1*2175Sjp161948=pod 2*2175Sjp161948 3*2175Sjp161948=head1 NAME 4*2175Sjp161948 5*2175Sjp161948PKCS7_encrypt - create a PKCS#7 envelopedData structure 6*2175Sjp161948 7*2175Sjp161948=head1 SYNOPSIS 8*2175Sjp161948 9*2175Sjp161948PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags); 10*2175Sjp161948 11*2175Sjp161948=head1 DESCRIPTION 12*2175Sjp161948 13*2175Sjp161948PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B<certs> 14*2175Sjp161948is a list of recipient certificates. B<in> is the content to be encrypted. 15*2175Sjp161948B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags. 16*2175Sjp161948 17*2175Sjp161948=head1 NOTES 18*2175Sjp161948 19*2175Sjp161948Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates 20*2175Sjp161948supplied to this function must all contain RSA public keys, though they do not have to 21*2175Sjp161948be signed using the RSA algorithm. 22*2175Sjp161948 23*2175Sjp161948EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because 24*2175Sjp161948most clients will support it. 25*2175Sjp161948 26*2175Sjp161948Some old "export grade" clients may only support weak encryption using 40 or 64 bit 27*2175Sjp161948RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() respectively. 28*2175Sjp161948 29*2175Sjp161948The algorithm passed in the B<cipher> parameter must support ASN1 encoding of its 30*2175Sjp161948parameters. 31*2175Sjp161948 32*2175Sjp161948Many browsers implement a "sign and encrypt" option which is simply an S/MIME 33*2175Sjp161948envelopedData containing an S/MIME signed message. This can be readily produced 34*2175Sjp161948by storing the S/MIME signed message in a memory BIO and passing it to 35*2175Sjp161948PKCS7_encrypt(). 36*2175Sjp161948 37*2175Sjp161948The following flags can be passed in the B<flags> parameter. 38*2175Sjp161948 39*2175Sjp161948If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended 40*2175Sjp161948to the data. 41*2175Sjp161948 42*2175Sjp161948Normally the supplied content is translated into MIME canonical format (as required 43*2175Sjp161948by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation occurs. This 44*2175Sjp161948option should be used if the supplied data is in binary format otherwise the translation 45*2175Sjp161948will corrupt it. If B<PKCS7_BINARY> is set then B<PKCS7_TEXT> is ignored. 46*2175Sjp161948 47*2175Sjp161948=head1 RETURN VALUES 48*2175Sjp161948 49*2175Sjp161948PKCS7_encrypt() returns either a valid PKCS7 structure or NULL if an error occurred. 50*2175Sjp161948The error can be obtained from ERR_get_error(3). 51*2175Sjp161948 52*2175Sjp161948=head1 BUGS 53*2175Sjp161948 54*2175Sjp161948The lack of single pass processing and need to hold all data in memory as 55*2175Sjp161948mentioned in PKCS7_sign() also applies to PKCS7_verify(). 56*2175Sjp161948 57*2175Sjp161948=head1 SEE ALSO 58*2175Sjp161948 59*2175Sjp161948L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)> 60*2175Sjp161948 61*2175Sjp161948=head1 HISTORY 62*2175Sjp161948 63*2175Sjp161948PKCS7_decrypt() was added to OpenSSL 0.9.5 64*2175Sjp161948 65*2175Sjp161948=cut 66