JavaMail Crypto and Digital IDs.
smirks

2005-08-11, 5:04 pm

Hi everyone,

I am using JavaMail-Crypto together with BouncyCastle's S/MIME
implementation to send signed email messages from within a Java
application.

I use the following code to send a signed message:

import java.io.File;
import java.io.FileInputStream;
import java.security.Key;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import net.suberic.crypto.EncryptionKeyManager;
import net.suberic.crypto.EncryptionManager;
import net.suberic.crypto.EncryptionUtils;

// from, to, subject and body are supplied by the caller
void sendSigned(String from, String to, String subject, String body) throws Exception
{
// Get session
Properties props = System.getProperties();
props.setProperty("mail.smtp.host", "myhost");
Session session = Session.getInstance(props, null);

// Create message
MimeMessage message = new MimeMessage(session);
message.setFrom(new InternetAddress(from));
String[] recipients = to.split(",");
for (String recipient : recipients)
{
message.addRecipient(Message.RecipientType.TO, new InternetAddress(recipient));
}
message.setSubject(subject);

// Add message body
message.setText(body);

// Digitally sign email: load the private key from the PKCS#12 (.pfx) keystore
EncryptionUtils smimeUtils =
EncryptionManager.getEncryptionUtils(EncryptionManager.SMIME);
EncryptionKeyManager smimeKeyMgr = smimeUtils.createKeyManager();
char[] smimePw = "my_password".toCharArray();
try (FileInputStream keystoreIn = new FileInputStream(new File("mycert.pfx")))
{
smimeKeyMgr.loadPrivateKeystore(keystoreIn, smimePw);
}
Key smimeKey = smimeKeyMgr.getPrivateKey("mykey", smimePw);
// Replace the plain message with its signed form (same EncryptionUtils
// instance as above; there is no need to look it up a second time)
message = smimeUtils.signMessage(session, message, smimeKey);

// Send email
Transport.send(message);
}

I exported the PFX file from Internet Explorer and it includes my
private key.

The above code seems to work. When I send a mail to myself and check my
mail from within Outlook on the machine where my Thawte digital ID
certificate is installed, Outlook recognises the signed message
correctly and states that the digital ID is valid.

On the other hand, when I send my signed message to any other user that
does not have my public key certificate installed, Outlook recognises
the mail as signed but states that it cannot validate the signature.
The exact error I get is:

Error:
The system cannot validate the certificate used to create this
signature because the issuer's certificate is either unavailable or
invalid.
The system cannot determine whether the certificate used to create this
signature is trusted or not.
Signed by myaddress@mycompany.com using RSA/SHA1 at 13:43:39
04/08/2005.

The strange thing is that if I send a digitally signed email from
within Outlook (rather than from my code) to another person who does
NOT have my public key certificate installed, it works fine!

I noticed that Outlook also sends the required public key certificate
with each email but I couldn't find a way of doing that from within my
code. I tried to make the email a multipart message and to attach a
public key certificate (.p7b) exported from the system as a body part
within the message, but couldn't quite get it to work.

Could anyone please help? I can't quite figure out what I'm doing
wrong...

Regards,
Clyde

Roedy Green

2005-08-11, 5:04 pm

On 11 Aug 2005 09:03:10 -0700, "smirks" <clyde.ellul@gmail.com> wrote
or quoted :

>On the other hand, when I send my signed message to any other user that
>does not have my public key certificate installed, Outlook recognises
>the mail as signed but states that it cannot validate the signature.
>The exact error I get is:


Does not S/MIME optionally send the public key with each message?
Perhaps that is the problem.
Roedy Green

2005-08-12, 4:02 am

On 11 Aug 2005 09:03:10 -0700, "smirks" <clyde.ellul@gmail.com> wrote
or quoted :

>I noticed that Outlook also sends the required public key certificate
>with each email but I couldn't find a way of doing that from within my
>code. I tried to make the email a multipart message and to attach a
>public key certificate (.p7b) exported from the system as a body part
>within the message, but couldn't quite get it to work.


Use JavaMail to discover the format of that message that Outlook sends
which includes the public key. That may give you a hint. It may just
be a part of the multipart message with some special MIME encoding.

Sorry I can't help you more specifically. I use Eudora which does not
support S/MIME. All the plug-in vendors seem to have died or withdrawn
their Eudora products.

Mike Amling

2005-08-15, 5:03 pm

smirks wrote:
> Hi everyone,
>
> I am using JavaMail-Crypto together with BouncyCastle's S/MIME
> implementation to send signed email messages from within a Java
> application.
>
> I use the following code to send a signed message:
>
> // Get session
> Properties props = System.getProperties();
> props.setProperty("mail.smtp.host", "myhost");
> Session session = Session.getInstance(props, null);
>
> // Create message
> MimeMessage message = new MimeMessage(session);
> message.setFrom(new InternetAddress(from));
> String[] recipients = to.split(",");
> for (String recipient : recipients)
> {
> message.addRecipient(Message.RecipientType.TO, new
> InternetAddress(recipient));
> }
> message.setSubject(subject);
>
> // Add message body
> message.setText(body);
>
> // Digitally sign email
> EncryptionUtils smimeUtils =
> EncryptionManager.getEncryptionUtils(EncryptionManager.SMIME);
> EncryptionKeyManager smimeKeyMgr = smimeUtils.createKeyManager();
> char[] smimePw = new String("my_password").toCharArray();
> smimeKeyMgr.loadPrivateKeystore(new FileInputStream(new
> File("mycert.pfx")), smimePw);
> Key smimeKey = smimeKeyMgr.getPrivateKey("mykey", smimePw);
> EncryptionUtils eu =
> EncryptionManager.getEncryptionUtils(EncryptionManager.SMIME);
> message = eu.signMessage(session, message, smimeKey);
>
> // Send email
> Transport.send(message);
>
> I exported the PFX file from Internet Explorer and it includes my
> private key.
>
> The above code seems to work. When I send a mail to myself and check my
> mail from within Outlook on the machine where my Thawte digital ID
> certificate is installed, Outlook recognises the signed message
> correctly and states that the digital Id is valid.
>
> On the other hand, when I send my signed message to any other user that
> does not have my public key certificate installed, Outlook recognises
> the mail as signed but states that it cannot validate the signature.
> The exact error I get is:
>
> Error:
> The system cannot validate the certificate used to create this
> signature because the issuer's certificate is either unavailable or
> invalid.
> The system cannot determine whether the certificate used to create this
> signature is trusted or not.
> Signed by myaddress@mycompany.com using RSA/SHA1 at 13:43:39
> 04/08/2005.


If the receiver doesn't have (either received with the message or
known beforehand) the entire certificate chain, or if the receiver does
not have the Certificate Authority's certificate in its list of trusted
Certificate Authority certificates, then the receiver should not regard
the message's signature as verified. Of course, there may be
implementations that deviate from good practice.

> The strange thing is that if I send a digitally signed email from
> within Outlook (rather than from my code) to another person who does
> NOT have my public key certificate installed, it works fine!


Do both receivers trust the entire chain of certificates?

> I noticed that Outlook also sends the required public key certificate
> with each email but I couldn't find a way of doing that from within my
> code.


You could look at the data sent by the implementation that works.
E.g., use it with a cooperative e-mail server or through a logging proxy.

> I tried to make the email a multipart message and to attach a
> public key certificate (.p7b) exported from the system as a body part
> within the message, but couldn't quite get it to work.


Is that technique from the S/MIME RFC?

--Mike Amling
Mike Amling

2005-08-15, 5:04 pm

Roedy Green wrote:
> On 11 Aug 2005 09:03:10 -0700, "smirks" <clyde.ellul@gmail.com> wrote
> or quoted :
>
> does not S/MIME optionally send the public key with each message?
> Perhaps that is the problem.


S/MIME won't send just the public key (which could be altered in
transit). It can send the certificate of the sender, and optionally the
entire certificate chain up through the Certificate Authority's
self-signed certificate. That Certificate Authority may or may not be
trusted by the receiver.

--Mike Amling
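The point made in the replies above, that the sender's certificate (and ideally the whole chain up to the CA) travels inside the S/MIME signature itself rather than as a separately attached .p7b, shown in working code. This is an added example and not code from the original post, from JavaMail-Crypto or from the BouncyCastle project: it bypasses the JavaMail-Crypto wrapper and calls BouncyCastle's S/MIME API directly, because that is where the certificates are added to the SignedData structure. The file name, alias and password are the ones from the question; the recipient address, the class name and the helper method names are assumptions made for the example. The thread's message was signed with RSA/SHA1; the example uses SHA-256, since SHA-1 is no longer acceptable for new signatures.

```java
// Added example, not code from the original post or from the JavaMail-Crypto
// project: sign with BouncyCastle's S/MIME API directly and put the signer's
// certificate chain into the SignedData so a recipient who has never seen the
// sender can still build a path to the CA. Assumes bcprov/bcmail/bcpkix and
// JavaMail on the classpath; file, alias and password names come from the thread.
import java.io.*;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.mail.*;
import javax.mail.internet.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.SMIMESigned;
import org.bouncycastle.mail.smime.SMIMESignedGenerator;
import org.bouncycastle.util.Store;

public class SmimeSignWithChain {

    /** Private key plus every certificate the PKCS#12 export stored with it. */
    static KeyStore.PrivateKeyEntry loadEntry(String pfx, String alias, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfx)) {
            ks.load(in, pw);
        }
        KeyStore.PrivateKeyEntry e = (KeyStore.PrivateKeyEntry)
                ks.getEntry(alias, new KeyStore.PasswordProtection(pw));
        if (e == null) throw new IllegalStateException("no private key under alias " + alias);
        return e;
    }

    /** Build a multipart/signed message carrying the whole chain in SignedData.certificates. */
    static MimeMessage sign(Session session, String from, String to, String subject,
                            String text, KeyStore.PrivateKeyEntry e) throws Exception {
        Certificate[] chain = e.getCertificateChain();
        // Length 1 means the PFX was exported without its issuer(s): the message would
        // verify on the sender's own machine (issuer already installed there) but fail
        // path building anywhere else, which is the symptom described in the thread.
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("chain has " + (chain == null ? 0 : chain.length)
                    + " certificate(s); re-export the PFX with the issuer certificates included");
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : chain) certs.add((X509Certificate) c);

        SMIMESignedGenerator gen = new SMIMESignedGenerator();
        gen.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC")
                .build("SHA256withRSA", e.getPrivateKey(), certs.get(0)));
        gen.addCertificates(new JcaCertStore(certs));   // the step the thread's snippet lacks

        MimeBodyPart content = new MimeBodyPart();
        content.setText(text);
        MimeMultipart signed = gen.generate(content);

        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress(from));
        msg.setRecipients(Message.RecipientType.TO, InternetAddress.parse(to));
        msg.setSubject(subject);
        msg.setContent(signed, signed.getContentType());
        msg.saveChanges();
        return msg;
    }

    /** Recipient-side check: verify using only the certificate found inside the message,
        and report how many certificates travelled with it. */
    static int verifyAndCountCerts(MimeMessage msg) throws Exception {
        SMIMESigned signed = new SMIMESigned((MimeMultipart) msg.getContent());
        Store<X509CertificateHolder> carried = signed.getCertificates();
        for (SignerInformation signer : signed.getSignerInfos().getSigners()) {
            Iterator<X509CertificateHolder> it = carried.getMatches(signer.getSID()).iterator();
            if (!it.hasNext()) throw new SecurityException("signer certificate not in message");
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(it.next()))) {
                throw new SecurityException("signature does not verify");
            }
        }
        return carried.getMatches(null).size();   // null selector = everything in the store
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        Properties props = new Properties();
        props.setProperty("mail.smtp.host", "myhost");
        Session session = Session.getInstance(props);

        KeyStore.PrivateKeyEntry e = loadEntry("mycert.pfx", "mykey", "my_password".toCharArray());
        MimeMessage msg = sign(session, "myaddress@mycompany.com", "someone@example.org",
                "signed test", "hello", e);   // recipient address is made up for the example

        // Round-trip through bytes so the check sees exactly what would go on the wire.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        msg.writeTo(out);
        MimeMessage received = new MimeMessage(session, new ByteArrayInputStream(out.toByteArray()));
        System.out.println("certificates carried in message: " + verifyAndCountCerts(received));
        // Transport.send(msg);  // deliver once the count above matches the chain length
    }
}
```

The count returned by verifyAndCountCerts is the check to run before blaming the recipient's machine: it should equal the length of the chain in the PFX (at least two, the end-entity certificate plus its issuer). Embedding the chain is what lets a recipient build a path; it does not make the message trusted, which still depends on the recipient having the CA (Thawte, here) in its trusted list, as Mike Amling notes. To compare against what Outlook sends, save one of the working Outlook messages as raw text and run `openssl smime -pk7out -in message.eml | openssl pkcs7 -print_certs -noout`, which lists the subject and issuer of every certificate carried in the signature.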

Copyright 2008 codecomments.com