CMS_decrypt.pod 5.0 KB

=pod

=head1 NAME

CMS_decrypt, CMS_decrypt_set1_pkey_and_peer,
CMS_decrypt_set1_pkey, CMS_decrypt_set1_password
- decrypt content from a CMS envelopedData structure

=head1 SYNOPSIS

 #include <openssl/cms.h>

 int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert,
                 BIO *dcont, BIO *out, unsigned int flags);
 int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms,
                                    EVP_PKEY *pk, X509 *cert, X509 *peer);
 int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
 int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
                               unsigned char *pass, ossl_ssize_t passlen);

=head1 DESCRIPTION

CMS_decrypt() extracts the decrypted content from a CMS EnvelopedData
or AuthEnvelopedData structure.
It uses CMS_decrypt_set1_pkey() to decrypt the content
with the recipient private key I<pkey> if I<pkey> is not NULL.
In this case, it is recommended to provide the associated certificate
in I<cert> - see the NOTES below.
I<out> is a BIO to write the content to and
I<flags> is an optional set of flags.
If I<pkey> is NULL the function assumes that decryption was already done
(e.g., using CMS_decrypt_set1_pkey() or CMS_decrypt_set1_password()) and just
provides the content unless I<cert>, I<dcont>, and I<out> are NULL as well.
The I<dcont> parameter is used in the rare case where the encrypted content
is detached. It will normally be set to NULL.

CMS_decrypt_set1_pkey_and_peer() decrypts the CMS_ContentInfo structure I<cms>
using the private key I<pkey>, the corresponding certificate I<cert>, which is
recommended to be supplied but may be NULL,
and the (optional) originator certificate I<peer>.
On success, it also records in I<cms> the decryption key I<pkey>, and this
should be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>.
This call deallocates any decryption key stored in I<cms>.

CMS_decrypt_set1_pkey() is the same as
CMS_decrypt_set1_pkey_and_peer() with I<peer> being NULL.

CMS_decrypt_set1_password() decrypts the CMS_ContentInfo structure I<cms>
using the secret I<pass> of length I<passlen>.
On success, it also records in I<cms> the decryption key used, and this
should be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>.
This call deallocates any decryption key stored in I<cms>.

=head1 NOTES

Although the recipient's certificate is not needed to decrypt the data, it is
needed to locate the appropriate one of possibly several recipients in the CMS
structure.

If I<cert> is set to NULL all possible recipients are tried. This case however
is problematic. To thwart the MMA attack (Bleichenbacher's attack on
PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or
not. If no recipient succeeds then a random symmetric key is used to decrypt
the content: this will typically output garbage and may (but is not guaranteed
to) ultimately return a padding error only. If CMS_decrypt() just returned an
error when all recipient encrypted keys failed to decrypt an attacker could
use this in a timing attack. If the special flag B<CMS_DEBUG_DECRYPT> is set
then the above behaviour is modified and an error B<is> returned if no
recipient encrypted key can be decrypted B<without> generating a random
content encryption key. Applications should use this flag with
B<extreme caution> especially in automated gateways as it can leave them
open to attack.

It is possible to determine the correct recipient key by other means (for
example, looking it up in a database) and to set it in the CMS structure
in advance using the CMS utility functions such as CMS_set1_pkey(),
or to use CMS_decrypt_set1_password() if the recipient has a symmetric key.
In these cases both I<cert> and I<pkey> should be set to NULL.

To process KEKRecipientInfo types, CMS_set1_key() or CMS_RecipientInfo_set0_key()
and CMS_RecipientInfo_decrypt() should be called before CMS_decrypt(), with
I<cert> and I<pkey> set to NULL.

The following flags can be passed in the I<flags> parameter.

If the B<CMS_TEXT> flag is set MIME headers for type C<text/plain> are deleted
from the content. If the content is not of type C<text/plain> then an error is
returned.

=head1 RETURN VALUES

CMS_decrypt(), CMS_decrypt_set1_pkey_and_peer(),
CMS_decrypt_set1_pkey(), and CMS_decrypt_set1_password()
return either 1 for success or 0 for failure.
The error can be obtained from ERR_get_error(3).

=head1 BUGS

The B<set1_> part of these function names is misleading
and should better read: B<with_>.

The lack of single pass processing and the need to hold all data in memory as
mentioned in CMS_verify() also applies to CMS_decrypt().

=head1 SEE ALSO

L<ERR_get_error(3)>, L<CMS_encrypt(3)>

=head1 HISTORY

CMS_decrypt_set1_pkey_and_peer() and CMS_decrypt_set1_password()
were added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut