1e1051a39Sopenharmony_ci=pod 2e1051a39Sopenharmony_ci 3e1051a39Sopenharmony_ci=head1 NAME 4e1051a39Sopenharmony_ci 5e1051a39Sopenharmony_ciCMS_decrypt, CMS_decrypt_set1_pkey_and_peer, 6e1051a39Sopenharmony_ciCMS_decrypt_set1_pkey, CMS_decrypt_set1_password 7e1051a39Sopenharmony_ci- decrypt content from a CMS envelopedData structure 8e1051a39Sopenharmony_ci 9e1051a39Sopenharmony_ci=head1 SYNOPSIS 10e1051a39Sopenharmony_ci 11e1051a39Sopenharmony_ci #include <openssl/cms.h> 12e1051a39Sopenharmony_ci 13e1051a39Sopenharmony_ci int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, 14e1051a39Sopenharmony_ci BIO *dcont, BIO *out, unsigned int flags); 15e1051a39Sopenharmony_ci int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, 16e1051a39Sopenharmony_ci EVP_PKEY *pk, X509 *cert, X509 *peer); 17e1051a39Sopenharmony_ci int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert); 18e1051a39Sopenharmony_ci int CMS_decrypt_set1_password(CMS_ContentInfo *cms, 19e1051a39Sopenharmony_ci unsigned char *pass, ossl_ssize_t passlen); 20e1051a39Sopenharmony_ci 21e1051a39Sopenharmony_ci=head1 DESCRIPTION 22e1051a39Sopenharmony_ci 23e1051a39Sopenharmony_ciCMS_decrypt() extracts the decrypted content from a CMS EnvelopedData 24e1051a39Sopenharmony_cior AuthEnvelopedData structure. 25e1051a39Sopenharmony_ciIt uses CMS_decrypt_set1_pkey() to decrypt the content 26e1051a39Sopenharmony_ciwith the recipient private key I<pkey> if I<pkey> is not NULL. 27e1051a39Sopenharmony_ciIn this case, it is recommended to provide the associated certificate 28e1051a39Sopenharmony_ciin I<cert> - see the NOTES below. 29e1051a39Sopenharmony_ciI<out> is a BIO to write the content to and 30e1051a39Sopenharmony_ciI<flags> is an optional set of flags. 31e1051a39Sopenharmony_ciIf I<pkey> is NULL the function assumes that decryption was already done 32e1051a39Sopenharmony_ci(e.g., using CMS_decrypt_set1_pkey() or CMS_decrypt_set1_password()) and just 33e1051a39Sopenharmony_ciprovides the content unless I<cert>, I<dcont>, and I<out> are NULL as well. 34e1051a39Sopenharmony_ciThe I<dcont> parameter is used in the rare case where the encrypted content 35e1051a39Sopenharmony_ciis detached. It will normally be set to NULL. 36e1051a39Sopenharmony_ci 37e1051a39Sopenharmony_ciCMS_decrypt_set1_pkey_and_peer() decrypts the CMS_ContentInfo structure I<cms> 38e1051a39Sopenharmony_ciusing the private key I<pkey>, the corresponding certificate I<cert>, which is 39e1051a39Sopenharmony_cirecommended to be supplied but may be NULL, 40e1051a39Sopenharmony_ciand the (optional) originator certificate I<peer>. 41e1051a39Sopenharmony_ciOn success, it also records in I<cms> the decryption key I<pkey>, and this 42e1051a39Sopenharmony_cishould be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>. 43e1051a39Sopenharmony_ciThis call deallocates any decryption key stored in I<cms>. 44e1051a39Sopenharmony_ci 45e1051a39Sopenharmony_ciCMS_decrypt_set1_pkey() is the same as 46e1051a39Sopenharmony_ciCMS_decrypt_set1_pkey_and_peer() with I<peer> being NULL. 47e1051a39Sopenharmony_ci 48e1051a39Sopenharmony_ciCMS_decrypt_set1_password() decrypts the CMS_ContentInfo structure I<cms> 49e1051a39Sopenharmony_ciusing the secret I<pass> of length I<passlen>. 50e1051a39Sopenharmony_ciOn success, it also records in I<cms> the decryption key used, and this 51e1051a39Sopenharmony_cishould be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>. 52e1051a39Sopenharmony_ciThis call deallocates any decryption key stored in I<cms>. 53e1051a39Sopenharmony_ci 54e1051a39Sopenharmony_ci=head1 NOTES 55e1051a39Sopenharmony_ci 56e1051a39Sopenharmony_ciAlthough the recipients certificate is not needed to decrypt the data it is 57e1051a39Sopenharmony_cineeded to locate the appropriate (of possible several) recipients in the CMS 58e1051a39Sopenharmony_cistructure. 59e1051a39Sopenharmony_ci 60e1051a39Sopenharmony_ciIf I<cert> is set to NULL all possible recipients are tried. This case however 61e1051a39Sopenharmony_ciis problematic. To thwart the MMA attack (Bleichenbacher's attack on 62e1051a39Sopenharmony_ciPKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or 63e1051a39Sopenharmony_cinot. If no recipient succeeds then a random symmetric key is used to decrypt 64e1051a39Sopenharmony_cithe content: this will typically output garbage and may (but is not guaranteed 65e1051a39Sopenharmony_cito) ultimately return a padding error only. If CMS_decrypt() just returned an 66e1051a39Sopenharmony_cierror when all recipient encrypted keys failed to decrypt an attacker could 67e1051a39Sopenharmony_ciuse this in a timing attack. If the special flag B<CMS_DEBUG_DECRYPT> is set 68e1051a39Sopenharmony_cithen the above behaviour is modified and an error B<is> returned if no 69e1051a39Sopenharmony_cirecipient encrypted key can be decrypted B<without> generating a random 70e1051a39Sopenharmony_cicontent encryption key. Applications should use this flag with 71e1051a39Sopenharmony_ciB<extreme caution> especially in automated gateways as it can leave them 72e1051a39Sopenharmony_ciopen to attack. 73e1051a39Sopenharmony_ci 74e1051a39Sopenharmony_ciIt is possible to determine the correct recipient key by other means (for 75e1051a39Sopenharmony_ciexample looking them up in a database) and setting them in the CMS structure 76e1051a39Sopenharmony_ciin advance using the CMS utility functions such as CMS_set1_pkey(), 77e1051a39Sopenharmony_cior use CMS_decrypt_set1_password() if the recipient has a symmetric key. 78e1051a39Sopenharmony_ciIn these cases both I<cert> and I<pkey> should be set to NULL. 79e1051a39Sopenharmony_ci 80e1051a39Sopenharmony_ciTo process KEKRecipientInfo types CMS_set1_key() or CMS_RecipientInfo_set0_key() 81e1051a39Sopenharmony_ciand CMS_RecipientInfo_decrypt() should be called before CMS_decrypt() and 82e1051a39Sopenharmony_ciI<cert> and I<pkey> set to NULL. 83e1051a39Sopenharmony_ci 84e1051a39Sopenharmony_ciThe following flags can be passed in the I<flags> parameter. 85e1051a39Sopenharmony_ci 86e1051a39Sopenharmony_ciIf the B<CMS_TEXT> flag is set MIME headers for type C<text/plain> are deleted 87e1051a39Sopenharmony_cifrom the content. If the content is not of type C<text/plain> then an error is 88e1051a39Sopenharmony_cireturned. 89e1051a39Sopenharmony_ci 90e1051a39Sopenharmony_ci=head1 RETURN VALUES 91e1051a39Sopenharmony_ci 92e1051a39Sopenharmony_ciCMS_decrypt(), CMS_decrypt_set1_pkey_and_peer(), 93e1051a39Sopenharmony_ciCMS_decrypt_set1_pkey(), and CMS_decrypt_set1_password() 94e1051a39Sopenharmony_cireturn either 1 for success or 0 for failure. 95e1051a39Sopenharmony_ciThe error can be obtained from ERR_get_error(3). 96e1051a39Sopenharmony_ci 97e1051a39Sopenharmony_ci=head1 BUGS 98e1051a39Sopenharmony_ci 99e1051a39Sopenharmony_ciThe B<set1_> part of these function names is misleading 100e1051a39Sopenharmony_ciand should better read: B<with_>. 101e1051a39Sopenharmony_ci 102e1051a39Sopenharmony_ciThe lack of single pass processing and the need to hold all data in memory as 103e1051a39Sopenharmony_cimentioned in CMS_verify() also applies to CMS_decrypt(). 104e1051a39Sopenharmony_ci 105e1051a39Sopenharmony_ci=head1 SEE ALSO 106e1051a39Sopenharmony_ci 107e1051a39Sopenharmony_ciL<ERR_get_error(3)>, L<CMS_encrypt(3)> 108e1051a39Sopenharmony_ci 109e1051a39Sopenharmony_ci=head1 HISTORY 110e1051a39Sopenharmony_ci 111e1051a39Sopenharmony_ciCMS_decrypt_set1_pkey_and_peer() and CMS_decrypt_set1_password() 112e1051a39Sopenharmony_ciwere added in OpenSSL 3.0. 113e1051a39Sopenharmony_ci 114e1051a39Sopenharmony_ci=head1 COPYRIGHT 115e1051a39Sopenharmony_ci 116e1051a39Sopenharmony_ciCopyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. 117e1051a39Sopenharmony_ci 118e1051a39Sopenharmony_ciLicensed under the Apache License 2.0 (the "License"). You may not use 119e1051a39Sopenharmony_cithis file except in compliance with the License. You can obtain a copy 120e1051a39Sopenharmony_ciin the file LICENSE in the source distribution or at 121e1051a39Sopenharmony_ciL<https://www.openssl.org/source/license.html>. 122e1051a39Sopenharmony_ci 123e1051a39Sopenharmony_ci=cut 124