apps/cms: Clean up order of options in help output and documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15126)
2021-04-03 19:42:39 +02:00 · 2021-04-03 19:42:39 +02:00 · 340cf8759f
parent 56c4f6fe72
commit 340cf8759f
2 changed files with 547 additions and 429 deletions
--- a/apps/cms.c
+++ b/apps/cms.c
@ -30,25 +30,25 @@ static CMS_ReceiptRequest
 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
                              STACK_OF(OPENSSL_STRING) *param);
-#define SMIME_OP        0x10
+#define SMIME_OP                0x100
-#define SMIME_IP        0x20
+#define SMIME_IP                0x200
-#define SMIME_SIGNERS   0x40
+#define SMIME_SIGNERS           0x400
 #define SMIME_ENCRYPT           (1 | SMIME_OP)
 #define SMIME_DECRYPT           (2 | SMIME_IP)
 #define SMIME_SIGN              (3 | SMIME_OP | SMIME_SIGNERS)
 #define SMIME_VERIFY            (4 | SMIME_IP)
-#define SMIME_CMSOUT            (5 | SMIME_IP | SMIME_OP)
+#define SMIME_RESIGN            (5 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
-#define SMIME_RESIGN            (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
+#define SMIME_SIGN_RECEIPT      (6 | SMIME_IP | SMIME_OP)
-#define SMIME_DATAOUT           (7 | SMIME_IP)
+#define SMIME_VERIFY_RECEIPT    (7 | SMIME_IP)
-#define SMIME_DATA_CREATE       (8 | SMIME_OP)
+#define SMIME_DIGEST_CREATE     (8 | SMIME_OP)
 #define SMIME_DIGEST_VERIFY     (9 | SMIME_IP)
-#define SMIME_DIGEST_CREATE     (10 | SMIME_OP)
+#define SMIME_COMPRESS          (10 | SMIME_OP)
 #define SMIME_UNCOMPRESS        (11 | SMIME_IP)
-#define SMIME_COMPRESS          (12 | SMIME_OP)
+#define SMIME_ENCRYPTED_ENCRYPT (12 | SMIME_OP)
 #define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
-#define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
+#define SMIME_DATA_CREATE       (14 | SMIME_OP)
-#define SMIME_SIGN_RECEIPT      (15 | SMIME_IP | SMIME_OP)
+#define SMIME_DATA_OUT          (15 | SMIME_IP)
-#define SMIME_VERIFY_RECEIPT    (16 | SMIME_IP)
+#define SMIME_CMSOUT            (16 | SMIME_IP | SMIME_OP)
 static int verify_err = 0;
@ -89,141 +89,152 @@ typedef enum OPTION_choice {
 const OPTIONS cms_options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    OPT_SECTION("General"),
-    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    OPT_CONFIG_OPTION,
    OPT_SECTION("Operation"),
    {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
    {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
    {"sign", OPT_SIGN, '-', "Sign message"},
    {"verify", OPT_VERIFY, '-', "Verify signed message"},
    {"resign", OPT_RESIGN, '-', "Resign a signed message"},
    {"sign_receipt", OPT_SIGN_RECEIPT, '-',
     "Generate a signed receipt for a message"},
    {"verify_receipt", OPT_VERIFY_RECEIPT, '<',
     "Verify receipts; exit if receipt signatures do not verify"},
    {"digest_create", OPT_DIGEST_CREATE, '-',
     "Create a CMS \"DigestedData\" object"},
    {"digest_verify", OPT_DIGEST_VERIFY, '-',
     "Verify a CMS \"DigestedData\" object and output it"},
    {"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"},
    {"uncompress", OPT_UNCOMPRESS, '-',
     "Uncompress a CMS \"CompressedData\" object"},
    {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
     "Create CMS \"EncryptedData\" object using symmetric key"},
    {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
     "Decrypt CMS \"EncryptedData\" object using symmetric key"},
    {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
    {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
    {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
    OPT_SECTION("File format"),
    {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
    {"outform", OPT_OUTFORM, 'c',
     "Output format SMIME (default), PEM or DER"},
-    {"in", OPT_IN, '<', "Input file"},
+    {"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
    {"out", OPT_OUT, '>', "Output file"},
    {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
        "Disable MMA protection and return an error if no recipient found"
        " (see documentation)"},
    {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
    {"indef", OPT_INDEF, '-', "Same as -stream"},
    {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
-    {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
+    {"binary", OPT_BINARY, '-',
     "Treat input as binary: do not translate to canonical form"},
    {"crlfeol", OPT_CRLFEOL, '-',
     "Use CRLF as EOL termination instead of CR only" },
    {"asciicrlf", OPT_ASCIICRLF, '-',
     "Perform CRLF canonicalisation when signing"},
    OPT_SECTION("Keys and passwords"),
    {"pwri_password", OPT_PWRI_PASSWORD, 's',
     "Specific password for recipient"},
    {"secretkey", OPT_SECRETKEY, 's',
     "Use specified hex-encoded key to decrypt/encrypt recipients or content"},
    {"secretkeyid", OPT_SECRETKEYID, 's',
     "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
    {"inkey", OPT_INKEY, 's',
     "Input private key (if not signer or recipient)"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
    {"keyform", OPT_KEYFORM, 'f',
     "Input private key format (ENGINE, other values ignored)"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 #endif
    OPT_PROV_OPTIONS,
    OPT_R_OPTIONS,
    OPT_SECTION("Encryption and decryption"),
    {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
    {"recip", OPT_RECIP, '<', "Recipient cert file"},
    {"cert...", OPT_PARAM, '.',
     "Recipient certs (optional; used only when encrypting)"},
    {"", OPT_CIPHER, '-',
     "The encryption algorithm to use (any supported cipher)"},
    {"wrap", OPT_WRAP, 's',
     "Key wrap algorithm to use when encrypting with key agreement"},
    {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
    {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
    {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
    {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
    {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
     "Disable MMA protection, return error if no recipient found (see doc)"},
    OPT_SECTION("Signing"),
    {"md", OPT_MD, 's', "Digest algorithm to use"},
    {"signer", OPT_SIGNER, 's', "Signer certificate input file"},
    {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
    {"cades", OPT_CADES, '-',
     "Include signingCertificate attribute (CAdES-BES)"},
    {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
    {"nocerts", OPT_NOCERTS, '-',
     "Don't include signer's certificate when signing"},
    {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
    {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
    {"receipt_request_all", OPT_RR_ALL, '-',
     "When signing, create a receipt request for all recipients"},
    {"receipt_request_first", OPT_RR_FIRST, '-',
     "When signing, create a receipt request for first recipient"},
    {"receipt_request_from", OPT_RR_FROM, 's',
     "Create signed receipt request with specified email address"},
    {"receipt_request_to", OPT_RR_TO, 's',
     "Create signed receipt targeted to specified address"},
    OPT_SECTION("Verification"),
    {"signer", OPT_DUP, 's', "Signer certificate(s) output file"},
    {"content", OPT_CONTENT, '<',
     "Supply or override content for detached signature"},
    {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
     "Do not verify signed content signatures"},
    {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
     "Do not verify signed attribute signatures"},
    {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
    {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
    {"nointern", OPT_NOINTERN, '-',
     "Don't search certificates in message for signer"},
    {"cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)"},
    {"verify_retcode", OPT_VERIFY_RETCODE, '-',
     "Exit non-zero on verification failure"},
    {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
-    {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
+    {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
-    {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"},
+    {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
    {"no-CAfile", OPT_NOCAFILE, '-',
     "Do not load the default certificates file"},
    {"no-CApath", OPT_NOCAPATH, '-',
     "Do not load certificates from the default certificates directory"},
    {"no-CAstore", OPT_NOCASTORE, '-',
     "Do not load certificates from the default certificates store"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    OPT_CONFIG_OPTION,
-    OPT_SECTION("Action"),
+    OPT_SECTION("Output"),
    {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
    {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
    {"sign", OPT_SIGN, '-', "Sign message"},
    {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"},
    {"resign", OPT_RESIGN, '-', "Resign a signed message"},
    {"cades", OPT_CADES, '-', "Include or check signingCertificate (CAdES-BES)"},
    {"verify", OPT_VERIFY, '-', "Verify signed message"},
    {"verify_retcode", OPT_VERIFY_RETCODE, '-',
        "Exit non-zero on verification failure"},
    {"verify_receipt", OPT_VERIFY_RECEIPT, '<',
        "Verify receipts; exit if receipt signatures do not verify"},
    {"digest_verify", OPT_DIGEST_VERIFY, '-',
        "Verify a CMS \"DigestedData\" object and output it"},
    {"digest_create", OPT_DIGEST_CREATE, '-',
        "Create a CMS \"DigestedData\" object"},
    {"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"},
    {"uncompress", OPT_UNCOMPRESS, '-',
        "Uncompress a CMS \"CompressedData\" object"},
    {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
        "Decrypt CMS \"EncryptedData\" object using symmetric key"},
    {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
        "Create CMS \"EncryptedData\" object using symmetric key"},
    {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
    {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
    {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
    {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
        "Do not verify signed content signatures"},
    {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
        "Do not verify signed attribute signatures"},
    {"nointern", OPT_NOINTERN, '-',
        "Don't search certificates in message for signer"},
    {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
    OPT_SECTION("Formatting"),
    {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
    {"asciicrlf", OPT_ASCIICRLF, '-',
        "Perform CRLF canonicalisation when signing"},
    {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
    {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
    {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
    {"binary", OPT_BINARY, '-', "Treat input as binary: do not translate to canonical form"},
    {"keyid", OPT_KEYID, '-', "Use subject key identifier"},
-    {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
+    {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
-    {"nocerts", OPT_NOCERTS, '-',
+    {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
-     "Don't include signers certificate when signing"},
+    {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
    {"to", OPT_TO, 's', "To address"},
    {"from", OPT_FROM, 's', "From address"},
    {"subject", OPT_SUBJECT, 's', "Subject"},
    OPT_SECTION("Printing"),
    {"noout", OPT_NOOUT, '-',
-        "For the -cmsout operation do not output the parsed CMS structure"},
+     "For the -cmsout operation do not output the parsed CMS structure"},
    {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
    {"receipt_request_all", OPT_RR_ALL, '-',
        "When signing, create a receipt request for all recipients"},
    {"receipt_request_first", OPT_RR_FIRST, '-',
        "When signing, create a receipt request for first recipient"},
    {"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
    {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
    {"content", OPT_CONTENT, '<',
     "Supply or override content for detached signature"},
    {"print", OPT_PRINT, '-',
     "For the -cmsout operation print out all fields of the CMS structure"},
    {"nameopt", OPT_NAMEOPT, 's',
     "For the -print option specifies various strings printing options"},
-    {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
+    {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
    OPT_SECTION("Keying"),
    {"secretkey", OPT_SECRETKEY, 's',
        "Use specified hex-encoded key to decrypt/encrypt recipients or content"},
    {"secretkeyid", OPT_SECRETKEYID, 's',
        "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
    {"pwri_password", OPT_PWRI_PASSWORD, 's',
        "Specific password for recipient"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"inkey", OPT_INKEY, 's',
     "Input private key (if not signer or recipient)"},
    {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
    {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
    OPT_SECTION("Mail header"),
    {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
    {"to", OPT_TO, 's', "To address"},
    {"from", OPT_FROM, 's', "From address"},
    {"subject", OPT_SUBJECT, 's', "Subject"},
    {"signer", OPT_SIGNER, 's', "Signer certificate file"},
    {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
    {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
    {"receipt_request_from", OPT_RR_FROM, 's',
        "Create signed receipt request with specified email address"},
    {"receipt_request_to", OPT_RR_TO, 's',
        "Create signed receipt targeted to specified address"},
    OPT_SECTION("Encryption"),
    {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
    OPT_SECTION("Key-wrapping"),
    {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
    {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
    {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
    {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
    {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"},
    OPT_R_OPTIONS,
    OPT_V_OPTIONS,
    OPT_PROV_OPTIONS,
    OPT_PARAMETERS(),
    {"cert", 0, 0, "Recipient certs (optional; used only when encrypting)"},
    {NULL}
 };
@ -347,6 +358,7 @@ int cms_main(int argc, char **argv)
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENCRYPT:
            operation = SMIME_ENCRYPT;
            break;
@ -356,49 +368,50 @@ int cms_main(int argc, char **argv)
        case OPT_SIGN:
            operation = SMIME_SIGN;
            break;
-        case OPT_SIGN_RECEIPT:
+        case OPT_VERIFY:
-            operation = SMIME_SIGN_RECEIPT;
+            operation = SMIME_VERIFY;
            break;
        case OPT_RESIGN:
            operation = SMIME_RESIGN;
            break;
-        case OPT_VERIFY:
+        case OPT_SIGN_RECEIPT:
-            operation = SMIME_VERIFY;
+            operation = SMIME_SIGN_RECEIPT;
            break;
        case OPT_VERIFY_RETCODE:
            verify_retcode = 1;
            break;
        case OPT_VERIFY_RECEIPT:
            operation = SMIME_VERIFY_RECEIPT;
            rctfile = opt_arg();
            break;
-        case OPT_CMSOUT:
+        case OPT_VERIFY_RETCODE:
-            operation = SMIME_CMSOUT;
+            verify_retcode = 1;
            break;
        case OPT_DATA_OUT:
            operation = SMIME_DATAOUT;
            break;
        case OPT_DATA_CREATE:
            operation = SMIME_DATA_CREATE;
            break;
        case OPT_DIGEST_VERIFY:
            operation = SMIME_DIGEST_VERIFY;
            break;
        case OPT_DIGEST_CREATE:
            operation = SMIME_DIGEST_CREATE;
            break;
        case OPT_DIGEST_VERIFY:
            operation = SMIME_DIGEST_VERIFY;
            break;
        case OPT_COMPRESS:
            operation = SMIME_COMPRESS;
            break;
        case OPT_UNCOMPRESS:
            operation = SMIME_UNCOMPRESS;
            break;
        case OPT_ED_DECRYPT:
            operation = SMIME_ENCRYPTED_DECRYPT;
            break;
        case OPT_ED_ENCRYPT:
            operation = SMIME_ENCRYPTED_ENCRYPT;
            break;
        case OPT_ED_DECRYPT:
            operation = SMIME_ENCRYPTED_DECRYPT;
            break;
        case OPT_DATA_CREATE:
            operation = SMIME_DATA_CREATE;
            break;
        case OPT_DATA_OUT:
            operation = SMIME_DATA_OUT;
            break;
        case OPT_CMSOUT:
            operation = SMIME_CMSOUT;
            break;
        case OPT_DEBUG_DECRYPT:
            flags |= CMS_DEBUG_DECRYPT;
            break;
@ -693,15 +706,15 @@ int cms_main(int argc, char **argv)
            if (conf == NULL)
                goto end;
            break;
-        case OPT_3DES_WRAP:
+        case OPT_WRAP:
            wrapname = opt_unknown();
            break;
        case OPT_AES128_WRAP:
        case OPT_AES192_WRAP:
        case OPT_AES256_WRAP:
        case OPT_3DES_WRAP:
            wrapname = opt_flag() + 1;
            break;
        case OPT_WRAP:
            wrapname = opt_unknown();
            break;
        }
    }
    if (!app_RAND_load())
@ -812,12 +825,12 @@ int cms_main(int argc, char **argv)
    if (operation == SMIME_ENCRYPT) {
        if (!cipher) {
-# ifndef OPENSSL_NO_DES
+#ifndef OPENSSL_NO_DES
            cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
-# else
+#else
            BIO_printf(bio_err, "No cipher selected\n");
            goto end;
-# endif
+#endif
        }
        if (secret_key && !secret_keyid) {
@ -1149,7 +1162,7 @@ int cms_main(int argc, char **argv)
            BIO_printf(bio_err, "Error decrypting CMS structure\n");
            goto end;
        }
-    } else if (operation == SMIME_DATAOUT) {
+    } else if (operation == SMIME_DATA_OUT) {
        if (!CMS_data(cms, out, flags))
            goto end;
    } else if (operation == SMIME_UNCOMPRESS) {
@ -1177,8 +1190,8 @@ int cms_main(int argc, char **argv)
            goto end;
        }
        if (signerfile != NULL) {
-            STACK_OF(X509) *signers;
+            STACK_OF(X509) *signers = CMS_get0_signers(cms);
-            signers = CMS_get0_signers(cms);
+
            if (!save_certs(signerfile, signers)) {
                BIO_printf(bio_err,
                           "Error writing signers to %s\n", signerfile);
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@ -9,96 +9,131 @@ openssl-cms - CMS command
 B<openssl> B<cms>
 [B<-help>]
 General options:
 [B<-in> I<filename>]
 [B<-out> I<filename>]
 {- $OpenSSL::safe::opt_config_synopsis -}
 Operation options:
 [B<-encrypt>]
 [B<-decrypt>]
 [B<-debug_decrypt>]
 [B<-sign>]
 [B<-verify>]
 [B<-verify_retcode>]
 [B<-no_attr_verify>]
 [B<-nosigs>]
 [B<-no_content_verify>]
 [B<-cmsout>]
 [B<-resign>]
-[B<-cades>]
+[B<-sign_receipt>]
-[B<-data_create>]
+[B<-verify_receipt> I<receipt>]
 [B<-data_out>]
 [B<-digest_create>]
 [B<-digest_verify>]
 [B<-compress>]
 [B<-uncompress>]
 [B<-EncryptedData_decrypt>]
 [B<-EncryptedData_encrypt>]
-[B<-sign_receipt>]
+[B<-EncryptedData_decrypt>]
-[B<-verify_receipt> I<receipt>]
+[B<-data_create>]
-[B<-in> I<filename>]
+[B<-data_out>]
-[B<-out> I<filename>]
+[B<-cmsout>]
 File format options:
 [B<-inform> B<DER>|B<PEM>|B<SMIME>]
 [B<-outform> B<DER>|B<PEM>|B<SMIME>]
 [B<-rctform> B<DER>|B<PEM>|B<SMIME>]
 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
 [B<-stream>]
 [B<-indef>]
 [B<-noindef>]
-[B<-content> I<filename>]
+[B<-binary>]
-[B<-text>]
+[B<-crlfeol>]
-[B<-noout>]
+[B<-asciicrlf>]
-[B<-print>]
+
-[B<-nameopt> I<option>]
+Keys and password options:
-[B<-md> I<digest>]
+
 [B<-pwri_password> I<password>]
 [B<-secretkey> I<key>]
 [B<-secretkeyid> I<id>]
 [B<-inkey> I<filename>|I<uri>]
 [B<-passin> I<arg>]
 [B<-keyopt> I<name>:I<parameter>]
 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 Encryption options:
 [B<-originator> I<file>]
 [B<-recip> I<file>]
 [I<recipient-cert> ...]
 [B<-I<cipher>>]
 [B<-wrap> I<cipher>]
 [B<-aes128-wrap>]
 [B<-aes192-wrap>]
 [B<-aes256-wrap>]
 [B<-des3-wrap>]
-[B<-nointern>]
+[B<-debug_decrypt>]
-[B<-noverify>]
+
 Signing options:
 [B<-md> I<digest>]
 [B<-signer> I<file>]
 [B<-certfile> I<file>]
 [B<-cades>]
 [B<-nodetach>]
 [B<-nocerts>]
 [B<-noattr>]
 [B<-nosmimecap>]
 [B<-binary>]
 [B<-crlfeol>]
 [B<-asciicrlf>]
 [B<-nodetach>]
 [B<-certfile> I<file>]
 [B<-certsout> I<file>]
 [B<-signer> I<file>]
 [B<-originator> I<file>]
 [B<-recip> I<file>]
 [B<-keyid>]
 [B<-receipt_request_all>]
 [B<-receipt_request_first>]
 [B<-receipt_request_from> I<emailaddress>]
 [B<-receipt_request_to> I<emailaddress>]
-[B<-receipt_request_print>]
+
-[B<-pwri_password> I<password>]
+Verification options:
-[B<-secretkey> I<key>]
+
-[B<-secretkeyid> I<id>]
+[B<-signer> I<file>]
 [B<-content> I<filename>]
 [B<-no_content_verify>]
 [B<-no_attr_verify>]
 [B<-nosigs>]
 [B<-noverify>]
 [B<-nointern>]
 [B<-cades>]
 [B<-verify_retcode>]
 {- $OpenSSL::safe::opt_trust_synopsis -}
 Output options:
 [B<-keyid>]
 [B<-econtent_type> I<type>]
-[B<-inkey> I<filename>|I<uri>]
+[B<-text>]
-[B<-keyopt> I<name>:I<parameter>]
+[B<-certsout> I<file>]
 [B<-passin> I<arg>]
 [B<-to> I<addr>]
 [B<-from> I<addr>]
 [B<-subject> I<subj>]
 Printing options:
 [B<-noout>]
 [B<-print>]
 [B<-nameopt> I<option>]
 [B<-receipt_request_print>]
 Validation options:
 {- $OpenSSL::safe::opt_v_synopsis -}
 {- $OpenSSL::safe::opt_trust_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
 {- $OpenSSL::safe::opt_config_synopsis -}
 [I<recipient-cert> ...]
 =head1 DESCRIPTION
-This command handles S/MIME v3.1 mail. It can encrypt, decrypt,
+This command handles data in CMS format such as S/MIME v3.1 email messages.
-sign and verify, compress and uncompress S/MIME messages.
+It can encrypt, decrypt, sign, verify, compress, uncompress, and print messages.
 =head1 OPTIONS
-There are fourteen operation options that set the type of operation to be
+There are a number of operation options that set the type of operation to be
-performed. The meaning of the other options varies according to the operation
+performed: encrypt, decrypt, sign, verify, resign, sign_receipt, verify_receipt,
-type.
+digest_create, digest_verify, compress, uncompress,
 EncryptedData_encrypt, EncryptedData_decrypt, data_create, data_out, or cmsout.
 The relevance of the other options depends on the operation type
 and their meaning may vary according to it.
 =over 4
@ -106,10 +141,34 @@ type.
 Print out a usage message.
 =back
 =head2 General options
 =over 4
 =item B<-in> I<filename>
 The input message to be encrypted or signed or the message to be decrypted
 or verified.
 =item B<-out> I<filename>
 The message text that has been decrypted or verified or the output MIME
 format message that has been signed or verified.
 {- $OpenSSL::safe::opt_config_item -}
 =back
 =head2 Operation options
 =over 4
 =item B<-encrypt>
-Encrypt mail for the given recipient certificates. Input file is the message
+Encrypt data for the given recipient certificates. Input file is the message
-to be encrypted. The output file is the encrypted mail in MIME format. The
+to be encrypted. The output file is the encrypted data in MIME format. The
 actual CMS type is B<EnvelopedData>.
 Note that no revocation check is done for the recipient cert, so if that
@ -117,66 +176,36 @@ key has been compromised, others may be able to decrypt the text.
 =item B<-decrypt>
-Decrypt mail using the supplied certificate and private key. Expects an
+Decrypt data using the supplied certificate and private key. Expects
-encrypted mail message in MIME format for the input file. The decrypted mail
+encrypted datain MIME format for the input file. The decrypted data
 is written to the output file.
 =item B<-debug_decrypt>
 This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
 with caution: see the notes section below.
 =item B<-sign>
-Sign mail using the supplied certificate and private key. Input file is
+Sign data using the supplied certificate and private key. Input file is
-the message to be signed. The signed message in MIME format is written
+the message to be signed. The signed data in MIME format is written
 to the output file.
 =item B<-verify>
-Verify signed mail. Expects a signed mail message on input and outputs
+Verify signed data. Expects a signed data on input and outputs
 the signed data. Both clear text and opaque signing is supported.
 =item B<-verify_retcode>
 Exit nonzero on verification failure.
 =item B<-no_attr_verify>
 Do not verify signed attribute signatures.
 =item B<-no_content_verify>
 Do not verify signed content signatures.
 =item B<-nosigs>
 Don't verify message signature.
 =item B<-cmsout>
 Takes an input message and writes out a PEM encoded CMS structure.
 =item B<-resign>
 Resign a message: take an existing message and one or more new signers.
-=item B<-cades>
+=item B<-sign_receipt>
-When used with B<-sign>,
+Generate and output a signed receipt for the supplied message. The input
-add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute
+message B<must> contain a signed receipt request. Functionality is otherwise
-to the SignerInfo, in order to make the signature comply with the requirements
+similar to the B<-sign> operation.
 for a CAdES Basic Electronic Signature (CAdES-BES).
 When used with B<-verify>, require and check signer certificate digest.
 See the NOTES section for more details.
-=item B<-data_create>
+=item B<-verify_receipt> I<receipt>
-Create a CMS B<Data> type.
+Verify a signed receipt in filename B<receipt>. The input message B<must>
-
+contain the original receipt request. Functionality is otherwise similar
-=item B<-data_out>
+to the B<-verify> operation.
 B<Data> type and output the content.
 =item B<-digest_create>
@ -197,37 +226,33 @@ Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be
 compiled with B<zlib> support for this option to work, otherwise it will
 output an error.
 =item B<-EncryptedData_decrypt>
 Decrypt content using supplied symmetric key and algorithm using a CMS
 B<EncryptedData> type and output the content.
 =item B<-EncryptedData_encrypt>
 Encrypt content using supplied symmetric key and algorithm using a CMS
 B<EncryptedData> type and output the content.
-=item B<-sign_receipt>
+=item B<-EncryptedData_decrypt>
-Generate and output a signed receipt for the supplied message. The input
+Decrypt content using supplied symmetric key and algorithm using a CMS
-message B<must> contain a signed receipt request. Functionality is otherwise
+B<EncryptedData> type and output the content.
 similar to the B<-sign> operation.
-=item B<-verify_receipt> I<receipt>
+=item B<-data_create>
-Verify a signed receipt in filename B<receipt>. The input message B<must>
+Create a CMS B<Data> type.
 contain the original receipt request. Functionality is otherwise similar
 to the B<-verify> operation.
-=item B<-in> I<filename>
+=item B<-data_out>
-The input message to be encrypted or signed or the message to be decrypted
+B<Data> type and output the content.
 or verified.
-=item B<-out> I<filename>
+=item B<-cmsout>
-The message text that has been decrypted or verified or the output MIME
+Takes an input message and writes out a PEM encoded CMS structure.
-format message that has been signed or verified.
+
 =back
 =head2 File format options
 =over 4
 =item B<-inform> B<DER>|B<PEM>|B<SMIME>
@ -241,11 +266,6 @@ The output format of the CMS structure (if one is being written);
 the default is B<SMIME>.
 See L<openssl-format-options(1)> for details.
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 The format of the private key file; unspecified by default.
 See L<openssl-format-options(1)> for details.
 =item B<-rctform> B<DER>|B<PEM>|B<SMIME>
 The signed receipt format for use with the B<-receipt_verify>; the default
@ -267,42 +287,111 @@ Disable streaming I/O where it would produce and indefinite length constructed
 encoding. This option currently has no effect. In future streaming will be
 enabled by default on all relevant operations and this option will disable it.
-=item B<-content> I<filename>
+=item B<-binary>
-This specifies a file containing the detached content, this is only
+Normally the input message is converted to "canonical" format which is
-useful with the B<-verify> command. This is only usable if the CMS
+effectively using CR and LF as end of line: as required by the S/MIME
-structure is using the detached signature form where the content is
+specification. When this option is present no translation occurs. This
-not included. This option will override any content if the input format
+is useful when handling binary data which may not be in MIME format.
 is S/MIME and it uses the multipart/signed MIME content type.
-=item B<-text>
+=item B<-crlfeol>
-This option adds plain text (text/plain) MIME headers to the supplied
+Normally the output file uses a single B<LF> as end of line. When this
-message if encrypting or signing. If decrypting or verifying it strips
+option is present B<CRLF> is used instead.
 off text headers: if the decrypted or verified message is not of MIME
 type text/plain then an error occurs.
-=item B<-noout>
+=item B<-asciicrlf>
-For the B<-cmsout> operation do not output the parsed CMS structure. This
+When signing use ASCII CRLF format canonicalisation. This strips trailing
-is useful when combined with the B<-print> option or if the syntax of the CMS
+whitespace from all lines, deletes trailing blank lines at EOF and sets
-structure is being checked.
+the encapsulated content type. This option is normally used with detached
 content and an output signature format of DER. This option is not normally
 needed when verifying as it is enabled automatically if the encapsulated
 content format is detected.
-=item B<-print>
+=back
-For the B<-cmsout> operation print out all fields of the CMS structure. This
+=head2 Keys and password options
 is mainly useful for testing purposes.
-=item B<-nameopt> I<option>
+=over 4
-For the B<-cmsout> operation when B<-print> option is in use, specifies
+=item B<-pwri_password> I<password>
 printing options for string fields. For most cases B<utf8> is reasonable value.
 See L<openssl-namedisplay-options(1)> for details.
-=item B<-md> I<digest>
+Specify password for recipient.
-Digest algorithm to use when signing or resigning. If not present then the
+=item B<-secretkey> I<key>
-default digest algorithm for the signing key will be used (usually SHA1).
+
 Specify symmetric key to use. The key must be supplied in hex format and be
 consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
 B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
 with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
 content encryption key using an AES key in the B<KEKRecipientInfo> type.
 =item B<-secretkeyid> I<id>
 The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
 This option B<must> be present if the B<-secretkey> option is used with
 B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
 relevant key if it is not supplied then an attempt is used to decrypt any
 B<KEKRecipientInfo> structures.
 =item B<-inkey> I<filename>|I<uri>
 The private key to use when signing or decrypting. This must match the
 corresponding certificate. If this option is not specified then the
 private key must be included in the certificate file specified with
 the B<-recip> or B<-signer> file. When signing this option can be used
 multiple times to specify successive keys.
 =item B<-passin> I<arg>
 The private key password source. For more information about the format of B<arg>
 see L<openssl-passphrase-options(1)>.
 =item B<-keyopt> I<name>:I<parameter>
 For signing and encryption this option can be used multiple times to
 set customised parameters for the preceding key or certificate. It can
 currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
 or to modify default parameters for ECDH.
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 The format of the private key file; unspecified by default.
 See L<openssl-format-options(1)> for details.
 {- $OpenSSL::safe::opt_engine_item -}
 {- $OpenSSL::safe::opt_provider_item -}
 {- $OpenSSL::safe::opt_r_item -}
 =back
 =head2 Encryption and decryption options
 =over 4
 =item B<-originator> I<file>
 A certificate of the originator of the encrypted message. Necessary for
 decryption when Key Agreement is in use for a shared key.
 =item B<-recip> I<file>
 When decrypting a message this specifies the certificate of the recipient.
 The certificate must match one of the recipients of the message.
 When encrypting a message this option may be used multiple times to specify
 each recipient. This form B<must> be used if customised parameters are
 required (for example to specify RSA-OAEP).
 Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
 option.
 =item I<recipient-cert> ...
 This is an alternative to using the B<-recip> option when encrypting a message.
 One or more certificate filennames may be given.
 =item B<-I<cipher>>
@ -327,17 +416,49 @@ wrap.
 =item B<-aes128-wrap>, B<-aes192-wrap>, B<-aes256-wrap>, B<-des3-wrap>
 Use AES128, AES192, AES256, or 3DES-EDE, respectively, to wrap key.
 Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported.
-=item B<-nointern>
+=item B<-debug_decrypt>
-When verifying a message normally certificates (if any) included in
+This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
-the message are searched for the signing certificate. With this option
+with caution: see the notes section below.
 only the certificates specified in the B<-certfile> option are used.
 The supplied certificates can still be used as untrusted CAs however.
-=item B<-noverify>
+=back
-Do not verify the signers certificate of a signed message.
+=head2 Signing options
 =over 4
 =item B<-md> I<digest>
 Digest algorithm to use when signing or resigning. If not present then the
 default digest algorithm for the signing key will be used (usually SHA1).
 =item B<-signer> I<file>
 A signing certificate.  When signing or resigning a message, this option can be
 used multiple times if more than one signer is required.
 =item B<-certfile> I<file>
 Allows additional certificates to be specified. When signing these will
 be included with the message. When verifying these will be searched for
 the signers certificates.
 The input can be in PEM, DER, or PKCS#12 format.
 =item B<-cades>
 When used with B<-sign>,
 add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute
 to the SignerInfo, in order to make the signature comply with the requirements
 for a CAdES Basic Electronic Signature (CAdES-BES).
 =item B<-nodetach>
 When signing a message use opaque signing: this form is more resistant
 to translation by mail relays but it cannot be read by mail agents that
 do not support S/MIME.  Without this option cleartext signing with
 the MIME type multipart/signed is used.
 =item B<-nocerts>
@ -357,76 +478,6 @@ option they are not included.
 Exclude the list of supported algorithms from signed attributes, other options
 such as signing time and content type are still included.
 =item B<-binary>
 Normally the input message is converted to "canonical" format which is
 effectively using CR and LF as end of line: as required by the S/MIME
 specification. When this option is present no translation occurs. This
 is useful when handling binary data which may not be in MIME format.
 =item B<-crlfeol>
 Normally the output file uses a single B<LF> as end of line. When this
 option is present B<CRLF> is used instead.
 =item B<-asciicrlf>
 When signing use ASCII CRLF format canonicalisation. This strips trailing
 whitespace from all lines, deletes trailing blank lines at EOF and sets
 the encapsulated content type. This option is normally used with detached
 content and an output signature format of DER. This option is not normally
 needed when verifying as it is enabled automatically if the encapsulated
 content format is detected.
 =item B<-nodetach>
 When signing a message use opaque signing: this form is more resistant
 to translation by mail relays but it cannot be read by mail agents that
 do not support S/MIME.  Without this option cleartext signing with
 the MIME type multipart/signed is used.
 =item B<-certfile> I<file>
 Allows additional certificates to be specified. When signing these will
 be included with the message. When verifying these will be searched for
 the signers certificates.
 The input can be in PEM, DER, or PKCS#12 format.
 =item B<-certsout> I<file>
 Any certificates contained in the message are written to I<file>.
 =item B<-signer> I<file>
 A signing certificate when signing or resigning a message, this option can be
 used multiple times if more than one signer is required. If a message is being
 verified then the signers certificates will be written to this file if the
 verification was successful.
 =item B<-originator> I<file>
 A certificate of the originator of the encrypted message. Necessary for
 decryption when Key Agreement is in use for a shared key.
 =item B<-recip> I<file>
 When decrypting a message this specifies the recipients certificate. The
 certificate must match one of the recipients of the message or an error
 occurs.
 When encrypting a message this option may be used multiple times to specify
 each recipient. This form B<must> be used if customised parameters are
 required (for example to specify RSA-OAEP).
 Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
 option.
 =item B<-keyid>
 Use subject key identifier to identify certificates instead of issuer name and
 serial number. The supplied certificate B<must> include a subject key
 identifier extension. Supported by B<-sign> and B<-encrypt> options.
 =item B<-receipt_request_all>, B<-receipt_request_first>
 For B<-sign> option include a signed receipt request. Indicate requests should
@ -441,32 +492,72 @@ address where receipts should be supplied.
 =item B<-receipt_request_to> I<emailaddress>
 Add an explicit email address where signed receipts should be sent to. This
-option B<must> but supplied if a signed receipt it requested.
+option B<must> but supplied if a signed receipt is requested.
-=item B<-receipt_request_print>
+=back
-For the B<-verify> operation print out the contents of any signed receipt
+=head2 Verification options
 requests.
-=item B<-pwri_password> I<password>
+=over 4
-Specify password for recipient.
+=item B<-signer> I<file>
-=item B<-secretkey> I<key>
+If a message has been verified successfully then the signers certificate(s)
 will be written to this file if the verification was successful.
-Specify symmetric key to use. The key must be supplied in hex format and be
+=item B<-content> I<filename>
 consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
 B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
 with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
 content encryption key using an AES key in the B<KEKRecipientInfo> type.
-=item B<-secretkeyid> I<id>
+This specifies a file containing the detached content, this is only
 useful with the B<-verify> command. This is only usable if the CMS
 structure is using the detached signature form where the content is
 not included. This option will override any content if the input format
 is S/MIME and it uses the multipart/signed MIME content type.
-The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
+=item B<-no_content_verify>
-This option B<must> be present if the B<-secretkey> option is used with
+
-B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
+Do not verify signed content signatures.
-relevant key if it is not supplied then an attempt is used to decrypt any
+
-B<KEKRecipientInfo> structures.
+=item B<-no_attr_verify>
 Do not verify signed attribute signatures.
 =item B<-nosigs>
 Don't verify message signature.
 =item B<-noverify>
 Do not verify the signers certificate of a signed message.
 =item B<-nointern>
 When verifying a message normally certificates (if any) included in
 the message are searched for the signing certificate. With this option
 only the certificates specified in the B<-certfile> option are used.
 The supplied certificates can still be used as untrusted CAs however.
 =item B<-cades>
 When used with B<-verify>, require and check signer certificate digest.
 See the NOTES section for more details.
 =item B<-verify_retcode>
 Exit nonzero on verification failure.
 {- $OpenSSL::safe::opt_trust_item -}
 =back
 =head2 Output options
 =over 4
 =item B<-keyid>
 Use subject key identifier to identify certificates instead of issuer name and
 serial number. The supplied certificate B<must> include a subject key
 identifier extension. Supported by B<-sign> and B<-encrypt> options.
 =item B<-econtent_type> I<type>
@ -474,51 +565,61 @@ Set the encapsulated content type to I<type> if not supplied the B<Data> type
 is used. The I<type> argument can be any valid OID name in either text or
 numerical format.
-=item B<-inkey> I<filename>|I<uri>
+=item B<-text>
-The private key to use when signing or decrypting. This must match the
+This option adds plain text (text/plain) MIME headers to the supplied
-corresponding certificate. If this option is not specified then the
+message if encrypting or signing. If decrypting or verifying it strips
-private key must be included in the certificate file specified with
+off text headers: if the decrypted or verified message is not of MIME
-the B<-recip> or B<-signer> file. When signing this option can be used
+type text/plain then an error occurs.
 multiple times to specify successive keys.
-=item B<-keyopt> I<name>:I<parameter>
+=item B<-certsout> I<file>
-For signing and encryption this option can be used multiple times to
+Any certificates contained in the input message are written to I<file>.
 set customised parameters for the preceding key or certificate. It can
 currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
 or to modify default parameters for ECDH.
 =item B<-passin> I<arg>
 The private key password source. For more information about the format of B<arg>
 see L<openssl-passphrase-options(1)>.
 =item B<-to>, B<-from>, B<-subject>
-The relevant mail headers. These are included outside the signed
+The relevant email headers. These are included outside the signed
 portion of a message so they may be included manually. If signing
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 =back
 =head2 Printing options
 =over 4
 =item B<-noout>
 For the B<-cmsout> operation do not output the parsed CMS structure.
 This is useful if the syntax of the CMS structure is being checked.
 =item B<-print>
 For the B<-cmsout> operation print out all fields of the CMS structure.
 This implies B<-noout>.
 This is mainly useful for testing purposes.
 =item B<-nameopt> I<option>
 For the B<-cmsout> operation when B<-print> option is in use, specifies
 printing options for string fields. For most cases B<utf8> is reasonable value.
 See L<openssl-namedisplay-options(1)> for details.
 =item B<-receipt_request_print>
 For the B<-verify> operation print out the contents of any signed receipt
 requests.
 =back
 =head2 Validation options
 =over 4
 {- $OpenSSL::safe::opt_v_item -}
-Any verification errors cause the command to exit.
+Any validation errors cause the command to exit.
 {- $OpenSSL::safe::opt_trust_item -}
 {- $OpenSSL::safe::opt_r_item -}
 {- $OpenSSL::safe::opt_engine_item -}
 {- $OpenSSL::safe::opt_provider_item -}
 {- $OpenSSL::safe::opt_config_item -}
 =item I<recipient-cert> ...
 One or more certificates of message recipients: used when encrypting
 a message.
 =back
@ -710,7 +811,7 @@ Sign and encrypt mail:
 Note: the encryption command does not include the B<-text> option because the
 message being encrypted already has MIME headers.
-Decrypt mail:
+Decrypt a message:
 openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
@ -738,12 +839,12 @@ Add a signer to an existing message:
 openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg
-Sign mail using RSA-PSS:
+Sign a message using RSA-PSS:
 openssl cms -sign -in message.txt -text -out mail.msg \
        -signer mycert.pem -keyopt rsa_padding_mode:pss
-Create encrypted mail using RSA-OAEP:
+Create an encrypted message using RSA-OAEP:
 openssl cms -encrypt -in plain.txt -out mail.msg \
        -recip cert.pem -keyopt rsa_padding_mode:oaep
@ -753,6 +854,10 @@ Use SHA256 KDF with an ECDH certificate:
 openssl cms -encrypt -in plain.txt -out mail.msg \
        -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
 Print CMS signed binary data in human-readable form:
 openssl cms -in signed.cms -binary -inform DER -cmsout -print
 =head1 BUGS
 The MIME parser isn't very clever: it seems to handle most messages that I've