Theodore Hope wrote:
> 
> I need to send a message to a Netscape user (S/MIME), and encrypt
> it using the cert he's sent me in a signed message.   (In other
> words, I want my script to behave like another Netscape Mail).
> I'm using SSLeay 0.9.0b.
> 
> Presumably I would extract his public key from the PKCS-7 Signature
> (smime.p7s) using "ssleay pkcs7".  What would be the steps involved here?
> 
> I know the answer to this is very simple, but I find myself unable
> to put together all the appropriate pieces.
> 

I know encrypted S/MIME mail is not supported in SSLeay 0.9.X: to
support it I had to write a (commercial) external library. 

I haven't had a chance to check OpenSSL; there's *something* unusual
looking in crypto/pkcs7, and I'm not sure if it works. I'm pretty sure it
can't handle RC2 though, because the ASN.1 stuff is broken. It might
handle 3DES, but I haven't had a chance to test it.

There isn't a simple command line utility to do it though.

The technique goes something like this: find the signing certificate
in the signed PKCS#7 structure and get its public key, verify (at
least part of) the signature, and extract the supported algorithms from
the authenticated (signed) attributes.

Then select the most appropriate (usually strongest) supported
encryption. Generate a random secret symmetric key and IV and encrypt
the content with it. Insert the IV and various bits into an
AlgorithmIdentifier and encrypt the secret key with the certificate
public key. Add all these bits into a PKCS#7 envelopedData structure,
base64 encode and add MIME headers. It is normal practice to also add an
equivalent structure for the sender's certificate so the sender can read
it later.

Some (most?) of this may be already in place but I haven't had a chance
to look over it yet.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED]
NOTE NEW (13/12/98) PGP key: via homepage.

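The procedure Steve sketches, as an added example that is not part of the original thread and not SSLeay or OpenSSL project code: it walks each of his steps using the "smime" subcommand of a modern OpenSSL (the command-line utility he says was missing at the time), which generates the random content key and IV, wraps the key under each recipient's public key, builds the envelopedData and adds the base64 and MIME framing for you. The self-signed certificates, the example.test addresses and the message bodies are all constructed here, and the script assumes an "openssl" binary (1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from SSLeay: Steve's
# envelope procedure carried out end to end with the "smime" subcommand of
# a modern OpenSSL (absent in SSLeay 0.9.x).  All keys, certificates and
# messages are constructed on the fly in a scratch directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixture: a self-signed certificate and key for party $1.
mkcert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Constructed fixture: the signed message the recipient sent us.  By
# default openssl adds an SMIMECapabilities signed attribute listing the
# ciphers the signer can decrypt, which is what step 2 reads back.
make_signed_message() {
    printf 'Here is my certificate.\r\n' > "$WORK/plain_signed.txt"
    openssl smime -sign -in "$WORK/plain_signed.txt" \
        -signer "$WORK/recipient.crt" -inkey "$WORK/recipient.key" \
        -out "$WORK/signed.eml"
}

# Step 1: check the signature and pull the signer certificate out of the
# PKCS#7 signedData into peer.crt.  -noverify skips chain validation (no
# CA in this toy setup); the signature over the content is still checked
# and the command fails if it does not match.
extract_signer_cert() {
    openssl smime -verify -noverify -in "$WORK/signed.eml" \
        -signer "$WORK/peer.crt" -out /dev/null 2>/dev/null
}

# Step 2: list the ciphers advertised in the authenticated SMIMECapabilities
# attribute, one name per line in the signer's order of preference.
list_smime_caps() {
    openssl smime -pk7out -in "$WORK/signed.eml" |
        openssl asn1parse -inform PEM |
        grep -oE ':(aes-[0-9]+-cbc|des-ede3-cbc|rc2-cbc|des-cbc)$' |
        cut -c2-
}

# Step 3: pick the strongest cipher the peer supports; 3DES is the fallback.
choose_cipher() {
    if list_smime_caps | grep -qx aes-256-cbc; then echo -aes256
    elif list_smime_caps | grep -qx des-ede3-cbc; then echo -des3
    else echo 'no usable cipher advertised' >&2; return 1
    fi
}

# Step 4: openssl generates the random content key and IV, encrypts the
# content, wraps the key under each listed certificate's public key,
# builds the PKCS#7 envelopedData, base64-encodes it and adds the MIME
# headers.  The sender's own certificate is listed too so he can read
# the message later, as Steve describes.
encrypt_to_peer() {
    printf 'Secret: the meeting is at noon.\r\n' > "$WORK/plain_out.txt"
    openssl smime -encrypt "$(choose_cipher)" -in "$WORK/plain_out.txt" \
        -from sender@example.test -to recipient@example.test \
        -subject 'enveloped test' -out "$WORK/enveloped.eml" \
        "$WORK/peer.crt" "$WORK/sender.crt"
}

# Step 5: open the envelope with a given certificate ($1) and private key ($2).
decrypt_as() {
    openssl smime -decrypt -in "$WORK/enveloped.eml" -recip "$1" -inkey "$2"
}

# Whole exchange: returns 0 only if both the recipient (using the cert we
# recovered from his signature) and the sender can read the message.
smime_roundtrip() {
    mkcert recipient && mkcert sender
    make_signed_message && extract_signer_cert && encrypt_to_peer
    decrypt_as "$WORK/peer.crt" "$WORK/recipient.key" | grep -q 'meeting is at noon' &&
    decrypt_as "$WORK/sender.crt" "$WORK/sender.key" | grep -q 'meeting is at noon'
}

smime_roundtrip && echo "round trip OK, cipher chosen: $(choose_cipher)"
```

The only step a library had to do by hand in 1998 that the CLI still leaves to you is step 3: "openssl smime -encrypt" takes the cipher as a flag and does not read the peer's SMIMECapabilities itself, so a script that wants to honour the peer's advertised list has to parse the signed attributes as list_smime_caps does. Note also that -noverify is used only because the toy setup has no CA; a real mailer must validate the chain of the signing certificate before trusting the public key it contains.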
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
