example.com',
+ Type => 'text/plain',
+ Data => ["this is body\n"],
+);
+
+RT::Crypt::SMIME->SignEncrypt( Entity => $mime, Signer => 'sender at example.com', Sign => 1, Encrypt => 0 );
+
+run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(smime -pk7out) ], \$mime->as_string, \$pk7, \$err );
+ok( $pk7, 'got pk7 signature' );
+ok( !$err, 'no errors' );
+
+run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(pkcs7 -print_certs -text) ], \$pk7, \$cert, \$err );
+ok( $cert, 'got cert' );
+ok( !$err, 'no errors' );
+
+chomp $cert;
+my @certs = split /\n(?=Certificate:)/, $cert;
+is( scalar @certs, 2, 'found 2 certs' );
+
+open $fh, '<', RT::Test::SMIME->key_path( 'demoCA', 'cacert.pem' ) or die $!;
+my $ca_cert = do { local $/; <$fh> };
+is( $certs[0], $ca_cert, 'got ca cert' );
+is( $certs[1], $sender_cert, 'got sender cert' );
+
+done_testing;
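Review bot: The test confirms the CA certificate lands in the PKCS#7 bundle but never checks that the signed message still verifies, which is the stated purpose of the option (the POD says the chain is there so receiving agents can verify). After the second `SignEncrypt`, a third `run3( [ RT::Crypt::SMIME->OpenSSLPath, qw(smime -verify -CAfile), RT::Test::SMIME->key_path( 'demoCA', 'cacert.pem' ) ], \$mime->as_string, \my $verified, \$err )` followed by `ok( !$err, 'signed message verifies against bundled CA' )` would cover that, presuming the sender fixture was issued by demoCA as the existing `cacert.pem` comparison suggests. Both `open ... or die $!` calls drop the path from the failure message; `or die "open $path: $!"` is the usual form, and the first `$fh` is silently reused by the second `open` without a `close`, which works but reads as accidental. Assigning into `RT->Config->Get( 'SMIME' )->{OtherCertificatesToSend}` mutates the live config hash; that is fine in a single-process test but deserves a comment saying it is deliberate.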
commit 69bfd11c84eb860d0c6f10aead91e5e91fe11f25
Merge: f336a22121 5857fdf9f9
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Wed Sep 2 14:40:51 2020 -0400
Merge branch '4.4/smime-send-other-certs' into 4.4-trunk
-----------------------------------------------------------------------