Hello,
I've been searching the mail archives for days and poring over the examples in the /demo projects and can't seem to figure this one out on my own. I'm trying to use OpenSSL to encrypt and decrypt S/MIME messages. I'd be happy with decrypt at this point! I am a rookie with encryption and S/MIME, so forgive the massive post, but I wanted to try and explain my situation as best I could.

I have an smime.p7m signed and encrypted file generated by Outlook and an encrypt.p12 with the user certificate, public & private keys. What I've managed to cobble together based on many posts in these archives, the demos and documentation is the following.

    PKCS12 *p12 = NULL;
    EVP_PKEY *pkey;
    X509 *cert;
    STACK_OF(X509) *ca = NULL;
    CMS_ContentInfo *cms = NULL;
    PKCS7 *p7 = NULL;

    char *password = "password";
    char *p12filename = (char*) "encrypt.p12";
    char *p7mfilename = (char*) "smime.p7m";

    BIO *bioP12 = BIO_new (BIO_s_file ());
    if (!bioP12) printf("error BIO_new");
    if (BIO_read_filename (bioP12, p12filename) <= 0) printf("error BIO_read_filename");

    // read in p12 file
    if ((p12 = d2i_PKCS12_bio(bioP12, &p12)) == NULL) printf("p12 error");

    BIO *bioP7M = BIO_new (BIO_s_file ());
    if (!bioP7M) printf("error BIO_new");
    if (BIO_read_filename (bioP7M, p7mfilename) <= 0) printf("error BIO_read_filename");

    // read in p7m file
    if ((cms = d2i_CMS_bio(bioP7M, &cms)) == NULL) printf("smime error");

    // verify the password and extract the private key and certificate
    if (!PKCS12_verify_mac (p12, password, -1)) printf("bad password");
    if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) printf("parse failed");

    BIO *bioSMIME = BIO_new (BIO_s_mem ());
    BIO_set_mem_eof_return(bioSMIME, 0);
    if (!bioSMIME) printf("error BIO_new");

    // decrypt to the data
    if (CMS_decrypt(cms, pkey, cert, NULL, bioSMIME, 0) <= 0) printf("error decrypting");

Up to this point, everything works well.
If I use a File BIO for bioSMIME the CMS_decrypt() produces a text file like this (though I'm using a Memory BIO to try and avoid character encoding issues). I have a sneaking suspicion that the base64 encoding here could be an issue, but I'm not sure how to handle it.

    Content-Type: application/x-pkcs7-mime; name=smime.p7m; smime-type=signed-data
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename=smime.p7m

    MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEakNvbnRl
    bnQtVHlwZTogdGV4dC9wbGFpbjsNCgljaGFyc2V0PSJ1cy1hc2NpaSINCkNvbnRlbnQtVHJhbnNm
    ZXItRW5jb2Rpbmc6IDdiaXQNCg0KVGVzdCBlbmNyeXB0ZWQgbWFpbA0KDQoAAAAAAACgghZKMIIE
    OjCCAyKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5T
    [more of the same here]

Here's where I'm stumped. I've tried using the following but the output file is empty. The SMIME demos suggest this should be pretty simple, so I'm not sure if I'm just missing something obvious.

    if ((cms = SMIME_read_CMS(bioSMIME, &cont)) == NULL) printf("smime error");

    int flags = (CMS_NO_SIGNER_CERT_VERIFY|CMS_NO_ATTR_VERIFY|CMS_NO_CONTENT_VERIFY);
    if (!CMS_verify(dcms, NULL, store, NULL, bioPlain, flags)) printf("error verifying SMIME");

I've also tried the /demo approach of using a PKCS7 object like so, but didn't have any luck there either.

    p7 = SMIME_read_PKCS7(bioSMIME, NULL);
    if (!PKCS7_decrypt(p7, key, cert, bioPLAIN, 0)) printf("pkcs7 error");

I even attempted to extract the raw contents, but I couldn't figure out how to decrypt or convert the ASN1_OCTET string to anything readable.

    BIO *bout = BIO_new(BIO_s_mem());
    char *r;
    long len = BIO_get_mem_data(bout, &r);
    ASN1_OCTET_STRING **content = CMS_get0_content(dcms);
    i2d_ASN1_bio_stream(bout, (ASN1_VALUE*) content, NULL, 0, ASN1_ITEM_rptr(ASN1_OCTET_STRING));
    ASN1_STRING_length(*content);

Sorry for the massive post, but I've been at this for days and I'm just not clear on the right direction.

Thank you!
Toby
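Added example, not part of the original post: a short Python walk over the base64 fragment quoted above, showing that the decrypted body is a BER-encoded CMS signedData structure that carries the text/plain part inside an OCTET STRING. The helper names (`read_tl`, `oid_name`, `inspect`) are illustrative; the walker is deliberately flat and stops at the first element whose length runs past the point where the post truncates the blob.

```python
import base64

# Body lines copied from the post, which cuts the blob off after these four.
SAMPLE_B64 = (
    "MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEakNvbnRl"
    "bnQtVHlwZTogdGV4dC9wbGFpbjsNCgljaGFyc2V0PSJ1cy1hc2NpaSINCkNvbnRlbnQtVHJhbnNm"
    "ZXItRW5jb2Rpbmc6IDdiaXQNCg0KVGVzdCBlbmNyeXB0ZWQgbWFpbA0KDQoAAAAAAACgghZKMIIE"
    "OjCCAyKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5T"
)
OIDS = {"1.2.840.113549.1.7.1": "data",        # names for the OIDs in this fragment
        "1.2.840.113549.1.7.2": "signedData",
        "1.3.14.3.2.26": "sha1"}

def read_tl(buf, pos):
    """Read a BER tag and length; length is None for the indefinite form (0x80)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first <= 0x80:                          # short form, or indefinite marker
        return tag, (None if first == 0x80 else first), pos
    n = first & 0x7F                           # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def oid_name(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)          # base-128, high bit = "more follows"
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)

def inspect(b64_text):
    """Flat walk: return (OID names in order of appearance, OCTET STRING bytes)."""
    buf = base64.b64decode(b64_text)
    pos, oids, content = 0, [], b""
    while pos + 2 <= len(buf):
        tag, length, body = read_tl(buf, pos)
        if length is not None and body + length > len(buf):
            break                              # element runs past the truncated sample
        if tag & 0x20 or length is None:
            pos = body                         # constructed: step inside
            continue
        value = buf[body:body + length]
        if tag == 0x06:                        # OBJECT IDENTIFIER
            oids.append(oid_name(value))
        elif tag == 0x04:                      # OCTET STRING chunk
            content += value
        pos = body + length                    # also consumes 00 00 end-of-contents
    return oids, content
```

`inspect(SAMPLE_B64)` returns the OID names in the order signedData, sha1, data, followed by the 106-byte text/plain part that ends with "Test encrypted mail"; the walk stops at the definite-length `[0]` element that follows, which extends beyond the quoted fragment.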