1 files changed, 208 insertions, 14 deletions
diff --git a/src/lib/libcrypto/man/PKCS7_add_attribute.3 b/src/lib/libcrypto/man/PKCS7_add_attribute.3
index 081703f0f3..4a1c350f98 100644
--- a/src/lib/libcrypto/man/PKCS7_add_attribute.3
+++ b/src/lib/libcrypto/man/PKCS7_add_attribute.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_add_attribute.3,v 1.2 2020/06/04 21:21:03 schwarze Exp $
+.\" $OpenBSD: PKCS7_add_attribute.3,v 1.3 2020/06/10 11:39:12 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,14 +14,20 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 4 2020 $
+.Dd $Mdocdate: June 10 2020 $
 .Dt PKCS7_ADD_ATTRIBUTE 3
 .Os
 .Sh NAME
 .Nm PKCS7_add_attribute ,
+.Nm PKCS7_set_attributes ,
 .Nm PKCS7_get_attribute ,
 .Nm PKCS7_add_signed_attribute ,
-.Nm PKCS7_get_signed_attribute
+.Nm PKCS7_set_signed_attributes ,
+.Nm PKCS7_get_signed_attribute ,
+.Nm PKCS7_add_attrib_content_type ,
+.Nm PKCS7_add1_attrib_digest ,
+.Nm PKCS7_add0_attrib_signing_time ,
+.Nm PKCS7_add_attrib_smimecap
 .Nd attributes of SignerInfo objects
 .Sh SYNOPSIS
 .In openssl/pkcs7.h
@@ -32,6 +38,11 @@
 .Fa "int attrtype"
 .Fa "void *value"
 .Fc
+.Ft int
+.Fo PKCS7_set_attributes
+.Fa "PKCS7_SIGNER_INFO *si"
+.Fa "STACK_OF(X509_ATTRIBUTE) *sk"
+.Fc
 .Ft ASN1_TYPE *
 .Fo PKCS7_get_attribute
 .Fa "PKCS7_SIGNER_INFO *si"
@@ -44,11 +55,37 @@
 .Fa "int attrtype"
 .Fa "void *value"
 .Fc
+.Ft int
+.Fo PKCS7_set_signed_attributes
+.Fa "PKCS7_SIGNER_INFO *si"
+.Fa "STACK_OF(X509_ATTRIBUTE) *sk"
+.Fc
 .Ft ASN1_TYPE *
 .Fo PKCS7_get_signed_attribute
 .Fa "PKCS7_SIGNER_INFO *si"
 .Fa "int nid"
 .Fc
+.Ft int
+.Fo PKCS7_add_attrib_content_type
+.Fa "PKCS7_SIGNER_INFO *si"
+.Fa "ASN1_OBJECT *coid"
+.Fc
+.Ft int
+.Fo PKCS7_add1_attrib_digest
+.Fa "PKCS7_SIGNER_INFO *si"
+.Fa "const unsigned char *md"
+.Fa "int mdlen"
+.Fc
+.Ft int
+.Fo PKCS7_add0_attrib_signing_time
+.Fa "PKCS7_SIGNER_INFO *si"
+.Fa "ASN1_TIME *t"
+.Fc
+.Ft int
+.Fo PKCS7_add_attrib_smimecap
+.Fa "PKCS7_SIGNER_INFO *si"
+.Fa "STACK_OF(X509_ALGOR) *cap"
+.Fc
 .Sh DESCRIPTION
 .Fn PKCS7_add_attribute
 appends a new attribute of type
@@ -74,6 +111,14 @@ If the list already contains an unauthenticated attribute of type
 before the call, the new attribute replaces the old one
 instead of being appended to the end of the list.
 .Pp
+.Fn PKCS7_set_attributes
+frees the
+.Fa unauthenticatedAttributes
+list of
+.Fa si
+and all the attributes contained in it and replaces it with a deep copy of
+.Fa sk .
+.Pp
 .Fn PKCS7_get_attribute
 retrieves the first ASN.1 ANY member of the attribute of type
 .Fa nid
@@ -83,7 +128,8 @@ list of
 .Fa si .
 .Pp
 The behaviour of
-.Fn PKCS7_add_signed_attribute
+.Fn PKCS7_add_signed_attribute ,
+.Fn PKCS7_set_signed_attributes ,
 and
 .Fn PKCS7_get_signed_attribute
 is identical except that they operate on the list of
@@ -101,8 +147,8 @@ or
 .Dv PKCS7_STREAM
 flag, retrieve the
 .Vt PKCS7_SIGNER_INFO
-object with the undocumented function
+object with
-.Fn PKCS7_get_signer_info
+.Xr PKCS7_get_signer_info 3
 or add an additional one with
 .Xr PKCS7_sign_add_signer 3 ,
 call
@@ -111,21 +157,122 @@ for each desired additional attribute, then do the signing with
 .Xr PKCS7_final 3
 or with another finalizing function.
 .Pp
-For particular types of attributes, undocumented wrapper functions
+The four remaining functions are wrappers around
+.Fn PKCS7_add_signed_attribute .
+.Pp
+.Fn PKCS7_add_attrib_content_type
+sets the
+.Dv NID_pkcs9_contentType
+attribute to
+.Fa coid ,
+which specifies the content type of the
+.Vt ContentInfo
+value to be signed.
+This attribute is mandatory and automatically added by
+.Xr PKCS7_sign 3
+and
+.Xr PKCS7_sign_add_signer 3
+unless the
+.Dv PKCS7_NOATTR
+flag is present.
+Objects suitable as
+.Fa coid
+arguments can for example be obtained with
+.Xr OBJ_nid2obj 3 .
+If
+.Fa coid
+is
+.Dv NULL ,
+the content type defaults to
+.Dv NID_pkcs7_data .
+.Pp
+.Fn PKCS7_add1_attrib_digest
+sets or replaces the
+.Dv NID_pkcs9_messageDigest
+attribute, which is the message digest of the contents octets
+of the DER-encoding of the content field of the
+.Vt ContentInfo
+value being signed, to a copy of
+.Fa md ,
+which is assumed to be
+.Fa mdlen
+bytes long.
+If
+.Fa mdlen
+is -1, then
+.Fn strlen md
+is used instead of
+.Fa mdlen .
+This attribute is mandatory and automatically added by
+.Xr PKCS7_dataFinal 3
+and
+.Xr PKCS7_final 3 .
+.Pp
+.Fn PKCS7_add0_attrib_signing_time
+sets or replaces the optional
+.Dv NID_pkcs9_signingTime
+attribute to
+.Fa t ,
+specifying the time at which the signer performed the signing process.
+Ownership of
+.Fa t
+is transferred into the new attribute object, so the calling code
+must not
+.Xr free 3
+.Fa t .
+If
+.Fa t
+is
+.Dv NULL ,
+a new
+.Vt ASN1_TIME
+structure is allocated.
+This attribute is automatically added by
+.Xr PKCS7_dataFinal 3
+and
+.Xr PKCS7_final 3 .
+.Pp
+.Fn PKCS7_add_attrib_smimecap
+sets or replaces the optional
+.Dv NID_SMIMECapabilities
+attribute, indicating algorithms the sender is prepared to handle.
+The
+.Fa cap
+pointer is not stored in the new attribute object and can be passed to
+.Fn sk_X509_ALGOR_pop_free
+after the call.
+This attribute is automatically added by
+.Xr PKCS7_sign 3
+and
+.Xr PKCS7_sign_add_signer 3
+unless the
+.Dv PKCS7_NOATTR
+or
+.Dv PKCS7_NOSMIMECAP
+flag is present.
+.Sh RETURN VALUES
+.Fn PKCS7_add_attribute ,
+.Fn PKCS7_set_attributes ,
+.Fn PKCS7_add_signed_attribute ,
+.Fn PKCS7_set_signed_attributes ,
 .Fn PKCS7_add_attrib_content_type ,
 .Fn PKCS7_add1_attrib_digest ,
 .Fn PKCS7_add0_attrib_signing_time ,
 and
 .Fn PKCS7_add_attrib_smimecap
-exist.
+return 1 on success or 0 on failure.
-.Sh RETURN VALUES
+The most common reason for failure is lack of memory.
 .Fn PKCS7_add_attribute
 and
 .Fn PKCS7_add_signed_attribute
-return 1 on success or 0 on failure.
+also fail if
-The most common reasons for failure are an invalid
 .Fa nid
-argument or lack of memory.
+is invalid, and
+.Fn PKCS7_add_attrib_content_type
+if
+.Fa si
+already contains an authenticated attribute of type
+.Dv NID_pkcs9_contentType .
 .Pp
 .Fn PKCS7_get_attribute
 and
@@ -140,20 +287,67 @@ is invalid, if the respective list in
 contains no attribute of the requested type, or if an invalid element
 is found in the list before finding the attribute of the requested type.
 .Sh SEE ALSO
+.Xr ASN1_TIME_new 3 ,
 .Xr ASN1_TYPE_new 3 ,
+.Xr OBJ_nid2obj 3 ,
 .Xr PKCS7_final 3 ,
+.Xr PKCS7_get_signer_info 3 ,
 .Xr PKCS7_new 3 ,
 .Xr PKCS7_sign 3 ,
 .Xr PKCS7_sign_add_signer 3 ,
 .Xr STACK_OF 3 ,
+.Xr X509_ALGOR_new 3 ,
 .Xr X509_ATTRIBUTE_new 3
 .Sh STANDARDS
 RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5,
 section 9.2: SignerInfo type
+.Pp
+RFC 2985: PKCS #9: Selected Object Classes and Attribute Types Version 2.0,
+section 5.3: Attribute types for use in PKCS #7 data
+and section 5.6: Attributes defined in S/MIME
+.Pp
+RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME)
+Version 4.0 Message Specification,
+section 2.5.2: SMIMECapabilities Attribute
 .Sh HISTORY
-These functions first appeared in OpenSSL 0.9.1
+.Fn PKCS7_add_attribute ,
-and have been available since
+.Fn PKCS7_set_attributes ,
+.Fn PKCS7_get_attribute ,
+.Fn PKCS7_add_signed_attribute ,
+.Fn PKCS7_set_signed_attributes ,
+and
+.Fn PKCS7_get_signed_attribute
+first appeared in OpenSSL 0.9.1 and have been available since
 .Ox 2.6 .
+.Pp
+.Fn PKCS7_add_attrib_smimecap
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
+.Pp
+.Fn PKCS7_add_attrib_content_type ,
+.Fn PKCS7_add1_attrib_digest ,
+and
+.Fn PKCS7_add0_attrib_signing_time
+first appeared in OpenSSL 1.0.0 and have been available since
+.Ox 4.9 .
+.Sh CAVEATS
+.Fn PKCS7_set_signed_attributes
+does not validate that
+.Fa sk
+contains the PKCS #9 content type and message digest attributes
+required by RFC 2315.
+It succeeds even when
+.Fa sk
+is empty, leaving
+.Fa si
+in a state that violates the standard.
+.Pp
+.Fn PKCS7_add0_attrib_signing_time
+does not validate
+.Fa t
+in any way.
+In particular, it may set the signing time to the future
+or to the remote past.
 .Sh BUGS
 A function to remove individual attributes from these lists
 does not appear to exist.

diff --git a/src/lib/libcrypto/man/PKCS7_add_attribute.3 b/src/lib/libcrypto/man/PKCS7_add_attribute.3 index 081703f0f3..4a1c350f98 100644 --- a/src/lib/libcrypto/man/PKCS7_add_attribute.3 +++ b/src/lib/libcrypto/man/PKCS7_add_attribute.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: PKCS7_add_attribute.3,v 1.2 2020/06/04 21:21:03 schwarze Exp $	1	.\" $OpenBSD: PKCS7_add_attribute.3,v 1.3 2020/06/10 11:39:12 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,14 +14,20 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: June 4 2020 $	17	.Dd $Mdocdate: June 10 2020 $
18	.Dt PKCS7_ADD_ATTRIBUTE 3	18	.Dt PKCS7_ADD_ATTRIBUTE 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
21	.Nm PKCS7_add_attribute ,	21	.Nm PKCS7_add_attribute ,
		22	.Nm PKCS7_set_attributes ,
22	.Nm PKCS7_get_attribute ,	23	.Nm PKCS7_get_attribute ,
23	.Nm PKCS7_add_signed_attribute ,	24	.Nm PKCS7_add_signed_attribute ,
24	.Nm PKCS7_get_signed_attribute	25	.Nm PKCS7_set_signed_attributes ,
		26	.Nm PKCS7_get_signed_attribute ,
		27	.Nm PKCS7_add_attrib_content_type ,
		28	.Nm PKCS7_add1_attrib_digest ,
		29	.Nm PKCS7_add0_attrib_signing_time ,
		30	.Nm PKCS7_add_attrib_smimecap
25	.Nd attributes of SignerInfo objects	31	.Nd attributes of SignerInfo objects
26	.Sh SYNOPSIS	32	.Sh SYNOPSIS
27	.In openssl/pkcs7.h	33	.In openssl/pkcs7.h
@@ -32,6 +38,11 @@
32	.Fa "int attrtype"	38	.Fa "int attrtype"
33	.Fa "void *value"	39	.Fa "void *value"
34	.Fc	40	.Fc
		41	.Ft int
		42	.Fo PKCS7_set_attributes
		43	.Fa "PKCS7_SIGNER_INFO *si"
		44	.Fa "STACK_OF(X509_ATTRIBUTE) *sk"
		45	.Fc
35	.Ft ASN1_TYPE *	46	.Ft ASN1_TYPE *
36	.Fo PKCS7_get_attribute	47	.Fo PKCS7_get_attribute
37	.Fa "PKCS7_SIGNER_INFO *si"	48	.Fa "PKCS7_SIGNER_INFO *si"
@@ -44,11 +55,37 @@
44	.Fa "int attrtype"	55	.Fa "int attrtype"
45	.Fa "void *value"	56	.Fa "void *value"
46	.Fc	57	.Fc
		58	.Ft int
		59	.Fo PKCS7_set_signed_attributes
		60	.Fa "PKCS7_SIGNER_INFO *si"
		61	.Fa "STACK_OF(X509_ATTRIBUTE) *sk"
		62	.Fc
47	.Ft ASN1_TYPE *	63	.Ft ASN1_TYPE *
48	.Fo PKCS7_get_signed_attribute	64	.Fo PKCS7_get_signed_attribute
49	.Fa "PKCS7_SIGNER_INFO *si"	65	.Fa "PKCS7_SIGNER_INFO *si"
50	.Fa "int nid"	66	.Fa "int nid"
51	.Fc	67	.Fc
		68	.Ft int
		69	.Fo PKCS7_add_attrib_content_type
		70	.Fa "PKCS7_SIGNER_INFO *si"
		71	.Fa "ASN1_OBJECT *coid"
		72	.Fc
		73	.Ft int
		74	.Fo PKCS7_add1_attrib_digest
		75	.Fa "PKCS7_SIGNER_INFO *si"
		76	.Fa "const unsigned char *md"
		77	.Fa "int mdlen"
		78	.Fc
		79	.Ft int
		80	.Fo PKCS7_add0_attrib_signing_time
		81	.Fa "PKCS7_SIGNER_INFO *si"
		82	.Fa "ASN1_TIME *t"
		83	.Fc
		84	.Ft int
		85	.Fo PKCS7_add_attrib_smimecap
		86	.Fa "PKCS7_SIGNER_INFO *si"
		87	.Fa "STACK_OF(X509_ALGOR) *cap"
		88	.Fc
52	.Sh DESCRIPTION	89	.Sh DESCRIPTION
53	.Fn PKCS7_add_attribute	90	.Fn PKCS7_add_attribute
54	appends a new attribute of type	91	appends a new attribute of type
@@ -74,6 +111,14 @@ If the list already contains an unauthenticated attribute of type
74	before the call, the new attribute replaces the old one	111	before the call, the new attribute replaces the old one
75	instead of being appended to the end of the list.	112	instead of being appended to the end of the list.
76	.Pp	113	.Pp
		114	.Fn PKCS7_set_attributes
		115	frees the
		116	.Fa unauthenticatedAttributes
		117	list of
		118	.Fa si
		119	and all the attributes contained in it and replaces it with a deep copy of
		120	.Fa sk .
		121	.Pp
77	.Fn PKCS7_get_attribute	122	.Fn PKCS7_get_attribute
78	retrieves the first ASN.1 ANY member of the attribute of type	123	retrieves the first ASN.1 ANY member of the attribute of type
79	.Fa nid	124	.Fa nid
@@ -83,7 +128,8 @@ list of
83	.Fa si .	128	.Fa si .
84	.Pp	129	.Pp
85	The behaviour of	130	The behaviour of
86	.Fn PKCS7_add_signed_attribute	131	.Fn PKCS7_add_signed_attribute ,
		132	.Fn PKCS7_set_signed_attributes ,
87	and	133	and
88	.Fn PKCS7_get_signed_attribute	134	.Fn PKCS7_get_signed_attribute
89	is identical except that they operate on the list of	135	is identical except that they operate on the list of
@@ -101,8 +147,8 @@ or
101	.Dv PKCS7_STREAM	147	.Dv PKCS7_STREAM
102	flag, retrieve the	148	flag, retrieve the
103	.Vt PKCS7_SIGNER_INFO	149	.Vt PKCS7_SIGNER_INFO
104	object with the undocumented function	150	object with
105	.Fn PKCS7_get_signer_info	151	.Xr PKCS7_get_signer_info 3
106	or add an additional one with	152	or add an additional one with
107	.Xr PKCS7_sign_add_signer 3 ,	153	.Xr PKCS7_sign_add_signer 3 ,
108	call	154	call
@@ -111,21 +157,122 @@ for each desired additional attribute, then do the signing with
111	.Xr PKCS7_final 3	157	.Xr PKCS7_final 3
112	or with another finalizing function.	158	or with another finalizing function.
113	.Pp	159	.Pp
114	For particular types of attributes, undocumented wrapper functions	160	The four remaining functions are wrappers around
		161	.Fn PKCS7_add_signed_attribute .
		162	.Pp
		163	.Fn PKCS7_add_attrib_content_type
		164	sets the
		165	.Dv NID_pkcs9_contentType
		166	attribute to
		167	.Fa coid ,
		168	which specifies the content type of the
		169	.Vt ContentInfo
		170	value to be signed.
		171	This attribute is mandatory and automatically added by
		172	.Xr PKCS7_sign 3
		173	and
		174	.Xr PKCS7_sign_add_signer 3
		175	unless the
		176	.Dv PKCS7_NOATTR
		177	flag is present.
		178	Objects suitable as
		179	.Fa coid
		180	arguments can for example be obtained with
		181	.Xr OBJ_nid2obj 3 .
		182	If
		183	.Fa coid
		184	is
		185	.Dv NULL ,
		186	the content type defaults to
		187	.Dv NID_pkcs7_data .
		188	.Pp
		189	.Fn PKCS7_add1_attrib_digest
		190	sets or replaces the
		191	.Dv NID_pkcs9_messageDigest
		192	attribute, which is the message digest of the contents octets
		193	of the DER-encoding of the content field of the
		194	.Vt ContentInfo
		195	value being signed, to a copy of
		196	.Fa md ,
		197	which is assumed to be
		198	.Fa mdlen
		199	bytes long.
		200	If
		201	.Fa mdlen
		202	is -1, then
		203	.Fn strlen md
		204	is used instead of
		205	.Fa mdlen .
		206	This attribute is mandatory and automatically added by
		207	.Xr PKCS7_dataFinal 3
		208	and
		209	.Xr PKCS7_final 3 .
		210	.Pp
		211	.Fn PKCS7_add0_attrib_signing_time
		212	sets or replaces the optional
		213	.Dv NID_pkcs9_signingTime
		214	attribute to
		215	.Fa t ,
		216	specifying the time at which the signer performed the signing process.
		217	Ownership of
		218	.Fa t
		219	is transferred into the new attribute object, so the calling code
		220	must not
		221	.Xr free 3
		222	.Fa t .
		223	If
		224	.Fa t
		225	is
		226	.Dv NULL ,
		227	a new
		228	.Vt ASN1_TIME
		229	structure is allocated.
		230	This attribute is automatically added by
		231	.Xr PKCS7_dataFinal 3
		232	and
		233	.Xr PKCS7_final 3 .
		234	.Pp
		235	.Fn PKCS7_add_attrib_smimecap
		236	sets or replaces the optional
		237	.Dv NID_SMIMECapabilities
		238	attribute, indicating algorithms the sender is prepared to handle.
		239	The
		240	.Fa cap
		241	pointer is not stored in the new attribute object and can be passed to
		242	.Fn sk_X509_ALGOR_pop_free
		243	after the call.
		244	This attribute is automatically added by
		245	.Xr PKCS7_sign 3
		246	and
		247	.Xr PKCS7_sign_add_signer 3
		248	unless the
		249	.Dv PKCS7_NOATTR
		250	or
		251	.Dv PKCS7_NOSMIMECAP
		252	flag is present.
		253	.Sh RETURN VALUES
		254	.Fn PKCS7_add_attribute ,
		255	.Fn PKCS7_set_attributes ,
		256	.Fn PKCS7_add_signed_attribute ,
		257	.Fn PKCS7_set_signed_attributes ,
115	.Fn PKCS7_add_attrib_content_type ,	258	.Fn PKCS7_add_attrib_content_type ,
116	.Fn PKCS7_add1_attrib_digest ,	259	.Fn PKCS7_add1_attrib_digest ,
117	.Fn PKCS7_add0_attrib_signing_time ,	260	.Fn PKCS7_add0_attrib_signing_time ,
118	and	261	and
119	.Fn PKCS7_add_attrib_smimecap	262	.Fn PKCS7_add_attrib_smimecap
120	exist.	263	return 1 on success or 0 on failure.
121	.Sh RETURN VALUES	264	The most common reason for failure is lack of memory.
122	.Fn PKCS7_add_attribute	265	.Fn PKCS7_add_attribute
123	and	266	and
124	.Fn PKCS7_add_signed_attribute	267	.Fn PKCS7_add_signed_attribute
125	return 1 on success or 0 on failure.	268	also fail if
126	The most common reasons for failure are an invalid
127	.Fa nid	269	.Fa nid
128	argument or lack of memory.	270	is invalid, and
		271	.Fn PKCS7_add_attrib_content_type
		272	if
		273	.Fa si
		274	already contains an authenticated attribute of type
		275	.Dv NID_pkcs9_contentType .
129	.Pp	276	.Pp
130	.Fn PKCS7_get_attribute	277	.Fn PKCS7_get_attribute
131	and	278	and
@@ -140,20 +287,67 @@ is invalid, if the respective list in
140	contains no attribute of the requested type, or if an invalid element	287	contains no attribute of the requested type, or if an invalid element
141	is found in the list before finding the attribute of the requested type.	288	is found in the list before finding the attribute of the requested type.
142	.Sh SEE ALSO	289	.Sh SEE ALSO
		290	.Xr ASN1_TIME_new 3 ,
143	.Xr ASN1_TYPE_new 3 ,	291	.Xr ASN1_TYPE_new 3 ,
		292	.Xr OBJ_nid2obj 3 ,
144	.Xr PKCS7_final 3 ,	293	.Xr PKCS7_final 3 ,
		294	.Xr PKCS7_get_signer_info 3 ,
145	.Xr PKCS7_new 3 ,	295	.Xr PKCS7_new 3 ,
146	.Xr PKCS7_sign 3 ,	296	.Xr PKCS7_sign 3 ,
147	.Xr PKCS7_sign_add_signer 3 ,	297	.Xr PKCS7_sign_add_signer 3 ,
148	.Xr STACK_OF 3 ,	298	.Xr STACK_OF 3 ,
		299	.Xr X509_ALGOR_new 3 ,
149	.Xr X509_ATTRIBUTE_new 3	300	.Xr X509_ATTRIBUTE_new 3
150	.Sh STANDARDS	301	.Sh STANDARDS
151	RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5,	302	RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5,
152	section 9.2: SignerInfo type	303	section 9.2: SignerInfo type
		304	.Pp
		305	RFC 2985: PKCS #9: Selected Object Classes and Attribute Types Version 2.0,
		306	section 5.3: Attribute types for use in PKCS #7 data
		307	and section 5.6: Attributes defined in S/MIME
		308	.Pp
		309	RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME)
		310	Version 4.0 Message Specification,
		311	section 2.5.2: SMIMECapabilities Attribute
153	.Sh HISTORY	312	.Sh HISTORY
154	These functions first appeared in OpenSSL 0.9.1	313	.Fn PKCS7_add_attribute ,
155	and have been available since	314	.Fn PKCS7_set_attributes ,
		315	.Fn PKCS7_get_attribute ,
		316	.Fn PKCS7_add_signed_attribute ,
		317	.Fn PKCS7_set_signed_attributes ,
		318	and
		319	.Fn PKCS7_get_signed_attribute
		320	first appeared in OpenSSL 0.9.1 and have been available since
156	.Ox 2.6 .	321	.Ox 2.6 .
		322	.Pp
		323	.Fn PKCS7_add_attrib_smimecap
		324	first appeared in OpenSSL 0.9.5 and has been available since
		325	.Ox 2.7 .
		326	.Pp
		327	.Fn PKCS7_add_attrib_content_type ,
		328	.Fn PKCS7_add1_attrib_digest ,
		329	and
		330	.Fn PKCS7_add0_attrib_signing_time
		331	first appeared in OpenSSL 1.0.0 and have been available since
		332	.Ox 4.9 .
		333	.Sh CAVEATS
		334	.Fn PKCS7_set_signed_attributes
		335	does not validate that
		336	.Fa sk
		337	contains the PKCS #9 content type and message digest attributes
		338	required by RFC 2315.
		339	It succeeds even when
		340	.Fa sk
		341	is empty, leaving
		342	.Fa si
		343	in a state that violates the standard.
		344	.Pp
		345	.Fn PKCS7_add0_attrib_signing_time
		346	does not validate
		347	.Fa t
		348	in any way.
		349	In particular, it may set the signing time to the future
		350	or to the remote past.
157	.Sh BUGS	351	.Sh BUGS
158	A function to remove individual attributes from these lists	352	A function to remove individual attributes from these lists
159	does not appear to exist.	353	does not appear to exist.