
Fixes #4457 - Error while processing S/MIME signed emails when the sender name is different than CN.

Dusan Vuckovic 2 years ago
parent
commit
4c8047c8ca

+ 186 - 57
doc/developer_manual/cookbook/how-to-setup-smime-integration.md

@@ -12,30 +12,34 @@ Navigate to the **System > Integrations > S/MIME** section in GUI, and turn on t
 2. Paste the following text in the **Paste Certificate** box:
 
    ```crt
-   -----BEGIN CERTIFICATE-----
-   MIIEHDCCAwSgAwIBAgIJAM62PKRKUf2uMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
-   VQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xFDASBgNV
-   BAoMC1phbW1hZCBHbWJIMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwP
-   WmFtbWFkIEhlbHBkZXNrMR8wHQYJKoZIhvcNAQkBFhB6YW1tYWRAbG9jYWxob3N0
-   MB4XDTIzMDEwNDE1MTcxOFoXDTIzMDIwMzE1MTcxOFowgZYxCzAJBgNVBAYTAkRF
-   MQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEUMBIGA1UECgwLWmFt
-   bWFkIEdtYkgxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA9aYW1tYWQg
-   SGVscGRlc2sxHzAdBgkqhkiG9w0BCQEWEHphbW1hZEBsb2NhbGhvc3QwggEiMA0G
-   CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd7ExEQqbNisuu/OB48dMZ+dYWOFgY
-   C3z/JAiDexPYNzcZz6JWajaGwJTR2cYJxiyVrNhKusb7YaqOi20D1X4PKn8Siq2H
-   WIMzg5MCR/IQs7tu6f86+pZS6Hyce89ttHEhj3gcv6Ms0ii6XpIAYUK2O7ZMaCiC
-   piUmmCwwcmv79GYOaFwfDt5WIhFuyKroxAXAqObgNai4xu4K8pj3SXed0W+YVJ1I
-   +jCbY2V25iKLs0w9DaPUrhlbGeKezEwRURGDlGlIGX86BXB8tLFEG2qLhKYrokUD
-   ltIU+99Z/GiFhZRuuyL8BUv8kBbPI+YyhiP+e990WC0uipu0sorrAfbTAgMBAAGj
-   azBpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQulBRC4PUBK0Vl
-   Rb1XgRSx3PNMbTAbBgNVHREEFDASgRB6YW1tYWRAbG9jYWxob3N0MBMGA1UdJQQM
-   MAoGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQAwnTs6//5tku3bnZfjoWAN
-   x+AerlhM4tVr/FmyupqhF8Mu8LKqMJ7g4ViBRZmT2a14VzEnzBbbfpARHv0sC0kR
-   xkLfk8yyozmpgipCMtiPQkaCOC/oq4zDc7KVN0w9UpIAl5V/855x2WxDMlmi1d55
-   NwbpVUqC1tPbPhDcC8LifJrovyo8oIvuzVP3ahKdRj5qKYTCThbxEniuKPLXmL+c
-   z19ctAnbEMhxUc9GnVOigB0qGg89w0xNK+Zxc4+HgOn5V36Lp7dPzQjSbs5OPKC5
-   FxzRszDJvJEnF1WOeHNW/K8SlOHM0W0ZvgmVPwqYcWJ5S1yug7MwiiFTecec7k2t
-   -----END CERTIFICATE-----
+   -----BEGIN TRUSTED CERTIFICATE-----
+   MIIEmTCCA4GgAwIBAgIJAOOVkfcMlOvoMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+   BAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEaMBgGA1UE
+   CgwRWmFtbWFkIEZvdW5kYXRpb24xFDASBgNVBAsMC0RldmVsb3BtZW50MRMwEQYD
+   VQQDDAp6YW1tYWQub3JnMB4XDTIzMDExMTEwNDUwMloXDTMzMDEwODEwNDUwMlow
+   gZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxp
+   bjEaMBgGA1UECgwRWmFtbWFkIEZvdW5kYXRpb24xFDASBgNVBAsMC0RldmVsb3Bt
+   ZW50MRgwFgYDVQQDDA9aYW1tYWQgSGVscGRlc2sxHzAdBgkqhkiG9w0BCQEWEHph
+   bW1hZEBsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd
+   7ExEQqbNisuu/OB48dMZ+dYWOFgYC3z/JAiDexPYNzcZz6JWajaGwJTR2cYJxiyV
+   rNhKusb7YaqOi20D1X4PKn8Siq2HWIMzg5MCR/IQs7tu6f86+pZS6Hyce89ttHEh
+   j3gcv6Ms0ii6XpIAYUK2O7ZMaCiCpiUmmCwwcmv79GYOaFwfDt5WIhFuyKroxAXA
+   qObgNai4xu4K8pj3SXed0W+YVJ1I+jCbY2V25iKLs0w9DaPUrhlbGeKezEwRURGD
+   lGlIGX86BXB8tLFEG2qLhKYrokUDltIU+99Z/GiFhZRuuyL8BUv8kBbPI+YyhiP+
+   e990WC0uipu0sorrAfbTAgMBAAGjggEBMIH+MAkGA1UdEwQCMAAwCwYDVR0PBAQD
+   AgXgMB0GA1UdDgQWBBQulBRC4PUBK0VlRb1XgRSx3PNMbTAbBgNVHREEFDASgRB6
+   YW1tYWRAbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMEMIGSBgNVHSMEgYow
+   gYeheqR4MHYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcM
+   BkJlcmxpbjEaMBgGA1UECgwRWmFtbWFkIEZvdW5kYXRpb24xFDASBgNVBAsMC0Rl
+   dmVsb3BtZW50MRMwEQYDVQQDDAp6YW1tYWQub3JnggkAoyQmhzPcTqcwDQYJKoZI
+   hvcNAQELBQADggEBAFSPJoakV7qsq8+0SSSp82O59kAmD2xMojzdv9wu+99Y5d4r
+   Z/oN0S2ZYBu4d0v+RNysIaCSbxt8DKbZ67slhSLl7vON9pkbq9RbvYlVIcB0As+y
+   a3MODFKLPOE6UfszW8TGsyWJrUXufucb4MxBICTa2ZQF+vmg9XSngO6emgo9UQWM
+   Ojl/J0ETQK/oDVO0QtcCv12dnefK6maHuAHA6+MQ+PsxTFRa7VPPsMKM0sRMmyP8
+   Nm154jJaJIb/QLdhPZ73aBmSopOIUOfc7Q39cd7TXaFHBMwe0wXVeuS4N7M+2a+s
+   +Wmv1N+1HnB5/NT7GF3lmrB+PF/oPuMkOIcmbXMwIjAKBggrBgEFBQcDBKAUBggr
+   BgEFBQcDAgYIKwYBBQUHAwE=
+   -----END TRUSTED CERTIFICATE-----
    ```
 
 3. Click on the **Add** button.
@@ -81,39 +85,75 @@ The test sender certificate above was generated for the following sender email a
 ### Upload Recipient Certificate
 
 1. In the same screen, click again on the **Add Certificate** button.
+2. Paste the following text in the **Paste Certificate** box:
+
+   ```crt
+   -----BEGIN TRUSTED CERTIFICATE-----
+   MIIEpTCCA42gAwIBAgIJAOOVkfcMlOvnMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+   BAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEaMBgGA1UE
+   CgwRWmFtbWFkIEZvdW5kYXRpb24xFDASBgNVBAsMC0RldmVsb3BtZW50MRMwEQYD
+   VQQDDAp6YW1tYWQub3JnMB4XDTIzMDExMTA4NTExNloXDTMzMDEwODA4NTExNlow
+   gaAxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxp
+   bjEaMBgGA1UECgwRWmFtbWFkIEZvdW5kYXRpb24xFDASBgNVBAsMC0RldmVsb3Bt
+   ZW50MRUwEwYDVQQDDAxOaWNvbGUgQnJhdW4xJjAkBgkqhkiG9w0BCQEWF25pY29s
+   ZS5icmF1bkB6YW1tYWQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+   AQEAq1/HC+dh0UoRvuMB/7pkydTLcivyxt5OVgmGsKT32YNrmJctYs38It2jiTzJ
+   SIWMeAqTaAaRjjy3P3dUv9FAZFTEPI+zc2tuWCaXnO7ccvpz8QBTZsZZC0gKmXqo
+   4/+qrfUJqC72DeuZlTg2iwaSp63Yeet5ShuVbF+gTgO+vMlRnaKMXNuIJM14Auzb
+   Fsdc+0vMPE52arWORK9woajOCUn1xfGTu917+D24gX6Xic9gnLJKXNYyL7wctVS+
+   US3FPdJLqeNNb2rJyZcrLBtzWXIiVJYnHx4knrWP1m+c3ThQEPeQef/DDws3+3Ub
+   8WYay7oqO7eujYSFBTX1xlPeQwIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV
+   HQ8EBAMCBeAwHQYDVR0OBBYEFFC5iaStg5uoFcetE2u+7rgffdKtMCIGA1UdEQQb
+   MBmBF25pY29sZS5icmF1bkB6YW1tYWQub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwME
+   MIGSBgNVHSMEgYowgYeheqR4MHYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJs
+   aW4xDzANBgNVBAcMBkJlcmxpbjEaMBgGA1UECgwRWmFtbWFkIEZvdW5kYXRpb24x
+   FDASBgNVBAsMC0RldmVsb3BtZW50MRMwEQYDVQQDDAp6YW1tYWQub3JnggkAoyQm
+   hzPcTqcwDQYJKoZIhvcNAQELBQADggEBAEgk7pW68d88cgD38oyHaMqQdQ0Odtzh
+   78a6u2Bki2BtYK+4AwCWdeb+lZLKj6W/CPOWPJriFRMqiRQ6N6eIPRc4x70Q0fMJ
+   JXAWQA4eliHFGLzA+YMyBKiW1EfLU6pIkvWONLG3oVch4gAccHgY6h436OmHtoRr
+   VPiz25xCSe5YZWpLY1KeZ7Ucv51qaMlRHNdwB4ixETFG54bbK6mATiSCw2Wtwqlj
+   qKX2l5VYSxhC51lveLQaVlQHy3nj1M2uGQN6Jv1wc0Pe6Twu3itqYZrJnTJdoq4K
+   ty1IuHWXx7wJ64xa+Rbx5MHXsz1jsML8+UL9DgSw0zjL+BJcF+wuaEEwIjAKBggr
+   BgEFBQcDBKAUBggrBgEFBQcDAgYIKwYBBQUHAwE=
+   -----END TRUSTED CERTIFICATE-----
+   ```
+
+3. Click on the **Add** button.
+
+The test recipient certificate above was generated for the following customer email address: `nicole.braun@zammad.org`. In case your recipient address is different, please see below how to re-generate it.
+
+### Upload CA Certificate
+
+1. In the same screen, click on the **Add Certificate** button.
 2. Paste the following text in the **Paste Certificate** box:
 
    ```crt
    -----BEGIN CERTIFICATE-----
-   MIIENzCCAx+gAwIBAgIJAIzJal+S+jSEMA0GCSqGSIb3DQEBCwUAMIGgMQswCQYD
-   VQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xGjAYBgNV
-   BAoMEVphbW1hZCBGb3VuZGF0aW9uMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEVMBMG
-   A1UEAwwMTmljb2xlIEJyYXVuMSYwJAYJKoZIhvcNAQkBFhduaWNvbGUuYnJhdW5A
-   emFtbWFkLm9yZzAeFw0yMzAxMDQxNTI0NDlaFw0yMzAyMDMxNTI0NDlaMIGgMQsw
-   CQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xGjAY
-   BgNVBAoMEVphbW1hZCBGb3VuZGF0aW9uMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEV
-   MBMGA1UEAwwMTmljb2xlIEJyYXVuMSYwJAYJKoZIhvcNAQkBFhduaWNvbGUuYnJh
-   dW5AemFtbWFkLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtf
-   xwvnYdFKEb7jAf+6ZMnUy3Ir8sbeTlYJhrCk99mDa5iXLWLN/CLdo4k8yUiFjHgK
-   k2gGkY48tz93VL/RQGRUxDyPs3Nrblgml5zu3HL6c/EAU2bGWQtICpl6qOP/qq31
-   Cagu9g3rmZU4NosGkqet2HnreUoblWxfoE4DvrzJUZ2ijFzbiCTNeALs2xbHXPtL
-   zDxOdmq1jkSvcKGozglJ9cXxk7vde/g9uIF+l4nPYJyySlzWMi+8HLVUvlEtxT3S
-   S6njTW9qycmXKywbc1lyIlSWJx8eJJ61j9ZvnN04UBD3kHn/ww8LN/t1G/FmGsu6
-   Kju3ro2EhQU19cZT3kMCAwEAAaNyMHAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw
-   HQYDVR0OBBYEFFC5iaStg5uoFcetE2u+7rgffdKtMCIGA1UdEQQbMBmBF25pY29s
-   ZS5icmF1bkB6YW1tYWQub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA0GCSqGSIb3
-   DQEBCwUAA4IBAQB/x3YH6AJkXpcr7JLi2eLg5Jdt0MpkoBaXRWrPiQgM//geGJxN
-   mu3P0iH/KjzSpVihEm7LBs0vCpQ1mWv85WznKFtBOip5M0I0l7eyqDkuIHkwhrlS
-   2j6wLAMwCi2LbVGzzvn1wEwMTH0ayBuETy68CQrLXEf2du/QfnFFTbJDqN/DGzP0
-   jxelvRfyPWTHho2LxRgizTW/FS79W53b4a7a6lTOAV019hAA6H/Pghzdl7b80G5m
-   h4YVZxK5uydGHaJL1KZ0H0JiLYH22FYjfll6DDwnBbPvppA0bwDgni/i9fS7yP7O
-   LuqgJdzlTyOjoH7ooCm80CNNl3YpA813q7GZ
+   MIIDaDCCAlACCQCjJCaHM9xOpzANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJE
+   RTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xGjAYBgNVBAoMEVph
+   bW1hZCBGb3VuZGF0aW9uMRQwEgYDVQQLDAtEZXZlbG9wbWVudDETMBEGA1UEAwwK
+   emFtbWFkLm9yZzAeFw0yMzAxMTEwNzQ5MDRaFw0zMzAxMDgwNzQ5MDRaMHYxCzAJ
+   BgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEaMBgG
+   A1UECgwRWmFtbWFkIEZvdW5kYXRpb24xFDASBgNVBAsMC0RldmVsb3BtZW50MRMw
+   EQYDVQQDDAp6YW1tYWQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+   AQEA2K/NXzrMeKrbHebm9QIpQLOGVy9Apv76/jSciJ4lYrm/MVbSMnlhKM2GZsgp
+   JQZgUgKFDxfu8WcMYTY9hYMj8HCqMKLjAa/JD1WKgqBuXq82dw+K+xrhON9yFHc7
+   pGwDd+M362ps/dTdwDP9yddGj6JuPgnLfE7KwI/qHGo/Wvt6hTD1kbJ0wzOASvh+
+   wa7FRBKzo3iO40NAJET/5o/dcHwIi+eHTR0KVoZVmaT+aPzewWel2JJCys55Abal
+   NcgjibX6m/DeBDx7VuaArTFY1307ob54gZnjAxvk8dHlia2SMsVN77AujsRvB8BL
+   2vv906nZG+YtoI/U23xpLoS6eQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB2CR8n
+   km6J7HXpbjZh3/fFklM1cb7L2vB4JWMYnbCgaDU4vqXRXezAsi56ZdypofdAZ8C/
+   jIVry+gWCCVXKLbpyWkqJyboOJnHMU93VHg+yAREVI7NmMle0DYRqKgcmXMtJXzc
+   54dO0MxK0n+zUsT08a8e9HHNh++FZLJr7r3AvYvRRV0K2eMX4WETUIIfv1eqhHp1
+   /kdVvaz52eK01Z7D6eE/2mE3nDwaokV/28B6pj4G9mS+68kUul+BhcSNqkeBBvKh
+   4bH8QYop51x5VbUMFZBNjJ5ZkfjmF6G/+pyOeZtH2frPu2Ccxkr3NX/zZ1yKjf9j
+   cdO0kbfpSLHCRbZ0
    -----END CERTIFICATE-----
    ```
 
 3. Click on the **Add** button.
 
-The test recipient certificate above was generated for the following customer email address: `nicole.braun@zammad.org`. In case your recipient address is different, please see below how to re-generate it.
+The test CA certificate above was used to sign both the test sender and test recipient certificates.
 
 ## Create a Test Email Ticket with Encrypted & Signed Content
 
@@ -131,6 +171,49 @@ The test recipient certificate above was generated for the following customer em
 
 You will need an installation of a recent `openssl` utility for the following commands.
 
+### Generate CA Certificate & Private Key
+
+1. Navigate to an empty directory.
+2. Create a text configuration file called `ca.conf` with the following content:
+
+   ```ini
+   [req]
+   distinguished_name = req_distinguished_name
+
+   [req_distinguished_name]
+   countryName = Country Name (2 letter code)
+   countryName_default = DE
+   countryName_min = 2
+   countryName_max = 2
+   stateOrProvinceName = State or Province Name (full name)
+   stateOrProvinceName_default = Berlin
+   stateOrProvinceName_max = 32
+   localityName = Locality Name (eg, city)
+   localityName_default = Berlin
+   0.organizationName = Organization Name (eg, company)
+   0.organizationName_default = Zammad Foundation
+   organizationalUnitName = Organizational Unit Name (eg, section)
+   organizationalUnitName_default = Development
+   commonName = Common Name (e.g. server FQDN or YOUR name)
+   commonName_default = zammad.org
+   commonName_max = 64
+   emailAddress = Email Address
+   emailAddress_default =
+   emailAddress_max = 40
+   ```
+
+   Adjust all `*_default` values to match desired settings, except `emailAddress_default`. Please leave it empty.
+
+3. Run the following command in the same directory:
+
+   ```sh
+   openssl req -x509 -new -nodes -days 3650 -config ca.conf -keyout ca.key -out ca.crt
+   ```
+
+   Confirm each field with a return (the value will be pre-populated from the configuration file).
+
+You can now upload your new test CA certificate. Either upload the actual text file (`ca.crt`) or paste its content in appropriate box. Note that in this case you should NOT upload the generated private key since the certificate may be used only for the trust chain verification.
+
 ### Generate Sender Certificate & Private Key
 
 1. Navigate to an empty directory.
@@ -156,7 +239,7 @@ You will need an installation of a recent `openssl` utility for the following co
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Development
    commonName = Common Name (e.g. server FQDN or YOUR name)
-   commonName_default = Zammad Helpdesk
+   commonName_default = Zammad Foundation
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_default = zammad@localhost
@@ -172,16 +255,32 @@ You will need an installation of a recent `openssl` utility for the following co
 
    Adjust all `*_default` values to match desired settings. The most important is `emailAddress_default` which must match your sender's email address.
 
-3. Run the following command in the same directory:
+3. Run the following command in the same directory to generate the certificate request:
 
    ```sh
-   openssl req -x509 -new -nodes -config sender.conf -keyout sender.key -out sender.crt
+   openssl req -new -nodes -keyout sender.key -out sender.csr -config sender.conf
    ```
 
-   When prompted, enter the pass phrase of the private key from the previous step.
-
    Confirm each field with a return (the value will be pre-populated from the configuration file).
 
+4. Create a text configuration file called `v3_ca.conf`  with the following content:
+
+   ```ini
+   [v3_ca]
+   basicConstraints = CA:FALSE
+   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+   subjectKeyIdentifier = hash
+   subjectAltName = email:copy
+   extendedKeyUsage = emailProtection
+   authorityKeyIdentifier = keyid,issuer
+   ```
+
+5. Run the following command in the same directory to generate and sign the certificate:
+
+   ```sh
+   openssl x509 -req -days 3650 -in sender.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sender.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extensions v3_ca -extfile v3_ca.conf
+   ```
+
 You can now upload your new test sender certificate & private key. Either upload the actual text files (`sender.crt` and `sender.key`) or paste their contents in appropriate boxes. Remember to omit the input for the private key secret since it was not defined during the re-generation, but don't skip the private key upload since the certificate may be used for signing and decryption.
 
 ### Generate Recipient Certificate & Private Key
@@ -224,14 +323,44 @@ You can now upload your new test sender certificate & private key. Either upload
 
    Adjust all `*_default` values to match desired settings. The most important is `emailAddress_default` which must match your recipient's email address.
 
-3. Run the following command in the same directory:
+3. Run the following command in the same directory to generate the certificate request:
 
    ```sh
-   openssl req -x509 -new -nodes -config recipient.conf -keyout recipient.key -out recipient.crt
+   openssl req -new -nodes -keyout recipient.key -out recipient.csr -config recipient.conf
    ```
 
-   When prompted, enter the pass phrase of the private key from the previous step.
-
    Confirm each field with a return (the value will be pre-populated from the configuration file).
 
+4. Create a text configuration file called `v3_ca.conf`  with the following content:
+
+   ```ini
+   [v3_ca]
+   basicConstraints = CA:FALSE
+   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+   subjectKeyIdentifier = hash
+   subjectAltName = email:copy
+   extendedKeyUsage = emailProtection
+   authorityKeyIdentifier = keyid,issuer
+   ```
+
+5. Run the following command in the same directory to generate and sign the certificate:
+
+   ```sh
+   openssl x509 -req -days 3650 -in recipient.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out recipient.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extensions v3_ca -extfile v3_ca.conf
+   ```
+
 You can now upload your new test recipient certificate. Either upload the actual text file (`recipient.crt`) or paste its content in appropriate box. Note that in this case you should NOT upload the generated private key since the certificate may be used only for encryption.
+
+## Other Useful OpenSSL commands
+
+### Dump the Text Content of a Certificate
+
+```sh
+openssl x509 -in sender.crt -text
+```
+
+### Export Certificate to PKCS12 for Usage in Email Clients
+
+```sh
+openssl pkcs12 -export -in sender.crt -inkey sender.key -out sender.p12
+```

+ 22 - 4
lib/secure_mailing/smime/incoming.rb

@@ -229,14 +229,32 @@ class SecureMailing::SMIME::Incoming < SecureMailing::Backend::Handler
   end
 
   def sender_is_signer?
-    signers = @verify_sign_p7enc.certificates.map do |cert|
-      email = cert.subject.to_s.match(%r{emailAddress=(?<address>[^/]+)})
-      email[:address]
-    end
+    signers = email_addresses_from_subject_alt_name
 
     result = signers.include?(mail[:mail_instance].from.first)
     Rails.logger.warn { "S/MIME mail #{mail[:message_id]} signed by #{signers.join(', ')} but sender is #{mail[:mail_instance].from.first}" } if !result
 
     result
   end
+
+  def email_addresses_from_subject_alt_name
+    result = []
+
+    @verify_sign_p7enc.certificates.each do |cert|
+      subject_alt_name = cert.extensions.detect { |extension| extension.oid == 'subjectAltName' }
+      next if subject_alt_name.nil?
+
+      entries = subject_alt_name.value.split(%r{,\s?})
+      entries.each do |entry|
+        identifier, email_address = entry.split(':').map(&:downcase)
+
+        next if identifier.exclude?('email') && identifier.exclude?('rfc822')
+        next if !EmailAddressValidation.new(email_address).valid?
+
+        result.push(email_address)
+      end
+    end
+
+    result
+  end
 end
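Review bot: The match in `sender_is_signer?` is now case-normalised on one side only: `email_addresses_from_subject_alt_name` lowercases every SAN address via `map(&:downcase)`, while `mail[:mail_instance].from.first` is compared as received, so a From header such as `Nicole.Braun@zammad.org` no longer matches a certificate that legitimately carries that address and the mail is reported as "signed by X but sender is Y"; normalise the other side as well, `result = signers.include?(mail[:mail_instance].from.first&.downcase)`, which keeps the old tolerance of a missing From. Dropping the subject `emailAddress=` parsing also means a signer certificate without a subjectAltName extension can never satisfy this check any more — if that is not intended, fall back to the subject lookup only when no SAN email was found. The `entry.split(':')` on a SAN entry whose value contains a colon (`URI:`, `IP Address:`) yields more than two parts and is harmless here only because those identifiers are skipped by the `exclude?` guard; a comment `# only email/rfc822 entries are kept, so extra ':' parts in URI/IP entries do not matter` would make that explicit. The enclosing class starts outside the hunk.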

+ 21 - 0
spec/fixtures/files/smime/SenderNameCA.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 28 - 0
spec/fixtures/files/smime/SenderNameCA.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----

+ 1 - 0
spec/fixtures/files/smime/SenderNameCA.secret

@@ -0,0 +1 @@
+1234

+ 20 - 0
spec/fixtures/files/smime/generate/config/sender_name.cnf

@@ -0,0 +1,20 @@
+[req]
+distinguished_name = subject
+x509_extensions = v3_req
+prompt = no
+
+[subject]
+countryName            = DE
+stateOrProvinceName    = Berlin
+localityName           = Berlin
+organizationName       = Example Security
+organizationalUnitName = IT Department
+commonName             = Sender Name
+emailAddress           = smime-sender-name@example.com
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+subjectAltName = email:copy
+extendedKeyUsage = emailProtection
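Review bot: The `[v3_req]` section reached through `x509_extensions = v3_req` is never applied: `x509_extensions` is consulted only by `openssl req -x509`, and the entrypoint feeds this config to `openssl req -new` to produce a CSR, with the certificate's actual extensions coming from `v3_ca.cnf` at signing time. Either drop the section together with the `x509_extensions` line, or change the key to `req_extensions` if you want the extensions embedded in the CSR too; as written, a reader will assume these lines shape the issued certificate. A one-line comment such as `# extensions are applied from v3_ca.cnf when the CSR is signed` would record the intent.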

+ 11 - 0
spec/fixtures/files/smime/generate/config/sender_name_ca.cnf

@@ -0,0 +1,11 @@
+[req]
+distinguished_name = subject
+prompt = no
+
+[subject]
+countryName            = DE
+stateOrProvinceName    = Berlin
+localityName           = Berlin
+organizationName       = Example Security
+organizationalUnitName = IT Department
+commonName             = example.com
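Review bot: This CA configuration declares no X.509 v3 extensions, so the `openssl req -x509` call in the entrypoint that consumes it issues a self-signed certificate without `basicConstraints = CA:TRUE` or `keyUsage = keyCertSign` (and, depending on the OpenSSL release, possibly with no v3 extension block at all). Verification of the leaf presumably succeeds only because the trust store does not enforce strict CA constraints, which makes the fixture weaker than the issuing CA it is meant to simulate and leaves the `authorityKeyIdentifier = keyid,issuer` requested by `v3_ca.cnf` with no subject key identifier to reference. Adding an extension section for the CA (section name below is illustrative) keeps the fixture close to what a real sender CA looks like.

```ini
[req]
distinguished_name = subject
x509_extensions = v3_ca_ext
prompt = no

; … unchanged: [subject] section …

[v3_ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
```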

+ 7 - 0
spec/fixtures/files/smime/generate/config/v3_ca.cnf

@@ -0,0 +1,7 @@
+[v3_ca]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+subjectAltName = email:copy
+extendedKeyUsage = emailProtection
+authorityKeyIdentifier = keyid,issuer
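Review bot: The section is named `[v3_ca]` but holds end-entity extensions — `basicConstraints = CA:FALSE`, `extendedKeyUsage = emailProtection` — so the `-extensions v3_ca` argument in the entrypoint reads as if a CA profile were being applied to the sender certificate. Since the same name appears in the documentation examples, renaming is optional, but a header comment `; end-entity (S/MIME signer) profile, not a CA profile, despite the section name` at the top of the file would prevent the obvious misreading. The same six extension lines minus `authorityKeyIdentifier` are duplicated in `sender_name.cnf`; keeping a single source here is less error-prone.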

+ 27 - 0
spec/fixtures/files/smime/generate/docker-entrypoint.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -x
+
 echo "Zammad S/MIME test certificate generation"
 
 if [[ ! -e "$CERT_DIR/RootCA.key" ]] || [[ ! -e "$CERT_DIR/RootCA.crt" ]]
@@ -159,5 +161,30 @@ do
   fi
 done
 
+echo "Generating sender name CA certificate"
+
+if [[ ! -e "$CERT_DIR/SenderNameCA.key" ]] || [[ ! -e "$CERT_DIR/SenderNameCA.crt" ]]
+then
+  echo "Generating SenderNameCA.key and SenderNameCA.crt"
+  openssl req -x509 -new -nodes -days 73000 -keyout $CERT_DIR/SenderNameCA.key -out $CERT_DIR/SenderNameCA.crt -config sender_name_ca.cnf
+
+  echo "Generating SenderNameCA.secret"
+  cp pass.secret $CERT_DIR/SenderNameCA.secret
+fi
+
+EMAIL_ADDRESS="smime-sender-name@example.com"
+
+if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
+then
+  echo "Generating $EMAIL_ADDRESS.key and $EMAIL_ADDRESS.csr (certificate signing request)"
+  openssl req -new -nodes -keyout $CERT_DIR/$EMAIL_ADDRESS.key -out $CERT_DIR/$EMAIL_ADDRESS.csr -config sender_name.cnf
+
+  echo "Generating $EMAIL_ADDRESS.crt (certificate)"
+  openssl x509 -req -days 73000 -in $CERT_DIR/$EMAIL_ADDRESS.csr -CA $CERT_DIR/SenderNameCA.crt -CAkey $CERT_DIR/SenderNameCA.key -CAcreateserial -CAserial /tmp/SenderNameCA.seq -out $CERT_DIR/$EMAIL_ADDRESS.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extensions v3_ca -extfile v3_ca.cnf -passin file:pass.secret
+
+  echo "Generating $EMAIL_ADDRESS.secret"
+  cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
+fi
+
 # run command passed to docker run
 exec "$@"
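Review bot: The new openssl invocations expand `$CERT_DIR` and `$EMAIL_ADDRESS` unquoted (`-keyout $CERT_DIR/SenderNameCA.key`, `-out $CERT_DIR/$EMAIL_ADDRESS.csr`, and every path in the long `openssl x509 -req ...` line), whereas the existence checks directly above quote the same paths; quote each path argument, e.g. `-keyout "$CERT_DIR/SenderNameCA.key"`, so a mount point containing spaces cannot split into extra arguments. The `-passin file:pass.secret` on the signing command has nothing to act on because `SenderNameCA.key` is generated with `-nodes` (unencrypted), yet `SenderNameCA.secret` is copied as if the key carried that passphrase — if a test feeds the `.secret` file as the key password, that is presumably a no-op, so either encrypt the CA key as the passphrase implies or drop the `.secret` copy. The `set -x` added in the first hunk traces every command to the build log; that is acceptable while the passphrase is passed by file, but a comment `# set -x is safe here only because secrets are passed via file:, never pass:` would keep it that way.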

+ 1 - 1
spec/fixtures/files/smime/generate/run.sh

@@ -3,6 +3,6 @@
 set -o errexit
 set -o pipefail
 
-docker build --no-cache -t zammad/smime-test-certificates:latest .
+docker build -t zammad/smime-test-certificates:latest . #--no-cache 
 
 docker run --rm -v "$(pwd)/../:/etc/ssl/certs" zammad/smime-test-certificates:latest
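Review bot: `docker build -t zammad/smime-test-certificates:latest . #--no-cache ` leaves the disabled flag as a trailing comment with trailing whitespace, which reads as a debugging leftover rather than a decision. If cached layers are now acceptable for the fixture image, delete the comment; if reproducibility of the generated fixtures matters, restore `--no-cache` so a stale layer cannot silently reuse an old generator image. Either way, a short comment on the line above stating the choice would stop the next person from flipping it back.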
