create a PKCS#7 signedData structure
, EVP_PKEY *pkey
() creates and returns a PKCS#7
signedData structure. signcert is the certificate to sign with, pkey the
corresponding private key, and certs an optional additional set of certificates
to include in the PKCS#7 structure (for example any intermediate CAs in the
chain). The data to be signed is read from the data BIO.
is an optional set of flags.
Any of the following flags (OR'ed together) can be passed in the
Many S/MIME clients expect the signed content to include valid MIME headers. If
flag is set, MIME headers for type text/plain are prepended to the data.
is set, the signer's certificate will not be included in the PKCS7 structure,
though it must still be supplied in the signcert parameter. This can reduce the
size of the signature if the recipient can obtain the signer's certificate by
other means, for example from a previously signed message.
The data being signed is included in the PKCS7
is set, in which case it is omitted. This is used for PKCS7 detached signatures,
for example in S/MIME plaintext signed messages.
Normally the supplied content is translated into MIME canonical format (as
required by the S/MIME specifications). If
is set, no translation occurs. Use this flag whenever the supplied data is
binary: otherwise the translation will corrupt it, and a signature over the
translated content will not verify against the original bytes.
The signedData structure includes several PKCS#7 authenticatedAttributes
including the signing time, the PKCS#7 content type and the supported list of
ciphers in an SMIMECapabilities attribute. If
is set, then no authenticatedAttributes will be used. If
is set, then only the SMIMECapabilities attribute is omitted.
If present, the SMIMECapabilities attribute indicates support for the following
algorithms: triple DES, 128-bit RC2, 64-bit RC2, DES and 40-bit RC2. If any of
these algorithms is disabled then it will not be included.
If the flag
is set, then the
structure is just initialized, ready to perform the signing operation. The
signing is however not performed, and the data to be signed is not read from
the data parameter. Signing is deferred until after the data has been written,
so that the data can be signed in a single pass.
flag is set, a partial
structure is output to which additional signers and capabilities can be added
before finalization.
If the flag
is set, the returned
structure is not complete, and outputting its contents via a function that does
not properly finalize the
structure will give unpredictable results.
Several functions, including
finalize the structure. Alternatively finalization can be performed by
obtaining the streaming ASN.1 BIO
If a signer is specified, it will use the default digest for the signing
algorithm. This is SHA1 for both RSA and DSA keys in the version documented
here; since SHA1 is no longer collision resistant, prefer specifying a stronger
digest explicitly where the API allows it.
In OpenSSL 1.0.0, the certs
parameters can all be
flag is set. One or more signers can be added using the function
() must also be called to finalize the structure if streaming is not enabled.
Alternative signing digests can also be specified using this method.
In OpenSSL 1.0.0, if signcert
, then a certificate-only PKCS#7 structure is output.
In versions of OpenSSL before 1.0.0 the
() returns either a valid
if an error occurred. The error can be
() first appeared in OpenSSL 0.9.5 and has been available since OpenBSD 2.7.
flags were added in OpenSSL
Some advanced attributes such as counter signatures are not supported.