1 files changed, 86 insertions, 49 deletions
diff --git a/src/lib/libcrypto/man/SMIME_write_PKCS7.3 b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
index 72200c0b1b..5e344d9c63 100644
--- a/src/lib/libcrypto/man/SMIME_write_PKCS7.3
+++ b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
@@ -1,10 +1,10 @@
-.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.11 2025/06/11 14:23:14 schwarze Exp $
+.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.12 2025/06/11 23:16:32 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2021, 2025 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -84,48 +84,81 @@
 .Fc
 .Sh DESCRIPTION
 .Fn SMIME_write_PKCS7
-adds the appropriate MIME headers to a PKCS#7 structure to produce an
+generates an S/MIME message on
-S/MIME message.
-.Pp
 .Fa out
-is the
+by writing MIME 1.0 headers
-.Vt BIO
+followed by a BER- and base64-encoded serialization of
-to write the data to.
+.Fa p7 .
-.Fa p7
+The BER encoding uses the DER format except as described for
-is the appropriate
+.Dv PKCS7_STREAM
-.Vt PKCS7
+below.
-structure.
 If streaming is enabled, then the content must be supplied in the
 .Fa data
 argument.
-.Fa flags
-is an optional set of flags.
 .Pp
-The following flags can be passed in the
+The
 .Fa flags
-parameter.
+can be the logical OR of zero or more of the following bits:
-.Pp
+.Bl -tag -width Ds
+.It Dv PKCS7_DETACHED
+Use cleartext signing and generate a
+.Qq multipart/signed
+S/MIME message.
+The content is read from
+.Fa data .
 If
-.Dv PKCS7_DETACHED
+.Fa data
-is set, then cleartext signing will be used.
+is a
-This option only makes sense for signedData where
+.Dv NULL
+pointer, this flag is ignored.
+.Pp
+This flag is only supported for signedData where
 .Dv PKCS7_DETACHED
 is also set when
 .Xr PKCS7_sign 3
-is also called.
+is called.
 .Pp
-If the
+If
-.Dv PKCS7_TEXT
+.Dv PKCS7_STREAM
-flag is set, MIME headers for type
+is not set, the data must be read twice: once to compute the
-.Sy text/plain
+signature in
-are added to the content.
+.Xr PKCS7_sign 3
-This only makes sense if
+and once to output the S/MIME message.
+.Pp
+If
+.Dv PKCS7_DETACHED
+is ignored or not specified, the smime-type is chosen according to the type of
+.Fa p7 :
+.Bl -tag -width Ds
+.It Dv NID_pkcs7_enveloped
+.Qq enveloped-data
+.It Dv NID_pkcs7_signed
+.Bl -tag -width Msigned-dataM -compact
+.It Qq signed-data
+if
+.Fa p7
+specifies any digest algorithm
+.It Qq certs-only
+otherwise
+.El
+.It Dv NID_id_smime_ct_compressedData
+.Qq compressed-data
+.El
+.It Dv PKCS7_REUSE_DIGEST
+Skip the calls to
+.Xr PKCS7_dataInit 3
+and
+.Xr PKCS7_dataFinal 3 .
+This flag has no effect unless
 .Dv PKCS7_DETACHED
 is also set.
+.It Dv PKCS7_STREAM
+Perform streaming by reading the content from
+.Fa data .
+This only works if
+.Dv PKCS7_DETACHED
+is not specified.
 .Pp
-If the
-.Dv PKCS7_STREAM
-flag is set, streaming is performed.
 This flag should only be set if
 .Dv PKCS7_STREAM
 was also set in the previous call to
@@ -133,13 +166,28 @@ was also set in the previous call to
 or
 .Xr PKCS7_encrypt 3 .
 .Pp
-The bit
+The content is output in BER format using indefinite length constructed
-.Dv SMIME_OLDMIME
+encoding except in the case of signed data with detached content
-is inverted before passing on the
+where the content is absent and DER format is used.
-.Fa flags
+.It Dv PKCS7_TEXT
-to
+Prepend the line
-.Xr SMIME_write_ASN1 3 .
+.Qq Content-Type: text/plain
-Consequently, if this bit is set in the
+to the content.
+This only makes sense if
+.Dv PKCS7_DETACHED
+is also set.
+It is ignored if the flag
+.Dv SMIME_BINARY
+is also set.
+.It Dv SMIME_BINARY
+If specified, this flag is passed through to
+.Xr SMIME_crlf_copy 3 .
+.It Dv SMIME_CRLFEOL
+End MIME header lines with pairs of carriage return and newline characters.
+By default, no carriage return characters are written
+and header lines are ended with newline characters only.
+.It Dv SMIME_OLDMIME
+If this bit is set in the
 .Fa flags
 argument,
 .Qq application/pkcs7-mime
@@ -151,18 +199,7 @@ Otherwise,
 or
 .Qq application/x-pkcs7-signature
 is used.
-.Pp
+.El
-If cleartext signing is being used and
-.Dv PKCS7_STREAM
-is not set, then the data must be read twice: once to compute the
-signature in
-.Xr PKCS7_sign 3
-and once to output the S/MIME message.
-.Pp
-If streaming is performed, the content is output in BER format using
-indefinite length constructed encoding except in the case of signed
-data with detached content where the content is absent and DER
-format is used.
 .Sh RETURN VALUES
 .Fn SMIME_write_PKCS7
 is intended to return 1 on success or 0 on failure.

diff --git a/src/lib/libcrypto/man/SMIME_write_PKCS7.3 b/src/lib/libcrypto/man/SMIME_write_PKCS7.3 index 72200c0b1b..5e344d9c63 100644 --- a/src/lib/libcrypto/man/SMIME_write_PKCS7.3 +++ b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
@@ -1,10 +1,10 @@
1	.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.11 2025/06/11 14:23:14 schwarze Exp $	1	.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.12 2025/06/11 23:16:32 schwarze Exp $
2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
5	.\" The changes are covered by the following Copyright and license:	5	.\" The changes are covered by the following Copyright and license:
6	.\"	6	.\"
7	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>	7	.\" Copyright (c) 2021, 2025 Ingo Schwarze <schwarze@openbsd.org>
8	.\"	8	.\"
9	.\" Permission to use, copy, modify, and distribute this software for any	9	.\" Permission to use, copy, modify, and distribute this software for any
10	.\" purpose with or without fee is hereby granted, provided that the above	10	.\" purpose with or without fee is hereby granted, provided that the above
@@ -84,48 +84,81 @@
84	.Fc	84	.Fc
85	.Sh DESCRIPTION	85	.Sh DESCRIPTION
86	.Fn SMIME_write_PKCS7	86	.Fn SMIME_write_PKCS7
87	adds the appropriate MIME headers to a PKCS#7 structure to produce an	87	generates an S/MIME message on
88	S/MIME message.
89	.Pp
90	.Fa out	88	.Fa out
91	is the	89	by writing MIME 1.0 headers
92	.Vt BIO	90	followed by a BER- and base64-encoded serialization of
93	to write the data to.	91	.Fa p7 .
94	.Fa p7	92	The BER encoding uses the DER format except as described for
95	is the appropriate	93	.Dv PKCS7_STREAM
96	.Vt PKCS7	94	below.
97	structure.
98	If streaming is enabled, then the content must be supplied in the	95	If streaming is enabled, then the content must be supplied in the
99	.Fa data	96	.Fa data
100	argument.	97	argument.
101	.Fa flags
102	is an optional set of flags.
103	.Pp	98	.Pp
104	The following flags can be passed in the	99	The
105	.Fa flags	100	.Fa flags
106	parameter.	101	can be the logical OR of zero or more of the following bits:
107	.Pp	102	.Bl -tag -width Ds
		103	.It Dv PKCS7_DETACHED
		104	Use cleartext signing and generate a
		105	.Qq multipart/signed
		106	S/MIME message.
		107	The content is read from
		108	.Fa data .
108	If	109	If
109	.Dv PKCS7_DETACHED	110	.Fa data
110	is set, then cleartext signing will be used.	111	is a
111	This option only makes sense for signedData where	112	.Dv NULL
		113	pointer, this flag is ignored.
		114	.Pp
		115	This flag is only supported for signedData where
112	.Dv PKCS7_DETACHED	116	.Dv PKCS7_DETACHED
113	is also set when	117	is also set when
114	.Xr PKCS7_sign 3	118	.Xr PKCS7_sign 3
115	is also called.	119	is called.
116	.Pp	120	.Pp
117	If the	121	If
118	.Dv PKCS7_TEXT	122	.Dv PKCS7_STREAM
119	flag is set, MIME headers for type	123	is not set, the data must be read twice: once to compute the
120	.Sy text/plain	124	signature in
121	are added to the content.	125	.Xr PKCS7_sign 3
122	This only makes sense if	126	and once to output the S/MIME message.
		127	.Pp
		128	If
		129	.Dv PKCS7_DETACHED
		130	is ignored or not specified, the smime-type is chosen according to the type of
		131	.Fa p7 :
		132	.Bl -tag -width Ds
		133	.It Dv NID_pkcs7_enveloped
		134	.Qq enveloped-data
		135	.It Dv NID_pkcs7_signed
		136	.Bl -tag -width Msigned-dataM -compact
		137	.It Qq signed-data
		138	if
		139	.Fa p7
		140	specifies any digest algorithm
		141	.It Qq certs-only
		142	otherwise
		143	.El
		144	.It Dv NID_id_smime_ct_compressedData
		145	.Qq compressed-data
		146	.El
		147	.It Dv PKCS7_REUSE_DIGEST
		148	Skip the calls to
		149	.Xr PKCS7_dataInit 3
		150	and
		151	.Xr PKCS7_dataFinal 3 .
		152	This flag has no effect unless
123	.Dv PKCS7_DETACHED	153	.Dv PKCS7_DETACHED
124	is also set.	154	is also set.
		155	.It Dv PKCS7_STREAM
		156	Perform streaming by reading the content from
		157	.Fa data .
		158	This only works if
		159	.Dv PKCS7_DETACHED
		160	is not specified.
125	.Pp	161	.Pp
126	If the
127	.Dv PKCS7_STREAM
128	flag is set, streaming is performed.
129	This flag should only be set if	162	This flag should only be set if
130	.Dv PKCS7_STREAM	163	.Dv PKCS7_STREAM
131	was also set in the previous call to	164	was also set in the previous call to
@@ -133,13 +166,28 @@ was also set in the previous call to
133	or	166	or
134	.Xr PKCS7_encrypt 3 .	167	.Xr PKCS7_encrypt 3 .
135	.Pp	168	.Pp
136	The bit	169	The content is output in BER format using indefinite length constructed
137	.Dv SMIME_OLDMIME	170	encoding except in the case of signed data with detached content
138	is inverted before passing on the	171	where the content is absent and DER format is used.
139	.Fa flags	172	.It Dv PKCS7_TEXT
140	to	173	Prepend the line
141	.Xr SMIME_write_ASN1 3 .	174	.Qq Content-Type: text/plain
142	Consequently, if this bit is set in the	175	to the content.
		176	This only makes sense if
		177	.Dv PKCS7_DETACHED
		178	is also set.
		179	It is ignored if the flag
		180	.Dv SMIME_BINARY
		181	is also set.
		182	.It Dv SMIME_BINARY
		183	If specified, this flag is passed through to
		184	.Xr SMIME_crlf_copy 3 .
		185	.It Dv SMIME_CRLFEOL
		186	End MIME header lines with pairs of carriage return and newline characters.
		187	By default, no carriage return characters are written
		188	and header lines are ended with newline characters only.
		189	.It Dv SMIME_OLDMIME
		190	If this bit is set in the
143	.Fa flags	191	.Fa flags
144	argument,	192	argument,
145	.Qq application/pkcs7-mime	193	.Qq application/pkcs7-mime
@@ -151,18 +199,7 @@ Otherwise,
151	or	199	or
152	.Qq application/x-pkcs7-signature	200	.Qq application/x-pkcs7-signature
153	is used.	201	is used.
154	.Pp	202	.El
155	If cleartext signing is being used and
156	.Dv PKCS7_STREAM
157	is not set, then the data must be read twice: once to compute the
158	signature in
159	.Xr PKCS7_sign 3
160	and once to output the S/MIME message.
161	.Pp
162	If streaming is performed, the content is output in BER format using
163	indefinite length constructed encoding except in the case of signed
164	data with detached content where the content is absent and DER
165	format is used.
166	.Sh RETURN VALUES	203	.Sh RETURN VALUES
167	.Fn SMIME_write_PKCS7	204	.Fn SMIME_write_PKCS7
168	is intended to return 1 on success or 0 on failure.	205	is intended to return 1 on success or 0 on failure.