BlackBerry Forums Support Community               

Old 12-12-2011, 06:42 AM   #1 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default working with S/MIME

Hi All!
I'm a developer, working with BlackBerry Pearl 9105.
I've installed S/MIME Support Package, and have valid certificates in the key store.
The problem is, when I want to create a new email, the button "Encoding" is absent.
Can you help me with this? Maybe I've set wrong configuration?

Thanks for help in advance
Offline  
Old 12-12-2011, 12:11 PM   #2 (permalink)
Grumpy Moderator
 
NJBlackBerry's Avatar
 
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: i5s
Carrier: AT&T
Posts: 27,806
Post Thanks: 33
Thanked 441 Times in 381 Posts
Default Re: working with S/MIME

Moved to the Developer Forum.
Offline  
Old 12-12-2011, 07:28 PM   #3 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2006
Model: LEZ10
OS: 10.0.10
Carrier: Rogers CA
Posts: 1,704
Post Thanks: 20
Thanked 77 Times in 68 Posts
Default Re: working with S/MIME

S/Mime support for email is only available on BES (Desktop) email accounts.

It does work on PIN to PIN messages, so if you compose a PIN message you should see the Encoding option.
__________________
My other Blackberry is a PlayBook.
Offline  
The Following User Says Thank You to hrbuckley For This Useful Post:
taraspaliy (12-13-2011)
Old 12-13-2011, 09:23 AM   #4 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

Thanks for reply.

Is it possible to use S/MIME with BIS?
All I need is to test my certificate set, stored on Smart Card.
Some functions like decrypt, encrypt, sign, verify. To check how native BB applications use BB Key Store.

best regards
Offline  
Old 12-13-2011, 04:41 PM   #5 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2006
Model: LEZ10
OS: 10.0.10
Carrier: Rogers CA
Posts: 1,704
Post Thanks: 20
Thanked 77 Times in 68 Posts
Default Re: working with S/MIME

Yes, PIN to PIN messages travel via BIS. You should probably enlist the assistance of someone else with a BlackBerry to help test it, but we use S/Mime to encrypt PIN messages.
__________________
My other Blackberry is a PlayBook.
Offline  
Old 12-14-2011, 01:15 AM   #6 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

Thank you very much, it helped. But with PIN messages I can send only plain data;
when I'm trying to sign or decrypt a message, the following error appears:
"You do not have a certificate for the following recipients"

If you know, can you please provide me with information about how I should configure my device, to be able to send encrypted messages.

Thank you
Offline  
Old 12-14-2011, 08:46 AM   #7 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2006
Model: LEZ10
OS: 10.0.10
Carrier: Rogers CA
Posts: 1,704
Post Thanks: 20
Thanked 77 Times in 68 Posts
Default Re: working with S/MIME

You need the certificate for everyone you want to encrypt a PIN to, and you need the certificate of everyone whose signature you wish to verify. If you are sure that you have their certificates in your certificate store, and they are trusted, you may need to associate the certificate with the Address Book entry containing their PIN.

Go into Options -> Security -> Advanced Security -> Certificates and select show Others.

Highlight the certificate belonging to the person in question, press the BB menu key and select Associate Addresses. You should see the address specified in the X509 certificate DN. Highlight the field under Other Addresses, bring up the menu and select Add Address. Go through your Address Book to find the entry for the person that has their PIN entry in it, and add an email address that isn't the one in the X509 cert DN. If the person only has that one email address you can make up a bogus one for them (just remember not to use it). Going through this dance associates the certificate with the "person" associated with the PIN. The messages application should be able to find the certificate.

This isn't necessary if you have a certificate server that you can configure in your S/Mime setup, and works quite a bit more smoothly with a BES and knowledgeable administrator. But you can get PINs to work.
__________________
My other Blackberry is a PlayBook.

Last edited by hrbuckley : 12-14-2011 at 08:48 AM. Reason: spelling
Offline  
The Following User Says Thank You to hrbuckley For This Useful Post:
taraspaliy (12-15-2011)
Old 12-15-2011, 06:09 AM   #8 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

Thank you for the response.
Actually I did what you said, and I faced some problems:
- when I'm trying to Sign a message, the ObjectGroupReadOnlyException is thrown
- when I'm trying to Encrypt, I see two messages:
1) The following recipient has a certificate chain with a stale status, I can't perform fetching the status because I don't have BES
So I click on Send anyway, and I see
2) There may be a problem with your encryption certificate

I see the sent message, with an error that the S/MIME message cannot be decoded because an unexpected error occurred.
Offline  
Old 12-15-2011, 07:13 AM   #9 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2006
Model: LEZ10
OS: 10.0.10
Carrier: Rogers CA
Posts: 1,704
Post Thanks: 20
Thanked 77 Times in 68 Posts
Default Re: working with S/MIME

You get a stale status because you don't have access to either CRL or OCSP servers to provide that information. There is an API to set a certificate status but I haven't seen anything exposed in the UI to manually set it. You can set up servers to provide CRL or OCSP services, and you can also set up an LDAP server to provide certificates, but it is a lot of work to configure and maintain them.

Without knowing the version of the OS you're using, or how you made and signed your certificates it is difficult to say what may be causing your encryption problem.

As I said before, S/Mime support is meant to be used with a BES, you can make it work with PIN messages but you have to get all the pieces set up just right.
__________________
My other Blackberry is a PlayBook.
Offline  
Old 12-15-2011, 07:28 AM   #10 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

Thanks very much.

Is there any alternative to S/MIME, or maybe some native application, that uses the BlackBerry key store the same way as S/MIME?
Because I just need to find out the mechanism by which native BB apps work with the key store.

best regards
Offline  
Old 12-15-2011, 09:17 AM   #11 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2006
Model: LEZ10
OS: 10.0.10
Carrier: Rogers CA
Posts: 1,704
Post Thanks: 20
Thanked 77 Times in 68 Posts
Default Re: working with S/MIME

There is a PGP client but I don't know how it interfaces with the key store, if at all, and it is a commercial package.

I have a fair amount of experience using both symmetric and public key cryptography and the key store on BlackBerry, what do you need to know? I may be able to pull examples out of some of my applications.
__________________
My other Blackberry is a PlayBook.
Offline  
Old 12-15-2011, 09:35 AM   #12 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

Thanks, I've read about PGP client already, but it's not suitable for me.

About my app, it emulates a real smart card, but as a software token. We have our protected storage, where we keep certificates and corresponding keys ( public, private ).
We're able to export certificates and corresponding keys to BlackBerry key store. But the private key is not exposed, and we just return a reference to the private key stored in our app.

Also we've implemented RSACryptoToken, and all crypto operations like encryptRSA, decryptRSA, signRSA and verifyRSA and some other are performed inside our app.

So the third party applications can perform operations through RSACryptoToken methods, and they know the way how to use them.
But the question is how native BB apps use the key store, to ensure that our logic fits the BB apps' logic.

Last edited by taraspaliy : 12-15-2011 at 09:46 AM.
Offline  
Old 12-16-2011, 07:54 AM   #13 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2006
Model: LEZ10
OS: 10.0.10
Carrier: Rogers CA
Posts: 1,704
Post Thanks: 20
Thanked 77 Times in 68 Posts
Default Re: working with S/MIME

Well I'm not sure I understand exactly what you are doing when you say "we just return a reference to the private key stored in our app", but I have to wonder if that is causing the issues with the S/Mime support package. It sounds a bit like what malware would try to do to exploit the trust relationship implied by a private/public key pair.
__________________
My other Blackberry is a PlayBook.
Offline  
Old 12-16-2011, 08:33 AM   #14 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

"We're able to export certificates and corresponding keys to BlackBerry key store. But the private key is not exposed, and we just return a reference to the private key stored in our app."

BlackBerry's API provides the CryptoSmartCardSession class, which has a method getKeyStoreDataArrayImpl

with description:

"Returns an array of KeyStoreData associated with the keys stored on the card.

The array should contain all the private keys (or references to), symmetric keys (or references to), public keys and certificates on the card.

If a KeyStoreData contains public keys, they must be valid PublicKeys. Public key cryptographic operations will be handled by the device and not by the smartcard.

If the key store contains certificates, they must be valid Certificates."
Offline  
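The split described in the quoted API text above, sketched as an added example that is not part of the original posts and does not use the BlackBerry API: the token exports only a public key plus an opaque reference, so encrypt and verify run on the device side with the public key, while decrypt and sign are forwarded to the token by reference. All class and function names are hypothetical, and the RSA here is unpadded textbook RSA over a small constructed key, for illustration only.

```python
import hashlib
import secrets

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537


class SoftToken:
    """Hypothetical software token: private exponents never leave this object."""

    def __init__(self):
        self._private = {}  # opaque handle -> (n, d)

    def generate(self):
        n = P * Q
        d = pow(E, -1, (P - 1) * (Q - 1))
        handle = secrets.token_hex(8)
        self._private[handle] = (n, d)
        # What is exported to the key store: public key and a reference only.
        return {"public": (n, E), "private_ref": handle}

    def private_op(self, handle, value):
        n, d = self._private[handle]
        return pow(value, d, n)


def digest_int(message, n):
    """Hash the message and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


# Public-key operations: done on the device with the exported public key alone.
def device_encrypt(entry, m):
    n, e = entry["public"]
    return pow(m, e, n)


def device_verify(entry, message, signature):
    n, e = entry["public"]
    return pow(signature, e, n) == digest_int(message, n)


# Private-key operations: the device only passes the reference to the token.
def device_decrypt(token, entry, c):
    return token.private_op(entry["private_ref"], c)


def device_sign(token, entry, message):
    n, _ = entry["public"]
    return token.private_op(entry["private_ref"], digest_int(message, n))
```
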
Old 12-16-2011, 02:09 PM   #15 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2006
Model: LEZ10
OS: 10.0.10
Carrier: Rogers CA
Posts: 1,704
Post Thanks: 20
Thanked 77 Times in 68 Posts
Default Re: working with S/MIME

I will have to have a look at the API and documentation. At the moment I am perplexed by the phrase "Public key cryptographic operations will be handled by the device and not by the smartcard." This will be difficult to do while not exposing any necessary private keys to the device at some point.

I haven't used the Smart Card API yet, but I will let you know if I find anything worth looking into.
__________________
My other Blackberry is a PlayBook.
Offline  
Old 12-19-2011, 04:19 AM   #16 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

OK, thanks
Offline  
Old 01-25-2012, 09:54 AM   #17 (permalink)
New Member
 
Join Date: Dec 2011
Model: 9105
PIN: N/A
Carrier: null
Posts: 13
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

Hello again.

Does anybody know what algorithms S/MIME uses for encryption and verifying messages?
Does S/MIME use padding?

thanks
Offline  
Old 02-24-2012, 10:59 PM   #18 (permalink)
New Member
 
Join Date: Feb 2012
Model: 9930
PIN: N/A
Carrier: sprint
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: working with S/MIME

ARRGGGG TARA MAYBE YOU CAN HELP ME....


I need to convert my company's public keys or .cer files to alx and cod files so I can push it via software configuration.
After weeks of failed attempts by DART support, I feel I'm not getting the expertise we require from RIM.

All KB articles on how to configure SMIME have been followed and all i's are dotted and the T's are crossed.

BY NOW I'M JUST LOOKING TO TAKE OUR PUBLIC CERTS AND PACKAGE THEM ALX AND COD FILE SO WE CAN PUSH THEM WIRELESSLY AND STOP THE INSANITY!!!!!

CAN SOMEONE HELP ME !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Configuring BlackBerry devices to enroll certificates over the wireless network

You can configure the BlackBerry® Enterprise Server to permit BlackBerry devices to enroll certificates that the devices can use with any PKI-enabled application or process. You can permit devices to enroll the certificates instead of instructing users to send the certificates to themselves in an email message or use the certificate synchronization tool in the BlackBerry® Desktop Software. When you configure the BlackBerry Enterprise Server to permit devices to enroll certificates, you can control how users request certificates and which certification authority issues the certificates.
Offline  
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.