Re: [openssl-users] CMS with Symmetric key
On Mon, Apr 11, 2016, Abe Racioppo wrote:

> Thank you for the responses.
>
> I have implemented encryption that adds a secret key, and secret key id
> using:
> CMS_add0_recipient_key,
> CMS_EncryptedData_encrypt,
> SMIME_write_CMS
> The output file looks correct, but I need to decrypt it back to be sure.
>

Ah CMS_EncryptedData_encrypt() just creates the encrypted data type. If you want to use enveloped data you use CMS_encrypt() first then CMS_add0_recipient_key() and finally SMIME_write_CMS().

> I would like to be able to get the secret key id from the envelope data to
> then search a database for the key, and then CMS_decrypt. I have yet to
> determine the most straightforward way of getting the key ids from the
> envelope/wrapped content of cms.
>
> Is there a combination if I have SMIME_read the cms from a file like:
> keyId = cms->envelopedData->keyId?
>
> Or do I need to handle a stack_of recipient infos in order to get the key
> id from kekri0_get_id?
>

Yes. You need to use CMS_get0_RecipientInfos() as there can be multiple recipients of different types.

For each recipient info you check the type with:

CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_KEK

For each match retrieve the key ID using CMS_RecipientInfo_kekri_get0_id(). If the id doesn't match a value in your database continue to the next recipient info. If no matches return an error.

If you do get a match then call CMS_RecipientInfo_set0_key().

Finally call CMS_decrypt(): setting the key and certificate parameters to NULL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
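The enveloped-data flow with a symmetric wrapping key and a key id lookup, shown with the cms(1) command rather than the C API (an added example, not code from any poster or from the OpenSSL project). The key database, the key values and the function names are constructed for illustration; `-secretkey` and `-secretkeyid` are the cms(1) options that create and select a KEK recipient info.

```shell
#!/bin/sh
# Added example (not from the thread). Key ids, keys and function names are
# constructed for illustration; they are not real secrets.

# Constructed key database: one "keyid-hex:kek-hex" entry per word.
KEYDB='A1A1A1:00112233445566778899AABBCCDDEEFF
C0FEE0:000102030405060708090A0B0C0D0E0F'

# Encrypt file $1 into DER EnvelopedData at $2. The AES-128 content key is
# wrapped under the symmetric KEK $3, labelled with key id $4, so the message
# carries a single KEKRecipientInfo and no X.509 recipient.
cms_kek_encrypt() {
    openssl cms -encrypt -aes128 -binary -in "$1" -outform DER -out "$2" \
        -secretkey "$3" -secretkeyid "$4" 2>/dev/null
}

# Decrypt message $1 to $2 using the database. For each entry, openssl
# compares the supplied id with the KEK recipient's key id and only then
# tries to unwrap with the key. Prints the id that worked; returns 1 and
# leaves no output file when no entry matches.
cms_kek_decrypt() {
    for entry in $KEYDB; do
        id=${entry%%:*}
        key=${entry#*:}
        if openssl cms -decrypt -inform DER -in "$1" -out "$2" \
               -secretkey "$key" -secretkeyid "$id" 2>/dev/null; then
            printf '%s\n' "$id"
            return 0
        fi
    done
    rm -f "$2"
    return 1
}
```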
Re: [openssl-users] CMS with Symmetric key
Thank you for the responses.

I have implemented encryption that adds a secret key, and secret key id using:
CMS_add0_recipient_key,
CMS_EncryptedData_encrypt,
SMIME_write_CMS
The output file looks correct, but I need to decrypt it back to be sure.

I would like to be able to get the secret key id from the envelope data to then search a database for the key, and then CMS_decrypt. I have yet to determine the most straightforward way of getting the key ids from the envelope/wrapped content of cms.

Is there a combination if I have SMIME_read the cms from a file like:
keyId = cms->envelopedData->keyId?

Or do I need to handle a stack_of recipient infos in order to get the key id from kekri0_get_id?

Thanks again,
Abe

On Tue, Apr 5, 2016 at 7:39 AM, Dr. Stephen Henson wrote:

> On Mon, Apr 04, 2016, Abe Racioppo wrote:
>
> > Hey guys,
> >
> > I'm trying to use the CMS operations in libcrypto but with a symmetric key
> > encryption key instead of x509.
> >
> > I'm thinking I want to use a combination of
> >
> > CMS_RecipientInfo_set0_pkey,
> > SMIME_write_CMS,
> > and
> > CMS_EncryptedData_encrypt.
> >
> > Has anyone done this before and can give me some direction? This is my
> > first time working with openssl and am getting kinda lost.
> >
>
> You have several options here.
>
> You can just use the encrypted data type with a key directly.
>
> You can use the enveloped data type with a symmetric wrapping key.
>
> You can use the enveloped data type with a password based recipient info.
>
> Which you use depends on the application you have in mind.
>
> In the first case you just call CMS_EncryptedData_encrypt() followed by
> SMIME_write_CMS().
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] CMS with Symmetric key
On Mon, Apr 04, 2016, Abe Racioppo wrote:

> Hey guys,
>
> I'm trying to use the CMS operations in libcrypto but with a symmetric key
> encryption key instead of x509.
>
> I'm thinking I want to use a combination of
>
> CMS_RecipientInfo_set0_pkey,
> SMIME_write_CMS,
> and
> CMS_EncryptedData_encrypt.
>
> Has anyone done this before and can give me some direction? This is my
> first time working with openssl and am getting kinda lost.
>

You have several options here.

You can just use the encrypted data type with a key directly.

You can use the enveloped data type with a symmetric wrapping key.

You can use the enveloped data type with a password based recipient info.

Which you use depends on the application you have in mind.

In the first case you just call CMS_EncryptedData_encrypt() followed by SMIME_write_CMS().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] CMS with Symmetric key
> On Apr 4, 2016, at 11:34 PM, Salz, Rich wrote:
>
>> I'm trying to use the CMS operations in libcrypto but with a symmetric key
>> encryption key instead of x509.
>
> We don't support this.

It looks like we do. See crypto/cms/cms_pwri.c and the undocumented "-pwri_password" option of the cms(1) command. Documentation would of course be great...

--
Viktor.
Re: [openssl-users] CMS with Symmetric key
> I'm trying to use the CMS operations in libcrypto but with a symmetric key
> encryption key instead of x509.

We don't support this.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz
Re: [openssl-users] CMS with Symmetric key
On Apr 4, 2016, at 3:42 PM, Jakob Bohm wrote:

> Unless you can point out a clause in the "CMS" format RFCs
> that allow use without X.509 certificates, there is no reason
> why the "CMS" part of the OpenSSL library should be able to
> do any such thing.

The CMS RFC (RFC 5652) specifies password based key derivation (in addition to asymmetric-key crypto key transport or agreement, and also a symmetric-cryptography key transport mechanism). See section 6.2.

It looks like password based key derivation wasn't in the original PKCS#7, but was introduced in a 2001 specification (RFC 3211) and was folded into the 2002 revision of CMS (RFC 3369).
Re: [openssl-users] CMS with Symmetric key
On 05/04/2016 00:18, Abe Racioppo wrote:

> Hey guys,
>
> I'm trying to use the CMS operations in libcrypto but with a symmetric key
> encryption key instead of x509.
>
> I'm thinking I want to use a combination of
>
> CMS_RecipientInfo_set0_pkey,
> SMIME_write_CMS,
> and
> CMS_EncryptedData_encrypt.
>
> Has anyone done this before and can give me some direction? This is my
> first time working with openssl and am getting kinda lost.

The "CMS" operations implement the "CMS" standard, formerly known as PKCS#7, which is based entirely on the use of X.509 certificates.

Unless you can point out a clause in the "CMS" format RFCs that allow use without X.509 certificates, there is no reason why the "CMS" part of the OpenSSL library should be able to do any such thing.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
[openssl-users] CMS with Symmetric key
Hey guys,

I'm trying to use the CMS operations in libcrypto but with a symmetric key encryption key instead of x509.

I'm thinking I want to use a combination of

CMS_RecipientInfo_set0_pkey,
SMIME_write_CMS,
and
CMS_EncryptedData_encrypt.

Has anyone done this before and can give me some direction? This is my first time working with openssl and am getting kinda lost.

Thanks,
Abe