S/MIME

Mew's S/MIME support is based on "gpgsm" which is included in GnuPG version 2.

Mew assumes that your certificate (signed public key) and your secrete key are generated by your company. They are included in a PKCS 12 file.

Architecture

gpgsm --> gpg-agent --> mew-pinentry --> a user
  |
  +-----> dirmngr   --> CRL servers

Please refer to Project Agypten in detail.

Note that "dirmngr" does not work well in my environment at this moment.

Installation

Obtain the GnuPG 2 package and install it. You can find "gpgsm" and "gpg-agent". Optionally, install "dirmngr" if you want to check CRL.

Also install "mew-pinentry" found in the "bin" directory of the Mew package.

"mew-pinentry" is called by "gpg-agent". You may need to configure "~/.gnupg/gpg-agent.conf" to tell "gpg-agent" the path.

pinentry-program /usr/local/bin/mew-pinentry

Importing your private key into your private keyring

First of all, you should obtain a PKCS 12 file, which includes your certificate and your secret key, from your company. Let's call this file "keycert.p12".

First you should convert "keycert.p12" to PEM, say "keycert.pem".

% openssl pkcs12 -in keycert.p12 -out keycert.pem -nodes

and type the passphrase which protects "keycert.p12".

Then extract your private key.

% openssl pkcs12 -in keycert.pem -export -out key.p12 -nocerts -nodes

and type a new temporary passphrase to protect "key.p12", and type the new temporary passphrase again.

And import your private key into your private keyring.

% gpg-agent --daemon gpgsm --call-protect-tool --p12-import --store key.p12

and type the new temporary passpharse, and type a new passphrase to protect your private key in the private keyring, and type the new passphrase again.

Importing your public key into your public keyring

Extract certificates from "keycert.p12".

% openssl pkcs12 -in keycert.p12 -out certs.pem -nokeys

and type the passphrase which protects "keycert.p12".

Then import the certificates into your public keyring.

% gpgsm --import certs.pem

Trusting your root CA

Put the fingerprint of your root CA to "~/.gnupg/trustlist.txt".

This gets things out of sequence but if you verify an S/MIME signature with Mew, used certificates are automatically registered into "~/.gnupg/pubring.kbx". Thus, you can tell fingerprint values as follows:

% gpgsm -kv
Serial number: 7DD9FE07CFA81EB7107967FBA78934C6
       Issuer: /OU=VeriSign Trust Network/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=Class 3 Public Primary Certification Authority - G2/O=VeriSign
, Inc./C=US
      Subject: /OU=VeriSign Trust Network/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=Class 3 Public Primary Certification Authority - G2/O=VeriSign
, Inc./C=US
     validity: 1998-05-18 00:00:00 through 2028-08-01 23:59:59
     key type: 1024 bit RSA
 chain length: none
  fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F

As the example above, if Issuer and Subject are the same, it is a certificate of a root CA. If it has "key usage", its version is 3. Otherwise, its version is 1.

If the version of root CA's certificate is 3, just copy its fingerprint value into a line of "trustlist.txt". If the version of root CA's certificate is 1, you need to append " S relax" to the fingerprint.

For instance, the example above is root CA's certificate whose version is 1, the following line should be written in "trustlist.txt".

85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F S relax

Testing

To ensure that both "gpgsm" and "gpg-agent" work well, create a detach signature as follows:

% gpgsm --detach-sign file > sig

and type the new passphrase.

You may see the following warning.

dirmngr[nnnn]: no CRL available for issuer id NNNNN....

This is because the CRL server is not running or CRL files are not available on the CRL server.

If "dirmngr" does not work well, you can disable CRL checks by putting the following to "~/.gnupg/gpgsm.conf".

disable-crl-checks

Again type

% gpgsm --detach-sign file > sig

and type the new passphrase.

If a detached signature is created, congratulation!

To verify the signature, type

% gpgsm --verify sig file

Using S/MIME with Mew

Putting the "SS" mark (S/MIME signature) onto a part in the attachments region, type 'M-s'.

Putting the "SE" mark (S/MIME encryption) onto a part in the attachments region, type 'M-e'.

If you want to 'C-cC-s', 'C-cC-e', 'C-cC-b', and 'C-cC-r' for S/MIME (not for PGP), configure as follows:

(setq mew-draft-privacy-method 'smime)

The following values can be set to 'mew-protect-privacy-always-type'.

For instance, if you want to sign messages always when typing 'C-cC-c' or 'C-cC-m', configure as follows:

(setq mew-protect-privacy-always t)
(setq mew-protect-privacy-always-type 'smime-signature)

gpg-agent

Because Mew has a mechanism to cache passphrases, you need not to run "gpg-agent". But if you want to use "gpgsm" in a command line and omit your passphase, execute "gpg-agent" as follows:

% gpg-agent --use-standard-socket --daemon

You can execute "gpgsm" from everywhere. (It is not necessary for "gpgsm" to be a child of "gpg-agent".)

Note

Again, "dirmngr" does not work well in my environment at this moment.