feat(smime): allow selection of untrusted certs

Signed-off-by: Richard Steinmetz <[email protected]>

Author: st3iny

lib/Model/EnrichedSmimeCertificate.php

@@ -32,19 +32,14 @@
 class EnrichedSmimeCertificate implements JsonSerializable {
 	private SmimeCertificate $certificate;
 	private SmimeCertificateInfo $info;
-	private SmimeCertificatePurposes $purposes;
 
 	/**
 	 * @param SmimeCertificate $certificate
 	 * @param SmimeCertificateInfo $info
-	 * @param SmimeCertificatePurposes $purposes
 	 */
-	public function __construct(SmimeCertificate         $certificate,
-		SmimeCertificateInfo     $info,
-		SmimeCertificatePurposes $purposes) {
+	public function __construct(SmimeCertificate $certificate, SmimeCertificateInfo $info) {
 		$this->certificate = $certificate;
 		$this->info = $info;
-		$this->purposes = $purposes;
 	}
 
 	/**
@@ -75,25 +70,10 @@ public function setInfo(SmimeCertificateInfo $info): void {
 		$this->info = $info;
 	}
 
-	/**
-	 * @return SmimeCertificatePurposes
-	 */
-	public function getPurposes(): SmimeCertificatePurposes {
-		return $this->purposes;
-	}
-
-	/**
-	 * @param SmimeCertificatePurposes $purposes
-	 */
-	public function setPurposes(SmimeCertificatePurposes $purposes): void {
-		$this->purposes = $purposes;
-	}
-
 	#[ReturnTypeWillChange]
 	public function jsonSerialize() {
 		$json = $this->certificate->jsonSerialize();
 		$json['info'] = $this->info->jsonSerialize();
-		$json['purposes'] = $this->purposes->jsonSerialize();
 		return $json;
 	}
 }

lib/Model/SmimeCertificateInfo.php

@@ -32,13 +32,19 @@ class SmimeCertificateInfo implements JsonSerializable {
 	private ?string $commonName;
 	private ?string $emailAddress;
 	private int $notAfter;
+	private SmimeCertificatePurposes $purposes;
+	private bool $isChainVerified;
 
 	public function __construct(?string $commonName,
 		?string $emailAddress,
-		int $notAfter) {
+		int $notAfter,
+		SmimeCertificatePurposes $purposes,
+		bool $isChainVerified) {
 		$this->commonName = $commonName;
 		$this->emailAddress = $emailAddress;
 		$this->notAfter = $notAfter;
+		$this->purposes = $purposes;
+		$this->isChainVerified = $isChainVerified;
 	}
 
 	/**
@@ -83,12 +89,30 @@ public function setNotAfter(int $notAfter): void {
 		$this->notAfter = $notAfter;
 	}
 
+	public function getPurposes(): SmimeCertificatePurposes {
+		return $this->purposes;
+	}
+
+	public function setPurposes(SmimeCertificatePurposes $purposes): void {
+		$this->purposes = $purposes;
+	}
+
+	public function isChainVerified(): bool {
+		return $this->isChainVerified;
+	}
+
+	public function setIsChainVerified(bool $isChainVerified): void {
+		$this->isChainVerified = $isChainVerified;
+	}
+
 	#[ReturnTypeWillChange]
 	public function jsonSerialize() {
 		return [
 			'commonName' => $this->commonName,
 			'emailAddress' => $this->emailAddress,
 			'notAfter' => $this->notAfter,
+			'purposes' => $this->purposes->jsonSerialize(),
+			'isChainVerified' => $this->isChainVerified,
 		];
 	}
 }

lib/Service/SmimeService.php

@@ -172,24 +172,23 @@ public function parseCertificate(string $certificate): SmimeCertificateInfo {
 			throw new SmimeCertificateParserException('Certificate does not contain an email address');
 		}
 
+		$purposes = new SmimeCertificatePurposes(false, false);
+		foreach ($certificateData['purposes'] as $purpose) {
+			[$state, $_, $name] = $purpose;
+			if ($name === 'smimesign') {
+				$purposes->setSign((bool)$state);
+			} elseif ($name === 'smimeencrypt') {
+				$purposes->setEncrypt((bool)$state);
+			}
+		}
+
+		$caBundle = [$this->certificateManager->getAbsoluteBundlePath()];
 		return new SmimeCertificateInfo(
 			$certificateData['subject']['CN'] ?? null,
 			$certificateData['subject']['emailAddress'] ?? $certificateData['subject']['CN'],
 			$certificateData['validTo_time_t'],
-		);
-	}
-
-	/**
-	 * Get S/MIME related certificate purposes of the given certificate.
-	 *
-	 * @param string $certificate X509 certificate encoded as PEM
-	 * @return SmimeCertificatePurposes
-	 */
-	public function getCertificatePurposes(string $certificate): SmimeCertificatePurposes {
-		$caBundle = [$this->certificateManager->getAbsoluteBundlePath()];
-		return new SmimeCertificatePurposes(
-			openssl_x509_checkpurpose($certificate, X509_PURPOSE_SMIME_SIGN, $caBundle),
-			openssl_x509_checkpurpose($certificate, X509_PURPOSE_SMIME_ENCRYPT, $caBundle),
+			$purposes,
+			openssl_x509_checkpurpose($certificate, X509_PURPOSE_ANY, $caBundle) === true,
 		);
 	}
 
@@ -216,7 +215,6 @@ public function enrichCertificate(SmimeCertificate $certificate): EnrichedSmimeC
 		return new EnrichedSmimeCertificate(
 			$certificate,
 			$this->parseCertificate($decryptedCertificate),
-			$this->getCertificatePurposes($decryptedCertificate),
 		);
 	}
 

src/components/CertificateSettings.vue

@@ -21,8 +21,9 @@
   -->
 
 <template>
-	<div>
+	<div class="certificate-settings">
 		<NcSelect v-model="alias"
+			class="certificate-settings__alias"
 			:options="aliases"
 			:searchable="false"
 			:placeholder="t('mail', 'Select an alias')"
@@ -31,31 +32,43 @@
 			@input="savedCertificate = null" />
 		<NcSelect v-if="alias !== null"
 			v-model="savedCertificate"
+			class="certificate-settings__certificate"
 			:options="smimeCertOptions"
 			:aria-label-combobox="t('mail', 'Select certificates')"
 			:searchable="false" />
-		<ButtonVue type="primary"
+		<NcButton type="primary"
+			class="certificate-settings__submit"
 			:disabled="certificate === null"
 			:aria-label="t('mail', 'Update Certificate')"
 			@click="updateSmimeCertificate">
 			{{ t('mail', 'Update Certificate') }}
-		</ButtonVue>
+		</NcButton>
+		<NcNoteCard v-if="alias && !savedCertificate.isChainVerified"
+			type="warning">
+			<p>{{ t('mail', 'The selected certificate is not trusted by the server. Recipients might not be able to verify your signature.') }}</p>
+		</NcNoteCard>
 	</div>
 </template>
 
 <script>
-import { NcSelect, NcButton as ButtonVue } from '@nextcloud/vue'
+import { NcSelect, NcButton, NcNoteCard } from '@nextcloud/vue'
 import { compareSmimeCertificates } from '../util/smime.js'
 import { mapGetters } from 'vuex'
 import { showError, showSuccess } from '@nextcloud/dialogs'
 import Logger from '../logger.js'
 import moment from '@nextcloud/moment'
 
+const noCertificateOption = () => ({
+	label: t('mail', 'No certificate'),
+	isChainVerified: true,
+})
+
 export default {
 	name: 'CertificateSettings',
 	components: {
 		NcSelect,
-		ButtonVue,
+		NcButton,
+		NcNoteCard,
 	},
 	props: {
 		account: {
@@ -79,7 +92,7 @@ export default {
 					return this.certificate
 				}
 				const saved = this.smimeCertOptions.find(certificate => this.alias.smimeCertificateId === certificate.id)
-				return saved || { label: t('mail', 'No certificate') }
+				return saved || noCertificateOption()
 			},
 			set(newVal) {
 				this.certificate = newVal
@@ -116,13 +129,13 @@ export default {
 					return cert.hasKey
 						&& cert.emailAddress === this.alias.alias
 						&& cert.info.notAfter >= now
-						&& cert.purposes.sign
-						&& cert.purposes.encrypt
+						&& cert.info.purposes.sign
+						&& cert.info.purposes.encrypt
 						// TODO: select a separate certificate for encryption?!
 				})
 				.map(this.mapCertificateToOption)
 				.sort(compareSmimeCertificates)
-			certs.push({ label: t('mail', 'No certificate') })
+			certs.push(noCertificateOption())
 
 			return certs
 		},
@@ -169,19 +182,37 @@ export default {
 				commonName: cert.info.commonName ?? cert.info.emailAddress,
 				expiryDate: moment.unix(cert.info.notAfter).format('LL'),
 			})
-			return { ...cert, label }
+			return {
+				...cert,
+				label,
+				isChainVerified: cert.info.isChainVerified,
+			}
 		},
 	},
 }
 </script>
 
 <style lang="scss" scoped>
-.multiselect--single {
-  width: 100%;
-  margin-bottom: 4px;
-}
+.certificate-settings {
+	&__alias,
+	&__certificate {
+		width: 100%;
+	}
+
+	&__alias + &__certificate {
+		margin-top: 5px
+	}
+
+	&__submit {
+		margin-top: 1rem;
+	}
 
-.button-vue {
-	margin-top: 4px !important;
+	&__warning {
+		display: flex;
+		align-items: center;
+		margin-top: 10px;
+		gap: 10px;
+		color: var(--color-warning-text);
+	}
 }
 </style>

tests/Unit/Service/SmimeServiceTest.php

@@ -37,6 +37,7 @@
 use OCA\Mail\Db\SmimeCertificate;
 use OCA\Mail\Db\SmimeCertificateMapper;
 use OCA\Mail\Model\SmimeCertificateInfo;
+use OCA\Mail\Model\SmimeCertificatePurposes;
 use OCA\Mail\Service\SmimeService;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\ICertificateManager;
@@ -398,6 +399,8 @@ public function provideParseCertificateData(): array {
 					'user',
 					'[email protected]',
 					4862017735,
+					new SmimeCertificatePurposes(true, true),
+					true,
 				),
 			],
 			[
@@ -406,6 +409,18 @@ public function provideParseCertificateData(): array {
 					'cn-only',
 					'[email protected]',
 					4862017727,
+					new SmimeCertificatePurposes(true, true),
+					true,
+				),
+			],
+			[
+				$this->getTestCertificate('[email protected]'),
+				new SmimeCertificateInfo(
+					'user',
+					'[email protected]',
+					4862017705,
+					new SmimeCertificatePurposes(true, true),
+					false,
 				),
 			],
 		];
@@ -416,6 +431,10 @@ public function provideParseCertificateData(): array {
 	 */
 	public function testParseCertificate(SmimeCertificate $certificate,
 		SmimeCertificateInfo $expected): void {
+		$this->certificateManager->expects(self::once())
+			->method('getAbsoluteBundlePath')
+			->willReturn(__DIR__ . '/../../data/smime-certs/imap.localhost.ca.crt');
+
 		$this->assertEquals(
 			$expected,
 			$this->smimeService->parseCertificate($certificate->getCertificate()),