Tags: openssl, certificate, x509certificate, asic, xades

Strange behavior during encryption of ASiC ZIP archive


I'm currently implementing a feature which creates an ASiC-E with XAdES container for storing information regarding certain files along with their signatures (e.g. mimetype, file1.xml, META-INF/manifest.xml, META-INF/signatures.xml).

After the creation of the container I'm performing an encryption operation using an openssl command execution:

openssl cms -encrypt -in container.zip -out encrypted_data.cms -recip certificate.pem -outform PEM -aes-128-cbc

While attempting to decrypt the information from the CMS using the decrypt command:

openssl cms -decrypt -inform PEM -in encrypted_data.cms -out decrypted_output.zip -recip certificate.pem -inkey privateKey.pem

the zip file appears empty, containing only the bytes that indicate it's a zip file. Any advice on what I am doing wrong, or why the content of the zip file is not encrypted entirely, or why the output of the decryption is an empty zip?

Edit: The problem is not the extension, as the same happens with the .asice extension.


Solution

  • I've found the solution. The problem was that the -binary flag is essential during the execution. Here's more info on why it is important:

    When you pass a ZIP file without the -binary flag, OpenSSL tries to treat the input as an S/MIME message and may interpret binary data as needing conversion. This can lead to corruption, particularly when dealing with non-textual files like ZIP archives, images, or any other binary formats. If OpenSSL applies S/MIME canonicalization to binary files, it alters the file content by modifying newline characters or interpreting certain byte patterns in unintended ways. Metadata corruption occurs because S/MIME canonicalization assumes text data. The header and structure of binary files, like ZIP headers, require exact byte-for-byte preservation, which this process disrupts.
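As an added example (not code from the question or the answer above), the following script round-trips a constructed binary file through the encrypt and decrypt commands from the question, once with -binary and once without, and compares SHA-256 digests so the corruption is observable. It assumes only a local openssl binary and generates a throwaway self-signed recipient certificate; the file names are the question's.

```shell
#!/bin/sh
# Added example, not code from the original post: round-trip a constructed
# binary file through openssl cms with and without -binary and compare the
# SHA-256 of the decrypted output with the original. Assumes only openssl.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Throwaway self-signed recipient certificate and key (constructed for the demo).
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=asic-demo" \
        -keyout "$work/privateKey.pem" -out "$work/certificate.pem" \
        >/dev/null 2>&1
}

# Constructed stand-in for the ZIP: the "PK\003\004" local-file-header magic,
# then a NUL, a bare LF and a bare CR, the byte patterns that S/MIME text
# canonicalisation truncates or rewrites.
make_sample() {
    printf 'PK\003\004\024\000\n\r\001\377payload\n' > "$work/container.zip"
}

# SHA-256 hex digest of a file, via openssl so the demo has no other dependency.
digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Encrypt then decrypt with the commands from the question. $1 is "" or
# "-binary"; prints the digest of the decrypted file.
roundtrip() {
    flag=${1:-}
    openssl cms -encrypt $flag -in "$work/container.zip" -out "$work/enc.cms" \
        -recip "$work/certificate.pem" -outform PEM -aes-128-cbc
    openssl cms -decrypt $flag -inform PEM -in "$work/enc.cms" \
        -out "$work/dec.zip" -recip "$work/certificate.pem" \
        -inkey "$work/privateKey.pem"
    digest "$work/dec.zip"
}

# Returns 0 when the decrypted file is byte-identical to the input.
intact_after() {
    [ "$(roundtrip "$1")" = "$(digest "$work/container.zip")" ]
}

make_recipient
make_sample
intact_after -binary && echo "with -binary: intact"
intact_after "" || echo "without -binary: corrupted"
```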