summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorJakub Zelenka <jakub.openssl@gmail.com>2020-09-06 20:11:34 +0200
committerTomas Mraz <tmraz@fedoraproject.org>2020-09-08 15:43:11 +0200
commit924663c36d47066d5307937da77fed7e872730c7 (patch)
treea60cfe385cc29402bdaceaaa5a8b069ca6a6a50a /doc
parentapps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option (diff)
downloadopenssl-924663c36d47066d5307937da77fed7e872730c7.tar.xz
openssl-924663c36d47066d5307937da77fed7e872730c7.zip
Add CMS AuthEnvelopedData with AES-GCM support
Add the AuthEnvelopedData as defined in RFC 5083 with AES-GCM parameter as defined in RFC 5084. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/8024)
Diffstat (limited to 'doc')
-rw-r--r--doc/man1/openssl-cms.pod.in3
-rw-r--r--doc/man3/CMS_EnvelopedData_create.pod48
-rw-r--r--doc/man3/CMS_decrypt.pod6
-rw-r--r--doc/man3/CMS_encrypt.pod22
4 files changed, 51 insertions, 28 deletions
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index def9766b3c..ebe3fbda8c 100644
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -309,6 +309,9 @@ EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
supported by your version of OpenSSL.
+Currently the AES variants with GCM mode are the only supported AEAD
+algorithms.
+
If not specified triple DES is used. Only used with B<-encrypt> and
B<-EncryptedData_create> commands.
diff --git a/doc/man3/CMS_EnvelopedData_create.pod b/doc/man3/CMS_EnvelopedData_create.pod
index e6903ea3f8..6978aaabcb 100644
--- a/doc/man3/CMS_EnvelopedData_create.pod
+++ b/doc/man3/CMS_EnvelopedData_create.pod
@@ -2,25 +2,39 @@
=head1 NAME
-CMS_EnvelopedData_create_with_libctx, CMS_EnvelopedData_create
+CMS_EnvelopedData_create_with_libctx, CMS_EnvelopedData_create,
+CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_with_libctx
- Create CMS envelope
=head1 SYNOPSIS
#include <openssl/cms.h>
- CMS_ContentInfo *CMS_EnvelopedData_create_with_libctx(const EVP_CIPHER *cipher,
- OPENSSL_CTX *libctx,
- const char *propq);
+ CMS_ContentInfo *
+ CMS_EnvelopedData_create_with_libctx(const EVP_CIPHER *cipher,
+ OPENSSL_CTX *libctx,
+ const char *propq);
CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
+ CMS_ContentInfo *
+ CMS_AuthEnvelopedData_create_with_libctx(const EVP_CIPHER *cipher,
+ OPENSSL_CTX *libctx,
+ const char *propq);
+ CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher);
+
=head1 DESCRIPTION
-CMS_EnvelopedData_create_with_libctx() creates a B<CMS_ContentInfo> structure with
-a type B<NID_pkcs7_enveloped>. I<cipher> is the symmetric cipher to use. The
-library context I<libctx> and the property query I<propq> are used when
+CMS_EnvelopedData_create_with_libctx() creates a B<CMS_ContentInfo> structure
+with a type B<NID_pkcs7_enveloped>. I<cipher> is the symmetric cipher to use.
+The library context I<libctx> and the property query I<propq> are used when
retrieving algorithms from providers.
+CMS_AuthEnvelopedData_create_with_libctx() creates a B<CMS_ContentInfo>
+structure with a type B<NID_id_smime_ct_authEnvelopedData>. B<cipher> is the
+symmetric AEAD cipher to use. Currently only AES variants with GCM mode are
+supported. The library context I<libctx> and the property query I<propq> are
+used when retrieving algorithms from providers.
+
The algorithm passed in the I<cipher> parameter must support ASN1 encoding of
its parameters.
@@ -30,21 +44,23 @@ L<CMS_add0_recipient_key(3)>.
The B<CMS_ContentInfo> structure needs to be finalized using L<CMS_final(3)>
and then freed using L<CMS_ContentInfo_free(3)>.
-CMS_EnvelopedData_create() is similar to CMS_EnvelopedData_create_with_libctx()
-but uses default values of NULL for the library context I<libctx> and the
-property query I<propq>.
+CMS_EnvelopedData_create() and CMS_AuthEnvelopedData_create are similar to
+CMS_EnvelopedData_create_with_libctx() and
+CMS_AuthEnvelopedData_create_with_libctx() but use default values of NULL for
+the library context I<libctx> and the property query I<propq>.
=head1 NOTES
-Although CMS_EnvelopedData_create() allocates a new B<CMS_ContentInfo>
-structure it is usually not used in applications. The wrappers
-L<CMS_encrypt(3)> and L<CMS_decrypt(3)> are often used instead.
+Although CMS_EnvelopedData_create() and CMS_AuthEnvelopedData_create() allocate
+a new B<CMS_ContentInfo> structure, they are not usually used in applications.
+The wrappers L<CMS_encrypt(3)> and L<CMS_decrypt(3)> are often used instead.
=head1 RETURN VALUES
-If the allocation fails, CMS_EnvelopedData_create() returns NULL and sets
-an error code that can be obtained by L<ERR_get_error(3)>.
-Otherwise it returns a pointer to the newly allocated structure.
+If the allocation fails, CMS_EnvelopedData_create() and
+CMS_AuthEnvelopedData_create() return NULL and set an error code that can be
+obtained by L<ERR_get_error(3)>. Otherwise they return a pointer to the newly
+allocated structure.
=head1 SEE ALSO
diff --git a/doc/man3/CMS_decrypt.pod b/doc/man3/CMS_decrypt.pod
index 3124fa8394..4f8d32fbbb 100644
--- a/doc/man3/CMS_decrypt.pod
+++ b/doc/man3/CMS_decrypt.pod
@@ -18,9 +18,9 @@ content from a CMS envelopedData structure
=head1 DESCRIPTION
CMS_decrypt() extracts and decrypts the content from a CMS EnvelopedData
-structure. B<pkey> is the private key of the recipient, B<cert> is the
-recipient's certificate, B<out> is a BIO to write the content to and
-B<flags> is an optional set of flags.
+or AuthEnvelopedData structure. B<pkey> is the private key of the recipient,
+B<cert> is the recipient's certificate, B<out> is a BIO to write the content to
+and B<flags> is an optional set of flags.
The B<dcont> parameter is used in the rare case where the encrypted content
is detached. It will normally be set to NULL.
diff --git a/doc/man3/CMS_encrypt.pod b/doc/man3/CMS_encrypt.pod
index 211ec18d36..9fe92e3ee6 100644
--- a/doc/man3/CMS_encrypt.pod
+++ b/doc/man3/CMS_encrypt.pod
@@ -11,17 +11,19 @@ CMS_encrypt_with_libctx, CMS_encrypt - create a CMS envelopedData structure
CMS_ContentInfo *CMS_encrypt_with_libctx(STACK_OF(X509) *certs,
BIO *in, const EVP_CIPHER *cipher,
unsigned int flags,
- OPENSSL_CTX *libctx, const char *propq);
+ OPENSSL_CTX *libctx,
+ const char *propq);
CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
const EVP_CIPHER *cipher, unsigned int flags);
=head1 DESCRIPTION
-CMS_encrypt_with_libctx() creates and returns a CMS EnvelopedData structure.
-I<certs> is a list of recipient certificates. I<in> is the content to be
-encrypted. I<cipher> is the symmetric cipher to use. I<flags> is an optional set
-of flags. The library context I<libctx> and the property query I<propq> are used
-internally when retrieving algorithms from providers.
+CMS_encrypt_with_libctx() creates and returns a CMS EnvelopedData or
+AuthEnvelopedData structure. I<certs> is a list of recipient certificates.
+I<in> is the content to be encrypted. I<cipher> is the symmetric cipher to use.
+I<flags> is an optional set of flags. The library context I<libctx> and the
+property query I<propq> are used internally when retrieving algorithms from
+providers.
Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
function.
@@ -30,7 +32,9 @@ EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use
because most clients will support it.
The algorithm passed in the B<cipher> parameter must support ASN1 encoding of
-its parameters.
+its parameters. If the cipher mode is GCM, then an AuthEnvelopedData structure
+containing MAC is used. Otherwise an EnvelopedData structure is used. Currently
+the AES variants with GCM mode are the only supported AEAD algorithms.
Many browsers implement a "sign and encrypt" option which is simply an S/MIME
envelopedData containing an S/MIME signed message. This can be readily produced
@@ -81,8 +85,8 @@ and CMS_add0_recipient_key().
The parameter B<certs> may be NULL if B<CMS_PARTIAL> is set and recipients
added later using CMS_add1_recipient_cert() or CMS_add0_recipient_key().
-CMS_encrypt() is similar to CMS_encrypt_with_libctx() but uses default values of
-NULL for the library context I<libctx> and the property query I<propq>.
+CMS_encrypt() is similar to CMS_encrypt_with_libctx() but uses default values
+of NULL for the library context I<libctx> and the property query I<propq>.
=head1 RETURN VALUES