[Rt-commit] rt branch 5.0/openssl3 created. rt-5.0.3-24-gf6d535b087
BPS Git Server
git at git.bestpractical.com
Wed Jul 20 14:57:50 UTC 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".
The branch, 5.0/openssl3 has been created
at f6d535b08736112e174d6d49f59538bd2273378c (commit)
- Log -----------------------------------------------------------------
commit f6d535b08736112e174d6d49f59538bd2273378c
Author: Brian Conry <bconry at bestpractical.com>
Date: Wed Jul 20 08:26:37 2022 -0500
Allow selection of SSL providers with SMIME
This change allows the set of providers to be specified for OpenSSL for
use with the main SMIME operations.
This is needed when a non-default provider is desired, such as when
using OpenSSL 3 and needing to validate certificates using deprecated
algorithms.
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index c6320ac8c5..8576ab8917 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -3999,6 +3999,10 @@ Set C<Passphrase> to a scalar (to use for all keys), an anonymous
function, or a hash (to look up by address). If the hash is used, the
'' key is used as a default.
+Set C<Providers> to a list of cryptographic providers to use. If empty only
+the library default will be used. If adding another provider, such as
+'legacy', the default will not be available unless also explicitly added.
+
Set C<OtherCertificatesToSend> to path to a PEM-formatted certificate file.
Certificates in the file will be include in outgoing signed emails.
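Review bot: The new paragraph does not say how `Providers` reaches openssl or which versions understand it; the entries are emitted as `-provider NAME` arguments, which only OpenSSL 3.x accepts, so a non-empty list on an older OpenSSL makes every smime invocation fail with an unknown-option error. Add a sentence such as `Provider names are passed verbatim to openssl as C<-provider> options and require OpenSSL 3 or later; leave the list empty on older versions.` It would also help the administrator to say that adding 'legacy' re-enables deprecated algorithms for signing, verification and decryption, which widens the set of signatures RT will accept and so should be a deliberate choice.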
@@ -4025,6 +4029,7 @@ Set( %SMIME,
CAPath => undef,
AcceptUntrustedCAs => undef,
Passphrase => undef,
+ Providers => [],
OtherCertificatesToSend => undef,
CheckCRL => 0,
CheckOCSP => 0,
diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index 3b20cff3de..382bbe5276 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -390,6 +390,8 @@ sub _SignEncrypt {
my $opts = RT->Config->Get('SMIME');
+ my @providers = map { ( '-provider', $_ ) } @{ $opts->{'Providers'} };
+
my @commands;
if ( $args{'Sign'} ) {
my $file = $self->CheckKeyring( Key => $args{'Signer'}, For => 'Signing' );
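Review bot: `@{ $opts->{'Providers'} }` on the added line dereferences the config value with no fallback, so if a site-level `%SMIME` is in effect that lacks the new key the rvalue deref of undef dies under strict refs instead of degrading to "no providers"; the same pattern is repeated in the Verify and _Decrypt hunks. Defaulting inline keeps all three tolerant and the file already uses defined-or: `my @providers = map { ( '-provider', $_ ) } @{ $opts->{'Providers'} // [] };`. Whether an existing site config can actually leave the key absent depends on how RT merges the %SMIME defaults, which is not visible here. Passing the list to run3 as an array element rather than a string means provider names are never shell-interpreted, which is the right shape. _SignEncrypt begins outside the hunk.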
@@ -408,7 +410,10 @@ sub _SignEncrypt {
$args{OtherCertificatesToSend} //= $opts->{OtherCertificatesToSend};
push @commands, [
- $self->OpenSSLPath, qw(smime -sign),
+ $self->OpenSSLPath,
+ 'smime',
+ @providers,
+ '-sign',
-signer => $file,
-inkey => $file,
$args{OtherCertificatesToSend} ? ( -certfile => $args{OtherCertificatesToSend} ) : (),
@@ -488,13 +493,20 @@ sub Verify {
my $msg = $args{'Data'}->as_string;
+ my $opts = RT->Config->Get('SMIME');
+
+ my @providers = map { ( '-provider', $_ ) } @{ $opts->{'Providers'} };
+
my %res;
my $buf;
my $keyfh = File::Temp->new;
{
local $SIG{CHLD} = 'DEFAULT';
my $cmd = [
- $self->OpenSSLPath, qw(smime -verify -noverify),
+ $self->OpenSSLPath,
+ 'smime',
+ @providers,
+ qw(-verify -noverify),
'-signer', $keyfh->filename,
];
safe_run_child { run3( $cmd, \$msg, \$buf, \$res{'stderr'} ) };
@@ -526,7 +538,7 @@ sub Verify {
$signer = $info{info}[0];
last unless $signer and $signer->{User}[0]{String};
- unless ( $info{info}[0]{TrustLevel} > 0 or RT->Config->Get('SMIME')->{AcceptUntrustedCAs}) {
+ unless ( $info{info}[0]{TrustLevel} > 0 or $opts->{AcceptUntrustedCAs}) {
# We don't trust it; give it the finger
$res{exit_code} = 1;
$res{'message'} = "Validation failed";
@@ -647,12 +659,16 @@ sub _Decrypt {
grep !$seen{lc $_}++, map $_->address, map Email::Address->parse($_),
grep length && defined, @{$args{'Recipients'}};
+ my $opts = RT->Config->Get('SMIME');
+
+ my @providers = map { ( '-provider', $_ ) } @{ $opts->{'Providers'} };
+
my ($buf, $encrypted_to, %res);
foreach my $address ( @addresses ) {
my $file = $self->CheckKeyring( Key => $address, For => 'Encryption' );
unless ( $file ) {
- my $keyring = RT->Config->Get('SMIME')->{'Keyring'};
+ my $keyring = $opts->{'Keyring'};
$RT::Logger->debug("No key found for $address in $keyring directory");
next;
}
@@ -661,7 +677,9 @@ sub _Decrypt {
local $SIG{CHLD} = 'DEFAULT';
my $cmd = [
$self->OpenSSLPath,
- qw(smime -decrypt),
+ 'smime',
+ @providers,
+ '-decrypt',
-recip => $file,
(defined $ENV{'SMIME_PASS'} && length $ENV{'SMIME_PASS'})
? (qw(-passin env:SMIME_PASS))
diff --git a/t/mail/smime/realmail.t b/t/mail/smime/realmail.t
index 6676de5f2e..575dbef191 100644
--- a/t/mail/smime/realmail.t
+++ b/t/mail/smime/realmail.t
@@ -4,6 +4,8 @@ use warnings;
use RT::Test::Crypt SMIME => 1, tests => undef;
use Digest::MD5 qw(md5_hex);
+push @{ RT->Config->Get('SMIME')->{Providers} }, 'default', 'legacy';
+
my $test = 'RT::Test::Crypt';
my $mails = $test->smime_mail_set_path;
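Review bot: The push of 'default' and 'legacy' on the added line is unconditional, so the test now hands `-provider` options to openssl whatever version is installed, and on OpenSSL 1.1.x those options are rejected and every smime call in this file fails. Guard the push on the detected OpenSSL major version (for example by parsing the output of `openssl version` from the configured path) or skip the test when providers are unsupported. A second pass without the legacy provider would also keep the default-only behaviour covered, since this change means the realmail fixtures are only ever exercised with the wider provider set.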
commit b6e8f92eaec487ecb6940d96654ef92963ae3a34
Author: Brian Conry <bconry at bestpractical.com>
Date: Wed Jul 20 08:06:22 2022 -0500
Make github actions prove recursively
Previously the github actions were not operating recursively, causing
some tests to be missed in the automated testing.
diff --git a/.github/workflows/github-action.yml b/.github/workflows/github-action.yml
index f706368ad6..b6f0c814ca 100644
--- a/.github/workflows/github-action.yml
+++ b/.github/workflows/github-action.yml
@@ -29,7 +29,7 @@ jobs:
docker exec rt bash -c "cd /rt && ./configure.ac --with-db-type=SQLite --with-my-user-group --enable-layout=inplace --enable-developer --enable-externalauth --enable-gpg --enable-smime && mkdir -p /rt/var && make testdeps"
- name: Run RT tests
shell: bash
- run: docker exec -e RT_TEST_PARALLEL=1 rt bash -c "cd /rt && prove -lj6 t/*"
+ run: docker exec -e RT_TEST_PARALLEL=1 rt bash -c "cd /rt && prove -rlj6 t/"
- name: Get run time
shell: bash
run: |
@@ -85,7 +85,7 @@ jobs:
RT_DBA_PASSWORD: password
DB_VERSION_TAG: 10.3
shell: bash
- run: docker exec -e RT_TEST_PARALLEL=1 -e RT_DBA_USER=root -e RT_DBA_PASSWORD=password rt bash -c "cd /rt && prove -lj6 t/*"
+ run: docker exec -e RT_TEST_PARALLEL=1 -e RT_DBA_USER=root -e RT_DBA_PASSWORD=password rt bash -c "cd /rt && prove -rlj6 t/"
- name: Get run time
shell: bash
run: |
@@ -146,7 +146,7 @@ jobs:
RT_TEST_APACHE: /usr/sbin/apache2
RT_TEST_APACHE_MODULES: /usr/lib/apache2/modules
shell: bash
- run: docker exec -e RT_TEST_PARALLEL=1 -e RT_DBA_USER=postgres -e RT_DBA_PASSWORD=password -u rt-user rt bash -c "cd /rt && prove -lj6 t/*"
+ run: docker exec -e RT_TEST_PARALLEL=1 -e RT_DBA_USER=postgres -e RT_DBA_PASSWORD=password -u rt-user rt bash -c "cd /rt && prove -rlj6 t/"
- name: Get run time
shell: bash
run: |
commit 501db9b3c1a5f407ed94716a5e54fd5be3c8fcc4
Author: Brian Conry <bconry at bestpractical.com>
Date: Tue Jul 19 16:41:09 2022 -0500
Temporary Dockerfile Changes
This change contains temporary changes to Dockerfile to allow testing
with OpenSSL 3.
It is intended that this can be removed/changed once we have published
an image based on Debian Bookworm.
diff --git a/Dockerfile b/Dockerfile
index e14f34877b..7a557cdf83 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,162 @@
# This Dockerfile is for testing only.
-FROM bpssysadmin/rt-base-debian-stretch
+#FROM bpssysadmin/rt-base:bookworm
+FROM debian:bookworm-slim
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ apache2 \
+ cpanminus \
+ curl \
+ gcc \
+ gnupg \
+ vim \
+ git \
+ # RT core dependencies
+ libapache2-mod-fcgid \
+ libapache-session-perl \
+ libbusiness-hours-perl \
+ libc-dev \
+ libcgi-emulate-psgi-perl \
+ libcgi-psgi-perl \
+ libconvert-color-perl \
+ libcrypt-eksblowfish-perl \
+ libcrypt-ssleay-perl \
+ libcrypt-x509-perl \
+ libcss-minifier-xs-perl \
+ libcss-squish-perl \
+ libdata-guid-perl \
+ libdata-ical-perl \
+ libdata-page-pageset-perl \
+ libdata-page-perl \
+ libdate-extract-perl \
+ libdate-manip-perl \
+ libdatetime-format-natural-perl \
+ libdbd-sqlite3-perl \
+ libdevel-globaldestruction-perl \
+ libemail-address-list-perl \
+ libemail-address-perl \
+ libencode-perl \
+ libfcgi-perl \
+ libfcgi-procmanager-perl \
+ libfile-sharedir-install-perl \
+ libfile-sharedir-perl \
+ libgd-graph-perl \
+ libgraphviz-perl \
+ libhtml-formattext-withlinks-andtables-perl \
+ libhtml-formattext-withlinks-perl \
+ libhtml-mason-perl \
+ libhtml-mason-psgihandler-perl \
+ libhtml-quoted-perl \
+ libhtml-rewriteattributes-perl \
+ libhtml-scrubber-perl \
+ libipc-run3-perl \
+ libipc-signal-perl \
+ libjavascript-minifier-xs-perl \
+ libjson-perl \
+ liblocale-maketext-fuzzy-perl \
+ liblocale-maketext-lexicon-perl \
+ liblog-dispatch-perl \
+ libmailtools-perl \
+ libmime-tools-perl \
+ libmime-types-perl \
+ libmodule-refresh-perl \
+ libmodule-signature-perl \
+ libmodule-versions-report-perl \
+ libnet-cidr-perl \
+ libnet-ip-perl \
+ libparallel-forkmanager-perl \
+ libplack-perl \
+ libregexp-common-net-cidr-perl \
+ libregexp-common-perl \
+ libregexp-ipv6-perl \
+ librole-basic-perl \
+ libscope-upper-perl \
+ libserver-starter-perl \
+ libsymbol-global-name-perl \
+ libterm-readkey-perl \
+ libtext-password-pronounceable-perl \
+ libtext-quoted-perl \
+ libtext-template-perl \
+ libtext-wikiformat-perl \
+ libtext-wrapper-perl \
+ libtime-parsedate-perl \
+ libtree-simple-perl \
+ libuniversal-require-perl \
+ libxml-rss-perl \
+ make \
+ perl-doc \
+ starlet \
+ w3m \
+ # RT developer dependencies
+ libemail-abstract-perl \
+ libfile-which-perl \
+ liblocale-po-perl \
+ liblog-dispatch-perl-perl \
+ libmojolicious-perl \
+ libperlio-eol-perl \
+ libplack-middleware-test-stashwarnings-perl \
+ libset-tiny-perl \
+ libstring-shellquote-perl \
+ libtest-deep-perl \
+ libtest-email-perl \
+ libtest-expect-perl \
+ libtest-longstring-perl \
+ libtest-mocktime-perl \
+ libtest-nowarnings-perl \
+ libtest-pod-perl \
+ libtest-warn-perl \
+ libtest-www-mechanize-perl \
+ libtest-www-mechanize-psgi-perl \
+ libwww-mechanize-perl \
+ libxml-simple-perl \
+ autoconf \
+ libnet-ldap-server-test-perl \
+ libencode-hanextra-perl \
+ libgumbo1 \
+ build-essential \
+ libhtml-formatexternal-perl \
+ libtext-worddiff-perl \
+ libdbd-mysql-perl \
+ libpq-dev \
+&& rm -rf /var/lib/apt/lists/*
+
+# Install from backports to get newer gpg
+#RUN echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/backports.list
+#RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -t stretch-backports install -y --no-install-recommends \
+# gnupg \
+#&& rm -rf /var/lib/apt/lists/*
+
+RUN gpg --version
+
+RUN cpanm \
+ # RT dependencies
+ # Install Module::Install first because after perl 5.26 "." fails to find
+ # it in inc for older modules.
+ Module::Install \
+ Email::Address \
+ Email::Address::List \
+ Mozilla::CA \
+ Encode::Detect::Detector \
+ HTML::Gumbo \
+ GnuPG::Interface \
+ Module::Path \
+ Moose \
+ MooseX::NonMoose \
+ MooseX::Role::Parameterized \
+ Path::Dispatcher \
+ Web::Machine \
+ capitalization \
+ DBIx::SearchBuilder \
+ Parallel::ForkManager \
+ # DBD::Pg version 3.15 fails tests when run as root. There is a merged fix
+ DBD::Pg \
+ # RT extension development dependencies
+ ExtUtils::MakeMaker \
+ Pod::Select \
+ Test::WWW::Mechanize at 1.54 \
+&& rm -rf /root/.cpanm
+
+RUN openssl version
ENV RT_TEST_PARALLEL 1
ENV RT_TEST_DEVEL 1