Normally I use PGP/GnuPG to send signed/encrypted e-mail, but today I wanted to send someone 'from the other camp' an encrypted e-mail. He uses S/MIME, which means every mail he sends me has his public certificate included. So I configured mutt to understand S/MIME with the following in .muttrc:

    set smime_certificates="/home/koos/.mutt-smime/certs"
    set smime_keys="/home/koos/.mutt-smime/keys"
    set smime_ca_location="/etc/ssl/certs/ca-certificates.crt"

The last line means I use the system-wide ca-certificates bundle as the trust base.
The rest of the config I copied from this sample of smime.rc for Mutt.

First I want the certificate from one of the previous mails. To be sure, I did this by hand. I copied a previous message to the file 'importkey'. These commands are from Signing and Encrypting S/MIME Messages with mutt. First extract the PKCS#7 object:

    $ openssl smime -verify -in importkey -noverify -pk7out > henk.pk7

And dump the certificates in that file:

    $ openssl pkcs7 -print_certs -in henk.pk7 > henk.pem

Now I have extracted the certificate, but it isn't seen as valid:

    $ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt henk.pem
    henk.pem: /O=Persona Not Validated/CN=StartCom Free Certificate Member/emailAddress=henk@...
    error 20 at 0 depth lookup:unable to get local issuer certificate

I looked at the StartCom web pages, but all the explanation there is for the https certificates. But I found the StartSSL root certificate and the StartSSL intermediate certificate. I added these to the Ubuntu certificate repository, and now:

    $ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt henk.pem
    henk.pem: OK

I initialized the S/MIME store:

    $ smime_keys init

And tried to add the key:

    $ smime_keys add_cert henk.pem
    You may assign a label to this key, so you don't have to remember the key ID.
    This has to be _one_ word (no whitespaces).
    Enter label: henk
    certificate 74ab03d9.0 (henk) for henk@... added.
    ==> about to verify certificate of henk@...
    error opening the file, /home/koos/.mutt-smime/certs/74ab03d9.0
    Error loading untrusted file /home/koos/.mutt-smime/certs/74ab03d9.0
    675:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/home/koos/.mutt-smime/certs/74ab03d9.0','r')
    675:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
    usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
    recognized usages:
            sslclient       SSL client
            sslserver       SSL server
            nssslserver     Netscape SSL server
            smimesign       S/MIME signing
            smimeencrypt    S/MIME encryption
            crlsign         CRL signing
            any             Any Purpose
            ocsphelper      OCSP helper
    '/usr/bin/openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -purpose smimesign -purpose smimeencrypt -untrusted ~/.mutt-smime/certs/74ab03d9.0 ~/.mutt-smime/certs/74ab03d9.0' returned 256 at /usr/bin/smime_keys line 838, line 1.

It seems smime_keys does something REALLY stupid:

    $ ls -l /home/koos/.mutt-smime
    ls: cannot access /home/koos/.mutt-smime: No such file or directory
    $ ls -l /home/koos/~/.mutt-smime
    total 8
    drwx------ 2 koos users 4096 2011-04-29 10:19 certs
    drwx------ 2 koos users 4096 2011-04-29 10:18 keys

Somewhere ~ is used without shell expansion, so the store ends up in a directory literally named ~ under my home directory. The icky workaround:

    $ ln -s ./~/.mutt-smime .mutt-smime

Now I can redo the whole trick knowing this:

    $ smime_keys add_cert henk.pem
    You may assign a label to this key, so you don't have to remember the key ID.
    This has to be _one_ word (no whitespaces).
    Enter label: henk
    certificate 74ab03d9.0 (henk) for henk@... added.
    ==> about to verify certificate of henk@...
    /home/koos/.mutt-smime/certs/74ab03d9.0: OK

And now I can send an e-mail!
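To make the steps above reproducible without a StartCom certificate, here is an added shell script (my example, not the post's own commands and not mutt's smime_keys script). It builds a throwaway CA and an e-mail certificate, signs a message with it, extracts the certificate with the same two openssl commands the post uses, verifies it with `-purpose smimesign` against the issuing CA and then against an unrelated CA (which reproduces the "unable to get local issuer certificate" failure seen before the StartSSL roots were installed), derives the hashed file name under which the store files a certificate (the 8 hex digits in 74ab03d9.0 are OpenSSL's subject hash, .0 being the collision counter), and checks the store directory through a properly expanded path instead of a literal "~". It assumes the openssl command-line tool is installed; every name, address and path in it is constructed for the demo, and SMIME_STORE and SMIME_DEMO_NO_MAIN are variables of this script only.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the extract-and-verify steps
# against a constructed throwaway PKI so they can be run and checked offline.
# Assumes the openssl CLI is installed; all names and paths are made up.
set -eu

# Expand a leading "~/" the way the shell would. A program that receives the literal
# string "~/.mutt-smime" (for example from a config file) must do this itself;
# handing it to fopen() unexpanded creates or looks up a directory named "~".
expand_tilde() {
    case $1 in
        "~")   printf '%s\n' "${HOME:-}" ;;
        "~/"*) printf '%s\n' "${HOME:-}/${1#"~/"}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Build a constructed PKI in directory $1: a root CA, an e-mail certificate it
# issued, and a second unrelated CA used to show what a missing issuer looks like.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/O=Demo CA/CN=Demo Root" -days 2 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other-ca.pem" \
        -subj "/O=Unrelated CA/CN=Unrelated Root" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/henk.key" -out "$d/henk.csr" \
        -subj "/CN=Henk Demo/emailAddress=henk@example.invalid" 2>/dev/null
    # Extensions an S/MIME certificate needs for "-purpose smimesign" to pass.
    printf '%s\n' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=emailProtection' \
        'subjectAltName=email:henk@example.invalid' > "$d/leaf.ext"
    openssl x509 -req -in "$d/henk.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/henk.crt" -days 1 -extfile "$d/leaf.ext" 2>/dev/null
}

# Produce a signed S/MIME message, like the one the post pulled the certificate from.
make_signed_mail() {
    d=$1
    printf 'Hello from the other camp.\n' > "$d/body.txt"
    openssl smime -sign -in "$d/body.txt" -signer "$d/henk.crt" -inkey "$d/henk.key" \
        -out "$d/importkey" 2>/dev/null
}

# The two commands from the post: extract the PKCS#7 object from the signed
# message $1, then dump the certificates it carries as PEM into $2.
extract_signer_cert() {
    openssl smime -verify -in "$1" -noverify -pk7out 2>/dev/null > "$2.pk7"
    openssl pkcs7 -print_certs -in "$2.pk7" > "$2"
}

# Verify certificate $2 against CA bundle $1 for S/MIME signing; print OK or FAIL.
# A missing issuer shows up on stderr as "unable to get local issuer certificate".
verify_smime_cert() {
    out=$(openssl verify -CAfile "$1" -purpose smimesign "$2" 2>&1) || true
    case $out in
        *": OK") echo OK ;;
        *)       echo FAIL ;;
    esac
}

# File name the certificate store uses: OpenSSL's subject hash plus ".0".
store_file_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

run_demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    make_signed_mail "$work"
    extract_signer_cert "$work/importkey" "$work/henk.pem"
    echo "against issuing CA:   $(verify_smime_cert "$work/ca.pem" "$work/henk.pem")"
    echo "against unrelated CA: $(verify_smime_cert "$work/other-ca.pem" "$work/henk.pem")"
    echo "store file name:      $(store_file_name "$work/henk.pem")"
    # Check the store directory via the expanded path, never the literal "~" string.
    store=$(expand_tilde "${SMIME_STORE:-~/.mutt-smime}")/certs
    [ -d "$store" ] && echo "certificate store: $store" || echo "certificate store missing: $store"
    rm -rf "$work"
}

if [ -z "${SMIME_DEMO_NO_MAIN:-}" ]; then run_demo; fi
```

Run it as-is to see both verification outcomes side by side; set SMIME_STORE to your real store path (the post's /home/koos/.mutt-smime) to check that directory instead of the default.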
Update 2011-05-01: OK, the other side is (no surprise there) Henk van de Kamer, who wrote about his experience receiving my S/MIME encrypted but not signed e-mail, in Dutch. He did install GPG / the Enigmail plugin in the past, but I just couldn't find his PGP key.
As I joked: just documenting all this and writing it down gives enough material for one or two 'Het Lab' articles.