diff options
Diffstat (limited to 'secure/usr.bin')
40 files changed, 1666 insertions, 102 deletions
diff --git a/secure/usr.bin/openssl/Makefile b/secure/usr.bin/openssl/Makefile index 76665dd37ff6..82e7e8d20b25 100644 --- a/secure/usr.bin/openssl/Makefile +++ b/secure/usr.bin/openssl/Makefile @@ -13,7 +13,8 @@ LDADD= -lssl -lcrypto CFLAGS+= -DMONOLITH -I${.CURDIR} SRCS+= app_rand.c apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \ - dgst.c dh.c dhparam.c dsa.c dsaparam.c enc.c engine.c errstr.c \ + dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c \ + engine.c errstr.c \ gendh.c gendsa.c genrsa.c nseq.c ocsp.c openssl.c passwd.c \ pkcs12.c pkcs7.c pkcs8.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c \ s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c \ diff --git a/secure/usr.bin/openssl/Makefile.man b/secure/usr.bin/openssl/Makefile.man index f82cd8a17b47..b87642fbf181 100644 --- a/secure/usr.bin/openssl/Makefile.man +++ b/secure/usr.bin/openssl/Makefile.man @@ -10,7 +10,10 @@ MAN+= dgst.1 MAN+= dhparam.1 MAN+= dsa.1 MAN+= dsaparam.1 +MAN+= ec.1 +MAN+= ecparam.1 MAN+= enc.1 +MAN+= errstr.1 MAN+= gendsa.1 MAN+= genrsa.1 MAN+= nseq.1 @@ -34,6 +37,7 @@ MAN+= spkac.1 MAN+= verify.1 MAN+= version.1 MAN+= x509.1 +MAN+= x509v3_config.1 MLINKS+= dgst.1 md5.1 MLINKS+= dgst.1 md4.1 MLINKS+= dgst.1 md2.1 diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1 index 17db72700fc5..a8f74cb2a345 100644 --- a/secure/usr.bin/openssl/man/CA.pl.1 +++ b/secure/usr.bin/openssl/man/CA.pl.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "CA.PL 1" -.TH CA.PL 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH CA.PL 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" CA.pl \- friendlier interface for OpenSSL certificate programs .SH "SYNOPSIS" @@ -167,8 +167,8 @@ written to the file \*(L"newreq.pem\*(R". .IX Item "-newreq" creates a new certificate request. The private key and request are written to the file \*(L"newreq.pem\*(R". -.IP "\fB\-newreq\-nowdes\fR" 4 -.IX Item "-newreq-nowdes" +.IP "\fB\-newreq\-nodes\fR" 4 +.IX Item "-newreq-nodes" is like \fB\-newreq\fR except that the private key will not be encrypted. .IP "\fB\-newca\fR" 4 .IX Item "-newca" diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1 index d1a81e8eea02..f9cabeaa2409 100644 --- a/secure/usr.bin/openssl/man/asn1parse.1 +++ b/secure/usr.bin/openssl/man/asn1parse.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "ASN1PARSE 1" -.TH ASN1PARSE 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH ASN1PARSE 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" asn1parse \- ASN.1 parsing tool .SH "SYNOPSIS" @@ -144,6 +144,8 @@ asn1parse \- ASN.1 parsing tool [\fB\-i\fR] [\fB\-oid filename\fR] [\fB\-strparse offset\fR] +[\fB\-genstr string\fR] +[\fB\-genconf file\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN\s0.1 @@ -182,6 +184,14 @@ file is described in the \s-1NOTES\s0 section below. .IX Item "-strparse offset" parse the contents octets of the \s-1ASN\s0.1 object starting at \fBoffset\fR. This option can be used multiple times to \*(L"drill down\*(R" into a nested structure. +.IP "\fB\-genstr string\fR, \fB\-genconf file\fR" 4 +.IX Item "-genstr string, -genconf file" +generate encoded data based on \fBstring\fR, \fBfile\fR or both using +\&\fIASN1_generate_nconf()\fR format. If \fBfile\fR only is present then the string +is obtained from the default section using the name \fBasn1\fR. The encoded +data is passed through the \s-1ASN1\s0 parser and printed out as though it came +from a file, the contents can thus be examined and written to a file +using the \fBout\fR option. .Sh "\s-1OUTPUT\s0" .IX Subsection "OUTPUT" The output will typically contain lines like this: @@ -237,7 +247,53 @@ by white space. The final column is the rest of the line and is the \&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. Example: .PP \&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Parse a file: +.PP +.Vb 1 +\& openssl asn1parse -in file.pem +.Ve +.PP +Parse a \s-1DER\s0 file: +.PP +.Vb 1 +\& openssl asn1parse -inform DER -in file.der +.Ve +.PP +Generate a simple UTF8String: +.PP +.Vb 1 +\& openssl asn1parse -genstr 'UTF8:Hello World' +.Ve +.PP +Generate and write out a UTF8String, don't print parsed output: +.PP +.Vb 1 +\& openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der +.Ve +.PP +Generate using a config file: +.PP +.Vb 1 +\& openssl asn1parse -genconf asn1.cnf -noout -out asn1.der +.Ve +.PP +Example config file: +.PP +.Vb 1 +\& asn1=SEQUENCE:seq_sect +.Ve +.PP +.Vb 1 +\& [seq_sect] +.Ve +.PP +.Vb 2 +\& field1=BOOL:TRUE +\& field2=EXP:0, UTF8:some random string +.Ve .SH "BUGS" .IX Header "BUGS" -There should be options to change the format of input lines. The output of some +There should be options to change the format of output lines. The output of some \&\s-1ASN\s0.1 types is not well handled (if at all). diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1 index ab85a0c7b247..528f1d78176d 100644 --- a/secure/usr.bin/openssl/man/ca.1 +++ b/secure/usr.bin/openssl/man/ca.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "CA 1" -.TH CA 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH CA 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" ca \- sample minimal CA application .SH "SYNOPSIS" @@ -144,7 +144,6 @@ ca \- sample minimal CA application [\fB\-crl_hold instruction\fR] [\fB\-crl_compromise time\fR] [\fB\-crl_CA_compromise time\fR] -[\fB\-subj arg\fR] [\fB\-crldays days\fR] [\fB\-crlhours hours\fR] [\fB\-crlexts section\fR] @@ -157,6 +156,7 @@ ca \- sample minimal CA application [\fB\-key arg\fR] [\fB\-passin arg\fR] [\fB\-cert file\fR] +[\fB\-selfsign\fR] [\fB\-in file\fR] [\fB\-out file\fR] [\fB\-notext\fR] @@ -171,6 +171,9 @@ ca \- sample minimal CA application [\fB\-extensions section\fR] [\fB\-extfile section\fR] [\fB\-engine id\fR] +[\fB\-subj arg\fR] +[\fB\-utf8\fR] +[\fB\-multivalue\-rdn\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used @@ -225,6 +228,19 @@ the private key to sign requests with. the password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g. Unix with the 'ps' utility) this option should be used with caution. +.IP "\fB\-selfsign\fR" 4 +.IX Item "-selfsign" +indicates the issued certificates are to be signed with the key +the certificate requests were signed with (given with \fB\-keyfile\fR). +Cerificate requests signed with a different key are ignored. If +\&\fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is +ignored. +.Sp +A consequence of using \fB\-selfsign\fR is that the self-signed +certificate appears among the entries in the certificate database +(see the configuration option \fBdatabase\fR), and uses the same +serial number counter as all other certificates sign with the +self-signed certificate. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" the key password source. For more information about the format of \fBarg\fR @@ -300,6 +316,25 @@ specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +.IP "\fB\-subj arg\fR" 4 +.IX Item "-subj arg" +supersedes subject name given in the request. +The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, +characters may be escaped by \e (backslash), no spaces are skipped. +.IP "\fB\-utf8\fR" 4 +.IX Item "-utf8" +this option causes field values to be interpreted as \s-1UTF8\s0 strings, by +default they are interpreted as \s-1ASCII\s0. This means that the field +values, whether prompted from a terminal or obtained from a +configuration file, must be valid \s-1UTF8\s0 strings. +.IP "\fB\-multivalue\-rdn\fR" 4 +.IX Item "-multivalue-rdn" +this option causes the \-subj argument to be interpretedt with full +support for multivalued RDNs. Example: +.Sp +\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR +.Sp +If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. .SH "CRL OPTIONS" .IX Header "CRL OPTIONS" .IP "\fB\-gencrl\fR" 4 @@ -338,11 +373,6 @@ This sets the revocation reason to \fBkeyCompromise\fR and the compromise time t .IX Item "-crl_CA_compromise time" This is the same as \fBcrl_compromise\fR except the revocation reason is set to \&\fBCACompromise\fR. -.IP "\fB\-subj arg\fR" 4 -.IX Item "-subj arg" -supersedes subject name given in the request. -The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, -characters may be escaped by \e (backslash), no spaces are skipped. .IP "\fB\-crlexts section\fR" 4 .IX Item "-crlexts section" the section of the configuration file containing \s-1CRL\s0 extensions to @@ -425,10 +455,24 @@ the same as the \fB\-md\fR option. The message digest to use. Mandatory. .IX Item "database" the text database file to use. Mandatory. This file must be present though initially it will be empty. +.IP "\fBunique_subject\fR" 4 +.IX Item "unique_subject" +if the value \fByes\fR is given, the valid certificate entries in the +database must have unique subjects. if the value \fBno\fR is given, +several valid certificate entries may have the exact same subject. +The default value is \fByes\fR, to be compatible with older (pre 0.9.8) +versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier, +it's recommended to use the value \fBno\fR, especially if combined with +the \fB\-selfsign\fR command line option. .IP "\fBserial\fR" 4 .IX Item "serial" a text file containing the next serial number to use in hex. Mandatory. This file must be present and contain a valid serial number. +.IP "\fBcrlnumber\fR" 4 +.IX Item "crlnumber" +a text file containing the next \s-1CRL\s0 number to use in hex. The crl number +will be inserted in the CRLs only if this file exists. If this file is +present, it must contain a valid \s-1CRL\s0 number. .IP "\fBx509_extensions\fR" 4 .IX Item "x509_extensions" the same as \fB\-extensions\fR. @@ -450,8 +494,8 @@ the same as \fB\-msie_hack\fR .IX Item "policy" the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section for more information. -.IP "\fBnameopt\fR, \fBcertopt\fR" 4 -.IX Item "nameopt, certopt" +.IP "\fBname_opt\fR, \fBcert_opt\fR" 4 +.IX Item "name_opt, cert_opt" these options allow the format used to display the certificate details when asking the user to confirm signing. All the options supported by the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used @@ -590,8 +634,8 @@ A sample configuration file with the relevant sections for \fBca\fR: .Ve .PP .Vb 3 -\& nameopt = ca_default # Subject name display option -\& certopt = ca_default # Certificate display option +\& name_opt = ca_default # Subject name display option +\& cert_opt = ca_default # Certificate display option \& copy_extensions = none # Don't copy extensions from request .Ve .PP @@ -633,8 +677,7 @@ if corrupted it can be difficult to fix. It is theoretically possible to rebuild the index file from all the issued certificates and a current \&\s-1CRL:\s0 however there is no option to do this. .PP -V2 \s-1CRL\s0 features like delta \s-1CRL\s0 support and \s-1CRL\s0 numbers are not currently -supported. +V2 \s-1CRL\s0 features like delta CRLs are not currently supported. .PP Although several requests can be input and handled at once it is only possible to include one \s-1SPKAC\s0 or self signed certificate. @@ -644,12 +687,6 @@ The use of an in memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory. .PP -It is not possible to certify two certificates with the same \s-1DN:\s0 this -is a side effect of how the text database is indexed and it cannot easily -be fixed without introducing other problems. Some S/MIME clients can use -two certificates with the same \s-1DN\s0 for separate signing and encryption -keys. -.PP The \fBca\fR command really needs rewriting or the required functionality exposed at either a command or interface level so a more friendly utility (perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1 index b539f130fc10..bf3310352837 100644 --- a/secure/usr.bin/openssl/man/ciphers.1 +++ b/secure/usr.bin/openssl/man/ciphers.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "CIPHERS 1" -.TH CIPHERS 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH CIPHERS 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" ciphers \- SSL cipher display and cipher list tool. .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1 index 2151b2b39f3d..54766011129f 100644 --- a/secure/usr.bin/openssl/man/crl.1 +++ b/secure/usr.bin/openssl/man/crl.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "CRL 1" -.TH CRL 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH CRL 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" crl \- CRL utility .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1 index 4a6f9568f398..49bb3e4051eb 100644 --- a/secure/usr.bin/openssl/man/crl2pkcs7.1 +++ b/secure/usr.bin/openssl/man/crl2pkcs7.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "CRL2PKCS7 1" -.TH CRL2PKCS7 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH CRL2PKCS7 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates. .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1 index cb6be3710cb2..2db68aa78011 100644 --- a/secure/usr.bin/openssl/man/dgst.1 +++ b/secure/usr.bin/openssl/man/dgst.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "DGST 1" -.TH DGST 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH DGST 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests .SH "SYNOPSIS" @@ -142,6 +142,7 @@ dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests [\fB\-binary\fR] [\fB\-out filename\fR] [\fB\-sign filename\fR] +[\fB\-passin arg\fR] [\fB\-verify filename\fR] [\fB\-prverify filename\fR] [\fB\-signature filename\fR] @@ -177,6 +178,10 @@ filename to output to, or standard output by default. .IP "\fB\-sign filename\fR" 4 .IX Item "-sign filename" digitally sign the digest using the private key in \*(L"filename\*(R". +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-verify filename\fR" 4 .IX Item "-verify filename" verify the signature using the the public key in \*(L"filename\*(R". diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1 index 08bf6901f0de..2f211fbab84e 100644 --- a/secure/usr.bin/openssl/man/dhparam.1 +++ b/secure/usr.bin/openssl/man/dhparam.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "DHPARAM 1" -.TH DHPARAM 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH DHPARAM 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" dhparam \- DH parameter manipulation and generation .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1 index 1c870769ddaa..60ed53d2aecb 100644 --- a/secure/usr.bin/openssl/man/dsa.1 +++ b/secure/usr.bin/openssl/man/dsa.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "DSA 1" -.TH DSA 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH DSA 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" dsa \- DSA key processing .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1 index 86eb3684ea74..894f572393df 100644 --- a/secure/usr.bin/openssl/man/dsaparam.1 +++ b/secure/usr.bin/openssl/man/dsaparam.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "DSAPARAM 1" -.TH DSAPARAM 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH DSAPARAM 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" dsaparam \- DSA parameter manipulation and generation .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1 new file mode 100644 index 000000000000..668866937966 --- /dev/null +++ b/secure/usr.bin/openssl/man/ec.1 @@ -0,0 +1,307 @@ +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EC 1" +.TH EC 1 "2006-07-29" "0.9.8b" "OpenSSL" +.SH "NAME" +ec \- EC key processing +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBec\fR +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-param_out\fR] +[\fB\-pubin\fR] +[\fB\-pubout\fR] +[\fB\-conv_form arg\fR] +[\fB\-param_enc arg\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBec\fR command processes \s-1EC\s0 keys. They can be converted between various +forms and their components printed out. \fBNote\fR OpenSSL uses the +private key format specified in '\s-1SEC\s0 1: Elliptic Curve Cryptography' +(http://www.secg.org/). To convert a OpenSSL \s-1EC\s0 private key into the +PKCS#8 private key format use the \fBpkcs8\fR command. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses +an \s-1ASN\s0.1 \s-1DER\s0 encoded \s-1SEC1\s0 private key. When used with a public key it +uses the SubjectPublicKeyInfo structur as specified in \s-1RFC\s0 3280. +The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 +encoded with additional header and footer lines. In the case of a private key +PKCS#8 format is also accepted. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output by +is not specified. If any encryption options are set then a pass phrase will be +prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.IP "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +the output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-des|\-des3|\-idea\fR" 4 +.IX Item "-des|-des3|-idea" +These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, \s-1IDEA\s0 or +any other cipher supported by OpenSSL before outputting it. A pass phrase is +prompted for. +If none of these options is specified the key is written in plain text. This +means that using the \fBec\fR utility to read in an encrypted key with no +encryption option can be used to remove the pass phrase from a key, or by +setting the encryption options it can be use to add or change the pass phrase. +These options can only be used with \s-1PEM\s0 format output files. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +prints out the public, private key components and parameters. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the encoded version of the key. +.IP "\fB\-modulus\fR" 4 +.IX Item "-modulus" +this option prints out the value of the public key component of the key. +.IP "\fB\-pubin\fR" 4 +.IX Item "-pubin" +by default a private key is read from the input file: with this option a +public key is read instead. +.IP "\fB\-pubout\fR" 4 +.IX Item "-pubout" +by default a private key is output. With this option a public +key will be output instead. This option is automatically set if the input is +a public key. +.IP "\fB\-conv_form\fR" 4 +.IX Item "-conv_form" +This specifies how the points on the elliptic curve are converted +into octet strings. Possible values are: \fBcompressed\fR (the default +value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding +the point conversion forms please read the X9.62 standard. +\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled +by default for binary curves and can be enabled by defining +the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time. +.IP "\fB\-param_enc arg\fR" 4 +.IX Item "-param_enc arg" +This specifies how the elliptic curve parameters are encoded. +Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are +specified by a \s-1OID\s0, or \fBexplicit\fR where the ec parameters are +explicitly given (see \s-1RFC\s0 3279 for the definition of the +\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR. +\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC\s0 3279, +is currently not implemented in OpenSSL. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 private key format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN EC PRIVATE KEY----- +\& -----END EC PRIVATE KEY----- +.Ve +.PP +The \s-1PEM\s0 public key format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN PUBLIC KEY----- +\& -----END PUBLIC KEY----- +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To encrypt a private key using triple \s-1DES:\s0 +.PP +.Vb 1 +\& openssl ec -in key.pem -des3 -out keyout.pem +.Ve +.PP +To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl ec -in key.pem -outform DER -out keyout.der +.Ve +.PP +To print out the components of a private key to standard output: +.PP +.Vb 1 +\& openssl ec -in key.pem -text -noout +.Ve +.PP +To just output the public part of a private key: +.PP +.Vb 1 +\& openssl ec -in key.pem -pubout -out pubkey.pem +.Ve +.PP +To change the parameters encoding to \fBexplicit\fR: +.PP +.Vb 1 +\& openssl ec -in key.pem -param_enc explicit -out keyout.pem +.Ve +.PP +To change the point conversion form to \fBcompressed\fR: +.PP +.Vb 1 +\& openssl ec -in key.pem -conv_form compressed -out keyout.pem +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIecparam\fR\|(1), \fIdsa\fR\|(1), \fIrsa\fR\|(1) +.SH "HISTORY" +.IX Header "HISTORY" +The ec command was first introduced in OpenSSL 0.9.8. +.SH "AUTHOR" +.IX Header "AUTHOR" +Nils Larsch for the OpenSSL project (http://www.openssl.org). diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1 new file mode 100644 index 000000000000..7f7e8478a34b --- /dev/null +++ b/secure/usr.bin/openssl/man/ecparam.1 @@ -0,0 +1,293 @@ +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ECPARAM 1" +.TH ECPARAM 1 "2006-07-29" "0.9.8b" "OpenSSL" +.SH "NAME" +ecparam \- EC parameter manipulation and generation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl ecparam\fR +[\fB\-inform DER|PEM\fR] +[\fB\-outform DER|PEM\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-text\fR] +[\fB\-C\fR] +[\fB\-check\fR] +[\fB\-name arg\fR] +[\fB\-list_curve\fR] +[\fB\-conv_form arg\fR] +[\fB\-param_enc arg\fR] +[\fB\-no_seed\fR] +[\fB\-rand file(s)\fR] +[\fB\-genkey\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to manipulate or generate \s-1EC\s0 parameter files. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN\s0.1 \s-1DER\s0 encoded +form compatible with \s-1RFC\s0 3279 EcpkParameters. The \s-1PEM\s0 form is the default +format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional +header and footer lines. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read parameters from or standard input if +this option is not specified. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename parameters to. Standard output is used +if this option is not present. The output filename should \fBnot\fR be the same +as the input filename. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +This option inhibits the output of the encoded version of the parameters. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +This option prints out the \s-1EC\s0 parameters in human readable form. +.IP "\fB\-C\fR" 4 +.IX Item "-C" +This option converts the \s-1EC\s0 parameters into C code. The parameters can then +be loaded by calling the \fB\f(BIget_ec_group_XXX()\fB\fR function. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +Validate the elliptic curve parameters. +.IP "\fB\-name arg\fR" 4 +.IX Item "-name arg" +Use the \s-1EC\s0 parameters with the specified 'short' name. Use \fB\-list_curves\fR +to get a list of all currently implemented \s-1EC\s0 parameters. +.IP "\fB\-list_curves\fR" 4 +.IX Item "-list_curves" +If this options is specified \fBecparam\fR will print out a list of all +currently implemented \s-1EC\s0 parameters names and exit. +.IP "\fB\-conv_form\fR" 4 +.IX Item "-conv_form" +This specifies how the points on the elliptic curve are converted +into octet strings. Possible values are: \fBcompressed\fR (the default +value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding +the point conversion forms please read the X9.62 standard. +\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled +by default for binary curves and can be enabled by defining +the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time. +.IP "\fB\-param_enc arg\fR" 4 +.IX Item "-param_enc arg" +This specifies how the elliptic curve parameters are encoded. +Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are +specified by a \s-1OID\s0, or \fBexplicit\fR where the ec parameters are +explicitly given (see \s-1RFC\s0 3279 for the definition of the +\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR. +\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC\s0 3279, +is currently not implemented in OpenSSL. +.IP "\fB\-no_seed\fR" 4 +.IX Item "-no_seed" +This option inhibits that the 'seed' for the parameter generation +is included in the ECParameters structure (see \s-1RFC\s0 3279). +.IP "\fB\-genkey\fR" 4 +.IX Item "-genkey" +This option will generate a \s-1EC\s0 private key using the specified parameters. +.IP "\fB\-rand file(s)\fR" 4 +.IX Item "-rand file(s)" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1PEM\s0 format \s-1EC\s0 parameters use the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN EC PARAMETERS----- +\& -----END EC PARAMETERS----- +.Ve +.PP +OpenSSL is currently not able to generate new groups and therefore +\&\fBecparam\fR can only create \s-1EC\s0 parameters from known (named) curves. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To create \s-1EC\s0 parameters with the group 'prime192v1': +.PP +.Vb 1 +\& openssl ecparam -out ec_param.pem -name prime192v1 +.Ve +.PP +To create \s-1EC\s0 parameters with explicit parameters: +.PP +.Vb 1 +\& openssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit +.Ve +.PP +To validate given \s-1EC\s0 parameters: +.PP +.Vb 1 +\& openssl ecparam -in ec_param.pem -check +.Ve +.PP +To create \s-1EC\s0 parameters and a private key: +.PP +.Vb 1 +\& openssl ecparam -out ec_key.pem -name prime192v1 -genkey +.Ve +.PP +To change the point encoding to 'compressed': +.PP +.Vb 1 +\& openssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed +.Ve +.PP +To print out the \s-1EC\s0 parameters to standard output: +.PP +.Vb 1 +\& openssl ecparam -in ec_param.pem -noout -text +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIec\fR\|(1), \fIdsaparam\fR\|(1) +.SH "HISTORY" +.IX Header "HISTORY" +The ecparam command was first introduced in OpenSSL 0.9.8. +.SH "AUTHOR" +.IX Header "AUTHOR" +Nils Larsch for the OpenSSL project (http://www.openssl.org) diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1 index 9152e4ae4013..61eaedd4e5ea 100644 --- a/secure/usr.bin/openssl/man/enc.1 +++ b/secure/usr.bin/openssl/man/enc.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "ENC 1" -.TH ENC 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH ENC 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" enc \- symmetric cipher routines .SH "SYNOPSIS" @@ -302,14 +302,14 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key. .PP .Vb 4 \& des-ede-cbc Two key triple DES EDE in CBC mode -\& des-ede Alias for des-ede +\& des-ede Two key triple DES EDE in ECB mode \& des-ede-cfb Two key triple DES EDE in CFB mode \& des-ede-ofb Two key triple DES EDE in OFB mode .Ve .PP .Vb 5 \& des-ede3-cbc Three key triple DES EDE in CBC mode -\& des-ede3 Alias for des-ede3-cbc +\& des-ede3 Three key triple DES EDE in ECB mode \& des3 Alias for des-ede3-cbc \& des-ede3-cfb Three key triple DES EDE CFB mode \& des-ede3-ofb Three key triple DES EDE in OFB mode @@ -330,9 +330,9 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key. .Vb 7 \& rc2-cbc 128 bit RC2 in CBC mode \& rc2 Alias for rc2-cbc -\& rc2-cfb 128 bit RC2 in CBC mode -\& rc2-ecb 128 bit RC2 in CBC mode -\& rc2-ofb 128 bit RC2 in CBC mode +\& rc2-cfb 128 bit RC2 in CFB mode +\& rc2-ecb 128 bit RC2 in ECB mode +\& rc2-ofb 128 bit RC2 in OFB mode \& rc2-64-cbc 64 bit RC2 in CBC mode \& rc2-40-cbc 40 bit RC2 in CBC mode .Ve @@ -346,9 +346,9 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key. .Vb 5 \& rc5-cbc RC5 cipher in CBC mode \& rc5 Alias for rc5-cbc -\& rc5-cfb RC5 cipher in CBC mode -\& rc5-ecb RC5 cipher in CBC mode -\& rc5-ofb RC5 cipher in CBC mode +\& rc5-cfb RC5 cipher in CFB mode +\& rc5-ecb RC5 cipher in ECB mode +\& rc5-ofb RC5 cipher in OFB mode .Ve .SH "EXAMPLES" .IX Header "EXAMPLES" diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1 new file mode 100644 index 000000000000..a2cc57145a17 --- /dev/null +++ b/secure/usr.bin/openssl/man/errstr.1 @@ -0,0 +1,167 @@ +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ERRSTR 1" +.TH ERRSTR 1 "2006-07-29" "0.9.8b" "OpenSSL" +.SH "NAME" +errstr \- lookup error codes +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl errstr error_code\fR +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Sometimes an application will not load error message and only +numerical forms will be available. The \fBerrstr\fR utility can be used to +display the meaning of the hex code. The hex code is the hex digits after the +second colon. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +The error code: +.PP +.Vb 1 +\& 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107: +.Ve +.PP +can be displayed with: +.PP +.Vb 1 +\& openssl errstr 2006D080 +.Ve +.PP +to produce the error message: +.PP +.Vb 1 +\& error:2006D080:BIO routines:BIO_new_file:no such file +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIerr\fR\|(3), +\&\fIERR_load_crypto_strings\fR\|(3), +\&\fISSL_load_error_strings\fR\|(3) diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1 index 1d69e336541b..2c5bd5441c2a 100644 --- a/secure/usr.bin/openssl/man/gendsa.1 +++ b/secure/usr.bin/openssl/man/gendsa.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "GENDSA 1" -.TH GENDSA 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH GENDSA 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" gendsa \- generate a DSA private key from a set of parameters .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1 index 589d10b14577..41e32c17548e 100644 --- a/secure/usr.bin/openssl/man/genrsa.1 +++ b/secure/usr.bin/openssl/man/genrsa.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "GENRSA 1" -.TH GENRSA 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH GENRSA 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" genrsa \- generate an RSA private key .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1 index 605e69989f38..7737e485a9bc 100644 --- a/secure/usr.bin/openssl/man/nseq.1 +++ b/secure/usr.bin/openssl/man/nseq.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "NSEQ 1" -.TH NSEQ 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH NSEQ 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" nseq \- create or examine a netscape certificate sequence .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1 index 66694b557cf9..14f15cec5f1e 100644 --- a/secure/usr.bin/openssl/man/ocsp.1 +++ b/secure/usr.bin/openssl/man/ocsp.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "OCSP 1" -.TH OCSP 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH OCSP 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" ocsp \- Online Certificate Status Protocol utility .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1 index d29225f3e726..55ef87e17824 100644 --- a/secure/usr.bin/openssl/man/openssl.1 +++ b/secure/usr.bin/openssl/man/openssl.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "OPENSSL 1" -.TH OPENSSL 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH OPENSSL 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" openssl \- OpenSSL command line tool .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1 index 55bb623698b1..63c35de2fab2 100644 --- a/secure/usr.bin/openssl/man/passwd.1 +++ b/secure/usr.bin/openssl/man/passwd.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "PASSWD 1" -.TH PASSWD 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH PASSWD 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" passwd \- compute password hashes .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1 index 0eb76901524a..16486403bd5a 100644 --- a/secure/usr.bin/openssl/man/pkcs12.1 +++ b/secure/usr.bin/openssl/man/pkcs12.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "PKCS12 1" -.TH PKCS12 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH PKCS12 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" pkcs12 \- PKCS#12 file utility .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1 index 18f1e2c8abe6..72bf255c0589 100644 --- a/secure/usr.bin/openssl/man/pkcs7.1 +++ b/secure/usr.bin/openssl/man/pkcs7.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "PKCS7 1" -.TH PKCS7 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH PKCS7 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" pkcs7 \- PKCS#7 utility .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1 index fcf25e77ded0..3ebc833cb1ff 100644 --- a/secure/usr.bin/openssl/man/pkcs8.1 +++ b/secure/usr.bin/openssl/man/pkcs8.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "PKCS8 1" -.TH PKCS8 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH PKCS8 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" pkcs8 \- PKCS#8 format private key conversion tool .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1 index b7b351c82a5b..9bc63033bee0 100644 --- a/secure/usr.bin/openssl/man/rand.1 +++ b/secure/usr.bin/openssl/man/rand.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "RAND 1" -.TH RAND 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH RAND 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" rand \- generate pseudo\-random bytes .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1 index 0b4718d0c396..031e81df6465 100644 --- a/secure/usr.bin/openssl/man/req.1 +++ b/secure/usr.bin/openssl/man/req.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "REQ 1" -.TH REQ 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH REQ 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" req \- PKCS#10 certificate request and certificate generating utility. .SH "SYNOPSIS" @@ -157,6 +157,7 @@ req \- PKCS#10 certificate request and certificate generating utility. [\fB\-[md5|sha1|md2|mdc2]\fR] [\fB\-config filename\fR] [\fB\-subj arg\fR] +[\fB\-multivalue\-rdn\fR] [\fB\-x509\fR] [\fB\-days n\fR] [\fB\-set_serial n\fR] @@ -275,6 +276,14 @@ sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, characters may be escaped by \e (backslash), no spaces are skipped. +.IP "\fB\-multivalue\-rdn\fR" 4 +.IX Item "-multivalue-rdn" +this option causes the \-subj argument to be interpreted with full +support for multivalued RDNs. Example: +.Sp +\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR +.Sp +If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. .IP "\fB\-x509\fR" 4 .IX Item "-x509" this option outputs a self signed certificate instead of a certificate diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1 index e0ee2fe40151..717db817b87d 100644 --- a/secure/usr.bin/openssl/man/rsa.1 +++ b/secure/usr.bin/openssl/man/rsa.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "RSA 1" -.TH RSA 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH RSA 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" rsa \- RSA key processing tool .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1 index a46de4687547..5d1541b2771b 100644 --- a/secure/usr.bin/openssl/man/rsautl.1 +++ b/secure/usr.bin/openssl/man/rsautl.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "RSAUTL 1" -.TH RSAUTL 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH RSAUTL 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" rsautl \- RSA utility .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1 index 3c1afbcac409..04b042f81f1e 100644 --- a/secure/usr.bin/openssl/man/s_client.1 +++ b/secure/usr.bin/openssl/man/s_client.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "S_CLIENT 1" -.TH S_CLIENT 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH S_CLIENT 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" s_client \- SSL/TLS client program .SH "SYNOPSIS" @@ -138,7 +138,10 @@ s_client \- SSL/TLS client program [\fB\-connect host:port\fR] [\fB\-verify depth\fR] [\fB\-cert filename\fR] +[\fB\-certform DER|PEM\fR] [\fB\-key filename\fR] +[\fB\-keyform DER|PEM\fR] +[\fB\-pass arg\fR] [\fB\-CApath directory\fR] [\fB\-CAfile filename\fR] [\fB\-reconnect\fR] @@ -178,10 +181,20 @@ then an attempt is made to connect to the local host on port 4433. .IX Item "-cert certname" The certificate to use, if one is requested by the server. The default is not to use a certificate. +.IP "\fB\-certform format\fR" 4 +.IX Item "-certform format" +The certificate format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default. .IP "\fB\-key keyfile\fR" 4 .IX Item "-key keyfile" The private key to use. If not specified then the certificate file will be used. +.IP "\fB\-keyform format\fR" 4 +.IX Item "-keyform format" +The private format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default. +.IP "\fB\-pass arg\fR" 4 +.IX Item "-pass arg" +the private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-verify depth\fR" 4 .IX Item "-verify depth" The verify depth to use. This specifies the maximum length of the diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1 index 79d774fbe94b..0e17647b5f17 100644 --- a/secure/usr.bin/openssl/man/s_server.1 +++ b/secure/usr.bin/openssl/man/s_server.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "S_SERVER 1" -.TH S_SERVER 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH S_SERVER 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" s_server \- SSL/TLS server program .SH "SYNOPSIS" @@ -140,9 +140,15 @@ s_server \- SSL/TLS server program [\fB\-verify depth\fR] [\fB\-Verify depth\fR] [\fB\-cert filename\fR] +[\fB\-certform DER|PEM\fR] [\fB\-key keyfile\fR] +[\fB\-keyform DER|PEM\fR] +[\fB\-pass arg\fR] [\fB\-dcert filename\fR] +[\fB\-dcertform DER|PEM\fR] [\fB\-dkey keyfile\fR] +[\fB\-dkeyform DER|PEM\fR] +[\fB\-dpass arg\fR] [\fB\-dhparam filename\fR] [\fB\-nbio\fR] [\fB\-nbio_test\fR] @@ -190,10 +196,20 @@ The certificate to use, most servers cipher suites require the use of a certificate and some require a certificate with a certain public key type: for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0 (\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used. +.IP "\fB\-certform format\fR" 4 +.IX Item "-certform format" +The certificate format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default. .IP "\fB\-key keyfile\fR" 4 .IX Item "-key keyfile" The private key to use. If not specified then the certificate file will be used. +.IP "\fB\-keyform format\fR" 4 +.IX Item "-keyform format" +The private format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default. +.IP "\fB\-pass arg\fR" 4 +.IX Item "-pass arg" +the private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4 .IX Item "-dcert filename, -dkey keyname" specify an additional certificate and private key, these behave in the @@ -204,6 +220,9 @@ a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites by using an appropriate certificate. +.IP "\fB\-dcertform format\fR, \fB\-dkeyform format\fR, \fB\-dpass arg\fR" 4 +.IX Item "-dcertform format, -dkeyform format, -dpass arg" +addtional certificate and private key format and passphrase respectively. .IP "\fB\-nocert\fR" 4 .IX Item "-nocert" if this option is set then no certificate is used. This restricts the diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1 index 03b6e0e0d9a3..60ac6e28e4b4 100644 --- a/secure/usr.bin/openssl/man/s_time.1 +++ b/secure/usr.bin/openssl/man/s_time.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "S_TIME 1" -.TH S_TIME 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH S_TIME 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" s_time \- SSL/TLS performance timing program .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1 index 4ade266f6028..c71a12837454 100644 --- a/secure/usr.bin/openssl/man/sess_id.1 +++ b/secure/usr.bin/openssl/man/sess_id.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "SESS_ID 1" -.TH SESS_ID 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH SESS_ID 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" sess_id \- SSL/TLS session handling utility .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1 index 66f86bc547b3..c283c7316b11 100644 --- a/secure/usr.bin/openssl/man/smime.1 +++ b/secure/usr.bin/openssl/man/smime.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "SMIME 1" -.TH SMIME 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH SMIME 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" smime \- S/MIME utility .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1 index d659da2181c8..841ea5c28719 100644 --- a/secure/usr.bin/openssl/man/speed.1 +++ b/secure/usr.bin/openssl/man/speed.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "SPEED 1" -.TH SPEED 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH SPEED 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" speed \- test library performance .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1 index 64bb77db3723..60691e3a69da 100644 --- a/secure/usr.bin/openssl/man/spkac.1 +++ b/secure/usr.bin/openssl/man/spkac.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "SPKAC 1" -.TH SPKAC 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH SPKAC 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" spkac \- SPKAC printing and generating utility .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1 index 2c6eec4f877f..3fc0cfe763ec 100644 --- a/secure/usr.bin/openssl/man/verify.1 +++ b/secure/usr.bin/openssl/man/verify.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "VERIFY 1" -.TH VERIFY 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH VERIFY 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" verify \- Utility to verify certificates. .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1 index 9bb441dcc0ed..87b840e8bbe0 100644 --- a/secure/usr.bin/openssl/man/version.1 +++ b/secure/usr.bin/openssl/man/version.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "VERSION 1" -.TH VERSION 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH VERSION 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" version \- print OpenSSL version information .SH "SYNOPSIS" diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1 index a61b51314fe7..a798d1fdaf8b 100644 --- a/secure/usr.bin/openssl/man/x509.1 +++ b/secure/usr.bin/openssl/man/x509.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "X509 1" -.TH X509 1 "2005-02-25" "0.9.7d" "OpenSSL" +.TH X509 1 "2006-07-29" "0.9.8b" "OpenSSL" .SH "NAME" x509 \- Certificate display and signing utility .SH "SYNOPSIS" @@ -144,6 +144,8 @@ x509 \- Certificate display and signing utility [\fB\-out filename\fR] [\fB\-serial\fR] [\fB\-hash\fR] +[\fB\-subject_hash\fR] +[\fB\-issuer_hash\fR] [\fB\-subject\fR] [\fB\-issuer\fR] [\fB\-nameopt option\fR] @@ -215,8 +217,8 @@ default. .IX Item "-md2|-md5|-sha1|-mdc2" the digest to use. This affects any signing or display option that uses a message digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not -specified then \s-1MD5\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key then -this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys. +specified then \s-1SHA1\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key +then this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR @@ -248,11 +250,17 @@ contained in the certificate. .IP "\fB\-serial\fR" 4 .IX Item "-serial" outputs the certificate serial number. -.IP "\fB\-hash\fR" 4 -.IX Item "-hash" +.IP "\fB\-subject_hash\fR" 4 +.IX Item "-subject_hash" outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name. +.IP "\fB\-issuer_hash\fR" 4 +.IX Item "-issuer_hash" +outputs the \*(L"hash\*(R" of the certificate issuer name. +.IP "\fB\-hash\fR" 4 +.IX Item "-hash" +synonym for \*(L"\-hash\*(R" for backward compatibility reasons. .IP "\fB\-subject\fR" 4 .IX Item "-subject" outputs the subject name. @@ -838,3 +846,6 @@ OpenSSL 0.9.5 and later. .IX Header "SEE ALSO" \&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), \&\fIgendsa\fR\|(1), \fIverify\fR\|(1) +.SH "HISTORY" +.IX Header "HISTORY" +Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5\s0. diff --git a/secure/usr.bin/openssl/man/x509v3_config.1 b/secure/usr.bin/openssl/man/x509v3_config.1 new file mode 100644 index 000000000000..c97538c95163 --- /dev/null +++ b/secure/usr.bin/openssl/man/x509v3_config.1 @@ -0,0 +1,642 @@ +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509V3_CONFIG 1" +.TH X509V3_CONFIG 1 "2006-07-29" "0.9.8b" "OpenSSL" +.SH "NAME" +x509v3_config \- X509 V3 certificate extension configuration format +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Several of the OpenSSL utilities can add extensions to a certificate or +certificate request based on the contents of a configuration file. +.PP +Typically the application will contain an option to point to an extension +section. Each line of the extension section takes the form: +.PP +.Vb 1 +\& extension_name=[critical,] extension_options +.Ve +.PP +If \fBcritical\fR is present then the extension will be critical. +.PP +The format of \fBextension_options\fR depends on the value of \fBextension_name\fR. +.PP +There are four main types of extension: \fIstring\fR extensions, \fImulti-valued\fR +extensions, \fIraw\fR and \fIarbitrary\fR extensions. +.PP +String extensions simply have a string which contains either the value itself +or how it is obtained. +.PP +For example: +.PP +.Vb 1 +\& nsComment="This is a Comment" +.Ve +.PP +Multi-valued extensions have a short form and a long form. The short form +is a list of names and values: +.PP +.Vb 1 +\& basicConstraints=critical,CA:true,pathlen:1 +.Ve +.PP +The long form allows the values to be placed in a separate section: +.PP +.Vb 1 +\& basicConstraints=critical,@bs_section +.Ve +.PP +.Vb 1 +\& [bs_section] +.Ve +.PP +.Vb 2 +\& CA=true +\& pathlen=1 +.Ve +.PP +Both forms are equivalent. +.PP +The syntax of raw extensions is governed by the extension code: it can +for example contain data in multiple sections. The correct syntax to +use is defined by the extension code itself: check out the certificate +policies extension for an example. +.PP +If an extension type is unsupported then the \fIarbitrary\fR extension syntax +must be used, see the \s-1ARBITRART\s0 \s-1EXTENSIONS\s0 section for more details. +.SH "STANDARD EXTENSIONS" +.IX Header "STANDARD EXTENSIONS" +The following sections describe each supported extension in detail. +.Sh "Basic Constraints." +.IX Subsection "Basic Constraints." +This is a multi valued extension which indicates whether a certificate is +a \s-1CA\s0 certificate. The first (mandatory) name is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or +\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by an +non-negative value can be included. +.PP +For example: +.PP +.Vb 1 +\& basicConstraints=CA:TRUE +.Ve +.PP +.Vb 1 +\& basicConstraints=CA:FALSE +.Ve +.PP +.Vb 1 +\& basicConstraints=critical,CA:TRUE, pathlen:0 +.Ve +.PP +A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0 field +set to \s-1TRUE\s0. An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the +extension entirely. Some software may require the inclusion of basicConstraints +with \s-1CA\s0 set to \s-1FALSE\s0 for end entity certificates. +.PP +The pathlen parameter indicates the maximum number of CAs that can appear +below this one in a chain. So if you have a \s-1CA\s0 with a pathlen of zero it can +only be used to sign end user certificates and not further CAs. +.Sh "Key Usage." +.IX Subsection "Key Usage." +Key usage is a multi valued extension consisting of a list of names of the +permitted key usages. +.PP +The supporte names are: digitalSignature, nonRepudiation, keyEncipherment, +dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly +and decipherOnly. +.PP +Examples: +.PP +.Vb 1 +\& keyUsage=digitalSignature, nonRepudiation +.Ve +.PP +.Vb 1 +\& keyUsage=critical, keyCertSign +.Ve +.Sh "Extended Key Usage." +.IX Subsection "Extended Key Usage." +This extensions consists of a list of usages indicating purposes for which +the certificate public key can be used for, +.PP +These can either be object short names of the dotted numerical form of OIDs. +While any \s-1OID\s0 can be used only certain values make sense. In particular the +following \s-1PKIX\s0, \s-1NS\s0 and \s-1MS\s0 values are meaningful: +.PP +.Vb 13 +\& Value Meaning +\& ----- ------- +\& serverAuth SSL/TLS Web Server Authentication. +\& clientAuth SSL/TLS Web Client Authentication. +\& codeSigning Code signing. +\& emailProtection E-mail Protection (S/MIME). +\& timeStamping Trusted Timestamping +\& msCodeInd Microsoft Individual Code Signing (authenticode) +\& msCodeCom Microsoft Commercial Code Signing (authenticode) +\& msCTLSign Microsoft Trust List Signing +\& msSGC Microsoft Server Gated Crypto +\& msEFS Microsoft Encrypted File System +\& nsSGC Netscape Server Gated Crypto +.Ve +.PP +Examples: +.PP +.Vb 2 +\& extendedKeyUsage=critical,codeSigning,1.2.3.4 +\& extendedKeyUsage=nsSGC,msSGC +.Ve +.Sh "Subject Key Identifier." +.IX Subsection "Subject Key Identifier." +This is really a string extension and can take two possible values. Either +the word \fBhash\fR which will automatically follow the guidelines in \s-1RFC3280\s0 +or a hex string giving the extension value to include. The use of the hex +string is strongly discouraged. +.PP +Example: +.PP +.Vb 1 +\& subjectKeyIdentifier=hash +.Ve +.Sh "Authority Key Identifier." +.IX Subsection "Authority Key Identifier." +The authority key identifier extension permits two options. keyid and issuer: +both can take the optional value \*(L"always\*(R". +.PP +If the keyid option is present an attempt is made to copy the subject key +identifier from the parent certificate. If the value \*(L"always\*(R" is present +then an error is returned if the option fails. +.PP +The issuer option copies the issuer and serial number from the issuer +certificate. This will only be done if the keyid option fails or +is not included unless the \*(L"always\*(R" flag will always include the value. +.PP +Example: +.PP +.Vb 1 +\& authorityKeyIdentifier=keyid,issuer +.Ve +.Sh "Subject Alternative Name." +.IX Subsection "Subject Alternative Name." +The subject alternative name extension allows various literal values to be +included in the configuration file. These include \fBemail\fR (an email address) +\&\fB\s-1URI\s0\fR a uniform resource indicator, \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a +registered \s-1ID:\s0 \s-1OBJECT\s0 \s-1IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR +(a distinguished name) and otherName. +.PP +The email option include a special 'copy' value. This will automatically +include and email addresses contained in the certificate subject name in +the extension. +.PP +The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR options can be in either IPv4 or IPv6 format. +.PP +The value of \fBdirName\fR should point to a section containing the distinguished +name to use as a set of name value pairs. Multi values AVAs can be formed by +preceeding the name with a \fB+\fR character. +.PP +otherName can include arbitrary data associated with an \s-1OID:\s0 the value +should be the \s-1OID\s0 followed by a semicolon and the content in standard +\&\fIASN1_generate_nconf()\fR format. +.PP +Examples: +.PP +.Vb 5 +\& subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/ +\& subjectAltName=IP:192.168.7.1 +\& subjectAltName=IP:13::17 +\& subjectAltName=email:my@other.address,RID:1.2.3.4 +\& subjectAltName=otherName:1.2.3.4;UTF8:some other identifier +.Ve +.PP +.Vb 1 +\& subjectAltName=dirName:dir_sect +.Ve +.PP +.Vb 5 +\& [dir_sect] +\& C=UK +\& O=My Organization +\& OU=My Unit +\& CN=My Name +.Ve +.Sh "Issuer Alternative Name." +.IX Subsection "Issuer Alternative Name." +The issuer alternative name option supports all the literal options of +subject alternative name. It does \fBnot\fR support the email:copy option because +that would not make sense. It does support an additional issuer:copy option +that will copy all the subject alternative name values from the issuer +certificate (if possible). +.PP +Example: +.PP +.Vb 1 +\& issuserAltName = issuer:copy +.Ve +.Sh "Authority Info Access." +.IX Subsection "Authority Info Access." +The authority information access extension gives details about how to access +certain information relating to the \s-1CA\s0. Its syntax is accessOID;location +where \fIlocation\fR has the same syntax as subject alternative name (except +that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only +certain values are meaningful, for example \s-1OCSP\s0 and caIssuers. +.PP +Example: +.PP +.Vb 2 +\& authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ +\& authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html +.Ve +.Sh "\s-1CRL\s0 distribution points." +.IX Subsection "CRL distribution points." +This is a multi-valued extension that supports all the literal options of +subject alternative name. Of the few software packages that currently interpret +this extension most only interpret the \s-1URI\s0 option. +.PP +Currently each option will set a new DistributionPoint with the fullName +field set to the given value. +.PP +Other fields like cRLissuer and reasons cannot currently be set or displayed: +at this time no examples were available that used these fields. +.PP +Examples: +.PP +.Vb 2 +\& crlDistributionPoints=URI:http://myhost.com/myca.crl +\& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl +.Ve +.Sh "Certificate Policies." +.IX Subsection "Certificate Policies." +This is a \fIraw\fR extension. All the fields of this extension can be set by +using the appropriate syntax. +.PP +If you follow the \s-1PKIX\s0 recommendations and just using one \s-1OID\s0 then you just +include the value of that \s-1OID\s0. Multiple OIDs can be set separated by commas, +for example: +.PP +.Vb 1 +\& certificatePolicies= 1.2.4.5, 1.1.3.4 +.Ve +.PP +If you wish to include qualifiers then the policy \s-1OID\s0 and qualifiers need to +be specified in a separate section: this is done by using the \f(CW@section\fR syntax +instead of a literal \s-1OID\s0 value. +.PP +The section referred to must include the policy \s-1OID\s0 using the name +policyIdentifier, cPSuri qualifiers can be included using the syntax: +.PP +.Vb 1 +\& CPS.nnn=value +.Ve +.PP +userNotice qualifiers can be set using the syntax: +.PP +.Vb 1 +\& userNotice.nnn=@notice +.Ve +.PP +The value of the userNotice qualifier is specified in the relevant section. +This section can include explicitText, organization and noticeNumbers +options. explicitText and organization are text strings, noticeNumbers is a +comma separated list of numbers. The organization and noticeNumbers options +(if included) must \s-1BOTH\s0 be present. If you use the userNotice option with \s-1IE5\s0 +then you need the 'ia5org' option at the top level to modify the encoding: +otherwise it will not be interpreted properly. +.PP +Example: +.PP +.Vb 1 +\& certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect +.Ve +.PP +.Vb 1 +\& [polsect] +.Ve +.PP +.Vb 4 +\& policyIdentifier = 1.3.5.8 +\& CPS.1="http://my.host.name/" +\& CPS.2="http://my.your.name/" +\& userNotice.1=@notice +.Ve +.PP +.Vb 1 +\& [notice] +.Ve +.PP +.Vb 3 +\& explicitText="Explicit Text Here" +\& organization="Organisation Name" +\& noticeNumbers=1,2,3,4 +.Ve +.PP +The \fBia5org\fR option changes the type of the \fIorganization\fR field. In \s-1RFC2459\s0 +it can only be of type DisplayText. In \s-1RFC3280\s0 IA5Strring is also permissible. +Some software (for example some versions of \s-1MSIE\s0) may require ia5org. +.Sh "Policy Constraints" +.IX Subsection "Policy Constraints" +This is a multi-valued extension which consisting of the names +\&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative intger +value. At least one component must be present. +.PP +Example: +.PP +.Vb 1 +\& policyConstraints = requireExplicitPolicy:3 +.Ve +.Sh "Inhibit Any Policy" +.IX Subsection "Inhibit Any Policy" +This is a string extension whose value must be a non negative integer. +.PP +Example: +.PP +.Vb 1 +\& inhibitAnyPolicy = 2 +.Ve +.Sh "Name Constraints" +.IX Subsection "Name Constraints" +The name constraints extension is a multi-valued extension. The name should +begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of +the name and the value follows the syntax of subjectAltName except email:copy +is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 addresses and +subnet mask separated by a \fB/\fR. +.PP +Examples: +.PP +.Vb 1 +\& nameConstraints=permitted;IP:192.168.0.0/255.255.0.0 +.Ve +.PP +.Vb 1 +\& nameConstraints=permitted;email:.somedomain.com +.Ve +.PP +.Vb 1 +\& nameConstraints=excluded;email:.com +.Ve +.SH "DEPRECATED EXTENSIONS" +.IX Header "DEPRECATED EXTENSIONS" +The following extensions are non standard, Netscape specific and largely +obsolete. Their use in new applications is discouraged. +.Sh "Netscape String extensions." +.IX Subsection "Netscape String extensions." +Netscape Comment (\fBnsComment\fR) is a string extension containing a comment +which will be displayed when the certificate is viewed in some browsers. +.PP +Example: +.PP +.Vb 1 +\& nsComment = "Some Random Comment" +.Ve +.PP +Other supported extensions in this category are: \fBnsBaseUrl\fR, +\&\fBnsRevocationUrl\fR, \fBnsCaRevocationUrl\fR, \fBnsRenewalUrl\fR, \fBnsCaPolicyUrl\fR +and \fBnsSslServerName\fR. +.Sh "Netscape Certificate Type" +.IX Subsection "Netscape Certificate Type" +This is a multi-valued extensions which consists of a list of flags to be +included. It was used to indicate the purposes for which a certificate could +be used. The basicConstraints, keyUsage and extended key usage extensions are +now used instead. +.PP +Acceptable values for nsCertType are: \fBclient\fR, \fBserver\fR, \fBemail\fR, +\&\fBobjsign\fR, \fBreserved\fR, \fBsslCA\fR, \fBemailCA\fR, \fBobjCA\fR. +.SH "ARBITRARY EXTENSIONS" +.IX Header "ARBITRARY EXTENSIONS" +If an extension is not supported by the OpenSSL code then it must be encoded +using the arbitrary extension format. It is also possible to use the arbitrary +format for supported extensions. Extreme care should be taken to ensure that +the data is formatted correctly for the given extension type. +.PP +There are two ways to encode arbitrary extensions. +.PP +The first way is to use the word \s-1ASN1\s0 followed by the extension content +using the same syntax as \fIASN1_generate_nconf()\fR. For example: +.PP +.Vb 1 +\& 1.2.3.4=critical,ASN1:UTF8String:Some random data +.Ve +.PP +.Vb 1 +\& 1.2.3.4=ASN1:SEQUENCE:seq_sect +.Ve +.PP +.Vb 1 +\& [seq_sect] +.Ve +.PP +.Vb 2 +\& field1 = UTF8:field1 +\& field2 = UTF8:field2 +.Ve +.PP +It is also possible to use the word \s-1DER\s0 to include the raw encoded data in any +extension. +.PP +.Vb 2 +\& 1.2.3.4=critical,DER:01:02:03:04 +\& 1.2.3.4=DER:01020304 +.Ve +.PP +The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension +Any extension can be placed in this form to override the default behaviour. +For example: +.PP +.Vb 1 +\& basicConstraints=critical,DER:00:01:02:03 +.Ve +.SH "WARNING" +.IX Header "WARNING" +There is no guarantee that a specific implementation will process a given +extension. It may therefore be sometimes possible to use certificates for +purposes prohibited by their extensions because a specific application does +not recognize or honour the values of the relevant extensions. +.PP +The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to create +totally invalid extensions if they are not used carefully. +.SH "NOTES" +.IX Header "NOTES" +If an extension is multi-value and a field value must contain a comma the long +form must be used otherwise the comma would be misinterpreted as a field +separator. For example: +.PP +.Vb 1 +\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar +.Ve +.PP +will produce an error but the equivalent form: +.PP +.Vb 1 +\& subjectAltName=@subject_alt_section +.Ve +.PP +.Vb 2 +\& [subject_alt_section] +\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar +.Ve +.PP +is valid. +.PP +Due to the behaviour of the OpenSSL \fBconf\fR library the same field name +can only occur once in a section. This means that: +.PP +.Vb 1 +\& subjectAltName=@alt_section +.Ve +.PP +.Vb 1 +\& [alt_section] +.Ve +.PP +.Vb 2 +\& email=steve@here +\& email=steve@there +.Ve +.PP +will only recognize the last value. This can be worked around by using the form: +.PP +.Vb 1 +\& [alt_section] +.Ve +.PP +.Vb 2 +\& email.1=steve@here +\& email.2=steve@there +.Ve +.SH "HISTORY" +.IX Header "HISTORY" +The X509v3 extension code was first added to OpenSSL 0.9.2. +.PP +Policy mappings, inhibit any policy and name constraints support was added in +OpenSSL 0.9.8 +.PP +The \fBdirectoryName\fR and \fBotherName\fR option as well as the \fB\s-1ASN1\s0\fR option +for arbitrary extensions was added in OpenSSL 0.9.8 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1) |