S/MIME
Mew’s S/MIME support is based on gpgsm which is included in
GnuPG version 2.
Mew supports GnuPG version 2.0 but does not support version 2.1 at this moment.
Mew assumes that your certificate (signed public key) and your secret key are generated by your company. They are included in a PKCS 12 file.
Architecture
gpgsm is a program to handle S/MIME. gpg-agent is a cache daemon for passphrases. pinentry is a front end that asks a user for a passphrase; Mew provides mew-pinentry. dirmngr is a cache daemon for CRLs.
gpgsm --> gpg-agent --> mew-pinentry --> a user
  |
  +-----> dirmngr --> CRL servers
Please refer to Project Agypten for details.
Mew requires gpgsm and gpg-agent. They are included in the GnuPG 2 package. dirmngr is optional; it is included in a separate package.
Note that dirmngr does not work well in my environment at this moment.
Installation
Obtain the GnuPG 2 package and install it. You can find gpgsm and
gpg-agent. Optionally, install dirmngr if you want to check CRL.
Also install mew-pinentry found in the “bin” directory of the Mew package.
mew-pinentry is called by gpg-agent. You may need to configure
“~/.gnupg/gpg-agent.conf” to tell gpg-agent the path.
pinentry-program /usr/local/bin/mew-pinentry
Importing your private key into your private keyring
First of all, you should obtain a PKCS 12 file, which includes your certificate and your secret key, from your company. Let’s call this file “keycert.p12”.
Next, convert “keycert.p12” to PEM, say “keycert.pem”.
% openssl pkcs12 -in keycert.p12 -out keycert.pem -nodes
and type the passphrase which protects “keycert.p12”.
Then extract your private key.
% openssl pkcs12 -in keycert.pem -export -out key.p12 -nocerts -nodes
and type a new temporary passphrase to protect “key.p12”, then type it again to confirm.
And import your private key into your private keyring.
% gpg-agent --daemon gpgsm --call-protect-tool --p12-import --store key.p12
and type the temporary passphrase, then a new passphrase to protect your private key in the private keyring, and that new passphrase again to confirm.
Importing your public key into your public keyring
Extract certificates from “keycert.p12”.
% openssl pkcs12 -in keycert.p12 -out certs.pem -nokeys
and type the passphrase which protects “keycert.p12”.
Then import the certificates into your public keyring.
% gpgsm --import certs.pem
Trusting your root CA
Put the fingerprint of your root CA to “~/.gnupg/trustlist.txt”.
This is out of order, but when you verify an S/MIME signature with Mew, the certificates used are automatically registered into “~/.gnupg/pubring.kbx”. Thus you can find out the fingerprint values as follows:
% gpgsm -kv
Serial number: 7DD9FE07CFA81EB7107967FBA78934C6
Issuer: /OU=VeriSign Trust Network/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=Class 3 Public Primary Certification Authority - G2/O=VeriSign, Inc./C=US
Subject: /OU=VeriSign Trust Network/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=Class 3 Public Primary Certification Authority - G2/O=VeriSign, Inc./C=US
validity: 1998-05-18 00:00:00 through 2028-08-01 23:59:59
key type: 1024 bit RSA
chain length: none
fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
As in the example above, if Issuer and Subject are the same, the certificate belongs to a root CA. If the listing has a “key usage” line, the certificate is version 3; otherwise it is version 1.
If the root CA’s certificate is version 3, just copy its fingerprint value into a line of “trustlist.txt”. If it is version 1, you need to append “ S relax” to the fingerprint.
For instance, since the example above is a root CA certificate of version 1, the following line should be written in “trustlist.txt”.
85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F S relax
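The rule above (Issuer equals Subject means root CA; a “key usage” line means version 3, otherwise version 1 and “ S relax” is appended) applied to a “gpgsm -kv” listing, as an added example that is not part of Mew or GnuPG. It assumes the text layout shown on this page, and the second and third records of the sample input are constructed with placeholder fingerprints.

```shell
#!/bin/sh
# Added example, not part of Mew or GnuPG: derive "~/.gnupg/trustlist.txt"
# lines from the text that "gpgsm -kv" prints, using the rule stated above:
#   Issuer == Subject        -> self-signed, i.e. a root CA certificate
#   has a "key usage:" line  -> X.509 v3, write the bare fingerprint
#   no "key usage:" line     -> v1, append " S relax"
# Certificates that are not self-signed are ignored. Review the output
# before appending it to trustlist.txt, since every line there is a root
# that gpgsm will trust.
trustlist_lines() {
    awk '
        function flush() {
            if (fpr != "" && issuer != "" && issuer == subject) {
                if (has_ku) print fpr
                else        print fpr " S relax"
            }
            issuer = ""; subject = ""; fpr = ""; has_ku = 0
        }
        /^[ \t]*Serial number:/ { flush(); next }
        /^[ \t]*Issuer:/        { sub(/^[ \t]*Issuer:[ \t]*/, "");      issuer = $0;  next }
        /^[ \t]*Subject:/       { sub(/^[ \t]*Subject:[ \t]*/, "");     subject = $0; next }
        /^[ \t]*key usage:/     { has_ku = 1; next }
        /^[ \t]*fingerprint:/   { sub(/^[ \t]*fingerprint:[ \t]*/, ""); fpr = $0;     next }
        /^[ \t]*$/              { flush() }
        END                     { flush() }
    '
}

# Constructed sample: the v1 VeriSign root from this page, a made-up v3
# self-signed root (placeholder fingerprint), and a made-up end-entity
# certificate that must be skipped because its Issuer differs from Subject.
sample_trustlist() {
    printf '%s\n' \
        'Serial number: 7DD9FE07CFA81EB7107967FBA78934C6' \
        'Issuer: /OU=VeriSign Trust Network/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=Class 3 Public Primary Certification Authority - G2/O=VeriSign, Inc./C=US' \
        'Subject: /OU=VeriSign Trust Network/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=Class 3 Public Primary Certification Authority - G2/O=VeriSign, Inc./C=US' \
        'validity: 1998-05-18 00:00:00 through 2028-08-01 23:59:59' \
        'key type: 1024 bit RSA' \
        'chain length: none' \
        'fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F' \
        '' \
        'Serial number: 01' \
        'Issuer: /CN=Example Corp Root CA/O=Example Corp/C=US' \
        'Subject: /CN=Example Corp Root CA/O=Example Corp/C=US' \
        'key usage: certSign crlSign' \
        'fingerprint: AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA' \
        '' \
        'Serial number: 02' \
        'Issuer: /CN=Example Corp Root CA/O=Example Corp/C=US' \
        'Subject: /CN=alice@example.com/O=Example Corp/C=US' \
        'key usage: digitalSignature keyEncipherment' \
        'fingerprint: BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB' \
    | trustlist_lines
}

sample_trustlist
```

On a real keyring, pipe the actual listing instead: “gpgsm -kv | trustlist_lines”.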
Testing
To ensure that both gpgsm and gpg-agent work well, create a detached signature as follows:
% gpgsm --detach-sign file > sig
and type the new passphrase.
You may see the following warning.
dirmngr[nnnn]: no CRL available for issuer id NNNNN....
This is because the CRL server is not running or CRL files are not available on the CRL server.
If dirmngr does not work well, you can disable CRL checks by putting
the following to “~/.gnupg/gpgsm.conf”.
disable-crl-checks
Again type
% gpgsm --detach-sign file > sig
and type the new passphrase.
If a detached signature is created, congratulations!
To verify the signature, type
% gpgsm --verify sig file
Using S/MIME with Mew
To put the “SS” mark (S/MIME signature) onto a part in the attachments
region, type M-s.
To put the “SE” mark (S/MIME encryption) onto a part in the attachments
region, type M-e.
If you want C-cC-s, C-cC-e, C-cC-b, and C-cC-r
to use S/MIME (not PGP),
configure as follows:
(setq mew-draft-privacy-method 'smime)
The following values can be set to mew-protect-privacy-always-type.
- smime-signature
- smime-encryption
- smime-signature-encryption
- smime-encryption-signature
For instance,
if you want to always sign messages when typing C-cC-c or C-cC-m,
configure as follows:
(setq mew-protect-privacy-always t)
(setq mew-protect-privacy-always-type 'smime-signature)
gpg-agent
Because Mew has a mechanism to cache passphrases, you need not run
gpg-agent. But if you want to use gpgsm on the command line and omit
your passphrase, execute gpg-agent as follows:
% gpg-agent --use-standard-socket --daemon
You can execute gpgsm from everywhere. (It is not necessary for
gpgsm to be a child of gpg-agent.)
Note
Again, dirmngr does not work well in my environment at this moment.