Make req seed the PRNG if signing with

an already existing DSA key.

Document the new smime options.

diff --git a/CHANGES b/CHANGES
index 3f8faa98569904ca8f8de7408a4d1656246175f8..f5a439fa986288e080af0760de6643655343e084 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Fix so PRNG is seeded in req if using an already existing
+     DSA key.
+     [Steve Henson]
+
   *) New options to smime application. -inform and -outform
      allow alternative formats for the S/MIME message including
      PEM and DER. The -content option allows the content to be

diff --git a/apps/req.c b/apps/req.c
index fd26ed8343443560eca87fb044d5abaf7a683b2d..6a225bb4316454f6166f84d255ee7814013a165a 100644 (file)
--- a/apps/req.c
+++ b/apps/req.c
@@ -547,6 +547,11 @@ bad:
                        BIO_printf(bio_err,"unable to load Private key\n");
                        goto end;
                        }
+                if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
+                       {
+                       char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
+                       app_RAND_load_file(randfile, bio_err, 0);
+                       }
                }
 
        if (newreq && (pkey == NULL))

diff --git a/apps/smime.c b/apps/smime.c
index ebc0eb6af44c1c22842112a66d6183250d1d1e4e..e380443d6c4f3369d738e32411c9995f5764f78b 100644 (file)
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -277,8 +277,11 @@ int MAIN(int argc, char **argv)
                BIO_printf (bio_err, "-signer file   signer certificate file\n");
                BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
                BIO_printf (bio_err, "-in file       input file\n");
+               BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
                BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
                BIO_printf (bio_err, "-out file      output file\n");
+               BIO_printf (bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
+               BIO_printf (bio_err, "-content file  supply or override content for detached signature\n");
                BIO_printf (bio_err, "-to addr       to address\n");
                BIO_printf (bio_err, "-from ad       from address\n");
                BIO_printf (bio_err, "-subject s     subject\n");

diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 5dee93560689f136c4a08497e99cc72aa79bb1bc..eee9d049ca022648315dfe98397853c46dc74936 100644 (file)
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -22,8 +22,11 @@ B<openssl> B<smime>
 [B<-signer file>]
 [B<-recip  file>]
 [B<-in file>]
+[B<-inform SMIME|PEM|DER>]
 [B<-inkey file>]
 [B<-out file>]
+[B<-outform SMIME|PEM|DER>]
+[B<-content file>]
 [B<-to addr>]
 [B<-from ad>]
 [B<-subject s>]
@@ -74,11 +77,37 @@ takes an input message and writes out a PEM encoded PKCS#7 structure.
 the input message to be encrypted or signed or the MIME message to
 be decrypted or verified.
 
+=item B<-inform SMIME|PEM|DER>
+
+this specifies the input format for the PKCS#7 structure. The default
+is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
+format change this to expect PEM and DER format PKCS#7 structures
+instead. This currently only affects the input format of the PKCS#7
+structure, if no PKCS#7 structure is being input (for example with
+B<-encrypt> or B<-sign>) this option has no effect.
+
 =item B<-out filename>
 
 the message text that has been decrypted or verified or the output MIME
 format message that has been signed or verified.
 
+=item B<-outform SMIME|PEM|DER>
+
+this specifies the output format for the PKCS#7 structure. The default
+is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
+format change this to write PEM and DER format PKCS#7 structures
+instead. This currently only affects the output format of the PKCS#7
+structure, if no PKCS#7 structure is being output (for example with
+B<-verify> or B<-decrypt>) this option has no effect.
+
+=item B<-content filename>
+
+This specifies a file containing the detached content, this is only
+useful with the B<-verify> command. This is only usable if the PKCS#7
+structure is using the detached signature form where the content is
+not included. This option will override any content if the input format
+is S/MIME and it uses the multipart/signed MIME content type.
+
 =item B<-text>
 
 this option adds plain text (text/plain) MIME headers to the supplied
@@ -204,7 +233,7 @@ a blank line. Piping the mail directly to sendmail is one way to
 achieve the correct format.
 
 The supplied message to be signed or encrypted must include the
-necessary MIME headers: or many S/MIME clients wont display it
+necessary MIME headers or many S/MIME clients wont display it
 properly (if at all). You can use the B<-text> option to automatically
 add plain text headers.
 
@@ -301,6 +330,22 @@ Decrypt mail:
 
  openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
 
+The output from Netscape form signing is a PKCS#7 structure with the
+detached signature format. You can use this program to verify the
+signature by line wrapping the base64 encoded structure and surrounding
+it with:
+
+ -----BEGIN PKCS7----
+ -----END PKCS7----
+
+and using the command, 
+
+ openssl smime -verify -inform PEM -in signature.pem -content content.txt
+
+alternatively you can base64 decode the signature and use
+
+ openssl smime -verify -inform DER -in signature.der -content content.txt
+
 =head1 BUGS
 
 The MIME parser isn't very clever: it seems to handle most messages that I've thrown