CMS decryption of message with OAEP using Hardware security module

Thulasi Goriparthi thulasi.goriparthi at gmail.com
Tue Feb 18 12:59:49 UTC 2020 

CMS_Decrypt doesn't need to feed this information explicitly and it will
part of CMS envelope of the encrypted data.

https://tools.ietf.org/html/rfc3560#page-4

Thanks,
Thulasi.

On Tue, 18 Feb 2020 at 17:16, Thulasi Goriparthi <
thulasi.goriparthi at gmail.com> wrote:

> Sorry for this. I see that you already knew about it.
>
> On Tue, 18 Feb, 2020, 17:08 Thulasi Goriparthi, <
> thulasi.goriparthi at gmail.com> wrote:
>
>> https://www.openssl.org/docs/man1.1.0/man3/EVP_PKEY_CTX_ctrl_str.html
>>
>> Thanks,
>> Thulasi.
>>
>> On Tue, 18 Feb, 2020, 16:43 RudyAC, <rpo at compumatica.com> wrote:
>>
>>> Hello Thulasi,
>>>
>>> thank you for your quick response.
>>>
>>> the encryption takes not place in the HSM because we only store the
>>> private
>>> keys inside the HSM. For encryption we use the openssl CMS_encrypt()
>>> function. In case of OAEP I use the parameters:
>>>                 EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
>>>                 EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
>>>                 EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label,
>>> oaep_label_l);
>>> and call CMS_final() at last.
>>> For decryption we use the HSM where the private keys are stored and the
>>> openssl PKCS11 engine is used.
>>> Therefore we call CMS_decrypt(). Unfortunately there are no OAEP
>>> parameters
>>> that can be specified at CMS_decrypt().
>>>
>>> By default we do encryption and decryption without HSM. Using the same
>>> functions (CMS_encrypt(),CMS_decrypt()) it works very well. But now it
>>> is my
>>> job to do decryption with a HSM (Utimaco).
>>>
>>> My question is if there is a possibility to tell CMS_decrypt() that the
>>> encrypted email uses OAEP padding or is there only a problem at the side
>>> of
>>> the HSM provider.
>>>
>>> Best regards
>>> Rudy
>>>
>>>
>>>
>>> --
>>> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200218/a4a47e11/attachment-0001.html>

More information about the openssl-users mailing list