Add support for PKCS encryption with secret key for recipient #1067

Open
frelibert opened this issue Dec 22, 2023 · 0 comments · May be fixed by #1063

@frelibert

In cases where the recipient is not yet known, or it is a group of recipients that may share a secret, encryption should be done with a secret key.
This results in a different algorithm and logic to be executed and a different RecipientInfo block in the CMS message.

From the RFC: https://datatracker.ietf.org/doc/html/rfc5652#page-25

Recipient information using previously distributed symmetric keys is
represented in the type KEKRecipientInfo. Each instance of
KEKRecipientInfo will transfer the content-encryption key to one or
more recipients who have the previously distributed key-encryption
key.

  KEKRecipientInfo ::= SEQUENCE {
    version CMSVersion,  -- always set to 4
    kekid KEKIdentifier,
    keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
    encryptedKey EncryptedKey }

  KEKIdentifier ::= SEQUENCE {
    keyIdentifier OCTET STRING,
    date GeneralizedTime OPTIONAL,
    other OtherKeyAttribute OPTIONAL }

It should be possible to add a recipient with a symmetric key and key identifier before encryption takes place.
