
We developed an application that reads a CMS encoded PEM file with this command:

$ openssl cms -verify -in filepath -inform PEM -noverify

The file is digitally signed, but we don't care about it, as we only want to extract the contents inside (it starts with: -----BEGIN CMS----- and has a ".pem" extension). That is working like a charm.

Now, we need to write acceptance tests for this app, but we cannot use the production-handled CMS files, so we want to encode a custom file to use as "test input".

As far as I understand, we simply need to generate a CMS encoded file from an input file that 1) is not encrypted and 2) may or may not be digitally signed (but as far as I understand, that is not a must of CMS).

No matter which parameters we call openssl with, we cannot get this to work. This is more or less what we are trying (with all the -nosigs -noverify -nocerts -noattr -nodetach combinations):

$ openssl cms -in input.xml -outform PEM -cmsout -out output.pem

Any ideas? Thanks

  • I'm voting to close this question as off-topic because you are essentially asking on how to use a specific tool to do something which has nothing to do with security (you don't want signing or encrypting). It does not matter if this tool is typically used for things related to security since you want to use it for some non-security task. – Steffen Ullrich Nov 13 '19 at 13:43
  • @SteffenUllrich it could be, but CMS and openssl are security related tools. Also in my question I state that "it could or not be digitally signed", so if signing is necessary to perform this, I will accept that as an answer. – pragmatic_programmer Nov 13 '19 at 13:48

2 Answers


CMS has options for several types of messages including both signed and unsigned ones (and so does S/MIME, which is based on CMS), but the openssl cms -verify subcommand can only handle a signed message; -inform PEM and no -content further requires CMS (not S/MIME) and 'embedded' (not 'detached') format. Even though the purpose of your command is to discard the signature, your command requires the signature be there before it can be discarded.

To create such a signed message, you must have a keypair and certificate, but since the receiving command uses the seemingly contradictory combination -verify -noverify, this certificate doesn't need to be official; it can be a self-signed (dummy) cert you create yourself, which with openssl is easy:

# to create an RSA keypair and selfsigned cert for test
openssl req -newkey rsa:2048 -keyout testkey.pem -x509 [-days N] [-subj name] -out testcert.pem
# -subj name has the form /attr=value/attr=value/... where common attrs are 
# C (Country) ST (State/Province) L (Locality) O (Organization) OU (Org. Unit) CN (CommonName); 
# if you don't specify -subj you will be prompted for these fields 
# (unless you or someone has modified the config file on your system).
# -days N defaults to 30; for testing longer times like 10 or 20 years are popular.
# By default the keyfile is password-encrypted, and you must re-enter the password 
# to use it. For test this isn't needed; to avoid it add -nodes .

Then do:

openssl cms -sign -in $datafile -signer testcert.pem -inkey testkey.pem -nodetach -outform PEM -out $outfile
# possibly add -noattr; the command you posted works for SignedData
# either with or without signedAttributes, or even a mixture, 
# so I can't say whether you should test with, without, or both

(Change the filenames if needed to fit your environment or procedure(s).)

dave_thompson_085

I understand that you are aiming to create a CMS document with just Enveloped Data, which should be technically possible.

If you have already tried a combination of -nosigs & -cmsout, then I think you've reached the limit of what can be done with the command-line OpenSSL tool.

There are a couple of other things you can try:

  1. Try to execute the same request using the API interface, rather than the command line. There are sometimes configuration options available only through the API.
  2. The CMS format is based on DER encoding. You can experiment with generating Enveloped Data using a DER encoding tool like https://lapo.it/asn1js/.
  • To create CMS EnvelopedData at commandline use `openssl cms -encrypt -outform PEM recipcert` but it won't work for what this OP wants. – dave_thompson_085 Nov 14 '19 at 06:15