diff options
21 files changed, 3388 insertions, 0 deletions
diff --git a/lib/libcrypto/man/BIO_new_CMS.3 b/lib/libcrypto/man/BIO_new_CMS.3 new file mode 100644 index 00000000000..d35fb0b7bf2 --- /dev/null +++ b/lib/libcrypto/man/BIO_new_CMS.3 @@ -0,0 +1,138 @@ +.\" $OpenBSD: BIO_new_CMS.3,v 1.4 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL df75c2bfc Dec 9 01:02:36 2018 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt BIO_NEW_CMS 3 +.Os +.Sh NAME +.Nm BIO_new_CMS +.Nd CMS streaming filter BIO +.Sh SYNOPSIS +.In openssl/cms.h +.Ft BIO * +.Fo BIO_new_CMS +.Fa "BIO *out" +.Fa "CMS_ContentInfo *cms" +.Fc +.Sh DESCRIPTION +.Fn BIO_new_CMS +returns a streaming filter +.Vt BIO +chain based on +.Fa cms . +The output of the filter is written to +.Fa out . +Any data written to the chain is automatically translated +to a BER format CMS structure of the appropriate type. +.Pp +The chain returned by this function behaves like a standard filter +.Vt BIO . +It supports non blocking I/O. +Content is processed and streamed on the fly and not all held in memory +at once: so it is possible to encode very large structures. +After all content has been written through the chain, +.Xr BIO_flush 3 +must be called to finalise the structure. +.Pp +The +.Dv CMS_STREAM +flag must be included in the corresponding +.Fa flags +parameter of the +.Fa cms +creation function. +.Pp +If an application wishes to write additional data to +.Fa out , +BIOs should be removed from the chain using +.Xr BIO_pop 3 +and freed with +.Xr BIO_free 3 +until +.Fa out +is reached. +If no additional data needs to be written, +.Xr BIO_free_all 3 +can be called to free up the whole chain. +.Pp +Any content written through the filter is used verbatim: +no canonical translation is performed. +.Pp +It is possible to chain multiple BIOs to, for example, +create a triple wrapped signed, enveloped, signed structure. +In this case it is the application's responsibility +to set the inner content type of any outer +.Vt CMS_ContentInfo +structures. +.Pp +Large numbers of small writes through the chain should be avoided as this +will produce an output consisting of lots of OCTET STRING structures. +Prepending a +.Xr BIO_f_buffer 3 +buffering BIO will prevent this. +.Sh RETURN VALUES +.Fn BIO_new_CMS +returns a +.Vt BIO +chain when successful or +.Dv NULL +if an error occurred. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_encrypt 3 , +.Xr CMS_sign 3 +.Sh HISTORY +The +.Fn BIO_new_CMS +function was added in OpenSSL 1.0.0. +.Sh BUGS +There is currently no corresponding inverse BIO +which can decode a CMS structure on the fly. diff --git a/lib/libcrypto/man/CMS_add0_cert.3 b/lib/libcrypto/man/CMS_add0_cert.3 new file mode 100644 index 00000000000..9f99e2259fb --- /dev/null +++ b/lib/libcrypto/man/CMS_add0_cert.3 @@ -0,0 +1,177 @@ +.\" $OpenBSD: CMS_add0_cert.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_ADD0_CERT 3 +.Os +.Sh NAME +.Nm CMS_add0_cert , +.Nm CMS_add1_cert , +.Nm CMS_get1_certs , +.Nm CMS_add0_crl , +.Nm CMS_add1_crl , +.Nm CMS_get1_crls +.Nd CMS certificate and CRL utility functions +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo CMS_add0_cert +.Fa "CMS_ContentInfo *cms" +.Fa "X509 *cert" +.Fc +.Ft int +.Fo CMS_add1_cert +.Fa "CMS_ContentInfo *cms" +.Fa "X509 *cert" +.Fc +.Ft STACK_OF(X509) * +.Fo CMS_get1_certs +.Fa "CMS_ContentInfo *cms" +.Fc +.Ft int +.Fo CMS_add0_crl +.Fa "CMS_ContentInfo *cms" +.Fa "X509_CRL *crl" +.Fc +.Ft int +.Fo CMS_add1_crl +.Fa "CMS_ContentInfo *cms" +.Fa "X509_CRL *crl" +.Fc +.Ft STACK_OF(X509_CRL) * +.Fo CMS_get1_crls +.Fa "CMS_ContentInfo *cms" +.Fc +.Sh DESCRIPTION +.Fn CMS_add0_cert +and +.Fn CMS_add1_cert +add the certificate +.Fa cert +to +.Fa cms . +.Fa cms +must be of type signed data or enveloped data. +.Pp +.Fn CMS_get1_certs +returns all certificates in +.Fa cms . +.Pp +.Fn CMS_add0_crl +and +.Fn CMS_add1_crl +add the CRL +.Fa crl +to +.Fa cms . +.Fn CMS_get1_crls +returns any CRLs in +.Fa cms . +.Pp +The +.Vt CMS_ContentInfo +structure +.Fa cms +must be of type signed data or enveloped data or an error will be +returned. +.Pp +The signed data certificates and CRLs are added to the +.Sy certificates +and +.Sy crls +fields of the SignedData structure. +For enveloped data, they are added to +.Sy OriginatorInfo . +.Pp +As the +.Sq 0 +in the function name implies, +.Fn CMS_add0_cert +adds +.Fa cert +internally to +.Fa cms +and it must not be freed up after the call, as opposed to +.Fn CMS_add1_cert +where +.Fa cert +must be freed up. +.Pp +The same certificate or CRL must not be added to the same cms structure +more than once. +.Sh RETURN VALUES +.Fn CMS_add0_cert , +.Fn CMS_add1_cert , +.Fn CMS_add0_crl , +and +.Fn CMS_add1_crl +return 1 for success or 0 for failure. +.Pp +.Fn CMS_get1_certs +and +.Fn CMS_get1_crls +return the STACK of certificates or CRLs or +.Dv NULL +if there are none or an error occurs. +The only error which will occur in practice is if the +.Fa cms +type is invalid. +.Sh SEE ALSO +.Xr CMS_encrypt 3 , +.Xr CMS_sign 3 , +.Xr ERR_get_error 3 +.Sh HISTORY +.Fn CMS_add0_cert , +.Fn CMS_add1_cert , +.Fn CMS_get1_certs , +.Fn CMS_add0_crl +and +.Fn CMS_get1_crls +were all first added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/lib/libcrypto/man/CMS_add1_recipient_cert.3 new file mode 100644 index 00000000000..47307fdaa19 --- /dev/null +++ b/lib/libcrypto/man/CMS_add1_recipient_cert.3 @@ -0,0 +1,165 @@ +.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_ADD1_RECIPIENT_CERT 3 +.Os +.Sh NAME +.Nm CMS_add1_recipient_cert , +.Nm CMS_add0_recipient_key +.Nd add recipients to a CMS enveloped data structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft CMS_RecipientInfo * +.Fo CMS_add1_recipient_cert +.Fa "CMS_ContentInfo *cms" +.Fa "X509 *recip" +.Fa "unsigned int flags" +.Fc +.Ft CMS_RecipientInfo * +.Fo CMS_add0_recipient_key +.Fa "CMS_ContentInfo *cms" +.Fa "int nid" +.Fa "unsigned char *key" +.Fa "size_t keylen" +.Fa "unsigned char *id" +.Fa "size_t idlen" +.Fa "ASN1_GENERALIZEDTIME *date" +.Fa "ASN1_OBJECT *otherTypeId" +.Fa "ASN1_TYPE *otherType" +.Fc +.Sh DESCRIPTION +.Fn CMS_add1_recipient_cert +adds the recipient +.Fa recip +to the +.Vt CMS_ContentInfo +enveloped data structure +.Fa cms +as a KeyTransRecipientInfo structure. +.Pp +.Fn CMS_add0_recipient_key +adds the symmetric key +.Fa key +of length +.Fa keylen +using the wrapping algorithm +.Fa nid , +the identifier +.Fa id +of length +.Fa idlen , +and the optional values +.Fa date , +.Fa otherTypeId +and +.Fa otherType +to the +.Vt CMS_ContentInfo +enveloped data structure +.Fa cms +as a KEKRecipientInfo structure. +.Pp +The +.Vt CMS_ContentInfo +structure should be obtained from an initial call to +.Xr CMS_encrypt 3 +with the flag +.Dv CMS_PARTIAL +set. +.Pp +The main purpose of this function is to provide finer control over a CMS +enveloped data structure where the simpler +.Xr CMS_encrypt 3 +function defaults are not appropriate, +for example if one or more KEKRecipientInfo structures need to be added. +New attributes can also be added using the returned +.Vt CMS_RecipientInfo +structure and the CMS attribute utility functions. +.Pp +By default, recipient certificates are identified using issuer +name and serial number. +If the flag +.Dv CMS_USE_KEYID +is set, it will use the subject key identifier value instead. +An error occurs if all recipient certificates do not have a subject key +identifier extension. +.Pp +Currently only AES based key wrapping algorithms are supported for +.Fa nid , +specifically +.Dv NID_id_aes128_wrap , +.Dv NID_id_aes192_wrap , +and +.Dv NID_id_aes256_wrap . +If +.Fa nid +is set to +.Dv NID_undef , +then an AES wrap algorithm will be used consistent with +.Fa keylen . +.Sh RETURN VALUES +.Fn CMS_add1_recipient_cert +and +.Fn CMS_add0_recipient_key +return an internal pointer to the +.Vt CMS_RecipientInfo +structure just added or +.Dv NULL +if an error occurs. +.Sh SEE ALSO +.Xr CMS_decrypt 3 , +.Xr CMS_final 3 , +.Xr ERR_get_error 3 +.Sh HISTORY +.Fn CMS_add1_recipient_cert +and +.Fn CMS_add0_recipient_key +were added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_add1_signer.3 b/lib/libcrypto/man/CMS_add1_signer.3 new file mode 100644 index 00000000000..065e15c7be9 --- /dev/null +++ b/lib/libcrypto/man/CMS_add1_signer.3 @@ -0,0 +1,203 @@ +.\" $OpenBSD: CMS_add1_signer.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_ADD1_SIGNER 3 +.Os +.Sh NAME +.Nm CMS_add1_signer , +.Nm CMS_SignerInfo_sign +.Nd add a signer to a CMS_ContentInfo signed data structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft CMS_SignerInfo * +.Fo CMS_add1_signer +.Fa "CMS_ContentInfo *cms" +.Fa "X509 *signcert" +.Fa "EVP_PKEY *pkey" +.Fa "const EVP_MD *md" +.Fa "unsigned int flags" +.Fc +.Ft int +.Fo CMS_SignerInfo_sign +.Fa "CMS_SignerInfo *si" +.Fc +.Sh DESCRIPTION +.Fn CMS_add1_signer +adds a signer with certificate +.Fa signcert +and private key +.Fa pkey +using message digest +.Fa md +to the +.Vt CMS_ContentInfo +SignedData structure +.Fa cms . +.Pp +The +.Vt CMS_ContentInfo +structure should be obtained from an initial call to +.Xr CMS_sign 3 +with the flag +.Dv CMS_PARTIAL +set or in the case or re-signing a valid +.Vt CMS_ContentInfo +SignedData structure. +.Pp +If the +.Fa md +parameter is +.Dv NULL , +then the default digest for the public key algorithm will be used. +.Pp +Unless the +.Dv CMS_REUSE_DIGEST +flag is set, the returned +.Vt CMS_ContentInfo +structure is not complete and must be finalized either by streaming +(if applicable) or a call to +.Xr CMS_final 3 . +.Pp +The +.Fn CMS_SignerInfo_sign +function will explicitly sign a +.Vt CMS_SignerInfo +structure. +Its main use is when the +.Dv CMS_REUSE_DIGEST +and +.Dv CMS_PARTIAL +flags are both set. +.Pp +The main purpose of +.Fn CMS_add1_signer +is to provide finer control over a CMS signed data structure where the +simpler +.Xr CMS_sign 3 +function defaults are not appropriate, for example if multiple signers +or non default digest algorithms are needed. +New attributes can also be added using the returned +.Vt CMS_SignerInfo +structure and the CMS attribute utility functions or the CMS signed +receipt request functions. +.Pp +Any of the following flags (OR'ed together) can be passed in the +.Fa flags +parameter: +.Bl -tag -width Ds +.It Dv CMS_REUSE_DIGEST +Attempt to copy the content digest value from the +.Vt CMS_ContentInfo +structure to add a signer to an existing structure. +An error occurs if a matching digest value cannot be found to copy. +The returned +.Vt CMS_ContentInfo +structure will be valid and finalized when this flag is set. +.It Dv CMS_PARTIAL +If this flag is set in addition to +.Dv CMS_REUSE_DIGEST , +then the +.Vt CMS_SignerInfo +structure will not be finalized so additional attributes can be added. +In this case an explicit call to +.Fn CMS_SignerInfo_sign +is needed to finalize it. +.It Dv CMS_NOCERTS +Do not include the signer's certificate in the +.Vt CMS_ContentInfo +structure. +The signer's certificate must still be supplied in the +.Fa signcert +parameter though. +This can reduce the size of the signature if the signer's certificate can +be obtained by other means, for example from a previously signed message. +.Pp +The SignedData structure includes several CMS signedAttributes including +the signing time, the CMS content type and the supported list of ciphers +in an SMIMECapabilities attribute. +.It Dv CMS_NOATTR +Use no signedAttributes. +.It Dv CMS_NOSMIMECAP +Omit just the SMIMECapabilities. +.It Dv CMS_USE_KEYID +Use the subject key identifier value to identify signing certificates. +An error occurs if the signing certificate does not have a subject key +identifier extension. +By default, issuer name and serial number are used instead. +.El +.Pp +If present, the SMIMECapabilities attribute indicates support for the +following algorithms in preference order: 256 bit AES, Gost R3411-94, +Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit +RC2, DES and 40 bit RC2. +If any of these algorithms is not available then it will not be +included: for example the GOST algorithms will not be included if +the GOST ENGINE is not loaded. +.Pp +.Fn CMS_add1_signer +returns an internal pointer to the +.Vt CMS_SignerInfo +structure just added. +This can be used to set additional attributes before it is finalized. +.Sh RETURN VALUES +.Fn CMS_add1_signer +returns an internal pointer to the +.Vt CMS_SignerInfo +structure just added or +.Dv NULL +if an error occurs. +.Sh SEE ALSO +.Xr CMS_final 3 , +.Xr CMS_sign 3 , +.Xr ERR_get_error 3 +.Sh HISTORY +.Fn CMS_add1_signer +was added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_compress.3 b/lib/libcrypto/man/CMS_compress.3 new file mode 100644 index 00000000000..64bab796174 --- /dev/null +++ b/lib/libcrypto/man/CMS_compress.3 @@ -0,0 +1,157 @@ +.\" $OpenBSD: CMS_compress.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_COMPRESS 3 +.Os +.Sh NAME +.Nm CMS_compress +.Nd create a CMS CompressedData structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft CMS_ContentInfo * +.Fo CMS_compress +.Fa "BIO *in" +.Fa "int comp_nid" +.Fa "unsigned int flags" +.Fc +.Sh DESCRIPTION +.Fn CMS_compress +creates and returns a CMS CompressedData structure. +.Fa comp_nid +is the compression algorithm to use or +.Dv NID_undef +to use the default algorithm (zlib compression). +.Fa in +is the content to be compressed. +.Fa flags +is an optional set of flags. +.Pp +The only currently supported compression algorithm is zlib using the NID +.Dv NID_zlib_compression . +.Pp +If zlib support is not compiled in, then +.Fn CMS_compress +will return an error. +.Pp +If the +.Dv CMS_TEXT +flag is set, MIME headers for type text/plain are prepended to the data. +.Pp +Normally the supplied content is translated into MIME canonical format +(as required by the S/MIME specifications); if +.Dv CMS_BINARY +is set, no translation occurs. +This option should be used if the supplied data is in binary format. +Otherwise, the translation will corrupt it. +If +.Dv CMS_BINARY +is set then +.Dv CMS_TEXT +is ignored. +.Pp +If the +.Dv CMS_STREAM +flag is set, a partial +.Vt CMS_ContentInfo +structure is returned suitable for streaming I/O: no data is read from +the BIO +.Fa in . +.Pp +The compressed data is included in the +.Vt CMS_ContentInfo +structure unless +.Dv CMS_DETACHED +is set, in which case it is omitted. +This is rarely used in practice and is not supported by +.Xr SMIME_write_CMS 3 . +.Pp +If the flag +.Dv CMS_STREAM +is set, the returned +.Vt CMS_ContentInfo +structure is +.Em not +complete and outputting its contents via a function that does not +properly finalize the +.Vt CMS_ContentInfo +structure will give unpredictable results. +.Pp +Several functions including +.Xr SMIME_write_CMS 3 , +.Xr i2d_CMS_bio_stream 3 , +and +.Xr PEM_write_bio_CMS_stream 3 +finalize the structure. +Alternatively finalization can be performed by obtaining the streaming +ASN1 +.Vt BIO +directly using +.Xr BIO_new_CMS 3 . +.Pp +Additional compression parameters such as the zlib compression level +cannot currently be set. +.Sh RETURN VALUES +.Fn CMS_compress +returns either a +.Vt CMS_ContentInfo +structure or +.Dv NULL +if an error occurred. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_uncompress 3 +.Sh HISTORY +.Fn CMS_compress +was added to OpenSSL 0.9.8. +The +.Dv CMS_STREAM +flag was added in OpenSSL 1.0.0. diff --git a/lib/libcrypto/man/CMS_decrypt.3 b/lib/libcrypto/man/CMS_decrypt.3 new file mode 100644 index 00000000000..de37b357a14 --- /dev/null +++ b/lib/libcrypto/man/CMS_decrypt.3 @@ -0,0 +1,169 @@ +.\" $OpenBSD: CMS_decrypt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008, 2014 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_DECRYPT 3 +.Os +.Sh NAME +.Nm CMS_decrypt +.Nd decrypt content from a CMS envelopedData structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo CMS_decrypt +.Fa "CMS_ContentInfo *cms" +.Fa "EVP_PKEY *pkey" +.Fa "X509 *cert" +.Fa "BIO *dcont" +.Fa "BIO *out" +.Fa "unsigned int flags" +.Fc +.Sh DESCRIPTION +.Fn CMS_decrypt +extracts and decrypts the content from a CMS EnvelopedData structure. +.Fa pkey +is the private key of the recipient, +.Fa cert +is the recipient's certificate, +.Fa out +is a +.Vt BIO +to write the content to and +.Fa flags +is an optional set of flags. +.Pp +The +.Fa dcont +parameter is used in the rare case where the encrypted content is +detached. +It will normally be set to +.Dv NULL . +.Pp +Although the recipients certificate is not needed to decrypt the data it +is needed to locate the appropriate (of possible several) recipients in +the CMS structure. +.Pp +If +.Fa cert +is set to +.Dv NULL , +all possible recipients are tried. +This case however is problematic. +To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA +padding) all recipients are tried whether they succeed or not. +If no recipient succeeds then a random symmetric key is used to decrypt +the content: this will typically output garbage and may (but is not +guaranteed to) ultimately return a padding error only. +If +.Fn CMS_decrypt +just returned an error when all recipient encrypted keys failed to +decrypt an attacker could use this in a timing attack. +If the special flag +.Dv CMS_DEBUG_DECRYPT +is set, then the above behaviour is modified and an error +.Em is +returned if no recipient encrypted key can be decrypted +.Em without +generating a random content encryption key. +Applications should use this flag with extreme caution +especially in automated gateways as it can leave them open to attack. +.Pp +It is possible to determine the correct recipient key by other means +(for example looking them up in a database) and setting them in the CMS +structure in advance using the CMS utility functions such as +.Xr CMS_set1_pkey 3 . +In this case both +.Fa cert +and +.Fa pkey +should be set to +.Dv NULL . +.Pp +To process KEKRecipientInfo types, +.Xr CMS_set1_key 3 +or +.Xr CMS_RecipientInfo_set0_key 3 +and +.Xr CMS_RecipientInfo_decrypt 3 +should be called before +.Fn CMS_decrypt +and +.Fa cert +and +.Fa pkey +set to +.Dv NULL . +.Pp +The following flags can be passed in the +.Fa flags +parameter: +.Pp +If the +.Dv CMS_TEXT +flag is set, MIME headers for type text/plain +are deleted from the content. +If the content is not of type text/plain, +then an error is returned. +.Sh RETURN VALUES +.Fn CMS_decrypt +returns either 1 for success or 0 for failure. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_encrypt 3 +.Sh HISTORY +.Fn CMS_decrypt +was added to OpenSSL 0.9.8. +.Sh BUGS +The lack of single pass processing and the need to hold all data in +memory as mentioned in +.Xr CMS_verify 3 +also applies to +.Fn CMS_decrypt . diff --git a/lib/libcrypto/man/CMS_encrypt.3 b/lib/libcrypto/man/CMS_encrypt.3 new file mode 100644 index 00000000000..8550de2c9f3 --- /dev/null +++ b/lib/libcrypto/man/CMS_encrypt.3 @@ -0,0 +1,190 @@ +.\" $OpenBSD: CMS_encrypt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_ENCRYPT 3 +.Os +.Sh NAME +.Nm CMS_encrypt +.Nd create a CMS envelopedData structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft CMS_ContentInfo * +.Fo CMS_encrypt +.Fa "STACK_OF(X509) *certs" +.Fa "BIO *in" +.Fa "const EVP_CIPHER *cipher" +.Fa "unsigned int flags" +.Fc +.Sh DESCRIPTION +.Fn CMS_encrypt +creates and returns a CMS EnvelopedData structure. +.Fa certs +is a list of recipient certificates. +.Fa in +is the content to be encrypted. +.Fa cipher +is the symmetric cipher to use. +.Fa flags +is an optional set of flags. +.Pp +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported +by this function. +.Pp +.Xr EVP_des_ede3_cbc 3 +(triple DES) is the algorithm of choice for S/MIME use because most +clients will support it. +.Pp +The algorithm passed in the +.Fa cipher +parameter must support ASN1 encoding of its parameters. +.Pp +Many browsers implement a "sign and encrypt" option which is simply an +S/MIME envelopedData containing an S/MIME signed message. +This can be readily produced by storing the S/MIME signed message in a +memory BIO and passing it to +.Fn CMS_encrypt . +.Pp +The following flags can be passed in the +.Fa flags +parameter: +.Bl -tag -width Ds +.It Dv CMS_TEXT +MIME headers for type text/plain are prepended to the data. +.It Dv CMS_BINARY +Do not translate the supplied content into MIME canonical format +even though that is required by the S/MIME specifications. +This option should be used if the supplied data is in binary format. +Otherwise, the translation will corrupt it. +If +.Dv CMS_BINARY +is set, then +.Dv CMS_TEXT +is ignored. +.It Dv CMS_USE_KEYID +Use the subject key identifier value to identify recipient certificates. +An error occurs if all recipient certificates do not have a subject key +identifier extension. +By default, issuer name and serial number are used instead. +.It Dv CMS_STREAM +Return a partial +.Vt CMS_ContentInfo +structure suitable for streaming I/O: no data is read from the BIO +.Fa in . +.It Dv CMS_PARTIAL +Return a partial +.Vt CMS_ContentInfo +structure to which additional recipients and attributes can +be added before finalization. +.It Dv CMS_DETACHED +Omit the data being encrypted from the +.Vt CMS_ContentInfo +structure. +This is rarely used in practice and is not supported by +.Xr SMIME_write_CMS 3 . +.El +.Pp +If the flag +.Dv CMS_STREAM +is set, the returned +.Vt CMS_ContentInfo +structure is +.Em not +complete and outputting its contents via a function that does not +properly finalize the +.Vt CMS_ContentInfo +structure will give unpredictable results. +.Pp +Several functions including +.Xr SMIME_write_CMS 3 , +.Xr i2d_CMS_bio_stream 3 , +.Xr PEM_write_bio_CMS_stream 3 +finalize the structure. +Alternatively finalization can be performed by obtaining the streaming +ASN1 +.Vt BIO +directly using +.Xr BIO_new_CMS 3 . +.Pp +The recipients specified in +.Fa certs +use a CMS KeyTransRecipientInfo info structure. +KEKRecipientInfo is also supported using the flag +.Dv CMS_PARTIAL +and +.Xr CMS_add0_recipient_key 3 . +.Pp +The parameter +.Fa certs +may be +.Dv NULL +if +.Dv CMS_PARTIAL +is set and recipients are added later using +.Xr CMS_add1_recipient_cert 3 +or +.Xr CMS_add0_recipient_key 3 . +.Sh RETURN VALUES +.Fn CMS_encrypt +returns either a +.Vt CMS_ContentInfo +structure or +.Dv NULL +if an error occurred. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_decrypt 3 +.Sh HISTORY +.Fn CMS_encrypt +was added to OpenSSL 0.9.8. +The +.Sy CMS_STREAM +flag was first supported in OpenSSL 1.0.0. diff --git a/lib/libcrypto/man/CMS_final.3 b/lib/libcrypto/man/CMS_final.3 new file mode 100644 index 00000000000..8404005c74f --- /dev/null +++ b/lib/libcrypto/man/CMS_final.3 @@ -0,0 +1,98 @@ +.\" $OpenBSD: CMS_final.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 25ccb589 Jul 1 02:02:06 2019 +0800 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_FINAL 3 +.Os +.Sh NAME +.Nm CMS_final +.Nd finalise a CMS_ContentInfo structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo CMS_final +.Fa "CMS_ContentInfo *cms" +.Fa "BIO *data" +.Fa "BIO *dcont" +.Fa "unsigned int flags" +.Fc +.Sh DESCRIPTION +.Fn CMS_final +finalises the structure +.Fa cms . +Its purpose is to perform any operations necessary on +.Fa cms +(digest computation for example) and set the appropriate fields. +The parameter +.Fa data +contains the content to be processed. +The +.Fa dcont +parameter contains a +.Vt BIO +to write content to after processing: this is +only used with detached data and will usually be set to +.Dv NULL . +.Pp +This function will normally be called when the +.Dv CMS_PARTIAL +flag is used. +It should only be used when streaming is not performed because the +streaming I/O functions perform finalisation operations internally. +.Sh RETURN VALUES +.Fn CMS_final +returns 1 for success or 0 for failure. +.Sh SEE ALSO +.Xr CMS_encrypt 3 , +.Xr CMS_sign 3 , +.Xr ERR_get_error 3 +.Sh HISTORY +.Fn CMS_final +was added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/lib/libcrypto/man/CMS_get0_RecipientInfos.3 new file mode 100644 index 00000000000..07c16c5675a --- /dev/null +++ b/lib/libcrypto/man/CMS_get0_RecipientInfos.3 @@ -0,0 +1,323 @@ +.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008, 2013 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_GET0_RECIPIENTINFOS 3 +.Os +.Sh NAME +.Nm CMS_get0_RecipientInfos , +.Nm CMS_RecipientInfo_type , +.Nm CMS_RecipientInfo_ktri_get0_signer_id , +.Nm CMS_RecipientInfo_ktri_cert_cmp , +.Nm CMS_RecipientInfo_set0_pkey , +.Nm CMS_RecipientInfo_kekri_get0_id , +.Nm CMS_RecipientInfo_kekri_id_cmp , +.Nm CMS_RecipientInfo_set0_key , +.Nm CMS_RecipientInfo_decrypt , +.Nm CMS_RecipientInfo_encrypt +.Nd CMS envelopedData RecipientInfo routines +.Sh SYNOPSIS +.In openssl/cms.h +.Ft STACK_OF(CMS_RecipientInfo) * +.Fo CMS_get0_RecipientInfos +.Fa "CMS_ContentInfo *cms" +.Fc +.Ft int +.Fo CMS_RecipientInfo_type +.Fa "CMS_RecipientInfo *ri" +.Fc +.Ft int +.Fo CMS_RecipientInfo_ktri_get0_signer_id +.Fa "CMS_RecipientInfo *ri" +.Fa "ASN1_OCTET_STRING **keyid" +.Fa "X509_NAME **issuer" +.Fa "ASN1_INTEGER **sno" +.Fc +.Ft int +.Fo CMS_RecipientInfo_ktri_cert_cmp +.Fa "CMS_RecipientInfo *ri" +.Fa "X509 *cert" +.Fc +.Ft int +.Fo CMS_RecipientInfo_set0_pkey +.Fa "CMS_RecipientInfo *ri" +.Fa "EVP_PKEY *pkey" +.Fc +.Ft int +.Fo CMS_RecipientInfo_kekri_get0_id +.Fa "CMS_RecipientInfo *ri" +.Fa "X509_ALGOR **palg" +.Fa "ASN1_OCTET_STRING **pid" +.Fa "ASN1_GENERALIZEDTIME **pdate" +.Fa "ASN1_OBJECT **potherid" +.Fa "ASN1_TYPE **pothertype" +.Fc +.Ft int +.Fo CMS_RecipientInfo_kekri_id_cmp +.Fa "CMS_RecipientInfo *ri" +.Fa "const unsigned char *id" +.Fa "size_t idlen" +.Fc +.Ft int +.Fo CMS_RecipientInfo_set0_key +.Fa "CMS_RecipientInfo *ri" +.Fa "unsigned char *key" +.Fa "size_t keylen" +.Fc +.Ft int +.Fo CMS_RecipientInfo_decrypt +.Fa "CMS_ContentInfo *cms" +.Fa "CMS_RecipientInfo *ri" +.Fc +.Ft int +.Fo CMS_RecipientInfo_encrypt +.Fa "CMS_ContentInfo *cms" +.Fa "CMS_RecipientInfo *ri" +.Fc +.Sh DESCRIPTION +The function +.Fn CMS_get0_RecipientInfos +returns all the +.Vt CMS_RecipientInfo +structures associated with a CMS EnvelopedData structure. +.Pp +.Fn CMS_RecipientInfo_type +returns the type of the +.Vt CMS_RecipientInfo +structure +.Fa ri . +It will currently return +.Dv CMS_RECIPINFO_TRANS , +.Dv CMS_RECIPINFO_AGREE , +.Dv CMS_RECIPINFO_KEK , +.Dv CMS_RECIPINFO_PASS , +or +.Dv CMS_RECIPINFO_OTHER . +.Pp +.Fn CMS_RecipientInfo_ktri_get0_signer_id +retrieves the certificate recipient identifier associated with a +specific +.Vt CMS_RecipientInfo +structure +.Fa ri , +which must be of type +.Dv CMS_RECIPINFO_TRANS . +Either the keyidentifier will be set in +.Fa keyid +or +.Em both +issuer name and serial number in +.Fa issuer +and +.Fa sno . +.Pp +.Fn CMS_RecipientInfo_ktri_cert_cmp +compares the certificate +.Fa cert +against the +.Vt CMS_RecipientInfo +structure +.Fa ri , +which must be of type +.Dv CMS_RECIPINFO_TRANS . +It returns zero if the comparison is successful or non-zero if not. +.Pp +.Fn CMS_RecipientInfo_set0_pkey +associates the private key +.Fa pkey +with the +.Vt CMS_RecipientInfo +structure +.Fa ri , +which must be of type +.Dv CMS_RECIPINFO_TRANS . +.Pp +.Fn CMS_RecipientInfo_kekri_get0_id +retrieves the key information from the +.Vt CMS_RecipientInfo +structure +.Fa ri +which must be of type +.Dv CMS_RECIPINFO_KEK . +Any of the remaining parameters can be +.Dv NULL +if the application is not interested in the value of a field. +Where a field is optional and absent, +.Dv NULL +will be written to the corresponding parameter. +The keyEncryptionAlgorithm field is written to +.Fa palg , +the keyIdentifier field is written to +.Fa pid , +the +.Sy date +field if present is written to +.Fa pdate . +If the +.Sy other +field is present the components +.Sy keyAttrId +and +.Sy keyAttr +are written to the parameters +.Fa potherid +and +.Fa pothertype . +.Pp +.Fn CMS_RecipientInfo_kekri_id_cmp +compares the ID in the +.Fa id +and +.Fa idlen +parameters against the keyIdentifier +.Vt CMS_RecipientInfo +structure +.Fa ri , +which must be of type +.Dv CMS_RECIPINFO_KEK . +It returns zero if the comparison is successful or non-zero if not. +.Pp +.Fn CMS_RecipientInfo_set0_key +associates the symmetric key +.Fa key +of length +.Fa keylen +with the +.Vt CMS_RecipientInfo +structure +.Fa ri , +which must be of type +.Dv CMS_RECIPINFO_KEK . +.Pp +.Fn CMS_RecipientInfo_decrypt +attempts to decrypt the +.Vt CMS_RecipientInfo +structure +.Fa ri +in structure +.Fa cms . +A key must have been associated with the structure first. +.Pp +.Fn CMS_RecipientInfo_encrypt +attempts to encrypt the +.Vt CMS_RecipientInfo +structure +.Fa ri +in structure +.Fa cms . +A key must have been associated with the structure first and the content +encryption key must be available: for example by a previous call to +.Fn CMS_RecipientInfo_decrypt . +.Pp +The main purpose of these functions is to enable an application to +lookup recipient keys using any appropriate technique when the simpler +method of +.Xr CMS_decrypt 3 +is not appropriate. +.Pp +In typical usage, an application will retrieve all +.Vt CMS_RecipientInfo +structures using +.Fn CMS_get0_RecipientInfos +and check the type of each using +.Fn CMS_RecipientInfo_type . +Depending on the type, the +.Vt CMS_RecipientInfo +structure can be ignored or its key identifier data retrieved using +an appropriate function. +If the corresponding secret or private key can be obtained by any +appropriate means it can then be associated with the structure and +.Fn CMS_RecipientInfo_decrypt +called. +If successful, +.Xr CMS_decrypt 3 +can be called with a +.Dv NULL +key to decrypt the enveloped content. +.Pp +The function +.Fn CMS_RecipientInfo_encrypt +can be used to add a new recipient to an existing enveloped data +structure. +Typically an application will first decrypt an appropriate +.Vt CMS_RecipientInfo +structure to make the content encrypt key available. +Ot will then add a new recipient using a function such as +.Xr CMS_add1_recipient_cert 3 +and finally encrypt the content encryption key using +.Fn CMS_RecipientInfo_encrypt . +.Sh RETURN VALUES +.Fn CMS_get0_RecipientInfos +returns all +.Vt CMS_RecipientInfo +structures, or +.Dv NULL +if an error occurs. +.Pp +.Fn CMS_RecipientInfo_ktri_get0_signer_id , +.Fn CMS_RecipientInfo_set0_pkey , +.Fn CMS_RecipientInfo_kekri_get0_id , +.Fn CMS_RecipientInfo_set0_key , +.Fn CMS_RecipientInfo_decrypt , +and +.Fn CMS_RecipientInfo_encrypt +return 1 for success or 0 if an error occurs. +.Pp +.Fn CMS_RecipientInfo_ktri_cert_cmp +and +.Fn CMS_RecipientInfo_kekri_id_cmp +return 0 for a successful comparison or non-zero otherwise. +.Pp +Any error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_decrypt 3 +.Sh HISTORY +These functions were first was added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/lib/libcrypto/man/CMS_get0_SignerInfos.3 new file mode 100644 index 00000000000..b9c8fee3666 --- /dev/null +++ b/lib/libcrypto/man/CMS_get0_SignerInfos.3 @@ -0,0 +1,180 @@ +.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008, 2013 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_GET0_SIGNERINFOS 3 +.Os +.Sh NAME +.Nm CMS_get0_SignerInfos , +.Nm CMS_SignerInfo_get0_signer_id , +.Nm CMS_SignerInfo_get0_signature , +.Nm CMS_SignerInfo_cert_cmp , +.Nm CMS_SignerInfo_set1_signer_cert +.Nd CMS signedData signer functions +.Sh SYNOPSIS +.In openssl/cms.h +.Ft STACK_OF(CMS_SignerInfo) * +.Fo CMS_get0_SignerInfos +.Fa "CMS_ContentInfo *cms" +.Fc +.Ft int +.Fo CMS_SignerInfo_get0_signer_id +.Fa "CMS_SignerInfo *si" +.Fa "ASN1_OCTET_STRING **keyid" +.Fa "X509_NAME **issuer" +.Fa "ASN1_INTEGER **sno" +.Fc +.Ft ASN1_OCTET_STRING * +.Fo CMS_SignerInfo_get0_signature +.Fa "CMS_SignerInfo *si" +.Fc +.Ft int +.Fo CMS_SignerInfo_cert_cmp +.Fa "CMS_SignerInfo *si" +.Fa "X509 *cert" +.Fc +.Ft void +.Fo CMS_SignerInfo_set1_signer_cert +.Fa "CMS_SignerInfo *si" +.Fa "X509 *signer" +.Fc +.Sh DESCRIPTION +The function +.Fn CMS_get0_SignerInfos +returns all the +.Vt CMS_SignerInfo +structures associated with a CMS signedData structure. +.Pp +.Fn CMS_SignerInfo_get0_signer_id +retrieves the certificate signer identifier associated with a specific +.Vt CMS_SignerInfo +structure +.Fa si . +Either the keyidentifier will be set in +.Fa keyid +or +.Em both +issuer name and serial number in +.Fa issuer +and +.Fa sno . +.Pp +.Fn CMS_SignerInfo_get0_signature +retrieves the signature associated with +.Fa si +in a pointer to an +.Vt ASN1_OCTET_STRING +structure. +This pointer returned corresponds to the internal signature value of +.Fa si +so it may be read or modified. +.Pp +.Fn CMS_SignerInfo_cert_cmp +compares the certificate +.Fa cert +against the signer identifier +.Fa si . +It returns zero if the comparison is successful or non-zero if not. +.Pp +.Fn CMS_SignerInfo_set1_signer_cert +sets the signers certificate of +.Fa si +to +.Fa signer . +.Pp +The main purpose of these functions is to enable an application to +lookup signers certificates using any appropriate technique when the +simpler method of +.Xr CMS_verify 3 +is not appropriate. +.Pp +In typical usage an application will retrieve all +.Vt CMS_SignerInfo +structures using +.Fn CMS_get0_SignerInfos +and retrieve the identifier information using CMS. +It will then obtain the signer certificate by some unspecified means +(or return and error if it cannot be found) and set it using +.Fn CMS_SignerInfo_set1_signer_cert . +.Pp +Once all signer certificates have been set, +.Xr CMS_verify 3 +can be used. +.Pp +Although +.Fn CMS_get0_SignerInfos +can return +.Dv NULL +if an error occurs +.Em or +if there are no signers, this is not a problem in practice because the +only error which can occur is if the +.Fa cms +structure is not of type signedData due to application error. +.Sh RETURN VALUES +.Fn CMS_get0_SignerInfos +returns all +.Vt CMS_SignerInfo +structures, or +.Dv NULL +if there are no signers or an error occurs. +.Pp +.Fn CMS_SignerInfo_get0_signer_id +returns 1 for success or 0 for failure. +.Pp +.Fn CMS_SignerInfo_cert_cmp +returns 0 for a successful comparison or non-zero otherwise. +.Pp +Any error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_verify 3 +.Sh HISTORY +These functions were first was added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_get0_type.3 b/lib/libcrypto/man/CMS_get0_type.3 new file mode 100644 index 00000000000..982826c7ca2 --- /dev/null +++ b/lib/libcrypto/man/CMS_get0_type.3 @@ -0,0 +1,174 @@ +.\" $OpenBSD: CMS_get0_type.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008, 2015 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_GET0_TYPE 3 +.Os +.Sh NAME +.Nm CMS_get0_type , +.Nm CMS_set1_eContentType , +.Nm CMS_get0_eContentType , +.Nm CMS_get0_content +.Nd get and set CMS content types and content +.Sh SYNOPSIS +.In openssl/cms.h +.Ft const ASN1_OBJECT * +.Fo CMS_get0_type +.Fa "const CMS_ContentInfo *cms" +.Fc +.Ft int +.Fo CMS_set1_eContentType +.Fa "CMS_ContentInfo *cms" +.Fa "const ASN1_OBJECT *oid" +.Fc +.Ft const ASN1_OBJECT * +.Fo CMS_get0_eContentType +.Fa "CMS_ContentInfo *cms" +.Fc +.Ft ASN1_OCTET_STRING ** +.Fo CMS_get0_content +.Fa "CMS_ContentInfo *cms" +.Fc +.Sh DESCRIPTION +.Fn CMS_get0_type +returns the content type of a +.Vt CMS_ContentInfo +structure as an +.Vt ASN1_OBJECT +pointer. +An application can then decide how to process the +.Vt CMS_ContentInfo +structure based on this value. +.Pp +.Fn CMS_set1_eContentType +sets the embedded content type of a +.Vt CMS_ContentInfo +structure. +It should be called with CMS functions (such as +.Xr CMS_sign 3 , +.Xr CMS_encrypt 3 ) +with the +.Dv CMS_PARTIAL +flag and +.Em before +the structure is finalised, otherwise the results are undefined. +.Pp +.Fn CMS_get0_eContentType +returns a pointer to the embedded content type. +.Pp +.Fn CMS_get0_content +returns a pointer to the +.Vt ASN1_OCTET_STRING +pointer containing the embedded content. +.Pp +As the +.Sq 0 +in the function names imply, +.Fn CMS_get0_type , +.Fn CMS_get0_eContentType , +and +.Fn CMS_get0_content +return internal pointers which should +.Em not +be freed up. +.Fn CMS_set1_eContentType +copies the supplied OID and it +.Em should +be freed up after use. +.Pp +The +.Vt ASN1_OBJECT +values returned can be converted to an integer NID value using +.Xr OBJ_obj2nid 3 . +For the currently supported content types the following values are +returned: +.Dv NID_pkcs7_data , +.Dv NID_pkcs7_signed , +.Dv NID_pkcs7_digest , +.Dv NID_id_smime_ct_compressedData , +.Dv NID_pkcs7_encrypted , +.Dv NID_pkcs7_enveloped . +.Pp +The return value of +.Fn CMS_get0_content +is a pointer to the +.Vt ASN1_OCTET_STRING +content pointer. +That means that for example after +.Pp +.Dl ASN1_OCTET_STRING **pconf = CMS_get0_content(cms); +.Pp +.Pf * Va pconf +could be +.Dv NULL +if there is no embedded content. +Applications can access, modify or create the embedded content in a +.Vt CMS_ContentInfo +structure using this function. +Applications usually will not need to modify the embedded content as it +is normally set by higher level functions. +.Sh RETURN VALUES +.Fn CMS_get0_type +and +.Fn CMS_get0_eContentType +return an +.Vt ASN1_OBJECT +structure. +.Pp +.Fn CMS_set1_eContentType +returns 1 for success or 0 if an error occurred. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh HISTORY +.Fn CMS_get0_type , +.Fn CMS_set1_eContentType , +and +.Fn CMS_get0_eContentType +were all first added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 new file mode 100644 index 00000000000..d944f606d8a --- /dev/null +++ b/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 @@ -0,0 +1,175 @@ +.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_GET1_RECEIPTREQUEST 3 +.Os +.Sh NAME +.Nm CMS_ReceiptRequest_create0 , +.Nm CMS_add1_ReceiptRequest , +.Nm CMS_get1_ReceiptRequest , +.Nm CMS_ReceiptRequest_get0_values +.Nd CMS signed receipt request functions +.Sh SYNOPSIS +.In openssl/cms.h +.Ft CMS_ReceiptRequest * +.Fo CMS_ReceiptRequest_create0 +.Fa "unsigned char *id" +.Fa "int idlen" +.Fa "int allorfirst" +.Fa "STACK_OF(GENERAL_NAMES) *receiptList" +.Fa "STACK_OF(GENERAL_NAMES) *receiptsTo" +.Fc +.Ft int +.Fo CMS_add1_ReceiptRequest +.Fa "CMS_SignerInfo *si" +.Fa "CMS_ReceiptRequest *rr" +.Fc +.Ft int +.Fo CMS_get1_ReceiptRequest +.Fa "CMS_SignerInfo *si" +.Fa "CMS_ReceiptRequest **prr" +.Fc +.Ft void +.Fo CMS_ReceiptRequest_get0_values +.Fa "CMS_ReceiptRequest *rr" +.Fa "ASN1_STRING **pcid" +.Fa "int *pallorfirst" +.Fa "STACK_OF(GENERAL_NAMES) **plist" +.Fa "STACK_OF(GENERAL_NAMES) **prto" +.Fc +.Sh DESCRIPTION +.Fn CMS_ReceiptRequest_create0 +creates a signed receipt request structure. +The signedContentIdentifier field is set using +.Fa id +and +.Fa idlen , +or it is set to 32 bytes of pseudo random data if +.Fa id +is +.Dv NULL . +If +.Fa receiptList +is +.Dv NULL , +the allOrFirstTier option in receiptsFrom +is used and set to the value of the +.Fa allorfirst +parameter. +If +.Fa receiptList +is not +.Dv NULL , +the receiptList option in receiptsFrom is used. +The +.Fa receiptsTo +parameter specifies the receiptsTo field value. +.Pp +The +.Fn CMS_add1_ReceiptRequest +function adds a signed receipt request +.Fa rr +to the +.Vt CMS_SignerInfo +structure +.Fa si . +.Pp +.Fn CMS_get1_ReceiptRequest +looks for a signed receipt request in +.Fa si . +If any is found, it is decoded and written to +.Fa prr . +.Pp +.Fn CMS_ReceiptRequest_get0_values +retrieves the values of a receipt request. +The signedContentIdentifier is copied to +.Fa pcid . +If the allOrFirstTier option of receiptsFrom is used, +its value is copied to +.Fa pallorfirst ; +otherwise the receiptList field is copied to +.Fa plist . +The receiptsTo parameter is copied to +.Fa prto . +.Pp +For more details on the meaning of the fields see RFC2634. +.Pp +The contents of a signed receipt should only be considered meaningful if +the corresponding +.Vt CMS_ContentInfo +structure can be successfully verified using +.Xr CMS_verify 3 . +.Sh RETURN VALUES +.Fn CMS_ReceiptRequest_create0 +returns a signed receipt request structure or +.Dv NULL +if an error occurred. +.Pp +.Fn CMS_add1_ReceiptRequest +returns 1 for success or 0 if an error occurred. +.Pp +.Fn CMS_get1_ReceiptRequest +returns 1 is a signed receipt request is found and decoded. +It returns 0 if a signed receipt request is not present or -1 if it is +present but malformed. +.Sh SEE ALSO +.Xr CMS_sign 3 , +.Xr CMS_sign_receipt 3 , +.Xr CMS_verify 3 , +.Xr CMS_verify_receipt 3 , +.Xr ERR_get_error 3 +.Sh HISTORY +.Fn CMS_ReceiptRequest_create0 , +.Fn CMS_add1_ReceiptRequest , +.Fn CMS_get1_ReceiptRequest , +and +.Fn CMS_ReceiptRequest_get0_values +were added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_sign.3 b/lib/libcrypto/man/CMS_sign.3 new file mode 100644 index 00000000000..54d95f4a5df --- /dev/null +++ b/lib/libcrypto/man/CMS_sign.3 @@ -0,0 +1,224 @@ +.\" $OpenBSD: CMS_sign.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_SIGN 3 +.Os +.Sh NAME +.Nm CMS_sign +.Nd create a CMS SignedData structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft CMS_ContentInfo * +.Fo CMS_sign +.Fa "X509 *signcert" +.Fa "EVP_PKEY *pkey" +.Fa "STACK_OF(X509) *certs" +.Fa "BIO *data" +.Fa "unsigned int flags" +.Fc +.Sh DESCRIPTION +.Fn CMS_sign +creates and returns a CMS SignedData structure. +.Fa signcert +is the certificate to sign with, +.Fa pkey +is the corresponding private key. +.Fa certs +is an optional additional set of certificates to include in the CMS +structure (for example any intermediate CAs in the chain). +Any or all of these parameters can be +.Dv NULL . +.Pp +The data to be signed is read from +.Fa data . +.Pp +.Fa flags +is an optional set of flags. +.Pp +Any of the following flags (OR'ed together) can be passed in the +.Fa flags +parameter: +.Bl -tag -width Ds +.It Dv CMS_TEXT +Prepend MIME headers for the type text/plain to the data. +Many S/MIME clients expect the signed content to include valid MIME +headers. +.It Dv CMS_NOCERTS +Do not include the signer's certificate in the +.Vt CMS_ContentInfo +structure. +The signer's certificate must still be supplied in the +.Fa signcert +parameter though. +This can reduce the size of the signature if the signers certificate can +be obtained by other means: for example a previously signed message. +.It Dv CMS_DETACHED +Omit the data being signed from the +.Vt CMS_ContentInfo +structure. +This is used for +.Vt CMS_ContentInfo +detached signatures which are used in S/MIME plaintext signed messages +for example. +.It Dv CMS_BINARY +Do not translate the supplied content into MIME canonical format +even though that is required by the S/MIME specifications. +This option should be used if the supplied data is in binary format. +Otherwise the translation will corrupt it. +.It Dv CMS_NOATTR +Do not use any signedAttributes. +By default, the SignedData structure includes several CMS +signedAttributes including the signing time, the CMS content type, +and the supported list of ciphers in an SMIMECapabilities attribute. +.It Dv CMS_NOSMIMECAP +Omit just the SMIMECapabilities. +If present, the SMIMECapabilities attribute indicates support for the +following algorithms in preference order: 256 bit AES, Gost R3411-94, +Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit +RC2, DES and 40 bit RC2. +If any of these algorithms is not available, then it will not be +included: for example the GOST algorithms will not be included if +the GOST ENGINE is not loaded. +.It Dv CMS_USE_KEYID +Use the subject key identifier value to identify signing certificates. +An error occurs if the signing certificate does not have a subject key +identifier extension. +By default, issuer name and serial number are used instead. +.It Dv CMS_STREAM +Only initialize the returned +.Vt CMS_ContentInfo +structure to prepare it for performing the signing operation. +The signing is however +.Em not +performed and the data to be signed is not read from the +.Fa data +parameter. +Signing is deferred until after the data has been written. +In this way, data can be signed in a single pass. +The returned +.Vt CMS_ContentInfo +structure is +.Em not +complete and outputting its contents via a function that does not +properly finalize the +.Vt CMS_ContentInfo +structure will give unpredictable results. +Several functions including +.Xr SMIME_write_CMS 3 , +.Xr i2d_CMS_bio_stream 3 , +or +.Xr PEM_write_bio_CMS_stream 3 +finalize the structure. +Alternatively, finalization can be performed by obtaining the streaming +ASN1 +.Vt BIO +directly using +.Xr BIO_new_CMS 3 . +.It Dv CMS_PARTIAL +Output a partial +.Vt CMS_ContentInfo +structure to which additional signers and capabilities can be +added before finalization. +.El +.Pp +If a signer is specified, it will use the default digest for the signing +algorithm. +This is SHA1 for both RSA and DSA keys. +.Pp +If +.Fa signcert +and +.Fa pkey +are +.Dv NULL , +then a certificates only CMS structure is output. +.Pp +The function +.Fn CMS_sign +is a basic CMS signing function whose output will be suitable for many +purposes. +For finer control of the output format the +.Fa certs , +.Fa signcert +and +.Fa pkey +parameters can all be +.Dv NULL +and the +.Dv CMS_PARTIAL +flag set. +Then one or more signers can be added using the function +.Xr CMS_sign_add1_signer 3 , +non default digests can be used and custom attributes added. +.Xr CMS_final 3 +must then be called to finalize the structure if streaming is not +enabled. +.Sh RETURN VALUES +.Fn CMS_sign +returns either a valid +.Vt CMS_ContentInfo +structure or +.Dv NULL +if an error occurred. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_verify 3 +.Sh HISTORY +.Fn CMS_sign +was added to OpenSSL 0.9.8. +.Pp +The +.Dv CMS_STREAM +flag is only supported for detached data in OpenSSL 0.9.8, it is +supported for embedded data in OpenSSL 1.0.0 and later. +.Sh BUGS +Some attributes such as counter signatures are not supported. diff --git a/lib/libcrypto/man/CMS_sign_receipt.3 b/lib/libcrypto/man/CMS_sign_receipt.3 new file mode 100644 index 00000000000..7ddff976cc6 --- /dev/null +++ b/lib/libcrypto/man/CMS_sign_receipt.3 @@ -0,0 +1,110 @@ +.\" $OpenBSD: CMS_sign_receipt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_SIGN_RECEIPT 3 +.Os +.Sh NAME +.Nm CMS_sign_receipt +.Nd create a CMS signed receipt +.Sh SYNOPSIS +.In openssl/cms.h +.Ft CMS_ContentInfo * +.Fo CMS_sign_receipt +.Fa "CMS_SignerInfo *si" +.Fa "X509 *signcert" +.Fa "EVP_PKEY *pkey" +.Fa "STACK_OF(X509) *certs" +.Fa "unsigned int flags" +.Fc +.Sh DESCRIPTION +.Fn CMS_sign_receipt +creates and returns a CMS signed receipt structure. +.Fa si +is the +.Vt CMS_SignerInfo +structure containing the signed receipt request. +.Fa signcert +is the certificate to sign with, +.Fa pkey +is the corresponding private key. +.Fa certs +is an optional additional set of certificates to include in the CMS +structure (for example any intermediate CAs in the chain). +.Pp +.Fa flags +is an optional set of flags. +.Pp +This functions behaves in a similar way to +.Xr CMS_sign 3 +except the flag values +.Dv CMS_DETACHED , +.Dv CMS_BINARY , +.Dv CMS_NOATTR , +.Dv CMS_TEXT , +and +.Dv CMS_STREAM +are not supported since they do not make sense in the context of +signed receipts. +.Sh RETURN VALUES +.Fn CMS_sign_receipt +returns either a valid +.Vt CMS_ContentInfo +structure or +.Dv NULL +if an error occurred. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_sign 3 , +.Xr CMS_verify_receipt 3 +.Sh HISTORY +.Fn CMS_sign_receipt +was added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/CMS_uncompress.3 b/lib/libcrypto/man/CMS_uncompress.3 new file mode 100644 index 00000000000..50926b73585 --- /dev/null +++ b/lib/libcrypto/man/CMS_uncompress.3 @@ -0,0 +1,111 @@ +.\" $OpenBSD: CMS_uncompress.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_UNCOMPRESS 3 +.Os +.Sh NAME +.Nm CMS_uncompress +.Nd uncompress a CMS CompressedData structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo CMS_uncompress +.Fa "CMS_ContentInfo *cms" +.Fa "BIO *dcont" +.Fa "BIO *out" +.Fa "unsigned int flags" +.Fc +.Sh DESCRIPTION +.Fn CMS_uncompress +extracts and uncompresses the content from a CMS CompressedData +structure +.Fa cms . +.Fa out +is a +.Vt BIO +to write the content to and +.Fa flags +is an optional set of flags. +.Pp +The +.Fa dcont +parameter is used in the rare case where the compressed content is +detached. +It will normally be set to +.Dv NULL . +.Pp +The only currently supported compression algorithm is zlib: if the +structure indicates the use of any other algorithm, an error is returned. +.Pp +If zlib support is not compiled in, then +.Fn CMS_uncompress +will always return an error. +.Pp +If the +.Dv CMS_TEXT +flag is set, MIME headers for type text/plain are deleted from the content. +If the content is not of type text/plain, an error is returned. +.Sh RETURN VALUES +.Fn CMS_uncompress +returns either 1 for success or 0 for failure. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_compress 3 +.Sh HISTORY +.Fn CMS_uncompress +was added to OpenSSL 0.9.8. +.Sh BUGS +The lack of single pass processing and the need to hold all data in +memory as mentioned in +.Xr CMS_verify 3 +also applies to +.Fn CMS_uncompress . diff --git a/lib/libcrypto/man/CMS_verify.3 b/lib/libcrypto/man/CMS_verify.3 new file mode 100644 index 00000000000..cec1dc06d8c --- /dev/null +++ b/lib/libcrypto/man/CMS_verify.3 @@ -0,0 +1,223 @@ +.\" $OpenBSD: CMS_verify.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_VERIFY 3 +.Os +.Sh NAME +.Nm CMS_verify , +.Nm CMS_get0_signers +.Nd verify a CMS SignedData structure +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo CMS_verify +.Fa "CMS_ContentInfo *cms" +.Fa "STACK_OF(X509) *certs" +.Fa "X509_STORE *store" +.Fa "BIO *indata" +.Fa "BIO *out" +.Fa "unsigned int flags" +.Fc +.Ft STACK_OF(X509) * +.Fo CMS_get0_signers +.Fa "CMS_ContentInfo *cms" +.Fc +.Sh DESCRIPTION +.Fn CMS_verify +verifies a CMS SignedData structure. +.Fa cms +is the +.Vt CMS_ContentInfo +structure to verify. +.Fa certs +is a set of certificates in which to search for the signing +certificate(s). +.Fa store +is a trusted certificate store used for chain verification. +.Fa indata +is the detached content if the content is not present in +.Fa cms . +The content is written to +.Fa out +if it is not +.Dv NULL . +.Pp +.Fa flags +is an optional set of flags, which can be used to modify the verify +operation. +.Pp +.Fn CMS_get0_signers +retrieves the signing certificate(s) from +.Fa cms . +It must be called after a successful +.Fn CMS_verify +operation. +.Pp +Normally the verify process proceeds as follows. +.Pp +Initially some sanity checks are performed on +.Fa cms . +The type of +.Fa cms +must be SignedData. +There must be at least one signature on the data and if the content is +detached; +.Fa indata +cannot be +.Dv NULL . +.Pp +An attempt is made to locate all the signing certificate(s), first +looking in the +.Fa certs +parameter (if it is not +.Dv NULL ) +and then looking in any certificates contained in the +.Fa cms +structure itself. +If any signing certificate cannot be located, the operation fails. +.Pp +Each signing certificate is chain verified using the +.Sy smimesign +purpose and the supplied trusted certificate store. +Any internal certificates in the message are used as untrusted CAs. +If CRL checking is enabled in +.Fa store , +any internal CRLs are used in addition to attempting to look them up in +.Fa store . +If any chain verify fails, an error code is returned. +.Pp +Finally the signed content is read (and written to +.Fa out +if it is not +.Dv NULL ) +and the signature is checked. +.Pp +If all signatures verify correctly, then the function is successful. +.Pp +Any of the following flags (OR'ed together) can be passed in the +.Fa flags +parameter to change the default verify behaviour: +.Bl -tag -width Ds +.It Dv CMS_NOINTERN +Do not use the certificates in the message itself when +locating the signing certificate(s). +This means that all the signing certificates must be in the +.Fa certs +parameter. +.It Dv CMS_NOCRL +If CRL checking is enabled in +.Fa store , +then any CRLs in the message itself are ignored. +It Dv CMS_TEXT +MIME headers for type text/plain are deleted from the content. +If the content is not of type text/plain, an error is returned. +.It Dv CMS_NO_SIGNER_CERT_VERIFY +Do not verify signing certificates. +.It Dv CMS_NO_ATTR_VERIFY +Do not check the signed attributes signature. +.It Dv CMS_NO_CONTENT_VERIFY +Do not check the content digest. +.El +.Pp +One application of +.Dv CMS_NOINTERN +is to only accept messages signed by a small number of certificates. +The acceptable certificates would be passed in the +.Fa certs +parameter. +In this case, if the signer is not one of the certificates supplied in +.Fa certs , +then the verify will fail because the signer cannot be found. +.Pp +In some cases the standard techniques for looking up and validating +certificates are not appropriate: for example an application may wish to +lookup certificates in a database or perform customised verification. +This can be achieved by setting and verifying the signers certificates +manually using the signed data utility functions. +.Pp +Care should be taken when modifying the default verify behaviour, for +example setting +.Dv CMS_NO_CONTENT_VERIFY +will totally disable all content verification and any modified content +will be considered valid. +This combination is however useful if one merely wishes to write the +content to +.Fa out +and its validity is not considered important. +.Pp +Chain verification should arguably be performed using the signing time +rather than the current time. +However since the signing time is supplied by the signer it cannot be +trusted without additional evidence (such as a trusted timestamp). +.Sh RETURN VALUES +.Fn CMS_verify +returns 1 for a successful verification or zero if an error occurred. +.Pp +.Fn CMS_get0_signers +returns all signers or +.Dv NULL +if an error occurred. +.Pp +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_sign 3 +.Sh HISTORY +.Fn CMS_verify +was added to OpenSSL 0.9.8. +.Sh BUGS +The trusted certificate store is not searched for the signing certificate. +This is primarily due to the inadequacies of the current +.Vt X509_STORE +functionality. +.Pp +The lack of single pass processing means that the signed content must +all be held in memory if it is not detached. diff --git a/lib/libcrypto/man/CMS_verify_receipt.3 b/lib/libcrypto/man/CMS_verify_receipt.3 new file mode 100644 index 00000000000..33bb43ed8dd --- /dev/null +++ b/lib/libcrypto/man/CMS_verify_receipt.3 @@ -0,0 +1,104 @@ +.\" $OpenBSD: CMS_verify_receipt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt CMS_VERIFY_RECEIPT 3 +.Os +.Sh NAME +.Nm CMS_verify_receipt +.Nd verify a CMS signed receipt +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo CMS_verify_receipt +.Fa "CMS_ContentInfo *rcms" +.Fa "CMS_ContentInfo *ocms" +.Fa "STACK_OF(X509) *certs" +.Fa "X509_STORE *store" +.Fa "unsigned int flags" +.Fc +.Sh DESCRIPTION +.Fn CMS_verify_receipt +verifies a CMS signed receipt. +.Fa rcms +is the signed receipt to verify. +.Fa ocms +is the original SignedData structure containing the receipt request. +.Fa certs +is a set of certificates in which to search for the signing certificate. +.Fa store +is a trusted certificate store (used for chain verification). +.Pp +.Fa flags +is an optional set of flags, which can be used to modify the verify +operation. +.Pp +This functions behaves in a similar way to +.Xr CMS_verify 3 +except the flag values +.Dv CMS_DETACHED , +.Dv CMS_BINARY , +.Dv CMS_TEXT , +and +.Dv CMS_STREAM +are not supported since they do not make sense in the context of signed +receipts. +.Sh RETURN VALUES +.Fn CMS_verify_receipt +returns 1 for a successful verification or zero if an error occurred. +.Pp +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_sign_receipt 3 , +.Xr CMS_verify 3 +.Sh HISTORY +.Fn CMS_verify_receipt +was added to OpenSSL 0.9.8. diff --git a/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 b/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 new file mode 100644 index 00000000000..ad1688ba14f --- /dev/null +++ b/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 @@ -0,0 +1,93 @@ +.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt PEM_WRITE_BIO_CMS_STREAM 3 +.Os +.Sh NAME +.Nm PEM_write_bio_CMS_stream +.Nd output CMS_ContentInfo structure in PEM format +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo PEM_write_bio_CMS_stream +.Fa "BIO *out" +.Fa "CMS_ContentInfo *cms" +.Fa "BIO *data" +.Fa "int flags" +.Fc +.Sh DESCRIPTION +.Fn PEM_write_bio_CMS_stream +outputs a +.Vt CMS_ContentInfo +structure in PEM format. +.Pp +It is otherwise identical to the function +.Xr SMIME_write_CMS 3 . +.Pp +This function is effectively a version of +.Xr PEM_write_bio_CMS 3 +supporting streaming. +.Sh RETURN VALUES +.Fn PEM_write_bio_CMS_stream +returns 1 for success or 0 for failure. +.Sh SEE ALSO +.Xr CMS_decrypt 3 , +.Xr CMS_encrypt 3 , +.Xr CMS_sign 3 , +.Xr CMS_verify 3 , +.Xr ERR_get_error 3 , +.Xr i2d_CMS_bio_stream 3 , +.Xr PEM_write 3 , +.Xr SMIME_write_CMS 3 +.Sh HISTORY +The +.Fn PEM_write_bio_CMS_stream +function was added in OpenSSL 1.0.0. diff --git a/lib/libcrypto/man/SMIME_read_CMS.3 b/lib/libcrypto/man/SMIME_read_CMS.3 new file mode 100644 index 00000000000..17f60b11eca --- /dev/null +++ b/lib/libcrypto/man/SMIME_read_CMS.3 @@ -0,0 +1,146 @@ +.\" $OpenBSD: SMIME_read_CMS.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt SMIME_READ_CMS 3 +.Os +.Sh NAME +.Nm SMIME_read_CMS +.Nd parse S/MIME message +.Sh SYNOPSIS +.In openssl/cms.h +.Ft CMS_ContentInfo * +.Fo SMIME_read_CMS +.Fa "BIO *in" +.Fa "BIO **bcont" +.Fc +.Sh DESCRIPTION +.Fn SMIME_read_CMS +parses a message in S/MIME format. +.Pp +.Fa in +is a +.Vt BIO +to read the message from. +.Pp +If cleartext signing is used, then the content is saved in a memory BIO +which is written to +.Pf * Fa bcont ; +otherwise +.Pf * Fa bcont +is set to +.Dv NULL . +.Pp +The parsed +.Vt CMS_ContentInfo +structure is returned, or +.Dv NULL +if an error occurred. +.Pp +If +.Pf * Fa bcont +is not +.Dv NULL , +then the message is clear text signed. +.Pf * Fa bcont +can then be passed to +.Xr CMS_verify 3 +with the +.Dv CMS_DETACHED +flag set. +.Pp +Otherwise the type of the returned structure can be determined using +.Xr CMS_get0_type 3 . +.Pp +To support future functionality if +.Fa bcont +is not +.Dv NULL , +.Pf * Fa bcont +should be initialized to +.Dv NULL . +For example: +.Bd -literal -offset indent +BIO *cont = NULL; +CMS_ContentInfo *cms; + +cms = SMIME_read_CMS(in, &cont); +.Ed +.Sh RETURN VALUES +.Fn SMIME_read_CMS +returns a valid +.Vt CMS_ContentInfo +structure or +.Dv NULL +if an error occurred. +The error can be obtained from +.Xr ERR_get_error 3 . +.Sh SEE ALSO +.Xr CMS_decrypt 3 , +.Xr CMS_encrypt 3 , +.Xr CMS_sign 3 , +.Xr CMS_type 3 , +.Xr CMS_verify 3 , +.Xr SMIME_write_CMS 3 +.Sh BUGS +The MIME parser used by +.Fn SMIME_read_CMS +is somewhat primitive. +While it will handle most S/MIME messages, more complex compound formats +may not work. +.Pp +The parser assumes that the +.Vt CMS_ContentInfo +structure is always base64 encoded and will not handle the case +where it is in binary format or uses quoted printable format. +.Pp +The use of a memory BIO to hold the signed content limits the size of +message which can be processed due to memory restraints: a streaming +single pass option should be available. diff --git a/lib/libcrypto/man/SMIME_write_CMS.3 b/lib/libcrypto/man/SMIME_write_CMS.3 new file mode 100644 index 00000000000..c9afa5e5a56 --- /dev/null +++ b/lib/libcrypto/man/SMIME_write_CMS.3 @@ -0,0 +1,133 @@ +.\" $OpenBSD: SMIME_write_CMS.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt SMIME_WRITE_CMS 3 +.Os +.Sh NAME +.Nm SMIME_write_CMS +.Nd convert CMS structure to S/MIME format +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo SMIME_write_CMS +.Fa "BIO *out" +.Fa "CMS_ContentInfo *cms" +.Fa "BIO *data" +.Fa "int flags" +.Fc +.Sh DESCRIPTION +.Fn SMIME_write_CMS +adds the appropriate MIME headers to a CMS structure to produce an +S/MIME message. +.Pp +.Fa out +is the +.Vt BIO +to write the data to. +.Fa cms +is the appropriate +.Vt CMS_ContentInfo +structure. +If streaming is enabled, then the content must be supplied in the +.Fa data +argument. +.Fa flags +is an optional set of flags. +.Pp +The following flags can be passed in the +.Fa flags +parameter: +.Bl -tag -width Ds +.It Dv CMS_DETACHED +Use cleartext signing. +This option only makes sense for SignedData where +.Dv CMS_DETACHED +is also set when +.Xr CMS_sign 3 +is called. +.Pp +If cleartext signing is used and +.Dv CMS_STREAM +is not set, then the data must be read twice: +once to compute the signature in +.Xr CMS_sign 3 +and once to output the S/MIME message. +.It Dv CMS_TEXT +Add MIME headers for type text/plain to the content. +This only makes sense if +.Dv CMS_DETACHED +is also set. +.It Dv CMS_STREAM +Perform streaming. +This flag should only be set if +.Dv CMS_STREAM +was also set in the previous call to a +.Vt CMS_ContentInfo +creation function. +.Pp +If streaming is performed, the content is output in BER format using +indefinite length constructed encoding except in the case of signed data +with detached content where the content is absent and DER format is +used. +.El +.Sh RETURN VALUES +.Fn SMIME_write_CMS +returns 1 for success or 0 for failure. +.Sh SEE ALSO +.Xr CMS_decrypt 3 , +.Xr CMS_encrypt 3 , +.Xr CMS_sign 3 , +.Xr CMS_verify 3 , +.Xr ERR_get_error 3 +.Sh BUGS +.Fn SMIME_write_CMS +always base64 encodes CMS structures. +There should be an option to disable this. diff --git a/lib/libcrypto/man/i2d_CMS_bio_stream.3 b/lib/libcrypto/man/i2d_CMS_bio_stream.3 new file mode 100644 index 00000000000..3615c01ccbe --- /dev/null +++ b/lib/libcrypto/man/i2d_CMS_bio_stream.3 @@ -0,0 +1,95 @@ +.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $ +.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2008 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: August 10 2019 $ +.Dt I2D_CMS_BIO_STREAM 3 +.Os +.Sh NAME +.Nm i2d_CMS_bio_stream +.Nd output CMS_ContentInfo structure in BER format +.Sh SYNOPSIS +.In openssl/cms.h +.Ft int +.Fo i2d_CMS_bio_stream +.Fa "BIO *out" +.Fa "CMS_ContentInfo *cms" +.Fa "BIO *data" +.Fa "int flags" +.Fc +.Sh DESCRIPTION +.Fn i2d_CMS_bio_stream +outputs a +.Vt CMS_ContentInfo +structure in BER format. +.Pp +It is otherwise identical to the function +.Xr SMIME_write_CMS 3 . +.Pp +This function is effectively a version of +.Xr i2d_CMS_bio 3 +supporting streaming. +.Sh RETURN VALUES +.Fn i2d_CMS_bio_stream +returns 1 for success or 0 for failure. +.Sh SEE ALSO +.Xr CMS_decrypt 3 , +.Xr CMS_encrypt 3 , +.Xr CMS_sign 3 , +.Xr CMS_verify 3 , +.Xr ERR_get_error 3 , +.Xr PEM_write_bio_CMS_stream 3 , +.Xr SMIME_write_CMS 3 +.Sh HISTORY +The +.Fn i2d_CMS_bio_stream +function was added in OpenSSL 1.0.0. +.Sh BUGS +The prefix "i2d" is arguably wrong because the function outputs BER +format. |