[imp] Help with SMIME

Cliff Green green at UMDNJ.EDU
Tue Jan 7 17:24:09 PST 2003


Quoting Sebastian Calero Laguia <scalero at datadec.es>:

> I have got a file keys.pem, the result of:
>  /usr/local/ssl/bin/openssl pkcs12 -in myfile.pfx -out keys.pem

FWIW, unless there's a cut'n'paste error below, this doesn't look quite right.

> 
> but I don't detect the Public Key inside it, this is the readable format of
> my keys.pem:
[munch]

> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,D0B71A34891DBD79
> 
> AAAAAAAAAAAAAAAAA
> -----END RSA PRIVATE KEY-----

Including the BEGIN/END PRIVATE KEY lines, the above would be your private key.

> Bag Attributes
>     localKeyID: 01 00 00 00
> subject=/O=VeriSign, Inc./OU=VeriSign Trust
> Network/OU=www.verisign.com/repository/RPA Incorp. by
> Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 -
> Microsoft/CN=mypymicu/emailAddress=micuenta at mypyme.net
> issuer=/O=VeriSign, Inc./OU=VeriSign Trust
> Network/OU=www.verisign.com/repository/RPA Incorp. By
> Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not
> Validated
> -----BEGIN CERTIFICATE-----
> BBBBBBBBBBBBBBBBBBBBB
> -----END CERTIFICATE-----

In my private hierarchy certificates, this is where my certificate shows up,
between the first BEGIN/END CERTIFICATE lines.  In my Verisign cert, it comes
after our intermediate CA and VS' Class 2 signing cert.  Note the CN and email
address bound in this cert (micuenta at mypyme.net) as part of the subject field. 
Is this you?

Also, notice at the end of that data: "CN=VeriSign Class 1 CA Individual
Subscriber-Persona Not Validated", which means this is probably one of their
freebie trial certs, and they couldn't positively vouch for your identity.  This
isn't a high-assurance cert, and they may have a policy to not identify you any
more than that.  Dunno.

Regardless, if that email address is the one you used when registering, then
this may be the cert you want to use.

> Bag Attributes
>     friendlyName: VeriSign Class 1 Primary CA
> subject=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification
> Authority
> issuer=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification
> Authority
> -----BEGIN CERTIFICATE-----
> CCCCCCCCCCCCCCCCCCCCC
> -----END CERTIFICATE-----
> Bag Attributes: <Empty Attributes>
> subject=/O=VeriSign, Inc./OU=VeriSign Trust
> Network/OU=www.verisign.com/repository/RPA Incorp. By
> Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not
> Validated
> issuer=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification
> Authority
> -----BEGIN CERTIFICATE-----
> DDDDDDDDDDDDDDDDDDD
> -----END CERTIFICATE-----

CCCCCCCCCCCCCCC and
DDDDDDDDDDDDDDD

look like the signing cert and intermediate signing cert for that VS CA.  If I
had to make a guess, I'd venture that CCCCCCCC is the intermediate CA and
DDDDDDD is the root for that CA.  I suppose you could dig into your cert store
in your browser to match one of them up, if it were important.  Probably isn't.


> Any of the items:
> AAAAAAAAAAAAAAAAA
> BBBBBBBBBBBBBBBBBBBBB
> CCCCCCCCCCCCCCCCCCCCC
> DDDDDDDDDDDDDDDDDDD
> 
> is the Public Key I have to paste in the field of the "Import Personal
> Public S/MIME Key" IMP form?

I'd say BBBBBBBB, based on the info above, but since that email address doesn't
match to the one you list below, it may be mucked up somehow.

> On the other hand, I still get this error in my logs when I import the Public
> Key of a signed message:
>    [Tue Jan  7 11:44:04 2003] [error] PHP Notice:  Undefined index:  Email
> in /u01/hosting/mymensajes/horde/imp/lib/SMIME.php on line 191
>    /u01/hosting/mymensajes/horde/imp/lib/SMIME.php(191) : Notice - Undefined
> index:  Email

I don't get this.  What versions of imp/horde do you have, and are your config
files and preferences backend all up to date?


> 
> this is the message shown in IMP:
> /////////////////////////////////////////////////////////////
>   This message has been digitally signed via S/MIME.
> 
> 
>   The message has been verified.
> 
> 
>   unnamed  text/plain  0.00 KB
> 
> There was no text in this message part.
>   Click to Save S/MIME certificate in your Address book.
> Show S/MIME certificate details.

Ummm, was this an empty, signed message?

[munch]

> Asunto:
>   Organisation: VeriSign, Inc.
>   Organisational Unit: Digital ID Class 1 - Microsoft
>   Common Name: Sebastian
>   Email Address: scalero at datadec.es

Well, it's you here.  I wonder what they're doing?  For me, this would match the
address bound into my Subject field.  And has been on every valid cert I've seen. 

In fact, when I searched for you in their directory I got the following for your
Subject field:
E = scalero at datadec.es
CN = Sebastian
OU = Digital ID Class 1 - Microsoft
OU = Persona Not Validated
OU = www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98
OU = VeriSign Trust Network
O = VeriSign, Inc.

Interestingly, when I searched for micuenta at mypyme.net, I also got a hit for
this address, too:
E = micuenta at mypyme.net
CN = mypymicu
OU = Digital ID Class 1 - Microsoft
OU = Persona Not Validated
OU = www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98
OU = VeriSign Trust Network
O = VeriSign, Inc.


Which kind of implies that something went wrong when you used openssl to convert
your pkcs12 file, or you have somehow mingled data from two certs?


> 
> Issuer:
>   Organisation: VeriSign, Inc.
>   Organisational Unit: www.verisign.com/repository/RPA Incorp. By
> Ref.,LIAB.LTD(c)98
>   Common Name: VeriSign Class 1 CA Individual Subscriber-Persona Not
> Validated
> 
> Validity:
>   Not Before: 12/23/02 00:00:00
>   Not After: 02/21/03 23:59:59

Yeah, this looks like one of their low-assurance freebies.

c
-- 
Cliff Green
Academic Computing Services - UMDNJ
Signature under NDA
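
Added example, not part of the original message: a Python sketch that labels each certificate in the text output of the `openssl pkcs12` conversion discussed above by comparing its subject and issuer lines, then picks the block to import only if the expected address is bound in its subject. The function names, the shortened DNs and the example.net address are assumptions made for illustration, and the parser assumes the one-line "/O=.../CN=..." DN format shown in the post.

```python
import re

# Constructed sample: layout of `openssl pkcs12 -in myfile.pfx -out keys.pem` output,
# DNs shortened from the post; the address and base64 bodies are placeholders.
SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
Bag Attributes
subject=/O=VeriSign, Inc./OU=Persona Not Validated/CN=mypymicu/emailAddress=micuenta@example.net
issuer=/O=VeriSign, Inc./CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
Bag Attributes
subject=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
issuer=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
CCCC
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/O=VeriSign, Inc./CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
issuer=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
DDDD
-----END CERTIFICATE-----
"""

CERT_RE = re.compile(
    r"subject=([^\n]+)\nissuer=([^\n]+)\n"
    r"(-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----)", re.S)

def classify(pem_text):
    # Roles come from DN string comparison only; no signature is verified.
    certs = [dict(subject=s.strip(), issuer=i.strip(), pem=p)
             for s, i, p in CERT_RE.findall(pem_text)]
    issuers = {c["issuer"] for c in certs}
    for c in certs:
        c["role"] = ("root" if c["subject"] == c["issuer"] else
                     "intermediate" if c["subject"] in issuers else "end-entity")
        m = re.search(r"emailAddress=([^/\n]+)", c["subject"])
        c["email"] = m.group(1).lower() if m else None
    return certs

def smime_candidate(pem_text, my_email):
    # The cert to import: end-entity, with my_email bound in its subject.
    return next((c["pem"] for c in classify(pem_text) if c["role"] == "end-entity"
                 and c["email"] == my_email.lower()), None)
```

A `None` result from `smime_candidate` is the mismatch case raised in the reply: the file holds an end-entity certificate, but it is bound to a different address than the one being imported.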


