diff options
author | Jakub Zelenka <jakub.openssl@gmail.com> | 2020-09-06 20:11:34 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-09-08 15:43:11 +0200 |
commit | 924663c36d47066d5307937da77fed7e872730c7 (patch) | |
tree | a60cfe385cc29402bdaceaaa5a8b069ca6a6a50a /doc | |
parent | apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option (diff) | |
download | openssl-924663c36d47066d5307937da77fed7e872730c7.tar.xz openssl-924663c36d47066d5307937da77fed7e872730c7.zip |
Add CMS AuthEnvelopedData with AES-GCM support
Add the AuthEnvelopedData as defined in RFC 5083 with AES-GCM
parameter as defined in RFC 5084.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8024)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-cms.pod.in | 3 | ||||
-rw-r--r-- | doc/man3/CMS_EnvelopedData_create.pod | 48 | ||||
-rw-r--r-- | doc/man3/CMS_decrypt.pod | 6 | ||||
-rw-r--r-- | doc/man3/CMS_encrypt.pod | 22 |
4 files changed, 51 insertions, 28 deletions
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index def9766b3c..ebe3fbda8c 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -309,6 +309,9 @@ EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers supported by your version of OpenSSL. +Currently the AES variants with GCM mode are the only supported AEAD +algorithms. + If not specified triple DES is used. Only used with B<-encrypt> and B<-EncryptedData_create> commands. diff --git a/doc/man3/CMS_EnvelopedData_create.pod b/doc/man3/CMS_EnvelopedData_create.pod index e6903ea3f8..6978aaabcb 100644 --- a/doc/man3/CMS_EnvelopedData_create.pod +++ b/doc/man3/CMS_EnvelopedData_create.pod @@ -2,25 +2,39 @@ =head1 NAME -CMS_EnvelopedData_create_with_libctx, CMS_EnvelopedData_create +CMS_EnvelopedData_create_with_libctx, CMS_EnvelopedData_create, +CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_with_libctx - Create CMS envelope =head1 SYNOPSIS #include <openssl/cms.h> - CMS_ContentInfo *CMS_EnvelopedData_create_with_libctx(const EVP_CIPHER *cipher, - OPENSSL_CTX *libctx, - const char *propq); + CMS_ContentInfo * + CMS_EnvelopedData_create_with_libctx(const EVP_CIPHER *cipher, + OPENSSL_CTX *libctx, + const char *propq); CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher); + CMS_ContentInfo * + CMS_AuthEnvelopedData_create_with_libctx(const EVP_CIPHER *cipher, + OPENSSL_CTX *libctx, + const char *propq); + CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher); + =head1 DESCRIPTION -CMS_EnvelopedData_create_with_libctx() creates a B<CMS_ContentInfo> structure with -a type B<NID_pkcs7_enveloped>. I<cipher> is the symmetric cipher to use. The -library context I<libctx> and the property query I<propq> are used when +CMS_EnvelopedData_create_with_libctx() creates a B<CMS_ContentInfo> structure +with a type B<NID_pkcs7_enveloped>. I<cipher> is the symmetric cipher to use. +The library context I<libctx> and the property query I<propq> are used when retrieving algorithms from providers. +CMS_AuthEnvelopedData_create_with_libctx() creates a B<CMS_ContentInfo> +structure with a type B<NID_id_smime_ct_authEnvelopedData>. B<cipher> is the +symmetric AEAD cipher to use. Currently only AES variants with GCM mode are +supported. The library context I<libctx> and the property query I<propq> are +used when retrieving algorithms from providers. + The algorithm passed in the I<cipher> parameter must support ASN1 encoding of its parameters. @@ -30,21 +44,23 @@ L<CMS_add0_recipient_key(3)>. The B<CMS_ContentInfo> structure needs to be finalized using L<CMS_final(3)> and then freed using L<CMS_ContentInfo_free(3)>. -CMS_EnvelopedData_create() is similar to CMS_EnvelopedData_create_with_libctx() -but uses default values of NULL for the library context I<libctx> and the -property query I<propq>. +CMS_EnvelopedData_create() and CMS_AuthEnvelopedData_create are similar to +CMS_EnvelopedData_create_with_libctx() and +CMS_AuthEnvelopedData_create_with_libctx() but use default values of NULL for +the library context I<libctx> and the property query I<propq>. =head1 NOTES -Although CMS_EnvelopedData_create() allocates a new B<CMS_ContentInfo> -structure it is usually not used in applications. The wrappers -L<CMS_encrypt(3)> and L<CMS_decrypt(3)> are often used instead. +Although CMS_EnvelopedData_create() and CMS_AuthEnvelopedData_create() allocate +a new B<CMS_ContentInfo> structure, they are not usually used in applications. +The wrappers L<CMS_encrypt(3)> and L<CMS_decrypt(3)> are often used instead. =head1 RETURN VALUES -If the allocation fails, CMS_EnvelopedData_create() returns NULL and sets -an error code that can be obtained by L<ERR_get_error(3)>. -Otherwise it returns a pointer to the newly allocated structure. +If the allocation fails, CMS_EnvelopedData_create() and +CMS_AuthEnvelopedData_create() return NULL and set an error code that can be +obtained by L<ERR_get_error(3)>. Otherwise they return a pointer to the newly +allocated structure. =head1 SEE ALSO diff --git a/doc/man3/CMS_decrypt.pod b/doc/man3/CMS_decrypt.pod index 3124fa8394..4f8d32fbbb 100644 --- a/doc/man3/CMS_decrypt.pod +++ b/doc/man3/CMS_decrypt.pod @@ -18,9 +18,9 @@ content from a CMS envelopedData structure =head1 DESCRIPTION CMS_decrypt() extracts and decrypts the content from a CMS EnvelopedData -structure. B<pkey> is the private key of the recipient, B<cert> is the -recipient's certificate, B<out> is a BIO to write the content to and -B<flags> is an optional set of flags. +or AuthEnvelopedData structure. B<pkey> is the private key of the recipient, +B<cert> is the recipient's certificate, B<out> is a BIO to write the content to +and B<flags> is an optional set of flags. The B<dcont> parameter is used in the rare case where the encrypted content is detached. It will normally be set to NULL. diff --git a/doc/man3/CMS_encrypt.pod b/doc/man3/CMS_encrypt.pod index 211ec18d36..9fe92e3ee6 100644 --- a/doc/man3/CMS_encrypt.pod +++ b/doc/man3/CMS_encrypt.pod @@ -11,17 +11,19 @@ CMS_encrypt_with_libctx, CMS_encrypt - create a CMS envelopedData structure CMS_ContentInfo *CMS_encrypt_with_libctx(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags, - OPENSSL_CTX *libctx, const char *propq); + OPENSSL_CTX *libctx, + const char *propq); CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags); =head1 DESCRIPTION -CMS_encrypt_with_libctx() creates and returns a CMS EnvelopedData structure. -I<certs> is a list of recipient certificates. I<in> is the content to be -encrypted. I<cipher> is the symmetric cipher to use. I<flags> is an optional set -of flags. The library context I<libctx> and the property query I<propq> are used -internally when retrieving algorithms from providers. +CMS_encrypt_with_libctx() creates and returns a CMS EnvelopedData or +AuthEnvelopedData structure. I<certs> is a list of recipient certificates. +I<in> is the content to be encrypted. I<cipher> is the symmetric cipher to use. +I<flags> is an optional set of flags. The library context I<libctx> and the +property query I<propq> are used internally when retrieving algorithms from +providers. Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this function. @@ -30,7 +32,9 @@ EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because most clients will support it. The algorithm passed in the B<cipher> parameter must support ASN1 encoding of -its parameters. +its parameters. If the cipher mode is GCM, then an AuthEnvelopedData structure +containing MAC is used. Otherwise an EnvelopedData structure is used. Currently +the AES variants with GCM mode are the only supported AEAD algorithms. Many browsers implement a "sign and encrypt" option which is simply an S/MIME envelopedData containing an S/MIME signed message. This can be readily produced @@ -81,8 +85,8 @@ and CMS_add0_recipient_key(). The parameter B<certs> may be NULL if B<CMS_PARTIAL> is set and recipients added later using CMS_add1_recipient_cert() or CMS_add0_recipient_key(). -CMS_encrypt() is similar to CMS_encrypt_with_libctx() but uses default values of -NULL for the library context I<libctx> and the property query I<propq>. +CMS_encrypt() is similar to CMS_encrypt_with_libctx() but uses default values +of NULL for the library context I<libctx> and the property query I<propq>. =head1 RETURN VALUES |