File: smime-notes.txt

package info (click to toggle)
neomutt 20250510%2Bdfsg-2
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 23,372 kB
  • sloc: ansic: 171,730; sh: 5,357; perl: 1,121; tcl: 1,065; python: 443; makefile: 48
file content (96 lines) | stat: -rw-r--r-- 4,455 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 
How to use neomutt's S/MIME capabilities

- Add the contents of contrib/smime.rc to your .muttrc. Don't worry about
  changing the smime_default_key line at this point -- you'll change it later.

- Run 'smime_keys init'.

- Download and install OpenSSL.

- Get yourself a certificate. (You can get one for free from Comodo, or
  pay for one from VeriSign or one of its competitors) The way the process
  generally works, the certificate will be installed "into" your web
  browser.

- Assuming you are using Firefox, follow the instructions at
  https://www.sslsupportdesk.com/2016/04/15/export-certificate-firefox/
  to export the certificate into a file called cert.p12. If you don't use
  Firefox, you're on your own.

- Run "smime_keys add_p12 cert.p12"

    * When the script asks for the "Import password", enter the one you
      provided when you exported the certificate.

    * When it asks for a "PEM pass phrase", make up a new password. Every
      time you sign or decrypt a message, neomutt will ask for the PEM pass
      phrase.

    * Finally, when the script asks for a label, enter an easy-to-remember
      name for the certificate, such as "me". The script output will include
      a line like:

      added private key: /home/raldi/.smime/keys/12345678.0 for raldi@verisignlabs.com

      The number (including the ".0" at the end) is your keyid. You will
      need this number in the next step.

- Edit the smime_default_key line in your muttrc, replacing the keyid with your
  own.

- There is no more ca-bundle.crt file with the trusted roots to import shipped
  in neomutt. The upstream file is out-dated and user is encouraged to use
  ca-bundle.crt from ca-certificate package.  This makes you trust anything
  that was ultimately signed by one of them. You can use "smime_keys add_root"
  to do so, or just copy ca-bundle.crt into the place you point neomutt's
  smime_ca_location variable to.


Other notes

Key management is done in a way similar to OpenSSL's CA directory. Private
keys and certificates are stored in different directories, as OpenSSL
expects either to be supplied in a (distinct) file. Each directory contains
an unsorted file named '.index' wherein each line has several fields:
mailbox, keyid, label, id of the intermediate certificate and keyflags.

    * Keyid is a hashvalue derived from the subject field of a certificate
      and supplied by OpenSSL.

    * The mailbox address is derived from either From or Sender field of the
      message, and matched with the email field of the certificate. Non
      matching address pairs get rejected, as get certificates not
      containing a mailbox address at all. (These are security issues, that
      perhaps should be configurable.)

    * Label is set by the perl script (it will ask you to supply one), when
      you add your keypair to the database. So are the remaining two fields.

    * keyflags are set with certificate verification option of the perl
      script. It may take as value one of the following: i: invalid
      (verification failed), r: revoked, e: expired, u: unverified, v:
      successfully verified and finally t: trusted, in case it was
      successfully verified and you chose to trust the certificate (the
      script will ask you). NeoMutt will not use invalid, revoked or expired
      certificates for signing or encryption. It will ask for confirmation
      before using unverified certificates, and finally it will issue a
      warning before using successfully verified but untrusted certificates.

The purpose fields of a certificate do not get verified yet, also there is
no real check if the given file is a certificate at all.

Key retrieval is done obviously by searching the index file for a given
mailbox. If none is found, the user is presented a list of available keys
and asked to select one of those.

The certificate and key directories specified in muttrc have to exist. NeoMutt
will not create them. If you wish to sign messages yourself, note that this
neomutt does not address any PKCS10 or PKCS12 issues (yet?); that is, you have
to get a valid certificate outside of neomutt. (See above)

A certificate can be viewed by adding the following to your ~/.mailcap:

application/pkcs7-signature;openssl pkcs7 -in %s -inform der -noout \
-print_certs -text | less; needsterminal
application/x-pkcs7-signature;openssl pkcs7 -in %s -inform der -noout \
-print_certs -text | less; needsterminal