[openssl-users] openssl cms encrypt recipientInfo [questions for openssl developers].

Марк Коренберг socketpair at gmail.com
Wed Oct 24 16:42:49 UTC 2018 

Here is a dump of my CMS encrypted message.

===================
CMS_ContentInfo:.
  contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
  d.envelopedData:.
    version: 2
    originatorInfo: <ABSENT>
    recipientInfos:
      d.kari:.
        version: 3
        d.originatorKey:.
          algorithm:.
            algorithm: id-ecPublicKey (1.2.840.10045.2.1)
            parameter: <ABSENT>
          publicKey:  (0 unused bits)
            0000 - 04 89 ee 81 d8 05 30 2d-4e 3a a3 33 dd 8b   ......0-N:.3..
            000e - c5 7d 56 79 02 2b 16 7a-f5 4c 20 3f 18 ed   .}Vy.+.z.L ?..
            001c - 92 ba 81 98 88 f8 7a 6c-41 ba 8e bb c0 a5   ......zlA.....
            002a - 41 c4 2a fe 36 31 5c f3-92 9c b5 ad 79 a9   A.*.61\.....y.
            0038 - 9c 4c 75 69 23 9d a1 5b-ef                  .Lui#..[.
        ukm: <ABSENT>
        keyEncryptionAlgorithm:.
          algorithm: dhSinglePass-stdDH-sha256kdf-scheme (1.3.132.1.11.1)
          parameter: SEQUENCE:
        recipientEncryptedKeys:
            d.rKeyId:.
              subjectKeyIdentifier:.
                0000 - 82 46 4f ae b4 cb 84 7b-f4 70 68 6f d0   .FO....{.pho.
                000d - 24 e7 15 8c 34 f3 c4                     $...4..
              date: <ABSENT>
              other: <ABSENT>
            encryptedKey:.
              0000 - f9 b1 b1 28 2a 0c ea e5-eb 3b 0f 22 a5 f4   ...(*....;."..
              000e - 51 8e 22 a3 76 4f fe 01-6f 26 37 b5 24 1c   Q.".vO..o&7.$.
              001c - 20 ba 9f 1a 11 92 25 a5-e4 4e 79 6f          .....%..Nyo
    encryptedContentInfo:.
      contentType: pkcs7-data (1.2.840.113549.1.7.1)
      contentEncryptionAlgorithm:.
        algorithm: aes-256-cbc (2.16.840.1.101.3.4.1.42)
        parameter: OCTET STRING:
          0000 - c4 12 53 6c 1f 04 ee 3a-2f 19 43 6f 87 0c af   ..Sl...:/.Co...
          000f - 9b                                             .
      encryptedContent:.
        0000 - 9f 18 ea 29 08 26 f5 8c-7c 69 ae 23 f2 ca 95   ...).&..|i.#...
        000f - 76                                             v
    unprotectedAttrs:
      <EMPTY>
========

As you can see it has reference to one recipient, identified by his
subjectKeyIdentifier. By some reason
RecipientInfos/d.kari/d.originatorKey also includes full public key
from recipient's certificate. Questions:

1. Why is it required?
2. Is it possible to omit it since it is superfluous (IMHO) ?
3. https://github.com/openssl/openssl/blob/master/crypto/cms/cms_kari.c#L386
(and RFC) say that there could be either key, subjectandserial or
subjectkeyidentifier. So, how to set it using command line openssl
application ?

-- 
Segmentation fault

More information about the openssl-users mailing list