[openssl-users] How to turn on certain elements in CMS objects

Stephan Mühlstrasser stm at pdflib.com
Wed Jul 6 14:52:27 UTC 2016


On 06.07.16 at 15:46, Dr. Stephen Henson wrote:
>...
>
>> Second the following:
>>
>>  129   10:           [1] {
>>  131    8:             OCTET STRING B1 04 4A FD FC 8B 70 6D
>>          :             }
>>
>> If I match this correctly to RFC 5652, this is
>>
>> ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL
>>
>> inside the KeyAgreeRecipientInfo SEQUENCE (see
>> https://tools.ietf.org/html/rfc5652#section-6.2.2).
>>
>> Can OpenSSL emit this optional element?
>
> Yes but not using the command line utility. It would require a custom program
> to set the parameter using the CMS API.

Could you please briefly explain how to set the parameter? I could not find 
anything in the documentation of the CMS API about this.

>> What is the purpose of the "ukm" field?
>>
>
> It provides some additional optional random data used in the key encryption
> key derivation algorithm.
>
> Note that you can get a diagnostic dump using:
>
>   openssl cms -cmsout -inform DER -print -in cmd.der

I wasn't aware of this feature, that looks very useful, thanks!

-- 
Stephan
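
An added illustration, not part of the original message and not OpenSSL code: how the optional ukm can feed into key encryption key derivation, and how the 8-byte value from the dump encodes as `ukm [1] EXPLICIT`. It assumes ECDH key agreement per RFC 5753 (X9.63 KDF with SHA-256, AES-256 key wrap), which the thread does not state; the shared secret `Z` is constructed and all function names are hypothetical.

```python
import hashlib
import struct

def der(tag, content):
    """Encode one DER TLV (short-form length is enough for this example)."""
    if len(content) > 127:
        raise ValueError("long-form lengths are not needed here")
    return bytes([tag, len(content)]) + content

def ukm_field(ukm):
    """ukm [1] EXPLICIT UserKeyingMaterial as carried in KeyAgreeRecipientInfo."""
    return der(0xA1, der(0x04, ukm))

# AlgorithmIdentifier for id-aes256-wrap (2.16.840.1.101.3.4.1.45), no parameters.
AES256_WRAP_ALG = der(0x30, der(0x06, bytes.fromhex("60864801650304012D")))

def shared_info(ukm, kek_bits=256):
    """ECC-CMS-SharedInfo (RFC 5753): keyInfo, entityUInfo [0] (the ukm), suppPubInfo [2]."""
    body = AES256_WRAP_ALG
    if ukm is not None:                       # entityUInfo is OPTIONAL
        body += der(0xA0, der(0x04, ukm))
    body += der(0xA2, der(0x04, struct.pack(">I", kek_bits)))
    return der(0x30, body)

def x963_kdf(z, info, length):
    """ANSI X9.63 KDF: SHA-256(Z || 32-bit counter || SharedInfo), counter from 1."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(z + struct.pack(">I", counter) + info).digest()
        counter += 1
    return out[:length]

def derive_kek(z, ukm):
    """Derive a 256-bit key encryption key from the agreed secret and optional ukm."""
    return x963_kdf(z, shared_info(ukm), 32)

UKM = bytes.fromhex("B1044AFDFC8B706D")  # the OCTET STRING from the quoted dump
Z = bytes(range(32))                     # constructed stand-in for the ECDH secret

if __name__ == "__main__":
    print("ukm field  :", ukm_field(UKM).hex())
    print("KEK, no ukm:", derive_kek(Z, None).hex())
    print("KEK, ukm   :", derive_kek(Z, UKM).hex())
```

The encoded field is 2 header bytes plus 10 content bytes, and the inner OCTET STRING holds 8 bytes, matching the lengths 10 and 8 shown in the dump.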

