How to Sign and Encrypt in CMS ?

[Wim Lewis]

On May 5, 2019, at 7:13 PM, Dr. Pala <director at openca.org> wrote:
> small question - I was playing around with the CMS interface and I was wondering what is the right way to generate a signed and encrypted CMS. In particular, for PKCS#7, you could use the signed_and_encrypted choice... but in CMS, there is the envelopedData ... but that does not allow for signing... ??? And for the signed data, there is the signedData type... but that does not allow for encryption... The EncryptedData is for use with PSK - not a case I am interested into...

There are two common approaches that I know of:

- You can combine a SignedData and an EnvelopedData. Depending on your use case you may want to sign first and then envelop(e), or envelope first and then sign. (IIRC, one of the RFCs suggests sign-envelop-sign, though I can't find that text right now.)

- You can use the AuthenticatedEnvelopedData type from RFC5083, with an AEAD cipher mode. (This does not provide a signature, but it does provide an integrity check which may be sufficient for your needs. You can also combine it with SignedData, of course.)

Note that SignedAndEnvelopedData is part of PKCS#7 but wasn't included in CMS; even PKCS#7 (RFC2315) suggests that "the sequential combination of signed-data and enveloped-data content types is generally preferable to the SignedAndEnvelopedData content type" unless you need it for compatibility reasons.

Also, last time I tried, OpenSSL's API made it kind of tricky to produce a correctly formed sign-envelop or envelop-sign message; that may have improved since then, though.