[openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

Stephan Mühlstrasser via RT rt at openssl.org
Mon Mar 14 17:45:34 UTC 2016

I had written a message about this issue to openssl-users, but received 
no reaction.

As OpenSSL cannot decrypt data encrypted by itself, this looks like a 
defect. It is also not possible to decrypt RC4-encrypted CMS objects 
created by third-party software.

This was reproduced with the current HEAD revision from the 
OpenSSL_1_0_2-stable branch, namely with Git revision 

How to reproduce:

Create a self-signed certificate, encrypt some data as a CMS message 
with "-rc4" using the certificate as a recipient, and try to decrypt it 
again. This fails with an error message:

$ echo "abcdefg" >data.txt
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -nodes -out 
cert.pem -days 100 -subj "/CN=RC4 CMS Test"
Generating a 2048 bit RSA private key
writing new private key to 'key.pem'
$ openssl cms -rc4 -encrypt -binary -in data.txt -out data.txt.cms 
-outform DER cert.pem
$ openssl cms -decrypt -in data.txt.cms -inform DER -out data2.txt 
-inkey key.pem -recip cert.pem
Error decrypting CMS structure
routines:cms_EncryptedContent_init_bio:cipher parameter initialisation 

With other encryption algorithms, this works as expected.

The same problem is also reproducible with the "openssl smime" command.

Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list