(feat) added support for S/MIME opaque signing (fixes #4582)

Alinto · Aug 19, 2019 · 676d2e6 · 676d2e6
1 parent b52abfc
commit 676d2e6
Show file tree

Hide file tree

Showing 15 changed files with 568 additions and 32 deletions.
diff --git a/NEWS b/NEWS
@@ -4,6 +4,7 @@
 New features
  - [core] Debian 10 (Buster) support for x86_64 (#4775)
  - [core] now possible to specify which domains you can forward your mails to
+ - [core] added support for S/MIME opaque signing (#4582)
 
 Enhancements
  - [web] avoid saving an empty calendar name

diff --git a/SOPE/GDLContentStore/GCSFolder.m b/SOPE/GDLContentStore/GCSFolder.m
@@ -1,7 +1,7 @@
 /*
   Copyright (C) 2004-2007 SKYRIX Software AG
   Copyright (C) 2007      Helge Hess
-  Copyright (c) 2008-2014 Inverse inc.
+  Copyright (c) 2008-2019 Inverse inc.
 
   This file is part of SOGo.
 

diff --git a/SoObjects/Mailer/NSData+SMIME.h b/SoObjects/Mailer/NSData+SMIME.h
@@ -31,6 +31,8 @@
 - (NSData *) encryptUsingCertificate: (NSData *) theData;
 - (NSData *) decryptUsingCertificate: (NSData *) theData;
 - (NGMimeMessage *) messageFromEncryptedDataAndCertificate: (NSData *) theCertificate;
+- (NSData *) embeddedContent;
+- (NGMimeMessage *) messageFromOpaqueSignedData;
 - (NSData *) convertPKCS12ToPEMUsingPassword: (NSString *) thePassword;
 - (NSData *) signersFromPKCS7;
 - (NSDictionary *) certificateDescription;

diff --git a/SoObjects/Mailer/NSData+SMIME.m b/SoObjects/Mailer/NSData+SMIME.m
@@ -1,6 +1,6 @@
 /* NSData+SMIME.m - this file is part of SOGo
  *
- * Copyright (C) 2017-2018 Inverse inc.
+ * Copyright (C) 2017-2019 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -296,10 +296,86 @@ - (NGMimeMessage *) messageFromEncryptedDataAndCertificate: (NSData *) theCertif
   NGMimeMessageParser *parser;
   NGMimeMessage *message;
   NSData *decryptedData; 
+  NGMimeType *contentType;
+  NSString *type, *subtype, *smimetype;
 
   decryptedData = [self decryptUsingCertificate: theCertificate];
   parser = [[NGMimeMessageParser alloc] init];
   message = [parser parsePartFromData: decryptedData];
+
+  // Extract contents if the encrypted messages contains opaque signed data
+  contentType = [message contentType];
+  type = [[contentType type] lowercaseString];
+  subtype = [[contentType subType] lowercaseString];
+  if ([type isEqualToString: @"application"])
+    {
+      if ([subtype isEqualToString: @"x-pkcs7-mime"] ||
+          [subtype isEqualToString: @"pkcs7-mime"])
+	{
+	  smimetype = [[contentType valueOfParameter: @"smime-type"] lowercaseString];
+	  if ([smimetype isEqualToString: @"signed-data"])
+	    {
+	      message = [decryptedData messageFromOpaqueSignedData];
+	    }
+	}
+    }
+
+  RELEASE(parser);
+
+  return message;
+}
+
+- (NSData *) embeddedContent
+{
+  NSData *output = NULL;
+
+  BIO *sbio, *obio;
+  BUF_MEM *bptr;
+  PKCS7 *p7 = NULL;
+
+  sbio = BIO_new_mem_buf((void *)[self bytes], [self length]);
+
+  p7 = SMIME_read_PKCS7(sbio, NULL);
+
+  if (!p7)
+    {
+      NSLog(@"FATAL: could not read the signature");
+      goto cleanup;
+    }
+
+  // We output the S/MIME encrypted message
+  obio = BIO_new(BIO_s_mem());
+
+  if (!PKCS7_verify(p7, NULL, NULL, NULL, obio, PKCS7_NOVERIFY|PKCS7_NOSIGS))
+    {
+      NSLog(@"FATAL: could not extract content");
+      goto cleanup;
+    }
+
+  BIO_get_mem_ptr(obio, &bptr);
+
+  output = [NSData dataWithBytes: bptr->data  length: bptr->length];
+
+ cleanup:
+  PKCS7_free(p7);
+  BIO_free(sbio);
+  BIO_free(obio);
+
+  return output;
+}
+
+//
+//
+//
+- (NGMimeMessage *) messageFromOpaqueSignedData
+{
+  NGMimeMessageParser *parser;
+  NGMimeMessage *message;
+  NSData *extractedData;
+
+  extractedData = [self embeddedContent];
+  parser = [[NGMimeMessageParser alloc] init];
+  message = [parser parsePartFromData: extractedData];
   RELEASE(parser);
 
   return message;

diff --git a/SoObjects/Mailer/SOGoDraftObject.m b/SoObjects/Mailer/SOGoDraftObject.m
@@ -872,6 +872,18 @@ - (void) _fetchAttachmentsFromEncryptedMail: (SOGoMailObject *) sourceMail
 }
 
 
+//
+//
+//
+- (void) _fetchAttachmentsFromOpaqueSignedMail: (SOGoMailObject *) sourceMail
+{
+  NGMimeMessage *m;
+
+  m = [[sourceMail content] messageFromOpaqueSignedData];
+  [self _fileAttachmentsFromPart: [m body]];
+}
+
+
 //
 //
 //
@@ -1007,6 +1019,8 @@ - (void) fetchMailForForwarding: (SOGoMailObject *) sourceMail
       [self setText: [sourceMail contentForInlineForward]];
       if ([sourceMail isEncrypted])
         [self _fetchAttachmentsFromEncryptedMail: sourceMail];
+      else if ([sourceMail isOpaqueSigned])
+        [self _fetchAttachmentsFromOpaqueSignedMail: sourceMail];
       else
         [self _fetchAttachmentsFromMail: sourceMail];
     }

diff --git a/SoObjects/Mailer/SOGoMailBaseObject.m b/SoObjects/Mailer/SOGoMailBaseObject.m
@@ -197,9 +197,7 @@ - (NGImap4Connection *) _createIMAP4Connection
 - (NGImap4Connection *) imap4Connection
 {
   NSString *cacheKey, *login;
-
   SOGoCache *sogoCache;
-
 
   if (!imap4)
     {

diff --git a/SoObjects/Mailer/SOGoMailBodyPart.m b/SoObjects/Mailer/SOGoMailBodyPart.m
@@ -210,6 +210,28 @@ - (id) lookupImap4BodyPartKey: (NSString *) key
                                                inContext: localContext];
       obj = [clazz objectWithName:key inContainer: self];
     }
+  else if ([o isOpaqueSigned])
+    {
+      NGMimeMessage *m;
+      id part;
+
+      int i;
+
+      m = [[o content] messageFromOpaqueSignedData];
+      part = [m body];
+
+      for (i = 0; i < [[self bodyPartPath] count]; i++)
+        {
+          nbr = [[[self bodyPartPath] objectAtIndex: i] intValue]-1;
+          part = [[part parts] objectAtIndex: nbr];;
+        }
+
+      part = [[part parts] objectAtIndex: ([key intValue]-1)];
+      mimeType = [[part contentType] stringValue];
+      clazz = [SOGoMailBodyPart bodyPartClassForMimeType: mimeType
+                                               inContext: localContext];
+      obj = [clazz objectWithName:key inContainer: self];
+    }
   else
     {
       infos = [self partInfo];
@@ -353,6 +375,24 @@ - (NSData *) fetchBLOB
       m = [[o content] messageFromEncryptedDataAndCertificate: certificate];
       part = [m body];
 
+      for (i = 0; i < [[self bodyPartPath] count]; i++)
+        {
+          nbr = [[[self bodyPartPath] objectAtIndex: i] intValue]-1;
+          part = [[part parts] objectAtIndex: nbr];;
+        }
+
+      return [part body];
+    }
+  else if ([o isOpaqueSigned])
+    {
+      NGMimeMessage *m;
+      id part;
+
+      unsigned int i, nbr;
+
+      m = [[o content] messageFromOpaqueSignedData];
+      part = [m body];
+
       for (i = 0; i < [[self bodyPartPath] count]; i++)
         {
           nbr = [[[self bodyPartPath] objectAtIndex: i] intValue]-1;

diff --git a/SoObjects/Mailer/SOGoMailObject+Draft.m b/SoObjects/Mailer/SOGoMailObject+Draft.m
@@ -238,6 +238,24 @@ - (NSString *) _contentForEditingFromEncryptedMail
   return nil;
 }
 
+
+//
+//
+//
+- (NSString *) _contentForEditingFromOpaqueSignedMail
+{
+  SOGoUserDefaults *ud;
+  NGMimeMessage *m;
+
+  m = [[self content] messageFromOpaqueSignedData];
+  ud = [[context activeUser] userDefaults];
+
+  return [self _preferredContentFromPart: [m body]
+                               favorHTML: [[ud mailComposeMessageType] isEqualToString: @"html"]];
+
+  return nil;
+}
+
 //
 //
 //
@@ -250,6 +268,8 @@ - (NSString *) contentForEditing
 
   if ([self isEncrypted])
     output = [self _contentForEditingFromEncryptedMail];
+  else if ([self isOpaqueSigned])
+    output = [self _contentForEditingFromOpaqueSignedMail];
 
   // If not encrypted or if decryption failed, we fallback
   // to the normal content fetching code.

diff --git a/SoObjects/Mailer/SOGoMailObject.h b/SoObjects/Mailer/SOGoMailObject.h
@@ -124,7 +124,8 @@ NSArray *SOGoMailCoreInfoKeys;
 - (BOOL) replied;     /* \Answered */
 - (BOOL) forwarded;   /* $forwarded */
 - (BOOL) deleted;     /* \Deleted */
-- (BOOL) isSigned;    /* S/MIME signed message */
+- (BOOL) isSigned;       /* S/MIME signed message (detached signature) */
+- (BOOL) isOpaqueSigned; /* S/MIME signed message (embedded content) */
 - (BOOL) isEncrypted; /* S/MIME encrypted message */
 
 /* deletion */

diff --git a/SoObjects/Mailer/SOGoMailObject.m b/SoObjects/Mailer/SOGoMailObject.m
@@ -1201,6 +1201,19 @@ - (id) lookupImap4BodyPartKey: (NSString *) _key
           return [clazz objectWithName:_key inContainer: self];
         }
     }
+  else if ([self isOpaqueSigned])
+    {
+      NGMimeMessage *m;
+      id part;
+
+      m = [[self content] messageFromOpaqueSignedData];
+
+      part = [[[m body] parts] objectAtIndex: ([_key intValue]-1)];
+      mimeType = [[part contentType] stringValue];
+      clazz = [SOGoMailBodyPart bodyPartClassForMimeType: mimeType
+                                               inContext: _ctx];
+      return [clazz objectWithName:_key inContainer: self];
+    }
 
   parts = [[self bodyStructure] objectForKey: @"parts"];
 
@@ -1738,18 +1751,47 @@ - (BOOL) isSigned
            [protocol isEqualToString: @"application/pkcs7-signature"]));
 }
 
+- (BOOL) isOpaqueSigned
+{
+  NSString *type, *subtype, *smimetype;
+  NGMimeType *contentType;
+
+  contentType = [[self mailHeaders] objectForKey: @"content-type"];
+  type = [[contentType type] lowercaseString];
+  subtype = [[contentType subType] lowercaseString];
+
+  if ([type isEqualToString: @"application"])
+    {
+      if ([subtype isEqualToString: @"x-pkcs7-mime"] ||
+          [subtype isEqualToString: @"pkcs7-mime"])
+        {
+          smimetype = [[contentType valueOfParameter: @"smime-type"] lowercaseString];
+          if ([smimetype isEqualToString: @"signed-data"])
+              return YES;
+        }
+    }
+
+  return NO;
+}
+
 - (BOOL) isEncrypted
 {
-  NSString *type, *subtype;
+  NSString *type, *subtype, *smimetype;
+  NGMimeType *contentType;
 
-  type = [[[[self mailHeaders] objectForKey: @"content-type"] type] lowercaseString];
-  subtype = [[[[self mailHeaders] objectForKey: @"content-type"] subType] lowercaseString];
+  contentType = [[self mailHeaders] objectForKey: @"content-type"];
+  type = [[contentType type] lowercaseString];
+  subtype = [[contentType subType] lowercaseString];
 
   if ([type isEqualToString: @"application"])
     {
       if ([subtype isEqualToString: @"x-pkcs7-mime"] ||
           [subtype isEqualToString: @"pkcs7-mime"])
-        return YES;
+        {
+          smimetype = [[contentType valueOfParameter: @"smime-type"] lowercaseString];
+          if ([smimetype isEqualToString: @"enveloped-data"])
+              return YES;
+        }
     }
 
   return NO;

diff --git a/UI/MailPartViewers/UIxMailPartEncryptedViewer.h b/UI/MailPartViewers/UIxMailPartEncryptedViewer.h
@@ -28,8 +28,20 @@
 
 @interface UIxMailPartEncryptedViewer : UIxMailPartViewer
 {
+  BOOL processed;
+  BOOL encrypted;
+  BOOL opaqueSigned;
+  BOOL validSignature;
+  NSMutableArray *certificates;
+  NSString *validationMessage;
 }
 
+- (BOOL) validSignature;
+- (NSString *) validationMessage;
+- (NSArray *) smimeCertificates;
+- (NSDictionary *) certificateForSubject: (NSString *) subject
+                               andIssuer: (NSString *) issuer;
+
 @end
 
 #endif /* UIXMAILPARTENCRYPTEDVIEWER_H */