Error decrypting CMS structure
OS: OpenBSD 7.7
Version: LibreSSL 4.1.0
When encrypting a file using the cms command and an AEAD cipher such as
- aes-128-gcm
- aes-256-gcm
- aes-128-ccm
- aes-256-ccm
the encryption appears to work fine, but I get an error trying to decrypt.
Commands to reproduce:
$ echo "Hello, world!" >msg.txt
$ key=`openssl rand -hex 32`
$ openssl cms -encrypt -in msg.txt -secretkey $key -secretkeyid bc2025 -aes-256-gcm -outform PEM >msg.pem
$ openssl cms -decrypt -in msg.pem -secretkey $key -secretkeyid bc2025 -aes-256-gcm -inform PEM
Error decrypting CMS structure
Replacing aes-256-gcm with aes-256-cbc or aes-256-cfb causes the decryption to work perfectly fine.
Running the same commands on eopenssl34 (OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)) also works just fine.
I would have to investigate more closely, but I suspect that our CMS code does not support AEAD ciphers properly, which to my knowledge would need to have some support code for AuthEnvelopedData (per RFC 5084).
That does seem to be the issue. Dumping the PEM file created by OpenSSL gives the following (using the command
eopenssl34 cms -cmsout -in msg.pem -inform PEM -print)
CMS_ContentInfo:
  contentType: id-smime-ct-authEnvelopedData (1.2.840.113549.1.9.16.1.23)
  d.authEnvelopedData:
    version: 0
    originatorInfo: <ABSENT>
    recipientInfos:
      d.kekri:
        version: 4
        kekid:
          keyIdentifier:
            0000 - bc 20 25                                       . %
          date: <ABSENT>
          other: <ABSENT>
        keyEncryptionAlgorithm:
          algorithm: id-aes256-wrap (2.16.840.1.101.3.4.1.45)
          parameter: <ABSENT>
        encryptedKey:
          0000 - 11 db c4 7f f2 6f e4 ad-16 98 54 d4 b7 55 36   .....o....T..U6
          000f - 13 71 c5 3e 2c 45 e7 97-4a 71 98 2b 0d 43 7d   .q.>,E..Jq.+.C}
          001e - 4c 94 08 b7 6f 23 be cb-32 1c                  L...o#..2.
    authEncryptedContentInfo:
      contentType: pkcs7-data (1.2.840.113549.1.7.1)
      contentEncryptionAlgorithm:
        algorithm: aes-256-gcm (2.16.840.1.101.3.4.1.46)
        parameter: SEQUENCE:
    0:d=0  hl=2 l=  17 cons: SEQUENCE
    2:d=1  hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:1585AB536BE1ED906DB4DDBC
   16:d=1  hl=2 l=   1 prim: INTEGER           :10
      encryptedContent:
        0000 - d1 c7 7c 99 35 56 44 f9-0c 06 57 5b 17 49 48   ..|.5VD...W[.IH
        000f - ac 50 c9 36 ed b6 e1 7f-f3 f2 8c aa a3 50 71   .P.6.........Pq
        001e - 0c 81 dc 39 ae f7 e4 71-0c                     ...9...q.
    authAttrs:
      <ABSENT>
    mac:
      0000 - 0a 24 16 c1 aa c5 1d 7e-cb 23 07 5b af cf e9 26   .$.....~.#.[...&
    unauthAttrs:
      <ABSENT>
While LibreSSL gives
CMS_ContentInfo:
  contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
  d.envelopedData:
    version: 2
    originatorInfo: <ABSENT>
    recipientInfos:
      d.kekri:
        version: 4
        kekid:
          keyIdentifier:
            0000 - bc 20 25                                       . %
          date: <ABSENT>
          other: <ABSENT>
        keyEncryptionAlgorithm:
          algorithm: id-aes256-wrap (2.16.840.1.101.3.4.1.45)
          parameter: <ABSENT>
        encryptedKey:
          0000 - 19 bb 9d 5d 7f ec 9d fb-c6 ae 06 ad 7a 52 79   ...]........zRy
          000f - fc 37 52 00 6f b0 f8 38-b0 49 c8 69 e6 e9 ed   .7R.o..8.I.i...
          001e - 79 a7 b2 40 40 b9 e0 ca-7c 27                  y..@@...|'
    encryptedContentInfo:
      contentType: pkcs7-data (1.2.840.113549.1.7.1)
      contentEncryptionAlgorithm:
        algorithm: aes-256-cbc (2.16.840.1.101.3.4.1.42)
        parameter: OCTET STRING:
          0000 - d4 5c 9c 13 f2 89 3d d2-5d 4e 69 fc 73 a6 90   .\....=.]Ni.s..
          000f - b6                                             .
      encryptedContent:
        0000 - 11 72 a0 43 91 c1 c5 c4-1d 5f d0 4a 4e 1a 3f   .r.C....._.JN.?
        000f - d1 d5 18 f7 b4 fc d6 2f-43 7e 71 40 4e fa b5   ......./C~q@N..
        001e - d3 61 65 91 67 fe 25 e6-c8 a0 de 85 aa be d2   .ae.g.%........
        002d - 46 0f 8d                                       F..
    unprotectedAttrs:
      <EMPTY>
Thanks. So I think this has been broken since forever in our CMS code - the only reason we have reimported it is for signedData support, because we need that for RPKI.
We should probably see if we can avoid producing this kind of garbage output until we add support. But don't hold your breath. I don't think we currently have enough compelling use cases to justify spending much time on the encryption side of CMS. CMS is endless complications and really unpleasant code.
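The structural difference the two dumps show, as a runnable check. This is an added example, not code from the LibreSSL or OpenSSL projects: a minimal DER walker that reports whether a CMS blob is EnvelopedData (RFC 5652) or AuthEnvelopedData (RFC 5083), which content-encryption algorithm it names, and, for AES-GCM, the RFC 5084 GCMParameters (the 12-byte nonce and the ICV length), plus the one rule a practitioner wants enforced: an AEAD OID has to sit inside AuthEnvelopedData, because plain EnvelopedData has no field for the tag. The first two sample blobs are rebuilt from the bytes in the dumps above (one KEKRecipientInfo with id-aes256-wrap and key id bc2025, as in both dumps); the third, MISMATCH, is constructed here to show what the check rejects. Function and constant names are this example's own.

```python
"""Classify a CMS ContentInfo as EnvelopedData (RFC 5652) or AuthEnvelopedData (RFC 5083) and pull out
the content-encryption algorithm and its RFC 5084 parameters. Hand-rolled DER; added example, not LibreSSL code."""

OID_ENVELOPED, OID_AUTH_ENVELOPED = "1.2.840.113549.1.7.3", "1.2.840.113549.1.9.16.1.23"
OID_PKCS7_DATA, OID_AES256_WRAP = "1.2.840.113549.1.7.1", "2.16.840.1.101.3.4.1.45"
OID_AES256_CBC, OID_AES256_GCM = "2.16.840.1.101.3.4.1.42", "2.16.840.1.101.3.4.1.46"
CONTENT_TYPES = {OID_ENVELOPED: "envelopedData", OID_AUTH_ENVELOPED: "authEnvelopedData"}
CIPHERS = {"2.16.840.1.101.3.4.1.2": "aes-128-cbc", "2.16.840.1.101.3.4.1.6": "aes-128-gcm", "2.16.840.1.101.3.4.1.7": "aes-128-ccm",
           OID_AES256_CBC: "aes-256-cbc", OID_AES256_GCM: "aes-256-gcm", "2.16.840.1.101.3.4.1.47": "aes-256-ccm"}
AEAD = {"aes-128-gcm", "aes-128-ccm", "aes-256-gcm", "aes-256-ccm"}   # these require AuthEnvelopedData

def der_tlv(tag, body):
    n = len(body)   # definite-length header; bodies up to 65535 bytes are enough for this example
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + body

def der_walk(buf):
    i = 0   # yields (tag, body) for each consecutive TLV in buf, rejecting truncated elements
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        nlen = 0 if first < 0x80 else first & 0x7F                    # long form: number of length bytes
        n = first if first < 0x80 else int.from_bytes(buf[i + 2:i + 2 + nlen], "big")
        body = buf[i + 2 + nlen:i + 2 + nlen + n]
        if len(body) != n:
            raise ValueError("truncated DER element")
        yield tag, body
        i += 2 + nlen + n

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]                 # first two arcs share one byte
    for arc in arcs[2:]:                           # base-128, high bit set on every byte but the last
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return der_tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # correct for the 1.x and 2.16 arcs used here
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def gcm_params(nonce, icv_len):
    """GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen INTEGER DEFAULT 12 }"""
    return der_tlv(0x30, der_tlv(0x04, nonce) + der_tlv(0x02, bytes([icv_len])))

def content_info(content_oid, version, key_id, wrapped_key, cipher_oid, params, ciphertext, mac=None):
    """ContentInfo { oid, [0] SEQUENCE { version, SET { KEKRecipientInfo }, EncryptedContentInfo [, mac] } }"""
    kekri = der_tlv(0xA2, der_tlv(0x02, b"\x04") + der_tlv(0x30, der_tlv(0x04, key_id))     # [2] IMPLICIT, version 4
                    + der_tlv(0x30, encode_oid(OID_AES256_WRAP)) + der_tlv(0x04, wrapped_key))
    eci = der_tlv(0x30, encode_oid(OID_PKCS7_DATA) + der_tlv(0x30, encode_oid(cipher_oid) + params)
                  + der_tlv(0x80, ciphertext))                                               # [0] IMPLICIT OCTET STRING
    body = der_tlv(0x02, bytes([version])) + der_tlv(0x31, kekri) + eci + (der_tlv(0x04, mac) if mac else b"")
    return der_tlv(0x30, encode_oid(content_oid) + der_tlv(0xA0, der_tlv(0x30, body)))

def classify_cms(der):
    """Report what a CMS blob claims: structure type, cipher, nonce or IV, ICV length and tag length."""
    (_, ci), = der_walk(der)                      # the single top-level ContentInfo SEQUENCE
    (_, ct_oid), (_, explicit) = der_walk(ci)
    (_, inner), = der_walk(explicit)              # [0] EXPLICIT wraps exactly one SEQUENCE
    fields = list(der_walk(inner))
    idx = 2 if fields[1][0] == 0xA0 else 1        # skip optional [0] originatorInfo
    if fields[idx][0] != 0x31:
        raise ValueError("expected recipientInfos SET")
    eci = list(der_walk(fields[idx + 1][1]))
    alg = list(der_walk(eci[1][1]))
    ctype, cipher = decode_oid(ct_oid), decode_oid(alg[0][1])
    info = {"content_type": CONTENT_TYPES.get(ctype, ctype), "cipher": CIPHERS.get(cipher, cipher),
            "ciphertext_len": len(eci[2][1]), "nonce": None, "icv_len": None, "iv": None, "mac_len": None}
    if len(alg) > 1 and alg[1][0] == 0x30:        # GCM/CCM parameters
        params = list(der_walk(alg[1][1]))
        info["nonce"] = params[0][1].hex()
        info["icv_len"] = params[1][1][0] if len(params) > 1 else 12
    elif len(alg) > 1 and alg[1][0] == 0x04:      # CBC parameters are the bare IV
        info["iv"] = alg[1][1].hex()
    if ctype == OID_AUTH_ENVELOPED:               # mac: the OCTET STRING after eci (and optional [1] authAttrs)
        info["mac_len"] = len(next(b for t, b in fields[idx + 2:] if t == 0x04))
    return info

def structure_matches_cipher(info):
    # RFC 5083 rule: AEAD ciphers go in AuthEnvelopedData, everything else in EnvelopedData
    return (info["cipher"] in AEAD) == (info["content_type"] == "authEnvelopedData")

# Samples rebuilt from the two dumps above (key id bc2025, wrapped keys, GCM nonce and tag, CBC IV, ciphertexts).
OPENSSL_GCM = content_info(OID_AUTH_ENVELOPED, 0, bytes.fromhex("bc2025"),
    bytes.fromhex("11dbc47ff26fe4ad169854d4b755361371c53e2c45e7974a71982b0d437d4c9408b76f23becb321c"),
    OID_AES256_GCM, gcm_params(bytes.fromhex("1585ab536be1ed906db4ddbc"), 16),
    bytes.fromhex("d1c77c99355644f90c06575b174948ac50c936edb6e17ff3f28caaa350710c81dc39aef7e4710c"),
    mac=bytes.fromhex("0a2416c1aac51d7ecb23075bafcfe926"))
LIBRESSL_CBC = content_info(OID_ENVELOPED, 2, bytes.fromhex("bc2025"),
    bytes.fromhex("19bb9d5d7fec9dfbc6ae06ad7a5279fc3752006fb0f838b049c869e6e9ed79a7b24040b9e0ca7c27"),
    OID_AES256_CBC, der_tlv(0x04, bytes.fromhex("d45c9c13f2893dd25d4e69fc73a690b6")),
    bytes.fromhex("1172a04391c1c5c41d5fd04a4e1a3fd1d518f7b4fcd62f437e71404efab5d361659167fe25e6c8a0de85aabed2460f8d"))
# Constructed, not from the thread: an AEAD algorithm forced into plain EnvelopedData, which has no field for the tag.
MISMATCH = content_info(OID_ENVELOPED, 2, bytes.fromhex("bc2025"), b"\x00" * 40, OID_AES256_GCM,
                        gcm_params(bytes.fromhex("1585ab536be1ed906db4ddbc"), 16), b"\x00" * 39)
```

Run classify_cms on a DER blob (openssl cms -outform DER, or the base64 body of the PEM decoded) and then structure_matches_cipher on the result; a False there means the file names an AEAD cipher but carries no mac, or the reverse, and no implementation will be able to decrypt it. The walker only handles the definite-length BER that DER requires; an indefinite-length BER stream such as the one `openssl cms -stream` emits would need a length-0x80 case added.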