1 files changed, 190 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/PKCS7_sign.3 b/src/lib/libcrypto/man/PKCS7_sign.3
new file mode 100644
index 0000000000..894472402d
--- /dev/null
+++ b/src/lib/libcrypto/man/PKCS7_sign.3
@@ -0,0 +1,190 @@
+.Dd $Mdocdate: November 3 2016 $
+.Dt PKCS7_SIGN 3
+.Os
+.Sh NAME
+.Nm PKCS7_sign
+.Nd create a PKCS#7 signedData structure
+.Sh SYNOPSIS
+.In openssl/pkcs7.h
+.Ft PKCS7 *
+.Fo PKCS7_sign
+.Fa "X509 *signcert"
+.Fa "EVP_PKEY *pkey"
+.Fa "STACK_OF(X509) *certs"
+.Fa "BIO *data"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn PKCS7_sign
+creates and returns a PKCS#7 signedData structure.
+.Fa signcert
+is the certificate to sign with,
+.Fa pkey
+is the corresponding private key.
+.Fa certs
+is an optional additional set of certificates to include in the PKCS#7
+structure (for example any intermediate CAs in the chain).
+.Pp
+The data to be signed is read from
+.Vt BIO
+.Fa data .
+.Pp
+.Fa flags
+is an optional set of flags.
+.Pp
+Any of the following flags (OR'ed together) can be passed in the
+.Fa flags
+parameter.
+.Pp
+Many S/MIME clients expect the signed content to include valid MIME
+headers.
+If the
+.Dv PKCS7_TEXT
+flag is set, MIME headers for type
+.Sy text/plain
+are prepended to the data.
+.Pp
+If
+.Dv PKCS7_NOCERTS
+is set, the signer's certificate will not be included in the PKCS7
+structure, the signer's certificate must still be supplied in the
+.Fa signcert
+parameter though.
+This can reduce the size of the signature if the signers certificate can
+be obtained by other means: for example a previously signed message.
+.Pp
+The data being signed is included in the
+.Vt PKCS7
+structure, unless
+.Dv PKCS7_DETACHED
+is set in which case it is omitted.
+This is used for PKCS7 detached signatures which are used in S/MIME
+plaintext signed messages for example.
+.Pp
+Normally the supplied content is translated into MIME canonical format
+(as required by the S/MIME specifications).
+If
+.Dv PKCS7_BINARY
+is set, no translation occurs.
+This option should be used if the supplied data is in binary format;
+otherwise, the translation will corrupt it.
+.Pp
+The signedData structure includes several PKCS#7 authenticatedAttributes
+including the signing time, the PKCS#7 content type and the supported
+list of ciphers in an SMIMECapabilities attribute.
+If
+.Dv PKCS7_NOATTR
+is set, then no authenticatedAttributes will be used.
+If
+.Dv PKCS7_NOSMIMECAP
+is set, then just the SMIMECapabilities are omitted.
+.Pp
+If present, the SMIMECapabilities attribute indicates support for the
+following algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40
+bit RC2.
+If any of these algorithms is disabled then it will not be included.
+.Pp
+If the flags
+.Dv PKCS7_STREAM
+is set, then the returned
+.Vt PKCS7
+structure is just initialized ready to perform the signing operation.
+The signing is however
+.Sy not
+performed and the data to be signed is not read from the
+.Fa data
+parameter.
+Signing is deferred until after the data has been written.
+In this way data can be signed in a single pass.
+.Pp
+If the
+.Dv PKCS7_PARTIAL
+flag is set, a partial
+.Vt PKCS7
+structure is output to which additional signers and capabilities can be
+added before finalization.
+.Pp
+If the flag
+.Dv PKCS7_STREAM
+is set, the returned
+.Vt PKCS7
+structure is
+.Sy not
+complete and outputting its contents via a function that does not
+properly finalize the
+.Vt PKCS7
+structure will give unpredictable results.
+.Pp
+Several functions including
+.Xr SMIME_write_PKCS7 3 ,
+.Xr i2d_PKCS7_bio_stream 3 ,
+.Xr PEM_write_bio_PKCS7_stream 3
+finalize the structure.
+Alternatively finalization can be performed by obtaining the streaming
+ASN1
+.Vt BIO
+directly using
+.Xr BIO_new_PKCS7 3 .
+.Pp
+If a signer is specified, it will use the default digest for the
+signing algorithm.
+This is
+.Sy SHA1
+for both RSA and DSA keys.
+.Pp
+In OpenSSL 1.0.0, the
+.Fa certs ,
+.Fa signcert ,
+and
+.Fa pkey
+parameters can all be
+.Dv NULL
+if the
+.Dv PKCS7_PARTIAL
+flag is set.
+One or more signers can be added using the function
+.Xr PKCS7_sign_add_signer 3.
+.Xr PKCS7_final 3
+must also be called to finalize the structure if streaming is not
+enabled.
+Alternative signing digests can also be specified using this method.
+.Pp
+In OpenSSL 1.0.0, if
+.Fa signcert
+and
+.Fa pkey
+are
+.Dv NULL ,
+then a certificates only PKCS#7 structure is output.
+.Pp
+In versions of OpenSSL before 1.0.0 the
+.Fa signcert
+and
+.Fa pkey
+parameters must
+.Sy NOT
+be
+.Dv NULL .
+.Sh RETURN VALUES
+.Fn PKCS7_sign
+returns either a valid
+.Vt PKCS7
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Fn ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr ERR_get_error 3 ,
+.Xr PKCS7_verify 3
+.Sh HISTORY
+.Fn PKCS7_sign
+was added to OpenSSL 0.9.5.
+.Pp
+The
+.Dv PKCS7_PARTIAL
+and
+.Dv PKCS7_STREAM
+flags were added in OpenSSL 1.0.0.
+.Sh BUGS
+Some advanced attributes such as counter signatures are not supported.

diff --git a/src/lib/libcrypto/man/PKCS7_sign.3 b/src/lib/libcrypto/man/PKCS7_sign.3 new file mode 100644 index 0000000000..894472402d --- /dev/null +++ b/src/lib/libcrypto/man/PKCS7_sign.3
@@ -0,0 +1,190 @@
	1	.Dd $Mdocdate: November 3 2016 $
	2	.Dt PKCS7_SIGN 3
	3	.Os
	4	.Sh NAME
	5	.Nm PKCS7_sign
	6	.Nd create a PKCS#7 signedData structure
	7	.Sh SYNOPSIS
	8	.In openssl/pkcs7.h
	9	.Ft PKCS7 *
	10	.Fo PKCS7_sign
	11	.Fa "X509 *signcert"
	12	.Fa "EVP_PKEY *pkey"
	13	.Fa "STACK_OF(X509) *certs"
	14	.Fa "BIO *data"
	15	.Fa "int flags"
	16	.Fc
	17	.Sh DESCRIPTION
	18	.Fn PKCS7_sign
	19	creates and returns a PKCS#7 signedData structure.
	20	.Fa signcert
	21	is the certificate to sign with,
	22	.Fa pkey
	23	is the corresponding private key.
	24	.Fa certs
	25	is an optional additional set of certificates to include in the PKCS#7
	26	structure (for example any intermediate CAs in the chain).
	27	.Pp
	28	The data to be signed is read from
	29	.Vt BIO
	30	.Fa data .
	31	.Pp
	32	.Fa flags
	33	is an optional set of flags.
	34	.Pp
	35	Any of the following flags (OR'ed together) can be passed in the
	36	.Fa flags
	37	parameter.
	38	.Pp
	39	Many S/MIME clients expect the signed content to include valid MIME
	40	headers.
	41	If the
	42	.Dv PKCS7_TEXT
	43	flag is set, MIME headers for type
	44	.Sy text/plain
	45	are prepended to the data.
	46	.Pp
	47	If
	48	.Dv PKCS7_NOCERTS
	49	is set, the signer's certificate will not be included in the PKCS7
	50	structure, the signer's certificate must still be supplied in the
	51	.Fa signcert
	52	parameter though.
	53	This can reduce the size of the signature if the signers certificate can
	54	be obtained by other means: for example a previously signed message.
	55	.Pp
	56	The data being signed is included in the
	57	.Vt PKCS7
	58	structure, unless
	59	.Dv PKCS7_DETACHED
	60	is set in which case it is omitted.
	61	This is used for PKCS7 detached signatures which are used in S/MIME
	62	plaintext signed messages for example.
	63	.Pp
	64	Normally the supplied content is translated into MIME canonical format
	65	(as required by the S/MIME specifications).
	66	If
	67	.Dv PKCS7_BINARY
	68	is set, no translation occurs.
	69	This option should be used if the supplied data is in binary format;
	70	otherwise, the translation will corrupt it.
	71	.Pp
	72	The signedData structure includes several PKCS#7 authenticatedAttributes
	73	including the signing time, the PKCS#7 content type and the supported
	74	list of ciphers in an SMIMECapabilities attribute.
	75	If
	76	.Dv PKCS7_NOATTR
	77	is set, then no authenticatedAttributes will be used.
	78	If
	79	.Dv PKCS7_NOSMIMECAP
	80	is set, then just the SMIMECapabilities are omitted.
	81	.Pp
	82	If present, the SMIMECapabilities attribute indicates support for the
	83	following algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40
	84	bit RC2.
	85	If any of these algorithms is disabled then it will not be included.
	86	.Pp
	87	If the flags
	88	.Dv PKCS7_STREAM
	89	is set, then the returned
	90	.Vt PKCS7
	91	structure is just initialized ready to perform the signing operation.
	92	The signing is however
	93	.Sy not
	94	performed and the data to be signed is not read from the
	95	.Fa data
	96	parameter.
	97	Signing is deferred until after the data has been written.
	98	In this way data can be signed in a single pass.
	99	.Pp
	100	If the
	101	.Dv PKCS7_PARTIAL
	102	flag is set, a partial
	103	.Vt PKCS7
	104	structure is output to which additional signers and capabilities can be
	105	added before finalization.
	106	.Pp
	107	If the flag
	108	.Dv PKCS7_STREAM
	109	is set, the returned
	110	.Vt PKCS7
	111	structure is
	112	.Sy not
	113	complete and outputting its contents via a function that does not
	114	properly finalize the
	115	.Vt PKCS7
	116	structure will give unpredictable results.
	117	.Pp
	118	Several functions including
	119	.Xr SMIME_write_PKCS7 3 ,
	120	.Xr i2d_PKCS7_bio_stream 3 ,
	121	.Xr PEM_write_bio_PKCS7_stream 3
	122	finalize the structure.
	123	Alternatively finalization can be performed by obtaining the streaming
	124	ASN1
	125	.Vt BIO
	126	directly using
	127	.Xr BIO_new_PKCS7 3 .
	128	.Pp
	129	If a signer is specified, it will use the default digest for the
	130	signing algorithm.
	131	This is
	132	.Sy SHA1
	133	for both RSA and DSA keys.
	134	.Pp
	135	In OpenSSL 1.0.0, the
	136	.Fa certs ,
	137	.Fa signcert ,
	138	and
	139	.Fa pkey
	140	parameters can all be
	141	.Dv NULL
	142	if the
	143	.Dv PKCS7_PARTIAL
	144	flag is set.
	145	One or more signers can be added using the function
	146	.Xr PKCS7_sign_add_signer 3.
	147	.Xr PKCS7_final 3
	148	must also be called to finalize the structure if streaming is not
	149	enabled.
	150	Alternative signing digests can also be specified using this method.
	151	.Pp
	152	In OpenSSL 1.0.0, if
	153	.Fa signcert
	154	and
	155	.Fa pkey
	156	are
	157	.Dv NULL ,
	158	then a certificates only PKCS#7 structure is output.
	159	.Pp
	160	In versions of OpenSSL before 1.0.0 the
	161	.Fa signcert
	162	and
	163	.Fa pkey
	164	parameters must
	165	.Sy NOT
	166	be
	167	.Dv NULL .
	168	.Sh RETURN VALUES
	169	.Fn PKCS7_sign
	170	returns either a valid
	171	.Vt PKCS7
	172	structure or
	173	.Dv NULL
	174	if an error occurred.
	175	The error can be obtained from
	176	.Fn ERR_get_error 3 .
	177	.Sh SEE ALSO
	178	.Xr ERR_get_error 3 ,
	179	.Xr PKCS7_verify 3
	180	.Sh HISTORY
	181	.Fn PKCS7_sign
	182	was added to OpenSSL 0.9.5.
	183	.Pp
	184	The
	185	.Dv PKCS7_PARTIAL
	186	and
	187	.Dv PKCS7_STREAM
	188	flags were added in OpenSSL 1.0.0.
	189	.Sh BUGS
	190	Some advanced attributes such as counter signatures are not supported.