diff options
Diffstat (limited to 'src/lib/libcrypto/doc/PKCS7_sign.pod')
| -rw-r--r-- | src/lib/libcrypto/doc/PKCS7_sign.pod | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/src/lib/libcrypto/doc/PKCS7_sign.pod b/src/lib/libcrypto/doc/PKCS7_sign.pod new file mode 100644 index 0000000000..ffd0c734b0 --- /dev/null +++ b/src/lib/libcrypto/doc/PKCS7_sign.pod | |||
| @@ -0,0 +1,101 @@ | |||
| 1 | =pod | ||
| 2 | |||
| 3 | =head1 NAME | ||
| 4 | |||
| 5 | PKCS7_sign - create a PKCS#7 signedData structure | ||
| 6 | |||
| 7 | =head1 SYNOPSIS | ||
| 8 | |||
| 9 | PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags); | ||
| 10 | |||
| 11 | =head1 DESCRIPTION | ||
| 12 | |||
| 13 | PKCS7_sign() creates and returns a PKCS#7 signedData structure. B<signcert> | ||
| 14 | is the certificate to sign with, B<pkey> is the corresponsding private key. | ||
| 15 | B<certs> is an optional additional set of certificates to include in the | ||
| 16 | PKCS#7 structure (for example any intermediate CAs in the chain). | ||
| 17 | |||
| 18 | The data to be signed is read from BIO B<data>. | ||
| 19 | |||
| 20 | B<flags> is an optional set of flags. | ||
| 21 | |||
| 22 | =head1 NOTES | ||
| 23 | |||
| 24 | Any of the following flags (ored together) can be passed in the B<flags> parameter. | ||
| 25 | |||
| 26 | Many S/MIME clients expect the signed content to include valid MIME headers. If | ||
| 27 | the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended | ||
| 28 | to the data. | ||
| 29 | |||
| 30 | If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the | ||
| 31 | PKCS7 structure, the signer's certificate must still be supplied in the B<signcert> | ||
| 32 | parameter though. This can reduce the size of the signature if the signers certificate | ||
| 33 | can be obtained by other means: for example a previously signed message. | ||
| 34 | |||
| 35 | The data being signed is included in the PKCS7 structure, unless B<PKCS7_DETACHED> | ||
| 36 | is set in which case it is omitted. This is used for PKCS7 detached signatures | ||
| 37 | which are used in S/MIME plaintext signed messages for example. | ||
| 38 | |||
| 39 | Normally the supplied content is translated into MIME canonical format (as required | ||
| 40 | by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation occurs. This | ||
| 41 | option should be used if the supplied data is in binary format otherwise the translation | ||
| 42 | will corrupt it. | ||
| 43 | |||
| 44 | The signedData structure includes several PKCS#7 autenticatedAttributes including | ||
| 45 | the signing time, the PKCS#7 content type and the supported list of ciphers in | ||
| 46 | an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no authenticatedAttributes | ||
| 47 | will be used. If B<PKCS7_NOSMIMECAP> is set then just the SMIMECapabilities are | ||
| 48 | omitted. | ||
| 49 | |||
| 50 | If present the SMIMECapabilities attribute indicates support for the following | ||
| 51 | algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any | ||
| 52 | of these algorithms is disabled then it will not be included. | ||
| 53 | |||
| 54 | If the flags B<PKCS7_PARTSIGN> is set then the returned B<PKCS7> structure | ||
| 55 | is just initialized ready to perform the signing operation. The signing | ||
| 56 | is however B<not> performed and the data to be signed is not read from | ||
| 57 | the B<data> parameter. Signing is deferred until after the data has been | ||
| 58 | written. In this way data can be signed in a single pass. Currently the | ||
| 59 | flag B<PKCS7_DETACHED> B<must> also be set. | ||
| 60 | |||
| 61 | =head1 NOTES | ||
| 62 | |||
| 63 | Currently the flag B<PKCS7_PARTSIGN> is only supported for detached | ||
| 64 | data. If this flag is set the returned B<PKCS7> structure is B<not> | ||
| 65 | complete and outputting its contents via a function that does not | ||
| 66 | properly finalize the B<PKCS7> structure will give unpredictable | ||
| 67 | results. | ||
| 68 | |||
| 69 | At present only the SMIME_write_PKCS7() function properly finalizes the | ||
| 70 | structure. | ||
| 71 | |||
| 72 | =head1 BUGS | ||
| 73 | |||
| 74 | PKCS7_sign() is somewhat limited. It does not support multiple signers, some | ||
| 75 | advanced attributes such as counter signatures are not supported. | ||
| 76 | |||
| 77 | The SHA1 digest algorithm is currently always used. | ||
| 78 | |||
| 79 | When the signed data is not detached it will be stored in memory within the | ||
| 80 | B<PKCS7> structure. This effectively limits the size of messages which can be | ||
| 81 | signed due to memory restraints. There should be a way to sign data without | ||
| 82 | having to hold it all in memory, this would however require fairly major | ||
| 83 | revisions of the OpenSSL ASN1 code. | ||
| 84 | |||
| 85 | |||
| 86 | =head1 RETURN VALUES | ||
| 87 | |||
| 88 | PKCS7_sign() returns either a valid PKCS7 structure or NULL if an error occurred. | ||
| 89 | The error can be obtained from ERR_get_error(3). | ||
| 90 | |||
| 91 | =head1 SEE ALSO | ||
| 92 | |||
| 93 | L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)> | ||
| 94 | |||
| 95 | =head1 HISTORY | ||
| 96 | |||
| 97 | PKCS7_sign() was added to OpenSSL 0.9.5 | ||
| 98 | |||
| 99 | The B<PKCS7_PARTSIGN> flag was added in OpenSSL 0.9.8 | ||
| 100 | |||
| 101 | =cut | ||