33 SMIME messages may have multiple recipients. For an encrypted message, the body of the message is encrypted using a symmetric cipher, and the key for the symmetric cipher is encrypted using the recipients public key. When multiple recipients are involved, the same symmetric key is used, but the key is encrypted using each recipients public key. For example, if Alice sends the same message to Bob and Charlie, two encrypted copies of the key for the symmetric cipher are included in the message. One copy is encrypted using Bobs public key, and the other is encrypted using Charlies public key. To decrypt a message, the recipients certificate is required to determine which encrypted key to decrypt. The command-line tool provides the smime command, which supports encryption, decryption, signing, and verifying SMIME v2 messages support for SMIME v3 is limited and is not likely to work. Email applications that do not natively support SMIME can often be made to support it by using the command-line tools smime command to process incoming and outgoing messages. The smime command does have some limitations, and it is not recommended in any kind of production environment. However, it provides a good foundation for building a more powerful and fully featured SMIME implementation.

2.5.1 Examples

The following examples illustrate the use of the SMIME commands: openssl smime -encrypt -in mail.txt -des3 -out mail.enc cert.pem Obtains a public key from the X.509 certificate in the file cert.pem and encrypts the contents of the file mail.txt using that key and 3DES. The resulting encrypted SMIME message is written to the file mail.enc. openssl smime -decrypt -in mail.enc -recip cert.pem -inkey key.pem -out mail.txt Obtains the recipients public key from the X.509 certificate in the file cert.pem and decrypts the SMIME message from the file mail.enc using the private key from the file key.pem . The decrypted message is written to the file mail.txt. openssl smime -sign -in mail.txt -signer cert.pem -inkey key.pem -out mail.sgn The signers X.509 certificate is obtained from the file cert.pem, and the contents of the file mail.txt are signed using the private key from the file key.pem. The certificate is included in the SMIME message that is written to the file mail.sgn. openssl smime -verify -in mail.sgn -out mail.txt Verifies the signature on the SMIME message contained in the file mail.sgn and writes the result to the file mail.txt. The signers certificate is expected to be included as part of the SMIME message.

2.6 Passwords and Passphrases

Many commands particularly those that involve a private key require a password or passphrase to complete successfully, usually to decrypt a key that is stored securely on a disk. Normally, the 34 command-line tool will prompt you to enter a password or passphrase when appropriate, even if youre not running the tool in interactive mode. The need for a password or passphrase to be physically entered by someone using the keyboard at the computer when its needed makes using the tool for automated processes difficult, to say the least. Fortunately, theres a solution. Many of the commands accept options that allow you to specify the necessary password or passphrase. Unfortunately, the options are not consistently named, so you need to use the right option with the right command. In general, the options passin and passout are used. No matter what the option is named, it requires a parameter that specifies how the password or passphrase will be obtained. A variety of sources may be specified, some of them not very secure at all. None of them provides the level of security that someone sitting at the computer and typing in the password or passphrase does, but you need to determine for yourself what you consider to be an acceptable risk. stdin This method for reading a password is distinctly different from the default method. The default method reads passwords from the actual terminal device TTY, thus explicitly avoiding input redirection from the command line. The stdin method for providing passwords allows for such input redirection. pass:password This method can be used to supply the password or passphrase directly on the command line itself. If your password or passphrase contains spaces, you typically need to enclose the whole of the parameter in quotes, but the precise method of handling such a situation may differ on the platform that youre using. We strongly recommend that you do not use this method, for two reasons. First, if youre using batch mode, the command line for a process is readily accessible to any other process that is running on the system. In fact, on such systems there are commands specifically designed for this purpose, such as the ps command on Unix systems. Second, if youre using this as part of a script, it usually means the password or passphrase will be contained in your script, which also means that the password or passphrase can be easily compromised. env:variable This method obtains the password or passphrase from an environment variable. We recommend against using this method, although not as strongly as we do against specifying the password or passphrase directly on the command line. This method is slightly more secure, but a processs environment is still available to other processes on some operating systems under the right circumstances. file:filename This method obtains the password or passphrase by reading it from the named file. The file containing the password or passphrase should be well protected, denying read access to any user on the system other than the owner of the file. Additionally, on Unix systems steps should be taken to ensure that each directory that parents the file does not allow access to a user other than the owner. fd:number 35 This method obtains the password or passphrase by reading it from the specified file descriptor. This method is really useful only when the tool is launched from another process and not directly from the command line because the tools process must have inherited the file descriptor from its parent in order for it to gain access.

2.7 Seeding the Pseudorandom Number Generator