algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any
of these algorithms is disabled then it will not be included.
+If the flags B<PKCS7_PARTSIGN> is set then the returned B<PKCS7> structure
+is just initialized ready to perform the signing operation. The signing
+is however B<not> performed and the data to be signed is not read from
+the B<data> parameter. Signing is deferred until after the data has been
+written. In this way data can be signed in a single pass. Currently the
+flag B<PKCS7_DETACHED> B<must> also be set.
+
+=head1 NOTES
+
+Currently the flag B<PKCS7_PARTSIGN> is only supported for detached
+data. If this flag is set the returned B<PKCS7> structure is B<not>
+complete and outputting its contents via a function that does not
+properly finalize the B<PKCS7> structure will give unpredictable
+results.
+
+At present only the SMIME_write_PKCS7() function properly finalizes the
+structure.
+
=head1 BUGS
PKCS7_sign() is somewhat limited. It does not support multiple signers, some
having to hold it all in memory, this would however require fairly major
revisions of the OpenSSL ASN1 code.
-Clear text signing does not store the content in memory but the way PKCS7_sign()
-operates means that two passes of the data must typically be made: one to compute
-the signatures and a second to output the data along with the signature. There
-should be a way to process the data with only a single pass.
=head1 RETURN VALUES
PKCS7_sign() was added to OpenSSL 0.9.5
+The B<PKCS7_PARTSIGN> flag was added in OpenSSL 0.9.8
+
=cut
are added to the content, this only makes sense if B<PKCS7_DETACHED>
is also set.
-If cleartext signing is being used then the data must be read twice:
-once to compute the signature in PKCS7_sign() and once to output the
-S/MIME message.
+If the B<PKCS7_PARTSIGN> flag is set the signed data is finalized
+and output along with the content. This flag should only be set
+if B<PKCS7_DETACHED> is also set and the previous call to PKCS7_sign()
+also set these flags.
+
+If cleartext signing is being used and B<PKCS7_PARTSIGN> not set then
+the data must be read twice: once to compute the signature in PKCS7_sign()
+and once to output the S/MIME message.
=head1 BUGS
SMIME_write_PKCS7() always base64 encodes PKCS#7 structures, there
should be an option to disable this.
-There should really be a way to produce cleartext signing using only
-a single pass of the data.
-
=head1 RETURN VALUES
SMIME_write_PKCS7() returns 1 for success or 0 for failure.