Re: openssl cms -encrypt error: error setting recipientinfo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At least one problem I can see with your EC certificate is wrong Key Usage. For EC it should be "Key Agreement".

I'd not use the same cert for signing and encrypting. If you do, then add Signature and Non-Repudiation (but I've never done that).
--
Regards,
Uri
 
There are two ways to design a system. One is to make is so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                     -  C. A. R. Hoare
 

On 5/5/21, 22:07, "openssl-users on behalf of Ted Wynnychenko" <openssl-users-bounces@xxxxxxxxxxx on behalf of ted.m.w@xxxxxxxxxxx> wrote:

    Hello


    I recently decided to change from RSA to EC keys/certs.
    I do this primarily as a learning exercise (there is no real corporate or
    professional demand to have this working).
    I am running OpenBSD current (6.9) from about 1 month ago.


    Previously, I have been using "openssl smime" to sign and encrypt emails.

    Now that I am migrating to EC keys/certificates, I need to switch to
    "openssl cms".

    However, I am unable to encrypt using the EC certificate.

    When I use:
    (I am going to obfuscate the emails in plain text, although I understand
    there will be some encoded in the public key that follows.)

    cat text.in | /usr/bin/openssl cms -encrypt -from 'User <user@xxxxxxxxxxx>'
    -to 'Admin <admin@xxxxxxxxxxx>' -subject "Test Email" -aes256 encryption.pem
    > encrypted.out

    with the old RSA certificate, everything works as expected.

    But, when I replace the RSA cert with the EC certificate, it does not.
    Instead, I see:

    15724089243112:error:2EFFF06F:CMS routines:CRYPTO_internal:ctrl
    failure:/usr/src/lib/libcrypto/cms/cms_env.c:124:
    15724089243112:error:2EFFF074:CMS routines:CRYPTO_internal:error setting
    recipientinfo:/usr/src/lib/libcrypto/cms/cms_env.c:944:
    15724089243112:error:2EFFF068:CMS routines:CRYPTO_internal:cms
    lib:/usr/src/lib/libcrypto/cms/cms_smime.c:850:

    And the output file is zero size.
    The "-to" email address used is encoded as a SAN email in the EC
    certificate.

    I tried a more basic command:

    openssl cms -encrypt -in text.in -out encrypted.out -recip encryption.pem

    Works with RSA certificate, same error with EC certificate.

    I also tried (not really understanding, but it is in the man page example):

    openssl cms -encrypt -in text.in -out encrypted.out -recip encryption.pem
    -keyopt ecdh_kdf_md:sha256

    and got the same error.

    I am not sure what this error means, or how to address it.

    I was wondering if I needed to add the email to the certificate's DN, but
    since (I understand) emails in the DN are depreciated, and the email is
    included as a SAN, that seems unlikely.

    Any suggestions would be great.

    I have pasted the output from, "openssl x509 -in encryption.pem -noout
    -text" below.
    As I said, the plain text has been altered, but the public key is unchanged.

    Thanks

    Ted


    $ openssl x509 -in encryption.pem -noout -text

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 25 (0x19)
        Signature Algorithm: ecdsa-with-SHA384
            Issuer: C=US, ST=State, L=Town, O=Example, OU=Home, CN=example.com
            Validity
                Not Before: Jan  2 00:00:00 2019 GMT
                Not After : Apr 17 13:57:06 2051 GMT
            Subject: C=US, ST=State, L=Town, O=Example, OU=Home,
    CN=admin.example.com
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (384 bit)
                    pub:
                        04:80:34:1b:cf:63:94:33:47:37:39:42:89:cd:80:
                        86:44:2f:df:5f:e2:cb:3f:1b:08:3b:2c:c8:20:ec:
                        4e:68:2a:ac:1d:ba:7b:09:3d:78:84:cc:e5:7c:f1:
                        5f:3c:36:c1:89:c1:8d:95:dc:ec:dd:7c:18:e9:58:
                        a2:83:bc:f9:db:82:cc:c3:fe:17:87:e3:52:78:70:
                        3b:2a:9e:ca:44:f6:f0:ff:42:82:8b:5a:51:9f:94:
                        63:4b:ef:08:d1:53:37
                    ASN1 OID: secp384r1
                    NIST CURVE: P-384
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    C6:1E:C2:DD:D2:89:2A:64:58:F2:94:1F:EB:80:CA:AC:3C:9B:43:DC
                X509v3 CRL Distribution Points:

                    Full Name:
                      URI:https://crl.example.com/example.ca.crl
                    CRL Issuer:
                      DirName: C = US, O = Example, CN = example.com

                Authority Information Access:
                    OCSP - URI:http://ocsp.example.com:2560

                X509v3 Issuer Alternative Name:
                    DNS:example.com, email:admin@xxxxxxxxxxx
                X509v3 Authority Key Identifier:

    keyid:74:87:C7:29:8F:E5:8F:79:00:9F:95:52:69:F8:CA:57:A6:84:4C:9E

    DirName:/C=US/ST=Illinois/L=Winnetka/O=Wynnychenko/OU=Home/CN=wynnychenko.co
    m
                    serial:B0:99:14:14:0B:6D:33:21

                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data
    Encipherment
                X509v3 Extended Key Usage:
                    E-mail Protection
                X509v3 Subject Alternative Name:
                    email:admin@xxxxxxxxxxx
        Signature Algorithm: ecdsa-with-SHA384
             30:65:02:31:00:94:1c:9e:ce:f2:0f:9f:b4:65:18:6d:7d:e4:
             be:01:19:0e:05:02:02:f6:83:84:88:11:0a:39:69:39:2a:7a:
             af:64:dd:4d:d0:57:dd:e3:db:8f:02:0a:8a:1b:27:8a:80:02:
             30:44:65:8c:36:be:7a:c6:27:cf:6d:3d:9c:42:d1:72:93:a5:
             df:21:c9:c0:58:64:c3:6e:d7:7c:30:13:da:10:7d:b9:e6:5d:
             d6:1c:89:e0:d5:eb:ba:03:d8:76:22:17:18


Attachment: smime.p7s
Description: S/MIME cryptographic signature


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux