Merge branch 'vendor/OPENSSL'
[dragonfly.git] / secure / usr.bin / openssl / man / smime.1
e257b235 1.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
24.fi
25..
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. \*(C+ will
29.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
30.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
31.\" nothing in troff, for use with C<>.
32.tr \(*W-
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
43'br\}
44.el\{\
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
8b0cefbb 50.\"
51.\" Escape single quotes in literal strings from groff's Unicode transform.
52.ie \n(.g .ds Aq \(aq
53.el .ds Aq '
54.\"
55.\" If the F register is turned on, we'll generate index entries on stderr for
56.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
57.\" entries marked with X<> in POD. Of course, you'll have to process the
58.\" output yourself in some meaningful fashion.
e257b235 59.ie \nF \{\
60. de IX
61. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 62..
63. nr % 0
64. rr F
984263bc 65.\}
66.el \{\
67. de IX
68..
69.\}
aac4ff6f 70.\"
71.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
72.\" Fear. Run. Save yourself. No user-serviceable parts.
73. \" fudge factors for nroff and troff
984263bc 74.if n \{\
75. ds #H 0
76. ds #V .8m
77. ds #F .3m
78. ds #[ \f1
79. ds #] \fP
80.\}
81.if t \{\
82. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
83. ds #V .6m
84. ds #F 0
85. ds #[ \&
86. ds #] \&
984263bc 87.\}
8b0cefbb 88. \" simple accents for nroff and troff
984263bc 89.if n \{\
90. ds ' \&
91. ds ` \&
92. ds ^ \&
93. ds , \&
94. ds ~ ~
95. ds /
96.\}
97.if t \{\
98. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
99. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
100. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
101. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
102. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
103. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 104.\}
8b0cefbb 105. \" troff and (daisy-wheel) nroff accents
106.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
107.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
108.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
109.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
110.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
111.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
112.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
113.ds ae a\h'-(\w'a'u*4/10)'e
114.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 115. \" corrections for vroff
116.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
117.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 118. \" for low resolution devices (crt and lpr)
119.if \n(.H>23 .if \n(.V>19 \
120\{\
121. ds : e
122. ds 8 ss
123. ds o a
124. ds d- d\h'-1'\(ga
125. ds D- D\h'-1'\(hy
126. ds th \o'bp'
127. ds Th \o'LP'
128. ds ae ae
129. ds Ae AE
130.\}
131.rm #[ #] #H #V #F C
132.\" ========================================================================
133.\"
134.IX Title "SMIME 1"
fc468453 135.TH SMIME 1 "2010-02-27" "0.9.8m" "OpenSSL"
136.\" For nroff, turn off justification. Always turn off hyphenation; it makes
137.\" way too many mistakes in technical documents.
138.if n .ad l
139.nh
140.SH "NAME"
141smime \- S/MIME utility
142.SH "SYNOPSIS"
143.IX Header "SYNOPSIS"
144\&\fBopenssl\fR \fBsmime\fR
145[\fB\-encrypt\fR]
146[\fB\-decrypt\fR]
147[\fB\-sign\fR]
148[\fB\-verify\fR]
149[\fB\-pk7out\fR]
150[\fB\-des\fR]
151[\fB\-des3\fR]
152[\fB\-rc2\-40\fR]
153[\fB\-rc2\-64\fR]
154[\fB\-rc2\-128\fR]
155[\fB\-aes128\fR]
156[\fB\-aes192\fR]
157[\fB\-aes256\fR]
158[\fB\-camellia128\fR]
159[\fB\-camellia192\fR]
160[\fB\-camellia256\fR]
161[\fB\-in file\fR]
162[\fB\-certfile file\fR]
163[\fB\-signer file\fR]
164[\fB\-recip file\fR]
165[\fB\-inform SMIME|PEM|DER\fR]
166[\fB\-passin arg\fR]
167[\fB\-inkey file\fR]
168[\fB\-out file\fR]
169[\fB\-outform SMIME|PEM|DER\fR]
170[\fB\-content file\fR]
171[\fB\-to addr\fR]
172[\fB\-from ad\fR]
173[\fB\-subject s\fR]
174[\fB\-text\fR]
e3cdf75b 175[\fB\-rand file(s)\fR]
176[cert.pem]...
177.SH "DESCRIPTION"
8b0cefbb 178.IX Header "DESCRIPTION"
179The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and
180verify S/MIME messages.
181.SH "COMMAND OPTIONS"
8b0cefbb 182.IX Header "COMMAND OPTIONS"
183There are five operation options that set the type of operation to be performed.
184The meaning of the other options varies according to the operation type.
185.IP "\fB\-encrypt\fR" 4
186.IX Item "-encrypt"
187encrypt mail for the given recipient certificates. Input file is the message
188to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format.
189.IP "\fB\-decrypt\fR" 4
190.IX Item "-decrypt"
191decrypt mail using the supplied certificate and private key. Expects an
192encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
193is written to the output file.
194.IP "\fB\-sign\fR" 4
195.IX Item "-sign"
196sign mail using the supplied certificate and private key. Input file is
197the message to be signed. The signed message in \s-1MIME\s0 format is written
198to the output file.
199.IP "\fB\-verify\fR" 4
200.IX Item "-verify"
201verify signed mail. Expects a signed mail message on input and outputs
202the signed data. Both cleartext and opaque signing are supported.
203.IP "\fB\-pk7out\fR" 4
204.IX Item "-pk7out"
205takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
206.IP "\fB\-in filename\fR" 4
207.IX Item "-in filename"
208the input message to be encrypted or signed or the \s-1MIME\s0 message to
209be decrypted or verified.
210.IP "\fB\-inform SMIME|PEM|DER\fR" 4
211.IX Item "-inform SMIME|PEM|DER"
212this specifies the input format for the PKCS#7 structure. The default
213is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
214format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
215instead. This currently only affects the input format of the PKCS#7
216structure, if no PKCS#7 structure is being input (for example with
217\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
218.IP "\fB\-out filename\fR" 4
219.IX Item "-out filename"
220the message text that has been decrypted or verified or the output \s-1MIME\s0
221format message that has been signed or verified.
222.IP "\fB\-outform SMIME|PEM|DER\fR" 4
223.IX Item "-outform SMIME|PEM|DER"
224this specifies the output format for the PKCS#7 structure. The default
225is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
226format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
227instead. This currently only affects the output format of the PKCS#7
228structure, if no PKCS#7 structure is being output (for example with
229\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
230.IP "\fB\-content filename\fR" 4
231.IX Item "-content filename"
984263bc 232This specifies a file containing the detached content; this is only
8b0cefbb 233useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
234structure is using the detached signature form where the content is
235not included. This option will override any content if the input format
236is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
237.IP "\fB\-text\fR" 4
238.IX Item "-text"
239this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
240message if encrypting or signing. If decrypting or verifying it strips
241off text headers: if the decrypted or verified message is not of \s-1MIME\s0
242type text/plain then an error occurs.
243.IP "\fB\-CAfile file\fR" 4
244.IX Item "-CAfile file"
984263bc 245a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
246.IP "\fB\-CApath dir\fR" 4
247.IX Item "-CApath dir"
984263bc 248a directory containing trusted \s-1CA\s0 certificates, only used with
8b0cefbb 249\&\fB\-verify\fR. This directory must be a standard certificate directory: that
250is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
251to each certificate.
252.IP "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128 \-aes128 \-aes192 \-aes256 \-camellia128 \-camellia192 \-camellia256\fR" 4
253.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256"
e3cdf75b 254the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits),
c6e28a8e 25540, 64 or 128 bit \s-1RC2\s0, 128, 192 or 256 bit \s-1AES\s0, or 128, 192 or 256 bit Camellia respectively. If not
e3cdf75b 256specified 40 bit \s-1RC2\s0 is used. Only used with \fB\-encrypt\fR.
257.IP "\fB\-nointern\fR" 4
258.IX Item "-nointern"
259when verifying a message normally certificates (if any) included in
260the message are searched for the signing certificate. With this option
261only the certificates specified in the \fB\-certfile\fR option are used.
262The supplied certificates can still be used as untrusted CAs however.
263.IP "\fB\-noverify\fR" 4
264.IX Item "-noverify"
984263bc 265do not verify the signer's certificate of a signed message.
266.IP "\fB\-nochain\fR" 4
267.IX Item "-nochain"
268do not do chain verification of signers' certificates: that is don't
269use the certificates in the signed message as untrusted CAs.
270.IP "\fB\-nosigs\fR" 4
271.IX Item "-nosigs"
984263bc 272don't try to verify the signatures on the message.
273.IP "\fB\-nocerts\fR" 4
274.IX Item "-nocerts"
275when signing a message the signer's certificate is normally included;
276with this option it is excluded. This will reduce the size of the
277signed message but the verifier must have a copy of the signer's certificate
278available locally (passed using the \fB\-certfile\fR option for example).
279.IP "\fB\-noattr\fR" 4
280.IX Item "-noattr"
281normally when a message is signed a set of attributes are included which
282include the signing time and supported symmetric algorithms. With this
283option they are not included.
284.IP "\fB\-binary\fR" 4
285.IX Item "-binary"
984263bc 286normally the input message is converted to \*(L"canonical\*(R" format which is
8b0cefbb 287effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
288specification. When this option is present no translation occurs. This
289is useful when handling binary data which may not be in \s-1MIME\s0 format.
290.IP "\fB\-nodetach\fR" 4
291.IX Item "-nodetach"
292when signing a message use opaque signing: this form is more resistant
293to translation by mail relays but it cannot be read by mail agents that
8b0cefbb 294do not support S/MIME. Without this option cleartext signing with
984263bc 295the \s-1MIME\s0 type multipart/signed is used.
296.IP "\fB\-certfile file\fR" 4
297.IX Item "-certfile file"
298allows additional certificates to be specified. When signing these will
299be included with the message. When verifying these will be searched for
300the signers' certificates. The certificates should be in \s-1PEM\s0 format.
301.IP "\fB\-signer file\fR" 4
302.IX Item "-signer file"
303the signer's certificate when signing a message. If a message is
304being verified then the signers' certificates will be written to this
305file if the verification was successful.
306.IP "\fB\-recip file\fR" 4
307.IX Item "-recip file"
308the recipient's certificate when decrypting a message. This certificate
309must match one of the recipients of the message or an error occurs.
310.IP "\fB\-inkey file\fR" 4
311.IX Item "-inkey file"
312the private key to use when signing or decrypting. This must match the
313corresponding certificate. If this option is not specified then the
314private key must be included in the certificate file specified with
315the \fB\-recip\fR or \fB\-signer\fR file.
316.IP "\fB\-passin arg\fR" 4
317.IX Item "-passin arg"
984263bc 318the private key password source. For more information about the format of \fBarg\fR
319see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
320.IP "\fB\-rand file(s)\fR" 4
321.IX Item "-rand file(s)"
984263bc 322a file or files containing random data used to seed the random number
323generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
324Multiple files can be specified separated by an OS-dependent character.
e257b235 325The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
984263bc 326all others.
327.IP "\fBcert.pem...\fR" 4
328.IX Item "cert.pem..."
984263bc 329one or more certificates of message recipients: used when encrypting
e257b235 330a message.
331.IP "\fB\-to, \-from, \-subject\fR" 4
332.IX Item "-to, -from, -subject"
333the relevant mail headers. These are included outside the signed
334portion of a message so they may be included manually. If signing
8b0cefbb 335then many S/MIME mail clients check that the signer's certificate's email
336address matches that specified in the From: address.
337.SH "NOTES"
338.IX Header "NOTES"
339The \s-1MIME\s0 message must be sent without any blank lines between the
340headers and the output. Some mail programs will automatically add
341a blank line. Piping the mail directly to sendmail is one way to
342achieve the correct format.
343.PP
344The supplied message to be signed or encrypted must include the
8b0cefbb 345necessary \s-1MIME\s0 headers or many S/MIME clients won't display it
346properly (if at all). You can use the \fB\-text\fR option to automatically
347add plain text headers.
348.PP
349A \*(L"signed and encrypted\*(R" message is one where a signed message is
350then encrypted. This can be produced by encrypting an already signed
351message: see the examples section.
352.PP
353This version of the program only allows one signer per message but it
354will verify multiple signers on received messages. Some S/MIME clients
355choke if a message contains multiple signers. It is possible to sign
356messages \*(L"in parallel\*(R" by signing an already signed message.
357.PP
358The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
359clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
360encrypted data is used for other purposes.
361.SH "EXIT CODES"
362.IX Header "EXIT CODES"
363.IP "0" 4
984263bc 364the operation completed successfully.
365.IP "1" 4
366.IX Item "1"
984263bc 367an error occurred parsing the command options.
368.IP "2" 4
369.IX Item "2"
984263bc 370one of the input files could not be read.
371.IP "3" 4
372.IX Item "3"
373an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0
984263bc 374message.
375.IP "4" 4
376.IX Item "4"
984263bc 377an error occurred decrypting or verifying the message.
378.IP "5" 4
379.IX Item "5"
380the message was verified correctly but an error occurred writing out
381the signers' certificates.
382.SH "EXAMPLES"
8b0cefbb 383.IX Header "EXAMPLES"
384Create a cleartext signed message:
385.PP
386.Vb 2
387\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e
388\& \-signer mycert.pem
984263bc 389.Ve
8b0cefbb 390.PP
391Create an opaque signed message:
392.PP
393.Vb 2
394\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e
395\& \-signer mycert.pem
984263bc 396.Ve
8b0cefbb 397.PP
398Create a signed message, include some additional certificates and
399read the private key from another file:
400.PP
401.Vb 2
402\& openssl smime \-sign \-in in.txt \-text \-out mail.msg \e
403\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem
984263bc 404.Ve
8b0cefbb 405.PP
406Send a signed message under Unix directly to sendmail, including headers:
407.PP
408.Vb 3
409\& openssl smime \-sign \-in in.txt \-text \-signer mycert.pem \e
410\& \-from steve@openssl.org \-to someone@somewhere \e
411\& \-subject "Signed message" | sendmail someone@somewhere
984263bc 412.Ve
8b0cefbb 413.PP
414Verify a message and extract the signer's certificate if successful:
415.PP
416.Vb 1
e257b235 417\& openssl smime \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt
984263bc 418.Ve
419.PP
420Send encrypted mail using triple \s-1DES:\s0
421.PP
422.Vb 3
423\& openssl smime \-encrypt \-in in.txt \-from steve@openssl.org \e
424\& \-to someone@somewhere \-subject "Encrypted message" \e
425\& \-des3 user.pem \-out mail.msg
984263bc 426.Ve
8b0cefbb 427.PP
428Sign and encrypt mail:
429.PP
430.Vb 4
431\& openssl smime \-sign \-in ml.txt \-signer my.pem \-text \e
432\& | openssl smime \-encrypt \-out mail.msg \e
433\& \-from steve@openssl.org \-to someone@somewhere \e
434\& \-subject "Signed and Encrypted message" \-des3 user.pem
984263bc 435.Ve
8b0cefbb 436.PP
984263bc 437Note: the encryption command does not include the \fB\-text\fR option because the message
8b0cefbb 438being encrypted already has \s-1MIME\s0 headers.
439.PP
440Decrypt mail:
441.PP
442.Vb 1
e257b235 443\& openssl smime \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem
984263bc 444.Ve
8b0cefbb 445.PP
446The output from Netscape form signing is a PKCS#7 structure with the
447detached signature format. You can use this program to verify the
448signature by line wrapping the base64 encoded structure and surrounding
449it with:
450.PP
451.Vb 2
452\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
453\& \-\-\-\-\-END PKCS7\-\-\-\-\-
984263bc 454.Ve
8b0cefbb 455.PP
e257b235 456and using the command,
457.PP
458.Vb 1
e257b235 459\& openssl smime \-verify \-inform PEM \-in signature.pem \-content content.txt
984263bc 460.Ve
8b0cefbb 461.PP
462alternatively you can base64 decode the signature and use
463.PP
464.Vb 1
e257b235 465\& openssl smime \-verify \-inform DER \-in signature.der \-content content.txt
984263bc 466.Ve
467.PP
468Create an encrypted message using 128 bit Camellia:
469.PP
470.Vb 1
e257b235 471\& openssl smime \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem
c6e28a8e 472.Ve
984263bc 473.SH "BUGS"
474.IX Header "BUGS"
475The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've thrown
476at it but it may choke on others.
477.PP
478The code currently will only write out the signer's certificate to a file: if the
479signer has a separate encryption certificate this must be manually extracted. There
480should be some heuristic that determines the correct encryption certificate.
481.PP
482Ideally a database should be maintained of certificates for each email address.
483.PP
484The code doesn't currently take note of the permitted symmetric encryption
485algorithms as supplied in the SMIMECapabilities signed attribute. This means the
486user has to manually include the correct encryption algorithm. It should store
487the list of permitted ciphers in a database and only use those.
488.PP
489No revocation checking is done on the signer's certificate.
490.PP
491The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
492structures may cause parsing errors.