> From: owner-openssl-us...@openssl.org On Behalf Of Claudiu Stanciu
> Sent: Saturday, 11 June, 2011 12:32
Aside: not sure what this delay is. Headers (on my copy, going up)
show originate yahoo near 06-11 09:32 -7 = 16:32Z and (consistent)
Received by master.openssl.org 06-11 18:34 +2, then X-Greylist
delayed 145 seconds, then Received 06-14 10:10 +2 repeated 3 times
(with Delivered-to the listname twice), and then to my mailhost
06-14 04:14 -4 (consistent). Weird. (My Outlook is in -4 and
displays and quotes as 12:32 without zone. Yeah, lame.)
> Need some help again. I'm doing the decryption now. Done almost
> everything, but have a question related to the public key of the
recipient.
> So i encrypted a text into PKCS7 enveloped data. Now, I am
> reading from that structure the symmetric key IV and the encrypted
> data with the symmetric key.
> How do I read the Public Key of the recipient and his
> encrypted symmetric key?
Recipient doesn't use publickey, it uses privatekey. It can
use the cert (containing publickey) to *identify* the keypair.
> I tryed the following, but not sure is the right way. I load
> the serial number of the recipient from his certificate, and
> started comparing it with does from the PKCS7 file, using the
> stack sk_PKCS7_RECIP_INFO. If i find the serial, then i copy
To be exact, I hope you mean the recipientinfo field of a
PKCS7_ENVELOPE struct, probably the envelope choice in PKCS7
union, using the sk_PKCS7_RECIP_INFO_* routines.
Given the (traditional) issuer-serial choice is used,
you should compare both issuer and serial. Serial by itself
is not reliably unique. Unless you are in an environment
where there is only one (acceptable) issuer, such as perhaps
within certain government agencies.
See PKCS7_dataDecode and related in crypto/pkcs7/pk7_doit.c
(but skip the signed parts, and you don't need to go through
a BIO_f_cipher to do symmetric decrypt if you don't want to).
> the symmetric encrypted file from the stack. Big question now
Presumably you mean the enc_key field of the stack *element*
(i.e. the/a RECIP_INFO struct). *For key transfer like RSA*
that is the DEK encrypted under the recipient publickey.
To decrypt it, you need the recipient *privatekey* matching
the publickey in the cert, which was used by the encrypter.
*For openssl using (default) PEM format* you can store the
privatekey in the same file as the cert (and/or publickey)
and some people do. Or you can store them in separate files,
linked somehow (maybe an index). Or you can store them in
a PKCS12. Or any other method of your own, like a database.
> because I didn't understood the structure of the PKCS7.
> The Public Key of the recipient is loaded from his certificate
> or from the PKCS7 structure? Because I don't see it in the PKCS7
> file and when i tryed to open it, i receive an error that it doesn't
> have a good format. <snip>
A PKCS7 is neither a publickey nor a privatekey. It is a PKCS7.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
