NAME
CMS_add1_signer
,
CMS_SignerInfo_sign
—
add a signer to a CMS SignedData
structure
SYNOPSIS
#include
<openssl/cms.h>
CMS_SignerInfo *
CMS_add1_signer
(CMS_ContentInfo
*cms, X509 *signcert, EVP_PKEY
*pkey, const EVP_MD *md,
unsigned int flags);
int
CMS_SignerInfo_sign
(CMS_SignerInfo
*si);
DESCRIPTION
CMS_add1_signer
()
adds a signer with certificate signcert and private key
pkey using message digest md to
the signerInfos field of the
SignedData structure cms, which
should have been obtained from an initial call to
CMS_sign(3) with the flag CMS_PARTIAL
set, or
which can be a valid SignedData structure in the case of
re-signing.
If md is NULL
, the
default digest for the public key algorithm of pkey is
used.
Unless the CMS_REUSE_DIGEST
flag is set,
the cms structure remains incomplete and must be
finalized either by streaming (if applicable) or by a call to
CMS_final(3).
The main purpose of
CMS_add1_signer
()
is to provide finer control over a CMS SignedData
structure where the simpler
CMS_sign(3) function defaults are not appropriate, for example if
multiple signers or non default digest algorithms are needed. New attributes
can also be added using the returned CMS_SignerInfo
structure and the CMS attribute utility functions or the CMS signed receipt
request functions.
Any of the following flags (OR'ed together) can be passed in the flags parameter:
CMS_REUSE_DIGEST
- Attempt to copy the content digest value from one of the existing CMS_SignerInfo structures in cms while adding another signer. An error occurs if a matching digest value cannot be found to copy. The cms structure will be valid and finalized when this flag is set.
CMS_PARTIAL
- If this flag is set in addition to
CMS_REUSE_DIGEST
, the returned CMS_SignerInfo structure will not be finalized so additional attributes can be added. In this case an explicit call toCMS_SignerInfo_sign
() is needed to finalize it. CMS_NOCERTS
- Do not add the signer's certificate to the certificates field of cms. The signer's certificate must still be supplied in the signcert parameter though. This flag can reduce the size of the signature if the signer's certificate can be obtained by other means, for example from a previously signed message.
CMS_NOATTR
- Leave the signedAttrs field of the returned CMS_SignedData structure empty. By default, several CMS SignedAttributes are added, including the signing time, the CMS content type, and the supported list of ciphers in an SMIMECapabilities attribute.
CMS_NOSMIMECAP
- Omit just the SMIMECapabilities attribute.
CMS_USE_KEYID
- Use the subject key identifier value to identify signing certificates. An error occurs if the signing certificate does not have a subject key identifier extension. By default, issuer name and serial number are used instead.
If present, the SMIMECapabilities attribute indicates support for the following algorithms in preference order: 256-bit AES, Gost R3411-94, Gost 28147-89, 192-bit AES, 128-bit AES, triple DES, 128-bit RC2, 64-bit RC2, DES and 40-bit RC2. If any of these algorithms is not available then it will not be included.
The
CMS_SignerInfo_sign
()
function explicitly signs si. Its main use is when the
CMS_REUSE_DIGEST
and
CMS_PARTIAL
flags were both set in the call to
CMS_add1_signer
() that created
si.
RETURN VALUES
CMS_add1_signer
() returns an internal
pointer to the new CMS_SignerInfo structure just added
or NULL
if an error occurs.
SEE ALSO
CMS_ContentInfo_new(3), CMS_final(3), CMS_sign(3), ERR_get_error(3)
STANDARDS
RFC 5652: Cryptographic Message Syntax, section 5.1: SignedData Type
RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification
- section 2.5: Attributes and the SignerInfo Type
- section 2.5.2: SMIMECapabilities Attribute
HISTORY
CMS_add1_signer
() and
CMS_SignerInfo_sign
() first appeared in OpenSSL
0.9.8h and have been available since OpenBSD
6.7.