]>
Commit | Line | Data |
---|---|---|
4e1b50e2 DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
d8652be0 | 5 | PKCS7_encrypt_ex, PKCS7_encrypt |
90a1f2d7 | 6 | - create a PKCS#7 envelopedData structure |
4e1b50e2 DSH |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
c264592d UM |
10 | #include <openssl/pkcs7.h> |
11 | ||
d8652be0 MC |
12 | PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in, |
13 | const EVP_CIPHER *cipher, int flags, | |
b4250010 | 14 | OSSL_LIB_CTX *libctx, const char *propq); |
e9b77246 BB |
15 | PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, |
16 | int flags); | |
4e1b50e2 DSH |
17 | |
18 | =head1 DESCRIPTION | |
19 | ||
d8652be0 | 20 | PKCS7_encrypt_ex() creates and returns a PKCS#7 envelopedData structure. |
90a1f2d7 SL |
21 | I<certs> is a list of recipient certificates. I<in> is the content to be |
22 | encrypted. I<cipher> is the symmetric cipher to use. I<flags> is an optional set | |
23 | of flags. The library context I<libctx> and the property query I<propq> are used | |
24 | when retrieving algorithms from providers. | |
4e1b50e2 | 25 | |
4cfb986f DSH |
26 | Only RSA keys are supported in PKCS#7 and envelopedData so the recipient |
27 | certificates supplied to this function must all contain RSA public keys, though | |
28 | they do not have to be signed using the RSA algorithm. | |
4e1b50e2 | 29 | |
4cfb986f DSH |
30 | EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use |
31 | because most clients will support it. | |
4e1b50e2 | 32 | |
4cfb986f DSH |
33 | Some old "export grade" clients may only support weak encryption using 40 or 64 |
34 | bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() | |
35 | respectively. | |
4e1b50e2 | 36 | |
4cfb986f | 37 | The algorithm passed in the B<cipher> parameter must support ASN1 encoding of |
1bc74519 | 38 | its parameters. |
4e1b50e2 | 39 | |
4cfb986f | 40 | Many browsers implement a "sign and encrypt" option which is simply an S/MIME |
ec8ad2bb DSH |
41 | envelopedData containing an S/MIME signed message. This can be readily produced |
42 | by storing the S/MIME signed message in a memory BIO and passing it to | |
43 | PKCS7_encrypt(). | |
44 | ||
4e1b50e2 DSH |
45 | The following flags can be passed in the B<flags> parameter. |
46 | ||
4cfb986f DSH |
47 | If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are |
48 | prepended to the data. | |
4e1b50e2 | 49 | |
4cfb986f DSH |
50 | Normally the supplied content is translated into MIME canonical format (as |
51 | required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation | |
52 | occurs. This option should be used if the supplied data is in binary format | |
53 | otherwise the translation will corrupt it. If B<PKCS7_BINARY> is set then | |
54 | B<PKCS7_TEXT> is ignored. | |
4e1b50e2 | 55 | |
4cfb986f DSH |
56 | If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output |
57 | suitable for streaming I/O: no data is read from the BIO B<in>. | |
4e1b50e2 | 58 | |
4cfb986f DSH |
59 | If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not> |
60 | complete and outputting its contents via a function that does not | |
1bc74519 | 61 | properly finalize the B<PKCS7> structure will give unpredictable |
4cfb986f | 62 | results. |
4e1b50e2 | 63 | |
9034c56c | 64 | Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(), |
4cfb986f DSH |
65 | PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization |
66 | can be performed by obtaining the streaming ASN1 B<BIO> directly using | |
67 | BIO_new_PKCS7(). | |
4e1b50e2 | 68 | |
d8652be0 | 69 | PKCS7_encrypt() is similar to PKCS7_encrypt_ex() but uses default |
90a1f2d7 SL |
70 | values of NULL for the library context I<libctx> and the property query I<propq>. |
71 | ||
4cfb986f DSH |
72 | =head1 RETURN VALUES |
73 | ||
d8652be0 | 74 | PKCS7_encrypt_ex() and PKCS7_encrypt() return either a PKCS7 structure |
90a1f2d7 | 75 | or NULL if an error occurred. The error can be obtained from ERR_get_error(3). |
4e1b50e2 DSH |
76 | |
77 | =head1 SEE ALSO | |
78 | ||
9b86974e | 79 | L<ERR_get_error(3)>, L<PKCS7_decrypt(3)> |
4e1b50e2 DSH |
80 | |
81 | =head1 HISTORY | |
82 | ||
d8652be0 | 83 | The function PKCS7_encrypt_ex() was added in OpenSSL 3.0. |
90a1f2d7 | 84 | |
a528d4f0 | 85 | The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0. |
4e1b50e2 | 86 | |
e2f92610 RS |
87 | =head1 COPYRIGHT |
88 | ||
90a1f2d7 | 89 | Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 90 | |
4746f25a | 91 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
92 | this file except in compliance with the License. You can obtain a copy |
93 | in the file LICENSE in the source distribution or at | |
94 | L<https://www.openssl.org/source/license.html>. | |
95 | ||
96 | =cut |