Encrypted email with Entrust certificate is not opening with MS Outlook

Encrypted email, encrypted using a certificate from the provider Entrust, is unable to be decrypted by the MS Outlook client.

The error Outlook throws is:

This message cannot be decoded. An error occured while unprotecting the message. It could not be decrypted because an error occured decrypting the symmetric encryption key. The original data may be corrupt

There are 1 answers

kirti shah On

I have found a solution to this issue. After decoding the encrypted email, I see from the pkcs7-envelopedData that the OID ":rsaEncryption" is missing. Here is what a good envelope using RSA for key encryption and AES256 for data encryption looks like:

        0:d=0  hl=5 l=393952 cons: SEQUENCE
        5:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-envelopedData
       16:d=1  hl=5 l=393936 cons: cont [ 0 ]
       21:d=2  hl=5 l=393931 cons: SEQUENCE
       26:d=3  hl=2 l=   1 prim: INTEGER           :02
       29:d=3  hl=4 l= 304 cons: SET
       33:d=4  hl=4 l= 300 cons: SEQUENCE
       37:d=5  hl=2 l=   1 prim: INTEGER           :02
       40:d=5  hl=2 l=  20 prim: cont [ 0 ]
       62:d=5  hl=2 l=  13 cons: SEQUENCE
       64:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
       75:d=6  hl=2 l=   0 prim: NULL
       77:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:A2F5A9F82CCE74FE71554032235FAB5560AC1F2AEB7C25462D80CFF84658DD4D3823FBCB602B992BF3F74D385F64582459AE7DFF5AADDCA296D57D85F49B0BADE2868FC8EDC0E8CD8EDFC6831DCDCA7B7B951EFBB77E19A6BFE74F14D6DA3DD83743014A6007A2A7040F7C15BB2179767D54F849257D14E4C1229B3EB8C29552A15ACDC163FB5799E3B75D0B10D47147F97B95E663C8EB28729847DECD2A0806F710F4186C991277D5F3C1123B8A6907A6795B7C849C1D263721C78E72E5642353D8B9A2B68FB2F9552868CC1F4E4B9785D2E8314D6438490A9AF8EA60EC1EB41A082CA121B2E102EF30C03F4D26F55931B76EFBF75F057F3F2A668FEF3D2527
      337:d=3  hl=5 l=393615 cons: SEQUENCE
      342:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
      353:d=4  hl=2 l=  29 cons: SEQUENCE
      355:d=5  hl=2 l=   9 prim: OBJECT            :aes-256-cbc
      366:d=5  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:1A4BB3CAB2F425A2456C5B8700219FC0
      384:d=4  hl=5 l=393568 prim: cont [ 0 ]

And here is what I would get while using the .NET 4.5 SMTP client:

        0:d=0  hl=5 l=394986 cons: SEQUENCE
        5:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-envelopedData
       16:d=1  hl=5 l=394970 cons: cont [ 0 ]
       21:d=2  hl=5 l=394965 cons: SEQUENCE
       26:d=3  hl=2 l=   1 prim: INTEGER           :00
       29:d=3  hl=4 l= 554 cons: SET
       33:d=4  hl=4 l= 550 cons: SEQUENCE
       37:d=5  hl=2 l=   1 prim: INTEGER           :00
       40:d=5  hl=4 l= 268 cons: SEQUENCE
       44:d=6  hl=3 l= 247 cons: SEQUENCE
       47:d=7  hl=2 l=  11 cons: SET
       49:d=8  hl=2 l=   9 cons: SEQUENCE
       51:d=9  hl=2 l=   3 prim: OBJECT            :countryName
       56:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :US
       60:d=7  hl=2 l=  32 cons: SET
       62:d=8  hl=2 l=  30 cons: SEQUENCE
       64:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
       69:d=9  hl=2 l=  23 prim: PRINTABLESTRING   :Hewlett-Packard Company
       94:d=7  hl=2 l=  31 cons: SET
       96:d=8  hl=2 l=  29 cons: SEQUENCE
       98:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
      103:d=9  hl=2 l=  22 prim: PRINTABLESTRING   :VeriSign Trust Network
      127:d=7  hl=2 l=  59 cons: SET
      129:d=8  hl=2 l=  57 cons: SEQUENCE
      131:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
      136:d=9  hl=2 l=  50 prim: PRINTABLESTRING   :Terms of use at    https://www.verisign.com/rpa (c)09
      188:d=7  hl=2 l=  53 cons: SET
      190:d=8  hl=2 l=  51 cons: SEQUENCE
      192:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
      197:d=9  hl=2 l=  44 prim: PRINTABLESTRING   :Class 2 Managed PKI Individual Subscriber CA
      243:d=7  hl=2 l=  49 cons: SET
      245:d=8  hl=2 l=  47 cons: SEQUENCE
      247:d=9  hl=2 l=   3 prim: OBJECT            :commonName
      252:d=9  hl=2 l=  40 prim: PRINTABLESTRING   :Collaboration Certification Authority G2
      294:d=6  hl=2 l=  16 prim: INTEGER           :4C1DCC56F939DF3671B26A50DF810C16
      312:d=5  hl=2 l=  13 cons: SEQUENCE
      314:d=6  hl=2 l=   9 prim: OBJECT            :1.2.840.113549.1.1.7
      325:d=6  hl=2 l=   0 cons: SEQUENCE
      327:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:766ECBA847C51B3F8BDFD7D2CC2036B1161DA0BAD757A628E4EBB0A15F46586DDBB848F918D78072542F9E618D69ADDE5D863689CEB79A1B7D84D69AB3A8BAE0BF0E1A968485CB04F04A6D4FDB6946147EF95A9C472E2B02AAF664745E8C6BEFD0F078D469DA5B227EE0C4EB95E5D6D909A09301444D3D961EF66BB24D153F4778E128B50E5B382BA46CD849C723C6ED1B1C845BDCA8441F03B554E6513BF16E65A7F1F7DAEA66B3081C1A5C7B4B4C46D1395011139694332D6F400D8DDD0522AD128ADFFCE1249FF8465026EABDB907A0ACF01E2825D4C6E1F90ABE6D74E2FE389325C2B9152078B3119685E0F06954F13349ABA46E7F2DFD99DF458C5C703F
      587:d=3  hl=5 l=394399 cons: SEQUENCE
      592:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
      603:d=4  hl=2 l=  29 cons: SEQUENCE
      605:d=5  hl=2 l=   9 prim: OBJECT            :aes-256-cbc
      616:d=5  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:9B746E27201198B82A599C3E9FD13498
      634:d=4  hl=5 l=394352 prim: cont [ 0 ]

So it is noticeable that the ":rsaEncryption" is missing from the pkcs7-envelopedData.

To solve this, I had to specify SubjectIdentifierType as SubjectIdentifierType.SubjectKeyIdentifier while adding the CmsRecipient to the recipient collection, as the following code snippet shows:

    recipientCollection.Add(new CmsRecipient(SubjectIdentifierType.SubjectKeyIdentifier, EncryptCert));     

This ensured that the RSA key encryption OID "rsaEncryption (1 2 840 113549 1 1 1)" is not left out of the envelope.

Please note that I found this issue only while dealing with Entrust-provided certificates (for encryption). I do not see this issue otherwise.
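
The two dumps above differ in their RecipientInfo: the first is version 2 with a `[0]` subjectKeyIdentifier and `rsaEncryption`, the second is version 0 with an issuer name plus serial number and OID 1.2.840.113549.1.1.7, which RFC 8017 assigns to id-RSAES-OAEP. The Python below is an added example, not part of the original answer, that extracts those fields from a DER-encoded envelope so the two cases can be told apart without reading the dump by eye. The function names and the `GOOD`/`BAD` sample bytes are constructed for illustration; it assumes definite lengths and that the first recipient is a KeyTransRecipientInfo.

```python
# Added example: minimal DER walk over a CMS EnvelopedData (RFC 5652).
# GOOD and BAD are constructed samples, trimmed to the fields inspected.
KEY_ENC_OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption",
                "1.2.840.113549.1.1.7": "id-RSAES-OAEP"}

def read_tlv(buf, pos):                       # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form definite length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                          # constructed value -> [(tag, value)]
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                      # last byte of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def describe_first_recipient(der):
    """Report rid type and key-encryption OID of the first KeyTransRecipientInfo."""
    wrapped = children(read_tlv(der, 0)[1])[1][1]           # [0] EXPLICIT content
    enveloped = children(children(wrapped)[0][1])           # EnvelopedData fields
    recip_set = next(v for t, v in enveloped if t == 0x31)  # SET OF RecipientInfo
    version, rid, key_alg = children(children(recip_set)[0][1])[:3]
    oid = decode_oid(children(key_alg[1])[0][1])
    return {"version": version[1][0],
            "rid": "subjectKeyIdentifier" if rid[0] == 0x80 else "issuerAndSerialNumber",
            "key_enc_oid": oid, "key_enc_name": KEY_ENC_OIDS.get(oid, "unknown")}

def tlv(tag, *parts):                         # short-form encoder for the samples
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample(version, rid, last_arc, params):
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])  # 1.2.840.113549.1.1.x
    alg = tlv(0x30, tlv(0x06, oid), params)
    ktri = tlv(0x30, tlv(0x02, bytes([version])), rid, alg, tlv(0x04, b"\x00" * 4))
    env = tlv(0x30, tlv(0x02, bytes([version])), tlv(0x31, ktri))
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010703")), tlv(0xA0, env))
GOOD = sample(2, tlv(0x80, b"\x11" * 20), 1, tlv(0x05))                  # shaped like first dump
BAD = sample(0, tlv(0x30, tlv(0x30), tlv(0x02, b"\x01")), 7, tlv(0x30))  # shaped like second dump
```

To run it on a real message, pass `describe_first_recipient` the base64-decoded bytes of the `smime.p7m` part.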