<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 22, 2020, 2:56 PM Michael Richardson <<a href="mailto:mcr@sandelman.ca">mcr@sandelman.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Michael Mueller <<a href="mailto:abaci.mjm@gmail.com" target="_blank" rel="noreferrer">abaci.mjm@gmail.com</a>> wrote:<br>
>> Michael Mueller <<a href="mailto:abaci.mjm@gmail.com" target="_blank" rel="noreferrer">abaci.mjm@gmail.com</a>> wrote:<br>
>> > We've implemented what I gather can be called a CMS on Linux and<br>
>> Windows<br>
>> > using openssl evp functions.<br>
>><br>
>> I'm not sure why you say it this way.<br>
>> OpenSSL includes CMS (RFC3369) support, but I think not until 1.1.0.<br>
>> Did you implement RFC3369, or something else?<br>
>><br>
>> You don't say if this is email or something else.<br>
>><br>
<br>
> My bad. I thought CMS could be used as a generic reference to packaging<br>
> encrypted messages.<br>
<br>
> We are not implementing CMS as specified by IETF.<br>
<br>
> We used the openssl evp functions to quickly improve the security of an<br>
> existing proprietary data exchange system.<br>
<br>
> Now we are being asked if our evp based solution can interoperate with a<br>
> system that may support PKCS7. The thought is PKCS7 would be used to<br>
> envelope data in a manner similar to how the evp functions operate.<br>
<br>
I don't think you will find any compatibility.<br>
<br>
You can use the PKCS7 functions to process that kind of data.<br>
Or future proof and use CMS functions to read, and figure out how you will<br>
write/send messages<br></blockquote></div></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Today we learned that we have PKCS7 1.5 & 1.6 and RFC 3852 are available on the "older" system. </div><div dir="auto"><br></div><div dir="auto">Also was guided to CMS specs, and the CMS tools and functions in openssl.</div><div dir="auto"><br></div><div dir="auto">We'll experiment with the openssl cms functions on linux and the older system independently. If that works, we'll try interworking linux with the older system. If that works, we'll toggle from evp to cms if the older system is involved.</div><div dir="auto"><br></div><div dir="auto">Thank you all for your help.</div><div dir="auto"><br></div><div dir="auto"></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
> I suspect that evp functions are not compatible with PKCS7, but I don't<br>
> know how to easily confirm this. I also suspect it will be difficult to<br>
> explain why they are incompatible.<br>
<br>
> If evp and PKCS7 are incompatible, we might be asked if we can use PKCS7<br>
> enveloping instead of evp.<br>
<br>
> Any insights, thoughts, advice, code to read, etc would be appreciated.<br>
<br>
I think you should consider if you want to move to PKCS7.<br>
<br>
--<br>
] Never tell me the odds! | ipv6 mesh networks [<br>
] Michael Richardson, Sandelman Software Works | IoT architect [<br>
] <a href="mailto:mcr@sandelman.ca" target="_blank" rel="noreferrer">mcr@sandelman.ca</a> <a href="http://www.sandelman.ca/" rel="noreferrer noreferrer" target="_blank">http://www.sandelman.ca/</a> | ruby on rails [<br>
<br>
</blockquote></div></div></div>