1 files changed, 224 insertions, 0 deletions

diff --git a/src/lib/libcrypto/man/CMS_sign.3 b/src/lib/libcrypto/man/CMS_sign.3
new file mode 100644
index 0000000000..54d95f4a5d
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_sign.3
@@ -0,0 +1,224 @@
+.\" $OpenBSD: CMS_sign.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_SIGN 3
+.Os
+.Sh NAME
+.Nm CMS_sign
+.Nd create a CMS SignedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_sign
+.Fa "X509 *signcert"
+.Fa "EVP_PKEY *pkey"
+.Fa "STACK_OF(X509) *certs"
+.Fa "BIO *data"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_sign
+creates and returns a CMS SignedData structure.
+.Fa signcert
+is the certificate to sign with,
+.Fa pkey
+is the corresponding private key.
+.Fa certs
+is an optional additional set of certificates to include in the CMS
+structure (for example any intermediate CAs in the chain).
+Any or all of these parameters can be
+.Dv NULL .
+.Pp
+The data to be signed is read from
+.Fa data .
+.Pp
+.Fa flags
+is an optional set of flags.
+.Pp
+Any of the following flags (OR'ed together) can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_TEXT
+Prepend MIME headers for the type text/plain to the data.
+Many S/MIME clients expect the signed content to include valid MIME
+headers.
+.It Dv CMS_NOCERTS
+Do not include the signer's certificate in the
+.Vt CMS_ContentInfo
+structure.
+The signer's certificate must still be supplied in the
+.Fa signcert
+parameter though.
+This can reduce the size of the signature if the signers certificate can
+be obtained by other means: for example a previously signed message.
+.It Dv CMS_DETACHED
+Omit the data being signed from the
+.Vt CMS_ContentInfo
+structure.
+This is used for
+.Vt CMS_ContentInfo
+detached signatures which are used in S/MIME plaintext signed messages
+for example.
+.It Dv CMS_BINARY
+Do not translate the supplied content into MIME canonical format
+even though that is required by the S/MIME specifications.
+This option should be used if the supplied data is in binary format.
+Otherwise the translation will corrupt it.
+.It Dv CMS_NOATTR
+Do not use any signedAttributes.
+By default, the SignedData structure includes several CMS
+signedAttributes including the signing time, the CMS content type,
+and the supported list of ciphers in an SMIMECapabilities attribute.
+.It Dv CMS_NOSMIMECAP
+Omit just the SMIMECapabilities.
+If present, the SMIMECapabilities attribute indicates support for the
+following algorithms in preference order: 256 bit AES, Gost R3411-94,
+Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit
+RC2, DES and 40 bit RC2.
+If any of these algorithms is not available, then it will not be
+included: for example the GOST algorithms will not be included if
+the GOST ENGINE is not loaded.
+.It Dv CMS_USE_KEYID
+Use the subject key identifier value to identify signing certificates.
+An error occurs if the signing certificate does not have a subject key
+identifier extension.
+By default, issuer name and serial number are used instead.
+.It Dv CMS_STREAM
+Only initialize the returned
+.Vt CMS_ContentInfo
+structure to prepare it for performing the signing operation.
+The signing is however
+.Em not
+performed and the data to be signed is not read from the
+.Fa data
+parameter.
+Signing is deferred until after the data has been written.
+In this way, data can be signed in a single pass.
+The returned
+.Vt CMS_ContentInfo
+structure is
+.Em not
+complete and outputting its contents via a function that does not
+properly finalize the
+.Vt CMS_ContentInfo
+structure will give unpredictable results.
+Several functions including
+.Xr SMIME_write_CMS 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+or
+.Xr PEM_write_bio_CMS_stream 3
+finalize the structure.
+Alternatively, finalization can be performed by obtaining the streaming
+ASN1
+.Vt BIO
+directly using
+.Xr BIO_new_CMS 3 .
+.It Dv CMS_PARTIAL
+Output a partial
+.Vt CMS_ContentInfo
+structure to which additional signers and capabilities can be
+added before finalization.
+.El
+.Pp
+If a signer is specified, it will use the default digest for the signing
+algorithm.
+This is SHA1 for both RSA and DSA keys.
+.Pp
+If
+.Fa signcert
+and
+.Fa pkey
+are
+.Dv NULL ,
+then a certificates only CMS structure is output.
+.Pp
+The function
+.Fn CMS_sign
+is a basic CMS signing function whose output will be suitable for many
+purposes.
+For finer control of the output format the
+.Fa certs ,
+.Fa signcert
+and
+.Fa pkey
+parameters can all be
+.Dv NULL
+and the
+.Dv CMS_PARTIAL
+flag set.
+Then one or more signers can be added using the function
+.Xr CMS_sign_add1_signer 3 ,
+non default digests can be used and custom attributes added.
+.Xr CMS_final 3
+must then be called to finalize the structure if streaming is not
+enabled.
+.Sh RETURN VALUES
+.Fn CMS_sign
+returns either a valid
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_verify 3
+.Sh HISTORY
+.Fn CMS_sign
+was added to OpenSSL 0.9.8.
+.Pp
+The
+.Dv CMS_STREAM
+flag is only supported for detached data in OpenSSL 0.9.8, it is
+supported for embedded data in OpenSSL 1.0.0 and later.
+.Sh BUGS
+Some attributes such as counter signatures are not supported.