Sortix
current nightly

Sortix nightly manual

This manual documents Sortix nightly, a development build that has not been officially released. You can instead view this document in the latest official manual.

NAME

CMS_encryptcreate a CMS EnvelopedData structure

SYNOPSIS

#include <openssl/cms.h>
CMS_ContentInfo *
CMS_encrypt(STACK_OF(X509) *certificates, BIO *in, const EVP_CIPHER *cipher, unsigned int flags);

DESCRIPTION

CMS_encrypt() creates a CMS EnvelopedData structure, encrypting the content provided by in.
The recipient certificates are added as KeyTransRecipientInfo structures by calling the function CMS_add1_recipient_cert(3) internally. Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this function. The certificates argument can be set to NULL if the CMS_PARTIAL flag is set and recipients are added later using CMS_add1_recipient_cert(3) or CMS_add0_recipient_key(3).
cipher is the symmetric cipher to use. It must support ASN.1 encoding of its parameters. EVP_des_ede3_cbc(3) (triple DES) is the algorithm of choice for S/MIME use because most clients support it.
Many browsers implement a "sign and encrypt" option which is simply an S/MIME EnvelopedData containing an S/MIME signed message. This can be readily produced by storing the S/MIME signed message in a memory BIO and passing it to CMS_encrypt().
The following flags can be passed in the flags parameter:
CMS_TEXT
MIME headers for type text/plain are prepended to the data.
CMS_BINARY
Do not translate the supplied content into MIME canonical format even though that is required by the S/MIME specifications. This option should be used if the supplied data is in binary format. Otherwise, the translation will corrupt it. If CMS_BINARY is set, then CMS_TEXT is ignored.
CMS_USE_KEYID
Use the subject key identifier value to identify recipient certificates. An error occurs if all recipient certificates do not have a subject key identifier extension. By default, issuer name and serial number are used instead.
CMS_STREAM
Return a partial CMS_ContentInfo structure suitable for streaming I/O: no data is read from the BIO in. Several functions including SMIME_write_CMS(3), i2d_CMS_bio_stream(3), or PEM_write_bio_CMS_stream(3) can be used to finalize the structure. Alternatively, finalization can be performed by obtaining the streaming ASN1 BIO directly using BIO_new_CMS(3). Outputting the content of the returned CMS_ContentInfo structure via a function that does not properly finalize it will give unpredictable results.
CMS_PARTIAL
Return a partial CMS_ContentInfo structure to which additional recipients and attributes can be added before finalization.
CMS_DETACHED
Omit the data being encrypted from the CMS_ContentInfo structure. This is rarely used in practice and is not supported by SMIME_write_CMS(3).

RETURN VALUES

CMS_encrypt() returns either a CMS_ContentInfo structure or NULL if an error occurred. The error can be obtained from ERR_get_error(3).

SEE ALSO

CMS_add0_cert(3), CMS_add1_recipient_cert(3), CMS_ContentInfo_new(3), CMS_decrypt(3)

STANDARDS

RFC 5652: Cryptographic Message Syntax (CMS)
  • section 6.1: EnvelopedData Type
  • section 6.2.1: KeyTransRecipientInfo Type

HISTORY

CMS_encrypt() first appeared in OpenSSL 0.9.8h and has been available since OpenBSD 6.7.
The CMS_STREAM flag first appeared in OpenSSL 1.0.0.
Copyright 2011-2024 Jonas 'Sortie' Termansen and contributors.
Sortix is free software under the ISC license. 		#sortix on irc.sortix.org
@sortix_org