I'm currently implementing a feature which creates an ASiC-E with XAdES container for storing information regarding certain files along with their signatures (e.g. mimetype, file1.xml, META-INF/manifest.xml, META-INF/signatures.xml).
After the creation of the container I'm performing an encryption operation by executing an openssl command:
openssl cms -encrypt -in container.zip -out encrypted_data.cms -recip certificate.pem -outform PEM -aes-128-cbc
While attempting to decrypt the information from the CMS using the decrypt command:
openssl cms -decrypt -inform PEM -in encrypted_data.cms -out decrypted_output.zip -recip certificate.pem -inkey privateKey.pem
the zip file appears empty, containing only the binary header that indicates it's a zip file. Any advice on what I am doing wrong, on why the content of the zip file was not encrypted entirely, or on why the output of the decryption is an empty zip?
Edit: The problem is not caused by the extension, as the .asice extension does the same.
I've found the solution. The problem was that the -binary flag is essential during the execution.
Here's more info on why it is important:
When you pass a ZIP file without the -binary flag, OpenSSL tries to treat the input as an S/MIME message and may interpret binary data as needing conversion. This can lead to corruption, particularly when dealing with non-textual files like ZIP archives, images, or any other binary format.
If OpenSSL applies S/MIME canonicalization to binary files, it alters the file content by modifying newline characters or interpreting certain byte patterns in unintended ways. Metadata corruption occurs because S/MIME canonicalization assumes text data. The header and structure of binary files, like ZIP headers, require exact byte-for-byte preservation, which this process disrupts.
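The following script is an added example, not code from the original question or answer. It reproduces the round trip from the question end to end on a throwaway RSA recipient (a self-signed certificate and key that the script generates itself; the file names privateKey.pem and certificate.pem are assumed to match the question) and compares the decrypted output byte for byte with the input, once with the encrypt command exactly as posted and once with -binary added. The input is a constructed stand-in for container.zip: the ZIP local-header magic followed by bare LF, CRLF, CR and NUL bytes, the patterns that S/MIME text canonicalization rewrites.

```shell
#!/bin/sh
# Added example: show that `openssl cms -encrypt` without -binary corrupts a
# binary payload, and that -binary gives a byte-exact round trip.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway recipient: self-signed cert + private key (names assumed to
# mirror the question's certificate.pem / privateKey.pem).
gen_recipient() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=cms-binary-test" \
    -keyout "$WORK/privateKey.pem" -out "$WORK/certificate.pem" >/dev/null 2>&1
}

# Constructed stand-in for container.zip: ZIP local-header magic, then the
# byte patterns that text canonicalization does not preserve
# (bare LF, CRLF, CR before CRLF, NUL bytes, and text lines ending in LF).
make_sample() {
  printf 'PK\003\004\n\r\n\r\r\n\000\000\000mimetype\napplication/vnd.etsi.asic-e+zip\n' \
    > "$WORK/container.zip"
}

digest() {  # $1: file; prints its SHA-256 so two files can be compared
  openssl dgst -sha256 < "$1"
}

# Encrypt + decrypt as in the question. $1 is "" (the original command) or
# "-binary". Only the encrypt side reads the plaintext, so that is where the
# flag matters. Prints "identical" or "corrupted".
roundtrip() {
  flag=${1-}
  # shellcheck disable=SC2086  # $flag is intentionally word-split
  openssl cms -encrypt $flag -in "$WORK/container.zip" -out "$WORK/encrypted_data.cms" \
    -recip "$WORK/certificate.pem" -outform PEM -aes-128-cbc
  openssl cms -decrypt -inform PEM -in "$WORK/encrypted_data.cms" \
    -out "$WORK/decrypted_output.zip" \
    -recip "$WORK/certificate.pem" -inkey "$WORK/privateKey.pem"
  if [ "$(digest "$WORK/container.zip")" = "$(digest "$WORK/decrypted_output.zip")" ]; then
    echo identical
  else
    echo corrupted
  fi
}

gen_recipient
make_sample
printf 'input size: %s bytes\n' "$(wc -c < "$WORK/container.zip")"
printf 'without -binary: %s (decrypted size: %s bytes)\n' \
  "$(roundtrip "")" "$(wc -c < "$WORK/decrypted_output.zip")"
printf 'with    -binary: %s (decrypted size: %s bytes)\n' \
  "$(roundtrip -binary)" "$(wc -c < "$WORK/decrypted_output.zip")"
```

Running it prints "corrupted" for the command as posted and "identical" once -binary is added; the decrypted size line makes the damage visible, since the text path rewrites LF as CRLF and, reading the plaintext line by line, does not carry every byte of a NUL-laden ZIP header through, which is why the decrypted archive in the question looked like little more than a ZIP signature. Note that the same flag is needed with `openssl smime`, and that a real ASiC-E container should be verified after decryption (for example with `unzip -t`) rather than trusted because the decrypt command exited successfully.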