[openssl-users] mail encryption with ecdsa cert

Kyle Hamilton aerowolf at gmail.com
Fri Jan 26 17:20:40 UTC 2018


On the algorithmic side of things, the ECDSA algorithm cannot encrypt.
It is signing-only.

In order to use Elliptic Curves to encrypt, you would have to use
the "Elliptic Curve Diffie-Hellman" algorithm to perform a key
agreement.  This requires that both the sender and the recipient have
EC keys which are marked in their certificates as being for the
purpose "keyAgreement".

Your command line only specifies the recipient certificate, not the
sending certificate.  You can't do an ecdh_kdf_md:sha256 operation
without the sender's certificate and private key.

I hope this helps!

-Kyle H



On Fri, Jan 26, 2018 at 7:13 AM, clou <mail at iclou.ch> wrote:
> openssl 1.1.0.f
> ecdsa 512 certificate
>
> openssl cms -sign works perfect and sending an email.
>
> For encryption and sending an email I just get an email with an attachment
> smime.p7m.
>
> I use the following encryption command
>
> openssl cms -encrypt \
>         -recip cert.pem \
>         -subject 'openssl encrypt' \
>         -to email \
>         -from email \
>         -in msg.txt \
>         -keyopt ecdh_kdf_md:sha256 \
>         | \
>         sendmail email
>
>
> Any idea how I need to encrypt (or encrypt and sign) in order to get a
> proper email?
>
> Thanks a lot!
>

