Does OpenSSL support ECC-based S/MIME as defined in RFC 5753? I was trying to create an encrypted S/MIME message using OpenSSL-1.0.2h, and got the following:
$ openssl smime -encrypt -aes128 -inform SMIME -in Cyph_Bot_test.eml
-outform SMIME -out Cyph_Bot_test.smime.eml -subject SMIME_ECC
~/Documents/Certs/me_mouse_yubi_9d_.pem
Error creating PKCS#7 structure
140735083847760:error:21082096:PKCS7
routines:PKCS7_RECIP_INFO_set:encryption not supported for this key
type:pk7_lib.c:542:
140735083847760:error:21073078:PKCS7 routines:PKCS7_encrypt:error adding
recipient:pk7_smime.c:503:
$ openssl version
OpenSSL 1.0.2h 3 May 2016
$
The problem seems to be related to this code in pk7_lib.c:
533: if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) {
534: PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
535: PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
536: goto err;
537: }
538:
539: ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_ENCRYPT,
0, p7i);
540: if (ret == -2) {
541: PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
542: PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
543: goto err;
544: }
Note: EC keys cannot “encrypt” - they can only “derive”.
--
Regards,
Uri Blumenthal
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
