X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Fsmime.pod;h=3aa6e848afd7689260a74898897ffe6d3e09cd43;hp=d4e238b1781d22c3ea7294cc6fd5f4326846d1ba;hb=e933f91f50108a43c0198cdc63ecdfdbc77b4d0d;hpb=d884c5bad1446d97bf4b5dafea1fc15c27ff6594 diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index d4e238b178..3aa6e848af 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -13,17 +13,7 @@ B B [B<-resign>] [B<-verify>] [B<-pk7out>] -[B<-des>] -[B<-des3>] -[B<-rc2-40>] -[B<-rc2-64>] -[B<-rc2-128>] -[B<-aes128>] -[B<-aes192>] -[B<-aes256>] -[B<-camellia128>] -[B<-camellia192>] -[B<-camellia256>] +[B<-[cipher]>] [B<-in file>] [B<-certfile file>] [B<-signer file>] @@ -38,6 +28,9 @@ B B [B<-from ad>] [B<-subject s>] [B<-text>] +[B<-indef>] +[B<-noindef>] +[B<-stream>] [B<-rand file(s)>] [B<-md digest>] [cert.pem]... @@ -49,7 +42,7 @@ verify S/MIME messages. =head1 COMMAND OPTIONS -There are five operation options that set the type of operation to be performed. +There are six operation options that set the type of operation to be performed. The meaning of the other options varies according to the operation type. =over 4 
@@ -112,6 +105,21 @@ instead. This currently only affects the output format of the PKCS#7 structure, if no PKCS#7 structure is being output (for example with B<-verify> or B<-decrypt>) this option has no effect. +=item B<-stream -indef -noindef> + +the B<-stream> and B<-indef> options are equivalent and enable streaming I/O +for encoding operations. This permits single pass processing of data without +the need to hold the entire contents in memory, potentially supporting very +large files. Streaming is automatically set for S/MIME signing with detached +data if the output format is B it is currently off by default for all +other operations. + +=item B<-noindef> + +disable streaming I/O where it would produce and indefinite length constructed +encoding. This option currently has no effect. In future streaming will be +enabled by default on all relevant operations and this option will disable it. + =item B<-content filename> This specifies a file containing the detached content, this is only @@ -143,13 +151,13 @@ to each certificate. digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually SHA1). -=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256> +=item B<-[cipher]> -the encryption algorithm to use. DES (56 bits), triple DES (168 bits), 40, 64 -or 128 bit RC2, 128, 192 or 256 bit AES, or 128, 192 or 256 bit Camellia -respectively. Any other cipher name (as recognized by the +the encryption algorithm to use. For example DES (56 bits) - B<-des>, +triple DES (168 bits) - B<-des3>, EVP_get_cipherbyname() function) can also be used preceded by a dash, for -example B<-aes_128_cbc>. +example B<-aes_128_cbc>. See L|enc(1)> for list of ciphers +supported by your version of OpenSSL. If not specified 40 bit RC2 is used. Only used with B<-encrypt>. 
@@ -251,6 +259,11 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> + +Set various options of certificate chain verification. See +L|verify(1)> manual page for details. + =back =head1 NOTES @@ -282,32 +295,41 @@ The B<-resign> option uses an existing message digest when adding a new signer. This means that attributes must be present in at least one existing signer using the same message digest or this operation will fail. +The B<-stream> and B<-indef> options enable experimental streaming I/O support. +As a result the encoding is BER using indefinite length constructed encoding +and no longer DER. Streaming is supported for the B<-encrypt> operation and the +B<-sign> operation if the content is not detached. + +Streaming is always used for the B<-sign> operation with detached data but +since the content is no longer part of the PKCS#7 structure the encoding +remains DER. + =head1 EXIT CODES =over 4 -=item 0 +=item Z<>0 the operation was completely successfully. -=item 1 +=item Z<>1 an error occurred parsing the command options. -=item 2 +=item Z<>2 one of the input files could not be read. -=item 3 +=item Z<>3 an error occurred creating the PKCS#7 file or when reading the MIME message. -=item 4 +=item Z<>4 an error occurred decrypting or verifying the message. -=item 5 +=item Z<>5 the message was verified correctly but an error occurred writing out the signers certificates. @@ -321,7 +343,7 @@ Create a cleartext signed message: openssl smime -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -Create an opaque signed message +Create an opaque signed message: openssl smime -sign -in message.txt -text -out mail.msg -nodetach \ -signer mycert.pem 
@@ -375,11 +397,11 @@ it with: -----BEGIN PKCS7----- -----END PKCS7----- -and using the command, +and using the command: openssl smime -verify -inform PEM -in signature.pem -content content.txt -alternatively you can base64 decode the signature and use +Alternatively you can base64 decode the signature and use: openssl smime -verify -inform DER -in signature.der -content content.txt @@ -405,7 +427,7 @@ Ideally a database should be maintained of a certificates for each email address. The code doesn't currently take note of the permitted symmetric encryption -algorithms as supplied in the SMIMECapabilities signed attribute. this means the +algorithms as supplied in the SMIMECapabilities signed attribute. This means the user has to manually include the correct encryption algorithm. It should store the list of permitted ciphers in a database and only use those. @@ -417,7 +439,7 @@ structures may cause parsing errors. =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first -added in OpenSSL 0.9.9 +added in OpenSSL 1.0.0 =cut
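Review bot: In the first synopsis hunk (@@ -13,17 +13,7 @@), `[B<-[cipher]>]` nests square brackets inside a synopsis where square brackets already mean "optional", so it reads as though the cipher name itself were optional inside the dash. Use the POD placeholder convention instead, e.g. `[B<-I<cipher>>]`, and match the same spelling in the later `=item` heading so the two agree.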
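Review bot: In the hunk @@ -112,6 +105,21 @@ the heading `=item B<-stream -indef -noindef>` lists B<-noindef>, but that option is described in its own `=item B<-noindef>` immediately below, so the first heading should be `=item B<-stream -indef>`. Two wording fixes in the same hunk: "where it would produce and indefinite length" should read "produce an indefinite length", and the sentence "Streaming is automatically set for S/MIME signing with detached data if the output format is ... it is currently off by default for all other operations" runs two statements together and needs a full stop or semicolon before "it is currently off".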
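Review bot: In the hunk @@ -143,13 +151,13 @@ the removed line "Any other cipher name (as recognized by the" leaves the retained context line "EVP_get_cipherbyname() function) can also be used preceded by a dash, for" with a dangling closing parenthesis and no subject, so the paragraph no longer parses as a sentence. Reinstate the lead-in, e.g. "Any other cipher name (as recognized by the EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes_128_cbc>." Since the paragraph still ends with "If not specified 40 bit RC2 is used", it would also help readers to add one sentence recommending that an explicit modern cipher such as B<-aes128> or B<-aes256> be chosen rather than relying on the default.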
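Review bot: In the hunk @@ -251,6 +259,11 @@ the item heading is missing a comma between B<-policy> and B<-check_ss_sig>, and B<-policy> takes an argument in verify(1), so listing it bare among the boolean flags is misleading; either write it as B<-policy arg> or drop it from this list and leave the details to the verify(1) reference already given.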
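Review bot: In the hunk @@ -282,32 +295,41 @@ the new NOTES paragraph states that with B<-stream>/B<-indef> the output "is BER using indefinite length constructed encoding and no longer DER" but stops short of what that means for the recipient; add a sentence that peers must accept indefinite-length BER PKCS#7 before the option is used on mail they will verify or decrypt. The `Z<>` escapes on the exit-code items are the right fix (they stop the POD formatter reading `=item 0` as an ordered-list number); while touching those lines, the unchanged context "the operation was completely successfully" should read "the operation was completed successfully" and "the signers certificates" should be "the signer's certificates".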
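Review bot: In the hunk @@ -405,7 +427,7 @@ the capitalisation fix is fine, but the unchanged context line "a database should be maintained of a certificates for each email address" also needs "of a certificates" changed to "of certificates".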
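Review bot: In the HISTORY hunk (@@ -417,7 +439,7 @@) only the version string is corrected; the B<-stream>, B<-indef> and B<-noindef> options, the generalised B<-[cipher]> handling and the chain-verification options introduced by this patch should be recorded here as well, e.g. "The B<-stream>, B<-indef> and B<-noindef> options were added in OpenSSL 1.0.0".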