I'm looking using OpenSSL to realize "The CMS [...] allows multiple
encapsulations; one encapsulation envelope can be nested inside another."
from RFC5652. In particular it's the objective to have an 'enveloped-data'
encapsulating (encrypted) 'digested-data' (encapsulating 'data').
Am I right that this is currently nog possible using 'openssl cms'?
Considering the current approach in 'openssl cms' an approach somewhat
similar to S/MIME seems practical:
1. openssl cms -in file.in -binary -digest_create -md sha256 -outform DER
-out file.out1
2. openssl cms -in file.out1 -binary -incms -inform DER -encrypt -aes128
-secretkey 01020304050607080102030405060708 -secretkeyid 01 -outform DER
-out file.out2 (-incms would be indicating it is not 'data' as is now the
default)
3. openssl cms -in file.out2 -inform DER -decrypt -aes128 -secretkey
01020304050607080102030405060708 -out file.out3
4. openssl cms -in file.out3 -inform DER -digest_verify -out file.out
The issues are with step 2 and 3 as there seem to be only functions
available to operate on whole cms (ContentInfo) structures?
* how to get an encoded version of just the ContentInfo.content
sub-structure? Is there an appropriate i2d_* function to apply e.g. on
cms->d.digestedData?
* how to create a new cms (ContentInfo) structure using the eContentType
(easy) and (decrypted) encapsulated encoded Content sub-structure? Is there
an appropriate d2i_* function to apply to the encoded Content data?
Any suggestions on how to achieve this functionality?
Kind regards,
Paul
Example file.out2:
CMS_ContentInfo:
contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
d.envelopedData:
version: <ABSENT>
originatorInfo: <ABSENT>
recipientInfos:
d.kekri:
version: 4
kekid:
keyIdentifier:
0000 - 01 .
date: <ABSENT>
other: <ABSENT>
keyEncryptionAlgorithm:
algorithm: id-aes128-wrap (2.16.840.1.101.3.4.1.5)
parameter: <ABSENT>
encryptedKey:
0000 - c3 b4 8b cc 4d 09 4b 36-34 8b 7b 48 73 1c 40
....M.K64.{Hs.@
000f - 68 a3 1e 56 0c 63 9c ec-ff h..V.c...
encryptedContentInfo:
contentType: pkcs7-digestData (1.2.840.113549.1.7.5)
contentEncryptionAlgorithm:
algorithm: aes-128-cbc (2.16.840.1.101.3.4.1.2)
parameter: OCTET STRING:
0000 - 4d 70 ed bd 7f c7 15 e2-65 15 c9 da cc b0 32
Mp......e.....2
000f - 1a .
encryptedContent:
0000 - a8 0b c4 73 33 a7 ef 19-cd f2 72 53 7d d6 16
...s3.....rS}..
000f - 1d 1f 7b 61 a1 5b 21 4d-be ec f9 7b 2c 07 00
..{a.[!M...{,..
001e - 8a d0 56 ba 3a bb 16 dd-e0 ab db 1b f0 af 99
..V.:..........
002d - 28 47 f8 8f 79 08 91 f9-e7 6e ef 33 04 de e5
(G..y....n.3...
003c - e6 96 47 b8 67 3b 6f f2-a4 86 59 55 82 45 62
..G.g;o...YU.Eb
004b - 7c 31 fb 51 74 25 26 74-c8 ff 0c 52 bb 4c ff
|1.Qt%&t...R.L.
005a - de 17 70 8b 38 36 a0 e1-a8 fe 64 9b 52 3a 34
..p.86....d.R:4
0069 - c8 60 f1 68 7c c6 a6 .`.h|..
unprotectedAttrs:
<EMPTY>
