Diffstat (limited to 'crypto/openssl/doc')
-rw-r--r-- | crypto/openssl/doc/HOWTO/certificates.txt | 55
-rw-r--r-- | crypto/openssl/doc/apps/ca.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/dhparam.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/dsa.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/dsaparam.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/gendsa.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/genrsa.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/pkcs7.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/pkcs8.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/req.pod | 10
-rw-r--r-- | crypto/openssl/doc/apps/rsa.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/spkac.pod | 8
-rw-r--r-- | crypto/openssl/doc/apps/x509.pod | 11
-rw-r--r-- | crypto/openssl/doc/crypto/BN_generate_prime.pod | 2
-rw-r--r-- | crypto/openssl/doc/crypto/EVP_SealInit.pod | 26
-rw-r--r-- | crypto/openssl/doc/standards.txt | 9
16 files changed, 158 insertions, 35 deletions
diff --git a/crypto/openssl/doc/HOWTO/certificates.txt b/crypto/openssl/doc/HOWTO/certificates.txt index 8804864..82166e0 100644 --- a/crypto/openssl/doc/HOWTO/certificates.txt +++ b/crypto/openssl/doc/HOWTO/certificates.txt @@ -1,6 +1,8 @@ <DRAFT!> HOWTO certificates +1. Introduction + How you handle certificates depend a great deal on what your role is. Your role can be one or several of: @@ -13,12 +15,14 @@ Certificate authorities should read ca.txt. In all the cases shown below, the standard configuration file, as compiled into openssl, will be used. You may find it in /etc/, -/usr/local/ssr/ or somewhere else. The name is openssl.cnf, and +/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and is better described in another HOWTO <config.txt?>. If you want to use a different configuration file, use the argument '-config {file}' with the command shown below. +2. Relationship with keys + Certificates are related to public key cryptography by containing a public key. To be useful, there must be a corresponding private key somewhere. With OpenSSL, public keys are easily derived from private 
@@ -26,22 +30,25 @@ keys, so before you create a certificate or a certificate request, you need to create a private key. Private keys are generated with 'openssl genrsa' if you want a RSA -private key, or 'openssl gendsa' if you want a DSA private key. More -info on how to handle these commands are found in the manual pages for -those commands or by running them with the argument '-h'. For the -sake of the description in this file, let's assume that the private -key ended up in the file privkey.pem (which is the default in some -cases). - - -Let's start with the most normal way of getting a certificate. Most -often, you want or need to get a certificate from a certificate -authority. To handle that, the certificate authority needs a -certificate request (or, as some certificate authorities like to put +private key, or 'openssl gendsa' if you want a DSA private key. +Further information on how to create private keys can be found in +another HOWTO <keys.txt?>. The rest of this text assumes you have +a private key in the file privkey.pem. + + +3. Creating a certificate request + +To create a certificate, you need to start with a certificate +request (or, as some certificate authorities like to put it, "certificate signing request", since that's exactly what they do, they sign it and give you the result back, thus making it authentic -according to their policies) from you. To generate a request, use the -command 'openssl req' like this: +according to their policies). A certificate request can then be sent +to a certificate authority to get it signed into a certificate, or if +you have your own certificate authority, you may sign it yourself, or +if you need a self-signed certificate (because you just want a test +certificate or because you are setting up your own CA). + +The certificate is created like this: openssl req -new -key privkey.pem -out cert.csr 
@@ -55,9 +62,25 @@ When the certificate authority has then done the checks the need to do (and probably gotten payment from you), they will hand over your new certificate to you. +Section 5 will tell you more on how to handle the certificate you +received. + + +4. Creating a self-signed certificate + +If you don't want to deal with another certificate authority, or just +want to create a test certificate for yourself, or are setting up a +certificate authority of your own, you may want to make the requested +certificate a self-signed one. If you have created a certificate +request as shown above, you can sign it using the 'openssl x509' +command, for example like this (to create a self-signed CA +certificate): + + openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca \ + -signkey privkey.pem -out cacert.pem -trustout -[fill in on how to create a self-signed certificate] +5. What to do with the certificate If you created everything yourself, or if the certificate authority was kind enough, your certificate is a raw DER thing in PEM format. diff --git a/crypto/openssl/doc/apps/ca.pod b/crypto/openssl/doc/apps/ca.pod index 183cd47..de66c53 100644 --- a/crypto/openssl/doc/apps/ca.pod +++ b/crypto/openssl/doc/apps/ca.pod @@ -43,6 +43,7 @@ B<openssl> B<ca> [B<-msie_hack>] [B<-extensions section>] [B<-extfile section>] +[B<-engine id>] =head1 DESCRIPTION @@ -195,6 +196,13 @@ an additional configuration file to read certificate extensions from (using the default section unless the B<-extensions> option is also used). +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 CRL OPTIONS diff --git a/crypto/openssl/doc/apps/dhparam.pod b/crypto/openssl/doc/apps/dhparam.pod index ff8a6e5..c31db95 100644 
--- a/crypto/openssl/doc/apps/dhparam.pod +++ b/crypto/openssl/doc/apps/dhparam.pod @@ -18,6 +18,7 @@ B<openssl dhparam> [B<-2>] [B<-5>] [B<-rand> I<file(s)>] +[B<-engine id>] [I<numbits>] =head1 DESCRIPTION @@ -96,6 +97,13 @@ this option prints out the DH parameters in human readable form. this option converts the parameters into C code. The parameters can then be loaded by calling the B<get_dh>I<numbits>B<()> function. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 WARNINGS diff --git a/crypto/openssl/doc/apps/dsa.pod b/crypto/openssl/doc/apps/dsa.pod index 28e534b..ed06b88 100644 --- a/crypto/openssl/doc/apps/dsa.pod +++ b/crypto/openssl/doc/apps/dsa.pod @@ -21,6 +21,7 @@ B<openssl> B<dsa> [B<-modulus>] [B<-pubin>] [B<-pubout>] +[B<-engine id>] =head1 DESCRIPTION @@ -106,6 +107,13 @@ by default a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES diff --git a/crypto/openssl/doc/apps/dsaparam.pod b/crypto/openssl/doc/apps/dsaparam.pod index 50c2f61..b9b1b93 100644 --- a/crypto/openssl/doc/apps/dsaparam.pod +++ b/crypto/openssl/doc/apps/dsaparam.pod @@ -16,6 +16,7 @@ B<openssl dsaparam> [B<-C>] [B<-rand file(s)>] [B<-genkey>] +[B<-engine id>] [B<numbits>] =head1 DESCRIPTION 
@@ -82,6 +83,13 @@ this option specifies that a parameter set should be generated of size B<numbits>. It must be the last option. If this option is included then the input file (if any) is ignored. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES diff --git a/crypto/openssl/doc/apps/gendsa.pod b/crypto/openssl/doc/apps/gendsa.pod index 74318fe..2c56cc7 100644 --- a/crypto/openssl/doc/apps/gendsa.pod +++ b/crypto/openssl/doc/apps/gendsa.pod @@ -12,6 +12,7 @@ B<openssl> B<gendsa> [B<-des3>] [B<-idea>] [B<-rand file(s)>] +[B<-engine id>] [B<paramfile>] =head1 DESCRIPTION @@ -37,6 +38,13 @@ Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =item B<paramfile> This option specifies the DSA parameter file to use. The parameters in this diff --git a/crypto/openssl/doc/apps/genrsa.pod b/crypto/openssl/doc/apps/genrsa.pod index cdcc03c..25af4d1 100644 --- a/crypto/openssl/doc/apps/genrsa.pod +++ b/crypto/openssl/doc/apps/genrsa.pod @@ -15,6 +15,7 @@ B<openssl> B<genrsa> [B<-f4>] [B<-3>] [B<-rand file(s)>] +[B<-engine id>] [B<numbits>] =head1 DESCRIPTION 
@@ -54,6 +55,13 @@ Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =item B<numbits> the size of the private key to generate in bits. This must be the last option diff --git a/crypto/openssl/doc/apps/pkcs7.pod b/crypto/openssl/doc/apps/pkcs7.pod index 9871c0e..a0a6363 100644 --- a/crypto/openssl/doc/apps/pkcs7.pod +++ b/crypto/openssl/doc/apps/pkcs7.pod @@ -14,6 +14,7 @@ B<openssl> B<pkcs7> [B<-print_certs>] [B<-text>] [B<-noout>] +[B<-engine id>] =head1 DESCRIPTION @@ -59,6 +60,13 @@ issuer names. don't output the encoded version of the PKCS#7 structure (or certificates is B<-print_certs> is set). +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 EXAMPLES diff --git a/crypto/openssl/doc/apps/pkcs8.pod b/crypto/openssl/doc/apps/pkcs8.pod index a56b2dd..68ecd65 100644 --- a/crypto/openssl/doc/apps/pkcs8.pod +++ b/crypto/openssl/doc/apps/pkcs8.pod @@ -21,6 +21,7 @@ B<openssl> B<pkcs8> [B<-nsdb>] [B<-v2 alg>] [B<-v1 alg>] +[B<-engine id>] =head1 DESCRIPTION 
@@ -122,6 +123,13 @@ B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used. This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete list of possible algorithms is included below. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES diff --git a/crypto/openssl/doc/apps/req.pod b/crypto/openssl/doc/apps/req.pod index 7a3b6bb..e2b5d0d 100644 --- a/crypto/openssl/doc/apps/req.pod +++ b/crypto/openssl/doc/apps/req.pod @@ -41,6 +41,7 @@ B<openssl> B<req> [B<-nameopt>] [B<-batch>] [B<-verbose>] +[B<-engine id>] =head1 DESCRIPTION @@ -244,6 +245,13 @@ non-interactive mode. print extra details about the operations being performed. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 CONFIGURATION FILE FORMAT @@ -406,7 +414,7 @@ be input by calling it "1.organizationName". The actual permitted field names are any object identifier short or long names. These are compiled into OpenSSL and include the usual values such as commonName, countryName, localityName, organizationName, -organizationUnitName, stateOrPrivinceName. Additionally emailAddress +organizationUnitName, stateOrProvinceName. Additionally emailAddress is include as well as name, surname, givenName initials and dnQualifier. Additional object identifiers can be defined with the B<oid_file> or diff --git a/crypto/openssl/doc/apps/rsa.pod b/crypto/openssl/doc/apps/rsa.pod index ef74f1a..4d76409 100644 --- a/crypto/openssl/doc/apps/rsa.pod +++ b/crypto/openssl/doc/apps/rsa.pod 
@@ -24,6 +24,7 @@ B<openssl> B<rsa> [B<-check>] [B<-pubin>] [B<-pubout>] +[B<-engine id>] =head1 DESCRIPTION @@ -117,6 +118,13 @@ by default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES diff --git a/crypto/openssl/doc/apps/spkac.pod b/crypto/openssl/doc/apps/spkac.pod index bb84dfb..c3f1ff9 100644 --- a/crypto/openssl/doc/apps/spkac.pod +++ b/crypto/openssl/doc/apps/spkac.pod @@ -17,7 +17,7 @@ B<openssl> B<spkac> [B<-spksect section>] [B<-noout>] [B<-verify>] - +[B<-engine id>] =head1 DESCRIPTION @@ -79,6 +79,12 @@ being created). verifies the digital signature on the supplied SPKAC. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. =back diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod index 674bfd1..50343cd 100644 --- a/crypto/openssl/doc/apps/x509.pod +++ b/crypto/openssl/doc/apps/x509.pod @@ -50,6 +50,7 @@ B<openssl> B<x509> [B<-clrext>] [B<-extfile filename>] [B<-extensions section>] +[B<-engine id>] =head1 DESCRIPTION 
@@ -98,6 +99,12 @@ digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not specified then MD5 is used. If the key being used to sign with is a DSA key then this option has no effect: SHA1 is always used with DSA keys. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. =back @@ -637,8 +644,8 @@ certificate extensions: Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA" - openssl x509 -in cert.pem -addtrust sslclient \ - -alias "Steve's Class 1 CA" -out trust.pem + openssl x509 -in cert.pem -addtrust clientAuth \ + -setalias "Steve's Class 1 CA" -out trust.pem =head1 NOTES diff --git a/crypto/openssl/doc/crypto/BN_generate_prime.pod b/crypto/openssl/doc/crypto/BN_generate_prime.pod index 6ea2379..7dccacb 100644 --- a/crypto/openssl/doc/crypto/BN_generate_prime.pod +++ b/crypto/openssl/doc/crypto/BN_generate_prime.pod @@ -70,7 +70,7 @@ If B<do_trial_division == 0>, this test is skipped. Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin probabilistic primality test with B<checks> iterations. If -B<checks == BN_prime_check>, a number of iterations is used that +B<checks == BN_prime_checks>, a number of iterations is used that yields a false positive rate of at most 2^-80 for random input. If B<callback> is not B<NULL>, B<callback(1, j, cb_arg)> is called diff --git a/crypto/openssl/doc/crypto/EVP_SealInit.pod b/crypto/openssl/doc/crypto/EVP_SealInit.pod index 25ef07f..b5e477e 100644 --- a/crypto/openssl/doc/crypto/EVP_SealInit.pod +++ b/crypto/openssl/doc/crypto/EVP_SealInit.pod 
@@ -18,22 +18,28 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption =head1 DESCRIPTION The EVP envelope routines are a high level interface to envelope -encryption. They generate a random key and then "envelope" it by -using public key encryption. Data can then be encrypted using this -key. +encryption. They generate a random key and IV (if required) then +"envelope" it by using public key encryption. Data can then be +encrypted using this key. EVP_SealInit() initializes a cipher context B<ctx> for encryption -with cipher B<type> using a random secret key and IV supplied in -the B<iv> parameter. B<type> is normally supplied by a function such -as EVP_des_cbc(). The secret key is encrypted using one or more public -keys, this allows the same encrypted data to be decrypted using any -of the corresponding private keys. B<ek> is an array of buffers where -the public key encrypted secret key will be written, each buffer must -contain enough room for the corresponding encrypted key: that is +with cipher B<type> using a random secret key and IV. B<type> is normally +supplied by a function such as EVP_des_cbc(). The secret key is encrypted +using one or more public keys, this allows the same encrypted data to be +decrypted using any of the corresponding private keys. B<ek> is an array of +buffers where the public key encrypted secret key will be written, each buffer +must contain enough room for the corresponding encrypted key: that is B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual size of each encrypted secret key is written to the array B<ekl>. B<pubk> is an array of B<npubk> public keys. +The B<iv> parameter is a buffer where the generated IV is written to. It must +contain enough room for the corresponding cipher's IV, as determined by (for +example) EVP_CIPHER_iv_length(type). + +If the cipher does not require an IV then the B<iv> parameter is ignored +and can be B<NULL>. 
+ EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual diff --git a/crypto/openssl/doc/standards.txt b/crypto/openssl/doc/standards.txt index 44d263b..edbe2f3 100644 --- a/crypto/openssl/doc/standards.txt +++ b/crypto/openssl/doc/standards.txt @@ -45,10 +45,6 @@ whole or at least great parts) in OpenSSL. 2315 PKCS 7: Cryptographic Message Syntax Version 1.5. B. Kaliski. March 1998. (Format: TXT=69679 bytes) (Status: INFORMATIONAL) -2437 PKCS #1: RSA Cryptography Specifications Version 2.0. B. Kaliski, - J. Staddon. October 1998. (Format: TXT=73529 bytes) (Obsoletes - RFC2313) (Status: INFORMATIONAL) - PKCS#8: Private-Key Information Syntax Standard PKCS#12: Personal Information Exchange Syntax Standard, version 1.0. @@ -87,6 +83,11 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0. Ford, D. Solo. April 2002. (Format: TXT=295556 bytes) (Obsoletes RFC2459) (Status: PROPOSED STANDARD) +3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography + Specifications Version 2.1. J. Jonsson, B. Kaliski. February 2003. + (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status: + INFORMATIONAL) + Related: -------- |
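
Review bot: in crypto/openssl/doc/HOWTO/certificates.txt, new section 3, the lead-in "The certificate is created like this:" sits directly above 'openssl req -new -key privkey.pem -out cert.csr', which writes a certificate request (cert.csr), not a certificate; suggest "The certificate request is created like this:". The sentence added just before it also trails off: "or if you need a self-signed certificate (because you just want a test certificate or because you are setting up your own CA)" has no main clause, so either finish it, for instance by pointing at section 4, or fold it into the preceding alternatives.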
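
Review bot: in the new section 4 of certificates.txt, the example passes '-extfile openssl.cnf' as a bare relative file name, while section 1 of the same file says the configuration file is found in /etc/, /usr/local/ssl/ or somewhere else, so the command as written only works from the directory that holds openssl.cnf; show a path placeholder or say so in the text. The section is introduced as also covering a test certificate, yet the only example uses '-extensions v3_ca' and '-trustout'. A sentence on what those two options change, or a second example without them, would keep a reader from producing a trusted CA certificate when a plain test certificate was wanted.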
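
Review bot: the B<-engine id> item added to ca.pod, dhparam.pod, dsa.pod, dsaparam.pod, gendsa.pod, genrsa.pod, pkcs7.pod, pkcs8.pod, rsa.pod, spkac.pod and x509.pod is the req.pod text unchanged and says the option "will cause B<req> to attempt to obtain a functional reference"; each page should name its own command (B<ca>, B<dhparam> and so on). In every copy, req.pod included, "by it's unique B<id> string" should read "its". The spkac.pod and x509.pod hunks (@@ -79,6 +79,12 @@ and @@ -98,6 +99,12 @@) add six lines where the other pages add seven, so check that the =item paragraph there is still separated by blank lines from the text before it and from =back, as POD requires.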
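
Review bot: in x509.pod, hunk @@ -637,8 +644,8 @@, the description above the corrected example still reads "and change set its alias", which is garbled; since the example is being fixed to use -addtrust clientAuth and -setalias, fix the sentence in the same change, for example "and set its alias to".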
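
Review bot: in EVP_SealInit.pod, the rewritten opening paragraph reads 'They generate a random key and IV (if required) then "envelope" it by using public key encryption', where "it" can now be read as covering the IV as well. The following paragraph says only the secret key is encrypted with the public keys, so write "envelope the key". Now that B<iv> is documented as an output buffer, it would also help to state that the caller has to keep the generated IV and pass it on with the B<ek> buffers, because the text does not say what the IV is needed for afterwards.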