Skip to content

Instantly share code, notes, and snippets.

@kpe

kpe/How to decrypt an SMIME PKCS7 mail using a PKI key card.md

Last active May 28, 2024 01:29
Show Gist options
  • Save kpe/15dcfc7ed46321347320faa65eacfb7d to your computer and use it in GitHub Desktop.
Save kpe/15dcfc7ed46321347320faa65eacfb7d to your computer and use it in GitHub Desktop.
Download ZIP
How to decrypt an SMIME PKCS7 mail using a PKI key card
Raw
How to decrypt an SMIME PKCS7 mail using a PKI key card.md

Make sure the openssl pkcs11 engine provided by OpenSC/libp11 can talk to your PKI card:

  $ openssl engine pkcs11 -t -c -pre MODULE_PATH:/path/to/your/opensc-pkcs11-plugin-module.so
  (pkcs11) pkcs11 engine
  [Success]: MODULE_PATH:/path/to/your/OpenSC-pkcs11-plugin-module.so
  [RSA]
  [ available ]

Now create an openssl config file to pass the MODULE_PATH parameter to the pkcs11 engine like this:

cat > pkcs11_engine.conf <<EOF
    openssl_conf = openssl_init

    [openssl_init]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib64/engines/libpkcs11.so
    MODULE_PATH = /path/to/your/opensc-pkcs11-plugin-module.so
    init = 0
EOF

OPENSSL_CONF=pkcs11_engine.conf openssl engine -t -c pkcs11

than check the keys present on your card with either:

pkcs15-tool --list-keys

or:

pkcs11-tool -O

and then use the key id to decrypting the smime pkcs7 file like this:

export OPENSSL_CONF=pkcs11_engine.conf 
openssl smime -decrypt -inform der -in email.p7m -engine pkcs11 -keyform engine -inkey the-key-id
@Et7f3
Copy link

Et7f3 commented May 28, 2024
edited
Loading

Have yoy a version with openssl 3 and providers ? I can use https://github.com/latchset/pkcs11-provider for other application (storeutl show correctly my cert on smard card) but can't manage to decipher mail.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment