From 976dbba542732071a478a79d93a7e3bec26ef5d8 Mon Sep 17 00:00:00 2001
From: Loris Zinsou <the-lz-himself@orange.fr>
Date: Sat, 5 Mar 2022 14:30:30 +0100
Subject: [PATCH] Add support for rfc2633 sMIME capabilities signed attr (#215)

* Support sMIME capabilities signed attribute
* Reference rfc2633 sMIME capabilities section
* Allow non-algorithm OIDs in sMIME capabilities
* Add sMIME capabilities parse test
---
 asn1crypto/cms.py                             |  18 ++++++
 ...ime-signature-generated-by-thunderbird.p7s | Bin 0 -> 2865 bytes
 tests/test_cms.py                             |  54 ++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 tests/fixtures/smime-signature-generated-by-thunderbird.p7s

diff --git a/asn1crypto/cms.py b/asn1crypto/cms.py
index 7ce583d..9c8b6db 100644
--- a/asn1crypto/cms.py
+++ b/asn1crypto/cms.py
@@ -100,6 +100,8 @@ class CMSAttributeType(ObjectIdentifier):
         '1.2.840.113549.1.9.4': 'message_digest',
         '1.2.840.113549.1.9.5': 'signing_time',
         '1.2.840.113549.1.9.6': 'counter_signature',
+        # https://datatracker.ietf.org/doc/html/rfc2633#section-2.5.2
+        '1.2.840.113549.1.9.15': 'smime_capabilities',
         # https://tools.ietf.org/html/rfc2633#page-26
         '1.2.840.113549.1.9.16.2.11': 'encrypt_key_pref',
         # https://tools.ietf.org/html/rfc3161#page-20
@@ -946,6 +948,21 @@ class SMIMEEncryptionKeyPreferences(SetOf):
     _child_spec = SMIMEEncryptionKeyPreference
 
 
+class SMIMECapabilityIdentifier(Sequence):
+    _fields = [
+        ('capability_id', ObjectIdentifier),
+        ('parameters', Any, {'optional': True}),
+    ]
+
+
+class SMIMECapabilites(SequenceOf):
+    _child_spec = SMIMECapabilityIdentifier
+
+
+class SetOfSMIMECapabilites(SetOf):
+    _child_spec = SMIMECapabilites
+
+
 ContentInfo._oid_specs = {
     'data': OctetString,
     'signed_data': SignedData,
@@ -981,4 +998,5 @@ class SMIMEEncryptionKeyPreferences(SetOf):
     'microsoft_nested_signature': SetOfContentInfo,
     'microsoft_time_stamp_token': SetOfContentInfo,
     'encrypt_key_pref': SMIMEEncryptionKeyPreferences,
+    'smime_capabilities': SetOfSMIMECapabilites,
 }
diff --git a/tests/fixtures/smime-signature-generated-by-thunderbird.p7s b/tests/fixtures/smime-signature-generated-by-thunderbird.p7s
new file mode 100644
index 0000000000000000000000000000000000000000..c75b2a9636b662fee7536a7e4b24024b0cddf9df
GIT binary patch
literal 2865
zcmdT`c|6o>7oYjfX3UtelP-pdJ6V5|gqLdzS+b`obg2~c+BIZvW*AFF))-~$wM1Se
zYlTmCDy9;VQI-~Dr;CVJ_ige1@&14B^Vjn|=RD^*pXWK}dk#oPq7`CHV^;W}C?Jmx
z(g7%xj0gFUXxA81=ouIsfFU5@4kIW8lE*}pfJ{Uo$b=;T!d_l{4E?H@@}%ii<D)v$
z3Oa?-Wna&K^9sdmpJybJF(4WVbATg-024bh4#a*1JXnOy$pGrP?-=zR%Yf2f^}JYd
zGauTS0G~570)^`4PNkhA*w8`<hiPtP5m4x>2@H!p?7QuP;7Ij3=Nm|t1BpMbMngqK
zy+Z$#>-z=x(tLfqPg1>9PWyU;Qeu4j_JRAz`^cK=YM_?mHdNaI|9Sy40ok383PnI*
zOaKo7nE)@q1fY-y!X)BSRu60luF|2_q)1*adLe5lkf^e2`1&W?_E7QnLCUK@@u*%n
zd%bmnWL4@NDQ|C5A75Ri-Dj%ck>@&J6Mbr{GCnP%^))a!bwNAXg<_E197t@6t@%}y
z$a7<uGb_hpn>lV(L=S6rjg5!IF3ZoOcvJ#wgYcZvK6qThia@RYV7j@9x!Bw#pX+T!
zB7IR0<fI$qN$&nnLI*U$uIsCyPsbG*j9;8aDXLX$-3~otyfx&AnKwUxt-P*S*7?r$
z?7(ln4h9W64oCdpC&wHra*{iNsPh>KlqdSAJlf(!e{R3*zdq72veCE(Z^E3%ueWN1
zTtw<$(#6(S97B2;dZcjkrHt~*dh5j3w-D++tFIsPgs1f0u_!3g3o7?WH5#6c?NUsP
z-sm298p+1G2NVxawmX~Ft6Q~7>?KBM@<0hw3!f%UAw05kuT3{Yk`&5hZm)XG&EnVf
zE^giBdG(x47M&k2;J*;ZwDTTDl~AjmTe9#Y;TW}e+Kf1dzkC7a=ag^sD!@(~j%`E;
zHz}FFe<wu{{KZ9S>r~`Y&gS|b+&+oBckBeMgb>RXM}xP}o$|$p)KZ#mP{KxzF!rZc
zv#QGav#xGtof721I&@azR^oIxZtl{~5>2?pqb^-#9KEEr_3%Mumiv;VoD;2f4KZLV
z{wM)}K_Sqc8M0k=+Zh6dpz7Jw4{fi%IJeH5C=yFv+%K@fcT$uCt6naN;6LjYMSiLm
zvAwvbQTCZr$;$@eR_V=v<QN|MC6Wb~x+a}IC@J`5Z>}TU=q-0)hE8bi`DZvmWY3tP
zkS-%vW;&KXG_2{Ef#H_clfDvn)ykgHEX<`qGfG>8Kp8r<;LWfzU+dGU^tJLqH*ckd
zLA93Dy%sKMMrOGlS4UplWREwL-fWzbRq+~nAPTk0QjI-kqq$yQ-<-M{R5P?Yl=5Lz
zxZ-fSyI)ve<z>7d25GRH)0}C2^myuo<>M_9<)938)2C+5jg|5ne~Ts|qB1t%u!PdJ
z=40=aGXSaM16pevG79sB`}3}tPbz#$;Jz_I-_JM21<ni~+Eh&#nXq2)Jf)!HT`DEX
znbA66kIJ6FWZh>D2$h9JdX5Jl`rWP~Unf_?jL8qH+xI;FG-G~d+R}4&OsD){u6XV&
zSm1f7?MvU=HwID$6XAxLo*PKlr>rFMSwxz)HmqY{Pf{;~>JK>&DYD~J&RiMG8c28=
zjyr(}ZbVhJ7)Clh1RofQ*;Be(q^)%uE^)Ye<9qO~F^wTT*WW0OL|$7osOao@=oPD8
zrzfh^%^?Rbme?u|J=I+LHz)bd+8Ulpq-$Lbb_;wISp2Lpj!5zC<t^U0pb^?Z<J`C9
zC(;IDkY6N`oFFn2VX{ruhTFUjGK&9l#P<LD$BzD!#{_&q@t?d7BV&F56cqgB2S6jp
z_#e!!MONRh?g(1{)WXSzaD6AAdw>pRjrhkT#Tdu!O@CL(wA4X7b1FQUzsUPhGSLmT
znJ_Qxx^ZOr>K98{zo-ijEhe!c=Pe%TpSTlkFKh*R{d9;YyMQOa?O?tI3su+&0FW2S
z^WQcILxH#-djJ3+^zB;xt^)w5K8Qjh6mc*B^}liw$f!f26_HRll&QfFCo@X_MxV&I
zkHmbN0?_;bW;^)2zf}f)pJ29|Eu0BJ&b~6-{D<JRNv#{RT!a+ET}f45l-%WfueN`>
zxR#U>Ezsm2(GA#3*!Z2YP;`&3X|%IsP^`_OdLvsiA*_>Fws$JGJ(<{{BGINYv5R%(
z;UxQ6R?>Op>1(XMWmuZa2(Qg95esouHYK=Drfs5wo0A^dJyWgLlf+<!75aEoWG8hM
zXGoJeb1X@QOP=iw@!*+9?wfW>t9k`!F0OJWXe!2lCI61KdrG$|@UwI15NkK_cG}zm
zj~Cr|{dC-z$2};$KG?1P{fD$iy8Y{KFT6RAbIab~WcLa5CKAm3jY<ygs!KwfD9Z{~
zJYIy0{Z1GqSe0hc&q@!43hWtmQU(>ARGgz?`sH$%vhvxvA~)??G7c9CU3^d_Bi<69
z_Vy#|ID28ftx4<iM(&KTgG+Ra04=zCzCFzIwpqs=WBzsxoZ@GQv7dtd@hsi<W&Wxa
zCMC&3$1@`=k^y<ygj+Zt!Kw`N{F{&8e#p!kt*+FQiED3O5G^O25J{S*UM`)PpW})L
zRCF#x)Ug?PM{5TX(l*I{b=oq&blp8LJ7+Xm+^?Ic;q35GqA(sbN39C**05jo#|IDV
z<=ZNiD+%NzwqK4HOI25GIJ?N9<n5p47MxIO>Ag~N<r7xA+D9%WrP@{U$RfHej}g5>
YhK#MCSesFYaQ?;XZT{xVkU!Ud0A<W$6#xJL

literal 0
HcmV?d00001

diff --git a/tests/test_cms.py b/tests/test_cms.py
index 52d852e..2f503fc 100644
--- a/tests/test_cms.py
+++ b/tests/test_cms.py
@@ -911,6 +911,60 @@ def test_parse_content_info_pkcs7_signed_digested_data(self):
             signer['signature'].native
         )
 
+    def test_parse_content_info_smime_capabilities(self):
+        with open(os.path.join(fixtures_dir, 'smime-signature-generated-by-thunderbird.p7s'), 'rb') as f:
+            info = cms.ContentInfo.load(f.read())
+
+        signed_attrs = info['content']['signer_infos'][0]['signed_attrs']
+
+        self.assertEqual(
+            'smime_capabilities',
+            signed_attrs[3]['type'].native
+        )
+        smime_capabilities = signed_attrs[3]
+
+        self.assertEqual(
+            1,
+            len(smime_capabilities['values'])
+        )
+        self.assertEqual(
+            7,
+            len(smime_capabilities['values'][0])
+        )
+        self.assertEqual(
+            [capability.native for capability in smime_capabilities['values'][0]],
+            [
+                util.OrderedDict([
+                    ('capability_id', '2.16.840.1.101.3.4.1.42'),
+                    ('parameters', None),
+                ]),
+                util.OrderedDict([
+                    ('capability_id', '2.16.840.1.101.3.4.1.2'),
+                    ('parameters', None),
+                ]),
+                util.OrderedDict([
+                    ('capability_id', '1.2.840.113549.3.7'),
+                    ('parameters', None),
+                ]),
+                util.OrderedDict([
+                    ('capability_id', '1.2.840.113549.3.2'),
+                    ('parameters', 128),
+                ]),
+                util.OrderedDict([
+                    ('capability_id', '1.2.840.113549.3.2'),
+                    ('parameters', 64),
+                ]),
+                util.OrderedDict([
+                    ('capability_id', '1.3.14.3.2.7'),
+                    ('parameters', None),
+                ]),
+                util.OrderedDict([
+                    ('capability_id', '1.2.840.113549.3.2'),
+                    ('parameters', 40),
+                ]),
+            ]
+        )
+
     def test_bad_teletex_inside_pkcs7(self):
         with open(os.path.join(fixtures_dir, 'mozilla-generated-by-openssl.pkcs7.der'), 'rb') as f:
             content = cms.ContentInfo.load(f.read())['content']