Diffstat (limited to 'secure/usr.bin')
-rw-r--r--secure/usr.bin/Makefile14
-rw-r--r--secure/usr.bin/Makefile.inc5
-rw-r--r--secure/usr.bin/bdes/Makefile16
-rw-r--r--secure/usr.bin/bdes/bdes.1338
-rw-r--r--secure/usr.bin/bdes/bdes.c1051
-rw-r--r--secure/usr.bin/bdes/bdes.ps2945
-rw-r--r--secure/usr.bin/openssl/Makefile28
-rw-r--r--secure/usr.bin/openssl/Makefile.man42
-rw-r--r--secure/usr.bin/openssl/man/CA.pl.1302
-rw-r--r--secure/usr.bin/openssl/man/asn1parse.1251
-rw-r--r--secure/usr.bin/openssl/man/ca.1701
-rw-r--r--secure/usr.bin/openssl/man/ciphers.1497
-rw-r--r--secure/usr.bin/openssl/man/config.1282
-rw-r--r--secure/usr.bin/openssl/man/crl.1237
-rw-r--r--secure/usr.bin/openssl/man/crl2pkcs7.1216
-rw-r--r--secure/usr.bin/openssl/man/dgst.1223
-rw-r--r--secure/usr.bin/openssl/man/dhparam.1256
-rw-r--r--secure/usr.bin/openssl/man/dsa.1282
-rw-r--r--secure/usr.bin/openssl/man/dsaparam.1229
-rw-r--r--secure/usr.bin/openssl/man/enc.1399
-rw-r--r--secure/usr.bin/openssl/man/gendsa.1191
-rw-r--r--secure/usr.bin/openssl/man/genrsa.1216
-rw-r--r--secure/usr.bin/openssl/man/nseq.1199
-rw-r--r--secure/usr.bin/openssl/man/ocsp.1451
-rw-r--r--secure/usr.bin/openssl/man/openssl.1407
-rw-r--r--secure/usr.bin/openssl/man/passwd.1203
-rw-r--r--secure/usr.bin/openssl/man/pkcs12.1429
-rw-r--r--secure/usr.bin/openssl/man/pkcs7.1230
-rw-r--r--secure/usr.bin/openssl/man/pkcs8.1355
-rw-r--r--secure/usr.bin/openssl/man/rand.1177
-rw-r--r--secure/usr.bin/openssl/man/req.1700
-rw-r--r--secure/usr.bin/openssl/man/rsa.1308
-rw-r--r--secure/usr.bin/openssl/man/rsautl.1312
-rw-r--r--secure/usr.bin/openssl/man/s_client.1347
-rw-r--r--secure/usr.bin/openssl/man/s_server.1385
-rw-r--r--secure/usr.bin/openssl/man/sess_id.1258
-rw-r--r--secure/usr.bin/openssl/man/smime.1473
-rw-r--r--secure/usr.bin/openssl/man/speed.1188
-rw-r--r--secure/usr.bin/openssl/man/spkac.1255
-rw-r--r--secure/usr.bin/openssl/man/verify.1408
-rw-r--r--secure/usr.bin/openssl/man/version.1186
-rw-r--r--secure/usr.bin/openssl/man/x509.1836
-rw-r--r--secure/usr.bin/scp/Makefile11
-rw-r--r--secure/usr.bin/sftp/Makefile12
-rw-r--r--secure/usr.bin/ssh-add/Makefile11
-rw-r--r--secure/usr.bin/ssh-agent/Makefile11
-rw-r--r--secure/usr.bin/ssh-keygen/Makefile11
-rw-r--r--secure/usr.bin/ssh-keyscan/Makefile11
-rw-r--r--secure/usr.bin/ssh/Makefile36
-rw-r--r--secure/usr.bin/telnet/Makefile21
50 files changed, 0 insertions, 15952 deletions
diff --git a/secure/usr.bin/Makefile b/secure/usr.bin/Makefile
deleted file mode 100644
index 42b8aa2ff2b3..000000000000
--- a/secure/usr.bin/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-# $FreeBSD$
-
-SUBDIR= bdes
-.if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(MAKE_KERBEROS4) && !defined(MAKE_KERBEROS5)
-SUBDIR+=telnet
-.endif
-.if !defined(NO_OPENSSL)
-SUBDIR+=openssl
-.if !defined(NO_OPENSSH)
-SUBDIR+=scp sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan
-.endif
-.endif
-
-.include <bsd.subdir.mk>
diff --git a/secure/usr.bin/Makefile.inc b/secure/usr.bin/Makefile.inc
deleted file mode 100644
index de35b7828aab..000000000000
--- a/secure/usr.bin/Makefile.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-# $FreeBSD$
-
-BINDIR?= /usr/bin
-
-.include "${.CURDIR}/../../Makefile.inc"
diff --git a/secure/usr.bin/bdes/Makefile b/secure/usr.bin/bdes/Makefile
deleted file mode 100644
index 78af60c8e60f..000000000000
--- a/secure/usr.bin/bdes/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-# @(#)Makefile 8.1 (Berkeley) 6/6/93
-# $FreeBSD$
-
-PROG= bdes
-SRCS= bdes.c
-
-.if exists(${.OBJDIR}/../../lib/libcipher)
-LDFLAGS+= -L${.OBJDIR}/../../lib/libcipher
-.else
-LDFLAGS+= -L${.CURDIR}/../../lib/libcipher
-.endif
-
-LDADD+= -lcipher
-DPADD+= libcipher.a
-
-.include <bsd.prog.mk>
diff --git a/secure/usr.bin/bdes/bdes.1 b/secure/usr.bin/bdes/bdes.1
deleted file mode 100644
index 579bbabedd80..000000000000
--- a/secure/usr.bin/bdes/bdes.1
+++ /dev/null
@@ -1,338 +0,0 @@
-.\" Copyright (c) 1991, 1993
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" This code is derived from software contributed to Berkeley by
-.\" Matt Bishop of Dartmouth College.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by the University of
-.\" California, Berkeley and its contributors.
-.\" 4. Neither the name of the University nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" @(#)bdes.1 8.1 (Berkeley) 6/29/93
-.\" $FreeBSD$
-.\"
-.Dd June 29, 1993
-.Dt BDES 1
-.Os
-.Sh NAME
-.Nm bdes
-.Nd "encrypt/decrypt using the Data Encryption Standard"
-.Sh SYNOPSIS
-.Nm
-.Op Fl abdp
-.Op Fl F Ar N
-.Op Fl f Ar N
-.Op Fl k Ar key
-.Op Fl m Ar N
-.Op Fl o Ar N
-.Op Fl v Ar vector
-.Sh DESCRIPTION
-.Nm Bdes
-implements all
-.Tn DES
-modes of operation described in
-.%T "FIPS PUB 81" ,
-including alternative cipher feedback mode and both authentication
-modes.
-.Nm Bdes
-reads from the standard input and writes to the standard output.
-By default, the input is encrypted using cipher block chaining mode.
-Using the same key for encryption and decryption preserves plain text.
-.Pp
-All modes but the electronic code book mode require an initialization
-vector; if none is supplied, the zero vector is used.
-If no
-.Ar key
-is specified on the command line, the user is prompted for one (see
-.Xr getpass 3
-for more details).
-.Pp
-The options are as follows:
-.Bl -tag -width indent
-.It Fl a
-The key and initialization vector strings are to be taken as
-.Tn ASCII ,
-suppressing the special interpretation given to leading
-.Dq Li 0X ,
-.Dq Li 0x ,
-.Dq Li 0B ,
-and
-.Dq Li 0b
-characters.
-This flag applies to
-.Em both
-the key and initialization vector.
-.It Fl b
-Use electronic code book mode.
-.It Fl d
-Decrypt the input.
-.It Fl F Ar N
-Use
-.Ar N Ns \-bit
-alternative cipher feedback mode.
-Currently
-.Ar N
-must be a multiple of 7 between 7 and 56 inclusive (this does not conform
-to the alternative CFB mode specification).
-.It Fl f Ar N
-Use
-.Ar N Ns \-bit
-cipher feedback mode.
-Currently
-.Ar N
-must be a multiple of 8 between 8 and 64 inclusive (this does not conform
-to the standard CFB mode specification).
-.It Fl k Ar key
-Use
-.Ar key
-as the cryptographic key.
-.It Fl m Ar N
-Compute a message authentication code (MAC) of
-.Ar N
-bits on the input.
-The value of
-.Ar N
-must be between 1 and 64 inclusive; if
-.Ar N
-is not a multiple of 8, enough 0 bits will be added to pad the MAC length
-to the nearest multiple of 8.
-Only the MAC is output.
-MACs are only available in cipher block chaining mode or in cipher feedback
-mode.
-.It Fl o Ar N
-Use
-.Ar N Ns \-bit
-output feedback mode.
-Currently
-.Ar N
-must be a multiple of 8 between 8 and 64 inclusive (this does not conform
-to the OFB mode specification).
-.It Fl p
-Disable the resetting of the parity bit.
-This flag forces the parity bit of the key to be used as typed, rather than
-making each character be of odd parity.
-It is used only if the key is given in
-.Tn ASCII .
-.It Fl v Ar vector
-Set the initialization vector to
-.Ar vector ;
-the vector is interpreted in the same way as the key.
-The vector is ignored in electronic codebook mode.
-.El
-.Pp
-The key and initialization vector are taken as sequences of
-.Tn ASCII
-characters which are then mapped into their bit representations.
-If either begins with
-.Dq Li 0X
-or
-.Dq Li 0x ,
-that one is taken as a sequence of hexadecimal digits indicating the
-bit pattern;
-if either begins with
-.Dq Li 0B
-or
-.Dq Li 0b ,
-that one is taken as a sequence of binary digits indicating the bit pattern.
-In either case,
-only the leading 64 bits of the key or initialization vector
-are used,
-and if fewer than 64 bits are provided, enough 0 bits are appended
-to pad the key to 64 bits.
-.Pp
-According to the
-.Tn DES
-standard, the low-order bit of each character in the
-key string is deleted.
-Since most
-.Tn ASCII
-representations set the high-order bit to 0, simply
-deleting the low-order bit effectively reduces the size of the key space
-from 2^56 to 2^48 keys.
-To prevent this, the high-order bit must be a function depending in part
-upon the low-order bit; so, the high-order bit is set to whatever value
-gives odd parity.
-This preserves the key space size.
-Note this resetting of the parity bit is
-.Em not
-done if the key is given in binary or hex, and can be disabled for
-.Tn ASCII
-keys as well.
-.Pp
-The
-.Tn DES
-is considered a very strong cryptosystem, and other than table lookup
-attacks, key search attacks, and Hellman's time-memory tradeoff (all of which
-are very expensive and time-consuming), no cryptanalytic methods for breaking
-the
-.Tn DES
-are known in the open literature.
-No doubt the choice of keys and key security are the most vulnerable aspect
-of
-.Nm .
-.Sh IMPLEMENTATION NOTES
-For implementors wishing to write software compatible with this program,
-the following notes are provided.
-This software is believed to be compatible with the implementation of the
-data encryption standard distributed by Sun Microsystems, Inc.
-.Pp
-In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
-also called a block).
-To ensure that the plaintext file is encrypted correctly,
-.Nm
-will (internally) append from 1 to 8 bytes, the last byte containing an
-integer stating how many bytes of that final block are from the plaintext
-file, and encrypt the resulting block.
-Hence, when decrypting, the last block may contain from 0 to 7 characters
-present in the plaintext file, and the last byte tells how many.
-Note that if during decryption the last byte of the file does not contain an
-integer between 0 and 7, either the file has been corrupted or an incorrect
-key has been given.
-A similar mechanism is used for the OFB and CFB modes, except that those
-simply require the length of the input to be a multiple of the mode size,
-and the final byte contains an integer between 0 and one less than the number
-of bytes being used as the mode.
-(This was another reason that the mode size must be a multiple of 8 for those
-modes.)
-.Pp
-Unlike Sun's implementation, unused bytes of that last block are not filled
-with random data, but instead contain what was in those byte positions in
-the preceding block.
-This is quicker and more portable, and does not weaken the encryption
-significantly.
-.Pp
-If the key is entered in
-.Tn ASCII ,
-the parity bits of the key characters are set
-so that each key character is of odd parity.
-Unlike Sun's implementation, it is possible to enter binary or hexadecimal
-keys on the command line, and if this is done, the parity bits are
-.Em not
-reset.
-This allows testing using arbitrary bit patterns as keys.
-.Pp
-The Sun implementation always uses an initialization vector of 0
-(that is, all zeroes).
-By default,
-.Nm
-does too, but this may be changed from the command line.
-.Sh SEE ALSO
-.Xr crypt 3 ,
-.Xr getpass 3
-.Rs
-.%T "Data Encryption Standard"
-.%R "Federal Information Processing Standard #46"
-.%Q "National Bureau of Standards, U.S. Department of Commerce, Washington DC"
-.%D "January 1977"
-.Re
-.Rs
-.%T "DES Modes of Operation"
-.%R "Federal Information Processing Standard #81"
-.%Q "National Bureau of Standards, U.S. Department of Commerce, Washington DC"
-.%D "December 1980"
-.Re
-.Rs
-.%A "Dorothy Denning"
-.%B "Cryptography and Data Security"
-.%Q "Addison-Wesley Publishing Co., Reading, MA"
-.%D 1982
-.Re
-.Rs
-.%A "Matt Bishop"
-.%T "Implementation Notes on bdes(1)"
-.%R "Technical Report PCS-TR-91-158"
-.%Q "Department of Mathematics and Computer Science, Dartmouth College, Hanover, NH 03755"
-.%D "April 1991"
-.Re
-.Sh DISCLAIMER
-.Bd -literal
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-.Ed
-.Sh BUGS
-There is a controversy raging over whether the
-.Tn DES
-will still be secure
-in a few years.
-The advent of special-purpose hardware could reduce the cost of any of the
-methods of attack named above so that they are no longer computationally
-infeasible.
-.Pp
-As the key or key schedule is stored in memory, the encryption can be
-compromised if memory is readable.
-Additionally, programs which display programs' arguments may compromise the
-key and initialization vector, if they are specified on the command line.
-To avoid this
-.Nm
-overwrites its arguments, however, the obvious race cannot currently be
-avoided.
-.Pp
-Certain specific keys should be avoided because they introduce potential
-weaknesses; these keys, called the
-.Em weak
-and
-.Em semiweak
-keys, are (in hex notation, where
-.Ar p
-is either 0 or 1, and
-.Ar P
-is either
-.Ql e
-or
-.Ql f ) :
-.Bl -column "0x0p0p0p0p0p0p0p0p" -offset indent
-.It "0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P"
-.It "0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP"
-.It "0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P"
-.It "0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP"
-.It "0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P"
-.It "0xepepepepepepepep 0xepfPepfPfpfPfpfP"
-.It "0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P"
-.It "0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP"
-.El
-.Pp
-This is inherent in the
-.Tn DES
-algorithm; see
-.Rs
-.%A Moore
-.%A Simmons
-.%T "Cycle structure of the DES with weak and semi-weak keys"
-.%B "Advances in Cryptology \- Crypto '86 Proceedings"
-.%Q "Springer-Verlag New York"
-.%D 1987
-.%P "pp. 9-32"
-.Re
diff --git a/secure/usr.bin/bdes/bdes.c b/secure/usr.bin/bdes/bdes.c
deleted file mode 100644
index f2dc827266d5..000000000000
--- a/secure/usr.bin/bdes/bdes.c
+++ /dev/null
@@ -1,1051 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Matt Bishop of Dartmouth College.
- *
- * The United States Government has rights in this work pursuant
- * to contract no. NAG 2-680 between the National Aeronautics and
- * Space Administration and Dartmouth College.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-static char copyright[] =
-"@(#) Copyright (c) 1991, 1993\n\
- The Regents of the University of California. All rights reserved.\n";
-#endif /* not lint */
-
-#ifndef lint
-#if 0
-static char sccsid[] = "@(#)bdes.c 8.1 (Berkeley) 6/6/93";
-#else
-static const char rcsid[] =
- "$FreeBSD$";
-#endif
-#endif /* not lint */
-
-/*
- * BDES -- DES encryption package for Berkeley Software Distribution 4.4
- * options:
- * -a key is in ASCII
- * -b use ECB (electronic code book) mode
- * -d invert (decrypt) input
- * -f b use b-bit CFB (cipher feedback) mode
- * -F b use b-bit CFB (cipher feedback) alternative mode
- * -k key use key as the cryptographic key
- * -m b generate a MAC of length b
- * -o b use b-bit OFB (output feedback) mode
- * -p don't reset the parity bit
- * -v v use v as the initialization vector (ignored for ECB)
- * note: the last character of the last block is the integer indicating
- * how many characters of that block are to be output
- *
- * Author: Matt Bishop
- * Department of Mathematics and Computer Science
- * Dartmouth College
- * Hanover, NH 03755
- * Email: Matt.Bishop@dartmouth.edu
- * ...!decvax!dartvax!Matt.Bishop
- *
- * See Technical Report PCS-TR91-158, Department of Mathematics and Computer
- * Science, Dartmouth College, for a detailed description of the implemen-
- * tation and differences between it and Sun's. The DES is described in
- * FIPS PUB 46, and the modes in FIPS PUB 81 (see either the manual page
- * or the technical report for a complete reference).
- */
-
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-
-/*
- * BSD and System V systems offer special library calls that do
- * block moves and fills, so if possible we take advantage of them
- */
-#define MEMCPY(dest,src,len) bcopy((src),(dest),(len))
-#define MEMZERO(dest,len) bzero((dest),(len))
-
-/* Hide the calls to the primitive encryption routines. */
-#define FASTWAY
-#ifdef FASTWAY
-#define DES_KEY(buf) \
- if (des_setkey(buf)) \
- err("des_setkey", 0);
-#define DES_XFORM(buf) \
- if (des_cipher(buf, buf, 0L, (inverse ? -1 : 1))) \
- err("des_cipher", 0);
-#else
-#define DES_KEY(buf) { \
- char bits1[64]; /* bits of key */ \
- expand(buf, bits1); \
- if (setkey(bits1)) \
- err("setkey", 0); \
- }
-#define DES_XFORM(buf) { \
- char bits1[64]; /* bits of message */ \
- expand(buf, bits1); \
- if (encrypt(bits1, inverse)) \
- err("encrypt", 0); \
- compress(bits1, buf); \
- }
-#endif
-
-/*
- * this does an error-checking write
- */
-#define READ(buf, n) fread(buf, sizeof(char), n, stdin)
-#define WRITE(buf,n) \
- if (fwrite(buf, sizeof(char), n, stdout) != n) \
- err(bn, NULL);
-
-/*
- * some things to make references easier
- */
-typedef char Desbuf[8];
-#define CHAR(x,i) (x[i])
-#define UCHAR(x,i) (x[i])
-#define BUFFER(x) (x)
-#define UBUFFER(x) (x)
-
-/*
- * global variables and related macros
- */
-#define KEY_DEFAULT 0 /* interpret radix of key from key */
-#define KEY_ASCII 1 /* key is in ASCII characters */
-int keybase = KEY_DEFAULT; /* how to interpret the key */
-
-enum { /* encrypt, decrypt, authenticate */
- MODE_ENCRYPT, MODE_DECRYPT, MODE_AUTHENTICATE
-} mode = MODE_ENCRYPT;
-enum { /* ecb, cbc, cfb, cfba, ofb? */
- ALG_ECB, ALG_CBC, ALG_CFB, ALG_OFB, ALG_CFBA
-} alg = ALG_CBC;
-
-Desbuf ivec; /* initialization vector */
-char bits[] = { /* used to extract bits from a char */
- '\200', '\100', '\040', '\020', '\010', '\004', '\002', '\001'
-};
-int inverse; /* 0 to encrypt, 1 to decrypt */
-int macbits = -1; /* number of bits in authentication */
-int fbbits = -1; /* number of feedback bits */
-int pflag; /* 1 to preserve parity bits */
-
-main(ac, av)
- int ac; /* arg count */
- char **av; /* arg vector */
-{
- extern int optind; /* option (argument) number */
- extern char *optarg; /* argument to option if any */
- register int i; /* counter in a for loop */
- register char *p; /* used to obtain the key */
- Desbuf msgbuf; /* I/O buffer */
- int kflag; /* command-line encryptiooon key */
- int argc; /* the real arg count */
- char **argv; /* the real argument vector */
-
- /*
- * Hide the arguments from ps(1) by making private copies of them
- * and clobbering the global (visible to ps(1)) ones.
- */
- argc = ac;
- ac = 1;
- argv = malloc((argc + 1) * sizeof(char *));
- for (i = 0; i < argc; ++i) {
- argv[i] = strdup(av[i]);
- MEMZERO(av[i], strlen(av[i]));
- }
- argv[argc] = NULL;
-
- /* initialize the initialization vctor */
- MEMZERO(ivec, 8);
-
- /* process the argument list */
- kflag = 0;
- while ((i = getopt(argc, argv, "abdF:f:k:m:o:pv:")) != EOF)
- switch(i) {
- case 'a': /* key is ASCII */
- keybase = KEY_ASCII;
- break;
- case 'b': /* use ECB mode */
- alg = ALG_ECB;
- break;
- case 'd': /* decrypt */
- mode = MODE_DECRYPT;
- break;
- case 'F': /* use alternative CFB mode */
- alg = ALG_CFBA;
- if ((fbbits = setbits(optarg, 7)) > 56 || fbbits == 0)
- err(-1, "-F: number must be 1-56 inclusive");
- else if (fbbits == -1)
- err(-1, "-F: number must be a multiple of 7");
- break;
- case 'f': /* use CFB mode */
- alg = ALG_CFB;
- if ((fbbits = setbits(optarg, 8)) > 64 || fbbits == 0)
- err(-1, "-f: number must be 1-64 inclusive");
- else if (fbbits == -1)
- err(-1, "-f: number must be a multiple of 8");
- break;
- case 'k': /* encryption key */
- kflag = 1;
- cvtkey(BUFFER(msgbuf), optarg);
- break;
- case 'm': /* number of bits for MACing */
- mode = MODE_AUTHENTICATE;
- if ((macbits = setbits(optarg, 1)) > 64)
- err(-1, "-m: number must be 0-64 inclusive");
- break;
- case 'o': /* use OFB mode */
- alg = ALG_OFB;
- if ((fbbits = setbits(optarg, 8)) > 64 || fbbits == 0)
- err(-1, "-o: number must be 1-64 inclusive");
- else if (fbbits == -1)
- err(-1, "-o: number must be a multiple of 8");
- break;
- case 'p': /* preserve parity bits */
- pflag = 1;
- break;
- case 'v': /* set initialization vector */
- cvtkey(BUFFER(ivec), optarg);
- break;
- default: /* error */
- usage();
- }
-
- if (!kflag) {
- /*
- * if the key's not ASCII, assume it is
- */
- keybase = KEY_ASCII;
- /*
- * get the key
- */
- p = getpass("Enter key: ");
- /*
- * copy it, nul-padded, into the key area
- */
- cvtkey(BUFFER(msgbuf), p);
- }
-
- makekey(msgbuf);
- inverse = (alg == ALG_CBC || alg == ALG_ECB) && mode == MODE_DECRYPT;
-
- switch(alg) {
- case ALG_CBC:
- switch(mode) {
- case MODE_AUTHENTICATE: /* authenticate using CBC mode */
- cbcauth();
- break;
- case MODE_DECRYPT: /* decrypt using CBC mode */
- cbcdec();
- break;
- case MODE_ENCRYPT: /* encrypt using CBC mode */
- cbcenc();
- break;
- }
- break;
- case ALG_CFB:
- switch(mode) {
- case MODE_AUTHENTICATE: /* authenticate using CFB mode */
- cfbauth();
- break;
- case MODE_DECRYPT: /* decrypt using CFB mode */
- cfbdec();
- break;
- case MODE_ENCRYPT: /* encrypt using CFB mode */
- cfbenc();
- break;
- }
- break;
- case ALG_CFBA:
- switch(mode) {
- case MODE_AUTHENTICATE: /* authenticate using CFBA mode */
- err(-1, "can't authenticate with CFBA mode");
- break;
- case MODE_DECRYPT: /* decrypt using CFBA mode */
- cfbadec();
- break;
- case MODE_ENCRYPT: /* encrypt using CFBA mode */
- cfbaenc();
- break;
- }
- break;
- case ALG_ECB:
- switch(mode) {
- case MODE_AUTHENTICATE: /* authenticate using ECB mode */
- err(-1, "can't authenticate with ECB mode");
- break;
- case MODE_DECRYPT: /* decrypt using ECB mode */
- ecbdec();
- break;
- case MODE_ENCRYPT: /* encrypt using ECB mode */
- ecbenc();
- break;
- }
- break;
- case ALG_OFB:
- switch(mode) {
- case MODE_AUTHENTICATE: /* authenticate using OFB mode */
- err(-1, "can't authenticate with OFB mode");
- break;
- case MODE_DECRYPT: /* decrypt using OFB mode */
- ofbdec();
- break;
- case MODE_ENCRYPT: /* encrypt using OFB mode */
- ofbenc();
- break;
- }
- break;
- }
- exit(0);
-}
-
-/*
- * print a warning message and, possibly, terminate
- */
-err(n, s)
- int n; /* offending block number */
- char *s; /* the message */
-{
- if (n > 0)
- (void)fprintf(stderr, "bdes (block %d): ", n);
- else
- (void)fprintf(stderr, "bdes: ");
- (void)fprintf(stderr, "%s\n", s ? s : strerror(errno));
- exit(1);
-}
-
-/*
- * map a hex character to an integer
- */
-tobinhex(c, radix)
- char c; /* char to be converted */
- int radix; /* base (2 to 16) */
-{
- switch(c) {
- case '0': return(0x0);
- case '1': return(0x1);
- case '2': return(radix > 2 ? 0x2 : -1);
- case '3': return(radix > 3 ? 0x3 : -1);
- case '4': return(radix > 4 ? 0x4 : -1);
- case '5': return(radix > 5 ? 0x5 : -1);
- case '6': return(radix > 6 ? 0x6 : -1);
- case '7': return(radix > 7 ? 0x7 : -1);
- case '8': return(radix > 8 ? 0x8 : -1);
- case '9': return(radix > 9 ? 0x9 : -1);
- case 'A': case 'a': return(radix > 10 ? 0xa : -1);
- case 'B': case 'b': return(radix > 11 ? 0xb : -1);
- case 'C': case 'c': return(radix > 12 ? 0xc : -1);
- case 'D': case 'd': return(radix > 13 ? 0xd : -1);
- case 'E': case 'e': return(radix > 14 ? 0xe : -1);
- case 'F': case 'f': return(radix > 15 ? 0xf : -1);
- }
- /*
- * invalid character
- */
- return(-1);
-}
-
-/*
- * convert the key to a bit pattern
- */
-cvtkey(obuf, ibuf)
- char *obuf; /* bit pattern */
- char *ibuf; /* the key itself */
-{
- register int i, j; /* counter in a for loop */
- int nbuf[64]; /* used for hex/key translation */
-
- /*
- * just switch on the key base
- */
- switch(keybase) {
- case KEY_ASCII: /* ascii to integer */
- (void)strncpy(obuf, ibuf, 8);
- return;
- case KEY_DEFAULT: /* tell from context */
- /*
- * leading '0x' or '0X' == hex key
- */
- if (ibuf[0] == '0' && (ibuf[1] == 'x' || ibuf[1] == 'X')) {
- ibuf = &ibuf[2];
- /*
- * now translate it, bombing on any illegal hex digit
- */
- for (i = 0; ibuf[i] && i < 16; i++)
- if ((nbuf[i] = tobinhex(ibuf[i], 16)) == -1)
- err(-1, "bad hex digit in key");
- while (i < 16)
- nbuf[i++] = 0;
- for (i = 0; i < 8; i++)
- obuf[i] =
- ((nbuf[2*i]&0xf)<<4) | (nbuf[2*i+1]&0xf);
- /* preserve parity bits */
- pflag = 1;
- return;
- }
- /*
- * leading '0b' or '0B' == binary key
- */
- if (ibuf[0] == '0' && (ibuf[1] == 'b' || ibuf[1] == 'B')) {
- ibuf = &ibuf[2];
- /*
- * now translate it, bombing on any illegal binary digit
- */
- for (i = 0; ibuf[i] && i < 16; i++)
- if ((nbuf[i] = tobinhex(ibuf[i], 2)) == -1)
- err(-1, "bad binary digit in key");
- while (i < 64)
- nbuf[i++] = 0;
- for (i = 0; i < 8; i++)
- for (j = 0; j < 8; j++)
- obuf[i] = (obuf[i]<<1)|nbuf[8*i+j];
- /* preserve parity bits */
- pflag = 1;
- return;
- }
- /*
- * no special leader -- ASCII
- */
- (void)strncpy(obuf, ibuf, 8);
- }
-}
-
-/*
- * convert an ASCII string into a decimal number:
- * 1. must be between 0 and 64 inclusive
- * 2. must be a valid decimal number
- * 3. must be a multiple of mult
- */
-setbits(s, mult)
- char *s; /* the ASCII string */
- int mult; /* what it must be a multiple of */
-{
- register char *p; /* pointer in a for loop */
- register int n = 0; /* the integer collected */
-
- /*
- * skip white space
- */
- while (isspace(*s))
- s++;
- /*
- * get the integer
- */
- for (p = s; *p; p++) {
- if (isdigit(*p))
- n = n * 10 + *p - '0';
- else {
- err(-1, "bad decimal digit in MAC length");
- }
- }
- /*
- * be sure it's a multiple of mult
- */
- return((n % mult != 0) ? -1 : n);
-}
-
-/*****************
- * DES FUNCTIONS *
- *****************/
-/*
- * This sets the DES key and (if you're using the deszip version)
- * the direction of the transformation. This uses the Sun
- * to map the 64-bit key onto the 56 bits that the key schedule
- * generation routines use: the old way, which just uses the user-
- * supplied 64 bits as is, and the new way, which resets the parity
- * bit to be the same as the low-order bit in each character. The
- * new way generates a greater variety of key schedules, since many
- * systems set the parity (high) bit of each character to 0, and the
- * DES ignores the low order bit of each character.
- */
-makekey(buf)
- Desbuf buf; /* key block */
-{
- register int i, j; /* counter in a for loop */
- register int par; /* parity counter */
-
- /*
- * if the parity is not preserved, flip it
- */
- if (!pflag) {
- for (i = 0; i < 8; i++) {
- par = 0;
- for (j = 1; j < 8; j++)
- if ((bits[j]&UCHAR(buf, i)) != 0)
- par++;
- if ((par&01) == 01)
- UCHAR(buf, i) = UCHAR(buf, i)&0177;
- else
- UCHAR(buf, i) = (UCHAR(buf, i)&0177)|0200;
- }
- }
-
- DES_KEY(UBUFFER(buf));
-}
-
-/*
- * This encrypts using the Electronic Code Book mode of DES
- */
-ecbenc()
-{
- register int n; /* number of bytes actually read */
- register int bn; /* block number */
- Desbuf msgbuf; /* I/O buffer */
-
- for (bn = 0; (n = READ(BUFFER(msgbuf), 8)) == 8; bn++) {
- /*
- * do the transformation
- */
- DES_XFORM(UBUFFER(msgbuf));
- WRITE(BUFFER(msgbuf), 8);
- }
- /*
- * at EOF or last block -- in either case, the last byte contains
- * the character representation of the number of bytes in it
- */
- bn++;
- MEMZERO(&CHAR(msgbuf, n), 8 - n);
- CHAR(msgbuf, 7) = n;
- DES_XFORM(UBUFFER(msgbuf));
- WRITE(BUFFER(msgbuf), 8);
-
-}
-
-/*
- * This decrypts using the Electronic Code Book mode of DES
- */
-ecbdec()
-{
- register int n; /* number of bytes actually read */
- register int c; /* used to test for EOF */
- register int bn; /* block number */
- Desbuf msgbuf; /* I/O buffer */
-
- for (bn = 1; (n = READ(BUFFER(msgbuf), 8)) == 8; bn++) {
- /*
- * do the transformation
- */
- DES_XFORM(UBUFFER(msgbuf));
- /*
- * if the last one, handle it specially
- */
- if ((c = getchar()) == EOF) {
- n = CHAR(msgbuf, 7);
- if (n < 0 || n > 7)
- err(bn, "decryption failed (block corrupted)");
- }
- else
- (void)ungetc(c, stdin);
- WRITE(BUFFER(msgbuf), n);
- }
- if (n > 0)
- err(bn, "decryption failed (incomplete block)");
-}
-
-/*
- * This encrypts using the Cipher Block Chaining mode of DES
- */
-cbcenc()
-{
- register int n; /* number of bytes actually read */
- register int bn; /* block number */
- Desbuf msgbuf; /* I/O buffer */
-
- /*
- * do the transformation
- */
- for (bn = 1; (n = READ(BUFFER(msgbuf), 8)) == 8; bn++) {
- for (n = 0; n < 8; n++)
- CHAR(msgbuf, n) ^= CHAR(ivec, n);
- DES_XFORM(UBUFFER(msgbuf));
- MEMCPY(BUFFER(ivec), BUFFER(msgbuf), 8);
- WRITE(BUFFER(msgbuf), 8);
- }
- /*
- * at EOF or last block -- in either case, the last byte contains
- * the character representation of the number of bytes in it
- */
- bn++;
- MEMZERO(&CHAR(msgbuf, n), 8 - n);
- CHAR(msgbuf, 7) = n;
- for (n = 0; n < 8; n++)
- CHAR(msgbuf, n) ^= CHAR(ivec, n);
- DES_XFORM(UBUFFER(msgbuf));
- WRITE(BUFFER(msgbuf), 8);
-
-}
-
-/*
- * This decrypts using the Cipher Block Chaining mode of DES
- */
-cbcdec()
-{
- register int n; /* number of bytes actually read */
- Desbuf msgbuf; /* I/O buffer */
- Desbuf ibuf; /* temp buffer for initialization vector */
- register int c; /* used to test for EOF */
- register int bn; /* block number */
-
- for (bn = 0; (n = READ(BUFFER(msgbuf), 8)) == 8; bn++) {
- /*
- * do the transformation
- */
- MEMCPY(BUFFER(ibuf), BUFFER(msgbuf), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (c = 0; c < 8; c++)
- UCHAR(msgbuf, c) ^= UCHAR(ivec, c);
- MEMCPY(BUFFER(ivec), BUFFER(ibuf), 8);
- /*
- * if the last one, handle it specially
- */
- if ((c = getchar()) == EOF) {
- n = CHAR(msgbuf, 7);
- if (n < 0 || n > 7)
- err(bn, "decryption failed (block corrupted)");
- }
- else
- (void)ungetc(c, stdin);
- WRITE(BUFFER(msgbuf), n);
- }
- if (n > 0)
- err(bn, "decryption failed (incomplete block)");
-}
-
-/*
- * This authenticates using the Cipher Block Chaining mode of DES
- */
-cbcauth()
-{
- register int n, j; /* number of bytes actually read */
- Desbuf msgbuf; /* I/O buffer */
- Desbuf encbuf; /* encryption buffer */
-
- /*
- * do the transformation
- * note we DISCARD the encrypted block;
- * we only care about the last one
- */
- while ((n = READ(BUFFER(msgbuf), 8)) == 8) {
- for (n = 0; n < 8; n++)
- CHAR(encbuf, n) = CHAR(msgbuf, n) ^ CHAR(ivec, n);
- DES_XFORM(UBUFFER(encbuf));
- MEMCPY(BUFFER(ivec), BUFFER(encbuf), 8);
- }
- /*
- * now compute the last one, right padding with '\0' if need be
- */
- if (n > 0) {
- MEMZERO(&CHAR(msgbuf, n), 8 - n);
- for (n = 0; n < 8; n++)
- CHAR(encbuf, n) = CHAR(msgbuf, n) ^ CHAR(ivec, n);
- DES_XFORM(UBUFFER(encbuf));
- }
- /*
- * drop the bits
- * we write chars until fewer than 7 bits,
- * and then pad the last one with 0 bits
- */
- for (n = 0; macbits > 7; n++, macbits -= 8)
- (void)putchar(CHAR(encbuf, n));
- if (macbits > 0) {
- CHAR(msgbuf, 0) = 0x00;
- for (j = 0; j < macbits; j++)
- CHAR(msgbuf, 0) |= (CHAR(encbuf, n)&bits[j]);
- (void)putchar(CHAR(msgbuf, 0));
- }
-}
-
-/*
- * This encrypts using the Cipher FeedBack mode of DES
- */
-cfbenc()
-{
- register int n; /* number of bytes actually read */
- register int nbytes; /* number of bytes to read */
- register int bn; /* block number */
- char ibuf[8]; /* input buffer */
- Desbuf msgbuf; /* encryption buffer */
-
- /*
- * do things in bytes, not bits
- */
- nbytes = fbbits / 8;
- /*
- * do the transformation
- */
- for (bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++) {
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (n = 0; n < 8 - nbytes; n++)
- UCHAR(ivec, n) = UCHAR(ivec, n+nbytes);
- for (n = 0; n < nbytes; n++)
- UCHAR(ivec, 8-nbytes+n) = ibuf[n] ^ UCHAR(msgbuf, n);
- WRITE(&CHAR(ivec, 8-nbytes), nbytes);
- }
- /*
- * at EOF or last block -- in either case, the last byte contains
- * the character representation of the number of bytes in it
- */
- bn++;
- MEMZERO(&ibuf[n], nbytes - n);
- ibuf[nbytes - 1] = n;
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (n = 0; n < nbytes; n++)
- ibuf[n] ^= UCHAR(msgbuf, n);
- WRITE(ibuf, nbytes);
-}
-
-/*
- * This decrypts using the Cipher Block Chaining mode of DES
- */
-cfbdec()
-{
- register int n; /* number of bytes actually read */
- register int c; /* used to test for EOF */
- register int nbytes; /* number of bytes to read */
- register int bn; /* block number */
- char ibuf[8]; /* input buffer */
- char obuf[8]; /* output buffer */
- Desbuf msgbuf; /* encryption buffer */
-
- /*
- * do things in bytes, not bits
- */
- nbytes = fbbits / 8;
- /*
- * do the transformation
- */
- for (bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++) {
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (c = 0; c < 8 - nbytes; c++)
- CHAR(ivec, c) = CHAR(ivec, c+nbytes);
- for (c = 0; c < nbytes; c++) {
- CHAR(ivec, 8-nbytes+c) = ibuf[c];
- obuf[c] = ibuf[c] ^ UCHAR(msgbuf, c);
- }
- /*
- * if the last one, handle it specially
- */
- if ((c = getchar()) == EOF) {
- n = obuf[nbytes-1];
- if (n < 0 || n > nbytes-1)
- err(bn, "decryption failed (block corrupted)");
- }
- else
- (void)ungetc(c, stdin);
- WRITE(obuf, n);
- }
- if (n > 0)
- err(bn, "decryption failed (incomplete block)");
-}
-
-/*
- * This encrypts using the alternative Cipher FeedBack mode of DES
- */
-cfbaenc()
-{
- register int n; /* number of bytes actually read */
- register int nbytes; /* number of bytes to read */
- register int bn; /* block number */
- char ibuf[8]; /* input buffer */
- char obuf[8]; /* output buffer */
- Desbuf msgbuf; /* encryption buffer */
-
- /*
- * do things in bytes, not bits
- */
- nbytes = fbbits / 7;
- /*
- * do the transformation
- */
- for (bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++) {
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (n = 0; n < 8 - nbytes; n++)
- UCHAR(ivec, n) = UCHAR(ivec, n+nbytes);
- for (n = 0; n < nbytes; n++)
- UCHAR(ivec, 8-nbytes+n) = (ibuf[n] ^ UCHAR(msgbuf, n))
- |0200;
- for (n = 0; n < nbytes; n++)
- obuf[n] = CHAR(ivec, 8-nbytes+n)&0177;
- WRITE(obuf, nbytes);
- }
- /*
- * at EOF or last block -- in either case, the last byte contains
- * the character representation of the number of bytes in it
- */
- bn++;
- MEMZERO(&ibuf[n], nbytes - n);
- ibuf[nbytes - 1] = ('0' + n)|0200;
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (n = 0; n < nbytes; n++)
- ibuf[n] ^= UCHAR(msgbuf, n);
- WRITE(ibuf, nbytes);
-}
-
-/*
- * This decrypts using the alternative Cipher Block Chaining mode of DES
- */
-cfbadec()
-{
- register int n; /* number of bytes actually read */
- register int c; /* used to test for EOF */
- register int nbytes; /* number of bytes to read */
- register int bn; /* block number */
- char ibuf[8]; /* input buffer */
- char obuf[8]; /* output buffer */
- Desbuf msgbuf; /* encryption buffer */
-
- /*
- * do things in bytes, not bits
- */
- nbytes = fbbits / 7;
- /*
- * do the transformation
- */
- for (bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++) {
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (c = 0; c < 8 - nbytes; c++)
- CHAR(ivec, c) = CHAR(ivec, c+nbytes);
- for (c = 0; c < nbytes; c++) {
- CHAR(ivec, 8-nbytes+c) = ibuf[c]|0200;
- obuf[c] = (ibuf[c] ^ UCHAR(msgbuf, c))&0177;
- }
- /*
- * if the last one, handle it specially
- */
- if ((c = getchar()) == EOF) {
- if ((n = (obuf[nbytes-1] - '0')) < 0
- || n > nbytes-1)
- err(bn, "decryption failed (block corrupted)");
- }
- else
- (void)ungetc(c, stdin);
- WRITE(obuf, n);
- }
- if (n > 0)
- err(bn, "decryption failed (incomplete block)");
-}
-
-
-/*
- * This encrypts using the Output FeedBack mode of DES
- */
-ofbenc()
-{
- register int n; /* number of bytes actually read */
- register int c; /* used to test for EOF */
- register int nbytes; /* number of bytes to read */
- register int bn; /* block number */
- char ibuf[8]; /* input buffer */
- char obuf[8]; /* output buffer */
- Desbuf msgbuf; /* encryption buffer */
-
- /*
- * do things in bytes, not bits
- */
- nbytes = fbbits / 8;
- /*
- * do the transformation
- */
- for (bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++) {
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (n = 0; n < 8 - nbytes; n++)
- UCHAR(ivec, n) = UCHAR(ivec, n+nbytes);
- for (n = 0; n < nbytes; n++) {
- UCHAR(ivec, 8-nbytes+n) = UCHAR(msgbuf, n);
- obuf[n] = ibuf[n] ^ UCHAR(msgbuf, n);
- }
- WRITE(obuf, nbytes);
- }
- /*
- * at EOF or last block -- in either case, the last byte contains
- * the character representation of the number of bytes in it
- */
- bn++;
- MEMZERO(&ibuf[n], nbytes - n);
- ibuf[nbytes - 1] = n;
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (c = 0; c < nbytes; c++)
- ibuf[c] ^= UCHAR(msgbuf, c);
- WRITE(ibuf, nbytes);
-}
-
-/*
- * This decrypts using the Output Block Chaining mode of DES
- */
-ofbdec()
-{
- register int n; /* number of bytes actually read */
- register int c; /* used to test for EOF */
- register int nbytes; /* number of bytes to read */
- register int bn; /* block number */
- char ibuf[8]; /* input buffer */
- char obuf[8]; /* output buffer */
- Desbuf msgbuf; /* encryption buffer */
-
- /*
- * do things in bytes, not bits
- */
- nbytes = fbbits / 8;
- /*
- * do the transformation
- */
- for (bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++) {
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (c = 0; c < 8 - nbytes; c++)
- CHAR(ivec, c) = CHAR(ivec, c+nbytes);
- for (c = 0; c < nbytes; c++) {
- CHAR(ivec, 8-nbytes+c) = UCHAR(msgbuf, c);
- obuf[c] = ibuf[c] ^ UCHAR(msgbuf, c);
- }
- /*
- * if the last one, handle it specially
- */
- if ((c = getchar()) == EOF) {
- n = obuf[nbytes-1];
- if (n < 0 || n > nbytes-1)
- err(bn, "decryption failed (block corrupted)");
- }
- else
- (void)ungetc(c, stdin);
- /*
- * dump it
- */
- WRITE(obuf, n);
- }
- if (n > 0)
- err(bn, "decryption failed (incomplete block)");
-}
-
-/*
- * This authenticates using the Cipher FeedBack mode of DES
- */
-cfbauth()
-{
- register int n, j; /* number of bytes actually read */
- register int nbytes; /* number of bytes to read */
- char ibuf[8]; /* input buffer */
- Desbuf msgbuf; /* encryption buffer */
-
- /*
- * do things in bytes, not bits
- */
- nbytes = fbbits / 8;
- /*
- * do the transformation
- */
- while ((n = READ(ibuf, nbytes)) == nbytes) {
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (n = 0; n < 8 - nbytes; n++)
- UCHAR(ivec, n) = UCHAR(ivec, n+nbytes);
- for (n = 0; n < nbytes; n++)
- UCHAR(ivec, 8-nbytes+n) = ibuf[n] ^ UCHAR(msgbuf, n);
- }
- /*
- * at EOF or last block -- in either case, the last byte contains
- * the character representation of the number of bytes in it
- */
- MEMZERO(&ibuf[n], nbytes - n);
- ibuf[nbytes - 1] = '0' + n;
- MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
- DES_XFORM(UBUFFER(msgbuf));
- for (n = 0; n < nbytes; n++)
- ibuf[n] ^= UCHAR(msgbuf, n);
- /*
- * drop the bits
- * we write chars until fewer than 7 bits,
- * and then pad the last one with 0 bits
- */
- for (n = 0; macbits > 7; n++, macbits -= 8)
- (void)putchar(CHAR(msgbuf, n));
- if (macbits > 0) {
- CHAR(msgbuf, 0) = 0x00;
- for (j = 0; j < macbits; j++)
- CHAR(msgbuf, 0) |= (CHAR(msgbuf, n)&bits[j]);
- (void)putchar(CHAR(msgbuf, 0));
- }
-}
-
-#ifndef FASTWAY
-/*
- * change from 8 bits/Uchar to 1 bit/Uchar
- */
-expand(from, to)
- Desbuf from; /* 8bit/unsigned char string */
- char *to; /* 1bit/char string */
-{
- register int i, j; /* counters in for loop */
-
- for (i = 0; i < 8; i++)
- for (j = 0; j < 8; j++)
- *to++ = (CHAR(from, i)>>(7-j))&01;
-}
-
-/*
- * change from 1 bit/char to 8 bits/Uchar
- */
-compress(from, to)
- char *from; /* 1bit/char string */
- Desbuf to; /* 8bit/unsigned char string */
-{
- register int i, j; /* counters in for loop */
-
- for (i = 0; i < 8; i++) {
- CHAR(to, i) = 0;
- for (j = 0; j < 8; j++)
- CHAR(to, i) = ((*from++)<<(7-j))|CHAR(to, i);
- }
-}
-#endif
-
-/*
- * message about usage
- */
-usage()
-{
- (void)fprintf(stderr, "%s\n",
-"usage: bdes [-abdp] [-F bit] [-f bit] [-k key] [-m bit] [-o bit] [-v vector]");
- exit(1);
-}
diff --git a/secure/usr.bin/bdes/bdes.ps b/secure/usr.bin/bdes/bdes.ps
deleted file mode 100644
index 471c267af751..000000000000
--- a/secure/usr.bin/bdes/bdes.ps
+++ /dev/null
@@ -1,2945 +0,0 @@
-%!
-%%BoundingBox: (atend)
-%%Pages: (atend)
-%%DocumentFonts: (atend)
-%%EndComments
-%
-% FrameMaker PostScript Prolog 2.0, for use with FrameMaker 2.0
-% Copyright (c) 1986,87,89 by Frame Technology, Inc. All rights reserved.
-%
-% Known Problems:
-% Due to bugs in Transcript, the 'PS-Adobe-' is omitted from line 1
-/FMversion (2.0) def
-% Set up Color vs. Black-and-White
- /FMPrintInColor systemdict /colorimage known def
-% Uncomment this line to force b&w on color printer
-% /FMPrintInColor false def
-/FrameDict 190 dict def
-systemdict /errordict known not {/errordict 10 dict def
- errordict /rangecheck {stop} put} if
-% The readline in 23.0 doesn't recognize cr's as nl's on AppleTalk
-FrameDict /tmprangecheck errordict /rangecheck get put
-errordict /rangecheck {FrameDict /bug true put} put
-FrameDict /bug false put
-mark
-% Some PS machines read past the CR, so keep the following 3 lines together!
-currentfile 5 string readline
-00
-0000000000
-cleartomark
-errordict /rangecheck FrameDict /tmprangecheck get put
-FrameDict /bug get {
- /readline {
- /gstring exch def
- /gfile exch def
- /gindex 0 def
- {
- gfile read pop
- dup 10 eq {exit} if
- dup 13 eq {exit} if
- gstring exch gindex exch put
- /gindex gindex 1 add def
- } loop
- pop
- gstring 0 gindex getinterval true
- } def
- } if
-/FMVERSION {
- FMversion ne {
- /Times-Roman findfont 18 scalefont setfont
- 100 100 moveto
- (FrameMaker version does not match postscript_prolog!)
- dup =
- show showpage
- } if
- } def
-/FMLOCAL {
- FrameDict begin
- 0 def
- end
- } def
- /gstring FMLOCAL
- /gfile FMLOCAL
- /gindex FMLOCAL
- /orgxfer FMLOCAL
- /orgproc FMLOCAL
- /organgle FMLOCAL
- /orgfreq FMLOCAL
- /yscale FMLOCAL
- /xscale FMLOCAL
- /manualfeed FMLOCAL
- /paperheight FMLOCAL
- /paperwidth FMLOCAL
-/FMDOCUMENT {
- array /FMfonts exch def
- /#copies exch def
- FrameDict begin
- 0 ne dup {setmanualfeed} if
- /manualfeed exch def
- /paperheight exch def
- /paperwidth exch def
- setpapername
- manualfeed {true} {papersize} ifelse
- {manualpapersize} {false} ifelse
- {desperatepapersize} if
- /yscale exch def
- /xscale exch def
- currenttransfer cvlit /orgxfer exch def
- currentscreen cvlit /orgproc exch def
- /organgle exch def /orgfreq exch def
- end
- } def
- /pagesave FMLOCAL
- /orgmatrix FMLOCAL
- /landscape FMLOCAL
-/FMBEGINPAGE {
- FrameDict begin
- /pagesave save def
- 3.86 setmiterlimit
- /landscape exch 0 ne def
- landscape {
- 90 rotate 0 exch neg translate pop
- }
- {pop pop}
- ifelse
- xscale yscale scale
- /orgmatrix matrix def
- gsave
- } def
-/FMENDPAGE {
- grestore
- pagesave restore
- end
- showpage
- } def
-/FMDEFINEFONT {
- FrameDict begin
- findfont
- ReEncode
- 2 index exch
- definefont exch
- scalefont
- FMfonts 3 1 roll
- put
- end
- } bind def
-/FMNORMALIZEGRAPHICS {
- newpath
- 0.0 0.0 moveto
- 1 setlinewidth
- 0 setlinecap
- 0 0 0 sethsbcolor
- 0 setgray
- } bind def
- /fx FMLOCAL
- /fy FMLOCAL
- /fh FMLOCAL
- /fw FMLOCAL
- /llx FMLOCAL
- /lly FMLOCAL
- /urx FMLOCAL
- /ury FMLOCAL
-/FMBEGINEPSF {
- end
- /FMEPSF save def
- /showpage {} def
- FMNORMALIZEGRAPHICS
- [/fy /fx /fh /fw /ury /urx /lly /llx] {exch def} forall
- fx fy translate
- rotate
- fw urx llx sub div fh ury lly sub div scale
- llx neg lly neg translate
- } bind def
-/FMENDEPSF {
- FMEPSF restore
- FrameDict begin
- } bind def
-FrameDict begin
-/setmanualfeed {
-%%BeginFeature *ManualFeed True
- statusdict /manualfeed true put
-%%EndFeature
- } def
-/max {2 copy lt {exch} if pop} bind def
-/min {2 copy gt {exch} if pop} bind def
-/inch {72 mul} def
-/pagedimen {
- paperheight sub abs 16 lt exch
- paperwidth sub abs 16 lt and
- {/papername exch def} {pop} ifelse
- } def
- /papersizedict FMLOCAL
-/setpapername {
- /papersizedict 14 dict def
- papersizedict begin
- /papername /unknown def
- /Letter 8.5 inch 11.0 inch pagedimen
- /LetterSmall 7.68 inch 10.16 inch pagedimen
- /Tabloid 11.0 inch 17.0 inch pagedimen
- /Ledger 17.0 inch 11.0 inch pagedimen
- /Legal 8.5 inch 14.0 inch pagedimen
- /Statement 5.5 inch 8.5 inch pagedimen
- /Executive 7.5 inch 10.0 inch pagedimen
- /A3 11.69 inch 16.5 inch pagedimen
- /A4 8.26 inch 11.69 inch pagedimen
- /A4Small 7.47 inch 10.85 inch pagedimen
- /B4 10.125 inch 14.33 inch pagedimen
- /B5 7.16 inch 10.125 inch pagedimen
- end
- } def
-/papersize {
- papersizedict begin
- /Letter {lettertray} def
- /LetterSmall {lettertray lettersmall} def
- /Tabloid {11x17tray} def
- /Ledger {ledgertray} def
- /Legal {legaltray} def
- /Statement {statementtray} def
- /Executive {executivetray} def
- /A3 {a3tray} def
- /A4 {a4tray} def
- /A4Small {a4tray a4small} def
- /B4 {b4tray} def
- /B5 {b5tray} def
- /unknown {unknown} def
- papersizedict dup papername known {papername} {/unknown} ifelse get
- end
- /FMdicttop countdictstack 1 add def
- statusdict begin stopped end
- countdictstack -1 FMdicttop {pop end} for
- } def
-/manualpapersize {
- papersizedict begin
- /Letter {letter} def
- /LetterSmall {lettersmall} def
- /Tabloid {11x17} def
- /Ledger {ledger} def
- /Legal {legal} def
- /Statement {statement} def
- /Executive {executive} def
- /A3 {a3} def
- /A4 {a4} def
- /A4Small {a4small} def
- /B4 {b4} def
- /B5 {b5} def
- /unknown {unknown} def
- papersizedict dup papername known {papername} {/unknown} ifelse get
- end
- stopped
- } def
-/desperatepapersize {
- statusdict /setpageparams known
- {
- paperwidth paperheight 0 1
- statusdict begin
- {setpageparams} stopped pop
- end
- } if
- } def
-/savematrix {
- orgmatrix currentmatrix pop
- } bind def
-/restorematrix {
- orgmatrix setmatrix
- } bind def
-/dmatrix matrix def
-/dpi 72 0 dmatrix defaultmatrix dtransform
- dup mul exch dup mul add sqrt def
-/freq dpi 18.75 div 8 div round dup 0 eq {pop 1} if 8 mul dpi exch div def
-/sangle 1 0 dmatrix defaultmatrix dtransform exch atan def
-/DiacriticEncoding [
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /space /exclam /quotedbl
-/numbersign /dollar /percent /ampersand /quotesingle /parenleft
-/parenright /asterisk /plus /comma /hyphen /period /slash /zero /one
-/two /three /four /five /six /seven /eight /nine /colon /semicolon
-/less /equal /greater /question /at /A /B /C /D /E /F /G /H /I /J /K
-/L /M /N /O /P /Q /R /S /T /U /V /W /X /Y /Z /bracketleft /backslash
-/bracketright /asciicircum /underscore /grave /a /b /c /d /e /f /g /h
-/i /j /k /l /m /n /o /p /q /r /s /t /u /v /w /x /y /z /braceleft /bar
-/braceright /asciitilde /.notdef /Adieresis /Aring /Ccedilla /Eacute
-/Ntilde /Odieresis /Udieresis /aacute /agrave /acircumflex /adieresis
-/atilde /aring /ccedilla /eacute /egrave /ecircumflex /edieresis
-/iacute /igrave /icircumflex /idieresis /ntilde /oacute /ograve
-/ocircumflex /odieresis /otilde /uacute /ugrave /ucircumflex
-/udieresis /dagger /.notdef /cent /sterling /section /bullet
-/paragraph /germandbls /registered /copyright /trademark /acute
-/dieresis /.notdef /AE /Oslash /.notdef /.notdef /.notdef /.notdef
-/yen /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/ordfeminine /ordmasculine /.notdef /ae /oslash /questiondown
-/exclamdown /logicalnot /.notdef /florin /.notdef /.notdef
-/guillemotleft /guillemotright /ellipsis /.notdef /Agrave /Atilde
-/Otilde /OE /oe /endash /emdash /quotedblleft /quotedblright
-/quoteleft /quoteright /.notdef /.notdef /ydieresis /Ydieresis
-/fraction /currency /guilsinglleft /guilsinglright /fi /fl /daggerdbl
-/periodcentered /quotesinglbase /quotedblbase /perthousand
-/Acircumflex /Ecircumflex /Aacute /Edieresis /Egrave /Iacute
-/Icircumflex /Idieresis /Igrave /Oacute /Ocircumflex /.notdef /Ograve
-/Uacute /Ucircumflex /Ugrave /dotlessi /circumflex /tilde /macron
-/breve /dotaccent /ring /cedilla /hungarumlaut /ogonek /caron
-] def
-/ReEncode {
- dup
- length
- dict begin
- {
- 1 index /FID ne
- {def}
- {pop pop} ifelse
- } forall
- Encoding StandardEncoding eq
- {
- /Encoding DiacriticEncoding def
- }if
- currentdict
- end
- } bind def
-/graymode true def
- /bwidth FMLOCAL
- /bpside FMLOCAL
- /bstring FMLOCAL
- /onbits FMLOCAL
- /offbits FMLOCAL
- /xindex FMLOCAL
- /yindex FMLOCAL
- /x FMLOCAL
- /y FMLOCAL
-/setpattern {
- /bwidth exch def
- /bpside exch def
- /bstring exch def
- /onbits 0 def /offbits 0 def
- freq sangle landscape {90 add} if
- {/y exch def
- /x exch def
- /xindex x 1 add 2 div bpside mul cvi def
- /yindex y 1 add 2 div bpside mul cvi def
- bstring yindex bwidth mul xindex 8 idiv add get
- 1 7 xindex 8 mod sub bitshift and 0 ne
- {/onbits onbits 1 add def 1}
- {/offbits offbits 1 add def 0}
- ifelse
- }
- setscreen
- {} settransfer
- offbits offbits onbits add div FMsetgray
- /graymode false def
- } bind def
-/grayness {
- FMsetgray
- graymode not {
- /graymode true def
- orgxfer cvx settransfer
- orgfreq organgle orgproc cvx setscreen
- } if
- } bind def
- /HUE FMLOCAL
- /SAT FMLOCAL
- /BRIGHT FMLOCAL
- /Colors FMLOCAL
-FMPrintInColor
-
- {
- /HUE 0 def
- /SAT 0 def
- /BRIGHT 0 def
- % array of arrays Hue and Sat values for the separations [HUE BRIGHT]
- /Colors
- [[0 0 ] % black
- [0 0 ] % white
- [0.00 1.0] % red
- [0.37 1.0] % green
- [0.60 1.0] % blue
- [0.50 1.0] % cyan
- [0.83 1.0] % magenta
- [0.16 1.0] % comment / yellow
- ] def
-
- /BEGINBITMAPCOLOR {
- BITMAPCOLOR} def
- /BEGINBITMAPCOLORc {
- BITMAPCOLORc} def
- /K {
- Colors exch get dup
- 0 get /HUE exch store
- 1 get /BRIGHT exch store
- HUE 0 eq BRIGHT 0 eq and
- {1.0 SAT sub setgray}
- {HUE SAT BRIGHT sethsbcolor}
- ifelse
- } def
- /FMsetgray {
- /SAT exch 1.0 exch sub store
- HUE 0 eq BRIGHT 0 eq and
- {1.0 SAT sub setgray}
- {HUE SAT BRIGHT sethsbcolor}
- ifelse
- } bind def
- }
-
- {
- /BEGINBITMAPCOLOR {
- BITMAPGRAY} def
- /BEGINBITMAPCOLORc {
- BITMAPGRAYc} def
- /FMsetgray {setgray} bind def
- /K {
- pop
- } def
- }
-ifelse
-/normalize {
- transform round exch round exch itransform
- } bind def
-/dnormalize {
- dtransform round exch round exch idtransform
- } bind def
-/lnormalize {
- 0 dtransform exch cvi 2 idiv 2 mul 1 add exch idtransform pop
- } bind def
-/H {
- lnormalize setlinewidth
- } bind def
-/Z {
- setlinecap
- } bind def
-/X {
- fillprocs exch get exec
- } bind def
-/V {
- gsave eofill grestore
- } bind def
-/N {
- stroke
- } bind def
-/M {newpath moveto} bind def
-/E {lineto} bind def
-/D {curveto} bind def
-/O {closepath} bind def
- /n FMLOCAL
-/L {
- /n exch def
- newpath
- normalize
- moveto
- 2 1 n {pop normalize lineto} for
- } bind def
-/Y {
- L
- closepath
- } bind def
- /x1 FMLOCAL
- /x2 FMLOCAL
- /y1 FMLOCAL
- /y2 FMLOCAL
- /rad FMLOCAL
-/R {
- /y2 exch def
- /x2 exch def
- /y1 exch def
- /x1 exch def
- x1 y1
- x2 y1
- x2 y2
- x1 y2
- 4 Y
- } bind def
-/RR {
- /rad exch def
- normalize
- /y2 exch def
- /x2 exch def
- normalize
- /y1 exch def
- /x1 exch def
- newpath
- x1 y1 rad add moveto
- x1 y2 x2 y2 rad arcto
- x2 y2 x2 y1 rad arcto
- x2 y1 x1 y1 rad arcto
- x1 y1 x1 y2 rad arcto
- closepath
- 16 {pop} repeat
- } bind def
-/C {
- grestore
- gsave
- R
- clip
- } bind def
-/U {
- grestore
- gsave
- } bind def
-/F {
- FMfonts exch get
- setfont
- } bind def
-/T {
- moveto show
- } bind def
-/RF {
- rotate
- 0 ne {-1 1 scale} if
- } bind def
-/TF {
- gsave
- moveto
- RF
- show
- grestore
- } bind def
-/P {
- moveto
- 0 32 3 2 roll widthshow
- } bind def
-/PF {
- gsave
- moveto
- RF
- 0 32 3 2 roll widthshow
- grestore
- } bind def
-/S {
- moveto
- 0 exch ashow
- } bind def
-/SF {
- gsave
- moveto
- RF
- 0 exch ashow
- grestore
- } bind def
-/B {
- moveto
- 0 32 4 2 roll 0 exch awidthshow
- } bind def
-/BF {
- gsave
- moveto
- RF
- 0 32 4 2 roll 0 exch awidthshow
- grestore
- } bind def
- /x FMLOCAL
- /y FMLOCAL
- /dx FMLOCAL
- /dy FMLOCAL
- /dl FMLOCAL
- /t FMLOCAL
- /t2 FMLOCAL
- /Cos FMLOCAL
- /Sin FMLOCAL
- /r FMLOCAL
-/W {
- dnormalize
- /dy exch def
- /dx exch def
- normalize
- /y exch def
- /x exch def
- /dl dx dx mul dy dy mul add sqrt def
- dl 0.0 gt {
- /t currentlinewidth def
- savematrix
- /Cos dx dl div def
- /Sin dy dl div def
- /r [Cos Sin Sin neg Cos 0.0 0.0] def
- /t2 t 2.5 mul 3.5 max def
- newpath
- x y translate
- r concat
- 0.0 0.0 moveto
- dl t 2.7 mul sub 0.0 rlineto
- stroke
- restorematrix
- x dx add y dy add translate
- r concat
- t 0.67 mul setlinewidth
- t 1.61 mul neg 0.0 translate
- 0.0 0.0 moveto
- t2 1.7 mul neg t2 2.0 div moveto
- 0.0 0.0 lineto
- t2 1.7 mul neg t2 2.0 div neg lineto
- stroke
- t setlinewidth
- restorematrix
- } if
- } bind def
-/G {
- gsave
- newpath
- normalize translate 0.0 0.0 moveto
- dnormalize scale
- 0.0 0.0 1.0 5 3 roll arc
- closepath fill
- grestore
- } bind def
-/A {
- gsave
- savematrix
- newpath
- 2 index 2 div add exch 3 index 2 div sub exch
- normalize 2 index 2 div sub exch 3 index 2 div add exch
- translate
- scale
- 0.0 0.0 1.0 5 3 roll arc
- restorematrix
- stroke
- grestore
- } bind def
- /x FMLOCAL
- /y FMLOCAL
- /w FMLOCAL
- /h FMLOCAL
- /xx FMLOCAL
- /yy FMLOCAL
- /ww FMLOCAL
- /hh FMLOCAL
- /FMsaveobject FMLOCAL
- /FMoptop FMLOCAL
- /FMdicttop FMLOCAL
-/BEGINPRINTCODE {
- /FMdicttop countdictstack 1 add def
- /FMoptop count 4 sub def
- /FMsaveobject save def
- userdict begin
- /showpage {} def
- FMNORMALIZEGRAPHICS
- 3 index neg 3 index neg translate
- } bind def
-/ENDPRINTCODE {
- count -1 FMoptop {pop pop} for
- countdictstack -1 FMdicttop {pop end} for
- FMsaveobject restore
- } bind def
-/gn {
- 0
- { 46 mul
- cf read pop
- 32 sub
- dup 46 lt {exit} if
- 46 sub add
- } loop
- add
- } bind def
- /str FMLOCAL
-/cfs {
- /str sl string def
- 0 1 sl 1 sub {str exch val put} for
- str def
- } bind def
-/ic [
- 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0223
- 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0223
- 0
- {0 hx} {1 hx} {2 hx} {3 hx} {4 hx} {5 hx} {6 hx} {7 hx} {8 hx} {9 hx}
- {10 hx} {11 hx} {12 hx} {13 hx} {14 hx} {15 hx} {16 hx} {17 hx} {18 hx}
- {19 hx} {gn hx} {0} {1} {2} {3} {4} {5} {6} {7} {8} {9} {10} {11} {12}
- {13} {14} {15} {16} {17} {18} {19} {gn} {0 wh} {1 wh} {2 wh} {3 wh}
- {4 wh} {5 wh} {6 wh} {7 wh} {8 wh} {9 wh} {10 wh} {11 wh} {12 wh}
- {13 wh} {14 wh} {gn wh} {0 bl} {1 bl} {2 bl} {3 bl} {4 bl} {5 bl} {6 bl}
- {7 bl} {8 bl} {9 bl} {10 bl} {11 bl} {12 bl} {13 bl} {14 bl} {gn bl}
- {0 fl} {1 fl} {2 fl} {3 fl} {4 fl} {5 fl} {6 fl} {7 fl} {8 fl} {9 fl}
- {10 fl} {11 fl} {12 fl} {13 fl} {14 fl} {gn fl}
- ] def
- /sl FMLOCAL
- /val FMLOCAL
- /ws FMLOCAL
- /im FMLOCAL
- /bs FMLOCAL
- /cs FMLOCAL
- /len FMLOCAL
- /pos FMLOCAL
-/ms {
- /sl exch def
- /val 255 def
- /ws cfs
- /im cfs
- /val 0 def
- /bs cfs
- /cs cfs
- } bind def
-400 ms
-/ip {
- is
- 0
- cf cs readline pop
- { ic exch get exec
- add
- } forall
- pop
-
- } bind def
-/wh {
- /len exch def
- /pos exch def
- ws 0 len getinterval im pos len getinterval copy pop
- pos len
- } bind def
-/bl {
- /len exch def
- /pos exch def
- bs 0 len getinterval im pos len getinterval copy pop
- pos len
- } bind def
-/s1 1 string def
-/fl {
- /len exch def
- /pos exch def
- /val cf s1 readhexstring pop 0 get def
- pos 1 pos len add 1 sub {im exch val put} for
- pos len
- } bind def
-/hx {
- 3 copy getinterval
- cf exch readhexstring pop pop
- } bind def
- /h FMLOCAL
- /w FMLOCAL
- /d FMLOCAL
- /lb FMLOCAL
- /bitmapsave FMLOCAL
- /is FMLOCAL
- /cf FMLOCAL
-/wbytes {
- dup
- 8 eq {pop} {1 eq {7 add 8 idiv} {3 add 4 idiv} ifelse} ifelse
- } bind def
-/BEGINBITMAPBWc {
- 1 {} COMMONBITMAPc
- } bind def
-/BEGINBITMAPGRAYc {
- 8 {} COMMONBITMAPc
- } bind def
-/BEGINBITMAP2BITc {
- 2 {} COMMONBITMAPc
- } bind def
-/COMMONBITMAPc {
- /r exch def
- /d exch def
- gsave
- translate rotate scale /h exch def /w exch def
- /lb w d wbytes def
- sl lb lt {lb ms} if
- /bitmapsave save def
- r
- /is im 0 lb getinterval def
- ws 0 lb getinterval is copy pop
- /cf currentfile def
- w h d [w 0 0 h neg 0 h]
- {ip} image
- bitmapsave restore
- grestore
- } bind def
-/BEGINBITMAPBW {
- 1 {} COMMONBITMAP
- } bind def
-/BEGINBITMAPGRAY {
- 8 {} COMMONBITMAP
- } bind def
-/BEGINBITMAP2BIT {
- 2 {} COMMONBITMAP
- } bind def
-/COMMONBITMAP {
- /r exch def
- /d exch def
- gsave
- translate rotate scale /h exch def /w exch def
- /bitmapsave save def
- r
- /is w d wbytes string def
- /cf currentfile def
- w h d [w 0 0 h neg 0 h]
- {cf is readhexstring pop} image
- bitmapsave restore
- grestore
- } bind def
- /proc1 FMLOCAL
- /proc2 FMLOCAL
- /newproc FMLOCAL
-/Fmcc {
- /proc2 exch cvlit def
- /proc1 exch cvlit def
- /newproc proc1 length proc2 length add array def
- newproc 0 proc1 putinterval
- newproc proc1 length proc2 putinterval
- newproc cvx
-} bind def
-/ngrayt 256 array def
-/nredt 256 array def
-/nbluet 256 array def
-/ngreent 256 array def
- /gryt FMLOCAL
- /blut FMLOCAL
- /grnt FMLOCAL
- /redt FMLOCAL
- /indx FMLOCAL
- /cynu FMLOCAL
- /magu FMLOCAL
- /yelu FMLOCAL
- /k FMLOCAL
- /u FMLOCAL
-/colorsetup {
- currentcolortransfer
- /gryt exch def
- /blut exch def
- /grnt exch def
- /redt exch def
- 0 1 255 {
- /indx exch def
- /cynu 1 red indx get 255 div sub def
- /magu 1 green indx get 255 div sub def
- /yelu 1 blue indx get 255 div sub def
- /k cynu magu min yelu min def
- /u k currentundercolorremoval exec def
- nredt indx 1 0 cynu u sub max sub redt exec put
- ngreent indx 1 0 magu u sub max sub grnt exec put
- nbluet indx 1 0 yelu u sub max sub blut exec put
- ngrayt indx 1 k currentblackgeneration exec sub gryt exec put
- } for
- {255 mul cvi nredt exch get}
- {255 mul cvi ngreent exch get}
- {255 mul cvi nbluet exch get}
- {255 mul cvi ngrayt exch get}
- setcolortransfer
- {pop 0} setundercolorremoval
- {} setblackgeneration
- } bind def
- /tran FMLOCAL
-/fakecolorsetup {
- /tran 256 string def
- 0 1 255 {/indx exch def
- tran indx
- red indx get 77 mul
- green indx get 151 mul
- blue indx get 28 mul
- add add 256 idiv put} for
- currenttransfer
- {255 mul cvi tran exch get 255.0 div}
- exch Fmcc settransfer
-} bind def
-/BITMAPCOLOR {
- /d 8 def
- gsave
- translate rotate scale /h exch def /w exch def
- /bitmapsave save def
- colorsetup
- /is w d wbytes string def
- /cf currentfile def
- w h d [w 0 0 h neg 0 h]
- {cf is readhexstring pop} {is} {is} true 3 colorimage
- bitmapsave restore
- grestore
- } bind def
-/BITMAPCOLORc {
- /d 8 def
- gsave
- translate rotate scale /h exch def /w exch def
- /lb w d wbytes def
- sl lb lt {lb ms} if
- /bitmapsave save def
- colorsetup
- /is im 0 lb getinterval def
- ws 0 lb getinterval is copy pop
- /cf currentfile def
- w h d [w 0 0 h neg 0 h]
- {ip} {is} {is} true 3 colorimage
- bitmapsave restore
- grestore
- } bind def
-/BITMAPGRAY {
- 8 {fakecolorsetup} COMMONBITMAP
- } bind def
-/BITMAPGRAYc {
- 8 {fakecolorsetup} COMMONBITMAPc
- } bind def
-/ENDBITMAP {
- } bind def
-end
-%%EndProlog
-%%BeginSetup
-(2.0) FMVERSION
-1 1 612 792 0 1 16 FMDOCUMENT
-/fillprocs 32 array def
-fillprocs 0 { 0.000000 grayness } put
-fillprocs 1 { 0.100000 grayness } put
-fillprocs 2 { 0.300000 grayness } put
-fillprocs 3 { 0.500000 grayness } put
-fillprocs 4 { 0.700000 grayness } put
-fillprocs 5 { 0.900000 grayness } put
-fillprocs 6 { 0.970000 grayness } put
-fillprocs 7 { 1.000000 grayness } put
-fillprocs 8 {<0f87c3e1f0783c1e> 8 1 setpattern } put
-fillprocs 9 {<0f1e3c78f0e1c387> 8 1 setpattern } put
-fillprocs 10 {<cccccccccccccccc> 8 1 setpattern } put
-fillprocs 11 {<ffff0000ffff0000> 8 1 setpattern } put
-fillprocs 12 {<8142241818244281> 8 1 setpattern } put
-fillprocs 13 {<8040201008040201> 8 1 setpattern } put
-fillprocs 14 {<03060c183060c081> 8 1 setpattern } put
-fillprocs 15 {} put
-fillprocs 16 { 1.000000 grayness } put
-fillprocs 17 { 0.900000 grayness } put
-fillprocs 18 { 0.700000 grayness } put
-fillprocs 19 { 0.500000 grayness } put
-fillprocs 20 { 0.300000 grayness } put
-fillprocs 21 { 0.100000 grayness } put
-fillprocs 22 { 0.030000 grayness } put
-fillprocs 23 { 0.000000 grayness } put
-fillprocs 24 {<f0783c1e0f87c3e1> 8 1 setpattern } put
-fillprocs 25 {<f0e1c3870f1e3c78> 8 1 setpattern } put
-fillprocs 26 {<3333333333333333> 8 1 setpattern } put
-fillprocs 27 {<0000ffff0000ffff> 8 1 setpattern } put
-fillprocs 28 {<7ebddbe7e7dbbd7e> 8 1 setpattern } put
-fillprocs 29 {<7fbfdfeff7fbfdfe> 8 1 setpattern } put
-fillprocs 30 {<fcf9f3e7cf9f3f7e> 8 1 setpattern } put
-fillprocs 31 {} put
-%%EndSetup
-0 12 /Helvetica-Bold FMDEFINEFONT
-1 12 /Helvetica-BoldOblique FMDEFINEFONT
-%%Page: "-1" 1
-%%BeginPaperSize: Letter
-%%EndPaperSize
-612 792 0 FMBEGINPAGE
-144 144 468 396 R
-7 X
-0 K
-V
-0 F
-0 X
-1.2 (IMPLEMENT) 178.34 388 S
-1.2 (A) 258.88 388 S
-1.2 (TION NOTES ON ) 267.85 388 S
-1 F
-1.2 (bdes) 382.61 388 S
-0 F
-1.2 (\0501\051) 415.4 388 S
-1.2 (Matt Bishop) 265.09 338 S
-1.2 (T) 197.74 288 S
-1.2 (echnical Report PCS-TR91-158) 205.38 288 S
-FMENDPAGE
-%%EndPage: "-1" 2
-%%Page: "0" 2
-612 792 0 FMBEGINPAGE
-72 72 540 720 R
-7 X
-0 K
-V
-FMENDPAGE
-%%EndPage: "0" 3
-0 12 /Times-Roman FMDEFINEFONT
-1 18 /Times-Bold FMDEFINEFONT
-2 18 /Times-BoldItalic FMDEFINEFONT
-3 12 /Times-Italic FMDEFINEFONT
-4 12 /Times-Bold FMDEFINEFONT
-5 10 /Times-Roman FMDEFINEFONT
-6 12 /Courier FMDEFINEFONT
-7 12 /Courier-Oblique FMDEFINEFONT
-8 12 /ZapfDingbats FMDEFINEFONT
-9 12 /Symbol FMDEFINEFONT
-10 12 /Courier-Bold FMDEFINEFONT
-%%Page: "1" 3
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 1 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-1 F
-0 X
-(Implementation Notes on ) 179.84 708 T
-2 F
-(bdes) 378.21 708 T
-1 F
-(\0501\051) 411.19 708 T
-0 F
-( ) 432.17 708 T
-3 F
-(Matt Bishop) 276.51 676 T
-0 F
-(Department of Mathematics and Computer Science) 182.92 656 T
-(Dartmouth College) 259.86 642 T
-(Hanover) 257.45 628 T
-(, NH 03755) 298.26 628 T
-3 F
-(ABSTRACT) 277.68 602 T
-0 F
-0.27 (This note describes the implementation of ) 108 582 P
-3 F
-0.27 (bdes) 314.13 582 P
-0 F
-0.27 (, the \336le encryption program being) 336.12 582 P
-0.36 (distributed in the 4.4 release of the Berkeley Software Distribution. It implements) 108 568 P
-(all modes of the Data Encryption Standard program.) 108 554 T
-4 F
-(1. Intr) 72 528 T
-(oduction) 104.43 528 T
-0 F
--0.09 (The Data Encryption Standard is a standard endorsed by the federal government. It is con-) 108 504 P
--0.56 (siderably stronger than the algorithm used by the ) 72 484 P
-5 F
--0.47 (UNIX) 305.36 484 P
-0 F
--0.56 (\252 ) 330.34 484 P
-3 F
--0.56 (crypt) 344.53 484 P
-0 F
--0.56 (\0501\051 program, and therefore is a more) 369.18 484 P
-0.11 (suitable candidate for protecting information, especially information contained in ) 72 464 P
-5 F
-0.09 (ASCII) 466.05 464 P
-0 F
-0.11 ( \336les. The) 492.14 464 P
--0.65 (program ) 72 444 P
-3 F
--0.65 (bdes) 114.99 444 P
-0 F
--0.65 (\0501\051 implements the DES and all of its modes, including the two authentication modes.) 136.97 444 P
--0.59 (Because others may wish to write software compatible with this program, this note presents) 108 420 P
--0.04 (the layout of the encrypted \336les produced by ) 72 400 P
-3 F
--0.04 (bdes) 288.86 400 P
-0 F
--0.04 ( as well as internal details relevant to the imple-) 310.85 400 P
--0.15 (mentation. Whereever possible and appropriate, the description of the ) 72 380 P
-3 F
--0.15 (des) 408.04 380 P
-0 F
--0.15 (\0501\051 program given in [4]) 424.03 380 P
--0.2 (has been followed; thus, ) 72 360 P
-3 F
--0.2 (bdes) 190.77 360 P
-0 F
--0.2 ( is completely compatible with that program. However) 212.75 360 P
--0.2 (, ) 473.33 360 P
-3 F
--0.2 (bdes) 479.12 360 P
-0 F
--0.2 ( also of-) 501.11 360 P
-(fers several extensions to ) 72 340 T
-3 F
-(des) 195.9 340 T
-0 F
-( that are not compatible, and these will be explicitly pointed out.) 211.89 340 T
--0.14 (In this note, strings typed as shown will be in ) 108 316 P
-6 F
--0.34 (Courier Roman font) 326.78 316 P
-0 F
--0.14 (, and strings to be) 455.62 316 P
--0.42 (chosen by the user will be in ) 72 296 P
-7 F
--1 (Courier Oblique font) 209.32 296 P
-0 F
--0.42 (. The space character \050) 351.24 296 P
-5 F
--0.35 (ASCII) 457.79 296 P
-0 F
--0.42 ( <) 483.88 296 P
-5 F
--0.35 (SP) 493.23 296 P
-0 F
--0.42 (>, octal) 504.34 296 P
--0.43 (40, decimal 32, hex 20\051 will be represented as \322) 72 276 P
-8 F
--0.47 (z) 296.98 276 P
-0 F
--0.43 (\323 and the newline character \050) 301.96 276 P
-5 F
--0.35 (ASCII) 438.03 276 P
-0 F
--0.43 ( <) 464.13 276 P
-5 F
--0.35 (NL) 473.46 276 P
-0 F
--0.43 (>, octal 12,) 486.79 276 P
--0.05 (decimal 10, hex a\051 as \322) 72 256 P
-9 F
--0.05 (\277) 181.65 256 P
-0 F
--0.05 (\323. Because it is often more convenient to represent arbitrary characters as) 189.54 256 P
-1.13 (a sequence of hexadecimal digits, that representation will often be used; these digits will be in) 72 236 P
-10 F
-(Courier Bold font) 72 216 T
-0 F
-( with spaces often inserted for readability) 194.33 216 T
-(.) 392.07 216 T
-4 F
-(2. Overview and Use) 72 184 T
-3 F
--0.39 (Bdes) 108 160 P
-0 F
--0.39 ( implements the Data Encryption Standard algorithm in software, and enables the user) 131.32 160 P
--0.61 (to encrypt data using any of the four modes of operation of the DES \050Electronic Code Book, Cipher) 72 140 P
-72 72 540 720 C
-72 72 540 117 C
-72 72 549 108 R
-7 X
-0 K
-V
-5 F
-0 X
-(This work is based on work funded by grant NAG2-680 from the National
-Aeronautics and Space Administration to ) 72 101.33 T
-(Dartmouth College.) 72 89.33 T
-(UNIX is a Registered T) 72 77.33 T
-(rademark of A) 166.58 77.33 T
-(T&T Bell Laboratories.) 223.75 77.33 T
-72 72 540 720 C
-0 0 612 792 C
-72 126 225 126 2 L
-7 X
-0 K
-V
-0.5 H
-2 Z
-0 X
-N
-FMENDPAGE
-%%EndPage: "1" 4
-%%Page: "2" 4
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 2 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-0 X
-0.31 (Block Chaining, ) 72 712 P
-3 F
-0.31 (k) 154.25 712 P
-0 F
-0.31 (-bit Cipher Feed Back, and ) 159.58 712 P
-3 F
-0.31 (k) 293.71 712 P
-0 F
-0.31 (-bit Output Feed Back\051 as well as the Alternate ) 299.04 712 P
-3 F
-0.31 (k) 530.68 712 P
-0 F
-0.31 (-) 536.01 712 P
--0.04 (bit Cipher Feed Back mode. Further) 72 692 P
--0.04 (, ) 244.52 692 P
-3 F
--0.04 (bdes) 250.48 692 P
-0 F
--0.04 ( supports message authentication code generation based) 272.46 692 P
-(on both the Cipher Block Chaining mode and the ) 72 672 T
-3 F
-(k) 310.86 672 T
-0 F
-(-bit Cipher Feed Back mode.) 316.19 672 T
-0.07 (By default, ) 108 648 P
-3 F
-0.07 (bdes) 164.43 648 P
-0 F
-0.07 ( encrypts an input \336le using Cipher Block Chaining mode, and is invoked) 186.41 648 P
--0.4 (as a \336lter) 72 628 P
--0.4 (. The key may be speci\336ed either on the command line or may be typed to the prompt. So,) 114.51 628 P
-(if the input \336le ) 72 608 T
-7 F
-(inputf) 145.96 608 T
-(ile) 189.14 608 T
-0 F
-( contains the message) 210.73 608 T
-6 F
-(a) 253.9 584 T
-8 F
-(z) 261.1 584 T
-6 F
-(test) 266.07 584 T
-8 F
-(z) 294.86 584 T
-6 F
-(message) 299.83 584 T
-9 F
-(\277) 350.21 584 T
-0 F
-(then the following command encrypts it using the key ) 72 560 T
-6 F
-(abcdefgh) 333.5 560 T
-0 F
-(:) 391.07 560 T
-6 F
-(bdes -k abcdefgh < ) 158.48 536 T
-7 F
-(inputf) 295.21 536 T
-(ile) 338.38 536 T
-6 F
-( > ) 359.97 536 T
-7 F
-(outputf) 381.56 536 T
-(ile) 431.93 536 T
-0 F
-(The option ) 72 512 T
-4 F
-(-k) 127.3 512 T
-0 F
-( indicates the next ar) 137.96 512 T
-(gument is the key) 237.01 512 T
-(. Now ) 321.17 512 T
-7 F
-(outputf) 353.48 512 T
-(ile) 403.86 512 T
-0 F
-( contains) 425.45 512 T
-10 F
-(16 0e eb af 68 a0 d0 19 f1 a2 9b 31 0d 8a 01 c3) 136.89 488 T
-0 F
-0.06 (Other modes are speci\336ed using command-line options, as is control of the way the key is) 108 464 P
-(interpreted. The next sections contain several examples, and the Appendix has the manual page.) 72 444 T
-4 F
-(3. Keys and Parity) 72 412 T
-0 F
-0.58 (The key consists of 64 bits, and may be presented in any of hex, binary) 108 388 P
-0.58 (, or as a string of) 456.48 388 P
-5 F
-0.12 (ASCII) 72 368 P
-0 F
-0.14 ( characters. If the key is given in hex or binary) 98.1 368 P
-0.14 (, it is used as is with no changes. However) 322.21 368 P
-0.14 (, if) 526.53 368 P
--0.27 (the key is given in ) 72 348 P
-5 F
--0.23 (ASCII) 161.59 348 P
-0 F
--0.27 (, a delicate problem arises: by convention, the parity bit is usually set to 0.) 187.69 348 P
--0.47 (This high-order bit is generally ignored by applications; but the DES
-does not do so. Instead, it dis-) 72 328 P
--0.14 (cards the low-order bit, ef) 72 308 P
--0.14 (fectively reducing the size of the space of possible keys from 2) 195.44 308 P
-5 F
--0.12 (56) 495.97 312.8 P
-0 F
--0.14 ( to 2) 505.97 308 P
-5 F
--0.12 (48) 527.01 312.8 P
-0 F
--0.14 (.) 537 308 P
--0.46 ( T) 108 284 P
--0.46 (o preserve the size of the key space, the value of the parity bit must be related to the value) 117.03 284 P
--0.09 (in the low-order bit, so the program sets the high-order bit to make each character in the key be of) 72 264 P
--0.7 (odd parity) 72 244 P
--0.7 (. \050Note that the initial value of the parity bit is ) 119.49 244 P
-3 F
--0.7 (not) 334.99 244 P
-0 F
--0.7 ( used in this computation.\051 For example,) 350.31 244 P
-(if the key is ) 72 224 T
-6 F
-(abcdefgh) 131.29 224 T
-0 F
-(, the actual key bits used are determined as follows:) 188.86 224 T
-5 F
-(ASCII) 99 200 T
-0 F
-( key) 125.1 200 T
-6 F
-(a) 243 200 T
-(b) 279 200 T
-(c) 315 200 T
-(d) 351 200 T
-(e) 387 200 T
-(f) 423 200 T
-(g) 459 200 T
-(h) 495 200 T
-5 F
-(ASCII) 99 180 T
-0 F
-( key bits \050hex\051) 125.1 180 T
-10 F
-(61) 243 180 T
-(62) 279 180 T
-(63) 315 180 T
-(64) 351 180 T
-(65) 387 180 T
-(66) 423 180 T
-(67) 459 180 T
-(68) 495 180 T
-0 F
-(parity) 99 160 T
-(odd) 243 160 T
-(odd) 279 160 T
-(even) 315 160 T
-(odd) 351 160 T
-(even) 387 160 T
-(even) 423 160 T
-(odd) 459 160 T
-(odd) 495 160 T
-(key bits used \050hex\051) 99 140 T
-10 F
-(61) 243 140 T
-(62) 279 140 T
-(e3) 315 140 T
-(64) 351 140 T
-(e5) 387 140 T
-(e6) 423 140 T
-(67) 459 140 T
-(68) 495 140 T
-0 F
-0.18 (This convention \050as opposed to requiring even parity) 108 120 P
-0.18 (, or simply copying the low-order bit) 362 120 P
--0.41 (to the high-order bit\051 was chosen to provide compatibility with the encryption program ) 72 100 P
-3 F
--0.41 (des) 486.77 100 P
-0 F
--0.41 ( distrib-) 502.76 100 P
--0.52 (uted by Sun Microsystems, Inc. [4]. Whether the key is entered on the command line or on the key-) 72 80 P
-FMENDPAGE
-%%EndPage: "2" 5
-%%Page: "3" 5
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 3 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-0 X
-1.89 (board, by default it is processed into the same key schedule generated by Sun\325) 72 712 P
-1.89 (s ) 471.02 712 P
-3 F
-1.89 (des) 480.58 712 P
-0 F
-1.89 (, so \336les) 496.56 712 P
-(encrypted on a Sun can be decrypted using ) 72 692 T
-3 F
-(bdes) 280.51 692 T
-0 F
-( \050and vice versa\051.) 302.49 692 T
--0.3 (If the user does not wish to use the Sun convention, the option \320) 108 668 P
-4 F
--0.3 (p) 411.9 668 P
-0 F
--0.3 ( will disable the parity bit) 418.57 668 P
--0.62 (changing; with it, the parity bit is that of the character typed. This
-is useful when the key is a known) 72 648 P
-5 F
-(ASCII) 72 628 T
-0 F
-( string and the \336le was encrypted on a system which does not alter parity bits.) 98.1 628 T
--0.24 (A key may be represented as a bit vector) 108 604 P
--0.24 (, rather than an ) 300.74 604 P
-5 F
--0.2 (ASCII) 374.7 604 P
-0 F
--0.24 ( string, in one of two ways. It) 400.8 604 P
-0.19 (may be represented as a string of up to 16 hexadecimal digits; if fewer than 16 are given, the key) 72 584 P
-0.16 (is right \336lled with 0 bits. Or) 72 564 P
-0.16 (, it may be represented as a string of up to 64 binary digits, and again) 206.11 564 P
-0.15 (if fewer than 64 are given, the key is right-\336lled with 0 bits. Bit
-vector keys must be given on the) 72 544 P
-0.51 (command line, and must begin with the characters ) 72 524 P
-6 F
-1.24 (0x) 320.28 524 P
-0 F
-0.51 ( or ) 334.67 524 P
-6 F
-1.24 (0X) 351.69 524 P
-0 F
-0.51 ( \050for hexadecimal\051 or ) 366.08 524 P
-6 F
-1.24 (0b) 472.71 524 P
-0 F
-0.51 ( or ) 487.1 524 P
-6 F
-1.24 (0B) 504.12 524 P
-0 F
-0.51 ( \050for) 518.51 524 P
-(binary\051. For example, all of the following strings generate the same key schedule:) 72 504 T
-5 F
-(ASCII) 72 480 T
-0 F
-( key) 98.1 480 T
-6 F
-(abcdefgh) 180 480 T
-0 F
-(hexadecimal key) 72 460 T
-6 F
-(0x6162e364e5e66768) 180 460 T
-0 F
-(binary key) 72 440 T
-6 F
-(0b0110000101100010111000110110100011100101111000-) 180 440 T
-(1100110011101101000) 180 420 T
-0 F
--0.14 ( Note that giving the key on the command line as ) 108 396 P
-6 F
--0.34 (0x6162636465666768) 345.27 396 P
-0 F
--0.14 ( will ) 474.8 396 P
-3 F
--0.14 (not) 499.17 396 P
-0 F
--0.14 ( reset) 514.5 396 P
-0.25 (the parity bits, because it is interpreted as a sequence of hex digits, not ) 72 376 P
-5 F
-0.21 (ASCII) 416.58 376 P
-0 F
-0.25 ( characters. The dif-) 442.68 376 P
-0.69 (ference in interpretation is that here the user can specify all bits of the key exactly) 72 356 P
-0.69 (, whereas \050on) 474.34 356 P
-0.25 (most terminals\051 it is not possible to control how the parity bit of ) 72 336 P
-5 F
-0.21 (ASCII) 384.76 336 P
-0 F
-0.25 ( characters is set. On some) 410.85 336 P
-0.36 (systems, it is possible to use a \322Meta\323 key to set the parity bit for an ) 72 316 P
-5 F
-0.3 (ASCII) 407.23 316 P
-0 F
-0.36 ( character; should this) 433.33 316 P
--0.3 (be the case and the user desire ) 72 296 P
-3 F
--0.3 (bdes) 218.09 296 P
-0 F
--0.3 ( not to reset the parity bit, the option ) 240.07 296 P
-4 F
--0.3 (\320p) 415.25 296 P
-0 F
--0.3 ( will force the parity bit) 427.92 296 P
-(to be used as typed.) 72 276 T
-4 F
-(4. Encryption Output Repr) 72 244 T
-(esentation) 211.05 244 T
-0 F
-0.01 (All modes of the DES output ciphertext in blocks; the size of the block is 64 bits \0508 bytes\051) 108 220 P
--0.25 (for ECB and CBC modes, and ) 72 200 P
-3 F
--0.25 (k) 218.74 200 P
-0 F
--0.25 ( bits for the ) 224.07 200 P
-3 F
--0.25 (k) 281.02 200 P
-0 F
--0.25 (-bit CFB and OFB modes, and there are as many out-) 286.35 200 P
--0.5 (put blocks as input blocks. However) 72 180 P
--0.5 (, as the length of the input is usually not a multiple of the block) 243.55 180 P
--0.35 (size, some padding is necessary; but as padding must be done by appending characters, these char-) 72 160 P
-0.29 (acters must be distinguished from the input characters somehow) 72 140 P
-0.29 (. The mechanism used is that the) 381.35 140 P
-0.31 (last character of the \050decrypted\051 last block is the
-\050integer\051 number of characters from the input in) 72 120 P
-(the last block.) 72 100 T
-FMENDPAGE
-%%EndPage: "3" 6
-%%Page: "4" 6
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 4 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-0 X
--0.59 (For example, suppose ) 108 712 P
-7 F
--1.41 (inputf) 214.16 712 P
--1.41 (ile) 257.34 712 P
-0 F
--0.59 ( contains \322) 278.93 712 P
-6 F
--1.41 (This) 329.04 712 P
-8 F
--0.65 (z) 357.83 712 P
-6 F
--1.41 (is) 362.8 712 P
-8 F
--0.65 (z) 377.2 712 P
-6 F
--1.41 (a) 382.17 712 P
-8 F
--0.65 (z) 389.37 712 P
-6 F
--1.41 (test) 394.35 712 P
-9 F
--0.59 (\277) 423.13 712 P
-0 F
--0.59 (\323, and it is encrypted in) 431.02 712 P
-(CBC mode using the key \322) 72 692 T
-6 F
-(abcdef#@) 200.93 692 T
-0 F
-(\323 and the initialization vector ) 258.5 692 T
-6 F
-(0x0) 401.4 692 T
-0 F
-(; the command is) 422.99 692 T
-6 F
-(bdes -k abcdef#@ < ) 158.48 668 T
-7 F
-(inputf) 295.21 668 T
-(ile) 338.38 668 T
-6 F
-( > ) 359.97 668 T
-7 F
-(outputf) 381.56 668 T
-(ile) 431.93 668 T
-0 F
-(as CBC is the default encryption mode and ) 72 644 T
-6 F
-(0x0) 281.2 644 T
-0 F
-( the default initialization vector:) 302.79 644 T
-(text) 72 620 T
-6 F
-(T) 117 620 T
-(h) 144 620 T
-(i) 171 620 T
-(s) 198 620 T
-8 F
-(z) 225 620 T
-6 F
-(i) 252 620 T
-(s) 279 620 T
-8 F
-(z) 306 620 T
-6 F
-(a) 333 620 T
-8 F
-(z) 360 620 T
-6 F
-(t) 387 620 T
-(e) 414 620 T
-(s) 441 620 T
-(t) 468 620 T
-9 F
-(\277) 495 620 T
-0 F
-(hex) 72 600 T
-10 F
-(54) 117 600 T
-(68) 144 600 T
-(69) 171 600 T
-(73) 198 600 T
-(20) 225 600 T
-(69) 252 600 T
-(73) 279 600 T
-(20) 306 600 T
-(61) 333 600 T
-(20) 360 600 T
-(74) 387 600 T
-(65) 414 600 T
-(73) 441 600 T
-(74) 468 600 T
-(0a) 495 600 T
-0 F
-(input) 72 580 T
-10 F
-(54) 117 580 T
-(68) 144 580 T
-(69) 171 580 T
-(73) 198 580 T
-(20) 225 580 T
-(69) 252 580 T
-(73) 279 580 T
-(20) 306 580 T
-(61) 333 580 T
-(20) 360 580 T
-(74) 387 580 T
-(65) 414 580 T
-(73) 441 580 T
-(74) 468 580 T
-(0a) 495 580 T
-(07) 522 580 T
-0 F
-(output) 72 560 T
-10 F
-(a5) 117 560 T
-(5f) 144 560 T
-(81) 171 560 T
-(53) 198 560 T
-(51) 225 560 T
-(98) 252 560 T
-(47) 279 560 T
-(02) 306 560 T
-(db) 333 560 T
-(5a) 360 560 T
-(c5) 387 560 T
-(fe) 414 560 T
-(50) 441 560 T
-(3d) 468 560 T
-(40) 495 560 T
-(ce) 522 560 T
-0 F
-0.04 (Notice that the text is 15 characters long, so there are 7 bytes following the last full block.) 108 540 P
-3 F
-0.22 (Bdes) 72 520 P
-0 F
-0.22 ( pads this to a full block by appending one byte containing the ) 95.32 520 P
-5 F
-0.19 (ASCII) 399.67 520 P
-0 F
-0.22 ( character with numeric) 425.77 520 P
-(value 7 \050the ) 72 500 T
-5 F
-(ASCII) 131.62 500 T
-0 F
-( character <) 157.71 500 T
-5 F
-(BEL) 214.42 500 T
-0 F
-(>\051. The result is then encrypted.) 233.3 500 T
-0.44 (As another example, suppose ) 108 476 P
-7 F
-1.07 (inputf) 253.34 476 P
-1.07 (ile) 296.52 476 P
-0 F
-0.44 ( contains \322) 318.11 476 P
-6 F
-1.07 (test) 370.29 476 P
-0 F
-0.44 (\323, and it is encrypted in ECB) 399.08 476 P
-(mode using the key \322) 72 456 T
-6 F
-(abcdef#@) 173.93 456 T
-0 F
-(\323; the command is) 231.5 456 T
-6 F
-(bdes -b \320k abcdef#@ < ) 147.69 432 T
-7 F
-(inputf) 306 432 T
-(ile) 349.18 432 T
-6 F
-( > ) 370.76 432 T
-7 F
-(outputf) 392.35 432 T
-(ile) 442.73 432 T
-0 F
-(because the option ) 72 408 T
-4 F
-(\320b) 164.26 408 T
-0 F
-( signi\336es ECB mode:) 176.93 408 T
-(text) 72 384 T
-6 F
-(t) 144 384 T
-(e) 171 384 T
-(s) 198 384 T
-(t) 225 384 T
-0 F
-(hex) 72 364 T
-10 F
-(74) 144 364 T
-(65) 171 364 T
-(73) 198 364 T
-(74) 225 364 T
-0 F
-(input) 72 344 T
-10 F
-(74) 144 344 T
-(65) 171 344 T
-(73) 198 344 T
-(74) 225 344 T
-(00) 252 344 T
-(00) 279 344 T
-(00) 306 344 T
-(04) 333 344 T
-0 F
-(output) 72 324 T
-10 F
-(0d) 144 324 T
-(8a) 171 324 T
-(6e) 198 324 T
-(57) 225 324 T
-(9c) 252 324 T
-(8f) 279 324 T
-(27) 306 324 T
-(5d) 333 324 T
-0 F
--0.31 (Finally) 108 304 P
--0.31 (, if the length of the message is indeed a multiple of the block size, an extra block of) 141.21 304 P
-0.83 (all 0 bits is added. Suppose ) 72 284 P
-7 F
-1.99 (inputf) 210.57 284 P
-1.99 (ile) 253.74 284 P
-0 F
-0.83 ( contains \322) 275.33 284 P
-6 F
-1.99 (test) 328.28 284 P
-9 F
-0.83 (\277) 357.07 284 P
-0 F
-0.83 (\323, and it is encrypted in 40-bit CFB) 364.96 284 P
-1.51 (mode using the key \322) 72 264 P
-6 F
-3.62 (abcdef#@) 179.96 264 P
-0 F
-1.51 (\323 and the initialization vector ) 237.53 264 P
-6 F
-3.62 (0x0123456789abcdef) 387.97 264 P
-0 F
-1.51 (; the) 517.5 264 P
-(command is) 72 244 T
-6 F
--0.99 (bdes -f40 -v0x0123456789abcdef -kabcdef#@ < ) 72 220 P
-7 F
--0.99 (inputf) 383.67 220 P
--0.99 (ile) 426.85 220 P
-6 F
--0.99 ( > ) 448.43 220 P
-7 F
--0.99 (outputf) 468.04 220 P
--0.99 (ile) 518.41 220 P
-0 F
-0.16 (because the option ) 72 196 P
-4 F
-0.16 (\320f40 ) 164.75 196 P
-0 F
-0.16 (signi\336es 40-bit CFB mode, and ) 189.89 196 P
-4 F
-0.16 (-v0x01234566789abcdef) 343.96 196 P
-0 F
-0.16 ( sets the initial-) 465.89 196 P
-(ization vector \050note that spaces between the option and its ar) 72 176 T
-(gument are optional\051:) 361.57 176 T
-(text) 72 152 T
-6 F
-(t) 144 152 T
-(e) 171 152 T
-(s) 198 152 T
-(t) 225 152 T
-9 F
-(\277) 252 152 T
-0 F
-(hex) 72 132 T
-10 F
-(74) 144 132 T
-(65) 171 132 T
-(73) 198 132 T
-(74) 225 132 T
-(0a) 252 132 T
-0 F
-(input) 72 112 T
-10 F
-(74) 144 112 T
-(65) 171 112 T
-(73) 198 112 T
-(74) 225 112 T
-(0a) 252 112 T
-(00) 279 112 T
-(00) 306 112 T
-(00) 333 112 T
-(00) 360 112 T
-(00) 387 112 T
-0 F
-(output) 72 92 T
-10 F
-(e2) 144 92 T
-(c2) 171 92 T
-(69) 198 92 T
-(a4) 225 92 T
-(5b) 252 92 T
-(3c) 279 92 T
-(3d) 306 92 T
-(b3) 333 92 T
-(f5) 360 92 T
-(3c) 387 92 T
-FMENDPAGE
-%%EndPage: "4" 7
-1 12 /Times-BoldItalic FMDEFINEFONT
-2 14 /Symbol FMDEFINEFONT
-%%Page: "5" 7
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 5 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-0 X
-(Note here the block size is 40 bits \0505 bytes\051, not 64 bits \0508 bytes\051.) 108 712 T
--0.4 (This technique allows complete compatibility with Sun\325) 108 688 P
--0.4 (s ) 374.11 688 P
-3 F
--0.4 (des) 381.37 688 P
-0 F
--0.4 ( program. In Sun\325) 397.36 688 P
--0.4 (s implemen-) 480.77 688 P
-0.02 (tation, padding is done with random bytes rather than bytes containing all zero bits. Cryptograph-) 72 668 P
-0.85 (ically) 72 648 P
-0.85 (, this makes no dif) 97.87 648 P
-0.85 (ference, as the DES is a suf) 189.32 648 P
-0.85 (\336ciently good random cipher to obscure the) 325.74 648 P
-(input \050see for example [2], Chapter 6\051, and known plaintext attacks are very dif) 72 628 T
-(\336cult [1].) 451.82 628 T
-4 F
-(5. Differ) 72 596 T
-(ences Between the Standard CFB and OFB Modes and ) 114.41 596 T
-1 F
-(bdes) 397.26 596 T
-0 F
--0.11 (The UNIX operating system treats all \336les as streams of 8-bit bytes. In order to implement) 108 572 P
--0.08 (the CFB and OFB modes properly) 72 552 P
--0.08 (, it would be necessary to read ) 235.74 552 P
-3 F
--0.08 (k) 383.74 552 P
-0 F
--0.08 ( bits from the \336le, where ) 389.07 552 P
-3 F
--0.08 (k) 509.51 552 P
-0 F
--0.08 ( is an) 514.84 552 P
-0.98 (integer between 1 and 64 inclusive. However) 72 532 P
-0.98 (, this would require considerable buf) 294.22 532 P
-0.98 (fering and be) 474.77 532 P
-0.23 (quite inef) 72 512 P
-0.23 (\336cient and prohibitively slow) 117.65 512 P
-0.23 (. For these reasons, the current implementation of ) 258.48 512 P
-3 F
-0.23 (bdes) 501.48 512 P
-0 F
-0.23 ( re-) 523.46 512 P
-0.47 (quires that ) 72 492 P
-3 F
-0.47 (k) 126.23 492 P
-0 F
-0.47 ( be a multiple of 8, so that an integral number of bytes will always be read from the) 131.56 492 P
-(\336le. Other than this change, this mode is implemented as described in [3].) 72 472 T
--0.58 (A similar observation holds for the alternate CFB mode described in [3]. Here, only the low) 108 448 P
-0.23 (7 bits of each byte are signi\336cant, and hence the parameter ) 72 428 P
-3 F
-0.23 (k) 358.95 428 P
-0 F
-0.23 ( is an integer from 1 to 56 inclusive;) 364.28 428 P
-(bdes requires k to be a multiple of 7. The high-order bit is retained for encryption and decryption,) 72 408 T
-(but output \050whether from encryption or decryption\051 always has the high-order bit set to zero.) 72 388 T
-4 F
-(6. Message Authentication Code Modes) 72 356 T
-0 F
-0.57 (The Data Encryption Standard provides two modes of authentication, each providing be-) 108 332 P
-1.27 (tween 1 and 64 bits of authentication data. In both cases an ) 72 312 P
-3 F
-1.27 (n) 373.32 312 P
-0 F
-1.27 (-bit message authentication code) 379.32 312 P
-0.62 (\050MAC\051 is generated, where 1) 72 292 P
-2 F
-0.73 ( ) 214.71 292 P
-9 F
-0.62 (\243) 218.94 292 P
-0 F
-0.62 ( ) 225.52 292 P
-3 F
-0.62 (n) 229.15 292 P
-0 F
-0.62 ( ) 235.14 292 P
-9 F
-0.62 (\243) 238.76 292 P
-0 F
-0.62 ( 64. The \336rst is based on the CBC encryption mode, and the) 245.35 292 P
-(second on CFB mode. Both work the same.) 72 272 T
-0.13 (First, the \336le is padded to a multiple of the block size by appending enough zero bits. It is) 108 248 P
--0.16 (then encrypted using the standard CBC \050or CFB\051 algorithm, but
-all encrypted text is discarded ex-) 72 228 P
--0.44 (cept for the last block. The ) 72 208 P
-3 F
--0.44 (n) 200.9 208 P
-0 F
--0.44 ( leading bits of the last block are used as the MAC. Note that the block) 206.9 208 P
-(size constrains the number of bits available as the MAC.) 72 188 T
-0.71 (The implementation allows the user to specify that the MAC is to be computed in either) 108 164 P
--0.01 (CBC or CFB mode, and the user can specify any number of bits from 1 to 64 inclusive. However) 72 144 P
--0.01 (,) 537 144 P
--0.11 (because the UNIX operating system can only output bits in multiples of 8, if the number of bits of) 72 124 P
--0.08 (MAC is not a multiple of 8, the MAC will be right-padded with the minimum number of zero bits) 72 104 P
--0.31 (necessary to make the MAC length be a multiple of 8. However) 72 84 P
--0.31 (, note that as the standard \050[3], Ap-) 374.6 84 P
-FMENDPAGE
-%%EndPage: "5" 8
-%%Page: "6" 8
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 6 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-0 X
--0.14 (pendix F\051 requires an incomplete \336nal block be right-padded with
-zeroes, the technique of forcing) 72 712 P
-(the last octet to contain the number of bytes in the message is ) 72 692 T
-3 F
-(not) 369.47 692 T
-0 F
-( used here.) 384.8 692 T
--0.39 (For example, suppose ) 108 668 P
-7 F
--0.94 (inputf) 214.76 668 P
--0.94 (ile) 257.93 668 P
-0 F
--0.39 ( contains \322) 279.52 668 P
-6 F
--0.94 (This) 330.04 668 P
-8 F
--0.43 (z) 358.82 668 P
-6 F
--0.94 (is) 363.8 668 P
-8 F
--0.43 (z) 378.19 668 P
-6 F
--0.94 (a) 383.17 668 P
-8 F
--0.43 (z) 390.36 668 P
-6 F
--0.94 (test) 395.34 668 P
-9 F
--0.39 (\277) 424.13 668 P
-0 F
--0.39 (\323, and a 64-bit MAC is) 432.02 668 P
--0.73 (to be generated using CBC mode, the key \322) 72 648 P
-6 F
--1.74 (abcdef#@) 274.39 648 P
-0 F
--0.73 (\323 and the initialization vector ) 331.96 648 P
-6 F
--1.74 (0x0) 471.23 648 P
-0 F
--0.73 (; the com-) 492.82 648 P
-(mand is) 72 628 T
-6 F
-(bdes -m 64 -k abcdef#@ < ) 136.89 604 T
-7 F
-(inputf) 316.79 604 T
-(ile) 359.97 604 T
-6 F
-( > ) 381.56 604 T
-7 F
-(outputf) 403.15 604 T
-(ile) 453.52 604 T
-0 F
-(as CBC is the default encryption mode and ) 72 580 T
-6 F
-(0x0) 281.2 580 T
-0 F
-( the default initialization vector:) 302.79 580 T
-(text) 72 556 T
-6 F
-(T) 117 556 T
-(h) 144 556 T
-(i) 171 556 T
-(s) 198 556 T
-8 F
-(z) 225 556 T
-6 F
-(i) 252 556 T
-(s) 279 556 T
-8 F
-(z) 306 556 T
-6 F
-(a) 333 556 T
-8 F
-(z) 360 556 T
-6 F
-(t) 387 556 T
-(e) 414 556 T
-(s) 441 556 T
-(t) 468 556 T
-9 F
-(\277) 495 556 T
-0 F
-(hex) 72 536 T
-10 F
-(54) 117 536 T
-(68) 144 536 T
-(69) 171 536 T
-(73) 198 536 T
-(20) 225 536 T
-(69) 252 536 T
-(73) 279 536 T
-(20) 306 536 T
-(61) 333 536 T
-(20) 360 536 T
-(74) 387 536 T
-(65) 414 536 T
-(73) 441 536 T
-(74) 468 536 T
-(0a) 495 536 T
-0 F
-(input) 72 516 T
-10 F
-(54) 117 516 T
-(68) 144 516 T
-(69) 171 516 T
-(73) 198 516 T
-(20) 225 516 T
-(69) 252 516 T
-(73) 279 516 T
-(20) 306 516 T
-(61) 333 516 T
-(20) 360 516 T
-(74) 387 516 T
-(65) 414 516 T
-(73) 441 516 T
-(74) 468 516 T
-(0a) 495 516 T
-(00) 522 516 T
-0 F
-(output) 72 496 T
-10 F
-(43) 117 496 T
-(18) 144 496 T
-(de) 171 496 T
-(74) 198 496 T
-(24) 225 496 T
-(a9) 252 496 T
-(65) 279 496 T
-(d1) 306 496 T
-0 F
-0.04 (Notice that the text is 15 characters long, so there are 7 bytes following the last full block.) 108 476 P
-3 F
-(Bdes) 72 456 T
-0 F
-( pads this to a full block by appending a zero-\336lled byte. The result is then encrypted and the) 95.32 456 T
-(last block of output is used as the MAC.) 72 436 T
-0.06 (As another example, suppose we used the same text, and wanted a 36-bit MAC to be gen-) 108 412 P
-6.91 (erated using 40-bit CFB mode, the key \322) 72 392 P
-6 F
-16.58 (abcdef#@) 314.9 392 P
-0 F
-6.91 (\323 and the initialization vector) 372.47 392 P
-6 F
-(0x0123456789abcdef) 72 372 T
-0 F
-(; the command is) 201.53 372 T
-6 F
-(bdes -m 36 -f 40 -v 0x0123456789abcdef < ) 79.32 348 T
-7 F
-(inputf) 374.36 348 T
-(ile) 417.54 348 T
-6 F
-( > ) 439.13 348 T
-7 F
-(outputf) 460.71 348 T
-(ile) 511.09 348 T
-0 F
--0.19 (where ) 72 324 P
-4 F
--0.19 (\320m 36) 104.11 324 P
-0 F
--0.19 ( is the option to generate a 36-bit MAC, ) 134.91 324 P
-4 F
--0.19 (\320f 40) 327.79 324 P
-0 F
--0.19 ( indicates 40-bit CFB is to be used, and) 352.58 324 P
-4 F
--0.31 (\320v 0x123456789abcdef) 72 304 P
-0 F
--0.31 ( sets the initialization vector) 186.62 304 P
--0.31 (. Note that, as the key is not given on the com-) 319.95 304 P
-(mand line, the user will be prompted for it. It gives:) 72 284 T
-(text) 72 260 T
-6 F
-(T) 117 260 T
-(h) 144 260 T
-(i) 171 260 T
-(s) 198 260 T
-8 F
-(z) 225 260 T
-6 F
-(i) 252 260 T
-(s) 279 260 T
-8 F
-(z) 306 260 T
-6 F
-(a) 333 260 T
-8 F
-(z) 360 260 T
-6 F
-(t) 387 260 T
-(e) 414 260 T
-(s) 441 260 T
-(t) 468 260 T
-9 F
-(\277) 495 260 T
-0 F
-(hex) 72 240 T
-10 F
-(54) 117 240 T
-(68) 144 240 T
-(69) 171 240 T
-(73) 198 240 T
-(20) 225 240 T
-(69) 252 240 T
-(73) 279 240 T
-(20) 306 240 T
-(61) 333 240 T
-(20) 360 240 T
-(74) 387 240 T
-(65) 414 240 T
-(73) 441 240 T
-(74) 468 240 T
-(0a) 495 240 T
-0 F
-(input) 72 220 T
-10 F
-(54) 117 220 T
-(68) 144 220 T
-(69) 171 220 T
-(73) 198 220 T
-(20) 225 220 T
-(69) 252 220 T
-(73) 279 220 T
-(20) 306 220 T
-(61) 333 220 T
-(20) 360 220 T
-(74) 387 220 T
-(65) 414 220 T
-(73) 441 220 T
-(74) 468 220 T
-(0a) 495 220 T
-0 F
-(output) 72 200 T
-10 F
-(2b) 117 200 T
-(18) 144 200 T
-(68) 171 200 T
-(2d) 198 200 T
-(60) 225 200 T
-0 F
-0.19 (Note that the MAC is padded on the right by four zero bits to produce \336ve characters that) 108 180 P
-(can be output.) 72 160 T
-4 F
-(7. Differ) 72 128 T
-(ences Between ) 114.41 128 T
-1 F
-(bdes) 191.01 128 T
-4 F
-( and Sun\325) 212.99 128 T
-(s DES Implementation) 261.88 128 T
-0 F
-0.02 (The program ) 108 104 P
-3 F
-0.02 (bdes) 173.33 104 P
-0 F
-0.02 ( is designed to be completely compatible with Sun Microsystems, Inc.\325) 195.31 104 P
-0.02 (s) 535.33 104 P
-0.57 (implementation of the Data Encryption Standard, called ) 72 84 P
-3 F
-0.57 (des) 347.14 84 P
-0 F
-0.57 ( and described in [4]. Thus, \336les en-) 363.13 84 P
-FMENDPAGE
-%%EndPage: "6" 9
-%%Page: "7" 9
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 7 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-0 X
-0.44 (crypted using ) 72 712 P
-3 F
-0.44 (des) 140.84 712 P
-0 F
-0.44 ( can be decrypted using ) 156.83 712 P
-3 F
-0.44 (bdes) 275.29 712 P
-0 F
-0.44 (, and vice versa, provided modes common to both) 297.27 712 P
--0.34 (are used. However) 72 692 P
--0.34 (, ) 160.41 692 P
-3 F
--0.34 (bdes) 166.06 692 P
-0 F
--0.34 ( does not allow \336les to be named on the command line, nor does it support) 188.05 692 P
--0.68 (hardware devices \050and so the ) 72 672 P
-4 F
--0.68 (-s) 210.83 672 P
-0 F
--0.68 ( and ) 219.49 672 P
-4 F
--0.68 (-f) 241.45 672 P
-0 F
--0.68 ( options of Sun\325) 249.44 672 P
--0.68 (s ) 323.71 672 P
-3 F
--0.68 (des) 330.7 672 P
-0 F
--0.68 ( are not available\051. Further) 346.69 672 P
--0.68 (, as encryption) 471.07 672 P
--0.05 (is the default, the Sun ) 72 652 P
-3 F
--0.05 (des) 179.01 652 P
-0 F
--0.05 ( ) 195 652 P
-4 F
--0.05 (-e) 197.95 652 P
-0 F
--0.05 ( option is not recognized. As the manual page to ) 207.27 652 P
-3 F
--0.05 (bdes) 441.6 652 P
-0 F
--0.05 ( is in the appen-) 463.59 652 P
-(dix, these dif) 72 632 T
-(ferences will not be elaborated upon further) 134.08 632 T
-(.) 343.24 632 T
-0.44 (Sun\325) 108 608 P
-0.44 (s ) 130 608 P
-3 F
-0.44 (des) 138.1 608 P
-0 F
-0.44 ( supports the use of special-purpose hardware to encrypt and decrypt. Although) 154.09 608 P
-3 F
-1.33 (bdes) 72 588 P
-0 F
-1.33 ( does not directly support the use of such hardware, it uses the library routine ) 93.98 588 P
-3 F
-1.33 (encrypt) 487.05 588 P
-0 F
-1.33 (\0503\051,) 523.02 588 P
--0.09 (which may) 72 568 P
--0.09 (. Hardware support was not included directly to support as lar) 124.1 568 P
--0.09 (ge a number of platforms) 419.11 568 P
-(as possible with installers needing to know as little about the hardware as possible.) 72 548 T
--0.08 (Sun\325) 108 524 P
--0.08 (s ) 130 524 P
-3 F
--0.08 (des) 137.58 524 P
-0 F
--0.08 ( supports only the CBC and ECB encryption modes; ) 153.57 524 P
-3 F
--0.08 (bdes) 407.07 524 P
-0 F
--0.08 ( supports all modes de-) 429.05 524 P
-0.26 (scribed in [3] \050although CFB and OFB are not completely supported\051 as well as both CBC-based) 72 504 P
-(and CFB-based MACs.) 72 484 T
-0.15 (Although input with length not a multiple of the block size is handled in the same way by) 108 460 P
--0.47 (both ) 72 440 P
-3 F
--0.47 (des) 95.85 440 P
-0 F
--0.47 ( and ) 111.84 440 P
-3 F
--0.47 (bdes) 134.21 440 P
-0 F
--0.47 (, dif) 156.19 440 P
--0.47 (ferent values of the padding bytes are used in all but the last byte of the input.) 174.82 440 P
-(Where ) 72 420 T
-3 F
-(bdes) 106.96 420 T
-0 F
-( puts zero bytes, ) 128.94 420 T
-3 F
-(des) 209.89 420 T
-0 F
-( puts bytes containing random values. The reason for Sun\325) 225.87 420 T
-(s doing) 505.02 420 T
-0.47 (so is to prevent a known plaintext attack on the \336le should an
-attacker determine that the input\325) 72 400 P
-0.47 (s) 535.33 400 P
--0.29 (length were a multiple of the block size. W) 72 380 P
--0.29 (ith ) 276.05 380 P
-3 F
--0.29 (bdes) 291.43 380 P
-0 F
--0.29 (, the plaintext contents of the last block of input) 313.41 380 P
-0.31 (for such a \336le is known \050a block with all bits zero\051. W) 72 360 P
-0.31 (ith ) 333.99 360 P
-3 F
-0.31 (des) 349.96 360 P
-0 F
-0.31 (, the plaintext contents of that block) 365.95 360 P
-0.73 (are not known. Cryptanalytically) 72 340 P
-0.73 (, given the information about the strength of the DES currently) 231.29 340 P
-0.2 (known, it is widely believed that known plaintext attacks are infeasible
-\050see for example [1]\051 and) 72 320 P
-1.86 (so initializing and invoking the pseudorandom number generator seems unnecessary) 72 300 P
-1.86 (. But this) 492.63 300 P
-(means that ciphertexts produced from a plaintext by ) 72 280 T
-3 F
-(bdes) 324.48 280 T
-0 F
-( and ) 346.47 280 T
-3 F
-(des) 369.78 280 T
-0 F
-( will dif) 385.77 280 T
-(fer in the last block.) 423.54 280 T
-4 F
-(Refer) 72 248 T
-(ences) 100.41 248 T
-0 F
-([1]) 72 224 T
-0.37 (D. Denning, \322The Data Encryption Standard: Fifteen Y) 108 224 P
-0.37 (ears of Public Scrutiny) 374.87 224 P
-0.37 (,\323 ) 484.8 224 P
-3 F
-0.37 (Pr) 496.49 224 P
-0.37 (oceed-) 508.04 224 P
--0.47 (ings of the Sixth Annual Computer Security Applications Confer) 108 204 P
--0.47 (ence) 411.65 204 P
-0 F
--0.47 ( pp. x\320xv \050Dec. 1990\051.) 433.62 204 P
-([2]) 72 180 T
-(A. Konheim, ) 108 180 T
-3 F
-(Cryptography: A Primer) 173.29 180 T
-0 F
-(, John W) 291.4 180 T
-(iley and Sons, Inc., New Y) 333.9 180 T
-(ork, NY \0501981\051.) 461.94 180 T
-([3]) 72 156 T
-3 F
-0.63 (DES Modes of Operation) 108 156 P
-0 F
-0.63 (, Federal Information Processing Standards Publication 81, Na-) 231.47 156 P
--0.07 (tional Bureau of Standards, U.S. Department of Commerce, W) 108 136 P
--0.07 (ashington, DC \050Dec. 1980\051.) 407.62 136 P
-([4]) 72 112 T
-3 F
-(UNIX User) 108 112 T
-(\325) 162.74 112 T
-(s Manual) 165.18 112 T
-0 F
-(, Sun Microsystems Inc., Mountain V) 210.16 112 T
-(iew) 390 112 T
-(, CA \050Mar) 406.54 112 T
-(. 1988\051.) 455.51 112 T
-4 F
-(Appendix. The UNIX System Manual Page for ) 72 80 T
-1 F
-(bdes) 313.2 80 T
-FMENDPAGE
-%%EndPage: "7" 10
-1 11 /Times-Bold FMDEFINEFONT
-%%Page: "8" 10
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 8 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-1 F
-0 X
-(NAME) 72 712.67 T
-0 F
-(bdes - encrypt/decrypt using the Data Encryption Standard) 108 689 T
-1 F
-(SYNOPSIS) 72 663.67 T
-4 F
-(bdes) 108 640 T
-0 F
-( [) 131.33 640 T
-3 F
-( ) 138.32 640 T
-4 F
-(-abdp) 141.32 640 T
-0 F
-( ] [ ) 171.31 640 T
-4 F
-(-F) 188.3 640 T
-0 F
-( ) 199.62 640 T
-3 F
-(b) 202.62 640 T
-0 F
-( ] [ ) 208.61 640 T
-4 F
-(-f) 225.6 640 T
-0 F
-( ) 233.58 640 T
-3 F
-(b) 236.58 640 T
-0 F
-( ] [ ) 242.58 640 T
-4 F
-(-k) 259.56 640 T
-0 F
-( ) 270.22 640 T
-3 F
-(key) 273.22 640 T
-0 F
-( ] [ ) 289.2 640 T
-4 F
-(-m) 306.18 640 T
-0 F
-( ) 320.16 640 T
-3 F
-(b) 323.16 640 T
-0 F
-( ] [ ) 329.16 640 T
-4 F
-(-o) 346.14 640 T
-0 F
-( ) 356.13 640 T
-3 F
-(b) 359.13 640 T
-0 F
-( ] [ ) 365.13 640 T
-4 F
-(-v) 382.11 640 T
-0 F
-( ) 392.1 640 T
-3 F
-(vector) 395.1 640 T
-0 F
-( ]) 425.07 640 T
-1 F
-(DESCRIPTION) 72 614.67 T
-3 F
--0.69 (Bdes) 108 591 P
-0 F
--0.69 ( reads from the standard input and writes on the standard output. It implements all DES) 131.32 591 P
--0.09 (modes of operation described in FIPS PUB 81 including alternative cipher feedback mode) 108 577 P
-0.74 (and both authentication modes. All modes but the electronic code book mode require an) 108 563 P
--0.14 (initialization vector; if none is supplied, the zero vector is used. T) 108 549 P
--0.14 (o protect the key and ini-) 420.44 549 P
-0.29 (tialization vector from being read by) 108 535 P
-3 F
-0.29 ( ps) 284.98 535 P
-0 F
-0.29 (\0501\051, ) 298.94 535 P
-3 F
-0.29 (bdes ) 319.21 535 P
-0 F
-0.29 (hides its ar) 344.48 535 P
-0.29 (guments on entry) 396.81 535 P
-0.29 (. If no ) 479.89 535 P
-3 F
-0.29 (key ) 512.74 535 P
-0 F
-0.29 (is) 532 535 P
--0.61 (given, one is requested from the controlling terminal if that can be opened, or from the stan-) 108 521 P
-(dard input if not.) 108 507 T
--0.17 (The key and initialization vector are taken as sequences of ) 108 489 P
-5 F
--0.14 (ASCII) 389.38 489 P
-0 F
--0.17 ( characters which are then) 415.48 489 P
--0.35 (mapped into their bit representations. If either begins with
-\3240x\325 or \3240X\325, that one is taken as) 108 475 P
-1.02 (a sequence of hexadecimal digits indicating the bit pattern; if either begins with \3240b\325 or) 108 461 P
--0.73 (\3240B\325, that one is taken as a sequence of binary digits
-indicating the bit pattern. In either case,) 108 447 P
--0.37 (only the leading 64 bits of the key or initialization vector are used, and if fewer than 64 bits) 108 433 P
-0.35 (are provided, enough 0 bits are appended to pad the key to 64 bits. Note that if the key is) 108 419 P
-0.03 (not entered on the command line, it is interpreted in the same way) 108 405 P
-0.03 (, because with 4.4 BSD,) 424.31 405 P
--0.36 (the password reading function ) 108 391 P
-3 F
--0.36 (getpass) 254.45 391 P
-0 F
--0.36 (\0503\051 allows enough characters for either hex or binary) 290.43 391 P
-(keys to be entered.) 108 377 T
-0.04 (According to the DES standard, the low-order bit of each character in the key string is de-) 108 359 P
--0.18 (leted. Since most ) 108 345 P
-5 F
--0.15 (ASCII) 192.75 345 P
-0 F
--0.18 ( representations set the high-order bit to 0, simply deleting the low-) 218.84 345 P
--0.29 (order bit ef) 108 331 P
--0.29 (fectively reduces the size of the key space from 2) 160.49 331 P
-5 F
--0.24 (56) 394.67 335.8 P
-0 F
--0.29 ( to 2) 404.67 331 P
-5 F
--0.24 (48) 425.41 335.8 P
-0 F
--0.29 ( keys. T) 435.4 331 P
--0.29 (o prevent this,) 472.29 331 P
--0.46 (the high-order bit must be a function depending in part upon the low-order bit; so, the high-) 108 317 P
-0.11 (order bit is set to whatever value gives odd parity) 108 303 P
-0.11 (. This preserves the key space size. Note) 345.05 303 P
-(this resetting of the parity bit is ) 108 289 T
-3 F
-(not) 260.92 289 T
-0 F
-( done if the key is given in binary or hex.) 276.24 289 T
--0.38 (By default, the standard input is encrypted using cipher block chaining mode and is written) 108 271 P
-0.18 (to the standard output. Using the same key for encryption and decryption preserves plain-) 108 257 P
-(text, so) 108 243 T
-( bdes ) 225.81 225 T
-3 F
-(key) 253.79 225 T
-0 F
-( < plaintext | bdes \320i ) 269.77 225 T
-3 F
-(key) 370.21 225 T
-0 F
-( ) 386.19 225 T
-(is a very expensive equivalent of ) 108 201 T
-3 F
-(cat) 268.54 201 T
-0 F
-(\0501\051.) 283.2 201 T
-(Options are:) 108 183 T
-( ) 108 165 T
-4 F
-(\320a) 111 165 T
-0 F
--0.75 (The key and initialization vector strings are to be taken as ) 144 165 P
-5 F
--0.62 (ASCII) 415.89 165 P
-0 F
--0.75 ( suppressing the spe-) 441.98 165 P
-0.3 (cial interpretation given to leading \3240x\325, \3240X\325, \3240b\325,
-and \3240B\325 characters. Note this) 144 151 P
-(\337ag applies to ) 144 137 T
-3 F
-(both) 214.29 137 T
-0 F
-( the key and initialization vector) 235.62 137 T
-(.) 389.85 137 T
-4 F
-(\320b) 108 119 T
-0 F
-(Use electronic code book mode.) 144 119 T
-4 F
-(\320d) 108 101 T
-0 F
-(Decrypt the input.) 144 101 T
-FMENDPAGE
-%%EndPage: "8" 11
-%%Page: "9" 11
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 9 of 11) 479.71 34.7 T
-72 72 540 720 R
-7 X
-V
-4 F
-0 X
-(\320f) 108 712 T
-0 F
-( ) 117.99 712 T
-3 F
-(b) 120.99 712 T
-0 F
--0.29 (Use ) 144 712 P
-3 F
--0.29 (b) 165.36 712 P
-0 F
--0.29 (-bit cipher feedback mode. Currently ) 171.35 712 P
-3 F
--0.29 (b) 350.42 712 P
-0 F
--0.29 ( must be a multiple of 8 between 8 and) 356.42 712 P
-(64 inclusive \050this does not conform to the standard CFB mode speci\336cation\051.) 144 698 T
-4 F
-(\320F) 108 680 T
-0 F
-( ) 121.32 680 T
-3 F
-(b) 124.32 680 T
-0 F
--0.29 (Use ) 144 680 P
-3 F
--0.29 (b) 165.36 680 P
-0 F
--0.29 (-bit alternative cipher feedback mode. Currently ) 171.36 680 P
-3 F
--0.29 (b) 403.77 680 P
-0 F
--0.29 ( must be a multiple of 7 be-) 409.77 680 P
--0.12 (tween 7 and 56 inclusive \050this does not conform to the alternative CFB mode spec-) 144 666 P
-(i\336cation\051.) 144 652 T
-4 F
-(\320k) 108 634 T
-0 F
-( ) 120.67 634 T
-3 F
-(key) 123.66 634 T
-0 F
-0.37 (Use the string ) 144 616 P
-3 F
-0.37 (key) 214.74 616 P
-0 F
-0.37 ( as the cryptographic key) 230.72 616 P
-0.37 (. If this ar) 352.01 616 P
-0.37 (gument is not given, the user) 399.54 616 P
-(will be prompted for the key) 144 602 T
-(.) 280.12 602 T
-4 F
-(\320m) 108 584 T
-0 F
-( ) 123.99 584 T
-3 F
-(b) 126.99 584 T
-0 F
-0.71 (Compute a message authentication code \050MAC\051 of ) 144 584 P
-3 F
-0.71 (b) 395.78 584 P
-0 F
-0.71 ( bits on the input. ) 401.77 584 P
-3 F
-0.71 (b) 491.94 584 P
-0 F
-0.71 ( must be) 497.94 584 P
-0.11 (between 1 and 64 inclusive; if ) 144 570 P
-3 F
-0.11 (b) 291.87 570 P
-0 F
-0.11 ( is not a multiple of 8, enough 0 bits will be added) 297.86 570 P
--0.44 (to pad the MAC length to the nearest multiple of 8. Only the MAC is output. MACs) 144 556 P
-(are only available in cipher block chaining mode or in cipher feedback mode.) 144 542 T
-4 F
-(\320o) 108 524 T
-0 F
-( ) 119.99 524 T
-3 F
-(b) 122.99 524 T
-0 F
--0.34 (Use ) 144 524 P
-3 F
--0.34 (b) 165.31 524 P
-0 F
--0.34 (-bit output feedback mode. Currently ) 171.31 524 P
-3 F
--0.34 (b) 350.83 524 P
-0 F
--0.34 ( must be a multiple of 8 between 8 and) 356.83 524 P
-(64 inclusive \050this does not conform to the OFB mode speci\336cation\051.) 144 510 T
-4 F
-(\320p) 108 492 T
-0 F
--0.14 (Disable the resetting of the parity bit. This \337ag forces the parity bit of the key to be) 144 492 P
-0.03 (used as typed, rather than making each character be of odd parity) 144 478 P
-0.03 (. It is used only if) 455.91 478 P
-(the key is given in ) 144 464 T
-5 F
-(ASCII) 234.95 464 T
-0 F
-(.) 261.04 464 T
-4 F
-(\320v) 108 446 T
-0 F
-( ) 119.99 446 T
-3 F
-(vector) 122.99 446 T
-0 F
--0.5 (Set the initialization vector to ) 144 428 P
-3 F
--0.5 (v) 286.44 428 P
-0 F
--0.5 (; the vector is interpreted in the same way as the key) 291.76 428 P
--0.5 (.) 537 428 P
-(The vector is ignored in electronic codebook mode.) 144 414 T
--0.55 (The DES is considered a very strong cryptosystem, and other than table lookup attacks, key) 108 396 P
-0.24 (search attacks, and Hellman\325) 108 382 P
-0.24 (s time-memory tradeof) 246.61 382 P
-0.24 (f \050all of which are very expensive and) 356.8 382 P
-0.66 (time-consuming\051, no cryptanalytic methods for breaking the DES are known in the open) 108 368 P
-0.33 (literature. No doubt the choice of keys and key security are the most vulnerable aspect of) 108 354 P
-3 F
-(bdes) 108 340 T
-0 F
-(.) 129.98 340 T
-4 F
-(IMPLEMENT) 72 314 T
-(A) 146.41 314 T
-(TION NOTES) 154.18 314 T
-0 F
-0.57 (For implementors wishing to write software compatible with this program, the following) 108 290 P
--0.23 (notes are provided. This software is completely compatible with the implementation of the) 108 276 P
-(data encryption standard distributed by Sun Microsystems, Inc.) 108 262 T
-0.11 (In the ECB and CBC modes, plaintext is encrypted in units of 64 bits \0508 bytes, also called) 108 244 P
-0.52 (a block\051. T) 108 230 P
-0.52 (o ensure that the plaintext \336le is encrypted correctly) 160.49 230 P
-0.52 (, ) 413.01 230 P
-3 F
-0.52 (bdes ) 419.53 230 P
-0 F
-0.52 (will \050internally\051 ap-) 445.03 230 P
-0.29 (pend from 1 to 8 bytes, the last byte containing an integer stating how many bytes of that) 108 216 P
--0.71 (\336nal block are from the plaintext \336le, and encrypt the resulting block. Hence, when decrypt-) 108 202 P
-0.27 (ing, the last block may contain from 0 to 7 characters present in the plaintext \336le, and the) 108 188 P
--0.59 (last byte tells how many) 108 174 P
--0.59 (. Note that if during decryption the last byte of the \336le does not con-) 221.46 174 P
-0.41 (tain an integer between 0 and 7, either the \336le has been corrupted or an incorrect key has) 108 160 P
-0.48 (been given. A similar mechanism is used for the OFB and CFB modes, except that those) 108 146 P
-0.26 (simply require the length of the input to be a multiple of the mode size, and the \336nal byte) 108 132 P
--0.73 (contains an integer between 0 and one less than the number of bytes being used as the mode.) 108 118 P
-(\050This was another reason that the mode size must be a multiple of 8 for those modes.\051) 108 104 T
-FMENDPAGE
-%%EndPage: "9" 12
-%%Page: "10" 12
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 10 of 11) 473.71 34.7 T
-72 72 540 720 R
-7 X
-V
-0 X
-0.94 (Unlike Sun\325) 108 712 P
-0.94 (s implementation, unused bytes of that last block are not \336lled with random) 166.58 712 P
-0.57 (data, but instead contain what was in those byte positions in the preceding block. This is) 108 698 P
-(quicker and more portable, and does not weaken the encryption signi\336cantly) 108 684 T
-(.) 473.95 684 T
-0.36 (If the key is entered in ) 108 666 P
-5 F
-0.3 (ASCII) 220.76 666 P
-0 F
-0.36 (, the parity bits of the key characters are set so that each key) 246.85 666 P
-1.03 (character is of odd parity) 108 652 P
-1.03 (. Unlike Sun\325) 231.23 652 P
-1.03 (s implementation, it is possible to enter binary or) 296.92 652 P
--0.57 (hexadecimal keys on the command line, and if this is done, the parity bits are ) 108 638 P
-3 F
--0.57 (not ) 472.85 638 P
-0 F
--0.57 (reset. This) 490.61 638 P
-(allows testing using arbitrary bit patterns as keys.) 108 624 T
-0.64 (The Sun implementation always uses an initialization vector of 0 \050that is, all zeroes\051. By) 108 606 P
-(default, ) 108 592 T
-3 F
-(bdes ) 147.3 592 T
-0 F
-(does too, but this may be changed from the command line.) 172.29 592 T
-4 F
-(FILES) 72 566 T
-0 F
-(/dev/tty) 108 542 T
-(controlling terminal for typed key) 180 542 T
-4 F
-(SEE ALSO) 72 516 T
-3 F
-(crypt) 108 492 T
-0 F
-(\0501\051, ) 132.65 492 T
-3 F
-(crypt) 152.63 492 T
-0 F
-(\0503\051) 177.27 492 T
-3 F
--0.4 (Data Encryption Standar) 108 474 P
--0.4 (d) 228.02 474 P
-0 F
--0.4 (, Federal Information Processing Standard #46, National Bureau) 234.02 474 P
-(of Standards, U.S. Department of Commerce, W) 108 460 T
-(ashington DC \050Jan. 1977\051.) 340.2 460 T
-3 F
-0.16 (DES) 108 442 P
-0 F
-0.16 ( ) 129.98 442 P
-3 F
-0.16 (Modes of Operation, ) 133.15 442 P
-0 F
-0.16 (Federal Information Processing Standard #81, National Bureau) 236.24 442 P
-(of Standards, U.S. Department of Commerce, W) 108 428 T
-(ashington DC \050Dec. 1980\051.) 340.2 428 T
-2.75 (Dorothy Denning, ) 108 410 P
-3 F
-2.75 (Cryptography and Data Security) 203.77 410 P
-0 F
-2.75 (, Addison-W) 368.8 410 P
-2.75 (esley Publishing Co.,) 432.55 410 P
-(Reading, MA \2511982.) 108 396 T
--0.19 ( Matt Bishop, \322Implementation Notes on ) 108 378 P
-3 F
--0.19 (bdes) 305.76 378 P
-0 F
--0.19 (\0501\051\323, T) 327.75 378 P
--0.19 (echnical Report PCS-TR-91-158, De-) 359.35 378 P
-0.34 (partment of Mathematics and Computer Science, Dartmouth College, Hanover) 108 364 P
-0.34 (, NH \050Apr) 488.01 364 P
-0.34 (.) 537 364 P
-(1991\051.) 108 350 T
-4 F
-(CAUTION) 72 324 T
-0 F
--0.55 (Certain speci\336c keys should be avoided because they introduce potential weaknesses; these) 108 300 P
--0.44 (keys, called the ) 108 286 P
-3 F
--0.44 (weak) 183.95 286 P
-0 F
--0.44 ( and ) 208.6 286 P
-3 F
--0.44 (semiweak) 231.03 286 P
-0 F
--0.44 ( keys, are \050in hex notation, where ) 277.66 286 P
-6 F
--1.06 (p) 437.45 286 P
-0 F
--0.44 ( is either ) 444.64 286 P
-6 F
--1.06 (0) 487.63 286 P
-0 F
--0.44 ( or ) 494.82 286 P
-6 F
--1.06 (1) 509.93 286 P
-0 F
--0.44 (, and) 517.12 286 P
-6 F
-(P) 108 272 T
-0 F
-( is either ) 115.2 272 T
-6 F
-(e) 159.5 272 T
-0 F
-( or ) 166.7 272 T
-6 F
-(f) 182.68 272 T
-0 F
-(\051:) 189.88 272 T
-6 F
-(0x0p0p0p0p0p0p0p0p) 144 254 T
-(0x0p1P0p1P0p0P0p0P) 360 254 T
-(0x0pep0pep0pfp0pfp) 144 236 T
-(0x0pfP0pfP0pfP0pfP) 360 236 T
-(0x1P0p1P0p0P0p0P0p) 144 218 T
-(0x1P1P1P1P0P0P0P0P) 360 218 T
-(0x1Pep1Pep0Pfp0Pfp) 144 200 T
-(0x1PfP1PfP0PfP0PfP) 360 200 T
-(0xep0pep0pfp0pfp0p) 144 182 T
-(0xep1Pep1pfp0Pfp0P) 360 182 T
-(0xepepepepepepepep) 144 164 T
-(0xepfPepfPfpfPfpfP) 360 164 T
-(0xfP0pfP0pfP0pfP0p) 144 146 T
-(0xfP1PfP1PfP0PfP0P) 360 146 T
-(0xfPepfPepfPepfPep) 144 128 T
-(0xfPfPfPfPfPfPfPfP) 360 128 T
-0 F
-0.13 (The weakness of these keys is inherent in the DES algorithm \050see for example Moore and) 108 110 P
--0.57 (Simmons, \322Cycle structure of the DES with weak and semi-weak keys,\323) 108 96 P
-3 F
--0.57 ( Advances in Cryp-) 449.43 96 P
-(tology \320 Crypto \32486 Pr) 108 82 T
-(oceedings) 216.83 82 T
-0 F
-(, Springer) 264.79 82 T
-(-V) 311.85 82 T
-(erlag New Y) 323.17 82 T
-(ork, \2511987, pp. 9-32\051.) 383.25 82 T
-FMENDPAGE
-%%EndPage: "10" 13
-%%Page: "11" 13
-612 792 0 FMBEGINPAGE
-72 745.99 540 756 R
-7 X
-0 K
-V
-72 32.69 540 42.7 R
-V
-0 F
-0 X
-(Page 11 of 11) 473.71 34.7 T
-72 72 540 720 R
-7 X
-V
-4 F
-0 X
-(BUGS) 72 712 T
-0 F
--0.18 (There is a controversy raging over whether the DES will still be secure in a few years. The) 108 688 P
-0.31 (advent of special-purpose hardware could reduce the cost of any of the methods of attack) 108 674 P
-(named above so that they are no longer computationally infeasible.) 108 660 T
-0.32 (Programs which display programs\325 ar) 108 642 P
-0.32 (guments may compromise the key and initialization) 289.59 642 P
-0.76 (vector if they are speci\336ed on the command line. T) 108 628 P
-0.76 (o avoid this ) 358.46 628 P
-3 F
-0.76 (bdes) 419.7 628 P
-0 F
-0.76 ( overwrites its ar) 441.68 628 P
-0.76 (gu-) 524.01 628 P
-(ments. However) 108 614 T
-(, the obvious race cannot currently be avoided.) 186.12 614 T
-0.25 (As the key or key schedule is kept in memory throughout the run of this program, the en-) 108 596 P
-(cryption can be compromised if memory is readable.) 108 582 T
--0.4 (There is no warranty of merchantability nor any warranty of \336tness for a particular purpose) 108 564 P
-0.05 (nor any other warranty) 108 550 P
-0.05 (, either express or implied, as to the accuracy of the enclosed mate-) 216.95 550 P
-(rials or as to their suitability for any particular purpose.) 108 536 T
--0.06 (Accordingly) 108 518 P
--0.06 (, the user assumes full responsibility for their use. Further) 167.18 518 P
--0.06 (, the author assumes) 442.93 518 P
--0.25 (no obligation to furnish any assistance of any kind whatsoever) 108 504 P
--0.25 (, or to furnish any additional) 404.69 504 P
-(information or documentation.) 108 490 T
-4 F
-(AUTHOR) 72 464 T
-0 F
--0.54 (Matt Bishop, Department of Mathematics and Computer Science, Bradley Hall, Dartmouth) 108 440 P
-(College, Hanover) 108 426 T
-(, NH 03755) 192.12 426 T
-(Electronic mail addresses:) 108 408 T
-(Internet: Matt.Bishop@dartmouth.edu) 108 390 T
-(UUCP: decvax!dartvax!Matt.Bishop) 108 372 T
-FMENDPAGE
-%%EndPage: "11" 14
-%%Trailer
-%%BoundingBox: 0 0 612 792
-%%Pages: 13 1
-%%DocumentFonts: Helvetica-Bold
-%%+ Helvetica-BoldOblique
-%%+ Times-Roman
-%%+ Times-Bold
-%%+ Times-BoldItalic
-%%+ Times-Italic
-%%+ Courier
-%%+ Courier-Oblique
-%%+ ZapfDingbats
-%%+ Symbol
-%%+ Courier-Bold
diff --git a/secure/usr.bin/openssl/Makefile b/secure/usr.bin/openssl/Makefile
deleted file mode 100644
index 0b41c15442bc..000000000000
--- a/secure/usr.bin/openssl/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-# $FreeBSD$
-
-PROG= xopenssl
-PROGNAME= openssl
-
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-LDADD= -lssl -lcrypto
-
-NOLINT= true
-
-.if exists(Makefile.man)
-.include "Makefile.man"
-.endif
-.include "../../lib/libcrypto/Makefile.inc"
-
-CFLAGS+= -DMONOLITH -I${.CURDIR}
-
-SRCS+= app_rand.c apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \
- dgst.c dh.c dhparam.c dsa.c dsaparam.c enc.c engine.c errstr.c \
- gendh.c gendsa.c genrsa.c nseq.c ocsp.c openssl.c passwd.c \
- pkcs12.c pkcs7.c pkcs8.c rand.c req.c rsa.c rsautl.c s_cb.c \
- s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c \
- speed.c spkac.c verify.c version.c x509.c
-
-.include <bsd.prog.mk>
-
-.PATH: ${LCRYPTO_SRC}/apps \
- ${.CURDIR}/man
diff --git a/secure/usr.bin/openssl/Makefile.man b/secure/usr.bin/openssl/Makefile.man
deleted file mode 100644
index 51f677d4c097..000000000000
--- a/secure/usr.bin/openssl/Makefile.man
+++ /dev/null
@@ -1,42 +0,0 @@
-# $FreeBSD$
-# DO NOT EDIT: generated from man-makefile-update target
-MAN+= CA.pl.1
-MAN+= asn1parse.1
-MAN+= ca.1
-MAN+= ciphers.1
-MAN+= crl.1
-MAN+= crl2pkcs7.1
-MAN+= dgst.1
-MAN+= dhparam.1
-MAN+= dsa.1
-MAN+= dsaparam.1
-MAN+= enc.1
-MAN+= gendsa.1
-MAN+= genrsa.1
-MAN+= nseq.1
-MAN+= ocsp.1
-MAN+= openssl.1
-MAN+= passwd.1
-MAN+= pkcs12.1
-MAN+= pkcs7.1
-MAN+= pkcs8.1
-MAN+= rand.1
-MAN+= req.1
-MAN+= rsa.1
-MAN+= rsautl.1
-MAN+= s_client.1
-MAN+= s_server.1
-MAN+= sess_id.1
-MAN+= smime.1
-MAN+= speed.1
-MAN+= spkac.1
-MAN+= verify.1
-MAN+= version.1
-MAN+= x509.1
-MLINKS+= dgst.1 md5.1
-MLINKS+= dgst.1 md4.1
-MLINKS+= dgst.1 md2.1
-MLINKS+= dgst.1 sha1.1
-MLINKS+= dgst.1 sha.1
-MLINKS+= dgst.1 mdc2.1
-MLINKS+= dgst.1 ripemd160.1
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
deleted file mode 100644
index 6cdcd26a3154..000000000000
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ /dev/null
@@ -1,302 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:30 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "CA.PL 1"
-.TH CA.PL 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-\&\s-1CA\s0.pl \- friendlier interface for OpenSSL certificate programs
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fB\s-1CA\s0.pl\fR
-[\fB\-?\fR]
-[\fB\-h\fR]
-[\fB\-help\fR]
-[\fB\-newcert\fR]
-[\fB\-newreq\fR]
-[\fB\-newreq-nodes\fR]
-[\fB\-newca\fR]
-[\fB\-xsign\fR]
-[\fB\-sign\fR]
-[\fB\-signreq\fR]
-[\fB\-signcert\fR]
-[\fB\-verify\fR]
-[\fBfiles\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line
-arguments to the \fBopenssl\fR command for some common certificate operations.
-It is intended to simplify the process of certificate creation and management
-by the use of some simple options.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4
-.IX Item "?, -h, -help"
-prints a usage message.
-.Ip "\fB\-newcert\fR" 4
-.IX Item "-newcert"
-creates a new self signed certificate. The private key and certificate are
-written to the file \*(L"newreq.pem\*(R".
-.Ip "\fB\-newreq\fR" 4
-.IX Item "-newreq"
-creates a new certificate request. The private key and request are
-written to the file \*(L"newreq.pem\*(R".
-.Ip "\fB\-newreq-nowdes\fR" 4
-.IX Item "-newreq-nowdes"
-is like \fB\-newreq\fR except that the private key will not be encrypted.
-.Ip "\fB\-newca\fR" 4
-.IX Item "-newca"
-creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR
-and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0
-certificates (which should also contain the private key) or by hitting \s-1ENTER\s0
-details of the \s-1CA\s0 will be prompted for. The relevant files and directories
-are created in a directory called \*(L"demoCA\*(R" in the current directory.
-.Ip "\fB\-pkcs12\fR" 4
-.IX Item "-pkcs12"
-create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0
-certificate. It expects the user certificate and private key to be in the
-file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem,
-it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the
-\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser.
-If there is an additional argument on the command line it will be used as the
-\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser
-list box), otherwise the name \*(L"My Certificate\*(R" is used.
-.Ip "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4
-.IX Item "-sign, -signreq, -xsign"
-calls the \fBca\fR program to sign a certificate request. It expects the request
-to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file
-\&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written
-to standard output.
-.Ip "\fB\-signCA\fR" 4
-.IX Item "-signCA"
-this option is the same as the \fB\-signreq\fR option except it uses the configuration
-file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This
-is useful when creating intermediate \s-1CA\s0 from a root \s-1CA\s0.
-.Ip "\fB\-signcert\fR" 4
-.IX Item "-signcert"
-this option is the same as \fB\-sign\fR except it expects a self signed certificate
-to be present in the file \*(L"newreq.pem\*(R".
-.Ip "\fB\-verify\fR" 4
-.IX Item "-verify"
-verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no certificates
-are specified on the command line it tries to verify the file \*(L"newcert.pem\*(R".
-.Ip "\fBfiles\fR" 4
-.IX Item "files"
-one or more optional certificate file names for use with the \fB\-verify\fR command.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Create a \s-1CA\s0 hierarchy:
-.PP
-.Vb 1
-\& CA.pl -newca
-.Ve
-Complete certificate creation example: create a \s-1CA\s0, create a request, sign
-the request and finally create a PKCS#12 file containing it.
-.PP
-.Vb 4
-\& CA.pl -newca
-\& CA.pl -newreq
-\& CA.pl -signreq
-\& CA.pl -pkcs12 "My Test Certificate"
-.Ve
-.SH "DSA CERTIFICATES"
-.IX Header "DSA CERTIFICATES"
-Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to
-use it with \s-1DSA\s0 certificates and requests using the req(1) command
-directly. The following example shows the steps that would typically be taken.
-.PP
-Create some \s-1DSA\s0 parameters:
-.PP
-.Vb 1
-\& openssl dsaparam -out dsap.pem 1024
-.Ve
-Create a \s-1DSA\s0 \s-1CA\s0 certificate and private key:
-.PP
-.Vb 1
-\& openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
-.Ve
-Create the \s-1CA\s0 directories and files:
-.PP
-.Vb 1
-\& CA.pl -newca
-.Ve
-enter cacert.pem when prompted for the \s-1CA\s0 file name.
-.PP
-Create a \s-1DSA\s0 certificate request and private key (a different set of parameters
-can optionally be created first):
-.PP
-.Vb 1
-\& openssl req -out newreq.pem -newkey dsa:dsap.pem
-.Ve
-Sign the request:
-.PP
-.Vb 1
-\& CA.pl -signreq
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script.
-.PP
-If the demoCA directory already exists then the \fB\-newca\fR command will not
-overwrite it and will do nothing. This can happen if a previous call using
-the \fB\-newca\fR option terminated abnormally. To get the correct behaviour
-delete the demoCA directory if it already exists.
-.PP
-Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script
-directly (for example Win32) and the default configuration file location may
-be wrong. In this case the command:
-.PP
-.Vb 1
-\& perl -S CA.pl
-.Ve
-can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to
-the correct path of the configuration file \*(L"openssl.cnf\*(R".
-.PP
-The script is intended as a simple front end for the \fBopenssl\fR program for use
-by a beginner. Its behaviour isn't always what is wanted. For more control over the
-behaviour of the certificate commands call the \fBopenssl\fR command directly.
-.SH "ENVIRONMENT VARIABLES"
-.IX Header "ENVIRONMENT VARIABLES"
-The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration
-file location to be specified, it should contain the full path to the
-configuration file, not just its directory.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-x509(1), ca(1), req(1), pkcs12(1),
-config(5)
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1
deleted file mode 100644
index 0586002da1c7..000000000000
--- a/secure/usr.bin/openssl/man/asn1parse.1
+++ /dev/null
@@ -1,251 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-asn1parse \- \s-1ASN\s0.1 parsing tool
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBasn1parse\fR
-[\fB\-inform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-noout\fR]
-[\fB\-offset number\fR]
-[\fB\-length number\fR]
-[\fB\-i\fR]
-[\fB\-oid filename\fR]
-[\fB\-strparse offset\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN\s0.1
-structures. It can also be used to extract data from \s-1ASN\s0.1 formatted data.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-inform\fR \fBDER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-the input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64
-encoded.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-the input file, default is standard input
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-output file to place the \s-1DER\s0 encoded data into. If this
-option is not present then no data will be output. This is most useful when
-combined with the \fB\-strparse\fR option.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-don't output the parsed version of the input file.
-.Ip "\fB\-offset number\fR" 4
-.IX Item "-offset number"
-starting offset to begin parsing, default is start of file.
-.Ip "\fB\-length number\fR" 4
-.IX Item "-length number"
-number of bytes to parse, default is until end of file.
-.Ip "\fB\-i\fR" 4
-.IX Item "-i"
-indents the output according to the \*(L"depth\*(R" of the structures.
-.Ip "\fB\-oid filename\fR" 4
-.IX Item "-oid filename"
-a file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this
-file is described in the \s-1NOTES\s0 section below.
-.Ip "\fB\-strparse offset\fR" 4
-.IX Item "-strparse offset"
-parse the contents octets of the \s-1ASN\s0.1 object starting at \fBoffset\fR. This
-option can be used multiple times to \*(L"drill down\*(R" into a nested structure.
-.Sh "\s-1OUTPUT\s0"
-.IX Subsection "OUTPUT"
-The output will typically contain lines like this:
-.PP
-.Vb 1
-\& 0:d=0 hl=4 l= 681 cons: SEQUENCE
-.Ve
-\&.....
-.PP
-.Vb 10
-\& 229:d=3 hl=3 l= 141 prim: BIT STRING
-\& 373:d=2 hl=3 l= 162 cons: cont [ 3 ]
-\& 376:d=3 hl=3 l= 159 cons: SEQUENCE
-\& 379:d=4 hl=2 l= 29 cons: SEQUENCE
-\& 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
-\& 386:d=5 hl=2 l= 22 prim: OCTET STRING
-\& 410:d=4 hl=2 l= 112 cons: SEQUENCE
-\& 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
-\& 417:d=5 hl=2 l= 105 prim: OCTET STRING
-\& 524:d=4 hl=2 l= 12 cons: SEQUENCE
-.Ve
-\&.....
-.PP
-This example is part of a self signed certificate. Each line starts with the
-offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased
-within the scope of any \s-1SET\s0 or \s-1SEQUENCE\s0. \fBhl=XX\fR gives the header length
-(tag and length octets) of the current type. \fBl=XX\fR gives the length of
-the contents octets.
-.PP
-The \fB\-i\fR option can be used to make the output more readable.
-.PP
-Some knowledge of the \s-1ASN\s0.1 structure is needed to interpret the output.
-.PP
-In this example the \s-1BIT\s0 \s-1STRING\s0 at offset 229 is the certificate public key.
-The contents octets of this will contain the public key information. This can
-be examined using the option \fB\-strparse 229\fR to yield:
-.PP
-.Vb 3
-\& 0:d=0 hl=3 l= 137 cons: SEQUENCE
-\& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
-\& 135:d=1 hl=2 l= 3 prim: INTEGER :010001
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-If an \s-1OID\s0 is not part of OpenSSL's internal table it will be represented in
-numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option
-allows additional OIDs to be included. Each line consists of three columns,
-the first column is the \s-1OID\s0 in numerical format and should be followed by white
-space. The second column is the \*(L"short name\*(R" which is a single word followed
-by white space. The final column is the rest of the line and is the
-\&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. Example:
-.PP
-\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR
-.SH "BUGS"
-.IX Header "BUGS"
-There should be options to change the format of input lines. The output of some
-\&\s-1ASN\s0.1 types is not well handled (if at all).
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
deleted file mode 100644
index c6bc46dcb78d..000000000000
--- a/secure/usr.bin/openssl/man/ca.1
+++ /dev/null
@@ -1,701 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "CA 1"
-.TH CA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-ca \- sample minimal \s-1CA\s0 application
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBca\fR
-[\fB\-verbose\fR]
-[\fB\-config filename\fR]
-[\fB\-name section\fR]
-[\fB\-gencrl\fR]
-[\fB\-revoke file\fR]
-[\fB\-crl_reason reason\fR]
-[\fB\-crl_hold instruction\fR]
-[\fB\-crl_compromise time\fR]
-[\fB\-crl_CA_compromise time\fR]
-[\fB\-subj arg\fR]
-[\fB\-crldays days\fR]
-[\fB\-crlhours hours\fR]
-[\fB\-crlexts section\fR]
-[\fB\-startdate date\fR]
-[\fB\-enddate date\fR]
-[\fB\-days arg\fR]
-[\fB\-md arg\fR]
-[\fB\-policy arg\fR]
-[\fB\-keyfile arg\fR]
-[\fB\-key arg\fR]
-[\fB\-passin arg\fR]
-[\fB\-cert file\fR]
-[\fB\-in file\fR]
-[\fB\-out file\fR]
-[\fB\-notext\fR]
-[\fB\-outdir dir\fR]
-[\fB\-infiles\fR]
-[\fB\-spkac file\fR]
-[\fB\-ss_cert file\fR]
-[\fB\-preserveDN\fR]
-[\fB\-noemailDN\fR]
-[\fB\-batch\fR]
-[\fB\-msie_hack\fR]
-[\fB\-extensions section\fR]
-[\fB\-extfile section\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used
-to sign certificate requests in a variety of forms and generate
-CRLs it also maintains a text database of issued certificates
-and their status.
-.PP
-The options descriptions will be divided into each purpose.
-.SH "CA OPTIONS"
-.IX Header "CA OPTIONS"
-.Ip "\fB\-config filename\fR" 4
-.IX Item "-config filename"
-specifies the configuration file to use.
-.Ip "\fB\-name section\fR" 4
-.IX Item "-name section"
-specifies the configuration file section to use (overrides
-\&\fBdefault_ca\fR in the \fBca\fR section).
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-an input filename containing a single certificate request to be
-signed by the \s-1CA\s0.
-.Ip "\fB\-ss_cert filename\fR" 4
-.IX Item "-ss_cert filename"
-a single self signed certificate to be signed by the \s-1CA\s0.
-.Ip "\fB\-spkac filename\fR" 4
-.IX Item "-spkac filename"
-a file containing a single Netscape signed public key and challenge
-and additional field values to be signed by the \s-1CA\s0. See the \fB\s-1SPKAC\s0 \s-1FORMAT\s0\fR
-section for information on the required format.
-.Ip "\fB\-infiles\fR" 4
-.IX Item "-infiles"
-if present this should be the last option, all subsequent arguments
-are assumed to the the names of files containing certificate requests.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-the output file to output certificates to. The default is standard
-output. The certificate details will also be printed out to this
-file.
-.Ip "\fB\-outdir directory\fR" 4
-.IX Item "-outdir directory"
-the directory to output certificates to. The certificate will be
-written to a filename consisting of the serial number in hex with
-\&\*(L".pem\*(R" appended.
-.Ip "\fB\-cert\fR" 4
-.IX Item "-cert"
-the \s-1CA\s0 certificate file.
-.Ip "\fB\-keyfile filename\fR" 4
-.IX Item "-keyfile filename"
-the private key to sign requests with.
-.Ip "\fB\-key password\fR" 4
-.IX Item "-key password"
-the password used to encrypt the private key. Since on some
-systems the command line arguments are visible (e.g. Unix with
-the 'ps' utility) this option should be used with caution.
-.Ip "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-the key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-verbose\fR" 4
-.IX Item "-verbose"
-this prints extra details about the operations being performed.
-.Ip "\fB\-notext\fR" 4
-.IX Item "-notext"
-don't output the text form of a certificate to the output file.
-.Ip "\fB\-startdate date\fR" 4
-.IX Item "-startdate date"
-this allows the start date to be explicitly set. The format of the
-date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
-.Ip "\fB\-enddate date\fR" 4
-.IX Item "-enddate date"
-this allows the expiry date to be explicitly set. The format of the
-date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
-.Ip "\fB\-days arg\fR" 4
-.IX Item "-days arg"
-the number of days to certify the certificate for.
-.Ip "\fB\-md alg\fR" 4
-.IX Item "-md alg"
-the message digest to use. Possible values include md5, sha1 and mdc2.
-This option also applies to CRLs.
-.Ip "\fB\-policy arg\fR" 4
-.IX Item "-policy arg"
-this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
-the configuration file which decides which fields should be mandatory
-or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
-for more information.
-.Ip "\fB\-msie_hack\fR" 4
-.IX Item "-msie_hack"
-this is a legacy option to make \fBca\fR work with very old versions of
-the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
-for almost everything. Since the old control has various security bugs
-its use is strongly discouraged. The newer control \*(L"Xenroll\*(R" does not
-need this option.
-.Ip "\fB\-preserveDN\fR" 4
-.IX Item "-preserveDN"
-Normally the \s-1DN\s0 order of a certificate is the same as the order of the
-fields in the relevant policy section. When this option is set the order
-is the same as the request. This is largely for compatibility with the
-older \s-1IE\s0 enrollment control which would only accept certificates if their
-DNs match the order of the request. This is not needed for Xenroll.
-.Ip "\fB\-noemailDN\fR" 4
-.IX Item "-noemailDN"
-The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
-request \s-1DN\s0, however it is good policy just having the e-mail set into
-the altName extension of the certificate. When this option is set the
-\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in
-the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be
-used in the configuration file to enable this behaviour.
-.Ip "\fB\-batch\fR" 4
-.IX Item "-batch"
-this sets the batch mode. In this mode no questions will be asked
-and all certificates will be certified automatically.
-.Ip "\fB\-extensions section\fR" 4
-.IX Item "-extensions section"
-the section of the configuration file containing certificate extensions
-to be added when a certificate is issued (defaults to \fBx509_extensions\fR
-unless the \fB\-extfile\fR option is used). If no extension section is
-present then, a V1 certificate is created. If the extension section
-is present (even if it is empty), then a V3 certificate is created.
-.Ip "\fB\-extfile file\fR" 4
-.IX Item "-extfile file"
-an additional configuration file to read certificate extensions from
-(using the default section unless the \fB\-extensions\fR option is also
-used).
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "CRL OPTIONS"
-.IX Header "CRL OPTIONS"
-.Ip "\fB\-gencrl\fR" 4
-.IX Item "-gencrl"
-this option generates a \s-1CRL\s0 based on information in the index file.
-.Ip "\fB\-crldays num\fR" 4
-.IX Item "-crldays num"
-the number of days before the next \s-1CRL\s0 is due. That is the days from
-now to place in the \s-1CRL\s0 nextUpdate field.
-.Ip "\fB\-crlhours num\fR" 4
-.IX Item "-crlhours num"
-the number of hours before the next \s-1CRL\s0 is due.
-.Ip "\fB\-revoke filename\fR" 4
-.IX Item "-revoke filename"
-a filename containing a certificate to revoke.
-.Ip "\fB\-crl_reason reason\fR" 4
-.IX Item "-crl_reason reason"
-revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
-\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR,
-\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case
-insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
-.Sp
-In practive \fBremoveFromCRL\fR is not particularly useful because it is only used
-in delta CRLs which are not currently implemented.
-.Ip "\fB\-crl_hold instruction\fR" 4
-.IX Item "-crl_hold instruction"
-This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
-instruction to \fBinstruction\fR which must be an \s-1OID\s0. Although any \s-1OID\s0 can be
-used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
-\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used.
-.Ip "\fB\-crl_compromise time\fR" 4
-.IX Item "-crl_compromise time"
-This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to
-\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
-.Ip "\fB\-crl_CA_compromise time\fR" 4
-.IX Item "-crl_CA_compromise time"
-This is the same as \fBcrl_compromise\fR except the revocation reason is set to
-\&\fBCACompromise\fR.
-.Ip "\fB\-subj arg\fR" 4
-.IX Item "-subj arg"
-supersedes subject name given in the request.
-The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
-characters may be escaped by \e (backslash), no spaces are skipped.
-.Ip "\fB\-crlexts section\fR" 4
-.IX Item "-crlexts section"
-the section of the configuration file containing \s-1CRL\s0 extensions to
-include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
-created, if the \s-1CRL\s0 extension section is present (even if it is
-empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are
-\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted
-that some software (for example Netscape) can't handle V2 CRLs.
-.SH "CONFIGURATION FILE OPTIONS"
-.IX Header "CONFIGURATION FILE OPTIONS"
-The section of the configuration file containing options for \fBca\fR
-is found as follows: If the \fB\-name\fR command line option is used,
-then it names the section to be used. Otherwise the section to
-be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section
-of the configuration file (or in the default section of the
-configuration file). Besides \fBdefault_ca\fR, the following options are
-read directly from the \fBca\fR section:
- \s-1RANDFILE\s0
- preserve
- msie_hack
-With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
-change in future releases.
-.PP
-Many of the configuration file options are identical to command line
-options. Where the option is present in the configuration file
-and the command line the command line value is used. Where an
-option is described as mandatory then it must be present in
-the configuration file or the command line equivalent (if
-any) used.
-.Ip "\fBoid_file\fR" 4
-.IX Item "oid_file"
-This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
-Each line of the file should consist of the numerical form of the
-object identifier followed by white space then the short name followed
-by white space and finally the long name.
-.Ip "\fBoid_section\fR" 4
-.IX Item "oid_section"
-This specifies a section in the configuration file containing extra
-object identifiers. Each line should consist of the short name of the
-object identifier followed by \fB=\fR and the numerical form. The short
-and long names are the same when this option is used.
-.Ip "\fBnew_certs_dir\fR" 4
-.IX Item "new_certs_dir"
-the same as the \fB\-outdir\fR command line option. It specifies
-the directory where new certificates will be placed. Mandatory.
-.Ip "\fBcertificate\fR" 4
-.IX Item "certificate"
-the same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0
-certificate. Mandatory.
-.Ip "\fBprivate_key\fR" 4
-.IX Item "private_key"
-same as the \fB\-keyfile\fR option. The file containing the
-\&\s-1CA\s0 private key. Mandatory.
-.Ip "\fB\s-1RANDFILE\s0\fR" 4
-.IX Item "RANDFILE"
-a file used to read and write random number seed information, or
-an \s-1EGD\s0 socket (see RAND_egd(3)).
-.Ip "\fBdefault_days\fR" 4
-.IX Item "default_days"
-the same as the \fB\-days\fR option. The number of days to certify
-a certificate for.
-.Ip "\fBdefault_startdate\fR" 4
-.IX Item "default_startdate"
-the same as the \fB\-startdate\fR option. The start date to certify
-a certificate for. If not set the current time is used.
-.Ip "\fBdefault_enddate\fR" 4
-.IX Item "default_enddate"
-the same as the \fB\-enddate\fR option. Either this option or
-\&\fBdefault_days\fR (or the command line equivalents) must be
-present.
-.Ip "\fBdefault_crl_hours default_crl_days\fR" 4
-.IX Item "default_crl_hours default_crl_days"
-the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
-will only be used if neither command line option is present. At
-least one of these must be present to generate a \s-1CRL\s0.
-.Ip "\fBdefault_md\fR" 4
-.IX Item "default_md"
-the same as the \fB\-md\fR option. The message digest to use. Mandatory.
-.Ip "\fBdatabase\fR" 4
-.IX Item "database"
-the text database file to use. Mandatory. This file must be present
-though initially it will be empty.
-.Ip "\fBserialfile\fR" 4
-.IX Item "serialfile"
-a text file containing the next serial number to use in hex. Mandatory.
-This file must be present and contain a valid serial number.
-.Ip "\fBx509_extensions\fR" 4
-.IX Item "x509_extensions"
-the same as \fB\-extensions\fR.
-.Ip "\fBcrl_extensions\fR" 4
-.IX Item "crl_extensions"
-the same as \fB\-crlexts\fR.
-.Ip "\fBpreserve\fR" 4
-.IX Item "preserve"
-the same as \fB\-preserveDN\fR
-.Ip "\fBemail_in_dn\fR" 4
-.IX Item "email_in_dn"
-the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
-from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
-the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN\s0.
-.Ip "\fBmsie_hack\fR" 4
-.IX Item "msie_hack"
-the same as \fB\-msie_hack\fR
-.Ip "\fBpolicy\fR" 4
-.IX Item "policy"
-the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
-for more information.
-.Ip "\fBnameopt\fR, \fBcertopt\fR" 4
-.IX Item "nameopt, certopt"
-these options allow the format used to display the certificate details
-when asking the user to confirm signing. All the options supported by
-the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
-here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set
-and cannot be disabled (this is because the certificate signature cannot
-be displayed because the certificate has not been signed at this point).
-.Sp
-For convenience the values \fBdefault_ca\fR are accepted by both to produce
-a reasonable output.
-.Sp
-If neither option is present the format used in earlier versions of
-OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because
-it only displays fields mentioned in the \fBpolicy\fR section, mishandles
-multicharacter string types and does not display extensions.
-.Ip "\fBcopy_extensions\fR" 4
-.IX Item "copy_extensions"
-determines how extensions in certificate requests should be handled.
-If set to \fBnone\fR or this option is not present then extensions are
-ignored and not copied to the certificate. If set to \fBcopy\fR then any
-extensions present in the request that are not already present are copied
-to the certificate. If set to \fBcopyall\fR then all extensions in the
-request are copied to the certificate: if the extension is already present
-in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before
-using this option.
-.Sp
-The main use of this option is to allow a certificate request to supply
-values for certain extensions such as subjectAltName.
-.SH "POLICY FORMAT"
-.IX Header "POLICY FORMAT"
-The policy section consists of a set of variables corresponding to
-certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value
-must match the same field in the \s-1CA\s0 certificate. If the value is
-\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then
-it may be present. Any fields not mentioned in the policy section
-are silently deleted, unless the \fB\-preserveDN\fR option is set but
-this can be regarded more of a quirk than intended behaviour.
-.SH "SPKAC FORMAT"
-.IX Header "SPKAC FORMAT"
-The input to the \fB\-spkac\fR command line option is a Netscape
-signed public key and challenge. This will usually come from
-the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key.
-It is however possible to create SPKACs using the \fBspkac\fR utility.
-.PP
-The file should contain the variable \s-1SPKAC\s0 set to the value of
-the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
-If you need to include the same component twice then it can be
-preceded by a number and a '.'.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Note: these examples assume that the \fBca\fR directory structure is
-already set up and the relevant files already exist. This usually
-involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a
-serial number file and an empty index file and placing them in
-the relevant directories.
-.PP
-To use the sample configuration file below the directories demoCA,
-demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0
-certificate would be copied to demoCA/cacert.pem and its private
-key to demoCA/private/cakey.pem. A file demoCA/serial would be
-created containing for example \*(L"01\*(R" and the empty index file
-demoCA/index.txt.
-.PP
-Sign a certificate request:
-.PP
-.Vb 1
-\& openssl ca -in req.pem -out newcert.pem
-.Ve
-Sign a certificate request, using \s-1CA\s0 extensions:
-.PP
-.Vb 1
-\& openssl ca -in req.pem -extensions v3_ca -out newcert.pem
-.Ve
-Generate a \s-1CRL\s0
-.PP
-.Vb 1
-\& openssl ca -gencrl -out crl.pem
-.Ve
-Sign several requests:
-.PP
-.Vb 1
-\& openssl ca -infiles req1.pem req2.pem req3.pem
-.Ve
-Certify a Netscape \s-1SPKAC:\s0
-.PP
-.Vb 1
-\& openssl ca -spkac spkac.txt
-.Ve
-A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity):
-.PP
-.Vb 5
-\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
-\& CN=Steve Test
-\& emailAddress=steve@openssl.org
-\& 0.OU=OpenSSL Group
-\& 1.OU=Another Group
-.Ve
-A sample configuration file with the relevant sections for \fBca\fR:
-.PP
-.Vb 2
-\& [ ca ]
-\& default_ca = CA_default # The default ca section
-.Ve
-.Vb 1
-\& [ CA_default ]
-.Ve
-.Vb 3
-\& dir = ./demoCA # top dir
-\& database = $dir/index.txt # index file.
-\& new_certs_dir = $dir/newcerts # new certs dir
-.Ve
-.Vb 4
-\& certificate = $dir/cacert.pem # The CA cert
-\& serial = $dir/serial # serial no file
-\& private_key = $dir/private/cakey.pem# CA private key
-\& RANDFILE = $dir/private/.rand # random number file
-.Ve
-.Vb 3
-\& default_days = 365 # how long to certify for
-\& default_crl_days= 30 # how long before next CRL
-\& default_md = md5 # md to use
-.Ve
-.Vb 2
-\& policy = policy_any # default policy
-\& email_in_dn = no # Don't add the email into cert DN
-.Ve
-.Vb 3
-\& nameopt = default_ca # Subject name display option
-\& certopt = default_ca # Certificate display option
-\& copy_extensions = none # Don't copy extensions from request
-.Ve
-.Vb 7
-\& [ policy_any ]
-\& countryName = supplied
-\& stateOrProvinceName = optional
-\& organizationName = optional
-\& organizationalUnitName = optional
-\& commonName = supplied
-\& emailAddress = optional
-.Ve
-.SH "FILES"
-.IX Header "FILES"
-Note: the location of all files can change either by compile time options,
-configuration file entries, environment variables or command line options.
-The values below reflect the default values.
-.PP
-.Vb 10
-\& /usr/local/ssl/lib/openssl.cnf - master configuration file
-\& ./demoCA - main CA directory
-\& ./demoCA/cacert.pem - CA certificate
-\& ./demoCA/private/cakey.pem - CA private key
-\& ./demoCA/serial - CA serial number file
-\& ./demoCA/serial.old - CA serial number backup file
-\& ./demoCA/index.txt - CA text database file
-\& ./demoCA/index.txt.old - CA text database backup file
-\& ./demoCA/certs - certificate output file
-\& ./demoCA/.rnd - CA random seed information
-.Ve
-.SH "ENVIRONMENT VARIABLES"
-.IX Header "ENVIRONMENT VARIABLES"
-\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can
-be overridden by the \fB\-config\fR command line option.
-.SH "RESTRICTIONS"
-.IX Header "RESTRICTIONS"
-The text database index file is a critical part of the process and
-if corrupted it can be difficult to fix. It is theoretically possible
-to rebuild the index file from all the issued certificates and a current
-\&\s-1CRL:\s0 however there is no option to do this.
-.PP
-V2 \s-1CRL\s0 features like delta \s-1CRL\s0 support and \s-1CRL\s0 numbers are not currently
-supported.
-.PP
-Although several requests can be input and handled at once it is only
-possible to include one \s-1SPKAC\s0 or self signed certificate.
-.SH "BUGS"
-.IX Header "BUGS"
-The use of an in memory text database can cause problems when large
-numbers of certificates are present because, as the name implies
-the database has to be kept in memory.
-.PP
-It is not possible to certify two certificates with the same \s-1DN:\s0 this
-is a side effect of how the text database is indexed and it cannot easily
-be fixed without introducing other problems. Some S/MIME clients can use
-two certificates with the same \s-1DN\s0 for separate signing and encryption
-keys.
-.PP
-The \fBca\fR command really needs rewriting or the required functionality
-exposed at either a command or interface level so a more friendly utility
-(perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and
-\&\fB\s-1CA\s0.pl\fR help a little but not very much.
-.PP
-Any fields in a request that are not present in a policy are silently
-deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
-enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN\s0, as suggested by
-RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR
-option can be used. The behaviour should be more friendly and
-configurable.
-.PP
-Cancelling some commands by refusing to certify a certificate can
-create an empty file.
-.SH "WARNINGS"
-.IX Header "WARNINGS"
-The \fBca\fR command is quirky and at times downright unfriendly.
-.PP
-The \fBca\fR utility was originally meant as an example of how to do things
-in a \s-1CA\s0. It was not supposed to be used as a full blown \s-1CA\s0 itself:
-nevertheless some people are using it for this purpose.
-.PP
-The \fBca\fR command is effectively a single user command: no locking is
-done on the various files and attempts to run more than one \fBca\fR command
-on the same database can have unpredictable results.
-.PP
-The \fBcopy_extensions\fR option should be used with caution. If care is
-not taken then it can be a security risk. For example if a certificate
-request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the
-\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot
-this when the certificate is displayed then this will hand the requestor
-a valid \s-1CA\s0 certificate.
-.PP
-This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR
-and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file.
-Then if the request contains a basicConstraints extension it will be
-ignored.
-.PP
-It is advisable to also include values for other extensions such
-as \fBkeyUsage\fR to prevent a request supplying its own values.
-.PP
-Additional restrictions can be placed on the \s-1CA\s0 certificate itself.
-For example if the \s-1CA\s0 certificate has:
-.PP
-.Vb 1
-\& basicConstraints = CA:TRUE, pathlen:0
-.Ve
-then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-req(1), spkac(1), x509(1), CA.pl(1),
-config(5)
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
deleted file mode 100644
index 80e8138dd1c5..000000000000
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ /dev/null
@@ -1,497 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "CIPHERS 1"
-.TH CIPHERS 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-ciphers \- \s-1SSL\s0 cipher display and cipher list tool.
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBciphers\fR
-[\fB\-v\fR]
-[\fB\-ssl2\fR]
-[\fB\-ssl3\fR]
-[\fB\-tls1\fR]
-[\fBcipherlist\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBcipherlist\fR command converts OpenSSL cipher lists into ordered
-\&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine
-the appropriate cipherlist.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-v\fR" 4
-.IX Item "-v"
-verbose option. List ciphers with a complete description of
-protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange,
-authentication, encryption and mac algorithms used along with any key size
-restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher.
-Note that without the \fB\-v\fR option, ciphers may seem to appear twice
-in a cipher list; this is when similar ciphers are available for
-\&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1.
-.Ip "\fB\-ssl3\fR" 4
-.IX Item "-ssl3"
-only include \s-1SSL\s0 v3 ciphers.
-.Ip "\fB\-ssl2\fR" 4
-.IX Item "-ssl2"
-only include \s-1SSL\s0 v2 ciphers.
-.Ip "\fB\-tls1\fR" 4
-.IX Item "-tls1"
-only include \s-1TLS\s0 v1 ciphers.
-.Ip "\fB\-h\fR, \fB\-?\fR" 4
-.IX Item "-h, -?"
-print a brief usage message.
-.Ip "\fBcipherlist\fR" 4
-.IX Item "cipherlist"
-a cipher list to convert to a cipher preference list. If it is not included
-then the default cipher list will be used. The format is described below.
-.SH "CIPHER LIST FORMAT"
-.IX Header "CIPHER LIST FORMAT"
-The cipher list consists of one or more \fIcipher strings\fR separated by colons.
-Commas or spaces are also acceptable separators but colons are normally used.
-.PP
-The actual cipher string can take several different forms.
-.PP
-It can consist of a single cipher suite such as \fB\s-1RC4\-SHA\s0\fR.
-.PP
-It can represent a list of cipher suites containing a certain algorithm, or
-cipher suites of a certain type. For example \fB\s-1SHA1\s0\fR represents all ciphers
-suites using the digest algorithm \s-1SHA1\s0 and \fBSSLv3\fR represents all \s-1SSL\s0 v3
-algorithms.
-.PP
-Lists of cipher suites can be combined in a single cipher string using the
-\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example
-\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0
-algorithms.
-.PP
-Each cipher string can be optionally preceded by the characters \fB!\fR,
-\&\fB-\fR or \fB+\fR.
-.PP
-If \fB!\fR is used then the ciphers are permanently deleted from the list.
-The ciphers deleted can never reappear in the list even if they are
-explicitly stated.
-.PP
-If \fB-\fR is used then the ciphers are deleted from the list, but some or
-all of the ciphers can be added again by later options.
-.PP
-If \fB+\fR is used then the ciphers are moved to the end of the list. This
-option doesn't add any new ciphers it just moves matching existing ones.
-.PP
-If none of these characters is present then the string is just interpreted
-as a list of ciphers to be appended to the current preference list. If the
-list includes any ciphers already present they will be ignored: that is they
-will not moved to the end of the list.
-.PP
-Additionally the cipher string \fB@STRENGTH\fR can be used at any point to sort
-the current cipher list in order of encryption algorithm key length.
-.SH "CIPHER STRINGS"
-.IX Header "CIPHER STRINGS"
-The following is a list of all permitted cipher strings and their meanings.
-.Ip "\fB\s-1DEFAULT\s0\fR" 4
-.IX Item "DEFAULT"
-the default cipher list. This is determined at compile time and is normally
-\&\fB\s-1ALL:\s0!ADH:RC4+RSA:+SSLv2:@STRENGTH\fR. This must be the first cipher string
-specified.
-.Ip "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
-.IX Item "COMPLEMENTOFDEFAULT"
-the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
-this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is
-not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
-.Ip "\fB\s-1ALL\s0\fR" 4
-.IX Item "ALL"
-all ciphers suites except the \fBeNULL\fR ciphers which must be explicitly enabled.
-.Ip "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
-.IX Item "COMPLEMENTOFALL"
-the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR.
-.Ip "\fB\s-1HIGH\s0\fR" 4
-.IX Item "HIGH"
-\&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger
-than 128 bits.
-.Ip "\fB\s-1MEDIUM\s0\fR" 4
-.IX Item "MEDIUM"
-\&\*(L"medium\*(R" encryption cipher suites, currently those using 128 bit encryption.
-.Ip "\fB\s-1LOW\s0\fR" 4
-.IX Item "LOW"
-\&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
-but excluding export cipher suites.
-.Ip "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4
-.IX Item "EXP, EXPORT"
-export encryption algorithms. Including 40 and 56 bits algorithms.
-.Ip "\fB\s-1EXPORT40\s0\fR" 4
-.IX Item "EXPORT40"
-40 bit export encryption algorithms
-.Ip "\fB\s-1EXPORT56\s0\fR" 4
-.IX Item "EXPORT56"
-56 bit export encryption algorithms.
-.Ip "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
-.IX Item "eNULL, NULL"
-the \*(L"\s-1NULL\s0\*(R" ciphers that is those offering no encryption. Because these offer no
-encryption at all and are a security risk they are disabled unless explicitly
-included.
-.Ip "\fBaNULL\fR" 4
-.IX Item "aNULL"
-the cipher suites offering no authentication. This is currently the anonymous
-\&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R"
-attack and so their use is normally discouraged.
-.Ip "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
-.IX Item "kRSA, RSA"
-cipher suites using \s-1RSA\s0 key exchange.
-.Ip "\fBkEDH\fR" 4
-.IX Item "kEDH"
-cipher suites using ephemeral \s-1DH\s0 key agreement.
-.Ip "\fBkDHr\fR, \fBkDHd\fR" 4
-.IX Item "kDHr, kDHd"
-cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
-and \s-1DSS\s0 keys respectively. Not implemented.
-.Ip "\fBaRSA\fR" 4
-.IX Item "aRSA"
-cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys.
-.Ip "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4
-.IX Item "aDSS, DSS"
-cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys.
-.Ip "\fBaDH\fR" 4
-.IX Item "aDH"
-cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
-\&\s-1DH\s0 keys. Not implemented.
-.Ip "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4
-.IX Item "kFZA, aFZA, eFZA, FZA"
-ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all
-\&\s-1FORTEZZA\s0 algorithms. Not implemented.
-.Ip "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
-.IX Item "TLSv1, SSLv3, SSLv2"
-\&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively.
-.Ip "\fB\s-1DH\s0\fR" 4
-.IX Item "DH"
-cipher suites using \s-1DH\s0, including anonymous \s-1DH\s0.
-.Ip "\fB\s-1ADH\s0\fR" 4
-.IX Item "ADH"
-anonymous \s-1DH\s0 cipher suites.
-.Ip "\fB\s-1AES\s0\fR" 4
-.IX Item "AES"
-cipher suites using \s-1AES\s0.
-.Ip "\fB3DES\fR" 4
-.IX Item "3DES"
-cipher suites using triple \s-1DES\s0.
-.Ip "\fB\s-1DES\s0\fR" 4
-.IX Item "DES"
-cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
-.Ip "\fB\s-1RC4\s0\fR" 4
-.IX Item "RC4"
-cipher suites using \s-1RC4\s0.
-.Ip "\fB\s-1RC2\s0\fR" 4
-.IX Item "RC2"
-cipher suites using \s-1RC2\s0.
-.Ip "\fB\s-1IDEA\s0\fR" 4
-.IX Item "IDEA"
-cipher suites using \s-1IDEA\s0.
-.Ip "\fB\s-1MD5\s0\fR" 4
-.IX Item "MD5"
-cipher suites using \s-1MD5\s0.
-.Ip "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
-.IX Item "SHA1, SHA"
-cipher suites using \s-1SHA1\s0.
-.SH "CIPHER SUITE NAMES"
-.IX Header "CIPHER SUITE NAMES"
-The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
-relevant specification and their OpenSSL equivalents. It should be noted,
-that several cipher suite names do not include the authentication used,
-e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
-.Sh "\s-1SSL\s0 v3.0 cipher suites."
-.IX Subsection "SSL v3.0 cipher suites."
-.Vb 10
-\& SSL_RSA_WITH_NULL_MD5 NULL-MD5
-\& SSL_RSA_WITH_NULL_SHA NULL-SHA
-\& SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
-\& SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
-\& SSL_RSA_WITH_RC4_128_SHA RC4-SHA
-\& SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
-\& SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
-\& SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
-\& SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
-\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
-.Ve
-.Vb 12
-\& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented.
-\& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented.
-\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
-\& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented.
-\& SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented.
-\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
-\& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
-\& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
-\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
-\& SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
-\& SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
-\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
-.Ve
-.Vb 5
-\& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5
-\& SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
-\& SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA
-\& SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
-\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
-.Ve
-.Vb 3
-\& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
-\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
-\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented.
-.Ve
-.Sh "\s-1TLS\s0 v1.0 cipher suites."
-.IX Subsection "TLS v1.0 cipher suites."
-.Vb 10
-\& TLS_RSA_WITH_NULL_MD5 NULL-MD5
-\& TLS_RSA_WITH_NULL_SHA NULL-SHA
-\& TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
-\& TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
-\& TLS_RSA_WITH_RC4_128_SHA RC4-SHA
-\& TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
-\& TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
-\& TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
-\& TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
-\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
-.Ve
-.Vb 12
-\& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented.
-\& TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented.
-\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
-\& TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
-\& TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
-\& TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
-\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
-\& TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
-\& TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
-\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
-.Ve
-.Vb 5
-\& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5
-\& TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
-\& TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA
-\& TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
-\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
-.Ve
-.Sh "\s-1AES\s0 ciphersuites from \s-1RFC3268\s0, extending \s-1TLS\s0 v1.0"
-.IX Subsection "AES ciphersuites from RFC3268, extending TLS v1.0"
-.Vb 2
-\& TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
-\& TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
-.Ve
-.Vb 4
-\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
-\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
-\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
-\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
-.Ve
-.Vb 4
-\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
-\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
-\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
-\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
-.Ve
-.Vb 2
-\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
-\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
-.Ve
-.Sh "Additional Export 1024 and other cipher suites"
-.IX Subsection "Additional Export 1024 and other cipher suites"
-Note: these ciphers can also be used in \s-1SSL\s0 v3.
-.PP
-.Vb 5
-\& TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA
-\& TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA
-\& TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
-\& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA
-\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
-.Ve
-.Sh "\s-1SSL\s0 v2.0 cipher suites."
-.IX Subsection "SSL v2.0 cipher suites."
-.Vb 7
-\& SSL_CK_RC4_128_WITH_MD5 RC4-MD5
-\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
-\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
-\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
-\& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
-\& SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
-\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The non-ephemeral \s-1DH\s0 modes are currently unimplemented in OpenSSL
-because there is no support for \s-1DH\s0 certificates.
-.PP
-Some compiled versions of OpenSSL may not include all the ciphers
-listed here because some ciphers were excluded at compile time.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers:
-.PP
-.Vb 1
-\& openssl ciphers -v 'ALL:eNULL'
-.Ve
-Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by
-strength:
-.PP
-.Vb 1
-\& openssl ciphers -v 'ALL:!ADH:@STRENGTH'
-.Ve
-Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last:
-.PP
-.Vb 1
-\& openssl ciphers -v '3DES:+RSA'
-.Ve
-Include all \s-1RC4\s0 ciphers but leave out those without authentication:
-.PP
-.Vb 1
-\& openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
-.Ve
-Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without
-encryption.
-.PP
-.Vb 1
-\& openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
-.Ve
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-s_client(1), s_server(1), ssl(3)
-.SH "HISTORY"
-.IX Header "HISTORY"
-The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options were
-added in version 0.9.7.
diff --git a/secure/usr.bin/openssl/man/config.1 b/secure/usr.bin/openssl/man/config.1
deleted file mode 100644
index b6d8584eb410..000000000000
--- a/secure/usr.bin/openssl/man/config.1
+++ /dev/null
@@ -1,282 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Sun Jan 12 18:05:02 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "config 3"
-.TH config 3 "0.9.7" "2003-01-12" "OpenSSL"
-.UC
-.SH "NAME"
-config \- OpenSSL \s-1CONF\s0 library configuration files
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The OpenSSL \s-1CONF\s0 library can be used to read configuration files.
-It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR
-and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension
-files for the \fBx509\fR utility.
-.PP
-A configuration file is divided into a number of sections. Each section
-starts with a line \fB[ section_name ]\fR and ends when a new section is
-started or end of file is reached. A section name can consist of
-alphanumeric characters and underscores.
-.PP
-The first section of a configuration file is special and is referred
-to as the \fBdefault\fR section this is usually unnamed and is from the
-start of file until the first named section. When a name is being looked up
-it is first looked up in a named section (if any) and then the
-default section.
-.PP
-The environment is mapped onto a section called \fB\s-1ENV\s0\fR.
-.PP
-Comments can be included by preceding them with the \fB#\fR character
-.PP
-Each section in a configuration file consists of a number of name and
-value pairs of the form \fBname=value\fR
-.PP
-The \fBname\fR string can contain any alphanumeric characters as well as
-a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR.
-.PP
-The \fBvalue\fR string consists of the string following the \fB=\fR character
-until end of line with any leading and trailing white space removed.
-.PP
-The value string undergoes variable expansion. This can be done by
-including the form \fB$var\fR or \fB${var}\fR: this will substitute the value
-of the named variable in the current section. It is also possible to
-substitute a value from another section using the syntax \fB$section::name\fR
-or \fB${section::name}\fR. By using the form \fB$ENV::name\fR environment
-variables can be substituted. It is also possible to assign values to
-environment variables by using the name \fB\s-1ENV:\s0:name\fR, this will work
-if the program looks up environment variables using the \fB\s-1CONF\s0\fR library
-instead of calling \fB\f(BIgetenv()\fB\fR directly.
-.PP
-It is possible to escape certain characters by using any kind of quote
-or the \fB\e\fR character. By making the last character of a line a \fB\e\fR
-a \fBvalue\fR string can be spread across multiple lines. In addition
-the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized.
-.SH "NOTES"
-.IX Header "NOTES"
-If a configuration file attempts to expand a variable that doesn't exist
-then an error is flagged and the file will not load. This can happen
-if an attempt is made to expand an environment variable that doesn't
-exist. For example the default OpenSSL master configuration file used
-the value of \fB\s-1HOME\s0\fR which may not be defined on non Unix systems.
-.PP
-This can be worked around by including a \fBdefault\fR section to provide
-a default value: then if the environment lookup fails the default value
-will be used instead. For this to work properly the default value must
-be defined earlier in the configuration file than the expansion. See
-the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this.
-.PP
-If the same variable exists in the same section then all but the last
-value will be silently ignored. In certain circumstances such as with
-DNs the same field may occur multiple times. This is usually worked
-around by ignoring any characters before an initial \fB.\fR e.g.
-.PP
-.Vb 2
-\& 1.OU="My first OU"
-\& 2.OU="My Second OU"
-.Ve
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Here is a sample configuration file using some of the features
-mentioned above.
-.PP
-.Vb 1
-\& # This is the default section.
-.Ve
-.Vb 3
-\& HOME=/temp
-\& RANDFILE= ${ENV::HOME}/.rnd
-\& configdir=$ENV::HOME/config
-.Ve
-.Vb 1
-\& [ section_one ]
-.Ve
-.Vb 1
-\& # We are now in section one.
-.Ve
-.Vb 2
-\& # Quotes permit leading and trailing whitespace
-\& any = " any variable name "
-.Ve
-.Vb 3
-\& other = A string that can \e
-\& cover several lines \e
-\& by including \e\e characters
-.Ve
-.Vb 1
-\& message = Hello World\en
-.Ve
-.Vb 1
-\& [ section_two ]
-.Ve
-.Vb 1
-\& greeting = $section_one::message
-.Ve
-This next example shows how to expand environment variables safely.
-.PP
-Suppose you want a variable called \fBtmpfile\fR to refer to a
-temporary filename. The directory it is placed in can determined by
-the the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be
-set to any value at all. If you just include the environment variable
-names and the variable doesn't exist then this will cause an error when
-an attempt is made to load the configuration file. By making use of the
-default section both values can be looked up with \fB\s-1TEMP\s0\fR taking
-priority and \fB/tmp\fR used if neither is defined:
-.PP
-.Vb 5
-\& TMP=/tmp
-\& # The above value is used if TMP isn't in the environment
-\& TEMP=$ENV::TMP
-\& # The above value is used if TEMP isn't in the environment
-\& tmpfile=${ENV::TEMP}/tmp.filename
-.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-Currently there is no way to include characters using the octal \fB\ennn\fR
-form. Strings are all null terminated so nulls cannot form part of
-the value.
-.PP
-The escaping isn't quite right: if you want to use sequences like \fB\en\fR
-you can't use any quote escaping on the same line.
-.PP
-Files are loaded in a single pass. This means that an variable expansion
-will only work if the variables referenced are defined earlier in the
-file.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-x509(1), req(1), ca(1)
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1
deleted file mode 100644
index 39fecaa280a3..000000000000
--- a/secure/usr.bin/openssl/man/crl.1
+++ /dev/null
@@ -1,237 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "CRL 1"
-.TH CRL 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-crl \- \s-1CRL\s0 utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBcrl\fR
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-text\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-noout\fR]
-[\fB\-hash\fR]
-[\fB\-issuer\fR]
-[\fB\-lastupdate\fR]
-[\fB\-nextupdate\fR]
-[\fB\-CAfile file\fR]
-[\fB\-CApath dir\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
-structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read from or standard input if this
-option is not specified.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-specifies the output filename to write to or standard output by
-default.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-print out the \s-1CRL\s0 in text form.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-don't output the encoded version of the \s-1CRL\s0.
-.Ip "\fB\-hash\fR" 4
-.IX Item "-hash"
-output a hash of the issuer name. This can be use to lookup CRLs in
-a directory by issuer name.
-.Ip "\fB\-issuer\fR" 4
-.IX Item "-issuer"
-output the issuer name.
-.Ip "\fB\-lastupdate\fR" 4
-.IX Item "-lastupdate"
-output the lastUpdate field.
-.Ip "\fB\-nextupdate\fR" 4
-.IX Item "-nextupdate"
-output the nextUpdate field.
-.Ip "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
-\&\fBfile\fR
-.Ip "\fB\-CApath dir\fR" 4
-.IX Item "-CApath dir"
-verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
-\&\fBdir\fR. This directory must be a standard certificate directory: that
-is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
-to each certificate.
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 \s-1CRL\s0 format uses the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN X509 CRL-----
-\& -----END X509 CRL-----
-.Ve
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0
-.PP
-.Vb 1
-\& openssl crl -in crl.pem -outform DER -out crl.der
-.Ve
-Output the text form of a \s-1DER\s0 encoded certificate:
-.PP
-.Vb 1
-\& openssl crl -in crl.der -text -noout
-.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-Ideally it should be possible to create a \s-1CRL\s0 using appropriate options
-and files too.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-crl2pkcs7(1), ca(1), x509(1)
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1
deleted file mode 100644
index 850b4e7447ff..000000000000
--- a/secure/usr.bin/openssl/man/crl2pkcs7.1
+++ /dev/null
@@ -1,216 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-crl2pkcs7 \- Create a PKCS#7 structure from a \s-1CRL\s0 and certificates.
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBcrl2pkcs7\fR
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-certfile filename\fR]
-[\fB\-nocrl\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBcrl2pkcs7\fR command takes an optional \s-1CRL\s0 and one or more
-certificates and converts them into a PKCS#7 degenerate \*(L"certificates
-only\*(R" structure.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
-structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0
-encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a \s-1CRL\s0 from or standard input if this
-option is not specified.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-specifies the output filename to write the PKCS#7 structure to or standard
-output by default.
-.Ip "\fB\-certfile filename\fR" 4
-.IX Item "-certfile filename"
-specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format.
-All certificates in the file will be added to the PKCS#7 structure. This
-option can be used more than once to read certificates form multiple
-files.
-.Ip "\fB\-nocrl\fR" 4
-.IX Item "-nocrl"
-normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is
-included in the output file and a \s-1CRL\s0 is not read from the input file.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Create a PKCS#7 structure from a certificate and \s-1CRL:\s0
-.PP
-.Vb 1
-\& openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
-.Ve
-Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several
-different certificates:
-.PP
-.Vb 2
-\& openssl crl2pkcs7 -nocrl -certfile newcert.pem
-\& -certfile demoCA/cacert.pem -outform DER -out p7.der
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The output file is a PKCS#7 signed data structure containing no signers and
-just certificates and an optional \s-1CRL\s0.
-.PP
-This utility can be used to send certificates and CAs to Netscape as part of
-the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output
-as \s-1MIME\s0 type application/x-x509\-user-cert.
-.PP
-The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can be used to
-install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-pkcs7(1)
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1
deleted file mode 100644
index b13b3220989d..000000000000
--- a/secure/usr.bin/openssl/man/dgst.1
+++ /dev/null
@@ -1,223 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "DGST 1"
-.TH DGST 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBdgst\fR
-[\fB\-md5|\-md4|\-md2|\-sha1|\-sha|\-mdc2|\-ripemd160|\-dss1\fR]
-[\fB\-c\fR]
-[\fB\-d\fR]
-[\fB\-hex\fR]
-[\fB\-binary\fR]
-[\fB\-out filename\fR]
-[\fB\-sign filename\fR]
-[\fB\-verify filename\fR]
-[\fB\-prverify filename\fR]
-[\fB\-signature filename\fR]
-[\fBfile...\fR]
-.PP
-[\fBmd5|md4|md2|sha1|sha|mdc2|ripemd160\fR]
-[\fB\-c\fR]
-[\fB\-d\fR]
-[\fBfile...\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The digest functions output the message digest of a supplied file or files
-in hexadecimal form. They can also be used for digital signing and verification.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-c\fR" 4
-.IX Item "-c"
-print out the digest in two digit groups separated by colons, only relevant if
-\&\fBhex\fR format output is used.
-.Ip "\fB\-d\fR" 4
-.IX Item "-d"
-print out \s-1BIO\s0 debugging information.
-.Ip "\fB\-hex\fR" 4
-.IX Item "-hex"
-digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R"
-digest as opposed to a digital signature.
-.Ip "\fB\-binary\fR" 4
-.IX Item "-binary"
-output the digest or signature in binary form.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-filename to output to, or standard output by default.
-.Ip "\fB\-sign filename\fR" 4
-.IX Item "-sign filename"
-digitally sign the digest using the private key in \*(L"filename\*(R".
-.Ip "\fB\-verify filename\fR" 4
-.IX Item "-verify filename"
-verify the signature using the the public key in \*(L"filename\*(R".
-The output is either \*(L"Verification \s-1OK\s0\*(R" or \*(L"Verification Failure\*(R".
-.Ip "\fB\-prverify filename\fR" 4
-.IX Item "-prverify filename"
-verify the signature using the the private key in \*(L"filename\*(R".
-.Ip "\fB\-signature filename\fR" 4
-.IX Item "-signature filename"
-the actual signature to verify.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.Ip "\fBfile...\fR" 4
-.IX Item "file..."
-file or files to digest. If no files are specified then standard input is
-used.
-.SH "NOTES"
-.IX Header "NOTES"
-The digest of choice for all new applications is \s-1SHA1\s0. Other digests are
-however still widely used.
-.PP
-If you wish to sign or verify data using the \s-1DSA\s0 algorithm then the dss1
-digest must be used.
-.PP
-A source of random numbers is required for certain signing algorithms, in
-particular \s-1DSA\s0.
-.PP
-The signing and verify options should only be used if a single file is
-being signed or verified.
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1
deleted file mode 100644
index 95bc6d6040ad..000000000000
--- a/secure/usr.bin/openssl/man/dhparam.1
+++ /dev/null
@@ -1,256 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "DHPARAM 1"
-.TH DHPARAM 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-dhparam \- \s-1DH\s0 parameter manipulation and generation
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl dhparam\fR
-[\fB\-inform DER|PEM\fR]
-[\fB\-outform DER|PEM\fR]
-[\fB\-in\fR \fIfilename\fR]
-[\fB\-out\fR \fIfilename\fR]
-[\fB\-dsaparam\fR]
-[\fB\-noout\fR]
-[\fB\-text\fR]
-[\fB\-C\fR]
-[\fB\-2\fR]
-[\fB\-5\fR]
-[\fB\-rand\fR \fI\fIfile\fI\|(s)\fR]
-[\fB\-engine id\fR]
-[\fInumbits\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-This command is used to manipulate \s-1DH\s0 parameter files.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
-form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the
-default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with
-additional header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in\fR \fIfilename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read parameters from or standard input if
-this option is not specified.
-.Ip "\fB\-out\fR \fIfilename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename parameters to. Standard output is used
-if this option is not present. The output filename should \fBnot\fR be the same
-as the input filename.
-.Ip "\fB\-dsaparam\fR" 4
-.IX Item "-dsaparam"
-If this option is used, \s-1DSA\s0 rather than \s-1DH\s0 parameters are read or created;
-they are converted to \s-1DH\s0 format. Otherwise, \*(L"strong\*(R" primes (such
-that (p-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation.
-.Sp
-\&\s-1DH\s0 parameter generation with the \fB\-dsaparam\fR option is much faster,
-and the recommended exponent length is shorter, which makes \s-1DH\s0 key
-exchange more efficient. Beware that with such DSA-style \s-1DH\s0
-parameters, a fresh \s-1DH\s0 key should be created for each use to
-avoid small-subgroup attacks that may be possible otherwise.
-.Ip "\fB\-2\fR, \fB\-5\fR" 4
-.IX Item "-2, -5"
-The generator to use, either 2 or 5. 2 is the default. If present then the
-input file is ignored and parameters are generated instead.
-.Ip "\fB\-rand\fR \fI\fIfile\fI\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.Ip "\fInumbits\fR" 4
-.IX Item "numbits"
-this option specifies that a parameter set should be generated of size
-\&\fInumbits\fR. It must be the last option. If not present then a value of 512
-is used. If this option is present then the input file is ignored and
-parameters are generated instead.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option inhibits the output of the encoded version of the parameters.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-this option prints out the \s-1DH\s0 parameters in human readable form.
-.Ip "\fB\-C\fR" 4
-.IX Item "-C"
-this option converts the parameters into C code. The parameters can then
-be loaded by calling the \fBget_dh\fR\fInumbits\fR\fB()\fR function.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "WARNINGS"
-.IX Header "WARNINGS"
-The program \fBdhparam\fR combines the functionality of the programs \fBdh\fR and
-\&\fBgendh\fR in previous versions of OpenSSL and SSLeay. The \fBdh\fR and \fBgendh\fR
-programs are retained for now but may have different purposes in future
-versions of OpenSSL.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\s-1PEM\s0 format \s-1DH\s0 parameters use the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN DH PARAMETERS-----
-\& -----END DH PARAMETERS-----
-.Ve
-OpenSSL currently only supports the older PKCS#3 \s-1DH\s0, not the newer X9.42
-\&\s-1DH\s0.
-.PP
-This program manipulates \s-1DH\s0 parameters not keys.
-.SH "BUGS"
-.IX Header "BUGS"
-There should be a way to generate and manipulate \s-1DH\s0 keys.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-dsaparam(1)
-.SH "HISTORY"
-.IX Header "HISTORY"
-The \fBdhparam\fR command was added in OpenSSL 0.9.5.
-The \fB\-dsaparam\fR option was added in OpenSSL 0.9.6.
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1
deleted file mode 100644
index 35a9bb70b58b..000000000000
--- a/secure/usr.bin/openssl/man/dsa.1
+++ /dev/null
@@ -1,282 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "DSA 1"
-.TH DSA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-dsa \- \s-1DSA\s0 key processing
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBdsa\fR
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
-[\fB\-des\fR]
-[\fB\-des3\fR]
-[\fB\-idea\fR]
-[\fB\-text\fR]
-[\fB\-noout\fR]
-[\fB\-modulus\fR]
-[\fB\-pubin\fR]
-[\fB\-pubout\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBdsa\fR command processes \s-1DSA\s0 keys. They can be converted between various
-forms and their components printed out. \fBNote\fR This command uses the
-traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
-an \s-1ASN1\s0 \s-1DER\s0 encoded form of an \s-1ASN\s0.1 \s-1SEQUENCE\s0 consisting of the values of
-version (currently zero), p, q, g, the public and private key components
-respectively as \s-1ASN\s0.1 INTEGERs. When used with a public key it uses a
-SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA\s0.
-.Sp
-The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
-encoded with additional header and footer lines. In the case of a private key
-PKCS#8 format is also accepted.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
-.Ip "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename to write a key to or standard output by
-is not specified. If any encryption options are set then a pass phrase will be
-prompted for. The output filename should \fBnot\fR be the same as the input
-filename.
-.Ip "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-des|\-des3|\-idea\fR" 4
-.IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the
-\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
-If none of these options is specified the key is written in plain text. This
-means that using the \fBdsa\fR utility to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
-These options can only be used with \s-1PEM\s0 format output files.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-prints out the public, private key components and parameters.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option prevents output of the encoded version of the key.
-.Ip "\fB\-modulus\fR" 4
-.IX Item "-modulus"
-this option prints out the value of the public key component of the key.
-.Ip "\fB\-pubin\fR" 4
-.IX Item "-pubin"
-by default a private key is read from the input file: with this option a
-public key is read instead.
-.Ip "\fB\-pubout\fR" 4
-.IX Item "-pubout"
-by default a private key is output. With this option a public
-key will be output instead. This option is automatically set if the input is
-a public key.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 private key format uses the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN DSA PRIVATE KEY-----
-\& -----END DSA PRIVATE KEY-----
-.Ve
-The \s-1PEM\s0 public key format uses the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN PUBLIC KEY-----
-\& -----END PUBLIC KEY-----
-.Ve
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-To remove the pass phrase on a \s-1DSA\s0 private key:
-.PP
-.Vb 1
-\& openssl dsa -in key.pem -out keyout.pem
-.Ve
-To encrypt a private key using triple \s-1DES:\s0
-.PP
-.Vb 1
-\& openssl dsa -in key.pem -des3 -out keyout.pem
-.Ve
-To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
-.PP
-.Vb 1
-\& openssl dsa -in key.pem -outform DER -out keyout.der
-.Ve
-To print out the components of a private key to standard output:
-.PP
-.Vb 1
-\& openssl dsa -in key.pem -text -noout
-.Ve
-To just output the public part of a private key:
-.PP
-.Vb 1
-\& openssl dsa -in key.pem -pubout -out pubkey.pem
-.Ve
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-dsaparam(1), gendsa(1), rsa(1),
-genrsa(1)
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1
deleted file mode 100644
index d42f5bfb5863..000000000000
--- a/secure/usr.bin/openssl/man/dsaparam.1
+++ /dev/null
@@ -1,229 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-dsaparam \- \s-1DSA\s0 parameter manipulation and generation
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl dsaparam\fR
-[\fB\-inform DER|PEM\fR]
-[\fB\-outform DER|PEM\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-noout\fR]
-[\fB\-text\fR]
-[\fB\-C\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
-[\fB\-genkey\fR]
-[\fB\-engine id\fR]
-[\fBnumbits\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-This command is used to manipulate or generate \s-1DSA\s0 parameter files.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
-form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
-of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists
-of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read parameters from or standard input if
-this option is not specified. If the \fBnumbits\fR parameter is included then
-this option will be ignored.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename parameters to. Standard output is used
-if this option is not present. The output filename should \fBnot\fR be the same
-as the input filename.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option inhibits the output of the encoded version of the parameters.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-this option prints out the \s-1DSA\s0 parameters in human readable form.
-.Ip "\fB\-C\fR" 4
-.IX Item "-C"
-this option converts the parameters into C code. The parameters can then
-be loaded by calling the \fB\f(BIget_dsaXXX()\fB\fR function.
-.Ip "\fB\-genkey\fR" 4
-.IX Item "-genkey"
-this option will generate a \s-1DSA\s0 either using the specified or generated
-parameters.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.Ip "\fBnumbits\fR" 4
-.IX Item "numbits"
-this option specifies that a parameter set should be generated of size
-\&\fBnumbits\fR. It must be the last option. If this option is included then
-the input file (if any) is ignored.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\s-1PEM\s0 format \s-1DSA\s0 parameters use the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN DSA PARAMETERS-----
-\& -----END DSA PARAMETERS-----
-.Ve
-\&\s-1DSA\s0 parameter generation is a slow process and as a result the same set of
-\&\s-1DSA\s0 parameters is often used to generate several distinct keys.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-gendsa(1), dsa(1), genrsa(1),
-rsa(1)
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1
deleted file mode 100644
index 22a4222f0f3f..000000000000
--- a/secure/usr.bin/openssl/man/enc.1
+++ /dev/null
@@ -1,399 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "ENC 1"
-.TH ENC 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-enc \- symmetric cipher routines
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl enc \-ciphername\fR
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-pass arg\fR]
-[\fB\-e\fR]
-[\fB\-d\fR]
-[\fB\-a\fR]
-[\fB\-A\fR]
-[\fB\-k password\fR]
-[\fB\-kfile filename\fR]
-[\fB\-K key\fR]
-[\fB\-iv \s-1IV\s0\fR]
-[\fB\-p\fR]
-[\fB\-P\fR]
-[\fB\-bufsize number\fR]
-[\fB\-nopad\fR]
-[\fB\-debug\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The symmetric cipher commands allow data to be encrypted or decrypted
-using various block and stream ciphers using keys based on passwords
-or explicitly provided. Base64 encoding or decoding can also be performed
-either by itself or in addition to the encryption or decryption.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-the input filename, standard input by default.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-the output filename, standard output by default.
-.Ip "\fB\-pass arg\fR" 4
-.IX Item "-pass arg"
-the password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-salt\fR" 4
-.IX Item "-salt"
-use a salt in the key derivation routines. This option should \fB\s-1ALWAYS\s0\fR
-be used unless compatibility with previous versions of OpenSSL or SSLeay
-is required. This option is only present on OpenSSL versions 0.9.5 or
-above.
-.Ip "\fB\-nosalt\fR" 4
-.IX Item "-nosalt"
-don't use a salt in the key derivation routines. This is the default for
-compatibility with previous versions of OpenSSL and SSLeay.
-.Ip "\fB\-e\fR" 4
-.IX Item "-e"
-encrypt the input data: this is the default.
-.Ip "\fB\-d\fR" 4
-.IX Item "-d"
-decrypt the input data.
-.Ip "\fB\-a\fR" 4
-.IX Item "-a"
-base64 process the data. This means that if encryption is taking place
-the data is base64 encoded after encryption. If decryption is set then
-the input data is base64 decoded before being decrypted.
-.Ip "\fB\-A\fR" 4
-.IX Item "-A"
-if the \fB\-a\fR option is set then base64 process the data on one line.
-.Ip "\fB\-k password\fR" 4
-.IX Item "-k password"
-the password to derive the key from. This is for compatibility with previous
-versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
-.Ip "\fB\-kfile filename\fR" 4
-.IX Item "-kfile filename"
-read the password to derive the key from the first line of \fBfilename\fR.
-This is for computability with previous versions of OpenSSL. Superseded by
-the \fB\-pass\fR argument.
-.Ip "\fB\-S salt\fR" 4
-.IX Item "-S salt"
-the actual salt to use: this must be represented as a string comprised only
-of hex digits.
-.Ip "\fB\-K key\fR" 4
-.IX Item "-K key"
-the actual key to use: this must be represented as a string comprised only
-of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
-using the \fB\-iv\fR option. When both a key and a password are specified, the
-key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
-password will be taken. It probably does not make much sense to specify
-both key and password.
-.Ip "\fB\-iv \s-1IV\s0\fR" 4
-.IX Item "-iv IV"
-the actual \s-1IV\s0 to use: this must be represented as a string comprised only
-of hex digits. When only the key is specified using the \fB\-K\fR option, the
-\&\s-1IV\s0 must explicitly be defined. When a password is being specified using
-one of the other options, the \s-1IV\s0 is generated from this password.
-.Ip "\fB\-p\fR" 4
-.IX Item "-p"
-print out the key and \s-1IV\s0 used.
-.Ip "\fB\-P\fR" 4
-.IX Item "-P"
-print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
-or decryption.
-.Ip "\fB\-bufsize number\fR" 4
-.IX Item "-bufsize number"
-set the buffer size for I/O
-.Ip "\fB\-nopad\fR" 4
-.IX Item "-nopad"
-disable standard block padding
-.Ip "\fB\-debug\fR" 4
-.IX Item "-debug"
-debug the BIOs used for I/O.
-.SH "NOTES"
-.IX Header "NOTES"
-The program can be called either as \fBopenssl ciphername\fR or
-\&\fBopenssl enc \-ciphername\fR.
-.PP
-A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
-.PP
-The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
-from a password unless you want compatibility with previous versions of
-OpenSSL and SSLeay.
-.PP
-Without the \fB\-salt\fR option it is possible to perform efficient dictionary
-attacks on the password and to attack stream cipher encrypted data. The reason
-for this is that without the salt the same password always generates the same
-encryption key. When the salt is being used the first eight bytes of the
-encrypted data are reserved for the salt: it is generated at random when
-encrypting a file and read from the encrypted file when it is decrypted.
-.PP
-Some of the ciphers do not have large keys and others have security
-implications if not used correctly. A beginner is advised to just use
-a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
-.PP
-All the block ciphers normally use PKCS#5 padding also known as standard block
-padding: this allows a rudimentary integrity or password check to be
-performed. However since the chance of random data passing the test is
-better than 1 in 256 it isn't a very good test.
-.PP
-If padding is disabled then the input data must be a multiple of the cipher
-block length.
-.PP
-All \s-1RC2\s0 ciphers have the same key and effective key length.
-.PP
-Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
-.SH "SUPPORTED CIPHERS"
-.IX Header "SUPPORTED CIPHERS"
-.Vb 1
-\& base64 Base 64
-.Ve
-.Vb 5
-\& bf-cbc Blowfish in CBC mode
-\& bf Alias for bf-cbc
-\& bf-cfb Blowfish in CFB mode
-\& bf-ecb Blowfish in ECB mode
-\& bf-ofb Blowfish in OFB mode
-.Ve
-.Vb 6
-\& cast-cbc CAST in CBC mode
-\& cast Alias for cast-cbc
-\& cast5-cbc CAST5 in CBC mode
-\& cast5-cfb CAST5 in CFB mode
-\& cast5-ecb CAST5 in ECB mode
-\& cast5-ofb CAST5 in OFB mode
-.Ve
-.Vb 5
-\& des-cbc DES in CBC mode
-\& des Alias for des-cbc
-\& des-cfb DES in CBC mode
-\& des-ofb DES in OFB mode
-\& des-ecb DES in ECB mode
-.Ve
-.Vb 4
-\& des-ede-cbc Two key triple DES EDE in CBC mode
-\& des-ede Alias for des-ede
-\& des-ede-cfb Two key triple DES EDE in CFB mode
-\& des-ede-ofb Two key triple DES EDE in OFB mode
-.Ve
-.Vb 5
-\& des-ede3-cbc Three key triple DES EDE in CBC mode
-\& des-ede3 Alias for des-ede3-cbc
-\& des3 Alias for des-ede3-cbc
-\& des-ede3-cfb Three key triple DES EDE CFB mode
-\& des-ede3-ofb Three key triple DES EDE in OFB mode
-.Ve
-.Vb 1
-\& desx DESX algorithm.
-.Ve
-.Vb 5
-\& idea-cbc IDEA algorithm in CBC mode
-\& idea same as idea-cbc
-\& idea-cfb IDEA in CFB mode
-\& idea-ecb IDEA in ECB mode
-\& idea-ofb IDEA in OFB mode
-.Ve
-.Vb 7
-\& rc2-cbc 128 bit RC2 in CBC mode
-\& rc2 Alias for rc2-cbc
-\& rc2-cfb 128 bit RC2 in CBC mode
-\& rc2-ecb 128 bit RC2 in CBC mode
-\& rc2-ofb 128 bit RC2 in CBC mode
-\& rc2-64-cbc 64 bit RC2 in CBC mode
-\& rc2-40-cbc 40 bit RC2 in CBC mode
-.Ve
-.Vb 3
-\& rc4 128 bit RC4
-\& rc4-64 64 bit RC4
-\& rc4-40 40 bit RC4
-.Ve
-.Vb 5
-\& rc5-cbc RC5 cipher in CBC mode
-\& rc5 Alias for rc5-cbc
-\& rc5-cfb RC5 cipher in CBC mode
-\& rc5-ecb RC5 cipher in CBC mode
-\& rc5-ofb RC5 cipher in CBC mode
-.Ve
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Just base64 encode a binary file:
-.PP
-.Vb 1
-\& openssl base64 -in file.bin -out file.b64
-.Ve
-Decode the same file
-.PP
-.Vb 1
-\& openssl base64 -d -in file.b64 -out file.bin
-.Ve
-Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
-.PP
-.Vb 1
-\& openssl des3 -salt -in file.txt -out file.des3
-.Ve
-Decrypt a file using a supplied password:
-.PP
-.Vb 1
-\& openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
-.Ve
-Encrypt a file then base64 encode it (so it can be sent via mail for example)
-using Blowfish in \s-1CBC\s0 mode:
-.PP
-.Vb 1
-\& openssl bf -a -salt -in file.txt -out file.bf
-.Ve
-Base64 decode a file then decrypt it:
-.PP
-.Vb 1
-\& openssl bf -d -salt -a -in file.bf -out file.txt
-.Ve
-Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
-.PP
-.Vb 1
-\& openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
-.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-The \fB\-A\fR option when used with large files doesn't work properly.
-.PP
-There should be an option to allow an iteration count to be included.
-.PP
-The \fBenc\fR program only supports a fixed number of algorithms with
-certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
-76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1
deleted file mode 100644
index 97aff778b4e6..000000000000
--- a/secure/usr.bin/openssl/man/gendsa.1
+++ /dev/null
@@ -1,191 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "GENDSA 1"
-.TH GENDSA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-gendsa \- generate a \s-1DSA\s0 private key from a set of parameters
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBgendsa\fR
-[\fB\-out filename\fR]
-[\fB\-des\fR]
-[\fB\-des3\fR]
-[\fB\-idea\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
-[\fB\-engine id\fR]
-[\fBparamfile\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file
-(which will be typically generated by the \fBopenssl dsaparam\fR command).
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-des|\-des3|\-idea\fR" 4
-.IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the
-\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
-If none of these options is specified no encryption is used.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.Ip "\fBparamfile\fR" 4
-.IX Item "paramfile"
-This option specifies the \s-1DSA\s0 parameter file to use. The parameters in this
-file determine the size of the private key. \s-1DSA\s0 parameters can be generated
-and examined using the \fBopenssl dsaparam\fR command.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\s-1DSA\s0 key generation is little more than random number generation so it is
-much quicker that \s-1RSA\s0 key generation for example.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-dsaparam(1), dsa(1), genrsa(1),
-rsa(1)
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1
deleted file mode 100644
index 883bde2b143c..000000000000
--- a/secure/usr.bin/openssl/man/genrsa.1
+++ /dev/null
@@ -1,216 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "GENRSA 1"
-.TH GENRSA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-genrsa \- generate an \s-1RSA\s0 private key
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBgenrsa\fR
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
-[\fB\-des\fR]
-[\fB\-des3\fR]
-[\fB\-idea\fR]
-[\fB\-f4\fR]
-[\fB\-3\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
-[\fB\-engine id\fR]
-[\fBnumbits\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBgenrsa\fR command generates an \s-1RSA\s0 private key.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-the output filename. If this argument is not specified then standard output is
-used.
-.Ip "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-des|\-des3|\-idea\fR" 4
-.IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the
-\&\s-1IDEA\s0 ciphers respectively before outputting it. If none of these options is
-specified no encryption is used. If encryption is used a pass phrase is prompted
-for if it is not supplied via the \fB\-passout\fR argument.
-.Ip "\fB\-F4|\-3\fR" 4
-.IX Item "-F4|-3"
-the public exponent to use, either 65537 or 3. The default is 65537.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.Ip "\fBnumbits\fR" 4
-.IX Item "numbits"
-the size of the private key to generate in bits. This must be the last option
-specified. The default is 512.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\s-1RSA\s0 private key generation essentially involves the generation of two prime
-numbers. When generating a private key various symbols will be output to
-indicate the progress of the generation. A \fB.\fR represents each number which
-has passed an initial sieve test, \fB+\fR means a number has passed a single
-round of the Miller-Rabin primality test. A newline means that the number has
-passed all the prime tests (the actual number depends on the key size).
-.PP
-Because key generation is a random process the time taken to generate a key
-may vary somewhat.
-.SH "BUGS"
-.IX Header "BUGS"
-A quirk of the prime generation algorithm is that it cannot generate small
-primes. Therefore the number of bits should not be less that 64. For typical
-private keys this will not matter because for security reasons they will
-be much larger (typically 1024 bits).
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-gendsa(1)
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1
deleted file mode 100644
index 763605607a11..000000000000
--- a/secure/usr.bin/openssl/man/nseq.1
+++ /dev/null
@@ -1,199 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "NSEQ 1"
-.TH NSEQ 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-nseq \- create or examine a netscape certificate sequence
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBnseq\fR
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-toseq\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBnseq\fR command takes a file containing a Netscape certificate
-sequence and prints out the certificates contained in it or takes a
-file of certificates and converts it into a Netscape certificate
-sequence.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read or standard input if this
-option is not specified.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-specifies the output filename or standard output by default.
-.Ip "\fB\-toseq\fR" 4
-.IX Item "-toseq"
-normally a Netscape certificate sequence will be input and the output
-is the certificates contained in it. With the \fB\-toseq\fR option the
-situation is reversed: a Netscape certificate sequence is created from
-a file of certificates.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Output the certificates in a Netscape certificate sequence
-.PP
-.Vb 1
-\& openssl nseq -in nseq.pem -out certs.pem
-.Ve
-Create a Netscape certificate sequence
-.PP
-.Vb 1
-\& openssl nseq -in certs.pem -toseq -out nseq.pem
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certificate:
-.PP
-.Vb 2
-\& -----BEGIN CERTIFICATE-----
-\& -----END CERTIFICATE-----
-.Ve
-A Netscape certificate sequence is a Netscape specific form that can be sent
-to browsers as an alternative to the standard PKCS#7 format when several
-certificates are sent to the browser: for example during certificate enrollment.
-It is used by Netscape certificate server for example.
-.SH "BUGS"
-.IX Header "BUGS"
-This program needs a few more options: like allowing \s-1DER\s0 or \s-1PEM\s0 input and
-output files and allowing multiple certificate files to be used.
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1
deleted file mode 100644
index f1a68ad8942f..000000000000
--- a/secure/usr.bin/openssl/man/ocsp.1
+++ /dev/null
@@ -1,451 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "OCSP 1"
-.TH OCSP 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-ocsp \- Online Certificate Status Protocol utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBocsp\fR
-[\fB\-out file\fR]
-[\fB\-issuer file\fR]
-[\fB\-cert file\fR]
-[\fB\-serial n\fR]
-[\fB\-req_text\fR]
-[\fB\-resp_text\fR]
-[\fB\-text\fR]
-[\fB\-reqout file\fR]
-[\fB\-respout file\fR]
-[\fB\-reqin file\fR]
-[\fB\-respin file\fR]
-[\fB\-nonce\fR]
-[\fB\-no_nonce\fR]
-[\fB\-url responder_url\fR]
-[\fB\-host host:n\fR]
-[\fB\-path\fR]
-[\fB\-CApath file\fR]
-[\fB\-CAfile file\fR]
-[\fB\-VAfile file\fR]
-[\fB\-verify_certs file\fR]
-[\fB\-noverify\fR]
-[\fB\-trust_other\fR]
-[\fB\-no_intern\fR]
-[\fB\-no_sig_verify\fR]
-[\fB\-no_cert_verify\fR]
-[\fB\-no_chain\fR]
-[\fB\-no_cert_checks\fR]
-[\fB\-validity_period nsec\fR]
-[\fB\-status_age nsec\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fB\s-1WARNING:\s0 this documentation is preliminary and subject to change.\fR
-.PP
-The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
-determine the (revocation) state of an identified certificate (\s-1RFC\s0 2560).
-.PP
-The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used
-to print out requests and responses, create requests and send queries
-to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
-.SH "OCSP CLIENT OPTIONS"
-.IX Header "OCSP CLIENT OPTIONS"
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-specify output filename, default is standard output.
-.Ip "\fB\-issuer filename\fR" 4
-.IX Item "-issuer filename"
-This specifies the current issuer certificate. This option can be used
-multiple times. The certificate specified in \fBfilename\fR must be in
-\&\s-1PEM\s0 format.
-.Ip "\fB\-cert filename\fR" 4
-.IX Item "-cert filename"
-Add the certificate \fBfilename\fR to the request. The issuer certificate
-is taken from the previous \fBissuer\fR option, or an error occurs if no
-issuer certificate is specified.
-.Ip "\fB\-serial num\fR" 4
-.IX Item "-serial num"
-Same as the \fBcert\fR option except the certificate with serial number
-\&\fBnum\fR is added to the request. The serial number is interpreted as a
-decimal integer unless preceded by \fB0x\fR. Negative integers can also
-be specified by preceding the value by a \fB-\fR sign.
-.Ip "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4
-.IX Item "-signer filename, -signkey filename"
-Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR
-option and the private key specified by the \fBsignkey\fR option. If
-the \fBsignkey\fR option is not present then the private key is read
-from the same file as the certificate. If neither option is specified then
-the \s-1OCSP\s0 request is not signed.
-.Ip "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
-.IX Item "-nonce, -no_nonce"
-Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
-Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no
-nonce is added: using the \fBnonce\fR option will force addition of a nonce.
-If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options)
-a nonce is automatically added specifying \fBno_nonce\fR overrides this.
-.Ip "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
-.IX Item "-req_text, -resp_text, -text"
-print out the text form of the \s-1OCSP\s0 request, response or both respectively.
-.Ip "\fB\-reqout file\fR, \fB\-respout file\fR" 4
-.IX Item "-reqout file, -respout file"
-write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR.
-.Ip "\fB\-reqin file\fR, \fB\-respin file\fR" 4
-.IX Item "-reqin file, -respin file"
-read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored
-if \s-1OCSP\s0 request or response creation is implied by other options (for example
-with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
-.Ip "\fB\-url responder_url\fR" 4
-.IX Item "-url responder_url"
-specify the responder \s-1URL\s0. Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
-.Ip "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
-.IX Item "-host hostname:port, -path pathname"
-if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
-\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use
-or \*(L"/\*(R" by default.
-.Ip "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
-.IX Item "-CAfile file, -CApath pathname"
-file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
-the signature on the \s-1OCSP\s0 response.
-.Ip "\fB\-verify_certs file\fR" 4
-.IX Item "-verify_certs file"
-file containing additional certificates to search when attempting to locate
-the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
-certificate from the response: this option can be used to supply the necessary
-certificate in such cases.
-.Ip "\fB\-trust_other\fR" 4
-.IX Item "-trust_other"
-the certificates specified by the \fB\-verify_certs\fR option should be explicitly
-trusted and no additional checks will be performed on them. This is useful
-when the complete responder certificate chain is not available or trusting a
-root \s-1CA\s0 is not appropriate.
-.Ip "\fB\-VAfile file\fR" 4
-.IX Item "-VAfile file"
-file containing explicitly trusted responder certificates. Equivalent to the
-\&\fB\-verify_certs\fR and \fB\-trust_other\fR options.
-.Ip "\fB\-noverify\fR" 4
-.IX Item "-noverify"
-don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This
-option will normally only be used for debugging since it disables all verification
-of the responders certificate.
-.Ip "\fB\-no_intern\fR" 4
-.IX Item "-no_intern"
-ignore certificates contained in the \s-1OCSP\s0 response when searching for the
-signers certificate. With this option the signers certificate must be specified
-with either the \fB\-verify_certs\fR or \fB\-VAfile\fR options.
-.Ip "\fB\-no_sig_verify\fR" 4
-.IX Item "-no_sig_verify"
-don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid
-signatures on \s-1OCSP\s0 responses it will normally only be used for testing purposes.
-.Ip "\fB\-no_cert_verify\fR" 4
-.IX Item "-no_cert_verify"
-don't verify the \s-1OCSP\s0 response signers certificate at all. Since this option allows
-the \s-1OCSP\s0 response to be signed by any certificate it should only be used for
-testing purposes.
-.Ip "\fB\-no_chain\fR" 4
-.IX Item "-no_chain"
-do not use certificates in the response as additional untrusted \s-1CA\s0
-certificates.
-.Ip "\fB\-no_cert_checks\fR" 4
-.IX Item "-no_cert_checks"
-don't perform any additional checks on the \s-1OCSP\s0 response signers certificate.
-That is do not make any checks to see if the signers certificate is authorised
-to provide the necessary status information: as a result this option should
-only be used for testing purposes.
-.Ip "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
-.IX Item "-validity_period nsec, -status_age age"
-these options specify the range of times, in seconds, which will be tolerated
-in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and
-an optional \fBnotAfter\fR time. The current time should fall between these two values, but
-the interval between the two times may be only a few seconds. In practice the \s-1OCSP\s0
-responder and clients clocks may not be precisely synchronised and so such a check
-may fail. To avoid this the \fB\-validity_period\fR option can be used to specify an
-acceptable error range in seconds, the default value is 5 minutes.
-.Sp
-If the \fBnotAfter\fR time is omitted from a response then this means that new status
-information is immediately available. In this case the age of the \fBnotBefore\fR field
-is checked to see it is not older than \fBage\fR seconds old. By default this additional
-check is not performed.
-.SH "OCSP SERVER OPTIONS"
-.IX Header "OCSP SERVER OPTIONS"
-.Ip "\fB\-index indexfile\fR" 4
-.IX Item "-index indexfile"
-\&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation
-information.
-.Sp
-If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder mode, otherwise
-it is in client mode. The \fIrequest\fR\|(s) the responder processes can be either specified on
-the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the
-\&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified).
-.Sp
-If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be
-present.
-.Ip "\fB\-CA file\fR" 4
-.IX Item "-CA file"
-\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR.
-.Ip "\fB\-rsigner file\fR" 4
-.IX Item "-rsigner file"
-The certificate to sign \s-1OCSP\s0 responses with.
-.Ip "\fB\-rother file\fR" 4
-.IX Item "-rother file"
-Additional certificates to include in the \s-1OCSP\s0 response.
-.Ip "\fB\-resp_no_certs\fR" 4
-.IX Item "-resp_no_certs"
-Don't include any certificates in the \s-1OCSP\s0 response.
-.Ip "\fB\-resp_key_id\fR" 4
-.IX Item "-resp_key_id"
-Identify the signer certificate using the key \s-1ID\s0, default is to use the subject name.
-.Ip "\fB\-rkey file\fR" 4
-.IX Item "-rkey file"
-The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the
-\&\fBrsigner\fR option is used.
-.Ip "\fB\-port portnum\fR" 4
-.IX Item "-port portnum"
-Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR
-option.
-.Ip "\fB\-nrequest number\fR" 4
-.IX Item "-nrequest number"
-The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited.
-.Ip "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
-.IX Item "-nmin minutes, -ndays days"
-Number of minutes or days when fresh revocation information is available: used in the
-\&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is
-omitted meaning fresh revocation information is immediately available.
-.SH "OCSP Response verification."
-.IX Header "OCSP Response verification."
-\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560\s0.
-.PP
-Initially the \s-1OCSP\s0 responder certificate is located and the signature on
-the \s-1OCSP\s0 request checked using the responder certificate's public key.
-.PP
-Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
-building up a certificate chain in the process. The locations of the trusted
-certificates used to build the chain can be specified by the \fBCAfile\fR
-and \fBCApath\fR options or they will be looked for in the standard OpenSSL
-certificates directory.
-.PP
-If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
-error.
-.PP
-Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0
-responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds.
-.PP
-Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing
-\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning
-extended key usage is present in the \s-1OCSP\s0 responder certificate then the
-\&\s-1OCSP\s0 verify succeeds.
-.PP
-Otherwise the root \s-1CA\s0 of the \s-1OCSP\s0 responders \s-1CA\s0 is checked to see if it
-is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0 verify succeeds.
-.PP
-If none of these checks is successful then the \s-1OCSP\s0 verify fails.
-.PP
-What this effectively means if that if the \s-1OCSP\s0 responder certificate is
-authorised directly by the \s-1CA\s0 it is issuing revocation information about
-(and it is correctly configured) then verification will succeed.
-.PP
-If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about
-multiple CAs and has its own separate certificate chain then its root
-\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example:
-.PP
-.Vb 1
-\& openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
-.Ve
-Alternatively the responder certificate itself can be explicitly trusted
-with the \fB\-VAfile\fR option.
-.SH "NOTES"
-.IX Header "NOTES"
-As noted, most of the verify options are for testing or debugging purposes.
-Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global
-\&\s-1VA\s0') \fB\-VAfile\fR options need to be used.
-.PP
-The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
-not really usable as a full \s-1OCSP\s0 responder. It contains only a very
-simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0
-queries. It also handles requests serially meaning it cannot respond to
-new requests until it has processed the current one. The text index file
-format of revocation is also inefficient for large quantities of revocation
-data.
-.PP
-It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0
-script using the \fBrespin\fR and \fBrespout\fR options.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Create an \s-1OCSP\s0 request and write it to a file:
-.PP
-.Vb 1
-\& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
-.Ve
-Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the
-response to a file and print it out in text form
-.PP
-.Vb 2
-\& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e
-\& -url http://ocsp.myhost.com/ -resp_text -respout resp.der
-.Ve
-Read in an \s-1OCSP\s0 response and print out text form:
-.PP
-.Vb 1
-\& openssl ocsp -respin resp.der -text
-.Ve
-\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
-responder certificate. All requests and responses are printed to a file.
-.PP
-.Vb 2
-\& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
-\& -text -out log.txt
-.Ve
-As above but exit after processing one request:
-.PP
-.Vb 2
-\& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
-\& -nrequest 1
-.Ve
-Query status information using internally generated request:
-.PP
-.Vb 2
-\& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
-\& -issuer demoCA/cacert.pem -serial 1
-.Ve
-Query status information using request read from a file, write response to a
-second file.
-.PP
-.Vb 2
-\& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
-\& -reqin req.der -respout resp.der
-.Ve
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
deleted file mode 100644
index 54d4f99083db..000000000000
--- a/secure/usr.bin/openssl/man/openssl.1
+++ /dev/null
@@ -1,407 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:34 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "OPENSSL 1"
-.TH OPENSSL 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-openssl \- OpenSSL command line tool
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR
-\&\fIcommand\fR
-[ \fIcommand_opts\fR ]
-[ \fIcommand_args\fR ]
-.PP
-\&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR ]
-.PP
-\&\fBopenssl\fR \fBno-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0
-v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and related
-cryptography standards required by them.
-.PP
-The \fBopenssl\fR program is a command line tool for using the various
-cryptography functions of OpenSSL's \fBcrypto\fR library from the shell.
-It can be used for
-.PP
-.Vb 6
-\& o Creation of RSA, DH and DSA key parameters
-\& o Creation of X.509 certificates, CSRs and CRLs
-\& o Calculation of Message Digests
-\& o Encryption and Decryption with Ciphers
-\& o SSL/TLS Client and Server Tests
-\& o Handling of S/MIME signed or encrypted mail
-.Ve
-.SH "COMMAND SUMMARY"
-.IX Header "COMMAND SUMMARY"
-The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in the
-\&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments
-(\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0).
-.PP
-The pseudo-commands \fBlist-standard-commands\fR, \fBlist-message-digest-commands\fR,
-and \fBlist-cipher-commands\fR output a list (one entry per line) of the names
-of all standard commands, message digest commands, or cipher commands,
-respectively, that are available in the present \fBopenssl\fR utility.
-.PP
-The pseudo-command \fBno-\fR\fI\s-1XXX\s0\fR tests whether a command of the
-specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it
-returns 0 (success) and prints \fBno-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
-and prints \fI\s-1XXX\s0\fR. In both cases, the output goes to \fBstdout\fR and
-nothing is printed to \fBstderr\fR. Additional command line arguments
-are always ignored. Since for each cipher there is a command of the
-same name, this provides an easy way for shell scripts to test for the
-availability of ciphers in the \fBopenssl\fR program. (\fBno-\fR\fI\s-1XXX\s0\fR is
-not able to detect pseudo-commands such as \fBquit\fR,
-\&\fBlist-\fR\fI...\fR\fB\-commands\fR, or \fBno-\fR\fI\s-1XXX\s0\fR itself.)
-.Sh "\s-1STANDARD\s0 \s-1COMMANDS\s0"
-.IX Subsection "STANDARD COMMANDS"
-.Ip "\fBasn1parse\fR" 10
-.IX Item "asn1parse"
-Parse an \s-1ASN\s0.1 sequence.
-.Ip "\fBca\fR" 10
-.IX Item "ca"
-Certificate Authority (\s-1CA\s0) Management.
-.Ip "\fBciphers\fR" 10
-.IX Item "ciphers"
-Cipher Suite Description Determination.
-.Ip "\fBcrl\fR" 10
-.IX Item "crl"
-Certificate Revocation List (\s-1CRL\s0) Management.
-.Ip "\fBcrl2pkcs7\fR" 10
-.IX Item "crl2pkcs7"
-\&\s-1CRL\s0 to PKCS#7 Conversion.
-.Ip "\fBdgst\fR" 10
-.IX Item "dgst"
-Message Digest Calculation.
-.Ip "\fBdh\fR" 10
-.IX Item "dh"
-Diffie-Hellman Parameter Management.
-Obsoleted by \fBdhparam\fR.
-.Ip "\fBdsa\fR" 10
-.IX Item "dsa"
-\&\s-1DSA\s0 Data Management.
-.Ip "\fBdsaparam\fR" 10
-.IX Item "dsaparam"
-\&\s-1DSA\s0 Parameter Generation.
-.Ip "\fBenc\fR" 10
-.IX Item "enc"
-Encoding with Ciphers.
-.Ip "\fBerrstr\fR" 10
-.IX Item "errstr"
-Error Number to Error String Conversion.
-.Ip "\fBdhparam\fR" 10
-.IX Item "dhparam"
-Generation and Management of Diffie-Hellman Parameters.
-.Ip "\fBgendh\fR" 10
-.IX Item "gendh"
-Generation of Diffie-Hellman Parameters.
-Obsoleted by \fBdhparam\fR.
-.Ip "\fBgendsa\fR" 10
-.IX Item "gendsa"
-Generation of \s-1DSA\s0 Parameters.
-.Ip "\fBgenrsa\fR" 10
-.IX Item "genrsa"
-Generation of \s-1RSA\s0 Parameters.
-.Ip "\fBocsp\fR" 10
-.IX Item "ocsp"
-Online Certificate Status Protocol utility.
-.Ip "\fBpasswd\fR" 10
-.IX Item "passwd"
-Generation of hashed passwords.
-.Ip "\fBpkcs12\fR" 10
-.IX Item "pkcs12"
-PKCS#12 Data Management.
-.Ip "\fBpkcs7\fR" 10
-.IX Item "pkcs7"
-PKCS#7 Data Management.
-.Ip "\fBrand\fR" 10
-.IX Item "rand"
-Generate pseudo-random bytes.
-.Ip "\fBreq\fR" 10
-.IX Item "req"
-X.509 Certificate Signing Request (\s-1CSR\s0) Management.
-.Ip "\fBrsa\fR" 10
-.IX Item "rsa"
-\&\s-1RSA\s0 Data Management.
-.Ip "\fBrsautl\fR" 10
-.IX Item "rsautl"
-\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption.
-.Ip "\fBs_client\fR" 10
-.IX Item "s_client"
-This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
-connection to a remote server speaking \s-1SSL/TLS\s0. It's intended for testing
-purposes only and provides only rudimentary interface functionality but
-internally uses mostly all functionality of the OpenSSL \fBssl\fR library.
-.Ip "\fBs_server\fR" 10
-.IX Item "s_server"
-This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote
-clients speaking \s-1SSL/TLS\s0. It's intended for testing purposes only and provides
-only rudimentary interface functionality but internally uses mostly all
-functionality of the OpenSSL \fBssl\fR library. It provides both an own command
-line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response
-facility to emulate an SSL/TLS-aware webserver.
-.Ip "\fBs_time\fR" 10
-.IX Item "s_time"
-\&\s-1SSL\s0 Connection Timer.
-.Ip "\fBsess_id\fR" 10
-.IX Item "sess_id"
-\&\s-1SSL\s0 Session Data Management.
-.Ip "\fBsmime\fR" 10
-.IX Item "smime"
-S/MIME mail processing.
-.Ip "\fBspeed\fR" 10
-.IX Item "speed"
-Algorithm Speed Measurement.
-.Ip "\fBverify\fR" 10
-.IX Item "verify"
-X.509 Certificate Verification.
-.Ip "\fBversion\fR" 10
-.IX Item "version"
-OpenSSL Version Information.
-.Ip "\fBx509\fR" 10
-.IX Item "x509"
-X.509 Certificate Data Management.
-.Sh "\s-1MESSAGE\s0 \s-1DIGEST\s0 \s-1COMMANDS\s0"
-.IX Subsection "MESSAGE DIGEST COMMANDS"
-.Ip "\fBmd2\fR" 10
-.IX Item "md2"
-\&\s-1MD2\s0 Digest
-.Ip "\fBmd5\fR" 10
-.IX Item "md5"
-\&\s-1MD5\s0 Digest
-.Ip "\fBmdc2\fR" 10
-.IX Item "mdc2"
-\&\s-1MDC2\s0 Digest
-.Ip "\fBrmd160\fR" 10
-.IX Item "rmd160"
-\&\s-1RMD-160\s0 Digest
-.Ip "\fBsha\fR" 10
-.IX Item "sha"
-\&\s-1SHA\s0 Digest
-.Ip "\fBsha1\fR" 10
-.IX Item "sha1"
-\&\s-1SHA-1\s0 Digest
-.Sh "\s-1ENCODING\s0 \s-1AND\s0 \s-1CIPHER\s0 \s-1COMMANDS\s0"
-.IX Subsection "ENCODING AND CIPHER COMMANDS"
-.Ip "\fBbase64\fR" 10
-.IX Item "base64"
-Base64 Encoding
-.Ip "\fBbf bf-cbc bf-cfb bf-ecb bf-ofb\fR" 10
-.IX Item "bf bf-cbc bf-cfb bf-ecb bf-ofb"
-Blowfish Cipher
-.Ip "\fBcast cast-cbc\fR" 10
-.IX Item "cast cast-cbc"
-\&\s-1CAST\s0 Cipher
-.Ip "\fBcast5\-cbc cast5\-cfb cast5\-ecb cast5\-ofb\fR" 10
-.IX Item "cast5-cbc cast5-cfb cast5-ecb cast5-ofb"
-\&\s-1CAST5\s0 Cipher
-.Ip "\fBdes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb\fR" 10
-.IX Item "des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb"
-\&\s-1DES\s0 Cipher
-.Ip "\fBdes3 desx des-ede3 des-ede3\-cbc des-ede3\-cfb des-ede3\-ofb\fR" 10
-.IX Item "des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb"
-Triple-DES Cipher
-.Ip "\fBidea idea-cbc idea-cfb idea-ecb idea-ofb\fR" 10
-.IX Item "idea idea-cbc idea-cfb idea-ecb idea-ofb"
-\&\s-1IDEA\s0 Cipher
-.Ip "\fBrc2 rc2\-cbc rc2\-cfb rc2\-ecb rc2\-ofb\fR" 10
-.IX Item "rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb"
-\&\s-1RC2\s0 Cipher
-.Ip "\fBrc4\fR" 10
-.IX Item "rc4"
-\&\s-1RC4\s0 Cipher
-.Ip "\fBrc5 rc5\-cbc rc5\-cfb rc5\-ecb rc5\-ofb\fR" 10
-.IX Item "rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb"
-\&\s-1RC5\s0 Cipher
-.SH "PASS PHRASE ARGUMENTS"
-.IX Header "PASS PHRASE ARGUMENTS"
-Several commands accept password arguments, typically using \fB\-passin\fR
-and \fB\-passout\fR for input and output passwords respectively. These allow
-the password to be obtained from a variety of sources. Both of these
-options take a single argument whose format is described below. If no
-password argument is given and a password is required then the user is
-prompted to enter one: this will typically be read from the current
-terminal with echoing turned off.
-.Ip "\fBpass:password\fR" 10
-.IX Item "pass:password"
-the actual password is \fBpassword\fR. Since the password is visible
-to utilities (like 'ps' under Unix) this form should only be used
-where security is not important.
-.Ip "\fBenv:var\fR" 10
-.IX Item "env:var"
-obtain the password from the environment variable \fBvar\fR. Since
-the environment of other processes is visible on certain platforms
-(e.g. ps under certain Unix OSes) this option should be used with caution.
-.Ip "\fBfile:pathname\fR" 10
-.IX Item "file:pathname"
-the first line of \fBpathname\fR is the password. If the same \fBpathname\fR
-argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first
-line will be used for the input password and the next line for the output
-password. \fBpathname\fR need not refer to a regular file: it could for example
-refer to a device or named pipe.
-.Ip "\fBfd:number\fR" 10
-.IX Item "fd:number"
-read the password from the file descriptor \fBnumber\fR. This can be used to
-send the data via a pipe for example.
-.Ip "\fBstdin\fR" 10
-.IX Item "stdin"
-read the password from standard input.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-asn1parse(1), ca(1), config(5),
-crl(1), crl2pkcs7(1), dgst(1),
-dhparam(1), dsa(1), dsaparam(1),
-enc(1), gendsa(1),
-genrsa(1), nseq(1), openssl(1),
-passwd(1),
-pkcs12(1), pkcs7(1), pkcs8(1),
-rand(1), req(1), rsa(1),
-rsautl(1), s_client(1),
-s_server(1), smime(1), spkac(1),
-verify(1), version(1), x509(1),
-crypto(3), ssl(3)
-.SH "HISTORY"
-.IX Header "HISTORY"
-The \fIopenssl\fR\|(1) document appeared in OpenSSL 0.9.2.
-The \fBlist-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3;
-the \fBno-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a.
-For notes on the availability of other commands, see their individual
-manual pages.
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1
deleted file mode 100644
index 456822309a15..000000000000
--- a/secure/usr.bin/openssl/man/passwd.1
+++ /dev/null
@@ -1,203 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:34 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "PASSWD 1"
-.TH PASSWD 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-passwd \- compute password hashes
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl passwd\fR
-[\fB\-crypt\fR]
-[\fB\-1\fR]
-[\fB\-apr1\fR]
-[\fB\-salt\fR \fIstring\fR]
-[\fB\-in\fR \fIfile\fR]
-[\fB\-stdin\fR]
-[\fB\-noverify\fR]
-[\fB\-quiet\fR]
-[\fB\-table\fR]
-{\fIpassword\fR}
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBpasswd\fR command computes the hash of a password typed at
-run-time or the hash of each password in a list. The password list is
-taken from the named file for option \fB\-in file\fR, from stdin for
-option \fB\-stdin\fR, or from the command line, or from the terminal otherwise.
-The Unix standard algorithm \fBcrypt\fR and the MD5\-based \s-1BSD\s0 password
-algorithm \fB1\fR and its Apache variant \fBapr1\fR are available.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-crypt\fR" 4
-.IX Item "-crypt"
-Use the \fBcrypt\fR algorithm (default).
-.Ip "\fB\-1\fR" 4
-.IX Item "-1"
-Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR.
-.Ip "\fB\-apr1\fR" 4
-.IX Item "-apr1"
-Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm).
-.Ip "\fB\-salt\fR \fIstring\fR" 4
-.IX Item "-salt string"
-Use the specified salt.
-When reading a password from the terminal, this implies \fB\-noverify\fR.
-.Ip "\fB\-in\fR \fIfile\fR" 4
-.IX Item "-in file"
-Read passwords from \fIfile\fR.
-.Ip "\fB\-stdin\fR" 4
-.IX Item "-stdin"
-Read passwords from \fBstdin\fR.
-.Ip "\fB\-noverify\fR" 4
-.IX Item "-noverify"
-Don't verify when reading a password from the terminal.
-.Ip "\fB\-quiet\fR" 4
-.IX Item "-quiet"
-Don't output warnings when passwords given at the command line are truncated.
-.Ip "\fB\-table\fR" 4
-.IX Item "-table"
-In the output list, prepend the cleartext password and a \s-1TAB\s0 character
-to each password hash.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-\&\fBopenssl passwd \-crypt \-salt xx password\fR prints \fBxxj31ZMTZzkVA\fR.
-.PP
-\&\fBopenssl passwd \-1 \-salt xxxxxxxx password\fR prints \fB$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.\fR.
-.PP
-\&\fBopenssl passwd \-apr1 \-salt xxxxxxxx password\fR prints \fB$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0\fR.
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1
deleted file mode 100644
index 47624917166c..000000000000
--- a/secure/usr.bin/openssl/man/pkcs12.1
+++ /dev/null
@@ -1,429 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "PKCS12 1"
-.TH PKCS12 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-pkcs12 \- PKCS#12 file utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBpkcs12\fR
-[\fB\-export\fR]
-[\fB\-chain\fR]
-[\fB\-inkey filename\fR]
-[\fB\-certfile filename\fR]
-[\fB\-name name\fR]
-[\fB\-caname name\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-noout\fR]
-[\fB\-nomacver\fR]
-[\fB\-nocerts\fR]
-[\fB\-clcerts\fR]
-[\fB\-cacerts\fR]
-[\fB\-nokeys\fR]
-[\fB\-info\fR]
-[\fB\-des\fR]
-[\fB\-des3\fR]
-[\fB\-idea\fR]
-[\fB\-nodes\fR]
-[\fB\-noiter\fR]
-[\fB\-maciter\fR]
-[\fB\-twopass\fR]
-[\fB\-descert\fR]
-[\fB\-certpbe\fR]
-[\fB\-keypbe\fR]
-[\fB\-keyex\fR]
-[\fB\-keysig\fR]
-[\fB\-password arg\fR]
-[\fB\-passin arg\fR]
-[\fB\-passout arg\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
-\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
-programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-There are a lot of options the meaning of some depends of whether a PKCS#12 file
-is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12
-file can be created by using the \fB\-export\fR option (see below).
-.SH "PARSING OPTIONS"
-.IX Header "PARSING OPTIONS"
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies filename of the PKCS#12 file to be parsed. Standard input is used
-by default.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-The filename to write certificates and private keys to, standard output by default.
-They are all written in \s-1PEM\s0 format.
-.Ip "\fB\-pass arg\fR, \fB\-passin arg\fR" 4
-.IX Item "-pass arg, -passin arg"
-the PKCS#12 file (i.e. input file) password source. For more information about the
-format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-openssl(1).
-.Ip "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-pass phrase source to encrypt any outputed private keys with. For more information
-about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-openssl(1).
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option inhibits output of the keys and certificates to the output file version
-of the PKCS#12 file.
-.Ip "\fB\-clcerts\fR" 4
-.IX Item "-clcerts"
-only output client certificates (not \s-1CA\s0 certificates).
-.Ip "\fB\-cacerts\fR" 4
-.IX Item "-cacerts"
-only output \s-1CA\s0 certificates (not client certificates).
-.Ip "\fB\-nocerts\fR" 4
-.IX Item "-nocerts"
-no certificates at all will be output.
-.Ip "\fB\-nokeys\fR" 4
-.IX Item "-nokeys"
-no private keys will be output.
-.Ip "\fB\-info\fR" 4
-.IX Item "-info"
-output additional information about the PKCS#12 file structure, algorithms used and
-iteration counts.
-.Ip "\fB\-des\fR" 4
-.IX Item "-des"
-use \s-1DES\s0 to encrypt private keys before outputting.
-.Ip "\fB\-des3\fR" 4
-.IX Item "-des3"
-use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default.
-.Ip "\fB\-idea\fR" 4
-.IX Item "-idea"
-use \s-1IDEA\s0 to encrypt private keys before outputting.
-.Ip "\fB\-nodes\fR" 4
-.IX Item "-nodes"
-don't encrypt the private keys at all.
-.Ip "\fB\-nomacver\fR" 4
-.IX Item "-nomacver"
-don't attempt to verify the integrity \s-1MAC\s0 before reading the file.
-.Ip "\fB\-twopass\fR" 4
-.IX Item "-twopass"
-prompt for separate integrity and encryption passwords: most software
-always assumes these are the same so this option will render such
-PKCS#12 files unreadable.
-.SH "FILE CREATION OPTIONS"
-.IX Header "FILE CREATION OPTIONS"
-.Ip "\fB\-export\fR" 4
-.IX Item "-export"
-This option specifies that a PKCS#12 file will be created rather than
-parsed.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies filename to write the PKCS#12 file to. Standard output is used
-by default.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-The filename to read certificates and private keys from, standard input by default.
-They must all be in \s-1PEM\s0 format. The order doesn't matter but one private key and
-its corresponding certificate should be present. If additional certificates are
-present they will also be included in the PKCS#12 file.
-.Ip "\fB\-inkey filename\fR" 4
-.IX Item "-inkey filename"
-file to read private key from. If not present then a private key must be present
-in the input file.
-.Ip "\fB\-name friendlyname\fR" 4
-.IX Item "-name friendlyname"
-This specifies the \*(L"friendly name\*(R" for the certificate and private key. This name
-is typically displayed in list boxes by software importing the file.
-.Ip "\fB\-certfile filename\fR" 4
-.IX Item "-certfile filename"
-A filename to read additional certificates from.
-.Ip "\fB\-caname friendlyname\fR" 4
-.IX Item "-caname friendlyname"
-This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
-used multiple times to specify names for all certificates in the order they
-appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
-displays them.
-.Ip "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
-.IX Item "-pass arg, -passout arg"
-the PKCS#12 file (i.e. output file) password source. For more information about
-the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-openssl(1).
-.Ip "\fB\-passin password\fR" 4
-.IX Item "-passin password"
-pass phrase source to decrypt any input private keys with. For more information
-about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-openssl(1).
-.Ip "\fB\-chain\fR" 4
-.IX Item "-chain"
-if this option is present then an attempt is made to include the entire
-certificate chain of the user certificate. The standard \s-1CA\s0 store is used
-for this search. If the search fails it is considered a fatal error.
-.Ip "\fB\-descert\fR" 4
-.IX Item "-descert"
-encrypt the certificate using triple \s-1DES\s0, this may render the PKCS#12
-file unreadable by some \*(L"export grade\*(R" software. By default the private
-key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0.
-.Ip "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
-.IX Item "-keypbe alg, -certpbe alg"
-these options allow the algorithm used to encrypt the private key and
-certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms
-can be selected it is advisable only to use PKCS#12 algorithms. See the list
-in the \fB\s-1NOTES\s0\fR section for more information.
-.Ip "\fB\-keyex|\-keysig\fR" 4
-.IX Item "-keyex|-keysig"
-specifies that the private key is to be used for key exchange or just signing.
-This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
-\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for
-encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
-option marks the key for signing only. Signing only keys can be used for
-S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client
-authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support
-the use of signing only keys for \s-1SSL\s0 client authentication.
-.Ip "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
-.IX Item "-nomaciter, -noiter"
-these options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
-Unless you wish to produce files compatible with \s-1MSIE\s0 4.0 you should leave
-these options alone.
-.Sp
-To discourage attacks by using large dictionaries of common passwords the
-algorithm that derives keys from passwords can have an iteration count applied
-to it: this causes a certain part of the algorithm to be repeated and slows it
-down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
-have the same password as the keys and certificates it could also be attacked.
-By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, using
-these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
-this reduces the file security you should not use these options unless you
-really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
-\&\s-1MSIE\s0 4.0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
-option.
-.Ip "\fB\-maciter\fR" 4
-.IX Item "-maciter"
-This option is included for compatibility with previous versions, it used
-to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.SH "NOTES"
-.IX Header "NOTES"
-Although there are a large number of options most of them are very rarely
-used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
-for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
-.PP
-If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
-then all certificates will be output in the order they appear in the input
-PKCS#12 files. There is no guarantee that the first certificate present is
-the one corresponding to the private key. Certain software which requires
-a private key and certificate and assumes the first certificate in the
-file is the one corresponding to the private key: this may not always
-be the case. Using the \fB\-clcerts\fR option will solve this problem by only
-outputting the certificate corresponding to the private key. If the \s-1CA\s0
-certificates are required then they can be output to a separate file using
-the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates.
-.PP
-The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
-algorithms for private keys and certificates to be specified. Normally
-the defaults are fine but occasionally software can't handle triple \s-1DES\s0
-encrypted private keys, then the option \fB\-keypbe \s-1PBE-SHA1\-RC2\-40\s0\fR can
-be used to reduce the private key encryption to 40 bit \s-1RC2\s0. A complete
-description of all algorithms is contained in the \fBpkcs8\fR manual page.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Parse a PKCS#12 file and output it to a file:
-.PP
-.Vb 1
-\& openssl pkcs12 -in file.p12 -out file.pem
-.Ve
-Output only client certificates to a file:
-.PP
-.Vb 1
-\& openssl pkcs12 -in file.p12 -clcerts -out file.pem
-.Ve
-Don't encrypt the private key:
-.PP
-.Vb 1
-\& openssl pkcs12 -in file.p12 -out file.pem -nodes
-.Ve
-Print some info about a PKCS#12 file:
-.PP
-.Vb 1
-\& openssl pkcs12 -in file.p12 -info -noout
-.Ve
-Create a PKCS#12 file:
-.PP
-.Vb 1
-\& openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
-.Ve
-Include some extra certificates:
-.PP
-.Vb 2
-\& openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \e
-\& -certfile othercerts.pem
-.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-Some would argue that the PKCS#12 standard is one big bug :\-)
-.PP
-Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
-routines. Under rare circumstances this could produce a PKCS#12 file encrypted
-with an invalid key. As a result some PKCS#12 files which triggered this bug
-from other implementations (\s-1MSIE\s0 or Netscape) could not be decrypted
-by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
-not be decrypted by other implementations. The chances of producing such
-a file are relatively small: less than 1 in 256.
-.PP
-A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
-files cannot no longer be parsed by the fixed version. Under such circumstances
-the \fBpkcs12\fR utility will report that the \s-1MAC\s0 is \s-1OK\s0 but fail with a decryption
-error when extracting private keys.
-.PP
-This problem can be resolved by extracting the private keys and certificates
-from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
-file from the keys and certificates using a newer version of OpenSSL. For example:
-.PP
-.Vb 2
-\& old-openssl -in bad.p12 -out keycerts.pem
-\& openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12
-.Ve
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-pkcs8(1)
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1
deleted file mode 100644
index 4603b97b750b..000000000000
--- a/secure/usr.bin/openssl/man/pkcs7.1
+++ /dev/null
@@ -1,230 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "PKCS7 1"
-.TH PKCS7 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-pkcs7 \- PKCS#7 utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBpkcs7\fR
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-print_certs\fR]
-[\fB\-text\fR]
-[\fB\-noout\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7
-v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read from or standard input if this
-option is not specified.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-specifies the output filename to write to or standard output by
-default.
-.Ip "\fB\-print_certs\fR" 4
-.IX Item "-print_certs"
-prints out any certificates or CRLs contained in the file. They are
-preceded by their subject and issuer names in one line format.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-prints out certificates details in full rather than just subject and
-issuer names.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-don't output the encoded version of the PKCS#7 structure (or certificates
-is \fB\-print_certs\fR is set).
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0
-.PP
-.Vb 1
-\& openssl pkcs7 -in file.pem -outform DER -out file.der
-.Ve
-Output all certificates in a file:
-.PP
-.Vb 1
-\& openssl pkcs7 -in file.pem -print_certs -out certs.pem
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 PKCS#7 format uses the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN PKCS7-----
-\& -----END PKCS7-----
-.Ve
-For compatibility with some CAs it will also accept:
-.PP
-.Vb 2
-\& -----BEGIN CERTIFICATE-----
-\& -----END CERTIFICATE-----
-.Ve
-.SH "RESTRICTIONS"
-.IX Header "RESTRICTIONS"
-There is no option to print out all the fields of a PKCS#7 file.
-.PP
-This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they
-cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630\s0.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-crl2pkcs7(1)
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1
deleted file mode 100644
index 198138c17278..000000000000
--- a/secure/usr.bin/openssl/man/pkcs8.1
+++ /dev/null
@@ -1,355 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "PKCS8 1"
-.TH PKCS8 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-pkcs8 \- PKCS#8 format private key conversion tool
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBpkcs8\fR
-[\fB\-topk8\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
-[\fB\-noiter\fR]
-[\fB\-nocrypt\fR]
-[\fB\-nooct\fR]
-[\fB\-embed\fR]
-[\fB\-nsdb\fR]
-[\fB\-v2 alg\fR]
-[\fB\-v1 alg\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBpkcs8\fR command processes private keys in PKCS#8 format. It can handle
-both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
-format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-topk8\fR" 4
-.IX Item "-topk8"
-Normally a PKCS#8 private key is expected on input and a traditional format
-private key will be written. With the \fB\-topk8\fR option the situation is
-reversed: it reads a traditional format private key and writes a PKCS#8
-format key.
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. If a PKCS#8 format key is expected on input
-then either a \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR encoded version of a PKCS#8 key will be
-expected. Otherwise the \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR format of the traditional format
-private key is used.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
-.Ip "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename to write a key to or standard output by
-default. If any encryption options are set then a pass phrase will be
-prompted for. The output filename should \fBnot\fR be the same as the input
-filename.
-.Ip "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-nocrypt\fR" 4
-.IX Item "-nocrypt"
-PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
-structures using an appropriate password based encryption algorithm. With
-this option an unencrypted PrivateKeyInfo structure is expected or output.
-This option does not encrypt private keys at all and should only be used
-when absolutely necessary. Certain software such as some versions of Java
-code signing software used unencrypted private keys.
-.Ip "\fB\-nooct\fR" 4
-.IX Item "-nooct"
-This option generates \s-1RSA\s0 private keys in a broken format that some software
-uses. Specifically the private key should be enclosed in a \s-1OCTET\s0 \s-1STRING\s0
-but some software just includes the structure itself without the
-surrounding \s-1OCTET\s0 \s-1STRING\s0.
-.Ip "\fB\-embed\fR" 4
-.IX Item "-embed"
-This option generates \s-1DSA\s0 keys in a broken format. The \s-1DSA\s0 parameters are
-embedded inside the PrivateKey structure. In this form the \s-1OCTET\s0 \s-1STRING\s0
-contains an \s-1ASN1\s0 \s-1SEQUENCE\s0 consisting of two structures: a \s-1SEQUENCE\s0 containing
-the parameters and an \s-1ASN1\s0 \s-1INTEGER\s0 containing the private key.
-.Ip "\fB\-nsdb\fR" 4
-.IX Item "-nsdb"
-This option generates \s-1DSA\s0 keys in a broken format compatible with Netscape
-private key databases. The PrivateKey contains a \s-1SEQUENCE\s0 consisting of
-the public and private keys respectively.
-.Ip "\fB\-v2 alg\fR" 4
-.IX Item "-v2 alg"
-This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
-private keys are encrypted with the password based encryption algorithm
-called \fBpbeWithMD5AndDES-CBC\fR this uses 56 bit \s-1DES\s0 encryption but it
-was the strongest encryption algorithm supported in PKCS#5 v1.5. Using
-the \fB\-v2\fR option PKCS#5 v2.0 algorithms are used which can use any
-encryption algorithm such as 168 bit triple \s-1DES\s0 or 128 bit \s-1RC2\s0 however
-not many implementations support PKCS#5 v2.0 yet. If you are just using
-private keys with OpenSSL then this doesn't matter.
-.Sp
-The \fBalg\fR argument is the encryption algorithm to use, valid values include
-\&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used.
-.Ip "\fB\-v1 alg\fR" 4
-.IX Item "-v1 alg"
-This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
-list of possible algorithms is included below.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "NOTES"
-.IX Header "NOTES"
-The encrypted form of a \s-1PEM\s0 encode PKCS#8 files uses the following
-headers and footers:
-.PP
-.Vb 2
-\& -----BEGIN ENCRYPTED PRIVATE KEY-----
-\& -----END ENCRYPTED PRIVATE KEY-----
-.Ve
-The unencrypted form uses:
-.PP
-.Vb 2
-\& -----BEGIN PRIVATE KEY-----
-\& -----END PRIVATE KEY-----
-.Ve
-Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
-counts are more secure that those encrypted using the traditional
-SSLeay compatible formats. So if additional security is considered
-important the keys should be converted.
-.PP
-The default encryption is only 56 bits because this is the encryption
-that most current implementations of PKCS#8 will support.
-.PP
-Some software may use PKCS#12 password based encryption algorithms
-with PKCS#8 format private keys: these are handled automatically
-but there is no option to produce them.
-.PP
-It is possible to write out \s-1DER\s0 encoded encrypted private keys in
-PKCS#8 format because the encryption details are included at an \s-1ASN1\s0
-level whereas the traditional format includes them at a \s-1PEM\s0 level.
-.SH "PKCS#5 v1.5 and PKCS#12 algorithms."
-.IX Header "PKCS#5 v1.5 and PKCS#12 algorithms."
-Various algorithms can be used with the \fB\-v1\fR command line option,
-including PKCS#5 v1.5 and PKCS#12. These are described in more detail
-below.
-.Ip "\fB\s-1PBE-MD2\-DES\s0 \s-1PBE-MD5\-DES\s0\fR" 4
-.IX Item "PBE-MD2-DES PBE-MD5-DES"
-These algorithms were included in the original PKCS#5 v1.5 specification.
-They only offer 56 bits of protection since they both use \s-1DES\s0.
-.Ip "\fB\s-1PBE-SHA1\-RC2\-64\s0 \s-1PBE-MD2\-RC2\-64\s0 \s-1PBE-MD5\-RC2\-64\s0 \s-1PBE-SHA1\-DES\s0\fR" 4
-.IX Item "PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES"
-These algorithms are not mentioned in the original PKCS#5 v1.5 specification
-but they use the same key derivation algorithm and are supported by some
-software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or
-56 bit \s-1DES\s0.
-.Ip "\fB\s-1PBE-SHA1\-RC4\-128\s0 \s-1PBE-SHA1\-RC4\-40\s0 \s-1PBE-SHA1\-3DES\s0 \s-1PBE-SHA1\-2DES\s0 \s-1PBE-SHA1\-RC2\-128\s0 \s-1PBE-SHA1\-RC2\-40\s0\fR" 4
-.IX Item "PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40"
-These algorithms use the PKCS#12 password based encryption algorithm and
-allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Convert a private from traditional to PKCS#5 v2.0 format using triple
-\&\s-1DES:\s0
-.PP
-.Vb 1
-\& openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
-.Ve
-Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
-(\s-1DES\s0):
-.PP
-.Vb 1
-\& openssl pkcs8 -in key.pem -topk8 -out enckey.pem
-.Ve
-Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
-(3DES):
-.PP
-.Vb 1
-\& openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
-.Ve
-Read a \s-1DER\s0 unencrypted PKCS#8 format private key:
-.PP
-.Vb 1
-\& openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
-.Ve
-Convert a private key from any PKCS#8 format to traditional format:
-.PP
-.Vb 1
-\& openssl pkcs8 -in pk8.pem -out key.pem
-.Ve
-.SH "STANDARDS"
-.IX Header "STANDARDS"
-Test vectors from this PKCS#5 v2.0 implementation were posted to the
-pkcs-tng mailing list using triple \s-1DES\s0, \s-1DES\s0 and \s-1RC2\s0 with high iteration
-counts, several people confirmed that they could decrypt the private
-keys produced and Therefore it can be assumed that the PKCS#5 v2.0
-implementation is reasonably accurate at least as far as these
-algorithms are concerned.
-.PP
-The format of PKCS#8 \s-1DSA\s0 (and other) private keys is not well documented:
-it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0
-PKCS#8 private key format complies with this standard.
-.SH "BUGS"
-.IX Header "BUGS"
-There should be an option that prints out the encryption algorithm
-in use and other details such as the iteration count.
-.PP
-PKCS#8 using triple \s-1DES\s0 and PKCS#5 v2.0 should be the default private
-key format for OpenSSL: for compatibility several of the utilities use
-the old format at present.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-dsa(1), rsa(1), genrsa(1),
-gendsa(1)
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1
deleted file mode 100644
index 0f50a63bfaf2..000000000000
--- a/secure/usr.bin/openssl/man/rand.1
+++ /dev/null
@@ -1,177 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "RAND 1"
-.TH RAND 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-rand \- generate pseudo-random bytes
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl rand\fR
-[\fB\-out\fR \fIfile\fR]
-[\fB\-rand\fR \fI\fIfile\fI\|(s)\fR]
-[\fB\-base64\fR]
-\&\fInum\fR
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding
-the random number generator once. As in other \fBopenssl\fR command
-line tools, \s-1PRNG\s0 seeding uses the file \fI$HOME/\fR\fB.rnd\fR or \fB.rnd\fR
-in addition to the files given in the \fB\-rand\fR option. A new
-\&\fI$HOME\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough
-seeding was obtained from these sources.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-out\fR \fIfile\fR" 4
-.IX Item "-out file"
-Write to \fIfile\fR instead of standard output.
-.Ip "\fB\-rand\fR \fI\fIfile\fI\|(s)\fR" 4
-.IX Item "-rand file"
-Use specified file or files or \s-1EGD\s0 socket (see RAND_egd(3))
-for seeding the random number generator.
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.Ip "\fB\-base64\fR" 4
-.IX Item "-base64"
-Perform base64 encoding on the output.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-RAND_bytes(3)
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1
deleted file mode 100644
index 7f2ee69fdeac..000000000000
--- a/secure/usr.bin/openssl/man/req.1
+++ /dev/null
@@ -1,700 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "REQ 1"
-.TH REQ 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-req \- PKCS#10 certificate request and certificate generating utility.
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBreq\fR
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
-[\fB\-text\fR]
-[\fB\-pubkey\fR]
-[\fB\-noout\fR]
-[\fB\-verify\fR]
-[\fB\-modulus\fR]
-[\fB\-new\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
-[\fB\-newkey rsa:bits\fR]
-[\fB\-newkey dsa:file\fR]
-[\fB\-nodes\fR]
-[\fB\-key filename\fR]
-[\fB\-keyform PEM|DER\fR]
-[\fB\-keyout filename\fR]
-[\fB\-[md5|sha1|md2|mdc2]\fR]
-[\fB\-config filename\fR]
-[\fB\-subj arg\fR]
-[\fB\-x509\fR]
-[\fB\-days n\fR]
-[\fB\-set_serial n\fR]
-[\fB\-asn1\-kludge\fR]
-[\fB\-newhdr\fR]
-[\fB\-extensions section\fR]
-[\fB\-reqexts section\fR]
-[\fB\-utf8\fR]
-[\fB\-nameopt\fR]
-[\fB\-batch\fR]
-[\fB\-verbose\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBreq\fR command primarily creates and processes certificate requests
-in PKCS#10 format. It can additionally create self signed certificates
-for use as root CAs for example.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
-form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it
-consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and
-footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a request from or standard input
-if this option is not specified. A request is only read if the creation
-options (\fB\-new\fR and \fB\-newkey\fR) are not specified.
-.Ip "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename to write to or standard output by
-default.
-.Ip "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-prints out the certificate request in text form.
-.Ip "\fB\-pubkey\fR" 4
-.IX Item "-pubkey"
-outputs the public key.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option prevents output of the encoded version of the request.
-.Ip "\fB\-modulus\fR" 4
-.IX Item "-modulus"
-this option prints out the value of the modulus of the public key
-contained in the request.
-.Ip "\fB\-verify\fR" 4
-.IX Item "-verify"
-verifies the signature on the request.
-.Ip "\fB\-new\fR" 4
-.IX Item "-new"
-this option generates a new certificate request. It will prompt
-the user for the relevant field values. The actual fields
-prompted for and their maximum and minimum sizes are specified
-in the configuration file and any requested extensions.
-.Sp
-If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private
-key using information specified in the configuration file.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.Ip "\fB\-newkey arg\fR" 4
-.IX Item "-newkey arg"
-this option creates a new certificate request and a new private
-key. The argument takes one of two forms. \fBrsa:nbits\fR, where
-\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR
-in size. \fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters
-in the file \fBfilename\fR.
-.Ip "\fB\-key filename\fR" 4
-.IX Item "-key filename"
-This specifies the file to read the private key from. It also
-accepts PKCS#8 format private keys for \s-1PEM\s0 format files.
-.Ip "\fB\-keyform PEM|DER\fR" 4
-.IX Item "-keyform PEM|DER"
-the format of the private key file specified in the \fB\-key\fR
-argument. \s-1PEM\s0 is the default.
-.Ip "\fB\-keyout filename\fR" 4
-.IX Item "-keyout filename"
-this gives the filename to write the newly created private key to.
-If this option is not specified then the filename present in the
-configuration file is used.
-.Ip "\fB\-nodes\fR" 4
-.IX Item "-nodes"
-if this option is specified then if a private key is created it
-will not be encrypted.
-.Ip "\fB\-[md5|sha1|md2|mdc2]\fR" 4
-.IX Item "-[md5|sha1|md2|mdc2]"
-this specifies the message digest to sign the request with. This
-overrides the digest algorithm specified in the configuration file.
-This option is ignored for \s-1DSA\s0 requests: they always use \s-1SHA1\s0.
-.Ip "\fB\-config filename\fR" 4
-.IX Item "-config filename"
-this allows an alternative configuration file to be specified,
-this overrides the compile time filename or any specified in
-the \fB\s-1OPENSSL_CONF\s0\fR environment variable.
-.Ip "\fB\-subj arg\fR" 4
-.IX Item "-subj arg"
-sets subject name for new request or supersedes the subject name
-when processing a request.
-The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
-characters may be escaped by \e (backslash), no spaces are skipped.
-.Ip "\fB\-x509\fR" 4
-.IX Item "-x509"
-this option outputs a self signed certificate instead of a certificate
-request. This is typically used to generate a test certificate or
-a self signed root \s-1CA\s0. The extensions added to the certificate
-(if any) are specified in the configuration file. Unless specified
-using the \fBset_serial\fR option \fB0\fR will be used for the serial
-number.
-.Ip "\fB\-days n\fR" 4
-.IX Item "-days n"
-when the \fB\-x509\fR option is being used this specifies the number of
-days to certify the certificate for. The default is 30 days.
-.Ip "\fB\-set_serial n\fR" 4
-.IX Item "-set_serial n"
-serial number to use when outputting a self signed certificate. This
-may be specified as a decimal value or a hex value if preceded by \fB0x\fR.
-It is possible to use negative serial numbers but this is not recommended.
-.Ip "\fB\-extensions section\fR" 4
-.IX Item "-extensions section"
-.PD 0
-.Ip "\fB\-reqexts section\fR" 4
-.IX Item "-reqexts section"
-.PD
-these options specify alternative sections to include certificate
-extensions (if the \fB\-x509\fR option is present) or certificate
-request extensions. This allows several different sections to
-be used in the same configuration file to specify requests for
-a variety of purposes.
-.Ip "\fB\-utf8\fR" 4
-.IX Item "-utf8"
-this option causes field values to be interpreted as \s-1UTF8\s0 strings, by
-default they are interpreted as \s-1ASCII\s0. This means that the field
-values, whether prompted from a terminal or obtained from a
-configuration file, must be valid \s-1UTF8\s0 strings.
-.Ip "\fB\-nameopt option\fR" 4
-.IX Item "-nameopt option"
-option which determines how the subject or issuer names are displayed. The
-\&\fBoption\fR argument can be a single option or multiple options separated by
-commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the x509(1) manual page for details.
-.Ip "\fB\-asn1\-kludge\fR" 4
-.IX Item "-asn1-kludge"
-by default the \fBreq\fR command outputs certificate requests containing
-no attributes in the correct PKCS#10 format. However certain CAs will only
-accept requests containing no attributes in an invalid form: this
-option produces this invalid format.
-.Sp
-More precisely the \fBAttributes\fR in a PKCS#10 certificate request
-are defined as a \fB\s-1SET\s0 \s-1OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so
-if no attributes are present then they should be encoded as an
-empty \fB\s-1SET\s0 \s-1OF\s0\fR. The invalid form does not include the empty
-\&\fB\s-1SET\s0 \s-1OF\s0\fR whereas the correct form does.
-.Sp
-It should be noted that very few CAs still require the use of this option.
-.Ip "\fB\-newhdr\fR" 4
-.IX Item "-newhdr"
-Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputed
-request. Some software (Netscape certificate server) and some CAs need this.
-.Ip "\fB\-batch\fR" 4
-.IX Item "-batch"
-non-interactive mode.
-.Ip "\fB\-verbose\fR" 4
-.IX Item "-verbose"
-print extra details about the operations being performed.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "CONFIGURATION FILE FORMAT"
-.IX Header "CONFIGURATION FILE FORMAT"
-The configuration options are specified in the \fBreq\fR section of
-the configuration file. As with all configuration files if no
-value is specified in the specific section (i.e. \fBreq\fR) then
-the initial unnamed or \fBdefault\fR section is searched too.
-.PP
-The options available are described in detail below.
-.Ip "\fBinput_password output_password\fR" 4
-.IX Item "input_password output_password"
-The passwords for the input private key file (if present) and
-the output private key file (if one will be created). The
-command line options \fBpassin\fR and \fBpassout\fR override the
-configuration file values.
-.Ip "\fBdefault_bits\fR" 4
-.IX Item "default_bits"
-This specifies the default key size in bits. If not specified then
-512 is used. It is used if the \fB\-new\fR option is used. It can be
-overridden by using the \fB\-newkey\fR option.
-.Ip "\fBdefault_keyfile\fR" 4
-.IX Item "default_keyfile"
-This is the default filename to write a private key to. If not
-specified the key is written to standard output. This can be
-overridden by the \fB\-keyout\fR option.
-.Ip "\fBoid_file\fR" 4
-.IX Item "oid_file"
-This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
-Each line of the file should consist of the numerical form of the
-object identifier followed by white space then the short name followed
-by white space and finally the long name.
-.Ip "\fBoid_section\fR" 4
-.IX Item "oid_section"
-This specifies a section in the configuration file containing extra
-object identifiers. Each line should consist of the short name of the
-object identifier followed by \fB=\fR and the numerical form. The short
-and long names are the same when this option is used.
-.Ip "\fB\s-1RANDFILE\s0\fR" 4
-.IX Item "RANDFILE"
-This specifies a filename in which random number seed information is
-placed and read from, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-It is used for private key generation.
-.Ip "\fBencrypt_key\fR" 4
-.IX Item "encrypt_key"
-If this is set to \fBno\fR then if a private key is generated it is
-\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line
-option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option.
-.Ip "\fBdefault_md\fR" 4
-.IX Item "default_md"
-This option specifies the digest algorithm to use. Possible values
-include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This
-option can be overridden on the command line.
-.Ip "\fBstring_mask\fR" 4
-.IX Item "string_mask"
-This option masks out the use of certain string types in certain
-fields. Most users will not need to change this option.
-.Sp
-It can be set to several values \fBdefault\fR which is also the default
-option uses PrintableStrings, T61Strings and BMPStrings if the
-\&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will
-be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0. If the
-\&\fButf8only\fR option is used then only UTF8Strings will be used: this
-is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR
-option just uses PrintableStrings and T61Strings: certain software has
-problems with BMPStrings and UTF8Strings: in particular Netscape.
-.Ip "\fBreq_extensions\fR" 4
-.IX Item "req_extensions"
-this specifies the configuration file section containing a list of
-extensions to add to the certificate request. It can be overridden
-by the \fB\-reqexts\fR command line switch.
-.Ip "\fBx509_extensions\fR" 4
-.IX Item "x509_extensions"
-this specifies the configuration file section containing a list of
-extensions to add to certificate generated when the \fB\-x509\fR switch
-is used. It can be overridden by the \fB\-extensions\fR command line switch.
-.Ip "\fBprompt\fR" 4
-.IX Item "prompt"
-if set to the value \fBno\fR this disables prompting of certificate fields
-and just takes values from the config file directly. It also changes the
-expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections.
-.Ip "\fButf8\fR" 4
-.IX Item "utf8"
-if set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0
-strings, by default they are interpreted as \s-1ASCII\s0. This means that
-the field values, whether prompted from a terminal or obtained from a
-configuration file, must be valid \s-1UTF8\s0 strings.
-.Ip "\fBattributes\fR" 4
-.IX Item "attributes"
-this specifies the section containing any request attributes: its format
-is the same as \fBdistinguished_name\fR. Typically these may contain the
-challengePassword or unstructuredName types. They are currently ignored
-by OpenSSL's request signing utilities but some CAs might want them.
-.Ip "\fBdistinguished_name\fR" 4
-.IX Item "distinguished_name"
-This specifies the section containing the distinguished name fields to
-prompt for when generating a certificate or certificate request. The format
-is described in the next section.
-.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
-.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
-There are two separate formats for the distinguished name and attribute
-sections. If the \fBprompt\fR option is set to \fBno\fR then these sections
-just consist of field names and values: for example,
-.PP
-.Vb 3
-\& CN=My Name
-\& OU=My Organization
-\& emailAddress=someone@somewhere.org
-.Ve
-This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file
-with all the field names and values and just pass it to \fBreq\fR. An example
-of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section.
-.PP
-Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the
-file contains field prompting information. It consists of lines of the form:
-.PP
-.Vb 4
-\& fieldName="prompt"
-\& fieldName_default="default field value"
-\& fieldName_min= 2
-\& fieldName_max= 4
-.Ve
-\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0).
-The \*(L"prompt\*(R" string is used to ask the user to enter the relevant
-details. If the user enters nothing then the default value is used if no
-default value is present then the field is omitted. A field can
-still be omitted if a default value is present if the user just
-enters the '.' character.
-.PP
-The number of characters entered must be between the fieldName_min and
-fieldName_max limits: there may be additional restrictions based
-on the field being used (for example countryName can only ever be
-two characters long and must fit in a PrintableString).
-.PP
-Some fields (such as organizationName) can be used more than once
-in a \s-1DN\s0. This presents a problem because configuration files will
-not recognize the same name occurring twice. To avoid this problem
-if the fieldName contains some characters followed by a full stop
-they will be ignored. So for example a second organizationName can
-be input by calling it \*(L"1.organizationName\*(R".
-.PP
-The actual permitted field names are any object identifier short or
-long names. These are compiled into OpenSSL and include the usual
-values such as commonName, countryName, localityName, organizationName,
-organizationUnitName, stateOrProvinceName. Additionally emailAddress
-is include as well as name, surname, givenName initials and dnQualifier.
-.PP
-Additional object identifiers can be defined with the \fBoid_file\fR or
-\&\fBoid_section\fR options in the configuration file. Any additional fields
-will be treated as though they were a DirectoryString.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Examine and verify certificate request:
-.PP
-.Vb 1
-\& openssl req -in req.pem -text -verify -noout
-.Ve
-Create a private key and then generate a certificate request from it:
-.PP
-.Vb 2
-\& openssl genrsa -out key.pem 1024
-\& openssl req -new -key key.pem -out req.pem
-.Ve
-The same but just using req:
-.PP
-.Vb 1
-\& openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
-.Ve
-Generate a self signed root certificate:
-.PP
-.Vb 1
-\& openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
-.Ve
-Example of a file pointed to by the \fBoid_file\fR option:
-.PP
-.Vb 2
-\& 1.2.3.4 shortName A longer Name
-\& 1.2.3.6 otherName Other longer Name
-.Ve
-Example of a section pointed to by \fBoid_section\fR making use of variable
-expansion:
-.PP
-.Vb 2
-\& testoid1=1.2.3.5
-\& testoid2=${testoid1}.6
-.Ve
-Sample configuration file prompting for field values:
-.PP
-.Vb 6
-\& [ req ]
-\& default_bits = 1024
-\& default_keyfile = privkey.pem
-\& distinguished_name = req_distinguished_name
-\& attributes = req_attributes
-\& x509_extensions = v3_ca
-.Ve
-.Vb 1
-\& dirstring_type = nobmp
-.Ve
-.Vb 5
-\& [ req_distinguished_name ]
-\& countryName = Country Name (2 letter code)
-\& countryName_default = AU
-\& countryName_min = 2
-\& countryName_max = 2
-.Ve
-.Vb 1
-\& localityName = Locality Name (eg, city)
-.Ve
-.Vb 1
-\& organizationalUnitName = Organizational Unit Name (eg, section)
-.Ve
-.Vb 2
-\& commonName = Common Name (eg, YOUR name)
-\& commonName_max = 64
-.Ve
-.Vb 2
-\& emailAddress = Email Address
-\& emailAddress_max = 40
-.Ve
-.Vb 4
-\& [ req_attributes ]
-\& challengePassword = A challenge password
-\& challengePassword_min = 4
-\& challengePassword_max = 20
-.Ve
-.Vb 1
-\& [ v3_ca ]
-.Ve
-.Vb 3
-\& subjectKeyIdentifier=hash
-\& authorityKeyIdentifier=keyid:always,issuer:always
-\& basicConstraints = CA:true
-.Ve
-Sample configuration containing all field values:
-.PP
-.Vb 1
-\& RANDFILE = $ENV::HOME/.rnd
-.Ve
-.Vb 7
-\& [ req ]
-\& default_bits = 1024
-\& default_keyfile = keyfile.pem
-\& distinguished_name = req_distinguished_name
-\& attributes = req_attributes
-\& prompt = no
-\& output_password = mypass
-.Ve
-.Vb 8
-\& [ req_distinguished_name ]
-\& C = GB
-\& ST = Test State or Province
-\& L = Test Locality
-\& O = Organization Name
-\& OU = Organizational Unit Name
-\& CN = Common Name
-\& emailAddress = test@email.address
-.Ve
-.Vb 2
-\& [ req_attributes ]
-\& challengePassword = A challenge password
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The header and footer lines in the \fB\s-1PEM\s0\fR format are normally:
-.PP
-.Vb 2
-\& -----BEGIN CERTIFICATE REQUEST-----
-\& -----END CERTIFICATE REQUEST-----
-.Ve
-some software (some versions of Netscape certificate server) instead needs:
-.PP
-.Vb 2
-\& -----BEGIN NEW CERTIFICATE REQUEST-----
-\& -----END NEW CERTIFICATE REQUEST-----
-.Ve
-which is produced with the \fB\-newhdr\fR option but is otherwise compatible.
-Either form is accepted transparently on input.
-.PP
-The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions
-added. It includes the \fBkeyUsage\fR extension which determines the type of
-key (signature only or general purpose) and any additional OIDs entered
-by the script in an extendedKeyUsage extension.
-.SH "DIAGNOSTICS"
-.IX Header "DIAGNOSTICS"
-The following messages are frequently asked about:
-.PP
-.Vb 2
-\& Using configuration from /some/path/openssl.cnf
-\& Unable to load config info
-.Ve
-This is followed some time later by...
-.PP
-.Vb 2
-\& unable to find 'distinguished_name' in config
-\& problems making Certificate Request
-.Ve
-The first error message is the clue: it can't find the configuration
-file! Certain operations (like examining a certificate request) don't
-need a configuration file so its use isn't enforced. Generation of
-certificates or requests however does need a configuration file. This
-could be regarded as a bug.
-.PP
-Another puzzling message is this:
-.PP
-.Vb 2
-\& Attributes:
-\& a0:00
-.Ve
-this is displayed when no attributes are present and the request includes
-the correct empty \fB\s-1SET\s0 \s-1OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0
-0x00). If you just see:
-.PP
-.Vb 1
-\& Attributes:
-.Ve
-then the \fB\s-1SET\s0 \s-1OF\s0\fR is missing and the encoding is technically invalid (but
-it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR
-for more information.
-.SH "ENVIRONMENT VARIABLES"
-.IX Header "ENVIRONMENT VARIABLES"
-The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration
-file location to be specified, it will be overridden by the \fB\-config\fR command
-line switch if it is present. For compatibility reasons the \fB\s-1SSLEAY_CONF\s0\fR
-environment variable serves the same purpose but its use is discouraged.
-.SH "BUGS"
-.IX Header "BUGS"
-OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
-treats them as \s-1ISO-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
-This can cause problems if you need characters that aren't available in
-PrintableStrings and you don't want to or can't use BMPStrings.
-.PP
-As a consequence of the T61String handling the only correct way to represent
-accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
-currently chokes on these. If you have to use accented characters with Netscape
-and \s-1MSIE\s0 then you currently need to use the invalid T61String form.
-.PP
-The current prompting is not very friendly. It doesn't allow you to confirm what
-you've just entered. Other things like extensions in certificate requests are
-statically defined in the configuration file. Some of these: like an email
-address in subjectAltName should be input by the user.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-x509(1), ca(1), genrsa(1),
-gendsa(1), config(5)
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1
deleted file mode 100644
index ec6a38154a46..000000000000
--- a/secure/usr.bin/openssl/man/rsa.1
+++ /dev/null
@@ -1,308 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:36 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "RSA 1"
-.TH RSA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-rsa \- \s-1RSA\s0 key processing tool
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBrsa\fR
-[\fB\-inform PEM|NET|DER\fR]
-[\fB\-outform PEM|NET|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
-[\fB\-sgckey\fR]
-[\fB\-des\fR]
-[\fB\-des3\fR]
-[\fB\-idea\fR]
-[\fB\-text\fR]
-[\fB\-noout\fR]
-[\fB\-modulus\fR]
-[\fB\-check\fR]
-[\fB\-pubin\fR]
-[\fB\-pubout\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBrsa\fR command processes \s-1RSA\s0 keys. They can be converted between various
-forms and their components printed out. \fBNote\fR this command uses the
-traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
-utility.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|NET|PEM\fR" 4
-.IX Item "-inform DER|NET|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
-form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
-The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
-encoded with additional header and footer lines. On input PKCS#8 format private
-keys are also accepted. The \fB\s-1NET\s0\fR form is a format is described in the \fB\s-1NOTES\s0\fR
-section.
-.Ip "\fB\-outform DER|NET|PEM\fR" 4
-.IX Item "-outform DER|NET|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
-.Ip "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename to write a key to or standard output if this
-option is not specified. If any encryption options are set then a pass phrase
-will be prompted for. The output filename should \fBnot\fR be the same as the input
-filename.
-.Ip "\fB\-passout password\fR" 4
-.IX Item "-passout password"
-the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-sgckey\fR" 4
-.IX Item "-sgckey"
-use the modified \s-1NET\s0 algorithm used with some versions of Microsoft \s-1IIS\s0 and \s-1SGC\s0
-keys.
-.Ip "\fB\-des|\-des3|\-idea\fR" 4
-.IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the
-\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
-If none of these options is specified the key is written in plain text. This
-means that using the \fBrsa\fR utility to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
-These options can only be used with \s-1PEM\s0 format output files.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-prints out the various public or private key components in
-plain text in addition to the encoded version.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option prevents output of the encoded version of the key.
-.Ip "\fB\-modulus\fR" 4
-.IX Item "-modulus"
-this option prints out the value of the modulus of the key.
-.Ip "\fB\-check\fR" 4
-.IX Item "-check"
-this option checks the consistency of an \s-1RSA\s0 private key.
-.Ip "\fB\-pubin\fR" 4
-.IX Item "-pubin"
-by default a private key is read from the input file: with this
-option a public key is read instead.
-.Ip "\fB\-pubout\fR" 4
-.IX Item "-pubout"
-by default a private key is output: with this option a public
-key will be output instead. This option is automatically set if
-the input is a public key.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 private key format uses the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN RSA PRIVATE KEY-----
-\& -----END RSA PRIVATE KEY-----
-.Ve
-The \s-1PEM\s0 public key format uses the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN PUBLIC KEY-----
-\& -----END PUBLIC KEY-----
-.Ve
-The \fB\s-1NET\s0\fR form is a format compatible with older Netscape servers
-and Microsoft \s-1IIS\s0 .key files, this uses unsalted \s-1RC4\s0 for its encryption.
-It is not very secure and so should only be used when necessary.
-.PP
-Some newer version of \s-1IIS\s0 have additional data in the exported .key
-files. To use these with the utility, view the file with a binary editor
-and look for the string \*(L"private-key\*(R", then trace back to the byte
-sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data
-from this point onwards to another file and use that as the input
-to the \fBrsa\fR utility with the \fB\-inform \s-1NET\s0\fR option. If you get
-an error after entering the password try the \fB\-sgckey\fR option.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-To remove the pass phrase on an \s-1RSA\s0 private key:
-.PP
-.Vb 1
-\& openssl rsa -in key.pem -out keyout.pem
-.Ve
-To encrypt a private key using triple \s-1DES:\s0
-.PP
-.Vb 1
-\& openssl rsa -in key.pem -des3 -out keyout.pem
-.Ve
-To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
-.PP
-.Vb 1
-\& openssl rsa -in key.pem -outform DER -out keyout.der
-.Ve
-To print out the components of a private key to standard output:
-.PP
-.Vb 1
-\& openssl rsa -in key.pem -text -noout
-.Ve
-To just output the public part of a private key:
-.PP
-.Vb 1
-\& openssl rsa -in key.pem -pubout -out pubkey.pem
-.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-The command line password arguments don't currently work with
-\&\fB\s-1NET\s0\fR format.
-.PP
-There should be an option that automatically handles .key files,
-without having to manually edit them.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-pkcs8(1), dsa(1), genrsa(1),
-gendsa(1)
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1
deleted file mode 100644
index 0ba4a9df2362..000000000000
--- a/secure/usr.bin/openssl/man/rsautl.1
+++ /dev/null
@@ -1,312 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:36 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "RSAUTL 1"
-.TH RSAUTL 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-rsautl \- \s-1RSA\s0 utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBrsautl\fR
-[\fB\-in file\fR]
-[\fB\-out file\fR]
-[\fB\-inkey file\fR]
-[\fB\-pubin\fR]
-[\fB\-certin\fR]
-[\fB\-sign\fR]
-[\fB\-verify\fR]
-[\fB\-encrypt\fR]
-[\fB\-decrypt\fR]
-[\fB\-pkcs\fR]
-[\fB\-ssl\fR]
-[\fB\-raw\fR]
-[\fB\-hexdump\fR]
-[\fB\-asn1parse\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt
-data using the \s-1RSA\s0 algorithm.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read data from or standard input
-if this option is not specified.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-specifies the output filename to write to or standard output by
-default.
-.Ip "\fB\-inkey file\fR" 4
-.IX Item "-inkey file"
-the input key file, by default it should be an \s-1RSA\s0 private key.
-.Ip "\fB\-pubin\fR" 4
-.IX Item "-pubin"
-the input file is an \s-1RSA\s0 public key.
-.Ip "\fB\-certin\fR" 4
-.IX Item "-certin"
-the input is a certificate containing an \s-1RSA\s0 public key.
-.Ip "\fB\-sign\fR" 4
-.IX Item "-sign"
-sign the input data and output the signed result. This requires
-and \s-1RSA\s0 private key.
-.Ip "\fB\-verify\fR" 4
-.IX Item "-verify"
-verify the input data and output the recovered data.
-.Ip "\fB\-encrypt\fR" 4
-.IX Item "-encrypt"
-encrypt the input data using an \s-1RSA\s0 public key.
-.Ip "\fB\-decrypt\fR" 4
-.IX Item "-decrypt"
-decrypt the input data using an \s-1RSA\s0 private key.
-.Ip "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4
-.IX Item "-pkcs, -oaep, -ssl, -raw"
-the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP\s0,
-special padding used in \s-1SSL\s0 v2 backwards compatible handshakes,
-or no padding, respectively.
-For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used.
-.Ip "\fB\-hexdump\fR" 4
-.IX Item "-hexdump"
-hex dump the output data.
-.Ip "\fB\-asn1parse\fR" 4
-.IX Item "-asn1parse"
-asn1parse the output data, this is useful when combined with the
-\&\fB\-verify\fR option.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\fBrsautl\fR because it uses the \s-1RSA\s0 algorithm directly can only be
-used to sign or verify small pieces of data.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Sign some data using a private key:
-.PP
-.Vb 1
-\& openssl rsautl -sign -in file -inkey key.pem -out sig
-.Ve
-Recover the signed data
-.PP
-.Vb 1
-\& openssl rsautl -verify -in sig -inkey key.pem
-.Ve
-Examine the raw signed data:
-.PP
-.Vb 1
-\& openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
-.Ve
-.Vb 8
-\& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
-\& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
-\& 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
-\& 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
-\& 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
-\& 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
-\& 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
-\& 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64 .....hello world
-.Ve
-The PKCS#1 block formatting is evident from this. If this was done using
-encrypt and decrypt the block would have been of type 2 (the second byte)
-and random padding data visible instead of the 0xff bytes.
-.PP
-It is possible to analyse the signature of certificates using this
-utility in conjunction with \fBasn1parse\fR. Consider the self signed
-example in certs/pca-cert.pem . Running \fBasn1parse\fR as follows yields:
-.PP
-.Vb 1
-\& openssl asn1parse -in pca-cert.pem
-.Ve
-.Vb 18
-\& 0:d=0 hl=4 l= 742 cons: SEQUENCE
-\& 4:d=1 hl=4 l= 591 cons: SEQUENCE
-\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
-\& 10:d=3 hl=2 l= 1 prim: INTEGER :02
-\& 13:d=2 hl=2 l= 1 prim: INTEGER :00
-\& 16:d=2 hl=2 l= 13 cons: SEQUENCE
-\& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
-\& 29:d=3 hl=2 l= 0 prim: NULL
-\& 31:d=2 hl=2 l= 92 cons: SEQUENCE
-\& 33:d=3 hl=2 l= 11 cons: SET
-\& 35:d=4 hl=2 l= 9 cons: SEQUENCE
-\& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName
-\& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
-\& ....
-\& 599:d=1 hl=2 l= 13 cons: SEQUENCE
-\& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
-\& 612:d=2 hl=2 l= 0 prim: NULL
-\& 614:d=1 hl=3 l= 129 prim: BIT STRING
-.Ve
-The final \s-1BIT\s0 \s-1STRING\s0 contains the actual signature. It can be extracted with:
-.PP
-.Vb 1
-\& openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
-.Ve
-The certificate public key can be extracted with:
-.PP
-.Vb 1
-\& openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem
-.Ve
-The signature can be analysed with:
-.PP
-.Vb 1
-\& openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
-.Ve
-.Vb 6
-\& 0:d=0 hl=2 l= 32 cons: SEQUENCE
-\& 2:d=1 hl=2 l= 12 cons: SEQUENCE
-\& 4:d=2 hl=2 l= 8 prim: OBJECT :md5
-\& 14:d=2 hl=2 l= 0 prim: NULL
-\& 16:d=1 hl=2 l= 16 prim: OCTET STRING
-\& 0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..
-.Ve
-This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that
-the digest used was md5. The actual part of the certificate that was signed can
-be extracted with:
-.PP
-.Vb 1
-\& openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
-.Ve
-and its digest computed with:
-.PP
-.Vb 2
-\& openssl md5 -c tbs
-\& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
-.Ve
-which it can be seen agrees with the recovered value above.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-dgst(1), rsa(1), genrsa(1)
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
deleted file mode 100644
index 8e9583c50af8..000000000000
--- a/secure/usr.bin/openssl/man/s_client.1
+++ /dev/null
@@ -1,347 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:36 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-s_client \- \s-1SSL/TLS\s0 client program
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBs_client\fR
-[\fB\-connect\fR host:port>]
-[\fB\-verify depth\fR]
-[\fB\-cert filename\fR]
-[\fB\-key filename\fR]
-[\fB\-CApath directory\fR]
-[\fB\-CAfile filename\fR]
-[\fB\-reconnect\fR]
-[\fB\-pause\fR]
-[\fB\-showcerts\fR]
-[\fB\-debug\fR]
-[\fB\-msg\fR]
-[\fB\-nbio_test\fR]
-[\fB\-state\fR]
-[\fB\-nbio\fR]
-[\fB\-crlf\fR]
-[\fB\-ign_eof\fR]
-[\fB\-quiet\fR]
-[\fB\-ssl2\fR]
-[\fB\-ssl3\fR]
-[\fB\-tls1\fR]
-[\fB\-no_ssl2\fR]
-[\fB\-no_ssl3\fR]
-[\fB\-no_tls1\fR]
-[\fB\-bugs\fR]
-[\fB\-cipher cipherlist\fR]
-[\fB\-engine id\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
-to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool for
-\&\s-1SSL\s0 servers.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-connect host:port\fR" 4
-.IX Item "-connect host:port"
-This specifies the host and optional port to connect to. If not specified
-then an attempt is made to connect to the local host on port 4433.
-.Ip "\fB\-cert certname\fR" 4
-.IX Item "-cert certname"
-The certificate to use, if one is requested by the server. The default is
-not to use a certificate.
-.Ip "\fB\-key keyfile\fR" 4
-.IX Item "-key keyfile"
-The private key to use. If not specified then the certificate file will
-be used.
-.Ip "\fB\-verify depth\fR" 4
-.IX Item "-verify depth"
-The verify depth to use. This specifies the maximum length of the
-server certificate chain and turns on server certificate verification.
-Currently the verify operation continues after errors so all the problems
-with a certificate chain can be seen. As a side effect the connection
-will never fail due to a server certificate verify failure.
-.Ip "\fB\-CApath directory\fR" 4
-.IX Item "-CApath directory"
-The directory to use for server certificate verification. This directory
-must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
-also used when building the client certificate chain.
-.Ip "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file containing trusted certificates to use during server authentication
-and to use when attempting to build the client certificate chain.
-.Ip "\fB\-reconnect\fR" 4
-.IX Item "-reconnect"
-reconnects to the same server 5 times using the same session \s-1ID\s0, this can
-be used as a test that session caching is working.
-.Ip "\fB\-pause\fR" 4
-.IX Item "-pause"
-pauses 1 second between each read and write call.
-.Ip "\fB\-showcerts\fR" 4
-.IX Item "-showcerts"
-display the whole server certificate chain: normally only the server
-certificate itself is displayed.
-.Ip "\fB\-prexit\fR" 4
-.IX Item "-prexit"
-print session information when the program exits. This will always attempt
-to print out information even if the connection fails. Normally information
-will only be printed out once if the connection succeeds. This option is useful
-because the cipher in use may be renegotiated or the connection may fail
-because a client certificate is required or is requested only after an
-attempt is made to access a certain \s-1URL\s0. Note: the output produced by this
-option is not always accurate because a connection might never have been
-established.
-.Ip "\fB\-state\fR" 4
-.IX Item "-state"
-prints out the \s-1SSL\s0 session states.
-.Ip "\fB\-debug\fR" 4
-.IX Item "-debug"
-print extensive debugging information including a hex dump of all traffic.
-.Ip "\fB\-msg\fR" 4
-.IX Item "-msg"
-show all protocol messages with hex dump.
-.Ip "\fB\-nbio_test\fR" 4
-.IX Item "-nbio_test"
-tests non-blocking I/O
-.Ip "\fB\-nbio\fR" 4
-.IX Item "-nbio"
-turns on non-blocking I/O
-.Ip "\fB\-crlf\fR" 4
-.IX Item "-crlf"
-this option translated a line feed from the terminal into \s-1CR+LF\s0 as required
-by some servers.
-.Ip "\fB\-ign_eof\fR" 4
-.IX Item "-ign_eof"
-inhibit shutting down the connection when end of file is reached in the
-input.
-.Ip "\fB\-quiet\fR" 4
-.IX Item "-quiet"
-inhibit printing of session and certificate information. This implicitly
-turns on \fB\-ign_eof\fR as well.
-.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
-.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
-these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
-the initial handshake uses a method which should be compatible with all
-servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
-.Sp
-Unfortunately there are a lot of ancient and broken servers in use which
-cannot handle this technique and will fail to connect. Some servers only
-work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only
-support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
-.Ip "\fB\-bugs\fR" 4
-.IX Item "-bugs"
-there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
-option enables various workarounds.
-.Ip "\fB\-cipher cipherlist\fR" 4
-.IX Item "-cipher cipherlist"
-this allows the cipher list sent by the client to be modified. Although
-the server determines which cipher suite is used it should take the first
-supported cipher in the list sent by the client. See the \fBciphers\fR
-command for more information.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBs_client\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.SH "CONNECTED COMMANDS"
-.IX Header "CONNECTED COMMANDS"
-If a connection is established with an \s-1SSL\s0 server then any data received
-from the server is displayed and any key presses will be sent to the
-server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR
-have been given), the session will be renegotiated if the line begins with an
-\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the
-connection will be closed down.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL\s0 \s-1HTTP\s0
-server the command:
-.PP
-.Vb 1
-\& openssl s_client -connect servername:443
-.Ve
-would typically be used (https uses port 443). If the connection succeeds
-then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page.
-.PP
-If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
-\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR can be tried
-in case it is a buggy server. In particular you should play with these
-options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
-.PP
-A frequent problem when attempting to get client certificates working
-is that a web client complains it has no certificates or gives an empty
-list to choose from. This is normally because the server is not sending
-the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
-requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed
-and checked. However some servers only request client authentication
-after a specific \s-1URL\s0 is requested. To obtain the list in this case it
-is necessary to use the \fB\-prexit\fR command and send an \s-1HTTP\s0 request
-for an appropriate page.
-.PP
-If a certificate is specified on the command line using the \fB\-cert\fR
-option it will not be used unless the server specifically requests
-a client certificate. Therefor merely including a client certificate
-on the command line is no guarantee that the certificate works.
-.PP
-If there are problems verifying a server certificate then the
-\&\fB\-showcerts\fR option can be used to show the whole chain.
-.SH "BUGS"
-.IX Header "BUGS"
-Because this program has a lot of options and also because some of
-the techniques used are rather old, the C source of s_client is rather
-hard to read and not a model of how things should be done. A typical
-\&\s-1SSL\s0 client program would be much simpler.
-.PP
-The \fB\-verify\fR option should really exit if the server verification
-fails.
-.PP
-The \fB\-prexit\fR option is a bit of a hack. We should really report
-information whenever a session is renegotiated.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-sess_id(1), s_server(1), ciphers(1)
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
deleted file mode 100644
index 50e0835b240a..000000000000
--- a/secure/usr.bin/openssl/man/s_server.1
+++ /dev/null
@@ -1,385 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:37 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "S_SERVER 1"
-.TH S_SERVER 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-s_server \- \s-1SSL/TLS\s0 server program
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBs_server\fR
-[\fB\-accept port\fR]
-[\fB\-context id\fR]
-[\fB\-verify depth\fR]
-[\fB\-Verify depth\fR]
-[\fB\-cert filename\fR]
-[\fB\-key keyfile\fR]
-[\fB\-dcert filename\fR]
-[\fB\-dkey keyfile\fR]
-[\fB\-dhparam filename\fR]
-[\fB\-nbio\fR]
-[\fB\-nbio_test\fR]
-[\fB\-crlf\fR]
-[\fB\-debug\fR]
-[\fB\-msg\fR]
-[\fB\-state\fR]
-[\fB\-CApath directory\fR]
-[\fB\-CAfile filename\fR]
-[\fB\-nocert\fR]
-[\fB\-cipher cipherlist\fR]
-[\fB\-quiet\fR]
-[\fB\-no_tmp_rsa\fR]
-[\fB\-ssl2\fR]
-[\fB\-ssl3\fR]
-[\fB\-tls1\fR]
-[\fB\-no_ssl2\fR]
-[\fB\-no_ssl3\fR]
-[\fB\-no_tls1\fR]
-[\fB\-no_dhe\fR]
-[\fB\-bugs\fR]
-[\fB\-hack\fR]
-[\fB\-www\fR]
-[\fB\-WWW\fR]
-[\fB\-HTTP\fR]
-[\fB\-engine id\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens
-for connections on a given port using \s-1SSL/TLS\s0.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-accept port\fR" 4
-.IX Item "-accept port"
-the \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used.
-.Ip "\fB\-context id\fR" 4
-.IX Item "-context id"
-sets the \s-1SSL\s0 context id. It can be given any string value. If this option
-is not present a default value will be used.
-.Ip "\fB\-cert certname\fR" 4
-.IX Item "-cert certname"
-The certificate to use, most servers cipher suites require the use of a
-certificate and some require a certificate with a certain public key type:
-for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
-(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
-.Ip "\fB\-key keyfile\fR" 4
-.IX Item "-key keyfile"
-The private key to use. If not specified then the certificate file will
-be used.
-.Ip "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4
-.IX Item "-dcert filename, -dkey keyname"
-specify an additional certificate and private key, these behave in the
-same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default
-if they are not specified (no additional certificate and key is used). As
-noted above some cipher suites require a certificate containing a key of
-a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
-and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
-a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
-by using an appropriate certificate.
-.Ip "\fB\-nocert\fR" 4
-.IX Item "-nocert"
-if this option is set then no certificate is used. This restricts the
-cipher suites available to the anonymous ones (currently just anonymous
-\&\s-1DH\s0).
-.Ip "\fB\-dhparam filename\fR" 4
-.IX Item "-dhparam filename"
-the \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys
-using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to
-load the parameters from the server certificate file. If this fails then
-a static set of parameters hard coded into the s_server program will be used.
-.Ip "\fB\-no_dhe\fR" 4
-.IX Item "-no_dhe"
-if this option is set then no \s-1DH\s0 parameters will be loaded effectively
-disabling the ephemeral \s-1DH\s0 cipher suites.
-.Ip "\fB\-no_tmp_rsa\fR" 4
-.IX Item "-no_tmp_rsa"
-certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option
-disables temporary \s-1RSA\s0 key generation.
-.Ip "\fB\-verify depth\fR, \fB\-Verify depth\fR" 4
-.IX Item "-verify depth, -Verify depth"
-The verify depth to use. This specifies the maximum length of the
-client certificate chain and makes the server request a certificate from
-the client. With the \fB\-verify\fR option a certificate is requested but the
-client does not have to send one, with the \fB\-Verify\fR option the client
-must supply a certificate or an error occurs.
-.Ip "\fB\-CApath directory\fR" 4
-.IX Item "-CApath directory"
-The directory to use for client certificate verification. This directory
-must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
-also used when building the server certificate chain.
-.Ip "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file containing trusted certificates to use during client authentication
-and to use when attempting to build the server certificate chain. The list
-is also used in the list of acceptable client CAs passed to the client when
-a certificate is requested.
-.Ip "\fB\-state\fR" 4
-.IX Item "-state"
-prints out the \s-1SSL\s0 session states.
-.Ip "\fB\-debug\fR" 4
-.IX Item "-debug"
-print extensive debugging information including a hex dump of all traffic.
-.Ip "\fB\-msg\fR" 4
-.IX Item "-msg"
-show all protocol messages with hex dump.
-.Ip "\fB\-nbio_test\fR" 4
-.IX Item "-nbio_test"
-tests non blocking I/O
-.Ip "\fB\-nbio\fR" 4
-.IX Item "-nbio"
-turns on non blocking I/O
-.Ip "\fB\-crlf\fR" 4
-.IX Item "-crlf"
-this option translated a line feed from the terminal into \s-1CR+LF\s0.
-.Ip "\fB\-quiet\fR" 4
-.IX Item "-quiet"
-inhibit printing of session and certificate information.
-.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
-.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
-these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
-the initial handshake uses a method which should be compatible with all
-servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
-.Ip "\fB\-bugs\fR" 4
-.IX Item "-bugs"
-there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
-option enables various workarounds.
-.Ip "\fB\-hack\fR" 4
-.IX Item "-hack"
-this option enables a further workaround for some some early Netscape
-\&\s-1SSL\s0 code (?).
-.Ip "\fB\-cipher cipherlist\fR" 4
-.IX Item "-cipher cipherlist"
-this allows the cipher list used by the server to be modified. When
-the client sends a list of supported ciphers the first client cipher
-also included in the server list is used. Because the client specifies
-the preference order, the order of the server cipherlist irrelevant. See
-the \fBciphers\fR command for more information.
-.Ip "\fB\-www\fR" 4
-.IX Item "-www"
-sends a status message back to the client when it connects. This includes
-lots of information about the ciphers used and various session parameters.
-The output is in \s-1HTML\s0 format so this option will normally be used with a
-web browser.
-.Ip "\fB\-WWW\fR" 4
-.IX Item "-WWW"
-emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the \s-1URL\s0 https://myhost/page.html is
-requested the file ./page.html will be loaded.
-.Ip "\fB\-HTTP\fR" 4
-.IX Item "-HTTP"
-emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the \s-1URL\s0 https://myhost/page.html is
-requested the file ./page.html will be loaded. The files loaded are
-assumed to contain a complete and correct \s-1HTTP\s0 response (lines that
-are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0).
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBs_server\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.SH "CONNECTED COMMANDS"
-.IX Header "CONNECTED COMMANDS"
-If a connection request is established with an \s-1SSL\s0 client and neither the
-\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received
-from the client is displayed and any key presses will be sent to the client.
-.PP
-Certain single letter commands are also recognized which perform special
-operations: these are listed below.
-.Ip "\fBq\fR" 4
-.IX Item "q"
-end the current \s-1SSL\s0 connection but still accept new connections.
-.Ip "\fBQ\fR" 4
-.IX Item "Q"
-end the current \s-1SSL\s0 connection and exit.
-.Ip "\fBr\fR" 4
-.IX Item "r"
-renegotiate the \s-1SSL\s0 session.
-.Ip "\fBR\fR" 4
-.IX Item "R"
-renegotiate the \s-1SSL\s0 session and request a client certificate.
-.Ip "\fBP\fR" 4
-.IX Item "P"
-send some plain text down the underlying \s-1TCP\s0 connection: this should
-cause the client to disconnect due to a protocol violation.
-.Ip "\fBS\fR" 4
-.IX Item "S"
-print out some session cache status information.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from
-a web browser the command:
-.PP
-.Vb 1
-\& openssl s_server -accept 443 -www
-.Ve
-can be used for example.
-.PP
-Most web browsers (in particular Netscape and \s-1MSIE\s0) only support \s-1RSA\s0 cipher
-suites, so they cannot connect to servers which don't use a certificate
-carrying an \s-1RSA\s0 key or a version of OpenSSL with \s-1RSA\s0 disabled.
-.PP
-Although specifying an empty list of CAs when requesting a client certificate
-is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to
-mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
-.PP
-The session parameters can printed out using the \fBsess_id\fR program.
-.SH "BUGS"
-.IX Header "BUGS"
-Because this program has a lot of options and also because some of
-the techniques used are rather old, the C source of s_server is rather
-hard to read and not a model of how things should be done. A typical
-\&\s-1SSL\s0 server program would be much simpler.
-.PP
-The output of common ciphers is wrong: it just gives the list of ciphers that
-OpenSSL recognizes and the client supports.
-.PP
-There should be a way for the \fBs_server\fR program to print out details of any
-unknown cipher suites a client says it supports.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-sess_id(1), s_client(1), ciphers(1)
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1
deleted file mode 100644
index 87063c1fe429..000000000000
--- a/secure/usr.bin/openssl/man/sess_id.1
+++ /dev/null
@@ -1,258 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:37 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "SESS_ID 1"
-.TH SESS_ID 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-sess_id \- \s-1SSL/TLS\s0 session handling utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBsess_id\fR
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-text\fR]
-[\fB\-noout\fR]
-[\fB\-context \s-1ID\s0\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBsess_id\fR process the encoded version of the \s-1SSL\s0 session structure
-and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0 session
-master key) in human readable format. Since this is a diagnostic tool that
-needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will
-not need to use it.
-.Ip "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
-format containing session details. The precise format can vary from one version
-to the next. The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR
-format base64 encoded with additional header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read session information from or standard
-input by default.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename to write session information to or standard
-output if this option is not specified.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-prints out the various public or private key components in
-plain text in addition to the encoded version.
-.Ip "\fB\-cert\fR" 4
-.IX Item "-cert"
-if a certificate is present in the session it will be output using this option,
-if the \fB\-text\fR option is also present then it will be printed out in text form.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option prevents output of the encoded version of the session.
-.Ip "\fB\-context \s-1ID\s0\fR" 4
-.IX Item "-context ID"
-this option can set the session id so the output session information uses the
-supplied \s-1ID\s0. The \s-1ID\s0 can be any string of characters. This option wont normally
-be used.
-.SH "OUTPUT"
-.IX Header "OUTPUT"
-Typical output:
-.PP
-.Vb 10
-\& SSL-Session:
-\& Protocol : TLSv1
-\& Cipher : 0016
-\& Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
-\& Session-ID-ctx: 01000000
-\& Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
-\& Key-Arg : None
-\& Start Time: 948459261
-\& Timeout : 300 (sec)
-\& Verify return code 0 (ok)
-.Ve
-Theses are described below in more detail.
-.Ip "\fBProtocol\fR" 4
-.IX Item "Protocol"
-this is the protocol in use TLSv1, SSLv3 or SSLv2.
-.Ip "\fBCipher\fR" 4
-.IX Item "Cipher"
-the cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0
-or \s-1TLS\s0 specifications for more information.
-.Ip "\fBSession-ID\fR" 4
-.IX Item "Session-ID"
-the \s-1SSL\s0 session \s-1ID\s0 in hex format.
-.Ip "\fBSession-ID-ctx\fR" 4
-.IX Item "Session-ID-ctx"
-the session \s-1ID\s0 context in hex format.
-.Ip "\fBMaster-Key\fR" 4
-.IX Item "Master-Key"
-this is the \s-1SSL\s0 session master key.
-.Ip "\fBKey-Arg\fR" 4
-.IX Item "Key-Arg"
-the key argument, this is only used in \s-1SSL\s0 v2.
-.Ip "\fBStart Time\fR" 4
-.IX Item "Start Time"
-this is the session start time represented as an integer in standard Unix format.
-.Ip "\fBTimeout\fR" 4
-.IX Item "Timeout"
-the timeout in seconds.
-.Ip "\fBVerify return code\fR" 4
-.IX Item "Verify return code"
-this is the return code when an \s-1SSL\s0 client certificate is verified.
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 encoded session format uses the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN SSL SESSION PARAMETERS-----
-\& -----END SSL SESSION PARAMETERS-----
-.Ve
-Since the \s-1SSL\s0 session output contains the master key it is possible to read the contents
-of an encrypted session using this information. Therefore appropriate security precautions
-should be taken if the information is being output by a \*(L"real\*(R" application. This is
-however strongly discouraged and should only be used for debugging purposes.
-.SH "BUGS"
-.IX Header "BUGS"
-The cipher and start time should be printed out in human readable form.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-ciphers(1), s_server(1)
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
deleted file mode 100644
index 64323c5793a4..000000000000
--- a/secure/usr.bin/openssl/man/smime.1
+++ /dev/null
@@ -1,473 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:37 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "SMIME 1"
-.TH SMIME 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-smime \- S/MIME utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBsmime\fR
-[\fB\-encrypt\fR]
-[\fB\-decrypt\fR]
-[\fB\-sign\fR]
-[\fB\-verify\fR]
-[\fB\-pk7out\fR]
-[\fB\-des\fR]
-[\fB\-des3\fR]
-[\fB\-rc2\-40\fR]
-[\fB\-rc2\-64\fR]
-[\fB\-rc2\-128\fR]
-[\fB\-in file\fR]
-[\fB\-certfile file\fR]
-[\fB\-signer file\fR]
-[\fB\-recip file\fR]
-[\fB\-inform SMIME|PEM|DER\fR]
-[\fB\-passin arg\fR]
-[\fB\-inkey file\fR]
-[\fB\-out file\fR]
-[\fB\-outform SMIME|PEM|DER\fR]
-[\fB\-content file\fR]
-[\fB\-to addr\fR]
-[\fB\-from ad\fR]
-[\fB\-subject s\fR]
-[\fB\-text\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
-[cert.pem]...
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and
-verify S/MIME messages.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-There are five operation options that set the type of operation to be performed.
-The meaning of the other options varies according to the operation type.
-.Ip "\fB\-encrypt\fR" 4
-.IX Item "-encrypt"
-encrypt mail for the given recipient certificates. Input file is the message
-to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format.
-.Ip "\fB\-decrypt\fR" 4
-.IX Item "-decrypt"
-decrypt mail using the supplied certificate and private key. Expects an
-encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
-is written to the output file.
-.Ip "\fB\-sign\fR" 4
-.IX Item "-sign"
-sign mail using the supplied certificate and private key. Input file is
-the message to be signed. The signed message in \s-1MIME\s0 format is written
-to the output file.
-.Ip "\fB\-verify\fR" 4
-.IX Item "-verify"
-verify signed mail. Expects a signed mail message on input and outputs
-the signed data. Both clear text and opaque signing is supported.
-.Ip "\fB\-pk7out\fR" 4
-.IX Item "-pk7out"
-takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-the input message to be encrypted or signed or the \s-1MIME\s0 message to
-be decrypted or verified.
-.Ip "\fB\-inform SMIME|PEM|DER\fR" 4
-.IX Item "-inform SMIME|PEM|DER"
-this specifies the input format for the PKCS#7 structure. The default
-is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
-format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
-instead. This currently only affects the input format of the PKCS#7
-structure, if no PKCS#7 structure is being input (for example with
-\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-the message text that has been decrypted or verified or the output \s-1MIME\s0
-format message that has been signed or verified.
-.Ip "\fB\-outform SMIME|PEM|DER\fR" 4
-.IX Item "-outform SMIME|PEM|DER"
-this specifies the output format for the PKCS#7 structure. The default
-is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
-format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
-instead. This currently only affects the output format of the PKCS#7
-structure, if no PKCS#7 structure is being output (for example with
-\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
-.Ip "\fB\-content filename\fR" 4
-.IX Item "-content filename"
-This specifies a file containing the detached content, this is only
-useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
-structure is using the detached signature form where the content is
-not included. This option will override any content if the input format
-is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
-message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of \s-1MIME\s0
-type text/plain then an error occurs.
-.Ip "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
-.Ip "\fB\-CApath dir\fR" 4
-.IX Item "-CApath dir"
-a directory containing trusted \s-1CA\s0 certificates, only used with
-\&\fB\-verify\fR. This directory must be a standard certificate directory: that
-is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
-to each certificate.
-.Ip "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128\fR" 4
-.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128"
-the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits)
-or 40, 64 or 128 bit \s-1RC2\s0 respectively if not specified 40 bit \s-1RC2\s0 is
-used. Only used with \fB\-encrypt\fR.
-.Ip "\fB\-nointern\fR" 4
-.IX Item "-nointern"
-when verifying a message normally certificates (if any) included in
-the message are searched for the signing certificate. With this option
-only the certificates specified in the \fB\-certfile\fR option are used.
-The supplied certificates can still be used as untrusted CAs however.
-.Ip "\fB\-noverify\fR" 4
-.IX Item "-noverify"
-do not verify the signers certificate of a signed message.
-.Ip "\fB\-nochain\fR" 4
-.IX Item "-nochain"
-do not do chain verification of signers certificates: that is don't
-use the certificates in the signed message as untrusted CAs.
-.Ip "\fB\-nosigs\fR" 4
-.IX Item "-nosigs"
-don't try to verify the signatures on the message.
-.Ip "\fB\-nocerts\fR" 4
-.IX Item "-nocerts"
-when signing a message the signer's certificate is normally included
-with this option it is excluded. This will reduce the size of the
-signed message but the verifier must have a copy of the signers certificate
-available locally (passed using the \fB\-certfile\fR option for example).
-.Ip "\fB\-noattr\fR" 4
-.IX Item "-noattr"
-normally when a message is signed a set of attributes are included which
-include the signing time and supported symmetric algorithms. With this
-option they are not included.
-.Ip "\fB\-binary\fR" 4
-.IX Item "-binary"
-normally the input message is converted to \*(L"canonical\*(R" format which is
-effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
-specification. When this option is present no translation occurs. This
-is useful when handling binary data which may not be in \s-1MIME\s0 format.
-.Ip "\fB\-nodetach\fR" 4
-.IX Item "-nodetach"
-when signing a message use opaque signing: this form is more resistant
-to translation by mail relays but it cannot be read by mail agents that
-do not support S/MIME. Without this option cleartext signing with
-the \s-1MIME\s0 type multipart/signed is used.
-.Ip "\fB\-certfile file\fR" 4
-.IX Item "-certfile file"
-allows additional certificates to be specified. When signing these will
-be included with the message. When verifying these will be searched for
-the signers certificates. The certificates should be in \s-1PEM\s0 format.
-.Ip "\fB\-signer file\fR" 4
-.IX Item "-signer file"
-the signers certificate when signing a message. If a message is
-being verified then the signers certificates will be written to this
-file if the verification was successful.
-.Ip "\fB\-recip file\fR" 4
-.IX Item "-recip file"
-the recipients certificate when decrypting a message. This certificate
-must match one of the recipients of the message or an error occurs.
-.Ip "\fB\-inkey file\fR" 4
-.IX Item "-inkey file"
-the private key to use when signing or decrypting. This must match the
-corresponding certificate. If this option is not specified then the
-private key must be included in the certificate file specified with
-the \fB\-recip\fR or \fB\-signer\fR file.
-.Ip "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.Ip "\fBcert.pem...\fR" 4
-.IX Item "cert.pem..."
-one or more certificates of message recipients: used when encrypting
-a message.
-.Ip "\fB\-to, \-from, \-subject\fR" 4
-.IX Item "-to, -from, -subject"
-the relevant mail headers. These are included outside the signed
-portion of a message so they may be included manually. If signing
-then many S/MIME mail clients check the signers certificate's email
-address matches that specified in the From: address.
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1MIME\s0 message must be sent without any blank lines between the
-headers and the output. Some mail programs will automatically add
-a blank line. Piping the mail directly to sendmail is one way to
-achieve the correct format.
-.PP
-The supplied message to be signed or encrypted must include the
-necessary \s-1MIME\s0 headers or many S/MIME clients wont display it
-properly (if at all). You can use the \fB\-text\fR option to automatically
-add plain text headers.
-.PP
-A \*(L"signed and encrypted\*(R" message is one where a signed message is
-then encrypted. This can be produced by encrypting an already signed
-message: see the examples section.
-.PP
-This version of the program only allows one signer per message but it
-will verify multiple signers on received messages. Some S/MIME clients
-choke if a message contains multiple signers. It is possible to sign
-messages \*(L"in parallel\*(R" by signing an already signed message.
-.PP
-The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
-clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
-encrypted data is used for other purposes.
-.SH "EXIT CODES"
-.IX Header "EXIT CODES"
-.Ip "0" 4
-the operation was completely successfully.
-.Ip "1" 4
-.IX Item "1"
-an error occurred parsing the command options.
-.Ip "2" 4
-.IX Item "2"
-one of the input files could not be read.
-.Ip "3" 4
-.IX Item "3"
-an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0
-message.
-.Ip "4" 4
-.IX Item "4"
-an error occurred decrypting or verifying the message.
-.Ip "5" 4
-.IX Item "5"
-the message was verified correctly but an error occurred writing out
-the signers certificates.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Create a cleartext signed message:
-.PP
-.Vb 2
-\& openssl smime -sign -in message.txt -text -out mail.msg \e
-\& -signer mycert.pem
-.Ve
-Create and opaque signed message
-.PP
-.Vb 2
-\& openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e
-\& -signer mycert.pem
-.Ve
-Create a signed message, include some additional certificates and
-read the private key from another file:
-.PP
-.Vb 2
-\& openssl smime -sign -in in.txt -text -out mail.msg \e
-\& -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
-.Ve
-Send a signed message under Unix directly to sendmail, including headers:
-.PP
-.Vb 3
-\& openssl smime -sign -in in.txt -text -signer mycert.pem \e
-\& -from steve@openssl.org -to someone@somewhere \e
-\& -subject "Signed message" | sendmail someone@somewhere
-.Ve
-Verify a message and extract the signer's certificate if successful:
-.PP
-.Vb 1
-\& openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
-.Ve
-Send encrypted mail using triple \s-1DES:\s0
-.PP
-.Vb 3
-\& openssl smime -encrypt -in in.txt -from steve@openssl.org \e
-\& -to someone@somewhere -subject "Encrypted message" \e
-\& -des3 user.pem -out mail.msg
-.Ve
-Sign and encrypt mail:
-.PP
-.Vb 4
-\& openssl smime -sign -in ml.txt -signer my.pem -text \e
-\& | openssl smime -encrypt -out mail.msg \e
-\& -from steve@openssl.org -to someone@somewhere \e
-\& -subject "Signed and Encrypted message" -des3 user.pem
-.Ve
-Note: the encryption command does not include the \fB\-text\fR option because the message
-being encrypted already has \s-1MIME\s0 headers.
-.PP
-Decrypt mail:
-.PP
-.Vb 1
-\& openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
-.Ve
-The output from Netscape form signing is a PKCS#7 structure with the
-detached signature format. You can use this program to verify the
-signature by line wrapping the base64 encoded structure and surrounding
-it with:
-.PP
-.Vb 2
-\& -----BEGIN PKCS7-----
-\& -----END PKCS7-----
-.Ve
-and using the command,
-.PP
-.Vb 1
-\& openssl smime -verify -inform PEM -in signature.pem -content content.txt
-.Ve
-alternatively you can base64 decode the signature and use
-.PP
-.Vb 1
-\& openssl smime -verify -inform DER -in signature.der -content content.txt
-.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've thrown
-at it but it may choke on others.
-.PP
-The code currently will only write out the signer's certificate to a file: if the
-signer has a separate encryption certificate this must be manually extracted. There
-should be some heuristic that determines the correct encryption certificate.
-.PP
-Ideally a database should be maintained of a certificates for each email address.
-.PP
-The code doesn't currently take note of the permitted symmetric encryption
-algorithms as supplied in the SMIMECapabilities signed attribute. this means the
-user has to manually include the correct encryption algorithm. It should store
-the list of permitted ciphers in a database and only use those.
-.PP
-No revocation checking is done on the signer's certificate.
-.PP
-The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
-structures may cause parsing errors.
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1
deleted file mode 100644
index fba9d81d6758..000000000000
--- a/secure/usr.bin/openssl/man/speed.1
+++ /dev/null
@@ -1,188 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:37 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "SPEED 1"
-.TH SPEED 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-speed \- test library performance
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl speed\fR
-[\fB\-engine id\fR]
-[\fBmd2\fR]
-[\fBmdc2\fR]
-[\fBmd5\fR]
-[\fBhmac\fR]
-[\fBsha1\fR]
-[\fBrmd160\fR]
-[\fBidea-cbc\fR]
-[\fBrc2\-cbc\fR]
-[\fBrc5\-cbc\fR]
-[\fBbf-cbc\fR]
-[\fBdes-cbc\fR]
-[\fBdes-ede3\fR]
-[\fBrc4\fR]
-[\fBrsa512\fR]
-[\fBrsa1024\fR]
-[\fBrsa2048\fR]
-[\fBrsa4096\fR]
-[\fBdsa512\fR]
-[\fBdsa1024\fR]
-[\fBdsa2048\fR]
-[\fBidea\fR]
-[\fBrc2\fR]
-[\fBdes\fR]
-[\fBrsa\fR]
-[\fBblowfish\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-This command is used to test the performance of cryptographic algorithms.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBspeed\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.Ip "\fB[zero or more test algorithms]\fR" 4
-.IX Item "[zero or more test algorithms]"
-If any options are given, \fBspeed\fR tests those algorithms, otherwise all of
-the above are tested.
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1
deleted file mode 100644
index 4841c4772f6b..000000000000
--- a/secure/usr.bin/openssl/man/spkac.1
+++ /dev/null
@@ -1,255 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:38 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "SPKAC 1"
-.TH SPKAC 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-spkac \- \s-1SPKAC\s0 printing and generating utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBspkac\fR
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-key keyfile\fR]
-[\fB\-passin arg\fR]
-[\fB\-challenge string\fR]
-[\fB\-pubkey\fR]
-[\fB\-spkac spkacname\fR]
-[\fB\-spksect section\fR]
-[\fB\-noout\fR]
-[\fB\-verify\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBspkac\fR command processes Netscape signed public key and challenge
-(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and
-produce its own SPKACs from a supplied private key.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read from or standard input if this
-option is not specified. Ignored if the \fB\-key\fR option is used.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-specifies the output filename to write to or standard output by
-default.
-.Ip "\fB\-key keyfile\fR" 4
-.IX Item "-key keyfile"
-create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The
-\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
-present.
-.Ip "\fB\-passin password\fR" 4
-.IX Item "-passin password"
-the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-challenge string\fR" 4
-.IX Item "-challenge string"
-specifies the challenge string if an \s-1SPKAC\s0 is being created.
-.Ip "\fB\-spkac spkacname\fR" 4
-.IX Item "-spkac spkacname"
-allows an alternative name form the variable containing the
-\&\s-1SPKAC\s0. The default is \*(L"\s-1SPKAC\s0\*(R". This option affects both
-generated and input \s-1SPKAC\s0 files.
-.Ip "\fB\-spksect section\fR" 4
-.IX Item "-spksect section"
-allows an alternative name form the section containing the
-\&\s-1SPKAC\s0. The default is the default section.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-don't output the text version of the \s-1SPKAC\s0 (not used if an
-\&\s-1SPKAC\s0 is being created).
-.Ip "\fB\-pubkey\fR" 4
-.IX Item "-pubkey"
-output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is
-being created).
-.Ip "\fB\-verify\fR" 4
-.IX Item "-verify"
-verifies the digital signature on the supplied \s-1SPKAC\s0.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Print out the contents of an \s-1SPKAC:\s0
-.PP
-.Vb 1
-\& openssl spkac -in spkac.cnf
-.Ve
-Verify the signature of an \s-1SPKAC:\s0
-.PP
-.Vb 1
-\& openssl spkac -in spkac.cnf -noout -verify
-.Ve
-Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
-.PP
-.Vb 1
-\& openssl spkac -key key.pem -challenge hello -out spkac.cnf
-.Ve
-Example of an \s-1SPKAC\s0, (long lines split up for clarity):
-.PP
-.Vb 5
-\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
-\& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
-\& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
-\& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
-\& 4=
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into
-the \fBca\fR utility.
-.PP
-SPKACs are typically generated by Netscape when a form is submitted
-containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment
-process.
-.PP
-The challenge string permits a primitive form of proof of possession
-of private key. By checking the \s-1SPKAC\s0 signature and a random challenge
-string some guarantee is given that the user knows the private key
-corresponding to the public key being certified. This is important in
-some applications. Without this it is possible for a previous \s-1SPKAC\s0
-to be used in a \*(L"replay attack\*(R".
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-ca(1)
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
deleted file mode 100644
index f2ea59900f39..000000000000
--- a/secure/usr.bin/openssl/man/verify.1
+++ /dev/null
@@ -1,408 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:38 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "VERIFY 1"
-.TH VERIFY 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-verify \- Utility to verify certificates.
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBverify\fR
-[\fB\-CApath directory\fR]
-[\fB\-CAfile file\fR]
-[\fB\-purpose purpose\fR]
-[\fB\-untrusted file\fR]
-[\fB\-help\fR]
-[\fB\-issuer_checks\fR]
-[\fB\-verbose\fR]
-[\fB-\fR]
-[certificates]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBverify\fR command verifies certificate chains.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-CApath directory\fR" 4
-.IX Item "-CApath directory"
-A directory of trusted certificates. The certificates should have names
-of the form: hash.0 or have symbolic links to them of this
-form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
-of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
-create symbolic links to a directory of certificates.
-.Ip "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file of trusted certificates. The file should contain multiple certificates
-in \s-1PEM\s0 format concatenated together.
-.Ip "\fB\-untrusted file\fR" 4
-.IX Item "-untrusted file"
-A file of untrusted certificates. The file should contain multiple certificates
-.Ip "\fB\-purpose purpose\fR" 4
-.IX Item "-purpose purpose"
-the intended use for the certificate. Without this option no chain verification
-will be done. Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR,
-\&\fBnssslserver\fR, \fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR
-section for more information.
-.Ip "\fB\-help\fR" 4
-.IX Item "-help"
-prints out a usage message.
-.Ip "\fB\-verbose\fR" 4
-.IX Item "-verbose"
-print extra information about the operations being performed.
-.Ip "\fB\-issuer_checks\fR" 4
-.IX Item "-issuer_checks"
-print out diagnostics relating to searches for the issuer certificate
-of the current certificate. This shows why each candidate issuer
-certificate was rejected. However the presence of rejection messages
-does not itself imply that anything is wrong: during the normal
-verify process several rejections may take place.
-.Ip "\fB-\fR" 4
-.IX Item "-"
-marks the last option. All arguments following this are assumed to be
-certificate files. This is useful if the first certificate filename begins
-with a \fB-\fR.
-.Ip "\fBcertificates\fR" 4
-.IX Item "certificates"
-one or more certificates to verify. If no certificate filenames are included
-then an attempt is made to read a certificate from standard input. They should
-all be in \s-1PEM\s0 format.
-.SH "VERIFY OPERATION"
-.IX Header "VERIFY OPERATION"
-The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME
-verification, therefore this description applies to these verify operations
-too.
-.PP
-There is one crucial difference between the verify operations performed
-by the \fBverify\fR program: wherever possible an attempt is made to continue
-after an error whereas normally the verify operation would halt on the
-first error. This allows all the problems with a certificate chain to be
-determined.
-.PP
-The verify operation consists of a number of separate steps.
-.PP
-Firstly a certificate chain is built up starting from the supplied certificate
-and ending in the root \s-1CA\s0. It is an error if the whole chain cannot be built
-up. The chain is built up by looking up the issuers certificate of the current
-certificate. If a certificate is found which is its own issuer it is assumed
-to be the root \s-1CA\s0.
-.PP
-The process of 'looking up the issuers certificate' itself involves a number
-of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
-subject name matched the issuer of the current certificate was assumed to be
-the issuers certificate. In OpenSSL 0.9.6 and later all certificates
-whose subject name matches the issuer name of the current certificate are
-subject to further tests. The relevant authority key identifier components
-of the current certificate (if present) must match the subject key identifier
-(if present) and issuer and serial number of the candidate issuer, in addition
-the keyUsage extension of the candidate issuer (if present) must permit
-certificate signing.
-.PP
-The lookup first looks in the list of untrusted certificates and if no match
-is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0
-is always looked up in the trusted certificate list: if the certificate to
-verify is a root certificate then an exact match must be found in the trusted
-list.
-.PP
-The second operation is to check every untrusted certificate's extensions for
-consistency with the supplied purpose. If the \fB\-purpose\fR option is not included
-then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
-compatible with the supplied purpose and all other certificates must also be valid
-\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in
-the \fB\s-1CERTIFICATE\s0 \s-1EXTENSIONS\s0\fR section of the \fBx509\fR utility.
-.PP
-The third operation is to check the trust settings on the root \s-1CA\s0. The root
-\&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous
-versions of SSLeay and OpenSSL a certificate with no trust settings is considered
-to be valid for all purposes.
-.PP
-The final operation is to check the validity of the certificate chain. The validity
-period is checked against the current system time and the notBefore and notAfter
-dates in the certificate. The certificate signatures are also checked at this
-point.
-.PP
-If all operations complete successfully then certificate is considered valid. If
-any operation fails then the certificate is not valid.
-.SH "DIAGNOSTICS"
-.IX Header "DIAGNOSTICS"
-When a verify operation fails the output messages can be somewhat cryptic. The
-general form of the error message is:
-.PP
-.Vb 2
-\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-\& error 24 at 1 depth lookup:invalid CA certificate
-.Ve
-The first line contains the name of the certificate being verified followed by
-the subject name of the certificate. The second line contains the error number
-and the depth. The depth is number of the certificate being verified when a
-problem was detected starting with zero for the certificate being verified itself
-then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version
-of the error number is presented.
-.PP
-An exhaustive list of the error codes and messages is shown below, this also
-includes the name of the error code as defined in the header file x509_vfy.h
-Some of the error codes are defined but never returned: these are described
-as \*(L"unused\*(R".
-.Ip "\fB0 X509_V_OK: ok\fR" 4
-.IX Item "0 X509_V_OK: ok"
-the operation was successful.
-.Ip "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4
-.IX Item "2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate"
-the issuer certificate could not be found: this occurs if the issuer certificate
-of an untrusted certificate cannot be found.
-.Ip "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate \s-1CRL\s0\fR" 4
-.IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL"
-the \s-1CRL\s0 of a certificate could not be found. Unused.
-.Ip "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
-.IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature"
-the certificate signature could not be decrypted. This means that the actual signature value
-could not be determined rather than it not matching the expected value, this is only
-meaningful for \s-1RSA\s0 keys.
-.Ip "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
-.IX Item "5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature"
-the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value
-could not be determined rather than it not matching the expected value. Unused.
-.Ip "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
-.IX Item "6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key"
-the public key in the certificate SubjectPublicKeyInfo could not be read.
-.Ip "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
-.IX Item "7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure"
-the signature of the certificate is invalid.
-.Ip "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
-.IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure"
-the signature of the certificate is invalid. Unused.
-.Ip "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
-.IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid"
-the certificate is not yet valid: the notBefore date is after the current time.
-.Ip "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4
-.IX Item "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
-the certificate has expired: that is the notAfter date is before the current time.
-.Ip "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
-.IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid"
-the \s-1CRL\s0 is not yet valid. Unused.
-.Ip "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
-.IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired"
-the \s-1CRL\s0 has expired. Unused.
-.Ip "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
-.IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field"
-the certificate notBefore field contains an invalid time.
-.Ip "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
-.IX Item "14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field"
-the certificate notAfter field contains an invalid time.
-.Ip "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
-.IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field"
-the \s-1CRL\s0 lastUpdate field contains an invalid time. Unused.
-.Ip "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
-.IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field"
-the \s-1CRL\s0 nextUpdate field contains an invalid time. Unused.
-.Ip "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
-.IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory"
-an error occurred trying to allocate memory. This should never happen.
-.Ip "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4
-.IX Item "18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate"
-the passed certificate is self signed and the same certificate cannot be found in the list of
-trusted certificates.
-.Ip "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4
-.IX Item "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain"
-the certificate chain could be built up using the untrusted certificates but the root could not
-be found locally.
-.Ip "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4
-.IX Item "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate"
-the issuer certificate of a locally looked up certificate could not be found. This normally means
-the list of trusted certificates is not complete.
-.Ip "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4
-.IX Item "21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate"
-no signatures could be verified because the chain contains only one certificate and it is not
-self signed.
-.Ip "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4
-.IX Item "22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long"
-the certificate chain length is greater than the supplied maximum depth. Unused.
-.Ip "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
-.IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked"
-the certificate has been revoked. Unused.
-.Ip "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
-.IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate"
-a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent
-with the supplied purpose.
-.Ip "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4
-.IX Item "25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded"
-the basicConstraints pathlength parameter has been exceeded.
-.Ip "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4
-.IX Item "26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose"
-the supplied certificate cannot be used for the specified purpose.
-.Ip "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
-.IX Item "27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted"
-the root \s-1CA\s0 is not marked as trusted for the specified purpose.
-.Ip "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
-.IX Item "28 X509_V_ERR_CERT_REJECTED: certificate rejected"
-the root \s-1CA\s0 is marked to reject the specified purpose.
-.Ip "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
-.IX Item "29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch"
-the current candidate issuer certificate was rejected because its subject name
-did not match the issuer name of the current certificate. Only displayed when
-the \fB\-issuer_checks\fR option is set.
-.Ip "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4
-.IX Item "30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch"
-the current candidate issuer certificate was rejected because its subject key
-identifier was present and did not match the authority key identifier current
-certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
-.Ip "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4
-.IX Item "31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch"
-the current candidate issuer certificate was rejected because its issuer name
-and serial number was present and did not match the authority key identifier
-of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
-.Ip "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4
-.IX Item "32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing"
-the current candidate issuer certificate was rejected because its keyUsage extension
-does not permit certificate signing.
-.Ip "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4
-.IX Item "50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure"
-an application specific error. Unused.
-.SH "BUGS"
-.IX Header "BUGS"
-Although the issuer checks are a considerably improvement over the old technique they still
-suffer from limitations in the underlying X509_LOOKUP \s-1API\s0. One consequence of this is that
-trusted certificates with matching subject name must either appear in a file (as specified by the
-\&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only
-the certificates in the file will be recognised.
-.PP
-Previous versions of OpenSSL assume certificates with matching subject name are identical and
-mishandled them.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-x509(1)
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1
deleted file mode 100644
index 730647dcd5a3..000000000000
--- a/secure/usr.bin/openssl/man/version.1
+++ /dev/null
@@ -1,186 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:38 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "VERSION 1"
-.TH VERSION 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-version \- print OpenSSL version information
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl version\fR
-[\fB\-a\fR]
-[\fB\-v\fR]
-[\fB\-b\fR]
-[\fB\-o\fR]
-[\fB\-f\fR]
-[\fB\-p\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-This command is used to print out version information about OpenSSL.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Ip "\fB\-a\fR" 4
-.IX Item "-a"
-all information, this is the same as setting all the other flags.
-.Ip "\fB\-v\fR" 4
-.IX Item "-v"
-the current OpenSSL version.
-.Ip "\fB\-b\fR" 4
-.IX Item "-b"
-the date the current version of OpenSSL was built.
-.Ip "\fB\-o\fR" 4
-.IX Item "-o"
-option information: various options set when the library was built.
-.Ip "\fB\-c\fR" 4
-.IX Item "-c"
-compilation flags.
-.Ip "\fB\-p\fR" 4
-.IX Item "-p"
-platform setting.
-.Ip "\fB\-d\fR" 4
-.IX Item "-d"
-\&\s-1OPENSSLDIR\s0 setting.
-.SH "NOTES"
-.IX Header "NOTES"
-The output of \fBopenssl version \-a\fR would typically be used when sending
-in a bug report.
-.SH "HISTORY"
-.IX Header "HISTORY"
-The \fB\-d\fR option was added in OpenSSL 0.9.7.
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
deleted file mode 100644
index 380d1a0ae74c..000000000000
--- a/secure/usr.bin/openssl/man/x509.1
+++ /dev/null
@@ -1,836 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:38 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "X509 1"
-.TH X509 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
-.SH "NAME"
-x509 \- Certificate display and signing utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBx509\fR
-[\fB\-inform DER|PEM|NET\fR]
-[\fB\-outform DER|PEM|NET\fR]
-[\fB\-keyform DER|PEM\fR]
-[\fB\-CAform DER|PEM\fR]
-[\fB\-CAkeyform DER|PEM\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-serial\fR]
-[\fB\-hash\fR]
-[\fB\-subject\fR]
-[\fB\-issuer\fR]
-[\fB\-nameopt option\fR]
-[\fB\-email\fR]
-[\fB\-startdate\fR]
-[\fB\-enddate\fR]
-[\fB\-purpose\fR]
-[\fB\-dates\fR]
-[\fB\-modulus\fR]
-[\fB\-fingerprint\fR]
-[\fB\-alias\fR]
-[\fB\-noout\fR]
-[\fB\-trustout\fR]
-[\fB\-clrtrust\fR]
-[\fB\-clrreject\fR]
-[\fB\-addtrust arg\fR]
-[\fB\-addreject arg\fR]
-[\fB\-setalias arg\fR]
-[\fB\-days arg\fR]
-[\fB\-set_serial n\fR]
-[\fB\-signkey filename\fR]
-[\fB\-x509toreq\fR]
-[\fB\-req\fR]
-[\fB\-CA filename\fR]
-[\fB\-CAkey filename\fR]
-[\fB\-CAcreateserial\fR]
-[\fB\-CAserial filename\fR]
-[\fB\-text\fR]
-[\fB\-C\fR]
-[\fB\-md2|\-md5|\-sha1|\-mdc2\fR]
-[\fB\-clrext\fR]
-[\fB\-extfile filename\fR]
-[\fB\-extensions section\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBx509\fR command is a multi purpose certificate utility. It can be
-used to display certificate information, convert certificates to
-various forms, sign certificate requests like a \*(L"mini \s-1CA\s0\*(R" or edit
-certificate trust settings.
-.PP
-Since there are a large number of options they will split up into
-various sections.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.Sh "\s-1INPUT\s0, \s-1OUTPUT\s0 \s-1AND\s0 \s-1GENERAL\s0 \s-1PURPOSE\s0 \s-1OPTIONS\s0"
-.IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS"
-.Ip "\fB\-inform DER|PEM|NET\fR" 4
-.IX Item "-inform DER|PEM|NET"
-This specifies the input format normally the command will expect an X509
-certificate but this can change if other options such as \fB\-req\fR are
-present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0
-is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines
-added. The \s-1NET\s0 option is an obscure Netscape server format that is now
-obsolete.
-.Ip "\fB\-outform DER|PEM|NET\fR" 4
-.IX Item "-outform DER|PEM|NET"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a certificate from or standard input
-if this option is not specified.
-.Ip "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename to write to or standard output by
-default.
-.Ip "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4
-.IX Item "-md2|-md5|-sha1|-mdc2"
-the digest to use. This affects any signing or display option that uses a message
-digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not
-specified then \s-1MD5\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key then
-this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys.
-.Ip "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.Sh "\s-1DISPLAY\s0 \s-1OPTIONS\s0"
-.IX Subsection "DISPLAY OPTIONS"
-Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
-but are described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section.
-.Ip "\fB\-text\fR" 4
-.IX Item "-text"
-prints out the certificate in text form. Full details are output including the
-public key, signature algorithms, issuer and subject names, serial number
-any extensions present and any trust settings.
-.Ip "\fB\-certopt option\fR" 4
-.IX Item "-certopt option"
-customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
-a single option or multiple options separated by commas. The \fB\-certopt\fR switch
-may be also be used more than once to set multiple options. See the \fB\s-1TEXT\s0 \s-1OPTIONS\s0\fR
-section for more information.
-.Ip "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option prevents output of the encoded version of the request.
-.Ip "\fB\-modulus\fR" 4
-.IX Item "-modulus"
-this option prints out the value of the modulus of the public key
-contained in the certificate.
-.Ip "\fB\-serial\fR" 4
-.IX Item "-serial"
-outputs the certificate serial number.
-.Ip "\fB\-hash\fR" 4
-.IX Item "-hash"
-outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
-form an index to allow certificates in a directory to be looked up by subject
-name.
-.Ip "\fB\-subject\fR" 4
-.IX Item "-subject"
-outputs the subject name.
-.Ip "\fB\-issuer\fR" 4
-.IX Item "-issuer"
-outputs the issuer name.
-.Ip "\fB\-nameopt option\fR" 4
-.IX Item "-nameopt option"
-option which determines how the subject or issuer names are displayed. The
-\&\fBoption\fR argument can be a single option or multiple options separated by
-commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more information.
-.Ip "\fB\-email\fR" 4
-.IX Item "-email"
-outputs the email address(es) if any.
-.Ip "\fB\-startdate\fR" 4
-.IX Item "-startdate"
-prints out the start date of the certificate, that is the notBefore date.
-.Ip "\fB\-enddate\fR" 4
-.IX Item "-enddate"
-prints out the expiry date of the certificate, that is the notAfter date.
-.Ip "\fB\-dates\fR" 4
-.IX Item "-dates"
-prints out the start and expiry dates of a certificate.
-.Ip "\fB\-fingerprint\fR" 4
-.IX Item "-fingerprint"
-prints out the digest of the \s-1DER\s0 encoded version of the whole certificate
-(see digest options).
-.Ip "\fB\-C\fR" 4
-.IX Item "-C"
-this outputs the certificate in the form of a C source file.
-.Sh "\s-1TRUST\s0 \s-1SETTINGS\s0"
-.IX Subsection "TRUST SETTINGS"
-Please note these options are currently experimental and may well change.
-.PP
-A \fBtrusted certificate\fR is an ordinary certificate which has several
-additional pieces of information attached to it such as the permitted
-and prohibited uses of the certificate and an \*(L"alias\*(R".
-.PP
-Normally when a certificate is being verified at least one certificate
-must be \*(L"trusted\*(R". By default a trusted certificate must be stored
-locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
-is then usable for any purpose.
-.PP
-Trust settings currently are only used with a root \s-1CA\s0. They allow a finer
-control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0
-may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
-.PP
-See the description of the \fBverify\fR utility for more information on the
-meaning of trust settings.
-.PP
-Future versions of OpenSSL will recognize trust settings on any
-certificate: not just root CAs.
-.Ip "\fB\-trustout\fR" 4
-.IX Item "-trustout"
-this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
-or trusted certificate can be input but by default an ordinary
-certificate is output and any trust settings are discarded. With the
-\&\fB\-trustout\fR option a trusted certificate is output. A trusted
-certificate is automatically output if any trust settings are modified.
-.Ip "\fB\-setalias arg\fR" 4
-.IX Item "-setalias arg"
-sets the alias of the certificate. This will allow the certificate
-to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
-.Ip "\fB\-alias\fR" 4
-.IX Item "-alias"
-outputs the certificate alias, if any.
-.Ip "\fB\-clrtrust\fR" 4
-.IX Item "-clrtrust"
-clears all the permitted or trusted uses of the certificate.
-.Ip "\fB\-clrreject\fR" 4
-.IX Item "-clrreject"
-clears all the prohibited or rejected uses of the certificate.
-.Ip "\fB\-addtrust arg\fR" 4
-.IX Item "-addtrust arg"
-adds a trusted certificate use. Any object name can be used here
-but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR
-(\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used.
-Other OpenSSL applications may define additional uses.
-.Ip "\fB\-addreject arg\fR" 4
-.IX Item "-addreject arg"
-adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
-option.
-.Ip "\fB\-purpose\fR" 4
-.IX Item "-purpose"
-this option performs tests on the certificate extensions and outputs
-the results. For a more complete description see the \fB\s-1CERTIFICATE\s0
-\&\s-1EXTENSIONS\s0\fR section.
-.Sh "\s-1SIGNING\s0 \s-1OPTIONS\s0"
-.IX Subsection "SIGNING OPTIONS"
-The \fBx509\fR utility can be used to sign certificates and requests: it
-can thus behave like a \*(L"mini \s-1CA\s0\*(R".
-.Ip "\fB\-signkey filename\fR" 4
-.IX Item "-signkey filename"
-this option causes the input file to be self signed using the supplied
-private key.
-.Sp
-If the input file is a certificate it sets the issuer name to the
-subject name (i.e. makes it self signed) changes the public key to the
-supplied value and changes the start and end dates. The start date is
-set to the current time and the end date is set to a value determined
-by the \fB\-days\fR option. Any certificate extensions are retained unless
-the \fB\-clrext\fR option is supplied.
-.Sp
-If the input is a certificate request then a self signed certificate
-is created using the supplied private key using the subject name in
-the request.
-.Ip "\fB\-clrext\fR" 4
-.IX Item "-clrext"
-delete any extensions from a certificate. This option is used when a
-certificate is being created from another certificate (for example with
-the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are
-retained.
-.Ip "\fB\-keyform PEM|DER\fR" 4
-.IX Item "-keyform PEM|DER"
-specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
-\&\fB\-signkey\fR option.
-.Ip "\fB\-days arg\fR" 4
-.IX Item "-days arg"
-specifies the number of days to make a certificate valid for. The default
-is 30 days.
-.Ip "\fB\-x509toreq\fR" 4
-.IX Item "-x509toreq"
-converts a certificate into a certificate request. The \fB\-signkey\fR option
-is used to pass the required private key.
-.Ip "\fB\-req\fR" 4
-.IX Item "-req"
-by default a certificate is expected on input. With this option a
-certificate request is expected instead.
-.Ip "\fB\-set_serial n\fR" 4
-.IX Item "-set_serial n"
-specifies the serial number to use. This option can be used with either
-the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR
-option the serial number file (as specified by the \fB\-CAserial\fR or
-\&\fB\-CAcreateserial\fR options) is not used.
-.Sp
-The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative
-serial numbers can also be specified but their use is not recommended.
-.Ip "\fB\-CA filename\fR" 4
-.IX Item "-CA filename"
-specifies the \s-1CA\s0 certificate to be used for signing. When this option is
-present \fBx509\fR behaves like a \*(L"mini \s-1CA\s0\*(R". The input file is signed by this
-\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name
-of the \s-1CA\s0 and it is digitally signed using the CAs private key.
-.Sp
-This option is normally combined with the \fB\-req\fR option. Without the
-\&\fB\-req\fR option the input is a certificate which must be self signed.
-.Ip "\fB\-CAkey filename\fR" 4
-.IX Item "-CAkey filename"
-sets the \s-1CA\s0 private key to sign a certificate with. If this option is
-not specified then it is assumed that the \s-1CA\s0 private key is present in
-the \s-1CA\s0 certificate file.
-.Ip "\fB\-CAserial filename\fR" 4
-.IX Item "-CAserial filename"
-sets the \s-1CA\s0 serial number file to use.
-.Sp
-When the \fB\-CA\fR option is used to sign a certificate it uses a serial
-number specified in a file. This file consist of one line containing
-an even number of hex digits with the serial number to use. After each
-use the serial number is incremented and written out to the file again.
-.Sp
-The default filename consists of the \s-1CA\s0 certificate file base name with
-\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called
-\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R".
-.Ip "\fB\-CAcreateserial\fR" 4
-.IX Item "-CAcreateserial"
-with this option the \s-1CA\s0 serial number file is created if it does not exist:
-it will contain the serial number \*(L"02\*(R" and the certificate being signed will
-have the 1 as its serial number. Normally if the \fB\-CA\fR option is specified
-and the serial number file does not exist it is an error.
-.Ip "\fB\-extfile filename\fR" 4
-.IX Item "-extfile filename"
-file containing certificate extensions to use. If not specified then
-no extensions are added to the certificate.
-.Ip "\fB\-extensions section\fR" 4
-.IX Item "-extensions section"
-the section to add certificate extensions from. If this option is not
-specified then the extensions should either be contained in the unnamed
-(default) section or the default section should contain a variable called
-\&\*(L"extensions\*(R" which contains the section to use.
-.Sh "\s-1NAME\s0 \s-1OPTIONS\s0"
-.IX Subsection "NAME OPTIONS"
-The \fBnameopt\fR command line switch determines how the subject and issuer
-names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
-format is used which is compatible with previous versions of OpenSSL.
-Each option is described in detail below, all options can be preceded by
-a \fB-\fR to turn the option off. Only the first four will normally be used.
-.Ip "\fBcompat\fR" 4
-.IX Item "compat"
-use the old format. This is equivalent to specifying no name options at all.
-.Ip "\fB\s-1RFC2253\s0\fR" 4
-.IX Item "RFC2253"
-displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
-\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR,
-\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
-.Ip "\fBoneline\fR" 4
-.IX Item "oneline"
-a oneline format which is more readable than \s-1RFC2253\s0. It is equivalent to
-specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
-\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_spc\fR, \fBspc_eq\fR and \fBsname\fR
-options.
-.Ip "\fBmultiline\fR" 4
-.IX Item "multiline"
-a multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
-\&\fBspc_eq\fR, \fBlname\fR and \fBalign\fR.
-.Ip "\fBesc_2253\fR" 4
-.IX Item "esc_2253"
-escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field That is
-\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string
-and a space character at the beginning or end of a string.
-.Ip "\fBesc_ctrl\fR" 4
-.IX Item "esc_ctrl"
-escape control characters. That is those with \s-1ASCII\s0 values less than
-0x20 (space) and the delete (0x7f) character. They are escaped using the
-\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the
-character value).
-.Ip "\fBesc_msb\fR" 4
-.IX Item "esc_msb"
-escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
-127.
-.Ip "\fBuse_quote\fR" 4
-.IX Item "use_quote"
-escapes some characters by surrounding the whole string with \fB"\fR characters,
-without the option all escaping is done with the \fB\e\fR character.
-.Ip "\fButf8\fR" 4
-.IX Item "utf8"
-convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253\s0. If
-you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
-of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct
-display of multibyte (international) characters. Is this option is not
-present then multibyte characters larger than 0xff will be represented
-using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits.
-Also if this option is off any UTF8Strings will be converted to their
-character form first.
-.Ip "\fBno_type\fR" 4
-.IX Item "no_type"
-this option does not attempt to interpret multibyte characters in any
-way. That is their content octets are merely dumped as though one octet
-represents each character. This is useful for diagnostic purposes but
-will result in rather odd looking output.
-.Ip "\fBshow_type\fR" 4
-.IX Item "show_type"
-show the type of the \s-1ASN1\s0 character string. The type precedes the
-field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
-.Ip "\fBdump_der\fR" 4
-.IX Item "dump_der"
-when this option is set any fields that need to be hexdumped will
-be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
-content octets will be displayed. Both options use the \s-1RFC2253\s0
-\&\fB#XXXX...\fR format.
-.Ip "\fBdump_nostr\fR" 4
-.IX Item "dump_nostr"
-dump non character string types (for example \s-1OCTET\s0 \s-1STRING\s0) if this
-option is not set then non character string types will be displayed
-as though each content octet represents a single character.
-.Ip "\fBdump_all\fR" 4
-.IX Item "dump_all"
-dump all fields. This option when used with \fBdump_der\fR allows the
-\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
-.Ip "\fBdump_unknown\fR" 4
-.IX Item "dump_unknown"
-dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
-.Ip "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
-.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
-these options determine the field separators. The first character is
-between RDNs and the second between multiple AVAs (multiple AVAs are
-very rare and their use is discouraged). The options ending in
-\&\*(L"space\*(R" additionally place a space after the separator to make it
-more readable. The \fBsep_multiline\fR uses a linefeed character for
-the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also
-indents the fields by four characters.
-.Ip "\fBdn_rev\fR" 4
-.IX Item "dn_rev"
-reverse the fields of the \s-1DN\s0. This is required by \s-1RFC2253\s0. As a side
-effect this also reverses the order of multiple AVAs but this is
-permissible.
-.Ip "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
-.IX Item "nofname, sname, lname, oid"
-these options alter how the field name is displayed. \fBnofname\fR does
-not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form
-(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form.
-\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
-diagnostic purpose.
-.Ip "\fBalign\fR" 4
-.IX Item "align"
-align field values for a more readable output. Only usable with
-\&\fBsep_multiline\fR.
-.Ip "\fBspc_eq\fR" 4
-.IX Item "spc_eq"
-places spaces round the \fB=\fR character which follows the field
-name.
-.Sh "\s-1TEXT\s0 \s-1OPTIONS\s0"
-.IX Subsection "TEXT OPTIONS"
-As well as customising the name output format, it is also possible to
-customise the actual fields printed using the \fBcertopt\fR options when
-the \fBtext\fR option is present. The default behaviour is to print all fields.
-.Ip "\fBcompatible\fR" 4
-.IX Item "compatible"
-use the old format. This is equivalent to specifying no output options at all.
-.Ip "\fBno_header\fR" 4
-.IX Item "no_header"
-don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R".
-.Ip "\fBno_version\fR" 4
-.IX Item "no_version"
-don't print out the version number.
-.Ip "\fBno_serial\fR" 4
-.IX Item "no_serial"
-don't print out the serial number.
-.Ip "\fBno_signame\fR" 4
-.IX Item "no_signame"
-don't print out the signature algorithm used.
-.Ip "\fBno_validity\fR" 4
-.IX Item "no_validity"
-don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
-.Ip "\fBno_subject\fR" 4
-.IX Item "no_subject"
-don't print out the subject name.
-.Ip "\fBno_issuer\fR" 4
-.IX Item "no_issuer"
-don't print out the issuer name.
-.Ip "\fBno_pubkey\fR" 4
-.IX Item "no_pubkey"
-don't print out the public key.
-.Ip "\fBno_sigdump\fR" 4
-.IX Item "no_sigdump"
-don't give a hexadecimal dump of the certificate signature.
-.Ip "\fBno_aux\fR" 4
-.IX Item "no_aux"
-don't print out certificate trust information.
-.Ip "\fBno_extensions\fR" 4
-.IX Item "no_extensions"
-don't print out any X509V3 extensions.
-.Ip "\fBext_default\fR" 4
-.IX Item "ext_default"
-retain default extension behaviour: attempt to print out unsupported certificate extensions.
-.Ip "\fBext_error\fR" 4
-.IX Item "ext_error"
-print an error message for unsupported certificate extensions.
-.Ip "\fBext_parse\fR" 4
-.IX Item "ext_parse"
-\&\s-1ASN1\s0 parse unsupported extensions.
-.Ip "\fBext_dump\fR" 4
-.IX Item "ext_dump"
-hex dump unsupported extensions.
-.Ip "\fBca_default\fR" 4
-.IX Item "ca_default"
-the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR,
-\&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Note: in these examples the '\e' means the example should be all on one
-line.
-.PP
-Display the contents of a certificate:
-.PP
-.Vb 1
-\& openssl x509 -in cert.pem -noout -text
-.Ve
-Display the certificate serial number:
-.PP
-.Vb 1
-\& openssl x509 -in cert.pem -noout -serial
-.Ve
-Display the certificate subject name:
-.PP
-.Vb 1
-\& openssl x509 -in cert.pem -noout -subject
-.Ve
-Display the certificate subject name in \s-1RFC2253\s0 form:
-.PP
-.Vb 1
-\& openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
-.Ve
-Display the certificate subject name in oneline form on a terminal
-supporting \s-1UTF8:\s0
-.PP
-.Vb 1
-\& openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb
-.Ve
-Display the certificate \s-1MD5\s0 fingerprint:
-.PP
-.Vb 1
-\& openssl x509 -in cert.pem -noout -fingerprint
-.Ve
-Display the certificate \s-1SHA1\s0 fingerprint:
-.PP
-.Vb 1
-\& openssl x509 -sha1 -in cert.pem -noout -fingerprint
-.Ve
-Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
-.PP
-.Vb 1
-\& openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
-.Ve
-Convert a certificate to a certificate request:
-.PP
-.Vb 1
-\& openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
-.Ve
-Convert a certificate request into a self signed certificate using
-extensions for a \s-1CA:\s0
-.PP
-.Vb 2
-\& openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \e
-\& -signkey key.pem -out cacert.pem
-.Ve
-Sign a certificate request using the \s-1CA\s0 certificate above and add user
-certificate extensions:
-.PP
-.Vb 2
-\& openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \e
-\& -CA cacert.pem -CAkey key.pem -CAcreateserial
-.Ve
-Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
-\&\*(L"Steve's Class 1 \s-1CA\s0\*(R"
-.PP
-.Vb 2
-\& openssl x509 -in cert.pem -addtrust clientAuth \e
-\& -setalias "Steve's Class 1 CA" -out trust.pem
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 format uses the header and footer lines:
-.PP
-.Vb 2
-\& -----BEGIN CERTIFICATE-----
-\& -----END CERTIFICATE-----
-.Ve
-it will also handle files containing:
-.PP
-.Vb 2
-\& -----BEGIN X509 CERTIFICATE-----
-\& -----END X509 CERTIFICATE-----
-.Ve
-Trusted certificates have the lines
-.PP
-.Vb 2
-\& -----BEGIN TRUSTED CERTIFICATE-----
-\& -----END TRUSTED CERTIFICATE-----
-.Ve
-The conversion to \s-1UTF8\s0 format used with the name options assumes that
-T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
-and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
-it is more likely to display the majority of certificates correctly.
-.PP
-The \fB\-fingerprint\fR option takes the digest of the \s-1DER\s0 encoded certificate.
-This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
-digests the fingerprint of a certificate is unique to that certificate and
-two certificates with the same fingerprint can be considered to be the same.
-.PP
-The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1\s0.
-.PP
-The \fB\-email\fR option searches the subject name and the subject alternative
-name extension. Only unique email addresses will be printed out: it will
-not print the same address more than once.
-.SH "CERTIFICATE EXTENSIONS"
-.IX Header "CERTIFICATE EXTENSIONS"
-The \fB\-purpose\fR option checks the certificate extensions and determines
-what the certificate can be used for. The actual checks done are rather
-complex and include various hacks and workarounds to handle broken
-certificates and software.
-.PP
-The same code is used when verifying untrusted certificates in chains
-so this section is useful if a chain is rejected by the verify code.
-.PP
-The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
-certificate can be used as a \s-1CA\s0. If the \s-1CA\s0 flag is true then it is a \s-1CA\s0,
-if the \s-1CA\s0 flag is false then it is not a \s-1CA\s0. \fBAll\fR CAs should have the
-\&\s-1CA\s0 flag set to true.
-.PP
-If the basicConstraints extension is absent then the certificate is
-considered to be a \*(L"possible \s-1CA\s0\*(R" other extensions are checked according
-to the intended use of the certificate. A warning is given in this case
-because the certificate should really not be regarded as a \s-1CA:\s0 however
-it is allowed to be a \s-1CA\s0 to work around some broken software.
-.PP
-If the certificate is a V1 certificate (and thus has no extensions) and
-it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again
-given: this is to work around the problem of Verisign roots which are V1
-self signed certificates.
-.PP
-If the keyUsage extension is present then additional restraints are
-made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
-keyCertSign bit set if the keyUsage extension is present.
-.PP
-The extended key usage extension places additional restrictions on the
-certificate uses. If this extension is present (whether critical or not)
-the key can only be used for the purposes specified.
-.PP
-A complete description of each test is given below. The comments about
-basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR
-\&\s-1CA\s0 certificates.
-.Ip "\fB\s-1SSL\s0 Client\fR" 4
-.IX Item "SSL Client"
-The extended key usage extension must be absent or include the \*(L"web client
-authentication\*(R" \s-1OID\s0. keyUsage must be absent or it must have the
-digitalSignature bit set. Netscape certificate type must be absent or it must
-have the \s-1SSL\s0 client bit set.
-.Ip "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
-.IX Item "SSL Client CA"
-The extended key usage extension must be absent or include the \*(L"web client
-authentication\*(R" \s-1OID\s0. Netscape certificate type must be absent or it must have
-the \s-1SSL\s0 \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
-extension is absent.
-.Ip "\fB\s-1SSL\s0 Server\fR" 4
-.IX Item "SSL Server"
-The extended key usage extension must be absent or include the \*(L"web server
-authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it
-must have the digitalSignature, the keyEncipherment set or both bits set.
-Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
-.Ip "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
-.IX Item "SSL Server CA"
-The extended key usage extension must be absent or include the \*(L"web server
-authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must
-be absent or the \s-1SSL\s0 \s-1CA\s0 bit must be set: this is used as a work around if the
-basicConstraints extension is absent.
-.Ip "\fBNetscape \s-1SSL\s0 Server\fR" 4
-.IX Item "Netscape SSL Server"
-For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
-keyEncipherment bit set if the keyUsage extension is present. This isn't
-always valid because some cipher suites use the key for digital signing.
-Otherwise it is the same as a normal \s-1SSL\s0 server.
-.Ip "\fBCommon S/MIME Client Tests\fR" 4
-.IX Item "Common S/MIME Client Tests"
-The extended key usage extension must be absent or include the \*(L"email
-protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or should have the
-S/MIME bit set. If the S/MIME bit is not set in netscape certificate type
-then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
-this is because some Verisign certificates don't set the S/MIME bit.
-.Ip "\fBS/MIME Signing\fR" 4
-.IX Item "S/MIME Signing"
-In addition to the common S/MIME client tests the digitalSignature bit must
-be set if the keyUsage extension is present.
-.Ip "\fBS/MIME Encryption\fR" 4
-.IX Item "S/MIME Encryption"
-In addition to the common S/MIME tests the keyEncipherment bit must be set
-if the keyUsage extension is present.
-.Ip "\fBS/MIME \s-1CA\s0\fR" 4
-.IX Item "S/MIME CA"
-The extended key usage extension must be absent or include the \*(L"email
-protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or must have the
-S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
-extension is absent.
-.Ip "\fB\s-1CRL\s0 Signing\fR" 4
-.IX Item "CRL Signing"
-The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
-set.
-.Ip "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
-.IX Item "CRL Signing CA"
-The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension
-must be present.
-.SH "BUGS"
-.IX Header "BUGS"
-Extensions in certificates are not transferred to certificate requests and
-vice versa.
-.PP
-It is possible to produce invalid certificates or requests by specifying the
-wrong private key or using inconsistent options in some cases: these should
-be checked.
-.PP
-There should be options to explicitly set such things as start and end
-dates rather than an offset from the current time.
-.PP
-The code to implement the verify behaviour described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR
-is currently being developed. It thus describes the intended behaviour rather
-than the current behaviour. It is hoped that it will represent reality in
-OpenSSL 0.9.5 and later.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-req(1), ca(1), genrsa(1),
-gendsa(1), verify(1)
diff --git a/secure/usr.bin/scp/Makefile b/secure/usr.bin/scp/Makefile
deleted file mode 100644
index 03f331619eae..000000000000
--- a/secure/usr.bin/scp/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $FreeBSD$
-
-PROG= scp
-CFLAGS+=-I${SSHDIR}
-
-DPADD= ${LIBSSH}
-LDADD= -lssh
-
-.include <bsd.prog.mk>
-
-.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/sftp/Makefile b/secure/usr.bin/sftp/Makefile
deleted file mode 100644
index 32fa7cdf6305..000000000000
--- a/secure/usr.bin/sftp/Makefile
+++ /dev/null
@@ -1,12 +0,0 @@
-# $FreeBSD$
-
-PROG= sftp
-SRCS= sftp.c sftp-client.c sftp-int.c sftp-common.c sftp-glob.c
-CFLAGS+=-I${SSHDIR}
-
-DPADD= ${LIBSSH} ${LIBCRYPTO}
-LDADD= -lssh -lcrypto
-
-.include <bsd.prog.mk>
-
-.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh-add/Makefile b/secure/usr.bin/ssh-add/Makefile
deleted file mode 100644
index ab4a2b4009f0..000000000000
--- a/secure/usr.bin/ssh-add/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $FreeBSD$
-
-PROG= ssh-add
-CFLAGS+=-I${SSHDIR}
-
-DPADD= ${LIBSSH} ${LIBCRYPTO}
-LDADD= -lssh -lcrypto
-
-.include <bsd.prog.mk>
-
-.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh-agent/Makefile b/secure/usr.bin/ssh-agent/Makefile
deleted file mode 100644
index 0fbd96d48096..000000000000
--- a/secure/usr.bin/ssh-agent/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $FreeBSD$
-
-PROG= ssh-agent
-CFLAGS+=-I${SSHDIR}
-
-DPADD= ${LIBSSH} ${LIBCRYPTO}
-LDADD= -lssh -lcrypto
-
-.include <bsd.prog.mk>
-
-.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile
deleted file mode 100644
index 8140cde80344..000000000000
--- a/secure/usr.bin/ssh-keygen/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $FreeBSD$
-
-PROG= ssh-keygen
-CFLAGS+=-I${SSHDIR}
-
-DPADD= ${LIBSSH} ${LIBCRYPTO}
-LDADD= -lssh -lcrypto
-
-.include <bsd.prog.mk>
-
-.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh-keyscan/Makefile b/secure/usr.bin/ssh-keyscan/Makefile
deleted file mode 100644
index 6c9be5ec9e57..000000000000
--- a/secure/usr.bin/ssh-keyscan/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $FreeBSD$
-
-PROG= ssh-keyscan
-CFLAGS+=-I${SSHDIR}
-
-DPADD= ${LIBSSH} ${LIBCRYPTO} ${LIBZ}
-LDADD= -lssh -lcrypto -lz
-
-.include <bsd.prog.mk>
-
-.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
deleted file mode 100644
index 204e95a131e6..000000000000
--- a/secure/usr.bin/ssh/Makefile
+++ /dev/null
@@ -1,36 +0,0 @@
-# $FreeBSD$
-#
-
-PROG= ssh
-CFLAGS+=-I${SSHDIR}
-LINKS= ${BINDIR}/ssh ${BINDIR}/slogin
-MAN= ssh.1 ssh_config.5
-MLINKS= ssh.1 slogin.1
-
-SRCS= ssh.c authfd.c hostfile.c msg.c readconf.c clientloop.c sshtty.c \
- sshconnect.c sshconnect1.c sshconnect2.c
-
-.if defined(MAKE_KERBEROS4)
-DISTRIBUTION=krb4
-CFLAGS+= -DKRB4
-LDADD+= -lkrb -lcom_err
-DPADD+= ${LIBKRB} ${LIBCOM_ERR}
-.endif
-
-.if defined(MAKE_KERBEROS5)
-DISTRIBUTION=krb5
-CFLAGS+= -DKRB5 -DHEIMDAL
-LDADD+= -lkrb5 -lasn1 -lcom_err -lmd -L${.OBJDIR}/../../../kerberos5/lib/libroken -lroken -lcrypt
-DPADD+= ${LIBKRB5} ${LIBCOM_ERR} ${LIBASN1} ${LIBMD} ${LIBCRYPT}
-.endif
-
-.if defined(X11BASE)
-CFLAGS+= -DXAUTH_PATH=\"${X11BASE}/bin/xauth\"
-.endif
-
-LDADD+= -lssh -lcrypto -lutil -lz
-DPADD+= ${LIBSSH} ${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
-
-.include <bsd.prog.mk>
-
-.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/telnet/Makefile b/secure/usr.bin/telnet/Makefile
deleted file mode 100644
index 74cf075d18d9..000000000000
--- a/secure/usr.bin/telnet/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# $FreeBSD$
-
-PROG= telnet
-
-SRCS= authenc.c commands.c main.c network.c ring.c sys_bsd.c \
- telnet.c terminal.c utilities.c
-
-CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DOPIE \
- -DENCRYPTION -DAUTHENTICATION -DIPSEC -DINET6 \
- -I${TELNETDIR} -I${TELNETDIR}/libtelnet/
-
-WARNS?= 2
-
-DPADD= ${LIBTERMCAP} ${LIBTELNET} ${LIBMP} \
- ${LIBCRYPTO} ${LIBCRYPT} ${LIBIPSEC} ${LIBPAM}
-LDADD= -ltermcap ${LIBTELNET} -lmp \
- -lcrypto -lcrypt -lipsec ${MINUSLPAM}
-
-.include <bsd.prog.mk>
-
-.PATH: ${TELNETDIR}/telnet