<h1>EnvelopedCms decrypt problem</h1>
<p>Published 2014-02-03, last modified 2014-04-09. Original post: https://www.limilabs.com/blog/envelopedcms-decrypt-problem (category: programming, tag: smime).</p>
<p>.NET's <em>EnvelopedCms</em> class represents a CMS/PKCS #7 enveloped-data structure. Such data is used, for example, in S/MIME encrypted messages.</p>
<p>The <em>EnvelopedCms</em> class has several <em>Decrypt</em> overloads:</p>
<ul>
<li><em>Decrypt()</em></li>
<li><em>Decrypt(RecipientInfo)</em></li>
<li><em>Decrypt(X509Certificate2Collection)</em></li>
<li><em>Decrypt(RecipientInfo, X509Certificate2Collection)</em></li>
</ul>
<p>Each <em>Decrypt</em> overload decrypts the contents of the decoded enveloped CMS/PKCS #7 data. Each searches the current-user and local-machine <em>My</em> stores for a certificate that matches one of the message's recipients, together with that certificate's private key.</p>
<p>The last two overloads accept an additional collection of X.509 certificates (the "extra store"), which is searched as well for a matching decryption certificate.</p>
<p>The two most common errors while decrypting are:</p>
<ul>
<li>"The enveloped-data message does not contain the specified recipient." This means that <strong>no matching certificate was found</strong> in either My store or in the extra store.</li>
<li>"Cannot find object or property." A matching certificate was found, but <strong>it has no private key</strong>, so it cannot be used to decrypt the enveloped data.</li>
</ul>
<p>Whether a store entry has a private key depends on what was imported: a .cer file carries only the public certificate, while a .pfx (PKCS #12) file carries the certificate together with its private key. Of the three usual ways of adding a certificate to the My store, only the last one imports the private key:</p>
<ul>
<li>the "Personal" tab in CertMgr (does not import the private key),</li>
<li>the MMC "Certificates" snap-in ("My user account") (does not import the private key),</li>
<li>double-clicking the .pfx file (imports the private key).</li>
</ul>
<p>In many cases the data is <strong>encrypted for two or more certificates</strong> (for example for both the sender and the receiver, so that each of them can decrypt the message); the message then carries one <em>RecipientInfo</em> per certificate.</p>
<p>The problem with all <em>Decrypt</em> overloads is that <strong>they use only the first matching certificate they find</strong>. Matching is done on the recipient identifier carried in each <em>RecipientInfo</em>, normally the issuer name and serial number of the certificate. Both My stores are searched first, then the extra store (the passed certificate collection).</p>
<p>This leads to a problem when both certificates are present in the My store, but only one of them has a private key.</p>
<p>.NET uses the first certificate it finds. If that is the one without the private key, the "Cannot find object or property" exception is thrown, even though the other certificate could have decrypted the message.</p>
<p>The only workaround is to attempt decryption separately for each <em>RecipientInfo</em>, using the <em>Decrypt(RecipientInfo, X509Certificate2Collection)</em> overload, and to stop at the first attempt that succeeds. This way every recipient's certificate is tried.</p>
<p>Mail.dll <a href="/mail">.NET secure email component</a> does this automatically, so no additional code is required.</p>
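The per-recipient workaround described above, written out as an added example. This is not Mail.dll code and not code from the original post; the class and method names (<em>EnvelopedCmsDecryptor</em>, <em>DecryptTryingAllRecipients</em>, <em>DescribeRecipients</em>) are made up for this example, and it assumes the .NET Framework <em>System.Security</em> assembly (on .NET Core the same types come from the <em>System.Security.Cryptography.Pkcs</em> package). The diagnostic method goes a little beyond the post: it reports, for each recipient, whether a certificate with a private key is available, which is exactly the information the two exceptions hide.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (hypothetical helper, not Mail.dll code): decrypts an EnvelopedCms by
// trying every RecipientInfo in turn, so that a store entry without a private key does
// not mask a usable certificate for another recipient.
public static class EnvelopedCmsDecryptor
{
    // envelopedData: the DER-encoded CMS EnvelopedData (e.g. the decoded body of an
    // application/pkcs7-mime S/MIME part).
    // extraStore: certificates searched in addition to the CurrentUser and LocalMachine
    // My stores; may be an empty collection.
    public static byte[] DecryptTryingAllRecipients(byte[] envelopedData, X509Certificate2Collection extraStore)
    {
        var cms = new EnvelopedCms();
        cms.Decode(envelopedData);

        CryptographicException last = null;
        foreach (RecipientInfo recipient in cms.RecipientInfos)
        {
            try
            {
                // Restricting Decrypt to a single recipient means that a failure here
                // (e.g. the matching certificate has no private key) does not stop us
                // from trying the next recipient's certificate.
                cms.Decrypt(recipient, extraStore);
                return cms.ContentInfo.Content;
            }
            catch (CryptographicException ex)
            {
                // Typically "Cannot find object or property." (no private key) or
                // "The enveloped-data message does not contain the specified recipient."
                last = ex;
            }
        }

        throw new CryptographicException(
            "No recipient of the enveloped-data message could be decrypted with an available private key.",
            last);
    }

    // Diagnostic: for each recipient identified by issuer and serial number, report
    // whether the given store holds that certificate with a private key. Uses the same
    // issuer-DN + serial-number matching that EnvelopedCms itself uses.
    public static string DescribeRecipients(byte[] envelopedData, X509Certificate2Collection store)
    {
        var cms = new EnvelopedCms();
        cms.Decode(envelopedData);
        var sb = new StringBuilder();

        foreach (RecipientInfo recipient in cms.RecipientInfos)
        {
            SubjectIdentifier id = recipient.RecipientIdentifier;
            if (id.Type != SubjectIdentifierType.IssuerAndSerialNumber)
            {
                // Subject key identifier (or unknown) recipients are just listed.
                sb.AppendLine("recipient identified by " + id.Type + ": " + id.Value);
                continue;
            }

            var issuerSerial = (X509IssuerSerial)id.Value;
            X509Certificate2Collection matches = store
                .Find(X509FindType.FindByIssuerDistinguishedName, issuerSerial.IssuerName, false)
                .Find(X509FindType.FindBySerialNumber, issuerSerial.SerialNumber, false);

            bool usable = false;
            foreach (X509Certificate2 cert in matches)
            {
                if (cert.HasPrivateKey) { usable = true; break; }
            }

            sb.AppendLine(issuerSerial.IssuerName + " / " + issuerSerial.SerialNumber + ": " +
                (matches.Count == 0 ? "no certificate"
                 : usable ? "certificate with private key available"
                 : "certificate present but without private key"));
        }
        return sb.ToString();
    }

    // Usage: EnvelopedCmsDecryptor.exe message.p7m
    public static void Main(string[] args)
    {
        byte[] data = File.ReadAllBytes(args[0]);

        // Snapshot the current user's My store so the diagnostic can look at it directly.
        var my = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        my.Open(OpenFlags.ReadOnly);
        Console.Write(DescribeRecipients(data, my.Certificates));
        my.Close();

        byte[] plain = DecryptTryingAllRecipients(data, new X509Certificate2Collection());
        Console.WriteLine(Encoding.ASCII.GetString(plain));
    }
}
```

The decrypt loop relies on two documented behaviours: <em>Decrypt(RecipientInfo, X509Certificate2Collection)</em> searches the My stores and the extra store only for the certificate named by that one recipient, and a failed <em>Decrypt</em> leaves the decoded <em>EnvelopedCms</em> untouched, so the next recipient can be tried on the same instance. The diagnostic matches certificates the way .NET does (issuer distinguished name, then serial number) rather than by comparing issuer strings, because the string form of a DN is not stable across APIs.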