PKCS7 encryption

Question

I require your support. I wanted to do pkcs encryption using my certificate and third party certificate.

I have below components and wanted to have pkcs7 encrypted output file.

Source file : PayFile_143_2300000004_20170508_161457.txt My certificate for signin :

mycertificate.cer and its private key is keyfile.key Third party bank certifiate(public) : public_2017-2018_base64enc.cer

So, If I use below command

openssl smime -sign -signer mycertificate.cer -inkey keyfile.key -in PayFile_143_2300000004_20170508_161457.txt | openssl smime -encrypt -out PayFile_143_2300000004_20170508_161457.txt.smime public_2017-2018_base64enc.cer mycertificate.cer

Will I have the correct output PKCS7 encrypted output file. Kindly let me know.

But when the bank is decrypting it at thier end, they are facing the issue with the header

Below are the logs of decryption provided by the bank

starting ReceiveMsg...
logging in...
login successful
getting decryption key and verification certificate...
decryption key and verification certificate extracted
creating mime session
session created
opening mime envelope
message Content-Type [application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"]
message Content-Description [null]
message Content-Disposition [attachment]
message Content-Transfer-Encoding [base64]
getting mime message content
content handler [oracle.security.crypto.smime.SmimeEnveloped]
---------------------------------------
processing encrypted content
content decrypted
decrypted Content-Type [multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----DA713A069014AEA715F4E38046E2CA0F"]
content handler [oracle.security.crypto.smime.SmimeMultipartSigned]
-Multipart 1-
Multipart Content-Type [multipart/signed; protocol="application/pkcs7-signature";
      boundary="SMS:gW4H/s2Z6GzgMG1DTTNnUi3TmH8="]
Multipart contains [2] body parts
Part 0 Content-Type [text/plain]
Part 0 Content-Description [null]
Part 0 Content-Disposition [null]
Part 0 Content-Transfer-Encoding [null]
Part 0 Content-ID [null]
Part 0 Content-Language [null]
Part 0 Content-MD5 [null]
Part 0 File-Name [null]
Part 0 Header name [], value [20:61]
Part 0 Header name [], value [23B:CRED]
Part 0 Header name [], value [32A:170508RUB100,00]
Part 0 Header name [], value [50K:/40702810200101102376]
Part 0 Header name [???7743170710.???774301001], value [???7743170710.???774301001]
Part 0 Header name [], value [57D://RU044525460.40702840401735933455]
Part 0 Header name [??? ?????????], value [??? ?????????]
Part 0 Header name [115054, ?????????? ???????, ??? 2, ?????], value [115054, ?????????? ???????, ??? 2, ?????]
Part 0 Header name [??????,,RU,], value [??????,,RU,]
Part 0 Header name [], value [59:/40702840401735933455]
Part 0 Header name [???7704662571.???770901001], value [???7704662571.???770901001]
Part 0 Header name [??? "????? ?????? ????? ???????"], value [??? "????? ?????? ????? ???????"]
Part 0 Header name [,??.???????? ???,9], value [,??.???????? ???,9]
Part 0 Header name [??????,,RU,105064], value [??????,,RU,105064]
Part 0 Header name [], value [70:??????????, ???????? ???? ????????? ? ????????????]
Part 0 Header name [], value [71A:SHA]
Part 0 Header name [], value [72:/RPP/61.170508.3.ELEK.170508]
content handler [java.lang.String]
-Multipart 1-
Content-Type=Cp1251
charset=null
writing text mime data to file 
data length=0
data =
done...

Can you please check and let me know where the issue is

Appreciate your help !! Thanks Nikhil

Deathgrip · Answer 1 · 2017-06-05T18:42:08.933

Looks like the bank is decrypting, but cannot parse the SMIME representing the signed file. Is this being sent via email? Have you tried changing the format of the signed file using "-outform PEM"?

openssl smime -sign -signer mycertificate.cer -inkey keyfile.key -in PayFile_143_2300000004_20170508_161457.txt -outform PEM | openssl smime -encrypt -out PayFile_143_2300000004_20170508_161457.txt.smime public_2017-2018_base64enc.cer mycertificate.cer

Here is a short script that sends signed and encrypted messages. Replace the environment variables with the values for you and your bank. Also note I use cert.pem and key.pem. Just my preference so I can easily identify if certificate and key files are in PEM or DER format. This was written and tested on CentOS 7, with OpenSSL 1.0.1e-fips 11 Feb 2013. Postfix is the MTA, so the 'sendmail' command is the 'Postfix to Sendmail compatibility interface'.

#!/bin/bash

FROM="Your Name <email@domain.com>"
FROMCERT=cert.pem
FROMKEY=key.pem
TO=recipient@bank.com
TOCERTS="bankcert.pem cert.pem"
SUBJECT="Signed and Encrypted Email Test - $(date)"

(echo -e "Content-Type: text/plain; charset=windows-1251\n"; cat file.txt) \
| openssl smime -sign \
  -signer ${FROMCERT} \
  -inkey ${FROMKEY} \
| openssl smime -encrypt \
  -from "${FROM}" \
  -to "${TO}" \
  -subject "${SUBJECT}" \
  -des3 \
  ${TOCERTS} \
| sendmail -t -f "${FROM}" -F "${FROM}"

Comments are not for extended discussion; this conversation has been moved to chat. — terdon, Jun 07 '17 at 23:22

PKCS7 encryption

1 Answers1