586 lines
25 KiB
HTML
Executable File
586 lines
25 KiB
HTML
Executable File
<?xml version="1.0" ?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<title>openssl-smime</title>
|
|
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
|
<link rev="made" href="mailto:root@localhost" />
|
|
</head>
|
|
|
|
<body style="background-color: white">
|
|
|
|
|
|
<!-- INDEX BEGIN -->
|
|
<div name="index">
|
|
<p><a name="__index__"></a></p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="#name">NAME</a></li>
|
|
<li><a href="#synopsis">SYNOPSIS</a></li>
|
|
<li><a href="#description">DESCRIPTION</a></li>
|
|
<li><a href="#options">OPTIONS</a></li>
|
|
<li><a href="#notes">NOTES</a></li>
|
|
<li><a href="#exit_codes">EXIT CODES</a></li>
|
|
<li><a href="#examples">EXAMPLES</a></li>
|
|
<li><a href="#bugs">BUGS</a></li>
|
|
<li><a href="#see_also">SEE ALSO</a></li>
|
|
<li><a href="#history">HISTORY</a></li>
|
|
<li><a href="#copyright">COPYRIGHT</a></li>
|
|
</ul>
|
|
|
|
<hr name="index" />
|
|
</div>
|
|
<!-- INDEX END -->
|
|
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="name">NAME</a></h1>
|
|
<p>openssl-smime - S/MIME utility</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
|
<p><strong>openssl</strong> <strong>smime</strong>
|
|
[<strong>-help</strong>]
|
|
[<strong>-encrypt</strong>]
|
|
[<strong>-decrypt</strong>]
|
|
[<strong>-sign</strong>]
|
|
[<strong>-resign</strong>]
|
|
[<strong>-verify</strong>]
|
|
[<strong>-pk7out</strong>]
|
|
[<strong>-binary</strong>]
|
|
[<strong>-crlfeol</strong>]
|
|
[<strong>-<em>cipher</em></strong>]
|
|
[<strong>-in</strong> <em>file</em>]
|
|
[<strong>-certfile</strong> <em>file</em>]
|
|
[<strong>-signer</strong> <em>file</em>]
|
|
[<strong>-nointern</strong>]
|
|
[<strong>-noverify</strong>]
|
|
[<strong>-nochain</strong>]
|
|
[<strong>-nosigs</strong>]
|
|
[<strong>-nocerts</strong>]
|
|
[<strong>-noattr</strong>]
|
|
[<strong>-nodetach</strong>]
|
|
[<strong>-nosmimecap</strong>]
|
|
[<strong>-recip</strong> <em> file</em>]
|
|
[<strong>-inform</strong> <strong>DER</strong>|<strong>PEM</strong>|<strong>SMIME</strong>]
|
|
[<strong>-outform</strong> <strong>DER</strong>|<strong>PEM</strong>|<strong>SMIME</strong>]
|
|
[<strong>-keyform</strong> <strong>DER</strong>|<strong>PEM</strong>|<strong>ENGINE</strong>]
|
|
[<strong>-passin</strong> <em>arg</em>]
|
|
[<strong>-inkey</strong> <em>file_or_id</em>]
|
|
[<strong>-out</strong> <em>file</em>]
|
|
[<strong>-content</strong> <em>file</em>]
|
|
[<strong>-to</strong> <em>addr</em>]
|
|
[<strong>-from</strong> <em>ad</em>]
|
|
[<strong>-subject</strong> <em>s</em>]
|
|
[<strong>-text</strong>]
|
|
[<strong>-indef</strong>]
|
|
[<strong>-noindef</strong>]
|
|
[<strong>-stream</strong>]
|
|
[<strong>-md</strong> <em>digest</em>]
|
|
[<strong>-CAfile</strong> <em>file</em>]
|
|
[<strong>-no-CAfile</strong>]
|
|
[<strong>-CApath</strong> <em>dir</em>]
|
|
[<strong>-no-CApath</strong>]
|
|
[<strong>-CAstore</strong> <em>uri</em>]
|
|
[<strong>-no-CAstore</strong>]
|
|
[<strong>-engine</strong> <em>id</em>]
|
|
[<strong>-rand</strong> <em>files</em>]
|
|
[<strong>-writerand</strong> <em>file</em>]
|
|
[<strong>-allow_proxy_certs</strong>]
|
|
[<strong>-attime</strong> <em>timestamp</em>]
|
|
[<strong>-no_check_time</strong>]
|
|
[<strong>-check_ss_sig</strong>]
|
|
[<strong>-crl_check</strong>]
|
|
[<strong>-crl_check_all</strong>]
|
|
[<strong>-explicit_policy</strong>]
|
|
[<strong>-extended_crl</strong>]
|
|
[<strong>-ignore_critical</strong>]
|
|
[<strong>-inhibit_any</strong>]
|
|
[<strong>-inhibit_map</strong>]
|
|
[<strong>-partial_chain</strong>]
|
|
[<strong>-policy</strong> <em>arg</em>]
|
|
[<strong>-policy_check</strong>]
|
|
[<strong>-policy_print</strong>]
|
|
[<strong>-purpose</strong> <em>purpose</em>]
|
|
[<strong>-suiteB_128</strong>]
|
|
[<strong>-suiteB_128_only</strong>]
|
|
[<strong>-suiteB_192</strong>]
|
|
[<strong>-trusted_first</strong>]
|
|
[<strong>-no_alt_chains</strong>]
|
|
[<strong>-use_deltas</strong>]
|
|
[<strong>-auth_level</strong> <em>num</em>]
|
|
[<strong>-verify_depth</strong> <em>num</em>]
|
|
[<strong>-verify_email</strong> <em>email</em>]
|
|
[<strong>-verify_hostname</strong> <em>hostname</em>]
|
|
[<strong>-verify_ip</strong> <em>ip</em>]
|
|
[<strong>-verify_name</strong> <em>name</em>]
|
|
[<strong>-x509_strict</strong>]
|
|
[<strong>-issuer_checks</strong>]</p>
|
|
<p><em>cert.pem</em> ...</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="description">DESCRIPTION</a></h1>
|
|
<p>This command handles S/MIME mail. It can encrypt, decrypt, sign
|
|
and verify S/MIME messages.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="options">OPTIONS</a></h1>
|
|
<p>There are six operation options that set the type of operation to be performed.
|
|
The meaning of the other options varies according to the operation type.</p>
|
|
<dl>
|
|
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Print out a usage message.</p>
|
|
</dd>
|
|
<dt><strong><a name="encrypt" class="item"><strong>-encrypt</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Encrypt mail for the given recipient certificates. Input file is the message
|
|
to be encrypted. The output file is the encrypted mail in MIME format.</p>
|
|
<p>Note that no revocation check is done for the recipient cert, so if that
|
|
key has been compromised, others may be able to decrypt the text.</p>
|
|
</dd>
|
|
<dt><strong><a name="decrypt" class="item"><strong>-decrypt</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Decrypt mail using the supplied certificate and private key. Expects an
|
|
encrypted mail message in MIME format for the input file. The decrypted mail
|
|
is written to the output file.</p>
|
|
</dd>
|
|
<dt><strong><a name="sign" class="item"><strong>-sign</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Sign mail using the supplied certificate and private key. Input file is
|
|
the message to be signed. The signed message in MIME format is written
|
|
to the output file.</p>
|
|
</dd>
|
|
<dt><strong><a name="verify" class="item"><strong>-verify</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Verify signed mail. Expects a signed mail message on input and outputs
|
|
the signed data. Both clear text and opaque signing is supported.</p>
|
|
</dd>
|
|
<dt><strong><a name="pk7out" class="item"><strong>-pk7out</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Takes an input message and writes out a PEM encoded PKCS#7 structure.</p>
|
|
</dd>
|
|
<dt><strong><a name="resign" class="item"><strong>-resign</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Resign a message: take an existing message and one or more new signers.</p>
|
|
</dd>
|
|
<dt><strong><a name="in_filename" class="item"><strong>-in</strong> <em>filename</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The input message to be encrypted or signed or the MIME message to
|
|
be decrypted or verified.</p>
|
|
</dd>
|
|
<dt><strong><a name="out_filename" class="item"><strong>-out</strong> <em>filename</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The message text that has been decrypted or verified or the output MIME
|
|
format message that has been signed or verified.</p>
|
|
</dd>
|
|
<dt><strong><a name="inform_der_pem_smime" class="item"><strong>-inform</strong> <strong>DER</strong>|<strong>PEM</strong>|<strong>SMIME</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The input format of the PKCS#7 (S/MIME) structure (if one is being read);
|
|
the default is <strong>SMIME</strong>.
|
|
See <em>openssl(1)/Format Options</em> for details.</p>
|
|
</dd>
|
|
<dt><strong><a name="outform_der_pem_smime" class="item"><strong>-outform</strong> <strong>DER</strong>|<strong>PEM</strong>|<strong>SMIME</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The output format of the PKCS#7 (S/MIME) structure (if one is being written);
|
|
the default is <strong>SMIME</strong>.
|
|
See <em>openssl(1)/Format Options</em> for details.</p>
|
|
</dd>
|
|
<dt><strong><a name="keyform_der_pem" class="item"><strong>-keyform</strong> <strong>DER</strong>|<strong>PEM</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The key format; the default is <strong>PEM</strong>.
|
|
See <em>openssl(1)/Format Options</em> for details.</p>
|
|
</dd>
|
|
<dt><strong><a name="stream_indef_noindef" class="item"><strong>-stream</strong>, <strong>-indef</strong>, <strong>-noindef</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The <strong>-stream</strong> and <strong>-indef</strong> options are equivalent and enable streaming I/O
|
|
for encoding operations. This permits single pass processing of data without
|
|
the need to hold the entire contents in memory, potentially supporting very
|
|
large files. Streaming is automatically set for S/MIME signing with detached
|
|
data if the output format is <strong>SMIME</strong> it is currently off by default for all
|
|
other operations.</p>
|
|
</dd>
|
|
<dt><strong><a name="noindef" class="item"><strong>-noindef</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Disable streaming I/O where it would produce and indefinite length constructed
|
|
encoding. This option currently has no effect. In future streaming will be
|
|
enabled by default on all relevant operations and this option will disable it.</p>
|
|
</dd>
|
|
<dt><strong><a name="content_filename" class="item"><strong>-content</strong> <em>filename</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This specifies a file containing the detached content, this is only
|
|
useful with the <strong>-verify</strong> command. This is only usable if the PKCS#7
|
|
structure is using the detached signature form where the content is
|
|
not included. This option will override any content if the input format
|
|
is S/MIME and it uses the multipart/signed MIME content type.</p>
|
|
</dd>
|
|
<dt><strong><a name="text" class="item"><strong>-text</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This option adds plain text (text/plain) MIME headers to the supplied
|
|
message if encrypting or signing. If decrypting or verifying it strips
|
|
off text headers: if the decrypted or verified message is not of MIME
|
|
type text/plain then an error occurs.</p>
|
|
</dd>
|
|
<dt><strong><a name="md_digest" class="item"><strong>-md</strong> <em>digest</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Digest algorithm to use when signing or resigning. If not present then the
|
|
default digest algorithm for the signing key will be used (usually SHA1).</p>
|
|
</dd>
|
|
<dt><strong><a name="cipher" class="item"><strong>-<em>cipher</em></strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The encryption algorithm to use. For example DES (56 bits) - <strong>-des</strong>,
|
|
triple DES (168 bits) - <strong>-des3</strong>,
|
|
<code>EVP_get_cipherbyname()</code> function) can also be used preceded by a dash, for
|
|
example <strong>-aes-128-cbc</strong>. See <em>openssl-enc(1)</em> for list of ciphers
|
|
supported by your version of OpenSSL.</p>
|
|
<p>If not specified triple DES is used. Only used with <strong>-encrypt</strong>.</p>
|
|
</dd>
|
|
<dt><strong><a name="nointern" class="item"><strong>-nointern</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>When verifying a message normally certificates (if any) included in
|
|
the message are searched for the signing certificate. With this option
|
|
only the certificates specified in the <strong>-certfile</strong> option are used.
|
|
The supplied certificates can still be used as untrusted CAs however.</p>
|
|
</dd>
|
|
<dt><strong><a name="noverify" class="item"><strong>-noverify</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Do not verify the signers certificate of a signed message.</p>
|
|
</dd>
|
|
<dt><strong><a name="nochain" class="item"><strong>-nochain</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Do not do chain verification of signers certificates; that is, do not
|
|
use the certificates in the signed message as untrusted CAs.</p>
|
|
</dd>
|
|
<dt><strong><a name="nosigs" class="item"><strong>-nosigs</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Don't try to verify the signatures on the message.</p>
|
|
</dd>
|
|
<dt><strong><a name="nocerts" class="item"><strong>-nocerts</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>When signing a message the signer's certificate is normally included
|
|
with this option it is excluded. This will reduce the size of the
|
|
signed message but the verifier must have a copy of the signers certificate
|
|
available locally (passed using the <strong>-certfile</strong> option for example).</p>
|
|
</dd>
|
|
<dt><strong><a name="noattr" class="item"><strong>-noattr</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Normally when a message is signed a set of attributes are included which
|
|
include the signing time and supported symmetric algorithms. With this
|
|
option they are not included.</p>
|
|
</dd>
|
|
<dt><strong><a name="nodetach" class="item"><strong>-nodetach</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>When signing a message use opaque signing. This form is more resistant
|
|
to translation by mail relays but it cannot be read by mail agents that
|
|
do not support S/MIME. Without this option cleartext signing with
|
|
the MIME type multipart/signed is used.</p>
|
|
</dd>
|
|
<dt><strong><a name="nosmimecap" class="item"><strong>-nosmimecap</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>When signing a message, do not include the <strong>SMIMECapabilities</strong> attribute.</p>
|
|
</dd>
|
|
<dt><strong><a name="binary" class="item"><strong>-binary</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Normally the input message is converted to "canonical" format which is
|
|
effectively using CR and LF as end of line: as required by the S/MIME
|
|
specification. When this option is present no translation occurs. This
|
|
is useful when handling binary data which may not be in MIME format.</p>
|
|
</dd>
|
|
<dt><strong><a name="crlfeol" class="item"><strong>-crlfeol</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Normally the output file uses a single <strong>LF</strong> as end of line. When this
|
|
option is present <strong>CRLF</strong> is used instead.</p>
|
|
</dd>
|
|
<dt><strong><a name="certfile_file" class="item"><strong>-certfile</strong> <em>file</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Allows additional certificates to be specified. When signing these will
|
|
be included with the message. When verifying these will be searched for
|
|
the signers certificates. The certificates should be in PEM format.</p>
|
|
</dd>
|
|
<dt><strong><a name="signer_file" class="item"><strong>-signer</strong> <em>file</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>A signing certificate when signing or resigning a message, this option can be
|
|
used multiple times if more than one signer is required. If a message is being
|
|
verified then the signers certificates will be written to this file if the
|
|
verification was successful.</p>
|
|
</dd>
|
|
<dt><strong><a name="nocerts2" class="item"><strong>-nocerts</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Don't include signers certificate when signing.</p>
|
|
</dd>
|
|
<dt><strong><a name="noattr2" class="item"><strong>-noattr</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Don't include any signed attributes when signing.</p>
|
|
</dd>
|
|
<dt><strong><a name="recip_file" class="item"><strong>-recip</strong> <em>file</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The recipients certificate when decrypting a message. This certificate
|
|
must match one of the recipients of the message or an error occurs.</p>
|
|
</dd>
|
|
<dt><strong><a name="inkey_file_or_id" class="item"><strong>-inkey</strong> <em>file_or_id</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The private key to use when signing or decrypting. This must match the
|
|
corresponding certificate. If this option is not specified then the
|
|
private key must be included in the certificate file specified with
|
|
the <strong>-recip</strong> or <strong>-signer</strong> file. When signing this option can be used
|
|
multiple times to specify successive keys.
|
|
If no engine is used, the argument is taken as a file; if an engine is
|
|
specified, the argument is given to the engine as a key identifier.</p>
|
|
</dd>
|
|
<dt><strong><a name="passin_arg" class="item"><strong>-passin</strong> <em>arg</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The private key password source. For more information about the format of <em>arg</em>
|
|
see <em>openssl(1)/Pass Phrase Options</em>.</p>
|
|
</dd>
|
|
<dt><strong><a name="to_from_subject" class="item"><strong>-to</strong>, <strong>-from</strong>, <strong>-subject</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The relevant mail headers. These are included outside the signed
|
|
portion of a message so they may be included manually. If signing
|
|
then many S/MIME mail clients check the signers certificate's email
|
|
address matches that specified in the From: address.</p>
|
|
</dd>
|
|
<dt><strong><a name="allow_proxy_certs_attime_no_check_time_check_ss_sig_crl_check_crl_check_all_explicit_policy_extended_crl_ignore_critical_inhibit_any_inhibit_map_no_alt_chains_partial_chain_policy_policy_check_policy_print_purpose_suiteb_128_suiteb_128_only_suiteb_192_trusted_first_use_deltas_auth_level_verify_depth_verify_email_verify_hostname_verify_ip_verify_name_x509_strict_issuer_checks" class="item"><strong>-allow_proxy_certs</strong>, <strong>-attime</strong>, <strong>-no_check_time</strong>,
|
|
<strong>-check_ss_sig</strong>, <strong>-crl_check</strong>, <strong>-crl_check_all</strong>,
|
|
<strong>-explicit_policy</strong>, <strong>-extended_crl</strong>, <strong>-ignore_critical</strong>, <strong>-inhibit_any</strong>,
|
|
<strong>-inhibit_map</strong>, <strong>-no_alt_chains</strong>, <strong>-partial_chain</strong>, <strong>-policy</strong>,
|
|
<strong>-policy_check</strong>, <strong>-policy_print</strong>, <strong>-purpose</strong>, <strong>-suiteB_128</strong>,
|
|
<strong>-suiteB_128_only</strong>, <strong>-suiteB_192</strong>, <strong>-trusted_first</strong>, <strong>-use_deltas</strong>,
|
|
<strong>-auth_level</strong>, <strong>-verify_depth</strong>, <strong>-verify_email</strong>, <strong>-verify_hostname</strong>,
|
|
<strong>-verify_ip</strong>, <strong>-verify_name</strong>, <strong>-x509_strict</strong> <strong>-issuer_checks</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Set various options of certificate chain verification.
|
|
See <em>openssl(1)/Verification Options</em> for details.</p>
|
|
<p>Any verification errors cause the command to exit.</p>
|
|
</dd>
|
|
<dt><strong><a name="cafile_file_no_cafile_capath_dir_no_capath_castore_uri_no_castore" class="item"><strong>-CAfile</strong> <em>file</em>, <strong>-no-CAfile</strong>, <strong>-CApath</strong> <em>dir</em>, <strong>-no-CApath</strong>,
|
|
<strong>-CAstore</strong> <em>uri</em>, <strong>-no-CAstore</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>See <em>openssl(1)/Trusted Certificate Options</em> for details.</p>
|
|
</dd>
|
|
<dt><strong><a name="engine_id" class="item"><strong>-engine</strong> <em>id</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>See <em>openssl(1)/Engine Options</em>.</p>
|
|
</dd>
|
|
<dt><strong><a name="rand_files_writerand_file" class="item"><strong>-rand</strong> <em>files</em>, <strong>-writerand</strong> <em>file</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>See <em>openssl(1)/Random State Options</em> for details.</p>
|
|
</dd>
|
|
<dt><strong><a name="cert_pem" class="item"><em>cert.pem</em> ...</a></strong></dt>
|
|
|
|
<dd>
|
|
<p>One or more certificates of message recipients, used when encrypting
|
|
a message.</p>
|
|
</dd>
|
|
</dl>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="notes">NOTES</a></h1>
|
|
<p>The MIME message must be sent without any blank lines between the
|
|
headers and the output. Some mail programs will automatically add
|
|
a blank line. Piping the mail directly to sendmail is one way to
|
|
achieve the correct format.</p>
|
|
<p>The supplied message to be signed or encrypted must include the
|
|
necessary MIME headers or many S/MIME clients won't display it
|
|
properly (if at all). You can use the <strong>-text</strong> option to automatically
|
|
add plain text headers.</p>
|
|
<p>A "signed and encrypted" message is one where a signed message is
|
|
then encrypted. This can be produced by encrypting an already signed
|
|
message: see the examples section.</p>
|
|
<p>This version of the program only allows one signer per message but it
|
|
will verify multiple signers on received messages. Some S/MIME clients
|
|
choke if a message contains multiple signers. It is possible to sign
|
|
messages "in parallel" by signing an already signed message.</p>
|
|
<p>The options <strong>-encrypt</strong> and <strong>-decrypt</strong> reflect common usage in S/MIME
|
|
clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
|
|
encrypted data is used for other purposes.</p>
|
|
<p>The <strong>-resign</strong> option uses an existing message digest when adding a new
|
|
signer. This means that attributes must be present in at least one existing
|
|
signer using the same message digest or this operation will fail.</p>
|
|
<p>The <strong>-stream</strong> and <strong>-indef</strong> options enable streaming I/O support.
|
|
As a result the encoding is BER using indefinite length constructed encoding
|
|
and no longer DER. Streaming is supported for the <strong>-encrypt</strong> operation and the
|
|
<strong>-sign</strong> operation if the content is not detached.</p>
|
|
<p>Streaming is always used for the <strong>-sign</strong> operation with detached data but
|
|
since the content is no longer part of the PKCS#7 structure the encoding
|
|
remains DER.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="exit_codes">EXIT CODES</a></h1>
|
|
<ol>
|
|
<li>
|
|
<p>The operation was completely successfully.</p>
|
|
</li>
|
|
<li>
|
|
<p>An error occurred parsing the command options.</p>
|
|
</li>
|
|
<li>
|
|
<p>One of the input files could not be read.</p>
|
|
</li>
|
|
<li>
|
|
<p>An error occurred creating the PKCS#7 file or when reading the MIME
|
|
message.</p>
|
|
</li>
|
|
<li>
|
|
<p>An error occurred decrypting or verifying the message.</p>
|
|
</li>
|
|
<li>
|
|
<p>The message was verified correctly but an error occurred writing out
|
|
the signers certificates.</p>
|
|
</li>
|
|
</ol>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="examples">EXAMPLES</a></h1>
|
|
<p>Create a cleartext signed message:</p>
|
|
<pre>
|
|
openssl smime -sign -in message.txt -text -out mail.msg \
|
|
-signer mycert.pem</pre>
|
|
<p>Create an opaque signed message:</p>
|
|
<pre>
|
|
openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
|
|
-signer mycert.pem</pre>
|
|
<p>Create a signed message, include some additional certificates and
|
|
read the private key from another file:</p>
|
|
<pre>
|
|
openssl smime -sign -in in.txt -text -out mail.msg \
|
|
-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem</pre>
|
|
<p>Create a signed message with two signers:</p>
|
|
<pre>
|
|
openssl smime -sign -in message.txt -text -out mail.msg \
|
|
-signer mycert.pem -signer othercert.pem</pre>
|
|
<p>Send a signed message under Unix directly to sendmail, including headers:</p>
|
|
<pre>
|
|
openssl smime -sign -in in.txt -text -signer mycert.pem \
|
|
-from steve@openssl.org -to someone@somewhere \
|
|
-subject "Signed message" | sendmail someone@somewhere</pre>
|
|
<p>Verify a message and extract the signer's certificate if successful:</p>
|
|
<pre>
|
|
openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt</pre>
|
|
<p>Send encrypted mail using triple DES:</p>
|
|
<pre>
|
|
openssl smime -encrypt -in in.txt -from steve@openssl.org \
|
|
-to someone@somewhere -subject "Encrypted message" \
|
|
-des3 user.pem -out mail.msg</pre>
|
|
<p>Sign and encrypt mail:</p>
|
|
<pre>
|
|
openssl smime -sign -in ml.txt -signer my.pem -text \
|
|
| openssl smime -encrypt -out mail.msg \
|
|
-from steve@openssl.org -to someone@somewhere \
|
|
-subject "Signed and Encrypted message" -des3 user.pem</pre>
|
|
<p>Note: the encryption command does not include the <strong>-text</strong> option because the
|
|
message being encrypted already has MIME headers.</p>
|
|
<p>Decrypt mail:</p>
|
|
<pre>
|
|
openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem</pre>
|
|
<p>The output from Netscape form signing is a PKCS#7 structure with the
|
|
detached signature format. You can use this program to verify the
|
|
signature by line wrapping the base64 encoded structure and surrounding
|
|
it with:</p>
|
|
<pre>
|
|
-----BEGIN PKCS7-----
|
|
-----END PKCS7-----</pre>
|
|
<p>and using the command:</p>
|
|
<pre>
|
|
openssl smime -verify -inform PEM -in signature.pem -content content.txt</pre>
|
|
<p>Alternatively you can base64 decode the signature and use:</p>
|
|
<pre>
|
|
openssl smime -verify -inform DER -in signature.der -content content.txt</pre>
|
|
<p>Create an encrypted message using 128 bit Camellia:</p>
|
|
<pre>
|
|
openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem</pre>
|
|
<p>Add a signer to an existing message:</p>
|
|
<pre>
|
|
openssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg</pre>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="bugs">BUGS</a></h1>
|
|
<p>The MIME parser isn't very clever: it seems to handle most messages that I've
|
|
thrown at it but it may choke on others.</p>
|
|
<p>The code currently will only write out the signer's certificate to a file: if
|
|
the signer has a separate encryption certificate this must be manually
|
|
extracted. There should be some heuristic that determines the correct
|
|
encryption certificate.</p>
|
|
<p>Ideally a database should be maintained of a certificates for each email
|
|
address.</p>
|
|
<p>The code doesn't currently take note of the permitted symmetric encryption
|
|
algorithms as supplied in the SMIMECapabilities signed attribute. This means the
|
|
user has to manually include the correct encryption algorithm. It should store
|
|
the list of permitted ciphers in a database and only use those.</p>
|
|
<p>No revocation checking is done on the signer's certificate.</p>
|
|
<p>The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
|
|
structures may cause parsing errors.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="see_also">SEE ALSO</a></h1>
|
|
<p><em>ossl_store-file(7)</em></p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="history">HISTORY</a></h1>
|
|
<p>The use of multiple <strong>-signer</strong> options and the <strong>-resign</strong> command were first
|
|
added in OpenSSL 1.0.0</p>
|
|
<p>The -no_alt_chains option was added in OpenSSL 1.1.0.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="copyright">COPYRIGHT</a></h1>
|
|
<p>Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.</p>
|
|
<p>Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
|
|
|
|
</body>
|
|
|
|
</html>
|