[openssl-dev] CMS: is there a support for authenticated encryption (aes-gcm, aes-cbc-cmac etc.) in CMS?

Paweł Kaźmierczak koraboros at gmail.com
Mon Apr 13 12:56:02 UTC 2015


Hello,

is there support for aes-gcm in the OpenSSL CMS implementation?
The following code works when EVP_aes_128_cbc is used as the CMS_encrypt param but
fails with EVP_aes_128_gcm. Am I missing something (like setting the gcm
header/tag), or is authenticated encryption not supported in CMS?

#include <openssl/bio.h>
#include <openssl/cms.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

void cmsTest()
{
  // library initialisation
  OPENSSL_init();
  SSL_library_init();
  SSL_load_error_strings();

  OpenSSL_add_all_algorithms();
  OpenSSL_add_all_ciphers();
  OpenSSL_add_all_digests();

  // load the DER-encoded certificate and private key
  auto certFileBio = BIO_new_file("c:\\a\\advancedbr256r1_noPem.cer", "rb");
  auto prvKeyFileBio = BIO_new_file("c:\\a\\advancedbr256r1_pkey.pkcs8", "rb");

  auto evpPkey = d2i_PrivateKey_bio(prvKeyFileBio, 0);
  auto cert = d2i_X509_bio(certFileBio, 0);
  STACK_OF(X509)* certStack = sk_X509_new_null();
  sk_X509_push(certStack, cert);
  X509_STORE* store = X509_STORE_new();
  X509_STORE_add_cert(store, cert);

  //sign
  auto inFileBio = BIO_new_file("c:\\tmp2\\0_inContent.txt", "rb");
  CMS_ContentInfo *cms = CMS_sign(cert, evpPkey, 0, inFileBio, 0);
  auto cmsOutFileBio = BIO_new_file("c:\\tmp2\\1_signedCms.txt", "wb");
  auto res = PEM_write_bio_CMS(cmsOutFileBio, cms);
  CMS_ContentInfo_free(cms);
  BIO_free(inFileBio);
  BIO_free(cmsOutFileBio);

  //encrypt
  inFileBio = BIO_new_file("c:\\tmp2\\1_signedCms.txt", "rb");

  //cms = CMS_encrypt(certStack, inFileBio, EVP_aes_128_cbc(), 0); this would work
  cms = CMS_encrypt(certStack, inFileBio, EVP_aes_128_gcm(), 0);

  auto encryptedCmsOutFileBio = BIO_new_file("c:\\tmp2\\2_encryptedSignedCmsOut.txt", "wb");
  res = PEM_write_bio_CMS(encryptedCmsOutFileBio, cms);
  CMS_ContentInfo_free(cms);
  BIO_free(inFileBio);
  BIO_free(encryptedCmsOutFileBio);

  //decrypt
  inFileBio = BIO_new_file("c:\\tmp2\\2_encryptedSignedCmsOut.txt", "rb");
  cms = PEM_read_bio_CMS(inFileBio, 0, 0, 0);
  auto decryptedCmsOutFileBio = BIO_new_file("c:\\tmp2\\3_decryptedSignedCmsOut.txt", "wb");
  res = CMS_decrypt(cms, evpPkey, cert, 0, decryptedCmsOutFileBio, 0);
  CMS_ContentInfo_free(cms);
  BIO_free(decryptedCmsOutFileBio);
  BIO_free(inFileBio);

  //verify/read content CMS
  inFileBio = BIO_new_file("c:\\tmp2\\3_decryptedSignedCmsOut.txt", "rb");
  cms = PEM_read_bio_CMS(inFileBio, 0, 0, 0);
  auto decodedCmsOutFileBio = BIO_new_file("c:\\tmp2\\4_inContext.txt", "wb");
  res = CMS_verify(cms, certStack, store, 0, decodedCmsOutFileBio, 0);
  auto signers = CMS_get0_signers(cms);
  sk_X509_free(signers);  // frees only the stack; the certificates belong to cms
  BIO_free(inFileBio);
  BIO_free(decodedCmsOutFileBio);

  //deinit
  CMS_ContentInfo_free(cms);
  EVP_PKEY_free(evpPkey);
  sk_X509_free(certStack);  // frees only the stack, not the certificate
  X509_free(cert);
  X509_STORE_free(store);
  BIO_free(certFileBio);
  BIO_free(prvKeyFileBio);
}