feat(smime): add S/MIME companion-app API and integration

Adds support for delegating S/MIME crypto operations to a separate
companion app over an AIDL service, paralleling the existing OpenPGP /
OpenKeychain integration. The reference provider is CipherMail
(com.ciphermail.android); other providers can implement the same API.

API surface (new module `plugins/smime-api/smime-api/`)
  - ISmimeService AIDL — execute(Intent, ParcelFileDescriptor, int) +
    createOutputPipe(int) for streaming bulk MIME data.
  - SmimeApi helper (sync + async execution wrappers, pipe management).
  - SmimeServiceConnection (bind lifecycle helper).
  - Parcelables: SmimeError, SmimeSignatureResult, SmimeDecryptionResult,
    SmimeCertificateInfo. All carry PARCELABLE_VERSION = 1.
  - Actions: CHECK_PERMISSION, DECRYPT_VERIFY, SIGN_AND_ENCRYPT,
    GET_CERTIFICATES, IMPORT_CERTIFICATE.

Receive-side integration
  - SmimeCryptoHelper (parallels MessageCryptoHelper for OpenPGP):
    detects S/MIME parts, binds to the provider, dispatches DECRYPT_VERIFY,
    surfaces RESULT_CODE_USER_INTERACTION_REQUIRED via PendingIntent so
    the host can launch the provider's passphrase dialog.
  - MessageCryptoStructureDetector.isSmimePart and helpers — detect
    application/pkcs7-mime and PKCS#7 multipart/signed.
  - CryptoResultAnnotation: new S/MIME fields and createSmime* factories.
  - MessageCryptoDisplayStatus: S/MIME signature/encryption mappings to
    the existing display-status badges.
  - MessageLoaderHelper, MessageCryptoPresenter, MessageViewInfoExtractor
    wired through.

Send-side integration
  - SmimeMessageBuilder (parallels PgpMessageBuilder): binds to the
    provider on a background thread, calls SIGN_AND_ENCRYPT, returns the
    wrapped MIME message for SMTP transport. Drafts bypass crypto.
  - MessageCompose: S/MIME branch in createMessageBuilder(), checked
    before PGP.
  - RecipientPresenter.asyncUpdateSmimeCertStatus: calls
    GET_CERTIFICATES on recipient changes; drives the compose lock-icon
    state (green = all certs present, red = missing).

Per-account configuration
  - LegacyAccount / LegacyAccountDto: smimeProvider field +
    isSmimeProviderConfigured.
  - LegacyAccountStorageHandler + DefaultLegacyAccountDataMapper:
    persist smimeProvider.
  - AccountSettingsFragment: S/MIME PreferenceScreen + provider picker.
  - SmimeAppSelectDialog: enumerates installed providers via
    SmimeApi.SERVICE_INTENT and lets the user choose. Binding always
    uses setPackage(account.smimeProvider) to avoid intent-filter
    interception.

Manifest plumbing
  - app-k9mail and app-thunderbird AndroidManifest: <queries> for
    ISmimeService discovery on Android 11+.
  - legacy/ui/legacy AndroidManifest: register SmimeAppSelectDialog.

Cross-process passphrase handshake
  - When the provider's keystore is locked it returns
    RESULT_CODE_USER_INTERACTION_REQUIRED with an immutable PendingIntent
    for its passphrase activity. Thunderbird launches via
    startIntentSenderForResult and retries on RESULT_OK. No inline
    prompting, no IPC timeouts.

Send/receive UX and per-identity signing
  - User-controllable Sign / Encrypt toggles with per-account defaults;
    S/MIME-enabled is persisted separately and a message is never sent
    silently unencrypted.
  - Encrypt-implies-sign enforced (no encrypt without a signature).
  - Per-identity signing: EXTRA_FROM carries the composing account's
    address on SIGN_AND_ENCRYPT so the provider signs with the matching
    certificate.
  - Separate signed / encrypted status icons and an "open in provider"
    action to view any encrypted or signed message in CipherMail.
  - Provider-unavailable handling: never lose a message; gate composer
    close on save completion; offer Drafts-folder assignment.
  - Send failures surface in a dismissible dialog rather than a Toast.
  - Set the intent extras class loader before reading Parcelable extras.
  - Test: RecipientPresenter.onSmimeCertCheckResult result branches.

Author: christine-ciphermail

app-k9mail/src/main/AndroidManifest.xml

@@ -19,6 +19,12 @@
             android:theme="@style/Theme.K9.DayNight.Dialog.Translucent"
             />
 
+        <activity
+            android:name="com.fsck.k9.ui.settings.account.SmimeAppSelectDialog"
+            android:configChanges="locale"
+            android:theme="@style/Theme.K9.DayNight.Dialog.Translucent"
+            />
+
         <activity
             android:name="com.fsck.k9.ui.notification.DeleteConfirmationActivity"
             android:excludeFromRecents="true"

app-thunderbird/src/main/AndroidManifest.xml

@@ -18,6 +18,12 @@
             android:theme="@style/Theme.Thunderbird.DayNight.Dialog.Translucent"
             />
 
+        <activity
+            android:name="com.fsck.k9.ui.settings.account.SmimeAppSelectDialog"
+            android:configChanges="locale"
+            android:theme="@style/Theme.Thunderbird.DayNight.Dialog.Translucent"
+            />
+
         <activity
             android:name="com.fsck.k9.ui.notification.DeleteConfirmationActivity"
             android:excludeFromRecents="true"

core/android/account/src/main/kotlin/net/thunderbird/core/android/account/LegacyAccount.kt

@@ -86,6 +86,19 @@ data class LegacyAccount(
     val isStripSignature: Boolean = false,
     val isSyncRemoteDeletions: Boolean = false,
     val openPgpProvider: String? = null,
+    /**
+     * Package name of the installed S/MIME provider app (e.g.
+     * `"com.ciphermail.android"`) selected for this account, or `null` if
+     * S/MIME is not enabled. Used to target `ISmimeService` binds with an
+     * explicit `setPackage()`, avoiding intent-filter ambiguity when more
+     * than one provider is installed.
+     */
+    val smimeProvider: String? = null,
+    /** Whether S/MIME is turned on for this account; see LegacyAccountDto.smimeEnabled. */
+    val smimeEnabled: Boolean = false,
+    /** Last S/MIME sign/encrypt choice in the composer; see LegacyAccountDto. */
+    val smimeSign: Boolean = true,
+    val smimeEncrypt: Boolean = true,
     val openPgpKey: Long = 0,
     val autocryptPreferEncryptMutual: Boolean = false,
     val isOpenPgpHideSignOnly: Boolean = false,

core/android/account/src/main/kotlin/net/thunderbird/core/android/account/LegacyAccountDto.kt

@@ -320,6 +320,53 @@ open class LegacyAccountDto(
             field = value?.takeIf { it.isNotEmpty() }
         }
 
+    /**
+     * Package name of the S/MIME provider app this account uses (e.g.
+     * `"com.ciphermail.android"`), or `null` if S/MIME is not enabled.
+     *
+     * Setting an empty string is normalised to `null` so callers can
+     * unset the provider by writing the result of a possibly-empty
+     * EditText without first checking for emptiness.
+     */
+    @get:Synchronized
+    @set:Synchronized
+    var smimeProvider: String? = null
+        set(value) {
+            field = value?.takeIf { it.isNotEmpty() }
+        }
+
+    /**
+     * Whether the user has turned S/MIME on for this account. Independent of
+     * [smimeProvider]: S/MIME can be enabled while no provider app is installed
+     * (provider unresolved). In that state outgoing mail is blocked at send
+     * time rather than silently sent unencrypted.
+     */
+    @get:Synchronized
+    @set:Synchronized
+    var smimeEnabled: Boolean = false
+
+    /**
+     * Per-account memory of the user's last S/MIME sign / encrypt choice in the
+     * composer. Defaults to true (sign and encrypt). When both are false an
+     * S/MIME-enabled account sends a plain message.
+     */
+    @get:Synchronized
+    @set:Synchronized
+    var smimeSign: Boolean = true
+
+    @get:Synchronized
+    @set:Synchronized
+    var smimeEncrypt: Boolean = true
+
+    /**
+     * True iff S/MIME is turned on for this account (see [smimeEnabled]).
+     * Note: enabled does not imply a provider is installed/resolved — callers
+     * that actually perform crypto must additionally check [smimeProvider] and
+     * that its package is installed.
+     */
+    val isSmimeProviderConfigured: Boolean
+        get() = smimeEnabled
+
     @get:Synchronized
     @set:Synchronized
     var openPgpKey: Long = 0

feature/account/storage/legacy/src/main/kotlin/net/thunderbird/feature/account/storage/legacy/LegacyAccountStorageHandler.kt

@@ -226,6 +226,12 @@ class LegacyAccountStorageHandler(
             replaceIdentities(loadIdentities(data.id, storage))
 
             openPgpProvider = storage.getStringOrDefault(keyGen.create("openPgpProvider"), "")
+            smimeProvider = storage.getStringOrDefault(keyGen.create("smimeProvider"), "")
+            // Default true for legacy accounts that already had a provider set,
+            // so upgrading keeps S/MIME enabled.
+            smimeEnabled = storage.getBoolean(keyGen.create("smimeEnabled"), smimeProvider != null)
+            smimeSign = storage.getBoolean(keyGen.create("smimeSign"), true)
+            smimeEncrypt = storage.getBoolean(keyGen.create("smimeEncrypt"), true)
             openPgpKey = storage.getLong(keyGen.create("cryptoKey"), AccountDefaultsProvider.Companion.NO_OPENPGP_KEY)
             isOpenPgpHideSignOnly = storage.getBoolean(keyGen.create("openPgpHideSignOnly"), true)
             isOpenPgpEncryptSubject = storage.getBoolean(keyGen.create("openPgpEncryptSubject"), true)
@@ -395,6 +401,10 @@ class LegacyAccountStorageHandler(
             editor.putBoolean(keyGen.create("openPgpEncryptSubject"), isOpenPgpEncryptSubject)
             editor.putBoolean(keyGen.create("openPgpEncryptAllDrafts"), isOpenPgpEncryptAllDrafts)
             editor.putString(keyGen.create("openPgpProvider"), openPgpProvider)
+            editor.putString(keyGen.create("smimeProvider"), smimeProvider)
+            editor.putBoolean(keyGen.create("smimeEnabled"), smimeEnabled)
+            editor.putBoolean(keyGen.create("smimeSign"), smimeSign)
+            editor.putBoolean(keyGen.create("smimeEncrypt"), smimeEncrypt)
             editor.putBoolean(keyGen.create("autocryptMutualMode"), autocryptPreferEncryptMutual)
             editor.putBoolean(keyGen.create("remoteSearchFullText"), isRemoteSearchFullText)
             editor.putInt(keyGen.create("remoteSearchNumResults"), remoteSearchNumResults)
@@ -507,6 +517,10 @@ class LegacyAccountStorageHandler(
         editor.remove(keyGen.create("cryptoKey"))
         editor.remove(keyGen.create("cryptoSupportSignOnly"))
         editor.remove(keyGen.create("openPgpProvider"))
+        editor.remove(keyGen.create("smimeProvider"))
+        editor.remove(keyGen.create("smimeEnabled"))
+        editor.remove(keyGen.create("smimeSign"))
+        editor.remove(keyGen.create("smimeEncrypt"))
         editor.remove(keyGen.create("openPgpHideSignOnly"))
         editor.remove(keyGen.create("openPgpEncryptSubject"))
         editor.remove(keyGen.create("openPgpEncryptAllDrafts"))

feature/account/storage/legacy/src/main/kotlin/net/thunderbird/feature/account/storage/legacy/mapper/DefaultLegacyAccountDataMapper.kt

@@ -81,6 +81,10 @@ internal class DefaultLegacyAccountDataMapper : LegacyAccountDataMapper {
             isStripSignature = dto.isStripSignature,
             isSyncRemoteDeletions = dto.isSyncRemoteDeletions,
             openPgpProvider = dto.openPgpProvider,
+            smimeProvider = dto.smimeProvider,
+            smimeEnabled = dto.smimeEnabled,
+            smimeSign = dto.smimeSign,
+            smimeEncrypt = dto.smimeEncrypt,
             openPgpKey = dto.openPgpKey,
             autocryptPreferEncryptMutual = dto.autocryptPreferEncryptMutual,
             isOpenPgpHideSignOnly = dto.isOpenPgpHideSignOnly,
@@ -187,6 +191,10 @@ internal class DefaultLegacyAccountDataMapper : LegacyAccountDataMapper {
             isStripSignature = domain.isStripSignature
             isSyncRemoteDeletions = domain.isSyncRemoteDeletions
             openPgpProvider = domain.openPgpProvider
+            smimeProvider = domain.smimeProvider
+            smimeEnabled = domain.smimeEnabled
+            smimeSign = domain.smimeSign
+            smimeEncrypt = domain.smimeEncrypt
             openPgpKey = domain.openPgpKey
             autocryptPreferEncryptMutual = domain.autocryptPreferEncryptMutual
             isOpenPgpHideSignOnly = domain.isOpenPgpHideSignOnly

legacy/common/src/main/AndroidManifest.xml

@@ -263,6 +263,7 @@
             android:name="com.fsck.k9.provider.RawMessageProvider"
             android:authorities="${applicationId}.rawmessageprovider"
             android:exported="false"
+            android:grantUriPermissions="true"
             >
 
             <meta-data

legacy/core/build.gradle.kts

@@ -29,6 +29,7 @@ dependencies {
     implementation(projects.feature.notification.api)
 
     implementation(projects.plugins.openpgpApiLib.openpgpApi)
+    implementation(projects.plugins.smimeApi.smimeApi)
     implementation(projects.feature.telemetry.api)
     implementation(projects.core.featureflag)
     implementation(projects.core.logging.implComposite)

legacy/core/src/main/java/com/fsck/k9/crypto/MessageCryptoStructureDetector.java

@@ -36,6 +36,11 @@ public class MessageCryptoStructureDetector {
     // APPLICATION/PGP is a special case which occurs from mutt. see http://www.mutt.org/doc/PGP-Notes.txt
     private static final String APPLICATION_PGP = "application/pgp";
 
+    private static final String APPLICATION_PKCS7_MIME = "application/pkcs7-mime";
+    private static final String APPLICATION_X_PKCS7_MIME = "application/x-pkcs7-mime";
+    private static final String APPLICATION_PKCS7_SIGNATURE = "application/pkcs7-signature";
+    private static final String APPLICATION_X_PKCS7_SIGNATURE = "application/x-pkcs7-signature";
+
     private static final String PGP_INLINE_START_MARKER = "-----BEGIN PGP MESSAGE-----";
     private static final String PGP_INLINE_SIGNED_START_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----";
     private static final int TEXT_LENGTH_FOR_INLINE_CHECK = 36;
@@ -211,7 +216,43 @@ public static byte[] getSignatureData(Part part) throws IOException, MessagingEx
     }
 
     private static boolean isPartEncryptedOrSigned(Part part) {
-        return isPartMultipartEncrypted(part) || isPartMultipartSigned(part) || isPartPgpInlineEncryptedOrSigned(part);
+        return isPartMultipartEncrypted(part) || isPartMultipartSigned(part) ||
+               isPartPgpInlineEncryptedOrSigned(part) || isSmimePart(part);
+    }
+
+    /**
+     * @return true if {@code part} is an S/MIME part — either an opaque
+     *         {@code application/pkcs7-mime} blob (encrypted, or
+     *         CMS-wrapped signed data) or a {@code multipart/signed} part
+     *         declaring the PKCS#7 detached-signature protocol.
+     */
+    public static boolean isSmimePart(Part part) {
+        return isSmimeEncryptedOrSignedData(part) || isSmimeSignedMultipart(part);
+    }
+
+    /**
+     * @return true for {@code application/pkcs7-mime} (RFC 8551) or its
+     *         legacy {@code x-pkcs7-mime} alias. Covers both encrypted
+     *         envelopedData and signed CMS data.
+     */
+    public static boolean isSmimeEncryptedOrSignedData(Part part) {
+        return isSameMimeType(part.getMimeType(), APPLICATION_PKCS7_MIME) ||
+               isSameMimeType(part.getMimeType(), APPLICATION_X_PKCS7_MIME);
+    }
+
+    /**
+     * @return true for a {@code multipart/signed} part whose
+     *         {@code protocol} parameter is
+     *         {@code application/pkcs7-signature} (or its {@code x-} alias),
+     *         i.e. an S/MIME detached signature.
+     */
+    public static boolean isSmimeSignedMultipart(Part part) {
+        if (!isSameMimeType(part.getMimeType(), MULTIPART_SIGNED)) {
+            return false;
+        }
+        String protocol = MimeUtility.getHeaderParameter(part.getContentType(), PROTOCOL_PARAMETER);
+        return isSameMimeType(protocol, APPLICATION_PKCS7_SIGNATURE) ||
+               isSameMimeType(protocol, APPLICATION_X_PKCS7_SIGNATURE);
     }
 
     private static boolean isPartMultipartSigned(Part part) {

legacy/core/src/main/java/com/fsck/k9/mailstore/CryptoResultAnnotation.java

@@ -5,6 +5,9 @@
 import androidx.annotation.NonNull;
 import androidx.annotation.Nullable;
 
+import com.ciphermail.smime.api.SmimeDecryptionResult;
+import com.ciphermail.smime.api.SmimeError;
+import com.ciphermail.smime.api.SmimeSignatureResult;
 import com.fsck.k9.mail.internet.MimeBodyPart;
 
 import org.openintents.openpgp.OpenPgpDecryptionResult;
@@ -23,6 +26,11 @@ public final class CryptoResultAnnotation {
     private final PendingIntent openPgpInsecureWarningPendingIntent;
     private final boolean overrideCryptoWarning;
 
+    @Nullable private final SmimeDecryptionResult smimeDecryptionResult;
+    @Nullable private final SmimeSignatureResult smimeSignatureResult;
+    @Nullable private final SmimeError smimeError;
+    @Nullable private final PendingIntent smimePendingIntent;
+
     private final CryptoResultAnnotation encapsulatedResult;
 
     private CryptoResultAnnotation(@NonNull CryptoError errorType, MimeBodyPart replacementData,
@@ -42,6 +50,33 @@ private CryptoResultAnnotation(@NonNull CryptoError errorType, MimeBodyPart repl
         this.openPgpInsecureWarningPendingIntent = openPgpInsecureWarningPendingIntent;
         this.overrideCryptoWarning = overrideCryptoWarning;
 
+        this.smimeDecryptionResult = null;
+        this.smimeSignatureResult = null;
+        this.smimeError = null;
+        this.smimePendingIntent = null;
+        this.encapsulatedResult = null;
+    }
+
+    private CryptoResultAnnotation(@NonNull CryptoError errorType, MimeBodyPart replacementData,
+            SmimeDecryptionResult smimeDecryptionResult,
+            SmimeSignatureResult smimeSignatureResult,
+            PendingIntent smimePendingIntent,
+            SmimeError smimeError,
+            boolean overrideCryptoWarning) {
+        this.errorType = errorType;
+        this.replacementData = replacementData;
+
+        this.smimeDecryptionResult = smimeDecryptionResult;
+        this.smimeSignatureResult = smimeSignatureResult;
+        this.smimePendingIntent = smimePendingIntent;
+        this.smimeError = smimeError;
+        this.overrideCryptoWarning = overrideCryptoWarning;
+
+        this.openPgpDecryptionResult = null;
+        this.openPgpSignatureResult = null;
+        this.openPgpPendingIntent = null;
+        this.openPgpInsecureWarningPendingIntent = null;
+        this.openPgpError = null;
         this.encapsulatedResult = null;
     }
 
@@ -60,6 +95,11 @@ private CryptoResultAnnotation(CryptoResultAnnotation annotation, CryptoResultAn
         this.openPgpError = annotation.openPgpError;
         this.overrideCryptoWarning = annotation.overrideCryptoWarning;
 
+        this.smimeDecryptionResult = annotation.smimeDecryptionResult;
+        this.smimeSignatureResult = annotation.smimeSignatureResult;
+        this.smimePendingIntent = annotation.smimePendingIntent;
+        this.smimeError = annotation.smimeError;
+
         this.encapsulatedResult = encapsulatedResult;
     }
 
@@ -95,6 +135,53 @@ public static CryptoResultAnnotation createOpenPgpEncryptionErrorAnnotation(Open
                 CryptoError.OPENPGP_ENCRYPTED_API_ERROR, null, null, null, null, null, error, false);
     }
 
+    /**
+     * Build a success annotation for an S/MIME decrypt/verify operation.
+     *
+     * @param smimeDecryptionResult outcome of decryption (may indicate the
+     *                              part was signed-only or plain).
+     * @param smimeSignatureResult  outcome of signature verification.
+     * @param smimePendingIntent    follow-up interaction (e.g. view signer
+     *                              certificate); nullable.
+     * @param replacementData       the decrypted inner MIME part to
+     *                              substitute for the wrapped one; nullable
+     *                              for sign-only inputs.
+     * @param overrideCryptoWarning {@code true} to suppress the "encrypted
+     *                              content not verified" badge.
+     */
+    public static CryptoResultAnnotation createSmimeResultAnnotation(
+            SmimeDecryptionResult smimeDecryptionResult,
+            SmimeSignatureResult smimeSignatureResult,
+            @Nullable PendingIntent smimePendingIntent,
+            @Nullable MimeBodyPart replacementData,
+            boolean overrideCryptoWarning) {
+        return new CryptoResultAnnotation(CryptoError.SMIME_OK, replacementData,
+                smimeDecryptionResult, smimeSignatureResult, smimePendingIntent, null,
+                overrideCryptoWarning);
+    }
+
+    /**
+     * Build an error annotation for a failed S/MIME decryption. The
+     * message view will show an "encrypted content unavailable" badge with
+     * the {@link SmimeError} as the cause.
+     */
+    public static CryptoResultAnnotation createSmimeEncryptionErrorAnnotation(SmimeError error) {
+        return new CryptoResultAnnotation(CryptoError.SMIME_ENCRYPTED_API_ERROR, null,
+                (SmimeDecryptionResult) null, null, null, error, false);
+    }
+
+    /**
+     * Build an error annotation for a failed S/MIME signature verification.
+     * Unlike encryption errors, {@code replacementData} can still carry the
+     * inner MIME body so the user can read the (now-untrusted) message
+     * content alongside the signature-error badge.
+     */
+    public static CryptoResultAnnotation createSmimeSignatureErrorAnnotation(
+            SmimeError error, @Nullable MimeBodyPart replacementData) {
+        return new CryptoResultAnnotation(CryptoError.SMIME_SIGNED_API_ERROR, replacementData,
+                (SmimeDecryptionResult) null, null, null, error, false);
+    }
+
     public boolean isOpenPgpResult() {
         return openPgpDecryptionResult != null && openPgpSignatureResult != null;
     }
@@ -162,6 +249,30 @@ public MimeBodyPart getReplacementData() {
         return replacementData;
     }
 
+    public boolean isSmimeResult() {
+        return smimeDecryptionResult != null && smimeSignatureResult != null;
+    }
+
+    @Nullable
+    public SmimeDecryptionResult getSmimeDecryptionResult() {
+        return smimeDecryptionResult;
+    }
+
+    @Nullable
+    public SmimeSignatureResult getSmimeSignatureResult() {
+        return smimeSignatureResult;
+    }
+
+    @Nullable
+    public SmimeError getSmimeError() {
+        return smimeError;
+    }
+
+    @Nullable
+    public PendingIntent getSmimePendingIntent() {
+        return smimePendingIntent;
+    }
+
     public boolean isOverrideSecurityWarning() {
         return overrideCryptoWarning;
     }
@@ -189,5 +300,9 @@ public enum CryptoError {
         SIGNED_BUT_UNSUPPORTED,
         ENCRYPTED_BUT_UNSUPPORTED,
         OPENPGP_ENCRYPTED_NO_PROVIDER,
+        SMIME_OK,
+        SMIME_SIGNED_API_ERROR,
+        SMIME_ENCRYPTED_API_ERROR,
+        SMIME_ENCRYPTED_NO_PROVIDER,
     }
 }