Diffstat (limited to 'secure/usr.bin/openssl/man/smime.1')
-rw-r--r-- | secure/usr.bin/openssl/man/smime.1 | 617 |
1 files changed, 0 insertions, 617 deletions
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
deleted file mode 100644
index c055bce83f5d..000000000000
--- a/secure/usr.bin/openssl/man/smime.1
+++ /dev/null
@@ -1,617 +0,0 @@ -.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{\ -. if \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SMIME 1" -.TH SMIME 1 "2022-07-05" "1.1.1q" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -openssl\-smime, smime \- S/MIME utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBsmime\fR -[\fB\-help\fR] -[\fB\-encrypt\fR] -[\fB\-decrypt\fR] -[\fB\-sign\fR] -[\fB\-resign\fR] -[\fB\-verify\fR] -[\fB\-pk7out\fR] -[\fB\-binary\fR] -[\fB\-crlfeol\fR] -[\fB\-\f(BIcipher\fB\fR] -[\fB\-in file\fR] -[\fB\-CAfile file\fR] -[\fB\-CApath dir\fR] -[\fB\-no\-CAfile\fR] -[\fB\-no\-CApath\fR] -[\fB\-attime timestamp\fR] -[\fB\-check_ss_sig\fR] -[\fB\-crl_check\fR] -[\fB\-crl_check_all\fR] -[\fB\-explicit_policy\fR] -[\fB\-extended_crl\fR] -[\fB\-ignore_critical\fR] -[\fB\-inhibit_any\fR] -[\fB\-inhibit_map\fR] -[\fB\-partial_chain\fR] -[\fB\-policy arg\fR] -[\fB\-policy_check\fR] -[\fB\-policy_print\fR] -[\fB\-purpose purpose\fR] -[\fB\-suiteB_128\fR] -[\fB\-suiteB_128_only\fR] -[\fB\-suiteB_192\fR] -[\fB\-trusted_first\fR] -[\fB\-no_alt_chains\fR] -[\fB\-use_deltas\fR] -[\fB\-auth_level num\fR] -[\fB\-verify_depth num\fR] -[\fB\-verify_email email\fR] -[\fB\-verify_hostname hostname\fR] -[\fB\-verify_ip ip\fR] -[\fB\-verify_name name\fR] -[\fB\-x509_strict\fR] -[\fB\-certfile file\fR] -[\fB\-signer file\fR] -[\fB\-recip file\fR] -[\fB\-inform SMIME|PEM|DER\fR] -[\fB\-passin arg\fR] -[\fB\-inkey file_or_id\fR] -[\fB\-out file\fR] -[\fB\-outform SMIME|PEM|DER\fR] -[\fB\-content file\fR] -[\fB\-to addr\fR] -[\fB\-from ad\fR] -[\fB\-subject s\fR] -[\fB\-text\fR] -[\fB\-indef\fR] -[\fB\-noindef\fR] -[\fB\-stream\fR] -[\fB\-rand file...\fR] -[\fB\-writerand file\fR] -[\fB\-md digest\fR] -[cert.pem]... -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and -verify S/MIME messages. -.SH "OPTIONS" -.IX Header "OPTIONS" -There are six operation options that set the type of operation to be performed. -The meaning of the other options varies according to the operation type. -.IP "\fB\-help\fR" 4 -.IX Item "-help" -Print out a usage message. 
-.IP "\fB\-encrypt\fR" 4 -.IX Item "-encrypt" -Encrypt mail for the given recipient certificates. Input file is the message -to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. -.Sp -Note that no revocation check is done for the recipient cert, so if that -key has been compromised, others may be able to decrypt the text. -.IP "\fB\-decrypt\fR" 4 -.IX Item "-decrypt" -Decrypt mail using the supplied certificate and private key. Expects an -encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail -is written to the output file. -.IP "\fB\-sign\fR" 4 -.IX Item "-sign" -Sign mail using the supplied certificate and private key. Input file is -the message to be signed. The signed message in \s-1MIME\s0 format is written -to the output file. -.IP "\fB\-verify\fR" 4 -.IX Item "-verify" -Verify signed mail. Expects a signed mail message on input and outputs -the signed data. Both clear text and opaque signing is supported. -.IP "\fB\-pk7out\fR" 4 -.IX Item "-pk7out" -Takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure. -.IP "\fB\-resign\fR" 4 -.IX Item "-resign" -Resign a message: take an existing message and one or more new signers. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -The input message to be encrypted or signed or the \s-1MIME\s0 message to -be decrypted or verified. -.IP "\fB\-inform SMIME|PEM|DER\fR" 4 -.IX Item "-inform SMIME|PEM|DER" -This specifies the input format for the PKCS#7 structure. The default -is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR -format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures -instead. This currently only affects the input format of the PKCS#7 -structure, if no PKCS#7 structure is being input (for example with -\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. 
-.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -The message text that has been decrypted or verified or the output \s-1MIME\s0 -format message that has been signed or verified. -.IP "\fB\-outform SMIME|PEM|DER\fR" 4 -.IX Item "-outform SMIME|PEM|DER" -This specifies the output format for the PKCS#7 structure. The default -is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR -format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures -instead. This currently only affects the output format of the PKCS#7 -structure, if no PKCS#7 structure is being output (for example with -\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. -.IP "\fB\-stream \-indef \-noindef\fR" 4 -.IX Item "-stream -indef -noindef" -The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O -for encoding operations. This permits single pass processing of data without -the need to hold the entire contents in memory, potentially supporting very -large files. Streaming is automatically set for S/MIME signing with detached -data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all -other operations. -.IP "\fB\-noindef\fR" 4 -.IX Item "-noindef" -Disable streaming I/O where it would produce and indefinite length constructed -encoding. This option currently has no effect. In future streaming will be -enabled by default on all relevant operations and this option will disable it. -.IP "\fB\-content filename\fR" 4 -.IX Item "-content filename" -This specifies a file containing the detached content, this is only -useful with the \fB\-verify\fR command. This is only usable if the PKCS#7 -structure is using the detached signature form where the content is -not included. This option will override any content if the input format -is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. 
-.IP "\fB\-text\fR" 4 -.IX Item "-text" -This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied -message if encrypting or signing. If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of \s-1MIME\s0 -type text/plain then an error occurs. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. -.IP "\fB\-CApath dir\fR" 4 -.IX Item "-CApath dir" -A directory containing trusted \s-1CA\s0 certificates, only used with -\&\fB\-verify\fR. This directory must be a standard certificate directory: that -is a hash of each subject name (using \fBx509 \-hash\fR) should be linked -to each certificate. -.IP "\fB\-no\-CAfile\fR" 4 -.IX Item "-no-CAfile" -Do not load the trusted \s-1CA\s0 certificates from the default file location. -.IP "\fB\-no\-CApath\fR" 4 -.IX Item "-no-CApath" -Do not load the trusted \s-1CA\s0 certificates from the default directory location. -.IP "\fB\-md digest\fR" 4 -.IX Item "-md digest" -Digest algorithm to use when signing or resigning. If not present then the -default digest algorithm for the signing key will be used (usually \s-1SHA1\s0). -.IP "\fB\-\f(BIcipher\fB\fR" 4 -.IX Item "-cipher" -The encryption algorithm to use. For example \s-1DES\s0 (56 bits) \- \fB\-des\fR, -triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR, -\&\fBEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for -example \fB\-aes\-128\-cbc\fR. See \fBenc\fR for list of ciphers -supported by your version of OpenSSL. -.Sp -If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR. -.IP "\fB\-nointern\fR" 4 -.IX Item "-nointern" -When verifying a message normally certificates (if any) included in -the message are searched for the signing certificate. With this option -only the certificates specified in the \fB\-certfile\fR option are used. 
-The supplied certificates can still be used as untrusted CAs however. -.IP "\fB\-noverify\fR" 4 -.IX Item "-noverify" -Do not verify the signers certificate of a signed message. -.IP "\fB\-nochain\fR" 4 -.IX Item "-nochain" -Do not do chain verification of signers certificates: that is don't -use the certificates in the signed message as untrusted CAs. -.IP "\fB\-nosigs\fR" 4 -.IX Item "-nosigs" -Don't try to verify the signatures on the message. -.IP "\fB\-nocerts\fR" 4 -.IX Item "-nocerts" -When signing a message the signer's certificate is normally included -with this option it is excluded. This will reduce the size of the -signed message but the verifier must have a copy of the signers certificate -available locally (passed using the \fB\-certfile\fR option for example). -.IP "\fB\-noattr\fR" 4 -.IX Item "-noattr" -Normally when a message is signed a set of attributes are included which -include the signing time and supported symmetric algorithms. With this -option they are not included. -.IP "\fB\-binary\fR" 4 -.IX Item "-binary" -Normally the input message is converted to \*(L"canonical\*(R" format which is -effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME -specification. When this option is present no translation occurs. This -is useful when handling binary data which may not be in \s-1MIME\s0 format. -.IP "\fB\-crlfeol\fR" 4 -.IX Item "-crlfeol" -Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this -option is present \fB\s-1CRLF\s0\fR is used instead. -.IP "\fB\-nodetach\fR" 4 -.IX Item "-nodetach" -When signing a message use opaque signing: this form is more resistant -to translation by mail relays but it cannot be read by mail agents that -do not support S/MIME. Without this option cleartext signing with -the \s-1MIME\s0 type multipart/signed is used. -.IP "\fB\-certfile file\fR" 4 -.IX Item "-certfile file" -Allows additional certificates to be specified. 
When signing these will -be included with the message. When verifying these will be searched for -the signers certificates. The certificates should be in \s-1PEM\s0 format. -.IP "\fB\-signer file\fR" 4 -.IX Item "-signer file" -A signing certificate when signing or resigning a message, this option can be -used multiple times if more than one signer is required. If a message is being -verified then the signers certificates will be written to this file if the -verification was successful. -.IP "\fB\-recip file\fR" 4 -.IX Item "-recip file" -The recipients certificate when decrypting a message. This certificate -must match one of the recipients of the message or an error occurs. -.IP "\fB\-inkey file_or_id\fR" 4 -.IX Item "-inkey file_or_id" -The private key to use when signing or decrypting. This must match the -corresponding certificate. If this option is not specified then the -private key must be included in the certificate file specified with -the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used -multiple times to specify successive keys. -If no engine is used, the argument is taken as a file; if an engine is -specified, the argument is given to the engine as a key identifier. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -The private key password source. For more information about the format of \fBarg\fR -see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1). -.IP "\fB\-rand file...\fR" 4 -.IX Item "-rand file..." -A file or files containing random data used to seed the random number -generator. -Multiple files can be specified separated by an OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "[\fB\-writerand file\fR]" 4 -.IX Item "[-writerand file]" -Writes random data to the specified \fIfile\fR upon exit. -This can be used with a subsequent \fB\-rand\fR flag. -.IP "\fBcert.pem...\fR" 4 -.IX Item "cert.pem..." 
-One or more certificates of message recipients: used when encrypting -a message. -.IP "\fB\-to, \-from, \-subject\fR" 4 -.IX Item "-to, -from, -subject" -The relevant mail headers. These are included outside the signed -portion of a message so they may be included manually. If signing -then many S/MIME mail clients check the signers certificate's email -address matches that specified in the 
From: address. -.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 -.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" -Set various options of certificate chain verification. See -\&\fBverify\fR\|(1) manual page for details. -.SH "NOTES" -.IX Header "NOTES" -The \s-1MIME\s0 message must be sent without any blank lines between the -headers and the output. Some mail programs will automatically add -a blank line. Piping the mail directly to sendmail is one way to -achieve the correct format. -.PP -The supplied message to be signed or encrypted must include the -necessary \s-1MIME\s0 headers or many S/MIME clients won't display it -properly (if at all). You can use the \fB\-text\fR option to automatically -add plain text headers. -.PP -A \*(L"signed and encrypted\*(R" message is one where a signed message is -then encrypted. This can be produced by encrypting an already signed -message: see the examples section. -.PP -This version of the program only allows one signer per message but it -will verify multiple signers on received messages. Some S/MIME clients -choke if a message contains multiple signers. 
It is possible to sign -messages \*(L"in parallel\*(R" by signing an already signed message. -.PP -The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME -clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 -encrypted data is used for other purposes. -.PP -The \fB\-resign\fR option uses an existing message digest when adding a new -signer. This means that attributes must be present in at least one existing -signer using the same message digest or this operation will fail. -.PP -The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support. -As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding -and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the -\&\fB\-sign\fR operation if the content is not detached. -.PP -Streaming is always used for the \fB\-sign\fR operation with detached data but -since the content is no longer part of the PKCS#7 structure the encoding -remains \s-1DER.\s0 -.SH "EXIT CODES" -.IX Header "EXIT CODES" -.IP "0" 4 -The operation was completely successfully. -.IP "1" 4 -.IX Item "1" -An error occurred parsing the command options. -.IP "2" 4 -.IX Item "2" -One of the input files could not be read. -.IP "3" 4 -.IX Item "3" -An error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0 -message. -.IP "4" 4 -.IX Item "4" -An error occurred decrypting or verifying the message. -.IP "5" 4 -.IX Item "5" -The message was verified correctly but an error occurred writing out -the signers certificates. 
-.SH "EXAMPLES" -.IX Header "EXAMPLES" -Create a cleartext signed message: -.PP -.Vb 2 -\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e -\& \-signer mycert.pem -.Ve -.PP -Create an opaque signed message: -.PP -.Vb 2 -\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e -\& \-signer mycert.pem -.Ve -.PP -Create a signed message, include some additional certificates and -read the private key from another file: -.PP -.Vb 2 -\& openssl smime \-sign \-in in.txt \-text \-out mail.msg \e -\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem -.Ve -.PP -Create a signed message with two signers: -.PP -.Vb 2 -\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e -\& \-signer mycert.pem \-signer othercert.pem -.Ve -.PP -Send a signed message under Unix directly to sendmail, including headers: -.PP -.Vb 3 -\& openssl smime \-sign \-in in.txt \-text \-signer mycert.pem \e -\& \-from steve@openssl.org \-to someone@somewhere \e -\& \-subject "Signed message" | sendmail someone@somewhere -.Ve -.PP -Verify a message and extract the signer's certificate if successful: -.PP -.Vb 1 -\& openssl smime \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt -.Ve -.PP -Send encrypted mail using triple \s-1DES:\s0 -.PP -.Vb 3 -\& openssl smime \-encrypt \-in in.txt \-from steve@openssl.org \e -\& \-to someone@somewhere \-subject "Encrypted message" \e -\& \-des3 user.pem \-out mail.msg -.Ve -.PP -Sign and encrypt mail: -.PP -.Vb 4 -\& openssl smime \-sign \-in ml.txt \-signer my.pem \-text \e -\& | openssl smime \-encrypt \-out mail.msg \e -\& \-from steve@openssl.org \-to someone@somewhere \e -\& \-subject "Signed and Encrypted message" \-des3 user.pem -.Ve -.PP -Note: the encryption command does not include the \fB\-text\fR option because the -message being encrypted already has \s-1MIME\s0 headers. 
-.PP -Decrypt mail: -.PP -.Vb 1 -\& openssl smime \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem -.Ve -.PP -The output from Netscape form signing is a PKCS#7 structure with the -detached signature format. You can use this program to verify the -signature by line wrapping the base64 encoded structure and surrounding -it with: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\- -\& \-\-\-\-\-END PKCS7\-\-\-\-\- -.Ve -.PP -and using the command: -.PP -.Vb 1 -\& openssl smime \-verify \-inform PEM \-in signature.pem \-content content.txt -.Ve -.PP -Alternatively you can base64 decode the signature and use: -.PP -.Vb 1 -\& openssl smime \-verify \-inform DER \-in signature.der \-content content.txt -.Ve -.PP -Create an encrypted message using 128 bit Camellia: -.PP -.Vb 1 -\& openssl smime \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem -.Ve -.PP -Add a signer to an existing message: -.PP -.Vb 1 -\& openssl smime \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg -.Ve -.SH "BUGS" -.IX Header "BUGS" -The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've -thrown at it but it may choke on others. -.PP -The code currently will only write out the signer's certificate to a file: if -the signer has a separate encryption certificate this must be manually -extracted. There should be some heuristic that determines the correct -encryption certificate. -.PP -Ideally a database should be maintained of a certificates for each email -address. -.PP -The code doesn't currently take note of the permitted symmetric encryption -algorithms as supplied in the SMIMECapabilities signed attribute. This means the -user has to manually include the correct encryption algorithm. It should store -the list of permitted ciphers in a database and only use those. -.PP -No revocation checking is done on the signer's certificate. 
-.PP -The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 -structures may cause parsing errors. -.SH "HISTORY" -.IX Header "HISTORY" -The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first -added in OpenSSL 1.0.0 -.PP -The \-no_alt_chains option was added in OpenSSL 1.1.0. -.SH "COPYRIGHT" -.IX Header "COPYRIGHT" -Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved. -.PP -Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file \s-1LICENSE\s0 in the source distribution or at -<https://www.openssl.org/source/license.html>. |