diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-04-03 19:42:39 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-05-20 16:31:30 +0200 |
| commit | 340cf8759f904859e609cecf4315b7cb50cde561 (patch) | |
| tree | 5aa3a8bcf9ef4bf33847328a881a5fce77bb4c65 | |
| parent | 56c4f6fe724e4aa54498188873d84e5694b02984 (diff) | |
apps/cms: Clean up order of options in help output and documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15126)
| -rw-r--r-- | apps/cms.c | 299 | ||||
| -rw-r--r-- | doc/man1/openssl-cms.pod.in | 617 |
2 files changed, 517 insertions, 399 deletions
diff --git a/apps/cms.c b/apps/cms.c index d2225d51af..25ef1effd4 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -30,25 +30,25 @@ static CMS_ReceiptRequest static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, STACK_OF(OPENSSL_STRING) *param); -#define SMIME_OP 0x10 -#define SMIME_IP 0x20 -#define SMIME_SIGNERS 0x40 +#define SMIME_OP 0x100 +#define SMIME_IP 0x200 +#define SMIME_SIGNERS 0x400 #define SMIME_ENCRYPT (1 | SMIME_OP) #define SMIME_DECRYPT (2 | SMIME_IP) #define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) #define SMIME_VERIFY (4 | SMIME_IP) -#define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP) -#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) -#define SMIME_DATAOUT (7 | SMIME_IP) -#define SMIME_DATA_CREATE (8 | SMIME_OP) +#define SMIME_RESIGN (5 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) +#define SMIME_SIGN_RECEIPT (6 | SMIME_IP | SMIME_OP) +#define SMIME_VERIFY_RECEIPT (7 | SMIME_IP) +#define SMIME_DIGEST_CREATE (8 | SMIME_OP) #define SMIME_DIGEST_VERIFY (9 | SMIME_IP) -#define SMIME_DIGEST_CREATE (10 | SMIME_OP) +#define SMIME_COMPRESS (10 | SMIME_OP) #define SMIME_UNCOMPRESS (11 | SMIME_IP) -#define SMIME_COMPRESS (12 | SMIME_OP) +#define SMIME_ENCRYPTED_ENCRYPT (12 | SMIME_OP) #define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) -#define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP) -#define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) -#define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) +#define SMIME_DATA_CREATE (14 | SMIME_OP) +#define SMIME_DATA_OUT (15 | SMIME_IP) +#define SMIME_CMSOUT (16 | SMIME_IP | SMIME_OP) static int verify_err = 0; @@ -89,141 +89,152 @@ typedef enum OPTION_choice { const OPTIONS cms_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, OPT_SECTION("General"), - {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, - {"outform", OPT_OUTFORM, 'c', - "Output format SMIME (default), PEM or DER"}, {"in", OPT_IN, '<', "Input file"}, {"out", OPT_OUT, '>', "Output file"}, - {"debug_decrypt", OPT_DEBUG_DECRYPT, '-', - "Disable MMA protection and return an error if no recipient found" - " (see documentation)"}, - {"stream", OPT_INDEF, '-', "Enable CMS streaming"}, - {"indef", OPT_INDEF, '-', "Same as -stream"}, - {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, - {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" }, - {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, - {"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, - {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"}, - {"no-CAfile", OPT_NOCAFILE, '-', - "Do not load the default certificates file"}, - {"no-CApath", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates directory"}, - {"no-CAstore", OPT_NOCASTORE, '-', - "Do not load certificates from the default certificates store"}, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -# endif OPT_CONFIG_OPTION, - OPT_SECTION("Action"), + OPT_SECTION("Operation"), {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, {"sign", OPT_SIGN, '-', "Sign message"}, - {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"}, - {"resign", OPT_RESIGN, '-', "Resign a signed message"}, - {"cades", OPT_CADES, '-', "Include or check signingCertificate (CAdES-BES)"}, {"verify", OPT_VERIFY, '-', "Verify signed message"}, - {"verify_retcode", OPT_VERIFY_RETCODE, '-', - "Exit non-zero on verification failure"}, + {"resign", OPT_RESIGN, '-', "Resign a signed message"}, + {"sign_receipt", OPT_SIGN_RECEIPT, '-', + "Generate a signed receipt for a message"}, {"verify_receipt", OPT_VERIFY_RECEIPT, '<', - "Verify receipts; exit if receipt signatures do not verify"}, - {"digest_verify", OPT_DIGEST_VERIFY, '-', - "Verify a CMS \"DigestedData\" object and output it"}, + "Verify receipts; exit if receipt signatures do not verify"}, {"digest_create", OPT_DIGEST_CREATE, '-', - "Create a CMS \"DigestedData\" object"}, + "Create a CMS \"DigestedData\" object"}, + {"digest_verify", OPT_DIGEST_VERIFY, '-', + "Verify a CMS \"DigestedData\" object and output it"}, {"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"}, {"uncompress", OPT_UNCOMPRESS, '-', - "Uncompress a CMS \"CompressedData\" object"}, - {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-', - "Decrypt CMS \"EncryptedData\" object using symmetric key"}, + "Uncompress a CMS \"CompressedData\" object"}, {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-', - "Create CMS \"EncryptedData\" object using symmetric key"}, - {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"}, + "Create CMS \"EncryptedData\" object using symmetric key"}, + {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-', + "Decrypt CMS \"EncryptedData\" object using symmetric key"}, {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"}, + {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"}, {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, - {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-', - "Do not verify signed content signatures"}, - {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-', - "Do not verify signed attribute signatures"}, - {"nointern", OPT_NOINTERN, '-', - "Don't search certificates in message for signer"}, - {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, - OPT_SECTION("Formatting"), - {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, - {"asciicrlf", OPT_ASCIICRLF, '-', - "Perform CRLF canonicalisation when signing"}, - {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, - {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, - {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, - {"binary", OPT_BINARY, '-', "Treat input as binary: do not translate to canonical form"}, - {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, - {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, - {"nocerts", OPT_NOCERTS, '-', - "Don't include signers certificate when signing"}, - {"noout", OPT_NOOUT, '-', - "For the -cmsout operation do not output the parsed CMS structure"}, - {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" }, - {"receipt_request_all", OPT_RR_ALL, '-', - "When signing, create a receipt request for all recipients"}, - {"receipt_request_first", OPT_RR_FIRST, '-', - "When signing, create a receipt request for first recipient"}, + OPT_SECTION("File format"), + {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, + {"outform", OPT_OUTFORM, 'c', + "Output format SMIME (default), PEM or DER"}, {"rctform", OPT_RCTFORM, 'F', "Receipt file format"}, - {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, - {"content", OPT_CONTENT, '<', - "Supply or override content for detached signature"}, - {"print", OPT_PRINT, '-', - "For the -cmsout operation print out all fields of the CMS structure"}, - {"nameopt", OPT_NAMEOPT, 's', - "For the -print option specifies various strings printing options"}, - {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, + {"stream", OPT_INDEF, '-', "Enable CMS streaming"}, + {"indef", OPT_INDEF, '-', "Same as -stream"}, + {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, + {"binary", OPT_BINARY, '-', + "Treat input as binary: do not translate to canonical form"}, + {"crlfeol", OPT_CRLFEOL, '-', + "Use CRLF as EOL termination instead of CR only" }, + {"asciicrlf", OPT_ASCIICRLF, '-', + "Perform CRLF canonicalisation when signing"}, - OPT_SECTION("Keying"), + OPT_SECTION("Keys and passwords"), + {"pwri_password", OPT_PWRI_PASSWORD, 's', + "Specific password for recipient"}, {"secretkey", OPT_SECRETKEY, 's', - "Use specified hex-encoded key to decrypt/encrypt recipients or content"}, + "Use specified hex-encoded key to decrypt/encrypt recipients or content"}, {"secretkeyid", OPT_SECRETKEYID, 's', - "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"}, - {"pwri_password", OPT_PWRI_PASSWORD, 's', - "Specific password for recipient"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"}, {"inkey", OPT_INKEY, 's', "Input private key (if not signer or recipient)"}, - {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, + {"keyform", OPT_KEYFORM, 'f', + "Input private key format (ENGINE, other values ignored)"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +#endif + OPT_PROV_OPTIONS, + OPT_R_OPTIONS, - OPT_SECTION("Mail header"), - {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"}, - {"to", OPT_TO, 's', "To address"}, - {"from", OPT_FROM, 's', "From address"}, - {"subject", OPT_SUBJECT, 's', "Subject"}, - {"signer", OPT_SIGNER, 's', "Signer certificate file"}, + OPT_SECTION("Encryption and decryption"), {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"}, - {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"}, - {"receipt_request_from", OPT_RR_FROM, 's', - "Create signed receipt request with specified email address"}, - {"receipt_request_to", OPT_RR_TO, 's', - "Create signed receipt targeted to specified address"}, - - OPT_SECTION("Encryption"), - {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, - {"", OPT_CIPHER, '-', "Any supported cipher"}, - - OPT_SECTION("Key-wrapping"), + {"recip", OPT_RECIP, '<', "Recipient cert file"}, + {"cert...", OPT_PARAM, '.', + "Recipient certs (optional; used only when encrypting)"}, + {"", OPT_CIPHER, '-', + "The encryption algorithm to use (any supported cipher)"}, + {"wrap", OPT_WRAP, 's', + "Key wrap algorithm to use when encrypting with key agreement"}, {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, - {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"}, + {"debug_decrypt", OPT_DEBUG_DECRYPT, '-', + "Disable MMA protection, return error if no recipient found (see doc)"}, - OPT_R_OPTIONS, - OPT_V_OPTIONS, - OPT_PROV_OPTIONS, + OPT_SECTION("Signing"), + {"md", OPT_MD, 's', "Digest algorithm to use"}, + {"signer", OPT_SIGNER, 's', "Signer certificate input file"}, + {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, + {"cades", OPT_CADES, '-', + "Include signingCertificate attribute (CAdES-BES)"}, + {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, + {"nocerts", OPT_NOCERTS, '-', + "Don't include signer's certificate when signing"}, + {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, + {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, + {"receipt_request_all", OPT_RR_ALL, '-', + "When signing, create a receipt request for all recipients"}, + {"receipt_request_first", OPT_RR_FIRST, '-', + "When signing, create a receipt request for first recipient"}, + {"receipt_request_from", OPT_RR_FROM, 's', + "Create signed receipt request with specified email address"}, + {"receipt_request_to", OPT_RR_TO, 's', + "Create signed receipt targeted to specified address"}, - OPT_PARAMETERS(), - {"cert", 0, 0, "Recipient certs (optional; used only when encrypting)"}, + OPT_SECTION("Verification"), + {"signer", OPT_DUP, 's', "Signer certificate(s) output file"}, + {"content", OPT_CONTENT, '<', + "Supply or override content for detached signature"}, + {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-', + "Do not verify signed content signatures"}, + {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-', + "Do not verify signed attribute signatures"}, + {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, + {"nointern", OPT_NOINTERN, '-', + "Don't search certificates in message for signer"}, + {"cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)"}, + {"verify_retcode", OPT_VERIFY_RETCODE, '-', + "Exit non-zero on verification failure"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"}, + {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"no-CAstore", OPT_NOCASTORE, '-', + "Do not load certificates from the default certificates store"}, + + OPT_SECTION("Output"), + {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, + {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"}, + {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, + {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, + {"to", OPT_TO, 's', "To address"}, + {"from", OPT_FROM, 's', "From address"}, + {"subject", OPT_SUBJECT, 's', "Subject"}, + + OPT_SECTION("Printing"), + {"noout", OPT_NOOUT, '-', + "For the -cmsout operation do not output the parsed CMS structure"}, + {"print", OPT_PRINT, '-', + "For the -cmsout operation print out all fields of the CMS structure"}, + {"nameopt", OPT_NAMEOPT, 's', + "For the -print option specifies various strings printing options"}, + {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" }, + + OPT_V_OPTIONS, {NULL} }; @@ -347,6 +358,7 @@ int cms_main(int argc, char **argv) case OPT_OUT: outfile = opt_arg(); break; + case OPT_ENCRYPT: operation = SMIME_ENCRYPT; break; @@ -356,49 +368,50 @@ int cms_main(int argc, char **argv) case OPT_SIGN: operation = SMIME_SIGN; break; - case OPT_SIGN_RECEIPT: - operation = SMIME_SIGN_RECEIPT; + case OPT_VERIFY: + operation = SMIME_VERIFY; break; case OPT_RESIGN: operation = SMIME_RESIGN; break; - case OPT_VERIFY: - operation = SMIME_VERIFY; - break; - case OPT_VERIFY_RETCODE: - verify_retcode = 1; + case OPT_SIGN_RECEIPT: + operation = SMIME_SIGN_RECEIPT; break; case OPT_VERIFY_RECEIPT: operation = SMIME_VERIFY_RECEIPT; rctfile = opt_arg(); break; - case OPT_CMSOUT: - operation = SMIME_CMSOUT; - break; - case OPT_DATA_OUT: - operation = SMIME_DATAOUT; + case OPT_VERIFY_RETCODE: + verify_retcode = 1; break; - case OPT_DATA_CREATE: - operation = SMIME_DATA_CREATE; + case OPT_DIGEST_CREATE: + operation = SMIME_DIGEST_CREATE; break; case OPT_DIGEST_VERIFY: operation = SMIME_DIGEST_VERIFY; break; - case OPT_DIGEST_CREATE: - operation = SMIME_DIGEST_CREATE; - break; case OPT_COMPRESS: operation = SMIME_COMPRESS; break; case OPT_UNCOMPRESS: operation = SMIME_UNCOMPRESS; break; + case OPT_ED_ENCRYPT: + operation = SMIME_ENCRYPTED_ENCRYPT; + break; case OPT_ED_DECRYPT: operation = SMIME_ENCRYPTED_DECRYPT; break; - case OPT_ED_ENCRYPT: - operation = SMIME_ENCRYPTED_ENCRYPT; + case OPT_DATA_CREATE: + operation = SMIME_DATA_CREATE; + break; + case OPT_DATA_OUT: + operation = SMIME_DATA_OUT; + break; + case OPT_CMSOUT: + operation = SMIME_CMSOUT; break; + case OPT_DEBUG_DECRYPT: flags |= CMS_DEBUG_DECRYPT; break; @@ -693,15 +706,15 @@ int cms_main(int argc, char **argv) if (conf == NULL) goto end; break; - case OPT_3DES_WRAP: + case OPT_WRAP: + wrapname = opt_unknown(); + break; case OPT_AES128_WRAP: case OPT_AES192_WRAP: case OPT_AES256_WRAP: + case OPT_3DES_WRAP: wrapname = opt_flag() + 1; break; - case OPT_WRAP: - wrapname = opt_unknown(); - break; } } if (!app_RAND_load()) @@ -812,12 +825,12 @@ int cms_main(int argc, char **argv) if (operation == SMIME_ENCRYPT) { if (!cipher) { -# ifndef OPENSSL_NO_DES +#ifndef OPENSSL_NO_DES cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); -# else +#else BIO_printf(bio_err, "No cipher selected\n"); goto end; -# endif +#endif } if (secret_key && !secret_keyid) { @@ -1149,7 +1162,7 @@ int cms_main(int argc, char **argv) BIO_printf(bio_err, "Error decrypting CMS structure\n"); goto end; } - } else if (operation == SMIME_DATAOUT) { + } else if (operation == SMIME_DATA_OUT) { if (!CMS_data(cms, out, flags)) goto end; } else if (operation == SMIME_UNCOMPRESS) { @@ -1177,8 +1190,8 @@ int cms_main(int argc, char **argv) goto end; } if (signerfile != NULL) { - STACK_OF(X509) *signers; - signers = CMS_get0_signers(cms); + STACK_OF(X509) *signers = CMS_get0_signers(cms); + if (!save_certs(signerfile, signers)) { BIO_printf(bio_err, "Error writing signers to %s\n", signerfile); diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index bdfb607134..6e0f86804a 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -9,96 +9,131 @@ openssl-cms - CMS command B<openssl> B<cms> [B<-help>] + +General options: + +[B<-in> I<filename>] +[B<-out> I<filename>] +{- $OpenSSL::safe::opt_config_synopsis -} + +Operation options: + [B<-encrypt>] [B<-decrypt>] -[B<-debug_decrypt>] [B<-sign>] [B<-verify>] -[B<-verify_retcode>] -[B<-no_attr_verify>] -[B<-nosigs>] -[B<-no_content_verify>] -[B<-cmsout>] [B<-resign>] -[B<-cades>] -[B<-data_create>] -[B<-data_out>] +[B<-sign_receipt>] +[B<-verify_receipt> I<receipt>] [B<-digest_create>] [B<-digest_verify>] [B<-compress>] [B<-uncompress>] -[B<-EncryptedData_decrypt>] [B<-EncryptedData_encrypt>] -[B<-sign_receipt>] -[B<-verify_receipt> I<receipt>] -[B<-in> I<filename>] -[B<-out> I<filename>] +[B<-EncryptedData_decrypt>] +[B<-data_create>] +[B<-data_out>] +[B<-cmsout>] + +File format options: + [B<-inform> B<DER>|B<PEM>|B<SMIME>] [B<-outform> B<DER>|B<PEM>|B<SMIME>] [B<-rctform> B<DER>|B<PEM>|B<SMIME>] -[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-stream>] [B<-indef>] [B<-noindef>] -[B<-content> I<filename>] -[B<-text>] -[B<-noout>] -[B<-print>] -[B<-nameopt> I<option>] -[B<-md> I<digest>] +[B<-binary>] +[B<-crlfeol>] +[B<-asciicrlf>] + +Keys and password options: + +[B<-pwri_password> I<password>] +[B<-secretkey> I<key>] +[B<-secretkeyid> I<id>] +[B<-inkey> I<filename>|I<uri>] +[B<-passin> I<arg>] +[B<-keyopt> I<name>:I<parameter>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] +{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_r_synopsis -} + +Encryption options: + +[B<-originator> I<file>] +[B<-recip> I<file>] +[I<recipient-cert> ...] [B<-I<cipher>>] [B<-wrap> I<cipher>] [B<-aes128-wrap>] [B<-aes192-wrap>] [B<-aes256-wrap>] [B<-des3-wrap>] -[B<-nointern>] -[B<-noverify>] +[B<-debug_decrypt>] + +Signing options: + +[B<-md> I<digest>] +[B<-signer> I<file>] +[B<-certfile> I<file>] +[B<-cades>] +[B<-nodetach>] [B<-nocerts>] [B<-noattr>] [B<-nosmimecap>] -[B<-binary>] -[B<-crlfeol>] -[B<-asciicrlf>] -[B<-nodetach>] -[B<-certfile> I<file>] -[B<-certsout> I<file>] -[B<-signer> I<file>] -[B<-originator> I<file>] -[B<-recip> I<file>] -[B<-keyid>] [B<-receipt_request_all>] [B<-receipt_request_first>] [B<-receipt_request_from> I<emailaddress>] [B<-receipt_request_to> I<emailaddress>] -[B<-receipt_request_print>] -[B<-pwri_password> I<password>] -[B<-secretkey> I<key>] -[B<-secretkeyid> I<id>] + +Verification options: + +[B<-signer> I<file>] +[B<-content> I<filename>] +[B<-no_content_verify>] +[B<-no_attr_verify>] +[B<-nosigs>] +[B<-noverify>] +[B<-nointern>] +[B<-cades>] +[B<-verify_retcode>] +{- $OpenSSL::safe::opt_trust_synopsis -} + +Output options: + +[B<-keyid>] [B<-econtent_type> I<type>] -[B<-inkey> I<filename>|I<uri>] -[B<-keyopt> I<name>:I<parameter>] -[B<-passin> I<arg>] +[B<-text>] +[B<-certsout> I<file>] [B<-to> I<addr>] [B<-from> I<addr>] [B<-subject> I<subj>] + +Printing options: + +[B<-noout>] +[B<-print>] +[B<-nameopt> I<option>] +[B<-receipt_request_print>] + +Validation options: + {- $OpenSSL::safe::opt_v_synopsis -} -{- $OpenSSL::safe::opt_trust_synopsis -} -{- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} -{- $OpenSSL::safe::opt_config_synopsis -} -[I<recipient-cert> ...] =head1 DESCRIPTION -This command handles S/MIME v3.1 mail. It can encrypt, decrypt, -sign and verify, compress and uncompress S/MIME messages. +This command handles data in CMS format such as S/MIME v3.1 email messages. +It can encrypt, decrypt, sign, verify, compress, uncompress, and print messages. =head1 OPTIONS -There are fourteen operation options that set the type of operation to be -performed. The meaning of the other options varies according to the operation -type. +There are a number of operation options that set the type of operation to be +performed: encrypt, decrypt, sign, verify, resign, sign_receipt, verify_receipt, +digest_create, digest_verify, compress, uncompress, +EncryptedData_encrypt, EncryptedData_decrypt, data_create, data_out, or cmsout. +The relevance of the other options depends on the operation type +and their meaning may vary according to it. =over 4 @@ -106,77 +141,71 @@ type. Print out a usage message. -=item B<-encrypt> +=back -Encrypt mail for the given recipient certificates. Input file is the message -to be encrypted. The output file is the encrypted mail in MIME format. The -actual CMS type is B<EnvelopedData>. +=head2 General options -Note that no revocation check is done for the recipient cert, so if that -key has been compromised, others may be able to decrypt the text. - -=item B<-decrypt> +=over 4 -Decrypt mail using the supplied certificate and private key. Expects an -encrypted mail message in MIME format for the input file. The decrypted mail -is written to the output file. +=item B<-in> I<filename> -=item B<-debug_decrypt> +The input message to be encrypted or signed or the message to be decrypted +or verified. -This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used -with caution: see the notes section below. +=item B<-out> I<filename> -=item B<-sign> +The message text that has been decrypted or verified or the output MIME +format message that has been signed or verified. -Sign mail using the supplied certificate and private key. Input file is -the message to be signed. The signed message in MIME format is written -to the output file. +{- $OpenSSL::safe::opt_config_item -} -=item B<-verify> +=back -Verify signed mail. Expects a signed mail message on input and outputs -the signed data. Both clear text and opaque signing is supported. +=head2 Operation options -=item B<-verify_retcode> +=over 4 -Exit nonzero on verification failure. +=item B<-encrypt> -=item B<-no_attr_verify> +Encrypt data for the given recipient certificates. Input file is the message +to be encrypted. The output file is the encrypted data in MIME format. The +actual CMS type is B<EnvelopedData>. -Do not verify signed attribute signatures. +Note that no revocation check is done for the recipient cert, so if that +key has been compromised, others may be able to decrypt the text. -=item B<-no_content_verify> +=item B<-decrypt> -Do not verify signed content signatures. +Decrypt data using the supplied certificate and private key. Expects +encrypted datain MIME format for the input file. The decrypted data +is written to the output file. -=item B<-nosigs> +=item B<-sign> -Don't verify message signature. +Sign data using the supplied certificate and private key. Input file is +the message to be signed. The signed data in MIME format is written +to the output file. -=item B<-cmsout> +=item B<-verify> -Takes an input message and writes out a PEM encoded CMS structure. +Verify signed data. Expects a signed data on input and outputs +the signed data. Both clear text and opaque signing is supported. =item B<-resign> Resign a message: take an existing message and one or more new signers. -=item B<-cades> - -When used with B<-sign>, -add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute -to the SignerInfo, in order to make the signature comply with the requirements -for a CAdES Basic Electronic Signature (CAdES-BES). -When used with B<-verify>, require and check signer certificate digest. -See the NOTES section for more details. - -=item B<-data_create> +=item B<-sign_receipt> -Create a CMS B<Data> type. +Generate and output a signed receipt for the supplied message. The input +message B<must> contain a signed receipt request. Functionality is otherwise +similar to the B<-sign> operation. -=item B<-data_out> +=item B<-verify_receipt> I<receipt> -B<Data> type and output the content. +Verify a signed receipt in filename B<receipt>. The input message B<must> +contain the original receipt request. Functionality is otherwise similar +to the B<-verify> operation. =item B<-digest_create> @@ -197,37 +226,33 @@ Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be compiled with B<zlib> support for this option to work, otherwise it will output an error. -=item B<-EncryptedData_decrypt> +=item B<-EncryptedData_encrypt> -Decrypt content using supplied symmetric key and algorithm using a CMS +Encrypt content using supplied symmetric key and algorithm using a CMS B<EncryptedData> type and output the content. -=item B<-EncryptedData_encrypt> +=item B<-EncryptedData_decrypt> -Encrypt content using supplied symmetric key and algorithm using a CMS +Decrypt content using supplied symmetric key and algorithm using a CMS B<EncryptedData> type and output the content. -=item B<-sign_receipt> +=item B<-data_create> -Generate and output a signed receipt for the supplied message. The input -message B<must> contain a signed receipt request. Functionality is otherwise -similar to the B<-sign> operation. +Create a CMS B<Data> type. -=item B<-verify_receipt> I<receipt> +=item B<-data_out> -Verify a signed receipt in filename B<receipt>. The input message B<must> -contain the original receipt request. Functionality is otherwise similar -to the B<-verify> operation. +B<Data> type and output the content. -=item B<-in> I<filename> +=item B<-cmsout> -The input message to be encrypted or signed or the message to be decrypted -or verified. +Takes an input message and writes out a PEM encoded CMS structure. -=item B<-out> I<filename> +=back -The message text that has been decrypted or verified or the output MIME -format message that has been signed or verified. +=head2 File format options + +=over 4 =item B<-inform> B<DER>|B<PEM>|B<SMIME> @@ -241,11 +266,6 @@ The output format of the CMS structure (if one is being written); the default is B<SMIME>. See L<openssl-format-options(1)> for details. -=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> - -The format of the private key file; unspecified by default. -See L<openssl-format-options(1)> for details. - =item B<-rctform> B<DER>|B<PEM>|B<SMIME> The signed receipt format for use with the B<-receipt_verify>; the default @@ -267,42 +287,111 @@ Disable streaming I/O where it would produce and indefinite length constructed encoding. This option currently has no effect. In future streaming will be enabled by default on all relevant operations and this option will disable it. -=item B<-content> I<filename> +=item B<-binary> -This specifies a file containing the detached content, this is only -useful with the B<-verify> command. This is only usable if the CMS -structure is using the detached signature form where the content is -not included. This option will override any content if the input format -is S/MIME and it uses the multipart/signed MIME content type. +Normally the input message is converted to "canonical" format which is +effectively using CR and LF as end of line: as required by the S/MIME +specification. When this option is present no translation occurs. This +is useful when handling binary data which may not be in MIME format. -=item B<-text> +=item B<-crlfeol> -This option adds plain text (text/plain) MIME headers to the supplied -message if encrypting or signing. If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of MIME -type text/plain then an error occurs. +Normally the output file uses a single B<LF> as end of line. When this +option is present B<CRLF> is used instead. -=item B<-noout> +=item B<-asciicrlf> -For the B<-cmsout> operation do not output the parsed CMS structure. This -is useful when combined with the B<-print> option or if the syntax of the CMS -structure is being checked. +When signing use ASCII CRLF format canonicalisation. This strips trailing +whitespace from all lines, deletes trailing blank lines at EOF and sets +the encapsulated content type. This option is normally used with detached +content and an output signature format of DER. This option is not normally +needed when verifying as it is enabled automatically if the encapsulated +content format is detected. -=item B<-print> +=back -For the B<-cmsout> operation print out all fields of the CMS structure. This -is mainly useful for testing purposes. +=head2 Keys and password options -=item B<-nameopt> I<option> +=over 4 -For the B<-cmsout> operation when B<-print> option is in use, specifies -printing options for string fields. For most cases B<utf8> is reasonable value. -See L<openssl-namedisplay-options(1)> for details. +=item B<-pwri_password> I<password> -=item B<-md> I<digest> +Specify password for recipient. -Digest algorithm to use when signing or resigning. If not present then the -default digest algorithm for the signing key will be used (usually SHA1). +=item B<-secretkey> I<key> + +Specify symmetric key to use. The key must be supplied in hex format and be +consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt> +B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used +with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the +content encryption key using an AES key in the B<KEKRecipientInfo> type. + +=item B<-secretkeyid> I<id> + +The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type. +This option B<must> be present if the B<-secretkey> option is used with +B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the +relevant key if it is not supplied then an attempt is used to decrypt any +B<KEKRecipientInfo> structures. + +=item B<-inkey> I<filename>|I<uri> + +The private key to use when signing or decrypting. This must match the +corresponding certificate. If this option is not specified then the +private key must be included in the certificate file specified with +the B<-recip> or B<-signer> file. When signing this option can be used +multiple times to specify successive keys. + +=item B<-passin> I<arg> + +The private key password source. For more information about the format of B<arg> +see L<openssl-passphrase-options(1)>. + +=item B<-keyopt> I<name>:I<parameter> + +For signing and encryption this option can be used multiple times to +set customised parameters for the preceding key or certificate. It can +currently be used to set RSA-PSS for signing, RSA-OAEP for encryption +or to modify default parameters for ECDH. + +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> + +The format of the private key file; unspecified by default. +See L<openssl-format-options(1)> for details. + +{- $OpenSSL::safe::opt_engine_item -} + +{- $OpenSSL::safe::opt_provider_item -} + +{- $OpenSSL::safe::opt_r_item -} + +=back + +=head2 Encryption and decryption options + +=over 4 + +=item B<-originator> I<file> + +A certificate of the originator of the encrypted message. Necessary for +decryption when Key Agreement is in use for a shared key. + +=item B<-recip> I<file> + +When decrypting a message this specifies the certificate of the recipient. +The certificate must match one of the recipients of the message. + +When encrypting a message this option may be used multiple times to specify +each recipient. This form B<must> be used if customised pa |