Diffstat (limited to 'doc/man1'):
  doc/man1/openssl-cms.pod.in | 26 (+16/-10)
  doc/man1/openssl-ts.pod.in  | 11 (+5/-6)
2 files changed, 21 insertions, 16 deletions
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 847ebaccd8..54e258a8f3 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -161,9 +161,12 @@ Resign a message: take an existing message and one or more new signers. =item B<-cades> -Add an ESS signing-certificate or ESS signing-certificate-v2 signed-attribute to the SignerInfo, in order to make -the signature comply with the requirements for a CAdES Basic Electronic Signature (CAdES-BES). See the NOTES -section for more details. +When used with B<-sign>, +add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute +to the SignerInfo, in order to make the signature comply with the requirements +for a CAdES Basic Electronic Signature (CAdES-BES). +When used with B<-verify>, require and check signer certificate digest. +See the NOTES section for more details. =item B<-data_create> @@ -564,7 +567,8 @@ with caution. For a fuller description see L<CMS_decrypt(3)>). =head1 CADES BASIC ELECTRONIC SIGNATURE (CADES-BES) -A CAdES Basic Electronic Signature (CAdES-BES), as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains: +A CAdES Basic Electronic Signature (CAdES-BES), +as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains: =over 4 
@@ -582,19 +586,19 @@ Message-digest of the eContent OCTET STRING within encapContentInfo being signed =item * -An ESS signing-certificate or ESS signing-certificate-v2 attribute, as defined -in Enhanced Security Services (ESS), RFC 2634 and RFC 5035. -An ESS signing-certificate attribute only allows for the use of SHA-1 as a digest algorithm. -An ESS signing-certificate-v2 attribute allows for the use of any digest algorithm. +An ESS signingCertificate or ESS signingCertificateV2 attribute, +as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035. +An ESS signingCertificate attribute only allows for SHA-1 as digest algorithm. +An ESS signingCertificateV2 attribute allows for any digest algorithm. =item * The digital signature value computed on the user data and, when present, on the signed attributes. NOTE that the B<-cades> option applies to the B<-sign> or B<-verify> operations. -With this option, the B<-verify> operation also checks that the signing-certificates -attribute is present, and its value matches the verification trust chain built -during the verification process. +With this option, the B<-verify> operation also requires that the +signingCertificate attribute is present and checks that the given identifiers +match the verification trust chain built during the verification process. =back diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 402a7a879a..c68f79c156 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in 
@@ -469,12 +469,13 @@ the TSA name field of the response. Default is no. (Optional) The SignedData objects created by the TSA always contain the certificate identifier of the signing certificate in a signed -attribute (see RFC 2634, Enhanced Security Services). If this option -is set to yes and either the B<certs> variable or the B<-chain> option +attribute (see RFC 2634, Enhanced Security Services). +If this variable is set to no, only this signing certificate identifier +is included in the SigningCertificate signed attribute. +If this variable is set to yes and the B<certs> variable or the B<-chain> option is specified then the certificate identifiers of the chain will also -be included in the SigningCertificate signed attribute. If this -variable is set to no, only the signing certificate identifier is -included. Default is no. (Optional) +be included, where the B<-chain> option overrides the B<certs> variable. +Default is no. (Optional) =item B<ess_cert_id_alg> |
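Review bot: in the openssl-cms.pod.in hunk at @@ -161,9 +161,12 @@, the new B<-verify> sentence "require and check signer certificate digest" is vaguer than the NOTES text this same patch adds and is missing an article. Say what is actually required and checked, in line with the later hunk: "When used with B<-verify>, require the ESS signingCertificate or signingCertificateV2 signed-attribute to be present and check that its certificate identifiers match the signer certificate chain." Readers rely on this option description to know that a CAdES verification fails, rather than silently passes, when the attribute is absent or its digest does not match the chain, so the behaviour on mismatch is worth stating here, not only in the NOTES section.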
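Review bot: in the openssl-cms.pod.in hunk at @@ -582,19 +586,19 @@, the rewritten NOTE says B<-verify> "requires that the signingCertificate attribute is present", but the list item two paragraphs above says the signature carries "An ESS signingCertificate or ESS signingCertificateV2 attribute". As written the NOTE reads as if only the SHA-1-only v1 attribute is accepted during verification. Suggest "requires that the signingCertificate or signingCertificateV2 attribute is present and checks that the given certificate identifiers match the verification trust chain", so the verification text and the list of required attributes agree and the reader is not steered toward the SHA-1 variant.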
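Review bot: in the openssl-ts.pod.in hunk at @@ -469,12 +469,13 @@, the added clause "where the B<-chain> option overrides the B<certs> variable" introduces a precedence rule that the old text did not state; please confirm it matches the ts application's behaviour before documenting it, since a TSA operator reading this will expect the chain identifiers in the SigningCertificate attribute to come from B<-chain> whenever both are given. Two smaller points in the same hunk: "only this signing certificate identifier" should read "only the signing certificate identifier" (the old text had it right), and the reference "(see RFC 2634, Enhanced Security Services)" could also cite RFC 5035, as the openssl-cms.pod.in hunk in this same patch does, given that the following B<ess_cert_id_alg> item exists precisely to select the signingCertificateV2 form defined there.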