我正在尝试使用ECDH密钥实施CMS加密。参考openssl CMS with ECDH EnvelopedData命令行完美无缺,但我的程序发出错误 -
Error Encrypting Data
140508524291744:error:2E06507D:CMS routines:CMS_add1_recipient_cert:not supported for this key type:cms_env.c:210:
在下面的代码中,使用openssl CMS with ECDH EnvelopedData
中的步骤创建了recip.pem#include <stdio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/cms.h>
int main (int argc, char **argv)
{
CMS_ContentInfo *cms1 = NULL;
BIO *in = NULL, *out = NULL, *tbio = NULL;
X509 *rcert = NULL;
int ret = 1;
int flags = CMS_STREAM;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
tbio = BIO_new_file("recip.pem", "r");
if (!tbio)
goto err;
rcert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
if (!rcert)
goto err;
in = BIO_new_file("encr.txt", "r");
flags |= CMS_PARTIAL;
cms1 = CMS_encrypt(NULL, in, EVP_des_ede3_cbc(), flags);
CMS_RecipientInfo *ri;
ri = CMS_add1_recipient_cert(cms1, rcert, flags);
if (!ri)
goto err;
if(!CMS_final(cms1, in, NULL, flags))
goto err;
if (!cms1)
goto err;
out = BIO_new_file("cms1.pem", "w");
if(!out)
goto err;
if(!PEM_write_bio_CMS_stream(out, cms1, in, flags))
goto err;
ret = 0;
err:
if (ret) {
fprintf(stderr, "Error Encrypting Data\n");
ERR_print_errors_fp(stderr);
}
if (cms1)
CMS_ContentInfo_free(cms1);
if (rcert)
X509_free(rcert);
if (in)
BIO_free(in);
if (out)
BIO_free(out);
if (tbio)
BIO_free(tbio);
return ret;
}
文档声明ECC键不受支持但命令行cms app能够顺利完成。我通过cms应用程序,但我无法弄清楚我在做什么不同。还尝试了demos文件夹中的cms_enc.c,但也没有处理ecc键。
我对我的计划的期望是
> openssl cms -encrypt -aes256 -in "x.txt" -out "y.bin" -outformat PEM ecc.crt
> openssl asn1parse -dump -in "y.bin"
0:d=0 hl=4 l= 855 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-envelopedData
15:d=1 hl=4 l= 840 cons: cont [ 0 ]
19:d=2 hl=4 l= 836 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :02
26:d=3 hl=4 l= 379 cons: SET
30:d=4 hl=4 l= 375 cons: cont [ 1 ]
34:d=5 hl=2 l= 1 prim: INTEGER :03
37:d=5 hl=3 l= 151 cons: cont [ 0 ]
40:d=6 hl=3 l= 148 cons: cont [ 1 ]
43:d=7 hl=2 l= 9 cons: SEQUENCE
45:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
54:d=7 hl=3 l= 134 prim: BIT STRING
0000 - 00 04 00 3e 4c 80 5b bb-10 ff 83 30 33 1f 44 ab ...>L.[....03.D.
0010 - ad 2c a2 9d a9 5a 19 5f-8e 5a dc 30 a2 4d f5 19 .,...Z._.Z.0.M..
0020 - 51 49 e6 cb ff 63 08 e7-87 e8 d3 66 60 f5 0f 67 QI...c.....f`..g
0030 - c1 94 3a aa b9 88 3c 7c-5c cd 5a cd 4e f2 5f ba ..:...<|\.Z.N._.
0040 - 15 05 0d bc 01 be 6c 2c-32 fd b1 3d d1 d1 52 f8 ......l,2..=..R.
0050 - e0 43 a5 03 25 05 2a 63-32 47 d9 e6 15 71 75 d0 .C..%.*c2G...qu.
0060 - 5b 45 ca f5 db 91 e2 68-4c 65 29 1c 6d c3 1f f1 [E.....hLe).m...
0070 - 3a e4 55 78 1b dd 95 b5-bd 24 06 31 34 fa 26 c5 :.Ux.....$.14.&.
0080 - 52 8f c9 24 37 4c R..$7L
191:d=5 hl=2 l= 23 cons: SEQUENCE
193:d=6 hl=2 l= 6 prim: OBJECT :1.3.132.1.11.1
201:d=6 hl=2 l= 13 cons: SEQUENCE
203:d=7 hl=2 l= 9 prim: OBJECT :id-aes256-wrap
214:d=7 hl=2 l= 0 prim: NULL
216:d=5 hl=3 l= 190 cons: SEQUENCE
219:d=6 hl=3 l= 187 cons: SEQUENCE
222:d=7 hl=3 l= 142 cons: SEQUENCE
225:d=8 hl=3 l= 128 cons: SEQUENCE
228:d=9 hl=2 l= 11 cons: SET
230:d=10 hl=2 l= 9 cons: SEQUENCE
232:d=11 hl=2 l= 3 prim: OBJECT :countryName
237:d=11 hl=2 l= 2 prim: PRINTABLESTRING :US
241:d=9 hl=2 l= 19 cons: SET
243:d=10 hl=2 l= 17 cons: SEQUENCE
245:d=11 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
250:d=11 hl=2 l= 10 prim: UTF8STRING :California
## other cert params ##
356:d=8 hl=2 l= 9 prim: INTEGER :FEEAB1D7F247D77B
367:d=7 hl=2 l= 40 prim: OCTET STRING
0000 - d5 fd 5c 37 ac 0b b7 ad-07 b7 42 38 5a 3e a5 bc ..\7......B8Z>..
0010 - 5e eb 1f bf a4 b9 63 bb-6d 58 87 a5 3c 96 34 68 ^.....c.mX..<.4h
0020 - 55 26 4e 63 f0 16 92 0a- U&Nc....
409:d=3 hl=4 l= 446 cons: SEQUENCE
413:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
424:d=4 hl=2 l= 29 cons: SEQUENCE
426:d=5 hl=2 l= 9 prim: OBJECT :aes-256-cbc
437:d=5 hl=2 l= 16 prim: OCTET STRING
0000 - 82 cd 6e 4b 7a 2a bc 59-63 c0 55 a3 bb b1 9a e6 ..nKz*.Yc.U.....
455:d=4 hl=4 l= 400 prim: cont [ 0 ]
答案 0 :(得分:1)
The command line works flawlessly but my program is giving an error
您是否构建了openssl
二进制文件的本地副本,因为您引用的链接是假定的?如果是这样,那么不同的行为很可能是由openssl的不同版本引起的(假设您将示例代码与系统库链接)。最近增加了对EC的支持;我的系统OpenSSL版本 1.0.1f 报告的错误与您显示的相同,而本地安装的版本 1.0.2a 使用EC密钥成功加密。
因此,如果您需要二进制文件来使用EC密钥,请在您的系统上安装较新的OpenSSL,或者将二进制文件静态链接到本地构建的OpenSSL库(libssl和libcrypto)。