OWA not verifying emails signed and encrypted by OpenSSL

2014-06-11 Thread Yash Dosi
I am trying to create an android app which can send signed and encrypted
mails using OpenSSL.

So far I am able to send Signed Emails and verify them using both web
browsers and my android apps.

Same is the case with Encryption and Decryption.

But now when I am trying to send signed+encrypted mails from my android
app, the Exchange server is unable to verify/decrypt the mails sent from my
android app.

When I am trying to open these mails using OWA I get this error:

One or more errors occurred while the message was being loaded. Error:
(0x800ccef6)
The digital signature of this message couldn't be validated because an
error occurred while the message was being loaded.


Encryption and signing code:

*Sign Code:*

public static boolean Java_PKCS7Sign(File inputFile, File outputFile,
        PrivateKey privateKey, X509Certificate certificate,
        String signingAlgorithm) {
    try {
        String inputFilePath = inputFile.getAbsolutePath();
        String outputFilePath = outputFile.getAbsolutePath();

        byte arr[] = android.security.Credentials.convertToPem(certificate);
        InputStream certIs = new ByteArrayInputStream(arr);
        OpenSSLX509Certificate openSSLcert =
                OpenSSLX509Certificate.fromX509PemInputStream(certIs);
        byte openSSLcertEncoded[] = openSSLcert.getEncoded();
        long signCertRef = NativeCrypto.d2i_X509(openSSLcertEncoded);

        OpenSSLKey oKey = OpenSSLKey.fromPrivateKey(privateKey);
        long evpKeyRef = oKey.getPkeyContext();

        // boolean res = PKCS7Sign(signCertRef, pkeyRef, certs, bioRef, flags, a, b)
        long arr1[] = new long[0];
        return PKCS7Sign(inputFilePath, signCertRef, evpKeyRef, arr1,
                outputFilePath);
    } catch (Exception e) {
        e.printStackTrace();
    }

    return false;
}

In the above code PKCS7Sign is a JNI call to OpenSSL. And the flags used
for signing are: int flgs = PKCS7_STREAM | PKCS7_DETACHED | PKCS7_BINARY;

*Encrypt Code:*

public static boolean Java_PKCS7encrypt(File inputData, File output,
        X509Certificate[] recipientCertificates, String encryptionAlgorithm) {
    if (!inputData.exists() || !output.exists())
        return false;

    try {
        // Wrap the input file in a BIO that the native code can read from.
        FileInputStream fis = new FileInputStream(inputData);
        OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(fis);
        long bioRef = NativeCrypto.create_BIO_InputStream(bis);

        // Convert every recipient certificate into a native X509 reference.
        int certsRefArrLength = recipientCertificates.length;
        long certsRefArr[] = new long[certsRefArrLength];
        for (int i = 0; i < certsRefArrLength; i++) {
            byte arr[] =
                    android.security.Credentials.convertToPem(recipientCertificates[i]);
            InputStream certIs = new ByteArrayInputStream(arr);
            OpenSSLX509Certificate openSSLcert =
                    OpenSSLX509Certificate.fromX509PemInputStream(certIs);
            byte openSSLcertEncoded[] = openSSLcert.getEncoded();
            certsRefArr[i] = NativeCrypto.d2i_X509(openSSLcertEncoded);
        }

        String outputFilePath = output.getAbsolutePath();

        return PKCS7encrypt(bioRef, certsRefArr, outputFilePath,
                encryptionAlgorithm);

    } catch (FileNotFoundException e) {
        e.printStackTrace();
    } catch (CertificateEncodingException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    } catch (Exception e) {
        e.printStackTrace();
    }
    return false;
}

Same as in the case of signing, PKCS7encrypt is a JNI call to OpenSSL. And the
flags used are:

int flags = PKCS7_STREAM | PKCS7_BINARY;

And cipher used for encryption is cipher = EVP_rc2_40_cbc();

Any pointers about my mistake?


Dynamically User Selection of signing algorithm.

2014-06-10 Thread Yash Dosi
Hi All,

I am creating an android app which can perform basic email security
operations like encryption, decryption, signing and verification. So far I
am able to perform all 4 operations successfully. But one thing I still
haven't figured out is how to specify Signing Algorithm at runtime.

I mean I want to have a drop-down list from which the user can select the
signing algorithm.

I know how to do this in case of encryption. But for signing we are not
specifying any algorithm in the PKCS7_Sign function call. So how do I
mention which signing algorithm I should use while signing the mail?

Thanks in advance!


How to decrypt smime.p7m file in DER format using OpenSSL in C code.

2014-06-05 Thread Yash Dosi
Hi All,

I am trying to decrypt emails using openssl.

I am getting smime.p7m file from the server. But it is in DER format.

I can decrypt this file using command prompt, with the command

openssl smime -decrypt -in openssl_working_smime.p7m -inform DER -inkey mycert.pem > dec_mail.eml

But now I want to do this using C code.

Right now I am trying to do using -

SMIME_read_PKCS7()

But this returns null with

SMIME_read_ASN1:no content type:asn_mime.c:451:

error

Any ideas how to do it?
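
Added example, not part of the original post: `SMIME_read_PKCS7()` parses a MIME entity and needs a Content-Type header, whereas a raw DER `smime.p7m` (what `-inform DER` handles on the command line) is loaded with `d2i_PKCS7_bio()`. The dependency-free sketch below, whose helper names are hypothetical, classifies a buffer so the caller can choose the matching loader before calling `PKCS7_decrypt()`.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper names; only the DER rules and OID bytes are standard. */
enum p7_input { P7_UNKNOWN, P7_MIME, P7_DER_SIGNED, P7_DER_ENVELOPED, P7_DER_OTHER };

/* OID 1.2.840.113549.1.7 (pkcs-7); one more byte selects the content type. */
static const unsigned char PKCS7_ARC[8] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07 };

/* Size of the length field at p (n bytes available); 0 if malformed. */
static size_t length_field_size(const unsigned char *p, size_t n)
{
    if (n == 0) return 0;
    if (p[0] <= 0x80) return 1;      /* short form, or 0x80 = indefinite (BER) */
    size_t k = p[0] & 0x7F;          /* long form: k length bytes follow */
    return (k <= 4 && n > k) ? 1 + k : 0;
}

/* True if a header line starts with "Content-Type:" (case-insensitive). */
static int has_content_type(const unsigned char *p, size_t n)
{
    static const char key[] = "content-type:";
    for (size_t i = 0; i + (sizeof key - 1) <= n; i++) {
        size_t j = 0;
        if (i != 0 && p[i - 1] != '\n') continue;   /* only at line starts */
        while (j < sizeof key - 1 && tolower(p[i + j]) == key[j]) j++;
        if (j == sizeof key - 1) return 1;
    }
    return 0;
}

/* Decide which loader fits: MIME -> SMIME_read_PKCS7, DER -> d2i_PKCS7_bio. */
enum p7_input classify_p7(const unsigned char *buf, size_t len)
{
    if (len < 2 || buf[0] != 0x30)               /* not a ContentInfo SEQUENCE */
        return has_content_type(buf, len) ? P7_MIME : P7_UNKNOWN;
    size_t lf = length_field_size(buf + 1, len - 1);
    size_t off = 1 + lf;                         /* start of contentType OID */
    if (lf == 0 || len < off + 11 || buf[off] != 0x06 || buf[off + 1] != 0x09 ||
        memcmp(buf + off + 2, PKCS7_ARC, 8) != 0)
        return P7_UNKNOWN;
    switch (buf[off + 10]) {                     /* last OID byte */
    case 2:  return P7_DER_SIGNED;               /* signedData */
    case 3:  return P7_DER_ENVELOPED;            /* envelopedData (encrypted) */
    default: return P7_DER_OTHER;
    }
}
```

A bare base64 body with no MIME headers classifies as `P7_UNKNOWN`; that is the input shape for which `SMIME_read_PKCS7()` reports "no content type".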


Re: OpenSSL Bouncy Castle Compatibilty Problem

2014-06-03 Thread Yash Dosi
);
    byte openSSLcertEncoded[] = openSSLcert.getEncoded();
    long certRef = NativeCrypto.d2i_X509(openSSLcertEncoded);
    OpenSSLKey oKey = OpenSSLKey.fromPrivateKey(privateKey);
    long evpKeyRef = oKey.getPkeyContext();

    String outfile = "/storage/sdcard0/decrypt_output.txt";

    int flags = 0;

    int ret = PKCS7decrypt(inFile, evpKeyRef, certRef, outfile, flags, 23, 54);
    Log.i(TAG, "Decrypt Returns: " + ret);
} catch (FileNotFoundException e) {
    e.printStackTrace();
} catch (Exception e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
}

*Native Code*
JNIEXPORT int JNICALL Java_xyz_MainActivity_PKCS7decrypt(JNIEnv *env,
        jobject thiz, jstring inFile, jlong pKeyRef, jlong certRef,
        jstring outfile, jint flags, jint a, jint b) {

    const char* nativeInFile = env->GetStringUTFChars(inFile, 0);
    const char* nativeOutFile = env->GetStringUTFChars(outfile, 0);
    __android_log_print(ANDROID_LOG_DEBUG, "OpenSSLJni", "\npKeyRef: %lu",
            (unsigned long)pKeyRef);
    __android_log_print(ANDROID_LOG_DEBUG, "OpenSSLJni", "\ncertRef: %lu",
            (unsigned long)certRef);
    __android_log_print(ANDROID_LOG_DEBUG, "OpenSSLJni", "\nbioRef: %s",
            nativeOutFile);
    __android_log_print(ANDROID_LOG_DEBUG, "OpenSSLJni", "\nflags: %lu",
            (unsigned long)flags);

    // The jlong handles passed from Java are native pointers.
    EVP_PKEY *pKey = reinterpret_cast<EVP_PKEY *>(static_cast<uintptr_t>(pKeyRef));
    X509 *cert = reinterpret_cast<X509 *>(static_cast<uintptr_t>(certRef));

    // SMIME_read_PKCS7 parses a MIME-wrapped message and returns NULL on failure.
    BIO *in = BIO_new_file(nativeInFile, "r");
    PKCS7 *p7 = in ? SMIME_read_PKCS7(in, NULL) : NULL;

    // Open the output file once, through the BIO only.
    BIO *out = BIO_new_file(nativeOutFile, "w");
    int flgs = 0;

    // Decrypt only if the input parsed and the output could be opened.
    int res = 0;
    if (p7 && out) {
        res = PKCS7_decrypt(p7, pKey, cert, out, flgs);
        int biof = BIO_flush(out);
        if (biof != 1) {
            __android_log_print(ANDROID_LOG_DEBUG, "OpenSSLJni", "\nBio_flush failure.");
        } else {
            __android_log_print(ANDROID_LOG_DEBUG, "OpenSSLJni", "\nBio_flush success.");
        }
    }

    // Report the OpenSSL error before cleanup.
    int ret = res ? (int)a + (int)b : -1;
    if (!res) {
        printError();
    }

    // Release native objects and JNI strings on every path.
    PKCS7_free(p7);
    BIO_free(in);
    BIO_free(out);
    env->ReleaseStringUTFChars(inFile, nativeInFile);
    env->ReleaseStringUTFChars(outfile, nativeOutFile);
    return ret;
}

Is there anything else that you can think of that might help identify where
the problem actually is?



On Tue, Jun 3, 2014 at 3:13 AM, Kyle Hamilton aerow...@gmail.com wrote:

 My understanding from what you're saying is that you can successfully
 encrypt with OpenSSL, but BouncyCastle is failing to decrypt it.

 What is the version of OpenSSL that you're using?
 What is the version of BouncyCastle that you're using?  What version of
 javamail are you using with it?
 Which crypto library is the server using, and what version?
 Have you ensured that the private key to the certificate you're using is
 available in every place you're trying to decrypt it?
 Can you decrypt the mail with OpenSSL in the place where you have
 encrypted it (not using the command line, but using the API)?
 Can you encrypt with BouncyCastle and have OpenSSL decrypt it?  What kind
 of keypair and certificate are you using?  What tool was used to create
 it?  Does the certificate chain verify?
 What are the error messages (or exceptions) you're receiving?
 What is the command line that you're using to decrypt it?  What is the
 code you're using to encrypt the mail?  What is the code you're using to
 decrypt the mail?

 Is there anything else that you can think of that might help identify
 where the problem actually is?

 BouncyCastle relies on javamail for mail parsing.  You may need to include
 email headers and wrap the entire thing in a MIME-formatted wrapper to
 avoid choking javamail.  If this is the case, I perceive it is a bug in
 BouncyCastle, as it explicitly exceeds the scope of the BER structures that
 CMS and prior S/MIME versions work with.  I also perceive it as not a bug
 in OpenSSL, for the same reason.

 -Kyle H



 On Mon, Jun 2, 2014 at 2:30 AM, Yash Dosi yashd...@gmail.com wrote:


 Hi All,

 I am trying to replace Bouncy Castle with OpenSSL for some of the
 operations in my android app.

 Right now, I can successfully encrypt a mail using OpenSSL and send it.
 But the problem comes when you are trying to decrypt the same email. I
 can't decrypt it on both the server as well as using bouncy castle.

 I am using the same certificate for both encryption and decryption. And
 when I try to decrypt OpenSSL encrypted content using OpenSSL Command Line,
 I don't face any problem.

 Any ideas what could be the issue?

 --
 Yash Dosi.





OpenSSL Bouncy Castle Compatibilty Problem

2014-06-02 Thread Yash Dosi
Hi All,

I am trying to replace Bouncy Castle with OpenSSL for some of the operations
in my android app.

Right now, I can successfully encrypt a mail using OpenSSL and send it.
But the problem comes when you are trying to decrypt the same email. I can't
decrypt it on both the server as well as using bouncy castle.

I am using the same certificate for both encryption and decryption. And
when I try to decrypt OpenSSL encrypted content using OpenSSL Command Line,
I don't face any problem.

Any ideas what could be the issue?

--
Yash Dosi.