Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
How to decrypt an SMIME PKCS7 mail using a PKI key card

Make sure the openssl pkcs11 engine provided by OpenSC/libp11 can talk to your PKI card:

  $ openssl engine pkcs11 -t -c -pre MODULE_PATH:/path/to/your/opensc-pkcs11-plugin-module.so
  (pkcs11) pkcs11 engine
  [Success]: MODULE_PATH:/path/to/your/OpenSC-pkcs11-plugin-module.so
  [RSA]
  [ available ]

Now create an openssl config file to pass the MODULE_PATH parameter to the pkcs11 engine like this:

cat > pkcs11_engine.conf <<EOF
    openssl_conf = openssl_init

    [openssl_init]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib64/engines/libpkcs11.so
    MODULE_PATH = /path/to/your/opensc-pkcs11-plugin-module.so
    init = 0
EOF

OPENSSL_CONF=pkcs11_engine.conf openssl engine -t -c pkcs11

than check the keys present on your card with either:

pkcs15-tool --list-keys

or:

pkcs11-tool -O

and then use the key id to decrypting the smime pkcs7 file like this:

export OPENSSL_CONF=pkcs11_engine.conf 
openssl smime -decrypt -inform der -in email.p7m -engine pkcs11 -keyform engine -inkey the-key-id
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.