[openssl-users] mail encryption with ecdsa cert

Jakob Bohm jb-openssl at wisemo.com
Fri Jan 26 17:46:28 UTC 2018


Doesn't S/MIME permit the half-ephemeral ECDH algorithm where the
recipient's static ECDH certificate is combined with a per message
ephemeral ECDH key?

On 26/01/2018 18:20, Kyle Hamilton wrote:
> On the algorithmic side of things, the ECDSA algorithm cannot encrypt.
> It is signing-only.
>
> In order to use Elliptical Curves to encrypt, you would have to use
> the "Elliptical Curve Diffie-Hellman" algorithm to perform a key
> agreement.  This requires that both the sender and the recipient have
> EC keys which are marked in their certificates as being for the
> purpose "keyAgreement".
>
> Your command line only specifies the recipient certificate, not the
> sending certificate.  You can't do an ecdh_kdf_md:sha256 operation
> without the sender's certificate and private key.
>
> I hope this helps!
>
> -Kyle H
>
>
>
> On Fri, Jan 26, 2018 at 7:13 AM, clou <mail at iclou.ch> wrote:
>> openssl 1.1.0.f
>> ecdsa 512 certificate
>>
>> openssl cms -sign works perfectly and sending an email.
>>
>> For encryption and sending an email I just get an email with an attachment
>> smime.p7m.
>>
>> I use the following encryption command
>>
>> openssl cms -encrypt \
>>          -recip cert.pem \
>>          -subject 'openssl encrypt' \
>>          -to email \
>>          -from email \
>>          -in msg.txt \
>>          -keyopt ecdh_kdf_md:sha256 \
>>          | \
>>          sendmail email
>>
>>
>> Any idea how I need to encrypt (or encrypt and sign) in order to get a
>> proper email?
>>
>> Thanks a lot!
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded