Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Tree: a85d811dbb
Branches Tags
zammad
/
lib
/
secure_mailing
/
smime
/
outgoing.rb

outgoing.rb 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
    2. 

  2. 

  3. class SecureMailing::SMIME::Outgoing < SecureMailing::Backend::HandlerOutgoing
    4. 

  4.   def type
    5. 

  5.     'S/MIME'
    6. 

  6.   end
    7. 

  7. 

  8.   def signed
    9. 

  9.     from       = mail.from.first
    10. 

  10.     cert_model = SMIMECertificate.find_by_email_address(from, filter: { key: 'private', usage: :signature, ignore_usable: true }).first
    11. 

  11.     raise "Unable to find ssl private key for '#{from}'" if !cert_model
    12. 

  12.     raise "Expired certificate for #{from} (fingerprint #{cert_model.fingerprint}) with #{cert_model.parsed.not_before} to #{cert_model.parsed.not_after}" if !security[:sign][:allow_expired] && !cert_model.parsed.usable?
    13. 

  13. 

  14.     private_key = OpenSSL::PKey::RSA.new(cert_model.private_key, cert_model.private_key_secret)
    15. 

  15. 

  16.     Mail.new(OpenSSL::PKCS7.write_smime(OpenSSL::PKCS7.sign(cert_model.parsed, private_key, mail.encoded, chain(cert_model), OpenSSL::PKCS7::DETACHED)))
    17. 

  17.   rescue => e
    18. 

  18.     log('sign', 'failed', e.message)
    19. 

  19.     raise
    20. 

  20.   end
    21. 

  21. 

  22.   def chain(cert)
    23. 

  23.     lookup_issuer_hash = cert.parsed.issuer_hash
    24. 

  24. 

  25.     result = []
    26. 

  26.     loop do
    27. 

  27.       found_cert = SMIMECertificate.find_by(subject_hash: lookup_issuer_hash)
    28. 

  28.       break if found_cert.blank?
    29. 

  29. 

  30.       subject_hash       = found_cert.parsed.subject_hash
    31. 

  31.       lookup_issuer_hash = found_cert.parsed.issuer_hash
    32. 

  32. 

  33.       result.push(found_cert.parsed)
    34. 

  34. 

  35.       # we've reached the root CA
    36. 

  36.       break if subject_hash == lookup_issuer_hash
    37. 

  37.     end
    38. 

  38.     result
    39. 

  39.   end
    40. 

  40. 

  41.   def encrypt(data)
    42. 

  42.     unusable_cert = certificates.detect { |cert| !cert.parsed.usable? }
    43. 

  43.     raise "Unusable certificates for cert with #{unusable_cert.parsed.not_before} to #{unusable_cert.parsed.not_after}" if !security[:encryption][:allow_expired] && unusable_cert.present?
    44. 

  44. 

  45.     Mail.new(OpenSSL::PKCS7.write_smime(OpenSSL::PKCS7.encrypt(certificates.map(&:parsed), data, cipher)))
    46. 

  46.   rescue => e
    47. 

  47.     log('encryption', 'failed', e.message)
    48. 

  48.     raise
    49. 

  49.   end
    50. 

  50. 

  51.   def cipher
    52. 

  52.     @cipher ||= OpenSSL::Cipher.new('AES-128-CBC')
    53. 

  53.   end
    54. 

  54. 

  55.   private
    56. 

  56. 

  57.   def certificates
    58. 

  58.     certificates = []
    59. 

  59.     %w[to cc].each do |recipient|
    60. 

  60.       addresses = mail.send(recipient)
    61. 

  61.       next if !addresses
    62. 

  62. 

  63.       certificates += SMIMECertificate.find_for_multiple_email_addresses!(addresses, filter: { key: 'public', ignore_usable: true, usage: :encryption }, blame: true)
    64. 

  64.     end
    65. 

  65.     certificates
    66. 

  66.   end
    67. 

  67. end
    68.