2012.05.23
Schwab
FB   32.59 x1  8.95  41.54
VWO  38.25 x1  8.95  47.20

Total 88.74

Fidelity
VTI  68.00 x1  7.95  75.95

Total 75.95
2012.05.18
While using Mew, I noticed that S/MIME-signed mail from Sumitomo Mitsui Banking Corporation was being displayed with "UNDEFINED", like this:
X-Mew: <body> Good S/MIME sign <SMBC_service@dn.smbc.co.jp> UNDEFINED

To find out what that means, I read mew-smime.el:
(defun mew-smime-verify-check ()
  (let (addr warning result trust ret)
    [...]
    ;; xxx error code check for TRUST_UNDEFINED/NEVER?
    (if (re-search-forward "TRUST_\\([A-Z]*\\)" nil t)
        (setq trust (mew-match-string 1)))
    (setq ret result)
    (if addr (setq ret (concat ret " <" addr ">")))
    (if trust (setq ret (concat ret " " trust)))
    (if warning (setq ret (concat ret " -" warning)))
    ret))
Apparently it cuts the TRUST_xxx part out of gpgsm's output and displays it. As a test, I copied the intermediate files that Mew generates and ran gpgsm on them directly:
$ gpgsm --verify --include-certs 3 --status-fd 1 ./mew36121HRL.sig ./mew36121HRL
[GNUPG:] NEWSIG
gpgsm: Signature made 2012-05-16 23:40:53 using certificate ID 0xFFFFFFFFCA8FEB6C
gpgsm: note: non-critical certificate policy not allowed
dirmngr[55990.0]: permanently loaded certificates: 0
dirmngr[55990.0]: runtime cached certificates: 0
gpgsm: note: non-critical certificate policy not allowed
[GNUPG:] PROGRESS starting_agent ? 0 0
[GNUPG:] GOODSIG 3C7271D19643E865FB58B036A1F20578CA8FEB6C /CN=SUMITOMO MITSUI BANKING CORPORATION/OU=Class 3 Organizational E-Mail Certificate/OU=Terms of use at https:\x2f\x2fwww.verisign.com\x2frpa (c)11/OU=Mass Retail Dept.,Consumer Banking Unit/O=SUMITOMO MITSUI BANKING CORPORATION/L=Chiyoda-ku/ST=Tokyo/C=JP/EMail=SMBC_service@dn.smbc.co.jp
[GNUPG:] VALIDSIG 3C7271D19643E865FB58B036A1F20578CA8FEB6C 2012-05-16 20120516T234053 20120922T235959 0 0 1 2 00
gpgsm: invalid certification chain: No value
[GNUPG:] TRUST_UNDEFINED 26
Sure enough, TRUST_UNDEFINED is printed at the end. (Note that "invalid certification chain" is printed as well.)

Reading gnupg-2.0.19/sm/verify.c:
      audit_log_ok (ctrl->audit, AUDIT_CHAIN_STATUS, rc);
      if (rc) /* of validate_chain */
        {
          log_error ("invalid certification chain: %s\n", gpg_strerror (rc));
          if (gpg_err_code (rc) == GPG_ERR_BAD_CERT_CHAIN
              || gpg_err_code (rc) == GPG_ERR_BAD_CERT
              || gpg_err_code (rc) == GPG_ERR_BAD_CA_CERT
              || gpg_err_code (rc) == GPG_ERR_CERT_REVOKED)
            gpgsm_status_with_err_code (ctrl, STATUS_TRUST_NEVER, NULL,
                                        gpg_err_code (rc));
          else
            gpgsm_status_with_err_code (ctrl, STATUS_TRUST_UNDEFINED, NULL,
                                        gpg_err_code (rc));
          audit_log_s (ctrl->audit, AUDIT_SIG_STATUS, "bad");
          goto next_signer;
        }
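It appears to be the error raised when the certificate chain could not be verified. This is S/MIME, so how had I configured the root certificates (and the trust in them) in the first place? Digging through old memories (and old mail), it turns out that I just had to list the fingerprints of the root certificates I trust in trustlist.txt. ( http://www.mew.org/ja/feature/smime.html )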
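The status lines above carry two separate facts: GOODSIG says the signature verifies, while the TRUST_* line says whether the certificate chain was accepted. The following added example (not code from Mew or GnuPG) parses that output and keeps the two apart; the function names and verdict strings are hypothetical, and the sample text is constructed from the output shown in this entry.

```python
import re

# Constructed sample: the gpgsm --status-fd output shown above, shortened.
SAMPLE_UNTRUSTED = """\
[GNUPG:] NEWSIG
gpgsm: Signature made 2012-05-16 23:40:53 using certificate ID 0xFFFFFFFFCA8FEB6C
[GNUPG:] GOODSIG 3C7271D19643E865FB58B036A1F20578CA8FEB6C /CN=SUMITOMO MITSUI BANKING CORPORATION
[GNUPG:] VALIDSIG 3C7271D19643E865FB58B036A1F20578CA8FEB6C 2012-05-16 20120516T234053 20120922T235959 0 0 1 2 00
gpgsm: invalid certification chain: No value
[GNUPG:] TRUST_UNDEFINED 26
"""
# The same signature once the chain validates (last two lines replaced).
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED.replace(
    "gpgsm: invalid certification chain: No value\n[GNUPG:] TRUST_UNDEFINED 26",
    "[GNUPG:] TRUST_FULLY 0 shell")

TRUSTED_LEVELS = {"FULLY", "ULTIMATE"}

def parse_status(output):
    """One record per NEWSIG; "good" stays False unless GOODSIG is seen."""
    sigs = []
    for line in output.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+) ?(.*)$", line)
        if not m:
            continue  # "gpgsm:" and "dirmngr" diagnostics are for humans
        key, args = m.group(1), m.group(2).split()
        if key == "NEWSIG":
            sigs.append({"good": False, "fpr": None, "trust": None, "code": None})
        elif not sigs:
            continue  # status line outside any signature
        elif key == "GOODSIG" and args:
            sigs[-1].update(good=True, fpr=args[0])
        elif key.startswith("TRUST_"):
            # First argument: the error code verify.c attaches to the status.
            sigs[-1].update(trust=key[len("TRUST_"):], code=args[0] if args else None)
    return sigs

def verdict(sig):
    """Treat "signature is good" and "chain is trusted" as separate checks."""
    if not sig["good"]:
        return "reject: signature not verified"
    if sig["trust"] in TRUSTED_LEVELS:
        return "accept: good signature, chain trusted"
    if sig["trust"] == "NEVER":
        return "reject: bad chain or revoked certificate"
    return "warn: good signature, chain not validated"

if __name__ == "__main__":
    for s in parse_status(SAMPLE_UNTRUSTED) + parse_status(SAMPLE_TRUSTED):
        print(s["fpr"], s["trust"], s["code"], "->", verdict(s))
```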

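For a start, gpgsm(1) says that -k lists the certificates (keys) currently held, so I ran it, and it appears to have automatically imported the default keys (the ones included in the gnupg distribution package).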
$ grep com-cert /usr/ports/security/gnupg/pkg-plist 
%%PORTDOCS%%%%DATADIR%%/com-certs.pem
$ gpgsm -k | & head -4
gpgsm: keybox `/home/user/.gnupg/pubring.kbx' created
gpgsm: importing common certificates `/usr/local/share/gnupg/com-certs.pem'
gpgsm: total number processed: 15
gpgsm: imported: 15
So all that is needed is to write the fingerprints of the certificates that gpgsm holds out to trustlist.txt.
$ gpgsm -k --status-fd 1 | grep fingerprint: | awk '{print $2 " S"}' > ~/.gnupg/trustlist.txt

Note that the Mew page mentioned above says:
If the root CA certificate is version 1, " S relax" must be written at the end of the fingerprint.
Judging from the output of the following command (cert.pem here is "Root certificates from certificate authorities included in the Mozilla NSS library"),
$ egrep "(^Certificate:|Version:|Subject:)" /etc/ssl/cert.pem | grep -A1 -B1 "Version: 1"
certificates such as VeriSign's are version 1, so "relax" has to be added where appropriate. For example, adding relax to "Class 3 Public Primary Certification Authority - G2" looks like this:
$ diff -u .gnupg/trustlist.txt{.orig,}
--- .gnupg/trustlist.txt.orig 2012-05-16 21:49:56.000000000 -0400
+++ .gnupg/trustlist.txt 2012-05-16 21:48:21.000000000 -0400
@@ -14,7 +14,7 @@
C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA S
D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B S
D7:92:BC:E6:B6:8A:5C:C0:7F:17:08:A0:94:CB:46:8D:29:6B:75:55 S
-85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F S
+85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F S relax
3C:72:71:D1:96:43:E8:65:FB:58:B0:36:A1:F2:05:78:CA:8F:EB:6C S
08:A8:3F:43:90:9E:9C:98:18:FC:78:D3:78:B3:B2:DE:B9:79:EB:C0 S
84:98:C8:6C:88:19:CD:3C:1C:58:D7:BF:8F:DA:FA:1B:6C:4F:0D:5E S
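Review bot: the context line 3C:72:71:D1:96:43:E8:65:FB:58:B0:36:A1:F2:05:78:CA:8F:EB:6C S, directly after the changed line, carries the same fingerprint that GOODSIG reports for the SMBC signer certificate, so the list produced by dumping every fingerprint from gpgsm -k names an end-entity certificate alongside the root CAs. trustlist.txt is meant to hold trusted root fingerprints only, so that entry should be dropped, and the file is better built from a reviewed set of roots than from the whole keybox. For the relax line itself, a # comment above it naming the CA ("Class 3 Public Primary Certification Authority - G2") would record why the flag is there.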
(Incidentally, the background to this can be seen in the "Subject: x509 v1 certificate" thread at http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/thread.html .)
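Because the trustlist.txt above was generated from every certificate in the keybox, it is worth auditing before relying on it. The following added example (not part of the original post or of GnuPG) parses trustlist lines and flags entries that match a signer fingerprint taken from GOODSIG, entries carrying relax, and malformed lines; it assumes only "fingerprint flags" lines and # comments, and the function names and sample file are hypothetical.

```python
import re

# Constructed trustlist.txt using three fingerprints from the diff above.
SAMPLE_TRUSTLIST = """\
# constructed example file
D7:92:BC:E6:B6:8A:5C:C0:7F:17:08:A0:94:CB:46:8D:29:6B:75:55 S
85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F S relax
3C:72:71:D1:96:43:E8:65:FB:58:B0:36:A1:F2:05:78:CA:8F:EB:6C S
not-a-fingerprint S
"""
# Fingerprint that GOODSIG reported for the mail's signer certificate.
SIGNER_FPRS = {"3C7271D19643E865FB58B036A1F20578CA8FEB6C"}

def parse_trustlist(text):
    """Return one dict per entry line, skipping blanks and # comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        fpr = fields[0].replace(":", "").upper()
        if not re.fullmatch(r"[0-9A-F]{40}", fpr):
            fpr = None  # not a 40-digit hex fingerprint
        entries.append({"line": lineno, "fpr": fpr, "flags": fields[1:]})
    return entries

def audit(text, signer_fprs):
    """Return (line number, finding) pairs for entries that need review."""
    findings = []
    for e in parse_trustlist(text):
        if e["fpr"] is None:
            findings.append((e["line"], "malformed fingerprint"))
        elif e["fpr"] in signer_fprs:
            findings.append((e["line"], "end-entity certificate listed as trusted root"))
        elif "relax" in e["flags"]:
            findings.append((e["line"], "relax set: confirm this root is X.509 v1"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_TRUSTLIST, SIGNER_FPRS):
        print("line %d: %s" % (lineno, finding))
```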

After doing this, I verified again with gpgsm:
$ gpgsm --verify --include-certs 3 --status-fd 1 mew36121HRL.sig mew36121HRL
[GNUPG:] NEWSIG
gpgsm: Signature made 2012-05-16 23:40:53 using certificate ID 0xFFFFFFFFCA8FEB6C
gpgsm: note: non-critical certificate policy not allowed
dirmngr[55999.0]: permanently loaded certificates: 0
dirmngr[55999.0]: runtime cached certificates: 0
gpgsm: note: non-critical certificate policy not allowed
[GNUPG:] PROGRESS starting_agent ? 0 0
[GNUPG:] GOODSIG 3C7271D19643E865FB58B036A1F20578CA8FEB6C /CN=SUMITOMO MITSUI BANKING CORPORATION/OU=Class 3 Organizational E-Mail Certificate/OU=Terms of use at https:\x2f\x2fwww.verisign.com\x2frpa (c)11/OU=Mass Retail Dept.,Consumer Banking Unit/O=SUMITOMO MITSUI BANKING CORPORATION/L=Chiyoda-ku/ST=Tokyo/C=JP/EMail=SMBC_service@dn.smbc.co.jp
[GNUPG:] VALIDSIG 3C7271D19643E865FB58B036A1F20578CA8FEB6C 2012-05-16 20120516T234053 20120922T235959 0 0 1 2 00
gpgsm: Good signature from "/CN=SUMITOMO MITSUI BANKING CORPORATION/OU=Class 3 Organizational E-Mail Certificate/OU=Terms of use at https:\x2f\x2fwww.verisign.com\x2frpa (c)11/OU=Mass Retail Dept.,Consumer Banking Unit/O=SUMITOMO MITSUI BANKING CORPORATION/L=Chiyoda-ku/ST=Tokyo/C=JP/EMail=SMBC_service@dn.smbc.co.jp"
gpgsm: aka "SMBC_service@dn.smbc.co.jp"
[GNUPG:] TRUST_FULLY 0 shell
TRUST_UNDEFINED duly changed to TRUST_FULLY, and naturally the display in Mew changed as well, to:
X-Mew: <body> Good S/MIME sign <SMBC_service@dn.smbc.co.jp> FULLY

It is simple once you understand it, but it was surprisingly fiddly.
2012.05.16
JunOS 11.4  10 sec
JunOS 10.4  20 sec
IOS         3 sec
IOS-XR      3 sec
2012.05.05
Money spent on the camera so far

LUMIX GX1 (DMC-GX1X-S)                   59,000 yen (10% points)         Bic Camera
GX1 Manual (Nippon Camera Mook)          1,995 yen                       Amazon.co.jp
Kenko 37mm PRO1D Protector               1,680 yen (bought with points)  Bic Camera
SanDisk 16GB SDHC Card (SDSDX-016G-X46)  $28.08                          Amazon.com
Transcend 16GB SDHC Card (TS16GSDHC6)    $14.95                          Abe's of Maine
Battery for GX1 (DMW-BLD10PP)            $39.95                          eBay
20mm F1.7 Pancake Lens (H-H020)          $339.95                         Samy's
Camera Bag                               $19.99                          buy.com
Marumi DHG Super C-PL 46 mm              $53.95                          eBay
Hoya Linear PL 46 mm                     $28.20                          Amazon.com

Total $1,286.50 (102,920 yen) ($1 = 80 yen)

Incidentally, the SDSDX-016G-X46 went from $28.08 to $21.30, so I lost $6.78, but the 20mm/F1.7 went from $339.95 to $359.00, so I gained $19.05, which puts me a net $12.27 ahead so far. :-)
2012.05.02
It seems security/openssl is now pulled in because mozc looks for OpenSSL via pkg-config ( http://www.freebsd.org/cgi/cvsweb.cgi/ports/japanese/mozc-server/Makefile.diff?r1=1.27;r2=1.28;f=h ), but I wanted to use the OpenSSL that is already installed, so I applied a small patch before installing. (I also added the postal code dictionary while I was at it.)

(Added May 3, 2012: it seems this was changed in http://www.freebsd.org/cgi/cvsweb.cgi/ports/japanese/mozc-server/Makefile.diff?r1=1.28;r2=1.29;f=h so that it is no longer used.)

# pwd
/usr/ports/japanese/mozc-server
# make extract
===> License check disabled, port has not defined LICENSE
===> Extracting for ja-mozc-server-1.5.1053.102
===> License check disabled, port has not defined LICENSE
=> SHA256 Checksum OK for mozc-1.5.1053.102.tar.bz2.
# cat -t /root/patch
--- Makefile.orig^I2012-05-01 16:58:57.000000000 -0400
+++ Makefile^I2012-05-01 16:59:04.000000000 -0400
@@ -18,8 +18,7 @@
LIB_DEPENDS=^Icurl.6:${PORTSDIR}/ftp/curl \
^I^Igtest.0:${PORTSDIR}/devel/googletest \
^I^Iprotobuf.7:${PORTSDIR}/devel/protobuf \
-^I^Izinnia.0:${PORTSDIR}/japanese/zinnia \
-^I^Issl.8:${PORTSDIR}/security/openssl
+^I^Izinnia.0:${PORTSDIR}/japanese/zinnia
RUN_DEPENDS=^Ixdg-open:${PORTSDIR}/devel/xdg-utils

USE_BZIP2=^Iyes
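Review bot: dropping ssl.8:${PORTSDIR}/security/openssl from LIB_DEPENDS leaves the port with no declared OpenSSL dependency at all, although the base.gyp change in the same patch still defines HAVE_OPENSSL=1 and links -lssl -lcrypto. State the intent in the Makefile, either with a comment that the base-system OpenSSL is used or through the ports framework's USE_OPENSSL knob, so the dependency is recorded rather than implied and security updates to the library can be tracked against this port.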
--- work/mozc-1.5.1053.102/base/base.gyp.orig 2012-05-01 16:51:47.000000000 -0400
+++ work/mozc-1.5.1053.102/base/base.gyp 2012-05-01 16:52:26.000000000 -0400
@@ -227,23 +227,14 @@
}
}],
['OS=="linux" and target_platform!="Android"', {
- 'cflags': [
- '<!@(<(pkg_config_command) --cflags-only-other openssl)',
- ],
'defines': [
'HAVE_OPENSSL=1',
],
- 'include_dirs': [
- '<!@(<(pkg_config_command) --cflags-only-I openssl)',
- ],
'link_settings': {
- 'ldflags': [
- '<!@(<(pkg_config_command) --libs-only-L openssl)',
- ],
'libraries': [
- '<!@(<(pkg_config_command) --libs-only-l openssl)',
+ '-lssl -lcrypto',
],
- },
+ }
}],
],
},
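Review bot: in 'libraries', '-lssl -lcrypto' is a single list element holding two flags; list them as separate entries ('-lssl', '-lcrypto') so each library is handled on its own. With the pkg-config 'cflags', 'include_dirs' and 'ldflags' lookups removed while HAVE_OPENSSL=1 stays defined, the build now depends on the compiler's default search paths finding the base-system OpenSSL headers and libraries, which deserves a comment next to the define. The change from '},' to '}' on the link_settings close is unrelated to the OpenSSL switch and can be left out.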
# patch < /root/patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- Makefile.orig 2012-05-01 16:58:57.000000000 -0400
|+++ Makefile 2012-05-01 16:59:04.000000000 -0400
--------------------------
Patching file Makefile using Plan A...
Hunk #1 succeeded at 18.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- work/mozc-1.5.1053.102/base/base.gyp.orig 2012-05-01 16:51:47.000000000 -0400
|+++ work/mozc-1.5.1053.102/base/base.gyp 2012-05-01 16:52:26.000000000 -0400
--------------------------
Patching file work/mozc-1.5.1053.102/base/base.gyp using Plan A...
Hunk #1 succeeded at 227.
done
# cd work/mozc-1.5.1053.102/data/dictionary/
# fetch http://www.post.japanpost.jp/zipcode/dl/kogaki/zip/ken_all.zip
ken_all.zip 100% of 1798 kB 377 kBps
# fetch http://www.post.japanpost.jp/zipcode/dl/jigyosyo/zip/jigyosyo.zip
jigyosyo.zip 100% of 753 kB 276 kBps
# unzip ken_all.zip
Archive: ken_all.zip
extracting: KEN_ALL.CSV
# unzip jigyosyo.zip
Archive: jigyosyo.zip
extracting: JIGYOSYO.CSV
# python ../../dictionary/gen_zip_code_seed.py --zip_code=KEN_ALL.CSV --jigyosyo=JIGYOSYO.CSV >> dictionary09.txt
# cd ../../../..
# pwd
/usr/ports/japanese/mozc-server
# make
===> Patching for ja-mozc-server-1.5.1053.102
===> Applying FreeBSD patches for ja-mozc-server-1.5.1053.102
[...]
CXX(target) out_linux/Release/obj.target/mozc_server/server/server_main.o
LINK(target) out_linux/Release/mozc_server
Running: /usr/local/bin/python2.7 build_tools/binary_size_checker.py --target_directory out_linux/Release
# make deinstall
===> Deinstalling for japanese/mozc-server
===> Deinstalling ja-mozc-server-1.5.1053.102
pkg_delete: package 'ja-mozc-server-1.5.1053.102' is required by these other packages
and may not be deinstalled (but I'll delete it anyway):
ja-mozc-el-emacs23-1.5.1053.102_1
# make reinstall
===> Installing for ja-mozc-server-1.5.1053.102
===> ja-mozc-server-1.5.1053.102 depends on executable: xdg-open - found
===> ja-mozc-server-1.5.1053.102 depends on file: /usr/local/bin/python2.7 - found
===> ja-mozc-server-1.5.1053.102 depends on shared library: curl.6 - found
===> ja-mozc-server-1.5.1053.102 depends on shared library: gtest.0 - found
===> ja-mozc-server-1.5.1053.102 depends on shared library: protobuf.7 - found
===> ja-mozc-server-1.5.1053.102 depends on shared library: zinnia.0 - found
===> ja-mozc-server-1.5.1053.102 depends on shared library: iconv.3 - found
===> Generating temporary packing list
===> Checking if japanese/mozc-server already installed
===> Registering installation for ja-mozc-server-1.5.1053.102
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/bin/mozc_server

If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.

For more information, and contact details about the security
status of this software, see the following webpage:
http://code.google.com/p/mozc/
#