跟老韩学UbuntuServer2204cms帮助手册

　　跟老韩学LinuxSRE系列
　　那些过往，如盛夏的月光，一如你青涩的脸庞。hanywhanyw：manopensslcmsgrepEv34；OPENSSLCMS（1SSL）OpenSSLOPENSSLCMS（1SSL）NAMEopensslcmsCMScommandSYNOPSISopensslcms〔help〕Generaloptions：〔infilename〕〔outfilename〕〔configconfigfile〕Operationoptions：〔encrypt〕〔decrypt〕〔sign〕〔verify〕〔resign〕〔signreceipt〕〔verifyreceiptreceipt〕〔digestcreate〕〔digestverify〕〔compress〕〔uncompress〕〔EncryptedDataencrypt〕〔EncryptedDatadecrypt〕〔datacreate〕〔dataout〕〔cmsout〕Fileformatoptions：〔informDERPEMSMIME〕〔outformDERPEMSMIME〕〔rctformDERPEMSMIME〕〔stream〕〔indef〕〔noindef〕〔binary〕〔crlfeol〕〔asciicrlf〕Keysandpasswordoptions：〔pwripasswordpassword〕〔secretkeykey〕〔secretkeyidid〕〔inkeyfilenameuri〕〔passinarg〕〔keyoptname：parameter〕〔keyformDERPEMP12ENGINE〕〔engineid〕〔providername〕〔providerpathpath〕〔propquerypropq〕〔randfiles〕〔writerandfile〕Encryptionoptions：〔originatorfile〕〔recipfile〕〔recipientcert。。。〕〔cipher〕〔wrapcipher〕〔aes128wrap〕〔aes192wrap〕〔aes256wrap〕〔des3wrap〕〔debugdecrypt〕Signingoptions：〔mddigest〕〔signerfile〕〔certfilefile〕〔cades〕〔nodetach〕〔nocerts〕〔noattr〕〔nosmimecap〕〔receiptrequestall〕〔receiptrequestfirst〕〔receiptrequestfromemailaddress〕〔receiptrequesttoemailaddress〕Verificationoptions：〔signerfile〕〔contentfilename〕〔nocontentverify〕〔noattrverify〕〔nosigs〕〔noverify〕〔nointern〕〔cades〕〔verifyretcode〕〔CAfilefile〕〔noCAfile〕〔CApathdir〕〔noCApath〕〔CAstoreuri〕〔noCAstore〕Outputoptions：〔keyid〕〔econtenttypetype〕〔text〕〔certsoutfile〕〔toaddr〕〔fromaddr〕〔subjectsubj〕Printingoptions：〔noout〕〔print〕〔nameoptoption〕〔receiptrequestprint〕Validationoptions：〔allowproxycerts〕〔attimetimestamp〕〔nochecktime〕〔checksssig〕〔crlcheck〕〔crlcheckall〕〔explicitpolicy〕〔extendedcrl〕〔ignorecritical〕〔inhibitany〕〔inhibitmap〕〔partialchain〕〔policyarg〕〔policycheck〕〔policyprint〕〔purposepurpose〕〔suiteB128〕〔suiteB128only〕〔suiteB192〕〔trustedfirst〕〔noaltchains〕〔usedeltas〕〔authlevelnum〕〔verifydepthnum〕〔verifyemailemail〕〔verifyhostnamehostname〕〔verifyipip〕〔verifynamename〕〔x509strict〕〔issuerchecks〕DESCRIPTIONThiscommandhandlesdatainCMSformatsuchasSMIMEv3。1emailmessages。Itcanencrypt，decrypt，sign，verify，compress，uncompress，andprintmessages。OPTIONSThereareanumberofoperationoptionsthatsetthetypeofoperationtobeperformed：encrypt，decrypt，sign，verify，resign，signreceipt，verifyreceipt，digestcreate，digestverify，compress，uncompress，EncryptedDataencrypt，EncryptedDatadecrypt，datacreate，dataout，orcmsout。Therelevanceoftheotheroptionsdependsontheoperationtypeandtheirmeaningmayvaryaccordingtoit。helpPrintoutausagemessage。GeneraloptionsinfilenameTheinputmessagetobeencryptedorsignedorthemessagetobedecryptedorverified。outfilenameThemessagetextthathasbeendecryptedorverifiedortheoutputMIMEformatmessagethathasbeensignedorverified。configconfigfileSeeConfigurationOptioninopenssl（1）。OperationoptionsencryptEncryptdataforthegivenrecipientcertificates。Inputfileisthemessagetobeencrypted。TheoutputfileistheencrypteddatainMIMEformat。TheactualCMStypeisEnvelopedData。Notethatnorevocationcheckisdonefortherecipientcert，soifthatkeyhasbeencompromised，othersmaybeabletodecryptthetext。decryptDecryptdatausingthesuppliedcertificateandprivatekey。ExpectsencrypteddatainMIMEformatfortheinputfile。Thedecrypteddataiswrittentotheoutputfile。signSigndatausingthesuppliedcertificateandprivatekey。Inputfileisthemessagetobesigned。ThesigneddatainMIMEformatiswrittentotheoutputfile。verifyVerifysigneddata。Expectsasigneddataoninputandoutputsthesigneddata。Bothcleartextandopaquesigningissupported。resignResignamessage：takeanexistingmessageandoneormorenewsigners。signreceiptGenerateandoutputasignedreceiptforthesuppliedmessage。Theinputmessagemustcontainasignedreceiptrequest。Functionalityisotherwisesimilartothesignoperation。verifyreceiptreceiptVerifyasignedreceiptinfilenamereceipt。Theinputmessagemustcontaintheoriginalreceiptrequest。Functionalityisotherwisesimilartotheverifyoperation。digestcreateCreateaCMSDigestedDatatype。digestverifyVerifyaCMSDigestedDatatypeandoutputthecontent。compressCreateaCMSCompressedDatatype。OpenSSLmustbecompiledwithzlibsupportforthisoptiontowork，otherwiseitwilloutputanerror。uncompressUncompressaCMSCompressedDatatypeandoutputthecontent。OpenSSLmustbecompiledwithzlibsupportforthisoptiontowork，otherwiseitwilloutputanerror。EncryptedDataencryptEncryptcontentusingsuppliedsymmetrickeyandalgorithmusingaCMSEncryptedDatatypeandoutputthecontent。EncryptedDatadecryptDecryptcontentusingsuppliedsymmetrickeyandalgorithmusingaCMSEncryptedDatatypeandoutputthecontent。datacreateCreateaCMSDatatype。dataoutDatatypeandoutputthecontent。cmsoutTakesaninputmessageandwritesoutaPEMencodedCMSstructure。FileformatoptionsinformDERPEMSMIMETheinputformatoftheCMSstructure（ifoneisbeingread）；thedefaultisSMIME。Seeopensslformatoptions（1）fordetails。outformDERPEMSMIMETheoutputformatoftheCMSstructure（ifoneisbeingwritten）；thedefaultisSMIME。Seeopensslformatoptions（1）fordetails。rctformDERPEMSMIMETthedefaultisSMIME。Seeopensslformatoptions（1）fordetails。stream，indefThestreamandindefoptionsareequivalentandenablestreamingIOforencodingoperations。Thispermitssinglepassprocessingofdatawithouttheneedtoholdtheentirecontentsinmemory，potentiallysupportingverylargefiles。StreamingisautomaticallysetforSMIMEsigningwithdetacheddataiftheoutputformatisSMIMEitiscurrentlyoffbydefaultforallotheroperations。noindefDisablestreamingIOwhereitwouldproduceandindefinitelengthconstructedencoding。Thisoptioncurrentlyhasnoeffect。Infuturestreamingwillbeenabledbydefaultonallrelevantoperationsandthisoptionwilldisableit。binaryNormallytheinputmessageisconvertedtocanonicalformatwhichiseffectivelyusingCRandLFasendofline：asrequiredbytheSMIMEspecification。Whenthisoptionispresentnotranslationoccurs。ThisisusefulwhenhandlingbinarydatawhichmaynotbeinMIMEformat。crlfeolNormallytheoutputfileusesasingleLFasendofline。WhenthisoptionispresentCRLFisusedinstead。asciicrlfWhensigninguseASCIICRLFformatcanonicalisation。Thisstripstrailingwhitespacefromalllines，deletestrailingblanklinesatEOFandsetstheencapsulatedcontenttype。ThisoptionisnormallyusedwithdetachedcontentandanoutputsignatureformatofDER。Thisoptionisnotnormallyneededwhenverifyingasitisenabledautomaticallyiftheencapsulatedcontentformatisdetected。KeysandpasswordoptionspwripasswordpasswordSpecifypasswordforrecipient。secretkeykeySpecifysymmetrickeytouse。Thekeymustbesuppliedinhexformatandbeconsistentwiththealgorithmused。SupportedbytheEncryptedDataencryptEncryptedDatadecrypt，encryptanddecryptoptions。WhenusedwithencryptordecryptthesuppliedkeyisusedtowraporunwrapthecontentencryptionkeyusinganAESkeyintheKEKRecipientInfotype。secretkeyididThekeyidentifierforthesuppliedsymmetrickeyforKEKRecipientInfotype。Thisoptionmustbepresentifthesecretkeyoptionisusedwithencrypt。WithdecryptoperationstheidisusedtolocatetherelevantkeyifitisnotsuppliedthenanattemptisusedtodecryptanyKEKRecipientInfostructures。inkeyfilenameuriTheprivatekeytousewhensigningordecrypting。Thismustmatchthecorrespondingcertificate。Ifthisoptionisnotspecifiedthentheprivatekeymustbeincludedinthecertificatefilespecifiedwiththereciporsignerfile。Whensigningthisoptioncanbeusedmultipletimestospecifysuccessivekeys。passinargTheprivatekeypasswordsource。Formoreinformationabouttheformatofargseeopensslpassphraseoptions（1）。keyoptname：parameterForsigningandencryptionthisoptioncanbeusedmultipletimestosetcustomisedparametersfortheprecedingkeyorcertificate。ItcancurrentlybeusedtosetRSAPSSforsigning，RSAOAEPforencryptionortomodifydefaultparametersforECDH。keyformDERPEMP12ENGINETunspecifiedbydefault。Seeopensslformatoptions（1）fordetails。engineidSeeEngineOptionsinopenssl（1）。Thisoptionisdeprecated。providernameproviderpathpathpropquerypropqSeeProviderOptionsinopenssl（1），provider（7），andproperty（7）。randfiles，writerandfileSeeRandomStateOptionsinopenssl（1）fordetails。EncryptionanddecryptionoptionsoriginatorfileAcertificateoftheoriginatoroftheencryptedmessage。NecessaryfordecryptionwhenKeyAgreementisinuseforasharedkey。recipfileWhendecryptingamessagethisspecifiesthecertificateoftherecipient。Thecertificatemustmatchoneoftherecipientsofthemessage。Whenencryptingamessagethisoptionmaybeusedmultipletimestospecifyeachrecipient。Thisformmustbeusedifcustomisedparametersarerequired（forexampletospecifyRSAOAEP）。OnlycertificatescarryingRSA，DiffieHellmanorECkeysaresupportedbythisoption。recipientcert。。。Thisisanalternativetousingtherecipoptionwhenencryptingamessage。Oneormorecertificatefilennamesmaybegiven。cipherTheencryptionalgorithmtouse。ForexampletripleDES（168bits）des3or256bitAESaes256。Anystandardalgorithmname（asusedbytheEVPgetcipherbyname（）function）canalsobeusedprecededbyadash，forexampleaes128cbc。Seeopensslenc（1）foralistofcipherssupportedbyyourversionofOpenSSL。CurrentlytheAESvariantswithGCMmodearetheonlysupportedAEADalgorithms。IfnotspecifiedtripleDESisused。OnlyusedwithencryptandEncryptedDatacreatecommands。wrapcipherCipheralgorithmtouseforkeywrapwhenencryptingthemessageusingKeyAgreementforkeytransport。Thealgorithmspecifiedshouldbesuitableforkeywrap。aes128wrap，aes192wrap，aes256wrap，des3wrapUseAES128，AES192，AES256，or3DESEDE，respectively，towrapkey。DependingontheOpenSSLbuildoptionsused，des3wrapmaynotbesupported。debugdecryptThisoptionsetstheCMSDEBUGDECRYPTflag。Thisoptionshouldbeusedwithcaution：seethenotessectionbelow。SigningoptionsmddigestDigestalgorithmtousewhensigningorresigning。Ifnotpresentthenthedefaultdigestalgorithmforthesigningkeywillbeused（usuallySHA1）。signerfileAsigningcertificate。Whensigningorresigningamessage，thisoptioncanbeusedmultipletimesifmorethanonesignerisrequired。certfilefileAllowsadditionalcertificatestobespecified。Whensigningthesewillbeincludedwiththemessage。Whenverifyingthesewillbesearchedforthesignerscertificates。TheinputcanbeinPEM，DER，orPKCS12format。cadesWhenusedwithsign，addanESSsigningCertificateorESSsigningCertificateV2signedattributetotheSignerInfo，inordertomakethesignaturecomplywiththerequirementsforaCAdESBasicElectronicSignature（CAdESBES）。nodetachWhensigningamessageuseopaquesigning：thisformismoreresistanttotranslationbymailrelaysbutitcannotbereadbymailagentsthatdonotsupportSMIME。WithoutthisoptioncleartextsigningwiththeMIMEtypemultipartsignedisused。nocertsWhensigningamessagethesignerscertificateisnormallyincludedwiththisoptionitisexcluded。Thiswillreducethesizeofthesignedmessagebuttheverifiermusthaveacopyofthesignerscertificateavailablelocally（passedusingthecertfileoptionforexample）。noattrNormallywhenamessageissignedasetofattributesareincludedwhichincludethesigningtimeandsupportedsymmetricalgorithms。Withthisoptiontheyarenotincluded。nosmimecapExcludethelistofsupportedalgorithmsfromsignedattributes，otheroptionssuchassigningtimeandcontenttypearestillincluded。receiptrequestall，receiptrequestfirstForsignoptionincludeasignedreceiptrequest。Indicaterequestsshouldbeprovidedbyallrecipientorfirsttierrecipients（thosemaileddirectlyandnotfromamailinglist）。Ignoreditreceiptrequestfromisincluded。receiptrequestfromemailaddressForsignoptionincludeasignedreceiptrequest。Addanexplicitemailaddresswherereceiptsshouldbesupplied。receiptrequesttoemailaddressAddanexplicitemailaddresswheresignedreceiptsshouldbesentto。Thisoptionmustbutsuppliedifasignedreceiptisrequested。VerificationoptionssignerfileIfamessagehasbeenverifiedsuccessfullythenthesignerscertificate（s）willbewrittentothisfileiftheverificationwassuccessful。contentfilenameThisspecifiesafilecontainingthedetachedcontentforoperationstakingSMIMEinput，suchastheverifycommand。ThisisonlyusableiftheCMSstructureisusingthedetachedsignatureformwherethecontentisnotincluded。ThisoptionwilloverrideanycontentiftheinputformatisSMIMEanditusesthemultipartsignedMIMEcontenttype。nocontentverifyDonotverifysignedcontentsignatures。noattrverifyDonotverifysignedattributesignatures。nosigsDontverifymessagesignature。noverifyDonotverifythesignerscertificateofasignedmessage。nointernWhenverifyingamessagenormallycertificates（ifany）includedinthemessagearesearchedforthesigningcertificate。Withthisoptiononlythecertificatesspecifiedinthecertfileoptionareused。ThesuppliedcertificatescanstillbeusedasuntrustedCAshowever。cadesWhenusedwithverify，requireandchecksignercertificatedigest。SeetheNOTESsectionformoredetails。verifyretcodeExitnonzeroonverificationfailure。CAfilefile，noCAfile，CApathdir，noCApath，CAstoreuri，noCAstoreSeeTrustedCertificateOptionsinopensslverificationoptions（1）fordetails。OutputoptionskeyidUsesubjectkeyidentifiertoidentifycertificatesinsteadofissuernameandserialnumber。Thesuppliedcertificatemustincludeasubjectkeyidentifierextension。Supportedbysignandencryptoptions。econtenttypetypeSettheencapsulatedcontenttypetotypeifnotsuppliedtheDatatypeisused。ThetypeargumentcanbeanyvalidOIDnameineithertextornumericalformat。textThisoptionaddsplaintext（textplain）MIMEheaderstothesuppliedmessageifencryptingorsigning。Ifdecryptingorverifyingitstripsofftextheaders：ifthedecryptedorverifiedmessageisnotofMIMEtypetextplainthenanerroroccurs。certsoutfileAnycertificatescontainedintheinputmessagearewrittentofile。to，from，subjectTherelevantemailheaders。Theseareincludedoutsidethesignedportionofamessagesotheymaybeincludedmanually。IfsigningthenmanySMIMEmailclientscheckthesignerscertificatesemailaddressmatchesthatspecifiedintheFrom：address。PrintingoptionsnooutForthecmsoutoperationdonotoutputtheparsedCMSstructure。ThisisusefulifthesyntaxoftheCMSstructureisbeingchecked。printForthecmsoutoperationprintoutallfieldsoftheCMSstructure。Thisimpliesnoout。Thisismainlyusefulfortestingpurposes。nameoptoptionForthecmsoutoperationwhenprintoptionisinuse，specifiesprintingoptionsforstringfields。Formostcasesutf8isreasonablevalue。Seeopensslnamedisplayoptions（1）fordetails。receiptrequestprintFortheverifyoperationprintoutthecontentsofanysignedreceiptrequests。Validationoptionsallowproxycerts，attime，nochecktime，checksssig，crlcheck，crlcheckall，explicitpolicy，extendedcrl，ignorecritical，inhibitany，inhibitmap，noaltchains，partialchain，policy，policycheck，policyprint，purpose，suiteB128，suiteB128only，suiteB192，trustedfirst，usedeltas，authlevel，verifydepth，verifyemail，verifyhostname，verifyip，verifyname，x509strictissuerchecksSetvariousoptionsofcertificatechainverification。SeeVerificationOptionsinopensslverificationoptions（1）fordetails。Anyvalidationerrorscausethecommandtoexit。NOTESTheMIMEmessagemustbesentwithoutanyblanklinesbetweentheheadersandtheoutput。Somemailprogramswillautomaticallyaddablankline。Pipingthemaildirectlytosendmailisonewaytoachievethecorrectformat。ThesuppliedmessagetobesignedorencryptedmustincludethenecessaryMIMEheadersormanySMIMEclientswontdisplayitproperly（ifatall）。Youcanusethetextoptiontoautomaticallyaddplaintextheaders。Asignedandencryptedmessageisonewhereasignedmessageisthenencrypted。Thiscanbeproducedbyencryptinganalreadysignedmessage：seetheexamplessection。Thisversionoftheprogramonlyallowsonesignerpermessagebutitwillverifymultiplesignersonreceivedmessages。SomeSMIMEclientschokeifamessagecontainsmultiplesigners。Itispossibletosignmessagesinparallelbysigninganalreadysignedmessage。TheoptionsencryptanddecryptreflectcommonusageinSMIMEclients。StrictlyspeakingtheseprocessCMSenvelopeddata：CMSencrypteddataisusedforotherpurposes。Theresignoptionusesanexistingmessagedigestwhenaddinganewsigner。Thismeansthatattributesmustbepresentinatleastoneexistingsignerusingthesamemessagedigestorthisoperationwillfail。ThestreamandindefoptionsenablestreamingIOsupport。AsaresulttheencodingisBERusingindefinitelengthconstructedencodingandnolongerDER。Streamingissupportedfortheencryptoperationandthesignoperationifthecontentisnotdetached。StreamingisalwaysusedforthesignoperationwithdetacheddatabutsincethecontentisnolongerpartoftheCMSstructuretheencodingremainsDER。Ifthedecryptoptionisusedwithoutarecipientcertificatethenanattemptismadetolocatetherecipientbytryingeachpotentialrecipientinturnusingthesuppliedprivatekey。TothwarttheMMAattack（BleichenbachersattackonPKCS1v1。5RSApadding）allrecipientsaretriedwhethertheysucceedornotandifnorecipientsmatchthemessageisdecryptedusingarandomkeywhichwilltypicallyoutputgarbage。ThedebugdecryptoptioncanbeusedtodisabletheMMAattackprotectionandreturnanerrorifnorecipientcanbefound：thisoptionshouldbeusedwithcaution。ForafullerdescriptionseeCMSdecrypt（3））。CADESBASICELECTRONICSIGNATURE（CADESBES）ACAdESBasicElectronicSignature（CAdESBES），asdefinedintheEuropeanStandardETSIEN3191221V1。1。1，contains：ThesigneduserdataasdefinedinCMS（RFC3852）；ContenttypeoftheEncapsulatedContentIMessagedigestoftheeContentOCTETSTRINGwithinencapContentIAnESSsigningCertificateorESSsigningCertificateV2attribute，asdefinedinEnhancedSecurityServices（ESS），RFC2634andRFC5035。AnESSsigningCertificateattributeonlyallowsforSHA1asdigestalgorithm。AnESSsigningCertificateV2attributeallowsforanydigestalgorithm。Thedigitalsignaturevaluecomputedontheuserdataand，whenpresent，onthesignedattributes。NOTEthatthecadesoptionappliestothesignorverifyoperations。Withthisoption，theverifyoperationalsorequiresthatthesigningCertificateattributeispresentandchecksthatthegivenidentifiersmatchtheverificationtrustchainbuiltduringtheverificationprocess。EXITCODES0Theoperationwascompletelysuccessfully。1Anerroroccurredparsingthecommandoptions。2Oneoftheinputfilescouldnotberead。3AnerroroccurredcreatingtheCMSfileorwhenreadingtheMIMEmessage。4Anerroroccurreddecryptingorverifyingthemessage。5Themessagewasverifiedcorrectlybutanerroroccurredwritingoutthesignerscertificates。COMPATIBILITYWITHPKCS7FORMATopensslsmime（1）canonlyprocesstheolderPKCS7format。opensslcmssupportsCryptographicMessageSyntaxformat。Useofsomefeatureswillresultinmessageswhichcannotbeprocessedbyapplicationswhichonlysupporttheolderformat。Thesearedetailedbelow。Theuseofthekeyidoptionwithsignorencrypt。TheoutformPEMoptionusesdifferentheaders。Thecompressoption。Thesecretkeyoptionwhenusedwithencrypt。TheuseofPSSwithsign。TheuseofOAEPornonRSAkeyswithencrypt。AdditionallytheEncryptedDatacreateanddatacreatetypecannotbeprocessedbytheolderopensslsmime（1）command。EXAMPLESCreateacleartextsignedmessage：opensslcmssigninmessage。txttextoutmail。msgsignermycert。pemCreateanopaquesignedmessageopensslcmssigninmessage。txttextoutmail。msgnodetachsignermycert。pemCreateasignedmessage，includesomeadditionalcertificatesandreadtheprivatekeyfromanotherfile：opensslcmssigninin。txttextoutmail。msgsignermycert。peminkeymykey。pemcertfilemycerts。pemCreateasignedmessagewithtwosigners，usekeyidentifier：opensslcmssigninmessage。txttextoutmail。msgsignermycert。pemsignerothercert。pemkeyidSendasignedmessageunderUnixdirectlytosendmail，includingheaders：opensslcmssigninin。txttextsignermycert。pemfromsteveopenssl。orgtosomeonesomewheresubjectSignedmessagesendmailsomeonesomewhereVerifyamessageandextractthesignerscertificateifsuccessful：opensslcmsverifyinmail。msgsigneruser。pemoutsignedtext。txtSendencryptedmailusingtripleDES：opensslcmsencryptinin。txtfromsteveopenssl。orgtosomeonesomewheresubjectEncryptedmessagedes3user。pemoutmail。msgSignandencryptmail：opensslcmssigninml。txtsignermy。pemtextopensslcmsencryptoutmail。msgfromsteveopenssl。orgtosomeonesomewheresubjectSignedandEncryptedmessagedes3user。pemNote：theencryptioncommanddoesnotincludethetextoptionbecausethemessagebeingencryptedalreadyhasMIMEheaders。Decryptamessage：opensslcmsdecryptinmail。msgrecipmycert。peminkeykey。pemTheoutputfromNetscapeformsigningisaPKCS7structurewiththedetachedsignatureformat。Youcanusethisprogramtoverifythesignaturebylinewrappingthebase64encodedstructureandsurroundingitwith：BEGINPKCS7ENDPKCS7andusingthecommand，opensslcmsverifyinformPEMinsignature。pemcontentcontent。txtalternativelyyoucanbase64decodethesignatureanduseopensslcmsverifyinformDERinsignature。dercontentcontent。txtCreateanencryptedmessageusing128bitCamellia：opensslcmsencryptinplain。txtcamellia128outmail。msgcert。pemAddasignertoanexistingmessage：opensslcmsresigninmail。msgsignernewsign。pemoutmail2。msgSignamessageusingRSAPSS：opensslcmssigninmessage。txttextoutmail。msgsignermycert。pemkeyoptrsapaddingmode：pssCreateanencryptedmessageusingRSAOAEP：opensslcmsencryptinplain。txtoutmail。msgrecipcert。pemkeyoptrsapaddingmode：oaepUseSHA256KDFwithanECDHcertificate：opensslcmsencryptinplain。txtoutmail。msgrecipecdhcert。pemkeyoptecdhkdfmd：sha256PrintCMSsignedbinarydatainhumanreadableform：opensslcmsinsigned。cmsbinaryinformDERcmsoutprintBUGSTheMIMEparserisntveryclever：itseemstohandlemostmessagesthatIvethrownatitbutitmaychokeonothers。Thecodecurrentlywillonlywriteoutthesignerscertificatetoafile：ifthesignerhasaseparateencryptioncertificatethismustbemanuallyextracted。Thereshouldbesomeheuristicthatdeterminesthecorrectencryptioncertificate。Ideallyadatabaseshouldbemaintainedofacertificatesforeachemailaddress。ThecodedoesntcurrentlytakenoteofthepermittedsymmetricencryptionalgorithmsassuppliedintheSMIMECapabilitiessignedattribute。thismeanstheuserhastomanuallyincludethecorrectencryptionalgorithm。Itshouldstorethelistofpermittedciphersinadatabaseandonlyusethose。Norevocationcheckingisdoneonthesignerscertificate。SEEALSOosslstorefile（7）HISTORYTheuseofmultiplesigneroptionsandtheresigncommandwerefirstaddedinOpenSSL1。0。0。ThekeyoptoptionwasaddedinOpenSSL1。0。2。SupportforRSAOAEPandRSAPSSwasaddedinOpenSSL1。0。2。TheuseofnonRSAkeyswithencryptanddecryptwasaddedinOpenSSL1。0。2。ThenoaltchainsoptionwasaddedinOpenSSL1。0。2b。ThenameoptoptionwasaddedinOpenSSL3。0。0。TheengineoptionwasdeprecatedinOpenSSL3。0。COPYRIGHTCopyright20082021TheOpenSSLProjectAuthors。AllRightsReserved。LicensedundertheApacheLicense2。0（theLicense）。YoumaynotusethisfileexceptincompliancewiththeLicense。YoucanobtainacopyinthefileLICENSEinthesourcedistributionorathttps：www。openssl。orgsourcelicense。html。3。0。220220316OPENSSLCMS（1SSL）