Regenerate the manual pages after the OpenSSL update to 0.9.7e.
[dragonfly.git] / secure / usr.bin / openssl / man / smime.1
1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
24.fi
25..
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. | will give a
29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31.\" expand to `' in nroff, nothing in troff, for use with C<>.
984263bc 32.tr \(*W-|\(bv\*(Tr
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
43'br\}
44.el\{\
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 58..
59. nr % 0
60. rr F
984263bc 61.\}
62.\"
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes
64.\" way too many mistakes in technical documents.
65.hy 0
984263bc 66.if n .na
67.\"
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
984263bc 71.if n \{\
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
77.\}
78.if t \{\
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
984263bc 84.\}
8b0cefbb 85. \" simple accents for nroff and troff
984263bc 86.if n \{\
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
93.\}
94.if t \{\
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 101.\}
8b0cefbb 102. \" troff and (daisy-wheel) nroff accents
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 112. \" corrections for vroff
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 115. \" for low resolution devices (crt and lpr)
116.if \n(.H>23 .if \n(.V>19 \
117\{\
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
127.\}
128.rm #[ #] #H #V #F C
129.\" ========================================================================
130.\"
131.IX Title "SMIME 1"
132.TH SMIME 1 "2004-12-18" "0.9.7e" "OpenSSL"
133.SH "NAME"
134smime \- S/MIME utility
135.SH "SYNOPSIS"
136.IX Header "SYNOPSIS"
137\&\fBopenssl\fR \fBsmime\fR
138[\fB\-encrypt\fR]
139[\fB\-decrypt\fR]
140[\fB\-sign\fR]
141[\fB\-verify\fR]
142[\fB\-pk7out\fR]
143[\fB\-des\fR]
144[\fB\-des3\fR]
145[\fB\-rc2\-40\fR]
146[\fB\-rc2\-64\fR]
147[\fB\-rc2\-128\fR]
148[\fB\-aes128\fR]
149[\fB\-aes192\fR]
150[\fB\-aes256\fR]
151[\fB\-in file\fR]
152[\fB\-certfile file\fR]
153[\fB\-signer file\fR]
154[\fB\-recip file\fR]
155[\fB\-inform SMIME|PEM|DER\fR]
156[\fB\-passin arg\fR]
157[\fB\-inkey file\fR]
158[\fB\-out file\fR]
159[\fB\-outform SMIME|PEM|DER\fR]
160[\fB\-content file\fR]
161[\fB\-to addr\fR]
162[\fB\-from ad\fR]
163[\fB\-subject s\fR]
164[\fB\-text\fR]
e3cdf75b 165[\fB\-rand file(s)\fR]
166[cert.pem]...
167.SH "DESCRIPTION"
8b0cefbb 168.IX Header "DESCRIPTION"
169The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and
170verify S/MIME messages.
171.SH "COMMAND OPTIONS"
8b0cefbb 172.IX Header "COMMAND OPTIONS"
173There are five operation options that set the type of operation to be performed.
174The meaning of the other options varies according to the operation type.
175.IP "\fB\-encrypt\fR" 4
176.IX Item "-encrypt"
177encrypt mail for the given recipient certificates. Input file is the message
178to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format.
179.IP "\fB\-decrypt\fR" 4
180.IX Item "-decrypt"
181decrypt mail using the supplied certificate and private key. Expects an
182encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
183is written to the output file.
184.IP "\fB\-sign\fR" 4
185.IX Item "-sign"
186sign mail using the supplied certificate and private key. Input file is
187the message to be signed. The signed message in \s-1MIME\s0 format is written
188to the output file.
189.IP "\fB\-verify\fR" 4
190.IX Item "-verify"
191verify signed mail. Expects a signed mail message on input and outputs
192the signed data. Both clear text and opaque signing are supported.
193.IP "\fB\-pk7out\fR" 4
194.IX Item "-pk7out"
195takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
196.IP "\fB\-in filename\fR" 4
197.IX Item "-in filename"
198the input message to be encrypted or signed or the \s-1MIME\s0 message to
199be decrypted or verified.
200.IP "\fB\-inform SMIME|PEM|DER\fR" 4
201.IX Item "-inform SMIME|PEM|DER"
202this specifies the input format for the PKCS#7 structure. The default
203is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
204format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
205instead. This currently only affects the input format of the PKCS#7
206structure, if no PKCS#7 structure is being input (for example with
207\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
208.IP "\fB\-out filename\fR" 4
209.IX Item "-out filename"
210the message text that has been decrypted or verified or the output \s-1MIME\s0
211format message that has been signed or verified.
212.IP "\fB\-outform SMIME|PEM|DER\fR" 4
213.IX Item "-outform SMIME|PEM|DER"
214this specifies the output format for the PKCS#7 structure. The default
215is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
216format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
217instead. This currently only affects the output format of the PKCS#7
218structure, if no PKCS#7 structure is being output (for example with
219\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
220.IP "\fB\-content filename\fR" 4
221.IX Item "-content filename"
984263bc 222This specifies a file containing the detached content, this is only
8b0cefbb 223useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
224structure is using the detached signature form where the content is
225not included. This option will override any content if the input format
226is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
227.IP "\fB\-text\fR" 4
228.IX Item "-text"
229this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
230message if encrypting or signing. If decrypting or verifying it strips
231off text headers: if the decrypted or verified message is not of \s-1MIME\s0
232type text/plain then an error occurs.
233.IP "\fB\-CAfile file\fR" 4
234.IX Item "-CAfile file"
984263bc 235a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
236.IP "\fB\-CApath dir\fR" 4
237.IX Item "-CApath dir"
984263bc 238a directory containing trusted \s-1CA\s0 certificates, only used with
8b0cefbb 239\&\fB\-verify\fR. This directory must be a standard certificate directory: that
240is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
241to each certificate.
242.IP "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128 \-aes128 \-aes192 \-aes256\fR" 4
243.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256"
244the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits),
24540, 64 or 128 bit \s-1RC2\s0 or 128, 192 or 256 bit \s-1AES\s0 respectively. If not
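246specified 40 bit \s-1RC2\s0 is used, which is far too weak to protect a message; give a stronger cipher such as \fB\-des3\fR or \fB\-aes256\fR explicitly. Only used with \fB\-encrypt\fR.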
247.IP "\fB\-nointern\fR" 4
248.IX Item "-nointern"
249when verifying a message normally certificates (if any) included in
250the message are searched for the signing certificate. With this option
251only the certificates specified in the \fB\-certfile\fR option are used.
252The supplied certificates can still be used as untrusted CAs however.
253.IP "\fB\-noverify\fR" 4
254.IX Item "-noverify"
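984263bc 255do not verify the signer's certificate of a signed message. The signature is then checked against the certificate as supplied, without establishing that it chains to a trusted \s-1CA\s0.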
256.IP "\fB\-nochain\fR" 4
257.IX Item "-nochain"
258do not do chain verification of signers certificates: that is don't
259use the certificates in the signed message as untrusted CAs.
260.IP "\fB\-nosigs\fR" 4
261.IX Item "-nosigs"
984263bc 262don't try to verify the signatures on the message.
263.IP "\fB\-nocerts\fR" 4
264.IX Item "-nocerts"
265when signing a message the signer's certificate is normally included;
266with this option it is excluded. This will reduce the size of the
267signed message but the verifier must have a copy of the signer's certificate
268available locally (passed using the \fB\-certfile\fR option for example).
269.IP "\fB\-noattr\fR" 4
270.IX Item "-noattr"
271normally when a message is signed a set of attributes are included which
272include the signing time and supported symmetric algorithms. With this
273option they are not included.
274.IP "\fB\-binary\fR" 4
275.IX Item "-binary"
984263bc 276normally the input message is converted to \*(L"canonical\*(R" format which is
8b0cefbb 277effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
278specification. When this option is present no translation occurs. This
279is useful when handling binary data which may not be in \s-1MIME\s0 format.
280.IP "\fB\-nodetach\fR" 4
281.IX Item "-nodetach"
282when signing a message use opaque signing: this form is more resistant
283to translation by mail relays but it cannot be read by mail agents that
8b0cefbb 284do not support S/MIME. Without this option cleartext signing with
984263bc 285the \s-1MIME\s0 type multipart/signed is used.
286.IP "\fB\-certfile file\fR" 4
287.IX Item "-certfile file"
288allows additional certificates to be specified. When signing these will
289be included with the message. When verifying these will be searched for
290the signers certificates. The certificates should be in \s-1PEM\s0 format.
291.IP "\fB\-signer file\fR" 4
292.IX Item "-signer file"
293the signers certificate when signing a message. If a message is
294being verified then the signers certificates will be written to this
295file if the verification was successful.
296.IP "\fB\-recip file\fR" 4
297.IX Item "-recip file"
298the recipients certificate when decrypting a message. This certificate
299must match one of the recipients of the message or an error occurs.
300.IP "\fB\-inkey file\fR" 4
301.IX Item "-inkey file"
302the private key to use when signing or decrypting. This must match the
303corresponding certificate. If this option is not specified then the
304private key must be included in the certificate file specified with
305the \fB\-recip\fR or \fB\-signer\fR file.
306.IP "\fB\-passin arg\fR" 4
307.IX Item "-passin arg"
984263bc 308the private key password source. For more information about the format of \fBarg\fR
309see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
310.IP "\fB\-rand file(s)\fR" 4
311.IX Item "-rand file(s)"
984263bc 312a file or files containing random data used to seed the random number
313generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
314Multiple files can be specified separated by an OS-dependent character.
315The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
984263bc 316all others.
317.IP "\fBcert.pem...\fR" 4
318.IX Item "cert.pem..."
319one or more certificates of message recipients: used when encrypting
320a message.
321.IP "\fB\-to, \-from, \-subject\fR" 4
322.IX Item "-to, -from, -subject"
323the relevant mail headers. These are included outside the signed
324portion of a message, so they are not covered by the signature and may be included manually. If signing
8b0cefbb 325then many S/MIME mail clients check the signers certificate's email
326address matches that specified in the From: address.
327.SH "NOTES"
328.IX Header "NOTES"
329The \s-1MIME\s0 message must be sent without any blank lines between the
330headers and the output. Some mail programs will automatically add
331a blank line. Piping the mail directly to sendmail is one way to
332achieve the correct format.
333.PP
334The supplied message to be signed or encrypted must include the
8b0cefbb 335necessary \s-1MIME\s0 headers or many S/MIME clients won't display it
336properly (if at all). You can use the \fB\-text\fR option to automatically
337add plain text headers.
338.PP
339A \*(L"signed and encrypted\*(R" message is one where a signed message is
340then encrypted. This can be produced by encrypting an already signed
341message: see the examples section.
342.PP
343This version of the program only allows one signer per message but it
344will verify multiple signers on received messages. Some S/MIME clients
345choke if a message contains multiple signers. It is possible to sign
346messages \*(L"in parallel\*(R" by signing an already signed message.
347.PP
348The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
349clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
350encrypted data is used for other purposes.
351.SH "EXIT CODES"
352.IX Header "EXIT CODES"
353.IP "0" 4
984263bc 354the operation was completed successfully.
355.IP "1" 4
356.IX Item "1"
984263bc 357an error occurred parsing the command options.
358.IP "2" 4
359.IX Item "2"
984263bc 360one of the input files could not be read.
361.IP "3" 4
362.IX Item "3"
363an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0
984263bc 364message.
365.IP "4" 4
366.IX Item "4"
984263bc 367an error occurred decrypting or verifying the message.
368.IP "5" 4
369.IX Item "5"
370the message was verified correctly but an error occurred writing out
371the signers certificates.
372.SH "EXAMPLES"
8b0cefbb 373.IX Header "EXAMPLES"
374Create a cleartext signed message:
375.PP
376.Vb 2
377\& openssl smime -sign -in message.txt -text -out mail.msg \e
378\& -signer mycert.pem
379.Ve
8b0cefbb 380.PP
381Create an opaque signed message:
382.PP
383.Vb 2
384\& openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e
385\& -signer mycert.pem
386.Ve
8b0cefbb 387.PP
388Create a signed message, include some additional certificates and
389read the private key from another file:
390.PP
391.Vb 2
392\& openssl smime -sign -in in.txt -text -out mail.msg \e
393\& -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
394.Ve
8b0cefbb 395.PP
396Send a signed message under Unix directly to sendmail, including headers:
397.PP
398.Vb 3
399\& openssl smime -sign -in in.txt -text -signer mycert.pem \e
400\& -from steve@openssl.org -to someone@somewhere \e
401\& -subject "Signed message" | sendmail someone@somewhere
402.Ve
8b0cefbb 403.PP
404Verify a message and extract the signer's certificate if successful:
405.PP
406.Vb 1
407\& openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
408.Ve
409.PP
410Send encrypted mail using triple \s-1DES:\s0
411.PP
412.Vb 3
413\& openssl smime -encrypt -in in.txt -from steve@openssl.org \e
414\& -to someone@somewhere -subject "Encrypted message" \e
415\& -des3 user.pem -out mail.msg
416.Ve
8b0cefbb 417.PP
418Sign and encrypt mail:
419.PP
420.Vb 4
421\& openssl smime -sign -in ml.txt -signer my.pem -text \e
422\& | openssl smime -encrypt -out mail.msg \e
423\& -from steve@openssl.org -to someone@somewhere \e
424\& -subject "Signed and Encrypted message" -des3 user.pem
425.Ve
8b0cefbb 426.PP
984263bc 427Note: the encryption command does not include the \fB\-text\fR option because the message
8b0cefbb 428being encrypted already has \s-1MIME\s0 headers.
429.PP
430Decrypt mail:
431.PP
432.Vb 1
433\& openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
434.Ve
8b0cefbb 435.PP
436The output from Netscape form signing is a PKCS#7 structure with the
437detached signature format. You can use this program to verify the
438signature by line wrapping the base64 encoded structure and surrounding
439it with:
440.PP
441.Vb 2
442\& -----BEGIN PKCS7-----
443\& -----END PKCS7-----
444.Ve
8b0cefbb 445.PP
446and using the command,
447.PP
448.Vb 1
449\& openssl smime -verify -inform PEM -in signature.pem -content content.txt
450.Ve
8b0cefbb 451.PP
452alternatively you can base64 decode the signature and use
453.PP
454.Vb 1
455\& openssl smime -verify -inform DER -in signature.der -content content.txt
456.Ve
457.SH "BUGS"
458.IX Header "BUGS"
459The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've thrown
460at it but it may choke on others.
461.PP
462The code currently will only write out the signer's certificate to a file: if the
463signer has a separate encryption certificate this must be manually extracted. There
464should be some heuristic that determines the correct encryption certificate.
465.PP
466Ideally a database should be maintained of the certificates for each email address.
467.PP
468The code doesn't currently take note of the permitted symmetric encryption
469algorithms as supplied in the SMIMECapabilities signed attribute. This means the
470user has to manually include the correct encryption algorithm. It should store
471the list of permitted ciphers in a database and only use those.
472.PP
473No revocation checking is done on the signer's certificate.
474.PP
475The current code can only handle S/MIME v2 messages; the more complex S/MIME v3
476structures may cause parsing errors.