[Mailer][Mime] Refactor S/MIME encryption handling in `SMimeEncryptionListener` by Spomky · Pull Request #59831 · symfony/symfony · GitHub

[Mailer][Mime] Refactor S/MIME encryption handling in SMimeEncryptionListener #59831


Merged
merged 1 commit into from
Mar 26, 2025


Spomky
Contributor
@Spomky Spomky commented Feb 21, 2025
| Q | A |
| --- | --- |
| Branch? | 7.3 |
| Bug fix? | yes |
| New feature? | yes |
| Deprecations? | no |
| Issues | |
| License | MIT |

It appears that the smime_encrypter introduced in #58501 is incorrect, as the email is encrypted only for the sender instead of being encrypted per recipient.
This PR introduces a new SmimeCertificateRepositoryInterface, responsible for retrieving recipient certificates.

An email is encrypted under the following conditions:

  • A certificate is found for all recipients.
  • The custom header X-SMime-Encrypt is present.

If either of these conditions is not met, the email is sent unencrypted.

Example of usage:

```php
<?php

namespace App\Security;

use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\Mailer\EventListener\SmimeCertificateRepositoryInterface;

// Looks up recipient certificates stored as files under <project dir>/storage.
class LocalFileCertificateRepository implements SmimeCertificateRepositoryInterface
{
    public function __construct(
        #[Autowire(param: 'kernel.project_dir')]
        private readonly string $projectDir
    ) {
    }

    // Returns the certificate path for the address, or null when none is stored.
    public function findCertificatePathFor(string $email): ?string
    {
        // File name is the SHA-256 of the trimmed, lower-cased address.
        $hash = hash('sha256', strtolower(trim($email)));
        $path = sprintf('%s/storage/%s.crt', $this->projectDir, $hash);

        return file_exists($path) ? $path : null;
    }
}
```

@carsonbot carsonbot added this to the 7.3 milestone Feb 21, 2025
@Spomky Spomky force-pushed the fix-smime-encryption-listener branch 2 times, most recently from c3a8318 to eb8e560 Compare February 21, 2025 15:31
@carsonbot carsonbot changed the title Refactor S/MIME encryption handling in Mailer SMimeEncryptionListener [Mailer][Mime] Refactor S/MIME encryption handling in Mailer SMimeEncryptionListener Feb 21, 2025
@Spomky Spomky force-pushed the fix-smime-encryption-listener branch 4 times, most recently from 204c36f to 6499c8a Compare February 21, 2025 16:16
@Spomky Spomky changed the title [Mailer][Mime] Refactor S/MIME encryption handling in Mailer SMimeEncryptionListener [Mailer] Refactor S/MIME encryption handling in Mailer SMimeEncryptionListener Feb 21, 2025
Replaces direct certificate path usage with a repository interface for managing S/MIME certificates. This improves flexibility by allowing custom certificate retrieval logic through `SmimeCertificateRepositoryInterface`. Adjusted related tests, configuration, and event listener implementation accordingly.
@Spomky Spomky force-pushed the fix-smime-encryption-listener branch from 6499c8a to 7c76c54 Compare February 21, 2025 16:40
@Spomky
Contributor Author
Spomky commented Feb 22, 2025

It is important to mention in the documentation that caution should be exercised when sending encrypted emails to multiple recipients. And indeed, all recipients are used here and therefore the main recipients as well as those in BCC. It is therefore possible to know these recipients depending on the encryption method used.
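
The all-or-nothing rule from the PR description and the Bcc caveat in the comment above, as an added example (not code from the pull request). `CertificateLookup`, `ArrayCertificateLookup`, `planDelivery` and the `$failClosed` switch are hypothetical names; only `findCertificatePathFor` and the `X-SMime-Encrypt` header name come from the page, and the addresses and paths are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in exposing the same method as the interface in the PR description.
interface CertificateLookup
{
    public function findCertificatePathFor(string $email): ?string;
}

// Constructed in-memory repository: normalised address => certificate path.
final class ArrayCertificateLookup implements CertificateLookup
{
    public function __construct(private array $paths) {}

    public function findCertificatePathFor(string $email): ?string
    {
        return $this->paths[strtolower(trim($email))] ?? null;
    }
}

// $recipients is To + Cc + Bcc, because the PR encrypts for all recipients.
// $failClosed = false is the fallback described in the PR; true is an added, stricter policy.
function planDelivery(array $headers, array $recipients, CertificateLookup $repo, bool $failClosed): array
{
    if (!array_key_exists('x-smime-encrypt', array_change_key_case($headers, CASE_LOWER))) {
        return ['action' => 'plaintext', 'certificates' => [], 'missing' => []];
    }
    $certificates = $missing = [];
    foreach (array_unique(array_map(fn (string $a) => strtolower(trim($a)), $recipients)) as $address) {
        $path = $repo->findCertificatePathFor($address);
        if (null === $path) {
            $missing[] = $address;
        } else {
            $certificates[$address] = $path;
        }
    }
    if ([] === $missing) {
        return ['action' => 'encrypt', 'certificates' => $certificates, 'missing' => []];
    }
    return ['action' => $failClosed ? 'reject' : 'plaintext', 'certificates' => [], 'missing' => $missing];
}

// Constructed sample data: carol (a Bcc recipient) has no certificate on file.
$repo = new ArrayCertificateLookup(['alice@example.com' => '/certs/alice.crt', 'bob@example.com' => '/certs/bob.crt']);
$headers = ['X-SMime-Encrypt' => 'yes'];
echo json_encode(planDelivery($headers, ['Alice@example.com', 'bob@example.com'], $repo, false)), PHP_EOL;
foreach ([false, true] as $failClosed) {
    echo json_encode(planDelivery($headers, ['alice@example.com', 'carol@example.com'], $repo, $failClosed)), PHP_EOL;
}
```

In the `encrypt` case the `certificates` map holds one entry per recipient, Bcc included, which is the set the encrypted message is prepared for.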

@Spomky Spomky requested a review from stof March 2, 2025 11:06
@@ -2314,8 +2314,8 @@ private function addMailerSection(ArrayNodeDefinition $rootNode, callable $enabl
->canBeEnabled()
->info('S/MIME encrypter configuration')
->children()
->scalarNode('certificate')
->info('Path to certificate (in PEM format without the `file://` prefix)')
->scalarNode('repository')
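Review bot: `->scalarNode('repository')` needs its own `->info()` saying what value it expects, because the 'Path to certificate (in PEM format ...)' description belonged to the `certificate` node it replaces and the hunk as shown ends before any replacement text. Also consider `->isRequired()->cannotBeEmpty()` on that node so an enabled encrypter with no repository is rejected when the configuration is loaded.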
Member


For reviewers, this change is fine as this feature has been introduced in 7.3, so not yet released

@OskarStark OskarStark changed the title [Mailer] Refactor S/MIME encryption handling in Mailer SMimeEncryptionListener [Mailer] Refactor S/MIME encryption handling in SMimeEncryptionListener Mar 3, 2025
@carsonbot carsonbot changed the title [Mailer] Refactor S/MIME encryption handling in SMimeEncryptionListener [Mailer][Mime] Refactor S/MIME encryption handling in SMimeEncryptionListener Mar 26, 2025
@fabpot
Member
fabpot commented Mar 26, 2025

Thank you @Spomky.

@fabpot fabpot merged commit 7100c7b into symfony:7.3 Mar 26, 2025
10 of 11 checks passed
@fabpot fabpot mentioned this pull request May 2, 2025
5 participants