Document Encryption - Implementation Notes and Examples
Introduction =
This page intends to support the implementation of the Document Encryption (DEN) profile by providing examples and information on tooling support.
Tooling
CMS
Software | version | encryption (AES) | password | PKI | shared key | digest (SHA-256) | signature (RSA) | note |
---|---|---|---|---|---|---|---|---|
openssl | 1.0.0-d | + | - | + (note 1) | + | + | + | + |
BouncyCastle |
Interoperability
The following have been verified as being interoperable:
- OpenSSL with Bouncycastle. Tested features: PKI and password key management methods, AES encryption, signature
TBD: interoperability matrix
= Special cases
TBD: special cases, e.g. multiple recipients
= OpenSSL example
The following example demonstrates encryption of a file according to the CMS profile:
openssl cms -binary -digest_create -md sha256 -in doc.mime -outform der -out doc.digested
openssl cms -encrypt -binary -econtent_type pkcs7-digestData -aes256 -in doc.digested -keyform pem -inkey privatekey.pem -outform der -out doc.digested.encrypted_cert certificate.pem
notes:
- assumption: doc.mime contains mime-wrapped document
- proper handling of the econtent_type option requires a small patch
- example uses PKI key management method, AES-256 CBC encryption, SHA-256 digest
And decryption:
openssl cms -decrypt -inform der -in doc.digested.encrypted_cert -keyform pem -inkey recipientprivk.pem -outform der -out doc.digested.encrypted_cert.decrypted
openssl cms -digest_verify -inform der -in doc.digested.encrypted_cert.decrypted -outform der -out doc.digested.encrypted_cert.decrypted.verified
notes:
- doc.digested.encrypted_cert.decrypted.verified should equal doc.mime
A script demonstrating all key management methods (PKI, password, symmetric key), algorithms, signature, digest is available in the example files package.
Document Encryption (DEN)
MIME
Example MIME header for DEN:
MIME-Version: 1.0
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=doc.bin
XDM Media Encryption option
TBD: provide example on CMS encapsulation of ZIP-ed XDM media content (without MIME wrapper).
Example files, scripts, patches
A ZIP archive with example files and scripts demonstrating the application of CMS can be downloaded from the IHE FTP site: << url >>