OLD | NEW |
(Empty) | |
| 1 =pod |
| 2 |
| 3 =head1 NAME |
| 4 |
| 5 PKCS7_sign_add_signer - add a signer PKCS7 signed data structure. |
| 6 |
| 7 =head1 SYNOPSIS |
| 8 |
| 9 #include <openssl/pkcs7.h> |
| 10 |
| 11 PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *p
key, const EVP_MD *md, int flags); |
| 12 |
| 13 |
| 14 =head1 DESCRIPTION |
| 15 |
| 16 PKCS7_sign_add_signer() adds a signer with certificate B<signcert> and private |
| 17 key B<pkey> using message digest B<md> to a PKCS7 signed data structure |
| 18 B<p7>. |
| 19 |
| 20 The PKCS7 structure should be obtained from an initial call to PKCS7_sign() |
| 21 with the flag B<PKCS7_PARTIAL> set or in the case or re-signing a valid PKCS7 |
| 22 signed data structure. |
| 23 |
| 24 If the B<md> parameter is B<NULL> then the default digest for the public |
| 25 key algorithm will be used. |
| 26 |
| 27 Unless the B<PKCS7_REUSE_DIGEST> flag is set the returned PKCS7 structure |
| 28 is not complete and must be finalized either by streaming (if applicable) or |
| 29 a call to PKCS7_final(). |
| 30 |
| 31 |
| 32 =head1 NOTES |
| 33 |
| 34 The main purpose of this function is to provide finer control over a PKCS#7 |
| 35 signed data structure where the simpler PKCS7_sign() function defaults are |
| 36 not appropriate. For example if multiple signers or non default digest |
| 37 algorithms are needed. |
| 38 |
| 39 Any of the following flags (ored together) can be passed in the B<flags> |
| 40 parameter. |
| 41 |
| 42 If B<PKCS7_REUSE_DIGEST> is set then an attempt is made to copy the content |
| 43 digest value from the PKCS7 struture: to add a signer to an existing structure. |
| 44 An error occurs if a matching digest value cannot be found to copy. The |
| 45 returned PKCS7 structure will be valid and finalized when this flag is set. |
| 46 |
| 47 If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the |
| 48 B<PKCS7_SIGNER_INO> structure will not be finalized so additional attributes |
| 49 can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is |
| 50 needed to finalize it. |
| 51 |
| 52 If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the |
| 53 PKCS7 structure, the signer's certificate must still be supplied in the |
| 54 B<signcert> parameter though. This can reduce the size of the signature if the |
| 55 signers certificate can be obtained by other means: for example a previously |
| 56 signed message. |
| 57 |
| 58 The signedData structure includes several PKCS#7 autenticatedAttributes |
| 59 including the signing time, the PKCS#7 content type and the supported list of |
| 60 ciphers in an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no |
| 61 authenticatedAttributes will be used. If B<PKCS7_NOSMIMECAP> is set then just |
| 62 the SMIMECapabilities are omitted. |
| 63 |
| 64 If present the SMIMECapabilities attribute indicates support for the following |
| 65 algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of |
| 66 these algorithms is disabled then it will not be included. |
| 67 |
| 68 |
| 69 PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO |
| 70 structure just added, this can be used to set additional attributes |
| 71 before it is finalized. |
| 72 |
| 73 =head1 RETURN VALUES |
| 74 |
| 75 PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO |
| 76 structure just added or NULL if an error occurs. |
| 77 |
| 78 =head1 SEE ALSO |
| 79 |
| 80 L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>, |
| 81 L<PKCS7_final(3)|PKCS7_final(3)>, |
| 82 |
| 83 =head1 HISTORY |
| 84 |
| 85 PPKCS7_sign_add_signer() was added to OpenSSL 1.0.0 |
| 86 |
| 87 =cut |
OLD | NEW |