1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5*b077aed3SPierre ProncheryCMS_decrypt, CMS_decrypt_set1_pkey_and_peer, 6*b077aed3SPierre ProncheryCMS_decrypt_set1_pkey, CMS_decrypt_set1_password 7*b077aed3SPierre Pronchery- decrypt content from a CMS envelopedData structure 8e71b7053SJung-uk Kim 9e71b7053SJung-uk Kim=head1 SYNOPSIS 10e71b7053SJung-uk Kim 11e71b7053SJung-uk Kim #include <openssl/cms.h> 12e71b7053SJung-uk Kim 13e71b7053SJung-uk Kim int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, 14e71b7053SJung-uk Kim BIO *dcont, BIO *out, unsigned int flags); 15*b077aed3SPierre Pronchery int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, 16*b077aed3SPierre Pronchery EVP_PKEY *pk, X509 *cert, X509 *peer); 17*b077aed3SPierre Pronchery int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert); 18*b077aed3SPierre Pronchery int CMS_decrypt_set1_password(CMS_ContentInfo *cms, 19*b077aed3SPierre Pronchery unsigned char *pass, ossl_ssize_t passlen); 20e71b7053SJung-uk Kim 21e71b7053SJung-uk Kim=head1 DESCRIPTION 22e71b7053SJung-uk Kim 23*b077aed3SPierre ProncheryCMS_decrypt() extracts the decrypted content from a CMS EnvelopedData 24*b077aed3SPierre Proncheryor AuthEnvelopedData structure. 25*b077aed3SPierre ProncheryIt uses CMS_decrypt_set1_pkey() to decrypt the content 26*b077aed3SPierre Proncherywith the recipient private key I<pkey> if I<pkey> is not NULL. 27*b077aed3SPierre ProncheryIn this case, it is recommended to provide the associated certificate 28*b077aed3SPierre Proncheryin I<cert> - see the NOTES below. 29*b077aed3SPierre ProncheryI<out> is a BIO to write the content to and 30*b077aed3SPierre ProncheryI<flags> is an optional set of flags. 31*b077aed3SPierre ProncheryIf I<pkey> is NULL the function assumes that decryption was already done 32*b077aed3SPierre Pronchery(e.g., using CMS_decrypt_set1_pkey() or CMS_decrypt_set1_password()) and just 33*b077aed3SPierre Proncheryprovides the content unless I<cert>, I<dcont>, and I<out> are NULL as well. 34*b077aed3SPierre ProncheryThe I<dcont> parameter is used in the rare case where the encrypted content 35e71b7053SJung-uk Kimis detached. It will normally be set to NULL. 36e71b7053SJung-uk Kim 37*b077aed3SPierre ProncheryCMS_decrypt_set1_pkey_and_peer() decrypts the CMS_ContentInfo structure I<cms> 38*b077aed3SPierre Proncheryusing the private key I<pkey>, the corresponding certificate I<cert>, which is 39*b077aed3SPierre Proncheryrecommended to be supplied but may be NULL, 40*b077aed3SPierre Proncheryand the (optional) originator certificate I<peer>. 41*b077aed3SPierre ProncheryOn success, it also records in I<cms> the decryption key I<pkey>, and this 42*b077aed3SPierre Proncheryshould be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>. 43*b077aed3SPierre ProncheryThis call deallocates any decryption key stored in I<cms>. 44*b077aed3SPierre Pronchery 45*b077aed3SPierre ProncheryCMS_decrypt_set1_pkey() is the same as 46*b077aed3SPierre ProncheryCMS_decrypt_set1_pkey_and_peer() with I<peer> being NULL. 47*b077aed3SPierre Pronchery 48*b077aed3SPierre ProncheryCMS_decrypt_set1_password() decrypts the CMS_ContentInfo structure I<cms> 49*b077aed3SPierre Proncheryusing the secret I<pass> of length I<passlen>. 50*b077aed3SPierre ProncheryOn success, it also records in I<cms> the decryption key used, and this 51*b077aed3SPierre Proncheryshould be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>. 52*b077aed3SPierre ProncheryThis call deallocates any decryption key stored in I<cms>. 53*b077aed3SPierre Pronchery 54e71b7053SJung-uk Kim=head1 NOTES 55e71b7053SJung-uk Kim 56e71b7053SJung-uk KimAlthough the recipients certificate is not needed to decrypt the data it is 57e71b7053SJung-uk Kimneeded to locate the appropriate (of possible several) recipients in the CMS 58e71b7053SJung-uk Kimstructure. 59e71b7053SJung-uk Kim 60*b077aed3SPierre ProncheryIf I<cert> is set to NULL all possible recipients are tried. This case however 61e71b7053SJung-uk Kimis problematic. To thwart the MMA attack (Bleichenbacher's attack on 62e71b7053SJung-uk KimPKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or 63e71b7053SJung-uk Kimnot. If no recipient succeeds then a random symmetric key is used to decrypt 64e71b7053SJung-uk Kimthe content: this will typically output garbage and may (but is not guaranteed 65e71b7053SJung-uk Kimto) ultimately return a padding error only. If CMS_decrypt() just returned an 66e71b7053SJung-uk Kimerror when all recipient encrypted keys failed to decrypt an attacker could 67e71b7053SJung-uk Kimuse this in a timing attack. If the special flag B<CMS_DEBUG_DECRYPT> is set 68e71b7053SJung-uk Kimthen the above behaviour is modified and an error B<is> returned if no 69e71b7053SJung-uk Kimrecipient encrypted key can be decrypted B<without> generating a random 70e71b7053SJung-uk Kimcontent encryption key. Applications should use this flag with 71e71b7053SJung-uk KimB<extreme caution> especially in automated gateways as it can leave them 72e71b7053SJung-uk Kimopen to attack. 73e71b7053SJung-uk Kim 74e71b7053SJung-uk KimIt is possible to determine the correct recipient key by other means (for 75e71b7053SJung-uk Kimexample looking them up in a database) and setting them in the CMS structure 76*b077aed3SPierre Proncheryin advance using the CMS utility functions such as CMS_set1_pkey(), 77*b077aed3SPierre Proncheryor use CMS_decrypt_set1_password() if the recipient has a symmetric key. 78*b077aed3SPierre ProncheryIn these cases both I<cert> and I<pkey> should be set to NULL. 79e71b7053SJung-uk Kim 80e71b7053SJung-uk KimTo process KEKRecipientInfo types CMS_set1_key() or CMS_RecipientInfo_set0_key() 81e71b7053SJung-uk Kimand CMS_RecipientInfo_decrypt() should be called before CMS_decrypt() and 82*b077aed3SPierre ProncheryI<cert> and I<pkey> set to NULL. 83e71b7053SJung-uk Kim 84*b077aed3SPierre ProncheryThe following flags can be passed in the I<flags> parameter. 85e71b7053SJung-uk Kim 86*b077aed3SPierre ProncheryIf the B<CMS_TEXT> flag is set MIME headers for type C<text/plain> are deleted 87*b077aed3SPierre Proncheryfrom the content. If the content is not of type C<text/plain> then an error is 88e71b7053SJung-uk Kimreturned. 89e71b7053SJung-uk Kim 90e71b7053SJung-uk Kim=head1 RETURN VALUES 91e71b7053SJung-uk Kim 92*b077aed3SPierre ProncheryCMS_decrypt(), CMS_decrypt_set1_pkey_and_peer(), 93*b077aed3SPierre ProncheryCMS_decrypt_set1_pkey(), and CMS_decrypt_set1_password() 94*b077aed3SPierre Proncheryreturn either 1 for success or 0 for failure. 95*b077aed3SPierre ProncheryThe error can be obtained from ERR_get_error(3). 96e71b7053SJung-uk Kim 97e71b7053SJung-uk Kim=head1 BUGS 98e71b7053SJung-uk Kim 99*b077aed3SPierre ProncheryThe B<set1_> part of these function names is misleading 100*b077aed3SPierre Proncheryand should better read: B<with_>. 101*b077aed3SPierre Pronchery 102e71b7053SJung-uk KimThe lack of single pass processing and the need to hold all data in memory as 103e71b7053SJung-uk Kimmentioned in CMS_verify() also applies to CMS_decrypt(). 104e71b7053SJung-uk Kim 105e71b7053SJung-uk Kim=head1 SEE ALSO 106e71b7053SJung-uk Kim 107e71b7053SJung-uk KimL<ERR_get_error(3)>, L<CMS_encrypt(3)> 108e71b7053SJung-uk Kim 109*b077aed3SPierre Pronchery=head1 HISTORY 110*b077aed3SPierre Pronchery 111*b077aed3SPierre ProncheryCMS_decrypt_set1_pkey_and_peer() and CMS_decrypt_set1_password() 112*b077aed3SPierre Proncherywere added in OpenSSL 3.0. 113*b077aed3SPierre Pronchery 114e71b7053SJung-uk Kim=head1 COPYRIGHT 115e71b7053SJung-uk Kim 116*b077aed3SPierre ProncheryCopyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. 117e71b7053SJung-uk Kim 118*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 119e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 120e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 121e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 122e71b7053SJung-uk Kim 123e71b7053SJung-uk Kim=cut 124