OpenSSL_CMS.txt

CMS (Cryptographic Message Syntax) using OpenSSL
--------------------------------------------------

Useful links :-
https://manpages.ubuntu.com/manpages/bionic/man1/cms.1ssl.html
https://www.rfc-editor.org/rfc/rfc5652


-in 			: input file.
-out			: output file.
-inkey			: private key as input
-certfile		: include other certificates in a message.
-CAfile			: Use a CA Certificate Bundle
-recip			: Recipient of the message.
-signer			: Certificate of the signer.
-md				: Message Digest algorithm to use.
-encrypt		: encrypt a message.ss
-decrypt		: decrypt an encrypted message.
-sign			: sign a message
-verify			: verify a signed message
-resign			: resign a signed messagess
-compress		:
-uncompress		:
-cmsout			: Outputs the CMS structure
-print			: Used with -cmsout; prints the cms structure as text.
-nodetach		: Don't include S/MIME header and clear message.
-nocerts		: Don't include certificates in the processed message.
-noattr			: Don't include signed atttributes
-nosmimecap		: Don't include S/MIME capability set.
-noverify		: Don't verify a certificate.
-certsout		: Output all certificates included the message
-secretkey		: Use a specified hex encoded encryption key
-secretkeyid	: keyid to identity a secret key.


====================================================================================================================
Commands :-


> Generate Keypair and a self-signed certificate
-------------------------------------------------
# Generate PKCS #8 formatted private key
openssl genpkey -algorithm rsa -out key.rsa -quiet

# Generate self-signed certificate
openssl req -new -x509 -sha256 -days 365 -subj '/CN=CMS' -key cms.key -extensions usr_cert -out cms.cer



> Simple Sign/Verify using self-signed and CA signed certificates
------------------------------------------------------------------
# Sign a message
openssl cms -sign -in message.txt -out message.txt.msg -inkey cms.pri -signer cms_ss.cer

# Verify a message
openssl cms -verify -in message.txt.msg

# Verification fails if you're using a self-signed certificate so using -noverify to ignore.
openssl cms -verify -in message.txt.msg -noverify

# Examine a message.
openssl cms -cmsout -print -in message.txt.msg

# Simple Sign/Verify using ca-signed certificate
openssl cms -sign -in message.txt -out message.msg -inkey cms.pri -signer cms.cer
openssl cms -verify -in message.msg -CAfile cacert.cer

# Sign a message with signer and CA certificates included.
openssl cms -sign -in message.txt -out message.msg -inkey cms.pri -signer cms.cer -certfile cacert.cer
openssl cms -verify -in message.msg -noverify

# Verify a message, output all certificates and verified message into a file.
openssl cms -verify -in message.msg -noverify -out message.txt -certsout all_certs.cer

# Sign a message without attaching the signer certificate to the message.
openssl cms -sign -in message.txt -out message.msg -inkey cms.pri -signer cms.cer -nocerts

openssl cms -verify -in message.msg -certfile cms.cer -CAfile cacert.cer
openssl cms -verify -in message.msg -certfile cms.cer -noverify


# Sign a message without attaching header and clear message.
openssl cms -sign -in message.txt -out message2.msg -inkey cms.pri -signer cms.cer -nocerts -nodetach
openssl cms -verify -in message2.msg -certfile cms.cer -CAfile cacert.cer

# Sign a message without including certificates, headers and signed attributes
openssl cms -sign -in message.txt -out message4.msg -inkey cms.pri -signer cms.cer -nocerts -nodetach -noattr

# Sign a message without including certificates, header, signed attributes and smime capabilities
openssl cms -sign -in message.txt -out message4.msg -inkey cms.pri -signer cms.cer -nocerts -nodetach -noattr -nosmimecap



Encryption using CMS
-----------------------

# Simple message encryption. Encrypted envelop contains the encrypted message, encrypted secret key and the algorithm used for encryption (default des3-ede-cbc)
openssl cms -encrypt -in message.txt -out message.enc -recip cms.cer

# Decrypt the message.
openssl cms -decrypt -in message.enc -inkey cms.pri

# Examine an encrypted message
openssl cms -cmsout -print -in message.enc 

# Encrypt a message using a different Secret key algorithm
openssl enc -list
openssl cms -encrypt -aes-256-cbc -in message.txt -out message.enc -recip cms.cer
openssl cms -decrypt -in message.enc -inkey cms.pri

# Encrypt a message with a user specified encryption key
openssl rand -hex -out cms.aes 16
openssl cms -encrypt -in message.txt -out message.enc -recip cms.cer -secretkey `cat cms.aes` -secretkeyid 1234 -aes-256-cbc