0

I need to send an encrypted email with a binary attachment from bash. I've read the RFC, and the openssl docs as well as a couple additional posts here in SF to no avail.

So far the process I understand goes like this:

  1. Create a MIME message
  2. use openssl smime to encrypt it generating additional headers for the envelope. This should be signed with my own private key but encrypted with the recipient's public key.
  3. pipe this output to sendmail
  4. The receiver should be able to decrypt the whole thing in outlook.

However what I'm seeing is a bit of garbled text. If anyone can shine some light where I'm messing up, I'd be thankful.

What follows are the nitty gritty details:

1. MIME Message

From: <FROM>
To: <TO>
Subject: <SUBJECT>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="<BOUNDARY>"

--<BOUNDARY>
Content-Type: text/plain; charset=utf-8

<TEXT>

--<BOUNDARY>
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename= "<FILENAME>"

<BASE64_DATA>

--<BOUNDARY>

2. The signing & Encrypting:

SIGNED=$(openssl smime -sign -in mime.txt -signer MyPublic.cer -inkey MyPrivate.key)
ENCRYPTED=$(openssl smime -encrypt -subject "Work damn you" RecipientPublic.cer <<< $SIGNED)

3. The Sending

echo "$ENCRYPTED" | sendmail recipient@hush-hush.com
oguz ismail
  • 1
  • 16
  • 47
  • 69
dorphalsig
  • 689
  • 1
  • 10
  • 27
  • The ending boundary in a multipart should have `--` at the end like `--valuefromheader--` but otherwise it looks good to me. However I can't help with the Outlook side; it took me decades to escape the opression of that evil empire. You might try simpler cases like encrypting without signing and simple text instead of multipart to (maybe) narrow it down. – dave_thompson_085 Dec 31 '20 at 04:42
  • You will need to separate some, but not all, headers from the body, then encrypt the body only, add some 'outside' headers, put it all together. For details, please check if [https://stackoverflow.com/q/60380150/4850949](this question and answer) help you. – not2savvy Dec 31 '20 at 09:57

1 Answers1

0

so... after blood and tears it is done.

Lessons learned:

  1. Also the Content-Type: multipart/alternative; should be Content-Type: multipart/mixed; else the email clients will be confused and show garbage.
  2. @dave_thompson_085 's comment of the missing -- at the end were spot on. That was part of the whole drama. be any funky word-wrapping that will mess up the encoding (don't ask me why).
  3. In Bash, as in real-life, quotes are important. So ENCRYPTED=$(openssl smime -encrypt -subject "Work damn you" RecipientPublic.cer <<< $SIGNED) should really be ENCRYPTED=$(openssl smime -encrypt -subject "Work damn you" RecipientPublic.cer <<< "$SIGNED")
  4. Openssl will take care of enveloping the appropriate headers, so there's no need to do anything here except the -subject flag.
dorphalsig
  • 689
  • 1
  • 10
  • 27