Upgrade to OpenSSL 0.9.8h.
aac4ff6f 1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
24.fi
25..
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. | will give a
29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31.\" expand to `' in nroff, nothing in troff, for use with C<>.
32.tr \(*W-|\(bv\*(Tr
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
43'br\}
44.el\{\
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 58..
59. nr % 0
60. rr F
984263bc 61.\}
8b0cefbb 62.\"
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes
64.\" way too many mistakes in technical documents.
65.hy 0
66.if n .na
67.\"
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
984263bc 71.if n \{\
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
77.\}
78.if t \{\
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
984263bc 84.\}
8b0cefbb 85. \" simple accents for nroff and troff
984263bc 86.if n \{\
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
93.\}
94.if t \{\
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 101.\}
8b0cefbb 102. \" troff and (daisy-wheel) nroff accents
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 112. \" corrections for vroff
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 115. \" for low resolution devices (crt and lpr)
116.if \n(.H>23 .if \n(.V>19 \
117\{\
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
127.\}
128.rm #[ #] #H #V #F C
129.\" ========================================================================
130.\"
131.IX Title "SMIME 1"
aac4ff6f 132.TH SMIME 1 "2008-09-06" "0.9.8h" "OpenSSL"
133.SH "NAME"
134smime \- S/MIME utility
135.SH "SYNOPSIS"
136.IX Header "SYNOPSIS"
137\&\fBopenssl\fR \fBsmime\fR
138[\fB\-encrypt\fR]
139[\fB\-decrypt\fR]
140[\fB\-sign\fR]
141[\fB\-verify\fR]
142[\fB\-pk7out\fR]
143[\fB\-des\fR]
144[\fB\-des3\fR]
145[\fB\-rc2\-40\fR]
146[\fB\-rc2\-64\fR]
147[\fB\-rc2\-128\fR]
148[\fB\-aes128\fR]
149[\fB\-aes192\fR]
150[\fB\-aes256\fR]
151[\fB\-camellia128\fR]
152[\fB\-camellia192\fR]
153[\fB\-camellia256\fR]
154[\fB\-in file\fR]
155[\fB\-certfile file\fR]
156[\fB\-signer file\fR]
157[\fB\-recip file\fR]
158[\fB\-inform SMIME|PEM|DER\fR]
159[\fB\-passin arg\fR]
160[\fB\-inkey file\fR]
161[\fB\-out file\fR]
162[\fB\-outform SMIME|PEM|DER\fR]
163[\fB\-content file\fR]
164[\fB\-to addr\fR]
165[\fB\-from ad\fR]
166[\fB\-subject s\fR]
167[\fB\-text\fR]
e3cdf75b 168[\fB\-rand file(s)\fR]
169[cert.pem]...
170.SH "DESCRIPTION"
8b0cefbb 171.IX Header "DESCRIPTION"
172The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and
173verify S/MIME messages.
174.SH "COMMAND OPTIONS"
8b0cefbb 175.IX Header "COMMAND OPTIONS"
176There are five operation options that set the type of operation to be performed.
177The meaning of the other options varies according to the operation type.
178.IP "\fB\-encrypt\fR" 4
179.IX Item "-encrypt"
180encrypt mail for the given recipient certificates. Input file is the message
181to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format.
182.IP "\fB\-decrypt\fR" 4
183.IX Item "-decrypt"
184decrypt mail using the supplied certificate and private key. Expects an
185encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
186is written to the output file.
187.IP "\fB\-sign\fR" 4
188.IX Item "-sign"
189sign mail using the supplied certificate and private key. Input file is
190the message to be signed. The signed message in \s-1MIME\s0 format is written
191to the output file.
192.IP "\fB\-verify\fR" 4
193.IX Item "-verify"
194verify signed mail. Expects a signed mail message on input and outputs
195the signed data. Both clear text and opaque signing are supported.
196.IP "\fB\-pk7out\fR" 4
197.IX Item "-pk7out"
198takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
199.IP "\fB\-in filename\fR" 4
200.IX Item "-in filename"
201the input message to be encrypted or signed or the \s-1MIME\s0 message to
202be decrypted or verified.
203.IP "\fB\-inform SMIME|PEM|DER\fR" 4
204.IX Item "-inform SMIME|PEM|DER"
205this specifies the input format for the PKCS#7 structure. The default
206is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
207format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
208instead. This currently only affects the input format of the PKCS#7
209structure; if no PKCS#7 structure is being input (for example with
210\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
211.IP "\fB\-out filename\fR" 4
212.IX Item "-out filename"
213the message text that has been decrypted or verified or the output \s-1MIME\s0
214format message that has been signed or verified.
215.IP "\fB\-outform SMIME|PEM|DER\fR" 4
216.IX Item "-outform SMIME|PEM|DER"
217this specifies the output format for the PKCS#7 structure. The default
218is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
219format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
220instead. This currently only affects the output format of the PKCS#7
221structure; if no PKCS#7 structure is being output (for example with
222\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
223.IP "\fB\-content filename\fR" 4
224.IX Item "-content filename"
984263bc 225This specifies a file containing the detached content, this is only
8b0cefbb 226useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
227structure is using the detached signature form where the content is
228not included. This option will override any content if the input format
229is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
230.IP "\fB\-text\fR" 4
231.IX Item "-text"
232this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
233message if encrypting or signing. If decrypting or verifying it strips
234off text headers: if the decrypted or verified message is not of \s-1MIME\s0
235type text/plain then an error occurs.
236.IP "\fB\-CAfile file\fR" 4
237.IX Item "-CAfile file"
984263bc 238a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
239.IP "\fB\-CApath dir\fR" 4
240.IX Item "-CApath dir"
984263bc 241a directory containing trusted \s-1CA\s0 certificates, only used with
8b0cefbb 242\&\fB\-verify\fR. This directory must be a standard certificate directory: that
243is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
244to each certificate.
245.IP "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128 \-aes128 \-aes192 \-aes256 \-camellia128 \-camellia192 \-camellia256\fR" 4
246.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256"
e3cdf75b 247the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits),
c6e28a8e 24840, 64 or 128 bit \s-1RC2\s0, 128, 192 or 256 bit \s-1AES\s0, or 128, 192 or 256 bit Camellia respectively. If not
e3cdf75b 249specified, 40 bit \s-1RC2\s0 (the smallest key size listed) is used. Only used with \fB\-encrypt\fR.
250.IP "\fB\-nointern\fR" 4
251.IX Item "-nointern"
252when verifying a message normally certificates (if any) included in
253the message are searched for the signing certificate. With this option
254only the certificates specified in the \fB\-certfile\fR option are used.
255The supplied certificates can still be used as untrusted CAs however.
256.IP "\fB\-noverify\fR" 4
257.IX Item "-noverify"
984263bc 258do not verify the signer's certificate of a signed message.
259.IP "\fB\-nochain\fR" 4
260.IX Item "-nochain"
261do not do chain verification of signers' certificates: that is don't
262use the certificates in the signed message as untrusted CAs.
263.IP "\fB\-nosigs\fR" 4
264.IX Item "-nosigs"
984263bc 265don't try to verify the signatures on the message.
266.IP "\fB\-nocerts\fR" 4
267.IX Item "-nocerts"
268when signing a message the signer's certificate is normally included;
269with this option it is excluded. This will reduce the size of the
270signed message but the verifier must have a copy of the signer's certificate
271available locally (passed using the \fB\-certfile\fR option for example).
272.IP "\fB\-noattr\fR" 4
273.IX Item "-noattr"
274normally when a message is signed a set of attributes are included which
275include the signing time and supported symmetric algorithms. With this
276option they are not included.
277.IP "\fB\-binary\fR" 4
278.IX Item "-binary"
984263bc 279normally the input message is converted to \*(L"canonical\*(R" format which is
8b0cefbb 280effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
281specification. When this option is present no translation occurs. This
282is useful when handling binary data which may not be in \s-1MIME\s0 format.
283.IP "\fB\-nodetach\fR" 4
284.IX Item "-nodetach"
285when signing a message use opaque signing: this form is more resistant
286to translation by mail relays but it cannot be read by mail agents that
8b0cefbb 287do not support S/MIME. Without this option cleartext signing with
984263bc 288the \s-1MIME\s0 type multipart/signed is used.
289.IP "\fB\-certfile file\fR" 4
290.IX Item "-certfile file"
291allows additional certificates to be specified. When signing these will
292be included with the message. When verifying these will be searched for
293the signer's certificates. The certificates should be in \s-1PEM\s0 format.
294.IP "\fB\-signer file\fR" 4
295.IX Item "-signer file"
296the signer's certificate when signing a message. If a message is
297being verified then the signer's certificates will be written to this
298file if the verification was successful.
299.IP "\fB\-recip file\fR" 4
300.IX Item "-recip file"
301the recipient's certificate when decrypting a message. This certificate
302must match one of the recipients of the message or an error occurs.
303.IP "\fB\-inkey file\fR" 4
304.IX Item "-inkey file"
305the private key to use when signing or decrypting. This must match the
306corresponding certificate. If this option is not specified then the
307private key must be included in the certificate file specified with
308the \fB\-recip\fR or \fB\-signer\fR file.
309.IP "\fB\-passin arg\fR" 4
310.IX Item "-passin arg"
984263bc 311the private key password source. For more information about the format of \fBarg\fR
312see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
313.IP "\fB\-rand file(s)\fR" 4
314.IX Item "-rand file(s)"
984263bc 315a file or files containing random data used to seed the random number
316generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
317Multiple files can be specified separated by an OS-dependent character.
aac4ff6f 318The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
984263bc 319all others.
320.IP "\fBcert.pem...\fR" 4
321.IX Item "cert.pem..."
984263bc 322one or more certificates of message recipients: used when encrypting
aac4ff6f 323a message.
324.IP "\fB\-to, \-from, \-subject\fR" 4
325.IX Item "-to, -from, -subject"
326the relevant mail headers. These are included outside the signed
327portion of a message so they may be included manually. If signing
8b0cefbb 328then many S/MIME mail clients check that the signer's certificate's email
329address matches that specified in the From: address.
330.SH "NOTES"
331.IX Header "NOTES"
332The \s-1MIME\s0 message must be sent without any blank lines between the
333headers and the output. Some mail programs will automatically add
334a blank line. Piping the mail directly to sendmail is one way to
335achieve the correct format.
336.PP
337The supplied message to be signed or encrypted must include the
8b0cefbb 338necessary \s-1MIME\s0 headers or many S/MIME clients won't display it
339properly (if at all). You can use the \fB\-text\fR option to automatically
340add plain text headers.
341.PP
342A \*(L"signed and encrypted\*(R" message is one where a signed message is
343then encrypted. This can be produced by encrypting an already signed
344message: see the examples section.
345.PP
346This version of the program only allows one signer per message but it
347will verify multiple signers on received messages. Some S/MIME clients
348choke if a message contains multiple signers. It is possible to sign
349messages \*(L"in parallel\*(R" by signing an already signed message.
350.PP
351The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
352clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
353encrypted data is used for other purposes.
354.SH "EXIT CODES"
355.IX Header "EXIT CODES"
356.IP "0" 4
984263bc 357the operation completed successfully.
358.IP "1" 4
359.IX Item "1"
984263bc 360an error occurred parsing the command options.
361.IP "2" 4
362.IX Item "2"
984263bc 363one of the input files could not be read.
364.IP "3" 4
365.IX Item "3"
366an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0
984263bc 367message.
368.IP "4" 4
369.IX Item "4"
984263bc 370an error occurred decrypting or verifying the message.
371.IP "5" 4
372.IX Item "5"
373the message was verified correctly but an error occurred writing out
374the signer's certificates.
375.SH "EXAMPLES"
8b0cefbb 376.IX Header "EXAMPLES"
377Create a cleartext signed message:
378.PP
379.Vb 2
380\& openssl smime -sign -in message.txt -text -out mail.msg \e
381\& -signer mycert.pem
984263bc 382.Ve
8b0cefbb 383.PP
384Create an opaque signed message:
385.PP
386.Vb 2
387\& openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e
388\& -signer mycert.pem
984263bc 389.Ve
8b0cefbb 390.PP
391Create a signed message, include some additional certificates and
392read the private key from another file:
393.PP
394.Vb 2
395\& openssl smime -sign -in in.txt -text -out mail.msg \e
396\& -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
984263bc 397.Ve
8b0cefbb 398.PP
399Send a signed message under Unix directly to sendmail, including headers:
400.PP
401.Vb 3
402\& openssl smime -sign -in in.txt -text -signer mycert.pem \e
403\& -from steve@openssl.org -to someone@somewhere \e
404\& -subject "Signed message" | sendmail someone@somewhere
984263bc 405.Ve
8b0cefbb 406.PP
407Verify a message and extract the signer's certificate if successful:
408.PP
409.Vb 1
aac4ff6f 410\& openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
984263bc 411.Ve
412.PP
413Send encrypted mail using triple \s-1DES:\s0
414.PP
415.Vb 3
416\& openssl smime -encrypt -in in.txt -from steve@openssl.org \e
417\& -to someone@somewhere -subject "Encrypted message" \e
418\& -des3 user.pem -out mail.msg
984263bc 419.Ve
8b0cefbb 420.PP
421Sign and encrypt mail:
422.PP
423.Vb 4
424\& openssl smime -sign -in ml.txt -signer my.pem -text \e
425\& | openssl smime -encrypt -out mail.msg \e
426\& -from steve@openssl.org -to someone@somewhere \e
427\& -subject "Signed and Encrypted message" -des3 user.pem
984263bc 428.Ve
8b0cefbb 429.PP
984263bc 430Note: the encryption command does not include the \fB\-text\fR option because the message
8b0cefbb 431being encrypted already has \s-1MIME\s0 headers.
432.PP
433Decrypt mail:
434.PP
435.Vb 1
aac4ff6f 436\& openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
984263bc 437.Ve
8b0cefbb 438.PP
439The output from Netscape form signing is a PKCS#7 structure with the
440detached signature format. You can use this program to verify the
441signature by line wrapping the base64 encoded structure and surrounding
442it with:
443.PP
444.Vb 2
445\& -----BEGIN PKCS7-----
446\& -----END PKCS7-----
984263bc 447.Ve
8b0cefbb 448.PP
aac4ff6f 449and using the command,
450.PP
451.Vb 1
aac4ff6f 452\& openssl smime -verify -inform PEM -in signature.pem -content content.txt
984263bc 453.Ve
8b0cefbb 454.PP
455alternatively you can base64 decode the signature and use
456.PP
457.Vb 1
aac4ff6f 458\& openssl smime -verify -inform DER -in signature.der -content content.txt
984263bc 459.Ve
460.PP
461Create an encrypted message using 128 bit Camellia:
462.PP
463.Vb 1
aac4ff6f 464\& openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
c6e28a8e 465.Ve
984263bc 466.SH "BUGS"
467.IX Header "BUGS"
468The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've thrown
469at it but it may choke on others.
470.PP
471The code currently will only write out the signer's certificate to a file: if the
472signer has a separate encryption certificate this must be manually extracted. There
473should be some heuristic that determines the correct encryption certificate.
474.PP
475Ideally a database should be maintained of certificates for each email address.
476.PP
477The code doesn't currently take note of the permitted symmetric encryption
478algorithms as supplied in the SMIMECapabilities signed attribute. This means the
479user has to manually include the correct encryption algorithm. It should store
480the list of permitted ciphers in a database and only use those.
481.PP
482No revocation checking is done on the signer's certificate: a signature made with a
certificate that has since been revoked is not rejected on that basis.
483.PP
484The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
485structures may cause parsing errors.