aboutsummaryrefslogtreecommitdiff
path: root/secure/usr.bin/openssl/man/cms.1
diff options
context:
space:
mode:
Diffstat (limited to 'secure/usr.bin/openssl/man/cms.1')
-rw-r--r--secure/usr.bin/openssl/man/cms.169
1 files changed, 46 insertions, 23 deletions
diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1
index 0f70b9dbd4ff..862a569925a9 100644
--- a/secure/usr.bin/openssl/man/cms.1
+++ b/secure/usr.bin/openssl/man/cms.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -38,6 +38,8 @@
. ds PI \(*p
. ds L" ``
. ds R" ''
+. ds C`
+. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+. if \nF \{
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
+. if !\nF==2 \{
+. nr % 0
+. nr F 2
+. \}
+. \}
.\}
+.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -124,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "CMS 1"
-.TH CMS 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS 1 "2015-01-15" "1.0.1l" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -210,6 +219,10 @@ actual \s-1CMS\s0 type is <B>EnvelopedData<B>.
decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
is written to the output file.
+.IP "\fB\-debug_decrypt\fR" 4
+.IX Item "-debug_decrypt"
+this option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used
+with caution: see the notes section below.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
sign mail using the supplied certificate and private key. Input file is
@@ -227,29 +240,29 @@ takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure.
resign a message: take an existing message and one or more new signers.
.IP "\fB\-data_create\fR" 4
.IX Item "-data_create"
-Create a \s-1CMS\s0 \fBData\fR type.
+Create a \s-1CMS \s0\fBData\fR type.
.IP "\fB\-data_out\fR" 4
.IX Item "-data_out"
\&\fBData\fR type and output the content.
.IP "\fB\-digest_create\fR" 4
.IX Item "-digest_create"
-Create a \s-1CMS\s0 \fBDigestedData\fR type.
+Create a \s-1CMS \s0\fBDigestedData\fR type.
.IP "\fB\-digest_verify\fR" 4
.IX Item "-digest_verify"
-Verify a \s-1CMS\s0 \fBDigestedData\fR type and output the content.
+Verify a \s-1CMS \s0\fBDigestedData\fR type and output the content.
.IP "\fB\-compress\fR" 4
.IX Item "-compress"
-Create a \s-1CMS\s0 \fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
+Create a \s-1CMS \s0\fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
support for this option to work, otherwise it will output an error.
.IP "\fB\-uncompress\fR" 4
.IX Item "-uncompress"
-Uncompress a \s-1CMS\s0 \fBCompressedData\fR type and output the content. OpenSSL must be
+Uncompress a \s-1CMS \s0\fBCompressedData\fR type and output the content. OpenSSL must be
compiled with \fBzlib\fR support for this option to work, otherwise it will
output an error.
.IP "\fB\-EncryptedData_encrypt\fR" 4
.IX Item "-EncryptedData_encrypt"
-Encrypt suppled content using supplied symmetric key and algorithm using a \s-1CMS\s0
-\&\fBEncrytedData\fR type and output the content.
+Encrypt content using supplied symmetric key and algorithm using a \s-1CMS
+\&\s0\fBEncrytedData\fR type and output the content.
.IP "\fB\-sign_receipt\fR" 4
.IX Item "-sign_receipt"
Generate and output a signed receipt for the supplied message. The input
@@ -312,7 +325,7 @@ is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
.IX Item "-text"
this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of \s-1MIME\s0
+off text headers: if the decrypted or verified message is not of \s-1MIME \s0
type text/plain then an error occurs.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
@@ -338,8 +351,8 @@ digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
.IP "\fB\-[cipher]\fR" 4
.IX Item "-[cipher]"
-the encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR
-or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the
+the encryption algorithm to use. For example triple \s-1DES \s0(168 bits) \- \fB\-des3\fR
+or 256 bit \s-1AES \- \s0\fB\-aes256\fR. Any standard algorithm name (as used by the
\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
example \fB\-aes_128_cbc\fR. See \fBenc\fR for a list of ciphers
supported by your version of OpenSSL.
@@ -451,7 +464,7 @@ multiple times to specify successive keys.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
.IP "\fB\-rand file(s)\fR" 4
.IX Item "-rand file(s)"
a file or files containing random data used to seed the random number
@@ -504,12 +517,22 @@ signer using the same message digest or this operation will fail.
.PP
The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support.
As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
-and no longer \s-1DER\s0. Streaming is supported for the \fB\-encrypt\fR operation and the
+and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the
\&\fB\-sign\fR operation if the content is not detached.
.PP
Streaming is always used for the \fB\-sign\fR operation with detached data but
since the content is no longer part of the \s-1CMS\s0 structure the encoding
-remains \s-1DER\s0.
+remains \s-1DER.\s0
+.PP
+If the \fB\-decrypt\fR option is used without a recipient certificate then an
+attempt is made to locate the recipient by trying each potential recipient
+in turn using the supplied private key. To thwart the \s-1MMA\s0 attack
+(Bleichenbacher's attack on \s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are
+tried whether they succeed or not and if no recipients match the message
+is \*(L"decrypted\*(R" using a random key which will typically output garbage.
+The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection
+and return an error if no recipient can be found: this option should be used
+with caution. For a fuller description see \fICMS_decrypt\fR\|(3)).
.SH "EXIT CODES"
.IX Header "EXIT CODES"
.IP "0" 4
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-12 19:24:38 +0000