JavaMail Crypto and Digital IDs.


smirks

Hi everyone,

I am using JavaMail-Crypto together with BouncyCastle's S/MIME
implementation to send signed email messages from within a Java
application.

I use the following code to send a signed message:

import java.io.File;
import java.io.FileInputStream;
import java.security.Key;
import java.util.Properties;

import javax.mail.Message;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

// javamail-crypto classes
import net.suberic.crypto.EncryptionKeyManager;
import net.suberic.crypto.EncryptionManager;
import net.suberic.crypto.EncryptionUtils;

public static void sendSigned(String from, String to, String subject, String body)
        throws Exception
{
    // Get session
    Properties props = System.getProperties();
    props.setProperty("mail.smtp.host", "myhost");
    Session session = Session.getInstance(props, null);

    // Create message
    MimeMessage message = new MimeMessage(session);
    message.setFrom(new InternetAddress(from));
    String[] recipients = to.split(",");
    for (String recipient : recipients)
    {
        message.addRecipient(Message.RecipientType.TO,
                new InternetAddress(recipient.trim()));
    }
    message.setSubject(subject);

    // Add message body
    message.setText(body);

    // Digitally sign email: load the private key from the PFX (PKCS#12) file
    EncryptionUtils smimeUtils =
        EncryptionManager.getEncryptionUtils(EncryptionManager.SMIME);
    EncryptionKeyManager smimeKeyMgr = smimeUtils.createKeyManager();
    char[] smimePw = "my_password".toCharArray();
    try (FileInputStream keystoreIn = new FileInputStream(new File("mycert.pfx")))
    {
        smimeKeyMgr.loadPrivateKeystore(keystoreIn, smimePw);
    }
    Key smimeKey = smimeKeyMgr.getPrivateKey("mykey", smimePw);
    message = smimeUtils.signMessage(session, message, smimeKey);

    // Send email
    Transport.send(message);
}

I exported the PFX file from Internet Explorer and it includes my
private key.

The above code seems to work. When I send a mail to myself and check my
mail from within Outlook on the machine where my Thawte digital ID
certificate is installed, Outlook recognises the signed message
correctly and states that the digital ID is valid.

On the other hand, when I send my signed message to any other user that
does not have my public key certificate installed, Outlook recognises
the mail as signed but states that it cannot validate the signature.
The exact error I get is:

Error:
The system cannot validate the certificate used to create this
signature because the issuer's certificate is either unavailable or
invalid.
The system cannot determine whether the certificate used to create this
signature is trusted or not.
Signed by (e-mail address removed) using RSA/SHA1 at 13:43:39
04/08/2005.

The strange thing is that if I send a digitally signed email from
within Outlook (rather than from my code) to another person who does
NOT have my public key certificate installed, it works fine!

I noticed that Outlook also sends the required public key certificate
with each email but I couldn't find a way of doing that from within my
code. I tried to make the email a multipart message and to attach a
public key certificate (.p7b) exported from the system as a body part
within the message, but couldn't quite get it to work.

Could anyone please help? I can't quite figure out what I'm doing
wrong...

Regards,
Clyde
 

Roedy Green

On the other hand, when I send my signed message to any other user that
does not have my public key certificate installed, Outlook recognises
the mail as signed but states that it cannot validate the signature.
The exact error I get is:

Does S/MIME not optionally send the public key with each message?
Perhaps that is the problem.
 

Roedy Green

I noticed that Outlook also sends the required public key certificate
with each email but I couldn't find a way of doing that from within my
code. I tried to make the email a multipart message and to attach a
public key certificate (.p7b) exported from the system as a body part
within the message, but couldn't quite get it to work.

Use JavaMail to discover the format of the message that Outlook sends
which includes the public key. That may give you a hint. It may just
be a part of the multipart message with some special MIME encoding.

Sorry I can't help you more specifically. I use Eudora which does not
support S/MIME. All the plug-in vendors seem to have died or withdrawn
their Eudora products.
 

Mike Amling

smirks said:
On the other hand, when I send my signed message to any other user that
does not have my public key certificate installed, Outlook recognises
the mail as signed but states that it cannot validate the signature.
The exact error I get is:

Error:
The system cannot validate the certificate used to create this
signature because the issuer's certificate is either unavailable or
invalid.
The system cannot determine whether the certificate used to create this
signature is trusted or not.
Signed by (e-mail address removed) using RSA/SHA1 at 13:43:39
04/08/2005.

If the receiver doesn't have (either received with the message or
known beforehand) the entire certificate chain, or if the receiver does
not have the Certificate Authority's certificate in its list of trusted
Certificate Authority certificates, then the receiver should not regard
the message's signature as verified. Of course, there may be
implementations that deviate from good practice.
The strange thing is that if I send a digitally signed email from
within Outlook (rather than from my code) to another person who does
NOT have my public key certificate installed, it works fine!

Do both receivers trust the entire chain of certificates?
I noticed that Outlook also sends the required public key certificate
with each email but I couldn't find a way of doing that from within my
code.

You could look at the data sent by the implementation that works.
E.g., use a cooperative e-mail server or send it through a logging proxy.
I tried to make the email a multipart message and to attach a
public key certificate (.p7b) exported from the system as a body part
within the message, but couldn't quite get it to work.

Is that technique from the S/MIME RFC?

--Mike Amling
 

Mike Amling

Roedy said:
does not S/MIME optionally send the public key with each message?
Perhaps that is the problem.

S/MIME won't send just the public key (which could be altered in
transit). It can send the certificate of the sender, and optionally the
entire certificate chain up through the Certificate Authority's
self-signed certificate. That Certificate Authority may or may not be
trusted by the receiver.

--Mike Amling
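The following is an added example, not code from the original post and not part of javamail-crypto; it goes straight to BouncyCastle's bcmail API (the current jcajce builders rather than the older addSigner/addCertificatesAndCRLs calls) to show the two things this thread turns on: the sender has to put its certificate, and any intermediates, into the SignedData of the multipart/signed message, and the receiver then has to build a path from the signer certificate to one of its own trust anchors. The file name mycert.pfx, alias mykey, password and addresses are placeholders modelled on the post; SHA256withRSA is this example's choice (the post's message used RSA/SHA1); the cacerts path and its "changeit" password are assumptions about the receiver's trust store.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import javax.mail.Session;
import javax.mail.internet.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.SMIMESigned;
import org.bouncycastle.mail.smime.SMIMESignedGenerator;
import org.bouncycastle.util.Store;

public class SmimeChainExample {

    // Sender side: sign the body and embed every certificate the PKCS#12 file stores under
    // the alias (signer certificate first, then whatever intermediates the export included).
    static MimeMessage signWithChain(Session session, String pfxPath, String alias, char[] pw,
            String from, String to, String subject, String body) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfxPath)) {
            ks.load(in, pw);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) throw new IllegalStateException("no certificate under alias " + alias);
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : chain) certs.add((X509Certificate) c);
        SMIMESignedGenerator gen = new SMIMESignedGenerator();
        gen.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder()
                .setProvider("BC").build("SHA256withRSA", key, certs.get(0)));
        gen.addCertificates(new JcaCertStore(certs)); // the certificates travel inside the SignedData
        MimeBodyPart content = new MimeBodyPart();
        content.setText(body);
        MimeMultipart signedPart = gen.generate(content); // multipart/signed, protocol=application/pkcs7-signature
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress(from));
        msg.setRecipients(MimeMessage.RecipientType.TO, InternetAddress.parse(to));
        msg.setSubject(subject);
        msg.setContent(signedPart, signedPart.getContentType());
        return msg;
    }

    // Receiver side, step 1: verify each signature against the certificate carried in the
    // message and return all carried certificates, signer certificate first.
    static List<X509Certificate> verifyAndExtract(MimeMessage msg) throws Exception {
        SMIMESigned signed = new SMIMESigned((MimeMultipart) msg.getContent());
        Store<X509CertificateHolder> store = signed.getCertificates();
        JcaX509CertificateConverter conv = new JcaX509CertificateConverter().setProvider("BC");
        List<X509Certificate> carried = new ArrayList<>();
        for (SignerInformation signer : signed.getSignerInfos().getSigners()) {
            Collection<X509CertificateHolder> match = store.getMatches(signer.getSID());
            if (match.isEmpty()) throw new SecurityException("message does not carry the signer's certificate");
            X509CertificateHolder holder = match.iterator().next();
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(holder))) {
                throw new SecurityException("signature does not verify");
            }
            carried.add(conv.getCertificate(holder));
        }
        for (X509CertificateHolder h : store.getMatches(null)) {
            X509Certificate c = conv.getCertificate(h);
            if (!carried.contains(c)) carried.add(c);
        }
        return carried;
    }

    // Receiver side, step 2 (the step Outlook reports as failing): build a path from the
    // signer certificate to one of the receiver's trust anchors using only the carried certificates.
    static boolean chainsToAnchor(List<X509Certificate> carried, KeyStore trustAnchors) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(carried.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(carried)));
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetch
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return true;
        } catch (CertPathBuilderException e) {
            return false; // the "issuer's certificate is either unavailable or invalid" case
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        MimeMessage msg = signWithChain(Session.getInstance(new Properties()), "mycert.pfx", "mykey",
                "my_password".toCharArray(), "sender@example.com", "recipient@example.com", "signed test", "Hello");
        List<X509Certificate> carried = verifyAndExtract(msg);
        for (X509Certificate c : carried) System.out.println("carried: " + c.getSubjectX500Principal());
        // Assumed receiver trust store: the JRE's cacerts file with its default password.
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            anchors.load(in, "changeit".toCharArray());
        }
        System.out.println("chains to a trust anchor: " + chainsToAnchor(carried, anchors));
    }
}
```

If the "carried:" lines show only one certificate, the PFX itself holds no intermediates, so there is nothing for addCertificates to embed: the Windows export wizard only includes them when "Include all certificates in the certification path if possible" is ticked, and `openssl pkcs12 -in mycert.pfx -nokeys` shows exactly which certificates a PFX contains. The same verifyAndExtract can be run on a message saved from Outlook (`new MimeMessage(session, new FileInputStream("saved.eml"))`) to see which certificates the working implementation sends, which is the comparison suggested above.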
 
javamail-crypto

I have some problems with javamail-crypto. Would someone please send an example to me: (e-mail address removed), or on MSN: (e-mail address removed)

Thanks everyone.
 
