From 1bf2f04067252ae3f887d9369138e930a5533e02 Mon Sep 17 00:00:00 2001
From: tsz
Date: Fri, 8 Jan 2021 19:57:03 +0100
Subject: [PATCH 1/4] Enable S/MIME signing of e-mails
Use existing PHPMailer functionality to allow MantisBT to sign outgoing e-mail notifications.
Fixes #25764
Signed-off-by: Damien Regad
TomekAP's original contribution was modified as follows:
- Fix inconsistent naming of 'g_email_signing_sign_extracerts_file' in config_defaults_inc.php, referenced everywhere else as 'g_email_signing_extracerts_file'
- Rename configs with prefix 'smime' instead of 'signing', to avoid any confusion with DKIM which is also about signing
- Use suffix '_file' instead of '_filename'
- Fix whitespace
---
config_defaults_inc.php | 34 +++++++++++++++++++++++++++++++++-
core/email_api.php | 7 +++++++
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 5b73c87c93..a0bb50fd66 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -756,6 +756,36 @@
*/
$g_email_dkim_identity = 'noreply@example.com';

+/**
+ * Path to mail certification file
+ *
+ * @global string $g_email_smime_cert_file
+ */
+$g_email_smime_cert_file = '';
+
+/**
+ * Path to mail private key file
+ *
+ * @see $g_email_smime_cert_file
+ *
+ * @global string $g_email_smime_key_file
+ */
+$g_email_smime_key_file = '';
+
+/**
+ * mail private key pass
+ *
+ * @global string $g_email_smime_key_password
+ */
+$g_email_smime_key_password = '';
+
+/**
+ * Path to mail extra certification file
+ *
+ * @global string $g_email_smime_extracerts_file
+ */
+$g_email_smime_extracerts_file = '';
+
/**
* It is recommended to use a cronjob or a scheduler task to send emails. The
* cronjob should typically run every 5 minutes. If no cronjob is used,then
@@ -4326,7 +4356,9 @@
'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool',
'ldap_server', 'ldap_root_dn', 'ldap_organization', 'ldap_protocol_version', 'ldap_network_timeout', 'ldap_follow_referrals', 'ldap_bind_dn', 'ldap_bind_passwd',
- 'ldap_uid_field', 'ldap_realname_field', 'use_ldap_realname', 'use_ldap_email'
+ 'ldap_uid_field', 'ldap_realname_field', 'use_ldap_realname', 'use_ldap_email',
+ 'email_smime_cert_file', 'email_smime_key_file', 'email_smime_key_password',
+ 'email_smime_extracerts_file',
);

/**
diff --git a/core/email_api.php b/core/email_api.php
index 26cda3c336..33d68e16c8 100644
--- a/core/email_api.php
+++ b/core/email_api.php
@@ -1332,6 +1332,13 @@ function email_send( EmailData $p_email_data ) {
$t_mail->Port = config_get( 'smtp_port' );
+ $t_mail->sign(
+ config_get_global( 'email_smime_cert_file' ),
+ config_get_global( 'email_smime_key_file' ),
+ config_get_global( 'email_smime_key_password' ),
+ config_get_global( 'email_smime_extracerts_file' )
+ );
+
break;
}
From 741d91f53c1aeeb77dd6606442a0850d887dbfc9 Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 8 Jan 2021 19:59:25 +0100
Subject: [PATCH 2/4] Updated PHPDoc and added new configs in Admin Guide
Created a new 'S/MIME signature' section under Config / Email.
Issue #25764
---
config_defaults_inc.php | 19 ++++-
docbook/Admin_Guide/en-US/config/email.xml | 91 ++++++++++++++++++++++
2 files changed, 106 insertions(+), 4 deletions(-)
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index a0bb50fd66..a41ead3cc9 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
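Review bot: Adding `email_smime_key_password` to this array keeps it out of the database-backed configuration, but that alone does not stop the passphrase from being reported back to callers, and the commit does not touch the place where MantisBT masks other credentials. If I remember the code base correctly, `config_is_private()` in core/config_api.php (outside this diff) is what keeps `smtp_password`, `ldap_bind_passwd` and `db_password` out of the config API, and the new key should be listed there too, e.g. `case 'email_smime_key_password':` next to `case 'ldap_bind_passwd':`. The three file-path settings are also reasonable candidates for that list, since they expose filesystem layout and the location of the signing key, in the same way `ldap_server` is treated. The array this hunk appends to starts before the hunk, so its name is not visible here.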
@@ -757,14 +757,18 @@
$g_email_dkim_identity = 'noreply@example.com';

/**
- * Path to mail certification file
+ * Path to the S/MIME certificate.
+ *
+ * The file must contain a PEM-encoded certificate.
*
* @global string $g_email_smime_cert_file
*/
$g_email_smime_cert_file = '';

/**
- * Path to mail private key file
+ * Path to the S/MIME private key file.
+ *
+ * The file must contain a PEM-encoded private key matching the S/MIME certificate.
*
* @see $g_email_smime_cert_file
*
@@ -773,14 +777,21 @@
$g_email_smime_key_file = '';

/**
- * mail private key pass
+ * Password for the S/MIME private key.
+ *
+ * Leave blank if the private key is not protected by a passphrase.
+ * @see $g_email_smime_key_file
*
* @global string $g_email_smime_key_password
*/
$g_email_smime_key_password = '';

/**
- * Path to mail extra certification file
+ * Optional path to S/MIME extra certificates.
+ *
+ * The file must contain one (or more) PEM-encoded certificates, which will be
+ * included in the signature to help the recipient verify the certificate
+ * specified in {@see $g_email_smime_cert_file} ("CA Chain").
*
* @global string $g_email_smime_extracerts_file
*/
diff --git a/docbook/Admin_Guide/en-US/config/email.xml b/docbook/Admin_Guide/en-US/config/email.xml
index 79e6a409c0..00aa674410 100644
--- a/docbook/Admin_Guide/en-US/config/email.xml
+++ b/docbook/Admin_Guide/en-US/config/email.xml
@@ -554,4 +554,95 @@ $g_notify_flags['new'] = array( + +
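Review bot: The new doc for `$g_email_smime_key_file` says what the file must contain but not how it must be protected, which for a private key is the part an administrator most needs. I would add ` * The file must be readable by the web server user and should be kept outside the web root with restrictive permissions.` after the PEM sentence. For `$g_email_smime_cert_file` it is worth a sentence that the certificate's e-mail address is expected to match the sender address used for notifications, since S/MIME-verifying clients compare the two and flag a mismatch (a property of S/MIME verification, not of this code).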
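Review bot: `$g_email_smime_key_password` is described as an optional passphrase, but nothing tells the administrator that the value sits in clear text in config_inc.php, so the passphrase protects the key file only as far as that config file is itself protected. I would add ` * Note: this value is stored in clear text in config_inc.php; restrict read access to that file.` after the "Leave blank" sentence. As a style point, the `@see` line in this block follows the description without the blank ` *` separator that the other blocks use.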
+ S/MIME signature + + + + $g_email_smime_cert_file + + Path to the + S/MIME + certificate. + + The file must contain a + PEM-encoded + certificate. + + + + + $g_email_smime_key_file + + Path to the S/MIME private key file. + The file must contain a PEM-encoded private key + matching the S/MIME certificate. + + + + + $g_email_smime_key_password + + Password for the S/MIME private key. + Leave blank if the private key is not protected + by a passphrase. + + + + + $g_email_smime_extracerts_file + + Optional path to S/MIME extra certificates. + The file must contain one (or more) PEM-encoded + certificates, which will be included in the signature to + help the recipient verify the certificate specified in + $g_email_smime_cert_file + ("CA Chain"). + + + + + + + MantisBT expects the S/MIME certificates and the private key + files to be in + PEM + format. + If you have a PKCS12 + encrypted certificate (typically with a .pfx or .p12 extension), + you may use the following openssl commands + to extract and convert the individual elements: + + + + Certificate + +openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt + + + + Extra certificates ("CA chain") + +openssl pkcs12 -in cert.pfx -cacerts -nokeys -out ca-chain.crt + + + + Private key + (-passout specifies the private key's password) + + +openssl pkcs12 -in cert.pfx -nocerts -out cert.key -passout pass: + + + + If the input file is protected, openssl will ask for the password; + alternatively, you can specify it on the command-line with the + -passin option, e.g. + -passin pass:PASSWORD + + + +
+
From cb13a049b63e57791ac080074ce4d0dd3201782c Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 8 Jan 2021 20:05:46 +0100
Subject: [PATCH 3/4] Allow S/MIME signature for all mail methods
The original implementation only enabled S/MIME signature for PHPMAILER_METHOD_SMTP.
Moving the call to PHPMailer::sign() out of the switch() statement, so it is also called when mail method is PHPMAILER_METHOD_SENDMAIL or PHPMAILER_METHOD_MAIL.
Fixes #25764
---
core/email_api.php | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/core/email_api.php b/core/email_api.php
index 33d68e16c8..0f52b4000c 100644
--- a/core/email_api.php
+++ b/core/email_api.php
@@ -1332,16 +1332,17 @@ function email_send( EmailData $p_email_data ) {
$t_mail->Port = config_get( 'smtp_port' );
- $t_mail->sign(
- config_get_global( 'email_smime_cert_file' ),
- config_get_global( 'email_smime_key_file' ),
- config_get_global( 'email_smime_key_password' ),
- config_get_global( 'email_smime_extracerts_file' )
- );
-
break;
}

+ # S/MIME signature
+ $t_mail->sign(
+ config_get_global( 'email_smime_cert_file' ),
+ config_get_global( 'email_smime_key_file' ),
+ config_get_global( 'email_smime_key_password' ),
+ config_get_global( 'email_smime_extracerts_file' )
+ );
+
#apply DKIM settings
if( config_get( 'email_dkim_enable' ) ) {
$t_mail->DKIM_domain = config_get( 'email_dkim_domain' );
From e09ea350a849a3d5b6d6ffda66d4033576287c0f Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 8 Jan 2021 20:21:22 +0100
Subject: [PATCH 4/4] Add new $g_email_smime_enable setting
This allows calling PHPMailer::sign() only if necessary, and avoids 4 unnecessary config_get_global() calls if not.
Fixes #25764
---
config_defaults_inc.php | 11 +++++++++--
core/email_api.php | 14 ++++++++------
docbook/Admin_Guide/en-US/config/email.xml | 18 ++++++++++++++----
3 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index a41ead3cc9..888ad019c4 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -756,6 +756,13 @@
*/
$g_email_dkim_identity = 'noreply@example.com';

+/**
+ * Enable S/MIME signature.
+ *
+ * @global integer $g_email_smime_enable
+ */
+$g_email_smime_enable = OFF;
+
/**
* Path to the S/MIME certificate.
*
@@ -4368,8 +4375,8 @@
'ldap_server', 'ldap_root_dn', 'ldap_organization', 'ldap_protocol_version', 'ldap_network_timeout', 'ldap_follow_referrals', 'ldap_bind_dn', 'ldap_bind_passwd',
'ldap_uid_field', 'ldap_realname_field', 'use_ldap_realname', 'use_ldap_email',
- 'email_smime_cert_file', 'email_smime_key_file', 'email_smime_key_password',
- 'email_smime_extracerts_file',
+ 'email_smime_enable', 'email_smime_cert_file', 'email_smime_key_file',
+ 'email_smime_key_password', 'email_smime_extracerts_file',
);

/**
diff --git a/core/email_api.php b/core/email_api.php
index 0f52b4000c..e71ba20d1a 100644
--- a/core/email_api.php
+++ b/core/email_api.php
@@ -1336,12 +1336,14 @@ function email_send( EmailData $p_email_data ) {
}

# S/MIME signature
- $t_mail->sign(
- config_get_global( 'email_smime_cert_file' ),
- config_get_global( 'email_smime_key_file' ),
- config_get_global( 'email_smime_key_password' ),
- config_get_global( 'email_smime_extracerts_file' )
- );
+ if( ON == config_get_global( 'email_smime_enable' ) ) {
+ $t_mail->sign(
+ config_get_global( 'email_smime_cert_file' ),
+ config_get_global( 'email_smime_key_file' ),
+ config_get_global( 'email_smime_key_password' ),
+ config_get_global( 'email_smime_extracerts_file' )
+ );
+ }

#apply DKIM settings
if( config_get( 'email_dkim_enable' ) ) {
diff --git a/docbook/Admin_Guide/en-US/config/email.xml b/docbook/Admin_Guide/en-US/config/email.xml
index 00aa674410..acf9324ad4 100644
--- a/docbook/Admin_Guide/en-US/config/email.xml
+++ b/docbook/Admin_Guide/en-US/config/email.xml
@@ -558,14 +558,24 @@ $g_notify_flags['new'] = array(
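Review bot: The PHPDoc for `$g_email_smime_enable` does not say what turning it ON requires, and an administrator who flips it without setting the file paths gets a failure at send time rather than a hint here. I would extend it to ` * When ON, $g_email_smime_cert_file and $g_email_smime_key_file must both point to readable PEM files; $g_email_smime_key_password and $g_email_smime_extracerts_file are optional.` The OFF default and the global-only placement in the second hunk are the right choices for a setting that names a signing key on disk.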
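Review bot: The new branch passes the configured paths straight to `$t_mail->sign()` without checking that they exist, so a missing, unreadable or blank `email_smime_cert_file`/`email_smime_key_file` is not detected where the setting is applied. As far as I recall of PHPMailer, `sign()` only records the paths and the actual `openssl_pkcs7_sign()` runs while the body is built, where the failure is either an exception or, if the mailer was constructed without exceptions (not visible in this hunk), a message with an empty MIME body; neither surfaces the cause to the administrator. Because signing is opt-in, a misconfiguration should fail loudly here rather than degrade or silently skip signing, so I would resolve the paths once, verify them with `is_readable()` (the extracerts file only when non-empty, since its default is `''`), and route a failure through MantisBT's normal error/log path before calling `sign()`. email_send() starts before and ends after this hunk.
```php
	# S/MIME signature
	if( ON == config_get_global( 'email_smime_enable' ) ) {
		$t_smime_cert = config_get_global( 'email_smime_cert_file' );
		$t_smime_key = config_get_global( 'email_smime_key_file' );
		$t_smime_extra = config_get_global( 'email_smime_extracerts_file' );
		if( !is_readable( $t_smime_cert ) || !is_readable( $t_smime_key )
			|| ( $t_smime_extra !== '' && !is_readable( $t_smime_extra ) ) ) {
			# report the misconfiguration through the usual MantisBT error/log
			# path here, instead of letting PHPMailer fail while building the body
		}
		$t_mail->sign( $t_smime_cert, $t_smime_key,
			config_get_global( 'email_smime_key_password' ), $t_smime_extra );
	}
	# … unchanged: DKIM settings …
```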
S/MIME signature + This sections describes the necessary settings to enable + S/MIME + signature for outgoing MantisBT e-mails. + + - $g_email_smime_cert_file + $g_email_smime_enable - Path to the - S/MIME - certificate. + Enables S/MIME signature. + Defaults to OFF. + + + + $g_email_smime_cert_file + + Path to the S/MIME certificate. The file must contain a PEM-encoded certificate.