CMS with ECC Keys is incompatible with Windows CMS / Outlook

Meik Kreyenkoetter meikkr at gmail.com
Fri Nov 15 11:18:39 UTC 2019


Hello,

When generating a CMS with OpenSSL 1.1.1d or OpenSSL 1.0.2g using only ECC keys, Windows 10 is unable to decrypt the CMS.
All passwords for the keys are "test".

Encrypting:

openssl cms -encrypt -outform PEM -recip bob.pem -in Test.eml -out opensslencrypted.cms -aes256 -aes128-wrap

Decryption on Windows 10 (with installed Keys in Store):

Unprotect-CmsMessage -Path .\opensslencrypted.cms

Unprotect-CmsMessage : Die Daten sind unzulässig.
In Zeile:1 Zeichen:1
+ Unprotect-CmsMessage -Path .\opensslencrypted.cms
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Unprotect-CmsMessage], CryptographicException
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.Unprot
   ectCmsMessageCommand


The file outlookencrypted.cms contains a CMS with ECC keys generated on Windows 10. It's decryptable by Windows and OpenSSL.

Inspecting the Windows and OpenSSL generated CMS, they both look ok. The only difference I have seen in the CMS -print output is that the parameter is absent in the OpenSSL-generated one and NULL in the Windows-generated one:

OpenSSL, openssl cms -in opensslencrypted.cms -cmsout -print -inform PEM:

    recipientInfos:
      d.kari:
        version: 3
        d.originatorKey:
          algorithm:
            algorithm: id-ecPublicKey (1.2.840.10045.2.1)
            parameter: <ABSENT>
          publicKey:  (0 unused bits)

Windows generated, openssl cms -in outlookencrypted.cms -cmsout -print -inform PEM:

    recipientInfos:
      d.kari:
        version: 3
        d.originatorKey:
          algorithm:
            algorithm: id-ecPublicKey (1.2.840.10045.2.1)
            parameter: NULL
          publicKey:  (0 unused bits)

I have changed the OpenSSL sources to include "parameter: NULL" in CMS generation, but that makes no difference. The CMS with changed sources is decryptable by OpenSSL, but not on Windows:

openssl cms -decrypt -in opensslencrypted_changed_sources.cms -inform PEM -recip bob.pem

I have attached all keys and output.

Anything I am missing here?


Meik
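As an added diagnostic (not part of the original post or of OpenSSL), the following Python walks a DER or PEM CMS blob and reports how the parameters field of every id-ecPublicKey AlgorithmIdentifier is encoded, so the absent-vs-NULL difference in the originatorKey field above can be checked mechanically; RFC 5753 permits absent, NULL or ECParameters there. The sample blobs are constructed OriginatorPublicKey fragments, not the attachments from the list.

```python
"""Classify the parameters of each id-ecPublicKey AlgorithmIdentifier in a CMS blob."""
import base64

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1

def read_tlv(buf, pos):
    """Parse one definite-length TLV at pos: (tag, constructed, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:  # indefinite-length BER; openssl cms -noindef writes definite lengths
        raise ValueError("indefinite-length BER not supported")
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def children(buf):
    """List the (tag, constructed, value) TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, constructed, value, pos = read_tlv(buf, pos)
        out.append((tag, constructed, value))
    return out

def ec_param_encodings(der):
    """Recurse through every constructed node (implicit tags such as [1] included)."""
    found, kinds = [], {0x05: "NULL", 0x06: "namedCurve OID"}
    for tag, constructed, value in children(der):
        if tag == 0x30:  # SEQUENCE: candidate AlgorithmIdentifier
            inner = children(value)
            if inner and inner[0][0] == 0x06 and inner[0][2] == ID_EC_PUBLIC_KEY:
                found.append("absent" if len(inner) == 1 else kinds.get(inner[1][0], "other"))
        if constructed:
            found.extend(ec_param_encodings(value))
    return found

def der_from_pem(text):
    """Strip the -----BEGIN/END CMS----- armour and base64-decode the body."""
    body = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)

def tlv(tag, value):
    """Encode one DER TLV with a minimal length field (only used to build the samples)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

# Constructed samples, not the list's attachments: an implicitly tagged
# OriginatorPublicKey [1] { algorithm AlgorithmIdentifier, publicKey BIT STRING }.
DUMMY_POINT = tlv(0x03, b"\x00\x04" + b"\x11" * 64)  # BIT STRING, 0 unused bits
OPENSSL_STYLE = tlv(0xA1, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY)) + DUMMY_POINT)
WINDOWS_STYLE = tlv(0xA1, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x05, b"")) + DUMMY_POINT)
WINDOWS_PEM = "-----BEGIN CMS-----\n%s\n-----END CMS-----\n" % base64.b64encode(WINDOWS_STYLE).decode()
```

Run `ec_param_encodings(der_from_pem(open("opensslencrypted.cms").read()))` against each of the two real files to see whether anything beyond the originatorKey parameters differs.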

