z/OS Cryptographic Services System SSL Programming
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


gsk_read_enveloped_data_content()

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

Processes PKCS #7 EnvelopedData content information.

Format

#include <gskcms.h>

gsk_status gsk_read_enveloped_data_content (
                                            pkcs_cert_keys *           recipient_keys,
                                            pkcs_content_info *        content_info,
                                            x509_algorithm_type *      encryption_algorithm,
                                            gsk_size *                 key_size,
                                            pkcs_content_info *        content_data)

Parameters

recipient_keys
Specifies one or more certificates and associated private keys.
content_info
Specifies the content information to be processed.
encryption_algorithm
Returns the encryption algorithm used to encrypt the message content.
key_size
Returns the encryption key size in bytes.
content_data
Returns the EnvelopedData content data. The application should call the gsk_free_content_info() routine to release the content information when it is no longer needed.

Results

The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:

[CMSERR_ALG_NOT_AVAILABLE]
The encryption algorithm is not available.
[CMSERR_ALG_NOT_SUPPORTED]
The encryption algorithm is not supported.
[CMSERR_BAD_KEY_SIZE]
The encryption key size is not supported.
[CMSERR_CONTENT_NOT_SUPPORTED]
The message content type is not EnvelopedData or the content of the EnvelopedData message is not supported.
[CMSERR_CRYPTO_HARDWARE_NOT_AVAILABLE]
Cryptographic hardware does not support service or algorithm.
[CMSERR_INCORRECT_KEY_USAGE]
The recipient certificate does not allow key encipherment.
[CMSERR_KEY_MISMATCH]
A recipient private key does not support data decryption.
[CMSERR_NO_CONTENT_DATA]
The content data length is zero.
[CMSERR_NO_MEMORY]
Insufficient storage is available.
[CMSERR_NO_PRIVATE_KEY]
Private key does not exist or is not accessible.
[CMSERR_RECIPIENT_NOT_FOUND]
No matching recipient certificate provided.

Usage

The gsk_read_enveloped_data_content() routine processes PKCS #7 (Cryptographic Message Syntax) EnvelopedData content information created by the gsk_make_enveloped_data_content() routine.

The recipient_keys parameter supplies one or more recipient certificates and associated private keys. The gsk_read_enveloped_data_content() routine will search for a certificate matching one of the message recipients. The private key will be used to decrypt the session key and the session key will then be used to decrypt the enveloped data. The certificate key usage must allow key encipherment.

No certificate validation is performed by the gsk_read_enveloped_data_content() routine. It is assumed that the application has already validated the recipient certificates.

These encryption algorithms are supported. Strong encryption might not be available depending upon government export regulations.

  • x509_alg_rc2CbcPad - 40-bit and 128-bit RC2 - {1.2.840.113549.3.2}
  • x509_alg_rc4 - 40-bit and 128-bit RC4 - {1.2.840.113549.3.4}
  • x509_alg_desCbcPad - 56-bit DES - {1.3.14.3.2.7}
  • x509_alg_desEde3CbcPad - 168-bit 3DES - {1.2.840.113549.3.7}
  • x509_alg_aesCbc128 - 128-bit AES CBC - {2.16.840.1.101.3.4.1.2}
  • x509_alg_aesCbc256 - 256-bit AES CBC - {2.16.840.1.101.3.4.1.42}

When executing in FIPS mode, encryption algorithms x509_alg_rc2CbcPad, x509_alg_rc4 and x509_alg_desCbcPad are not supported.

Parent topic: Certificate Management Services (CMS) API reference

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014