Merge 3154649420 into 077c85bea0

2024-11-23 06:10:48 +01:00 · 2024-09-26 09:38:07 +00:00 · 2024-09-26 09:38:07 +00:00 · 1e3f4fe757
commit 1e3f4fe757
parent 077c85bea0 3154649420
11 changed files with 277 additions and 2 deletions
--- a/encoding.go
+++ b/encoding.go
@ -149,6 +149,7 @@ const (
 	TypePGPEncrypted         ContentType = "application/pgp-encrypted"
 	TypeTextHTML             ContentType = "text/html"
 	TypeTextPlain            ContentType = "text/plain"
+	typeSMimeSigned          ContentType = `application/pkcs7-signature; name="smime.p7s"`
 )

 // List of MIMETypes
@ -156,6 +157,7 @@ const (
 	MIMEAlternative MIMEType = "alternative"
 	MIMEMixed       MIMEType = "mixed"
 	MIMERelated     MIMEType = "related"
+	MIMESMime       MIMEType = `signed; protocol="application/pkcs7-signature"; micalg=sha256`
 )

 // String is a standard method to convert an Charset into a printable format
--- a/encoding_test.go
+++ b/encoding_test.go
@ -61,6 +61,11 @@ func TestContentType_String(t *testing.T) {
 			"ContentType: application/pgp-encrypted", TypePGPEncrypted,
 			"application/pgp-encrypted",
 		},
+
+		{
+			"ContentType: pkcs7-signature", typeSMimeSigned,
+			`application/pkcs7-signature; name="smime.p7s"`,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/go.mod
+++ b/go.mod
@ -5,3 +5,5 @@
 module github.com/wneessen/go-mail

 go 1.16
+
+require go.mozilla.org/pkcs7 v0.9.0
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,2 @@
+go.mozilla.org/pkcs7 v0.9.0 h1:yM4/HS9dYv7ri2biPtxt8ikvB37a980dg69/pKmS+eI=
+go.mozilla.org/pkcs7 v0.9.0/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
--- a/msg.go
+++ b/msg.go
@ -7,6 +7,8 @@ package mail
 import (
 	"bytes"
 	"context"
+	"crypto/rsa"
+	"crypto/x509"
 	"embed"
 	"errors"
 	"fmt"
@ -120,6 +122,9 @@ type Msg struct {

 	// noDefaultUserAgent indicates whether the default User Agent will be excluded for the Msg when it's sent.
 	noDefaultUserAgent bool
+
+	// SMime represents a middleware used to sign messages with S/MIME
+	sMime *SMime
 }

 // SendmailPath is the default system path to the sendmail binary
@ -202,6 +207,16 @@ func WithNoDefaultUserAgent() MsgOption {
 	}
 }

+// SignWithSMime configures the Msg to be signed with S/MIME
+func (m *Msg) SignWithSMime(privateKey *rsa.PrivateKey, certificate *x509.Certificate) error {
+	sMime, err := NewSMime(privateKey, certificate)
+	if err != nil {
+		return err
+	}
+	m.sMime = sMime
+	return nil
+}
+
 // SetCharset sets the encoding charset of the Msg
 func (m *Msg) SetCharset(c Charset) {
 	m.charset = c
@ -979,10 +994,47 @@ func (m *Msg) applyMiddlewares(msg *Msg) *Msg {
 	return msg
 }

+// signMessage sign the Msg with S/MIME
+func (m *Msg) signMessage(msg *Msg) (*Msg, error) {
+	currentPart := m.GetParts()[0]
+	currentPart.SetEncoding(EncodingUSASCII)
+	currentPart.SetContentType(TypeTextPlain)
+	content, err := currentPart.GetContent()
+	if err != nil {
+		return nil, errors.New("failed to extract content from part")
+	}
+
+	signedContent, err := m.sMime.Sign(content)
+	if err != nil {
+		return nil, errors.New("failed to sign message")
+	}
+
+	signedPart := msg.newPart(
+		typeSMimeSigned,
+		WithPartEncoding(EncodingB64),
+		WithContentDisposition(DispositionSMime),
+	)
+	signedPart.SetContent(*signedContent)
+	msg.parts = append(msg.parts, signedPart)
+
+	return msg, nil
+}
+
 // WriteTo writes the formated Msg into a give io.Writer and satisfies the io.WriteTo interface
 func (m *Msg) WriteTo(writer io.Writer) (int64, error) {
 	mw := &msgWriter{writer: writer, charset: m.charset, encoder: m.encoder}
-	mw.writeMsg(m.applyMiddlewares(m))
+	msg := m.applyMiddlewares(m)
+
+	if m.sMime != nil {
+		signedMsg, err := m.signMessage(msg)
+		if err != nil {
+			return 0, err
+		}
+		msg = signedMsg
+	}
+
+	mw.writeMsg(msg)
+
 	return mw.bytesWritten, mw.err
 }

@ -1177,6 +1229,11 @@ func (m *Msg) hasMixed() bool {
 	return m.pgptype == 0 && ((len(m.parts) > 0 && len(m.attachments) > 0) || len(m.attachments) > 1)
 }

+// hasSMime returns true if the Msg has should be signed with S/MIME
+func (m *Msg) hasSMime() bool {
+	return m.sMime != nil
+}
+
 // hasRelated returns true if the Msg has related parts
 func (m *Msg) hasRelated() bool {
 	return m.pgptype == 0 && ((len(m.parts) > 0 && len(m.embeds) > 0) || len(m.embeds) > 1)
--- a/msg_test.go
+++ b/msg_test.go
@ -3246,6 +3246,36 @@ func TestNewMsgWithNoDefaultUserAgent(t *testing.T) {
 	}
 }

+// TestWithSMimeSinging_ValidPrivateKey tests WithSMimeSinging with given privateKey
+func TestWithSMimeSinging_ValidPrivateKey(t *testing.T) {
+	privateKey, err := getDummyPrivateKey()
+	if err != nil {
+		t.Errorf("failed to load dummy private key: %s", err)
+	}
+	certificate, err := getDummyCertificate(privateKey)
+	if err != nil {
+		t.Errorf("failed to load dummy certificate: %s", err)
+	}
+
+	m := NewMsg()
+	if err := m.SignWithSMime(privateKey, certificate); err != nil {
+		t.Errorf("failed to set sMime. Cause: %v", err)
+	}
+	if m.sMime.privateKey != privateKey {
+		t.Errorf("WithSMimeSinging. Expected %v, got: %v", privateKey, m.sMime.privateKey)
+	}
+}
+
+// TestWithSMimeSinging_InvalidPrivateKey tests WithSMimeSinging with given invalid privateKey
+func TestWithSMimeSinging_InvalidPrivateKey(t *testing.T) {
+	m := NewMsg()
+
+	err := m.SignWithSMime(nil, nil)
+	if !errors.Is(err, ErrInvalidPrivateKey) {
+		t.Errorf("failed to check sMimeAuthConfig values correctly: %s", err)
+	}
+}
+
 // Fuzzing tests
 func FuzzMsg_Subject(f *testing.F) {
 	f.Add("Testsubject")
--- a/msgwriter.go
+++ b/msgwriter.go
@ -88,6 +88,10 @@ func (mw *msgWriter) writeMsg(msg *Msg) {
 		}
 	}

+	if msg.hasSMime() {
+		mw.startMP(MIMESMime, msg.boundary)
+		mw.writeString(DoubleNewLine)
+	}
 	if msg.hasMixed() {
 		mw.startMP(MIMEMixed, msg.boundary)
 		mw.writeString(DoubleNewLine)
@ -96,7 +100,7 @@ func (mw *msgWriter) writeMsg(msg *Msg) {
 		mw.startMP(MIMERelated, msg.boundary)
 		mw.writeString(DoubleNewLine)
 	}
-	if msg.hasAlt() {
+	if msg.hasAlt() && !msg.hasSMime() {
 		mw.startMP(MIMEAlternative, msg.boundary)
 		mw.writeString(DoubleNewLine)
 	}
--- a/part.go
+++ b/part.go
@ -20,6 +20,7 @@ type Part struct {
 	encoding    Encoding
 	isDeleted   bool
 	writeFunc   func(io.Writer) (int64, error)
+	smime       bool
 }

 // GetContent executes the WriteFunc of the Part and returns the content as byte slice
@ -56,6 +57,11 @@ func (p *Part) GetDescription() string {
 	return p.description
 }

+// IsSMimeSigned returns true if the Part should be singed with S/MIME
+func (p *Part) IsSMimeSigned() bool {
+	return p.smime
+}
+
 // SetContent overrides the content of the Part with the given string
 func (p *Part) SetContent(content string) {
 	buffer := bytes.NewBufferString(content)
@ -82,6 +88,11 @@ func (p *Part) SetDescription(description string) {
 	p.description = description
 }

+// SetIsSMimeSigned sets the flag for signing the Part with S/MIME
+func (p *Part) SetIsSMimeSigned(smime bool) {
+	p.smime = smime
+}
+
 // SetWriteFunc overrides the WriteFunc of the Part
 func (p *Part) SetWriteFunc(writeFunc func(io.Writer) (int64, error)) {
 	p.writeFunc = writeFunc
@ -113,3 +124,10 @@ func WithPartContentDescription(description string) PartOption {
 		p.description = description
 	}
 }
+
+// WithSMimeSinging overrides the flag for signing the Part with S/MIME
+func WithSMimeSinging() PartOption {
+	return func(p *Part) {
+		p.smime = true
+	}
+}
--- a/part_test.go
+++ b/part_test.go
@ -102,6 +102,24 @@ func TestPart_WithPartContentDescription(t *testing.T) {
 	}
 }

+// TestPart_WithSMimeSinging tests the WithSMimeSinging method
+func TestPart_WithSMimeSinging(t *testing.T) {
+	m := NewMsg()
+	part := m.newPart(TypeTextPlain, WithSMimeSinging())
+	if part == nil {
+		t.Errorf("newPart() WithSMimeSinging() failed: no part returned")
+		return
+	}
+	if part.smime != true {
+		t.Errorf("newPart() WithSMimeSinging() failed: expected: %v, got: %v", true, part.smime)
+	}
+	part.smime = true
+	part.SetIsSMimeSigned(false)
+	if part.smime != false {
+		t.Errorf("newPart() SetIsSMimeSigned() failed: expected: %v, got: %v", false, part.smime)
+	}
+}
+
 // TestPartContentType tests Part.SetContentType
 func TestPart_SetContentType(t *testing.T) {
 	tests := []struct {
@ -245,6 +263,32 @@ func TestPart_GetContentBroken(t *testing.T) {
 	}
 }

+// TestPart_IsSMimeSigned tests Part.IsSMimeSigned
+func TestPart_IsSMimeSigned(t *testing.T) {
+	tests := []struct {
+		name string
+		want bool
+	}{
+		{"smime:", true},
+		{"smime:", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := NewMsg()
+			pl, err := getPartList(m)
+			if err != nil {
+				t.Errorf("failed: %s", err)
+				return
+			}
+			pl[0].SetIsSMimeSigned(tt.want)
+			smime := pl[0].IsSMimeSigned()
+			if smime != tt.want {
+				t.Errorf("SetContentType failed. Got: %v, expected: %v", smime, tt.want)
+			}
+		})
+	}
+}
+
 // TestPart_SetWriteFunc tests Part.SetWriteFunc
 func TestPart_SetWriteFunc(t *testing.T) {
 	c := "This is a test with ümläutß"
--- a/sime.go
+++ b/sime.go
@ -0,0 +1,70 @@
+package mail
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"errors"
+	"go.mozilla.org/pkcs7"
+)
+
+var (
+	// ErrInvalidPrivateKey should be used if private key is invalid
+	ErrInvalidPrivateKey = errors.New("invalid private key")
+
+	// ErrInvalidCertificate should be used if certificate is invalid
+	ErrInvalidCertificate = errors.New("invalid certificate")
+
+	// ErrCouldNotInitialize should be used if the signed data could not initialize
+	ErrCouldNotInitialize = errors.New("could not initialize signed data")
+
+	// ErrCouldNotAddSigner should be used if the signer could not be added
+	ErrCouldNotAddSigner = errors.New("could not add signer message")
+
+	// ErrCouldNotFinishSigning should be used if the signing could not be finished
+	ErrCouldNotFinishSigning = errors.New("could not finish signing")
+)
+
+// SMime is used to sign messages with S/MIME
+type SMime struct {
+	privateKey  *rsa.PrivateKey
+	certificate *x509.Certificate
+}
+
+// NewSMime construct a new instance of SMime with a provided *rsa.PrivateKey
+func NewSMime(privateKey *rsa.PrivateKey, certificate *x509.Certificate) (*SMime, error) {
+	if privateKey == nil {
+		return nil, ErrInvalidPrivateKey
+	}
+
+	if certificate == nil {
+		return nil, ErrInvalidCertificate
+	}
+
+	return &SMime{
+		privateKey:  privateKey,
+		certificate: certificate,
+	}, nil
+}
+
+// Sign the content with the given privateKey of the method NewSMime
+func (sm *SMime) Sign(content []byte) (*string, error) {
+	toBeSigned, err := pkcs7.NewSignedData(content)
+
+	toBeSigned.SetDigestAlgorithm(pkcs7.OIDDigestAlgorithmSHA256)
+	if err != nil {
+		return nil, ErrCouldNotInitialize
+	}
+
+	if err = toBeSigned.AddSigner(sm.certificate, sm.privateKey, pkcs7.SignerInfoConfig{}); err != nil {
+		return nil, ErrCouldNotAddSigner
+	}
+
+	signed, err := toBeSigned.Finish()
+	if err != nil {
+		return nil, ErrCouldNotFinishSigning
+	}
+
+	signedData := string(signed)
+
+	return &signedData, nil
+}
--- a/util_test.go
+++ b/util_test.go
@ -0,0 +1,41 @@
+package mail
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"time"
+)
+
+func getDummyPrivateKey() (*rsa.PrivateKey, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	return privateKey, nil
+}
+
+func getDummyCertificate(privateKey *rsa.PrivateKey) (*x509.Certificate, error) {
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(1234),
+		Subject:      pkix.Name{Organization: []string{"My Organization"}},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(1, 0, 0),
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := x509.ParseCertificate(certDER)
+	if err != nil {
+		return nil, err
+	}
+
+	return cert, nil
+}