| yuezonghe | 824eb0c | 2024-06-27 02:32:26 -0700 | [diff] [blame] | 1 | =pod |
| 2 | |
| 3 | =head1 NAME |
| 4 | |
| 5 | PKCS7_encrypt - create a PKCS#7 envelopedData structure |
| 6 | |
| 7 | =head1 SYNOPSIS |
| 8 | |
| 9 | #include <openssl/pkcs7.h> |
| 10 | |
| 11 | PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, |
| 12 | int flags); |
| 13 | |
| 14 | =head1 DESCRIPTION |
| 15 | |
| 16 | PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B<certs> |
| 17 | is a list of recipient certificates. B<in> is the content to be encrypted. |
| 18 | B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags. |
| 19 | |
| 20 | =head1 NOTES |
| 21 | |
| 22 | Only RSA keys are supported in PKCS#7 and envelopedData so the recipient |
| 23 | certificates supplied to this function must all contain RSA public keys, though |
| 24 | they do not have to be signed using the RSA algorithm. |
| 25 | |
| 26 | EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use |
| 27 | because most clients will support it. |
| 28 | |
| 29 | Some old "export grade" clients may only support weak encryption using 40 or 64 |
| 30 | bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() |
| 31 | respectively. |
| 32 | |
| 33 | The algorithm passed in the B<cipher> parameter must support ASN1 encoding of |
| 34 | its parameters. |
| 35 | |
| 36 | Many browsers implement a "sign and encrypt" option which is simply an S/MIME |
| 37 | envelopedData containing an S/MIME signed message. This can be readily produced |
| 38 | by storing the S/MIME signed message in a memory BIO and passing it to |
| 39 | PKCS7_encrypt(). |
| 40 | |
| 41 | The following flags can be passed in the B<flags> parameter. |
| 42 | |
| 43 | If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are |
| 44 | prepended to the data. |
| 45 | |
| 46 | Normally the supplied content is translated into MIME canonical format (as |
| 47 | required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation |
| 48 | occurs. This option should be used if the supplied data is in binary format |
| 49 | otherwise the translation will corrupt it. If B<PKCS7_BINARY> is set then |
| 50 | B<PKCS7_TEXT> is ignored. |
| 51 | |
| 52 | If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output |
| 53 | suitable for streaming I/O: no data is read from the BIO B<in>. |
| 54 | |
| 55 | =head1 NOTES |
| 56 | |
| 57 | If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not> |
| 58 | complete and outputting its contents via a function that does not |
| 59 | properly finalize the B<PKCS7> structure will give unpredictable |
| 60 | results. |
| 61 | |
| 62 | Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(), |
| 63 | PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization |
| 64 | can be performed by obtaining the streaming ASN1 B<BIO> directly using |
| 65 | BIO_new_PKCS7(). |
| 66 | |
| 67 | =head1 RETURN VALUES |
| 68 | |
| 69 | PKCS7_encrypt() returns either a PKCS7 structure or NULL if an error occurred. |
| 70 | The error can be obtained from ERR_get_error(3). |
| 71 | |
| 72 | =head1 SEE ALSO |
| 73 | |
| 74 | L<ERR_get_error(3)>, L<PKCS7_decrypt(3)> |
| 75 | |
| 76 | =head1 HISTORY |
| 77 | |
| 78 | The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0. |
| 79 | |
| 80 | =head1 COPYRIGHT |
| 81 | |
| 82 | Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. |
| 83 | |
| 84 | Licensed under the OpenSSL license (the "License"). You may not use |
| 85 | this file except in compliance with the License. You can obtain a copy |
| 86 | in the file LICENSE in the source distribution or at |
| 87 | L<https://www.openssl.org/source/license.html>. |
| 88 | |
| 89 | =cut |