Enigma smime signed messages verification

plugins/enigma/config.inc.php.dist

@@ -58,6 +58,13 @@ $config['enigma_attach_pubkey'] = false;
 // When set to 0 passwords will be stored for the whole session.
 $config['enigma_password_time'] = 5;
 
+// Trusted Root CAs
+// When this array is filled with root(!) CA files,
+// enigma will first try to use these CAs to verify a signature.
+// If this fails, verification with default system CAs will still be attempted,
+// but lower trust will be signalled to user.
+$config['enigma_smime_ca'] = array();
+
 // With this option you can lock composing options
 // of the plugin forcing the user to use configured settings.
 // The array accepts: 'sign', 'encrypt', 'pubkey'.

plugins/enigma/lib/enigma_driver_phpssl.php

@@ -20,6 +20,7 @@ class enigma_driver_phpssl extends enigma_driver
     private $rc;
     private $homedir;
     private $user;
+    private $cainfo;
 
     function __construct($user)
     {
@@ -37,6 +38,7 @@ function __construct($user)
     function init()
     {
         $homedir = $this->rc->config->get('enigma_smime_homedir', INSTALL_PATH . '/plugins/enigma/home');
+        $this->cainfo = $this->rc->config->get('enigma_smime_ca', array());
 
         if (!$homedir)
             return new enigma_error(enigma_error::INTERNAL,
@@ -65,6 +67,15 @@ function init()
 
         $this->homedir = $homedir;
 
+        #XXX: Workaround for https://bugs.php.net/bug.php?id=75494
+        if (count($this->cainfo) > 0) {
+            $dummy_cert_dir = $this->homedir . '/' . 'cert_dummy';
+            if (!file_exists($dummy_cert_dir)) {
+                mkdir($dummy_cert_dir, 0700);
+            }
+            $this->cainfo[] = $dummy_cert_dir;
+        }
+
     }
 
     function encrypt($text, $keys, $sign_key = null)
@@ -96,11 +107,16 @@ function verify($struct, $message)
         fclose($fh);
 
         // @TODO: use stored certificates
-
-        // try with certificate verification
-        $sig      = openssl_pkcs7_verify($msg_file, 0, $cert_file);
+        // try with global config'd certificates
+        $sig      = openssl_pkcs7_verify($msg_file, 0, $cert_file, $this->cainfo);
         $validity = true;
 
+        if ($sig !== true) {
+            // try with server trusted certificate verification
+            $sig      = openssl_pkcs7_verify($msg_file, 0, $cert_file);
+            $validity = enigma_error::SERVER_VERIFIED;
+        }
+
         if ($sig !== true) {
             // try without certificate verification
             $sig      = openssl_pkcs7_verify($msg_file, PKCS7_NOVERIFY, $cert_file);
@@ -229,6 +245,8 @@ private function parse_sig_cert($file, $validity)
 //        $data->comment     = '';
         $data->email       = $cert['subject']['emailAddress'];
 
+        rcube::write_log('errors', 'Decrypted sig: ' . $data->name);
+
         return $data;
     }
 }

plugins/enigma/lib/enigma_engine.php

@@ -685,7 +685,24 @@ private function parse_smime_signed(&$p, $body = null)
             return;
         }
 
-        // @TODO
+        if ($this->rc->action != 'show' && $this->rc->action != 'preview' && $this->rc->action != 'print') {
+            return;
+        }
+
+        $this->load_smime_driver();
+        $struct = $p['structure'];
+
+        $msg_part = $struct->parts[0];
+
+        $sig = $this->smime_driver->verify($struct, $p['object']);
+
+        if (($sig instanceof enigma_error) && $sig->getCode() != enigma_error::KEYNOTFOUND) {
+            self::raise_error($sig, __LINE__);
+        } else {
+            // Store signature data for display
+            $this->signatures[$struct->mime_id] = $sig;
+            $this->signatures[$msg_part->mime_id] = $sig;
+        }
     }
 
     /**

plugins/enigma/lib/enigma_error.php

@@ -30,6 +30,7 @@ class enigma_error
     const BADPASS     = 5;
     const EXPIRED     = 6;
     const UNVERIFIED  = 7;
+    const SERVER_VERIFIED  = 8;
 
 
     function __construct($code = null, $message = '', $data = array())

plugins/enigma/lib/enigma_mime_message.php

@@ -19,6 +19,8 @@ class enigma_mime_message extends Mail_mime
 {
     const PGP_SIGNED    = 1;
     const PGP_ENCRYPTED = 2;
+    const SMIME_SIGNED  = 3;
+    const SMIME_ENCRYPTED = 4;
 
     protected $type;
     protected $message;

plugins/enigma/lib/enigma_ui.php

@@ -984,6 +984,12 @@ function status_message($p)
                     $msg = str_replace('$keyid', $sig->id, $msg);
                     $msg = rcube::Q($msg);
                 }
+                else if ($sig->valid === enigma_error::SERVER_VERIFIED) {
+                    $attrib['class'] = 'enigmawarning';
+                    $msg = str_replace('$sender', $sender, $this->enigma->gettext('sigserververified'));
+                    $msg = str_replace('$keyid', $sig->id, $msg);
+                    $msg = rcube::Q($msg);
+                }
                 else if ($sig->valid) {
                     $attrib['class'] = $sig->partial ? 'enigmawarning' : 'enigmanotice';
                     $label = 'sigvalid' . ($sig->partial ? 'partial' : '');

plugins/enigma/localization/en_US.inc

@@ -98,6 +98,7 @@ $messages = array();
 $messages['sigvalid'] = 'Verified signature from $sender.';
 $messages['sigvalidpartial'] = 'Verified signature from $sender, but part of the body was not signed.';
 $messages['siginvalid'] = 'Invalid signature from $sender.';
+$messages['sigserververified'] = 'Server-verified signature. Certificate ID: $keyid.';
 $messages['sigunverified'] = 'Unverified signature. Certificate not verified. Certificate ID: $keyid.';
 $messages['signokey'] = 'Unverified signature. Public key not found. Key ID: $keyid.';
 $messages['sigerror'] = 'Unverified signature. Internal error.';