On Sat, May 14, 2011, Paul Koster wrote:
> I'm looking at using OpenSSL to realize "The CMS [...] allows multiple
> encapsulations; one encapsulation envelope can be nested inside another."
> from RFC5652. In particular it's the objective to have an 'enveloped-data'
> encapsulating (encrypted) 'digested-data' (encapsulating 'data').
>
> Am I right that this is currently not possible using 'openssl cms'?
>
> Considering the current approach in 'openssl cms' an approach somewhat
> similar to S/MIME seems practical:
> 1. openssl cms -in file.in -binary -digest_create -md sha256 -outform DER
>    -out file.out1
> 2. openssl cms -in file.out1 -binary -incms -inform DER -encrypt -aes128
>    -secretkey 01020304050607080102030405060708 -secretkeyid 01 -outform DER
>    -out file.out2 (-incms would be indicating it is not 'data' as is now the
>    default)
> 3. openssl cms -in file.out2 -inform DER -decrypt -aes128 -secretkey
>    01020304050607080102030405060708 -out file.out3
> 4. openssl cms -in file.out3 -inform DER -digest_verify -out file.out
>
> The issues are with steps 2 and 3 as there seem to be only functions
> available to operate on whole cms (ContentInfo) structures?
> * how to get an encoded version of just the ContentInfo.content
>   sub-structure? Is there an appropriate i2d_* function to apply e.g. on
>   cms->d.digestedData?
> * how to create a new cms (ContentInfo) structure using the eContentType
>   (easy) and (decrypted) encapsulated encoded Content sub-structure? Is there
>   an appropriate d2i_* function to apply to the encoded Content data?
>
> Any suggestions on how to achieve this functionality?
>
OpenSSL has no idea what the type of the encapsulated content is: it could be
raw binary or raw binary that looks like a CMS ContentInfo but isn't. So you
have to tell it the type of the encapsulated content explicitly using the
-econtent_type option. For decoding you have to manually use the correct cms
command on the encapsulated content type.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
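The point in the reply above is that the eContentType OID is the only thing telling a decoder what the decrypted octets are; nothing in the bytes themselves is trusted to say "this is a DigestedData". The following is an added example (not code from the thread and not OpenSSL's own implementation) that builds the nested structure Paul describes with a minimal DER encoder, extracts just the ContentInfo.content sub-structure, and shows a decoder dispatching on eContentType. The EnvelopedData layer is simplified to a plain EncapsulatedContentInfo with no encryption (an assumption made to keep it standard-library only); the OIDs are the real id-data, id-digestedData and sha256 values from RFC 5652 and RFC 5754. Function and variable names are this example's own.

```python
"""Nested CMS content types with a minimal DER encoder/decoder (added example).

Assumption: the 'envelope' is an EncapsulatedContentInfo without the encryption
layer, so the eContentType dispatch can be shown with the standard library only.
"""
import hashlib

# Real OIDs from RFC 5652 / RFC 5754
OID_DATA = "1.2.840.113549.1.7.1"
OID_DIGESTED_DATA = "1.2.840.113549.1.7.5"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def read_tlv(buf, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encap_content_info(oid, econtent):
    """EncapsulatedContentInfo ::= SEQUENCE { eContentType OID, eContent [0] OCTET STRING }"""
    return tlv(0x30, encode_oid(oid) + tlv(0xA0, tlv(0x04, econtent)))


def digested_data(payload):
    """ContentInfo carrying DigestedData (sha256) over payload, like -digest_create."""
    digest = hashlib.sha256(payload).digest()  # digest is over the content octets
    alg_id = tlv(0x30, encode_oid(OID_SHA256))
    dd = tlv(0x30, tlv(0x02, b"\x00") + alg_id
             + encap_content_info(OID_DATA, payload) + tlv(0x04, digest))
    return tlv(0x30, encode_oid(OID_DIGESTED_DATA) + tlv(0xA0, dd))


def parse_content_info(der):
    """Split a ContentInfo into (contentType OID, encoded content sub-structure)."""
    _, seq, _ = read_tlv(der)
    _, oid_body, pos = read_tlv(seq)
    _, content, _ = read_tlv(seq, pos)  # body of the [0] EXPLICIT wrapper
    return decode_oid(oid_body), content


def verify_digested_data(dd):
    """Check a DigestedData structure; return (inner eContentType, eContent)."""
    _, body, _ = read_tlv(dd)
    _, _version, pos = read_tlv(body)
    _, alg, pos = read_tlv(body, pos)
    _, eci, pos = read_tlv(body, pos)
    _, digest, _ = read_tlv(body, pos)
    _, alg_oid, _ = read_tlv(alg)
    if decode_oid(alg_oid) != OID_SHA256:
        raise ValueError("unsupported digest algorithm")
    _, etype, p = read_tlv(eci)
    _, explicit0, _ = read_tlv(eci, p)
    _, econtent, _ = read_tlv(explicit0)
    if hashlib.sha256(econtent).digest() != digest:
        raise ValueError("digest mismatch")
    return decode_oid(etype), econtent


def nest_digested_in_envelope(payload):
    """Step 2 of the thread: encapsulate the DigestedData, labelled by its type."""
    ctype, dd = parse_content_info(digested_data(payload))
    return encap_content_info(ctype, dd)


def unwrap(eci_der):
    """Decoder side: the eContentType alone decides how the octets are treated."""
    _, seq, _ = read_tlv(eci_der)
    _, oid_body, pos = read_tlv(seq)
    _, explicit0, _ = read_tlv(seq, pos)
    _, econtent, _ = read_tlv(explicit0)
    etype = decode_oid(oid_body)
    if etype == OID_DATA:
        return "data", econtent          # raw bytes, even if they look like CMS
    if etype == OID_DIGESTED_DATA:
        inner, payload = verify_digested_data(econtent)
        return "digestedData->" + inner, payload
    raise ValueError("unknown eContentType " + etype)


if __name__ == "__main__":
    print(unwrap(nest_digested_in_envelope(b"hello")))
```

Labelling the inner structure as id-data instead of id-digestedData does not fail: `unwrap` simply hands back the DigestedData bytes unverified, which is exactly the "raw binary that looks like a CMS ContentInfo" case in the reply, and why the type has to be supplied explicitly with -econtent_type.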
