Unable to decrypt S/MIME message

Question

Hello,

I am currently evaluating REBEX S/MIME product and I am facing the following problem; while i can decrypt some messages, for some others I receive the following exception:

Rebex.Security.Certificates.CertificateException: Unable to acquire private key. at Rebex.Security.Certificates.Certificate.Decrypt(Byte[] rgb, Boolean silent) at Rebex.Security.Cryptography.Pkcs.KeyTransRecipientInfo.AxOrqg(Boolean ) at Rebex.Security.Cryptography.Pkcs.EnvelopedData.GetSymmetricKey() at Rebex.Security.Cryptography.Pkcs.EnvelopedData.GetSymmetricAlgorithm() at Rebex.Security.Cryptography.Pkcs.EnvelopedData.Decrypt() at Rebex.Mime.MimeEntity.Decrypt() at Rebex.Samples.MimeExplorer.MimeExplorer.DecryptCommand() at Rebex.Samples.MimeExplorer.MimeExplorer.viewTree_DoubleClick(Object sender, EventArgs e) at System.Windows.Forms.Control.OnDoubleClick(EventArgs e) at System.Windows.Forms.TreeView.WndProc(Message& m) at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m) at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m) at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

The message is loaded from disk using the following code:

Dim message As New MailMessage

'load the message from a local disk file message.Load(msgPath) 'decrypt the message if it is encrypted If message.IsEncrypted Then MessageBox.Show("Message from " & message.From(0).Address & "[Subject: " & message.Subject & "] is enrypted") End If If Not message.CanDecrypt Then Throw New ApplicationException _ ( _ "Message cannot be decrypted. You do not have the private key." _ ) End If Try message.Decrypt() Catch ex As Exception MessageBox.Show("Unable to decrypt message from " & message.From(0).Address & ": " & ex.Message)

End Try

The e-mail message has previously been saved to disk, using Pop3.GetMessage() method.

I have also tried explicitly loading the .pfx file containing the user certificate using the following code:

Dim userCert As Certificate = Certificate.LoadPfx("C:PATH_TO_USER_CERT.pfx", "PFX_PASSWORD") Dim subcacert As Certificate = Certificate.LoadDer("C:PATH_TO_SUBCA.cer") Dim rootcacert As Certificate = Certificate.LoadDer("C:PATH_TO_ROOTCA.cer") Dim cch As New CertificateChain cch.Add(userCert) cch.Add(subcacert) cch.Add(rootcacert) message.CertificateFinder = CertificateFinder.CreateFinder(cch)

Calling message.Decrypt() threw the same Exception. Additionally, calling userCert.HasPrivateKey returns true, and I am also able to sign an MD-5 hash using the userCert.signHash method.

Finally, Outlook will correctly decrypt the message.

Any clues on what the problem might be?

Thanks

Answer 1

Thanks for reporting this issue! Although nothing is certain a this point, this might be caused by some problem in the our CryptoAPI wrapper.

The problem is located in Certificate object's Decrypt mehod. First, let's try a code that is as simple as possible and calls this method. The following code snippet can be used:

Imports System.Text
Imports System.Security.Cryptography
Imports Rebex.Security.Certificates
...

    ' load the certificate
    Dim userCert As Certificate = Certificate.LoadPfx("C:\PATH_TO_USER_CERT.pfx", "PFX_PASSWORD")

    ' define some test data
    Dim testData() As Byte = Encoding.UTF8.GetBytes("test data")

    ' make sure that 'sign' operation works
    Dim hash() As Byte = MD5.Create().ComputeHash(testData)
    userCert.SignHash(hash, SignatureHashAlgorithm.MD5, False)

    ' encrypt data (no private key needed for this)
    Dim encryptedData() As Byte = userCert.Encrypt(testData)

    ' decrypt encrypted data (this is what seems to fail)
    ' (is there any difference if False is used as the second argument?)
    Dim decryptedData() As Byte = userCert.Decrypt(encryptedData, True)

Does this fail as well? Does it fail at SignHash method, Decrypt method, or elsewhere?

Answer 2

Hello Lukas,

Thank you for your prompt reply!

I was able to run the code snippet you sent me without a problem. The encrypted Data was properly decrypted (and output to the Console) using either ‘True’ or ‘False’ as the second argument in the Certificate object’s Decrypt method.

Comments

This proves that my guess was wrong and the problem is not in the Decrypt method. It looks like we try decrypting using a wrong certificate in some cases. Fortunately, fixing this bug should be easy. Please check your company e-mail for further instructions.