We employ the services of an OpenSSL PKI to issue S/MIME certificates to our Lotus Notes users. Unfortunately, it was very difficult to add the public keys into a user’s personal address book, which is needed on every workstation so that a user may send an encrypted message. (The public key of the person I’m sending to must be available to my Notes client for encryption to work.) Back in 2003, I had developed a mechanism which worked fine for a number of years, but it was a bit brittle, inasmuch as a lot of different components had to work hand in hand for the operation to succeed. Finally, a couple of weeks ago, the whole shebang stopped working because of a change in the setup of cascaded address books (NAB) on a Domino server.

Instead of patching that up rudimentarily, I’ve been trying to rework the whole process. The difficulty at the time was that no API existed with which I could import a public key into a Lotus Notes address book. Since then, however (and don’t ask since when – I haven’t looked it up, and I’d probably be embarrassed by how long it has existed: that’s the trouble when you do too much…), the Notes C-API has gained a function which does just that: SECNABAddCertificate(). SECNABAddCertificate is quite easy to use: it takes a handle to an open note and a pointer to a buffer containing the DER-encoded certificate, and writes the certificate into the note. Consider this short example:

    STATUS st;
    DWORD certlen, flags = 0L;
    unsigned char cert[5120];
    FILE *fp;
    if ((fp = fopen(DERpath, "rb")) != NULL) {
       certlen = (DWORD)fread(cert, sizeof(unsigned char), sizeof(cert), fp);
       fclose(fp);
       /* hand the DER-encoded certificate to the open note nh */
       if ((st = SECNABAddCertificate(nh,
               (void *)cert, certlen, flags, NULL))) {
           /* st is a Notes STATUS error code; report it */
       }
    }
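The snippet above reads the file into a fixed 5120-byte buffer and passes whatever fread() returned straight to SECNABAddCertificate(). Before handing the bytes over, it is worth confirming that the buffer holds exactly one complete DER certificate and not a truncated file or a PEM-armoured one. The following helper is an added example and not part of the Notes C-API or of the original utilities; it parses only the outer SEQUENCE header of the DER encoding and works on constructed sample buffers.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not part of the Notes C-API: return the full encoded
 * length of the DER SEQUENCE that starts buf, or 0 if the header is not a
 * well-formed, minimally encoded SEQUENCE (an X.509 Certificate is one). */
size_t der_sequence_len(const unsigned char *buf, size_t n)
{
    size_t len = 0, nbytes, i;
    if (n < 2 || buf[0] != 0x30)
        return 0;
    if (buf[1] < 0x80)                      /* short form: one length byte */
        return 2 + buf[1];
    nbytes = buf[1] & 0x7f;                 /* long form: 0x8N, then N bytes */
    if (nbytes == 0 || nbytes > 4 || n < 2 + nbytes)
        return 0;                           /* 0x80 = indefinite (BER only) */
    for (i = 0; i < nbytes; i++)
        len = (len << 8) | buf[2 + i];
    if (buf[2] == 0 || len < 0x80)          /* DER demands minimal encoding */
        return 0;
    return 2 + nbytes + len;
}

/* Classify what fread() put in the buffer before calling SECNABAddCertificate:
 *  1 = exactly one complete DER certificate
 *  0 = truncated (file longer than the buffer, e.g. > 5120 bytes)
 * -1 = PEM text; convert to DER first   -2 = not a DER SEQUENCE / trailing bytes */
int der_cert_check(const unsigned char *buf, size_t n)
{
    size_t total;
    if (n >= 10 && memcmp(buf, "-----BEGIN", 10) == 0)
        return -1;
    total = der_sequence_len(buf, n);
    if (total == 0)
        return -2;
    return total > n ? 0 : (total == n ? 1 : -2);
}

/* Constructed samples (not real certificates) to exercise the checks. */
const unsigned char SAMPLE_SHORT[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };      /* complete */
const unsigned char SAMPLE_TRAIL[] = { 0x30, 0x03, 0x02, 0x01, 0x01, 0x00 }; /* trailing byte */
const unsigned char SAMPLE_NONMIN[] = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x01 }; /* BER, not DER */
static unsigned char g_long[260];
/* SEQUENCE with a 256-byte body: long-form length 0x82 0x01 0x00, 260 bytes in total */
const unsigned char *sample_long_form(void)
{
    memset(g_long, 0, sizeof g_long);
    g_long[0] = 0x30; g_long[1] = 0x82; g_long[2] = 0x01; g_long[3] = 0x00;
    return g_long;
}
```

Calling der_cert_check() on the buffer with the byte count fread() returned distinguishes a certificate that was cut off at the buffer boundary from one that simply filled it exactly.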

What I’m now doing is rewriting the utilities that our guys and gals use to manage all this. All valid (i.e. non-revoked) certificates will be dumped into new documents in a personal address book, a copy of which is replicated onto users’ workstations. The result looks quite good. Here is an example of an address book entry for Jane after the import:

LDAP, DomiNotes, Security, and CLI :: 21 Feb 2009 :: e-mail