OLD | NEW |
1 =pod | 1 =pod |
2 | 2 |
3 =head1 NAME | 3 =head1 NAME |
4 | 4 |
5 smime - S/MIME utility | 5 smime - S/MIME utility |
6 | 6 |
7 =head1 SYNOPSIS | 7 =head1 SYNOPSIS |
8 | 8 |
9 B<openssl> B<smime> | 9 B<openssl> B<smime> |
10 [B<-encrypt>] | 10 [B<-encrypt>] |
11 [B<-decrypt>] | 11 [B<-decrypt>] |
12 [B<-sign>] | 12 [B<-sign>] |
| 13 [B<-resign>] |
13 [B<-verify>] | 14 [B<-verify>] |
14 [B<-pk7out>] | 15 [B<-pk7out>] |
15 [B<-des>] | 16 [B<-[cipher]>] |
16 [B<-des3>] | |
17 [B<-rc2-40>] | |
18 [B<-rc2-64>] | |
19 [B<-rc2-128>] | |
20 [B<-aes128>] | |
21 [B<-aes192>] | |
22 [B<-aes256>] | |
23 [B<-camellia128>] | |
24 [B<-camellia192>] | |
25 [B<-camellia256>] | |
26 [B<-in file>] | 17 [B<-in file>] |
27 [B<-certfile file>] | 18 [B<-certfile file>] |
28 [B<-signer file>] | 19 [B<-signer file>] |
29 [B<-recip file>] | 20 [B<-recip file>] |
30 [B<-inform SMIME|PEM|DER>] | 21 [B<-inform SMIME|PEM|DER>] |
31 [B<-passin arg>] | 22 [B<-passin arg>] |
32 [B<-inkey file>] | 23 [B<-inkey file>] |
33 [B<-out file>] | 24 [B<-out file>] |
34 [B<-outform SMIME|PEM|DER>] | 25 [B<-outform SMIME|PEM|DER>] |
35 [B<-content file>] | 26 [B<-content file>] |
36 [B<-to addr>] | 27 [B<-to addr>] |
37 [B<-from ad>] | 28 [B<-from ad>] |
38 [B<-subject s>] | 29 [B<-subject s>] |
39 [B<-text>] | 30 [B<-text>] |
| 31 [B<-indef>] |
| 32 [B<-noindef>] |
| 33 [B<-stream>] |
40 [B<-rand file(s)>] | 34 [B<-rand file(s)>] |
| 35 [B<-md digest>] |
41 [cert.pem]... | 36 [cert.pem]... |
42 | 37 |
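Review bot: the SYNOPSIS is now out of step with the option list below it: the certificate-chain verification options this same change documents near the end of COMMAND OPTIONS (-purpose, -crl_check, -crl_check_all, -x509_strict and the rest) are not listed here, and neither are the existing -nointern, -noverify, -CAfile and -CApath. Add them in the same [B<-option arg>] style as the other entries so the synopsis stays a complete summary. Consider also placing the new [B<-md digest>] next to [B<-sign>] and [B<-resign>] rather than after [B<-rand file(s)>], since it only applies when signing.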
43 =head1 DESCRIPTION | 38 =head1 DESCRIPTION |
44 | 39 |
45 The B<smime> command handles S/MIME mail. It can encrypt, decrypt, sign and | 40 The B<smime> command handles S/MIME mail. It can encrypt, decrypt, sign and |
46 verify S/MIME messages. | 41 verify S/MIME messages. |
47 | 42 |
48 =head1 COMMAND OPTIONS | 43 =head1 COMMAND OPTIONS |
49 | 44 |
50 There are five operation options that set the type of operation to be performed. | 45 There are six operation options that set the type of operation to be performed. |
51 The meaning of the other options varies according to the operation type. | 46 The meaning of the other options varies according to the operation type. |
52 | 47 |
53 =over 4 | 48 =over 4 |
54 | 49 |
55 =item B<-encrypt> | 50 =item B<-encrypt> |
56 | 51 |
57 encrypt mail for the given recipient certificates. Input file is the message | 52 encrypt mail for the given recipient certificates. Input file is the message |
58 to be encrypted. The output file is the encrypted mail in MIME format. | 53 to be encrypted. The output file is the encrypted mail in MIME format. |
59 | 54 |
60 =item B<-decrypt> | 55 =item B<-decrypt> |
(...skipping 10 matching lines...)
71 | 66 |
72 =item B<-verify> | 67 =item B<-verify> |
73 | 68 |
74 verify signed mail. Expects a signed mail message on input and outputs | 69 verify signed mail. Expects a signed mail message on input and outputs |
75 the signed data. Both clear text and opaque signing is supported. | 70 the signed data. Both clear text and opaque signing is supported. |
76 | 71 |
77 =item B<-pk7out> | 72 =item B<-pk7out> |
78 | 73 |
79 takes an input message and writes out a PEM encoded PKCS#7 structure. | 74 takes an input message and writes out a PEM encoded PKCS#7 structure. |
80 | 75 |
| 76 =item B<-resign> |
| 77 |
| 78 resign a message: take an existing message and one or more new signers. |
| 79 |
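Review bot: the -resign item is placed after -pk7out, while the SYNOPSIS lists it between -sign and -verify; move it so the two orderings agree. The one-line description should also say what is read and written (a signed message on input, the same message with the additional signer or signers on output, with -inform/-outform applying as for -verify) and point at the NOTES restriction that the new signer must use a message digest already present in the message, otherwise readers only discover that failure mode at run time.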
81 =item B<-in filename> | 80 =item B<-in filename> |
82 | 81 |
83 the input message to be encrypted or signed or the MIME message to | 82 the input message to be encrypted or signed or the MIME message to |
84 be decrypted or verified. | 83 be decrypted or verified. |
85 | 84 |
86 =item B<-inform SMIME|PEM|DER> | 85 =item B<-inform SMIME|PEM|DER> |
87 | 86 |
88 this specifies the input format for the PKCS#7 structure. The default | 87 this specifies the input format for the PKCS#7 structure. The default |
89 is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER> | 88 is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER> |
90 format change this to expect PEM and DER format PKCS#7 structures | 89 format change this to expect PEM and DER format PKCS#7 structures |
91 instead. This currently only affects the input format of the PKCS#7 | 90 instead. This currently only affects the input format of the PKCS#7 |
92 structure, if no PKCS#7 structure is being input (for example with | 91 structure, if no PKCS#7 structure is being input (for example with |
93 B<-encrypt> or B<-sign>) this option has no effect. | 92 B<-encrypt> or B<-sign>) this option has no effect. |
94 | 93 |
95 =item B<-out filename> | 94 =item B<-out filename> |
96 | 95 |
97 the message text that has been decrypted or verified or the output MIME | 96 the message text that has been decrypted or verified or the output MIME |
98 format message that has been signed or verified. | 97 format message that has been signed or verified. |
99 | 98 |
100 =item B<-outform SMIME|PEM|DER> | 99 =item B<-outform SMIME|PEM|DER> |
101 | 100 |
102 this specifies the output format for the PKCS#7 structure. The default | 101 this specifies the output format for the PKCS#7 structure. The default |
103 is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER> | 102 is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER> |
104 format change this to write PEM and DER format PKCS#7 structures | 103 format change this to write PEM and DER format PKCS#7 structures |
105 instead. This currently only affects the output format of the PKCS#7 | 104 instead. This currently only affects the output format of the PKCS#7 |
106 structure, if no PKCS#7 structure is being output (for example with | 105 structure, if no PKCS#7 structure is being output (for example with |
107 B<-verify> or B<-decrypt>) this option has no effect. | 106 B<-verify> or B<-decrypt>) this option has no effect. |
108 | 107 |
| 108 =item B<-stream -indef -noindef> |
| 109 |
| 110 the B<-stream> and B<-indef> options are equivalent and enable streaming I/O |
| 111 for encoding operations. This permits single pass processing of data without |
| 112 the need to hold the entire contents in memory, potentially supporting very |
| 113 large files. Streaming is automatically set for S/MIME signing with detached |
| 114 data if the output format is B<SMIME> it is currently off by default for all |
| 115 other operations. |
| 116 |
| 117 =item B<-noindef> |
| 118 |
| 119 disable streaming I/O where it would produce and indefinite length constructed |
| 120 encoding. This option currently has no effect. In future streaming will be |
| 121 enabled by default on all relevant operations and this option will disable it. |
| 122 |
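Review bot: -noindef is named in the heading "=item B<-stream -indef -noindef>" and then documented again in its own item directly below; drop it from the first heading so the combined entry covers only the two options it says are equivalent. Two wording fixes in the same lines: "produce and indefinite length" should read "produce an indefinite length", and "if the output format is B<SMIME> it is currently off by default" runs two sentences together (break after B<SMIME>). Since the second item says -noindef currently has no effect, readers will ask whether it can switch off the detached-signing case that the first item says streams automatically; state explicitly that it cannot.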
109 =item B<-content filename> | 123 =item B<-content filename> |
110 | 124 |
111 This specifies a file containing the detached content, this is only | 125 This specifies a file containing the detached content, this is only |
112 useful with the B<-verify> command. This is only usable if the PKCS#7 | 126 useful with the B<-verify> command. This is only usable if the PKCS#7 |
113 structure is using the detached signature form where the content is | 127 structure is using the detached signature form where the content is |
114 not included. This option will override any content if the input format | 128 not included. This option will override any content if the input format |
115 is S/MIME and it uses the multipart/signed MIME content type. | 129 is S/MIME and it uses the multipart/signed MIME content type. |
116 | 130 |
117 =item B<-text> | 131 =item B<-text> |
118 | 132 |
119 this option adds plain text (text/plain) MIME headers to the supplied | 133 this option adds plain text (text/plain) MIME headers to the supplied |
120 message if encrypting or signing. If decrypting or verifying it strips | 134 message if encrypting or signing. If decrypting or verifying it strips |
121 off text headers: if the decrypted or verified message is not of MIME | 135 off text headers: if the decrypted or verified message is not of MIME |
122 type text/plain then an error occurs. | 136 type text/plain then an error occurs. |
123 | 137 |
124 =item B<-CAfile file> | 138 =item B<-CAfile file> |
125 | 139 |
126 a file containing trusted CA certificates, only used with B<-verify>. | 140 a file containing trusted CA certificates, only used with B<-verify>. |
127 | 141 |
128 =item B<-CApath dir> | 142 =item B<-CApath dir> |
129 | 143 |
130 a directory containing trusted CA certificates, only used with | 144 a directory containing trusted CA certificates, only used with |
131 B<-verify>. This directory must be a standard certificate directory: that | 145 B<-verify>. This directory must be a standard certificate directory: that |
132 is a hash of each subject name (using B<x509 -hash>) should be linked | 146 is a hash of each subject name (using B<x509 -hash>) should be linked |
133 to each certificate. | 147 to each certificate. |
134 | 148 |
135 =item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128
-camellia192 -camellia256> | 149 =item B<-md digest> |
136 | 150 |
137 the encryption algorithm to use. DES (56 bits), triple DES (168 bits), | 151 digest algorithm to use when signing or resigning. If not present then the |
138 40, 64 or 128 bit RC2, 128, 192 or 256 bit AES, or 128, 192 or 256 bit Camellia
respectively. If not | 152 default digest algorithm for the signing key will be used (usually SHA1). |
139 specified 40 bit RC2 is used. Only used with B<-encrypt>. | 153 |
| 154 =item B<-[cipher]> |
| 155 |
| 156 the encryption algorithm to use. For example DES (56 bits) - B<-des>, |
| 157 triple DES (168 bits) - B<-des3>, |
| 158 EVP_get_cipherbyname() function) can also be used preceded by a dash, for |
| 159 example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers |
| 160 supported by your version of OpenSSL. |
| 161 |
| 162 If not specified 40 bit RC2 is used. Only used with B<-encrypt>. |
140 | 163 |
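Review bot: the -[cipher] text has lost the start of a sentence: the line beginning "EVP_get_cipherbyname() function) can also be used preceded by a dash" opens with an unbalanced closing parenthesis, and the RC2, AES and Camellia choices that the removed paragraph documented ("40, 64 or 128 bit RC2, 128, 192 or 256 bit AES, or 128, 192 or 256 bit Camellia") no longer appear anywhere. Restore that list after "triple DES (168 bits) - B<-des3>," and lead into the EVP sentence with wording such as "Any standard cipher name (as used by the" so the parenthesis closes. Because the entry keeps "If not specified 40 bit RC2 is used", say there that this default exists for compatibility and that a 40-bit key gives no meaningful confidentiality, so readers who take up the new "any cipher name" freedom know to pass -aes256 or similar; the "(usually SHA1)" default under -md digest deserves the same treatment, with a pointer to -md sha256.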
141 =item B<-nointern> | 164 =item B<-nointern> |
142 | 165 |
143 when verifying a message normally certificates (if any) included in | 166 when verifying a message normally certificates (if any) included in |
144 the message are searched for the signing certificate. With this option | 167 the message are searched for the signing certificate. With this option |
145 only the certificates specified in the B<-certfile> option are used. | 168 only the certificates specified in the B<-certfile> option are used. |
146 The supplied certificates can still be used as untrusted CAs however. | 169 The supplied certificates can still be used as untrusted CAs however. |
147 | 170 |
148 =item B<-noverify> | 171 =item B<-noverify> |
149 | 172 |
(...skipping 36 matching lines...)
186 the MIME type multipart/signed is used. | 209 the MIME type multipart/signed is used. |
187 | 210 |
188 =item B<-certfile file> | 211 =item B<-certfile file> |
189 | 212 |
190 allows additional certificates to be specified. When signing these will | 213 allows additional certificates to be specified. When signing these will |
191 be included with the message. When verifying these will be searched for | 214 be included with the message. When verifying these will be searched for |
192 the signers certificates. The certificates should be in PEM format. | 215 the signers certificates. The certificates should be in PEM format. |
193 | 216 |
194 =item B<-signer file> | 217 =item B<-signer file> |
195 | 218 |
196 the signers certificate when signing a message. If a message is | 219 a signing certificate when signing or resigning a message, this option can be |
197 being verified then the signers certificates will be written to this | 220 used multiple times if more than one signer is required. If a message is being |
198 file if the verification was successful. | 221 verified then the signers certificates will be written to this file if the |
| 222 verification was successful. |
199 | 223 |
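Review bot: with -signer now repeatable for signing, the verification sentence ("the signers certificates will be written to this file") is ambiguous when more than one -signer is given together with -verify; state whether only the first is used, all certificates are written to that one file, or repetition is an error in that mode. The entry should also say how repeated -signer options pair with -inkey (the -inkey entry only says "successive keys"), presumably by position, and what happens for a signer certificate with no matching -inkey, i.e. whether the key must then be in that PEM file as the single-signer text already requires.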
200 =item B<-recip file> | 224 =item B<-recip file> |
201 | 225 |
202 the recipients certificate when decrypting a message. This certificate | 226 the recipients certificate when decrypting a message. This certificate |
203 must match one of the recipients of the message or an error occurs. | 227 must match one of the recipients of the message or an error occurs. |
204 | 228 |
205 =item B<-inkey file> | 229 =item B<-inkey file> |
206 | 230 |
207 the private key to use when signing or decrypting. This must match the | 231 the private key to use when signing or decrypting. This must match the |
208 corresponding certificate. If this option is not specified then the | 232 corresponding certificate. If this option is not specified then the |
209 private key must be included in the certificate file specified with | 233 private key must be included in the certificate file specified with |
210 the B<-recip> or B<-signer> file. | 234 the B<-recip> or B<-signer> file. When signing this option can be used |
| 235 multiple times to specify successive keys. |
211 | 236 |
212 =item B<-passin arg> | 237 =item B<-passin arg> |
213 | 238 |
214 the private key password source. For more information about the format of B<arg> | 239 the private key password source. For more information about the format of B<arg> |
215 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. | 240 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. |
216 | 241 |
217 =item B<-rand file(s)> | 242 =item B<-rand file(s)> |
218 | 243 |
219 a file or files containing random data used to seed the random number | 244 a file or files containing random data used to seed the random number |
220 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). | 245 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). |
221 Multiple files can be specified separated by a OS-dependent character. | 246 Multiple files can be specified separated by a OS-dependent character. |
222 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for | 247 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for |
223 all others. | 248 all others. |
224 | 249 |
225 =item B<cert.pem...> | 250 =item B<cert.pem...> |
226 | 251 |
227 one or more certificates of message recipients: used when encrypting | 252 one or more certificates of message recipients: used when encrypting |
228 a message. | 253 a message. |
229 | 254 |
230 =item B<-to, -from, -subject> | 255 =item B<-to, -from, -subject> |
231 | 256 |
232 the relevant mail headers. These are included outside the signed | 257 the relevant mail headers. These are included outside the signed |
233 portion of a message so they may be included manually. If signing | 258 portion of a message so they may be included manually. If signing |
234 then many S/MIME mail clients check the signers certificate's email | 259 then many S/MIME mail clients check the signers certificate's email |
235 address matches that specified in the From: address. | 260 address matches that specified in the From: address. |
236 | 261 |
| 262 =item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all,
-policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> |
| 263 |
| 264 Set various options of certificate chain verification. See |
| 265 L<B<verify>|verify(1)> manual page for details. |
| 266 |
237 =back | 267 =back |
238 | 268 |
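Review bot: the option list in the "=item B<-purpose, -ignore_critical, ...>" heading is inconsistent: -policy_check and -policy both appear, and "-policy -check_ss_sig" is missing the comma every other entry has, so a reader cannot tell whether -policy takes an argument or is a separate flag from -check_ss_sig. Match the spelling used in the verify(1) page, and say, as the -CAfile and -CApath entries do, that these options are only used with -verify.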
239 =head1 NOTES | 269 =head1 NOTES |
240 | 270 |
241 The MIME message must be sent without any blank lines between the | 271 The MIME message must be sent without any blank lines between the |
242 headers and the output. Some mail programs will automatically add | 272 headers and the output. Some mail programs will automatically add |
243 a blank line. Piping the mail directly to sendmail is one way to | 273 a blank line. Piping the mail directly to sendmail is one way to |
244 achieve the correct format. | 274 achieve the correct format. |
245 | 275 |
246 The supplied message to be signed or encrypted must include the | 276 The supplied message to be signed or encrypted must include the |
247 necessary MIME headers or many S/MIME clients wont display it | 277 necessary MIME headers or many S/MIME clients wont display it |
248 properly (if at all). You can use the B<-text> option to automatically | 278 properly (if at all). You can use the B<-text> option to automatically |
249 add plain text headers. | 279 add plain text headers. |
250 | 280 |
251 A "signed and encrypted" message is one where a signed message is | 281 A "signed and encrypted" message is one where a signed message is |
252 then encrypted. This can be produced by encrypting an already signed | 282 then encrypted. This can be produced by encrypting an already signed |
253 message: see the examples section. | 283 message: see the examples section. |
254 | 284 |
255 This version of the program only allows one signer per message but it | 285 This version of the program only allows one signer per message but it |
256 will verify multiple signers on received messages. Some S/MIME clients | 286 will verify multiple signers on received messages. Some S/MIME clients |
257 choke if a message contains multiple signers. It is possible to sign | 287 choke if a message contains multiple signers. It is possible to sign |
258 messages "in parallel" by signing an already signed message. | 288 messages "in parallel" by signing an already signed message. |
259 | 289 |
260 The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME | 290 The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME |
261 clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 | 291 clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 |
262 encrypted data is used for other purposes. | 292 encrypted data is used for other purposes. |
263 | 293 |
| 294 The B<-resign> option uses an existing message digest when adding a new |
| 295 signer. This means that attributes must be present in at least one existing |
| 296 signer using the same message digest or this operation will fail. |
| 297 |
| 298 The B<-stream> and B<-indef> options enable experimental streaming I/O support. |
| 299 As a result the encoding is BER using indefinite length constructed encoding |
| 300 and no longer DER. Streaming is supported for the B<-encrypt> operation and the |
| 301 B<-sign> operation if the content is not detached. |
| 302 |
| 303 Streaming is always used for the B<-sign> operation with detached data but |
| 304 since the content is no longer part of the PKCS#7 structure the encoding |
| 305 remains DER. |
| 306 |
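Review bot: the unchanged paragraph above ("This version of the program only allows one signer per message") is now wrong, since this change adds a repeatable -signer and -resign; rewrite it to say that multiple signers are supported and keep only the caveat that some S/MIME clients choke on them. In the new -resign paragraph, "attributes must be present in at least one existing signer using the same message digest" should be tied back to -md (the new signer's digest, whether chosen with -md or the key's default, must match one already in the message) so the failure has an actionable fix. The two streaming paragraphs also read as contradictory on first pass ("Streaming is supported for ... the B<-sign> operation if the content is not detached" followed by "Streaming is always used for the B<-sign> operation with detached data"); make the first say that the options enable streaming for those operations, while detached signing streams regardless and stays DER because the content lies outside the PKCS#7 structure.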
264 =head1 EXIT CODES | 307 =head1 EXIT CODES |
265 | 308 |
266 =over 4 | 309 =over 4 |
267 | 310 |
268 =item 0 | 311 =item 0 |
269 | 312 |
270 the operation was completely successfully. | 313 the operation was completely successfully. |
271 | 314 |
272 =item 1 | 315 =item 1 |
273 | 316 |
(...skipping 19 matching lines...)
293 | 336 |
294 =back | 337 =back |
295 | 338 |
296 =head1 EXAMPLES | 339 =head1 EXAMPLES |
297 | 340 |
298 Create a cleartext signed message: | 341 Create a cleartext signed message: |
299 | 342 |
300 openssl smime -sign -in message.txt -text -out mail.msg \ | 343 openssl smime -sign -in message.txt -text -out mail.msg \ |
301 -signer mycert.pem | 344 -signer mycert.pem |
302 | 345 |
303 Create and opaque signed message | 346 Create an opaque signed message: |
304 | 347 |
305 openssl smime -sign -in message.txt -text -out mail.msg -nodetach \ | 348 openssl smime -sign -in message.txt -text -out mail.msg -nodetach \ |
306 -signer mycert.pem | 349 -signer mycert.pem |
307 | 350 |
308 Create a signed message, include some additional certificates and | 351 Create a signed message, include some additional certificates and |
309 read the private key from another file: | 352 read the private key from another file: |
310 | 353 |
311 openssl smime -sign -in in.txt -text -out mail.msg \ | 354 openssl smime -sign -in in.txt -text -out mail.msg \ |
312 -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem | 355 -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem |
313 | 356 |
| 357 Create a signed message with two signers: |
| 358 |
| 359 openssl smime -sign -in message.txt -text -out mail.msg \ |
| 360 -signer mycert.pem -signer othercert.pem |
| 361 |
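Review bot: the two-signer example gives no -inkey, so it only works when both mycert.pem and othercert.pem also contain their private keys (per the -inkey entry); show the explicit form with two paired -inkey options as well, since that is how keys are usually kept. A pointer to the NOTES caveat that some S/MIME clients choke on multiple signers would save readers a support ticket.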
314 Send a signed message under Unix directly to sendmail, including headers: | 362 Send a signed message under Unix directly to sendmail, including headers: |
315 | 363 |
316 openssl smime -sign -in in.txt -text -signer mycert.pem \ | 364 openssl smime -sign -in in.txt -text -signer mycert.pem \ |
317 -from steve@openssl.org -to someone@somewhere \ | 365 -from steve@openssl.org -to someone@somewhere \ |
318 -subject "Signed message" | sendmail someone@somewhere | 366 -subject "Signed message" | sendmail someone@somewhere |
319 | 367 |
320 Verify a message and extract the signer's certificate if successful: | 368 Verify a message and extract the signer's certificate if successful: |
321 | 369 |
322 openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt | 370 openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt |
323 | 371 |
324 Send encrypted mail using triple DES: | 372 Send encrypted mail using triple DES: |
325 | 373 |
326 openssl smime -encrypt -in in.txt -from steve@openssl.org \ | 374 openssl smime -encrypt -in in.txt -from steve@openssl.org \ |
327 -to someone@somewhere -subject "Encrypted message" \ | 375 -to someone@somewhere -subject "Encrypted message" \ |
328 -des3 user.pem -out mail.msg | 376 -des3 user.pem -out mail.msg |
329 | 377 |
330 Sign and encrypt mail: | 378 Sign and encrypt mail: |
331 | 379 |
332 openssl smime -sign -in ml.txt -signer my.pem -text \ | 380 openssl smime -sign -in ml.txt -signer my.pem -text \ |
333 | openssl smime -encrypt -out mail.msg \ | 381 | openssl smime -encrypt -out mail.msg \ |
334 -from steve@openssl.org -to someone@somewhere \ | 382 -from steve@openssl.org -to someone@somewhere \ |
335 -subject "Signed and Encrypted message" -des3 user.pem | 383 -subject "Signed and Encrypted message" -des3 user.pem |
336 | 384 |
337 Note: the encryption command does not include the B<-text> option because the me
ssage | 385 Note: the encryption command does not include the B<-text> option because the |
338 being encrypted already has MIME headers. | 386 message being encrypted already has MIME headers. |
339 | 387 |
340 Decrypt mail: | 388 Decrypt mail: |
341 | 389 |
342 openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem | 390 openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem |
343 | 391 |
344 The output from Netscape form signing is a PKCS#7 structure with the | 392 The output from Netscape form signing is a PKCS#7 structure with the |
345 detached signature format. You can use this program to verify the | 393 detached signature format. You can use this program to verify the |
346 signature by line wrapping the base64 encoded structure and surrounding | 394 signature by line wrapping the base64 encoded structure and surrounding |
347 it with: | 395 it with: |
348 | 396 |
349 -----BEGIN PKCS7----- | 397 -----BEGIN PKCS7----- |
350 -----END PKCS7----- | 398 -----END PKCS7----- |
351 | 399 |
352 and using the command, | 400 and using the command: |
353 | 401 |
354 openssl smime -verify -inform PEM -in signature.pem -content content.txt | 402 openssl smime -verify -inform PEM -in signature.pem -content content.txt |
355 | 403 |
356 alternatively you can base64 decode the signature and use | 404 Alternatively you can base64 decode the signature and use: |
357 | 405 |
358 openssl smime -verify -inform DER -in signature.der -content content.txt | 406 openssl smime -verify -inform DER -in signature.der -content content.txt |
359 | 407 |
360 Create an encrypted message using 128 bit Camellia: | 408 Create an encrypted message using 128 bit Camellia: |
361 | 409 |
362 openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem | 410 openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem |
363 | 411 |
| 412 Add a signer to an existing message: |
| 413 |
| 414 openssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg |
| 415 |
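Review bot: this example fails if the default digest for the key in newsign.pem differs from the digest used by the existing signer of mail.msg (NOTES says the message digest must already be present); mention that -md selects the matching digest, and, as with the other examples, that the private key must be in newsign.pem when no -inkey is given.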
364 =head1 BUGS | 416 =head1 BUGS |
365 | 417 |
366 The MIME parser isn't very clever: it seems to handle most messages that I've th
rown | 418 The MIME parser isn't very clever: it seems to handle most messages that I've |
367 at it but it may choke on others. | 419 thrown at it but it may choke on others. |
368 | 420 |
369 The code currently will only write out the signer's certificate to a file: if th
e | 421 The code currently will only write out the signer's certificate to a file: if |
370 signer has a separate encryption certificate this must be manually extracted. Th
ere | 422 the signer has a separate encryption certificate this must be manually |
371 should be some heuristic that determines the correct encryption certificate. | 423 extracted. There should be some heuristic that determines the correct |
| 424 encryption certificate. |
372 | 425 |
373 Ideally a database should be maintained of a certificates for each email address
. | 426 Ideally a database should be maintained of a certificates for each email |
| 427 address. |
374 | 428 |
375 The code doesn't currently take note of the permitted symmetric encryption | 429 The code doesn't currently take note of the permitted symmetric encryption |
376 algorithms as supplied in the SMIMECapabilities signed attribute. this means the | 430 algorithms as supplied in the SMIMECapabilities signed attribute. This means the |
377 user has to manually include the correct encryption algorithm. It should store | 431 user has to manually include the correct encryption algorithm. It should store |
378 the list of permitted ciphers in a database and only use those. | 432 the list of permitted ciphers in a database and only use those. |
379 | 433 |
380 No revocation checking is done on the signer's certificate. | 434 No revocation checking is done on the signer's certificate. |
381 | 435 |
382 The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 | 436 The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 |
383 structures may cause parsing errors. | 437 structures may cause parsing errors. |
384 | 438 |
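Review bot: "No revocation checking is done on the signer's certificate" is no longer accurate once -crl_check and -crl_check_all are documented in this change; change it to say that revocation checking is off unless those options are supplied and CRLs are available to the verifier. The SMIMECapabilities paragraph is still true and, now that -[cipher] accepts any cipher name, worth keeping prominent: the sender has to choose an algorithm the recipient supports by hand.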
| 439 =head1 HISTORY |
| 440 |
| 441 The use of multiple B<-signer> options and the B<-resign> command were first |
| 442 added in OpenSSL 1.0.0 |
| 443 |
| 444 |
385 =cut | 445 =cut |
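Review bot: HISTORY records only the repeatable -signer option and -resign; -md, -stream/-indef/-noindef, the generic -[cipher] form and the chain-verification options are added by this same change and should be listed with the same version. Minor: the sentence lacks a full stop after "OpenSSL 1.0.0", and there are two blank lines before =cut where the rest of the file uses one.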