CMS_encrypt使用ECDH密钥

时间:2015-04-18 19:20:04

标签: c cryptography openssl

我正在尝试使用ECDH密钥实施CMS加密。参考openssl CMS with ECDH EnvelopedData命令行完美无缺,但我的程序发出错误 -

Error Encrypting Data
140508524291744:error:2E06507D:CMS routines:CMS_add1_recipient_cert:not supported for this key type:cms_env.c:210:

在下面的代码中,使用openssl CMS with ECDH EnvelopedData

中的步骤创建了recip.pem
#include <stdio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/cms.h>

int main (int argc, char **argv)
{
    CMS_ContentInfo *cms1 = NULL;
    BIO *in = NULL, *out = NULL, *tbio = NULL;
    X509 *rcert = NULL;
    int ret = 1;
    int flags = CMS_STREAM;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    tbio = BIO_new_file("recip.pem", "r");
    if (!tbio)
        goto err;

    rcert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
    if (!rcert)
        goto err;

    in = BIO_new_file("encr.txt", "r");
    flags |= CMS_PARTIAL;
    cms1 = CMS_encrypt(NULL, in, EVP_des_ede3_cbc(), flags);

    CMS_RecipientInfo *ri;
    ri = CMS_add1_recipient_cert(cms1, rcert, flags);
    if (!ri)
        goto err;

    if(!CMS_final(cms1, in, NULL, flags))
        goto err;

    if (!cms1)
        goto err;

    out = BIO_new_file("cms1.pem", "w");
    if(!out)
        goto err;

    if(!PEM_write_bio_CMS_stream(out, cms1, in, flags))
        goto err;

    ret = 0;

err:
    if (ret) {
        fprintf(stderr, "Error Encrypting Data\n");
        ERR_print_errors_fp(stderr);
    }

    if (cms1)
        CMS_ContentInfo_free(cms1);
    if (rcert)
        X509_free(rcert);

    if (in)
        BIO_free(in);
    if (out)
        BIO_free(out);
    if (tbio)
        BIO_free(tbio);

    return ret; 
}

文档声明ECC键不受支持但命令行cms app能够顺利完成。我通过cms应用程序,但我无法弄清楚我在做什么不同。还尝试了demos文件夹中的cms_enc.c,但也没有处理ecc键。

我对我的计划的期望是

> openssl cms -encrypt -aes256 -in "x.txt" -out "y.bin" -outformat PEM ecc.crt
> openssl asn1parse -dump -in "y.bin"

    0:d=0  hl=4 l= 855 cons: SEQUENCE
    4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-envelopedData
   15:d=1  hl=4 l= 840 cons:  cont [ 0 ]
   19:d=2  hl=4 l= 836 cons:   SEQUENCE
   23:d=3  hl=2 l=   1 prim:    INTEGER           :02
   26:d=3  hl=4 l= 379 cons:    SET
   30:d=4  hl=4 l= 375 cons:     cont [ 1 ]
   34:d=5  hl=2 l=   1 prim:      INTEGER           :03
   37:d=5  hl=3 l= 151 cons:      cont [ 0 ]
   40:d=6  hl=3 l= 148 cons:       cont [ 1 ]
   43:d=7  hl=2 l=   9 cons:        SEQUENCE
   45:d=8  hl=2 l=   7 prim:         OBJECT            :id-ecPublicKey
   54:d=7  hl=3 l= 134 prim:        BIT STRING
      0000 - 00 04 00 3e 4c 80 5b bb-10 ff 83 30 33 1f 44 ab   ...>L.[....03.D.
      0010 - ad 2c a2 9d a9 5a 19 5f-8e 5a dc 30 a2 4d f5 19   .,...Z._.Z.0.M..
      0020 - 51 49 e6 cb ff 63 08 e7-87 e8 d3 66 60 f5 0f 67   QI...c.....f`..g
      0030 - c1 94 3a aa b9 88 3c 7c-5c cd 5a cd 4e f2 5f ba   ..:...<|\.Z.N._.
      0040 - 15 05 0d bc 01 be 6c 2c-32 fd b1 3d d1 d1 52 f8   ......l,2..=..R.
      0050 - e0 43 a5 03 25 05 2a 63-32 47 d9 e6 15 71 75 d0   .C..%.*c2G...qu.
      0060 - 5b 45 ca f5 db 91 e2 68-4c 65 29 1c 6d c3 1f f1   [E.....hLe).m...
      0070 - 3a e4 55 78 1b dd 95 b5-bd 24 06 31 34 fa 26 c5   :.Ux.....$.14.&.
      0080 - 52 8f c9 24 37 4c                                 R..$7L
  191:d=5  hl=2 l=  23 cons:      SEQUENCE
  193:d=6  hl=2 l=   6 prim:       OBJECT            :1.3.132.1.11.1
  201:d=6  hl=2 l=  13 cons:       SEQUENCE
  203:d=7  hl=2 l=   9 prim:        OBJECT            :id-aes256-wrap
  214:d=7  hl=2 l=   0 prim:        NULL
  216:d=5  hl=3 l= 190 cons:      SEQUENCE
  219:d=6  hl=3 l= 187 cons:       SEQUENCE
  222:d=7  hl=3 l= 142 cons:        SEQUENCE
  225:d=8  hl=3 l= 128 cons:         SEQUENCE
  228:d=9  hl=2 l=  11 cons:          SET
  230:d=10 hl=2 l=   9 cons:           SEQUENCE
  232:d=11 hl=2 l=   3 prim:            OBJECT            :countryName
  237:d=11 hl=2 l=   2 prim:            PRINTABLESTRING   :US
  241:d=9  hl=2 l=  19 cons:          SET
  243:d=10 hl=2 l=  17 cons:           SEQUENCE
  245:d=11 hl=2 l=   3 prim:            OBJECT            :stateOrProvinceName
  250:d=11 hl=2 l=  10 prim:            UTF8STRING        :California
  ## other cert params ##
  356:d=8  hl=2 l=   9 prim:         INTEGER           :FEEAB1D7F247D77B
  367:d=7  hl=2 l=  40 prim:        OCTET STRING
      0000 - d5 fd 5c 37 ac 0b b7 ad-07 b7 42 38 5a 3e a5 bc   ..\7......B8Z>..
      0010 - 5e eb 1f bf a4 b9 63 bb-6d 58 87 a5 3c 96 34 68   ^.....c.mX..<.4h
      0020 - 55 26 4e 63 f0 16 92 0a-                          U&Nc....
  409:d=3  hl=4 l= 446 cons:    SEQUENCE
  413:d=4  hl=2 l=   9 prim:     OBJECT            :pkcs7-data
  424:d=4  hl=2 l=  29 cons:     SEQUENCE
  426:d=5  hl=2 l=   9 prim:      OBJECT            :aes-256-cbc
  437:d=5  hl=2 l=  16 prim:      OCTET STRING
      0000 - 82 cd 6e 4b 7a 2a bc 59-63 c0 55 a3 bb b1 9a e6   ..nKz*.Yc.U.....
  455:d=4  hl=4 l= 400 prim:     cont [ 0 ]

1 个答案:

答案 0 :(得分:1)

The command line works flawlessly but my program is giving an error

您是否构建了openssl二进制文件的本地副本,因为您引用的链接是假定的?如果是这样,那么不同的行为很可能是由openssl的不同版本引起的(假设您将示例代码与系统库链接)。最近增加了对EC的支持;我的系统OpenSSL版本 1.0.1f 报告的错误与您显示的相同,而本地安装的版本 1.0.2a 使用EC密钥成功加密。

因此,如果您需要二进制文件来使用EC密钥,请在您的系统上安装较新的OpenSSL,或者将二进制文件静态链接到本地​​构建的OpenSSL库(libssl和libcrypto)。