gsk_read_enveloped_data

Processes a PKCS #7 EnvelopedData message.

Format

#include <gskcms.h>

gsk_status gsk_read_enveloped_data_msg (
                                        pkcs_cert_keys *             recipient_keys, 
                                        gsk_buffer *                 stream,
                                        x509_algorithm_type *        encryption_algorithm,
                                        gsk_size *                   key_size,
                                        gsk_buffer *                 data)

Parameters

recipient_keys: Specifies one or more certificates and associated private keys.
stream: Specifies the ASN.1 DER-encoded stream to be processed.
encryption_algorithm: Returns the encryption algorithm used to encrypt the message content.
key_size: Returns the encryption key size in bytes.
data: Returns the content of the EnvelopedData message. The application should call the gsk_free_buffer() routine to release the data when it is no longer needed.

Results

The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:

[CMSERR_ALG_NOT_SUPPORTED]: Encryption algorithm is not supported.
[CMSERR_BAD_ENCODING]: The message content type is not EnvelopedData or the message content is not Data.
[CMSERR_BAD_KEY_SIZE]: The encryption key size is not supported.
[CMSERR_CONTENT_NOT_SUPPORTED]: The message content type is not EnvelopedData or the content of the EnvelopedData message is not Data.
[CMSERR_CRYPTO_HARDWARE_NOT_AVAILABLE]: Cryptographic hardware does not support service or algorithm.
[CMSERR_INCORRECT_KEY_USAGE]: The recipient certificate does not allow key encipherment.
[CMSERR_KEY_MISMATCH]: A recipient private key does not support data decryption.
[CMSERR_NO_CONTENT_DATA]: The content data length is zero.
[CMSERR_NO_MEMORY]: Insufficient storage is available.
[CMSERR_NO_PRIVATE_KEY]: Private key does not exist or is not accessible.
[CMSERR_RECIPIENT_NOT_FOUND]: No matching recipient certificate provided.

Usage

The gsk_read_enveloped_data_msg() routine processes a PKCS #7 (Cryptographic Message Syntax) EnvelopedData message created by the gsk_make_enveloped_data_msg() routine and returns the message content. The enveloped data content type must be Data.

Calling the gsk_read_enveloped_data_msg() routine is equivalent to calling the gsk_read_content_msg() routine, the gsk_read_enveloped_data_content() routine, and the gsk_read_data_content() routine.

The recipient_keys parameter supplies one or more recipient certificates and associated private keys. The gsk_read_enveloped_data_msg() routine will search for a certificate matching one of the message recipients. The private key will be used to decrypt the session key and the session key will then be used to decrypt the enveloped data. The certificate key usage must allow key encipherment.

No certificate validation is performed by the gsk_read_enveloped_data_msg() routine. It is assumed that the application has already validated the recipient certificates.

These encryption algorithms are supported. Strong encryption might not be available depending upon government export regulations.

x509_alg_rc2CbcPad - 40-bit and 128-bit RC2 - {1.2.840.113549.3.2}
x509_alg_rc4 - 40-bit and 128-bit RC4 - {1.2.840.113549.3.4}
x509_alg_desCbcPad - 56-bit DES - {1.3.14.3.2.7}
x509_alg_desEde3CbcPad - 168-bit 3DES - {1.2.840.113549.3.7}
x509_alg_aesCbc128 - 128-bit AES CBC - {2.16.840.1.101.3.4.1.2}
x509_alg_aesCbc256 - 256-bit AES CBC - {2.16.840.1.101.3.4.1.42}

When executing in FIPS mode, encryption algorithms x509_alg_rc2CbcPad, x509_alg_rc4 and x509_alg_desCbcPad are not supported.