The openssl smime utility only supports RSA keys for encryption (more specifically, the PKCS7 container that it uses can't be used with other key types). The cms utility supports newer versions of the SMIME RFCs, including the use DH ephemeral-static algorithms for encrypting the symmetric key used during message encryption.
This patch updates the suggested encryption/decryption commands, but does not change any of the commands used for signature generation/verification (as the smime sign/verify commands do support other key types). Debian seems to have already made this change[1] for the decryption path a while ago, but did not update the encryption command (current Debian patch for this file[2]). There is a slight danger of updating the decryption command at the same time as the encryption command (as clients still trying to decrypt with smime could have problems reading messages encrypted with cms), but the existence of that Debian bug seems to imply that there is already a source of messages using the newer CMS format. I verified that I am now able to encrypt a message with public key type id-ecPublicKey. Previously, this resulted in an error like: "encryption not supported for this key type:pk7_lib.c" [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639533 [2] https://sources.debian.org/patches/mutt/2.0.5-4.1/misc/smime.rc.patch/ Signed-off-by: Craig Gallek <cgal...@gmail.com> --- contrib/smime.rc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/smime.rc b/contrib/smime.rc index e2c298899b30..410606c251aa 100644 --- a/contrib/smime.rc +++ b/contrib/smime.rc @@ -80,7 +80,7 @@ set smime_import_cert_command="smime_keys add_cert %f" set smime_encrypt_with="aes256" # Encrypt a message. Input file is a MIME entity. -set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c" +set smime_encrypt_command="openssl cms -encrypt -%a -outform DER -in %f %c" # Algorithm for the signature message digest. # Valid choices are md5, sha1, sha224, sha256, sha384, sha512. @@ -94,7 +94,7 @@ set smime_sign_command="openssl smime -sign -md %d -signer %c -inkey %k -passin # Section C: Incoming messages # Decrypt a message. Output is a MIME entity. -set smime_decrypt_command="openssl smime -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c" +set smime_decrypt_command="openssl cms -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c" # Verify a signature of type multipart/signed set smime_verify_command="openssl smime -verify -inform DER -in %s %C -content %f" -- 2.30.2
