OPENSSL-CMS(1ssl) OpenSSL OPENSSL-CMS(1ssl) openssl-cms - CMS openssl cms [-help] : [-in _] [-out _] [-config _] : [-encrypt] [-decrypt] [-sign] [-verify] [-resign] [-sign_receipt] [-verify_receipt ] [-digest ] [-digest_create] [-digest_verify] [-compress] [-uncompress] [-EncryptedData_encrypt] [-EncryptedData_decrypt] [-data_create] [-data_out] [-cmsout] : [-inform DER|PEM|SMIME] [-outform DER|PEM|SMIME] [-rctform DER|PEM|SMIME] [-stream] [-indef] [-noindef] [-binary] [-crlfeol] [-asciicrlf] : [-pwri_password _] [-secretkey ] [-secretkeyid ] [-inkey _|uri] [-passin ] [-keyopt :] [-keyform DER|PEM|P12|ENGINE] [-engine ] [-provider ] [-provider-path ] [-provparam [:]=] [-propquery propq] [-rand ] [-writerand ] : [-originator ] [-recip ] [- ...] [-cipher] [-kekcipher ] [-wrap ] [-aes128-wrap] [-aes192-wrap] [-aes256-wrap] [-des3-wrap] [-debug_decrypt] [-recip_kdf kdf] [-recip_ukm ukm] : [-md ] [-signer ] [-certfile ] [-cades] [-nodetach] [-nocerts] [-noattr] [-nosmimecap] [-no_signing_time] [-receipt_request_all] [-receipt_request_first] [-receipt_request_from _] [-receipt_request_to _] : [-signer ] [-content _] [-no_content_verify] [-no_attr_verify] [-nosigs] [-noverify] [-nointern] [-cades] [-verify_retcode] [-CAfile ] [-no-CAfile] [-CApath ] [-no-CApath] [-CAstore uri] [-no-CAstore] : [-keyid] [-econtent_type ] [-text] [-certsout ] [-to ] [-from ] [-subject ] : [-noout] [-print] [-nameopt ] [-receipt_request_print] : [-allow_proxy_certs] [-attime _] [-no_check_time] [-check_ss_sig] [-crl_check] [-crl_check_all] [-explicit_policy] [-extended_crl] [-ignore_critical] [-inhibit_any] [-inhibit_map] [-partial_chain] [-policy ] [-policy_check] [-policy_print] [-purpose ] [-suiteB_128] [-suiteB_128_only] [-suiteB_192] [-trusted_first] [-no_alt_chains] [-use_deltas] [-auth_level ] [-verify_depth ] [-verify_email ] [-verify_hostname _] [-verify_ip ip] [-verify_name ] [-x509_strict] [-issuer_checks] CMS S/MIME v3.1. . : encrypt decrypt sign verify resign sign_receipt verify_receipt digest_create digest_verify compress uncompress EncryptedData_encrypt EncryptedData_decrypt data_create data_out cmsout. . -help . -in filename . -out filename MIME . -config _ "Configuration Option" openssl(1). -encrypt . . MIME. CMS EnvelopedData. . -decrypt . MIME . . -sign . . MIME . -verify . . . S/MIME ("smimesign"). "Certificate Extensions" openssl-verification-options(1). -resign : . -sign_receipt . **** . -sign. -verify_receipt . **** . -verify. -digest -sign . -in -nodetach. CMS openssl-pkeyutl(1). . -digest_create CMS DigestedData. -digest_verify CMS DigestedData . -compress CMS CompressedData. OpenSSL zlib . -uncompress CMS CompressedData . OpenSSL zlib . -EncryptedData_encrypt CMS EncryptedData . -EncryptedData_decrypt CMS EncryptedData . -data_create CMS Data. -data_out . -cmsout CMS PEM. -inform DER|PEM|SMIME CMS ( ) SMIME. openssl-format-options(1) . -outform DER|PEM|SMIME CMS ( ) SMIME. openssl-format-options(1) . -rctform DER|PEM|SMIME -receipt_verify SMIME. openssl-format-options(1) . -stream -indef -stream -indef / . . S/MIME SMIME . -noindef / . . . -binary "" CR LF : S/MIME. . MIME. -crlfeol LF . CRLF . -asciicrlf ASCII CRLF. . DER. . -pwri_password _ . -secretkey . . -EncryptedData_encrypt -EncryptedData_decrypt -encrypt -decrypt. -encrypt -decrypt AES KEKRecipientInfo. -secretkeyid KEKRecipientInfo. -secretkey -encrypt. -decrypt KEKRecipientInfo. -inkey _|_ . . -recip -signer. . -passin . openssl-passphrase-options(1). -keyopt : . RSA-PSS RSA-OAEP ECDH. -keyform DER|PEM|P12|ENGINE . openssl-format-options(1) . -engine id " " openssl(1). . -provider name -provider-path path -provparam [name:]key=value -propquery propq " " openssl(1) provider(7) property(7). -rand files -writerand file " " openssl(1) . -originator . (Key Agreement) . . -recip . . . ( RSA-OAEP). RSA Diffie-Hellman EC. - ... -recip . . - . AES (256 ) - -aes256 DES (168 ) - -des3. ( EVP_get_cipherbyname()) -aes-128-cbc. openssl-enc(1) OpenSSL . AES GCM AEAD . AES-256-CBC . -encrypt -EncryptedData_encrypt. -kekcipher . -pwri_password AEAD. AEAD . -wrap . . -aes128-wrap -aes192-wrap -aes256-wrap -des3-wrap AES128 AES192 AES256 3DES-EDE . OpenSSL -des3-wrap . -debug_decrypt CMS_DEBUG_DECRYPT. : . -recip_kdf KDF KEMRecipientInfo. KDF OSSL_KDF_PARAM_KEY OSSL_KDF_PARAM_INFO (OID) HKDF-SHA256. -recip_ukm (UKM) KEMRecipientInfo . UKM OSSL_KDF_PARAM_INFO KDF KEMRecipientInfo. -md digest . ( SHA-256). -signer . . -certfile . . . PEM DER PKCS#12. -cades -sign ESS signingCertificate ESS signingCertificateV2 SignerInfo CAdES (CAdES-BES). -nodetach : S/MIME. MIME multipart/signed. -nocerts . ( -certfile ). -noattr . . -nosmimecap (). -no_signing_time . -receipt_request_all -receipt_request_first -sign . ( ). -receipt_request_from. -receipt_request_from __ -sign . . -receipt_request_to __ . . -signer ( ) . -content _ S/MIME -verify. CMS . S/MIME MIME multipart/signed. -no_content_verify . -no_attr_verify . -nosigs . -noverify . -nointern ( ) . -certfile . (CAs) . -cades -verify . (NOTES) . -verify_retcode . -CAfile -no-CAfile -CApath -no-CApath -CAstore _ -no-CAstore "Trusted Certificate Options" openssl-verification-options(1) . -keyid (subject key identifier) . . -sign -encrypt. -econtent_type Data. OID . -text MIME (text/plain) . : MIME text/plain . -certsout . -to -from -subject . . S/MIME From:. -noout -cmsout CMS . CMS . -print -cmsout CMS. -noout. . -nameopt -cmsout -print . utf8 . openssl-namedisplay-options(1) . -receipt_request_print -verify . -allow_proxy_certs -attime -no_check_time -check_ss_sig -crl_check -crl_check_all -explicit_policy -extended_crl -ignore_critical -inhibit_any -inhibit_map -no_alt_chains -partial_chain -policy -policy_check -policy_print -purpose -suiteB_128 -suiteB_128_only -suiteB_192 -trusted_first -use_deltas -auth_level -verify_depth -verify_email -verify_hostname -verify_ip -verify_name -x509_strict -issuer_checks . " " openssl-verification-options(1) . . MIME . . sendmail . MIME S/MIME ( ). -text . " " . : . . S/MIME . "" . -encrypt -decrypt S/MIME. CMS : CMS . -resign . . -stream -indef / . BER DER. -encrypt -sign . -sign CMS DER. -decrypt . MMA ( Bleichenbacher PKCS #1 v1.5 RSA) " " . -debug_decrypt MMA : . CMS_decrypt(3)). (CADES-BES) (CAdES-BES) ETSI EN 319 122-1 V1.1.1 : o CMS (RFC 3852) o (Content-type) EncapsulatedContentInfo o (Message-digest) eContent OCTET STRING encapContentInfo o ESS signingCertificate ESS signingCertificateV2 (ESS) RFC 2634 RFC 5035. ESS signingCertificate SHA-1 . ESS signingCertificateV2 . o . -cades -sign -verify. -verify signingCertificate . 0 . 1 . 2 . 3 CMS MIME. 4 . 5 . PKCS#7 openssl-smime(1) PKCS#7 . openssl cms Cryptographic Message Syntax. . . -keyid -sign -encrypt. -outform PEM . -compress. -secretkey -encrypt. PSS -sign. OAEP RSA -encrypt. -EncryptedData_encrypt -data_create openssl-smime(1) . : openssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem openssl cms -sign -in message.txt -text -out mail.msg -nodetach \ -signer mycert.pem : openssl cms -sign -in in.txt -text -out mail.msg \ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem : openssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -signer othercert.pem -keyid sendmail : openssl cms -sign -in in.txt -text -signer mycert.pem \ -from steve@openssl.org -to someone@somewhere \ -subject "Signed message" | sendmail someone@somewhere : openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt triple DES: openssl cms -encrypt -in in.txt -from steve@openssl.org \ -to someone@somewhere -subject "Encrypted message" \ -des3 user.pem -out mail.msg : openssl cms -sign -in ml.txt -signer my.pem -text \ | openssl cms -encrypt -out mail.msg \ -from steve@openssl.org -to someone@somewhere \ -subject "Signed and Encrypted message" -des3 user.pem : -text MIME. : openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem (Netscape) PKCS#7 . base64 : -----BEGIN PKCS7----- -----END PKCS7----- openssl cms -verify -inform PEM -in signature.pem -content content.txt base64 openssl cms -verify -inform DER -in signature.der -content content.txt Camellia 128 : openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem : openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg RSA-PSS: openssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -keyopt rsa_padding_mode:pss RSA-OAEP: openssl cms -encrypt -in plain.txt -out mail.msg \ -recip cert.pem -keyopt rsa_padding_mode:oaep SHA256 KDF ECDH: openssl cms -encrypt -in plain.txt -out mail.msg \ -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256 CMS : openssl cms -in signed.cms -binary -inform DER -cmsout -print MIME : . : . . . SMIMECapabilities . . . . ossl_store-file(7) 3DES AES-256 OpenSSL 3.5. -signer -resign OpenSSL 1.0.0. -keyopt OpenSSL 1.0.2. RSA-OAEP RSA-PSS OpenSSL 1.0.2. RSA -encrypt -decrypt OpenSSL 1.0.2. -no_alt_chains OpenSSL 1.0.2b. -nameopt OpenSSL 3.0.0. -engine OpenSSL 3.0. -digest OpenSSL 3.2. -recip_kdf -recip_ukm OpenSSL 3.6. 2008-2026 OpenSSL. . Apache 2.0 ( ""). . LICENSE . 3 . . : . 3.6.2 7 2026 OPENSSL-CMS(1ssl)