On Apr 4, 2016, at 3:42 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote: > Unless you can point out a clause in the "CMS" format RFCs > that allow use without X.509 certificates, there is no reason > why the "CMS" part of the OpenSSL library should be able to > any such thing. The CMS RFC (RFC 5652) specifies password based key derivation (in addition to asymmetric-key crypto key transport or agreement, and also a symmetric-cryptography key transport mechanism). See section 6.2. It looks like password based key derivation wasn't in the original PKCS#7, but was introduced in a 2001 specification (RFC 3211) and was folded into the 2002 revision of CMS (RFC 3369).
