CMS in openssl

Michael Richardson mcr at sandelman.ca
Wed Apr 22 01:46:08 UTC 2020 

Michael Mueller <abaci.mjm at gmail.com> wrote:
    > We've implemented what I gather can be called a CMS on Linux and Windows
    > using openssl evp functions.

I'm not sure why you say it this way.
OpenSSL includes CMS (RFC3369) support, but I think not until 1.1.0.
Did you implement RFC3369, or something else?

You don't say if this is email or something else.

    > We need to expand this CMS to other systems, on which we have not been able
    > to build openssl. These other systems have a vendor supplied security
    > application. This application supports PKCS7.

    > We are being asked if our evp CMS is interoperable with PKCS7.

CMS (RFC3369/2630) is an upward revision to PKCS7 (RFC2315) 1.5.
CMS can read PKCS7 messages, but converse is not true.

I think it is possible to configure the CMS routines to produce PKCS7
messages, but I didn't do this in my RFC8366 support. I just forklift
upgraded to CMS.

    > If it is possible and more information is required to answer this question,
    > I'll provide such information.

    > If not, advice on how to present that argument to management would be
    > appreciated.

You will understand them, but they won't understand you.

You may be able to configure your end to generate PKCS7 easily, and it may
have little effect.  This might degenerate until just using PKCS7 everywhere.

The major difference is the eContentType that is lacking in PKCS7.
And algorithms: I think that there are few modern algorithms defined for PKCS7.

You could easily run in PKCS7 mode until you receive a CMS message from the
peer, and then upgrade to CMS.  But this winds up in a bid-down attack if
both parties run this algorithm, so you'd want to insert some extension that
said: "I can do CMS" into your PKCS7 messages.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200421/bd4c27d7/attachment.sig>

More information about the openssl-users mailing list