Update files for OpenSSL-1.0.0f import.
[dragonfly.git] / secure / lib / libcrypto / man / CMS_sign.3
CommitLineData
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
01185282
PA
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
14.de Ve \" End verbatim text
15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
41'br\}
42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
47.\" If the F register is turned on, we'll generate index entries on stderr for
48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
51.ie \nF \{\
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
54..
55. nr % 0
56. rr F
57.\}
58.el \{\
59. de IX
60..
61.\}
62.\"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
72.\}
73.if t \{\
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
79.\}
80. \" simple accents for nroff and troff
81.if n \{\
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
88.\}
89.if t \{\
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
96.\}
97. \" troff and (daisy-wheel) nroff accents
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
107. \" corrections for vroff
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
110. \" for low resolution devices (crt and lpr)
111.if \n(.H>23 .if \n(.V>19 \
112\{\
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "CMS_sign 3"
e3261593 127.TH CMS_sign 3 "2012-01-04" "1.0.0f" "OpenSSL"
01185282
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
132.SH "NAME"
133.Vb 1
134\& CMS_sign \- create a CMS SignedData structure
135.Ve
136.SH "SYNOPSIS"
137.IX Header "SYNOPSIS"
138.Vb 1
139\& #include <openssl/cms.h>
140\&
141\& CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, unsigned int flags);
142.Ve
143.SH "DESCRIPTION"
144.IX Header "DESCRIPTION"
145\&\fICMS_sign()\fR creates and returns a \s-1CMS\s0 SignedData structure. \fBsigncert\fR is
146the certificate to sign with, \fBpkey\fR is the corresponding private key.
147\&\fBcerts\fR is an optional additional set of certificates to include in the \s-1CMS\s0
148structure (for example any intermediate CAs in the chain). Any or all of
149these parameters can be \fB\s-1NULL\s0\fR, see \fB\s-1NOTES\s0\fR below.
150.PP
151The data to be signed is read from \s-1BIO\s0 \fBdata\fR.
152.PP
153\&\fBflags\fR is an optional set of flags.
154.SH "NOTES"
155.IX Header "NOTES"
156Any of the following flags (ored together) can be passed in the \fBflags\fR
157parameter.
158.PP
159Many S/MIME clients expect the signed content to include valid \s-1MIME\s0 headers. If
160the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are prepended
161to the data.
162.PP
163If \fB\s-1CMS_NOCERTS\s0\fR is set the signer's certificate will not be included in the
164CMS_ContentInfo structure, the signer's certificate must still be supplied in
165the \fBsigncert\fR parameter though. This can reduce the size of the signature if
166the signers certificate can be obtained by other means: for example a
167previously signed message.
168.PP
169The data being signed is included in the CMS_ContentInfo structure, unless
170\&\fB\s-1CMS_DETACHED\s0\fR is set in which case it is omitted. This is used for
171CMS_ContentInfo detached signatures which are used in S/MIME plaintext signed
172messages for example.
173.PP
174Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
175required by the S/MIME specifications) if \fB\s-1CMS_BINARY\s0\fR is set no translation
176occurs. This option should be used if the supplied data is in binary format
177otherwise the translation will corrupt it.
178.PP
179The SignedData structure includes several \s-1CMS\s0 signedAttributes including the
180signing time, the \s-1CMS\s0 content type and the supported list of ciphers in an
181SMIMECapabilities attribute. If \fB\s-1CMS_NOATTR\s0\fR is set then no signedAttributes
182will be used. If \fB\s-1CMS_NOSMIMECAP\s0\fR is set then just the SMIMECapabilities are
183omitted.
184.PP
185If present the SMIMECapabilities attribute indicates support for the following
186algorithms in preference order: 256 bit \s-1AES\s0, Gost R3411\-94, Gost 28147\-89, 192
187bit \s-1AES\s0, 128 bit \s-1AES\s0, triple \s-1DES\s0, 128 bit \s-1RC2\s0, 64 bit \s-1RC2\s0, \s-1DES\s0 and 40 bit \s-1RC2\s0.
188If any of these algorithms is not available then it will not be included: for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST\s0 \s-1ENGINE\s0 is
189not loaded.
190.PP
191OpenSSL will by default identify signing certificates using issuer name
192and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
193identifier value instead. An error occurs if the signing certificate does not
194have a subject key identifier extension.
195.PP
196If the flags \fB\s-1CMS_STREAM\s0\fR is set then the returned \fBCMS_ContentInfo\fR
197structure is just initialized ready to perform the signing operation. The
198signing is however \fBnot\fR performed and the data to be signed is not read from
199the \fBdata\fR parameter. Signing is deferred until after the data has been
200written. In this way data can be signed in a single pass.
201.PP
202If the \fB\s-1CMS_PARTIAL\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
203output to which additional signers and capabilities can be added before
204finalization.
205.PP
206If the flag \fB\s-1CMS_STREAM\s0\fR is set the returned \fBCMS_ContentInfo\fR structure is
207\&\fBnot\fR complete and outputting its contents via a function that does not
208properly finalize the \fBCMS_ContentInfo\fR structure will give unpredictable
209results.
210.PP
211Several functions including \fISMIME_write_CMS()\fR, \fIi2d_CMS_bio_stream()\fR,
212\&\fIPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
213can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
214\&\fIBIO_new_CMS()\fR.
215.PP
216If a signer is specified it will use the default digest for the signing
217algorithm. This is \fB\s-1SHA1\s0\fR for both \s-1RSA\s0 and \s-1DSA\s0 keys.
218.PP
219If \fBsigncert\fR and \fBpkey\fR are \s-1NULL\s0 then a certificates only \s-1CMS\s0 structure is
220output.
221.PP
222The function \fICMS_sign()\fR is a basic \s-1CMS\s0 signing function whose output will be
223suitable for many purposes. For finer control of the output format the
224\&\fBcerts\fR, \fBsigncert\fR and \fBpkey\fR parameters can all be \fB\s-1NULL\s0\fR and the
225\&\fB\s-1CMS_PARTIAL\s0\fR flag set. Then one or more signers can be added using the
226function \fICMS_sign_add1_signer()\fR, non default digests can be used and custom
227attributes added. \fB\f(BICMS_final()\fB\fR must then be called to finalize the
228structure if streaming is not enabled.
229.SH "BUGS"
230.IX Header "BUGS"
231Some attributes such as counter signatures are not supported.
232.SH "RETURN VALUES"
233.IX Header "RETURN VALUES"
234\&\fICMS_sign()\fR returns either a valid CMS_ContentInfo structure or \s-1NULL\s0 if an error
235occurred. The error can be obtained from \fIERR_get_error\fR\|(3).
236.SH "SEE ALSO"
237.IX Header "SEE ALSO"
238\&\fIERR_get_error\fR\|(3), \fICMS_verify\fR\|(3)
239.SH "HISTORY"
240.IX Header "HISTORY"
241\&\fICMS_sign()\fR was added to OpenSSL 0.9.8
242.PP
243The \fB\s-1CMS_STREAM\s0\fR flag is only supported for detached data in OpenSSL 0.9.8,
244it is supported for embedded data in OpenSSL 1.0.0 and later.