6-14 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
in a certificate for the private key which generated the signature. This method makes use of the attached certificate and CRLs in order to follow certificate chains.
For example, given a trusted certificate authority (CA) certificate already in hand:
    TrustedCAPolicy trusts = new TrustedCAPolicy();
    // if true, need CRL for each cert in chain
    trusts.setRequireCRLs(false);
    // caCert is an X509Certificate object with CA cert
    trusts.addTrustedCA(caCert);
    SmimeSignedObject sig = (SmimeSignedObject) msg.getContent();
    sig.verify(trusts, msg.getFrom());
Like verifySignature, verify throws an AuthenticationException if the signature cannot be verified; otherwise it returns normally. In either case you can recover the document that was signed, which is itself a MIME entity, by invoking getEnclosedBodyPart:
    MimeBodyPart doc = sig.getEnclosedBodyPart();
6.3.3.8 Opening Digital Envelopes (Encrypted Messages)
An S/MIME digital envelope consists of:
■ A protected MIME body part, which has been encrypted with a symmetric key algorithm (for example, DES or RC2)
■ A randomly generated content encryption key
■ Information that allows one or more intended recipients to decrypt the content
For each recipient, this information consists of the content encryption key, itself encrypted with the recipient's public key. To obtain the encrypted content from an SmimeEnveloped object, you need the recipient's private key and the corresponding certificate; the certificate is used as an index into the recipient information table contained in the envelope's data structure.
For example:
    SmimeEnveloped env = (SmimeEnveloped) msg.getContent();
    // privKey is a PrivateKey object
    // cert is an X509Certificate object
    MimeBodyPart mbp = env.getEnclosedBodyPart(privKey, cert);
Passing the private key and the certificate to the getEnclosedBodyPart method returns the decrypted content as an instance of MimeBodyPart. The getContent method can now be invoked on the MimeBodyPart object to retrieve the now-decrypted content. This content may be a String (in the case of an encrypted text message) or any other object, such as an SmimeSigned.
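The following is an added example, not code from the Oracle documentation, that combines the two operations described above: it decrypts an enveloped message with the recipient's key and certificate, then verifies the signed object found inside against a trust policy that keeps CRL checking enabled (the sample above passes false to setRequireCRLs; true enforces revocation for every certificate in the chain). Class and method names are those shown on this page; the package names in the imports, the class name SmimeInbound, and the already-loaded msg, privKey, cert and caCert values are assumptions.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.mail.internet.MimeBodyPart;
import javax.mail.internet.MimeMessage;
// Package names for the Oracle classes are assumed; this page names only the classes.
import oracle.security.crypto.cert.TrustedCAPolicy;
import oracle.security.crypto.core.AuthenticationException;
import oracle.security.crypto.smime.SmimeEnveloped;
import oracle.security.crypto.smime.SmimeSignedObject;

public class SmimeInbound {

    /** Build the trust policy once: only the configured CA is trusted, and every
     *  certificate in the chain must be covered by a CRL (revocation is enforced). */
    static TrustedCAPolicy strictPolicy(X509Certificate caCert) {
        TrustedCAPolicy trusts = new TrustedCAPolicy();
        trusts.setRequireCRLs(true);   // the page's sample passes false; true is the safer setting
        trusts.addTrustedCA(caCert);
        return trusts;
    }

    /** Returns the verified inner document, or throws if any step does not check out. */
    static MimeBodyPart openAndVerify(MimeMessage msg, PrivateKey privKey,
                                      X509Certificate cert, TrustedCAPolicy trusts)
            throws Exception {
        Object content = msg.getContent();
        // Step 1: if the outer layer is a digital envelope, decrypt it with our key and
        // certificate; the certificate selects our entry in the recipient-info table.
        if (content instanceof SmimeEnveloped) {
            MimeBodyPart inner = ((SmimeEnveloped) content).getEnclosedBodyPart(privKey, cert);
            content = inner.getContent();
        }
        // Step 2: the decrypted content must be a signed object, otherwise reject it.
        if (!(content instanceof SmimeSignedObject)) {
            throw new SecurityException("expected a signed S/MIME object, got " + content.getClass());
        }
        SmimeSignedObject sig = (SmimeSignedObject) content;

        // verify() returns normally on success and throws AuthenticationException otherwise;
        // the From: address is passed alongside the trust policy, as in the page's sample.
        try {
            sig.verify(trusts, msg.getFrom());
        } catch (AuthenticationException e) {
            // Do not fall back to the unverified body: treat the message as untrusted input.
            throw new SecurityException("S/MIME signature verification failed", e);
        }
        return sig.getEnclosedBodyPart();
    }
}
```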
6.3.3.9 Adding Enhanced Security Services (ESS)
You can add the ESS services ReceiptRequests, SecurityLabels, and SigningCertificates to an S/MIME signed message by adding them to the signedAttributes of a signature.
    // Create a Signed Message
    SmimeSigned sig = new SmimeSigned();
    AttributeSet signedAttributes = new AttributeSet();
Receipt Request (oracle.security.crypto.smime.ess.ReceiptRequest)
To request a signed receipt from the recipient of a message, add a ReceiptRequest attribute to the signedAttributes field while adding a signature:
    ReceiptRequest rr = new ReceiptRequest();
    .........
    signedAttributes.addAttribute(Smime.id_aa_receiptRequest, rr);
Security Label (oracle.security.crypto.smime.ess.ESSSecurityLabel)
To attach a security label to a message, add an ESSSecurityLabel attribute to the signedAttributes field while adding a signature:
    ESSSecurityLabel sl = new ESSSecurityLabel();
    .........
    signedAttributes.addAttribute(Smime.id_aa_securityLabel, sl);
Signing Certificate (oracle.security.crypto.smime.ess.SigningCertificate)
To attach a signing certificate to a message, add a SigningCertificate attribute to the signedAttributes field while adding a signature:
    SigningCertificate sc = new SigningCertificate();
    .........
    signedAttributes.addAttribute(Smime.id_aa_signingCertificate, sc);
Use the signedAttributes while adding a signature:
    sig.addSignature(signerKey, signerCert, digestAlgID, signedAttributes);
The ESS signed receipts are generated using the SmimeSignedReceipt class in the oracle.security.crypto.smime package, in a manner similar to using a SmimeSigned class, except that the content that is signed is an oracle.security.crypto.cms.ESSReceipt object.
6.3.3.10 Processing Enhanced Security Services (ESS)