[openssl-dev] Does OpenSSL support ECC-based S/MIME as defined in RFC 5753?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Tue May 31 14:07:41 UTC 2016
Does OpenSSL support ECC-based S/MIME as defined in RFC 5753?
I was trying to create an encrypted S/MIME message using OpenSSL-1.0.2h,
and got the following:
$ openssl smime -encrypt -aes128 -inform SMIME -in Cyph_Bot_test.eml \
    -outform SMIME -out Cyph_Bot_test.smime.eml -subject SMIME_ECC \
    ~/Documents/Certs/me_mouse_yubi_9d_.pem
Error creating PKCS#7 structure
140735083847760:error:21082096:PKCS7 routines:PKCS7_RECIP_INFO_set:encryption not supported for this key type:pk7_lib.c:542:
140735083847760:error:21073078:PKCS7 routines:PKCS7_encrypt:error adding recipient:pk7_smime.c:503:
$ openssl version
OpenSSL 1.0.2h 3 May 2016
$
The problem seems to be related to this code in pk7_lib.c:
533:     if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) {
534:         PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
535:                  PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
536:         goto err;
537:     }
538:
539:     ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_ENCRYPT, 0, p7i);
540:     if (ret == -2) {
541:         PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
542:                  PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
543:         goto err;
544:     }
Note: EC keys cannot “encrypt” - they can only “derive”.
--
Regards,
Uri Blumenthal
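
Added example, not part of the original post and not OpenSSL project code: a self-contained check that puts the PKCS#7 path used above (`openssl smime`) next to the CMS path (`openssl cms`), the format RFC 5753 defines ECC key agreement for. The function name, file names, the P-256 test key and the message are constructed for illustration, and it assumes the installed `openssl cms` accepts EC recipients.

```shell
#!/bin/sh
# Added example. Key, certificate and message are constructed throwaway data.
# Assumption: the installed openssl "cms" command accepts EC recipients.

ecc_cms_roundtrip() {
    work=$(mktemp -d) || return 1
    printf 'constructed test message\n' > "$work/msg.txt"

    # Throwaway P-256 key and self-signed certificate standing in for the recipient.
    openssl ecparam -name prime256v1 -genkey -noout -out "$work/key.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$work/key.pem" -subj "/CN=ecc-smime-test" \
        -days 1 -out "$work/cert.pem" 2>/dev/null || { rm -rf "$work"; return 1; }

    # PKCS#7 path, as in the post: no recipient type for a key that can only derive.
    if openssl smime -encrypt -aes128 -in "$work/msg.txt" \
        -out "$work/p7.eml" "$work/cert.pem" >/dev/null 2>&1; then
        smime_result=accepted
    else
        smime_result=rejected
    fi

    # CMS path: the recipient is added via key agreement instead of key transport.
    # -binary keeps the content byte-for-byte so the comparison below is exact.
    rc=1
    if openssl cms -encrypt -binary -aes128 -in "$work/msg.txt" -outform SMIME \
           -out "$work/cms.eml" "$work/cert.pem" 2>/dev/null &&
       openssl cms -decrypt -inform SMIME -in "$work/cms.eml" \
           -recip "$work/cert.pem" -inkey "$work/key.pem" \
           -out "$work/out.txt" 2>/dev/null &&
       cmp -s "$work/msg.txt" "$work/out.txt"; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

if ecc_cms_roundtrip; then
    echo "smime -encrypt: $smime_result; cms round trip: ok"
else
    echo "smime -encrypt: ${smime_result:-not run}; cms round trip: failed"
fi
```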