smime man page on DigitalUNIX

smime(1ssl)							   smime(1ssl)

NAME
       smime - S/MIME utility

SYNOPSIS
       openssl smime [-encrypt] [-decrypt] [-sign] [-verify] [-pk7out] [-des]
       [-des3] [-rc2-40] [-rc2-64] [-rc2-128] [-certfile filename] [-signer
       filename] [-recip filename] [-in filename] [-inform SMIME | PEM | DER]
       [-passin arg] [-inkey filename] [-out filename] [-outform SMIME | PEM
       | DER] [-content filename] [-to addr] [-from addr] [-subject s]
       [-text] [-rand filename] [cert.pem ...]

OPTIONS
       There are five options that set the type of operation to be performed.
       The meaning of the other options varies according to the operation
       type.

       -encrypt
              Encrypts mail for the given recipient certificates. Input file
              is the message to be encrypted. The output file is the
              encrypted mail in MIME format.

       -decrypt
              Decrypts mail using the supplied certificate and private key.
              Expects an encrypted mail message in MIME format for the input
              file. The decrypted mail is written to the output file.

       -sign  Signs mail using the supplied certificate and private key.
              Input file is the message to be signed. The signed message in
              MIME format is written to the output file.

       -verify
              Verifies signed mail. Expects a signed mail message on input,
              and outputs the signed data. Both clear text and opaque signing
              are supported.

       -pk7out
              Takes an input message and writes out a PEM encoded PKCS#7
              structure.

       -in filename
              The input message to be encrypted or signed, or the MIME
              message to be decrypted or verified.

       -inform SMIME | PEM | DER
              Specifies the input format for the PKCS#7 structure. The
              default is SMIME, which reads an S/MIME format message. The PEM
              and DER formats change this to expect PEM and DER format PKCS#7
              structures instead. This only affects the input format of the
              PKCS#7 structure. If no PKCS#7 structure is input, as with
              -encrypt or -sign, this option has no effect.

       -out filename
              The message text that has been decrypted or verified, or the
              output MIME format message that has been signed or encrypted.

       -outform SMIME | PEM | DER
              Specifies the output format for the PKCS#7 structure. The
              default is SMIME, which writes an S/MIME format message. The
              PEM and DER formats change this to write PEM and DER format
              PKCS#7 structures instead. This only affects the output format
              of the PKCS#7 structure. If no PKCS#7 structure is output, as
              with -verify or -decrypt, this option has no effect.

       -content filename
              Specifies a file containing the detached content. This is only
              useful with the -verify option, and only when the PKCS#7
              structure uses the detached signature form, where the content
              is not included. This option overrides any content if the
              input format is S/MIME and it uses the multipart/signed MIME
              content type.

       -text  Adds plain text (text/plain) MIME headers to the supplied
              message if encrypting or signing. If decrypting or verifying,
              it strips off the text headers. If the decrypted or verified
              message is not of MIME type text/plain, an error occurs.

       -CAfile file
              A file containing trusted CA certificates. It is only used
              with the -verify option.

       -CApath dir
              A directory containing trusted CA certificates. It is only
              used with the -verify option. This directory must be a
              standard certificate directory, meaning a hash of each subject
              name (using x509 -hash) should be linked to each certificate.

       -des, -des3, -rc2-40, -rc2-64, -rc2-128
              The encryption algorithm to use: DES (56 bits), triple DES
              (168 bits) or 40, 64 or 128 bit RC2, respectively. If not
              specified, 40-bit RC2 is used. These are used only with the
              -encrypt option. A 40-bit key offers no meaningful
              confidentiality against a modern attacker, so always name the
              algorithm explicitly, as the -des3 examples below do.

       -nointern
              When verifying a message, certificates (if any) included in
              the message are searched for the signing certificate. With
              this option only the certificates specified with the -certfile
              option are used. The supplied certificates can still be used
              as untrusted CAs, however.

       -noverify
              Does not verify the signer's certificate of a signed message.
              A successful exit with this option means only that the
              signature matches whatever certificate the message carries,
              not that the signer is trusted.

       -nochain
              Does not perform chain verification of signers' certificates.
              That is, it does not use the certificates in the signed
              message as untrusted CAs.

       -nosigs
              Does not try to verify the signatures on the message. With
              this option a successful exit says nothing about the
              authenticity of the message.

       -nocerts
              When signing a message, the signer's certificate is usually
              included. With this option the signer's certificate is
              excluded. This reduces the size of the signed message, but the
              verifier must have a copy of the signer's certificate available
              locally (passed using the -certfile option, for example).

       -noattr
              When a message is signed, a set of attributes is included, such
              as the signing time and supported symmetric algorithms. With
              this option they are not included.

       -binary
              Usually the input message is converted to canonical format,
              which is effectively using CR and LF as end-of-line, as
              required by the S/MIME specification. With this option no
              translation occurs. This is useful when handling binary data
              which may not be in MIME format.

       -nodetach
              Uses opaque signing when signing a message. This form is more
              resistant to translation by mail relays, but it cannot be read
              by mail agents that do not support S/MIME. Without this option
              cleartext signing with the MIME type multipart/signed is used.

       -certfile filename
              Allows additional certificates to be specified. When signing,
              these will be included with the message. When verifying, these
              will be searched for the signer's certificates. The
              certificates should be in PEM format.

       -signer filename
              The signer's certificate when signing a message. If a message
              is being verified, then the signer's certificates will be
              written to this file if the verification was successful.

       -recip filename
              The recipient's certificate when decrypting a message. This
              certificate must match one of the recipients of the message or
              an error occurs.

       -inkey filename
              The private key to use when signing or decrypting. This must
              match the corresponding certificate. If this option is not
              specified, then the private key must be included in the
              certificate file specified with the -recip or the -signer
              option.

       -passin arg
              The private key password source. For more information about
              the format of arg, see the Pass Phrase Arguments section in
              openssl(1ssl).

       -rand filename
              A file or files containing random data used to seed the random
              number generator, or an EGD socket (see RAND_egd(3)). Multiple
              files can be separated by an OS-dependent character. The
              separator is a semicolon (;) for MS-Windows, a comma (,) for
              OpenVMS, and a colon (:) for all others.

       cert.pem ...
              One or more certificates of message recipients, used when
              encrypting a message.

       -to addr, -from addr, -subject s
              The relevant mail headers. These are included outside the
              signed portion of a message, so they are not protected by the
              signature and may equally be added manually. If signing, note
              that many S/MIME mail clients check that the signer's
              certificate email address matches that specified in the From:
              address.

DESCRIPTION
       The  smime  command  handles S/MIME mail. It can encrypt, decrypt, sign
       and verify S/MIME messages.

NOTES
       The MIME message must be sent without any blank lines between the head‐
       ers  and	 the output. Some mail programs will automatically add a blank
       line. Piping the mail directly to sendmail is one way  to  achieve  the
       correct format.

       The  supplied message to be signed or encrypted must include the neces‐
       sary MIME headers or many S/MIME clients will not display  it  properly
       (if  at	all).  You can use the -text option to automatically add plain
       text headers.
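       The MIME plumbing that -text, -binary and -content describe, and the
       header rule in the note above, as an added example. This is not part
       of the original man page and not OpenSSL code; it uses only the Python
       standard library. The multipart/signed message below is constructed
       here, and its signature part is a placeholder, not a real PKCS#7
       blob, so the point is the byte-exact framing, not cryptography.

```python
"""S/MIME framing helpers (added example; not OpenSSL code).
Standard library only.  SAMPLE is a constructed multipart/signed message
whose "signature" part is a placeholder rather than a real PKCS#7 blob."""
import base64
import email
import email.policy

CRLF = b"\r\n"


def canonicalize(data: bytes) -> bytes:
    """What smime does unless -binary is given: every bare LF becomes CRLF."""
    return data.replace(CRLF, b"\n").replace(b"\n", CRLF)


def add_text_headers(body: bytes) -> bytes:
    """What -text does when signing or encrypting: put a text/plain header
    block in front of the body, separated by exactly one blank line, and
    canonicalize the line endings."""
    return b"Content-Type: text/plain" + CRLF + CRLF + canonicalize(body)


def strip_text_headers(msg: bytes) -> bytes:
    """What -text does when verifying or decrypting: drop the header block,
    erroring out unless it declares text/plain."""
    head, sep, body = msg.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line between headers and body")
    hdr = email.message_from_bytes(head, policy=email.policy.default)
    if hdr.get("Content-Type") is None or hdr.get_content_type() != "text/plain":
        raise ValueError("message is not text/plain")
    return body


def split_multipart_signed(raw: bytes):
    """Split a cleartext-signed message into (signed_bytes, signature_der).
    The signed bytes are the first body part, headers included.  The CRLF
    in front of each boundary delimiter belongs to the delimiter, not to the
    part, so it is left out; this is exactly what -content must be given
    when the signature is verified detached."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line between headers and body")
    hdr = email.message_from_bytes(head, policy=email.policy.default)
    if hdr.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed")
    delim = CRLF + b"--" + hdr.get_param("boundary").encode()
    chunks = (CRLF + body).split(delim)   # leading CRLF lets an empty preamble match
    parts = []
    for chunk in chunks[1:]:
        if chunk.startswith(b"--"):       # closing delimiter "--boundary--"
            break
        parts.append(chunk.partition(CRLF)[2])   # drop the rest of the delimiter line
    if len(parts) != 2:
        raise ValueError("expected two body parts, got %d" % len(parts))
    _sig_head, _, sig_body = parts[1].partition(CRLF + CRLF)
    return parts[0], base64.b64decode(sig_body)   # b64decode skips the CRLFs


# Constructed sample: the layout openssl smime -sign -text produces.
FAKE_SIG = base64.b64encode(b"not a real PKCS#7 signature").decode()
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";'
    b' micalg=sha1; boundary="----B3F1"\r\n'
    b"\r\n"
    b"This is an S/MIME signed message\r\n"
    b"\r\n"
    b"------B3F1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"world\r\n"
    b"------B3F1\r\n"
    b'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + FAKE_SIG.encode() + b"\r\n"
    b"------B3F1--\r\n"
)

if __name__ == "__main__":
    content, sig = split_multipart_signed(SAMPLE)
    with open("content.bin", "wb") as f:   # binary mode: no newline translation
        f.write(content)
    with open("signature.der", "wb") as f:
        f.write(sig)
    print("signed bytes:", content)
```

       With a real message the two files written by the main block are what
       the detached-signature form of verification consumes: openssl smime
       -verify -inform DER -in signature.der -content content.bin. Writing
       content.bin in text mode on a platform that translates newlines would
       silently change the signed bytes and make verification fail.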

       A signed and encrypted message is one where a signed  message  is  then
       encrypted.  This	 can  be produced by encrypting an already signed mes‐
       sage.

       This version of the program only allows one signer per message, but  it
       will  verify multiple signers on received messages. Some S/MIME clients
       fail if a message contains multiple signers. It	is  possible  to  sign
       messages in parallel by signing an already signed message.

       The  options  -encrypt  and  -decrypt  reflect  common  usage in S/MIME
       clients. These process PKCS#7 enveloped data. The PKCS#7 encrypted data
       is used for other purposes.

RESTRICTIONS
       The  MIME  parser is not very clever. It seems to handle most messages,
       but it may fail on others.

       The code will only write out the signer's certificate to a file. If the
       signer  has  a  separate	 encryption  certificate this must be manually
       extracted.  There should be some heuristic that determines the  correct
       encryption certificate.

       Ideally	a  certificate	database  should  be maintained for each email
       address.

       The code does not take note of the permitted symmetric encryption algo‐
       rithms  as  supplied  in	 the  SMIMECapabilities signed attribute. This
       means the user has to manually include  the  correct  encryption	 algo‐
       rithm.  It should store the list of permitted ciphers in a database and
       only use those.

       No revocation checking is done on the signer's certificate.

       The code can only handle S/MIME v2 messages. The more complex S/MIME v3
       structures may cause parsing errors.

EXIT STATUS
       0      The operation completed successfully.

       1      An error occurred parsing the command options.

       2      One of the input files could not be read.

       3      An error occurred creating the PKCS#7 file or when reading the
              MIME message.

       4      An error occurred decrypting or verifying the message.

       5      The message was verified correctly but an error occurred
              writing out the signers' certificates.

EXAMPLES
       Create a cleartext signed message:

            openssl smime -sign -in message.txt -text -out mail.msg \
                -signer mycert.pem

       Create an opaque signed message:

            openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
                -signer mycert.pem

       Create a signed message, include some additional certificates and read
       the private key from another file:

            openssl smime -sign -in in.txt -text -out mail.msg \
                -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem

       Send a signed message under UNIX directly to sendmail, including
       headers:

            openssl smime -sign -in in.txt -text -signer mycert.pem \
                -from steve@openssl.org -to someone@somewhere \
                -subject "Signed message" | sendmail someone@somewhere

       Verify a message and extract the signer's certificate if successful:

            openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt

       Verification fails unless the signer's certificate chains to a trusted
       CA; if that CA is not in the default certificate store, name it with
       -CAfile or -CApath. user.pem is written only after a successful
       verification.

       Send encrypted mail using triple DES:

            openssl smime -encrypt -in in.txt -from steve@openssl.org \
                -to someone@somewhere -subject "Encrypted message" \
                -des3 user.pem -out mail.msg

       Sign and encrypt mail:

            openssl smime -sign -in ml.txt -signer my.pem -text \
                | openssl smime -encrypt -out mail.msg \
                -from steve@openssl.org -to someone@somewhere \
                -subject "Signed and Encrypted message" -des3 user.pem

       Notice that the encryption command does not include the -text option
       because the message being encrypted already has MIME headers.

       Decrypt mail:

            openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem

       The output from Netscape form signing is a PKCS#7 structure in the
       detached signature format. You can use this program to verify the
       signature by line wrapping the base64 encoded structure and
       surrounding it with the following lines (five dashes on each side):

            -----BEGIN PKCS7-----
            -----END PKCS7-----

       You should then use the following command:

            openssl smime -verify -inform PEM -in signature.pem -content content.txt

       Alternatively, you can base64 decode the signature and use the
       following command:

            openssl smime -verify -inform DER -in signature.der -content content.txt
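       The PEM and DER preparation just described, as an added example. This
       is not part of the original man page and not OpenSSL code; it uses
       only the Python standard library. SAMPLE_DER is a minimal PKCS#7
       ContentInfo constructed here with no signers: it is structurally
       valid, so the armoring and the content-type check can be exercised,
       but it verifies nothing. Beyond the page's instructions, the block
       also reads the outer ContentInfo to confirm the blob really is
       signedData before it is handed to openssl.

```python
"""Armor a raw base64 PKCS#7 blob as PEM, decode it to DER, and check the
outer contentType (added example; not OpenSSL code).  Standard library
only.  SAMPLE_DER is constructed here and carries no signers."""
import base64
import re

BEGIN = "-----BEGIN PKCS7-----"          # exactly five dashes on each side
END = "-----END PKCS7-----"
SIGNED_DATA_OID = "1.2.840.113549.1.7.2"  # pkcs7-signedData

SAMPLE_DER = bytes.fromhex(
    "3023"                          # ContentInfo SEQUENCE, 35 bytes
    "06092a864886f70d010702"        #   contentType = signedData
    "a016"                          #   [0] EXPLICIT content
    "3014"                          #     SignedData SEQUENCE
    "020101"                        #       version 1
    "3100"                          #       digestAlgorithms (empty)
    "300b06092a864886f70d010701"    #       encapContentInfo: id-data, detached
    "3100"                          #       signerInfos (empty)
)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()   # what a browser would POST


def pem_armor(b64: str) -> str:
    """Re-wrap a bare base64 blob at 64 columns and add the PKCS7 PEM lines."""
    clean = re.sub(r"\s+", "", b64)
    base64.b64decode(clean, validate=True)        # reject junk before wrapping
    lines = [clean[i:i + 64] for i in range(0, len(clean), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armor and decode: the file to give -inform DER."""
    m = re.search(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), pem, re.S)
    if not m:
        raise ValueError("no PKCS7 PEM block found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length


def decode_oid(raw: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def content_type(der: bytes) -> str:
    """contentType OID of the outer PKCS#7 ContentInfo."""
    tag, start, _end = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    tag, ostart, oend = _tlv(der, start)
    if tag != 0x06:
        raise ValueError("first element of ContentInfo must be an OID")
    return decode_oid(der[ostart:oend])


def is_signed_data(der: bytes) -> bool:
    return content_type(der) == SIGNED_DATA_OID


if __name__ == "__main__":
    pem = pem_armor(SAMPLE_B64)
    print(pem, end="")
    print("signedData:", is_signed_data(pem_to_der(pem)))
```

       A blob whose outer contentType is not signedData (for instance plain
       data, 1.2.840.113549.1.7.1) would make openssl smime -verify fail with
       a parse error rather than a signature error, so checking it up front
       separates "wrong kind of object" from "bad signature" when debugging
       a form-signing integration.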
