Encoding Enveloped Data

The tasks required to encode an enveloped message are depicted in the following illustration and described in the list that follows it.

The sequence of events for encoding enveloped data, as depicted in the previous illustration, is as follows:

  1. A pointer to the plaintext message is retrieved.
  2. A symmetric (session) key is generated.
  3. The symmetric key and specified encryption algorithm are used to encrypt the message data.
  4. A certificate store is opened.
  5. The recipient's certificate is retrieved from the store.
  6. The public key is retrieved from the recipient's certificate.
  7. Using the recipient's public key, the symmetric key is encrypted.
  8. From the recipients certificate, the recipient's ID is retrieved.
  9. The following information is included in the digitally enveloped message: the data encryption algorithm, the encrypted data, the encrypted symmetric key, and the recipient information structure.

To use low-level message functions to accomplish the tasks just listed, use the following procedure.

    To encode an enveloped message using CryptoAPI
  1. Create or retrieve the content.
  2. Get a cryptographic provider.
  3. Get a recipient certificate.
  4. Initialize the CMSG_ENVELOPED_ENCODE_INFO structure.
  5. Call CryptMsgCalculateEncodedLength to get the size of the encoded message blob. Allocate memory for it.
  6. Call CryptMsgOpenToEncode passing in CMSG_ENVELOPED for dwMsgType, and a pointer to CMSG_ENVELOPED_ENCODE_INFO for pvMsgEncodeInfo. As a result of this call, you will get a handle to the opened message.
  7. Call CryptMsgUpdate passing in the handle retrieved in step 6, and a pointer to the data that is to be encrypted, enveloped, and encoded. This function can be called as many times as necessary to complete the encoding process.
  8. Call CryptMsgGetParam, passing in the handle retrieved in step 6, and the appropriate parameter types to access the desired, encoded data. For example, pass in CMSG_CONTENT_PARAM to get a pointer to the entire PKCS #7 message.

    If the result of this encoding is to be used as the inner data for another encoded message, such as an enveloped message, the CMSG_BARE_CONTENT_PARAM parameter must be passed. For example code showing this, see Enveloped Message Example 2.

  9. Close the message by calling CryptMsgClose.

The result of this procedure is an encoded message that contains the encrypted data, the symmetric key that is encrypted with the recipient's public keys, and the recipient info data structures. The combination of encrypted content and an encrypted symmetric key for a recipient is a digital envelope for that recipient. Any type of content can be enveloped for multiple recipients.