Hello,

when generating a CMS with OpenSSL 1.1.1d or OpenSSL 1.0.2g using only ECC keys, Windows 10 is unable to decrypt the CMS. All passwords for keys are "test".

Encrypting:

    openssl cms -encrypt -outform PEM -recip bob.pem -in Test.eml -out opensslencrypted.cms -aes256 -aes128-wrap

Decryption on Windows 10 (with installed keys in store):

    Unprotect-CmsMessage -Path .\opensslencrypted.cms
    Unprotect-CmsMessage : Die Daten sind unzulässig.
    In Zeile:1 Zeichen:1
    + Unprotect-CmsMessage -Path .\opensslencrypted.cms
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Unprotect-CmsMessage], CryptographicException
        + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.Unprot
       ectCmsMessageCommand

The file outlookencrypted.cms contains a CMS with ECC keys generated on Windows 10. It's decryptable by Windows and OpenSSL.

Inspecting the Windows and OpenSSL generated CMS, they both look ok. The only difference I have seen in the CMS -print output is that the parameter is absent in the OpenSSL generated one and NULL in the Windows generated one:

OpenSSL, openssl cms -in opensslencrypted.cms -cmsout -print -inform PEM:

    recipientInfos:
      d.kari:
        version: 3
        d.originatorKey:
          algorithm:
            algorithm: id-ecPublicKey (1.2.840.10045.2.1)
            parameter: <ABSENT>
          publicKey: (0 unused bits)

Windows generated, openssl cms -in outlookencrypted.cms -cmsout -print -inform PEM:

    recipientInfos:
      d.kari:
        version: 3
        d.originatorKey:
          algorithm:
            algorithm: id-ecPublicKey (1.2.840.10045.2.1)
            parameter: NULL
          publicKey: (0 unused bits)

I have changed the OpenSSL sources to include "parameter: NULL" in CMS generation, but that makes no difference. The CMS with changed sources is decryptable by OpenSSL, but not on Windows:

    openssl cms -decrypt -in opensslencrypted_changed_sources.cms -inform PEM -recip bob.pem

I have attached all keys and output.

Anything I am missing here?

Meik
Attachment:
opensslencrypted_changed_sources.cms
Description: Binary data
Attachment:
outlookencrypted.cms
Description: Binary data
Attachment:
opensslencrypted.cms
Description: Binary data
Attachment:
cacert.crt
Description: application/x509-ca-cert
Attachment:
bob@external.com.p12
Description: application/pkcs12
Attachment:
bob.pem
Description: application/x509-ca-cert
Attachment:
bob.cer
Description: application/x509-ca-cert
Attachment:
alice@internal.com.p12
Description: application/pkcs12
Attachment:
alice.pem
Description: application/x509-ca-cert
Attachment:
alice.cer
Description: application/x509-ca-cert
--- Begin Message ---
Testmail
--- End Message ---
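
The "parameter: <ABSENT>" versus "parameter: NULL" difference described in the message, shown at the DER byte level. This is an added example and not part of the original post; the two byte strings are constructed here and cover only the AlgorithmIdentifier, not a full originatorKey or CMS structure, and the function names are hypothetical.

```python
# Added illustration: classify the optional `parameters` field of a DER
# AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    top = min(arcs[0] // 40, 2)  # first octet packs the first two arcs
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])

def classify_parameters(alg_id_der):
    """Return (oid, 'ABSENT' | 'NULL' | 'OTHER') for one AlgorithmIdentifier."""
    tag, body, end = read_tlv(alg_id_der)
    if tag != 0x30 or end != len(alg_id_der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_body, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    if pos == len(body):
        return decode_oid(oid_body), "ABSENT"
    ptag, pval, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing data after parameters")
    kind = "NULL" if (ptag == 0x05 and pval == b"") else "OTHER"
    return decode_oid(oid_body), kind

# Constructed samples: id-ecPublicKey with parameters omitted / encoded as NULL.
PARAM_ABSENT = bytes.fromhex("300906072a8648ce3d0201")
PARAM_NULL = bytes.fromhex("300b06072a8648ce3d02010500")
```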