Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same license and attribute it to the original authors (not the translator): StackOverflow, original URL: http://stackoverflow.com/questions/300334/

Time: 2020-10-29 11:50:22  Source: igfitidea

How to Send Encrypted Emails Programmatically (from an automated process)

Tags: java, email, encryption

Asked by

I have a process that runs on a UNIX (Solaris) server that runs nightly and needs to be able to send out encrypted emails.

I only need the "encryption" portion, NOT the digital signature / self-repudiation part of PKI.

I use MS Outlook in a corporate setting and I am assuming that when a user clicks "Publish to GAL..." under Tools -> Options -> Security, this will publish their PUBLIC KEY to the Global Address List (GAL).

So I am thinking that I need a way to connect to the Exchange Server that the GAL is on from my UNIX server. Then I would need to retrieve the recipient's PUBLIC KEY. Then I could encrypt the email using the recipient's PUBLIC KEY. This would encrypt the email and only allow someone with the recipient's PRIVATE KEY to read the email, right? Then I would send out the email. But, what I am not sure about, is how to encrypt the email using only the recipient's PUBLIC KEY (no KEYS on the UNIX side) in a way that MS Outlook will be able to read the email when the recipient receives it?

Would this work? Anybody out there run into a similar problem and come up with a solution? Java code is preferred, but any language would do to start with.

Any additional details required in order to get a reasonable answer?

Thanks

Answered by bethlakshmi

Your logic is right.

Typical PKI encryption is:

cryptoAlgorithm(plaintext, public key) = ciphertext

cryptoAlgorithm(ciphertext, private key) = plaintext

For some algorithms, the cryptoAlgorithm is the same procedure, sending and receiving.

So... for each recipient you need their digital certificate, which will contain their public key.

GAL Certificate Storage

I would think it would be possible to configure the GAL to allow users to publish certificates. My general impression is that how the GAL is configured and used varies from company to company.

S/MIME & PGP

I agree with the post that S/MIME is what you want for Outlook.

Also note - if your users are using Outlook Web, rather than the Outlook client, they won't be able to receive encrypted emails. At least as of 2000, but I suspect 2003 as well. It's a huge usability problem and I've got no good workaround.

General Microsoftyness

Microsoft has their own special way of doing things (no kidding...). They are no different in the world of PKI. User certificates must be clearly marked with an encryption capability. I know it must have the KeyUsage field KeyEncipherment. And there may be one other extension required by Microsoft. Having an incorrectly formatted user certificate could mean that the recipient will be unable to read the mail when it arrives, because Outlook won't agree on the fact that the mail was encrypted. Spare some serious integration testing time here and plan to hit lots of user groups on how to do this. Every time my team has had to integrate with a Microsoft product, there have been nasty surprises, particularly regarding how the certificate is configured.

Libraries & Tools

I second the recommendation for BouncyCastle - I haven't used it, but people I trust swear by it. I personally loved the Phaos toolkit when I had to write this stuff, but I'm out of date. I know it cost serious money, and may be too much bang for your buck.

OpenSSL is another fabulous tool, and useful for much more than SSL. It's great for generating test certificates, but I can't remember if it does S/MIME email encryption as well.

For most libraries, you should be able to take plaintext, and the certificate, and put both into a function that generates the S/MIME message. They may require the encryption algorithm as well.

Answered by Guillaume

In the general case: to send an encrypted message to someone, you only need their public key. You don't need to have a key yourself. The rule with asymmetric crypto is whatever is encrypted with a public key can be decrypted with the corresponding private key, and whatever is encrypted with a private key can be decrypted with the corresponding public key.

You will need a key for your server only if you want to sign the message.

If you want to do the implementation in Java, I don't think that JavaMail supports encryption out of the box, but you can have a look at JavaMail-Crypto (haven't used it myself). There is supposedly a JNI interface to GnuPG somewhere ... And you can always exec PGP or GnuPG from any language ...

I don't know about the support for PGP in Outlook, nor anything else about Outlook.

Answered by Hes Siemelink

You have to send encrypted mail to Outlook in s/mime format. Outlook doesn't support PGP.

Start by trying to send a plaintext message from Java and see if you can get it into Outlook. Worry about the encryption later. Use the JavaMail library to create and send emails.

I don't know how to extract keys from the GAL. It is probably easiest to start off by exporting a key manually and see if you can work with it.

To create encrypted mails in s/mime format I recommend Bouncy Castle. Bouncy Castle is a crypto-provider that also has support for s/mime. (Look for the CMS/Smime package). There should be some examples in the downloaded sources. I've used it in the past to send emails to a wide array of email clients, including Outlook and it works pretty well. But brace yourself for the crypto stuff -- it can be a steep learning curve!
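Putting bethlakshmi's "plaintext plus certificate in, S/MIME message out" description and the Bouncy Castle CMS/S/MIME recommendation above into code, as an added example that is not from any of the answers. It assumes the Bouncy Castle bcpkix and bcmail jars built against javax.mail (JavaMail), a recipient certificate already exported to a file, and placeholder addresses; it also refuses certificates that lack the KeyEncipherment key usage bethlakshmi warns about, since Outlook will not be able to decrypt with such a certificate.

```java
import java.io.FileInputStream;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.mail.Session;
import javax.mail.internet.*;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator;
public class SmimeEncryptOnly {
    // getKeyUsage() follows the RFC 5280 bit order (index 2 = keyEncipherment); no extension means unrestricted.
    static boolean allowsKeyEncipherment(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        return ku == null || (ku.length > 2 && ku[2]);
    }
    public static MimeMessage encryptFor(Session session, X509Certificate recipientCert,
            String from, String to, String subject, String body) throws Exception {
        if (!allowsKeyEncipherment(recipientCert)) {
            throw new IllegalArgumentException("certificate lacks keyEncipherment; Outlook will not decrypt with it");
        }
        MimeBodyPart plain = new MimeBodyPart();  // this part becomes the CMS EnvelopedData content
        plain.setText(body);
        // Key transport: a fresh AES-256 content key is encrypted to the recipient's public key.
        // No private key exists on the sending side; the message is encrypted, not signed.
        SMIMEEnvelopedGenerator gen = new SMIMEEnvelopedGenerator();
        gen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(recipientCert).setProvider("BC"));
        MimeBodyPart enveloped = gen.generate(plain,
                new JceCMSContentEncryptorBuilder(CMSAlgorithm.AES256_CBC).setProvider("BC").build());
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress(from));
        msg.setRecipient(javax.mail.Message.RecipientType.TO, new InternetAddress(to));
        msg.setSubject(subject);
        msg.setContent(enveloped.getContent(), enveloped.getContentType());  // application/pkcs7-mime
        msg.saveChanges();
        return msg;
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        X509Certificate cert;  // args[0]: recipient certificate exported from Outlook or the GAL (DER or PEM)
        try (FileInputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        MimeMessage msg = encryptFor(Session.getInstance(new java.util.Properties()), cert,
                "nightly-job@example.com", "recipient@example.com", "Nightly report", "report body");
        msg.writeTo(System.out);  // or Transport.send(msg) once the session carries SMTP settings
    }
}
```

The resulting message is a single application/pkcs7-mime part with smime-type=enveloped-data, which is the form Outlook expects for encrypted-only mail.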

Answered by Orihara

The caveat not noted previously is that the GAL isn't necessarily on the Exchange Server, and is more frequently found on the Domain server, when not run in a standalone mode. The certificate will be found in the LDAP attribute userCertificate or userSMIMECertificate.
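An added example (not part of the answer above) of fetching the published certificates from the directory through the two attributes Orihara names, using plain JNDI. The LDAP URL, bind DN, base DN and filter are assumptions: the filter shape (objectClass=user, mail=...) is the usual one for Active Directory but must be adjusted to the local schema, and the address is passed as a filter argument so it cannot alter the filter.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class GalCertLookup {
    static final String[] CERT_ATTRS = {"userCertificate", "userSMIMECertificate"};
    // Returns every X.509 certificate published for the mailbox, from either attribute.
    public static List<X509Certificate> certsFor(String ldapUrl, String bindDn, String bindPw,
            String baseDn, String mail) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);             // e.g. ldaps://dc.example.com:636 (assumed)
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // use ldaps:// so the bind password is not sent in clear
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        // JNDI treats userCertificate as binary by default; userSMIMECertificate has to be declared.
        env.put("java.naming.ldap.attributes.binary", "userSMIMECertificate");
        List<X509Certificate> certs = new ArrayList<>();
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(CERT_ATTRS);
            // The address goes in as a filter argument ({0}), so JNDI escapes it instead of splicing it in.
            NamingEnumeration<SearchResult> hits =
                    ctx.search(baseDn, "(&(objectClass=user)(mail={0}))", new Object[] {mail}, sc);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            while (hits.hasMore()) {
                Attributes attrs = hits.next().getAttributes();
                for (String name : CERT_ATTRS) {
                    Attribute a = attrs.get(name);
                    for (int i = 0; a != null && i < a.size(); i++) {
                        // userCertificate holds one DER certificate; userSMIMECertificate is usually a
                        // PKCS#7 bundle. generateCertificates() parses both forms.
                        byte[] blob = (byte[]) a.get(i);
                        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(blob))) {
                            certs.add((X509Certificate) c);
                        }
                    }
                }
            }
        } finally {
            ctx.close();
        }
        return certs;
    }
}
```

A mailbox may publish several certificates (expired ones, signing-only ones), so the caller should still pick the one that is valid and carries the keyEncipherment key usage before encrypting to it.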