10 B<openssl> B<cms>
11 [B<-help>]
15 [B<-in> I<filename>]
16 [B<-out> I<filename>]
21 [B<-encrypt>]
22 [B<-decrypt>]
23 [B<-sign>]
24 [B<-verify>]
25 [B<-resign>]
26 [B<-sign_receipt>]
27 [B<-verify_receipt> I<receipt>]
28 [B<-digest> I<digest>]
29 [B<-digest_create>]
30 [B<-digest_verify>]
31 [B<-compress>]
32 [B<-uncompress>]
33 [B<-EncryptedData_encrypt>]
34 [B<-EncryptedData_decrypt>]
35 [B<-data_create>]
36 [B<-data_out>]
37 [B<-cmsout>]
41 [B<-inform> B<DER>|B<PEM>|B<SMIME>]
42 [B<-outform> B<DER>|B<PEM>|B<SMIME>]
43 [B<-rctform> B<DER>|B<PEM>|B<SMIME>]
44 [B<-stream>]
45 [B<-indef>]
46 [B<-noindef>]
47 [B<-binary>]
48 [B<-crlfeol>]
49 [B<-asciicrlf>]
53 [B<-pwri_password> I<password>]
54 [B<-secretkey> I<key>]
55 [B<-secretkeyid> I<id>]
56 [B<-inkey> I<filename>|I<uri>]
57 [B<-passin> I<arg>]
58 [B<-keyopt> I<name>:I<parameter>]
59 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
65 [B<-originator> I<file>]
66 [B<-recip> I<file>]
68 [B<-I<cipher>>]
69 [B<-wrap> I<cipher>]
70 [B<-aes128-wrap>]
71 [B<-aes192-wrap>]
72 [B<-aes256-wrap>]
73 [B<-des3-wrap>]
74 [B<-debug_decrypt>]
78 [B<-md> I<digest>]
79 [B<-signer> I<file>]
80 [B<-certfile> I<file>]
81 [B<-cades>]
82 [B<-nodetach>]
83 [B<-nocerts>]
84 [B<-noattr>]
85 [B<-nosmimecap>]
86 [B<-receipt_request_all>]
87 [B<-receipt_request_first>]
88 [B<-receipt_request_from> I<emailaddress>]
89 [B<-receipt_request_to> I<emailaddress>]
93 [B<-signer> I<file>]
94 [B<-content> I<filename>]
95 [B<-no_content_verify>]
96 [B<-no_attr_verify>]
97 [B<-nosigs>]
98 [B<-noverify>]
99 [B<-nointern>]
100 [B<-cades>]
101 [B<-verify_retcode>]
106 [B<-keyid>]
107 [B<-econtent_type> I<type>]
108 [B<-text>]
109 [B<-certsout> I<file>]
110 [B<-to> I<addr>]
111 [B<-from> I<addr>]
112 [B<-subject> I<subj>]
116 [B<-noout>]
117 [B<-print>]
118 [B<-nameopt> I<option>]
119 [B<-receipt_request_print>]
141 =item B<-help>
151 =item B<-in> I<filename>
156 =item B<-out> I<filename>
169 =item B<-encrypt>
173 actual CMS type is B<EnvelopedData>.
178 =item B<-decrypt>
184 =item B<-sign>
190 =item B<-verify>
195 =item B<-resign>
199 =item B<-sign_receipt>
202 message B<must> contain a signed receipt request. Functionality is otherwise
203 similar to the B<-sign> operation.
205 =item B<-verify_receipt> I<receipt>
207 Verify a signed receipt in filename B<receipt>. The input message B<must>
209 to the B<-verify> operation.
211 =item B<-digest> I<digest>
213 When used with B<-sign>, provides the digest in hexadecimal form instead of
214 computing it from the original message content. Cannot be combined with B<-in>
215 or B<-nodetach>.
221 =item B<-digest_create>
223 Create a CMS B<DigestedData> type.
225 =item B<-digest_verify>
227 Verify a CMS B<DigestedData> type and output the content.
229 =item B<-compress>
231 Create a CMS B<CompressedData> type. OpenSSL must be compiled with B<zlib>
234 =item B<-uncompress>
236 Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be
237 compiled with B<zlib> support for this option to work, otherwise it will
240 =item B<-EncryptedData_encrypt>
243 B<EncryptedData> type and output the content.
245 =item B<-EncryptedData_decrypt>
248 B<EncryptedData> type and output the content.
250 =item B<-data_create>
252 Create a CMS B<Data> type.
254 =item B<-data_out>
256 B<Data> type and output the content.
258 =item B<-cmsout>
268 =item B<-inform> B<DER>|B<PEM>|B<SMIME>
271 the default is B<SMIME>.
274 =item B<-outform> B<DER>|B<PEM>|B<SMIME>
277 the default is B<SMIME>.
280 =item B<-rctform> B<DER>|B<PEM>|B<SMIME>
282 The signed receipt format for use with the B<-receipt_verify>; the default
283 is B<SMIME>.
286 =item B<-stream>, B<-indef>
288 The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
292 data if the output format is B<SMIME> it is currently off by default for all
295 =item B<-noindef>
301 =item B<-binary>
308 =item B<-crlfeol>
310 Normally the output file uses a single B<LF> as end of line. When this
311 option is present B<CRLF> is used instead.
313 =item B<-asciicrlf>
328 =item B<-pwri_password> I<password>
332 =item B<-secretkey> I<key>
335 consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
336 B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
337 with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
338 content encryption key using an AES key in the B<KEKRecipientInfo> type.
340 =item B<-secretkeyid> I<id>
342 The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
343 This option B<must> be present if the B<-secretkey> option is used with
344 B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
346 B<KEKRecipientInfo> structures.
348 =item B<-inkey> I<filename>|I<uri>
353 the B<-recip> or B<-signer> file. When signing this option can be used
356 =item B<-passin> I<arg>
358 The private key password source. For more information about the format of B<arg>
361 =item B<-keyopt> I<name>:I<parameter>
368 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
385 =item B<-originator> I<file>
390 =item B<-recip> I<file>
396 each recipient. This form B<must> be used if customised parameters are
404 This is an alternative to using the B<-recip> option when encrypting a message.
407 =item B<-I<cipher>>
409 The encryption algorithm to use. For example, AES (256 bits) - B<-aes256>
410 or triple DES (168 bits) - B<-des3>. Any standard algorithm name (as used by the
412 example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
418 If not specified, AES-256-CBC is used as the default. Only used with B<-encrypt> and
419 B<-EncryptedData_create> commands.
421 =item B<-wrap> I<cipher>
427 =item B<-aes128-wrap>, B<-aes192-wrap>, B<-aes256-wrap>, B<-des3-wrap>
430 Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported.
432 =item B<-debug_decrypt>
434 This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
443 =item B<-md> I<digest>
448 =item B<-signer> I<file>
453 =item B<-certfile> I<file>
461 =item B<-cades>
463 When used with B<-sign>,
468 =item B<-nodetach>
475 =item B<-nocerts>
480 available locally (passed using the B<-certfile> option for example).
482 =item B<-noattr>
488 =item B<-nosmimecap>
493 =item B<-receipt_request_all>, B<-receipt_request_first>
495 For B<-sign> option include a signed receipt request. Indicate requests should
497 and not from a mailing list). Ignored it B<-receipt_request_from> is included.
499 =item B<-receipt_request_from> I<emailaddress>
501 For B<-sign> option include a signed receipt request. Add an explicit email
504 =item B<-receipt_request_to> I<emailaddress>
507 option B<must> but supplied if a signed receipt is requested.
515 =item B<-signer> I<file>
520 =item B<-content> I<filename>
523 S/MIME input, such as the B<-verify> command. This is only usable if the CMS
528 =item B<-no_content_verify>
532 =item B<-no_attr_verify>
536 =item B<-nosigs>
540 =item B<-noverify>
544 =item B<-nointern>
548 only the certificates specified in the B<-certfile> option are used.
551 =item B<-cades>
553 When used with B<-verify>, require and check signer certificate digest.
556 =item B<-verify_retcode>
568 =item B<-keyid>
571 serial number. The supplied certificate B<must> include a subject key
572 identifier extension. Supported by B<-sign> and B<-encrypt> options.
574 =item B<-econtent_type> I<type>
576 Set the encapsulated content type to I<type> if not supplied the B<Data> type
580 =item B<-text>
587 =item B<-certsout> I<file>
591 =item B<-to>, B<-from>, B<-subject>
604 =item B<-noout>
606 For the B<-cmsout> operation do not output the parsed CMS structure.
609 =item B<-print>
611 For the B<-cmsout> operation print out all fields of the CMS structure.
612 This implies B<-noout>.
615 =item B<-nameopt> I<option>
617 For the B<-cmsout> operation when B<-print> option is in use, specifies
618 printing options for string fields. For most cases B<utf8> is reasonable value.
621 =item B<-receipt_request_print>
623 For the B<-verify> operation print out the contents of any signed receipt
647 properly (if at all). You can use the B<-text> option to automatically
659 The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
663 The B<-resign> option uses an existing message digest when adding a new
667 The B<-stream> and B<-indef> options enable streaming I/O support.
669 and no longer DER. Streaming is supported for the B<-encrypt> operation and the
670 B<-sign> operation if the content is not detached.
672 Streaming is always used for the B<-sign> operation with detached data but
676 If the B<-decrypt> option is used without a recipient certificate then an
682 The B<-debug_decrypt> option can be used to disable the MMA attack protection
716 NOTE that the B<-cades> option applies to the B<-sign> or B<-verify> operations.
717 With this option, the B<-verify> operation also requires that the
757 L<openssl-smime(1)> can only process the older B<PKCS#7> format.
758 B<openssl cms> supports Cryptographic Message Syntax format.
762 The use of the B<-keyid> option with B<-sign> or B<-encrypt>.
764 The B<-outform> I<PEM> option uses different headers.
766 The B<-compress> option.
768 The B<-secretkey> option when used with B<-encrypt>.
770 The use of PSS with B<-sign>.
772 The use of OAEP or non-RSA keys with B<-encrypt>.
774 Additionally the B<-EncryptedData_create> and B<-data_create> type cannot
823 Note: the encryption command does not include the B<-text> option because the
901 The use of multiple B<-signer> options and the B<-resign> command were first
904 The B<-keyopt> option was added in OpenSSL 1.0.2.
908 The use of non-RSA keys with B<-encrypt> and B<-decrypt>
913 The B<-nameopt> option was added in OpenSSL 3.0.0.
915 The B<-engine> option was deprecated in OpenSSL 3.0.
917 The B<-digest> option was added in OpenSSL 3.2.

Last Index update Tue Nov 26 00:08:07 UTC 2024

Dedicated to & Maintained by Room-11