18 .\" Set up some character translations and predefined strings. \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
51 .\" entries marked with X<> in POD. Of course, you'll have to process the
62 . tm Index:\\$1\t\\n%\t"\\$2"
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-CMS 1ossl"
134 .TH OPENSSL-CMS 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-cms \- CMS command
144 [\fB\-help\fR]
148 [\fB\-in\fR \fIfilename\fR]
149 [\fB\-out\fR \fIfilename\fR]
150 [\fB\-config\fR \fIconfigfile\fR]
154 [\fB\-encrypt\fR]
155 [\fB\-decrypt\fR]
156 [\fB\-sign\fR]
157 [\fB\-verify\fR]
158 [\fB\-resign\fR]
159 [\fB\-sign_receipt\fR]
160 [\fB\-verify_receipt\fR \fIreceipt\fR]
161 [\fB\-digest_create\fR]
162 [\fB\-digest_verify\fR]
163 [\fB\-compress\fR]
164 [\fB\-uncompress\fR]
165 [\fB\-EncryptedData_encrypt\fR]
166 [\fB\-EncryptedData_decrypt\fR]
167 [\fB\-data_create\fR]
168 [\fB\-data_out\fR]
169 [\fB\-cmsout\fR]
173 [\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
174 [\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
175 [\fB\-rctform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
176 [\fB\-stream\fR]
177 [\fB\-indef\fR]
178 [\fB\-noindef\fR]
179 [\fB\-binary\fR]
180 [\fB\-crlfeol\fR]
181 [\fB\-asciicrlf\fR]
185 [\fB\-pwri_password\fR \fIpassword\fR]
186 [\fB\-secretkey\fR \fIkey\fR]
187 [\fB\-secretkeyid\fR \fIid\fR]
188 [\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
189 [\fB\-passin\fR \fIarg\fR]
190 [\fB\-keyopt\fR \fIname\fR:\fIparameter\fR]
191 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
192 [\fB\-engine\fR \fIid\fR]
193 [\fB\-provider\fR \fIname\fR]
194 [\fB\-provider\-path\fR \fIpath\fR]
195 [\fB\-propquery\fR \fIpropq\fR]
196 [\fB\-rand\fR \fIfiles\fR]
197 [\fB\-writerand\fR \fIfile\fR]
201 [\fB\-originator\fR \fIfile\fR]
202 [\fB\-recip\fR \fIfile\fR]
203 [\fIrecipient-cert\fR ...]
204 [\fB\-\f(BIcipher\fB\fR]
205 [\fB\-wrap\fR \fIcipher\fR]
206 [\fB\-aes128\-wrap\fR]
207 [\fB\-aes192\-wrap\fR]
208 [\fB\-aes256\-wrap\fR]
209 [\fB\-des3\-wrap\fR]
210 [\fB\-debug_decrypt\fR]
214 [\fB\-md\fR \fIdigest\fR]
215 [\fB\-signer\fR \fIfile\fR]
216 [\fB\-certfile\fR \fIfile\fR]
217 [\fB\-cades\fR]
218 [\fB\-nodetach\fR]
219 [\fB\-nocerts\fR]
220 [\fB\-noattr\fR]
221 [\fB\-nosmimecap\fR]
222 [\fB\-receipt_request_all\fR]
223 [\fB\-receipt_request_first\fR]
224 [\fB\-receipt_request_from\fR \fIemailaddress\fR]
225 [\fB\-receipt_request_to\fR \fIemailaddress\fR]
229 [\fB\-signer\fR \fIfile\fR]
230 [\fB\-content\fR \fIfilename\fR]
231 [\fB\-no_content_verify\fR]
232 [\fB\-no_attr_verify\fR]
233 [\fB\-nosigs\fR]
234 [\fB\-noverify\fR]
235 [\fB\-nointern\fR]
236 [\fB\-cades\fR]
237 [\fB\-verify_retcode\fR]
238 [\fB\-CAfile\fR \fIfile\fR]
239 [\fB\-no\-CAfile\fR]
240 [\fB\-CApath\fR \fIdir\fR]
241 [\fB\-no\-CApath\fR]
242 [\fB\-CAstore\fR \fIuri\fR]
243 [\fB\-no\-CAstore\fR]
247 [\fB\-keyid\fR]
248 [\fB\-econtent_type\fR \fItype\fR]
249 [\fB\-text\fR]
250 [\fB\-certsout\fR \fIfile\fR]
251 [\fB\-to\fR \fIaddr\fR]
252 [\fB\-from\fR \fIaddr\fR]
253 [\fB\-subject\fR \fIsubj\fR]
257 [\fB\-noout\fR]
258 [\fB\-print\fR]
259 [\fB\-nameopt\fR \fIoption\fR]
260 [\fB\-receipt_request_print\fR]
264 [\fB\-allow_proxy_certs\fR]
265 [\fB\-attime\fR \fItimestamp\fR]
266 [\fB\-no_check_time\fR]
267 [\fB\-check_ss_sig\fR]
268 [\fB\-crl_check\fR]
269 [\fB\-crl_check_all\fR]
270 [\fB\-explicit_policy\fR]
271 [\fB\-extended_crl\fR]
272 [\fB\-ignore_critical\fR]
273 [\fB\-inhibit_any\fR]
274 [\fB\-inhibit_map\fR]
275 [\fB\-partial_chain\fR]
276 [\fB\-policy\fR \fIarg\fR]
277 [\fB\-policy_check\fR]
278 [\fB\-policy_print\fR]
279 [\fB\-purpose\fR \fIpurpose\fR]
280 [\fB\-suiteB_128\fR]
281 [\fB\-suiteB_128_only\fR]
282 [\fB\-suiteB_192\fR]
283 [\fB\-trusted_first\fR]
284 [\fB\-no_alt_chains\fR]
285 [\fB\-use_deltas\fR]
286 [\fB\-auth_level\fR \fInum\fR]
287 [\fB\-verify_depth\fR \fInum\fR]
288 [\fB\-verify_email\fR \fIemail\fR]
289 [\fB\-verify_hostname\fR \fIhostname\fR]
290 [\fB\-verify_ip\fR \fIip\fR]
291 [\fB\-verify_name\fR \fIname\fR]
292 [\fB\-x509_strict\fR]
293 [\fB\-issuer_checks\fR]
296 This command handles data in \s-1CMS\s0 format such as S/MIME v3.1 email messages.
300 There are a number of operation options that set the type of operation to be
304 The relevance of the other options depends on the operation type
306 .IP "\fB\-help\fR" 4
307 .IX Item "-help"
311 .IP "\fB\-in\fR \fIfilename\fR" 4
312 .IX Item "-in filename"
315 .IP "\fB\-out\fR \fIfilename\fR" 4
316 .IX Item "-out filename"
317 The message text that has been decrypted or verified or the output \s-1MIME\s0
319 .IP "\fB\-config\fR \fIconfigfile\fR" 4
320 .IX Item "-config configfile"
321 See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
324 .IP "\fB\-encrypt\fR" 4
325 .IX Item "-encrypt"
327 to be encrypted. The output file is the encrypted data in \s-1MIME\s0 format. The
328 actual \s-1CMS\s0 type is \fBEnvelopedData\fR.
332 .IP "\fB\-decrypt\fR" 4
333 .IX Item "-decrypt"
335 encrypted data in \s-1MIME\s0 format for the input file. The decrypted data
337 .IP "\fB\-sign\fR" 4
338 .IX Item "-sign"
340 the message to be signed. The signed data in \s-1MIME\s0 format is written
342 .IP "\fB\-verify\fR" 4
343 .IX Item "-verify"
346 .IP "\fB\-resign\fR" 4
347 .IX Item "-resign"
349 .IP "\fB\-sign_receipt\fR" 4
350 .IX Item "-sign_receipt"
353 similar to the \fB\-sign\fR operation.
354 .IP "\fB\-verify_receipt\fR \fIreceipt\fR" 4
355 .IX Item "-verify_receipt receipt"
358 to the \fB\-verify\fR operation.
359 .IP "\fB\-digest_create\fR" 4
360 .IX Item "-digest_create"
361 Create a \s-1CMS\s0 \fBDigestedData\fR type.
362 .IP "\fB\-digest_verify\fR" 4
363 .IX Item "-digest_verify"
364 Verify a \s-1CMS\s0 \fBDigestedData\fR type and output the content.
365 .IP "\fB\-compress\fR" 4
366 .IX Item "-compress"
367 Create a \s-1CMS\s0 \fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
369 .IP "\fB\-uncompress\fR" 4
370 .IX Item "-uncompress"
371 Uncompress a \s-1CMS\s0 \fBCompressedData\fR type and output the content. OpenSSL must be
374 .IP "\fB\-EncryptedData_encrypt\fR" 4
375 .IX Item "-EncryptedData_encrypt"
376 Encrypt content using supplied symmetric key and algorithm using a \s-1CMS\s0
378 .IP "\fB\-EncryptedData_decrypt\fR" 4
379 .IX Item "-EncryptedData_decrypt"
380 Decrypt content using supplied symmetric key and algorithm using a \s-1CMS\s0
382 .IP "\fB\-data_create\fR" 4
383 .IX Item "-data_create"
384 Create a \s-1CMS\s0 \fBData\fR type.
385 .IP "\fB\-data_out\fR" 4
386 .IX Item "-data_out"
388 .IP "\fB\-cmsout\fR" 4
389 .IX Item "-cmsout"
390 Takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure.
393 .IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
394 .IX Item "-inform DER|PEM|SMIME"
395 The input format of the \s-1CMS\s0 structure (if one is being read);
396 the default is \fB\s-1SMIME\s0\fR.
397 See \fBopenssl\-format\-options\fR\|(1) for details.
398 .IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
399 .IX Item "-outform DER|PEM|SMIME"
400 The output format of the \s-1CMS\s0 structure (if one is being written);
401 the default is \fB\s-1SMIME\s0\fR.
402 See \fBopenssl\-format\-options\fR\|(1) for details.
403 .IP "\fB\-rctform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
404 .IX Item "-rctform DER|PEM|SMIME"
405 The signed receipt format for use with the \fB\-verify_receipt\fR operation; the default
406 is \fB\s-1SMIME\s0\fR.
407 See \fBopenssl\-format\-options\fR\|(1) for details.
408 .IP "\fB\-stream\fR, \fB\-indef\fR" 4
409 .IX Item "-stream, -indef"
410 The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O
411 for encoding operations. This permits single pass processing of data without
414 data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all
416 .IP "\fB\-noindef\fR" 4
417 .IX Item "-noindef"
421 .IP "\fB\-binary\fR" 4
422 .IX Item "-binary"
424 effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
426 is useful when handling binary data which may not be in \s-1MIME\s0 format.
427 .IP "\fB\-crlfeol\fR" 4
428 .IX Item "-crlfeol"
429 Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this
430 option is present \fB\s-1CRLF\s0\fR is used instead.
431 .IP "\fB\-asciicrlf\fR" 4
432 .IX Item "-asciicrlf"
433 When signing use \s-1ASCII CRLF\s0 format canonicalisation. This strips trailing
434 whitespace from all lines, deletes trailing blank lines at \s-1EOF\s0 and sets
436 content and an output signature format of \s-1DER.\s0 This option is not normally
441 .IP "\fB\-pwri_password\fR \fIpassword\fR" 4
442 .IX Item "-pwri_password password"
444 .IP "\fB\-secretkey\fR \fIkey\fR" 4
445 .IX Item "-secretkey key"
447 consistent with the algorithm used. Supported by the \fB\-EncryptedData_encrypt\fR
448 \&\fB\-EncryptedData_decrypt\fR, \fB\-encrypt\fR and \fB\-decrypt\fR options. When used
449 with \fB\-encrypt\fR or \fB\-decrypt\fR the supplied key is used to wrap or unwrap the
450 content encryption key using an \s-1AES\s0 key in the \fBKEKRecipientInfo\fR type.
451 .IP "\fB\-secretkeyid\fR \fIid\fR" 4
452 .IX Item "-secretkeyid id"
454 This option \fBmust\fR be present if the \fB\-secretkey\fR option is used with
455 \&\fB\-encrypt\fR. With \fB\-decrypt\fR operations the \fIid\fR is used to locate the
458 .IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
459 .IX Item "-inkey filename|uri"
463 the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
465 .IP "\fB\-passin\fR \fIarg\fR" 4
466 .IX Item "-passin arg"
467 The private key password source. For more information about the format of \fBarg\fR
468 see \fBopenssl\-passphrase\-options\fR\|(1).
469 .IP "\fB\-keyopt\fR \fIname\fR:\fIparameter\fR" 4
470 .IX Item "-keyopt name:parameter"
473 currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
474 or to modify default parameters for \s-1ECDH.\s0
475 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
476 .IX Item "-keyform DER|PEM|P12|ENGINE"
477 The format of the private key file; unspecified by default.
478 See \fBopenssl\-format\-options\fR\|(1) for details.
479 .IP "\fB\-engine\fR \fIid\fR" 4
480 .IX Item "-engine id"
481 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
483 .IP "\fB\-provider\fR \fIname\fR" 4
484 .IX Item "-provider name"
486 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
487 .IX Item "-provider-path path"
488 .IP "\fB\-propquery\fR \fIpropq\fR" 4
489 .IX Item "-propquery propq"
491 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
492 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
493 .IX Item "-rand files, -writerand file"
494 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
497 .IP "\fB\-originator\fR \fIfile\fR" 4
498 .IX Item "-originator file"
499 A certificate of the originator of the encrypted message. Necessary for
501 .IP "\fB\-recip\fR \fIfile\fR" 4
502 .IX Item "-recip file"
503 When decrypting a message this specifies the certificate of the recipient.
504 The certificate must match one of the recipients of the message.
508 required (for example to specify RSA-OAEP).
510 Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supported by this
512 .IP "\fIrecipient-cert\fR ..." 4
513 .IX Item "recipient-cert ..."
514 This is an alternative to using the \fB\-recip\fR option when encrypting a message.
516 .IP "\fB\-\f(BIcipher\fB\fR" 4
517 .IX Item "-cipher"
518 The encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR
519 or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the
521 example \fB\-aes\-128\-cbc\fR. See \fBopenssl\-enc\fR\|(1) for a list of ciphers
522 supported by your version of OpenSSL.
524 Currently the \s-1AES\s0 variants with \s-1GCM\s0 mode are the only supported \s-1AEAD\s0
527 If not specified triple \s-1DES\s0, a legacy 64\-bit block cipher, is used; prefer giving an \s-1AES\s0 cipher such as \fB\-aes256\fR explicitly. Only used with \fB\-encrypt\fR and
528 \&\fB\-EncryptedData_encrypt\fR commands.
529 .IP "\fB\-wrap\fR \fIcipher\fR" 4
530 .IX Item "-wrap cipher"
534 .IP "\fB\-aes128\-wrap\fR, \fB\-aes192\-wrap\fR, \fB\-aes256\-wrap\fR, \fB\-des3\-wrap\fR" 4
535 .IX Item "-aes128-wrap, -aes192-wrap, -aes256-wrap, -des3-wrap"
536 Use \s-1AES128, AES192, AES256,\s0 or 3DES\-EDE, respectively, to wrap the key.
537 Depending on the OpenSSL build options used, \fB\-des3\-wrap\fR may not be supported.
538 .IP "\fB\-debug_decrypt\fR" 4
539 .IX Item "-debug_decrypt"
540 This option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used
544 .IP "\fB\-md\fR \fIdigest\fR" 4
545 .IX Item "-md digest"
547 default digest algorithm for the signing key will be used (usually \s-1SHA1\s0); for new signatures pass \fB\-md\fR explicitly (for example sha256) rather than relying on a \s-1SHA\-1\s0 default.
548 .IP "\fB\-signer\fR \fIfile\fR" 4
549 .IX Item "-signer file"
552 .IP "\fB\-certfile\fR \fIfile\fR" 4
553 .IX Item "-certfile file"
557 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
558 .IP "\fB\-cades\fR" 4
559 .IX Item "-cades"
560 When used with \fB\-sign\fR,
561 add an \s-1ESS\s0 signingCertificate or \s-1ESS\s0 signingCertificateV2 signed-attribute
563 for a CAdES Basic Electronic Signature (CAdES-BES).
564 .IP "\fB\-nodetach\fR" 4
565 .IX Item "-nodetach"
569 the \s-1MIME\s0 type multipart/signed is used.
570 .IP "\fB\-nocerts\fR" 4
571 .IX Item "-nocerts"
573 with this option it is excluded. This will reduce the size of the
574 signed message but the verifier must have a copy of the signer's certificate
575 available locally (passed using the \fB\-certfile\fR option for example).
576 .IP "\fB\-noattr\fR" 4
577 .IX Item "-noattr"
578 Normally when a message is signed a set of attributes are included which
581 .IP "\fB\-nosmimecap\fR" 4
582 .IX Item "-nosmimecap"
583 Exclude the list of supported algorithms from signed attributes, other options
585 .IP "\fB\-receipt_request_all\fR, \fB\-receipt_request_first\fR" 4
586 .IX Item "-receipt_request_all, -receipt_request_first"
587 For the \fB\-sign\fR option include a signed receipt request. Indicate requests should
589 and not from a mailing list). Ignored if \fB\-receipt_request_from\fR is included.
590 .IP "\fB\-receipt_request_from\fR \fIemailaddress\fR" 4
591 .IX Item "-receipt_request_from emailaddress"
592 For the \fB\-sign\fR option include a signed receipt request. Add an explicit email
594 .IP "\fB\-receipt_request_to\fR \fIemailaddress\fR" 4
595 .IX Item "-receipt_request_to emailaddress"
600 .IP "\fB\-signer\fR \fIfile\fR" 4
601 .IX Item "-signer file"
604 .IP "\fB\-content\fR \fIfilename\fR" 4
605 .IX Item "-content filename"
607 S/MIME input, such as the \fB\-verify\fR command. This is only usable if the \s-1CMS\s0
610 is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
611 .IP "\fB\-no_content_verify\fR" 4
612 .IX Item "-no_content_verify"
614 .IP "\fB\-no_attr_verify\fR" 4
615 .IX Item "-no_attr_verify"
617 .IP "\fB\-nosigs\fR" 4
618 .IX Item "-nosigs"
620 .IP "\fB\-noverify\fR" 4
621 .IX Item "-noverify"
622 Do not verify the signer's certificate of a signed message. The signer is then not tied to any trusted \s-1CA,\s0 so this is only suitable for testing, not for messages from untrusted parties.
623 .IP "\fB\-nointern\fR" 4
624 .IX Item "-nointern"
627 only the certificates specified in the \fB\-certfile\fR option are used.
629 .IP "\fB\-cades\fR" 4
630 .IX Item "-cades"
631 When used with \fB\-verify\fR, require and check signer certificate digest.
632 See the \s-1NOTES\s0 section for more details.
633 .IP "\fB\-verify_retcode\fR" 4
634 .IX Item "-verify_retcode"
636 …P "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \f…
637 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
638 See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
641 .IP "\fB\-keyid\fR" 4
642 .IX Item "-keyid"
643 Use subject key identifier to identify certificates instead of issuer name and
645 identifier extension. Supported by \fB\-sign\fR and \fB\-encrypt\fR options.
646 .IP "\fB\-econtent_type\fR \fItype\fR" 4
647 .IX Item "-econtent_type type"
649 is used. The \fItype\fR argument can be any valid \s-1OID\s0 name in either text or
651 .IP "\fB\-text\fR" 4
652 .IX Item "-text"
653 This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
655 off text headers: if the decrypted or verified message is not of \s-1MIME\s0
657 .IP "\fB\-certsout\fR \fIfile\fR" 4
658 .IX Item "-certsout file"
660 .IP "\fB\-to\fR, \fB\-from\fR, \fB\-subject\fR" 4
661 .IX Item "-to, -from, -subject"
663 portion of a message so they may be included manually. If signing
668 .IP "\fB\-noout\fR" 4
669 .IX Item "-noout"
670 For the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure.
671 This is useful if the syntax of the \s-1CMS\s0 structure is being checked.
672 .IP "\fB\-print\fR" 4
673 .IX Item "-print"
674 For the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure.
675 This implies \fB\-noout\fR.
677 .IP "\fB\-nameopt\fR \fIoption\fR" 4
678 .IX Item "-nameopt option"
679 For the \fB\-cmsout\fR operation when \fB\-print\fR option is in use, specifies
681 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
682 .IP "\fB\-receipt_request_print\fR" 4
683 .IX Item "-receipt_request_print"
684 For the \fB\-verify\fR operation print out the contents of any signed receipt
688 …-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
689 …-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
690 Set various options of certificate chain verification.
691 See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
696 The \s-1MIME\s0 message must be sent without any blank lines between the
702 necessary \s-1MIME\s0 headers or many S/MIME clients won't display it
703 properly (if at all). You can use the \fB\-text\fR option to automatically
710 This version of the program only allows one signer per message but it
715 The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
716 clients. Strictly speaking these process \s-1CMS\s0 enveloped data: \s-1CMS\s0
719 The \fB\-resign\fR option uses an existing message digest when adding a new
723 The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support.
724 As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
725 and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the
726 \&\fB\-sign\fR operation if the content is not detached.
728 Streaming is always used for the \fB\-sign\fR operation with detached data but
729 since the content is no longer part of the \s-1CMS\s0 structure the encoding
730 remains \s-1DER.\s0
732 If the \fB\-decrypt\fR option is used without a recipient certificate then an
734 in turn using the supplied private key. To thwart the \s-1MMA\s0 attack
735 (Bleichenbacher's attack on \s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are
738 The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection
741 .SH "CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)"
742 .IX Header "CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)"
743 A CAdES Basic Electronic Signature (CAdES-BES),
744 as defined in the European Standard \s-1ETSI EN 319 122\-1 V1.1.1,\s0 contains:
745 .IP "\(bu" 4
746 The signed user data as defined in \s-1CMS\s0 (\s-1RFC 3852\s0);
747 .IP "\(bu" 4
748 Content-type of the EncapsulatedContentInfo value being signed;
749 .IP "\(bu" 4
750 Message-digest of the eContent \s-1OCTET STRING\s0 within encapContentInfo being signed;
751 .IP "\(bu" 4
752 An \s-1ESS\s0 signingCertificate or \s-1ESS\s0 signingCertificateV2 attribute,
753 as defined in Enhanced Security Services (\s-1ESS\s0), \s-1RFC 2634\s0 and \s-1RFC 5035.\s0
754 An \s-1ESS\s0 signingCertificate attribute only allows for \s-1SHA\-1\s0 as digest algorithm.
755 An \s-1ESS\s0 signingCertificateV2 attribute allows for any digest algorithm.
756 .IP "\(bu" 4
759 \&\s-1NOTE\s0 that the \fB\-cades\fR option applies to the \fB\-sign\fR or \fB\-verify\fR operation…
760 With this option, the \fB\-verify\fR operation also requires that the
765 .IP "0" 4
767 .IP "1" 4
768 .IX Item "1"
770 .IP "2" 4
772 One of the input files could not be read.
773 .IP "3" 4
775 An error occurred creating the \s-1CMS\s0 file or when reading the \s-1MIME\s0
777 .IP "4" 4
778 .IX Item "4"
780 .IP "5" 4
786 \&\fBopenssl\-smime\fR\|(1) can only process the older \fBPKCS#7\fR format.
788 Use of some features will result in messages which cannot be processed by
791 The use of the \fB\-keyid\fR option with \fB\-sign\fR or \fB\-encrypt\fR.
793 The \fB\-outform\fR \fI\s-1PEM\s0\fR option uses different headers.
795 The \fB\-compress\fR option.
797 The \fB\-secretkey\fR option when used with \fB\-encrypt\fR.
799 The use of \s-1PSS\s0 with \fB\-sign\fR.
801 The use of \s-1OAEP\s0 or non-RSA keys with \fB\-encrypt\fR.
803 Additionally the \fB\-EncryptedData_encrypt\fR and \fB\-data_create\fR types cannot
804 be processed by the older \fBopenssl\-smime\fR\|(1) command.
810 \& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
811 \& \-signer mycert.pem
817 \& openssl cms \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e
818 \& \-signer mycert.pem
825 \& openssl cms \-sign \-in in.txt \-text \-out mail.msg \e
826 \& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem
832 \& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
833 \& \-signer mycert.pem \-signer othercert.pem \-keyid
839 \& openssl cms \-sign \-in in.txt \-text \-signer mycert.pem \e
840 \& \-from steve@openssl.org \-to someone@somewhere \e
841 \& \-subject "Signed message" | sendmail someone@somewhere
846 .Vb 1
847 \& openssl cms \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt
850 Send encrypted mail using triple \s-1DES:\s0
853 \& openssl cms \-encrypt \-in in.txt \-from steve@openssl.org \e
854 \& \-to someone@somewhere \-subject "Encrypted message" \e
855 \& \-des3 user.pem \-out mail.msg
860 .Vb 4
861 \& openssl cms \-sign \-in ml.txt \-signer my.pem \-text \e
862 \& | openssl cms \-encrypt \-out mail.msg \e
863 \& \-from steve@openssl.org \-to someone@somewhere \e
864 \& \-subject "Signed and Encrypted message" \-des3 user.pem
867 Note: the encryption command does not include the \fB\-text\fR option because the
868 message being encrypted already has \s-1MIME\s0 headers.
872 .Vb 1
873 \& openssl cms \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem
882 \& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
883 \& \-\-\-\-\-END PKCS7\-\-\-\-\-
888 .Vb 1
889 \& openssl cms \-verify \-inform PEM \-in signature.pem \-content content.txt
894 .Vb 1
895 \& openssl cms \-verify \-inform DER \-in signature.der \-content content.txt
900 .Vb 1
901 \& openssl cms \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem
906 .Vb 1
907 \& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
910 Sign a message using RSA-PSS:
913 \& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
914 \& \-signer mycert.pem \-keyopt rsa_padding_mode:pss
917 Create an encrypted message using RSA-OAEP:
920 \& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
921 \& \-recip cert.pem \-keyopt rsa_padding_mode:oaep
924 Use \s-1SHA256 KDF\s0 with an \s-1ECDH\s0 certificate:
927 \& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
928 \& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256
931 Print \s-1CMS\s0 signed binary data in human-readable form:
933 openssl cms \-in signed.cms \-binary \-inform \s-1DER\s0 \-cmsout \-print
936 The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
944 Ideally a database should be maintained of certificates for each email
947 The code doesn't currently take note of the permitted symmetric encryption
950 the list of permitted ciphers in a database and only use those.
955 \&\fBossl_store\-file\fR\|(7)
958 The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
961 The \fB\-keyopt\fR option was added in OpenSSL 1.0.2.
963 Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
965 The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR
968 The \fB\-no_alt_chains\fR option was added in OpenSSL 1.0.2b.
970 The \fB\-nameopt\fR option was added in OpenSSL 3.0.0.
972 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
975 Copyright 2008\-2023 The OpenSSL Project Authors. All Rights Reserved.
979 in the file \s-1LICENSE\s0 in the source distribution or at