[openssl-users] openssl 1.0.2a CMS encrypt with ECDH EnvelopedData fails?

Dr. Stephen Henson steve at openssl.org
Thu Mar 26 20:14:36 UTC 2015

On Thu, Mar 26, 2015, Chris Madden wrote:

> Hi,
> I am playing with openssl 1.0.2a - specifically CMS support for ECC.
> But what I think should work doesn't.
> Commands used and parsed data shown.
> (I gave an RSA example as a known good working example)
> ./openssl version
> OpenSSL 1.0.2a 19 Mar 2015
> echo -n 12345678123456781234567812345678 > sess.txt # 32 byte plaintext
> #EC fails
> ================
>   ./openssl ecparam -name prime192v1 -genkey -out ecc.key
>   ./openssl req -x509 -new -key ecc.key -out ecc.crt
>   ./openssl cms -encrypt -in sess.txt -out encsess.bin -outform PEM ecc.crt
>   ./openssl cms -decrypt -in encsess.bin -out decsess.txt -inform PEM -inkey ecc.key
> Error decrypting CMS structure
> error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:

RSA can decrypt without knowing the certificate but currently EC cannot. So
try including the option -recip ecc.crt when you decrypt.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
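
The sequence from the thread with the suggested -recip option applied at decrypt time, written as a self-checking round trip. This is an added example, not part of either message. Assumptions: openssl is on PATH; the curve prime256v1 (in place of prime192v1, which some builds omit), the -aes128, -binary, -noout, -days and -subj arguments, the file names and the function name cms_ec_roundtrip are choices made for this example.

```shell
#!/bin/sh
# Added example: CMS EnvelopedData round trip to an EC recipient.
# The recipient certificate is passed to the decrypt step with -recip,
# as suggested in the reply above.
cms_ec_roundtrip() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1

        # Constructed sample input: 32 bytes, no trailing newline.
        printf '%s' 12345678123456781234567812345678 > sess.txt

        # EC key and self-signed certificate. -subj avoids the interactive
        # prompts; the subject value is made up for this example.
        openssl ecparam -name prime256v1 -genkey -noout -out ecc.key || exit 1
        openssl req -x509 -new -key ecc.key -subj "/CN=cms-ec-example" \
            -days 1 -out ecc.crt || exit 1

        # Encrypt to the EC certificate. -binary keeps the payload byte-exact.
        openssl cms -encrypt -binary -aes128 -in sess.txt \
            -out encsess.pem -outform PEM ecc.crt || exit 1

        # Decrypt with both the private key and the recipient certificate.
        openssl cms -decrypt -in encsess.pem -inform PEM \
            -inkey ecc.key -recip ecc.crt -out decsess.txt || exit 1

        # Succeeds only if the recovered plaintext matches the input.
        cmp -s sess.txt decsess.txt
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

cms_ec_roundtrip && echo "EC CMS round trip OK"
```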
