2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-cms - CMS command
10 B<openssl> B<cms>
11 [B<-help>]
15 [B<-in> I<filename>]
16 [B<-out> I<filename>]
17 {- $OpenSSL::safe::opt_config_synopsis -}
21 [B<-encrypt>]
22 [B<-decrypt>]
23 [B<-sign>]
24 [B<-verify>]
25 [B<-resign>]
26 [B<-sign_receipt>]
27 [B<-verify_receipt> I<receipt>]
28 [B<-digest_create>]
29 [B<-digest_verify>]
30 [B<-compress>]
31 [B<-uncompress>]
32 [B<-EncryptedData_encrypt>]
33 [B<-EncryptedData_decrypt>]
34 [B<-data_create>]
35 [B<-data_out>]
36 [B<-cmsout>]
40 [B<-inform> B<DER>|B<PEM>|B<SMIME>]
41 [B<-outform> B<DER>|B<PEM>|B<SMIME>]
42 [B<-rctform> B<DER>|B<PEM>|B<SMIME>]
43 [B<-stream>]
44 [B<-indef>]
45 [B<-noindef>]
46 [B<-binary>]
47 [B<-crlfeol>]
48 [B<-asciicrlf>]
52 [B<-pwri_password> I<password>]
53 [B<-secretkey> I<key>]
54 [B<-secretkeyid> I<id>]
55 [B<-inkey> I<filename>|I<uri>]
56 [B<-passin> I<arg>]
57 [B<-keyopt> I<name>:I<parameter>]
58 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
59 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
60 {- $OpenSSL::safe::opt_r_synopsis -}
64 [B<-originator> I<file>]
65 [B<-recip> I<file>]
66 [I<recipient-cert> ...]
67 [B<-I<cipher>>]
68 [B<-wrap> I<cipher>]
69 [B<-aes128-wrap>]
70 [B<-aes192-wrap>]
71 [B<-aes256-wrap>]
72 [B<-des3-wrap>]
73 [B<-debug_decrypt>]
77 [B<-md> I<digest>]
78 [B<-signer> I<file>]
79 [B<-certfile> I<file>]
80 [B<-cades>]
81 [B<-nodetach>]
82 [B<-nocerts>]
83 [B<-noattr>]
84 [B<-nosmimecap>]
85 [B<-receipt_request_all>]
86 [B<-receipt_request_first>]
87 [B<-receipt_request_from> I<emailaddress>]
88 [B<-receipt_request_to> I<emailaddress>]
92 [B<-signer> I<file>]
93 [B<-content> I<filename>]
94 [B<-no_content_verify>]
95 [B<-no_attr_verify>]
96 [B<-nosigs>]
97 [B<-noverify>]
98 [B<-nointern>]
99 [B<-cades>]
100 [B<-verify_retcode>]
101 {- $OpenSSL::safe::opt_trust_synopsis -}
105 [B<-keyid>]
106 [B<-econtent_type> I<type>]
107 [B<-text>]
108 [B<-certsout> I<file>]
109 [B<-to> I<addr>]
110 [B<-from> I<addr>]
111 [B<-subject> I<subj>]
115 [B<-noout>]
116 [B<-print>]
117 [B<-nameopt> I<option>]
118 [B<-receipt_request_print>]
122 {- $OpenSSL::safe::opt_v_synopsis -}
140 =item B<-help>
150 =item B<-in> I<filename>
155 =item B<-out> I<filename>
160 {- $OpenSSL::safe::opt_config_item -}
168 =item B<-encrypt>
172 actual CMS type is B<EnvelopedData>.
177 =item B<-decrypt>
183 =item B<-sign>
189 =item B<-verify>
194 =item B<-resign>
198 =item B<-sign_receipt>
201 message B<must> contain a signed receipt request. Functionality is otherwise
202 similar to the B<-sign> operation.
204 =item B<-verify_receipt> I<receipt>
206 Verify a signed receipt in filename I<receipt>. The input message B<must>
208 to the B<-verify> operation.
210 =item B<-digest_create>
212 Create a CMS B<DigestedData> type.
214 =item B<-digest_verify>
216 Verify a CMS B<DigestedData> type and output the content.
218 =item B<-compress>
220 Create a CMS B<CompressedData> type. OpenSSL must be compiled with B<zlib>
223 =item B<-uncompress>
225 Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be
226 compiled with B<zlib> support for this option to work, otherwise it will
229 =item B<-EncryptedData_encrypt>
232 B<EncryptedData> type and output the content.
234 =item B<-EncryptedData_decrypt>
237 B<EncryptedData> type and output the content.
239 =item B<-data_create>
241 Create a CMS B<Data> type.
243 =item B<-data_out>
245 B<Data> type and output the content.
247 =item B<-cmsout>
257 =item B<-inform> B<DER>|B<PEM>|B<SMIME>
260 the default is B<SMIME>.
261 See L<openssl-format-options(1)> for details.
263 =item B<-outform> B<DER>|B<PEM>|B<SMIME>
266 the default is B<SMIME>.
267 See L<openssl-format-options(1)> for details.
269 =item B<-rctform> B<DER>|B<PEM>|B<SMIME>
271 The signed receipt format for use with B<-verify_receipt>; the default
272 is B<SMIME>.
273 See L<openssl-format-options(1)> for details.
275 =item B<-stream>, B<-indef>
277 The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
281 data if the output format is B<SMIME>; it is currently off by default for all
284 =item B<-noindef>
290 =item B<-binary>
297 =item B<-crlfeol>
299 Normally the output file uses a single B<LF> as end of line. When this
300 option is present B<CRLF> is used instead.
302 =item B<-asciicrlf>
317 =item B<-pwri_password> I<password>
321 =item B<-secretkey> I<key>
324 consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
325 B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
326 with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
327 content encryption key using an AES key in the B<KEKRecipientInfo> type.
329 =item B<-secretkeyid> I<id>
331 The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
332 This option B<must> be present if the B<-secretkey> option is used with
333 B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
335 B<KEKRecipientInfo> structures.
337 =item B<-inkey> I<filename>|I<uri>
342 the B<-recip> or B<-signer> file. When signing this option can be used
345 =item B<-passin> I<arg>
347 The private key password source. For more information about the format of I<arg>
348 see L<openssl-passphrase-options(1)>.
350 =item B<-keyopt> I<name>:I<parameter>
354 currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
357 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
360 See L<openssl-format-options(1)> for details.
362 {- $OpenSSL::safe::opt_engine_item -}
364 {- $OpenSSL::safe::opt_provider_item -}
366 {- $OpenSSL::safe::opt_r_item -}
374 =item B<-originator> I<file>
379 =item B<-recip> I<file>
385 each recipient. This form B<must> be used if customised parameters are
386 required (for example to specify RSA-OAEP).
388 Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
391 =item I<recipient-cert> ...
393 This is an alternative to using the B<-recip> option when encrypting a message.
396 =item B<-I<cipher>>
398 The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
399 or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
401 example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
407 If not specified, triple DES is used. Only used with B<-encrypt> and
408 B<-EncryptedData_encrypt> commands.
410 =item B<-wrap> I<cipher>
416 =item B<-aes128-wrap>, B<-aes192-wrap>, B<-aes256-wrap>, B<-des3-wrap>
418 Use AES128, AES192, AES256, or 3DES-EDE, respectively, to wrap the key.
419 Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported.
421 =item B<-debug_decrypt>
423 This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
432 =item B<-md> I<digest>
437 =item B<-signer> I<file>
442 =item B<-certfile> I<file>
449 =item B<-cades>
451 When used with B<-sign>,
452 add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute
454 for a CAdES Basic Electronic Signature (CAdES-BES).
456 =item B<-nodetach>
463 =item B<-nocerts>
468 available locally (passed using the B<-certfile> option for example).
470 =item B<-noattr>
476 =item B<-nosmimecap>
481 =item B<-receipt_request_all>, B<-receipt_request_first>
483 For the B<-sign> option, include a signed receipt request. Indicate requests should
485 and not from a mailing list). Ignored if B<-receipt_request_from> is included.
487 =item B<-receipt_request_from> I<emailaddress>
489 For the B<-sign> option, include a signed receipt request. Add an explicit email
492 =item B<-receipt_request_to> I<emailaddress>
495 option B<must> be supplied if a signed receipt is requested.
503 =item B<-signer> I<file>
508 =item B<-content> I<filename>
511 S/MIME input, such as the B<-verify> command. This is only usable if the CMS
516 =item B<-no_content_verify>
520 =item B<-no_attr_verify>
524 =item B<-nosigs>
528 =item B<-noverify>
532 =item B<-nointern>
536 only the certificates specified in the B<-certfile> option are used.
539 =item B<-cades>
541 When used with B<-verify>, require and check the signer certificate digest.
544 =item B<-verify_retcode>
548 {- $OpenSSL::safe::opt_trust_item -}
556 =item B<-keyid>
559 serial number. The supplied certificate B<must> include a subject key
560 identifier extension. Supported by B<-sign> and B<-encrypt> options.
562 =item B<-econtent_type> I<type>
564 Set the encapsulated content type to I<type>. If not supplied, the B<Data> type
568 =item B<-text>
575 =item B<-certsout> I<file>
579 =item B<-to>, B<-from>, B<-subject>
592 =item B<-noout>
594 For the B<-cmsout> operation do not output the parsed CMS structure.
597 =item B<-print>
599 For the B<-cmsout> operation print out all fields of the CMS structure.
600 This implies B<-noout>.
603 =item B<-nameopt> I<option>
605 For the B<-cmsout> operation when B<-print> option is in use, specifies
606 printing options for string fields. For most cases B<utf8> is a reasonable value.
607 See L<openssl-namedisplay-options(1)> for details.
609 =item B<-receipt_request_print>
611 For the B<-verify> operation print out the contents of any signed receipt
620 {- $OpenSSL::safe::opt_v_item -}
635 properly (if at all). You can use the B<-text> option to automatically
647 The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
651 The B<-resign> option uses an existing message digest when adding a new
655 The B<-stream> and B<-indef> options enable streaming I/O support.
657 and no longer DER. Streaming is supported for the B<-encrypt> operation and the
658 B<-sign> operation if the content is not detached.
660 Streaming is always used for the B<-sign> operation with detached data but
664 If the B<-decrypt> option is used without a recipient certificate then an
670 The B<-debug_decrypt> option can be used to disable the MMA attack protection
674 =head1 CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)
676 A CAdES Basic Electronic Signature (CAdES-BES),
677 as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains:
687 Content-type of the EncapsulatedContentInfo value being signed;
691 Message-digest of the eContent OCTET STRING within encapContentInfo being signed;
697 An ESS signingCertificate attribute only allows for SHA-1 as the digest algorithm.
704 NOTE that the B<-cades> option applies to the B<-sign> or B<-verify> operations.
705 With this option, the B<-verify> operation also requires that the
745 L<openssl-smime(1)> can only process the older B<PKCS#7> format.
746 B<openssl cms> supports Cryptographic Message Syntax format.
750 The use of the B<-keyid> option with B<-sign> or B<-encrypt>.
752 The B<-outform> I<PEM> option uses different headers.
754 The B<-compress> option.
756 The B<-secretkey> option when used with B<-encrypt>.
758 The use of PSS with B<-sign>.
760 The use of OAEP or non-RSA keys with B<-encrypt>.
762 Additionally the B<-EncryptedData_encrypt> and B<-data_create> types cannot
763 be processed by the older L<openssl-smime(1)> command.
769 openssl cms -sign -in message.txt -text -out mail.msg \
770 -signer mycert.pem
774 openssl cms -sign -in message.txt -text -out mail.msg -nodetach \
775 -signer mycert.pem
780 openssl cms -sign -in in.txt -text -out mail.msg \
781 -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
785 openssl cms -sign -in message.txt -text -out mail.msg \
786 -signer mycert.pem -signer othercert.pem -keyid
790 openssl cms -sign -in in.txt -text -signer mycert.pem \
791 -from steve@openssl.org -to someone@somewhere \
792 -subject "Signed message" | sendmail someone@somewhere
796 openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt
800 openssl cms -encrypt -in in.txt -from steve@openssl.org \
801 -to someone@somewhere -subject "Encrypted message" \
802 -des3 user.pem -out mail.msg
806 openssl cms -sign -in ml.txt -signer my.pem -text \
807 | openssl cms -encrypt -out mail.msg \
808 -from steve@openssl.org -to someone@somewhere \
809 -subject "Signed and Encrypted message" -des3 user.pem
811 Note: the encryption command does not include the B<-text> option because the
816 openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
823 -----BEGIN PKCS7-----
824 -----END PKCS7-----
828 openssl cms -verify -inform PEM -in signature.pem -content content.txt
832 openssl cms -verify -inform DER -in signature.der -content content.txt
836 openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
840 openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg
842 Sign a message using RSA-PSS:
844 openssl cms -sign -in message.txt -text -out mail.msg \
845 -signer mycert.pem -keyopt rsa_padding_mode:pss
847 Create an encrypted message using RSA-OAEP:
849 openssl cms -encrypt -in plain.txt -out mail.msg \
850 -recip cert.pem -keyopt rsa_padding_mode:oaep
854 openssl cms -encrypt -in plain.txt -out mail.msg \
855 -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
857 Print CMS signed binary data in human-readable form:
859 openssl cms -in signed.cms -binary -inform DER -cmsout -print
883 L<ossl_store-file(7)>
887 The use of multiple B<-signer> options and the B<-resign> command were first
890 The B<-keyopt> option was added in OpenSSL 1.0.2.
892 Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
894 The use of non-RSA keys with B<-encrypt> and B<-decrypt>
897 The B<-no_alt_chains> option was added in OpenSSL 1.0.2b.
899 The B<-nameopt> option was added in OpenSSL 3.0.0.
901 The B<-engine> option was deprecated in OpenSSL 3.0.
905 Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.