Name

smime

Synopsis

The smime command is used to encrypt, decrypt, sign, and verify S/MIME format messages. It supports versions of S/MIME up to v2 and can be used to S/MIME-enable mail readers that do not natively support it.

Options

-in filename

Specify the name of a file from which data will be read. If this option is omitted, stdin will be used by default.

-inform DER|PEM|SMIME

Specify the format of the input data. If this option is omitted, the default is to use SMIME. This option is ignored if data is being encrypted or signed.

-out filename

Specify the name of a file to which data will be written. If this option is omitted, stdout will be used by default.

-outform DER|PEM|SMIME

Specify the format of the output data. If this option is omitted, the default is to use SMIME. This option is ignored if data is being decrypted or verified.

-encrypt

Cause the input data to be encrypted.

-decrypt

Cause the input data to be decrypted.

-sign

Cause the input data to be signed.

-verify

Cause the input data to be verified.

-pk7out

Cause the input data to be written out as a PEM-encoded PKCS#7 structure.

-content filename

Specify the name of a file containing the detached content. This option is valid only when verifying data.

-text

Cause plaintext MIME headers to be added to the output if the input data is being encrypted or signed. Cause plaintext MIME headers to be stripped from the input if the input data is being decrypted or verified.

-CAfile filename

Specify the name of a file containing trusted certificates for use in verifying.

-CApath directory

Specify the name of a directory containing trusted certificates for use in verifying. Each file in the directory should contain a single certificate and be named with the certificate issuer name’s hash and an extension of “.0”.

-nointern

When verifying data, cause any certificates included in the data to be considered untrusted.

-noverify

Do not verify the signer’s certificate of a signed message.

-nochain

Do not perform chain verification of the signer’s certificate or certificates.

-nosigs

Do not attempt to verify the signatures on the input data.

-nocerts

Do not include certificates in the signed data when signing.

-noattr

Do not include attributes like the time the data was signed in the output when signing.

-binary

Do not perform canonical translation.

-nodetach

Use opaque signing when signing data. Using this option requires that any mail agents encountering this message must be S/MIME-enabled. If this option is not specified, cleartext signing with the MIME type multipart/signed is used.

-certfile filename

Specify the name of a file containing one or more certificates. When signing, these certificates will be included in the signed data. When verifying, these certificates will be searched for the signer’s certificate.

-signer filename

Specify the name of a file that the signer’s certificate will be written to when verifying a signature. When signing, this file should contain the signer’s certificate.

-recip filename

Specify the name of a file that contains the recipient’s certificate. The certificate must match one of the recipients of the data.

-inkey filename

Specify the name of a file containing the private key to use when signing or decrypting data. The private key must match the public key contained in the certificate. If this option is omitted, the private key must be included in the certificate file specified with the -recip or -signer options.

-passin password

Specify the password or passphrase required to decrypt the private key when signing or decrypting data. This option follows the guidelines outlined in Chapter 2 for passwords and passphrases.

-rand filename

Specify the name of a file or files that will be used to seed the PRNG. This option follows the guidelines outlined in Chapter 2.

-to recipient

Specify the address of the recipient. If this is specified, it is included as part of the headers written outside the encrypted or signed data.

-from sender

Specify the address of the sender. If this is specified, it is included as part of the headers written outside the encrypted or signed data.

-subject subject

Specify the subject of the message. If this is specified, it is included as part of the headers written outside the encrypted or signed data.

Notes

When encrypting a message, files containing the certificates of the recipients in PEM format are also required on the command line. These filenames are given as free-form arguments after all other options.

When sending S/MIME messages using this command, it is important that no blank line be inserted between the message’s headers and the output from this command. Some mail programs add a blank space, so care must be taken to avoid that.

This command allows only a single signer per message when signing. When verifying a signed message, the command does support multiple signers. Some S/MIME clients do not deal well with messages that have multiple signers. It is possible to sign an already signed message to achieve a similar effect.

The command sets the exit code (or errorlevel on Windows) according to the status of the command’s requested operation. Exit codes are as follows:

0

The operation was completed successfully.

1

An error occurred when parsing the command’s options.

2

One of the input files could not be read.

3

An error occurred creating the PKCS#7 file or when reading the MIME message.

4

An error occurred decrypting or verifying the message.

5

The message was verified correctly, but an error occurred when attempting to write out the signer’s certificate or certificates.
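The round trip described in the Options and Notes above, as an added example that is not part of this manual page: it generates a throwaway self-signed certificate, signs with cleartext signing plus -text, verifies against -CAfile, shows that a modified body is rejected with exit code 4, then encrypts with the recipient certificate given after the options and decrypts with -recip and -inkey. All file names, addresses and the message text are constructed for the example; -aes256 is a real openssl cipher option that the option list above does not cover.

```shell
# Added example, not from the manual above: sign, verify, detect tampering,
# then encrypt and decrypt with openssl smime. Key, certificate and message
# are throwaway values generated here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate: the signer identity and, via -CAfile, the trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=smime-example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
printf 'hello smime\n' > "$WORK/msg.txt"

# Cleartext (multipart/signed) signature. -text adds the text/plain headers;
# -to/-from/-subject go only into the outer headers, outside the signature.
smime_sign() {
    openssl smime -sign -text -in "$WORK/msg.txt" -out "$WORK/signed.eml" \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -from sender@example.com -to recipient@example.com -subject "signed test"
}

# Verify $1 against the trust anchor and strip the MIME headers (-text);
# the exit status is smime's own: 0 verified, 4 verification error.
smime_verify() {
    openssl smime -verify -text -in "$1" -CAfile "$WORK/cert.pem" \
        -out "$WORK/verified.txt" 2>/dev/null
}

# Change the cleartext body; the detached signature no longer matches it.
smime_tamper() {
    sed 's/hello smime/hello tamper/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

# Encrypt for one recipient: certificate files come after all other options;
# -binary keeps the payload byte-exact instead of CRLF-canonicalising it.
smime_encrypt() {
    openssl smime -encrypt -aes256 -binary -in "$WORK/msg.txt" \
        -out "$WORK/enc.eml" "$WORK/cert.pem"
}

# Decrypt with the recipient certificate and its matching private key.
smime_decrypt() {
    openssl smime -decrypt -in "$WORK/enc.eml" -recip "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$WORK/dec.txt"
}

smime_sign && smime_verify "$WORK/signed.eml"
smime_tamper
smime_verify "$WORK/tampered.eml" || echo "tampered message rejected (exit $?)"
smime_encrypt && smime_decrypt && cmp -s "$WORK/msg.txt" "$WORK/dec.txt"
```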