S/MIME
Mew's S/MIME support is based on "gpgsm" which is included in GnuPG version 2. Mew supports GnuPG version 2.0 but not support version 2.1 at this moment.
Mew assumes that your certificate (signed public key) and your secrete key are generated by your company. They are included in a PKCS 12 file.
Architecture
- "gpgsm" is a program to handle S/MIME.
- "gpg-agent" is a cache daemon of passphrases
- 'pinentry' is a front end to ask a passphrase to a user. Mew provides "mew-pinentry".
- "dirmngr" is a cache daemon of CRL.
gpgsm --> gpg-agent --> mew-pinentry --> a user | +-----> dirmngr --> CRL servers
Please refer to Project Agypten in detail.
- Mew requires "gpgsm" and "gpg-agent". They are included in the GnuPG 2 package.
- "dirmngr" is optional. It is included in a separate package.
Note that "dirmngr" does not work well in my environment at this moment.
Installation
Obtain the GnuPG 2 package and install it. You can find "gpgsm" and "gpg-agent". Optionally, install "dirmngr" if you want to check CRL.
Also install "mew-pinentry" found in the "bin" directory of the Mew package.
"mew-pinentry" is called by "gpg-agent". You may need to configure "~/.gnupg/gpg-agent.conf" to tell "gpg-agent" the path.
pinentry-program /usr/local/bin/mew-pinentry
Importing your private key into your private keyring
First of all, you should obtain a PKCS 12 file, which includes your certificate and your secret key, from your company. Let's call this file "keycert.p12".
First you should convert "keycert.p12" to PEM, say "keycert.pem".
% openssl pkcs12 -in keycert.p12 -out keycert.pem -nodes
and type the passphrase which protects "keycert.p12".
Then extract your private key.
% openssl pkcs12 -in keycert.pem -export -out key.p12 -nocerts -nodes
and type a new temporary passphrase to protect "key.p12", and type the new temporary passphrase again.
And import your private key into your private keyring.
% gpg-agent --daemon gpgsm --call-protect-tool --p12-import --store key.p12
and type the new temporary passpharse, and type a new passphrase to protect your private key in the private keyring, and type the new passphrase again.
Importing your public key into your public keyring
Extract certificates from "keycert.p12".
% openssl pkcs12 -in keycert.p12 -out certs.pem -nokeys
and type the passphrase which protects "keycert.p12".
Then import the certificates into your public keyring.
% gpgsm --import certs.pem
Trusting your root CA
Put the fingerprint of your root CA to "~/.gnupg/trustlist.txt".
This gets things out of sequence but if you verify an S/MIME signature with Mew, used certificates are automatically registered into "~/.gnupg/pubring.kbx". Thus, you can tell fingerprint values as follows:
% gpgsm -kv
Serial number: 7DD9FE07CFA81EB7107967FBA78934C6
Issuer: /OU=VeriSign Trust Network/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=Class 3 Public Primary Certification Authority - G2/O=VeriSign
, Inc./C=US
Subject: /OU=VeriSign Trust Network/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=Class 3 Public Primary Certification Authority - G2/O=VeriSign
, Inc./C=US
validity: 1998-05-18 00:00:00 through 2028-08-01 23:59:59
key type: 1024 bit RSA
chain length: none
fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
As the example above, if Issuer and Subject are the same, it is a certificate of a root CA. If it has "key usage", its version is 3. Otherwise, its version is 1.
If the version of root CA's certificate is 3, just copy its fingerprint value into a line of "trustlist.txt". If the version of root CA's certificate is 1, you need to append " S relax" to the fingerprint.
For instance, the example above is root CA's certificate whose version is 1, the following line should be written in "trustlist.txt".
85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F S relax
Testing
To ensure that both "gpgsm" and "gpg-agent" work well, create a detach signature as follows:
% gpgsm --detach-sign file > sig
and type the new passphrase.
You may see the following warning.
dirmngr[nnnn]: no CRL available for issuer id NNNNN....
This is because the CRL server is not running or CRL files are not available on the CRL server.
If "dirmngr" does not work well, you can disable CRL checks by putting the following to "~/.gnupg/gpgsm.conf".
disable-crl-checks
Again type
% gpgsm --detach-sign file > sig
and type the new passphrase.
If a detached signature is created, congratulation!
To verify the signature, type
% gpgsm --verify sig file
Using S/MIME with Mew
Putting the "SS" mark (S/MIME signature) onto a part in the attachments region, type 'M-s'.
Putting the "SE" mark (S/MIME encryption) onto a part in the attachments region, type 'M-e'.
If you want to 'C-cC-s', 'C-cC-e', 'C-cC-b', and 'C-cC-r' for S/MIME (not for PGP), configure as follows:
(setq mew-draft-privacy-method 'smime)
The following values can be set to 'mew-protect-privacy-always-type'.
- smime-signature
- smime-encryption
- smime-signature-encryption
- smie-encryption-signature
For instance, if you want to sign messages always when typing 'C-cC-c' or 'C-cC-m', configure as follows:
(setq mew-protect-privacy-always t) (setq mew-protect-privacy-always-type 'smime-signature)
gpg-agent
Because Mew has a mechanism to cache passphrases, you need not to run "gpg-agent". But if you want to use "gpgsm" in a command line and omit your passphase, execute "gpg-agent" as follows:
% gpg-agent --use-standard-socket --daemon
You can execute "gpgsm" from everywhere. (It is not necessary for "gpgsm" to be a child of "gpg-agent".)
Note
Again, "dirmngr" does not work well in my environment at this moment.