jstedfast
commented
4 years ago I think this seems like a reasonable feature to have.
Open dkg opened 4 years ago
jstedfast
commented
4 years ago I think this seems like a reasonable feature to have.
jstedfast
commented
4 years ago unwrap, extricate, extract, or unseal... I was thinking unencapsulate but apparently that's not a word ;-) It's also kinda long...
I'm leaning toward unwrap or extract. Internally I've used the word extract in some comments.
I was thinking of adding a GMimeVerifyFlags, but then I'd have to return NULL for the GMimeSignatureList which is the same as the value returned on error, so that feels like a bad API.
Unfortunately, adding a new virtual method on GMimeCryptoContext would break API/ABI, so this would be a good candidate for a GMime v4.0 API.
dkg
commented
4 years ago I prefer unwrap over extract, i think, but i'd be happy with either.
As for the API/ABI break, i think i'm a bit confused:
adding a new value for GMimeVerifyFlags seems like it would be a subtle API/ABI break itself (see #71).
I was unaware that adding a new virtual method breaks API! is that code really part of the practical API/ABI surface? Is the idea that some other GMimeCryptoContext implementation out there might break because it can't fulfill that API? Do we know of other GMimeCryptoContext implementations?
Also: PKCS#7 SignedData will only ever be handled by GMimeApplicationPkcs7Mime objects, not by generic GMimeCryptoContext -- does it need to use the CryptoContext at all?
jstedfast
commented
4 years ago Adding new VerifyFlags doesn't break API/ABI.
Adding a new virtual method breaks ABI because the struct size changes.
Balsa implements their own GMimeCryptoContext subclasses (or used to). I hope they don't find the need to anymore now that GMime uses GpgME.
GMimeApplicationPkcs7Mime uses GMimeCryptoContext to do encryption/decryption/signing/verifying/etc and should also use it to unwrap the signed-data since it would use GpgME to do so. The point of GMimeCryptoContext is to allow consumers of GMime to plug in their own crypto backend (which, admittedly, is less needed now that GMime uses GpgME... but it's there for historical reasons).
dkg
commented
4 years ago When i say that a new VerifyFlag breaks API, I'm using "API" as a description of the semantic behavior of a piece of software with respect to its stated programming interface.
While a new VerifyFlag doesn't change the structure of the API, it does change the semantics, particularly when that flag is supplied.
Anyway, if this can't be done without a API or ABI break, so be it :) -- i just wanted to explore the range of options we have available.
In some circumstances, I don't care about the cryptographic signature on a MIME part, and doing proper signature verification is more expensive than i'd like.
For example, if it's only a proper subpart of a message that is signed (as opposed to a signature in the cryptographic payload), there is no way for me to sanely present the signature to the user. Or, i might have some sort of stashed information about the signature and there is no need to recompute it.
Rendering a lengthy thread under these conditions shouldn't require verifying signatures. But in the case of a PKCS#7 SignedData part, the only way that GMime offers for me to get access to the inner wrapped MIME part is
g_mime_application_pkcs7_verify, which by default does perform the asymmetric cryptographic operations.I would like to have a way to just "unwrap" the part without verifying it, if possible.