Discussion:
Question about how to export certificates for S/MIME
Jeff Stedfast
2013-11-03 02:47:27 UTC
Permalink
Hey all,

It's taken me longer than I had hoped to implement S/MIME in MimeKit using
Bouncy Castle, but I'm getting there...

I'm presently stuck on importing and exporting certificates from a
"certs-only" message.

rfc2633 says this about generating a certs-only application/pkcs7-mime part:

3.6 Creating a Certificates-only Message
The certificates only message or MIME entity is used to transport
certificates, such as in response to a registration request. This
format can also be used to convey CRLs.
Step 1. The certificates are made available to the CMS generating
process which creates a CMS object of type signedData. The signedData
encapContentInfo eContent field MUST be absent and signerInfos field
MUST be empty.
Step 2. The CMS signedData object is enclosed in an
application/pkcs7-mime MIME entity
The smime-type parameter for a certs-only message is "certs-only".
The file extension for this type of message is ".p7c".
As far as I understand it, I need to use a CmsSignedDataGenerator like this:

var cms = new CmsSignedDataGenerator ();
cms.AddCertificates (certificates);

var signedData = cms.Generate (new CmsProcessableByteArray (new byte[0]));
var rawData = signedData.GetEncoded ();

I can then stuff that raw data into an application/pkcs7-mime;
smime-type=certs-only mime part.

Assuming that is correct, I've got the following code to parse that raw
data:

var parser = new CmsSignedDataParser (rawData);
var certs = parser.GetCertificates ("Collection");
var store = parser.GetSignerInfos ();

foreach (SignerInformation signerInfo in store.GetSigners ()) {
var matches = certs.GetMatches (signerInfo.SignerID);

foreach (X509Certificate certificate in matches) {
certificates.Add (certificate);
}
}

The problem I'm running into is that I'm hitting the following exception in
the CmsSignedDataParser constructor:

Org.BouncyCastle.Cms.CmsException: no digests could be created for message.
at Org.BouncyCastle.Cms.CmsSignedDataParser..ctor(CmsTypedStream
signedContent, Stream sigData) in
C:\Users\jeff\Documents\Projects\bc-csharp\crypto\src\cms\CMSSignedDataParser.cs:line
176
at Org.BouncyCastle.Cms.CmsSignedDataParser..ctor(Stream sigData) in
C:\Users\jeff\Documents\Projects\bc-csharp\crypto\src\cms\CMSSignedDataParser.cs:line
92
at Org.BouncyCastle.Cms.CmsSignedDataParser..ctor(Byte[] sigBlock) in
C:\Users\jeff\Documents\Projects\bc-csharp\crypto\src\cms\CMSSignedDataParser.cs:line
76
at UnitTests.DummySecureMimeContext.ImportKeys(Byte[] rawData) in
c:\Users\jeff\Documents\Projects\MimeKit\UnitTests\DummySecureMimeContext.cs:line
174
at MimeKit.Cryptography.ApplicationPkcs7Mime.Import(CryptographyContext
ctx) in
c:\Users\jeff\Documents\Projects\MimeKit\MimeKit\Cryptography\ApplicationPkcs7Mime.cs:line
214
at UnitTests.SecureMimeTests.TestSecureMimeImportExport() in
c:\Users\jeff\Documents\Projects\MimeKit\UnitTests\SecureMimeTests.cs:line
247


Any ideas?

Thanks for any help you guys can offer me,

Jeff
Jeff Stedfast
2013-11-09 15:58:44 UTC
Permalink
Hi all,

Any thoughts on this? Unfortunately I still haven't figured this one out
yet. I'm not sure if I'm misinterpreting the specification, misusing Bouncy
Castle, some combination of the above, or something else entirely.

I'm not sure how common "application/pkcs7-mime; smime-type=certs-only" is
and I haven't figured out how to get Thunderbird to send that type of
message, so all I can go by is my understanding of what the specification
is talking about, which to me, is unfortunately a little vague and
confusing.

Thanks,

Jeff
Post by Jeff Stedfast
Hey all,
It's taken me longer than I had hoped to implement S/MIME in MimeKit using
Bouncy Castle, but I'm getting there...
I'm presently stuck on importing and exporting certificates from a
"certs-only" message.
3.6 Creating a Certificates-only Message
The certificates only message or MIME entity is used to transport
certificates, such as in response to a registration request. This
format can also be used to convey CRLs.
Step 1. The certificates are made available to the CMS generating
process which creates a CMS object of type signedData. The signedData
encapContentInfo eContent field MUST be absent and signerInfos field
MUST be empty.
Step 2. The CMS signedData object is enclosed in an
application/pkcs7-mime MIME entity
The smime-type parameter for a certs-only message is "certs-only".
The file extension for this type of message is ".p7c".
var cms = new CmsSignedDataGenerator ();
cms.AddCertificates (certificates);
var signedData = cms.Generate (new CmsProcessableByteArray (new byte[0]));
var rawData = signedData.GetEncoded ();
I can then stuff that raw data into an application/pkcs7-mime;
smime-type=certs-only mime part.
Assuming that is correct, I've got the following code to parse that raw
var parser = new CmsSignedDataParser (rawData);
var certs = parser.GetCertificates ("Collection");
var store = parser.GetSignerInfos ();
foreach (SignerInformation signerInfo in store.GetSigners ()) {
var matches = certs.GetMatches (signerInfo.SignerID);
foreach (X509Certificate certificate in matches) {
certificates.Add (certificate);
}
}
The problem I'm running into is that I'm hitting the following exception
Org.BouncyCastle.Cms.CmsException: no digests could be created for message.
at Org.BouncyCastle.Cms.CmsSignedDataParser..ctor(CmsTypedStream
signedContent, Stream sigData) in
C:\Users\jeff\Documents\Projects\bc-csharp\crypto\src\cms\CMSSignedDataParser.cs:line
176
at Org.BouncyCastle.Cms.CmsSignedDataParser..ctor(Stream sigData) in
C:\Users\jeff\Documents\Projects\bc-csharp\crypto\src\cms\CMSSignedDataParser.cs:line
92
at Org.BouncyCastle.Cms.CmsSignedDataParser..ctor(Byte[] sigBlock) in
C:\Users\jeff\Documents\Projects\bc-csharp\crypto\src\cms\CMSSignedDataParser.cs:line
76
at UnitTests.DummySecureMimeContext.ImportKeys(Byte[] rawData) in
c:\Users\jeff\Documents\Projects\MimeKit\UnitTests\DummySecureMimeContext.cs:line
174
at MimeKit.Cryptography.ApplicationPkcs7Mime.Import(CryptographyContext
ctx) in
c:\Users\jeff\Documents\Projects\MimeKit\MimeKit\Cryptography\ApplicationPkcs7Mime.cs:line
214
at UnitTests.SecureMimeTests.TestSecureMimeImportExport() in
c:\Users\jeff\Documents\Projects\MimeKit\UnitTests\SecureMimeTests.cs:line
247
Any ideas?
Thanks for any help you guys can offer me,
Jeff
Peter Dettman
2013-11-10 08:08:38 UTC
Permalink
Hi Jeff,
I'll take a look at it. I think what you are trying to do should be
fine, so there may well be some sort of bug here.

Regards,
Pete Dettman.
Post by Jeff Stedfast
Hi all,
Any thoughts on this? Unfortunately I still haven't figured this one
out yet. I'm not sure if I'm misinterpreting the specification,
misusing Bouncy Castle, some combination of the above, or something
else entirely.
Jeff Stedfast
2013-11-10 12:18:50 UTC
Permalink
Thanks Peter, I really appreciate it!

Jeff



On Sun, Nov 10, 2013 at 3:08 AM, Peter Dettman <
Post by Peter Dettman
Hi Jeff,
I'll take a look at it. I think what you are trying to do should be fine,
so there may well be some sort of bug here.
Regards,
Pete Dettman.
Post by Jeff Stedfast
Hi all,
Any thoughts on this? Unfortunately I still haven't figured this one out
yet. I'm not sure if I'm misinterpreting the specification, misusing Bouncy
Castle, some combination of the above, or something else entirely.
Peter Dettman
2013-11-11 04:38:13 UTC
Permalink
Indeed I have fixed what was a bug artificially insisting on there being
at least one digest. Github should have the fix by now (it was a problem
in the Java build too), and there's test coverage for this case now too.
Thanks for reporting it.

Regards,
Pete Dettman
Post by Jeff Stedfast
Thanks Peter, I really appreciate it!
Jeff
On Sun, Nov 10, 2013 at 3:08 AM, Peter Dettman
Hi Jeff,
I'll take a look at it. I think what you are trying to do should
be fine, so there may well be some sort of bug here.
Regards,
Pete Dettman.
Hi all,
Any thoughts on this? Unfortunately I still haven't figured
this one out yet. I'm not sure if I'm misinterpreting the
specification, misusing Bouncy Castle, some combination of the
above, or something else entirely.
Jeff Stedfast
2013-11-11 12:10:35 UTC
Permalink
Awesome! Thanks Peter!

Jeff



On Sun, Nov 10, 2013 at 11:38 PM, Peter Dettman <
Post by Peter Dettman
Indeed I have fixed what was a bug artificially insisting on there being
at least one digest. Github should have the fix by now (it was a problem in
the Java build too), and there's test coverage for this case now too.
Thanks for reporting it.
Regards,
Pete Dettman
Thanks Peter, I really appreciate it!
Jeff
On Sun, Nov 10, 2013 at 3:08 AM, Peter Dettman <
Post by Peter Dettman
Hi Jeff,
I'll take a look at it. I think what you are trying to do should be fine,
so there may well be some sort of bug here.
Regards,
Pete Dettman.
Post by Jeff Stedfast
Hi all,
Any thoughts on this? Unfortunately I still haven't figured this one out
yet. I'm not sure if I'm misinterpreting the specification, misusing Bouncy
Castle, some combination of the above, or something else entirely.
Loading...