Diffstat (limited to 'secure/lib/libcrypto/man/smime.1')
-rw-r--r-- | secure/lib/libcrypto/man/smime.1 | 473 |
1 files changed, 0 insertions, 473 deletions
diff --git a/secure/lib/libcrypto/man/smime.1 b/secure/lib/libcrypto/man/smime.1
deleted file mode 100644
index a04e835..0000000
--- a/secure/lib/libcrypto/man/smime.1
+++ /dev/null
@@ -1,473 +0,0 @@ -.\" Automatically generated by Pod::Man version 1.15 -.\" Tue Jul 30 09:20:57 2002 -.\" -.\" Standard preamble: -.\" ====================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R - -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. | will give a -.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used -.\" to do unbreakable dashes and therefore won't be available. \*(C` and -.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> -.tr \(*W-|\(bv\*(Tr -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" If the F register is turned on, we'll generate index entries on stderr -.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and -.\" index entries marked with X<> in POD. Of course, you'll have to process -.\" the output yourself in some meaningful fashion. -.if \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.\" -.\" For nroff, turn off justification. Always turn off hyphenation; it -.\" makes way too many mistakes in technical documents. -.hy 0 -.if n .na -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. 
Save yourself. No user-serviceable parts. -.bd B 3 -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. 
ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ====================================================================== -.\" -.IX Title "SMIME 1" -.TH SMIME 1 "0.9.6e" "2002-07-30" "OpenSSL" -.UC -.SH "NAME" -smime \- S/MIME utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBsmime\fR -[\fB\-encrypt\fR] -[\fB\-decrypt\fR] -[\fB\-sign\fR] -[\fB\-verify\fR] -[\fB\-pk7out\fR] -[\fB\-des\fR] -[\fB\-des3\fR] -[\fB\-rc2\-40\fR] -[\fB\-rc2\-64\fR] -[\fB\-rc2\-128\fR] -[\fB\-in file\fR] -[\fB\-certfile file\fR] -[\fB\-signer file\fR] -[\fB\-recip file\fR] -[\fB\-inform SMIME|PEM|DER\fR] -[\fB\-passin arg\fR] -[\fB\-inkey file\fR] -[\fB\-out file\fR] -[\fB\-outform SMIME|PEM|DER\fR] -[\fB\-content file\fR] -[\fB\-to addr\fR] -[\fB\-from ad\fR] -[\fB\-subject s\fR] -[\fB\-text\fR] -[\fB\-rand \f(BIfile\fB\|(s)\fR] -[cert.pem]... -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and -verify S/MIME messages. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -There are five operation options that set the type of operation to be performed. -The meaning of the other options varies according to the operation type. -.Ip "\fB\-encrypt\fR" 4 -.IX Item "-encrypt" -encrypt mail for the given recipient certificates. Input file is the message -to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. -.Ip "\fB\-decrypt\fR" 4 -.IX Item "-decrypt" -decrypt mail using the supplied certificate and private key. Expects an -encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail -is written to the output file. -.Ip "\fB\-sign\fR" 4 -.IX Item "-sign" -sign mail using the supplied certificate and private key. Input file is -the message to be signed. The signed message in \s-1MIME\s0 format is written -to the output file. -.Ip "\fB\-verify\fR" 4 -.IX Item "-verify" -verify signed mail. Expects a signed mail message on input and outputs -the signed data. 
Both clear text and opaque signing is supported. -.Ip "\fB\-pk7out\fR" 4 -.IX Item "-pk7out" -takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure. -.Ip "\fB\-in filename\fR" 4 -.IX Item "-in filename" -the input message to be encrypted or signed or the \s-1MIME\s0 message to -be decrypted or verified. -.Ip "\fB\-inform SMIME|PEM|DER\fR" 4 -.IX Item "-inform SMIME|PEM|DER" -this specifies the input format for the PKCS#7 structure. The default -is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR -format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures -instead. This currently only affects the input format of the PKCS#7 -structure, if no PKCS#7 structure is being input (for example with -\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. -.Ip "\fB\-out filename\fR" 4 -.IX Item "-out filename" -the message text that has been decrypted or verified or the output \s-1MIME\s0 -format message that has been signed or verified. -.Ip "\fB\-outform SMIME|PEM|DER\fR" 4 -.IX Item "-outform SMIME|PEM|DER" -this specifies the output format for the PKCS#7 structure. The default -is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR -format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures -instead. This currently only affects the output format of the PKCS#7 -structure, if no PKCS#7 structure is being output (for example with -\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. -.Ip "\fB\-content filename\fR" 4 -.IX Item "-content filename" -This specifies a file containing the detached content, this is only -useful with the \fB\-verify\fR command. This is only usable if the PKCS#7 -structure is using the detached signature form where the content is -not included. This option will override any content if the input format -is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. 
-.Ip "\fB\-text\fR" 4 -.IX Item "-text" -this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied -message if encrypting or signing. If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of \s-1MIME\s0 -type text/plain then an error occurs. -.Ip "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. -.Ip "\fB\-CApath dir\fR" 4 -.IX Item "-CApath dir" -a directory containing trusted \s-1CA\s0 certificates, only used with -\&\fB\-verify\fR. This directory must be a standard certificate directory: that -is a hash of each subject name (using \fBx509 \-hash\fR) should be linked -to each certificate. -.Ip "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128\fR" 4 -.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128" -the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits) -or 40, 64 or 128 bit \s-1RC2\s0 respectively if not specified 40 bit \s-1RC2\s0 is -used. Only used with \fB\-encrypt\fR. -.Ip "\fB\-nointern\fR" 4 -.IX Item "-nointern" -when verifying a message normally certificates (if any) included in -the message are searched for the signing certificate. With this option -only the certificates specified in the \fB\-certfile\fR option are used. -The supplied certificates can still be used as untrusted CAs however. -.Ip "\fB\-noverify\fR" 4 -.IX Item "-noverify" -do not verify the signers certificate of a signed message. -.Ip "\fB\-nochain\fR" 4 -.IX Item "-nochain" -do not do chain verification of signers certificates: that is don't -use the certificates in the signed message as untrusted CAs. -.Ip "\fB\-nosigs\fR" 4 -.IX Item "-nosigs" -don't try to verify the signatures on the message. -.Ip "\fB\-nocerts\fR" 4 -.IX Item "-nocerts" -when signing a message the signer's certificate is normally included -with this option it is excluded. 
This will reduce the size of the -signed message but the verifier must have a copy of the signers certificate -available locally (passed using the \fB\-certfile\fR option for example). -.Ip "\fB\-noattr\fR" 4 -.IX Item "-noattr" -normally when a message is signed a set of attributes are included which -include the signing time and supported symmetric algorithms. With this -option they are not included. -.Ip "\fB\-binary\fR" 4 -.IX Item "-binary" -normally the input message is converted to \*(L"canonical\*(R" format which is -effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME -specification. When this option is present no translation occurs. This -is useful when handling binary data which may not be in \s-1MIME\s0 format. -.Ip "\fB\-nodetach\fR" 4 -.IX Item "-nodetach" -when signing a message use opaque signing: this form is more resistant -to translation by mail relays but it cannot be read by mail agents that -do not support S/MIME. Without this option cleartext signing with -the \s-1MIME\s0 type multipart/signed is used. -.Ip "\fB\-certfile file\fR" 4 -.IX Item "-certfile file" -allows additional certificates to be specified. When signing these will -be included with the message. When verifying these will be searched for -the signers certificates. The certificates should be in \s-1PEM\s0 format. -.Ip "\fB\-signer file\fR" 4 -.IX Item "-signer file" -the signers certificate when signing a message. If a message is -being verified then the signers certificates will be written to this -file if the verification was successful. -.Ip "\fB\-recip file\fR" 4 -.IX Item "-recip file" -the recipients certificate when decrypting a message. This certificate -must match one of the recipients of the message or an error occurs. -.Ip "\fB\-inkey file\fR" 4 -.IX Item "-inkey file" -the private key to use when signing or decrypting. This must match the -corresponding certificate. 
If this option is not specified then the -private key must be included in the certificate file specified with -the \fB\-recip\fR or \fB\-signer\fR file. -.Ip "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the private key password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). -.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 -.IX Item "-rand file" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.Ip "\fBcert.pem...\fR" 4 -.IX Item "cert.pem..." -one or more certificates of message recipients: used when encrypting -a message. -.Ip "\fB\-to, \-from, \-subject\fR" 4 -.IX Item "-to, -from, -subject" -the relevant mail headers. These are included outside the signed -portion of a message so they may be included manually. If signing -then many S/MIME mail clients check the signers certificate's email -address matches that specified in the 
From: address. -.SH "NOTES" -.IX Header "NOTES" -The \s-1MIME\s0 message must be sent without any blank lines between the -headers and the output. Some mail programs will automatically add -a blank line. Piping the mail directly to sendmail is one way to -achieve the correct format. -.PP -The supplied message to be signed or encrypted must include the -necessary \s-1MIME\s0 headers or many S/MIME clients wont display it -properly (if at all). You can use the \fB\-text\fR option to automatically -add plain text headers. -.PP -A \*(L"signed and encrypted\*(R" message is one where a signed message is -then encrypted. This can be produced by encrypting an already signed -message: see the examples section. -.PP -This version of the program only allows one signer per message but it -will verify multiple signers on received messages. Some S/MIME clients -choke if a message contains multiple signers. It is possible to sign -messages \*(L"in parallel\*(R" by signing an already signed message. -.PP -The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME -clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 -encrypted data is used for other purposes. -.SH "EXIT CODES" -.IX Header "EXIT CODES" -.Ip "0" 4 -the operation was completely successfully. -.Ip "1" 4 -.IX Item "1" -an error occurred parsing the command options. -.Ip "2" 4 -.IX Item "2" -one of the input files could not be read. -.Ip "3" 4 -.IX Item "3" -an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0 -message. -.Ip "4" 4 -.IX Item "4" -an error occurred decrypting or verifying the message. -.Ip "5" 4 -.IX Item "5" -the message was verified correctly but an error occurred writing out -the signers certificates. 
-.SH "EXAMPLES" -.IX Header "EXAMPLES" -Create a cleartext signed message: -.PP -.Vb 2 -\& openssl smime -sign -in message.txt -text -out mail.msg \e -\& -signer mycert.pem -.Ve -Create and opaque signed message -.PP -.Vb 2 -\& openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e -\& -signer mycert.pem -.Ve -Create a signed message, include some additional certificates and -read the private key from another file: -.PP -.Vb 2 -\& openssl smime -sign -in in.txt -text -out mail.msg \e -\& -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem -.Ve -Send a signed message under Unix directly to sendmail, including headers: -.PP -.Vb 3 -\& openssl smime -sign -in in.txt -text -signer mycert.pem \e -\& -from steve@openssl.org -to someone@somewhere \e -\& -subject "Signed message" | sendmail someone@somewhere -.Ve -Verify a message and extract the signer's certificate if successful: -.PP -.Vb 1 -\& openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt -.Ve -Send encrypted mail using triple \s-1DES:\s0 -.PP -.Vb 3 -\& openssl smime -encrypt -in in.txt -from steve@openssl.org \e -\& -to someone@somewhere -subject "Encrypted message" \e -\& -des3 user.pem -out mail.msg -.Ve -Sign and encrypt mail: -.PP -.Vb 4 -\& openssl smime -sign -in ml.txt -signer my.pem -text \e -\& | openssl smime -encrypt -out mail.msg \e -\& -from steve@openssl.org -to someone@somewhere \e -\& -subject "Signed and Encrypted message" -des3 user.pem -.Ve -Note: the encryption command does not include the \fB\-text\fR option because the message -being encrypted already has \s-1MIME\s0 headers. -.PP -Decrypt mail: -.PP -.Vb 1 -\& openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem -.Ve -The output from Netscape form signing is a PKCS#7 structure with the -detached signature format. 
You can use this program to verify the -signature by line wrapping the base64 encoded structure and surrounding -it with: -.PP -.Vb 2 -\& -----BEGIN PKCS7---- -\& -----END PKCS7---- -.Ve -and using the command, -.PP -.Vb 1 -\& openssl smime -verify -inform PEM -in signature.pem -content content.txt -.Ve -alternatively you can base64 decode the signature and use -.PP -.Vb 1 -\& openssl smime -verify -inform DER -in signature.der -content content.txt -.Ve -.SH "BUGS" -.IX Header "BUGS" -The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've thrown -at it but it may choke on others. -.PP -The code currently will only write out the signer's certificate to a file: if the -signer has a separate encryption certificate this must be manually extracted. There -should be some heuristic that determines the correct encryption certificate. -.PP -Ideally a database should be maintained of a certificates for each email address. -.PP -The code doesn't currently take note of the permitted symmetric encryption -algorithms as supplied in the SMIMECapabilities signed attribute. this means the -user has to manually include the correct encryption algorithm. It should store -the list of permitted ciphers in a database and only use those. -.PP -No revocation checking is done on the signer's certificate. -.PP -The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 -structures may cause parsing errors. |