Question:
I am trying to decrypt a mail message using a certificate (.cer) and a private key (.pfx). The certificate has a root certificate.
But I have problems decrypting the mail. I can see that both the root certificate and the private key have expired. The certificate itself, however, is valid. Is this the reason I can't decrypt? What would be the error message from the MailMan in that case? I can't get the exact error message right now, since I forgot to bring it from the customer (it says something along the lines of: it has a certificate but it can't find a valid private key). All the certificates are installed in the current user's Private key store (as I see it in Certificate Manager in Windows).
We have another software package which uses the same certificates, and it can decrypt the mail nicely. Is it possible that that software can ignore the fact that some of the certificates have expired?
To get detailed information about the cause of a problem, examine the contents of the LastErrorText property immediately after the method call that fails.
Ok, I just hoped that you had some theory about the issue. I'll have the exact error message tomorrow.
I now have the error message. There are three e-mails here, but they are all almost identical. They are all from the same sender. I have added the private certificate by double-clicking the PFX file and entering the password correctly. It has been installed in the default store for Current User and in Local Machine. But as I say, this certificate is expired. Would MailMan report "Found matching certificate, but no private key is available" if it was just expired, or would it be another message? Or do I just have the private certificate in a place where the user doesn't reach it? I have tried running the service as Local System, Network Service and a local administrator account.
2012-12-07 15:02:45.6126|Trace|Pop3MonitorService|------------ Timer elapsed ------------
2012-12-07 15:02:45.6126|Trace|Pop3MonitorService|Running account 1 : Eurodac on 163.174.72.131 with account napnotest using FitPlusServer handler
2012-12-07 15:02:45.7532|Trace|MailProcessor|"ChilkatLog:
CopyMail:
DllDate: Aug 5 2012
UnlockPrefix: STERIAMAILQ
Username: BIOMETRATEST:Administrator
Architecture: Little Endian; 32-bit
Language: .NET 4.0
VerboseLogging: 0
Pop3Connect:
Connecting to POP3 server
hostname: 163.174.72.131
port: 110
ssl: 0
connectTimeoutMs: 30000
heartbeatMs: 0
ConnectTimeoutMs_1: 30000
calling ConnectSocket2
IPV6 enabled connect with NO heartbeat.
This is an IPV4 numeric address...
AddrInfoList:
AddrInfo:
ai_flags: 4
ai_family: 2
ai_socktype: 1
ai_protocol: 0
ai_addrlen: 16
ai_canonname: (NULL)
--AddrInfo
--AddrInfoList
Connect using IPV4.
ipAddress1: 163.174.72.131
myIP_3: 163.174.72.104
myPort_3: 3868
connect successful (2)
Connected to POP3 server
PopCmdResp: +OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 (nap.nap01.dac.no.eu-admin.net) ready.
greeting: +OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 (nap.nap01.dac.no.eu-admin.net) ready.
ConnectionType: Unencrypted TCP/IP
--Pop3Connect
Pop3Authenticate:
username: napnotest
popSPA: 0
PopCmdSent: USER napnotest
PopCmdResp: +OK
PopCmdSent: PASS ****
PopCmdResp: +OK User successfully logged on.
POP3 authentication success
--Pop3Authenticate
PopCmdSent: STAT
PopCmdResp: +OK 3 19630
statResponse: +OK 3 19630
numMessages: 3
PopCmdSent: LIST
PopCmdResp: +OK 3 19630
1 6613
2 6416
3 6601
.
PopCmdSent: UIDL
PopCmdResp: +OK
PopCmdResp: 1 AAgfgBCAAAQSZZloxceZMSUJL0jFzYRF
2 AAwfgBCAAAQSZZloxceZMSUJL0jFzYRF
3 AAAggBCAAAQSZZloxceZMSUJL0jFzYRF
.
FetchFullEmail:
PopCmdSent: RETR 1
PopCmdResp: +OK
mimeCompleteToEmailObject:
createFromPop3:
createFromMimeObject5:
unwrapSecurity:
Unwrapping enveloped (encrypted or signed)...
unwrapEnveloped:
loadPkcs7Der_3:
DerParseTimeMs: Elapsed time: 0 millisec
Pkcs7_loadXml:
Pkcs7_EnvelopedData:
encryptionAlgorithmOid: 1.2.840.113549.3.7
IV: w9mfZpUxxV4=
numRecipients: 2
RecipientInfo:
IssuerAndSerialNumber:
serialNumber1: 4E805610
issuerCommonName: Postecom CS1
issuerCountry: IT
issuerState:
issuerLocality:
issuerOrganization: Postecom s.p.a.
--IssuerAndSerialNumber
encryptedKeyNumBytes: 128
--RecipientInfo
RecipientInfo:
IssuerAndSerialNumber:
serialNumber1: 4E8AE834
issuerCommonName: Postecom CS1
issuerCountry: IT
issuerState:
issuerLocality:
issuerOrganization: Postecom s.p.a.
--IssuerAndSerialNumber
encryptedKeyNumBytes: 128
--RecipientInfo
--Pkcs7_EnvelopedData
--Pkcs7_loadXml
Pkcs7XmlLoadTimeMs: Elapsed time: 0 millisec
--loadPkcs7Der_3
UnEnvelope3:
FindPrivateKeyFromSystemCerts:
NumRecipientInfos: 2
certSerialNumber: 4E805610
certIssuerCN: Postecom CS1
subjectKeyIdentifier:
Found matching certificate, but no private key is available.
certSerialNumber: 4E8AE834
certIssuerCN: Postecom CS1
subjectKeyIdentifier:
Found matching certificate, but no private key is available.
--FindPrivateKeyFromSystemCerts
No certificate with private key found.
--UnEnvelope3
Failed to unenvelope message
--unwrapEnveloped
An encrypted email was received
Not all data was decrypted
num_parts_encrypted: 1
--unwrapSecurity
from: no01@cap02.dac.cec.eu-admin.net
message_id: 201212071240.qB7CeG9f843886@cap02.dac.cec.eu-admin.net
--createFromMimeObject5
--createFromPop3
--mimeCompleteToEmailObject
--FetchFullEmail
FetchFullEmail:
PopCmdSent: RETR 2
PopCmdResp: +OK
mimeCompleteToEmailObject:
createFromPop3:
createFromMimeObject5:
unwrapSecurity:
Unwrapping enveloped (encrypted or signed)...
unwrapEnveloped:
loadPkcs7Der_3:
DerParseTimeMs: Elapsed time: 0 millisec
Pkcs7_loadXml:
Pkcs7_EnvelopedData:
encryptionAlgorithmOid: 1.2.840.113549.3.7
IV: ktjtpMT4gpc=
numRecipients: 2
RecipientInfo:
IssuerAndSerialNumber:
serialNumber1: 4E805610
issuerCommonName: Postecom CS1
issuerCountry: IT
issuerState:
issuerLocality:
issuerOrganization: Postecom s.p.a.
--IssuerAndSerialNumber
encryptedKeyNumBytes: 128
--RecipientInfo
RecipientInfo:
IssuerAndSerialNumber:
serialNumber1: 4E8AE834
issuerCommonName: Postecom CS1
issuerCountry: IT
issuerState:
issuerLocality:
issuerOrganization: Postecom s.p.a.
--IssuerAndSerialNumber
encryptedKeyNumBytes: 128
--RecipientInfo
--Pkcs7_EnvelopedData
--Pkcs7_loadXml
Pkcs7XmlLoadTimeMs: Elapsed time: 0 millisec
--loadPkcs7Der_3
UnEnvelope3:
FindPrivateKeyFromSystemCerts:
NumRecipientInfos: 2
certSerialNumber: 4E805610
certIssuerCN: Postecom CS1
subjectKeyIdentifier:
Found matching certificate, but no private key is available.
certSerialNumber: 4E8AE834
certIssuerCN: Postecom CS1
subjectKeyIdentifier:
Found matching certificate, but no private key is available.
--FindPrivateKeyFromSystemCerts
No certificate with private key found.
--UnEnvelope3
Failed to unenvelope message
--unwrapEnveloped
An encrypted email was received
Not all data was decrypted
num_parts_encrypted: 1
--unwrapSecurity
from: no01@cap02.dac.cec.eu-admin.net
message_id: 201212071254.qB7CsSVP409824@cap02.dac.cec.eu-admin.net
--createFromMimeObject5
--createFromPop3
--mimeCompleteToEmailObject
--FetchFullEmail
FetchFullEmail:
PopCmdSent: RETR 3
PopCmdResp: +OK
mimeCompleteToEmailObject:
createFromPop3:
createFromMimeObject5:
unwrapSecurity:
Unwrapping enveloped (encrypted or signed)...
unwrapEnveloped:
loadPkcs7Der_3:
DerParseTimeMs: Elapsed time: 0 millisec
Pkcs7_loadXml:
Pkcs7_EnvelopedData:
encryptionAlgorithmOid: 1.2.840.113549.3.7
IV: q+hA7W5t0Cw=
numRecipients: 2
RecipientInfo:
IssuerAndSerialNumber:
serialNumber1: 4E805610
issuerCommonName: Postecom CS1
issuerCountry: IT
issuerState:
issuerLocality:
issuerOrganization: Postecom s.p.a.
--IssuerAndSerialNumber
encryptedKeyNumBytes: 128
--RecipientInfo
RecipientInfo:
IssuerAndSerialNumber:
serialNumber1: 4E8AE834
issuerCommonName: Postecom CS1
issuerCountry: IT
issuerState:
issuerLocality:
issuerOrganization: Postecom s.p.a.
--IssuerAndSerialNumber
encryptedKeyNumBytes: 128
--RecipientInfo
--Pkcs7_EnvelopedData
--Pkcs7_loadXml
Pkcs7XmlLoadTimeMs: Elapsed time: 0 millisec
--loadPkcs7Der_3
UnEnvelope3:
FindPrivateKeyFromSystemCerts:
NumRecipientInfos: 2
certSerialNumber: 4E805610
certIssuerCN: Postecom CS1
subjectKeyIdentifier:
Found matching certificate, but no private key is available.
certSerialNumber: 4E8AE834
certIssuerCN: Postecom CS1
subjectKeyIdentifier:
Found matching certificate, but no private key is available.
--FindPrivateKeyFromSystemCerts
No certificate with private key found.
--UnEnvelope3
Failed to unenvelope message
--unwrapEnveloped
An encrypted email was received
Not all data was decrypted
num_parts_encrypted: 1
--unwrapSecurity
from: no01@cap02.dac.cec.eu-admin.net
message_id: 201212071355.qB7DtktZ634902@cap02.dac.cec.eu-admin.net
--createFromMimeObject5
--createFromPop3
--mimeCompleteToEmailObject
--FetchFullEmail
Success.
--CopyMail
--ChilkatLog
"
2012-12-07 15:02:45.7532|Info|MailProcessor|Found 3 messages in Eurodac on 163.174.72.131 with account napnotest using FitPlusServer handler
2012-12-07 15:02:45.7532|Trace|MailProcessor|Message number 0. Subject is: NOT1250002200T
2012-12-07 15:02:45.7688|Trace|MailProcessor|Processing 1 attachments
2012-12-07 15:02:45.8001|Warn|MailProcessor|Found non nist file in attachment number 0
2012-12-07 15:02:45.8001|Error|MailProcessor|Could not decrypt e-mail
It is the recipient's certificate + private key that is used for decryption. The specific certificate(s) required for decryption are indicated within the PKCS7 of the encrypted email. If there are multiple recipients, then there may be multiple certs that can be used for decryption. Any one cert + private key listed in the RecipientInfos may be used for decryption. Chilkat tries to find one of them. For example, in the last email, you'll see this:

UnEnvelope3:
FindPrivateKeyFromSystemCerts:
NumRecipientInfos: 2
certSerialNumber: 4E805610
certIssuerCN: Postecom CS1
subjectKeyIdentifier:
Found matching certificate, but no private key is available.
certSerialNumber: 4E8AE834
certIssuerCN: Postecom CS1
subjectKeyIdentifier:
Found matching certificate, but no private key is available.
--FindPrivateKeyFromSystemCerts
No certificate with private key found.
--UnEnvelope3

There are 2 possible certs that can be used, both identified by serial number and issuerCN. Chilkat finds both of them, but neither has the associated private key installed. You need to make sure these certs are installed w/ the private key.
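The check a practitioner would run on the affected machine, as an added example (this is not Chilkat's code and not part of the thread): it takes the two RecipientInfo identifiers from the log above (issuer CN "Postecom CS1", serials 4E805610 and 4E8AE834), looks for matching certificates in the CurrentUser and LocalMachine personal stores, and reports separately whether each match is expired and whether it has an associated private key. That separates the two questions the asker raises: an expired certificate still shows HasPrivateKey = True if the PFX was imported with its key, whereas "no private key is available" corresponds to HasPrivateKey = False. The store paths are the standard Windows personal stores and are an assumption about where the PFX was imported.

```powershell
# Added example: report, for each RecipientInfo named in the ChilkatLog,
# whether a matching certificate exists in the personal stores and whether
# that certificate carries a private key. Serials/issuer are from the log.
$recipients = @(
    @{ Serial = '4E805610'; IssuerCN = 'Postecom CS1' },
    @{ Serial = '4E8AE834'; IssuerCN = 'Postecom CS1' }
)
# Assumption: the PFX was imported into one of these personal stores.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

function Test-RecipientKey {
    param([hashtable]$Recipient, [string[]]$StorePaths)
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path |
            Where-Object {
                # X509Certificate2.SerialNumber is an uppercase hex string,
                # so a case-insensitive compare against the log value suffices.
                $_.SerialNumber -ieq $Recipient.Serial -and
                $_.Issuer -match ('CN=' + [regex]::Escape($Recipient.IssuerCN))
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Thumbprint    = $_.Thumbprint
                    Subject       = $_.Subject
                    NotAfter      = $_.NotAfter
                    Expired       = ($_.NotAfter -lt (Get-Date))
                    HasPrivateKey = $_.HasPrivateKey   # False == the log's "no private key is available"
                }
            }
    }
}

foreach ($r in $recipients) {
    Write-Host "RecipientInfo serial $($r.Serial) issued by CN=$($r.IssuerCN)"
    $hits = @(Test-RecipientKey -Recipient $r -StorePaths $stores)
    if ($hits.Count -eq 0) {
        Write-Host '  no matching certificate in either personal store'
        continue
    }
    $hits | Format-Table Store, HasPrivateKey, Expired, NotAfter, Thumbprint -AutoSize
}
```

Run it under the same account the mail service uses: Cert:\CurrentUser\My is per account, so a PFX imported while logged on as one user is invisible to a service running as Local System or Network Service, and a certificate listed with HasPrivateKey = False under the service account is exactly the situation the log reports. If the .cer was imported separately from the PFX, also compare thumbprints: decryption needs the certificate whose public key the sender encrypted to, installed together with its key, not just any certificate from the same issuer.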