
This adds CMS support to the Ruby layer.

Open mcr opened this issue 5 months ago • 7 comments

This updates the patch to support openssl 3.x. I have maintained a patch for some years for openssl 1.1.1 that adds CMS support. (This is needed for RFC8995 code)

mcr avatar Jul 26 '25 17:07 mcr

Not sure how to get the aws-lc-latest test case to run. Does it even work?

mcr avatar Jul 27 '25 20:07 mcr

From a quick look, the current implementation of OpenSSL::CMS seems to support a subset of what OpenSSL::PKCS7 can currently handle. Do you plan to implement the remaining accessors or add new features that require the CMS API?

My understanding is that CMS is intended to be the successor of PKCS#7 and backwards-compatible with it. I wonder if we could avoid maintaining two separate modules for what is basically the same structure. I haven't looked into the OpenSSL API and I'm not sure if it's possible to fully copy the existing behaviors, but would it be feasible to update OpenSSL::PKCS7 to use the CMS API and rename it?

I'm also not sure why OpenSSL decided to use different structs for PKCS#7 and CMS in the first place.

rhenium avatar Jul 28 '25 10:07 rhenium

Not sure how to get the aws-lc-latest test case to run. Does it even work?

AWS-LC doesn't appear to have openssl/cms.h. AWS-LC defines OPENSSL_NO_CMS.

rhenium avatar Jul 28 '25 10:07 rhenium

My understanding is that CMS is intended to be the successor of PKCS#7 and backwards-compatible with it. I wonder if we could avoid maintaining two separate modules for what is basically the same structure. I haven't looked into the OpenSSL API and I'm not sure if it's possible to do fully copy the existing behaviors, but would it be feasible to update OpenSSL::PKCS7 to use the CMS API and rename it?

CMS > PKCS7, but PKCS7 things cannot in general parse CMS. So if one wants to generate PKCS7 things, then one needs to use the old APIs. Why OpenSSL didn't do what you suggest, I don't know. Legacy.

If we were to do anything, it would be to rip PKCS7 code out.

mcr avatar Jul 28 '25 13:07 mcr
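As an added illustration of the baseline being discussed above (rhenium's note that OpenSSL::CMS covers a subset of what OpenSSL::PKCS7 handles, and mcr's point that PKCS#7 is still what the old API produces), here is what the existing OpenSSL::PKCS7 binding does today: sign and verify a detached SignedData, and encrypt and decrypt an EnvelopedData. This is example code written for this thread, not code from the PR or from ruby/openssl; the self-signed identity it builds is constructed on the fly and is not a real CA.

```ruby
require "openssl"

# Throwaway self-signed identity (constructed for this example, not a real CA).
# keyUsage is set so OpenSSL's S/MIME purpose check accepts the signer cert.
def make_identity(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment,keyCertSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# PKCS#7 SignedData with a detached signature: serialize to DER, parse it back
# as a peer would, then verify against a store that trusts the signer. The
# tampered verification shows that a modified payload is rejected (false).
def pkcs7_sign_and_verify(data)
  key, cert = make_identity("signer")
  p7 = OpenSSL::PKCS7.sign(cert, key, data, [], OpenSSL::PKCS7::DETACHED)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  parsed = OpenSSL::PKCS7.new(p7.to_der)
  {
    type: parsed.type,                                     # :signed
    detached: parsed.detached?,
    verified: parsed.verify([cert], store, data),          # true
    tampered: parsed.verify([cert], store, data + "x"),    # false
  }
end

# PKCS#7 EnvelopedData for a single recipient, decrypted with that recipient's key.
def pkcs7_envelope_roundtrip(data)
  key, cert = make_identity("recipient")
  p7 = OpenSSL::PKCS7.encrypt([cert], data, OpenSSL::Cipher.new("aes-256-cbc"))
  parsed = OpenSSL::PKCS7.new(p7.to_der)
  { type: parsed.type, plaintext: parsed.decrypt(key, cert) }   # :enveloped
end
```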

Not sure how to get the aws-lc-latest test case to run. Does it even work?

I ran the latest master branch of the ruby/openssl in my forked repository, and the aws-lc-latest case passed. So, this PR's change might break the aws-lc-latest case.

https://github.com/junaruga/ruby-openssl/actions/runs/16567236800

junaruga avatar Jul 28 '25 16:07 junaruga

It seems that aws-lc does not include CMS support. The error that I saw, however, was about impossible version numbers, which I couldn't understand at all. With OPENSSL_NO_CMS as the key to compiling the CMS code, aws-lc-latest "works", because it doesn't test anything.

mcr avatar Jul 28 '25 20:07 mcr

It seems that aws-lc does not include CMS support. The error that I saw, however, was about impossible version numbers

Yes, AWS-LC doesn't have openssl/cms.h either. openssl/cms.h from Ubuntu's base system appears to be included incorrectly as a result.

rhenium avatar Jul 31 '25 16:07 rhenium