Error encrypting mail with MailMessage.Encrypt

Question

I get the following error when encrypting a mail with MailMessage.Encrypt, but couldn't find anything in the source or online regarding this error message:

"No recipient has a certificate with correct key usage for encryption."

The certificate is valid and has the following purposes listed (the first would read "Protects E-Mail messages" in English):

"Schützt E-Mail-Nachrichten
1.3.6.1.4.1.22177.300.1.1.4"

Any idea what's causing this and how I can circumvent it?

Answer 1

According to RFC 5652 - section 6.2.1:

a recipient X.509 version 3 certificate that contains a key usage
extension MUST assert the keyEncipherment bit

Please, check the Key Usage of your certificate. It should contain:

Key Encipherment (20)

Also, the mentioned OID 1.3.6.1.4.1.22177.300.1.1.4 does not refer to Email protection, it refers to "Global security levels". The correct OID for Email protection is 1.3.6.1.5.5.7.3.4 (defined by RFC 5280 - section 4.2.1.12).

---

Note:

Key usage check can be disabled by setting:

mail.Settings.SkipCertificateUsageCheck = true;

However, it is not suggested, because the produced message will be inconsistent with RFC and some mail readers can fail to decrypt (or validate the signature of) the message due to the wrong key usage.

Correct solution is to use valid certificate intended for this use.

Comments

Ok, thanks for the clarification. Is there any onboard mechanism that I can use to check if the certificate is valid for e-mail encryption? Right now I'm only checking if it is valid, but that seems to not be enough in this case :-(

---

There is no built-in method to check this, because certificates are not used for S/MIME only. However you can do simple check:

bool hasEncryptionUsage = (cert.GetIntendedUsage() & KeyUses.KeyEncipherment) != 0;

string[] enhancedUsageOids = cert.GetEnhancedUsage();
bool hasMailProtection = enhancedUsageOids == null ||
                            enhancedUsageOids.Contains(ExtendedUsageOids.EmailProtection) ||
                            enhancedUsageOids.Contains(ExtendedUsageOids.AnyPurpose);

The certificate can be used to encrypt an email if both `hasEncryptionUsage` and `hasMailProtection` are TRUE.

To complete the list, for signing an email, you should check:

bool hasSigningUsage = (cert.GetIntendedUsage() & KeyUses.DigitalSignature) != 0;

---

Thanks, that was exactly what I needed! :-)

---

I've a certificate and wanted to use it to encrypt the MailMessage for creating a smime message.
Certificate recipient = Certificate.LoadPfx(certificateKey, certificatePassword);            
var message = new MailMessage();
string[] enhancedUsageOids = recipient.GetEnhancedUsage();

message.Attachments.Add(new Attachment(encryptFilePath));
message.Encrypt( recipient);

However, the enhancedUsageOids  = "1.3.6.1.5.5.7.3.1" and so when I use message.Encrypt I got the same error "No recipient has a certificate with correct key usage for encryption".
I can create a smime message with EnvelopedCms (.net framework), encrypted using upper certificate.
My question is can I archived the same thing with Rebex ? Cause when using EnvelopedCMS to generate the smime message, I have to use Reflection for getting the message.
Thanks

---

Yes, you can achieve the same thing using Rebex Mail, but please note that the produced message will be inconsistent with RFC. Some mail readers can fail to decrypt the message because of the wrong key usage.

To disable key usage check, just set:

  message.Settings.SkipCertificateUsageCheck = true

---

Thankyou. Sorry for not reading carefully the previous response (you already mentioned that usage)