OPT_R_ENUM,
OPT_PROV_ENUM, OPT_CONFIG,
OPT_V_ENUM,
- OPT_CIPHER,
+ OPT_CIPHER, OPT_KEKCIPHER,
OPT_ORIGINATOR
} OPTION_CHOICE;
"Recipient certs (optional; used only when encrypting)"},
{"", OPT_CIPHER, '-',
"The encryption algorithm to use (any supported cipher)"},
+ {"kekcipher", OPT_KEKCIPHER, 's',
+ "The key encryption algorithm to use"},
{"wrap", OPT_WRAP, 's',
"Key wrap algorithm to use when encrypting with key agreement"},
{"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
CMS_ReceiptRequest *rr = NULL;
ENGINE *e = NULL;
EVP_PKEY *key = NULL;
- EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
+ EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL, *kekcipher = NULL;
EVP_MD *sign_md = NULL;
STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
long digestlen = 0;
char *infile = NULL, *outfile = NULL, *rctfile = NULL;
char *passinarg = NULL, *passin = NULL, *signerfile = NULL;
- char *originatorfile = NULL, *recipfile = NULL, *ciphername = NULL;
+ char *originatorfile = NULL, *recipfile = NULL;
+ char *ciphername = NULL, *kekciphername = NULL;
char *to = NULL, *from = NULL, *subject = NULL, *prog;
cms_key_param *key_first = NULL, *key_param = NULL;
int flags = CMS_DETACHED, binary_files = 0;
case OPT_CIPHER:
ciphername = opt_unknown();
break;
+ case OPT_KEKCIPHER:
+ kekciphername = opt_arg();
+ break;
case OPT_KEYOPT:
keyidx = -1;
if (operation == SMIME_ENCRYPT) {
}
if (!opt_cipher_any(ciphername, &cipher))
goto end;
+ if (kekciphername != NULL && !opt_cipher_any(kekciphername, &kekcipher))
+ goto end;
if (wrapname != NULL) {
if (!opt_cipher_any(wrapname, &wrap_cipher))
goto end;
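Review bot: The new `-kekcipher` lookup resolves the name with `opt_cipher_any()`, so an AEAD cipher is accepted here even though the added manual text says a non-AEAD algorithm should be given for the password KEK. Whether the library rejects that choice later is not visible in this diff, so I would fail early in the tool with `if (kekcipher != NULL && (EVP_CIPHER_get_flags(kekcipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0)`, followed by a message on `bio_err` and `goto end;`. From the visible lines, the option also looks to be ignored silently when no `-pwri_password` is supplied, so a warning there would stop users assuming it affects other recipient types. A negative test next to the new positive one would pin both behaviours. The enclosing block starts and ends outside the hunk.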
pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass);
if (pwri_tmp == NULL)
goto end;
- if (CMS_add0_recipient_password(cms,
- -1, NID_undef, NID_undef,
- pwri_tmp, -1, NULL) == NULL)
+ if (CMS_add0_recipient_password(cms, -1, NID_undef, NID_undef,
+ pwri_tmp, -1, kekcipher) == NULL)
goto end;
pwri_tmp = NULL;
}
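Review bot: When `-kekcipher` is omitted, `kekcipher` is still NULL at this `CMS_add0_recipient_password()` call, so the password-recipient KEK presumably falls back to the library's default choice exactly as before. The new manual text implies that this is the problematic case when the content cipher is AEAD. Consider detecting an AEAD `cipher` with a NULL `kekcipher` before the call and stopping with an error that names `-kekcipher`, rather than relying on the user having read the manual. A comment such as `/* NULL kekcipher lets the library choose the KEK cipher; it should not be AEAD */` would record the contract at the call site. The surrounding block begins outside the hunk.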
X509_free(originator);
EVP_PKEY_free(key);
EVP_CIPHER_free(cipher);
+ EVP_CIPHER_free(kekcipher);
EVP_CIPHER_free(wrap_cipher);
EVP_MD_free(sign_md);
CMS_ContentInfo_free(cms);
[B<-recip> I<file>]
[I<recipient-cert> ...]
[B<-I<cipher>>]
+[B<-kekcipher> I<cipher>]
[B<-wrap> I<cipher>]
[B<-aes128-wrap>]
[B<-aes192-wrap>]
If not specified, AES-256-CBC is used as the default. Only used with B<-encrypt> and
B<-EncryptedData_create> commands.
+=item B<-kekcipher> I<cipher>
+
+Cipher algorithm to use for password key encryption. This option is relevant
+when a password for password recipient information is provided using
+B<-pwri_password>, and an AEAD encryption algorithm is selected. In such cases,
+a non-AEAD algorithm should be specified using this option.
+
=item B<-wrap> I<cipher>
Cipher algorithm to use for key wrap when encrypting the message using Key
\&final_compare
],
+ [ "enveloped content test streaming PEM format, AES-128-GCM cipher and AES-128-CBC KEK cipher, password",
+ [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
+ "-kekcipher", "aes-128-cbc",
+ "-stream", "-out", "{output}.cms",
+ "-pwri_password", "test" ],
+ [ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
+ "-inform", "PEM",
+ "-pwri_password", "test" ],
+ \&final_compare
+ ],
+
[ "enveloped content test streaming PEM format, KEK, key only",
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
"-stream", "-out", "{output}.cms",