#############
# PGP Checks
#############
sub pgp_check($$$)
{
my ($entity,$fname,$type) = @_;

use Mail::GPG;
my $pass;

open(PASS,"</home/defang/.gpgpass") || (md_syslog('warning',"Cannot open GNUPG passphrase file") && return -1);

$pass=<PASS>;
my $gpg = Mail::GPG->new(default_key_id=>'E3AA17BD', default_passphrase=>$pass,
debug=>1,
gnupg_hash_init=>{ armor   => 1,
                   batch   => 1,
				      homedir => '/home/defang/.gnupg' });


# try to use GNUPG to work out the keyholders (!)
$encrypted = $gpg->is_encrypted (entity => $entity);
md_syslog('debug',"PGP_CHECK debug - $fname($type) encrypted = $encrypted");

if ( $fname =~ /.pgp$/i )
  {
  $encrypted=1;		# assume any .PGP file is encrypted
  md_syslog('debug',"$MsgID: PGP - return 0 on $fname($type), .PGP attachment assumed to be OK, $Sender to @Recipients, Subject=$Subject\n");
  return 0;
  }

# get the entity body as an array of lines so we can examine it
my $body = $entity->bodyhandle;
my @bodylines = $body->as_lines;
my $bodysize= scalar @bodylines;

# very small parts are unlikely to be a security risk, so ignore them
if ( $bodysize < 3 )
  {
  md_syslog('debug',"PGP_CHECK - minimal body, return -1, bodylines=$bodysize");
  return -1;
  }

my $pgpstart = scalar grep /--BEGIN/,@bodylines;
$pgpstart += scalar grep / PGP /,@bodylines;
$pgpstart -= scalar grep / PGP SIGN/,@bodylines;
my $pgpend = scalar grep /--END/,@bodylines;

if ( $pgpstart > 5 )
  {
  md_syslog('debug',"PGP_CHECK - PGP found, but too far into message - pgpstart=$pgpstart, pgpend=$pgpend, bodylines=$bodysize");
  return -2;
  }

if ( $type eq "text/html" )
  {
  # encrypted if PGP boundaries found
  if ( ($pgpstart + $pgpend > 2)  && ($pgpstart < $pgpend) )
    {
    $encrypted=1;
    md_syslog('debug',"PGP_CHECK - return 0, html part detected to be encrypted with pgpstart=$pgpstart, pgpend=$pgpend, bodylines=$bodysize");
    return 0 ;
    }
  else
    {
    $encrypted=0;
    md_syslog('debug',"PGP_CHECK - html part NOT encrypted, return -3, pgpstart=$pgpstart, pgpend=$pgpend, bodylines=$bodysize");
    return -3 ;
    }
  }

if ( $encrypted)
  {
  md_syslog('info',"$MsgID: PGP_CHECK detected encrypted part from $Sender, $fname,$ext,$type");
  ($decrypted_entity, $result) = $gpg->decrypt (
             entity     => $entity,
             passphrase => $pass 
             );
	     
  md_syslog('info',"$MsgID: PGP_CHECK decryption completed on $fname,$ext,$type");
  $stderr_sref         = $result->get_gpg_stderr;
  $decryption_ok       = $result->get_enc_ok;
  if ( defined ($decrypted_entity))
    {
    md_syslog('debug',"Entity defined - Decryption: $decryption_ok, STDERR: $$stderr_sref");
    }
  else
    {
    md_syslog('debug',"Entity NOT defined - Decryption: $decryption_ok, STDERR: $$stderr_sref");
    }
  
  if ( defined ($decrypted_entity))
    {
    $decryption_ok       = $result->get_enc_ok;
    $encryption_key_id   = $result->get_enc_key_id;
    $encryption_mail     = $result->get_enc_mail;
    $signed              = $result->get_is_signed;
    $signature_ok        = $result->get_sign_ok;
    $signed_key          = $result->get_sign_key_id;
    $signed_mail         = $result->get_sign_mail;
    $signed_mail_aliases = $result->get_sign_mail_aliases;
    $stdout_sref         = $result->get_gpg_stdout;
    $stderr_sref         = $result->get_gpg_stderr;
    $gpg_exit_code       = $result->get_gpg_rc;
    md_syslog('info',"$MsgID: PGP_CHECK decrypted part from $Sender, Subj=$Subject, $fname,$ext,$type, result=$decryption_ok, keyid=$encryption_key_id,keymail=$encryption_mail");
  
    if ($decryption_ok)
      {
      ($key_id, $key_mail) = $gpg->query_keyring ( search => $encryption_key_id );
      $encrypter="$key_mail/$encrytion_mail/$key_id";
      if ($signed)
        {
        $signer="$signed_mail/$signed_key";
        }
      $i=1;
      $keyrecips="";
      foreach $line( split(/\n/,$$stderr_sref) )
        {
        if ( $line =~ /encrypted with/ )
          {
          @words = split / /, $line;
          $key= $words[7];
          $key=~ s/,//g;
	  if ( defined ($key) )
	    {
            $keyrecips=$keyrecips."$i: $key";
	    }
	  else
	    {
	    $keyrecips=$keyrecips."$i: unknown key";
	    }
          ($key_id, $key_mail) = $gpg->query_keyring ( search => $key );
          $keyrecips=$keyrecips."/$key_mail ";
          $i++;
          }
        }
      md_syslog('debug',"$MsgID: PGP - $Sender,@Recipients,$Subject,$encrypter,$signer,$keyrecips");
      if ($keyrecips =~ /Ionix Pharmaceuticals Ltd/ )
	{
        md_syslog('debug',"$MsgID: PGP - return 0 on $fname($type), Ionix key decrypts $Sender to @Recipients, Subject=$Subject\n");
        return 0;
	}
      else
	{
        md_syslog('debug',"$MsgID: PGP - return 2 on $fname($type), No key to decrypt $Sender to @Recipients, Subject=$Subject\n");
        return 2;
	}
      }
    else
      {
      md_syslog('debug',"$MsgID: PGP_CHECK - return 1 on $fname($type), cannot decrypt");
      return 1;	
      }
    }	# if decrypted OK
  else
    {
    md_syslog('debug',"$MsgID: PGP - return 2 on $fname($type), No key to decrypt $Sender to @Recipients, Subject=$Subject\n");
    return 2;
    }
  }
else
  {
  md_syslog('debug',"$MsgID: PGP - return -3 on $fname($type), not encrypted (encrypted=$encrypted) $Sender to @Recipients, Subject=$Subject ");
  return -3;
  }
}