How do I encrypt with aes-256-gcm and put it in a pkcs7 file? (C#)

A place for C# programmers to talk

Anonymous

Post by Anonymous »


To follow the new Peppol requirements for banking in Norway I have to use asymmetric encryption. The file I need to send is a pkcs#7 file and the encryption of the key needs to be aes-256-gcm.

Note that I am working on a Windows machine and am hoping to be able to do this in C#.

Encryption by itself works fine

Using only System.Security.Cryptography I can do this:

    X509Certificate2 cert = new X509Certificate2(certificateAsByteArray);
    byte[] encryptedData = new byte[indreAsice.Length]; // GCM ciphertext has the same length as the plaintext being encrypted
    byte[] tag = new byte[16];   // GCM tag length is 16 bytes
    byte[] nonce = new byte[12]; // GCM standard nonce length is 12 bytes
    RandomNumberGenerator.Fill(nonce); // Generate a random nonce
    byte[] symmetricKey = new byte[32]; // 256 bits for AES-256-GCM
    RandomNumberGenerator.Fill(symmetricKey);
    using (AesGcm aesGcm = new AesGcm(symmetricKey))
    {
        aesGcm.Encrypt(nonce, indreAsice, encryptedData, tag);
    }

But I don't know how to get this into a pkcs#7 file.

MimeKit makes pkcs#7 file

MimeKit is a tool that helps with this.

    var pkcs7AsStream = new MemoryStream();
    using (var memoryStream = new MemoryStream(indreAsice))
    using (var ctx = new AesGcmContextContext())
    {
        ctx.Import(cert);
        var recipients = new MimeKit.Cryptography.CmsRecipientCollection
        {
            new MimeKit.Cryptography.CmsRecipient(cert)
        };
        var mimePart = new MimePart(MimeKit.ContentType.Parse("application/pkcs7-mime"))
        {
            Content = new MimeContent(memoryStream)
        };
        var mime = ApplicationPkcs7Mime.Encrypt(ctx, recipients, mimePart);
        mime.WriteTo(pkcs7AsStream);
    }
    pkcs7AsStream.Seek(0, SeekOrigin.Begin);

The context is overridden by me:

    public class AesGcmContextContext : TemporarySecureMimeContext
    {
        protected override EncryptionAlgorithm GetPreferredEncryptionAlgorithm(MimeKit.Cryptography.CmsRecipientCollection recipients)
        {
            return EncryptionAlgorithm.Aes256;
            //return base.GetPreferredEncryptionAlgorithm(recipients);
        }
    }

This gives a pkcs#7 file where the encryption used is aes-256-cbc, not aes-256-gcm. It turns out you can't choose aes-256-gcm in MimeKit, and .Aes256 gives aes-256-cbc.

OpenSSL

Another way of generating pkcs#7 is OpenSSL using cms like this:

    openssl cms -encrypt -in plaintext.txt -outform DER -out cms-enveloped-data.p7m -aes-256-gcm recipient-cert.pem

But this does not work. The same command with aes-256-cbc works fine though.

BouncyCastle

It is perhaps here the best chance lies, but I can't seem to get this to work:

    Org.BouncyCastle.Cms.CmsEnvelopedDataGenerator envData = new CmsEnvelopedDataGenerator();
    envData.AddKeyTransRecipient(sertifikater.GetPublicCertificate());
    var enveloped = envData.Generate(new CmsProcessableByteArray(data), "2.16.840.1.101.3.4.1.46");
    var kryptencoded = enveloped.GetEncoded();

It accepts 2.16.840.1.101.3.4.1.42 (aes-256-cbc), but not 2.16.840.1.101.3.4.1.46 (aes-256-gcm).

My latest attempt is to use CryptoConfig.AddAlgorithm to add the algorithm, but with no success.

Finally the question:

It seems aes-256-gcm and pkcs#7 don't like each other. I have heard that this works fine in the Java world, but we want to stay with .Net as everything else we do is .Net. How do I get this working?


Source: https://stackoverflow.com/questions/772 ... pkcs7-file
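As an added illustration of what the question is chasing (example code, not taken from the post or from MimeKit, OpenSSL or BouncyCastle), the script below builds the CMS structures in which AES-256-GCM content is defined to travel: the GCMParameters of RFC 5084, which carry a nonce plus an ICV length rather than CBC's bare IV, and the AuthEnvelopedData of RFC 5083, whose separate `mac` field holds the GCM tag. It is written in Python to show the byte layout independently of C#; the nonce, ciphertext, tag and the empty recipientInfos SET are constructed placeholder inputs.

```python
# Added example, not code from the original post: DER-encodes the CMS pieces
# that carry AES-256-GCM content, per RFC 5084 (GCMParameters: nonce plus ICV
# length, unlike CBC's bare IV OCTET STRING) and RFC 5083 (AuthEnvelopedData,
# whose `mac` field holds the GCM tag). Standard library only; the ciphertext
# and tag are passed in rather than computed here.
ID_DATA = "1.2.840.113549.1.7.1"
ID_AES256_GCM = "2.16.840.1.101.3.4.1.46"  # the OID BouncyCastle rejected

def der_len(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def gcm_parameters(nonce, icv_len=16):
    # GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen INTEGER DEFAULT 12 }
    if not 12 <= icv_len <= 16:
        raise ValueError("AES-GCM-ICVlen must be 12..16 (RFC 5084)")
    body = tlv(0x04, nonce)
    if icv_len != 12:  # DER omits a value equal to its DEFAULT
        body += tlv(0x02, bytes([icv_len]))
    return tlv(0x30, body)

def encrypted_content_info(nonce, ciphertext, icv_len=16):
    # SEQUENCE { contentType OID, AlgorithmIdentifier, encryptedContent [0] IMPLICIT OCTET STRING }
    alg = tlv(0x30, der_oid(ID_AES256_GCM) + gcm_parameters(nonce, icv_len))
    return tlv(0x30, der_oid(ID_DATA) + alg + tlv(0x80, ciphertext))

def auth_enveloped_data(nonce, ciphertext, tag, recipient_infos=tlv(0x31, b"")):
    # AuthEnvelopedData ::= SEQUENCE { version 0, recipientInfos SET, authEncryptedContentInfo, mac }
    # recipient_infos defaults to an empty SET, a placeholder for the real KeyTransRecipientInfo
    if len(tag) != 16:
        raise ValueError("tag must match the 16-byte ICV length encoded above")
    return tlv(0x30, tlv(0x02, b"\x00") + recipient_infos
               + encrypted_content_info(nonce, ciphertext) + tlv(0x04, tag))
```

Feeding the result to `openssl asn1parse -inform DER` shows the aes256-GCM AlgorithmIdentifier with its SEQUENCE parameters, which is the shape a tool must emit before it can claim GCM support in CMS.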