CMS_ENCRYPT(3) FreeBSD Library Functions Manual CMS_ENCRYPT(3)

CMS_encrypt - create a CMS EnvelopedData structure

#include <openssl/cms.h>

CMS_ContentInfo *
CMS_encrypt(STACK_OF(X509) *certificates, BIO *in, const EVP_CIPHER *cipher, unsigned int flags);

CMS_encrypt() creates a CMS EnvelopedData structure, encrypting the content provided by in.

The recipient certificates are added as KeyTransRecipientInfo structures by calling the function CMS_add1_recipient_cert(3) internally. Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this function. The certificates argument can be set to NULL if the CMS_PARTIAL flag is set and recipients are added later using CMS_add1_recipient_cert(3) or CMS_add0_recipient_key(3).

cipher is the symmetric cipher to use. It must support ASN.1 encoding of its parameters. EVP_des_ede3_cbc(3) (triple DES) is the algorithm of choice for S/MIME use because most clients support it.

Many browsers implement a "sign and encrypt" option which is simply an S/MIME EnvelopedData containing an S/MIME signed message. This can be readily produced by storing the S/MIME signed message in a memory BIO and passing it to CMS_encrypt().

The following flags can be passed in the flags parameter:

CMS_TEXT: MIME headers for type text/plain are prepended to the data.
CMS_BINARY: Do not translate the supplied content into MIME canonical format even though that is required by the S/MIME specifications. This option should be used if the supplied data is in binary format. Otherwise, the translation will corrupt it. If CMS_BINARY is set, then CMS_TEXT is ignored.
CMS_USE_KEYID: Use the subject key identifier value to identify recipient certificates. An error occurs unless every recipient certificate has a subject key identifier extension. By default, issuer name and serial number are used instead.
CMS_STREAM: Return a partial CMS_ContentInfo structure suitable for streaming I/O: no data is read from the BIO in. Several functions including SMIME_write_CMS(3), i2d_CMS_bio_stream(3), or PEM_write_bio_CMS_stream(3) can be used to finalize the structure. Alternatively, finalization can be performed by obtaining the streaming ASN1 BIO directly using BIO_new_CMS(3). Outputting the content of the returned CMS_ContentInfo structure via a function that does not properly finalize it will give unpredictable results.
CMS_PARTIAL: Return a partial CMS_ContentInfo structure to which additional recipients and attributes can be added before finalization.
CMS_DETACHED: Omit the data being encrypted from the CMS_ContentInfo structure. This is rarely used in practice and is not supported by SMIME_write_CMS(3).

CMS_encrypt() returns either a CMS_ContentInfo structure or NULL if an error occurred. The error can be obtained from ERR_get_error(3).

CMS_add0_cert(3), CMS_add1_recipient_cert(3), CMS_ContentInfo_new(3), CMS_decrypt(3)

RFC 5652: Cryptographic Message Syntax (CMS)

  • section 6.1: EnvelopedData Type
  • section 6.2.1: KeyTransRecipientInfo Type

CMS_encrypt() first appeared in OpenSSL 0.9.8h and has been available since OpenBSD 6.7.

The CMS_STREAM flag first appeared in OpenSSL 1.0.0.

November 2, 2019 FreeBSD 14.3-RELEASE
