Notesapi: MIMEConvertCDParts loses out the (added) attachment if the note was originally encrypted

Question

Scenario:

There are two notes-client users A and B, who have logged in from the machine where the following happens.

User A is the one who used the notes client last (so, the notes.ini contains her information). And, the database on which I work is user B's nsf file.

Actions:

I am attaching a file to an encrypted note, using NSFNoteAttachFile. After attaching, I want to use MIMEConvertCDParts to convert the note to MIME. (and use MIMEStreamOpen to get the content as stream)

I do not have the key/id/password for decrypting the note. Hence, when I convert it to MIMEConvertCDParts, the content of the note is

"[Portions of this MIME document are encrypted with a Notes certificate and cannot be read.]",

which is expected.

Problem

But the attachment I added earlier is missing in the converted stream (the attachment which were originally present are still there, but of size zero -- also as expected -- as I didn't provide the key/pwd)

I tried dumping the fields of the note before and after the MIMEConvertCDParts (conversion).

Before the conversion, the "$File" object with my attachment is present as one of the fields,

But after the conversion, it doesn't show in the MIME, but the conversion adds this to the field "$MIMETrack".

"CD-MIME failed at 02.25.2013 10:30:02 AM: You must supply the bulk decryption key in order to extract this file object."

I think that when I added the attachment, it was encrypted with either the public key of the original owner (user B) of the NSF file (or some other key present).

What I need to know

How can I tell/force notesapi to leave the file as it is when I add it. i.e., No encryption.

Or how can I ask it to decrypt it while converting (in case it used user-A's own key to do the encryption). And how do I know what key was used to encrypt the attachment?

Any help would be appreciated.

Thanks, Littleboy.

PS: If I take the nsf file of user B to a domain/machine which has never been aware of B, then I have no problems in adding/getting the attachment. This is what leads me to think that B's public key might be known to A, and the file gets automatically encrypted when I add to B's note.

Answer 1

First of all, B's public key is... public. It's in the Domino Directory. It is known to everyone in the domain, so everyone can encrypt a document for B. But I am a bit surprised by your last paragraph. I would expect this operation to not work, ever. I wouldn't think you can mix encrypted and unencrypted attachments in the same note.

In any case, info about who the document was encrypted for is in the $Seal item, which is an ITEM_NAME_NOTE_SEALUSERS item, but I don't know if you can pull any useful info out of this field if you don't have the key. The function NSFNoteDecrypt is used to decrypt an encrypted note, presuming you have the private key. It will return an error if you don't have the key. Take a look at chapter 11-2 in the Notes C API User Guide. For data ancrypted with Notes/DOmino 8.0.1 or later, NSFNoteCipherDecrypt is preferred.