Enigma hybrid decryption

Enigma hybrid decryption

Kyle Francis
Hey everyone,

So I'm mostly finished with the implementation of the hybrid decryption
model.  So far I have the following working:

enigma.js calls a mailvelope API I added for decrypting session key out
of a PGP message
   - decrypted session key and PGP message get posted (over https) back
to the enigma plugin
enigma.php catches posted data and decrypts PGP message with session key
   - modified Crypt_GPG to additionally utilize GPG's
"--override-session-key"

So I can write the decrypted email to a file on the server, but I'd like
to replace the body of the email and reload.  When doing this while
decrypting S/MIME it was simple since the replacing occurred before the
message was completely loaded and rendered out as html.

Is there any way to replace the body (and subsequently parse the body
structure) after all the plugin hooks have run?  I tried calling
exec_hook for message_part_body, but as far as I can tell I would need
to pass the rcube_message object as an argument to do this but I don't
have access to it.

Any thoughts would be greatly appreciated.

-Kyle

_______________________________________________
Roundcube Development discussion mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/dev

Re: Enigma hybrid decryption

A.L.E.C
On 08/30/2016 03:53 PM, Kyle Francis wrote:
> So I'm mostly finished with the implementation of the hybrid decryption
> model.  So far I have the following working:
>
> enigma.js calls a mailvelope API I added for decrypting session key out
> of a PGP message
>   - decrypted session key and PGP message get posted (over https) back
> to the enigma plugin
> enigma.php catches posted data and decrypts PGP message with session key

You post the message body? I thought you'd post only the session-key. We
can get the body from IMAP, so I wouldn't post it.

>   - modified Crypt_GPG to additionally utilize GPG's
> "--override-session-key"

This calls for a PR to Crypt_GPG library.

> So I can write the decrypted email to a file on the server, but I'd like
> to replace the body of the email and reload.  When doing this while
> decrypting S/MIME it was simple since the replacing occurred before the
> message was completely loaded and rendered out as html.
>
> Is there any way to replace the body (and subsequently parse the body
> structure) after all the plugin hooks have run?  I tried calling
> exec_hook for message_part_body, but as far as I can tell I would need
> to pass the rcube_message object as an argument to do this but I don't
> have access to it.

I think it should go through the message parser. So, load the message as
before with all enigma's hooks parsing the message but where decryption
is supposed to be executed use the session-key instead of key/password.
I suppose you'd have to store the session-key in Roundcube session for
some time, as we normally do with private keys passwords.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer        [http://kolab.org]
Roundcube Webmail Developer  [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

Re: Enigma hybrid decryption

Kyle Francis
On 08/30/2016 01:52 PM, A.L.E.C wrote:

> On 08/30/2016 03:53 PM, Kyle Francis wrote:
>> So I'm mostly finished with the implementation of the hybrid decryption
>> model.  So far I have the following working:
>>
>> enigma.js calls a mailvelope API I added for decrypting session key out
>> of a PGP message
>>    - decrypted session key and PGP message get posted (over https) back
>> to the enigma plugin
>> enigma.php catches posted data and decrypts PGP message with session key
> You post the message body? I thought you'd post only the session-key. We
> can get the body from IMAP, so I wouldn't post it.
I was going to only post the session-key, but I have been unable to find
how to locate the message after I post the session-key back to
enigma.php.  I would need the message's UID to pull from IMAP, correct?
I could post that back with the session-key as that is available in
enigma.js via rcmail.env.uid
>>    - modified Crypt_GPG to additionally utilize GPG's
>> "--override-session-key"
> This calls for a PR to Crypt_GPG library.
Will do!

>
>> So I can write the decrypted email to a file on the server, but I'd like
>> to replace the body of the email and reload.  When doing this while
>> decrypting S/MIME it was simple since the replacing occurred before the
>> message was completely loaded and rendered out as html.
>>
>> Is there any way to replace the body (and subsequently parse the body
>> structure) after all the plugin hooks have run?  I tried calling
>> exec_hook for message_part_body, but as far as I can tell I would need
>> to pass the rcube_message object as an argument to do this but I don't
>> have access to it.
> I think it should go through the message parser. So, load the message as
> before with all enigma's hooks parsing the message but where decryption
> is supposed to be executed use the session-key instead of key/password.
> I suppose you'd have to store the session-key in Roundcube session for
> some time, as we normally do with private keys passwords.
>
How do I 'load the message as before'?  The first time it is loaded is
by selecting the message from the inbox.  If I post back the session-key
and message UID, can I go about 're-loading' the message and then have
access to the plugin hooks and message parser?

-Kyle

Re: Enigma hybrid decryption

A.L.E.C
On 08/30/2016 09:08 PM, Kyle Francis wrote:
> How do I 'load the message as before'?  The first time it is loaded is
> by selecting the message from the inbox.  If I post back the session-key
> and message UID, can I go about 're-loading' the message and then have
> access to the plugin hooks and message parser?

I was thinking about something simple:

rcmail.location_href(location.href + '&_session_key=XXX');

but that would be GET, if you want POST you'd need to create a hidden
form and submit it, I suppose.


Re: Enigma hybrid decryption

Kyle Francis

There's a wrapper for HTTP post in rcmail (rcmail.http_post).  I'll try that out and let you know how it works.  Thanks!

-Kyle



Re: Enigma hybrid decryption

A.L.E.C
On 30.08.2016 22:02, Kyle Francis wrote:
> There's a wrapper for HTTP post in rcmail (rcmail.http_post).  I'll try
> that out and let you know how it works.  Thanks!

This is for ajax requests, but we want to reload the page here. So, I
wouldn't use it.


Re: Enigma hybrid decryption

Kyle Francis
On 08/31/2016 02:08 AM, A.L.E.C wrote:
> This is for ajax requests, but we want to reload the page here. So, I wouldn't use it.
Good call.  I'm trying the following:

// post the decrypted session key back to server
var form = $('<form action="'+location.href+'" method="post"></form>').appendTo('body');
$(form).append('<input type="hidden" name="sessionKey" value="'+dsk+'">');
$(form).submit();

This successfully reloads the page (I think), but I'm getting a "Request Check Failed" response.  I'm assuming this has to do with the session token since it talks about preventing CSRF. How would I need to pass the session token in my post above to comply?

-Kyle


Re: Enigma hybrid decryption

Kyle Francis
Answered my own question.  Sometimes you get lucky like that.

On 08/31/2016 03:23 PM, Kyle Francis wrote:
> On 08/31/2016 02:08 AM, A.L.E.C wrote:
>> This is for ajax requests, but we want to reload the page here. So, I wouldn't use it.
> Good call.  I'm trying the following:
>
> // post the decrypted session key back to server
> var form = $('<form action="'+location.href+'" method="post"></form>').appendTo('body');
> $(form).append('<input type="hidden" name="sessionKey" value="'+dsk+'">');

Add here:
    $(form).append('<input type="hidden" name="_token" value="'+rcmail.env.request_token+'">');

> $(form).submit();
>
> This successfully reloads the page (I think), but I'm getting a "Request Check Failed" response.  I'm assuming this has to do with the session token since it talks about preventing CSRF. How would I need to pass the session token in my post above to comply?
>
> -Kyle



Re: Enigma hybrid decryption

A.L.E.C
On 08/31/2016 09:23 PM, Kyle Francis wrote:

> // post the decrypted session key back to server
> var form = $('<form action="'+location.href+'"
> method="post"></form>').appendTo('body');
> $(form).append('<input type="hidden" name="sessionKey" value="'+dsk+'">');
> $(form).submit();
>
> This successfully reloads the page (I think), but I'm getting a "Request
> Check Failed" response.  I'm assuming this has to do with the session
> token since it talks about preventing CSRF. How I would need to pass the
> session token in my post above to comply?

$(form).append('<input type="hidden" name="_token" value="'+rcmail.env.request_token+'">');


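As an added example (not Kyle's snippet or enigma.js code), the hidden-form post discussed above with the CSRF token and the message UID included, built through DOM properties rather than HTML string concatenation and with the session-key string checked against the format gpg's --override-session-key expects. The field names 'sessionKey' and '_uid' and all function names are assumptions; only '_token' and rcmail.env.request_token are Roundcube's own.

```javascript
// Added example, not enigma.js code: post a client-decrypted OpenPGP session
// key back to the enigma plugin through a hidden form with the message UID and
// Roundcube's CSRF token. Field names 'sessionKey' and '_uid' and all function
// names are assumptions; '_token' and rcmail.env.request_token are Roundcube's.

// OpenPGP symmetric cipher algorithm ids mapped to their key size in bytes.
const OPENPGP_CIPHER_KEY_BYTES = {
  1: 16, 2: 24, 3: 16, 4: 16, 7: 16, 8: 24, 9: 32, 10: 32, 11: 16, 12: 24, 13: 32,
};

// Validate the "ALGO:HEXKEY" string that gpg --override-session-key expects
// (the format gpg --show-session-key prints); null means "do not post this".
function parseSessionKey(str) {
  const m = /^(\d{1,2}):([0-9A-Fa-f]+)$/.exec(String(str));
  if (!m) return null;
  const algo = Number(m[1]);
  const keyBytes = OPENPGP_CIPHER_KEY_BYTES[algo];
  if (keyBytes === undefined || m[2].length !== keyBytes * 2) return null;
  return { algo, keyHex: m[2].toUpperCase() };
}

// Build the POST fields: the session key, the IMAP UID so enigma.php can
// fetch the ciphertext itself (the message body is not posted), and the
// request token without which Roundcube answers "Request Check Failed".
function buildSessionKeyPost({ sessionKey, uid, requestToken }) {
  const parsed = parseSessionKey(sessionKey);
  if (!parsed) throw new Error('malformed session key');
  if (!/^\d+$/.test(String(uid))) throw new Error('malformed message UID');
  if (!requestToken) throw new Error('missing request token');
  return {
    sessionKey: `${parsed.algo}:${parsed.keyHex}`,
    _uid: String(uid),
    _token: String(requestToken),
  };
}

// Create the hidden form through DOM properties rather than HTML string
// concatenation, so the posted values never pass through the HTML parser.
function buildHiddenForm(doc, action, fields) {
  const form = doc.createElement('form');
  form.method = 'post';
  form.action = action;
  for (const [name, value] of Object.entries(fields)) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  return form;
}

// Browser entry point (assumed name); dsk is the session key string returned
// by the Mailvelope decrypt call, as in the thread. Reloads the message page.
function postSessionKeyToEnigma(dsk) {
  const fields = buildSessionKeyPost({
    sessionKey: dsk,
    uid: rcmail.env.uid,
    requestToken: rcmail.env.request_token,
  });
  const form = buildHiddenForm(document, location.href, fields);
  document.body.appendChild(form);
  form.submit();
}
```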

Re: Enigma hybrid decryption

Kyle Francis

Sweet Jesus I got it working!!  Being passed through part_body, parsed and everything!

Now the question is, how should the user be able to enable/disable this functionality?  Should it be an option on the enigma settings page? Or maybe a button in a banner on top of the email like when choosing to download external images?

-Kyle



Re: Enigma hybrid decryption

Vladimir Gorpenko

Both, of course.

The behavior by default is set in settings. When writing the letter there shall be an opportunity to make an exception.

Best regards,

    Vladimir.

Kyle Francis wrote on 2016-09-01 09:19:

> Sweet Jesus I got it working!!  Being passed through part_body, parsed and everything!
>
> Now the question is, how should the user be able to enable/disable this functionality?  Should it be an option on the enigma settings page? Or maybe a button in a banner on top of the email like when choosing to download external images?
>
> -Kyle



Re: Enigma hybrid decryption

A.L.E.C
On 30.08.2016 15:53, Kyle Francis wrote:
> Hey everyone,
>
> So I'm mostly finished with the implementation of the hybrid decryption
> model.  So far I have the following working:

Ok, now when you have decryption covered, I have a question. What's
next? As I understand the main reason for this is to keep secret keys on
the client. So, if we keep them in Mailvelope store how do we implement
creating signed messages? Mailvelope API does not support signing yet.
Even if it would have it, how do we implement sign+encrypt, if we do
this in Mailvelope we'd need to sync public keys from Enigma to
Mailvelope. Did you consider this?

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer        [http://kolab.org]
Roundcube Webmail Developer  [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

Template Objects

Aurélio de Souza Ribeiro Neto
Hi All,

     Where can I find a list of template objects?

     I can't find it in the Wiki and the link is broken.

Thanks

Aurelio

Re: Enigma hybrid decryption

Kyle Francis

On Sep 1, 2016 2:43 AM, "A.L.E.C" <[hidden email]> wrote:
>
> On 30.08.2016 15:53, Kyle Francis wrote:
> > Hey everyone,
> >
> > So I'm mostly finished with the implementation of the hybrid decryption
> > model.  So far I have the following working:
>
> Ok, now when you have decryption covered, I have a question. What's
> next? As I understand the main reason for this is to keep secret keys on
> the client. So, if we keep them in Mailvelope store how do we implement
> creating signed messages? Mailvelope API does not support signing yet.
> Even if it would have it, how do we implement sign+encrypt, if we do
> this in Mailvelope we'd need to sync public keys from Enigma to
> Mailvelope. Did you consider this?

So the scope of work for my project was just for decryption.  However it would be interesting to tackle signing and encrypting. 

Signing should not be terribly complicated.  We could make a call to Mailvelope via enigma.js for the public key (api call already exists, export PublicKey) and then pass to Crypt_GPG for signing.

For encrypting it should be possible to encrypt the message with only a symmetric key server side.  If we then passed the session key to Mailvelope it should be possible to encrypt the session key with the applicable public keys from there by adding an api call. Then prepend those public key encrypted session keys to the message. No syncing should be required.

Thoughts?



Re: Enigma hybrid decryption

A.L.E.C
On 09/01/2016 02:21 PM, Kyle Francis wrote:
> Signing should not be terribly complicated.  We could make a call to
> Mailvelope via enigma.js for the public key (api call already exists,
> export PublicKey) and then pass to Crypt_GPG for signing.

To sign a message you need a private key. For encryption you need only
public keys.


Re: Enigma hybrid decryption

Kyle Francis

On Sep 1, 2016 8:41 AM, "A.L.E.C" <[hidden email]> wrote:
>
> On 09/01/2016 02:21 PM, Kyle Francis wrote:
> > Signing should not be terribly complicated.  We could make a call to
> > Mailvelope via enigma.js for the public key (api call already exists,
> > export PublicKey) and then pass to Crypt_GPG for signing.
>
> To sign a message you need a private key. For encryption you need only
> public keys.

That would be correct, haha.  So I wonder if it would be possible to hash the message server side, then encrypt the hash with the private key on the client side.



Re: Template Objects

Thomas Bruederli-2
On Thu, Sep 1, 2016 at 1:55 PM, Aurélio de Souza Ribeiro Neto
<[hidden email]> wrote:
> Hi All,
>
>     Where can I find a list of template objects?
>
>     I can't find it in the Wiki and the link is broken.

The wiki has moved. The skin templates are explained here:
https://github.com/roundcube/roundcubemail/wiki/Skin-Markup#content-objects

Best,
Thomas

Re: Enigma hybrid decryption

A.L.E.C
On 09/01/2016 04:00 PM, Kyle Francis wrote:
>> To sign a message you need a private key. For encryption you need only
>> public keys.
>
> That would be correct, haha.  So I wonder if it would be possible to
> hash the message server side, then encrypt the hash with the private key
> on the client side.

I have no idea. We could at least disable/hide signing features when
server-side has no private key(s).


Re: Template Objects

Aurélio de Souza Ribeiro Neto
Thanks Thomas!

On 01/09/2016 12:59, Thomas Bruederli wrote:

> On Thu, Sep 1, 2016 at 1:55 PM, Aurélio de Souza Ribeiro Neto
> <[hidden email]> wrote:
>> Hi All,
>>
>>      Where can I find a list of template objects?
>>
>>      I can't find it in the Wiki and the link is broken.
> The wiki has moved. The skin templates are explained here:
> https://github.com/roundcube/roundcubemail/wiki/Skin-Markup#content-objects
>
> Best,
> Thomas

Labels as HTML

Aurélio de Souza Ribeiro Neto
Hello Everyone,

I'm developing a plugin, and I have 2 questions:

1) How can I use a $label['variable'] content as HTML and not as plain
text?
2) Can I use a <roundcube:include file=......> to include a file from my
plugin templates directory?

Thanks

Aurelio

