=head1 NAME
+openssl-cms,
cms - CMS utility
=head1 SYNOPSIS
[B<-verify>]
[B<-cmsout>]
[B<-resign>]
+[B<-cades>]
[B<-data_create>]
[B<-data_out>]
[B<-digest_create>]
[B<-verify_name name>]
[B<-x509_strict>]
[B<-md digest>]
-[B<-[cipher]>]
+[B<-I<cipher>>]
[B<-nointern>]
-[B<-no_signer_cert_verify>]
+[B<-noverify>]
[B<-nocerts>]
[B<-noattr>]
[B<-nosmimecap>]
[B<-signer file>]
[B<-recip file>]
[B<-keyid>]
-[B<-receipt_request_all -receipt_request_first>]
+[B<-receipt_request_all>]
+[B<-receipt_request_first>]
[B<-receipt_request_from emailaddress>]
[B<-receipt_request_to emailaddress>]
[B<-receipt_request_print>]
[B<-inkey file>]
[B<-keyopt name:parameter>]
[B<-passin arg>]
-[B<-rand file(s)>]
+[B<-rand file...>]
+[B<-writerand file>]
[B<cert.pem...>]
[B<-to addr>]
[B<-from addr>]
Resign a message: take an existing message and one or more new signers.
+=item B<-cades>
+
+Add an ESS signing-certificate or ESS signing-certificate-v2 signed-attribute to the SignerInfo, in order to make
+the signature comply with the requirements for a CAdES Basic Electronic Signature (CAdES-BES). See the NOTES
+section for more details.
+
=item B<-data_create>
Create a CMS B<Data> type.
=item B<-EncryptedData_encrypt>
Encrypt content using supplied symmetric key and algorithm using a CMS
-B<EncrytedData> type and output the content.
+B<EncryptedData> type and output the content.
=item B<-sign_receipt>
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
-=item B<-[cipher]>
+=item B<-I<cipher>>
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
-example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers
+example B<-aes-128-cbc>. See L<enc(1)> for a list of ciphers
supported by your version of OpenSSL.
If not specified triple DES is used. Only used with B<-encrypt> and
only the certificates specified in the B<-certfile> option are used.
The supplied certificates can still be used as untrusted CAs however.
-=item B<-no_signer_cert_verify>
+=item B<-noverify>
Do not verify the signers certificate of a signed message.
each recipient. This form B<must> be used if customised parameters are
required (for example to specify RSA-OAEP).
+Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
+option.
+
=item B<-keyid>
Use subject key identifier to identify certificates instead of issuer name and
serial number. The supplied certificate B<must> include a subject key
identifier extension. Supported by B<-sign> and B<-encrypt> options.
-=item B<-receipt_request_all -receipt_request_first>
+=item B<-receipt_request_all>, B<-receipt_request_first>
For B<-sign> option include a signed receipt request. Indicate requests should
be provided by all recipient or first tier recipients (those mailed directly
The private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-=item B<-rand file(s)>
+=item B<-rand file...>
A file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)>).
+generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
+=item [B<-writerand file>]
+
+Writes random data to the specified I<file> upon exit.
+This can be used with a subsequent B<-rand> flag.
+
=item B<cert.pem...>
One or more certificates of message recipients: used when encrypting
and return an error if no recipient can be found: this option should be used
with caution. For a fuller description see L<CMS_decrypt(3)>).
+=head1 CAdES Basic Electronic Signature (CAdES-BES)
+
+A CAdES Basic Electronic Signature (CAdES-BES), as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains:
+
+=over 4
+
+=item *
+
+The signed user data as defined in CMS (RFC 3852);
+
+=item *
+
+Content-type of the EncapsulatedContentInfo value being signed;
+
+=item *
+
+Message-digest of the eContent OCTET STRING within encapContentInfo being signed;
+
+=item *
+
+An ESS signing-certificate or ESS signing-certificate-v2 attribute, as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035.
+An ESS signing-certificate attribute only allows for the use of SHA-1 as a digest algorithm.
+An ESS signing-certificate-v2 attribute allows for the use of any digest algorithm.
+
+=item *
+
+The digital signature value computed on the user data and, when present, on the signed attributes.
+
+Note that currently the B<-cades> option applies only to the B<-sign> operation and is ignored during
+the B<-verify> operation, i.e. the signing certification is not checked during the verification process.
+This feature might be added in a future version.
+
+=back
+
=head1 EXIT CODES
=over 4
=head1 HISTORY
The use of multiple B<-signer> options and the B<-resign> command were first
-added in OpenSSL 1.0.0
-
-The B<keyopt> option was first added in OpenSSL 1.1.0
+added in OpenSSL 1.0.0.
-The use of B<-recip> to specify the recipient when encrypting mail was first
-added to OpenSSL 1.1.0
+The B<keyopt> option was added in OpenSSL 1.0.2.
-Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
+Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
-The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
-to OpenSSL 1.1.0.
+The use of non-RSA keys with B<-encrypt> and B<-decrypt>
+was added in OpenSSL 1.0.2.
-The -no_alt_chains options was first added to OpenSSL 1.1.0.
+The -no_alt_chains option was added in OpenSSL 1.0.2b.
=head1 COPYRIGHT
-Copyright 2008-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
-Licensed under the OpenSSL license (the "License"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
projects / openssl.git / blobdiff