From: Dr. Stephen Henson Date: Wed, 12 Jul 2000 23:55:30 +0000 (+0000) Subject: Make req seed the PRNG if signing with X-Git-Tag: OpenSSL-engine-0_9_6-beta1~17^2~31 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=fd13f0ee52122e7a1f6deec1c4fd73fa1a0cb36b;p=oweals%2Fopenssl.git Make req seed the PRNG if signing with an already existing DSA key. Document the new smime options. --- diff --git a/CHANGES b/CHANGES index 3f8faa9856..f5a439fa98 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 0.9.5a and 0.9.6 [xx XXX 2000] + *) Fix so PRNG is seeded in req if using an already existing + DSA key. + [Steve Henson] + *) New options to smime application. -inform and -outform allow alternative formats for the S/MIME message including PEM and DER. The -content option allows the content to be diff --git a/apps/req.c b/apps/req.c index fd26ed8343..6a225bb431 100644 --- a/apps/req.c +++ b/apps/req.c @@ -547,6 +547,11 @@ bad: BIO_printf(bio_err,"unable to load Private key\n"); goto end; } + if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) + { + char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE"); + app_RAND_load_file(randfile, bio_err, 0); + } } if (newreq && (pkey == NULL)) diff --git a/apps/smime.c b/apps/smime.c index ebc0eb6af4..e380443d6c 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -277,8 +277,11 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-signer file signer certificate file\n"); BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n"); BIO_printf (bio_err, "-in file input file\n"); + BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n"); BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n"); BIO_printf (bio_err, "-out file output file\n"); + BIO_printf (bio_err, "-outform arg output format SMIME (default), PEM or DER\n"); + BIO_printf (bio_err, "-content file supply or override content for detached signature\n"); BIO_printf (bio_err, "-to addr to address\n"); BIO_printf (bio_err, "-from ad from address\n"); BIO_printf (bio_err, "-subject s subject\n"); diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 5dee935606..eee9d049ca 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -22,8 +22,11 @@ B B [B<-signer file>] [B<-recip file>] [B<-in file>] +[B<-inform SMIME|PEM|DER>] [B<-inkey file>] [B<-out file>] +[B<-outform SMIME|PEM|DER>] +[B<-content file>] [B<-to addr>] [B<-from ad>] [B<-subject s>] @@ -74,11 +77,37 @@ takes an input message and writes out a PEM encoded PKCS#7 structure. the input message to be encrypted or signed or the MIME message to be decrypted or verified. +=item B<-inform SMIME|PEM|DER> + +this specifies the input format for the PKCS#7 structure. The default +is B which reads an S/MIME format message. B and B +format change this to expect PEM and DER format PKCS#7 structures +instead. This currently only affects the input format of the PKCS#7 +structure, if no PKCS#7 structure is being input (for example with +B<-encrypt> or B<-sign>) this option has no effect. + =item B<-out filename> the message text that has been decrypted or verified or the output MIME format message that has been signed or verified. +=item B<-outform SMIME|PEM|DER> + +this specifies the output format for the PKCS#7 structure. The default +is B which write an S/MIME format message. B and B +format change this to write PEM and DER format PKCS#7 structures +instead. This currently only affects the output format of the PKCS#7 +structure, if no PKCS#7 structure is being output (for example with +B<-verify> or B<-decrypt>) this option has no effect. + +=item B<-content filename> + +This specifies a file containing the detached content, this is only +useful with the B<-verify> command. This is only usable if the PKCS#7 +structure is using the detached signature form where the content is +not included. This option will override any content if the input format +is S/MIME and it uses the multipart/signed MIME content type. + =item B<-text> this option adds plain text (text/plain) MIME headers to the supplied @@ -204,7 +233,7 @@ a blank line. Piping the mail directly to sendmail is one way to achieve the correct format. The supplied message to be signed or encrypted must include the -necessary MIME headers: or many S/MIME clients wont display it +necessary MIME headers or many S/MIME clients wont display it properly (if at all). You can use the B<-text> option to automatically add plain text headers. @@ -301,6 +330,22 @@ Decrypt mail: openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem +The output from Netscape form signing is a PKCS#7 structure with the +detached signature format. You can use this program to verify the +signature by line wrapping the base64 encoded structure and surrounding +it with: + + -----BEGIN PKCS7---- + -----END PKCS7---- + +and using the command, + + openssl smime -verify -inform PEM -in signature.pem -content content.txt + +alternatively you can base64 decode the signature and use + + openssl smime -verify -inform DER -in signature.der -content content.txt + =head1 BUGS The MIME parser isn't very clever: it seems to handle most messages that I've thrown