If I generate a certificate with RSA key (i.e. 4096 bit) things works as expected but when I try to use a EC Key (prime256v1 256 bit) I see the following in logs: ---- 2019/07/30 17:08:09 system.crypto.ERROR OpenSSL error: Error creating PKCS#7 structure unable to write 'random state' 140699646637712:error:21082096:PKCS7 routines:PKCS7_RECIP_INFO_set:encryption not supported for this key type:pk7_lib.c:542: 140699646637712:error:21073078:PKCS7 routines:PKCS7_encrypt:error adding recipient:pk7_smime.c:499: [pid=14086|sid=Kq1K] 2019/07/30 17:08:09 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768 [pid=14086|sid=Kq1K] 2019/07/30 17:08:09 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_encrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768 [pid=14086|sid=Kq1K] ---
Is there a a official statement somewhere in OpenXPKI page that one should not use EC yet ? # openxpkiadm version Version (core): 2.5.5 # openssl version OpenSSL 1.0.1t 3 May 2016 # cat /etc/debian_version 8.11 I found this message in a forum from a long time ago (2016) which states: "The smime utility uses PKCS#7 which doesn't support anything other than RSAfor the enveloped data type. " Source: https://mta.openssl.org/pipermail/openssl-dev/2016-May/007241.html Does that mean I can forget to use EC for now ? If that is the case, I think it should be clear in documentation. If not, can someone help me to find out what am I missing ? Cheers, Jeff
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
