From ecacd12edb99d739f012912174233320c5f8262f Mon Sep 17 00:00:00 2001 From: markm Date: Tue, 28 Jan 2003 22:58:14 +0000 Subject: Update for OpenSSL 0.9.7. No assembler code at the moment. This will follow. --- secure/usr.bin/openssl/Makefile | 46 +- secure/usr.bin/openssl/man/CA.pl.1 | 302 ++++++++++++ secure/usr.bin/openssl/man/asn1parse.1 | 251 ++++++++++ secure/usr.bin/openssl/man/ca.1 | 694 +++++++++++++++++++++++++++ secure/usr.bin/openssl/man/ciphers.1 | 497 ++++++++++++++++++++ secure/usr.bin/openssl/man/config.1 | 282 +++++++++++ secure/usr.bin/openssl/man/crl.1 | 237 ++++++++++ secure/usr.bin/openssl/man/crl2pkcs7.1 | 216 +++++++++ secure/usr.bin/openssl/man/dgst.1 | 223 +++++++++ secure/usr.bin/openssl/man/dhparam.1 | 249 ++++++++++ secure/usr.bin/openssl/man/dsa.1 | 275 +++++++++++ secure/usr.bin/openssl/man/dsaparam.1 | 222 +++++++++ secure/usr.bin/openssl/man/enc.1 | 399 ++++++++++++++++ secure/usr.bin/openssl/man/gendsa.1 | 184 ++++++++ secure/usr.bin/openssl/man/genrsa.1 | 209 +++++++++ secure/usr.bin/openssl/man/nseq.1 | 199 ++++++++ secure/usr.bin/openssl/man/ocsp.1 | 451 ++++++++++++++++++ secure/usr.bin/openssl/man/openssl.1 | 407 ++++++++++++++++ secure/usr.bin/openssl/man/passwd.1 | 203 ++++++++ secure/usr.bin/openssl/man/pkcs12.1 | 429 +++++++++++++++++ secure/usr.bin/openssl/man/pkcs7.1 | 223 +++++++++ secure/usr.bin/openssl/man/pkcs8.1 | 348 ++++++++++++++ secure/usr.bin/openssl/man/rand.1 | 177 +++++++ secure/usr.bin/openssl/man/req.1 | 693 +++++++++++++++++++++++++++ secure/usr.bin/openssl/man/rsa.1 | 301 ++++++++++++ secure/usr.bin/openssl/man/rsautl.1 | 312 +++++++++++++ secure/usr.bin/openssl/man/s_client.1 | 347 ++++++++++++++ secure/usr.bin/openssl/man/s_server.1 | 385 +++++++++++++++ secure/usr.bin/openssl/man/sess_id.1 | 258 ++++++++++ secure/usr.bin/openssl/man/smime.1 | 473 +++++++++++++++++++ secure/usr.bin/openssl/man/speed.1 | 188 ++++++++ secure/usr.bin/openssl/man/spkac.1 | 248 ++++++++++ secure/usr.bin/openssl/man/verify.1 | 408 ++++++++++++++++ secure/usr.bin/openssl/man/version.1 | 186 ++++++++ secure/usr.bin/openssl/man/x509.1 | 829 +++++++++++++++++++++++++++++++++ 35 files changed, 11334 insertions(+), 17 deletions(-) create mode 100644 secure/usr.bin/openssl/man/CA.pl.1 create mode 100644 secure/usr.bin/openssl/man/asn1parse.1 create mode 100644 secure/usr.bin/openssl/man/ca.1 create mode 100644 secure/usr.bin/openssl/man/ciphers.1 create mode 100644 secure/usr.bin/openssl/man/config.1 create mode 100644 secure/usr.bin/openssl/man/crl.1 create mode 100644 secure/usr.bin/openssl/man/crl2pkcs7.1 create mode 100644 secure/usr.bin/openssl/man/dgst.1 create mode 100644 secure/usr.bin/openssl/man/dhparam.1 create mode 100644 secure/usr.bin/openssl/man/dsa.1 create mode 100644 secure/usr.bin/openssl/man/dsaparam.1 create mode 100644 secure/usr.bin/openssl/man/enc.1 create mode 100644 secure/usr.bin/openssl/man/gendsa.1 create mode 100644 secure/usr.bin/openssl/man/genrsa.1 create mode 100644 secure/usr.bin/openssl/man/nseq.1 create mode 100644 secure/usr.bin/openssl/man/ocsp.1 create mode 100644 secure/usr.bin/openssl/man/openssl.1 create mode 100644 secure/usr.bin/openssl/man/passwd.1 create mode 100644 secure/usr.bin/openssl/man/pkcs12.1 create mode 100644 secure/usr.bin/openssl/man/pkcs7.1 create mode 100644 secure/usr.bin/openssl/man/pkcs8.1 create mode 100644 secure/usr.bin/openssl/man/rand.1 create mode 100644 secure/usr.bin/openssl/man/req.1 create mode 100644 secure/usr.bin/openssl/man/rsa.1 create mode 100644 secure/usr.bin/openssl/man/rsautl.1 create mode 100644 secure/usr.bin/openssl/man/s_client.1 create mode 100644 secure/usr.bin/openssl/man/s_server.1 create mode 100644 secure/usr.bin/openssl/man/sess_id.1 create mode 100644 secure/usr.bin/openssl/man/smime.1 create mode 100644 secure/usr.bin/openssl/man/speed.1 create mode 100644 secure/usr.bin/openssl/man/spkac.1 create mode 100644 secure/usr.bin/openssl/man/verify.1 create mode 100644 secure/usr.bin/openssl/man/version.1 create mode 100644 secure/usr.bin/openssl/man/x509.1 (limited to 'secure/usr.bin') diff --git a/secure/usr.bin/openssl/Makefile b/secure/usr.bin/openssl/Makefile index be75e6a..9109390 100644 --- a/secure/usr.bin/openssl/Makefile +++ b/secure/usr.bin/openssl/Makefile @@ -1,28 +1,40 @@ # $FreeBSD$ -OPENSSL_SRC= ${.CURDIR}/../../../crypto/openssl/apps -LCRYPTO_SRC= ${.CURDIR}/../../../crypto/openssl/crypto - -.PATH: ${OPENSSL_SRC} ${.CURDIR}/../../lib/libcrypto/man - -PROG= openssl +PROG= xopenssl +PROGNAME= openssl DPADD= ${LIBSSL} ${LIBCRYPTO} LDADD= -lssl -lcrypto -MLINKS= openssl.1 ssl.8 + +NOLINT= true + +.include "../../lib/libcrypto/Makefile.inc" CFLAGS+= -DMONOLITH -I${.CURDIR} -WITH_RSA?= YES -.if ${WITH_RSA} == NO -CFLAGS+= -DNO_RSA -DNO_SSL2 -.endif +SRCS+= app_rand.c apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \ + dgst.c dh.c dhparam.c dsa.c dsaparam.c enc.c engine.c errstr.c \ + gendh.c gendsa.c genrsa.c nseq.c ocsp.c openssl.c passwd.c \ + pkcs12.c pkcs7.c pkcs8.c rand.c req.c rsa.c rsautl.c s_cb.c \ + s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c \ + speed.c spkac.c verify.c version.c x509.c -SRCS= app_rand.c apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \ - dgst.c dh.c dhparam.c dsa.c dsaparam.c enc.c errstr.c gendh.c \ - gendsa.c genrsa.c nseq.c openssl.c passwd.c pkcs12.c pkcs7.c \ - pkcs8.c rand.c req.c rsa.c rsautl.c s_cb.c s_client.c \ - s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c \ - spkac.c verify.c version.c x509.o +MAN1= CA.pl.1 asn1parse.1 ca.1 ciphers.1 config.1 crl.1 crl2pkcs7.1 \ + dgst.1 dhparam.1 dsa.1 dsaparam.1 enc.1 gendsa.1 genrsa.1 \ + nseq.1 ocsp.1 openssl.1 passwd.1 pkcs12.1 pkcs7.1 pkcs8.1 \ + rand.1 req.1 rsa.1 rsautl.1 s_client.1 s_server.1 sess_id.1 \ + smime.1 speed.1 spkac.1 verify.1 version.1 x509.1 .include + +.PATH: ${LCRYPTO_SRC}/apps \ + ${.CURDIR}/man + +mann-update: + for i in `( cd ${LCRYPTO_DOC}/apps ; ls *.pod )` ; do \ + cp ${LCRYPTO_DOC}/apps/$$i . ;\ + pod2man --section=3 --release="0.9.7" --center="OpenSSL" \ + $$i > ${.CURDIR}/man/$${i%%.pod}.1 ;\ + rm $$i ;\ + echo $${i%%.pod} ;\ + done diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1 new file mode 100644 index 0000000..a20c295 --- /dev/null +++ b/secure/usr.bin/openssl/man/CA.pl.1 @@ -0,0 +1,302 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:04:57 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "CA.pl 3" +.TH CA.pl 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +\&\s-1CA\s0.pl \- friendlier interface for OpenSSL certificate programs +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fB\s-1CA\s0.pl\fR +[\fB\-?\fR] +[\fB\-h\fR] +[\fB\-help\fR] +[\fB\-newcert\fR] +[\fB\-newreq\fR] +[\fB\-newreq-nodes\fR] +[\fB\-newca\fR] +[\fB\-xsign\fR] +[\fB\-sign\fR] +[\fB\-signreq\fR] +[\fB\-signcert\fR] +[\fB\-verify\fR] +[\fBfiles\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line +arguments to the \fBopenssl\fR command for some common certificate operations. +It is intended to simplify the process of certificate creation and management +by the use of some simple options. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4 +.IX Item "?, -h, -help" +prints a usage message. +.Ip "\fB\-newcert\fR" 4 +.IX Item "-newcert" +creates a new self signed certificate. The private key and certificate are +written to the file \*(L"newreq.pem\*(R". +.Ip "\fB\-newreq\fR" 4 +.IX Item "-newreq" +creates a new certificate request. The private key and request are +written to the file \*(L"newreq.pem\*(R". +.Ip "\fB\-newreq-nowdes\fR" 4 +.IX Item "-newreq-nowdes" +is like \fB\-newreq\fR except that the private key will not be encrypted. +.Ip "\fB\-newca\fR" 4 +.IX Item "-newca" +creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR +and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0 +certificates (which should also contain the private key) or by hitting \s-1ENTER\s0 +details of the \s-1CA\s0 will be prompted for. The relevant files and directories +are created in a directory called \*(L"demoCA\*(R" in the current directory. +.Ip "\fB\-pkcs12\fR" 4 +.IX Item "-pkcs12" +create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0 +certificate. It expects the user certificate and private key to be in the +file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem, +it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the +\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser. +If there is an additional argument on the command line it will be used as the +\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser +list box), otherwise the name \*(L"My Certificate\*(R" is used. +.Ip "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4 +.IX Item "-sign, -signreq, -xsign" +calls the \fBca\fR program to sign a certificate request. It expects the request +to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file +\&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written +to standard output. +.Ip "\fB\-signCA\fR" 4 +.IX Item "-signCA" +this option is the same as the \fB\-signreq\fR option except it uses the configuration +file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This +is useful when creating intermediate \s-1CA\s0 from a root \s-1CA\s0. +.Ip "\fB\-signcert\fR" 4 +.IX Item "-signcert" +this option is the same as \fB\-sign\fR except it expects a self signed certificate +to be present in the file \*(L"newreq.pem\*(R". +.Ip "\fB\-verify\fR" 4 +.IX Item "-verify" +verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no certificates +are specified on the command line it tries to verify the file \*(L"newcert.pem\*(R". +.Ip "\fBfiles\fR" 4 +.IX Item "files" +one or more optional certificate file names for use with the \fB\-verify\fR command. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create a \s-1CA\s0 hierarchy: +.PP +.Vb 1 +\& CA.pl -newca +.Ve +Complete certificate creation example: create a \s-1CA\s0, create a request, sign +the request and finally create a PKCS#12 file containing it. +.PP +.Vb 4 +\& CA.pl -newca +\& CA.pl -newreq +\& CA.pl -signreq +\& CA.pl -pkcs12 "My Test Certificate" +.Ve +.SH "DSA CERTIFICATES" +.IX Header "DSA CERTIFICATES" +Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to +use it with \s-1DSA\s0 certificates and requests using the req(1) command +directly. The following example shows the steps that would typically be taken. +.PP +Create some \s-1DSA\s0 parameters: +.PP +.Vb 1 +\& openssl dsaparam -out dsap.pem 1024 +.Ve +Create a \s-1DSA\s0 \s-1CA\s0 certificate and private key: +.PP +.Vb 1 +\& openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem +.Ve +Create the \s-1CA\s0 directories and files: +.PP +.Vb 1 +\& CA.pl -newca +.Ve +enter cacert.pem when prompted for the \s-1CA\s0 file name. +.PP +Create a \s-1DSA\s0 certificate request and private key (a different set of parameters +can optionally be created first): +.PP +.Vb 1 +\& openssl req -out newreq.pem -newkey dsa:dsap.pem +.Ve +Sign the request: +.PP +.Vb 1 +\& CA.pl -signreq +.Ve +.SH "NOTES" +.IX Header "NOTES" +Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script. +.PP +If the demoCA directory already exists then the \fB\-newca\fR command will not +overwrite it and will do nothing. This can happen if a previous call using +the \fB\-newca\fR option terminated abnormally. To get the correct behaviour +delete the demoCA directory if it already exists. +.PP +Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script +directly (for example Win32) and the default configuration file location may +be wrong. In this case the command: +.PP +.Vb 1 +\& perl -S CA.pl +.Ve +can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to +the correct path of the configuration file \*(L"openssl.cnf\*(R". +.PP +The script is intended as a simple front end for the \fBopenssl\fR program for use +by a beginner. Its behaviour isn't always what is wanted. For more control over the +behaviour of the certificate commands call the \fBopenssl\fR command directly. +.SH "ENVIRONMENT VARIABLES" +.IX Header "ENVIRONMENT VARIABLES" +The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration +file location to be specified, it should contain the full path to the +configuration file, not just its directory. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +x509(1), ca(1), req(1), pkcs12(1), +config(5) diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1 new file mode 100644 index 0000000..76eadb2 --- /dev/null +++ b/secure/usr.bin/openssl/man/asn1parse.1 @@ -0,0 +1,251 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:04:58 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "asn1parse 3" +.TH asn1parse 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +asn1parse \- \s-1ASN\s0.1 parsing tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBasn1parse\fR +[\fB\-inform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-offset number\fR] +[\fB\-length number\fR] +[\fB\-i\fR] +[\fB\-oid filename\fR] +[\fB\-strparse offset\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN\s0.1 +structures. It can also be used to extract data from \s-1ASN\s0.1 formatted data. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-inform\fR \fBDER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +the input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64 +encoded. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +the input file, default is standard input +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +output file to place the \s-1DER\s0 encoded data into. If this +option is not present then no data will be output. This is most useful when +combined with the \fB\-strparse\fR option. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +don't output the parsed version of the input file. +.Ip "\fB\-offset number\fR" 4 +.IX Item "-offset number" +starting offset to begin parsing, default is start of file. +.Ip "\fB\-length number\fR" 4 +.IX Item "-length number" +number of bytes to parse, default is until end of file. +.Ip "\fB\-i\fR" 4 +.IX Item "-i" +indents the output according to the \*(L"depth\*(R" of the structures. +.Ip "\fB\-oid filename\fR" 4 +.IX Item "-oid filename" +a file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this +file is described in the \s-1NOTES\s0 section below. +.Ip "\fB\-strparse offset\fR" 4 +.IX Item "-strparse offset" +parse the contents octets of the \s-1ASN\s0.1 object starting at \fBoffset\fR. This +option can be used multiple times to \*(L"drill down\*(R" into a nested structure. +.Sh "\s-1OUTPUT\s0" +.IX Subsection "OUTPUT" +The output will typically contain lines like this: +.PP +.Vb 1 +\& 0:d=0 hl=4 l= 681 cons: SEQUENCE +.Ve +\&..... +.PP +.Vb 10 +\& 229:d=3 hl=3 l= 141 prim: BIT STRING +\& 373:d=2 hl=3 l= 162 cons: cont [ 3 ] +\& 376:d=3 hl=3 l= 159 cons: SEQUENCE +\& 379:d=4 hl=2 l= 29 cons: SEQUENCE +\& 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +\& 386:d=5 hl=2 l= 22 prim: OCTET STRING +\& 410:d=4 hl=2 l= 112 cons: SEQUENCE +\& 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +\& 417:d=5 hl=2 l= 105 prim: OCTET STRING +\& 524:d=4 hl=2 l= 12 cons: SEQUENCE +.Ve +\&..... +.PP +This example is part of a self signed certificate. Each line starts with the +offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased +within the scope of any \s-1SET\s0 or \s-1SEQUENCE\s0. \fBhl=XX\fR gives the header length +(tag and length octets) of the current type. \fBl=XX\fR gives the length of +the contents octets. +.PP +The \fB\-i\fR option can be used to make the output more readable. +.PP +Some knowledge of the \s-1ASN\s0.1 structure is needed to interpret the output. +.PP +In this example the \s-1BIT\s0 \s-1STRING\s0 at offset 229 is the certificate public key. +The contents octets of this will contain the public key information. This can +be examined using the option \fB\-strparse 229\fR to yield: +.PP +.Vb 3 +\& 0:d=0 hl=3 l= 137 cons: SEQUENCE +\& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 +\& 135:d=1 hl=2 l= 3 prim: INTEGER :010001 +.Ve +.SH "NOTES" +.IX Header "NOTES" +If an \s-1OID\s0 is not part of OpenSSL's internal table it will be represented in +numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option +allows additional OIDs to be included. Each line consists of three columns, +the first column is the \s-1OID\s0 in numerical format and should be followed by white +space. The second column is the \*(L"short name\*(R" which is a single word followed +by white space. The final column is the rest of the line and is the +\&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. Example: +.PP +\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR +.SH "BUGS" +.IX Header "BUGS" +There should be options to change the format of input lines. The output of some +\&\s-1ASN\s0.1 types is not well handled (if at all). diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1 new file mode 100644 index 0000000..bccbbc4 --- /dev/null +++ b/secure/usr.bin/openssl/man/ca.1 @@ -0,0 +1,694 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:04:59 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "ca 3" +.TH ca 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +ca \- sample minimal \s-1CA\s0 application +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBca\fR +[\fB\-verbose\fR] +[\fB\-config filename\fR] +[\fB\-name section\fR] +[\fB\-gencrl\fR] +[\fB\-revoke file\fR] +[\fB\-crl_reason reason\fR] +[\fB\-crl_hold instruction\fR] +[\fB\-crl_compromise time\fR] +[\fB\-crl_CA_compromise time\fR] +[\fB\-subj arg\fR] +[\fB\-crldays days\fR] +[\fB\-crlhours hours\fR] +[\fB\-crlexts section\fR] +[\fB\-startdate date\fR] +[\fB\-enddate date\fR] +[\fB\-days arg\fR] +[\fB\-md arg\fR] +[\fB\-policy arg\fR] +[\fB\-keyfile arg\fR] +[\fB\-key arg\fR] +[\fB\-passin arg\fR] +[\fB\-cert file\fR] +[\fB\-in file\fR] +[\fB\-out file\fR] +[\fB\-notext\fR] +[\fB\-outdir dir\fR] +[\fB\-infiles\fR] +[\fB\-spkac file\fR] +[\fB\-ss_cert file\fR] +[\fB\-preserveDN\fR] +[\fB\-noemailDN\fR] +[\fB\-batch\fR] +[\fB\-msie_hack\fR] +[\fB\-extensions section\fR] +[\fB\-extfile section\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used +to sign certificate requests in a variety of forms and generate +CRLs it also maintains a text database of issued certificates +and their status. +.PP +The options descriptions will be divided into each purpose. +.SH "CA OPTIONS" +.IX Header "CA OPTIONS" +.Ip "\fB\-config filename\fR" 4 +.IX Item "-config filename" +specifies the configuration file to use. +.Ip "\fB\-name section\fR" 4 +.IX Item "-name section" +specifies the configuration file section to use (overrides +\&\fBdefault_ca\fR in the \fBca\fR section). +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +an input filename containing a single certificate request to be +signed by the \s-1CA\s0. +.Ip "\fB\-ss_cert filename\fR" 4 +.IX Item "-ss_cert filename" +a single self signed certificate to be signed by the \s-1CA\s0. +.Ip "\fB\-spkac filename\fR" 4 +.IX Item "-spkac filename" +a file containing a single Netscape signed public key and challenge +and additional field values to be signed by the \s-1CA\s0. See the \fB\s-1SPKAC\s0 \s-1FORMAT\s0\fR +section for information on the required format. +.Ip "\fB\-infiles\fR" 4 +.IX Item "-infiles" +if present this should be the last option, all subsequent arguments +are assumed to the the names of files containing certificate requests. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +the output file to output certificates to. The default is standard +output. The certificate details will also be printed out to this +file. +.Ip "\fB\-outdir directory\fR" 4 +.IX Item "-outdir directory" +the directory to output certificates to. The certificate will be +written to a filename consisting of the serial number in hex with +\&\*(L".pem\*(R" appended. +.Ip "\fB\-cert\fR" 4 +.IX Item "-cert" +the \s-1CA\s0 certificate file. +.Ip "\fB\-keyfile filename\fR" 4 +.IX Item "-keyfile filename" +the private key to sign requests with. +.Ip "\fB\-key password\fR" 4 +.IX Item "-key password" +the password used to encrypt the private key. Since on some +systems the command line arguments are visible (e.g. Unix with +the 'ps' utility) this option should be used with caution. +.Ip "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-verbose\fR" 4 +.IX Item "-verbose" +this prints extra details about the operations being performed. +.Ip "\fB\-notext\fR" 4 +.IX Item "-notext" +don't output the text form of a certificate to the output file. +.Ip "\fB\-startdate date\fR" 4 +.IX Item "-startdate date" +this allows the start date to be explicitly set. The format of the +date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure). +.Ip "\fB\-enddate date\fR" 4 +.IX Item "-enddate date" +this allows the expiry date to be explicitly set. The format of the +date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure). +.Ip "\fB\-days arg\fR" 4 +.IX Item "-days arg" +the number of days to certify the certificate for. +.Ip "\fB\-md alg\fR" 4 +.IX Item "-md alg" +the message digest to use. Possible values include md5, sha1 and mdc2. +This option also applies to CRLs. +.Ip "\fB\-policy arg\fR" 4 +.IX Item "-policy arg" +this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in +the configuration file which decides which fields should be mandatory +or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section +for more information. +.Ip "\fB\-msie_hack\fR" 4 +.IX Item "-msie_hack" +this is a legacy option to make \fBca\fR work with very old versions of +the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings +for almost everything. Since the old control has various security bugs +its use is strongly discouraged. The newer control \*(L"Xenroll\*(R" does not +need this option. +.Ip "\fB\-preserveDN\fR" 4 +.IX Item "-preserveDN" +Normally the \s-1DN\s0 order of a certificate is the same as the order of the +fields in the relevant policy section. When this option is set the order +is the same as the request. This is largely for compatibility with the +older \s-1IE\s0 enrollment control which would only accept certificates if their +DNs match the order of the request. This is not needed for Xenroll. +.Ip "\fB\-noemailDN\fR" 4 +.IX Item "-noemailDN" +The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the +request \s-1DN\s0, however it is good policy just having the e-mail set into +the altName extension of the certificate. When this option is set the +\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in +the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be +used in the configuration file to enable this behaviour. +.Ip "\fB\-batch\fR" 4 +.IX Item "-batch" +this sets the batch mode. In this mode no questions will be asked +and all certificates will be certified automatically. +.Ip "\fB\-extensions section\fR" 4 +.IX Item "-extensions section" +the section of the configuration file containing certificate extensions +to be added when a certificate is issued (defaults to \fBx509_extensions\fR +unless the \fB\-extfile\fR option is used). If no extension section is +present then, a V1 certificate is created. If the extension section +is present (even if it is empty), then a V3 certificate is created. +.Ip "\fB\-extfile file\fR" 4 +.IX Item "-extfile file" +an additional configuration file to read certificate extensions from +(using the default section unless the \fB\-extensions\fR option is also +used). +.SH "CRL OPTIONS" +.IX Header "CRL OPTIONS" +.Ip "\fB\-gencrl\fR" 4 +.IX Item "-gencrl" +this option generates a \s-1CRL\s0 based on information in the index file. +.Ip "\fB\-crldays num\fR" 4 +.IX Item "-crldays num" +the number of days before the next \s-1CRL\s0 is due. That is the days from +now to place in the \s-1CRL\s0 nextUpdate field. +.Ip "\fB\-crlhours num\fR" 4 +.IX Item "-crlhours num" +the number of hours before the next \s-1CRL\s0 is due. +.Ip "\fB\-revoke filename\fR" 4 +.IX Item "-revoke filename" +a filename containing a certificate to revoke. +.Ip "\fB\-crl_reason reason\fR" 4 +.IX Item "-crl_reason reason" +revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR, +\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR, +\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case +insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2. +.Sp +In practive \fBremoveFromCRL\fR is not particularly useful because it is only used +in delta CRLs which are not currently implemented. +.Ip "\fB\-crl_hold instruction\fR" 4 +.IX Item "-crl_hold instruction" +This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold +instruction to \fBinstruction\fR which must be an \s-1OID\s0. Although any \s-1OID\s0 can be +used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0) +\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used. +.Ip "\fB\-crl_compromise time\fR" 4 +.IX Item "-crl_compromise time" +This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to +\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR. +.Ip "\fB\-crl_CA_compromise time\fR" 4 +.IX Item "-crl_CA_compromise time" +This is the same as \fBcrl_compromise\fR except the revocation reason is set to +\&\fBCACompromise\fR. +.Ip "\fB\-subj arg\fR" 4 +.IX Item "-subj arg" +supersedes subject name given in the request. +The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, +characters may be escaped by \e (backslash), no spaces are skipped. +.Ip "\fB\-crlexts section\fR" 4 +.IX Item "-crlexts section" +the section of the configuration file containing \s-1CRL\s0 extensions to +include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is +created, if the \s-1CRL\s0 extension section is present (even if it is +empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are +\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted +that some software (for example Netscape) can't handle V2 CRLs. +.SH "CONFIGURATION FILE OPTIONS" +.IX Header "CONFIGURATION FILE OPTIONS" +The section of the configuration file containing options for \fBca\fR +is found as follows: If the \fB\-name\fR command line option is used, +then it names the section to be used. Otherwise the section to +be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section +of the configuration file (or in the default section of the +configuration file). Besides \fBdefault_ca\fR, the following options are +read directly from the \fBca\fR section: + \s-1RANDFILE\s0 + preserve + msie_hack +With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may +change in future releases. +.PP +Many of the configuration file options are identical to command line +options. Where the option is present in the configuration file +and the command line the command line value is used. Where an +option is described as mandatory then it must be present in +the configuration file or the command line equivalent (if +any) used. +.Ip "\fBoid_file\fR" 4 +.IX Item "oid_file" +This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR. +Each line of the file should consist of the numerical form of the +object identifier followed by white space then the short name followed +by white space and finally the long name. +.Ip "\fBoid_section\fR" 4 +.IX Item "oid_section" +This specifies a section in the configuration file containing extra +object identifiers. Each line should consist of the short name of the +object identifier followed by \fB=\fR and the numerical form. The short +and long names are the same when this option is used. +.Ip "\fBnew_certs_dir\fR" 4 +.IX Item "new_certs_dir" +the same as the \fB\-outdir\fR command line option. It specifies +the directory where new certificates will be placed. Mandatory. +.Ip "\fBcertificate\fR" 4 +.IX Item "certificate" +the same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0 +certificate. Mandatory. +.Ip "\fBprivate_key\fR" 4 +.IX Item "private_key" +same as the \fB\-keyfile\fR option. The file containing the +\&\s-1CA\s0 private key. Mandatory. +.Ip "\fB\s-1RANDFILE\s0\fR" 4 +.IX Item "RANDFILE" +a file used to read and write random number seed information, or +an \s-1EGD\s0 socket (see RAND_egd(3)). +.Ip "\fBdefault_days\fR" 4 +.IX Item "default_days" +the same as the \fB\-days\fR option. The number of days to certify +a certificate for. +.Ip "\fBdefault_startdate\fR" 4 +.IX Item "default_startdate" +the same as the \fB\-startdate\fR option. The start date to certify +a certificate for. If not set the current time is used. +.Ip "\fBdefault_enddate\fR" 4 +.IX Item "default_enddate" +the same as the \fB\-enddate\fR option. Either this option or +\&\fBdefault_days\fR (or the command line equivalents) must be +present. +.Ip "\fBdefault_crl_hours default_crl_days\fR" 4 +.IX Item "default_crl_hours default_crl_days" +the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These +will only be used if neither command line option is present. At +least one of these must be present to generate a \s-1CRL\s0. +.Ip "\fBdefault_md\fR" 4 +.IX Item "default_md" +the same as the \fB\-md\fR option. The message digest to use. Mandatory. +.Ip "\fBdatabase\fR" 4 +.IX Item "database" +the text database file to use. Mandatory. This file must be present +though initially it will be empty. +.Ip "\fBserialfile\fR" 4 +.IX Item "serialfile" +a text file containing the next serial number to use in hex. Mandatory. +This file must be present and contain a valid serial number. +.Ip "\fBx509_extensions\fR" 4 +.IX Item "x509_extensions" +the same as \fB\-extensions\fR. +.Ip "\fBcrl_extensions\fR" 4 +.IX Item "crl_extensions" +the same as \fB\-crlexts\fR. +.Ip "\fBpreserve\fR" 4 +.IX Item "preserve" +the same as \fB\-preserveDN\fR +.Ip "\fBemail_in_dn\fR" 4 +.IX Item "email_in_dn" +the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed +from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present +the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN\s0. +.Ip "\fBmsie_hack\fR" 4 +.IX Item "msie_hack" +the same as \fB\-msie_hack\fR +.Ip "\fBpolicy\fR" 4 +.IX Item "policy" +the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section +for more information. +.Ip "\fBnameopt\fR, \fBcertopt\fR" 4 +.IX Item "nameopt, certopt" +these options allow the format used to display the certificate details +when asking the user to confirm signing. All the options supported by +the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used +here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set +and cannot be disabled (this is because the certificate signature cannot +be displayed because the certificate has not been signed at this point). +.Sp +For convenience the values \fBdefault_ca\fR are accepted by both to produce +a reasonable output. +.Sp +If neither option is present the format used in earlier versions of +OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because +it only displays fields mentioned in the \fBpolicy\fR section, mishandles +multicharacter string types and does not display extensions. +.Ip "\fBcopy_extensions\fR" 4 +.IX Item "copy_extensions" +determines how extensions in certificate requests should be handled. +If set to \fBnone\fR or this option is not present then extensions are +ignored and not copied to the certificate. If set to \fBcopy\fR then any +extensions present in the request that are not already present are copied +to the certificate. If set to \fBcopyall\fR then all extensions in the +request are copied to the certificate: if the extension is already present +in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before +using this option. +.Sp +The main use of this option is to allow a certificate request to supply +values for certain extensions such as subjectAltName. +.SH "POLICY FORMAT" +.IX Header "POLICY FORMAT" +The policy section consists of a set of variables corresponding to +certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value +must match the same field in the \s-1CA\s0 certificate. If the value is +\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then +it may be present. Any fields not mentioned in the policy section +are silently deleted, unless the \fB\-preserveDN\fR option is set but +this can be regarded more of a quirk than intended behaviour. +.SH "SPKAC FORMAT" +.IX Header "SPKAC FORMAT" +The input to the \fB\-spkac\fR command line option is a Netscape +signed public key and challenge. This will usually come from +the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key. +It is however possible to create SPKACs using the \fBspkac\fR utility. +.PP +The file should contain the variable \s-1SPKAC\s0 set to the value of +the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs. +If you need to include the same component twice then it can be +preceded by a number and a '.'. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Note: these examples assume that the \fBca\fR directory structure is +already set up and the relevant files already exist. This usually +involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a +serial number file and an empty index file and placing them in +the relevant directories. +.PP +To use the sample configuration file below the directories demoCA, +demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0 +certificate would be copied to demoCA/cacert.pem and its private +key to demoCA/private/cakey.pem. A file demoCA/serial would be +created containing for example \*(L"01\*(R" and the empty index file +demoCA/index.txt. +.PP +Sign a certificate request: +.PP +.Vb 1 +\& openssl ca -in req.pem -out newcert.pem +.Ve +Sign a certificate request, using \s-1CA\s0 extensions: +.PP +.Vb 1 +\& openssl ca -in req.pem -extensions v3_ca -out newcert.pem +.Ve +Generate a \s-1CRL\s0 +.PP +.Vb 1 +\& openssl ca -gencrl -out crl.pem +.Ve +Sign several requests: +.PP +.Vb 1 +\& openssl ca -infiles req1.pem req2.pem req3.pem +.Ve +Certify a Netscape \s-1SPKAC:\s0 +.PP +.Vb 1 +\& openssl ca -spkac spkac.txt +.Ve +A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity): +.PP +.Vb 5 +\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 +\& CN=Steve Test +\& emailAddress=steve@openssl.org +\& 0.OU=OpenSSL Group +\& 1.OU=Another Group +.Ve +A sample configuration file with the relevant sections for \fBca\fR: +.PP +.Vb 2 +\& [ ca ] +\& default_ca = CA_default # The default ca section +.Ve +.Vb 1 +\& [ CA_default ] +.Ve +.Vb 3 +\& dir = ./demoCA # top dir +\& database = $dir/index.txt # index file. +\& new_certs_dir = $dir/newcerts # new certs dir +.Ve +.Vb 4 +\& certificate = $dir/cacert.pem # The CA cert +\& serial = $dir/serial # serial no file +\& private_key = $dir/private/cakey.pem# CA private key +\& RANDFILE = $dir/private/.rand # random number file +.Ve +.Vb 3 +\& default_days = 365 # how long to certify for +\& default_crl_days= 30 # how long before next CRL +\& default_md = md5 # md to use +.Ve +.Vb 2 +\& policy = policy_any # default policy +\& email_in_dn = no # Don't add the email into cert DN +.Ve +.Vb 3 +\& nameopt = default_ca # Subject name display option +\& certopt = default_ca # Certificate display option +\& copy_extensions = none # Don't copy extensions from request +.Ve +.Vb 7 +\& [ policy_any ] +\& countryName = supplied +\& stateOrProvinceName = optional +\& organizationName = optional +\& organizationalUnitName = optional +\& commonName = supplied +\& emailAddress = optional +.Ve +.SH "FILES" +.IX Header "FILES" +Note: the location of all files can change either by compile time options, +configuration file entries, environment variables or command line options. +The values below reflect the default values. +.PP +.Vb 10 +\& /usr/local/ssl/lib/openssl.cnf - master configuration file +\& ./demoCA - main CA directory +\& ./demoCA/cacert.pem - CA certificate +\& ./demoCA/private/cakey.pem - CA private key +\& ./demoCA/serial - CA serial number file +\& ./demoCA/serial.old - CA serial number backup file +\& ./demoCA/index.txt - CA text database file +\& ./demoCA/index.txt.old - CA text database backup file +\& ./demoCA/certs - certificate output file +\& ./demoCA/.rnd - CA random seed information +.Ve +.SH "ENVIRONMENT VARIABLES" +.IX Header "ENVIRONMENT VARIABLES" +\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can +be overridden by the \fB\-config\fR command line option. +.SH "RESTRICTIONS" +.IX Header "RESTRICTIONS" +The text database index file is a critical part of the process and +if corrupted it can be difficult to fix. It is theoretically possible +to rebuild the index file from all the issued certificates and a current +\&\s-1CRL:\s0 however there is no option to do this. +.PP +V2 \s-1CRL\s0 features like delta \s-1CRL\s0 support and \s-1CRL\s0 numbers are not currently +supported. +.PP +Although several requests can be input and handled at once it is only +possible to include one \s-1SPKAC\s0 or self signed certificate. +.SH "BUGS" +.IX Header "BUGS" +The use of an in memory text database can cause problems when large +numbers of certificates are present because, as the name implies +the database has to be kept in memory. +.PP +It is not possible to certify two certificates with the same \s-1DN:\s0 this +is a side effect of how the text database is indexed and it cannot easily +be fixed without introducing other problems. Some S/MIME clients can use +two certificates with the same \s-1DN\s0 for separate signing and encryption +keys. +.PP +The \fBca\fR command really needs rewriting or the required functionality +exposed at either a command or interface level so a more friendly utility +(perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and +\&\fB\s-1CA\s0.pl\fR help a little but not very much. +.PP +Any fields in a request that are not present in a policy are silently +deleted. This does not happen if the \fB\-preserveDN\fR option is used. To +enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN\s0, as suggested by +RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR +option can be used. The behaviour should be more friendly and +configurable. +.PP +Cancelling some commands by refusing to certify a certificate can +create an empty file. +.SH "WARNINGS" +.IX Header "WARNINGS" +The \fBca\fR command is quirky and at times downright unfriendly. +.PP +The \fBca\fR utility was originally meant as an example of how to do things +in a \s-1CA\s0. It was not supposed to be used as a full blown \s-1CA\s0 itself: +nevertheless some people are using it for this purpose. +.PP +The \fBca\fR command is effectively a single user command: no locking is +done on the various files and attempts to run more than one \fBca\fR command +on the same database can have unpredictable results. +.PP +The \fBcopy_extensions\fR option should be used with caution. If care is +not taken then it can be a security risk. For example if a certificate +request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the +\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot +this when the certificate is displayed then this will hand the requestor +a valid \s-1CA\s0 certificate. +.PP +This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR +and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file. +Then if the request contains a basicConstraints extension it will be +ignored. +.PP +It is advisable to also include values for other extensions such +as \fBkeyUsage\fR to prevent a request supplying its own values. +.PP +Additional restrictions can be placed on the \s-1CA\s0 certificate itself. +For example if the \s-1CA\s0 certificate has: +.PP +.Vb 1 +\& basicConstraints = CA:TRUE, pathlen:0 +.Ve +then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +req(1), spkac(1), x509(1), CA.pl(1), +config(5) diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1 new file mode 100644 index 0000000..1083d22 --- /dev/null +++ b/secure/usr.bin/openssl/man/ciphers.1 @@ -0,0 +1,497 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:01 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "ciphers 3" +.TH ciphers 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +ciphers \- \s-1SSL\s0 cipher display and cipher list tool. +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBciphers\fR +[\fB\-v\fR] +[\fB\-ssl2\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fBcipherlist\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBcipherlist\fR command converts OpenSSL cipher lists into ordered +\&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine +the appropriate cipherlist. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-v\fR" 4 +.IX Item "-v" +verbose option. List ciphers with a complete description of +protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange, +authentication, encryption and mac algorithms used along with any key size +restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher. +Note that without the \fB\-v\fR option, ciphers may seem to appear twice +in a cipher list; this is when similar ciphers are available for +\&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1. +.Ip "\fB\-ssl3\fR" 4 +.IX Item "-ssl3" +only include \s-1SSL\s0 v3 ciphers. +.Ip "\fB\-ssl2\fR" 4 +.IX Item "-ssl2" +only include \s-1SSL\s0 v2 ciphers. +.Ip "\fB\-tls1\fR" 4 +.IX Item "-tls1" +only include \s-1TLS\s0 v1 ciphers. +.Ip "\fB\-h\fR, \fB\-?\fR" 4 +.IX Item "-h, -?" +print a brief usage message. +.Ip "\fBcipherlist\fR" 4 +.IX Item "cipherlist" +a cipher list to convert to a cipher preference list. If it is not included +then the default cipher list will be used. The format is described below. +.SH "CIPHER LIST FORMAT" +.IX Header "CIPHER LIST FORMAT" +The cipher list consists of one or more \fIcipher strings\fR separated by colons. +Commas or spaces are also acceptable separators but colons are normally used. +.PP +The actual cipher string can take several different forms. +.PP +It can consist of a single cipher suite such as \fB\s-1RC4\-SHA\s0\fR. +.PP +It can represent a list of cipher suites containing a certain algorithm, or +cipher suites of a certain type. For example \fB\s-1SHA1\s0\fR represents all ciphers +suites using the digest algorithm \s-1SHA1\s0 and \fBSSLv3\fR represents all \s-1SSL\s0 v3 +algorithms. +.PP +Lists of cipher suites can be combined in a single cipher string using the +\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example +\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0 +algorithms. +.PP +Each cipher string can be optionally preceded by the characters \fB!\fR, +\&\fB-\fR or \fB+\fR. +.PP +If \fB!\fR is used then the ciphers are permanently deleted from the list. +The ciphers deleted can never reappear in the list even if they are +explicitly stated. +.PP +If \fB-\fR is used then the ciphers are deleted from the list, but some or +all of the ciphers can be added again by later options. +.PP +If \fB+\fR is used then the ciphers are moved to the end of the list. This +option doesn't add any new ciphers it just moves matching existing ones. +.PP +If none of these characters is present then the string is just interpreted +as a list of ciphers to be appended to the current preference list. If the +list includes any ciphers already present they will be ignored: that is they +will not moved to the end of the list. +.PP +Additionally the cipher string \fB@STRENGTH\fR can be used at any point to sort +the current cipher list in order of encryption algorithm key length. +.SH "CIPHER STRINGS" +.IX Header "CIPHER STRINGS" +The following is a list of all permitted cipher strings and their meanings. +.Ip "\fB\s-1DEFAULT\s0\fR" 4 +.IX Item "DEFAULT" +the default cipher list. This is determined at compile time and is normally +\&\fB\s-1ALL:\s0!ADH:RC4+RSA:+SSLv2:@STRENGTH\fR. This must be the first cipher string +specified. +.Ip "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4 +.IX Item "COMPLEMENTOFDEFAULT" +the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently +this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is +not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary). +.Ip "\fB\s-1ALL\s0\fR" 4 +.IX Item "ALL" +all ciphers suites except the \fBeNULL\fR ciphers which must be explicitly enabled. +.Ip "\fB\s-1COMPLEMENTOFALL\s0\fR" 4 +.IX Item "COMPLEMENTOFALL" +the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR. +.Ip "\fB\s-1HIGH\s0\fR" 4 +.IX Item "HIGH" +\&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger +than 128 bits. +.Ip "\fB\s-1MEDIUM\s0\fR" 4 +.IX Item "MEDIUM" +\&\*(L"medium\*(R" encryption cipher suites, currently those using 128 bit encryption. +.Ip "\fB\s-1LOW\s0\fR" 4 +.IX Item "LOW" +\&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms +but excluding export cipher suites. +.Ip "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4 +.IX Item "EXP, EXPORT" +export encryption algorithms. Including 40 and 56 bits algorithms. +.Ip "\fB\s-1EXPORT40\s0\fR" 4 +.IX Item "EXPORT40" +40 bit export encryption algorithms +.Ip "\fB\s-1EXPORT56\s0\fR" 4 +.IX Item "EXPORT56" +56 bit export encryption algorithms. +.Ip "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4 +.IX Item "eNULL, NULL" +the \*(L"\s-1NULL\s0\*(R" ciphers that is those offering no encryption. Because these offer no +encryption at all and are a security risk they are disabled unless explicitly +included. +.Ip "\fBaNULL\fR" 4 +.IX Item "aNULL" +the cipher suites offering no authentication. This is currently the anonymous +\&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R" +attack and so their use is normally discouraged. +.Ip "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4 +.IX Item "kRSA, RSA" +cipher suites using \s-1RSA\s0 key exchange. +.Ip "\fBkEDH\fR" 4 +.IX Item "kEDH" +cipher suites using ephemeral \s-1DH\s0 key agreement. +.Ip "\fBkDHr\fR, \fBkDHd\fR" 4 +.IX Item "kDHr, kDHd" +cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0 +and \s-1DSS\s0 keys respectively. Not implemented. +.Ip "\fBaRSA\fR" 4 +.IX Item "aRSA" +cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys. +.Ip "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4 +.IX Item "aDSS, DSS" +cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys. +.Ip "\fBaDH\fR" 4 +.IX Item "aDH" +cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry +\&\s-1DH\s0 keys. Not implemented. +.Ip "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4 +.IX Item "kFZA, aFZA, eFZA, FZA" +ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all +\&\s-1FORTEZZA\s0 algorithms. Not implemented. +.Ip "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4 +.IX Item "TLSv1, SSLv3, SSLv2" +\&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively. +.Ip "\fB\s-1DH\s0\fR" 4 +.IX Item "DH" +cipher suites using \s-1DH\s0, including anonymous \s-1DH\s0. +.Ip "\fB\s-1ADH\s0\fR" 4 +.IX Item "ADH" +anonymous \s-1DH\s0 cipher suites. +.Ip "\fB\s-1AES\s0\fR" 4 +.IX Item "AES" +cipher suites using \s-1AES\s0. +.Ip "\fB3DES\fR" 4 +.IX Item "3DES" +cipher suites using triple \s-1DES\s0. +.Ip "\fB\s-1DES\s0\fR" 4 +.IX Item "DES" +cipher suites using \s-1DES\s0 (not triple \s-1DES\s0). +.Ip "\fB\s-1RC4\s0\fR" 4 +.IX Item "RC4" +cipher suites using \s-1RC4\s0. +.Ip "\fB\s-1RC2\s0\fR" 4 +.IX Item "RC2" +cipher suites using \s-1RC2\s0. +.Ip "\fB\s-1IDEA\s0\fR" 4 +.IX Item "IDEA" +cipher suites using \s-1IDEA\s0. +.Ip "\fB\s-1MD5\s0\fR" 4 +.IX Item "MD5" +cipher suites using \s-1MD5\s0. +.Ip "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4 +.IX Item "SHA1, SHA" +cipher suites using \s-1SHA1\s0. +.SH "CIPHER SUITE NAMES" +.IX Header "CIPHER SUITE NAMES" +The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the +relevant specification and their OpenSSL equivalents. It should be noted, +that several cipher suite names do not include the authentication used, +e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. +.Sh "\s-1SSL\s0 v3.0 cipher suites." +.IX Subsection "SSL v3.0 cipher suites." +.Vb 10 +\& SSL_RSA_WITH_NULL_MD5 NULL-MD5 +\& SSL_RSA_WITH_NULL_SHA NULL-SHA +\& SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 +\& SSL_RSA_WITH_RC4_128_MD5 RC4-MD5 +\& SSL_RSA_WITH_RC4_128_SHA RC4-SHA +\& SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 +\& SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA +\& SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA +\& SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA +\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA +.Ve +.Vb 12 +\& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. +\& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. +\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. +\& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. +\& SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented. +\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. +\& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA +\& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA +\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA +\& SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA +\& SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA +\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA +.Ve +.Vb 5 +\& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 +\& SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 +\& SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA +\& SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA +\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA +.Ve +.Vb 3 +\& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. +\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. +\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. +.Ve +.Sh "\s-1TLS\s0 v1.0 cipher suites." +.IX Subsection "TLS v1.0 cipher suites." +.Vb 10 +\& TLS_RSA_WITH_NULL_MD5 NULL-MD5 +\& TLS_RSA_WITH_NULL_SHA NULL-SHA +\& TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 +\& TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 +\& TLS_RSA_WITH_RC4_128_SHA RC4-SHA +\& TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 +\& TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA +\& TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA +\& TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA +\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA +.Ve +.Vb 12 +\& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. +\& TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. +\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. +\& TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. +\& TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented. +\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. +\& TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA +\& TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA +\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA +\& TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA +\& TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA +\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA +.Ve +.Vb 5 +\& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 +\& TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 +\& TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA +\& TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA +\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA +.Ve +.Sh "\s-1AES\s0 ciphersuites from \s-1RFC3268\s0, extending \s-1TLS\s0 v1.0" +.IX Subsection "AES ciphersuites from RFC3268, extending TLS v1.0" +.Vb 2 +\& TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA +\& TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA +.Ve +.Vb 4 +\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA +\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA +\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA +\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA +.Ve +.Vb 4 +\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA +\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA +\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA +\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA +.Ve +.Vb 2 +\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA +\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA +.Ve +.Sh "Additional Export 1024 and other cipher suites" +.IX Subsection "Additional Export 1024 and other cipher suites" +Note: these ciphers can also be used in \s-1SSL\s0 v3. +.PP +.Vb 5 +\& TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA +\& TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA +\& TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA +\& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA +\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA +.Ve +.Sh "\s-1SSL\s0 v2.0 cipher suites." +.IX Subsection "SSL v2.0 cipher suites." +.Vb 7 +\& SSL_CK_RC4_128_WITH_MD5 RC4-MD5 +\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 +\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 +\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 +\& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 +\& SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 +\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 +.Ve +.SH "NOTES" +.IX Header "NOTES" +The non-ephemeral \s-1DH\s0 modes are currently unimplemented in OpenSSL +because there is no support for \s-1DH\s0 certificates. +.PP +Some compiled versions of OpenSSL may not include all the ciphers +listed here because some ciphers were excluded at compile time. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers: +.PP +.Vb 1 +\& openssl ciphers -v 'ALL:eNULL' +.Ve +Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by +strength: +.PP +.Vb 1 +\& openssl ciphers -v 'ALL:!ADH:@STRENGTH' +.Ve +Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last: +.PP +.Vb 1 +\& openssl ciphers -v '3DES:+RSA' +.Ve +Include all \s-1RC4\s0 ciphers but leave out those without authentication: +.PP +.Vb 1 +\& openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' +.Ve +Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without +encryption. +.PP +.Vb 1 +\& openssl ciphers -v 'RSA:!COMPLEMENTOFALL' +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +s_client(1), s_server(1), ssl(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options were +added in version 0.9.7. diff --git a/secure/usr.bin/openssl/man/config.1 b/secure/usr.bin/openssl/man/config.1 new file mode 100644 index 0000000..b6d8584 --- /dev/null +++ b/secure/usr.bin/openssl/man/config.1 @@ -0,0 +1,282 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:02 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "config 3" +.TH config 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +config \- OpenSSL \s-1CONF\s0 library configuration files +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The OpenSSL \s-1CONF\s0 library can be used to read configuration files. +It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR +and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension +files for the \fBx509\fR utility. +.PP +A configuration file is divided into a number of sections. Each section +starts with a line \fB[ section_name ]\fR and ends when a new section is +started or end of file is reached. A section name can consist of +alphanumeric characters and underscores. +.PP +The first section of a configuration file is special and is referred +to as the \fBdefault\fR section this is usually unnamed and is from the +start of file until the first named section. When a name is being looked up +it is first looked up in a named section (if any) and then the +default section. +.PP +The environment is mapped onto a section called \fB\s-1ENV\s0\fR. +.PP +Comments can be included by preceding them with the \fB#\fR character +.PP +Each section in a configuration file consists of a number of name and +value pairs of the form \fBname=value\fR +.PP +The \fBname\fR string can contain any alphanumeric characters as well as +a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR. +.PP +The \fBvalue\fR string consists of the string following the \fB=\fR character +until end of line with any leading and trailing white space removed. +.PP +The value string undergoes variable expansion. This can be done by +including the form \fB$var\fR or \fB${var}\fR: this will substitute the value +of the named variable in the current section. It is also possible to +substitute a value from another section using the syntax \fB$section::name\fR +or \fB${section::name}\fR. By using the form \fB$ENV::name\fR environment +variables can be substituted. It is also possible to assign values to +environment variables by using the name \fB\s-1ENV:\s0:name\fR, this will work +if the program looks up environment variables using the \fB\s-1CONF\s0\fR library +instead of calling \fB\f(BIgetenv()\fB\fR directly. +.PP +It is possible to escape certain characters by using any kind of quote +or the \fB\e\fR character. By making the last character of a line a \fB\e\fR +a \fBvalue\fR string can be spread across multiple lines. In addition +the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized. +.SH "NOTES" +.IX Header "NOTES" +If a configuration file attempts to expand a variable that doesn't exist +then an error is flagged and the file will not load. This can happen +if an attempt is made to expand an environment variable that doesn't +exist. For example the default OpenSSL master configuration file used +the value of \fB\s-1HOME\s0\fR which may not be defined on non Unix systems. +.PP +This can be worked around by including a \fBdefault\fR section to provide +a default value: then if the environment lookup fails the default value +will be used instead. For this to work properly the default value must +be defined earlier in the configuration file than the expansion. See +the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this. +.PP +If the same variable exists in the same section then all but the last +value will be silently ignored. In certain circumstances such as with +DNs the same field may occur multiple times. This is usually worked +around by ignoring any characters before an initial \fB.\fR e.g. +.PP +.Vb 2 +\& 1.OU="My first OU" +\& 2.OU="My Second OU" +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Here is a sample configuration file using some of the features +mentioned above. +.PP +.Vb 1 +\& # This is the default section. +.Ve +.Vb 3 +\& HOME=/temp +\& RANDFILE= ${ENV::HOME}/.rnd +\& configdir=$ENV::HOME/config +.Ve +.Vb 1 +\& [ section_one ] +.Ve +.Vb 1 +\& # We are now in section one. +.Ve +.Vb 2 +\& # Quotes permit leading and trailing whitespace +\& any = " any variable name " +.Ve +.Vb 3 +\& other = A string that can \e +\& cover several lines \e +\& by including \e\e characters +.Ve +.Vb 1 +\& message = Hello World\en +.Ve +.Vb 1 +\& [ section_two ] +.Ve +.Vb 1 +\& greeting = $section_one::message +.Ve +This next example shows how to expand environment variables safely. +.PP +Suppose you want a variable called \fBtmpfile\fR to refer to a +temporary filename. The directory it is placed in can determined by +the the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be +set to any value at all. If you just include the environment variable +names and the variable doesn't exist then this will cause an error when +an attempt is made to load the configuration file. By making use of the +default section both values can be looked up with \fB\s-1TEMP\s0\fR taking +priority and \fB/tmp\fR used if neither is defined: +.PP +.Vb 5 +\& TMP=/tmp +\& # The above value is used if TMP isn't in the environment +\& TEMP=$ENV::TMP +\& # The above value is used if TEMP isn't in the environment +\& tmpfile=${ENV::TEMP}/tmp.filename +.Ve +.SH "BUGS" +.IX Header "BUGS" +Currently there is no way to include characters using the octal \fB\ennn\fR +form. Strings are all null terminated so nulls cannot form part of +the value. +.PP +The escaping isn't quite right: if you want to use sequences like \fB\en\fR +you can't use any quote escaping on the same line. +.PP +Files are loaded in a single pass. This means that an variable expansion +will only work if the variables referenced are defined earlier in the +file. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +x509(1), req(1), ca(1) diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1 new file mode 100644 index 0000000..c3103ff --- /dev/null +++ b/secure/usr.bin/openssl/man/crl.1 @@ -0,0 +1,237 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:03 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "crl 3" +.TH crl 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +crl \- \s-1CRL\s0 utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBcrl\fR +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-text\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-hash\fR] +[\fB\-issuer\fR] +[\fB\-lastupdate\fR] +[\fB\-nextupdate\fR] +[\fB\-CAfile file\fR] +[\fB\-CApath dir\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0 +structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of +the \s-1DER\s0 form with header and footer lines. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read from or standard input if this +option is not specified. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specifies the output filename to write to or standard output by +default. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +print out the \s-1CRL\s0 in text form. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +don't output the encoded version of the \s-1CRL\s0. +.Ip "\fB\-hash\fR" 4 +.IX Item "-hash" +output a hash of the issuer name. This can be use to lookup CRLs in +a directory by issuer name. +.Ip "\fB\-issuer\fR" 4 +.IX Item "-issuer" +output the issuer name. +.Ip "\fB\-lastupdate\fR" 4 +.IX Item "-lastupdate" +output the lastUpdate field. +.Ip "\fB\-nextupdate\fR" 4 +.IX Item "-nextupdate" +output the nextUpdate field. +.Ip "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in +\&\fBfile\fR +.Ip "\fB\-CApath dir\fR" 4 +.IX Item "-CApath dir" +verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in +\&\fBdir\fR. This directory must be a standard certificate directory: that +is a hash of each subject name (using \fBx509 \-hash\fR) should be linked +to each certificate. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 \s-1CRL\s0 format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN X509 CRL----- +\& -----END X509 CRL----- +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0 +.PP +.Vb 1 +\& openssl crl -in crl.pem -outform DER -out crl.der +.Ve +Output the text form of a \s-1DER\s0 encoded certificate: +.PP +.Vb 1 +\& openssl crl -in crl.der -text -noout +.Ve +.SH "BUGS" +.IX Header "BUGS" +Ideally it should be possible to create a \s-1CRL\s0 using appropriate options +and files too. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +crl2pkcs7(1), ca(1), x509(1) diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1 new file mode 100644 index 0000000..3f879f4 --- /dev/null +++ b/secure/usr.bin/openssl/man/crl2pkcs7.1 @@ -0,0 +1,216 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:04 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "crl2pkcs7 3" +.TH crl2pkcs7 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +crl2pkcs7 \- Create a PKCS#7 structure from a \s-1CRL\s0 and certificates. +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBcrl2pkcs7\fR +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-certfile filename\fR] +[\fB\-nocrl\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBcrl2pkcs7\fR command takes an optional \s-1CRL\s0 and one or more +certificates and converts them into a PKCS#7 degenerate \*(L"certificates +only\*(R" structure. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0 +structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of +the \s-1DER\s0 form with header and footer lines. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0 +encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of +the \s-1DER\s0 form with header and footer lines. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a \s-1CRL\s0 from or standard input if this +option is not specified. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specifies the output filename to write the PKCS#7 structure to or standard +output by default. +.Ip "\fB\-certfile filename\fR" 4 +.IX Item "-certfile filename" +specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format. +All certificates in the file will be added to the PKCS#7 structure. This +option can be used more than once to read certificates form multiple +files. +.Ip "\fB\-nocrl\fR" 4 +.IX Item "-nocrl" +normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is +included in the output file and a \s-1CRL\s0 is not read from the input file. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create a PKCS#7 structure from a certificate and \s-1CRL:\s0 +.PP +.Vb 1 +\& openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem +.Ve +Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several +different certificates: +.PP +.Vb 2 +\& openssl crl2pkcs7 -nocrl -certfile newcert.pem +\& -certfile demoCA/cacert.pem -outform DER -out p7.der +.Ve +.SH "NOTES" +.IX Header "NOTES" +The output file is a PKCS#7 signed data structure containing no signers and +just certificates and an optional \s-1CRL\s0. +.PP +This utility can be used to send certificates and CAs to Netscape as part of +the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output +as \s-1MIME\s0 type application/x-x509\-user-cert. +.PP +The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can be used to +install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +pkcs7(1) diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1 new file mode 100644 index 0000000..c9a9096 --- /dev/null +++ b/secure/usr.bin/openssl/man/dgst.1 @@ -0,0 +1,223 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:05 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "dgst 3" +.TH dgst 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBdgst\fR +[\fB\-md5|\-md4|\-md2|\-sha1|\-sha|\-mdc2|\-ripemd160|\-dss1\fR] +[\fB\-c\fR] +[\fB\-d\fR] +[\fB\-hex\fR] +[\fB\-binary\fR] +[\fB\-out filename\fR] +[\fB\-sign filename\fR] +[\fB\-verify filename\fR] +[\fB\-prverify filename\fR] +[\fB\-signature filename\fR] +[\fBfile...\fR] +.PP +[\fBmd5|md4|md2|sha1|sha|mdc2|ripemd160\fR] +[\fB\-c\fR] +[\fB\-d\fR] +[\fBfile...\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The digest functions output the message digest of a supplied file or files +in hexadecimal form. They can also be used for digital signing and verification. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-c\fR" 4 +.IX Item "-c" +print out the digest in two digit groups separated by colons, only relevant if +\&\fBhex\fR format output is used. +.Ip "\fB\-d\fR" 4 +.IX Item "-d" +print out \s-1BIO\s0 debugging information. +.Ip "\fB\-hex\fR" 4 +.IX Item "-hex" +digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R" +digest as opposed to a digital signature. +.Ip "\fB\-binary\fR" 4 +.IX Item "-binary" +output the digest or signature in binary form. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +filename to output to, or standard output by default. +.Ip "\fB\-sign filename\fR" 4 +.IX Item "-sign filename" +digitally sign the digest using the private key in \*(L"filename\*(R". +.Ip "\fB\-verify filename\fR" 4 +.IX Item "-verify filename" +verify the signature using the the public key in \*(L"filename\*(R". +The output is either \*(L"Verification \s-1OK\s0\*(R" or \*(L"Verification Failure\*(R". +.Ip "\fB\-prverify filename\fR" 4 +.IX Item "-prverify filename" +verify the signature using the the private key in \*(L"filename\*(R". +.Ip "\fB\-signature filename\fR" 4 +.IX Item "-signature filename" +the actual signature to verify. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.Ip "\fBfile...\fR" 4 +.IX Item "file..." +file or files to digest. If no files are specified then standard input is +used. +.SH "NOTES" +.IX Header "NOTES" +The digest of choice for all new applications is \s-1SHA1\s0. Other digests are +however still widely used. +.PP +If you wish to sign or verify data using the \s-1DSA\s0 algorithm then the dss1 +digest must be used. +.PP +A source of random numbers is required for certain signing algorithms, in +particular \s-1DSA\s0. +.PP +The signing and verify options should only be used if a single file is +being signed or verified. diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1 new file mode 100644 index 0000000..755b3a2 --- /dev/null +++ b/secure/usr.bin/openssl/man/dhparam.1 @@ -0,0 +1,249 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:06 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "dhparam 3" +.TH dhparam 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +dhparam \- \s-1DH\s0 parameter manipulation and generation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl dhparam\fR +[\fB\-inform DER|PEM\fR] +[\fB\-outform DER|PEM\fR] +[\fB\-in\fR \fIfilename\fR] +[\fB\-out\fR \fIfilename\fR] +[\fB\-dsaparam\fR] +[\fB\-noout\fR] +[\fB\-text\fR] +[\fB\-C\fR] +[\fB\-2\fR] +[\fB\-5\fR] +[\fB\-rand\fR \fI\fIfile\fI\|(s)\fR] +[\fInumbits\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to manipulate \s-1DH\s0 parameter files. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded +form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the +default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with +additional header and footer lines. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in\fR \fIfilename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read parameters from or standard input if +this option is not specified. +.Ip "\fB\-out\fR \fIfilename\fR" 4 +.IX Item "-out filename" +This specifies the output filename parameters to. Standard output is used +if this option is not present. The output filename should \fBnot\fR be the same +as the input filename. +.Ip "\fB\-dsaparam\fR" 4 +.IX Item "-dsaparam" +If this option is used, \s-1DSA\s0 rather than \s-1DH\s0 parameters are read or created; +they are converted to \s-1DH\s0 format. Otherwise, \*(L"strong\*(R" primes (such +that (p-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation. +.Sp +\&\s-1DH\s0 parameter generation with the \fB\-dsaparam\fR option is much faster, +and the recommended exponent length is shorter, which makes \s-1DH\s0 key +exchange more efficient. Beware that with such DSA-style \s-1DH\s0 +parameters, a fresh \s-1DH\s0 key should be created for each use to +avoid small-subgroup attacks that may be possible otherwise. +.Ip "\fB\-2\fR, \fB\-5\fR" 4 +.IX Item "-2, -5" +The generator to use, either 2 or 5. 2 is the default. If present then the +input file is ignored and parameters are generated instead. +.Ip "\fB\-rand\fR \fI\fIfile\fI\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.Ip "\fInumbits\fR" 4 +.IX Item "numbits" +this option specifies that a parameter set should be generated of size +\&\fInumbits\fR. It must be the last option. If not present then a value of 512 +is used. If this option is present then the input file is ignored and +parameters are generated instead. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +this option inhibits the output of the encoded version of the parameters. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +this option prints out the \s-1DH\s0 parameters in human readable form. +.Ip "\fB\-C\fR" 4 +.IX Item "-C" +this option converts the parameters into C code. The parameters can then +be loaded by calling the \fBget_dh\fR\fInumbits\fR\fB()\fR function. +.SH "WARNINGS" +.IX Header "WARNINGS" +The program \fBdhparam\fR combines the functionality of the programs \fBdh\fR and +\&\fBgendh\fR in previous versions of OpenSSL and SSLeay. The \fBdh\fR and \fBgendh\fR +programs are retained for now but may have different purposes in future +versions of OpenSSL. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1PEM\s0 format \s-1DH\s0 parameters use the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN DH PARAMETERS----- +\& -----END DH PARAMETERS----- +.Ve +OpenSSL currently only supports the older PKCS#3 \s-1DH\s0, not the newer X9.42 +\&\s-1DH\s0. +.PP +This program manipulates \s-1DH\s0 parameters not keys. +.SH "BUGS" +.IX Header "BUGS" +There should be a way to generate and manipulate \s-1DH\s0 keys. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +dsaparam(1) +.SH "HISTORY" +.IX Header "HISTORY" +The \fBdhparam\fR command was added in OpenSSL 0.9.5. +The \fB\-dsaparam\fR option was added in OpenSSL 0.9.6. diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1 new file mode 100644 index 0000000..8abfe40 --- /dev/null +++ b/secure/usr.bin/openssl/man/dsa.1 @@ -0,0 +1,275 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:07 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "dsa 3" +.TH dsa 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +dsa \- \s-1DSA\s0 key processing +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBdsa\fR +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-modulus\fR] +[\fB\-pubin\fR] +[\fB\-pubout\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBdsa\fR command processes \s-1DSA\s0 keys. They can be converted between various +forms and their components printed out. \fBNote\fR This command uses the +traditional SSLeay compatible format for private key encryption: newer +applications should use the more secure PKCS#8 format using the \fBpkcs8\fR +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses +an \s-1ASN1\s0 \s-1DER\s0 encoded form of an \s-1ASN\s0.1 \s-1SEQUENCE\s0 consisting of the values of +version (currently zero), p, q, g, the public and private key components +respectively as \s-1ASN\s0.1 INTEGERs. When used with a public key it uses a +SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA\s0. +.Sp +The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 +encoded with additional header and footer lines. In the case of a private key +PKCS#8 format is also accepted. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.Ip "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output by +is not specified. If any encryption options are set then a pass phrase will be +prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.Ip "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +the output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-des|\-des3|\-idea\fR" 4 +.IX Item "-des|-des3|-idea" +These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the +\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for. +If none of these options is specified the key is written in plain text. This +means that using the \fBdsa\fR utility to read in an encrypted key with no +encryption option can be used to remove the pass phrase from a key, or by +setting the encryption options it can be use to add or change the pass phrase. +These options can only be used with \s-1PEM\s0 format output files. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +prints out the public, private key components and parameters. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the encoded version of the key. +.Ip "\fB\-modulus\fR" 4 +.IX Item "-modulus" +this option prints out the value of the public key component of the key. +.Ip "\fB\-pubin\fR" 4 +.IX Item "-pubin" +by default a private key is read from the input file: with this option a +public key is read instead. +.Ip "\fB\-pubout\fR" 4 +.IX Item "-pubout" +by default a private key is output. With this option a public +key will be output instead. This option is automatically set if the input is +a public key. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 private key format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN DSA PRIVATE KEY----- +\& -----END DSA PRIVATE KEY----- +.Ve +The \s-1PEM\s0 public key format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN PUBLIC KEY----- +\& -----END PUBLIC KEY----- +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To remove the pass phrase on a \s-1DSA\s0 private key: +.PP +.Vb 1 +\& openssl dsa -in key.pem -out keyout.pem +.Ve +To encrypt a private key using triple \s-1DES:\s0 +.PP +.Vb 1 +\& openssl dsa -in key.pem -des3 -out keyout.pem +.Ve +To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl dsa -in key.pem -outform DER -out keyout.der +.Ve +To print out the components of a private key to standard output: +.PP +.Vb 1 +\& openssl dsa -in key.pem -text -noout +.Ve +To just output the public part of a private key: +.PP +.Vb 1 +\& openssl dsa -in key.pem -pubout -out pubkey.pem +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +dsaparam(1), gendsa(1), rsa(1), +genrsa(1) diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1 new file mode 100644 index 0000000..ae4b089 --- /dev/null +++ b/secure/usr.bin/openssl/man/dsaparam.1 @@ -0,0 +1,222 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:08 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "dsaparam 3" +.TH dsaparam 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +dsaparam \- \s-1DSA\s0 parameter manipulation and generation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl dsaparam\fR +[\fB\-inform DER|PEM\fR] +[\fB\-outform DER|PEM\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-text\fR] +[\fB\-C\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +[\fB\-genkey\fR] +[\fBnumbits\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to manipulate or generate \s-1DSA\s0 parameter files. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded +form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting +of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists +of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read parameters from or standard input if +this option is not specified. If the \fBnumbits\fR parameter is included then +this option will be ignored. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename parameters to. Standard output is used +if this option is not present. The output filename should \fBnot\fR be the same +as the input filename. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +this option inhibits the output of the encoded version of the parameters. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +this option prints out the \s-1DSA\s0 parameters in human readable form. +.Ip "\fB\-C\fR" 4 +.IX Item "-C" +this option converts the parameters into C code. The parameters can then +be loaded by calling the \fB\f(BIget_dsaXXX()\fB\fR function. +.Ip "\fB\-genkey\fR" 4 +.IX Item "-genkey" +this option will generate a \s-1DSA\s0 either using the specified or generated +parameters. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.Ip "\fBnumbits\fR" 4 +.IX Item "numbits" +this option specifies that a parameter set should be generated of size +\&\fBnumbits\fR. It must be the last option. If this option is included then +the input file (if any) is ignored. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1PEM\s0 format \s-1DSA\s0 parameters use the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN DSA PARAMETERS----- +\& -----END DSA PARAMETERS----- +.Ve +\&\s-1DSA\s0 parameter generation is a slow process and as a result the same set of +\&\s-1DSA\s0 parameters is often used to generate several distinct keys. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +gendsa(1), dsa(1), genrsa(1), +rsa(1) diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1 new file mode 100644 index 0000000..dc372f2 --- /dev/null +++ b/secure/usr.bin/openssl/man/enc.1 @@ -0,0 +1,399 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:09 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "enc 3" +.TH enc 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +enc \- symmetric cipher routines +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl enc \-ciphername\fR +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-pass arg\fR] +[\fB\-e\fR] +[\fB\-d\fR] +[\fB\-a\fR] +[\fB\-A\fR] +[\fB\-k password\fR] +[\fB\-kfile filename\fR] +[\fB\-K key\fR] +[\fB\-iv \s-1IV\s0\fR] +[\fB\-p\fR] +[\fB\-P\fR] +[\fB\-bufsize number\fR] +[\fB\-nopad\fR] +[\fB\-debug\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The symmetric cipher commands allow data to be encrypted or decrypted +using various block and stream ciphers using keys based on passwords +or explicitly provided. Base64 encoding or decoding can also be performed +either by itself or in addition to the encryption or decryption. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +the input filename, standard input by default. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +the output filename, standard output by default. +.Ip "\fB\-pass arg\fR" 4 +.IX Item "-pass arg" +the password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-salt\fR" 4 +.IX Item "-salt" +use a salt in the key derivation routines. This option should \fB\s-1ALWAYS\s0\fR +be used unless compatibility with previous versions of OpenSSL or SSLeay +is required. This option is only present on OpenSSL versions 0.9.5 or +above. +.Ip "\fB\-nosalt\fR" 4 +.IX Item "-nosalt" +don't use a salt in the key derivation routines. This is the default for +compatibility with previous versions of OpenSSL and SSLeay. +.Ip "\fB\-e\fR" 4 +.IX Item "-e" +encrypt the input data: this is the default. +.Ip "\fB\-d\fR" 4 +.IX Item "-d" +decrypt the input data. +.Ip "\fB\-a\fR" 4 +.IX Item "-a" +base64 process the data. This means that if encryption is taking place +the data is base64 encoded after encryption. If decryption is set then +the input data is base64 decoded before being decrypted. +.Ip "\fB\-A\fR" 4 +.IX Item "-A" +if the \fB\-a\fR option is set then base64 process the data on one line. +.Ip "\fB\-k password\fR" 4 +.IX Item "-k password" +the password to derive the key from. This is for compatibility with previous +versions of OpenSSL. Superseded by the \fB\-pass\fR argument. +.Ip "\fB\-kfile filename\fR" 4 +.IX Item "-kfile filename" +read the password to derive the key from the first line of \fBfilename\fR. +This is for computability with previous versions of OpenSSL. Superseded by +the \fB\-pass\fR argument. +.Ip "\fB\-S salt\fR" 4 +.IX Item "-S salt" +the actual salt to use: this must be represented as a string comprised only +of hex digits. +.Ip "\fB\-K key\fR" 4 +.IX Item "-K key" +the actual key to use: this must be represented as a string comprised only +of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified +using the \fB\-iv\fR option. When both a key and a password are specified, the +key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the +password will be taken. It probably does not make much sense to specify +both key and password. +.Ip "\fB\-iv \s-1IV\s0\fR" 4 +.IX Item "-iv IV" +the actual \s-1IV\s0 to use: this must be represented as a string comprised only +of hex digits. When only the key is specified using the \fB\-K\fR option, the +\&\s-1IV\s0 must explicitly be defined. When a password is being specified using +one of the other options, the \s-1IV\s0 is generated from this password. +.Ip "\fB\-p\fR" 4 +.IX Item "-p" +print out the key and \s-1IV\s0 used. +.Ip "\fB\-P\fR" 4 +.IX Item "-P" +print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption +or decryption. +.Ip "\fB\-bufsize number\fR" 4 +.IX Item "-bufsize number" +set the buffer size for I/O +.Ip "\fB\-nopad\fR" 4 +.IX Item "-nopad" +disable standard block padding +.Ip "\fB\-debug\fR" 4 +.IX Item "-debug" +debug the BIOs used for I/O. +.SH "NOTES" +.IX Header "NOTES" +The program can be called either as \fBopenssl ciphername\fR or +\&\fBopenssl enc \-ciphername\fR. +.PP +A password will be prompted for to derive the key and \s-1IV\s0 if necessary. +.PP +The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived +from a password unless you want compatibility with previous versions of +OpenSSL and SSLeay. +.PP +Without the \fB\-salt\fR option it is possible to perform efficient dictionary +attacks on the password and to attack stream cipher encrypted data. The reason +for this is that without the salt the same password always generates the same +encryption key. When the salt is being used the first eight bytes of the +encrypted data are reserved for the salt: it is generated at random when +encrypting a file and read from the encrypted file when it is decrypted. +.PP +Some of the ciphers do not have large keys and others have security +implications if not used correctly. A beginner is advised to just use +a strong block cipher in \s-1CBC\s0 mode such as bf or des3. +.PP +All the block ciphers normally use PKCS#5 padding also known as standard block +padding: this allows a rudimentary integrity or password check to be +performed. However since the chance of random data passing the test is +better than 1 in 256 it isn't a very good test. +.PP +If padding is disabled then the input data must be a multiple of the cipher +block length. +.PP +All \s-1RC2\s0 ciphers have the same key and effective key length. +.PP +Blowfish and \s-1RC5\s0 algorithms use a 128 bit key. +.SH "SUPPORTED CIPHERS" +.IX Header "SUPPORTED CIPHERS" +.Vb 1 +\& base64 Base 64 +.Ve +.Vb 5 +\& bf-cbc Blowfish in CBC mode +\& bf Alias for bf-cbc +\& bf-cfb Blowfish in CFB mode +\& bf-ecb Blowfish in ECB mode +\& bf-ofb Blowfish in OFB mode +.Ve +.Vb 6 +\& cast-cbc CAST in CBC mode +\& cast Alias for cast-cbc +\& cast5-cbc CAST5 in CBC mode +\& cast5-cfb CAST5 in CFB mode +\& cast5-ecb CAST5 in ECB mode +\& cast5-ofb CAST5 in OFB mode +.Ve +.Vb 5 +\& des-cbc DES in CBC mode +\& des Alias for des-cbc +\& des-cfb DES in CBC mode +\& des-ofb DES in OFB mode +\& des-ecb DES in ECB mode +.Ve +.Vb 4 +\& des-ede-cbc Two key triple DES EDE in CBC mode +\& des-ede Alias for des-ede +\& des-ede-cfb Two key triple DES EDE in CFB mode +\& des-ede-ofb Two key triple DES EDE in OFB mode +.Ve +.Vb 5 +\& des-ede3-cbc Three key triple DES EDE in CBC mode +\& des-ede3 Alias for des-ede3-cbc +\& des3 Alias for des-ede3-cbc +\& des-ede3-cfb Three key triple DES EDE CFB mode +\& des-ede3-ofb Three key triple DES EDE in OFB mode +.Ve +.Vb 1 +\& desx DESX algorithm. +.Ve +.Vb 5 +\& idea-cbc IDEA algorithm in CBC mode +\& idea same as idea-cbc +\& idea-cfb IDEA in CFB mode +\& idea-ecb IDEA in ECB mode +\& idea-ofb IDEA in OFB mode +.Ve +.Vb 7 +\& rc2-cbc 128 bit RC2 in CBC mode +\& rc2 Alias for rc2-cbc +\& rc2-cfb 128 bit RC2 in CBC mode +\& rc2-ecb 128 bit RC2 in CBC mode +\& rc2-ofb 128 bit RC2 in CBC mode +\& rc2-64-cbc 64 bit RC2 in CBC mode +\& rc2-40-cbc 40 bit RC2 in CBC mode +.Ve +.Vb 3 +\& rc4 128 bit RC4 +\& rc4-64 64 bit RC4 +\& rc4-40 40 bit RC4 +.Ve +.Vb 5 +\& rc5-cbc RC5 cipher in CBC mode +\& rc5 Alias for rc5-cbc +\& rc5-cfb RC5 cipher in CBC mode +\& rc5-ecb RC5 cipher in CBC mode +\& rc5-ofb RC5 cipher in CBC mode +.Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Just base64 encode a binary file: +.PP +.Vb 1 +\& openssl base64 -in file.bin -out file.b64 +.Ve +Decode the same file +.PP +.Vb 1 +\& openssl base64 -d -in file.b64 -out file.bin +.Ve +Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password: +.PP +.Vb 1 +\& openssl des3 -salt -in file.txt -out file.des3 +.Ve +Decrypt a file using a supplied password: +.PP +.Vb 1 +\& openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword +.Ve +Encrypt a file then base64 encode it (so it can be sent via mail for example) +using Blowfish in \s-1CBC\s0 mode: +.PP +.Vb 1 +\& openssl bf -a -salt -in file.txt -out file.bf +.Ve +Base64 decode a file then decrypt it: +.PP +.Vb 1 +\& openssl bf -d -salt -a -in file.bf -out file.txt +.Ve +Decrypt some data using a supplied 40 bit \s-1RC4\s0 key: +.PP +.Vb 1 +\& openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405 +.Ve +.SH "BUGS" +.IX Header "BUGS" +The \fB\-A\fR option when used with large files doesn't work properly. +.PP +There should be an option to allow an iteration count to be included. +.PP +The \fBenc\fR program only supports a fixed number of algorithms with +certain parameters. So if, for example, you want to use \s-1RC2\s0 with a +76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program. diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1 new file mode 100644 index 0000000..6ec8233 --- /dev/null +++ b/secure/usr.bin/openssl/man/gendsa.1 @@ -0,0 +1,184 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:10 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "gendsa 3" +.TH gendsa 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +gendsa \- generate a \s-1DSA\s0 private key from a set of parameters +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBgendsa\fR +[\fB\-out filename\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +[\fBparamfile\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file +(which will be typically generated by the \fBopenssl dsaparam\fR command). +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-des|\-des3|\-idea\fR" 4 +.IX Item "-des|-des3|-idea" +These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the +\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for. +If none of these options is specified no encryption is used. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.Ip "\fBparamfile\fR" 4 +.IX Item "paramfile" +This option specifies the \s-1DSA\s0 parameter file to use. The parameters in this +file determine the size of the private key. \s-1DSA\s0 parameters can be generated +and examined using the \fBopenssl dsaparam\fR command. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1DSA\s0 key generation is little more than random number generation so it is +much quicker that \s-1RSA\s0 key generation for example. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +dsaparam(1), dsa(1), genrsa(1), +rsa(1) diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1 new file mode 100644 index 0000000..dfe2627 --- /dev/null +++ b/secure/usr.bin/openssl/man/genrsa.1 @@ -0,0 +1,209 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:11 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "genrsa 3" +.TH genrsa 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +genrsa \- generate an \s-1RSA\s0 private key +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBgenrsa\fR +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-f4\fR] +[\fB\-3\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +[\fBnumbits\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBgenrsa\fR command generates an \s-1RSA\s0 private key. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +the output filename. If this argument is not specified then standard output is +used. +.Ip "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +the output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-des|\-des3|\-idea\fR" 4 +.IX Item "-des|-des3|-idea" +These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the +\&\s-1IDEA\s0 ciphers respectively before outputting it. If none of these options is +specified no encryption is used. If encryption is used a pass phrase is prompted +for if it is not supplied via the \fB\-passout\fR argument. +.Ip "\fB\-F4|\-3\fR" 4 +.IX Item "-F4|-3" +the public exponent to use, either 65537 or 3. The default is 65537. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.Ip "\fBnumbits\fR" 4 +.IX Item "numbits" +the size of the private key to generate in bits. This must be the last option +specified. The default is 512. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1RSA\s0 private key generation essentially involves the generation of two prime +numbers. When generating a private key various symbols will be output to +indicate the progress of the generation. A \fB.\fR represents each number which +has passed an initial sieve test, \fB+\fR means a number has passed a single +round of the Miller-Rabin primality test. A newline means that the number has +passed all the prime tests (the actual number depends on the key size). +.PP +Because key generation is a random process the time taken to generate a key +may vary somewhat. +.SH "BUGS" +.IX Header "BUGS" +A quirk of the prime generation algorithm is that it cannot generate small +primes. Therefore the number of bits should not be less that 64. For typical +private keys this will not matter because for security reasons they will +be much larger (typically 1024 bits). +.SH "SEE ALSO" +.IX Header "SEE ALSO" +gendsa(1) diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1 new file mode 100644 index 0000000..a47412b --- /dev/null +++ b/secure/usr.bin/openssl/man/nseq.1 @@ -0,0 +1,199 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:12 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "nseq 3" +.TH nseq 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +nseq \- create or examine a netscape certificate sequence +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBnseq\fR +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-toseq\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBnseq\fR command takes a file containing a Netscape certificate +sequence and prints out the certificates contained in it or takes a +file of certificates and converts it into a Netscape certificate +sequence. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read or standard input if this +option is not specified. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specifies the output filename or standard output by default. +.Ip "\fB\-toseq\fR" 4 +.IX Item "-toseq" +normally a Netscape certificate sequence will be input and the output +is the certificates contained in it. With the \fB\-toseq\fR option the +situation is reversed: a Netscape certificate sequence is created from +a file of certificates. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Output the certificates in a Netscape certificate sequence +.PP +.Vb 1 +\& openssl nseq -in nseq.pem -out certs.pem +.Ve +Create a Netscape certificate sequence +.PP +.Vb 1 +\& openssl nseq -in certs.pem -toseq -out nseq.pem +.Ve +.SH "NOTES" +.IX Header "NOTES" +The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certificate: +.PP +.Vb 2 +\& -----BEGIN CERTIFICATE----- +\& -----END CERTIFICATE----- +.Ve +A Netscape certificate sequence is a Netscape specific form that can be sent +to browsers as an alternative to the standard PKCS#7 format when several +certificates are sent to the browser: for example during certificate enrollment. +It is used by Netscape certificate server for example. +.SH "BUGS" +.IX Header "BUGS" +This program needs a few more options: like allowing \s-1DER\s0 or \s-1PEM\s0 input and +output files and allowing multiple certificate files to be used. diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1 new file mode 100644 index 0000000..c312ec6 --- /dev/null +++ b/secure/usr.bin/openssl/man/ocsp.1 @@ -0,0 +1,451 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:13 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "ocsp 3" +.TH ocsp 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +ocsp \- Online Certificate Status Protocol utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBocsp\fR +[\fB\-out file\fR] +[\fB\-issuer file\fR] +[\fB\-cert file\fR] +[\fB\-serial n\fR] +[\fB\-req_text\fR] +[\fB\-resp_text\fR] +[\fB\-text\fR] +[\fB\-reqout file\fR] +[\fB\-respout file\fR] +[\fB\-reqin file\fR] +[\fB\-respin file\fR] +[\fB\-nonce\fR] +[\fB\-no_nonce\fR] +[\fB\-url responder_url\fR] +[\fB\-host host:n\fR] +[\fB\-path\fR] +[\fB\-CApath file\fR] +[\fB\-CAfile file\fR] +[\fB\-VAfile file\fR] +[\fB\-verify_certs file\fR] +[\fB\-noverify\fR] +[\fB\-trust_other\fR] +[\fB\-no_intern\fR] +[\fB\-no_sig_verify\fR] +[\fB\-no_cert_verify\fR] +[\fB\-no_chain\fR] +[\fB\-no_cert_checks\fR] +[\fB\-validity_period nsec\fR] +[\fB\-status_age nsec\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fB\s-1WARNING:\s0 this documentation is preliminary and subject to change.\fR +.PP +The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to +determine the (revocation) state of an identified certificate (\s-1RFC\s0 2560). +.PP +The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used +to print out requests and responses, create requests and send queries +to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself. +.SH "OCSP CLIENT OPTIONS" +.IX Header "OCSP CLIENT OPTIONS" +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specify output filename, default is standard output. +.Ip "\fB\-issuer filename\fR" 4 +.IX Item "-issuer filename" +This specifies the current issuer certificate. This option can be used +multiple times. The certificate specified in \fBfilename\fR must be in +\&\s-1PEM\s0 format. +.Ip "\fB\-cert filename\fR" 4 +.IX Item "-cert filename" +Add the certificate \fBfilename\fR to the request. The issuer certificate +is taken from the previous \fBissuer\fR option, or an error occurs if no +issuer certificate is specified. +.Ip "\fB\-serial num\fR" 4 +.IX Item "-serial num" +Same as the \fBcert\fR option except the certificate with serial number +\&\fBnum\fR is added to the request. The serial number is interpreted as a +decimal integer unless preceded by \fB0x\fR. Negative integers can also +be specified by preceding the value by a \fB-\fR sign. +.Ip "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4 +.IX Item "-signer filename, -signkey filename" +Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR +option and the private key specified by the \fBsignkey\fR option. If +the \fBsignkey\fR option is not present then the private key is read +from the same file as the certificate. If neither option is specified then +the \s-1OCSP\s0 request is not signed. +.Ip "\fB\-nonce\fR, \fB\-no_nonce\fR" 4 +.IX Item "-nonce, -no_nonce" +Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition. +Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no +nonce is added: using the \fBnonce\fR option will force addition of a nonce. +If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options) +a nonce is automatically added specifying \fBno_nonce\fR overrides this. +.Ip "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4 +.IX Item "-req_text, -resp_text, -text" +print out the text form of the \s-1OCSP\s0 request, response or both respectively. +.Ip "\fB\-reqout file\fR, \fB\-respout file\fR" 4 +.IX Item "-reqout file, -respout file" +write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR. +.Ip "\fB\-reqin file\fR, \fB\-respin file\fR" 4 +.IX Item "-reqin file, -respin file" +read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored +if \s-1OCSP\s0 request or response creation is implied by other options (for example +with \fBserial\fR, \fBcert\fR and \fBhost\fR options). +.Ip "\fB\-url responder_url\fR" 4 +.IX Item "-url responder_url" +specify the responder \s-1URL\s0. Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified. +.Ip "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4 +.IX Item "-host hostname:port, -path pathname" +if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host +\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use +or \*(L"/\*(R" by default. +.Ip "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4 +.IX Item "-CAfile file, -CApath pathname" +file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify +the signature on the \s-1OCSP\s0 response. +.Ip "\fB\-verify_certs file\fR" 4 +.IX Item "-verify_certs file" +file containing additional certificates to search when attempting to locate +the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's +certificate from the response: this option can be used to supply the necessary +certificate in such cases. +.Ip "\fB\-trust_other\fR" 4 +.IX Item "-trust_other" +the certificates specified by the \fB\-verify_certs\fR option should be explicitly +trusted and no additional checks will be performed on them. This is useful +when the complete responder certificate chain is not available or trusting a +root \s-1CA\s0 is not appropriate. +.Ip "\fB\-VAfile file\fR" 4 +.IX Item "-VAfile file" +file containing explicitly trusted responder certificates. Equivalent to the +\&\fB\-verify_certs\fR and \fB\-trust_other\fR options. +.Ip "\fB\-noverify\fR" 4 +.IX Item "-noverify" +don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This +option will normally only be used for debugging since it disables all verification +of the responders certificate. +.Ip "\fB\-no_intern\fR" 4 +.IX Item "-no_intern" +ignore certificates contained in the \s-1OCSP\s0 response when searching for the +signers certificate. With this option the signers certificate must be specified +with either the \fB\-verify_certs\fR or \fB\-VAfile\fR options. +.Ip "\fB\-no_sig_verify\fR" 4 +.IX Item "-no_sig_verify" +don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid +signatures on \s-1OCSP\s0 responses it will normally only be used for testing purposes. +.Ip "\fB\-no_cert_verify\fR" 4 +.IX Item "-no_cert_verify" +don't verify the \s-1OCSP\s0 response signers certificate at all. Since this option allows +the \s-1OCSP\s0 response to be signed by any certificate it should only be used for +testing purposes. +.Ip "\fB\-no_chain\fR" 4 +.IX Item "-no_chain" +do not use certificates in the response as additional untrusted \s-1CA\s0 +certificates. +.Ip "\fB\-no_cert_checks\fR" 4 +.IX Item "-no_cert_checks" +don't perform any additional checks on the \s-1OCSP\s0 response signers certificate. +That is do not make any checks to see if the signers certificate is authorised +to provide the necessary status information: as a result this option should +only be used for testing purposes. +.Ip "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4 +.IX Item "-validity_period nsec, -status_age age" +these options specify the range of times, in seconds, which will be tolerated +in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and +an optional \fBnotAfter\fR time. The current time should fall between these two values, but +the interval between the two times may be only a few seconds. In practice the \s-1OCSP\s0 +responder and clients clocks may not be precisely synchronised and so such a check +may fail. To avoid this the \fB\-validity_period\fR option can be used to specify an +acceptable error range in seconds, the default value is 5 minutes. +.Sp +If the \fBnotAfter\fR time is omitted from a response then this means that new status +information is immediately available. In this case the age of the \fBnotBefore\fR field +is checked to see it is not older than \fBage\fR seconds old. By default this additional +check is not performed. +.SH "OCSP SERVER OPTIONS" +.IX Header "OCSP SERVER OPTIONS" +.Ip "\fB\-index indexfile\fR" 4 +.IX Item "-index indexfile" +\&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation +information. +.Sp +If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder mode, otherwise +it is in client mode. The \fIrequest\fR\|(s) the responder processes can be either specified on +the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the +\&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified). +.Sp +If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be +present. +.Ip "\fB\-CA file\fR" 4 +.IX Item "-CA file" +\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR. +.Ip "\fB\-rsigner file\fR" 4 +.IX Item "-rsigner file" +The certificate to sign \s-1OCSP\s0 responses with. +.Ip "\fB\-rother file\fR" 4 +.IX Item "-rother file" +Additional certificates to include in the \s-1OCSP\s0 response. +.Ip "\fB\-resp_no_certs\fR" 4 +.IX Item "-resp_no_certs" +Don't include any certificates in the \s-1OCSP\s0 response. +.Ip "\fB\-resp_key_id\fR" 4 +.IX Item "-resp_key_id" +Identify the signer certificate using the key \s-1ID\s0, default is to use the subject name. +.Ip "\fB\-rkey file\fR" 4 +.IX Item "-rkey file" +The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the +\&\fBrsigner\fR option is used. +.Ip "\fB\-port portnum\fR" 4 +.IX Item "-port portnum" +Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR +option. +.Ip "\fB\-nrequest number\fR" 4 +.IX Item "-nrequest number" +The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited. +.Ip "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4 +.IX Item "-nmin minutes, -ndays days" +Number of minutes or days when fresh revocation information is available: used in the +\&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is +omitted meaning fresh revocation information is immediately available. +.SH "OCSP Response verification." +.IX Header "OCSP Response verification." +\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560\s0. +.PP +Initially the \s-1OCSP\s0 responder certificate is located and the signature on +the \s-1OCSP\s0 request checked using the responder certificate's public key. +.PP +Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate +building up a certificate chain in the process. The locations of the trusted +certificates used to build the chain can be specified by the \fBCAfile\fR +and \fBCApath\fR options or they will be looked for in the standard OpenSSL +certificates directory. +.PP +If the initial verify fails then the \s-1OCSP\s0 verify process halts with an +error. +.PP +Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0 +responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds. +.PP +Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing +\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning +extended key usage is present in the \s-1OCSP\s0 responder certificate then the +\&\s-1OCSP\s0 verify succeeds. +.PP +Otherwise the root \s-1CA\s0 of the \s-1OCSP\s0 responders \s-1CA\s0 is checked to see if it +is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0 verify succeeds. +.PP +If none of these checks is successful then the \s-1OCSP\s0 verify fails. +.PP +What this effectively means if that if the \s-1OCSP\s0 responder certificate is +authorised directly by the \s-1CA\s0 it is issuing revocation information about +(and it is correctly configured) then verification will succeed. +.PP +If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about +multiple CAs and has its own separate certificate chain then its root +\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example: +.PP +.Vb 1 +\& openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem +.Ve +Alternatively the responder certificate itself can be explicitly trusted +with the \fB\-VAfile\fR option. +.SH "NOTES" +.IX Header "NOTES" +As noted, most of the verify options are for testing or debugging purposes. +Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global +\&\s-1VA\s0') \fB\-VAfile\fR options need to be used. +.PP +The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is +not really usable as a full \s-1OCSP\s0 responder. It contains only a very +simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0 +queries. It also handles requests serially meaning it cannot respond to +new requests until it has processed the current one. The text index file +format of revocation is also inefficient for large quantities of revocation +data. +.PP +It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0 +script using the \fBrespin\fR and \fBrespout\fR options. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create an \s-1OCSP\s0 request and write it to a file: +.PP +.Vb 1 +\& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der +.Ve +Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the +response to a file and print it out in text form +.PP +.Vb 2 +\& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e +\& -url http://ocsp.myhost.com/ -resp_text -respout resp.der +.Ve +Read in an \s-1OCSP\s0 response and print out text form: +.PP +.Vb 1 +\& openssl ocsp -respin resp.der -text +.Ve +\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate +responder certificate. All requests and responses are printed to a file. +.PP +.Vb 2 +\& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem +\& -text -out log.txt +.Ve +As above but exit after processing one request: +.PP +.Vb 2 +\& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem +\& -nrequest 1 +.Ve +Query status information using internally generated request: +.PP +.Vb 2 +\& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem +\& -issuer demoCA/cacert.pem -serial 1 +.Ve +Query status information using request read from a file, write response to a +second file. +.PP +.Vb 2 +\& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem +\& -reqin req.der -respout resp.der +.Ve diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1 new file mode 100644 index 0000000..c88e763 --- /dev/null +++ b/secure/usr.bin/openssl/man/openssl.1 @@ -0,0 +1,407 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:15 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "openssl 3" +.TH openssl 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +openssl \- OpenSSL command line tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR +\&\fIcommand\fR +[ \fIcommand_opts\fR ] +[ \fIcommand_args\fR ] +.PP +\&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR ] +.PP +\&\fBopenssl\fR \fBno-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0 +v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and related +cryptography standards required by them. +.PP +The \fBopenssl\fR program is a command line tool for using the various +cryptography functions of OpenSSL's \fBcrypto\fR library from the shell. +It can be used for +.PP +.Vb 6 +\& o Creation of RSA, DH and DSA key parameters +\& o Creation of X.509 certificates, CSRs and CRLs +\& o Calculation of Message Digests +\& o Encryption and Decryption with Ciphers +\& o SSL/TLS Client and Server Tests +\& o Handling of S/MIME signed or encrypted mail +.Ve +.SH "COMMAND SUMMARY" +.IX Header "COMMAND SUMMARY" +The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in the +\&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments +(\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0). +.PP +The pseudo-commands \fBlist-standard-commands\fR, \fBlist-message-digest-commands\fR, +and \fBlist-cipher-commands\fR output a list (one entry per line) of the names +of all standard commands, message digest commands, or cipher commands, +respectively, that are available in the present \fBopenssl\fR utility. +.PP +The pseudo-command \fBno-\fR\fI\s-1XXX\s0\fR tests whether a command of the +specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it +returns 0 (success) and prints \fBno-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1 +and prints \fI\s-1XXX\s0\fR. In both cases, the output goes to \fBstdout\fR and +nothing is printed to \fBstderr\fR. Additional command line arguments +are always ignored. Since for each cipher there is a command of the +same name, this provides an easy way for shell scripts to test for the +availability of ciphers in the \fBopenssl\fR program. (\fBno-\fR\fI\s-1XXX\s0\fR is +not able to detect pseudo-commands such as \fBquit\fR, +\&\fBlist-\fR\fI...\fR\fB\-commands\fR, or \fBno-\fR\fI\s-1XXX\s0\fR itself.) +.Sh "\s-1STANDARD\s0 \s-1COMMANDS\s0" +.IX Subsection "STANDARD COMMANDS" +.Ip "\fBasn1parse\fR" 10 +.IX Item "asn1parse" +Parse an \s-1ASN\s0.1 sequence. +.Ip "\fBca\fR" 10 +.IX Item "ca" +Certificate Authority (\s-1CA\s0) Management. +.Ip "\fBciphers\fR" 10 +.IX Item "ciphers" +Cipher Suite Description Determination. +.Ip "\fBcrl\fR" 10 +.IX Item "crl" +Certificate Revocation List (\s-1CRL\s0) Management. +.Ip "\fBcrl2pkcs7\fR" 10 +.IX Item "crl2pkcs7" +\&\s-1CRL\s0 to PKCS#7 Conversion. +.Ip "\fBdgst\fR" 10 +.IX Item "dgst" +Message Digest Calculation. +.Ip "\fBdh\fR" 10 +.IX Item "dh" +Diffie-Hellman Parameter Management. +Obsoleted by \fBdhparam\fR. +.Ip "\fBdsa\fR" 10 +.IX Item "dsa" +\&\s-1DSA\s0 Data Management. +.Ip "\fBdsaparam\fR" 10 +.IX Item "dsaparam" +\&\s-1DSA\s0 Parameter Generation. +.Ip "\fBenc\fR" 10 +.IX Item "enc" +Encoding with Ciphers. +.Ip "\fBerrstr\fR" 10 +.IX Item "errstr" +Error Number to Error String Conversion. +.Ip "\fBdhparam\fR" 10 +.IX Item "dhparam" +Generation and Management of Diffie-Hellman Parameters. +.Ip "\fBgendh\fR" 10 +.IX Item "gendh" +Generation of Diffie-Hellman Parameters. +Obsoleted by \fBdhparam\fR. +.Ip "\fBgendsa\fR" 10 +.IX Item "gendsa" +Generation of \s-1DSA\s0 Parameters. +.Ip "\fBgenrsa\fR" 10 +.IX Item "genrsa" +Generation of \s-1RSA\s0 Parameters. +.Ip "\fBocsp\fR" 10 +.IX Item "ocsp" +Online Certificate Status Protocol utility. +.Ip "\fBpasswd\fR" 10 +.IX Item "passwd" +Generation of hashed passwords. +.Ip "\fBpkcs12\fR" 10 +.IX Item "pkcs12" +PKCS#12 Data Management. +.Ip "\fBpkcs7\fR" 10 +.IX Item "pkcs7" +PKCS#7 Data Management. +.Ip "\fBrand\fR" 10 +.IX Item "rand" +Generate pseudo-random bytes. +.Ip "\fBreq\fR" 10 +.IX Item "req" +X.509 Certificate Signing Request (\s-1CSR\s0) Management. +.Ip "\fBrsa\fR" 10 +.IX Item "rsa" +\&\s-1RSA\s0 Data Management. +.Ip "\fBrsautl\fR" 10 +.IX Item "rsautl" +\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption. +.Ip "\fBs_client\fR" 10 +.IX Item "s_client" +This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent +connection to a remote server speaking \s-1SSL/TLS\s0. It's intended for testing +purposes only and provides only rudimentary interface functionality but +internally uses mostly all functionality of the OpenSSL \fBssl\fR library. +.Ip "\fBs_server\fR" 10 +.IX Item "s_server" +This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote +clients speaking \s-1SSL/TLS\s0. It's intended for testing purposes only and provides +only rudimentary interface functionality but internally uses mostly all +functionality of the OpenSSL \fBssl\fR library. It provides both an own command +line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response +facility to emulate an SSL/TLS-aware webserver. +.Ip "\fBs_time\fR" 10 +.IX Item "s_time" +\&\s-1SSL\s0 Connection Timer. +.Ip "\fBsess_id\fR" 10 +.IX Item "sess_id" +\&\s-1SSL\s0 Session Data Management. +.Ip "\fBsmime\fR" 10 +.IX Item "smime" +S/MIME mail processing. +.Ip "\fBspeed\fR" 10 +.IX Item "speed" +Algorithm Speed Measurement. +.Ip "\fBverify\fR" 10 +.IX Item "verify" +X.509 Certificate Verification. +.Ip "\fBversion\fR" 10 +.IX Item "version" +OpenSSL Version Information. +.Ip "\fBx509\fR" 10 +.IX Item "x509" +X.509 Certificate Data Management. +.Sh "\s-1MESSAGE\s0 \s-1DIGEST\s0 \s-1COMMANDS\s0" +.IX Subsection "MESSAGE DIGEST COMMANDS" +.Ip "\fBmd2\fR" 10 +.IX Item "md2" +\&\s-1MD2\s0 Digest +.Ip "\fBmd5\fR" 10 +.IX Item "md5" +\&\s-1MD5\s0 Digest +.Ip "\fBmdc2\fR" 10 +.IX Item "mdc2" +\&\s-1MDC2\s0 Digest +.Ip "\fBrmd160\fR" 10 +.IX Item "rmd160" +\&\s-1RMD-160\s0 Digest +.Ip "\fBsha\fR" 10 +.IX Item "sha" +\&\s-1SHA\s0 Digest +.Ip "\fBsha1\fR" 10 +.IX Item "sha1" +\&\s-1SHA-1\s0 Digest +.Sh "\s-1ENCODING\s0 \s-1AND\s0 \s-1CIPHER\s0 \s-1COMMANDS\s0" +.IX Subsection "ENCODING AND CIPHER COMMANDS" +.Ip "\fBbase64\fR" 10 +.IX Item "base64" +Base64 Encoding +.Ip "\fBbf bf-cbc bf-cfb bf-ecb bf-ofb\fR" 10 +.IX Item "bf bf-cbc bf-cfb bf-ecb bf-ofb" +Blowfish Cipher +.Ip "\fBcast cast-cbc\fR" 10 +.IX Item "cast cast-cbc" +\&\s-1CAST\s0 Cipher +.Ip "\fBcast5\-cbc cast5\-cfb cast5\-ecb cast5\-ofb\fR" 10 +.IX Item "cast5-cbc cast5-cfb cast5-ecb cast5-ofb" +\&\s-1CAST5\s0 Cipher +.Ip "\fBdes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb\fR" 10 +.IX Item "des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb" +\&\s-1DES\s0 Cipher +.Ip "\fBdes3 desx des-ede3 des-ede3\-cbc des-ede3\-cfb des-ede3\-ofb\fR" 10 +.IX Item "des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb" +Triple-DES Cipher +.Ip "\fBidea idea-cbc idea-cfb idea-ecb idea-ofb\fR" 10 +.IX Item "idea idea-cbc idea-cfb idea-ecb idea-ofb" +\&\s-1IDEA\s0 Cipher +.Ip "\fBrc2 rc2\-cbc rc2\-cfb rc2\-ecb rc2\-ofb\fR" 10 +.IX Item "rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb" +\&\s-1RC2\s0 Cipher +.Ip "\fBrc4\fR" 10 +.IX Item "rc4" +\&\s-1RC4\s0 Cipher +.Ip "\fBrc5 rc5\-cbc rc5\-cfb rc5\-ecb rc5\-ofb\fR" 10 +.IX Item "rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb" +\&\s-1RC5\s0 Cipher +.SH "PASS PHRASE ARGUMENTS" +.IX Header "PASS PHRASE ARGUMENTS" +Several commands accept password arguments, typically using \fB\-passin\fR +and \fB\-passout\fR for input and output passwords respectively. These allow +the password to be obtained from a variety of sources. Both of these +options take a single argument whose format is described below. If no +password argument is given and a password is required then the user is +prompted to enter one: this will typically be read from the current +terminal with echoing turned off. +.Ip "\fBpass:password\fR" 10 +.IX Item "pass:password" +the actual password is \fBpassword\fR. Since the password is visible +to utilities (like 'ps' under Unix) this form should only be used +where security is not important. +.Ip "\fBenv:var\fR" 10 +.IX Item "env:var" +obtain the password from the environment variable \fBvar\fR. Since +the environment of other processes is visible on certain platforms +(e.g. ps under certain Unix OSes) this option should be used with caution. +.Ip "\fBfile:pathname\fR" 10 +.IX Item "file:pathname" +the first line of \fBpathname\fR is the password. If the same \fBpathname\fR +argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first +line will be used for the input password and the next line for the output +password. \fBpathname\fR need not refer to a regular file: it could for example +refer to a device or named pipe. +.Ip "\fBfd:number\fR" 10 +.IX Item "fd:number" +read the password from the file descriptor \fBnumber\fR. This can be used to +send the data via a pipe for example. +.Ip "\fBstdin\fR" 10 +.IX Item "stdin" +read the password from standard input. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +asn1parse(1), ca(1), config(5), +crl(1), crl2pkcs7(1), dgst(1), +dhparam(1), dsa(1), dsaparam(1), +enc(1), gendsa(1), +genrsa(1), nseq(1), openssl(1), +passwd(1), +pkcs12(1), pkcs7(1), pkcs8(1), +rand(1), req(1), rsa(1), +rsautl(1), s_client(1), +s_server(1), smime(1), spkac(1), +verify(1), version(1), x509(1), +crypto(3), ssl(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fIopenssl\fR\|(1) document appeared in OpenSSL 0.9.2. +The \fBlist-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3; +the \fBno-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a. +For notes on the availability of other commands, see their individual +manual pages. diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1 new file mode 100644 index 0000000..67e5dee --- /dev/null +++ b/secure/usr.bin/openssl/man/passwd.1 @@ -0,0 +1,203 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:16 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "passwd 3" +.TH passwd 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +passwd \- compute password hashes +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl passwd\fR +[\fB\-crypt\fR] +[\fB\-1\fR] +[\fB\-apr1\fR] +[\fB\-salt\fR \fIstring\fR] +[\fB\-in\fR \fIfile\fR] +[\fB\-stdin\fR] +[\fB\-noverify\fR] +[\fB\-quiet\fR] +[\fB\-table\fR] +{\fIpassword\fR} +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpasswd\fR command computes the hash of a password typed at +run-time or the hash of each password in a list. The password list is +taken from the named file for option \fB\-in file\fR, from stdin for +option \fB\-stdin\fR, or from the command line, or from the terminal otherwise. +The Unix standard algorithm \fBcrypt\fR and the MD5\-based \s-1BSD\s0 password +algorithm \fB1\fR and its Apache variant \fBapr1\fR are available. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-crypt\fR" 4 +.IX Item "-crypt" +Use the \fBcrypt\fR algorithm (default). +.Ip "\fB\-1\fR" 4 +.IX Item "-1" +Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR. +.Ip "\fB\-apr1\fR" 4 +.IX Item "-apr1" +Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm). +.Ip "\fB\-salt\fR \fIstring\fR" 4 +.IX Item "-salt string" +Use the specified salt. +When reading a password from the terminal, this implies \fB\-noverify\fR. +.Ip "\fB\-in\fR \fIfile\fR" 4 +.IX Item "-in file" +Read passwords from \fIfile\fR. +.Ip "\fB\-stdin\fR" 4 +.IX Item "-stdin" +Read passwords from \fBstdin\fR. +.Ip "\fB\-noverify\fR" 4 +.IX Item "-noverify" +Don't verify when reading a password from the terminal. +.Ip "\fB\-quiet\fR" 4 +.IX Item "-quiet" +Don't output warnings when passwords given at the command line are truncated. +.Ip "\fB\-table\fR" 4 +.IX Item "-table" +In the output list, prepend the cleartext password and a \s-1TAB\s0 character +to each password hash. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +\&\fBopenssl passwd \-crypt \-salt xx password\fR prints \fBxxj31ZMTZzkVA\fR. +.PP +\&\fBopenssl passwd \-1 \-salt xxxxxxxx password\fR prints \fB$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.\fR. +.PP +\&\fBopenssl passwd \-apr1 \-salt xxxxxxxx password\fR prints \fB$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0\fR. diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1 new file mode 100644 index 0000000..89e23c5 --- /dev/null +++ b/secure/usr.bin/openssl/man/pkcs12.1 @@ -0,0 +1,429 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:17 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "pkcs12 3" +.TH pkcs12 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +pkcs12 \- PKCS#12 file utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkcs12\fR +[\fB\-export\fR] +[\fB\-chain\fR] +[\fB\-inkey filename\fR] +[\fB\-certfile filename\fR] +[\fB\-name name\fR] +[\fB\-caname name\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-noout\fR] +[\fB\-nomacver\fR] +[\fB\-nocerts\fR] +[\fB\-clcerts\fR] +[\fB\-cacerts\fR] +[\fB\-nokeys\fR] +[\fB\-info\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-nodes\fR] +[\fB\-noiter\fR] +[\fB\-maciter\fR] +[\fB\-twopass\fR] +[\fB\-descert\fR] +[\fB\-certpbe\fR] +[\fB\-keypbe\fR] +[\fB\-keyex\fR] +[\fB\-keysig\fR] +[\fB\-password arg\fR] +[\fB\-passin arg\fR] +[\fB\-passout arg\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as +\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several +programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +There are a lot of options the meaning of some depends of whether a PKCS#12 file +is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12 +file can be created by using the \fB\-export\fR option (see below). +.SH "PARSING OPTIONS" +.IX Header "PARSING OPTIONS" +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies filename of the PKCS#12 file to be parsed. Standard input is used +by default. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +The filename to write certificates and private keys to, standard output by default. +They are all written in \s-1PEM\s0 format. +.Ip "\fB\-pass arg\fR, \fB\-passin arg\fR" 4 +.IX Item "-pass arg, -passin arg" +the PKCS#12 file (i.e. input file) password source. For more information about the +format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in +openssl(1). +.Ip "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +pass phrase source to encrypt any outputed private keys with. For more information +about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in +openssl(1). +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +this option inhibits output of the keys and certificates to the output file version +of the PKCS#12 file. +.Ip "\fB\-clcerts\fR" 4 +.IX Item "-clcerts" +only output client certificates (not \s-1CA\s0 certificates). +.Ip "\fB\-cacerts\fR" 4 +.IX Item "-cacerts" +only output \s-1CA\s0 certificates (not client certificates). +.Ip "\fB\-nocerts\fR" 4 +.IX Item "-nocerts" +no certificates at all will be output. +.Ip "\fB\-nokeys\fR" 4 +.IX Item "-nokeys" +no private keys will be output. +.Ip "\fB\-info\fR" 4 +.IX Item "-info" +output additional information about the PKCS#12 file structure, algorithms used and +iteration counts. +.Ip "\fB\-des\fR" 4 +.IX Item "-des" +use \s-1DES\s0 to encrypt private keys before outputting. +.Ip "\fB\-des3\fR" 4 +.IX Item "-des3" +use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default. +.Ip "\fB\-idea\fR" 4 +.IX Item "-idea" +use \s-1IDEA\s0 to encrypt private keys before outputting. +.Ip "\fB\-nodes\fR" 4 +.IX Item "-nodes" +don't encrypt the private keys at all. +.Ip "\fB\-nomacver\fR" 4 +.IX Item "-nomacver" +don't attempt to verify the integrity \s-1MAC\s0 before reading the file. +.Ip "\fB\-twopass\fR" 4 +.IX Item "-twopass" +prompt for separate integrity and encryption passwords: most software +always assumes these are the same so this option will render such +PKCS#12 files unreadable. +.SH "FILE CREATION OPTIONS" +.IX Header "FILE CREATION OPTIONS" +.Ip "\fB\-export\fR" 4 +.IX Item "-export" +This option specifies that a PKCS#12 file will be created rather than +parsed. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies filename to write the PKCS#12 file to. Standard output is used +by default. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +The filename to read certificates and private keys from, standard input by default. +They must all be in \s-1PEM\s0 format. The order doesn't matter but one private key and +its corresponding certificate should be present. If additional certificates are +present they will also be included in the PKCS#12 file. +.Ip "\fB\-inkey filename\fR" 4 +.IX Item "-inkey filename" +file to read private key from. If not present then a private key must be present +in the input file. +.Ip "\fB\-name friendlyname\fR" 4 +.IX Item "-name friendlyname" +This specifies the \*(L"friendly name\*(R" for the certificate and private key. This name +is typically displayed in list boxes by software importing the file. +.Ip "\fB\-certfile filename\fR" 4 +.IX Item "-certfile filename" +A filename to read additional certificates from. +.Ip "\fB\-caname friendlyname\fR" 4 +.IX Item "-caname friendlyname" +This specifies the \*(L"friendly name\*(R" for other certificates. This option may be +used multiple times to specify names for all certificates in the order they +appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0 +displays them. +.Ip "\fB\-pass arg\fR, \fB\-passout arg\fR" 4 +.IX Item "-pass arg, -passout arg" +the PKCS#12 file (i.e. output file) password source. For more information about +the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in +openssl(1). +.Ip "\fB\-passin password\fR" 4 +.IX Item "-passin password" +pass phrase source to decrypt any input private keys with. For more information +about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in +openssl(1). +.Ip "\fB\-chain\fR" 4 +.IX Item "-chain" +if this option is present then an attempt is made to include the entire +certificate chain of the user certificate. The standard \s-1CA\s0 store is used +for this search. If the search fails it is considered a fatal error. +.Ip "\fB\-descert\fR" 4 +.IX Item "-descert" +encrypt the certificate using triple \s-1DES\s0, this may render the PKCS#12 +file unreadable by some \*(L"export grade\*(R" software. By default the private +key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0. +.Ip "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4 +.IX Item "-keypbe alg, -certpbe alg" +these options allow the algorithm used to encrypt the private key and +certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms +can be selected it is advisable only to use PKCS#12 algorithms. See the list +in the \fB\s-1NOTES\s0\fR section for more information. +.Ip "\fB\-keyex|\-keysig\fR" 4 +.IX Item "-keyex|-keysig" +specifies that the private key is to be used for key exchange or just signing. +This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally +\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for +encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR +option marks the key for signing only. Signing only keys can be used for +S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client +authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support +the use of signing only keys for \s-1SSL\s0 client authentication. +.Ip "\fB\-nomaciter\fR, \fB\-noiter\fR" 4 +.IX Item "-nomaciter, -noiter" +these options affect the iteration counts on the \s-1MAC\s0 and key algorithms. +Unless you wish to produce files compatible with \s-1MSIE\s0 4.0 you should leave +these options alone. +.Sp +To discourage attacks by using large dictionaries of common passwords the +algorithm that derives keys from passwords can have an iteration count applied +to it: this causes a certain part of the algorithm to be repeated and slows it +down. The \s-1MAC\s0 is used to check the file integrity but since it will normally +have the same password as the keys and certificates it could also be attacked. +By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, using +these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since +this reduces the file security you should not use these options unless you +really have to. Most software supports both \s-1MAC\s0 and key iteration counts. +\&\s-1MSIE\s0 4.0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR +option. +.Ip "\fB\-maciter\fR" 4 +.IX Item "-maciter" +This option is included for compatibility with previous versions, it used +to be needed to use \s-1MAC\s0 iterations counts but they are now used by default. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.SH "NOTES" +.IX Header "NOTES" +Although there are a large number of options most of them are very rarely +used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used +for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used. +.PP +If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present +then all certificates will be output in the order they appear in the input +PKCS#12 files. There is no guarantee that the first certificate present is +the one corresponding to the private key. Certain software which requires +a private key and certificate and assumes the first certificate in the +file is the one corresponding to the private key: this may not always +be the case. Using the \fB\-clcerts\fR option will solve this problem by only +outputting the certificate corresponding to the private key. If the \s-1CA\s0 +certificates are required then they can be output to a separate file using +the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates. +.PP +The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption +algorithms for private keys and certificates to be specified. Normally +the defaults are fine but occasionally software can't handle triple \s-1DES\s0 +encrypted private keys, then the option \fB\-keypbe \s-1PBE-SHA1\-RC2\-40\s0\fR can +be used to reduce the private key encryption to 40 bit \s-1RC2\s0. A complete +description of all algorithms is contained in the \fBpkcs8\fR manual page. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Parse a PKCS#12 file and output it to a file: +.PP +.Vb 1 +\& openssl pkcs12 -in file.p12 -out file.pem +.Ve +Output only client certificates to a file: +.PP +.Vb 1 +\& openssl pkcs12 -in file.p12 -clcerts -out file.pem +.Ve +Don't encrypt the private key: +.PP +.Vb 1 +\& openssl pkcs12 -in file.p12 -out file.pem -nodes +.Ve +Print some info about a PKCS#12 file: +.PP +.Vb 1 +\& openssl pkcs12 -in file.p12 -info -noout +.Ve +Create a PKCS#12 file: +.PP +.Vb 1 +\& openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" +.Ve +Include some extra certificates: +.PP +.Vb 2 +\& openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \e +\& -certfile othercerts.pem +.Ve +.SH "BUGS" +.IX Header "BUGS" +Some would argue that the PKCS#12 standard is one big bug :\-) +.PP +Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation +routines. Under rare circumstances this could produce a PKCS#12 file encrypted +with an invalid key. As a result some PKCS#12 files which triggered this bug +from other implementations (\s-1MSIE\s0 or Netscape) could not be decrypted +by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could +not be decrypted by other implementations. The chances of producing such +a file are relatively small: less than 1 in 256. +.PP +A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 +files cannot no longer be parsed by the fixed version. Under such circumstances +the \fBpkcs12\fR utility will report that the \s-1MAC\s0 is \s-1OK\s0 but fail with a decryption +error when extracting private keys. +.PP +This problem can be resolved by extracting the private keys and certificates +from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 +file from the keys and certificates using a newer version of OpenSSL. For example: +.PP +.Vb 2 +\& old-openssl -in bad.p12 -out keycerts.pem +\& openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +pkcs8(1) diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1 new file mode 100644 index 0000000..539985d --- /dev/null +++ b/secure/usr.bin/openssl/man/pkcs7.1 @@ -0,0 +1,223 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:19 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "pkcs7 3" +.TH pkcs7 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +pkcs7 \- PKCS#7 utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkcs7\fR +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-print_certs\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7 +v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of +the \s-1DER\s0 form with header and footer lines. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read from or standard input if this +option is not specified. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specifies the output filename to write to or standard output by +default. +.Ip "\fB\-print_certs\fR" 4 +.IX Item "-print_certs" +prints out any certificates or CRLs contained in the file. They are +preceded by their subject and issuer names in one line format. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +prints out certificates details in full rather than just subject and +issuer names. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +don't output the encoded version of the PKCS#7 structure (or certificates +is \fB\-print_certs\fR is set). +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0 +.PP +.Vb 1 +\& openssl pkcs7 -in file.pem -outform DER -out file.der +.Ve +Output all certificates in a file: +.PP +.Vb 1 +\& openssl pkcs7 -in file.pem -print_certs -out certs.pem +.Ve +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 PKCS#7 format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN PKCS7----- +\& -----END PKCS7----- +.Ve +For compatibility with some CAs it will also accept: +.PP +.Vb 2 +\& -----BEGIN CERTIFICATE----- +\& -----END CERTIFICATE----- +.Ve +.SH "RESTRICTIONS" +.IX Header "RESTRICTIONS" +There is no option to print out all the fields of a PKCS#7 file. +.PP +This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they +cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630\s0. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +crl2pkcs7(1) diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1 new file mode 100644 index 0000000..ff9883a --- /dev/null +++ b/secure/usr.bin/openssl/man/pkcs8.1 @@ -0,0 +1,348 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:20 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "pkcs8 3" +.TH pkcs8 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +pkcs8 \- PKCS#8 format private key conversion tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBpkcs8\fR +[\fB\-topk8\fR] +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-noiter\fR] +[\fB\-nocrypt\fR] +[\fB\-nooct\fR] +[\fB\-embed\fR] +[\fB\-nsdb\fR] +[\fB\-v2 alg\fR] +[\fB\-v1 alg\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBpkcs8\fR command processes private keys in PKCS#8 format. It can handle +both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo +format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-topk8\fR" 4 +.IX Item "-topk8" +Normally a PKCS#8 private key is expected on input and a traditional format +private key will be written. With the \fB\-topk8\fR option the situation is +reversed: it reads a traditional format private key and writes a PKCS#8 +format key. +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. If a PKCS#8 format key is expected on input +then either a \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR encoded version of a PKCS#8 key will be +expected. Otherwise the \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR format of the traditional format +private key is used. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.Ip "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output by +default. If any encryption options are set then a pass phrase will be +prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.Ip "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +the output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-nocrypt\fR" 4 +.IX Item "-nocrypt" +PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo +structures using an appropriate password based encryption algorithm. With +this option an unencrypted PrivateKeyInfo structure is expected or output. +This option does not encrypt private keys at all and should only be used +when absolutely necessary. Certain software such as some versions of Java +code signing software used unencrypted private keys. +.Ip "\fB\-nooct\fR" 4 +.IX Item "-nooct" +This option generates \s-1RSA\s0 private keys in a broken format that some software +uses. Specifically the private key should be enclosed in a \s-1OCTET\s0 \s-1STRING\s0 +but some software just includes the structure itself without the +surrounding \s-1OCTET\s0 \s-1STRING\s0. +.Ip "\fB\-embed\fR" 4 +.IX Item "-embed" +This option generates \s-1DSA\s0 keys in a broken format. The \s-1DSA\s0 parameters are +embedded inside the PrivateKey structure. In this form the \s-1OCTET\s0 \s-1STRING\s0 +contains an \s-1ASN1\s0 \s-1SEQUENCE\s0 consisting of two structures: a \s-1SEQUENCE\s0 containing +the parameters and an \s-1ASN1\s0 \s-1INTEGER\s0 containing the private key. +.Ip "\fB\-nsdb\fR" 4 +.IX Item "-nsdb" +This option generates \s-1DSA\s0 keys in a broken format compatible with Netscape +private key databases. The PrivateKey contains a \s-1SEQUENCE\s0 consisting of +the public and private keys respectively. +.Ip "\fB\-v2 alg\fR" 4 +.IX Item "-v2 alg" +This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8 +private keys are encrypted with the password based encryption algorithm +called \fBpbeWithMD5AndDES-CBC\fR this uses 56 bit \s-1DES\s0 encryption but it +was the strongest encryption algorithm supported in PKCS#5 v1.5. Using +the \fB\-v2\fR option PKCS#5 v2.0 algorithms are used which can use any +encryption algorithm such as 168 bit triple \s-1DES\s0 or 128 bit \s-1RC2\s0 however +not many implementations support PKCS#5 v2.0 yet. If you are just using +private keys with OpenSSL then this doesn't matter. +.Sp +The \fBalg\fR argument is the encryption algorithm to use, valid values include +\&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used. +.Ip "\fB\-v1 alg\fR" 4 +.IX Item "-v1 alg" +This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete +list of possible algorithms is included below. +.SH "NOTES" +.IX Header "NOTES" +The encrypted form of a \s-1PEM\s0 encode PKCS#8 files uses the following +headers and footers: +.PP +.Vb 2 +\& -----BEGIN ENCRYPTED PRIVATE KEY----- +\& -----END ENCRYPTED PRIVATE KEY----- +.Ve +The unencrypted form uses: +.PP +.Vb 2 +\& -----BEGIN PRIVATE KEY----- +\& -----END PRIVATE KEY----- +.Ve +Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration +counts are more secure that those encrypted using the traditional +SSLeay compatible formats. So if additional security is considered +important the keys should be converted. +.PP +The default encryption is only 56 bits because this is the encryption +that most current implementations of PKCS#8 will support. +.PP +Some software may use PKCS#12 password based encryption algorithms +with PKCS#8 format private keys: these are handled automatically +but there is no option to produce them. +.PP +It is possible to write out \s-1DER\s0 encoded encrypted private keys in +PKCS#8 format because the encryption details are included at an \s-1ASN1\s0 +level whereas the traditional format includes them at a \s-1PEM\s0 level. +.SH "PKCS#5 v1.5 and PKCS#12 algorithms." +.IX Header "PKCS#5 v1.5 and PKCS#12 algorithms." +Various algorithms can be used with the \fB\-v1\fR command line option, +including PKCS#5 v1.5 and PKCS#12. These are described in more detail +below. +.Ip "\fB\s-1PBE-MD2\-DES\s0 \s-1PBE-MD5\-DES\s0\fR" 4 +.IX Item "PBE-MD2-DES PBE-MD5-DES" +These algorithms were included in the original PKCS#5 v1.5 specification. +They only offer 56 bits of protection since they both use \s-1DES\s0. +.Ip "\fB\s-1PBE-SHA1\-RC2\-64\s0 \s-1PBE-MD2\-RC2\-64\s0 \s-1PBE-MD5\-RC2\-64\s0 \s-1PBE-SHA1\-DES\s0\fR" 4 +.IX Item "PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES" +These algorithms are not mentioned in the original PKCS#5 v1.5 specification +but they use the same key derivation algorithm and are supported by some +software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or +56 bit \s-1DES\s0. +.Ip "\fB\s-1PBE-SHA1\-RC4\-128\s0 \s-1PBE-SHA1\-RC4\-40\s0 \s-1PBE-SHA1\-3DES\s0 \s-1PBE-SHA1\-2DES\s0 \s-1PBE-SHA1\-RC2\-128\s0 \s-1PBE-SHA1\-RC2\-40\s0\fR" 4 +.IX Item "PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40" +These algorithms use the PKCS#12 password based encryption algorithm and +allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Convert a private from traditional to PKCS#5 v2.0 format using triple +\&\s-1DES:\s0 +.PP +.Vb 1 +\& openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem +.Ve +Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm +(\s-1DES\s0): +.PP +.Vb 1 +\& openssl pkcs8 -in key.pem -topk8 -out enckey.pem +.Ve +Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm +(3DES): +.PP +.Vb 1 +\& openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES +.Ve +Read a \s-1DER\s0 unencrypted PKCS#8 format private key: +.PP +.Vb 1 +\& openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem +.Ve +Convert a private key from any PKCS#8 format to traditional format: +.PP +.Vb 1 +\& openssl pkcs8 -in pk8.pem -out key.pem +.Ve +.SH "STANDARDS" +.IX Header "STANDARDS" +Test vectors from this PKCS#5 v2.0 implementation were posted to the +pkcs-tng mailing list using triple \s-1DES\s0, \s-1DES\s0 and \s-1RC2\s0 with high iteration +counts, several people confirmed that they could decrypt the private +keys produced and Therefore it can be assumed that the PKCS#5 v2.0 +implementation is reasonably accurate at least as far as these +algorithms are concerned. +.PP +The format of PKCS#8 \s-1DSA\s0 (and other) private keys is not well documented: +it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0 +PKCS#8 private key format complies with this standard. +.SH "BUGS" +.IX Header "BUGS" +There should be an option that prints out the encryption algorithm +in use and other details such as the iteration count. +.PP +PKCS#8 using triple \s-1DES\s0 and PKCS#5 v2.0 should be the default private +key format for OpenSSL: for compatibility several of the utilities use +the old format at present. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +dsa(1), rsa(1), genrsa(1), +gendsa(1) diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1 new file mode 100644 index 0000000..37c5c07 --- /dev/null +++ b/secure/usr.bin/openssl/man/rand.1 @@ -0,0 +1,177 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:21 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "rand 3" +.TH rand 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +rand \- generate pseudo-random bytes +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl rand\fR +[\fB\-out\fR \fIfile\fR] +[\fB\-rand\fR \fI\fIfile\fI\|(s)\fR] +[\fB\-base64\fR] +\&\fInum\fR +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding +the random number generator once. As in other \fBopenssl\fR command +line tools, \s-1PRNG\s0 seeding uses the file \fI$HOME/\fR\fB.rnd\fR or \fB.rnd\fR +in addition to the files given in the \fB\-rand\fR option. A new +\&\fI$HOME\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough +seeding was obtained from these sources. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-out\fR \fIfile\fR" 4 +.IX Item "-out file" +Write to \fIfile\fR instead of standard output. +.Ip "\fB\-rand\fR \fI\fIfile\fI\|(s)\fR" 4 +.IX Item "-rand file" +Use specified file or files or \s-1EGD\s0 socket (see RAND_egd(3)) +for seeding the random number generator. +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.Ip "\fB\-base64\fR" 4 +.IX Item "-base64" +Perform base64 encoding on the output. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +RAND_bytes(3) diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1 new file mode 100644 index 0000000..1ae330e --- /dev/null +++ b/secure/usr.bin/openssl/man/req.1 @@ -0,0 +1,693 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:22 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "req 3" +.TH req 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +req \- PKCS#10 certificate request and certificate generating utility. +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBreq\fR +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-text\fR] +[\fB\-pubkey\fR] +[\fB\-noout\fR] +[\fB\-verify\fR] +[\fB\-modulus\fR] +[\fB\-new\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +[\fB\-newkey rsa:bits\fR] +[\fB\-newkey dsa:file\fR] +[\fB\-nodes\fR] +[\fB\-key filename\fR] +[\fB\-keyform PEM|DER\fR] +[\fB\-keyout filename\fR] +[\fB\-[md5|sha1|md2|mdc2]\fR] +[\fB\-config filename\fR] +[\fB\-subj arg\fR] +[\fB\-x509\fR] +[\fB\-days n\fR] +[\fB\-set_serial n\fR] +[\fB\-asn1\-kludge\fR] +[\fB\-newhdr\fR] +[\fB\-extensions section\fR] +[\fB\-reqexts section\fR] +[\fB\-utf8\fR] +[\fB\-nameopt\fR] +[\fB\-batch\fR] +[\fB\-verbose\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBreq\fR command primarily creates and processes certificate requests +in PKCS#10 format. It can additionally create self signed certificates +for use as root CAs for example. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded +form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it +consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and +footer lines. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a request from or standard input +if this option is not specified. A request is only read if the creation +options (\fB\-new\fR and \fB\-newkey\fR) are not specified. +.Ip "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write to or standard output by +default. +.Ip "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +the output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +prints out the certificate request in text form. +.Ip "\fB\-pubkey\fR" 4 +.IX Item "-pubkey" +outputs the public key. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the encoded version of the request. +.Ip "\fB\-modulus\fR" 4 +.IX Item "-modulus" +this option prints out the value of the modulus of the public key +contained in the request. +.Ip "\fB\-verify\fR" 4 +.IX Item "-verify" +verifies the signature on the request. +.Ip "\fB\-new\fR" 4 +.IX Item "-new" +this option generates a new certificate request. It will prompt +the user for the relevant field values. The actual fields +prompted for and their maximum and minimum sizes are specified +in the configuration file and any requested extensions. +.Sp +If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private +key using information specified in the configuration file. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.Ip "\fB\-newkey arg\fR" 4 +.IX Item "-newkey arg" +this option creates a new certificate request and a new private +key. The argument takes one of two forms. \fBrsa:nbits\fR, where +\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR +in size. \fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters +in the file \fBfilename\fR. +.Ip "\fB\-key filename\fR" 4 +.IX Item "-key filename" +This specifies the file to read the private key from. It also +accepts PKCS#8 format private keys for \s-1PEM\s0 format files. +.Ip "\fB\-keyform PEM|DER\fR" 4 +.IX Item "-keyform PEM|DER" +the format of the private key file specified in the \fB\-key\fR +argument. \s-1PEM\s0 is the default. +.Ip "\fB\-keyout filename\fR" 4 +.IX Item "-keyout filename" +this gives the filename to write the newly created private key to. +If this option is not specified then the filename present in the +configuration file is used. +.Ip "\fB\-nodes\fR" 4 +.IX Item "-nodes" +if this option is specified then if a private key is created it +will not be encrypted. +.Ip "\fB\-[md5|sha1|md2|mdc2]\fR" 4 +.IX Item "-[md5|sha1|md2|mdc2]" +this specifies the message digest to sign the request with. This +overrides the digest algorithm specified in the configuration file. +This option is ignored for \s-1DSA\s0 requests: they always use \s-1SHA1\s0. +.Ip "\fB\-config filename\fR" 4 +.IX Item "-config filename" +this allows an alternative configuration file to be specified, +this overrides the compile time filename or any specified in +the \fB\s-1OPENSSL_CONF\s0\fR environment variable. +.Ip "\fB\-subj arg\fR" 4 +.IX Item "-subj arg" +sets subject name for new request or supersedes the subject name +when processing a request. +The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, +characters may be escaped by \e (backslash), no spaces are skipped. +.Ip "\fB\-x509\fR" 4 +.IX Item "-x509" +this option outputs a self signed certificate instead of a certificate +request. This is typically used to generate a test certificate or +a self signed root \s-1CA\s0. The extensions added to the certificate +(if any) are specified in the configuration file. Unless specified +using the \fBset_serial\fR option \fB0\fR will be used for the serial +number. +.Ip "\fB\-days n\fR" 4 +.IX Item "-days n" +when the \fB\-x509\fR option is being used this specifies the number of +days to certify the certificate for. The default is 30 days. +.Ip "\fB\-set_serial n\fR" 4 +.IX Item "-set_serial n" +serial number to use when outputting a self signed certificate. This +may be specified as a decimal value or a hex value if preceded by \fB0x\fR. +It is possible to use negative serial numbers but this is not recommended. +.Ip "\fB\-extensions section\fR" 4 +.IX Item "-extensions section" +.PD 0 +.Ip "\fB\-reqexts section\fR" 4 +.IX Item "-reqexts section" +.PD +these options specify alternative sections to include certificate +extensions (if the \fB\-x509\fR option is present) or certificate +request extensions. This allows several different sections to +be used in the same configuration file to specify requests for +a variety of purposes. +.Ip "\fB\-utf8\fR" 4 +.IX Item "-utf8" +this option causes field values to be interpreted as \s-1UTF8\s0 strings, by +default they are interpreted as \s-1ASCII\s0. This means that the field +values, whether prompted from a terminal or obtained from a +configuration file, must be valid \s-1UTF8\s0 strings. +.Ip "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the x509(1) manual page for details. +.Ip "\fB\-asn1\-kludge\fR" 4 +.IX Item "-asn1-kludge" +by default the \fBreq\fR command outputs certificate requests containing +no attributes in the correct PKCS#10 format. However certain CAs will only +accept requests containing no attributes in an invalid form: this +option produces this invalid format. +.Sp +More precisely the \fBAttributes\fR in a PKCS#10 certificate request +are defined as a \fB\s-1SET\s0 \s-1OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so +if no attributes are present then they should be encoded as an +empty \fB\s-1SET\s0 \s-1OF\s0\fR. The invalid form does not include the empty +\&\fB\s-1SET\s0 \s-1OF\s0\fR whereas the correct form does. +.Sp +It should be noted that very few CAs still require the use of this option. +.Ip "\fB\-newhdr\fR" 4 +.IX Item "-newhdr" +Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputed +request. Some software (Netscape certificate server) and some CAs need this. +.Ip "\fB\-batch\fR" 4 +.IX Item "-batch" +non-interactive mode. +.Ip "\fB\-verbose\fR" 4 +.IX Item "-verbose" +print extra details about the operations being performed. +.SH "CONFIGURATION FILE FORMAT" +.IX Header "CONFIGURATION FILE FORMAT" +The configuration options are specified in the \fBreq\fR section of +the configuration file. As with all configuration files if no +value is specified in the specific section (i.e. \fBreq\fR) then +the initial unnamed or \fBdefault\fR section is searched too. +.PP +The options available are described in detail below. +.Ip "\fBinput_password output_password\fR" 4 +.IX Item "input_password output_password" +The passwords for the input private key file (if present) and +the output private key file (if one will be created). The +command line options \fBpassin\fR and \fBpassout\fR override the +configuration file values. +.Ip "\fBdefault_bits\fR" 4 +.IX Item "default_bits" +This specifies the default key size in bits. If not specified then +512 is used. It is used if the \fB\-new\fR option is used. It can be +overridden by using the \fB\-newkey\fR option. +.Ip "\fBdefault_keyfile\fR" 4 +.IX Item "default_keyfile" +This is the default filename to write a private key to. If not +specified the key is written to standard output. This can be +overridden by the \fB\-keyout\fR option. +.Ip "\fBoid_file\fR" 4 +.IX Item "oid_file" +This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR. +Each line of the file should consist of the numerical form of the +object identifier followed by white space then the short name followed +by white space and finally the long name. +.Ip "\fBoid_section\fR" 4 +.IX Item "oid_section" +This specifies a section in the configuration file containing extra +object identifiers. Each line should consist of the short name of the +object identifier followed by \fB=\fR and the numerical form. The short +and long names are the same when this option is used. +.Ip "\fB\s-1RANDFILE\s0\fR" 4 +.IX Item "RANDFILE" +This specifies a filename in which random number seed information is +placed and read from, or an \s-1EGD\s0 socket (see RAND_egd(3)). +It is used for private key generation. +.Ip "\fBencrypt_key\fR" 4 +.IX Item "encrypt_key" +If this is set to \fBno\fR then if a private key is generated it is +\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line +option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option. +.Ip "\fBdefault_md\fR" 4 +.IX Item "default_md" +This option specifies the digest algorithm to use. Possible values +include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This +option can be overridden on the command line. +.Ip "\fBstring_mask\fR" 4 +.IX Item "string_mask" +This option masks out the use of certain string types in certain +fields. Most users will not need to change this option. +.Sp +It can be set to several values \fBdefault\fR which is also the default +option uses PrintableStrings, T61Strings and BMPStrings if the +\&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will +be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0. If the +\&\fButf8only\fR option is used then only UTF8Strings will be used: this +is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR +option just uses PrintableStrings and T61Strings: certain software has +problems with BMPStrings and UTF8Strings: in particular Netscape. +.Ip "\fBreq_extensions\fR" 4 +.IX Item "req_extensions" +this specifies the configuration file section containing a list of +extensions to add to the certificate request. It can be overridden +by the \fB\-reqexts\fR command line switch. +.Ip "\fBx509_extensions\fR" 4 +.IX Item "x509_extensions" +this specifies the configuration file section containing a list of +extensions to add to certificate generated when the \fB\-x509\fR switch +is used. It can be overridden by the \fB\-extensions\fR command line switch. +.Ip "\fBprompt\fR" 4 +.IX Item "prompt" +if set to the value \fBno\fR this disables prompting of certificate fields +and just takes values from the config file directly. It also changes the +expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections. +.Ip "\fButf8\fR" 4 +.IX Item "utf8" +if set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0 +strings, by default they are interpreted as \s-1ASCII\s0. This means that +the field values, whether prompted from a terminal or obtained from a +configuration file, must be valid \s-1UTF8\s0 strings. +.Ip "\fBattributes\fR" 4 +.IX Item "attributes" +this specifies the section containing any request attributes: its format +is the same as \fBdistinguished_name\fR. Typically these may contain the +challengePassword or unstructuredName types. They are currently ignored +by OpenSSL's request signing utilities but some CAs might want them. +.Ip "\fBdistinguished_name\fR" 4 +.IX Item "distinguished_name" +This specifies the section containing the distinguished name fields to +prompt for when generating a certificate or certificate request. The format +is described in the next section. +.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" +.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" +There are two separate formats for the distinguished name and attribute +sections. If the \fBprompt\fR option is set to \fBno\fR then these sections +just consist of field names and values: for example, +.PP +.Vb 3 +\& CN=My Name +\& OU=My Organization +\& emailAddress=someone@somewhere.org +.Ve +This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file +with all the field names and values and just pass it to \fBreq\fR. An example +of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section. +.PP +Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the +file contains field prompting information. It consists of lines of the form: +.PP +.Vb 4 +\& fieldName="prompt" +\& fieldName_default="default field value" +\& fieldName_min= 2 +\& fieldName_max= 4 +.Ve +\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0). +The \*(L"prompt\*(R" string is used to ask the user to enter the relevant +details. If the user enters nothing then the default value is used if no +default value is present then the field is omitted. A field can +still be omitted if a default value is present if the user just +enters the '.' character. +.PP +The number of characters entered must be between the fieldName_min and +fieldName_max limits: there may be additional restrictions based +on the field being used (for example countryName can only ever be +two characters long and must fit in a PrintableString). +.PP +Some fields (such as organizationName) can be used more than once +in a \s-1DN\s0. This presents a problem because configuration files will +not recognize the same name occurring twice. To avoid this problem +if the fieldName contains some characters followed by a full stop +they will be ignored. So for example a second organizationName can +be input by calling it \*(L"1.organizationName\*(R". +.PP +The actual permitted field names are any object identifier short or +long names. These are compiled into OpenSSL and include the usual +values such as commonName, countryName, localityName, organizationName, +organizationUnitName, stateOrPrivinceName. Additionally emailAddress +is include as well as name, surname, givenName initials and dnQualifier. +.PP +Additional object identifiers can be defined with the \fBoid_file\fR or +\&\fBoid_section\fR options in the configuration file. Any additional fields +will be treated as though they were a DirectoryString. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Examine and verify certificate request: +.PP +.Vb 1 +\& openssl req -in req.pem -text -verify -noout +.Ve +Create a private key and then generate a certificate request from it: +.PP +.Vb 2 +\& openssl genrsa -out key.pem 1024 +\& openssl req -new -key key.pem -out req.pem +.Ve +The same but just using req: +.PP +.Vb 1 +\& openssl req -newkey rsa:1024 -keyout key.pem -out req.pem +.Ve +Generate a self signed root certificate: +.PP +.Vb 1 +\& openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem +.Ve +Example of a file pointed to by the \fBoid_file\fR option: +.PP +.Vb 2 +\& 1.2.3.4 shortName A longer Name +\& 1.2.3.6 otherName Other longer Name +.Ve +Example of a section pointed to by \fBoid_section\fR making use of variable +expansion: +.PP +.Vb 2 +\& testoid1=1.2.3.5 +\& testoid2=${testoid1}.6 +.Ve +Sample configuration file prompting for field values: +.PP +.Vb 6 +\& [ req ] +\& default_bits = 1024 +\& default_keyfile = privkey.pem +\& distinguished_name = req_distinguished_name +\& attributes = req_attributes +\& x509_extensions = v3_ca +.Ve +.Vb 1 +\& dirstring_type = nobmp +.Ve +.Vb 5 +\& [ req_distinguished_name ] +\& countryName = Country Name (2 letter code) +\& countryName_default = AU +\& countryName_min = 2 +\& countryName_max = 2 +.Ve +.Vb 1 +\& localityName = Locality Name (eg, city) +.Ve +.Vb 1 +\& organizationalUnitName = Organizational Unit Name (eg, section) +.Ve +.Vb 2 +\& commonName = Common Name (eg, YOUR name) +\& commonName_max = 64 +.Ve +.Vb 2 +\& emailAddress = Email Address +\& emailAddress_max = 40 +.Ve +.Vb 4 +\& [ req_attributes ] +\& challengePassword = A challenge password +\& challengePassword_min = 4 +\& challengePassword_max = 20 +.Ve +.Vb 1 +\& [ v3_ca ] +.Ve +.Vb 3 +\& subjectKeyIdentifier=hash +\& authorityKeyIdentifier=keyid:always,issuer:always +\& basicConstraints = CA:true +.Ve +Sample configuration containing all field values: +.PP +.Vb 1 +\& RANDFILE = $ENV::HOME/.rnd +.Ve +.Vb 7 +\& [ req ] +\& default_bits = 1024 +\& default_keyfile = keyfile.pem +\& distinguished_name = req_distinguished_name +\& attributes = req_attributes +\& prompt = no +\& output_password = mypass +.Ve +.Vb 8 +\& [ req_distinguished_name ] +\& C = GB +\& ST = Test State or Province +\& L = Test Locality +\& O = Organization Name +\& OU = Organizational Unit Name +\& CN = Common Name +\& emailAddress = test@email.address +.Ve +.Vb 2 +\& [ req_attributes ] +\& challengePassword = A challenge password +.Ve +.SH "NOTES" +.IX Header "NOTES" +The header and footer lines in the \fB\s-1PEM\s0\fR format are normally: +.PP +.Vb 2 +\& -----BEGIN CERTIFICATE REQUEST----- +\& -----END CERTIFICATE REQUEST----- +.Ve +some software (some versions of Netscape certificate server) instead needs: +.PP +.Vb 2 +\& -----BEGIN NEW CERTIFICATE REQUEST----- +\& -----END NEW CERTIFICATE REQUEST----- +.Ve +which is produced with the \fB\-newhdr\fR option but is otherwise compatible. +Either form is accepted transparently on input. +.PP +The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions +added. It includes the \fBkeyUsage\fR extension which determines the type of +key (signature only or general purpose) and any additional OIDs entered +by the script in an extendedKeyUsage extension. +.SH "DIAGNOSTICS" +.IX Header "DIAGNOSTICS" +The following messages are frequently asked about: +.PP +.Vb 2 +\& Using configuration from /some/path/openssl.cnf +\& Unable to load config info +.Ve +This is followed some time later by... +.PP +.Vb 2 +\& unable to find 'distinguished_name' in config +\& problems making Certificate Request +.Ve +The first error message is the clue: it can't find the configuration +file! Certain operations (like examining a certificate request) don't +need a configuration file so its use isn't enforced. Generation of +certificates or requests however does need a configuration file. This +could be regarded as a bug. +.PP +Another puzzling message is this: +.PP +.Vb 2 +\& Attributes: +\& a0:00 +.Ve +this is displayed when no attributes are present and the request includes +the correct empty \fB\s-1SET\s0 \s-1OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0 +0x00). If you just see: +.PP +.Vb 1 +\& Attributes: +.Ve +then the \fB\s-1SET\s0 \s-1OF\s0\fR is missing and the encoding is technically invalid (but +it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR +for more information. +.SH "ENVIRONMENT VARIABLES" +.IX Header "ENVIRONMENT VARIABLES" +The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration +file location to be specified, it will be overridden by the \fB\-config\fR command +line switch if it is present. For compatibility reasons the \fB\s-1SSLEAY_CONF\s0\fR +environment variable serves the same purpose but its use is discouraged. +.SH "BUGS" +.IX Header "BUGS" +OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively +treats them as \s-1ISO-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour. +This can cause problems if you need characters that aren't available in +PrintableStrings and you don't want to or can't use BMPStrings. +.PP +As a consequence of the T61String handling the only correct way to represent +accented characters in OpenSSL is to use a BMPString: unfortunately Netscape +currently chokes on these. If you have to use accented characters with Netscape +and \s-1MSIE\s0 then you currently need to use the invalid T61String form. +.PP +The current prompting is not very friendly. It doesn't allow you to confirm what +you've just entered. Other things like extensions in certificate requests are +statically defined in the configuration file. Some of these: like an email +address in subjectAltName should be input by the user. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +x509(1), ca(1), genrsa(1), +gendsa(1), config(5) diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1 new file mode 100644 index 0000000..ea57b93 --- /dev/null +++ b/secure/usr.bin/openssl/man/rsa.1 @@ -0,0 +1,301 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:23 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "rsa 3" +.TH rsa 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +rsa \- \s-1RSA\s0 key processing tool +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBrsa\fR +[\fB\-inform PEM|NET|DER\fR] +[\fB\-outform PEM|NET|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-sgckey\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-idea\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-modulus\fR] +[\fB\-check\fR] +[\fB\-pubin\fR] +[\fB\-pubout\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBrsa\fR command processes \s-1RSA\s0 keys. They can be converted between various +forms and their components printed out. \fBNote\fR this command uses the +traditional SSLeay compatible format for private key encryption: newer +applications should use the more secure PKCS#8 format using the \fBpkcs8\fR +utility. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-inform DER|NET|PEM\fR" 4 +.IX Item "-inform DER|NET|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded +form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. +The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 +encoded with additional header and footer lines. On input PKCS#8 format private +keys are also accepted. The \fB\s-1NET\s0\fR form is a format is described in the \fB\s-1NOTES\s0\fR +section. +.Ip "\fB\-outform DER|NET|PEM\fR" 4 +.IX Item "-outform DER|NET|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. +.Ip "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write a key to or standard output if this +option is not specified. If any encryption options are set then a pass phrase +will be prompted for. The output filename should \fBnot\fR be the same as the input +filename. +.Ip "\fB\-passout password\fR" 4 +.IX Item "-passout password" +the output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-sgckey\fR" 4 +.IX Item "-sgckey" +use the modified \s-1NET\s0 algorithm used with some versions of Microsoft \s-1IIS\s0 and \s-1SGC\s0 +keys. +.Ip "\fB\-des|\-des3|\-idea\fR" 4 +.IX Item "-des|-des3|-idea" +These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the +\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for. +If none of these options is specified the key is written in plain text. This +means that using the \fBrsa\fR utility to read in an encrypted key with no +encryption option can be used to remove the pass phrase from a key, or by +setting the encryption options it can be use to add or change the pass phrase. +These options can only be used with \s-1PEM\s0 format output files. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +prints out the various public or private key components in +plain text in addition to the encoded version. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the encoded version of the key. +.Ip "\fB\-modulus\fR" 4 +.IX Item "-modulus" +this option prints out the value of the modulus of the key. +.Ip "\fB\-check\fR" 4 +.IX Item "-check" +this option checks the consistency of an \s-1RSA\s0 private key. +.Ip "\fB\-pubin\fR" 4 +.IX Item "-pubin" +by default a private key is read from the input file: with this +option a public key is read instead. +.Ip "\fB\-pubout\fR" 4 +.IX Item "-pubout" +by default a private key is output: with this option a public +key will be output instead. This option is automatically set if +the input is a public key. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 private key format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN RSA PRIVATE KEY----- +\& -----END RSA PRIVATE KEY----- +.Ve +The \s-1PEM\s0 public key format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN PUBLIC KEY----- +\& -----END PUBLIC KEY----- +.Ve +The \fB\s-1NET\s0\fR form is a format compatible with older Netscape servers +and Microsoft \s-1IIS\s0 .key files, this uses unsalted \s-1RC4\s0 for its encryption. +It is not very secure and so should only be used when necessary. +.PP +Some newer version of \s-1IIS\s0 have additional data in the exported .key +files. To use these with the utility, view the file with a binary editor +and look for the string \*(L"private-key\*(R", then trace back to the byte +sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data +from this point onwards to another file and use that as the input +to the \fBrsa\fR utility with the \fB\-inform \s-1NET\s0\fR option. If you get +an error after entering the password try the \fB\-sgckey\fR option. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +To remove the pass phrase on an \s-1RSA\s0 private key: +.PP +.Vb 1 +\& openssl rsa -in key.pem -out keyout.pem +.Ve +To encrypt a private key using triple \s-1DES:\s0 +.PP +.Vb 1 +\& openssl rsa -in key.pem -des3 -out keyout.pem +.Ve +To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl rsa -in key.pem -outform DER -out keyout.der +.Ve +To print out the components of a private key to standard output: +.PP +.Vb 1 +\& openssl rsa -in key.pem -text -noout +.Ve +To just output the public part of a private key: +.PP +.Vb 1 +\& openssl rsa -in key.pem -pubout -out pubkey.pem +.Ve +.SH "BUGS" +.IX Header "BUGS" +The command line password arguments don't currently work with +\&\fB\s-1NET\s0\fR format. +.PP +There should be an option that automatically handles .key files, +without having to manually edit them. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +pkcs8(1), dsa(1), genrsa(1), +gendsa(1) diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1 new file mode 100644 index 0000000..67e3f3e --- /dev/null +++ b/secure/usr.bin/openssl/man/rsautl.1 @@ -0,0 +1,312 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:25 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "rsautl 3" +.TH rsautl 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +rsautl \- \s-1RSA\s0 utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBrsautl\fR +[\fB\-in file\fR] +[\fB\-out file\fR] +[\fB\-inkey file\fR] +[\fB\-pubin\fR] +[\fB\-certin\fR] +[\fB\-sign\fR] +[\fB\-verify\fR] +[\fB\-encrypt\fR] +[\fB\-decrypt\fR] +[\fB\-pkcs\fR] +[\fB\-ssl\fR] +[\fB\-raw\fR] +[\fB\-hexdump\fR] +[\fB\-asn1parse\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt +data using the \s-1RSA\s0 algorithm. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read data from or standard input +if this option is not specified. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specifies the output filename to write to or standard output by +default. +.Ip "\fB\-inkey file\fR" 4 +.IX Item "-inkey file" +the input key file, by default it should be an \s-1RSA\s0 private key. +.Ip "\fB\-pubin\fR" 4 +.IX Item "-pubin" +the input file is an \s-1RSA\s0 public key. +.Ip "\fB\-certin\fR" 4 +.IX Item "-certin" +the input is a certificate containing an \s-1RSA\s0 public key. +.Ip "\fB\-sign\fR" 4 +.IX Item "-sign" +sign the input data and output the signed result. This requires +and \s-1RSA\s0 private key. +.Ip "\fB\-verify\fR" 4 +.IX Item "-verify" +verify the input data and output the recovered data. +.Ip "\fB\-encrypt\fR" 4 +.IX Item "-encrypt" +encrypt the input data using an \s-1RSA\s0 public key. +.Ip "\fB\-decrypt\fR" 4 +.IX Item "-decrypt" +decrypt the input data using an \s-1RSA\s0 private key. +.Ip "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4 +.IX Item "-pkcs, -oaep, -ssl, -raw" +the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP\s0, +special padding used in \s-1SSL\s0 v2 backwards compatible handshakes, +or no padding, respectively. +For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used. +.Ip "\fB\-hexdump\fR" 4 +.IX Item "-hexdump" +hex dump the output data. +.Ip "\fB\-asn1parse\fR" 4 +.IX Item "-asn1parse" +asn1parse the output data, this is useful when combined with the +\&\fB\-verify\fR option. +.SH "NOTES" +.IX Header "NOTES" +\&\fBrsautl\fR because it uses the \s-1RSA\s0 algorithm directly can only be +used to sign or verify small pieces of data. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Sign some data using a private key: +.PP +.Vb 1 +\& openssl rsautl -sign -in file -inkey key.pem -out sig +.Ve +Recover the signed data +.PP +.Vb 1 +\& openssl rsautl -verify -in sig -inkey key.pem +.Ve +Examine the raw signed data: +.PP +.Vb 1 +\& openssl rsautl -verify -in file -inkey key.pem -raw -hexdump +.Ve +.Vb 8 +\& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ +\& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ +\& 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ +\& 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ +\& 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ +\& 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ +\& 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ +\& 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64 .....hello world +.Ve +The PKCS#1 block formatting is evident from this. If this was done using +encrypt and decrypt the block would have been of type 2 (the second byte) +and random padding data visible instead of the 0xff bytes. +.PP +It is possible to analyse the signature of certificates using this +utility in conjunction with \fBasn1parse\fR. Consider the self signed +example in certs/pca-cert.pem . Running \fBasn1parse\fR as follows yields: +.PP +.Vb 1 +\& openssl asn1parse -in pca-cert.pem +.Ve +.Vb 18 +\& 0:d=0 hl=4 l= 742 cons: SEQUENCE +\& 4:d=1 hl=4 l= 591 cons: SEQUENCE +\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ] +\& 10:d=3 hl=2 l= 1 prim: INTEGER :02 +\& 13:d=2 hl=2 l= 1 prim: INTEGER :00 +\& 16:d=2 hl=2 l= 13 cons: SEQUENCE +\& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption +\& 29:d=3 hl=2 l= 0 prim: NULL +\& 31:d=2 hl=2 l= 92 cons: SEQUENCE +\& 33:d=3 hl=2 l= 11 cons: SET +\& 35:d=4 hl=2 l= 9 cons: SEQUENCE +\& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName +\& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU +\& .... +\& 599:d=1 hl=2 l= 13 cons: SEQUENCE +\& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption +\& 612:d=2 hl=2 l= 0 prim: NULL +\& 614:d=1 hl=3 l= 129 prim: BIT STRING +.Ve +The final \s-1BIT\s0 \s-1STRING\s0 contains the actual signature. It can be extracted with: +.PP +.Vb 1 +\& openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614 +.Ve +The certificate public key can be extracted with: +.PP +.Vb 1 +\& openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem +.Ve +The signature can be analysed with: +.PP +.Vb 1 +\& openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin +.Ve +.Vb 6 +\& 0:d=0 hl=2 l= 32 cons: SEQUENCE +\& 2:d=1 hl=2 l= 12 cons: SEQUENCE +\& 4:d=2 hl=2 l= 8 prim: OBJECT :md5 +\& 14:d=2 hl=2 l= 0 prim: NULL +\& 16:d=1 hl=2 l= 16 prim: OCTET STRING +\& 0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%.. +.Ve +This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that +the digest used was md5. The actual part of the certificate that was signed can +be extracted with: +.PP +.Vb 1 +\& openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4 +.Ve +and its digest computed with: +.PP +.Vb 2 +\& openssl md5 -c tbs +\& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5 +.Ve +which it can be seen agrees with the recovered value above. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +dgst(1), rsa(1), genrsa(1) diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1 new file mode 100644 index 0000000..c0c0d0b --- /dev/null +++ b/secure/usr.bin/openssl/man/s_client.1 @@ -0,0 +1,347 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:26 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "s_client 3" +.TH s_client 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +s_client \- \s-1SSL/TLS\s0 client program +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBs_client\fR +[\fB\-connect\fR host:port>] +[\fB\-verify depth\fR] +[\fB\-cert filename\fR] +[\fB\-key filename\fR] +[\fB\-CApath directory\fR] +[\fB\-CAfile filename\fR] +[\fB\-reconnect\fR] +[\fB\-pause\fR] +[\fB\-showcerts\fR] +[\fB\-debug\fR] +[\fB\-msg\fR] +[\fB\-nbio_test\fR] +[\fB\-state\fR] +[\fB\-nbio\fR] +[\fB\-crlf\fR] +[\fB\-ign_eof\fR] +[\fB\-quiet\fR] +[\fB\-ssl2\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-no_ssl2\fR] +[\fB\-no_ssl3\fR] +[\fB\-no_tls1\fR] +[\fB\-bugs\fR] +[\fB\-cipher cipherlist\fR] +[\fB\-engine id\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects +to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool for +\&\s-1SSL\s0 servers. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-connect host:port\fR" 4 +.IX Item "-connect host:port" +This specifies the host and optional port to connect to. If not specified +then an attempt is made to connect to the local host on port 4433. +.Ip "\fB\-cert certname\fR" 4 +.IX Item "-cert certname" +The certificate to use, if one is requested by the server. The default is +not to use a certificate. +.Ip "\fB\-key keyfile\fR" 4 +.IX Item "-key keyfile" +The private key to use. If not specified then the certificate file will +be used. +.Ip "\fB\-verify depth\fR" 4 +.IX Item "-verify depth" +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. +Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. As a side effect the connection +will never fail due to a server certificate verify failure. +.Ip "\fB\-CApath directory\fR" 4 +.IX Item "-CApath directory" +The directory to use for server certificate verification. This directory +must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are +also used when building the client certificate chain. +.Ip "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file containing trusted certificates to use during server authentication +and to use when attempting to build the client certificate chain. +.Ip "\fB\-reconnect\fR" 4 +.IX Item "-reconnect" +reconnects to the same server 5 times using the same session \s-1ID\s0, this can +be used as a test that session caching is working. +.Ip "\fB\-pause\fR" 4 +.IX Item "-pause" +pauses 1 second between each read and write call. +.Ip "\fB\-showcerts\fR" 4 +.IX Item "-showcerts" +display the whole server certificate chain: normally only the server +certificate itself is displayed. +.Ip "\fB\-prexit\fR" 4 +.IX Item "-prexit" +print session information when the program exits. This will always attempt +to print out information even if the connection fails. Normally information +will only be printed out once if the connection succeeds. This option is useful +because the cipher in use may be renegotiated or the connection may fail +because a client certificate is required or is requested only after an +attempt is made to access a certain \s-1URL\s0. Note: the output produced by this +option is not always accurate because a connection might never have been +established. +.Ip "\fB\-state\fR" 4 +.IX Item "-state" +prints out the \s-1SSL\s0 session states. +.Ip "\fB\-debug\fR" 4 +.IX Item "-debug" +print extensive debugging information including a hex dump of all traffic. +.Ip "\fB\-msg\fR" 4 +.IX Item "-msg" +show all protocol messages with hex dump. +.Ip "\fB\-nbio_test\fR" 4 +.IX Item "-nbio_test" +tests non-blocking I/O +.Ip "\fB\-nbio\fR" 4 +.IX Item "-nbio" +turns on non-blocking I/O +.Ip "\fB\-crlf\fR" 4 +.IX Item "-crlf" +this option translated a line feed from the terminal into \s-1CR+LF\s0 as required +by some servers. +.Ip "\fB\-ign_eof\fR" 4 +.IX Item "-ign_eof" +inhibit shutting down the connection when end of file is reached in the +input. +.Ip "\fB\-quiet\fR" 4 +.IX Item "-quiet" +inhibit printing of session and certificate information. This implicitly +turns on \fB\-ign_eof\fR as well. +.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4 +.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1" +these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default +the initial handshake uses a method which should be compatible with all +servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate. +.Sp +Unfortunately there are a lot of ancient and broken servers in use which +cannot handle this technique and will fail to connect. Some servers only +work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only +support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option. +.Ip "\fB\-bugs\fR" 4 +.IX Item "-bugs" +there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +option enables various workarounds. +.Ip "\fB\-cipher cipherlist\fR" 4 +.IX Item "-cipher cipherlist" +this allows the cipher list sent by the client to be modified. Although +the server determines which cipher suite is used it should take the first +supported cipher in the list sent by the client. See the \fBciphers\fR +command for more information. +.Ip "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by it's unique \fBid\fR string) will cause \fBs_client\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.SH "CONNECTED COMMANDS" +.IX Header "CONNECTED COMMANDS" +If a connection is established with an \s-1SSL\s0 server then any data received +from the server is displayed and any key presses will be sent to the +server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR +have been given), the session will be renegotiated if the line begins with an +\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the +connection will be closed down. +.SH "NOTES" +.IX Header "NOTES" +\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL\s0 \s-1HTTP\s0 +server the command: +.PP +.Vb 1 +\& openssl s_client -connect servername:443 +.Ve +would typically be used (https uses port 443). If the connection succeeds +then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page. +.PP +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR, +\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR can be tried +in case it is a buggy server. In particular you should play with these +options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. +.PP +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. This is normally because the server is not sending +the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it +requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed +and checked. However some servers only request client authentication +after a specific \s-1URL\s0 is requested. To obtain the list in this case it +is necessary to use the \fB\-prexit\fR command and send an \s-1HTTP\s0 request +for an appropriate page. +.PP +If a certificate is specified on the command line using the \fB\-cert\fR +option it will not be used unless the server specifically requests +a client certificate. Therefor merely including a client certificate +on the command line is no guarantee that the certificate works. +.PP +If there are problems verifying a server certificate then the +\&\fB\-showcerts\fR option can be used to show the whole chain. +.SH "BUGS" +.IX Header "BUGS" +Because this program has a lot of options and also because some of +the techniques used are rather old, the C source of s_client is rather +hard to read and not a model of how things should be done. A typical +\&\s-1SSL\s0 client program would be much simpler. +.PP +The \fB\-verify\fR option should really exit if the server verification +fails. +.PP +The \fB\-prexit\fR option is a bit of a hack. We should really report +information whenever a session is renegotiated. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +sess_id(1), s_server(1), ciphers(1) diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1 new file mode 100644 index 0000000..e2fd3e7 --- /dev/null +++ b/secure/usr.bin/openssl/man/s_server.1 @@ -0,0 +1,385 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:27 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "s_server 3" +.TH s_server 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +s_server \- \s-1SSL/TLS\s0 server program +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBs_server\fR +[\fB\-accept port\fR] +[\fB\-context id\fR] +[\fB\-verify depth\fR] +[\fB\-Verify depth\fR] +[\fB\-cert filename\fR] +[\fB\-key keyfile\fR] +[\fB\-dcert filename\fR] +[\fB\-dkey keyfile\fR] +[\fB\-dhparam filename\fR] +[\fB\-nbio\fR] +[\fB\-nbio_test\fR] +[\fB\-crlf\fR] +[\fB\-debug\fR] +[\fB\-msg\fR] +[\fB\-state\fR] +[\fB\-CApath directory\fR] +[\fB\-CAfile filename\fR] +[\fB\-nocert\fR] +[\fB\-cipher cipherlist\fR] +[\fB\-quiet\fR] +[\fB\-no_tmp_rsa\fR] +[\fB\-ssl2\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-no_ssl2\fR] +[\fB\-no_ssl3\fR] +[\fB\-no_tls1\fR] +[\fB\-no_dhe\fR] +[\fB\-bugs\fR] +[\fB\-hack\fR] +[\fB\-www\fR] +[\fB\-WWW\fR] +[\fB\-HTTP\fR] +[\fB\-engine id\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens +for connections on a given port using \s-1SSL/TLS\s0. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-accept port\fR" 4 +.IX Item "-accept port" +the \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used. +.Ip "\fB\-context id\fR" 4 +.IX Item "-context id" +sets the \s-1SSL\s0 context id. It can be given any string value. If this option +is not present a default value will be used. +.Ip "\fB\-cert certname\fR" 4 +.IX Item "-cert certname" +The certificate to use, most servers cipher suites require the use of a +certificate and some require a certificate with a certain public key type: +for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0 +(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used. +.Ip "\fB\-key keyfile\fR" 4 +.IX Item "-key keyfile" +The private key to use. If not specified then the certificate file will +be used. +.Ip "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4 +.IX Item "-dcert filename, -dkey keyname" +specify an additional certificate and private key, these behave in the +same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default +if they are not specified (no additional certificate and key is used). As +noted above some cipher suites require a certificate containing a key of +a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key +and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys +a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites +by using an appropriate certificate. +.Ip "\fB\-nocert\fR" 4 +.IX Item "-nocert" +if this option is set then no certificate is used. This restricts the +cipher suites available to the anonymous ones (currently just anonymous +\&\s-1DH\s0). +.Ip "\fB\-dhparam filename\fR" 4 +.IX Item "-dhparam filename" +the \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys +using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to +load the parameters from the server certificate file. If this fails then +a static set of parameters hard coded into the s_server program will be used. +.Ip "\fB\-no_dhe\fR" 4 +.IX Item "-no_dhe" +if this option is set then no \s-1DH\s0 parameters will be loaded effectively +disabling the ephemeral \s-1DH\s0 cipher suites. +.Ip "\fB\-no_tmp_rsa\fR" 4 +.IX Item "-no_tmp_rsa" +certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option +disables temporary \s-1RSA\s0 key generation. +.Ip "\fB\-verify depth\fR, \fB\-Verify depth\fR" 4 +.IX Item "-verify depth, -Verify depth" +The verify depth to use. This specifies the maximum length of the +client certificate chain and makes the server request a certificate from +the client. With the \fB\-verify\fR option a certificate is requested but the +client does not have to send one, with the \fB\-Verify\fR option the client +must supply a certificate or an error occurs. +.Ip "\fB\-CApath directory\fR" 4 +.IX Item "-CApath directory" +The directory to use for client certificate verification. This directory +must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are +also used when building the server certificate chain. +.Ip "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file containing trusted certificates to use during client authentication +and to use when attempting to build the server certificate chain. The list +is also used in the list of acceptable client CAs passed to the client when +a certificate is requested. +.Ip "\fB\-state\fR" 4 +.IX Item "-state" +prints out the \s-1SSL\s0 session states. +.Ip "\fB\-debug\fR" 4 +.IX Item "-debug" +print extensive debugging information including a hex dump of all traffic. +.Ip "\fB\-msg\fR" 4 +.IX Item "-msg" +show all protocol messages with hex dump. +.Ip "\fB\-nbio_test\fR" 4 +.IX Item "-nbio_test" +tests non blocking I/O +.Ip "\fB\-nbio\fR" 4 +.IX Item "-nbio" +turns on non blocking I/O +.Ip "\fB\-crlf\fR" 4 +.IX Item "-crlf" +this option translated a line feed from the terminal into \s-1CR+LF\s0. +.Ip "\fB\-quiet\fR" 4 +.IX Item "-quiet" +inhibit printing of session and certificate information. +.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4 +.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1" +these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default +the initial handshake uses a method which should be compatible with all +servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate. +.Ip "\fB\-bugs\fR" 4 +.IX Item "-bugs" +there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +option enables various workarounds. +.Ip "\fB\-hack\fR" 4 +.IX Item "-hack" +this option enables a further workaround for some some early Netscape +\&\s-1SSL\s0 code (?). +.Ip "\fB\-cipher cipherlist\fR" 4 +.IX Item "-cipher cipherlist" +this allows the cipher list used by the server to be modified. When +the client sends a list of supported ciphers the first client cipher +also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist irrelevant. See +the \fBciphers\fR command for more information. +.Ip "\fB\-www\fR" 4 +.IX Item "-www" +sends a status message back to the client when it connects. This includes +lots of information about the ciphers used and various session parameters. +The output is in \s-1HTML\s0 format so this option will normally be used with a +web browser. +.Ip "\fB\-WWW\fR" 4 +.IX Item "-WWW" +emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the \s-1URL\s0 https://myhost/page.html is +requested the file ./page.html will be loaded. +.Ip "\fB\-HTTP\fR" 4 +.IX Item "-HTTP" +emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the \s-1URL\s0 https://myhost/page.html is +requested the file ./page.html will be loaded. The files loaded are +assumed to contain a complete and correct \s-1HTTP\s0 response (lines that +are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0). +.Ip "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by it's unique \fBid\fR string) will cause \fBs_server\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.SH "CONNECTED COMMANDS" +.IX Header "CONNECTED COMMANDS" +If a connection request is established with an \s-1SSL\s0 client and neither the +\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received +from the client is displayed and any key presses will be sent to the client. +.PP +Certain single letter commands are also recognized which perform special +operations: these are listed below. +.Ip "\fBq\fR" 4 +.IX Item "q" +end the current \s-1SSL\s0 connection but still accept new connections. +.Ip "\fBQ\fR" 4 +.IX Item "Q" +end the current \s-1SSL\s0 connection and exit. +.Ip "\fBr\fR" 4 +.IX Item "r" +renegotiate the \s-1SSL\s0 session. +.Ip "\fBR\fR" 4 +.IX Item "R" +renegotiate the \s-1SSL\s0 session and request a client certificate. +.Ip "\fBP\fR" 4 +.IX Item "P" +send some plain text down the underlying \s-1TCP\s0 connection: this should +cause the client to disconnect due to a protocol violation. +.Ip "\fBS\fR" 4 +.IX Item "S" +print out some session cache status information. +.SH "NOTES" +.IX Header "NOTES" +\&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from +a web browser the command: +.PP +.Vb 1 +\& openssl s_server -accept 443 -www +.Ve +can be used for example. +.PP +Most web browsers (in particular Netscape and \s-1MSIE\s0) only support \s-1RSA\s0 cipher +suites, so they cannot connect to servers which don't use a certificate +carrying an \s-1RSA\s0 key or a version of OpenSSL with \s-1RSA\s0 disabled. +.PP +Although specifying an empty list of CAs when requesting a client certificate +is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to +mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes. +.PP +The session parameters can printed out using the \fBsess_id\fR program. +.SH "BUGS" +.IX Header "BUGS" +Because this program has a lot of options and also because some of +the techniques used are rather old, the C source of s_server is rather +hard to read and not a model of how things should be done. A typical +\&\s-1SSL\s0 server program would be much simpler. +.PP +The output of common ciphers is wrong: it just gives the list of ciphers that +OpenSSL recognizes and the client supports. +.PP +There should be a way for the \fBs_server\fR program to print out details of any +unknown cipher suites a client says it supports. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +sess_id(1), s_client(1), ciphers(1) diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1 new file mode 100644 index 0000000..9a42c14 --- /dev/null +++ b/secure/usr.bin/openssl/man/sess_id.1 @@ -0,0 +1,258 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:28 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "sess_id 3" +.TH sess_id 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +sess_id \- \s-1SSL/TLS\s0 session handling utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBsess_id\fR +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-text\fR] +[\fB\-noout\fR] +[\fB\-context \s-1ID\s0\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBsess_id\fR process the encoded version of the \s-1SSL\s0 session structure +and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0 session +master key) in human readable format. Since this is a diagnostic tool that +needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will +not need to use it. +.Ip "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded +format containing session details. The precise format can vary from one version +to the next. The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR +format base64 encoded with additional header and footer lines. +.Ip "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read session information from or standard +input by default. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write session information to or standard +output if this option is not specified. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +prints out the various public or private key components in +plain text in addition to the encoded version. +.Ip "\fB\-cert\fR" 4 +.IX Item "-cert" +if a certificate is present in the session it will be output using this option, +if the \fB\-text\fR option is also present then it will be printed out in text form. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the encoded version of the session. +.Ip "\fB\-context \s-1ID\s0\fR" 4 +.IX Item "-context ID" +this option can set the session id so the output session information uses the +supplied \s-1ID\s0. The \s-1ID\s0 can be any string of characters. This option wont normally +be used. +.SH "OUTPUT" +.IX Header "OUTPUT" +Typical output: +.PP +.Vb 10 +\& SSL-Session: +\& Protocol : TLSv1 +\& Cipher : 0016 +\& Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED +\& Session-ID-ctx: 01000000 +\& Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD +\& Key-Arg : None +\& Start Time: 948459261 +\& Timeout : 300 (sec) +\& Verify return code 0 (ok) +.Ve +Theses are described below in more detail. +.Ip "\fBProtocol\fR" 4 +.IX Item "Protocol" +this is the protocol in use TLSv1, SSLv3 or SSLv2. +.Ip "\fBCipher\fR" 4 +.IX Item "Cipher" +the cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0 +or \s-1TLS\s0 specifications for more information. +.Ip "\fBSession-ID\fR" 4 +.IX Item "Session-ID" +the \s-1SSL\s0 session \s-1ID\s0 in hex format. +.Ip "\fBSession-ID-ctx\fR" 4 +.IX Item "Session-ID-ctx" +the session \s-1ID\s0 context in hex format. +.Ip "\fBMaster-Key\fR" 4 +.IX Item "Master-Key" +this is the \s-1SSL\s0 session master key. +.Ip "\fBKey-Arg\fR" 4 +.IX Item "Key-Arg" +the key argument, this is only used in \s-1SSL\s0 v2. +.Ip "\fBStart Time\fR" 4 +.IX Item "Start Time" +this is the session start time represented as an integer in standard Unix format. +.Ip "\fBTimeout\fR" 4 +.IX Item "Timeout" +the timeout in seconds. +.Ip "\fBVerify return code\fR" 4 +.IX Item "Verify return code" +this is the return code when an \s-1SSL\s0 client certificate is verified. +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 encoded session format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN SSL SESSION PARAMETERS----- +\& -----END SSL SESSION PARAMETERS----- +.Ve +Since the \s-1SSL\s0 session output contains the master key it is possible to read the contents +of an encrypted session using this information. Therefore appropriate security precautions +should be taken if the information is being output by a \*(L"real\*(R" application. This is +however strongly discouraged and should only be used for debugging purposes. +.SH "BUGS" +.IX Header "BUGS" +The cipher and start time should be printed out in human readable form. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +ciphers(1), s_server(1) diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1 new file mode 100644 index 0000000..1934b8c --- /dev/null +++ b/secure/usr.bin/openssl/man/smime.1 @@ -0,0 +1,473 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:29 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "smime 3" +.TH smime 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +smime \- S/MIME utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBsmime\fR +[\fB\-encrypt\fR] +[\fB\-decrypt\fR] +[\fB\-sign\fR] +[\fB\-verify\fR] +[\fB\-pk7out\fR] +[\fB\-des\fR] +[\fB\-des3\fR] +[\fB\-rc2\-40\fR] +[\fB\-rc2\-64\fR] +[\fB\-rc2\-128\fR] +[\fB\-in file\fR] +[\fB\-certfile file\fR] +[\fB\-signer file\fR] +[\fB\-recip file\fR] +[\fB\-inform SMIME|PEM|DER\fR] +[\fB\-passin arg\fR] +[\fB\-inkey file\fR] +[\fB\-out file\fR] +[\fB\-outform SMIME|PEM|DER\fR] +[\fB\-content file\fR] +[\fB\-to addr\fR] +[\fB\-from ad\fR] +[\fB\-subject s\fR] +[\fB\-text\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +[cert.pem]... +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and +verify S/MIME messages. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +There are five operation options that set the type of operation to be performed. +The meaning of the other options varies according to the operation type. +.Ip "\fB\-encrypt\fR" 4 +.IX Item "-encrypt" +encrypt mail for the given recipient certificates. Input file is the message +to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. +.Ip "\fB\-decrypt\fR" 4 +.IX Item "-decrypt" +decrypt mail using the supplied certificate and private key. Expects an +encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail +is written to the output file. +.Ip "\fB\-sign\fR" 4 +.IX Item "-sign" +sign mail using the supplied certificate and private key. Input file is +the message to be signed. The signed message in \s-1MIME\s0 format is written +to the output file. +.Ip "\fB\-verify\fR" 4 +.IX Item "-verify" +verify signed mail. Expects a signed mail message on input and outputs +the signed data. Both clear text and opaque signing is supported. +.Ip "\fB\-pk7out\fR" 4 +.IX Item "-pk7out" +takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +the input message to be encrypted or signed or the \s-1MIME\s0 message to +be decrypted or verified. +.Ip "\fB\-inform SMIME|PEM|DER\fR" 4 +.IX Item "-inform SMIME|PEM|DER" +this specifies the input format for the PKCS#7 structure. The default +is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR +format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures +instead. This currently only affects the input format of the PKCS#7 +structure, if no PKCS#7 structure is being input (for example with +\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +the message text that has been decrypted or verified or the output \s-1MIME\s0 +format message that has been signed or verified. +.Ip "\fB\-outform SMIME|PEM|DER\fR" 4 +.IX Item "-outform SMIME|PEM|DER" +this specifies the output format for the PKCS#7 structure. The default +is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR +format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures +instead. This currently only affects the output format of the PKCS#7 +structure, if no PKCS#7 structure is being output (for example with +\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. +.Ip "\fB\-content filename\fR" 4 +.IX Item "-content filename" +This specifies a file containing the detached content, this is only +useful with the \fB\-verify\fR command. This is only usable if the PKCS#7 +structure is using the detached signature form where the content is +not included. This option will override any content if the input format +is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied +message if encrypting or signing. If decrypting or verifying it strips +off text headers: if the decrypted or verified message is not of \s-1MIME\s0 +type text/plain then an error occurs. +.Ip "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. +.Ip "\fB\-CApath dir\fR" 4 +.IX Item "-CApath dir" +a directory containing trusted \s-1CA\s0 certificates, only used with +\&\fB\-verify\fR. This directory must be a standard certificate directory: that +is a hash of each subject name (using \fBx509 \-hash\fR) should be linked +to each certificate. +.Ip "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128\fR" 4 +.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128" +the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits) +or 40, 64 or 128 bit \s-1RC2\s0 respectively if not specified 40 bit \s-1RC2\s0 is +used. Only used with \fB\-encrypt\fR. +.Ip "\fB\-nointern\fR" 4 +.IX Item "-nointern" +when verifying a message normally certificates (if any) included in +the message are searched for the signing certificate. With this option +only the certificates specified in the \fB\-certfile\fR option are used. +The supplied certificates can still be used as untrusted CAs however. +.Ip "\fB\-noverify\fR" 4 +.IX Item "-noverify" +do not verify the signers certificate of a signed message. +.Ip "\fB\-nochain\fR" 4 +.IX Item "-nochain" +do not do chain verification of signers certificates: that is don't +use the certificates in the signed message as untrusted CAs. +.Ip "\fB\-nosigs\fR" 4 +.IX Item "-nosigs" +don't try to verify the signatures on the message. +.Ip "\fB\-nocerts\fR" 4 +.IX Item "-nocerts" +when signing a message the signer's certificate is normally included +with this option it is excluded. This will reduce the size of the +signed message but the verifier must have a copy of the signers certificate +available locally (passed using the \fB\-certfile\fR option for example). +.Ip "\fB\-noattr\fR" 4 +.IX Item "-noattr" +normally when a message is signed a set of attributes are included which +include the signing time and supported symmetric algorithms. With this +option they are not included. +.Ip "\fB\-binary\fR" 4 +.IX Item "-binary" +normally the input message is converted to \*(L"canonical\*(R" format which is +effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME +specification. When this option is present no translation occurs. This +is useful when handling binary data which may not be in \s-1MIME\s0 format. +.Ip "\fB\-nodetach\fR" 4 +.IX Item "-nodetach" +when signing a message use opaque signing: this form is more resistant +to translation by mail relays but it cannot be read by mail agents that +do not support S/MIME. Without this option cleartext signing with +the \s-1MIME\s0 type multipart/signed is used. +.Ip "\fB\-certfile file\fR" 4 +.IX Item "-certfile file" +allows additional certificates to be specified. When signing these will +be included with the message. When verifying these will be searched for +the signers certificates. The certificates should be in \s-1PEM\s0 format. +.Ip "\fB\-signer file\fR" 4 +.IX Item "-signer file" +the signers certificate when signing a message. If a message is +being verified then the signers certificates will be written to this +file if the verification was successful. +.Ip "\fB\-recip file\fR" 4 +.IX Item "-recip file" +the recipients certificate when decrypting a message. This certificate +must match one of the recipients of the message or an error occurs. +.Ip "\fB\-inkey file\fR" 4 +.IX Item "-inkey file" +the private key to use when signing or decrypting. This must match the +corresponding certificate. If this option is not specified then the +private key must be included in the certificate file specified with +the \fB\-recip\fR or \fB\-signer\fR file. +.Ip "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.Ip "\fBcert.pem...\fR" 4 +.IX Item "cert.pem..." +one or more certificates of message recipients: used when encrypting +a message. +.Ip "\fB\-to, \-from, \-subject\fR" 4 +.IX Item "-to, -from, -subject" +the relevant mail headers. These are included outside the signed +portion of a message so they may be included manually. If signing +then many S/MIME mail clients check the signers certificate's email +address matches that specified in the From: address. +.SH "NOTES" +.IX Header "NOTES" +The \s-1MIME\s0 message must be sent without any blank lines between the +headers and the output. Some mail programs will automatically add +a blank line. Piping the mail directly to sendmail is one way to +achieve the correct format. +.PP +The supplied message to be signed or encrypted must include the +necessary \s-1MIME\s0 headers or many S/MIME clients wont display it +properly (if at all). You can use the \fB\-text\fR option to automatically +add plain text headers. +.PP +A \*(L"signed and encrypted\*(R" message is one where a signed message is +then encrypted. This can be produced by encrypting an already signed +message: see the examples section. +.PP +This version of the program only allows one signer per message but it +will verify multiple signers on received messages. Some S/MIME clients +choke if a message contains multiple signers. It is possible to sign +messages \*(L"in parallel\*(R" by signing an already signed message. +.PP +The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME +clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 +encrypted data is used for other purposes. +.SH "EXIT CODES" +.IX Header "EXIT CODES" +.Ip "0" 4 +the operation was completely successfully. +.Ip "1" 4 +.IX Item "1" +an error occurred parsing the command options. +.Ip "2" 4 +.IX Item "2" +one of the input files could not be read. +.Ip "3" 4 +.IX Item "3" +an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0 +message. +.Ip "4" 4 +.IX Item "4" +an error occurred decrypting or verifying the message. +.Ip "5" 4 +.IX Item "5" +the message was verified correctly but an error occurred writing out +the signers certificates. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create a cleartext signed message: +.PP +.Vb 2 +\& openssl smime -sign -in message.txt -text -out mail.msg \e +\& -signer mycert.pem +.Ve +Create and opaque signed message +.PP +.Vb 2 +\& openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e +\& -signer mycert.pem +.Ve +Create a signed message, include some additional certificates and +read the private key from another file: +.PP +.Vb 2 +\& openssl smime -sign -in in.txt -text -out mail.msg \e +\& -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem +.Ve +Send a signed message under Unix directly to sendmail, including headers: +.PP +.Vb 3 +\& openssl smime -sign -in in.txt -text -signer mycert.pem \e +\& -from steve@openssl.org -to someone@somewhere \e +\& -subject "Signed message" | sendmail someone@somewhere +.Ve +Verify a message and extract the signer's certificate if successful: +.PP +.Vb 1 +\& openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt +.Ve +Send encrypted mail using triple \s-1DES:\s0 +.PP +.Vb 3 +\& openssl smime -encrypt -in in.txt -from steve@openssl.org \e +\& -to someone@somewhere -subject "Encrypted message" \e +\& -des3 user.pem -out mail.msg +.Ve +Sign and encrypt mail: +.PP +.Vb 4 +\& openssl smime -sign -in ml.txt -signer my.pem -text \e +\& | openssl smime -encrypt -out mail.msg \e +\& -from steve@openssl.org -to someone@somewhere \e +\& -subject "Signed and Encrypted message" -des3 user.pem +.Ve +Note: the encryption command does not include the \fB\-text\fR option because the message +being encrypted already has \s-1MIME\s0 headers. +.PP +Decrypt mail: +.PP +.Vb 1 +\& openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem +.Ve +The output from Netscape form signing is a PKCS#7 structure with the +detached signature format. You can use this program to verify the +signature by line wrapping the base64 encoded structure and surrounding +it with: +.PP +.Vb 2 +\& -----BEGIN PKCS7----- +\& -----END PKCS7----- +.Ve +and using the command, +.PP +.Vb 1 +\& openssl smime -verify -inform PEM -in signature.pem -content content.txt +.Ve +alternatively you can base64 decode the signature and use +.PP +.Vb 1 +\& openssl smime -verify -inform DER -in signature.der -content content.txt +.Ve +.SH "BUGS" +.IX Header "BUGS" +The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've thrown +at it but it may choke on others. +.PP +The code currently will only write out the signer's certificate to a file: if the +signer has a separate encryption certificate this must be manually extracted. There +should be some heuristic that determines the correct encryption certificate. +.PP +Ideally a database should be maintained of a certificates for each email address. +.PP +The code doesn't currently take note of the permitted symmetric encryption +algorithms as supplied in the SMIMECapabilities signed attribute. this means the +user has to manually include the correct encryption algorithm. It should store +the list of permitted ciphers in a database and only use those. +.PP +No revocation checking is done on the signer's certificate. +.PP +The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 +structures may cause parsing errors. diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1 new file mode 100644 index 0000000..db174ab --- /dev/null +++ b/secure/usr.bin/openssl/man/speed.1 @@ -0,0 +1,188 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:31 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "speed 3" +.TH speed 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +speed \- test library performance +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl speed\fR +[\fB\-engine id\fR] +[\fBmd2\fR] +[\fBmdc2\fR] +[\fBmd5\fR] +[\fBhmac\fR] +[\fBsha1\fR] +[\fBrmd160\fR] +[\fBidea-cbc\fR] +[\fBrc2\-cbc\fR] +[\fBrc5\-cbc\fR] +[\fBbf-cbc\fR] +[\fBdes-cbc\fR] +[\fBdes-ede3\fR] +[\fBrc4\fR] +[\fBrsa512\fR] +[\fBrsa1024\fR] +[\fBrsa2048\fR] +[\fBrsa4096\fR] +[\fBdsa512\fR] +[\fBdsa1024\fR] +[\fBdsa2048\fR] +[\fBidea\fR] +[\fBrc2\fR] +[\fBdes\fR] +[\fBrsa\fR] +[\fBblowfish\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to test the performance of cryptographic algorithms. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by it's unique \fBid\fR string) will cause \fBspeed\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.Ip "\fB[zero or more test algorithms]\fR" 4 +.IX Item "[zero or more test algorithms]" +If any options are given, \fBspeed\fR tests those algorithms, otherwise all of +the above are tested. diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1 new file mode 100644 index 0000000..96a7211 --- /dev/null +++ b/secure/usr.bin/openssl/man/spkac.1 @@ -0,0 +1,248 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:32 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "spkac 3" +.TH spkac 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +spkac \- \s-1SPKAC\s0 printing and generating utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBspkac\fR +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-key keyfile\fR] +[\fB\-passin arg\fR] +[\fB\-challenge string\fR] +[\fB\-pubkey\fR] +[\fB\-spkac spkacname\fR] +[\fB\-spksect section\fR] +[\fB\-noout\fR] +[\fB\-verify\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBspkac\fR command processes Netscape signed public key and challenge +(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and +produce its own SPKACs from a supplied private key. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read from or standard input if this +option is not specified. Ignored if the \fB\-key\fR option is used. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specifies the output filename to write to or standard output by +default. +.Ip "\fB\-key keyfile\fR" 4 +.IX Item "-key keyfile" +create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The +\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if +present. +.Ip "\fB\-passin password\fR" 4 +.IX Item "-passin password" +the input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). +.Ip "\fB\-challenge string\fR" 4 +.IX Item "-challenge string" +specifies the challenge string if an \s-1SPKAC\s0 is being created. +.Ip "\fB\-spkac spkacname\fR" 4 +.IX Item "-spkac spkacname" +allows an alternative name form the variable containing the +\&\s-1SPKAC\s0. The default is \*(L"\s-1SPKAC\s0\*(R". This option affects both +generated and input \s-1SPKAC\s0 files. +.Ip "\fB\-spksect section\fR" 4 +.IX Item "-spksect section" +allows an alternative name form the section containing the +\&\s-1SPKAC\s0. The default is the default section. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +don't output the text version of the \s-1SPKAC\s0 (not used if an +\&\s-1SPKAC\s0 is being created). +.Ip "\fB\-pubkey\fR" 4 +.IX Item "-pubkey" +output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is +being created). +.Ip "\fB\-verify\fR" 4 +.IX Item "-verify" +verifies the digital signature on the supplied \s-1SPKAC\s0. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Print out the contents of an \s-1SPKAC:\s0 +.PP +.Vb 1 +\& openssl spkac -in spkac.cnf +.Ve +Verify the signature of an \s-1SPKAC:\s0 +.PP +.Vb 1 +\& openssl spkac -in spkac.cnf -noout -verify +.Ve +Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R": +.PP +.Vb 1 +\& openssl spkac -key key.pem -challenge hello -out spkac.cnf +.Ve +Example of an \s-1SPKAC\s0, (long lines split up for clarity): +.PP +.Vb 5 +\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e +\& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e +\& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e +\& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e +\& 4= +.Ve +.SH "NOTES" +.IX Header "NOTES" +A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into +the \fBca\fR utility. +.PP +SPKACs are typically generated by Netscape when a form is submitted +containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment +process. +.PP +The challenge string permits a primitive form of proof of possession +of private key. By checking the \s-1SPKAC\s0 signature and a random challenge +string some guarantee is given that the user knows the private key +corresponding to the public key being certified. This is important in +some applications. Without this it is possible for a previous \s-1SPKAC\s0 +to be used in a \*(L"replay attack\*(R". +.SH "SEE ALSO" +.IX Header "SEE ALSO" +ca(1) diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1 new file mode 100644 index 0000000..f9b7d6a --- /dev/null +++ b/secure/usr.bin/openssl/man/verify.1 @@ -0,0 +1,408 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:33 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "verify 3" +.TH verify 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +verify \- Utility to verify certificates. +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBverify\fR +[\fB\-CApath directory\fR] +[\fB\-CAfile file\fR] +[\fB\-purpose purpose\fR] +[\fB\-untrusted file\fR] +[\fB\-help\fR] +[\fB\-issuer_checks\fR] +[\fB\-verbose\fR] +[\fB-\fR] +[certificates] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBverify\fR command verifies certificate chains. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.Ip "\fB\-CApath directory\fR" 4 +.IX Item "-CApath directory" +A directory of trusted certificates. The certificates should have names +of the form: hash.0 or have symbolic links to them of this +form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option +of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically +create symbolic links to a directory of certificates. +.Ip "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file of trusted certificates. The file should contain multiple certificates +in \s-1PEM\s0 format concatenated together. +.Ip "\fB\-untrusted file\fR" 4 +.IX Item "-untrusted file" +A file of untrusted certificates. The file should contain multiple certificates +.Ip "\fB\-purpose purpose\fR" 4 +.IX Item "-purpose purpose" +the intended use for the certificate. Without this option no chain verification +will be done. Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, +\&\fBnssslserver\fR, \fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR +section for more information. +.Ip "\fB\-help\fR" 4 +.IX Item "-help" +prints out a usage message. +.Ip "\fB\-verbose\fR" 4 +.IX Item "-verbose" +print extra information about the operations being performed. +.Ip "\fB\-issuer_checks\fR" 4 +.IX Item "-issuer_checks" +print out diagnostics relating to searches for the issuer certificate +of the current certificate. This shows why each candidate issuer +certificate was rejected. However the presence of rejection messages +does not itself imply that anything is wrong: during the normal +verify process several rejections may take place. +.Ip "\fB-\fR" 4 +.IX Item "-" +marks the last option. All arguments following this are assumed to be +certificate files. This is useful if the first certificate filename begins +with a \fB-\fR. +.Ip "\fBcertificates\fR" 4 +.IX Item "certificates" +one or more certificates to verify. If no certificate filenames are included +then an attempt is made to read a certificate from standard input. They should +all be in \s-1PEM\s0 format. +.SH "VERIFY OPERATION" +.IX Header "VERIFY OPERATION" +The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME +verification, therefore this description applies to these verify operations +too. +.PP +There is one crucial difference between the verify operations performed +by the \fBverify\fR program: wherever possible an attempt is made to continue +after an error whereas normally the verify operation would halt on the +first error. This allows all the problems with a certificate chain to be +determined. +.PP +The verify operation consists of a number of separate steps. +.PP +Firstly a certificate chain is built up starting from the supplied certificate +and ending in the root \s-1CA\s0. It is an error if the whole chain cannot be built +up. The chain is built up by looking up the issuers certificate of the current +certificate. If a certificate is found which is its own issuer it is assumed +to be the root \s-1CA\s0. +.PP +The process of 'looking up the issuers certificate' itself involves a number +of steps. In versions of OpenSSL before 0.9.5a the first certificate whose +subject name matched the issuer of the current certificate was assumed to be +the issuers certificate. In OpenSSL 0.9.6 and later all certificates +whose subject name matches the issuer name of the current certificate are +subject to further tests. The relevant authority key identifier components +of the current certificate (if present) must match the subject key identifier +(if present) and issuer and serial number of the candidate issuer, in addition +the keyUsage extension of the candidate issuer (if present) must permit +certificate signing. +.PP +The lookup first looks in the list of untrusted certificates and if no match +is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0 +is always looked up in the trusted certificate list: if the certificate to +verify is a root certificate then an exact match must be found in the trusted +list. +.PP +The second operation is to check every untrusted certificate's extensions for +consistency with the supplied purpose. If the \fB\-purpose\fR option is not included +then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions +compatible with the supplied purpose and all other certificates must also be valid +\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in +the \fB\s-1CERTIFICATE\s0 \s-1EXTENSIONS\s0\fR section of the \fBx509\fR utility. +.PP +The third operation is to check the trust settings on the root \s-1CA\s0. The root +\&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous +versions of SSLeay and OpenSSL a certificate with no trust settings is considered +to be valid for all purposes. +.PP +The final operation is to check the validity of the certificate chain. The validity +period is checked against the current system time and the notBefore and notAfter +dates in the certificate. The certificate signatures are also checked at this +point. +.PP +If all operations complete successfully then certificate is considered valid. If +any operation fails then the certificate is not valid. +.SH "DIAGNOSTICS" +.IX Header "DIAGNOSTICS" +When a verify operation fails the output messages can be somewhat cryptic. The +general form of the error message is: +.PP +.Vb 2 +\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) +\& error 24 at 1 depth lookup:invalid CA certificate +.Ve +The first line contains the name of the certificate being verified followed by +the subject name of the certificate. The second line contains the error number +and the depth. The depth is number of the certificate being verified when a +problem was detected starting with zero for the certificate being verified itself +then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version +of the error number is presented. +.PP +An exhaustive list of the error codes and messages is shown below, this also +includes the name of the error code as defined in the header file x509_vfy.h +Some of the error codes are defined but never returned: these are described +as \*(L"unused\*(R". +.Ip "\fB0 X509_V_OK: ok\fR" 4 +.IX Item "0 X509_V_OK: ok" +the operation was successful. +.Ip "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4 +.IX Item "2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate" +the issuer certificate could not be found: this occurs if the issuer certificate +of an untrusted certificate cannot be found. +.Ip "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate \s-1CRL\s0\fR" 4 +.IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL" +the \s-1CRL\s0 of a certificate could not be found. Unused. +.Ip "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4 +.IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature" +the certificate signature could not be decrypted. This means that the actual signature value +could not be determined rather than it not matching the expected value, this is only +meaningful for \s-1RSA\s0 keys. +.Ip "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4 +.IX Item "5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature" +the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value +could not be determined rather than it not matching the expected value. Unused. +.Ip "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4 +.IX Item "6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key" +the public key in the certificate SubjectPublicKeyInfo could not be read. +.Ip "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4 +.IX Item "7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure" +the signature of the certificate is invalid. +.Ip "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4 +.IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure" +the signature of the certificate is invalid. Unused. +.Ip "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4 +.IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid" +the certificate is not yet valid: the notBefore date is after the current time. +.Ip "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4 +.IX Item "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired" +the certificate has expired: that is the notAfter date is before the current time. +.Ip "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4 +.IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid" +the \s-1CRL\s0 is not yet valid. Unused. +.Ip "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4 +.IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired" +the \s-1CRL\s0 has expired. Unused. +.Ip "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4 +.IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field" +the certificate notBefore field contains an invalid time. +.Ip "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4 +.IX Item "14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field" +the certificate notAfter field contains an invalid time. +.Ip "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4 +.IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field" +the \s-1CRL\s0 lastUpdate field contains an invalid time. Unused. +.Ip "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4 +.IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field" +the \s-1CRL\s0 nextUpdate field contains an invalid time. Unused. +.Ip "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4 +.IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory" +an error occurred trying to allocate memory. This should never happen. +.Ip "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4 +.IX Item "18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate" +the passed certificate is self signed and the same certificate cannot be found in the list of +trusted certificates. +.Ip "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4 +.IX Item "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain" +the certificate chain could be built up using the untrusted certificates but the root could not +be found locally. +.Ip "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4 +.IX Item "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate" +the issuer certificate of a locally looked up certificate could not be found. This normally means +the list of trusted certificates is not complete. +.Ip "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4 +.IX Item "21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate" +no signatures could be verified because the chain contains only one certificate and it is not +self signed. +.Ip "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4 +.IX Item "22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long" +the certificate chain length is greater than the supplied maximum depth. Unused. +.Ip "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4 +.IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked" +the certificate has been revoked. Unused. +.Ip "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4 +.IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate" +a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent +with the supplied purpose. +.Ip "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4 +.IX Item "25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded" +the basicConstraints pathlength parameter has been exceeded. +.Ip "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4 +.IX Item "26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose" +the supplied certificate cannot be used for the specified purpose. +.Ip "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4 +.IX Item "27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted" +the root \s-1CA\s0 is not marked as trusted for the specified purpose. +.Ip "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4 +.IX Item "28 X509_V_ERR_CERT_REJECTED: certificate rejected" +the root \s-1CA\s0 is marked to reject the specified purpose. +.Ip "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4 +.IX Item "29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch" +the current candidate issuer certificate was rejected because its subject name +did not match the issuer name of the current certificate. Only displayed when +the \fB\-issuer_checks\fR option is set. +.Ip "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4 +.IX Item "30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch" +the current candidate issuer certificate was rejected because its subject key +identifier was present and did not match the authority key identifier current +certificate. Only displayed when the \fB\-issuer_checks\fR option is set. +.Ip "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4 +.IX Item "31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch" +the current candidate issuer certificate was rejected because its issuer name +and serial number was present and did not match the authority key identifier +of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set. +.Ip "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4 +.IX Item "32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing" +the current candidate issuer certificate was rejected because its keyUsage extension +does not permit certificate signing. +.Ip "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4 +.IX Item "50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure" +an application specific error. Unused. +.SH "BUGS" +.IX Header "BUGS" +Although the issuer checks are a considerably improvement over the old technique they still +suffer from limitations in the underlying X509_LOOKUP \s-1API\s0. One consequence of this is that +trusted certificates with matching subject name must either appear in a file (as specified by the +\&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only +the certificates in the file will be recognised. +.PP +Previous versions of OpenSSL assume certificates with matching subject name are identical and +mishandled them. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +x509(1) diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1 new file mode 100644 index 0000000..6337fe9 --- /dev/null +++ b/secure/usr.bin/openssl/man/version.1 @@ -0,0 +1,186 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:34 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "version 3" +.TH version 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +version \- print OpenSSL version information +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl version\fR +[\fB\-a\fR] +[\fB\-v\fR] +[\fB\-b\fR] +[\fB\-o\fR] +[\fB\-f\fR] +[\fB\-p\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This command is used to print out version information about OpenSSL. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-a\fR" 4 +.IX Item "-a" +all information, this is the same as setting all the other flags. +.Ip "\fB\-v\fR" 4 +.IX Item "-v" +the current OpenSSL version. +.Ip "\fB\-b\fR" 4 +.IX Item "-b" +the date the current version of OpenSSL was built. +.Ip "\fB\-o\fR" 4 +.IX Item "-o" +option information: various options set when the library was built. +.Ip "\fB\-c\fR" 4 +.IX Item "-c" +compilation flags. +.Ip "\fB\-p\fR" 4 +.IX Item "-p" +platform setting. +.Ip "\fB\-d\fR" 4 +.IX Item "-d" +\&\s-1OPENSSLDIR\s0 setting. +.SH "NOTES" +.IX Header "NOTES" +The output of \fBopenssl version \-a\fR would typically be used when sending +in a bug report. +.SH "HISTORY" +.IX Header "HISTORY" +The \fB\-d\fR option was added in OpenSSL 0.9.7. diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1 new file mode 100644 index 0000000..d1530c5 --- /dev/null +++ b/secure/usr.bin/openssl/man/x509.1 @@ -0,0 +1,829 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:35 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "x509 3" +.TH x509 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +x509 \- Certificate display and signing utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBx509\fR +[\fB\-inform DER|PEM|NET\fR] +[\fB\-outform DER|PEM|NET\fR] +[\fB\-keyform DER|PEM\fR] +[\fB\-CAform DER|PEM\fR] +[\fB\-CAkeyform DER|PEM\fR] +[\fB\-in filename\fR] +[\fB\-out filename\fR] +[\fB\-serial\fR] +[\fB\-hash\fR] +[\fB\-subject\fR] +[\fB\-issuer\fR] +[\fB\-nameopt option\fR] +[\fB\-email\fR] +[\fB\-startdate\fR] +[\fB\-enddate\fR] +[\fB\-purpose\fR] +[\fB\-dates\fR] +[\fB\-modulus\fR] +[\fB\-fingerprint\fR] +[\fB\-alias\fR] +[\fB\-noout\fR] +[\fB\-trustout\fR] +[\fB\-clrtrust\fR] +[\fB\-clrreject\fR] +[\fB\-addtrust arg\fR] +[\fB\-addreject arg\fR] +[\fB\-setalias arg\fR] +[\fB\-days arg\fR] +[\fB\-set_serial n\fR] +[\fB\-signkey filename\fR] +[\fB\-x509toreq\fR] +[\fB\-req\fR] +[\fB\-CA filename\fR] +[\fB\-CAkey filename\fR] +[\fB\-CAcreateserial\fR] +[\fB\-CAserial filename\fR] +[\fB\-text\fR] +[\fB\-C\fR] +[\fB\-md2|\-md5|\-sha1|\-mdc2\fR] +[\fB\-clrext\fR] +[\fB\-extfile filename\fR] +[\fB\-extensions section\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBx509\fR command is a multi purpose certificate utility. It can be +used to display certificate information, convert certificates to +various forms, sign certificate requests like a \*(L"mini \s-1CA\s0\*(R" or edit +certificate trust settings. +.PP +Since there are a large number of options they will split up into +various sections. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Sh "\s-1INPUT\s0, \s-1OUTPUT\s0 \s-1AND\s0 \s-1GENERAL\s0 \s-1PURPOSE\s0 \s-1OPTIONS\s0" +.IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS" +.Ip "\fB\-inform DER|PEM|NET\fR" 4 +.IX Item "-inform DER|PEM|NET" +This specifies the input format normally the command will expect an X509 +certificate but this can change if other options such as \fB\-req\fR are +present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0 +is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines +added. The \s-1NET\s0 option is an obscure Netscape server format that is now +obsolete. +.Ip "\fB\-outform DER|PEM|NET\fR" 4 +.IX Item "-outform DER|PEM|NET" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.Ip "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a certificate from or standard input +if this option is not specified. +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write to or standard output by +default. +.Ip "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4 +.IX Item "-md2|-md5|-sha1|-mdc2" +the digest to use. This affects any signing or display option that uses a message +digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not +specified then \s-1MD5\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key then +this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys. +.Sh "\s-1DISPLAY\s0 \s-1OPTIONS\s0" +.IX Subsection "DISPLAY OPTIONS" +Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options +but are described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section. +.Ip "\fB\-text\fR" 4 +.IX Item "-text" +prints out the certificate in text form. Full details are output including the +public key, signature algorithms, issuer and subject names, serial number +any extensions present and any trust settings. +.Ip "\fB\-certopt option\fR" 4 +.IX Item "-certopt option" +customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be +a single option or multiple options separated by commas. The \fB\-certopt\fR switch +may be also be used more than once to set multiple options. See the \fB\s-1TEXT\s0 \s-1OPTIONS\s0\fR +section for more information. +.Ip "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the encoded version of the request. +.Ip "\fB\-modulus\fR" 4 +.IX Item "-modulus" +this option prints out the value of the modulus of the public key +contained in the certificate. +.Ip "\fB\-serial\fR" 4 +.IX Item "-serial" +outputs the certificate serial number. +.Ip "\fB\-hash\fR" 4 +.IX Item "-hash" +outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to +form an index to allow certificates in a directory to be looked up by subject +name. +.Ip "\fB\-subject\fR" 4 +.IX Item "-subject" +outputs the subject name. +.Ip "\fB\-issuer\fR" 4 +.IX Item "-issuer" +outputs the issuer name. +.Ip "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more information. +.Ip "\fB\-email\fR" 4 +.IX Item "-email" +outputs the email address(es) if any. +.Ip "\fB\-startdate\fR" 4 +.IX Item "-startdate" +prints out the start date of the certificate, that is the notBefore date. +.Ip "\fB\-enddate\fR" 4 +.IX Item "-enddate" +prints out the expiry date of the certificate, that is the notAfter date. +.Ip "\fB\-dates\fR" 4 +.IX Item "-dates" +prints out the start and expiry dates of a certificate. +.Ip "\fB\-fingerprint\fR" 4 +.IX Item "-fingerprint" +prints out the digest of the \s-1DER\s0 encoded version of the whole certificate +(see digest options). +.Ip "\fB\-C\fR" 4 +.IX Item "-C" +this outputs the certificate in the form of a C source file. +.Sh "\s-1TRUST\s0 \s-1SETTINGS\s0" +.IX Subsection "TRUST SETTINGS" +Please note these options are currently experimental and may well change. +.PP +A \fBtrusted certificate\fR is an ordinary certificate which has several +additional pieces of information attached to it such as the permitted +and prohibited uses of the certificate and an \*(L"alias\*(R". +.PP +Normally when a certificate is being verified at least one certificate +must be \*(L"trusted\*(R". By default a trusted certificate must be stored +locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0 +is then usable for any purpose. +.PP +Trust settings currently are only used with a root \s-1CA\s0. They allow a finer +control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0 +may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use. +.PP +See the description of the \fBverify\fR utility for more information on the +meaning of trust settings. +.PP +Future versions of OpenSSL will recognize trust settings on any +certificate: not just root CAs. +.Ip "\fB\-trustout\fR" 4 +.IX Item "-trustout" +this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary +or trusted certificate can be input but by default an ordinary +certificate is output and any trust settings are discarded. With the +\&\fB\-trustout\fR option a trusted certificate is output. A trusted +certificate is automatically output if any trust settings are modified. +.Ip "\fB\-setalias arg\fR" 4 +.IX Item "-setalias arg" +sets the alias of the certificate. This will allow the certificate +to be referred to using a nickname for example \*(L"Steve's Certificate\*(R". +.Ip "\fB\-alias\fR" 4 +.IX Item "-alias" +outputs the certificate alias, if any. +.Ip "\fB\-clrtrust\fR" 4 +.IX Item "-clrtrust" +clears all the permitted or trusted uses of the certificate. +.Ip "\fB\-clrreject\fR" 4 +.IX Item "-clrreject" +clears all the prohibited or rejected uses of the certificate. +.Ip "\fB\-addtrust arg\fR" 4 +.IX Item "-addtrust arg" +adds a trusted certificate use. Any object name can be used here +but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR +(\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used. +Other OpenSSL applications may define additional uses. +.Ip "\fB\-addreject arg\fR" 4 +.IX Item "-addreject arg" +adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR +option. +.Ip "\fB\-purpose\fR" 4 +.IX Item "-purpose" +this option performs tests on the certificate extensions and outputs +the results. For a more complete description see the \fB\s-1CERTIFICATE\s0 +\&\s-1EXTENSIONS\s0\fR section. +.Sh "\s-1SIGNING\s0 \s-1OPTIONS\s0" +.IX Subsection "SIGNING OPTIONS" +The \fBx509\fR utility can be used to sign certificates and requests: it +can thus behave like a \*(L"mini \s-1CA\s0\*(R". +.Ip "\fB\-signkey filename\fR" 4 +.IX Item "-signkey filename" +this option causes the input file to be self signed using the supplied +private key. +.Sp +If the input file is a certificate it sets the issuer name to the +subject name (i.e. makes it self signed) changes the public key to the +supplied value and changes the start and end dates. The start date is +set to the current time and the end date is set to a value determined +by the \fB\-days\fR option. Any certificate extensions are retained unless +the \fB\-clrext\fR option is supplied. +.Sp +If the input is a certificate request then a self signed certificate +is created using the supplied private key using the subject name in +the request. +.Ip "\fB\-clrext\fR" 4 +.IX Item "-clrext" +delete any extensions from a certificate. This option is used when a +certificate is being created from another certificate (for example with +the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are +retained. +.Ip "\fB\-keyform PEM|DER\fR" 4 +.IX Item "-keyform PEM|DER" +specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the +\&\fB\-signkey\fR option. +.Ip "\fB\-days arg\fR" 4 +.IX Item "-days arg" +specifies the number of days to make a certificate valid for. The default +is 30 days. +.Ip "\fB\-x509toreq\fR" 4 +.IX Item "-x509toreq" +converts a certificate into a certificate request. The \fB\-signkey\fR option +is used to pass the required private key. +.Ip "\fB\-req\fR" 4 +.IX Item "-req" +by default a certificate is expected on input. With this option a +certificate request is expected instead. +.Ip "\fB\-set_serial n\fR" 4 +.IX Item "-set_serial n" +specifies the serial number to use. This option can be used with either +the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR +option the serial number file (as specified by the \fB\-CAserial\fR or +\&\fB\-CAcreateserial\fR options) is not used. +.Sp +The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative +serial numbers can also be specified but their use is not recommended. +.Ip "\fB\-CA filename\fR" 4 +.IX Item "-CA filename" +specifies the \s-1CA\s0 certificate to be used for signing. When this option is +present \fBx509\fR behaves like a \*(L"mini \s-1CA\s0\*(R". The input file is signed by this +\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name +of the \s-1CA\s0 and it is digitally signed using the CAs private key. +.Sp +This option is normally combined with the \fB\-req\fR option. Without the +\&\fB\-req\fR option the input is a certificate which must be self signed. +.Ip "\fB\-CAkey filename\fR" 4 +.IX Item "-CAkey filename" +sets the \s-1CA\s0 private key to sign a certificate with. If this option is +not specified then it is assumed that the \s-1CA\s0 private key is present in +the \s-1CA\s0 certificate file. +.Ip "\fB\-CAserial filename\fR" 4 +.IX Item "-CAserial filename" +sets the \s-1CA\s0 serial number file to use. +.Sp +When the \fB\-CA\fR option is used to sign a certificate it uses a serial +number specified in a file. This file consist of one line containing +an even number of hex digits with the serial number to use. After each +use the serial number is incremented and written out to the file again. +.Sp +The default filename consists of the \s-1CA\s0 certificate file base name with +\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called +\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R". +.Ip "\fB\-CAcreateserial\fR" 4 +.IX Item "-CAcreateserial" +with this option the \s-1CA\s0 serial number file is created if it does not exist: +it will contain the serial number \*(L"02\*(R" and the certificate being signed will +have the 1 as its serial number. Normally if the \fB\-CA\fR option is specified +and the serial number file does not exist it is an error. +.Ip "\fB\-extfile filename\fR" 4 +.IX Item "-extfile filename" +file containing certificate extensions to use. If not specified then +no extensions are added to the certificate. +.Ip "\fB\-extensions section\fR" 4 +.IX Item "-extensions section" +the section to add certificate extensions from. If this option is not +specified then the extensions should either be contained in the unnamed +(default) section or the default section should contain a variable called +\&\*(L"extensions\*(R" which contains the section to use. +.Sh "\s-1NAME\s0 \s-1OPTIONS\s0" +.IX Subsection "NAME OPTIONS" +The \fBnameopt\fR command line switch determines how the subject and issuer +names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R" +format is used which is compatible with previous versions of OpenSSL. +Each option is described in detail below, all options can be preceded by +a \fB-\fR to turn the option off. Only the first four will normally be used. +.Ip "\fBcompat\fR" 4 +.IX Item "compat" +use the old format. This is equivalent to specifying no name options at all. +.Ip "\fB\s-1RFC2253\s0\fR" 4 +.IX Item "RFC2253" +displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, +\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR, +\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR. +.Ip "\fBoneline\fR" 4 +.IX Item "oneline" +a oneline format which is more readable than \s-1RFC2253\s0. It is equivalent to +specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, +\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_spc\fR, \fBspc_eq\fR and \fBsname\fR +options. +.Ip "\fBmultiline\fR" 4 +.IX Item "multiline" +a multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, +\&\fBspc_eq\fR, \fBlname\fR and \fBalign\fR. +.Ip "\fBesc_2253\fR" 4 +.IX Item "esc_2253" +escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field That is +\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string +and a space character at the beginning or end of a string. +.Ip "\fBesc_ctrl\fR" 4 +.IX Item "esc_ctrl" +escape control characters. That is those with \s-1ASCII\s0 values less than +0x20 (space) and the delete (0x7f) character. They are escaped using the +\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the +character value). +.Ip "\fBesc_msb\fR" 4 +.IX Item "esc_msb" +escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than +127. +.Ip "\fBuse_quote\fR" 4 +.IX Item "use_quote" +escapes some characters by surrounding the whole string with \fB"\fR characters, +without the option all escaping is done with the \fB\e\fR character. +.Ip "\fButf8\fR" 4 +.IX Item "utf8" +convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253\s0. If +you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use +of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct +display of multibyte (international) characters. Is this option is not +present then multibyte characters larger than 0xff will be represented +using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits. +Also if this option is off any UTF8Strings will be converted to their +character form first. +.Ip "\fBno_type\fR" 4 +.IX Item "no_type" +this option does not attempt to interpret multibyte characters in any +way. That is their content octets are merely dumped as though one octet +represents each character. This is useful for diagnostic purposes but +will result in rather odd looking output. +.Ip "\fBshow_type\fR" 4 +.IX Item "show_type" +show the type of the \s-1ASN1\s0 character string. The type precedes the +field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R". +.Ip "\fBdump_der\fR" 4 +.IX Item "dump_der" +when this option is set any fields that need to be hexdumped will +be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the +content octets will be displayed. Both options use the \s-1RFC2253\s0 +\&\fB#XXXX...\fR format. +.Ip "\fBdump_nostr\fR" 4 +.IX Item "dump_nostr" +dump non character string types (for example \s-1OCTET\s0 \s-1STRING\s0) if this +option is not set then non character string types will be displayed +as though each content octet represents a single character. +.Ip "\fBdump_all\fR" 4 +.IX Item "dump_all" +dump all fields. This option when used with \fBdump_der\fR allows the +\&\s-1DER\s0 encoding of the structure to be unambiguously determined. +.Ip "\fBdump_unknown\fR" 4 +.IX Item "dump_unknown" +dump any field whose \s-1OID\s0 is not recognised by OpenSSL. +.Ip "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4 +.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline" +these options determine the field separators. The first character is +between RDNs and the second between multiple AVAs (multiple AVAs are +very rare and their use is discouraged). The options ending in +\&\*(L"space\*(R" additionally place a space after the separator to make it +more readable. The \fBsep_multiline\fR uses a linefeed character for +the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also +indents the fields by four characters. +.Ip "\fBdn_rev\fR" 4 +.IX Item "dn_rev" +reverse the fields of the \s-1DN\s0. This is required by \s-1RFC2253\s0. As a side +effect this also reverses the order of multiple AVAs but this is +permissible. +.Ip "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4 +.IX Item "nofname, sname, lname, oid" +these options alter how the field name is displayed. \fBnofname\fR does +not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form +(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form. +\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for +diagnostic purpose. +.Ip "\fBalign\fR" 4 +.IX Item "align" +align field values for a more readable output. Only usable with +\&\fBsep_multiline\fR. +.Ip "\fBspc_eq\fR" 4 +.IX Item "spc_eq" +places spaces round the \fB=\fR character which follows the field +name. +.Sh "\s-1TEXT\s0 \s-1OPTIONS\s0" +.IX Subsection "TEXT OPTIONS" +As well as customising the name output format, it is also possible to +customise the actual fields printed using the \fBcertopt\fR options when +the \fBtext\fR option is present. The default behaviour is to print all fields. +.Ip "\fBcompatible\fR" 4 +.IX Item "compatible" +use the old format. This is equivalent to specifying no output options at all. +.Ip "\fBno_header\fR" 4 +.IX Item "no_header" +don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R". +.Ip "\fBno_version\fR" 4 +.IX Item "no_version" +don't print out the version number. +.Ip "\fBno_serial\fR" 4 +.IX Item "no_serial" +don't print out the serial number. +.Ip "\fBno_signame\fR" 4 +.IX Item "no_signame" +don't print out the signature algorithm used. +.Ip "\fBno_validity\fR" 4 +.IX Item "no_validity" +don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields. +.Ip "\fBno_subject\fR" 4 +.IX Item "no_subject" +don't print out the subject name. +.Ip "\fBno_issuer\fR" 4 +.IX Item "no_issuer" +don't print out the issuer name. +.Ip "\fBno_pubkey\fR" 4 +.IX Item "no_pubkey" +don't print out the public key. +.Ip "\fBno_sigdump\fR" 4 +.IX Item "no_sigdump" +don't give a hexadecimal dump of the certificate signature. +.Ip "\fBno_aux\fR" 4 +.IX Item "no_aux" +don't print out certificate trust information. +.Ip "\fBno_extensions\fR" 4 +.IX Item "no_extensions" +don't print out any X509V3 extensions. +.Ip "\fBext_default\fR" 4 +.IX Item "ext_default" +retain default extension behaviour: attempt to print out unsupported certificate extensions. +.Ip "\fBext_error\fR" 4 +.IX Item "ext_error" +print an error message for unsupported certificate extensions. +.Ip "\fBext_parse\fR" 4 +.IX Item "ext_parse" +\&\s-1ASN1\s0 parse unsupported extensions. +.Ip "\fBext_dump\fR" 4 +.IX Item "ext_dump" +hex dump unsupported extensions. +.Ip "\fBca_default\fR" 4 +.IX Item "ca_default" +the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR, +\&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Note: in these examples the '\e' means the example should be all on one +line. +.PP +Display the contents of a certificate: +.PP +.Vb 1 +\& openssl x509 -in cert.pem -noout -text +.Ve +Display the certificate serial number: +.PP +.Vb 1 +\& openssl x509 -in cert.pem -noout -serial +.Ve +Display the certificate subject name: +.PP +.Vb 1 +\& openssl x509 -in cert.pem -noout -subject +.Ve +Display the certificate subject name in \s-1RFC2253\s0 form: +.PP +.Vb 1 +\& openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 +.Ve +Display the certificate subject name in oneline form on a terminal +supporting \s-1UTF8:\s0 +.PP +.Vb 1 +\& openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb +.Ve +Display the certificate \s-1MD5\s0 fingerprint: +.PP +.Vb 1 +\& openssl x509 -in cert.pem -noout -fingerprint +.Ve +Display the certificate \s-1SHA1\s0 fingerprint: +.PP +.Vb 1 +\& openssl x509 -sha1 -in cert.pem -noout -fingerprint +.Ve +Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format: +.PP +.Vb 1 +\& openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER +.Ve +Convert a certificate to a certificate request: +.PP +.Vb 1 +\& openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem +.Ve +Convert a certificate request into a self signed certificate using +extensions for a \s-1CA:\s0 +.PP +.Vb 2 +\& openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \e +\& -signkey key.pem -out cacert.pem +.Ve +Sign a certificate request using the \s-1CA\s0 certificate above and add user +certificate extensions: +.PP +.Vb 2 +\& openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \e +\& -CA cacert.pem -CAkey key.pem -CAcreateserial +.Ve +Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to +\&\*(L"Steve's Class 1 \s-1CA\s0\*(R" +.PP +.Vb 2 +\& openssl x509 -in cert.pem -addtrust sslclient \e +\& -alias "Steve's Class 1 CA" -out trust.pem +.Ve +.SH "NOTES" +.IX Header "NOTES" +The \s-1PEM\s0 format uses the header and footer lines: +.PP +.Vb 2 +\& -----BEGIN CERTIFICATE----- +\& -----END CERTIFICATE----- +.Ve +it will also handle files containing: +.PP +.Vb 2 +\& -----BEGIN X509 CERTIFICATE----- +\& -----END X509 CERTIFICATE----- +.Ve +Trusted certificates have the lines +.PP +.Vb 2 +\& -----BEGIN TRUSTED CERTIFICATE----- +\& -----END TRUSTED CERTIFICATE----- +.Ve +The conversion to \s-1UTF8\s0 format used with the name options assumes that +T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape +and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect +it is more likely to display the majority of certificates correctly. +.PP +The \fB\-fingerprint\fR option takes the digest of the \s-1DER\s0 encoded certificate. +This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message +digests the fingerprint of a certificate is unique to that certificate and +two certificates with the same fingerprint can be considered to be the same. +.PP +The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1\s0. +.PP +The \fB\-email\fR option searches the subject name and the subject alternative +name extension. Only unique email addresses will be printed out: it will +not print the same address more than once. +.SH "CERTIFICATE EXTENSIONS" +.IX Header "CERTIFICATE EXTENSIONS" +The \fB\-purpose\fR option checks the certificate extensions and determines +what the certificate can be used for. The actual checks done are rather +complex and include various hacks and workarounds to handle broken +certificates and software. +.PP +The same code is used when verifying untrusted certificates in chains +so this section is useful if a chain is rejected by the verify code. +.PP +The basicConstraints extension \s-1CA\s0 flag is used to determine whether the +certificate can be used as a \s-1CA\s0. If the \s-1CA\s0 flag is true then it is a \s-1CA\s0, +if the \s-1CA\s0 flag is false then it is not a \s-1CA\s0. \fBAll\fR CAs should have the +\&\s-1CA\s0 flag set to true. +.PP +If the basicConstraints extension is absent then the certificate is +considered to be a \*(L"possible \s-1CA\s0\*(R" other extensions are checked according +to the intended use of the certificate. A warning is given in this case +because the certificate should really not be regarded as a \s-1CA:\s0 however +it is allowed to be a \s-1CA\s0 to work around some broken software. +.PP +If the certificate is a V1 certificate (and thus has no extensions) and +it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again +given: this is to work around the problem of Verisign roots which are V1 +self signed certificates. +.PP +If the keyUsage extension is present then additional restraints are +made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the +keyCertSign bit set if the keyUsage extension is present. +.PP +The extended key usage extension places additional restrictions on the +certificate uses. If this extension is present (whether critical or not) +the key can only be used for the purposes specified. +.PP +A complete description of each test is given below. The comments about +basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR +\&\s-1CA\s0 certificates. +.Ip "\fB\s-1SSL\s0 Client\fR" 4 +.IX Item "SSL Client" +The extended key usage extension must be absent or include the \*(L"web client +authentication\*(R" \s-1OID\s0. keyUsage must be absent or it must have the +digitalSignature bit set. Netscape certificate type must be absent or it must +have the \s-1SSL\s0 client bit set. +.Ip "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4 +.IX Item "SSL Client CA" +The extended key usage extension must be absent or include the \*(L"web client +authentication\*(R" \s-1OID\s0. Netscape certificate type must be absent or it must have +the \s-1SSL\s0 \s-1CA\s0 bit set: this is used as a work around if the basicConstraints +extension is absent. +.Ip "\fB\s-1SSL\s0 Server\fR" 4 +.IX Item "SSL Server" +The extended key usage extension must be absent or include the \*(L"web server +authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it +must have the digitalSignature, the keyEncipherment set or both bits set. +Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set. +.Ip "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4 +.IX Item "SSL Server CA" +The extended key usage extension must be absent or include the \*(L"web server +authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must +be absent or the \s-1SSL\s0 \s-1CA\s0 bit must be set: this is used as a work around if the +basicConstraints extension is absent. +.Ip "\fBNetscape \s-1SSL\s0 Server\fR" 4 +.IX Item "Netscape SSL Server" +For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the +keyEncipherment bit set if the keyUsage extension is present. This isn't +always valid because some cipher suites use the key for digital signing. +Otherwise it is the same as a normal \s-1SSL\s0 server. +.Ip "\fBCommon S/MIME Client Tests\fR" 4 +.IX Item "Common S/MIME Client Tests" +The extended key usage extension must be absent or include the \*(L"email +protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or should have the +S/MIME bit set. If the S/MIME bit is not set in netscape certificate type +then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown: +this is because some Verisign certificates don't set the S/MIME bit. +.Ip "\fBS/MIME Signing\fR" 4 +.IX Item "S/MIME Signing" +In addition to the common S/MIME client tests the digitalSignature bit must +be set if the keyUsage extension is present. +.Ip "\fBS/MIME Encryption\fR" 4 +.IX Item "S/MIME Encryption" +In addition to the common S/MIME tests the keyEncipherment bit must be set +if the keyUsage extension is present. +.Ip "\fBS/MIME \s-1CA\s0\fR" 4 +.IX Item "S/MIME CA" +The extended key usage extension must be absent or include the \*(L"email +protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or must have the +S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints +extension is absent. +.Ip "\fB\s-1CRL\s0 Signing\fR" 4 +.IX Item "CRL Signing" +The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit +set. +.Ip "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4 +.IX Item "CRL Signing CA" +The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension +must be present. +.SH "BUGS" +.IX Header "BUGS" +Extensions in certificates are not transferred to certificate requests and +vice versa. +.PP +It is possible to produce invalid certificates or requests by specifying the +wrong private key or using inconsistent options in some cases: these should +be checked. +.PP +There should be options to explicitly set such things as start and end +dates rather than an offset from the current time. +.PP +The code to implement the verify behaviour described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR +is currently being developed. It thus describes the intended behaviour rather +than the current behaviour. It is hoped that it will represent reality in +OpenSSL 0.9.5 and later. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +req(1), ca(1), genrsa(1), +gendsa(1), verify(1) -- cgit v1.1