Hi everyone,
Having some trouble with openssl smime...
Goal: To use openssl to create smime messages so that I can send encrypted email to people from the command line with the aid of sendmail or something similar.
Problem: I'm getting errors using openssl smime and I don't know why. Below is a description of what I have done.
The Details
=============
Get certificates in appropriate format; convert .p7b file to .pem file using openssl
--------------------------------------------------------------------------------------------------------------------
I have certificates for people in Outlook Express. Using that tool I can send them encrypted emails. I exported their certificates into the .p7b format (pkcs7). To use openssl it seems PEM is the preferred format so I converted the certs from .p7b to .pem via the following command:
$ openssl pkcs7 -in LiamWalker.p7b -inform DER -out LiamWalker.pem -outform PEM
This generated the appropriate output files so I assume they are ok. openssl pkcs7 with -print_certs was able to read these files.
Attempted to produce an email message in SMIME format:
-----------------------------------------------------------------------------------
I then was experimenting with the openssl smime command to try and generate a properly formatted file to myself from myself. Later I would use sendmail or something to actually deliver the message. I used the following command:
$ openssl smime -encrypt -des3 -nointern -nosigs -noverify -recip LiamWalker.pem -in msg.txt -out msg.enc -to "lwa...@2keys.ca" -from "lwa...@2keys.ca" -subject "Test using openssl" LiamWalker.pem
The output for this command was as follows:
Loading 'screen' into random state - done
unable to load certificate
360:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
Can't read recipient certificate file ./LiamWalker.pem
The -to email address matches the email address in the certificate specified by -recip and the -from email address matches the email address in the last option (LiamWalker.pem).
Can anyone give me a hint as to what is going on here?
Thanks,
.maiL
P.S. I assume that you use multiple -to and -recip options to have the message encrypted to multiple people?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
This command is converting a PKCS#7 structure from DER to PEM format...
> This generated the appropriate output files so I assume they are ok.
> openssl pkcs7 with -print_certs was able to read these files.
>
If you include -print_certs it will output certificates in PEM format...
>
> Attempted to produce an email message in SMIME format:
> -----------------------------------------------------------------------------------
>
> I then was experimenting with the openssl smime command to try
> and generate a properly formatted file to myself from myself. Later I
> would use sendmail or something to actually deliver the message. I
> used the following command:
>
> $ openssl smime -encrypt -des3 -nointern -nosigs -noverify -recip
> LiamWalker.pem -in msg.txt -out msg.enc -to "lwa...@2keys.ca" -from
> "lwa...@2keys.ca" -subject "Test using openssl" LiamWalker.pem
>
The smime command is expecting certificates in PEM format not PKCS#7
structures.
You've also got a load of options which aren't used by the -encrypt
option. In particular -nointern -nosigs -noverify -recip.
>
> The output for this command was as follows:
>
> Loading 'screen' into random state - done
> unable to load certificate
> 360:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:.\crypto\pem\pem_lib.
> c:662:Expecting: TRUSTED CERTIFICATE
> Can't read recipient certificate file ./LiamWalker.pem
>
>
> The -to email address matches the email address in the certificate
> specified by -recip and the -from email address matches the email
> address in the last option (LiamWalker.pem).
>
> Can anyone give me a hint as to what is going on here?
>
Include the -print_certs option when you convert the .p7b file
containing the certificates. If you get more than one certificate you'll
have to sort out which is the actual user certificate, though it's
normally the first.
>
> Thanks,
> .maiL
>
> P.S. I assume that you use multiple -to and -recip options to have
> the message encrypted to multiple people?
No. The -to option is just a convenience that produces something
resembling the correct MIME format for an email message. If you want
something readable by multiple certificates then include them on the
command line to smime: you'll have to format the email message headers
yourself, or use one -to option and manually include the others, like CC:
As I mentioned above, -recip isn't used with smime -encrypt.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: stephen...@gemplus.com PGP key: via homepage.
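The workflow the reply describes, run end to end on constructed self-signed test certificates, as an added example that is not code from the thread or from the OpenSSL project. It assumes a local `openssl` binary; the recipient names, addresses and file names are made up, and `-aes256` stands in for the thread's `-des3`.

```shell
#!/bin/sh
# Added example (not from the original thread): .p7b -> PEM -> smime -encrypt,
# on constructed self-signed certificates. Assumes a local `openssl` binary;
# all recipient and file names are made up.
set -eu
WORK=$(mktemp -d)

# Self-signed cert + key per recipient (stand-ins for certificates exported from a mail client).
make_recipient() {  # $1 = name, $2 = e-mail address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Bundle both certs into a DER PKCS#7 (.p7b) file, the format Outlook Express exports.
make_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/Alice.crt" -certfile "$WORK/Bob.crt" \
    -outform DER -out "$WORK/contacts.p7b"
}

# The fix from the reply: -print_certs unwraps the PKCS#7 into plain PEM certificates.
# Without it the output is still a PKCS#7 blob and smime fails with "no start line".
# Each CERTIFICATE block is split into its own file (cert1.pem, cert2.pem, ...);
# prints how many certificates were found.
extract_certs() {
  openssl pkcs7 -in "$WORK/contacts.p7b" -inform DER -print_certs -out "$WORK/contacts.pem"
  awk -v d="$WORK" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/cert" n ".pem")}' \
    "$WORK/contacts.pem"
  ls "$WORK"/cert*.pem | wc -l | tr -d ' '
}

# Encrypt to several recipients: certificates are positional arguments (no -recip,
# which belongs to -decrypt). -to/-from/-subject only write MIME headers; further
# recipients need their own header lines (e.g. Cc:) added by hand.
encrypt_to_all() {
  printf 'hello from the command line\n' > "$WORK/msg.txt"
  openssl smime -encrypt -aes256 -in "$WORK/msg.txt" -out "$WORK/msg.enc" \
    -from sender@example.invalid -to alice@example.invalid -subject "Test using openssl" \
    "$WORK/cert1.pem" "$WORK/cert2.pem"
}

# Any listed recipient decrypts with their own key; here -recip is the right option.
# smime text mode canonicalises line endings to CRLF, so strip the CR for comparison.
decrypt_as() {  # $1 = recipient name
  openssl smime -decrypt -in "$WORK/msg.enc" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" | tr -d '\r'
}

make_recipient Alice alice@example.invalid
make_recipient Bob bob@example.invalid
make_p7b
CERT_COUNT=$(extract_certs)
encrypt_to_all
echo "certs extracted: $CERT_COUNT; Bob reads: $(decrypt_as Bob)"
```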