| Index: openssl/doc/apps/smime.pod
|
| ===================================================================
|
| --- openssl/doc/apps/smime.pod (revision 105093)
|
| +++ openssl/doc/apps/smime.pod (working copy)
|
| @@ -10,19 +10,10 @@
|
| [B<-encrypt>]
|
| [B<-decrypt>]
|
| [B<-sign>]
|
| +[B<-resign>]
|
| [B<-verify>]
|
| [B<-pk7out>]
|
| -[B<-des>]
|
| -[B<-des3>]
|
| -[B<-rc2-40>]
|
| -[B<-rc2-64>]
|
| -[B<-rc2-128>]
|
| -[B<-aes128>]
|
| -[B<-aes192>]
|
| -[B<-aes256>]
|
| -[B<-camellia128>]
|
| -[B<-camellia192>]
|
| -[B<-camellia256>]
|
| +[B<-[cipher]>]
|
| [B<-in file>]
|
| [B<-certfile file>]
|
| [B<-signer file>]
|
| @@ -37,7 +28,11 @@
|
| [B<-from ad>]
|
| [B<-subject s>]
|
| [B<-text>]
|
| +[B<-indef>]
|
| +[B<-noindef>]
|
| +[B<-stream>]
|
| [B<-rand file(s)>]
|
| +[B<-md digest>]
|
| [cert.pem]...
|
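Review bot: the SYNOPSIS is out of step with the COMMAND OPTIONS section this patch also edits. The chain-verification options documented further down (-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy, -check_ss_sig) are not listed here, while -md digest, -stream, -indef and -noindef are; either add them to the synopsis or say in that item that they are intentionally omitted. Also, "[B<-md digest>]" is placed after "[B<-rand file(s)>]"; putting it next to "[B<-[cipher]>]" would keep the algorithm-selection options together.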
|
|
| =head1 DESCRIPTION
|
| @@ -47,7 +42,7 @@
|
|
|
| =head1 COMMAND OPTIONS
|
|
|
| -There are five operation options that set the type of operation to be performed.
|
| +There are six operation options that set the type of operation to be performed.
|
| The meaning of the other options varies according to the operation type.
|
|
|
| =over 4
|
| @@ -78,6 +73,10 @@
|
|
|
| takes an input message and writes out a PEM encoded PKCS#7 structure.
|
|
|
| +=item B<-resign>
|
| +
|
| +resign a message: take an existing message and one or more new signers.
|
| +
|
| =item B<-in filename>
|
|
|
| the input message to be encrypted or signed or the MIME message to
|
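Review bot: "resign a message: take an existing message and one or more new signers." is too terse to act on. Say that the input must be an existing signed message, that the new signers are supplied with -signer (and -inkey where the key is separate) and are added alongside the existing ones, and cross-reference the NOTES restriction that at least one existing signer must have used the same message digest; a reader of this item alone has no way to know the operation can fail for that reason.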
| @@ -106,6 +105,21 @@
|
| structure, if no PKCS#7 structure is being output (for example with
|
| B<-verify> or B<-decrypt>) this option has no effect.
|
|
|
| +=item B<-stream -indef -noindef>
|
| +
|
| +the B<-stream> and B<-indef> options are equivalent and enable streaming I/O
|
| +for encoding operations. This permits single pass processing of data without
|
| +the need to hold the entire contents in memory, potentially supporting very
|
| +large files. Streaming is automatically set for S/MIME signing with detached
|
| +data if the output format is B<SMIME> it is currently off by default for all
|
| +other operations.
|
| +
|
| +=item B<-noindef>
|
| +
|
| +disable streaming I/O where it would produce and indefinite length constructed
|
| +encoding. This option currently has no effect. In future streaming will be
|
| +enabled by default on all relevant operations and this option will disable it.
|
| +
|
| =item B<-content filename>
|
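Review bot: -noindef appears both in the combined heading "=item B<-stream -indef -noindef>" and in its own "=item B<-noindef>" directly below, yet the combined item's text only describes -stream and -indef; drop -noindef from the first heading. In the same item, "Streaming is automatically set for S/MIME signing with detached data if the output format is B<SMIME> it is currently off by default for all other operations." runs two sentences together; split after "B<SMIME>". In the -noindef item, "produce and indefinite length" should read "produce an indefinite length".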
|
|
| This specifies a file containing the detached content, this is only
|
| @@ -132,12 +146,21 @@
|
| is a hash of each subject name (using B<x509 -hash>) should be linked
|
| to each certificate.
|
|
|
| -=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256>
|
| +=item B<-md digest>
|
|
|
| -the encryption algorithm to use. DES (56 bits), triple DES (168 bits),
|
| -40, 64 or 128 bit RC2, 128, 192 or 256 bit AES, or 128, 192 or 256 bit Camellia respectively. If not
|
| -specified 40 bit RC2 is used. Only used with B<-encrypt>.
|
| +digest algorithm to use when signing or resigning. If not present then the
|
| +default digest algorithm for the signing key will be used (usually SHA1).
|
|
|
| +=item B<-[cipher]>
|
| +
|
| +the encryption algorithm to use. For example DES (56 bits) - B<-des>,
|
| +triple DES (168 bits) - B<-des3>,
|
| +EVP_get_cipherbyname() function) can also be used preceded by a dash, for
|
| +example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers
|
| +supported by your version of OpenSSL.
|
| +
|
| +If not specified 40 bit RC2 is used. Only used with B<-encrypt>.
|
| +
|
| =item B<-nointern>
|
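Review bot: the -[cipher] item has a broken sentence. "+triple DES (168 bits) - B<-des3>," is followed directly by "+EVP_get_cipherbyname() function) can also be used preceded by a dash", which leaves an unmatched closing parenthesis and no subject for "can also be used"; a line introducing the cipher-name form (along the lines of "or any other cipher name recognised by the") appears to have been lost and should be restored. Since the explicit -aes128/-aes192/-aes256 and -camellia* entries were removed from the synopsis, it would also help to show one strong option such as B<-aes256> next to the DES examples, because the documented default remains 40-bit RC2, which should not be relied on for confidentiality. Similarly, the -md digest item could suggest an explicit stronger digest rather than leaving "(usually SHA1)" as the implied choice.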
|
|
| when verifying a message normally certificates (if any) included in
|
| @@ -193,9 +216,10 @@
|
|
|
| =item B<-signer file>
|
|
|
| -the signers certificate when signing a message. If a message is
|
| -being verified then the signers certificates will be written to this
|
| -file if the verification was successful.
|
| +a signing certificate when signing or resigning a message, this option can be
|
| +used multiple times if more than one signer is required. If a message is being
|
| +verified then the signers certificates will be written to this file if the
|
| +verification was successful.
|
|
|
| =item B<-recip file>
|
|
|
| @@ -207,7 +231,8 @@
|
| the private key to use when signing or decrypting. This must match the
|
| corresponding certificate. If this option is not specified then the
|
| private key must be included in the certificate file specified with
|
| -the B<-recip> or B<-signer> file.
|
| +the B<-recip> or B<-signer> file. When signing this option can be used
|
| +multiple times to specify successive keys.
|
|
|
| =item B<-passin arg>
|
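Review bot: "When signing this option can be used multiple times to specify successive keys." does not say how keys are paired with certificates. State that the Nth -inkey is used with the Nth -signer, and what happens when fewer -inkey options than -signer options are given (from the preceding sentence, presumably the key is then read from the corresponding signer file). Without this, a user who writes "-signer a.pem -signer b.pem -inkey b.key" cannot tell which certificate the key is matched against.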
|
|
| @@ -234,6 +259,11 @@
|
| then many S/MIME mail clients check the signers certificate's email
|
| address matches that specified in the From: address.
|
|
|
| +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
| +
|
| +Set various options of certificate chain verification. See
|
| +L<B<verify>|verify(1)> manual page for details.
|
| +
|
| =back
|
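Review bot: the option list "B<-purpose, ... -extended_crl, -x509_strict, -policy -check_ss_sig>" is missing the comma between -policy and -check_ss_sig. In verify(1) -policy takes an argument (a policy OID) and -purpose takes a purpose name, so write them as "-purpose purpose" and "-policy arg" here rather than as bare flags, matching how "-md digest" and "-in file" are written elsewhere in this page.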
|
|
| =head1 NOTES
|
| @@ -261,6 +291,19 @@
|
| clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
|
| encrypted data is used for other purposes.
|
|
|
| +The B<-resign> option uses an existing message digest when adding a new
|
| +signer. This means that attributes must be present in at least one existing
|
| +signer using the same message digest or this operation will fail.
|
| +
|
| +The B<-stream> and B<-indef> options enable experimental streaming I/O support.
|
| +As a result the encoding is BER using indefinite length constructed encoding
|
| +and no longer DER. Streaming is supported for the B<-encrypt> operation and the
|
| +B<-sign> operation if the content is not detached.
|
| +
|
| +Streaming is always used for the B<-sign> operation with detached data but
|
| +since the content is no longer part of the PKCS#7 structure the encoding
|
| +remains DER.
|
| +
|
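Review bot: "attributes must be present in at least one existing signer using the same message digest" is ambiguous about which attributes are meant; say "signed attributes" (the digest value recorded in an existing signer's signed attributes is what is reused). It would also help to spell out the consequence for -md: because -resign reuses an existing digest, a -md value that no existing signer used will make the operation fail. The second paragraph says streaming is supported for -sign only when the content is not detached, while the -stream item above says streaming is automatically set for signing with detached data and the third paragraph says it is always used for detached signing. The three statements are reconcilable (detached content is streamed but the encoding stays DER) but should be worded consistently, e.g. "Streaming can be enabled with -stream for -encrypt and for -sign with non-detached content; it is always used for -sign with detached content, where the encoding remains DER."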
| =head1 EXIT CODES
|
|
|
| =over 4
|
| @@ -300,7 +343,7 @@
|
| openssl smime -sign -in message.txt -text -out mail.msg \
|
| -signer mycert.pem
|
|
|
| -Create and opaque signed message
|
| +Create an opaque signed message:
|
|
|
| openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
|
| -signer mycert.pem
|
| @@ -311,6 +354,11 @@
|
| openssl smime -sign -in in.txt -text -out mail.msg \
|
| -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
|
|
|
| +Create a signed message with two signers:
|
| +
|
| + openssl smime -sign -in message.txt -text -out mail.msg \
|
| + -signer mycert.pem -signer othercert.pem
|
| +
|
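Review bot: the two-signer example "-signer mycert.pem -signer othercert.pem" gives no -inkey, so according to the -inkey item both PEM files must contain their private keys. Either say so beside the example or show the paired form "-signer mycert.pem -inkey mykey.pem -signer othercert.pem -inkey otherkey.pem", which would also illustrate the ordering rule for multiple keys.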
| Send a signed message under Unix directly to sendmail, including headers:
|
|
|
| openssl smime -sign -in in.txt -text -signer mycert.pem \
|
| @@ -334,8 +382,8 @@
|
| -from steve@openssl.org -to someone@somewhere \
|
| -subject "Signed and Encrypted message" -des3 user.pem
|
|
|
| -Note: the encryption command does not include the B<-text> option because the message
|
| -being encrypted already has MIME headers.
|
| +Note: the encryption command does not include the B<-text> option because the
|
| +message being encrypted already has MIME headers.
|
|
|
| Decrypt mail:
|
|
|
| @@ -349,11 +397,11 @@
|
| -----BEGIN PKCS7-----
|
| -----END PKCS7-----
|
|
|
| -and using the command,
|
| +and using the command:
|
|
|
| openssl smime -verify -inform PEM -in signature.pem -content content.txt
|
|
|
| -alternatively you can base64 decode the signature and use
|
| +Alternatively you can base64 decode the signature and use:
|
|
|
| openssl smime -verify -inform DER -in signature.der -content content.txt
|
|
|
| @@ -361,19 +409,25 @@
|
|
|
| openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
|
|
|
| +Add a signer to an existing message:
|
| +
|
| + openssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg
|
| +
|
| =head1 BUGS
|
|
|
| -The MIME parser isn't very clever: it seems to handle most messages that I've thrown
|
| -at it but it may choke on others.
|
| +The MIME parser isn't very clever: it seems to handle most messages that I've
|
| +thrown at it but it may choke on others.
|
|
|
| -The code currently will only write out the signer's certificate to a file: if the
|
| -signer has a separate encryption certificate this must be manually extracted. There
|
| -should be some heuristic that determines the correct encryption certificate.
|
| +The code currently will only write out the signer's certificate to a file: if
|
| +the signer has a separate encryption certificate this must be manually
|
| +extracted. There should be some heuristic that determines the correct
|
| +encryption certificate.
|
|
|
| -Ideally a database should be maintained of a certificates for each email address.
|
| +Ideally a database should be maintained of a certificates for each email
|
| +address.
|
|
|
| The code doesn't currently take note of the permitted symmetric encryption
|
| -algorithms as supplied in the SMIMECapabilities signed attribute. this means the
|
| +algorithms as supplied in the SMIMECapabilities signed attribute. This means the
|
| user has to manually include the correct encryption algorithm. It should store
|
| the list of permitted ciphers in a database and only use those.
|
|
|
| @@ -382,4 +436,10 @@
|
| The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
|
| structures may cause parsing errors.
|
|
|
| +=head1 HISTORY
|
| +
|
| +The use of multiple B<-signer> options and the B<-resign> command were first
|
| +added in OpenSSL 1.0.0
|
| +
|
| +
|
| =cut
|
|
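Review bot: the HISTORY entry "added in OpenSSL 1.0.0" lacks a terminating period, and there are two blank lines before "=cut" where the rest of the file uses one. The entry also only credits -resign and multiple -signer options; -stream, -indef, -noindef, -md and the generic -[cipher] form are introduced by this same change, and if they are likewise new in 1.0.0 they belong in HISTORY too.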
|