diff options
Diffstat (limited to 'crypto/openssl/doc/man3/PKCS7_sign_add_signer.pod')
-rw-r--r-- | crypto/openssl/doc/man3/PKCS7_sign_add_signer.pod | 57 |
1 files changed, 35 insertions, 22 deletions
diff --git a/crypto/openssl/doc/man3/PKCS7_sign_add_signer.pod b/crypto/openssl/doc/man3/PKCS7_sign_add_signer.pod index d4a27a2f6194..d1271fe7f424 100644 --- a/crypto/openssl/doc/man3/PKCS7_sign_add_signer.pod +++ b/crypto/openssl/doc/man3/PKCS7_sign_add_signer.pod @@ -2,7 +2,8 @@ =head1 NAME -PKCS7_sign_add_signer - add a signer PKCS7 signed data structure +PKCS7_sign_add_signer, +PKCS7_add_certificate, PKCS7_add_crl - add information to PKCS7 structure =head1 SYNOPSIS @@ -10,22 +11,22 @@ PKCS7_sign_add_signer - add a signer PKCS7 signed data structure PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, int flags); - + int PKCS7_add_certificate(PKCS7 *p7, X509 *cert); + int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl); =head1 DESCRIPTION -PKCS7_sign_add_signer() adds a signer with certificate B<signcert> and private -key B<pkey> using message digest B<md> to a PKCS7 signed data structure -B<p7>. +PKCS7_sign_add_signer() adds a signer with certificate I<signcert> and private +key I<pkey> using message digest I<md> to a PKCS7 signed data structure I<p7>. -The PKCS7 structure should be obtained from an initial call to PKCS7_sign() -with the flag B<PKCS7_PARTIAL> set or in the case or re-signing a valid PKCS7 +The B<PKCS7> structure should be obtained from an initial call to PKCS7_sign() +with the flag B<PKCS7_PARTIAL> set or in the case or re-signing a valid PKCS#7 signed data structure. -If the B<md> parameter is B<NULL> then the default digest for the public +If the I<md> parameter is NULL then the default digest for the public key algorithm will be used. -Unless the B<PKCS7_REUSE_DIGEST> flag is set the returned PKCS7 structure +Unless the B<PKCS7_REUSE_DIGEST> flag is set the returned B<PKCS7> structure is not complete and must be finalized either by streaming (if applicable) or a call to PKCS7_final(). @@ -37,13 +38,13 @@ signed data structure where the simpler PKCS7_sign() function defaults are not appropriate. For example if multiple signers or non default digest algorithms are needed. -Any of the following flags (ored together) can be passed in the B<flags> +Any of the following flags (ored together) can be passed in the I<flags> parameter. If B<PKCS7_REUSE_DIGEST> is set then an attempt is made to copy the content -digest value from the PKCS7 structure: to add a signer to an existing structure. +digest value from the B<PKCS7> structure: to add a signer to an existing structure. An error occurs if a matching digest value cannot be found to copy. The -returned PKCS7 structure will be valid and finalized when this flag is set. +returned B<PKCS7> structure will be valid and finalized when this flag is set. If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the B<PKCS7_SIGNER_INO> structure will not be finalized so additional attributes @@ -51,8 +52,8 @@ can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is needed to finalize it. If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the -PKCS7 structure, the signer's certificate must still be supplied in the -B<signcert> parameter though. This can reduce the size of the signature if the +B<PKCS7> structure, the signer's certificate must still be supplied in the +I<signcert> parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. @@ -66,20 +67,32 @@ If present the SMIMECapabilities attribute indicates support for the following algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of these algorithms is disabled then it will not be included. - -PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO -structure just added, this can be used to set additional attributes +PKCS7_sign_add_signers() returns an internal pointer to the B<PKCS7_SIGNER_INFO> +structure just added, which can be used to set additional attributes before it is finalized. +PKCS7_add_certificate() adds to the B<PKCS7> structure I<p7> the certificate +I<cert>, which may be an end-entity (signer) certificate +or a CA certificate useful for chain building. +This is done internally by L<PKCS7_sign_ex(3)> and similar signing functions. +It may have to be used before calling L<PKCS7_verify(3)> +in order to provide any missing certificate(s) needed for verification. + +PKCS7_add_crl() adds the CRL I<crl> to the B<PKCS7> structure I<p7>. +This may be called to provide certificate status information +to be included when signing or to use when verifying the B<PKCS7> structure. + =head1 RETURN VALUES -PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO +PKCS7_sign_add_signers() returns an internal pointer to the B<PKCS7_SIGNER_INFO> structure just added or NULL if an error occurs. +PKCS7_add_certificate() and PKCS7_add_crl() return 1 on success, 0 on error. + =head1 SEE ALSO -L<ERR_get_error(3)>, L<PKCS7_sign(3)>, -L<PKCS7_final(3)>, +L<ERR_get_error(3)>, L<PKCS7_sign_ex(3)>, +L<PKCS7_final(3)>, L<PKCS7_verify(3)> =head1 HISTORY @@ -87,9 +100,9 @@ The PPKCS7_sign_add_signer() function was added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>. |