
Errors in CMS(1) and CMS_encrypt(3) manual pages (master, 1.0.2) #5063

@mspncp

Description


When experimenting with the openssl cms command, I noticed some incorrect or incomplete information in the cms manual pages. I'm not so deep in the subject that I would dare submit a PR; some insider may have to look over the documentation.

ECDSA keys are not mentioned

Most notably, the CMS(1) manual page does not mention the ability to use ECDSA certificates for the recipient (-recip cert.pem), although it has been implemented in 1.0.2 for a while, see Victor's (@vdukhovni) reply on openssl-users in November 2015.

This is not entirely true, in sufficiently recent versions of
OpenSSL, ECDSA keys can be used with CMS to encrypt keys.
https://mta.openssl.org/pipermail/openssl-users/2015-November/002381.html

Even more, CMS_encrypt(3) states explicitly that only RSA keys are supported. This statement is unchanged since 2008 (e33ffac):

e33ffaca12c (Dr. Stephen Henson 2008-04-08 19) =head1 NOTES
e33ffaca12c (Dr. Stephen Henson 2008-04-08 20)
38d3a738081 (Dr. Stephen Henson 2008-04-10 21) Only certificates carrying RSA keys are supported so the recipient certificates
38d3a738081 (Dr. Stephen Henson 2008-04-10 22) supplied to this function must all contain RSA public keys, though they do not
38d3a738081 (Dr. Stephen Henson 2008-04-10 23) have to be signed using the RSA algorithm.

Inconsistent History (1.0.2)

The HISTORY section of CMS(1) in the 1.0.2 manual page mentions that some features were introduced in 1.1.0. This sounds "back to the future" and is obviously incorrect, since the features must have been backported to 1.0.2 before the documentation was cherry-picked in December 2013 (dddb388).

doc/apps/cms.pod

dddb38834ec (Dr. Stephen Henson 2013-06-21 653) The B<keyopt> option was first added in OpenSSL 1.1.0
dddb38834ec (Dr. Stephen Henson 2013-06-21 654)
dddb38834ec (Dr. Stephen Henson 2013-06-21 655) The use of B<-recip> to specify the recipient when encrypting mail was first
dddb38834ec (Dr. Stephen Henson 2013-06-21 656) added to OpenSSL 1.1.0
dddb38834ec (Dr. Stephen Henson 2013-06-21 657)
dddb38834ec (Dr. Stephen Henson 2013-06-21 658) Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
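The following is an added example, not part of the issue or of the OpenSSL project's own code, that exercises the behaviour the report describes: an EC (prime256v1) recipient certificate passed to openssl cms -recip is accepted for encryption and the message decrypts with the matching EC private key. It assumes an openssl binary (1.0.2 or later) on PATH; the key, certificate and message are throwaway values constructed here. The cms_recipient_type helper dumps the CMS structure so a reader can confirm that the RecipientInfo is key agreement (kari, ECDH) rather than RSA key transport (ktri); the exact label it prints depends on the -print formatting of the installed OpenSSL version.

```shell
#!/bin/sh
# Added example (not from the issue): round-trip openssl cms encrypt/decrypt
# with an EC recipient certificate, which the 1.0.2-era manual pages
# said was unsupported. Requires the openssl binary, 1.0.2 or later.

# Create a throwaway prime256v1 key and a self-signed recipient certificate
# in the directory given as $1 (constructed test material, not real keys).
make_ec_recipient() {
    dir="$1"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/recip.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/recip.key" -subj "/CN=cms-ec-recipient" \
        -days 1 -out "$dir/recip.crt" 2>/dev/null
}

# Encrypt $1 for the EC recipient, decrypt it again with the EC private key,
# and print the recovered plaintext. Returns non-zero if any openssl step fails.
cms_ec_roundtrip() {
    msg="$1"
    dir=$(mktemp -d) || return 1
    make_ec_recipient "$dir" || { rm -rf "$dir"; return 1; }
    printf '%s' "$msg" > "$dir/plain.txt"

    # -recip with -encrypt selects the recipient certificate; for an EC key
    # the content-encryption key is wrapped via ECDH key agreement.
    openssl cms -encrypt -aes256 -recip "$dir/recip.crt" \
        -in "$dir/plain.txt" -out "$dir/msg.p7m" || { rm -rf "$dir"; return 1; }

    # Decrypt with the matching EC private key (and the certificate, so the
    # correct RecipientInfo is selected).
    openssl cms -decrypt -inkey "$dir/recip.key" -recip "$dir/recip.crt" \
        -in "$dir/msg.p7m" -out "$dir/dec.txt" || { rm -rf "$dir"; return 1; }

    cat "$dir/dec.txt"
    rm -rf "$dir"
}

# Print which RecipientInfo choice a CMS message ($1, S/MIME format) carries:
# "kari" for key agreement (EC recipient) or "ktri" for key transport (RSA).
cms_recipient_type() {
    openssl cms -cmsout -print -in "$1" 2>/dev/null \
        | grep -oE '\b(kari|ktri)\b' | head -n 1
}
```

Source the script and call cms_ec_roundtrip 'some text' to see the plaintext come back; to inspect an enveloped message you already have, run cms_recipient_type msg.p7m. The round-trip itself is the check that matters: if the installed openssl could not use the EC certificate, the -encrypt step would fail rather than silently fall back to RSA.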
