OpenSSL CMS with ECDH EnvelopedData

I am playing with OpenSSL 1.0.2a, in particular its CMS support for ECC. As a test, I am doing a simple encryption and decryption. I included the RSA example as a well-established, known-good working example / sanity test. The ECC example does not work.

Any ideas? TIA.

./openssl version
OpenSSL 1.0.2a 19 Mar 2015

echo -n 12345678123456781234567812345678 > sess.txt # 32 byte plaintext

#RSA works
./openssl genrsa -out rsa.key 2048
./openssl req -x509 -new -key rsa.key -out rsa.crt
./openssl cms -encrypt -in sess.txt -out rsaencsess.bin -outform PEM rsa.crt
./openssl cms -decrypt -in rsaencsess.bin -out rsadecsess.txt -inform PEM -inkey rsa.key
#AOK.

#EC fails
./openssl ecparam -name prime192v1 -genkey -out ecc.key
./openssl req -x509 -new -key ecc.key -out ecc.crt
./openssl cms -encrypt -in sess.txt -out encsess.bin -outform PEM ecc.crt
./openssl cms -decrypt -in encsess.bin -out decsess.txt -inform PEM -inkey ecc.key
Error decrypting CMS structure
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
1 answer

Steve Henson of OpenSSL resolved this as follows: “RSA can decrypt without knowing the certificate, but currently EC cannot. Therefore, try including the -recip ecc.crt option when decrypting.”

Now it works:

./openssl ecparam -name prime192v1 -genkey -out ecc.key
./openssl req -x509 -new -key ecc.key -out ecc.crt
./openssl cms -encrypt -in sess.txt -out encsess.bin -outform PEM ecc.crt
./openssl cms -decrypt -in encsess.bin -out decsess.txt -inform PEM -inkey ecc.key -recip ecc.crt # NOTE "-recip ecc.crt" is currently required else it won't work!
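
A non-interactive version of the working EC round trip above, added here as an example (not part of the original post). It also prints the RecipientInfo type of the encrypted message, which is `kari` (key agreement) for an EC recipient and `ktri` (key transport) for an RSA one. Assumptions: `openssl` on PATH instead of `./openssl`, the function names, the `-subj` value, and `prime256v1` in place of `prime192v1`, which not every build ships.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes an `openssl` binary with CMS support on PATH.

# Print the RecipientInfo CHOICE of a PEM CMS file:
# "kari" = KeyAgreeRecipientInfo (EC/ECDH), "ktri" = KeyTransRecipientInfo (RSA).
cms_recipient_type() {
    openssl cms -cmsout -print -noout -inform PEM -in "$1" |
        sed -n 's/^ *d\.\([a-z]*ri\):.*/\1/p' | head -n 1
}

# Generate an EC key and self-signed certificate, encrypt the 32-byte test
# plaintext to it, decrypt with -recip, and compare. On success, prints the
# RecipientInfo type and returns 0; any failing step gives a non-zero status.
cms_ec_roundtrip() {
    d=$(mktemp -d) || return 1
    printf %s 12345678123456781234567812345678 > "$d/sess.txt"

    # prime256v1 and the subject name are choices made for this example.
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ecc.key" &&
    openssl req -x509 -new -key "$d/ecc.key" -subj "/CN=cms-test" \
        -out "$d/ecc.crt" &&
    openssl cms -encrypt -in "$d/sess.txt" -out "$d/encsess.bin" \
        -outform PEM "$d/ecc.crt" &&
    # -recip supplies the recipient certificate, as in the answer above.
    openssl cms -decrypt -in "$d/encsess.bin" -out "$d/decsess.txt" \
        -inform PEM -inkey "$d/ecc.key" -recip "$d/ecc.crt" &&
    cmp -s "$d/sess.txt" "$d/decsess.txt" &&
    cms_recipient_type "$d/encsess.bin"
    rc=$?

    rm -rf "$d"
    return $rc
}

cms_ec_roundtrip   # prints "kari" when the round trip succeeds
```

Running `cms_recipient_type rsaencsess.bin` on the RSA message from the question should print `ktri` instead.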