This is an old revision of the document!

PHP RFC: Add CMS Support


PHP has for some time incorporated support for PKCS#7 sign, verify, encrypt, decrypt, and read operations. Cryptographic Message Syntax (CMS) is a newer version of PKCS#7. Having been around some time, CMS is used in both email messaging as well as signature verification operations relating to IoT devices.


It is proposed that analogous functions be created for CMS. These would be as follows:

PKCS#7 function new CMS function
openssl_pkcs7_encrypt() openssl_cms_encrypt()
openssl_pkcs7_decrypt() openssl_cms_decrypt()
openssl_pkcs7_sign() openssl_cms_sign()
openssl_pkcs7_verify () openssl_cms_verify()
openssl_pkcs7_read () openssl_cms_read()

As currently stands, the CMS sign and verify functions now can take as an argument the encoding method (DER/CMS/PEM).

The calling interface is as follows:

function openssl_cms_verify(string $filename, int $flags = 0, string $signerscerts = UNKNOWN,
array $cainfo = UNKNOWN, string $extracerts = UNKNOWN, string $content = UNKNOWN, string $pk7 = UNKNOWN, string $sigfile = UNKNOWN, $encoding = ENCODING_CMS ): bool {}
function openssl_cms_encrypt(string $infile, string $outfile, $recipcerts, ?array $headers, int $flags = 0, int $cipher = OPENSSL_CIPHER_RC2_40): bool {}
function openssl_cms_sign(string $infile, string $outfile, $signcert, $signkey, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_CMS, ?string $extracertsfilename = null): bool {}
function openssl_cms_decrypt(string $infilename, string $outfilename, $recipcert, $recipkey = UNKNOWN): bool {}
function openssl_cms_read(string $infilename, &$certs): bool {}

This is nearly identical to the PKCS#7 calling interface, the only exception being $encoding.

Backward Incompatible Changes


Proposed PHP Version(s)

PHP 8.0

RFC Impact


The only change is an additional API. No modifications to existing APIs.

To Existing Extensions

openssl code is extended. No existing functions are changed.

To Opcache

These are entirely file operations.

New Constants

Several new constants are defined to indicate encoding, as follows:

OPENSSL_ENCODING_CMS /* encoding is a CMS-encoded message */
OPENSSL_ENCODING_DER /* encoding is DER (Distinguished Encoding Rules) */
OPENSSL_ENCODING_PEM /* encoding is PEM (Privacy-Enhanced Mail) */

php.ini Defaults

No change.

Open Issues

Currently encoding isn't passed to the encrypt, decrypt, and read operations.

Unaffected PHP Functionality

As these are new functions, no side effects to other functions should be expected.

Future Scope

Currently, as with the PKCS#7 calls, these calls take files as arguments. It may make sense to take strings as input and deliver strings as output. However, existing use cases do not require this, and any such change could be backward compatible with a new flag.

Proposed Voting Choices

Include these so readers know where you are heading and can discuss the proposed voting options.

Patches and Tests

This capability is available for inspection as PR5251. Tests are available in that PR. This PR is subject to change of course, based on community feedback.


After the project is implemented, this section should contain

  1. the version(s) it was merged into
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)


Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/add-cms-support.1589199500.txt.gz · Last modified: 2020/05/11 12:18 by elear