CMS with ECC Keys is incompatible with Windows CMS / Outlook
Meik Kreyenkoetter
meikkr at gmail.com
Fri Nov 15 16:11:20 UTC 2019
Hello again,
maybe I have found the difference in the CMSes generated by OpenSSL and Windows.
This is the keyEncryptionAlgorithm in kari generated on Windows:
keyEncryptionAlgorithm:
algorithm: dhSinglePass-stdDH-sha1kdf-scheme (1.3.133.16.840.63.0.2)
parameter: SEQUENCE:
0:d=0 hl=2 l= 13 cons: SEQUENCE
2:d=1 hl=2 l= 9 prim: OBJECT :id-aes256-wrap
13:d=1 hl=2 l= 0 prim: NULL
recipientEncryptedKeys:
This is the keyEncryptionAlgorithm in kari generated with OpenSSL:
keyEncryptionAlgorithm:
algorithm: dhSinglePass-stdDH-sha1kdf-scheme (1.3.133.16.840.63.0.2)
parameter: SEQUENCE:
0:d=0 hl=2 l= 11 cons: SEQUENCE
2:d=1 hl=2 l= 9 prim: OBJECT :id-aes256-wrap
recipientEncryptedKeys:
As one can see, there is a NULL at the end of the parameter sequence generated on Windows. CMS output from BouncyCastle is like OpenSSL:
keyEncryptionAlgorithm:
algorithm: dhSinglePass-stdDH-sha1kdf-scheme (1.3.133.16.840.63.0.2)
parameter: SEQUENCE:
0:d=0 hl=2 l= 11 cons: SEQUENCE
2:d=1 hl=2 l= 9 prim: OBJECT :id-aes128-wrap
The BouncyCastle output is not decryptable on Windows. Is there a way to generate a CMS with ECC compatible with Windows?
Meik
> On 15. Nov 2019, at 12:18, Meik Kreyenkoetter <meikkr at gmail.com> wrote:
>
> Hello,
>
> when generating a CMS with OpenSSL 1.1.1d or OpenSSL 1.0.2g using only ECC Keys, Windows 10 is unable to decrypt the CMS.
> All passwords for keys are "test".
>
> Encrypting:
>
> openssl cms -encrypt -outform PEM -recip bob.pem -in Test.eml -out opensslencrypted.cms -aes256 -aes128-wrap
>
> Decryption on Windows 10 (with installed Keys in Store):
>
> Unprotect-CmsMessage -Path .\opensslencrypted.cms
>
> Unprotect-CmsMessage : Die Daten sind unzulässig.
> In Zeile:1 Zeichen:1
> + Unprotect-CmsMessage -Path .\opensslencrypted.cms
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> + CategoryInfo : NotSpecified: (:) [Unprotect-CmsMessage], CryptographicException
> + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.UnprotectCmsMessageCommand
>
>
> The file outlookencrypted.cms contains a CMS with ECC keys generated on Windows 10. It's decryptable by Windows and OpenSSL.
>
> Inspecting the Windows and OpenSSL generated CMS, they both look ok. The only difference I have seen in CMS -print output is that the parameter is absent in the OpenSSL generated one and NULL in the Windows generated one:
>
> OpenSSL, openssl cms -in opensslencrypted.cms -cmsout -print -inform PEM:
>
> recipientInfos:
> d.kari:
> version: 3
> d.originatorKey:
> algorithm:
> algorithm: id-ecPublicKey (1.2.840.10045.2.1)
> parameter: <ABSENT>
> publicKey: (0 unused bits)
>
> Windows generated, openssl cms -in outlookencrypted.cms -cmsout -print -inform PEM:
>
> recipientInfos:
> d.kari:
> version: 3
> d.originatorKey:
> algorithm:
> algorithm: id-ecPublicKey (1.2.840.10045.2.1)
> parameter: NULL
> publicKey: (0 unused bits)
>
> I have changed the OpenSSL sources to include "parameter: NULL" in CMS generation, but that makes no difference. The CMS with changed sources is decryptable by OpenSSL, but not on Windows:
>
> openssl cms -decrypt -in opensslencrypted_changed_sources.cms -inform PEM -recip bob.pem
>
> I have attached all keys and output.
>
> Anything I am missing here?
>
>
> Meik
>
>
> <opensslencrypted_changed_sources.cms><outlookencrypted.cms><opensslencrypted.cms><cacert.crt><bob at external.com.p12><bob.pem><bob.cer><alice at internal.com.p12><alice.pem><alice.cer><Test.eml>
>
>
>
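The encoding difference Meik points at, as an added example that is not code from the thread: a small Python DER walker that decodes the KeyWrapAlgorithm parameter SEQUENCE of a kari keyEncryptionAlgorithm and reports whether the wrap OID is followed by an explicit NULL. The sample bytes are constructed to match the two dumps (SEQUENCE l=13 with NULL, l=11 without); whether adding that NULL alone makes Windows accept an OpenSSL-generated CMS is not established by the thread.

```python
# Added example (not from the mailing-list thread): decode the KeyWrapAlgorithm
# inside keyEncryptionAlgorithm.parameter and flag an explicit trailing NULL,
# the byte-level difference between the Windows and OpenSSL/BouncyCastle dumps.

WRAP_OIDS = {                      # NIST AES key-wrap OIDs (2.16.840.1.101.3.4.1.x)
    "2.16.840.1.101.3.4.1.5": "id-aes128-wrap",
    "2.16.840.1.101.3.4.1.25": "id-aes192-wrap",
    "2.16.840.1.101.3.4.1.45": "id-aes256-wrap",
}

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); handles short and long-form DER lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER body (base-128 arcs)."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def parse_key_wrap_alg(param: bytes) -> dict:
    """Decode the parameter SEQUENCE (an AlgorithmIdentifier for the key wrap)."""
    tag, seq, end = read_tlv(param, 0)
    if tag != 0x30 or end != len(param):
        raise ValueError("parameter is not a single SEQUENCE")
    otag, oid_body, pos = read_tlv(seq, 0)
    if otag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_body)
    info = {"oid": oid, "name": WRAP_OIDS.get(oid, "unknown"),
            "seq_len": len(seq), "explicit_null": False}
    if pos < len(seq):                      # optional parameters follow the OID
        ptag, pbody, pos = read_tlv(seq, pos)
        info["explicit_null"] = (ptag == 0x05 and pbody == b"")
    return info

# Constructed sample bytes matching the dumps: id-aes256-wrap with and without NULL
AES256_WRAP = bytes.fromhex("060960864801650304012d")
WINDOWS_PARAM = b"\x30\x0d" + AES256_WRAP + b"\x05\x00"   # Windows: l=13, trailing NULL
OPENSSL_PARAM = b"\x30\x0b" + AES256_WRAP                 # OpenSSL / BouncyCastle: l=11
```

Feed `parse_key_wrap_alg` the raw DER of the parameter field (for example extracted with `openssl asn1parse -strparse`) to compare real messages the same way.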