Make req seed the PRNG if signing with
an already existing DSA key. Document the new smime options.
This commit is contained in:
Dr. Stephen Henson
parent
b364e5d27b
commit
fd13f0ee52
4
CHANGES
4
CHANGES
@ -4,6 +4,10 @@
|
|||||||
|
|
||||||
Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
|
Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
|
||||||
|
|
||||||
|
*) Fix so PRNG is seeded in req if using an already existing
|
||||||
|
DSA key.
|
||||||
|
[Steve Henson]
|
||||||
|
|
||||||
*) New options to smime application. -inform and -outform
|
*) New options to smime application. -inform and -outform
|
||||||
allow alternative formats for the S/MIME message including
|
allow alternative formats for the S/MIME message including
|
||||||
PEM and DER. The -content option allows the content to be
|
PEM and DER. The -content option allows the content to be
|
||||||
|
|||||||
@ -547,6 +547,11 @@ bad:
|
|||||||
BIO_printf(bio_err,"unable to load Private key\n");
|
BIO_printf(bio_err,"unable to load Private key\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
|
||||||
|
{
|
||||||
|
char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
|
||||||
|
app_RAND_load_file(randfile, bio_err, 0);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (newreq && (pkey == NULL))
|
if (newreq && (pkey == NULL))
|
||||||
|
|||||||
@ -277,8 +277,11 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf (bio_err, "-signer file signer certificate file\n");
|
BIO_printf (bio_err, "-signer file signer certificate file\n");
|
||||||
BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");
|
BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");
|
||||||
BIO_printf (bio_err, "-in file input file\n");
|
BIO_printf (bio_err, "-in file input file\n");
|
||||||
|
BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
|
||||||
BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");
|
BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");
|
||||||
BIO_printf (bio_err, "-out file output file\n");
|
BIO_printf (bio_err, "-out file output file\n");
|
||||||
|
BIO_printf (bio_err, "-outform arg output format SMIME (default), PEM or DER\n");
|
||||||
|
BIO_printf (bio_err, "-content file supply or override content for detached signature\n");
|
||||||
BIO_printf (bio_err, "-to addr to address\n");
|
BIO_printf (bio_err, "-to addr to address\n");
|
||||||
BIO_printf (bio_err, "-from ad from address\n");
|
BIO_printf (bio_err, "-from ad from address\n");
|
||||||
BIO_printf (bio_err, "-subject s subject\n");
|
BIO_printf (bio_err, "-subject s subject\n");
|
||||||
|
|||||||
@ -22,8 +22,11 @@ B<openssl> B<smime>
|
|||||||
[B<-signer file>]
|
[B<-signer file>]
|
||||||
[B<-recip file>]
|
[B<-recip file>]
|
||||||
[B<-in file>]
|
[B<-in file>]
|
||||||
|
[B<-inform SMIME|PEM|DER>]
|
||||||
[B<-inkey file>]
|
[B<-inkey file>]
|
||||||
[B<-out file>]
|
[B<-out file>]
|
||||||
|
[B<-outform SMIME|PEM|DER>]
|
||||||
|
[B<-content file>]
|
||||||
[B<-to addr>]
|
[B<-to addr>]
|
||||||
[B<-from ad>]
|
[B<-from ad>]
|
||||||
[B<-subject s>]
|
[B<-subject s>]
|
||||||
@ -74,11 +77,37 @@ takes an input message and writes out a PEM encoded PKCS#7 structure.
|
|||||||
the input message to be encrypted or signed or the MIME message to
|
the input message to be encrypted or signed or the MIME message to
|
||||||
be decrypted or verified.
|
be decrypted or verified.
|
||||||
|
|
||||||
|
=item B<-inform SMIME|PEM|DER>
|
||||||
|
|
||||||
|
this specifies the input format for the PKCS#7 structure. The default
|
||||||
|
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
|
||||||
|
format change this to expect PEM and DER format PKCS#7 structures
|
||||||
|
instead. This currently only affects the input format of the PKCS#7
|
||||||
|
structure, if no PKCS#7 structure is being input (for example with
|
||||||
|
B<-encrypt> or B<-sign>) this option has no effect.
|
||||||
|
|
||||||
=item B<-out filename>
|
=item B<-out filename>
|
||||||
|
|
||||||
the message text that has been decrypted or verified or the output MIME
|
the message text that has been decrypted or verified or the output MIME
|
||||||
format message that has been signed or verified.
|
format message that has been signed or verified.
|
||||||
|
|
||||||
|
=item B<-outform SMIME|PEM|DER>
|
||||||
|
|
||||||
|
this specifies the output format for the PKCS#7 structure. The default
|
||||||
|
is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
|
||||||
|
format change this to write PEM and DER format PKCS#7 structures
|
||||||
|
instead. This currently only affects the output format of the PKCS#7
|
||||||
|
structure, if no PKCS#7 structure is being output (for example with
|
||||||
|
B<-verify> or B<-decrypt>) this option has no effect.
|
||||||
|
|
||||||
|
=item B<-content filename>
|
||||||
|
|
||||||
|
This specifies a file containing the detached content, this is only
|
||||||
|
useful with the B<-verify> command. This is only usable if the PKCS#7
|
||||||
|
structure is using the detached signature form where the content is
|
||||||
|
not included. This option will override any content if the input format
|
||||||
|
is S/MIME and it uses the multipart/signed MIME content type.
|
||||||
|
|
||||||
=item B<-text>
|
=item B<-text>
|
||||||
|
|
||||||
this option adds plain text (text/plain) MIME headers to the supplied
|
this option adds plain text (text/plain) MIME headers to the supplied
|
||||||
@ -204,7 +233,7 @@ a blank line. Piping the mail directly to sendmail is one way to
|
|||||||
achieve the correct format.
|
achieve the correct format.
|
||||||
|
|
||||||
The supplied message to be signed or encrypted must include the
|
The supplied message to be signed or encrypted must include the
|
||||||
necessary MIME headers: or many S/MIME clients wont display it
|
necessary MIME headers or many S/MIME clients wont display it
|
||||||
properly (if at all). You can use the B<-text> option to automatically
|
properly (if at all). You can use the B<-text> option to automatically
|
||||||
add plain text headers.
|
add plain text headers.
|
||||||
|
|
||||||
@ -301,6 +330,22 @@ Decrypt mail:
|
|||||||
|
|
||||||
openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
|
openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
|
||||||
|
|
||||||
|
The output from Netscape form signing is a PKCS#7 structure with the
|
||||||
|
detached signature format. You can use this program to verify the
|
||||||
|
signature by line wrapping the base64 encoded structure and surrounding
|
||||||
|
it with:
|
||||||
|
|
||||||
|
-----BEGIN PKCS7----
|
||||||
|
-----END PKCS7----
|
||||||
|
|
||||||
|
and using the command,
|
||||||
|
|
||||||
|
openssl smime -verify -inform PEM -in signature.pem -content content.txt
|
||||||
|
|
||||||
|
alternatively you can base64 decode the signature and use
|
||||||
|
|
||||||
|
openssl smime -verify -inform DER -in signature.der -content content.txt
|
||||||
|
|
||||||
=head1 BUGS
|
=head1 BUGS
|
||||||
|
|
||||||
The MIME parser isn't very clever: it seems to handle most messages that I've thrown
|
The MIME parser isn't very clever: it seems to handle most messages that I've thrown
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user