OpenSSL::PKCS7::PKCS7Error: decrypt error

[swapnils19]

smime = OpenSSL::PKCS7.read_smime(File.read('encrypted_smime.p7m'))
p_key = OpenSSL::PKey::RSA.new(File.read('pr_key.pem'))
cert = OpenSSL::X509::Certificate.new(File.read('cert.pem'))
smime.decrypt(p_key, cert)

Here in the decrypt line, I am getting the error specified in the title.
I am not sure why this error is causing, as I am able to decrypt the smime using openssl command line tool properly.

Also I have verified that the cert I am using is signed using the same private key that I am using in p_key.

Following is the command which is getting me the expected output -

openssl smime -decrypt -in encrypted_smime.p7m -inkey pr_key.pem -out decrypt_smime.pem

[rhenium]

How did you create encrypted_smime.p7m? And what version of OpenSSL and Ruby/OpenSSL are you using?

Adding OpenSSL.debug = true at the top of your code may be helpful to find out what is happening in lower level functions.

[swapnils19]

encrypted_smime.p7m is given by the 3rd party for cert that I have generated.
openssl version on my Ubuntu 17.10 is 1.0.2g 1 Mar 2016 and I didn't use openssl gem explicitly. Just using openssl bundled with ruby 2.4.2.

After adding OpenSSL.debug = true flag I am getting -

warning: error on stack: error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificate
warning: error on stack: error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
OpenSSL::PKCS7::PKCS7Error: decrypt error

According to this warning it is expecting Recipients for the smime mail but I didn't use recipients in a command as well.
Is it compulsory specify recipients here?
And if yes how can I specify in params for decrypt method?

[rhenium]

I didn't use openssl gem explicitly. Just using openssl bundled with ruby 2.4.2.

Then it is v2.0.x.

warning: error on stack: error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificate

It is complaining that none of the RecipientInfos contained in the PKCS #7 structure matches the identity (the issuer of the certificate and the serial number) of the certificate you gave. Something must be wrong with encrypted_smime.p7m or the certificate.

But, in your first comment, you didn't give the certificate to the openssl command, letting OpenSSL try all possible RecipientInfos:

openssl smime -decrypt -in encrypted_smime.p7m -inkey pr_key.pem -out decrypt_smime.pem

This seems a missing feature of OpenSSL::PKCS7#decrypt in any case. See #183.

[swapnils19]

Thanks for the quick response and updates @rhenium.
For now I am going with executing shell command specified above and manipulate the string output to get necessary info from the smime.

[swapnils19]

@rhenium can you also give an example of how to use decrypt function as I didn't find any proper code online that used it.

[rhenium]

For now I am going with executing shell command specified above and manipulate the string output to get necessary info from the smime.

Keep in mind that it is really little more than a kludge -- you really should check if the S/MIME is properly generated.

@rhenium can you also give an example of how to use decrypt function as I didn't find any proper code online that used it.

See PKCS7_decrypt(3) man page. The PKCS7_TEXT flag is available as OpenSSL::PKCS7::TEXT.