1=pod 2 3=head1 NAME 4 5PKCS7_encrypt - create a PKCS#7 envelopedData structure 6 7=head1 SYNOPSIS 8 9 #include <openssl/pkcs7.h> 10 11 PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags); 12 13=head1 DESCRIPTION 14 15PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B<certs> 16is a list of recipient certificates. B<in> is the content to be encrypted. 17B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags. 18 19=head1 NOTES 20 21Only RSA keys are supported in PKCS#7 and envelopedData so the recipient 22certificates supplied to this function must all contain RSA public keys, though 23they do not have to be signed using the RSA algorithm. 24 25EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use 26because most clients will support it. 27 28Some old "export grade" clients may only support weak encryption using 40 or 64 29bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() 30respectively. 31 32The algorithm passed in the B<cipher> parameter must support ASN1 encoding of 33its parameters. 34 35Many browsers implement a "sign and encrypt" option which is simply an S/MIME 36envelopedData containing an S/MIME signed message. This can be readily produced 37by storing the S/MIME signed message in a memory BIO and passing it to 38PKCS7_encrypt(). 39 40The following flags can be passed in the B<flags> parameter. 41 42If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are 43prepended to the data. 44 45Normally the supplied content is translated into MIME canonical format (as 46required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation 47occurs. This option should be used if the supplied data is in binary format 48otherwise the translation will corrupt it. If B<PKCS7_BINARY> is set then 49B<PKCS7_TEXT> is ignored. 50 51If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output 52suitable for streaming I/O: no data is read from the BIO B<in>. 53 54=head1 NOTES 55 56If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not> 57complete and outputting its contents via a function that does not 58properly finalize the B<PKCS7> structure will give unpredictable 59results. 60 61Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(), 62PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization 63can be performed by obtaining the streaming ASN1 B<BIO> directly using 64BIO_new_PKCS7(). 65 66=head1 RETURN VALUES 67 68PKCS7_encrypt() returns either a PKCS7 structure or NULL if an error occurred. 69The error can be obtained from ERR_get_error(3). 70 71=head1 SEE ALSO 72 73L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)> 74 75=head1 HISTORY 76 77PKCS7_decrypt() was added to OpenSSL 0.9.5 78The B<PKCS7_STREAM> flag was first supported in OpenSSL 1.0.0. 79 80=cut 81