[openssl] master update
dev at ddvo.net
dev at ddvo.net
Thu May 20 14:32:00 UTC 2021
The branch master has been updated
via 340cf8759f904859e609cecf4315b7cb50cde561 (commit)
via 56c4f6fe724e4aa54498188873d84e5694b02984 (commit)
via 601fe8e0d78d4344445cbfa83dbe9bc4ad1287f1 (commit)
from 41d331b6f02267dbaa24cf35b9810994199431f4 (commit)
- Log -----------------------------------------------------------------
commit 340cf8759f904859e609cecf4315b7cb50cde561
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Sat Apr 3 19:42:39 2021 +0200
apps/cms: Clean up order of options in help output and documentation
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15126)
commit 56c4f6fe724e4aa54498188873d84e5694b02984
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Apr 12 19:00:00 2021 +0200
APPS: Allow duplicate entries in options list, marking them OPT_DUP
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15126)
commit 601fe8e0d78d4344445cbfa83dbe9bc4ad1287f1
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Sat Apr 3 16:03:21 2021 +0200
APPS: Allow non-option parameters appear anywhere in list, marking them OPT_PARAM
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15126)
-----------------------------------------------------------------------
Summary of changes:
apps/cms.c | 299 +++++++++++----------
apps/include/opt.h | 3 +
apps/lib/opt.c | 20 +-
doc/man1/openssl-cms.pod.in | 639 ++++++++++++++++++++++++++------------------
4 files changed, 547 insertions(+), 414 deletions(-)
diff --git a/apps/cms.c b/apps/cms.c
index d2225d51af..25ef1effd4 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -30,25 +30,25 @@ static CMS_ReceiptRequest
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
STACK_OF(OPENSSL_STRING) *param);
-#define SMIME_OP 0x10
-#define SMIME_IP 0x20
-#define SMIME_SIGNERS 0x40
+#define SMIME_OP 0x100
+#define SMIME_IP 0x200
+#define SMIME_SIGNERS 0x400
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
-#define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP)
-#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
-#define SMIME_DATAOUT (7 | SMIME_IP)
-#define SMIME_DATA_CREATE (8 | SMIME_OP)
+#define SMIME_RESIGN (5 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
+#define SMIME_SIGN_RECEIPT (6 | SMIME_IP | SMIME_OP)
+#define SMIME_VERIFY_RECEIPT (7 | SMIME_IP)
+#define SMIME_DIGEST_CREATE (8 | SMIME_OP)
#define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
-#define SMIME_DIGEST_CREATE (10 | SMIME_OP)
+#define SMIME_COMPRESS (10 | SMIME_OP)
#define SMIME_UNCOMPRESS (11 | SMIME_IP)
-#define SMIME_COMPRESS (12 | SMIME_OP)
+#define SMIME_ENCRYPTED_ENCRYPT (12 | SMIME_OP)
#define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
-#define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
-#define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
-#define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
+#define SMIME_DATA_CREATE (14 | SMIME_OP)
+#define SMIME_DATA_OUT (15 | SMIME_IP)
+#define SMIME_CMSOUT (16 | SMIME_IP | SMIME_OP)
static int verify_err = 0;
@@ -89,141 +89,152 @@ typedef enum OPTION_choice {
const OPTIONS cms_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
+ {"help", OPT_HELP, '-', "Display this summary"},
OPT_SECTION("General"),
- {"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
- {"outform", OPT_OUTFORM, 'c',
- "Output format SMIME (default), PEM or DER"},
{"in", OPT_IN, '<', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
- {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
- "Disable MMA protection and return an error if no recipient found"
- " (see documentation)"},
- {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
- {"indef", OPT_INDEF, '-', "Same as -stream"},
- {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
- {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
- {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
- {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
- {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"},
- {"no-CAfile", OPT_NOCAFILE, '-',
- "Do not load the default certificates file"},
- {"no-CApath", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates directory"},
- {"no-CAstore", OPT_NOCASTORE, '-',
- "Do not load certificates from the default certificates store"},
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
OPT_CONFIG_OPTION,
- OPT_SECTION("Action"),
+ OPT_SECTION("Operation"),
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
{"sign", OPT_SIGN, '-', "Sign message"},
- {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"},
- {"resign", OPT_RESIGN, '-', "Resign a signed message"},
- {"cades", OPT_CADES, '-', "Include or check signingCertificate (CAdES-BES)"},
{"verify", OPT_VERIFY, '-', "Verify signed message"},
- {"verify_retcode", OPT_VERIFY_RETCODE, '-',
- "Exit non-zero on verification failure"},
+ {"resign", OPT_RESIGN, '-', "Resign a signed message"},
+ {"sign_receipt", OPT_SIGN_RECEIPT, '-',
+ "Generate a signed receipt for a message"},
{"verify_receipt", OPT_VERIFY_RECEIPT, '<',
- "Verify receipts; exit if receipt signatures do not verify"},
- {"digest_verify", OPT_DIGEST_VERIFY, '-',
- "Verify a CMS \"DigestedData\" object and output it"},
+ "Verify receipts; exit if receipt signatures do not verify"},
{"digest_create", OPT_DIGEST_CREATE, '-',
- "Create a CMS \"DigestedData\" object"},
+ "Create a CMS \"DigestedData\" object"},
+ {"digest_verify", OPT_DIGEST_VERIFY, '-',
+ "Verify a CMS \"DigestedData\" object and output it"},
{"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"},
{"uncompress", OPT_UNCOMPRESS, '-',
- "Uncompress a CMS \"CompressedData\" object"},
- {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
- "Decrypt CMS \"EncryptedData\" object using symmetric key"},
+ "Uncompress a CMS \"CompressedData\" object"},
{"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
- "Create CMS \"EncryptedData\" object using symmetric key"},
- {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
+ "Create CMS \"EncryptedData\" object using symmetric key"},
+ {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
+ "Decrypt CMS \"EncryptedData\" object using symmetric key"},
{"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
+ {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
{"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
- {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
- "Do not verify signed content signatures"},
- {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
- "Do not verify signed attribute signatures"},
- {"nointern", OPT_NOINTERN, '-',
- "Don't search certificates in message for signer"},
- {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
- OPT_SECTION("Formatting"),
- {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
- {"asciicrlf", OPT_ASCIICRLF, '-',
- "Perform CRLF canonicalisation when signing"},
- {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
- {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
- {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
- {"binary", OPT_BINARY, '-', "Treat input as binary: do not translate to canonical form"},
- {"keyid", OPT_KEYID, '-', "Use subject key identifier"},
- {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
- {"nocerts", OPT_NOCERTS, '-',
- "Don't include signers certificate when signing"},
- {"noout", OPT_NOOUT, '-',
- "For the -cmsout operation do not output the parsed CMS structure"},
- {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
- {"receipt_request_all", OPT_RR_ALL, '-',
- "When signing, create a receipt request for all recipients"},
- {"receipt_request_first", OPT_RR_FIRST, '-',
- "When signing, create a receipt request for first recipient"},
+ OPT_SECTION("File format"),
+ {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
+ {"outform", OPT_OUTFORM, 'c',
+ "Output format SMIME (default), PEM or DER"},
{"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
- {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
- {"content", OPT_CONTENT, '<',
- "Supply or override content for detached signature"},
- {"print", OPT_PRINT, '-',
- "For the -cmsout operation print out all fields of the CMS structure"},
- {"nameopt", OPT_NAMEOPT, 's',
- "For the -print option specifies various strings printing options"},
- {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
+ {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
+ {"indef", OPT_INDEF, '-', "Same as -stream"},
+ {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
+ {"binary", OPT_BINARY, '-',
+ "Treat input as binary: do not translate to canonical form"},
+ {"crlfeol", OPT_CRLFEOL, '-',
+ "Use CRLF as EOL termination instead of CR only" },
+ {"asciicrlf", OPT_ASCIICRLF, '-',
+ "Perform CRLF canonicalisation when signing"},
- OPT_SECTION("Keying"),
+ OPT_SECTION("Keys and passwords"),
+ {"pwri_password", OPT_PWRI_PASSWORD, 's',
+ "Specific password for recipient"},
{"secretkey", OPT_SECRETKEY, 's',
- "Use specified hex-encoded key to decrypt/encrypt recipients or content"},
+ "Use specified hex-encoded key to decrypt/encrypt recipients or content"},
{"secretkeyid", OPT_SECRETKEYID, 's',
- "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
- {"pwri_password", OPT_PWRI_PASSWORD, 's',
- "Specific password for recipient"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
- {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
+ {"keyform", OPT_KEYFORM, 'f',
+ "Input private key format (ENGINE, other values ignored)"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+#endif
+ OPT_PROV_OPTIONS,
+ OPT_R_OPTIONS,
- OPT_SECTION("Mail header"),
- {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
- {"to", OPT_TO, 's', "To address"},
- {"from", OPT_FROM, 's', "From address"},
- {"subject", OPT_SUBJECT, 's', "Subject"},
- {"signer", OPT_SIGNER, 's', "Signer certificate file"},
+ OPT_SECTION("Encryption and decryption"),
{"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
- {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
- {"receipt_request_from", OPT_RR_FROM, 's',
- "Create signed receipt request with specified email address"},
- {"receipt_request_to", OPT_RR_TO, 's',
- "Create signed receipt targeted to specified address"},
-
- OPT_SECTION("Encryption"),
- {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
- {"", OPT_CIPHER, '-', "Any supported cipher"},
-
- OPT_SECTION("Key-wrapping"),
+ {"recip", OPT_RECIP, '<', "Recipient cert file"},
+ {"cert...", OPT_PARAM, '.',
+ "Recipient certs (optional; used only when encrypting)"},
+ {"", OPT_CIPHER, '-',
+ "The encryption algorithm to use (any supported cipher)"},
+ {"wrap", OPT_WRAP, 's',
+ "Key wrap algorithm to use when encrypting with key agreement"},
{"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
{"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
{"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
{"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
- {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"},
+ {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
+ "Disable MMA protection, return error if no recipient found (see doc)"},
- OPT_R_OPTIONS,
- OPT_V_OPTIONS,
- OPT_PROV_OPTIONS,
+ OPT_SECTION("Signing"),
+ {"md", OPT_MD, 's', "Digest algorithm to use"},
+ {"signer", OPT_SIGNER, 's', "Signer certificate input file"},
+ {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
+ {"cades", OPT_CADES, '-',
+ "Include signingCertificate attribute (CAdES-BES)"},
+ {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
+ {"nocerts", OPT_NOCERTS, '-',
+ "Don't include signer's certificate when signing"},
+ {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
+ {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
+ {"receipt_request_all", OPT_RR_ALL, '-',
+ "When signing, create a receipt request for all recipients"},
+ {"receipt_request_first", OPT_RR_FIRST, '-',
+ "When signing, create a receipt request for first recipient"},
+ {"receipt_request_from", OPT_RR_FROM, 's',
+ "Create signed receipt request with specified email address"},
+ {"receipt_request_to", OPT_RR_TO, 's',
+ "Create signed receipt targeted to specified address"},
- OPT_PARAMETERS(),
- {"cert", 0, 0, "Recipient certs (optional; used only when encrypting)"},
+ OPT_SECTION("Verification"),
+ {"signer", OPT_DUP, 's', "Signer certificate(s) output file"},
+ {"content", OPT_CONTENT, '<',
+ "Supply or override content for detached signature"},
+ {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
+ "Do not verify signed content signatures"},
+ {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
+ "Do not verify signed attribute signatures"},
+ {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
+ {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
+ {"nointern", OPT_NOINTERN, '-',
+ "Don't search certificates in message for signer"},
+ {"cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)"},
+ {"verify_retcode", OPT_VERIFY_RETCODE, '-',
+ "Exit non-zero on verification failure"},
+ {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+ {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
+ {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store"},
+
+ OPT_SECTION("Output"),
+ {"keyid", OPT_KEYID, '-', "Use subject key identifier"},
+ {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
+ {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
+ {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
+ {"to", OPT_TO, 's', "To address"},
+ {"from", OPT_FROM, 's', "From address"},
+ {"subject", OPT_SUBJECT, 's', "Subject"},
+
+ OPT_SECTION("Printing"),
+ {"noout", OPT_NOOUT, '-',
+ "For the -cmsout operation do not output the parsed CMS structure"},
+ {"print", OPT_PRINT, '-',
+ "For the -cmsout operation print out all fields of the CMS structure"},
+ {"nameopt", OPT_NAMEOPT, 's',
+ "For the -print option specifies various strings printing options"},
+ {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
+
+ OPT_V_OPTIONS,
{NULL}
};
@@ -347,6 +358,7 @@ int cms_main(int argc, char **argv)
case OPT_OUT:
outfile = opt_arg();
break;
+
case OPT_ENCRYPT:
operation = SMIME_ENCRYPT;
break;
@@ -356,49 +368,50 @@ int cms_main(int argc, char **argv)
case OPT_SIGN:
operation = SMIME_SIGN;
break;
- case OPT_SIGN_RECEIPT:
- operation = SMIME_SIGN_RECEIPT;
+ case OPT_VERIFY:
+ operation = SMIME_VERIFY;
break;
case OPT_RESIGN:
operation = SMIME_RESIGN;
break;
- case OPT_VERIFY:
- operation = SMIME_VERIFY;
- break;
- case OPT_VERIFY_RETCODE:
- verify_retcode = 1;
+ case OPT_SIGN_RECEIPT:
+ operation = SMIME_SIGN_RECEIPT;
break;
case OPT_VERIFY_RECEIPT:
operation = SMIME_VERIFY_RECEIPT;
rctfile = opt_arg();
break;
- case OPT_CMSOUT:
- operation = SMIME_CMSOUT;
- break;
- case OPT_DATA_OUT:
- operation = SMIME_DATAOUT;
+ case OPT_VERIFY_RETCODE:
+ verify_retcode = 1;
break;
- case OPT_DATA_CREATE:
- operation = SMIME_DATA_CREATE;
+ case OPT_DIGEST_CREATE:
+ operation = SMIME_DIGEST_CREATE;
break;
case OPT_DIGEST_VERIFY:
operation = SMIME_DIGEST_VERIFY;
break;
- case OPT_DIGEST_CREATE:
- operation = SMIME_DIGEST_CREATE;
- break;
case OPT_COMPRESS:
operation = SMIME_COMPRESS;
break;
case OPT_UNCOMPRESS:
operation = SMIME_UNCOMPRESS;
break;
+ case OPT_ED_ENCRYPT:
+ operation = SMIME_ENCRYPTED_ENCRYPT;
+ break;
case OPT_ED_DECRYPT:
operation = SMIME_ENCRYPTED_DECRYPT;
break;
- case OPT_ED_ENCRYPT:
- operation = SMIME_ENCRYPTED_ENCRYPT;
+ case OPT_DATA_CREATE:
+ operation = SMIME_DATA_CREATE;
+ break;
+ case OPT_DATA_OUT:
+ operation = SMIME_DATA_OUT;
+ break;
+ case OPT_CMSOUT:
+ operation = SMIME_CMSOUT;
break;
+
case OPT_DEBUG_DECRYPT:
flags |= CMS_DEBUG_DECRYPT;
break;
@@ -693,15 +706,15 @@ int cms_main(int argc, char **argv)
if (conf == NULL)
goto end;
break;
- case OPT_3DES_WRAP:
+ case OPT_WRAP:
+ wrapname = opt_unknown();
+ break;
case OPT_AES128_WRAP:
case OPT_AES192_WRAP:
case OPT_AES256_WRAP:
+ case OPT_3DES_WRAP:
wrapname = opt_flag() + 1;
break;
- case OPT_WRAP:
- wrapname = opt_unknown();
- break;
}
}
if (!app_RAND_load())
@@ -812,12 +825,12 @@ int cms_main(int argc, char **argv)
if (operation == SMIME_ENCRYPT) {
if (!cipher) {
-# ifndef OPENSSL_NO_DES
+#ifndef OPENSSL_NO_DES
cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
-# else
+#else
BIO_printf(bio_err, "No cipher selected\n");
goto end;
-# endif
+#endif
}
if (secret_key && !secret_keyid) {
@@ -1149,7 +1162,7 @@ int cms_main(int argc, char **argv)
BIO_printf(bio_err, "Error decrypting CMS structure\n");
goto end;
}
- } else if (operation == SMIME_DATAOUT) {
+ } else if (operation == SMIME_DATA_OUT) {
if (!CMS_data(cms, out, flags))
goto end;
} else if (operation == SMIME_UNCOMPRESS) {
@@ -1177,8 +1190,8 @@ int cms_main(int argc, char **argv)
goto end;
}
if (signerfile != NULL) {
- STACK_OF(X509) *signers;
- signers = CMS_get0_signers(cms);
+ STACK_OF(X509) *signers = CMS_get0_signers(cms);
+
if (!save_certs(signerfile, signers)) {
BIO_printf(bio_err,
"Error writing signers to %s\n", signerfile);
diff --git a/apps/include/opt.h b/apps/include/opt.h
index 5d85877301..951557974b 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -316,6 +316,9 @@ typedef struct options_st {
int valtype;
const char *helpstr;
} OPTIONS;
+/* Special retval values: */
+#define OPT_PARAM 0 /* same as OPT_EOF usually defined in apps */
+#define OPT_DUP -2 /* marks duplicate occurrence of option in help output */
/*
* A string/int pairing; widely use for option value lookup, hence the
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index 4b75b46681..0f08da2df4 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -184,9 +184,13 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
/* Make sure options are legit. */
OPENSSL_assert(o->name[0] != '-');
- OPENSSL_assert(o->retval > 0);
+ if (o->valtype == '.')
+ OPENSSL_assert(o->retval == OPT_PARAM);
+ else
+ OPENSSL_assert(o->retval == OPT_DUP || o->retval > OPT_PARAM);
switch (i) {
- case 0: case '-': case '/': case '<': case '>': case 'E': case 'F':
+ case 0: case '-': case '.':
+ case '/': case '<': case '>': case 'E': case 'F':
case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's':
case 'u': case 'c': case ':': case 'N':
break;
@@ -199,8 +203,13 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
/*
* Some compilers inline strcmp and the assert string is too long.
*/
- duplicated = strcmp(o->name, next->name) == 0;
- OPENSSL_assert(!duplicated);
+ duplicated = next->retval != OPT_DUP
+ && strcmp(o->name, next->name) == 0;
+ if (duplicated) {
+ opt_printf_stderr("%s: Internal error: duplicate option %s\n",
+ prog, o->name);
+ OPENSSL_assert(!duplicated);
+ }
}
#endif
if (o->name[0] == '\0') {
@@ -821,6 +830,9 @@ int opt_next(void)
case ':':
/* Just a string. */
break;
+ case '.':
+ /* Parameters */
+ break;
case '/':
if (opt_isdir(arg) > 0)
break;
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index bdfb607134..6e0f86804a 100644
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -9,96 +9,131 @@ openssl-cms - CMS command
B<openssl> B<cms>
[B<-help>]
+
+General options:
+
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+{- $OpenSSL::safe::opt_config_synopsis -}
+
+Operation options:
+
[B<-encrypt>]
[B<-decrypt>]
-[B<-debug_decrypt>]
[B<-sign>]
[B<-verify>]
-[B<-verify_retcode>]
-[B<-no_attr_verify>]
-[B<-nosigs>]
-[B<-no_content_verify>]
-[B<-cmsout>]
[B<-resign>]
-[B<-cades>]
-[B<-data_create>]
-[B<-data_out>]
+[B<-sign_receipt>]
+[B<-verify_receipt> I<receipt>]
[B<-digest_create>]
[B<-digest_verify>]
[B<-compress>]
[B<-uncompress>]
-[B<-EncryptedData_decrypt>]
[B<-EncryptedData_encrypt>]
-[B<-sign_receipt>]
-[B<-verify_receipt> I<receipt>]
-[B<-in> I<filename>]
-[B<-out> I<filename>]
+[B<-EncryptedData_decrypt>]
+[B<-data_create>]
+[B<-data_out>]
+[B<-cmsout>]
+
+File format options:
+
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-stream>]
[B<-indef>]
[B<-noindef>]
-[B<-content> I<filename>]
-[B<-text>]
-[B<-noout>]
-[B<-print>]
-[B<-nameopt> I<option>]
-[B<-md> I<digest>]
+[B<-binary>]
+[B<-crlfeol>]
+[B<-asciicrlf>]
+
+Keys and password options:
+
+[B<-pwri_password> I<password>]
+[B<-secretkey> I<key>]
+[B<-secretkeyid> I<id>]
+[B<-inkey> I<filename>|I<uri>]
+[B<-passin> I<arg>]
+[B<-keyopt> I<name>:I<parameter>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_r_synopsis -}
+
+Encryption options:
+
+[B<-originator> I<file>]
+[B<-recip> I<file>]
+[I<recipient-cert> ...]
[B<-I<cipher>>]
[B<-wrap> I<cipher>]
[B<-aes128-wrap>]
[B<-aes192-wrap>]
[B<-aes256-wrap>]
[B<-des3-wrap>]
-[B<-nointern>]
-[B<-noverify>]
+[B<-debug_decrypt>]
+
+Signing options:
+
+[B<-md> I<digest>]
+[B<-signer> I<file>]
+[B<-certfile> I<file>]
+[B<-cades>]
+[B<-nodetach>]
[B<-nocerts>]
[B<-noattr>]
[B<-nosmimecap>]
-[B<-binary>]
-[B<-crlfeol>]
-[B<-asciicrlf>]
-[B<-nodetach>]
-[B<-certfile> I<file>]
-[B<-certsout> I<file>]
-[B<-signer> I<file>]
-[B<-originator> I<file>]
-[B<-recip> I<file>]
-[B<-keyid>]
[B<-receipt_request_all>]
[B<-receipt_request_first>]
[B<-receipt_request_from> I<emailaddress>]
[B<-receipt_request_to> I<emailaddress>]
-[B<-receipt_request_print>]
-[B<-pwri_password> I<password>]
-[B<-secretkey> I<key>]
-[B<-secretkeyid> I<id>]
+
+Verification options:
+
+[B<-signer> I<file>]
+[B<-content> I<filename>]
+[B<-no_content_verify>]
+[B<-no_attr_verify>]
+[B<-nosigs>]
+[B<-noverify>]
+[B<-nointern>]
+[B<-cades>]
+[B<-verify_retcode>]
+{- $OpenSSL::safe::opt_trust_synopsis -}
+
+Output options:
+
+[B<-keyid>]
[B<-econtent_type> I<type>]
-[B<-inkey> I<filename>|I<uri>]
-[B<-keyopt> I<name>:I<parameter>]
-[B<-passin> I<arg>]
+[B<-text>]
+[B<-certsout> I<file>]
[B<-to> I<addr>]
[B<-from> I<addr>]
[B<-subject> I<subj>]
+
+Printing options:
+
+[B<-noout>]
+[B<-print>]
+[B<-nameopt> I<option>]
+[B<-receipt_request_print>]
+
+Validation options:
+
{- $OpenSSL::safe::opt_v_synopsis -}
-{- $OpenSSL::safe::opt_trust_synopsis -}
-{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
-{- $OpenSSL::safe::opt_config_synopsis -}
-[I<recipient-cert> ...]
=head1 DESCRIPTION
-This command handles S/MIME v3.1 mail. It can encrypt, decrypt,
-sign and verify, compress and uncompress S/MIME messages.
+This command handles data in CMS format such as S/MIME v3.1 email messages.
+It can encrypt, decrypt, sign, verify, compress, uncompress, and print messages.
=head1 OPTIONS
-There are fourteen operation options that set the type of operation to be
-performed. The meaning of the other options varies according to the operation
-type.
+There are a number of operation options that set the type of operation to be
+performed: encrypt, decrypt, sign, verify, resign, sign_receipt, verify_receipt,
+digest_create, digest_verify, compress, uncompress,
+EncryptedData_encrypt, EncryptedData_decrypt, data_create, data_out, or cmsout.
+The relevance of the other options depends on the operation type
+and their meaning may vary according to it.
=over 4
@@ -106,77 +141,71 @@ type.
Print out a usage message.
-=item B<-encrypt>
-
-Encrypt mail for the given recipient certificates. Input file is the message
-to be encrypted. The output file is the encrypted mail in MIME format. The
-actual CMS type is B<EnvelopedData>.
+=back
-Note that no revocation check is done for the recipient cert, so if that
-key has been compromised, others may be able to decrypt the text.
+=head2 General options
-=item B<-decrypt>
+=over 4
-Decrypt mail using the supplied certificate and private key. Expects an
-encrypted mail message in MIME format for the input file. The decrypted mail
-is written to the output file.
+=item B<-in> I<filename>
-=item B<-debug_decrypt>
+The input message to be encrypted or signed or the message to be decrypted
+or verified.
-This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
-with caution: see the notes section below.
+=item B<-out> I<filename>
-=item B<-sign>
+The message text that has been decrypted or verified or the output MIME
+format message that has been signed or verified.
-Sign mail using the supplied certificate and private key. Input file is
-the message to be signed. The signed message in MIME format is written
-to the output file.
+{- $OpenSSL::safe::opt_config_item -}
-=item B<-verify>
+=back
-Verify signed mail. Expects a signed mail message on input and outputs
-the signed data. Both clear text and opaque signing is supported.
+=head2 Operation options
-=item B<-verify_retcode>
+=over 4
-Exit nonzero on verification failure.
+=item B<-encrypt>
-=item B<-no_attr_verify>
+Encrypt data for the given recipient certificates. Input file is the message
+to be encrypted. The output file is the encrypted data in MIME format. The
+actual CMS type is B<EnvelopedData>.
-Do not verify signed attribute signatures.
+Note that no revocation check is done for the recipient cert, so if that
+key has been compromised, others may be able to decrypt the text.
-=item B<-no_content_verify>
+=item B<-decrypt>
-Do not verify signed content signatures.
+Decrypt data using the supplied certificate and private key. Expects
+encrypted datain MIME format for the input file. The decrypted data
+is written to the output file.
-=item B<-nosigs>
+=item B<-sign>
-Don't verify message signature.
+Sign data using the supplied certificate and private key. Input file is
+the message to be signed. The signed data in MIME format is written
+to the output file.
-=item B<-cmsout>
+=item B<-verify>
-Takes an input message and writes out a PEM encoded CMS structure.
+Verify signed data. Expects a signed data on input and outputs
+the signed data. Both clear text and opaque signing is supported.
=item B<-resign>
Resign a message: take an existing message and one or more new signers.
-=item B<-cades>
-
-When used with B<-sign>,
-add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute
-to the SignerInfo, in order to make the signature comply with the requirements
-for a CAdES Basic Electronic Signature (CAdES-BES).
-When used with B<-verify>, require and check signer certificate digest.
-See the NOTES section for more details.
-
-=item B<-data_create>
+=item B<-sign_receipt>
-Create a CMS B<Data> type.
+Generate and output a signed receipt for the supplied message. The input
+message B<must> contain a signed receipt request. Functionality is otherwise
+similar to the B<-sign> operation.
-=item B<-data_out>
+=item B<-verify_receipt> I<receipt>
-B<Data> type and output the content.
+Verify a signed receipt in filename B<receipt>. The input message B<must>
+contain the original receipt request. Functionality is otherwise similar
+to the B<-verify> operation.
=item B<-digest_create>
@@ -197,37 +226,33 @@ Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be
compiled with B<zlib> support for this option to work, otherwise it will
output an error.
-=item B<-EncryptedData_decrypt>
+=item B<-EncryptedData_encrypt>
-Decrypt content using supplied symmetric key and algorithm using a CMS
+Encrypt content using supplied symmetric key and algorithm using a CMS
B<EncryptedData> type and output the content.
-=item B<-EncryptedData_encrypt>
+=item B<-EncryptedData_decrypt>
-Encrypt content using supplied symmetric key and algorithm using a CMS
+Decrypt content using supplied symmetric key and algorithm using a CMS
B<EncryptedData> type and output the content.
-=item B<-sign_receipt>
+=item B<-data_create>
-Generate and output a signed receipt for the supplied message. The input
-message B<must> contain a signed receipt request. Functionality is otherwise
-similar to the B<-sign> operation.
+Create a CMS B<Data> type.
-=item B<-verify_receipt> I<receipt>
+=item B<-data_out>
-Verify a signed receipt in filename B<receipt>. The input message B<must>
-contain the original receipt request. Functionality is otherwise similar
-to the B<-verify> operation.
+B<Data> type and output the content.
-=item B<-in> I<filename>
+=item B<-cmsout>
-The input message to be encrypted or signed or the message to be decrypted
-or verified.
+Takes an input message and writes out a PEM encoded CMS structure.
-=item B<-out> I<filename>
+=back
-The message text that has been decrypted or verified or the output MIME
-format message that has been signed or verified.
+=head2 File format options
+
+=over 4
=item B<-inform> B<DER>|B<PEM>|B<SMIME>
@@ -241,68 +266,132 @@ The output format of the CMS structure (if one is being written);
the default is B<SMIME>.
See L<openssl-format-options(1)> for details.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-
-The format of the private key file; unspecified by default.
-See L<openssl-format-options(1)> for details.
-
=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
The signed receipt format for use with the B<-receipt_verify>; the default
is B<SMIME>.
See L<openssl-format-options(1)> for details.
-=item B<-stream>, B<-indef>
+=item B<-stream>, B<-indef>
+
+The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
+for encoding operations. This permits single pass processing of data without
+the need to hold the entire contents in memory, potentially supporting very
+large files. Streaming is automatically set for S/MIME signing with detached
+data if the output format is B<SMIME> it is currently off by default for all
+other operations.
+
+=item B<-noindef>
+
+Disable streaming I/O where it would produce and indefinite length constructed
+encoding. This option currently has no effect. In future streaming will be
+enabled by default on all relevant operations and this option will disable it.
+
+=item B<-binary>
+
+Normally the input message is converted to "canonical" format which is
+effectively using CR and LF as end of line: as required by the S/MIME
+specification. When this option is present no translation occurs. This
+is useful when handling binary data which may not be in MIME format.
+
+=item B<-crlfeol>
+
+Normally the output file uses a single B<LF> as end of line. When this
+option is present B<CRLF> is used instead.
+
+=item B<-asciicrlf>
+
+When signing use ASCII CRLF format canonicalisation. This strips trailing
+whitespace from all lines, deletes trailing blank lines at EOF and sets
+the encapsulated content type. This option is normally used with detached
+content and an output signature format of DER. This option is not normally
+needed when verifying as it is enabled automatically if the encapsulated
+content format is detected.
+
+=back
+
+=head2 Keys and password options
+
+=over 4
+
+=item B<-pwri_password> I<password>
+
+Specify password for recipient.
+
+=item B<-secretkey> I<key>
+
+Specify symmetric key to use. The key must be supplied in hex format and be
+consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
+B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
+with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
+content encryption key using an AES key in the B<KEKRecipientInfo> type.
+
+=item B<-secretkeyid> I<id>
+
+The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
+This option B<must> be present if the B<-secretkey> option is used with
+B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
+relevant key if it is not supplied then an attempt is used to decrypt any
+B<KEKRecipientInfo> structures.
+
+=item B<-inkey> I<filename>|I<uri>
+
+The private key to use when signing or decrypting. This must match the
+corresponding certificate. If this option is not specified then the
+private key must be included in the certificate file specified with
+the B<-recip> or B<-signer> file. When signing this option can be used
+multiple times to specify successive keys.
+
+=item B<-passin> I<arg>
+
+The private key password source. For more information about the format of B<arg>
+see L<openssl-passphrase-options(1)>.
+
+=item B<-keyopt> I<name>:I<parameter>
+
+For signing and encryption this option can be used multiple times to
+set customised parameters for the preceding key or certificate. It can
+currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
+or to modify default parameters for ECDH.
+
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
-for encoding operations. This permits single pass processing of data without
-the need to hold the entire contents in memory, potentially supporting very
-large files. Streaming is automatically set for S/MIME signing with detached
-data if the output format is B<SMIME> it is currently off by default for all
-other operations.
+The format of the private key file; unspecified by default.
+See L<openssl-format-options(1)> for details.
-=item B<-noindef>
+{- $OpenSSL::safe::opt_engine_item -}
-Disable streaming I/O where it would produce and indefinite length constructed
-encoding. This option currently has no effect. In future streaming will be
-enabled by default on all relevant operations and this option will disable it.
+{- $OpenSSL::safe::opt_provider_item -}
-=item B<-content> I<filename>
+{- $OpenSSL::safe::opt_r_item -}
-This specifies a file containing the detached content, this is only
-useful with the B<-verify> command. This is only usable if the CMS
-structure is using the detached signature form where the content is
-not included. This option will override any content if the input format
-is S/MIME and it uses the multipart/signed MIME content type.
+=back
-=item B<-text>
+=head2 Encryption and decryption options
-This option adds plain text (text/plain) MIME headers to the supplied
-message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME
-type text/plain then an error occurs.
+=over 4
-=item B<-noout>
+=item B<-originator> I<file>
-For the B<-cmsout> operation do not output the parsed CMS structure. This
-is useful when combined with the B<-print> option or if the syntax of the CMS
-structure is being checked.
+A certificate of the originator of the encrypted message. Necessary for
+decryption when Key Agreement is in use for a shared key.
-=item B<-print>
+=item B<-recip> I<file>
-For the B<-cmsout> operation print out all fields of the CMS structure. This
-is mainly useful for testing purposes.
+When decrypting a message this specifies the certificate of the recipient.
+The certificate must match one of the recipients of the message.
-=item B<-nameopt> I<option>
+When encrypting a message this option may be used multiple times to specify
+each recipient. This form B<must> be used if customised parameters are
+required (for example to specify RSA-OAEP).
-For the B<-cmsout> operation when B<-print> option is in use, specifies
-printing options for string fields. For most cases B<utf8> is reasonable value.
-See L<openssl-namedisplay-options(1)> for details.
+Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
+option.
-=item B<-md> I<digest>
+=item I<recipient-cert> ...
-Digest algorithm to use when signing or resigning. If not present then the
-default digest algorithm for the signing key will be used (usually SHA1).
+This is an alternative to using the B<-recip> option when encrypting a message.
+One or more certificate filennames may be given.
=item B<-I<cipher>>
@@ -327,17 +416,49 @@ wrap.
=item B<-aes128-wrap>, B<-aes192-wrap>, B<-aes256-wrap>, B<-des3-wrap>
Use AES128, AES192, AES256, or 3DES-EDE, respectively, to wrap key.
+Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported.
-=item B<-nointern>
+=item B<-debug_decrypt>
-When verifying a message normally certificates (if any) included in
-the message are searched for the signing certificate. With this option
-only the certificates specified in the B<-certfile> option are used.
-The supplied certificates can still be used as untrusted CAs however.
+This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
+with caution: see the notes section below.
-=item B<-noverify>
+=back
-Do not verify the signers certificate of a signed message.
+=head2 Signing options
+
+=over 4
+
+=item B<-md> I<digest>
+
+Digest algorithm to use when signing or resigning. If not present then the
+default digest algorithm for the signing key will be used (usually SHA1).
+
+=item B<-signer> I<file>
+
+A signing certificate. When signing or resigning a message, this option can be
+used multiple times if more than one signer is required.
+
+=item B<-certfile> I<file>
+
+Allows additional certificates to be specified. When signing these will
+be included with the message. When verifying these will be searched for
+the signers certificates.
+The input can be in PEM, DER, or PKCS#12 format.
+
+=item B<-cades>
+
+When used with B<-sign>,
+add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute
+to the SignerInfo, in order to make the signature comply with the requirements
+for a CAdES Basic Electronic Signature (CAdES-BES).
+
+=item B<-nodetach>
+
+When signing a message use opaque signing: this form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME. Without this option cleartext signing with
+the MIME type multipart/signed is used.
=item B<-nocerts>
@@ -357,116 +478,86 @@ option they are not included.
Exclude the list of supported algorithms from signed attributes, other options
such as signing time and content type are still included.
-=item B<-binary>
-
-Normally the input message is converted to "canonical" format which is
-effectively using CR and LF as end of line: as required by the S/MIME
-specification. When this option is present no translation occurs. This
-is useful when handling binary data which may not be in MIME format.
-
-=item B<-crlfeol>
-
-Normally the output file uses a single B<LF> as end of line. When this
-option is present B<CRLF> is used instead.
+=item B<-receipt_request_all>, B<-receipt_request_first>
-=item B<-asciicrlf>
+For B<-sign> option include a signed receipt request. Indicate requests should
+be provided by all recipient or first tier recipients (those mailed directly
+and not from a mailing list). Ignored it B<-receipt_request_from> is included.
-When signing use ASCII CRLF format canonicalisation. This strips trailing
-whitespace from all lines, deletes trailing blank lines at EOF and sets
-the encapsulated content type. This option is normally used with detached
-content and an output signature format of DER. This option is not normally
-needed when verifying as it is enabled automatically if the encapsulated
-content format is detected.
+=item B<-receipt_request_from> I<emailaddress>
-=item B<-nodetach>
+For B<-sign> option include a signed receipt request. Add an explicit email
+address where receipts should be supplied.
-When signing a message use opaque signing: this form is more resistant
-to translation by mail relays but it cannot be read by mail agents that
-do not support S/MIME. Without this option cleartext signing with
-the MIME type multipart/signed is used.
+=item B<-receipt_request_to> I<emailaddress>
-=item B<-certfile> I<file>
+Add an explicit email address where signed receipts should be sent to. This
+option B<must> but supplied if a signed receipt is requested.
-Allows additional certificates to be specified. When signing these will
-be included with the message. When verifying these will be searched for
-the signers certificates.
-The input can be in PEM, DER, or PKCS#12 format.
+=back
-=item B<-certsout> I<file>
+=head2 Verification options
-Any certificates contained in the message are written to I<file>.
+=over 4
=item B<-signer> I<file>
-A signing certificate when signing or resigning a message, this option can be
-used multiple times if more than one signer is required. If a message is being
-verified then the signers certificates will be written to this file if the
-verification was successful.
+If a message has been verified successfully then the signers certificate(s)
+will be written to this file if the verification was successful.
-=item B<-originator> I<file>
+=item B<-content> I<filename>
-A certificate of the originator of the encrypted message. Necessary for
-decryption when Key Agreement is in use for a shared key.
+This specifies a file containing the detached content, this is only
+useful with the B<-verify> command. This is only usable if the CMS
+structure is using the detached signature form where the content is
+not included. This option will override any content if the input format
+is S/MIME and it uses the multipart/signed MIME content type.
-=item B<-recip> I<file>
+=item B<-no_content_verify>
-When decrypting a message this specifies the recipients certificate. The
-certificate must match one of the recipients of the message or an error
-occurs.
+Do not verify signed content signatures.
-When encrypting a message this option may be used multiple times to specify
-each recipient. This form B<must> be used if customised parameters are
-required (for example to specify RSA-OAEP).
+=item B<-no_attr_verify>
-Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
-option.
+Do not verify signed attribute signatures.
-=item B<-keyid>
+=item B<-nosigs>
-Use subject key identifier to identify certificates instead of issuer name and
-serial number. The supplied certificate B<must> include a subject key
-identifier extension. Supported by B<-sign> and B<-encrypt> options.
+Don't verify message signature.
-=item B<-receipt_request_all>, B<-receipt_request_first>
+=item B<-noverify>
-For B<-sign> option include a signed receipt request. Indicate requests should
-be provided by all recipient or first tier recipients (those mailed directly
-and not from a mailing list). Ignored it B<-receipt_request_from> is included.
+Do not verify the signers certificate of a signed message.
-=item B<-receipt_request_from> I<emailaddress>
+=item B<-nointern>
-For B<-sign> option include a signed receipt request. Add an explicit email
-address where receipts should be supplied.
+When verifying a message normally certificates (if any) included in
+the message are searched for the signing certificate. With this option
+only the certificates specified in the B<-certfile> option are used.
+The supplied certificates can still be used as untrusted CAs however.
-=item B<-receipt_request_to> I<emailaddress>
+=item B<-cades>
-Add an explicit email address where signed receipts should be sent to. This
-option B<must> but supplied if a signed receipt it requested.
+When used with B<-verify>, require and check signer certificate digest.
+See the NOTES section for more details.
-=item B<-receipt_request_print>
+=item B<-verify_retcode>
-For the B<-verify> operation print out the contents of any signed receipt
-requests.
+Exit nonzero on verification failure.
-=item B<-pwri_password> I<password>
+{- $OpenSSL::safe::opt_trust_item -}
-Specify password for recipient.
+=back
-=item B<-secretkey> I<key>
+=head2 Output options
-Specify symmetric key to use. The key must be supplied in hex format and be
-consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
-B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
-with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
-content encryption key using an AES key in the B<KEKRecipientInfo> type.
+=over 4
-=item B<-secretkeyid> I<id>
+=item B<-keyid>
-The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
-This option B<must> be present if the B<-secretkey> option is used with
-B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
-relevant key if it is not supplied then an attempt is used to decrypt any
-B<KEKRecipientInfo> structures.
+Use subject key identifier to identify certificates instead of issuer name and
+serial number. The supplied certificate B<must> include a subject key
+identifier extension. Supported by B<-sign> and B<-encrypt> options.
=item B<-econtent_type> I<type>
@@ -474,51 +565,61 @@ Set the encapsulated content type to I<type> if not supplied the B<Data> type
is used. The I<type> argument can be any valid OID name in either text or
numerical format.
-=item B<-inkey> I<filename>|I<uri>
-
-The private key to use when signing or decrypting. This must match the
-corresponding certificate. If this option is not specified then the
-private key must be included in the certificate file specified with
-the B<-recip> or B<-signer> file. When signing this option can be used
-multiple times to specify successive keys.
-
-=item B<-keyopt> I<name>:I<parameter>
+=item B<-text>
-For signing and encryption this option can be used multiple times to
-set customised parameters for the preceding key or certificate. It can
-currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
-or to modify default parameters for ECDH.
+This option adds plain text (text/plain) MIME headers to the supplied
+message if encrypting or signing. If decrypting or verifying it strips
+off text headers: if the decrypted or verified message is not of MIME
+type text/plain then an error occurs.
-=item B<-passin> I<arg>
+=item B<-certsout> I<file>
-The private key password source. For more information about the format of B<arg>
-see L<openssl-passphrase-options(1)>.
+Any certificates contained in the input message are written to I<file>.
=item B<-to>, B<-from>, B<-subject>
-The relevant mail headers. These are included outside the signed
+The relevant email headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-{- $OpenSSL::safe::opt_v_item -}
+=back
-Any verification errors cause the command to exit.
+=head2 Printing options
-{- $OpenSSL::safe::opt_trust_item -}
+=over 4
-{- $OpenSSL::safe::opt_r_item -}
+=item B<-noout>
-{- $OpenSSL::safe::opt_engine_item -}
+For the B<-cmsout> operation do not output the parsed CMS structure.
+This is useful if the syntax of the CMS structure is being checked.
-{- $OpenSSL::safe::opt_provider_item -}
+=item B<-print>
-{- $OpenSSL::safe::opt_config_item -}
+For the B<-cmsout> operation print out all fields of the CMS structure.
+This implies B<-noout>.
+This is mainly useful for testing purposes.
-=item I<recipient-cert> ...
+=item B<-nameopt> I<option>
+
+For the B<-cmsout> operation when B<-print> option is in use, specifies
+printing options for string fields. For most cases B<utf8> is reasonable value.
+See L<openssl-namedisplay-options(1)> for details.
+
+=item B<-receipt_request_print>
+
+For the B<-verify> operation print out the contents of any signed receipt
+requests.
+
+=back
+
+=head2 Validation options
+
+=over 4
-One or more certificates of message recipients: used when encrypting
-a message.
+{- $OpenSSL::safe::opt_v_item -}
+
+Any validation errors cause the command to exit.
=back
@@ -710,7 +811,7 @@ Sign and encrypt mail:
Note: the encryption command does not include the B<-text> option because the
message being encrypted already has MIME headers.
-Decrypt mail:
+Decrypt a message:
openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
@@ -738,12 +839,12 @@ Add a signer to an existing message:
openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg
-Sign mail using RSA-PSS:
+Sign a message using RSA-PSS:
openssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -keyopt rsa_padding_mode:pss
-Create encrypted mail using RSA-OAEP:
+Create an encrypted message using RSA-OAEP:
openssl cms -encrypt -in plain.txt -out mail.msg \
-recip cert.pem -keyopt rsa_padding_mode:oaep
@@ -753,6 +854,10 @@ Use SHA256 KDF with an ECDH certificate:
openssl cms -encrypt -in plain.txt -out mail.msg \
-recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
+Print CMS signed binary data in human-readable form:
+
+openssl cms -in signed.cms -binary -inform DER -cmsout -print
+
=head1 BUGS
The MIME parser isn't very clever: it seems to handle most messages that I've
More information about the openssl-commits
mailing list