

Upload whole certificate chain when uploading a certificate for S/MIM…
…E in pkcs12 format. Include whole certificate chain in signed messages. Use whole certificate chain to verify certificates.

Fixes #9190

Signed-off-by: Patrick Bender <[email protected]>
IchbinkeinReh committed May 23, 2024
1 parent 3351645 commit 7bbe53b
Showing 2 changed files with 9 additions and 3 deletions.
10 changes: 8 additions & 2 deletions lib/Service/SmimeService.php
Expand Up @@ -182,13 +182,16 @@ public function parseCertificate(string $certificate): SmimeCertificateInfo {
}
}

$decryptedCertificateFile = $this->tempManager->getTemporaryFile();
file_put_contents($decryptedCertificateFile, $certificate);

$caBundle = [$this->certificateManager->getAbsoluteBundlePath()];
return new SmimeCertificateInfo(
$certificateData['subject']['CN'] ?? null,
$certificateData['subject']['emailAddress'] ?? $certificateData['subject']['CN'],
$certificateData['validTo_time_t'],
$purposes,
openssl_x509_checkpurpose($certificate, X509_PURPOSE_ANY, $caBundle) === true,
openssl_x509_checkpurpose($certificate, X509_PURPOSE_ANY, $caBundle, $decryptedCertificateFile) === true,
);
}

Expand Down Expand Up @@ -376,13 +379,16 @@ public function signMimePart(Horde_Mime_Part $part,
);
}

$decryptedCertificateFile = $this->tempManager->getTemporaryFile();
file_put_contents($decryptedCertificateFile, $decryptedCertificate);

$inPath = $this->tempManager->getTemporaryFile();
$outPath = $this->tempManager->getTemporaryFile();
file_put_contents($inPath, $part->toString([
'canonical' => true,
'headers' => true,
]));
if (!openssl_pkcs7_sign($inPath, $outPath, $decryptedCertificate, $decryptedKey, null)) {
if (!openssl_pkcs7_sign($inPath, $outPath, $decryptedCertificate, $decryptedKey, null, PKCS7_DETACHED, $decryptedCertificateFile)) {
throw new SmimeSignException('Failed to sign MIME part');
}

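Review bot: Neither `file_put_contents($decryptedCertificateFile, ...)` call — this one in signMimePart and the matching one in parseCertificate in the first hunk — checks its return value, so a failed or partial write leaves a truncated chain file that openssl_pkcs7_sign and openssl_x509_checkpurpose then read silently; a message would go out without its intermediates, or verification would fail with no explanatory error. Guard it the way the sign call itself is guarded: `if (file_put_contents($decryptedCertificateFile, $decryptedCertificate) === false) { throw new SmimeSignException('Failed to write certificate chain'); }`. Both hunks also still pass the (now possibly multi-certificate) PEM string as the `$certificate` argument, and PHP's openssl functions appear to take only the first PEM block as the end-entity certificate, so this relies on the leaf coming first in the uploaded chain — worth stating with a comment above each temp-file write, e.g. `// May hold the whole chain; the end-entity certificate must be the first PEM block`. parseCertificate and signMimePart both continue outside the hunks, and whether tempManager removes these files after the request is not visible here.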
2 changes: 1 addition & 1 deletion src/util/pkcs12.js
Expand Up @@ -51,7 +51,7 @@ export function convertPkcs12ToPem(pkcs12Der, password) {
}

return {
certificate: forge.pki.certificateToPem(certBags[0].cert),
certificate: certBags.map((a) => forge.pki.certificateToPem(a.cert)).join('\n'),
privateKey: forge.pki.privateKeyToPem(keyBags[0].key),
}
}
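Review bot: The new `certificate` value joins every bag in `certBags` in the order forge returns them, and that order is not guaranteed to put the end-entity certificate first, while the PHP consumer (SmimeService::parseCertificate / signMimePart) appears to treat the first PEM block as the signer certificate. Consider moving the bag whose `cert.publicKey` matches `keyBags[0].key` to the front before joining, so a PKCS#12 file exported with the CA certificates first still signs and verifies with the right certificate; a comment such as `// end-entity certificate must come first; PHP reads the first PEM block` would document the contract either way. `forge.pki.certificateToPem` also seems to terminate each block with a line break already, so `.join('\n')` leaves a blank line between blocks — harmless to PEM readers, but `.join('')` would be the cleaner concatenation if that is confirmed. The opening of convertPkcs12ToPem, including whatever check closes at the first line of the hunk, is outside the hunk.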

