class SecureMailing::SMIME::Incoming < SecureMailing::Backend::Handler EXPRESSION_MIME = %r{application/(x-pkcs7|pkcs7)-mime}i.freeze EXPRESSION_SIGNATURE = %r{application/(x-pkcs7|pkcs7)-signature}i.freeze OPENSSL_PKCS7_VERIFY_FLAGS = OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN def initialize(mail) super() @mail = mail @content_type = @mail[:mail_instance].content_type end def process return if !process? initialize_article_preferences decrypt verify_signature log end def initialize_article_preferences article_preferences[:security] = { type: 'S/MIME', sign: { success: false, comment: nil, }, encryption: { success: false, comment: nil, } } end def article_preferences @article_preferences ||= begin key = :'x-zammad-article-preferences' @mail[ key ] ||= {} @mail[ key ] end end def process? signed? || smime? end def signed?(content_type = @content_type) EXPRESSION_SIGNATURE.match?(content_type) end def smime?(content_type = @content_type) EXPRESSION_MIME.match?(content_type) end def decrypt return if !smime? success = false comment = 'Unable to find private key to decrypt' ::SMIMECertificate.where.not(private_key: [nil, '']).find_each do |cert| key = OpenSSL::PKey::RSA.new(cert.private_key, cert.private_key_secret) begin decrypted_data = p7enc.decrypt(key, cert.parsed) rescue next end @mail[:mail_instance].header['Content-Type'] = nil @mail[:mail_instance].header['Content-Disposition'] = nil @mail[:mail_instance].header['Content-Transfer-Encoding'] = nil @mail[:mail_instance].header['Content-Description'] = nil new_raw_mail = "#{@mail[:mail_instance].header}#{decrypted_data}" mail_new = Channel::EmailParser.new.parse(new_raw_mail) mail_new.each do |local_key, local_value| @mail[local_key] = local_value end success = true comment = cert.subject if cert.expired? comment += " (Certificate #{cert.fingerprint} with start date #{cert.not_before_at} and end date #{cert.not_after_at} expired!)" end # overwrite content_type for signature checking @content_type = @mail[:mail_instance].content_type break end article_preferences[:security][:encryption] = { success: success, comment: comment, } end def verify_signature return if !signed? success = false comment = 'Unable to find certificate for verification' result = verify_certificate_chain(p7enc.certificates) if result.present? success = true comment = result @mail[:attachments].delete_if do |attachment| signed?(attachment.dig(:preferences, 'Content-Type')) end end article_preferences[:security][:sign] = { success: success, comment: comment, } end def verify_certificate_chain(certificates) return if certificates.blank? subjects = p7enc.certificates.map(&:subject).map(&:to_s) return if subjects.blank? existing_certs = ::SMIMECertificate.where(subject: subjects).sort_by do |certificate| # ensure that we have the same order as the certificates in the mail subjects.index(certificate.subject) end return if existing_certs.blank? if subjects.size > existing_certs.size Rails.logger.debug { "S/MIME mail signed with chain '#{subjects.join(', ')}' but only found '#{existing_certs.map(&:subject).join(', ')}' in database." } end begin existing_certs_store = OpenSSL::X509::Store.new existing_certs.each do |existing_cert| existing_certs_store.add_cert(existing_cert.parsed) end success = p7enc.verify(p7enc.certificates, existing_certs_store, nil, OPENSSL_PKCS7_VERIFY_FLAGS) return if !success existing_certs.map do |existing_cert| result = existing_cert.subject if existing_cert.expired? result += " (Certificate #{existing_cert.fingerprint} with start date #{existing_cert.not_before_at} and end date #{existing_cert.not_after_at} expired!)" end result end.join(', ') rescue => e Rails.logger.error "Error while verifying mail with S/MIME certificate subjects: #{subjects}" Rails.logger.error e nil end end def p7enc OpenSSL::PKCS7.read_smime(@mail[:raw]) end def log %i[sign encryption].each do |action| result = article_preferences[:security][action] next if result.blank? if result[:success] status = 'success' elsif result[:comment].blank? # means not performed next else status = 'failed' end HttpLog.create( direction: 'in', facility: 'S/MIME', url: "#{@mail[:from]} -> #{@mail[:to]}", status: status, ip: nil, request: { message_id: @mail[:message_id], }, response: article_preferences[:security], method: action, created_by_id: 1, updated_by_id: 1, ) end end end