1=pod 2 3=head1 NAME 4 5PKCS7_sign_add_signer - add a signer PKCS7 signed data structure. 6 7=head1 SYNOPSIS 8 9 #include <openssl/pkcs7.h> 10 11 PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, int flags); 12 13 14=head1 DESCRIPTION 15 16PKCS7_sign_add_signer() adds a signer with certificate B<signcert> and private 17key B<pkey> using message digest B<md> to a PKCS7 signed data structure 18B<p7>. 19 20The PKCS7 structure should be obtained from an initial call to PKCS7_sign() 21with the flag B<PKCS7_PARTIAL> set or in the case or re-signing a valid PKCS7 22signed data structure. 23 24If the B<md> parameter is B<NULL> then the default digest for the public 25key algorithm will be used. 26 27Unless the B<PKCS7_REUSE_DIGEST> flag is set the returned PKCS7 structure 28is not complete and must be finalized either by streaming (if applicable) or 29a call to PKCS7_final(). 30 31 32=head1 NOTES 33 34The main purpose of this function is to provide finer control over a PKCS#7 35signed data structure where the simpler PKCS7_sign() function defaults are 36not appropriate. For example if multiple signers or non default digest 37algorithms are needed. 38 39Any of the following flags (ored together) can be passed in the B<flags> 40parameter. 41 42If B<PKCS7_REUSE_DIGEST> is set then an attempt is made to copy the content 43digest value from the PKCS7 struture: to add a signer to an existing structure. 44An error occurs if a matching digest value cannot be found to copy. The 45returned PKCS7 structure will be valid and finalized when this flag is set. 46 47If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the 48B<PKCS7_SIGNER_INO> structure will not be finalized so additional attributes 49can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is 50needed to finalize it. 51 52If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the 53PKCS7 structure, the signer's certificate must still be supplied in the 54B<signcert> parameter though. This can reduce the size of the signature if the 55signers certificate can be obtained by other means: for example a previously 56signed message. 57 58The signedData structure includes several PKCS#7 autenticatedAttributes 59including the signing time, the PKCS#7 content type and the supported list of 60ciphers in an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no 61authenticatedAttributes will be used. If B<PKCS7_NOSMIMECAP> is set then just 62the SMIMECapabilities are omitted. 63 64If present the SMIMECapabilities attribute indicates support for the following 65algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of 66these algorithms is disabled then it will not be included. 67 68 69PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO 70structure just added, this can be used to set additional attributes 71before it is finalized. 72 73=head1 RETURN VALUES 74 75PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO 76structure just added or NULL if an error occurs. 77 78=head1 SEE ALSO 79 80L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>, 81L<PKCS7_final(3)|PKCS7_final(3)>, 82 83=head1 HISTORY 84 85PPKCS7_sign_add_signer() was added to OpenSSL 1.0.0 86 87=cut 88