From ecd4b8fe852612bb902b8dee7ca09648fa730253 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 30 Apr 2018 12:05:42 +0100 Subject: [PATCH 1/1] Fix some errors and missing info in the CMS docs Fixes #5063 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6134) --- doc/man1/cms.pod | 16 ++++++++-------- doc/man3/CMS_encrypt.pod | 5 ++--- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/doc/man1/cms.pod b/doc/man1/cms.pod index 7bd1b0d38a..d63efa66ef 100644 --- a/doc/man1/cms.pod +++ b/doc/man1/cms.pod @@ -394,6 +394,9 @@ When encrypting a message this option may be used multiple times to specify each recipient. This form B be used if customised parameters are required (for example to specify RSA-OAEP). +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +option. + =item B<-keyid> Use subject key identifier to identify certificates instead of issuer name and @@ -718,19 +721,16 @@ No revocation checking is done on the signer's certificate. =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first -added in OpenSSL 1.0.0 - -The B option was first added in OpenSSL 1.1.0 +added in OpenSSL 1.0.0. -The use of B<-recip> to specify the recipient when encrypting mail was first -added to OpenSSL 1.1.0 +The B option was first added in OpenSSL 1.0.2. -Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. +Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added -to OpenSSL 1.1.0. +to OpenSSL 1.0.2. -The -no_alt_chains options was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to OpenSSL 1.0.2b. =head1 COPYRIGHT diff --git a/doc/man3/CMS_encrypt.pod b/doc/man3/CMS_encrypt.pod index 8d7211056e..3e777582d5 100644 --- a/doc/man3/CMS_encrypt.pod +++ b/doc/man3/CMS_encrypt.pod @@ -19,9 +19,8 @@ B is the symmetric cipher to use. B is an optional set of flags. =head1 NOTES -Only certificates carrying RSA keys are supported so the recipient certificates -supplied to this function must all contain RSA public keys, though they do not -have to be signed using the RSA algorithm. +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +function. EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because most clients will support it. -- 2.34.1