Is it possible to retrieve MailEncryptionParameters of an encrypted Rebex.Mail.MailMessage-Object?

Question

It is possible to retrieve MailSignatureParameters of a signed mail. Is this possible for MailEncryptionParameters (PaddingScheme, Hashalgorithm) similary?
We are evaluating to buy the Rebex Secure Mail Suite. The only functionality we miss until now is to check if an email is encrypted using RSA with OAEP (RSAES-OAEP).

Answer 1

Yes, this is possible. These parameters are accessible through MailMessage object's Recipients property that includes a collection of SubjectInfo objects. They provide information related to recipients of the message and include the EncryptionParameters property that returns MailEncryptionParameters used to encrypt the message for the recipient:

// load an encrypted message
var mail = new MailMessage();
mail.Load("mail.eml");

// show list of all padding schemes used by this message
foreach (SubjectInfo recipient in mail.Recipients)
{
    Console.WriteLine("{0} {1}",
        recipient.EncryptionParameters.PaddingScheme,
        recipient.EncryptionParameters.HashAlgorithm);
}

Please note that this really is per-recipient info - it's possible for a single message to use RSAES-OAEP to encrypt the message some recipients and RSAES-PKCS1-v1_5 for others.

Comments

Thank you for this info. Maybe you have infos to some other things too.

In all of my cases Rebex.Mail.Message.EncryptionAlgorithm is different to recipient.EncryptionParameters.EncryptionAlgorithm. The last one is always 3DES. Is this explainable?

  message.EncryptionAlgorithm: AES192
  recipient.EncryptionParameters.EncryptionAlgorithm: TripleDES
  recipient.EncryptionParameters.HashAlgorithm: SHA256
  recipient.EncryptionParameters.PaddingScheme: Oaep


Furthermore I have many cases where I have one real recipients (message.To.Count = 1) but multiple SubjectsInfos in message.Recipients. That's confusing.
Can I somehow conclude from a message.To MailAddress to the corresponding message.Recipients SubjectInfo? Is there any connection left?

Thank you very much.

---

The difference in those two properties is apparently a bug. Unlike the rest of recipient.EncryptionParameters, the EncryptionAlgorithm property is not properly initialized when loading the mail message and therefore keeps its default value of TripleDES. We will fix this as well, thanks for bringing this to our attention!

---

More SubjectInfos in message.Recipients than the number of mail recipients (message.To) is a common practice - mail agents usually encrypt the message for the sender as well (to make it possible for the sender to decrypt the message later), and this appears as additional SubjectInfo in message.Recipients. This reflects the relationship between S/MIME and CMS (PKCS#7), where the two layers are independent but the whole thing relies on them being in sync.

The only connection is actually recipient.Certificate which features GetMailAddresses() method to retrieve a list of certificate owner's e-mail addresses. This can be then used to map the recipient info to a particular recipient in message.To, message.Cc (or a sender in message.From or message.Sender). However, this is somewhat complicated by the fact that these certificates don't have to be embedded in the encrypted message (although it's a good practice to embed them). If they are not embedded in the message and not found in relevant Windows certificate stores when loading the message, it is not be possible to match CMS recipients to S/MIME recipients.

---

This bug has been fixed in Rebex Secure Mail 2017 R3: https://rebex.net/secure-mail.net/history.aspx#2017R6.3