Unable to decrypt CMS object encrypted with EC prime256v1 certificate


Unable to decrypt CMS object encrypted with EC prime256v1 certificate

Stephan Mühlstrasser
Hi,

we are testing OpenSSL interoperability with a third-party application,
and we cannot decrypt a CMS object that is encrypted by the third-party
application with a prime256v1 elliptic-curve certificate.

I have attached the following files:

demo_signer_ec_secp256r1.cms.der: DER-encoded CMS object
demo_signer_ec_secp256r1.cert.pem: recipient certificate
demo_signer_ec_secp256r1.pkey.pem: recipient private key (no password)

I try to decrypt the CMS object with the following command using OpenSSL
1.0.2:

$ openssl version
OpenSSL 1.0.2h  3 May 2016
$ openssl cms -decrypt -in demo_signer_ec_secp256r1.cms.der -inform DER -recip demo_signer_ec_secp256r1.cert.pem -inkey demo_signer_ec_secp256r1.pkey.pem
Error decrypting CMS using private key

When I use OpenSSL 1.1.0 beta from today's HEAD of the master branch, I
see an additional error message:

$ openssl version
OpenSSL 1.1.0-pre6-dev  xx XXX xxxx
$ openssl cms -decrypt -in demo_signer_ec_secp256r1.cms.der -inform DER -recip demo_signer_ec_secp256r1.cert.pem -inkey demo_signer_ec_secp256r1.pkey.pem
Error decrypting CMS using private key
140735294530304:error:0D06E0A4:asn1 encoding routines:asn1_do_adb:unsupported any defined by type:crypto/asn1/tasn_utl.c:238:

Is the CMS object broken, or is this a problem in OpenSSL?

Thanks

--
Stephan

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Attachments: demo_signer_ec_secp256r1.cert.pem (1K), demo_signer_ec_secp256r1.cms.der (500 bytes), demo_signer_ec_secp256r1.pkey.pem (500 bytes)

Re: Unable to decrypt CMS object encrypted with EC prime256v1 certificate

Dr. Stephen Henson
On Fri, Jul 01, 2016, Stephan Mühlstrasser wrote:

> Hi,
>
> we are testing OpenSSL interoperability with a third-party
> application, and we cannot decrypt a CMS object that is encrypted by
> the third-party application with a prime256v1 elliptic-curve
> certificate.
>
> I have attached the following files:
>
> demo_signer_ec_secp256r1.cms.der: DER-encoded CMS object
> demo_signer_ec_secp256r1.cert.pem: recipient certificate
> demo_signer_ec_secp256r1.pkey.pem: recipient private key (no password)
>
> I try to decrypt the CMS object with the following command using
> OpenSSL 1.0.2:
>
> $ openssl version
> OpenSSL 1.0.2h  3 May 2016
> $ openssl cms -decrypt -in demo_signer_ec_secp256r1.cms.der  -inform
> DER -recip  demo_signer_ec_secp256r1.cert.pem  -inkey
> demo_signer_ec_secp256r1.pkey.pem
> Error decrypting CMS using private key
>
> When I use OpenSSL 1.1.0 beta from today's HEAD of the master
> branch, I see an additional error message:
>
> $ openssl version
> OpenSSL 1.1.0-pre6-dev  xx XXX xxxx
> $ openssl cms -decrypt -in demo_signer_ec_secp256r1.cms.der  -inform
> DER -recip  demo_signer_ec_secp256r1.cert.pem  -inkey
> demo_signer_ec_secp256r1.pkey.pem
> Error decrypting CMS using private key
> 140735294530304:error:0D06E0A4:asn1 encoding
> routines:asn1_do_adb:unsupported any defined by
> type:crypto/asn1/tasn_utl.c:238:
>

The final error is bogus: fixed in current master.

> Is the CMS object broken, or is this a problem in OpenSSL?
>

Well the OpenSSL version does interop OK with the Bouncy Castle version of
ECDH and CMS. I've checked through your test message and the problem is that
the AES unwrapping algorithm checks fail, meaning it can't proceed any further.
That could be down to a CMS problem, an ECDH issue or a problem with the wrap
algorithm either in the version you are testing or OpenSSL.

Is it possible to get any debugging information from the other version you are
using: for example the content encryption key it is expecting or the ECDH
shared secret?

Have you tried generating a message with OpenSSL and decrypting it with the
other version?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Unable to decrypt CMS object encrypted with EC prime256v1 certificate

Stephan Mühlstrasser
On 06.07.16 at 05:15, Dr. Stephen Henson wrote:

> ...
>> Is the CMS object broken, or is this a problem in OpenSSL?
>>
>
> Well the OpenSSL version does interop OK with the Bouncy Castle version of
> ECDH and CMS. I've checked through your test message and the problem is that
> the AES unwrapping algorithm checks fail, meaning it can't proceed any further.
> That could be down to a CMS problem, an ECDH issue or a problem with the wrap
> algorithm either in the version you are testing or OpenSSL.
>
> Is it possible to get any debugging information from the other version you are
> using: for example the content encryption key it is expecting or the ECDH
> shared secret?

I don't know whether that is possible, I will check.

> Have you tried generating a message with OpenSSL and decrypting it with the
> other version?

Yes, the other version cannot decrypt the CMS object generated by
OpenSSL. I did some tests with Bouncy Castle, and it also cannot decrypt
the CMS object.

What might be interesting is that on the other hand Windows CryptoAPI is
able to decrypt the CMS object (tested on Windows 10).

While doing research on this, we found one thing that looks suspicious
in the CMS objects generated by OpenSSL 1.0.2. When dumping the CMS
object with dumpasn1, the key wrap algorithm is encoded as follows:

SEQUENCE {
  OBJECT IDENTIFIER '1 3 132 1 11 3'
  SEQUENCE {
    OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
    NULL
    }
  }

Note the NULL parameter in the aes256-wrap algorithm identifier. Compare
that to RFC 3565, "2.3.2.  AES CEK Wrap Process":

https://tools.ietf.org/html/rfc3565#section-2.3.2

"In all cases the parameters field MUST be absent."

Does this refer to the parameters field of the AlgorithmIdentifier of
the AES key wrap algorithm? Then it would be incorrect to include the
NULL here.

--
Stephan
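An added example, not code from the thread or from OpenSSL: a dependency-free DER walker that parses the KeyEncryptionAlgorithmIdentifier shown in the dumpasn1 dump above and reports the NULL parameter on aes256-wrap that RFC 3565 section 2.3.2 says must be absent. The two DER blobs are hand-encoded for this example to match the dump, once with the NULL and once with the parameters field absent; the function and constant names are my own.

```python
# Added example, not code from the thread or from OpenSSL: a dependency-free DER
# walker for the KeyEncryptionAlgorithmIdentifier shown in the dumpasn1 output.
AES256_WRAP_OID = "2.16.840.1.101.3.4.1.45"   # aes256-wrap
# Constructed DER, hand-encoded to match the dump: inner SEQUENCE ends in 05 00 (NULL).
KEA_WITH_NULL = bytes.fromhex(
    "3017"                          # SEQUENCE (23 bytes)
    "06062b8104010b03"              #   OID 1.3.132.1.11.3
    "300d060960864801650304012d"    #   SEQUENCE { OID aes256-wrap
    "0500")                         #              NULL }  <- the suspicious parameter
KEA_CORRECT = bytes.fromhex("3015" "06062b8104010b03" "300b060960864801650304012d")  # params absent

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OID content octets into dotted notation (first octet packs two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                      # last octet of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(der):
    """SEQUENCE { OID, parameters OPTIONAL } -> (dotted oid, params tag or None, params bytes)."""
    tag, body, _ = read_tlv(der, 0)
    otag, oid_content, pos = read_tlv(body, 0)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("not an AlgorithmIdentifier")
    if pos >= len(body):                      # parameters field absent
        return decode_oid(oid_content), None, b""
    return decode_oid(oid_content), body[pos], body[pos:]

def check_key_wrap_params(kea_der):
    """Findings for an ECDH KEA AlgorithmIdentifier whose parameters are the KeyWrapAlgorithm (RFC 5753)."""
    findings = []
    kea_oid, _, wrap_der = parse_algorithm_identifier(kea_der)
    wrap_oid, wrap_ptag, _ = parse_algorithm_identifier(wrap_der)
    if wrap_oid != AES256_WRAP_OID:
        findings.append(f"unexpected key wrap OID {wrap_oid} under KEA {kea_oid}")
    if wrap_ptag == 0x05:                     # NULL: RFC 3565 2.3.2 says MUST be absent
        findings.append("aes256-wrap has NULL parameters (RFC 3565 2.3.2)")
    return findings
```

To run it against a real message, extract the keyEncryptionAlgorithm TLV from the KeyAgreeRecipientInfo (for example with dumpasn1 or openssl asn1parse offsets) and pass those bytes to check_key_wrap_params.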

Re: Unable to decrypt CMS object encrypted with EC prime256v1 certificate

Dr. Stephen Henson
On Wed, Jul 06, 2016, Stephan Mühlstrasser wrote:

> On 06.07.16 at 05:15, Dr. Stephen Henson wrote:
> >...
> >>Is the CMS object broken, or is this a problem in OpenSSL?
> >>
> >
> >Well the OpenSSL version does interop OK with the Bouncy Castle version of
> >ECDH and CMS. I've checked through your test message and the problem is that
> >the AES unwrapping algorithm checks fail, meaning it can't proceed any further.
> >That could be down to a CMS problem, an ECDH issue or a problem with the wrap
> >algorithm either in the version you are testing or OpenSSL.
> >
> >Is it possible to get any debugging information from the other version you are
> >using: for example the content encryption key it is expecting or the ECDH
> >shared secret?
>
> I don't know whether that is possible, I will check.
>
> >Have you tried generating a message with OpenSSL and decrypting it with the
> >other version?
>
> Yes, the other version cannot decrypt the CMS object generated by
> OpenSSL. I did some tests with Bouncy Castle, and it also cannot
> decrypt the CMS object.
>
> What might be interesting is that on the other hand Windows
> CryptoAPI is able to decrypt the CMS object (tested on Windows 10).
>

Just to clarify: you're saying that neither this third party version nor
BouncyCastle can decrypt the OpenSSL generated CMS objects?

> While doing research on this, we found one thing that looks
> suspicious in the CMS objects generated by OpenSSL 1.0.2. When
> dumping the CMS object with dumpasn1, the key wrap algorithm is
> encoded as follows:
>
> SEQUENCE {
>  OBJECT IDENTIFIER '1 3 132 1 11 3'
>  SEQUENCE {
>    OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
>    NULL
>    }
>  }
>
> Note the NULL parameter in the aes256-wrap algorithm identifier.
> Compare that to RFC 3565, "2.3.2.  AES CEK Wrap Process":
>
> https://tools.ietf.org/html/rfc3565#section-2.3.2
>
> "In all cases the parameters field MUST be absent."
>
> Does this refer to the parameters field of the AlgorithmIdentifier
> of the AES key wrap algorithm? Then it would be incorrect to include
> the NULL here.
>

I'll check. That looks like a bug as the code should be excluding the NULL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Unable to decrypt CMS object encrypted with EC prime256v1 certificate

Dr. Stephen Henson
On Wed, Jul 06, 2016, Stephan Mühlstrasser wrote:

>
> While doing research on this, we found one thing that looks
> suspicious in the CMS objects generated by OpenSSL 1.0.2. When
> dumping the CMS object with dumpasn1, the key wrap algorithm is
> encoded as follows:
>
> SEQUENCE {
>  OBJECT IDENTIFIER '1 3 132 1 11 3'
>  SEQUENCE {
>    OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
>    NULL
>    }
>  }
>

That's strange: I just tried OpenSSL 1.0.2 and the master branch and I don't
get a NULL in either case.

Also that algorithm isn't something you'd get by default with OpenSSL. Has it
been modified in some way?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Unable to decrypt CMS object encrypted with EC prime256v1 certificate

Stephan Mühlstrasser
On 07.07.16 at 00:16, Dr. Stephen Henson wrote:

> On Wed, Jul 06, 2016, Stephan Mühlstrasser wrote:
>
>>
>> While doing research on this, we found one thing that looks
>> suspicious in the CMS objects generated by OpenSSL 1.0.2. When
>> dumping the CMS object with dumpasn1, the key wrap algorithm is
>> encoded as follows:
>>
>> SEQUENCE {
>>  OBJECT IDENTIFIER '1 3 132 1 11 3'
>>  SEQUENCE {
>>    OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
>>    NULL
>>    }
>>  }
>>
>
> That's strange: I just tried OpenSSL 1.0.2 and the master branch and I don't
> get a NULL in either case.

I apologize, you are right. I tracked this down to the fact that the CMS
object was created with an OpenSSL 1.0.2 beta version. Sorry for the
confusion.

> Also that algorithm isn't something you'd get by default with OpenSSL. Has it
> been modified in some way?

It has not been modified. The algorithm is set with the
EVP_PKEY_CTX_ctrl_str() function:

EVP_PKEY_CTX_ctrl_str(ctx, "ecdh_kdf_md", "sha256");

--
Stephan

Re: Unable to decrypt CMS object encrypted with EC prime256v1 certificate

Stephan Mühlstrasser
On 06.07.16 at 23:35, Dr. Stephen Henson wrote:

> ...
>> Yes, the other version cannot decrypt the CMS object generated by
>> OpenSSL. I did some tests with Bouncy Castle, and it also cannot
>> decrypt the CMS object.
>>
>> What might be interesting is that on the other hand Windows
>> CryptoAPI is able to decrypt the CMS object (tested on Windows 10).
>>
>
> Just to clarify: you're saying that neither this third party version nor
> BouncyCastle can decrypt the OpenSSL generated CMS objects?

No, I didn't want to say that. BouncyCastle is unable to decrypt the
third-party CMS object that I sent as an attachment in the initial email
of this thread.

OpenSSL and BouncyCastle interoperate just fine, I can encrypt and
decrypt CMS messages in both directions without problems.

--
Stephan