[openssl-users] PKCS7_sign conflict with PKCS7_decrypt?

Dr. Stephen Henson steve at openssl.org
Tue Jul 26 15:21:44 UTC 2016


On Tue, Jul 26, 2016, Jim Carroll wrote:

> Running into trouble -- any attempt to PKCS7_decrypt() S/MIME content that
> was created with PKCS7_sign()+PKCS7_encrypt() yields an empty result set.  I
> have the distinct impression I'm doing something dumb -- but after several days of
> debugging I'm completely stuck.
> 
> I've created an MVCE and included it below. The code was built and run on
> Windows 8.1 Pro, Visual C++ 2008 Express, using OpenSSL 1.1.0-pre6-dev
> (32-bit build).
> 
> Interesting point -- If I remove the PKCS7_sign() code, I have no problem
> encrypting and decrypting the content. I strongly suspect my issue has
> something to do with S/MIME headers interfering with encryption or
> decryption.  But that theory would suggest there's a bug in OpenSSL's S/MIME
> handling. I find that hard to swallow -- more likely I'm missing some sort
> of required flag.
> 

What you're doing is sign followed by encrypt which gives a signed message
within an encrypted one.

Then you just decrypt which ends up giving you the signed content back. So if
you want to process that you have to verify it first.

Note there is a bug in the current master which breaks CMS/PKCS#7 (overlapping
buffers check) so you'll have to either try an earlier version or wait for it
to be fixed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
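
The nesting described in the reply above can be reproduced with the `openssl smime` command, which drives the same PKCS7_sign(), PKCS7_encrypt(), PKCS7_decrypt() and PKCS7_verify() calls. This is an added example, not code from the thread; the file names, the certificate subject and the message text are constructed, and a single throwaway self-signed certificate is assumed to act as both signer and recipient.

```shell
#!/bin/sh
# Added example, not code from the thread. File names, the CN and the message
# text are constructed; one throwaway self-signed cert is signer and recipient.

# Run sign -> encrypt -> decrypt -> verify inside the directory given as $1.
smime_roundtrip() (
    cd "$1" || exit 1
    printf 'hello nested S/MIME\n' > msg.txt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=smime-demo' \
        -keyout key.pem -out cert.pem 2>/dev/null || exit 1
    # Inner layer (PKCS7_sign): an S/MIME signed message wrapping msg.txt.
    openssl smime -sign -in msg.txt -signer cert.pem -inkey key.pem \
        -out signed.eml || exit 1
    # Outer layer (PKCS7_encrypt): the whole signed message is the plaintext.
    openssl smime -encrypt -aes256 -in signed.eml -out enc.eml cert.pem || exit 1
    # PKCS7_decrypt strips the outer layer only: inner.eml is the signed
    # message (MIME headers plus signature), not the original text.
    openssl smime -decrypt -in enc.eml -recip cert.pem -inkey key.pem \
        -out inner.eml || exit 1
    # PKCS7_verify checks the signature and writes out the signed content.
    openssl smime -verify -in inner.eml -CAfile cert.pem \
        -out plain.txt 2>/dev/null || exit 1
)

# Succeeds when the decrypt output is still an S/MIME signed message.
inner_is_signed() { grep -qi 'multipart/signed' "$1/inner.eml"; }

# Verified content with the CRLF line endings added by S/MIME removed.
recovered_text() { tr -d '\r' < "$1/plain.txt"; }

demo=$(mktemp -d) && smime_roundtrip "$demo" && {
    inner_is_signed "$demo" && echo "after decrypt: still a signed message"
    echo "after verify:  $(recovered_text "$demo")"
}
rm -rf "$demo"
```

In C the equivalent second step is to parse the PKCS7_decrypt() output with SMIME_read_PKCS7() and pass the result to PKCS7_verify().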

