Re: CMS in openssl

A few corrections:

OpenSSL included CMS (RFC3369) support since 1.0.0 (see the CHANGES file), though for a long time, there was an arbitrary disconnect between functions named CMS and functions named PKCS#7 even though it should have been a continuum.

The PKCS#7 and CMS standards equally and fully support any non-interactive algorithm that has been assigned an OID, from RSA+MD2+DES to HSS/LSS+STREEBOG+CAMELLIA, no artificial version dependencies like in the OpenSSL interpretation of TLS.

On 2020-04-22 03:46, Michael Richardson wrote:
Michael Mueller <abaci.mjm@xxxxxxxxx> wrote:
     > We've implemented what I gather can be called a CMS on Linux and Windows
     > using openssl evp functions.

I'm not sure why you say it this way.
OpenSSL includes CMS (RFC3369) support, but I think not until 1.1.0.
Did you implement RFC3369, or something else?

You don't say if this is email or something else.

     > We need to expand this CMS to other systems, on which we have not been able
     > to build openssl. These other systems have a vendor supplied security
     > application. This application supports PKCS7.

     > We are being asked if our evp CMS is interoperable with PKCS7.

CMS (RFC3369/2630) is an upward revision to PKCS7 (RFC2315) 1.5.
CMS can read PKCS7 messages, but the converse is not true.

I think it is possible to configure the CMS routines to produce PKCS7
messages, but I didn't do this in my RFC8366 support. I just forklift
upgraded to CMS.

     > If it is possible and more information is required to answer this question,
     > I'll provide such information.

     > If not, advice on how to present that argument to management would be
     > appreciated.

You will understand them, but they won't understand you.

You may be able to configure your end to generate PKCS7 easily, and it may
have little effect.  This might degenerate into just using PKCS7 everywhere.

The major difference is the eContentType that is lacking in PKCS7.
And algorithms: I think that there are few modern algorithms defined for PKCS7.

You could easily run in PKCS7 mode until you receive a CMS message from the
peer, and then upgrade to CMS.  But this winds up in a bid-down attack if
both parties run this algorithm, so you'd want to insert some extension that
said: "I can do CMS" into your PKCS7 messages.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



