[openssl-users] Some S/MIME CMS encrypted messages produce invalid key length when using the debug_decrypt option

Harakiri harakiri_23 at yahoo.com
Fri May 12 05:52:34 UTC 2017

The message is first signed then encrypted. Commands are as follows:

/usr/bin/openssl cms -encrypt -aes128 -in /tmp/OpenSSL5294490400891792656.eml -out /tmp/OpenSSL3519826551660167644.eml -subject 'subject' -from sender at sender.com -to recipient at recipient.com,recipient2 at recipient.com  -recip cert1.pem -recip cert2.pem -keyopt rsa_padding_mode:oaep

I maybe could provide a problematic e-mail including private keys - off the list - due to privacy concerns to investigate - would that be acceptable? If so - what e-mail address can I send it to?

From: Dr. Stephen Henson <steve at openssl.org>
To: Harakiri <harakiri_23 at yahoo.com>; openssl-users at openssl.org
Sent: Tuesday, May 9, 2017 1:04 AM
Subject: Re: [openssl-users] Some S/MIME CMS encrypted messages produce invalid key length when using the debug_decrypt option

On Mon, May 08, 2017, Harakiri via openssl-users wrote:

> I'm using the cmd client openssl cms -decrypt with the "debug_decrypt" option to have the same behaviour as before the Bleichenbacher security patch to use decryption without recipient public keys.
> For some reason, some messages will produce the following error on OpenSSL 1.0.2d and even OpenSSL 1.0.2k
> Error decrypting CMS structure
> 6828:error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length:evp_enc.c:593:
> 6828:error:2E078076:CMS routines:cms_EncryptedContent_init_bio:invalid key length:cms_enc.c:163:
> Calling cms -decrypt without the debug_decrypt option produces no error.
> What is weird is that it's always basically the same source e-mail encrypted using openssl cms with aes-128-cbc and rsaesOaep, and sometimes the resulting message will produce this error and other times it works.

That's odd. What command line are you using to create the messages?

Would it be possible to create a test case that reproduces this error?

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

