How to encrypt a message using someone’s SSL smime.p7s file

cryptography, encryption, openssl

I need to send a private key file to someone (a trusted sysadmin) securely. I suggested a couple options, but he replied as follows:

Hi, I have neither LastPass nor GnuPGP but I'm using ssl certificates – this message is signed with such so you will be able to send a message to me and encrypt it with my public key.

I used openssl to obtain his certificate:

openssl pkcs7 -in smime.p7s -inform DER -print_certs

The certificate is issued by:

issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org

(Firefox doesn't have a root certificate from cacert.org.)

Now, how do I encrypt the key file I wish to send to him? I prefer to use a command line tool available in Ubuntu.

@lgeorget:

$ openssl pkcs7 -inform DER -outform PEM -in smime.p7s -out smime.pem
$ openssl smime -encrypt -text -in /home/myuser/.ssh/mykeyfile smime.pem 
unable to load certificate
139709295335072:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

and

$ openssl pkcs7 -in smime.p7s -inform DER -print_certs
subject=/CN=Wojciech Kapcia/emailAddress=someone@example.com/emailAddress=someone@example.com
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----

Best Answer

You can do

openssl smime -encrypt -text -in <file> smime.p7s

where <file> is the file you want to encrypt. If the file smime.p7s is in DER format instead of PEM, you will have to convert it with:

openssl pkcs7 -inform DER -outform PEM -in smime.p7s -out smime.pem

You obtain a file you can send to your sysadmin. If you are brave enough you can remove -text and play with the options -to, -subject, etc. to get a valid email file you can directly send to an SMTP server.

If the root certificate of the certificate you use to encrypt is not recognized by your operating system but YOU trust it, you can add it to the certificate base.

cp smime.pem /usr/local/share/ca-certificates/certificate.crt
sudo update-ca-certificates

The certificate must have the .crt extension. Details here.
