S/MIME
Usage
The S/MIME module enables you to encrypt, decrypt or sign MIME-formatted input messages and to check their signatures.
RSA with PKCS #1 v1.5, PSS and OAEP padding is supported, as are EC keys and RSA public keys with a length of 2048 bits.
The S/MIME module does not support input messages in p7m format.
Generating Keys and Certificates in the S/MIME Utility
For encryption, you need keys, which you can generate using the Java keytool. You specify the algorithm to be used when generating the key.
For information about calling keytool, refer to Configuring SSL Connections and Server Authentication.
Example: Generating a key
keytool \
-genkey \
-dname "O=Virtimo, C=de" \
-validity 365 \
-keystore smime.keystore \
-keypass inubit \
-storepass inubit \
-alias inubit \
-keyalg RSA
Example: Exporting the certificate
keytool \
-export \
-keystore smime.keystore \
-alias inubit \
-file smime.cer
Module Variables of the S/MIME Utility
The following table contains variables that are set by the S/MIME Utility based on the input message:
Module variable | Value
---|---
 | Content encryption algorithm used to encrypt the message content
 | Key encryption algorithm used to exchange the symmetric keys necessary to encrypt the content
 | Information whether the message is encrypted (
 | Signature hash algorithm used for the message
 | Signature algorithm used for the message
 | Information whether the message is signed (
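The signed and encrypted flags in the table above can be derived from the outer MIME headers of an S/MIME message, and for clear-signed messages the signature hash algorithm as well. The following added example (not INUBIT code) shows that derivation with the Python standard library; the content and key encryption algorithms live inside the CMS structure and are not recovered here, since that needs a CMS parser such as Bouncy Castle.

```python
import email
from email import policy

# Hash names announced in the micalg parameter (RFC 8551 spellings).
MICALG_NAMES = {"sha1": "SHA-1", "sha-1": "SHA-1",
                "sha256": "SHA-256", "sha-256": "SHA-256",
                "sha384": "SHA-384", "sha-384": "SHA-384",
                "sha512": "SHA-512", "sha-512": "SHA-512"}


def classify_smime(raw: str) -> dict:
    """Derive signed/encrypted flags and the signature hash from MIME headers.

    Only what the outer MIME layer exposes is recovered; the content and key
    encryption algorithms are inside the CMS blob and need a CMS parser.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    result = {"signed": False, "encrypted": False, "signature_hash_algo": None}
    if ctype == "multipart/signed":
        # Clear-signed message: the hash algorithm is announced in micalg.
        result["signed"] = True
        micalg = (msg.get_param("micalg") or "").lower()
        result["signature_hash_algo"] = MICALG_NAMES.get(micalg, micalg or None)
    elif ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "signed-data":
            # Opaque-signed: hash algorithm only visible inside the CMS data.
            result["signed"] = True
        elif smime_type in ("enveloped-data", "authenveloped-data"):
            result["encrypted"] = True
    return result


# Constructed samples (not real messages): signature and ciphertext bodies
# are placeholder base64 so the classification can be shown offline.
SIGNED_MSG = (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
    ' micalg=sha-256; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n'
    'hello\n--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n'
    'Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n'
)
ENCRYPTED_MSG = (
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\n'
    ' name=smime.p7m\nContent-Transfer-Encoding: base64\n\nAAAA\n'
)

if __name__ == "__main__":
    print(classify_smime(SIGNED_MSG))     # signed, SHA-256
    print(classify_smime(ENCRYPTED_MSG))  # encrypted
```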
Dialog Description in the S/MIME Utility
Dialog S/MIME Configuration
- MIME encryption
Output messages are S/MIME encrypted. To this end, you as sender need the recipient's public key. You store this key in the next dialog.
- MIME decryption
Input messages are decrypted using the recipient's private key. You store this key in the next dialog.
- Sign MIME
Signs the output messages by adding a digital signature computed with the sender's private key. To do so, you need a private key. You store this key in the next dialog. The recipient needs the sender's public key to verify the signature.
- Check MIME signature / Extract signed data
Allows verifying the signature in the input message against the sender's public key. You store this key in the next dialog. Also allows extracting the message without a prior signature check, as well as copying the message headers.
Dialog S/MIME Encryption
Usage
For the option MIME encryption
This dialog offers the following options:
- Encryption algorithm
Select the encryption algorithm from the drop-down list. To set the encryption algorithm using module properties, set the variable smime.encryption.algo to the required algorithm name.
- Key encryption algorithm
If no key encryption algorithm is selected, the key encryption algorithm configured in the certificate is used. You can also use the smime.key.encryption.algo module property to set the key encryption algorithm via the variables mapping. If this module property is set, it overrides the value configured in this dialog.
- Hashing algorithm
If you have selected the RSAES-OAEP key encryption algorithm, you can choose a hashing algorithm from the drop-down list. SHA-1 is set by default. You can set or override the hashing algorithm using the smime.rsaoaep.hash.algo module property.
- Key wrap algorithm
If you have selected the ECDH key encryption algorithm, you must select a key wrap algorithm from the drop-down list. This algorithm protects a cryptographic key during storage or transmission by encrypting it with another key (for example, AES Key Wrap). AES128_WRAP is set by default.
- Key derivation function
If you have selected the ECDH key encryption algorithm, you must select a key derivation function from the drop-down list. This function derives the cryptographic keys from the input material of the key agreement. ECDH_SHA256KDF is set by default.
- Add recipient's public certificate
Click Add to add the certificate file.
- Certificate data
This field displays an already added certificate.
Dialog S/MIME Decryption
Usage
For the option MIME decryption
In INUBIT, Bouncy Castle is used internally to automatically decrypt messages with the appropriate decryption algorithm.
- Add private key
Click Add to add the private key in JKS format.
- Public key data
This field displays already added private keys.
Dialog S/MIME Sign Message
Usage
For the option Sign MIME
This dialog offers the following options:
- Hashing algorithm
Choose the hashing algorithm from the drop-down list.
- Signature algorithm
If no signature algorithm is selected, the signature algorithm configured in the certificate is used. You can also use the smime.signature.algo module property to set the signature algorithm via the variables mapping. If this module property is set, it overrides the value configured in this dialog.
- Add private key
Click Add to add the private key in JKS format.
- Public key data
This field displays an already added private key.
Dialog Check S/MIME Signature / Extract Signed Data
Usage
For the option Check MIME signature / Extract signed data
- Activate signature verification
If activated, the signatures in the input message are checked by validating them against the public key of the sender.
- Extract signed data
If activated, the signed message is extracted and transferred unchanged, without a signature check. Otherwise, the signed user data are extracted from the message and only these are transferred.
- Copy additional headers
If activated, the message headers are copied in addition.
- Add public certificate of the signer
Click the button to add the certificate of the signer. An already added certificate will be overwritten.
- Certificate data
This field displays the already added certificate.