BlackBerry Forums Support Community

BlackBerry Forums Support Community (http://www.blackberryforums.com/index.php)
-   Developer Forum (http://www.blackberryforums.com/forumdisplay.php?f=15)
-   -   working with S/MIME (http://www.blackberryforums.com/showthread.php?t=256171)

taraspaliy 12-12-2011 07:42 AM

working with S/MIME
 
Hi All!
I'm a developer working with a BlackBerry Pearl 9105.
I've installed the S/MIME Support Package and have valid certificates in the key store.
The problem is, when I want to create a new email, the "Encoding" button is absent.
Can you help me with this? Maybe I've set a wrong configuration?

Thanks for your help in advance

NJBlackBerry 12-12-2011 01:11 PM

Re: working with S/MIME
 
Moved to the Developer Forum.

hrbuckley 12-12-2011 08:28 PM

Re: working with S/MIME
 
S/Mime support for email is only available on BES (Desktop) email accounts.

It does work on PIN to PIN messages, so if you compose a PIN message you should see the Encoding option.

taraspaliy 12-13-2011 10:23 AM

Re: working with S/MIME
 
Thanks for the reply.

Is it possible to use S/MIME with BIS?
All I need to do is test my certificate set, stored on a smart card:
some functions like decrypt, encrypt, sign and verify, to check how native BB applications
use the BB Key Store.

best regards

hrbuckley 12-13-2011 05:41 PM

Re: working with S/MIME
 
Yes, PIN to PIN messages travel via BIS. You should probably enlist the assistance of someone else with a BlackBerry to help test it, but we use S/Mime to encrypt PIN messages.

taraspaliy 12-14-2011 02:15 AM

Re: working with S/MIME
 
Thank you very much, it helped. But with PIN messages I can only send plain data;
when I'm trying to sign or decrypt a message, the following error appears:
"You do not have a certificate for the following recipients"

If you know, can you please provide me with information about how I should configure my device to be able to send encrypted messages.

Thank you

hrbuckley 12-14-2011 09:46 AM

Re: working with S/MIME
 
You need the certificate for everyone you want to encrypt a PIN to, and you need the certificate of everyone whose signature you wish to verify. If you are sure that you have their certificates in your certificate store, and they are trusted, you may need to associate the certificate with the Address Book entry containing their PIN.

Go into Options -> Security -> Advanced Security -> Certificates and select Show Others.

Highlight the certificate belonging to the person in question, press the BB menu key and select Associate Addresses. You should see the address specified in the X.509 certificate DN. Highlight the field under Other Addresses, bring up the menu and select Add Address. Go through your Address Book to find the entry for the person that has their PIN in it, and add an email address that isn't the one in the X.509 cert DN. If the person only has that one email address you can make up a bogus one for them (just remember not to use it). Going through this dance associates the certificate with the "person" associated with the PIN. The Messages application should then be able to find the certificate.

This isn't necessary if you have a certificate server that you can configure in your S/MIME setup, and it works quite a bit more smoothly with a BES and a knowledgeable administrator. But you can get PINs to work.

taraspaliy 12-15-2011 07:09 AM

Re: working with S/MIME
 
Thank you for the response.
Actually I did what you said, and I faced some problems:
- when I'm trying to Sign a message, an ObjectGroupReadOnlyException is thrown
- when I'm trying to Encrypt, I see two messages:
1) The following recipient has a certificate chain with a stale status. I can't fetch the status because I don't have a BES.
So I click on Send anyway, and I see
2) There may be a problem with your encryption certificate

I see the sent message, with the error that the S/MIME message cannot be decoded because an unexpected error occurred.

hrbuckley 12-15-2011 08:13 AM

Re: working with S/MIME
 
You get a stale status because you don't have access to either a CRL or an OCSP server to provide that information. There is an API to set a certificate status, but I haven't seen anything exposed in the UI to set it manually. You can set up servers to provide CRL or OCSP services, and you can also set up an LDAP server to provide certificates, but it is a lot of work to configure and maintain them.

Without knowing the version of the OS you're using, or how you made and signed your certificates, it is difficult to say what may be causing your encryption problem.

As I said before, S/MIME support is meant to be used with a BES; you can make it work with PIN messages, but you have to get all the pieces set up just right.

taraspaliy 12-15-2011 08:28 AM

Re: working with S/MIME
 
Thanks very much.

Is there any alternative to S/MIME, or maybe some native application that uses the BlackBerry key store the same way S/MIME does?
Because I just need to find out how native BB apps work with the key store.

best regards

hrbuckley 12-15-2011 10:17 AM

Re: working with S/MIME
 
There is a PGP client, but I don't know how it interfaces with the key store, if at all, and it is a commercial package.

I have a fair amount of experience using both symmetric and public key cryptography and the key store on BlackBerry; what do you need to know? I may be able to pull examples out of some of my applications.

taraspaliy 12-15-2011 10:35 AM

Re: working with S/MIME
 
Thanks, I've read about the PGP client already, but it's not suitable for me.

About my app: it emulates a real smart card, but as a software token. We have our own protected storage, where we keep certificates and the corresponding keys (public, private).
We're able to export certificates and the corresponding keys to the BlackBerry key store. But the private key is not exposed; we just return a reference to the private key stored in our app.

Also we've implemented RSACryptoToken, and all crypto operations like encryptRSA, decryptRSA, signRSA and verifyRSA and some others are performed inside our app.

So third-party applications can perform operations through the RSACryptoToken methods, and they know how to use them.
But the question is how native BB apps use the key store, to ensure that our logic fits the BB apps' logic.

hrbuckley 12-16-2011 08:54 AM

Re: working with S/MIME
 
Well, I'm not sure I understand exactly what you are doing when you say "we just return a reference to the private key stored in our app", but I have to wonder if that is causing the issues with the S/MIME Support Package. It sounds a bit like what malware would try to do to exploit the trust relationship implied by a private/public key pair.

taraspaliy 12-16-2011 09:33 AM

Re: working with S/MIME
 
"We're able to export certificates and corresponding keys to BlackBerry key store. But the private key is not exposed, and we just return a reference to the private key stored in our app."

BlackBerry's API provides the CryptoSmartCardSession class, which has a method getKeyStoreDataArrayImpl

with the description:

"Returns an array of KeyStoreData associated with the keys stored on the card.

The array should contain all the private keys (or references to), symmetric keys (or references to), public keys and certificates on the card.

If a KeyStoreData contains public keys, they must be valid PublicKeys. Public key cryptographic operations will be handled by the device and not by the smartcard.

If the key store contains certificates, they must be valid Certificates."

hrbuckley 12-16-2011 03:09 PM

Re: working with S/MIME
 
I will have to have a look at the API and documentation. At the moment I am perplexed by the phrase "Public key cryptographic operations will be handled by the device and not by the smartcard." This will be difficult to do while not exposing any necessary private keys to the device at some point.

I haven't used the Smart Card API yet, but I will let you know if I find anything worth looking into.

taraspaliy 12-19-2011 05:19 AM

Re: working with S/MIME
 
OK, thanks

taraspaliy 01-25-2012 10:54 AM

Re: working with S/MIME
 
Hello again.

Does anybody know what algorithms S/MIME uses for encrypting and verifying messages?
Does S/MIME use padding?

thanks
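The following is an added, constructed example and is not code from any post in this thread, from RIM's API or from the software token taraspaliy describes. It ties together two points raised above: the token design in which the private key never leaves the app and callers only get a reference to it (12-15-2011 post), and the 01-25-2012 question about algorithms and padding. The S/MIME profiles of that era (RFC 3851 and RFC 5751, layered on CMS, RFC 5652) used RSA with PKCS#1 v1.5 padding both for signatures and for transporting the content-encryption key, and 3DES-CBC or AES-CBC with PKCS#7 block padding for the content itself; later revisions add RSA-PSS, RSA-OAEP and AES-GCM. The pure-standard-library Python below models exactly that division: a token object generates toy RSA keys and performs the private-key operations internally, the "device" side does the public-key operations, and each padding layer is written out. The SHA-256 DigestInfo prefix is the one from RFC 8017; the class and function names, the 512-bit key size, the Fermat-test key generation, the seeded RNG and the sample message body are all assumptions of the example, and the key size is far too small for anything but a demo.

```python
"""Toy model of the token design from the thread plus the two paddings a CMS/S/MIME
stack applies (PKCS#1 v1.5 around RSA, PKCS#7 around CBC content). Demo only."""
import hashlib
import random
import secrets

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _gen_prime(bits: int, rng: random.Random) -> int:
    """Random probable prime; a Fermat test to a few bases is demo-grade only."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if all(pow(a, cand - 1, cand) == 1 for a in (2, 3, 5, 7, 11, 13)):
            return cand

def _k(n: int) -> int:
    return (n.bit_length() + 7) // 8  # modulus length in bytes

def pkcs7_pad(data: bytes, block: int = 16) -> bytes:
    """PKCS#7 block padding applied before CBC content encryption (RFC 5652, 6.3)."""
    n = block - len(data) % block
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes, block: int = 16) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]

def pkcs1_v15_type1(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 DigestInfo (RSA signatures)."""
    t = SHA256_DIGESTINFO + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def pkcs1_v15_type2(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 block 00 02 <non-zero random PS> 00 M (RSA key transport)."""
    if k < len(msg) + 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_type2_unpad(em: bytes) -> bytes:
    sep = em.find(b"\x00", 2)  # PS must be at least 8 bytes, so sep >= 10
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad PKCS#1 v1.5 type 2 padding")
    return em[sep + 1:]

class SoftwareToken:  # keeps private keys; callers only ever see an opaque handle
    def __init__(self, seed: int = 1):
        self._rng = random.Random(seed)  # deterministic demo keys, not for real use
        self._priv = {}  # handle -> (n, d)
        self.e = 65537

    def generate(self, bits: int = 512) -> tuple:
        while True:
            p, q = _gen_prime(bits // 2, self._rng), _gen_prime(bits // 2, self._rng)
            phi = (p - 1) * (q - 1)
            if p != q and phi % self.e:  # e is prime, so this is gcd(e, phi) == 1
                break
        handle = "key-%d" % len(self._priv)
        self._priv[handle] = (p * q, pow(self.e, -1, phi))
        return handle, (p * q, self.e)  # only the public half reaches the key store

    def sign(self, handle: str, data: bytes) -> bytes:
        n, d = self._priv[handle]
        em = pkcs1_v15_type1(hashlib.sha256(data).digest(), _k(n))
        return pow(int.from_bytes(em, "big"), d, n).to_bytes(_k(n), "big")

    def decrypt(self, handle: str, ct: bytes) -> bytes:
        n, d = self._priv[handle]
        em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(_k(n), "big")
        return pkcs1_v15_type2_unpad(em)

def verify(pub: tuple, data: bytes, sig: bytes) -> bool:
    """Device side: rebuild the expected block and compare it whole."""
    n, e = pub
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(_k(n), "big")
    return secrets.compare_digest(em, pkcs1_v15_type1(hashlib.sha256(data).digest(), _k(n)))

def encrypt(pub: tuple, msg: bytes) -> bytes:
    """Device side: RSA key transport of a content-encryption key."""
    n, e = pub
    em = pkcs1_v15_type2(msg, _k(n))
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(_k(n), "big")

def demo() -> dict:
    token = SoftwareToken(seed=2011)
    handle, pub = token.generate()
    body = b"Hello from the token"  # constructed sample message body
    sig = token.sign(handle, body)  # private operation stays inside the token
    cek = secrets.token_bytes(16)  # content-encryption key for the body
    return {
        "verified": verify(pub, body, sig),
        "tampered": verify(pub, body + b"!", sig),
        "cek_roundtrip": token.decrypt(handle, encrypt(pub, cek)) == cek,
        "padded_len": len(pkcs7_pad(body)),  # what the CBC cipher would actually see
    }
```

Calling demo() returns a dict of results. Two design points are worth noticing: the verifier rebuilds the expected EMSA-PKCS1-v1_5 block and compares it whole instead of parsing the padding out of the decrypted signature, which is the comparison RFC 8017 specifies and avoids the classic "lenient parser" signature forgeries; and every private-key operation goes through the handle, so a caller holding only the public tuple cannot recover d. None of this is the BlackBerry RSACryptoToken interface itself; it only models the split of work that the quoted API documentation describes (public-key operations on the device, private-key operations behind the token).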

sanchezfx 02-24-2012 11:59 PM

Re: working with S/MIME
 
ARRGGGG TARA MAYBE YOU CAN HELP ME....

I need to convert my company's public keys or .cer files to ALX and COD files so I can push them via software configuration.

After weeks of failed attempts by DART support, I feel I'm not getting the expertise we require from RIM.

All KB articles on how to configure S/MIME have been followed and all the i's are dotted and the T's are crossed.

BY NOW I'M JUST LOOKING TO TAKE OUR PUBLIC CERTS AND PACKAGE THEM AS ALX AND COD FILES SO WE CAN PUSH THEM WIRELESSLY AND STOP THE INSANITY!!!!!

CAN SOMEONE HELP ME !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Configuring BlackBerry devices to enroll certificates over the wireless network

You can configure the BlackBerry® Enterprise Server to permit BlackBerry devices to enroll certificates that the devices can use with any PKI-enabled application or process. You can permit devices to enroll the certificates instead of instructing users to send the certificates to themselves in an email message or use the certificate synchronization tool in the BlackBerry® Desktop Software. When you configure the BlackBerry Enterprise Server to permit devices to enroll certificates, you can control how users request certificates and which certification authority issues the certificates.

