diff --git a/encoding.go b/encoding.go index 47213da..77243fc 100644 --- a/encoding.go +++ b/encoding.go @@ -149,6 +149,7 @@ const ( TypePGPEncrypted ContentType = "application/pgp-encrypted" TypeTextHTML ContentType = "text/html" TypeTextPlain ContentType = "text/plain" + typeSMimeSigned ContentType = `application/pkcs7-signature; name="smime.p7s"` ) // List of MIMETypes @@ -156,6 +157,7 @@ const ( MIMEAlternative MIMEType = "alternative" MIMEMixed MIMEType = "mixed" MIMERelated MIMEType = "related" + MIMESMime MIMEType = `signed; protocol="application/pkcs7-signature"; micalg=sha256` ) // String is a standard method to convert an Charset into a printable format diff --git a/encoding_test.go b/encoding_test.go index 14711b7..11bf991 100644 --- a/encoding_test.go +++ b/encoding_test.go @@ -61,6 +61,11 @@ func TestContentType_String(t *testing.T) { "ContentType: application/pgp-encrypted", TypePGPEncrypted, "application/pgp-encrypted", }, + + { + "ContentType: pkcs7-signature", typeSMimeSigned, + `application/pkcs7-signature; name="smime.p7s"`, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/go.mod b/go.mod index b155b9b..a59f78a 100644 --- a/go.mod +++ b/go.mod @@ -5,3 +5,5 @@ module github.com/wneessen/go-mail go 1.16 + +require go.mozilla.org/pkcs7 v0.9.0 diff --git a/go.sum b/go.sum index e69de29..4ca3691 100644 --- a/go.sum +++ b/go.sum @@ -0,0 +1,2 @@ +go.mozilla.org/pkcs7 v0.9.0 h1:yM4/HS9dYv7ri2biPtxt8ikvB37a980dg69/pKmS+eI= +go.mozilla.org/pkcs7 v0.9.0/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= diff --git a/msg.go b/msg.go index b66bffe..003c086 100644 --- a/msg.go +++ b/msg.go @@ -7,6 +7,8 @@ package mail import ( "bytes" "context" + "crypto/rsa" + "crypto/x509" "embed" "errors" "fmt" @@ -120,6 +122,9 @@ type Msg struct { // noDefaultUserAgent indicates whether the default User Agent will be excluded for the Msg when it's sent. noDefaultUserAgent bool + + // SMime represents a middleware used to sign messages with S/MIME + sMime *SMime } // SendmailPath is the default system path to the sendmail binary @@ -202,6 +207,16 @@ func WithNoDefaultUserAgent() MsgOption { } } +// SignWithSMime configures the Msg to be signed with S/MIME +func (m *Msg) SignWithSMime(privateKey *rsa.PrivateKey, certificate *x509.Certificate) error { + sMime, err := NewSMime(privateKey, certificate) + if err != nil { + return err + } + m.sMime = sMime + return nil +} + // SetCharset sets the encoding charset of the Msg func (m *Msg) SetCharset(c Charset) { m.charset = c @@ -979,10 +994,47 @@ func (m *Msg) applyMiddlewares(msg *Msg) *Msg { return msg } +// signMessage sign the Msg with S/MIME +func (m *Msg) signMessage(msg *Msg) (*Msg, error) { + currentPart := m.GetParts()[0] + currentPart.SetEncoding(EncodingUSASCII) + currentPart.SetContentType(TypeTextPlain) + content, err := currentPart.GetContent() + if err != nil { + return nil, errors.New("failed to extract content from part") + } + + signedContent, err := m.sMime.Sign(content) + if err != nil { + return nil, errors.New("failed to sign message") + } + + signedPart := msg.newPart( + typeSMimeSigned, + WithPartEncoding(EncodingB64), + WithContentDisposition(DispositionSMime), + ) + signedPart.SetContent(*signedContent) + msg.parts = append(msg.parts, signedPart) + + return msg, nil +} + // WriteTo writes the formated Msg into a give io.Writer and satisfies the io.WriteTo interface func (m *Msg) WriteTo(writer io.Writer) (int64, error) { mw := &msgWriter{writer: writer, charset: m.charset, encoder: m.encoder} - mw.writeMsg(m.applyMiddlewares(m)) + msg := m.applyMiddlewares(m) + + if m.sMime != nil { + signedMsg, err := m.signMessage(msg) + if err != nil { + return 0, err + } + msg = signedMsg + } + + mw.writeMsg(msg) + return mw.bytesWritten, mw.err } @@ -1177,6 +1229,11 @@ func (m *Msg) hasMixed() bool { return m.pgptype == 0 && ((len(m.parts) > 0 && len(m.attachments) > 0) || len(m.attachments) > 1) } +// hasSMime returns true if the Msg has should be signed with S/MIME +func (m *Msg) hasSMime() bool { + return m.sMime != nil +} + // hasRelated returns true if the Msg has related parts func (m *Msg) hasRelated() bool { return m.pgptype == 0 && ((len(m.parts) > 0 && len(m.embeds) > 0) || len(m.embeds) > 1) diff --git a/msg_test.go b/msg_test.go index f570b02..8577230 100644 --- a/msg_test.go +++ b/msg_test.go @@ -3246,6 +3246,36 @@ func TestNewMsgWithNoDefaultUserAgent(t *testing.T) { } } +// TestWithSMimeSinging_ValidPrivateKey tests WithSMimeSinging with given privateKey +func TestWithSMimeSinging_ValidPrivateKey(t *testing.T) { + privateKey, err := getDummyPrivateKey() + if err != nil { + t.Errorf("failed to load dummy private key: %s", err) + } + certificate, err := getDummyCertificate(privateKey) + if err != nil { + t.Errorf("failed to load dummy certificate: %s", err) + } + + m := NewMsg() + if err := m.SignWithSMime(privateKey, certificate); err != nil { + t.Errorf("failed to set sMime. Cause: %v", err) + } + if m.sMime.privateKey != privateKey { + t.Errorf("WithSMimeSinging. Expected %v, got: %v", privateKey, m.sMime.privateKey) + } +} + +// TestWithSMimeSinging_InvalidPrivateKey tests WithSMimeSinging with given invalid privateKey +func TestWithSMimeSinging_InvalidPrivateKey(t *testing.T) { + m := NewMsg() + + err := m.SignWithSMime(nil, nil) + if !errors.Is(err, ErrInvalidPrivateKey) { + t.Errorf("failed to check sMimeAuthConfig values correctly: %s", err) + } +} + // Fuzzing tests func FuzzMsg_Subject(f *testing.F) { f.Add("Testsubject") diff --git a/msgwriter.go b/msgwriter.go index ff1b47b..372e1e1 100644 --- a/msgwriter.go +++ b/msgwriter.go @@ -88,6 +88,10 @@ func (mw *msgWriter) writeMsg(msg *Msg) { } } + if msg.hasSMime() { + mw.startMP(MIMESMime, msg.boundary) + mw.writeString(DoubleNewLine) + } if msg.hasMixed() { mw.startMP(MIMEMixed, msg.boundary) mw.writeString(DoubleNewLine) @@ -96,7 +100,7 @@ func (mw *msgWriter) writeMsg(msg *Msg) { mw.startMP(MIMERelated, msg.boundary) mw.writeString(DoubleNewLine) } - if msg.hasAlt() { + if msg.hasAlt() && !msg.hasSMime() { mw.startMP(MIMEAlternative, msg.boundary) mw.writeString(DoubleNewLine) } diff --git a/part.go b/part.go index 7c76b7d..035b342 100644 --- a/part.go +++ b/part.go @@ -20,6 +20,7 @@ type Part struct { encoding Encoding isDeleted bool writeFunc func(io.Writer) (int64, error) + smime bool } // GetContent executes the WriteFunc of the Part and returns the content as byte slice @@ -56,6 +57,11 @@ func (p *Part) GetDescription() string { return p.description } +// IsSMimeSigned returns true if the Part should be singed with S/MIME +func (p *Part) IsSMimeSigned() bool { + return p.smime +} + // SetContent overrides the content of the Part with the given string func (p *Part) SetContent(content string) { buffer := bytes.NewBufferString(content) @@ -82,6 +88,11 @@ func (p *Part) SetDescription(description string) { p.description = description } +// SetIsSMimeSigned sets the flag for signing the Part with S/MIME +func (p *Part) SetIsSMimeSigned(smime bool) { + p.smime = smime +} + // SetWriteFunc overrides the WriteFunc of the Part func (p *Part) SetWriteFunc(writeFunc func(io.Writer) (int64, error)) { p.writeFunc = writeFunc @@ -113,3 +124,10 @@ func WithPartContentDescription(description string) PartOption { p.description = description } } + +// WithSMimeSinging overrides the flag for signing the Part with S/MIME +func WithSMimeSinging() PartOption { + return func(p *Part) { + p.smime = true + } +} diff --git a/part_test.go b/part_test.go index a196986..2b9725f 100644 --- a/part_test.go +++ b/part_test.go @@ -102,6 +102,24 @@ func TestPart_WithPartContentDescription(t *testing.T) { } } +// TestPart_WithSMimeSinging tests the WithSMimeSinging method +func TestPart_WithSMimeSinging(t *testing.T) { + m := NewMsg() + part := m.newPart(TypeTextPlain, WithSMimeSinging()) + if part == nil { + t.Errorf("newPart() WithSMimeSinging() failed: no part returned") + return + } + if part.smime != true { + t.Errorf("newPart() WithSMimeSinging() failed: expected: %v, got: %v", true, part.smime) + } + part.smime = true + part.SetIsSMimeSigned(false) + if part.smime != false { + t.Errorf("newPart() SetIsSMimeSigned() failed: expected: %v, got: %v", false, part.smime) + } +} + // TestPartContentType tests Part.SetContentType func TestPart_SetContentType(t *testing.T) { tests := []struct { @@ -245,6 +263,32 @@ func TestPart_GetContentBroken(t *testing.T) { } } +// TestPart_IsSMimeSigned tests Part.IsSMimeSigned +func TestPart_IsSMimeSigned(t *testing.T) { + tests := []struct { + name string + want bool + }{ + {"smime:", true}, + {"smime:", false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + m := NewMsg() + pl, err := getPartList(m) + if err != nil { + t.Errorf("failed: %s", err) + return + } + pl[0].SetIsSMimeSigned(tt.want) + smime := pl[0].IsSMimeSigned() + if smime != tt.want { + t.Errorf("SetContentType failed. Got: %v, expected: %v", smime, tt.want) + } + }) + } +} + // TestPart_SetWriteFunc tests Part.SetWriteFunc func TestPart_SetWriteFunc(t *testing.T) { c := "This is a test with ümläutß" diff --git a/sime.go b/sime.go new file mode 100644 index 0000000..f230a69 --- /dev/null +++ b/sime.go @@ -0,0 +1,70 @@ +package mail + +import ( + "crypto/rsa" + "crypto/x509" + "errors" + "go.mozilla.org/pkcs7" +) + +var ( + // ErrInvalidPrivateKey should be used if private key is invalid + ErrInvalidPrivateKey = errors.New("invalid private key") + + // ErrInvalidCertificate should be used if certificate is invalid + ErrInvalidCertificate = errors.New("invalid certificate") + + // ErrCouldNotInitialize should be used if the signed data could not initialize + ErrCouldNotInitialize = errors.New("could not initialize signed data") + + // ErrCouldNotAddSigner should be used if the signer could not be added + ErrCouldNotAddSigner = errors.New("could not add signer message") + + // ErrCouldNotFinishSigning should be used if the signing could not be finished + ErrCouldNotFinishSigning = errors.New("could not finish signing") +) + +// SMime is used to sign messages with S/MIME +type SMime struct { + privateKey *rsa.PrivateKey + certificate *x509.Certificate +} + +// NewSMime construct a new instance of SMime with a provided *rsa.PrivateKey +func NewSMime(privateKey *rsa.PrivateKey, certificate *x509.Certificate) (*SMime, error) { + if privateKey == nil { + return nil, ErrInvalidPrivateKey + } + + if certificate == nil { + return nil, ErrInvalidCertificate + } + + return &SMime{ + privateKey: privateKey, + certificate: certificate, + }, nil +} + +// Sign the content with the given privateKey of the method NewSMime +func (sm *SMime) Sign(content []byte) (*string, error) { + toBeSigned, err := pkcs7.NewSignedData(content) + + toBeSigned.SetDigestAlgorithm(pkcs7.OIDDigestAlgorithmSHA256) + if err != nil { + return nil, ErrCouldNotInitialize + } + + if err = toBeSigned.AddSigner(sm.certificate, sm.privateKey, pkcs7.SignerInfoConfig{}); err != nil { + return nil, ErrCouldNotAddSigner + } + + signed, err := toBeSigned.Finish() + if err != nil { + return nil, ErrCouldNotFinishSigning + } + + signedData := string(signed) + + return &signedData, nil +} diff --git a/util_test.go b/util_test.go new file mode 100644 index 0000000..efc088c --- /dev/null +++ b/util_test.go @@ -0,0 +1,41 @@ +package mail + +import ( + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" + "math/big" + "time" +) + +func getDummyPrivateKey() (*rsa.PrivateKey, error) { + privateKey, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, err + } + return privateKey, nil +} + +func getDummyCertificate(privateKey *rsa.PrivateKey) (*x509.Certificate, error) { + template := &x509.Certificate{ + SerialNumber: big.NewInt(1234), + Subject: pkix.Name{Organization: []string{"My Organization"}}, + NotBefore: time.Now(), + NotAfter: time.Now().AddDate(1, 0, 0), + KeyUsage: x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + } + + certDER, err := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey) + if err != nil { + return nil, err + } + + cert, err := x509.ParseCertificate(certDER) + if err != nil { + return nil, err + } + + return cert, nil +}