Doesn't S/MIME permit the half-ephemeral ECDH algorithm where the recipient's static ECDH certificate is combined with a per message ephemeral ECDH key? On 26/01/2018 18:20, Kyle Hamilton wrote:
On the algorithmic side of things, the ECDSA algorithm cannot encrypt. It is signing-only. In order to use Elliptical Curves to encrypt, you would have to use the "Elliptical Curve Diffie-Hellman" algorithm to perform a key agreement. This requires that both the sender and the recipient have EC keys which are marked in their certificates as being for the purpose "keyAgreement". Your command line only specifies the recipient certificate, not the sending certificate. You can't do an ecdh_kdf_md:sha256 operation without the sender's certificate and private key. I hope this helps! -Kyle H On Fri, Jan 26, 2018 at 7:13 AM, clou <mail@xxxxxxxx> wrote:openssl 1.1.0.f ecdsa 512 certificate openssl cms -sign works perfect and sending an email. For encryption and sending an email I just get an email with an attachment smime.p7m. I use the following encryption command openssl cms -encrypt \ -recip cert.pem \ -subject 'openssl encrypt' \ -to email \ -from email \ -in msg.txt \ -keyopt ecdh_kdf_md:sha256 \ | \ sendmail email Any idea how I need do encrypt (or encrypt and sign) in order to get a proper email? Thanks a lot! -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
