Hi Steve,

> > I need to send a message to a Netscape user (S/MIME), and encrypt
> > it using the cert he's sent me in a signed message.   (In other
> > words, I want my script to behave like another Netscape Mail).
> > I'm using SSLeay 0.9.0b.
> > 
> > Presumably I would extract his public key from the PKCS-7 Signature
> > (smime.p7s) using "ssleay pkcs7".  What would be the steps involved here?


Thanks for your detailed message on this subject.  I didn't realize
it was such a complicated matter (frankly, I assumed someone was
already doing this!)

At the moment I don't have the wherewithal to put this together myself,
so I may have to resort to PGP (ugh).  It would be really nice to be
able to send encrypted mail to a NS(S/MIME) user, using her cert.

Again, thanks,
 -Ted.



> I know encrypted S/MIME mail is not supported in SSLeay 0.9.X: to
> support it I had to write a (commercial) external library. 
> 
> I haven't had a chance to check OpenSSL; there's *something* unusual
> looking in crypto/pkcs7, I'm not sure if it works. I'm pretty sure it
> can't handle RC2 though because the ASN.1 stuff is broken. It might
> handle 3DES but I haven't had a chance to test it.
> 
> There isn't a simple command line utility to do it though.
> 
> The technique goes something like this: find the signing certificate
> from the signed PKCS#7 structure and get its public key, verify (at
> least part) of the signature and extract the supported algorithms from
> the authenticated (signed) attributes.
> 
> Then select the most appropriate (usually strongest) supported
> encryption. Generate a random secret symmetric key and IV and encrypt
> the content with it. Insert the IV and various bits into an
> AlgorithmIdentifier and encrypt the secret key with the certificate
> public key. Add all these bits into a PKCS#7 envelopedData structure,
> base64 encode and add MIME headers. It is normal practice to also add an
> equivalent structure for the sender's certificate so the sender can read
> it later.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]