PKCS#7 Enveloped-data (RFC 2630/3369/3852)
Hi there,

I need to encrypt some content in an Enveloped-data content type of the cryptographic message syntax defined in RFC 2630/3369/3852. Quoting the exact words from the DICOM specification:

...
The encoding is based on the Enveloped-data Content Type of the Cryptographic Message Syntax defined in RFC 2630.
...

I thought first of using xyssl / polarssl, but because of lack of knowledge in this field and the lack of a stronger xyssl community I am not making any progress. I then turned to OpenSSL (following advice on sci.crypt) but then again I am hitting a brick wall (*). I was then suggested NSS and in particular the cmsutil cmd line tool.

Before investing too much time in yet-another crypto library, could someone please let me know:

1. Is cmsutil the right tool for me?
2. In the longer term, I will need to decode files such as the one I sent on the openssl mailing list (**); does NSS support this kind of file?

Thanks *a lot* for your time,
-Mathieu

(*) http://www.mail-archive.com/openssl-us...@openssl.org/msg55369.html
(**) http://www.mail-archive.com/openssl-us...@openssl.org/msg56902.html

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Where is the man page for cmsutil ?
Hi there,

I am looking at the nss source code but I cannot find the man page for cmsutil. All I can find is an online reference:

http://www.mozilla.org/projects/security/pki/nss/tools/cmsutil.html

Did I miss anything?

Thanks.
cmsutil: failed to decode message.
Hi there,

I am trying to understand how to use cmsutil. Here is a self-contained shell script:

    DB=MM
    PASSWD=$DB/passwd.txt
    RS=$DB/rand.seed
    CANN=netauth.com
    # create the certificate database and a self-signed CA
    certutil -N -f $PASSWD -d $DB
    certutil -S -s "cn=netauth ca,dc=netauth,dc=com" -n $CANN \
      -f $PASSWD -z $RS -x -t "C,C,C" -d $DB
    # first user: certificate request, issue from the CA, add to the database
    certutil -R -7 j...@xxx -z $RS -f $PASSWD -o $DB/jimi.req -d $DB \
      -s "e=j...@xxx,cn=jimi hendrix,ou=people,dc=netauth,dc=com"
    certutil -C -i $DB/jimi.req -o $DB/jimi.crt -f $PASSWD -z $RS \
      -7 j...@xxx -c $CANN -d $DB
    certutil -A -n j...@xxx -f $PASSWD -t ",," -i $DB/jimi.crt -d $DB
    # second user: same three steps
    certutil -R -s "e=...@xxx,cn=tom jones,ou=people,dc=netauth,dc=com" \
      -7 t...@xxx -z $RS -f $PASSWD -o $DB/tom.req -d $DB
    certutil -C -i $DB/tom.req -o $DB/tom.crt -f $PASSWD -z $RS \
      -7 t...@xxx -c $CANN -d $DB
    certutil -A -n t...@xxx -f $PASSWD -t ",," -i $DB/tom.crt -d $DB
    # list what is in the database
    certutil -L -d $DB
    certutil -L -d $DB -n t...@xxx
    # envelope the file for the second user, then try to decode it
    cmsutil -E -r t...@xxx -i $DB/jimi.txt -d $DB -p foobar -o $DB/jimi.env
    cmsutil -v -D -d $DB -i $DB/jimi.env -p foobar

It fails with:

    received commands
    NSS has been initialized.
    Got default certdb
    Incorrect password/PIN entered.
    cmsutil: failed to decode message.
    cmsutil: problem decoding: Cannot decrypt: you are not a recipient, or matching certificate and private key not found.

Could someone please point me to the issue in my cmsutil -D command?

Thanks a bunch
Re: PKCS#7 Enveloped-data (RFC 2630/3369/3852)
Nelson,

On Thu, Apr 30, 2009 at 1:22 AM, Nelson B Bolyard wrote:
> Hi Mathieu,
> Welcome to dev-tech-crypto.
> You can expect replies here in 24-48 hours after you post.

Awfully sorry about that. I tried posting from groups.google.com, and after ~8h it was still not showing on the very same groups.google.com. So I tried the mailing list, but an error occurred when sending the first mail (reported by gmail.com) so I decided to post again...

>> ...
>> The encoding is based on the Enveloped-data Content Type of the
>> Cryptographic Message Syntax defined in RFC 2630.
>
> NSS's CMS library is the one used in Thunderbird's S/MIME implementation.
> That library and associated utility program claim conformance to RFC 2630.
> They do not claim conformance to the two newer RFCs you cited, 3369 & 3852.

Ok. Now I know :)

>> Before investing too much time in yet-another crypto library, could
>> someone please let me know:
>>
>> 1. Is cmsutil the right tool for me ?
>
> That depends on your requirements and objectives. If your requirements
> can be satisfied with the features of RFC 2630, then the answer may be
> yes, but if you require features not found in RFC 2630 but only found in
> the later RFCs you cited, then at this time the answer is no.

ok.

>> 2. In the longer term, I will need to decode file such as the one I
>> sent on openssl mailing list (**), does NSS support this kind of file ?
>> (**) http://www.mail-archive.com/openssl-us...@openssl.org/msg56902.html
>
> The file shown there uses Password Based Encryption features of RFC 3369
> and RFC 3211, which are not supported by NSS at this time. (BTW, RFC 3211
> wasn't in your list.)
>
> NSS 3.12 offers the low level PBKDF2 functions, but that support has not
> been integrated into NSS's CMS library, libSMIME, AFAIK.
>
> (Bob, feel free to correct me if I'm mistaken about that)
>
> If you absolutely must have password-based encryption of S/MIME messages,
> then NSS cannot help you at this time. But if you are able to use public
> keys for key transport, as provided in RFC 2630, then NSS can help you.

This is not an issue in the short term for me. But in the longer term this is something I'll be looking for. Hopefully with some help to get me started I might be able to contribute this back to NSS. From the OpenSSL post it looks like this is not easy to add there, so my best bet would be NSS.

Thanks,
--
Mathieu
Re: PKCS#7 Enveloped-data (RFC 2630/3369/3852)
2009/4/30 Robert Relyea:
> Nelson B Bolyard wrote:
>>>
>>> 2. In the longer term, I will need to decode file such as the one I
>>> sent on openssl mailing list (**), does NSS support this kind of file ?
>>> (**) http://www.mail-archive.com/openssl-us...@openssl.org/msg56902.html
>>>
>>
>> The file shown there uses Password Based Encryption features of RFC 3369
>> and RFC 3211, which are not supported by NSS at this time. (BTW, RFC 3211
>> wasn't in your list.)
>>
>> NSS 3.12 offers the low level PBKDF2 functions, but that support has not
>> been integrated into NSS's CMS library, libSMIME, AFAIK.
>>
>> (Bob, feel free to correct me if I'm mistaken about that)
>>
>
> The PBE support in the cms library is incomplete. It is missing the
> following:
>
> 1) The PBE recipient info oid would have to be added to cmsrecinfo.c, along
> with some way of passing in the password. (actually the only need would be
> to generate a fake key and add the password, CMS will already handle PBE
> encrypted blocks properly if the password can be supplied).
>
> 2) Probably some interface changes to allow that password to be set (maybe
> as simple as setting it on the appropriate cms_info structure). If full PKCS
> 5v2 is needed on the creation side, there will need to be a new interface
> for that (decrypt is already handled properly).
>
> 3) Testing.
>
> Short answer cmsutil certainly won't decrypt PBE encrypted data without some
> extra work.
> This work would certainly be accepted, if done properly (probably means a
> callback to get the password, which would allow thunderbird to automatically
> start handling PBE data).

A long week end is coming, I'll try to see if this is an easy -for me- feature to add.

Thanks,
--
Mathieu
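
The replies above turn on which kind of RecipientInfo an enveloped-data message carries: public-key transport as in RFC 2630, or the password-based form from RFC 3211/3369. As an added example (not part of the thread and not NSS code), the following Python lists the RecipientInfo kinds in a DER-encoded message by their ASN.1 tags. The names `read_tlv`, `recipient_kinds`, `tlv` and `sample` are hypothetical, and the sample messages are constructed skeletons with placeholder recipient bodies.

```python
# Added example, not NSS code: name the RecipientInfo kinds in DER enveloped-data.
ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # OID 1.2.840.113549.1.7.3
KINDS = {0x30: "ktri",                 # KeyTransRecipientInfo (public-key transport)
         0xA1: "kari", 0xA2: "kekri",  # [1] key agreement, [2] key-encryption key
         0xA3: "pwri", 0xA4: "ori"}    # [3] password (RFC 3211/3369), [4] other

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite (BER) or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, pos, pos + length

def recipient_kinds(der):
    """Walk ContentInfo -> EnvelopedData -> recipientInfos and name each entry."""
    tag, start, _ = read_tlv(der, 0)                   # ContentInfo SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, start)
    if tag != 0x30 or oid_tag != 0x06 or der[oid_start:oid_end] != ENVELOPED_DATA:
        raise ValueError("not a CMS enveloped-data ContentInfo")
    _, start, _ = read_tlv(der, oid_end)               # [0] EXPLICIT content
    _, start, _ = read_tlv(der, start)                 # EnvelopedData SEQUENCE
    _, _, pos = read_tlv(der, start)                   # version INTEGER
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                                    # optional originatorInfo
        tag, start, end = read_tlv(der, end)
    if tag != 0x31:
        raise ValueError("recipientInfos SET not found")
    kinds = []
    while start < end:
        tag, _, start = read_tlv(der, start)
        kinds.append(KINDS.get(tag, "unknown(0x%02x)" % tag))
    return kinds

def tlv(tag, value):  # short-form encoder, used only to build the constructed samples
    return bytes([tag, len(value)]) + value

def sample(*recipient_tags):
    """Constructed skeleton: real outer structure, placeholder recipient bodies."""
    infos = b"".join(tlv(t, tlv(0x02, b"\x00")) for t in recipient_tags)
    eci = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))  # id-data
    env = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, infos) + eci)
    return tlv(0x30, tlv(0x06, ENVELOPED_DATA) + tlv(0xA0, env))
```

A result containing `pwri` marks a message that needs the password-based support described in the thread as missing from NSS's CMS library; a result of only `ktri` is the RFC 2630 key-transport case.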