[Rt-commit] rt branch 5.0/openssl3 created. rt-5.0.3-125-g0a083afab9

BPS Git Server git at git.bestpractical.com
Fri Oct 7 15:27:57 UTC 2022


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/openssl3 has been created
        at  0a083afab9ef313e6b49af173dd8adf51c8a6a27 (commit)

- Log -----------------------------------------------------------------
commit 0a083afab9ef313e6b49af173dd8adf51c8a6a27
Author: Brian Conry <bconry at bestpractical.com>
Date:   Wed Jul 20 08:26:37 2022 -0500

    Allow selection of SSL providers with SMIME
    
    This change allows the set of providers to be specified for OpenSSL for
    use with the main SMIME operations.
    
    This is needed when a non-default provider is desired, such as when
    using OpenSSL 3 and needing to validate certificates using deprecated
    algorithms.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index bd9c001d28..8fc4a05ca2 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -4011,6 +4011,12 @@ Set C<Passphrase> to a scalar (to use for all keys), an anonymous
 function, or a hash (to look up by address).  If the hash is used, the
 '' key is used as a default.
 
+Set C<Providers> to a list of cryptographic providers to use. Intended for use
+with OpenSSL 3 and should be left empty for all earlier versions. With OpenSSL
+3, when empty only the library default will be used (subject to system
+configuration). If adding another provider, such as 'legacy', the default will
+not be available unless also explicitly added (this is OpenSSL's behavior).
+
 Set C<OtherCertificatesToSend> to path to a PEM-formatted certificate file.
 Certificates in the file will be include in outgoing signed emails.
 
@@ -4037,6 +4043,7 @@ Set( %SMIME,
     CAPath => undef,
     AcceptUntrustedCAs => undef,
     Passphrase => undef,
+    Providers => [],
     OtherCertificatesToSend => undef,
     CheckCRL => 0,
     CheckOCSP => 0,
diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index 3b20cff3de..382bbe5276 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -390,6 +390,8 @@ sub _SignEncrypt {
 
     my $opts = RT->Config->Get('SMIME');
 
+    my @providers = map { ( '-provider', $_ ) } @{ $opts->{'Providers'} };
+
     my @commands;
     if ( $args{'Sign'} ) {
         my $file = $self->CheckKeyring( Key => $args{'Signer'}, For => 'Signing' );
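Review bot: The new `@{ $opts->{'Providers'} }` dies under strict refs with "Can't use an undefined value as an ARRAY reference" whenever the key is missing, which is exactly the case for an existing RT_SiteConfig that sets `%SMIME` wholesale without the new key; guard it with `my @providers = map { ( '-provider', $_ ) } @{ $opts->{'Providers'} // [] };`. The identical line is repeated in the Verify and _Decrypt hunks below, so the same guard is needed there, or better, the three copies should be one private helper (say `_ProviderArgs`) returning the `-provider` pairs, so the undef handling lives in one place. _SignEncrypt begins and ends outside this hunk.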
@@ -408,7 +410,10 @@ sub _SignEncrypt {
 
         $args{OtherCertificatesToSend} //= $opts->{OtherCertificatesToSend};
         push @commands, [
-            $self->OpenSSLPath, qw(smime -sign),
+            $self->OpenSSLPath,
+            'smime',
+            @providers,
+            '-sign',
             -signer => $file,
             -inkey  => $file,
             $args{OtherCertificatesToSend} ? ( -certfile => $args{OtherCertificatesToSend} ) : (),
@@ -488,13 +493,20 @@ sub Verify {
 
     my $msg = $args{'Data'}->as_string;
 
+    my $opts = RT->Config->Get('SMIME');
+
+    my @providers = map { ( '-provider', $_ ) } @{ $opts->{'Providers'} };
+
     my %res;
     my $buf;
     my $keyfh = File::Temp->new;
     {
         local $SIG{CHLD} = 'DEFAULT';
         my $cmd = [
-            $self->OpenSSLPath, qw(smime -verify -noverify),
+            $self->OpenSSLPath,
+            'smime',
+            @providers,
+            qw(-verify -noverify),
             '-signer', $keyfh->filename,
         ];
         safe_run_child { run3( $cmd, \$msg, \$buf, \$res{'stderr'} ) };
@@ -526,7 +538,7 @@ sub Verify {
         $signer = $info{info}[0];
         last unless $signer and $signer->{User}[0]{String};
 
-        unless ( $info{info}[0]{TrustLevel} > 0 or RT->Config->Get('SMIME')->{AcceptUntrustedCAs}) {
+        unless ( $info{info}[0]{TrustLevel} > 0 or $opts->{AcceptUntrustedCAs}) {
             # We don't trust it; give it the finger
             $res{exit_code} = 1;
             $res{'message'} = "Validation failed";
@@ -647,12 +659,16 @@ sub _Decrypt {
         grep !$seen{lc $_}++, map $_->address, map Email::Address->parse($_),
         grep length && defined, @{$args{'Recipients'}};
 
+    my $opts = RT->Config->Get('SMIME');
+
+    my @providers = map { ( '-provider', $_ ) } @{ $opts->{'Providers'} };
+
     my ($buf, $encrypted_to, %res);
 
     foreach my $address ( @addresses ) {
         my $file = $self->CheckKeyring( Key => $address, For => 'Encryption' );
         unless ( $file ) {
-            my $keyring = RT->Config->Get('SMIME')->{'Keyring'};
+            my $keyring = $opts->{'Keyring'};
             $RT::Logger->debug("No key found for $address in $keyring directory");
             next;
         }
@@ -661,7 +677,9 @@ sub _Decrypt {
         local $SIG{CHLD} = 'DEFAULT';
         my $cmd = [
             $self->OpenSSLPath,
-            qw(smime -decrypt),
+            'smime',
+            @providers,
+            '-decrypt',
             -recip => $file,
             (defined $ENV{'SMIME_PASS'} && length $ENV{'SMIME_PASS'})
                 ? (qw(-passin env:SMIME_PASS))
diff --git a/t/mail/smime/realmail.t b/t/mail/smime/realmail.t
index 6676de5f2e..a5e3973747 100644
--- a/t/mail/smime/realmail.t
+++ b/t/mail/smime/realmail.t
@@ -4,6 +4,22 @@ use warnings;
 use RT::Test::Crypt SMIME => 1, tests => undef;
 use Digest::MD5 qw(md5_hex);
 
+use IPC::Run3 0.036 'run3';
+use RT::Util 'safe_run_child';
+
+{
+    my ($in,$out,$err) = ('','','');
+
+    safe_run_child { run3(
+        [ RT::Crypt::SMIME::OpenSSLPath(), 'version' ],
+        \$in, \$out, \$err,
+    ) };
+
+    if ($out =~ / 3/) {
+        push @{ RT->Config->Get('SMIME')->{Providers} }, 'default', 'legacy';
+    }
+}
+
 my $test = 'RT::Test::Crypt';
 my $mails = $test->smime_mail_set_path;
 

-----------------------------------------------------------------------

