Secure mail throws exception while decrypting AES192

0 votes
asked Jun 14 by minam (210 points)


This happens while trying to decrypt an EML file. The same file can be decrypted by other 3rd party component.
Could someone help me on this?

Encryption Status:

The message is encrypted.
The message can be decrypted.
Rebex.Security.Certificates.CertificateException: Unable to decrypt data (00000057).
at Rebex.Security.Certificates.Certificate.QY(Byte[] C, Boolean V)
at Rebex.Security.Certificates.Certificate.Decrypt(Byte[] rgb, Boolean silent)
at Rebex.Security.Cryptography.Pkcs.KeyTransRecipientInfo.GW(Boolean C)
at Rebex.Security.Cryptography.Pkcs.EnvelopedData.GetSymmetricKey()
at Rebex.Security.Cryptography.Pkcs.EnvelopedData.RH()
at Rebex.Security.Cryptography.Pkcs.EnvelopedData.Decrypt()
at Rebex.Mime.MimeEntity.Decrypt()
at Rebex.Mail.MailMessage.Decrypt()
at at.Mime.Program.UseRebex(String sourcePath) in C:\Users\inm\Documents\Visual Studio 2017\Projects\at.Mime\at.Mime\Program.cs:line 118

Applies to: Rebex Secure Mail

2 Answers

0 votes
answered Jun 15 by Lukas Pokorny (85,590 points)

Hi, thanks for bringing this issue to our attention. Which version of Rebex Secure Mail do you currently use?

In any case, please try to decrypt the EML file using the latest beta build of Rebex Secure Mail. The decryption code has been improved and it would be very useful to determine whether the issue still persists.

commented Jun 16 by minam (210 points)
I have the version 2017R3, which I believe is the latest. I have tested the beta build you mentioned. Unfortunately, it's throwing the same exception.
+1 vote
answered Jun 19 by Lukas Pokorny (85,590 points)

We have looked into this and the most likely explanation is that the mail was encrypted using OAEP, which is not supported yet. Please download a development build with partial OAEP support and give it a try as well. This should either work, or at least provide a more meaningful error message.

commented Jun 22 by minam (210 points)
It seems this Beta works with the EML file. I'm now able to decrypt the Email message. As for OAEP, there is no way for me to determine whether the Email was encrypted with OAEP padding. Is there a tool or way you know of?

When are you planning to release this beta?

Thanks for the support and I'm looking forward to hearing from you.
commented Jun 22 by Lukas Pokorny (85,590 points)
Thanks a lot for giving this a try! This beta is at an early stage of development, and the public API is not yet updated to cover OAEP. The beta doesn't even support OAEP when encrypting e-mails.
However, to determine whether RSA with OAEP padding was used to encrypt a the symmetric private key, you can already load the EML file into a MimeMessage object and see whether message.EnvelopedContentInfo.RecipientInfos[index].KeyEncryptionAlgorithm.Oid.Value == "1.2.840.113549.1.1.7" for each recipient. (The OID value is id-RSAES-OAEP defined by RFC 3560).
commented Jun 26 by minam (210 points)
Ok. I need to use this Beta in my service. My customers are keep sending Emails with OAEP, which they are not supposed to. At least, not yet. How is the licensing in this case? I need to obtain Trial license key for this Beta assemblies.

commented Jun 27 by Lukas Pokorny (85,590 points)
Adding the following trial license key would ensure that the trial beta works until 2017-07-27:

Rebex.Licensing.Key = "==AX505cTaHyYxOTKSzknA0s92u2KolMo/plBOzqQ+GDOQ==";

If you decide to renew your support contract before Rebex Secure Mail with OAEP support is released, we would provide a non-trial version of the beta upon request.
commented Jun 28 by minam (210 points)
We already have a license for Total Pack. I can send the relevant information per Email. Can I please have the non-trial version of the beta. What's the development cadence for this beta?
commented Jun 28 by Lukas Pokorny (85,590 points)
Thanks! I just mailed you a link to a non-trial version. We plan to finish adding support for OAEP encryption/decryption with SHA-1 and SHA-2 by the end of August (on Windows and .NET Core).
commented Jul 10 by minam (210 points)
This version throws exceptions for certain EML files:

System.Security.Cryptography.CryptographicException: OAEP with SHA256 not is supported for this key.
   at Rebex.Security.Cryptography.EB.QJ(Byte[] J, PB D)
   at Rebex.Security.Cryptography.VD.CJ(Byte[] J, PB D)
   at Rebex.Security.Cryptography.AsymmetricKeyAlgorithm.R(Byte[] J, XB D)
   at Rebex.Security.Certificates.Certificate.TL(Byte[] J, XB D)
   at Rebex.Security.Cryptography.Pkcs.KeyTransRecipientInfo.KS(Boolean J)
   at Rebex.Security.Cryptography.Pkcs.EnvelopedData.GetSymmetricKey()
   at Rebex.Security.Cryptography.Pkcs.EnvelopedData.LM()
   at Rebex.Security.Cryptography.Pkcs.EnvelopedData.Decrypt()
   at Rebex.Mime.MimeEntity.Decrypt()
   at Rebex.Mail.MailMessage.Decrypt()
   at at.Mime.Program.Main(String[] args) in C:\\TFS\\inm\\Prototyping\\dev\\inm\\at.Mime\\at.Mime\\Program.cs:line 54

Is there a new version?
commented Jul 11 by Lukas Pokorny (85,590 points)
Yes, the latest build adds support for OAEP with SHA-2 (still decryption-only). Please give it a try, I just mailed the download link to you.
commented Aug 10 by Lukas Pokorny (85,590 points)
We have released Rebex Secure Mail 2017 R4.1 that adds decryption-only support for OAEP with SHA-2:
(Encryption support will appear in one of the next releases.)