Update cms docs.

Document use of -keyopt to use RSA-PSS and RSA-OAEP modes.

Update cms docs.
Document use of -keyopt to use RSA-PSS and RSA-OAEP modes.
4bf4a650 · Dr. Stephen Henson · 32b18e03 · 4bf4a650
隐藏空白更改
内联并排

Showing with 29 addition and 2 deletion

doc/apps/cms.pod doc/apps/cms.pod +29 -2

未找到文件。
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -316,8 +316,13 @@ verification was successful.

 =item B<-recip file>

-the recipients certificate when decrypting a message. This certificate
-must match one of the recipients of the message or an error occurs.
+when decrypting a message this specifies the recipients certificate. The
+certificate must match one of the recipients of the message or an error
+occurs.
+
+When encrypting a message this option may be used multiple times to specify
+each recipient. This form B<must> be used if customised parameters are
+required (for example to specify RSA-OAEP).

 =item B<-keyid>

@@ -376,6 +381,12 @@ private key must be included in the certificate file specified with
 the B<-recip> or B<-signer> file. When signing this option can be used
 multiple times to specify successive keys.

+=item B<-keyopt name:opt>
+
+for signing and encryption this option can be used multiple times to
+set customised parameters for the preceding key or certificate. It can
+currently be used to set RSA-PSS for signing or RSA-OAEP for encryption.
+
 =item B<-passin arg>

 the private key password source. For more information about the format of B<arg>
@@ -573,6 +584,16 @@ Add a signer to an existing message:

 openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg

+Sign mail using RSA-PSS:
+
+ openssl cms -sign -in message.txt -text -out mail.msg \
+	-signer mycert.pem -keyopt rsa_padding_mode:pss
+
+Create encrypted mail using RSA-OAEP:
+
+ openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg \
+	-recip cert.pem -keyopt rsa_padding_mode:oaep
+
 =head1 BUGS

 The MIME parser isn't very clever: it seems to handle most messages that I've
@@ -598,5 +619,11 @@ No revocation checking is done on the signer's certificate.
 The use of multiple B<-signer> options and the B<-resign> command were first
 added in OpenSSL 1.0.0

+The B<keyopt> option was first added in OpenSSL 1.1.0
+
+The use of B<-recip> to specify the recipient when encrypting mail was first
+added to OpenSSL 1.1.0
+
+Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. 

 =cut