Open GoogleCodeExporter opened 8 years ago
Excellent idea. I'd like to see that as well, but I'll have to read into S/MIME
quite a bit, as I haven't used it and know very little about it. :/
Anyone else up for this? :)
Original comment by thialfi...@gmail.com
on 4 Jun 2010 at 4:23
[deleted comment]
[deleted comment]
I'm currently doing a graduation project on SMIME implementation on Android.
Due to severe lack of resources, I would love some help with it. :)
Original comment by cosmovec...@gmail.com
on 17 Jun 2010 at 12:57
This is a big topic and a lot of work. It'd require certificate management and
encryption/decryption at a lower level in combination with an email client. I
hope it can someday be added together with K9, but currently PGP/MIME is closer
to what APG already does and should be tackled next.
If you get some basic functionality working, however, then I'd be happy to add
it. I just can't help with it right now. :)
Original comment by thialfi...@gmail.com
on 17 Jun 2010 at 1:50
@cosmovector - I'm also working on a small implementation. Basic starting point
is simply to be able to open the p7m, have it ask for a certificate to be
opened with, and decrypt / display the contents. Ignoring all forms of
encryption at this point. Simply looking to read encrypted emails. If you'd
like to collaborate on this at all let me know. I've just started the project.
Still getting to grips with how much of BouncyCastle is implemented, and how
much is usable if at all at this point.
Original comment by wolfka...@gmail.com
on 23 Aug 2010 at 5:37
SMIME and PGP are completely different technologies unfortunately. They address
a similar problem space in quite different ways. You could perhaps reasonably
wishlist SMIME support in K9, but since it's based on a different premise
almost from the ground up, asking for APG to support it too is a bit like
asking for a ship to have wheels fitted so it can be driven on land.
To see how very different they are look at Thunderbird with Enigmail plugged in
and then, with a PGP keypair and a free SMIME certificate, try sending an
encrypted email to two correspondents, one of whom uses PGP and the other
SMIME. It will have you pulling your hair out. These are sadly oil-and-water
approaches, each fundamentally incompatible with the other.
It's a shame we are left with this mess but that's where the email world
stands.
Encrypting the email is only half the issue - in the real world you have to
sort out Key Exchange and Trust (capitalised because it's a big issue; if you
don't think it is then you don't understand the problem). PGP and SMIME have
similar views on encryption but are as different in Trust ideology as, oh,
capitalism and communism. I see PGP working well in loosely connected
cooperating groups who are willing to build their own Trust structures, SMIME
is a top-down imposition of Trust by diktat.
What's truly hilarious is a short signed SMIME message: a few bytes of message,
a few dozen bytes of signature and then typically the entire keychain including
user and certificate intermediaries right up to the Master CA's certificate all
having to be appended to the email as attachments so the signature can be
verified!
If you are sure the recipient already has those certificates then they can be
omitted but the default is usually to assume the opposite.
Two very different worlds collide here.
Original comment by mike.ban...@gmail.com
on 16 Oct 2010 at 10:17
@wolfkabal Hi please contact me @ cosmovector@gmail.com so we can talk more
about this issue :)
Original comment by cosmovec...@gmail.com
on 2 Dec 2010 at 1:20
@mike.banahan agreed. I've switched tactics and moved to trying to implement
something from the ground up. APG was a good help in understanding what would
be needed. Looking more at the k9 implementations and seeing where I need to
hook into. Hoping cosmovector and I can work together to come up with a working
solution. This is something that will benefit everyone hopefully.
Original comment by wolfka...@gmail.com
on 5 Dec 2010 at 4:37
@wolfkabal & @cosmovector. I would love to have an Android S/MIME reader and
would pay good money for it. Don't let mike.banahan's realism discourage you
too much :-) , and don't let the perfect be the enemy of the good. S/MIME does
indeed support an extremely complex Trust ideology, but I don't think you
necessarily have to support it all in rev. 1 of your app.
1. For example, I'd love to load my private key and to use it to decrypt and
read messages sent to me. Don't worry about verifying digital signatures, and
don't worry about sending encrypted email.
2. Maybe the next version can support sending encrypted email, but make the
user select the encryption key manually and just use it blindly. At this point
Key Exchange and Trust (the Big Hard Issues) would still be the user's
responsibility.
3. Then finally in your "Gold" version a year from now you can add verifying
digital signatures via the top-down chain of trust, automatic caching of keys
by recipient, checking for revoked keys, etc.
The OpenSSL command-line tool already has a lot of support for S/MIME, and
OpenSSL has been ported to Android, so maybe the hard part is just figuring out
how to hook OpenSSL into the Android email client?
Good luck!
Original comment by cpAgainF...@stellarscience.com
on 9 Dec 2010 at 5:24
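Added example (not code from any commenter or from APG): the OpenSSL command-line tool mentioned above, used to measure what embedding the signer's certificate adds to a short signed message, to show that a `-nocerts` signature only verifies when the recipient already holds that certificate, and to run the decrypt-only first step of the staged plan. Assumptions: the key, self-signed certificate and message are constructed throwaway values, so the size gap here is a single certificate, not a full chain.

```shell
#!/bin/sh
# Added example: key, certificate and message are constructed throwaway values.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MSG="$WORK/msg.txt"; KEY="$WORK/key.pem"; CERT="$WORK/cert.pem"
printf 'short note\n' > "$MSG"

# A self-signed certificate stands in for a CA-issued S/MIME certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Test User' \
    -keyout "$KEY" -out "$CERT" 2>/dev/null

# Sign the message (extra openssl options in "$@") and write it to file $1.
sign_to() {
    out=$1; shift
    openssl smime -sign -in "$MSG" -signer "$CERT" -inkey "$KEY" "$@" \
        -out "$out" 2>/dev/null
}

# Size in bytes of the signed message produced with the given options.
signed_size() {
    sign_to "$WORK/signed.eml" "$@" && wc -c < "$WORK/signed.eml" | tr -d ' '
}

# Verify a signature that was sent without certificates. -noverify skips
# chain validation: this checks the signature only, not trust in the signer.
verify_nocerts() {
    sign_to "$WORK/nocerts.eml" -nocerts &&
    openssl smime -verify -noverify -in "$WORK/nocerts.eml" "$@" \
        -out /dev/null 2>/dev/null
}

# Encrypt to the certificate, decrypt with the private key, print plaintext.
roundtrip() {
    openssl smime -encrypt -aes256 -binary -in "$MSG" \
        -out "$WORK/enc.p7m" "$CERT" 2>/dev/null &&
    openssl smime -decrypt -in "$WORK/enc.p7m" -recip "$CERT" -inkey "$KEY"
}

echo "signed, certificate embedded: $(signed_size) bytes"
echo "signed with -nocerts:         $(signed_size -nocerts) bytes"
verify_nocerts -certfile "$CERT" && echo "verifies when the cert is supplied"
verify_nocerts || echo "fails to verify without the signer's cert"
echo "decrypted: $(roundtrip)"
```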
Agreed with cpAgain... Android includes BouncyCastle which has good S/MIME
support as well. Please let me know if I can lend any support to the effort...
Original comment by pmhe...@gmail.com
on 9 Dec 2010 at 3:51
@pmhesse Android's default BC lib was one that was about 3 years old. I know
internally they've recently been using BC v1.45 - but what I don't know is
whether that's been included in the recent 2.3 release or not. Also - they are
working to move away from BC and use OpenSSL overall. So I think any
development would still require the use of a custom built BC library to import
all the other missing libraries that the default doesn't include.
@cpAgain - That is basically the exact attack plan I have. It's going slow -
but @cosmovector and I are trying to get together and hopefully make something
out of this. Don't expect anything ground breaking immediately. Opening an
encrypted email will be a huge victory with me.
Original comment by wolfka...@gmail.com
on 9 Dec 2010 at 3:57
@cpAgain and @wolfkabal: yes if we can get a breakthrough with the basics of
S/MIME support like opening an encrypted email, it would be cause for
celebration. Good technologies is coming out with a purportedly S/MIME
compliant android app, but it has been a year since their initial announcement,
so not sure how they are doing. I have emailed their representative but his
reply was only that "works are in progress".
@wolfkabal: hope you can set up a repo soon so that we can throw ideas about!
Original comment by cosmovec...@gmail.com
on 13 Dec 2010 at 5:18
Hi everyone.
I have written an SMIME decrypter (no encryption support yet). I have also
done a _really_ _really_ rough integration with k9 - because of the way they
are storing mail, it makes it very difficult to integrate SMIME into their
flow. Plus they have some bugs when loading MIME mail with an attachment as
the body.
But back to the decryption. I did a ham fisted "port" of Bouncy Castle (to
org.bouncykitty) and the key management is also lame (I'm just loading p12
files on the fly rather than importing the certs into my own keystore).
It's pretty self contained... I haven't decided how to release this (I still
have a bit of work to do on it), but it works so far.
Original comment by vincent....@gmail.com
on 14 Dec 2010 at 7:11
Oops, the whole reason for me posting in here is that I wouldn't mind
integrating it with APG...
Original comment by vincent....@gmail.com
on 14 Dec 2010 at 7:13
apks for the above if anyone wants to try it out.
https://wiki.npfk.org/tiki-index.php?page=Android+SMIME+Handling
Original comment by vincent....@gmail.com
on 15 Dec 2010 at 1:54
Heyup. Sorry for the late response. I was very busy with work.
The point about S/MIME and OpenPGP being very different is valid, but I still
always liked the idea of supporting both in APG. One advantage would be already
having BC libs. In a standalone S/MIME app they'd again have to be included.
The way K9 uses APG right now would also work with S/MIME then... simply
providing some Intent API to access S/MIME functionalities.
vincent.ting: that sounds promising. K9's MIME handling is also one reason why
PGP/MIME is tough to implement. I hope we can somehow rewrite or tidy it.
If you or others still would like to try to add it to APG, then I'd be all for
it. Drop me an email. :)
Original comment by thialfi...@gmail.com
on 25 Dec 2010 at 7:34
Hey,
according to this and many other requests I wrote a SMIME Client for android.
Please try it and send me your feedback
(https://market.android.com/details?id=at.rundquadrat.android.x509tools&feature=search_result).
At the moment the client only opens attachments with mime type (x-)pkcs7-mime
and there is no direct integration in any mail client. Intents for signing,
verifying signatures, en- and decryption to allow mail clients to use the app
directly will follow soon.
Original comment by selbitsc...@gmail.com
on 14 Apr 2011 at 4:03
By the way... It seems I have an S/MIME client for digital signature
certificates! B-)
Too bad I still haven't renewed my signature...
Emanuele Pastore
Follow me on Twitter: http://twitter.com/emapas1502
On 14 Apr 2011 at 18:04, <android-privacy-guard@googlecode.com> wrote:
android.
https://market.android.com/details?id=at.rundquadrat.android.x509tools&feature=search_result
).
Original comment by studiopa...@gmail.com
on 15 Apr 2011 at 5:39
@selbitschka what license is your code released under? Can code from your
project be used in APG?
Original comment by jon@sprig.gs
on 15 Apr 2011 at 7:36
@jon
Sorry for the delay, but I was on vacation the last 3 weeks.
Code is currently not under a specific license and not open source atm. We are
currently not sure if we want to make it open source or not.
Nevertheless, the question is: should S/MIME functions be included in APG or
not? Since these are two different worlds, as said before in this issue.
On the other hand, the integration into K9 is already done in APG, so why do it
again, and for people who need PGP and SMIME an integration would be great.
Give me some more time to think about it ... I'll also take a deeper look at the
APG source to determine the cost of an integration.
Original comment by selbitsc...@gmail.com
on 16 May 2011 at 1:13
@selbitschka - the Android SMIME client is excellent, thank you!
The visual appearance of the app is nice too. I have two minor suggestions - is
this the right place to provide them or is there a better forum?
1. My Android phone has a slide-out keyboard but when I use it the display goes
into landscape mode. In landscape mode there are only about 3 lines of email
text visible, and a lot of vertical space is taken up by things like:
- X509Tools at the top
- P7M Decryption Viewer
- Sorry, no header information available!
- Signed message: View Certificate
- The reply/reply-all/forward buttons (first two always greyed out, maybe
because no header info?)
- Attachments: (blank)
- Runquadrat
I guess my suggestion is to somehow free up more vertical space for the email
text when in landscape mode.
2. Desktop email programs like Thunderbird ask me for my password once and then
don't ask me again for the duration of the session. I've put a password on my
certificate store, but the app asks me to type it in again every time I need to
read an encrypted email. Is there some way to keep it in memory? I understand
it might be hard to implement this feature securely, i.e. if it's easy for
other apps to read your password or if it gets saved then it defeats the
purpose of the password.
These are minor things, the tool is excellent and very useful as it is now.
Thanks again!
Original comment by cpAgainF...@stellarscience.com
on 16 May 2011 at 4:12
Most likely the wrong forum since this is the bugtracker of APG but I'll send
you an email - for more info and contact form visit rundquadrat.at/x509tools
Original comment by selbitsc...@gmail.com
on 16 May 2011 at 5:42
Thanks, I resubmitted my comments there via the Kontakt page but after
submission it immediately redisplayed a blank Kontakt page, so I'm not 100%
sure my comments were properly submitted.
Original comment by cpAgainF...@stellarscience.com
on 16 May 2011 at 6:02
Hi guys, now it's about two years since the last comment. Are there any updates
on this issue?
Does anyone plan to integrate S/MIME support into K9?
Original comment by greensun...@gmail.com
on 31 Oct 2013 at 2:43
Original issue reported on code.google.com by
rmalo...@gmail.com
on 4 Jun 2010 at 4:20