initiate

seahub/settings.py

@@ -941,6 +941,8 @@ SEND_EMAIL_ON_ADDING_SYSTEM_MEMBER = True # Whether to send email when a system
 SEND_EMAIL_ON_RESETTING_USER_PASSWD = True # Whether to send email when a system staff resetting user's password.
 
 
+ENABLE_SMIME = False
+
 ##########################
 # Settings for seadoc    #
 ##########################

seahub/utils/__init__.py

@@ -18,6 +18,7 @@ from urllib.parse import urlparse
 
 from constance import config
 import seaserv
+from django.core.mail.backends.smtp import EmailBackend
 from seaserv import seafile_api, ccnet_api
 
 from django.urls import reverse
@@ -39,6 +40,7 @@ from seahub.settings import MEDIA_URL, LOGO_PATH, \
 from seahub.constants import PERMISSION_READ_WRITE
 from seahub.utils.db_api import SeafileDB
 from seahub.onlyoffice.settings import ENABLE_ONLYOFFICE, ONLYOFFICE_FILE_EXTENSION
+from seahub.utils.mail import add_smime_sign
 
 try:
     from seahub.settings import EVENTS_CONFIG_FILE
@@ -1023,6 +1025,10 @@ def send_html_email(subject, con_template, con_context, from_email, to_email,
     msg = EmailMessage(subject, t.render(con_context), from_email,
                        to_email, headers=headers)
     msg.content_subtype = "html"
+
+    sig_part = add_smime_sign(msg)
+    if sig_part:
+        msg.attach(sig_part)
     msg.send()
 
 def gen_dir_share_link(token):

seahub/utils/mail.py

@@ -1,16 +1,69 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
 import os
 import logging
+from email.mime.text import MIMEText
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.serialization import pkcs7
+from cryptography import x509
+import base64
 from django.template import loader
 from django.core.mail import EmailMessage
 
 from seahub.utils import get_site_scheme_and_netloc, get_site_name
 from seahub.settings import MEDIA_URL, LOGO_PATH, \
-        MEDIA_ROOT, CUSTOM_LOGO_PATH
+        MEDIA_ROOT, CUSTOM_LOGO_PATH, ENABLE_SMIME
+
+from seahub import settings
 
 logger = logging.getLogger(__name__)
 
 
+def add_smime_sign(msg):
+    if not ENABLE_SMIME:
+        return None
+    
+    CERTS_DIR = getattr(settings, 'SMIME_CERTS_DIR', '/opt/seafile/seahub-data/certs')
+    cert_file = os.path.join(CERTS_DIR, 'cert.pem')
+    key_file = os.path.join(CERTS_DIR, 'private_key.pem')
+    if not os.path.exists(cert_file):
+        logger.warning('smime cert file %s does not exists.' % cert_file)
+        return None
+    
+    if not os.path.exists(key_file):
+        logger.warning('smime key file %s does not exists.' % key_file)
+        return None
+    
+    # Load the private key
+    with open(key_file, "rb") as f:
+        private_key = serialization.load_pem_private_key(f.read(), password=None)
+    
+    # Load the certificate
+    with open(cert_file, "rb") as f:
+        certificate = x509.load_pem_x509_certificate(f.read())
+    
+    msg_payload = msg.message().as_string().encode()
+    
+    builder = pkcs7.PKCS7SignatureBuilder() \
+        .set_data(msg_payload) \
+        .add_signer(certificate, private_key, hashes.SHA256())
+    pkcs7_signature = builder.sign(serialization.Encoding.SMIME, [pkcs7.PKCS7Options.DetachedSignature])
+    
+    # Base64 encode the signature for S/MIME
+    signature_b64 = base64.b64encode(pkcs7_signature).decode()
+    
+    # Create the S/MIME signature part
+    sig_part = MIMEText(
+        signature_b64,
+        "pkcs7-signature",
+        _charset="utf-8"
+    )
+    sig_part.set_param("name", "smime.p7s")
+    sig_part.add_header("Content-Disposition", "attachment", filename="smime.p7s")
+    
+    return sig_part
+
+
+
 def send_html_email_with_dj_template(recipients, subject, dj_template, context={}):
     """
 
@@ -42,6 +95,9 @@ def send_html_email_with_dj_template(recipients, subject, dj_template, context={
     mail.content_subtype = "html"
 
     try:
+        sig_part = add_smime_sign(mail)
+        if sig_part:
+            mail.attach(sig_part)
         mail.send()
         return True
     except Exception as e: