CMS decryption of message with OAEP using Hardware security module

RudyAC rpo at compumatica.com
Tue Feb 18 11:12:48 UTC 2020


Hello Thulasi,

thank you for your quick response. 

the encryption takes not place in the HSM because we only store the private
keys inside the HSM. For encryption we use the openssl CMS_encrypt()
function. In case of OAEP I use the parameters:
                EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
		EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
		EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l);
and call CMS_final() at last.
For decryption we use the HSM where the private keys are stored and the
openssl PKCS11 engine is used.
Therefore we call CMS_decrypt(). Unfortunately there are no OAEP parameters
that can be specified at CMS_decrypt().

By default we do encryption and decryption without HSM. Using the same
functions (CMS_encrypt(),CMS_decrypt()) it works very well. But now it is my
job to do decryption with a HSM (Utimaco). 

My question is if there is a possibility to tell CMS_decrypt() that the
encrypted email uses OAEP padding or is there only a problem at the side of
the HSM provider.

Best regards
Rudy



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


More information about the openssl-users mailing list