[RCD] S/MIME encryption and signing plugin

Владимир Горпенко vgo at stels.ru
Fri Jan 15 09:31:30 CET 2016


------ Исходное сообщение ------
От: "A.L.E.C" <alec �� alec.pl>
Кому: dev �� lists.roundcube.net
Отправлено: 14.01.2016 23:13:12
Тема: Re: [RCD] S/MIME encryption and signing plugin

>On 01/12/2016 03:15 PM, Владимир Горпенко wrote:
There was a question 2, I'd like to get answer on it too.

"2. If I correctly understood, the driver processes only a message body. 
But it is also necessary to work with headers - to remove one, to add 
others. How it is offered to be realized?"


>>  3. php openssl works with private keys and certificates. And the 
>>driver
>>  receives only keys. Whether it is possible to build in this scheme 
>>work
>>  with certificates?
>
>Sorry, I don't have enough knowledge about S/MIME yet to provide help 
>here.
If I correctly understand, keys of PGP is only keys.
The certificate contains, except a public key, a lot of other 
information. This information not only is of interest to the recipient, 
but also allows to check the certificate. The certificate is signed, and 
in the certificate is specified with whom exactly it is signed.

I can specify the following features of work with certificates.

1. The certificate of the sender is often attached to the signed letter. 
In that case for verification of the signature it is necessary to use 
this certificate. Yes, openssl will make it automatically.

2. It is useful to be able to store this certificate in base. However it 
is attached to the letter not as a standard attachment, at verification 
of the signature php openssl will take it from the letter. Therefore for 
saving of the certificate attached to the letter the main program needs 
to provide possibility of getting of the taken certificates from the 
driver. Or again to attach it to the letter already as a standard 
attachment that isn't quite trivial.

3. Php openssl carries out independent verification of the certificate 
in procedure of verification of the signature. I don't know precisely, 
which check it carries out, but the power of attorney CA, signed the 
certificate is checked. Check of integrity of the certificate, an 
expiration date, whether the certificate is withdrawn are essentially 
possible.
Respectively after openssl verification additional information which 
needs to be told to the user will be received.

4. For check, whether the certificate is signed with the entrusted CA, 
openssl demands additional information, namely certificates of the 
entrusted CA. This information also has to be transferred to the driver 
somehow.

5. Part of information containing in the certificate it is necessary to 
tell to the recipient of the letter. It is right both for a case of the 
attached certificate, and for a case of the certificate received from 
the RC base. The driver has to provide means for transfer of this 
information to the main program.

>There's currently no option to attach a key to messages being sent.
It does openssl sign if it isn't forbidden specially.

>>  5. The certificate attached to the signed message can be invalid or 
>>not
>>  entrusted. For verification of the power of attorney of the 
>>certificate
>>  the base of the entrusted CA is necessary. It can be realized in the
>>  driver?
>
>Well, probably some changes will be needed, but PGP keys can also be
>entrusted or invalid or expired, etc. Not all is implemented yet.
I meant another: openssl verify can recognize the certificate as 
incorrect or not entrusted, and with this information it is necessary to 
do something right after verification of the signature.

      Vladimir Gorpenko



More information about the dev mailing list