Normally I use PGP/GnuPG to send signed/ ... / 2011-04-29

Normally I use PGP/GnuPG to send signed/encrypted e-mail, but today I wanted to send someone 'from the other camp' an encrypted e-mail. He uses S/MIME, which means every mail he sends me has his public certificate included. So I configured mutt to understand S/MIME with the following in .muttrc:
set smime_certificates="/home/koos/.mutt-smime/certs"
set smime_keys="/home/koos/.mutt-smime/keys"
set smime_ca_location="/etc/ssl/certs/ca-certificates.crt"
The last line means I use the system-wide ca-certificates bundle as the trust base.

The rest of the config I copied from this sample of smime.rc for Mutt.

First I want the certificate from one of the previous mails. To be sure I did this by hand. I copied a previous message to the file 'importkey'. These commands are from Signing and Encrypting S/MIME Messages with mutt. First extract the PKCS#7 object:
$ openssl smime -verify -in importkey -noverify -pk7out > henk.pk7
And dump the certificates in that file:
$ openssl pkcs7 -print_certs -in henk.pk7 > henk.pem
Now I have extracted the certificate, but it isn't seen as valid:
$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt henk.pem
henk.pem: /O=Persona Not Validated/CN=StartCom Free Certificate Member/emailAddress=henk@...
error 20 at 0 depth lookup:unable to get local issuer certificate
I looked at the StartCom web pages but all the explanation is for the HTTPS certificates. But I found the StartSSL root certificate and the StartSSL intermediate certificate. I added these to the Ubuntu certificate repository, and now:
$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt henk.pem 
henk.pem: OK
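The extract-and-verify steps above, as an added example that is not from the original post: it builds a throwaway CA and an S/MIME signing certificate, signs a constructed message, pulls the certificate back out with the same two openssl commands, and verifies it first against an unrelated CA (the "unable to get local issuer certificate" case) and then against the issuing CA. "Example Test CA", "Unrelated CA" and henk@example.invalid are made-up names; the -purpose flags are the ones smime_keys passes later in the post.

```shell
#!/bin/sh
# Added example (not from the post): build a throwaway CA and an S/MIME signing
# certificate, sign a constructed message, then run the post's extract-and-verify
# steps against it. "Example Test CA" and henk@example.invalid are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed PKI: the issuing CA, an unrelated CA, and an end-entity cert for the signer.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout other.key -out other-ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout henk.key -out henk.csr \
        -subj "/CN=Henk Example/emailAddress=henk@example.invalid" 2>/dev/null
    # Without the emailProtection EKU, "openssl verify -purpose smimesign" rejects the cert.
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' > ext.cnf
    openssl x509 -req -in henk.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
        -extfile ext.cnf -out henk.crt 2>/dev/null
}

# A signed S/MIME message carries the signer's certificate, like the mails in the post.
sign_message() {
    printf 'Subject: test\n\nhello\n' |
        openssl smime -sign -signer henk.crt -inkey henk.key -out signed.eml
}

# The post's two extraction steps: PKCS#7 out of the message, certificates out of the PKCS#7.
extract_cert() {    # $1 = S/MIME message, $2 = output PEM file
    openssl smime -verify -in "$1" -noverify -pk7out > "$1.pk7"
    openssl pkcs7 -print_certs -in "$1.pk7" > "$2"
}

# Chain check with the S/MIME purposes smime_keys passes; prints "<file>: OK" on success
# and "unable to get local issuer certificate" when the issuing CA is not in the bundle.
verify_cert() {     # $1 = PEM certificate, $2 = CA bundle
    openssl verify -CAfile "$2" -purpose smimesign -purpose smimeencrypt "$1" 2>&1
}

make_test_pki
sign_message
extract_cert signed.eml henk.pem
verify_cert henk.pem other-ca.pem || true   # fails: wrong trust base, as in the post's first attempt
verify_cert henk.pem ca.pem                  # henk.pem: OK
```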
I initialized the S/MIME store:
$ smime_keys init
And try to add the key:
$ smime_keys add_cert henk.pem

You may assign a label to this key, so you don't have to remember
the key ID. This has to be _one_ word (no whitespaces).

Enter label: henk

certificate 74ab03d9.0 (henk) for henk@... added.

==> about to verify certificate of henk@...
error opening the file, /home/koos/.mutt-smime/certs/74ab03d9.0
Error loading untrusted file /home/koos/.mutt-smime/certs/74ab03d9.0
675:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/home/koos/.mutt-smime/certs/74ab03d9.0','r')
675:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
'/usr/bin/openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -purpose smimesign -purpose smimeencrypt -untrusted ~/.mutt-smime/certs/74ab03d9.0 ~/.mutt-smime/certs/74ab03d9.0' returned 256 at /usr/bin/smime_keys line 838,  line 1.
It seems smime_keys does something REALLY stupid:
$ ls -l /home/koos/.mutt-smime
ls: cannot access /home/koos/.mutt-smime: No such file or directory
$ ls -l /home/koos/~/.mutt-smime
total 8
drwx------ 2 koos users 4096 2011-04-29 10:19 certs
drwx------ 2 koos users 4096 2011-04-29 10:18 keys
Somewhere ~ is used without shell expansion. The icky workaround:
$ ln -s ./~/.mutt-smime .mutt-smime
Now I can redo the whole trick knowing this:
$ smime_keys add_cert henk.pem 

You may assign a label to this key, so you don't have to remember
the key ID. This has to be _one_ word (no whitespaces).

Enter label: henk

certificate 74ab03d9.0 (henk) for henk@... added.

==> about to verify certificate of henk@...

/home/koos/.mutt-smime/certs/74ab03d9.0: OK
And now I can send an e-mail!
Update 2011-05-01: OK, the other side is (no surprise there) Henk van de Kamer who wrote about his experience receiving my S/MIME encrypted but not signed e-mail, in Dutch. He did install GPG / the enigmail plugin in the past but I just couldn't find his PGP key.

As I joked: just documenting all this and writing it down gives enough material for one or two 'Het Lab' articles.
