Am 06.07.16 um 15:46 schrieb Dr. Stephen Henson:
>...
>
>> Second the following:
>>
>> 129 10: [1] {
>> 131 8: OCTET STRING B1 04 4A FD FC 8B 70 6D
>> : }
>>
>> If I match this correctly to RFC 5652, this is
>>
>> ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL
>>
>> inside the KeyAgreeRecipientInfo SEQUENCE (see
>> https://tools.ietf.org/html/rfc5652#section-6.2.2).
>>
>> Can OpenSSL emit this optional element?
>
> Yes but not using the command line utility. It would require a custom program
> to set the parameter using the CMS API.
Could you pleaee briefly explain how set the parameter? I could not find
anything in the documentation of the CMS API about this.
>> What is the purpose of the "ukm" field?
>>
>
> It provides some additional optional random data used in the key encryption
> key derivation algorithm.
>
> Note that you can get a diagnistic dump using:
>
> openssl cms -cmsout -inform DER -print -in cmd.der
I wasn't aware of this feature, that looks very useful, thanks!
--
Stephan
