Archived Forum Post

Question:

Decrypt with expired root certificate?

Dec 07 '12 at 10:50

I am trying to decrypt a mail message using a certificate (.cer) and a private key (.pfx). The certificate has a root certificate.

But I have problems decrypting the mail. I can see that both the root certificate and the private key have expired. The certificate, however, is valid. Is this the reason I can't decrypt? What would the error message from the MailMan be in that case? I can't get the exact error message right now, since I forgot to bring it from the customer (it says something along the lines of: it has a certificate but it can't find a valid private key). All the certificates are installed in the current user's private key store (as I see it in Certificate Manager in Windows).

We have another software package which uses the same certificates, and it can decrypt them nicely. Is it possible that that software can ignore the fact that some of the certificates have expired?


Answer

To get detailed information about the cause of a problem, examine the contents of the LastErrorText property immediately after the method call that fails.


Answer

Ok, I just hoped that you had some theory about the issue. I'll have the exact error message tomorrow.


Answer

I now have the error message. There are three e-mails here, but they are all almost identical. They are all from the same sender. I have added the private certificate by double-clicking the PFX file and entering the password correctly. It has been installed in the default store for Current User and in Local Machine. But as I say, this certificate is expired. Would MailMan report "Found matching certificate, but no private key is available" if it were just expired, or would it be another message? Or do I just have the private certificate in a place where the user doesn't reach it? I have tried running the service as Local System, Network Service and a local administrator account.

2012-12-07 15:02:45.6126|Trace|Pop3MonitorService|------------ Timer elapsed ------------
2012-12-07 15:02:45.6126|Trace|Pop3MonitorService|Running account 1 : Eurodac on 163.174.72.131 with account napnotest using FitPlusServer handler
2012-12-07 15:02:45.7532|Trace|MailProcessor|"ChilkatLog:
  CopyMail:
    DllDate: Aug  5 2012
    UnlockPrefix: STERIAMAILQ
    Username: BIOMETRATEST:Administrator
    Architecture: Little Endian; 32-bit
    Language: .NET 4.0
    VerboseLogging: 0
    Pop3Connect:
      Connecting to POP3 server
      hostname: 163.174.72.131
      port: 110
      ssl: 0
      connectTimeoutMs: 30000
      heartbeatMs: 0
      ConnectTimeoutMs_1: 30000
      calling ConnectSocket2
      IPV6 enabled connect with NO heartbeat.
      This is an IPV4 numeric address...
      AddrInfoList:
        AddrInfo:
          ai_flags: 4
          ai_family: 2
          ai_socktype: 1
          ai_protocol: 0
          ai_addrlen: 16
          ai_canonname: (NULL)
        --AddrInfo
      --AddrInfoList
      Connect using IPV4.
      ipAddress1: 163.174.72.131
      myIP_3: 163.174.72.104
      myPort_3: 3868
      connect successful (2)
      Connected to POP3 server
      PopCmdResp: +OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 (nap.nap01.dac.no.eu-admin.net) ready.
      greeting: +OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 (nap.nap01.dac.no.eu-admin.net) ready.
      ConnectionType: Unencrypted TCP/IP
    --Pop3Connect
    Pop3Authenticate:
      username: napnotest
      popSPA: 0
      PopCmdSent: USER napnotest
      PopCmdResp: +OK
      PopCmdSent: PASS ****
      PopCmdResp: +OK User successfully logged on.
      POP3 authentication success
    --Pop3Authenticate
    PopCmdSent: STAT
    PopCmdResp: +OK 3 19630
    statResponse: +OK 3 19630
    numMessages: 3
    PopCmdSent: LIST
    PopCmdResp: +OK 3 19630
1 6613
2 6416
3 6601
.
    PopCmdSent: UIDL
    PopCmdResp: +OK
    PopCmdResp: 1 AAgfgBCAAAQSZZloxceZMSUJL0jFzYRF
2 AAwfgBCAAAQSZZloxceZMSUJL0jFzYRF
3 AAAggBCAAAQSZZloxceZMSUJL0jFzYRF
.
    FetchFullEmail:
      PopCmdSent: RETR 1
      PopCmdResp: +OK
      mimeCompleteToEmailObject:
        createFromPop3:
          createFromMimeObject5:
            unwrapSecurity:
              Unwrapping enveloped (encrypted or signed)...
              unwrapEnveloped:
                loadPkcs7Der_3:
                  DerParseTimeMs: Elapsed time: 0 millisec
                  Pkcs7_loadXml:
                    Pkcs7_EnvelopedData:
                      encryptionAlgorithmOid: 1.2.840.113549.3.7
                      IV: w9mfZpUxxV4=
                      numRecipients: 2
                      RecipientInfo:
                        IssuerAndSerialNumber:
                          serialNumber1: 4E805610
                          issuerCommonName: Postecom CS1
                          issuerCountry: IT
                          issuerState: 
                          issuerLocality: 
                          issuerOrganization: Postecom s.p.a.
                        --IssuerAndSerialNumber
                        encryptedKeyNumBytes: 128
                      --RecipientInfo
                      RecipientInfo:
                        IssuerAndSerialNumber:
                          serialNumber1: 4E8AE834
                          issuerCommonName: Postecom CS1
                          issuerCountry: IT
                          issuerState: 
                          issuerLocality: 
                          issuerOrganization: Postecom s.p.a.
                        --IssuerAndSerialNumber
                        encryptedKeyNumBytes: 128
                      --RecipientInfo
                    --Pkcs7_EnvelopedData
                  --Pkcs7_loadXml
                  Pkcs7XmlLoadTimeMs: Elapsed time: 0 millisec
                --loadPkcs7Der_3
                UnEnvelope3:
                  FindPrivateKeyFromSystemCerts:
                    NumRecipientInfos: 2
                    certSerialNumber: 4E805610
                    certIssuerCN: Postecom CS1
                    subjectKeyIdentifier: 
                    Found matching certificate, but no private key is available.
                    certSerialNumber: 4E8AE834
                    certIssuerCN: Postecom CS1
                    subjectKeyIdentifier: 
                    Found matching certificate, but no private key is available.
                  --FindPrivateKeyFromSystemCerts
                  No certificate with private key found.
                --UnEnvelope3
                Failed to unenvelope message
              --unwrapEnveloped
              An encrypted email was received
              Not all data was decrypted
              num_parts_encrypted: 1
            --unwrapSecurity
            from: no01@cap02.dac.cec.eu-admin.net
            message_id: 201212071240.qB7CeG9f843886@cap02.dac.cec.eu-admin.net
          --createFromMimeObject5
        --createFromPop3
      --mimeCompleteToEmailObject
    --FetchFullEmail
    FetchFullEmail:
      PopCmdSent: RETR 2
      PopCmdResp: +OK
      mimeCompleteToEmailObject:
        createFromPop3:
          createFromMimeObject5:
            unwrapSecurity:
              Unwrapping enveloped (encrypted or signed)...
              unwrapEnveloped:
                loadPkcs7Der_3:
                  DerParseTimeMs: Elapsed time: 0 millisec
                  Pkcs7_loadXml:
                    Pkcs7_EnvelopedData:
                      encryptionAlgorithmOid: 1.2.840.113549.3.7
                      IV: ktjtpMT4gpc=
                      numRecipients: 2
                      RecipientInfo:
                        IssuerAndSerialNumber:
                          serialNumber1: 4E805610
                          issuerCommonName: Postecom CS1
                          issuerCountry: IT
                          issuerState: 
                          issuerLocality: 
                          issuerOrganization: Postecom s.p.a.
                        --IssuerAndSerialNumber
                        encryptedKeyNumBytes: 128
                      --RecipientInfo
                      RecipientInfo:
                        IssuerAndSerialNumber:
                          serialNumber1: 4E8AE834
                          issuerCommonName: Postecom CS1
                          issuerCountry: IT
                          issuerState: 
                          issuerLocality: 
                          issuerOrganization: Postecom s.p.a.
                        --IssuerAndSerialNumber
                        encryptedKeyNumBytes: 128
                      --RecipientInfo
                    --Pkcs7_EnvelopedData
                  --Pkcs7_loadXml
                  Pkcs7XmlLoadTimeMs: Elapsed time: 0 millisec
                --loadPkcs7Der_3
                UnEnvelope3:
                  FindPrivateKeyFromSystemCerts:
                    NumRecipientInfos: 2
                    certSerialNumber: 4E805610
                    certIssuerCN: Postecom CS1
                    subjectKeyIdentifier: 
                    Found matching certificate, but no private key is available.
                    certSerialNumber: 4E8AE834
                    certIssuerCN: Postecom CS1
                    subjectKeyIdentifier: 
                    Found matching certificate, but no private key is available.
                  --FindPrivateKeyFromSystemCerts
                  No certificate with private key found.
                --UnEnvelope3
                Failed to unenvelope message
              --unwrapEnveloped
              An encrypted email was received
              Not all data was decrypted
              num_parts_encrypted: 1
            --unwrapSecurity
            from: no01@cap02.dac.cec.eu-admin.net
            message_id: 201212071254.qB7CsSVP409824@cap02.dac.cec.eu-admin.net
          --createFromMimeObject5
        --createFromPop3
      --mimeCompleteToEmailObject
    --FetchFullEmail
    FetchFullEmail:
      PopCmdSent: RETR 3
      PopCmdResp: +OK
      mimeCompleteToEmailObject:
        createFromPop3:
          createFromMimeObject5:
            unwrapSecurity:
              Unwrapping enveloped (encrypted or signed)...
              unwrapEnveloped:
                loadPkcs7Der_3:
                  DerParseTimeMs: Elapsed time: 0 millisec
                  Pkcs7_loadXml:
                    Pkcs7_EnvelopedData:
                      encryptionAlgorithmOid: 1.2.840.113549.3.7
                      IV: q+hA7W5t0Cw=
                      numRecipients: 2
                      RecipientInfo:
                        IssuerAndSerialNumber:
                          serialNumber1: 4E805610
                          issuerCommonName: Postecom CS1
                          issuerCountry: IT
                          issuerState: 
                          issuerLocality: 
                          issuerOrganization: Postecom s.p.a.
                        --IssuerAndSerialNumber
                        encryptedKeyNumBytes: 128
                      --RecipientInfo
                      RecipientInfo:
                        IssuerAndSerialNumber:
                          serialNumber1: 4E8AE834
                          issuerCommonName: Postecom CS1
                          issuerCountry: IT
                          issuerState: 
                          issuerLocality: 
                          issuerOrganization: Postecom s.p.a.
                        --IssuerAndSerialNumber
                        encryptedKeyNumBytes: 128
                      --RecipientInfo
                    --Pkcs7_EnvelopedData
                  --Pkcs7_loadXml
                  Pkcs7XmlLoadTimeMs: Elapsed time: 0 millisec
                --loadPkcs7Der_3
                UnEnvelope3:
                  FindPrivateKeyFromSystemCerts:
                    NumRecipientInfos: 2
                    certSerialNumber: 4E805610
                    certIssuerCN: Postecom CS1
                    subjectKeyIdentifier: 
                    Found matching certificate, but no private key is available.
                    certSerialNumber: 4E8AE834
                    certIssuerCN: Postecom CS1
                    subjectKeyIdentifier: 
                    Found matching certificate, but no private key is available.
                  --FindPrivateKeyFromSystemCerts
                  No certificate with private key found.
                --UnEnvelope3
                Failed to unenvelope message
              --unwrapEnveloped
              An encrypted email was received
              Not all data was decrypted
              num_parts_encrypted: 1
            --unwrapSecurity
            from: no01@cap02.dac.cec.eu-admin.net
            message_id: 201212071355.qB7DtktZ634902@cap02.dac.cec.eu-admin.net
          --createFromMimeObject5
        --createFromPop3
      --mimeCompleteToEmailObject
    --FetchFullEmail
    Success.
  --CopyMail
--ChilkatLog
"
2012-12-07 15:02:45.7532|Info|MailProcessor|Found 3 messages in Eurodac on 163.174.72.131 with account napnotest using FitPlusServer handler
2012-12-07 15:02:45.7532|Trace|MailProcessor|Message number 0. Subject is: NOT1250002200T
2012-12-07 15:02:45.7688|Trace|MailProcessor|Processing 1 attachments
2012-12-07 15:02:45.8001|Warn|MailProcessor|Found non nist file in attachment number 0
2012-12-07 15:02:45.8001|Error|MailProcessor|Could not decrypt e-mail

Answer

It is the recipient's certificate + private key that is used for decryption. The specific certificate(s) required for decryption are indicated within the PKCS7 of the encrypted email. If there are multiple recipients, then there may be multiple certs that can be used for decryption. Any one cert + private key listed in the RecipientInfos may be used for decryption. Chilkat tries to find one of them. For example, in the last email, you'll see this:

                UnEnvelope3:
                  FindPrivateKeyFromSystemCerts:
                    NumRecipientInfos: 2
                    certSerialNumber: 4E805610
                    certIssuerCN: Postecom CS1
                    subjectKeyIdentifier: 
                    Found matching certificate, but no private key is available.
                    certSerialNumber: 4E8AE834
                    certIssuerCN: Postecom CS1
                    subjectKeyIdentifier: 
                    Found matching certificate, but no private key is available.
                  --FindPrivateKeyFromSystemCerts
                  No certificate with private key found.
                --UnEnvelope3
There are 2 possible certs that can be used, both identified by serial number and issuerCN. Chilkat finds both of them, but neither has the associated private key installed. You need to make sure these certs are installed with the private key.
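The lookup described in this answer (read the RecipientInfos out of the PKCS#7 EnvelopedData, then look for a certificate with that issuer and serial number that also has a usable private key) can be reproduced on the affected Windows machine without Chilkat, which separates "no private key" from "expired". The script below is an added diagnostic example written for this page; it is not code from the original post or from Chilkat. It assumes Windows with .NET Framework 4.6 or later (System.Security.dll provides EnvelopedCms, and RSACertificateExtensions is used to actually open the key), and that the encrypted MIME part has been saved to a file; the path `C:\temp\smime.p7m` is a placeholder. For reference, the OID 1.2.840.113549.3.7 in the log is des-ede3-cbc, and a 128-byte encrypted key means the recipient keys are 1024-bit RSA.

```powershell
# Added example (not from the original post or Chilkat). Assumes Windows,
# .NET Framework 4.6+, and an encrypted MIME part saved to $Path (placeholder).
param(
    [string]$Path = 'C:\temp\smime.p7m'   # placeholder: PKCS#7 EnvelopedData, DER or base64
)

Add-Type -AssemblyName System.Security

$bytes = [System.IO.File]::ReadAllBytes($Path)
# A DER SEQUENCE starts with 0x30; anything else is treated as the base64 body
# of an application/pkcs7-mime part that was saved without decoding.
if ($bytes[0] -ne 0x30) {
    $bytes = [Convert]::FromBase64String([System.Text.Encoding]::ASCII.GetString($bytes))
}

$cms = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
$cms.Decode($bytes)   # parses the structure only; no key is touched yet

Write-Output ("Content encryption OID: {0}" -f $cms.ContentEncryptionAlgorithm.Oid.Value)
Write-Output ("Recipients: {0}" -f $cms.RecipientInfos.Count)

# Same two stores a Windows application normally searches for a decryption key.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

foreach ($ri in $cms.RecipientInfos) {
    $id = $ri.RecipientIdentifier
    if ($id.Type -eq [System.Security.Cryptography.Pkcs.SubjectIdentifierType]::IssuerAndSerialNumber) {
        $serial = $id.Value.SerialNumber       # uppercase hex, same format as X509Certificate2.SerialNumber
        $issuer = $id.Value.IssuerName
        Write-Output "RecipientInfo: issuer=$issuer serial=$serial"
        $filter = { $_.SerialNumber -eq $serial }
    } else {
        # The log shows empty subjectKeyIdentifier fields, but handle SKI recipients too.
        $ski = $id.Value
        Write-Output "RecipientInfo: subjectKeyIdentifier=$ski"
        $filter = {
            ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } |
                ForEach-Object { $_.SubjectKeyIdentifier }) -eq $ski
        }
    }

    foreach ($store in $stores) {
        $found = Get-ChildItem $store | Where-Object $filter
        if (-not $found) { Write-Output "  $store : no matching certificate"; continue }
        foreach ($c in $found) {
            # HasPrivateKey only means the store entry references a key container.
            # Opening the key as the current account catches key-ACL and wrong-profile
            # problems, which show up as "cert found, no private key" in applications.
            $keyOpens = $false
            if ($c.HasPrivateKey) {
                try {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
                    $keyOpens = ($null -ne $rsa)
                } catch { $keyOpens = $false }
            }
            [pscustomobject]@{
                Store         = $store
                Subject       = $c.Subject
                Issuer        = $c.Issuer
                HasPrivateKey = $c.HasPrivateKey
                KeyOpens      = $keyOpens
                NotAfter      = $c.NotAfter
                Expired       = ($c.NotAfter -lt (Get-Date))
            } | Format-List
        }
    }
}

# Finally let .NET do the same search and the decryption itself; the exception
# text distinguishes "no recipient matched" from "matched but key unusable".
try {
    $cms.Decrypt()
    Write-Output ("Decrypted {0} bytes of content" -f $cms.ContentInfo.Content.Length)
} catch {
    Write-Output "Decrypt failed: $($_.Exception.Message)"
}
```

Run it under the same account the Pop3MonitorService uses, not as the interactive administrator: `Cert:\CurrentUser\My` is per account, so a PFX imported by double-clicking it while logged in as Administrator is invisible to a service running as Local System or Network Service. For a service, import the PFX into `LocalMachine\My` and give the service account read access to the private key (certlm.msc, right-click the certificate, All Tasks, Manage Private Keys). If the certificate is present and `HasPrivateKey` is false although the key container exists for that account, `certutil -repairstore My <serial>` re-links the certificate to its key. Whether `Expired` is true is reported separately, so the output answers the question of whether the failure is the missing key or the expiry date.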