Function build_cms_enveloped_data 

pub fn build_cms_enveloped_data(
    payload: &[u8],
    recipient_cert_der: &[u8],
    content_encryption_alg: &str,
) -> Result<Vec<u8>, KipukaError>

Build a CMS EnvelopedData message to encrypt a response payload.

RFC 8295 §3.2: The EST server encrypts the response (issued certificate) to the client’s public key so that only the client can decrypt it, even if the transport layer is plain HTTP.

The construction follows RFC 5652 §6 (EnvelopedData):

1. Generate a random content-encryption key (CEK) for the selected algorithm (content_encryption_alg).
2. Encrypt payload with the CEK to produce the encryptedContent.
3. Encrypt the CEK to the recipient’s public key (from recipient_cert_der) using KeyTransRecipientInfo (ktri).
4. Assemble the EnvelopedData:
   • version: 0 (ktri with issuerAndSerialNumber)
   • recipientInfos: one KeyTransRecipientInfo
   • encryptedContentInfo: the encrypted payload
5. Wrap in ContentInfo with contentType = id-envelopedData (OID 1.2.840.113549.1.7.3).
6. Return the DER-encoded ContentInfo.

Arguments

• payload — the plaintext to encrypt (e.g., DER-encoded certificate).
• recipient_cert_der — DER-encoded certificate of the recipient; the public key is extracted for key transport.
• content_encryption_alg — algorithm name or OID for content encryption (validated via validate_content_encryption).

Errors

• KipukaError::BadRequest — empty payload, invalid certificate, unsupported algorithm.
• KipukaError::Internal — crypto operations not yet implemented.