CMS in openssl

Michael Richardson mcr at sandelman.ca
Wed Apr 22 18:56:12 UTC 2020


Michael Mueller <abaci.mjm at gmail.com> wrote:
    >> Michael Mueller <abaci.mjm at gmail.com> wrote:
    >> > We've implemented what I gather can be called a CMS on Linux and
    >> > Windows using openssl evp functions.
    >>
    >> I'm not sure why you say it this way.
    >> OpenSSL includes CMS (RFC3369) support, but I think not until 1.1.0.
    >> Did you implement RFC3369, or something else?
    >>
    >> You don't say if this is email or something else.
    >>

    > My bad. I thought CMS could be used as a generic reference to packaging
    > encrypted messages.

    > We are not implementing CMS as specified by IETF.

    > We used the openssl evp functions to quickly improve the security of an
    > existing proprietary data exchange system.

    > Now we are being asked if our evp based solution can interoperate with a
    > system that may support PKCS7. The thought is PKCS7 would be used to
    > envelope data in a manner similar to how the evp functions operate.

I don't think you will find any compatibility.

You can use the PKCS7 functions to process that kind of data.
Or future-proof and use CMS functions to read, and figure out how you will
write/send messages.

    > I suspect that evp functions are not compatible with PKCS7, but I don't
    > know how to easily confirm this. I also suspect it will be difficult to
    > explain why they are incompatible.

    > If evp and PKCS7 are incompatible, we might be asked if we can use PKCS7
    > enveloping instead of evp.

    > Any insights, thoughts, advice, code to read, etc. would be appreciated.

I think you should consider if you want to move to PKCS7.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
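
On the question of how to confirm the incompatibility, an added example (not part of the thread and not OpenSSL code): PKCS7 and CMS messages start with an ASN.1 ContentInfo whose first field is a content-type OID, while the bytes returned by EVP encryption calls have no ASN.1 framing and sit in whatever container the application defines. The function name pkcs7_content_type and all three sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER bytes of OID arc 1.2.840.113549.1.7 (pkcs-7); the final arc selects the type. */
static const unsigned char PKCS7_ARC[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07};

/* Constructed sample: first bytes of a ContentInfo announcing envelopedData. */
static const unsigned char SAMPLE_P7[] = {0x30,0x0F,0x06,0x09,0x2A,0x86,0x48,0x86,
    0xF7,0x0D,0x01,0x07,0x03,0xA0,0x02,0x30,0x00};
/* Constructed sample: same header in streaming (indefinite-length BER) form. */
static const unsigned char SAMPLE_P7_STREAM[] = {0x30,0x80,0x06,0x09,0x2A,0x86,0x48,
    0x86,0xF7,0x0D,0x01,0x07,0x03,0xA0,0x80,0x30,0x80};
/* Constructed sample: stand-in for an application-defined blob of raw ciphertext. */
static const unsigned char SAMPLE_RAW[] = {0x30,0x0F,0x9C,0x41,0xE2,0x07,0x5B,0xD8,
    0x13,0x6A,0xF0,0x2E,0x88,0x91,0x3C,0x77,0xA5};

/* Read a BER/DER length at buf[*pos]; 0x80 (indefinite) means "rest of buffer". */
static int read_len(const unsigned char *buf, size_t n, size_t *pos, size_t *len)
{
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    if (b == 0x80) { *len = n - *pos; return 0; }
    if (b < 0x80) { *len = b; return 0; }
    size_t k = b & 0x7F;
    if (k > sizeof(size_t) || k > n - *pos) return -1;
    for (*len = 0; k > 0; k--) *len = (*len << 8) | buf[(*pos)++];
    return 0;
}

/* Returns the PKCS#7 content type (1 data, 2 signedData, 3 envelopedData, ...,
 * 6 encryptedData) if buf starts with ContentInfo ::= SEQUENCE { OID, ... },
 * or 0 if it does not. CMS-only types under other arcs also return 0. */
int pkcs7_content_type(const unsigned char *buf, size_t n)
{
    size_t pos = 0, len, end;
    if (n < 2 || buf[pos++] != 0x30) return 0;              /* SEQUENCE tag */
    if (read_len(buf, n, &pos, &len) || len > n - pos) return 0;
    end = pos + len;
    if (pos >= end || buf[pos++] != 0x06) return 0;         /* OID tag */
    if (read_len(buf, end, &pos, &len) || len > end - pos) return 0;
    if (len != sizeof PKCS7_ARC + 1 || memcmp(buf + pos, PKCS7_ARC, sizeof PKCS7_ARC))
        return 0;
    return (buf[pos + len - 1] >= 1 && buf[pos + len - 1] <= 6) ? buf[pos + len - 1] : 0;
}

int main(void)
{
    printf("p7=%d stream=%d raw=%d\n", pkcs7_content_type(SAMPLE_P7, sizeof SAMPLE_P7),
           pkcs7_content_type(SAMPLE_P7_STREAM, sizeof SAMPLE_P7_STREAM),
           pkcs7_content_type(SAMPLE_RAW, sizeof SAMPLE_RAW));
    return 0;
}
```

A return of 0 for a file written by the existing system shows a PKCS7 parser would reject it at the first field; the check only inspects the header and does not validate the rest of the structure.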
