add a signer to a CMS SignedData
*cms, X509 *signcert, EVP_PKEY
*pkey, const EVP_MD *md,
unsigned int flags);
adds a signer with certificate signcert and private
key pkey using message digest md
to the signerInfos field of the
SignedData structure cms, which
should have been obtained from an initial call to
CMS_sign(3) with the flag
CMS_PARTIAL set, or
which can be a valid SignedData structure in the case
If md is
default digest for the public key algorithm of pkey is
CMS_REUSE_DIGEST flag is set,
the cms structure remains incomplete and must be
finalized either by streaming (if applicable) or by a call to
The main purpose of
is to provide finer control over a CMS SignedData
structure where the simpler
CMS_sign(3) function defaults are not appropriate, for example if
multiple signers or non default digest algorithms are needed. New attributes
can also be added using the returned CMS_SignerInfo
structure and the CMS attribute utility functions or the CMS signed receipt
Any of the following flags (OR'ed together) can be passed in the flags parameter:
- Attempt to copy the content digest value from one of the existing CMS_SignerInfo structures in cms while adding another signer. An error occurs if a matching digest value cannot be found to copy. The cms structure will be valid and finalized when this flag is set.
- If this flag is set in addition to
CMS_REUSE_DIGEST, the returned CMS_SignerInfo structure will not be finalized so additional attributes can be added. In this case an explicit call to
CMS_SignerInfo_sign() is needed to finalize it.
- Do not add the signer's certificate to the certificates field of cms. The signer's certificate must still be supplied in the signcert parameter though. This flag can reduce the size of the signature if the signer's certificate can be obtained by other means, for example from a previously signed message.
- Leave the signedAttrs field of the returned CMS_SignedData structure empty. By default, several CMS SignedAttributes are added, including the signing time, the CMS content type, and the supported list of ciphers in an SMIMECapabilities attribute.
- Omit just the SMIMECapabilities attribute.
- Use the subject key identifier value to identify signing certificates. An error occurs if the signing certificate does not have a subject key identifier extension. By default, issuer name and serial number are used instead.
If present, the SMIMECapabilities attribute indicates support for the following algorithms in preference order: 256-bit AES, Gost R3411-94, Gost 28147-89, 192-bit AES, 128-bit AES, triple DES, 128-bit RC2, 64-bit RC2, DES and 40-bit RC2. If any of these algorithms is not available then it will not be included.
function explicitly signs si. Its main use is when the
CMS_PARTIAL flags were both set in the call to
CMS_add1_signer() that created
CMS_add1_signer() returns an internal
pointer to the new CMS_SignerInfo structure just added
NULL if an error occurs.
CMS_ContentInfo_new(3), CMS_final(3), CMS_sign(3), ERR_get_error(3)
RFC 5652: Cryptographic Message Syntax, section 5.1: SignedData Type
RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification
- section 2.5: Attributes and the SignerInfo Type
- section 2.5.2: SMIMECapabilities Attribute
CMS_SignerInfo_sign() first appeared in OpenSSL
0.9.8h and have been available since OpenBSD