diff options
Diffstat (limited to 'openssl/doc/crypto/PKCS7_encrypt.pod')
| -rw-r--r-- | openssl/doc/crypto/PKCS7_encrypt.pod | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/openssl/doc/crypto/PKCS7_encrypt.pod b/openssl/doc/crypto/PKCS7_encrypt.pod new file mode 100644 index 000000000..1a507b22a --- /dev/null +++ b/openssl/doc/crypto/PKCS7_encrypt.pod @@ -0,0 +1,65 @@ +=pod + +=head1 NAME + +PKCS7_encrypt - create a PKCS#7 envelopedData structure + +=head1 SYNOPSIS + +PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags); + +=head1 DESCRIPTION + +PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B<certs> +is a list of recipient certificates. B<in> is the content to be encrypted. +B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags. + +=head1 NOTES + +Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates +supplied to this function must all contain RSA public keys, though they do not have to +be signed using the RSA algorithm. + +EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because +most clients will support it. + +Some old "export grade" clients may only support weak encryption using 40 or 64 bit +RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() respectively. + +The algorithm passed in the B<cipher> parameter must support ASN1 encoding of its +parameters. + +Many browsers implement a "sign and encrypt" option which is simply an S/MIME +envelopedData containing an S/MIME signed message. This can be readily produced +by storing the S/MIME signed message in a memory BIO and passing it to +PKCS7_encrypt(). + +The following flags can be passed in the B<flags> parameter. + +If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended +to the data. + +Normally the supplied content is translated into MIME canonical format (as required +by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation occurs. This +option should be used if the supplied data is in binary format otherwise the translation +will corrupt it. If B<PKCS7_BINARY> is set then B<PKCS7_TEXT> is ignored. + +=head1 RETURN VALUES + +PKCS7_encrypt() returns either a valid PKCS7 structure or NULL if an error occurred. +The error can be obtained from ERR_get_error(3). + +=head1 BUGS + +The lack of single pass processing and need to hold all data in memory as +mentioned in PKCS7_sign() also applies to PKCS7_verify(). + +=head1 SEE ALSO + +L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)> + +=head1 HISTORY + +PKCS7_decrypt() was added to OpenSSL 0.9.5 + +=cut |