0 votes
by (270 points)

It is about version 2017 R6. "CanDecrypt" method returns false for a certificate even though it is in store. Decryption works for other certificates.

I've seen that certain components have logging support. Is there one for MailMessage? How can I find out why "CanDecrypt" returns false?

Thanks,

Applies to: Rebex Secure Mail

1 Answer

0 votes
by (3.9k points)
edited by

Hello,

The MailMessage does not support logging yet. Can you try calling the Decrypt() method, omitting the CanDecrypt check? This should generate an error from which we might be able to determine what is causing the problem.

You can also create a custom certificate finder by implementing the ICertificateFinder interface in a class of your own and output some more information to a log file. It can be done the following way:

using System;
// plus the Rebex namespaces that declare ICertificateFinder, CertificateFinder,
// CertificateChain, CertificateStore and SubjectIdentifier

// Wraps the default finder and logs what each certificate lookup is asked for.
class CertFinder : ICertificateFinder
{
    public CertificateChain Find(SubjectIdentifier subjectIdentifier, CertificateStore additionalStore)
    {
        // A recipient is identified either by issuer + serial number, by subject
        // key identifier, or by public key; print whichever parts are present.
        if (subjectIdentifier.Issuer != null)
        {
            Console.WriteLine("Issuer:");
            Console.WriteLine(subjectIdentifier.Issuer.ToString());
        }

        if (subjectIdentifier.SerialNumber != null)
        {
            Console.WriteLine("Serial number:");
            Console.WriteLine(Convert.ToBase64String(subjectIdentifier.SerialNumber));
        }

        if (subjectIdentifier.SubjectKeyIdentifier != null)
        {
            Console.WriteLine("Sub key:");
            Console.WriteLine(Convert.ToBase64String(subjectIdentifier.SubjectKeyIdentifier));
        }

        if (subjectIdentifier.PublicKey != null)
        {
            Console.WriteLine("Pub key:");
            Console.WriteLine(Convert.ToBase64String(subjectIdentifier.PublicKey));
        }

        if (subjectIdentifier.PublicKeyAlgorithm != null)
        {
            Console.WriteLine("Pub key alg:");
            Console.WriteLine(subjectIdentifier.PublicKeyAlgorithm.ToString());
        }

        // Delegate the actual lookup to the built-in finder.
        return CertificateFinder.Default.Find(subjectIdentifier, additionalStore);
    }
}

And then add the code below to your code:

MailMessage mail = new MailMessage();

mail.Load(@"c:\email.eml");

// Route certificate lookups through the logging finder above.
mail.CertificateFinder = new CertFinder();

if (mail.IsEncrypted)
{
    Console.WriteLine("Encrypted mail");
    Console.WriteLine("CanDecrypt: {0}", mail.CanDecrypt);
    try
    {
        // Call Decrypt() regardless of CanDecrypt; the exception tells why the key was not found.
        mail.Decrypt();
    }
    catch (Exception x)
    {
        Console.WriteLine(x);
    }
}
else
{
    Console.WriteLine("Message is not encrypted");
}
by (270 points)
Hi,

If I use the "Decrypt" method directly, the following exception is thrown:

System.Security.Cryptography.CryptographicException: Cannot retrieve the symmetric key.
   at Rebex.Security.Cryptography.Pkcs.EnvelopedData.Decrypt()
   at Rebex.Mime.MimeEntity.Decrypt()
   at Rebex.Mail.MailMessage.Decrypt()
   at at.Mime.Program.Main(String[] args) in C:\TFS\inm\Proto\dev\inm\at.Mime\at.Mime\Program.cs:line 96

Another strange behavior I've encountered is the way MailMessage obtains the SubjectIdentifier for EML files that it cannot decrypt. For example, if I want to decrypt two different EML files, each with its own certificate, the CertFinder receives a Find request with the same SubjectIdentifier (Issuer and SerialNumber). If you give me an email address, I can send the screenshot.

By the way, decrypting this EML file works without any problem with version 5171. This issue is urgent for us.

Sincerely,
...
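The identifiers the CertFinder in the answer logs, and the Issuer and SerialNumber the comment above mentions, come from the RecipientInfo entries of the CMS EnvelopedData inside the message: it can only be decrypted when one of those entries names a certificate that is present in the store together with its private key. The following is an added example, not part of this thread and not Rebex's code: it uses .NET's built-in System.Security.Cryptography.Pkcs types (whose SubjectIdentifier is a different class from Rebex's) to list the recipient identifiers of an EnvelopedData blob and check them against candidate certificates, reproducing both failure modes (no matching certificate; matching certificate without a private key) on constructed test certificates. The RecipientCheck class, its methods and the certificate names are assumptions of this example; the .NET API calls are real and, on .NET Core/5+, need the System.Security.Cryptography.Pkcs package.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml; // X509IssuerSerial

// Added diagnostic (not Rebex code): decode an EnvelopedData blob with .NET's own
// EnvelopedCms, print every RecipientInfo identifier, and report which candidate
// certificates match it AND carry a private key.
static class RecipientCheck
{
    // Render a recipient identifier the way the CertFinder in the answer logs it.
    public static string Describe(SubjectIdentifier id)
    {
        if (id.Type == SubjectIdentifierType.IssuerAndSerialNumber)
        {
            var isn = (X509IssuerSerial)id.Value;
            return $"IssuerAndSerialNumber issuer='{isn.IssuerName}' serial={isn.SerialNumber}";
        }
        return $"{id.Type} {id.Value}";
    }

    // The comparison a certificate store lookup has to make: issuer DN string plus
    // serial number as hex (leading zeros trimmed), or the SKI extension value.
    public static bool Matches(SubjectIdentifier id, X509Certificate2 cert)
    {
        switch (id.Type)
        {
            case SubjectIdentifierType.IssuerAndSerialNumber:
                var isn = (X509IssuerSerial)id.Value;
                return isn.IssuerName == cert.Issuer
                    && string.Equals(isn.SerialNumber.TrimStart('0'), cert.SerialNumber.TrimStart('0'),
                                     StringComparison.OrdinalIgnoreCase);
            case SubjectIdentifierType.SubjectKeyIdentifier:
                foreach (X509Extension ext in cert.Extensions)
                    if (ext is X509SubjectKeyIdentifierExtension ski)
                        return string.Equals(ski.SubjectKeyIdentifier, (string)id.Value,
                                             StringComparison.OrdinalIgnoreCase);
                return false;
            default:
                return false;
        }
    }

    // Returns the candidates that could decrypt the blob; logs every recipient entry seen.
    public static List<X509Certificate2> FindDecryptors(byte[] envelopedDer,
                                                        IEnumerable<X509Certificate2> candidates)
    {
        var cms = new EnvelopedCms();
        cms.Decode(envelopedDer);
        var usable = new List<X509Certificate2>();
        foreach (RecipientInfo ri in cms.RecipientInfos)
        {
            Console.WriteLine("Recipient: " + Describe(ri.RecipientIdentifier));
            foreach (var cert in candidates)
            {
                if (!Matches(ri.RecipientIdentifier, cert))
                    continue;
                Console.WriteLine($"  matches '{cert.Subject}', HasPrivateKey={cert.HasPrivateKey}");
                if (cert.HasPrivateKey)
                    usable.Add(cert);
            }
        }
        return usable;
    }

    // Self-signed throwaway certificate with an SKI extension (constructed test data).
    public static X509Certificate2 MakeTestCert(string cn)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest($"CN={cn}", rsa, HashAlgorithmName.SHA256,
                                             RSASignaturePadding.Pkcs1);
            req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    // Encrypt a constructed body for one recipient, naming it by the chosen identifier type.
    static byte[] EncryptFor(X509Certificate2 recipient, SubjectIdentifierType idType)
    {
        var cms = new EnvelopedCms(new ContentInfo(System.Text.Encoding.UTF8.GetBytes("constructed body")));
        cms.Encrypt(new CmsRecipient(idType, recipient));
        return cms.Encode();
    }

    static void Main()
    {
        using (X509Certificate2 alice = MakeTestCert("alice.example"))   // intended recipient
        using (X509Certificate2 bob = MakeTestCert("bob.example"))       // unrelated certificate
        using (var alicePublicOnly = new X509Certificate2(alice.Export(X509ContentType.Cert)))
        {
            foreach (var idType in new[] { SubjectIdentifierType.IssuerAndSerialNumber,
                                           SubjectIdentifierType.SubjectKeyIdentifier })
            {
                byte[] blob = EncryptFor(alice, idType);
                Console.WriteLine($"=== message for alice, recipient identified by {idType}");
                // Store holds only bob: nothing matches, which is what CanDecrypt == false looks like.
                Console.WriteLine("store [bob]: " + (FindDecryptors(blob, new[] { bob }).Count > 0));
                // Store holds alice's certificate without her private key: matches, still undecryptable.
                Console.WriteLine("store [alice, public only]: " + (FindDecryptors(blob, new[] { alicePublicOnly }).Count > 0));
                // Store holds alice with her key: decryptable.
                Console.WriteLine("store [alice]: " + (FindDecryptors(blob, new[] { alice }).Count > 0));
            }
        }
    }
}
```

To apply this to a real message, pass the base64-decoded application/pkcs7-mime body of the .eml as envelopedDer and the certificates from the relevant X509Store as candidates. The "Recipient:" lines should agree with what the CertFinder above logs; an empty result means that nothing in the store names that recipient with a private key, so no finder implementation can decrypt the message.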