jstedfast
diff --git a/‎MimeKit/Cryptography/BouncyCastleCertificateExtensions.cs
+6-2 b/‎MimeKit/Cryptography/BouncyCastleCertificateExtensions.cs
+6-2
diff --git a/‎UnitTests/Cryptography/X509CertificateGenerator.cs
+59-1 b/‎UnitTests/Cryptography/X509CertificateGenerator.cs
+59-1
diff --git a/‎UnitTests/TestData/smime/dsa/smime.cfg
+10 b/‎UnitTests/TestData/smime/dsa/smime.cfg
+10
diff --git a/‎UnitTests/TestData/smime/dsa/smime.pfx
128 Bytes b/‎UnitTests/TestData/smime/dsa/smime.pfx
128 Bytes
diff --git a/‎UnitTests/TestData/smime/ec/smime.cfg
+7 b/‎UnitTests/TestData/smime/ec/smime.cfg
+7
diff --git a/‎UnitTests/TestData/smime/ec/smime.pfx
88 Bytes b/‎UnitTests/TestData/smime/ec/smime.pfx
88 Bytes
diff --git a/‎UnitTests/TestData/smime/rsa/smime.cfg
+7 b/‎UnitTests/TestData/smime/rsa/smime.cfg
+7
diff --git a/‎UnitTests/TestData/smime/rsa/smime.pfx
-2 Bytes b/‎UnitTests/TestData/smime/rsa/smime.pfx
-2 Bytes
@@ -423,8 +423,12 @@ public static EncryptionAlgorithm[] GetEncryptionAlgorithms (this X509Certificat
 
 			var capabilities = certificate.GetExtensionValue (SmimeAttributes.SmimeCapabilities);
 
-			if (capabilities != null)
-				return DecodeEncryptionAlgorithms (capabilities.GetOctets ());
+			if (capabilities != null) {
+				var algorithms = DecodeEncryptionAlgorithms (capabilities.GetOctets ());
+
+				if (algorithms != null)
+					return algorithms;
+			}
 
 			return new EncryptionAlgorithm[] { EncryptionAlgorithm.TripleDes };
 		}
 
@@ -25,9 +25,18 @@
 //
 
 using System.Text;
+using System.Globalization;
 
 using Org.BouncyCastle.Asn1;
+using Org.BouncyCastle.Asn1.Nist;
+using Org.BouncyCastle.Asn1.Ntt;
+using Org.BouncyCastle.Asn1.Misc;
+using Org.BouncyCastle.Asn1.Oiw;
+using Org.BouncyCastle.Asn1.Pkcs;
+using Org.BouncyCastle.Asn1.Kisa;
+using Org.BouncyCastle.Asn1.Smime;
 using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Asn1.X9;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Crypto.Generators;
@@ -41,13 +50,13 @@
 using Org.BouncyCastle.Utilities;
 using Org.BouncyCastle.X509;
 using Org.BouncyCastle.X509.Extension;
-using Org.BouncyCastle.Asn1.X9;
 
 using MimeKit;
 
 namespace UnitTests.Cryptography {
 	class X509CertificateGenerator
 	{
+		static readonly Dictionary<string, DerObjectIdentifier> SMimeCapabilityMapping;
 		static readonly Dictionary<string, DerObjectIdentifier> X509NameOidMapping;
 		static readonly Dictionary<string, int> X509SubjectAlternativeTagMapping;
 		static readonly char[] EqualSign = new char[] { '=' };
@@ -102,6 +111,21 @@ static X509CertificateGenerator ()
 				{ "Rfc822Name", GeneralName.Rfc822Name },
 				{ "DnsName", GeneralName.DnsName },
 			};
+
+			SMimeCapabilityMapping = new Dictionary<string, DerObjectIdentifier> (StringComparer.OrdinalIgnoreCase) {
+				{ "AES128", NistObjectIdentifiers.IdAes128Cbc },
+				{ "AES192", NistObjectIdentifiers.IdAes192Cbc },
+				{ "AES256", NistObjectIdentifiers.IdAes256Cbc },
+				{ "CAMELLIA128", NttObjectIdentifiers.IdCamellia128Cbc },
+				{ "CAMELLIA192", NttObjectIdentifiers.IdCamellia192Cbc },
+				{ "CAMELLIA256", NttObjectIdentifiers.IdCamellia256Cbc },
+				{ "CAST5", MiscObjectIdentifiers.cast5CBC },
+				{ "DES", OiwObjectIdentifiers.DesCbc },
+				{ "3DES", PkcsObjectIdentifiers.DesEde3Cbc },
+				{ "IDEA", MiscObjectIdentifiers.as_sys_sec_alg_ideaCBC },
+				{ "RC2", PkcsObjectIdentifiers.RC2Cbc },
+				{ "SEED", KisaObjectIdentifiers.IdSeedCbc }
+			};
 		}
 
 		static AsymmetricCipherKeyPair LoadAsymmetricCipherKeyPair (string fileName)
@@ -218,6 +242,8 @@ public CertificateOptions ()
 
 			internal List<GeneralName> SubjectAlternativeNames { get; private set; }
 
+			internal SmimeCapabilityVector SMimeCapabilities { get; private set; }
+
 			public void Add (DerObjectIdentifier oid, string value)
 			{
 				if (oid == X509Name.CN || oid == X509Name.E)
@@ -253,6 +279,26 @@ public void AddSubjectAlternativeName (string property, string value)
 					break;
 				}
 			}
+
+			public void AddSMimeCapability (string capability)
+			{
+				var components = capability.Split (new char[] { '-' }, StringSplitOptions.RemoveEmptyEntries);
+				DerObjectIdentifier oid;
+
+				if (SMimeCapabilityMapping.TryGetValue (components[0], out oid) || DerObjectIdentifier.TryFromID (components[0], out oid)) {
+					SMimeCapabilities ??= new SmimeCapabilityVector ();
+
+					if (components.Length > 1) {
+						int value = int.Parse (components[1], NumberStyles.None, CultureInfo.InvariantCulture);
+
+						SMimeCapabilities.AddCapability (oid, value);
+					} else {
+						SMimeCapabilities.AddCapability (oid);
+					}
+				} else {
+					throw new ArgumentException ($"Unknown S/MIME capability: {capability}", nameof (capability));
+				}
+			}
 		}
 
 		public sealed class GeneratorOptions
@@ -409,6 +455,11 @@ public static X509Certificate[] Generate (GeneratorOptions options, PrivateKeyOp
 				generator.AddExtension (X509Extensions.SubjectAlternativeName, false, altNames);
 			}
 
+			if (certificateOptions.SMimeCapabilities != null) {
+				var capabilities = certificateOptions.SMimeCapabilities.ToAsn1EncodableVector ();
+				generator.AddExtension (SmimeAttributes.SmimeCapabilities, false, new DerSequence (capabilities));
+			}
+
 			if (issuerCertificate != null)
 				generator.AddExtension (X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure (issuerCertificate));
 
@@ -554,6 +605,13 @@ public static X509Certificate[] Generate (string cfg)
 							throw new FormatException ($"Unknown [SubjectAlternativeNames] property: {property}");
 						}
 						break;
+					case "smimecapabilities":
+						try {
+							certificate.AddSMimeCapability (value);
+						} catch (ArgumentException) {
+							throw new FormatException ($"Unknown [SMimeCapabilities] value: {value}");
+						}
+						break;
 					case "generator":
 						switch (property.ToLowerInvariant ()) {
 						case "basicconstraints":
 
@@ -10,6 +10,16 @@ LocalityName           = Boston
 CommonName             = MimeKit UnitTests
 EmailAddress           = [email protected]
 
+[SMimeCapabilities]
+capability.0           = AES256
+capability.1           = AES192
+capability.2           = AES128
+capability.3           = IDEA
+capability.4           = 3DES
+capability.5           = RC2-128
+capability.6           = RC2-64
+capability.7           = RC2-40
+
 [Generator]
 BasicConstraints       = critical, CA:false
 DaysValid              = 3650
 
@@ -10,6 +10,13 @@ LocalityName           = Boston
 CommonName             = MimeKit UnitTests
 EmailAddress           = [email protected]
 
+[SMimeCapabilities]
+capability.0           = AES256
+capability.1           = AES192
+capability.2           = AES128
+capability.3           = IDEA
+capability.4           = 3DES
+
 [Generator]
 BasicConstraints       = critical, CA:false
 DaysValid              = 3650
 
@@ -10,6 +10,13 @@ LocalityName           = Boston
 CommonName             = MimeKit UnitTests
 EmailAddress           = [email protected]
 
+[SMimeCapabilities]
+capability.0           = AES256
+capability.1           = AES192
+capability.2           = AES128
+capability.3           = IDEA
+capability.4           = 3DES
+
 [Generator]
 BasicConstraints       = critical, CA:false
 DaysValid              = 3650