2002-10-09 14:06:12 +02:00
|
|
|
=pod
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
PKCS7_encrypt - create a PKCS#7 envelopedData structure
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
2006-05-14 13:28:00 +02:00
|
|
|
#include <openssl/pkcs7.h>
|
|
|
|
|
|
|
|
PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags);
|
2002-10-09 14:06:12 +02:00
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B<certs>
|
|
|
|
is a list of recipient certificates. B<in> is the content to be encrypted.
|
|
|
|
B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
|
|
|
|
|
|
|
|
=head1 NOTES
|
|
|
|
|
|
|
|
Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates
|
|
|
|
supplied to this function must all contain RSA public keys, though they do not have to
|
|
|
|
be signed using the RSA algorithm.
|
|
|
|
|
|
|
|
EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because
|
|
|
|
most clients will support it.
|
|
|
|
|
|
|
|
Some old "export grade" clients may only support weak encryption using 40 or 64 bit
|
|
|
|
RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() respectively.
|
|
|
|
|
|
|
|
The algorithm passed in the B<cipher> parameter must support ASN1 encoding of its
|
|
|
|
parameters.
|
|
|
|
|
2002-10-09 15:10:23 +02:00
|
|
|
Many browsers implement a "sign and encrypt" option which is simply an S/MIME
|
|
|
|
envelopedData containing an S/MIME signed message. This can be readily produced
|
|
|
|
by storing the S/MIME signed message in a memory BIO and passing it to
|
|
|
|
PKCS7_encrypt().
|
|
|
|
|
2002-10-09 14:06:12 +02:00
|
|
|
The following flags can be passed in the B<flags> parameter.
|
|
|
|
|
|
|
|
If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended
|
|
|
|
to the data.
|
|
|
|
|
|
|
|
Normally the supplied content is translated into MIME canonical format (as required
|
|
|
|
by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation occurs. This
|
|
|
|
option should be used if the supplied data is in binary format otherwise the translation
|
|
|
|
will corrupt it. If B<PKCS7_BINARY> is set then B<PKCS7_TEXT> is ignored.
|
|
|
|
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
|
|
|
|
PKCS7_encrypt() returns either a valid PKCS7 structure or NULL if an error occurred.
|
|
|
|
The error can be obtained from ERR_get_error(3).
|
|
|
|
|
|
|
|
=head1 BUGS
|
|
|
|
|
|
|
|
The lack of single pass processing and need to hold all data in memory as
|
|
|
|
mentioned in PKCS7_sign() also applies to PKCS7_verify().
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
|
|
L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
|
|
|
|
|
|
|
|
=head1 HISTORY
|
|
|
|
|
|
|
|
PKCS7_decrypt() was added to OpenSSL 0.9.5
|
|
|
|
|
|
|
|
=cut
|