GET the real content of a .p7m file with CAPICOM

Hi all,

I receive a certified email with an attachment with the .p7m extension. How can I retrieve the original content after verifying the signature with CAPICOM? EnvelopedData fails when I try to Decrypt it.

I am under .NET using C#, and I need to save the original content in a DB or in a shared folder.

Thank you in advance!

Riccardo

This is a Visual Basic .NET (no CAPICOM) sample:
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Pkcs

' Decode a PKCS#7 SignedData blob, verify the signature and return the signed content.
Public Function DecodeMessage(ByVal signedContent() As Byte, ByRef clearContent() As Byte) As Boolean
    Dim signedCms As SignedCms
    Try
        ' Prepare an object in which to decode and verify.
        signedCms = New SignedCms()
        signedCms.Decode(signedContent)
        ' Verify the signature (False = also validate the signer certificate chain)
        signedCms.CheckSignature(False)
        ' Recover the original message
        clearContent = signedCms.ContentInfo.Content
        Return True
    Catch e As System.Security.Cryptography.CryptographicException
        Return False
    End Try
End Function

Ciao, Alessandro

To avoid any issues with .NET 1.1 CAPICOM marshalling, it is best to use .NET 2 support for PKCS#7. See sample at: http://windowssdk.msdn.microsoft.com/en-us/library/ms180956.aspx

C# verification code extracted from the above with content extraction, and similar to the VB.NET code above, works properly on your provided p7m binary blob:

--------- start snippet -------------
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;

static public bool VerifyMsg(byte[] encodedSignedCms)
{
    SignedCms signedCms = new SignedCms();

    try
    {
        // try to decode as pkcs7 signature
        signedCms.Decode(encodedSignedCms);

        // Verify signature. Do not validate signer
        // certificate for the purposes of this example.
        // Note that in a production environment, validating
        // the signer certificate chain will probably
        // be necessary.
        Console.Write("Checking signature on message ... ");
        signedCms.CheckSignature(true);
        Console.WriteLine("Done.");
        byte[] incontent = signedCms.ContentInfo.Content;
        // process content; write to file or DB etc..;
    }
    catch (System.Security.Cryptography.CryptographicException e)
    {
        Console.WriteLine("VerifyMsg caught exception: {0}", e.Message);
        // ....
        return false;
    }

    return true;
}
----------- end snippet -------------

- Mitch
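Mitch's snippet deliberately leaves out the check that matters in production (CheckSignature(true) verifies the signature but not who signed), and the OP's Decrypt error is the expected outcome of handing a signed-only .p7m, which is SignedData, to the EnvelopedData object. The block below is an added example, not code from the thread or from Microsoft's sample: it accepts either DER or base64 input, refuses detached signatures, verifies the signature and each signer's chain with online revocation checking, and writes the payload out. The class name, file paths and the PDF sanity check are my own additions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the thread. Targets .NET Framework 2.0+ (System.Security.dll);
// on modern .NET add the System.Security.Cryptography.Pkcs package. Class and path names
// are hypothetical.
static class P7mExtractor
{
    // Accept either raw DER (first byte 0x30, a SEQUENCE) or base64 text, optionally
    // wrapped in -----BEGIN/END----- lines, which is how a certified-mail attachment may arrive.
    static byte[] LoadP7m(string path)
    {
        byte[] raw = File.ReadAllBytes(path);
        if (raw.Length > 0 && raw[0] == 0x30) return raw;

        StringBuilder b64 = new StringBuilder();
        foreach (string line in Encoding.ASCII.GetString(raw).Split('\n'))
            if (!line.StartsWith("-----")) b64.Append(line.Trim());
        return Convert.FromBase64String(b64.ToString());
    }

    // Cheap sanity check before storing: Riccardo's payloads are PDFs, which start with "%PDF".
    static bool LooksLikePdf(byte[] content)
    {
        return content.Length >= 4 && content[0] == 0x25 && content[1] == 0x50
            && content[2] == 0x44 && content[3] == 0x46;
    }

    // Verify the .p7m and return the signed payload; throws on anything suspicious.
    static byte[] Extract(string p7mPath, string outputPath)
    {
        byte[] encoded = LoadP7m(p7mPath);

        SignedCms cms = new SignedCms();
        // Throws CryptographicException if the blob is not SignedData. A .p7m that is
        // actually EnvelopedData (encrypted) needs EnvelopedCms.Decode/Decrypt instead;
        // the OP's Decrypt failure is the mirror image: a signed-only .p7m is SignedData.
        cms.Decode(encoded);

        if (cms.Detached)
            throw new CryptographicException("Detached signature: the payload is not inside the .p7m.");

        // false = check the signature AND build/validate each signer's certificate chain.
        // Mitch's sample passes true, which accepts any syntactically valid signature.
        cms.CheckSignature(false);

        // Build the chain again with an explicit policy so revocation is actually consulted.
        foreach (SignerInfo signer in cms.SignerInfos)
        {
            X509Chain chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            if (!chain.Build(signer.Certificate))
                throw new CryptographicException("Signer " + signer.Certificate.Subject
                    + " rejected: " + chain.ChainStatus[0].StatusInformation.Trim());
        }

        byte[] content = cms.ContentInfo.Content;
        File.WriteAllBytes(outputPath, content);
        return content;
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: p7mextract <in.p7m> <out.bin>");
            return 2;
        }
        try
        {
            byte[] content = Extract(args[0], args[1]);
            Console.WriteLine("Signature and chain OK; wrote {0} bytes{1}", content.Length,
                LooksLikePdf(content) ? " (PDF)" : "");
            return 0;
        }
        catch (CryptographicException e)
        {
            // Not SignedData, bad signature, untrusted/expired/revoked signer, or detached.
            Console.Error.WriteLine("Rejected: " + e.Message);
            return 1;
        }
    }
}
```

The signing CA of the certified-mail provider has to be trusted by the machine running this, otherwise chain.Build fails with an untrusted-root status; that is the fail-closed result you want, not something to paper over by going back to CheckSignature(true). On modern .NET the same code runs with the System.Security.Cryptography.Pkcs package, and the CAPICOM marshalling problem discussed later in the thread does not arise at all because no COM string conversion is involved.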
Hi Mitch, thank you very much.

Unfortunately I am under .NET 1.1. But I found the way by converting the SignedData.Content to string using UnicodeEncoding.

Thank you for all.

See you on the group.

Riccardo
I think that approach will only work when the actual binary content is an exact even number of bytes (which yours is: 24258). If the signed content size is odd, then you will get COM interop marshalling truncation problems. This is documented and is a general problem with how CAPICOM methods implement the content extraction and string conversion (even before you do any further conversions) ... you can search deja.com for fixes.

- Mitch
Hi Mitch,

I tried also with odd size and it works fine. Maybe you are right, marshalling problems are known. If it happens I will go to another solution.

Thank you for the help,

Riccardo
OK, let's be very specific about this: I'm talking about a PKCS#7 signed message where the included content is an odd number of bytes (i.e. it is not Unicode or b64 encoded BEFORE it is signed).

So with this .NET 1.1 CAPICOM interop relevant code:
--------------
oSignedData = new SignedDataClass();
....
oSignedData.Verify(pkcsig, false,
    CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE);
...
String content = oSignedData.Content;
------------------

how are you recovering an odd number of content bytes from within .NET 1.1/CAPICOM interop?

- Mitch Gallant
Are you saying that it is impossible?

I don't know a lot about these troubles...
You didn't answer my question. How did you (please show your code) recover the content, using .NET CAPICOM interop, when the signature generated contained an ODD number of bytes?

There is a workaround, but it involves disassembling/reassembling the COM interop library. There is a description of the problem and workaround here: http://www.codeproject.com/dotnet/CapicomUTF8.asp?df=100

Another potential workaround is to make sure everything that needs to be a string in CAPICOM and converted to .NET is an exact EVEN number of bytes. The only way I can see this is to make sure every possible argument that is marshalled from CAPICOM to .NET is b64 encoded. My experience, trying this out, is that data sizes, including the PKCS#7, get bloated pretty fast and it is not really a workable solution.

- Mitch
I receive, as you know, a b64 encoded PKCS#7 (just signed), pdfStr. Then I do this:

capicomNET.SignedData sd = new capicomNET.SignedDataClass();
sd.Verify(pdfStr, false, capicomNET.CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_ONLY);
pdf = (new System.Text.UnicodeEncoding()).GetBytes(sd.Content);

I store this stream of bytes in a DB or in the file system and I open it as a regular PDF, regardless of whether it is ODD or EVEN in bytes.

Riccardo
> >> String content = oSignedData.Content; > >> ------------------ > >> > >> how are you recovering an odd number of content bytes from within .NET > >> 1.1/CAPICOM interop? > >> > >> - Mitch Gallant > >> > >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message > >> news:1159519559.322291.157750@c28g2000cwb.googlegroups.com... > >> > Hi mitch, > >> > > >> > I tried also with odd size and it works fine. Maybe you are right, > >> > marshalling problems are known. If it will happens I will go to another > >> > solution. > >> > > >> > Thank you for the help, > >> > > >> > Riccardo > >> > > >> > Mitch Gallant wrote: > >> >> I think that approach will only work when the actual binary content is > >> >> an > >> >> exact even number of bytes (which yours is 24258). > >> >> If the signed content size is odd, then you will get COM interop > >> >> marshalling > >> >> truncation problems. > >> >> This is documented and is a general problem with how CAPICOM methods > >> >> inplement the content extraction and string conversion (even before > >> >> you > >> >> do > >> >> any further conversions) > >> >> .. you can search deja.com for fixes. > >> >> - Mitch > >> >> > >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message > >> >> news:1158823581.681980.197100@e3g2000cwe.googlegroups.com... > >> >> > Hi mitch, thank you very much. > >> >> > > >> >> > Unfortunatly I am under .NET 1.1. But I found the way by converting > >> >> > the > >> >> > SignedData.Content to string using UnicodeEncoding. > >> >> > > >> >> > Thank you for all. > >> >> > > >> >> > See you on the group. > >> >> > > >> >> > Riccardo > >> >> > > >> >> > Mitch Gallant wrote: > >> >> >> To avoid any issues with .net 1.1 CAPICOM marshalling, it is best > >> >> >> to > >> >> >> use > >> >> >> .NET 2 support for pkcs7. 
> >> >> >> See sample at: > >> >> >> http://windowssdk.msdn.microsoft.com/en-us/library/ms180956.aspx > >> >> >> C# verification code extracted from above with content extraction, > >> >> >> and > >> >> >> similar to VB.net code below works properly on your provided p7m > >> >> >> binary > >> >> >> blob: > >> >> >> > >> >> >> --------- start snippet ------------- > >> >> >> static public bool VerifyMsg(byte[] encodedSignedCms) > >> >> >> { > >> >> >> SignedCms signedCms = new SignedCms(); > >> >> >> > >> >> >> try > >> >> >> { > >> >> >> // try to decode as pkcs7 signature > >> >> >> signedCms.Decode(encodedSignedCms); > >> >> >> > >> >> >> // Verify signature. Do not validate signer > >> >> >> // certificate for the purposes of this example. > >> >> >> // Note that in a production environment, validating > >> >> >> // the signer certificate chain will probably > >> >> >> // be necessary. > >> >> >> Console.Write("Checking signature on message ... "); > >> >> >> signedCms.CheckSignature(true); > >> >> >> Console.WriteLine("Done."); > >> >> >> byte[] incontent = signedCms.ContentInfo.Content; > >> >> >> // process content; write to file or DB etc..; > >> >> >> } > >> >> >> catch > >> >> >> (System.Security.Cryptography.CryptographicException > >> >> >> e) > >> >> >> { > >> >> >> Console.WriteLine("VerifyMsg caught exception: > >> >> >> {0}", > >> >> >> e.Message); > >> >> >> .... > >> >> >> return false; > >> >> >> } > >> >> >> > >> >> >> return true; > >> >> >> } > >> >> >> ----------- end snippet ------------- > >> >> >> > >> >> >> - Mitch > >> >> >> > >> >> >> > >> >> >> "Alessandro Sorcinelli" <asorcine***@itconsult.it> wrote in message > >> >> >> news:eecGeoM2GHA.3576@TK2MSFTNGP03.phx.gbl... 
> >> >> >> > This is a Visual Basic .NET (no Capicom) Sample: > >> >> >> > > >> >> >> > Public Function DecodeMessage(ByVal signedContent() As Byte, > >> >> >> > ByRef > >> >> >> > clearContent() As Byte) As Boolean > >> >> >> > Dim signedCms As SignedCms > >> >> >> > Try > >> >> >> > > >> >> >> > ' Prepare an object in which to decode and verify. > >> >> >> > signedCms = New SignedCms() > >> >> >> > signedCms.Decode(signedContent) > >> >> >> > ' Verifico la firma > >> >> >> > signedCms.CheckSignature(False) > >> >> >> > ' Recupero il messaggio originale > >> >> >> > clearContent = signedCms.ContentInfo.Content > >> >> >> > Return True > >> >> >> > Catch e As System.Security.Cryptography.CryptographicException > >> >> >> > Return False > >> >> >> > End Try > >> >> >> > End Function > >> >> >> > > >> >> >> > Ciao, Alessandro > >> >> >> > > >> >> >> > > >> >> >> > <rdavi***@gmail.com> ha scritto nel messaggio > >> >> >> > news:1158326179.502075.220840@i3g2000cwc.googlegroups.com... > >> >> >> >> Hi all, > >> >> >> >> > >> >> >> >> I receive a certified email with an attachment in .p7m > >> >> >> >> extension. > >> >> >> >> How can I retrieve the original content after verifying the sign > >> >> >> >> with > >> >> >> >> CAPICOM? > >> >> >> >> The EnvelopedData failed when I try to Decrypt it. > >> >> >> >> > >> >> >> >> I am under .NET using C#, and I need to save the original > >> >> >> >> content > >> >> >> >> in a > >> >> >> >> db or in a shared folder. > >> >> >> >> > >> >> >> >> Thank you in advance! > >> >> >> >> > >> >> >> >> Riccardo > >> >> >> >> > >> >> >> > > >> >> >> > > >> >> > > >> > > > That code "sd.Content" will marshal to string in .NET and chop off the final
byte if there was an odd number of bytes in the actual content Are you SURE the content in the pkcs7 was in fact an ODD number of bytes? Show me a sample of yoru pkcs7 with an ODD number of bytes in the signature. - Mitch Show quoteHide quote "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message news:1160063626.311675.22590@i3g2000cwc.googlegroups.com... >I receive, as you know a b64 encoded pkcs7 just signed, pdfStr. Then I > do that: > > capicomNET.SignedData sd = new capicomNET.SignedDataClass(); > sd.Verify(pdfStr,false,capicomNET.CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_ONLY); > pdf = (new System.Text.UnicodeEncoding()).GetBytes(sd.Content); > > I store this stream of byte in a DB or in the fileSystem and I open it > as a regular pdf, indifferently if it is ODD or EVEN in bytes. > > Riccardo > > Mitch Gallant ha scritto: > >> You didn't answer my question. How did you (please show your code) >> recover >> the content, using .NET CAPICOM interop, when the signature generated >> contained an ODD number of bytes? >> >> There is a workaround, but it involves diss/reassembling the COM interop >> library. >> There is a description of the problem and workaround here: >> http://www.codeproject.com/dotnet/CapicomUTF8.asp?df=100 >> >> Another potential workaround is to make sure everything that needs to be >> a >> string in CAPICOM and converted to .NET is an exact EVEN number of bytes. >> The only way I can see this is to make sure possible argument that is >> marshalled from CAPICOM to .NET is b64 encoded. My experience, trying >> this >> out, is that data sizes, including the pkcs#7 get bloated pretty fast and >> is >> not really a workable solution. >> >> - Mitch >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message >> news:1160058483.318071.73110@e3g2000cwe.googlegroups.com... >> > Are you saying that is impossible? >> > >> > I don't know a lot about this troubles... 
>> > >> > Mitch Gallant ha scritto: >> > >> >> ok let's be very specific about this: >> >> I'm talking about a pkcs7 signed message where the included content is >> >> an >> >> odd number of bytes (i.e. it is not unicode or b64 encoded BEFORE it >> >> is >> >> signed). >> >> >> >> So with this .NET 1.1 CAPICOM interop relevant code: >> >> -------------- >> >> oSignedData = new SignedDataClass() ; >> >> .... >> >> oSignedData.Verify(pkcsig, false, >> >> CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE) >> >> ; >> >> ... >> >> String content = oSignedData.Content; >> >> ------------------ >> >> >> >> how are you recovering an odd number of content bytes from within .NET >> >> 1.1/CAPICOM interop? >> >> >> >> - Mitch Gallant >> >> >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message >> >> news:1159519559.322291.157750@c28g2000cwb.googlegroups.com... >> >> > Hi mitch, >> >> > >> >> > I tried also with odd size and it works fine. Maybe you are right, >> >> > marshalling problems are known. If it will happens I will go to >> >> > another >> >> > solution. >> >> > >> >> > Thank you for the help, >> >> > >> >> > Riccardo >> >> > >> >> > Mitch Gallant wrote: >> >> >> I think that approach will only work when the actual binary content >> >> >> is >> >> >> an >> >> >> exact even number of bytes (which yours is 24258). >> >> >> If the signed content size is odd, then you will get COM interop >> >> >> marshalling >> >> >> truncation problems. >> >> >> This is documented and is a general problem with how CAPICOM >> >> >> methods >> >> >> inplement the content extraction and string conversion (even before >> >> >> you >> >> >> do >> >> >> any further conversions) >> >> >> .. you can search deja.com for fixes. >> >> >> - Mitch >> >> >> >> >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message >> >> >> news:1158823581.681980.197100@e3g2000cwe.googlegroups.com... >> >> >> > Hi mitch, thank you very much. 
>> >> >> > >> >> >> > Unfortunatly I am under .NET 1.1. But I found the way by >> >> >> > converting >> >> >> > the >> >> >> > SignedData.Content to string using UnicodeEncoding. >> >> >> > >> >> >> > Thank you for all. >> >> >> > >> >> >> > See you on the group. >> >> >> > >> >> >> > Riccardo >> >> >> > >> >> >> > Mitch Gallant wrote: >> >> >> >> To avoid any issues with .net 1.1 CAPICOM marshalling, it is >> >> >> >> best >> >> >> >> to >> >> >> >> use >> >> >> >> .NET 2 support for pkcs7. >> >> >> >> See sample at: >> >> >> >> >> >> >> >> http://windowssdk.msdn.microsoft.com/en-us/library/ms180956.aspx >> >> >> >> C# verification code extracted from above with content >> >> >> >> extraction, >> >> >> >> and >> >> >> >> similar to VB.net code below works properly on your provided p7m >> >> >> >> binary >> >> >> >> blob: >> >> >> >> >> >> >> >> --------- start snippet ------------- >> >> >> >> static public bool VerifyMsg(byte[] encodedSignedCms) >> >> >> >> { >> >> >> >> SignedCms signedCms = new SignedCms(); >> >> >> >> >> >> >> >> try >> >> >> >> { >> >> >> >> // try to decode as pkcs7 signature >> >> >> >> signedCms.Decode(encodedSignedCms); >> >> >> >> >> >> >> >> // Verify signature. Do not validate signer >> >> >> >> // certificate for the purposes of this example. >> >> >> >> // Note that in a production environment, validating >> >> >> >> // the signer certificate chain will probably >> >> >> >> // be necessary. >> >> >> >> Console.Write("Checking signature on message ... "); >> >> >> >> signedCms.CheckSignature(true); >> >> >> >> Console.WriteLine("Done."); >> >> >> >> byte[] incontent = signedCms.ContentInfo.Content; >> >> >> >> // process content; write to file or DB etc..; >> >> >> >> } >> >> >> >> catch >> >> >> >> (System.Security.Cryptography.CryptographicException >> >> >> >> e) >> >> >> >> { >> >> >> >> Console.WriteLine("VerifyMsg caught exception: >> >> >> >> {0}", >> >> >> >> e.Message); >> >> >> >> .... 
>> >> >> >> return false; >> >> >> >> } >> >> >> >> >> >> >> >> return true; >> >> >> >> } >> >> >> >> ----------- end snippet ------------- >> >> >> >> >> >> >> >> - Mitch >> >> >> >> >> >> >> >> >> >> >> >> "Alessandro Sorcinelli" <asorcine***@itconsult.it> wrote in >> >> >> >> message >> >> >> >> news:eecGeoM2GHA.3576@TK2MSFTNGP03.phx.gbl... >> >> >> >> > This is a Visual Basic .NET (no Capicom) Sample: >> >> >> >> > >> >> >> >> > Public Function DecodeMessage(ByVal signedContent() As Byte, >> >> >> >> > ByRef >> >> >> >> > clearContent() As Byte) As Boolean >> >> >> >> > Dim signedCms As SignedCms >> >> >> >> > Try >> >> >> >> > >> >> >> >> > ' Prepare an object in which to decode and verify. >> >> >> >> > signedCms = New SignedCms() >> >> >> >> > signedCms.Decode(signedContent) >> >> >> >> > ' Verifico la firma >> >> >> >> > signedCms.CheckSignature(False) >> >> >> >> > ' Recupero il messaggio originale >> >> >> >> > clearContent = signedCms.ContentInfo.Content >> >> >> >> > Return True >> >> >> >> > Catch e As >> >> >> >> > System.Security.Cryptography.CryptographicException >> >> >> >> > Return False >> >> >> >> > End Try >> >> >> >> > End Function >> >> >> >> > >> >> >> >> > Ciao, Alessandro >> >> >> >> > >> >> >> >> > >> >> >> >> > <rdavi***@gmail.com> ha scritto nel messaggio >> >> >> >> > news:1158326179.502075.220840@i3g2000cwc.googlegroups.com... >> >> >> >> >> Hi all, >> >> >> >> >> >> >> >> >> >> I receive a certified email with an attachment in .p7m >> >> >> >> >> extension. >> >> >> >> >> How can I retrieve the original content after verifying the >> >> >> >> >> sign >> >> >> >> >> with >> >> >> >> >> CAPICOM? >> >> >> >> >> The EnvelopedData failed when I try to Decrypt it. >> >> >> >> >> >> >> >> >> >> I am under .NET using C#, and I need to save the original >> >> >> >> >> content >> >> >> >> >> in a >> >> >> >> >> db or in a shared folder. >> >> >> >> >> >> >> >> >> >> Thank you in advance! 
>> >> >> >> >> >> >> >> >> >> Riccardo >> >> >> >> >> >> >> >> >> > >> >> >> >> > >> >> >> > >> >> > >> > > Simple test case:
original content is bytes {1, 2, 3, 4, 7} i.e. 5 bytes Signed as pkcs7 with that content. Following code: oSignedData.Verify(pkcsig, false, CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE) ; byte[] cntnt = (new System.Text.UnicodeEncoding()).GetBytes(oSignedData.Content); Returns cntnt = {1, 2, 3, 4} so the odd end byte (0x7) is chopped off. In SOME cases, depending on what the content actually IS .. you might be able to get away with loosing a final byte .. but generally this will be disastrous. You just can't get around this CAPICOM --> .NET string marshalling and truncation problem. - Mitch Gallant Show quoteHide quote "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message news:1160063626.311675.22590@i3g2000cwc.googlegroups.com... >I receive, as you know a b64 encoded pkcs7 just signed, pdfStr. Then I > do that: > > capicomNET.SignedData sd = new capicomNET.SignedDataClass(); > sd.Verify(pdfStr,false,capicomNET.CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_ONLY); > pdf = (new System.Text.UnicodeEncoding()).GetBytes(sd.Content); > > I store this stream of byte in a DB or in the fileSystem and I open it > as a regular pdf, indifferently if it is ODD or EVEN in bytes. > > Riccardo > > Mitch Gallant ha scritto: > >> You didn't answer my question. How did you (please show your code) >> recover >> the content, using .NET CAPICOM interop, when the signature generated >> contained an ODD number of bytes? >> >> There is a workaround, but it involves diss/reassembling the COM interop >> library. >> There is a description of the problem and workaround here: >> http://www.codeproject.com/dotnet/CapicomUTF8.asp?df=100 >> >> Another potential workaround is to make sure everything that needs to be >> a >> string in CAPICOM and converted to .NET is an exact EVEN number of bytes. >> The only way I can see this is to make sure possible argument that is >> marshalled from CAPICOM to .NET is b64 encoded. 
My experience, trying >> this >> out, is that data sizes, including the pkcs#7 get bloated pretty fast and >> is >> not really a workable solution. >> >> - Mitch >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message >> news:1160058483.318071.73110@e3g2000cwe.googlegroups.com... >> > Are you saying that is impossible? >> > >> > I don't know a lot about this troubles... >> > >> > Mitch Gallant ha scritto: >> > >> >> ok let's be very specific about this: >> >> I'm talking about a pkcs7 signed message where the included content is >> >> an >> >> odd number of bytes (i.e. it is not unicode or b64 encoded BEFORE it >> >> is >> >> signed). >> >> >> >> So with this .NET 1.1 CAPICOM interop relevant code: >> >> -------------- >> >> oSignedData = new SignedDataClass() ; >> >> .... >> >> oSignedData.Verify(pkcsig, false, >> >> CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE) >> >> ; >> >> ... >> >> String content = oSignedData.Content; >> >> ------------------ >> >> >> >> how are you recovering an odd number of content bytes from within .NET >> >> 1.1/CAPICOM interop? >> >> >> >> - Mitch Gallant >> >> >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message >> >> news:1159519559.322291.157750@c28g2000cwb.googlegroups.com... >> >> > Hi mitch, >> >> > >> >> > I tried also with odd size and it works fine. Maybe you are right, >> >> > marshalling problems are known. If it will happens I will go to >> >> > another >> >> > solution. >> >> > >> >> > Thank you for the help, >> >> > >> >> > Riccardo >> >> > >> >> > Mitch Gallant wrote: >> >> >> I think that approach will only work when the actual binary content >> >> >> is >> >> >> an >> >> >> exact even number of bytes (which yours is 24258). >> >> >> If the signed content size is odd, then you will get COM interop >> >> >> marshalling >> >> >> truncation problems. 
>> >> >> This is documented and is a general problem with how CAPICOM >> >> >> methods >> >> >> inplement the content extraction and string conversion (even before >> >> >> you >> >> >> do >> >> >> any further conversions) >> >> >> .. you can search deja.com for fixes. >> >> >> - Mitch >> >> >> >> >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message >> >> >> news:1158823581.681980.197100@e3g2000cwe.googlegroups.com... >> >> >> > Hi mitch, thank you very much. >> >> >> > >> >> >> > Unfortunatly I am under .NET 1.1. But I found the way by >> >> >> > converting >> >> >> > the >> >> >> > SignedData.Content to string using UnicodeEncoding. >> >> >> > >> >> >> > Thank you for all. >> >> >> > >> >> >> > See you on the group. >> >> >> > >> >> >> > Riccardo >> >> >> > >> >> >> > Mitch Gallant wrote: >> >> >> >> To avoid any issues with .net 1.1 CAPICOM marshalling, it is >> >> >> >> best >> >> >> >> to >> >> >> >> use >> >> >> >> .NET 2 support for pkcs7. >> >> >> >> See sample at: >> >> >> >> >> >> >> >> http://windowssdk.msdn.microsoft.com/en-us/library/ms180956.aspx >> >> >> >> C# verification code extracted from above with content >> >> >> >> extraction, >> >> >> >> and >> >> >> >> similar to VB.net code below works properly on your provided p7m >> >> >> >> binary >> >> >> >> blob: >> >> >> >> >> >> >> >> --------- start snippet ------------- >> >> >> >> static public bool VerifyMsg(byte[] encodedSignedCms) >> >> >> >> { >> >> >> >> SignedCms signedCms = new SignedCms(); >> >> >> >> >> >> >> >> try >> >> >> >> { >> >> >> >> // try to decode as pkcs7 signature >> >> >> >> signedCms.Decode(encodedSignedCms); >> >> >> >> >> >> >> >> // Verify signature. Do not validate signer >> >> >> >> // certificate for the purposes of this example. >> >> >> >> // Note that in a production environment, validating >> >> >> >> // the signer certificate chain will probably >> >> >> >> // be necessary. >> >> >> >> Console.Write("Checking signature on message ... 
"); >> >> >> >> signedCms.CheckSignature(true); >> >> >> >> Console.WriteLine("Done."); >> >> >> >> byte[] incontent = signedCms.ContentInfo.Content; >> >> >> >> // process content; write to file or DB etc..; >> >> >> >> } >> >> >> >> catch >> >> >> >> (System.Security.Cryptography.CryptographicException >> >> >> >> e) >> >> >> >> { >> >> >> >> Console.WriteLine("VerifyMsg caught exception: >> >> >> >> {0}", >> >> >> >> e.Message); >> >> >> >> .... >> >> >> >> return false; >> >> >> >> } >> >> >> >> >> >> >> >> return true; >> >> >> >> } >> >> >> >> ----------- end snippet ------------- >> >> >> >> >> >> >> >> - Mitch >> >> >> >> >> >> >> >> >> >> >> >> "Alessandro Sorcinelli" <asorcine***@itconsult.it> wrote in >> >> >> >> message >> >> >> >> news:eecGeoM2GHA.3576@TK2MSFTNGP03.phx.gbl... >> >> >> >> > This is a Visual Basic .NET (no Capicom) Sample: >> >> >> >> > >> >> >> >> > Public Function DecodeMessage(ByVal signedContent() As Byte, >> >> >> >> > ByRef >> >> >> >> > clearContent() As Byte) As Boolean >> >> >> >> > Dim signedCms As SignedCms >> >> >> >> > Try >> >> >> >> > >> >> >> >> > ' Prepare an object in which to decode and verify. >> >> >> >> > signedCms = New SignedCms() >> >> >> >> > signedCms.Decode(signedContent) >> >> >> >> > ' Verifico la firma >> >> >> >> > signedCms.CheckSignature(False) >> >> >> >> > ' Recupero il messaggio originale >> >> >> >> > clearContent = signedCms.ContentInfo.Content >> >> >> >> > Return True >> >> >> >> > Catch e As >> >> >> >> > System.Security.Cryptography.CryptographicException >> >> >> >> > Return False >> >> >> >> > End Try >> >> >> >> > End Function >> >> >> >> > >> >> >> >> > Ciao, Alessandro >> >> >> >> > >> >> >> >> > >> >> >> >> > <rdavi***@gmail.com> ha scritto nel messaggio >> >> >> >> > news:1158326179.502075.220840@i3g2000cwc.googlegroups.com... >> >> >> >> >> Hi all, >> >> >> >> >> >> >> >> >> >> I receive a certified email with an attachment in .p7m >> >> >> >> >> extension. 
>> >> >> >> >> How can I retrieve the original content after verifying the >> >> >> >> >> sign >> >> >> >> >> with >> >> >> >> >> CAPICOM? >> >> >> >> >> The EnvelopedData failed when I try to Decrypt it. >> >> >> >> >> >> >> >> >> >> I am under .NET using C#, and I need to save the original >> >> >> >> >> content >> >> >> >> >> in a >> >> >> >> >> db or in a shared folder. >> >> >> >> >> >> >> >> >> >> Thank you in advance! >> >> >> >> >> >> >> >> >> >> Riccardo >> >> >> >> >> >> >> >> >> > >> >> >> >> > >> >> >> > >> >> > >> > > If you are talking about CAPICOM COM-interop with .NET, then there are some
issues with marshalling strings from COM to .NET in the CAPICOM fns for binary data files which have some workarounds based on dis/reass the capicom.dll interop lib. Better (as other posted stated) to use .NET 2 pkcs7 support. Alternately, Pinvoking to capi (for decrypting and sig verif) is possible if not a bit messy : http://www.jensign.com/JavaScience/dotnet/DecEnvelop What mail program was used to envelope (sign and encrypt to recipient) ?? I think OE/O both sign and THEN encrypt the signed blob with the usual SMIME wrapping. For email attachments, for detached signatures, you need to know what content you are verifying the signature against. http://www.jensign.com/JavaScience/verify/smimenote.html - Mitch Gallant MVP Security <rdavi***@gmail.com> wrote in message Show quoteHide quote news:1158326179.502075.220840@i3g2000cwc.googlegroups.com... > Hi all, > > I receive a certified email with an attachment in .p7m extension. > How can I retrieve the original content after verifying the sign with > CAPICOM? > The EnvelopedData failed when I try to Decrypt it. > > I am under .NET using C#, and I need to save the original content in a > db or in a shared folder. > > Thank you in advance! > > Riccardo > The other thing I would add to this is that since OP said he tried
EnvelopedData initially and it failed on Decrypt, there is no reason to suspect that CAPICOM will solve this problem anyway. If he used the class correctly and can't decrypt, that should mean he doesn't have the right certificate/private key combo available in that execution context. CAPICOM can't do anything any better here. If the problem was operator error, EnvelopedData is still the better way to go. Joe K. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "Mitch Gallant" <jensigner@community.nospam> wrote in message news:e9h7L5M2GHA.1256@TK2MSFTNGP02.phx.gbl... > If you are talking about CAPICOM COM-interop with .NET, then there are > some issues with marshalling strings from COM to .NET in the CAPICOM fns > for binary data files which have some workarounds based on dis/reass the > capicom.dll interop lib. > > Better (as other posted stated) to use .NET 2 pkcs7 support. > Alternately, Pinvoking to capi (for decrypting and sig verif) is possible > if not a bit messy : http://www.jensign.com/JavaScience/dotnet/DecEnvelop > > What mail program was used to envelope (sign and encrypt to recipient) ?? > I think OE/O both sign and THEN encrypt the signed blob with the usual > SMIME wrapping. > For email attachments, for detached signatures, you need to know what > content you are verifying the signature against. > http://www.jensign.com/JavaScience/verify/smimenote.html > > - Mitch Gallant > MVP Security > > <rdavi***@gmail.com> wrote in message > news:1158326179.502075.220840@i3g2000cwc.googlegroups.com... >> Hi all, >> >> I receive a certified email with an attachment in .p7m extension. >> How can I retrieve the original content after verifying the sign with >> CAPICOM? >> The EnvelopedData failed when I try to Decrypt it. >> >> I am under .NET using C#, and I need to save the original content in a >> db or in a shared folder. 
>> >> Thank you in advance! >> >> Riccardo >> > > I just checked encrypted+signed S-MIME messages created by both OE6 and
Outlook 2003 and both these mail clients create .p7m as signed first and then encrypted. Both can be decrypted (first) using the .net DecEnvelop.exe utility on the b64-encoded .p7m blob from the message source. Try that first. This will ensure that you have properly configured access to your RSA keypair. - Mitch Show quoteHide quote "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in message news:%23a6ilzN2GHA.1304@TK2MSFTNGP05.phx.gbl... > The other thing I would add to this is that since OP said he tried > EnvelopedData initially and it failed on Decrypt, there is no reason to > suspect that CAPICOM will solve this problem anyway. If he used the class > correctly and can't decrypt, that should mean he doesn't have the right > certificate/private key combo available in that execution context. > CAPICOM can't do anything any better here. > > If the problem was operator error, EnvelopedData is still the better way > to go. > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services > Programming" > http://www.directoryprogramming.net > -- > "Mitch Gallant" <jensigner@community.nospam> wrote in message > news:e9h7L5M2GHA.1256@TK2MSFTNGP02.phx.gbl... >> If you are talking about CAPICOM COM-interop with .NET, then there are >> some issues with marshalling strings from COM to .NET in the CAPICOM fns >> for binary data files which have some workarounds based on dis/reass the >> capicom.dll interop lib. >> >> Better (as other posted stated) to use .NET 2 pkcs7 support. >> Alternately, Pinvoking to capi (for decrypting and sig verif) is possible >> if not a bit messy : http://www.jensign.com/JavaScience/dotnet/DecEnvelop >> >> What mail program was used to envelope (sign and encrypt to recipient) ?? >> I think OE/O both sign and THEN encrypt the signed blob with the usual >> SMIME wrapping. 
>> For email attachments, for detached signatures, you need to know what >> content you are verifying the signature against. >> http://www.jensign.com/JavaScience/verify/smimenote.html >> >> - Mitch Gallant >> MVP Security >> >> <rdavi***@gmail.com> wrote in message >> news:1158326179.502075.220840@i3g2000cwc.googlegroups.com... >>> Hi all, >>> >>> I receive a certified email with an attachment in .p7m extension. >>> How can I retrieve the original content after verifying the sign with >>> CAPICOM? >>> The EnvelopedData failed when I try to Decrypt it. >>> >>> I am under .NET using C#, and I need to save the original content in a >>> db or in a shared folder. >>> >>> Thank you in advance! >>> >>> Riccardo >>> >> >> > > Hi Mitch,
I will try your decenvelop.exe on my file that is a pdf in a p7m format (I think signed and then encrypted as you said) and we will see. Thank you. Riccardo Mitch Gallant ha scritto: Show quoteHide quote > I just checked encrypted+signed S-MIME messages created by both OE6 and > Outlook 2003 and both these mail clients create .p7m as signed first and > then encrypted. > > Both can be decrypted (first) using the .net DecEnvelop.exe utility on the > b64-encoded .p7m blob from the message source. > Try that first. This will ensure that you have properly configured access to > your RSA keypair. > > - Mitch > > "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in message > news:%23a6ilzN2GHA.1304@TK2MSFTNGP05.phx.gbl... > > The other thing I would add to this is that since OP said he tried > > EnvelopedData initially and it failed on Decrypt, there is no reason to > > suspect that CAPICOM will solve this problem anyway. If he used the class > > correctly and can't decrypt, that should mean he doesn't have the right > > certificate/private key combo available in that execution context. > > CAPICOM can't do anything any better here. > > > > If the problem was operator error, EnvelopedData is still the better way > > to go. > > > > Joe K. > > > > -- > > Joe Kaplan-MS MVP Directory Services Programming > > Co-author of "The .NET Developer's Guide to Directory Services > > Programming" > > http://www.directoryprogramming.net > > -- > > "Mitch Gallant" <jensigner@community.nospam> wrote in message > > news:e9h7L5M2GHA.1256@TK2MSFTNGP02.phx.gbl... > >> If you are talking about CAPICOM COM-interop with .NET, then there are > >> some issues with marshalling strings from COM to .NET in the CAPICOM fns > >> for binary data files which have some workarounds based on dis/reass the > >> capicom.dll interop lib. > >> > >> Better (as other posted stated) to use .NET 2 pkcs7 support. 
Another thing you can do without actually decrypting the p7m: you can
check the "recipients" who are capable of decrypting the message,
e.g. with this .NET tool (using P/Invoke to CryptoAPI again):
http://www.jensign.com/JavaScience/dotnet/EnvelInfo
(Note that CAPICOM does NOT allow you to extract this info without actually
decrypting the p7s first!)

If the .p7s is a valid enveloped data blob, then this utility will show
details of the certs (with associated private keys) that must be available to
decrypt the message. It also shows the symmetric key algorithm (for the
secret key to be recovered, if you had decrypted the message).
Typical output of envelinfo.exe (there are 2 recipients because it was sent
to myself, and the sender is always included in the recipient list by mail
clients; also it is a self-signed cert, hence the issuer ID):

C:\....\desktop>envelinfo sigencrypt.txt
File 'sigencrypt.txt' (4478 bytes)
Base64 encoded enveloped data
Enveloped message has 2 recipients

------ Recipient 1 ----------
SerialNumber:
37 53 84 ab 30 ba 7e 7d
IssuerName:
2.5.4.3 CN=Mitch Gallant
2.5.4.10 O=JavaScience Consulting
2.5.4.6 C=CA
1.2.840.113549.1.9.1 E=neut***@istar.ca

------ Recipient 2 ----------
SerialNumber:
37 53 84 ab 30 ba 7e 7d
IssuerName:
2.5.4.3 CN=Mitch Gallant
2.5.4.10 O=JavaScience Consulting
2.5.4.6 C=CA
1.2.840.113549.1.9.1 E=neut***@istar.ca

--- CRYPT_ALGORITHM_IDENTIFIER members ---
OID: 1.2.840.113549.3.7 3des
------------------------------------------

- Mitch Gallant
MVP Security

<rdavi***@gmail.com> wrote in message news:1158399415.805306.22940@i42g2000cwa.googlegroups.com...
> Hi Mitch,
>
> I will try your decenvelop.exe on my file, which is a PDF in p7m format
> (I think signed and then encrypted, as you said), and we will see.
>
> Thank you.
>
> Riccardo
>
> Mitch Gallant wrote:
>> I just checked encrypted+signed S/MIME messages created by both OE6 and
>> Outlook 2003, and both these mail clients create .p7m as signed first and
>> then encrypted.
>>
>> Both can be decrypted (first) using the .NET DecEnvelop.exe utility on the
>> b64-encoded .p7m blob from the message source.
>> Try that first. This will ensure that you have properly configured access to
>> your RSA keypair.
>>
>> - Mitch
>>
>> "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in message news:%23a6ilzN2GHA.1304@TK2MSFTNGP05.phx.gbl...
>>> The other thing I would add to this is that since the OP said he tried
>>> EnvelopedData initially and it failed on Decrypt, there is no reason to
>>> suspect that CAPICOM will solve this problem anyway. If he used the class
>>> correctly and can't decrypt, that should mean he doesn't have the right
>>> certificate/private key combo available in that execution context.
>>> CAPICOM can't do anything any better here.
>>>
>>> If the problem was operator error, EnvelopedData is still the better way
>>> to go.
>>>
>>> Joe K.
>>>
>>> --
>>> Joe Kaplan-MS MVP Directory Services Programming
>>> Co-author of "The .NET Developer's Guide to Directory Services Programming"
>>> http://www.directoryprogramming.net
>>> --
>>> "Mitch Gallant" <jensigner@community.nospam> wrote in message news:e9h7L5M2GHA.1256@TK2MSFTNGP02.phx.gbl...
>>>> If you are talking about CAPICOM COM-interop with .NET, then there are
>>>> some issues with marshalling strings from COM to .NET in the CAPICOM fns
>>>> for binary data files, which have some workarounds based on
>>>> disassembling/reassembling the capicom.dll interop lib.
>>>>
>>>> Better (as another poster stated) to use .NET 2 pkcs7 support.
>>>> Alternately, P/Invoking to CAPI (for decrypting and sig verif) is possible
>>>> if not a bit messy: http://www.jensign.com/JavaScience/dotnet/DecEnvelop
>>>>
>>>> What mail program was used to envelope (sign and encrypt to recipient)?
>>>> I think OE/O both sign and THEN encrypt the signed blob with the usual
>>>> S/MIME wrapping.
>>>> For email attachments, for detached signatures, you need to know what
>>>> content you are verifying the signature against.
>>>> http://www.jensign.com/JavaScience/verify/smimenote.html
>>>>
>>>> - Mitch Gallant
>>>> MVP Security

Hello Mitch,
I tried both your applications, DecEnvelop and EnvelInfo, but with no
success...

1) DecEnvelop tells me that "the file cannot be decrypted".

2) EnvelInfo tells me:
"M10i70.pdf.p7m (25766 bytes)
Error message: Invalid cryptographic message type (Code: 0x80004005)
Error message: Invalid cryptographic message type (Code: 0x80004005)"

Well, is that possible?
I received this attachment from a certified mail; I don't know what was
used to encrypt or sign it. But I know it's possible to validate and
extract the original PDF file, because if I use one of the online tools
like this one: http://www.digitaltrust.it/verifier/popup1.html, it opens my
p7m file, verifies the signature and lets me save the original content.

I am under .NET 1.1, I cannot use 2.0.

Any ideas?

Thank you very much!

Riccardo

Was the file signed with some tool from DigitalTrust? I am not familiar with
that product.
Perhaps the file is encrypted first and then signed. Did you say you managed
to FIRST verify the signature on the p7m with CAPICOM?
If you send a sample of the .p7m we can take a look.
- Mitch

Hi Mitch,
In fact, if I try first of all to verify it with CAPICOM, using
SignedClass.Verify against the base64 p7m file, it goes through without raising
any error, so it verifies correctly. Does this suggest something to you?

How can I send you the p7m file?

Thx,

Riccardo

Then the content you want to encrypt is encrypted first and then signed. Did
you recover the encrypted content (including the signature, apparently) when the
signature was verified? I sent you a separate email re: receiving a sample of the
p7m.
- Mitch

I sent you the example by email.
Yes, the property Content has a value after verifying the p7m. I wait for your suggestions, thx.

Riccardo

Mitch Gallant wrote:
> Then the content you want to encrypt is encrypted first and then signed. Did
> you recover the encrypted content (included signature apparently) when the
> signature was verified? I sent you separate email re: receiving sample of
> p7m.
> - Mitch
>
> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message
> news:1158585018.368369.98340@b28g2000cwb.googlegroups.com...
> > Hi Mitch,
> >
> > in fact if I try, first of all, to verify it with CAPICOM using
> > SignedClass.Verify against the base64 p7m file it goes without raising
> > any error, so it verifies it correctly. Does this suggest something to you?
> >
> > How can I send to you the p7m file?
> >
> > Thx,
> >
> > Riccardo
> >
> > Mitch Gallant wrote:
> >> Was the file signed with some tool from DigitalTrust? I am not familiar
> >> with that product.
> >> Perhaps the file is encrypted first and then signed. Did you say you
> >> managed to FIRST verify the signature on the p7m with CAPICOM?
> >> If you send a sample of the .p7m we can take a look.
> >> - Mitch
> >>
> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message
> >> news:1158571210.630910.96380@e3g2000cwe.googlegroups.com...
> >> > Hello Mitch,
> >> >
> >> > I tried both your applications DecEnvelop and EnvelInfo but with no
> >> > success...
> >> >
> >> > 1) DecEnvelop tells me that "the file cannot be decrypted".
> >> >
> >> > 2) EnvelInfo tells me:
> >> > "M10i70.pdf.p7m (25766 bytes)
> >> > Error message: Invalid cryptographic message type (Code: 0x80004005)
> >> > Error message: Invalid cryptographic message type (Code: 0x80004005)"
> >> >
> >> > Well, is that possible?
> >> > I receive this attachment from a certified mail, I don't know what is
> >> > used to encrypt or sign it. But I know it's possible to validate and
> >> > extract the original pdf file because if I use one of the online tools
> >> > like this: http://www.digitaltrust.it/verifier/popup1.html it opens my
> >> > p7m file, verifies the signature and lets me save the original
> >> > content.
> >> >
> >> > I am under .NET 1.1, I cannot use 2.0.
> >> >
> >> > Any ideas?
> >> >
> >> > Thank you very much!
> >> >
> >> > Riccardo
> >> >
> >> > Mitch Gallant wrote:
> >> >> Another thing you can do without actually decrypting the p7m: you can
> >> >> check the "recipients" who are capable of decrypting the message.
> >> >> e.g. this .net tool (using Pinvoke to CryptoAPI again):
> >> >> http://www.jensign.com/JavaScience/dotnet/EnvelInfo
> >> >> (note that CAPICOM does NOT allow you to extract this info without
> >> >> actually decrypting the p7s first!).
> >> >>
> >> >> If the .p7s is a valid enveloped data blob, then this utility will show
> >> >> details of certs (with associated private keys) that must be available
> >> >> to decrypt the message. It also shows the symmetric key algorithm (for
> >> >> the secret key to be recovered, if you had decrypted the message).
> >> >> Typical output of envelinfo.exe (there are 2 recipients because it was
> >> >> sent to myself and sender is always included in recipient list from mail
> >> >> clients; also it is self-signed cert .. hence issuer ID):
> >> >>
> >> >> C:\....\desktop>envelinfo sigencrypt.txt
> >> >> File 'sigencrypt.txt' (4478 bytes)
> >> >> Base64 encoded enveloped data
> >> >> Enveloped message has 2 recipients
> >> >>
> >> >> ------ Recipient 1 ----------
> >> >> SerialNumber:
> >> >> 37 53 84 ab 30 ba 7e 7d
> >> >> IssuerName:
> >> >> 2.5.4.3 CN=Mitch Gallant
> >> >> 2.5.4.10 O=JavaScience Consulting
> >> >> 2.5.4.6 C=CA
> >> >> 1.2.840.113549.1.9.1 E=neut***@istar.ca
> >> >>
> >> >> ------ Recipient 2 ----------
> >> >> SerialNumber:
> >> >> 37 53 84 ab 30 ba 7e 7d
> >> >> IssuerName:
> >> >> 2.5.4.3 CN=Mitch Gallant
> >> >> 2.5.4.10 O=JavaScience Consulting
> >> >> 2.5.4.6 C=CA
> >> >> 1.2.840.113549.1.9.1 E=neut***@istar.ca
> >> >>
> >> >> --- CRYPT_ALGORITHM_IDENTIFIER members ---
> >> >> OID: 1.2.840.113549.3.7 3des
> >> >> ------------------------------------------
> >> >>
> >> >> - Mitch Gallant
> >> >> MVP Security
> >> >>
> >> >> <rdavi***@gmail.com> wrote in message
> >> >> news:1158399415.805306.22940@i42g2000cwa.googlegroups.com...
> >> >> > Hi Mitch,
> >> >> >
> >> >> > I will try your decenvelop.exe on my file that is a pdf in a p7m
> >> >> > format (I think signed and then encrypted as you said) and we will see.
> >> >> >
> >> >> > Thank you.
> >> >> >
> >> >> > Riccardo
> >> >> >
> >> >> > Mitch Gallant wrote:
> >> >> >
> >> >> >> I just checked encrypted+signed S-MIME messages created by both OE6
> >> >> >> and Outlook 2003 and both these mail clients create .p7m as signed
> >> >> >> first and then encrypted.
> >> >> >>
> >> >> >> Both can be decrypted (first) using the .net DecEnvelop.exe utility
> >> >> >> on the b64-encoded .p7m blob from the message source.
> >> >> >> Try that first. This will ensure that you have properly configured
> >> >> >> access to your RSA keypair.
> >> >> >>
> >> >> >> - Mitch
> >> >> >>
> >> >> >> "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in
> >> >> >> message news:%23a6ilzN2GHA.1304@TK2MSFTNGP05.phx.gbl...
> >> >> >> > The other thing I would add to this is that since OP said he
> >> >> >> > tried EnvelopedData initially and it failed on Decrypt, there is
> >> >> >> > no reason to suspect that CAPICOM will solve this problem anyway.
> >> >> >> > If he used the class correctly and can't decrypt, that should
> >> >> >> > mean he doesn't have the right certificate/private key combo
> >> >> >> > available in that execution context.
> >> >> >> > CAPICOM can't do anything any better here.
> >> >> >> >
> >> >> >> > If the problem was operator error, EnvelopedData is still the
> >> >> >> > better way to go.
> >> >> >> >
> >> >> >> > Joe K.
> >> >> >> >
> >> >> >> > --
> >> >> >> > Joe Kaplan-MS MVP Directory Services Programming
> >> >> >> > Co-author of "The .NET Developer's Guide to Directory Services
> >> >> >> > Programming"
> >> >> >> > http://www.directoryprogramming.net
> >> >> >> > --
> >> >> >> > "Mitch Gallant" <jensigner@community.nospam> wrote in message
> >> >> >> > news:e9h7L5M2GHA.1256@TK2MSFTNGP02.phx.gbl...
> >> >> >> >> If you are talking about CAPICOM COM-interop with .NET, then
> >> >> >> >> there are some issues with marshalling strings from COM to .NET
> >> >> >> >> in the CAPICOM fns for binary data files which have some
> >> >> >> >> workarounds based on dis/reass the capicom.dll interop lib.
> >> >> >> >>
> >> >> >> >> Better (as other poster stated) to use .NET 2 pkcs7 support.
> >> >> >> >> Alternately, Pinvoking to capi (for decrypting and sig verif) is
> >> >> >> >> possible if not a bit messy :
> >> >> >> >> http://www.jensign.com/JavaScience/dotnet/DecEnvelop
> >> >> >> >>
> >> >> >> >> What mail program was used to envelope (sign and encrypt to
> >> >> >> >> recipient) ??
> >> >> >> >> I think OE/O both sign and THEN encrypt the signed blob with the
> >> >> >> >> usual SMIME wrapping.
> >> >> >> >> For email attachments, for detached signatures, you need to know
> >> >> >> >> what content you are verifying the signature against.
> >> >> >> >> http://www.jensign.com/JavaScience/verify/smimenote.html
> >> >> >> >>
> >> >> >> >> - Mitch Gallant
> >> >> >> >> MVP Security
> >> >> >> >>
> >> >> >> >> <rdavi***@gmail.com> wrote in message
> >> >> >> >> news:1158326179.502075.220840@i3g2000cwc.googlegroups.com...
> >> >> >> >>> Hi all,
> >> >> >> >>>
> >> >> >> >>> I receive a certified email with an attachment in .p7m
> >> >> >> >>> extension.
> >> >> >> >>> How can I retrieve the original content after verifying the
> >> >> >> >>> sign with CAPICOM?
> >> >> >> >>> The EnvelopedData failed when I try to Decrypt it.
> >> >> >> >>>
> >> >> >> >>> I am under .NET using C#, and I need to save the original
> >> >> >> >>> content in a db or in a shared folder.
> >> >> >> >>>
> >> >> >> >>> Thank you in advance!
> >> >> >> >>>
> >> >> >> >>> Riccardo

Sent again the file to your email...
Let me know if you receive it this time.

Cheers,
Riccardo

Did you receive the last email this time?
It seems very strange... Let me know,

Riccardo

Have you received the simple text mail from me?
I don't want to publish the file here in a public group.

Thank you,
Riccardo

Hi again.
I receive your emails to my google account. I tried to send you the email by another provider (libero.it), have you received it? LEt me know otherwise I will found the system by a web directory. Riccardo Mitch Gallant wrote: Show quoteHide quote > Then the content you want to encrypt is encrypted first and then signed. Did > you recover the encrypted content (included signature apparently) when the > signature was verified? I sent you separate email re: receiving sample of > p7m. > - Mitch > > "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message > news:1158585018.368369.98340@b28g2000cwb.googlegroups.com... > > Hi Mitch, > > > > infact if I try, first of all, to verify it with CAPICOM using > > SignedClass.Verify against the base64 p7m file it goes without raise > > any error, so it verifies correctly it. This suggest to you something? > > > > How can I send to you the p7m file? > > > > Thx, > > > > Riccardo > > > > Mitch Gallant wrote: > >> Was the file signed with some tool from DigitalTrust? I am not familiar > >> with > >> that product. > >> Perhaps the file is encrypted first and then signed. Did you say you > >> managed > >> to FIRST verify the signature on the p7m with CAPICOM? > >> If you send a sample of the .p7m we can take a look. > >> - Mitch > >> > >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message > >> news:1158571210.630910.96380@e3g2000cwe.googlegroups.com... > >> > Hello Mitch, > >> > > >> > i tried both your applications docEnveloped e EnvelInfo but with no > >> > success... > >> > > >> > 1) DecEnveloped tell me that "the file cannot be decrypted". > >> > > >> > 2) EnvelInfo tell me: > >> > "M10i70.pdf.p7m (25766 bytes) > >> > Error message: Invalid cryptographic message type (Code: 0x80004005) > >> > Error message: Invalid cryptographic message type (Code: 0x80004005)" > >> > > >> > Well is that possible? > >> > I receive this attachment from a certified mail, I don't know what is > >> > used to encrypt or sign it. 
But I know it's possible to validate and > >> > extract the original pdf file because if I use one of the online tools > >> > like this: http://www.digitaltrust.it/verifier/popup1.html it opens my > >> > p7m file, verify the sign and let me possible to save the original > >> > content. > >> > > >> > I am under .NET 1.1, I cannot use 2.0. > >> > > >> > Any ideas? > >> > > >> > Thank you very much! > >> > > >> > Riccardo > >> > > >> > > >> > Mitch Gallant wrote: > >> >> Another think you can do without actually decrypting the p7m: you > >> >> can > >> >> check the "recipients" who are capable of decryping the message. > >> >> e.g this .net tool (using Pinvoke to CryptoAPI again): > >> >> http://www.jensign.com/JavaScience/dotnet/EnvelInfo > >> >> (note that CAPICOM does NOT allow you to extract this info without > >> >> actually > >> >> decrypting the p7s first!). > >> >> > >> >> If the .p7s is a valid enveloped data blob, then this utility will > >> >> show > >> >> details of certs (with associated private keys) that must be available > >> >> to > >> >> decrypt the message. It also shows the symmetric key algorithm (for > >> >> the > >> >> secret key to be recovered, if you had decrypted the message). > >> >> Typical output of envelinfo.exe (there are 2 recipients because it was > >> >> sent > >> >> to myself and sender is always included in recipient list from mail > >> >> clients; > >> >> also it is self-signed cert .. 
hence issuer ID): > >> >> > >> >> C:\....\desktop>envelinfo sigencrypt.txt > >> >> File 'sigencrypt.txt' (4478 bytes) > >> >> Base64 encoded enveloped data > >> >> Enveloped message has 2 recipients > >> >> > >> >> ------ Recipient 1 ---------- > >> >> SerialNumber: > >> >> 37 53 84 ab 30 ba 7e 7d > >> >> IssuerName: > >> >> 2.5.4.3 CN=Mitch Gallant > >> >> 2.5.4.10 O=JavaScience Consulting > >> >> 2.5.4.6 C=CA > >> >> 1.2.840.113549.1.9.1 E=neut***@istar.ca > >> >> > >> >> ------ Recipient 2 ---------- > >> >> SerialNumber: > >> >> 37 53 84 ab 30 ba 7e 7d > >> >> IssuerName: > >> >> 2.5.4.3 CN=Mitch Gallant > >> >> 2.5.4.10 O=JavaScience Consulting > >> >> 2.5.4.6 C=CA > >> >> 1.2.840.113549.1.9.1 E=neut***@istar.ca > >> >> > >> >> --- CRYPT_ALGORITHM_IDENTIFIER members --- > >> >> OID: 1.2.840.113549.3.7 3des > >> >> ------------------------------------------ > >> >> > >> >> - Mitch Gallant > >> >> MVP Security > >> >> > >> >> <rdavi***@gmail.com> wrote in message > >> >> news:1158399415.805306.22940@i42g2000cwa.googlegroups.com... > >> >> > Hi Mitch, > >> >> > > >> >> > I will try your decenvelop.exe on my file that is a pdf in a p7m > >> >> > format > >> >> > (I think signed and then encrypted as you said) and we will see. > >> >> > > >> >> > Thank you. > >> >> > > >> >> > Riccardo > >> >> > > >> >> > > >> >> > Mitch Gallant ha scritto: > >> >> > > >> >> >> I just checked encrypted+signed S-MIME messages created by both OE6 > >> >> >> and > >> >> >> Outlook 2003 and both these mail clients create .p7m as signed > >> >> >> first > >> >> >> and > >> >> >> then encrypted. > >> >> >> > >> >> >> Both can be decrypted (first) using the .net DecEnvelop.exe utility > >> >> >> on > >> >> >> the > >> >> >> b64-encoded .p7m blob from the message source. > >> >> >> Try that first. This will ensure that you have properly configured > >> >> >> access > >> >> >> to > >> >> >> your RSA keypair. 
> >> >> >> > >> >> >> - Mitch > >> >> >> > >> >> >> "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in > >> >> >> message > >> >> >> news:%23a6ilzN2GHA.1304@TK2MSFTNGP05.phx.gbl... > >> >> >> > The other thing I would add to this is that since OP said he > >> >> >> > tried > >> >> >> > EnvelopedData initially and it failed on Decrypt, there is no > >> >> >> > reason > >> >> >> > to > >> >> >> > suspect that CAPICOM will solve this problem anyway. If he used > >> >> >> > the > >> >> >> > class > >> >> >> > correctly and can't decrypt, that should mean he doesn't have the > >> >> >> > right > >> >> >> > certificate/private key combo available in that execution > >> >> >> > context. > >> >> >> > CAPICOM can't do anything any better here. > >> >> >> > > >> >> >> > If the problem was operator error, EnvelopedData is still the > >> >> >> > better > >> >> >> > way > >> >> >> > to go. > >> >> >> > > >> >> >> > Joe K. > >> >> >> > > >> >> >> > -- > >> >> >> > Joe Kaplan-MS MVP Directory Services Programming > >> >> >> > Co-author of "The .NET Developer's Guide to Directory Services > >> >> >> > Programming" > >> >> >> > http://www.directoryprogramming.net > >> >> >> > -- > >> >> >> > "Mitch Gallant" <jensigner@community.nospam> wrote in message > >> >> >> > news:e9h7L5M2GHA.1256@TK2MSFTNGP02.phx.gbl... > >> >> >> >> If you are talking about CAPICOM COM-interop with .NET, then > >> >> >> >> there > >> >> >> >> are > >> >> >> >> some issues with marshalling strings from COM to .NET in the > >> >> >> >> CAPICOM > >> >> >> >> fns > >> >> >> >> for binary data files which have some workarounds based on > >> >> >> >> dis/reass > >> >> >> >> the > >> >> >> >> capicom.dll interop lib. > >> >> >> >> > >> >> >> >> Better (as other posted stated) to use .NET 2 pkcs7 support. 
> >> >> >> >> Alternately, Pinvoking to capi (for decrypting and sig verif) is > >> >> >> >> possible > >> >> >> >> if not a bit messy : > >> >> >> >> http://www.jensign.com/JavaScience/dotnet/DecEnvelop > >> >> >> >> > >> >> >> >> What mail program was used to envelope (sign and encrypt to > >> >> >> >> recipient) > >> >> >> >> ?? > >> >> >> >> I think OE/O both sign and THEN encrypt the signed blob with the > >> >> >> >> usual > >> >> >> >> SMIME wrapping. > >> >> >> >> For email attachments, for detached signatures, you need to know > >> >> >> >> what > >> >> >> >> content you are verifying the signature against. > >> >> >> >> http://www.jensign.com/JavaScience/verify/smimenote.html > >> >> >> >> > >> >> >> >> - Mitch Gallant > >> >> >> >> MVP Security > >> >> >> >> > >> >> >> >> <rdavi***@gmail.com> wrote in message > >> >> >> >> news:1158326179.502075.220840@i3g2000cwc.googlegroups.com... > >> >> >> >>> Hi all, > >> >> >> >>> > >> >> >> >>> I receive a certified email with an attachment in .p7m > >> >> >> >>> extension. > >> >> >> >>> How can I retrieve the original content after verifying the > >> >> >> >>> sign > >> >> >> >>> with > >> >> >> >>> CAPICOM? > >> >> >> >>> The EnvelopedData failed when I try to Decrypt it. > >> >> >> >>> > >> >> >> >>> I am under .NET using C#, and I need to save the original > >> >> >> >>> content > >> >> >> >>> in > >> >> >> >>> a > >> >> >> >>> db or in a shared folder. > >> >> >> >>> > >> >> >> >>> Thank you in advance! > >> >> >> >>> > >> >> >> >>> Riccardo > >> >> >> >>> > >> >> >> >> > >> >> >> >> > >> >> >> > > >> >> >> > > >> >> > > >> > > > I looked at the p7m and it is just an included-content valid signed pkcs7
message. The signed content is in fact not encrypted. It is just the binary pdf file. So, the first response in this thread should work. However since you have binary content (and not text content) as the raw signed content, CAPICOM methods might have trouble extracting that content ... unless you manage the binary extraction of the content properly. - Mitch Show quoteHide quote "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message news:1158756100.482546.78680@m7g2000cwm.googlegroups.com... > Hi again. > > I receive your emails to my google account. > I tried to send you the email by another provider (libero.it), have you > received it? > > LEt me know otherwise I will found the system by a web directory. > > Riccardo > > Mitch Gallant wrote: >> Then the content you want to encrypt is encrypted first and then signed. >> Did >> you recover the encrypted content (included signature apparently) when >> the >> signature was verified? I sent you separate email re: receiving sample of >> p7m. >> - Mitch >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message >> news:1158585018.368369.98340@b28g2000cwb.googlegroups.com... >> > Hi Mitch, >> > >> > infact if I try, first of all, to verify it with CAPICOM using >> > SignedClass.Verify against the base64 p7m file it goes without raise >> > any error, so it verifies correctly it. This suggest to you something? >> > >> > How can I send to you the p7m file? >> > >> > Thx, >> > >> > Riccardo >> > >> > Mitch Gallant wrote: >> >> Was the file signed with some tool from DigitalTrust? I am not >> >> familiar >> >> with >> >> that product. >> >> Perhaps the file is encrypted first and then signed. Did you say you >> >> managed >> >> to FIRST verify the signature on the p7m with CAPICOM? >> >> If you send a sample of the .p7m we can take a look. >> >> - Mitch >> >> >> >> "Riccardo Daviddi" <rdavi***@gmail.com> wrote in message >> >> news:1158571210.630910.96380@e3g2000cwe.googlegroups.com... 
>> >> > Hello Mitch, >> >> > >> >> > i tried both your applications docEnveloped e EnvelInfo but with no >> >> > success... >> >> > >> >> > 1) DecEnveloped tell me that "the file cannot be decrypted". >> >> > >> >> > 2) EnvelInfo tell me: >> >> > "M10i70.pdf.p7m (25766 bytes) >> >> > Error message: Invalid cryptographic message type (Code: >> >> > 0x80004005) >> >> > Error message: Invalid cryptographic message type (Code: >> >> > 0x80004005)" >> >> > >> >> > Well is that possible? >> >> > I receive this attachment from a certified mail, I don't know what >> >> > is >> >> > used to encrypt or sign it. But I know it's possible to validate and >> >> > extract the original pdf file because if I use one of the online >> >> > tools >> >> > like this: http://www.digitaltrust.it/verifier/popup1.html it opens >> >> > my >> >> > p7m file, verify the sign and let me possible to save the original >> >> > content. >> >> > >> >> > I am under .NET 1.1, I cannot use 2.0. >> >> > >> >> > Any ideas? >> >> > >> >> > Thank you very much! >> >> > >> >> > Riccardo >> >> > >> >> > >> >> > Mitch Gallant wrote: >> >> >> Another think you can do without actually decrypting the p7m: you >> >> >> can >> >> >> check the "recipients" who are capable of decryping the message. >> >> >> e.g this .net tool (using Pinvoke to CryptoAPI again): >> >> >> http://www.jensign.com/JavaScience/dotnet/EnvelInfo >> >> >> (note that CAPICOM does NOT allow you to extract this info without >> >> >> actually >> >> >> decrypting the p7s first!). >> >> >> >> >> >> If the .p7s is a valid enveloped data blob, then this utility will >> >> >> show >> >> >> details of certs (with associated private keys) that must be >> >> >> available >> >> >> to >> >> >> decrypt the message. It also shows the symmetric key algorithm (for >> >> >> the >> >> >> secret key to be recovered, if you had decrypted the message). 
>> >> >> Typical output of envelinfo.exe (there are 2 recipients because it >> >> >> was >> >> >> sent >> >> >> to myself and sender is always included in recipient list from mail >> >> >> clients; >> >> >> also it is self-signed cert .. hence issuer ID): >> >> >> >> >> >> C:\....\desktop>envelinfo sigencrypt.txt >> >> >> File 'sigencrypt.txt' (4478 bytes) >> >> >> Base64 encoded enveloped data >> >> >> Enveloped message has 2 recipients >> >> >> >> >> >> ------ Recipient 1 ---------- >> >> >> SerialNumber: >> >> >> 37 53 84 ab 30 ba 7e 7d >> >> >> IssuerName: >> >> >> 2.5.4.3 CN=Mitch Gallant >> >> >> 2.5.4.10 O=JavaScience Consulting >> >> >> 2.5.4.6 C=CA >> >> >> 1.2.840.113549.1.9.1 E=neut***@istar.ca >> >> >> >> >> >> ------ Recipient 2 ---------- >> >> >> SerialNumber: >> >> >> 37 53 84 ab 30 ba 7e 7d >> >> >> IssuerName: >> >> >> 2.5.4.3 CN=Mitch Gallant >> >> >> 2.5.4.10 O=JavaScience Consulting >> >> >> 2.5.4.6 C=CA >> >> >> 1.2.840.113549.1.9.1 E=neut***@istar.ca >> >> >> >> >> >> --- CRYPT_ALGORITHM_IDENTIFIER members --- >> >> >> OID: 1.2.840.113549.3.7 3des >> >> >> ------------------------------------------ >> >> >> >> >> >> - Mitch Gallant >> >> >> MVP Security >> >> >> >> >> >> <rdavi***@gmail.com> wrote in message >> >> >> news:1158399415.805306.22940@i42g2000cwa.googlegroups.com... >> >> >> > Hi Mitch, >> >> >> > >> >> >> > I will try your decenvelop.exe on my file that is a pdf in a p7m >> >> >> > format >> >> >> > (I think signed and then encrypted as you said) and we will see. >> >> >> > >> >> >> > Thank you. >> >> >> > >> >> >> > Riccardo >> >> >> > >> >> >> > >> >> >> > Mitch Gallant ha scritto: >> >> >> > >> >> >> >> I just checked encrypted+signed S-MIME messages created by both >> >> >> >> OE6 >> >> >> >> and >> >> >> >> Outlook 2003 and both these mail clients create .p7m as signed >> >> >> >> first >> >> >> >> and >> >> >> >> then encrypted. 
>> >> >> >> >> >> >> >> Both can be decrypted (first) using the .net DecEnvelop.exe >> >> >> >> utility >> >> >> >> on >> >> >> >> the >> >> >> >> b64-encoded .p7m blob from the message source. >> >> >> >> Try that first. This will ensure that you have properly >> >> >> >> configured >> >> >> >> access >> >> >> >> to >> >> >> >> your RSA keypair. >> >> >> >> >> >> >> >> - Mitch >> >> >> >> >> >> >> >> "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in >> >> >> >> message >> >> >> >> news:%23a6ilzN2GHA.1304@TK2MSFTNGP05.phx.gbl... >> >> >> >> > The other thing I would add to this is that since OP said he >> >> >> >> > tried >> >> >> >> > EnvelopedData initially and it failed on Decrypt, there is no >> >> >> >> > reason >> >> >> >> > to >> >> >> >> > suspect that CAPICOM will solve this problem anyway. If he >> >> >> >> > used >> >> >> >> > the >> >> >> >> > class >> >> >> >> > correctly and can't decrypt, that should mean he doesn't have >> >> >> >> > the >> >> >> >> > right >> >> >> >> > certificate/private key combo available in that execution >> >> >> >> > context. >> >> >> >> > CAPICOM can't do anything any better here. >> >> >> >> > >> >> >> >> > If the problem was operator error, EnvelopedData is still the >> >> >> >> > better >> >> >> >> > way >> >> >> >> > to go. >> >> >> >> > >> >> >> >> > Joe K. >> >> >> >> > >> >> >> >> > -- >> >> >> >> > Joe Kaplan-MS MVP Directory Services Programming >> >> >> >> > Co-author of "The .NET Developer's Guide to Directory Services >> >> >> >> > Programming" >> >> >> >> > http://www.directoryprogramming.net >> >> >> >> > -- >> >> >> >> > "Mitch Gallant" <jensigner@community.nospam> wrote in message >> >> >> >> > news:e9h7L5M2GHA.1256@TK2MSFTNGP02.phx.gbl... 
>> >> >> >> >> If you are talking about CAPICOM COM-interop with .NET, then >> >> >> >> >> there >> >> >> >> >> are >> >> >> >> >> some issues with marshalling strings from COM to .NET in the >> >> >> >> >> CAPICOM >> >> >> >> >> fns >> >> >> >> >> for binary data files which have some workarounds based on >> >> >> >> >> dis/reass >> >> >> >> >> the >> >> >> >> >> capicom.dll interop lib. >> >> >> >> >> >> >> >> >> >> Better (as other posted stated) to use .NET 2 pkcs7 support. >> >> >> >> >> Alternately, Pinvoking to capi (for decrypting and sig verif) >> >> >> >> >> is >> >> >> >> >> possible >> >> >> >> >> if not a bit messy : >> >> >> >> >> http://www.jensign.com/JavaScience/dotnet/DecEnvelop >> >> >> >> >> >> >> >> >> >> What mail program was used to envelope (sign and encrypt to >> >> >> >> >> recipient) >> >> >> >> >> ?? >> >> >> >> >> I think OE/O both sign and THEN encrypt the signed blob with >> >> >> >> >> the >> >> >> >> >> usual >> >> >> >> >> SMIME wrapping. >> >> >> >> >> For email attachments, for detached signatures, you need to >> >> >> >> >> know >> >> >> >> >> what >> >> >> >> >> content you are verifying the signature against. >> >> >> >> >> http://www.jensign.com/JavaScience/verify/smimenote.html >> >> >> >> >> >> >> >> >> >> - Mitch Gallant >> >> >> >> >> MVP Security >> >> >> >> >> >> >> >> >> >> <rdavi***@gmail.com> wrote in message >> >> >> >> >> news:1158326179.502075.220840@i3g2000cwc.googlegroups.com... >> >> >> >> >>> Hi all, >> >> >> >> >>> >> >> >> >> >>> I receive a certified email with an attachment in .p7m >> >> >> >> >>> extension. >> >> >> >> >>> How can I retrieve the original content after verifying the >> >> >> >> >>> sign >> >> >> >> >>> with >> >> >> >> >>> CAPICOM? >> >> >> >> >>> The EnvelopedData failed when I try to Decrypt it. >> >> >> >> >>> >> >> >> >> >>> I am under .NET using C#, and I need to save the original >> >> >> >> >>> content >> >> >> >> >>> in >> >> >> >> >>> a >> >> >> >> >>> db or in a shared folder. 
>> >> >> >> >>> >> >> >> >> >>> Thank you in advance! >> >> >> >> >>> >> >> >> >> >>> Riccardo >> >> >> >> >>> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > >> >> >> >> > >> >> >> > >> >> > >> > >
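As an added example that is not any poster's code, here is a C# tool in the spirit of Mitch's finding: it reads the outer PKCS#7 content type first, so a SignedData .p7m goes to SignedCms and only a real EnvelopedData goes to EnvelopedCms.Decrypt (listing recipients first, as envelinfo does), and it keeps the recovered content as raw bytes so the PDF is not damaged by a string conversion. It assumes .NET 2.0's System.Security.dll and takes the .p7m path as its first argument; the ".out" file name is a made-up convention.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.Xml;   // X509IssuerSerial
// Added example, not code from this thread; assumes .NET 2.0 System.Security.dll and a .p7m path in args[0].
static class P7mTool
{
    const string OidSignedData    = "1.2.840.113549.1.7.2";   // PKCS#7 SignedData
    const string OidEnvelopedData = "1.2.840.113549.1.7.3";   // PKCS#7 EnvelopedData
    // A .p7m may arrive as raw DER or as base64 text; a DER SEQUENCE starts with 0x30.
    public static byte[] LoadCms(string path)
    {
        byte[] raw = File.ReadAllBytes(path);
        if (raw.Length > 0 && raw[0] == 0x30) return raw;
        string b64 = System.Text.Encoding.ASCII.GetString(raw).Replace("\r", "").Replace("\n", "");
        return Convert.FromBase64String(b64);
    }
    // Verify an attached-content SignedData and return the signed bytes untouched (the PDF here),
    // so no string conversion can corrupt them. verifySignatureOnly=false also validates the chain.
    public static byte[] ExtractSignedContent(byte[] cmsBytes, bool verifySignatureOnly)
    {
        SignedCms cms = new SignedCms();
        cms.Decode(cmsBytes);
        if (cms.Detached) throw new CryptographicException("Detached signature: content is not in the .p7m.");
        cms.CheckSignature(verifySignatureOnly);   // throws CryptographicException on failure
        return cms.ContentInfo.Content;
    }
    // Decrypt an EnvelopedData after listing who can decrypt it (what envelinfo shows), so a
    // Decrypt failure points at a missing private key rather than at the wrong message type.
    public static EnvelopedCms OpenEnvelope(byte[] cmsBytes)
    {
        EnvelopedCms env = new EnvelopedCms();
        env.Decode(cmsBytes);
        foreach (RecipientInfo ri in env.RecipientInfos)
        {
            object id = ri.RecipientIdentifier.Value;   // X509IssuerSerial, or a string for SKI
            string who = id is X509IssuerSerial
                ? ((X509IssuerSerial)id).IssuerName + " serial " + ((X509IssuerSerial)id).SerialNumber
                : "SKI " + id;
            Console.WriteLine("Recipient: {0}", who);
        }
        env.Decrypt();   // needs one listed recipient's private key in the current user's store
        return env;
    }
    static int Main(string[] args)
    {
        try
        {
            byte[] cmsBytes = LoadCms(args[0]);                          // e.g. M10i70.pdf.p7m
            string type = ContentInfo.GetContentType(cmsBytes).Value;   // outer type; needs no keys
            if (type == OidEnvelopedData)
            {
                ContentInfo inner = OpenEnvelope(cmsBytes).ContentInfo;
                cmsBytes = inner.Content;
                type = inner.ContentType.Value;   // SignedData when sign-then-encrypt was used
            }
            byte[] payload = (type == OidSignedData) ? ExtractSignedContent(cmsBytes, false) : cmsBytes;
            File.WriteAllBytes(args[0] + ".out", payload);   // the original binary content, e.g. the PDF
            return 0;
        }
        catch (CryptographicException e)
        {
            Console.Error.WriteLine("CMS error: {0}", e.Message);   // bad signature, wrong type, no key
            return 1;
        }
    }
}
```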