-
Notifications
You must be signed in to change notification settings - Fork 0
/
mutt_cms_smime.rc
124 lines (90 loc) · 4.39 KB
/
mutt_cms_smime.rc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
## The following options are only available if you have
## compiled in S/MIME support
# If you compiled mutt with support for both PGP and S/MIME, PGP
# will be the default method unless the following option is set
set smime_is_default
# Uncomment this if you don't want to set labels for certificates you add.
# unset smime_ask_cert_label
# Passphrase expiration
set smime_timeout=300
# Global crypto options -- these affect PGP operations as well.
set crypt_autosign = yes
set crypt_replyencrypt = yes
set crypt_replysign = yes
set crypt_replysignencrypted = yes
set crypt_verify_sig = yes
# Section A: Key Management
# The default keyfile for encryption (used by $smime_self_encrypt and
# $postpone_encrypt).
#
# It will also be used for decryption unless
# $smime_decrypt_use_default_key is unset.
#
# It will additionally be used for signing unless $smime_sign_as is
# set to a key.
#
# Unless your key does not have encryption capability, uncomment this
# line and replace the keyid with your own.
#
set smime_default_key="12345678.0"
# If you have a separate signing key, or your key _only_ has signing
# capability, uncomment this line and replace the keyid with your
# signing keyid.
#
# set smime_sign_as="12345678.0"
# Uncomment to make mutt ask what key to use when trying to decrypt a message.
# It will use the default key above (if that was set) else.
# unset smime_decrypt_use_default_key
# Path to a file or directory with trusted certificates
set smime_ca_location="~/.smime/ca-bundle.crt"
# Path to where all known certificates go. (must exist!)
set smime_certificates="~/.smime/certificates"
# Path to where all private keys go. (must exist!)
set smime_keys="~/.smime/keys"
# These are used to extract a certificate from a message.
# First generate a PKCS#7 structure from the message.
# Edit copy message.
set smime_pk7out_command="cat %f"
# Extract the included certificate(s) from a PKCS#7 structure.
# Edit extract certificates
set smime_get_cert_command="openssl cms -cmsout -in %f -certsout /dev/stdout -noout "
# Extract the signer's certificate only from a S/MIME signature (sender verification)
set smime_get_signer_cert_command="openssl cms -verify -in %f -noverify -signer %c -out /dev/null"
# This is used to get the email address the certificate was issued to.
set smime_get_cert_email_command="openssl x509 -in %f -noout -email"
# Add a certificate to the database using smime_keys.
set smime_import_cert_command="smime_keys add_cert %f"
# Section B: Outgoing messages
# Algorithm to use for encryption.
# valid choices are aes128, aes192, aes256, rc2-40, rc2-64, rc2-128, des, des3
set smime_encrypt_with="aes-256-cbc"
# Encrypt a message. Input file is a MIME entity.
#set smime_encrypt_command="openssl cms -encrypt -%a -outform DER -in %f -keyopt rsa_padding_mode:oaep -recip %c"
# Using a helper for this since %c expands to a list of certs.
set smime_encrypt_command="cmsenchelper.sh -alg %a -in %f -recips %c"
# Algorithm for the signature message digest.
# Valid choices are md5, sha1, sha224, sha256, sha384, sha512.
set smime_sign_digest_alg="sha256"
# Sign.
set smime_sign_command="openssl cms -sign -md %d -signer %c -inkey %k -passin stdin -in %f -certfile %i -outform DER"
# Mutt doesn't use the following command but I'm leaving it here anyway.
set smime_sign_opaque_command="openssl cms -stream -nodetach -sign -md %d -signer %c -inkey %k -passin stdin -in %f -certfile %i -outform DER"
# Section C: Incoming messages
# Decrypt a message. Output is a MIME entity.
set smime_decrypt_command="openssl cms -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c"
# Verify a signature of type multipart/signed
set smime_verify_command="openssl cms -verify -inform DER -in %s %C -content %f"
# Verify a signature of type application/x-pkcs7-mime
set smime_verify_opaque_command="\
openssl cms -verify -inform DER -in %s %C || \
openssl cms -verify -inform DER -in %s -noverify 2>/dev/null"
# Section D: Alternatives
# Sign. If you wish to NOT include the certificate your CA used in signing
# your public key, use this command instead.
# set smime_sign_command="openssl smime -sign -md %d -signer %c -inkey %k -passin stdin -in %f -outform DER"
#
# In order to verify the signature only and skip checking the certificate chain:
#
# set smime_verify_command="openssl smime -verify -inform DER -in %s -content %f -noverify"
# set smime_verify_opaque_command="openssl smime -verify -inform DER -in %s -noverify"
#