diff options
Diffstat (limited to 'src/lib/libcrypto/doc/PKCS7_sign.pod')
| -rw-r--r-- | src/lib/libcrypto/doc/PKCS7_sign.pod | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/src/lib/libcrypto/doc/PKCS7_sign.pod b/src/lib/libcrypto/doc/PKCS7_sign.pod index fc7e649b34..ffd0c734b0 100644 --- a/src/lib/libcrypto/doc/PKCS7_sign.pod +++ b/src/lib/libcrypto/doc/PKCS7_sign.pod | |||
| @@ -51,6 +51,24 @@ If present the SMIMECapabilities attribute indicates support for the following | |||
| 51 | algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any | 51 | algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any |
| 52 | of these algorithms is disabled then it will not be included. | 52 | of these algorithms is disabled then it will not be included. |
| 53 | 53 | ||
| 54 | If the flags B<PKCS7_PARTSIGN> is set then the returned B<PKCS7> structure | ||
| 55 | is just initialized ready to perform the signing operation. The signing | ||
| 56 | is however B<not> performed and the data to be signed is not read from | ||
| 57 | the B<data> parameter. Signing is deferred until after the data has been | ||
| 58 | written. In this way data can be signed in a single pass. Currently the | ||
| 59 | flag B<PKCS7_DETACHED> B<must> also be set. | ||
| 60 | |||
| 61 | =head1 NOTES | ||
| 62 | |||
| 63 | Currently the flag B<PKCS7_PARTSIGN> is only supported for detached | ||
| 64 | data. If this flag is set the returned B<PKCS7> structure is B<not> | ||
| 65 | complete and outputting its contents via a function that does not | ||
| 66 | properly finalize the B<PKCS7> structure will give unpredictable | ||
| 67 | results. | ||
| 68 | |||
| 69 | At present only the SMIME_write_PKCS7() function properly finalizes the | ||
| 70 | structure. | ||
| 71 | |||
| 54 | =head1 BUGS | 72 | =head1 BUGS |
| 55 | 73 | ||
| 56 | PKCS7_sign() is somewhat limited. It does not support multiple signers, some | 74 | PKCS7_sign() is somewhat limited. It does not support multiple signers, some |
| @@ -64,10 +82,6 @@ signed due to memory restraints. There should be a way to sign data without | |||
| 64 | having to hold it all in memory, this would however require fairly major | 82 | having to hold it all in memory, this would however require fairly major |
| 65 | revisions of the OpenSSL ASN1 code. | 83 | revisions of the OpenSSL ASN1 code. |
| 66 | 84 | ||
| 67 | Clear text signing does not store the content in memory but the way PKCS7_sign() | ||
| 68 | operates means that two passes of the data must typically be made: one to compute | ||
| 69 | the signatures and a second to output the data along with the signature. There | ||
| 70 | should be a way to process the data with only a single pass. | ||
| 71 | 85 | ||
| 72 | =head1 RETURN VALUES | 86 | =head1 RETURN VALUES |
| 73 | 87 | ||
| @@ -82,4 +96,6 @@ L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)> | |||
| 82 | 96 | ||
| 83 | PKCS7_sign() was added to OpenSSL 0.9.5 | 97 | PKCS7_sign() was added to OpenSSL 0.9.5 |
| 84 | 98 | ||
| 99 | The B<PKCS7_PARTSIGN> flag was added in OpenSSL 0.9.8 | ||
| 100 | |||
| 85 | =cut | 101 | =cut |