Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
How to decrypt an SMIME PKCS7 mail using a PKI key card

Make sure the openssl pkcs11 engine provided by OpenSC/libp11 can talk to your PKI card:

  $ openssl engine pkcs11 -t -c -pre MODULE_PATH:/path/to/your/
  (pkcs11) pkcs11 engine
  [Success]: MODULE_PATH:/path/to/your/
  [ available ]

Now create an openssl config file to pass the MODULE_PATH parameter to the pkcs11 engine like this:

cat > pkcs11_engine.conf <<EOF
    openssl_conf = openssl_init

    engines = engine_section

    pkcs11 = pkcs11_section

    engine_id = pkcs11
    dynamic_path = /usr/lib64/engines/
    MODULE_PATH = /path/to/your/
    init = 0

OPENSSL_CONF=pkcs11_engine.conf openssl engine -t -c pkcs11

than check the keys present on your card with either:

pkcs15-tool --list-keys


pkcs11-tool -O

and then use the key id to decrypting the smime pkcs7 file like this:

export OPENSSL_CONF=pkcs11_engine.conf 
openssl smime -decrypt -inform der -in email.p7m -engine pkcs11 -keyform engine -inkey the-key-id
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.