OWA S/MIME Decryption with Ubuntu & Firefox
NOTE: This is still being refined.
I'm not sure if I had any pre-existing packages that were necessary or if all of the ones I list are necessary.
If you have any feedback, please let me know.
sudo apt install opensc opensc-pkcs11 libssl-dev
This currently works with libp11 0.4.9. From the extracted libp11 source directory, build and install it:
./configure && make && sudo make install
pkcs11 openssl configuration
sudo sed -i '1s/^/openssl_conf = openssl_init\n/' /etc/ssl/openssl.cnf
sudo tee -a /etc/ssl/openssl.cnf <<'EOF'
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
default_algorithms = ALL
init = 0
EOF
NOTE: The dynamic_path and MODULE_PATH values above may vary by distribution. If you're having issues, check whether those .so files are located elsewhere.
openssl engine pkcs11 -t -c
You should see:
(pkcs11) pkcs11 engine [RSA, rsaEncryption, id-ecPublicKey] [ available ]
Find your Key Management ID
pkcs11-tool --list-objects --type cert 2>&1 | grep -A 1 "Certificate for Key Management" | grep "ID:" | tr -s "[:blank:]" | cut -d' ' -f 3
Ultimately, you're just running pkcs11-tool --list-objects --type cert and finding the ID of your Key Management Certificate.
Download the message from OWA
Drag the encrypted message into a new email draft.
This will cause it to be added as an attachment with an option to download it.
Save it anywhere you want. Keep OWA open!
openssl cms -decrypt -inkey id_<cert_id> -keyform engine -engine pkcs11 -in <email_path> -out <output_path>
Fill in the above command with the following:
cert_id: The ID of the Key Management Cert you found above. For example, if yours is 03, you would use
email_path: Path to the encrypted email you downloaded. It's probably named 'eml' unless you renamed it.
output_path: Path to write the decrypted message. It must end with .eml. Example: decrypted.eml
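The ID lookup and decrypt steps above, wrapped in a small script as an added example (not part of the original guide). key_mgmt_id parses pkcs11-tool output and decrypt_smime runs the openssl cms command; the SAMPLE_LISTING text is constructed, not real card output, and the "--run" mode assumes a card reader and the pkcs11 engine configured as above.

```shell
#!/bin/sh
# Added example: automate the "find Key Management ID" and "decrypt" steps.
set -eu

# Extract the Key Management certificate ID from the output of
# `pkcs11-tool --list-objects --type cert` read on stdin. It scans the whole
# object block after the label, so it works whether "ID:" directly follows
# the label line or comes after "subject:" (pkcs11-tool versions differ).
key_mgmt_id() {
    awk '
        /^Certificate Object/ { in_km = 0 }
        /label:.*Certificate for Key Management/ { in_km = 1 }
        in_km && /^[[:space:]]*ID:/ { print $2; exit }
    '
}

# Decrypt a downloaded OWA S/MIME message with the on-card key via the pkcs11
# engine. Usage: decrypt_smime <cert_id> <email_path> <output_path>
decrypt_smime() {
    cert_id=$1; email_path=$2; output_path=$3
    case $output_path in
        *.eml) ;;
        *) echo "output path must end with .eml so OWA can open it" >&2; return 1 ;;
    esac
    # Fail early with a clear message if the engine is not configured.
    openssl engine pkcs11 -t >/dev/null 2>&1 \
        || { echo "pkcs11 engine unavailable; check /etc/ssl/openssl.cnf" >&2; return 1; }
    openssl cms -decrypt -inkey "id_${cert_id}" -keyform engine -engine pkcs11 \
        -in "$email_path" -out "$output_path"
}

# Constructed sample listing (hypothetical subjects, not a real card) used
# to exercise key_mgmt_id without hardware.
SAMPLE_LISTING='Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: CN=EXAMPLE USER
  ID:         01
Certificate Object; type = X.509 cert
  label:      Certificate for Key Management
  subject:    DN: CN=EXAMPLE USER
  ID:         03'

# Real run against the card: ./script.sh --run <email_path> <output_path>
if [ "${1:-}" = "--run" ]; then
    id=$(pkcs11-tool --list-objects --type cert 2>&1 | key_mgmt_id)
    decrypt_smime "$id" "$2" "$3"
fi
```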
Open up another new message and drag in your newly-decrypted message.
You can't view it outside of OWA because it is still signed and needs the sender's public key, which is provided by OWA.