From: Dr. Stephen Henson Date: Fri, 21 Jun 2013 22:24:25 +0000 (+0100) Subject: Update cms docs. X-Git-Tag: master-post-reformat~1276 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=4bf4a6501c6ca3fa1853f07c82e0e9cfe22dee45;p=oweals%2Fopenssl.git Update cms docs. Document use of -keyopt to use RSA-PSS and RSA-OAEP modes. --- diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index a09588a18d..18fe43caa9 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -316,8 +316,13 @@ verification was successful. =item B<-recip file> -the recipients certificate when decrypting a message. This certificate -must match one of the recipients of the message or an error occurs. +when decrypting a message this specifies the recipients certificate. The +certificate must match one of the recipients of the message or an error +occurs. + +When encrypting a message this option may be used multiple times to specify +each recipient. This form B be used if customised parameters are +required (for example to specify RSA-OAEP). =item B<-keyid> @@ -376,6 +381,12 @@ private key must be included in the certificate file specified with the B<-recip> or B<-signer> file. When signing this option can be used multiple times to specify successive keys. +=item B<-keyopt name:opt> + +for signing and encryption this option can be used multiple times to +set customised parameters for the preceding key or certificate. It can +currently be used to set RSA-PSS for signing or RSA-OAEP for encryption. + =item B<-passin arg> the private key password source. For more information about the format of B @@ -573,6 +584,16 @@ Add a signer to an existing message: openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg +Sign mail using RSA-PSS: + + openssl cms -sign -in message.txt -text -out mail.msg \ + -signer mycert.pem -keyopt rsa_padding_mode:pss + +Create encrypted mail using RSA-OAEP: + + openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg \ + -recip cert.pem -keyopt rsa_padding_mode:oaep + =head1 BUGS The MIME parser isn't very clever: it seems to handle most messages that I've @@ -598,5 +619,11 @@ No revocation checking is done on the signer's certificate. The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The B option was first added in OpenSSL 1.1.0 + +The use of B<-recip> to specify the recipient when encrypting mail was first +added to OpenSSL 1.1.0 + +Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. =cut