Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
OWA S/MIME Decryption with Linux & Firefox

OWA S/MIME Decryption with Ubuntu & Firefox

NOTE: This is still being refined.
I'm not sure if I had any pre-existing packages that were necessary or if all of the ones I list are necessary.
If you have any feedback, please let me know.
Thank you!

Prerequisites

Distro Packages

sudo apt install opensc opensc-pkcs11 libssl-dev

libp11

This currently works using libp11-0.4.9

https://github.com/OpenSC/libp11/releases

Install Instructions: https://github.com/OpenSC/libp11/blob/master/INSTALL.md TL;DR: ./configure && make && sudo make install

pkcs11 openssl configuration

https://github.com/OpenSC/libp11#using-the-engine-from-the-command-line TL;DR: sudo sed -ie '1s/^/openssl_conf = openssl_init\n/' /etc/ssl/openssl.cnf

echo "[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
default_algorithms = ALL
init = 0" | sudo tee -a /etc/ssl/openssl.cnf

NOTE: The above dynamic_path and MODULE_PATH may vary. If you're having issues, check that these aren't located elsewhere.

verify configuration

openssl engine pkcs11 -t -c

You should see:

(pkcs11) pkcs11 engine
 [RSA, rsaEncryption, id-ecPublicKey]
     [ available ]

Usage

Find your Key Management ID Quick: pkcs11-tool --list-objects --type cert 2>&1 | grep -A 1 "Certificate for Key Management" | grep "ID:" | tr -s "[:blank:]" | cut -d' ' -f 3 Ultimately, you're just using pkcs11-tool --list-objects --type cert and finding the ID of your Key Management Certificate.

Download the message from OWA Drag the encrypted message into new email draft.
This will cause it to be added as an attachment with an option to download it.
Save it anywhere you want. Keep OWA open!

Decrypt it openssl cms -decrypt -inkey id_<cert_id> -keyform engine -engine pkcs11 -in <email_path> -out <output_path> Fill in the above command with the following: cert_id: The ID of the Key Management Cert you found above. For example, if yours is 03, you would use id_03.
email_path: Path to the encrypted email you downloaded. It's probably named 'eml' unless you renamed it.
output_path: Path to write the decrypted message. It must end with .eml. Example: decrypted.eml

View it Open up another new message and drag in your newly-decrypted message.
You can't view it outside of OWA because it is still signed and needs the sender's public key which is provided by OWA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment