Hi,
On 30.07.19 at 17:37, Martin Bartosch wrote:
Hi,
If I generate a certificate with an RSA key (i.e. 4096 bit) things work as
expected, but when I try to use an EC key (prime256v1, 256 bit) I see the
following in the logs:
----
2019/07/30 17:08:09 system.crypto.ERROR OpenSSL error: Error creating PKCS#7
structure
unable to write 'random state'
140699646637712:error:21082096:PKCS7 routines:PKCS7_RECIP_INFO_set:encryption
not supported for this key type:pk7_lib.c:542:
140699646637712:error:21073078:PKCS7 routines:PKCS7_encrypt:error adding
recipient:pk7_smime.c:499:
[pid=14086|sid=Kq1K]
2019/07/30 17:08:09 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
__EXIT_STATUS__ => 768 [pid=14086|sid=Kq1K]
2019/07/30 17:08:09 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
__COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_encrypt, __ERRVAL__
=> I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768
[pid=14086|sid=Kq1K]
---
Is there an official statement somewhere on the OpenXPKI page that one should not
use EC yet?
# openxpkiadm version
Version (core): 2.5.5
# openssl version
OpenSSL 1.0.1t 3 May 2016
# cat /etc/debian_version
8.11
I found this message in a forum from a long time ago (2016) which states:
"The smime utility uses PKCS#7 which doesn't support anything other than RSA for the
enveloped data type."
Source: https://mta.openssl.org/pipermail/openssl-dev/2016-May/007241.html
Does that mean I can forget about using EC for now?
If that is the case, I think it should be made clear in the documentation.
If not, can someone help me find out what I am missing?
OpenXPKI does support creation of EC certificates, but as the OpenSSL tool
rightly complains, EC certificates cannot be directly used to encrypt data;
they can normally only be used for digital signatures. The only way around this is
to create static DH parameters and use these for encryption.
You did not mention what you did to produce this error, which would allow us to
reproduce it or determine the cause of the problem. This does not look
like you requested the certificate via the GUI; I suspect you used an
enrollment interface? Could you please provide more details?
Martin, I think this is our recently discussed "token online" check - we
really need to refactor that :(
Jeff, for the background: Some time ago we needed a "is token working"
check which was implemented by doing a pkcs7 encrypt/decrypt operation
which correctly fails with EC keys.
See https://sourceforge.net/p/openxpki/mailman/message/36708777/
I will try to get a fix for that ASAP.
Oliver
--
Protect your environment - close windows and adopt a penguin!
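The failure Oliver describes (a "token online" probe built on PKCS#7 encrypt/decrypt, which cannot work with an EC key) can be reproduced with the OpenSSL CLI, and a probe that works for both key types shown next to it. The following script is an added example, not OpenXPKI code and not its actual token check; it assumes a modern openssl binary (1.1.1 or 3.x) on PATH, generates throwaway self-signed certificates, and the function names, temporary files and sample message are my own.

```sh
#!/bin/sh
# Added example, not OpenXPKI code: reproduce the PKCS#7 "encryption not
# supported for this key type" failure with an EC key, and show a token
# liveness probe (sign/verify) that works for RSA and EC keys alike.
# Assumes a modern openssl binary (1.1.1 or 3.x) on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Constructed sample payload standing in for the probe message.
printf 'openxpki token check %s\n' "$$" > "$WORK/msg"

# Throwaway self-signed certificates: one RSA, one prime256v1 (as in the report).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rsa.key" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
for name in rsa ec; do
    openssl req -x509 -new -key "$WORK/$name.key" -days 1 -subj "/CN=$name-test" \
        -config "$WORK/req.cnf" -out "$WORK/$name.crt" 2>/dev/null
done

# The old-style "token online" check: PKCS#7 encrypt to the cert, decrypt with the key.
# Returns 0 when the round trip succeeds, 1 otherwise. For the EC cert the encrypt
# step already fails (PKCS7_RECIP_INFO_set only knows RSA key transport).
pkcs7_roundtrip() {
    name=$1
    if openssl smime -encrypt -aes256 -binary -outform DER -in "$WORK/msg" \
           -out "$WORK/$name.p7m" "$WORK/$name.crt" 2>/dev/null &&
       openssl smime -decrypt -inform DER -in "$WORK/$name.p7m" \
           -inkey "$WORK/$name.key" -recip "$WORK/$name.crt" -out "$WORK/$name.dec" 2>/dev/null &&
       cmp -s "$WORK/msg" "$WORK/$name.dec"; then
        return 0
    fi
    return 1
}

# Key-type-independent probe: PKCS#7 sign with the key, verify against the cert.
# -noverify skips chain validation on purpose; the question is only "can this
# key produce a valid signature right now", which is what a token check needs.
sign_verify() {
    name=$1
    if openssl smime -sign -binary -nodetach -outform DER -in "$WORK/msg" \
           -signer "$WORK/$name.crt" -inkey "$WORK/$name.key" -out "$WORK/$name.p7s" 2>/dev/null &&
       openssl smime -verify -inform DER -in "$WORK/$name.p7s" -noverify \
           -out /dev/null 2>/dev/null; then
        return 0
    fi
    return 1
}

# Map a probe's exit status to a word so results can be compared as strings.
probe_result() {
    if "$@"; then echo ok; else echo fail; fi
}

for name in rsa ec; do
    printf '%-3s  pkcs7 encrypt/decrypt: %-4s  sign/verify: %s\n' "$name" \
        "$(probe_result pkcs7_roundtrip "$name")" "$(probe_result sign_verify "$name")"
done
```

Run as-is, the rsa row reports ok for both probes and the ec row reports fail for the PKCS#7 round trip and ok for sign/verify. A probe based on a signature operation therefore exercises the private key on the token without depending on the key type; note that the OpenSSL S/MIME utility's encrypt path is the RSA-only part, not the token itself.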
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users