diff options
Diffstat (limited to 'secure/usr.bin')
70 files changed, 20271 insertions, 0 deletions
diff --git a/secure/usr.bin/Makefile b/secure/usr.bin/Makefile new file mode 100644 index 000000000000..62cdeb3d640b --- /dev/null +++ b/secure/usr.bin/Makefile @@ -0,0 +1,17 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +SUBDIR= +.if ${MK_OPENSSL} != "no" +SUBDIR+=openssl +.if ${MK_OPENSSH} != "no" +SUBDIR+=scp sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan +.endif +.endif + +SUBDIR.${MK_TESTS}+= tests + +SUBDIR_PARALLEL= + +.include <bsd.subdir.mk> diff --git a/secure/usr.bin/Makefile.inc b/secure/usr.bin/Makefile.inc new file mode 100644 index 000000000000..4cec6fe01a45 --- /dev/null +++ b/secure/usr.bin/Makefile.inc @@ -0,0 +1,5 @@ +# $FreeBSD$ + +BINDIR?= /usr/bin + +.include "../Makefile.inc" diff --git a/secure/usr.bin/openssl/Makefile b/secure/usr.bin/openssl/Makefile new file mode 100644 index 000000000000..e71be39bae56 --- /dev/null +++ b/secure/usr.bin/openssl/Makefile @@ -0,0 +1,28 @@ +# $FreeBSD$ + +CONFS= openssl.cnf +CONFSDIR= /etc/ssl +PROG= openssl + +LIBADD= ssl crypto + +.if exists(Makefile.man) +.include "Makefile.man" +.endif +.include "../../lib/libcrypto/Makefile.inc" + +CFLAGS+= -I${LCRYPTO_SRC}/apps +CFLAGS+= -I${OBJTOP}/secure/lib/libcrypto + +SRCS= app_rand.c apps.c asn1pars.c bf_prefix.c ca.c ciphers.c cms.c crl.c +SRCS+= crl2p7.c dgst.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c +SRCS+= engine.c errstr.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c +SRCS+= openssl.c opt.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c +SRCS+= pkeyutl.c prime.c rand.c rehash.c req.c rsa.c rsautl.c s_cb.c +SRCS+= s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c +SRCS+= spkac.c srp.c storeutl.c ts.c verify.c version.c x509.c + +.include <bsd.prog.mk> + +.PATH: ${LCRYPTO_SRC}/apps \ + ${.CURDIR}/man diff --git a/secure/usr.bin/openssl/Makefile.depend b/secure/usr.bin/openssl/Makefile.depend new file mode 100644 index 000000000000..e383274b1a46 --- /dev/null +++ b/secure/usr.bin/openssl/Makefile.depend @@ -0,0 +1,21 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + gnu/lib/csu \ + include \ + include/arpa \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/msun \ + secure/lib/libcrypto \ + secure/lib/libssl \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/secure/usr.bin/openssl/Makefile.man b/secure/usr.bin/openssl/Makefile.man new file mode 100644 index 000000000000..34951d63abb1 --- /dev/null +++ b/secure/usr.bin/openssl/Makefile.man @@ -0,0 +1,97 @@ +# $FreeBSD$ +MAN+= CA.pl.1 +MAN+= asn1parse.1 +MAN+= ca.1 +MAN+= ciphers.1 +MAN+= cms.1 +MAN+= crl.1 +MAN+= crl2pkcs7.1 +MAN+= dgst.1 +MAN+= dhparam.1 +MAN+= dsa.1 +MAN+= dsaparam.1 +MAN+= ec.1 +MAN+= ecparam.1 +MAN+= enc.1 +MAN+= engine.1 +MAN+= errstr.1 +MAN+= gendsa.1 +MAN+= genpkey.1 +MAN+= genrsa.1 +MAN+= list.1 +MAN+= nseq.1 +MAN+= ocsp.1 +MAN+= openssl.1 +MAN+= passwd.1 +MAN+= pkcs12.1 +MAN+= pkcs7.1 +MAN+= pkcs8.1 +MAN+= pkey.1 +MAN+= pkeyparam.1 +MAN+= pkeyutl.1 +MAN+= prime.1 +MAN+= rand.1 +MAN+= req.1 +MAN+= rsa.1 +MAN+= rsautl.1 +MAN+= s_client.1 +MAN+= s_server.1 +MAN+= s_time.1 +MAN+= sess_id.1 +MAN+= smime.1 +MAN+= speed.1 +MAN+= spkac.1 +MAN+= srp.1 +MAN+= storeutl.1 +MAN+= ts.1 +MAN+= tsget.1 +MAN+= verify.1 +MAN+= version.1 +MAN+= x509.1 +MLINKS+= asn1parse.1 openssl-asn1parse.1 +MLINKS+= ca.1 openssl-ca.1 +MLINKS+= ciphers.1 openssl-ciphers.1 +MLINKS+= cms.1 openssl-cms.1 +MLINKS+= crl.1 openssl-crl.1 +MLINKS+= crl2pkcs7.1 openssl-crl2pkcs7.1 +MLINKS+= dgst.1 openssl-dgst.1 +MLINKS+= dhparam.1 openssl-dhparam.1 +MLINKS+= dsa.1 openssl-dsa.1 +MLINKS+= dsaparam.1 openssl-dsaparam.1 +MLINKS+= ec.1 openssl-ec.1 +MLINKS+= ecparam.1 openssl-ecparam.1 +MLINKS+= enc.1 openssl-enc.1 +MLINKS+= engine.1 openssl-engine.1 +MLINKS+= errstr.1 openssl-errstr.1 +MLINKS+= gendsa.1 openssl-gendsa.1 +MLINKS+= genpkey.1 openssl-genpkey.1 +MLINKS+= genrsa.1 openssl-genrsa.1 +MLINKS+= list.1 openssl-list.1 +MLINKS+= nseq.1 openssl-nseq.1 +MLINKS+= ocsp.1 openssl-ocsp.1 +MLINKS+= passwd.1 openssl-passwd.1 +MLINKS+= pkcs12.1 openssl-pkcs12.1 +MLINKS+= pkcs7.1 openssl-pkcs7.1 +MLINKS+= pkcs8.1 openssl-pkcs8.1 +MLINKS+= pkey.1 openssl-pkey.1 +MLINKS+= pkeyparam.1 openssl-pkeyparam.1 +MLINKS+= pkeyutl.1 openssl-pkeyutl.1 +MLINKS+= prime.1 openssl-prime.1 +MLINKS+= rand.1 openssl-rand.1 +MLINKS+= req.1 openssl-req.1 +MLINKS+= rsa.1 openssl-rsa.1 +MLINKS+= rsautl.1 openssl-rsautl.1 +MLINKS+= s_client.1 openssl-s_client.1 +MLINKS+= s_server.1 openssl-s_server.1 +MLINKS+= s_time.1 openssl-s_time.1 +MLINKS+= sess_id.1 openssl-sess_id.1 +MLINKS+= smime.1 openssl-smime.1 +MLINKS+= speed.1 openssl-speed.1 +MLINKS+= spkac.1 openssl-spkac.1 +MLINKS+= srp.1 openssl-srp.1 +MLINKS+= storeutl.1 openssl-storeutl.1 +MLINKS+= ts.1 openssl-ts.1 +MLINKS+= tsget.1 openssl-tsget.1 +MLINKS+= verify.1 openssl-verify.1 +MLINKS+= version.1 openssl-version.1 +MLINKS+= x509.1 openssl-x509.1 diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1 new file mode 100644 index 000000000000..126e63cbaa85 --- /dev/null +++ b/secure/usr.bin/openssl/man/CA.pl.1 @@ -0,0 +1,337 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CA.PL 1" +.TH CA.PL 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +CA.pl \- friendlier interface for OpenSSL certificate programs +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fB\s-1CA\s0.pl\fR +\&\fB\-?\fR | +\&\fB\-h\fR | +\&\fB\-help\fR +.PP +\&\fB\s-1CA\s0.pl\fR +\&\fB\-newcert\fR | +\&\fB\-newreq\fR | +\&\fB\-newreq\-nodes\fR | +\&\fB\-xsign\fR | +\&\fB\-sign\fR | +\&\fB\-signCA\fR | +\&\fB\-signcert\fR | +\&\fB\-crl\fR | +\&\fB\-newca\fR +[\fB\-extra\-cmd\fR extra\-params] +.PP +\&\fB\s-1CA\s0.pl\fR \fB\-pkcs12\fR [\fB\-extra\-pkcs12\fR extra\-params] [\fBcertname\fR] +.PP +\&\fB\s-1CA\s0.pl\fR \fB\-verify\fR [\fB\-extra\-verify\fR extra\-params] \fBcertfile\fR... +.PP +\&\fB\s-1CA\s0.pl\fR \fB\-revoke\fR [\fB\-extra\-ca\fR extra\-params] \fBcertfile\fR [\fBreason\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line +arguments to the \fBopenssl\fR command for some common certificate operations. +It is intended to simplify the process of certificate creation and management +by the use of some simple options. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4 +.IX Item "?, -h, -help" +Prints a usage message. +.IP "\fB\-newcert\fR" 4 +.IX Item "-newcert" +Creates a new self signed certificate. The private key is written to the file +\&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R". +This argument invokes \fBopenssl req\fR command. +.IP "\fB\-newreq\fR" 4 +.IX Item "-newreq" +Creates a new certificate request. The private key is written to the file +\&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R". +Executes \fBopenssl req\fR command below the hood. +.IP "\fB\-newreq\-nodes\fR" 4 +.IX Item "-newreq-nodes" +Is like \fB\-newreq\fR except that the private key will not be encrypted. +Uses \fBopenssl req\fR command. +.IP "\fB\-newca\fR" 4 +.IX Item "-newca" +Creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR +and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0 +certificates (which should also contain the private key) or by hitting \s-1ENTER\s0 +details of the \s-1CA\s0 will be prompted for. The relevant files and directories +are created in a directory called \*(L"demoCA\*(R" in the current directory. +\&\fBopenssl req\fR and \fBopenssl ca\fR commands are get invoked. +.IP "\fB\-pkcs12\fR" 4 +.IX Item "-pkcs12" +Create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0 +certificate. It expects the user certificate and private key to be in the +file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem, +it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the +\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser. +If there is an additional argument on the command line it will be used as the +\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser +list box), otherwise the name \*(L"My Certificate\*(R" is used. +Delegates work to \fBopenssl pkcs12\fR command. +.IP "\fB\-sign\fR, \fB\-signcert\fR, \fB\-xsign\fR" 4 +.IX Item "-sign, -signcert, -xsign" +Calls the \fBca\fR program to sign a certificate request. It expects the request +to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file +\&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written +to standard output. Leverages \fBopenssl ca\fR command. +.IP "\fB\-signCA\fR" 4 +.IX Item "-signCA" +This option is the same as the \fB\-signreq\fR option except it uses the +configuration file section \fBv3_ca\fR and so makes the signed request a +valid \s-1CA\s0 certificate. This is useful when creating intermediate \s-1CA\s0 from +a root \s-1CA.\s0 Extra params are passed on to \fBopenssl ca\fR command. +.IP "\fB\-signcert\fR" 4 +.IX Item "-signcert" +This option is the same as \fB\-sign\fR except it expects a self signed certificate +to be present in the file \*(L"newreq.pem\*(R". +Extra params are passed on to \fBopenssl x509\fR and \fBopenssl ca\fR commands. +.IP "\fB\-crl\fR" 4 +.IX Item "-crl" +Generate a \s-1CRL.\s0 Executes \fBopenssl ca\fR command. +.IP "\fB\-revoke certfile [reason]\fR" 4 +.IX Item "-revoke certfile [reason]" +Revoke the certificate contained in the specified \fBcertfile\fR. An optional +reason may be specified, and must be one of: \fBunspecified\fR, +\&\fBkeyCompromise\fR, \fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, +\&\fBcessationOfOperation\fR, \fBcertificateHold\fR, or \fBremoveFromCRL\fR. +Leverages \fBopenssl ca\fR command. +.IP "\fB\-verify\fR" 4 +.IX Item "-verify" +Verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no +certificates are specified on the command line it tries to verify the file +\&\*(L"newcert.pem\*(R". Invokes \fBopenssl verify\fR command. +.IP "\fB\-extra\-req\fR | \fB\-extra\-ca\fR | \fB\-extra\-pkcs12\fR | \fB\-extra\-x509\fR | \fB\-extra\-verify\fR <extra\-params>" 4 +.IX Item "-extra-req | -extra-ca | -extra-pkcs12 | -extra-x509 | -extra-verify <extra-params>" +The purpose of these parameters is to allow optional parameters to be supplied +to \fBopenssl\fR that this command executes. The \fB\-extra\-cmd\fR are specific to the +option being used and the \fBopenssl\fR command getting invoked. For example +when this command invokes \fBopenssl req\fR extra parameters can be passed on +with the \fB\-extra\-req\fR parameter. The +\&\fBopenssl\fR commands being invoked per option are documented below. +Users should consult \fBopenssl\fR command documentation for more information. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create a \s-1CA\s0 hierarchy: +.PP +.Vb 1 +\& CA.pl \-newca +.Ve +.PP +Complete certificate creation example: create a \s-1CA,\s0 create a request, sign +the request and finally create a PKCS#12 file containing it. +.PP +.Vb 4 +\& CA.pl \-newca +\& CA.pl \-newreq +\& CA.pl \-signreq +\& CA.pl \-pkcs12 "My Test Certificate" +.Ve +.SH "DSA CERTIFICATES" +.IX Header "DSA CERTIFICATES" +Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to +use it with \s-1DSA\s0 certificates and requests using the \fIreq\fR\|(1) command +directly. The following example shows the steps that would typically be taken. +.PP +Create some \s-1DSA\s0 parameters: +.PP +.Vb 1 +\& openssl dsaparam \-out dsap.pem 1024 +.Ve +.PP +Create a \s-1DSA CA\s0 certificate and private key: +.PP +.Vb 1 +\& openssl req \-x509 \-newkey dsa:dsap.pem \-keyout cacert.pem \-out cacert.pem +.Ve +.PP +Create the \s-1CA\s0 directories and files: +.PP +.Vb 1 +\& CA.pl \-newca +.Ve +.PP +enter cacert.pem when prompted for the \s-1CA\s0 file name. +.PP +Create a \s-1DSA\s0 certificate request and private key (a different set of parameters +can optionally be created first): +.PP +.Vb 1 +\& openssl req \-out newreq.pem \-newkey dsa:dsap.pem +.Ve +.PP +Sign the request: +.PP +.Vb 1 +\& CA.pl \-signreq +.Ve +.SH "NOTES" +.IX Header "NOTES" +Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script. +.PP +If the demoCA directory already exists then the \fB\-newca\fR command will not +overwrite it and will do nothing. This can happen if a previous call using +the \fB\-newca\fR option terminated abnormally. To get the correct behaviour +delete the demoCA directory if it already exists. +.PP +Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script +directly (for example Win32) and the default configuration file location may +be wrong. In this case the command: +.PP +.Vb 1 +\& perl \-S CA.pl +.Ve +.PP +can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to +the correct path of the configuration file. +.PP +The script is intended as a simple front end for the \fBopenssl\fR program for use +by a beginner. Its behaviour isn't always what is wanted. For more control over the +behaviour of the certificate commands call the \fBopenssl\fR command directly. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIreq\fR\|(1), \fIpkcs12\fR\|(1), +\&\fIconfig\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1 new file mode 100644 index 000000000000..a9d20be114bf --- /dev/null +++ b/secure/usr.bin/openssl/man/asn1parse.1 @@ -0,0 +1,335 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ASN1PARSE 1" +.TH ASN1PARSE 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-asn1parse, asn1parse \- ASN.1 parsing tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBasn1parse\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-offset number\fR] +[\fB\-length number\fR] +[\fB\-i\fR] +[\fB\-oid filename\fR] +[\fB\-dump\fR] +[\fB\-dlimit num\fR] +[\fB\-strparse offset\fR] +[\fB\-genstr string\fR] +[\fB\-genconf file\fR] +[\fB\-strictpem\fR] +[\fB\-item name\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN.1\s0 +structures. It can also be used to extract data from \s-1ASN.1\s0 formatted data. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform\fR \fBDER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +The input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64 +encoded. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +The input file, default is standard input. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Output file to place the \s-1DER\s0 encoded data into. If this +option is not present then no data will be output. This is most useful when +combined with the \fB\-strparse\fR option. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +Don't output the parsed version of the input file. +.IP "\fB\-offset number\fR" 4 +.IX Item "-offset number" +Starting offset to begin parsing, default is start of file. +.IP "\fB\-length number\fR" 4 +.IX Item "-length number" +Number of bytes to parse, default is until end of file. +.IP "\fB\-i\fR" 4 +.IX Item "-i" +Indents the output according to the \*(L"depth\*(R" of the structures. +.IP "\fB\-oid filename\fR" 4 +.IX Item "-oid filename" +A file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this +file is described in the \s-1NOTES\s0 section below. +.IP "\fB\-dump\fR" 4 +.IX Item "-dump" +Dump unknown data in hex format. +.IP "\fB\-dlimit num\fR" 4 +.IX Item "-dlimit num" +Like \fB\-dump\fR, but only the first \fBnum\fR bytes are output. +.IP "\fB\-strparse offset\fR" 4 +.IX Item "-strparse offset" +Parse the contents octets of the \s-1ASN.1\s0 object starting at \fBoffset\fR. This +option can be used multiple times to \*(L"drill down\*(R" into a nested structure. +.IP "\fB\-genstr string\fR, \fB\-genconf file\fR" 4 +.IX Item "-genstr string, -genconf file" +Generate encoded data based on \fBstring\fR, \fBfile\fR or both using +\&\fIASN1_generate_nconf\fR\|(3) format. If \fBfile\fR only is +present then the string is obtained from the default section using the name +\&\fBasn1\fR. The encoded data is passed through the \s-1ASN1\s0 parser and printed out as +though it came from a file, the contents can thus be examined and written to a +file using the \fBout\fR option. +.IP "\fB\-strictpem\fR" 4 +.IX Item "-strictpem" +If this option is used then \fB\-inform\fR will be ignored. Without this option any +data in a \s-1PEM\s0 format input file will be treated as being base64 encoded and +processed whether it has the normal \s-1PEM BEGIN\s0 and \s-1END\s0 markers or not. This +option will ignore any data prior to the start of the \s-1BEGIN\s0 marker, or after an +\&\s-1END\s0 marker in a \s-1PEM\s0 file. +.IP "\fB\-item name\fR" 4 +.IX Item "-item name" +Attempt to decode and print the data as \fB\s-1ASN1_ITEM\s0 name\fR. This can be used to +print out the fields of any supported \s-1ASN.1\s0 structure if the type is known. +.SS "Output" +.IX Subsection "Output" +The output will typically contain lines like this: +.PP +.Vb 1 +\& 0:d=0 hl=4 l= 681 cons: SEQUENCE +.Ve +.PP +\&..... +.PP +.Vb 10 +\& 229:d=3 hl=3 l= 141 prim: BIT STRING +\& 373:d=2 hl=3 l= 162 cons: cont [ 3 ] +\& 376:d=3 hl=3 l= 159 cons: SEQUENCE +\& 379:d=4 hl=2 l= 29 cons: SEQUENCE +\& 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +\& 386:d=5 hl=2 l= 22 prim: OCTET STRING +\& 410:d=4 hl=2 l= 112 cons: SEQUENCE +\& 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +\& 417:d=5 hl=2 l= 105 prim: OCTET STRING +\& 524:d=4 hl=2 l= 12 cons: SEQUENCE +.Ve +.PP +\&..... +.PP +This example is part of a self-signed certificate. Each line starts with the +offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased +within the scope of any \s-1SET\s0 or \s-1SEQUENCE.\s0 \fBhl=XX\fR gives the header length +(tag and length octets) of the current type. \fBl=XX\fR gives the length of +the contents octets. +.PP +The \fB\-i\fR option can be used to make the output more readable. +.PP +Some knowledge of the \s-1ASN.1\s0 structure is needed to interpret the output. +.PP +In this example the \s-1BIT STRING\s0 at offset 229 is the certificate public key. +The contents octets of this will contain the public key information. This can +be examined using the option \fB\-strparse 229\fR to yield: +.PP +.Vb 3 +\& 0:d=0 hl=3 l= 137 cons: SEQUENCE +\& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 +\& 135:d=1 hl=2 l= 3 prim: INTEGER :010001 +.Ve +.SH "NOTES" +.IX Header "NOTES" +If an \s-1OID\s0 is not part of OpenSSL's internal table it will be represented in +numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option +allows additional OIDs to be included. Each line consists of three columns, +the first column is the \s-1OID\s0 in numerical format and should be followed by white +space. The second column is the \*(L"short name\*(R" which is a single word followed +by white space. The final column is the rest of the line and is the +\&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. Example: +.PP +\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Parse a file: +.PP +.Vb 1 +\& openssl asn1parse \-in file.pem +.Ve +.PP +Parse a \s-1DER\s0 file: +.PP +.Vb 1 +\& openssl asn1parse \-inform DER \-in file.der +.Ve +.PP +Generate a simple UTF8String: +.PP +.Vb 1 +\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq +.Ve +.PP +Generate and write out a UTF8String, don't print parsed output: +.PP +.Vb 1 +\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq \-noout \-out utf8.der +.Ve +.PP +Generate using a config file: +.PP +.Vb 1 +\& openssl asn1parse \-genconf asn1.cnf \-noout \-out asn1.der +.Ve +.PP +Example config file: +.PP +.Vb 1 +\& asn1=SEQUENCE:seq_sect +\& +\& [seq_sect] +\& +\& field1=BOOL:TRUE +\& field2=EXP:0, UTF8:some random string +.Ve +.SH "BUGS" +.IX Header "BUGS" +There should be options to change the format of output lines. The output of some +\&\s-1ASN.1\s0 types is not well handled (if at all). +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIASN1_generate_nconf\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1 new file mode 100644 index 000000000000..c155e2415098 --- /dev/null +++ b/secure/usr.bin/openssl/man/ca.1 @@ -0,0 +1,814 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CA 1" +.TH CA 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-ca, ca \- sample minimal CA application +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBca\fR +[\fB\-help\fR] +[\fB\-verbose\fR] +[\fB\-config filename\fR] +[\fB\-name section\fR] +[\fB\-gencrl\fR] +[\fB\-revoke file\fR] +[\fB\-valid file\fR] +[\fB\-status serial\fR] +[\fB\-updatedb\fR] +[\fB\-crl_reason reason\fR] +[\fB\-crl_hold instruction\fR] +[\fB\-crl_compromise time\fR] +[\fB\-crl_CA_compromise time\fR] +[\fB\-crldays days\fR] +[\fB\-crlhours hours\fR] +[\fB\-crlexts section\fR] +[\fB\-startdate date\fR] +[\fB\-enddate date\fR] +[\fB\-days arg\fR] +[\fB\-md arg\fR] +[\fB\-policy arg\fR] +[\fB\-keyfile arg\fR] +[\fB\-keyform PEM|DER\fR] +[\fB\-key arg\fR] +[\fB\-passin arg\fR] +[\fB\-cert file\fR] +[\fB\-selfsign\fR] +[\fB\-in file\fR] +[\fB\-out file\fR] +[\fB\-notext\fR] +[\fB\-outdir dir\fR] +[\fB\-infiles\fR] +[\fB\-spkac file\fR] +[\fB\-ss_cert file\fR] +[\fB\-preserveDN\fR] +[\fB\-noemailDN\fR] +[\fB\-batch\fR] +[\fB\-msie_hack\fR] +[\fB\-extensions section\fR] +[\fB\-extfile section\fR] +[\fB\-engine id\fR] +[\fB\-subj arg\fR] +[\fB\-utf8\fR] +[\fB\-create_serial\fR] +[\fB\-rand_serial\fR] +[\fB\-multivalue\-rdn\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used +to sign certificate requests in a variety of forms and generate +CRLs it also maintains a text database of issued certificates +and their status. +.PP +The options descriptions will be divided into each purpose. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-verbose\fR" 4 +.IX Item "-verbose" +This prints extra details about the operations being performed. +.IP "\fB\-config filename\fR" 4 +.IX Item "-config filename" +Specifies the configuration file to use. +Optional; for a description of the default value, +see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fIopenssl\fR\|(1). +.IP "\fB\-name section\fR" 4 +.IX Item "-name section" +Specifies the configuration file section to use (overrides +\&\fBdefault_ca\fR in the \fBca\fR section). +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +An input filename containing a single certificate request to be +signed by the \s-1CA.\s0 +.IP "\fB\-ss_cert filename\fR" 4 +.IX Item "-ss_cert filename" +A single self-signed certificate to be signed by the \s-1CA.\s0 +.IP "\fB\-spkac filename\fR" 4 +.IX Item "-spkac filename" +A file containing a single Netscape signed public key and challenge +and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR +section for information on the required input and output format. +.IP "\fB\-infiles\fR" 4 +.IX Item "-infiles" +If present this should be the last option, all subsequent arguments +are taken as the names of files containing certificate requests. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +The output file to output certificates to. The default is standard +output. The certificate details will also be printed out to this +file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format). +.IP "\fB\-outdir directory\fR" 4 +.IX Item "-outdir directory" +The directory to output certificates to. The certificate will be +written to a filename consisting of the serial number in hex with +\&\*(L".pem\*(R" appended. +.IP "\fB\-cert\fR" 4 +.IX Item "-cert" +The \s-1CA\s0 certificate file. +.IP "\fB\-keyfile filename\fR" 4 +.IX Item "-keyfile filename" +The private key to sign requests with. +.IP "\fB\-keyform PEM|DER\fR" 4 +.IX Item "-keyform PEM|DER" +The format of the data in the private key file. +The default is \s-1PEM.\s0 +.IP "\fB\-key password\fR" 4 +.IX Item "-key password" +The password used to encrypt the private key. Since on some +systems the command line arguments are visible (e.g. Unix with +the 'ps' utility) this option should be used with caution. +.IP "\fB\-selfsign\fR" 4 +.IX Item "-selfsign" +Indicates the issued certificates are to be signed with the key +the certificate requests were signed with (given with \fB\-keyfile\fR). +Certificate requests signed with a different key are ignored. If +\&\fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is +ignored. +.Sp +A consequence of using \fB\-selfsign\fR is that the self-signed +certificate appears among the entries in the certificate database +(see the configuration option \fBdatabase\fR), and uses the same +serial number counter as all other certificates sign with the +self-signed certificate. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-notext\fR" 4 +.IX Item "-notext" +Don't output the text form of a certificate to the output file. +.IP "\fB\-startdate date\fR" 4 +.IX Item "-startdate date" +This allows the start date to be explicitly set. The format of the +date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or +\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In +both formats, seconds \s-1SS\s0 and timezone Z must be present. +.IP "\fB\-enddate date\fR" 4 +.IX Item "-enddate date" +This allows the expiry date to be explicitly set. The format of the +date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or +\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In +both formats, seconds \s-1SS\s0 and timezone Z must be present. +.IP "\fB\-days arg\fR" 4 +.IX Item "-days arg" +The number of days to certify the certificate for. +.IP "\fB\-md alg\fR" 4 +.IX Item "-md alg" +The message digest to use. +Any digest supported by the OpenSSL \fBdgst\fR command can be used. For signing +algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message +digest that is set is ignored. This option also applies to CRLs. +.IP "\fB\-policy arg\fR" 4 +.IX Item "-policy arg" +This option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in +the configuration file which decides which fields should be mandatory +or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section +for more information. +.IP "\fB\-msie_hack\fR" 4 +.IX Item "-msie_hack" +This is a deprecated option to make \fBca\fR work with very old versions of +the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings +for almost everything. Since the old control has various security bugs +its use is strongly discouraged. +.IP "\fB\-preserveDN\fR" 4 +.IX Item "-preserveDN" +Normally the \s-1DN\s0 order of a certificate is the same as the order of the +fields in the relevant policy section. When this option is set the order +is the same as the request. This is largely for compatibility with the +older \s-1IE\s0 enrollment control which would only accept certificates if their +DNs match the order of the request. This is not needed for Xenroll. +.IP "\fB\-noemailDN\fR" 4 +.IX Item "-noemailDN" +The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the +request \s-1DN,\s0 however it is good policy just having the e\-mail set into +the altName extension of the certificate. When this option is set the +\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in +the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be +used in the configuration file to enable this behaviour. +.IP "\fB\-batch\fR" 4 +.IX Item "-batch" +This sets the batch mode. In this mode no questions will be asked +and all certificates will be certified automatically. +.IP "\fB\-extensions section\fR" 4 +.IX Item "-extensions section" +The section of the configuration file containing certificate extensions +to be added when a certificate is issued (defaults to \fBx509_extensions\fR +unless the \fB\-extfile\fR option is used). If no extension section is +present then, a V1 certificate is created. If the extension section +is present (even if it is empty), then a V3 certificate is created. See the:w +\&\fIx509v3_config\fR\|(5) manual page for details of the +extension section format. +.IP "\fB\-extfile file\fR" 4 +.IX Item "-extfile file" +An additional configuration file to read certificate extensions from +(using the default section unless the \fB\-extensions\fR option is also +used). +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBca\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-subj arg\fR" 4 +.IX Item "-subj arg" +Supersedes subject name given in the request. +The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR. +Keyword characters may be escaped by \e (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the resulting certificate. +.IP "\fB\-utf8\fR" 4 +.IX Item "-utf8" +This option causes field values to be interpreted as \s-1UTF8\s0 strings, by +default they are interpreted as \s-1ASCII.\s0 This means that the field +values, whether prompted from a terminal or obtained from a +configuration file, must be valid \s-1UTF8\s0 strings. +.IP "\fB\-create_serial\fR" 4 +.IX Item "-create_serial" +If reading serial from the text file as specified in the configuration +fails, specifying this option creates a new random serial to be used as next +serial number. +To get random serial numbers, use the \fB\-rand_serial\fR flag instead; this +should only be used for simple error-recovery. +.IP "\fB\-rand_serial\fR" 4 +.IX Item "-rand_serial" +Generate a large random number to use as the serial number. +This overrides any option or configuration to use a serial number file. +.IP "\fB\-multivalue\-rdn\fR" 4 +.IX Item "-multivalue-rdn" +This option causes the \-subj argument to be interpreted with full +support for multivalued RDNs. Example: +.Sp +\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR +.Sp +If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.SH "CRL OPTIONS" +.IX Header "CRL OPTIONS" +.IP "\fB\-gencrl\fR" 4 +.IX Item "-gencrl" +This option generates a \s-1CRL\s0 based on information in the index file. +.IP "\fB\-crldays num\fR" 4 +.IX Item "-crldays num" +The number of days before the next \s-1CRL\s0 is due. That is the days from +now to place in the \s-1CRL\s0 nextUpdate field. +.IP "\fB\-crlhours num\fR" 4 +.IX Item "-crlhours num" +The number of hours before the next \s-1CRL\s0 is due. +.IP "\fB\-revoke filename\fR" 4 +.IX Item "-revoke filename" +A filename containing a certificate to revoke. +.IP "\fB\-valid filename\fR" 4 +.IX Item "-valid filename" +A filename containing a certificate to add a Valid certificate entry. +.IP "\fB\-status serial\fR" 4 +.IX Item "-status serial" +Displays the revocation status of the certificate with the specified +serial number and exits. +.IP "\fB\-updatedb\fR" 4 +.IX Item "-updatedb" +Updates the database index to purge expired certificates. +.IP "\fB\-crl_reason reason\fR" 4 +.IX Item "-crl_reason reason" +Revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR, +\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR, +\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case +insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2. +.Sp +In practice \fBremoveFromCRL\fR is not particularly useful because it is only used +in delta CRLs which are not currently implemented. +.IP "\fB\-crl_hold instruction\fR" 4 +.IX Item "-crl_hold instruction" +This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold +instruction to \fBinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be +used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0) +\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used. +.IP "\fB\-crl_compromise time\fR" 4 +.IX Item "-crl_compromise time" +This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to +\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR. +.IP "\fB\-crl_CA_compromise time\fR" 4 +.IX Item "-crl_CA_compromise time" +This is the same as \fBcrl_compromise\fR except the revocation reason is set to +\&\fBCACompromise\fR. +.IP "\fB\-crlexts section\fR" 4 +.IX Item "-crlexts section" +The section of the configuration file containing \s-1CRL\s0 extensions to +include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is +created, if the \s-1CRL\s0 extension section is present (even if it is +empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are +\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted +that some software (for example Netscape) can't handle V2 CRLs. See +\&\fIx509v3_config\fR\|(5) manual page for details of the +extension section format. +.SH "CONFIGURATION FILE OPTIONS" +.IX Header "CONFIGURATION FILE OPTIONS" +The section of the configuration file containing options for \fBca\fR +is found as follows: If the \fB\-name\fR command line option is used, +then it names the section to be used. Otherwise the section to +be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section +of the configuration file (or in the default section of the +configuration file). Besides \fBdefault_ca\fR, the following options are +read directly from the \fBca\fR section: + \s-1RANDFILE\s0 + preserve + msie_hack +With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may +change in future releases. +.PP +Many of the configuration file options are identical to command line +options. Where the option is present in the configuration file +and the command line the command line value is used. Where an +option is described as mandatory then it must be present in +the configuration file or the command line equivalent (if +any) used. +.IP "\fBoid_file\fR" 4 +.IX Item "oid_file" +This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR. +Each line of the file should consist of the numerical form of the +object identifier followed by white space then the short name followed +by white space and finally the long name. +.IP "\fBoid_section\fR" 4 +.IX Item "oid_section" +This specifies a section in the configuration file containing extra +object identifiers. Each line should consist of the short name of the +object identifier followed by \fB=\fR and the numerical form. The short +and long names are the same when this option is used. +.IP "\fBnew_certs_dir\fR" 4 +.IX Item "new_certs_dir" +The same as the \fB\-outdir\fR command line option. It specifies +the directory where new certificates will be placed. Mandatory. +.IP "\fBcertificate\fR" 4 +.IX Item "certificate" +The same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0 +certificate. Mandatory. +.IP "\fBprivate_key\fR" 4 +.IX Item "private_key" +Same as the \fB\-keyfile\fR option. The file containing the +\&\s-1CA\s0 private key. Mandatory. +.IP "\fB\s-1RANDFILE\s0\fR" 4 +.IX Item "RANDFILE" +At startup the specified file is loaded into the random number generator, +and at exit 256 bytes will be written to it. +.IP "\fBdefault_days\fR" 4 +.IX Item "default_days" +The same as the \fB\-days\fR option. The number of days to certify +a certificate for. +.IP "\fBdefault_startdate\fR" 4 +.IX Item "default_startdate" +The same as the \fB\-startdate\fR option. The start date to certify +a certificate for. If not set the current time is used. +.IP "\fBdefault_enddate\fR" 4 +.IX Item "default_enddate" +The same as the \fB\-enddate\fR option. Either this option or +\&\fBdefault_days\fR (or the command line equivalents) must be +present. +.IP "\fBdefault_crl_hours default_crl_days\fR" 4 +.IX Item "default_crl_hours default_crl_days" +The same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These +will only be used if neither command line option is present. At +least one of these must be present to generate a \s-1CRL.\s0 +.IP "\fBdefault_md\fR" 4 +.IX Item "default_md" +The same as the \fB\-md\fR option. Mandatory except where the signing algorithm does +not require a digest (i.e. Ed25519 and Ed448). +.IP "\fBdatabase\fR" 4 +.IX Item "database" +The text database file to use. Mandatory. This file must be present +though initially it will be empty. +.IP "\fBunique_subject\fR" 4 +.IX Item "unique_subject" +If the value \fByes\fR is given, the valid certificate entries in the +database must have unique subjects. if the value \fBno\fR is given, +several valid certificate entries may have the exact same subject. +The default value is \fByes\fR, to be compatible with older (pre 0.9.8) +versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier, +it's recommended to use the value \fBno\fR, especially if combined with +the \fB\-selfsign\fR command line option. +.Sp +Note that it is valid in some circumstances for certificates to be created +without any subject. In the case where there are multiple certificates without +subjects this does not count as a duplicate. +.IP "\fBserial\fR" 4 +.IX Item "serial" +A text file containing the next serial number to use in hex. Mandatory. +This file must be present and contain a valid serial number. +.IP "\fBcrlnumber\fR" 4 +.IX Item "crlnumber" +A text file containing the next \s-1CRL\s0 number to use in hex. The crl number +will be inserted in the CRLs only if this file exists. If this file is +present, it must contain a valid \s-1CRL\s0 number. +.IP "\fBx509_extensions\fR" 4 +.IX Item "x509_extensions" +The same as \fB\-extensions\fR. +.IP "\fBcrl_extensions\fR" 4 +.IX Item "crl_extensions" +The same as \fB\-crlexts\fR. +.IP "\fBpreserve\fR" 4 +.IX Item "preserve" +The same as \fB\-preserveDN\fR +.IP "\fBemail_in_dn\fR" 4 +.IX Item "email_in_dn" +The same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed +from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present +the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN.\s0 +.IP "\fBmsie_hack\fR" 4 +.IX Item "msie_hack" +The same as \fB\-msie_hack\fR +.IP "\fBpolicy\fR" 4 +.IX Item "policy" +The same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section +for more information. +.IP "\fBname_opt\fR, \fBcert_opt\fR" 4 +.IX Item "name_opt, cert_opt" +These options allow the format used to display the certificate details +when asking the user to confirm signing. All the options supported by +the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used +here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set +and cannot be disabled (this is because the certificate signature cannot +be displayed because the certificate has not been signed at this point). +.Sp +For convenience the values \fBca_default\fR are accepted by both to produce +a reasonable output. +.Sp +If neither option is present the format used in earlier versions of +OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because +it only displays fields mentioned in the \fBpolicy\fR section, mishandles +multicharacter string types and does not display extensions. +.IP "\fBcopy_extensions\fR" 4 +.IX Item "copy_extensions" +Determines how extensions in certificate requests should be handled. +If set to \fBnone\fR or this option is not present then extensions are +ignored and not copied to the certificate. If set to \fBcopy\fR then any +extensions present in the request that are not already present are copied +to the certificate. If set to \fBcopyall\fR then all extensions in the +request are copied to the certificate: if the extension is already present +in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before +using this option. +.Sp +The main use of this option is to allow a certificate request to supply +values for certain extensions such as subjectAltName. +.SH "POLICY FORMAT" +.IX Header "POLICY FORMAT" +The policy section consists of a set of variables corresponding to +certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value +must match the same field in the \s-1CA\s0 certificate. If the value is +\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then +it may be present. Any fields not mentioned in the policy section +are silently deleted, unless the \fB\-preserveDN\fR option is set but +this can be regarded more of a quirk than intended behaviour. +.SH "SPKAC FORMAT" +.IX Header "SPKAC FORMAT" +The input to the \fB\-spkac\fR command line option is a Netscape +signed public key and challenge. This will usually come from +the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key. +It is however possible to create SPKACs using the \fBspkac\fR utility. +.PP +The file should contain the variable \s-1SPKAC\s0 set to the value of +the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs. +If you need to include the same component twice then it can be +preceded by a number and a '.'. +.PP +When processing \s-1SPKAC\s0 format, the output is \s-1DER\s0 if the \fB\-out\fR +flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR +flag is used. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Note: these examples assume that the \fBca\fR directory structure is +already set up and the relevant files already exist. This usually +involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a +serial number file and an empty index file and placing them in +the relevant directories. +.PP +To use the sample configuration file below the directories demoCA, +demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0 +certificate would be copied to demoCA/cacert.pem and its private +key to demoCA/private/cakey.pem. A file demoCA/serial would be +created containing for example \*(L"01\*(R" and the empty index file +demoCA/index.txt. +.PP +Sign a certificate request: +.PP +.Vb 1 +\& openssl ca \-in req.pem \-out newcert.pem +.Ve +.PP +Sign a certificate request, using \s-1CA\s0 extensions: +.PP +.Vb 1 +\& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem +.Ve +.PP +Generate a \s-1CRL\s0 +.PP +.Vb 1 +\& openssl ca \-gencrl \-out crl.pem +.Ve +.PP +Sign several requests: +.PP +.Vb 1 +\& openssl ca \-infiles req1.pem req2.pem req3.pem +.Ve +.PP +Certify a Netscape \s-1SPKAC:\s0 +.PP +.Vb 1 +\& openssl ca \-spkac spkac.txt +.Ve +.PP +A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity): +.PP +.Vb 5 +\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 +\& CN=Steve Test +\& emailAddress=steve@openssl.org +\& 0.OU=OpenSSL Group +\& 1.OU=Another Group +.Ve +.PP +A sample configuration file with the relevant sections for \fBca\fR: +.PP +.Vb 2 +\& [ ca ] +\& default_ca = CA_default # The default ca section +\& +\& [ CA_default ] +\& +\& dir = ./demoCA # top dir +\& database = $dir/index.txt # index file. +\& new_certs_dir = $dir/newcerts # new certs dir +\& +\& certificate = $dir/cacert.pem # The CA cert +\& serial = $dir/serial # serial no file +\& #rand_serial = yes # for random serial#\*(Aqs +\& private_key = $dir/private/cakey.pem# CA private key +\& RANDFILE = $dir/private/.rand # random number file +\& +\& default_days = 365 # how long to certify for +\& default_crl_days= 30 # how long before next CRL +\& default_md = md5 # md to use +\& +\& policy = policy_any # default policy +\& email_in_dn = no # Don\*(Aqt add the email into cert DN +\& +\& name_opt = ca_default # Subject name display option +\& cert_opt = ca_default # Certificate display option +\& copy_extensions = none # Don\*(Aqt copy extensions from request +\& +\& [ policy_any ] +\& countryName = supplied +\& stateOrProvinceName = optional +\& organizationName = optional +\& organizationalUnitName = optional +\& commonName = supplied +\& emailAddress = optional +.Ve +.SH "FILES" +.IX Header "FILES" +Note: the location of all files can change either by compile time options, +configuration file entries, environment variables or command line options. +The values below reflect the default values. +.PP +.Vb 10 +\& /usr/local/ssl/lib/openssl.cnf \- master configuration file +\& ./demoCA \- main CA directory +\& ./demoCA/cacert.pem \- CA certificate +\& ./demoCA/private/cakey.pem \- CA private key +\& ./demoCA/serial \- CA serial number file +\& ./demoCA/serial.old \- CA serial number backup file +\& ./demoCA/index.txt \- CA text database file +\& ./demoCA/index.txt.old \- CA text database backup file +\& ./demoCA/certs \- certificate output file +\& ./demoCA/.rnd \- CA random seed information +.Ve +.SH "RESTRICTIONS" +.IX Header "RESTRICTIONS" +The text database index file is a critical part of the process and +if corrupted it can be difficult to fix. It is theoretically possible +to rebuild the index file from all the issued certificates and a current +\&\s-1CRL:\s0 however there is no option to do this. +.PP +V2 \s-1CRL\s0 features like delta CRLs are not currently supported. +.PP +Although several requests can be input and handled at once it is only +possible to include one \s-1SPKAC\s0 or self-signed certificate. +.SH "BUGS" +.IX Header "BUGS" +The use of an in-memory text database can cause problems when large +numbers of certificates are present because, as the name implies +the database has to be kept in memory. +.PP +The \fBca\fR command really needs rewriting or the required functionality +exposed at either a command or interface level so a more friendly utility +(perl script or \s-1GUI\s0) can handle things properly. The script +\&\fB\s-1CA\s0.pl\fR helps a little but not very much. +.PP +Any fields in a request that are not present in a policy are silently +deleted. This does not happen if the \fB\-preserveDN\fR option is used. To +enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN,\s0 as suggested by +RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR +option can be used. The behaviour should be more friendly and +configurable. +.PP +Canceling some commands by refusing to certify a certificate can +create an empty file. +.SH "WARNINGS" +.IX Header "WARNINGS" +The \fBca\fR command is quirky and at times downright unfriendly. +.PP +The \fBca\fR utility was originally meant as an example of how to do things +in a \s-1CA.\s0 It was not supposed to be used as a full blown \s-1CA\s0 itself: +nevertheless some people are using it for this purpose. +.PP +The \fBca\fR command is effectively a single user command: no locking is +done on the various files and attempts to run more than one \fBca\fR command +on the same database can have unpredictable results. +.PP +The \fBcopy_extensions\fR option should be used with caution. If care is +not taken then it can be a security risk. For example if a certificate +request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the +\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot +this when the certificate is displayed then this will hand the requester +a valid \s-1CA\s0 certificate. +.PP +This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR +and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file. +Then if the request contains a basicConstraints extension it will be +ignored. +.PP +It is advisable to also include values for other extensions such +as \fBkeyUsage\fR to prevent a request supplying its own values. +.PP +Additional restrictions can be placed on the \s-1CA\s0 certificate itself. +For example if the \s-1CA\s0 certificate has: +.PP +.Vb 1 +\& basicConstraints = CA:TRUE, pathlen:0 +.Ve +.PP +then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid. +.SH "HISTORY" +.IX Header "HISTORY" +Since OpenSSL 1.1.1, the program follows \s-1RFC5280.\s0 Specifically, +certificate validity period (specified by any of \fB\-startdate\fR, +\&\fB\-enddate\fR and \fB\-days\fR) will be encoded as UTCTime if the dates are +earlier than year 2049 (included), and as GeneralizedTime if the dates +are in year 2050 or later. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIreq\fR\|(1), \fIspkac\fR\|(1), \fIx509\fR\|(1), \s-1\fICA\s0.pl\fR\|(1), +\&\fIconfig\fR\|(5), \fIx509v3_config\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1 new file mode 100644 index 000000000000..82d7870c8e31 --- /dev/null +++ b/secure/usr.bin/openssl/man/ciphers.1 @@ -0,0 +1,864 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CIPHERS 1" +.TH CIPHERS 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-ciphers, ciphers \- SSL cipher display and cipher list tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBciphers\fR +[\fB\-help\fR] +[\fB\-s\fR] +[\fB\-v\fR] +[\fB\-V\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-tls1_1\fR] +[\fB\-tls1_2\fR] +[\fB\-tls1_3\fR] +[\fB\-s\fR] +[\fB\-psk\fR] +[\fB\-srp\fR] +[\fB\-stdname\fR] +[\fB\-convert name\fR] +[\fB\-ciphersuites val\fR] +[\fBcipherlist\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBciphers\fR command converts textual OpenSSL cipher lists into ordered +\&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine +the appropriate cipherlist. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print a usage message. +.IP "\fB\-s\fR" 4 +.IX Item "-s" +Only list supported ciphers: those consistent with the security level, and +minimum and maximum protocol version. This is closer to the actual cipher list +an application will support. +.Sp +\&\s-1PSK\s0 and \s-1SRP\s0 ciphers are not enabled by default: they require \fB\-psk\fR or \fB\-srp\fR +to enable them. +.Sp +It also does not change the default list of supported signature algorithms. +.Sp +On a server the list of supported ciphers might also exclude other ciphers +depending on the configured certificates and presence of \s-1DH\s0 parameters. +.Sp +If this option is not used then all ciphers that match the cipherlist will be +listed. +.IP "\fB\-psk\fR" 4 +.IX Item "-psk" +When combined with \fB\-s\fR includes cipher suites which require \s-1PSK.\s0 +.IP "\fB\-srp\fR" 4 +.IX Item "-srp" +When combined with \fB\-s\fR includes cipher suites which require \s-1SRP.\s0 +.IP "\fB\-v\fR" 4 +.IX Item "-v" +Verbose output: For each cipher suite, list details as provided by +\&\fISSL_CIPHER_description\fR\|(3). +.IP "\fB\-V\fR" 4 +.IX Item "-V" +Like \fB\-v\fR, but include the official cipher suite values in hex. +.IP "\fB\-tls1_3\fR, \fB\-tls1_2\fR, \fB\-tls1_1\fR, \fB\-tls1\fR, \fB\-ssl3\fR" 4 +.IX Item "-tls1_3, -tls1_2, -tls1_1, -tls1, -ssl3" +In combination with the \fB\-s\fR option, list the ciphers which could be used if +the specified protocol were negotiated. +Note that not all protocols and flags may be available, depending on how +OpenSSL was built. +.IP "\fB\-stdname\fR" 4 +.IX Item "-stdname" +Precede each cipher suite by its standard name. +.IP "\fB\-convert name\fR" 4 +.IX Item "-convert name" +Convert a standard cipher \fBname\fR to its OpenSSL name. +.IP "\fB\-ciphersuites val\fR" 4 +.IX Item "-ciphersuites val" +Sets the list of TLSv1.3 ciphersuites. This list will be combined with any +TLSv1.2 and below ciphersuites that have been configured. The format for this +list is a simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. By +default this value is: +.Sp +.Vb 1 +\& TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +.Ve +.IP "\fBcipherlist\fR" 4 +.IX Item "cipherlist" +A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher +preference list. This list will be combined with any TLSv1.3 ciphersuites that +have been configured. If it is not included then the default cipher list will be +used. The format is described below. +.SH "CIPHER LIST FORMAT" +.IX Header "CIPHER LIST FORMAT" +The cipher list consists of one or more \fIcipher strings\fR separated by colons. +Commas or spaces are also acceptable separators but colons are normally used. +.PP +The actual cipher string can take several different forms. +.PP +It can consist of a single cipher suite such as \fB\s-1RC4\-SHA\s0\fR. +.PP +It can represent a list of cipher suites containing a certain algorithm, or +cipher suites of a certain type. For example \fB\s-1SHA1\s0\fR represents all ciphers +suites using the digest algorithm \s-1SHA1\s0 and \fBSSLv3\fR represents all \s-1SSL\s0 v3 +algorithms. +.PP +Lists of cipher suites can be combined in a single cipher string using the +\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example +\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0 +algorithms. +.PP +Each cipher string can be optionally preceded by the characters \fB!\fR, +\&\fB\-\fR or \fB+\fR. +.PP +If \fB!\fR is used then the ciphers are permanently deleted from the list. +The ciphers deleted can never reappear in the list even if they are +explicitly stated. +.PP +If \fB\-\fR is used then the ciphers are deleted from the list, but some or +all of the ciphers can be added again by later options. +.PP +If \fB+\fR is used then the ciphers are moved to the end of the list. This +option doesn't add any new ciphers it just moves matching existing ones. +.PP +If none of these characters is present then the string is just interpreted +as a list of ciphers to be appended to the current preference list. If the +list includes any ciphers already present they will be ignored: that is they +will not moved to the end of the list. +.PP +The cipher string \fB\f(CB@STRENGTH\fB\fR can be used at any point to sort the current +cipher list in order of encryption algorithm key length. +.PP +The cipher string \fB\f(CB@SECLEVEL\fB=n\fR can be used at any point to set the security +level to \fBn\fR, which should be a number between zero and five, inclusive. +See SSL_CTX_set_security_level for a description of what each level means. +.PP +The cipher list can be prefixed with the \fB\s-1DEFAULT\s0\fR keyword, which enables +the default cipher list as defined below. Unlike cipher strings, +this prefix may not be combined with other strings using \fB+\fR character. +For example, \fB\s-1DEFAULT+DES\s0\fR is not valid. +.PP +The content of the default list is determined at compile time and normally +corresponds to \fB\s-1ALL:\s0!COMPLEMENTOFDEFAULT:!eNULL\fR. +.SH "CIPHER STRINGS" +.IX Header "CIPHER STRINGS" +The following is a list of all permitted cipher strings and their meanings. +.IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4 +.IX Item "COMPLEMENTOFDEFAULT" +The ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently +this includes all \s-1RC4\s0 and anonymous ciphers. Note that this rule does +not cover \fBeNULL\fR, which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if +necessary). Note that \s-1RC4\s0 based cipher suites are not built into OpenSSL by +default (see the enable-weak-ssl-ciphers option to Configure). +.IP "\fB\s-1ALL\s0\fR" 4 +.IX Item "ALL" +All cipher suites except the \fBeNULL\fR ciphers (which must be explicitly enabled +if needed). +As of OpenSSL 1.0.0, the \fB\s-1ALL\s0\fR cipher suites are sensibly ordered by default. +.IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4 +.IX Item "COMPLEMENTOFALL" +The cipher suites not enabled by \fB\s-1ALL\s0\fR, currently \fBeNULL\fR. +.IP "\fB\s-1HIGH\s0\fR" 4 +.IX Item "HIGH" +\&\*(L"High\*(R" encryption cipher suites. This currently means those with key lengths +larger than 128 bits, and some cipher suites with 128\-bit keys. +.IP "\fB\s-1MEDIUM\s0\fR" 4 +.IX Item "MEDIUM" +\&\*(L"Medium\*(R" encryption cipher suites, currently some of those using 128 bit +encryption. +.IP "\fB\s-1LOW\s0\fR" 4 +.IX Item "LOW" +\&\*(L"Low\*(R" encryption cipher suites, currently those using 64 or 56 bit +encryption algorithms but excluding export cipher suites. All these +cipher suites have been removed as of OpenSSL 1.1.0. +.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4 +.IX Item "eNULL, NULL" +The \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no +encryption at all and are a security risk they are not enabled via either the +\&\fB\s-1DEFAULT\s0\fR or \fB\s-1ALL\s0\fR cipher strings. +Be careful when building cipherlists out of lower-level primitives such as +\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. When in +doubt, include \fB!eNULL\fR in your cipherlist. +.IP "\fBaNULL\fR" 4 +.IX Item "aNULL" +The cipher suites offering no authentication. This is currently the anonymous +\&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable +to \*(L"man in the middle\*(R" attacks and so their use is discouraged. +These are excluded from the \fB\s-1DEFAULT\s0\fR ciphers, but included in the \fB\s-1ALL\s0\fR +ciphers. +Be careful when building cipherlists out of lower-level primitives such as +\&\fBkDHE\fR or \fB\s-1AES\s0\fR as these do overlap with the \fBaNULL\fR ciphers. +When in doubt, include \fB!aNULL\fR in your cipherlist. +.IP "\fBkRSA\fR, \fBaRSA\fR, \fB\s-1RSA\s0\fR" 4 +.IX Item "kRSA, aRSA, RSA" +Cipher suites using \s-1RSA\s0 key exchange or authentication. \fB\s-1RSA\s0\fR is an alias for +\&\fBkRSA\fR. +.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4 +.IX Item "kDHr, kDHd, kDH" +Cipher suites using static \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs +with \s-1RSA\s0 and \s-1DSS\s0 keys or either respectively. +All these cipher suites have been removed in OpenSSL 1.1.0. +.IP "\fBkDHE\fR, \fBkEDH\fR, \fB\s-1DH\s0\fR" 4 +.IX Item "kDHE, kEDH, DH" +Cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher +suites. +.IP "\fB\s-1DHE\s0\fR, \fB\s-1EDH\s0\fR" 4 +.IX Item "DHE, EDH" +Cipher suites using authenticated ephemeral \s-1DH\s0 key agreement. +.IP "\fB\s-1ADH\s0\fR" 4 +.IX Item "ADH" +Anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic +Curve \s-1DH\s0 (\s-1ECDH\s0) cipher suites. +.IP "\fBkEECDH\fR, \fBkECDHE\fR, \fB\s-1ECDH\s0\fR" 4 +.IX Item "kEECDH, kECDHE, ECDH" +Cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous +cipher suites. +.IP "\fB\s-1ECDHE\s0\fR, \fB\s-1EECDH\s0\fR" 4 +.IX Item "ECDHE, EECDH" +Cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement. +.IP "\fB\s-1AECDH\s0\fR" 4 +.IX Item "AECDH" +Anonymous Elliptic Curve Diffie-Hellman cipher suites. +.IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4 +.IX Item "aDSS, DSS" +Cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys. +.IP "\fBaDH\fR" 4 +.IX Item "aDH" +Cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry +\&\s-1DH\s0 keys. +All these cipher suites have been removed in OpenSSL 1.1.0. +.IP "\fBaECDSA\fR, \fB\s-1ECDSA\s0\fR" 4 +.IX Item "aECDSA, ECDSA" +Cipher suites using \s-1ECDSA\s0 authentication, i.e. the certificates carry \s-1ECDSA\s0 +keys. +.IP "\fBTLSv1.2\fR, \fBTLSv1.0\fR, \fBSSLv3\fR" 4 +.IX Item "TLSv1.2, TLSv1.0, SSLv3" +Lists cipher suites which are only supported in at least \s-1TLS\s0 v1.2, \s-1TLS\s0 v1.0 or +\&\s-1SSL\s0 v3.0 respectively. +Note: there are no cipher suites specific to \s-1TLS\s0 v1.1. +Since this is only the minimum version, if, for example, TLSv1.0 is negotiated +then both TLSv1.0 and SSLv3.0 cipher suites are available. +.Sp +Note: these cipher strings \fBdo not\fR change the negotiated version of \s-1SSL\s0 or +\&\s-1TLS,\s0 they only affect the list of available cipher suites. +.IP "\fB\s-1AES128\s0\fR, \fB\s-1AES256\s0\fR, \fB\s-1AES\s0\fR" 4 +.IX Item "AES128, AES256, AES" +cipher suites using 128 bit \s-1AES, 256\s0 bit \s-1AES\s0 or either 128 or 256 bit \s-1AES.\s0 +.IP "\fB\s-1AESGCM\s0\fR" 4 +.IX Item "AESGCM" +\&\s-1AES\s0 in Galois Counter Mode (\s-1GCM\s0): these cipher suites are only supported +in \s-1TLS\s0 v1.2. +.IP "\fB\s-1AESCCM\s0\fR, \fB\s-1AESCCM8\s0\fR" 4 +.IX Item "AESCCM, AESCCM8" +\&\s-1AES\s0 in Cipher Block Chaining \- Message Authentication Mode (\s-1CCM\s0): these +cipher suites are only supported in \s-1TLS\s0 v1.2. \fB\s-1AESCCM\s0\fR references \s-1CCM\s0 +cipher suites using both 16 and 8 octet Integrity Check Value (\s-1ICV\s0) +while \fB\s-1AESCCM8\s0\fR only references 8 octet \s-1ICV.\s0 +.IP "\fB\s-1ARIA128\s0\fR, \fB\s-1ARIA256\s0\fR, \fB\s-1ARIA\s0\fR" 4 +.IX Item "ARIA128, ARIA256, ARIA" +Cipher suites using 128 bit \s-1ARIA, 256\s0 bit \s-1ARIA\s0 or either 128 or 256 bit +\&\s-1ARIA.\s0 +.IP "\fB\s-1CAMELLIA128\s0\fR, \fB\s-1CAMELLIA256\s0\fR, \fB\s-1CAMELLIA\s0\fR" 4 +.IX Item "CAMELLIA128, CAMELLIA256, CAMELLIA" +Cipher suites using 128 bit \s-1CAMELLIA, 256\s0 bit \s-1CAMELLIA\s0 or either 128 or 256 bit +\&\s-1CAMELLIA.\s0 +.IP "\fB\s-1CHACHA20\s0\fR" 4 +.IX Item "CHACHA20" +Cipher suites using ChaCha20. +.IP "\fB3DES\fR" 4 +.IX Item "3DES" +Cipher suites using triple \s-1DES.\s0 +.IP "\fB\s-1DES\s0\fR" 4 +.IX Item "DES" +Cipher suites using \s-1DES\s0 (not triple \s-1DES\s0). +All these cipher suites have been removed in OpenSSL 1.1.0. +.IP "\fB\s-1RC4\s0\fR" 4 +.IX Item "RC4" +Cipher suites using \s-1RC4.\s0 +.IP "\fB\s-1RC2\s0\fR" 4 +.IX Item "RC2" +Cipher suites using \s-1RC2.\s0 +.IP "\fB\s-1IDEA\s0\fR" 4 +.IX Item "IDEA" +Cipher suites using \s-1IDEA.\s0 +.IP "\fB\s-1SEED\s0\fR" 4 +.IX Item "SEED" +Cipher suites using \s-1SEED.\s0 +.IP "\fB\s-1MD5\s0\fR" 4 +.IX Item "MD5" +Cipher suites using \s-1MD5.\s0 +.IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4 +.IX Item "SHA1, SHA" +Cipher suites using \s-1SHA1.\s0 +.IP "\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR" 4 +.IX Item "SHA256, SHA384" +Cipher suites using \s-1SHA256\s0 or \s-1SHA384.\s0 +.IP "\fBaGOST\fR" 4 +.IX Item "aGOST" +Cipher suites using \s-1GOST R 34.10\s0 (either 2001 or 94) for authentication +(needs an engine supporting \s-1GOST\s0 algorithms). +.IP "\fBaGOST01\fR" 4 +.IX Item "aGOST01" +Cipher suites using \s-1GOST R 34.10\-2001\s0 authentication. +.IP "\fBkGOST\fR" 4 +.IX Item "kGOST" +Cipher suites, using \s-1VKO 34.10\s0 key exchange, specified in the \s-1RFC 4357.\s0 +.IP "\fB\s-1GOST94\s0\fR" 4 +.IX Item "GOST94" +Cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0 +.IP "\fB\s-1GOST89MAC\s0\fR" 4 +.IX Item "GOST89MAC" +Cipher suites using \s-1GOST 28147\-89 MAC\s0 \fBinstead of\fR \s-1HMAC.\s0 +.IP "\fB\s-1PSK\s0\fR" 4 +.IX Item "PSK" +All cipher suites using pre-shared keys (\s-1PSK\s0). +.IP "\fBkPSK\fR, \fBkECDHEPSK\fR, \fBkDHEPSK\fR, \fBkRSAPSK\fR" 4 +.IX Item "kPSK, kECDHEPSK, kDHEPSK, kRSAPSK" +Cipher suites using \s-1PSK\s0 key exchange, \s-1ECDHE_PSK, DHE_PSK\s0 or \s-1RSA_PSK.\s0 +.IP "\fBaPSK\fR" 4 +.IX Item "aPSK" +Cipher suites using \s-1PSK\s0 authentication (currently all \s-1PSK\s0 modes apart from +\&\s-1RSA_PSK\s0). +.IP "\fB\s-1SUITEB128\s0\fR, \fB\s-1SUITEB128ONLY\s0\fR, \fB\s-1SUITEB192\s0\fR" 4 +.IX Item "SUITEB128, SUITEB128ONLY, SUITEB192" +Enables suite B mode of operation using 128 (permitting 192 bit mode by peer) +128 bit (not permitting 192 bit by peer) or 192 bit level of security +respectively. +If used these cipherstrings should appear first in the cipher +list and anything after them is ignored. +Setting Suite B mode has additional consequences required to comply with +\&\s-1RFC6460.\s0 +In particular the supported signature algorithms is reduced to support only +\&\s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0 only the elliptic curves P\-256 and P\-384 can be +used and only the two suite B compliant cipher suites +(\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and \s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are +permissible. +.SH "CIPHER SUITE NAMES" +.IX Header "CIPHER SUITE NAMES" +The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the +relevant specification and their OpenSSL equivalents. It should be noted, +that several cipher suite names do not include the authentication used, +e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. +.SS "\s-1SSL\s0 v3.0 cipher suites" +.IX Subsection "SSL v3.0 cipher suites" +.Vb 6 +\& SSL_RSA_WITH_NULL_MD5 NULL\-MD5 +\& SSL_RSA_WITH_NULL_SHA NULL\-SHA +\& SSL_RSA_WITH_RC4_128_MD5 RC4\-MD5 +\& SSL_RSA_WITH_RC4_128_SHA RC4\-SHA +\& SSL_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA +\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA +\& +\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA +\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA +\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA +\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA +\& +\& SSL_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5 +\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA +\& +\& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. +\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. +\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. +.Ve +.SS "\s-1TLS\s0 v1.0 cipher suites" +.IX Subsection "TLS v1.0 cipher suites" +.Vb 6 +\& TLS_RSA_WITH_NULL_MD5 NULL\-MD5 +\& TLS_RSA_WITH_NULL_SHA NULL\-SHA +\& TLS_RSA_WITH_RC4_128_MD5 RC4\-MD5 +\& TLS_RSA_WITH_RC4_128_SHA RC4\-SHA +\& TLS_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA +\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA +\& +\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. +\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. +\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA +\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA +\& +\& TLS_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5 +\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA +.Ve +.SS "\s-1AES\s0 cipher suites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0" +.IX Subsection "AES cipher suites from RFC3268, extending TLS v1.0" +.Vb 2 +\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA +\& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA +\& +\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH\-DSS\-AES128\-SHA +\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH\-DSS\-AES256\-SHA +\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH\-RSA\-AES128\-SHA +\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH\-RSA\-AES256\-SHA +\& +\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA +\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA +\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE\-RSA\-AES128\-SHA +\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE\-RSA\-AES256\-SHA +\& +\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA +\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA +.Ve +.SS "Camellia cipher suites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0" +.IX Subsection "Camellia cipher suites from RFC4132, extending TLS v1.0" +.Vb 2 +\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA +\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA +\& +\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH\-DSS\-CAMELLIA128\-SHA +\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH\-DSS\-CAMELLIA256\-SHA +\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH\-RSA\-CAMELLIA128\-SHA +\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH\-RSA\-CAMELLIA256\-SHA +\& +\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA +\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA +\& TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE\-RSA\-CAMELLIA128\-SHA +\& TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE\-RSA\-CAMELLIA256\-SHA +\& +\& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA +\& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA +.Ve +.SS "\s-1SEED\s0 cipher suites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0" +.IX Subsection "SEED cipher suites from RFC4162, extending TLS v1.0" +.Vb 1 +\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA +\& +\& TLS_DH_DSS_WITH_SEED_CBC_SHA DH\-DSS\-SEED\-SHA +\& TLS_DH_RSA_WITH_SEED_CBC_SHA DH\-RSA\-SEED\-SHA +\& +\& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA +\& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA +\& +\& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA +.Ve +.SS "\s-1GOST\s0 cipher suites from draft-chudov-cryptopro-cptls, extending \s-1TLS\s0 v1.0" +.IX Subsection "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0" +Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic +algorithms, such as the \fBccgost\fR engine, included in the OpenSSL distribution. +.PP +.Vb 4 +\& TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94\-GOST89\-GOST89 +\& TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001\-GOST89\-GOST89 +\& TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94\-NULL\-GOST94 +\& TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001\-NULL\-GOST94 +.Ve +.SS "Additional Export 1024 and other cipher suites" +.IX Subsection "Additional Export 1024 and other cipher suites" +Note: these ciphers can also be used in \s-1SSL\s0 v3. +.PP +.Vb 1 +\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA +.Ve +.SS "Elliptic curve cipher suites." +.IX Subsection "Elliptic curve cipher suites." +.Vb 5 +\& TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE\-RSA\-NULL\-SHA +\& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA +\& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE\-RSA\-DES\-CBC3\-SHA +\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE\-RSA\-AES128\-SHA +\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE\-RSA\-AES256\-SHA +\& +\& TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE\-ECDSA\-NULL\-SHA +\& TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE\-ECDSA\-RC4\-SHA +\& TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE\-ECDSA\-DES\-CBC3\-SHA +\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE\-ECDSA\-AES128\-SHA +\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE\-ECDSA\-AES256\-SHA +\& +\& TLS_ECDH_anon_WITH_NULL_SHA AECDH\-NULL\-SHA +\& TLS_ECDH_anon_WITH_RC4_128_SHA AECDH\-RC4\-SHA +\& TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH\-DES\-CBC3\-SHA +\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH\-AES128\-SHA +\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH\-AES256\-SHA +.Ve +.SS "\s-1TLS\s0 v1.2 cipher suites" +.IX Subsection "TLS v1.2 cipher suites" +.Vb 1 +\& TLS_RSA_WITH_NULL_SHA256 NULL\-SHA256 +\& +\& TLS_RSA_WITH_AES_128_CBC_SHA256 AES128\-SHA256 +\& TLS_RSA_WITH_AES_256_CBC_SHA256 AES256\-SHA256 +\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256 +\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384 +\& +\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH\-RSA\-AES128\-SHA256 +\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH\-RSA\-AES256\-SHA256 +\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH\-RSA\-AES128\-GCM\-SHA256 +\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH\-RSA\-AES256\-GCM\-SHA384 +\& +\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH\-DSS\-AES128\-SHA256 +\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH\-DSS\-AES256\-SHA256 +\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH\-DSS\-AES128\-GCM\-SHA256 +\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH\-DSS\-AES256\-GCM\-SHA384 +\& +\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256 +\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256 +\& TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE\-RSA\-AES128\-GCM\-SHA256 +\& TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE\-RSA\-AES256\-GCM\-SHA384 +\& +\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE\-DSS\-AES128\-SHA256 +\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE\-DSS\-AES256\-SHA256 +\& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE\-DSS\-AES128\-GCM\-SHA256 +\& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE\-DSS\-AES256\-GCM\-SHA384 +\& +\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256 +\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384 +\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256 +\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE\-RSA\-AES256\-GCM\-SHA384 +\& +\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE\-ECDSA\-AES128\-SHA256 +\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE\-ECDSA\-AES256\-SHA384 +\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE\-ECDSA\-AES128\-GCM\-SHA256 +\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE\-ECDSA\-AES256\-GCM\-SHA384 +\& +\& TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH\-AES128\-SHA256 +\& TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH\-AES256\-SHA256 +\& TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH\-AES128\-GCM\-SHA256 +\& TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH\-AES256\-GCM\-SHA384 +\& +\& RSA_WITH_AES_128_CCM AES128\-CCM +\& RSA_WITH_AES_256_CCM AES256\-CCM +\& DHE_RSA_WITH_AES_128_CCM DHE\-RSA\-AES128\-CCM +\& DHE_RSA_WITH_AES_256_CCM DHE\-RSA\-AES256\-CCM +\& RSA_WITH_AES_128_CCM_8 AES128\-CCM8 +\& RSA_WITH_AES_256_CCM_8 AES256\-CCM8 +\& DHE_RSA_WITH_AES_128_CCM_8 DHE\-RSA\-AES128\-CCM8 +\& DHE_RSA_WITH_AES_256_CCM_8 DHE\-RSA\-AES256\-CCM8 +\& ECDHE_ECDSA_WITH_AES_128_CCM ECDHE\-ECDSA\-AES128\-CCM +\& ECDHE_ECDSA_WITH_AES_256_CCM ECDHE\-ECDSA\-AES256\-CCM +\& ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE\-ECDSA\-AES128\-CCM8 +\& ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE\-ECDSA\-AES256\-CCM8 +.Ve +.SS "\s-1ARIA\s0 cipher suites from \s-1RFC6209,\s0 extending \s-1TLS\s0 v1.2" +.IX Subsection "ARIA cipher suites from RFC6209, extending TLS v1.2" +Note: the \s-1CBC\s0 modes mentioned in this \s-1RFC\s0 are not supported. +.PP +.Vb 10 +\& TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128\-GCM\-SHA256 +\& TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256\-GCM\-SHA384 +\& TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE\-RSA\-ARIA128\-GCM\-SHA256 +\& TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE\-RSA\-ARIA256\-GCM\-SHA384 +\& TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE\-DSS\-ARIA128\-GCM\-SHA256 +\& TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE\-DSS\-ARIA256\-GCM\-SHA384 +\& TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ECDSA\-ARIA128\-GCM\-SHA256 +\& TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ECDSA\-ARIA256\-GCM\-SHA384 +\& TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ARIA128\-GCM\-SHA256 +\& TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ARIA256\-GCM\-SHA384 +\& TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK\-ARIA128\-GCM\-SHA256 +\& TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK\-ARIA256\-GCM\-SHA384 +\& TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE\-PSK\-ARIA128\-GCM\-SHA256 +\& TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE\-PSK\-ARIA256\-GCM\-SHA384 +\& TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA\-PSK\-ARIA128\-GCM\-SHA256 +\& TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA\-PSK\-ARIA256\-GCM\-SHA384 +.Ve +.SS "Camellia HMAC-Based cipher suites from \s-1RFC6367,\s0 extending \s-1TLS\s0 v1.2" +.IX Subsection "Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2" +.Vb 4 +\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-ECDSA\-CAMELLIA128\-SHA256 +\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-ECDSA\-CAMELLIA256\-SHA384 +\& TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-RSA\-CAMELLIA128\-SHA256 +\& TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-RSA\-CAMELLIA256\-SHA384 +.Ve +.SS "Pre-shared keying (\s-1PSK\s0) cipher suites" +.IX Subsection "Pre-shared keying (PSK) cipher suites" +.Vb 3 +\& PSK_WITH_NULL_SHA PSK\-NULL\-SHA +\& DHE_PSK_WITH_NULL_SHA DHE\-PSK\-NULL\-SHA +\& RSA_PSK_WITH_NULL_SHA RSA\-PSK\-NULL\-SHA +\& +\& PSK_WITH_RC4_128_SHA PSK\-RC4\-SHA +\& PSK_WITH_3DES_EDE_CBC_SHA PSK\-3DES\-EDE\-CBC\-SHA +\& PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA +\& PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA +\& +\& DHE_PSK_WITH_RC4_128_SHA DHE\-PSK\-RC4\-SHA +\& DHE_PSK_WITH_3DES_EDE_CBC_SHA DHE\-PSK\-3DES\-EDE\-CBC\-SHA +\& DHE_PSK_WITH_AES_128_CBC_SHA DHE\-PSK\-AES128\-CBC\-SHA +\& DHE_PSK_WITH_AES_256_CBC_SHA DHE\-PSK\-AES256\-CBC\-SHA +\& +\& RSA_PSK_WITH_RC4_128_SHA RSA\-PSK\-RC4\-SHA +\& RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA\-PSK\-3DES\-EDE\-CBC\-SHA +\& RSA_PSK_WITH_AES_128_CBC_SHA RSA\-PSK\-AES128\-CBC\-SHA +\& RSA_PSK_WITH_AES_256_CBC_SHA RSA\-PSK\-AES256\-CBC\-SHA +\& +\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256 +\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384 +\& DHE_PSK_WITH_AES_128_GCM_SHA256 DHE\-PSK\-AES128\-GCM\-SHA256 +\& DHE_PSK_WITH_AES_256_GCM_SHA384 DHE\-PSK\-AES256\-GCM\-SHA384 +\& RSA_PSK_WITH_AES_128_GCM_SHA256 RSA\-PSK\-AES128\-GCM\-SHA256 +\& RSA_PSK_WITH_AES_256_GCM_SHA384 RSA\-PSK\-AES256\-GCM\-SHA384 +\& +\& PSK_WITH_AES_128_CBC_SHA256 PSK\-AES128\-CBC\-SHA256 +\& PSK_WITH_AES_256_CBC_SHA384 PSK\-AES256\-CBC\-SHA384 +\& PSK_WITH_NULL_SHA256 PSK\-NULL\-SHA256 +\& PSK_WITH_NULL_SHA384 PSK\-NULL\-SHA384 +\& DHE_PSK_WITH_AES_128_CBC_SHA256 DHE\-PSK\-AES128\-CBC\-SHA256 +\& DHE_PSK_WITH_AES_256_CBC_SHA384 DHE\-PSK\-AES256\-CBC\-SHA384 +\& DHE_PSK_WITH_NULL_SHA256 DHE\-PSK\-NULL\-SHA256 +\& DHE_PSK_WITH_NULL_SHA384 DHE\-PSK\-NULL\-SHA384 +\& RSA_PSK_WITH_AES_128_CBC_SHA256 RSA\-PSK\-AES128\-CBC\-SHA256 +\& RSA_PSK_WITH_AES_256_CBC_SHA384 RSA\-PSK\-AES256\-CBC\-SHA384 +\& RSA_PSK_WITH_NULL_SHA256 RSA\-PSK\-NULL\-SHA256 +\& RSA_PSK_WITH_NULL_SHA384 RSA\-PSK\-NULL\-SHA384 +\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256 +\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384 +\& +\& ECDHE_PSK_WITH_RC4_128_SHA ECDHE\-PSK\-RC4\-SHA +\& ECDHE_PSK_WITH_3DES_EDE_CBC_SHA ECDHE\-PSK\-3DES\-EDE\-CBC\-SHA +\& ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE\-PSK\-AES128\-CBC\-SHA +\& ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE\-PSK\-AES256\-CBC\-SHA +\& ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE\-PSK\-AES128\-CBC\-SHA256 +\& ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE\-PSK\-AES256\-CBC\-SHA384 +\& ECDHE_PSK_WITH_NULL_SHA ECDHE\-PSK\-NULL\-SHA +\& ECDHE_PSK_WITH_NULL_SHA256 ECDHE\-PSK\-NULL\-SHA256 +\& ECDHE_PSK_WITH_NULL_SHA384 ECDHE\-PSK\-NULL\-SHA384 +\& +\& PSK_WITH_CAMELLIA_128_CBC_SHA256 PSK\-CAMELLIA128\-SHA256 +\& PSK_WITH_CAMELLIA_256_CBC_SHA384 PSK\-CAMELLIA256\-SHA384 +\& +\& DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 DHE\-PSK\-CAMELLIA128\-SHA256 +\& DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 DHE\-PSK\-CAMELLIA256\-SHA384 +\& +\& RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 RSA\-PSK\-CAMELLIA128\-SHA256 +\& RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 RSA\-PSK\-CAMELLIA256\-SHA384 +\& +\& ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-PSK\-CAMELLIA128\-SHA256 +\& ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-PSK\-CAMELLIA256\-SHA384 +\& +\& PSK_WITH_AES_128_CCM PSK\-AES128\-CCM +\& PSK_WITH_AES_256_CCM PSK\-AES256\-CCM +\& DHE_PSK_WITH_AES_128_CCM DHE\-PSK\-AES128\-CCM +\& DHE_PSK_WITH_AES_256_CCM DHE\-PSK\-AES256\-CCM +\& PSK_WITH_AES_128_CCM_8 PSK\-AES128\-CCM8 +\& PSK_WITH_AES_256_CCM_8 PSK\-AES256\-CCM8 +\& DHE_PSK_WITH_AES_128_CCM_8 DHE\-PSK\-AES128\-CCM8 +\& DHE_PSK_WITH_AES_256_CCM_8 DHE\-PSK\-AES256\-CCM8 +.Ve +.SS "ChaCha20\-Poly1305 cipher suites, extending \s-1TLS\s0 v1.2" +.IX Subsection "ChaCha20-Poly1305 cipher suites, extending TLS v1.2" +.Vb 7 +\& TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-RSA\-CHACHA20\-POLY1305 +\& TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-ECDSA\-CHACHA20\-POLY1305 +\& TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 DHE\-RSA\-CHACHA20\-POLY1305 +\& TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 PSK\-CHACHA20\-POLY1305 +\& TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-PSK\-CHACHA20\-POLY1305 +\& TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE\-PSK\-CHACHA20\-POLY1305 +\& TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA\-PSK\-CHACHA20\-POLY1305 +.Ve +.SS "\s-1TLS\s0 v1.3 cipher suites" +.IX Subsection "TLS v1.3 cipher suites" +.Vb 5 +\& TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256 +\& TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384 +\& TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256 +\& TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256 +\& TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256 +.Ve +.SS "Older names used by OpenSSL" +.IX Subsection "Older names used by OpenSSL" +The following names are accepted by older releases: +.PP +.Vb 2 +\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA (DHE\-RSA\-DES\-CBC3\-SHA) +\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA (DHE\-DSS\-DES\-CBC3\-SHA) +.Ve +.SH "NOTES" +.IX Header "NOTES" +Some compiled versions of OpenSSL may not include all the ciphers +listed here because some ciphers were excluded at compile time. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers: +.PP +.Vb 1 +\& openssl ciphers \-v \*(AqALL:eNULL\*(Aq +.Ve +.PP +Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by +strength: +.PP +.Vb 1 +\& openssl ciphers \-v \*(AqALL:!ADH:@STRENGTH\*(Aq +.Ve +.PP +Include all ciphers except ones with no encryption (eNULL) or no +authentication (aNULL): +.PP +.Vb 1 +\& openssl ciphers \-v \*(AqALL:!aNULL\*(Aq +.Ve +.PP +Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last: +.PP +.Vb 1 +\& openssl ciphers \-v \*(Aq3DES:+RSA\*(Aq +.Ve +.PP +Include all \s-1RC4\s0 ciphers but leave out those without authentication: +.PP +.Vb 1 +\& openssl ciphers \-v \*(AqRC4:!COMPLEMENTOFDEFAULT\*(Aq +.Ve +.PP +Include all ciphers with \s-1RSA\s0 authentication but leave out ciphers without +encryption. +.PP +.Vb 1 +\& openssl ciphers \-v \*(AqRSA:!COMPLEMENTOFALL\*(Aq +.Ve +.PP +Set security level to 2 and display all ciphers consistent with level 2: +.PP +.Vb 1 +\& openssl ciphers \-s \-v \*(AqALL:@SECLEVEL=2\*(Aq +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +The \fB\-V\fR option for the \fBciphers\fR command was added in OpenSSL 1.0.0. +.PP +The \fB\-stdname\fR is only available if OpenSSL is built with tracing enabled +(\fBenable-ssl-trace\fR argument to Configure) before OpenSSL 1.1.1. +.PP +The \fB\-convert\fR was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1 new file mode 100644 index 000000000000..152fc013ecc2 --- /dev/null +++ b/secure/usr.bin/openssl/man/cms.1 @@ -0,0 +1,816 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CMS 1" +.TH CMS 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-cms, cms \- CMS utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBcms\fR +[\fB\-help\fR] +[\fB\-encrypt\fR] +[\fB\-decrypt\fR] +[\fB\-sign\fR] +[\fB\-verify\fR] +[\fB\-cmsout\fR] +[\fB\-resign\fR] +[\fB\-data_create\fR] +[\fB\-data_out\fR] +[\fB\-digest_create\fR] +[\fB\-digest_verify\fR] +[\fB\-compress\fR] +[\fB\-uncompress\fR] +[\fB\-EncryptedData_encrypt\fR] +[\fB\-sign_receipt\fR] +[\fB\-verify_receipt receipt\fR] +[\fB\-in filename\fR] +[\fB\-inform SMIME|PEM|DER\fR] +[\fB\-rctform SMIME|PEM|DER\fR] +[\fB\-out filename\fR] +[\fB\-outform SMIME|PEM|DER\fR] +[\fB\-stream \-indef \-noindef\fR] +[\fB\-noindef\fR] +[\fB\-content filename\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-print\fR] +[\fB\-CAfile file\fR] +[\fB\-CApath dir\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-no_check_time\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] +[\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level num\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-x509_strict\fR] +[\fB\-md digest\fR] +[\fB\-\f(BIcipher\fB\fR] +[\fB\-nointern\fR] +[\fB\-noverify\fR] +[\fB\-nocerts\fR] +[\fB\-noattr\fR] +[\fB\-nosmimecap\fR] +[\fB\-binary\fR] +[\fB\-crlfeol\fR] +[\fB\-asciicrlf\fR] +[\fB\-nodetach\fR] +[\fB\-certfile file\fR] +[\fB\-certsout file\fR] +[\fB\-signer file\fR] +[\fB\-recip file\fR] +[\fB\-keyid\fR] +[\fB\-receipt_request_all\fR] +[\fB\-receipt_request_first\fR] +[\fB\-receipt_request_from emailaddress\fR] +[\fB\-receipt_request_to emailaddress\fR] +[\fB\-receipt_request_print\fR] +[\fB\-secretkey key\fR] +[\fB\-secretkeyid id\fR] +[\fB\-econtent_type type\fR] +[\fB\-inkey file\fR] +[\fB\-keyopt name:parameter\fR] +[\fB\-passin arg\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fBcert.pem...\fR] +[\fB\-to addr\fR] +[\fB\-from addr\fR] +[\fB\-subject subj\fR] +[cert.pem]... +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBcms\fR command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and +verify, compress and uncompress S/MIME messages. +.SH "OPTIONS" +.IX Header "OPTIONS" +There are fourteen operation options that set the type of operation to be +performed. The meaning of the other options varies according to the operation +type. +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-encrypt\fR" 4 +.IX Item "-encrypt" +Encrypt mail for the given recipient certificates. Input file is the message +to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. The +actual \s-1CMS\s0 type is <B>EnvelopedData<B>. +.Sp +Note that no revocation check is done for the recipient cert, so if that +key has been compromised, others may be able to decrypt the text. +.IP "\fB\-decrypt\fR" 4 +.IX Item "-decrypt" +Decrypt mail using the supplied certificate and private key. Expects an +encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail +is written to the output file. +.IP "\fB\-debug_decrypt\fR" 4 +.IX Item "-debug_decrypt" +This option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used +with caution: see the notes section below. +.IP "\fB\-sign\fR" 4 +.IX Item "-sign" +Sign mail using the supplied certificate and private key. Input file is +the message to be signed. The signed message in \s-1MIME\s0 format is written +to the output file. +.IP "\fB\-verify\fR" 4 +.IX Item "-verify" +Verify signed mail. Expects a signed mail message on input and outputs +the signed data. Both clear text and opaque signing is supported. +.IP "\fB\-cmsout\fR" 4 +.IX Item "-cmsout" +Takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure. +.IP "\fB\-resign\fR" 4 +.IX Item "-resign" +Resign a message: take an existing message and one or more new signers. +.IP "\fB\-data_create\fR" 4 +.IX Item "-data_create" +Create a \s-1CMS\s0 \fBData\fR type. +.IP "\fB\-data_out\fR" 4 +.IX Item "-data_out" +\&\fBData\fR type and output the content. +.IP "\fB\-digest_create\fR" 4 +.IX Item "-digest_create" +Create a \s-1CMS\s0 \fBDigestedData\fR type. +.IP "\fB\-digest_verify\fR" 4 +.IX Item "-digest_verify" +Verify a \s-1CMS\s0 \fBDigestedData\fR type and output the content. +.IP "\fB\-compress\fR" 4 +.IX Item "-compress" +Create a \s-1CMS\s0 \fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR +support for this option to work, otherwise it will output an error. +.IP "\fB\-uncompress\fR" 4 +.IX Item "-uncompress" +Uncompress a \s-1CMS\s0 \fBCompressedData\fR type and output the content. OpenSSL must be +compiled with \fBzlib\fR support for this option to work, otherwise it will +output an error. +.IP "\fB\-EncryptedData_encrypt\fR" 4 +.IX Item "-EncryptedData_encrypt" +Encrypt content using supplied symmetric key and algorithm using a \s-1CMS\s0 +\&\fBEncryptedData\fR type and output the content. +.IP "\fB\-sign_receipt\fR" 4 +.IX Item "-sign_receipt" +Generate and output a signed receipt for the supplied message. The input +message \fBmust\fR contain a signed receipt request. Functionality is otherwise +similar to the \fB\-sign\fR operation. +.IP "\fB\-verify_receipt receipt\fR" 4 +.IX Item "-verify_receipt receipt" +Verify a signed receipt in filename \fBreceipt\fR. The input message \fBmust\fR +contain the original receipt request. Functionality is otherwise similar +to the \fB\-verify\fR operation. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +The input message to be encrypted or signed or the message to be decrypted +or verified. +.IP "\fB\-inform SMIME|PEM|DER\fR" 4 +.IX Item "-inform SMIME|PEM|DER" +This specifies the input format for the \s-1CMS\s0 structure. The default +is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR +format change this to expect \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures +instead. This currently only affects the input format of the \s-1CMS\s0 +structure, if no \s-1CMS\s0 structure is being input (for example with +\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. +.IP "\fB\-rctform SMIME|PEM|DER\fR" 4 +.IX Item "-rctform SMIME|PEM|DER" +Specify the format for a signed receipt for use with the \fB\-receipt_verify\fR +operation. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +The message text that has been decrypted or verified or the output \s-1MIME\s0 +format message that has been signed or verified. +.IP "\fB\-outform SMIME|PEM|DER\fR" 4 +.IX Item "-outform SMIME|PEM|DER" +This specifies the output format for the \s-1CMS\s0 structure. The default +is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR +format change this to write \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures +instead. This currently only affects the output format of the \s-1CMS\s0 +structure, if no \s-1CMS\s0 structure is being output (for example with +\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. +.IP "\fB\-stream \-indef \-noindef\fR" 4 +.IX Item "-stream -indef -noindef" +The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O +for encoding operations. This permits single pass processing of data without +the need to hold the entire contents in memory, potentially supporting very +large files. Streaming is automatically set for S/MIME signing with detached +data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all +other operations. +.IP "\fB\-noindef\fR" 4 +.IX Item "-noindef" +Disable streaming I/O where it would produce and indefinite length constructed +encoding. This option currently has no effect. In future streaming will be +enabled by default on all relevant operations and this option will disable it. +.IP "\fB\-content filename\fR" 4 +.IX Item "-content filename" +This specifies a file containing the detached content, this is only +useful with the \fB\-verify\fR command. This is only usable if the \s-1CMS\s0 +structure is using the detached signature form where the content is +not included. This option will override any content if the input format +is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied +message if encrypting or signing. If decrypting or verifying it strips +off text headers: if the decrypted or verified message is not of \s-1MIME\s0 +type text/plain then an error occurs. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +For the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure. This +is useful when combined with the \fB\-print\fR option or if the syntax of the \s-1CMS\s0 +structure is being checked. +.IP "\fB\-print\fR" 4 +.IX Item "-print" +For the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure. This +is mainly useful for testing purposes. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. +.IP "\fB\-CApath dir\fR" 4 +.IX Item "-CApath dir" +A directory containing trusted \s-1CA\s0 certificates, only used with +\&\fB\-verify\fR. This directory must be a standard certificate directory: that +is a hash of each subject name (using \fBx509 \-hash\fR) should be linked +to each certificate. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location +.IP "\fB\-md digest\fR" 4 +.IX Item "-md digest" +Digest algorithm to use when signing or resigning. If not present then the +default digest algorithm for the signing key will be used (usually \s-1SHA1\s0). +.IP "\fB\-\f(BIcipher\fB\fR" 4 +.IX Item "-cipher" +The encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR +or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the +\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for +example \fB\-aes\-128\-cbc\fR. See \fIenc\fR\|(1) for a list of ciphers +supported by your version of OpenSSL. +.Sp +If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR and +\&\fB\-EncryptedData_create\fR commands. +.IP "\fB\-nointern\fR" 4 +.IX Item "-nointern" +When verifying a message normally certificates (if any) included in +the message are searched for the signing certificate. With this option +only the certificates specified in the \fB\-certfile\fR option are used. +The supplied certificates can still be used as untrusted CAs however. +.IP "\fB\-noverify\fR" 4 +.IX Item "-noverify" +Do not verify the signers certificate of a signed message. +.IP "\fB\-nocerts\fR" 4 +.IX Item "-nocerts" +When signing a message the signer's certificate is normally included +with this option it is excluded. This will reduce the size of the +signed message but the verifier must have a copy of the signers certificate +available locally (passed using the \fB\-certfile\fR option for example). +.IP "\fB\-noattr\fR" 4 +.IX Item "-noattr" +Normally when a message is signed a set of attributes are included which +include the signing time and supported symmetric algorithms. With this +option they are not included. +.IP "\fB\-nosmimecap\fR" 4 +.IX Item "-nosmimecap" +Exclude the list of supported algorithms from signed attributes, other options +such as signing time and content type are still included. +.IP "\fB\-binary\fR" 4 +.IX Item "-binary" +Normally the input message is converted to \*(L"canonical\*(R" format which is +effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME +specification. When this option is present no translation occurs. This +is useful when handling binary data which may not be in \s-1MIME\s0 format. +.IP "\fB\-crlfeol\fR" 4 +.IX Item "-crlfeol" +Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this +option is present \fB\s-1CRLF\s0\fR is used instead. +.IP "\fB\-asciicrlf\fR" 4 +.IX Item "-asciicrlf" +When signing use \s-1ASCII CRLF\s0 format canonicalisation. This strips trailing +whitespace from all lines, deletes trailing blank lines at \s-1EOF\s0 and sets +the encapsulated content type. This option is normally used with detached +content and an output signature format of \s-1DER.\s0 This option is not normally +needed when verifying as it is enabled automatically if the encapsulated +content format is detected. +.IP "\fB\-nodetach\fR" 4 +.IX Item "-nodetach" +When signing a message use opaque signing: this form is more resistant +to translation by mail relays but it cannot be read by mail agents that +do not support S/MIME. Without this option cleartext signing with +the \s-1MIME\s0 type multipart/signed is used. +.IP "\fB\-certfile file\fR" 4 +.IX Item "-certfile file" +Allows additional certificates to be specified. When signing these will +be included with the message. When verifying these will be searched for +the signers certificates. The certificates should be in \s-1PEM\s0 format. +.IP "\fB\-certsout file\fR" 4 +.IX Item "-certsout file" +Any certificates contained in the message are written to \fBfile\fR. +.IP "\fB\-signer file\fR" 4 +.IX Item "-signer file" +A signing certificate when signing or resigning a message, this option can be +used multiple times if more than one signer is required. If a message is being +verified then the signers certificates will be written to this file if the +verification was successful. +.IP "\fB\-recip file\fR" 4 +.IX Item "-recip file" +When decrypting a message this specifies the recipients certificate. The +certificate must match one of the recipients of the message or an error +occurs. +.Sp +When encrypting a message this option may be used multiple times to specify +each recipient. This form \fBmust\fR be used if customised parameters are +required (for example to specify RSA-OAEP). +.Sp +Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supported by this +option. +.IP "\fB\-keyid\fR" 4 +.IX Item "-keyid" +Use subject key identifier to identify certificates instead of issuer name and +serial number. The supplied certificate \fBmust\fR include a subject key +identifier extension. Supported by \fB\-sign\fR and \fB\-encrypt\fR options. +.IP "\fB\-receipt_request_all\fR, \fB\-receipt_request_first\fR" 4 +.IX Item "-receipt_request_all, -receipt_request_first" +For \fB\-sign\fR option include a signed receipt request. Indicate requests should +be provided by all recipient or first tier recipients (those mailed directly +and not from a mailing list). Ignored it \fB\-receipt_request_from\fR is included. +.IP "\fB\-receipt_request_from emailaddress\fR" 4 +.IX Item "-receipt_request_from emailaddress" +For \fB\-sign\fR option include a signed receipt request. Add an explicit email +address where receipts should be supplied. +.IP "\fB\-receipt_request_to emailaddress\fR" 4 +.IX Item "-receipt_request_to emailaddress" +Add an explicit email address where signed receipts should be sent to. This +option \fBmust\fR but supplied if a signed receipt it requested. +.IP "\fB\-receipt_request_print\fR" 4 +.IX Item "-receipt_request_print" +For the \fB\-verify\fR operation print out the contents of any signed receipt +requests. +.IP "\fB\-secretkey key\fR" 4 +.IX Item "-secretkey key" +Specify symmetric key to use. The key must be supplied in hex format and be +consistent with the algorithm used. Supported by the \fB\-EncryptedData_encrypt\fR +\&\fB\-EncryptedData_decrypt\fR, \fB\-encrypt\fR and \fB\-decrypt\fR options. When used +with \fB\-encrypt\fR or \fB\-decrypt\fR the supplied key is used to wrap or unwrap the +content encryption key using an \s-1AES\s0 key in the \fBKEKRecipientInfo\fR type. +.IP "\fB\-secretkeyid id\fR" 4 +.IX Item "-secretkeyid id" +The key identifier for the supplied symmetric key for \fBKEKRecipientInfo\fR type. +This option \fBmust\fR be present if the \fB\-secretkey\fR option is used with +\&\fB\-encrypt\fR. With \fB\-decrypt\fR operations the \fBid\fR is used to locate the +relevant key if it is not supplied then an attempt is used to decrypt any +\&\fBKEKRecipientInfo\fR structures. +.IP "\fB\-econtent_type type\fR" 4 +.IX Item "-econtent_type type" +Set the encapsulated content type to \fBtype\fR if not supplied the \fBData\fR type +is used. The \fBtype\fR argument can be any valid \s-1OID\s0 name in either text or +numerical format. +.IP "\fB\-inkey file\fR" 4 +.IX Item "-inkey file" +The private key to use when signing or decrypting. This must match the +corresponding certificate. If this option is not specified then the +private key must be included in the certificate file specified with +the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used +multiple times to specify successive keys. +.IP "\fB\-keyopt name:opt\fR" 4 +.IX Item "-keyopt name:opt" +For signing and encryption this option can be used multiple times to +set customised parameters for the preceding key or certificate. It can +currently be used to set RSA-PSS for signing, RSA-OAEP for encryption +or to modify default parameters for \s-1ECDH.\s0 +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fBcert.pem...\fR" 4 +.IX Item "cert.pem..." +One or more certificates of message recipients: used when encrypting +a message. +.IP "\fB\-to, \-from, \-subject\fR" 4 +.IX Item "-to, -from, -subject" +The relevant mail headers. These are included outside the signed +portion of a message so they may be included manually. If signing +then many S/MIME mail clients check the signers certificate's email +address matches that specified in the From: address. +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set various certificate chain validation options. See the +\&\fIverify\fR\|(1) manual page for details. +.SH "NOTES" +.IX Header "NOTES" +The \s-1MIME\s0 message must be sent without any blank lines between the +headers and the output. Some mail programs will automatically add +a blank line. Piping the mail directly to sendmail is one way to +achieve the correct format. +.PP +The supplied message to be signed or encrypted must include the +necessary \s-1MIME\s0 headers or many S/MIME clients won't display it +properly (if at all). You can use the \fB\-text\fR option to automatically +add plain text headers. +.PP +A \*(L"signed and encrypted\*(R" message is one where a signed message is +then encrypted. This can be produced by encrypting an already signed +message: see the examples section. +.PP +This version of the program only allows one signer per message but it +will verify multiple signers on received messages. Some S/MIME clients +choke if a message contains multiple signers. It is possible to sign +messages \*(L"in parallel\*(R" by signing an already signed message. +.PP +The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME +clients. Strictly speaking these process \s-1CMS\s0 enveloped data: \s-1CMS\s0 +encrypted data is used for other purposes. +.PP +The \fB\-resign\fR option uses an existing message digest when adding a new +signer. This means that attributes must be present in at least one existing +signer using the same message digest or this operation will fail. +.PP +The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support. +As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding +and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the +\&\fB\-sign\fR operation if the content is not detached. +.PP +Streaming is always used for the \fB\-sign\fR operation with detached data but +since the content is no longer part of the \s-1CMS\s0 structure the encoding +remains \s-1DER.\s0 +.PP +If the \fB\-decrypt\fR option is used without a recipient certificate then an +attempt is made to locate the recipient by trying each potential recipient +in turn using the supplied private key. To thwart the \s-1MMA\s0 attack +(Bleichenbacher's attack on \s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are +tried whether they succeed or not and if no recipients match the message +is \*(L"decrypted\*(R" using a random key which will typically output garbage. +The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection +and return an error if no recipient can be found: this option should be used +with caution. For a fuller description see \fICMS_decrypt\fR\|(3)). +.SH "EXIT CODES" +.IX Header "EXIT CODES" +.IP "0" 4 +The operation was completely successfully. +.IP "1" 4 +.IX Item "1" +An error occurred parsing the command options. +.IP "2" 4 +.IX Item "2" +One of the input files could not be read. +.IP "3" 4 +.IX Item "3" +An error occurred creating the \s-1CMS\s0 file or when reading the \s-1MIME\s0 +message. +.IP "4" 4 +.IX Item "4" +An error occurred decrypting or verifying the message. +.IP "5" 4 +.IX Item "5" +The message was verified correctly but an error occurred writing out +the signers certificates. +.SH "COMPATIBILITY WITH PKCS#7 format." +.IX Header "COMPATIBILITY WITH PKCS#7 format." +The \fBsmime\fR utility can only process the older \fBPKCS#7\fR format. The \fBcms\fR +utility supports Cryptographic Message Syntax format. Use of some features +will result in messages which cannot be processed by applications which only +support the older format. These are detailed below. +.PP +The use of the \fB\-keyid\fR option with \fB\-sign\fR or \fB\-encrypt\fR. +.PP +The \fB\-outform \s-1PEM\s0\fR option uses different headers. +.PP +The \fB\-compress\fR option. +.PP +The \fB\-secretkey\fR option when used with \fB\-encrypt\fR. +.PP +The use of \s-1PSS\s0 with \fB\-sign\fR. +.PP +The use of \s-1OAEP\s0 or non-RSA keys with \fB\-encrypt\fR. +.PP +Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot +be processed by the older \fBsmime\fR command. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create a cleartext signed message: +.PP +.Vb 2 +\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e +\& \-signer mycert.pem +.Ve +.PP +Create an opaque signed message +.PP +.Vb 2 +\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e +\& \-signer mycert.pem +.Ve +.PP +Create a signed message, include some additional certificates and +read the private key from another file: +.PP +.Vb 2 +\& openssl cms \-sign \-in in.txt \-text \-out mail.msg \e +\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem +.Ve +.PP +Create a signed message with two signers, use key identifier: +.PP +.Vb 2 +\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e +\& \-signer mycert.pem \-signer othercert.pem \-keyid +.Ve +.PP +Send a signed message under Unix directly to sendmail, including headers: +.PP +.Vb 3 +\& openssl cms \-sign \-in in.txt \-text \-signer mycert.pem \e +\& \-from steve@openssl.org \-to someone@somewhere \e +\& \-subject "Signed message" | sendmail someone@somewhere +.Ve +.PP +Verify a message and extract the signer's certificate if successful: +.PP +.Vb 1 +\& openssl cms \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt +.Ve +.PP +Send encrypted mail using triple \s-1DES:\s0 +.PP +.Vb 3 +\& openssl cms \-encrypt \-in in.txt \-from steve@openssl.org \e +\& \-to someone@somewhere \-subject "Encrypted message" \e +\& \-des3 user.pem \-out mail.msg +.Ve +.PP +Sign and encrypt mail: +.PP +.Vb 4 +\& openssl cms \-sign \-in ml.txt \-signer my.pem \-text \e +\& | openssl cms \-encrypt \-out mail.msg \e +\& \-from steve@openssl.org \-to someone@somewhere \e +\& \-subject "Signed and Encrypted message" \-des3 user.pem +.Ve +.PP +Note: the encryption command does not include the \fB\-text\fR option because the +message being encrypted already has \s-1MIME\s0 headers. +.PP +Decrypt mail: +.PP +.Vb 1 +\& openssl cms \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem +.Ve +.PP +The output from Netscape form signing is a PKCS#7 structure with the +detached signature format. You can use this program to verify the +signature by line wrapping the base64 encoded structure and surrounding +it with: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\- +\& \-\-\-\-\-END PKCS7\-\-\-\-\- +.Ve +.PP +and using the command, +.PP +.Vb 1 +\& openssl cms \-verify \-inform PEM \-in signature.pem \-content content.txt +.Ve +.PP +alternatively you can base64 decode the signature and use +.PP +.Vb 1 +\& openssl cms \-verify \-inform DER \-in signature.der \-content content.txt +.Ve +.PP +Create an encrypted message using 128 bit Camellia: +.PP +.Vb 1 +\& openssl cms \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem +.Ve +.PP +Add a signer to an existing message: +.PP +.Vb 1 +\& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg +.Ve +.PP +Sign mail using RSA-PSS: +.PP +.Vb 2 +\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e +\& \-signer mycert.pem \-keyopt rsa_padding_mode:pss +.Ve +.PP +Create encrypted mail using RSA-OAEP: +.PP +.Vb 2 +\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e +\& \-recip cert.pem \-keyopt rsa_padding_mode:oaep +.Ve +.PP +Use \s-1SHA256 KDF\s0 with an \s-1ECDH\s0 certificate: +.PP +.Vb 2 +\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e +\& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256 +.Ve +.SH "BUGS" +.IX Header "BUGS" +The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've +thrown at it but it may choke on others. +.PP +The code currently will only write out the signer's certificate to a file: if +the signer has a separate encryption certificate this must be manually +extracted. There should be some heuristic that determines the correct +encryption certificate. +.PP +Ideally a database should be maintained of a certificates for each email +address. +.PP +The code doesn't currently take note of the permitted symmetric encryption +algorithms as supplied in the SMIMECapabilities signed attribute. this means the +user has to manually include the correct encryption algorithm. It should store +the list of permitted ciphers in a database and only use those. +.PP +No revocation checking is done on the signer's certificate. +.SH "HISTORY" +.IX Header "HISTORY" +The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first +added in OpenSSL 1.0.0. +.PP +The \fBkeyopt\fR option was first added in OpenSSL 1.0.2. +.PP +Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2. +.PP +The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR was first added +to OpenSSL 1.0.2. +.PP +The \-no_alt_chains options was first added to OpenSSL 1.0.2b. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1 new file mode 100644 index 000000000000..628cb3213b1b --- /dev/null +++ b/secure/usr.bin/openssl/man/crl.1 @@ -0,0 +1,253 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CRL 1" +.TH CRL 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-crl, crl \- CRL utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBcrl\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-text\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-nameopt option\fR] +[\fB\-noout\fR] +[\fB\-hash\fR] +[\fB\-issuer\fR] +[\fB\-lastupdate\fR] +[\fB\-nextupdate\fR] +[\fB\-CAfile file\fR] +[\fB\-CApath dir\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0 +structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of +the \s-1DER\s0 form with header and footer lines. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read from or standard input if this +option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Specifies the output filename to write to or standard output by +default. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Print out the \s-1CRL\s0 in text form. +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. See +the description of \fB\-nameopt\fR in \fIx509\fR\|(1). +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +Don't output the encoded version of the \s-1CRL.\s0 +.IP "\fB\-hash\fR" 4 +.IX Item "-hash" +Output a hash of the issuer name. This can be use to lookup CRLs in +a directory by issuer name. +.IP "\fB\-hash_old\fR" 4 +.IX Item "-hash_old" +Outputs the \*(L"hash\*(R" of the \s-1CRL\s0 issuer name using the older algorithm +as used by OpenSSL before version 1.0.0. +.IP "\fB\-issuer\fR" 4 +.IX Item "-issuer" +Output the issuer name. +.IP "\fB\-lastupdate\fR" 4 +.IX Item "-lastupdate" +Output the lastUpdate field. +.IP "\fB\-nextupdate\fR" 4 +.IX Item "-nextupdate" +Output the nextUpdate field. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +Verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in +\&\fBfile\fR. +.IP "\fB\-CApath dir\fR" 4 +.IX Item "-CApath dir" +Verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in +\&\fBdir\fR. This directory must be a standard certificate directory: that +is a hash of each subject name (using \fBx509 \-hash\fR) should be linked +to each certificate. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM CRL\s0 format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN X509 CRL\-\-\-\-\- +\& \-\-\-\-\-END X509 CRL\-\-\-\-\- +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0 +.PP +.Vb 1 +\& openssl crl \-in crl.pem \-outform DER \-out crl.der +.Ve +.PP +Output the text form of a \s-1DER\s0 encoded certificate: +.PP +.Vb 1 +\& openssl crl \-in crl.der \-inform DER \-text \-noout +.Ve +.SH "BUGS" +.IX Header "BUGS" +Ideally it should be possible to create a \s-1CRL\s0 using appropriate options +and files too. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrl2pkcs7\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1 new file mode 100644 index 000000000000..20a5269e33f6 --- /dev/null +++ b/secure/usr.bin/openssl/man/crl2pkcs7.1 @@ -0,0 +1,223 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CRL2PKCS7 1" +.TH CRL2PKCS7 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-crl2pkcs7, crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBcrl2pkcs7\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-certfile filename\fR] +[\fB\-nocrl\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBcrl2pkcs7\fR command takes an optional \s-1CRL\s0 and one or more +certificates and converts them into a PKCS#7 degenerate \*(L"certificates +only\*(R" structure. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0 +structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of +the \s-1DER\s0 form with header and footer lines. The default format is \s-1PEM.\s0 +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0 +encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of +the \s-1DER\s0 form with header and footer lines. The default format is \s-1PEM.\s0 +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a \s-1CRL\s0 from or standard input if this +option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Specifies the output filename to write the PKCS#7 structure to or standard +output by default. +.IP "\fB\-certfile filename\fR" 4 +.IX Item "-certfile filename" +Specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format. +All certificates in the file will be added to the PKCS#7 structure. This +option can be used more than once to read certificates form multiple +files. +.IP "\fB\-nocrl\fR" 4 +.IX Item "-nocrl" +Normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is +included in the output file and a \s-1CRL\s0 is not read from the input file. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create a PKCS#7 structure from a certificate and \s-1CRL:\s0 +.PP +.Vb 1 +\& openssl crl2pkcs7 \-in crl.pem \-certfile cert.pem \-out p7.pem +.Ve +.PP +Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several +different certificates: +.PP +.Vb 2 +\& openssl crl2pkcs7 \-nocrl \-certfile newcert.pem +\& \-certfile demoCA/cacert.pem \-outform DER \-out p7.der +.Ve +.SH "NOTES" +.IX Header "NOTES" +The output file is a PKCS#7 signed data structure containing no signers and +just certificates and an optional \s-1CRL.\s0 +.PP +This utility can be used to send certificates and CAs to Netscape as part of +the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output +as \s-1MIME\s0 type application/x\-x509\-user\-cert. +.PP +The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can be used to +install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIpkcs7\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1 new file mode 100644 index 000000000000..db0c6100ae4e --- /dev/null +++ b/secure/usr.bin/openssl/man/dgst.1 @@ -0,0 +1,337 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DGST 1" +.TH DGST 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-dgst, dgst \- perform digest operations +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl dgst\fR +[\fB\-\f(BIdigest\fB\fR] +[\fB\-help\fR] +[\fB\-c\fR] +[\fB\-d\fR] +[\fB\-hex\fR] +[\fB\-binary\fR] +[\fB\-r\fR] +[\fB\-out filename\fR] +[\fB\-sign filename\fR] +[\fB\-keyform arg\fR] +[\fB\-passin arg\fR] +[\fB\-verify filename\fR] +[\fB\-prverify filename\fR] +[\fB\-signature filename\fR] +[\fB\-hmac key\fR] +[\fB\-fips\-fingerprint\fR] +[\fB\-rand file...\fR] +[\fB\-engine id\fR] +[\fB\-engine_impl\fR] +[\fBfile...\fR] +.PP +\&\fBopenssl\fR \fIdigest\fR [\fB...\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The digest functions output the message digest of a supplied file or files +in hexadecimal. The digest functions also generate and verify digital +signatures using message digests. +.PP +The generic name, \fBdgst\fR, may be used with an option specifying the +algorithm to be used. +The default digest is \fIsha256\fR. +A supported \fIdigest\fR name may also be used as the command name. +To see the list of supported algorithms, use the \fIlist \-\-digest\-commands\fR +command. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +Specifies name of a supported digest to be used. To see the list of +supported digests, use the command \fIlist \-\-digest\-commands\fR. +.IP "\fB\-c\fR" 4 +.IX Item "-c" +Print out the digest in two digit groups separated by colons, only relevant if +\&\fBhex\fR format output is used. +.IP "\fB\-d\fR" 4 +.IX Item "-d" +Print out \s-1BIO\s0 debugging information. +.IP "\fB\-hex\fR" 4 +.IX Item "-hex" +Digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R" +digest as opposed to a digital signature. See \s-1NOTES\s0 below for digital +signatures using \fB\-hex\fR. +.IP "\fB\-binary\fR" 4 +.IX Item "-binary" +Output the digest or signature in binary form. +.IP "\fB\-r\fR" 4 +.IX Item "-r" +Output the digest in the \*(L"coreutils\*(R" format used by programs like \fBsha1sum\fR. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Filename to output to, or standard output by default. +.IP "\fB\-sign filename\fR" 4 +.IX Item "-sign filename" +Digitally sign the digest using the private key in \*(L"filename\*(R". Note this option +does not support Ed25519 or Ed448 private keys. Use the \fBpkeyutl\fR command +instead for this. +.IP "\fB\-keyform arg\fR" 4 +.IX Item "-keyform arg" +Specifies the key format to sign digest with. The \s-1DER, PEM, P12,\s0 +and \s-1ENGINE\s0 formats are supported. +.IP "\fB\-sigopt nm:v\fR" 4 +.IX Item "-sigopt nm:v" +Pass options to the signature algorithm during sign or verify operations. +Names and values of these options are algorithm-specific. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-verify filename\fR" 4 +.IX Item "-verify filename" +Verify the signature using the public key in \*(L"filename\*(R". +The output is either \*(L"Verification \s-1OK\*(R"\s0 or \*(L"Verification Failure\*(R". +.IP "\fB\-prverify filename\fR" 4 +.IX Item "-prverify filename" +Verify the signature using the private key in \*(L"filename\*(R". +.IP "\fB\-signature filename\fR" 4 +.IX Item "-signature filename" +The actual signature to verify. +.IP "\fB\-hmac key\fR" 4 +.IX Item "-hmac key" +Create a hashed \s-1MAC\s0 using \*(L"key\*(R". +.IP "\fB\-mac alg\fR" 4 +.IX Item "-mac alg" +Create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0 +algorithm is \s-1HMAC\s0 (hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms +which are not based on hash, for instance \fBgost-mac\fR algorithm, +supported by \fBccgost\fR engine. \s-1MAC\s0 keys and other options should be set +via \fB\-macopt\fR parameter. +.IP "\fB\-macopt nm:v\fR" 4 +.IX Item "-macopt nm:v" +Passes options to \s-1MAC\s0 algorithm, specified by \fB\-mac\fR key. +Following options are supported by both by \fB\s-1HMAC\s0\fR and \fBgost-mac\fR: +.RS 4 +.IP "\fBkey:string\fR" 4 +.IX Item "key:string" +Specifies \s-1MAC\s0 key as alphanumeric string (use if key contain printable +characters only). String length must conform to any restrictions of +the \s-1MAC\s0 algorithm for example exactly 32 chars for gost-mac. +.IP "\fBhexkey:string\fR" 4 +.IX Item "hexkey:string" +Specifies \s-1MAC\s0 key in hexadecimal form (two hex digits per byte). +Key length must conform to any restrictions of the \s-1MAC\s0 algorithm +for example exactly 32 chars for gost-mac. +.RE +.RS 4 +.RE +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-fips\-fingerprint\fR" 4 +.IX Item "-fips-fingerprint" +Compute \s-1HMAC\s0 using a specific key for certain OpenSSL-FIPS operations. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Use engine \fBid\fR for operations (including private key storage). +This engine is not used as source for digest algorithms, unless it is +also specified in the configuration file or \fB\-engine_impl\fR is also +specified. +.IP "\fB\-engine_impl\fR" 4 +.IX Item "-engine_impl" +When used with the \fB\-engine\fR option, it specifies to also use +engine \fBid\fR for digest operations. +.IP "\fBfile...\fR" 4 +.IX Item "file..." +File or files to digest. If no files are specified then standard input is +used. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To create a hex-encoded message digest of a file: + openssl dgst \-md5 \-hex file.txt +.PP +To sign a file using \s-1SHA\-256\s0 with binary file output: + openssl dgst \-sha256 \-sign privatekey.pem \-out signature.sign file.txt +.PP +To verify a signature: + openssl dgst \-sha256 \-verify publickey.pem \e + \-signature signature.sign \e + file.txt +.SH "NOTES" +.IX Header "NOTES" +The digest mechanisms that are available will depend on the options +used when building OpenSSL. +The \fBlist digest-commands\fR command can be used to list them. +.PP +New or agile applications should use probably use \s-1SHA\-256.\s0 Other digests, +particularly \s-1SHA\-1\s0 and \s-1MD5,\s0 are still widely used for interoperating +with existing formats and protocols. +.PP +When signing a file, \fBdgst\fR will automatically determine the algorithm +(\s-1RSA, ECC,\s0 etc) to use for signing based on the private key's \s-1ASN.1\s0 info. +When verifying signatures, it only handles the \s-1RSA, DSA,\s0 or \s-1ECDSA\s0 signature +itself, not the related data to identify the signer and algorithm used in +formats such as x.509, \s-1CMS,\s0 and S/MIME. +.PP +A source of random numbers is required for certain signing algorithms, in +particular \s-1ECDSA\s0 and \s-1DSA.\s0 +.PP +The signing and verify options should only be used if a single file is +being signed or verified. +.PP +Hex signatures cannot be verified using \fBopenssl\fR. Instead, use \*(L"xxd \-r\*(R" +or similar program to transform the hex signature into a binary signature +prior to verification. +.SH "HISTORY" +.IX Header "HISTORY" +The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in OpenSSL 1.1.0 +The FIPS-related options were removed in OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1 new file mode 100644 index 000000000000..f0a753566e98 --- /dev/null +++ b/secure/usr.bin/openssl/man/dhparam.1 @@ -0,0 +1,272 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DHPARAM 1" +.TH DHPARAM 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-dhparam, dhparam \- DH parameter manipulation and generation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl dhparam\fR +[\fB\-help\fR] +[\fB\-inform DER|PEM\fR] +[\fB\-outform DER|PEM\fR] +[\fB\-in\fR \fIfilename\fR] +[\fB\-out\fR \fIfilename\fR] +[\fB\-dsaparam\fR] +[\fB\-check\fR] +[\fB\-noout\fR] +[\fB\-text\fR] +[\fB\-C\fR] +[\fB\-2\fR] +[\fB\-5\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-engine id\fR] +[\fInumbits\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to manipulate \s-1DH\s0 parameter files. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded +form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the +default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with +additional header and footer lines. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in\fR \fIfilename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read parameters from or standard input if +this option is not specified. +.IP "\fB\-out\fR \fIfilename\fR" 4 +.IX Item "-out filename" +This specifies the output filename parameters to. Standard output is used +if this option is not present. The output filename should \fBnot\fR be the same +as the input filename. +.IP "\fB\-dsaparam\fR" 4 +.IX Item "-dsaparam" +If this option is used, \s-1DSA\s0 rather than \s-1DH\s0 parameters are read or created; +they are converted to \s-1DH\s0 format. Otherwise, \*(L"strong\*(R" primes (such +that (p\-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation. +.Sp +\&\s-1DH\s0 parameter generation with the \fB\-dsaparam\fR option is much faster, +and the recommended exponent length is shorter, which makes \s-1DH\s0 key +exchange more efficient. Beware that with such DSA-style \s-1DH\s0 +parameters, a fresh \s-1DH\s0 key should be created for each use to +avoid small-subgroup attacks that may be possible otherwise. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +Performs numerous checks to see if the supplied parameters are valid and +displays a warning if not. +.IP "\fB\-2\fR, \fB\-5\fR" 4 +.IX Item "-2, -5" +The generator to use, either 2 or 5. If present then the +input file is ignored and parameters are generated instead. If not +present but \fBnumbits\fR is present, parameters are generated with the +default generator 2. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fInumbits\fR" 4 +.IX Item "numbits" +This option specifies that a parameter set should be generated of size +\&\fInumbits\fR. It must be the last option. If this option is present then +the input file is ignored and parameters are generated instead. If +this option is not present but a generator (\fB\-2\fR or \fB\-5\fR) is +present, parameters are generated with a default length of 2048 bits. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option inhibits the output of the encoded version of the parameters. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +This option prints out the \s-1DH\s0 parameters in human readable form. +.IP "\fB\-C\fR" 4 +.IX Item "-C" +This option converts the parameters into C code. The parameters can then +be loaded by calling the \fIget_dhNNNN()\fR function. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBdhparam\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "WARNINGS" +.IX Header "WARNINGS" +The program \fBdhparam\fR combines the functionality of the programs \fBdh\fR and +\&\fBgendh\fR in previous versions of OpenSSL. The \fBdh\fR and \fBgendh\fR +programs are retained for now but may have different purposes in future +versions of OpenSSL. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1PEM\s0 format \s-1DH\s0 parameters use the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN DH PARAMETERS\-\-\-\-\- +\& \-\-\-\-\-END DH PARAMETERS\-\-\-\-\- +.Ve +.PP +OpenSSL currently only supports the older PKCS#3 \s-1DH,\s0 not the newer X9.42 +\&\s-1DH.\s0 +.PP +This program manipulates \s-1DH\s0 parameters not keys. +.SH "BUGS" +.IX Header "BUGS" +There should be a way to generate and manipulate \s-1DH\s0 keys. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIdsaparam\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1 new file mode 100644 index 000000000000..a799b42bfff5 --- /dev/null +++ b/secure/usr.bin/openssl/man/dsa.1 @@ -0,0 +1,302 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DSA 1" +.TH DSA 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-dsa, dsa \- DSA key processing +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBdsa\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-aes128\fR] +[\fB\-aes192\fR] +[\fB\-aes256\fR] +[\fB\-aria128\fR] +[\fB\-aria192\fR] +[\fB\-aria256\fR] +[\fB\-camellia128\fR] +[\fB\-camellia192\fR] +[\fB\-camellia256\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-modulus\fR] +[\fB\-pubin\fR] +[\fB\-pubout\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBdsa\fR command processes \s-1DSA\s0 keys. They can be converted between various +forms and their components printed out. \fBNote\fR This command uses the +traditional SSLeay compatible format for private key encryption: newer +applications should use the more secure PKCS#8 format using the \fBpkcs8\fR +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses +an \s-1ASN1 DER\s0 encoded form of an \s-1ASN.1 SEQUENCE\s0 consisting of the values of +version (currently zero), p, q, g, the public and private key components +respectively as \s-1ASN.1\s0 INTEGERs. When used with a public key it uses a +SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA.\s0 +.Sp +The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 +encoded with additional header and footer lines. In the case of a private key +PKCS#8 format is also accepted. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output by +is not specified. If any encryption options are set then a pass phrase will be +prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.IP "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +The output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4 +.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea" +These options encrypt the private key with the specified +cipher before outputting it. A pass phrase is prompted for. +If none of these options is specified the key is written in plain text. This +means that using the \fBdsa\fR utility to read in an encrypted key with no +encryption option can be used to remove the pass phrase from a key, or by +setting the encryption options it can be use to add or change the pass phrase. +These options can only be used with \s-1PEM\s0 format output files. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the public, private key components and parameters. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option prevents output of the encoded version of the key. +.IP "\fB\-modulus\fR" 4 +.IX Item "-modulus" +This option prints out the value of the public key component of the key. +.IP "\fB\-pubin\fR" 4 +.IX Item "-pubin" +By default, a private key is read from the input file. With this option a +public key is read instead. +.IP "\fB\-pubout\fR" 4 +.IX Item "-pubout" +By default, a private key is output. With this option a public +key will be output instead. This option is automatically set if the input is +a public key. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBdsa\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 private key format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\- +\& \-\-\-\-\-END DSA PRIVATE KEY\-\-\-\-\- +.Ve +.PP +The \s-1PEM\s0 public key format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\- +\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To remove the pass phrase on a \s-1DSA\s0 private key: +.PP +.Vb 1 +\& openssl dsa \-in key.pem \-out keyout.pem +.Ve +.PP +To encrypt a private key using triple \s-1DES:\s0 +.PP +.Vb 1 +\& openssl dsa \-in key.pem \-des3 \-out keyout.pem +.Ve +.PP +To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl dsa \-in key.pem \-outform DER \-out keyout.der +.Ve +.PP +To print out the components of a private key to standard output: +.PP +.Vb 1 +\& openssl dsa \-in key.pem \-text \-noout +.Ve +.PP +To just output the public part of a private key: +.PP +.Vb 1 +\& openssl dsa \-in key.pem \-pubout \-out pubkey.pem +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIdsaparam\fR\|(1), \fIgendsa\fR\|(1), \fIrsa\fR\|(1), +\&\fIgenrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1 new file mode 100644 index 000000000000..b9c6088097d1 --- /dev/null +++ b/secure/usr.bin/openssl/man/dsaparam.1 @@ -0,0 +1,241 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DSAPARAM 1" +.TH DSAPARAM 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-dsaparam, dsaparam \- DSA parameter manipulation and generation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl dsaparam\fR +[\fB\-help\fR] +[\fB\-inform DER|PEM\fR] +[\fB\-outform DER|PEM\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-text\fR] +[\fB\-C\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-genkey\fR] +[\fB\-engine id\fR] +[\fBnumbits\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to manipulate or generate \s-1DSA\s0 parameter files. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded +form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting +of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists +of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read parameters from or standard input if +this option is not specified. If the \fBnumbits\fR parameter is included then +this option will be ignored. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename parameters to. Standard output is used +if this option is not present. The output filename should \fBnot\fR be the same +as the input filename. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option inhibits the output of the encoded version of the parameters. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +This option prints out the \s-1DSA\s0 parameters in human readable form. +.IP "\fB\-C\fR" 4 +.IX Item "-C" +This option converts the parameters into C code. The parameters can then +be loaded by calling the \fIget_dsaXXX()\fR function. +.IP "\fB\-genkey\fR" 4 +.IX Item "-genkey" +This option will generate a \s-1DSA\s0 either using the specified or generated +parameters. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fBnumbits\fR" 4 +.IX Item "numbits" +This option specifies that a parameter set should be generated of size +\&\fBnumbits\fR. It must be the last option. If this option is included then +the input file (if any) is ignored. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBdsaparam\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1PEM\s0 format \s-1DSA\s0 parameters use the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN DSA PARAMETERS\-\-\-\-\- +\& \-\-\-\-\-END DSA PARAMETERS\-\-\-\-\- +.Ve +.PP +\&\s-1DSA\s0 parameter generation is a slow process and as a result the same set of +\&\s-1DSA\s0 parameters is often used to generate several distinct keys. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIgendsa\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1 new file mode 100644 index 000000000000..b2288579a600 --- /dev/null +++ b/secure/usr.bin/openssl/man/ec.1 @@ -0,0 +1,325 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EC 1" +.TH EC 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-ec, ec \- EC key processing +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBec\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-param_out\fR] +[\fB\-pubin\fR] +[\fB\-pubout\fR] +[\fB\-conv_form arg\fR] +[\fB\-param_enc arg\fR] +[\fB\-no_public\fR] +[\fB\-check\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBec\fR command processes \s-1EC\s0 keys. They can be converted between various +forms and their components printed out. \fBNote\fR OpenSSL uses the +private key format specified in '\s-1SEC 1:\s0 Elliptic Curve Cryptography' +(http://www.secg.org/). To convert an OpenSSL \s-1EC\s0 private key into the +PKCS#8 private key format use the \fBpkcs8\fR command. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses +an \s-1ASN.1 DER\s0 encoded \s-1SEC1\s0 private key. When used with a public key it +uses the SubjectPublicKeyInfo structure as specified in \s-1RFC 3280.\s0 +The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 +encoded with additional header and footer lines. In the case of a private key +PKCS#8 format is also accepted. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output by +is not specified. If any encryption options are set then a pass phrase will be +prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.IP "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +The output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-des|\-des3|\-idea\fR" 4 +.IX Item "-des|-des3|-idea" +These options encrypt the private key with the \s-1DES,\s0 triple \s-1DES, IDEA\s0 or +any other cipher supported by OpenSSL before outputting it. A pass phrase is +prompted for. +If none of these options is specified the key is written in plain text. This +means that using the \fBec\fR utility to read in an encrypted key with no +encryption option can be used to remove the pass phrase from a key, or by +setting the encryption options it can be use to add or change the pass phrase. +These options can only be used with \s-1PEM\s0 format output files. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the public, private key components and parameters. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option prevents output of the encoded version of the key. +.IP "\fB\-modulus\fR" 4 +.IX Item "-modulus" +This option prints out the value of the public key component of the key. +.IP "\fB\-pubin\fR" 4 +.IX Item "-pubin" +By default, a private key is read from the input file. With this option a +public key is read instead. +.IP "\fB\-pubout\fR" 4 +.IX Item "-pubout" +By default a private key is output. With this option a public +key will be output instead. This option is automatically set if the input is +a public key. +.IP "\fB\-conv_form\fR" 4 +.IX Item "-conv_form" +This specifies how the points on the elliptic curve are converted +into octet strings. Possible values are: \fBcompressed\fR (the default +value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding +the point conversion forms please read the X9.62 standard. +\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled +by default for binary curves and can be enabled by defining +the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time. +.IP "\fB\-param_enc arg\fR" 4 +.IX Item "-param_enc arg" +This specifies how the elliptic curve parameters are encoded. +Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are +specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are +explicitly given (see \s-1RFC 3279\s0 for the definition of the +\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR. +\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0 +is currently not implemented in OpenSSL. +.IP "\fB\-no_public\fR" 4 +.IX Item "-no_public" +This option omits the public key components from the private key output. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +This option checks the consistency of an \s-1EC\s0 private or public key. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBec\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 private key format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\- +\& \-\-\-\-\-END EC PRIVATE KEY\-\-\-\-\- +.Ve +.PP +The \s-1PEM\s0 public key format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\- +\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To encrypt a private key using triple \s-1DES:\s0 +.PP +.Vb 1 +\& openssl ec \-in key.pem \-des3 \-out keyout.pem +.Ve +.PP +To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl ec \-in key.pem \-outform DER \-out keyout.der +.Ve +.PP +To print out the components of a private key to standard output: +.PP +.Vb 1 +\& openssl ec \-in key.pem \-text \-noout +.Ve +.PP +To just output the public part of a private key: +.PP +.Vb 1 +\& openssl ec \-in key.pem \-pubout \-out pubkey.pem +.Ve +.PP +To change the parameters encoding to \fBexplicit\fR: +.PP +.Vb 1 +\& openssl ec \-in key.pem \-param_enc explicit \-out keyout.pem +.Ve +.PP +To change the point conversion form to \fBcompressed\fR: +.PP +.Vb 1 +\& openssl ec \-in key.pem \-conv_form compressed \-out keyout.pem +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIecparam\fR\|(1), \fIdsa\fR\|(1), \fIrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2003\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1 new file mode 100644 index 000000000000..a422cf92a865 --- /dev/null +++ b/secure/usr.bin/openssl/man/ecparam.1 @@ -0,0 +1,308 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ECPARAM 1" +.TH ECPARAM 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-ecparam, ecparam \- EC parameter manipulation and generation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl ecparam\fR +[\fB\-help\fR] +[\fB\-inform DER|PEM\fR] +[\fB\-outform DER|PEM\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-text\fR] +[\fB\-C\fR] +[\fB\-check\fR] +[\fB\-name arg\fR] +[\fB\-list_curves\fR] +[\fB\-conv_form arg\fR] +[\fB\-param_enc arg\fR] +[\fB\-no_seed\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-genkey\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to manipulate or generate \s-1EC\s0 parameter files. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN.1 DER\s0 encoded +form compatible with \s-1RFC 3279\s0 EcpkParameters. The \s-1PEM\s0 form is the default +format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional +header and footer lines. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read parameters from or standard input if +this option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename parameters to. Standard output is used +if this option is not present. The output filename should \fBnot\fR be the same +as the input filename. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option inhibits the output of the encoded version of the parameters. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +This option prints out the \s-1EC\s0 parameters in human readable form. +.IP "\fB\-C\fR" 4 +.IX Item "-C" +This option converts the \s-1EC\s0 parameters into C code. The parameters can then +be loaded by calling the \fIget_ec_group_XXX()\fR function. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +Validate the elliptic curve parameters. +.IP "\fB\-name arg\fR" 4 +.IX Item "-name arg" +Use the \s-1EC\s0 parameters with the specified 'short' name. Use \fB\-list_curves\fR +to get a list of all currently implemented \s-1EC\s0 parameters. +.IP "\fB\-list_curves\fR" 4 +.IX Item "-list_curves" +If this options is specified \fBecparam\fR will print out a list of all +currently implemented \s-1EC\s0 parameters names and exit. +.IP "\fB\-conv_form\fR" 4 +.IX Item "-conv_form" +This specifies how the points on the elliptic curve are converted +into octet strings. Possible values are: \fBcompressed\fR, \fBuncompressed\fR (the +default value) and \fBhybrid\fR. For more information regarding +the point conversion forms please read the X9.62 standard. +\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled +by default for binary curves and can be enabled by defining +the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time. +.IP "\fB\-param_enc arg\fR" 4 +.IX Item "-param_enc arg" +This specifies how the elliptic curve parameters are encoded. +Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are +specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are +explicitly given (see \s-1RFC 3279\s0 for the definition of the +\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR. +\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0 +is currently not implemented in OpenSSL. +.IP "\fB\-no_seed\fR" 4 +.IX Item "-no_seed" +This option inhibits that the 'seed' for the parameter generation +is included in the ECParameters structure (see \s-1RFC 3279\s0). +.IP "\fB\-genkey\fR" 4 +.IX Item "-genkey" +This option will generate an \s-1EC\s0 private key using the specified parameters. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBecparam\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1PEM\s0 format \s-1EC\s0 parameters use the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN EC PARAMETERS\-\-\-\-\- +\& \-\-\-\-\-END EC PARAMETERS\-\-\-\-\- +.Ve +.PP +OpenSSL is currently not able to generate new groups and therefore +\&\fBecparam\fR can only create \s-1EC\s0 parameters from known (named) curves. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To create \s-1EC\s0 parameters with the group 'prime192v1': +.PP +.Vb 1 +\& openssl ecparam \-out ec_param.pem \-name prime192v1 +.Ve +.PP +To create \s-1EC\s0 parameters with explicit parameters: +.PP +.Vb 1 +\& openssl ecparam \-out ec_param.pem \-name prime192v1 \-param_enc explicit +.Ve +.PP +To validate given \s-1EC\s0 parameters: +.PP +.Vb 1 +\& openssl ecparam \-in ec_param.pem \-check +.Ve +.PP +To create \s-1EC\s0 parameters and a private key: +.PP +.Vb 1 +\& openssl ecparam \-out ec_key.pem \-name prime192v1 \-genkey +.Ve +.PP +To change the point encoding to 'compressed': +.PP +.Vb 1 +\& openssl ecparam \-in ec_in.pem \-out ec_out.pem \-conv_form compressed +.Ve +.PP +To print out the \s-1EC\s0 parameters to standard output: +.PP +.Vb 1 +\& openssl ecparam \-in ec_param.pem \-noout \-text +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIec\fR\|(1), \fIdsaparam\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2003\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1 new file mode 100644 index 000000000000..c39476ff7383 --- /dev/null +++ b/secure/usr.bin/openssl/man/enc.1 @@ -0,0 +1,533 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ENC 1" +.TH ENC 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-enc, enc \- symmetric cipher routines +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl enc \-\f(BIcipher\fB\fR +[\fB\-help\fR] +[\fB\-ciphers\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-pass arg\fR] +[\fB\-e\fR] +[\fB\-d\fR] +[\fB\-a\fR] +[\fB\-base64\fR] +[\fB\-A\fR] +[\fB\-k password\fR] +[\fB\-kfile filename\fR] +[\fB\-K key\fR] +[\fB\-iv \s-1IV\s0\fR] +[\fB\-S salt\fR] +[\fB\-salt\fR] +[\fB\-nosalt\fR] +[\fB\-z\fR] +[\fB\-md digest\fR] +[\fB\-iter count\fR] +[\fB\-pbkdf2\fR] +[\fB\-p\fR] +[\fB\-P\fR] +[\fB\-bufsize number\fR] +[\fB\-nopad\fR] +[\fB\-debug\fR] +[\fB\-none\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-engine id\fR] +.PP +\&\fBopenssl\fR \fI[cipher]\fR [\fB...\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The symmetric cipher commands allow data to be encrypted or decrypted +using various block and stream ciphers using keys based on passwords +or explicitly provided. Base64 encoding or decoding can also be performed +either by itself or in addition to the encryption or decryption. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-ciphers\fR" 4 +.IX Item "-ciphers" +List all supported ciphers. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +The input filename, standard input by default. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +The output filename, standard output by default. +.IP "\fB\-pass arg\fR" 4 +.IX Item "-pass arg" +The password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-e\fR" 4 +.IX Item "-e" +Encrypt the input data: this is the default. +.IP "\fB\-d\fR" 4 +.IX Item "-d" +Decrypt the input data. +.IP "\fB\-a\fR" 4 +.IX Item "-a" +Base64 process the data. This means that if encryption is taking place +the data is base64 encoded after encryption. If decryption is set then +the input data is base64 decoded before being decrypted. +.IP "\fB\-base64\fR" 4 +.IX Item "-base64" +Same as \fB\-a\fR +.IP "\fB\-A\fR" 4 +.IX Item "-A" +If the \fB\-a\fR option is set then base64 process the data on one line. +.IP "\fB\-k password\fR" 4 +.IX Item "-k password" +The password to derive the key from. This is for compatibility with previous +versions of OpenSSL. Superseded by the \fB\-pass\fR argument. +.IP "\fB\-kfile filename\fR" 4 +.IX Item "-kfile filename" +Read the password to derive the key from the first line of \fBfilename\fR. +This is for compatibility with previous versions of OpenSSL. Superseded by +the \fB\-pass\fR argument. +.IP "\fB\-md digest\fR" 4 +.IX Item "-md digest" +Use the specified digest to create the key from the passphrase. +The default algorithm is sha\-256. +.IP "\fB\-iter count\fR" 4 +.IX Item "-iter count" +Use a given number of iterations on the password in deriving the encryption key. +High values increase the time required to brute-force the resulting file. +This option enables the use of \s-1PBKDF2\s0 algorithm to derive the key. +.IP "\fB\-pbkdf2\fR" 4 +.IX Item "-pbkdf2" +Use \s-1PBKDF2\s0 algorithm with default iteration count unless otherwise specified. +.IP "\fB\-nosalt\fR" 4 +.IX Item "-nosalt" +Don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be +used except for test purposes or compatibility with ancient versions of +OpenSSL. +.IP "\fB\-salt\fR" 4 +.IX Item "-salt" +Use salt (randomly generated or provide with \fB\-S\fR option) when +encrypting, this is the default. +.IP "\fB\-S salt\fR" 4 +.IX Item "-S salt" +The actual salt to use: this must be represented as a string of hex digits. +.IP "\fB\-K key\fR" 4 +.IX Item "-K key" +The actual key to use: this must be represented as a string comprised only +of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified +using the \fB\-iv\fR option. When both a key and a password are specified, the +key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the +password will be taken. It does not make much sense to specify both key +and password. +.IP "\fB\-iv \s-1IV\s0\fR" 4 +.IX Item "-iv IV" +The actual \s-1IV\s0 to use: this must be represented as a string comprised only +of hex digits. When only the key is specified using the \fB\-K\fR option, the +\&\s-1IV\s0 must explicitly be defined. When a password is being specified using +one of the other options, the \s-1IV\s0 is generated from this password. +.IP "\fB\-p\fR" 4 +.IX Item "-p" +Print out the key and \s-1IV\s0 used. +.IP "\fB\-P\fR" 4 +.IX Item "-P" +Print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption +or decryption. +.IP "\fB\-bufsize number\fR" 4 +.IX Item "-bufsize number" +Set the buffer size for I/O. +.IP "\fB\-nopad\fR" 4 +.IX Item "-nopad" +Disable standard block padding. +.IP "\fB\-debug\fR" 4 +.IX Item "-debug" +Debug the BIOs used for I/O. +.IP "\fB\-z\fR" 4 +.IX Item "-z" +Compress or decompress clear text using zlib before encryption or after +decryption. This option exists only if OpenSSL with compiled with zlib +or zlib-dynamic option. +.IP "\fB\-none\fR" 4 +.IX Item "-none" +Use \s-1NULL\s0 cipher (no encryption or decryption of input). +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.SH "NOTES" +.IX Header "NOTES" +The program can be called either as \fBopenssl cipher\fR or +\&\fBopenssl enc \-cipher\fR. The first form doesn't work with +engine-provided ciphers, because this form is processed before the +configuration file is read and any ENGINEs loaded. +Use the \fBlist\fR command to get a list of supported ciphers. +.PP +Engines which provide entirely new encryption algorithms (such as the ccgost +engine which provides gost89 algorithm) should be configured in the +configuration file. Engines specified on the command line using \-engine +options can only be used for hardware-assisted implementations of +ciphers which are supported by the OpenSSL core or another engine specified +in the configuration file. +.PP +When the enc command lists supported ciphers, ciphers provided by engines, +specified in the configuration files are listed too. +.PP +A password will be prompted for to derive the key and \s-1IV\s0 if necessary. +.PP +The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived +from a password unless you want compatibility with previous versions of +OpenSSL. +.PP +Without the \fB\-salt\fR option it is possible to perform efficient dictionary +attacks on the password and to attack stream cipher encrypted data. The reason +for this is that without the salt the same password always generates the same +encryption key. When the salt is being used the first eight bytes of the +encrypted data are reserved for the salt: it is generated at random when +encrypting a file and read from the encrypted file when it is decrypted. +.PP +Some of the ciphers do not have large keys and others have security +implications if not used correctly. A beginner is advised to just use +a strong block cipher, such as \s-1AES,\s0 in \s-1CBC\s0 mode. +.PP +All the block ciphers normally use PKCS#5 padding, also known as standard +block padding. This allows a rudimentary integrity or password check to +be performed. However since the chance of random data passing the test +is better than 1 in 256 it isn't a very good test. +.PP +If padding is disabled then the input data must be a multiple of the cipher +block length. +.PP +All \s-1RC2\s0 ciphers have the same key and effective key length. +.PP +Blowfish and \s-1RC5\s0 algorithms use a 128 bit key. +.SH "SUPPORTED CIPHERS" +.IX Header "SUPPORTED CIPHERS" +Note that some of these ciphers can be disabled at compile time +and some are available only if an appropriate engine is configured +in the configuration file. The output of the \fBenc\fR command run with +the \fB\-ciphers\fR option (that is \fBopenssl enc \-ciphers\fR) produces a +list of ciphers, supported by your version of OpenSSL, including +ones provided by configured engines. +.PP +The \fBenc\fR program does not support authenticated encryption modes +like \s-1CCM\s0 and \s-1GCM,\s0 and will not support such modes in the future. +The \fBenc\fR interface by necessity must begin streaming output (e.g., +to standard output when \fB\-out\fR is not used) before the authentication +tag could be validated, leading to the usage of \fBenc\fR in pipelines +that begin processing untrusted data and are not capable of rolling +back upon authentication failure. The \s-1AEAD\s0 modes currently in common +use also suffer from catastrophic failure of confidentiality and/or +integrity upon reuse of key/iv/nonce, and since \fBenc\fR places the +entire burden of key/iv/nonce management upon the user, the risk of +exposing \s-1AEAD\s0 modes is too great to allow. These key/iv/nonce +management issues also affect other modes currently exposed in \fBenc\fR, +but the failure modes are less extreme in these cases, and the +functionality cannot be removed with a stable release branch. +For bulk encryption of data, whether using authenticated encryption +modes or other modes, \fIcms\fR\|(1) is recommended, as it provides a +standard data format and performs the needed key/iv/nonce management. +.PP +.Vb 1 +\& base64 Base 64 +\& +\& bf\-cbc Blowfish in CBC mode +\& bf Alias for bf\-cbc +\& blowfish Alias for bf\-cbc +\& bf\-cfb Blowfish in CFB mode +\& bf\-ecb Blowfish in ECB mode +\& bf\-ofb Blowfish in OFB mode +\& +\& cast\-cbc CAST in CBC mode +\& cast Alias for cast\-cbc +\& cast5\-cbc CAST5 in CBC mode +\& cast5\-cfb CAST5 in CFB mode +\& cast5\-ecb CAST5 in ECB mode +\& cast5\-ofb CAST5 in OFB mode +\& +\& chacha20 ChaCha20 algorithm +\& +\& des\-cbc DES in CBC mode +\& des Alias for des\-cbc +\& des\-cfb DES in CFB mode +\& des\-ofb DES in OFB mode +\& des\-ecb DES in ECB mode +\& +\& des\-ede\-cbc Two key triple DES EDE in CBC mode +\& des\-ede Two key triple DES EDE in ECB mode +\& des\-ede\-cfb Two key triple DES EDE in CFB mode +\& des\-ede\-ofb Two key triple DES EDE in OFB mode +\& +\& des\-ede3\-cbc Three key triple DES EDE in CBC mode +\& des\-ede3 Three key triple DES EDE in ECB mode +\& des3 Alias for des\-ede3\-cbc +\& des\-ede3\-cfb Three key triple DES EDE CFB mode +\& des\-ede3\-ofb Three key triple DES EDE in OFB mode +\& +\& desx DESX algorithm. +\& +\& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine) +\& gost89\-cnt \`GOST 28147\-89 in CNT mode (provided by ccgost engine) +\& +\& idea\-cbc IDEA algorithm in CBC mode +\& idea same as idea\-cbc +\& idea\-cfb IDEA in CFB mode +\& idea\-ecb IDEA in ECB mode +\& idea\-ofb IDEA in OFB mode +\& +\& rc2\-cbc 128 bit RC2 in CBC mode +\& rc2 Alias for rc2\-cbc +\& rc2\-cfb 128 bit RC2 in CFB mode +\& rc2\-ecb 128 bit RC2 in ECB mode +\& rc2\-ofb 128 bit RC2 in OFB mode +\& rc2\-64\-cbc 64 bit RC2 in CBC mode +\& rc2\-40\-cbc 40 bit RC2 in CBC mode +\& +\& rc4 128 bit RC4 +\& rc4\-64 64 bit RC4 +\& rc4\-40 40 bit RC4 +\& +\& rc5\-cbc RC5 cipher in CBC mode +\& rc5 Alias for rc5\-cbc +\& rc5\-cfb RC5 cipher in CFB mode +\& rc5\-ecb RC5 cipher in ECB mode +\& rc5\-ofb RC5 cipher in OFB mode +\& +\& seed\-cbc SEED cipher in CBC mode +\& seed Alias for seed\-cbc +\& seed\-cfb SEED cipher in CFB mode +\& seed\-ecb SEED cipher in ECB mode +\& seed\-ofb SEED cipher in OFB mode +\& +\& sm4\-cbc SM4 cipher in CBC mode +\& sm4 Alias for sm4\-cbc +\& sm4\-cfb SM4 cipher in CFB mode +\& sm4\-ctr SM4 cipher in CTR mode +\& sm4\-ecb SM4 cipher in ECB mode +\& sm4\-ofb SM4 cipher in OFB mode +\& +\& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode +\& aes[128|192|256] Alias for aes\-[128|192|256]\-cbc +\& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode +\& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode +\& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode +\& aes\-[128|192|256]\-ctr 128/192/256 bit AES in CTR mode +\& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode +\& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode +\& +\& aria\-[128|192|256]\-cbc 128/192/256 bit ARIA in CBC mode +\& aria[128|192|256] Alias for aria\-[128|192|256]\-cbc +\& aria\-[128|192|256]\-cfb 128/192/256 bit ARIA in 128 bit CFB mode +\& aria\-[128|192|256]\-cfb1 128/192/256 bit ARIA in 1 bit CFB mode +\& aria\-[128|192|256]\-cfb8 128/192/256 bit ARIA in 8 bit CFB mode +\& aria\-[128|192|256]\-ctr 128/192/256 bit ARIA in CTR mode +\& aria\-[128|192|256]\-ecb 128/192/256 bit ARIA in ECB mode +\& aria\-[128|192|256]\-ofb 128/192/256 bit ARIA in OFB mode +\& +\& camellia\-[128|192|256]\-cbc 128/192/256 bit Camellia in CBC mode +\& camellia[128|192|256] Alias for camellia\-[128|192|256]\-cbc +\& camellia\-[128|192|256]\-cfb 128/192/256 bit Camellia in 128 bit CFB mode +\& camellia\-[128|192|256]\-cfb1 128/192/256 bit Camellia in 1 bit CFB mode +\& camellia\-[128|192|256]\-cfb8 128/192/256 bit Camellia in 8 bit CFB mode +\& camellia\-[128|192|256]\-ctr 128/192/256 bit Camellia in CTR mode +\& camellia\-[128|192|256]\-ecb 128/192/256 bit Camellia in ECB mode +\& camellia\-[128|192|256]\-ofb 128/192/256 bit Camellia in OFB mode +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Just base64 encode a binary file: +.PP +.Vb 1 +\& openssl base64 \-in file.bin \-out file.b64 +.Ve +.PP +Decode the same file +.PP +.Vb 1 +\& openssl base64 \-d \-in file.b64 \-out file.bin +.Ve +.PP +Encrypt a file using \s-1AES\-128\s0 using a prompted password +and \s-1PBKDF2\s0 key derivation: +.PP +.Vb 1 +\& openssl enc \-aes128 \-pbkdf2 \-in file.txt \-out file.aes128 +.Ve +.PP +Decrypt a file using a supplied password: +.PP +.Vb 2 +\& openssl enc \-aes128 \-pbkdf2 \-d \-in file.aes128 \-out file.txt \e +\& \-pass pass:<password> +.Ve +.PP +Encrypt a file then base64 encode it (so it can be sent via mail for example) +using \s-1AES\-256\s0 in \s-1CTR\s0 mode and \s-1PBKDF2\s0 key derivation: +.PP +.Vb 1 +\& openssl enc \-aes\-256\-ctr \-pbkdf2 \-a \-in file.txt \-out file.aes256 +.Ve +.PP +Base64 decode a file then decrypt it using a password supplied in a file: +.PP +.Vb 2 +\& openssl enc \-aes\-256\-ctr \-pbkdf2 \-d \-a \-in file.aes256 \-out file.txt \e +\& \-pass file:<passfile> +.Ve +.SH "BUGS" +.IX Header "BUGS" +The \fB\-A\fR option when used with large files doesn't work properly. +.PP +The \fBenc\fR program only supports a fixed number of algorithms with +certain parameters. So if, for example, you want to use \s-1RC2\s0 with a +76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program. +.SH "HISTORY" +.IX Header "HISTORY" +The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in Openssl 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/engine.1 b/secure/usr.bin/openssl/man/engine.1 new file mode 100644 index 000000000000..851f31e46ae3 --- /dev/null +++ b/secure/usr.bin/openssl/man/engine.1 @@ -0,0 +1,236 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ENGINE 1" +.TH ENGINE 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-engine, engine \- load and query engines +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl engine\fR +[ \fIengine...\fR ] +[\fB\-v\fR] +[\fB\-vv\fR] +[\fB\-vvv\fR] +[\fB\-vvv\fR] +[\fB\-vvv\fR] +[\fB\-c\fR] +[\fB\-t\fR] +[\fB\-tt\fR] +[\fB\-pre\fR \fIcommand\fR] +[\fB\-post\fR \fIcommand\fR] +[ \fIengine...\fR ] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBengine\fR command is used to query the status and capabilities +of the specified \fBengine\fR's. +Engines may be specified before and after all other command-line flags. +Only those specified are queried. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-v\fR \fB\-vv\fR \fB\-vvv\fR \fB\-vvvv\fR" 4 +.IX Item "-v -vv -vvv -vvvv" +Provides information about each specified engine. The first flag lists +all the possible run-time control commands; the second adds a +description of each command; the third adds the input flags, and the +final option adds the internal input flags. +.IP "\fB\-c\fR" 4 +.IX Item "-c" +Lists the capabilities of each engine. +.IP "\fB\-t\fR" 4 +.IX Item "-t" +Tests if each specified engine is available, and displays the answer. +.IP "\fB\-tt\fR" 4 +.IX Item "-tt" +Displays an error trace for any unavailable engine. +.IP "\fB\-pre\fR \fIcommand\fR" 4 +.IX Item "-pre command" +.PD 0 +.IP "\fB\-post\fR \fIcommand\fR" 4 +.IX Item "-post command" +.PD +Command-line configuration of engines. +The \fB\-pre\fR command is given to the engine before it is loaded and +the \fB\-post\fR command is given after the engine is loaded. +The \fIcommand\fR is of the form \fIcmd:val\fR where \fIcmd\fR is the command, +and \fIval\fR is the value for the command. +See the example below. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +To list all the commands available to a dynamic engine: +.PP +.Vb 10 +\& $ openssl engine \-t \-tt \-vvvv dynamic +\& (dynamic) Dynamic engine loading support +\& [ unavailable ] +\& SO_PATH: Specifies the path to the new ENGINE shared library +\& (input flags): STRING +\& NO_VCHECK: Specifies to continue even if version checking fails (boolean) +\& (input flags): NUMERIC +\& ID: Specifies an ENGINE id name for loading +\& (input flags): STRING +\& LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory) +\& (input flags): NUMERIC +\& DIR_LOAD: Specifies whether to load from \*(AqDIR_ADD\*(Aq directories (0=no,1=yes,2=mandatory) +\& (input flags): NUMERIC +\& DIR_ADD: Adds a directory from which ENGINEs can be loaded +\& (input flags): STRING +\& LOAD: Load up the ENGINE specified by other settings +\& (input flags): NO_INPUT +.Ve +.PP +To list the capabilities of the \fIrsax\fR engine: +.PP +.Vb 4 +\& $ openssl engine \-c +\& (rsax) RSAX engine support +\& [RSA] +\& (dynamic) Dynamic engine loading support +.Ve +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4 +.IX Item "OPENSSL_ENGINES" +The path to the engines directory. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIconfig\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1 new file mode 100644 index 000000000000..25f92828f289 --- /dev/null +++ b/secure/usr.bin/openssl/man/errstr.1 @@ -0,0 +1,177 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ERRSTR 1" +.TH ERRSTR 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-errstr, errstr \- lookup error codes +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl errstr error_code\fR +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Sometimes an application will not load error message and only +numerical forms will be available. The \fBerrstr\fR utility can be used to +display the meaning of the hex code. The hex code is the hex digits after the +second colon. +.SH "OPTIONS" +.IX Header "OPTIONS" +None. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +The error code: +.PP +.Vb 1 +\& 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107: +.Ve +.PP +can be displayed with: +.PP +.Vb 1 +\& openssl errstr 2006D080 +.Ve +.PP +to produce the error message: +.PP +.Vb 1 +\& error:2006D080:BIO routines:BIO_new_file:no such file +.Ve +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1 new file mode 100644 index 000000000000..cdcaaf281d71 --- /dev/null +++ b/secure/usr.bin/openssl/man/gendsa.1 @@ -0,0 +1,215 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "GENDSA 1" +.TH GENDSA 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-gendsa, gendsa \- generate a DSA private key from a set of parameters +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBgendsa\fR +[\fB\-help\fR] +[\fB\-out filename\fR] +[\fB\-aes128\fR] +[\fB\-aes192\fR] +[\fB\-aes256\fR] +[\fB\-aria128\fR] +[\fB\-aria192\fR] +[\fB\-aria256\fR] +[\fB\-camellia128\fR] +[\fB\-camellia192\fR] +[\fB\-camellia256\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-engine id\fR] +[\fBparamfile\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file +(which will be typically generated by the \fBopenssl dsaparam\fR command). +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Output the key to the specified file. If this argument is not specified then +standard output is used. +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4 +.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea" +These options encrypt the private key with specified +cipher before outputting it. A pass phrase is prompted for. +If none of these options is specified no encryption is used. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBgendsa\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fBparamfile\fR" 4 +.IX Item "paramfile" +This option specifies the \s-1DSA\s0 parameter file to use. The parameters in this +file determine the size of the private key. \s-1DSA\s0 parameters can be generated +and examined using the \fBopenssl dsaparam\fR command. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1DSA\s0 key generation is little more than random number generation so it is +much quicker that \s-1RSA\s0 key generation for example. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIdsaparam\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1 new file mode 100644 index 000000000000..1fd374770d10 --- /dev/null +++ b/secure/usr.bin/openssl/man/genpkey.1 @@ -0,0 +1,430 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "GENPKEY 1" +.TH GENPKEY 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-genpkey, genpkey \- generate a private key +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBgenpkey\fR +[\fB\-help\fR] +[\fB\-out filename\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-pass arg\fR] +[\fB\-\f(BIcipher\fB\fR] +[\fB\-engine id\fR] +[\fB\-paramfile file\fR] +[\fB\-algorithm alg\fR] +[\fB\-pkeyopt opt:value\fR] +[\fB\-genparam\fR] +[\fB\-text\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBgenpkey\fR command generates a private key. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Output the key to the specified file. If this argument is not specified then +standard output is used. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0 +.IP "\fB\-pass arg\fR" 4 +.IX Item "-pass arg" +The output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-\f(BIcipher\fB\fR" 4 +.IX Item "-cipher" +This option encrypts the private key with the supplied cipher. Any algorithm +name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. If used this option should precede all other +options. +.IP "\fB\-algorithm alg\fR" 4 +.IX Item "-algorithm alg" +Public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must +precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR +are mutually exclusive. Engines may add algorithms in addition to the standard +built-in ones. +.Sp +Valid built-in algorithm names for private key generation are \s-1RSA,\s0 RSA-PSS, \s-1EC, +X25519, X448, ED25519\s0 and \s-1ED448.\s0 +.Sp +Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR +option) are \s-1DH, DSA\s0 and \s-1EC.\s0 +.Sp +Note that the algorithm name X9.42 \s-1DH\s0 may be used as a synonym for the \s-1DH\s0 +algorithm. These are identical and do not indicate the type of parameters that +will be generated. Use the \fBdh_paramgen_type\fR option to indicate whether PKCS#3 +or X9.42 \s-1DH\s0 parameters are required. See \*(L"\s-1DH\s0 Parameter Generation Options\*(R" +below for more details. +.IP "\fB\-pkeyopt opt:value\fR" 4 +.IX Item "-pkeyopt opt:value" +Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of +options supported depends on the public key algorithm used and its +implementation. See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 and +\&\*(L"\s-1PARAMETER GENERATION OPTIONS\*(R"\s0 below for more details. +.IP "\fB\-genparam\fR" 4 +.IX Item "-genparam" +Generate a set of parameters instead of a private key. If used this option must +precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options. +.IP "\fB\-paramfile filename\fR" 4 +.IX Item "-paramfile filename" +Some public key algorithms generate a private key based on a set of parameters. +They can be supplied using this option. If this option is used the public key +algorithm used is determined by the parameters. If used this option must +precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR +are mutually exclusive. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Print an (unencrypted) text representation of private and public keys and +parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure. +.SH "KEY GENERATION OPTIONS" +.IX Header "KEY GENERATION OPTIONS" +The options supported by each algorithm and indeed each implementation of an +algorithm can vary. The options for the OpenSSL implementations are detailed +below. There are no key generation options defined for the X25519, X448, \s-1ED25519\s0 +or \s-1ED448\s0 algorithms. +.SS "\s-1RSA\s0 Key Generation Options" +.IX Subsection "RSA Key Generation Options" +.IP "\fBrsa_keygen_bits:numbits\fR" 4 +.IX Item "rsa_keygen_bits:numbits" +The number of bits in the generated key. If not specified 1024 is used. +.IP "\fBrsa_keygen_primes:numprimes\fR" 4 +.IX Item "rsa_keygen_primes:numprimes" +The number of primes in the generated key. If not specified 2 is used. +.IP "\fBrsa_keygen_pubexp:value\fR" 4 +.IX Item "rsa_keygen_pubexp:value" +The \s-1RSA\s0 public exponent value. This can be a large decimal or +hexadecimal value if preceded by \fB0x\fR. Default value is 65537. +.SS "RSA-PSS Key Generation Options" +.IX Subsection "RSA-PSS Key Generation Options" +Note: by default an \fBRSA-PSS\fR key has no parameter restrictions. +.IP "\fBrsa_keygen_bits:numbits\fR, \fBrsa_keygen_primes:numprimes\fR, \fBrsa_keygen_pubexp:value\fR" 4 +.IX Item "rsa_keygen_bits:numbits, rsa_keygen_primes:numprimes, rsa_keygen_pubexp:value" +These options have the same meaning as the \fB\s-1RSA\s0\fR algorithm. +.IP "\fBrsa_pss_keygen_md:digest\fR" 4 +.IX Item "rsa_pss_keygen_md:digest" +If set the key is restricted and can only use \fBdigest\fR for signing. +.IP "\fBrsa_pss_keygen_mgf1_md:digest\fR" 4 +.IX Item "rsa_pss_keygen_mgf1_md:digest" +If set the key is restricted and can only use \fBdigest\fR as it's \s-1MGF1\s0 +parameter. +.IP "\fBrsa_pss_keygen_saltlen:len\fR" 4 +.IX Item "rsa_pss_keygen_saltlen:len" +If set the key is restricted and \fBlen\fR specifies the minimum salt length. +.SS "\s-1EC\s0 Key Generation Options" +.IX Subsection "EC Key Generation Options" +The \s-1EC\s0 key generation options can also be used for parameter generation. +.IP "\fBec_paramgen_curve:curve\fR" 4 +.IX Item "ec_paramgen_curve:curve" +The \s-1EC\s0 curve to use. OpenSSL supports \s-1NIST\s0 curve names such as \*(L"P\-256\*(R". +.IP "\fBec_param_enc:encoding\fR" 4 +.IX Item "ec_param_enc:encoding" +The encoding to use for parameters. The \*(L"encoding\*(R" parameter must be either +\&\*(L"named_curve\*(R" or \*(L"explicit\*(R". The default value is \*(L"named_curve\*(R". +.SH "PARAMETER GENERATION OPTIONS" +.IX Header "PARAMETER GENERATION OPTIONS" +The options supported by each algorithm and indeed each implementation of an +algorithm can vary. The options for the OpenSSL implementations are detailed +below. +.SS "\s-1DSA\s0 Parameter Generation Options" +.IX Subsection "DSA Parameter Generation Options" +.IP "\fBdsa_paramgen_bits:numbits\fR" 4 +.IX Item "dsa_paramgen_bits:numbits" +The number of bits in the generated prime. If not specified 1024 is used. +.IP "\fBdsa_paramgen_q_bits:numbits\fR" 4 +.IX Item "dsa_paramgen_q_bits:numbits" +The number of bits in the q parameter. Must be one of 160, 224 or 256. If not +specified 160 is used. +.IP "\fBdsa_paramgen_md:digest\fR" 4 +.IX Item "dsa_paramgen_md:digest" +The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR +or \fBsha256\fR. If set, then the number of bits in \fBq\fR will match the output size +of the specified digest and the \fBdsa_paramgen_q_bits\fR parameter will be +ignored. If not set, then a digest will be used that gives an output matching +the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it 224 +or \fBsha256\fR if it is 256. +.SS "\s-1DH\s0 Parameter Generation Options" +.IX Subsection "DH Parameter Generation Options" +.IP "\fBdh_paramgen_prime_len:numbits\fR" 4 +.IX Item "dh_paramgen_prime_len:numbits" +The number of bits in the prime parameter \fBp\fR. The default is 1024. +.IP "\fBdh_paramgen_subprime_len:numbits\fR" 4 +.IX Item "dh_paramgen_subprime_len:numbits" +The number of bits in the sub prime parameter \fBq\fR. The default is 256 if the +prime is at least 2048 bits long or 160 otherwise. Only relevant if used in +conjunction with the \fBdh_paramgen_type\fR option to generate X9.42 \s-1DH\s0 parameters. +.IP "\fBdh_paramgen_generator:value\fR" 4 +.IX Item "dh_paramgen_generator:value" +The value to use for the generator \fBg\fR. The default is 2. +.IP "\fBdh_paramgen_type:value\fR" 4 +.IX Item "dh_paramgen_type:value" +The type of \s-1DH\s0 parameters to generate. Use 0 for PKCS#3 \s-1DH\s0 and 1 for X9.42 \s-1DH.\s0 +The default is 0. +.IP "\fBdh_rfc5114:num\fR" 4 +.IX Item "dh_rfc5114:num" +If this option is set, then the appropriate \s-1RFC5114\s0 parameters are used +instead of generating new parameters. The value \fBnum\fR can take the +values 1, 2 or 3 corresponding to \s-1RFC5114 DH\s0 parameters consisting of +1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup +and 2048 bit group with 256 bit subgroup as mentioned in \s-1RFC5114\s0 sections +2.1, 2.2 and 2.3 respectively. If present this overrides all other \s-1DH\s0 parameter +options. +.SS "\s-1EC\s0 Parameter Generation Options" +.IX Subsection "EC Parameter Generation Options" +The \s-1EC\s0 parameter generation options are the same as for key generation. See +\&\*(L"\s-1EC\s0 Key Generation Options\*(R" above. +.SH "NOTES" +.IX Header "NOTES" +The use of the genpkey program is encouraged over the algorithm specific +utilities because additional algorithm options and \s-1ENGINE\s0 provided algorithms +can be used. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Generate an \s-1RSA\s0 private key using default parameters: +.PP +.Vb 1 +\& openssl genpkey \-algorithm RSA \-out key.pem +.Ve +.PP +Encrypt output private key using 128 bit \s-1AES\s0 and the passphrase \*(L"hello\*(R": +.PP +.Vb 1 +\& openssl genpkey \-algorithm RSA \-out key.pem \-aes\-128\-cbc \-pass pass:hello +.Ve +.PP +Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent: +.PP +.Vb 2 +\& openssl genpkey \-algorithm RSA \-out key.pem \e +\& \-pkeyopt rsa_keygen_bits:2048 \-pkeyopt rsa_keygen_pubexp:3 +.Ve +.PP +Generate 2048 bit \s-1DSA\s0 parameters: +.PP +.Vb 2 +\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e +\& \-pkeyopt dsa_paramgen_bits:2048 +.Ve +.PP +Generate \s-1DSA\s0 key from parameters: +.PP +.Vb 1 +\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem +.Ve +.PP +Generate 2048 bit \s-1DH\s0 parameters: +.PP +.Vb 2 +\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e +\& \-pkeyopt dh_paramgen_prime_len:2048 +.Ve +.PP +Generate 2048 bit X9.42 \s-1DH\s0 parameters: +.PP +.Vb 3 +\& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e +\& \-pkeyopt dh_paramgen_prime_len:2048 \e +\& \-pkeyopt dh_paramgen_type:1 +.Ve +.PP +Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup: +.PP +.Vb 1 +\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt dh_rfc5114:2 +.Ve +.PP +Generate \s-1DH\s0 key from parameters: +.PP +.Vb 1 +\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem +.Ve +.PP +Generate \s-1EC\s0 parameters: +.PP +.Vb 3 +\& openssl genpkey \-genparam \-algorithm EC \-out ecp.pem \e +\& \-pkeyopt ec_paramgen_curve:secp384r1 \e +\& \-pkeyopt ec_param_enc:named_curve +.Ve +.PP +Generate \s-1EC\s0 key from parameters: +.PP +.Vb 1 +\& openssl genpkey \-paramfile ecp.pem \-out eckey.pem +.Ve +.PP +Generate \s-1EC\s0 key directly: +.PP +.Vb 3 +\& openssl genpkey \-algorithm EC \-out eckey.pem \e +\& \-pkeyopt ec_paramgen_curve:P\-384 \e +\& \-pkeyopt ec_param_enc:named_curve +.Ve +.PP +Generate an X25519 private key: +.PP +.Vb 1 +\& openssl genpkey \-algorithm X25519 \-out xkey.pem +.Ve +.PP +Generate an \s-1ED448\s0 private key: +.PP +.Vb 1 +\& openssl genpkey \-algorithm ED448 \-out xkey.pem +.Ve +.SH "HISTORY" +.IX Header "HISTORY" +The ability to use \s-1NIST\s0 curve names, and to generate an \s-1EC\s0 key directly, +were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in +OpenSSL 1.1.0. The ability to generate X448, \s-1ED25519\s0 and \s-1ED448\s0 keys was added in +OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1 new file mode 100644 index 000000000000..f2221a082d6a --- /dev/null +++ b/secure/usr.bin/openssl/man/genrsa.1 @@ -0,0 +1,239 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "GENRSA 1" +.TH GENRSA 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-genrsa, genrsa \- generate an RSA private key +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBgenrsa\fR +[\fB\-help\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-aes128\fR] +[\fB\-aes192\fR] +[\fB\-aes256\fR] +[\fB\-aria128\fR] +[\fB\-aria192\fR] +[\fB\-aria256\fR] +[\fB\-camellia128\fR] +[\fB\-camellia192\fR] +[\fB\-camellia256\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-f4\fR] +[\fB\-3\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-engine id\fR] +[\fB\-primes num\fR] +[\fBnumbits\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBgenrsa\fR command generates an \s-1RSA\s0 private key. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Output the key to the specified file. If this argument is not specified then +standard output is used. +.IP "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +The output file password source. For more information about the format +of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4 +.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea" +These options encrypt the private key with specified +cipher before outputting it. If none of these options is +specified no encryption is used. If encryption is used a pass phrase is prompted +for if it is not supplied via the \fB\-passout\fR argument. +.IP "\fB\-F4|\-3\fR" 4 +.IX Item "-F4|-3" +The public exponent to use, either 65537 or 3. The default is 65537. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBgenrsa\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-primes num\fR" 4 +.IX Item "-primes num" +Specify the number of primes to use while generating the \s-1RSA\s0 key. The \fBnum\fR +parameter must be a positive integer that is greater than 1 and less than 16. +If \fBnum\fR is greater than 2, then the generated key is called a 'multi\-prime' +\&\s-1RSA\s0 key, which is defined in \s-1RFC 8017.\s0 +.IP "\fBnumbits\fR" 4 +.IX Item "numbits" +The size of the private key to generate in bits. This must be the last option +specified. The default is 2048 and values less than 512 are not allowed. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1RSA\s0 private key generation essentially involves the generation of two or more +prime numbers. When generating a private key various symbols will be output to +indicate the progress of the generation. A \fB.\fR represents each number which +has passed an initial sieve test, \fB+\fR means a number has passed a single +round of the Miller-Rabin primality test, \fB*\fR means the current prime starts +a regenerating progress due to some failed tests. A newline means that the number +has passed all the prime tests (the actual number depends on the key size). +.PP +Because key generation is a random process the time taken to generate a key +may vary somewhat. But in general, more primes lead to less generation time +of a key. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIgendsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/list.1 b/secure/usr.bin/openssl/man/list.1 new file mode 100644 index 000000000000..8b0d6cf3486f --- /dev/null +++ b/secure/usr.bin/openssl/man/list.1 @@ -0,0 +1,207 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "LIST 1" +.TH LIST 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-list, list \- list algorithms and features +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl list\fR +[\fB\-help\fR] +[\fB\-1\fR] +[\fB\-commands\fR] +[\fB\-digest\-commands\fR] +[\fB\-digest\-algorithms\fR] +[\fB\-cipher\-commands\fR] +[\fB\-cipher\-algorithms\fR] +[\fB\-public\-key\-algorithms\fR] +[\fB\-public\-key\-methods\fR] +[\fB\-disabled\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to generate list of algorithms or disabled +features. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Display a usage message. +.IP "\fB\-1\fR" 4 +.IX Item "-1" +List the commands, digest-commands, or cipher-commands in a single column. +If used, this option must be given first. +.IP "\fB\-commands\fR" 4 +.IX Item "-commands" +Display a list of standard commands. +.IP "\fB\-digest\-commands\fR" 4 +.IX Item "-digest-commands" +Display a list of message digest commands, which are typically used +as input to the \fIdgst\fR\|(1) or \fIspeed\fR\|(1) commands. +.IP "\fB\-digest\-algorithms\fR" 4 +.IX Item "-digest-algorithms" +Display a list of message digest algorithms. +If a line is of the form + foo => bar +then \fBfoo\fR is an alias for the official algorithm name, \fBbar\fR. +.IP "\fB\-cipher\-commands\fR" 4 +.IX Item "-cipher-commands" +Display a list of cipher commands, which are typically used as input +to the \fIdgst\fR\|(1) or \fIspeed\fR\|(1) commands. +.IP "\fB\-cipher\-algorithms\fR" 4 +.IX Item "-cipher-algorithms" +Display a list of cipher algorithms. +If a line is of the form + foo => bar +then \fBfoo\fR is an alias for the official algorithm name, \fBbar\fR. +.IP "\fB\-public\-key\-algorithms\fR" 4 +.IX Item "-public-key-algorithms" +Display a list of public key algorithms, with each algorithm as +a block of multiple lines, all but the first are indented. +.IP "\fB\-public\-key\-methods\fR" 4 +.IX Item "-public-key-methods" +Display a list of public key method OIDs: this also includes public key methods +without an associated \s-1ASN.1\s0 method, for example, \s-1KDF\s0 algorithms. +.IP "\fB\-disabled\fR" 4 +.IX Item "-disabled" +Display a list of disabled features, those that were compiled out +of the installation. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1 new file mode 100644 index 000000000000..c18182844792 --- /dev/null +++ b/secure/usr.bin/openssl/man/nseq.1 @@ -0,0 +1,207 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "NSEQ 1" +.TH NSEQ 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-nseq, nseq \- create or examine a Netscape certificate sequence +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBnseq\fR +[\fB\-help\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-toseq\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBnseq\fR command takes a file containing a Netscape certificate +sequence and prints out the certificates contained in it or takes a +file of certificates and converts it into a Netscape certificate +sequence. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read or standard input if this +option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Specifies the output filename or standard output by default. +.IP "\fB\-toseq\fR" 4 +.IX Item "-toseq" +Normally a Netscape certificate sequence will be input and the output +is the certificates contained in it. With the \fB\-toseq\fR option the +situation is reversed: a Netscape certificate sequence is created from +a file of certificates. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Output the certificates in a Netscape certificate sequence +.PP +.Vb 1 +\& openssl nseq \-in nseq.pem \-out certs.pem +.Ve +.PP +Create a Netscape certificate sequence +.PP +.Vb 1 +\& openssl nseq \-in certs.pem \-toseq \-out nseq.pem +.Ve +.SH "NOTES" +.IX Header "NOTES" +The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certificate: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- +\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- +.Ve +.PP +A Netscape certificate sequence is a Netscape specific format that can be sent +to browsers as an alternative to the standard PKCS#7 format when several +certificates are sent to the browser: for example during certificate enrollment. +It is used by Netscape certificate server for example. +.SH "BUGS" +.IX Header "BUGS" +This program needs a few more options: like allowing \s-1DER\s0 or \s-1PEM\s0 input and +output files and allowing multiple certificate files to be used. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1 new file mode 100644 index 000000000000..a8c9c564d3fe --- /dev/null +++ b/secure/usr.bin/openssl/man/ocsp.1 @@ -0,0 +1,580 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OCSP 1" +.TH OCSP 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-ocsp, ocsp \- Online Certificate Status Protocol utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBocsp\fR +[\fB\-help\fR] +[\fB\-out file\fR] +[\fB\-issuer file\fR] +[\fB\-cert file\fR] +[\fB\-serial n\fR] +[\fB\-signer file\fR] +[\fB\-signkey file\fR] +[\fB\-sign_other file\fR] +[\fB\-no_certs\fR] +[\fB\-req_text\fR] +[\fB\-resp_text\fR] +[\fB\-text\fR] +[\fB\-reqout file\fR] +[\fB\-respout file\fR] +[\fB\-reqin file\fR] +[\fB\-respin file\fR] +[\fB\-nonce\fR] +[\fB\-no_nonce\fR] +[\fB\-url \s-1URL\s0\fR] +[\fB\-host host:port\fR] +[\fB\-multi process-count\fR] +[\fB\-header\fR] +[\fB\-path\fR] +[\fB\-CApath dir\fR] +[\fB\-CAfile file\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-no_check_time\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] +[\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level num\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-x509_strict\fR] +[\fB\-VAfile file\fR] +[\fB\-validity_period n\fR] +[\fB\-status_age n\fR] +[\fB\-noverify\fR] +[\fB\-verify_other file\fR] +[\fB\-trust_other\fR] +[\fB\-no_intern\fR] +[\fB\-no_signature_verify\fR] +[\fB\-no_cert_verify\fR] +[\fB\-no_chain\fR] +[\fB\-no_cert_checks\fR] +[\fB\-no_explicit\fR] +[\fB\-port num\fR] +[\fB\-ignore_err\fR] +[\fB\-index file\fR] +[\fB\-CA file\fR] +[\fB\-rsigner file\fR] +[\fB\-rkey file\fR] +[\fB\-rother file\fR] +[\fB\-rsigopt nm:v\fR] +[\fB\-resp_no_certs\fR] +[\fB\-nmin n\fR] +[\fB\-ndays n\fR] +[\fB\-resp_key_id\fR] +[\fB\-nrequest n\fR] +[\fB\-\f(BIdigest\fB\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to +determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0). +.PP +The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used +to print out requests and responses, create requests and send queries +to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself. +.SH "OPTIONS" +.IX Header "OPTIONS" +This command operates as either a client or a server. +The options are described below, divided into those two modes. +.SS "\s-1OCSP\s0 Client Options" +.IX Subsection "OCSP Client Options" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specify output filename, default is standard output. +.IP "\fB\-issuer filename\fR" 4 +.IX Item "-issuer filename" +This specifies the current issuer certificate. This option can be used +multiple times. The certificate specified in \fBfilename\fR must be in +\&\s-1PEM\s0 format. This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options. +.IP "\fB\-cert filename\fR" 4 +.IX Item "-cert filename" +Add the certificate \fBfilename\fR to the request. The issuer certificate +is taken from the previous \fBissuer\fR option, or an error occurs if no +issuer certificate is specified. +.IP "\fB\-serial num\fR" 4 +.IX Item "-serial num" +Same as the \fBcert\fR option except the certificate with serial number +\&\fBnum\fR is added to the request. The serial number is interpreted as a +decimal integer unless preceded by \fB0x\fR. Negative integers can also +be specified by preceding the value by a \fB\-\fR sign. +.IP "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4 +.IX Item "-signer filename, -signkey filename" +Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR +option and the private key specified by the \fBsignkey\fR option. If +the \fBsignkey\fR option is not present then the private key is read +from the same file as the certificate. If neither option is specified then +the \s-1OCSP\s0 request is not signed. +.IP "\fB\-sign_other filename\fR" 4 +.IX Item "-sign_other filename" +Additional certificates to include in the signed request. +.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4 +.IX Item "-nonce, -no_nonce" +Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition. +Normally if an \s-1OCSP\s0 request is input using the \fBreqin\fR option no +nonce is added: using the \fBnonce\fR option will force addition of a nonce. +If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options) +a nonce is automatically added specifying \fBno_nonce\fR overrides this. +.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4 +.IX Item "-req_text, -resp_text, -text" +Print out the text form of the \s-1OCSP\s0 request, response or both respectively. +.IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4 +.IX Item "-reqout file, -respout file" +Write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR. +.IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4 +.IX Item "-reqin file, -respin file" +Read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored +if \s-1OCSP\s0 request or response creation is implied by other options (for example +with \fBserial\fR, \fBcert\fR and \fBhost\fR options). +.IP "\fB\-url responder_url\fR" 4 +.IX Item "-url responder_url" +Specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified. +.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4 +.IX Item "-host hostname:port, -path pathname" +If the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host +\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use +or \*(L"/\*(R" by default. This is equivalent to specifying \fB\-url\fR with scheme +http:// and the given hostname, port, and pathname. +.IP "\fB\-header name=value\fR" 4 +.IX Item "-header name=value" +Adds the header \fBname\fR with the specified \fBvalue\fR to the \s-1OCSP\s0 request +that is sent to the responder. +This may be repeated. +.IP "\fB\-timeout seconds\fR" 4 +.IX Item "-timeout seconds" +Connection timeout to the \s-1OCSP\s0 responder in seconds. +On \s-1POSIX\s0 systems, when running as an \s-1OCSP\s0 responder, this option also limits +the time that the responder is willing to wait for the client request. +This time is measured from the time the responder accepts the connection until +the complete request is received. +.IP "\fB\-multi process-count\fR" 4 +.IX Item "-multi process-count" +Run the specified number of \s-1OCSP\s0 responder child processes, with the parent +process respawning child processes as needed. +Child processes will detect changes in the \s-1CA\s0 index file and automatically +reload it. +When running as a responder \fB\-timeout\fR option is recommended to limit the time +each child is willing to wait for the client's \s-1OCSP\s0 response. +This option is available on \s-1POSIX\s0 systems (that support the \fIfork()\fR and other +required unix system-calls). +.IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4 +.IX Item "-CAfile file, -CApath pathname" +File or pathname containing trusted \s-1CA\s0 certificates. These are used to verify +the signature on the \s-1OCSP\s0 response. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set different certificate verification options. +See \fIverify\fR\|(1) manual page for details. +.IP "\fB\-verify_other file\fR" 4 +.IX Item "-verify_other file" +File containing additional certificates to search when attempting to locate +the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's +certificate from the response: this option can be used to supply the necessary +certificate in such cases. +.IP "\fB\-trust_other\fR" 4 +.IX Item "-trust_other" +The certificates specified by the \fB\-verify_other\fR option should be explicitly +trusted and no additional checks will be performed on them. This is useful +when the complete responder certificate chain is not available or trusting a +root \s-1CA\s0 is not appropriate. +.IP "\fB\-VAfile file\fR" 4 +.IX Item "-VAfile file" +File containing explicitly trusted responder certificates. Equivalent to the +\&\fB\-verify_other\fR and \fB\-trust_other\fR options. +.IP "\fB\-noverify\fR" 4 +.IX Item "-noverify" +Don't attempt to verify the \s-1OCSP\s0 response signature or the nonce +values. This option will normally only be used for debugging since it +disables all verification of the responders certificate. +.IP "\fB\-no_intern\fR" 4 +.IX Item "-no_intern" +Ignore certificates contained in the \s-1OCSP\s0 response when searching for the +signers certificate. With this option the signers certificate must be specified +with either the \fB\-verify_other\fR or \fB\-VAfile\fR options. +.IP "\fB\-no_signature_verify\fR" 4 +.IX Item "-no_signature_verify" +Don't check the signature on the \s-1OCSP\s0 response. Since this option +tolerates invalid signatures on \s-1OCSP\s0 responses it will normally only be +used for testing purposes. +.IP "\fB\-no_cert_verify\fR" 4 +.IX Item "-no_cert_verify" +Don't verify the \s-1OCSP\s0 response signers certificate at all. Since this +option allows the \s-1OCSP\s0 response to be signed by any certificate it should +only be used for testing purposes. +.IP "\fB\-no_chain\fR" 4 +.IX Item "-no_chain" +Do not use certificates in the response as additional untrusted \s-1CA\s0 +certificates. +.IP "\fB\-no_explicit\fR" 4 +.IX Item "-no_explicit" +Do not explicitly trust the root \s-1CA\s0 if it is set to be trusted for \s-1OCSP\s0 signing. +.IP "\fB\-no_cert_checks\fR" 4 +.IX Item "-no_cert_checks" +Don't perform any additional checks on the \s-1OCSP\s0 response signers certificate. +That is do not make any checks to see if the signers certificate is authorised +to provide the necessary status information: as a result this option should +only be used for testing purposes. +.IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4 +.IX Item "-validity_period nsec, -status_age age" +These options specify the range of times, in seconds, which will be tolerated +in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR +time and an optional \fBnotAfter\fR time. The current time should fall between +these two values, but the interval between the two times may be only a few +seconds. In practice the \s-1OCSP\s0 responder and clients clocks may not be precisely +synchronised and so such a check may fail. To avoid this the +\&\fB\-validity_period\fR option can be used to specify an acceptable error range in +seconds, the default value is 5 minutes. +.Sp +If the \fBnotAfter\fR time is omitted from a response then this means that new +status information is immediately available. In this case the age of the +\&\fBnotBefore\fR field is checked to see it is not older than \fBage\fR seconds old. +By default this additional check is not performed. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +This option sets digest algorithm to use for certificate identification in the +\&\s-1OCSP\s0 request. Any digest supported by the OpenSSL \fBdgst\fR command can be used. +The default is \s-1SHA\-1.\s0 This option may be used multiple times to specify the +digest used by subsequent certificate identifiers. +.SS "\s-1OCSP\s0 Server Options" +.IX Subsection "OCSP Server Options" +.IP "\fB\-index indexfile\fR" 4 +.IX Item "-index indexfile" +The \fBindexfile\fR parameter is the name of a text index file in \fBca\fR +format containing certificate revocation information. +.Sp +If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder +mode, otherwise it is in client mode. The request(s) the responder +processes can be either specified on the command line (using \fBissuer\fR +and \fBserial\fR options), supplied in a file (using the \fBreqin\fR option) +or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified). +.Sp +If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options +must also be present. +.IP "\fB\-CA file\fR" 4 +.IX Item "-CA file" +\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR. +.IP "\fB\-rsigner file\fR" 4 +.IX Item "-rsigner file" +The certificate to sign \s-1OCSP\s0 responses with. +.IP "\fB\-rother file\fR" 4 +.IX Item "-rother file" +Additional certificates to include in the \s-1OCSP\s0 response. +.IP "\fB\-resp_no_certs\fR" 4 +.IX Item "-resp_no_certs" +Don't include any certificates in the \s-1OCSP\s0 response. +.IP "\fB\-resp_key_id\fR" 4 +.IX Item "-resp_key_id" +Identify the signer certificate using the key \s-1ID,\s0 default is to use the +subject name. +.IP "\fB\-rkey file\fR" 4 +.IX Item "-rkey file" +The private key to sign \s-1OCSP\s0 responses with: if not present the file +specified in the \fBrsigner\fR option is used. +.IP "\fB\-rsigopt nm:v\fR" 4 +.IX Item "-rsigopt nm:v" +Pass options to the signature algorithm when signing \s-1OCSP\s0 responses. +Names and values of these options are algorithm-specific. +.IP "\fB\-port portnum\fR" 4 +.IX Item "-port portnum" +Port to listen for \s-1OCSP\s0 requests on. The port may also be specified +using the \fBurl\fR option. +.IP "\fB\-ignore_err\fR" 4 +.IX Item "-ignore_err" +Ignore malformed requests or responses: When acting as an \s-1OCSP\s0 client, retry if +a malformed response is received. When acting as an \s-1OCSP\s0 responder, continue +running instead of terminating upon receiving a malformed request. +.IP "\fB\-nrequest number\fR" 4 +.IX Item "-nrequest number" +The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited. +.IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4 +.IX Item "-nmin minutes, -ndays days" +Number of minutes or days when fresh revocation information is available: +used in the \fBnextUpdate\fR field. If neither option is present then the +\&\fBnextUpdate\fR field is omitted meaning fresh revocation information is +immediately available. +.SH "OCSP Response verification." +.IX Header "OCSP Response verification." +\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0 +.PP +Initially the \s-1OCSP\s0 responder certificate is located and the signature on +the \s-1OCSP\s0 request checked using the responder certificate's public key. +.PP +Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate +building up a certificate chain in the process. The locations of the trusted +certificates used to build the chain can be specified by the \fBCAfile\fR +and \fBCApath\fR options or they will be looked for in the standard OpenSSL +certificates directory. +.PP +If the initial verify fails then the \s-1OCSP\s0 verify process halts with an +error. +.PP +Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0 +responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds. +.PP +Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing +\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning +extended key usage is present in the \s-1OCSP\s0 responder certificate then the +\&\s-1OCSP\s0 verify succeeds. +.PP +Otherwise, if \fB\-no_explicit\fR is \fBnot\fR set the root \s-1CA\s0 of the \s-1OCSP\s0 responders +\&\s-1CA\s0 is checked to see if it is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0 +verify succeeds. +.PP +If none of these checks is successful then the \s-1OCSP\s0 verify fails. +.PP +What this effectively means if that if the \s-1OCSP\s0 responder certificate is +authorised directly by the \s-1CA\s0 it is issuing revocation information about +(and it is correctly configured) then verification will succeed. +.PP +If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about +multiple CAs and has its own separate certificate chain then its root +\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example: +.PP +.Vb 1 +\& openssl x509 \-in ocspCA.pem \-addtrust OCSPSigning \-out trustedCA.pem +.Ve +.PP +Alternatively the responder certificate itself can be explicitly trusted +with the \fB\-VAfile\fR option. +.SH "NOTES" +.IX Header "NOTES" +As noted, most of the verify options are for testing or debugging purposes. +Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global +\&\s-1VA\s0') \fB\-VAfile\fR options need to be used. +.PP +The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is +not really usable as a full \s-1OCSP\s0 responder. It contains only a very +simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0 +queries. It also handles requests serially meaning it cannot respond to +new requests until it has processed the current one. The text index file +format of revocation is also inefficient for large quantities of revocation +data. +.PP +It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0 +script using the \fBreqin\fR and \fBrespout\fR options. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create an \s-1OCSP\s0 request and write it to a file: +.PP +.Vb 1 +\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \-reqout req.der +.Ve +.PP +Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the +response to a file, print it out in text form, and verify the response: +.PP +.Vb 2 +\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \e +\& \-url http://ocsp.myhost.com/ \-resp_text \-respout resp.der +.Ve +.PP +Read in an \s-1OCSP\s0 response and print out text form: +.PP +.Vb 1 +\& openssl ocsp \-respin resp.der \-text \-noverify +.Ve +.PP +\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate +responder certificate. All requests and responses are printed to a file. +.PP +.Vb 2 +\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem +\& \-text \-out log.txt +.Ve +.PP +As above but exit after processing one request: +.PP +.Vb 2 +\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem +\& \-nrequest 1 +.Ve +.PP +Query status information using an internally generated request: +.PP +.Vb 2 +\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem +\& \-issuer demoCA/cacert.pem \-serial 1 +.Ve +.PP +Query status information using request read from a file, and write the response +to a second file. +.PP +.Vb 2 +\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem +\& \-reqin req.der \-respout resp.der +.Ve +.SH "HISTORY" +.IX Header "HISTORY" +The \-no_alt_chains options was first added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1 new file mode 100644 index 000000000000..bd6dbf7a6976 --- /dev/null +++ b/secure/usr.bin/openssl/man/openssl.1 @@ -0,0 +1,579 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OPENSSL 1" +.TH OPENSSL 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl \- OpenSSL command line tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR +\&\fIcommand\fR +[ \fIcommand_opts\fR ] +[ \fIcommand_args\fR ] +.PP +\&\fBopenssl\fR \fBlist\fR [ \fBstandard-commands\fR | \fBdigest-commands\fR | \fBcipher-commands\fR | \fBcipher-algorithms\fR | \fBdigest-algorithms\fR | \fBpublic-key-algorithms\fR] +.PP +\&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0 +v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and related +cryptography standards required by them. +.PP +The \fBopenssl\fR program is a command line tool for using the various +cryptography functions of OpenSSL's \fBcrypto\fR library from the shell. +It can be used for +.PP +.Vb 8 +\& o Creation and management of private keys, public keys and parameters +\& o Public key cryptographic operations +\& o Creation of X.509 certificates, CSRs and CRLs +\& o Calculation of Message Digests +\& o Encryption and Decryption with Ciphers +\& o SSL/TLS Client and Server Tests +\& o Handling of S/MIME signed or encrypted mail +\& o Time Stamp requests, generation and verification +.Ve +.SH "COMMAND SUMMARY" +.IX Header "COMMAND SUMMARY" +The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in the +\&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments +(\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0). +.PP +Detailed documentation and use cases for most standard subcommands are available +(e.g., \fIx509\fR\|(1) or \fIopenssl\-x509\fR\|(1)). +.PP +Many commands use an external configuration file for some or all of their +arguments and have a \fB\-config\fR option to specify that file. +The environment variable \fB\s-1OPENSSL_CONF\s0\fR can be used to specify +the location of the file. +If the environment variable is not specified, then the file is named +\&\fBopenssl.cnf\fR in the default certificate storage area, whose value +depends on the configuration flags specified when the OpenSSL +was built. +.PP +The list parameters \fBstandard-commands\fR, \fBdigest-commands\fR, +and \fBcipher-commands\fR output a list (one entry per line) of the names +of all standard commands, message digest commands, or cipher commands, +respectively, that are available in the present \fBopenssl\fR utility. +.PP +The list parameters \fBcipher-algorithms\fR and +\&\fBdigest-algorithms\fR list all cipher and message digest names, one entry per line. Aliases are listed as: +.PP +.Vb 1 +\& from => to +.Ve +.PP +The list parameter \fBpublic-key-algorithms\fR lists all supported public +key algorithms. +.PP +The command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the +specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it +returns 0 (success) and prints \fBno\-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1 +and prints \fI\s-1XXX\s0\fR. In both cases, the output goes to \fBstdout\fR and +nothing is printed to \fBstderr\fR. Additional command line arguments +are always ignored. Since for each cipher there is a command of the +same name, this provides an easy way for shell scripts to test for the +availability of ciphers in the \fBopenssl\fR program. (\fBno\-\fR\fI\s-1XXX\s0\fR is +not able to detect pseudo-commands such as \fBquit\fR, +\&\fBlist\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.) +.SS "Standard Commands" +.IX Subsection "Standard Commands" +.IP "\fBasn1parse\fR" 4 +.IX Item "asn1parse" +Parse an \s-1ASN.1\s0 sequence. +.IP "\fBca\fR" 4 +.IX Item "ca" +Certificate Authority (\s-1CA\s0) Management. +.IP "\fBciphers\fR" 4 +.IX Item "ciphers" +Cipher Suite Description Determination. +.IP "\fBcms\fR" 4 +.IX Item "cms" +\&\s-1CMS\s0 (Cryptographic Message Syntax) utility. +.IP "\fBcrl\fR" 4 +.IX Item "crl" +Certificate Revocation List (\s-1CRL\s0) Management. +.IP "\fBcrl2pkcs7\fR" 4 +.IX Item "crl2pkcs7" +\&\s-1CRL\s0 to PKCS#7 Conversion. +.IP "\fBdgst\fR" 4 +.IX Item "dgst" +Message Digest Calculation. +.IP "\fBdh\fR" 4 +.IX Item "dh" +Diffie-Hellman Parameter Management. +Obsoleted by \fIdhparam\fR\|(1). +.IP "\fBdhparam\fR" 4 +.IX Item "dhparam" +Generation and Management of Diffie-Hellman Parameters. Superseded by +\&\fIgenpkey\fR\|(1) and \fIpkeyparam\fR\|(1). +.IP "\fBdsa\fR" 4 +.IX Item "dsa" +\&\s-1DSA\s0 Data Management. +.IP "\fBdsaparam\fR" 4 +.IX Item "dsaparam" +\&\s-1DSA\s0 Parameter Generation and Management. Superseded by +\&\fIgenpkey\fR\|(1) and \fIpkeyparam\fR\|(1). +.IP "\fBec\fR" 4 +.IX Item "ec" +\&\s-1EC\s0 (Elliptic curve) key processing. +.IP "\fBecparam\fR" 4 +.IX Item "ecparam" +\&\s-1EC\s0 parameter manipulation and generation. +.IP "\fBenc\fR" 4 +.IX Item "enc" +Encoding with Ciphers. +.IP "\fBengine\fR" 4 +.IX Item "engine" +Engine (loadable module) information and manipulation. +.IP "\fBerrstr\fR" 4 +.IX Item "errstr" +Error Number to Error String Conversion. +.IP "\fBgendh\fR" 4 +.IX Item "gendh" +Generation of Diffie-Hellman Parameters. +Obsoleted by \fIdhparam\fR\|(1). +.IP "\fBgendsa\fR" 4 +.IX Item "gendsa" +Generation of \s-1DSA\s0 Private Key from Parameters. Superseded by +\&\fIgenpkey\fR\|(1) and \fIpkey\fR\|(1). +.IP "\fBgenpkey\fR" 4 +.IX Item "genpkey" +Generation of Private Key or Parameters. +.IP "\fBgenrsa\fR" 4 +.IX Item "genrsa" +Generation of \s-1RSA\s0 Private Key. Superseded by \fIgenpkey\fR\|(1). +.IP "\fBnseq\fR" 4 +.IX Item "nseq" +Create or examine a Netscape certificate sequence. +.IP "\fBocsp\fR" 4 +.IX Item "ocsp" +Online Certificate Status Protocol utility. +.IP "\fBpasswd\fR" 4 +.IX Item "passwd" +Generation of hashed passwords. +.IP "\fBpkcs12\fR" 4 +.IX Item "pkcs12" +PKCS#12 Data Management. +.IP "\fBpkcs7\fR" 4 +.IX Item "pkcs7" +PKCS#7 Data Management. +.IP "\fBpkcs8\fR" 4 +.IX Item "pkcs8" +PKCS#8 format private key conversion tool. +.IP "\fBpkey\fR" 4 +.IX Item "pkey" +Public and private key management. +.IP "\fBpkeyparam\fR" 4 +.IX Item "pkeyparam" +Public key algorithm parameter management. +.IP "\fBpkeyutl\fR" 4 +.IX Item "pkeyutl" +Public key algorithm cryptographic operation utility. +.IP "\fBprime\fR" 4 +.IX Item "prime" +Compute prime numbers. +.IP "\fBrand\fR" 4 +.IX Item "rand" +Generate pseudo-random bytes. +.IP "\fBrehash\fR" 4 +.IX Item "rehash" +Create symbolic links to certificate and \s-1CRL\s0 files named by the hash values. +.IP "\fBreq\fR" 4 +.IX Item "req" +PKCS#10 X.509 Certificate Signing Request (\s-1CSR\s0) Management. +.IP "\fBrsa\fR" 4 +.IX Item "rsa" +\&\s-1RSA\s0 key management. +.IP "\fBrsautl\fR" 4 +.IX Item "rsautl" +\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption. Superseded +by \fIpkeyutl\fR\|(1). +.IP "\fBs_client\fR" 4 +.IX Item "s_client" +This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent +connection to a remote server speaking \s-1SSL/TLS.\s0 It's intended for testing +purposes only and provides only rudimentary interface functionality but +internally uses mostly all functionality of the OpenSSL \fBssl\fR library. +.IP "\fBs_server\fR" 4 +.IX Item "s_server" +This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote +clients speaking \s-1SSL/TLS.\s0 It's intended for testing purposes only and provides +only rudimentary interface functionality but internally uses mostly all +functionality of the OpenSSL \fBssl\fR library. It provides both an own command +line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response +facility to emulate an SSL/TLS\-aware webserver. +.IP "\fBs_time\fR" 4 +.IX Item "s_time" +\&\s-1SSL\s0 Connection Timer. +.IP "\fBsess_id\fR" 4 +.IX Item "sess_id" +\&\s-1SSL\s0 Session Data Management. +.IP "\fBsmime\fR" 4 +.IX Item "smime" +S/MIME mail processing. +.IP "\fBspeed\fR" 4 +.IX Item "speed" +Algorithm Speed Measurement. +.IP "\fBspkac\fR" 4 +.IX Item "spkac" +\&\s-1SPKAC\s0 printing and generating utility. +.IP "\fBsrp\fR" 4 +.IX Item "srp" +Maintain \s-1SRP\s0 password file. +.IP "\fBstoreutl\fR" 4 +.IX Item "storeutl" +Utility to list and display certificates, keys, CRLs, etc. +.IP "\fBts\fR" 4 +.IX Item "ts" +Time Stamping Authority tool (client/server). +.IP "\fBverify\fR" 4 +.IX Item "verify" +X.509 Certificate Verification. +.IP "\fBversion\fR" 4 +.IX Item "version" +OpenSSL Version Information. +.IP "\fBx509\fR" 4 +.IX Item "x509" +X.509 Certificate Data Management. +.SS "Message Digest Commands" +.IX Subsection "Message Digest Commands" +.IP "\fBblake2b512\fR" 4 +.IX Item "blake2b512" +BLAKE2b\-512 Digest +.IP "\fBblake2s256\fR" 4 +.IX Item "blake2s256" +BLAKE2s\-256 Digest +.IP "\fBmd2\fR" 4 +.IX Item "md2" +\&\s-1MD2\s0 Digest +.IP "\fBmd4\fR" 4 +.IX Item "md4" +\&\s-1MD4\s0 Digest +.IP "\fBmd5\fR" 4 +.IX Item "md5" +\&\s-1MD5\s0 Digest +.IP "\fBmdc2\fR" 4 +.IX Item "mdc2" +\&\s-1MDC2\s0 Digest +.IP "\fBrmd160\fR" 4 +.IX Item "rmd160" +\&\s-1RMD\-160\s0 Digest +.IP "\fBsha1\fR" 4 +.IX Item "sha1" +\&\s-1SHA\-1\s0 Digest +.IP "\fBsha224\fR" 4 +.IX Item "sha224" +\&\s-1SHA\-2 224\s0 Digest +.IP "\fBsha256\fR" 4 +.IX Item "sha256" +\&\s-1SHA\-2 256\s0 Digest +.IP "\fBsha384\fR" 4 +.IX Item "sha384" +\&\s-1SHA\-2 384\s0 Digest +.IP "\fBsha512\fR" 4 +.IX Item "sha512" +\&\s-1SHA\-2 512\s0 Digest +.IP "\fBsha3\-224\fR" 4 +.IX Item "sha3-224" +\&\s-1SHA\-3 224\s0 Digest +.IP "\fBsha3\-256\fR" 4 +.IX Item "sha3-256" +\&\s-1SHA\-3 256\s0 Digest +.IP "\fBsha3\-384\fR" 4 +.IX Item "sha3-384" +\&\s-1SHA\-3 384\s0 Digest +.IP "\fBsha3\-512\fR" 4 +.IX Item "sha3-512" +\&\s-1SHA\-3 512\s0 Digest +.IP "\fBshake128\fR" 4 +.IX Item "shake128" +\&\s-1SHA\-3 SHAKE128\s0 Digest +.IP "\fBshake256\fR" 4 +.IX Item "shake256" +\&\s-1SHA\-3 SHAKE256\s0 Digest +.IP "\fBsm3\fR" 4 +.IX Item "sm3" +\&\s-1SM3\s0 Digest +.SS "Encoding and Cipher Commands" +.IX Subsection "Encoding and Cipher Commands" +The following aliases provide convenient access to the most used encodings +and ciphers. +.PP +Depending on how OpenSSL was configured and built, not all ciphers listed +here may be present. See \fIenc\fR\|(1) for more information and command usage. +.IP "\fBaes128\fR, \fBaes\-128\-cbc\fR, \fBaes\-128\-cfb\fR, \fBaes\-128\-ctr\fR, \fBaes\-128\-ecb\fR, \fBaes\-128\-ofb\fR" 4 +.IX Item "aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb" +\&\s-1AES\-128\s0 Cipher +.IP "\fBaes192\fR, \fBaes\-192\-cbc\fR, \fBaes\-192\-cfb\fR, \fBaes\-192\-ctr\fR, \fBaes\-192\-ecb\fR, \fBaes\-192\-ofb\fR" 4 +.IX Item "aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb" +\&\s-1AES\-192\s0 Cipher +.IP "\fBaes256\fR, \fBaes\-256\-cbc\fR, \fBaes\-256\-cfb\fR, \fBaes\-256\-ctr\fR, \fBaes\-256\-ecb\fR, \fBaes\-256\-ofb\fR" 4 +.IX Item "aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb" +\&\s-1AES\-256\s0 Cipher +.IP "\fBaria128\fR, \fBaria\-128\-cbc\fR, \fBaria\-128\-cfb\fR, \fBaria\-128\-ctr\fR, \fBaria\-128\-ecb\fR, \fBaria\-128\-ofb\fR" 4 +.IX Item "aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb, aria-128-ofb" +Aria\-128 Cipher +.IP "\fBaria192\fR, \fBaria\-192\-cbc\fR, \fBaria\-192\-cfb\fR, \fBaria\-192\-ctr\fR, \fBaria\-192\-ecb\fR, \fBaria\-192\-ofb\fR" 4 +.IX Item "aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb, aria-192-ofb" +Aria\-192 Cipher +.IP "\fBaria256\fR, \fBaria\-256\-cbc\fR, \fBaria\-256\-cfb\fR, \fBaria\-256\-ctr\fR, \fBaria\-256\-ecb\fR, \fBaria\-256\-ofb\fR" 4 +.IX Item "aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb, aria-256-ofb" +Aria\-256 Cipher +.IP "\fBbase64\fR" 4 +.IX Item "base64" +Base64 Encoding +.IP "\fBbf\fR, \fBbf-cbc\fR, \fBbf-cfb\fR, \fBbf-ecb\fR, \fBbf-ofb\fR" 4 +.IX Item "bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb" +Blowfish Cipher +.IP "\fBcamellia128\fR, \fBcamellia\-128\-cbc\fR, \fBcamellia\-128\-cfb\fR, \fBcamellia\-128\-ctr\fR, \fBcamellia\-128\-ecb\fR, \fBcamellia\-128\-ofb\fR" 4 +.IX Item "camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr, camellia-128-ecb, camellia-128-ofb" +Camellia\-128 Cipher +.IP "\fBcamellia192\fR, \fBcamellia\-192\-cbc\fR, \fBcamellia\-192\-cfb\fR, \fBcamellia\-192\-ctr\fR, \fBcamellia\-192\-ecb\fR, \fBcamellia\-192\-ofb\fR" 4 +.IX Item "camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr, camellia-192-ecb, camellia-192-ofb" +Camellia\-192 Cipher +.IP "\fBcamellia256\fR, \fBcamellia\-256\-cbc\fR, \fBcamellia\-256\-cfb\fR, \fBcamellia\-256\-ctr\fR, \fBcamellia\-256\-ecb\fR, \fBcamellia\-256\-ofb\fR" 4 +.IX Item "camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr, camellia-256-ecb, camellia-256-ofb" +Camellia\-256 Cipher +.IP "\fBcast\fR, \fBcast-cbc\fR" 4 +.IX Item "cast, cast-cbc" +\&\s-1CAST\s0 Cipher +.IP "\fBcast5\-cbc\fR, \fBcast5\-cfb\fR, \fBcast5\-ecb\fR, \fBcast5\-ofb\fR" 4 +.IX Item "cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb" +\&\s-1CAST5\s0 Cipher +.IP "\fBchacha20\fR" 4 +.IX Item "chacha20" +Chacha20 Cipher +.IP "\fBdes\fR, \fBdes-cbc\fR, \fBdes-cfb\fR, \fBdes-ecb\fR, \fBdes-ede\fR, \fBdes-ede-cbc\fR, \fBdes-ede-cfb\fR, \fBdes-ede-ofb\fR, \fBdes-ofb\fR" 4 +.IX Item "des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ofb" +\&\s-1DES\s0 Cipher +.IP "\fBdes3\fR, \fBdesx\fR, \fBdes\-ede3\fR, \fBdes\-ede3\-cbc\fR, \fBdes\-ede3\-cfb\fR, \fBdes\-ede3\-ofb\fR" 4 +.IX Item "des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb" +Triple-DES Cipher +.IP "\fBidea\fR, \fBidea-cbc\fR, \fBidea-cfb\fR, \fBidea-ecb\fR, \fBidea-ofb\fR" 4 +.IX Item "idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb" +\&\s-1IDEA\s0 Cipher +.IP "\fBrc2\fR, \fBrc2\-cbc\fR, \fBrc2\-cfb\fR, \fBrc2\-ecb\fR, \fBrc2\-ofb\fR" 4 +.IX Item "rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb" +\&\s-1RC2\s0 Cipher +.IP "\fBrc4\fR" 4 +.IX Item "rc4" +\&\s-1RC4\s0 Cipher +.IP "\fBrc5\fR, \fBrc5\-cbc\fR, \fBrc5\-cfb\fR, \fBrc5\-ecb\fR, \fBrc5\-ofb\fR" 4 +.IX Item "rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb" +\&\s-1RC5\s0 Cipher +.IP "\fBseed\fR, \fBseed-cbc\fR, \fBseed-cfb\fR, \fBseed-ecb\fR, \fBseed-ofb\fR" 4 +.IX Item "seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb" +\&\s-1SEED\s0 Cipher +.IP "\fBsm4\fR, \fBsm4\-cbc\fR, \fBsm4\-cfb\fR, \fBsm4\-ctr\fR, \fBsm4\-ecb\fR, \fBsm4\-ofb\fR" 4 +.IX Item "sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb" +\&\s-1SM4\s0 Cipher +.SH "OPTIONS" +.IX Header "OPTIONS" +Details of which options are available depend on the specific command. +This section describes some common options with common behavior. +.SS "Common Options" +.IX Subsection "Common Options" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Provides a terse summary of all options. +.SS "Pass Phrase Options" +.IX Subsection "Pass Phrase Options" +Several commands accept password arguments, typically using \fB\-passin\fR +and \fB\-passout\fR for input and output passwords respectively. These allow +the password to be obtained from a variety of sources. Both of these +options take a single argument whose format is described below. If no +password argument is given and a password is required then the user is +prompted to enter one: this will typically be read from the current +terminal with echoing turned off. +.PP +Note that character encoding may be relevant, please see +\&\fIpassphrase\-encoding\fR\|(7). +.IP "\fBpass:password\fR" 4 +.IX Item "pass:password" +The actual password is \fBpassword\fR. Since the password is visible +to utilities (like 'ps' under Unix) this form should only be used +where security is not important. +.IP "\fBenv:var\fR" 4 +.IX Item "env:var" +Obtain the password from the environment variable \fBvar\fR. Since +the environment of other processes is visible on certain platforms +(e.g. ps under certain Unix OSes) this option should be used with caution. +.IP "\fBfile:pathname\fR" 4 +.IX Item "file:pathname" +The first line of \fBpathname\fR is the password. If the same \fBpathname\fR +argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first +line will be used for the input password and the next line for the output +password. \fBpathname\fR need not refer to a regular file: it could for example +refer to a device or named pipe. +.IP "\fBfd:number\fR" 4 +.IX Item "fd:number" +Read the password from the file descriptor \fBnumber\fR. This can be used to +send the data via a pipe for example. +.IP "\fBstdin\fR" 4 +.IX Item "stdin" +Read the password from standard input. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIasn1parse\fR\|(1), \fIca\fR\|(1), \fIciphers\fR\|(1), \fIcms\fR\|(1), \fIconfig\fR\|(5), +\&\fIcrl\fR\|(1), \fIcrl2pkcs7\fR\|(1), \fIdgst\fR\|(1), +\&\fIdhparam\fR\|(1), \fIdsa\fR\|(1), \fIdsaparam\fR\|(1), +\&\fIec\fR\|(1), \fIecparam\fR\|(1), +\&\fIenc\fR\|(1), \fIengine\fR\|(1), \fIerrstr\fR\|(1), \fIgendsa\fR\|(1), \fIgenpkey\fR\|(1), +\&\fIgenrsa\fR\|(1), \fInseq\fR\|(1), \fIocsp\fR\|(1), +\&\fIpasswd\fR\|(1), +\&\fIpkcs12\fR\|(1), \fIpkcs7\fR\|(1), \fIpkcs8\fR\|(1), +\&\fIpkey\fR\|(1), \fIpkeyparam\fR\|(1), \fIpkeyutl\fR\|(1), \fIprime\fR\|(1), +\&\fIrand\fR\|(1), \fIrehash\fR\|(1), \fIreq\fR\|(1), \fIrsa\fR\|(1), +\&\fIrsautl\fR\|(1), \fIs_client\fR\|(1), +\&\fIs_server\fR\|(1), \fIs_time\fR\|(1), \fIsess_id\fR\|(1), +\&\fIsmime\fR\|(1), \fIspeed\fR\|(1), \fIspkac\fR\|(1), \fIsrp\fR\|(1), \fIstoreutl\fR\|(1), +\&\fIts\fR\|(1), +\&\fIverify\fR\|(1), \fIversion\fR\|(1), \fIx509\fR\|(1), +\&\fIcrypto\fR\|(7), \fIssl\fR\|(7), \fIx509v3_config\fR\|(5) +.SH "HISTORY" +.IX Header "HISTORY" +The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-algorithms\fR pseudo-commands were added in OpenSSL 1.0.0; +For notes on the availability of other commands, see their individual +manual pages. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1 new file mode 100644 index 000000000000..b44ea2d0d68a --- /dev/null +++ b/secure/usr.bin/openssl/man/passwd.1 @@ -0,0 +1,244 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PASSWD 1" +.TH PASSWD 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-passwd, passwd \- compute password hashes +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl passwd\fR +[\fB\-help\fR] +[\fB\-crypt\fR] +[\fB\-1\fR] +[\fB\-apr1\fR] +[\fB\-aixmd5\fR] +[\fB\-5\fR] +[\fB\-6\fR] +[\fB\-salt\fR \fIstring\fR] +[\fB\-in\fR \fIfile\fR] +[\fB\-stdin\fR] +[\fB\-noverify\fR] +[\fB\-quiet\fR] +[\fB\-table\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +{\fIpassword\fR} +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpasswd\fR command computes the hash of a password typed at +run-time or the hash of each password in a list. The password list is +taken from the named file for option \fB\-in file\fR, from stdin for +option \fB\-stdin\fR, or from the command line, or from the terminal otherwise. +The Unix standard algorithm \fBcrypt\fR and the MD5\-based \s-1BSD\s0 password +algorithm \fB1\fR, its Apache variant \fBapr1\fR, and its \s-1AIX\s0 variant are available. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-crypt\fR" 4 +.IX Item "-crypt" +Use the \fBcrypt\fR algorithm (default). +.IP "\fB\-1\fR" 4 +.IX Item "-1" +Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR. +.IP "\fB\-apr1\fR" 4 +.IX Item "-apr1" +Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm). +.IP "\fB\-aixmd5\fR" 4 +.IX Item "-aixmd5" +Use the \fB\s-1AIX MD5\s0\fR algorithm (\s-1AIX\s0 variant of the \s-1BSD\s0 algorithm). +.IP "\fB\-5\fR" 4 +.IX Item "-5" +.PD 0 +.IP "\fB\-6\fR" 4 +.IX Item "-6" +.PD +Use the \fB\s-1SHA256\s0\fR / \fB\s-1SHA512\s0\fR based algorithms defined by Ulrich Drepper. +See <https://www.akkadia.org/drepper/SHA\-crypt.txt>. +.IP "\fB\-salt\fR \fIstring\fR" 4 +.IX Item "-salt string" +Use the specified salt. +When reading a password from the terminal, this implies \fB\-noverify\fR. +.IP "\fB\-in\fR \fIfile\fR" 4 +.IX Item "-in file" +Read passwords from \fIfile\fR. +.IP "\fB\-stdin\fR" 4 +.IX Item "-stdin" +Read passwords from \fBstdin\fR. +.IP "\fB\-noverify\fR" 4 +.IX Item "-noverify" +Don't verify when reading a password from the terminal. +.IP "\fB\-quiet\fR" 4 +.IX Item "-quiet" +Don't output warnings when passwords given at the command line are truncated. +.IP "\fB\-table\fR" 4 +.IX Item "-table" +In the output list, prepend the cleartext password and a \s-1TAB\s0 character +to each password hash. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +.Vb 2 +\& % openssl passwd \-crypt \-salt xx password +\& xxj31ZMTZzkVA +\& +\& % openssl passwd \-1 \-salt xxxxxxxx password +\& $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a. +\& +\& % openssl passwd \-apr1 \-salt xxxxxxxx password +\& $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0 +\& +\& % openssl passwd \-aixmd5 \-salt xxxxxxxx password +\& xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/ +.Ve +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1 new file mode 100644 index 000000000000..dca9461fefad --- /dev/null +++ b/secure/usr.bin/openssl/man/pkcs12.1 @@ -0,0 +1,473 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PKCS12 1" +.TH PKCS12 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-pkcs12, pkcs12 \- PKCS#12 file utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkcs12\fR +[\fB\-help\fR] +[\fB\-export\fR] +[\fB\-chain\fR] +[\fB\-inkey file_or_id\fR] +[\fB\-certfile filename\fR] +[\fB\-name name\fR] +[\fB\-caname name\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-nomacver\fR] +[\fB\-nocerts\fR] +[\fB\-clcerts\fR] +[\fB\-cacerts\fR] +[\fB\-nokeys\fR] +[\fB\-info\fR] +[\fB\-des | \-des3 | \-idea | \-aes128 | \-aes192 | \-aes256 | \-aria128 | \-aria192 | \-aria256 | \-camellia128 | \-camellia192 | \-camellia256 | \-nodes\fR] +[\fB\-noiter\fR] +[\fB\-maciter | \-nomaciter | \-nomac\fR] +[\fB\-twopass\fR] +[\fB\-descert\fR] +[\fB\-certpbe cipher\fR] +[\fB\-keypbe cipher\fR] +[\fB\-macalg digest\fR] +[\fB\-keyex\fR] +[\fB\-keysig\fR] +[\fB\-password arg\fR] +[\fB\-passin arg\fR] +[\fB\-passout arg\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-CAfile file\fR] +[\fB\-CApath dir\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-CSP name\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as +\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several +programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook. +.SH "OPTIONS" +.IX Header "OPTIONS" +There are a lot of options the meaning of some depends of whether a PKCS#12 file +is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 +file can be created by using the \fB\-export\fR option (see below). +.SH "PARSING OPTIONS" +.IX Header "PARSING OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies filename of the PKCS#12 file to be parsed. Standard input is used +by default. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +The filename to write certificates and private keys to, standard output by +default. They are all written in \s-1PEM\s0 format. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The PKCS#12 file (i.e. input file) password source. For more information about +the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in +\&\fIopenssl\fR\|(1). +.IP "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +Pass phrase source to encrypt any outputted private keys with. For more +information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section +in \fIopenssl\fR\|(1). +.IP "\fB\-password arg\fR" 4 +.IX Item "-password arg" +With \-export, \-password is equivalent to \-passout. +Otherwise, \-password is equivalent to \-passin. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option inhibits output of the keys and certificates to the output file +version of the PKCS#12 file. +.IP "\fB\-clcerts\fR" 4 +.IX Item "-clcerts" +Only output client certificates (not \s-1CA\s0 certificates). +.IP "\fB\-cacerts\fR" 4 +.IX Item "-cacerts" +Only output \s-1CA\s0 certificates (not client certificates). +.IP "\fB\-nocerts\fR" 4 +.IX Item "-nocerts" +No certificates at all will be output. +.IP "\fB\-nokeys\fR" 4 +.IX Item "-nokeys" +No private keys will be output. +.IP "\fB\-info\fR" 4 +.IX Item "-info" +Output additional information about the PKCS#12 file structure, algorithms +used and iteration counts. +.IP "\fB\-des\fR" 4 +.IX Item "-des" +Use \s-1DES\s0 to encrypt private keys before outputting. +.IP "\fB\-des3\fR" 4 +.IX Item "-des3" +Use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default. +.IP "\fB\-idea\fR" 4 +.IX Item "-idea" +Use \s-1IDEA\s0 to encrypt private keys before outputting. +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4 +.IX Item "-aes128, -aes192, -aes256" +Use \s-1AES\s0 to encrypt private keys before outputting. +.IP "\fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR" 4 +.IX Item "-aria128, -aria192, -aria256" +Use \s-1ARIA\s0 to encrypt private keys before outputting. +.IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4 +.IX Item "-camellia128, -camellia192, -camellia256" +Use Camellia to encrypt private keys before outputting. +.IP "\fB\-nodes\fR" 4 +.IX Item "-nodes" +Don't encrypt the private keys at all. +.IP "\fB\-nomacver\fR" 4 +.IX Item "-nomacver" +Don't attempt to verify the integrity \s-1MAC\s0 before reading the file. +.IP "\fB\-twopass\fR" 4 +.IX Item "-twopass" +Prompt for separate integrity and encryption passwords: most software +always assumes these are the same so this option will render such +PKCS#12 files unreadable. +.SH "FILE CREATION OPTIONS" +.IX Header "FILE CREATION OPTIONS" +.IP "\fB\-export\fR" 4 +.IX Item "-export" +This option specifies that a PKCS#12 file will be created rather than +parsed. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies filename to write the PKCS#12 file to. Standard output is used +by default. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +The filename to read certificates and private keys from, standard input by +default. They must all be in \s-1PEM\s0 format. The order doesn't matter but one +private key and its corresponding certificate should be present. If additional +certificates are present they will also be included in the PKCS#12 file. +.IP "\fB\-inkey file_or_id\fR" 4 +.IX Item "-inkey file_or_id" +File to read private key from. If not present then a private key must be present +in the input file. +If no engine is used, the argument is taken as a file; if an engine is +specified, the argument is given to the engine as a key identifier. +.IP "\fB\-name friendlyname\fR" 4 +.IX Item "-name friendlyname" +This specifies the \*(L"friendly name\*(R" for the certificate and private key. This +name is typically displayed in list boxes by software importing the file. +.IP "\fB\-certfile filename\fR" 4 +.IX Item "-certfile filename" +A filename to read additional certificates from. +.IP "\fB\-caname friendlyname\fR" 4 +.IX Item "-caname friendlyname" +This specifies the \*(L"friendly name\*(R" for other certificates. This option may be +used multiple times to specify names for all certificates in the order they +appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0 +displays them. +.IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4 +.IX Item "-pass arg, -passout arg" +The PKCS#12 file (i.e. output file) password source. For more information about +the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in +\&\fIopenssl\fR\|(1). +.IP "\fB\-passin password\fR" 4 +.IX Item "-passin password" +Pass phrase source to decrypt any input private keys with. For more information +about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in +\&\fIopenssl\fR\|(1). +.IP "\fB\-chain\fR" 4 +.IX Item "-chain" +If this option is present then an attempt is made to include the entire +certificate chain of the user certificate. The standard \s-1CA\s0 store is used +for this search. If the search fails it is considered a fatal error. +.IP "\fB\-descert\fR" 4 +.IX Item "-descert" +Encrypt the certificate using triple \s-1DES,\s0 this may render the PKCS#12 +file unreadable by some \*(L"export grade\*(R" software. By default the private +key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2.\s0 +.IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4 +.IX Item "-keypbe alg, -certpbe alg" +These options allow the algorithm used to encrypt the private key and +certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name +can be used (see \fB\s-1NOTES\s0\fR section for more information). If a cipher name +(as output by the \fBlist-cipher-algorithms\fR command is specified then it +is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only +use PKCS#12 algorithms. +.IP "\fB\-keyex|\-keysig\fR" 4 +.IX Item "-keyex|-keysig" +Specifies that the private key is to be used for key exchange or just signing. +This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally +\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for +encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR +option marks the key for signing only. Signing only keys can be used for +S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client +authentication, however due to a bug only \s-1MSIE 5.0\s0 and later support +the use of signing only keys for \s-1SSL\s0 client authentication. +.IP "\fB\-macalg digest\fR" 4 +.IX Item "-macalg digest" +Specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will be used. +.IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4 +.IX Item "-nomaciter, -noiter" +These options affect the iteration counts on the \s-1MAC\s0 and key algorithms. +Unless you wish to produce files compatible with \s-1MSIE 4.0\s0 you should leave +these options alone. +.Sp +To discourage attacks by using large dictionaries of common passwords the +algorithm that derives keys from passwords can have an iteration count applied +to it: this causes a certain part of the algorithm to be repeated and slows it +down. The \s-1MAC\s0 is used to check the file integrity but since it will normally +have the same password as the keys and certificates it could also be attacked. +By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, using +these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since +this reduces the file security you should not use these options unless you +really have to. Most software supports both \s-1MAC\s0 and key iteration counts. +\&\s-1MSIE 4.0\s0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR +option. +.IP "\fB\-maciter\fR" 4 +.IX Item "-maciter" +This option is included for compatibility with previous versions, it used +to be needed to use \s-1MAC\s0 iterations counts but they are now used by default. +.IP "\fB\-nomac\fR" 4 +.IX Item "-nomac" +Don't attempt to provide the \s-1MAC\s0 integrity. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +\&\s-1CA\s0 storage as a file. +.IP "\fB\-CApath dir\fR" 4 +.IX Item "-CApath dir" +\&\s-1CA\s0 storage as a directory. This directory must be a standard certificate +directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be +linked to each certificate. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location. +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location. +.IP "\fB\-CSP name\fR" 4 +.IX Item "-CSP name" +Write \fBname\fR as a Microsoft \s-1CSP\s0 name. +.SH "NOTES" +.IX Header "NOTES" +Although there are a large number of options most of them are very rarely +used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used +for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used. +.PP +If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present +then all certificates will be output in the order they appear in the input +PKCS#12 files. There is no guarantee that the first certificate present is +the one corresponding to the private key. Certain software which requires +a private key and certificate and assumes the first certificate in the +file is the one corresponding to the private key: this may not always +be the case. Using the \fB\-clcerts\fR option will solve this problem by only +outputting the certificate corresponding to the private key. If the \s-1CA\s0 +certificates are required then they can be output to a separate file using +the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates. +.PP +The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption +algorithms for private keys and certificates to be specified. Normally +the defaults are fine but occasionally software can't handle triple \s-1DES\s0 +encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can +be used to reduce the private key encryption to 40 bit \s-1RC2. A\s0 complete +description of all algorithms is contained in the \fBpkcs8\fR manual page. +.PP +Prior 1.1 release passwords containing non-ASCII characters were encoded +in non-compliant manner, which limited interoperability, in first hand +with Windows. But switching to standard-compliant password encoding +poses problem accessing old data protected with broken encoding. For +this reason even legacy encodings is attempted when reading the +data. If you use PKCS#12 files in production application you are advised +to convert the data, because implemented heuristic approach is not +MT-safe, its sole goal is to facilitate the data upgrade with this +utility. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Parse a PKCS#12 file and output it to a file: +.PP +.Vb 1 +\& openssl pkcs12 \-in file.p12 \-out file.pem +.Ve +.PP +Output only client certificates to a file: +.PP +.Vb 1 +\& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem +.Ve +.PP +Don't encrypt the private key: +.PP +.Vb 1 +\& openssl pkcs12 \-in file.p12 \-out file.pem \-nodes +.Ve +.PP +Print some info about a PKCS#12 file: +.PP +.Vb 1 +\& openssl pkcs12 \-in file.p12 \-info \-noout +.Ve +.PP +Create a PKCS#12 file: +.PP +.Vb 1 +\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate" +.Ve +.PP +Include some extra certificates: +.PP +.Vb 2 +\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate" \e +\& \-certfile othercerts.pem +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIpkcs8\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1 new file mode 100644 index 000000000000..9154b12bf9c3 --- /dev/null +++ b/secure/usr.bin/openssl/man/pkcs7.1 @@ -0,0 +1,238 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PKCS7 1" +.TH PKCS7 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-pkcs7, pkcs7 \- PKCS#7 utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkcs7\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-print_certs\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7 +v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of +the \s-1DER\s0 form with header and footer lines. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read from or standard input if this +option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Specifies the output filename to write to or standard output by +default. +.IP "\fB\-print_certs\fR" 4 +.IX Item "-print_certs" +Prints out any certificates or CRLs contained in the file. They are +preceded by their subject and issuer names in one line format. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out certificates details in full rather than just subject and +issuer names. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +Don't output the encoded version of the PKCS#7 structure (or certificates +is \fB\-print_certs\fR is set). +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs7\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0 +.PP +.Vb 1 +\& openssl pkcs7 \-in file.pem \-outform DER \-out file.der +.Ve +.PP +Output all certificates in a file: +.PP +.Vb 1 +\& openssl pkcs7 \-in file.pem \-print_certs \-out certs.pem +.Ve +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 PKCS#7 format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\- +\& \-\-\-\-\-END PKCS7\-\-\-\-\- +.Ve +.PP +For compatibility with some CAs it will also accept: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- +\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- +.Ve +.SH "RESTRICTIONS" +.IX Header "RESTRICTIONS" +There is no option to print out all the fields of a PKCS#7 file. +.PP +This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they +cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrl2pkcs7\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1 new file mode 100644 index 000000000000..ad6119457bea --- /dev/null +++ b/secure/usr.bin/openssl/man/pkcs8.1 @@ -0,0 +1,430 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PKCS8 1" +.TH PKCS8 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-pkcs8, pkcs8 \- PKCS#8 format private key conversion tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkcs8\fR +[\fB\-help\fR] +[\fB\-topk8\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-iter count\fR] +[\fB\-noiter\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-nocrypt\fR] +[\fB\-traditional\fR] +[\fB\-v2 alg\fR] +[\fB\-v2prf alg\fR] +[\fB\-v1 alg\fR] +[\fB\-engine id\fR] +[\fB\-scrypt\fR] +[\fB\-scrypt_N N\fR] +[\fB\-scrypt_r r\fR] +[\fB\-scrypt_p p\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkcs8\fR command processes private keys in PKCS#8 format. It can handle +both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo +format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-topk8\fR" 4 +.IX Item "-topk8" +Normally a PKCS#8 private key is expected on input and a private key will be +written to the output file. With the \fB\-topk8\fR option the situation is +reversed: it reads a private key and writes a PKCS#8 format key. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format: see \*(L"\s-1KEY FORMATS\*(R"\s0 for more details. The default +format is \s-1PEM.\s0 +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format: see \*(L"\s-1KEY FORMATS\*(R"\s0 for more details. The default +format is \s-1PEM.\s0 +.IP "\fB\-traditional\fR" 4 +.IX Item "-traditional" +When this option is present and \fB\-topk8\fR is not a traditional format private +key is written. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output by +default. If any encryption options are set then a pass phrase will be +prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.IP "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +The output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-iter count\fR" 4 +.IX Item "-iter count" +When creating new PKCS#8 containers, use a given number of iterations on +the password in deriving the encryption key for the PKCS#8 output. +High values increase the time required to brute-force a PKCS#8 container. +.IP "\fB\-nocrypt\fR" 4 +.IX Item "-nocrypt" +PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo +structures using an appropriate password based encryption algorithm. With +this option an unencrypted PrivateKeyInfo structure is expected or output. +This option does not encrypt private keys at all and should only be used +when absolutely necessary. Certain software such as some versions of Java +code signing software used unencrypted private keys. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-v2 alg\fR" 4 +.IX Item "-v2 alg" +This option sets the PKCS#5 v2.0 algorithm. +.Sp +The \fBalg\fR argument is the encryption algorithm to use, valid values include +\&\fBaes128\fR, \fBaes256\fR and \fBdes3\fR. If this option isn't specified then \fBaes256\fR +is used. +.IP "\fB\-v2prf alg\fR" 4 +.IX Item "-v2prf alg" +This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value +value would be \fBhmacWithSHA256\fR. If this option isn't set then the default +for the cipher is used or \fBhmacWithSHA256\fR if there is no default. +.Sp +Some implementations may not support custom \s-1PRF\s0 algorithms and may require +the \fBhmacWithSHA1\fR option to work. +.IP "\fB\-v1 alg\fR" 4 +.IX Item "-v1 alg" +This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some +older implementations may not support PKCS#5 v2.0 and may require this option. +If not specified PKCS#5 v2.0 form is used. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs8\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-scrypt\fR" 4 +.IX Item "-scrypt" +Uses the \fBscrypt\fR algorithm for private key encryption using default +parameters: currently N=16384, r=8 and p=1 and \s-1AES\s0 in \s-1CBC\s0 mode with a 256 bit +key. These parameters can be modified using the \fB\-scrypt_N\fR, \fB\-scrypt_r\fR, +\&\fB\-scrypt_p\fR and \fB\-v2\fR options. +.IP "\fB\-scrypt_N N\fR \fB\-scrypt_r r\fR \fB\-scrypt_p p\fR" 4 +.IX Item "-scrypt_N N -scrypt_r r -scrypt_p p" +Sets the scrypt \fBN\fR, \fBr\fR or \fBp\fR parameters. +.SH "KEY FORMATS" +.IX Header "KEY FORMATS" +Various different formats are used by the pkcs8 utility. These are detailed +below. +.PP +If a key is being converted from PKCS#8 form (i.e. the \fB\-topk8\fR option is +not used) then the input file must be in PKCS#8 format. An encrypted +key is expected unless \fB\-nocrypt\fR is included. +.PP +If \fB\-topk8\fR is not used and \fB\s-1PEM\s0\fR mode is set the output file will be an +unencrypted private key in PKCS#8 format. If the \fB\-traditional\fR option is +used then a traditional format private key is written instead. +.PP +If \fB\-topk8\fR is not used and \fB\s-1DER\s0\fR mode is set the output file will be an +unencrypted private key in traditional \s-1DER\s0 format. +.PP +If \fB\-topk8\fR is used then any supported private key can be used for the input +file in a format specified by \fB\-inform\fR. The output file will be encrypted +PKCS#8 format using the specified encryption parameters unless \fB\-nocrypt\fR +is included. +.SH "NOTES" +.IX Header "NOTES" +By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit +\&\s-1AES\s0 with \s-1HMAC\s0 and \s-1SHA256\s0 is used. +.PP +Some older implementations do not support PKCS#5 v2.0 format and require +the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak +encryption algorithms such as 56 bit \s-1DES.\s0 +.PP +The encrypted form of a \s-1PEM\s0 encode PKCS#8 files uses the following +headers and footers: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN ENCRYPTED PRIVATE KEY\-\-\-\-\- +\& \-\-\-\-\-END ENCRYPTED PRIVATE KEY\-\-\-\-\- +.Ve +.PP +The unencrypted form uses: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- +\& \-\-\-\-\-END PRIVATE KEY\-\-\-\-\- +.Ve +.PP +Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration +counts are more secure that those encrypted using the traditional +SSLeay compatible formats. So if additional security is considered +important the keys should be converted. +.PP +It is possible to write out \s-1DER\s0 encoded encrypted private keys in +PKCS#8 format because the encryption details are included at an \s-1ASN1\s0 +level whereas the traditional format includes them at a \s-1PEM\s0 level. +.SH "PKCS#5 v1.5 and PKCS#12 algorithms." +.IX Header "PKCS#5 v1.5 and PKCS#12 algorithms." +Various algorithms can be used with the \fB\-v1\fR command line option, +including PKCS#5 v1.5 and PKCS#12. These are described in more detail +below. +.IP "\fB\s-1PBE\-MD2\-DES PBE\-MD5\-DES\s0\fR" 4 +.IX Item "PBE-MD2-DES PBE-MD5-DES" +These algorithms were included in the original PKCS#5 v1.5 specification. +They only offer 56 bits of protection since they both use \s-1DES.\s0 +.IP "\fB\s-1PBE\-SHA1\-RC2\-64\s0\fR, \fB\s-1PBE\-MD2\-RC2\-64\s0\fR, \fB\s-1PBE\-MD5\-RC2\-64\s0\fR, \fB\s-1PBE\-SHA1\-DES\s0\fR" 4 +.IX Item "PBE-SHA1-RC2-64, PBE-MD2-RC2-64, PBE-MD5-RC2-64, PBE-SHA1-DES" +These algorithms are not mentioned in the original PKCS#5 v1.5 specification +but they use the same key derivation algorithm and are supported by some +software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or +56 bit \s-1DES.\s0 +.IP "\fB\s-1PBE\-SHA1\-RC4\-128\s0\fR, \fB\s-1PBE\-SHA1\-RC4\-40\s0\fR, \fB\s-1PBE\-SHA1\-3DES\s0\fR, \fB\s-1PBE\-SHA1\-2DES\s0\fR, \fB\s-1PBE\-SHA1\-RC2\-128\s0\fR, \fB\s-1PBE\-SHA1\-RC2\-40\s0\fR" 4 +.IX Item "PBE-SHA1-RC4-128, PBE-SHA1-RC4-40, PBE-SHA1-3DES, PBE-SHA1-2DES, PBE-SHA1-RC2-128, PBE-SHA1-RC2-40" +These algorithms use the PKCS#12 password based encryption algorithm and +allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Convert a private key to PKCS#8 format using default parameters (\s-1AES\s0 with +256 bit key and \fBhmacWithSHA256\fR): +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem +.Ve +.PP +Convert a private key to PKCS#8 unencrypted format: +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-nocrypt \-out enckey.pem +.Ve +.PP +Convert a private key to PKCS#5 v2.0 format using triple \s-1DES:\s0 +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-v2 des3 \-out enckey.pem +.Ve +.PP +Convert a private key to PKCS#5 v2.0 format using \s-1AES\s0 with 256 bits in \s-1CBC\s0 +mode and \fBhmacWithSHA512\fR \s-1PRF:\s0 +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA512 \-out enckey.pem +.Ve +.PP +Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm +(\s-1DES\s0): +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-v1 PBE\-MD5\-DES \-out enckey.pem +.Ve +.PP +Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm +(3DES): +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem \-v1 PBE\-SHA1\-3DES +.Ve +.PP +Read a \s-1DER\s0 unencrypted PKCS#8 format private key: +.PP +.Vb 1 +\& openssl pkcs8 \-inform DER \-nocrypt \-in key.der \-out key.pem +.Ve +.PP +Convert a private key from any PKCS#8 encrypted format to traditional format: +.PP +.Vb 1 +\& openssl pkcs8 \-in pk8.pem \-traditional \-out key.pem +.Ve +.PP +Convert a private key to PKCS#8 format, encrypting with \s-1AES\-256\s0 and with +one million iterations of the password: +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-iter 1000000 \-out pk8.pem +.Ve +.SH "STANDARDS" +.IX Header "STANDARDS" +Test vectors from this PKCS#5 v2.0 implementation were posted to the +pkcs-tng mailing list using triple \s-1DES, DES\s0 and \s-1RC2\s0 with high iteration +counts, several people confirmed that they could decrypt the private +keys produced and Therefore it can be assumed that the PKCS#5 v2.0 +implementation is reasonably accurate at least as far as these +algorithms are concerned. +.PP +The format of PKCS#8 \s-1DSA\s0 (and other) private keys is not well documented: +it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0 +PKCS#8 private key format complies with this standard. +.SH "BUGS" +.IX Header "BUGS" +There should be an option that prints out the encryption algorithm +in use and other details such as the iteration count. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIdsa\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIgendsa\fR\|(1) +.SH "HISTORY" +.IX Header "HISTORY" +The \fB\-iter\fR option was added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/pkey.1 new file mode 100644 index 000000000000..6a9196412fe8 --- /dev/null +++ b/secure/usr.bin/openssl/man/pkey.1 @@ -0,0 +1,284 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PKEY 1" +.TH PKEY 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-pkey, pkey \- public or private key processing tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkey\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-traditional\fR] +[\fB\-\f(BIcipher\fB\fR] +[\fB\-text\fR] +[\fB\-text_pub\fR] +[\fB\-noout\fR] +[\fB\-pubin\fR] +[\fB\-pubout\fR] +[\fB\-engine id\fR] +[\fB\-check\fR] +[\fB\-pubcheck\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkey\fR command processes public or private keys. They can be converted +between various forms and their components printed out. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0 +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output if this +option is not specified. If any encryption options are set then a pass phrase +will be prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.IP "\fB\-passout password\fR" 4 +.IX Item "-passout password" +The output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-traditional\fR" 4 +.IX Item "-traditional" +Normally a private key is written using standard format: this is PKCS#8 form +with the appropriate encryption algorithm (if any). If the \fB\-traditional\fR +option is specified then the older \*(L"traditional\*(R" format is used instead. +.IP "\fB\-\f(BIcipher\fB\fR" 4 +.IX Item "-cipher" +These options encrypt the private key with the supplied cipher. Any algorithm +name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the various public or private key components in +plain text in addition to the encoded version. +.IP "\fB\-text_pub\fR" 4 +.IX Item "-text_pub" +Print out only public key components even if a private key is being processed. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +Do not output the encoded version of the key. +.IP "\fB\-pubin\fR" 4 +.IX Item "-pubin" +By default a private key is read from the input file: with this +option a public key is read instead. +.IP "\fB\-pubout\fR" 4 +.IX Item "-pubout" +By default a private key is output: with this option a public +key will be output instead. This option is automatically set if +the input is a public key. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkey\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +This option checks the consistency of a key pair for both public and private +components. +.IP "\fB\-pubcheck\fR" 4 +.IX Item "-pubcheck" +This option checks the correctness of either a public key or the public component +of a key pair. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To remove the pass phrase on an \s-1RSA\s0 private key: +.PP +.Vb 1 +\& openssl pkey \-in key.pem \-out keyout.pem +.Ve +.PP +To encrypt a private key using triple \s-1DES:\s0 +.PP +.Vb 1 +\& openssl pkey \-in key.pem \-des3 \-out keyout.pem +.Ve +.PP +To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl pkey \-in key.pem \-outform DER \-out keyout.der +.Ve +.PP +To print out the components of a private key to standard output: +.PP +.Vb 1 +\& openssl pkey \-in key.pem \-text \-noout +.Ve +.PP +To print out the public components of a private key to standard output: +.PP +.Vb 1 +\& openssl pkey \-in key.pem \-text_pub \-noout +.Ve +.PP +To just output the public part of a private key: +.PP +.Vb 1 +\& openssl pkey \-in key.pem \-pubout \-out pubkey.pem +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIgenpkey\fR\|(1), \fIrsa\fR\|(1), \fIpkcs8\fR\|(1), +\&\fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \fIgendsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/pkeyparam.1 new file mode 100644 index 000000000000..0f84ec6ff4da --- /dev/null +++ b/secure/usr.bin/openssl/man/pkeyparam.1 @@ -0,0 +1,203 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PKEYPARAM 1" +.TH PKEYPARAM 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-pkeyparam, pkeyparam \- public key algorithm parameter processing tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkeyparam\fR +[\fB\-help\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-engine id\fR] +[\fB\-check\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkeyparam\fR command processes public key algorithm parameters. +They can be checked for correctness and their components printed out. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read parameters from or standard input if +this option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write parameters to or standard output if +this option is not specified. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the parameters in plain text in addition to the encoded version. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +Do not output the encoded version of the parameters. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyparam\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +This option checks the correctness of parameters. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +Print out text version of parameters: +.PP +.Vb 1 +\& openssl pkeyparam \-in param.pem \-text +.Ve +.SH "NOTES" +.IX Header "NOTES" +There are no \fB\-inform\fR or \fB\-outform\fR options for this command because only +\&\s-1PEM\s0 format is supported because the key type is determined by the \s-1PEM\s0 headers. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIgenpkey\fR\|(1), \fIrsa\fR\|(1), \fIpkcs8\fR\|(1), +\&\fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \fIgendsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/pkeyutl.1 new file mode 100644 index 000000000000..1c413421a3a7 --- /dev/null +++ b/secure/usr.bin/openssl/man/pkeyutl.1 @@ -0,0 +1,425 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PKEYUTL 1" +.TH PKEYUTL 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-pkeyutl, pkeyutl \- public key algorithm utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkeyutl\fR +[\fB\-help\fR] +[\fB\-in file\fR] +[\fB\-out file\fR] +[\fB\-sigfile file\fR] +[\fB\-inkey file\fR] +[\fB\-keyform PEM|DER|ENGINE\fR] +[\fB\-passin arg\fR] +[\fB\-peerkey file\fR] +[\fB\-peerform PEM|DER|ENGINE\fR] +[\fB\-pubin\fR] +[\fB\-certin\fR] +[\fB\-rev\fR] +[\fB\-sign\fR] +[\fB\-verify\fR] +[\fB\-verifyrecover\fR] +[\fB\-encrypt\fR] +[\fB\-decrypt\fR] +[\fB\-derive\fR] +[\fB\-kdf algorithm\fR] +[\fB\-kdflen length\fR] +[\fB\-pkeyopt opt:value\fR] +[\fB\-hexdump\fR] +[\fB\-asn1parse\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-engine id\fR] +[\fB\-engine_impl\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkeyutl\fR command can be used to perform low level public key operations +using any supported algorithm. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read data from or standard input +if this option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Specifies the output filename to write to or standard output by +default. +.IP "\fB\-sigfile file\fR" 4 +.IX Item "-sigfile file" +Signature file, required for \fBverify\fR operations only +.IP "\fB\-inkey file\fR" 4 +.IX Item "-inkey file" +The input key file, by default it should be a private key. +.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4 +.IX Item "-keyform PEM|DER|ENGINE" +The key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 Default is \s-1PEM.\s0 +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The input key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-peerkey file\fR" 4 +.IX Item "-peerkey file" +The peer key file, used by key derivation (agreement) operations. +.IP "\fB\-peerform PEM|DER|ENGINE\fR" 4 +.IX Item "-peerform PEM|DER|ENGINE" +The peer key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 Default is \s-1PEM.\s0 +.IP "\fB\-pubin\fR" 4 +.IX Item "-pubin" +The input file is a public key. +.IP "\fB\-certin\fR" 4 +.IX Item "-certin" +The input is a certificate containing a public key. +.IP "\fB\-rev\fR" 4 +.IX Item "-rev" +Reverse the order of the input buffer. This is useful for some libraries +(such as CryptoAPI) which represent the buffer in little endian format. +.IP "\fB\-sign\fR" 4 +.IX Item "-sign" +Sign the input data (which must be a hash) and output the signed result. This +requires a private key. +.IP "\fB\-verify\fR" 4 +.IX Item "-verify" +Verify the input data (which must be a hash) against the signature file and +indicate if the verification succeeded or failed. +.IP "\fB\-verifyrecover\fR" 4 +.IX Item "-verifyrecover" +Verify the input data (which must be a hash) and output the recovered data. +.IP "\fB\-encrypt\fR" 4 +.IX Item "-encrypt" +Encrypt the input data using a public key. +.IP "\fB\-decrypt\fR" 4 +.IX Item "-decrypt" +Decrypt the input data using a private key. +.IP "\fB\-derive\fR" 4 +.IX Item "-derive" +Derive a shared secret using the peer key. +.IP "\fB\-kdf algorithm\fR" 4 +.IX Item "-kdf algorithm" +Use key derivation function \fBalgorithm\fR. The supported algorithms are +at present \fB\s-1TLS1\-PRF\s0\fR and \fB\s-1HKDF\s0\fR. +Note: additional parameters and the \s-1KDF\s0 output length will normally have to be +set for this to work. +See \fIEVP_PKEY_CTX_set_hkdf_md\fR\|(3) and \fIEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3) +for the supported string parameters of each algorithm. +.IP "\fB\-kdflen length\fR" 4 +.IX Item "-kdflen length" +Set the output length for \s-1KDF.\s0 +.IP "\fB\-pkeyopt opt:value\fR" 4 +.IX Item "-pkeyopt opt:value" +Public key options specified as opt:value. See \s-1NOTES\s0 below for more details. +.IP "\fB\-hexdump\fR" 4 +.IX Item "-hexdump" +hex dump the output data. +.IP "\fB\-asn1parse\fR" 4 +.IX Item "-asn1parse" +Parse the \s-1ASN.1\s0 output data, this is useful when combined with the +\&\fB\-verifyrecover\fR option when an \s-1ASN1\s0 structure is signed. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyutl\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-engine_impl\fR" 4 +.IX Item "-engine_impl" +When used with the \fB\-engine\fR option, it specifies to also use +engine \fBid\fR for crypto operations. +.SH "NOTES" +.IX Header "NOTES" +The operations and options supported vary according to the key algorithm +and its implementation. The OpenSSL operations and options are indicated below. +.PP +Unless otherwise mentioned all algorithms support the \fBdigest:alg\fR option +which specifies the digest in use for sign, verify and verifyrecover operations. +The value \fBalg\fR should represent a digest name as used in the +\&\fIEVP_get_digestbyname()\fR function for example \fBsha1\fR. This value is not used to +hash the input data. It is used (by some algorithms) for sanity-checking the +lengths of data passed in to the \fBpkeyutl\fR and for creating the structures that +make up the signature (e.g. \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures). +.PP +This utility does not hash the input data but rather it will use the data +directly as input to the signature algorithm. Depending on the key type, +signature type, and mode of padding, the maximum acceptable lengths of input +data differ. The signed data can't be longer than the key modulus with \s-1RSA.\s0 In +case of \s-1ECDSA\s0 and \s-1DSA\s0 the data shouldn't be longer than the field +size, otherwise it will be silently truncated to the field size. In any event +the input size must not be larger than the largest supported digest size. +.PP +In other words, if the value of digest is \fBsha1\fR the input should be the 20 +bytes long binary encoding of the \s-1SHA\-1\s0 hash function output. +.PP +The Ed25519 and Ed448 signature algorithms are not supported by this utility. +They accept non-hashed input, but this utility can only be used to sign hashed +input. +.SH "RSA ALGORITHM" +.IX Header "RSA ALGORITHM" +The \s-1RSA\s0 algorithm generally supports the encrypt, decrypt, sign, +verify and verifyrecover operations. However, some padding modes +support only a subset of these operations. The following additional +\&\fBpkeyopt\fR values are supported: +.IP "\fBrsa_padding_mode:mode\fR" 4 +.IX Item "rsa_padding_mode:mode" +This sets the \s-1RSA\s0 padding mode. Acceptable values for \fBmode\fR are \fBpkcs1\fR for +PKCS#1 padding, \fBsslv23\fR for SSLv23 padding, \fBnone\fR for no padding, \fBoaep\fR +for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS.\s0 +.Sp +In PKCS#1 padding if the message digest is not set then the supplied data is +signed or verified directly instead of using a \fBDigestInfo\fR structure. If a +digest is set then the a \fBDigestInfo\fR structure is used and its the length +must correspond to the digest type. +.Sp +For \fBoaep\fR mode only encryption and decryption is supported. +.Sp +For \fBx931\fR if the digest type is set it is used to format the block data +otherwise the first byte is used to specify the X9.31 digest \s-1ID.\s0 Sign, +verify and verifyrecover are can be performed in this mode. +.Sp +For \fBpss\fR mode only sign and verify are supported and the digest type must be +specified. +.IP "\fBrsa_pss_saltlen:len\fR" 4 +.IX Item "rsa_pss_saltlen:len" +For \fBpss\fR mode only this option specifies the salt length. Three special +values are supported: \*(L"digest\*(R" sets the salt length to the digest length, +\&\*(L"max\*(R" sets the salt length to the maximum permissible value. When verifying +\&\*(L"auto\*(R" causes the salt length to be automatically determined based on the +\&\fB\s-1PSS\s0\fR block structure. +.IP "\fBrsa_mgf1_md:digest\fR" 4 +.IX Item "rsa_mgf1_md:digest" +For \s-1PSS\s0 and \s-1OAEP\s0 padding sets the \s-1MGF1\s0 digest. If the \s-1MGF1\s0 digest is not +explicitly set in \s-1PSS\s0 mode then the signing digest is used. +.SH "RSA-PSS ALGORITHM" +.IX Header "RSA-PSS ALGORITHM" +The RSA-PSS algorithm is a restricted version of the \s-1RSA\s0 algorithm which only +supports the sign and verify operations with \s-1PSS\s0 padding. The following +additional \fBpkeyopt\fR values are supported: +.IP "\fBrsa_padding_mode:mode\fR, \fBrsa_pss_saltlen:len\fR, \fBrsa_mgf1_md:digest\fR" 4 +.IX Item "rsa_padding_mode:mode, rsa_pss_saltlen:len, rsa_mgf1_md:digest" +These have the same meaning as the \fB\s-1RSA\s0\fR algorithm with some additional +restrictions. The padding mode can only be set to \fBpss\fR which is the +default value. +.Sp +If the key has parameter restrictions than the digest, \s-1MGF1\s0 +digest and salt length are set to the values specified in the parameters. +The digest and \s-1MG\s0 cannot be changed and the salt length cannot be set to a +value less than the minimum restriction. +.SH "DSA ALGORITHM" +.IX Header "DSA ALGORITHM" +The \s-1DSA\s0 algorithm supports signing and verification operations only. Currently +there are no additional options other than \fBdigest\fR. Only the \s-1SHA1\s0 +digest can be used and this digest is assumed by default. +.SH "DH ALGORITHM" +.IX Header "DH ALGORITHM" +The \s-1DH\s0 algorithm only supports the derivation operation and no additional +options. +.SH "EC ALGORITHM" +.IX Header "EC ALGORITHM" +The \s-1EC\s0 algorithm supports sign, verify and derive operations. The sign and +verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH.\s0 Currently there are no +additional options other than \fBdigest\fR. Only the \s-1SHA1\s0 digest can be used and +this digest is assumed by default. +.SH "X25519 and X448 ALGORITHMS" +.IX Header "X25519 and X448 ALGORITHMS" +The X25519 and X448 algorithms support key derivation only. Currently there are +no additional options. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Sign some data using a private key: +.PP +.Vb 1 +\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig +.Ve +.PP +Recover the signed data (e.g. if an \s-1RSA\s0 key is used): +.PP +.Vb 1 +\& openssl pkeyutl \-verifyrecover \-in sig \-inkey key.pem +.Ve +.PP +Verify the signature (e.g. a \s-1DSA\s0 key): +.PP +.Vb 1 +\& openssl pkeyutl \-verify \-in file \-sigfile sig \-inkey key.pem +.Ve +.PP +Sign data using a message digest value (this is currently only valid for \s-1RSA\s0): +.PP +.Vb 1 +\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig \-pkeyopt digest:sha256 +.Ve +.PP +Derive a shared secret value: +.PP +.Vb 1 +\& openssl pkeyutl \-derive \-inkey key.pem \-peerkey pubkey.pem \-out secret +.Ve +.PP +Hexdump 48 bytes of \s-1TLS1 PRF\s0 using digest \fB\s-1SHA256\s0\fR and shared secret and +seed consisting of the single byte 0xFF: +.PP +.Vb 2 +\& openssl pkeyutl \-kdf TLS1\-PRF \-kdflen 48 \-pkeyopt md:SHA256 \e +\& \-pkeyopt hexsecret:ff \-pkeyopt hexseed:ff \-hexdump +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIgenpkey\fR\|(1), \fIpkey\fR\|(1), \fIrsautl\fR\|(1) +\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIEVP_PKEY_CTX_set_hkdf_md\fR\|(3), \fIEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/prime.1 b/secure/usr.bin/openssl/man/prime.1 new file mode 100644 index 000000000000..ded2a5e5ac52 --- /dev/null +++ b/secure/usr.bin/openssl/man/prime.1 @@ -0,0 +1,185 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PRIME 1" +.TH PRIME 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-prime, prime \- compute prime numbers +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl prime\fR +[\fB\-help\fR] +[\fB\-hex\fR] +[\fB\-generate\fR] +[\fB\-bits\fR] +[\fB\-safe\fR] +[\fB\-checks\fR] +[\fInumber...\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBprime\fR command checks if the specified numbers are prime. +.PP +If no numbers are given on the command line, the \fB\-generate\fR flag should +be used to generate primes according to the requirements specified by the +rest of the flags. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "[\fB\-help\fR]" 4 +.IX Item "[-help]" +Display an option summary. +.IP "[\fB\-hex\fR]" 4 +.IX Item "[-hex]" +Generate hex output. +.IP "[\fB\-generate\fR]" 4 +.IX Item "[-generate]" +Generate a prime number. +.IP "[\fB\-bits num\fR]" 4 +.IX Item "[-bits num]" +Generate a prime with \fBnum\fR bits. +.IP "[\fB\-safe\fR]" 4 +.IX Item "[-safe]" +When used with \fB\-generate\fR, generates a \*(L"safe\*(R" prime. If the number +generated is \fBn\fR, then check that \fB(n\-1)/2\fR is also prime. +.IP "[\fB\-checks num\fR]" 4 +.IX Item "[-checks num]" +Perform the checks \fBnum\fR times to see that the generated number +is prime. The default is 20. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1 new file mode 100644 index 000000000000..ae88ed6a3b9b --- /dev/null +++ b/secure/usr.bin/openssl/man/rand.1 @@ -0,0 +1,192 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RAND 1" +.TH RAND 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-rand, rand \- generate pseudo\-random bytes +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl rand\fR +[\fB\-help\fR] +[\fB\-out\fR \fIfile\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-base64\fR] +[\fB\-hex\fR] +\&\fInum\fR +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding +the random number generator once. As in other \fBopenssl\fR command +line tools, \s-1PRNG\s0 seeding uses the file \fI\f(CI$HOME\fI/\fR\fB.rnd\fR or \fB.rnd\fR +in addition to the files given in the \fB\-rand\fR option. A new +\&\fI\f(CI$HOME\fI\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough +seeding was obtained from these sources. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out file\fR" 4 +.IX Item "-out file" +Write to \fIfile\fR instead of standard output. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-base64\fR" 4 +.IX Item "-base64" +Perform base64 encoding on the output. +.IP "\fB\-hex\fR" 4 +.IX Item "-hex" +Show the output as a hex string. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRAND_bytes\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1 new file mode 100644 index 000000000000..20cf8fe68768 --- /dev/null +++ b/secure/usr.bin/openssl/man/req.1 @@ -0,0 +1,788 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "REQ 1" +.TH REQ 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-req, req \- PKCS#10 certificate request and certificate generating utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBreq\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-text\fR] +[\fB\-pubkey\fR] +[\fB\-noout\fR] +[\fB\-verify\fR] +[\fB\-modulus\fR] +[\fB\-new\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-newkey rsa:bits\fR] +[\fB\-newkey alg:file\fR] +[\fB\-nodes\fR] +[\fB\-key filename\fR] +[\fB\-keyform PEM|DER\fR] +[\fB\-keyout filename\fR] +[\fB\-keygen_engine id\fR] +[\fB\-\f(BIdigest\fB\fR] +[\fB\-config filename\fR] +[\fB\-multivalue\-rdn\fR] +[\fB\-x509\fR] +[\fB\-days n\fR] +[\fB\-set_serial n\fR] +[\fB\-newhdr\fR] +[\fB\-addext ext\fR] +[\fB\-extensions section\fR] +[\fB\-reqexts section\fR] +[\fB\-precert\fR] +[\fB\-utf8\fR] +[\fB\-nameopt\fR] +[\fB\-reqopt\fR] +[\fB\-subject\fR] +[\fB\-subj arg\fR] +[\fB\-batch\fR] +[\fB\-verbose\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBreq\fR command primarily creates and processes certificate requests +in PKCS#10 format. It can additionally create self signed certificates +for use as root CAs for example. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded +form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it +consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and +footer lines. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a request from or standard input +if this option is not specified. A request is only read if the creation +options (\fB\-new\fR and \fB\-newkey\fR) are not specified. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write to or standard output by +default. +.IP "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +The output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the certificate request in text form. +.IP "\fB\-subject\fR" 4 +.IX Item "-subject" +Prints out the request subject (or certificate subject if \fB\-x509\fR is +specified) +.IP "\fB\-pubkey\fR" 4 +.IX Item "-pubkey" +Outputs the public key. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option prevents output of the encoded version of the request. +.IP "\fB\-modulus\fR" 4 +.IX Item "-modulus" +This option prints out the value of the modulus of the public key +contained in the request. +.IP "\fB\-verify\fR" 4 +.IX Item "-verify" +Verifies the signature on the request. +.IP "\fB\-new\fR" 4 +.IX Item "-new" +This option generates a new certificate request. It will prompt +the user for the relevant field values. The actual fields +prompted for and their maximum and minimum sizes are specified +in the configuration file and any requested extensions. +.Sp +If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private +key using information specified in the configuration file. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-newkey arg\fR" 4 +.IX Item "-newkey arg" +This option creates a new certificate request and a new private +key. The argument takes one of several forms. \fBrsa:nbits\fR, where +\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR +in size. If \fBnbits\fR is omitted, i.e. \fB\-newkey rsa\fR specified, +the default key size, specified in the configuration file is used. +.Sp +All other algorithms support the \fB\-newkey alg:file\fR form, where file may be +an algorithm parameter file, created by the \fBgenpkey \-genparam\fR command +or and X.509 certificate for a key with appropriate algorithm. +.Sp +\&\fBparam:file\fR generates a key using the parameter file or certificate \fBfile\fR, +the algorithm is determined by the parameters. \fBalgname:file\fR use algorithm +\&\fBalgname\fR and parameter file \fBfile\fR: the two algorithms must match or an +error occurs. \fBalgname\fR just uses algorithm \fBalgname\fR, and parameters, +if necessary should be specified via \fB\-pkeyopt\fR parameter. +.Sp +\&\fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters +in the file \fBfilename\fR. \fBec:filename\fR generates \s-1EC\s0 key (usable both with +\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:filename\fR generates \s-1GOST R +34.10\-2001\s0 key (requires \fBccgost\fR engine configured in the configuration +file). If just \fBgost2001\fR is specified a parameter set should be +specified by \fB\-pkeyopt paramset:X\fR +.IP "\fB\-pkeyopt opt:value\fR" 4 +.IX Item "-pkeyopt opt:value" +Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of +options supported depends on the public key algorithm used and its +implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR in the \fBgenpkey\fR manual page +for more details. +.IP "\fB\-key filename\fR" 4 +.IX Item "-key filename" +This specifies the file to read the private key from. It also +accepts PKCS#8 format private keys for \s-1PEM\s0 format files. +.IP "\fB\-keyform PEM|DER\fR" 4 +.IX Item "-keyform PEM|DER" +The format of the private key file specified in the \fB\-key\fR +argument. \s-1PEM\s0 is the default. +.IP "\fB\-keyout filename\fR" 4 +.IX Item "-keyout filename" +This gives the filename to write the newly created private key to. +If this option is not specified then the filename present in the +configuration file is used. +.IP "\fB\-nodes\fR" 4 +.IX Item "-nodes" +If this option is specified then if a private key is created it +will not be encrypted. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +This specifies the message digest to sign the request. +Any digest supported by the OpenSSL \fBdgst\fR command can be used. +This overrides the digest algorithm specified in +the configuration file. +.Sp +Some public key algorithms may override this choice. For instance, \s-1DSA\s0 +signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use +\&\s-1GOST R 34.11\-94\s0 (\fB\-md_gost94\fR), Ed25519 and Ed448 never use any digest. +.IP "\fB\-config filename\fR" 4 +.IX Item "-config filename" +This allows an alternative configuration file to be specified. +Optional; for a description of the default value, +see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fIopenssl\fR\|(1). +.IP "\fB\-subj arg\fR" 4 +.IX Item "-subj arg" +Sets subject name for new request or supersedes the subject name +when processing a request. +The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR. +Keyword characters may be escaped by \e (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the request. +.IP "\fB\-multivalue\-rdn\fR" 4 +.IX Item "-multivalue-rdn" +This option causes the \-subj argument to be interpreted with full +support for multivalued RDNs. Example: +.Sp +\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR +.Sp +If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. +.IP "\fB\-x509\fR" 4 +.IX Item "-x509" +This option outputs a self signed certificate instead of a certificate +request. This is typically used to generate a test certificate or +a self signed root \s-1CA.\s0 The extensions added to the certificate +(if any) are specified in the configuration file. Unless specified +using the \fBset_serial\fR option, a large random number will be used for +the serial number. +.Sp +If existing request is specified with the \fB\-in\fR option, it is converted +to the self signed certificate otherwise new request is created. +.IP "\fB\-days n\fR" 4 +.IX Item "-days n" +When the \fB\-x509\fR option is being used this specifies the number of +days to certify the certificate for, otherwise it is ignored. \fBn\fR should +be a positive integer. The default is 30 days. +.IP "\fB\-set_serial n\fR" 4 +.IX Item "-set_serial n" +Serial number to use when outputting a self signed certificate. This +may be specified as a decimal value or a hex value if preceded by \fB0x\fR. +.IP "\fB\-addext ext\fR" 4 +.IX Item "-addext ext" +Add a specific extension to the certificate (if the \fB\-x509\fR option is +present) or certificate request. The argument must have the form of +a key=value pair as it would appear in a config file. +.Sp +This option can be given multiple times. +.IP "\fB\-extensions section\fR" 4 +.IX Item "-extensions section" +.PD 0 +.IP "\fB\-reqexts section\fR" 4 +.IX Item "-reqexts section" +.PD +These options specify alternative sections to include certificate +extensions (if the \fB\-x509\fR option is present) or certificate +request extensions. This allows several different sections to +be used in the same configuration file to specify requests for +a variety of purposes. +.IP "\fB\-precert\fR" 4 +.IX Item "-precert" +A poison extension will be added to the certificate, making it a +\&\*(L"pre-certificate\*(R" (see \s-1RFC6962\s0). This can be submitted to Certificate +Transparency logs in order to obtain signed certificate timestamps (SCTs). +These SCTs can then be embedded into the pre-certificate as an extension, before +removing the poison and signing the certificate. +.Sp +This implies the \fB\-new\fR flag. +.IP "\fB\-utf8\fR" 4 +.IX Item "-utf8" +This option causes field values to be interpreted as \s-1UTF8\s0 strings, by +default they are interpreted as \s-1ASCII.\s0 This means that the field +values, whether prompted from a terminal or obtained from a +configuration file, must be valid \s-1UTF8\s0 strings. +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. +.IP "\fB\-reqopt\fR" 4 +.IX Item "-reqopt" +Customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be +a single option or multiple options separated by commas. +.Sp +See discussion of the \fB\-certopt\fR parameter in the \fIx509\fR\|(1) +command. +.IP "\fB\-newhdr\fR" 4 +.IX Item "-newhdr" +Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputted +request. Some software (Netscape certificate server) and some CAs need this. +.IP "\fB\-batch\fR" 4 +.IX Item "-batch" +Non-interactive mode. +.IP "\fB\-verbose\fR" 4 +.IX Item "-verbose" +Print extra details about the operations being performed. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBreq\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-keygen_engine id\fR" 4 +.IX Item "-keygen_engine id" +Specifies an engine (by its unique \fBid\fR string) which would be used +for key generation operations. +.SH "CONFIGURATION FILE FORMAT" +.IX Header "CONFIGURATION FILE FORMAT" +The configuration options are specified in the \fBreq\fR section of +the configuration file. As with all configuration files if no +value is specified in the specific section (i.e. \fBreq\fR) then +the initial unnamed or \fBdefault\fR section is searched too. +.PP +The options available are described in detail below. +.IP "\fBinput_password output_password\fR" 4 +.IX Item "input_password output_password" +The passwords for the input private key file (if present) and +the output private key file (if one will be created). The +command line options \fBpassin\fR and \fBpassout\fR override the +configuration file values. +.IP "\fBdefault_bits\fR" 4 +.IX Item "default_bits" +Specifies the default key size in bits. +.Sp +This option is used in conjunction with the \fB\-new\fR option to generate +a new key. It can be overridden by specifying an explicit key size in +the \fB\-newkey\fR option. The smallest accepted key size is 512 bits. If +no key size is specified then 2048 bits is used. +.IP "\fBdefault_keyfile\fR" 4 +.IX Item "default_keyfile" +This is the default filename to write a private key to. If not +specified the key is written to standard output. This can be +overridden by the \fB\-keyout\fR option. +.IP "\fBoid_file\fR" 4 +.IX Item "oid_file" +This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR. +Each line of the file should consist of the numerical form of the +object identifier followed by white space then the short name followed +by white space and finally the long name. +.IP "\fBoid_section\fR" 4 +.IX Item "oid_section" +This specifies a section in the configuration file containing extra +object identifiers. Each line should consist of the short name of the +object identifier followed by \fB=\fR and the numerical form. The short +and long names are the same when this option is used. +.IP "\fB\s-1RANDFILE\s0\fR" 4 +.IX Item "RANDFILE" +At startup the specified file is loaded into the random number generator, +and at exit 256 bytes will be written to it. +It is used for private key generation. +.IP "\fBencrypt_key\fR" 4 +.IX Item "encrypt_key" +If this is set to \fBno\fR then if a private key is generated it is +\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line +option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option. +.IP "\fBdefault_md\fR" 4 +.IX Item "default_md" +This option specifies the digest algorithm to use. Any digest supported by the +OpenSSL \fBdgst\fR command can be used. This option can be overridden on the +command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore +any digest that has been set. +.IP "\fBstring_mask\fR" 4 +.IX Item "string_mask" +This option masks out the use of certain string types in certain +fields. Most users will not need to change this option. +.Sp +It can be set to several values \fBdefault\fR which is also the default +option uses PrintableStrings, T61Strings and BMPStrings if the +\&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will +be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459.\s0 If the +\&\fButf8only\fR option is used then only UTF8Strings will be used: this +is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR +option just uses PrintableStrings and T61Strings: certain software has +problems with BMPStrings and UTF8Strings: in particular Netscape. +.IP "\fBreq_extensions\fR" 4 +.IX Item "req_extensions" +This specifies the configuration file section containing a list of +extensions to add to the certificate request. It can be overridden +by the \fB\-reqexts\fR command line switch. See the +\&\fIx509v3_config\fR\|(5) manual page for details of the +extension section format. +.IP "\fBx509_extensions\fR" 4 +.IX Item "x509_extensions" +This specifies the configuration file section containing a list of +extensions to add to certificate generated when the \fB\-x509\fR switch +is used. It can be overridden by the \fB\-extensions\fR command line switch. +.IP "\fBprompt\fR" 4 +.IX Item "prompt" +If set to the value \fBno\fR this disables prompting of certificate fields +and just takes values from the config file directly. It also changes the +expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections. +.IP "\fButf8\fR" 4 +.IX Item "utf8" +If set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0 +strings, by default they are interpreted as \s-1ASCII.\s0 This means that +the field values, whether prompted from a terminal or obtained from a +configuration file, must be valid \s-1UTF8\s0 strings. +.IP "\fBattributes\fR" 4 +.IX Item "attributes" +This specifies the section containing any request attributes: its format +is the same as \fBdistinguished_name\fR. Typically these may contain the +challengePassword or unstructuredName types. They are currently ignored +by OpenSSL's request signing utilities but some CAs might want them. +.IP "\fBdistinguished_name\fR" 4 +.IX Item "distinguished_name" +This specifies the section containing the distinguished name fields to +prompt for when generating a certificate or certificate request. The format +is described in the next section. +.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" +.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" +There are two separate formats for the distinguished name and attribute +sections. If the \fBprompt\fR option is set to \fBno\fR then these sections +just consist of field names and values: for example, +.PP +.Vb 3 +\& CN=My Name +\& OU=My Organization +\& emailAddress=someone@somewhere.org +.Ve +.PP +This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file +with all the field names and values and just pass it to \fBreq\fR. An example +of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section. +.PP +Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the +file contains field prompting information. It consists of lines of the form: +.PP +.Vb 4 +\& fieldName="prompt" +\& fieldName_default="default field value" +\& fieldName_min= 2 +\& fieldName_max= 4 +.Ve +.PP +\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0). +The \*(L"prompt\*(R" string is used to ask the user to enter the relevant +details. If the user enters nothing then the default value is used if no +default value is present then the field is omitted. A field can +still be omitted if a default value is present if the user just +enters the '.' character. +.PP +The number of characters entered must be between the fieldName_min and +fieldName_max limits: there may be additional restrictions based +on the field being used (for example countryName can only ever be +two characters long and must fit in a PrintableString). +.PP +Some fields (such as organizationName) can be used more than once +in a \s-1DN.\s0 This presents a problem because configuration files will +not recognize the same name occurring twice. To avoid this problem +if the fieldName contains some characters followed by a full stop +they will be ignored. So for example a second organizationName can +be input by calling it \*(L"1.organizationName\*(R". +.PP +The actual permitted field names are any object identifier short or +long names. These are compiled into OpenSSL and include the usual +values such as commonName, countryName, localityName, organizationName, +organizationalUnitName, stateOrProvinceName. Additionally emailAddress +is include as well as name, surname, givenName initials and dnQualifier. +.PP +Additional object identifiers can be defined with the \fBoid_file\fR or +\&\fBoid_section\fR options in the configuration file. Any additional fields +will be treated as though they were a DirectoryString. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Examine and verify certificate request: +.PP +.Vb 1 +\& openssl req \-in req.pem \-text \-verify \-noout +.Ve +.PP +Create a private key and then generate a certificate request from it: +.PP +.Vb 2 +\& openssl genrsa \-out key.pem 2048 +\& openssl req \-new \-key key.pem \-out req.pem +.Ve +.PP +The same but just using req: +.PP +.Vb 1 +\& openssl req \-newkey rsa:2048 \-keyout key.pem \-out req.pem +.Ve +.PP +Generate a self signed root certificate: +.PP +.Vb 1 +\& openssl req \-x509 \-newkey rsa:2048 \-keyout key.pem \-out req.pem +.Ve +.PP +Example of a file pointed to by the \fBoid_file\fR option: +.PP +.Vb 2 +\& 1.2.3.4 shortName A longer Name +\& 1.2.3.6 otherName Other longer Name +.Ve +.PP +Example of a section pointed to by \fBoid_section\fR making use of variable +expansion: +.PP +.Vb 2 +\& testoid1=1.2.3.5 +\& testoid2=${testoid1}.6 +.Ve +.PP +Sample configuration file prompting for field values: +.PP +.Vb 6 +\& [ req ] +\& default_bits = 2048 +\& default_keyfile = privkey.pem +\& distinguished_name = req_distinguished_name +\& attributes = req_attributes +\& req_extensions = v3_ca +\& +\& dirstring_type = nobmp +\& +\& [ req_distinguished_name ] +\& countryName = Country Name (2 letter code) +\& countryName_default = AU +\& countryName_min = 2 +\& countryName_max = 2 +\& +\& localityName = Locality Name (eg, city) +\& +\& organizationalUnitName = Organizational Unit Name (eg, section) +\& +\& commonName = Common Name (eg, YOUR name) +\& commonName_max = 64 +\& +\& emailAddress = Email Address +\& emailAddress_max = 40 +\& +\& [ req_attributes ] +\& challengePassword = A challenge password +\& challengePassword_min = 4 +\& challengePassword_max = 20 +\& +\& [ v3_ca ] +\& +\& subjectKeyIdentifier=hash +\& authorityKeyIdentifier=keyid:always,issuer:always +\& basicConstraints = critical, CA:true +.Ve +.PP +Sample configuration containing all field values: +.PP +.Vb 1 +\& RANDFILE = $ENV::HOME/.rnd +\& +\& [ req ] +\& default_bits = 2048 +\& default_keyfile = keyfile.pem +\& distinguished_name = req_distinguished_name +\& attributes = req_attributes +\& prompt = no +\& output_password = mypass +\& +\& [ req_distinguished_name ] +\& C = GB +\& ST = Test State or Province +\& L = Test Locality +\& O = Organization Name +\& OU = Organizational Unit Name +\& CN = Common Name +\& emailAddress = test@email.address +\& +\& [ req_attributes ] +\& challengePassword = A challenge password +.Ve +.PP +Example of giving the most common attributes (subject and extensions) +on the command line: +.PP +.Vb 4 +\& openssl req \-new \-subj "/C=GB/CN=foo" \e +\& \-addext "subjectAltName = DNS:foo.co.uk" \e +\& \-addext "certificatePolicies = 1.2.3.4" \e +\& \-newkey rsa:2048 \-keyout key.pem \-out req.pem +.Ve +.SH "NOTES" +.IX Header "NOTES" +The header and footer lines in the \fB\s-1PEM\s0\fR format are normally: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN CERTIFICATE REQUEST\-\-\-\-\- +\& \-\-\-\-\-END CERTIFICATE REQUEST\-\-\-\-\- +.Ve +.PP +some software (some versions of Netscape certificate server) instead needs: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN NEW CERTIFICATE REQUEST\-\-\-\-\- +\& \-\-\-\-\-END NEW CERTIFICATE REQUEST\-\-\-\-\- +.Ve +.PP +which is produced with the \fB\-newhdr\fR option but is otherwise compatible. +Either form is accepted transparently on input. +.PP +The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions +added. It includes the \fBkeyUsage\fR extension which determines the type of +key (signature only or general purpose) and any additional OIDs entered +by the script in an extendedKeyUsage extension. +.SH "DIAGNOSTICS" +.IX Header "DIAGNOSTICS" +The following messages are frequently asked about: +.PP +.Vb 2 +\& Using configuration from /some/path/openssl.cnf +\& Unable to load config info +.Ve +.PP +This is followed some time later by... +.PP +.Vb 2 +\& unable to find \*(Aqdistinguished_name\*(Aq in config +\& problems making Certificate Request +.Ve +.PP +The first error message is the clue: it can't find the configuration +file! Certain operations (like examining a certificate request) don't +need a configuration file so its use isn't enforced. Generation of +certificates or requests however does need a configuration file. This +could be regarded as a bug. +.PP +Another puzzling message is this: +.PP +.Vb 2 +\& Attributes: +\& a0:00 +.Ve +.PP +this is displayed when no attributes are present and the request includes +the correct empty \fB\s-1SET OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0 +0x00). If you just see: +.PP +.Vb 1 +\& Attributes: +.Ve +.PP +then the \fB\s-1SET OF\s0\fR is missing and the encoding is technically invalid (but +it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR +for more information. +.SH "BUGS" +.IX Header "BUGS" +OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively +treats them as \s-1ISO\-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour. +This can cause problems if you need characters that aren't available in +PrintableStrings and you don't want to or can't use BMPStrings. +.PP +As a consequence of the T61String handling the only correct way to represent +accented characters in OpenSSL is to use a BMPString: unfortunately Netscape +currently chokes on these. If you have to use accented characters with Netscape +and \s-1MSIE\s0 then you currently need to use the invalid T61String form. +.PP +The current prompting is not very friendly. It doesn't allow you to confirm what +you've just entered. Other things like extensions in certificate requests are +statically defined in the configuration file. Some of these: like an email +address in subjectAltName should be input by the user. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIgendsa\fR\|(1), \fIconfig\fR\|(5), +\&\fIx509v3_config\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1 new file mode 100644 index 000000000000..53e2d89a7f74 --- /dev/null +++ b/secure/usr.bin/openssl/man/rsa.1 @@ -0,0 +1,326 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RSA 1" +.TH RSA 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-rsa, rsa \- RSA key processing tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBrsa\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-aes128\fR] +[\fB\-aes192\fR] +[\fB\-aes256\fR] +[\fB\-aria128\fR] +[\fB\-aria192\fR] +[\fB\-aria256\fR] +[\fB\-camellia128\fR] +[\fB\-camellia192\fR] +[\fB\-camellia256\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-modulus\fR] +[\fB\-check\fR] +[\fB\-pubin\fR] +[\fB\-pubout\fR] +[\fB\-RSAPublicKey_in\fR] +[\fB\-RSAPublicKey_out\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBrsa\fR command processes \s-1RSA\s0 keys. They can be converted between various +forms and their components printed out. \fBNote\fR this command uses the +traditional SSLeay compatible format for private key encryption: newer +applications should use the more secure PKCS#8 format using the \fBpkcs8\fR +utility. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded +form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. +The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 +encoded with additional header and footer lines. On input PKCS#8 format private +keys are also accepted. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output if this +option is not specified. If any encryption options are set then a pass phrase +will be prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.IP "\fB\-passout password\fR" 4 +.IX Item "-passout password" +The output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4 +.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea" +These options encrypt the private key with the specified +cipher before outputting it. A pass phrase is prompted for. +If none of these options is specified the key is written in plain text. This +means that using the \fBrsa\fR utility to read in an encrypted key with no +encryption option can be used to remove the pass phrase from a key, or by +setting the encryption options it can be use to add or change the pass phrase. +These options can only be used with \s-1PEM\s0 format output files. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the various public or private key components in +plain text in addition to the encoded version. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option prevents output of the encoded version of the key. +.IP "\fB\-modulus\fR" 4 +.IX Item "-modulus" +This option prints out the value of the modulus of the key. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +This option checks the consistency of an \s-1RSA\s0 private key. +.IP "\fB\-pubin\fR" 4 +.IX Item "-pubin" +By default a private key is read from the input file: with this +option a public key is read instead. +.IP "\fB\-pubout\fR" 4 +.IX Item "-pubout" +By default a private key is output: with this option a public +key will be output instead. This option is automatically set if +the input is a public key. +.IP "\fB\-RSAPublicKey_in\fR, \fB\-RSAPublicKey_out\fR" 4 +.IX Item "-RSAPublicKey_in, -RSAPublicKey_out" +Like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBrsa\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 private key format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- +\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- +.Ve +.PP +The \s-1PEM\s0 public key format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\- +\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +.Ve +.PP +The \s-1PEM\s0 \fBRSAPublicKey\fR format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN RSA PUBLIC KEY\-\-\-\-\- +\& \-\-\-\-\-END RSA PUBLIC KEY\-\-\-\-\- +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To remove the pass phrase on an \s-1RSA\s0 private key: +.PP +.Vb 1 +\& openssl rsa \-in key.pem \-out keyout.pem +.Ve +.PP +To encrypt a private key using triple \s-1DES:\s0 +.PP +.Vb 1 +\& openssl rsa \-in key.pem \-des3 \-out keyout.pem +.Ve +.PP +To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl rsa \-in key.pem \-outform DER \-out keyout.der +.Ve +.PP +To print out the components of a private key to standard output: +.PP +.Vb 1 +\& openssl rsa \-in key.pem \-text \-noout +.Ve +.PP +To just output the public part of a private key: +.PP +.Vb 1 +\& openssl rsa \-in key.pem \-pubout \-out pubkey.pem +.Ve +.PP +Output the public part of a private key in \fBRSAPublicKey\fR format: +.PP +.Vb 1 +\& openssl rsa \-in key.pem \-RSAPublicKey_out \-out pubkey.pem +.Ve +.SH "BUGS" +.IX Header "BUGS" +There should be an option that automatically handles .key files, +without having to manually edit them. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIpkcs8\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIgendsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1 new file mode 100644 index 000000000000..089d1ac60789 --- /dev/null +++ b/secure/usr.bin/openssl/man/rsautl.1 @@ -0,0 +1,341 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RSAUTL 1" +.TH RSAUTL 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-rsautl, rsautl \- RSA utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBrsautl\fR +[\fB\-help\fR] +[\fB\-in file\fR] +[\fB\-out file\fR] +[\fB\-inkey file\fR] +[\fB\-keyform PEM|DER|ENGINE\fR] +[\fB\-pubin\fR] +[\fB\-certin\fR] +[\fB\-sign\fR] +[\fB\-verify\fR] +[\fB\-encrypt\fR] +[\fB\-decrypt\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-pkcs\fR] +[\fB\-ssl\fR] +[\fB\-raw\fR] +[\fB\-hexdump\fR] +[\fB\-asn1parse\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt +data using the \s-1RSA\s0 algorithm. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read data from or standard input +if this option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Specifies the output filename to write to or standard output by +default. +.IP "\fB\-inkey file\fR" 4 +.IX Item "-inkey file" +The input key file, by default it should be an \s-1RSA\s0 private key. +.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4 +.IX Item "-keyform PEM|DER|ENGINE" +The key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 +.IP "\fB\-pubin\fR" 4 +.IX Item "-pubin" +The input file is an \s-1RSA\s0 public key. +.IP "\fB\-certin\fR" 4 +.IX Item "-certin" +The input is a certificate containing an \s-1RSA\s0 public key. +.IP "\fB\-sign\fR" 4 +.IX Item "-sign" +Sign the input data and output the signed result. This requires +an \s-1RSA\s0 private key. +.IP "\fB\-verify\fR" 4 +.IX Item "-verify" +Verify the input data and output the recovered data. +.IP "\fB\-encrypt\fR" 4 +.IX Item "-encrypt" +Encrypt the input data using an \s-1RSA\s0 public key. +.IP "\fB\-decrypt\fR" 4 +.IX Item "-decrypt" +Decrypt the input data using an \s-1RSA\s0 private key. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4 +.IX Item "-pkcs, -oaep, -ssl, -raw" +The padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,\s0 +special padding used in \s-1SSL\s0 v2 backwards compatible handshakes, +or no padding, respectively. +For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used. +.IP "\fB\-hexdump\fR" 4 +.IX Item "-hexdump" +Hex dump the output data. +.IP "\fB\-asn1parse\fR" 4 +.IX Item "-asn1parse" +Parse the \s-1ASN.1\s0 output data, this is useful when combined with the +\&\fB\-verify\fR option. +.SH "NOTES" +.IX Header "NOTES" +\&\fBrsautl\fR because it uses the \s-1RSA\s0 algorithm directly can only be +used to sign or verify small pieces of data. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Sign some data using a private key: +.PP +.Vb 1 +\& openssl rsautl \-sign \-in file \-inkey key.pem \-out sig +.Ve +.PP +Recover the signed data +.PP +.Vb 1 +\& openssl rsautl \-verify \-in sig \-inkey key.pem +.Ve +.PP +Examine the raw signed data: +.PP +.Vb 1 +\& openssl rsautl \-verify \-in sig \-inkey key.pem \-raw \-hexdump +\& +\& 0000 \- 00 01 ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ +\& 0010 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ +\& 0020 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ +\& 0030 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ +\& 0040 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ +\& 0050 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ +\& 0060 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ +\& 0070 \- ff ff ff ff 00 68 65 6c\-6c 6f 20 77 6f 72 6c 64 .....hello world +.Ve +.PP +The PKCS#1 block formatting is evident from this. If this was done using +encrypt and decrypt the block would have been of type 2 (the second byte) +and random padding data visible instead of the 0xff bytes. +.PP +It is possible to analyse the signature of certificates using this +utility in conjunction with \fBasn1parse\fR. Consider the self signed +example in certs/pca\-cert.pem . Running \fBasn1parse\fR as follows yields: +.PP +.Vb 1 +\& openssl asn1parse \-in pca\-cert.pem +\& +\& 0:d=0 hl=4 l= 742 cons: SEQUENCE +\& 4:d=1 hl=4 l= 591 cons: SEQUENCE +\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ] +\& 10:d=3 hl=2 l= 1 prim: INTEGER :02 +\& 13:d=2 hl=2 l= 1 prim: INTEGER :00 +\& 16:d=2 hl=2 l= 13 cons: SEQUENCE +\& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption +\& 29:d=3 hl=2 l= 0 prim: NULL +\& 31:d=2 hl=2 l= 92 cons: SEQUENCE +\& 33:d=3 hl=2 l= 11 cons: SET +\& 35:d=4 hl=2 l= 9 cons: SEQUENCE +\& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName +\& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU +\& .... +\& 599:d=1 hl=2 l= 13 cons: SEQUENCE +\& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption +\& 612:d=2 hl=2 l= 0 prim: NULL +\& 614:d=1 hl=3 l= 129 prim: BIT STRING +.Ve +.PP +The final \s-1BIT STRING\s0 contains the actual signature. It can be extracted with: +.PP +.Vb 1 +\& openssl asn1parse \-in pca\-cert.pem \-out sig \-noout \-strparse 614 +.Ve +.PP +The certificate public key can be extracted with: +.PP +.Vb 1 +\& openssl x509 \-in test/testx509.pem \-pubkey \-noout >pubkey.pem +.Ve +.PP +The signature can be analysed with: +.PP +.Vb 1 +\& openssl rsautl \-in sig \-verify \-asn1parse \-inkey pubkey.pem \-pubin +\& +\& 0:d=0 hl=2 l= 32 cons: SEQUENCE +\& 2:d=1 hl=2 l= 12 cons: SEQUENCE +\& 4:d=2 hl=2 l= 8 prim: OBJECT :md5 +\& 14:d=2 hl=2 l= 0 prim: NULL +\& 16:d=1 hl=2 l= 16 prim: OCTET STRING +\& 0000 \- f3 46 9e aa 1a 4a 73 c9\-37 ea 93 00 48 25 08 b5 .F...Js.7...H%.. +.Ve +.PP +This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that +the digest used was md5. The actual part of the certificate that was signed can +be extracted with: +.PP +.Vb 1 +\& openssl asn1parse \-in pca\-cert.pem \-out tbs \-noout \-strparse 4 +.Ve +.PP +and its digest computed with: +.PP +.Vb 2 +\& openssl md5 \-c tbs +\& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5 +.Ve +.PP +which it can be seen agrees with the recovered value above. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1 new file mode 100644 index 000000000000..3601cd511b79 --- /dev/null +++ b/secure/usr.bin/openssl/man/s_client.1 @@ -0,0 +1,848 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "S_CLIENT 1" +.TH S_CLIENT 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-s_client, s_client \- SSL/TLS client program +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBs_client\fR +[\fB\-help\fR] +[\fB\-connect host:port\fR] +[\fB\-bind host:port\fR] +[\fB\-proxy host:port\fR] +[\fB\-unix path\fR] +[\fB\-4\fR] +[\fB\-6\fR] +[\fB\-servername name\fR] +[\fB\-noservername\fR] +[\fB\-verify depth\fR] +[\fB\-verify_return_error\fR] +[\fB\-cert filename\fR] +[\fB\-certform DER|PEM\fR] +[\fB\-key filename\fR] +[\fB\-keyform DER|PEM\fR] +[\fB\-cert_chain filename\fR] +[\fB\-build_chain\fR] +[\fB\-xkey\fR] +[\fB\-xcert\fR] +[\fB\-xchain\fR] +[\fB\-xchain_build\fR] +[\fB\-xcertform PEM|DER\fR] +[\fB\-xkeyform PEM|DER\fR] +[\fB\-pass arg\fR] +[\fB\-CApath directory\fR] +[\fB\-CAfile filename\fR] +[\fB\-chainCApath directory\fR] +[\fB\-chainCAfile filename\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-requestCAfile filename\fR] +[\fB\-dane_tlsa_domain domain\fR] +[\fB\-dane_tlsa_rrdata rrdata\fR] +[\fB\-dane_ee_no_namechecks\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-no_check_time\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] +[\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level num\fR] +[\fB\-nameopt option\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-build_chain\fR] +[\fB\-x509_strict\fR] +[\fB\-reconnect\fR] +[\fB\-showcerts\fR] +[\fB\-debug\fR] +[\fB\-msg\fR] +[\fB\-nbio_test\fR] +[\fB\-state\fR] +[\fB\-nbio\fR] +[\fB\-crlf\fR] +[\fB\-ign_eof\fR] +[\fB\-no_ign_eof\fR] +[\fB\-psk_identity identity\fR] +[\fB\-psk key\fR] +[\fB\-psk_session file\fR] +[\fB\-quiet\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-tls1_1\fR] +[\fB\-tls1_2\fR] +[\fB\-tls1_3\fR] +[\fB\-no_ssl3\fR] +[\fB\-no_tls1\fR] +[\fB\-no_tls1_1\fR] +[\fB\-no_tls1_2\fR] +[\fB\-no_tls1_3\fR] +[\fB\-dtls\fR] +[\fB\-dtls1\fR] +[\fB\-dtls1_2\fR] +[\fB\-sctp\fR] +[\fB\-fallback_scsv\fR] +[\fB\-async\fR] +[\fB\-max_send_frag\fR] +[\fB\-split_send_frag\fR] +[\fB\-max_pipelines\fR] +[\fB\-read_buf\fR] +[\fB\-bugs\fR] +[\fB\-comp\fR] +[\fB\-no_comp\fR] +[\fB\-allow_no_dhe_kex\fR] +[\fB\-sigalgs sigalglist\fR] +[\fB\-curves curvelist\fR] +[\fB\-cipher cipherlist\fR] +[\fB\-ciphersuites val\fR] +[\fB\-serverpref\fR] +[\fB\-starttls protocol\fR] +[\fB\-xmpphost hostname\fR] +[\fB\-name hostname\fR] +[\fB\-engine id\fR] +[\fB\-tlsextdebug\fR] +[\fB\-no_ticket\fR] +[\fB\-sess_out filename\fR] +[\fB\-sess_in filename\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-serverinfo types\fR] +[\fB\-status\fR] +[\fB\-alpn protocols\fR] +[\fB\-nextprotoneg protocols\fR] +[\fB\-ct\fR] +[\fB\-noct\fR] +[\fB\-ctlogfile\fR] +[\fB\-keylogfile file\fR] +[\fB\-early_data file\fR] +[\fB\-enable_pha\fR] +[\fBtarget\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects +to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic tool for +\&\s-1SSL\s0 servers. +.SH "OPTIONS" +.IX Header "OPTIONS" +In addition to the options below the \fBs_client\fR utility also supports the +common and client only options documented in the +in the \*(L"Supported Command Line Commands\*(R" section of the \fISSL_CONF_cmd\fR\|(3) +manual page. +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-connect host:port\fR" 4 +.IX Item "-connect host:port" +This specifies the host and optional port to connect to. It is possible to +select the host and port using the optional target positional argument instead. +If neither this nor the target positional argument are specified then an attempt +is made to connect to the local host on port 4433. +.IP "\fB\-bind host:port\fR]" 4 +.IX Item "-bind host:port]" +This specifies the host address and or port to bind as the source for the +connection. For Unix-domain sockets the port is ignored and the host is +used as the source socket address. +.IP "\fB\-proxy host:port\fR" 4 +.IX Item "-proxy host:port" +When used with the \fB\-connect\fR flag, the program uses the host and port +specified with this flag and issues an \s-1HTTP CONNECT\s0 command to connect +to the desired server. +.IP "\fB\-unix path\fR" 4 +.IX Item "-unix path" +Connect over the specified Unix-domain socket. +.IP "\fB\-4\fR" 4 +.IX Item "-4" +Use IPv4 only. +.IP "\fB\-6\fR" 4 +.IX Item "-6" +Use IPv6 only. +.IP "\fB\-servername name\fR" 4 +.IX Item "-servername name" +Set the \s-1TLS SNI\s0 (Server Name Indication) extension in the ClientHello message to +the given value. If both this option and the \fB\-noservername\fR are not given, the +\&\s-1TLS SNI\s0 extension is still set to the hostname provided to the \fB\-connect\fR option, +or \*(L"localhost\*(R" if \fB\-connect\fR has not been supplied. This is default since OpenSSL +1.1.1. +.Sp +Even though \s-1SNI\s0 name should normally be a \s-1DNS\s0 name and not an \s-1IP\s0 address, this +option will not make the distinction when parsing \fB\-connect\fR and will send +\&\s-1IP\s0 address if one passed. +.IP "\fB\-noservername\fR" 4 +.IX Item "-noservername" +Suppresses sending of the \s-1SNI\s0 (Server Name Indication) extension in the +ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or +<\-dane_tlsa_domain> options. +.IP "\fB\-cert certname\fR" 4 +.IX Item "-cert certname" +The certificate to use, if one is requested by the server. The default is +not to use a certificate. +.IP "\fB\-certform format\fR" 4 +.IX Item "-certform format" +The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. +.IP "\fB\-key keyfile\fR" 4 +.IX Item "-key keyfile" +The private key to use. If not specified then the certificate file will +be used. +.IP "\fB\-keyform format\fR" 4 +.IX Item "-keyform format" +The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. +.IP "\fB\-cert_chain\fR" 4 +.IX Item "-cert_chain" +A file containing trusted certificates to use when attempting to build the +client/server certificate chain related to the certificate specified via the +\&\fB\-cert\fR option. +.IP "\fB\-build_chain\fR" 4 +.IX Item "-build_chain" +Specify whether the application should build the certificate chain to be +provided to the server. +.IP "\fB\-xkey infile\fR, \fB\-xcert infile\fR, \fB\-xchain\fR" 4 +.IX Item "-xkey infile, -xcert infile, -xchain" +Specify an extra certificate, private key and certificate chain. These behave +in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When +specified, the callback returning the first valid chain will be in use by the +client. +.IP "\fB\-xchain_build\fR" 4 +.IX Item "-xchain_build" +Specify whether the application should build the certificate chain to be +provided to the server for the extra certificates provided via \fB\-xkey infile\fR, +\&\fB\-xcert infile\fR, \fB\-xchain\fR options. +.IP "\fB\-xcertform PEM|DER\fR, \fB\-xkeyform PEM|DER\fR" 4 +.IX Item "-xcertform PEM|DER, -xkeyform PEM|DER" +Extra certificate and private key format respectively. +.IP "\fB\-pass arg\fR" 4 +.IX Item "-pass arg" +the private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-verify depth\fR" 4 +.IX Item "-verify depth" +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. +Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. As a side effect the connection +will never fail due to a server certificate verify failure. +.IP "\fB\-verify_return_error\fR" 4 +.IX Item "-verify_return_error" +Return verification errors instead of continuing. This will typically +abort the handshake with a fatal error. +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. +.IP "\fB\-CApath directory\fR" 4 +.IX Item "-CApath directory" +The directory to use for server certificate verification. This directory +must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. These are +also used when building the client certificate chain. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file containing trusted certificates to use during server authentication +and to use when attempting to build the client certificate chain. +.IP "\fB\-chainCApath directory\fR" 4 +.IX Item "-chainCApath directory" +The directory to use for building the chain provided to the server. This +directory must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. +.IP "\fB\-chainCAfile file\fR" 4 +.IX Item "-chainCAfile file" +A file containing trusted certificates to use when attempting to build the +client certificate chain. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location +.IP "\fB\-requestCAfile file\fR" 4 +.IX Item "-requestCAfile file" +A file containing a list of certificates whose subject names will be sent +to the server in the \fBcertificate_authorities\fR extension. Only supported +for \s-1TLS 1.3\s0 +.IP "\fB\-dane_tlsa_domain domain\fR" 4 +.IX Item "-dane_tlsa_domain domain" +Enable \s-1RFC6698/RFC7671 DANE TLSA\s0 authentication and specify the +\&\s-1TLSA\s0 base domain which becomes the default \s-1SNI\s0 hint and the primary +reference identifier for hostname checks. This must be used in +combination with at least one instance of the \fB\-dane_tlsa_rrdata\fR +option below. +.Sp +When \s-1DANE\s0 authentication succeeds, the diagnostic output will include +the lowest (closest to 0) depth at which a \s-1TLSA\s0 record authenticated +a chain certificate. When that \s-1TLSA\s0 record is a \*(L"2 1 0\*(R" trust +anchor public key that signed (rather than matched) the top-most +certificate of the chain, the result is reported as \*(L"\s-1TA\s0 public key +verified\*(R". Otherwise, either the \s-1TLSA\s0 record \*(L"matched \s-1TA\s0 certificate\*(R" +at a positive depth or else \*(L"matched \s-1EE\s0 certificate\*(R" at depth 0. +.IP "\fB\-dane_tlsa_rrdata rrdata\fR" 4 +.IX Item "-dane_tlsa_rrdata rrdata" +Use one or more times to specify the \s-1RRDATA\s0 fields of the \s-1DANE TLSA\s0 +RRset associated with the target service. The \fBrrdata\fR value is +specied in \*(L"presentation form\*(R", that is four whitespace separated +fields that specify the usage, selector, matching type and associated +data, with the last of these encoded in hexadecimal. Optional +whitespace is ignored in the associated data field. For example: +.Sp +.Vb 12 +\& $ openssl s_client \-brief \-starttls smtp \e +\& \-connect smtp.example.com:25 \e +\& \-dane_tlsa_domain smtp.example.com \e +\& \-dane_tlsa_rrdata "2 1 1 +\& B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B" \e +\& \-dane_tlsa_rrdata "2 1 1 +\& 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18" +\& ... +\& Verification: OK +\& Verified peername: smtp.example.com +\& DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1 +\& ... +.Ve +.IP "\fB\-dane_ee_no_namechecks\fR" 4 +.IX Item "-dane_ee_no_namechecks" +This disables server name checks when authenticating via \s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 +records. +For some applications, primarily web browsers, it is not safe to disable name +checks due to \*(L"unknown key share\*(R" attacks, in which a malicious server can +convince a client that a connection to a victim server is instead a secure +connection to the malicious server. +The malicious server may then be able to violate cross-origin scripting +restrictions. +Thus, despite the text of \s-1RFC7671,\s0 name checks are by default enabled for +\&\s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records, and can be disabled in applications where it is safe +to do so. +In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-1SRV\s0 and \s-1MX\s0 +records already make it possible for a remote domain to redirect client +connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients +do not execute scripts downloaded from remote servers. +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set various certificate chain validation options. See the +\&\fIverify\fR\|(1) manual page for details. +.IP "\fB\-reconnect\fR" 4 +.IX Item "-reconnect" +Reconnects to the same server 5 times using the same session \s-1ID,\s0 this can +be used as a test that session caching is working. +.IP "\fB\-showcerts\fR" 4 +.IX Item "-showcerts" +Displays the server certificate list as sent by the server: it only consists of +certificates the server has sent (in the order the server has sent them). It is +\&\fBnot\fR a verified chain. +.IP "\fB\-prexit\fR" 4 +.IX Item "-prexit" +Print session information when the program exits. This will always attempt +to print out information even if the connection fails. Normally information +will only be printed out once if the connection succeeds. This option is useful +because the cipher in use may be renegotiated or the connection may fail +because a client certificate is required or is requested only after an +attempt is made to access a certain \s-1URL.\s0 Note: the output produced by this +option is not always accurate because a connection might never have been +established. +.IP "\fB\-state\fR" 4 +.IX Item "-state" +Prints out the \s-1SSL\s0 session states. +.IP "\fB\-debug\fR" 4 +.IX Item "-debug" +Print extensive debugging information including a hex dump of all traffic. +.IP "\fB\-msg\fR" 4 +.IX Item "-msg" +Show all protocol messages with hex dump. +.IP "\fB\-trace\fR" 4 +.IX Item "-trace" +Show verbose trace output of protocol messages. OpenSSL needs to be compiled +with \fBenable-ssl-trace\fR for this option to work. +.IP "\fB\-msgfile\fR" 4 +.IX Item "-msgfile" +File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output. +.IP "\fB\-nbio_test\fR" 4 +.IX Item "-nbio_test" +Tests non-blocking I/O +.IP "\fB\-nbio\fR" 4 +.IX Item "-nbio" +Turns on non-blocking I/O +.IP "\fB\-crlf\fR" 4 +.IX Item "-crlf" +This option translated a line feed from the terminal into \s-1CR+LF\s0 as required +by some servers. +.IP "\fB\-ign_eof\fR" 4 +.IX Item "-ign_eof" +Inhibit shutting down the connection when end of file is reached in the +input. +.IP "\fB\-quiet\fR" 4 +.IX Item "-quiet" +Inhibit printing of session and certificate information. This implicitly +turns on \fB\-ign_eof\fR as well. +.IP "\fB\-no_ign_eof\fR" 4 +.IX Item "-no_ign_eof" +Shut down the connection when end of file is reached in the input. +Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR. +.IP "\fB\-psk_identity identity\fR" 4 +.IX Item "-psk_identity identity" +Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite. +The default value is \*(L"Client_identity\*(R" (without the quotes). +.IP "\fB\-psk key\fR" 4 +.IX Item "-psk key" +Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is +given as a hexadecimal number without leading 0x, for example \-psk +1a2b3c4d. +This option must be provided in order to use a \s-1PSK\s0 cipher. +.IP "\fB\-psk_session file\fR" 4 +.IX Item "-psk_session file" +Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fBfile\fR as the basis of a \s-1PSK.\s0 +Note that this will only work if TLSv1.3 is negotiated. +.IP "\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4 +.IX Item "-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3" +These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols. +By default \fBs_client\fR will negotiate the highest mutually supported protocol +version. +When a specific \s-1TLS\s0 version is required, only that version will be offered to +and accepted from the server. +Note that not all protocols and flags may be available, depending on how +OpenSSL was built. +.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4 +.IX Item "-dtls, -dtls1, -dtls1_2" +These options make \fBs_client\fR use \s-1DTLS\s0 protocols instead of \s-1TLS.\s0 +With \fB\-dtls\fR, \fBs_client\fR will negotiate any supported \s-1DTLS\s0 protocol version, +whilst \fB\-dtls1\fR and \fB\-dtls1_2\fR will only support \s-1DTLS1.0\s0 and \s-1DTLS1.2\s0 +respectively. +.IP "\fB\-sctp\fR" 4 +.IX Item "-sctp" +Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in +conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only +available where OpenSSL has support for \s-1SCTP\s0 enabled. +.IP "\fB\-fallback_scsv\fR" 4 +.IX Item "-fallback_scsv" +Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello. +.IP "\fB\-async\fR" 4 +.IX Item "-async" +Switch on asynchronous mode. Cryptographic operations will be performed +asynchronously. This will only have an effect if an asynchronous capable engine +is also used via the \fB\-engine\fR option. For test purposes the dummy async engine +(dasync) can be used (if available). +.IP "\fB\-max_send_frag int\fR" 4 +.IX Item "-max_send_frag int" +The maximum size of data fragment to send. +See \fISSL_CTX_set_max_send_fragment\fR\|(3) for further information. +.IP "\fB\-split_send_frag int\fR" 4 +.IX Item "-split_send_frag int" +The size used to split data for encrypt pipelines. If more data is written in +one go than this value then it will be split into multiple pipelines, up to the +maximum number of pipelines defined by max_pipelines. This only has an effect if +a suitable cipher suite has been negotiated, an engine that supports pipelining +has been loaded, and max_pipelines is greater than 1. See +\&\fISSL_CTX_set_split_send_fragment\fR\|(3) for further information. +.IP "\fB\-max_pipelines int\fR" 4 +.IX Item "-max_pipelines int" +The maximum number of encrypt/decrypt pipelines to be used. This will only have +an effect if an engine has been loaded that supports pipelining (e.g. the dasync +engine) and a suitable cipher suite has been negotiated. The default value is 1. +See \fISSL_CTX_set_max_pipelines\fR\|(3) for further information. +.IP "\fB\-read_buf int\fR" 4 +.IX Item "-read_buf int" +The default read buffer size to be used for connections. This will only have an +effect if the buffer size is larger than the size that would otherwise be used +and pipelining is in use (see \fISSL_CTX_set_default_read_buffer_len\fR\|(3) for +further information). +.IP "\fB\-bugs\fR" 4 +.IX Item "-bugs" +There are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +option enables various workarounds. +.IP "\fB\-comp\fR" 4 +.IX Item "-comp" +Enables support for \s-1SSL/TLS\s0 compression. +This option was introduced in OpenSSL 1.1.0. +\&\s-1TLS\s0 compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP "\fB\-no_comp\fR" 4 +.IX Item "-no_comp" +Disables support for \s-1SSL/TLS\s0 compression. +\&\s-1TLS\s0 compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP "\fB\-brief\fR" 4 +.IX Item "-brief" +Only provide a brief summary of connection parameters instead of the +normal verbose output. +.IP "\fB\-sigalgs sigalglist\fR" 4 +.IX Item "-sigalgs sigalglist" +Specifies the list of signature algorithms that are sent by the client. +The server selects one entry in the list based on its preferences. +For example strings, see \fISSL_CTX_set1_sigalgs\fR\|(3) +.IP "\fB\-curves curvelist\fR" 4 +.IX Item "-curves curvelist" +Specifies the list of supported curves to be sent by the client. The curve is +ultimately selected by the server. For a list of all curves, use: +.Sp +.Vb 1 +\& $ openssl ecparam \-list_curves +.Ve +.IP "\fB\-cipher cipherlist\fR" 4 +.IX Item "-cipher cipherlist" +This allows the TLSv1.2 and below cipher list sent by the client to be modified. +This list will be combined with any TLSv1.3 ciphersuites that have been +configured. Although the server determines which ciphersuite is used it should +take the first supported cipher in the list sent by the client. See the +\&\fBciphers\fR command for more information. +.IP "\fB\-ciphersuites val\fR" 4 +.IX Item "-ciphersuites val" +This allows the TLSv1.3 ciphersuites sent by the client to be modified. This +list will be combined with any TLSv1.2 and below ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See the +\&\fBciphers\fR command for more information. The format for this list is a simple +colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. +.IP "\fB\-starttls protocol\fR" 4 +.IX Item "-starttls protocol" +Send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication. +\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only +supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R", \*(L"xmpp\*(R", \*(L"xmpp-server\*(R", +\&\*(L"irc\*(R", \*(L"postgres\*(R", \*(L"mysql\*(R", \*(L"lmtp\*(R", \*(L"nntp\*(R", \*(L"sieve\*(R" and \*(L"ldap\*(R". +.IP "\fB\-xmpphost hostname\fR" 4 +.IX Item "-xmpphost hostname" +This option, when used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R", +specifies the host for the \*(L"to\*(R" attribute of the stream element. +If this option is not specified, then the host specified with \*(L"\-connect\*(R" +will be used. +.Sp +This option is an alias of the \fB\-name\fR option for \*(L"xmpp\*(R" and \*(L"xmpp-server\*(R". +.IP "\fB\-name hostname\fR" 4 +.IX Item "-name hostname" +This option is used to specify hostname information for various protocols +used with \fB\-starttls\fR option. Currently only \*(L"xmpp\*(R", \*(L"xmpp-server\*(R", +\&\*(L"smtp\*(R" and \*(L"lmtp\*(R" can utilize this \fB\-name\fR option. +.Sp +If this option is used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R", +if specifies the host for the \*(L"to\*(R" attribute of the stream element. If this +option is not specified, then the host specified with \*(L"\-connect\*(R" will be used. +.Sp +If this option is used with \*(L"\-starttls lmtp\*(R" or \*(L"\-starttls smtp\*(R", it specifies +the name to use in the \*(L"\s-1LMTP LHLO\*(R"\s0 or \*(L"\s-1SMTP EHLO\*(R"\s0 message, respectively. If +this option is not specified, then \*(L"mail.example.com\*(R" will be used. +.IP "\fB\-tlsextdebug\fR" 4 +.IX Item "-tlsextdebug" +Print out a hex dump of any \s-1TLS\s0 extensions received from the server. +.IP "\fB\-no_ticket\fR" 4 +.IX Item "-no_ticket" +Disable RFC4507bis session ticket support. +.IP "\fB\-sess_out filename\fR" 4 +.IX Item "-sess_out filename" +Output \s-1SSL\s0 session to \fBfilename\fR. +.IP "\fB\-sess_in sess.pem\fR" 4 +.IX Item "-sess_in sess.pem" +Load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a +connection from this session. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBs_client\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-serverinfo types\fR" 4 +.IX Item "-serverinfo types" +A list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and +65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension. +The server's response (if any) will be encoded and displayed as a \s-1PEM\s0 +file. +.IP "\fB\-status\fR" 4 +.IX Item "-status" +Sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server +response (if any) is printed out. +.IP "\fB\-alpn protocols\fR, \fB\-nextprotoneg protocols\fR" 4 +.IX Item "-alpn protocols, -nextprotoneg protocols" +These flags enable the Enable the Application-Layer Protocol Negotiation +or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the +\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0 +The \fBprotocols\fR list is a comma-separated list of protocol names that +the client should advertise support for. The list should contain the most +desirable protocols first. Protocol names are printable \s-1ASCII\s0 strings, +for example \*(L"http/1.1\*(R" or \*(L"spdy/3\*(R". +An empty list of protocols is treated specially and will cause the +client to advertise support for the \s-1TLS\s0 extension but disconnect just +after receiving ServerHello with a list of server supported protocols. +The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used. +.IP "\fB\-ct\fR, \fB\-noct\fR" 4 +.IX Item "-ct, -noct" +Use one of these two options to control whether Certificate Transparency (\s-1CT\s0) +is enabled (\fB\-ct\fR) or disabled (\fB\-noct\fR). +If \s-1CT\s0 is enabled, signed certificate timestamps (SCTs) will be requested from +the server and reported at handshake completion. +.Sp +Enabling \s-1CT\s0 also enables \s-1OCSP\s0 stapling, as this is one possible delivery method +for SCTs. +.IP "\fB\-ctlogfile\fR" 4 +.IX Item "-ctlogfile" +A file containing a list of known Certificate Transparency logs. See +\&\fISSL_CTX_set_ctlog_list_file\fR\|(3) for the expected file format. +.IP "\fB\-keylogfile file\fR" 4 +.IX Item "-keylogfile file" +Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs +(like Wireshark) can decrypt \s-1TLS\s0 connections. +.IP "\fB\-early_data file\fR" 4 +.IX Item "-early_data file" +Reads the contents of the specified file and attempts to send it as early data +to the server. This will only work with resumed sessions that support early +data and when the server accepts the early data. +.IP "\fB\-enable_pha\fR" 4 +.IX Item "-enable_pha" +For TLSv1.3 only, send the Post-Handshake Authentication extension. This will +happen whether or not a certificate has been provided via \fB\-cert\fR. +.IP "\fB[target]\fR" 4 +.IX Item "[target]" +Rather than providing \fB\-connect\fR, the target hostname and optional port may +be provided as a single positional argument after all options. If neither this +nor \fB\-connect\fR are provided, falls back to attempting to connect to localhost +on port 4433. +.SH "CONNECTED COMMANDS" +.IX Header "CONNECTED COMMANDS" +If a connection is established with an \s-1SSL\s0 server then any data received +from the server is displayed and any key presses will be sent to the +server. If end of file is reached then the connection will be closed down. When +used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been +given), then certain commands are also recognized which perform special +operations. These commands are a letter which must appear at the start of a +line. They are listed below. +.IP "\fBQ\fR" 4 +.IX Item "Q" +End the current \s-1SSL\s0 connection and exit. +.IP "\fBR\fR" 4 +.IX Item "R" +Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only). +.IP "\fBB\fR" 4 +.IX Item "B" +Send a heartbeat message to the server (\s-1DTLS\s0 only) +.IP "\fBk\fR" 4 +.IX Item "k" +Send a key update message to the server (TLSv1.3 only) +.IP "\fBK\fR" 4 +.IX Item "K" +Send a key update message to the server and request one back (TLSv1.3 only) +.SH "NOTES" +.IX Header "NOTES" +\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0 +server the command: +.PP +.Vb 1 +\& openssl s_client \-connect servername:443 +.Ve +.PP +would typically be used (https uses port 443). If the connection succeeds +then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET /\*(R"\s0 to retrieve a web page. +.PP +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the \fB\-bugs\fR, +\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried +in case it is a buggy server. In particular you should play with these +options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. +.PP +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. This is normally because the server is not sending +the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it +requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed +and checked. However some servers only request client authentication +after a specific \s-1URL\s0 is requested. To obtain the list in this case it +is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request +for an appropriate page. +.PP +If a certificate is specified on the command line using the \fB\-cert\fR +option it will not be used unless the server specifically requests +a client certificate. Therefor merely including a client certificate +on the command line is no guarantee that the certificate works. +.PP +If there are problems verifying a server certificate then the +\&\fB\-showcerts\fR option can be used to show all the certificates sent by the +server. +.PP +The \fBs_client\fR utility is a test tool and is designed to continue the +handshake after any certificate verification errors. As a result it will +accept any certificate chain (trusted or not) sent by the peer. None test +applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0 +attack. This behaviour can be changed by with the \fB\-verify_return_error\fR +option: any verify errors are then returned aborting the handshake. +.PP +The \fB\-bind\fR option may be useful if the server or a firewall requires +connections to come from some particular address and or port. +.SH "BUGS" +.IX Header "BUGS" +Because this program has a lot of options and also because some of the +techniques used are rather old, the C source of \fBs_client\fR is rather hard to +read and not a model of how things should be done. +A typical \s-1SSL\s0 client program would be much simpler. +.PP +The \fB\-prexit\fR option is a bit of a hack. We should really report +information whenever a session is renegotiated. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_CONF_cmd\fR\|(3), \fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1), +\&\fISSL_CTX_set_max_send_fragment\fR\|(3), \fISSL_CTX_set_split_send_fragment\fR\|(3), +\&\fISSL_CTX_set_max_pipelines\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fB\-no_alt_chains\fR option was first added to OpenSSL 1.1.0. +The \fB\-name\fR option was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1 new file mode 100644 index 000000000000..f3fa8ae0e466 --- /dev/null +++ b/secure/usr.bin/openssl/man/s_server.1 @@ -0,0 +1,849 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "S_SERVER 1" +.TH S_SERVER 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-s_server, s_server \- SSL/TLS server program +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBs_server\fR +[\fB\-help\fR] +[\fB\-port +int\fR] +[\fB\-accept val\fR] +[\fB\-unix val\fR] +[\fB\-4\fR] +[\fB\-6\fR] +[\fB\-unlink\fR] +[\fB\-context val\fR] +[\fB\-verify int\fR] +[\fB\-Verify int\fR] +[\fB\-cert infile\fR] +[\fB\-nameopt val\fR] +[\fB\-naccept +int\fR] +[\fB\-serverinfo val\fR] +[\fB\-certform PEM|DER\fR] +[\fB\-key infile\fR] +[\fB\-keyform format\fR] +[\fB\-pass val\fR] +[\fB\-dcert infile\fR] +[\fB\-dcertform PEM|DER\fR] +[\fB\-dkey infile\fR] +[\fB\-dkeyform PEM|DER\fR] +[\fB\-dpass val\fR] +[\fB\-nbio_test\fR] +[\fB\-crlf\fR] +[\fB\-debug\fR] +[\fB\-msg\fR] +[\fB\-msgfile outfile\fR] +[\fB\-state\fR] +[\fB\-CAfile infile\fR] +[\fB\-CApath dir\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-nocert\fR] +[\fB\-quiet\fR] +[\fB\-no_resume_ephemeral\fR] +[\fB\-www\fR] +[\fB\-WWW\fR] +[\fB\-servername\fR] +[\fB\-servername_fatal\fR] +[\fB\-cert2 infile\fR] +[\fB\-key2 infile\fR] +[\fB\-tlsextdebug\fR] +[\fB\-HTTP\fR] +[\fB\-id_prefix val\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-keymatexport val\fR] +[\fB\-keymatexportlen +int\fR] +[\fB\-CRL infile\fR] +[\fB\-crl_download\fR] +[\fB\-cert_chain infile\fR] +[\fB\-dcert_chain infile\fR] +[\fB\-chainCApath dir\fR] +[\fB\-verifyCApath dir\fR] +[\fB\-no_cache\fR] +[\fB\-ext_cache\fR] +[\fB\-CRLform PEM|DER\fR] +[\fB\-verify_return_error\fR] +[\fB\-verify_quiet\fR] +[\fB\-build_chain\fR] +[\fB\-chainCAfile infile\fR] +[\fB\-verifyCAfile infile\fR] +[\fB\-ign_eof\fR] +[\fB\-no_ign_eof\fR] +[\fB\-status\fR] +[\fB\-status_verbose\fR] +[\fB\-status_timeout int\fR] +[\fB\-status_url val\fR] +[\fB\-status_file infile\fR] +[\fB\-trace\fR] +[\fB\-security_debug\fR] +[\fB\-security_debug_verbose\fR] +[\fB\-brief\fR] +[\fB\-rev\fR] +[\fB\-async\fR] +[\fB\-ssl_config val\fR] +[\fB\-max_send_frag +int\fR] +[\fB\-split_send_frag +int\fR] +[\fB\-max_pipelines +int\fR] +[\fB\-read_buf +int\fR] +[\fB\-no_ssl3\fR] +[\fB\-no_tls1\fR] +[\fB\-no_tls1_1\fR] +[\fB\-no_tls1_2\fR] +[\fB\-no_tls1_3\fR] +[\fB\-bugs\fR] +[\fB\-no_comp\fR] +[\fB\-comp\fR] +[\fB\-no_ticket\fR] +[\fB\-serverpref\fR] +[\fB\-legacy_renegotiation\fR] +[\fB\-no_renegotiation\fR] +[\fB\-legacy_server_connect\fR] +[\fB\-no_resumption_on_reneg\fR] +[\fB\-no_legacy_server_connect\fR] +[\fB\-allow_no_dhe_kex\fR] +[\fB\-prioritize_chacha\fR] +[\fB\-strict\fR] +[\fB\-sigalgs val\fR] +[\fB\-client_sigalgs val\fR] +[\fB\-groups val\fR] +[\fB\-curves val\fR] +[\fB\-named_curve val\fR] +[\fB\-cipher val\fR] +[\fB\-ciphersuites val\fR] +[\fB\-dhparam infile\fR] +[\fB\-record_padding val\fR] +[\fB\-debug_broken_protocol\fR] +[\fB\-policy val\fR] +[\fB\-purpose val\fR] +[\fB\-verify_name val\fR] +[\fB\-verify_depth int\fR] +[\fB\-auth_level int\fR] +[\fB\-attime intmax\fR] +[\fB\-verify_hostname val\fR] +[\fB\-verify_email val\fR] +[\fB\-verify_ip\fR] +[\fB\-ignore_critical\fR] +[\fB\-issuer_checks\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-policy_check\fR] +[\fB\-explicit_policy\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-x509_strict\fR] +[\fB\-extended_crl\fR] +[\fB\-use_deltas\fR] +[\fB\-policy_print\fR] +[\fB\-check_ss_sig\fR] +[\fB\-trusted_first\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_192\fR] +[\fB\-partial_chain\fR] +[\fB\-no_alt_chains\fR] +[\fB\-no_check_time\fR] +[\fB\-allow_proxy_certs\fR] +[\fB\-xkey\fR] +[\fB\-xcert\fR] +[\fB\-xchain\fR] +[\fB\-xchain_build\fR] +[\fB\-xcertform PEM|DER\fR] +[\fB\-xkeyform PEM|DER\fR] +[\fB\-nbio\fR] +[\fB\-psk_identity val\fR] +[\fB\-psk_hint val\fR] +[\fB\-psk val\fR] +[\fB\-psk_session file\fR] +[\fB\-srpvfile infile\fR] +[\fB\-srpuserseed val\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-tls1_1\fR] +[\fB\-tls1_2\fR] +[\fB\-tls1_3\fR] +[\fB\-dtls\fR] +[\fB\-timeout\fR] +[\fB\-mtu +int\fR] +[\fB\-listen\fR] +[\fB\-dtls1\fR] +[\fB\-dtls1_2\fR] +[\fB\-sctp\fR] +[\fB\-no_dhe\fR] +[\fB\-nextprotoneg val\fR] +[\fB\-use_srtp val\fR] +[\fB\-alpn val\fR] +[\fB\-engine val\fR] +[\fB\-keylogfile outfile\fR] +[\fB\-max_early_data int\fR] +[\fB\-early_data\fR] +[\fB\-anti_replay\fR] +[\fB\-no_anti_replay\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens +for connections on a given port using \s-1SSL/TLS.\s0 +.SH "OPTIONS" +.IX Header "OPTIONS" +In addition to the options below the \fBs_server\fR utility also supports the +common and server only options documented in the +in the \*(L"Supported Command Line Commands\*(R" section of the \fISSL_CONF_cmd\fR\|(3) +manual page. +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-port +int\fR" 4 +.IX Item "-port +int" +The \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used. +.IP "\fB\-accept val\fR" 4 +.IX Item "-accept val" +The optional \s-1TCP\s0 host and port to listen on for connections. If not specified, *:4433 is used. +.IP "\fB\-unix val\fR" 4 +.IX Item "-unix val" +Unix domain socket to accept on. +.IP "\fB\-4\fR" 4 +.IX Item "-4" +Use IPv4 only. +.IP "\fB\-6\fR" 4 +.IX Item "-6" +Use IPv6 only. +.IP "\fB\-unlink\fR" 4 +.IX Item "-unlink" +For \-unix, unlink any existing socket first. +.IP "\fB\-context val\fR" 4 +.IX Item "-context val" +Sets the \s-1SSL\s0 context id. It can be given any string value. If this option +is not present a default value will be used. +.IP "\fB\-verify int\fR, \fB\-Verify int\fR" 4 +.IX Item "-verify int, -Verify int" +The verify depth to use. This specifies the maximum length of the +client certificate chain and makes the server request a certificate from +the client. With the \fB\-verify\fR option a certificate is requested but the +client does not have to send one, with the \fB\-Verify\fR option the client +must supply a certificate or an error occurs. +.Sp +If the cipher suite cannot request a client certificate (for example an +anonymous cipher suite or \s-1PSK\s0) this option has no effect. +.IP "\fB\-cert infile\fR" 4 +.IX Item "-cert infile" +The certificate to use, most servers cipher suites require the use of a +certificate and some require a certificate with a certain public key type: +for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0 +(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used. +.IP "\fB\-cert_chain\fR" 4 +.IX Item "-cert_chain" +A file containing trusted certificates to use when attempting to build the +client/server certificate chain related to the certificate specified via the +\&\fB\-cert\fR option. +.IP "\fB\-build_chain\fR" 4 +.IX Item "-build_chain" +Specify whether the application should build the certificate chain to be +provided to the client. +.IP "\fB\-nameopt val\fR" 4 +.IX Item "-nameopt val" +Option which determines how the subject or issuer names are displayed. The +\&\fBval\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. +.IP "\fB\-naccept +int\fR" 4 +.IX Item "-naccept +int" +The server will exit after receiving the specified number of connections, +default unlimited. +.IP "\fB\-serverinfo val\fR" 4 +.IX Item "-serverinfo val" +A file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block +must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length, +followed by \*(L"length\*(R" bytes of extension data). If the client sends +an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding +ServerHello extension will be returned. +.IP "\fB\-certform PEM|DER\fR" 4 +.IX Item "-certform PEM|DER" +The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. +.IP "\fB\-key infile\fR" 4 +.IX Item "-key infile" +The private key to use. If not specified then the certificate file will +be used. +.IP "\fB\-keyform format\fR" 4 +.IX Item "-keyform format" +The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. +.IP "\fB\-pass val\fR" 4 +.IX Item "-pass val" +The private key password source. For more information about the format of \fBval\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-dcert infile\fR, \fB\-dkey infile\fR" 4 +.IX Item "-dcert infile, -dkey infile" +Specify an additional certificate and private key, these behave in the +same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default +if they are not specified (no additional certificate and key is used). As +noted above some cipher suites require a certificate containing a key of +a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key +and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys +a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites +by using an appropriate certificate. +.IP "\fB\-dcert_chain\fR" 4 +.IX Item "-dcert_chain" +A file containing trusted certificates to use when attempting to build the +server certificate chain when a certificate specified via the \fB\-dcert\fR option +is in use. +.IP "\fB\-dcertform PEM|DER\fR, \fB\-dkeyform PEM|DER\fR, \fB\-dpass val\fR" 4 +.IX Item "-dcertform PEM|DER, -dkeyform PEM|DER, -dpass val" +Additional certificate and private key format and passphrase respectively. +.IP "\fB\-xkey infile\fR, \fB\-xcert infile\fR, \fB\-xchain\fR" 4 +.IX Item "-xkey infile, -xcert infile, -xchain" +Specify an extra certificate, private key and certificate chain. These behave +in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When +specified, the callback returning the first valid chain will be in use by +the server. +.IP "\fB\-xchain_build\fR" 4 +.IX Item "-xchain_build" +Specify whether the application should build the certificate chain to be +provided to the client for the extra certificates provided via \fB\-xkey infile\fR, +\&\fB\-xcert infile\fR, \fB\-xchain\fR options. +.IP "\fB\-xcertform PEM|DER\fR, \fB\-xkeyform PEM|DER\fR" 4 +.IX Item "-xcertform PEM|DER, -xkeyform PEM|DER" +Extra certificate and private key format respectively. +.IP "\fB\-nbio_test\fR" 4 +.IX Item "-nbio_test" +Tests non blocking I/O. +.IP "\fB\-crlf\fR" 4 +.IX Item "-crlf" +This option translated a line feed from the terminal into \s-1CR+LF.\s0 +.IP "\fB\-debug\fR" 4 +.IX Item "-debug" +Print extensive debugging information including a hex dump of all traffic. +.IP "\fB\-msg\fR" 4 +.IX Item "-msg" +Show all protocol messages with hex dump. +.IP "\fB\-msgfile outfile\fR" 4 +.IX Item "-msgfile outfile" +File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output. +.IP "\fB\-state\fR" 4 +.IX Item "-state" +Prints the \s-1SSL\s0 session states. +.IP "\fB\-CAfile infile\fR" 4 +.IX Item "-CAfile infile" +A file containing trusted certificates to use during client authentication +and to use when attempting to build the server certificate chain. The list +is also used in the list of acceptable client CAs passed to the client when +a certificate is requested. +.IP "\fB\-CApath dir\fR" 4 +.IX Item "-CApath dir" +The directory to use for client certificate verification. This directory +must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. These are +also used when building the server certificate chain. +.IP "\fB\-chainCApath dir\fR" 4 +.IX Item "-chainCApath dir" +The directory to use for building the chain provided to the client. This +directory must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. +.IP "\fB\-chainCAfile file\fR" 4 +.IX Item "-chainCAfile file" +A file containing trusted certificates to use when attempting to build the +server certificate chain. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location. +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location. +.IP "\fB\-nocert\fR" 4 +.IX Item "-nocert" +If this option is set then no certificate is used. This restricts the +cipher suites available to the anonymous ones (currently just anonymous +\&\s-1DH\s0). +.IP "\fB\-quiet\fR" 4 +.IX Item "-quiet" +Inhibit printing of session and certificate information. +.IP "\fB\-www\fR" 4 +.IX Item "-www" +Sends a status message back to the client when it connects. This includes +information about the ciphers used and various session parameters. +The output is in \s-1HTML\s0 format so this option will normally be used with a +web browser. Cannot be used in conjunction with \fB\-early_data\fR. +.IP "\fB\-WWW\fR" 4 +.IX Item "-WWW" +Emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the \s-1URL\s0 https://myhost/page.html is +requested the file ./page.html will be loaded. Cannot be used in conjunction +with \fB\-early_data\fR. +.IP "\fB\-tlsextdebug\fR" 4 +.IX Item "-tlsextdebug" +Print a hex dump of any \s-1TLS\s0 extensions received from the server. +.IP "\fB\-HTTP\fR" 4 +.IX Item "-HTTP" +Emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the \s-1URL\s0 https://myhost/page.html is +requested the file ./page.html will be loaded. The files loaded are +assumed to contain a complete and correct \s-1HTTP\s0 response (lines that +are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0). Cannot be +used in conjunction with \fB\-early_data\fR. +.IP "\fB\-id_prefix val\fR" 4 +.IX Item "-id_prefix val" +Generate \s-1SSL/TLS\s0 session IDs prefixed by \fBval\fR. This is mostly useful +for testing any \s-1SSL/TLS\s0 code (eg. proxies) that wish to deal with multiple +servers, when each of which might be generating a unique range of session +IDs (eg. with a certain prefix). +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-verify_return_error\fR" 4 +.IX Item "-verify_return_error" +Verification errors normally just print a message but allow the +connection to continue, for debugging purposes. +If this option is used, then verification errors close the connection. +.IP "\fB\-status\fR" 4 +.IX Item "-status" +Enables certificate status request support (aka \s-1OCSP\s0 stapling). +.IP "\fB\-status_verbose\fR" 4 +.IX Item "-status_verbose" +Enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives +a verbose printout of the \s-1OCSP\s0 response. +.IP "\fB\-status_timeout int\fR" 4 +.IX Item "-status_timeout int" +Sets the timeout for \s-1OCSP\s0 response to \fBint\fR seconds. +.IP "\fB\-status_url val\fR" 4 +.IX Item "-status_url val" +Sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the +server certificate. Without this option an error is returned if the server +certificate does not contain a responder address. +.IP "\fB\-status_file infile\fR" 4 +.IX Item "-status_file infile" +Overrides any \s-1OCSP\s0 responder URLs from the certificate and always provides the +\&\s-1OCSP\s0 Response stored in the file. The file must be in \s-1DER\s0 format. +.IP "\fB\-trace\fR" 4 +.IX Item "-trace" +Show verbose trace output of protocol messages. OpenSSL needs to be compiled +with \fBenable-ssl-trace\fR for this option to work. +.IP "\fB\-brief\fR" 4 +.IX Item "-brief" +Provide a brief summary of connection parameters instead of the normal verbose +output. +.IP "\fB\-rev\fR" 4 +.IX Item "-rev" +Simple test server which just reverses the text received from the client +and sends it back to the server. Also sets \fB\-brief\fR. Cannot be used in +conjunction with \fB\-early_data\fR. +.IP "\fB\-async\fR" 4 +.IX Item "-async" +Switch on asynchronous mode. Cryptographic operations will be performed +asynchronously. This will only have an effect if an asynchronous capable engine +is also used via the \fB\-engine\fR option. For test purposes the dummy async engine +(dasync) can be used (if available). +.IP "\fB\-max_send_frag +int\fR" 4 +.IX Item "-max_send_frag +int" +The maximum size of data fragment to send. +See \fISSL_CTX_set_max_send_fragment\fR\|(3) for further information. +.IP "\fB\-split_send_frag +int\fR" 4 +.IX Item "-split_send_frag +int" +The size used to split data for encrypt pipelines. If more data is written in +one go than this value then it will be split into multiple pipelines, up to the +maximum number of pipelines defined by max_pipelines. This only has an effect if +a suitable cipher suite has been negotiated, an engine that supports pipelining +has been loaded, and max_pipelines is greater than 1. See +\&\fISSL_CTX_set_split_send_fragment\fR\|(3) for further information. +.IP "\fB\-max_pipelines +int\fR" 4 +.IX Item "-max_pipelines +int" +The maximum number of encrypt/decrypt pipelines to be used. This will only have +an effect if an engine has been loaded that supports pipelining (e.g. the dasync +engine) and a suitable cipher suite has been negotiated. The default value is 1. +See \fISSL_CTX_set_max_pipelines\fR\|(3) for further information. +.IP "\fB\-read_buf +int\fR" 4 +.IX Item "-read_buf +int" +The default read buffer size to be used for connections. This will only have an +effect if the buffer size is larger than the size that would otherwise be used +and pipelining is in use (see \fISSL_CTX_set_default_read_buffer_len\fR\|(3) for +further information). +.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4 +.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3" +These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols. +By default \fBs_server\fR will negotiate the highest mutually supported protocol +version. +When a specific \s-1TLS\s0 version is required, only that version will be accepted +from the client. +Note that not all protocols and flags may be available, depending on how +OpenSSL was built. +.IP "\fB\-bugs\fR" 4 +.IX Item "-bugs" +There are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +option enables various workarounds. +.IP "\fB\-no_comp\fR" 4 +.IX Item "-no_comp" +Disable negotiation of \s-1TLS\s0 compression. +\&\s-1TLS\s0 compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP "\fB\-comp\fR" 4 +.IX Item "-comp" +Enable negotiation of \s-1TLS\s0 compression. +This option was introduced in OpenSSL 1.1.0. +\&\s-1TLS\s0 compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP "\fB\-no_ticket\fR" 4 +.IX Item "-no_ticket" +Disable RFC4507bis session ticket support. +.IP "\fB\-serverpref\fR" 4 +.IX Item "-serverpref" +Use the server's cipher preferences, rather than the client's preferences. +.IP "\fB\-prioritize_chacha\fR" 4 +.IX Item "-prioritize_chacha" +Prioritize ChaCha ciphers when preferred by clients. Requires \fB\-serverpref\fR. +.IP "\fB\-no_resumption_on_reneg\fR" 4 +.IX Item "-no_resumption_on_reneg" +Set the \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR option. +.IP "\fB\-client_sigalgs val\fR" 4 +.IX Item "-client_sigalgs val" +Signature algorithms to support for client certificate authentication +(colon-separated list). +.IP "\fB\-named_curve val\fR" 4 +.IX Item "-named_curve val" +Specifies the elliptic curve to use. \s-1NOTE:\s0 this is single curve, not a list. +For a list of all possible curves, use: +.Sp +.Vb 1 +\& $ openssl ecparam \-list_curves +.Ve +.IP "\fB\-cipher val\fR" 4 +.IX Item "-cipher val" +This allows the list of TLSv1.2 and below ciphersuites used by the server to be +modified. This list is combined with any TLSv1.3 ciphersuites that have been +configured. When the client sends a list of supported ciphers the first client +cipher also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist is irrelevant. See +the \fBciphers\fR command for more information. +.IP "\fB\-ciphersuites val\fR" 4 +.IX Item "-ciphersuites val" +This allows the list of TLSv1.3 ciphersuites used by the server to be modified. +This list is combined with any TLSv1.2 and below ciphersuites that have been +configured. When the client sends a list of supported ciphers the first client +cipher also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist is irrelevant. See +the \fBciphers\fR command for more information. The format for this list is a +simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. +.IP "\fB\-dhparam infile\fR" 4 +.IX Item "-dhparam infile" +The \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys +using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to +load the parameters from the server certificate file. +If this fails then a static set of parameters hard coded into the \fBs_server\fR +program will be used. +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set different peer certificate verification options. +See the \fIverify\fR\|(1) manual page for details. +.IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4 +.IX Item "-crl_check, -crl_check_all" +Check the peer certificate has not been revoked by its \s-1CA.\s0 +The \s-1CRL\s0(s) are appended to the certificate file. With the \fB\-crl_check_all\fR +option all CRLs of all CAs in the chain are checked. +.IP "\fB\-nbio\fR" 4 +.IX Item "-nbio" +Turns on non blocking I/O. +.IP "\fB\-psk_identity val\fR" 4 +.IX Item "-psk_identity val" +Expect the client to send \s-1PSK\s0 identity \fBval\fR when using a \s-1PSK\s0 +cipher suite, and warn if they do not. By default, the expected \s-1PSK\s0 +identity is the string \*(L"Client_identity\*(R". +.IP "\fB\-psk_hint val\fR" 4 +.IX Item "-psk_hint val" +Use the \s-1PSK\s0 identity hint \fBval\fR when using a \s-1PSK\s0 cipher suite. +.IP "\fB\-psk val\fR" 4 +.IX Item "-psk val" +Use the \s-1PSK\s0 key \fBval\fR when using a \s-1PSK\s0 cipher suite. The key is +given as a hexadecimal number without leading 0x, for example \-psk +1a2b3c4d. +This option must be provided in order to use a \s-1PSK\s0 cipher. +.IP "\fB\-psk_session file\fR" 4 +.IX Item "-psk_session file" +Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fBfile\fR as the basis of a \s-1PSK.\s0 +Note that this will only work if TLSv1.3 is negotiated. +.IP "\fB\-listen\fR" 4 +.IX Item "-listen" +This option can only be used in conjunction with one of the \s-1DTLS\s0 options above. +With this option \fBs_server\fR will listen on a \s-1UDP\s0 port for incoming connections. +Any ClientHellos that arrive will be checked to see if they have a cookie in +them or not. +Any without a cookie will be responded to with a HelloVerifyRequest. +If a ClientHello with a cookie is received then \fBs_server\fR will connect to +that peer and complete the handshake. +.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4 +.IX Item "-dtls, -dtls1, -dtls1_2" +These options make \fBs_server\fR use \s-1DTLS\s0 protocols instead of \s-1TLS.\s0 +With \fB\-dtls\fR, \fBs_server\fR will negotiate any supported \s-1DTLS\s0 protocol version, +whilst \fB\-dtls1\fR and \fB\-dtls1_2\fR will only support DTLSv1.0 and DTLSv1.2 +respectively. +.IP "\fB\-sctp\fR" 4 +.IX Item "-sctp" +Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in +conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only +available where OpenSSL has support for \s-1SCTP\s0 enabled. +.IP "\fB\-no_dhe\fR" 4 +.IX Item "-no_dhe" +If this option is set then no \s-1DH\s0 parameters will be loaded effectively +disabling the ephemeral \s-1DH\s0 cipher suites. +.IP "\fB\-alpn val\fR, \fB\-nextprotoneg val\fR" 4 +.IX Item "-alpn val, -nextprotoneg val" +These flags enable the Enable the Application-Layer Protocol Negotiation +or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the +\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0 +The \fBval\fR list is a comma-separated list of supported protocol +names. The list should contain the most desirable protocols first. +Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or +\&\*(L"spdy/3\*(R". +The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used. +.IP "\fB\-engine val\fR" 4 +.IX Item "-engine val" +Specifying an engine (by its unique id string in \fBval\fR) will cause \fBs_server\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-keylogfile outfile\fR" 4 +.IX Item "-keylogfile outfile" +Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs +(like Wireshark) can decrypt \s-1TLS\s0 connections. +.IP "\fB\-max_early_data int\fR" 4 +.IX Item "-max_early_data int" +Change the default maximum early data bytes that are specified for new sessions +and any incoming early data (when used in conjunction with the \fB\-early_data\fR +flag). The default value is approximately 16k. The argument must be an integer +greater than or equal to 0. +.IP "\fB\-early_data\fR" 4 +.IX Item "-early_data" +Accept early data where possible. Cannot be used in conjunction with \fB\-www\fR, +\&\fB\-WWW\fR, \fB\-HTTP\fR or \fB\-rev\fR. +.IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4 +.IX Item "-anti_replay, -no_anti_replay" +Switches replay protection on or off, respectively. Replay protection is on by +default unless overridden by a configuration file. When it is on, OpenSSL will +automatically detect if a session ticket has been used more than once, TLSv1.3 +has been negotiated, and early data is enabled on the server. A full handshake +is forced if a session ticket is used a second or subsequent time. Any early +data that was sent will be rejected. +.SH "CONNECTED COMMANDS" +.IX Header "CONNECTED COMMANDS" +If a connection request is established with an \s-1SSL\s0 client and neither the +\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received +from the client is displayed and any key presses will be sent to the client. +.PP +Certain commands are also recognized which perform special operations. These +commands are a letter which must appear at the start of a line. They are listed +below. +.IP "\fBq\fR" 4 +.IX Item "q" +End the current \s-1SSL\s0 connection but still accept new connections. +.IP "\fBQ\fR" 4 +.IX Item "Q" +End the current \s-1SSL\s0 connection and exit. +.IP "\fBr\fR" 4 +.IX Item "r" +Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only). +.IP "\fBR\fR" 4 +.IX Item "R" +Renegotiate the \s-1SSL\s0 session and request a client certificate (TLSv1.2 and below +only). +.IP "\fBP\fR" 4 +.IX Item "P" +Send some plain text down the underlying \s-1TCP\s0 connection: this should +cause the client to disconnect due to a protocol violation. +.IP "\fBS\fR" 4 +.IX Item "S" +Print out some session cache status information. +.IP "\fBB\fR" 4 +.IX Item "B" +Send a heartbeat message to the client (\s-1DTLS\s0 only) +.IP "\fBk\fR" 4 +.IX Item "k" +Send a key update message to the client (TLSv1.3 only) +.IP "\fBK\fR" 4 +.IX Item "K" +Send a key update message to the client and request one back (TLSv1.3 only) +.IP "\fBc\fR" 4 +.IX Item "c" +Send a certificate request to the client (TLSv1.3 only) +.SH "NOTES" +.IX Header "NOTES" +\&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from +a web browser the command: +.PP +.Vb 1 +\& openssl s_server \-accept 443 \-www +.Ve +.PP +can be used for example. +.PP +Although specifying an empty list of CAs when requesting a client certificate +is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to +mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes. +.PP +The session parameters can printed out using the \fBsess_id\fR program. +.SH "BUGS" +.IX Header "BUGS" +Because this program has a lot of options and also because some of the +techniques used are rather old, the C source of \fBs_server\fR is rather hard to +read and not a model of how things should be done. +A typical \s-1SSL\s0 server program would be much simpler. +.PP +The output of common ciphers is wrong: it just gives the list of ciphers that +OpenSSL recognizes and the client supports. +.PP +There should be a way for the \fBs_server\fR program to print out details of any +unknown cipher suites a client says it supports. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_CONF_cmd\fR\|(3), \fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1) +\&\fISSL_CTX_set_max_send_fragment\fR\|(3), +\&\fISSL_CTX_set_split_send_fragment\fR\|(3), +\&\fISSL_CTX_set_max_pipelines\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \-no_alt_chains option was first added to OpenSSL 1.1.0. +.PP +The \-allow\-no\-dhe\-kex and \-prioritize_chacha options were first added to +OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1 new file mode 100644 index 000000000000..0439fe218f68 --- /dev/null +++ b/secure/usr.bin/openssl/man/s_time.1 @@ -0,0 +1,316 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "S_TIME 1" +.TH S_TIME 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-s_time, s_time \- SSL/TLS performance timing program +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBs_time\fR +[\fB\-help\fR] +[\fB\-connect host:port\fR] +[\fB\-www page\fR] +[\fB\-cert filename\fR] +[\fB\-key filename\fR] +[\fB\-CApath directory\fR] +[\fB\-cafile filename\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-reuse\fR] +[\fB\-new\fR] +[\fB\-verify depth\fR] +[\fB\-nameopt option\fR] +[\fB\-time seconds\fR] +[\fB\-ssl3\fR] +[\fB\-bugs\fR] +[\fB\-cipher cipherlist\fR] +[\fB\-ciphersuites val\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBs_time\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a +remote host using \s-1SSL/TLS.\s0 It can request a page from the server and includes +the time to transfer the payload data in its timing measurements. It measures +the number of connections within a given timeframe, the amount of data +transferred (if any), and calculates the average time spent for one connection. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-connect host:port\fR" 4 +.IX Item "-connect host:port" +This specifies the host and optional port to connect to. +.IP "\fB\-www page\fR" 4 +.IX Item "-www page" +This specifies the page to \s-1GET\s0 from the server. A value of '/' gets the +index.htm[l] page. If this parameter is not specified, then \fBs_time\fR will only +perform the handshake to establish \s-1SSL\s0 connections but not transfer any +payload data. +.IP "\fB\-cert certname\fR" 4 +.IX Item "-cert certname" +The certificate to use, if one is requested by the server. The default is +not to use a certificate. The file is in \s-1PEM\s0 format. +.IP "\fB\-key keyfile\fR" 4 +.IX Item "-key keyfile" +The private key to use. If not specified then the certificate file will +be used. The file is in \s-1PEM\s0 format. +.IP "\fB\-verify depth\fR" 4 +.IX Item "-verify depth" +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. +Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. As a side effect the connection +will never fail due to a server certificate verify failure. +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. +.IP "\fB\-CApath directory\fR" 4 +.IX Item "-CApath directory" +The directory to use for server certificate verification. This directory +must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are +also used when building the client certificate chain. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file containing trusted certificates to use during server authentication +and to use when attempting to build the client certificate chain. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location +.IP "\fB\-new\fR" 4 +.IX Item "-new" +Performs the timing test using a new session \s-1ID\s0 for each connection. +If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default +and executed in sequence. +.IP "\fB\-reuse\fR" 4 +.IX Item "-reuse" +Performs the timing test using the same session \s-1ID\s0; this can be used as a test +that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are +specified, they are both on by default and executed in sequence. +.IP "\fB\-ssl3\fR" 4 +.IX Item "-ssl3" +This option disables the use of \s-1SSL\s0 version 3. By default +the initial handshake uses a method which should be compatible with all +servers and permit them to use \s-1SSL\s0 v3 or \s-1TLS\s0 as appropriate. +.Sp +The timing program is not as rich in options to turn protocols on and off as +the \fIs_client\fR\|(1) program and may not connect to all servers. +Unfortunately there are a lot of ancient and broken servers in use which +cannot handle this technique and will fail to connect. Some servers only +work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option. +.Sp +Note that this option may not be available, depending on how +OpenSSL was built. +.IP "\fB\-bugs\fR" 4 +.IX Item "-bugs" +There are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +option enables various workarounds. +.IP "\fB\-cipher cipherlist\fR" 4 +.IX Item "-cipher cipherlist" +This allows the TLSv1.2 and below cipher list sent by the client to be modified. +This list will be combined with any TLSv1.3 ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See +\&\fIciphers\fR\|(1) for more information. +.IP "\fB\-ciphersuites val\fR" 4 +.IX Item "-ciphersuites val" +This allows the TLSv1.3 ciphersuites sent by the client to be modified. This +list will be combined with any TLSv1.2 and below ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See +\&\fIciphers\fR\|(1) for more information. The format for this list is a simple +colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. +.IP "\fB\-time length\fR" 4 +.IX Item "-time length" +Specifies how long (in seconds) \fBs_time\fR should establish connections and +optionally transfer payload data from a server. Server and client performance +and the link speed determine how many connections \fBs_time\fR can establish. +.SH "NOTES" +.IX Header "NOTES" +\&\fBs_time\fR can be used to measure the performance of an \s-1SSL\s0 connection. +To connect to an \s-1SSL HTTP\s0 server and get the default page the command +.PP +.Vb 1 +\& openssl s_time \-connect servername:443 \-www / \-CApath yourdir \-CAfile yourfile.pem \-cipher commoncipher [\-ssl3] +.Ve +.PP +would typically be used (https uses port 443). 'commoncipher' is a cipher to +which both client and server can agree, see the \fIciphers\fR\|(1) command +for details. +.PP +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the \fB\-bugs\fR and +\&\fB\-ssl3\fR options can be tried +in case it is a buggy server. In particular you should play with these +options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. +.PP +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. This is normally because the server is not sending +the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it +requests a certificate. By using \fIs_client\fR\|(1) the \s-1CA\s0 list can be +viewed and checked. However some servers only request client authentication +after a specific \s-1URL\s0 is requested. To obtain the list in this case it +is necessary to use the \fB\-prexit\fR option of \fIs_client\fR\|(1) and +send an \s-1HTTP\s0 request for an appropriate page. +.PP +If a certificate is specified on the command line using the \fB\-cert\fR +option it will not be used unless the server specifically requests +a client certificate. Therefor merely including a client certificate +on the command line is no guarantee that the certificate works. +.SH "BUGS" +.IX Header "BUGS" +Because this program does not have all the options of the +\&\fIs_client\fR\|(1) program to turn protocols on and off, you may not be +able to measure the performance of all protocols with all servers. +.PP +The \fB\-verify\fR option should really exit if the server verification +fails. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1 new file mode 100644 index 000000000000..dac71229957c --- /dev/null +++ b/secure/usr.bin/openssl/man/sess_id.1 @@ -0,0 +1,268 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SESS_ID 1" +.TH SESS_ID 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-sess_id, sess_id \- SSL/TLS session handling utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBsess_id\fR +[\fB\-help\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER|NSS\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-context \s-1ID\s0\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBsess_id\fR process the encoded version of the \s-1SSL\s0 session structure +and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0 session +master key) in human readable format. Since this is a diagnostic tool that +needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will +not need to use it. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded +format containing session details. The precise format can vary from one version +to the next. The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR +format base64 encoded with additional header and footer lines. +.IP "\fB\-outform DER|PEM|NSS\fR" 4 +.IX Item "-outform DER|PEM|NSS" +This specifies the output format. The \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR options have the same meaning +and default as the \fB\-inform\fR option. The \fB\s-1NSS\s0\fR option outputs the session id and +the master key in \s-1NSS\s0 keylog format. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read session information from or standard +input by default. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write session information to or standard +output if this option is not specified. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the various public or private key components in +plain text in addition to the encoded version. +.IP "\fB\-cert\fR" 4 +.IX Item "-cert" +If a certificate is present in the session it will be output using this option, +if the \fB\-text\fR option is also present then it will be printed out in text form. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option prevents output of the encoded version of the session. +.IP "\fB\-context \s-1ID\s0\fR" 4 +.IX Item "-context ID" +This option can set the session id so the output session information uses the +supplied \s-1ID.\s0 The \s-1ID\s0 can be any string of characters. This option won't normally +be used. +.SH "OUTPUT" +.IX Header "OUTPUT" +Typical output: +.PP +.Vb 10 +\& SSL\-Session: +\& Protocol : TLSv1 +\& Cipher : 0016 +\& Session\-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED +\& Session\-ID\-ctx: 01000000 +\& Master\-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD +\& Key\-Arg : None +\& Start Time: 948459261 +\& Timeout : 300 (sec) +\& Verify return code 0 (ok) +.Ve +.PP +Theses are described below in more detail. +.IP "\fBProtocol\fR" 4 +.IX Item "Protocol" +This is the protocol in use TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 or SSLv3. +.IP "\fBCipher\fR" 4 +.IX Item "Cipher" +The cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0 +or \s-1TLS\s0 specifications for more information. +.IP "\fBSession-ID\fR" 4 +.IX Item "Session-ID" +The \s-1SSL\s0 session \s-1ID\s0 in hex format. +.IP "\fBSession-ID-ctx\fR" 4 +.IX Item "Session-ID-ctx" +The session \s-1ID\s0 context in hex format. +.IP "\fBMaster-Key\fR" 4 +.IX Item "Master-Key" +This is the \s-1SSL\s0 session master key. +.IP "\fBStart Time\fR" 4 +.IX Item "Start Time" +This is the session start time represented as an integer in standard +Unix format. +.IP "\fBTimeout\fR" 4 +.IX Item "Timeout" +The timeout in seconds. +.IP "\fBVerify return code\fR" 4 +.IX Item "Verify return code" +This is the return code when an \s-1SSL\s0 client certificate is verified. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 encoded session format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN SSL SESSION PARAMETERS\-\-\-\-\- +\& \-\-\-\-\-END SSL SESSION PARAMETERS\-\-\-\-\- +.Ve +.PP +Since the \s-1SSL\s0 session output contains the master key it is +possible to read the contents of an encrypted session using this +information. Therefore appropriate security precautions should be taken if +the information is being output by a \*(L"real\*(R" application. This is however +strongly discouraged and should only be used for debugging purposes. +.SH "BUGS" +.IX Header "BUGS" +The cipher and start time should be printed out in human readable form. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIciphers\fR\|(1), \fIs_server\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1 new file mode 100644 index 000000000000..d200e89e52a9 --- /dev/null +++ b/secure/usr.bin/openssl/man/smime.1 @@ -0,0 +1,613 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SMIME 1" +.TH SMIME 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-smime, smime \- S/MIME utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBsmime\fR +[\fB\-help\fR] +[\fB\-encrypt\fR] +[\fB\-decrypt\fR] +[\fB\-sign\fR] +[\fB\-resign\fR] +[\fB\-verify\fR] +[\fB\-pk7out\fR] +[\fB\-binary\fR] +[\fB\-crlfeol\fR] +[\fB\-\f(BIcipher\fB\fR] +[\fB\-in file\fR] +[\fB\-CAfile file\fR] +[\fB\-CApath dir\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] +[\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level num\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-x509_strict\fR] +[\fB\-certfile file\fR] +[\fB\-signer file\fR] +[\fB\-recip file\fR] +[\fB\-inform SMIME|PEM|DER\fR] +[\fB\-passin arg\fR] +[\fB\-inkey file_or_id\fR] +[\fB\-out file\fR] +[\fB\-outform SMIME|PEM|DER\fR] +[\fB\-content file\fR] +[\fB\-to addr\fR] +[\fB\-from ad\fR] +[\fB\-subject s\fR] +[\fB\-text\fR] +[\fB\-indef\fR] +[\fB\-noindef\fR] +[\fB\-stream\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-md digest\fR] +[cert.pem]... +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and +verify S/MIME messages. +.SH "OPTIONS" +.IX Header "OPTIONS" +There are six operation options that set the type of operation to be performed. +The meaning of the other options varies according to the operation type. +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-encrypt\fR" 4 +.IX Item "-encrypt" +Encrypt mail for the given recipient certificates. Input file is the message +to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. +.Sp +Note that no revocation check is done for the recipient cert, so if that +key has been compromised, others may be able to decrypt the text. +.IP "\fB\-decrypt\fR" 4 +.IX Item "-decrypt" +Decrypt mail using the supplied certificate and private key. Expects an +encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail +is written to the output file. +.IP "\fB\-sign\fR" 4 +.IX Item "-sign" +Sign mail using the supplied certificate and private key. Input file is +the message to be signed. The signed message in \s-1MIME\s0 format is written +to the output file. +.IP "\fB\-verify\fR" 4 +.IX Item "-verify" +Verify signed mail. Expects a signed mail message on input and outputs +the signed data. Both clear text and opaque signing is supported. +.IP "\fB\-pk7out\fR" 4 +.IX Item "-pk7out" +Takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure. +.IP "\fB\-resign\fR" 4 +.IX Item "-resign" +Resign a message: take an existing message and one or more new signers. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +The input message to be encrypted or signed or the \s-1MIME\s0 message to +be decrypted or verified. +.IP "\fB\-inform SMIME|PEM|DER\fR" 4 +.IX Item "-inform SMIME|PEM|DER" +This specifies the input format for the PKCS#7 structure. The default +is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR +format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures +instead. This currently only affects the input format of the PKCS#7 +structure, if no PKCS#7 structure is being input (for example with +\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +The message text that has been decrypted or verified or the output \s-1MIME\s0 +format message that has been signed or verified. +.IP "\fB\-outform SMIME|PEM|DER\fR" 4 +.IX Item "-outform SMIME|PEM|DER" +This specifies the output format for the PKCS#7 structure. The default +is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR +format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures +instead. This currently only affects the output format of the PKCS#7 +structure, if no PKCS#7 structure is being output (for example with +\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. +.IP "\fB\-stream \-indef \-noindef\fR" 4 +.IX Item "-stream -indef -noindef" +The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O +for encoding operations. This permits single pass processing of data without +the need to hold the entire contents in memory, potentially supporting very +large files. Streaming is automatically set for S/MIME signing with detached +data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all +other operations. +.IP "\fB\-noindef\fR" 4 +.IX Item "-noindef" +Disable streaming I/O where it would produce and indefinite length constructed +encoding. This option currently has no effect. In future streaming will be +enabled by default on all relevant operations and this option will disable it. +.IP "\fB\-content filename\fR" 4 +.IX Item "-content filename" +This specifies a file containing the detached content, this is only +useful with the \fB\-verify\fR command. This is only usable if the PKCS#7 +structure is using the detached signature form where the content is +not included. This option will override any content if the input format +is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied +message if encrypting or signing. If decrypting or verifying it strips +off text headers: if the decrypted or verified message is not of \s-1MIME\s0 +type text/plain then an error occurs. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. +.IP "\fB\-CApath dir\fR" 4 +.IX Item "-CApath dir" +A directory containing trusted \s-1CA\s0 certificates, only used with +\&\fB\-verify\fR. This directory must be a standard certificate directory: that +is a hash of each subject name (using \fBx509 \-hash\fR) should be linked +to each certificate. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location. +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location. +.IP "\fB\-md digest\fR" 4 +.IX Item "-md digest" +Digest algorithm to use when signing or resigning. If not present then the +default digest algorithm for the signing key will be used (usually \s-1SHA1\s0). +.IP "\fB\-\f(BIcipher\fB\fR" 4 +.IX Item "-cipher" +The encryption algorithm to use. For example \s-1DES\s0 (56 bits) \- \fB\-des\fR, +triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR, +\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for +example \fB\-aes\-128\-cbc\fR. See \fBenc\fR for list of ciphers +supported by your version of OpenSSL. +.Sp +If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR. +.IP "\fB\-nointern\fR" 4 +.IX Item "-nointern" +When verifying a message normally certificates (if any) included in +the message are searched for the signing certificate. With this option +only the certificates specified in the \fB\-certfile\fR option are used. +The supplied certificates can still be used as untrusted CAs however. +.IP "\fB\-noverify\fR" 4 +.IX Item "-noverify" +Do not verify the signers certificate of a signed message. +.IP "\fB\-nochain\fR" 4 +.IX Item "-nochain" +Do not do chain verification of signers certificates: that is don't +use the certificates in the signed message as untrusted CAs. +.IP "\fB\-nosigs\fR" 4 +.IX Item "-nosigs" +Don't try to verify the signatures on the message. +.IP "\fB\-nocerts\fR" 4 +.IX Item "-nocerts" +When signing a message the signer's certificate is normally included +with this option it is excluded. This will reduce the size of the +signed message but the verifier must have a copy of the signers certificate +available locally (passed using the \fB\-certfile\fR option for example). +.IP "\fB\-noattr\fR" 4 +.IX Item "-noattr" +Normally when a message is signed a set of attributes are included which +include the signing time and supported symmetric algorithms. With this +option they are not included. +.IP "\fB\-binary\fR" 4 +.IX Item "-binary" +Normally the input message is converted to \*(L"canonical\*(R" format which is +effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME +specification. When this option is present no translation occurs. This +is useful when handling binary data which may not be in \s-1MIME\s0 format. +.IP "\fB\-crlfeol\fR" 4 +.IX Item "-crlfeol" +Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this +option is present \fB\s-1CRLF\s0\fR is used instead. +.IP "\fB\-nodetach\fR" 4 +.IX Item "-nodetach" +When signing a message use opaque signing: this form is more resistant +to translation by mail relays but it cannot be read by mail agents that +do not support S/MIME. Without this option cleartext signing with +the \s-1MIME\s0 type multipart/signed is used. +.IP "\fB\-certfile file\fR" 4 +.IX Item "-certfile file" +Allows additional certificates to be specified. When signing these will +be included with the message. When verifying these will be searched for +the signers certificates. The certificates should be in \s-1PEM\s0 format. +.IP "\fB\-signer file\fR" 4 +.IX Item "-signer file" +A signing certificate when signing or resigning a message, this option can be +used multiple times if more than one signer is required. If a message is being +verified then the signers certificates will be written to this file if the +verification was successful. +.IP "\fB\-recip file\fR" 4 +.IX Item "-recip file" +The recipients certificate when decrypting a message. This certificate +must match one of the recipients of the message or an error occurs. +.IP "\fB\-inkey file_or_id\fR" 4 +.IX Item "-inkey file_or_id" +The private key to use when signing or decrypting. This must match the +corresponding certificate. If this option is not specified then the +private key must be included in the certificate file specified with +the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used +multiple times to specify successive keys. +If no engine is used, the argument is taken as a file; if an engine is +specified, the argument is given to the engine as a key identifier. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fBcert.pem...\fR" 4 +.IX Item "cert.pem..." +One or more certificates of message recipients: used when encrypting +a message. +.IP "\fB\-to, \-from, \-subject\fR" 4 +.IX Item "-to, -from, -subject" +The relevant mail headers. These are included outside the signed +portion of a message so they may be included manually. If signing +then many S/MIME mail clients check the signers certificate's email +address matches that specified in the From: address. +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set various options of certificate chain verification. See +\&\fIverify\fR\|(1) manual page for details. +.SH "NOTES" +.IX Header "NOTES" +The \s-1MIME\s0 message must be sent without any blank lines between the +headers and the output. Some mail programs will automatically add +a blank line. Piping the mail directly to sendmail is one way to +achieve the correct format. +.PP +The supplied message to be signed or encrypted must include the +necessary \s-1MIME\s0 headers or many S/MIME clients won't display it +properly (if at all). You can use the \fB\-text\fR option to automatically +add plain text headers. +.PP +A \*(L"signed and encrypted\*(R" message is one where a signed message is +then encrypted. This can be produced by encrypting an already signed +message: see the examples section. +.PP +This version of the program only allows one signer per message but it +will verify multiple signers on received messages. Some S/MIME clients +choke if a message contains multiple signers. It is possible to sign +messages \*(L"in parallel\*(R" by signing an already signed message. +.PP +The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME +clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 +encrypted data is used for other purposes. +.PP +The \fB\-resign\fR option uses an existing message digest when adding a new +signer. This means that attributes must be present in at least one existing +signer using the same message digest or this operation will fail. +.PP +The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support. +As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding +and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the +\&\fB\-sign\fR operation if the content is not detached. +.PP +Streaming is always used for the \fB\-sign\fR operation with detached data but +since the content is no longer part of the PKCS#7 structure the encoding +remains \s-1DER.\s0 +.SH "EXIT CODES" +.IX Header "EXIT CODES" +.IP "0" 4 +The operation was completely successfully. +.IP "1" 4 +.IX Item "1" +An error occurred parsing the command options. +.IP "2" 4 +.IX Item "2" +One of the input files could not be read. +.IP "3" 4 +.IX Item "3" +An error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0 +message. +.IP "4" 4 +.IX Item "4" +An error occurred decrypting or verifying the message. +.IP "5" 4 +.IX Item "5" +The message was verified correctly but an error occurred writing out +the signers certificates. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create a cleartext signed message: +.PP +.Vb 2 +\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e +\& \-signer mycert.pem +.Ve +.PP +Create an opaque signed message: +.PP +.Vb 2 +\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e +\& \-signer mycert.pem +.Ve +.PP +Create a signed message, include some additional certificates and +read the private key from another file: +.PP +.Vb 2 +\& openssl smime \-sign \-in in.txt \-text \-out mail.msg \e +\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem +.Ve +.PP +Create a signed message with two signers: +.PP +.Vb 2 +\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e +\& \-signer mycert.pem \-signer othercert.pem +.Ve +.PP +Send a signed message under Unix directly to sendmail, including headers: +.PP +.Vb 3 +\& openssl smime \-sign \-in in.txt \-text \-signer mycert.pem \e +\& \-from steve@openssl.org \-to someone@somewhere \e +\& \-subject "Signed message" | sendmail someone@somewhere +.Ve +.PP +Verify a message and extract the signer's certificate if successful: +.PP +.Vb 1 +\& openssl smime \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt +.Ve +.PP +Send encrypted mail using triple \s-1DES:\s0 +.PP +.Vb 3 +\& openssl smime \-encrypt \-in in.txt \-from steve@openssl.org \e +\& \-to someone@somewhere \-subject "Encrypted message" \e +\& \-des3 user.pem \-out mail.msg +.Ve +.PP +Sign and encrypt mail: +.PP +.Vb 4 +\& openssl smime \-sign \-in ml.txt \-signer my.pem \-text \e +\& | openssl smime \-encrypt \-out mail.msg \e +\& \-from steve@openssl.org \-to someone@somewhere \e +\& \-subject "Signed and Encrypted message" \-des3 user.pem +.Ve +.PP +Note: the encryption command does not include the \fB\-text\fR option because the +message being encrypted already has \s-1MIME\s0 headers. +.PP +Decrypt mail: +.PP +.Vb 1 +\& openssl smime \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem +.Ve +.PP +The output from Netscape form signing is a PKCS#7 structure with the +detached signature format. You can use this program to verify the +signature by line wrapping the base64 encoded structure and surrounding +it with: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\- +\& \-\-\-\-\-END PKCS7\-\-\-\-\- +.Ve +.PP +and using the command: +.PP +.Vb 1 +\& openssl smime \-verify \-inform PEM \-in signature.pem \-content content.txt +.Ve +.PP +Alternatively you can base64 decode the signature and use: +.PP +.Vb 1 +\& openssl smime \-verify \-inform DER \-in signature.der \-content content.txt +.Ve +.PP +Create an encrypted message using 128 bit Camellia: +.PP +.Vb 1 +\& openssl smime \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem +.Ve +.PP +Add a signer to an existing message: +.PP +.Vb 1 +\& openssl smime \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg +.Ve +.SH "BUGS" +.IX Header "BUGS" +The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've +thrown at it but it may choke on others. +.PP +The code currently will only write out the signer's certificate to a file: if +the signer has a separate encryption certificate this must be manually +extracted. There should be some heuristic that determines the correct +encryption certificate. +.PP +Ideally a database should be maintained of a certificates for each email +address. +.PP +The code doesn't currently take note of the permitted symmetric encryption +algorithms as supplied in the SMIMECapabilities signed attribute. This means the +user has to manually include the correct encryption algorithm. It should store +the list of permitted ciphers in a database and only use those. +.PP +No revocation checking is done on the signer's certificate. +.PP +The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 +structures may cause parsing errors. +.SH "HISTORY" +.IX Header "HISTORY" +The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first +added in OpenSSL 1.0.0 +.PP +The \-no_alt_chains options was first added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1 new file mode 100644 index 000000000000..1b556805bd00 --- /dev/null +++ b/secure/usr.bin/openssl/man/speed.1 @@ -0,0 +1,216 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SPEED 1" +.TH SPEED 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-speed, speed \- test library performance +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl speed\fR +[\fB\-help\fR] +[\fB\-engine id\fR] +[\fB\-elapsed\fR] +[\fB\-evp algo\fR] +[\fB\-decrypt\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-primes num\fR] +[\fB\-seconds num\fR] +[\fB\-bytes num\fR] +[\fBalgorithm...\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to test the performance of cryptographic algorithms. +To see the list of supported algorithms, use the \fIlist \-\-digest\-commands\fR +or \fIlist \-\-cipher\-commands\fR command. The global \s-1CSPRNG\s0 is denoted by +the \fIrand\fR algorithm name. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBspeed\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-elapsed\fR" 4 +.IX Item "-elapsed" +When calculating operations\- or bytes-per-second, use wall-clock time +instead of \s-1CPU\s0 user time as divisor. It can be useful when testing speed +of hardware engines. +.IP "\fB\-evp algo\fR" 4 +.IX Item "-evp algo" +Use the specified cipher or message digest algorithm via the \s-1EVP\s0 interface. +If \fBalgo\fR is an \s-1AEAD\s0 cipher, then you can pass <\-aead> to benchmark a +TLS-like sequence. And if \fBalgo\fR is a multi-buffer capable cipher, e.g. +aes\-128\-cbc\-hmac\-sha1, then \fB\-mb\fR will time multi-buffer operation. +.IP "\fB\-decrypt\fR" 4 +.IX Item "-decrypt" +Time the decryption instead of encryption. Affects only the \s-1EVP\s0 testing. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-primes num\fR" 4 +.IX Item "-primes num" +Generate a \fBnum\fR\-prime \s-1RSA\s0 key and use it to run the benchmarks. This option +is only effective if \s-1RSA\s0 algorithm is specified to test. +.IP "\fB\-seconds num\fR" 4 +.IX Item "-seconds num" +Run benchmarks for \fBnum\fR seconds. +.IP "\fB\-bytes num\fR" 4 +.IX Item "-bytes num" +Run benchmarks on \fBnum\fR\-byte buffers. Affects ciphers, digests and the \s-1CSPRNG.\s0 +.IP "\fB[zero or more test algorithms]\fR" 4 +.IX Item "[zero or more test algorithms]" +If any options are given, \fBspeed\fR tests those algorithms, otherwise a +pre-compiled grand selection is tested. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1 new file mode 100644 index 000000000000..99cb3e60b390 --- /dev/null +++ b/secure/usr.bin/openssl/man/spkac.1 @@ -0,0 +1,270 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SPKAC 1" +.TH SPKAC 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-spkac, spkac \- SPKAC printing and generating utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBspkac\fR +[\fB\-help\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-key keyfile\fR] +[\fB\-keyform PEM|DER|ENGINE\fR] +[\fB\-passin arg\fR] +[\fB\-challenge string\fR] +[\fB\-pubkey\fR] +[\fB\-spkac spkacname\fR] +[\fB\-spksect section\fR] +[\fB\-noout\fR] +[\fB\-verify\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBspkac\fR command processes Netscape signed public key and challenge +(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and +produce its own SPKACs from a supplied private key. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read from or standard input if this +option is not specified. Ignored if the \fB\-key\fR option is used. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Specifies the output filename to write to or standard output by +default. +.IP "\fB\-key keyfile\fR" 4 +.IX Item "-key keyfile" +Create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The +\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if +present. +.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4 +.IX Item "-keyform PEM|DER|ENGINE" +Whether the key format is \s-1PEM, DER,\s0 or an engine-backed key. +The default is \s-1PEM.\s0 +.IP "\fB\-passin password\fR" 4 +.IX Item "-passin password" +The input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-challenge string\fR" 4 +.IX Item "-challenge string" +Specifies the challenge string if an \s-1SPKAC\s0 is being created. +.IP "\fB\-spkac spkacname\fR" 4 +.IX Item "-spkac spkacname" +Allows an alternative name form the variable containing the +\&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both +generated and input \s-1SPKAC\s0 files. +.IP "\fB\-spksect section\fR" 4 +.IX Item "-spksect section" +Allows an alternative name form the section containing the +\&\s-1SPKAC.\s0 The default is the default section. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +Don't output the text version of the \s-1SPKAC\s0 (not used if an +\&\s-1SPKAC\s0 is being created). +.IP "\fB\-pubkey\fR" 4 +.IX Item "-pubkey" +Output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is +being created). +.IP "\fB\-verify\fR" 4 +.IX Item "-verify" +Verifies the digital signature on the supplied \s-1SPKAC.\s0 +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Print out the contents of an \s-1SPKAC:\s0 +.PP +.Vb 1 +\& openssl spkac \-in spkac.cnf +.Ve +.PP +Verify the signature of an \s-1SPKAC:\s0 +.PP +.Vb 1 +\& openssl spkac \-in spkac.cnf \-noout \-verify +.Ve +.PP +Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R": +.PP +.Vb 1 +\& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf +.Ve +.PP +Example of an \s-1SPKAC,\s0 (long lines split up for clarity): +.PP +.Vb 6 +\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\e +\& 1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\e +\& 8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\e +\& FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\e +\& h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\e +\& dq+NQ3F+X4deMx9AaEglZtULwV4= +.Ve +.SH "NOTES" +.IX Header "NOTES" +A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into +the \fBca\fR utility. +.PP +SPKACs are typically generated by Netscape when a form is submitted +containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment +process. +.PP +The challenge string permits a primitive form of proof of possession +of private key. By checking the \s-1SPKAC\s0 signature and a random challenge +string some guarantee is given that the user knows the private key +corresponding to the public key being certified. This is important in +some applications. Without this it is possible for a previous \s-1SPKAC\s0 +to be used in a \*(L"replay attack\*(R". +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIca\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/srp.1 b/secure/usr.bin/openssl/man/srp.1 new file mode 100644 index 000000000000..109ca21f1015 --- /dev/null +++ b/secure/usr.bin/openssl/man/srp.1 @@ -0,0 +1,194 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SRP 1" +.TH SRP 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-srp, srp \- maintain SRP password file +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl srp\fR +[\fB\-help\fR] +[\fB\-verbose\fR] +[\fB\-add\fR] +[\fB\-modify\fR] +[\fB\-delete\fR] +[\fB\-list\fR] +[\fB\-name section\fR] +[\fB\-config file\fR] +[\fB\-srpvfile file\fR] +[\fB\-gn identifier\fR] +[\fB\-userinfo text...\fR] +[\fB\-passin arg\fR] +[\fB\-passout arg\fR] +[\fIuser...\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBsrp\fR command is user to maintain an \s-1SRP\s0 (secure remote password) +file. +At most one of the \fB\-add\fR, \fB\-modify\fR, \fB\-delete\fR, and \fB\-list\fR options +can be specified. +These options take zero or more usernames as parameters and perform the +appropriate operation on the \s-1SRP\s0 file. +For \fB\-list\fR, if no \fBuser\fR is given then all users are displayed. +.PP +The configuration file to use, and the section within the file, can be +specified with the \fB\-config\fR and \fB\-name\fR flags, respectively. +If the config file is not specified, the \fB\-srpvfile\fR can be used to +just specify the file to operate on. +.PP +The \fB\-userinfo\fR option specifies additional information to add when +adding or modifying a user. +.PP +The \fB\-gn\fR flag specifies the \fBg\fR and \fBN\fR values, using one of +the strengths defined in \s-1IETF RFC 5054.\s0 +.PP +The \fB\-passin\fR and \fB\-passout\fR arguments are parsed as described in +the \fIopenssl\fR\|(1) command. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "[\fB\-help\fR]" 4 +.IX Item "[-help]" +Display an option summary. +.IP "[\fB\-verbose\fR]" 4 +.IX Item "[-verbose]" +Generate verbose output while processing. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/storeutl.1 b/secure/usr.bin/openssl/man/storeutl.1 new file mode 100644 index 000000000000..b09f3f473297 --- /dev/null +++ b/secure/usr.bin/openssl/man/storeutl.1 @@ -0,0 +1,245 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "STOREUTL 1" +.TH STOREUTL 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-storeutl, storeutl \- STORE utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBstoreutl\fR +[\fB\-help\fR] +[\fB\-out file\fR] +[\fB\-noout\fR] +[\fB\-passin arg\fR] +[\fB\-text arg\fR] +[\fB\-engine id\fR] +[\fB\-r\fR] +[\fB\-certs\fR] +[\fB\-keys\fR] +[\fB\-crls\fR] +[\fB\-subject arg\fR] +[\fB\-issuer arg\fR] +[\fB\-serial arg\fR] +[\fB\-alias arg\fR] +[\fB\-fingerprint arg\fR] +[\fB\-\f(BIdigest\fB\fR] +\&\fBuri\fR ... +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBstoreutl\fR command can be used to display the contents (after decryption +as the case may be) fetched from the given URIs. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specifies the output filename to write to or standard output by +default. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the \s-1PEM\s0 data. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the objects in text form, similarly to the \fB\-text\fR output from +\&\fBopenssl x509\fR, \fBopenssl pkey\fR, etc. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by its unique \fBid\fR string) will cause \fBstoreutl\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. +The engine will then be set as the default for all available algorithms. +.IP "\fB\-r\fR" 4 +.IX Item "-r" +Fetch objects recursively when possible. +.IP "\fB\-certs\fR" 4 +.IX Item "-certs" +.PD 0 +.IP "\fB\-keys\fR" 4 +.IX Item "-keys" +.IP "\fB\-crls\fR" 4 +.IX Item "-crls" +.PD +Only select the certificates, keys or CRLs from the given \s-1URI.\s0 +However, if this \s-1URI\s0 would return a set of names (URIs), those are always +returned. +.IP "\fB\-subject arg\fR" 4 +.IX Item "-subject arg" +Search for an object having the subject name \fBarg\fR. +The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR. +Keyword characters may be escaped by \e (backslash), and whitespace is retained. +Empty values are permitted but are ignored for the search. That is, +a search with an empty value will have the same effect as not specifying +the type at all. +.IP "\fB\-issuer arg\fR" 4 +.IX Item "-issuer arg" +.PD 0 +.IP "\fB\-serial arg\fR" 4 +.IX Item "-serial arg" +.PD +Search for an object having the given issuer name and serial number. +These two options \fImust\fR be used together. +The issuer arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, +characters may be escaped by \e (backslash), no spaces are skipped. +The serial arg may be specified as a decimal value or a hex value if preceded +by \fB0x\fR. +.IP "\fB\-alias arg\fR" 4 +.IX Item "-alias arg" +Search for an object having the given alias. +.IP "\fB\-fingerprint arg\fR" 4 +.IX Item "-fingerprint arg" +Search for an object having the given fingerprint. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +The digest that was used to compute the fingerprint given with \fB\-fingerprint\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIopenssl\fR\|(1) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fBopenssl\fR \fBstoreutl\fR was added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1 new file mode 100644 index 000000000000..43ad019c7290 --- /dev/null +++ b/secure/usr.bin/openssl/man/ts.1 @@ -0,0 +1,722 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "TS 1" +.TH TS 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-ts, ts \- Time Stamping Authority tool (client/server) +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBts\fR +\&\fB\-query\fR +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-config\fR configfile] +[\fB\-data\fR file_to_hash] +[\fB\-digest\fR digest_bytes] +[\fB\-\f(BIdigest\fB\fR] +[\fB\-tspolicy\fR object_id] +[\fB\-no_nonce\fR] +[\fB\-cert\fR] +[\fB\-in\fR request.tsq] +[\fB\-out\fR request.tsq] +[\fB\-text\fR] +.PP +\&\fBopenssl\fR \fBts\fR +\&\fB\-reply\fR +[\fB\-config\fR configfile] +[\fB\-section\fR tsa_section] +[\fB\-queryfile\fR request.tsq] +[\fB\-passin\fR password_src] +[\fB\-signer\fR tsa_cert.pem] +[\fB\-inkey\fR file_or_id] +[\fB\-\f(BIdigest\fB\fR] +[\fB\-chain\fR certs_file.pem] +[\fB\-tspolicy\fR object_id] +[\fB\-in\fR response.tsr] +[\fB\-token_in\fR] +[\fB\-out\fR response.tsr] +[\fB\-token_out\fR] +[\fB\-text\fR] +[\fB\-engine\fR id] +.PP +\&\fBopenssl\fR \fBts\fR +\&\fB\-verify\fR +[\fB\-data\fR file_to_hash] +[\fB\-digest\fR digest_bytes] +[\fB\-queryfile\fR request.tsq] +[\fB\-in\fR response.tsr] +[\fB\-token_in\fR] +[\fB\-CApath\fR trusted_cert_path] +[\fB\-CAfile\fR trusted_certs.pem] +[\fB\-untrusted\fR cert_file.pem] +[\fIverify options\fR] +.PP +\&\fIverify options:\fR +[\-attime timestamp] +[\-check_ss_sig] +[\-crl_check] +[\-crl_check_all] +[\-explicit_policy] +[\-extended_crl] +[\-ignore_critical] +[\-inhibit_any] +[\-inhibit_map] +[\-issuer_checks] +[\-no_alt_chains] +[\-no_check_time] +[\-partial_chain] +[\-policy arg] +[\-policy_check] +[\-policy_print] +[\-purpose purpose] +[\-suiteB_128] +[\-suiteB_128_only] +[\-suiteB_192] +[\-trusted_first] +[\-use_deltas] +[\-auth_level num] +[\-verify_depth num] +[\-verify_email email] +[\-verify_hostname hostname] +[\-verify_ip ip] +[\-verify_name name] +[\-x509_strict] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server +application as specified in \s-1RFC 3161\s0 (Time-Stamp Protocol, \s-1TSP\s0). A +\&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long +term proof of the existence of a certain datum before a particular +time. Here is a brief description of the protocol: +.IP "1." 4 +The \s-1TSA\s0 client computes a one-way hash value for a data file and sends +the hash to the \s-1TSA.\s0 +.IP "2." 4 +The \s-1TSA\s0 attaches the current date and time to the received hash value, +signs them and sends the time stamp token back to the client. By +creating this token the \s-1TSA\s0 certifies the existence of the original +data file at the time of response generation. +.IP "3." 4 +The \s-1TSA\s0 client receives the time stamp token and verifies the +signature on it. It also checks if the token contains the same hash +value that it had sent to the \s-1TSA.\s0 +.PP +There is one \s-1DER\s0 encoded protocol data unit defined for transporting a time +stamp request to the \s-1TSA\s0 and one for sending the time stamp response +back to the client. The \fBts\fR command has three main functions: +creating a time stamp request based on a data file, +creating a time stamp response based on a request, verifying if a +response corresponds to a particular request or a data file. +.PP +There is no support for sending the requests/responses automatically +over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC 3161.\s0 The users must send the +requests either by ftp or e\-mail. +.SH "OPTIONS" +.IX Header "OPTIONS" +.SS "Time Stamp Request generation" +.IX Subsection "Time Stamp Request generation" +The \fB\-query\fR switch can be used for creating and printing a time stamp +request with the following options: +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-config\fR configfile" 4 +.IX Item "-config configfile" +The configuration file to use. +Optional; for a description of the default value, +see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fIopenssl\fR\|(1). +.IP "\fB\-data\fR file_to_hash" 4 +.IX Item "-data file_to_hash" +The data file for which the time stamp request needs to be +created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR +parameter is specified. (Optional) +.IP "\fB\-digest\fR digest_bytes" 4 +.IX Item "-digest digest_bytes" +It is possible to specify the message imprint explicitly without the data +file. The imprint must be specified in a hexadecimal format, two characters +per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or +1AF601...). The number of bytes must match the message digest algorithm +in use. (Optional) +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +The message digest to apply to the data file. +Any digest supported by the OpenSSL \fBdgst\fR command can be used. +The default is \s-1SHA\-1.\s0 (Optional) +.IP "\fB\-tspolicy\fR object_id" 4 +.IX Item "-tspolicy object_id" +The policy that the client expects the \s-1TSA\s0 to use for creating the +time stamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined +in the config file can be used. If no policy is requested the \s-1TSA\s0 will +use its own default policy. (Optional) +.IP "\fB\-no_nonce\fR" 4 +.IX Item "-no_nonce" +No nonce is specified in the request if this option is +given. Otherwise a 64 bit long pseudo-random none is +included in the request. It is recommended to use nonce to +protect against replay-attacks. (Optional) +.IP "\fB\-cert\fR" 4 +.IX Item "-cert" +The \s-1TSA\s0 is expected to include its signing certificate in the +response. (Optional) +.IP "\fB\-in\fR request.tsq" 4 +.IX Item "-in request.tsq" +This option specifies a previously created time stamp request in \s-1DER\s0 +format that will be printed into the output file. Useful when you need +to examine the content of a request in human-readable +format. (Optional) +.IP "\fB\-out\fR request.tsq" 4 +.IX Item "-out request.tsq" +Name of the output file to which the request will be written. Default +is stdout. (Optional) +.IP "\fB\-text\fR" 4 +.IX Item "-text" +If this option is specified the output is human-readable text format +instead of \s-1DER.\s0 (Optional) +.SS "Time Stamp Response generation" +.IX Subsection "Time Stamp Response generation" +A time stamp response (TimeStampResp) consists of a response status +and the time stamp token itself (ContentInfo), if the token generation was +successful. The \fB\-reply\fR command is for creating a time stamp +response or time stamp token based on a request and printing the +response/token in human-readable format. If \fB\-token_out\fR is not +specified the output is always a time stamp response (TimeStampResp), +otherwise it is a time stamp token (ContentInfo). +.IP "\fB\-config\fR configfile" 4 +.IX Item "-config configfile" +The configuration file to use. +Optional; for a description of the default value, +see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fIopenssl\fR\|(1). +See \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for configurable variables. +.IP "\fB\-section\fR tsa_section" 4 +.IX Item "-section tsa_section" +The name of the config file section containing the settings for the +response generation. If not specified the default \s-1TSA\s0 section is +used, see \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for details. (Optional) +.IP "\fB\-queryfile\fR request.tsq" 4 +.IX Item "-queryfile request.tsq" +The name of the file containing a \s-1DER\s0 encoded time stamp request. (Optional) +.IP "\fB\-passin\fR password_src" 4 +.IX Item "-passin password_src" +Specifies the password source for the private key of the \s-1TSA.\s0 See +\&\fB\s-1PASS PHRASE ARGUMENTS\s0\fR in \fIopenssl\fR\|(1). (Optional) +.IP "\fB\-signer\fR tsa_cert.pem" 4 +.IX Item "-signer tsa_cert.pem" +The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing +certificate must have exactly one extended key usage assigned to it: +timeStamping. The extended key usage must also be critical, otherwise +the certificate is going to be refused. Overrides the \fBsigner_cert\fR +variable of the config file. (Optional) +.IP "\fB\-inkey\fR file_or_id" 4 +.IX Item "-inkey file_or_id" +The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the +\&\fBsigner_key\fR config file option. (Optional) +If no engine is used, the argument is taken as a file; if an engine is +specified, the argument is given to the engine as a key identifier. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +Signing digest to use. Overrides the \fBsigner_digest\fR config file +option. (Optional) +.IP "\fB\-chain\fR certs_file.pem" 4 +.IX Item "-chain certs_file.pem" +The collection of certificates in \s-1PEM\s0 format that will all +be included in the response in addition to the signer certificate if +the \fB\-cert\fR option was used for the request. This file is supposed to +contain the certificate chain for the signer certificate from its +issuer upwards. The \fB\-reply\fR command does not build a certificate +chain automatically. (Optional) +.IP "\fB\-tspolicy\fR object_id" 4 +.IX Item "-tspolicy object_id" +The default policy to use for the response unless the client +explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified +either in dotted notation or with its name. Overrides the +\&\fBdefault_policy\fR config file option. (Optional) +.IP "\fB\-in\fR response.tsr" 4 +.IX Item "-in response.tsr" +Specifies a previously created time stamp response or time stamp token +(if \fB\-token_in\fR is also specified) in \s-1DER\s0 format that will be written +to the output file. This option does not require a request, it is +useful e.g. when you need to examine the content of a response or +token or you want to extract the time stamp token from a response. If +the input is a token and the output is a time stamp response a default +\&'granted' status info is added to the token. (Optional) +.IP "\fB\-token_in\fR" 4 +.IX Item "-token_in" +This flag can be used together with the \fB\-in\fR option and indicates +that the input is a \s-1DER\s0 encoded time stamp token (ContentInfo) instead +of a time stamp response (TimeStampResp). (Optional) +.IP "\fB\-out\fR response.tsr" 4 +.IX Item "-out response.tsr" +The response is written to this file. The format and content of the +file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is +stdout. (Optional) +.IP "\fB\-token_out\fR" 4 +.IX Item "-token_out" +The output is a time stamp token (ContentInfo) instead of time stamp +response (TimeStampResp). (Optional) +.IP "\fB\-text\fR" 4 +.IX Item "-text" +If this option is specified the output is human-readable text format +instead of \s-1DER.\s0 (Optional) +.IP "\fB\-engine\fR id" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBts\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. Default is builtin. (Optional) +.SS "Time Stamp Response verification" +.IX Subsection "Time Stamp Response verification" +The \fB\-verify\fR command is for verifying if a time stamp response or time +stamp token is valid and matches a particular time stamp request or +data file. The \fB\-verify\fR command does not use the configuration file. +.IP "\fB\-data\fR file_to_hash" 4 +.IX Item "-data file_to_hash" +The response or token must be verified against file_to_hash. The file +is hashed with the message digest algorithm specified in the token. +The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one. +(Optional) +.IP "\fB\-digest\fR digest_bytes" 4 +.IX Item "-digest digest_bytes" +The response or token must be verified against the message digest specified +with this option. The number of bytes must match the message digest algorithm +specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be +specified with this one. (Optional) +.IP "\fB\-queryfile\fR request.tsq" 4 +.IX Item "-queryfile request.tsq" +The original time stamp request in \s-1DER\s0 format. The \fB\-data\fR and \fB\-digest\fR +options must not be specified with this one. (Optional) +.IP "\fB\-in\fR response.tsr" 4 +.IX Item "-in response.tsr" +The time stamp response that needs to be verified in \s-1DER\s0 format. (Mandatory) +.IP "\fB\-token_in\fR" 4 +.IX Item "-token_in" +This flag can be used together with the \fB\-in\fR option and indicates +that the input is a \s-1DER\s0 encoded time stamp token (ContentInfo) instead +of a time stamp response (TimeStampResp). (Optional) +.IP "\fB\-CApath\fR trusted_cert_path" 4 +.IX Item "-CApath trusted_cert_path" +The name of the directory containing the trusted \s-1CA\s0 certificates of the +client. See the similar option of \fIverify\fR\|(1) for additional +details. Either this option or \fB\-CAfile\fR must be specified. (Optional) +.IP "\fB\-CAfile\fR trusted_certs.pem" 4 +.IX Item "-CAfile trusted_certs.pem" +The name of the file containing a set of trusted self-signed \s-1CA\s0 +certificates in \s-1PEM\s0 format. See the similar option of +\&\fIverify\fR\|(1) for additional details. Either this option +or \fB\-CApath\fR must be specified. +(Optional) +.IP "\fB\-untrusted\fR cert_file.pem" 4 +.IX Item "-untrusted cert_file.pem" +Set of additional untrusted certificates in \s-1PEM\s0 format which may be +needed when building the certificate chain for the \s-1TSA\s0's signing +certificate. This file must contain the \s-1TSA\s0 signing certificate and +all intermediate \s-1CA\s0 certificates unless the response includes them. +(Optional) +.IP "\fIverify options\fR" 4 +.IX Item "verify options" +The options \fB\-attime timestamp\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, +\&\fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, +\&\fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-issuer_checks\fR, \fB\-no_alt_chains\fR, +\&\fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, +\&\fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, +\&\fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, +\&\fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, +\&\fB\-verify_name\fR, and \fB\-x509_strict\fR can be used to control timestamp +verification. See \fIverify\fR\|(1). +.SH "CONFIGURATION FILE OPTIONS" +.IX Header "CONFIGURATION FILE OPTIONS" +The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file. +See \fIconfig\fR\|(5) +for a general description of the syntax of the config file. The +\&\fB\-query\fR command uses only the symbolic \s-1OID\s0 names section +and it can work without it. However, the \fB\-reply\fR command needs the +config file for its operation. +.PP +When there is a command line switch equivalent of a variable the +switch always overrides the settings in the config file. +.IP "\fBtsa\fR section, \fBdefault_tsa\fR" 4 +.IX Item "tsa section, default_tsa" +This is the main section and it specifies the name of another section +that contains all the options for the \fB\-reply\fR command. This default +section can be overridden with the \fB\-section\fR command line switch. (Optional) +.IP "\fBoid_file\fR" 4 +.IX Item "oid_file" +See \fIca\fR\|(1) for description. (Optional) +.IP "\fBoid_section\fR" 4 +.IX Item "oid_section" +See \fIca\fR\|(1) for description. (Optional) +.IP "\fB\s-1RANDFILE\s0\fR" 4 +.IX Item "RANDFILE" +See \fIca\fR\|(1) for description. (Optional) +.IP "\fBserial\fR" 4 +.IX Item "serial" +The name of the file containing the hexadecimal serial number of the +last time stamp response created. This number is incremented by 1 for +each response. If the file does not exist at the time of response +generation a new file is created with serial number 1. (Mandatory) +.IP "\fBcrypto_device\fR" 4 +.IX Item "crypto_device" +Specifies the OpenSSL engine that will be set as the default for +all available algorithms. The default value is builtin, you can specify +any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0). +(Optional) +.IP "\fBsigner_cert\fR" 4 +.IX Item "signer_cert" +\&\s-1TSA\s0 signing certificate in \s-1PEM\s0 format. The same as the \fB\-signer\fR +command line option. (Optional) +.IP "\fBcerts\fR" 4 +.IX Item "certs" +A file containing a set of \s-1PEM\s0 encoded certificates that need to be +included in the response. The same as the \fB\-chain\fR command line +option. (Optional) +.IP "\fBsigner_key\fR" 4 +.IX Item "signer_key" +The private key of the \s-1TSA\s0 in \s-1PEM\s0 format. The same as the \fB\-inkey\fR +command line option. (Optional) +.IP "\fBsigner_digest\fR" 4 +.IX Item "signer_digest" +Signing digest to use. The same as the +\&\fB\-\f(BIdigest\fB\fR command line option. (Optional) +.IP "\fBdefault_policy\fR" 4 +.IX Item "default_policy" +The default policy to use when the request does not mandate any +policy. The same as the \fB\-tspolicy\fR command line option. (Optional) +.IP "\fBother_policies\fR" 4 +.IX Item "other_policies" +Comma separated list of policies that are also acceptable by the \s-1TSA\s0 +and used only if the request explicitly specifies one of them. (Optional) +.IP "\fBdigests\fR" 4 +.IX Item "digests" +The list of message digest algorithms that the \s-1TSA\s0 accepts. At least +one algorithm must be specified. (Mandatory) +.IP "\fBaccuracy\fR" 4 +.IX Item "accuracy" +The accuracy of the time source of the \s-1TSA\s0 in seconds, milliseconds +and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of +the components is missing zero is assumed for that field. (Optional) +.IP "\fBclock_precision_digits\fR" 4 +.IX Item "clock_precision_digits" +Specifies the maximum number of digits, which represent the fraction of +seconds, that need to be included in the time field. The trailing zeroes +must be removed from the time, so there might actually be fewer digits, +or no fraction of seconds at all. Supported only on \s-1UNIX\s0 platforms. +The maximum value is 6, default is 0. +(Optional) +.IP "\fBordering\fR" 4 +.IX Item "ordering" +If this option is yes the responses generated by this \s-1TSA\s0 can always +be ordered, even if the time difference between two responses is less +than the sum of their accuracies. Default is no. (Optional) +.IP "\fBtsa_name\fR" 4 +.IX Item "tsa_name" +Set this option to yes if the subject name of the \s-1TSA\s0 must be included in +the \s-1TSA\s0 name field of the response. Default is no. (Optional) +.IP "\fBess_cert_id_chain\fR" 4 +.IX Item "ess_cert_id_chain" +The SignedData objects created by the \s-1TSA\s0 always contain the +certificate identifier of the signing certificate in a signed +attribute (see \s-1RFC 2634,\s0 Enhanced Security Services). If this option +is set to yes and either the \fBcerts\fR variable or the \fB\-chain\fR option +is specified then the certificate identifiers of the chain will also +be included in the SigningCertificate signed attribute. If this +variable is set to no, only the signing certificate identifier is +included. Default is no. (Optional) +.IP "\fBess_cert_id_alg\fR" 4 +.IX Item "ess_cert_id_alg" +This option specifies the hash function to be used to calculate the \s-1TSA\s0's +public key certificate identifier. Default is sha1. (Optional) +.SH "EXAMPLES" +.IX Header "EXAMPLES" +All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper +configuration file, e.g. the example configuration file +openssl/apps/openssl.cnf will do. +.SS "Time Stamp Request" +.IX Subsection "Time Stamp Request" +To create a time stamp request for design1.txt with \s-1SHA\-1\s0 +without nonce and policy and no certificate is required in the response: +.PP +.Vb 2 +\& openssl ts \-query \-data design1.txt \-no_nonce \e +\& \-out design1.tsq +.Ve +.PP +To create a similar time stamp request with specifying the message imprint +explicitly: +.PP +.Vb 2 +\& openssl ts \-query \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e +\& \-no_nonce \-out design1.tsq +.Ve +.PP +To print the content of the previous request in human readable format: +.PP +.Vb 1 +\& openssl ts \-query \-in design1.tsq \-text +.Ve +.PP +To create a time stamp request which includes the \s-1MD\-5\s0 digest +of design2.txt, requests the signer certificate and nonce, +specifies a policy id (assuming the tsa_policy1 name is defined in the +\&\s-1OID\s0 section of the config file): +.PP +.Vb 2 +\& openssl ts \-query \-data design2.txt \-md5 \e +\& \-tspolicy tsa_policy1 \-cert \-out design2.tsq +.Ve +.SS "Time Stamp Response" +.IX Subsection "Time Stamp Response" +Before generating a response a signing certificate must be created for +the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage extension +without any other key usage extensions. You can add this line to the +user certificate section of the config file to generate a proper certificate; +.PP +.Vb 1 +\& extendedKeyUsage = critical,timeStamping +.Ve +.PP +See \fIreq\fR\|(1), \fIca\fR\|(1), and \fIx509\fR\|(1) for instructions. The examples +below assume that cacert.pem contains the certificate of the \s-1CA,\s0 +tsacert.pem is the signing certificate issued by cacert.pem and +tsakey.pem is the private key of the \s-1TSA.\s0 +.PP +To create a time stamp response for a request: +.PP +.Vb 2 +\& openssl ts \-reply \-queryfile design1.tsq \-inkey tsakey.pem \e +\& \-signer tsacert.pem \-out design1.tsr +.Ve +.PP +If you want to use the settings in the config file you could just write: +.PP +.Vb 1 +\& openssl ts \-reply \-queryfile design1.tsq \-out design1.tsr +.Ve +.PP +To print a time stamp reply to stdout in human readable format: +.PP +.Vb 1 +\& openssl ts \-reply \-in design1.tsr \-text +.Ve +.PP +To create a time stamp token instead of time stamp response: +.PP +.Vb 1 +\& openssl ts \-reply \-queryfile design1.tsq \-out design1_token.der \-token_out +.Ve +.PP +To print a time stamp token to stdout in human readable format: +.PP +.Vb 1 +\& openssl ts \-reply \-in design1_token.der \-token_in \-text \-token_out +.Ve +.PP +To extract the time stamp token from a response: +.PP +.Vb 1 +\& openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out +.Ve +.PP +To add 'granted' status info to a time stamp token thereby creating a +valid response: +.PP +.Vb 1 +\& openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr +.Ve +.SS "Time Stamp Verification" +.IX Subsection "Time Stamp Verification" +To verify a time stamp reply against a request: +.PP +.Vb 2 +\& openssl ts \-verify \-queryfile design1.tsq \-in design1.tsr \e +\& \-CAfile cacert.pem \-untrusted tsacert.pem +.Ve +.PP +To verify a time stamp reply that includes the certificate chain: +.PP +.Vb 2 +\& openssl ts \-verify \-queryfile design2.tsq \-in design2.tsr \e +\& \-CAfile cacert.pem +.Ve +.PP +To verify a time stamp token against the original data file: + openssl ts \-verify \-data design2.txt \-in design2.tsr \e + \-CAfile cacert.pem +.PP +To verify a time stamp token against a message imprint: + openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e + \-in design2.tsr \-CAfile cacert.pem +.PP +You could also look at the 'test' directory for more examples. +.SH "BUGS" +.IX Header "BUGS" +.IP "\(bu" 2 +No support for time stamps over \s-1SMTP,\s0 though it is quite easy +to implement an automatic e\-mail based \s-1TSA\s0 with \fIprocmail\fR\|(1) +and \fIperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of +a separate apache module. \s-1HTTP\s0 client support is provided by +\&\fItsget\fR\|(1). Pure \s-1TCP/IP\s0 protocol is not supported. +.IP "\(bu" 2 +The file containing the last serial number of the \s-1TSA\s0 is not +locked when being read or written. This is a problem if more than one +instance of \fIopenssl\fR\|(1) is trying to create a time stamp +response at the same time. This is not an issue when using the apache +server module, it does proper locking. +.IP "\(bu" 2 +Look for the \s-1FIXME\s0 word in the source files. +.IP "\(bu" 2 +The source code should really be reviewed by somebody else, too. +.IP "\(bu" 2 +More testing is needed, I have done only some basic tests (see +test/testtsa). +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fItsget\fR\|(1), \fIopenssl\fR\|(1), \fIreq\fR\|(1), +\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIconfig\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1 new file mode 100644 index 000000000000..9dc722411cb0 --- /dev/null +++ b/secure/usr.bin/openssl/man/tsget.1 @@ -0,0 +1,321 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "TSGET 1" +.TH TSGET 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-tsget, tsget \- Time Stamping HTTP/HTTPS client +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBtsget\fR +\&\fB\-h\fR server_url +[\fB\-e\fR extension] +[\fB\-o\fR output] +[\fB\-v\fR] +[\fB\-d\fR] +[\fB\-k\fR private_key.pem] +[\fB\-p\fR key_password] +[\fB\-c\fR client_cert.pem] +[\fB\-C\fR CA_certs.pem] +[\fB\-P\fR CA_path] +[\fB\-r\fR file:file...] +[\fB\-g\fR EGD_socket] +[request]... +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBtsget\fR command can be used for sending a time stamp request, as +specified in \fB\s-1RFC 3161\s0\fR, to a time stamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing +the time stamp response in a file. This tool cannot be used for creating the +requests and verifying responses, you can use the OpenSSL \fB\f(BIts\fB\|(1)\fR command to +do that. \fBtsget\fR can send several requests to the server without closing +the \s-1TCP\s0 connection if more than one requests are specified on the command +line. +.PP +The tool sends the following \s-1HTTP\s0 request for each time stamp request: +.PP +.Vb 7 +\& POST url HTTP/1.1 +\& User\-Agent: OpenTSA tsget.pl/<version> +\& Host: <host>:<port> +\& Pragma: no\-cache +\& Content\-Type: application/timestamp\-query +\& Accept: application/timestamp\-reply +\& Content\-Length: length of body +\& +\& ...binary request specified by the user... +.Ve +.PP +\&\fBtsget\fR expects a response of type application/timestamp\-reply, which is +written to a file without any interpretation. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-h\fR server_url" 4 +.IX Item "-h server_url" +The \s-1URL\s0 of the \s-1HTTP/HTTPS\s0 server listening for time stamp requests. +.IP "\fB\-e\fR extension" 4 +.IX Item "-e extension" +If the \fB\-o\fR option is not given this argument specifies the extension of the +output files. The base name of the output file will be the same as those of +the input files. Default extension is '.tsr'. (Optional) +.IP "\fB\-o\fR output" 4 +.IX Item "-o output" +This option can be specified only when just one request is sent to the +server. The time stamp response will be written to the given output file. '\-' +means standard output. In case of multiple time stamp requests or the absence +of this argument the names of the output files will be derived from the names +of the input files and the default or specified extension argument. (Optional) +.IP "\fB\-v\fR" 4 +.IX Item "-v" +The name of the currently processed request is printed on standard +error. (Optional) +.IP "\fB\-d\fR" 4 +.IX Item "-d" +Switches on verbose mode for the underlying \fBcurl\fR library. You can see +detailed debug messages for the connection. (Optional) +.IP "\fB\-k\fR private_key.pem" 4 +.IX Item "-k private_key.pem" +(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0 +<private_key.pem> must contain the private key of the user. The private key +file can optionally be protected by a passphrase. The \fB\-c\fR option must also +be specified. (Optional) +.IP "\fB\-p\fR key_password" 4 +.IX Item "-p key_password" +(\s-1HTTPS\s0) Specifies the passphrase for the private key specified by the \fB\-k\fR +argument. If this option is omitted and the key is passphrase protected \fBtsget\fR +will ask for it. (Optional) +.IP "\fB\-c\fR client_cert.pem" 4 +.IX Item "-c client_cert.pem" +(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0 +<client_cert.pem> must contain the X.509 certificate of the user. The \fB\-k\fR +option must also be specified. If this option is not specified no +certificate-based client authentication will take place. (Optional) +.IP "\fB\-C\fR CA_certs.pem" 4 +.IX Item "-C CA_certs.pem" +(\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's +certificate must include one of the \s-1CA\s0 certificates specified in this file. +Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS.\s0 (Optional) +.IP "\fB\-P\fR CA_path" 4 +.IX Item "-P CA_path" +(\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's +certificate. The directory must be prepared with the \fBc_rehash\fR +OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of +\&\s-1HTTPS.\s0 (Optional) +.IP "\fB\-rand\fR file:file..." 4 +.IX Item "-rand file:file..." +The files containing random data for seeding the random number +generator. Multiple files can be specified, the separator is \fB;\fR for +MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional) +.IP "\fB\-g\fR EGD_socket" 4 +.IX Item "-g EGD_socket" +The name of an \s-1EGD\s0 socket to get random data from. (Optional) +.IP "[request]..." 4 +.IX Item "[request]..." +List of files containing \fB\s-1RFC 3161\s0\fR DER-encoded time stamp requests. If no +requests are specified only one request will be sent to the server and it will be +read from the standard input. (Optional) +.SH "ENVIRONMENT VARIABLES" +.IX Header "ENVIRONMENT VARIABLES" +The \fB\s-1TSGET\s0\fR environment variable can optionally contain default +arguments. The content of this variable is added to the list of command line +arguments. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +The examples below presume that \fBfile1.tsq\fR and \fBfile2.tsq\fR contain valid +time stamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 requests +and at port 8443 for \s-1HTTPS\s0 requests, the \s-1TSA\s0 service is available at the /tsa +absolute path. +.PP +Get a time stamp response for file1.tsq over \s-1HTTP,\s0 output is written to +file1.tsr: +.PP +.Vb 1 +\& tsget \-h http://tsa.opentsa.org:8080/tsa file1.tsq +.Ve +.PP +Get a time stamp response for file1.tsq and file2.tsq over \s-1HTTP\s0 showing +progress, output is written to file1.reply and file2.reply respectively: +.PP +.Vb 2 +\& tsget \-h http://tsa.opentsa.org:8080/tsa \-v \-e .reply \e +\& file1.tsq file2.tsq +.Ve +.PP +Create a time stamp request, write it to file3.tsq, send it to the server and +write the response to file3.tsr: +.PP +.Vb 3 +\& openssl ts \-query \-data file3.txt \-cert | tee file3.tsq \e +\& | tsget \-h http://tsa.opentsa.org:8080/tsa \e +\& \-o file3.tsr +.Ve +.PP +Get a time stamp response for file1.tsq over \s-1HTTPS\s0 without client +authentication: +.PP +.Vb 2 +\& tsget \-h https://tsa.opentsa.org:8443/tsa \e +\& \-C cacerts.pem file1.tsq +.Ve +.PP +Get a time stamp response for file1.tsq over \s-1HTTPS\s0 with certificate-based +client authentication (it will ask for the passphrase if client_key.pem is +protected): +.PP +.Vb 2 +\& tsget \-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e +\& \-k client_key.pem \-c client_cert.pem file1.tsq +.Ve +.PP +You can shorten the previous command line if you make use of the \fB\s-1TSGET\s0\fR +environment variable. The following commands do the same as the previous +example: +.PP +.Vb 4 +\& TSGET=\*(Aq\-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e +\& \-k client_key.pem \-c client_cert.pem\*(Aq +\& export TSGET +\& tsget file1.tsq +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIopenssl\fR\|(1), \fIts\fR\|(1), \fIcurl\fR\|(1), +\&\fB\s-1RFC 3161\s0\fR +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1 new file mode 100644 index 000000000000..92d18ae51430 --- /dev/null +++ b/secure/usr.bin/openssl/man/verify.1 @@ -0,0 +1,776 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "VERIFY 1" +.TH VERIFY 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-verify, verify \- Utility to verify certificates +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBverify\fR +[\fB\-help\fR] +[\fB\-CAfile file\fR] +[\fB\-CApath directory\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-allow_proxy_certs\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-CRLfile file\fR] +[\fB\-crl_download\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-engine id\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-nameopt option\fR] +[\fB\-no_check_time\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] +[\fB\-no_alt_chains\fR] +[\fB\-untrusted file\fR] +[\fB\-trusted file\fR] +[\fB\-use_deltas\fR] +[\fB\-verbose\fR] +[\fB\-auth_level level\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-x509_strict\fR] +[\fB\-show_chain\fR] +[\fB\-\fR] +[certificates] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBverify\fR command verifies certificate chains. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A \fBfile\fR of trusted certificates. +The file should contain one or more certificates in \s-1PEM\s0 format. +.IP "\fB\-CApath directory\fR" 4 +.IX Item "-CApath directory" +A directory of trusted certificates. The certificates should have names +of the form: hash.0 or have symbolic links to them of this +form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option +of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically +create symbolic links to a directory of certificates. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location. +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location. +.IP "\fB\-allow_proxy_certs\fR" 4 +.IX Item "-allow_proxy_certs" +Allow the verification of proxy certificates. +.IP "\fB\-attime timestamp\fR" 4 +.IX Item "-attime timestamp" +Perform validation checks using time specified by \fBtimestamp\fR and not +current system time. \fBtimestamp\fR is the number of seconds since +01.01.1970 (\s-1UNIX\s0 time). +.IP "\fB\-check_ss_sig\fR" 4 +.IX Item "-check_ss_sig" +Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default +because it doesn't add any security. +.IP "\fB\-CRLfile file\fR" 4 +.IX Item "-CRLfile file" +The \fBfile\fR should contain one or more CRLs in \s-1PEM\s0 format. +This option can be specified more than once to include CRLs from multiple +\&\fBfiles\fR. +.IP "\fB\-crl_download\fR" 4 +.IX Item "-crl_download" +Attempt to download \s-1CRL\s0 information for this certificate. +.IP "\fB\-crl_check\fR" 4 +.IX Item "-crl_check" +Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0 +If a valid \s-1CRL\s0 cannot be found an error occurs. +.IP "\fB\-crl_check_all\fR" 4 +.IX Item "-crl_check_all" +Checks the validity of \fBall\fR certificates in the chain by attempting +to look up valid CRLs. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine \fBid\fR will cause \fIverify\fR\|(1) to attempt to load the +specified engine. +The engine will then be set as the default for all its supported algorithms. +If you want to load certificates or CRLs that require engine support via any of +the \fB\-trusted\fR, \fB\-untrusted\fR or \fB\-CRLfile\fR options, the \fB\-engine\fR option +must be specified before those options. +.IP "\fB\-explicit_policy\fR" 4 +.IX Item "-explicit_policy" +Set policy variable require-explicit-policy (see \s-1RFC5280\s0). +.IP "\fB\-extended_crl\fR" 4 +.IX Item "-extended_crl" +Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0 +signing keys. +.IP "\fB\-ignore_critical\fR" 4 +.IX Item "-ignore_critical" +Normally if an unhandled critical extension is present which is not +supported by OpenSSL the certificate is rejected (as required by \s-1RFC5280\s0). +If this option is set critical extensions are ignored. +.IP "\fB\-inhibit_any\fR" 4 +.IX Item "-inhibit_any" +Set policy variable inhibit-any-policy (see \s-1RFC5280\s0). +.IP "\fB\-inhibit_map\fR" 4 +.IX Item "-inhibit_map" +Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0). +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. +.IP "\fB\-no_check_time\fR" 4 +.IX Item "-no_check_time" +This option suppresses checking the validity period of certificates and CRLs +against the current time. If option \fB\-attime timestamp\fR is used to specify +a verification time, the check is not suppressed. +.IP "\fB\-partial_chain\fR" 4 +.IX Item "-partial_chain" +Allow verification to succeed even if a \fIcomplete\fR chain cannot be built to a +self-signed trust-anchor, provided it is possible to construct a chain to a +trusted certificate that might not be self-signed. +.IP "\fB\-policy arg\fR" 4 +.IX Item "-policy arg" +Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see +\&\s-1RFC5280\s0). The policy \fBarg\fR can be an object name an \s-1OID\s0 in numeric form. +This argument can appear more than once. +.IP "\fB\-policy_check\fR" 4 +.IX Item "-policy_check" +Enables certificate policy processing. +.IP "\fB\-policy_print\fR" 4 +.IX Item "-policy_print" +Print out diagnostics related to policy processing. +.IP "\fB\-purpose purpose\fR" 4 +.IX Item "-purpose purpose" +The intended use for the certificate. If this option is not specified, +\&\fBverify\fR will not consider certificate purpose during chain verification. +Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR, +\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more +information. +.IP "\fB\-suiteB_128_only\fR, \fB\-suiteB_128\fR, \fB\-suiteB_192\fR" 4 +.IX Item "-suiteB_128_only, -suiteB_128, -suiteB_192" +Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or +192 bit, or only 192 bit Level of Security respectively. +See \s-1RFC6460\s0 for details. In particular the supported signature algorithms are +reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384\s0 and only the elliptic curves +P\-256 and P\-384. +.IP "\fB\-trusted_first\fR" 4 +.IX Item "-trusted_first" +When constructing the certificate chain, use the trusted certificates specified +via \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-trusted\fR before any certificates specified via +\&\fB\-untrusted\fR. +This can be useful in environments with Bridge or Cross-Certified CAs. +As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. +.IP "\fB\-no_alt_chains\fR" 4 +.IX Item "-no_alt_chains" +By default, unless \fB\-trusted_first\fR is specified, when building a certificate +chain, if the first certificate chain found is not trusted, then OpenSSL will +attempt to replace untrusted issuer certificates with certificates from the +trust store to see if an alternative chain can be found that is trusted. +As of OpenSSL 1.1.0, with \fB\-trusted_first\fR always on, this option has no +effect. +.IP "\fB\-untrusted file\fR" 4 +.IX Item "-untrusted file" +A \fBfile\fR of additional untrusted certificates (intermediate issuer CAs) used +to construct a certificate chain from the subject certificate to a trust-anchor. +The \fBfile\fR should contain one or more certificates in \s-1PEM\s0 format. +This option can be specified more than once to include untrusted certificates +from multiple \fBfiles\fR. +.IP "\fB\-trusted file\fR" 4 +.IX Item "-trusted file" +A \fBfile\fR of trusted certificates, which must be self-signed, unless the +\&\fB\-partial_chain\fR option is specified. +The \fBfile\fR contains one or more certificates in \s-1PEM\s0 format. +With this option, no additional (e.g., default) certificate lists are +consulted. +That is, the only trust-anchors are those listed in \fBfile\fR. +This option can be specified more than once to include trusted certificates +from multiple \fBfiles\fR. +This option implies the \fB\-no\-CAfile\fR and \fB\-no\-CApath\fR options. +This option cannot be used in combination with either of the \fB\-CAfile\fR or +\&\fB\-CApath\fR options. +.IP "\fB\-use_deltas\fR" 4 +.IX Item "-use_deltas" +Enable support for delta CRLs. +.IP "\fB\-verbose\fR" 4 +.IX Item "-verbose" +Print extra information about the operations being performed. +.IP "\fB\-auth_level level\fR" 4 +.IX Item "-auth_level level" +Set the certificate chain authentication security level to \fBlevel\fR. +The authentication security level determines the acceptable signature and +public key strength when verifying certificate chains. +For a certificate chain to validate, the public keys of all the certificates +must meet the specified security \fBlevel\fR. +The signature algorithm security level is enforced for all the certificates in +the chain except for the chain's \fItrust anchor\fR, which is either directly +trusted or validated by means other than its signature. +See \fISSL_CTX_set_security_level\fR\|(3) for the definitions of the available +levels. +The default security level is \-1, or \*(L"not set\*(R". +At security level 0 or lower all algorithms are acceptable. +Security level 1 requires at least 80\-bit\-equivalent security and is broadly +interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0 keys +shorter than 1024 bits. +.IP "\fB\-verify_depth num\fR" 4 +.IX Item "-verify_depth num" +Limit the certificate chain to \fBnum\fR intermediate \s-1CA\s0 certificates. +A maximal depth chain can have up to \fBnum+2\fR certificates, since neither the +end-entity certificate nor the trust-anchor certificate count against the +\&\fB\-verify_depth\fR limit. +.IP "\fB\-verify_email email\fR" 4 +.IX Item "-verify_email email" +Verify if the \fBemail\fR matches the email address in Subject Alternative Name or +the email in the subject Distinguished Name. +.IP "\fB\-verify_hostname hostname\fR" 4 +.IX Item "-verify_hostname hostname" +Verify if the \fBhostname\fR matches \s-1DNS\s0 name in Subject Alternative Name or +Common Name in the subject certificate. +.IP "\fB\-verify_ip ip\fR" 4 +.IX Item "-verify_ip ip" +Verify if the \fBip\fR matches the \s-1IP\s0 address in Subject Alternative Name of +the subject certificate. +.IP "\fB\-verify_name name\fR" 4 +.IX Item "-verify_name name" +Use default verification policies like trust model and required certificate +policies identified by \fBname\fR. +The trust model determines which auxiliary trust or reject OIDs are applicable +to verifying the given certificate chain. +See the \fB\-addtrust\fR and \fB\-addreject\fR options of the \fIx509\fR\|(1) command-line +utility. +Supported policy names include: \fBdefault\fR, \fBpkcs7\fR, \fBsmime_sign\fR, +\&\fBssl_client\fR, \fBssl_server\fR. +These mimics the combinations of purpose and trust settings used in \s-1SSL, CMS\s0 +and S/MIME. +As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not +specified, so the \fB\-verify_name\fR options are functionally equivalent to the +corresponding \fB\-purpose\fR settings. +.IP "\fB\-x509_strict\fR" 4 +.IX Item "-x509_strict" +For strict X.509 compliance, disable non-compliant workarounds for broken +certificates. +.IP "\fB\-show_chain\fR" 4 +.IX Item "-show_chain" +Display information about the certificate chain that has been built (if +successful). Certificates in the chain that came from the untrusted list will be +flagged as \*(L"untrusted\*(R". +.IP "\fB\-\fR" 4 +.IX Item "-" +Indicates the last option. All arguments following this are assumed to be +certificate files. This is useful if the first certificate filename begins +with a \fB\-\fR. +.IP "\fBcertificates\fR" 4 +.IX Item "certificates" +One or more certificates to verify. If no certificates are given, \fBverify\fR +will attempt to read a certificate from standard input. Certificates must be +in \s-1PEM\s0 format. +.SH "VERIFY OPERATION" +.IX Header "VERIFY OPERATION" +The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME +verification, therefore this description applies to these verify operations +too. +.PP +There is one crucial difference between the verify operations performed +by the \fBverify\fR program: wherever possible an attempt is made to continue +after an error whereas normally the verify operation would halt on the +first error. This allows all the problems with a certificate chain to be +determined. +.PP +The verify operation consists of a number of separate steps. +.PP +Firstly a certificate chain is built up starting from the supplied certificate +and ending in the root \s-1CA.\s0 +It is an error if the whole chain cannot be built up. +The chain is built up by looking up the issuers certificate of the current +certificate. +If a certificate is found which is its own issuer it is assumed to be the root +\&\s-1CA.\s0 +.PP +The process of 'looking up the issuers certificate' itself involves a number of +steps. +After all certificates whose subject name matches the issuer name of the current +certificate are subject to further tests. +The relevant authority key identifier components of the current certificate (if +present) must match the subject key identifier (if present) and issuer and +serial number of the candidate issuer, in addition the keyUsage extension of +the candidate issuer (if present) must permit certificate signing. +.PP +The lookup first looks in the list of untrusted certificates and if no match +is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0 +is always looked up in the trusted certificate list: if the certificate to +verify is a root certificate then an exact match must be found in the trusted +list. +.PP +The second operation is to check every untrusted certificate's extensions for +consistency with the supplied purpose. If the \fB\-purpose\fR option is not included +then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions +compatible with the supplied purpose and all other certificates must also be valid +\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in +the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section of the \fBx509\fR utility. +.PP +The third operation is to check the trust settings on the root \s-1CA.\s0 The root \s-1CA\s0 +should be trusted for the supplied purpose. +For compatibility with previous versions of OpenSSL, a certificate with no +trust settings is considered to be valid for all purposes. +.PP +The final operation is to check the validity of the certificate chain. The validity +period is checked against the current system time and the notBefore and notAfter +dates in the certificate. The certificate signatures are also checked at this +point. +.PP +If all operations complete successfully then certificate is considered valid. If +any operation fails then the certificate is not valid. +.SH "DIAGNOSTICS" +.IX Header "DIAGNOSTICS" +When a verify operation fails the output messages can be somewhat cryptic. The +general form of the error message is: +.PP +.Vb 2 +\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) +\& error 24 at 1 depth lookup:invalid CA certificate +.Ve +.PP +The first line contains the name of the certificate being verified followed by +the subject name of the certificate. The second line contains the error number +and the depth. The depth is number of the certificate being verified when a +problem was detected starting with zero for the certificate being verified itself +then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version +of the error number is presented. +.PP +A partial list of the error codes and messages is shown below, this also +includes the name of the error code as defined in the header file x509_vfy.h +Some of the error codes are defined but never returned: these are described +as \*(L"unused\*(R". +.IP "\fBX509_V_OK\fR" 4 +.IX Item "X509_V_OK" +The operation was successful. +.IP "\fBX509_V_ERR_UNSPECIFIED\fR" 4 +.IX Item "X509_V_ERR_UNSPECIFIED" +Unspecified error; should not happen. +.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT" +The issuer certificate of a looked up certificate could not be found. This +normally means the list of trusted certificates is not complete. +.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL" +The \s-1CRL\s0 of a certificate could not be found. +.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE" +The certificate signature could not be decrypted. This means that the +actual signature value could not be determined rather than it not matching +the expected value, this is only meaningful for \s-1RSA\s0 keys. +.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE" +The \s-1CRL\s0 signature could not be decrypted: this means that the actual +signature value could not be determined rather than it not matching the +expected value. Unused. +.IP "\fBX509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY" +The public key in the certificate SubjectPublicKeyInfo could not be read. +.IP "\fBX509_V_ERR_CERT_SIGNATURE_FAILURE\fR" 4 +.IX Item "X509_V_ERR_CERT_SIGNATURE_FAILURE" +The signature of the certificate is invalid. +.IP "\fBX509_V_ERR_CRL_SIGNATURE_FAILURE\fR" 4 +.IX Item "X509_V_ERR_CRL_SIGNATURE_FAILURE" +The signature of the certificate is invalid. +.IP "\fBX509_V_ERR_CERT_NOT_YET_VALID\fR" 4 +.IX Item "X509_V_ERR_CERT_NOT_YET_VALID" +The certificate is not yet valid: the notBefore date is after the +current time. +.IP "\fBX509_V_ERR_CERT_HAS_EXPIRED\fR" 4 +.IX Item "X509_V_ERR_CERT_HAS_EXPIRED" +The certificate has expired: that is the notAfter date is before the +current time. +.IP "\fBX509_V_ERR_CRL_NOT_YET_VALID\fR" 4 +.IX Item "X509_V_ERR_CRL_NOT_YET_VALID" +The \s-1CRL\s0 is not yet valid. +.IP "\fBX509_V_ERR_CRL_HAS_EXPIRED\fR" 4 +.IX Item "X509_V_ERR_CRL_HAS_EXPIRED" +The \s-1CRL\s0 has expired. +.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD\fR" 4 +.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD" +The certificate notBefore field contains an invalid time. +.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD\fR" 4 +.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD" +The certificate notAfter field contains an invalid time. +.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD\fR" 4 +.IX Item "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD" +The \s-1CRL\s0 lastUpdate field contains an invalid time. +.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD\fR" 4 +.IX Item "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD" +The \s-1CRL\s0 nextUpdate field contains an invalid time. +.IP "\fBX509_V_ERR_OUT_OF_MEM\fR" 4 +.IX Item "X509_V_ERR_OUT_OF_MEM" +An error occurred trying to allocate memory. This should never happen. +.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\fR" 4 +.IX Item "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT" +The passed certificate is self-signed and the same certificate cannot +be found in the list of trusted certificates. +.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN\fR" 4 +.IX Item "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN" +The certificate chain could be built up using the untrusted certificates +but the root could not be found locally. +.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" +The issuer certificate could not be found: this occurs if the issuer +certificate of an untrusted certificate cannot be found. +.IP "\fBX509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" +No signatures could be verified because the chain contains only one +certificate and it is not self signed. +.IP "\fBX509_V_ERR_CERT_CHAIN_TOO_LONG\fR" 4 +.IX Item "X509_V_ERR_CERT_CHAIN_TOO_LONG" +The certificate chain length is greater than the supplied maximum +depth. Unused. +.IP "\fBX509_V_ERR_CERT_REVOKED\fR" 4 +.IX Item "X509_V_ERR_CERT_REVOKED" +The certificate has been revoked. +.IP "\fBX509_V_ERR_INVALID_CA\fR" 4 +.IX Item "X509_V_ERR_INVALID_CA" +A \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions +are not consistent with the supplied purpose. +.IP "\fBX509_V_ERR_PATH_LENGTH_EXCEEDED\fR" 4 +.IX Item "X509_V_ERR_PATH_LENGTH_EXCEEDED" +The basicConstraints pathlength parameter has been exceeded. +.IP "\fBX509_V_ERR_INVALID_PURPOSE\fR" 4 +.IX Item "X509_V_ERR_INVALID_PURPOSE" +The supplied certificate cannot be used for the specified purpose. +.IP "\fBX509_V_ERR_CERT_UNTRUSTED\fR" 4 +.IX Item "X509_V_ERR_CERT_UNTRUSTED" +The root \s-1CA\s0 is not marked as trusted for the specified purpose. +.IP "\fBX509_V_ERR_CERT_REJECTED\fR" 4 +.IX Item "X509_V_ERR_CERT_REJECTED" +The root \s-1CA\s0 is marked to reject the specified purpose. +.IP "\fBX509_V_ERR_SUBJECT_ISSUER_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_SUBJECT_ISSUER_MISMATCH" +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +\&\fB\-issuer_checks\fR option. +.IP "\fBX509_V_ERR_AKID_SKID_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_AKID_SKID_MISMATCH" +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +\&\fB\-issuer_checks\fR option. +.IP "\fBX509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH" +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +\&\fB\-issuer_checks\fR option. +.IP "\fBX509_V_ERR_KEYUSAGE_NO_CERTSIGN\fR" 4 +.IX Item "X509_V_ERR_KEYUSAGE_NO_CERTSIGN" +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +\&\fB\-issuer_checks\fR option. +.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL_ISSUER\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER" +Unable to get \s-1CRL\s0 issuer certificate. +.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_EXTENSION\fR" 4 +.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION" +Unhandled critical extension. +.IP "\fBX509_V_ERR_KEYUSAGE_NO_CRL_SIGN\fR" 4 +.IX Item "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN" +Key usage does not include \s-1CRL\s0 signing. +.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION\fR" 4 +.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION" +Unhandled critical \s-1CRL\s0 extension. +.IP "\fBX509_V_ERR_INVALID_NON_CA\fR" 4 +.IX Item "X509_V_ERR_INVALID_NON_CA" +Invalid non-CA certificate has \s-1CA\s0 markings. +.IP "\fBX509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED\fR" 4 +.IX Item "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED" +Proxy path length constraint exceeded. +.IP "\fBX509_V_ERR_PROXY_SUBJECT_INVALID\fR" 4 +.IX Item "X509_V_ERR_PROXY_SUBJECT_INVALID" +Proxy certificate subject is invalid. It \s-1MUST\s0 be the same as the issuer +with a single \s-1CN\s0 component added. +.IP "\fBX509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE\fR" 4 +.IX Item "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE" +Key usage does not include digital signature. +.IP "\fBX509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED\fR" 4 +.IX Item "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED" +Proxy certificates not allowed, please use \fB\-allow_proxy_certs\fR. +.IP "\fBX509_V_ERR_INVALID_EXTENSION\fR" 4 +.IX Item "X509_V_ERR_INVALID_EXTENSION" +Invalid or inconsistent certificate extension. +.IP "\fBX509_V_ERR_INVALID_POLICY_EXTENSION\fR" 4 +.IX Item "X509_V_ERR_INVALID_POLICY_EXTENSION" +Invalid or inconsistent certificate policy extension. +.IP "\fBX509_V_ERR_NO_EXPLICIT_POLICY\fR" 4 +.IX Item "X509_V_ERR_NO_EXPLICIT_POLICY" +No explicit policy. +.IP "\fBX509_V_ERR_DIFFERENT_CRL_SCOPE\fR" 4 +.IX Item "X509_V_ERR_DIFFERENT_CRL_SCOPE" +Different \s-1CRL\s0 scope. +.IP "\fBX509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE\fR" 4 +.IX Item "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE" +Unsupported extension feature. +.IP "\fBX509_V_ERR_UNNESTED_RESOURCE\fR" 4 +.IX Item "X509_V_ERR_UNNESTED_RESOURCE" +\&\s-1RFC 3779\s0 resource not subset of parent's resources. +.IP "\fBX509_V_ERR_PERMITTED_VIOLATION\fR" 4 +.IX Item "X509_V_ERR_PERMITTED_VIOLATION" +Permitted subtree violation. +.IP "\fBX509_V_ERR_EXCLUDED_VIOLATION\fR" 4 +.IX Item "X509_V_ERR_EXCLUDED_VIOLATION" +Excluded subtree violation. +.IP "\fBX509_V_ERR_SUBTREE_MINMAX\fR" 4 +.IX Item "X509_V_ERR_SUBTREE_MINMAX" +Name constraints minimum and maximum not supported. +.IP "\fBX509_V_ERR_APPLICATION_VERIFICATION\fR" 4 +.IX Item "X509_V_ERR_APPLICATION_VERIFICATION" +Application verification failure. Unused. +.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE\fR" 4 +.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE" +Unsupported name constraint type. +.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX\fR" 4 +.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX" +Unsupported or invalid name constraint syntax. +.IP "\fBX509_V_ERR_UNSUPPORTED_NAME_SYNTAX\fR" 4 +.IX Item "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX" +Unsupported or invalid name syntax. +.IP "\fBX509_V_ERR_CRL_PATH_VALIDATION_ERROR\fR" 4 +.IX Item "X509_V_ERR_CRL_PATH_VALIDATION_ERROR" +\&\s-1CRL\s0 path validation error. +.IP "\fBX509_V_ERR_PATH_LOOP\fR" 4 +.IX Item "X509_V_ERR_PATH_LOOP" +Path loop. +.IP "\fBX509_V_ERR_SUITE_B_INVALID_VERSION\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_INVALID_VERSION" +Suite B: certificate version invalid. +.IP "\fBX509_V_ERR_SUITE_B_INVALID_ALGORITHM\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_INVALID_ALGORITHM" +Suite B: invalid public key algorithm. +.IP "\fBX509_V_ERR_SUITE_B_INVALID_CURVE\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_INVALID_CURVE" +Suite B: invalid \s-1ECC\s0 curve. +.IP "\fBX509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM" +Suite B: invalid signature algorithm. +.IP "\fBX509_V_ERR_SUITE_B_LOS_NOT_ALLOWED\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED" +Suite B: curve not allowed for this \s-1LOS.\s0 +.IP "\fBX509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256" +Suite B: cannot sign P\-384 with P\-256. +.IP "\fBX509_V_ERR_HOSTNAME_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_HOSTNAME_MISMATCH" +Hostname mismatch. +.IP "\fBX509_V_ERR_EMAIL_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_EMAIL_MISMATCH" +Email address mismatch. +.IP "\fBX509_V_ERR_IP_ADDRESS_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_IP_ADDRESS_MISMATCH" +\&\s-1IP\s0 address mismatch. +.IP "\fBX509_V_ERR_DANE_NO_MATCH\fR" 4 +.IX Item "X509_V_ERR_DANE_NO_MATCH" +\&\s-1DANE TLSA\s0 authentication is enabled, but no \s-1TLSA\s0 records matched the +certificate chain. +This error is only possible in \fIs_client\fR\|(1). +.IP "\fBX509_V_ERR_EE_KEY_TOO_SMALL\fR" 4 +.IX Item "X509_V_ERR_EE_KEY_TOO_SMALL" +\&\s-1EE\s0 certificate key too weak. +.IP "\fBX509_ERR_CA_KEY_TOO_SMALL\fR" 4 +.IX Item "X509_ERR_CA_KEY_TOO_SMALL" +\&\s-1CA\s0 certificate key too weak. +.IP "\fBX509_ERR_CA_MD_TOO_WEAK\fR" 4 +.IX Item "X509_ERR_CA_MD_TOO_WEAK" +\&\s-1CA\s0 signature digest algorithm too weak. +.IP "\fBX509_V_ERR_INVALID_CALL\fR" 4 +.IX Item "X509_V_ERR_INVALID_CALL" +nvalid certificate verification context. +.IP "\fBX509_V_ERR_STORE_LOOKUP\fR" 4 +.IX Item "X509_V_ERR_STORE_LOOKUP" +Issuer certificate lookup error. +.IP "\fBX509_V_ERR_NO_VALID_SCTS\fR" 4 +.IX Item "X509_V_ERR_NO_VALID_SCTS" +Certificate Transparency required, but no valid SCTs found. +.IP "\fBX509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION\fR" 4 +.IX Item "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION" +Proxy subject name violation. +.IP "\fBX509_V_ERR_OCSP_VERIFY_NEEDED\fR" 4 +.IX Item "X509_V_ERR_OCSP_VERIFY_NEEDED" +Returned by the verify callback to indicate an \s-1OCSP\s0 verification is needed. +.IP "\fBX509_V_ERR_OCSP_VERIFY_FAILED\fR" 4 +.IX Item "X509_V_ERR_OCSP_VERIFY_FAILED" +Returned by the verify callback to indicate \s-1OCSP\s0 verification failed. +.IP "\fBX509_V_ERR_OCSP_CERT_UNKNOWN\fR" 4 +.IX Item "X509_V_ERR_OCSP_CERT_UNKNOWN" +Returned by the verify callback to indicate that the certificate is not recognized +by the \s-1OCSP\s0 responder. +.SH "BUGS" +.IX Header "BUGS" +Although the issuer checks are a considerable improvement over the old +technique they still suffer from limitations in the underlying X509_LOOKUP +\&\s-1API.\s0 One consequence of this is that trusted certificates with matching +subject name must either appear in a file (as specified by the \fB\-CAfile\fR +option) or a directory (as specified by \fB\-CApath\fR). If they occur in +both then only the certificates in the file will be recognised. +.PP +Previous versions of OpenSSL assume certificates with matching subject +name are identical and mishandled them. +.PP +Previous versions of this documentation swapped the meaning of the +\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR and +\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR error codes. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIx509\fR\|(1) +.SH "HISTORY" +.IX Header "HISTORY" +The \fB\-show_chain\fR option was first added to OpenSSL 1.1.0. +.PP +The \fB\-issuer_checks\fR option is deprecated as of OpenSSL 1.1.0 and +is silently ignored. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1 new file mode 100644 index 000000000000..7b4cb41e3701 --- /dev/null +++ b/secure/usr.bin/openssl/man/version.1 @@ -0,0 +1,194 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "VERSION 1" +.TH VERSION 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-version, version \- print OpenSSL version information +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl version\fR +[\fB\-help\fR] +[\fB\-a\fR] +[\fB\-v\fR] +[\fB\-b\fR] +[\fB\-o\fR] +[\fB\-f\fR] +[\fB\-p\fR] +[\fB\-d\fR] +[\fB\-e\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to print out version information about OpenSSL. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-a\fR" 4 +.IX Item "-a" +All information, this is the same as setting all the other flags. +.IP "\fB\-v\fR" 4 +.IX Item "-v" +The current OpenSSL version. +.IP "\fB\-b\fR" 4 +.IX Item "-b" +The date the current version of OpenSSL was built. +.IP "\fB\-o\fR" 4 +.IX Item "-o" +Option information: various options set when the library was built. +.IP "\fB\-f\fR" 4 +.IX Item "-f" +Compilation flags. +.IP "\fB\-p\fR" 4 +.IX Item "-p" +Platform setting. +.IP "\fB\-d\fR" 4 +.IX Item "-d" +\&\s-1OPENSSLDIR\s0 setting. +.IP "\fB\-e\fR" 4 +.IX Item "-e" +\&\s-1ENGINESDIR\s0 setting. +.SH "NOTES" +.IX Header "NOTES" +The output of \fBopenssl version \-a\fR would typically be used when sending +in a bug report. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1 new file mode 100644 index 000000000000..c7a8c229929f --- /dev/null +++ b/secure/usr.bin/openssl/man/x509.1 @@ -0,0 +1,945 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509 1" +.TH X509 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-x509, x509 \- Certificate display and signing utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBx509\fR +[\fB\-help\fR] +[\fB\-inform DER|PEM\fR] +[\fB\-outform DER|PEM\fR] +[\fB\-keyform DER|PEM\fR] +[\fB\-CAform DER|PEM\fR] +[\fB\-CAkeyform DER|PEM\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-serial\fR] +[\fB\-hash\fR] +[\fB\-subject_hash\fR] +[\fB\-issuer_hash\fR] +[\fB\-ocspid\fR] +[\fB\-subject\fR] +[\fB\-issuer\fR] +[\fB\-nameopt option\fR] +[\fB\-email\fR] +[\fB\-ocsp_uri\fR] +[\fB\-startdate\fR] +[\fB\-enddate\fR] +[\fB\-purpose\fR] +[\fB\-dates\fR] +[\fB\-checkend num\fR] +[\fB\-modulus\fR] +[\fB\-pubkey\fR] +[\fB\-fingerprint\fR] +[\fB\-alias\fR] +[\fB\-noout\fR] +[\fB\-trustout\fR] +[\fB\-clrtrust\fR] +[\fB\-clrreject\fR] +[\fB\-addtrust arg\fR] +[\fB\-addreject arg\fR] +[\fB\-setalias arg\fR] +[\fB\-days arg\fR] +[\fB\-set_serial n\fR] +[\fB\-signkey filename\fR] +[\fB\-passin arg\fR] +[\fB\-x509toreq\fR] +[\fB\-req\fR] +[\fB\-CA filename\fR] +[\fB\-CAkey filename\fR] +[\fB\-CAcreateserial\fR] +[\fB\-CAserial filename\fR] +[\fB\-force_pubkey key\fR] +[\fB\-text\fR] +[\fB\-ext extensions\fR] +[\fB\-certopt option\fR] +[\fB\-C\fR] +[\fB\-\f(BIdigest\fB\fR] +[\fB\-clrext\fR] +[\fB\-extfile filename\fR] +[\fB\-extensions section\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-engine id\fR] +[\fB\-preserve_dates\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBx509\fR command is a multi purpose certificate utility. It can be +used to display certificate information, convert certificates to +various forms, sign certificate requests like a \*(L"mini \s-1CA\*(R"\s0 or edit +certificate trust settings. +.PP +Since there are a large number of options they will split up into +various sections. +.SH "OPTIONS" +.IX Header "OPTIONS" +.SS "Input, Output, and General Purpose Options" +.IX Subsection "Input, Output, and General Purpose Options" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format normally the command will expect an X509 +certificate but this can change if other options such as \fB\-req\fR are +present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0 +is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines +added. The default format is \s-1PEM.\s0 +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a certificate from or standard input +if this option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write to or standard output by +default. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +The digest to use. +This affects any signing or display option that uses a message +digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. +Any digest supported by the OpenSSL \fBdgst\fR command can be used. +If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or +the default digest for the signing algorithm is used, typically \s-1SHA256.\s0 +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-preserve_dates\fR" 4 +.IX Item "-preserve_dates" +When signing a certificate, preserve the \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates instead +of adjusting them to current time and duration. Cannot be used with the \fB\-days\fR option. +.SS "Display Options" +.IX Subsection "Display Options" +Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options +but are described in the \fB\s-1TRUST SETTINGS\s0\fR section. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the certificate in text form. Full details are output including the +public key, signature algorithms, issuer and subject names, serial number +any extensions present and any trust settings. +.IP "\fB\-ext extensions\fR" 4 +.IX Item "-ext extensions" +Prints out the certificate extensions in text form. Extensions are specified +with a comma separated string, e.g., \*(L"subjectAltName,subjectKeyIdentifier\*(R". +See the \fIx509v3_config\fR\|(5) manual page for the extension names. +.IP "\fB\-certopt option\fR" 4 +.IX Item "-certopt option" +Customise the output format used with \fB\-text\fR. The \fBoption\fR argument +can be a single option or multiple options separated by commas. The +\&\fB\-certopt\fR switch may be also be used more than once to set multiple +options. See the \fB\s-1TEXT OPTIONS\s0\fR section for more information. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option prevents output of the encoded version of the request. +.IP "\fB\-pubkey\fR" 4 +.IX Item "-pubkey" +Outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format. +.IP "\fB\-modulus\fR" 4 +.IX Item "-modulus" +This option prints out the value of the modulus of the public key +contained in the certificate. +.IP "\fB\-serial\fR" 4 +.IX Item "-serial" +Outputs the certificate serial number. +.IP "\fB\-subject_hash\fR" 4 +.IX Item "-subject_hash" +Outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to +form an index to allow certificates in a directory to be looked up by subject +name. +.IP "\fB\-issuer_hash\fR" 4 +.IX Item "-issuer_hash" +Outputs the \*(L"hash\*(R" of the certificate issuer name. +.IP "\fB\-ocspid\fR" 4 +.IX Item "-ocspid" +Outputs the \s-1OCSP\s0 hash values for the subject name and public key. +.IP "\fB\-hash\fR" 4 +.IX Item "-hash" +Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons. +.IP "\fB\-subject_hash_old\fR" 4 +.IX Item "-subject_hash_old" +Outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm +as used by OpenSSL before version 1.0.0. +.IP "\fB\-issuer_hash_old\fR" 4 +.IX Item "-issuer_hash_old" +Outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm +as used by OpenSSL before version 1.0.0. +.IP "\fB\-subject\fR" 4 +.IX Item "-subject" +Outputs the subject name. +.IP "\fB\-issuer\fR" 4 +.IX Item "-issuer" +Outputs the issuer name. +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fB\s-1NAME OPTIONS\s0\fR section for more information. +.IP "\fB\-email\fR" 4 +.IX Item "-email" +Outputs the email address(es) if any. +.IP "\fB\-ocsp_uri\fR" 4 +.IX Item "-ocsp_uri" +Outputs the \s-1OCSP\s0 responder address(es) if any. +.IP "\fB\-startdate\fR" 4 +.IX Item "-startdate" +Prints out the start date of the certificate, that is the notBefore date. +.IP "\fB\-enddate\fR" 4 +.IX Item "-enddate" +Prints out the expiry date of the certificate, that is the notAfter date. +.IP "\fB\-dates\fR" 4 +.IX Item "-dates" +Prints out the start and expiry dates of a certificate. +.IP "\fB\-checkend arg\fR" 4 +.IX Item "-checkend arg" +Checks if the certificate expires within the next \fBarg\fR seconds and exits +non-zero if yes it will expire or zero if not. +.IP "\fB\-fingerprint\fR" 4 +.IX Item "-fingerprint" +Calculates and outputs the digest of the \s-1DER\s0 encoded version of the entire +certificate (see digest options). +This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message +digests, the fingerprint of a certificate is unique to that certificate and +two certificates with the same fingerprint can be considered to be the same. +.IP "\fB\-C\fR" 4 +.IX Item "-C" +This outputs the certificate in the form of a C source file. +.SS "Trust Settings" +.IX Subsection "Trust Settings" +A \fBtrusted certificate\fR is an ordinary certificate which has several +additional pieces of information attached to it such as the permitted +and prohibited uses of the certificate and an \*(L"alias\*(R". +.PP +Normally when a certificate is being verified at least one certificate +must be \*(L"trusted\*(R". By default a trusted certificate must be stored +locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0 +is then usable for any purpose. +.PP +Trust settings currently are only used with a root \s-1CA.\s0 They allow a finer +control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0 +may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use. +.PP +See the description of the \fBverify\fR utility for more information on the +meaning of trust settings. +.PP +Future versions of OpenSSL will recognize trust settings on any +certificate: not just root CAs. +.IP "\fB\-trustout\fR" 4 +.IX Item "-trustout" +This causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary +or trusted certificate can be input but by default an ordinary +certificate is output and any trust settings are discarded. With the +\&\fB\-trustout\fR option a trusted certificate is output. A trusted +certificate is automatically output if any trust settings are modified. +.IP "\fB\-setalias arg\fR" 4 +.IX Item "-setalias arg" +Sets the alias of the certificate. This will allow the certificate +to be referred to using a nickname for example \*(L"Steve's Certificate\*(R". +.IP "\fB\-alias\fR" 4 +.IX Item "-alias" +Outputs the certificate alias, if any. +.IP "\fB\-clrtrust\fR" 4 +.IX Item "-clrtrust" +Clears all the permitted or trusted uses of the certificate. +.IP "\fB\-clrreject\fR" 4 +.IX Item "-clrreject" +Clears all the prohibited or rejected uses of the certificate. +.IP "\fB\-addtrust arg\fR" 4 +.IX Item "-addtrust arg" +Adds a trusted certificate use. +Any object name can be used here but currently only \fBclientAuth\fR (\s-1SSL\s0 client +use), \fBserverAuth\fR (\s-1SSL\s0 server use), \fBemailProtection\fR (S/MIME email) and +\&\fBanyExtendedKeyUsage\fR are used. +As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or +enables all purposes when trusted. +Other OpenSSL applications may define additional uses. +.IP "\fB\-addreject arg\fR" 4 +.IX Item "-addreject arg" +Adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR +option. +.IP "\fB\-purpose\fR" 4 +.IX Item "-purpose" +This option performs tests on the certificate extensions and outputs +the results. For a more complete description see the \fB\s-1CERTIFICATE +EXTENSIONS\s0\fR section. +.SS "Signing Options" +.IX Subsection "Signing Options" +The \fBx509\fR utility can be used to sign certificates and requests: it +can thus behave like a \*(L"mini \s-1CA\*(R".\s0 +.IP "\fB\-signkey filename\fR" 4 +.IX Item "-signkey filename" +This option causes the input file to be self signed using the supplied +private key. +.Sp +If the input file is a certificate it sets the issuer name to the +subject name (i.e. makes it self signed) changes the public key to the +supplied value and changes the start and end dates. The start date is +set to the current time and the end date is set to a value determined +by the \fB\-days\fR option. Any certificate extensions are retained unless +the \fB\-clrext\fR option is supplied; this includes, for example, any existing +key identifier extensions. +.Sp +If the input is a certificate request then a self signed certificate +is created using the supplied private key using the subject name in +the request. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +The key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-clrext\fR" 4 +.IX Item "-clrext" +Delete any extensions from a certificate. This option is used when a +certificate is being created from another certificate (for example with +the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are +retained. +.IP "\fB\-keyform PEM|DER\fR" 4 +.IX Item "-keyform PEM|DER" +Specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the +\&\fB\-signkey\fR option. +.IP "\fB\-days arg\fR" 4 +.IX Item "-days arg" +Specifies the number of days to make a certificate valid for. The default +is 30 days. Cannot be used with the \fB\-preserve_dates\fR option. +.IP "\fB\-x509toreq\fR" 4 +.IX Item "-x509toreq" +Converts a certificate into a certificate request. The \fB\-signkey\fR option +is used to pass the required private key. +.IP "\fB\-req\fR" 4 +.IX Item "-req" +By default a certificate is expected on input. With this option a +certificate request is expected instead. +.IP "\fB\-set_serial n\fR" 4 +.IX Item "-set_serial n" +Specifies the serial number to use. This option can be used with either +the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR +option the serial number file (as specified by the \fB\-CAserial\fR or +\&\fB\-CAcreateserial\fR options) is not used. +.Sp +The serial number can be decimal or hex (if preceded by \fB0x\fR). +.IP "\fB\-CA filename\fR" 4 +.IX Item "-CA filename" +Specifies the \s-1CA\s0 certificate to be used for signing. When this option is +present \fBx509\fR behaves like a \*(L"mini \s-1CA\*(R".\s0 The input file is signed by this +\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name +of the \s-1CA\s0 and it is digitally signed using the CAs private key. +.Sp +This option is normally combined with the \fB\-req\fR option. Without the +\&\fB\-req\fR option the input is a certificate which must be self signed. +.IP "\fB\-CAkey filename\fR" 4 +.IX Item "-CAkey filename" +Sets the \s-1CA\s0 private key to sign a certificate with. If this option is +not specified then it is assumed that the \s-1CA\s0 private key is present in +the \s-1CA\s0 certificate file. +.IP "\fB\-CAserial filename\fR" 4 +.IX Item "-CAserial filename" +Sets the \s-1CA\s0 serial number file to use. +.Sp +When the \fB\-CA\fR option is used to sign a certificate it uses a serial +number specified in a file. This file consists of one line containing +an even number of hex digits with the serial number to use. After each +use the serial number is incremented and written out to the file again. +.Sp +The default filename consists of the \s-1CA\s0 certificate file base name with +\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called +\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R". +.IP "\fB\-CAcreateserial\fR" 4 +.IX Item "-CAcreateserial" +With this option the \s-1CA\s0 serial number file is created if it does not exist: +it will contain the serial number \*(L"02\*(R" and the certificate being signed will +have the 1 as its serial number. If the \fB\-CA\fR option is specified +and the serial number file does not exist a random number is generated; +this is the recommended practice. +.IP "\fB\-extfile filename\fR" 4 +.IX Item "-extfile filename" +File containing certificate extensions to use. If not specified then +no extensions are added to the certificate. +.IP "\fB\-extensions section\fR" 4 +.IX Item "-extensions section" +The section to add certificate extensions from. If this option is not +specified then the extensions should either be contained in the unnamed +(default) section or the default section should contain a variable called +\&\*(L"extensions\*(R" which contains the section to use. See the +\&\fIx509v3_config\fR\|(5) manual page for details of the +extension section format. +.IP "\fB\-force_pubkey key\fR" 4 +.IX Item "-force_pubkey key" +When a certificate is created set its public key to \fBkey\fR instead of the +key in the certificate or certificate request. This option is useful for +creating certificates where the algorithm can't normally sign requests, for +example \s-1DH.\s0 +.Sp +The format or \fBkey\fR can be specified using the \fB\-keyform\fR option. +.SS "Name Options" +.IX Subsection "Name Options" +The \fBnameopt\fR command line switch determines how the subject and issuer +names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R" +format is used which is compatible with previous versions of OpenSSL. +Each option is described in detail below, all options can be preceded by +a \fB\-\fR to turn the option off. Only the first four will normally be used. +.IP "\fBcompat\fR" 4 +.IX Item "compat" +Use the old format. +.IP "\fB\s-1RFC2253\s0\fR" 4 +.IX Item "RFC2253" +Displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, +\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR, +\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR. +.IP "\fBoneline\fR" 4 +.IX Item "oneline" +A oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to +specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, +\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR +options. This is the \fIdefault\fR of no name options are given explicitly. +.IP "\fBmultiline\fR" 4 +.IX Item "multiline" +A multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, +\&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR. +.IP "\fBesc_2253\fR" 4 +.IX Item "esc_2253" +Escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field. That is +\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string +and a space character at the beginning or end of a string. +.IP "\fBesc_2254\fR" 4 +.IX Item "esc_2254" +Escape the \*(L"special\*(R" characters required by \s-1RFC2254\s0 in a field. That is +the \fB\s-1NUL\s0\fR character as well as and \fB()*\fR. +.IP "\fBesc_ctrl\fR" 4 +.IX Item "esc_ctrl" +Escape control characters. That is those with \s-1ASCII\s0 values less than +0x20 (space) and the delete (0x7f) character. They are escaped using the +\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the +character value). +.IP "\fBesc_msb\fR" 4 +.IX Item "esc_msb" +Escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than +127. +.IP "\fBuse_quote\fR" 4 +.IX Item "use_quote" +Escapes some characters by surrounding the whole string with \fB"\fR characters, +without the option all escaping is done with the \fB\e\fR character. +.IP "\fButf8\fR" 4 +.IX Item "utf8" +Convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If +you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use +of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct +display of multibyte (international) characters. Is this option is not +present then multibyte characters larger than 0xff will be represented +using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits. +Also if this option is off any UTF8Strings will be converted to their +character form first. +.IP "\fBignore_type\fR" 4 +.IX Item "ignore_type" +This option does not attempt to interpret multibyte characters in any +way. That is their content octets are merely dumped as though one octet +represents each character. This is useful for diagnostic purposes but +will result in rather odd looking output. +.IP "\fBshow_type\fR" 4 +.IX Item "show_type" +Show the type of the \s-1ASN1\s0 character string. The type precedes the +field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R". +.IP "\fBdump_der\fR" 4 +.IX Item "dump_der" +When this option is set any fields that need to be hexdumped will +be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the +content octets will be displayed. Both options use the \s-1RFC2253\s0 +\&\fB#XXXX...\fR format. +.IP "\fBdump_nostr\fR" 4 +.IX Item "dump_nostr" +Dump non character string types (for example \s-1OCTET STRING\s0) if this +option is not set then non character string types will be displayed +as though each content octet represents a single character. +.IP "\fBdump_all\fR" 4 +.IX Item "dump_all" +Dump all fields. This option when used with \fBdump_der\fR allows the +\&\s-1DER\s0 encoding of the structure to be unambiguously determined. +.IP "\fBdump_unknown\fR" 4 +.IX Item "dump_unknown" +Dump any field whose \s-1OID\s0 is not recognised by OpenSSL. +.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4 +.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline" +These options determine the field separators. The first character is +between RDNs and the second between multiple AVAs (multiple AVAs are +very rare and their use is discouraged). The options ending in +\&\*(L"space\*(R" additionally place a space after the separator to make it +more readable. The \fBsep_multiline\fR uses a linefeed character for +the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also +indents the fields by four characters. If no field separator is specified +then \fBsep_comma_plus_space\fR is used by default. +.IP "\fBdn_rev\fR" 4 +.IX Item "dn_rev" +Reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side +effect this also reverses the order of multiple AVAs but this is +permissible. +.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4 +.IX Item "nofname, sname, lname, oid" +These options alter how the field name is displayed. \fBnofname\fR does +not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form +(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form. +\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for +diagnostic purpose. +.IP "\fBalign\fR" 4 +.IX Item "align" +Align field values for a more readable output. Only usable with +\&\fBsep_multiline\fR. +.IP "\fBspace_eq\fR" 4 +.IX Item "space_eq" +Places spaces round the \fB=\fR character which follows the field +name. +.SS "Text Options" +.IX Subsection "Text Options" +As well as customising the name output format, it is also possible to +customise the actual fields printed using the \fBcertopt\fR options when +the \fBtext\fR option is present. The default behaviour is to print all fields. +.IP "\fBcompatible\fR" 4 +.IX Item "compatible" +Use the old format. This is equivalent to specifying no output options at all. +.IP "\fBno_header\fR" 4 +.IX Item "no_header" +Don't print header information: that is the lines saying \*(L"Certificate\*(R" +and \*(L"Data\*(R". +.IP "\fBno_version\fR" 4 +.IX Item "no_version" +Don't print out the version number. +.IP "\fBno_serial\fR" 4 +.IX Item "no_serial" +Don't print out the serial number. +.IP "\fBno_signame\fR" 4 +.IX Item "no_signame" +Don't print out the signature algorithm used. +.IP "\fBno_validity\fR" 4 +.IX Item "no_validity" +Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields. +.IP "\fBno_subject\fR" 4 +.IX Item "no_subject" +Don't print out the subject name. +.IP "\fBno_issuer\fR" 4 +.IX Item "no_issuer" +Don't print out the issuer name. +.IP "\fBno_pubkey\fR" 4 +.IX Item "no_pubkey" +Don't print out the public key. +.IP "\fBno_sigdump\fR" 4 +.IX Item "no_sigdump" +Don't give a hexadecimal dump of the certificate signature. +.IP "\fBno_aux\fR" 4 +.IX Item "no_aux" +Don't print out certificate trust information. +.IP "\fBno_extensions\fR" 4 +.IX Item "no_extensions" +Don't print out any X509V3 extensions. +.IP "\fBext_default\fR" 4 +.IX Item "ext_default" +Retain default extension behaviour: attempt to print out unsupported +certificate extensions. +.IP "\fBext_error\fR" 4 +.IX Item "ext_error" +Print an error message for unsupported certificate extensions. +.IP "\fBext_parse\fR" 4 +.IX Item "ext_parse" +\&\s-1ASN1\s0 parse unsupported extensions. +.IP "\fBext_dump\fR" 4 +.IX Item "ext_dump" +Hex dump unsupported extensions. +.IP "\fBca_default\fR" 4 +.IX Item "ca_default" +The value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, +\&\fBno_header\fR, and \fBno_version\fR. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Note: in these examples the '\e' means the example should be all on one +line. +.PP +Display the contents of a certificate: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-text +.Ve +.PP +Display the \*(L"Subject Alternative Name\*(R" extension of a certificate: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName +.Ve +.PP +Display more extensions of a certificate: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType +.Ve +.PP +Display the certificate serial number: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-serial +.Ve +.PP +Display the certificate subject name: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-subject +.Ve +.PP +Display the certificate subject name in \s-1RFC2253\s0 form: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253 +.Ve +.PP +Display the certificate subject name in oneline form on a terminal +supporting \s-1UTF8:\s0 +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb +.Ve +.PP +Display the certificate \s-1SHA1\s0 fingerprint: +.PP +.Vb 1 +\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint +.Ve +.PP +Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER +.Ve +.PP +Convert a certificate to a certificate request: +.PP +.Vb 1 +\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-signkey key.pem +.Ve +.PP +Convert a certificate request into a self signed certificate using +extensions for a \s-1CA:\s0 +.PP +.Vb 2 +\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e +\& \-signkey key.pem \-out cacert.pem +.Ve +.PP +Sign a certificate request using the \s-1CA\s0 certificate above and add user +certificate extensions: +.PP +.Vb 2 +\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e +\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial +.Ve +.PP +Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to +\&\*(L"Steve's Class 1 \s-1CA\*(R"\s0 +.PP +.Vb 2 +\& openssl x509 \-in cert.pem \-addtrust clientAuth \e +\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem +.Ve +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 format uses the header and footer lines: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- +\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- +.Ve +.PP +it will also handle files containing: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN X509 CERTIFICATE\-\-\-\-\- +\& \-\-\-\-\-END X509 CERTIFICATE\-\-\-\-\- +.Ve +.PP +Trusted certificates have the lines +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN TRUSTED CERTIFICATE\-\-\-\-\- +\& \-\-\-\-\-END TRUSTED CERTIFICATE\-\-\-\-\- +.Ve +.PP +The conversion to \s-1UTF8\s0 format used with the name options assumes that +T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape +and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect +it is more likely to display the majority of certificates correctly. +.PP +The \fB\-email\fR option searches the subject name and the subject alternative +name extension. Only unique email addresses will be printed out: it will +not print the same address more than once. +.SH "CERTIFICATE EXTENSIONS" +.IX Header "CERTIFICATE EXTENSIONS" +The \fB\-purpose\fR option checks the certificate extensions and determines +what the certificate can be used for. The actual checks done are rather +complex and include various hacks and workarounds to handle broken +certificates and software. +.PP +The same code is used when verifying untrusted certificates in chains +so this section is useful if a chain is rejected by the verify code. +.PP +The basicConstraints extension \s-1CA\s0 flag is used to determine whether the +certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0 +if the \s-1CA\s0 flag is false then it is not a \s-1CA.\s0 \fBAll\fR CAs should have the +\&\s-1CA\s0 flag set to true. +.PP +If the basicConstraints extension is absent then the certificate is +considered to be a \*(L"possible \s-1CA\*(R"\s0 other extensions are checked according +to the intended use of the certificate. A warning is given in this case +because the certificate should really not be regarded as a \s-1CA:\s0 however +it is allowed to be a \s-1CA\s0 to work around some broken software. +.PP +If the certificate is a V1 certificate (and thus has no extensions) and +it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again +given: this is to work around the problem of Verisign roots which are V1 +self signed certificates. +.PP +If the keyUsage extension is present then additional restraints are +made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the +keyCertSign bit set if the keyUsage extension is present. +.PP +The extended key usage extension places additional restrictions on the +certificate uses. If this extension is present (whether critical or not) +the key can only be used for the purposes specified. +.PP +A complete description of each test is given below. The comments about +basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR +\&\s-1CA\s0 certificates. +.IP "\fB\s-1SSL\s0 Client\fR" 4 +.IX Item "SSL Client" +The extended key usage extension must be absent or include the \*(L"web client +authentication\*(R" \s-1OID.\s0 keyUsage must be absent or it must have the +digitalSignature bit set. Netscape certificate type must be absent or it must +have the \s-1SSL\s0 client bit set. +.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4 +.IX Item "SSL Client CA" +The extended key usage extension must be absent or include the \*(L"web client +authentication\*(R" \s-1OID.\s0 Netscape certificate type must be absent or it must have +the \s-1SSL CA\s0 bit set: this is used as a work around if the basicConstraints +extension is absent. +.IP "\fB\s-1SSL\s0 Server\fR" 4 +.IX Item "SSL Server" +The extended key usage extension must be absent or include the \*(L"web server +authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it +must have the digitalSignature, the keyEncipherment set or both bits set. +Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set. +.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4 +.IX Item "SSL Server CA" +The extended key usage extension must be absent or include the \*(L"web server +authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must +be absent or the \s-1SSL CA\s0 bit must be set: this is used as a work around if the +basicConstraints extension is absent. +.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4 +.IX Item "Netscape SSL Server" +For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the +keyEncipherment bit set if the keyUsage extension is present. This isn't +always valid because some cipher suites use the key for digital signing. +Otherwise it is the same as a normal \s-1SSL\s0 server. +.IP "\fBCommon S/MIME Client Tests\fR" 4 +.IX Item "Common S/MIME Client Tests" +The extended key usage extension must be absent or include the \*(L"email +protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or should have the +S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type +then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown: +this is because some Verisign certificates don't set the S/MIME bit. +.IP "\fBS/MIME Signing\fR" 4 +.IX Item "S/MIME Signing" +In addition to the common S/MIME client tests the digitalSignature bit or +the nonRepudiation bit must be set if the keyUsage extension is present. +.IP "\fBS/MIME Encryption\fR" 4 +.IX Item "S/MIME Encryption" +In addition to the common S/MIME tests the keyEncipherment bit must be set +if the keyUsage extension is present. +.IP "\fBS/MIME \s-1CA\s0\fR" 4 +.IX Item "S/MIME CA" +The extended key usage extension must be absent or include the \*(L"email +protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or must have the +S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints +extension is absent. +.IP "\fB\s-1CRL\s0 Signing\fR" 4 +.IX Item "CRL Signing" +The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit +set. +.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4 +.IX Item "CRL Signing CA" +The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension +must be present. +.SH "BUGS" +.IX Header "BUGS" +Extensions in certificates are not transferred to certificate requests and +vice versa. +.PP +It is possible to produce invalid certificates or requests by specifying the +wrong private key or using inconsistent options in some cases: these should +be checked. +.PP +There should be options to explicitly set such things as start and end +dates rather than an offset from the current time. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIgendsa\fR\|(1), \fIverify\fR\|(1), +\&\fIx509v3_config\fR\|(5) +.SH "HISTORY" +.IX Header "HISTORY" +The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options +before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding +of the distinguished name. In OpenSSL 1.0.0 and later it is based on a +canonical version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using +the old form must have their links rebuilt using \fBc_rehash\fR or similar. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/usr.bin/scp/Makefile b/secure/usr.bin/scp/Makefile new file mode 100644 index 000000000000..34469a443287 --- /dev/null +++ b/secure/usr.bin/scp/Makefile @@ -0,0 +1,21 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +PROG= scp +SRCS= scp.c +PACKAGE= ssh +CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +SRCS+= ssh_namespace.h + +LIBADD= ssh + +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +.endif + +.include <bsd.prog.mk> + +.PATH: ${SSHDIR} diff --git a/secure/usr.bin/scp/Makefile.depend b/secure/usr.bin/scp/Makefile.depend new file mode 100644 index 000000000000..270b7612d3a6 --- /dev/null +++ b/secure/usr.bin/scp/Makefile.depend @@ -0,0 +1,25 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + gnu/lib/csu \ + include \ + include/arpa \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/libcrypt \ + lib/libldns \ + lib/libpam/libpam \ + lib/libutil \ + lib/libz \ + secure/lib/libcrypto \ + secure/lib/libssh \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/secure/usr.bin/sftp/Makefile b/secure/usr.bin/sftp/Makefile new file mode 100644 index 000000000000..249fef233d37 --- /dev/null +++ b/secure/usr.bin/sftp/Makefile @@ -0,0 +1,21 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +PROG= sftp +SRCS= sftp.c sftp-client.c sftp-common.c sftp-glob.c progressmeter.c +PACKAGE= ssh +CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +SRCS+= ssh_namespace.h + +LIBADD= ssh edit + +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +.endif + +.include <bsd.prog.mk> + +.PATH: ${SSHDIR} diff --git a/secure/usr.bin/sftp/Makefile.depend b/secure/usr.bin/sftp/Makefile.depend new file mode 100644 index 000000000000..255a2ea15c03 --- /dev/null +++ b/secure/usr.bin/sftp/Makefile.depend @@ -0,0 +1,27 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + gnu/lib/csu \ + include \ + include/arpa \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/libcrypt \ + lib/libedit \ + lib/libldns \ + lib/libpam/libpam \ + lib/libutil \ + lib/libz \ + lib/ncurses/ncursesw \ + secure/lib/libcrypto \ + secure/lib/libssh \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/secure/usr.bin/ssh-add/Makefile b/secure/usr.bin/ssh-add/Makefile new file mode 100644 index 000000000000..acce73d3841d --- /dev/null +++ b/secure/usr.bin/ssh-add/Makefile @@ -0,0 +1,21 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +PROG= ssh-add +SRCS+= ssh-add.c +PACKAGE= ssh +CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +SRCS+= ssh_namespace.h + +LIBADD= ssh + +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +.endif + +.include <bsd.prog.mk> + +.PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-add/Makefile.depend b/secure/usr.bin/ssh-add/Makefile.depend new file mode 100644 index 000000000000..270b7612d3a6 --- /dev/null +++ b/secure/usr.bin/ssh-add/Makefile.depend @@ -0,0 +1,25 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + gnu/lib/csu \ + include \ + include/arpa \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/libcrypt \ + lib/libldns \ + lib/libpam/libpam \ + lib/libutil \ + lib/libz \ + secure/lib/libcrypto \ + secure/lib/libssh \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/secure/usr.bin/ssh-agent/Makefile b/secure/usr.bin/ssh-agent/Makefile new file mode 100644 index 000000000000..50eafa6ba621 --- /dev/null +++ b/secure/usr.bin/ssh-agent/Makefile @@ -0,0 +1,23 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +PROG= ssh-agent +SRCS= ssh-agent.c +PACKAGE= ssh +CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +SRCS+= ssh_namespace.h + +LIBADD= ssh + +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +.endif + +LIBADD+= crypto + +.include <bsd.prog.mk> + +.PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-agent/Makefile.depend b/secure/usr.bin/ssh-agent/Makefile.depend new file mode 100644 index 000000000000..270b7612d3a6 --- /dev/null +++ b/secure/usr.bin/ssh-agent/Makefile.depend @@ -0,0 +1,25 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + gnu/lib/csu \ + include \ + include/arpa \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/libcrypt \ + lib/libldns \ + lib/libpam/libpam \ + lib/libutil \ + lib/libz \ + secure/lib/libcrypto \ + secure/lib/libssh \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile new file mode 100644 index 000000000000..d6b5616dfc0a --- /dev/null +++ b/secure/usr.bin/ssh-keygen/Makefile @@ -0,0 +1,21 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +PROG= ssh-keygen +SRCS= ssh-keygen.c +PACKAGE= ssh +CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +SRCS+= ssh_namespace.h + +LIBADD= ssh + +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +.endif + +LIBADD+= crypto + +.include <bsd.prog.mk> + +.PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-keygen/Makefile.depend b/secure/usr.bin/ssh-keygen/Makefile.depend new file mode 100644 index 000000000000..270b7612d3a6 --- /dev/null +++ b/secure/usr.bin/ssh-keygen/Makefile.depend @@ -0,0 +1,25 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + gnu/lib/csu \ + include \ + include/arpa \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/libcrypt \ + lib/libldns \ + lib/libpam/libpam \ + lib/libutil \ + lib/libz \ + secure/lib/libcrypto \ + secure/lib/libssh \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/secure/usr.bin/ssh-keyscan/Makefile b/secure/usr.bin/ssh-keyscan/Makefile new file mode 100644 index 000000000000..ade1e4237ff5 --- /dev/null +++ b/secure/usr.bin/ssh-keyscan/Makefile @@ -0,0 +1,21 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +PROG= ssh-keyscan +SRCS= ssh-keyscan.c +PACKAGE= ssh +CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +SRCS+= ssh_namespace.h + +LIBADD= ssh + +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +.endif + +.include <bsd.prog.mk> + +.PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-keyscan/Makefile.depend b/secure/usr.bin/ssh-keyscan/Makefile.depend new file mode 100644 index 000000000000..270b7612d3a6 --- /dev/null +++ b/secure/usr.bin/ssh-keyscan/Makefile.depend @@ -0,0 +1,25 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + gnu/lib/csu \ + include \ + include/arpa \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/libcrypt \ + lib/libldns \ + lib/libpam/libpam \ + lib/libutil \ + lib/libz \ + secure/lib/libcrypto \ + secure/lib/libssh \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile new file mode 100644 index 000000000000..614cc7627fc5 --- /dev/null +++ b/secure/usr.bin/ssh/Makefile @@ -0,0 +1,42 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +CONFS= ssh_config +CONFSDIR= /etc/ssh +PROG= ssh +LINKS= ${BINDIR}/ssh ${BINDIR}/slogin +MAN= ssh.1 ssh_config.5 +MLINKS= ssh.1 slogin.1 +PACKAGE= ssh + +SRCS= ssh.c readconf.c clientloop.c sshtty.c \ + sshconnect.c sshconnect2.c mux.c + +# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile +SRCS+= gss-genr.c + +CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +SRCS+= ssh_namespace.h + +LIBADD= ssh + +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +.endif + +.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" +CFLAGS+= -include krb5_config.h +SRCS+= krb5_config.h +LIBADD+= gssapi +.endif + +LIBADD+= crypto + +.if defined(LOCALBASE) +CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" +.endif + +.include <bsd.prog.mk> + +.PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh/Makefile.depend b/secure/usr.bin/ssh/Makefile.depend new file mode 100644 index 000000000000..c56fe0f8f0fd --- /dev/null +++ b/secure/usr.bin/ssh/Makefile.depend @@ -0,0 +1,28 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + gnu/lib/csu \ + include \ + include/arpa \ + include/gssapi \ + include/rpc \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/libcrypt \ + lib/libgssapi \ + lib/libldns \ + lib/libpam/libpam \ + lib/libutil \ + lib/libz \ + secure/lib/libcrypto \ + secure/lib/libssh \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/secure/usr.bin/tests/Makefile b/secure/usr.bin/tests/Makefile new file mode 100644 index 000000000000..3b3078f8612a --- /dev/null +++ b/secure/usr.bin/tests/Makefile @@ -0,0 +1,6 @@ +# $FreeBSD$ + +.PATH: ${SRCTOP}/tests +KYUAFILE= yes + +.include <bsd.test.mk> diff --git a/secure/usr.bin/tests/Makefile.depend b/secure/usr.bin/tests/Makefile.depend new file mode 100644 index 000000000000..f80275d86ab1 --- /dev/null +++ b/secure/usr.bin/tests/Makefile.depend @@ -0,0 +1,11 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif |