able to decrypt smime with openssl, but not with python and M2crypto

Question

I have to create a searchable archive of old emails, many of which are encrypted using S/MIME.

I can decrypt the .eml files using openssl. This works:

openssl smime -decrypt -in mails/example.eml -inkey certs/example.pem

However, when I try to do the same using python and M2crypto, I get an error.

emailfile='mails/example.eml'
# Instantiate an SMIME object.
s = SMIME.SMIME()

# Load private key and cert. can be one arg or two
s.load_key('certs/example.pem')

# Load the encrypted data.
try:
    p7, data = SMIME.smime_load_pkcs7(emailfile)
except SMIME.SMIME_Error, e:
    print 'Error: could not load {file} because {error}'.format(file=emailfile,error=e)
    sys.exit()

# Decrypt p7.
try:
    out = s.decrypt(p7,0)
    print out
except SMIME.PKCS7_Error, e:
    sys.stderr.write('Error: could not decrypt {file} because PKCS7 says {error}\n'.format(file=emailfile,error=e))
except SMIME.SMIME_Error, e:
    sys.stderr.write('Error: could not decrypt {file} because SMIME {error}\n'.format(file=emailfile,error=e))

When I run this code with the exact same email file and the exact same .pem file with the exact same private key and certificate, I get:

Error: could not decrypt example.eml because PKCS7 says key values mismatch

When I trace, it looks like it's failing signature verification:

mailarcher.py(110):     try:
mailarcher.py(111):         out = s.decrypt(p7,0)
 --- modulename: SMIME, funcname: decrypt
SMIME.py(182):         if not hasattr(self, 'pkey'):
SMIME.py(184):         if not hasattr(self, 'x509'):
SMIME.py(186):         blob = m2.pkcs7_decrypt(pkcs7._ptr(), self.pkey._ptr(), self.x509._ptr(), flags)
 --- modulename: SMIME, funcname: _ptr
SMIME.py(44):         return self.pkcs7
 --- modulename: EVP, funcname: _ptr
EVP.py(158):         return self.pkey
 --- modulename: X509, funcname: _ptr
X509.py(342):         assert m2.x509_type_check(self.x509), "'x509' type error"
X509.py(343):         return self.x509
mailarcher.py(113):     except SMIME.PKCS7_Error, e:
mailarcher.py(114):         sys.stderr.write('Error: could not decrypt {file} because PKCS7 says {error}\n'.format(file=emailfile,error=e))

I checked to see if there is a NOVERIFY flag I can set, and tried a few flags with the s.decrypt call, but to no avail.

I can have the script just call openssl of course, but I would like to stay within python because there is a lot of other handling I have to do (multiple certs, group lists, etc) that would be easier with python.

Thanks for any help anyone can provide.

Answer 1

Did you try removing the ",0" from the decrypt line?

None of the examples I see use anything like that for decrypt. For a verify feature, the data/data_bio can be conditionally added on whether or not data/data_bio is not None.