NAME
CMS_encrypt - create a CMS EnvelopedData

SYNOPSIS
#include <openssl/cms.h>

CMS_ContentInfo *
CMS_encrypt(STACK_OF(X509) *certificates, BIO *in, const EVP_CIPHER *cipher, unsigned int flags);
DESCRIPTION
CMS_encrypt() creates a CMS EnvelopedData structure, encrypting the content provided by in.

The recipient certificates are added as KeyTransRecipientInfo structures by calling CMS_add1_recipient_cert(3) internally. Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this function. The certificates argument can be set to NULL if the CMS_PARTIAL flag is set and recipients are added later using CMS_add1_recipient_cert(3).
cipher is the symmetric cipher to use. It must support ASN.1 encoding of its parameters. EVP_des_ede3_cbc(3) (triple DES) is the algorithm of choice for S/MIME use because most clients support it.
Many browsers implement a "sign and encrypt" option which is simply an S/MIME EnvelopedData containing an S/MIME signed message. This can be readily produced by storing the S/MIME signed message in a memory BIO and passing it to CMS_encrypt().
The following flags can be passed in the flags parameter:
- CMS_TEXT: MIME headers for type text/plain are prepended to the data.
- CMS_BINARY: Do not translate the supplied content into MIME canonical format even though that is required by the S/MIME specifications. This option should be used if the supplied data is in binary format. Otherwise, the translation will corrupt it. If CMS_BINARY is set, then CMS_TEXT is ignored.
- CMS_USE_KEYID: Use the subject key identifier value to identify recipient certificates. An error occurs if any recipient certificate does not have a subject key identifier extension. By default, issuer name and serial number are used instead.
- CMS_STREAM: Return a partial CMS_ContentInfo structure suitable for streaming I/O: no data is read from the BIO in. Several functions including SMIME_write_CMS(3), i2d_CMS_bio_stream(3), or PEM_write_bio_CMS_stream(3) can be used to finalize the structure. Alternatively, finalization can be performed by obtaining the streaming ASN1 BIO directly using BIO_new_CMS(3). Outputting the content of the returned CMS_ContentInfo structure via a function that does not properly finalize it will give unpredictable results.
- CMS_PARTIAL: Return a partial CMS_ContentInfo structure to which additional recipients and attributes can be added before finalization.
- CMS_DETACHED: Omit the data being encrypted from the CMS_ContentInfo structure. This is rarely used in practice and is not supported by SMIME_write_CMS(3).
RETURN VALUES
CMS_encrypt() returns either a CMS_ContentInfo structure or NULL if an error occurred. The error can be obtained from ERR_get_error(3).
SEE ALSO
CMS_add0_cert(3), CMS_add1_recipient_cert(3), CMS_ContentInfo_new(3), CMS_decrypt(3)
STANDARDS
RFC 5652: Cryptographic Message Syntax (CMS)
- section 6.1: EnvelopedData Type
- section 6.2.1: KeyTransRecipientInfo Type
HISTORY
CMS_encrypt() first appeared in OpenSSL 0.9.8h and has been available since OpenBSD 6.7.
The CMS_STREAM flag first appeared in