CMS_sign(3)                         OpenSSL                        CMS_sign(3)



NNAAMMEE
        CMS_sign - create a CMS SignedData structure

SSYYNNOOPPSSIISS
        #include <openssl/cms.h>

        CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, unsigned int flags);

DDEESSCCRRIIPPTTIIOONN
       _C_M_S___s_i_g_n_(_) creates and returns a CMS SignedData structure. ssiiggnncceerrtt is
       the certificate to sign with, ppkkeeyy is the corresponding private key.
       cceerrttss is an optional additional set of certificates to include in the
       CMS structure (for example any intermediate CAs in the chain). Any or
       all of these parameters can be NNUULLLL, see NNOOTTEESS below.

       The data to be signed is read from BIO ddaattaa.

       ffllaaggss is an optional set of flags.

NNOOTTEESS
       Any of the following flags (ored together) can be passed in the ffllaaggss
       parameter.

       Many S/MIME clients expect the signed content to include valid MIME
       headers. If the CCMMSS__TTEEXXTT flag is set MIME headers for type tteexxtt//ppllaaiinn
       are prepended to the data.

       If CCMMSS__NNOOCCEERRTTSS is set the signer's certificate will not be included in
       the CMS_ContentInfo structure, the signer's certificate must still be
       supplied in the ssiiggnncceerrtt parameter though. This can reduce the size of
       the signature if the signers certificate can be obtained by other
       means: for example a previously signed message.

       The data being signed is included in the CMS_ContentInfo structure,
       unless CCMMSS__DDEETTAACCHHEEDD is set in which case it is omitted. This is used
       for CMS_ContentInfo detached signatures which are used in S/MIME plain-
       text signed messages for example.

       Normally the supplied content is translated into MIME canonical format
       (as required by the S/MIME specifications) if CCMMSS__BBIINNAARRYY is set no
       translation occurs. This option should be used if the supplied data is
       in binary format otherwise the translation will corrupt it.

       The SignedData structure includes several CMS signedAttributes includ-
       ing the signing time, the CMS content type and the supported list of
       ciphers in an SMIMECapabilities attribute. If CCMMSS__NNOOAATTTTRR is set then no
       signedAttributes will be used. If CCMMSS__NNOOSSMMIIMMEECCAAPP is set then just the
       SMIMECapabilities are omitted.

       If present the SMIMECapabilities attribute indicates support for the
       following algorithms in preference order: 256 bit AES, Gost R3411-94,
       Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64
       bit RC2, DES and 40 bit RC2.  If any of these algorithms is not avail-
       able then it will not be included: for example the GOST algorithms will
       not be included if the GOST ENGINE is not loaded.

       OpenSSL will by default identify signing certificates using issuer name
       and serial number. If CCMMSS__UUSSEE__KKEEYYIIDD is set it will use the subject key
       identifier value instead. An error occurs if the signing certificate
       does not have a subject key identifier extension.

       If the flags CCMMSS__SSTTRREEAAMM is set then the returned CCMMSS__CCoonntteennttIInnffoo struc-
       ture is just initialized ready to perform the signing operation. The
       signing is however nnoott performed and the data to be signed is not read
       from the ddaattaa parameter. Signing is deferred until after the data has
       been written. In this way data can be signed in a single pass.

       If the CCMMSS__PPAARRTTIIAALL flag is set a partial CCMMSS__CCoonntteennttIInnffoo structure is
       output to which additional signers and capabilities can be added before
       finalization.

       If the flag CCMMSS__SSTTRREEAAMM is set the returned CCMMSS__CCoonntteennttIInnffoo structure is
       nnoott complete and outputting its contents via a function that does not
       properly finalize the CCMMSS__CCoonntteennttIInnffoo structure will give unpredictable
       results.

       Several functions including _S_M_I_M_E___w_r_i_t_e___C_M_S_(_), _i_2_d___C_M_S___b_i_o___s_t_r_e_a_m_(_),
       _P_E_M___w_r_i_t_e___b_i_o___C_M_S___s_t_r_e_a_m_(_) finalize the structure. Alternatively final-
       ization can be performed by obtaining the streaming ASN1 BBIIOO directly
       using _B_I_O___n_e_w___C_M_S_(_).

       If a signer is specified it will use the default digest for the signing
       algorithm. This is SSHHAA11 for both RSA and DSA keys.

       If ssiiggnncceerrtt and ppkkeeyy are NULL then a certificates only CMS structure is
       output.

       The function _C_M_S___s_i_g_n_(_) is a basic CMS signing function whose output
       will be suitable for many purposes. For finer control of the output
       format the cceerrttss, ssiiggnncceerrtt and ppkkeeyy parameters can all be NNUULLLL and the
       CCMMSS__PPAARRTTIIAALL flag set. Then one or more signers can be added using the
       function _C_M_S___s_i_g_n___a_d_d_1___s_i_g_n_e_r_(_), non default digests can be used and
       custom attributes added. _CC_MM_SS____ff_ii_nn_aa_ll_((_)) must then be called to finalize
       the structure if streaming is not enabled.

BBUUGGSS
       Some attributes such as counter signatures are not supported.

RREETTUURRNN VVAALLUUEESS
       _C_M_S___s_i_g_n_(_) returns either a valid CMS_ContentInfo structure or NULL if
       an error occurred. The error can be obtained from _E_R_R___g_e_t___e_r_r_o_r(3).

SSEEEE AALLSSOO
       _E_R_R___g_e_t___e_r_r_o_r(3), _C_M_S___v_e_r_i_f_y(3)

HHIISSTTOORRYY
       _C_M_S___s_i_g_n_(_) was added to OpenSSL 0.9.8

       The CCMMSS__SSTTRREEAAMM flag is only supported for detached data in OpenSSL
       0.9.8, it is supported for embedded data in OpenSSL 1.0.0 and later.



1.0.2u                            2019-12-20                       CMS_sign(3)