Make req seed the PRNG if signing with an already existing DSA key. Document the new smime options.

fd13f0ee · Dr. Stephen Henson · b364e5d2 · fd13f0ee · fd13f0ee · fd13f0ee
隐藏空白更改
内联并排

Showing with 58 addition and 1 deletion

CHANGES CHANGES +4 -0

apps/req.c apps/req.c +5 -0

apps/smime.c apps/smime.c +3 -0

doc/apps/smime.pod doc/apps/smime.pod +46 -1

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@

 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]

+  *) Fix so PRNG is seeded in req if using an already existing
+     DSA key.
+     [Steve Henson]
+
  *) New options to smime application. -inform and -outform
     allow alternative formats for the S/MIME message including
     PEM and DER. The -content option allows the content to be

--- a/apps/req.c
+++ b/apps/req.c
@@ -547,6 +547,11 @@ bad:
 			BIO_printf(bio_err,"unable to load Private key\n");
 			goto end;
 			}
+                if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
+			{
+			char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
+			app_RAND_load_file(randfile, bio_err, 0);
+                	}
 		}

 	if (newreq && (pkey == NULL))

--- a/apps/smime.c
+++ b/apps/smime.c
@@ -277,8 +277,11 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-signer file   signer certificate file\n");
 		BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
 		BIO_printf (bio_err, "-in file       input file\n");
+		BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
 		BIO_printf (bio_err, "-out file      output file\n");
+		BIO_printf (bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
+		BIO_printf (bio_err, "-content file  supply or override content for detached signature\n");
 		BIO_printf (bio_err, "-to addr       to address\n");
 		BIO_printf (bio_err, "-from ad       from address\n");
 		BIO_printf (bio_err, "-subject s     subject\n");

--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -22,8 +22,11 @@ B<openssl> B<smime>
 [B<-signer file>]
 [B<-recip  file>]
 [B<-in file>]
+[B<-inform SMIME|PEM|DER>]
 [B<-inkey file>]
 [B<-out file>]
+[B<-outform SMIME|PEM|DER>]
+[B<-content file>]
 [B<-to addr>]
 [B<-from ad>]
 [B<-subject s>]
@@ -74,11 +77,37 @@ takes an input message and writes out a PEM encoded PKCS#7 structure.
 the input message to be encrypted or signed or the MIME message to
 be decrypted or verified.

+=item B<-inform SMIME|PEM|DER>
+
+this specifies the input format for the PKCS#7 structure. The default
+is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
+format change this to expect PEM and DER format PKCS#7 structures
+instead. This currently only affects the input format of the PKCS#7
+structure, if no PKCS#7 structure is being input (for example with
+B<-encrypt> or B<-sign>) this option has no effect.
+
 =item B<-out filename>

 the message text that has been decrypted or verified or the output MIME
 format message that has been signed or verified.

+=item B<-outform SMIME|PEM|DER>
+
+this specifies the output format for the PKCS#7 structure. The default
+is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
+format change this to write PEM and DER format PKCS#7 structures
+instead. This currently only affects the output format of the PKCS#7
+structure, if no PKCS#7 structure is being output (for example with
+B<-verify> or B<-decrypt>) this option has no effect.
+
+=item B<-content filename>
+
+This specifies a file containing the detached content, this is only
+useful with the B<-verify> command. This is only usable if the PKCS#7
+structure is using the detached signature form where the content is
+not included. This option will override any content if the input format
+is S/MIME and it uses the multipart/signed MIME content type.
+
 =item B<-text>

 this option adds plain text (text/plain) MIME headers to the supplied
@@ -204,7 +233,7 @@ a blank line. Piping the mail directly to sendmail is one way to
 achieve the correct format.

 The supplied message to be signed or encrypted must include the
-necessary MIME headers: or many S/MIME clients wont display it
+necessary MIME headers or many S/MIME clients wont display it
 properly (if at all). You can use the B<-text> option to automatically
 add plain text headers.

@@ -301,6 +330,22 @@ Decrypt mail:

 openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem

+The output from Netscape form signing is a PKCS#7 structure with the
+detached signature format. You can use this program to verify the
+signature by line wrapping the base64 encoded structure and surrounding
+it with:
+
+ -----BEGIN PKCS7----
+ -----END PKCS7----
+
+and using the command, 
+
+ openssl smime -verify -inform PEM -in signature.pem -content content.txt
+
+alternatively you can base64 decode the signature and use
+
+ openssl smime -verify -inform DER -in signature.der -content content.txt
+
 =head1 BUGS

 The MIME parser isn't very clever: it seems to handle most messages that I've thrown