1=pod 2{- OpenSSL::safe::output_do_not_edit_headers(); -} 3 4=head1 NAME 5 6openssl-cms - CMS command 7 8=head1 SYNOPSIS 9 10B<openssl> B<cms> 11[B<-help>] 12 13General options: 14 15[B<-in> I<filename>] 16[B<-out> I<filename>] 17{- $OpenSSL::safe::opt_config_synopsis -} 18 19Operation options: 20 21[B<-encrypt>] 22[B<-decrypt>] 23[B<-sign>] 24[B<-verify>] 25[B<-resign>] 26[B<-sign_receipt>] 27[B<-verify_receipt> I<receipt>] 28[B<-digest> I<digest>] 29[B<-digest_create>] 30[B<-digest_verify>] 31[B<-compress>] 32[B<-uncompress>] 33[B<-EncryptedData_encrypt>] 34[B<-EncryptedData_decrypt>] 35[B<-data_create>] 36[B<-data_out>] 37[B<-cmsout>] 38 39File format options: 40 41[B<-inform> B<DER>|B<PEM>|B<SMIME>] 42[B<-outform> B<DER>|B<PEM>|B<SMIME>] 43[B<-rctform> B<DER>|B<PEM>|B<SMIME>] 44[B<-stream>] 45[B<-indef>] 46[B<-noindef>] 47[B<-binary>] 48[B<-crlfeol>] 49[B<-asciicrlf>] 50 51Keys and password options: 52 53[B<-pwri_password> I<password>] 54[B<-secretkey> I<key>] 55[B<-secretkeyid> I<id>] 56[B<-inkey> I<filename>|I<uri>] 57[B<-passin> I<arg>] 58[B<-keyopt> I<name>:I<parameter>] 59[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 60{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} 61{- $OpenSSL::safe::opt_r_synopsis -} 62 63Encryption options: 64 65[B<-originator> I<file>] 66[B<-recip> I<file>] 67[I<recipient-cert> ...] 68[B<-I<cipher>>] 69[B<-wrap> I<cipher>] 70[B<-aes128-wrap>] 71[B<-aes192-wrap>] 72[B<-aes256-wrap>] 73[B<-des3-wrap>] 74[B<-debug_decrypt>] 75 76Signing options: 77 78[B<-md> I<digest>] 79[B<-signer> I<file>] 80[B<-certfile> I<file>] 81[B<-cades>] 82[B<-nodetach>] 83[B<-nocerts>] 84[B<-noattr>] 85[B<-nosmimecap>] 86[B<-receipt_request_all>] 87[B<-receipt_request_first>] 88[B<-receipt_request_from> I<emailaddress>] 89[B<-receipt_request_to> I<emailaddress>] 90 91Verification options: 92 93[B<-signer> I<file>] 94[B<-content> I<filename>] 95[B<-no_content_verify>] 96[B<-no_attr_verify>] 97[B<-nosigs>] 98[B<-noverify>] 99[B<-nointern>] 100[B<-cades>] 101[B<-verify_retcode>] 102{- $OpenSSL::safe::opt_trust_synopsis -} 103 104Output options: 105 106[B<-keyid>] 107[B<-econtent_type> I<type>] 108[B<-text>] 109[B<-certsout> I<file>] 110[B<-to> I<addr>] 111[B<-from> I<addr>] 112[B<-subject> I<subj>] 113 114Printing options: 115 116[B<-noout>] 117[B<-print>] 118[B<-nameopt> I<option>] 119[B<-receipt_request_print>] 120 121Validation options: 122 123{- $OpenSSL::safe::opt_v_synopsis -} 124 125=head1 DESCRIPTION 126 127This command handles data in CMS format such as S/MIME v3.1 email messages. 128It can encrypt, decrypt, sign, verify, compress, uncompress, and print messages. 129 130=head1 OPTIONS 131 132There are a number of operation options that set the type of operation to be 133performed: encrypt, decrypt, sign, verify, resign, sign_receipt, verify_receipt, 134digest_create, digest_verify, compress, uncompress, 135EncryptedData_encrypt, EncryptedData_decrypt, data_create, data_out, or cmsout. 136The relevance of the other options depends on the operation type 137and their meaning may vary according to it. 138 139=over 4 140 141=item B<-help> 142 143Print out a usage message. 144 145=back 146 147=head2 General options 148 149=over 4 150 151=item B<-in> I<filename> 152 153The input message to be encrypted or signed or the message to be decrypted 154or verified. 155 156=item B<-out> I<filename> 157 158The message text that has been decrypted or verified or the output MIME 159format message that has been signed or verified. 160 161{- $OpenSSL::safe::opt_config_item -} 162 163=back 164 165=head2 Operation options 166 167=over 4 168 169=item B<-encrypt> 170 171Encrypt data for the given recipient certificates. Input file is the message 172to be encrypted. The output file is the encrypted data in MIME format. The 173actual CMS type is B<EnvelopedData>. 174 175Note that no revocation check is done for the recipient cert, so if that 176key has been compromised, others may be able to decrypt the text. 177 178=item B<-decrypt> 179 180Decrypt data using the supplied certificate and private key. Expects 181encrypted datain MIME format for the input file. The decrypted data 182is written to the output file. 183 184=item B<-sign> 185 186Sign data using the supplied certificate and private key. Input file is 187the message to be signed. The signed data in MIME format is written 188to the output file. 189 190=item B<-verify> 191 192Verify signed data. Expects a signed data on input and outputs 193the signed data. Both clear text and opaque signing is supported. 194 195=item B<-resign> 196 197Resign a message: take an existing message and one or more new signers. 198 199=item B<-sign_receipt> 200 201Generate and output a signed receipt for the supplied message. The input 202message B<must> contain a signed receipt request. Functionality is otherwise 203similar to the B<-sign> operation. 204 205=item B<-verify_receipt> I<receipt> 206 207Verify a signed receipt in filename B<receipt>. The input message B<must> 208contain the original receipt request. Functionality is otherwise similar 209to the B<-verify> operation. 210 211=item B<-digest> I<digest> 212 213When used with B<-sign>, provides the digest in hexadecimal form instead of 214computing it from the original message content. Cannot be combined with B<-in> 215or B<-nodetach>. 216 217This operation is the CMS equivalent of L<openssl-pkeyutl(1)> signing. 218When signing a pre-computed digest, the security relies on the digest and its 219computation from the original message being trusted. 220 221=item B<-digest_create> 222 223Create a CMS B<DigestedData> type. 224 225=item B<-digest_verify> 226 227Verify a CMS B<DigestedData> type and output the content. 228 229=item B<-compress> 230 231Create a CMS B<CompressedData> type. OpenSSL must be compiled with B<zlib> 232support for this option to work, otherwise it will output an error. 233 234=item B<-uncompress> 235 236Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be 237compiled with B<zlib> support for this option to work, otherwise it will 238output an error. 239 240=item B<-EncryptedData_encrypt> 241 242Encrypt content using supplied symmetric key and algorithm using a CMS 243B<EncryptedData> type and output the content. 244 245=item B<-EncryptedData_decrypt> 246 247Decrypt content using supplied symmetric key and algorithm using a CMS 248B<EncryptedData> type and output the content. 249 250=item B<-data_create> 251 252Create a CMS B<Data> type. 253 254=item B<-data_out> 255 256B<Data> type and output the content. 257 258=item B<-cmsout> 259 260Takes an input message and writes out a PEM encoded CMS structure. 261 262=back 263 264=head2 File format options 265 266=over 4 267 268=item B<-inform> B<DER>|B<PEM>|B<SMIME> 269 270The input format of the CMS structure (if one is being read); 271the default is B<SMIME>. 272See L<openssl-format-options(1)> for details. 273 274=item B<-outform> B<DER>|B<PEM>|B<SMIME> 275 276The output format of the CMS structure (if one is being written); 277the default is B<SMIME>. 278See L<openssl-format-options(1)> for details. 279 280=item B<-rctform> B<DER>|B<PEM>|B<SMIME> 281 282The signed receipt format for use with the B<-receipt_verify>; the default 283is B<SMIME>. 284See L<openssl-format-options(1)> for details. 285 286=item B<-stream>, B<-indef> 287 288The B<-stream> and B<-indef> options are equivalent and enable streaming I/O 289for encoding operations. This permits single pass processing of data without 290the need to hold the entire contents in memory, potentially supporting very 291large files. Streaming is automatically set for S/MIME signing with detached 292data if the output format is B<SMIME> it is currently off by default for all 293other operations. 294 295=item B<-noindef> 296 297Disable streaming I/O where it would produce and indefinite length constructed 298encoding. This option currently has no effect. In future streaming will be 299enabled by default on all relevant operations and this option will disable it. 300 301=item B<-binary> 302 303Normally the input message is converted to "canonical" format which is 304effectively using CR and LF as end of line: as required by the S/MIME 305specification. When this option is present no translation occurs. This 306is useful when handling binary data which may not be in MIME format. 307 308=item B<-crlfeol> 309 310Normally the output file uses a single B<LF> as end of line. When this 311option is present B<CRLF> is used instead. 312 313=item B<-asciicrlf> 314 315When signing use ASCII CRLF format canonicalisation. This strips trailing 316whitespace from all lines, deletes trailing blank lines at EOF and sets 317the encapsulated content type. This option is normally used with detached 318content and an output signature format of DER. This option is not normally 319needed when verifying as it is enabled automatically if the encapsulated 320content format is detected. 321 322=back 323 324=head2 Keys and password options 325 326=over 4 327 328=item B<-pwri_password> I<password> 329 330Specify password for recipient. 331 332=item B<-secretkey> I<key> 333 334Specify symmetric key to use. The key must be supplied in hex format and be 335consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt> 336B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used 337with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the 338content encryption key using an AES key in the B<KEKRecipientInfo> type. 339 340=item B<-secretkeyid> I<id> 341 342The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type. 343This option B<must> be present if the B<-secretkey> option is used with 344B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the 345relevant key if it is not supplied then an attempt is used to decrypt any 346B<KEKRecipientInfo> structures. 347 348=item B<-inkey> I<filename>|I<uri> 349 350The private key to use when signing or decrypting. This must match the 351corresponding certificate. If this option is not specified then the 352private key must be included in the certificate file specified with 353the B<-recip> or B<-signer> file. When signing this option can be used 354multiple times to specify successive keys. 355 356=item B<-passin> I<arg> 357 358The private key password source. For more information about the format of B<arg> 359see L<openssl-passphrase-options(1)>. 360 361=item B<-keyopt> I<name>:I<parameter> 362 363For signing and encryption this option can be used multiple times to 364set customised parameters for the preceding key or certificate. It can 365currently be used to set RSA-PSS for signing, RSA-OAEP for encryption 366or to modify default parameters for ECDH. 367 368=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 369 370The format of the private key file; unspecified by default. 371See L<openssl-format-options(1)> for details. 372 373{- $OpenSSL::safe::opt_engine_item -} 374 375{- $OpenSSL::safe::opt_provider_item -} 376 377{- $OpenSSL::safe::opt_r_item -} 378 379=back 380 381=head2 Encryption and decryption options 382 383=over 4 384 385=item B<-originator> I<file> 386 387A certificate of the originator of the encrypted message. Necessary for 388decryption when Key Agreement is in use for a shared key. 389 390=item B<-recip> I<file> 391 392When decrypting a message this specifies the certificate of the recipient. 393The certificate must match one of the recipients of the message. 394 395When encrypting a message this option may be used multiple times to specify 396each recipient. This form B<must> be used if customised parameters are 397required (for example to specify RSA-OAEP). 398 399Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this 400option. 401 402=item I<recipient-cert> ... 403 404This is an alternative to using the B<-recip> option when encrypting a message. 405One or more certificate filennames may be given. 406 407=item B<-I<cipher>> 408 409The encryption algorithm to use. For example triple DES (168 bits) - B<-des3> 410or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the 411EVP_get_cipherbyname() function) can also be used preceded by a dash, for 412example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers 413supported by your version of OpenSSL. 414 415Currently the AES variants with GCM mode are the only supported AEAD 416algorithms. 417 418If not specified triple DES is used. Only used with B<-encrypt> and 419B<-EncryptedData_create> commands. 420 421=item B<-wrap> I<cipher> 422 423Cipher algorithm to use for key wrap when encrypting the message using Key 424Agreement for key transport. The algorithm specified should be suitable for key 425wrap. 426 427=item B<-aes128-wrap>, B<-aes192-wrap>, B<-aes256-wrap>, B<-des3-wrap> 428 429Use AES128, AES192, AES256, or 3DES-EDE, respectively, to wrap key. 430Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported. 431 432=item B<-debug_decrypt> 433 434This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used 435with caution: see the notes section below. 436 437=back 438 439=head2 Signing options 440 441=over 4 442 443=item B<-md> I<digest> 444 445Digest algorithm to use when signing or resigning. If not present then the 446default digest algorithm for the signing key will be used (usually SHA1). 447 448=item B<-signer> I<file> 449 450A signing certificate. When signing or resigning a message, this option can be 451used multiple times if more than one signer is required. 452 453=item B<-certfile> I<file> 454 455Allows additional certificates to be specified. When signing these will 456be included with the message. When verifying these will be searched for 457the signers certificates. 458The input can be in PEM, DER, or PKCS#12 format. 459 460=item B<-cades> 461 462When used with B<-sign>, 463add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute 464to the SignerInfo, in order to make the signature comply with the requirements 465for a CAdES Basic Electronic Signature (CAdES-BES). 466 467=item B<-nodetach> 468 469When signing a message use opaque signing: this form is more resistant 470to translation by mail relays but it cannot be read by mail agents that 471do not support S/MIME. Without this option cleartext signing with 472the MIME type multipart/signed is used. 473 474=item B<-nocerts> 475 476When signing a message the signer's certificate is normally included 477with this option it is excluded. This will reduce the size of the 478signed message but the verifier must have a copy of the signers certificate 479available locally (passed using the B<-certfile> option for example). 480 481=item B<-noattr> 482 483Normally when a message is signed a set of attributes are included which 484include the signing time and supported symmetric algorithms. With this 485option they are not included. 486 487=item B<-nosmimecap> 488 489Exclude the list of supported algorithms from signed attributes, other options 490such as signing time and content type are still included. 491 492=item B<-receipt_request_all>, B<-receipt_request_first> 493 494For B<-sign> option include a signed receipt request. Indicate requests should 495be provided by all recipient or first tier recipients (those mailed directly 496and not from a mailing list). Ignored it B<-receipt_request_from> is included. 497 498=item B<-receipt_request_from> I<emailaddress> 499 500For B<-sign> option include a signed receipt request. Add an explicit email 501address where receipts should be supplied. 502 503=item B<-receipt_request_to> I<emailaddress> 504 505Add an explicit email address where signed receipts should be sent to. This 506option B<must> but supplied if a signed receipt is requested. 507 508=back 509 510=head2 Verification options 511 512=over 4 513 514=item B<-signer> I<file> 515 516If a message has been verified successfully then the signers certificate(s) 517will be written to this file if the verification was successful. 518 519=item B<-content> I<filename> 520 521This specifies a file containing the detached content for operations taking 522S/MIME input, such as the B<-verify> command. This is only usable if the CMS 523structure is using the detached signature form where the content is 524not included. This option will override any content if the input format 525is S/MIME and it uses the multipart/signed MIME content type. 526 527=item B<-no_content_verify> 528 529Do not verify signed content signatures. 530 531=item B<-no_attr_verify> 532 533Do not verify signed attribute signatures. 534 535=item B<-nosigs> 536 537Don't verify message signature. 538 539=item B<-noverify> 540 541Do not verify the signers certificate of a signed message. 542 543=item B<-nointern> 544 545When verifying a message normally certificates (if any) included in 546the message are searched for the signing certificate. With this option 547only the certificates specified in the B<-certfile> option are used. 548The supplied certificates can still be used as untrusted CAs however. 549 550=item B<-cades> 551 552When used with B<-verify>, require and check signer certificate digest. 553See the NOTES section for more details. 554 555=item B<-verify_retcode> 556 557Exit nonzero on verification failure. 558 559{- $OpenSSL::safe::opt_trust_item -} 560 561=back 562 563=head2 Output options 564 565=over 4 566 567=item B<-keyid> 568 569Use subject key identifier to identify certificates instead of issuer name and 570serial number. The supplied certificate B<must> include a subject key 571identifier extension. Supported by B<-sign> and B<-encrypt> options. 572 573=item B<-econtent_type> I<type> 574 575Set the encapsulated content type to I<type> if not supplied the B<Data> type 576is used. The I<type> argument can be any valid OID name in either text or 577numerical format. 578 579=item B<-text> 580 581This option adds plain text (text/plain) MIME headers to the supplied 582message if encrypting or signing. If decrypting or verifying it strips 583off text headers: if the decrypted or verified message is not of MIME 584type text/plain then an error occurs. 585 586=item B<-certsout> I<file> 587 588Any certificates contained in the input message are written to I<file>. 589 590=item B<-to>, B<-from>, B<-subject> 591 592The relevant email headers. These are included outside the signed 593portion of a message so they may be included manually. If signing 594then many S/MIME mail clients check the signers certificate's email 595address matches that specified in the From: address. 596 597=back 598 599=head2 Printing options 600 601=over 4 602 603=item B<-noout> 604 605For the B<-cmsout> operation do not output the parsed CMS structure. 606This is useful if the syntax of the CMS structure is being checked. 607 608=item B<-print> 609 610For the B<-cmsout> operation print out all fields of the CMS structure. 611This implies B<-noout>. 612This is mainly useful for testing purposes. 613 614=item B<-nameopt> I<option> 615 616For the B<-cmsout> operation when B<-print> option is in use, specifies 617printing options for string fields. For most cases B<utf8> is reasonable value. 618See L<openssl-namedisplay-options(1)> for details. 619 620=item B<-receipt_request_print> 621 622For the B<-verify> operation print out the contents of any signed receipt 623requests. 624 625=back 626 627=head2 Validation options 628 629=over 4 630 631{- $OpenSSL::safe::opt_v_item -} 632 633Any validation errors cause the command to exit. 634 635=back 636 637=head1 NOTES 638 639The MIME message must be sent without any blank lines between the 640headers and the output. Some mail programs will automatically add 641a blank line. Piping the mail directly to sendmail is one way to 642achieve the correct format. 643 644The supplied message to be signed or encrypted must include the 645necessary MIME headers or many S/MIME clients won't display it 646properly (if at all). You can use the B<-text> option to automatically 647add plain text headers. 648 649A "signed and encrypted" message is one where a signed message is 650then encrypted. This can be produced by encrypting an already signed 651message: see the examples section. 652 653This version of the program only allows one signer per message but it 654will verify multiple signers on received messages. Some S/MIME clients 655choke if a message contains multiple signers. It is possible to sign 656messages "in parallel" by signing an already signed message. 657 658The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME 659clients. Strictly speaking these process CMS enveloped data: CMS 660encrypted data is used for other purposes. 661 662The B<-resign> option uses an existing message digest when adding a new 663signer. This means that attributes must be present in at least one existing 664signer using the same message digest or this operation will fail. 665 666The B<-stream> and B<-indef> options enable streaming I/O support. 667As a result the encoding is BER using indefinite length constructed encoding 668and no longer DER. Streaming is supported for the B<-encrypt> operation and the 669B<-sign> operation if the content is not detached. 670 671Streaming is always used for the B<-sign> operation with detached data but 672since the content is no longer part of the CMS structure the encoding 673remains DER. 674 675If the B<-decrypt> option is used without a recipient certificate then an 676attempt is made to locate the recipient by trying each potential recipient 677in turn using the supplied private key. To thwart the MMA attack 678(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are 679tried whether they succeed or not and if no recipients match the message 680is "decrypted" using a random key which will typically output garbage. 681The B<-debug_decrypt> option can be used to disable the MMA attack protection 682and return an error if no recipient can be found: this option should be used 683with caution. For a fuller description see L<CMS_decrypt(3)>). 684 685=head1 CADES BASIC ELECTRONIC SIGNATURE (CADES-BES) 686 687A CAdES Basic Electronic Signature (CAdES-BES), 688as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains: 689 690=over 4 691 692=item * 693 694The signed user data as defined in CMS (RFC 3852); 695 696=item * 697 698Content-type of the EncapsulatedContentInfo value being signed; 699 700=item * 701 702Message-digest of the eContent OCTET STRING within encapContentInfo being signed; 703 704=item * 705 706An ESS signingCertificate or ESS signingCertificateV2 attribute, 707as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035. 708An ESS signingCertificate attribute only allows for SHA-1 as digest algorithm. 709An ESS signingCertificateV2 attribute allows for any digest algorithm. 710 711=item * 712 713The digital signature value computed on the user data and, when present, on the signed attributes. 714 715NOTE that the B<-cades> option applies to the B<-sign> or B<-verify> operations. 716With this option, the B<-verify> operation also requires that the 717signingCertificate attribute is present and checks that the given identifiers 718match the verification trust chain built during the verification process. 719 720=back 721 722=head1 EXIT CODES 723 724=over 4 725 726=item Z<>0 727 728The operation was completely successfully. 729 730=item Z<>1 731 732An error occurred parsing the command options. 733 734=item Z<>2 735 736One of the input files could not be read. 737 738=item Z<>3 739 740An error occurred creating the CMS file or when reading the MIME 741message. 742 743=item Z<>4 744 745An error occurred decrypting or verifying the message. 746 747=item Z<>5 748 749The message was verified correctly but an error occurred writing out 750the signers certificates. 751 752=back 753 754=head1 COMPATIBILITY WITH PKCS#7 FORMAT 755 756L<openssl-smime(1)> can only process the older B<PKCS#7> format. 757B<openssl cms> supports Cryptographic Message Syntax format. 758Use of some features will result in messages which cannot be processed by 759applications which only support the older format. These are detailed below. 760 761The use of the B<-keyid> option with B<-sign> or B<-encrypt>. 762 763The B<-outform> I<PEM> option uses different headers. 764 765The B<-compress> option. 766 767The B<-secretkey> option when used with B<-encrypt>. 768 769The use of PSS with B<-sign>. 770 771The use of OAEP or non-RSA keys with B<-encrypt>. 772 773Additionally the B<-EncryptedData_create> and B<-data_create> type cannot 774be processed by the older L<openssl-smime(1)> command. 775 776=head1 EXAMPLES 777 778Create a cleartext signed message: 779 780 openssl cms -sign -in message.txt -text -out mail.msg \ 781 -signer mycert.pem 782 783Create an opaque signed message 784 785 openssl cms -sign -in message.txt -text -out mail.msg -nodetach \ 786 -signer mycert.pem 787 788Create a signed message, include some additional certificates and 789read the private key from another file: 790 791 openssl cms -sign -in in.txt -text -out mail.msg \ 792 -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem 793 794Create a signed message with two signers, use key identifier: 795 796 openssl cms -sign -in message.txt -text -out mail.msg \ 797 -signer mycert.pem -signer othercert.pem -keyid 798 799Send a signed message under Unix directly to sendmail, including headers: 800 801 openssl cms -sign -in in.txt -text -signer mycert.pem \ 802 -from steve@openssl.org -to someone@somewhere \ 803 -subject "Signed message" | sendmail someone@somewhere 804 805Verify a message and extract the signer's certificate if successful: 806 807 openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt 808 809Send encrypted mail using triple DES: 810 811 openssl cms -encrypt -in in.txt -from steve@openssl.org \ 812 -to someone@somewhere -subject "Encrypted message" \ 813 -des3 user.pem -out mail.msg 814 815Sign and encrypt mail: 816 817 openssl cms -sign -in ml.txt -signer my.pem -text \ 818 | openssl cms -encrypt -out mail.msg \ 819 -from steve@openssl.org -to someone@somewhere \ 820 -subject "Signed and Encrypted message" -des3 user.pem 821 822Note: the encryption command does not include the B<-text> option because the 823message being encrypted already has MIME headers. 824 825Decrypt a message: 826 827 openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem 828 829The output from Netscape form signing is a PKCS#7 structure with the 830detached signature format. You can use this program to verify the 831signature by line wrapping the base64 encoded structure and surrounding 832it with: 833 834 -----BEGIN PKCS7----- 835 -----END PKCS7----- 836 837and using the command, 838 839 openssl cms -verify -inform PEM -in signature.pem -content content.txt 840 841alternatively you can base64 decode the signature and use 842 843 openssl cms -verify -inform DER -in signature.der -content content.txt 844 845Create an encrypted message using 128 bit Camellia: 846 847 openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem 848 849Add a signer to an existing message: 850 851 openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg 852 853Sign a message using RSA-PSS: 854 855 openssl cms -sign -in message.txt -text -out mail.msg \ 856 -signer mycert.pem -keyopt rsa_padding_mode:pss 857 858Create an encrypted message using RSA-OAEP: 859 860 openssl cms -encrypt -in plain.txt -out mail.msg \ 861 -recip cert.pem -keyopt rsa_padding_mode:oaep 862 863Use SHA256 KDF with an ECDH certificate: 864 865 openssl cms -encrypt -in plain.txt -out mail.msg \ 866 -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256 867 868Print CMS signed binary data in human-readable form: 869 870openssl cms -in signed.cms -binary -inform DER -cmsout -print 871 872=head1 BUGS 873 874The MIME parser isn't very clever: it seems to handle most messages that I've 875thrown at it but it may choke on others. 876 877The code currently will only write out the signer's certificate to a file: if 878the signer has a separate encryption certificate this must be manually 879extracted. There should be some heuristic that determines the correct 880encryption certificate. 881 882Ideally a database should be maintained of a certificates for each email 883address. 884 885The code doesn't currently take note of the permitted symmetric encryption 886algorithms as supplied in the SMIMECapabilities signed attribute. this means the 887user has to manually include the correct encryption algorithm. It should store 888the list of permitted ciphers in a database and only use those. 889 890No revocation checking is done on the signer's certificate. 891 892=head1 SEE ALSO 893 894L<ossl_store-file(7)> 895 896=head1 HISTORY 897 898The use of multiple B<-signer> options and the B<-resign> command were first 899added in OpenSSL 1.0.0. 900 901The B<-keyopt> option was added in OpenSSL 1.0.2. 902 903Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2. 904 905The use of non-RSA keys with B<-encrypt> and B<-decrypt> 906was added in OpenSSL 1.0.2. 907 908The -no_alt_chains option was added in OpenSSL 1.0.2b. 909 910The B<-nameopt> option was added in OpenSSL 3.0.0. 911 912The B<-engine> option was deprecated in OpenSSL 3.0. 913 914The B<-digest> option was added in OpenSSL 3.1. 915 916=head1 COPYRIGHT 917 918Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. 919 920Licensed under the Apache License 2.0 (the "License"). You may not use 921this file except in compliance with the License. You can obtain a copy 922in the file LICENSE in the source distribution or at 923L<https://www.openssl.org/source/license.html>. 924 925=cut 926