NAME
CMS_encrypt
—
create a CMS EnvelopedData
structure
SYNOPSIS
#include
<openssl/cms.h>
CMS_ContentInfo *
CMS_encrypt
(STACK_OF(X509)
*certificates, BIO *in, const
EVP_CIPHER *cipher, unsigned int flags);
DESCRIPTION
CMS_encrypt
()
creates a CMS EnvelopedData structure, encrypting the
content provided by in.
The recipient certificates are added as
KeyTransRecipientInfo structures by calling the
function
CMS_add1_recipient_cert(3) internally. Only certificates
carrying RSA, Diffie-Hellman or EC keys are supported by this function. The
certificates argument can be set to
NULL
if the CMS_PARTIAL
flag
is set and recipients are added later using
CMS_add1_recipient_cert(3) or
CMS_add0_recipient_key(3).
cipher is the symmetric cipher to use. It must support ASN.1 encoding of its parameters. EVP_des_ede3_cbc(3) (triple DES) is the algorithm of choice for S/MIME use because most clients support it.
Many browsers implement a "sign and
encrypt" option which is simply an S/MIME
EnvelopedData containing an S/MIME signed message.
This can be readily produced by storing the S/MIME signed message in a
memory BIO and passing it to
CMS_encrypt
().
The following flags can be passed in the flags parameter:
CMS_TEXT
- MIME headers for type text/plain are prepended to the data.
CMS_BINARY
- Do not translate the supplied content into MIME canonical format even
though that is required by the S/MIME specifications. This option should
be used if the supplied data is in binary format. Otherwise, the
translation will corrupt it. If
CMS_BINARY
is set, thenCMS_TEXT
is ignored. CMS_USE_KEYID
- Use the subject key identifier value to identify recipient certificates. An error occurs if all recipient certificates do not have a subject key identifier extension. By default, issuer name and serial number are used instead.
CMS_STREAM
- Return a partial CMS_ContentInfo structure suitable for streaming I/O: no data is read from the BIO in. Several functions including SMIME_write_CMS(3), i2d_CMS_bio_stream(3), or PEM_write_bio_CMS_stream(3) can be used to finalize the structure. Alternatively, finalization can be performed by obtaining the streaming ASN1 BIO directly using BIO_new_CMS(3). Outputting the content of the returned CMS_ContentInfo structure via a function that does not properly finalize it will give unpredictable results.
CMS_PARTIAL
- Return a partial CMS_ContentInfo structure to which additional recipients and attributes can be added before finalization.
CMS_DETACHED
- Omit the data being encrypted from the CMS_ContentInfo structure. This is rarely used in practice and is not supported by SMIME_write_CMS(3).
RETURN VALUES
CMS_encrypt
() returns either a
CMS_ContentInfo structure or
NULL
if an error occurred. The error can be obtained
from
ERR_get_error(3).
SEE ALSO
CMS_add0_cert(3), CMS_add1_recipient_cert(3), CMS_ContentInfo_new(3), CMS_decrypt(3)
STANDARDS
RFC 5652: Cryptographic Message Syntax (CMS)
- section 6.1: EnvelopedData Type
- section 6.2.1: KeyTransRecipientInfo Type
HISTORY
CMS_encrypt
() first appeared in OpenSSL
0.9.8h and has been available since OpenBSD 6.7.
The CMS_STREAM
flag first appeared in
OpenSSL 1.0.0.