CMSDECRYPT - Decrypt a CMS encrypted file

Syntax:	CMSDECRYPT	[ source file ] [ target file ] [ options ]
Arguments:	[ source file ]	A variable or string defining the file name of a valid CMS (PKCS #7) file; this file may be encrypted, signed, or both encrypted and signed. Wildcards are not permitted in [ source file ] or [ target file ]
	[ target file ]	A variable or string defining the file name of the outputted file; if the file exists, it will be overwritten. The target file may not be the same as the source file.
Options:
	/signature=xx	required - a valid digital signature must exist optional - if there is a signature it must be valid (default) ignore - signatures are ignored
	/validatewith=xx	This option is used to specify the SSL certificate which should be used to validate the signature (if any) attached to the source file. Either the email address or common name of the certificate can be used, as displayed in the "View Certificate Details" dialog as found in the SSL Certificates page of the Configurator. Alternately, the email address and common name can be used together in the keyspec to look up the certificate, as follows: "My common name <[email protected]>".

This script command decrypts / verifies a CMS (PKCS #7) file that was previously encrypted / signed using the CMSENCRYPT command. To decrypt a file you must have already imported the PKCS#12 SSL certificate that corresponds to the X.509 SSL certificate that was used to encrypt the file. The certificate used for decryption will be contained in a .pfx (PKCS #12) file. Such certificates are imported by using the Import Certificate functionality in the Robo-FTP Configurator. To validate the signature of a file you must have already used the Robo-FTP Configurator to import the SSL certificate provided by the signer, which will be given as an X.509 certificate enclosed within a .cer or .pem file.

In the following example, the CMSDECRYPT command is used to decrypt and validate the signature of a file which was previously signed by "Fictional Company A" and encrypted in the CMS format for recipient "Fictional Company B". Because the /signature=required option is provided, if no signature is found inside the CMS file, an error will occur. Note that in order for the recipient to successfully validate the signature in the file, Fictional Company A's X.509 SSL certificate (e.g. file "fictional_company_a.cer") must have been previously imported in the Configurator, as an SSL certificate ("for: encryption"). Additionally, for decryption to succeed, the recipient's PKCS #12 certificate (e.g. from file "fictional_company_b.pfx") must have been previously imported in the Configurator, as an SSL certificate ("for: decryption + signing"):

CMSDECRYPT "plaintext.signed_and_encrypted.cms" "plaintext.txt" /signature=required /validatewith="Fictional Company A"

In the following example, the same conditions apply, but with one exception. Since the /signature=required option has been changed to /signature=ignore, the file will be decrypted into the target file "plaintext.txt", regardless of the existence or validity of any enclosed signature in the source file:

CMSDECRYPT "plaintext.signed_and_encrypted.cms" "plaintext.txt" /signature=ignore

$ERROR Constant Name	Code	Description
$ERROR_SUCCESS	0	No error occurred
$ERROR_FILE_OPEN_ERROR	1003	Unable to create the output specified by the [ target file ] argument
$ERROR_VAR_NOT_FOUND	1009	Script variable not set
$FILE_NOT_FOUND	1055	Unable to access the source specified by the [ source file ] argument
$ERROR_INVALID_ARGUMENT	1100	Invalid argument
$ERROR_CMS_DECRYPTION_FAILED	1348	PGP decryption operation failed or canceled
$ERROR_CMS_KEY_DOES_NOT_EXIST	1280	Private decryption key not imported or unavailable to current user
$ERROR_CMS_SIGNATURE_MODIFIED	1357	Signature not validated; the file contents have changed since it was signed or the signer's public key was not imported or is unavailable to the current user