Hi,

> If I generate a certificate with an RSA key (i.e. 4096 bit) things work as
> expected, but when I try to use an EC key (prime256v1 256 bit) I see the
> following in the logs:
> ----
> 2019/07/30 17:08:09 system.crypto.ERROR OpenSSL error: Error creating PKCS#7 structure
> unable to write 'random state'
> 140699646637712:error:21082096:PKCS7 routines:PKCS7_RECIP_INFO_set:encryption not supported for this key type:pk7_lib.c:542:
> 140699646637712:error:21073078:PKCS7 routines:PKCS7_encrypt:error adding recipient:pk7_smime.c:499:
> [pid=14086|sid=Kq1K]
> 2019/07/30 17:08:09 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768
> [pid=14086|sid=Kq1K]
> 2019/07/30 17:08:09 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_encrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768
> [pid=14086|sid=Kq1K]
> ---
>
> Is there an official statement somewhere on the OpenXPKI page that one should
> not use EC yet?
>
> # openxpkiadm version
> Version (core): 2.5.5
>
> # openssl version
> OpenSSL 1.0.1t 3 May 2016
>
> # cat /etc/debian_version
> 8.11
>
> I found this message in a forum from a long time ago (2016) which states:
> "The smime utility uses PKCS#7 which doesn't support anything other than
> RSA for the enveloped data type."
>
> Source: https://mta.openssl.org/pipermail/openssl-dev/2016-May/007241.html
>
> Does that mean I can forget about using EC for now?
> If that is the case, I think it should be made clear in the documentation.
> If not, can someone help me find out what I am missing?
OpenXPKI does support the creation of EC certificates, but as the OpenSSL tool rightly complains, EC certificates cannot be directly used to encrypt data; they can normally only be used for digital signatures. The only way around this is to create static DH parameters and use these for encryption.

You did not mention what you did to produce this error, which would allow us to reproduce it or determine the cause of the problem. This does not look like you requested the certificate via the GUI; I suspect you used an enrollment interface? Could you please provide more details?

Best regards
Martin

_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
