Hello again,

maybe I have found the difference in the CMSes generated by OpenSSL and Windows.

This is the keyEncryptionAlgorithm in kari generated on Windows:

    keyEncryptionAlgorithm:
      algorithm: dhSinglePass-stdDH-sha1kdf-scheme (1.3.133.16.840.63.0.2)
      parameter: SEQUENCE:
    0:d=0  hl=2 l=  13 cons: SEQUENCE
    2:d=1  hl=2 l=   9 prim: OBJECT            :id-aes256-wrap
   13:d=1  hl=2 l=   0 prim: NULL
    recipientEncryptedKeys:

This is the keyEncryptionAlgorithm in kari generated with OpenSSL:

    keyEncryptionAlgorithm:
      algorithm: dhSinglePass-stdDH-sha1kdf-scheme (1.3.133.16.840.63.0.2)
      parameter: SEQUENCE:
    0:d=0  hl=2 l=  11 cons: SEQUENCE
    2:d=1  hl=2 l=   9 prim: OBJECT            :id-aes256-wrap
    recipientEncryptedKeys:

As one can see, there is a NULL at the end of the parameter sequence generated on Windows.

CMS output from BouncyCastle is like OpenSSL:

    keyEncryptionAlgorithm:
      algorithm: dhSinglePass-stdDH-sha1kdf-scheme (1.3.133.16.840.63.0.2)
      parameter: SEQUENCE:
    0:d=0  hl=2 l=  11 cons: SEQUENCE
    2:d=1  hl=2 l=   9 prim: OBJECT            :id-aes128-wrap

The BouncyCastle output is not decryptable on Windows.

Is there a way to generate a CMS with ECC compatible with Windows?

Meik

> On 15. Nov 2019, at 12:18, Meik Kreyenkoetter <meikkr@xxxxxxxxx> wrote:
>
> Hello,
>
> when generating a CMS with OpenSSL 1.1.1d or OpenSSL 1.0.2g using only ECC keys, Windows 10 is unable to decrypt the CMS.
> All passwords for keys are "test".
>
> Encrypting:
>
> openssl cms -encrypt -outform PEM -recip bob.pem -in Test.eml -out opensslencrypted.cms -aes256 -aes128-wrap
>
> Decryption on Windows 10 (with installed keys in store):
>
> Unprotect-CmsMessage -Path .\opensslencrypted.cms
>
> Unprotect-CmsMessage : The data is invalid.
> At line:1 char:1
> + Unprotect-CmsMessage -Path .\opensslencrypted.cms
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : NotSpecified: (:) [Unprotect-CmsMessage], CryptographicException
>     + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.UnprotectCmsMessageCommand
>
> The file outlookencrypted.cms contains a CMS with ECC keys generated on Windows 10. It's decryptable by Windows and OpenSSL.
>
> Inspecting the Windows and OpenSSL generated CMS, they both look ok. The only difference I have seen in CMS -print output is parameter absent in the OpenSSL generated and NULL in the Windows generated:
>
> OpenSSL, openssl cms -in opensslencrypted.cms -cmsout -print -inform PEM:
>
>     recipientInfos:
>       d.kari:
>         version: 3
>         d.originatorKey:
>           algorithm:
>             algorithm: id-ecPublicKey (1.2.840.10045.2.1)
>             parameter: <ABSENT>
>           publicKey:  (0 unused bits)
>
> Windows generated, openssl cms -in outlookencrypted.cms -cmsout -print -inform PEM:
>
>     recipientInfos:
>       d.kari:
>         version: 3
>         d.originatorKey:
>           algorithm:
>             algorithm: id-ecPublicKey (1.2.840.10045.2.1)
>             parameter: NULL
>           publicKey:  (0 unused bits)
>
> I have changed the OpenSSL sources to include "parameter: NULL" in CMS generation, but that makes no difference. The CMS with changed sources is decryptable by OpenSSL, but not on Windows:
>
> openssl cms -decrypt -in opensslencrypted_changed_sources.cms -inform PEM -recip bob.pem
>
> I have attached all keys and output.
>
> Anything I am missing here?
>
>
> Meik
>
>
> <opensslencrypted_changed_sources.cms><outlookencrypted.cms><opensslencrypted.cms><cacert.crt><bob@xxxxxxxxxxxx.p12><bob.pem><bob.cer><alice@xxxxxxxxxxxx.p12><alice.pem><alice.cer><Test.eml>
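The second message narrows the difference to one concrete byte pair: an explicit NULL parameter after the id-aesN-wrap OID inside the KeyWrapAlgorithm of the kari keyEncryptionAlgorithm (the earlier attempt had added a NULL to the originatorKey algorithm instead, which is a different field). The quickest way to test whether that is what Windows trips on is to re-encode an OpenSSL- or BouncyCastle-produced CMS with the NULL inserted and hand the result to Unprotect-CmsMessage. The Python script below is an added example, not code from the thread, OpenSSL or BouncyCastle: a small DER walker that finds every KeyWrapAlgorithm by its OID, reports whether its parameter is NULL or absent, and rewrites it either way, recomputing the length of every enclosing SEQUENCE and [n] tag on the way back out. It encodes only what the thread's dumps show; whether the patched file actually decrypts on Windows is the hypothesis to test, not something the example establishes. It expects definite-length DER (PEM input is base64-decoded first, and the thread's encrypt command, lacking -stream, should give definite lengths). The file name cms_wrap_null.py, the function names and the build_sample() input, which is a constructed fragment rather than a real CMS, are assumptions for illustration.

```python
"""Added example (not from the thread, OpenSSL or BouncyCastle): locate the
KeyWrapAlgorithm inside a CMS KeyAgreeRecipientInfo and report or rewrite its
parameter field (explicit NULL vs absent). Stdlib only, definite-length DER."""
import base64
import sys
from typing import List, Tuple

TAG_OID, TAG_NULL, TAG_SEQ = 0x06, 0x05, 0x30

# id-aesN-wrap OIDs, 2.16.840.1.101.3.4.1.{5,25,45} (RFC 3565), DER-encoded
AES128_WRAP_OID = bytes.fromhex("608648016503040105")
AES192_WRAP_OID = bytes.fromhex("608648016503040119")
AES256_WRAP_OID = bytes.fromhex("60864801650304012d")
AES_WRAP_OIDS = {AES128_WRAP_OID: "id-aes128-wrap",
                 AES192_WRAP_OID: "id-aes192-wrap",
                 AES256_WRAP_OID: "id-aes256-wrap"}
# dhSinglePass-stdDH-sha1kdf-scheme 1.3.133.16.840.63.0.2, used only by build_sample()
STDDH_SHA1KDF_OID = bytes.fromhex("2b81051086483f0002")

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one definite-length DER TLV at pos -> (tag, contents, next_pos)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not expected in CMS")
    first = buf[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length (streamed BER) not supported")
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[start:start + length], start + length

def encode_tlv(tag: int, contents: bytes) -> bytes:
    """DER TLV encoder with shortest-form definite length."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def children(contents: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed element into (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, c, pos = read_tlv(contents, pos)
        out.append((tag, c))
    return out

def is_wrap_algid(tag: int, contents: bytes) -> bool:
    """SEQUENCE { OID id-aesN-wrap [, params] }, i.e. the KeyWrapAlgorithm."""
    if tag != TAG_SEQ:
        return False
    kids = children(contents)
    return bool(kids) and kids[0][0] == TAG_OID and kids[0][1] in AES_WRAP_OIDS

def rewrite(der: bytes, want_null: bool) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Re-encode der so every KeyWrapAlgorithm has (want_null) or lacks an explicit
    NULL parameter; enclosing lengths are recomputed on the way back up.
    Returns (new_der, findings) with findings = [(wrap name, 'NULL' | 'absent')]."""
    findings: List[Tuple[str, str]] = []

    def walk(tag: int, contents: bytes) -> bytes:
        if is_wrap_algid(tag, contents):
            kids = children(contents)
            had_null = len(kids) > 1 and kids[1][0] == TAG_NULL
            findings.append((AES_WRAP_OIDS[kids[0][1]], "NULL" if had_null else "absent"))
            new_kids = [kids[0]] + ([(TAG_NULL, b"")] if want_null else [])
            new_kids += [k for k in kids[1:] if k[0] != TAG_NULL]  # anything else is kept
            return encode_tlv(tag, b"".join(encode_tlv(t, c) for t, c in new_kids))
        if tag & 0x20:  # constructed: recurse; primitive OCTET/BIT STRINGs are copied
            return encode_tlv(tag, b"".join(walk(t, c) for t, c in children(contents)))
        return encode_tlv(tag, contents)

    tag, contents, end = read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing bytes after the top-level ContentInfo")
    return walk(tag, contents), findings

def build_sample(with_null: bool) -> bytes:
    """Constructed test input (not a real CMS): the keyEncryptionAlgorithm from the
    thread's dumps, inside one extra SEQUENCE so length recomputation is exercised."""
    wrap = encode_tlv(TAG_OID, AES256_WRAP_OID) + (encode_tlv(TAG_NULL, b"") if with_null else b"")
    kea = encode_tlv(TAG_SEQ, encode_tlv(TAG_OID, STDDH_SHA1KDF_OID) + encode_tlv(TAG_SEQ, wrap))
    return encode_tlv(TAG_SEQ, kea)

def load(path: str) -> bytes:
    """Read a CMS file as DER; PEM is accepted since it is just base64 of the DER."""
    with open(path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data

if __name__ == "__main__":
    # usage: python cms_wrap_null.py <in.cms|in.der> <out.der> null|absent
    src, dst, mode = sys.argv[1:4]
    out, seen = rewrite(load(src), want_null=(mode == "null"))
    for name, form in seen:
        print(f"{name}: parameter was {form}")
    with open(dst, "wb") as f:
        f.write(out)
```

Run it as `python cms_wrap_null.py opensslencrypted.cms patched.der null`, confirm with `openssl cms -decrypt -inform DER -in patched.der -recip bob.pem` that OpenSSL still accepts the result (the thread shows OpenSSL decrypts the Windows output, which carries the NULL), and then try Unprotect-CmsMessage on patched.der. The reverse direction, `python cms_wrap_null.py outlookencrypted.cms stripped.der absent`, is the useful control: if the Windows-generated file stops decrypting on Windows once its NULL is removed, the NULL really is the discriminating byte; if both still fail or both still work, the difference lies elsewhere in the structure.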