CMS in openssl

Michael Mueller abaci.mjm at gmail.com
Wed Apr 22 21:54:15 UTC 2020


On Wed, Apr 22, 2020, 2:56 PM Michael Richardson <mcr at sandelman.ca> wrote:

>
> Michael Mueller <abaci.mjm at gmail.com> wrote:
>     >> Michael Mueller <abaci.mjm at gmail.com> wrote:
>     >> > We've implemented what I gather can be called a CMS on Linux and Windows
>     >> > using openssl evp functions.
>     >>
>     >> I'm not sure why you say it this way.
>     >> OpenSSL includes CMS (RFC3369) support, but I think not until 1.1.0.
>     >> Did you implement RFC3369, or something else?
>     >>
>     >> You don't say if this is email or something else.
>     >>
>
>     > My bad. I thought CMS could be used as a generic reference to packaging
>     > encrypted messages.
>
>     > We are not implementing CMS as specified by IETF.
>
>     > We used the openssl evp functions to quickly improve the security of an
>     > existing proprietary data exchange system.
>
>     > Now we are being asked if our evp based solution can interoperate with a
>     > system that may support PKCS7. The thought is PKCS7 would be used to
>     > envelope data in a manner similar to how the evp functions operate.
>
> I don't think you will find any compatibility.
>
> You can use the PKCS7 functions to process that kind of data.
> Or future proof and use CMS functions to read, and figure out how you will
> write/send messages
>

Today we learned that PKCS7 1.5 & 1.6 and RFC 3852 are available on
the "older" system.

Also was guided to CMS specs, and the CMS tools and functions in openssl.

We'll experiment with the openssl cms functions on linux and the older
system independently. If that works, we'll try interworking linux with the
older system. If that works, we'll toggle from evp to cms if the older
system is involved.

Thank you all for your help.


>     > I suspect that evp functions are not compatible with PKCS7, but I don't
>     > know how to easily confirm this. I also suspect it will be difficult to
>     > explain why they are incompatible.
>
>     > If evp and PKCS7 are incompatible, we might be asked if we can use PKCS7
>     > enveloping instead of evp.
>
>     > Any insights, thoughts, advice, code to read, etc would be appreciated.
>
> I think you should consider if you want to move to PKCS7.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>
>
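
Added example, not part of the original thread or of OpenSSL: one way to confirm on the wire whether a captured message is a PKCS7/CMS envelope or an application-framed EVP blob. PKCS7 and CMS messages are an ASN.1 ContentInfo (a SEQUENCE that starts with a content type OID under 1.2.840.113549.1.7), whereas the EVP seal functions emit only the raw encrypted key, IV and ciphertext and leave the framing to the application. The names `read_len` and `cms_content_type` and both sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read a BER/DER length at buf[*pos]. Returns 0 on success, -1 if truncated.
 * *indef is set for the indefinite form (0x80) used by streamed CMS output. */
static int read_len(const unsigned char *buf, size_t n, size_t *pos,
                    size_t *len, int *indef)
{
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    size_t k = b & 0x7f;
    *indef = (b == 0x80);
    *len = 0;
    if (b < 0x80) { *len = b; return 0; }
    if (k > sizeof(size_t) || k > n - *pos) return -1;
    while (k--) *len = (*len << 8) | buf[(*pos)++];
    return 0;
}

/* Returns the last arc N of a pkcs-7 content type OID 1.2.840.113549.1.7.N
 * (1=data, 2=signedData, 3=envelopedData, ...) if buf begins with a binary
 * ContentInfo, else 0. PEM input must be base64-decoded first. */
int cms_content_type(const unsigned char *buf, size_t n)
{
    static const unsigned char arc[] = {0x06, 0x09, 0x2A, 0x86, 0x48,
                                        0x86, 0xF7, 0x0D, 0x01, 0x07};
    size_t pos = 1, len;
    int indef;
    if (n < 2 || buf[0] != 0x30) return 0;          /* outer SEQUENCE */
    if (read_len(buf, n, &pos, &len, &indef)) return 0;
    if (!indef && len > n - pos) return 0;          /* length overruns input */
    if (n - pos < sizeof(arc) + 2) return 0;
    if (memcmp(buf + pos, arc, sizeof(arc))) return 0;
    pos += sizeof(arc);
    return buf[pos + 1] == 0xA0 ? buf[pos] : 0;     /* [0] EXPLICIT content */
}

/* Constructed samples: the first bytes of a streamed envelopedData message,
 * and random bytes standing in for an application-framed EVP blob. */
static const unsigned char sample_cms[] = {0x30, 0x80, 0x06, 0x09, 0x2A, 0x86,
    0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03, 0xA0, 0x80};
static const unsigned char sample_raw[] = {0x8F, 0x1C, 0x30, 0x0F, 0x06, 0x09,
    0xB2, 0x41, 0x77, 0xE0, 0x5A, 0x13, 0xC8, 0x2D, 0x90, 0x6E};

int main(void)
{
    printf("cms sample: %d\n", cms_content_type(sample_cms, sizeof sample_cms));
    printf("raw sample: %d\n", cms_content_type(sample_raw, sizeof sample_raw));
    return 0;
}
```

For a full structural dump of a candidate file rather than this header check, `openssl asn1parse -inform DER -in FILE` prints the parsed ASN.1 or fails on non-ASN.1 input.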