[openssl-users] CMS with Symmetric key

Dr. Stephen Henson steve at openssl.org
Tue Apr 12 19:18:36 UTC 2016

On Mon, Apr 11, 2016, Abe Racioppo wrote:

> Thank you for the responses.
> I have implemented encryption that adds a secret key, and secret key id
> using:
> CMS_add0_recipient_key,
> CMS_EncryptData_encrypt,
> SMIME_write_CMS
> The output file looks correct, but I need to decrypt it back to be sure.

Ah CMS_EncryptedData_encrypt() just creates the encrypted data type. If you
want to use enveloped data you use CMS_encrypt() first then
CMS_add0_recipient_key() and finally SMIME_write_CMS().

> I would like to be able to get the secret key id from the envelope data to
> then search a database for the key, and then CMS_decrypt.  I have yet to
> determine the most straightforward way of getting the key ids from the
> envelope/wrapped content of cms.
> Is there a combination if I have SMIME_read the cms from a file like:
>   keyId =  cms->envelopedData->keyId?
> Or do I need to handle a stack_of recipient infos in order to get the key
> id from kekri0_get_id?

Yes. You need to use CMS_get0_RecipientInfos() as there can be multiple
recipients of different types.

For each recipient info you check the type with:

	CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_KEY

For each match retrieve the key ID using CMS_RecipientInfo_kekri_get0_id().

If the id doesn't match a value in your database continue to the next recipient
info. If there are no matches return an error.

If you do get a match then call CMS_RecipientInfo_set0_key().

Finally call CMS_decrypt(): setting the key and certificate parameters to

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
