Document -debug_decrypt option.

(cherry picked from commit 0dd5b94aeb)
2014-04-16 12:15:43 +01:00 · 2014-04-16 12:15:43 +01:00 · 6e85eba11b
commit 6e85eba11b
parent 5cd5e0219d
1 changed files with 15 additions and 0 deletions
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@ -91,6 +91,11 @@ decrypt mail using the supplied certificate and private key. Expects an
 encrypted mail message in MIME format for the input file. The decrypted mail
 is written to the output file.

+=item B<-debug_decrypt>
+
+this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
+with caution: see the notes section below.
+
 =item B<-sign>

 sign mail using the supplied certificate and private key. Input file is
@ -459,6 +464,16 @@ Streaming is always used for the B<-sign> operation with detached data but
 since the content is no longer part of the CMS structure the encoding
 remains DER.

+If the B<-decrypt> option is used without a recipient certificate then an
+attempt is made to locate the recipient by trying each potential recipient
+in turn using the supplied private key. To thwart the MMA attack
+(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
+tried whether they succeed or not and if no recipients match the message
+is "decrypted" using a random key which will typically output garbage. 
+The B<-debug_decrypt> option can be used to disable the MMA attack protection
+and return an error if no recipient can be found: this option should be used
+with caution. For a fuller description see L<CMS_decrypt(3)|CMS_decrypt(3)>).
+
 =head1 EXIT CODES

 =over 4