Skip to content

Instantly share code, notes, and snippets.

@cetaSYN

cetaSYN/linux_smime.md

Last active April 4, 2024 18:07
Show Gist options
  • Save cetaSYN/8b4ad3be53cbbeb3d18b597aff61882c to your computer and use it in GitHub Desktop.
Save cetaSYN/8b4ad3be53cbbeb3d18b597aff61882c to your computer and use it in GitHub Desktop.
Download ZIP
OWA S/MIME Decryption with Linux & Firefox
Raw
linux_smime.md

OWA S/MIME Decryption with Ubuntu & Firefox

NOTE: This is still being refined.
I'm not sure if I had any pre-existing packages that were necessary or if all of the ones I list are necessary.
If you have any feedback, please let me know.
Thank you!

Prerequisites

Distro Packages

sudo apt install opensc opensc-pkcs11 libssl-dev

libp11

This currently works using libp11-0.4.9

https://github.com/OpenSC/libp11/releases

Install Instructions: https://github.com/OpenSC/libp11/blob/master/INSTALL.md TL;DR: ./configure && make && sudo make install

pkcs11 openssl configuration

https://github.com/OpenSC/libp11#using-the-engine-from-the-command-line TL;DR: sudo sed -ie '1s/^/openssl_conf = openssl_init\n/' /etc/ssl/openssl.cnf

echo "[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
default_algorithms = ALL
init = 0" | sudo tee -a /etc/ssl/openssl.cnf

NOTE: The above dynamic_path and MODULE_PATH may vary. If you're having issues, check that these aren't located elsewhere.

verify configuration

openssl engine pkcs11 -t -c

You should see:

(pkcs11) pkcs11 engine
 [RSA, rsaEncryption, id-ecPublicKey]
     [ available ]

Usage

Find your Key Management ID Quick: pkcs11-tool --list-objects --type cert 2>&1 | grep -A 1 "Certificate for Key Management" | grep "ID:" | tr -s "[:blank:]" | cut -d' ' -f 3 Ultimately, you're just using pkcs11-tool --list-objects --type cert and finding the ID of your Key Management Certificate.

Download the message from OWA Drag the encrypted message into new email draft.
This will cause it to be added as an attachment with an option to download it.
Save it anywhere you want. Keep OWA open!

Decrypt it openssl cms -decrypt -inkey id_<cert_id> -keyform engine -engine pkcs11 -in <email_path> -out <output_path> Fill in the above command with the following: cert_id: The ID of the Key Management Cert you found above. For example, if yours is 03, you would use id_03.
email_path: Path to the encrypted email you downloaded. It's probably named 'eml' unless you renamed it.
output_path: Path to write the decrypted message. It must end with .eml. Example: decrypted.eml

View it Open up another new message and drag in your newly-decrypted message.
You can't view it outside of OWA because it is still signed and needs the sender's public key which is provided by OWA.

@dirtyb15
Copy link

I am having trouble decrypting, getting this error
Error decrypting CMS using private key
139972677080384:error:2E08306B:CMS routines:cms_get0_enveloped:content type not enveloped data:../crypto/cms/cms_env.c:26:
139972677080384:error:2E072084:CMS routines:CMS_decrypt_set1_pkey:no matching recipient:../crypto/cms/cms_smime.c:667:
any ideas?

@schorschii
Copy link

You might want to try out OWA-SMIME4Linux. I would appreciate feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment