From d662def2246b0c4c41c1b2eaf7e4c41ebb2f1cd5 Mon Sep 17 00:00:00 2001
From: Milan Crha
Date: Wed, 3 May 2023 12:39:24 +0200
Subject: evo-I#2345 - Wrong S/MIME certificate selection for encrypted email

Related to https://gitlab.gnome.org/GNOME/evolution/-/issues/2345
---
 src/addressbook/libebook/CMakeLists.txt | 3 +++
 src/addressbook/libebook/e-book-utils.c | 20 ++++++++++++++++++++
 src/camel/camel-smime-context.c | 4 +++-
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/addressbook/libebook/CMakeLists.txt b/src/addressbook/libebook/CMakeLists.txt
index d0bda7d5d..3a22618cc 100644
--- a/src/addressbook/libebook/CMakeLists.txt
+++ b/src/addressbook/libebook/CMakeLists.txt
@@ -61,6 +61,7 @@ target_compile_definitions(ebook PRIVATE

 target_compile_options(ebook PUBLIC
 ${ADDRESSBOOK_CFLAGS}
+ ${CAMEL_CFLAGS}
 )

 target_include_directories(ebook PUBLIC
@@ -74,11 +75,13 @@ target_include_directories(ebook PUBLIC
 ${CMAKE_CURRENT_BINARY_DIR}
 ${CMAKE_CURRENT_SOURCE_DIR}
 ${ADDRESSBOOK_INCLUDE_DIRS}
+ ${CAMEL_INCLUDE_DIRS}
 )

 target_link_libraries(ebook
 ${DEPENDENCIES}
 ${ADDRESSBOOK_LDFLAGS}
+ ${CAMEL_LDFLAGS}
 )

 install(TARGETS ebook
diff --git a/src/addressbook/libebook/e-book-utils.c b/src/addressbook/libebook/e-book-utils.c
index 08d4b8ed0..de69fcc59 100644
--- a/src/addressbook/libebook/e-book-utils.c
+++ b/src/addressbook/libebook/e-book-utils.c
@@ -18,6 +18,10 @@

 #include "evolution-data-server-config.h"

+#ifdef ENABLE_SMIME
+#include 
+#endif
+
 #include "camel/camel.h"
 #include "libebook-contacts/libebook-contacts.h"

@@ -135,6 +139,22 @@ book_utils_get_recipient_certificates_thread (gpointer data,
 decoded = e_vcard_attribute_get_value_decoded (cattr);

 if (decoded && decoded->len) {
+ #ifdef ENABLE_SMIME
+ if (field_id == E_CONTACT_X509_CERT) {
+ CERTCertificate *nss_cert;
+ gboolean usable;
+
+ nss_cert = CERT_DecodeCertFromPackage (decoded->str, decoded->len);
+ usable = nss_cert && (nss_cert->keyUsage & certificateUsageEmailRecipient) != 0;
+ if (nss_cert)
+ CERT_DestroyCertificate (nss_cert);
+
+ if (!usable) {
+ g_string_free (decoded, TRUE);
+ continue;
+ }
+ }
+ #endif
 base64_data = g_base64_encode ((const guchar *) decoded->str, decoded->len);
 g_string_free (decoded, TRUE);
 break;
diff --git a/src/camel/camel-smime-context.c b/src/camel/camel-smime-context.c
index c7831335e..0128b65d6 100644
--- a/src/camel/camel-smime-context.c
+++ b/src/camel/camel-smime-context.c
@@ -1269,6 +1269,7 @@ camel_smime_find_recipients_certs (CERTCertificate *cert,

 /* Cannot short-circuit when frd->certs_missing is 0, because there can be better certificates */
 if (!frd->recipients_table ||
+ !(cert->keyUsage & certificateUsageEmailRecipient) ||
 CERT_CheckCertValidTimes (cert, frd->now, PR_FALSE) != secCertTimeValid) {
 return SECFailure;
 }
@@ -1421,7 +1422,8 @@ smime_context_encrypt_sync (CamelCipherContext *context,

 /* Default to the provided certificate, if valid */
 if (cert) {
- if (CERT_CheckCertValidTimes (cert, frd.now, PR_FALSE) == secCertTimeValid) {
+ if ((cert->keyUsage & certificateUsageEmailRecipient) != 0 &&
+ CERT_CheckCertValidTimes (cert, frd.now, PR_FALSE) == secCertTimeValid) {
 recipient_certs[i] = cert;
 frd.certs_missing--;
 } else {
--
cgit v1.2.1
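Review bot: `nss_cert->keyUsage` carries the X.509 KeyUsage extension bits (NSS's `KU_*` flags, with `KU_KEY_ENCIPHERMENT` being 0x20), whereas `certificateUsageEmailRecipient` is one of the `certificateUsage*` flags meant for `CERT_VerifyCertificate` (also 0x20), so the `usable =` test in this hunk and the identical masks added in both camel-smime-context.c hunks below work only because two unrelated constants happen to share a value. The intent reads more honestly as `usable = nss_cert && CERT_CheckKeyUsage (nss_cert, KU_KEY_ENCIPHERMENT) == SECSuccess;` (or a plain `(nss_cert->keyUsage & KU_KEY_ENCIPHERMENT) != 0`), with the same substitution in camel_smime_find_recipients_certs and smime_context_encrypt_sync. Two things I would confirm and record in a comment above that line: NSS appears to set `keyUsage` to `KU_ALL` when the extension is absent, so such certificates pass this filter rather than being dropped, and an EC recipient certificate advertising only keyAgreement is rejected here although the CMS layer may be able to encrypt to it — `KU_KEY_AGREEMENT_OR_ENCIPHERMENT` via `CERT_CheckKeyUsage` exists for exactly that distinction, if the targeted NSS provides it. If NSS has not been initialised in the calling process, `CERT_DecodeCertFromPackage` fails and every X.509 entry is silently skipped, so a debug message in the `!usable` branch would make that failure mode diagnosable. The enclosing loop in book_utils_get_recipient_certificates_thread begins and ends outside the hunk.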