diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2013-06-21 23:24:25 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-10-01 14:01:18 +0100 |
commit | dddb38834ec69a241ff4079d22251956401d855d (patch) | |
tree | 2f26fdd34617f7564abda953f2f59dbf82cead8b | |
parent | af7d6b936b4020cf433a0bb20f911f9e03576e50 (diff) | |
download | openssl-new-dddb38834ec69a241ff4079d22251956401d855d.tar.gz |
Update cms docs.
Document use of -keyopt to use RSA-PSS and RSA-OAEP modes.
(cherry picked from commit 4bf4a6501c6ca3fa1853f07c82e0e9cfe22dee45)
-rw-r--r-- | doc/apps/cms.pod | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index a09588a18d..18fe43caa9 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -316,8 +316,13 @@ verification was successful. =item B<-recip file> -the recipients certificate when decrypting a message. This certificate -must match one of the recipients of the message or an error occurs. +when decrypting a message this specifies the recipients certificate. The +certificate must match one of the recipients of the message or an error +occurs. + +When encrypting a message this option may be used multiple times to specify +each recipient. This form B<must> be used if customised parameters are +required (for example to specify RSA-OAEP). =item B<-keyid> @@ -376,6 +381,12 @@ private key must be included in the certificate file specified with the B<-recip> or B<-signer> file. When signing this option can be used multiple times to specify successive keys. +=item B<-keyopt name:opt> + +for signing and encryption this option can be used multiple times to +set customised parameters for the preceding key or certificate. It can +currently be used to set RSA-PSS for signing or RSA-OAEP for encryption. + =item B<-passin arg> the private key password source. For more information about the format of B<arg> @@ -573,6 +584,16 @@ Add a signer to an existing message: openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg +Sign mail using RSA-PSS: + + openssl cms -sign -in message.txt -text -out mail.msg \ + -signer mycert.pem -keyopt rsa_padding_mode:pss + +Create encrypted mail using RSA-OAEP: + + openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg \ + -recip cert.pem -keyopt rsa_padding_mode:oaep + =head1 BUGS The MIME parser isn't very clever: it seems to handle most messages that I've @@ -598,5 +619,11 @@ No revocation checking is done on the signer's certificate. The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The B<keyopt> option was first added in OpenSSL 1.1.0 + +The use of B<-recip> to specify the recipient when encrypting mail was first +added to OpenSSL 1.1.0 + +Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. =cut |