On Wed, Aug 04, 2010, Harakiri wrote:

> Problem: Outlook 2010 violates the CMS RFC: it sets the SubjectKeyIdentifier in
> an S/MIME encrypted message, even though the X.509 certificate used to encrypt
> this message does not have this extension set. Outlook synthesizes this value
> somehow. When trying to decrypt the message with the private key, OpenSSL
> refuses to decrypt because the sanity check (does any recipient ID of this
> private key match this encrypted message?) fails.
>
> Solution: Disable the recipient check when I manually assign the private
> key - just use it to decrypt the message.
>
> See https://bugzilla.mozilla.org/show_bug.cgi?id=559243
>
> The same applies for the smime command. This issue made no sense to me -
> when you reissue a key from a CA (using the same private key) you are unable
> to decrypt messages encrypted to the old X.509 public key because OpenSSL
> refuses to decrypt, because it cannot find the recip - of course it cannot
> find the ID because the new X.509 cert has a new recip ID - however the
> private key is unchanged so it is still possible to decrypt the message.
In that latter case it would work if you used the old certificate. The smime command uses PKCS#7, which only includes an issuer and serial number ID, so a new certificate with the same key would get a new serial number and there would be a mismatch.

If you don't supply the certificate to the cms or smime command it doesn't attempt to check and it should try the private key against any possible recipients. Ah, I notice that this is undocumented...

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org