Diffstat (limited to 'upstream/archlinux/man1/openssl-smime.1ssl')
-rw-r--r-- | upstream/archlinux/man1/openssl-smime.1ssl | 569 |
1 files changed, 569 insertions, 0 deletions
diff --git a/upstream/archlinux/man1/openssl-smime.1ssl b/upstream/archlinux/man1/openssl-smime.1ssl
new file mode 100644
index 00000000..ee8ad6b6
--- /dev/null
+++ b/upstream/archlinux/man1/openssl-smime.1ssl
@@ -0,0 +1,569 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" ======================================================================== +.\" +.IX Title "OPENSSL-SMIME 1ssl" +.TH OPENSSL-SMIME 1ssl 2024-01-30 3.2.1 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +openssl\-smime \- S/MIME command +.SH SYNOPSIS +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBsmime\fR +[\fB\-help\fR] +[\fB\-encrypt\fR] +[\fB\-decrypt\fR] +[\fB\-sign\fR] +[\fB\-resign\fR] +[\fB\-verify\fR] +[\fB\-pk7out\fR] +[\fB\-binary\fR] +[\fB\-crlfeol\fR] +[\fB\-\fR\f(BIcipher\fR] +[\fB\-in\fR \fIfile\fR] +[\fB\-certfile\fR \fIfile\fR] +[\fB\-signer\fR \fIfile\fR] +[\fB\-nointern\fR] +[\fB\-noverify\fR] +[\fB\-nochain\fR] +[\fB\-nosigs\fR] +[\fB\-nocerts\fR] +[\fB\-noattr\fR] +[\fB\-nodetach\fR] +[\fB\-nosmimecap\fR] +[\fB\-recip\fR \fI file\fR] +[\fB\-inform\fR \fBDER\fR|\fBPEM\fR|\fBSMIME\fR] +[\fB\-outform\fR \fBDER\fR|\fBPEM\fR|\fBSMIME\fR] +[\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR] +[\fB\-passin\fR \fIarg\fR] +[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR] +[\fB\-out\fR \fIfile\fR] +[\fB\-content\fR \fIfile\fR] +[\fB\-to\fR \fIaddr\fR] +[\fB\-from\fR \fIad\fR] +[\fB\-subject\fR \fIs\fR] +[\fB\-text\fR] +[\fB\-indef\fR] +[\fB\-noindef\fR] +[\fB\-stream\fR] +[\fB\-md\fR \fIdigest\fR] +[\fB\-CAfile\fR \fIfile\fR] +[\fB\-no\-CAfile\fR] +[\fB\-CApath\fR \fIdir\fR] +[\fB\-no\-CApath\fR] +[\fB\-CAstore\fR \fIuri\fR] +[\fB\-no\-CAstore\fR] +[\fB\-engine\fR \fIid\fR] +[\fB\-rand\fR \fIfiles\fR] +[\fB\-writerand\fR \fIfile\fR] +[\fB\-allow_proxy_certs\fR] +[\fB\-attime\fR \fItimestamp\fR] +[\fB\-no_check_time\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-partial_chain\fR] +[\fB\-policy\fR \fIarg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose\fR \fIpurpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] +[\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level\fR \fInum\fR] +[\fB\-verify_depth\fR \fInum\fR] +[\fB\-verify_email\fR \fIemail\fR] +[\fB\-verify_hostname\fR \fIhostname\fR] 
+[\fB\-verify_ip\fR \fIip\fR] +[\fB\-verify_name\fR \fIname\fR] +[\fB\-x509_strict\fR] +[\fB\-issuer_checks\fR] +[\fB\-provider\fR \fIname\fR] +[\fB\-provider\-path\fR \fIpath\fR] +[\fB\-propquery\fR \fIpropq\fR] +[\fB\-config\fR \fIconfigfile\fR] +\&\fIrecipcert\fR ... +.SH DESCRIPTION +.IX Header "DESCRIPTION" +This command handles S/MIME mail. It can encrypt, decrypt, sign +and verify S/MIME messages. +.SH OPTIONS +.IX Header "OPTIONS" +There are six operation options that set the type of operation to be performed: +\&\fB\-encrypt\fR, \fB\-decrypt\fR, \fB\-sign\fR, \fB\-resign\fR, \fB\-verify\fR, and \fB\-pk7out\fR. +These are mutually exclusive. +The meaning of the other options varies according to the operation type. +.IP \fB\-help\fR 4 +.IX Item "-help" +Print out a usage message. +.IP \fB\-encrypt\fR 4 +.IX Item "-encrypt" +Encrypt mail for the given recipient certificates. Input file is the message +to be encrypted. The output file is the encrypted mail in MIME format. +.Sp +Note that no revocation check is done for the recipient cert, so if that +key has been compromised, others may be able to decrypt the text. +.IP \fB\-decrypt\fR 4 +.IX Item "-decrypt" +Decrypt mail using the supplied certificate and private key. Expects an +encrypted mail message in MIME format for the input file. The decrypted mail +is written to the output file. +.IP \fB\-sign\fR 4 +.IX Item "-sign" +Sign mail using the supplied certificate and private key. Input file is +the message to be signed. The signed message in MIME format is written +to the output file. +.IP \fB\-resign\fR 4 +.IX Item "-resign" +Resign a message: take an existing message and one or more new signers. +.IP \fB\-verify\fR 4 +.IX Item "-verify" +Verify signed mail. Expects a signed mail message on input and outputs +the signed data. Both clear text and opaque signing is supported. +.IP \fB\-pk7out\fR 4 +.IX Item "-pk7out" +Takes an input message and writes out a PEM encoded PKCS#7 structure. 
+.IP "\fB\-in\fR \fIfilename\fR" 4 +.IX Item "-in filename" +The input message to be encrypted or signed or the MIME message to +be decrypted or verified. +.IP "\fB\-out\fR \fIfilename\fR" 4 +.IX Item "-out filename" +The message text that has been decrypted or verified or the output MIME +format message that has been signed or verified. +.IP "\fB\-inform\fR \fBDER\fR|\fBPEM\fR|\fBSMIME\fR" 4 +.IX Item "-inform DER|PEM|SMIME" +The input format of the PKCS#7 (S/MIME) structure (if one is being read); +the default is \fBSMIME\fR. +See \fBopenssl\-format\-options\fR\|(1) for details. +.IP "\fB\-outform\fR \fBDER\fR|\fBPEM\fR|\fBSMIME\fR" 4 +.IX Item "-outform DER|PEM|SMIME" +The output format of the PKCS#7 (S/MIME) structure (if one is being written); +the default is \fBSMIME\fR. +See \fBopenssl\-format\-options\fR\|(1) for details. +.IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4 +.IX Item "-keyform DER|PEM|P12|ENGINE" +The key format; unspecified by default. +See \fBopenssl\-format\-options\fR\|(1) for details. +.IP "\fB\-stream\fR, \fB\-indef\fR, \fB\-noindef\fR" 4 +.IX Item "-stream, -indef, -noindef" +The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O +for encoding operations. This permits single pass processing of data without +the need to hold the entire contents in memory, potentially supporting very +large files. Streaming is automatically set for S/MIME signing with detached +data if the output format is \fBSMIME\fR it is currently off by default for all +other operations. +.IP \fB\-noindef\fR 4 +.IX Item "-noindef" +Disable streaming I/O where it would produce and indefinite length constructed +encoding. This option currently has no effect. In future streaming will be +enabled by default on all relevant operations and this option will disable it. 
+.IP "\fB\-content\fR \fIfilename\fR" 4 +.IX Item "-content filename" +This specifies a file containing the detached content, this is only +useful with the \fB\-verify\fR command. This is only usable if the PKCS#7 +structure is using the detached signature form where the content is +not included. This option will override any content if the input format +is S/MIME and it uses the multipart/signed MIME content type. +.IP \fB\-text\fR 4 +.IX Item "-text" +This option adds plain text (text/plain) MIME headers to the supplied +message if encrypting or signing. If decrypting or verifying it strips +off text headers: if the decrypted or verified message is not of MIME +type text/plain then an error occurs. +.IP "\fB\-md\fR \fIdigest\fR" 4 +.IX Item "-md digest" +Digest algorithm to use when signing or resigning. If not present then the +default digest algorithm for the signing key will be used (usually SHA1). +.IP \fB\-\fR\f(BIcipher\fR 4 +.IX Item "-cipher" +The encryption algorithm to use. For example DES (56 bits) \- \fB\-des\fR, +triple DES (168 bits) \- \fB\-des3\fR, +\&\fBEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for +example \fB\-aes\-128\-cbc\fR. See \fBopenssl\-enc\fR\|(1) for list of ciphers +supported by your version of OpenSSL. +.Sp +If not specified triple DES is used. Only used with \fB\-encrypt\fR. +.IP \fB\-nointern\fR 4 +.IX Item "-nointern" +When verifying a message normally certificates (if any) included in +the message are searched for the signing certificate. With this option +only the certificates specified in the \fB\-certfile\fR option are used. +The supplied certificates can still be used as untrusted CAs however. +.IP \fB\-noverify\fR 4 +.IX Item "-noverify" +Do not verify the signers certificate of a signed message. +.IP \fB\-nochain\fR 4 +.IX Item "-nochain" +Do not do chain verification of signers certificates; that is, do not +use the certificates in the signed message as untrusted CAs. 
+.IP \fB\-nosigs\fR 4 +.IX Item "-nosigs" +Don't try to verify the signatures on the message. +.IP \fB\-nocerts\fR 4 +.IX Item "-nocerts" +When signing a message the signer's certificate is normally included +with this option it is excluded. This will reduce the size of the +signed message but the verifier must have a copy of the signers certificate +available locally (passed using the \fB\-certfile\fR option for example). +.IP \fB\-noattr\fR 4 +.IX Item "-noattr" +Normally when a message is signed a set of attributes are included which +include the signing time and supported symmetric algorithms. With this +option they are not included. +.IP \fB\-nodetach\fR 4 +.IX Item "-nodetach" +When signing a message use opaque signing. This form is more resistant +to translation by mail relays but it cannot be read by mail agents that +do not support S/MIME. Without this option cleartext signing with +the MIME type multipart/signed is used. +.IP \fB\-nosmimecap\fR 4 +.IX Item "-nosmimecap" +When signing a message, do not include the \fBSMIMECapabilities\fR attribute. +.IP \fB\-binary\fR 4 +.IX Item "-binary" +Normally the input message is converted to "canonical" format which is +effectively using CR and LF as end of line: as required by the S/MIME +specification. When this option is present no translation occurs. This +is useful when handling binary data which may not be in MIME format. +.IP \fB\-crlfeol\fR 4 +.IX Item "-crlfeol" +Normally the output file uses a single \fBLF\fR as end of line. When this +option is present \fBCRLF\fR is used instead. +.IP "\fB\-certfile\fR \fIfile\fR" 4 +.IX Item "-certfile file" +Allows additional certificates to be specified. When signing these will +be included with the message. When verifying these will be searched for +the signers certificates. +The input can be in PEM, DER, or PKCS#12 format. 
+.IP "\fB\-signer\fR \fIfile\fR" 4 +.IX Item "-signer file" +A signing certificate when signing or resigning a message, this option can be +used multiple times if more than one signer is required. If a message is being +verified then the signers certificates will be written to this file if the +verification was successful. +.IP \fB\-nocerts\fR 4 +.IX Item "-nocerts" +Don't include signers certificate when signing. +.IP \fB\-noattr\fR 4 +.IX Item "-noattr" +Don't include any signed attributes when signing. +.IP "\fB\-recip\fR \fIfile\fR" 4 +.IX Item "-recip file" +The recipients certificate when decrypting a message. This certificate +must match one of the recipients of the message or an error occurs. +.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4 +.IX Item "-inkey filename|uri" +The private key to use when signing or decrypting. This must match the +corresponding certificate. If this option is not specified then the +private key must be included in the certificate file specified with +the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used +multiple times to specify successive keys. +.IP "\fB\-passin\fR \fIarg\fR" 4 +.IX Item "-passin arg" +The private key password source. For more information about the format of \fIarg\fR +see \fBopenssl\-passphrase\-options\fR\|(1). +.IP "\fB\-to\fR, \fB\-from\fR, \fB\-subject\fR" 4 +.IX Item "-to, -from, -subject" +The relevant mail headers. These are included outside the signed +portion of a message so they may be included manually. If signing +then many S/MIME mail clients check the signers certificate's email +address matches that specified in the 
From: address. +.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4 +.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks" +Set various options of certificate chain verification. +See "Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details. +.Sp +Any verification errors cause the command to exit. +.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4 +.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore" +See "Trusted Certificate Options" in \fBopenssl\-verification\-options\fR\|(1) for details. +.IP "\fB\-engine\fR \fIid\fR" 4 +.IX Item "-engine id" +See "Engine Options" in \fBopenssl\fR\|(1). +This option is deprecated. +.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4 +.IX Item "-rand files, -writerand file" +See "Random State Options" in \fBopenssl\fR\|(1) for details. 
+.IP "\fB\-provider\fR \fIname\fR" 4 +.IX Item "-provider name" +.PD 0 +.IP "\fB\-provider\-path\fR \fIpath\fR" 4 +.IX Item "-provider-path path" +.IP "\fB\-propquery\fR \fIpropq\fR" 4 +.IX Item "-propquery propq" +.PD +See "Provider Options" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7). +.IP "\fB\-config\fR \fIconfigfile\fR" 4 +.IX Item "-config configfile" +See "Configuration Option" in \fBopenssl\fR\|(1). +.IP "\fIrecipcert\fR ..." 4 +.IX Item "recipcert ..." +One or more certificates of message recipients, used when encrypting +a message. +.SH NOTES +.IX Header "NOTES" +The MIME message must be sent without any blank lines between the +headers and the output. Some mail programs will automatically add +a blank line. Piping the mail directly to sendmail is one way to +achieve the correct format. +.PP +The supplied message to be signed or encrypted must include the +necessary MIME headers or many S/MIME clients won't display it +properly (if at all). You can use the \fB\-text\fR option to automatically +add plain text headers. +.PP +A "signed and encrypted" message is one where a signed message is +then encrypted. This can be produced by encrypting an already signed +message: see the examples section. +.PP +This version of the program only allows one signer per message but it +will verify multiple signers on received messages. Some S/MIME clients +choke if a message contains multiple signers. It is possible to sign +messages "in parallel" by signing an already signed message. +.PP +The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME +clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 +encrypted data is used for other purposes. +.PP +The \fB\-resign\fR option uses an existing message digest when adding a new +signer. This means that attributes must be present in at least one existing +signer using the same message digest or this operation will fail. 
+.PP +The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support. +As a result the encoding is BER using indefinite length constructed encoding +and no longer DER. Streaming is supported for the \fB\-encrypt\fR operation and the +\&\fB\-sign\fR operation if the content is not detached. +.PP +Streaming is always used for the \fB\-sign\fR operation with detached data but +since the content is no longer part of the PKCS#7 structure the encoding +remains DER. +.SH "EXIT CODES" +.IX Header "EXIT CODES" +.IP 0 4 +The operation was completely successfully. +.IP 1 4 +.IX Item "1" +An error occurred parsing the command options. +.IP 2 4 +.IX Item "2" +One of the input files could not be read. +.IP 3 4 +.IX Item "3" +An error occurred creating the PKCS#7 file or when reading the MIME +message. +.IP 4 4 +.IX Item "4" +An error occurred decrypting or verifying the message. +.IP 5 4 +.IX Item "5" +The message was verified correctly but an error occurred writing out +the signers certificates. 
+.SH EXAMPLES +.IX Header "EXAMPLES" +Create a cleartext signed message: +.PP +.Vb 2 +\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e +\& \-signer mycert.pem +.Ve +.PP +Create an opaque signed message: +.PP +.Vb 2 +\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e +\& \-signer mycert.pem +.Ve +.PP +Create a signed message, include some additional certificates and +read the private key from another file: +.PP +.Vb 2 +\& openssl smime \-sign \-in in.txt \-text \-out mail.msg \e +\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem +.Ve +.PP +Create a signed message with two signers: +.PP +.Vb 2 +\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e +\& \-signer mycert.pem \-signer othercert.pem +.Ve +.PP +Send a signed message under Unix directly to sendmail, including headers: +.PP +.Vb 3 +\& openssl smime \-sign \-in in.txt \-text \-signer mycert.pem \e +\& \-from steve@openssl.org \-to someone@somewhere \e +\& \-subject "Signed message" | sendmail someone@somewhere +.Ve +.PP +Verify a message and extract the signer's certificate if successful: +.PP +.Vb 1 +\& openssl smime \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt +.Ve +.PP +Send encrypted mail using triple DES: +.PP +.Vb 3 +\& openssl smime \-encrypt \-in in.txt \-from steve@openssl.org \e +\& \-to someone@somewhere \-subject "Encrypted message" \e +\& \-des3 user.pem \-out mail.msg +.Ve +.PP +Sign and encrypt mail: +.PP +.Vb 4 +\& openssl smime \-sign \-in ml.txt \-signer my.pem \-text \e +\& | openssl smime \-encrypt \-out mail.msg \e +\& \-from steve@openssl.org \-to someone@somewhere \e +\& \-subject "Signed and Encrypted message" \-des3 user.pem +.Ve +.PP +Note: the encryption command does not include the \fB\-text\fR option because the +message being encrypted already has MIME headers. 
+.PP +Decrypt mail: +.PP +.Vb 1 +\& openssl smime \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem +.Ve +.PP +The output from Netscape form signing is a PKCS#7 structure with the +detached signature format. You can use this program to verify the +signature by line wrapping the base64 encoded structure and surrounding +it with: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\- +\& \-\-\-\-\-END PKCS7\-\-\-\-\- +.Ve +.PP +and using the command: +.PP +.Vb 1 +\& openssl smime \-verify \-inform PEM \-in signature.pem \-content content.txt +.Ve +.PP +Alternatively you can base64 decode the signature and use: +.PP +.Vb 1 +\& openssl smime \-verify \-inform DER \-in signature.der \-content content.txt +.Ve +.PP +Create an encrypted message using 128 bit Camellia: +.PP +.Vb 1 +\& openssl smime \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem +.Ve +.PP +Add a signer to an existing message: +.PP +.Vb 1 +\& openssl smime \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg +.Ve +.SH BUGS +.IX Header "BUGS" +The MIME parser isn't very clever: it seems to handle most messages that I've +thrown at it but it may choke on others. +.PP +The code currently will only write out the signer's certificate to a file: if +the signer has a separate encryption certificate this must be manually +extracted. There should be some heuristic that determines the correct +encryption certificate. +.PP +Ideally a database should be maintained of a certificates for each email +address. +.PP +The code doesn't currently take note of the permitted symmetric encryption +algorithms as supplied in the SMIMECapabilities signed attribute. This means the +user has to manually include the correct encryption algorithm. It should store +the list of permitted ciphers in a database and only use those. +.PP +No revocation checking is done on the signer's certificate. +.PP +The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 +structures may cause parsing errors. 
+.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBossl_store\-file\fR\|(7) +.SH HISTORY +.IX Header "HISTORY" +The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first +added in OpenSSL 1.0.0 +.PP +The \-no_alt_chains option was added in OpenSSL 1.1.0. +.PP +The \fB\-engine\fR option was deprecated in OpenSSL 3.0. +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. |