Главная Обзор Помощь
Вход
SMusatov
/
zammad
зеркало из https://github.com/zammad/zammad.git
1
0
Ответвить 0
Файлы
Ветка: stable-5.3
Ветки Метки
zammad
/
lib
/
secure_mailing
/
smime
/
outgoing.rb

outgoing.rb 4.0 KB
Постоянная ссылка История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141 
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
    2. 

  2. 

  3. class SecureMailing::SMIME::Outgoing < SecureMailing::Backend::Handler
    4. 

  4. 

  5.   def initialize(mail, security)
    6. 

  6.     super()
    7. 

  7. 

  8.     @mail     = mail
    9. 

  9.     @security = security
    10. 

  10.   end
    11. 

  11. 

  12.   def process
    13. 

  13.     return if !process?
    14. 

  14. 

  15.     @mail = workaround_mail_bit_encoding_issue(@mail)
    16. 

  16. 

  17.     if @security[:sign][:success] && @security[:encryption][:success]
    18. 

  18.       processed = encrypt(signed)
    19. 

  19.       log('sign', 'success')
    20. 

  20.       log('encryption', 'success')
    21. 

  21.     elsif @security[:sign][:success]
    22. 

  22.       processed = Mail.new(signed)
    23. 

  23.       log('sign', 'success')
    24. 

  24.     elsif @security[:encryption][:success]
    25. 

  25.       processed = encrypt(@mail.encoded)
    26. 

  26.       log('encryption', 'success')
    27. 

  27.     end
    28. 

  28. 

  29.     overwrite_mail(processed)
    30. 

  30.   end
    31. 

  31. 

  32.   def process?
    33. 

  33.     return false if @security.blank?
    34. 

  34.     return false if @security[:type] != 'S/MIME'
    35. 

  35. 

  36.     @security[:sign][:success] || @security[:encryption][:success]
    37. 

  37.   end
    38. 

  38. 

  39.   # S/MIME signing fails because of message encoding #3147
    40. 

  40.   # workaround for https://github.com/mikel/mail/issues/1190
    41. 

  41.   def workaround_mail_bit_encoding_issue(mail)
    42. 

  42. 

  43.     # change 7bit/8bit encoding to binary so that
    44. 

  44.     # base64 will be used to encode the content
    45. 

  45.     if mail.body.encoding.include?('bit')
    46. 

  46.       mail.body.encoding = :binary
    47. 

  47.     end
    48. 

  48. 

  49.     # go into recursion for nested parts
    50. 

  50.     mail.parts&.each do |part|
    51. 

  51.       workaround_mail_bit_encoding_issue(part)
    52. 

  52.     end
    53. 

  53. 

  54.     mail
    55. 

  55.   end
    56. 

  56. 

  57.   def overwrite_mail(processed)
    58. 

  58.     @mail.body = nil
    59. 

  59.     @mail.body = processed.body.encoded
    60. 

  60. 

  61.     @mail.content_disposition       = processed.content_disposition
    62. 

  62.     @mail.content_transfer_encoding = processed.content_transfer_encoding
    63. 

  63.     @mail.content_type              = processed.content_type
    64. 

  64.   end
    65. 

  65. 

  66.   def signed
    67. 

  67.     from       = @mail.from.first
    68. 

  68.     cert_model = SMIMECertificate.for_sender_email_address(from)
    69. 

  69.     raise "Unable to find ssl private key for '#{from}'" if !cert_model
    70. 

  70.     raise "Expired certificate for #{from} (fingerprint #{cert_model.fingerprint}) with #{cert_model.not_before_at} to #{cert_model.not_after_at}" if !@security[:sign][:allow_expired] && cert_model.expired?
    71. 

  71. 

  72.     private_key = OpenSSL::PKey::RSA.new(cert_model.private_key, cert_model.private_key_secret)
    73. 

  73. 

  74.     OpenSSL::PKCS7.write_smime(OpenSSL::PKCS7.sign(cert_model.parsed, private_key, @mail.encoded, chain(cert_model), OpenSSL::PKCS7::DETACHED))
    75. 

  75.   rescue => e
    76. 

  76.     log('sign', 'failed', e.message)
    77. 

  77.     raise
    78. 

  78.   end
    79. 

  79. 

  80.   def chain(cert)
    81. 

  81.     lookup_issuer = cert.parsed.issuer.to_s
    82. 

  82. 

  83.     result = []
    84. 

  84.     loop do
    85. 

  85.       found_cert = SMIMECertificate.find_by(subject: lookup_issuer)
    86. 

  86.       break if found_cert.blank?
    87. 

  87. 

  88.       subject       = found_cert.parsed.subject.to_s
    89. 

  89.       lookup_issuer = found_cert.parsed.issuer.to_s
    90. 

  90. 

  91.       result.push(found_cert.parsed)
    92. 

  92. 

  93.       # we've reached the root CA
    94. 

  94.       break if subject == lookup_issuer
    95. 

  95.     end
    96. 

  96.     result
    97. 

  97.   end
    98. 

  98. 

  99.   def encrypt(data)
    100. 

  100.     expired_cert = certificates.detect(&:expired?)
    101. 

  101.     raise "Expired certificates for cert with #{expired_cert.not_before_at} to #{expired_cert.not_after_at}" if !@security[:encryption][:allow_expired] && expired_cert.present?
    102. 

  102. 

  103.     Mail.new(OpenSSL::PKCS7.write_smime(OpenSSL::PKCS7.encrypt(certificates.map(&:parsed), data, cipher)))
    104. 

  104.   rescue => e
    105. 

  105.     log('encryption', 'failed', e.message)
    106. 

  106.     raise
    107. 

  107.   end
    108. 

  108. 

  109.   def cipher
    110. 

  110.     @cipher ||= OpenSSL::Cipher.new('AES-128-CBC')
    111. 

  111.   end
    112. 

  112. 

  113.   def log(action, status, error = nil)
    114. 

  114.     recipients = %i[to cc].map { |recipient| @mail[recipient] }.join(' ').strip!
    115. 

  115.     HttpLog.create(
    116. 

  116.       direction:     'out',
    117. 

  117.       facility:      'S/MIME',
    118. 

  118.       url:           "#{@mail[:from]} -> #{recipients}",
    119. 

  119.       status:        status,
    120. 

  120.       ip:            nil,
    121. 

  121.       request:       @security,
    122. 

  122.       response:      { error: error },
    123. 

  123.       method:        action,
    124. 

  124.       created_by_id: 1,
    125. 

  125.       updated_by_id: 1,
    126. 

  126.     )
    127. 

  127.   end
    128. 

  128. 

  129.   private
    130. 

  130. 

  131.   def certificates
    132. 

  132.     certificates = []
    133. 

  133.     %w[to cc].each do |recipient|
    134. 

  134.       addresses = @mail.send(recipient)
    135. 

  135.       next if !addresses
    136. 

  136. 

  137.       certificates += SMIMECertificate.for_recipipent_email_addresses!(addresses)
    138. 

  138.     end
    139. 

  139.     certificates
    140. 

  140.   end
    141. 

  141. end
    142.