Update cms docs.
Document use of -keyopt to use RSA-PSS and RSA-OAEP modes. (cherry picked from commit 4bf4a6501c6ca3fa1853f07c82e0e9cfe22dee45)
This commit is contained in:
Dr. Stephen Henson
parent
af7d6b936b
commit
dddb38834e
@ -316,8 +316,13 @@ verification was successful.
|
||||
|
||||
=item B<-recip file>
|
||||
|
||||
the recipients certificate when decrypting a message. This certificate
|
||||
must match one of the recipients of the message or an error occurs.
|
||||
when decrypting a message this specifies the recipients certificate. The
|
||||
certificate must match one of the recipients of the message or an error
|
||||
occurs.
|
||||
|
||||
When encrypting a message this option may be used multiple times to specify
|
||||
each recipient. This form B<must> be used if customised parameters are
|
||||
required (for example to specify RSA-OAEP).
|
||||
|
||||
=item B<-keyid>
|
||||
|
||||
@ -376,6 +381,12 @@ private key must be included in the certificate file specified with
|
||||
the B<-recip> or B<-signer> file. When signing this option can be used
|
||||
multiple times to specify successive keys.
|
||||
|
||||
=item B<-keyopt name:opt>
|
||||
|
||||
for signing and encryption this option can be used multiple times to
|
||||
set customised parameters for the preceding key or certificate. It can
|
||||
currently be used to set RSA-PSS for signing or RSA-OAEP for encryption.
|
||||
|
||||
=item B<-passin arg>
|
||||
|
||||
the private key password source. For more information about the format of B<arg>
|
||||
@ -573,6 +584,16 @@ Add a signer to an existing message:
|
||||
|
||||
openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg
|
||||
|
||||
Sign mail using RSA-PSS:
|
||||
|
||||
openssl cms -sign -in message.txt -text -out mail.msg \
|
||||
-signer mycert.pem -keyopt rsa_padding_mode:pss
|
||||
|
||||
Create encrypted mail using RSA-OAEP:
|
||||
|
||||
openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg \
|
||||
-recip cert.pem -keyopt rsa_padding_mode:oaep
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
The MIME parser isn't very clever: it seems to handle most messages that I've
|
||||
@ -598,5 +619,11 @@ No revocation checking is done on the signer's certificate.
|
||||
The use of multiple B<-signer> options and the B<-resign> command were first
|
||||
added in OpenSSL 1.0.0
|
||||
|
||||
The B<keyopt> option was first added in OpenSSL 1.1.0
|
||||
|
||||
The use of B<-recip> to specify the recipient when encrypting mail was first
|
||||
added to OpenSSL 1.1.0
|
||||
|
||||
Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
|
||||
|
||||
=cut
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user