aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/mailman_pgp/pgp/inline.py7
-rw-r--r--src/mailman_pgp/pgp/mime.py16
-rw-r--r--src/mailman_pgp/pgp/mime_multisig.py171
-rw-r--r--src/mailman_pgp/pgp/tests/data/messages/mime_multisig.eml65
-rw-r--r--src/mailman_pgp/pgp/tests/data/messages/mime_multisig_invalid.eml65
-rw-r--r--src/mailman_pgp/pgp/tests/test_mime_multisig.py96
-rw-r--r--src/mailman_pgp/pgp/wrapper.py3
7 files changed, 416 insertions, 7 deletions
diff --git a/src/mailman_pgp/pgp/inline.py b/src/mailman_pgp/pgp/inline.py
index 81e0839..2fe22cf 100644
--- a/src/mailman_pgp/pgp/inline.py
+++ b/src/mailman_pgp/pgp/inline.py
@@ -218,8 +218,11 @@ class InlineWrapper:
out = copy.deepcopy(self.msg)
for part in walk(out):
if not part.is_multipart():
- payload = str(part.get_payload())
- pmsg = PGPMessage.new(payload, cleartext=True)
+ if self._is_signed(part):
+ pmsg = PGPMessage.from_blob(part.get_payload())
+ else:
+ payload = str(part.get_payload())
+ pmsg = PGPMessage.new(payload, cleartext=True)
smsg = self._sign(pmsg, key, hash)
part.set_payload(str(smsg))
return out
diff --git a/src/mailman_pgp/pgp/mime.py b/src/mailman_pgp/pgp/mime.py
index bdb7943..33ec93e 100644
--- a/src/mailman_pgp/pgp/mime.py
+++ b/src/mailman_pgp/pgp/mime.py
@@ -24,7 +24,7 @@ from email.mime.application import MIMEApplication
from email.utils import collapse_rfc2231_value
from mailman.email.message import Message, MultipartDigestMessage
-from pgpy import PGPKey, PGPMessage, PGPSignature
+from pgpy import PGPDetachedSignature, PGPKey, PGPMessage
from pgpy.constants import HashAlgorithm, SymmetricKeyAlgorithm
from public import public
@@ -98,13 +98,14 @@ class MIMEWrapper:
"""
:return:
- :rtype: typing.Generator[pgpy.PGPSignature]
+ :rtype: typing.Generator[pgpy.PGPDetachedSignature]
"""
try:
- msg = PGPSignature.from_blob(self.msg.get_payload(1).get_payload())
+ sig = PGPDetachedSignature.from_blob(
+ self.msg.get_payload(1).get_payload())
except:
return
- yield msg
+ yield sig
def is_encrypted(self):
"""
@@ -229,6 +230,13 @@ class MIMEWrapper:
return 'pgp-' + algs[hash_algo]
def _wrap_signed(self, msg, signature):
+ """
+ As per RFC1847 and RFC3156.
+
+ :param msg:
+ :param signature:
+ :return:
+ """
micalg = self._micalg(signature.hash_algorithm)
out = MultipartDigestMessage('signed', micalg=micalg,
protocol=MIMEWrapper._signed_type)
diff --git a/src/mailman_pgp/pgp/mime_multisig.py b/src/mailman_pgp/pgp/mime_multisig.py
new file mode 100644
index 0000000..c7edf60
--- /dev/null
+++ b/src/mailman_pgp/pgp/mime_multisig.py
@@ -0,0 +1,171 @@
+# Copyright (C) 2017 Jan Jancar
+#
+# This file is a part of the Mailman PGP plugin.
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""MIMEWrapper with multiple signature as per draft-ietf-openpgp-multsig-02."""
+import copy
+from email import message_from_string
+from email.encoders import encode_7or8bit
+from email.mime.application import MIMEApplication
+from email.mime.multipart import MIMEMultipart
+from email.utils import collapse_rfc2231_value
+
+from mailman.email.message import Message, MultipartDigestMessage
+from pgpy import PGPDetachedSignature, PGPSignature
+
+from mailman_pgp.pgp.mime import MIMEWrapper
+from mailman_pgp.utils.email import copy_headers
+
+
+class MIMEMultiSigWrapper(MIMEWrapper):
+ """https://tools.ietf.org/html/draft-ietf-openpgp-multsig-02"""
+
+ _signature_preamble = \
+ 'This is an OpepPGP/MIME signed message' \
+ '(RFC 4880, 3156 and draft-ietf-openpgp-multsig).\n' \
+ 'see https://tools.ietf.org/html/draft-ietf-openpgp-multsig-02' \
+ 'for more details.'
+
+ def is_signed(self):
+ """
+ Whether the message is signed as per draft-ietf-openpgp-multsig-02.
+
+ :return: If the message is MIME signed.
+ :rtype: bool
+ """
+ if not self._is_mime():
+ return False
+ second_part = self.msg.get_payload(1)
+ second_type = second_part.get_content_type()
+ protocol_param = collapse_rfc2231_value(self.msg.get_param('protocol',
+ ''))
+ content_subtype = self.msg.get_content_subtype()
+
+ return (second_part.is_multipart() and
+ second_type == 'multipart/mixed' and
+ content_subtype == 'signed' and
+ protocol_param == 'multipart/mixed' and
+ all(part.get_content_type() == MIMEWrapper._signed_type
+ for part in second_part.get_payload()))
+
+ def get_signature(self):
+ """
+
+ :return:
+ :rtype: typing.Generator[pgpy.PGPSignature]
+ """
+ for part in self.msg.get_payload(1).get_payload():
+ try:
+ sig = PGPSignature.from_blob(part.get_payload())
+ except:
+ continue
+ yield sig
+
+ def _wrap_signed_multiple(self, msg, payload_msg, signatures, signature):
+ """
+ As per draft-ietf-openpgp-multsig-02.
+
+ :param msg:
+ :param payload_msg:
+ :param signatures:
+ :param signature:
+ :return:
+ """
+ micalg = ', '.join(self._micalg(sig.hash_algorithm)
+ for sig in signature)
+ out = MultipartDigestMessage('signed', micalg=micalg,
+ protocol='multipart/mixed')
+ out.preamble = MIMEMultiSigWrapper._signature_preamble
+
+ second_part = MIMEMultipart()
+ for sig in signatures:
+ second_part.attach(copy.deepcopy(sig))
+
+ sig_part = MIMEApplication(_data=str(signature),
+ _subtype=MIMEWrapper._signature_subtype,
+ _encoder=encode_7or8bit,
+ name='signature.asc')
+ sig_part.add_header('Content-Description',
+ 'OpenPGP digital signature')
+ sig_part.add_header('Content-Disposition', 'attachment',
+ filename='signature.asc')
+ second_part.attach(sig_part)
+ out.attach(copy.deepcopy(payload_msg))
+ out.attach(second_part)
+ copy_headers(msg, out)
+ return out
+
+ def sign(self, key, hash=None):
+ """
+ Sign a message with key.
+
+ :param key: The key to sign with.
+ :type key: pgpy.PGPKey
+ :param hash:
+ :type hash: pgpy.constants.HashAlgorithm
+ :return: The signed message.
+ :rtype: mailman.email.message.Message
+ """
+
+ if self.is_signed():
+ payload_msg = self.msg.get_payload(0)
+ signatures = [part for part in self.msg.get_payload(1)]
+ else:
+ payload_msg = self.msg
+ signatures = []
+ signature = PGPDetachedSignature()
+ signature |= key.sign(payload_msg.as_string(), hash=hash)
+ return self._wrap_signed_multiple(self.msg, payload_msg, signatures,
+ signature)
+
+ def verify(self, key):
+ """
+ Verify the signatures of this message with key.
+
+ :param key: The key to verify with.
+ :type key: pgpy.PGPKey
+ :return: The verified signature.
+ :rtype: Generator[pgpy.types.SignatureVerification]
+ """
+ clear_text = next(iter(self.get_signed()))
+ for signature in self.get_signature():
+ try:
+ verification = key.verify(clear_text, signature)
+ except:
+ continue
+ yield verification
+
+ def decrypt(self, key):
+ """
+ Decrypt this message with key.
+
+ :param key: The key to decrypt with.
+ :type key: pgpy.PGPKey
+ :return: The decrypted message.
+ :rtype: mailman.email.message.Message
+ """
+ pmsg = next(iter(self.get_encrypted()))
+ decrypted = key.decrypt(pmsg)
+
+ dmsg = decrypted.message
+ if isinstance(dmsg, bytearray):
+ dmsg = dmsg.decode(decrypted.charset or 'utf-8')
+
+ out = message_from_string(dmsg, _class=Message)
+ if decrypted.is_signed:
+ out = self._wrap_signed_multiple(out, decrypted.detached_signature)
+ copy_headers(self.msg, out)
+ return out
diff --git a/src/mailman_pgp/pgp/tests/data/messages/mime_multisig.eml b/src/mailman_pgp/pgp/tests/data/messages/mime_multisig.eml
new file mode 100644
index 0000000..555411f
--- /dev/null
+++ b/src/mailman_pgp/pgp/tests/data/messages/mime_multisig.eml
@@ -0,0 +1,65 @@
+To: nobody@example.org
+From: RSA 1024b example <RSA-1024b@example.org>
+Subject: Some subject.
+Message-ID: <76a591ed-bfc4-d08b-73d3-fc2489148fd7@example.org>
+Date: Wed, 21 Jun 2017 13:50:59 +0200
+User-Agent: Mutt/1.7.2 (2016-11-26)
+MIME-Version: 1.0
+Content-Type: multipart/signed; micalg="pgp-sha256, pgp-sha256";
+ protocol="multipart/mixed";
+ boundary="haWP9JQ7TiajUxWjooGlinHgq3IhJGnaj"
+
+This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
+--haWP9JQ7TiajUxWjooGlinHgq3IhJGnaj
+Content-Type: multipart/mixed; boundary="A8WMQ249PdQmpiQhW1ELOnL2UctI16T1g";
+ protected-headers="v1"
+From: RSA 1024b example <RSA-1024b@example.org>
+To: nobody@example.org
+Message-ID: <76a591ed-bfc4-d08b-73d3-fc2489148fd7@example.org>
+Subject: Some subject.
+
+--A8WMQ249PdQmpiQhW1ELOnL2UctI16T1g
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: quoted-printable
+
+Some signed text.
+
+
+--A8WMQ249PdQmpiQhW1ELOnL2UctI16T1g--
+
+--haWP9JQ7TiajUxWjooGlinHgq3IhJGnaj
+Content-Type: multipart/mixed; boundary="abjqkjsfwqsfa546qw2wfq6sdq2sqwr56qqs"
+
+--abjqkjsfwqsfa546qw2wfq6sdq2sqwr56qqs
+Content-Type: application/pgp-signature; name="signature.asc"
+Content-Description: OpenPGP digital signature
+Content-Disposition: attachment; filename="signature.asc"
+
+-----BEGIN PGP SIGNATURE-----
+
+iMoEAQEIADQWIQTUqUiGscoglqZFjlxH8QwIeIS3WAUCWUpjIBYccnNhLTEwMjRi
+QGV4YW1wbGUub3JnAAoJEEfxDAh4hLdYb8wD/0AlaGxAhVGQqrXBuVXSDm4c49VI
+6+DG8cMOCZEin6P96hrLbs4SAm61xivJHPueIRRQ1PfWTcElPn97WuQ48e+/5hhw
+CZevF5CmyODGfriC78LwLRRvq2nF5n9iRww0lINPDyqrBr3mdY8QG+s8qBkTi7IG
+dBBQH0jA6p2OJV72
+=1tln
+-----END PGP SIGNATURE-----
+
+--abjqkjsfwqsfa546qw2wfq6sdq2sqwr56qqs
+Content-Type: application/pgp-signature; name="signature.asc"
+Content-Description: OpenPGP digital signature
+Content-Disposition: attachment; filename="signature.asc"
+
+-----BEGIN PGP SIGNATURE-----
+
+iMoEAQEIADQWIQTUqUiGscoglqZFjlxH8QwIeIS3WAUCWUpjIBYccnNhLTEwMjRi
+QGV4YW1wbGUub3JnAAoJEEfxDAh4hLdYb8wD/0AlaGxAhVGQqrXBuVXSDm4c49VI
+6+DG8cMOCZEin6P96hrLbs4SAm61xivJHPueIRRQ1PfWTcElPn97WuQ48e+/5hhw
+CZevF5CmyODGfriC78LwLRRvq2nF5n9iRww0lINPDyqrBr3mdY8QG+s8qBkTi7IG
+dBBQH0jA6p2OJV72
+=1tln
+-----END PGP SIGNATURE-----
+
+--abjqkjsfwqsfa546qw2wfq6sdq2sqwr56qqs--
+
+--haWP9JQ7TiajUxWjooGlinHgq3IhJGnaj--
diff --git a/src/mailman_pgp/pgp/tests/data/messages/mime_multisig_invalid.eml b/src/mailman_pgp/pgp/tests/data/messages/mime_multisig_invalid.eml
new file mode 100644
index 0000000..a13c1df
--- /dev/null
+++ b/src/mailman_pgp/pgp/tests/data/messages/mime_multisig_invalid.eml
@@ -0,0 +1,65 @@
+To: nobody@example.org
+From: RSA 1024b example <RSA-1024b@example.org>
+Subject: Some subject.
+Message-ID: <76a591ed-bfc4-d08b-73d3-fc2489148fd7@example.org>
+Date: Wed, 21 Jun 2017 13:50:59 +0200
+User-Agent: Mutt/1.7.2 (2016-11-26)
+MIME-Version: 1.0
+Content-Type: multipart/signed; micalg="pgp-sha256, pgp-sha256";
+ protocol="multipart/mixed";
+ boundary="haWP9JQ7TiajUxWjooGlinHgq3IhJGnaj"
+
+This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
+--haWP9JQ7TiajUxWjooGlinHgq3IhJGnaj
+Content-Type: multipart/mixed; boundary="A8WMQ249PdQmpiQhW1ELOnL2UctI16T1g";
+ protected-headers="v1"
+From: RSA 1024b example <RSA-1024b@example.org>
+To: nobody@example.org
+Message-ID: <76a591ed-bfc4-d08b-73d3-fc2489148fd7@example.org>
+Subject: Some subject.
+
+--A8WMQ249PdQmpiQhW1ELOnL2UctI16T1g
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: quoted-printable
+
+Some signed text. With some INVALID text added!!
+
+
+--A8WMQ249PdQmpiQhW1ELOnL2UctI16T1g--
+
+--haWP9JQ7TiajUxWjooGlinHgq3IhJGnaj
+Content-Type: multipart/mixed; boundary="abjqkjsfwqsfa546qw2wfq6sdq2sqwr56qqs"
+
+--abjqkjsfwqsfa546qw2wfq6sdq2sqwr56qqs
+Content-Type: application/pgp-signature; name="signature.asc"
+Content-Description: OpenPGP digital signature
+Content-Disposition: attachment; filename="signature.asc"
+
+-----BEGIN PGP SIGNATURE-----
+
+iMoEAQEIADQWIQTUqUiGscoglqZFjlxH8QwIeIS3WAUCWUpjIBYccnNhLTEwMjRi
+QGV4YW1wbGUub3JnAAoJEEfxDAh4hLdYb8wD/0AlaGxAhVGQqrXBuVXSDm4c49VI
+6+DG8cMOCZEin6P96hrLbs4SAm61xivJHPueIRRQ1PfWTcElPn97WuQ48e+/5hhw
+CZevF5CmyODGfriC78LwLRRvq2nF5n9iRww0lINPDyqrBr3mdY8QG+s8qBkTi7IG
+dBBQH0jA6p2OJV72
+=1tln
+-----END PGP SIGNATURE-----
+
+--abjqkjsfwqsfa546qw2wfq6sdq2sqwr56qqs
+Content-Type: application/pgp-signature; name="signature.asc"
+Content-Description: OpenPGP digital signature
+Content-Disposition: attachment; filename="signature.asc"
+
+-----BEGIN PGP SIGNATURE-----
+
+iMoEAQEIADQWIQTUqUiGscoglqZFjlxH8QwIeIS3WAUCWUpjIBYccnNhLTEwMjRi
+QGV4YW1wbGUub3JnAAoJEEfxDAh4hLdYb8wD/0AlaGxAhVGQqrXBuVXSDm4c49VI
+6+DG8cMOCZEin6P96hrLbs4SAm61xivJHPueIRRQ1PfWTcElPn97WuQ48e+/5hhw
+CZevF5CmyODGfriC78LwLRRvq2nF5n9iRww0lINPDyqrBr3mdY8QG+s8qBkTi7IG
+dBBQH0jA6p2OJV72
+=1tln
+-----END PGP SIGNATURE-----
+
+--abjqkjsfwqsfa546qw2wfq6sdq2sqwr56qqs--
+
+--haWP9JQ7TiajUxWjooGlinHgq3IhJGnaj--
diff --git a/src/mailman_pgp/pgp/tests/test_mime_multisig.py b/src/mailman_pgp/pgp/tests/test_mime_multisig.py
new file mode 100644
index 0000000..2c02a97
--- /dev/null
+++ b/src/mailman_pgp/pgp/tests/test_mime_multisig.py
@@ -0,0 +1,96 @@
+# Copyright (C) 2017 Jan Jancar
+#
+# This file is a part of the Mailman PGP plugin.
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""Tests for the MultiSig wrapper."""
+from parameterized import parameterized
+
+from mailman_pgp.pgp.mime_multisig import MIMEMultiSigWrapper
+from mailman_pgp.pgp.tests.base import load_key, load_message, WrapperTestCase
+
+
+class MultiSigWrapperTestCase(WrapperTestCase):
+ wrapper = MIMEMultiSigWrapper
+
+
+class TestSigning(MultiSigWrapperTestCase):
+ @parameterized.expand([
+ (load_message('mime_signed.eml'),
+ False),
+ (load_message('mime_signed_invalid.eml'),
+ False),
+ (load_message('mime_multisig.eml'),
+ True),
+ (load_message('mime_multisig_invalid.eml'),
+ True),
+ (load_message('clear.eml'),
+ False),
+ (load_message('clear_multipart.eml'),
+ False)
+ ])
+ def test_is_signed(self, message, signed):
+ self.is_signed(message, signed)
+
+ @parameterized.expand([
+ (load_message('mime_signed.eml'),
+ False),
+ (load_message('mime_signed_invalid.eml'),
+ False),
+ (load_message('mime_multisig.eml'),
+ True),
+ (load_message('mime_multisig_invalid.eml'),
+ True),
+ (load_message('clear.eml'),
+ False),
+ (load_message('clear_multipart.eml'),
+ False)
+ ])
+ def test_has_signature(self, message, has):
+ self.has_signature(message, has)
+
+ @parameterized.expand([
+ (load_message('clear.eml'),
+ load_key('rsa_1024.priv.asc')),
+ (load_message('clear_multipart.eml'),
+ load_key('ecc_p256.priv.asc'))
+ ])
+ def test_sign(self, message, key):
+ self.sign(message, key)
+
+ @parameterized.expand([
+ (load_message('clear.eml'),
+ load_key('rsa_1024.priv.asc'),
+ load_key('rsa_1024.pub.asc')),
+ (load_message('clear_multipart.eml'),
+ load_key('ecc_p256.priv.asc'),
+ load_key('ecc_p256.pub.asc')),
+ (load_message('mime_multisig.eml'),
+ load_key('ecc_p256.priv.asc'),
+ load_key('ecc_p256.pub.asc'))
+ ])
+ def test_sign_verify(self, message, priv, pub):
+ self.sign_verify(message, priv, pub)
+
+ @parameterized.expand([
+ (load_message('mime_multisig.eml'),
+ load_key('rsa_1024.pub.asc'),
+ True),
+ (load_message('mime_multisig_invalid.eml'),
+ load_key('rsa_1024.pub.asc'),
+ False)
+ ])
+ def test_verify(self, message, key, valid):
+ self.verify(message, key, valid)
diff --git a/src/mailman_pgp/pgp/wrapper.py b/src/mailman_pgp/pgp/wrapper.py
index af6ce44..59f0fdd 100644
--- a/src/mailman_pgp/pgp/wrapper.py
+++ b/src/mailman_pgp/pgp/wrapper.py
@@ -85,7 +85,8 @@ class PGPWrapper():
"""
:return:
- :rtype: typing.Generator[pgpy.PGPMessage|pgpy.PGPSignature]
+ :rtype: typing.Generator[pgpy.PGPMessage|pgpy.PGPSignature|
+ pgpy.PGPDetachedSignature]
"""
if self.mime.is_signed():
yield from self.mime.get_signature()
generated by cgit v1.2.3-70-g09d2 (git 2.51.2) at 2025-11-08 13:41:01 +0000