Normally I use PGP/GnuPG to send signed/ ... / 2011-04-29

Normally I use PGP/GnuPG to send signed/encrypted e-mail, but today I wanted to send someone 'from the other camp' an encrypted e-mail. He uses S/MIME, which means every mail he sends me has his public certificate included. So I configured mutt to understand s/mime with the following in .muttrc:
set smime_certificates="/home/koos/.mutt-smime/certs"
set smime_keys="/home/koos/.mutt-smime/keys"
set smime_ca_location="/etc/ssl/certs/ca-certificates.crt"
The last line means I use the system-wide ca-certificates bundle as the trust base.

The rest of the config I copied from this sample of smime.rc for Mutt.

First I want the certificate from one of the previous mails. To be sure I did this by hand. I copied a previous message to the file 'importkey'. These commands are from Signing and Encrypting S/MIME Messages with mutt. First extract the PKCS#7 object:
$ openssl smime -verify -in importkey -noverify -pk7out > henk.pk7
And dump the certificates in that file:
$ openssl pkcs7 -print_certs -in henk.pk7 > henk.pem
Now I have extracted the certificate, but it isn't seen as valid:
$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt henk.pem
henk.pem: /O=Persona Not Validated/CN=StartCom Free Certificate Member/emailAddress=henk@...
error 20 at 0 depth lookup:unable to get local issuer certificate
I looked at the StartCom web pages, but all the explanation is for the HTTPS certificates. I did find the StartSSL root certificate and the StartSSL intermediate certificate. I added these to the Ubuntu certificate repository, and now:
$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt henk.pem 
henk.pem: OK
I initialized the s/mime store:
$ smime_keys init
And try to add the key:
$ smime_keys add_cert henk.pem

You may assign a label to this key, so you don't have to remember
the key ID. This has to be _one_ word (no whitespaces).

Enter label: henk

certificate 74ab03d9.0 (henk) for henk@... added.

==> about to verify certificate of henk@...
error opening the file, /home/koos/.mutt-smime/certs/74ab03d9.0
Error loading untrusted file /home/koos/.mutt-smime/certs/74ab03d9.0
675:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/home/koos/.mutt-smime/certs/74ab03d9.0','r')
675:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
'/usr/bin/openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -purpose smimesign -purpose smimeencrypt -untrusted ~/.mutt-smime/certs/74ab03d9.0 ~/.mutt-smime/certs/74ab03d9.0' returned 256 at /usr/bin/smime_keys line 838,  line 1.
It seems smime_keys does something REALLY stupid:
$ ls -l /home/koos/.mutt-smime
ls: cannot access /home/koos/.mutt-smime: No such file or directory
$ ls -l /home/koos/~/.mutt-smime
total 8
drwx------ 2 koos users 4096 2011-04-29 10:19 certs
drwx------ 2 koos users 4096 2011-04-29 10:18 keys
Somewhere ~ is used without shell expansion. The icky workaround:
$ ln -s ./~/.mutt-smime .mutt-smime
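Why a literal ~ directory appeared, and what a script should do instead, as an added example (a shell script written for this page, not smime_keys itself): a leading ~ is expanded by the shell only when it appears unquoted on a command line; a value read from a configuration file and handed to mkdir or fopen is taken literally, so a directory called ~ ends up in the current directory. expand_tilde replaces a leading ~ with $HOME before the path is used; only the current user's ~ form is handled, which is all a .muttrc value needs. The directory name .mutt-smime/certs is the one from the post; a scratch directory stands in for the home directory.

```shell
#!/bin/sh
# Added example, not part of smime_keys or the post: tilde handling for a path taken
# from a configuration file. The scratch directory stands in for the home directory.
set -e

# expand_tilde PATH: replace a leading "~" or "~/" with $HOME, as the shell would
# have done on an unquoted command line. Other users' "~name" forms are left alone.
expand_tilde() {
  case $1 in
    '~')    printf '%s\n' "$HOME" ;;
    '~/'*)  printf '%s\n' "$HOME/${1#\~/}" ;;
    *)      printf '%s\n' "$1" ;;
  esac
}

# demo: create the post's directory once with the value used literally (what smime_keys
# did) and once after expansion, and report where each one ended up.
demo() {
  scratch=$(mktemp -d)
  value='~/.mutt-smime/certs'
  ( cd "$scratch" && mkdir -p "$value" )                      # literal: makes "./~/..."
  ( HOME=$scratch; mkdir -p "$(expand_tilde "$value")" )      # expanded: makes "$HOME/..."
  literal=no;  [ -d "$scratch/~/.mutt-smime/certs" ] && literal=yes
  expanded=no; [ -d "$scratch/.mutt-smime/certs" ] && expanded=yes
  rm -rf "$scratch"
  echo "literal-tilde-dir=$literal expanded-dir=$expanded"
}

demo
```

The literal form is the one that produced the /home/koos/~/.mutt-smime tree in the post; a program that accepts ~ in its configuration has to expand it itself, because nothing below the shell will.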
Now I can redo the whole trick knowing this:
$ smime_keys add_cert henk.pem 

You may assign a label to this key, so you don't have to remember
the key ID. This has to be _one_ word (no whitespaces).

Enter label: henk

certificate 74ab03d9.0 (henk) for henk@... added.

==> about to verify certificate of henk@...

/home/koos/.mutt-smime/certs/74ab03d9.0: OK
And now I can send an e-mail!
Update 2011-05-01: OK, the other side is (no surprise there) Henk van de Kamer, who wrote about his experience receiving my S/MIME encrypted but not signed e-mail, in Dutch. He did install GPG / the Enigmail plugin in the past, but I just couldn't find his PGP key.

As I joked: just documenting all this and writing it down gives enough material for one or two 'Het Lab' articles.

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 (0x5BA9368BE6F334E4).