diff options
| author | Antonio Iacono <antiac@gmail.com> | 2018-12-12 23:08:49 +0100 |
|---|---|---|
| committer | Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> | 2019-01-27 23:59:21 +0100 |
| commit | e85d19c68e7fb3302410bd72d434793e5c0c23a0 (patch) | |
| tree | 748f849bfd79db2cc7b35e5c215f4ed8794cbe62 /doc/man1 | |
| parent | 9f5a87fd665cb597fa1c1f4eef882d2d2f833e61 (diff) | |
| download | openssl-new-e85d19c68e7fb3302410bd72d434793e5c0c23a0.tar.gz | |
crypto/cms: Add support for CAdES Basic Electronic Signatures (CAdES-BES)
A CAdES Basic Electronic Signature (CAdES-BES) contains, among other
specifications, a collection of Signing Certificate reference attributes,
stored in the signedData ether as ESS signing-certificate or as
ESS signing-certificate-v2. These are described in detail in Section 5.7.2
of RFC 5126 - CMS Advanced Electronic Signatures (CAdES).
This patch adds support for adding ESS signing-certificate[-v2] attributes
to CMS signedData. Although it implements only a small part of the RFC, it
is sufficient many cases to enable the `openssl cms` app to create signatures
which comply with legal requirements of some European States (e.g Italy).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7893)
Diffstat (limited to 'doc/man1')
| -rw-r--r-- | doc/man1/cms.pod | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/doc/man1/cms.pod b/doc/man1/cms.pod index 3d360e4262..b2031c6a7a 100644 --- a/doc/man1/cms.pod +++ b/doc/man1/cms.pod @@ -15,6 +15,7 @@ B<openssl> B<cms> [B<-verify>] [B<-cmsout>] [B<-resign>] +[B<-cades>] [B<-data_create>] [B<-data_out>] [B<-digest_create>] @@ -158,6 +159,12 @@ Takes an input message and writes out a PEM encoded CMS structure. Resign a message: take an existing message and one or more new signers. +=item B<-cades> + +Add an ESS signing-certificate or ESS signing-certificate-v2 signed-attribute to the SignerInfo, in order to make +the signature comply with the requirements for a CAdES Basic Electronic Signature (CAdES-BES). See the NOTES +section for more details. + =item B<-data_create> Create a CMS B<Data> type. @@ -553,6 +560,40 @@ The B<-debug_decrypt> option can be used to disable the MMA attack protection and return an error if no recipient can be found: this option should be used with caution. For a fuller description see L<CMS_decrypt(3)>). +=head1 CAdES Basic Electronic Signature (CAdES-BES) + +A CAdES Basic Electronic Signature (CAdES-BES), as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains: + +=over 4 + +=item * + +The signed user data as defined in CMS (RFC 3852); + +=item * + +Content-type of the EncapsulatedContentInfo value being signed; + +=item * + +Message-digest of the eContent OCTET STRING within encapContentInfo being signed; + +=item * + +An ESS signing-certificate or ESS signing-certificate-v2 attribute, as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035. +An ESS signing-certificate attribute only allows for the use of SHA-1 as a digest algorithm. +An ESS signing-certificate-v2 attribute allows for the use of any digest algorithm. + +=item * + +The digital signature value computed on the user data and, when present, on the signed attributes. + +Note that currently the B<-cades> option applies only to the B<-sign> operation and is ignored during +the B<-verify> operation, i.e. the signing certification is not checked during the verification process. +This feature might be added in a future version. + +=back + =head1 EXIT CODES =over 4 |