diff options
| author | Craig Gallek <cgallek@gmail.com> | 2021-08-25 16:00:31 -0400 |
|---|---|---|
| committer | Kevin McCarthy <kevin@8t8.us> | 2021-08-25 15:06:22 -0700 |
| commit | f0ff78a5d98ee65f7501fbce3231fbe5c886f623 (patch) | |
| tree | 542dcedb07b37a367420336311da13b13bf2175c /contrib | |
| parent | 27e61da5682635c75becda44a8075428bee4b586 (diff) | |
Use cms utility for SMIME encryption/decryption.
The openssl smime utility only supports RSA keys for encryption (more
specifically, the PKCS7 container that it uses can't be used with other
key types). The cms utility supports newer versions of the SMIME RFCs,
including the use DH ephemeral-static algorithms for encrypting the
symmetric key used during message encryption.
This patch updates the suggested encryption/decryption commands, but
does not change any of the commands used for signature
generation/verification (as the smime sign/verify commands do support
other key types).
Debian seems to have already made this change[1] for the decryption path
a while ago, but did not update the encryption command (current Debian
patch for this file[2]). There is a slight danger of updating the
decryption command at the same time as the encryption command (as
clients still trying to decrypt with smime could have problems reading
messages encrypted with cms), but the existence of that Debian bug seems
to imply that there is already a source of messages using the newer CMS
format.
I verified that I am now able to encrypt a message with public key type
id-ecPublicKey. Previously, this resulted in an error like:
"encryption not supported for this key type:pk7_lib.c"
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639533
[2] https://sources.debian.org/patches/mutt/2.0.5-4.1/misc/smime.rc.patch/
Signed-off-by: Craig Gallek <cgallek@gmail.com>
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/smime.rc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/contrib/smime.rc b/contrib/smime.rc index e2c29889..410606c2 100644 --- a/contrib/smime.rc +++ b/contrib/smime.rc @@ -80,7 +80,7 @@ set smime_import_cert_command="smime_keys add_cert %f" set smime_encrypt_with="aes256" # Encrypt a message. Input file is a MIME entity. -set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c" +set smime_encrypt_command="openssl cms -encrypt -%a -outform DER -in %f %c" # Algorithm for the signature message digest. # Valid choices are md5, sha1, sha224, sha256, sha384, sha512. @@ -94,7 +94,7 @@ set smime_sign_command="openssl smime -sign -md %d -signer %c -inkey %k -passin # Section C: Incoming messages # Decrypt a message. Output is a MIME entity. -set smime_decrypt_command="openssl smime -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c" +set smime_decrypt_command="openssl cms -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c" # Verify a signature of type multipart/signed set smime_verify_command="openssl smime -verify -inform DER -in %s %C -content %f" |