AspEncrypt can be used in conjunction with Persits Software AspEmail,
our powerful free SMTP component, to send signed messages, encrypted (enveloped)
messages and messages that are first signed and then encrypted.
A copy of the AspEmail component is included with the AspEncrypt installation.
AspEncrypt provides a special object, CryptoMessage, which encapsulates
PKCS#7-based encryption and digital signature functionality. An instance of the CryptoMessage
object is created as follows:
Set Context = CM.OpenContext("", True) ' second argument is True or False
Set Msg = Context.CreateMessage
CryptoMessage objects are passed to AspEmail's SendEncrypted, SendSigned,
and SendSignedAndEncrypted methods to send signed and/or encrypted
email messages as shown below.
To generate encrypted messages, CryptoMessage
uses one or more CryptoCert objects representing the recipient certificates.
A recipient's certificate object is passed to the CryptoMessage object via its AddRecipientCert
method. This call is repeated once for each
recipient. The CryptoMessage object is then passed to AspEmail's SendEncrypted method.
The following code snippet grabs a recipient certificate located in the file
d:\his.cer and uses it to send an encrypted message to the owner of this certificate.
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Mail = Server.CreateObject("Persits.MailSender")
Set Context = CM.OpenContext("", True )
Set RecipientCert = CM.ImportCertFromFile("d:\his.cer")
Set Msg = Context.CreateMessage
Msg.AddRecipientCert RecipientCert ' repeat if necessary
' Send Encrypted Message
Mail.Host = "smtp.veryhotcakes.com"
Mail.Subject = "Encrypted message"
Mail.From = "sales@veryhotcakes.com"
Mail.FromName = "Very Hot Cakes, Inc."
Mail.AddAddress "jsmith@somecompany.com"
Mail.Body = "Here is your receipt."
Mail.SendEncrypted Msg ' Use CryptoMessage object
%>
Signed mail involves the sender's private key.
To avoid the "underwater rocks" described in the previous
section, you should move the signer certificate from the HKEY_CURRENT_USER to
HKEY_LOCAL_MACHINE section of the registry before sending signed mail in an ASP environment.
To generate a digital signature, the CryptoMessage object
must be passed an instance of the CryptoCert object representing
a signer certificate using the Msg.SetSignerCert method. This certificate
must have an associated private key.
The following code snippet
sends a signed message using a Thawte certificate located
in the MY store of the HKLM section of the registry:
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Mail = Server.CreateObject("Persits.MailSender")
CM.LogonUser "mydomain", "Administrator", "xxx"
Set Store = CM.OpenStore( "my", True )
Set SignerCert = Store.Certificates("012E78")
Set Context = CM.OpenContext("", True )
Set Msg = Context.CreateMessage
Msg.SetSignerCert SignerCert ' Specify signer certificate
' Send Signed Message
Mail.Host = "smtp.veryhotcakes.com"
Mail.Subject = "Signed message"
Mail.From = "sales@veryhotcakes.com"
Mail.FromName = "Very Hot Cakes, Inc."
Mail.AddAddress "jsmith@somecompany.com"
Mail.Body = "Thanks for shopping with us."
Mail.SendSigned Msg ' Send CryptoMessage object
%>
Starting with AspEncrypt 2.0, you can supply your signer certificate
in a PFX (PKCS#12) file. A .pfx file can be obtained
by exporting a certificate from your personal certificate
store along with its private key. Note that Netscape uses the extension .p12
for this file format.
Once a .pfx file is created, you can place it on the server where
AspEncrypt can access it via the method CM.OpenStoreFromPFX. The following
code fragment can be used to retrieve the signer certificate. Note that
there is no need to move the certificate to the HKEY_LOCAL_MACHINE
section of the registry, and you no longer need to use the LogonUser method.
However, you do need to call CM.RevertToSelf, and under IIS 5.0 you must
make sure the virtual directory's Application Protection option is set to Low.
...
CM.RevertToSelf
Set Store = CM.OpenStoreFromPFX("c:\path\cert.pfx", "password")
Set SignerCert = Store.Certificates("012E78")
...
This approach is demonstrated by the code sample
localhost/aspencrypt/secure_mail/sendsigned_pfx.asp.
To send a mail message which is first signed and then encrypted,
two instances of the CryptoMessage object must be used: one for
signing and the other for encryption. Once the message objects
have been created and each has been given its certificate (the signer certificate
for the first, the recipient certificate for the second), both are
passed to AspEmail's SendSignedAndEncrypted method, as follows:
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Mail = Server.CreateObject("Persits.MailSender")
' Obtain signer certificate
CM.LogonUser "mydomain", "Administrator", "xxx"
Set Store = CM.OpenStore( "my", True )
Set SignerCert = Store.Certificates("012E78")
' Obtain recipient certificate
Set Context = CM.OpenContext("", True )
Set RecipientCert = CM.ImportCertFromFile("d:\his.cer")
' Create and configure two CryptoMessage objects
Set Msg = Context.CreateMessage
Msg.SetSignerCert SignerCert
Set Msg2 = Context.CreateMessage
Msg2.AddRecipientCert RecipientCert
' Send Signed and Encrypted Message
Mail.Host = "smtp.veryhotcakes.com"
Mail.Subject = "Signed message"
Mail.From = "sales@veryhotcakes.com"
Mail.FromName = "Very Hot Cakes, Inc."
Mail.AddAddress "jsmith@somecompany.com"
Mail.Body = "Thanks for shopping with us."
Mail.SendSignedAndEncrypted Msg, Msg2 ' Use both CryptoMessage objects
%>
The SendMail.asp sample application found in the directory
\Samples\secure_mail of the installation demonstrates how AspEncrypt
can be used together with AspUpload and AspEmail to allow
users to request secret information over the web.
<%
' File SendMail.asp
Set Mail = Server.CreateObject("Persits.MailSender")
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True )
' Upload client certificate
Set Upload = Server.CreateObject("Persits.Upload")
Count = Upload.Save("c:\upload")
If Count <> 0 Then
   On Error Resume Next
   Set RecipientCert = CM.ImportCertFromFile( Upload.Files(1).Path )
   If Err = 0 Then
      On Error Goto 0 ' cancel On Error Resume Next
      ' See if certificate contains Email address
      Email = RecipientCert.Subject("E")
      If Email <> "" Then
         Set Msg = Context.CreateMessage
         Msg.AddRecipientCert RecipientCert
         ' Send Encrypted Message
         Mail.Host = "vni.net"
         Mail.Subject = "Encrypted message"
         Mail.From = "sales@persits.com"
         Mail.FromName = "Very Hot Cakes, Inc."
         Mail.AddAddress Email
         Mail.Body = "Here is your encrypted receipt."
         Mail.SendEncrypted Msg
         Response.Write "Message was successfully sent to " & Email
      Else
         Response.Write "Certificate does not contain an Email address."
      End If
   Else
      Response.Write "Error opening certificate: " & Err.Description
   End If
Else
   Response.Write "No certificate uploaded."
End If
%>
The file SendMail.asp is invoked by a standard file upload form (not shown here).
This script captures an uploaded certificate and uses it to
send an encrypted message to the certificate's owner by extracting the email
address from the certificate's Subject.
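The following script is an added example, not part of the AspEncrypt documentation or its samples. It combines the multi-recipient procedure from the first section (one AddRecipientCert call per recipient) with the Subject("E") check used by SendMail.asp, so that every address the message goes to is taken from the certificate it is encrypted to. The certificate paths, SMTP host and sender address are placeholders.

```vbscript
<%
' Added example, not from the AspEncrypt documentation or its samples.
' Encrypts one message to several recipients; each address is read from the
' certificate's Subject so the mail cannot be encrypted to a certificate that
' belongs to someone other than the addressee. Paths and hosts are placeholders.
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Mail = Server.CreateObject("Persits.MailSender")
Set Context = CM.OpenContext("", True)
Set Msg = Context.CreateMessage

' Constructed list of recipient certificate files (placeholder paths)
CertFiles = Array("d:\certs\alice.cer", "d:\certs\bob.cer")
Added = 0

For Each CertPath In CertFiles
    On Error Resume Next
    Set RecipientCert = CM.ImportCertFromFile(CertPath)
    ImportError = Err.Number
    ImportText = Err.Description
    On Error Goto 0
    If ImportError <> 0 Then
        Response.Write "Skipping " & CertPath & ": " & ImportText & "<br>"
    Else
        ' Only use certificates that carry an email address in the Subject
        Email = RecipientCert.Subject("E")
        If Email = "" Then
            Response.Write "Skipping " & CertPath & ": no email address in Subject<br>"
        Else
            Msg.AddRecipientCert RecipientCert   ' one call per recipient
            Mail.AddAddress Email                ' address taken from the certificate
            Added = Added + 1
        End If
    End If
Next

If Added = 0 Then
    Response.Write "No usable recipient certificates; message not sent."
Else
    Mail.Host = "smtp.example.com"
    Mail.From = "sales@example.com"
    Mail.Subject = "Encrypted message"
    Mail.Body = "This receipt was encrypted to " & Added & " recipient(s)."
    Mail.SendEncrypted Msg
    Response.Write "Encrypted message sent to " & Added & " recipient(s)."
End If
%>
```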
If you configure your web site or a virtual directory to
accept or require a client certificate, a user will be prompted
by the browser to submit one of his client certificates when accessing
such a resource. This client certificate becomes available to
server-side ASP script through the Request.ClientCertificate collection.
See the task Manage Certificates and Certificate Stores
(section Accessing Client Certificates via ASP's Request.ClientCertificate)
for a code sample.