=pod

=head1 NAME

PKCS7_encrypt - create a PKCS#7 envelopedData structure

=head1 SYNOPSIS

 #include <openssl/pkcs7.h>

 PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
                      int flags);

=head1 DESCRIPTION

PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B<certs>
is a list of recipient certificates. B<in> is the content to be encrypted.
B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
The content is encrypted once under a freshly generated key for B<cipher>; that
content-encryption key is then encrypted separately to the public key in each
recipient certificate, so any one of the recipients can open the result.

=head1 NOTES

Only RSA keys are supported in PKCS#7 and envelopedData so the recipient
certificates supplied to this function must all contain RSA public keys, though
they do not have to be signed using the RSA algorithm.

EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use
because most clients will support it. Where all recipients are known to handle
AES, EVP_aes_128_cbc() or EVP_aes_256_cbc() is the stronger choice.

Some old "export grade" clients may only support weak encryption using 40 or 64
bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc()
respectively. Neither key size resists a determined attacker, so they should
only be chosen when interoperability with such a client is unavoidable.

The algorithm passed in the B<cipher> parameter must support ASN1 encoding of
its parameters.

Many browsers implement a "sign and encrypt" option which is simply an S/MIME
envelopedData containing an S/MIME signed message. This can be readily produced
by storing the S/MIME signed message in a memory BIO and passing it to
PKCS7_encrypt().

The following flags can be passed in the B<flags> parameter.

If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are
prepended to the data.

Normally the supplied content is translated into MIME canonical format (as
required by the S/MIME specifications); if B<PKCS7_BINARY> is set no translation
occurs. This option should be used if the supplied data is in binary format,
otherwise the translation (for example rewriting bare LF line endings as CRLF)
will corrupt it. If B<PKCS7_BINARY> is set then B<PKCS7_TEXT> is ignored.

If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output
suitable for streaming I/O: no data is read from the BIO B<in>.

If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not>
complete and outputting its contents via a function that does not
properly finalize the B<PKCS7> structure will give unpredictable
results.

Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream() and
PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization
can be performed by obtaining the streaming ASN1 B<BIO> directly using
BIO_new_PKCS7().

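The C<openssl smime> subcommand is the command-line front end to PKCS7_encrypt():
its C<-binary>, C<-text> and C<-stream> options set B<PKCS7_BINARY>,
B<PKCS7_TEXT> and B<PKCS7_STREAM>, and its S/MIME output goes through
SMIME_write_PKCS7(), which finalizes a streaming structure. The script below is
an added example, not part of this manual page or of OpenSSL's own code. It
assumes an C<openssl> binary (1.1.x or 3.x) plus C<mktemp>, C<cmp>, C<wc> and
C<tr> on PATH; every file name, the recipient subject and both payloads are
constructed for the demonstration. It walks the DESCRIPTION (encrypt to an RSA
recipient, decrypt again), the "sign and encrypt" layout from NOTES, the
B<PKCS7_BINARY> caveat (the non-binary copy of a payload with bare LF line
endings comes back two bytes longer) and a streaming-mode envelope that the CLI
finalizes for you.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL manual page. Drives PKCS7_encrypt()
# through `openssl smime -encrypt`, whose -binary, -text and -stream options
# set PKCS7_BINARY, PKCS7_TEXT and PKCS7_STREAM. Assumes an `openssl` binary
# (1.1.x or 3.x), mktemp, cmp, wc and tr on PATH; file names, the subject
# name and the payloads are arbitrary, constructed inputs.

# Creates a throw-away recipient (RSA key + self-signed cert) in directory $1.
# The key must be RSA: PKCS#7 envelopedData supports no other recipient type.
pkcs7_make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pkcs7-demo-recipient" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Envelopes file $2 for the recipient in $1 with AES-256-CBC, writing $4.
# $3 selects "binary" (PKCS7_BINARY: bytes pass through untouched) or "text"
# (default MIME canonicalisation; -stream adds PKCS7_STREAM, and the CLI's
# SMIME_write_PKCS7() call finalizes the partial structure).
pkcs7_encrypt_file() {
    case $3 in
        binary) openssl smime -encrypt -aes256 -binary -in "$2" -out "$4" "$1/cert.pem" ;;
        text)   openssl smime -encrypt -aes256 -stream -in "$2" -out "$4" "$1/cert.pem" ;;
        *)      return 2 ;;
    esac
}

# Opens envelope $2 with the private key in $1 and writes the content to $3.
pkcs7_decrypt_file() {
    openssl smime -decrypt -in "$2" -inkey "$1/key.pem" -recip "$1/cert.pem" -out "$3"
}

# Round-trips a constructed 4-byte payload with bare LF line endings, once per
# mode. Prints "<binary copy intact?> <binary bytes> <text bytes>". The text
# copy comes back as "a\r\nb\r\n": canonicalisation rewrote LF as CRLF, which
# is the corruption the NOTES warn about for binary data. The -binary copy is
# byte-identical to the input.
pkcs7_canonicalisation_demo() {
    dir=$(mktemp -d) || return 1
    printf 'a\nb\n' > "$dir/plain"
    pkcs7_make_recipient "$dir" || return 1
    pkcs7_encrypt_file "$dir" "$dir/plain" binary "$dir/bin.p7m" || return 1
    pkcs7_encrypt_file "$dir" "$dir/plain" text   "$dir/txt.p7m" || return 1
    pkcs7_decrypt_file "$dir" "$dir/bin.p7m" "$dir/bin.out" || return 1
    pkcs7_decrypt_file "$dir" "$dir/txt.p7m" "$dir/txt.out" || return 1
    if cmp -s "$dir/plain" "$dir/bin.out"; then intact=yes; else intact=no; fi
    bin_bytes=$(wc -c < "$dir/bin.out" | tr -d ' ')
    txt_bytes=$(wc -c < "$dir/txt.out" | tr -d ' ')
    rm -rf "$dir"
    echo "$intact $bin_bytes $txt_bytes"
}

# "Sign and encrypt" as described in the NOTES: the S/MIME signed message is
# itself the content handed to the envelope. Prints the verified plaintext.
pkcs7_sign_then_encrypt_demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello, world\n' > "$dir/msg"
    pkcs7_make_recipient "$dir" || return 1
    openssl smime -sign -in "$dir/msg" -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/signed.eml" || return 1
    openssl smime -encrypt -aes256 -in "$dir/signed.eml" -out "$dir/outer.eml" \
        "$dir/cert.pem" || return 1
    # Receiving side: open the envelope first, then verify the inner signature
    # against the (self-signed, hence self-trusted) signer certificate.
    pkcs7_decrypt_file "$dir" "$dir/outer.eml" "$dir/inner.eml" || return 1
    openssl smime -verify -in "$dir/inner.eml" -CAfile "$dir/cert.pem" \
        -out "$dir/verified" >/dev/null 2>&1 || return 1
    tr -d '\r' < "$dir/verified"
    rm -rf "$dir"
}

# Stand-alone run:
#   pkcs7_canonicalisation_demo    -> yes 4 6
#   pkcs7_sign_then_encrypt_demo   -> hello, world
```

Run C<pkcs7_canonicalisation_demo> and compare the two byte counts: the
C<-binary> envelope returns the input unchanged, while the default path grew
the payload from 4 to 6 bytes, which for a real binary file (a PDF, a zip) is
silent corruption. The sign-then-encrypt function is the same pipeline a mail
client runs, with the receiver opening the envelope before checking the
signature.
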
=head1 RETURN VALUES

PKCS7_encrypt() returns either a PKCS7 structure or NULL if an error occurred.
The error can be obtained from ERR_get_error(3).

=head1 SEE ALSO

L<ERR_get_error(3)>, L<PKCS7_decrypt(3)>

=head1 HISTORY

The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0.

=head1 COPYRIGHT

Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut