This morning I was testing a program that builds a certificate request (for S/MIME encryption) and submits it to a CA in our new MS PKI. The tests went well and I generated, installed and deleted some certificates. Later my colleague Thomas ran the program to install a certificate and sent me a signed (and encrypted) e-mail. I was surprised to find that I could not read it in Outlook.
This is how Outlook tells you that you do not have the private key needed to decrypt the message.
Fortunately I had backed up my certificates (this was Windows XP, so I used "certmgr.msc" to export the certs with their private keys) before the tests. Rather than re-install all the certificates, I decided to find out which certificate Thomas had encrypted the e-mail for, but Outlook stubbornly refused to let me inspect the e-mail in any way or save it to a file.
As we have IMAP enabled in our Exchange environment, I used Thunderbird to download the e-mail and save it to a file, which I then edited to remove the headers. That left just the base64-encoded S/MIME part.
I decoded that with "base64 -d thomas.b64 > thomas.bin", which left me with an encrypted blob containing a few readable strings that tell you which Certificate Authority issued the certificates it is encrypted for, but no obvious indication of the recipients. S/MIME uses the CMS format (RFC 5652), in which each KeyTransRecipientInfo carries a RecipientIdentifier that names the recipient's certificate rather than the recipient: either the issuing CA's name plus the certificate serial number (IssuerAndSerialNumber, which is what this message used) or the certificate's SubjectKeyIdentifier.
CMS uses ASN.1 with DER encoding, so you can parse this blob with the ASN.1 parser in OpenSSL:
openssl asn1parse -in thomas.bin -inform DER > thomas.txt
View the output and you will find lines like these, repeated for each recipient:
  807:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  812:d=9  hl=2 l=  33 prim: PRINTABLESTRING   :Example Internal Sub CA
  847:d=6  hl=2 l=  10 prim: INTEGER           :238DC0A500000000001A
The third line is the serial number of the certificate (the Microsoft CA adds some "random" high bytes to its serial numbers, so the low bytes are the part to compare). Then I went through my backup and, sure enough, found that I have an encryption certificate with serial number ….001A, and once I had re-installed that cert Outlook was able to decrypt the e-mail.
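The asn1parse output above has to be read by eye, and the issuer name and serial number of one recipient are split across different nesting depths, which gets tedious when a message has several recipients. The script below is an added example, not part of the original post: a standard-library Python walker that decodes the base64 part (or the DER blob) and prints one line per RecipientInfo with the issuer DN and serial number, or the SubjectKeyIdentifier when the sender's mailer used that form instead. The CA name, serial number, key identifier and all algorithm parameters in the embedded sample message are constructed for the example, and the ciphertext bytes are dummies; only the structure is real CMS.

```python
"""Added example (not from the original post): list the RecipientIdentifiers of a CMS EnvelopedData,
i.e. which certificates an S/MIME message was encrypted for.  Stdlib only; the sample at the bottom is constructed."""
import base64

OID_ENVELOPED_DATA, OID_DATA = "1.2.840.113549.1.7.3", "1.2.840.113549.1.7.1"
OID_RSA, OID_AES128_CBC = "1.2.840.113549.1.1.1", "2.16.840.1.101.3.4.1.2"
ATTR_SHORT = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C",
              "0.9.2342.19200300.100.1.25": "DC"}            # attribute types common in issuer DNs

# ---- minimal DER decoding; single-byte tags cover everything inside EnvelopedData ----
def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                                    # constructed element -> [(tag, content), ...]
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(content):
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_name(content):
    """X.501 Name -> 'DC=example, CN=...' in encoded order (PrintableString/UTF8String values)."""
    parts = []
    for _, rdn in children(content):                      # RDN = SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTR_SHORT.get(decode_oid(oid), decode_oid(oid))}={val.decode()}")
    return ", ".join(parts)

def recipients(data):
    """RecipientIdentifier of every RecipientInfo; accepts DER bytes or the base64 text of the mail part."""
    if isinstance(data, str):
        data = base64.b64decode(data)                     # line breaks in the saved body are ignored
    _, ci, _ = read_tlv(data)
    (_, ctype), (ctag, content) = children(ci)
    if decode_oid(ctype) != OID_ENVELOPED_DATA or ctag != 0xA0:
        raise ValueError("not a CMS EnvelopedData")
    (_, enveloped), = children(content)                   # [0] EXPLICIT EnvelopedData
    recipient_infos = next(v for t, v in children(enveloped) if t == 0x31)   # skips version and [0] OriginatorInfo
    found = []
    for tag, ri in children(recipient_infos):
        if tag != 0x30:                                   # kari [1], kekri [2], pwri [3], ori [4]
            found.append(("other", f"RecipientInfo tag 0x{tag:02X}"))
            continue
        _version, (rid_tag, rid) = children(ri)[:2]       # KeyTransRecipientInfo
        if rid_tag == 0x30:                               # IssuerAndSerialNumber
            (_, issuer), (_, serial) = children(rid)
            hexval = f"{int.from_bytes(serial, 'big', signed=True):X}"
            found.append(("issuerAndSerialNumber", decode_name(issuer), hexval.zfill(len(hexval) + len(hexval) % 2)))
        elif rid_tag == 0x80:                             # [0] IMPLICIT SubjectKeyIdentifier
            found.append(("subjectKeyIdentifier", rid.hex().upper()))
    return found

def der(tag, content):                                    # DER TLV encoder, used only for the constructed sample
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:                                    # base 128, high bit set on all but the last octet
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        body += chunk
    return der(0x06, bytes(body))

def der_int(n):                                           # non-negative INTEGER, minimal length
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))
def der_name(*attrs):                                     # one PrintableString attribute per RDN
    return der(0x30, b"".join(der(0x31, der(0x30, der_oid(o) + der(0x13, v.encode()))) for o, v in attrs))
def ktri(version, rid):                                   # KeyTransRecipientInfo: rsaEncryption, dummy wrapped key
    return der(0x30, der_int(version) + rid + der(0x30, der_oid(OID_RSA) + der(0x05, b"")) + der(0x04, b"\x00" * 32))

# ---- constructed sample: one issuer+serial recipient, one SKI recipient (SET OF order not normalised) ----
ISSUER = der_name(("0.9.2342.19200300.100.1.25", "example"), ("2.5.4.3", "Example Internal Sub CA"))
SERIAL, SKI = 0x238DC0A500000000001A, bytes(range(20))   # constructed values; the serial mimics an MS CA's style
SAMPLE_CMS = der(0x30, der_oid(OID_ENVELOPED_DATA) + der(0xA0, der(0x30,
    der_int(2)                                                         # version 2 because a SKI rid is present
    + der(0x31, ktri(0, der(0x30, ISSUER + der_int(SERIAL)))           # rid = IssuerAndSerialNumber
              + ktri(2, der(0x80, SKI)))                               # rid = [0] SubjectKeyIdentifier
    + der(0x30, der_oid(OID_DATA)                                      # EncryptedContentInfo: AES-128-CBC, dummy IV
              + der(0x30, der_oid(OID_AES128_CBC) + der(0x04, b"\x00" * 16))
              + der(0x80, b"\x00" * 32)))))                            # [0] IMPLICIT EncryptedContent (dummy)
SAMPLE_SMIME_BODY = base64.encodebytes(SAMPLE_CMS).decode()            # as it sits in the saved mail part

if __name__ == "__main__":
    for r in recipients(SAMPLE_SMIME_BODY):
        print(*r)
```

To use it on a real message, pass the base64 body you saved from Thunderbird (or the decoded thomas.bin bytes) to recipients() and compare each issuer/serial pair with "openssl x509 -in backup.cer -noout -issuer -serial" for the certificates in your backup; an exported PFX can be converted with "openssl pkcs12 -nokeys" first. If you would rather not run a script, "openssl cms -cmsout -print -in thomas.bin -inform DER" dumps the same RecipientInfo structure with the issuer and serial number grouped together, which is easier to read than raw asn1parse output. The script keeps an "other" entry for agreement or password based RecipientInfo types so that a message with no KeyTransRecipientInfo at all does not silently report zero recipients.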