xref: /freebsd/crypto/openssl/doc/man1/openssl-cms.pod.in (revision 24e4dcf4ba5e9dedcf89efd358ea3e1fe5867020)
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-cms - CMS command
7
8=head1 SYNOPSIS
9
10=for openssl duplicate options
11
12B<openssl> B<cms>
13[B<-help>]
14
15General options:
16
17[B<-in> I<filename>]
18[B<-out> I<filename>]
19{- $OpenSSL::safe::opt_config_synopsis -}
20
21Operation options:
22
23[B<-encrypt>]
24[B<-decrypt>]
25[B<-sign>]
26[B<-verify>]
27[B<-resign>]
28[B<-sign_receipt>]
29[B<-verify_receipt> I<receipt>]
30[B<-digest> I<digest>]
31[B<-digest_create>]
32[B<-digest_verify>]
33[B<-compress>]
34[B<-uncompress>]
35[B<-EncryptedData_encrypt>]
36[B<-EncryptedData_decrypt>]
37[B<-data_create>]
38[B<-data_out>]
39[B<-cmsout>]
40
41File format options:
42
43[B<-inform> B<DER>|B<PEM>|B<SMIME>]
44[B<-outform> B<DER>|B<PEM>|B<SMIME>]
45[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
46[B<-stream>]
47[B<-indef>]
48[B<-noindef>]
49[B<-binary>]
50[B<-crlfeol>]
51[B<-asciicrlf>]
52
53Keys and password options:
54
55[B<-pwri_password> I<password>]
56[B<-secretkey> I<key>]
57[B<-secretkeyid> I<id>]
58[B<-inkey> I<filename>|I<uri>]
59[B<-passin> I<arg>]
60[B<-keyopt> I<name>:I<parameter>]
61[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
62{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
63{- $OpenSSL::safe::opt_r_synopsis -}
64
65Encryption options:
66
67[B<-originator> I<file>]
68[B<-recip> I<file>]
69[I<recipient-cert> ...]
70[B<-I<cipher>>]
71[B<-wrap> I<cipher>]
72[B<-aes128-wrap>]
73[B<-aes192-wrap>]
74[B<-aes256-wrap>]
75[B<-des3-wrap>]
76[B<-debug_decrypt>]
77
78Signing options:
79
80[B<-md> I<digest>]
81[B<-signer> I<file>]
82[B<-certfile> I<file>]
83[B<-cades>]
84[B<-nodetach>]
85[B<-nocerts>]
86[B<-noattr>]
87[B<-nosmimecap>]
88[B<-no_signing_time>]
89[B<-receipt_request_all>]
90[B<-receipt_request_first>]
91[B<-receipt_request_from> I<emailaddress>]
92[B<-receipt_request_to> I<emailaddress>]
93
94Verification options:
95
96[B<-signer> I<file>]
97[B<-content> I<filename>]
98[B<-no_content_verify>]
99[B<-no_attr_verify>]
100[B<-nosigs>]
101[B<-noverify>]
102[B<-nointern>]
103[B<-cades>]
104[B<-verify_retcode>]
105{- $OpenSSL::safe::opt_trust_synopsis -}
106
107Output options:
108
109[B<-keyid>]
110[B<-econtent_type> I<type>]
111[B<-text>]
112[B<-certsout> I<file>]
113[B<-to> I<addr>]
114[B<-from> I<addr>]
115[B<-subject> I<subj>]
116
117Printing options:
118
119[B<-noout>]
120[B<-print>]
121[B<-nameopt> I<option>]
122[B<-receipt_request_print>]
123
124Validation options:
125
126{- $OpenSSL::safe::opt_v_synopsis -}
127
128=head1 DESCRIPTION
129
130This command handles data in CMS format such as S/MIME v3.1 email messages.
131It can encrypt, decrypt, sign, verify, compress, uncompress, and print messages.
132
133=head1 OPTIONS
134
135There are a number of operation options that set the type of operation to be
136performed: encrypt, decrypt, sign, verify, resign, sign_receipt, verify_receipt,
137digest_create, digest_verify, compress, uncompress,
138EncryptedData_encrypt, EncryptedData_decrypt, data_create, data_out, or cmsout.
139The relevance of the other options depends on the operation type
140and their meaning may vary according to it.
141
142=over 4
143
144=item B<-help>
145
146Print out a usage message.
147
148=back
149
150=head2 General options
151
152=over 4
153
154=item B<-in> I<filename>
155
156The input message to be encrypted or signed or the message to be decrypted
157or verified.
158
159=item B<-out> I<filename>
160
161The message text that has been decrypted or verified or the output MIME
162format message that has been signed or verified.
163
164{- $OpenSSL::safe::opt_config_item -}
165
166=back
167
168=head2 Operation options
169
170=over 4
171
172=item B<-encrypt>
173
174Encrypt data for the given recipient certificates. Input file is the message
175to be encrypted. The output file is the encrypted data in MIME format. The
176actual CMS type is B<EnvelopedData>.
177
178Note that no revocation check is done for the recipient cert, so if that
179key has been compromised, others may be able to decrypt the text.
180
181=item B<-decrypt>
182
183Decrypt data using the supplied certificate and private key. Expects
184encrypted datain MIME format for the input file. The decrypted data
185is written to the output file.
186
187=item B<-sign>
188
189Sign data using the supplied certificate and private key. Input file is
190the message to be signed. The signed data in MIME format is written
191to the output file.
192
193=item B<-verify>
194
195Verify signed data. Expects a signed data on input and outputs
196the signed data. Both clear text and opaque signing is supported.
197
198By default, validation of signer certificates and their chain
199is done w.r.t. the S/MIME signing (C<smimesign>) purpose.
200For details see L<openssl-verification-options(1)/Certificate Extensions>.
201
202=item B<-resign>
203
204Resign a message: take an existing message and one or more new signers.
205
206=item B<-sign_receipt>
207
208Generate and output a signed receipt for the supplied message. The input
209message B<must> contain a signed receipt request. Functionality is otherwise
210similar to the B<-sign> operation.
211
212=item B<-verify_receipt> I<receipt>
213
214Verify a signed receipt in filename B<receipt>. The input message B<must>
215contain the original receipt request. Functionality is otherwise similar
216to the B<-verify> operation.
217
218=item B<-digest> I<digest>
219
220When used with B<-sign>, provides the digest in hexadecimal form instead of
221computing it from the original message content. Cannot be combined with B<-in>
222or B<-nodetach>.
223
224This operation is the CMS equivalent of L<openssl-pkeyutl(1)> signing.
225When signing a pre-computed digest, the security relies on the digest and its
226computation from the original message being trusted.
227
228=item B<-digest_create>
229
230Create a CMS B<DigestedData> type.
231
232=item B<-digest_verify>
233
234Verify a CMS B<DigestedData> type and output the content.
235
236=item B<-compress>
237
238Create a CMS B<CompressedData> type. OpenSSL must be compiled with B<zlib>
239support for this option to work, otherwise it will output an error.
240
241=item B<-uncompress>
242
243Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be
244compiled with B<zlib> support for this option to work, otherwise it will
245output an error.
246
247=item B<-EncryptedData_encrypt>
248
249Encrypt content using supplied symmetric key and algorithm using a CMS
250B<EncryptedData> type and output the content.
251
252=item B<-EncryptedData_decrypt>
253
254Decrypt content using supplied symmetric key and algorithm using a CMS
255B<EncryptedData> type and output the content.
256
257=item B<-data_create>
258
259Create a CMS B<Data> type.
260
261=item B<-data_out>
262
263B<Data> type and output the content.
264
265=item B<-cmsout>
266
267Takes an input message and writes out a PEM encoded CMS structure.
268
269=back
270
271=head2 File format options
272
273=over 4
274
275=item B<-inform> B<DER>|B<PEM>|B<SMIME>
276
277The input format of the CMS structure (if one is being read);
278the default is B<SMIME>.
279See L<openssl-format-options(1)> for details.
280
281=item B<-outform> B<DER>|B<PEM>|B<SMIME>
282
283The output format of the CMS structure (if one is being written);
284the default is B<SMIME>.
285See L<openssl-format-options(1)> for details.
286
287=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
288
289The signed receipt format for use with the B<-receipt_verify>; the default
290is B<SMIME>.
291See L<openssl-format-options(1)> for details.
292
293=item B<-stream>, B<-indef>
294
295The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
296for encoding operations. This permits single pass processing of data without
297the need to hold the entire contents in memory, potentially supporting very
298large files. Streaming is automatically set for S/MIME signing with detached
299data if the output format is B<SMIME> it is currently off by default for all
300other operations.
301
302=item B<-noindef>
303
304Disable streaming I/O where it would produce and indefinite length constructed
305encoding. This option currently has no effect. In future streaming will be
306enabled by default on all relevant operations and this option will disable it.
307
308=item B<-binary>
309
310Normally the input message is converted to "canonical" format which is
311effectively using CR and LF as end of line: as required by the S/MIME
312specification. When this option is present no translation occurs. This
313is useful when handling binary data which may not be in MIME format.
314
315=item B<-crlfeol>
316
317Normally the output file uses a single B<LF> as end of line. When this
318option is present B<CRLF> is used instead.
319
320=item B<-asciicrlf>
321
322When signing use ASCII CRLF format canonicalisation. This strips trailing
323whitespace from all lines, deletes trailing blank lines at EOF and sets
324the encapsulated content type. This option is normally used with detached
325content and an output signature format of DER. This option is not normally
326needed when verifying as it is enabled automatically if the encapsulated
327content format is detected.
328
329=back
330
331=head2 Keys and password options
332
333=over 4
334
335=item B<-pwri_password> I<password>
336
337Specify password for recipient.
338
339=item B<-secretkey> I<key>
340
341Specify symmetric key to use. The key must be supplied in hex format and be
342consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
343B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
344with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
345content encryption key using an AES key in the B<KEKRecipientInfo> type.
346
347=item B<-secretkeyid> I<id>
348
349The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
350This option B<must> be present if the B<-secretkey> option is used with
351B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
352relevant key if it is not supplied then an attempt is used to decrypt any
353B<KEKRecipientInfo> structures.
354
355=item B<-inkey> I<filename>|I<uri>
356
357The private key to use when signing or decrypting. This must match the
358corresponding certificate. If this option is not specified then the
359private key must be included in the certificate file specified with
360the B<-recip> or B<-signer> file. When signing this option can be used
361multiple times to specify successive keys.
362
363=item B<-passin> I<arg>
364
365The private key password source. For more information about the format of B<arg>
366see L<openssl-passphrase-options(1)>.
367
368=item B<-keyopt> I<name>:I<parameter>
369
370For signing and encryption this option can be used multiple times to
371set customised parameters for the preceding key or certificate. It can
372currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
373or to modify default parameters for ECDH.
374
375=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
376
377The format of the private key file; unspecified by default.
378See L<openssl-format-options(1)> for details.
379
380{- $OpenSSL::safe::opt_engine_item -}
381
382{- $OpenSSL::safe::opt_provider_item -}
383
384{- $OpenSSL::safe::opt_r_item -}
385
386=back
387
388=head2 Encryption and decryption options
389
390=over 4
391
392=item B<-originator> I<file>
393
394A certificate of the originator of the encrypted message. Necessary for
395decryption when Key Agreement is in use for a shared key. Currently, not
396allowed for encryption.
397
398=item B<-recip> I<file>
399
400When decrypting a message this specifies the certificate of the recipient.
401The certificate must match one of the recipients of the message.
402
403When encrypting a message this option may be used multiple times to specify
404each recipient. This form B<must> be used if customised parameters are
405required (for example to specify RSA-OAEP).
406
407Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
408option.
409
410=item I<recipient-cert> ...
411
412This is an alternative to using the B<-recip> option when encrypting a message.
413One or more certificate filenames may be given.
414
415=item B<-I<cipher>>
416
417The encryption algorithm to use. For example, AES (256 bits) - B<-aes256>
418or triple DES (168 bits) - B<-des3>. Any standard algorithm name (as used by the
419EVP_get_cipherbyname() function) can also be used preceded by a dash, for
420example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
421supported by your version of OpenSSL.
422
423Currently, the AES variants with GCM mode are the only supported AEAD
424algorithms.
425
426If not specified, AES-256-CBC is used as the default. Only used with B<-encrypt> and
427B<-EncryptedData_create> commands.
428
429=item B<-wrap> I<cipher>
430
431Cipher algorithm to use for key wrap when encrypting the message using Key
432Agreement for key transport. The algorithm specified should be suitable for key
433wrap.
434
435=item B<-aes128-wrap>, B<-aes192-wrap>, B<-aes256-wrap>, B<-des3-wrap>
436
437Use AES128, AES192, AES256, or 3DES-EDE, respectively, to wrap key.
438Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported.
439
440=item B<-debug_decrypt>
441
442This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
443with caution: see the notes section below.
444
445=back
446
447=head2 Signing options
448
449=over 4
450
451=item B<-md> I<digest>
452
453Digest algorithm to use when signing or resigning. If not present then the
454default digest algorithm for the signing key will be used (usually SHA1).
455
456=item B<-signer> I<file>
457
458A signing certificate.  When signing or resigning a message, this option can be
459used multiple times if more than one signer is required.
460
461=item B<-certfile> I<file>
462
463Allows additional certificates to be specified. When signing these will
464be included with the message. When verifying, these will be searched for
465signer certificates and will be used for chain building.
466
467The input can be in PEM, DER, or PKCS#12 format.
468
469=item B<-cades>
470
471When used with B<-sign>,
472add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute
473to the SignerInfo, in order to make the signature comply with the requirements
474for a CAdES Basic Electronic Signature (CAdES-BES).
475
476=item B<-nodetach>
477
478When signing a message use opaque signing: this form is more resistant
479to translation by mail relays but it cannot be read by mail agents that
480do not support S/MIME.  Without this option cleartext signing with
481the MIME type multipart/signed is used.
482
483=item B<-nocerts>
484
485When signing a message the signer's certificate is normally included
486with this option it is excluded. This will reduce the size of the
487signed message but the verifier must have a copy of the signers certificate
488available locally (passed using the B<-certfile> option for example).
489
490=item B<-noattr>
491
492Normally when a message is signed a set of attributes are included which
493include the signing time and supported symmetric algorithms. With this
494option they are not included.
495
496=item B<-nosmimecap>
497
498Exclude the list of supported algorithms from signed attributes, other options
499such as content type and (optionally) signing time are still included.
500
501=item B<-no_signing_time>
502
503Exclude the signing time from signed attributes, other options
504such as content type are still included.
505
506=item B<-receipt_request_all>, B<-receipt_request_first>
507
508For B<-sign> option include a signed receipt request. Indicate requests should
509be provided by all recipient or first tier recipients (those mailed directly
510and not from a mailing list). Ignored it B<-receipt_request_from> is included.
511
512=item B<-receipt_request_from> I<emailaddress>
513
514For B<-sign> option include a signed receipt request. Add an explicit email
515address where receipts should be supplied.
516
517=item B<-receipt_request_to> I<emailaddress>
518
519Add an explicit email address where signed receipts should be sent to. This
520option B<must> but supplied if a signed receipt is requested.
521
522=back
523
524=head2 Verification options
525
526=over 4
527
528=item B<-signer> I<file>
529
530If a message has been verified successfully then the signers certificate(s)
531will be written to this file if the verification was successful.
532
533=item B<-content> I<filename>
534
535This specifies a file containing the detached content for operations taking
536S/MIME input, such as the B<-verify> command. This is only usable if the CMS
537structure is using the detached signature form where the content is
538not included. This option will override any content if the input format
539is S/MIME and it uses the multipart/signed MIME content type.
540
541=item B<-no_content_verify>
542
543Do not verify signed content signatures.
544
545=item B<-no_attr_verify>
546
547Do not verify signed attribute signatures.
548
549=item B<-nosigs>
550
551Don't verify message signature.
552
553=item B<-noverify>
554
555Do not verify the signers certificate of a signed message.
556
557=item B<-nointern>
558
559When verifying a message normally certificates (if any) included in
560the message are searched for the signing certificate. With this option
561only the certificates specified in the B<-certfile> option are used.
562The supplied certificates can still be used as untrusted CAs however.
563
564=item B<-cades>
565
566When used with B<-verify>, require and check signer certificate digest.
567See the NOTES section for more details.
568
569=item B<-verify_retcode>
570
571Exit nonzero on verification failure.
572
573{- $OpenSSL::safe::opt_trust_item -}
574
575=back
576
577=head2 Output options
578
579=over 4
580
581=item B<-keyid>
582
583Use subject key identifier to identify certificates instead of issuer name and
584serial number. The supplied certificate B<must> include a subject key
585identifier extension. Supported by B<-sign> and B<-encrypt> options.
586
587=item B<-econtent_type> I<type>
588
589Set the encapsulated content type to I<type> if not supplied the B<Data> type
590is used. The I<type> argument can be any valid OID name in either text or
591numerical format.
592
593=item B<-text>
594
595This option adds plain text (text/plain) MIME headers to the supplied
596message if encrypting or signing. If decrypting or verifying it strips
597off text headers: if the decrypted or verified message is not of MIME
598type text/plain then an error occurs.
599
600=item B<-certsout> I<file>
601
602Any certificates contained in the input message are written to I<file>.
603
604=item B<-to>, B<-from>, B<-subject>
605
606The relevant email headers. These are included outside the signed
607portion of a message so they may be included manually. If signing
608then many S/MIME mail clients check the signers certificate's email
609address matches that specified in the From: address.
610
611=back
612
613=head2 Printing options
614
615=over 4
616
617=item B<-noout>
618
619For the B<-cmsout> operation do not output the parsed CMS structure.
620This is useful if the syntax of the CMS structure is being checked.
621
622=item B<-print>
623
624For the B<-cmsout> operation print out all fields of the CMS structure.
625This implies B<-noout>.
626This is mainly useful for testing purposes.
627
628=item B<-nameopt> I<option>
629
630For the B<-cmsout> operation when B<-print> option is in use, specifies
631printing options for string fields. For most cases B<utf8> is reasonable value.
632See L<openssl-namedisplay-options(1)> for details.
633
634=item B<-receipt_request_print>
635
636For the B<-verify> operation print out the contents of any signed receipt
637requests.
638
639=back
640
641=head2 Validation options
642
643=over 4
644
645{- $OpenSSL::safe::opt_v_item -}
646
647Any validation errors cause the command to exit.
648
649=back
650
651=head1 NOTES
652
653The MIME message must be sent without any blank lines between the
654headers and the output. Some mail programs will automatically add
655a blank line. Piping the mail directly to sendmail is one way to
656achieve the correct format.
657
658The supplied message to be signed or encrypted must include the
659necessary MIME headers or many S/MIME clients won't display it
660properly (if at all). You can use the B<-text> option to automatically
661add plain text headers.
662
663A "signed and encrypted" message is one where a signed message is
664then encrypted. This can be produced by encrypting an already signed
665message: see the examples section.
666
667This version of the program only allows one signer per message but it
668will verify multiple signers on received messages. Some S/MIME clients
669choke if a message contains multiple signers. It is possible to sign
670messages "in parallel" by signing an already signed message.
671
672The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
673clients. Strictly speaking these process CMS enveloped data: CMS
674encrypted data is used for other purposes.
675
676The B<-resign> option uses an existing message digest when adding a new
677signer. This means that attributes must be present in at least one existing
678signer using the same message digest or this operation will fail.
679
680The B<-stream> and B<-indef> options enable streaming I/O support.
681As a result the encoding is BER using indefinite length constructed encoding
682and no longer DER. Streaming is supported for the B<-encrypt> operation and the
683B<-sign> operation if the content is not detached.
684
685Streaming is always used for the B<-sign> operation with detached data but
686since the content is no longer part of the CMS structure the encoding
687remains DER.
688
689If the B<-decrypt> option is used without a recipient certificate then an
690attempt is made to locate the recipient by trying each potential recipient
691in turn using the supplied private key. To thwart the MMA attack
692(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
693tried whether they succeed or not and if no recipients match the message
694is "decrypted" using a random key which will typically output garbage.
695The B<-debug_decrypt> option can be used to disable the MMA attack protection
696and return an error if no recipient can be found: this option should be used
697with caution. For a fuller description see L<CMS_decrypt(3)>).
698
699=head1 CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)
700
701A CAdES Basic Electronic Signature (CAdES-BES),
702as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains:
703
704=over 4
705
706=item *
707
708The signed user data as defined in CMS (RFC 3852);
709
710=item *
711
712Content-type of the EncapsulatedContentInfo value being signed;
713
714=item *
715
716Message-digest of the eContent OCTET STRING within encapContentInfo being signed;
717
718=item *
719
720An ESS signingCertificate or ESS signingCertificateV2 attribute,
721as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035.
722An ESS signingCertificate attribute only allows for SHA-1 as digest algorithm.
723An ESS signingCertificateV2 attribute allows for any digest algorithm.
724
725=item *
726
727The digital signature value computed on the user data and, when present, on the signed attributes.
728
729NOTE that the B<-cades> option applies to the B<-sign> or B<-verify> operations.
730With this option, the B<-verify> operation also requires that the
731signingCertificate attribute is present and checks that the given identifiers
732match the verification trust chain built during the verification process.
733
734=back
735
736=head1 EXIT CODES
737
738=over 4
739
740=item Z<>0
741
742The operation was completely successfully.
743
744=item Z<>1
745
746An error occurred parsing the command options.
747
748=item Z<>2
749
750One of the input files could not be read.
751
752=item Z<>3
753
754An error occurred creating the CMS file or when reading the MIME
755message.
756
757=item Z<>4
758
759An error occurred decrypting or verifying the message.
760
761=item Z<>5
762
763The message was verified correctly but an error occurred writing out
764the signers certificates.
765
766=back
767
768=head1 COMPATIBILITY WITH PKCS#7 FORMAT
769
770L<openssl-smime(1)> can only process the older B<PKCS#7> format.
771B<openssl cms> supports Cryptographic Message Syntax format.
772Use of some features will result in messages which cannot be processed by
773applications which only support the older format. These are detailed below.
774
775The use of the B<-keyid> option with B<-sign> or B<-encrypt>.
776
777The B<-outform> I<PEM> option uses different headers.
778
779The B<-compress> option.
780
781The B<-secretkey> option when used with B<-encrypt>.
782
783The use of PSS with B<-sign>.
784
785The use of OAEP or non-RSA keys with B<-encrypt>.
786
787Additionally the B<-EncryptedData_create> and B<-data_create> type cannot
788be processed by the older L<openssl-smime(1)> command.
789
790=head1 EXAMPLES
791
792Create a cleartext signed message:
793
794 openssl cms -sign -in message.txt -text -out mail.msg \
795        -signer mycert.pem
796
797Create an opaque signed message
798
799 openssl cms -sign -in message.txt -text -out mail.msg -nodetach \
800        -signer mycert.pem
801
802Create a signed message, include some additional certificates and
803read the private key from another file:
804
805 openssl cms -sign -in in.txt -text -out mail.msg \
806        -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
807
808Create a signed message with two signers, use key identifier:
809
810 openssl cms -sign -in message.txt -text -out mail.msg \
811        -signer mycert.pem -signer othercert.pem -keyid
812
813Send a signed message under Unix directly to sendmail, including headers:
814
815 openssl cms -sign -in in.txt -text -signer mycert.pem \
816        -from steve@openssl.org -to someone@somewhere \
817        -subject "Signed message" | sendmail someone@somewhere
818
819Verify a message and extract the signer's certificate if successful:
820
821 openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt
822
823Send encrypted mail using triple DES:
824
825 openssl cms -encrypt -in in.txt -from steve@openssl.org \
826        -to someone@somewhere -subject "Encrypted message" \
827        -des3 user.pem -out mail.msg
828
829Sign and encrypt mail:
830
831 openssl cms -sign -in ml.txt -signer my.pem -text \
832        | openssl cms -encrypt -out mail.msg \
833        -from steve@openssl.org -to someone@somewhere \
834        -subject "Signed and Encrypted message" -des3 user.pem
835
836Note: the encryption command does not include the B<-text> option because the
837message being encrypted already has MIME headers.
838
839Decrypt a message:
840
841 openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
842
843The output from Netscape form signing is a PKCS#7 structure with the
844detached signature format. You can use this program to verify the
845signature by line wrapping the base64 encoded structure and surrounding
846it with:
847
848 -----BEGIN PKCS7-----
849 -----END PKCS7-----
850
851and using the command,
852
853 openssl cms -verify -inform PEM -in signature.pem -content content.txt
854
855alternatively you can base64 decode the signature and use
856
857 openssl cms -verify -inform DER -in signature.der -content content.txt
858
859Create an encrypted message using 128 bit Camellia:
860
861 openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
862
863Add a signer to an existing message:
864
865 openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg
866
867Sign a message using RSA-PSS:
868
869 openssl cms -sign -in message.txt -text -out mail.msg \
870        -signer mycert.pem -keyopt rsa_padding_mode:pss
871
872Create an encrypted message using RSA-OAEP:
873
874 openssl cms -encrypt -in plain.txt -out mail.msg \
875        -recip cert.pem -keyopt rsa_padding_mode:oaep
876
877Use SHA256 KDF with an ECDH certificate:
878
879 openssl cms -encrypt -in plain.txt -out mail.msg \
880        -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
881
882Print CMS signed binary data in human-readable form:
883
884openssl cms -in signed.cms -binary -inform DER -cmsout -print
885
886=head1 BUGS
887
888The MIME parser isn't very clever: it seems to handle most messages that I've
889thrown at it but it may choke on others.
890
891The code currently will only write out the signer's certificate to a file: if
892the signer has a separate encryption certificate this must be manually
893extracted. There should be some heuristic that determines the correct
894encryption certificate.
895
896Ideally a database should be maintained of a certificates for each email
897address.
898
899The code doesn't currently take note of the permitted symmetric encryption
900algorithms as supplied in the SMIMECapabilities signed attribute. this means the
901user has to manually include the correct encryption algorithm. It should store
902the list of permitted ciphers in a database and only use those.
903
904No revocation checking is done on the signer's certificate.
905
906=head1 SEE ALSO
907
908L<ossl_store-file(7)>
909
910=head1 HISTORY
911
912The default encryption cipher was changed from 3DES to AES-256 in OpenSSL 3.5.
913
914The use of multiple B<-signer> options and the B<-resign> command were first
915added in OpenSSL 1.0.0.
916
917The B<-keyopt> option was added in OpenSSL 1.0.2.
918
919Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
920
921The use of non-RSA keys with B<-encrypt> and B<-decrypt>
922was added in OpenSSL 1.0.2.
923
924The -no_alt_chains option was added in OpenSSL 1.0.2b.
925
926The B<-nameopt> option was added in OpenSSL 3.0.0.
927
928The B<-engine> option was deprecated in OpenSSL 3.0.
929
930The B<-digest> option was added in OpenSSL 3.2.
931
932=head1 COPYRIGHT
933
934Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
935
936Licensed under the Apache License 2.0 (the "License").  You may not use
937this file except in compliance with the License.  You can obtain a copy
938in the file LICENSE in the source distribution or at
939L<https://www.openssl.org/source/license.html>.
940
941=cut
942