Diffstat (limited to 'doc/man1/openssl-cms.pod.in')
-rw-r--r-- | doc/man1/openssl-cms.pod.in | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 847ebaccd8..54e258a8f3 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -161,9 +161,12 @@ Resign a message: take an existing message and one or more new signers. =item B<-cades> -Add an ESS signing-certificate or ESS signing-certificate-v2 signed-attribute to the SignerInfo, in order to make -the signature comply with the requirements for a CAdES Basic Electronic Signature (CAdES-BES). See the NOTES -section for more details. +When used with B<-sign>, +add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute +to the SignerInfo, in order to make the signature comply with the requirements +for a CAdES Basic Electronic Signature (CAdES-BES). +When used with B<-verify>, require and check signer certificate digest. +See the NOTES section for more details. =item B<-data_create> @@ -564,7 +567,8 @@ with caution. For a fuller description see L<CMS_decrypt(3)>). =head1 CADES BASIC ELECTRONIC SIGNATURE (CADES-BES) -A CAdES Basic Electronic Signature (CAdES-BES), as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains: +A CAdES Basic Electronic Signature (CAdES-BES), +as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains: =over 4 
@@ -582,19 +586,19 @@ Message-digest of the eContent OCTET STRING within encapContentInfo being signed =item * -An ESS signing-certificate or ESS signing-certificate-v2 attribute, as defined -in Enhanced Security Services (ESS), RFC 2634 and RFC 5035. -An ESS signing-certificate attribute only allows for the use of SHA-1 as a digest algorithm. -An ESS signing-certificate-v2 attribute allows for the use of any digest algorithm. +An ESS signingCertificate or ESS signingCertificateV2 attribute, +as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035. +An ESS signingCertificate attribute only allows for SHA-1 as digest algorithm. +An ESS signingCertificateV2 attribute allows for any digest algorithm. =item * The digital signature value computed on the user data and, when present, on the signed attributes. NOTE that the B<-cades> option applies to the B<-sign> or B<-verify> operations. -With this option, the B<-verify> operation also checks that the signing-certificates -attribute is present, and its value matches the verification trust chain built -during the verification process. +With this option, the B<-verify> operation also requires that the +signingCertificate attribute is present and checks that the given identifiers +match the verification trust chain built during the verification process. =back |
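Review bot: In the first hunk (the B<-cades> item at -161,9), the added sentence "When used with B<-verify>, require and check signer certificate digest." does not say which attribute carries the digest or what it is compared against, and it is missing its articles. The NOTE changed in the last hunk describes the same behaviour as requiring the attribute to be present and checking that its identifiers match the verification trust chain, so the two descriptions should use the same terms. Suggest something like "When used with B<-verify>, require the ESS signingCertificate or signingCertificateV2 attribute and check the signer certificate digest it contains."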
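Review bot: In the last hunk (-582,19), the rewritten NOTE says B<-verify> "requires that the signingCertificate attribute is present", which names only the first of the two attributes listed in the bullet above it; the removed text said "signing-certificates attribute" and did not single one out. As written, a reader can take it to mean that the SHA-1-only signingCertificate form is mandatory and that signingCertificateV2 is not accepted. Suggest "requires that the signingCertificate or signingCertificateV2 attribute is present", and replacing "the given identifiers" with what is actually compared, since the B<-cades> item in the first hunk calls it the signer certificate digest. Minor: "allows for SHA-1 as digest algorithm" reads better as "as the digest algorithm".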