------ Исходное сообщение ------ От: "A.L.E.C" alec@alec.pl Кому: dev@lists.roundcube.net Отправлено: 14.01.2016 23:13:12 Тема: Re: [RCD] S/MIME encryption and signing plugin
On 01/12/2016 03:15 PM, Владимир Горпенко wrote:
There was a question 2, I'd like to get answer on it too.
"2. If I correctly understood, the driver processes only a message body. But it is also necessary to work with headers - to remove one, to add others. How it is offered to be realized?"
- php openssl works with private keys and certificates. And the
driver receives only keys. Whether it is possible to build in this scheme work with certificates?
Sorry, I don't have enough knowledge about S/MIME yet to provide help here.
If I correctly understand, keys of PGP is only keys. The certificate contains, except a public key, a lot of other information. This information not only is of interest to the recipient, but also allows to check the certificate. The certificate is signed, and in the certificate is specified with whom exactly it is signed.
I can specify the following features of work with certificates.
- The certificate of the sender is often attached to the signed letter.
In that case for verification of the signature it is necessary to use this certificate. Yes, openssl will make it automatically.
- It is useful to be able to store this certificate in base. However it
is attached to the letter not as a standard attachment, at verification of the signature php openssl will take it from the letter. Therefore for saving of the certificate attached to the letter the main program needs to provide possibility of getting of the taken certificates from the driver. Or again to attach it to the letter already as a standard attachment that isn't quite trivial.
- Php openssl carries out independent verification of the certificate
in procedure of verification of the signature. I don't know precisely, which check it carries out, but the power of attorney CA, signed the certificate is checked. Check of integrity of the certificate, an expiration date, whether the certificate is withdrawn are essentially possible. Respectively after openssl verification additional information which needs to be told to the user will be received.
- For check, whether the certificate is signed with the entrusted CA,
openssl demands additional information, namely certificates of the entrusted CA. This information also has to be transferred to the driver somehow.
- Part of information containing in the certificate it is necessary to
tell to the recipient of the letter. It is right both for a case of the attached certificate, and for a case of the certificate received from the RC base. The driver has to provide means for transfer of this information to the main program.
There's currently no option to attach a key to messages being sent.
It does openssl sign if it isn't forbidden specially.
- The certificate attached to the signed message can be invalid or
not entrusted. For verification of the power of attorney of the certificate the base of the entrusted CA is necessary. It can be realized in the driver?
Well, probably some changes will be needed, but PGP keys can also be entrusted or invalid or expired, etc. Not all is implemented yet.
I meant another: openssl verify can recognize the certificate as incorrect or not entrusted, and with this information it is necessary to do something right after verification of the signature.
Vladimir Gorpenko