How can I insert the signers certificate in the signed email?.

I was testing the example and the signed email, hasn't got a certificate from the person who signed the email.

Thanks.

That can happen - the inclusion of the signing certificates is optional.

In that case you just need to source the signing certificate from elsewhere. The fundamental principles are the same.

Regards,

David

Yes I know that is possible, but I would like to know where or how I have to insert the public certificate of the signer of the Signed Mime Message.


The example has added, issuer and serialnumber in the signerInfo object
but has not added the signers or root certificate.

I would like to insert a certificate. The signers public certificate or public root certificate, email clients have to identify who send the email or could validate the signed email.

In the example seems the certifcates are included in the signed email with the method .addCertificatesAndCRLs


SMIMESignedGenerator gen = new SMIMESignedGenerator();

gen.addSigner(key, cert, SMIMESignedGenerator.DIGEST_SHA256, new AttributeTable(signedAttrs), null);

gen.addCertificatesAndCRLs(certsAndCRLs);


I have inserted code to send an email, but in Thunderbird email client tells me that the email received hasn't got a digital signature from sender. There is no certificate.

Maybe I have to insert the public certificate from signer or the rootCA like a signed atributte

These are the signed atributes at the RFC5751

- Signing Time (section (Section 2.5.1 in this document)
- SMIME Capabilities (section (Section 2.5.2 in this document)
- Encryption Key Preference (section (Section 2.5.3 in this
document)
- Message Digest (section (Section 11.2 in [CMS])
- Content Type (section (Section 11.1 in [CMS])

And tells this:
Sending agents SHOULD generate one instance of the signingCertificate
or signingCertificatev2 signed attribute in each SignerInfo
structure

I'm not sure if I have to insert the signers certificate or root certificate like a signed atributte of SMime Capabilities.

And I'm not sure how

Is there an example to do this?

Any help would be appreciated

Yes, you use addCertificatesAndCRLs. The certificate associated with "cert" would need to be included in the CertStore. It must be associated with the private key of the signer.

For a signature to be validated the trust anchor for "cert" would need to be accepted into Thunderbird. You can also add the ca certificates and trust anchor to the cert store, which might help, on the other hand the trust anchor may need to be imported separately.

Regards,

David

I have exported rootCert created in the example to root.cer

And I have installed into windows keystore and thunderbird keystore but is not validating or showing the signers certificate in the signed email.

I can see the signed data in thunderbird.


I have another cuestion:

In the method
gen.addSigner(key, cert, SMIMESignedGenerator.DIGEST_SHA256, new AttributeTable(signedAttrs), null);

there are a private key and cert

key has to be extracted from cert, isn't it?

endEntitykey has to be extracted from endEntitykey.

The parameters of the method addSigner
key - key to use to generate the signature
cert - the public key certificate associated with the signer's key.
digestOID - object ID of the digest algorithm to use.
signedAttr - signed attributes to be included in the signature.
unsignedAttr - unsigned attribitues to be included.

I'm confused, when method addSigner() is callled in the example of the book, "key" is private key from END_ENTITY_ALIAS and cert is the certificate from INTERMEDIATE_ALIAS.
Should It use key (private key from END_ENTITY_ALIAS and cert from END_ENTITY_ALIAS the public key certificate associated with the signer's key?