Hello,

when generating a CMS with OpenSSL 1.1.1d or OpenSSL 1.0.2g using only ECC 
keys, Windows 10 is unable to decrypt the CMS.
All passwords for the keys are "test".

Encrypting:

openssl cms -encrypt -outform PEM -recip bob.pem -in Test.eml -out opensslencrypted.cms -aes256 -aes128-wrap

Decryption on Windows 10 (with installed Keys in Store):

Unprotect-CmsMessage -Path .\opensslencrypted.cms

Unprotect-CmsMessage : Die Daten sind unzulässig.
In Zeile:1 Zeichen:1
+ Unprotect-CmsMessage -Path .\opensslencrypted.cms
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Unprotect-CmsMessage], CryptographicException
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.UnprotectCmsMessageCommand


The file outlookencrypted.cms contains a CMS with ECC keys generated on Windows 
10. It's decryptable by Windows and OpenSSL.

Inspecting the Windows- and OpenSSL-generated CMS, they both look ok. The only 
difference I have seen in the CMS -print output is that the parameter is absent in the 
OpenSSL-generated CMS and NULL in the Windows-generated one:

OpenSSL, openssl cms -in opensslencrypted.cms -cmsout -print -inform PEM:

    recipientInfos:
      d.kari:
        version: 3
        d.originatorKey:
          algorithm:
            algorithm: id-ecPublicKey (1.2.840.10045.2.1)
            parameter: <ABSENT>
          publicKey:  (0 unused bits)

Windows generated, openssl cms -in outlookencrypted.cms -cmsout -print -inform PEM:

    recipientInfos:
      d.kari:
        version: 3
        d.originatorKey:
          algorithm:
            algorithm: id-ecPublicKey (1.2.840.10045.2.1)
            parameter: NULL
          publicKey:  (0 unused bits)

I have changed the OpenSSL sources to include "parameter: NULL" in CMS 
generation, but that makes no difference. The CMS with changed sources is 
decryptable by OpenSSL, but not on Windows:

openssl cms -decrypt -in opensslencrypted_changed_sources.cms -inform PEM -recip bob.pem

I have attached all keys and output.

Anything I am missing here?


Meik


Attachment: opensslencrypted_changed_sources.cms
Description: Binary data

Attachment: outlookencrypted.cms
Description: Binary data

Attachment: opensslencrypted.cms
Description: Binary data

Attachment: cacert.crt
Description: application/x509-ca-cert

Attachment: bob@external.com.p12
Description: application/pkcs12

Attachment: bob.pem
Description: application/x509-ca-cert

Attachment: bob.cer
Description: application/x509-ca-cert

Attachment: alice@internal.com.p12
Description: application/pkcs12

Attachment: alice.pem
Description: application/x509-ca-cert

Attachment: alice.cer
Description: application/x509-ca-cert

--- Begin Message ---
Testmail


--- End Message ---
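As an added example, not part of Meik's message or of OpenSSL: a small Python DER walker that reports how the parameters field of an AlgorithmIdentifier is encoded, so the absent-vs-NULL difference seen in the -print output above can be checked directly on the bytes of an originatorKey. The two inputs are constructed from the id-ecPublicKey OID shown above, not taken from the attachments.

```python
# Added example: decode a DER AlgorithmIdentifier and classify its parameters
# field (absent / NULL / namedCurve OID), the one difference the post observed
# between the OpenSSL- and Windows-generated originatorKey.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OID content octets into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def describe_algorithm_identifier(der):
    """Return (algorithm OID, parameters description) for a DER AlgorithmIdentifier."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    if pos >= len(seq):
        return oid, "absent"                # what OpenSSL emits (parameter: <ABSENT>)
    tag, param, _ = _read_tlv(seq, pos)
    if tag == 0x05:
        return oid, "NULL"                  # what Windows emits (parameter: NULL)
    if tag == 0x06:
        return oid, "namedCurve " + _decode_oid(param)
    return oid, "tag 0x%02x" % tag

# Constructed inputs mirroring the two -print outputs (not the attached files).
ID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1
OPENSSL_ALG = b"\x30\x09" + ID_EC_PUBLIC_KEY                  # parameters absent
WINDOWS_ALG = b"\x30\x0b" + ID_EC_PUBLIC_KEY + b"\x05\x00"    # parameters NULL
```

Feed it the DER of the originatorKey algorithm field (for example extracted with `openssl asn1parse -strparse`) to see which of the two encodings a given CMS actually carries.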