[openssl-users] CMS_encrypt with ECDH key

Dr. Stephen Henson steve at openssl.org
Mon Apr 20 16:11:15 UTC 2015


On Sat, Apr 18, 2015, Q Rius wrote:

> I'm trying to implement CMS encrypt using ECDH keys. Ref openssl CMS with
> ECDH EnvelopedData
> <http://stackoverflow.com/questions/29280688/openssl-cms-with-ecdh-envelopeddata>
> The command line works flawlessly but my program is giving an error -
> 
> Error Encrypting Data
> 140508524291744:error:2E06507D:CMS routines:CMS_add1_recipient_cert:not
> supported for this key type:cms_env.c:210:
> 
> In code below, recip.pem was created using steps here openssl CMS with ECDH
> EnvelopedData
> <http://stackoverflow.com/questions/29280688/openssl-cms-with-ecdh-envelopeddata>
> 
> #include <stdio.h>
> #include <openssl/bio.h>
> #include <openssl/cms.h>
> #include <openssl/err.h>
> #include <openssl/evp.h>
> #include <openssl/pem.h>
> #include <openssl/x509.h>
> 
> int main (int argc, char **argv)
> {
>     CMS_ContentInfo *cms1 = NULL;
>     CMS_RecipientInfo *ri = NULL;
>     BIO *in = NULL, *out = NULL, *tbio = NULL;
>     X509 *rcert = NULL;
>     int ret = 1;
>     int flags = CMS_STREAM;
> 
>     OpenSSL_add_all_algorithms();
>     ERR_load_crypto_strings();
> 
>     /* recipient certificate (EC key) */
>     tbio = BIO_new_file("recip.pem", "r");
>     if (!tbio)
>         goto err;
> 
>     rcert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
>     if (!rcert)
>         goto err;
> 
>     in = BIO_new_file("encr.txt", "r");
>     if (!in)
>         goto err;
> 
>     /* CMS_PARTIAL: build the structure first, add recipients afterwards */
>     flags |= CMS_PARTIAL;
>     cms1 = CMS_encrypt(NULL, in, EVP_des_ede3_cbc(), flags);
>     if (!cms1)
>         goto err;
> 
>     ri = CMS_add1_recipient_cert(cms1, rcert, flags);
>     if (!ri)
>         goto err;
> 
>     if(!CMS_final(cms1, in, NULL, flags))
>         goto err;
> 
>     out = BIO_new_file("cms1.pem", "w");
>     if(!out)
>         goto err;
> 
>     if(!PEM_write_bio_CMS_stream(out, cms1, in, flags))
>         goto err;
> 
>     ret = 0;
> 
> err:
>     if (ret) {
>         fprintf(stderr, "Error Encrypting Data\n");
>         ERR_print_errors_fp(stderr);
>     }
>     CMS_ContentInfo_free(cms1);
>     X509_free(rcert);
>     BIO_free(in);
>     BIO_free(out);
>     BIO_free(tbio);
>     return ret;
> }
> 
> The documentation states ECC keys are not supported yet the commandline cms
> app is able to do it without a problem. I stepped through the cms app but
> am unable to figure out what I'm doing differently. Also tried the
> cms_enc.c from the demos folder but that does not handle ecc keys as well.
> 

Are you sure you are linking against OpenSSL 1.0.2 or later? OpenSSL 1.0.1
and earlier do not support ECDH for CMS.

Your program works OK here except you need to delete the CMS_final part:
finalisation is performed on the fly when writing if you use the flag
CMS_STREAM.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
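An added example, not part of the thread above: the command-line round trip the original poster describes as working, written as a script that first applies the version check from the reply (OpenSSL 1.0.2 or later for ECDH recipients in CMS) and then envelopes a file for an EC recipient with `-stream`, the CLI counterpart of the program's CMS_STREAM flag, so no separate finalisation step is needed. The version test is pure string parsing of `openssl version` output and runs without OpenSSL installed; the round trip assumes an `openssl` binary on PATH. File names (`encr.txt`, `recip.pem`, `cms1.pem`) mirror the poster's program; the EC curve, cipher and subject name are my own choices.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes `openssl` on PATH for the
# round trip; the version check below needs nothing but sh and sed.

# Return 0 when an `openssl version` string names a release with ECDH support
# in CMS (OpenSSL 1.0.2 or later), 1 otherwise. Strings that do not start with
# "OpenSSL" (e.g. LibreSSL) are treated as unknown and reported unsupported.
cms_ecdh_supported() {
    # "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1"; the letter suffix is dropped.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%.*}
    case "$minor" in ''|*[!0-9]*) minor=0;; esac
    case "$patch" in ''|*[!0-9]*) patch=0;; esac
    if [ "$major" -gt 1 ]; then return 0; fi          # 3.x
    if [ "$major" -lt 1 ]; then return 1; fi          # 0.9.8 and older
    if [ "$minor" -gt 0 ]; then return 0; fi          # 1.1.x
    [ "$patch" -ge 2 ]                                # 1.0.2+
}

# Generate an EC recipient key and self-signed cert (the thread's recip.pem),
# envelope a constructed plaintext for it, decrypt, and compare. Returns 0 on a
# successful round trip.
cms_ecdh_roundtrip() {
    workdir=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$workdir/encr.txt"
    status=1
    if openssl ecparam -name prime256v1 -genkey -noout \
            -out "$workdir/recip.key" >/dev/null 2>&1 &&
       openssl req -new -x509 -key "$workdir/recip.key" -subj '/CN=recipient' \
            -days 1 -out "$workdir/recip.pem" >/dev/null 2>&1 &&
       # -stream is the CLI equivalent of CMS_STREAM: the EnvelopedData is
       # finalised while it is written, with no separate CMS_final step.
       openssl cms -encrypt -stream -aes-256-cbc -in "$workdir/encr.txt" \
            -outform PEM -out "$workdir/cms1.pem" "$workdir/recip.pem" &&
       openssl cms -decrypt -inform PEM -in "$workdir/cms1.pem" \
            -recip "$workdir/recip.pem" -inkey "$workdir/recip.key" \
            -out "$workdir/plain.txt" &&
       cmp -s "$workdir/encr.txt" "$workdir/plain.txt"; then
        status=0
    fi
    rm -rf "$workdir"
    return $status
}

# Demo: only attempted when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if cms_ecdh_supported "$v"; then
        if cms_ecdh_roundtrip; then
            echo "CMS ECDH round trip OK ($v)"
        else
            echo "CMS ECDH round trip FAILED ($v)"
        fi
    else
        echo "$v: ECDH recipients need OpenSSL 1.0.2 or later"
    fi
fi
```

The version test mirrors what a program linked against the wrong library sees: on 1.0.1 the CLI and the C API alike will refuse an EC recipient, so checking the linked version first saves stepping through CMS_add1_recipient_cert.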