Maya wrote:
> When I create a signed or encrypted message, I get as input param SMTP header + MIME message.
> Do I have to sign and encrypt both (SMTP header + MIME message) or just the second part?
> What should be the SMTP header of the Signed or(and) Encrypted message?
As others have noted, you have to be careful about cr-lf "\r\n" versus just linefeed "\n". Some tools (network libraries or sendmail) will convert lf to cr-lf, so you don't necessarily need to do anything.

What you called SMTP headers are actually RFC822 headers. In general, you want to have at least From, To, Subject, and Date. Message-ID is also highly recommended. Besides RFC 2822, other helpful references to these headers are http://cr.yp.to/immhf.html and RFC 2076.

For signing, sign just the MIME message, then add any RFC822 headers (From, To, Subject, Date). Note that this means that RFC822 headers are not signed. Some consider this a flaw in the S/MIME standard. You can encapsulate a whole message including headers as an attachment to a wrapper message if you want the headers to be signed.

For encryption, you should already have RFC822 headers as well as MIME headers, but those are not visible after encryption, so you probably want to add them again--but note that headers added after encryption are not secure. You can use dummy headers here if you want.

If you want to sign and encrypt, the proper sequence is:

  1. sign the S/MIME body with the sender's private key
  2. add RFC822 headers
  3. encrypt the result with the recipient's public key
  4. add RFC822 headers
  5. send the result via SMTP

Here are some notes I wrote about using the command-line tool:

For secure email, you need to have MIME and/or RFC822 headers.

  RFC822 (now RFC2822): http://www.rfc-editor.org/rfc/rfc2822.txt
  MIME - RFC2045: http://www.rfc-editor.org/rfc/rfc2045.txt

Also relevant are RFCs 2046-2049, 2183, 2184, 2231, 2387. You probably do not want to read the S/MIME specifications, but if you do, see RFCs 2630 - 2633.

For "smime -sign", the input file must be in MIME format, with MIME headers, but without RFC822 headers. If the file is going to be directly submitted to sendmail, the RFC822 headers need to be added. You can include "-from", "-to" and "-subject" options on the command line with "openssl smime -sign", and the headers will be added after signing. (Input to "openssl smime -sign" cannot be a pipe.)

For "smime -encrypt", the input file must be in MIME format and should have RFC822 headers. If the file is going to be directly submitted to sendmail, the RFC822 headers need to be added, but remember, the headers are added after encryption and are in PLAIN TEXT when the mail is transmitted. That is, headers added after encryption are not secure. You can include "-from", "-to" and "-subject" options on the command line with "openssl smime -encrypt", and the headers will be added after signing.

You can combine the signing and encryption operations as follows:

  hdrs="-from [EMAIL PROTECTED] -to [EMAIL PROTECTED] -subject 'Test'"
  openssl smime -sign -signer kenssignkey.pem -in message.txt $hdrs | openssl smime -encrypt $hdrs larryscert.pem

The output of that could be piped to "sendmail -t".

If the file is just plain text, you can get openssl to include the minimal MIME header of "Content-type: text/plain" by using the "-text" option (for either "smime -sign" or "smime -encrypt"). So, this would work:

  hdrs="-from [EMAIL PROTECTED] -to [EMAIL PROTECTED] -subject 'Test'"
  echo Hi, Larry >t1
  openssl smime -encrypt -in t1 -text $hdrs larryscert.pem | sendmail -t

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
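As an added example (not part of the reply above and not OpenSSL project code), the sign-then-encrypt sequence carried through with throwaway self-signed certificates, then decrypted and verified, checking that the Subject added after encryption is readable on the wire while the inner, signed headers only reappear after decryption. The addresses, certificate subjects and file names are constructed; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: sign-then-encrypt with openssl smime, then decrypt and
# verify. Certificates, addresses and file names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SENDER="sender@example.test"       # constructed addresses
RECIP="recipient@example.test"

# One self-signed cert+key for the sender (signing) and one for the
# recipient (encryption); throwaway, valid for a day.
make_certs() {
  for who in sender recipient; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$who" \
      -keyout "$WORK/$who.key" -out "$WORK/$who.crt" >/dev/null 2>&1
  done
}

# Sign the plain-text body (-text adds the text/plain MIME header), let
# -from/-to/-subject prepend RFC822 headers, then encrypt that whole
# signed message for the recipient and prepend a second set of headers.
# Only the second set is visible on the wire.
build_message() {
  printf 'Hi, Larry\n' > "$WORK/body.txt"
  openssl smime -sign -signer "$WORK/sender.crt" -inkey "$WORK/sender.key" \
    -in "$WORK/body.txt" -text -from "$SENDER" -to "$RECIP" \
    -subject "Signed inner" -out "$WORK/signed.eml"
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
    -from "$SENDER" -to "$RECIP" -subject "Outer plaintext" \
    -out "$WORK/encrypted.eml" "$WORK/recipient.crt"
}

# Succeeds when the post-encryption Subject is readable in the message
# as transmitted and the signed inner Subject is not.
outer_headers_plaintext() {
  grep -q '^Subject: Outer plaintext' "$WORK/encrypted.eml" &&
    ! grep -q 'Signed inner' "$WORK/encrypted.eml"
}

# Decrypt with the recipient's key, verify the signature against the
# sender's cert, and confirm the inner headers and body came through.
recover_inner() {
  openssl smime -decrypt -in "$WORK/encrypted.eml" \
    -recip "$WORK/recipient.crt" -inkey "$WORK/recipient.key" \
    -out "$WORK/decrypted.eml" &&
  openssl smime -verify -in "$WORK/decrypted.eml" -CAfile "$WORK/sender.crt" \
    -out "$WORK/verified.txt" 2>/dev/null &&
  grep -q '^Subject: Signed inner' "$WORK/decrypted.eml" &&
  grep -q 'Hi, Larry' "$WORK/verified.txt"
}
```

Run make_certs, build_message, outer_headers_plaintext and recover_inner in that order; the last two return non-zero if the wire copy leaks the inner Subject or if decryption or signature verification fails.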
