CMS_get0_RecipientInfos, CMS_RecipientInfo_type, CMS_RecipientInfo_ktri_get0_signer_id, CMS_RecipientInfo_ktri_cert_cmp, CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id, CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key, CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encryptCMS EnvelopedData RecipientInfo routines

#include <openssl/cms.h>

STACK_OF(CMS_RecipientInfo) *
CMS_get0_RecipientInfos(CMS_ContentInfo *cms);

CMS_RecipientInfo_type(CMS_RecipientInfo *ri);

CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno);

CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *certificate);

CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);

CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg, ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate, ASN1_OBJECT **potherid, ASN1_TYPE **pothertype);

CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, const unsigned char *id, size_t idlen);

CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key, size_t keylen);

CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);

CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);

() returns all the RecipientInfo structures associated with the EnvelopedData structure cms.

() returns the type of ri:

for KeyTransRecipientInfo,
for KeyAgreeRecipientInfo,
for KEKRecipientInfo,
for PasswordRecipientinfo, or
for OtherRecipientInfo.

() retrieves the certificate RecipientIdentifier associated with the KeyTransRecipientInfo structure ri. Either the SubjectKeyIdentifier will be set in keyid or both issuer name and serial number in issuer and sno.

() compares the certificate against the KeyTransRecipientInfo structure ri.

() associates the private key pkey with the KeyTransRecipientInfo structure ri.

() retrieves the key information from the KEKRecipientInfo structure ri. Fields are copied out as follows:

keyEncryptionAlgorithm to *palg,
keyIdentifier to *pid,
date to *pdate (optional),
other.keyAttrId to *potherid (optional),
other.keyAttr to *pothertype (optional).
Where a field is optional and absent, NULL is written to the corresponding parameter. Parameters the application is not interested in can be set to NULL.

() compares the identifier in the id and idlen parameters against the keyIdentifier field of the KEKRecipientInfo structure ri.

() associates the symmetric key of length keylen with the KEKRecipientInfo structure ri.

() attempts to decrypt the RecipientInfo structure ri in cms. A key must have been associated with ri first.

() attempts to encrypt the RecipientInfo structure ri in cms. A key must have been associated with ri first and the content encryption key must be available, for example by a previous call to CMS_RecipientInfo_decrypt().

The main purpose of these functions is to enable an application to lookup recipient keys using any appropriate technique when the simpler method of CMS_decrypt(3) is not appropriate.

In typical usage, an application retrieves all CMS_RecipientInfo structures using () and checks the type of each using CMS_RecipientInfo_type(). Depending on the type, the CMS_RecipientInfo structure can be ignored or its key identifier data retrieved using an appropriate function. If the corresponding secret or private key can be obtained by any appropriate means, it can then be associated with the structure and CMS_RecipientInfo_decrypt() called. If successful, CMS_decrypt(3) can be called with a NULL key to decrypt the enveloped content.

The function () can be used to add a new recipient to an existing enveloped data structure. Typically an application will first decrypt an appropriate CMS_RecipientInfo structure to make the content encrypt key available. It will then add a new recipient using a function such as CMS_add1_recipient_cert(3) and finally encrypt the content encryption key using CMS_RecipientInfo_encrypt().

CMS_get0_RecipientInfos() returns an internal pointer to all the CMS_RecipientInfo structures, or NULL if an error occurs.

CMS_RecipientInfo_type() returns an integer constant.

CMS_RecipientInfo_ktri_get0_signer_id(), CMS_RecipientInfo_set0_pkey(), CMS_RecipientInfo_kekri_get0_id(), CMS_RecipientInfo_set0_key(), CMS_RecipientInfo_decrypt(), and CMS_RecipientInfo_encrypt() return 1 for success or 0 if an error occurs.

CMS_RecipientInfo_ktri_cert_cmp() and CMS_RecipientInfo_kekri_id_cmp() return 0 when ri matches or non-zero otherwise.

Any error can be obtained from ERR_get_error(3).

CMS_ContentInfo_new(3), CMS_decrypt(3)

RFC 5652 Cryptographic Message Syntax (CMS):

  • section 6.1: EnvelopedData Type
  • section 6.2: RecipientInfo Type
  • section 6.2.1: KeyTransRecipientInfo Type
  • section 6.2.3: KEKRecipientInfo Type

These functions first appeared in OpenSSL 0.9.8h, except that CMS_RecipientInfo_encrypt() first appeared in OpenSSL 1.0.2. They have been available since OpenBSD 6.7.

March 31, 2022 OpenBSD 7.5