From f694fa517c2628d79a49719e25f72134babbdd0c Mon Sep 17 00:00:00 2001 
From: Sascha Wildner Date: Mon, 13 Nov 2017 12:47:15 +0100 Subject: [PATCH] Remove various old openssl(1) related manual pages. --- Makefile_upgrade.inc | 44 ++ usr.bin/openssl/Makefile | 1 - usr.bin/openssl/Makefile.man | 60 --- usr.bin/openssl/man/CA.pl.1 | 306 ------------ usr.bin/openssl/man/asn1parse.1 | 314 ------------- usr.bin/openssl/man/c_rehash.1 | 233 --------- usr.bin/openssl/man/ca.1 | 758 ------------------------------ usr.bin/openssl/man/ciphers.1 | 730 ----------------------------- usr.bin/openssl/man/cms.1 | 750 ----------------------------- usr.bin/openssl/man/config.5 | 499 -------------------- usr.bin/openssl/man/crl.1 | 245 ---------- usr.bin/openssl/man/crl2pkcs7.1 | 215 --------- usr.bin/openssl/man/dgst.1 | 307 ------------ usr.bin/openssl/man/dhparam.1 | 262 ----------- usr.bin/openssl/man/dsa.1 | 291 ------------ usr.bin/openssl/man/dsaparam.1 | 228 --------- usr.bin/openssl/man/ec.1 | 315 ------------- usr.bin/openssl/man/ecparam.1 | 301 ------------ usr.bin/openssl/man/enc.1 | 449 ------------------ usr.bin/openssl/man/errstr.1 | 175 ------- usr.bin/openssl/man/gendsa.1 | 195 -------- usr.bin/openssl/man/genpkey.1 | 329 ------------- usr.bin/openssl/man/genrsa.1 | 220 --------- usr.bin/openssl/man/nseq.1 | 199 -------- usr.bin/openssl/man/ocsp.1 | 492 ------------------- usr.bin/openssl/man/openssl.1 | 468 ------------------- usr.bin/openssl/man/passwd.1 | 201 -------- usr.bin/openssl/man/pkcs12.1 | 462 ------------------ usr.bin/openssl/man/pkcs7.1 | 230 --------- usr.bin/openssl/man/pkcs8.1 | 372 --------------- usr.bin/openssl/man/pkey.1 | 260 ----------- usr.bin/openssl/man/pkeyparam.1 | 191 -------- usr.bin/openssl/man/pkeyutl.1 | 342 -------------- usr.bin/openssl/man/rand.1 | 179 ------- usr.bin/openssl/man/req.1 | 771 ------------------------------ usr.bin/openssl/man/rsa.1 | 336 ------------- usr.bin/openssl/man/rsautl.1 | 316 ------------- usr.bin/openssl/man/s_client.1 | 448 ------------------ usr.bin/openssl/man/s_server.1 | 
486 ------------------- usr.bin/openssl/man/s_time.1 | 286 ------------ usr.bin/openssl/man/sess_id.1 | 258 ---------- usr.bin/openssl/man/smime.1 | 553 ---------------------- usr.bin/openssl/man/speed.1 | 186 -------- usr.bin/openssl/man/spkac.1 | 256 ---------- usr.bin/openssl/man/ts.1 | 658 -------------------------- usr.bin/openssl/man/tsget.1 | 320 ------------- usr.bin/openssl/man/verify.1 | 512 -------------------- usr.bin/openssl/man/version.1 | 185 -------- usr.bin/openssl/man/x509.1 | 909 ------------------------------------ usr.bin/openssl/man/x509v3_config.5 | 683 --------------------------- 50 files changed, 44 insertions(+), 17742 deletions(-) delete mode 100644 usr.bin/openssl/Makefile.man delete mode 100644 usr.bin/openssl/man/CA.pl.1 delete mode 100644 usr.bin/openssl/man/asn1parse.1 delete mode 100644 usr.bin/openssl/man/c_rehash.1 delete mode 100644 usr.bin/openssl/man/ca.1 delete mode 100644 usr.bin/openssl/man/ciphers.1 delete mode 100644 usr.bin/openssl/man/cms.1 delete mode 100644 usr.bin/openssl/man/config.5 delete mode 100644 usr.bin/openssl/man/crl.1 delete mode 100644 usr.bin/openssl/man/crl2pkcs7.1 delete mode 100644 usr.bin/openssl/man/dgst.1 delete mode 100644 usr.bin/openssl/man/dhparam.1 delete mode 100644 usr.bin/openssl/man/dsa.1 delete mode 100644 usr.bin/openssl/man/dsaparam.1 delete mode 100644 usr.bin/openssl/man/ec.1 delete mode 100644 usr.bin/openssl/man/ecparam.1 delete mode 100644 usr.bin/openssl/man/enc.1 delete mode 100644 usr.bin/openssl/man/errstr.1 delete mode 100644 usr.bin/openssl/man/gendsa.1 delete mode 100644 usr.bin/openssl/man/genpkey.1 delete mode 100644 usr.bin/openssl/man/genrsa.1 delete mode 100644 usr.bin/openssl/man/nseq.1 delete mode 100644 usr.bin/openssl/man/ocsp.1 delete mode 100644 usr.bin/openssl/man/openssl.1 delete mode 100644 usr.bin/openssl/man/passwd.1 delete mode 100644 usr.bin/openssl/man/pkcs12.1 delete mode 100644 usr.bin/openssl/man/pkcs7.1 delete mode 100644 usr.bin/openssl/man/pkcs8.1 
delete mode 100644 usr.bin/openssl/man/pkey.1
delete mode 100644 usr.bin/openssl/man/pkeyparam.1
delete mode 100644 usr.bin/openssl/man/pkeyutl.1
delete mode 100644 usr.bin/openssl/man/rand.1
delete mode 100644 usr.bin/openssl/man/req.1
delete mode 100644 usr.bin/openssl/man/rsa.1
delete mode 100644 usr.bin/openssl/man/rsautl.1
delete mode 100644 usr.bin/openssl/man/s_client.1
delete mode 100644 usr.bin/openssl/man/s_server.1
delete mode 100644 usr.bin/openssl/man/s_time.1
delete mode 100644 usr.bin/openssl/man/sess_id.1
delete mode 100644 usr.bin/openssl/man/smime.1
delete mode 100644 usr.bin/openssl/man/speed.1
delete mode 100644 usr.bin/openssl/man/spkac.1
delete mode 100644 usr.bin/openssl/man/ts.1
delete mode 100644 usr.bin/openssl/man/tsget.1
delete mode 100644 usr.bin/openssl/man/verify.1
delete mode 100644 usr.bin/openssl/man/version.1
delete mode 100644 usr.bin/openssl/man/x509.1
delete mode 100644 usr.bin/openssl/man/x509v3_config.5
diff --git a/Makefile_upgrade.inc b/Makefile_upgrade.inc
index 0ca446f359..c1d0a9e916 100644
--- a/Makefile_upgrade.inc
+++ b/Makefile_upgrade.inc
@@ -3294,6 +3294,50 @@ TO_REMOVE+=/usr/share/man/man5/dm.conf.5.gz
 TO_REMOVE+=/usr/share/man/man8/dm.8.gz
 TO_REMOVE+=/usr/games/strfile
 TO_REMOVE+=/usr/games/unstr
+TO_REMOVE+=/usr/share/man/man1/CA.pl.1.gz
+TO_REMOVE+=/usr/share/man/man1/asn1parse.1.gz
+TO_REMOVE+=/usr/share/man/man1/c_rehash.1.gz
+TO_REMOVE+=/usr/share/man/man1/ca.1.gz
+TO_REMOVE+=/usr/share/man/man1/ciphers.1.gz
+TO_REMOVE+=/usr/share/man/man1/cms.1.gz
+TO_REMOVE+=/usr/share/man/man1/crl.1.gz
+TO_REMOVE+=/usr/share/man/man1/crl2pkcs7.1.gz
+TO_REMOVE+=/usr/share/man/man1/dgst.1.gz
+TO_REMOVE+=/usr/share/man/man1/dhparam.1.gz
+TO_REMOVE+=/usr/share/man/man1/dsa.1.gz
+TO_REMOVE+=/usr/share/man/man1/dsaparam.1.gz
+TO_REMOVE+=/usr/share/man/man1/ec.1.gz
+TO_REMOVE+=/usr/share/man/man1/ecparam.1.gz
+TO_REMOVE+=/usr/share/man/man1/enc.1.gz
+TO_REMOVE+=/usr/share/man/man1/errstr.1.gz
+TO_REMOVE+=/usr/share/man/man1/gendsa.1.gz
+TO_REMOVE+=/usr/share/man/man1/genpkey.1.gz
+TO_REMOVE+=/usr/share/man/man1/genrsa.1.gz
+TO_REMOVE+=/usr/share/man/man1/nseq.1.gz
+TO_REMOVE+=/usr/share/man/man1/ocsp.1.gz
+TO_REMOVE+=/usr/share/man/man1/pkcs12.1.gz
+TO_REMOVE+=/usr/share/man/man1/pkcs7.1.gz
+TO_REMOVE+=/usr/share/man/man1/pkcs8.1.gz
+TO_REMOVE+=/usr/share/man/man1/pkey.1.gz
+TO_REMOVE+=/usr/share/man/man1/pkeyparam.1.gz
+TO_REMOVE+=/usr/share/man/man1/pkeyutl.1.gz
+TO_REMOVE+=/usr/share/man/man1/rand.1.gz
+TO_REMOVE+=/usr/share/man/man1/req.1.gz
+TO_REMOVE+=/usr/share/man/man1/rsa.1.gz
+TO_REMOVE+=/usr/share/man/man1/rsautl.1.gz
+TO_REMOVE+=/usr/share/man/man1/s_client.1.gz
+TO_REMOVE+=/usr/share/man/man1/s_server.1.gz
+TO_REMOVE+=/usr/share/man/man1/s_time.1.gz
+TO_REMOVE+=/usr/share/man/man1/sess_id.1.gz
+TO_REMOVE+=/usr/share/man/man1/smime.1.gz
+TO_REMOVE+=/usr/share/man/man1/speed.1.gz
+TO_REMOVE+=/usr/share/man/man1/spkac.1.gz
+TO_REMOVE+=/usr/share/man/man1/ts.1.gz
+TO_REMOVE+=/usr/share/man/man1/tsget.1.gz
+TO_REMOVE+=/usr/share/man/man1/version.1.gz
+TO_REMOVE+=/usr/share/man/man1/x509.1.gz
+TO_REMOVE+=/usr/share/man/man5/config.5.gz
+TO_REMOVE+=/usr/share/man/man5/x509v3_config.5.gz
 .if !defined(WANT_INSTALLER)
 TO_REMOVE+=/usr/sbin/dfuibe_installer
diff --git a/usr.bin/openssl/Makefile b/usr.bin/openssl/Makefile
index 464bd92754..d84e8d4204 100644
--- a/usr.bin/openssl/Makefile
+++ b/usr.bin/openssl/Makefile
@@ -3,7 +3,6 @@ PROG= openssl
 WARNS?= 2
-.include "Makefile.man"
 .include "${.CURDIR}/../../lib/librecrypto/Makefile.inc"
 DPADD+= ${LIBRESSL} ${LIBRECRYPTO}
diff --git a/usr.bin/openssl/Makefile.man b/usr.bin/openssl/Makefile.man
deleted file mode 100644
index 7fe08d9ed4..0000000000
--- a/usr.bin/openssl/Makefile.man
+++ /dev/null
@@ -1,60 +0,0 @@
-# DO NOT EDIT: generated from man-makefile-update target
-MAN+= CA.pl.1
-MAN+= asn1parse.1
-MAN+= c_rehash.1
-MAN+= ca.1
-MAN+= ciphers.1
-MAN+= cms.1
-MAN+= config.5
-MAN+= crl.1
-MAN+= crl2pkcs7.1
-MAN+= dgst.1
-MLINKS+= dgst.1 sha.1
-MLINKS+= dgst.1 sha1.1
-MLINKS+= dgst.1 mdc2.1
-MLINKS+= dgst.1 ripemd160.1
-MLINKS+= dgst.1 sha224.1
-MLINKS+= dgst.1 sha256.1
-MLINKS+= dgst.1 sha384.1
-MLINKS+= dgst.1 sha512.1
-MLINKS+= dgst.1 md2.1
-MLINKS+= dgst.1 md4.1
-MLINKS+= dgst.1 md5.1
-MLINKS+= dgst.1 dss1.1
-MAN+= dhparam.1
-MAN+= dsa.1
-MAN+= dsaparam.1
-MAN+= ec.1
-MAN+= ecparam.1
-MAN+= enc.1
-MAN+= errstr.1
-MAN+= gendsa.1
-MAN+= genpkey.1
-MAN+= genrsa.1
-MAN+= nseq.1
-MAN+= ocsp.1
-MAN+= openssl.1
-MAN+= passwd.1
-MAN+= pkcs12.1
-MAN+= pkcs7.1
-MAN+= pkcs8.1
-MAN+= pkey.1
-MAN+= pkeyparam.1
-MAN+= pkeyutl.1
-MAN+= rand.1
-MAN+= req.1
-MAN+= rsa.1
-MAN+= rsautl.1
-MAN+= s_client.1
-MAN+= s_server.1
-MAN+= s_time.1
-MAN+= sess_id.1
-MAN+= smime.1
-MAN+= speed.1
-MAN+= spkac.1
-MAN+= ts.1
-MAN+= tsget.1
-MAN+= verify.1
-MAN+= version.1
-MAN+= x509.1
-MAN+= x509v3_config.5
diff --git a/usr.bin/openssl/man/CA.pl.1 b/usr.bin/openssl/man/CA.pl.1
deleted file mode 100644
index a6b37341e6..0000000000
--- a/usr.bin/openssl/man/CA.pl.1
+++ /dev/null
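Review bot: The TO_REMOVE block covers dgst.1.gz but not the link pages that the deleted usr.bin/openssl/Makefile.man installed as MLINKS of dgst.1 (sha.1, sha1.1, mdc2.1, ripemd160.1, sha224.1, sha256.1, sha384.1, sha512.1, md2.1, md4.1, md5.1, dss1.1), so on an upgraded system those files remain in /usr/share/man/man1 after their target is gone, either dangling or still carrying the old 1.0.2h text. Several of those names (md5.1, sha1.1, sha256.1, ...) may now be owned by other base-system pages and must not be removed blindly, so each should be checked against what else installs it; the ones with no other owner belong in this block, e.g. `TO_REMOVE+=/usr/share/man/man1/mdc2.1.gz` and `TO_REMOVE+=/usr/share/man/man1/dss1.1.gz`. Likewise openssl.1, passwd.1 and verify.1 are deleted from usr.bin/openssl/man in this commit but get no TO_REMOVE entry; if that is deliberate because same-named pages are still installed from elsewhere (passwd(1) certainly is), a one-line comment above the block saying so would spare the next reader the cross-check.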
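Review bot: With `.include "Makefile.man"` removed nothing left in this hunk sets MAN, and the Makefile continues outside the hunk, so unless the remaining lines or the librecrypto Makefile.inc supply it, bsd.prog.mk's usual fallback to `${PROG}.1` would look for openssl.1, which this same commit deletes from usr.bin/openssl/man. If the LibreSSL-provided openssl.1 is meant to take over through .PATH, a short comment next to the surviving include, `# man pages now come from the LibreSSL sources via Makefile.inc`, would record that; otherwise the Makefile needs an explicit `MAN=` (or `NOMAN=`) to keep the build from picking up a page that no longer exists.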
@@ -1,306 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "CA.PL 1" -.TH CA.PL 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -CA.pl \- friendlier interface for OpenSSL certificate programs -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fB\s-1CA\s0.pl\fR -[\fB\-?\fR] -[\fB\-h\fR] -[\fB\-help\fR] -[\fB\-newcert\fR] -[\fB\-newreq\fR] -[\fB\-newreq\-nodes\fR] -[\fB\-newca\fR] -[\fB\-xsign\fR] -[\fB\-sign\fR] -[\fB\-signreq\fR] -[\fB\-signcert\fR] -[\fB\-verify\fR] -[\fBfiles\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line -arguments to the \fBopenssl\fR command for some common certificate operations. -It is intended to simplify the process of certificate creation and management -by the use of some simple options. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4 -.IX Item "?, -h, -help" -prints a usage message. -.IP "\fB\-newcert\fR" 4 -.IX Item "-newcert" -creates a new self signed certificate. The private key is written to the file -\&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R". -.IP "\fB\-newreq\fR" 4 -.IX Item "-newreq" -creates a new certificate request. The private key is written to the file -\&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R". -.IP "\fB\-newreq\-nodes\fR" 4 -.IX Item "-newreq-nodes" -is like \fB\-newreq\fR except that the private key will not be encrypted. -.IP "\fB\-newca\fR" 4 -.IX Item "-newca" -creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR -and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0 -certificates (which should also contain the private key) or by hitting \s-1ENTER\s0 -details of the \s-1CA\s0 will be prompted for. The relevant files and directories -are created in a directory called \*(L"demoCA\*(R" in the current directory. 
-.IP "\fB\-pkcs12\fR" 4 -.IX Item "-pkcs12" -create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0 -certificate. It expects the user certificate and private key to be in the -file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem, -it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the -\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser. -If there is an additional argument on the command line it will be used as the -\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser -list box), otherwise the name \*(L"My Certificate\*(R" is used. -.IP "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4 -.IX Item "-sign, -signreq, -xsign" -calls the \fBca\fR program to sign a certificate request. It expects the request -to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file -\&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written -to standard output. -.IP "\fB\-signCA\fR" 4 -.IX Item "-signCA" -this option is the same as the \fB\-signreq\fR option except it uses the configuration -file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This -is useful when creating intermediate \s-1CA\s0 from a root \s-1CA.\s0 -.IP "\fB\-signcert\fR" 4 -.IX Item "-signcert" -this option is the same as \fB\-sign\fR except it expects a self signed certificate -to be present in the file \*(L"newreq.pem\*(R". -.IP "\fB\-verify\fR" 4 -.IX Item "-verify" -verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no certificates -are specified on the command line it tries to verify the file \*(L"newcert.pem\*(R". -.IP "\fBfiles\fR" 4 -.IX Item "files" -one or more optional certificate file names for use with the \fB\-verify\fR command. 
-.SH "EXAMPLES" -.IX Header "EXAMPLES" -Create a \s-1CA\s0 hierarchy: -.PP -.Vb 1 -\& CA.pl \-newca -.Ve -.PP -Complete certificate creation example: create a \s-1CA,\s0 create a request, sign -the request and finally create a PKCS#12 file containing it. -.PP -.Vb 4 -\& CA.pl \-newca -\& CA.pl \-newreq -\& CA.pl \-signreq -\& CA.pl \-pkcs12 "My Test Certificate" -.Ve -.SH "DSA CERTIFICATES" -.IX Header "DSA CERTIFICATES" -Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to -use it with \s-1DSA\s0 certificates and requests using the \fIreq\fR\|(1) command -directly. The following example shows the steps that would typically be taken. -.PP -Create some \s-1DSA\s0 parameters: -.PP -.Vb 1 -\& openssl dsaparam \-out dsap.pem 1024 -.Ve -.PP -Create a \s-1DSA CA\s0 certificate and private key: -.PP -.Vb 1 -\& openssl req \-x509 \-newkey dsa:dsap.pem \-keyout cacert.pem \-out cacert.pem -.Ve -.PP -Create the \s-1CA\s0 directories and files: -.PP -.Vb 1 -\& CA.pl \-newca -.Ve -.PP -enter cacert.pem when prompted for the \s-1CA\s0 file name. -.PP -Create a \s-1DSA\s0 certificate request and private key (a different set of parameters -can optionally be created first): -.PP -.Vb 1 -\& openssl req \-out newreq.pem \-newkey dsa:dsap.pem -.Ve -.PP -Sign the request: -.PP -.Vb 1 -\& CA.pl \-signreq -.Ve -.SH "NOTES" -.IX Header "NOTES" -Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script. -.PP -If the demoCA directory already exists then the \fB\-newca\fR command will not -overwrite it and will do nothing. This can happen if a previous call using -the \fB\-newca\fR option terminated abnormally. To get the correct behaviour -delete the demoCA directory if it already exists. -.PP -Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script -directly (for example Win32) and the default configuration file location may -be wrong. 
In this case the command: -.PP -.Vb 1 -\& perl \-S CA.pl -.Ve -.PP -can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to -the correct path of the configuration file \*(L"openssl.cnf\*(R". -.PP -The script is intended as a simple front end for the \fBopenssl\fR program for use -by a beginner. Its behaviour isn't always what is wanted. For more control over the -behaviour of the certificate commands call the \fBopenssl\fR command directly. -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration -file location to be specified, it should contain the full path to the -configuration file, not just its directory. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIreq\fR\|(1), \fIpkcs12\fR\|(1), -\&\fIconfig\fR\|(5) diff --git a/usr.bin/openssl/man/asn1parse.1 b/usr.bin/openssl/man/asn1parse.1 deleted file mode 100644 index f2e2ff038f..0000000000 --- a/usr.bin/openssl/man/asn1parse.1 +++ /dev/null 
@@ -1,314 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "ASN1PARSE 1" -.TH ASN1PARSE 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -asn1parse \- ASN.1 parsing tool -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBasn1parse\fR -[\fB\-inform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-noout\fR] -[\fB\-offset number\fR] -[\fB\-length number\fR] -[\fB\-i\fR] -[\fB\-oid filename\fR] -[\fB\-dump\fR] -[\fB\-dlimit num\fR] -[\fB\-strparse offset\fR] -[\fB\-genstr string\fR] -[\fB\-genconf file\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN.1\s0 -structures. It can also be used to extract data from \s-1ASN.1\s0 formatted data. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-inform\fR \fBDER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -the input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64 -encoded. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -the input file, default is standard input -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -output file to place the \s-1DER\s0 encoded data into. If this -option is not present then no data will be output. This is most useful when -combined with the \fB\-strparse\fR option. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -don't output the parsed version of the input file. -.IP "\fB\-offset number\fR" 4 -.IX Item "-offset number" -starting offset to begin parsing, default is start of file. -.IP "\fB\-length number\fR" 4 -.IX Item "-length number" -number of bytes to parse, default is until end of file. -.IP "\fB\-i\fR" 4 -.IX Item "-i" -indents the output according to the \*(L"depth\*(R" of the structures. -.IP "\fB\-oid filename\fR" 4 -.IX Item "-oid filename" -a file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this -file is described in the \s-1NOTES\s0 section below. -.IP "\fB\-dump\fR" 4 -.IX Item "-dump" -dump unknown data in hex format. 
-.IP "\fB\-dlimit num\fR" 4 -.IX Item "-dlimit num" -like \fB\-dump\fR, but only the first \fBnum\fR bytes are output. -.IP "\fB\-strparse offset\fR" 4 -.IX Item "-strparse offset" -parse the contents octets of the \s-1ASN.1\s0 object starting at \fBoffset\fR. This -option can be used multiple times to \*(L"drill down\*(R" into a nested structure. -.IP "\fB\-genstr string\fR, \fB\-genconf file\fR" 4 -.IX Item "-genstr string, -genconf file" -generate encoded data based on \fBstring\fR, \fBfile\fR or both using -\&\fIASN1_generate_nconf\fR\|(3) format. If \fBfile\fR only is -present then the string is obtained from the default section using the name -\&\fBasn1\fR. The encoded data is passed through the \s-1ASN1\s0 parser and printed out as -though it came from a file, the contents can thus be examined and written to a -file using the \fBout\fR option. -.SS "\s-1OUTPUT\s0" -.IX Subsection "OUTPUT" -The output will typically contain lines like this: -.PP -.Vb 1 -\& 0:d=0 hl=4 l= 681 cons: SEQUENCE -.Ve -.PP -\&..... -.PP -.Vb 10 -\& 229:d=3 hl=3 l= 141 prim: BIT STRING -\& 373:d=2 hl=3 l= 162 cons: cont [ 3 ] -\& 376:d=3 hl=3 l= 159 cons: SEQUENCE -\& 379:d=4 hl=2 l= 29 cons: SEQUENCE -\& 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -\& 386:d=5 hl=2 l= 22 prim: OCTET STRING -\& 410:d=4 hl=2 l= 112 cons: SEQUENCE -\& 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -\& 417:d=5 hl=2 l= 105 prim: OCTET STRING -\& 524:d=4 hl=2 l= 12 cons: SEQUENCE -.Ve -.PP -\&..... -.PP -This example is part of a self signed certificate. Each line starts with the -offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased -within the scope of any \s-1SET\s0 or \s-1SEQUENCE. \s0\fBhl=XX\fR gives the header length -(tag and length octets) of the current type. \fBl=XX\fR gives the length of -the contents octets. -.PP -The \fB\-i\fR option can be used to make the output more readable. 
-.PP -Some knowledge of the \s-1ASN.1\s0 structure is needed to interpret the output. -.PP -In this example the \s-1BIT STRING\s0 at offset 229 is the certificate public key. -The contents octets of this will contain the public key information. This can -be examined using the option \fB\-strparse 229\fR to yield: -.PP -.Vb 3 -\& 0:d=0 hl=3 l= 137 cons: SEQUENCE -\& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 -\& 135:d=1 hl=2 l= 3 prim: INTEGER :010001 -.Ve -.SH "NOTES" -.IX Header "NOTES" -If an \s-1OID\s0 is not part of OpenSSL's internal table it will be represented in -numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option -allows additional OIDs to be included. Each line consists of three columns, -the first column is the \s-1OID\s0 in numerical format and should be followed by white -space. The second column is the \*(L"short name\*(R" which is a single word followed -by white space. The final column is the rest of the line and is the -\&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. 
Example: -.PP -\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Parse a file: -.PP -.Vb 1 -\& openssl asn1parse \-in file.pem -.Ve -.PP -Parse a \s-1DER\s0 file: -.PP -.Vb 1 -\& openssl asn1parse \-inform DER \-in file.der -.Ve -.PP -Generate a simple UTF8String: -.PP -.Vb 1 -\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq -.Ve -.PP -Generate and write out a UTF8String, don't print parsed output: -.PP -.Vb 1 -\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq \-noout \-out utf8.der -.Ve -.PP -Generate using a config file: -.PP -.Vb 1 -\& openssl asn1parse \-genconf asn1.cnf \-noout \-out asn1.der -.Ve -.PP -Example config file: -.PP -.Vb 1 -\& asn1=SEQUENCE:seq_sect -\& -\& [seq_sect] -\& -\& field1=BOOL:TRUE -\& field2=EXP:0, UTF8:some random string -.Ve -.SH "BUGS" -.IX Header "BUGS" -There should be options to change the format of output lines. The output of some -\&\s-1ASN.1\s0 types is not well handled (if at all). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIASN1_generate_nconf\fR\|(3) diff --git a/usr.bin/openssl/man/c_rehash.1 b/usr.bin/openssl/man/c_rehash.1 deleted file mode 100644 index 45485512c7..0000000000 --- a/usr.bin/openssl/man/c_rehash.1 +++ /dev/null 
@@ -1,233 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "C_REHASH 1" -.TH C_REHASH 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -c_rehash \- Create symbolic links to files named by the hash values -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBc_rehash\fR -\&\fB[\-old]\fR -\&\fB[\-h]\fR -\&\fB[\-n]\fR -\&\fB[\-v]\fR -[ \fIdirectory\fR...] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBc_rehash\fR scans directories and calculates a hash value of each -\&\f(CW\*(C`.pem\*(C'\fR, \f(CW\*(C`.crt\*(C'\fR, \f(CW\*(C`.cer\*(C'\fR, or \f(CW\*(C`.crl\*(C'\fR -file in the specified directory list and creates symbolic links -for each file, where the name of the link is the hash value. -(If the platform does not support symbolic links, a copy is made.) -This utility is useful as many programs that use OpenSSL require -directories to be set up like this in order to find certificates. -.PP -If any directories are named on the command line, then those are -processed in turn. If not, then the \fB\s-1SSL_CERT_DIR\s0\fR environment variable -is consulted; this shold be a colon-separated list of directories, -like the Unix \fB\s-1PATH\s0\fR variable. -If that is not set then the default directory (installation-specific -but often \fB/usr/local/ssl/certs\fR) is processed. -.PP -In order for a directory to be processed, the user must have write -permissions on that directory, otherwise it will be skipped. -The links created are of the form \f(CW\*(C`HHHHHHHH.D\*(C'\fR, where each \fBH\fR -is a hexadecimal character and \fBD\fR is a single decimal digit. -When processing a directory, \fBc_rehash\fR will first remove all links -that have a name in that syntax. If you have links in that format -used for other purposes, they will be removed. -To skip the removal step, use the \fB\-n\fR flag. -Hashes for \s-1CRL\s0's look similar except the letter \fBr\fR appears after -the period, like this: \f(CW\*(C`HHHHHHHH.rD\*(C'\fR. -.PP -Multiple objects may have the same hash; they will be indicated by -incrementing the \fBD\fR value. 
Duplicates are found by comparing the -full \s-1SHA\-1\s0 fingerprint. A warning will be displayed if a duplicate -is found. -.PP -A warning will also be displayed if there are files that -cannot be parsed as either a certificate or a \s-1CRL.\s0 -.PP -The program uses the \fBopenssl\fR program to compute the hashes and -fingerprints. If not found in the user's \fB\s-1PATH\s0\fR, then set the -\&\fB\s-1OPENSSL\s0\fR environment variable to the full pathname. -Any program can be used, it will be invoked as follows for either -a certificate or \s-1CRL:\s0 -.PP -.Vb 2 -\& $OPENSSL x509 \-hash \-fingerprint \-noout \-in FILENAME -\& $OPENSSL crl \-hash \-fingerprint \-noout \-in FILENAME -.Ve -.PP -where \fB\s-1FILENAME\s0\fR is the filename. It must output the hash of the -file on the first line, and the fingerprint on the second, -optionally prefixed with some text and an equals sign. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-old\fR" 4 -.IX Item "-old" -Use old-style hashing (\s-1MD5,\s0 as opposed to \s-1SHA\-1\s0) for generating -links for releases before 1.0.0. Note that current versions will -not use the old style. -.IP "\fB\-h\fR" 4 -.IX Item "-h" -Display a brief usage message. -.IP "\fB\-n\fR" 4 -.IX Item "-n" -Do not remove existing links. -This is needed when keeping new and old-style links in the same directory. -.IP "\fB\-v\fR" 4 -.IX Item "-v" -Print messages about old links removed and new links created. -By default, \fBc_rehash\fR only lists each directory as it is processed. -.SH "ENVIRONMENT" -.IX Header "ENVIRONMENT" -.IP "\fB\s-1OPENSSL\s0\fR" 4 -.IX Item "OPENSSL" -The path to an executable to use to generate hashes and -fingerprints (see above). -.IP "\fB\s-1SSL_CERT_DIR\s0\fR" 4 -.IX Item "SSL_CERT_DIR" -Colon separated list of directories to operate on. -Ignored if directories are listed on the command line. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIopenssl\fR\|(1), -\&\fIcrl\fR\|(1). -\&\fIx509\fR\|(1). 
diff --git a/usr.bin/openssl/man/ca.1 b/usr.bin/openssl/man/ca.1
deleted file mode 100644
index aec7ac52d9..0000000000
--- a/usr.bin/openssl/man/ca.1
+++ /dev/null
@@ -1,758 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "CA 1" -.TH CA 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -ca \- sample minimal CA application -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBca\fR -[\fB\-verbose\fR] -[\fB\-config filename\fR] -[\fB\-name section\fR] -[\fB\-gencrl\fR] -[\fB\-revoke file\fR] -[\fB\-status serial\fR] -[\fB\-updatedb\fR] -[\fB\-crl_reason reason\fR] -[\fB\-crl_hold instruction\fR] -[\fB\-crl_compromise time\fR] -[\fB\-crl_CA_compromise time\fR] -[\fB\-crldays days\fR] -[\fB\-crlhours hours\fR] -[\fB\-crlexts section\fR] -[\fB\-startdate date\fR] -[\fB\-enddate date\fR] -[\fB\-days arg\fR] -[\fB\-md arg\fR] -[\fB\-policy arg\fR] -[\fB\-keyfile arg\fR] -[\fB\-keyform PEM|DER\fR] -[\fB\-key arg\fR] -[\fB\-passin arg\fR] -[\fB\-cert file\fR] -[\fB\-selfsign\fR] -[\fB\-in file\fR] -[\fB\-out file\fR] -[\fB\-notext\fR] -[\fB\-outdir dir\fR] -[\fB\-infiles\fR] -[\fB\-spkac file\fR] -[\fB\-ss_cert file\fR] -[\fB\-preserveDN\fR] -[\fB\-noemailDN\fR] -[\fB\-batch\fR] -[\fB\-msie_hack\fR] -[\fB\-extensions section\fR] -[\fB\-extfile section\fR] -[\fB\-engine id\fR] -[\fB\-subj arg\fR] -[\fB\-utf8\fR] -[\fB\-multivalue\-rdn\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used -to sign certificate requests in a variety of forms and generate -CRLs it also maintains a text database of issued certificates -and their status. -.PP -The options descriptions will be divided into each purpose. -.SH "CA OPTIONS" -.IX Header "CA OPTIONS" -.IP "\fB\-config filename\fR" 4 -.IX Item "-config filename" -specifies the configuration file to use. -.IP "\fB\-name section\fR" 4 -.IX Item "-name section" -specifies the configuration file section to use (overrides -\&\fBdefault_ca\fR in the \fBca\fR section). 
-.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -an input filename containing a single certificate request to be -signed by the \s-1CA.\s0 -.IP "\fB\-ss_cert filename\fR" 4 -.IX Item "-ss_cert filename" -a single self signed certificate to be signed by the \s-1CA.\s0 -.IP "\fB\-spkac filename\fR" 4 -.IX Item "-spkac filename" -a file containing a single Netscape signed public key and challenge -and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR -section for information on the required input and output format. -.IP "\fB\-infiles\fR" 4 -.IX Item "-infiles" -if present this should be the last option, all subsequent arguments -are assumed to the the names of files containing certificate requests. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -the output file to output certificates to. The default is standard -output. The certificate details will also be printed out to this -file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format). -.IP "\fB\-outdir directory\fR" 4 -.IX Item "-outdir directory" -the directory to output certificates to. The certificate will be -written to a filename consisting of the serial number in hex with -\&\*(L".pem\*(R" appended. -.IP "\fB\-cert\fR" 4 -.IX Item "-cert" -the \s-1CA\s0 certificate file. -.IP "\fB\-keyfile filename\fR" 4 -.IX Item "-keyfile filename" -the private key to sign requests with. -.IP "\fB\-keyform PEM|DER\fR" 4 -.IX Item "-keyform PEM|DER" -the format of the data in the private key file. -The default is \s-1PEM.\s0 -.IP "\fB\-key password\fR" 4 -.IX Item "-key password" -the password used to encrypt the private key. Since on some -systems the command line arguments are visible (e.g. Unix with -the 'ps' utility) this option should be used with caution. -.IP "\fB\-selfsign\fR" 4 -.IX Item "-selfsign" -indicates the issued certificates are to be signed with the key -the certificate requests were signed with (given with \fB\-keyfile\fR). 
-Cerificate requests signed with a different key are ignored. If -\&\fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is -ignored. -.Sp -A consequence of using \fB\-selfsign\fR is that the self-signed -certificate appears among the entries in the certificate database -(see the configuration option \fBdatabase\fR), and uses the same -serial number counter as all other certificates sign with the -self-signed certificate. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the key password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-verbose\fR" 4 -.IX Item "-verbose" -this prints extra details about the operations being performed. -.IP "\fB\-notext\fR" 4 -.IX Item "-notext" -don't output the text form of a certificate to the output file. -.IP "\fB\-startdate date\fR" 4 -.IX Item "-startdate date" -this allows the start date to be explicitly set. The format of the -date is \s-1YYMMDDHHMMSSZ \s0(the same as an \s-1ASN1\s0 UTCTime structure). -.IP "\fB\-enddate date\fR" 4 -.IX Item "-enddate date" -this allows the expiry date to be explicitly set. The format of the -date is \s-1YYMMDDHHMMSSZ \s0(the same as an \s-1ASN1\s0 UTCTime structure). -.IP "\fB\-days arg\fR" 4 -.IX Item "-days arg" -the number of days to certify the certificate for. -.IP "\fB\-md alg\fR" 4 -.IX Item "-md alg" -the message digest to use. Possible values include md5, sha1 and mdc2. -This option also applies to CRLs. -.IP "\fB\-policy arg\fR" 4 -.IX Item "-policy arg" -this option defines the \s-1CA \s0\*(L"policy\*(R" to use. This is a section in -the configuration file which decides which fields should be mandatory -or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section -for more information. 
-.IP "\fB\-msie_hack\fR" 4 -.IX Item "-msie_hack" -this is a legacy option to make \fBca\fR work with very old versions of -the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings -for almost everything. Since the old control has various security bugs -its use is strongly discouraged. The newer control \*(L"Xenroll\*(R" does not -need this option. -.IP "\fB\-preserveDN\fR" 4 -.IX Item "-preserveDN" -Normally the \s-1DN\s0 order of a certificate is the same as the order of the -fields in the relevant policy section. When this option is set the order -is the same as the request. This is largely for compatibility with the -older \s-1IE\s0 enrollment control which would only accept certificates if their -DNs match the order of the request. This is not needed for Xenroll. -.IP "\fB\-noemailDN\fR" 4 -.IX Item "-noemailDN" -The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the -request \s-1DN,\s0 however it is good policy just having the e\-mail set into -the altName extension of the certificate. When this option is set the -\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in -the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be -used in the configuration file to enable this behaviour. -.IP "\fB\-batch\fR" 4 -.IX Item "-batch" -this sets the batch mode. In this mode no questions will be asked -and all certificates will be certified automatically. -.IP "\fB\-extensions section\fR" 4 -.IX Item "-extensions section" -the section of the configuration file containing certificate extensions -to be added when a certificate is issued (defaults to \fBx509_extensions\fR -unless the \fB\-extfile\fR option is used). If no extension section is -present then, a V1 certificate is created. If the extension section -is present (even if it is empty), then a V3 certificate is created. See the:w -\&\fIx509v3_config\fR\|(5) manual page for details of the -extension section format. 
-.IP "\fB\-extfile file\fR" 4 -.IX Item "-extfile file" -an additional configuration file to read certificate extensions from -(using the default section unless the \fB\-extensions\fR option is also -used). -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBca\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.IP "\fB\-subj arg\fR" 4 -.IX Item "-subj arg" -supersedes subject name given in the request. -The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, -characters may be escaped by \e (backslash), no spaces are skipped. -.IP "\fB\-utf8\fR" 4 -.IX Item "-utf8" -this option causes field values to be interpreted as \s-1UTF8\s0 strings, by -default they are interpreted as \s-1ASCII.\s0 This means that the field -values, whether prompted from a terminal or obtained from a -configuration file, must be valid \s-1UTF8\s0 strings. -.IP "\fB\-multivalue\-rdn\fR" 4 -.IX Item "-multivalue-rdn" -this option causes the \-subj argument to be interpretedt with full -support for multivalued RDNs. Example: -.Sp -\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR -.Sp -If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. -.SH "CRL OPTIONS" -.IX Header "CRL OPTIONS" -.IP "\fB\-gencrl\fR" 4 -.IX Item "-gencrl" -this option generates a \s-1CRL\s0 based on information in the index file. -.IP "\fB\-crldays num\fR" 4 -.IX Item "-crldays num" -the number of days before the next \s-1CRL\s0 is due. That is the days from -now to place in the \s-1CRL\s0 nextUpdate field. -.IP "\fB\-crlhours num\fR" 4 -.IX Item "-crlhours num" -the number of hours before the next \s-1CRL\s0 is due. -.IP "\fB\-revoke filename\fR" 4 -.IX Item "-revoke filename" -a filename containing a certificate to revoke. 
-.IP "\fB\-status serial\fR" 4 -.IX Item "-status serial" -displays the revocation status of the certificate with the specified -serial number and exits. -.IP "\fB\-updatedb\fR" 4 -.IX Item "-updatedb" -Updates the database index to purge expired certificates. -.IP "\fB\-crl_reason reason\fR" 4 -.IX Item "-crl_reason reason" -revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR, -\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR, -\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case -insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2. -.Sp -In practive \fBremoveFromCRL\fR is not particularly useful because it is only used -in delta CRLs which are not currently implemented. -.IP "\fB\-crl_hold instruction\fR" 4 -.IX Item "-crl_hold instruction" -This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold -instruction to \fBinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be -used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0) -\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used. -.IP "\fB\-crl_compromise time\fR" 4 -.IX Item "-crl_compromise time" -This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to -\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR. -.IP "\fB\-crl_CA_compromise time\fR" 4 -.IX Item "-crl_CA_compromise time" -This is the same as \fBcrl_compromise\fR except the revocation reason is set to -\&\fBCACompromise\fR. -.IP "\fB\-crlexts section\fR" 4 -.IX Item "-crlexts section" -the section of the configuration file containing \s-1CRL\s0 extensions to -include. 
If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is -created, if the \s-1CRL\s0 extension section is present (even if it is -empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are -\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted -that some software (for example Netscape) can't handle V2 CRLs. See -\&\fIx509v3_config\fR\|(5) manual page for details of the -extension section format. -.SH "CONFIGURATION FILE OPTIONS" -.IX Header "CONFIGURATION FILE OPTIONS" -The section of the configuration file containing options for \fBca\fR -is found as follows: If the \fB\-name\fR command line option is used, -then it names the section to be used. Otherwise the section to -be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section -of the configuration file (or in the default section of the -configuration file). Besides \fBdefault_ca\fR, the following options are -read directly from the \fBca\fR section: - \s-1RANDFILE -\&\s0 preserve - msie_hack -With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may -change in future releases. -.PP -Many of the configuration file options are identical to command line -options. Where the option is present in the configuration file -and the command line the command line value is used. Where an -option is described as mandatory then it must be present in -the configuration file or the command line equivalent (if -any) used. -.IP "\fBoid_file\fR" 4 -.IX Item "oid_file" -This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR. -Each line of the file should consist of the numerical form of the -object identifier followed by white space then the short name followed -by white space and finally the long name. -.IP "\fBoid_section\fR" 4 -.IX Item "oid_section" -This specifies a section in the configuration file containing extra -object identifiers. 
Each line should consist of the short name of the -object identifier followed by \fB=\fR and the numerical form. The short -and long names are the same when this option is used. -.IP "\fBnew_certs_dir\fR" 4 -.IX Item "new_certs_dir" -the same as the \fB\-outdir\fR command line option. It specifies -the directory where new certificates will be placed. Mandatory. -.IP "\fBcertificate\fR" 4 -.IX Item "certificate" -the same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0 -certificate. Mandatory. -.IP "\fBprivate_key\fR" 4 -.IX Item "private_key" -same as the \fB\-keyfile\fR option. The file containing the -\&\s-1CA\s0 private key. Mandatory. -.IP "\fB\s-1RANDFILE\s0\fR" 4 -.IX Item "RANDFILE" -a file used to read and write random number seed information, or -an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -.IP "\fBdefault_days\fR" 4 -.IX Item "default_days" -the same as the \fB\-days\fR option. The number of days to certify -a certificate for. -.IP "\fBdefault_startdate\fR" 4 -.IX Item "default_startdate" -the same as the \fB\-startdate\fR option. The start date to certify -a certificate for. If not set the current time is used. -.IP "\fBdefault_enddate\fR" 4 -.IX Item "default_enddate" -the same as the \fB\-enddate\fR option. Either this option or -\&\fBdefault_days\fR (or the command line equivalents) must be -present. -.IP "\fBdefault_crl_hours default_crl_days\fR" 4 -.IX Item "default_crl_hours default_crl_days" -the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These -will only be used if neither command line option is present. At -least one of these must be present to generate a \s-1CRL.\s0 -.IP "\fBdefault_md\fR" 4 -.IX Item "default_md" -the same as the \fB\-md\fR option. The message digest to use. Mandatory. -.IP "\fBdatabase\fR" 4 -.IX Item "database" -the text database file to use. Mandatory. This file must be present -though initially it will be empty. 
-.IP "\fBunique_subject\fR" 4 -.IX Item "unique_subject" -if the value \fByes\fR is given, the valid certificate entries in the -database must have unique subjects. if the value \fBno\fR is given, -several valid certificate entries may have the exact same subject. -The default value is \fByes\fR, to be compatible with older (pre 0.9.8) -versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier, -it's recommended to use the value \fBno\fR, especially if combined with -the \fB\-selfsign\fR command line option. -.IP "\fBserial\fR" 4 -.IX Item "serial" -a text file containing the next serial number to use in hex. Mandatory. -This file must be present and contain a valid serial number. -.IP "\fBcrlnumber\fR" 4 -.IX Item "crlnumber" -a text file containing the next \s-1CRL\s0 number to use in hex. The crl number -will be inserted in the CRLs only if this file exists. If this file is -present, it must contain a valid \s-1CRL\s0 number. -.IP "\fBx509_extensions\fR" 4 -.IX Item "x509_extensions" -the same as \fB\-extensions\fR. -.IP "\fBcrl_extensions\fR" 4 -.IX Item "crl_extensions" -the same as \fB\-crlexts\fR. -.IP "\fBpreserve\fR" 4 -.IX Item "preserve" -the same as \fB\-preserveDN\fR -.IP "\fBemail_in_dn\fR" 4 -.IX Item "email_in_dn" -the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed -from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present -the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN.\s0 -.IP "\fBmsie_hack\fR" 4 -.IX Item "msie_hack" -the same as \fB\-msie_hack\fR -.IP "\fBpolicy\fR" 4 -.IX Item "policy" -the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section -for more information. -.IP "\fBname_opt\fR, \fBcert_opt\fR" 4 -.IX Item "name_opt, cert_opt" -these options allow the format used to display the certificate details -when asking the user to confirm signing. 
All the options supported by -the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used -here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set -and cannot be disabled (this is because the certificate signature cannot -be displayed because the certificate has not been signed at this point). -.Sp -For convenience the values \fBca_default\fR are accepted by both to produce -a reasonable output. -.Sp -If neither option is present the format used in earlier versions of -OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because -it only displays fields mentioned in the \fBpolicy\fR section, mishandles -multicharacter string types and does not display extensions. -.IP "\fBcopy_extensions\fR" 4 -.IX Item "copy_extensions" -determines how extensions in certificate requests should be handled. -If set to \fBnone\fR or this option is not present then extensions are -ignored and not copied to the certificate. If set to \fBcopy\fR then any -extensions present in the request that are not already present are copied -to the certificate. If set to \fBcopyall\fR then all extensions in the -request are copied to the certificate: if the extension is already present -in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before -using this option. -.Sp -The main use of this option is to allow a certificate request to supply -values for certain extensions such as subjectAltName. -.SH "POLICY FORMAT" -.IX Header "POLICY FORMAT" -The policy section consists of a set of variables corresponding to -certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value -must match the same field in the \s-1CA\s0 certificate. If the value is -\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then -it may be present. 
Any fields not mentioned in the policy section -are silently deleted, unless the \fB\-preserveDN\fR option is set but -this can be regarded more of a quirk than intended behaviour. -.SH "SPKAC FORMAT" -.IX Header "SPKAC FORMAT" -The input to the \fB\-spkac\fR command line option is a Netscape -signed public key and challenge. This will usually come from -the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key. -It is however possible to create SPKACs using the \fBspkac\fR utility. -.PP -The file should contain the variable \s-1SPKAC\s0 set to the value of -the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs. -If you need to include the same component twice then it can be -preceded by a number and a '.'. -.PP -When processing \s-1SPKAC\s0 format, the output is \s-1DER\s0 if the \fB\-out\fR -flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR -flag is used. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Note: these examples assume that the \fBca\fR directory structure is -already set up and the relevant files already exist. This usually -involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a -serial number file and an empty index file and placing them in -the relevant directories. -.PP -To use the sample configuration file below the directories demoCA, -demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0 -certificate would be copied to demoCA/cacert.pem and its private -key to demoCA/private/cakey.pem. A file demoCA/serial would be -created containing for example \*(L"01\*(R" and the empty index file -demoCA/index.txt. 
-.PP -Sign a certificate request: -.PP -.Vb 1 -\& openssl ca \-in req.pem \-out newcert.pem -.Ve -.PP -Sign a certificate request, using \s-1CA\s0 extensions: -.PP -.Vb 1 -\& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem -.Ve -.PP -Generate a \s-1CRL\s0 -.PP -.Vb 1 -\& openssl ca \-gencrl \-out crl.pem -.Ve -.PP -Sign several requests: -.PP -.Vb 1 -\& openssl ca \-infiles req1.pem req2.pem req3.pem -.Ve -.PP -Certify a Netscape \s-1SPKAC:\s0 -.PP -.Vb 1 -\& openssl ca \-spkac spkac.txt -.Ve -.PP -A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity): -.PP -.Vb 5 -\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 -\& CN=Steve Test -\& emailAddress=steve@openssl.org -\& 0.OU=OpenSSL Group -\& 1.OU=Another Group -.Ve -.PP -A sample configuration file with the relevant sections for \fBca\fR: -.PP -.Vb 2 -\& [ ca ] -\& default_ca = CA_default # The default ca section -\& -\& [ CA_default ] -\& -\& dir = ./demoCA # top dir -\& database = $dir/index.txt # index file. 
-\& new_certs_dir = $dir/newcerts # new certs dir -\& -\& certificate = $dir/cacert.pem # The CA cert -\& serial = $dir/serial # serial no file -\& private_key = $dir/private/cakey.pem# CA private key -\& RANDFILE = $dir/private/.rand # random number file -\& -\& default_days = 365 # how long to certify for -\& default_crl_days= 30 # how long before next CRL -\& default_md = md5 # md to use -\& -\& policy = policy_any # default policy -\& email_in_dn = no # Don\*(Aqt add the email into cert DN -\& -\& name_opt = ca_default # Subject name display option -\& cert_opt = ca_default # Certificate display option -\& copy_extensions = none # Don\*(Aqt copy extensions from request -\& -\& [ policy_any ] -\& countryName = supplied -\& stateOrProvinceName = optional -\& organizationName = optional -\& organizationalUnitName = optional -\& commonName = supplied -\& emailAddress = optional -.Ve -.SH "FILES" -.IX Header "FILES" -Note: the location of all files can change either by compile time options, -configuration file entries, environment variables or command line options. -The values below reflect the default values. -.PP -.Vb 10 -\& /usr/local/ssl/lib/openssl.cnf \- master configuration file -\& ./demoCA \- main CA directory -\& ./demoCA/cacert.pem \- CA certificate -\& ./demoCA/private/cakey.pem \- CA private key -\& ./demoCA/serial \- CA serial number file -\& ./demoCA/serial.old \- CA serial number backup file -\& ./demoCA/index.txt \- CA text database file -\& ./demoCA/index.txt.old \- CA text database backup file -\& ./demoCA/certs \- certificate output file -\& ./demoCA/.rnd \- CA random seed information -.Ve -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can -be overridden by the \fB\-config\fR command line option. 
-.SH "RESTRICTIONS" -.IX Header "RESTRICTIONS" -The text database index file is a critical part of the process and -if corrupted it can be difficult to fix. It is theoretically possible -to rebuild the index file from all the issued certificates and a current -\&\s-1CRL:\s0 however there is no option to do this. -.PP -V2 \s-1CRL\s0 features like delta CRLs are not currently supported. -.PP -Although several requests can be input and handled at once it is only -possible to include one \s-1SPKAC\s0 or self signed certificate. -.SH "BUGS" -.IX Header "BUGS" -The use of an in memory text database can cause problems when large -numbers of certificates are present because, as the name implies -the database has to be kept in memory. -.PP -The \fBca\fR command really needs rewriting or the required functionality -exposed at either a command or interface level so a more friendly utility -(perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and -\&\fB\s-1CA\s0.pl\fR help a little but not very much. -.PP -Any fields in a request that are not present in a policy are silently -deleted. This does not happen if the \fB\-preserveDN\fR option is used. To -enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN,\s0 as suggested by -RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR -option can be used. The behaviour should be more friendly and -configurable. -.PP -Cancelling some commands by refusing to certify a certificate can -create an empty file. -.SH "WARNINGS" -.IX Header "WARNINGS" -The \fBca\fR command is quirky and at times downright unfriendly. -.PP -The \fBca\fR utility was originally meant as an example of how to do things -in a \s-1CA.\s0 It was not supposed to be used as a full blown \s-1CA\s0 itself: -nevertheless some people are using it for this purpose. 
-.PP -The \fBca\fR command is effectively a single user command: no locking is -done on the various files and attempts to run more than one \fBca\fR command -on the same database can have unpredictable results. -.PP -The \fBcopy_extensions\fR option should be used with caution. If care is -not taken then it can be a security risk. For example if a certificate -request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the -\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot -this when the certificate is displayed then this will hand the requestor -a valid \s-1CA\s0 certificate. -.PP -This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR -and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file. -Then if the request contains a basicConstraints extension it will be -ignored. -.PP -It is advisable to also include values for other extensions such -as \fBkeyUsage\fR to prevent a request supplying its own values. -.PP -Additional restrictions can be placed on the \s-1CA\s0 certificate itself. -For example if the \s-1CA\s0 certificate has: -.PP -.Vb 1 -\& basicConstraints = CA:TRUE, pathlen:0 -.Ve -.PP -then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIreq\fR\|(1), \fIspkac\fR\|(1), \fIx509\fR\|(1), \s-1\fICA\s0.pl\fR\|(1), -\&\fIconfig\fR\|(5), \fIx509v3_config\fR\|(5) diff --git a/usr.bin/openssl/man/ciphers.1 b/usr.bin/openssl/man/ciphers.1 deleted file mode 100644 index d2eb0aadad..0000000000 --- a/usr.bin/openssl/man/ciphers.1 +++ /dev/null 
@@ -1,730 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "CIPHERS 1" -.TH CIPHERS 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -ciphers \- SSL cipher display and cipher list tool. 
-.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBciphers\fR -[\fB\-v\fR] -[\fB\-V\fR] -[\fB\-ssl2\fR] -[\fB\-ssl3\fR] -[\fB\-tls1\fR] -[\fBcipherlist\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBciphers\fR command converts textual OpenSSL cipher lists into ordered -\&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine -the appropriate cipherlist. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-v\fR" 4 -.IX Item "-v" -Verbose option. List ciphers with a complete description of -protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange, -authentication, encryption and mac algorithms used along with any key size -restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher. -Note that without the \fB\-v\fR option, ciphers may seem to appear twice -in a cipher list; this is when similar ciphers are available for -\&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1. -.IP "\fB\-V\fR" 4 -.IX Item "-V" -Like \fB\-v\fR, but include cipher suite codes in output (hex format). -.IP "\fB\-ssl3\fR, \fB\-tls1\fR" 4 -.IX Item "-ssl3, -tls1" -This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2. -.IP "\fB\-ssl2\fR" 4 -.IX Item "-ssl2" -Only include SSLv2 ciphers. -.IP "\fB\-h\fR, \fB\-?\fR" 4 -.IX Item "-h, -?" -Print a brief usage message. -.IP "\fBcipherlist\fR" 4 -.IX Item "cipherlist" -A cipher list to convert to a cipher preference list. If it is not included -then the default cipher list will be used. The format is described below. -.SH "CIPHER LIST FORMAT" -.IX Header "CIPHER LIST FORMAT" -The cipher list consists of one or more \fIcipher strings\fR separated by colons. -Commas or spaces are also acceptable separators but colons are normally used. -.PP -The actual cipher string can take several different forms. -.PP -It can consist of a single cipher suite such as \fB\s-1RC4\-SHA\s0\fR. 
-.PP -It can represent a list of cipher suites containing a certain algorithm, or -cipher suites of a certain type. For example \fB\s-1SHA1\s0\fR represents all ciphers -suites using the digest algorithm \s-1SHA1\s0 and \fBSSLv3\fR represents all \s-1SSL\s0 v3 -algorithms. -.PP -Lists of cipher suites can be combined in a single cipher string using the -\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example -\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1 \s0\fBand\fR the \s-1DES\s0 -algorithms. -.PP -Each cipher string can be optionally preceded by the characters \fB!\fR, -\&\fB\-\fR or \fB+\fR. -.PP -If \fB!\fR is used then the ciphers are permanently deleted from the list. -The ciphers deleted can never reappear in the list even if they are -explicitly stated. -.PP -If \fB\-\fR is used then the ciphers are deleted from the list, but some or -all of the ciphers can be added again by later options. -.PP -If \fB+\fR is used then the ciphers are moved to the end of the list. This -option doesn't add any new ciphers it just moves matching existing ones. -.PP -If none of these characters is present then the string is just interpreted -as a list of ciphers to be appended to the current preference list. If the -list includes any ciphers already present they will be ignored: that is they -will not moved to the end of the list. -.PP -Additionally the cipher string \fB\f(CB@STRENGTH\fB\fR can be used at any point to sort -the current cipher list in order of encryption algorithm key length. -.SH "CIPHER STRINGS" -.IX Header "CIPHER STRINGS" -The following is a list of all permitted cipher strings and their meanings. -.IP "\fB\s-1DEFAULT\s0\fR" 4 -.IX Item "DEFAULT" -The default cipher list. -This is determined at compile time and is normally -\&\fB\s-1ALL:\s0!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2\fR. -When used, this must be the first cipherstring specified. 
-.IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4 -.IX Item "COMPLEMENTOFDEFAULT" -the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently -this is \fB\s-1ADH\s0\fR and \fB\s-1AECDH\s0\fR. Note that this rule does not cover \fBeNULL\fR, -which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary). -.IP "\fB\s-1ALL\s0\fR" 4 -.IX Item "ALL" -all cipher suites except the \fBeNULL\fR ciphers which must be explicitly enabled; -as of OpenSSL, the \fB\s-1ALL\s0\fR cipher suites are reasonably ordered by default -.IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4 -.IX Item "COMPLEMENTOFALL" -the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR. -.IP "\fB\s-1HIGH\s0\fR" 4 -.IX Item "HIGH" -\&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger -than 128 bits, and some cipher suites with 128\-bit keys. -.IP "\fB\s-1MEDIUM\s0\fR" 4 -.IX Item "MEDIUM" -\&\*(L"medium\*(R" encryption cipher suites, currently some of those using 128 bit encryption. -.IP "\fB\s-1LOW\s0\fR" 4 -.IX Item "LOW" -Low strength encryption cipher suites, currently those using 64 or 56 bit -encryption algorithms but excluding export cipher suites. -As of OpenSSL 1.0.2g, these are disabled in default builds. -.IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4 -.IX Item "EXP, EXPORT" -Export strength encryption algorithms. Including 40 and 56 bits algorithms. -As of OpenSSL 1.0.2g, these are disabled in default builds. -.IP "\fB\s-1EXPORT40\s0\fR" 4 -.IX Item "EXPORT40" -40\-bit export encryption algorithms -As of OpenSSL 1.0.2g, these are disabled in default builds. -.IP "\fB\s-1EXPORT56\s0\fR" 4 -.IX Item "EXPORT56" -56\-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of -56 bit export ciphers is empty unless OpenSSL has been explicitly configured -with support for experimental ciphers. -As of OpenSSL 1.0.2g, these are disabled in default builds. 
-.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4 -.IX Item "eNULL, NULL" -The \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no -encryption at all and are a security risk they are not enabled via either the -\&\fB\s-1DEFAULT\s0\fR or \fB\s-1ALL\s0\fR cipher strings. -Be careful when building cipherlists out of lower-level primitives such as -\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. -When in doubt, include \fB!eNULL\fR in your cipherlist. -.IP "\fBaNULL\fR" 4 -.IX Item "aNULL" -The cipher suites offering no authentication. This is currently the anonymous -\&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable -to a \*(L"man in the middle\*(R" attack and so their use is normally discouraged. -These are excluded from the \fB\s-1DEFAULT\s0\fR ciphers, but included in the \fB\s-1ALL\s0\fR -ciphers. -Be careful when building cipherlists out of lower-level primitives such as -\&\fBkDHE\fR or \fB\s-1AES\s0\fR as these do overlap with the \fBaNULL\fR ciphers. -When in doubt, include \fB!aNULL\fR in your cipherlist. -.IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4 -.IX Item "kRSA, RSA" -cipher suites using \s-1RSA\s0 key exchange. -.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4 -.IX Item "kDHr, kDHd, kDH" -cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0 -and \s-1DSS\s0 keys or either respectively. -.IP "\fBkDHE\fR, \fBkEDH\fR" 4 -.IX Item "kDHE, kEDH" -cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher -suites. -.IP "\fB\s-1DHE\s0\fR, \fB\s-1EDH\s0\fR" 4 -.IX Item "DHE, EDH" -cipher suites using authenticated ephemeral \s-1DH\s0 key agreement. -.IP "\fB\s-1ADH\s0\fR" 4 -.IX Item "ADH" -anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic -Curve \s-1DH \s0(\s-1ECDH\s0) cipher suites. 
-.IP "\fB\s-1DH\s0\fR" 4 -.IX Item "DH" -cipher suites using \s-1DH,\s0 including anonymous \s-1DH,\s0 ephemeral \s-1DH\s0 and fixed \s-1DH.\s0 -.IP "\fBkECDHr\fR, \fBkECDHe\fR, \fBkECDH\fR" 4 -.IX Item "kECDHr, kECDHe, kECDH" -cipher suites using fixed \s-1ECDH\s0 key agreement signed by CAs with \s-1RSA\s0 and \s-1ECDSA\s0 -keys or either respectively. -.IP "\fBkECDHE\fR, \fBkEECDH\fR" 4 -.IX Item "kECDHE, kEECDH" -cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous -cipher suites. -.IP "\fB\s-1ECDHE\s0\fR, \fB\s-1EECDH\s0\fR" 4 -.IX Item "ECDHE, EECDH" -cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement. -.IP "\fB\s-1AECDH\s0\fR" 4 -.IX Item "AECDH" -anonymous Elliptic Curve Diffie Hellman cipher suites. -.IP "\fB\s-1ECDH\s0\fR" 4 -.IX Item "ECDH" -cipher suites using \s-1ECDH\s0 key exchange, including anonymous, ephemeral and -fixed \s-1ECDH.\s0 -.IP "\fBaRSA\fR" 4 -.IX Item "aRSA" -cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys. -.IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4 -.IX Item "aDSS, DSS" -cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys. -.IP "\fBaDH\fR" 4 -.IX Item "aDH" -cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry -\&\s-1DH\s0 keys. -.IP "\fBaECDH\fR" 4 -.IX Item "aECDH" -cipher suites effectively using \s-1ECDH\s0 authentication, i.e. the certificates -carry \s-1ECDH\s0 keys. -.IP "\fBaECDSA\fR, \fB\s-1ECDSA\s0\fR" 4 -.IX Item "aECDSA, ECDSA" -cipher suites using \s-1ECDSA\s0 authentication, i.e. the certificates carry \s-1ECDSA\s0 -keys. -.IP "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4 -.IX Item "kFZA, aFZA, eFZA, FZA" -ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all -\&\s-1FORTEZZA\s0 algorithms. Not implemented. 
-.IP "\fBTLSv1.2\fR, \fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4 -.IX Item "TLSv1.2, TLSv1, SSLv3, SSLv2" -\&\s-1TLS\s0 v1.2, \s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively. Note: -there are no ciphersuites specific to \s-1TLS\s0 v1.1. -.IP "\fB\s-1AES128\s0\fR, \fB\s-1AES256\s0\fR, \fB\s-1AES\s0\fR" 4 -.IX Item "AES128, AES256, AES" -cipher suites using 128 bit \s-1AES, 256\s0 bit \s-1AES\s0 or either 128 or 256 bit \s-1AES.\s0 -.IP "\fB\s-1AESGCM\s0\fR" 4 -.IX Item "AESGCM" -\&\s-1AES\s0 in Galois Counter Mode (\s-1GCM\s0): these ciphersuites are only supported -in \s-1TLS\s0 v1.2. -.IP "\fB\s-1CAMELLIA128\s0\fR, \fB\s-1CAMELLIA256\s0\fR, \fB\s-1CAMELLIA\s0\fR" 4 -.IX Item "CAMELLIA128, CAMELLIA256, CAMELLIA" -cipher suites using 128 bit \s-1CAMELLIA, 256\s0 bit \s-1CAMELLIA\s0 or either 128 or 256 bit -\&\s-1CAMELLIA.\s0 -.IP "\fB3DES\fR" 4 -.IX Item "3DES" -cipher suites using triple \s-1DES.\s0 -.IP "\fB\s-1DES\s0\fR" 4 -.IX Item "DES" -cipher suites using \s-1DES \s0(not triple \s-1DES\s0). -.IP "\fB\s-1RC4\s0\fR" 4 -.IX Item "RC4" -cipher suites using \s-1RC4.\s0 -.IP "\fB\s-1RC2\s0\fR" 4 -.IX Item "RC2" -cipher suites using \s-1RC2.\s0 -.IP "\fB\s-1IDEA\s0\fR" 4 -.IX Item "IDEA" -cipher suites using \s-1IDEA.\s0 -.IP "\fB\s-1SEED\s0\fR" 4 -.IX Item "SEED" -cipher suites using \s-1SEED.\s0 -.IP "\fB\s-1MD5\s0\fR" 4 -.IX Item "MD5" -cipher suites using \s-1MD5.\s0 -.IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4 -.IX Item "SHA1, SHA" -cipher suites using \s-1SHA1.\s0 -.IP "\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR" 4 -.IX Item "SHA256, SHA384" -ciphersuites using \s-1SHA256\s0 or \s-1SHA384.\s0 -.IP "\fBaGOST\fR" 4 -.IX Item "aGOST" -cipher suites using \s-1GOST R 34.10 \s0(either 2001 or 94) for authenticaction -(needs an engine supporting \s-1GOST\s0 algorithms). -.IP "\fBaGOST01\fR" 4 -.IX Item "aGOST01" -cipher suites using \s-1GOST R 34.10\-2001\s0 authentication. 
-.IP "\fBaGOST94\fR" 4 -.IX Item "aGOST94" -cipher suites using \s-1GOST R 34.10\-94\s0 authentication (note that R 34.10\-94 -standard has been expired so use \s-1GOST R 34.10\-2001\s0) -.IP "\fBkGOST\fR" 4 -.IX Item "kGOST" -cipher suites, using \s-1VKO 34.10\s0 key exchange, specified in the \s-1RFC 4357.\s0 -.IP "\fB\s-1GOST94\s0\fR" 4 -.IX Item "GOST94" -cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0 -.IP "\fB\s-1GOST89MAC\s0\fR" 4 -.IX Item "GOST89MAC" -cipher suites using \s-1GOST 28147\-89 MAC \s0\fBinstead of\fR \s-1HMAC.\s0 -.IP "\fB\s-1PSK\s0\fR" 4 -.IX Item "PSK" -cipher suites using pre-shared keys (\s-1PSK\s0). -.IP "\fB\s-1SUITEB128\s0\fR, \fB\s-1SUITEB128ONLY\s0\fR, \fB\s-1SUITEB192\s0\fR" 4 -.IX Item "SUITEB128, SUITEB128ONLY, SUITEB192" -enables suite B mode operation using 128 (permitting 192 bit mode by peer) -128 bit (not permitting 192 bit by peer) or 192 bit level of security -respectively. If used these cipherstrings should appear first in the cipher -list and anything after them is ignored. Setting Suite B mode has additional -consequences required to comply with \s-1RFC6460.\s0 In particular the supported -signature algorithms is reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0 -only the elliptic curves P\-256 and P\-384 can be used and only the two suite B -compliant ciphersuites (\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and -\&\s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are permissible. -.SH "CIPHER SUITE NAMES" -.IX Header "CIPHER SUITE NAMES" -The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the -relevant specification and their OpenSSL equivalents. It should be noted, -that several cipher suite names do not include the authentication used, -e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. -.SS "\s-1SSL\s0 v3.0 cipher suites." -.IX Subsection "SSL v3.0 cipher suites." 
-.Vb 10 -\& SSL_RSA_WITH_NULL_MD5 NULL\-MD5 -\& SSL_RSA_WITH_NULL_SHA NULL\-SHA -\& SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP\-RC4\-MD5 -\& SSL_RSA_WITH_RC4_128_MD5 RC4\-MD5 -\& SSL_RSA_WITH_RC4_128_SHA RC4\-SHA -\& SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP\-RC2\-CBC\-MD5 -\& SSL_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA -\& SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-DES\-CBC\-SHA -\& SSL_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA -\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA -\& -\& SSL_DH_DSS_WITH_DES_CBC_SHA DH\-DSS\-DES\-CBC\-SHA -\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA -\& SSL_DH_RSA_WITH_DES_CBC_SHA DH\-RSA\-DES\-CBC\-SHA -\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA -\& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA -\& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA -\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA -\& SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-RSA\-DES\-CBC\-SHA -\& SSL_DHE_RSA_WITH_DES_CBC_SHA EDH\-RSA\-DES\-CBC\-SHA -\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA -\& -\& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP\-ADH\-RC4\-MD5 -\& SSL_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5 -\& SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP\-ADH\-DES\-CBC\-SHA -\& SSL_DH_anon_WITH_DES_CBC_SHA ADH\-DES\-CBC\-SHA -\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA -\& -\& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. -\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. -\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. -.Ve -.SS "\s-1TLS\s0 v1.0 cipher suites." -.IX Subsection "TLS v1.0 cipher suites." 
-.Vb 10 -\& TLS_RSA_WITH_NULL_MD5 NULL\-MD5 -\& TLS_RSA_WITH_NULL_SHA NULL\-SHA -\& TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP\-RC4\-MD5 -\& TLS_RSA_WITH_RC4_128_MD5 RC4\-MD5 -\& TLS_RSA_WITH_RC4_128_SHA RC4\-SHA -\& TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP\-RC2\-CBC\-MD5 -\& TLS_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA -\& TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-DES\-CBC\-SHA -\& TLS_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA -\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA -\& -\& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. -\& TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. -\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. -\& TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. -\& TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented. -\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. -\& TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA -\& TLS_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA -\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA -\& TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-RSA\-DES\-CBC\-SHA -\& TLS_DHE_RSA_WITH_DES_CBC_SHA EDH\-RSA\-DES\-CBC\-SHA -\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA -\& -\& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP\-ADH\-RC4\-MD5 -\& TLS_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5 -\& TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP\-ADH\-DES\-CBC\-SHA -\& TLS_DH_anon_WITH_DES_CBC_SHA ADH\-DES\-CBC\-SHA -\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA -.Ve -.SS "\s-1AES\s0 ciphersuites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0" -.IX Subsection "AES ciphersuites from RFC3268, extending TLS v1.0" -.Vb 2 -\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA -\& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA -\& -\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH\-DSS\-AES128\-SHA -\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH\-DSS\-AES256\-SHA -\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH\-RSA\-AES128\-SHA -\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH\-RSA\-AES256\-SHA -\& -\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA -\& 
TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA -\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE\-RSA\-AES128\-SHA -\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE\-RSA\-AES256\-SHA -\& -\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA -\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA -.Ve -.SS "Camellia ciphersuites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0" -.IX Subsection "Camellia ciphersuites from RFC4132, extending TLS v1.0" -.Vb 2 -\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA -\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA -\& -\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH\-DSS\-CAMELLIA128\-SHA -\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH\-DSS\-CAMELLIA256\-SHA -\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH\-RSA\-CAMELLIA128\-SHA -\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH\-RSA\-CAMELLIA256\-SHA -\& -\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA -\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA -\& TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE\-RSA\-CAMELLIA128\-SHA -\& TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE\-RSA\-CAMELLIA256\-SHA -\& -\& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA -\& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA -.Ve -.SS "\s-1SEED\s0 ciphersuites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0" -.IX Subsection "SEED ciphersuites from RFC4162, extending TLS v1.0" -.Vb 1 -\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA -\& -\& TLS_DH_DSS_WITH_SEED_CBC_SHA DH\-DSS\-SEED\-SHA -\& TLS_DH_RSA_WITH_SEED_CBC_SHA DH\-RSA\-SEED\-SHA -\& -\& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA -\& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA -\& -\& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA -.Ve -.SS "\s-1GOST\s0 ciphersuites from draft-chudov-cryptopro-cptls, extending \s-1TLS\s0 v1.0" -.IX Subsection "GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0" -Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic -algorithms, such 
as the \fBccgost\fR engine, included in the OpenSSL distribution. -.PP -.Vb 4 -\& TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94\-GOST89\-GOST89 -\& TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001\-GOST89\-GOST89 -\& TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94\-NULL\-GOST94 -\& TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001\-NULL\-GOST94 -.Ve -.SS "Additional Export 1024 and other cipher suites" -.IX Subsection "Additional Export 1024 and other cipher suites" -Note: these ciphers can also be used in \s-1SSL\s0 v3. -.PP -.Vb 5 -\& TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024\-DES\-CBC\-SHA -\& TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024\-RC4\-SHA -\& TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024\-DHE\-DSS\-DES\-CBC\-SHA -\& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024\-DHE\-DSS\-RC4\-SHA -\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA -.Ve -.SS "Elliptic curve cipher suites." -.IX Subsection "Elliptic curve cipher suites." -.Vb 5 -\& TLS_ECDH_RSA_WITH_NULL_SHA ECDH\-RSA\-NULL\-SHA -\& TLS_ECDH_RSA_WITH_RC4_128_SHA ECDH\-RSA\-RC4\-SHA -\& TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ECDH\-RSA\-DES\-CBC3\-SHA -\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH\-RSA\-AES128\-SHA -\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH\-RSA\-AES256\-SHA -\& -\& TLS_ECDH_ECDSA_WITH_NULL_SHA ECDH\-ECDSA\-NULL\-SHA -\& TLS_ECDH_ECDSA_WITH_RC4_128_SHA ECDH\-ECDSA\-RC4\-SHA -\& TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH\-ECDSA\-DES\-CBC3\-SHA -\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH\-ECDSA\-AES128\-SHA -\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH\-ECDSA\-AES256\-SHA -\& -\& TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE\-RSA\-NULL\-SHA -\& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA -\& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE\-RSA\-DES\-CBC3\-SHA -\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE\-RSA\-AES128\-SHA -\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE\-RSA\-AES256\-SHA -\& -\& TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE\-ECDSA\-NULL\-SHA -\& TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE\-ECDSA\-RC4\-SHA -\& 
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE\-ECDSA\-DES\-CBC3\-SHA -\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE\-ECDSA\-AES128\-SHA -\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE\-ECDSA\-AES256\-SHA -\& -\& TLS_ECDH_anon_WITH_NULL_SHA AECDH\-NULL\-SHA -\& TLS_ECDH_anon_WITH_RC4_128_SHA AECDH\-RC4\-SHA -\& TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH\-DES\-CBC3\-SHA -\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH\-AES128\-SHA -\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH\-AES256\-SHA -.Ve -.SS "\s-1TLS\s0 v1.2 cipher suites" -.IX Subsection "TLS v1.2 cipher suites" -.Vb 1 -\& TLS_RSA_WITH_NULL_SHA256 NULL\-SHA256 -\& -\& TLS_RSA_WITH_AES_128_CBC_SHA256 AES128\-SHA256 -\& TLS_RSA_WITH_AES_256_CBC_SHA256 AES256\-SHA256 -\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256 -\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384 -\& -\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH\-RSA\-AES128\-SHA256 -\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH\-RSA\-AES256\-SHA256 -\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH\-RSA\-AES128\-GCM\-SHA256 -\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH\-RSA\-AES256\-GCM\-SHA384 -\& -\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH\-DSS\-AES128\-SHA256 -\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH\-DSS\-AES256\-SHA256 -\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH\-DSS\-AES128\-GCM\-SHA256 -\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH\-DSS\-AES256\-GCM\-SHA384 -\& -\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256 -\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256 -\& TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE\-RSA\-AES128\-GCM\-SHA256 -\& TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE\-RSA\-AES256\-GCM\-SHA384 -\& -\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE\-DSS\-AES128\-SHA256 -\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE\-DSS\-AES256\-SHA256 -\& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE\-DSS\-AES128\-GCM\-SHA256 -\& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE\-DSS\-AES256\-GCM\-SHA384 -\& -\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH\-RSA\-AES128\-SHA256 -\& 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH\-RSA\-AES256\-SHA384 -\& TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH\-RSA\-AES128\-GCM\-SHA256 -\& TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH\-RSA\-AES256\-GCM\-SHA384 -\& -\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH\-ECDSA\-AES128\-SHA256 -\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH\-ECDSA\-AES256\-SHA384 -\& TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH\-ECDSA\-AES128\-GCM\-SHA256 -\& TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH\-ECDSA\-AES256\-GCM\-SHA384 -\& -\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256 -\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384 -\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256 -\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE\-RSA\-AES256\-GCM\-SHA384 -\& -\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE\-ECDSA\-AES128\-SHA256 -\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE\-ECDSA\-AES256\-SHA384 -\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE\-ECDSA\-AES128\-GCM\-SHA256 -\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE\-ECDSA\-AES256\-GCM\-SHA384 -\& -\& TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH\-AES128\-SHA256 -\& TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH\-AES256\-SHA256 -\& TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH\-AES128\-GCM\-SHA256 -\& TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH\-AES256\-GCM\-SHA384 -.Ve -.SS "Pre shared keying (\s-1PSK\s0) cipheruites" -.IX Subsection "Pre shared keying (PSK) cipheruites" -.Vb 4 -\& TLS_PSK_WITH_RC4_128_SHA PSK\-RC4\-SHA -\& TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK\-3DES\-EDE\-CBC\-SHA -\& TLS_PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA -\& TLS_PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA -.Ve -.SS "Deprecated \s-1SSL\s0 v2.0 cipher suites." -.IX Subsection "Deprecated SSL v2.0 cipher suites." -.Vb 7 -\& SSL_CK_RC4_128_WITH_MD5 RC4\-MD5 -\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. -\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2\-CBC\-MD5 -\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. 
-\& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA\-CBC\-MD5 -\& SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. -\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES\-CBC3\-MD5 -.Ve -.SH "NOTES" -.IX Header "NOTES" -Some compiled versions of OpenSSL may not include all the ciphers -listed here because some ciphers were excluded at compile time. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers: -.PP -.Vb 1 -\& openssl ciphers \-v \*(AqALL:eNULL\*(Aq -.Ve -.PP -Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by -strength: -.PP -.Vb 1 -\& openssl ciphers \-v \*(AqALL:!ADH:@STRENGTH\*(Aq -.Ve -.PP -Include all ciphers except ones with no encryption (eNULL) or no -authentication (aNULL): -.PP -.Vb 1 -\& openssl ciphers \-v \*(AqALL:!aNULL\*(Aq -.Ve -.PP -Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last: -.PP -.Vb 1 -\& openssl ciphers \-v \*(Aq3DES:+RSA\*(Aq -.Ve -.PP -Include all \s-1RC4\s0 ciphers but leave out those without authentication: -.PP -.Vb 1 -\& openssl ciphers \-v \*(AqRC4:!COMPLEMENTOFDEFAULT\*(Aq -.Ve -.PP -Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without -encryption. -.PP -.Vb 1 -\& openssl ciphers \-v \*(AqRSA:!COMPLEMENTOFALL\*(Aq -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options -for cipherlist strings were added in OpenSSL 0.9.7. -The \fB\-V\fR option for the \fBciphers\fR command was added in OpenSSL 1.0.0. diff --git a/usr.bin/openssl/man/cms.1 b/usr.bin/openssl/man/cms.1 deleted file mode 100644 index 867bc7d7d0..0000000000 --- a/usr.bin/openssl/man/cms.1 +++ /dev/null 
@@ -1,750 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "CMS 1" -.TH CMS 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -cms \- CMS utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBcms\fR -[\fB\-encrypt\fR] -[\fB\-decrypt\fR] -[\fB\-sign\fR] -[\fB\-verify\fR] -[\fB\-cmsout\fR] -[\fB\-resign\fR] -[\fB\-data_create\fR] -[\fB\-data_out\fR] -[\fB\-digest_create\fR] -[\fB\-digest_verify\fR] -[\fB\-compress\fR] -[\fB\-uncompress\fR] -[\fB\-EncryptedData_encrypt\fR] -[\fB\-sign_receipt\fR] -[\fB\-verify_receipt receipt\fR] -[\fB\-in filename\fR] -[\fB\-inform SMIME|PEM|DER\fR] -[\fB\-rctform SMIME|PEM|DER\fR] -[\fB\-out filename\fR] -[\fB\-outform SMIME|PEM|DER\fR] -[\fB\-stream \-indef \-noindef\fR] -[\fB\-noindef\fR] -[\fB\-content filename\fR] -[\fB\-text\fR] -[\fB\-noout\fR] -[\fB\-print\fR] -[\fB\-CAfile file\fR] -[\fB\-CApath dir\fR] -[\fB\-no_alt_chains\fR] -[\fB\-md digest\fR] -[\fB\-[cipher]\fR] -[\fB\-nointern\fR] -[\fB\-no_signer_cert_verify\fR] -[\fB\-nocerts\fR] -[\fB\-noattr\fR] -[\fB\-nosmimecap\fR] -[\fB\-binary\fR] -[\fB\-nodetach\fR] -[\fB\-certfile file\fR] -[\fB\-certsout file\fR] -[\fB\-signer file\fR] -[\fB\-recip file\fR] -[\fB\-keyid\fR] -[\fB\-receipt_request_all \-receipt_request_first\fR] -[\fB\-receipt_request_from emailaddress\fR] -[\fB\-receipt_request_to emailaddress\fR] -[\fB\-receipt_request_print\fR] -[\fB\-secretkey key\fR] -[\fB\-secretkeyid id\fR] -[\fB\-econtent_type type\fR] -[\fB\-inkey file\fR] -[\fB\-keyopt name:parameter\fR] -[\fB\-passin arg\fR] -[\fB\-rand file(s)\fR] -[\fBcert.pem...\fR] -[\fB\-to addr\fR] -[\fB\-from addr\fR] -[\fB\-subject subj\fR] -[cert.pem]... -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBcms\fR command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and -verify, compress and uncompress S/MIME messages. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -There are fourteen operation options that set the type of operation to be -performed. The meaning of the other options varies according to the operation -type. 
-.IP "\fB\-encrypt\fR" 4 -.IX Item "-encrypt" -encrypt mail for the given recipient certificates. Input file is the message -to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. The -actual \s-1CMS\s0 type is EnvelopedData. -.IP "\fB\-decrypt\fR" 4 -.IX Item "-decrypt" -decrypt mail using the supplied certificate and private key. Expects an -encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail -is written to the output file. -.IP "\fB\-debug_decrypt\fR" 4 -.IX Item "-debug_decrypt" -this option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used -with caution: see the notes section below. -.IP "\fB\-sign\fR" 4 -.IX Item "-sign" -sign mail using the supplied certificate and private key. Input file is -the message to be signed. The signed message in \s-1MIME\s0 format is written -to the output file. -.IP "\fB\-verify\fR" 4 -.IX Item "-verify" -verify signed mail. Expects a signed mail message on input and outputs -the signed data. Both clear text and opaque signing is supported. -.IP "\fB\-cmsout\fR" 4 -.IX Item "-cmsout" -takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure. -.IP "\fB\-resign\fR" 4 -.IX Item "-resign" -resign a message: take an existing message and one or more new signers. -.IP "\fB\-data_create\fR" 4 -.IX Item "-data_create" -Create a \s-1CMS \s0\fBData\fR type. -.IP "\fB\-data_out\fR" 4 -.IX Item "-data_out" -\&\fBData\fR type and output the content. -.IP "\fB\-digest_create\fR" 4 -.IX Item "-digest_create" -Create a \s-1CMS \s0\fBDigestedData\fR type. -.IP "\fB\-digest_verify\fR" 4 -.IX Item "-digest_verify" -Verify a \s-1CMS \s0\fBDigestedData\fR type and output the content. -.IP "\fB\-compress\fR" 4 -.IX Item "-compress" -Create a \s-1CMS \s0\fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR -support for this option to work, otherwise it will output an error. 
-.IP "\fB\-uncompress\fR" 4 -.IX Item "-uncompress" -Uncompress a \s-1CMS \s0\fBCompressedData\fR type and output the content. OpenSSL must be -compiled with \fBzlib\fR support for this option to work, otherwise it will -output an error. -.IP "\fB\-EncryptedData_encrypt\fR" 4 -.IX Item "-EncryptedData_encrypt" -Encrypt content using supplied symmetric key and algorithm using a \s-1CMS -\&\s0\fBEncrytedData\fR type and output the content. -.IP "\fB\-sign_receipt\fR" 4 -.IX Item "-sign_receipt" -Generate and output a signed receipt for the supplied message. The input -message \fBmust\fR contain a signed receipt request. Functionality is otherwise -similar to the \fB\-sign\fR operation. -.IP "\fB\-verify_receipt receipt\fR" 4 -.IX Item "-verify_receipt receipt" -Verify a signed receipt in filename \fBreceipt\fR. The input message \fBmust\fR -contain the original receipt request. Functionality is otherwise similar -to the \fB\-verify\fR operation. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -the input message to be encrypted or signed or the message to be decrypted -or verified. -.IP "\fB\-inform SMIME|PEM|DER\fR" 4 -.IX Item "-inform SMIME|PEM|DER" -this specifies the input format for the \s-1CMS\s0 structure. The default -is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR -format change this to expect \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures -instead. This currently only affects the input format of the \s-1CMS\s0 -structure, if no \s-1CMS\s0 structure is being input (for example with -\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. -.IP "\fB\-rctform SMIME|PEM|DER\fR" 4 -.IX Item "-rctform SMIME|PEM|DER" -specify the format for a signed receipt for use with the \fB\-receipt_verify\fR -operation. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -the message text that has been decrypted or verified or the output \s-1MIME\s0 -format message that has been signed or verified. 
-.IP "\fB\-outform SMIME|PEM|DER\fR" 4 -.IX Item "-outform SMIME|PEM|DER" -this specifies the output format for the \s-1CMS\s0 structure. The default -is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR -format change this to write \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures -instead. This currently only affects the output format of the \s-1CMS\s0 -structure, if no \s-1CMS\s0 structure is being output (for example with -\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. -.IP "\fB\-stream \-indef \-noindef\fR" 4 -.IX Item "-stream -indef -noindef" -the \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O -for encoding operations. This permits single pass processing of data without -the need to hold the entire contents in memory, potentially supporting very -large files. Streaming is automatically set for S/MIME signing with detached -data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all -other operations. -.IP "\fB\-noindef\fR" 4 -.IX Item "-noindef" -disable streaming I/O where it would produce and indefinite length constructed -encoding. This option currently has no effect. In future streaming will be -enabled by default on all relevant operations and this option will disable it. -.IP "\fB\-content filename\fR" 4 -.IX Item "-content filename" -This specifies a file containing the detached content, this is only -useful with the \fB\-verify\fR command. This is only usable if the \s-1CMS\s0 -structure is using the detached signature form where the content is -not included. This option will override any content if the input format -is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied -message if encrypting or signing. 
If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of \s-1MIME \s0 -type text/plain then an error occurs. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -for the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure. This -is useful when combined with the \fB\-print\fR option or if the syntax of the \s-1CMS\s0 -structure is being checked. -.IP "\fB\-print\fR" 4 -.IX Item "-print" -for the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure. This -is mainly useful for testing purposes. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. -.IP "\fB\-CApath dir\fR" 4 -.IX Item "-CApath dir" -a directory containing trusted \s-1CA\s0 certificates, only used with -\&\fB\-verify\fR. This directory must be a standard certificate directory: that -is a hash of each subject name (using \fBx509 \-hash\fR) should be linked -to each certificate. -.IP "\fB\-md digest\fR" 4 -.IX Item "-md digest" -digest algorithm to use when signing or resigning. If not present then the -default digest algorithm for the signing key will be used (usually \s-1SHA1\s0). -.IP "\fB\-[cipher]\fR" 4 -.IX Item "-[cipher]" -the encryption algorithm to use. For example triple \s-1DES \s0(168 bits) \- \fB\-des3\fR -or 256 bit \s-1AES \- \s0\fB\-aes256\fR. Any standard algorithm name (as used by the -\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for -example \fB\-aes_128_cbc\fR. See \fBenc\fR for a list of ciphers -supported by your version of OpenSSL. -.Sp -If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR and -\&\fB\-EncryptedData_create\fR commands. -.IP "\fB\-nointern\fR" 4 -.IX Item "-nointern" -when verifying a message normally certificates (if any) included in -the message are searched for the signing certificate. 
With this option -only the certificates specified in the \fB\-certfile\fR option are used. -The supplied certificates can still be used as untrusted CAs however. -.IP "\fB\-no_signer_cert_verify\fR" 4 -.IX Item "-no_signer_cert_verify" -do not verify the signers certificate of a signed message. -.IP "\fB\-nocerts\fR" 4 -.IX Item "-nocerts" -when signing a message the signer's certificate is normally included -with this option it is excluded. This will reduce the size of the -signed message but the verifier must have a copy of the signers certificate -available locally (passed using the \fB\-certfile\fR option for example). -.IP "\fB\-noattr\fR" 4 -.IX Item "-noattr" -normally when a message is signed a set of attributes are included which -include the signing time and supported symmetric algorithms. With this -option they are not included. -.IP "\fB\-nosmimecap\fR" 4 -.IX Item "-nosmimecap" -exclude the list of supported algorithms from signed attributes, other options -such as signing time and content type are still included. -.IP "\fB\-binary\fR" 4 -.IX Item "-binary" -normally the input message is converted to \*(L"canonical\*(R" format which is -effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME -specification. When this option is present no translation occurs. This -is useful when handling binary data which may not be in \s-1MIME\s0 format. -.IP "\fB\-nodetach\fR" 4 -.IX Item "-nodetach" -when signing a message use opaque signing: this form is more resistant -to translation by mail relays but it cannot be read by mail agents that -do not support S/MIME. Without this option cleartext signing with -the \s-1MIME\s0 type multipart/signed is used. -.IP "\fB\-certfile file\fR" 4 -.IX Item "-certfile file" -allows additional certificates to be specified. When signing these will -be included with the message. When verifying these will be searched for -the signers certificates. The certificates should be in \s-1PEM\s0 format. 
-.IP "\fB\-certsout file\fR" 4 -.IX Item "-certsout file" -any certificates contained in the message are written to \fBfile\fR. -.IP "\fB\-signer file\fR" 4 -.IX Item "-signer file" -a signing certificate when signing or resigning a message, this option can be -used multiple times if more than one signer is required. If a message is being -verified then the signers certificates will be written to this file if the -verification was successful. -.IP "\fB\-recip file\fR" 4 -.IX Item "-recip file" -when decrypting a message this specifies the recipients certificate. The -certificate must match one of the recipients of the message or an error -occurs. -.Sp -When encrypting a message this option may be used multiple times to specify -each recipient. This form \fBmust\fR be used if customised parameters are -required (for example to specify RSA-OAEP). -.IP "\fB\-keyid\fR" 4 -.IX Item "-keyid" -use subject key identifier to identify certificates instead of issuer name and -serial number. The supplied certificate \fBmust\fR include a subject key -identifier extension. Supported by \fB\-sign\fR and \fB\-encrypt\fR options. -.IP "\fB\-receipt_request_all \-receipt_request_first\fR" 4 -.IX Item "-receipt_request_all -receipt_request_first" -for \fB\-sign\fR option include a signed receipt request. Indicate requests should -be provided by all receipient or first tier recipients (those mailed directly -and not from a mailing list). Ignored it \fB\-receipt_request_from\fR is included. -.IP "\fB\-receipt_request_from emailaddress\fR" 4 -.IX Item "-receipt_request_from emailaddress" -for \fB\-sign\fR option include a signed receipt request. Add an explicit email -address where receipts should be supplied. -.IP "\fB\-receipt_request_to emailaddress\fR" 4 -.IX Item "-receipt_request_to emailaddress" -Add an explicit email address where signed receipts should be sent to. This -option \fBmust\fR but supplied if a signed receipt it requested. 
-.IP "\fB\-receipt_request_print\fR" 4 -.IX Item "-receipt_request_print" -For the \fB\-verify\fR operation print out the contents of any signed receipt -requests. -.IP "\fB\-secretkey key\fR" 4 -.IX Item "-secretkey key" -specify symmetric key to use. The key must be supplied in hex format and be -consistent with the algorithm used. Supported by the \fB\-EncryptedData_encrypt\fR -\&\fB\-EncrryptedData_decrypt\fR, \fB\-encrypt\fR and \fB\-decrypt\fR options. When used -with \fB\-encrypt\fR or \fB\-decrypt\fR the supplied key is used to wrap or unwrap the -content encryption key using an \s-1AES\s0 key in the \fBKEKRecipientInfo\fR type. -.IP "\fB\-secretkeyid id\fR" 4 -.IX Item "-secretkeyid id" -the key identifier for the supplied symmetric key for \fBKEKRecipientInfo\fR type. -This option \fBmust\fR be present if the \fB\-secretkey\fR option is used with -\&\fB\-encrypt\fR. With \fB\-decrypt\fR operations the \fBid\fR is used to locate the -relevant key if it is not supplied then an attempt is used to decrypt any -\&\fBKEKRecipientInfo\fR structures. -.IP "\fB\-econtent_type type\fR" 4 -.IX Item "-econtent_type type" -set the encapsulated content type to \fBtype\fR if not supplied the \fBData\fR type -is used. The \fBtype\fR argument can be any valid \s-1OID\s0 name in either text or -numerical format. -.IP "\fB\-inkey file\fR" 4 -.IX Item "-inkey file" -the private key to use when signing or decrypting. This must match the -corresponding certificate. If this option is not specified then the -private key must be included in the certificate file specified with -the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used -multiple times to specify successive keys. -.IP "\fB\-keyopt name:opt\fR" 4 -.IX Item "-keyopt name:opt" -for signing and encryption this option can be used multiple times to -set customised parameters for the preceding key or certificate. 
It can -currently be used to set RSA-PSS for signing, RSA-OAEP for encryption -or to modify default parameters for \s-1ECDH.\s0 -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the private key password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fBcert.pem...\fR" 4 -.IX Item "cert.pem..." -one or more certificates of message recipients: used when encrypting -a message. -.IP "\fB\-to, \-from, \-subject\fR" 4 -.IX Item "-to, -from, -subject" -the relevant mail headers. These are included outside the signed -portion of a message so they may be included manually. If signing -then many S/MIME mail clients check the signers certificate's email -address matches that specified in the 
From: address. -.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig \-no_alt_chains\fR" 4 -.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains" -Set various certificate chain valiadition option. See the -\&\fBverify\fR manual page for details. -.SH "NOTES" -.IX Header "NOTES" -The \s-1MIME\s0 message must be sent without any blank lines between the -headers and the output. Some mail programs will automatically add -a blank line. Piping the mail directly to sendmail is one way to -achieve the correct format. -.PP -The supplied message to be signed or encrypted must include the -necessary \s-1MIME\s0 headers or many S/MIME clients wont display it -properly (if at all). You can use the \fB\-text\fR option to automatically -add plain text headers. -.PP -A \*(L"signed and encrypted\*(R" message is one where a signed message is -then encrypted. This can be produced by encrypting an already signed -message: see the examples section. -.PP -This version of the program only allows one signer per message but it -will verify multiple signers on received messages. Some S/MIME clients -choke if a message contains multiple signers. It is possible to sign -messages \*(L"in parallel\*(R" by signing an already signed message. -.PP -The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME -clients. Strictly speaking these process \s-1CMS\s0 enveloped data: \s-1CMS\s0 -encrypted data is used for other purposes. -.PP -The \fB\-resign\fR option uses an existing message digest when adding a new -signer. This means that attributes must be present in at least one existing -signer using the same message digest or this operation will fail. -.PP -The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support. 
-As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding -and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the -\&\fB\-sign\fR operation if the content is not detached. -.PP -Streaming is always used for the \fB\-sign\fR operation with detached data but -since the content is no longer part of the \s-1CMS\s0 structure the encoding -remains \s-1DER.\s0 -.PP -If the \fB\-decrypt\fR option is used without a recipient certificate then an -attempt is made to locate the recipient by trying each potential recipient -in turn using the supplied private key. To thwart the \s-1MMA\s0 attack -(Bleichenbacher's attack on \s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are -tried whether they succeed or not and if no recipients match the message -is \*(L"decrypted\*(R" using a random key which will typically output garbage. -The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection -and return an error if no recipient can be found: this option should be used -with caution. For a fuller description see \fICMS_decrypt\fR\|(3)). -.SH "EXIT CODES" -.IX Header "EXIT CODES" -.IP "0" 4 -the operation was completely successfully. -.IP "1" 4 -.IX Item "1" -an error occurred parsing the command options. -.IP "2" 4 -.IX Item "2" -one of the input files could not be read. -.IP "3" 4 -.IX Item "3" -an error occurred creating the \s-1CMS\s0 file or when reading the \s-1MIME\s0 -message. -.IP "4" 4 -.IX Item "4" -an error occurred decrypting or verifying the message. -.IP "5" 4 -.IX Item "5" -the message was verified correctly but an error occurred writing out -the signers certificates. -.SH "COMPATIBILITY WITH PKCS#7 format." -.IX Header "COMPATIBILITY WITH PKCS#7 format." -The \fBsmime\fR utility can only process the older \fBPKCS#7\fR format. The \fBcms\fR -utility supports Cryptographic Message Syntax format. 
Use of some features -will result in messages which cannot be processed by applications which only -support the older format. These are detailed below. -.PP -The use of the \fB\-keyid\fR option with \fB\-sign\fR or \fB\-encrypt\fR. -.PP -The \fB\-outform \s-1PEM\s0\fR option uses different headers. -.PP -The \fB\-compress\fR option. -.PP -The \fB\-secretkey\fR option when used with \fB\-encrypt\fR. -.PP -The use of \s-1PSS\s0 with \fB\-sign\fR. -.PP -The use of \s-1OAEP\s0 or non-RSA keys with \fB\-encrypt\fR. -.PP -Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot -be processed by the older \fBsmime\fR command. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Create a cleartext signed message: -.PP -.Vb 2 -\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e -\& \-signer mycert.pem -.Ve -.PP -Create an opaque signed message -.PP -.Vb 2 -\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e -\& \-signer mycert.pem -.Ve -.PP -Create a signed message, include some additional certificates and -read the private key from another file: -.PP -.Vb 2 -\& openssl cms \-sign \-in in.txt \-text \-out mail.msg \e -\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem -.Ve -.PP -Create a signed message with two signers, use key identifier: -.PP -.Vb 2 -\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e -\& \-signer mycert.pem \-signer othercert.pem \-keyid -.Ve -.PP -Send a signed message under Unix directly to sendmail, including headers: -.PP -.Vb 3 -\& openssl cms \-sign \-in in.txt \-text \-signer mycert.pem \e -\& \-from steve@openssl.org \-to someone@somewhere \e -\& \-subject "Signed message" | sendmail someone@somewhere -.Ve -.PP -Verify a message and extract the signer's certificate if successful: -.PP -.Vb 1 -\& openssl cms \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt -.Ve -.PP -Send encrypted mail using triple \s-1DES:\s0 -.PP -.Vb 3 -\& openssl cms \-encrypt \-in in.txt 
\-from steve@openssl.org \e -\& \-to someone@somewhere \-subject "Encrypted message" \e -\& \-des3 user.pem \-out mail.msg -.Ve -.PP -Sign and encrypt mail: -.PP -.Vb 4 -\& openssl cms \-sign \-in ml.txt \-signer my.pem \-text \e -\& | openssl cms \-encrypt \-out mail.msg \e -\& \-from steve@openssl.org \-to someone@somewhere \e -\& \-subject "Signed and Encrypted message" \-des3 user.pem -.Ve -.PP -Note: the encryption command does not include the \fB\-text\fR option because the -message being encrypted already has \s-1MIME\s0 headers. -.PP -Decrypt mail: -.PP -.Vb 1 -\& openssl cms \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem -.Ve -.PP -The output from Netscape form signing is a PKCS#7 structure with the -detached signature format. You can use this program to verify the -signature by line wrapping the base64 encoded structure and surrounding -it with: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\- -\& \-\-\-\-\-END PKCS7\-\-\-\-\- -.Ve -.PP -and using the command, -.PP -.Vb 1 -\& openssl cms \-verify \-inform PEM \-in signature.pem \-content content.txt -.Ve -.PP -alternatively you can base64 decode the signature and use -.PP -.Vb 1 -\& openssl cms \-verify \-inform DER \-in signature.der \-content content.txt -.Ve -.PP -Create an encrypted message using 128 bit Camellia: -.PP -.Vb 1 -\& openssl cms \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem -.Ve -.PP -Add a signer to an existing message: -.PP -.Vb 1 -\& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg -.Ve -.PP -Sign mail using RSA-PSS: -.PP -.Vb 2 -\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e -\& \-signer mycert.pem \-keyopt rsa_padding_mode:pss -.Ve -.PP -Create encrypted mail using RSA-OAEP: -.PP -.Vb 2 -\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e -\& \-recip cert.pem \-keyopt rsa_padding_mode:oaep -.Ve -.PP -Use \s-1SHA256 KDF\s0 with an \s-1ECDH\s0 certificate: -.PP -.Vb 2 -\& openssl cms \-encrypt \-in plain.txt 
\-out mail.msg \e -\& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256 -.Ve -.SH "BUGS" -.IX Header "BUGS" -The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've -thrown at it but it may choke on others. -.PP -The code currently will only write out the signer's certificate to a file: if -the signer has a separate encryption certificate this must be manually -extracted. There should be some heuristic that determines the correct -encryption certificate. -.PP -Ideally a database should be maintained of a certificates for each email -address. -.PP -The code doesn't currently take note of the permitted symmetric encryption -algorithms as supplied in the SMIMECapabilities signed attribute. this means the -user has to manually include the correct encryption algorithm. It should store -the list of permitted ciphers in a database and only use those. -.PP -No revocation checking is done on the signer's certificate. -.SH "HISTORY" -.IX Header "HISTORY" -The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first -added in OpenSSL 1.0.0 -.PP -The \fBkeyopt\fR option was first added in OpenSSL 1.1.0 -.PP -The use of \fB\-recip\fR to specify the recipient when encrypting mail was first -added to OpenSSL 1.1.0 -.PP -Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. -.PP -The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR was first added -to OpenSSL 1.1.0. -.PP -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/usr.bin/openssl/man/config.5 b/usr.bin/openssl/man/config.5 deleted file mode 100644 index d08512c932..0000000000 --- a/usr.bin/openssl/man/config.5 +++ /dev/null 
@@ -1,499 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "CONFIG 5" -.TH CONFIG 5 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -config \- OpenSSL CONF library configuration files -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The OpenSSL \s-1CONF\s0 library can be used to read configuration files. -It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR -and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension -files for the \fBx509\fR utility. OpenSSL applications can also use the -\&\s-1CONF\s0 library for their own purposes. -.PP -A configuration file is divided into a number of sections. Each section -starts with a line \fB[ section_name ]\fR and ends when a new section is -started or end of file is reached. A section name can consist of -alphanumeric characters and underscores. -.PP -The first section of a configuration file is special and is referred -to as the \fBdefault\fR section this is usually unnamed and is from the -start of file until the first named section. When a name is being looked up -it is first looked up in a named section (if any) and then the -default section. -.PP -The environment is mapped onto a section called \fB\s-1ENV\s0\fR. -.PP -Comments can be included by preceding them with the \fB#\fR character -.PP -Each section in a configuration file consists of a number of name and -value pairs of the form \fBname=value\fR -.PP -The \fBname\fR string can contain any alphanumeric characters as well as -a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR. -.PP -The \fBvalue\fR string consists of the string following the \fB=\fR character -until end of line with any leading and trailing white space removed. -.PP -The value string undergoes variable expansion. This can be done by -including the form \fB\f(CB$var\fB\fR or \fB${var}\fR: this will substitute the value -of the named variable in the current section. It is also possible to -substitute a value from another section using the syntax \fB\f(CB$section::name\fB\fR -or \fB${section::name}\fR. 
By using the form \fB\f(CB$ENV::name\fB\fR environment -variables can be substituted. It is also possible to assign values to -environment variables by using the name \fBENV::name\fR, this will work -if the program looks up environment variables using the \fB\s-1CONF\s0\fR library -instead of calling \fB\f(BIgetenv()\fB\fR directly. -.PP -It is possible to escape certain characters by using any kind of quote -or the \fB\e\fR character. By making the last character of a line a \fB\e\fR -a \fBvalue\fR string can be spread across multiple lines. In addition -the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized. -.SH "OPENSSL LIBRARY CONFIGURATION" -.IX Header "OPENSSL LIBRARY CONFIGURATION" -In OpenSSL 0.9.7 and later applications can automatically configure certain -aspects of OpenSSL using the master OpenSSL configuration file, or optionally -an alternative configuration file. The \fBopenssl\fR utility includes this -functionality: any sub command uses the master OpenSSL configuration file -unless an option is used in the sub command to use an alternative configuration -file. -.PP -To enable library configuration the default section needs to contain an -appropriate line which points to the main configuration section. The default -name is \fBopenssl_conf\fR which is used by the \fBopenssl\fR utility. Other -applications may use an alternative name such as \fBmyapplicaton_conf\fR. -.PP -The configuration section should consist of a set of name value pairs which -contain specific module configuration information. The \fBname\fR represents -the name of the \fIconfiguration module\fR the meaning of the \fBvalue\fR is -module specific: it may, for example, represent a further configuration -section containing configuration module specific information. E.g. -.PP -.Vb 1 -\& openssl_conf = openssl_init -\& -\& [openssl_init] -\& -\& oid_section = new_oids -\& engines = engine_section -\& -\& [new_oids] -\& -\& ... new oids here ... 
-\& -\& [engine_section] -\& -\& ... engine stuff here ... -.Ve -.PP -The features of each configuration module are described below. -.SS "\s-1ASN1 OBJECT CONFIGURATION MODULE\s0" -.IX Subsection "ASN1 OBJECT CONFIGURATION MODULE" -This module has the name \fBoid_section\fR. The value of this variable points -to a section containing name value pairs of OIDs: the name is the \s-1OID\s0 short -and long name, the value is the numerical form of the \s-1OID.\s0 Although some of -the \fBopenssl\fR utility sub commands already have their own \s-1ASN1 OBJECT\s0 section -functionality not all do. By using the \s-1ASN1 OBJECT\s0 configuration module -\&\fBall\fR the \fBopenssl\fR utility sub commands can see the new objects as well -as any compliant applications. For example: -.PP -.Vb 1 -\& [new_oids] -\& -\& some_new_oid = 1.2.3.4 -\& some_other_oid = 1.2.3.5 -.Ve -.PP -In OpenSSL 0.9.8 it is also possible to set the value to the long name followed -by a comma and the numerical \s-1OID\s0 form. For example: -.PP -.Vb 1 -\& shortName = some object long name, 1.2.3.4 -.Ve -.SS "\s-1ENGINE CONFIGURATION MODULE\s0" -.IX Subsection "ENGINE CONFIGURATION MODULE" -This \s-1ENGINE\s0 configuration module has the name \fBengines\fR. The value of this -variable points to a section containing further \s-1ENGINE\s0 configuration -information. -.PP -The section pointed to by \fBengines\fR is a table of engine names (though see -\&\fBengine_id\fR below) and further sections containing configuration information -specific to each \s-1ENGINE.\s0 -.PP -Each \s-1ENGINE\s0 specific section is used to set default algorithms, load -dynamic, perform initialization and send ctrls. The actual operation performed -depends on the \fIcommand\fR name which is the name of the name value pair. The -currently supported commands are listed below. 
-.PP -For example: -.PP -.Vb 1 -\& [engine_section] -\& -\& # Configure ENGINE named "foo" -\& foo = foo_section -\& # Configure ENGINE named "bar" -\& bar = bar_section -\& -\& [foo_section] -\& ... foo ENGINE specific commands ... -\& -\& [bar_section] -\& ... "bar" ENGINE specific commands ... -.Ve -.PP -The command \fBengine_id\fR is used to give the \s-1ENGINE\s0 name. If used this -command must be first. For example: -.PP -.Vb 3 -\& [engine_section] -\& # This would normally handle an ENGINE named "foo" -\& foo = foo_section -\& -\& [foo_section] -\& # Override default name and use "myfoo" instead. -\& engine_id = myfoo -.Ve -.PP -The command \fBdynamic_path\fR loads and adds an \s-1ENGINE\s0 from the given path. It -is equivalent to sending the ctrls \fB\s-1SO_PATH\s0\fR with the path argument followed -by \fB\s-1LIST_ADD\s0\fR with value 2 and \fB\s-1LOAD\s0\fR to the dynamic \s-1ENGINE.\s0 If this is -not the required behaviour then alternative ctrls can be sent directly -to the dynamic \s-1ENGINE\s0 using ctrl commands. -.PP -The command \fBinit\fR determines whether to initialize the \s-1ENGINE.\s0 If the value -is \fB0\fR the \s-1ENGINE\s0 will not be initialized, if \fB1\fR and attempt it made to -initialized the \s-1ENGINE\s0 immediately. If the \fBinit\fR command is not present -then an attempt will be made to initialize the \s-1ENGINE\s0 after all commands in -its section have been processed. -.PP -The command \fBdefault_algorithms\fR sets the default algorithms an \s-1ENGINE\s0 will -supply using the functions \fB\f(BIENGINE_set_default_string()\fB\fR -.PP -If the name matches none of the above command names it is assumed to be a -ctrl command which is sent to the \s-1ENGINE.\s0 The value of the command is the -argument to the ctrl command. If the value is the string \fB\s-1EMPTY\s0\fR then no -value is sent to the command. 
-.PP -For example: -.PP -.Vb 1 -\& [engine_section] -\& -\& # Configure ENGINE named "foo" -\& foo = foo_section -\& -\& [foo_section] -\& # Load engine from DSO -\& dynamic_path = /some/path/fooengine.so -\& # A foo specific ctrl. -\& some_ctrl = some_value -\& # Another ctrl that doesn\*(Aqt take a value. -\& other_ctrl = EMPTY -\& # Supply all default algorithms -\& default_algorithms = ALL -.Ve -.SS "\s-1EVP CONFIGURATION MODULE\s0" -.IX Subsection "EVP CONFIGURATION MODULE" -This modules has the name \fBalg_section\fR which points to a section containing -algorithm commands. -.PP -Currently the only algorithm command supported is \fBfips_mode\fR whose -value should be a boolean string such as \fBon\fR or \fBoff\fR. If the value is -\&\fBon\fR this attempt to enter \s-1FIPS\s0 mode. If the call fails or the library is -not \s-1FIPS\s0 capable then an error occurs. -.PP -For example: -.PP -.Vb 1 -\& alg_section = evp_settings -\& -\& [evp_settings] -\& -\& fips_mode = on -.Ve -.SH "NOTES" -.IX Header "NOTES" -If a configuration file attempts to expand a variable that doesn't exist -then an error is flagged and the file will not load. This can happen -if an attempt is made to expand an environment variable that doesn't -exist. For example in a previous version of OpenSSL the default OpenSSL -master configuration file used the value of \fB\s-1HOME\s0\fR which may not be -defined on non Unix systems and would cause an error. -.PP -This can be worked around by including a \fBdefault\fR section to provide -a default value: then if the environment lookup fails the default value -will be used instead. For this to work properly the default value must -be defined earlier in the configuration file than the expansion. See -the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this. -.PP -If the same variable exists in the same section then all but the last -value will be silently ignored. 
In certain circumstances such as with -DNs the same field may occur multiple times. This is usually worked -around by ignoring any characters before an initial \fB.\fR e.g. -.PP -.Vb 2 -\& 1.OU="My first OU" -\& 2.OU="My Second OU" -.Ve -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Here is a sample configuration file using some of the features -mentioned above. -.PP -.Vb 1 -\& # This is the default section. -\& -\& HOME=/temp -\& RANDFILE= ${ENV::HOME}/.rnd -\& configdir=$ENV::HOME/config -\& -\& [ section_one ] -\& -\& # We are now in section one. -\& -\& # Quotes permit leading and trailing whitespace -\& any = " any variable name " -\& -\& other = A string that can \e -\& cover several lines \e -\& by including \e\e characters -\& -\& message = Hello World\en -\& -\& [ section_two ] -\& -\& greeting = $section_one::message -.Ve -.PP -This next example shows how to expand environment variables safely. -.PP -Suppose you want a variable called \fBtmpfile\fR to refer to a -temporary filename. The directory it is placed in can determined by -the the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be -set to any value at all. If you just include the environment variable -names and the variable doesn't exist then this will cause an error when -an attempt is made to load the configuration file. By making use of the -default section both values can be looked up with \fB\s-1TEMP\s0\fR taking -priority and \fB/tmp\fR used if neither is defined: -.PP -.Vb 5 -\& TMP=/tmp -\& # The above value is used if TMP isn\*(Aqt in the environment -\& TEMP=$ENV::TMP -\& # The above value is used if TEMP isn\*(Aqt in the environment -\& tmpfile=${ENV::TEMP}/tmp.filename -.Ve -.PP -Simple OpenSSL library configuration example to enter \s-1FIPS\s0 mode: -.PP -.Vb 3 -\& # Default appname: should match "appname" parameter (if any) -\& # supplied to CONF_modules_load_file et al. 
-\& openssl_conf = openssl_conf_section -\& -\& [openssl_conf_section] -\& # Configuration module list -\& alg_section = evp_sect -\& -\& [evp_sect] -\& # Set to "yes" to enter FIPS mode if supported -\& fips_mode = yes -.Ve -.PP -Note: in the above example you will get an error in non \s-1FIPS\s0 capable versions -of OpenSSL. -.PP -More complex OpenSSL library configuration. Add \s-1OID\s0 and don't enter \s-1FIPS\s0 mode: -.PP -.Vb 3 -\& # Default appname: should match "appname" parameter (if any) -\& # supplied to CONF_modules_load_file et al. -\& openssl_conf = openssl_conf_section -\& -\& [openssl_conf_section] -\& # Configuration module list -\& alg_section = evp_sect -\& oid_section = new_oids -\& -\& [evp_sect] -\& # This will have no effect as FIPS mode is off by default. -\& # Set to "yes" to enter FIPS mode, if supported -\& fips_mode = no -\& -\& [new_oids] -\& # New OID, just short name -\& newoid1 = 1.2.3.4.1 -\& # New OID shortname and long name -\& newoid2 = New OID 2 long name, 1.2.3.4.2 -.Ve -.PP -The above examples can be used with with any application supporting library -configuration if \*(L"openssl_conf\*(R" is modified to match the appropriate \*(L"appname\*(R". -.PP -For example if the second sample file above is saved to \*(L"example.cnf\*(R" then -the command line: -.PP -.Vb 1 -\& OPENSSL_CONF=example.cnf openssl asn1parse \-genstr OID:1.2.3.4.1 -.Ve -.PP -will output: -.PP -.Vb 1 -\& 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1 -.Ve -.PP -showing that the \s-1OID \s0\*(L"newoid1\*(R" has been added as \*(L"1.2.3.4.1\*(R". -.SH "BUGS" -.IX Header "BUGS" -Currently there is no way to include characters using the octal \fB\ennn\fR -form. Strings are all null terminated so nulls cannot form part of -the value. -.PP -The escaping isn't quite right: if you want to use sequences like \fB\en\fR -you can't use any quote escaping on the same line. -.PP -Files are loaded in a single pass. 
This means that an variable expansion -will only work if the variables referenced are defined earlier in the -file. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIx509\fR\|(1), \fIreq\fR\|(1), \fIca\fR\|(1) diff --git a/usr.bin/openssl/man/crl.1 b/usr.bin/openssl/man/crl.1 deleted file mode 100644 index 0e2a89b293..0000000000 --- a/usr.bin/openssl/man/crl.1 +++ /dev/null 
@@ -1,245 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "CRL 1" -.TH CRL 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -crl \- CRL utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBcrl\fR -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-text\fR] -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-nameopt option\fR] -[\fB\-noout\fR] -[\fB\-hash\fR] -[\fB\-issuer\fR] -[\fB\-lastupdate\fR] -[\fB\-nextupdate\fR] -[\fB\-CAfile file\fR] -[\fB\-CApath dir\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0 -structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of -the \s-1DER\s0 form with header and footer lines. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read from or standard input if this -option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -specifies the output filename to write to or standard output by -default. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -print out the \s-1CRL\s0 in text form. -.IP "\fB\-nameopt option\fR" 4 -.IX Item "-nameopt option" -option which determines how the subject or issuer names are displayed. See -the description of \fB\-nameopt\fR in \fIx509\fR\|(1). -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -don't output the encoded version of the \s-1CRL.\s0 -.IP "\fB\-hash\fR" 4 -.IX Item "-hash" -output a hash of the issuer name. This can be use to lookup CRLs in -a directory by issuer name. -.IP "\fB\-hash_old\fR" 4 -.IX Item "-hash_old" -outputs the \*(L"hash\*(R" of the \s-1CRL\s0 issuer name using the older algorithm -as used by OpenSSL versions before 1.0.0. 
-.IP "\fB\-issuer\fR" 4 -.IX Item "-issuer" -output the issuer name. -.IP "\fB\-lastupdate\fR" 4 -.IX Item "-lastupdate" -output the lastUpdate field. -.IP "\fB\-nextupdate\fR" 4 -.IX Item "-nextupdate" -output the nextUpdate field. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in -\&\fBfile\fR -.IP "\fB\-CApath dir\fR" 4 -.IX Item "-CApath dir" -verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in -\&\fBdir\fR. This directory must be a standard certificate directory: that -is a hash of each subject name (using \fBx509 \-hash\fR) should be linked -to each certificate. -.SH "NOTES" -.IX Header "NOTES" -The \s-1PEM CRL\s0 format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN X509 CRL\-\-\-\-\- -\& \-\-\-\-\-END X509 CRL\-\-\-\-\- -.Ve -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0 -.PP -.Vb 1 -\& openssl crl \-in crl.pem \-outform DER \-out crl.der -.Ve -.PP -Output the text form of a \s-1DER\s0 encoded certificate: -.PP -.Vb 1 -\& openssl crl \-in crl.der \-text \-noout -.Ve -.SH "BUGS" -.IX Header "BUGS" -Ideally it should be possible to create a \s-1CRL\s0 using appropriate options -and files too. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIcrl2pkcs7\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1) diff --git a/usr.bin/openssl/man/crl2pkcs7.1 b/usr.bin/openssl/man/crl2pkcs7.1 deleted file mode 100644 index a6ab2e98f9..0000000000 --- a/usr.bin/openssl/man/crl2pkcs7.1 +++ /dev/null 
@@ -1,215 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "CRL2PKCS7 1" -.TH CRL2PKCS7 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates. 
-.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBcrl2pkcs7\fR -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-certfile filename\fR] -[\fB\-nocrl\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBcrl2pkcs7\fR command takes an optional \s-1CRL\s0 and one or more -certificates and converts them into a PKCS#7 degenerate \*(L"certificates -only\*(R" structure. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0 -structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of -the \s-1DER\s0 form with header and footer lines. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0 -encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of -the \s-1DER\s0 form with header and footer lines. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a \s-1CRL\s0 from or standard input if this -option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -specifies the output filename to write the PKCS#7 structure to or standard -output by default. -.IP "\fB\-certfile filename\fR" 4 -.IX Item "-certfile filename" -specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format. -All certificates in the file will be added to the PKCS#7 structure. This -option can be used more than once to read certificates form multiple -files. -.IP "\fB\-nocrl\fR" 4 -.IX Item "-nocrl" -normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is -included in the output file and a \s-1CRL\s0 is not read from the input file. 
-.SH "EXAMPLES" -.IX Header "EXAMPLES" -Create a PKCS#7 structure from a certificate and \s-1CRL:\s0 -.PP -.Vb 1 -\& openssl crl2pkcs7 \-in crl.pem \-certfile cert.pem \-out p7.pem -.Ve -.PP -Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several -different certificates: -.PP -.Vb 2 -\& openssl crl2pkcs7 \-nocrl \-certfile newcert.pem -\& \-certfile demoCA/cacert.pem \-outform DER \-out p7.der -.Ve -.SH "NOTES" -.IX Header "NOTES" -The output file is a PKCS#7 signed data structure containing no signers and -just certificates and an optional \s-1CRL.\s0 -.PP -This utility can be used to send certificates and CAs to Netscape as part of -the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output -as \s-1MIME\s0 type application/x\-x509\-user\-cert. -.PP -The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can be used to -install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIpkcs7\fR\|(1) diff --git a/usr.bin/openssl/man/dgst.1 b/usr.bin/openssl/man/dgst.1 deleted file mode 100644 index 3cccadc904..0000000000 --- a/usr.bin/openssl/man/dgst.1 +++ /dev/null 
@@ -1,307 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "DGST 1" -.TH DGST 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l
-.nh
-.SH "NAME"
-dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 \- message digests
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBdgst\fR
-[\fB\-sha|\-sha1|\-mdc2|\-ripemd160|\-sha224|\-sha256|\-sha384|\-sha512|\-md2|\-md4|\-md5|\-dss1\fR]
-[\fB\-c\fR]
-[\fB\-d\fR]
-[\fB\-hex\fR]
-[\fB\-binary\fR]
-[\fB\-r\fR]
-[\fB\-non\-fips\-allow\fR]
-[\fB\-out filename\fR]
-[\fB\-sign filename\fR]
-[\fB\-keyform arg\fR]
-[\fB\-passin arg\fR]
-[\fB\-verify filename\fR]
-[\fB\-prverify filename\fR]
-[\fB\-signature filename\fR]
-[\fB\-hmac key\fR]
-[\fB\-non\-fips\-allow\fR]
-[\fB\-fips\-fingerprint\fR]
-[\fBfile...\fR]
-.PP
-\&\fBopenssl\fR
-[\fIdigest\fR]
-[\fB...\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The digest functions output the message digest of a supplied file or files
-in hexadecimal. The digest functions also generate and verify digital
-signatures using message digests.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.IP "\fB\-c\fR" 4
-.IX Item "-c"
-print out the digest in two digit groups separated by colons, only relevant if
-\&\fBhex\fR format output is used.
-.IP "\fB\-d\fR" 4
-.IX Item "-d"
-print out \s-1BIO\s0 debugging information.
-.IP "\fB\-hex\fR" 4
-.IX Item "-hex"
-digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R"
-digest as opposed to a digital signature. See \s-1NOTES\s0 below for digital
-signatures using \fB\-hex\fR.
-.IP "\fB\-binary\fR" 4
-.IX Item "-binary"
-output the digest or signature in binary form.
-.IP "\fB\-r\fR" 4
-.IX Item "-r"
-output the digest in the \*(L"coreutils\*(R" format used by programs like \fBsha1sum\fR.
-.IP "\fB\-non\-fips\-allow\fR" 4
-.IX Item "-non-fips-allow"
-Allow use of non \s-1FIPS\s0 digest when in \s-1FIPS\s0 mode. This has no effect when not in
-\&\s-1FIPS\s0 mode.
-.IP "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-filename to output to, or standard output by default.
-.IP "\fB\-sign filename\fR" 4
-.IX Item "-sign filename"
-digitally sign the digest using the private key in \*(L"filename\*(R".
-.IP "\fB\-keyform arg\fR" 4
-.IX Item "-keyform arg"
-Specifies the key format to sign digest with. The \s-1DER, PEM, P12,\s0
-and \s-1ENGINE\s0 formats are supported.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Use engine \fBid\fR for operations (including private key storage).
-This engine is not used as source for digest algorithms, unless it is
-also specified in the configuration file.
-.IP "\fB\-sigopt nm:v\fR" 4
-.IX Item "-sigopt nm:v"
-Pass options to the signature algorithm during sign or verify operations.
-Names and values of these options are algorithm-specific.
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
-.IP "\fB\-verify filename\fR" 4
-.IX Item "-verify filename"
-verify the signature using the the public key in \*(L"filename\*(R".
-The output is either \*(L"Verification \s-1OK\*(R"\s0 or \*(L"Verification Failure\*(R".
-.IP "\fB\-prverify filename\fR" 4
-.IX Item "-prverify filename"
-verify the signature using the the private key in \*(L"filename\*(R".
-.IP "\fB\-signature filename\fR" 4
-.IX Item "-signature filename"
-the actual signature to verify.
-.IP "\fB\-hmac key\fR" 4
-.IX Item "-hmac key"
-create a hashed \s-1MAC\s0 using \*(L"key\*(R".
-.IP "\fB\-mac alg\fR" 4
-.IX Item "-mac alg"
-create \s-1MAC \s0(keyed Message Authentication Code). The most popular \s-1MAC\s0
-algorithm is \s-1HMAC \s0(hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
-which are not based on hash, for instance \fBgost-mac\fR algorithm,
-supported by \fBccgost\fR engine. \s-1MAC\s0 keys and other options should be set
-via \fB\-macopt\fR parameter.
-.IP "\fB\-macopt nm:v\fR" 4
-.IX Item "-macopt nm:v"
-Passes options to \s-1MAC\s0 algorithm, specified by \fB\-mac\fR key.
-Following options are supported by both by \fB\s-1HMAC\s0\fR and \fBgost-mac\fR:
-.RS 4
-.IP "\fBkey:string\fR" 8
-.IX Item "key:string"
-Specifies \s-1MAC\s0 key as alphnumeric string (use if key contain printable
-characters only). String length must conform to any restrictions of
-the \s-1MAC\s0 algorithm for example exactly 32 chars for gost-mac.
-.IP "\fBhexkey:string\fR" 8
-.IX Item "hexkey:string"
-Specifies \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
-Key length must conform to any restrictions of the \s-1MAC\s0 algorithm
-for example exactly 32 chars for gost-mac.
-.RE
-.RS 4
-.RE
-.IP "\fB\-rand file(s)\fR" 4
-.IX Item "-rand file(s)"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "\fB\-non\-fips\-allow\fR" 4
-.IX Item "-non-fips-allow"
-enable use of non-FIPS algorithms such as \s-1MD5\s0 even in \s-1FIPS\s0 mode.
-.IP "\fB\-fips\-fingerprint\fR" 4
-.IX Item "-fips-fingerprint"
-compute \s-1HMAC\s0 using a specific key
-for certain OpenSSL-FIPS operations.
-.IP "\fBfile...\fR" 4
-.IX Item "file..."
-file or files to digest. If no files are specified then standard input is
-used.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-To create a hex-encoded message digest of a file:
- openssl dgst \-md5 \-hex file.txt
-.PP
-To sign a file using \s-1SHA\-256\s0 with binary file output:
- openssl dgst \-sha256 \-sign privatekey.pem \-out signature.sign file.txt
-.PP
-To verify a signature:
- openssl dgst \-sha256 \-verify publickey.pem \e
- \-signature signature.sign \e
- file.txt
-.SH "NOTES"
-.IX Header "NOTES"
-The digest of choice for all new applications is \s-1SHA1.\s0 Other digests are
-however still widely used.
-.PP
-When signing a file, \fBdgst\fR will automatically determine the algorithm
-(\s-1RSA, ECC,\s0 etc) to use for signing based on the private key's \s-1ASN.1\s0 info.
-When verifying signatures, it only handles the \s-1RSA, DSA,\s0 or \s-1ECDSA\s0 signature
-itself, not the related data to identify the signer and algorithm used in
-formats such as x.509, \s-1CMS,\s0 and S/MIME.
-.PP
-A source of random numbers is required for certain signing algorithms, in
-particular \s-1ECDSA\s0 and \s-1DSA.\s0
-.PP
-The signing and verify options should only be used if a single file is
-being signed or verified.
-.PP
-Hex signatures cannot be verified using \fBopenssl\fR. Instead, use \*(L"xxd \-r\*(R"
-or similar program to transform the hex signature into a binary signature
-prior to verification.
diff --git a/usr.bin/openssl/man/dhparam.1 b/usr.bin/openssl/man/dhparam.1
deleted file mode 100644
index a988f5498e..0000000000
--- a/usr.bin/openssl/man/dhparam.1
+++ /dev/null
@@ -1,262 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "DHPARAM 1" -.TH DHPARAM 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -dhparam \- DH parameter manipulation and generation -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl dhparam\fR -[\fB\-inform DER|PEM\fR] -[\fB\-outform DER|PEM\fR] -[\fB\-in\fR \fIfilename\fR] -[\fB\-out\fR \fIfilename\fR] -[\fB\-dsaparam\fR] -[\fB\-check\fR] -[\fB\-noout\fR] -[\fB\-text\fR] -[\fB\-C\fR] -[\fB\-2\fR] -[\fB\-5\fR] -[\fB\-rand\fR \fIfile(s)\fR] -[\fB\-engine id\fR] -[\fInumbits\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This command is used to manipulate \s-1DH\s0 parameter files. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded -form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the -default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with -additional header and footer lines. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in\fR \fIfilename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read parameters from or standard input if -this option is not specified. -.IP "\fB\-out\fR \fIfilename\fR" 4 -.IX Item "-out filename" -This specifies the output filename parameters to. Standard output is used -if this option is not present. The output filename should \fBnot\fR be the same -as the input filename. -.IP "\fB\-dsaparam\fR" 4 -.IX Item "-dsaparam" -If this option is used, \s-1DSA\s0 rather than \s-1DH\s0 parameters are read or created; -they are converted to \s-1DH\s0 format. Otherwise, \*(L"strong\*(R" primes (such -that (p\-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation. -.Sp -\&\s-1DH\s0 parameter generation with the \fB\-dsaparam\fR option is much faster, -and the recommended exponent length is shorter, which makes \s-1DH\s0 key -exchange more efficient. 
Beware that with such DSA-style \s-1DH\s0 -parameters, a fresh \s-1DH\s0 key should be created for each use to -avoid small-subgroup attacks that may be possible otherwise. -.IP "\fB\-check\fR" 4 -.IX Item "-check" -check if the parameters are valid primes and generator. -.IP "\fB\-2\fR, \fB\-5\fR" 4 -.IX Item "-2, -5" -The generator to use, either 2 or 5. If present then the -input file is ignored and parameters are generated instead. If not -present but \fBnumbits\fR is present, parameters are generated with the -default generator 2. -.IP "\fB\-rand\fR \fIfile(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fInumbits\fR" 4 -.IX Item "numbits" -this option specifies that a parameter set should be generated of size -\&\fInumbits\fR. It must be the last option. If this option is present then -the input file is ignored and parameters are generated instead. If -this option is not present but a generator (\fB\-2\fR or \fB\-5\fR) is -present, parameters are generated with a default length of 2048 bits. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -this option inhibits the output of the encoded version of the parameters. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -this option prints out the \s-1DH\s0 parameters in human readable form. -.IP "\fB\-C\fR" 4 -.IX Item "-C" -this option converts the parameters into C code. The parameters can then -be loaded by calling the \fBget_dh\fR\fInumbits\fR\fB()\fR function. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBdhparam\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. 
The engine will then be set as the default -for all available algorithms. -.SH "WARNINGS" -.IX Header "WARNINGS" -The program \fBdhparam\fR combines the functionality of the programs \fBdh\fR and -\&\fBgendh\fR in previous versions of OpenSSL and SSLeay. The \fBdh\fR and \fBgendh\fR -programs are retained for now but may have different purposes in future -versions of OpenSSL. -.SH "NOTES" -.IX Header "NOTES" -\&\s-1PEM\s0 format \s-1DH\s0 parameters use the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN DH PARAMETERS\-\-\-\-\- -\& \-\-\-\-\-END DH PARAMETERS\-\-\-\-\- -.Ve -.PP -OpenSSL currently only supports the older PKCS#3 \s-1DH,\s0 not the newer X9.42 -\&\s-1DH.\s0 -.PP -This program manipulates \s-1DH\s0 parameters not keys. -.SH "BUGS" -.IX Header "BUGS" -There should be a way to generate and manipulate \s-1DH\s0 keys. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIdsaparam\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The \fBdhparam\fR command was added in OpenSSL 0.9.5. -The \fB\-dsaparam\fR option was added in OpenSSL 0.9.6. diff --git a/usr.bin/openssl/man/dsa.1 b/usr.bin/openssl/man/dsa.1 deleted file mode 100644 index 40881fbea7..0000000000 --- a/usr.bin/openssl/man/dsa.1 +++ /dev/null 
@@ -1,291 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "DSA 1" -.TH DSA 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -dsa \- DSA key processing -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBdsa\fR -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-passin arg\fR] -[\fB\-out filename\fR] -[\fB\-passout arg\fR] -[\fB\-aes128\fR] -[\fB\-aes192\fR] -[\fB\-aes256\fR] -[\fB\-camellia128\fR] -[\fB\-camellia192\fR] -[\fB\-camellia256\fR] -[\fB\-des\fR] -[\fB\-des3\fR] -[\fB\-idea\fR] -[\fB\-text\fR] -[\fB\-noout\fR] -[\fB\-modulus\fR] -[\fB\-pubin\fR] -[\fB\-pubout\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBdsa\fR command processes \s-1DSA\s0 keys. They can be converted between various -forms and their components printed out. \fBNote\fR This command uses the -traditional SSLeay compatible format for private key encryption: newer -applications should use the more secure PKCS#8 format using the \fBpkcs8\fR -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses -an \s-1ASN1 DER\s0 encoded form of an \s-1ASN.1 SEQUENCE\s0 consisting of the values of -version (currently zero), p, q, g, the public and private key components -respectively as \s-1ASN.1\s0 INTEGERs. When used with a public key it uses a -SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA.\s0 -.Sp -The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 -encoded with additional header and footer lines. In the case of a private key -PKCS#8 format is also accepted. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a key from or standard input if this -option is not specified. 
If the key is encrypted a pass phrase will be -prompted for. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write a key to or standard output by -is not specified. If any encryption options are set then a pass phrase will be -prompted for. The output filename should \fBnot\fR be the same as the input -filename. -.IP "\fB\-passout arg\fR" 4 -.IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4 -.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea" -These options encrypt the private key with the specified -cipher before outputting it. A pass phrase is prompted for. -If none of these options is specified the key is written in plain text. This -means that using the \fBdsa\fR utility to read in an encrypted key with no -encryption option can be used to remove the pass phrase from a key, or by -setting the encryption options it can be use to add or change the pass phrase. -These options can only be used with \s-1PEM\s0 format output files. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -prints out the public, private key components and parameters. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -this option prevents output of the encoded version of the key. -.IP "\fB\-modulus\fR" 4 -.IX Item "-modulus" -this option prints out the value of the public key component of the key. -.IP "\fB\-pubin\fR" 4 -.IX Item "-pubin" -by default a private key is read from the input file: with this option a -public key is read instead. 
-.IP "\fB\-pubout\fR" 4 -.IX Item "-pubout" -by default a private key is output. With this option a public -key will be output instead. This option is automatically set if the input is -a public key. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBdsa\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.SH "NOTES" -.IX Header "NOTES" -The \s-1PEM\s0 private key format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\- -\& \-\-\-\-\-END DSA PRIVATE KEY\-\-\-\-\- -.Ve -.PP -The \s-1PEM\s0 public key format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\- -\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\- -.Ve -.SH "EXAMPLES" -.IX Header "EXAMPLES" -To remove the pass phrase on a \s-1DSA\s0 private key: -.PP -.Vb 1 -\& openssl dsa \-in key.pem \-out keyout.pem -.Ve -.PP -To encrypt a private key using triple \s-1DES:\s0 -.PP -.Vb 1 -\& openssl dsa \-in key.pem \-des3 \-out keyout.pem -.Ve -.PP -To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: -.PP -.Vb 1 -\& openssl dsa \-in key.pem \-outform DER \-out keyout.der -.Ve -.PP -To print out the components of a private key to standard output: -.PP -.Vb 1 -\& openssl dsa \-in key.pem \-text \-noout -.Ve -.PP -To just output the public part of a private key: -.PP -.Vb 1 -\& openssl dsa \-in key.pem \-pubout \-out pubkey.pem -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIdsaparam\fR\|(1), \fIgendsa\fR\|(1), \fIrsa\fR\|(1), -\&\fIgenrsa\fR\|(1) diff --git a/usr.bin/openssl/man/dsaparam.1 b/usr.bin/openssl/man/dsaparam.1 deleted file mode 100644 index e146b39a62..0000000000 --- a/usr.bin/openssl/man/dsaparam.1 +++ /dev/null 
@@ -1,228 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "DSAPARAM 1" -.TH DSAPARAM 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -dsaparam \- DSA parameter manipulation and generation -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl dsaparam\fR -[\fB\-inform DER|PEM\fR] -[\fB\-outform DER|PEM\fR] -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-noout\fR] -[\fB\-text\fR] -[\fB\-C\fR] -[\fB\-rand file(s)\fR] -[\fB\-genkey\fR] -[\fB\-engine id\fR] -[\fBnumbits\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This command is used to manipulate or generate \s-1DSA\s0 parameter files. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded -form compatible with \s-1RFC2459 \s0(\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting -of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists -of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read parameters from or standard input if -this option is not specified. If the \fBnumbits\fR parameter is included then -this option will be ignored. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename parameters to. Standard output is used -if this option is not present. The output filename should \fBnot\fR be the same -as the input filename. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -this option inhibits the output of the encoded version of the parameters. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -this option prints out the \s-1DSA\s0 parameters in human readable form. -.IP "\fB\-C\fR" 4 -.IX Item "-C" -this option converts the parameters into C code. 
The parameters can then -be loaded by calling the \fB\f(BIget_dsaXXX()\fB\fR function. -.IP "\fB\-genkey\fR" 4 -.IX Item "-genkey" -this option will generate a \s-1DSA\s0 either using the specified or generated -parameters. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fBnumbits\fR" 4 -.IX Item "numbits" -this option specifies that a parameter set should be generated of size -\&\fBnumbits\fR. It must be the last option. If this option is included then -the input file (if any) is ignored. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBdsaparam\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.SH "NOTES" -.IX Header "NOTES" -\&\s-1PEM\s0 format \s-1DSA\s0 parameters use the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN DSA PARAMETERS\-\-\-\-\- -\& \-\-\-\-\-END DSA PARAMETERS\-\-\-\-\- -.Ve -.PP -\&\s-1DSA\s0 parameter generation is a slow process and as a result the same set of -\&\s-1DSA\s0 parameters is often used to generate several distinct keys. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIgendsa\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), -\&\fIrsa\fR\|(1) diff --git a/usr.bin/openssl/man/ec.1 b/usr.bin/openssl/man/ec.1 deleted file mode 100644 index e16cc5b0fe..0000000000 --- a/usr.bin/openssl/man/ec.1 +++ /dev/null 
@@ -1,315 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "EC 1" -.TH EC 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -ec \- EC key processing -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBec\fR -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-passin arg\fR] -[\fB\-out filename\fR] -[\fB\-passout arg\fR] -[\fB\-des\fR] -[\fB\-des3\fR] -[\fB\-idea\fR] -[\fB\-text\fR] -[\fB\-noout\fR] -[\fB\-param_out\fR] -[\fB\-pubin\fR] -[\fB\-pubout\fR] -[\fB\-conv_form arg\fR] -[\fB\-param_enc arg\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBec\fR command processes \s-1EC\s0 keys. They can be converted between various -forms and their components printed out. \fBNote\fR OpenSSL uses the -private key format specified in '\s-1SEC 1:\s0 Elliptic Curve Cryptography' -(http://www.secg.org/). To convert a OpenSSL \s-1EC\s0 private key into the -PKCS#8 private key format use the \fBpkcs8\fR command. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses -an \s-1ASN.1 DER\s0 encoded \s-1SEC1\s0 private key. When used with a public key it -uses the SubjectPublicKeyInfo structure as specified in \s-1RFC 3280.\s0 -The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 -encoded with additional header and footer lines. In the case of a private key -PKCS#8 format is also accepted. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a key from or standard input if this -option is not specified. If the key is encrypted a pass phrase will be -prompted for. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the input file password source. 
For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write a key to or standard output by -is not specified. If any encryption options are set then a pass phrase will be -prompted for. The output filename should \fBnot\fR be the same as the input -filename. -.IP "\fB\-passout arg\fR" 4 -.IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-des|\-des3|\-idea\fR" 4 -.IX Item "-des|-des3|-idea" -These options encrypt the private key with the \s-1DES,\s0 triple \s-1DES, IDEA\s0 or -any other cipher supported by OpenSSL before outputting it. A pass phrase is -prompted for. -If none of these options is specified the key is written in plain text. This -means that using the \fBec\fR utility to read in an encrypted key with no -encryption option can be used to remove the pass phrase from a key, or by -setting the encryption options it can be use to add or change the pass phrase. -These options can only be used with \s-1PEM\s0 format output files. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -prints out the public, private key components and parameters. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -this option prevents output of the encoded version of the key. -.IP "\fB\-modulus\fR" 4 -.IX Item "-modulus" -this option prints out the value of the public key component of the key. -.IP "\fB\-pubin\fR" 4 -.IX Item "-pubin" -by default a private key is read from the input file: with this option a -public key is read instead. -.IP "\fB\-pubout\fR" 4 -.IX Item "-pubout" -by default a private key is output. With this option a public -key will be output instead. This option is automatically set if the input is -a public key. 
-.IP "\fB\-conv_form\fR" 4 -.IX Item "-conv_form" -This specifies how the points on the elliptic curve are converted -into octet strings. Possible values are: \fBcompressed\fR (the default -value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding -the point conversion forms please read the X9.62 standard. -\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled -by default for binary curves and can be enabled by defining -the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time. -.IP "\fB\-param_enc arg\fR" 4 -.IX Item "-param_enc arg" -This specifies how the elliptic curve parameters are encoded. -Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are -specified by a \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are -explicitly given (see \s-1RFC 3279\s0 for the definition of the -\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR. -\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC 3279,\s0 -is currently not implemented in OpenSSL. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBec\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. 
-.SH "NOTES" -.IX Header "NOTES" -The \s-1PEM\s0 private key format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\- -\& \-\-\-\-\-END EC PRIVATE KEY\-\-\-\-\- -.Ve -.PP -The \s-1PEM\s0 public key format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\- -\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\- -.Ve -.SH "EXAMPLES" -.IX Header "EXAMPLES" -To encrypt a private key using triple \s-1DES:\s0 -.PP -.Vb 1 -\& openssl ec \-in key.pem \-des3 \-out keyout.pem -.Ve -.PP -To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: -.PP -.Vb 1 -\& openssl ec \-in key.pem \-outform DER \-out keyout.der -.Ve -.PP -To print out the components of a private key to standard output: -.PP -.Vb 1 -\& openssl ec \-in key.pem \-text \-noout -.Ve -.PP -To just output the public part of a private key: -.PP -.Vb 1 -\& openssl ec \-in key.pem \-pubout \-out pubkey.pem -.Ve -.PP -To change the parameters encoding to \fBexplicit\fR: -.PP -.Vb 1 -\& openssl ec \-in key.pem \-param_enc explicit \-out keyout.pem -.Ve -.PP -To change the point conversion form to \fBcompressed\fR: -.PP -.Vb 1 -\& openssl ec \-in key.pem \-conv_form compressed \-out keyout.pem -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIecparam\fR\|(1), \fIdsa\fR\|(1), \fIrsa\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The ec command was first introduced in OpenSSL 0.9.8. -.SH "AUTHOR" -.IX Header "AUTHOR" -Nils Larsch for the OpenSSL project (http://www.openssl.org). diff --git a/usr.bin/openssl/man/ecparam.1 b/usr.bin/openssl/man/ecparam.1 deleted file mode 100644 index 804e3c9804..0000000000 --- a/usr.bin/openssl/man/ecparam.1 +++ /dev/null 
@@ -1,301 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "ECPARAM 1" -.TH ECPARAM 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -ecparam \- EC parameter manipulation and generation -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl ecparam\fR -[\fB\-inform DER|PEM\fR] -[\fB\-outform DER|PEM\fR] -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-noout\fR] -[\fB\-text\fR] -[\fB\-C\fR] -[\fB\-check\fR] -[\fB\-name arg\fR] -[\fB\-list_curves\fR] -[\fB\-conv_form arg\fR] -[\fB\-param_enc arg\fR] -[\fB\-no_seed\fR] -[\fB\-rand file(s)\fR] -[\fB\-genkey\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This command is used to manipulate or generate \s-1EC\s0 parameter files. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN.1 DER\s0 encoded -form compatible with \s-1RFC 3279\s0 EcpkParameters. The \s-1PEM\s0 form is the default -format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional -header and footer lines. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read parameters from or standard input if -this option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename parameters to. Standard output is used -if this option is not present. The output filename should \fBnot\fR be the same -as the input filename. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -This option inhibits the output of the encoded version of the parameters. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -This option prints out the \s-1EC\s0 parameters in human readable form. -.IP "\fB\-C\fR" 4 -.IX Item "-C" -This option converts the \s-1EC\s0 parameters into C code. The parameters can then -be loaded by calling the \fB\f(BIget_ec_group_XXX()\fB\fR function. 
-.IP "\fB\-check\fR" 4 -.IX Item "-check" -Validate the elliptic curve parameters. -.IP "\fB\-name arg\fR" 4 -.IX Item "-name arg" -Use the \s-1EC\s0 parameters with the specified 'short' name. Use \fB\-list_curves\fR -to get a list of all currently implemented \s-1EC\s0 parameters. -.IP "\fB\-list_curves\fR" 4 -.IX Item "-list_curves" -If this options is specified \fBecparam\fR will print out a list of all -currently implemented \s-1EC\s0 parameters names and exit. -.IP "\fB\-conv_form\fR" 4 -.IX Item "-conv_form" -This specifies how the points on the elliptic curve are converted -into octet strings. Possible values are: \fBcompressed\fR (the default -value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding -the point conversion forms please read the X9.62 standard. -\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled -by default for binary curves and can be enabled by defining -the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time. -.IP "\fB\-param_enc arg\fR" 4 -.IX Item "-param_enc arg" -This specifies how the elliptic curve parameters are encoded. -Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are -specified by a \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are -explicitly given (see \s-1RFC 3279\s0 for the definition of the -\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR. -\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC 3279,\s0 -is currently not implemented in OpenSSL. -.IP "\fB\-no_seed\fR" 4 -.IX Item "-no_seed" -This option inhibits that the 'seed' for the parameter generation -is included in the ECParameters structure (see \s-1RFC 3279\s0). -.IP "\fB\-genkey\fR" 4 -.IX Item "-genkey" -This option will generate a \s-1EC\s0 private key using the specified parameters. 
-.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBecparam\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.SH "NOTES" -.IX Header "NOTES" -\&\s-1PEM\s0 format \s-1EC\s0 parameters use the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN EC PARAMETERS\-\-\-\-\- -\& \-\-\-\-\-END EC PARAMETERS\-\-\-\-\- -.Ve -.PP -OpenSSL is currently not able to generate new groups and therefore -\&\fBecparam\fR can only create \s-1EC\s0 parameters from known (named) curves. 
-.SH "EXAMPLES" -.IX Header "EXAMPLES" -To create \s-1EC\s0 parameters with the group 'prime192v1': -.PP -.Vb 1 -\& openssl ecparam \-out ec_param.pem \-name prime192v1 -.Ve -.PP -To create \s-1EC\s0 parameters with explicit parameters: -.PP -.Vb 1 -\& openssl ecparam \-out ec_param.pem \-name prime192v1 \-param_enc explicit -.Ve -.PP -To validate given \s-1EC\s0 parameters: -.PP -.Vb 1 -\& openssl ecparam \-in ec_param.pem \-check -.Ve -.PP -To create \s-1EC\s0 parameters and a private key: -.PP -.Vb 1 -\& openssl ecparam \-out ec_key.pem \-name prime192v1 \-genkey -.Ve -.PP -To change the point encoding to 'compressed': -.PP -.Vb 1 -\& openssl ecparam \-in ec_in.pem \-out ec_out.pem \-conv_form compressed -.Ve -.PP -To print out the \s-1EC\s0 parameters to standard output: -.PP -.Vb 1 -\& openssl ecparam \-in ec_param.pem \-noout \-text -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIec\fR\|(1), \fIdsaparam\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The ecparam command was first introduced in OpenSSL 0.9.8. -.SH "AUTHOR" -.IX Header "AUTHOR" -Nils Larsch for the OpenSSL project (http://www.openssl.org) diff --git a/usr.bin/openssl/man/enc.1 b/usr.bin/openssl/man/enc.1 deleted file mode 100644 index 928f07f29e..0000000000 --- a/usr.bin/openssl/man/enc.1 +++ /dev/null 
@@ -1,449 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "ENC 1" -.TH ENC 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -enc \- symmetric cipher routines -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl enc \-ciphername\fR -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-pass arg\fR] -[\fB\-e\fR] -[\fB\-d\fR] -[\fB\-a/\-base64\fR] -[\fB\-A\fR] -[\fB\-k password\fR] -[\fB\-kfile filename\fR] -[\fB\-K key\fR] -[\fB\-iv \s-1IV\s0\fR] -[\fB\-S salt\fR] -[\fB\-salt\fR] -[\fB\-nosalt\fR] -[\fB\-z\fR] -[\fB\-md\fR] -[\fB\-p\fR] -[\fB\-P\fR] -[\fB\-bufsize number\fR] -[\fB\-nopad\fR] -[\fB\-debug\fR] -[\fB\-none\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The symmetric cipher commands allow data to be encrypted or decrypted -using various block and stream ciphers using keys based on passwords -or explicitly provided. Base64 encoding or decoding can also be performed -either by itself or in addition to the encryption or decryption. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -the input filename, standard input by default. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -the output filename, standard output by default. -.IP "\fB\-pass arg\fR" 4 -.IX Item "-pass arg" -the password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-salt\fR" 4 -.IX Item "-salt" -use a salt in the key derivation routines. This is the default. -.IP "\fB\-nosalt\fR" 4 -.IX Item "-nosalt" -don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be -used except for test purposes or compatibility with ancient versions of OpenSSL -and SSLeay. -.IP "\fB\-e\fR" 4 -.IX Item "-e" -encrypt the input data: this is the default. -.IP "\fB\-d\fR" 4 -.IX Item "-d" -decrypt the input data. -.IP "\fB\-a\fR" 4 -.IX Item "-a" -base64 process the data. This means that if encryption is taking place -the data is base64 encoded after encryption. 
If decryption is set then -the input data is base64 decoded before being decrypted. -.IP "\fB\-base64\fR" 4 -.IX Item "-base64" -same as \fB\-a\fR -.IP "\fB\-A\fR" 4 -.IX Item "-A" -if the \fB\-a\fR option is set then base64 process the data on one line. -.IP "\fB\-k password\fR" 4 -.IX Item "-k password" -the password to derive the key from. This is for compatibility with previous -versions of OpenSSL. Superseded by the \fB\-pass\fR argument. -.IP "\fB\-kfile filename\fR" 4 -.IX Item "-kfile filename" -read the password to derive the key from the first line of \fBfilename\fR. -This is for compatibility with previous versions of OpenSSL. Superseded by -the \fB\-pass\fR argument. -.IP "\fB\-nosalt\fR" 4 -.IX Item "-nosalt" -do not use a salt -.IP "\fB\-salt\fR" 4 -.IX Item "-salt" -use salt (randomly generated or provide with \fB\-S\fR option) when -encrypting (this is the default). -.IP "\fB\-S salt\fR" 4 -.IX Item "-S salt" -the actual salt to use: this must be represented as a string of hex digits. -.IP "\fB\-K key\fR" 4 -.IX Item "-K key" -the actual key to use: this must be represented as a string comprised only -of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified -using the \fB\-iv\fR option. When both a key and a password are specified, the -key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the -password will be taken. It probably does not make much sense to specify -both key and password. -.IP "\fB\-iv \s-1IV\s0\fR" 4 -.IX Item "-iv IV" -the actual \s-1IV\s0 to use: this must be represented as a string comprised only -of hex digits. When only the key is specified using the \fB\-K\fR option, the -\&\s-1IV\s0 must explicitly be defined. When a password is being specified using -one of the other options, the \s-1IV\s0 is generated from this password. -.IP "\fB\-p\fR" 4 -.IX Item "-p" -print out the key and \s-1IV\s0 used. 
-.IP "\fB\-P\fR" 4 -.IX Item "-P" -print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption -or decryption. -.IP "\fB\-bufsize number\fR" 4 -.IX Item "-bufsize number" -set the buffer size for I/O -.IP "\fB\-nopad\fR" 4 -.IX Item "-nopad" -disable standard block padding -.IP "\fB\-debug\fR" 4 -.IX Item "-debug" -debug the BIOs used for I/O. -.IP "\fB\-z\fR" 4 -.IX Item "-z" -Compress or decompress clear text using zlib before encryption or after -decryption. This option exists only if OpenSSL with compiled with zlib -or zlib-dynamic option. -.IP "\fB\-none\fR" 4 -.IX Item "-none" -Use \s-1NULL\s0 cipher (no encryption or decryption of input). -.SH "NOTES" -.IX Header "NOTES" -The program can be called either as \fBopenssl ciphername\fR or -\&\fBopenssl enc \-ciphername\fR. But the first form doesn't work with -engine-provided ciphers, because this form is processed before the -configuration file is read and any ENGINEs loaded. -.PP -Engines which provide entirely new encryption algorithms (such as ccgost -engine which provides gost89 algorithm) should be configured in the -configuration file. Engines, specified in the command line using \-engine -options can only be used for hadrware-assisted implementations of -ciphers, which are supported by OpenSSL core or other engine, specified -in the configuration file. -.PP -When enc command lists supported ciphers, ciphers provided by engines, -specified in the configuration files are listed too. -.PP -A password will be prompted for to derive the key and \s-1IV\s0 if necessary. -.PP -The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived -from a password unless you want compatibility with previous versions of -OpenSSL and SSLeay. -.PP -Without the \fB\-salt\fR option it is possible to perform efficient dictionary -attacks on the password and to attack stream cipher encrypted data. 
The reason -for this is that without the salt the same password always generates the same -encryption key. When the salt is being used the first eight bytes of the -encrypted data are reserved for the salt: it is generated at random when -encrypting a file and read from the encrypted file when it is decrypted. -.PP -Some of the ciphers do not have large keys and others have security -implications if not used correctly. A beginner is advised to just use -a strong block cipher in \s-1CBC\s0 mode such as bf or des3. -.PP -All the block ciphers normally use PKCS#5 padding also known as standard block -padding: this allows a rudimentary integrity or password check to be -performed. However since the chance of random data passing the test is -better than 1 in 256 it isn't a very good test. -.PP -If padding is disabled then the input data must be a multiple of the cipher -block length. -.PP -All \s-1RC2\s0 ciphers have the same key and effective key length. -.PP -Blowfish and \s-1RC5\s0 algorithms use a 128 bit key. -.SH "SUPPORTED CIPHERS" -.IX Header "SUPPORTED CIPHERS" -Note that some of these ciphers can be disabled at compile time -and some are available only if an appropriate engine is configured -in the configuration file. The output of the \fBenc\fR command run with -unsupported options (for example \fBopenssl enc \-help\fR) includes a -list of ciphers, supported by your versesion of OpenSSL, including -ones provided by configured engines. -.PP -The \fBenc\fR program does not support authenticated encryption modes -like \s-1CCM\s0 and \s-1GCM.\s0 The utility does not store or retrieve the -authentication tag. 
-.PP -.Vb 1 -\& base64 Base 64 -\& -\& bf\-cbc Blowfish in CBC mode -\& bf Alias for bf\-cbc -\& bf\-cfb Blowfish in CFB mode -\& bf\-ecb Blowfish in ECB mode -\& bf\-ofb Blowfish in OFB mode -\& -\& cast\-cbc CAST in CBC mode -\& cast Alias for cast\-cbc -\& cast5\-cbc CAST5 in CBC mode -\& cast5\-cfb CAST5 in CFB mode -\& cast5\-ecb CAST5 in ECB mode -\& cast5\-ofb CAST5 in OFB mode -\& -\& des\-cbc DES in CBC mode -\& des Alias for des\-cbc -\& des\-cfb DES in CBC mode -\& des\-ofb DES in OFB mode -\& des\-ecb DES in ECB mode -\& -\& des\-ede\-cbc Two key triple DES EDE in CBC mode -\& des\-ede Two key triple DES EDE in ECB mode -\& des\-ede\-cfb Two key triple DES EDE in CFB mode -\& des\-ede\-ofb Two key triple DES EDE in OFB mode -\& -\& des\-ede3\-cbc Three key triple DES EDE in CBC mode -\& des\-ede3 Three key triple DES EDE in ECB mode -\& des3 Alias for des\-ede3\-cbc -\& des\-ede3\-cfb Three key triple DES EDE CFB mode -\& des\-ede3\-ofb Three key triple DES EDE in OFB mode -\& -\& desx DESX algorithm. 
-\& -\& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine) -\& gost89\-cnt \`GOST 28147\-89 in CNT mode (provided by ccgost engine) -\& -\& idea\-cbc IDEA algorithm in CBC mode -\& idea same as idea\-cbc -\& idea\-cfb IDEA in CFB mode -\& idea\-ecb IDEA in ECB mode -\& idea\-ofb IDEA in OFB mode -\& -\& rc2\-cbc 128 bit RC2 in CBC mode -\& rc2 Alias for rc2\-cbc -\& rc2\-cfb 128 bit RC2 in CFB mode -\& rc2\-ecb 128 bit RC2 in ECB mode -\& rc2\-ofb 128 bit RC2 in OFB mode -\& rc2\-64\-cbc 64 bit RC2 in CBC mode -\& rc2\-40\-cbc 40 bit RC2 in CBC mode -\& -\& rc4 128 bit RC4 -\& rc4\-64 64 bit RC4 -\& rc4\-40 40 bit RC4 -\& -\& rc5\-cbc RC5 cipher in CBC mode -\& rc5 Alias for rc5\-cbc -\& rc5\-cfb RC5 cipher in CFB mode -\& rc5\-ecb RC5 cipher in ECB mode -\& rc5\-ofb RC5 cipher in OFB mode -\& -\& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode -\& aes\-[128|192|256] Alias for aes\-[128|192|256]\-cbc -\& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode -\& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode -\& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode -\& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode -\& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode -.Ve -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Just base64 encode a binary file: -.PP -.Vb 1 -\& openssl base64 \-in file.bin \-out file.b64 -.Ve -.PP -Decode the same file -.PP -.Vb 1 -\& openssl base64 \-d \-in file.b64 \-out file.bin -.Ve -.PP -Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password: -.PP -.Vb 1 -\& openssl des3 \-salt \-in file.txt \-out file.des3 -.Ve -.PP -Decrypt a file using a supplied password: -.PP -.Vb 1 -\& openssl des3 \-d \-salt \-in file.des3 \-out file.txt \-k mypassword -.Ve -.PP -Encrypt a file then base64 encode it (so it can be sent via mail for example) -using Blowfish in \s-1CBC\s0 mode: -.PP -.Vb 1 -\& openssl bf \-a \-salt \-in file.txt \-out file.bf -.Ve -.PP -Base64 
decode a file then decrypt it: -.PP -.Vb 1 -\& openssl bf \-d \-salt \-a \-in file.bf \-out file.txt -.Ve -.PP -Decrypt some data using a supplied 40 bit \s-1RC4\s0 key: -.PP -.Vb 1 -\& openssl rc4\-40 \-in file.rc4 \-out file.txt \-K 0102030405 -.Ve -.SH "BUGS" -.IX Header "BUGS" -The \fB\-A\fR option when used with large files doesn't work properly. -.PP -There should be an option to allow an iteration count to be included. -.PP -The \fBenc\fR program only supports a fixed number of algorithms with -certain parameters. So if, for example, you want to use \s-1RC2\s0 with a -76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program. diff --git a/usr.bin/openssl/man/errstr.1 b/usr.bin/openssl/man/errstr.1 deleted file mode 100644 index 6f47ab2f5e..0000000000 --- a/usr.bin/openssl/man/errstr.1 +++ /dev/null 
@@ -1,175 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "ERRSTR 1" -.TH ERRSTR 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -errstr \- lookup error codes -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl errstr error_code\fR -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -Sometimes an application will not load error message and only -numerical forms will be available. The \fBerrstr\fR utility can be used to -display the meaning of the hex code. The hex code is the hex digits after the -second colon. -.SH "EXAMPLE" -.IX Header "EXAMPLE" -The error code: -.PP -.Vb 1 -\& 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107: -.Ve -.PP -can be displayed with: -.PP -.Vb 1 -\& openssl errstr 2006D080 -.Ve -.PP -to produce the error message: -.PP -.Vb 1 -\& error:2006D080:BIO routines:BIO_new_file:no such file -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIerr\fR\|(3), -\&\fIERR_load_crypto_strings\fR\|(3), -\&\fISSL_load_error_strings\fR\|(3) diff --git a/usr.bin/openssl/man/gendsa.1 b/usr.bin/openssl/man/gendsa.1 deleted file mode 100644 index 66bdc9f8eb..0000000000 --- a/usr.bin/openssl/man/gendsa.1 +++ /dev/null 
@@ -1,195 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "GENDSA 1" -.TH GENDSA 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -gendsa \- generate a DSA private key from a set of parameters -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBgendsa\fR -[\fB\-out filename\fR] -[\fB\-aes128\fR] -[\fB\-aes192\fR] -[\fB\-aes256\fR] -[\fB\-camellia128\fR] -[\fB\-camellia192\fR] -[\fB\-camellia256\fR] -[\fB\-des\fR] -[\fB\-des3\fR] -[\fB\-idea\fR] -[\fB\-rand file(s)\fR] -[\fB\-engine id\fR] -[\fBparamfile\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file -(which will be typically generated by the \fBopenssl dsaparam\fR command). -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4 -.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea" -These options encrypt the private key with specified -cipher before outputting it. A pass phrase is prompted for. -If none of these options is specified no encryption is used. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBgendsa\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.IP "\fBparamfile\fR" 4 -.IX Item "paramfile" -This option specifies the \s-1DSA\s0 parameter file to use. The parameters in this -file determine the size of the private key. \s-1DSA\s0 parameters can be generated -and examined using the \fBopenssl dsaparam\fR command. 
-.SH "NOTES" -.IX Header "NOTES" -\&\s-1DSA\s0 key generation is little more than random number generation so it is -much quicker that \s-1RSA\s0 key generation for example. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIdsaparam\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), -\&\fIrsa\fR\|(1) diff --git a/usr.bin/openssl/man/genpkey.1 b/usr.bin/openssl/man/genpkey.1 deleted file mode 100644 index 8b22cb5d93..0000000000 --- a/usr.bin/openssl/man/genpkey.1 +++ /dev/null 
@@ -1,329 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "GENPKEY 1" -.TH GENPKEY 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -genpkey \- generate a private key -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBgenpkey\fR -[\fB\-out filename\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-pass arg\fR] -[\fB\-cipher\fR] -[\fB\-engine id\fR] -[\fB\-paramfile file\fR] -[\fB\-algorithm alg\fR] -[\fB\-pkeyopt opt:value\fR] -[\fB\-genparam\fR] -[\fB\-text\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBgenpkey\fR command generates a private key. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -the output filename. If this argument is not specified then standard output is -used. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format \s-1DER\s0 or \s-1PEM.\s0 -.IP "\fB\-pass arg\fR" 4 -.IX Item "-pass arg" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-cipher\fR" 4 -.IX Item "-cipher" -This option encrypts the private key with the supplied cipher. Any algorithm -name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. If used this option should precede all other -options. -.IP "\fB\-algorithm alg\fR" 4 -.IX Item "-algorithm alg" -public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must -precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR -are mutually exclusive. -.IP "\fB\-pkeyopt opt:value\fR" 4 -.IX Item "-pkeyopt opt:value" -set the public key algorithm option \fBopt\fR to \fBvalue\fR. 
The precise set of -options supported depends on the public key algorithm used and its -implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR below for more details. -.IP "\fB\-genparam\fR" 4 -.IX Item "-genparam" -generate a set of parameters instead of a private key. If used this option must -precede and \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options. -.IP "\fB\-paramfile filename\fR" 4 -.IX Item "-paramfile filename" -Some public key algorithms generate a private key based on a set of parameters. -They can be supplied using this option. If this option is used the public key -algorithm used is determined by the parameters. If used this option must -precede and \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR -are mutually exclusive. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -Print an (unencrypted) text representation of private and public keys and -parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure. -.SH "KEY GENERATION OPTIONS" -.IX Header "KEY GENERATION OPTIONS" -The options supported by each algorith and indeed each implementation of an -algorithm can vary. The options for the OpenSSL implementations are detailed -below. -.SH "RSA KEY GENERATION OPTIONS" -.IX Header "RSA KEY GENERATION OPTIONS" -.IP "\fBrsa_keygen_bits:numbits\fR" 4 -.IX Item "rsa_keygen_bits:numbits" -The number of bits in the generated key. If not specified 1024 is used. -.IP "\fBrsa_keygen_pubexp:value\fR" 4 -.IX Item "rsa_keygen_pubexp:value" -The \s-1RSA\s0 public exponent value. This can be a large decimal or -hexadecimal value if preceded by \fB0x\fR. Default value is 65537. -.SH "DSA PARAMETER GENERATION OPTIONS" -.IX Header "DSA PARAMETER GENERATION OPTIONS" -.IP "\fBdsa_paramgen_bits:numbits\fR" 4 -.IX Item "dsa_paramgen_bits:numbits" -The number of bits in the generated parameters. If not specified 1024 is used. 
-.SH "DH PARAMETER GENERATION OPTIONS" -.IX Header "DH PARAMETER GENERATION OPTIONS" -.IP "\fBdh_paramgen_prime_len:numbits\fR" 4 -.IX Item "dh_paramgen_prime_len:numbits" -The number of bits in the prime parameter \fBp\fR. -.IP "\fBdh_paramgen_generator:value\fR" 4 -.IX Item "dh_paramgen_generator:value" -The value to use for the generator \fBg\fR. -.IP "\fBdh_rfc5114:num\fR" 4 -.IX Item "dh_rfc5114:num" -If this option is set then the appropriate \s-1RFC5114\s0 parameters are used -instead of generating new parameters. The value \fBnum\fR can take the -values 1, 2 or 3 corresponding to \s-1RFC5114 DH\s0 parameters consisting of -1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup -and 2048 bit group with 256 bit subgroup as mentioned in \s-1RFC5114\s0 sections -2.1, 2.2 and 2.3 respectively. -.SH "EC PARAMETER GENERATION OPTIONS" -.IX Header "EC PARAMETER GENERATION OPTIONS" -.IP "\fBec_paramgen_curve:curve\fR" 4 -.IX Item "ec_paramgen_curve:curve" -the \s-1EC\s0 curve to use. -.SH "GOST2001 KEY GENERATION AND PARAMETER OPTIONS" -.IX Header "GOST2001 KEY GENERATION AND PARAMETER OPTIONS" -Gost 2001 support is not enabled by default. To enable this algorithm, -one should load the ccgost engine in the OpenSSL configuration file. -See \s-1README\s0.gost file in the engines/ccgost directiry of the source -distribution for more details. -.PP -Use of a parameter file for the \s-1GOST R 34.10\s0 algorithm is optional. -Parameters can be specified during key generation directly as well as -during generation of parameter file. 
-.IP "\fBparamset:name\fR" 4 -.IX Item "paramset:name" -Specifies \s-1GOST R 34.10\-2001\s0 parameter set according to \s-1RFC 4357.\s0 -Parameter set can be specified using abbreviated name, object short name or -numeric \s-1OID.\s0 Following parameter sets are supported: -.Sp -.Vb 7 -\& paramset OID Usage -\& A 1.2.643.2.2.35.1 Signature -\& B 1.2.643.2.2.35.2 Signature -\& C 1.2.643.2.2.35.3 Signature -\& XA 1.2.643.2.2.36.0 Key exchange -\& XB 1.2.643.2.2.36.1 Key exchange -\& test 1.2.643.2.2.35.0 Test purposes -.Ve -.SH "NOTES" -.IX Header "NOTES" -The use of the genpkey program is encouraged over the algorithm specific -utilities because additional algorithm options and \s-1ENGINE\s0 provided algorithms -can be used. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Generate an \s-1RSA\s0 private key using default parameters: -.PP -.Vb 1 -\& openssl genpkey \-algorithm RSA \-out key.pem -.Ve -.PP -Encrypt output private key using 128 bit \s-1AES\s0 and the passphrase \*(L"hello\*(R": -.PP -.Vb 1 -\& openssl genpkey \-algorithm RSA \-out key.pem \-aes\-128\-cbc \-pass pass:hello -.Ve -.PP -Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent: -.PP -.Vb 2 -\& openssl genpkey \-algorithm RSA \-out key.pem \-pkeyopt rsa_keygen_bits:2048 \e -\& \-pkeyopt rsa_keygen_pubexp:3 -.Ve -.PP -Generate 1024 bit \s-1DSA\s0 parameters: -.PP -.Vb 2 -\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e -\& \-pkeyopt dsa_paramgen_bits:1024 -.Ve -.PP -Generate \s-1DSA\s0 key from parameters: -.PP -.Vb 1 -\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem -.Ve -.PP -Generate 1024 bit \s-1DH\s0 parameters: -.PP -.Vb 2 -\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e -\& \-pkeyopt dh_paramgen_prime_len:1024 -.Ve -.PP -Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup: -.PP -.Vb 1 -\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt dh_rfc5114:2 -.Ve -.PP -Generate \s-1DH\s0 key from parameters: -.PP -.Vb 1 
-\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
-.Ve
diff --git a/usr.bin/openssl/man/genrsa.1 b/usr.bin/openssl/man/genrsa.1
deleted file mode 100644
index 0c9d6619d6..0000000000
--- a/usr.bin/openssl/man/genrsa.1
+++ /dev/null
@@ -1,220 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "GENRSA 1" -.TH GENRSA 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -genrsa \- generate an RSA private key -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBgenrsa\fR -[\fB\-out filename\fR] -[\fB\-passout arg\fR] -[\fB\-aes128\fR] -[\fB\-aes192\fR] -[\fB\-aes256\fR] -[\fB\-camellia128\fR] -[\fB\-camellia192\fR] -[\fB\-camellia256\fR] -[\fB\-des\fR] -[\fB\-des3\fR] -[\fB\-idea\fR] -[\fB\-f4\fR] -[\fB\-3\fR] -[\fB\-rand file(s)\fR] -[\fB\-engine id\fR] -[\fBnumbits\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBgenrsa\fR command generates an \s-1RSA\s0 private key. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -the output filename. If this argument is not specified then standard output is -used. -.IP "\fB\-passout arg\fR" 4 -.IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4 -.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea" -These options encrypt the private key with specified -cipher before outputting it. If none of these options is -specified no encryption is used. If encryption is used a pass phrase is prompted -for if it is not supplied via the \fB\-passout\fR argument. -.IP "\fB\-F4|\-3\fR" 4 -.IX Item "-F4|-3" -the public exponent to use, either 65537 or 3. The default is 65537. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. 
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by its unique \fBid\fR string) will cause \fBgenrsa\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fBnumbits\fR" 4
-.IX Item "numbits"
-the size of the private key to generate in bits. This must be the last option
-specified. The default is 512.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\s-1RSA\s0 private key generation essentially involves the generation of two prime
-numbers. When generating a private key various symbols will be output to
-indicate the progress of the generation. A \fB.\fR represents each number which
-has passed an initial sieve test, \fB+\fR means a number has passed a single
-round of the Miller-Rabin primality test. A newline means that the number has
-passed all the prime tests (the actual number depends on the key size).
-.PP
-Because key generation is a random process the time taken to generate a key
-may vary somewhat.
-.SH "BUGS"
-.IX Header "BUGS"
-A quirk of the prime generation algorithm is that it cannot generate small
-primes. Therefore the number of bits should not be less that 64. For typical
-private keys this will not matter because for security reasons they will
-be much larger (typically 1024 bits).
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIgendsa\fR\|(1)
diff --git a/usr.bin/openssl/man/nseq.1 b/usr.bin/openssl/man/nseq.1
deleted file mode 100644
index 64b06ce30f..0000000000
--- a/usr.bin/openssl/man/nseq.1
+++ /dev/null
@@ -1,199 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "NSEQ 1" -.TH NSEQ 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -nseq \- create or examine a netscape certificate sequence -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBnseq\fR -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-toseq\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBnseq\fR command takes a file containing a Netscape certificate -sequence and prints out the certificates contained in it or takes a -file of certificates and converts it into a Netscape certificate -sequence. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read or standard input if this -option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -specifies the output filename or standard output by default. -.IP "\fB\-toseq\fR" 4 -.IX Item "-toseq" -normally a Netscape certificate sequence will be input and the output -is the certificates contained in it. With the \fB\-toseq\fR option the -situation is reversed: a Netscape certificate sequence is created from -a file of certificates. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Output the certificates in a Netscape certificate sequence -.PP -.Vb 1 -\& openssl nseq \-in nseq.pem \-out certs.pem -.Ve -.PP -Create a Netscape certificate sequence -.PP -.Vb 1 -\& openssl nseq \-in certs.pem \-toseq \-out nseq.pem -.Ve -.SH "NOTES" -.IX Header "NOTES" -The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certificate: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- -\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- -.Ve -.PP -A Netscape certificate sequence is a Netscape specific form that can be sent -to browsers as an alternative to the standard PKCS#7 format when several -certificates are sent to the browser: for example during certificate enrollment. -It is used by Netscape certificate server for example. 
-.SH "BUGS"
-.IX Header "BUGS"
-This program needs a few more options: like allowing \s-1DER\s0 or \s-1PEM\s0 input and
-output files and allowing multiple certificate files to be used.
diff --git a/usr.bin/openssl/man/ocsp.1 b/usr.bin/openssl/man/ocsp.1
deleted file mode 100644
index a92ef4b59e..0000000000
--- a/usr.bin/openssl/man/ocsp.1
+++ /dev/null
@@ -1,492 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "OCSP 1" -.TH OCSP 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -ocsp \- Online Certificate Status Protocol utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBocsp\fR -[\fB\-out file\fR] -[\fB\-issuer file\fR] -[\fB\-cert file\fR] -[\fB\-serial n\fR] -[\fB\-signer file\fR] -[\fB\-signkey file\fR] -[\fB\-sign_other file\fR] -[\fB\-no_certs\fR] -[\fB\-req_text\fR] -[\fB\-resp_text\fR] -[\fB\-text\fR] -[\fB\-reqout file\fR] -[\fB\-respout file\fR] -[\fB\-reqin file\fR] -[\fB\-respin file\fR] -[\fB\-nonce\fR] -[\fB\-no_nonce\fR] -[\fB\-url \s-1URL\s0\fR] -[\fB\-host host:n\fR] -[\fB\-path\fR] -[\fB\-CApath dir\fR] -[\fB\-CAfile file\fR] -[\fB\-no_alt_chains\fR] -[\fB\-VAfile file\fR] -[\fB\-validity_period n\fR] -[\fB\-status_age n\fR] -[\fB\-noverify\fR] -[\fB\-verify_other file\fR] -[\fB\-trust_other\fR] -[\fB\-no_intern\fR] -[\fB\-no_signature_verify\fR] -[\fB\-no_cert_verify\fR] -[\fB\-no_chain\fR] -[\fB\-no_cert_checks\fR] -[\fB\-no_explicit\fR] -[\fB\-port num\fR] -[\fB\-index file\fR] -[\fB\-CA file\fR] -[\fB\-rsigner file\fR] -[\fB\-rkey file\fR] -[\fB\-rother file\fR] -[\fB\-resp_no_certs\fR] -[\fB\-nmin n\fR] -[\fB\-ndays n\fR] -[\fB\-resp_key_id\fR] -[\fB\-nrequest n\fR] -[\fB\-md5|\-sha1|...\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to -determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0). -.PP -The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used -to print out requests and responses, create requests and send queries -to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself. -.SH "OCSP CLIENT OPTIONS" -.IX Header "OCSP CLIENT OPTIONS" -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -specify output filename, default is standard output. -.IP "\fB\-issuer filename\fR" 4 -.IX Item "-issuer filename" -This specifies the current issuer certificate. This option can be used -multiple times. 
The certificate specified in \fBfilename\fR must be in -\&\s-1PEM\s0 format. This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options. -.IP "\fB\-cert filename\fR" 4 -.IX Item "-cert filename" -Add the certificate \fBfilename\fR to the request. The issuer certificate -is taken from the previous \fBissuer\fR option, or an error occurs if no -issuer certificate is specified. -.IP "\fB\-serial num\fR" 4 -.IX Item "-serial num" -Same as the \fBcert\fR option except the certificate with serial number -\&\fBnum\fR is added to the request. The serial number is interpreted as a -decimal integer unless preceded by \fB0x\fR. Negative integers can also -be specified by preceding the value by a \fB\-\fR sign. -.IP "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4 -.IX Item "-signer filename, -signkey filename" -Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR -option and the private key specified by the \fBsignkey\fR option. If -the \fBsignkey\fR option is not present then the private key is read -from the same file as the certificate. If neither option is specified then -the \s-1OCSP\s0 request is not signed. -.IP "\fB\-sign_other filename\fR" 4 -.IX Item "-sign_other filename" -Additional certificates to include in the signed request. -.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4 -.IX Item "-nonce, -no_nonce" -Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition. -Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no -nonce is added: using the \fBnonce\fR option will force addition of a nonce. -If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options) -a nonce is automatically added specifying \fBno_nonce\fR overrides this. -.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4 -.IX Item "-req_text, -resp_text, -text" -print out the text form of the \s-1OCSP\s0 request, response or both respectively. 
-.IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4
-.IX Item "-reqout file, -respout file"
-write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR.
-.IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4
-.IX Item "-reqin file, -respin file"
-read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored
-if \s-1OCSP\s0 request or response creation is implied by other options (for example
-with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
-.IP "\fB\-url responder_url\fR" 4
-.IX Item "-url responder_url"
-specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS \s0(\s-1SSL/TLS\s0) URLs can be specified.
-.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
-.IX Item "-host hostname:port, -path pathname"
-if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
-\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use
-or \*(L"/\*(R" by default.
-.IP "\fB\-timeout seconds\fR" 4
-.IX Item "-timeout seconds"
-connection timeout to the \s-1OCSP\s0 responder in seconds
-.IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
-.IX Item "-CAfile file, -CApath pathname"
-file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
-the signature on the \s-1OCSP\s0 response.
-.IP "\fB\-no_alt_chains\fR" 4
-.IX Item "-no_alt_chains"
-See \fBverify\fR manual page for details.
-.IP "\fB\-verify_other file\fR" 4
-.IX Item "-verify_other file"
-file containing additional certificates to search when attempting to locate
-the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
-certificate from the response: this option can be used to supply the necessary
-certificate in such cases.
-.IP "\fB\-trust_other\fR" 4
-.IX Item "-trust_other"
-the certificates specified by the \fB\-verify_other\fR option should be explicitly
-trusted and no additional checks will be performed on them.
This is useful
-when the complete responder certificate chain is not available or trusting a
-root \s-1CA\s0 is not appropriate.
-.IP "\fB\-VAfile file\fR" 4
-.IX Item "-VAfile file"
-file containing explicitly trusted responder certificates. Equivalent to the
-\&\fB\-verify_other\fR and \fB\-trust_other\fR options.
-.IP "\fB\-noverify\fR" 4
-.IX Item "-noverify"
-don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This
-option will normally only be used for debugging since it disables all verification
-of the responders certificate.
-.IP "\fB\-no_intern\fR" 4
-.IX Item "-no_intern"
-ignore certificates contained in the \s-1OCSP\s0 response when searching for the
-signers certificate. With this option the signers certificate must be specified
-with either the \fB\-verify_other\fR or \fB\-VAfile\fR options.
-.IP "\fB\-no_signature_verify\fR" 4
-.IX Item "-no_signature_verify"
-don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid
-signatures on \s-1OCSP\s0 responses it will normally only be used for testing purposes.
-.IP "\fB\-no_cert_verify\fR" 4
-.IX Item "-no_cert_verify"
-don't verify the \s-1OCSP\s0 response signers certificate at all. Since this option allows
-the \s-1OCSP\s0 response to be signed by any certificate it should only be used for
-testing purposes.
-.IP "\fB\-no_chain\fR" 4
-.IX Item "-no_chain"
-do not use certificates in the response as additional untrusted \s-1CA\s0
-certificates.
-.IP "\fB\-no_explicit\fR" 4
-.IX Item "-no_explicit"
-do not explicitly trust the root \s-1CA\s0 if it is set to be trusted for \s-1OCSP\s0 signing.
-.IP "\fB\-no_cert_checks\fR" 4
-.IX Item "-no_cert_checks"
-don't perform any additional checks on the \s-1OCSP\s0 response signers certificate.
-That is do not make any checks to see if the signers certificate is authorised
-to provide the necessary status information: as a result this option should
-only be used for testing purposes.
-.IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
-.IX Item "-validity_period nsec, -status_age age"
-these options specify the range of times, in seconds, which will be tolerated
-in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and
-an optional \fBnotAfter\fR time. The current time should fall between these two values, but
-the interval between the two times may be only a few seconds. In practice the \s-1OCSP\s0
-responder and clients clocks may not be precisely synchronised and so such a check
-may fail. To avoid this the \fB\-validity_period\fR option can be used to specify an
-acceptable error range in seconds, the default value is 5 minutes.
-.Sp
-If the \fBnotAfter\fR time is omitted from a response then this means that new status
-information is immediately available. In this case the age of the \fBnotBefore\fR field
-is checked to see it is not older than \fBage\fR seconds old. By default this additional
-check is not performed.
-.IP "\fB\-md5|\-sha1|\-sha256|\-ripemod160|...\fR" 4
-.IX Item "-md5|-sha1|-sha256|-ripemod160|..."
-this option sets digest algorithm to use for certificate identification
-in the \s-1OCSP\s0 request. By default \s-1SHA\-1\s0 is used.
-.SH "OCSP SERVER OPTIONS"
-.IX Header "OCSP SERVER OPTIONS"
-.IP "\fB\-index indexfile\fR" 4
-.IX Item "-index indexfile"
-\&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation
-information.
-.Sp
-If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder mode, otherwise
-it is in client mode. The request(s) the responder processes can be either specified on
-the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the
-\&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified).
-.Sp
-If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be
-present.
-.IP "\fB\-CA file\fR" 4
-.IX Item "-CA file"
-\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR.
-.IP "\fB\-rsigner file\fR" 4
-.IX Item "-rsigner file"
-The certificate to sign \s-1OCSP\s0 responses with.
-.IP "\fB\-rother file\fR" 4
-.IX Item "-rother file"
-Additional certificates to include in the \s-1OCSP\s0 response.
-.IP "\fB\-resp_no_certs\fR" 4
-.IX Item "-resp_no_certs"
-Don't include any certificates in the \s-1OCSP\s0 response.
-.IP "\fB\-resp_key_id\fR" 4
-.IX Item "-resp_key_id"
-Identify the signer certificate using the key \s-1ID,\s0 default is to use the subject name.
-.IP "\fB\-rkey file\fR" 4
-.IX Item "-rkey file"
-The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the
-\&\fBrsigner\fR option is used.
-.IP "\fB\-port portnum\fR" 4
-.IX Item "-port portnum"
-Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR
-option.
-.IP "\fB\-nrequest number\fR" 4
-.IX Item "-nrequest number"
-The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited.
-.IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
-.IX Item "-nmin minutes, -ndays days"
-Number of minutes or days when fresh revocation information is available: used in the
-\&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is
-omitted meaning fresh revocation information is immediately available.
-.SH "OCSP Response verification."
-.IX Header "OCSP Response verification."
-\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0
-.PP
-Initially the \s-1OCSP\s0 responder certificate is located and the signature on
-the \s-1OCSP\s0 request checked using the responder certificate's public key.
-.PP
-Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
-building up a certificate chain in the process.
The locations of the trusted
-certificates used to build the chain can be specified by the \fBCAfile\fR
-and \fBCApath\fR options or they will be looked for in the standard OpenSSL
-certificates directory.
-.PP
-If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
-error.
-.PP
-Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0
-responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds.
-.PP
-Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing
-\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning
-extended key usage is present in the \s-1OCSP\s0 responder certificate then the
-\&\s-1OCSP\s0 verify succeeds.
-.PP
-Otherwise, if \fB\-no_explicit\fR is \fBnot\fR set the root \s-1CA\s0 of the \s-1OCSP\s0 responders
-\&\s-1CA\s0 is checked to see if it is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0
-verify succeeds.
-.PP
-If none of these checks is successful then the \s-1OCSP\s0 verify fails.
-.PP
-What this effectively means if that if the \s-1OCSP\s0 responder certificate is
-authorised directly by the \s-1CA\s0 it is issuing revocation information about
-(and it is correctly configured) then verification will succeed.
-.PP
-If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about
-multiple CAs and has its own separate certificate chain then its root
-\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example:
-.PP
-.Vb 1
-\& openssl x509 \-in ocspCA.pem \-addtrust OCSPSigning \-out trustedCA.pem
-.Ve
-.PP
-Alternatively the responder certificate itself can be explicitly trusted
-with the \fB\-VAfile\fR option.
-.SH "NOTES"
-.IX Header "NOTES"
-As noted, most of the verify options are for testing or debugging purposes.
-Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global
-\&\s-1VA\s0') \fB\-VAfile\fR options need to be used.
-.PP
-The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
-not really usable as a full \s-1OCSP\s0 responder. It contains only a very
-simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0
-queries. It also handles requests serially meaning it cannot respond to
-new requests until it has processed the current one. The text index file
-format of revocation is also inefficient for large quantities of revocation
-data.
-.PP
-It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0
-script using the \fBrespin\fR and \fBrespout\fR options.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Create an \s-1OCSP\s0 request and write it to a file:
-.PP
-.Vb 1
-\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \-reqout req.der
-.Ve
-.PP
-Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the
-response to a file and print it out in text form
-.PP
-.Vb 2
-\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \e
-\& \-url http://ocsp.myhost.com/ \-resp_text \-respout resp.der
-.Ve
-.PP
-Read in an \s-1OCSP\s0 response and print out text form:
-.PP
-.Vb 1
-\& openssl ocsp \-respin resp.der \-text
-.Ve
-.PP
-\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
-responder certificate. All requests and responses are printed to a file.
-.PP
-.Vb 2
-\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
-\& \-text \-out log.txt
-.Ve
-.PP
-As above but exit after processing one request:
-.PP
-.Vb 2
-\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
-\& \-nrequest 1
-.Ve
-.PP
-Query status information using internally generated request:
-.PP
-.Vb 2
-\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
-\& \-issuer demoCA/cacert.pem \-serial 1
-.Ve
-.PP
-Query status information using request read from a file, write response to a
-second file.
-.PP
-.Vb 2
-\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
-\& \-reqin req.der \-respout resp.der
-.Ve
-.SH "HISTORY"
-.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
diff --git a/usr.bin/openssl/man/openssl.1 b/usr.bin/openssl/man/openssl.1
deleted file mode 100644
index 6732b02be9..0000000000
--- a/usr.bin/openssl/man/openssl.1
+++ /dev/null
@@ -1,468 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "OPENSSL 1" -.TH OPENSSL 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l
-.nh
-.SH "NAME"
-openssl \- OpenSSL command line tool
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR
-\&\fIcommand\fR
-[ \fIcommand_opts\fR ]
-[ \fIcommand_args\fR ]
-.PP
-\&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR | \fBlist-cipher-algorithms\fR | \fBlist-message-digest-algorithms\fR | \fBlist-public-key-algorithms\fR]
-.PP
-\&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0
-v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and related
-cryptography standards required by them.
-.PP
-The \fBopenssl\fR program is a command line tool for using the various
-cryptography functions of OpenSSL's \fBcrypto\fR library from the shell.
-It can be used for
-.PP
-.Vb 8
-\& o Creation and management of private keys, public keys and parameters
-\& o Public key cryptographic operations
-\& o Creation of X.509 certificates, CSRs and CRLs
-\& o Calculation of Message Digests
-\& o Encryption and Decryption with Ciphers
-\& o SSL/TLS Client and Server Tests
-\& o Handling of S/MIME signed or encrypted mail
-\& o Time Stamp requests, generation and verification
-.Ve
-.SH "COMMAND SUMMARY"
-.IX Header "COMMAND SUMMARY"
-The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in the
-\&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments
-(\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0).
-.PP
-The pseudo-commands \fBlist-standard-commands\fR, \fBlist-message-digest-commands\fR,
-and \fBlist-cipher-commands\fR output a list (one entry per line) of the names
-of all standard commands, message digest commands, or cipher commands,
-respectively, that are available in the present \fBopenssl\fR utility.
-.PP
-The pseudo-commands \fBlist-cipher-algorithms\fR and
-\&\fBlist-message-digest-algorithms\fR list all cipher and message digest names, one entry per line. Aliases are listed as:
-.PP
-.Vb 1
-\& from => to
-.Ve
-.PP
-The pseudo-command \fBlist-public-key-algorithms\fR lists all supported public
-key algorithms.
-.PP
-The pseudo-command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the
-specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it
-returns 0 (success) and prints \fBno\-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
-and prints \fI\s-1XXX\s0\fR. In both cases, the output goes to \fBstdout\fR and
-nothing is printed to \fBstderr\fR. Additional command line arguments
-are always ignored. Since for each cipher there is a command of the
-same name, this provides an easy way for shell scripts to test for the
-availability of ciphers in the \fBopenssl\fR program. (\fBno\-\fR\fI\s-1XXX\s0\fR is
-not able to detect pseudo-commands such as \fBquit\fR,
-\&\fBlist\-\fR\fI...\fR\fB\-commands\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.)
-.SS "\s-1STANDARD COMMANDS\s0"
-.IX Subsection "STANDARD COMMANDS"
-.IP "\fBasn1parse\fR" 10
-.IX Item "asn1parse"
-Parse an \s-1ASN.1\s0 sequence.
-.IP "\fBca\fR" 10
-.IX Item "ca"
-Certificate Authority (\s-1CA\s0) Management.
-.IP "\fBciphers\fR" 10
-.IX Item "ciphers"
-Cipher Suite Description Determination.
-.IP "\fBcms\fR" 10
-.IX Item "cms"
-\&\s-1CMS \s0(Cryptographic Message Syntax) utility
-.IP "\fBcrl\fR" 10
-.IX Item "crl"
-Certificate Revocation List (\s-1CRL\s0) Management.
-.IP "\fBcrl2pkcs7\fR" 10
-.IX Item "crl2pkcs7"
-\&\s-1CRL\s0 to PKCS#7 Conversion.
-.IP "\fBdgst\fR" 10
-.IX Item "dgst"
-Message Digest Calculation.
-.IP "\fBdh\fR" 10
-.IX Item "dh"
-Diffie-Hellman Parameter Management.
-Obsoleted by \fBdhparam\fR.
-.IP "\fBdhparam\fR" 10
-.IX Item "dhparam"
-Generation and Management of Diffie-Hellman Parameters.
Superseded by
-\&\fBgenpkey\fR and \fBpkeyparam\fR
-.IP "\fBdsa\fR" 10
-.IX Item "dsa"
-\&\s-1DSA\s0 Data Management.
-.IP "\fBdsaparam\fR" 10
-.IX Item "dsaparam"
-\&\s-1DSA\s0 Parameter Generation and Management. Superseded by
-\&\fBgenpkey\fR and \fBpkeyparam\fR
-.IP "\fBec\fR" 10
-.IX Item "ec"
-\&\s-1EC \s0(Elliptic curve) key processing
-.IP "\fBecparam\fR" 10
-.IX Item "ecparam"
-\&\s-1EC\s0 parameter manipulation and generation
-.IP "\fBenc\fR" 10
-.IX Item "enc"
-Encoding with Ciphers.
-.IP "\fBengine\fR" 10
-.IX Item "engine"
-Engine (loadble module) information and manipulation.
-.IP "\fBerrstr\fR" 10
-.IX Item "errstr"
-Error Number to Error String Conversion.
-.IP "\fBgendh\fR" 10
-.IX Item "gendh"
-Generation of Diffie-Hellman Parameters.
-Obsoleted by \fBdhparam\fR.
-.IP "\fBgendsa\fR" 10
-.IX Item "gendsa"
-Generation of \s-1DSA\s0 Private Key from Parameters. Superseded by
-\&\fBgenpkey\fR and \fBpkey\fR
-.IP "\fBgenpkey\fR" 10
-.IX Item "genpkey"
-Generation of Private Key or Parameters.
-.IP "\fBgenrsa\fR" 10
-.IX Item "genrsa"
-Generation of \s-1RSA\s0 Private Key. Superceded by \fBgenpkey\fR.
-.IP "\fBnseq\fR" 10
-.IX Item "nseq"
-Create or examine a netscape certificate sequence
-.IP "\fBocsp\fR" 10
-.IX Item "ocsp"
-Online Certificate Status Protocol utility.
-.IP "\fBpasswd\fR" 10
-.IX Item "passwd"
-Generation of hashed passwords.
-.IP "\fBpkcs12\fR" 10
-.IX Item "pkcs12"
-PKCS#12 Data Management.
-.IP "\fBpkcs7\fR" 10
-.IX Item "pkcs7"
-PKCS#7 Data Management.
-.IP "\fBpkey\fR" 10
-.IX Item "pkey"
-Public and private key management.
-.IP "\fBpkeyparam\fR" 10
-.IX Item "pkeyparam"
-Public key algorithm parameter management.
-.IP "\fBpkeyutl\fR" 10
-.IX Item "pkeyutl"
-Public key algorithm cryptographic operation utility.
-.IP "\fBrand\fR" 10
-.IX Item "rand"
-Generate pseudo-random bytes.
-.IP "\fBreq\fR" 10
-.IX Item "req"
-PKCS#10 X.509 Certificate Signing Request (\s-1CSR\s0) Management.
-.IP "\fBrsa\fR" 10
-.IX Item "rsa"
-\&\s-1RSA\s0 key management.
-.IP "\fBrsautl\fR" 10
-.IX Item "rsautl"
-\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption. Superseded
-by \fBpkeyutl\fR
-.IP "\fBs_client\fR" 10
-.IX Item "s_client"
-This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
-connection to a remote server speaking \s-1SSL/TLS.\s0 It's intended for testing
-purposes only and provides only rudimentary interface functionality but
-internally uses mostly all functionality of the OpenSSL \fBssl\fR library.
-.IP "\fBs_server\fR" 10
-.IX Item "s_server"
-This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote
-clients speaking \s-1SSL/TLS.\s0 It's intended for testing purposes only and provides
-only rudimentary interface functionality but internally uses mostly all
-functionality of the OpenSSL \fBssl\fR library. It provides both an own command
-line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response
-facility to emulate an SSL/TLS\-aware webserver.
-.IP "\fBs_time\fR" 10
-.IX Item "s_time"
-\&\s-1SSL\s0 Connection Timer.
-.IP "\fBsess_id\fR" 10
-.IX Item "sess_id"
-\&\s-1SSL\s0 Session Data Management.
-.IP "\fBsmime\fR" 10
-.IX Item "smime"
-S/MIME mail processing.
-.IP "\fBspeed\fR" 10
-.IX Item "speed"
-Algorithm Speed Measurement.
-.IP "\fBspkac\fR" 10
-.IX Item "spkac"
-\&\s-1SPKAC\s0 printing and generating utility
-.IP "\fBts\fR" 10
-.IX Item "ts"
-Time Stamping Authority tool (client/server)
-.IP "\fBverify\fR" 10
-.IX Item "verify"
-X.509 Certificate Verification.
-.IP "\fBversion\fR" 10
-.IX Item "version"
-OpenSSL Version Information.
-.IP "\fBx509\fR" 10
-.IX Item "x509"
-X.509 Certificate Data Management.
-.SS "\s-1MESSAGE DIGEST COMMANDS\s0"
-.IX Subsection "MESSAGE DIGEST COMMANDS"
-.IP "\fBmd2\fR" 10
-.IX Item "md2"
-\&\s-1MD2\s0 Digest
-.IP "\fBmd5\fR" 10
-.IX Item "md5"
-\&\s-1MD5\s0 Digest
-.IP "\fBmdc2\fR" 10
-.IX Item "mdc2"
-\&\s-1MDC2\s0 Digest
-.IP "\fBrmd160\fR" 10
-.IX Item "rmd160"
-\&\s-1RMD\-160\s0 Digest
-.IP "\fBsha\fR" 10
-.IX Item "sha"
-\&\s-1SHA\s0 Digest
-.IP "\fBsha1\fR" 10
-.IX Item "sha1"
-\&\s-1SHA\-1\s0 Digest
-.IP "\fBsha224\fR" 10
-.IX Item "sha224"
-\&\s-1SHA\-224\s0 Digest
-.IP "\fBsha256\fR" 10
-.IX Item "sha256"
-\&\s-1SHA\-256\s0 Digest
-.IP "\fBsha384\fR" 10
-.IX Item "sha384"
-\&\s-1SHA\-384\s0 Digest
-.IP "\fBsha512\fR" 10
-.IX Item "sha512"
-\&\s-1SHA\-512\s0 Digest
-.SS "\s-1ENCODING AND CIPHER COMMANDS\s0"
-.IX Subsection "ENCODING AND CIPHER COMMANDS"
-.IP "\fBbase64\fR" 10
-.IX Item "base64"
-Base64 Encoding
-.IP "\fBbf bf-cbc bf-cfb bf-ecb bf-ofb\fR" 10
-.IX Item "bf bf-cbc bf-cfb bf-ecb bf-ofb"
-Blowfish Cipher
-.IP "\fBcast cast-cbc\fR" 10
-.IX Item "cast cast-cbc"
-\&\s-1CAST\s0 Cipher
-.IP "\fBcast5\-cbc cast5\-cfb cast5\-ecb cast5\-ofb\fR" 10
-.IX Item "cast5-cbc cast5-cfb cast5-ecb cast5-ofb"
-\&\s-1CAST5\s0 Cipher
-.IP "\fBdes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb\fR" 10
-.IX Item "des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb"
-\&\s-1DES\s0 Cipher
-.IP "\fBdes3 desx des\-ede3 des\-ede3\-cbc des\-ede3\-cfb des\-ede3\-ofb\fR" 10
-.IX Item "des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb"
-Triple-DES Cipher
-.IP "\fBidea idea-cbc idea-cfb idea-ecb idea-ofb\fR" 10
-.IX Item "idea idea-cbc idea-cfb idea-ecb idea-ofb"
-\&\s-1IDEA\s0 Cipher
-.IP "\fBrc2 rc2\-cbc rc2\-cfb rc2\-ecb rc2\-ofb\fR" 10
-.IX Item "rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb"
-\&\s-1RC2\s0 Cipher
-.IP "\fBrc4\fR" 10
-.IX Item "rc4"
-\&\s-1RC4\s0 Cipher
-.IP "\fBrc5 rc5\-cbc rc5\-cfb rc5\-ecb rc5\-ofb\fR" 10
-.IX Item "rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb"
-\&\s-1RC5\s0 Cipher
-.SH "PASS PHRASE ARGUMENTS"
-.IX Header "PASS PHRASE ARGUMENTS"
-Several commands accept password arguments, typically using \fB\-passin\fR
-and \fB\-passout\fR for input and output passwords respectively. These allow
-the password to be obtained from a variety of sources. Both of these
-options take a single argument whose format is described below. If no
-password argument is given and a password is required then the user is
-prompted to enter one: this will typically be read from the current
-terminal with echoing turned off.
-.IP "\fBpass:password\fR" 10
-.IX Item "pass:password"
-the actual password is \fBpassword\fR. Since the password is visible
-to utilities (like 'ps' under Unix) this form should only be used
-where security is not important.
-.IP "\fBenv:var\fR" 10
-.IX Item "env:var"
-obtain the password from the environment variable \fBvar\fR. Since
-the environment of other processes is visible on certain platforms
-(e.g. ps under certain Unix OSes) this option should be used with caution.
-.IP "\fBfile:pathname\fR" 10
-.IX Item "file:pathname"
-the first line of \fBpathname\fR is the password. If the same \fBpathname\fR
-argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first
-line will be used for the input password and the next line for the output
-password. \fBpathname\fR need not refer to a regular file: it could for example
-refer to a device or named pipe.
-.IP "\fBfd:number\fR" 10
-.IX Item "fd:number"
-read the password from the file descriptor \fBnumber\fR. This can be used to
-send the data via a pipe for example.
-.IP "\fBstdin\fR" 10
-.IX Item "stdin"
-read the password from standard input.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIasn1parse\fR\|(1), \fIca\fR\|(1), \fIconfig\fR\|(5),
-\&\fIcrl\fR\|(1), \fIcrl2pkcs7\fR\|(1), \fIdgst\fR\|(1),
-\&\fIdhparam\fR\|(1), \fIdsa\fR\|(1), \fIdsaparam\fR\|(1),
-\&\fIenc\fR\|(1), \fIgendsa\fR\|(1), \fIgenpkey\fR\|(1),
-\&\fIgenrsa\fR\|(1), \fInseq\fR\|(1), \fIopenssl\fR\|(1),
-\&\fIpasswd\fR\|(1),
-\&\fIpkcs12\fR\|(1), \fIpkcs7\fR\|(1), \fIpkcs8\fR\|(1),
-\&\fIrand\fR\|(1), \fIreq\fR\|(1), \fIrsa\fR\|(1),
-\&\fIrsautl\fR\|(1), \fIs_client\fR\|(1),
-\&\fIs_server\fR\|(1), \fIs_time\fR\|(1),
-\&\fIsmime\fR\|(1), \fIspkac\fR\|(1),
-\&\fIverify\fR\|(1), \fIversion\fR\|(1), \fIx509\fR\|(1),
-\&\fIcrypto\fR\|(3), \fIssl\fR\|(3), \fIx509v3_config\fR\|(5)
-.SH "HISTORY"
-.IX Header "HISTORY"
-The \fIopenssl\fR\|(1) document appeared in OpenSSL 0.9.2.
-The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3;
-The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-algorithms\fR pseudo-commands were added in OpenSSL 1.0.0;
-the \fBno\-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a.
-For notes on the availability of other commands, see their individual
-manual pages.
diff --git a/usr.bin/openssl/man/passwd.1 b/usr.bin/openssl/man/passwd.1
deleted file mode 100644
index b2d50dd1f7..0000000000
--- a/usr.bin/openssl/man/passwd.1
+++ /dev/null
@@ -1,201 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "PASSWD 1" -.TH PASSWD 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l
-.nh
-.SH "NAME"
-passwd \- compute password hashes
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl passwd\fR
-[\fB\-crypt\fR]
-[\fB\-1\fR]
-[\fB\-apr1\fR]
-[\fB\-salt\fR \fIstring\fR]
-[\fB\-in\fR \fIfile\fR]
-[\fB\-stdin\fR]
-[\fB\-noverify\fR]
-[\fB\-quiet\fR]
-[\fB\-table\fR]
-{\fIpassword\fR}
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBpasswd\fR command computes the hash of a password typed at
-run-time or the hash of each password in a list. The password list is
-taken from the named file for option \fB\-in file\fR, from stdin for
-option \fB\-stdin\fR, or from the command line, or from the terminal otherwise.
-The Unix standard algorithm \fBcrypt\fR and the MD5\-based \s-1BSD\s0 password
-algorithm \fB1\fR and its Apache variant \fBapr1\fR are available.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.IP "\fB\-crypt\fR" 4
-.IX Item "-crypt"
-Use the \fBcrypt\fR algorithm (default).
-.IP "\fB\-1\fR" 4
-.IX Item "-1"
-Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR.
-.IP "\fB\-apr1\fR" 4
-.IX Item "-apr1"
-Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm).
-.IP "\fB\-salt\fR \fIstring\fR" 4
-.IX Item "-salt string"
-Use the specified salt.
-When reading a password from the terminal, this implies \fB\-noverify\fR.
-.IP "\fB\-in\fR \fIfile\fR" 4
-.IX Item "-in file"
-Read passwords from \fIfile\fR.
-.IP "\fB\-stdin\fR" 4
-.IX Item "-stdin"
-Read passwords from \fBstdin\fR.
-.IP "\fB\-noverify\fR" 4
-.IX Item "-noverify"
-Don't verify when reading a password from the terminal.
-.IP "\fB\-quiet\fR" 4
-.IX Item "-quiet"
-Don't output warnings when passwords given at the command line are truncated.
-.IP "\fB\-table\fR" 4
-.IX Item "-table"
-In the output list, prepend the cleartext password and a \s-1TAB\s0 character
-to each password hash.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-\&\fBopenssl passwd \-crypt \-salt xx password\fR prints \fBxxj31ZMTZzkVA\fR.
-.PP
-\&\fBopenssl passwd \-1 \-salt xxxxxxxx password\fR prints \fB\f(CB$1\fB$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.\fR.
-.PP
-\&\fBopenssl passwd \-apr1 \-salt xxxxxxxx password\fR prints \fB\f(CB$apr1\fB$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0\fR.
diff --git a/usr.bin/openssl/man/pkcs12.1 b/usr.bin/openssl/man/pkcs12.1
deleted file mode 100644
index ac5a28758b..0000000000
--- a/usr.bin/openssl/man/pkcs12.1
+++ /dev/null
@@ -1,462 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "PKCS12 1" -.TH PKCS12 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l
-.nh
-.SH "NAME"
-pkcs12 \- PKCS#12 file utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBpkcs12\fR
-[\fB\-export\fR]
-[\fB\-chain\fR]
-[\fB\-inkey filename\fR]
-[\fB\-certfile filename\fR]
-[\fB\-name name\fR]
-[\fB\-caname name\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-noout\fR]
-[\fB\-nomacver\fR]
-[\fB\-nocerts\fR]
-[\fB\-clcerts\fR]
-[\fB\-cacerts\fR]
-[\fB\-nokeys\fR]
-[\fB\-info\fR]
-[\fB\-des | \-des3 | \-idea | \-aes128 | \-aes192 | \-aes256 | \-camellia128 | \-camellia192 | \-camellia256 | \-nodes\fR]
-[\fB\-noiter\fR]
-[\fB\-maciter | \-nomaciter | \-nomac\fR]
-[\fB\-twopass\fR]
-[\fB\-descert\fR]
-[\fB\-certpbe cipher\fR]
-[\fB\-keypbe cipher\fR]
-[\fB\-macalg digest\fR]
-[\fB\-keyex\fR]
-[\fB\-keysig\fR]
-[\fB\-password arg\fR]
-[\fB\-passin arg\fR]
-[\fB\-passout arg\fR]
-[\fB\-rand file(s)\fR]
-[\fB\-CAfile file\fR]
-[\fB\-CApath dir\fR]
-[\fB\-CSP name\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
-\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
-programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-There are a lot of options the meaning of some depends of whether a PKCS#12 file
-is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
-file can be created by using the \fB\-export\fR option (see below).
-.SH "PARSING OPTIONS"
-.IX Header "PARSING OPTIONS"
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies filename of the PKCS#12 file to be parsed. Standard input is used
-by default.
-.IP "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-The filename to write certificates and private keys to, standard output by
-default. They are all written in \s-1PEM\s0 format.
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-the PKCS#12 file (i.e. input file) password source. For more information about
-the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in
-\&\fIopenssl\fR\|(1).
-.IP "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-pass phrase source to encrypt any outputted private keys with. For more
-information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section
-in \fIopenssl\fR\|(1).
-.IP "\fB\-password arg\fR" 4
-.IX Item "-password arg"
-With \-export, \-password is equivalent to \-passout.
-Otherwise, \-password is equivalent to \-passin.
-.IP "\fB\-noout\fR" 4
-.IX Item "-noout"
-this option inhibits output of the keys and certificates to the output file
-version of the PKCS#12 file.
-.IP "\fB\-clcerts\fR" 4
-.IX Item "-clcerts"
-only output client certificates (not \s-1CA\s0 certificates).
-.IP "\fB\-cacerts\fR" 4
-.IX Item "-cacerts"
-only output \s-1CA\s0 certificates (not client certificates).
-.IP "\fB\-nocerts\fR" 4
-.IX Item "-nocerts"
-no certificates at all will be output.
-.IP "\fB\-nokeys\fR" 4
-.IX Item "-nokeys"
-no private keys will be output.
-.IP "\fB\-info\fR" 4
-.IX Item "-info"
-output additional information about the PKCS#12 file structure, algorithms used and
-iteration counts.
-.IP "\fB\-des\fR" 4
-.IX Item "-des"
-use \s-1DES\s0 to encrypt private keys before outputting.
-.IP "\fB\-des3\fR" 4
-.IX Item "-des3"
-use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default.
-.IP "\fB\-idea\fR" 4
-.IX Item "-idea"
-use \s-1IDEA\s0 to encrypt private keys before outputting.
-.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
-.IX Item "-aes128, -aes192, -aes256"
-use \s-1AES\s0 to encrypt private keys before outputting.
-.IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
-.IX Item "-camellia128, -camellia192, -camellia256"
-use Camellia to encrypt private keys before outputting.
-.IP "\fB\-nodes\fR" 4
-.IX Item "-nodes"
-don't encrypt the private keys at all.
-.IP "\fB\-nomacver\fR" 4
-.IX Item "-nomacver"
-don't attempt to verify the integrity \s-1MAC\s0 before reading the file.
-.IP "\fB\-twopass\fR" 4
-.IX Item "-twopass"
-prompt for separate integrity and encryption passwords: most software
-always assumes these are the same so this option will render such
-PKCS#12 files unreadable.
-.SH "FILE CREATION OPTIONS"
-.IX Header "FILE CREATION OPTIONS"
-.IP "\fB\-export\fR" 4
-.IX Item "-export"
-This option specifies that a PKCS#12 file will be created rather than
-parsed.
-.IP "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies filename to write the PKCS#12 file to. Standard output is used
-by default.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-The filename to read certificates and private keys from, standard input by
-default. They must all be in \s-1PEM\s0 format. The order doesn't matter but one
-private key and its corresponding certificate should be present. If additional
-certificates are present they will also be included in the PKCS#12 file.
-.IP "\fB\-inkey filename\fR" 4
-.IX Item "-inkey filename"
-file to read private key from. If not present then a private key must be present
-in the input file.
-.IP "\fB\-name friendlyname\fR" 4
-.IX Item "-name friendlyname"
-This specifies the \*(L"friendly name\*(R" for the certificate and private key. This
-name is typically displayed in list boxes by software importing the file.
-.IP "\fB\-certfile filename\fR" 4
-.IX Item "-certfile filename"
-A filename to read additional certificates from.
-.IP "\fB\-caname friendlyname\fR" 4
-.IX Item "-caname friendlyname"
-This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
-used multiple times to specify names for all certificates in the order they
-appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
-displays them.
-.IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
-.IX Item "-pass arg, -passout arg"
-the PKCS#12 file (i.e. output file) password source. For more information about
-the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in
-\&\fIopenssl\fR\|(1).
-.IP "\fB\-passin password\fR" 4
-.IX Item "-passin password"
-pass phrase source to decrypt any input private keys with. For more information
-about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in
-\&\fIopenssl\fR\|(1).
-.IP "\fB\-chain\fR" 4
-.IX Item "-chain"
-if this option is present then an attempt is made to include the entire
-certificate chain of the user certificate. The standard \s-1CA\s0 store is used
-for this search. If the search fails it is considered a fatal error.
-.IP "\fB\-descert\fR" 4
-.IX Item "-descert"
-encrypt the certificate using triple \s-1DES,\s0 this may render the PKCS#12
-file unreadable by some \*(L"export grade\*(R" software. By default the private
-key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2.\s0
-.IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
-.IX Item "-keypbe alg, -certpbe alg"
-these options allow the algorithm used to encrypt the private key and
-certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
-can be used (see \fB\s-1NOTES\s0\fR section for more information). If a cipher name
-(as output by the \fBlist-cipher-algorithms\fR command is specified then it
-is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
-use PKCS#12 algorithms.
-.IP "\fB\-keyex|\-keysig\fR" 4
-.IX Item "-keyex|-keysig"
-specifies that the private key is to be used for key exchange or just signing.
-This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
-\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for
-encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
-option marks the key for signing only. Signing only keys can be used for
-S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client
-authentication, however due to a bug only \s-1MSIE 5.0\s0 and later support
-the use of signing only keys for \s-1SSL\s0 client authentication.
-.IP "\fB\-macalg digest\fR" 4
-.IX Item "-macalg digest"
-specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will be used.
-.IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
-.IX Item "-nomaciter, -noiter"
-these options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
-Unless you wish to produce files compatible with \s-1MSIE 4.0\s0 you should leave
-these options alone.
-.Sp
-To discourage attacks by using large dictionaries of common passwords the
-algorithm that derives keys from passwords can have an iteration count applied
-to it: this causes a certain part of the algorithm to be repeated and slows it
-down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
-have the same password as the keys and certificates it could also be attacked.
-By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, using
-these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
-this reduces the file security you should not use these options unless you
-really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
-\&\s-1MSIE 4.0\s0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
-option.
-.IP "\fB\-maciter\fR" 4
-.IX Item "-maciter"
-This option is included for compatibility with previous versions, it used
-to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
-.IP "\fB\-nomac\fR" 4
-.IX Item "-nomac"
-don't attempt to provide the \s-1MAC\s0 integrity.
-.IP "\fB\-rand file(s)\fR" 4
-.IX Item "-rand file(s)"
-a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
-Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-\&\s-1CA\s0 storage as a file.
-.IP "\fB\-CApath dir\fR" 4
-.IX Item "-CApath dir"
-\&\s-1CA\s0 storage as a directory. This directory must be a standard certificate
-directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be
-linked to each certificate.
-.IP "\fB\-CSP name\fR" 4
-.IX Item "-CSP name"
-write \fBname\fR as a Microsoft \s-1CSP\s0 name.
-.SH "NOTES"
-.IX Header "NOTES"
-Although there are a large number of options most of them are very rarely
-used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
-for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
-.PP
-If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
-then all certificates will be output in the order they appear in the input
-PKCS#12 files. There is no guarantee that the first certificate present is
-the one corresponding to the private key. Certain software which requires
-a private key and certificate and assumes the first certificate in the
-file is the one corresponding to the private key: this may not always
-be the case. Using the \fB\-clcerts\fR option will solve this problem by only
-outputting the certificate corresponding to the private key. If the \s-1CA\s0
-certificates are required then they can be output to a separate file using
-the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates.
-.PP
-The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
-algorithms for private keys and certificates to be specified. Normally
-the defaults are fine but occasionally software can't handle triple \s-1DES\s0
-encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can
-be used to reduce the private key encryption to 40 bit \s-1RC2. A\s0 complete
-description of all algorithms is contained in the \fBpkcs8\fR manual page.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Parse a PKCS#12 file and output it to a file:
-.PP
-.Vb 1
-\& openssl pkcs12 \-in file.p12 \-out file.pem
-.Ve
-.PP
-Output only client certificates to a file:
-.PP
-.Vb 1
-\& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
-.Ve
-.PP
-Don't encrypt the private key:
-.PP
-.Vb 1
-\& openssl pkcs12 \-in file.p12 \-out file.pem \-nodes
-.Ve
-.PP
-Print some info about a PKCS#12 file:
-.PP
-.Vb 1
-\& openssl pkcs12 \-in file.p12 \-info \-noout
-.Ve
-.PP
-Create a PKCS#12 file:
-.PP
-.Vb 1
-\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate"
-.Ve
-.PP
-Include some extra certificates:
-.PP
-.Vb 2
-\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate" \e
-\& \-certfile othercerts.pem
-.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-Some would argue that the PKCS#12 standard is one big bug :\-)
-.PP
-Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
-routines. Under rare circumstances this could produce a PKCS#12 file encrypted
-with an invalid key. As a result some PKCS#12 files which triggered this bug
-from other implementations (\s-1MSIE\s0 or Netscape) could not be decrypted
-by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
-not be decrypted by other implementations. The chances of producing such
-a file are relatively small: less than 1 in 256.
-.PP
-A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
-files cannot no longer be parsed by the fixed version. Under such circumstances
-the \fBpkcs12\fR utility will report that the \s-1MAC\s0 is \s-1OK\s0 but fail with a decryption
-error when extracting private keys.
-.PP
-This problem can be resolved by extracting the private keys and certificates
-from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
-file from the keys and certificates using a newer version of OpenSSL. For example:
-.PP
-.Vb 2
-\& old\-openssl \-in bad.p12 \-out keycerts.pem
-\& openssl \-in keycerts.pem \-export \-name "My PKCS#12 file" \-out fixed.p12
-.Ve
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIpkcs8\fR\|(1)
diff --git a/usr.bin/openssl/man/pkcs7.1 b/usr.bin/openssl/man/pkcs7.1
deleted file mode 100644
index dcd8c10e58..0000000000
--- a/usr.bin/openssl/man/pkcs7.1
+++ /dev/null
@@ -1,230 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "PKCS7 1" -.TH PKCS7 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l
-.nh
-.SH "NAME"
-pkcs7 \- PKCS#7 utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBpkcs7\fR
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-print_certs\fR]
-[\fB\-text\fR]
-[\fB\-noout\fR]
-[\fB\-engine id\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format.
-.SH "COMMAND OPTIONS"
-.IX Header "COMMAND OPTIONS"
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7
-v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines.
-.IP "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read from or standard input if this
-option is not specified.
-.IP "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-specifies the output filename to write to or standard output by
-default.
-.IP "\fB\-print_certs\fR" 4
-.IX Item "-print_certs"
-prints out any certificates or CRLs contained in the file. They are
-preceded by their subject and issuer names in one line format.
-.IP "\fB\-text\fR" 4
-.IX Item "-text"
-prints out certificates details in full rather than just subject and
-issuer names.
-.IP "\fB\-noout\fR" 4
-.IX Item "-noout"
-don't output the encoded version of the PKCS#7 structure (or certificates
-is \fB\-print_certs\fR is set).
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs7\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0
-.PP
-.Vb 1
-\& openssl pkcs7 \-in file.pem \-outform DER \-out file.der
-.Ve
-.PP
-Output all certificates in a file:
-.PP
-.Vb 1
-\& openssl pkcs7 \-in file.pem \-print_certs \-out certs.pem
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 PKCS#7 format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
-\& \-\-\-\-\-END PKCS7\-\-\-\-\-
-.Ve
-.PP
-For compatibility with some CAs it will also accept:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
-\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
-.Ve
-.SH "RESTRICTIONS"
-.IX Header "RESTRICTIONS"
-There is no option to print out all the fields of a PKCS#7 file.
-.PP
-This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they
-cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630.\s0
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIcrl2pkcs7\fR\|(1)
diff --git a/usr.bin/openssl/man/pkcs8.1 b/usr.bin/openssl/man/pkcs8.1
deleted file mode 100644
index 168ff05623..0000000000
--- a/usr.bin/openssl/man/pkcs8.1
+++ /dev/null
@@ -1,372 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "PKCS8 1" -.TH PKCS8 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -pkcs8 \- PKCS#8 format private key conversion tool -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBpkcs8\fR -[\fB\-topk8\fR] -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-passin arg\fR] -[\fB\-out filename\fR] -[\fB\-passout arg\fR] -[\fB\-noiter\fR] -[\fB\-nocrypt\fR] -[\fB\-nooct\fR] -[\fB\-embed\fR] -[\fB\-nsdb\fR] -[\fB\-v2 alg\fR] -[\fB\-v2prf alg\fR] -[\fB\-v1 alg\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBpkcs8\fR command processes private keys in PKCS#8 format. It can handle -both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo -format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-topk8\fR" 4 -.IX Item "-topk8" -Normally a PKCS#8 private key is expected on input and a traditional format -private key will be written. With the \fB\-topk8\fR option the situation is -reversed: it reads a traditional format private key and writes a PKCS#8 -format key. -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. If a PKCS#8 format key is expected on input -then either a \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR encoded version of a PKCS#8 key will be -expected. Otherwise the \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR format of the traditional format -private key is used. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a key from or standard input if this -option is not specified. If the key is encrypted a pass phrase will be -prompted for. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the input file password source. 
For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write a key to or standard output by -default. If any encryption options are set then a pass phrase will be -prompted for. The output filename should \fBnot\fR be the same as the input -filename. -.IP "\fB\-passout arg\fR" 4 -.IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-nocrypt\fR" 4 -.IX Item "-nocrypt" -PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo -structures using an appropriate password based encryption algorithm. With -this option an unencrypted PrivateKeyInfo structure is expected or output. -This option does not encrypt private keys at all and should only be used -when absolutely necessary. Certain software such as some versions of Java -code signing software used unencrypted private keys. -.IP "\fB\-nooct\fR" 4 -.IX Item "-nooct" -This option generates \s-1RSA\s0 private keys in a broken format that some software -uses. Specifically the private key should be enclosed in a \s-1OCTET STRING\s0 -but some software just includes the structure itself without the -surrounding \s-1OCTET STRING.\s0 -.IP "\fB\-embed\fR" 4 -.IX Item "-embed" -This option generates \s-1DSA\s0 keys in a broken format. The \s-1DSA\s0 parameters are -embedded inside the PrivateKey structure. In this form the \s-1OCTET STRING\s0 -contains an \s-1ASN1 SEQUENCE\s0 consisting of two structures: a \s-1SEQUENCE\s0 containing -the parameters and an \s-1ASN1 INTEGER\s0 containing the private key. -.IP "\fB\-nsdb\fR" 4 -.IX Item "-nsdb" -This option generates \s-1DSA\s0 keys in a broken format compatible with Netscape -private key databases. 
The PrivateKey contains a \s-1SEQUENCE\s0 consisting of -the public and private keys respectively. -.IP "\fB\-v2 alg\fR" 4 -.IX Item "-v2 alg" -This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8 -private keys are encrypted with the password based encryption algorithm -called \fBpbeWithMD5AndDES\-CBC\fR this uses 56 bit \s-1DES\s0 encryption but it -was the strongest encryption algorithm supported in PKCS#5 v1.5. Using -the \fB\-v2\fR option PKCS#5 v2.0 algorithms are used which can use any -encryption algorithm such as 168 bit triple \s-1DES\s0 or 128 bit \s-1RC2\s0 however -not many implementations support PKCS#5 v2.0 yet. If you are just using -private keys with OpenSSL then this doesn't matter. -.Sp -The \fBalg\fR argument is the encryption algorithm to use, valid values include -\&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used. -.IP "\fB\-v2prf alg\fR" 4 -.IX Item "-v2prf alg" -This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value -values would be \fBhmacWithSHA256\fR. If this option isn't set then the default -for the cipher is used or \fBhmacWithSHA1\fR if there is no default. -.IP "\fB\-v1 alg\fR" 4 -.IX Item "-v1 alg" -This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete -list of possible algorithms is included below. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs8\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. 
-.SH "NOTES" -.IX Header "NOTES" -The encrypted form of a \s-1PEM\s0 encode PKCS#8 files uses the following -headers and footers: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN ENCRYPTED PRIVATE KEY\-\-\-\-\- -\& \-\-\-\-\-END ENCRYPTED PRIVATE KEY\-\-\-\-\- -.Ve -.PP -The unencrypted form uses: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- -\& \-\-\-\-\-END PRIVATE KEY\-\-\-\-\- -.Ve -.PP -Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration -counts are more secure that those encrypted using the traditional -SSLeay compatible formats. So if additional security is considered -important the keys should be converted. -.PP -The default encryption is only 56 bits because this is the encryption -that most current implementations of PKCS#8 will support. -.PP -Some software may use PKCS#12 password based encryption algorithms -with PKCS#8 format private keys: these are handled automatically -but there is no option to produce them. -.PP -It is possible to write out \s-1DER\s0 encoded encrypted private keys in -PKCS#8 format because the encryption details are included at an \s-1ASN1\s0 -level whereas the traditional format includes them at a \s-1PEM\s0 level. -.SH "PKCS#5 v1.5 and PKCS#12 algorithms." -.IX Header "PKCS#5 v1.5 and PKCS#12 algorithms." -Various algorithms can be used with the \fB\-v1\fR command line option, -including PKCS#5 v1.5 and PKCS#12. These are described in more detail -below. -.IP "\fB\s-1PBE\-MD2\-DES PBE\-MD5\-DES\s0\fR" 4 -.IX Item "PBE-MD2-DES PBE-MD5-DES" -These algorithms were included in the original PKCS#5 v1.5 specification. -They only offer 56 bits of protection since they both use \s-1DES.\s0 -.IP "\fB\s-1PBE\-SHA1\-RC2\-64 PBE\-MD2\-RC2\-64 PBE\-MD5\-RC2\-64 PBE\-SHA1\-DES\s0\fR" 4 -.IX Item "PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES" -These algorithms are not mentioned in the original PKCS#5 v1.5 specification -but they use the same key derivation algorithm and are supported by some -software. 
They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or -56 bit \s-1DES.\s0 -.IP "\fB\s-1PBE\-SHA1\-RC4\-128 PBE\-SHA1\-RC4\-40 PBE\-SHA1\-3DES PBE\-SHA1\-2DES PBE\-SHA1\-RC2\-128 PBE\-SHA1\-RC2\-40\s0\fR" 4 -.IX Item "PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40" -These algorithms use the PKCS#12 password based encryption algorithm and -allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Convert a private from traditional to PKCS#5 v2.0 format using triple -\&\s-1DES:\s0 -.PP -.Vb 1 -\& openssl pkcs8 \-in key.pem \-topk8 \-v2 des3 \-out enckey.pem -.Ve -.PP -Convert a private from traditional to PKCS#5 v2.0 format using \s-1AES\s0 with -256 bits in \s-1CBC\s0 mode and \fBhmacWithSHA256\fR \s-1PRF:\s0 -.PP -.Vb 1 -\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA256 \-out enckey.pem -.Ve -.PP -Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm -(\s-1DES\s0): -.PP -.Vb 1 -\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem -.Ve -.PP -Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm -(3DES): -.PP -.Vb 1 -\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem \-v1 PBE\-SHA1\-3DES -.Ve -.PP -Read a \s-1DER\s0 unencrypted PKCS#8 format private key: -.PP -.Vb 1 -\& openssl pkcs8 \-inform DER \-nocrypt \-in key.der \-out key.pem -.Ve -.PP -Convert a private key from any PKCS#8 format to traditional format: -.PP -.Vb 1 -\& openssl pkcs8 \-in pk8.pem \-out key.pem -.Ve -.SH "STANDARDS" -.IX Header "STANDARDS" -Test vectors from this PKCS#5 v2.0 implementation were posted to the -pkcs-tng mailing list using triple \s-1DES, DES\s0 and \s-1RC2\s0 with high iteration -counts, several people confirmed that they could decrypt the private -keys produced and Therefore it can be assumed that the PKCS#5 v2.0 -implementation is reasonably accurate at least as far as these 
-algorithms are concerned. -.PP -The format of PKCS#8 \s-1DSA \s0(and other) private keys is not well documented: -it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0 -PKCS#8 private key format complies with this standard. -.SH "BUGS" -.IX Header "BUGS" -There should be an option that prints out the encryption algorithm -in use and other details such as the iteration count. -.PP -PKCS#8 using triple \s-1DES\s0 and PKCS#5 v2.0 should be the default private -key format for OpenSSL: for compatibility several of the utilities use -the old format at present. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIdsa\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1), -\&\fIgendsa\fR\|(1) diff --git a/usr.bin/openssl/man/pkey.1 b/usr.bin/openssl/man/pkey.1 deleted file mode 100644 index 91d9416f18..0000000000 --- a/usr.bin/openssl/man/pkey.1 +++ /dev/null 
@@ -1,260 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "PKEY 1" -.TH PKEY 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -pkey \- public or private key processing tool -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBpkey\fR -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-passin arg\fR] -[\fB\-out filename\fR] -[\fB\-passout arg\fR] -[\fB\-cipher\fR] -[\fB\-text\fR] -[\fB\-text_pub\fR] -[\fB\-noout\fR] -[\fB\-pubin\fR] -[\fB\-pubout\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBpkey\fR command processes public or private keys. They can be converted -between various forms and their components printed out. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format \s-1DER\s0 or \s-1PEM.\s0 -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a key from or standard input if this -option is not specified. If the key is encrypted a pass phrase will be -prompted for. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write a key to or standard output if this -option is not specified. If any encryption options are set then a pass phrase -will be prompted for. The output filename should \fBnot\fR be the same as the input -filename. -.IP "\fB\-passout password\fR" 4 -.IX Item "-passout password" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). 
-.IP "\fB\-cipher\fR" 4 -.IX Item "-cipher" -These options encrypt the private key with the supplied cipher. Any algorithm -name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -prints out the various public or private key components in -plain text in addition to the encoded version. -.IP "\fB\-text_pub\fR" 4 -.IX Item "-text_pub" -print out only public key components even if a private key is being processed. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -do not output the encoded version of the key. -.IP "\fB\-pubin\fR" 4 -.IX Item "-pubin" -by default a private key is read from the input file: with this -option a public key is read instead. -.IP "\fB\-pubout\fR" 4 -.IX Item "-pubout" -by default a private key is output: with this option a public -key will be output instead. This option is automatically set if -the input is a public key. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkey\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. 
-.SH "EXAMPLES" -.IX Header "EXAMPLES" -To remove the pass phrase on an \s-1RSA\s0 private key: -.PP -.Vb 1 -\& openssl pkey \-in key.pem \-out keyout.pem -.Ve -.PP -To encrypt a private key using triple \s-1DES:\s0 -.PP -.Vb 1 -\& openssl pkey \-in key.pem \-des3 \-out keyout.pem -.Ve -.PP -To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: -.PP -.Vb 1 -\& openssl pkey \-in key.pem \-outform DER \-out keyout.der -.Ve -.PP -To print out the components of a private key to standard output: -.PP -.Vb 1 -\& openssl pkey \-in key.pem \-text \-noout -.Ve -.PP -To print out the public components of a private key to standard output: -.PP -.Vb 1 -\& openssl pkey \-in key.pem \-text_pub \-noout -.Ve -.PP -To just output the public part of a private key: -.PP -.Vb 1 -\& openssl pkey \-in key.pem \-pubout \-out pubkey.pem -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIgenpkey\fR\|(1), \fIrsa\fR\|(1), \fIpkcs8\fR\|(1), -\&\fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \fIgendsa\fR\|(1) diff --git a/usr.bin/openssl/man/pkeyparam.1 b/usr.bin/openssl/man/pkeyparam.1 deleted file mode 100644 index f7a2e75b2e..0000000000 --- a/usr.bin/openssl/man/pkeyparam.1 +++ /dev/null 
@@ -1,191 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "PKEYPARAM 1" -.TH PKEYPARAM 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -pkeyparam \- public key algorithm parameter processing tool -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBpkeyparam\fR -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-text\fR] -[\fB\-noout\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBpkey\fR command processes public or private keys. They can be converted -between various forms and their components printed out. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read parameters from or standard input if -this option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write parameters to or standard output if -this option is not specified. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -prints out the parameters in plain text in addition to the encoded version. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -do not output the encoded version of the parameters. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyparam\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.SH "EXAMPLE" -.IX Header "EXAMPLE" -Print out text version of parameters: -.PP -.Vb 1 -\& openssl pkeyparam \-in param.pem \-text -.Ve -.SH "NOTES" -.IX Header "NOTES" -There are no \fB\-inform\fR or \fB\-outform\fR options for this command because only -\&\s-1PEM\s0 format is supported because the key type is determined by the \s-1PEM\s0 headers. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIgenpkey\fR\|(1), \fIrsa\fR\|(1), \fIpkcs8\fR\|(1), -\&\fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \fIgendsa\fR\|(1) diff --git a/usr.bin/openssl/man/pkeyutl.1 b/usr.bin/openssl/man/pkeyutl.1 deleted file mode 100644 index d53ce593bb..0000000000 
--- a/usr.bin/openssl/man/pkeyutl.1 +++ /dev/null 
@@ -1,342 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "PKEYUTL 1" -.TH PKEYUTL 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -pkeyutl \- public key algorithm utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBpkeyutl\fR -[\fB\-in file\fR] -[\fB\-out file\fR] -[\fB\-sigfile file\fR] -[\fB\-inkey file\fR] -[\fB\-keyform PEM|DER\fR] -[\fB\-passin arg\fR] -[\fB\-peerkey file\fR] -[\fB\-peerform PEM|DER\fR] -[\fB\-pubin\fR] -[\fB\-certin\fR] -[\fB\-rev\fR] -[\fB\-sign\fR] -[\fB\-verify\fR] -[\fB\-verifyrecover\fR] -[\fB\-encrypt\fR] -[\fB\-decrypt\fR] -[\fB\-derive\fR] -[\fB\-pkeyopt opt:value\fR] -[\fB\-hexdump\fR] -[\fB\-asn1parse\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBpkeyutl\fR command can be used to perform public key operations using -any supported algorithm. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read data from or standard input -if this option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -specifies the output filename to write to or standard output by -default. -.IP "\fB\-inkey file\fR" 4 -.IX Item "-inkey file" -the input key file, by default it should be a private key. -.IP "\fB\-keyform PEM|DER\fR" 4 -.IX Item "-keyform PEM|DER" -the key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the input key password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-peerkey file\fR" 4 -.IX Item "-peerkey file" -the peer key file, used by key derivation (agreement) operations. -.IP "\fB\-peerform PEM|DER\fR" 4 -.IX Item "-peerform PEM|DER" -the peer key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyutl\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. 
The engine will then be set as the default -for all available algorithms. -.IP "\fB\-pubin\fR" 4 -.IX Item "-pubin" -the input file is a public key. -.IP "\fB\-certin\fR" 4 -.IX Item "-certin" -the input is a certificate containing a public key. -.IP "\fB\-rev\fR" 4 -.IX Item "-rev" -reverse the order of the input buffer. This is useful for some libraries -(such as CryptoAPI) which represent the buffer in little endian format. -.IP "\fB\-sign\fR" 4 -.IX Item "-sign" -sign the input data and output the signed result. This requires -a private key. -.IP "\fB\-verify\fR" 4 -.IX Item "-verify" -verify the input data against the signature file and indicate if the -verification succeeded or failed. -.IP "\fB\-verifyrecover\fR" 4 -.IX Item "-verifyrecover" -verify the input data and output the recovered data. -.IP "\fB\-encrypt\fR" 4 -.IX Item "-encrypt" -encrypt the input data using a public key. -.IP "\fB\-decrypt\fR" 4 -.IX Item "-decrypt" -decrypt the input data using a private key. -.IP "\fB\-derive\fR" 4 -.IX Item "-derive" -derive a shared secret using the peer key. -.IP "\fB\-hexdump\fR" 4 -.IX Item "-hexdump" -hex dump the output data. -.IP "\fB\-asn1parse\fR" 4 -.IX Item "-asn1parse" -asn1parse the output data, this is useful when combined with the -\&\fB\-verifyrecover\fR option when an \s-1ASN1\s0 structure is signed. -.SH "NOTES" -.IX Header "NOTES" -The operations and options supported vary according to the key algorithm -and its implementation. The OpenSSL operations and options are indicated below. -.PP -Unless otherwise mentioned all algorithms support the \fBdigest:alg\fR option -which specifies the digest in use for sign, verify and verifyrecover operations. -The value \fBalg\fR should represent a digest name as used in the -\&\fIEVP_get_digestbyname()\fR function for example \fBsha1\fR. -This value is used only for sanity-checking the lengths of data passed in to -the \fBpkeyutl\fR and for creating the structures that make up the signature -(e.g. 
\fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures). -In case of \s-1RSA, ECDSA\s0 and \s-1DSA\s0 signatures, this utility -will not perform hashing on input data but rather use the data directly as -input of signature algorithm. Depending on key type, signature type and mode -of padding, the maximum acceptable lengths of input data differ. In general, -with \s-1RSA\s0 the signed data can't be longer than the key modulus, in case of \s-1ECDSA\s0 -and \s-1DSA\s0 the data shouldn't be longer than field size, otherwise it will be -silently truncated to field size. -.PP -In other words, if the value of digest is \fBsha1\fR the input should be 20 bytes -long binary encoding of \s-1SHA\-1\s0 hash function output. -.SH "RSA ALGORITHM" -.IX Header "RSA ALGORITHM" -The \s-1RSA\s0 algorithm supports encrypt, decrypt, sign, verify and verifyrecover -operations in general. Some padding modes only support some of these -operations however. -.IP "\-\fBrsa_padding_mode:mode\fR" 4 -.IX Item "-rsa_padding_mode:mode" -This sets the \s-1RSA\s0 padding mode. Acceptable values for \fBmode\fR are \fBpkcs1\fR for -PKCS#1 padding, \fBsslv23\fR for SSLv23 padding, \fBnone\fR for no padding, \fBoaep\fR -for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS.\s0 -.Sp -In PKCS#1 padding if the message digest is not set then the supplied data is -signed or verified directly instead of using a \fBDigestInfo\fR structure. If a -digest is set then the a \fBDigestInfo\fR structure is used and its the length -must correspond to the digest type. -.Sp -For \fBoeap\fR mode only encryption and decryption is supported. -.Sp -For \fBx931\fR if the digest type is set it is used to format the block data -otherwise the first byte is used to specify the X9.31 digest \s-1ID.\s0 Sign, -verify and verifyrecover are can be performed in this mode. -.Sp -For \fBpss\fR mode only sign and verify are supported and the digest type must be -specified. 
-.IP "\fBrsa_pss_saltlen:len\fR" 4 -.IX Item "rsa_pss_saltlen:len" -For \fBpss\fR mode only this option specifies the salt length. Two special values -are supported: \-1 sets the salt length to the digest length. When signing \-2 -sets the salt length to the maximum permissible value. When verifying \-2 causes -the salt length to be automatically determined based on the \fB\s-1PSS\s0\fR block -structure. -.SH "DSA ALGORITHM" -.IX Header "DSA ALGORITHM" -The \s-1DSA\s0 algorithm supports signing and verification operations only. Currently -there are no additional options other than \fBdigest\fR. Only the \s-1SHA1\s0 -digest can be used and this digest is assumed by default. -.SH "DH ALGORITHM" -.IX Header "DH ALGORITHM" -The \s-1DH\s0 algorithm only supports the derivation operation and no additional -options. -.SH "EC ALGORITHM" -.IX Header "EC ALGORITHM" -The \s-1EC\s0 algorithm supports sign, verify and derive operations. The sign and -verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH.\s0 Currently there are no -additional options other than \fBdigest\fR. Only the \s-1SHA1\s0 digest can be used and -this digest is assumed by default. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Sign some data using a private key: -.PP -.Vb 1 -\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig -.Ve -.PP -Recover the signed data (e.g. if an \s-1RSA\s0 key is used): -.PP -.Vb 1 -\& openssl pkeyutl \-verifyrecover \-in sig \-inkey key.pem -.Ve -.PP -Verify the signature (e.g. 
a \s-1DSA\s0 key): -.PP -.Vb 1 -\& openssl pkeyutl \-verify \-in file \-sigfile sig \-inkey key.pem -.Ve -.PP -Sign data using a message digest value (this is currently only valid for \s-1RSA\s0): -.PP -.Vb 1 -\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig \-pkeyopt digest:sha256 -.Ve -.PP -Derive a shared secret value: -.PP -.Vb 1 -\& openssl pkeyutl \-derive \-inkey key.pem \-peerkey pubkey.pem \-out secret -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIgenpkey\fR\|(1), \fIpkey\fR\|(1), \fIrsautl\fR\|(1) -\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1) diff --git a/usr.bin/openssl/man/rand.1 b/usr.bin/openssl/man/rand.1 deleted file mode 100644 index a088d6d154..0000000000 --- a/usr.bin/openssl/man/rand.1 +++ /dev/null 
@@ -1,179 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "RAND 1" -.TH RAND 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -rand \- generate pseudo\-random bytes -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl rand\fR -[\fB\-out\fR \fIfile\fR] -[\fB\-rand\fR \fIfile(s)\fR] -[\fB\-base64\fR] -[\fB\-hex\fR] -\&\fInum\fR -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding -the random number generator once. As in other \fBopenssl\fR command -line tools, \s-1PRNG\s0 seeding uses the file \fI\f(CI$HOME\fI/\fR\fB.rnd\fR or \fB.rnd\fR -in addition to the files given in the \fB\-rand\fR option. A new -\&\fI\f(CI$HOME\fI\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough -seeding was obtained from these sources. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-out\fR \fIfile\fR" 4 -.IX Item "-out file" -Write to \fIfile\fR instead of standard output. -.IP "\fB\-rand\fR \fIfile(s)\fR" 4 -.IX Item "-rand file(s)" -Use specified file or files or \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)) -for seeding the random number generator. -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fB\-base64\fR" 4 -.IX Item "-base64" -Perform base64 encoding on the output. -.IP "\fB\-hex\fR" 4 -.IX Item "-hex" -Show the output as a hex string. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIRAND_bytes\fR\|(3) diff --git a/usr.bin/openssl/man/req.1 b/usr.bin/openssl/man/req.1 deleted file mode 100644 index 46c548f1a8..0000000000 --- a/usr.bin/openssl/man/req.1 +++ /dev/null 
@@ -1,771 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "REQ 1" -.TH REQ 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -req \- PKCS#10 certificate request and certificate generating utility. 
-.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBreq\fR -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-passin arg\fR] -[\fB\-out filename\fR] -[\fB\-passout arg\fR] -[\fB\-text\fR] -[\fB\-pubkey\fR] -[\fB\-noout\fR] -[\fB\-verify\fR] -[\fB\-modulus\fR] -[\fB\-new\fR] -[\fB\-rand file(s)\fR] -[\fB\-newkey rsa:bits\fR] -[\fB\-newkey alg:file\fR] -[\fB\-nodes\fR] -[\fB\-key filename\fR] -[\fB\-keyform PEM|DER\fR] -[\fB\-keyout filename\fR] -[\fB\-keygen_engine id\fR] -[\fB\-[digest]\fR] -[\fB\-config filename\fR] -[\fB\-multivalue\-rdn\fR] -[\fB\-x509\fR] -[\fB\-days n\fR] -[\fB\-set_serial n\fR] -[\fB\-asn1\-kludge\fR] -[\fB\-no\-asn1\-kludge\fR] -[\fB\-newhdr\fR] -[\fB\-extensions section\fR] -[\fB\-reqexts section\fR] -[\fB\-utf8\fR] -[\fB\-nameopt\fR] -[\fB\-reqopt\fR] -[\fB\-subject\fR] -[\fB\-subj arg\fR] -[\fB\-batch\fR] -[\fB\-verbose\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBreq\fR command primarily creates and processes certificate requests -in PKCS#10 format. It can additionally create self signed certificates -for use as root CAs for example. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded -form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it -consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and -footer lines. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a request from or standard input -if this option is not specified. A request is only read if the creation -options (\fB\-new\fR and \fB\-newkey\fR) are not specified. 
-.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write to or standard output by -default. -.IP "\fB\-passout arg\fR" 4 -.IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-text\fR" 4 -.IX Item "-text" -prints out the certificate request in text form. -.IP "\fB\-subject\fR" 4 -.IX Item "-subject" -prints out the request subject (or certificate subject if \fB\-x509\fR is -specified) -.IP "\fB\-pubkey\fR" 4 -.IX Item "-pubkey" -outputs the public key. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -this option prevents output of the encoded version of the request. -.IP "\fB\-modulus\fR" 4 -.IX Item "-modulus" -this option prints out the value of the modulus of the public key -contained in the request. -.IP "\fB\-verify\fR" 4 -.IX Item "-verify" -verifies the signature on the request. -.IP "\fB\-new\fR" 4 -.IX Item "-new" -this option generates a new certificate request. It will prompt -the user for the relevant field values. The actual fields -prompted for and their maximum and minimum sizes are specified -in the configuration file and any requested extensions. -.Sp -If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private -key using information specified in the configuration file. -.IP "\fB\-subj arg\fR" 4 -.IX Item "-subj arg" -Replaces subject field of input request with specified data and outputs -modified request. The arg must be formatted as -\&\fI/type0=value0/type1=value1/type2=...\fR, -characters may be escaped by \e (backslash), no spaces are skipped. 
-.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fB\-newkey arg\fR" 4 -.IX Item "-newkey arg" -this option creates a new certificate request and a new private -key. The argument takes one of several forms. \fBrsa:nbits\fR, where -\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR -in size. If \fBnbits\fR is omitted, i.e. \fB\-newkey rsa\fR specified, -the default key size, specified in the configuration file is used. -.Sp -All other algorithms support the \fB\-newkey alg:file\fR form, where file may be -an algorithm parameter file, created by the \fBgenpkey \-genparam\fR command -or and X.509 certificate for a key with approriate algorithm. -.Sp -\&\fBparam:file\fR generates a key using the parameter file or certificate \fBfile\fR, -the algorithm is determined by the parameters. \fBalgname:file\fR use algorithm -\&\fBalgname\fR and parameter file \fBfile\fR: the two algorithms must match or an -error occurs. \fBalgname\fR just uses algorithm \fBalgname\fR, and parameters, -if neccessary should be specified via \fB\-pkeyopt\fR parameter. -.Sp -\&\fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters -in the file \fBfilename\fR. \fBec:filename\fR generates \s-1EC\s0 key (usable both with -\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:filename\fR generates \s-1GOST R -34.10\-2001\s0 key (requires \fBccgost\fR engine configured in the configuration -file). If just \fBgost2001\fR is specified a parameter set should be -specified by \fB\-pkeyopt paramset:X\fR -.IP "\fB\-pkeyopt opt:value\fR" 4 -.IX Item "-pkeyopt opt:value" -set the public key algorithm option \fBopt\fR to \fBvalue\fR. 
The precise set of -options supported depends on the public key algorithm used and its -implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR in the \fBgenpkey\fR manual page -for more details. -.IP "\fB\-key filename\fR" 4 -.IX Item "-key filename" -This specifies the file to read the private key from. It also -accepts PKCS#8 format private keys for \s-1PEM\s0 format files. -.IP "\fB\-keyform PEM|DER\fR" 4 -.IX Item "-keyform PEM|DER" -the format of the private key file specified in the \fB\-key\fR -argument. \s-1PEM\s0 is the default. -.IP "\fB\-keyout filename\fR" 4 -.IX Item "-keyout filename" -this gives the filename to write the newly created private key to. -If this option is not specified then the filename present in the -configuration file is used. -.IP "\fB\-nodes\fR" 4 -.IX Item "-nodes" -if this option is specified then if a private key is created it -will not be encrypted. -.IP "\fB\-[digest]\fR" 4 -.IX Item "-[digest]" -this specifies the message digest to sign the request with (such as -\&\fB\-md5\fR, \fB\-sha1\fR). This overrides the digest algorithm specified in -the configuration file. -.Sp -Some public key algorithms may override this choice. For instance, \s-1DSA\s0 -signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use -\&\s-1GOST R 34.11\-94 \s0(\fB\-md_gost94\fR). -.IP "\fB\-config filename\fR" 4 -.IX Item "-config filename" -this allows an alternative configuration file to be specified, -this overrides the compile time filename or any specified in -the \fB\s-1OPENSSL_CONF\s0\fR environment variable. -.IP "\fB\-subj arg\fR" 4 -.IX Item "-subj arg" -sets subject name for new request or supersedes the subject name -when processing a request. -The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, -characters may be escaped by \e (backslash), no spaces are skipped. 
-.IP "\fB\-multivalue\-rdn\fR" 4 -.IX Item "-multivalue-rdn" -this option causes the \-subj argument to be interpreted with full -support for multivalued RDNs. Example: -.Sp -\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR -.Sp -If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. -.IP "\fB\-x509\fR" 4 -.IX Item "-x509" -this option outputs a self signed certificate instead of a certificate -request. This is typically used to generate a test certificate or -a self signed root \s-1CA.\s0 The extensions added to the certificate -(if any) are specified in the configuration file. Unless specified -using the \fBset_serial\fR option, a large random number will be used for -the serial number. -.IP "\fB\-days n\fR" 4 -.IX Item "-days n" -when the \fB\-x509\fR option is being used this specifies the number of -days to certify the certificate for. The default is 30 days. -.IP "\fB\-set_serial n\fR" 4 -.IX Item "-set_serial n" -serial number to use when outputting a self signed certificate. This -may be specified as a decimal value or a hex value if preceded by \fB0x\fR. -It is possible to use negative serial numbers but this is not recommended. -.IP "\fB\-extensions section\fR" 4 -.IX Item "-extensions section" -.PD 0 -.IP "\fB\-reqexts section\fR" 4 -.IX Item "-reqexts section" -.PD -these options specify alternative sections to include certificate -extensions (if the \fB\-x509\fR option is present) or certificate -request extensions. This allows several different sections to -be used in the same configuration file to specify requests for -a variety of purposes. -.IP "\fB\-utf8\fR" 4 -.IX Item "-utf8" -this option causes field values to be interpreted as \s-1UTF8\s0 strings, by -default they are interpreted as \s-1ASCII.\s0 This means that the field -values, whether prompted from a terminal or obtained from a -configuration file, must be valid \s-1UTF8\s0 strings. 
-.IP "\fB\-nameopt option\fR" 4 -.IX Item "-nameopt option" -option which determines how the subject or issuer names are displayed. The -\&\fBoption\fR argument can be a single option or multiple options separated by -commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to -set multiple options. See the \fIx509\fR\|(1) manual page for details. -.IP "\fB\-reqopt\fR" 4 -.IX Item "-reqopt" -customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be -a single option or multiple options separated by commas. -.Sp -See discission of the \fB\-certopt\fR parameter in the \fBx509\fR -command. -.IP "\fB\-asn1\-kludge\fR" 4 -.IX Item "-asn1-kludge" -by default the \fBreq\fR command outputs certificate requests containing -no attributes in the correct PKCS#10 format. However certain CAs will only -accept requests containing no attributes in an invalid form: this -option produces this invalid format. -.Sp -More precisely the \fBAttributes\fR in a PKCS#10 certificate request -are defined as a \fB\s-1SET OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so -if no attributes are present then they should be encoded as an -empty \fB\s-1SET OF\s0\fR. The invalid form does not include the empty -\&\fB\s-1SET OF\s0\fR whereas the correct form does. -.Sp -It should be noted that very few CAs still require the use of this option. -.IP "\fB\-no\-asn1\-kludge\fR" 4 -.IX Item "-no-asn1-kludge" -Reverses effect of \fB\-asn1\-kludge\fR -.IP "\fB\-newhdr\fR" 4 -.IX Item "-newhdr" -Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputted -request. Some software (Netscape certificate server) and some CAs need this. -.IP "\fB\-batch\fR" 4 -.IX Item "-batch" -non-interactive mode. -.IP "\fB\-verbose\fR" 4 -.IX Item "-verbose" -print extra details about the operations being performed. 
-.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBreq\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.IP "\fB\-keygen_engine id\fR" 4 -.IX Item "-keygen_engine id" -specifies an engine (by its unique \fBid\fR string) which would be used -for key generation operations. -.SH "CONFIGURATION FILE FORMAT" -.IX Header "CONFIGURATION FILE FORMAT" -The configuration options are specified in the \fBreq\fR section of -the configuration file. As with all configuration files if no -value is specified in the specific section (i.e. \fBreq\fR) then -the initial unnamed or \fBdefault\fR section is searched too. -.PP -The options available are described in detail below. -.IP "\fBinput_password output_password\fR" 4 -.IX Item "input_password output_password" -The passwords for the input private key file (if present) and -the output private key file (if one will be created). The -command line options \fBpassin\fR and \fBpassout\fR override the -configuration file values. -.IP "\fBdefault_bits\fR" 4 -.IX Item "default_bits" -Specifies the default key size in bits. -.Sp -This option is used in conjunction with the \fB\-new\fR option to generate -a new key. It can be overridden by specifying an explicit key size in -the \fB\-newkey\fR option. The smallest accepted key size is 512 bits. If -no key size is specified then 2048 bits is used. -.IP "\fBdefault_keyfile\fR" 4 -.IX Item "default_keyfile" -This is the default filename to write a private key to. If not -specified the key is written to standard output. This can be -overridden by the \fB\-keyout\fR option. -.IP "\fBoid_file\fR" 4 -.IX Item "oid_file" -This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR. 
-Each line of the file should consist of the numerical form of the -object identifier followed by white space then the short name followed -by white space and finally the long name. -.IP "\fBoid_section\fR" 4 -.IX Item "oid_section" -This specifies a section in the configuration file containing extra -object identifiers. Each line should consist of the short name of the -object identifier followed by \fB=\fR and the numerical form. The short -and long names are the same when this option is used. -.IP "\fB\s-1RANDFILE\s0\fR" 4 -.IX Item "RANDFILE" -This specifies a filename in which random number seed information is -placed and read from, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -It is used for private key generation. -.IP "\fBencrypt_key\fR" 4 -.IX Item "encrypt_key" -If this is set to \fBno\fR then if a private key is generated it is -\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line -option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option. -.IP "\fBdefault_md\fR" 4 -.IX Item "default_md" -This option specifies the digest algorithm to use. Possible values -include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This -option can be overridden on the command line. -.IP "\fBstring_mask\fR" 4 -.IX Item "string_mask" -This option masks out the use of certain string types in certain -fields. Most users will not need to change this option. -.Sp -It can be set to several values \fBdefault\fR which is also the default -option uses PrintableStrings, T61Strings and BMPStrings if the -\&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will -be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459.\s0 If the -\&\fButf8only\fR option is used then only UTF8Strings will be used: this -is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. 
Finally the \fBnombstr\fR -option just uses PrintableStrings and T61Strings: certain software has -problems with BMPStrings and UTF8Strings: in particular Netscape. -.IP "\fBreq_extensions\fR" 4 -.IX Item "req_extensions" -this specifies the configuration file section containing a list of -extensions to add to the certificate request. It can be overridden -by the \fB\-reqexts\fR command line switch. See the -\&\fIx509v3_config\fR\|(5) manual page for details of the -extension section format. -.IP "\fBx509_extensions\fR" 4 -.IX Item "x509_extensions" -this specifies the configuration file section containing a list of -extensions to add to certificate generated when the \fB\-x509\fR switch -is used. It can be overridden by the \fB\-extensions\fR command line switch. -.IP "\fBprompt\fR" 4 -.IX Item "prompt" -if set to the value \fBno\fR this disables prompting of certificate fields -and just takes values from the config file directly. It also changes the -expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections. -.IP "\fButf8\fR" 4 -.IX Item "utf8" -if set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0 -strings, by default they are interpreted as \s-1ASCII.\s0 This means that -the field values, whether prompted from a terminal or obtained from a -configuration file, must be valid \s-1UTF8\s0 strings. -.IP "\fBattributes\fR" 4 -.IX Item "attributes" -this specifies the section containing any request attributes: its format -is the same as \fBdistinguished_name\fR. Typically these may contain the -challengePassword or unstructuredName types. They are currently ignored -by OpenSSL's request signing utilities but some CAs might want them. -.IP "\fBdistinguished_name\fR" 4 -.IX Item "distinguished_name" -This specifies the section containing the distinguished name fields to -prompt for when generating a certificate or certificate request. The format -is described in the next section. 
-.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" -.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" -There are two separate formats for the distinguished name and attribute -sections. If the \fBprompt\fR option is set to \fBno\fR then these sections -just consist of field names and values: for example, -.PP -.Vb 3 -\& CN=My Name -\& OU=My Organization -\& emailAddress=someone@somewhere.org -.Ve -.PP -This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file -with all the field names and values and just pass it to \fBreq\fR. An example -of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section. -.PP -Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the -file contains field prompting information. It consists of lines of the form: -.PP -.Vb 4 -\& fieldName="prompt" -\& fieldName_default="default field value" -\& fieldName_min= 2 -\& fieldName_max= 4 -.Ve -.PP -\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0). -The \*(L"prompt\*(R" string is used to ask the user to enter the relevant -details. If the user enters nothing then the default value is used if no -default value is present then the field is omitted. A field can -still be omitted if a default value is present if the user just -enters the '.' character. -.PP -The number of characters entered must be between the fieldName_min and -fieldName_max limits: there may be additional restrictions based -on the field being used (for example countryName can only ever be -two characters long and must fit in a PrintableString). -.PP -Some fields (such as organizationName) can be used more than once -in a \s-1DN.\s0 This presents a problem because configuration files will -not recognize the same name occurring twice. To avoid this problem -if the fieldName contains some characters followed by a full stop -they will be ignored. 
So for example a second organizationName can -be input by calling it \*(L"1.organizationName\*(R". -.PP -The actual permitted field names are any object identifier short or -long names. These are compiled into OpenSSL and include the usual -values such as commonName, countryName, localityName, organizationName, -organizationalUnitName, stateOrProvinceName. Additionally emailAddress -is include as well as name, surname, givenName initials and dnQualifier. -.PP -Additional object identifiers can be defined with the \fBoid_file\fR or -\&\fBoid_section\fR options in the configuration file. Any additional fields -will be treated as though they were a DirectoryString. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Examine and verify certificate request: -.PP -.Vb 1 -\& openssl req \-in req.pem \-text \-verify \-noout -.Ve -.PP -Create a private key and then generate a certificate request from it: -.PP -.Vb 2 -\& openssl genrsa \-out key.pem 2048 -\& openssl req \-new \-key key.pem \-out req.pem -.Ve -.PP -The same but just using req: -.PP -.Vb 1 -\& openssl req \-newkey rsa:2048 \-keyout key.pem \-out req.pem -.Ve -.PP -Generate a self signed root certificate: -.PP -.Vb 1 -\& openssl req \-x509 \-newkey rsa:2048 \-keyout key.pem \-out req.pem -.Ve -.PP -Example of a file pointed to by the \fBoid_file\fR option: -.PP -.Vb 2 -\& 1.2.3.4 shortName A longer Name -\& 1.2.3.6 otherName Other longer Name -.Ve -.PP -Example of a section pointed to by \fBoid_section\fR making use of variable -expansion: -.PP -.Vb 2 -\& testoid1=1.2.3.5 -\& testoid2=${testoid1}.6 -.Ve -.PP -Sample configuration file prompting for field values: -.PP -.Vb 6 -\& [ req ] -\& default_bits = 2048 -\& default_keyfile = privkey.pem -\& distinguished_name = req_distinguished_name -\& attributes = req_attributes -\& x509_extensions = v3_ca -\& -\& dirstring_type = nobmp -\& -\& [ req_distinguished_name ] -\& countryName = Country Name (2 letter code) -\& countryName_default = AU -\& countryName_min = 2 -\& 
countryName_max = 2 -\& -\& localityName = Locality Name (eg, city) -\& -\& organizationalUnitName = Organizational Unit Name (eg, section) -\& -\& commonName = Common Name (eg, YOUR name) -\& commonName_max = 64 -\& -\& emailAddress = Email Address -\& emailAddress_max = 40 -\& -\& [ req_attributes ] -\& challengePassword = A challenge password -\& challengePassword_min = 4 -\& challengePassword_max = 20 -\& -\& [ v3_ca ] -\& -\& subjectKeyIdentifier=hash -\& authorityKeyIdentifier=keyid:always,issuer:always -\& basicConstraints = CA:true -.Ve -.PP -Sample configuration containing all field values: -.PP -.Vb 1 -\& RANDFILE = $ENV::HOME/.rnd -\& -\& [ req ] -\& default_bits = 2048 -\& default_keyfile = keyfile.pem -\& distinguished_name = req_distinguished_name -\& attributes = req_attributes -\& prompt = no -\& output_password = mypass -\& -\& [ req_distinguished_name ] -\& C = GB -\& ST = Test State or Province -\& L = Test Locality -\& O = Organization Name -\& OU = Organizational Unit Name -\& CN = Common Name -\& emailAddress = test@email.address -\& -\& [ req_attributes ] -\& challengePassword = A challenge password -.Ve -.SH "NOTES" -.IX Header "NOTES" -The header and footer lines in the \fB\s-1PEM\s0\fR format are normally: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN CERTIFICATE REQUEST\-\-\-\-\- -\& \-\-\-\-\-END CERTIFICATE REQUEST\-\-\-\-\- -.Ve -.PP -some software (some versions of Netscape certificate server) instead needs: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN NEW CERTIFICATE REQUEST\-\-\-\-\- -\& \-\-\-\-\-END NEW CERTIFICATE REQUEST\-\-\-\-\- -.Ve -.PP -which is produced with the \fB\-newhdr\fR option but is otherwise compatible. -Either form is accepted transparently on input. -.PP -The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions -added. It includes the \fBkeyUsage\fR extension which determines the type of -key (signature only or general purpose) and any additional OIDs entered -by the script in an extendedKeyUsage extension. 
-.SH "DIAGNOSTICS" -.IX Header "DIAGNOSTICS" -The following messages are frequently asked about: -.PP -.Vb 2 -\& Using configuration from /some/path/openssl.cnf -\& Unable to load config info -.Ve -.PP -This is followed some time later by... -.PP -.Vb 2 -\& unable to find \*(Aqdistinguished_name\*(Aq in config -\& problems making Certificate Request -.Ve -.PP -The first error message is the clue: it can't find the configuration -file! Certain operations (like examining a certificate request) don't -need a configuration file so its use isn't enforced. Generation of -certificates or requests however does need a configuration file. This -could be regarded as a bug. -.PP -Another puzzling message is this: -.PP -.Vb 2 -\& Attributes: -\& a0:00 -.Ve -.PP -this is displayed when no attributes are present and the request includes -the correct empty \fB\s-1SET OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0 -0x00). If you just see: -.PP -.Vb 1 -\& Attributes: -.Ve -.PP -then the \fB\s-1SET OF\s0\fR is missing and the encoding is technically invalid (but -it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR -for more information. -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration -file location to be specified, it will be overridden by the \fB\-config\fR command -line switch if it is present. For compatibility reasons the \fB\s-1SSLEAY_CONF\s0\fR -environment variable serves the same purpose but its use is discouraged. -.SH "BUGS" -.IX Header "BUGS" -OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively -treats them as \s-1ISO\-8859\-1 \s0(Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour. -This can cause problems if you need characters that aren't available in -PrintableStrings and you don't want to or can't use BMPStrings. 
-.PP -As a consequence of the T61String handling the only correct way to represent -accented characters in OpenSSL is to use a BMPString: unfortunately Netscape -currently chokes on these. If you have to use accented characters with Netscape -and \s-1MSIE\s0 then you currently need to use the invalid T61String form. -.PP -The current prompting is not very friendly. It doesn't allow you to confirm what -you've just entered. Other things like extensions in certificate requests are -statically defined in the configuration file. Some of these: like an email -address in subjectAltName should be input by the user. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), -\&\fIgendsa\fR\|(1), \fIconfig\fR\|(5), -\&\fIx509v3_config\fR\|(5) diff --git a/usr.bin/openssl/man/rsa.1 b/usr.bin/openssl/man/rsa.1 deleted file mode 100644 index d1ce9680f3..0000000000 --- a/usr.bin/openssl/man/rsa.1 +++ /dev/null 
@@ -1,336 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "RSA 1" -.TH RSA 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -rsa \- RSA key processing tool -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBrsa\fR -[\fB\-inform PEM|NET|DER\fR] -[\fB\-outform PEM|NET|DER\fR] -[\fB\-in filename\fR] -[\fB\-passin arg\fR] -[\fB\-out filename\fR] -[\fB\-passout arg\fR] -[\fB\-sgckey\fR] -[\fB\-aes128\fR] -[\fB\-aes192\fR] -[\fB\-aes256\fR] -[\fB\-camellia128\fR] -[\fB\-camellia192\fR] -[\fB\-camellia256\fR] -[\fB\-des\fR] -[\fB\-des3\fR] -[\fB\-idea\fR] -[\fB\-text\fR] -[\fB\-noout\fR] -[\fB\-modulus\fR] -[\fB\-check\fR] -[\fB\-pubin\fR] -[\fB\-pubout\fR] -[\fB\-RSAPublicKey_in\fR] -[\fB\-RSAPublicKey_out\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBrsa\fR command processes \s-1RSA\s0 keys. They can be converted between various -forms and their components printed out. \fBNote\fR this command uses the -traditional SSLeay compatible format for private key encryption: newer -applications should use the more secure PKCS#8 format using the \fBpkcs8\fR -utility. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-inform DER|NET|PEM\fR" 4 -.IX Item "-inform DER|NET|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded -form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. -The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 -encoded with additional header and footer lines. On input PKCS#8 format private -keys are also accepted. The \fB\s-1NET\s0\fR form is a format is described in the \fB\s-1NOTES\s0\fR -section. -.IP "\fB\-outform DER|NET|PEM\fR" 4 -.IX Item "-outform DER|NET|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a key from or standard input if this -option is not specified. If the key is encrypted a pass phrase will be -prompted for. 
-.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write a key to or standard output if this -option is not specified. If any encryption options are set then a pass phrase -will be prompted for. The output filename should \fBnot\fR be the same as the input -filename. -.IP "\fB\-passout password\fR" 4 -.IX Item "-passout password" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-sgckey\fR" 4 -.IX Item "-sgckey" -use the modified \s-1NET\s0 algorithm used with some versions of Microsoft \s-1IIS\s0 and \s-1SGC\s0 -keys. -.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4 -.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea" -These options encrypt the private key with the specified -cipher before outputting it. A pass phrase is prompted for. -If none of these options is specified the key is written in plain text. This -means that using the \fBrsa\fR utility to read in an encrypted key with no -encryption option can be used to remove the pass phrase from a key, or by -setting the encryption options it can be use to add or change the pass phrase. -These options can only be used with \s-1PEM\s0 format output files. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -prints out the various public or private key components in -plain text in addition to the encoded version. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -this option prevents output of the encoded version of the key. -.IP "\fB\-modulus\fR" 4 -.IX Item "-modulus" -this option prints out the value of the modulus of the key. 
-.IP "\fB\-check\fR" 4 -.IX Item "-check" -this option checks the consistency of an \s-1RSA\s0 private key. -.IP "\fB\-pubin\fR" 4 -.IX Item "-pubin" -by default a private key is read from the input file: with this -option a public key is read instead. -.IP "\fB\-pubout\fR" 4 -.IX Item "-pubout" -by default a private key is output: with this option a public -key will be output instead. This option is automatically set if -the input is a public key. -.IP "\fB\-RSAPublicKey_in\fR, \fB\-RSAPublicKey_out\fR" 4 -.IX Item "-RSAPublicKey_in, -RSAPublicKey_out" -like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBrsa\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.SH "NOTES" -.IX Header "NOTES" -The \s-1PEM\s0 private key format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- -\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- -.Ve -.PP -The \s-1PEM\s0 public key format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\- -\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\- -.Ve -.PP -The \s-1PEM \s0\fBRSAPublicKey\fR format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN RSA PUBLIC KEY\-\-\-\-\- -\& \-\-\-\-\-END RSA PUBLIC KEY\-\-\-\-\- -.Ve -.PP -The \fB\s-1NET\s0\fR form is a format compatible with older Netscape servers -and Microsoft \s-1IIS \s0.key files, this uses unsalted \s-1RC4\s0 for its encryption. -It is not very secure and so should only be used when necessary. -.PP -Some newer version of \s-1IIS\s0 have additional data in the exported .key -files. 
To use these with the utility, view the file with a binary editor -and look for the string \*(L"private-key\*(R", then trace back to the byte -sequence 0x30, 0x82 (this is an \s-1ASN1 SEQUENCE\s0). Copy all the data -from this point onwards to another file and use that as the input -to the \fBrsa\fR utility with the \fB\-inform \s-1NET\s0\fR option. If you get -an error after entering the password try the \fB\-sgckey\fR option. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -To remove the pass phrase on an \s-1RSA\s0 private key: -.PP -.Vb 1 -\& openssl rsa \-in key.pem \-out keyout.pem -.Ve -.PP -To encrypt a private key using triple \s-1DES:\s0 -.PP -.Vb 1 -\& openssl rsa \-in key.pem \-des3 \-out keyout.pem -.Ve -.PP -To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: -.PP -.Vb 1 -\& openssl rsa \-in key.pem \-outform DER \-out keyout.der -.Ve -.PP -To print out the components of a private key to standard output: -.PP -.Vb 1 -\& openssl rsa \-in key.pem \-text \-noout -.Ve -.PP -To just output the public part of a private key: -.PP -.Vb 1 -\& openssl rsa \-in key.pem \-pubout \-out pubkey.pem -.Ve -.PP -Output the public part of a private key in \fBRSAPublicKey\fR format: -.PP -.Vb 1 -\& openssl rsa \-in key.pem \-RSAPublicKey_out \-out pubkey.pem -.Ve -.SH "BUGS" -.IX Header "BUGS" -The command line password arguments don't currently work with -\&\fB\s-1NET\s0\fR format. -.PP -There should be an option that automatically handles .key files, -without having to manually edit them. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIpkcs8\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), -\&\fIgendsa\fR\|(1) diff --git a/usr.bin/openssl/man/rsautl.1 b/usr.bin/openssl/man/rsautl.1 deleted file mode 100644 index 28dab54bd3..0000000000 --- a/usr.bin/openssl/man/rsautl.1 +++ /dev/null 
@@ -1,316 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "RSAUTL 1" -.TH RSAUTL 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -rsautl \- RSA utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBrsautl\fR -[\fB\-in file\fR] -[\fB\-out file\fR] -[\fB\-inkey file\fR] -[\fB\-pubin\fR] -[\fB\-certin\fR] -[\fB\-sign\fR] -[\fB\-verify\fR] -[\fB\-encrypt\fR] -[\fB\-decrypt\fR] -[\fB\-pkcs\fR] -[\fB\-ssl\fR] -[\fB\-raw\fR] -[\fB\-hexdump\fR] -[\fB\-asn1parse\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt -data using the \s-1RSA\s0 algorithm. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read data from or standard input -if this option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -specifies the output filename to write to or standard output by -default. -.IP "\fB\-inkey file\fR" 4 -.IX Item "-inkey file" -the input key file, by default it should be an \s-1RSA\s0 private key. -.IP "\fB\-pubin\fR" 4 -.IX Item "-pubin" -the input file is an \s-1RSA\s0 public key. -.IP "\fB\-certin\fR" 4 -.IX Item "-certin" -the input is a certificate containing an \s-1RSA\s0 public key. -.IP "\fB\-sign\fR" 4 -.IX Item "-sign" -sign the input data and output the signed result. This requires -and \s-1RSA\s0 private key. -.IP "\fB\-verify\fR" 4 -.IX Item "-verify" -verify the input data and output the recovered data. -.IP "\fB\-encrypt\fR" 4 -.IX Item "-encrypt" -encrypt the input data using an \s-1RSA\s0 public key. -.IP "\fB\-decrypt\fR" 4 -.IX Item "-decrypt" -decrypt the input data using an \s-1RSA\s0 private key. -.IP "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4 -.IX Item "-pkcs, -oaep, -ssl, -raw" -the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,\s0 -special padding used in \s-1SSL\s0 v2 backwards compatible handshakes, -or no padding, respectively. -For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used. 
-.IP "\fB\-hexdump\fR" 4 -.IX Item "-hexdump" -hex dump the output data. -.IP "\fB\-asn1parse\fR" 4 -.IX Item "-asn1parse" -asn1parse the output data, this is useful when combined with the -\&\fB\-verify\fR option. -.SH "NOTES" -.IX Header "NOTES" -\&\fBrsautl\fR because it uses the \s-1RSA\s0 algorithm directly can only be -used to sign or verify small pieces of data. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Sign some data using a private key: -.PP -.Vb 1 -\& openssl rsautl \-sign \-in file \-inkey key.pem \-out sig -.Ve -.PP -Recover the signed data -.PP -.Vb 1 -\& openssl rsautl \-verify \-in sig \-inkey key.pem -.Ve -.PP -Examine the raw signed data: -.PP -.Vb 1 -\& openssl rsautl \-verify \-in file \-inkey key.pem \-raw \-hexdump -\& -\& 0000 \- 00 01 ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ -\& 0010 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ -\& 0020 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ -\& 0030 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ -\& 0040 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ -\& 0050 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ -\& 0060 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................ -\& 0070 \- ff ff ff ff 00 68 65 6c\-6c 6f 20 77 6f 72 6c 64 .....hello world -.Ve -.PP -The PKCS#1 block formatting is evident from this. If this was done using -encrypt and decrypt the block would have been of type 2 (the second byte) -and random padding data visible instead of the 0xff bytes. -.PP -It is possible to analyse the signature of certificates using this -utility in conjunction with \fBasn1parse\fR. Consider the self signed -example in certs/pca\-cert.pem . 
Running \fBasn1parse\fR as follows yields: -.PP -.Vb 1 -\& openssl asn1parse \-in pca\-cert.pem -\& -\& 0:d=0 hl=4 l= 742 cons: SEQUENCE -\& 4:d=1 hl=4 l= 591 cons: SEQUENCE -\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ] -\& 10:d=3 hl=2 l= 1 prim: INTEGER :02 -\& 13:d=2 hl=2 l= 1 prim: INTEGER :00 -\& 16:d=2 hl=2 l= 13 cons: SEQUENCE -\& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption -\& 29:d=3 hl=2 l= 0 prim: NULL -\& 31:d=2 hl=2 l= 92 cons: SEQUENCE -\& 33:d=3 hl=2 l= 11 cons: SET -\& 35:d=4 hl=2 l= 9 cons: SEQUENCE -\& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName -\& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU -\& .... -\& 599:d=1 hl=2 l= 13 cons: SEQUENCE -\& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption -\& 612:d=2 hl=2 l= 0 prim: NULL -\& 614:d=1 hl=3 l= 129 prim: BIT STRING -.Ve -.PP -The final \s-1BIT STRING\s0 contains the actual signature. It can be extracted with: -.PP -.Vb 1 -\& openssl asn1parse \-in pca\-cert.pem \-out sig \-noout \-strparse 614 -.Ve -.PP -The certificate public key can be extracted with: -.PP -.Vb 1 -\& openssl x509 \-in test/testx509.pem \-pubkey \-noout >pubkey.pem -.Ve -.PP -The signature can be analysed with: -.PP -.Vb 1 -\& openssl rsautl \-in sig \-verify \-asn1parse \-inkey pubkey.pem \-pubin -\& -\& 0:d=0 hl=2 l= 32 cons: SEQUENCE -\& 2:d=1 hl=2 l= 12 cons: SEQUENCE -\& 4:d=2 hl=2 l= 8 prim: OBJECT :md5 -\& 14:d=2 hl=2 l= 0 prim: NULL -\& 16:d=1 hl=2 l= 16 prim: OCTET STRING -\& 0000 \- f3 46 9e aa 1a 4a 73 c9\-37 ea 93 00 48 25 08 b5 .F...Js.7...H%.. -.Ve -.PP -This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that -the digest used was md5. 
The actual part of the certificate that was signed can -be extracted with: -.PP -.Vb 1 -\& openssl asn1parse \-in pca\-cert.pem \-out tbs \-noout \-strparse 4 -.Ve -.PP -and its digest computed with: -.PP -.Vb 2 -\& openssl md5 \-c tbs -\& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5 -.Ve -.PP -which it can be seen agrees with the recovered value above. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1) diff --git a/usr.bin/openssl/man/s_client.1 b/usr.bin/openssl/man/s_client.1 deleted file mode 100644 index 7001c596ad..0000000000 --- a/usr.bin/openssl/man/s_client.1 +++ /dev/null 
@@ -1,448 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "S_CLIENT 1" -.TH S_CLIENT 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -s_client \- SSL/TLS client program -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBs_client\fR -[\fB\-connect host:port\fR] -[\fB\-servername name\fR] -[\fB\-verify depth\fR] -[\fB\-verify_return_error\fR] -[\fB\-cert filename\fR] -[\fB\-certform DER|PEM\fR] -[\fB\-key filename\fR] -[\fB\-keyform DER|PEM\fR] -[\fB\-pass arg\fR] -[\fB\-CApath directory\fR] -[\fB\-CAfile filename\fR] -[\fB\-no_alt_chains\fR] -[\fB\-reconnect\fR] -[\fB\-pause\fR] -[\fB\-showcerts\fR] -[\fB\-debug\fR] -[\fB\-msg\fR] -[\fB\-nbio_test\fR] -[\fB\-state\fR] -[\fB\-nbio\fR] -[\fB\-crlf\fR] -[\fB\-ign_eof\fR] -[\fB\-no_ign_eof\fR] -[\fB\-quiet\fR] -[\fB\-ssl2\fR] -[\fB\-ssl3\fR] -[\fB\-tls1\fR] -[\fB\-no_ssl2\fR] -[\fB\-no_ssl3\fR] -[\fB\-no_tls1\fR] -[\fB\-no_tls1_1\fR] -[\fB\-no_tls1_2\fR] -[\fB\-fallback_scsv\fR] -[\fB\-bugs\fR] -[\fB\-cipher cipherlist\fR] -[\fB\-serverpref\fR] -[\fB\-starttls protocol\fR] -[\fB\-engine id\fR] -[\fB\-tlsextdebug\fR] -[\fB\-no_ticket\fR] -[\fB\-sess_out filename\fR] -[\fB\-sess_in filename\fR] -[\fB\-rand file(s)\fR] -[\fB\-serverinfo types\fR] -[\fB\-status\fR] -[\fB\-nextprotoneg protocols\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects -to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic tool for -\&\s-1SSL\s0 servers. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-connect host:port\fR" 4 -.IX Item "-connect host:port" -This specifies the host and optional port to connect to. If not specified -then an attempt is made to connect to the local host on port 4433. -.IP "\fB\-servername name\fR" 4 -.IX Item "-servername name" -Set the \s-1TLS SNI \s0(Server Name Indication) extension in the ClientHello message. -.IP "\fB\-cert certname\fR" 4 -.IX Item "-cert certname" -The certificate to use, if one is requested by the server. The default is -not to use a certificate. 
-.IP "\fB\-certform format\fR" 4 -.IX Item "-certform format" -The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. -.IP "\fB\-key keyfile\fR" 4 -.IX Item "-key keyfile" -The private key to use. If not specified then the certificate file will -be used. -.IP "\fB\-keyform format\fR" 4 -.IX Item "-keyform format" -The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. -.IP "\fB\-pass arg\fR" 4 -.IX Item "-pass arg" -the private key password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-verify depth\fR" 4 -.IX Item "-verify depth" -The verify depth to use. This specifies the maximum length of the -server certificate chain and turns on server certificate verification. -Currently the verify operation continues after errors so all the problems -with a certificate chain can be seen. As a side effect the connection -will never fail due to a server certificate verify failure. -.IP "\fB\-verify_return_error\fR" 4 -.IX Item "-verify_return_error" -Return verification errors instead of continuing. This will typically -abort the handshake with a fatal error. -.IP "\fB\-CApath directory\fR" 4 -.IX Item "-CApath directory" -The directory to use for server certificate verification. This directory -must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are -also used when building the client certificate chain. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -A file containing trusted certificates to use during server authentication -and to use when attempting to build the client certificate chain. 
-.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig \-no_alt_chains\fR" 4 -.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains" -Set various certificate chain valiadition option. See the -\&\fBverify\fR manual page for details. -.IP "\fB\-reconnect\fR" 4 -.IX Item "-reconnect" -reconnects to the same server 5 times using the same session \s-1ID,\s0 this can -be used as a test that session caching is working. -.IP "\fB\-pause\fR" 4 -.IX Item "-pause" -pauses 1 second between each read and write call. -.IP "\fB\-showcerts\fR" 4 -.IX Item "-showcerts" -display the whole server certificate chain: normally only the server -certificate itself is displayed. -.IP "\fB\-prexit\fR" 4 -.IX Item "-prexit" -print session information when the program exits. This will always attempt -to print out information even if the connection fails. Normally information -will only be printed out once if the connection succeeds. This option is useful -because the cipher in use may be renegotiated or the connection may fail -because a client certificate is required or is requested only after an -attempt is made to access a certain \s-1URL.\s0 Note: the output produced by this -option is not always accurate because a connection might never have been -established. -.IP "\fB\-state\fR" 4 -.IX Item "-state" -prints out the \s-1SSL\s0 session states. -.IP "\fB\-debug\fR" 4 -.IX Item "-debug" -print extensive debugging information including a hex dump of all traffic. -.IP "\fB\-msg\fR" 4 -.IX Item "-msg" -show all protocol messages with hex dump. 
-.IP "\fB\-nbio_test\fR" 4 -.IX Item "-nbio_test" -tests non-blocking I/O -.IP "\fB\-nbio\fR" 4 -.IX Item "-nbio" -turns on non-blocking I/O -.IP "\fB\-crlf\fR" 4 -.IX Item "-crlf" -this option translated a line feed from the terminal into \s-1CR+LF\s0 as required -by some servers. -.IP "\fB\-ign_eof\fR" 4 -.IX Item "-ign_eof" -inhibit shutting down the connection when end of file is reached in the -input. -.IP "\fB\-quiet\fR" 4 -.IX Item "-quiet" -inhibit printing of session and certificate information. This implicitly -turns on \fB\-ign_eof\fR as well. -.IP "\fB\-no_ign_eof\fR" 4 -.IX Item "-no_ign_eof" -shut down the connection when end of file is reached in the input. -Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR. -.IP "\fB\-psk_identity identity\fR" 4 -.IX Item "-psk_identity identity" -Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite. -.IP "\fB\-psk key\fR" 4 -.IX Item "-psk key" -Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is -given as a hexadecimal number without leading 0x, for example \-psk -1a2b3c4d. -.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4 -.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2" -These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols. -By default the initial handshake uses a \fIversion-flexible\fR method which will -negotiate the highest mutually supported protocol version. -.IP "\fB\-fallback_scsv\fR" 4 -.IX Item "-fallback_scsv" -Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello. -.IP "\fB\-bugs\fR" 4 -.IX Item "-bugs" -there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this -option enables various workarounds. 
-.IP "\fB\-cipher cipherlist\fR" 4 -.IX Item "-cipher cipherlist" -this allows the cipher list sent by the client to be modified. Although -the server determines which cipher suite is used it should take the first -supported cipher in the list sent by the client. See the \fBciphers\fR -command for more information. -.IP "\fB\-serverpref\fR" 4 -.IX Item "-serverpref" -use the server's cipher preferences; only used for \s-1SSLV2.\s0 -.IP "\fB\-starttls protocol\fR" 4 -.IX Item "-starttls protocol" -send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication. -\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only -supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", and \*(L"ftp\*(R". -.IP "\fB\-tlsextdebug\fR" 4 -.IX Item "-tlsextdebug" -print out a hex dump of any \s-1TLS\s0 extensions received from the server. -.IP "\fB\-no_ticket\fR" 4 -.IX Item "-no_ticket" -disable RFC4507bis session ticket support. -.IP "\fB\-sess_out filename\fR" 4 -.IX Item "-sess_out filename" -output \s-1SSL\s0 session to \fBfilename\fR -.IP "\fB\-sess_in sess.pem\fR" 4 -.IX Item "-sess_in sess.pem" -load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a -connection from this session. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBs_client\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. 
-.IP "\fB\-serverinfo types\fR" 4 -.IX Item "-serverinfo types" -a list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and -65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension. -The server's response (if any) will be encoded and displayed as a \s-1PEM\s0 -file. -.IP "\fB\-status\fR" 4 -.IX Item "-status" -sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server -response (if any) is printed out. -.IP "\fB\-nextprotoneg protocols\fR" 4 -.IX Item "-nextprotoneg protocols" -enable Next Protocol Negotiation \s-1TLS\s0 extension and provide a list of -comma-separated protocol names that the client should advertise -support for. The list should contain most wanted protocols first. -Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or -\&\*(L"spdy/3\*(R". -Empty list of protocols is treated specially and will cause the client to -advertise support for the \s-1TLS\s0 extension but disconnect just after -reciving ServerHello with a list of server supported protocols. -.SH "CONNECTED COMMANDS" -.IX Header "CONNECTED COMMANDS" -If a connection is established with an \s-1SSL\s0 server then any data received -from the server is displayed and any key presses will be sent to the -server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR -have been given), the session will be renegotiated if the line begins with an -\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the -connection will be closed down. -.SH "NOTES" -.IX Header "NOTES" -\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0 -server the command: -.PP -.Vb 1 -\& openssl s_client \-connect servername:443 -.Ve -.PP -would typically be used (https uses port 443). If the connection succeeds -then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET /\*(R"\s0 to retrieve a web page. 
-.PP -If the handshake fails then there are several possible causes, if it is -nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR, -\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried -in case it is a buggy server. In particular you should play with these -options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. -.PP -A frequent problem when attempting to get client certificates working -is that a web client complains it has no certificates or gives an empty -list to choose from. This is normally because the server is not sending -the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it -requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed -and checked. However some servers only request client authentication -after a specific \s-1URL\s0 is requested. To obtain the list in this case it -is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request -for an appropriate page. -.PP -If a certificate is specified on the command line using the \fB\-cert\fR -option it will not be used unless the server specifically requests -a client certificate. Therefor merely including a client certificate -on the command line is no guarantee that the certificate works. -.PP -If there are problems verifying a server certificate then the -\&\fB\-showcerts\fR option can be used to show the whole chain. -.PP -Since the SSLv23 client hello cannot include compression methods or extensions -these will only be supported if its use is disabled, for example by using the -\&\fB\-no_sslv2\fR option. -.PP -The \fBs_client\fR utility is a test tool and is designed to continue the -handshake after any certificate verification errors. As a result it will -accept any certificate chain (trusted or not) sent by the peer. None test -applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0 -attack. 
This behaviour can be changed by with the \fB\-verify_return_error\fR -option: any verify errors are then returned aborting the handshake. -.SH "BUGS" -.IX Header "BUGS" -Because this program has a lot of options and also because some of -the techniques used are rather old, the C source of s_client is rather -hard to read and not a model of how things should be done. A typical -\&\s-1SSL\s0 client program would be much simpler. -.PP -The \fB\-prexit\fR option is a bit of a hack. We should really report -information whenever a session is renegotiated. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/usr.bin/openssl/man/s_server.1 b/usr.bin/openssl/man/s_server.1 deleted file mode 100644 index 9de6fbb0ba..0000000000 --- a/usr.bin/openssl/man/s_server.1 +++ /dev/null 
@@ -1,486 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "S_SERVER 1" -.TH S_SERVER 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -s_server \- SSL/TLS server program -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBs_server\fR -[\fB\-accept port\fR] -[\fB\-context id\fR] -[\fB\-verify depth\fR] -[\fB\-Verify depth\fR] -[\fB\-crl_check\fR] -[\fB\-crl_check_all\fR] -[\fB\-cert filename\fR] -[\fB\-certform DER|PEM\fR] -[\fB\-key keyfile\fR] -[\fB\-keyform DER|PEM\fR] -[\fB\-pass arg\fR] -[\fB\-dcert filename\fR] -[\fB\-dcertform DER|PEM\fR] -[\fB\-dkey keyfile\fR] -[\fB\-dkeyform DER|PEM\fR] -[\fB\-dpass arg\fR] -[\fB\-dhparam filename\fR] -[\fB\-nbio\fR] -[\fB\-nbio_test\fR] -[\fB\-crlf\fR] -[\fB\-debug\fR] -[\fB\-msg\fR] -[\fB\-state\fR] -[\fB\-CApath directory\fR] -[\fB\-CAfile filename\fR] -[\fB\-no_alt_chains\fR] -[\fB\-nocert\fR] -[\fB\-cipher cipherlist\fR] -[\fB\-serverpref\fR] -[\fB\-quiet\fR] -[\fB\-no_tmp_rsa\fR] -[\fB\-ssl2\fR] -[\fB\-ssl3\fR] -[\fB\-tls1\fR] -[\fB\-no_ssl2\fR] -[\fB\-no_ssl3\fR] -[\fB\-no_tls1\fR] -[\fB\-no_dhe\fR] -[\fB\-bugs\fR] -[\fB\-hack\fR] -[\fB\-www\fR] -[\fB\-WWW\fR] -[\fB\-HTTP\fR] -[\fB\-engine id\fR] -[\fB\-tlsextdebug\fR] -[\fB\-no_ticket\fR] -[\fB\-id_prefix arg\fR] -[\fB\-rand file(s)\fR] -[\fB\-serverinfo file\fR] -[\fB\-no_resumption_on_reneg\fR] -[\fB\-status\fR] -[\fB\-status_verbose\fR] -[\fB\-status_timeout nsec\fR] -[\fB\-status_url url\fR] -[\fB\-nextprotoneg protocols\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens -for connections on a given port using \s-1SSL/TLS.\s0 -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-accept port\fR" 4 -.IX Item "-accept port" -the \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used. -.IP "\fB\-context id\fR" 4 -.IX Item "-context id" -sets the \s-1SSL\s0 context id. It can be given any string value. If this option -is not present a default value will be used. 
-.IP "\fB\-cert certname\fR" 4 -.IX Item "-cert certname" -The certificate to use, most servers cipher suites require the use of a -certificate and some require a certificate with a certain public key type: -for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS -\&\s0(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used. -.IP "\fB\-certform format\fR" 4 -.IX Item "-certform format" -The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. -.IP "\fB\-key keyfile\fR" 4 -.IX Item "-key keyfile" -The private key to use. If not specified then the certificate file will -be used. -.IP "\fB\-keyform format\fR" 4 -.IX Item "-keyform format" -The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. -.IP "\fB\-pass arg\fR" 4 -.IX Item "-pass arg" -the private key password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4 -.IX Item "-dcert filename, -dkey keyname" -specify an additional certificate and private key, these behave in the -same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default -if they are not specified (no additional certificate and key is used). As -noted above some cipher suites require a certificate containing a key of -a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key -and some a \s-1DSS \s0(\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys -a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites -by using an appropriate certificate. -.IP "\fB\-dcertform format\fR, \fB\-dkeyform format\fR, \fB\-dpass arg\fR" 4 -.IX Item "-dcertform format, -dkeyform format, -dpass arg" -additional certificate and private key format and passphrase respectively. 
-.IP "\fB\-nocert\fR" 4 -.IX Item "-nocert" -if this option is set then no certificate is used. This restricts the -cipher suites available to the anonymous ones (currently just anonymous -\&\s-1DH\s0). -.IP "\fB\-dhparam filename\fR" 4 -.IX Item "-dhparam filename" -the \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys -using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to -load the parameters from the server certificate file. If this fails then -a static set of parameters hard coded into the s_server program will be used. -.IP "\fB\-no_dhe\fR" 4 -.IX Item "-no_dhe" -if this option is set then no \s-1DH\s0 parameters will be loaded effectively -disabling the ephemeral \s-1DH\s0 cipher suites. -.IP "\fB\-no_tmp_rsa\fR" 4 -.IX Item "-no_tmp_rsa" -certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option -disables temporary \s-1RSA\s0 key generation. -.IP "\fB\-verify depth\fR, \fB\-Verify depth\fR" 4 -.IX Item "-verify depth, -Verify depth" -The verify depth to use. This specifies the maximum length of the -client certificate chain and makes the server request a certificate from -the client. With the \fB\-verify\fR option a certificate is requested but the -client does not have to send one, with the \fB\-Verify\fR option the client -must supply a certificate or an error occurs. -.Sp -If the ciphersuite cannot request a client certificate (for example an -anonymous ciphersuite or \s-1PSK\s0) this option has no effect. -.IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4 -.IX Item "-crl_check, -crl_check_all" -Check the peer certificate has not been revoked by its \s-1CA.\s0 -The \s-1CRL\s0(s) are appended to the certificate file. With the \fB\-crl_check_all\fR -option all CRLs of all CAs in the chain are checked. -.IP "\fB\-CApath directory\fR" 4 -.IX Item "-CApath directory" -The directory to use for client certificate verification. 
This directory -must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are -also used when building the server certificate chain. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -A file containing trusted certificates to use during client authentication -and to use when attempting to build the server certificate chain. The list -is also used in the list of acceptable client CAs passed to the client when -a certificate is requested. -.IP "\fB\-no_alt_chains\fR" 4 -.IX Item "-no_alt_chains" -See the \fBverify\fR manual page for details. -.IP "\fB\-state\fR" 4 -.IX Item "-state" -prints out the \s-1SSL\s0 session states. -.IP "\fB\-debug\fR" 4 -.IX Item "-debug" -print extensive debugging information including a hex dump of all traffic. -.IP "\fB\-msg\fR" 4 -.IX Item "-msg" -show all protocol messages with hex dump. -.IP "\fB\-nbio_test\fR" 4 -.IX Item "-nbio_test" -tests non blocking I/O -.IP "\fB\-nbio\fR" 4 -.IX Item "-nbio" -turns on non blocking I/O -.IP "\fB\-crlf\fR" 4 -.IX Item "-crlf" -this option translated a line feed from the terminal into \s-1CR+LF.\s0 -.IP "\fB\-quiet\fR" 4 -.IX Item "-quiet" -inhibit printing of session and certificate information. -.IP "\fB\-psk_hint hint\fR" 4 -.IX Item "-psk_hint hint" -Use the \s-1PSK\s0 identity hint \fBhint\fR when using a \s-1PSK\s0 cipher suite. -.IP "\fB\-psk key\fR" 4 -.IX Item "-psk key" -Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is -given as a hexadecimal number without leading 0x, for example \-psk -1a2b3c4d. -.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4 -.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2" -These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols. 
-By default the initial handshake uses a \fIversion-flexible\fR method which will -negotiate the highest mutually supported protocol version. -.IP "\fB\-bugs\fR" 4 -.IX Item "-bugs" -there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this -option enables various workarounds. -.IP "\fB\-hack\fR" 4 -.IX Item "-hack" -this option enables a further workaround for some some early Netscape -\&\s-1SSL\s0 code (?). -.IP "\fB\-cipher cipherlist\fR" 4 -.IX Item "-cipher cipherlist" -this allows the cipher list used by the server to be modified. When -the client sends a list of supported ciphers the first client cipher -also included in the server list is used. Because the client specifies -the preference order, the order of the server cipherlist irrelevant. See -the \fBciphers\fR command for more information. -.IP "\fB\-serverpref\fR" 4 -.IX Item "-serverpref" -use the server's cipher preferences, rather than the client's preferences. -.IP "\fB\-tlsextdebug\fR" 4 -.IX Item "-tlsextdebug" -print out a hex dump of any \s-1TLS\s0 extensions received from the server. -.IP "\fB\-no_ticket\fR" 4 -.IX Item "-no_ticket" -disable RFC4507bis session ticket support. -.IP "\fB\-www\fR" 4 -.IX Item "-www" -sends a status message back to the client when it connects. This includes -lots of information about the ciphers used and various session parameters. -The output is in \s-1HTML\s0 format so this option will normally be used with a -web browser. -.IP "\fB\-WWW\fR" 4 -.IX Item "-WWW" -emulates a simple web server. Pages will be resolved relative to the -current directory, for example if the \s-1URL\s0 https://myhost/page.html is -requested the file ./page.html will be loaded. -.IP "\fB\-HTTP\fR" 4 -.IX Item "-HTTP" -emulates a simple web server. Pages will be resolved relative to the -current directory, for example if the \s-1URL\s0 https://myhost/page.html is -requested the file ./page.html will be loaded. 
The files loaded are -assumed to contain a complete and correct \s-1HTTP\s0 response (lines that -are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0). -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBs_server\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.IP "\fB\-id_prefix arg\fR" 4 -.IX Item "-id_prefix arg" -generate \s-1SSL/TLS\s0 session IDs prefixed by \fBarg\fR. This is mostly useful -for testing any \s-1SSL/TLS\s0 code (eg. proxies) that wish to deal with multiple -servers, when each of which might be generating a unique range of session -IDs (eg. with a certain prefix). -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fB\-serverinfo file\fR" 4 -.IX Item "-serverinfo file" -a file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block -must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length, -followed by \*(L"length\*(R" bytes of extension data). If the client sends -an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding -ServerHello extension will be returned. -.IP "\fB\-no_resumption_on_reneg\fR" 4 -.IX Item "-no_resumption_on_reneg" -set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag. -.IP "\fB\-status\fR" 4 -.IX Item "-status" -enables certificate status request support (aka \s-1OCSP\s0 stapling). 
-.IP "\fB\-status_verbose\fR" 4 -.IX Item "-status_verbose" -enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives -a verbose printout of the \s-1OCSP\s0 response. -.IP "\fB\-status_timeout nsec\fR" 4 -.IX Item "-status_timeout nsec" -sets the timeout for \s-1OCSP\s0 response to \fBnsec\fR seconds. -.IP "\fB\-status_url url\fR" 4 -.IX Item "-status_url url" -sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the -server certificate. Without this option an error is returned if the server -certificate does not contain a responder address. -.IP "\fB\-nextprotoneg protocols\fR" 4 -.IX Item "-nextprotoneg protocols" -enable Next Protocol Negotiation \s-1TLS\s0 extension and provide a -comma-separated list of supported protocol names. -The list should contain most wanted protocols first. -Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or -\&\*(L"spdy/3\*(R". -.SH "CONNECTED COMMANDS" -.IX Header "CONNECTED COMMANDS" -If a connection request is established with an \s-1SSL\s0 client and neither the -\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received -from the client is displayed and any key presses will be sent to the client. -.PP -Certain single letter commands are also recognized which perform special -operations: these are listed below. -.IP "\fBq\fR" 4 -.IX Item "q" -end the current \s-1SSL\s0 connection but still accept new connections. -.IP "\fBQ\fR" 4 -.IX Item "Q" -end the current \s-1SSL\s0 connection and exit. -.IP "\fBr\fR" 4 -.IX Item "r" -renegotiate the \s-1SSL\s0 session. -.IP "\fBR\fR" 4 -.IX Item "R" -renegotiate the \s-1SSL\s0 session and request a client certificate. -.IP "\fBP\fR" 4 -.IX Item "P" -send some plain text down the underlying \s-1TCP\s0 connection: this should -cause the client to disconnect due to a protocol violation. -.IP "\fBS\fR" 4 -.IX Item "S" -print out some session cache status information. 
-.SH "NOTES" -.IX Header "NOTES" -\&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from -a web browser the command: -.PP -.Vb 1 -\& openssl s_server \-accept 443 \-www -.Ve -.PP -can be used for example. -.PP -Most web browsers (in particular Netscape and \s-1MSIE\s0) only support \s-1RSA\s0 cipher -suites, so they cannot connect to servers which don't use a certificate -carrying an \s-1RSA\s0 key or a version of OpenSSL with \s-1RSA\s0 disabled. -.PP -Although specifying an empty list of CAs when requesting a client certificate -is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to -mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes. -.PP -The session parameters can printed out using the \fBsess_id\fR program. -.SH "BUGS" -.IX Header "BUGS" -Because this program has a lot of options and also because some of -the techniques used are rather old, the C source of s_server is rather -hard to read and not a model of how things should be done. A typical -\&\s-1SSL\s0 server program would be much simpler. -.PP -The output of common ciphers is wrong: it just gives the list of ciphers that -OpenSSL recognizes and the client supports. -.PP -There should be a way for the \fBs_server\fR program to print out details of any -unknown cipher suites a client says it supports. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/usr.bin/openssl/man/s_time.1 b/usr.bin/openssl/man/s_time.1 deleted file mode 100644 index 7e6e923b0f..0000000000 --- a/usr.bin/openssl/man/s_time.1 +++ /dev/null 
@@ -1,286 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "S_TIME 1" -.TH S_TIME 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -s_time \- SSL/TLS performance timing program -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBs_time\fR -[\fB\-connect host:port\fR] -[\fB\-www page\fR] -[\fB\-cert filename\fR] -[\fB\-key filename\fR] -[\fB\-CApath directory\fR] -[\fB\-CAfile filename\fR] -[\fB\-reuse\fR] -[\fB\-new\fR] -[\fB\-verify depth\fR] -[\fB\-nbio\fR] -[\fB\-time seconds\fR] -[\fB\-ssl2\fR] -[\fB\-ssl3\fR] -[\fB\-bugs\fR] -[\fB\-cipher cipherlist\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBs_time\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a -remote host using \s-1SSL/TLS.\s0 It can request a page from the server and includes -the time to transfer the payload data in its timing measurements. It measures -the number of connections within a given timeframe, the amount of data -transferred (if any), and calculates the average time spent for one connection. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-connect host:port\fR" 4 -.IX Item "-connect host:port" -This specifies the host and optional port to connect to. -.IP "\fB\-www page\fR" 4 -.IX Item "-www page" -This specifies the page to \s-1GET\s0 from the server. A value of '/' gets the -index.htm[l] page. If this parameter is not specified, then \fBs_time\fR will only -perform the handshake to establish \s-1SSL\s0 connections but not transfer any -payload data. -.IP "\fB\-cert certname\fR" 4 -.IX Item "-cert certname" -The certificate to use, if one is requested by the server. The default is -not to use a certificate. The file is in \s-1PEM\s0 format. -.IP "\fB\-key keyfile\fR" 4 -.IX Item "-key keyfile" -The private key to use. If not specified then the certificate file will -be used. The file is in \s-1PEM\s0 format. -.IP "\fB\-verify depth\fR" 4 -.IX Item "-verify depth" -The verify depth to use. This specifies the maximum length of the -server certificate chain and turns on server certificate verification. 
-Currently the verify operation continues after errors so all the problems -with a certificate chain can be seen. As a side effect the connection -will never fail due to a server certificate verify failure. -.IP "\fB\-CApath directory\fR" 4 -.IX Item "-CApath directory" -The directory to use for server certificate verification. This directory -must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are -also used when building the client certificate chain. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -A file containing trusted certificates to use during server authentication -and to use when attempting to build the client certificate chain. -.IP "\fB\-new\fR" 4 -.IX Item "-new" -performs the timing test using a new session \s-1ID\s0 for each connection. -If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default -and executed in sequence. -.IP "\fB\-reuse\fR" 4 -.IX Item "-reuse" -performs the timing test using the same session \s-1ID\s0; this can be used as a test -that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are -specified, they are both on by default and executed in sequence. -.IP "\fB\-nbio\fR" 4 -.IX Item "-nbio" -turns on non-blocking I/O. -.IP "\fB\-ssl2\fR, \fB\-ssl3\fR" 4 -.IX Item "-ssl2, -ssl3" -these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default -the initial handshake uses a method which should be compatible with all -servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate. -The timing program is not as rich in options to turn protocols on and off as -the \fIs_client\fR\|(1) program and may not connect to all servers. -.Sp -Unfortunately there are a lot of ancient and broken servers in use which -cannot handle this technique and will fail to connect. 
Some servers only -work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option; others -will only support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option. -.IP "\fB\-bugs\fR" 4 -.IX Item "-bugs" -there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this -option enables various workarounds. -.IP "\fB\-cipher cipherlist\fR" 4 -.IX Item "-cipher cipherlist" -this allows the cipher list sent by the client to be modified. Although -the server determines which cipher suite is used it should take the first -supported cipher in the list sent by the client. -See the \fIciphers\fR\|(1) command for more information. -.IP "\fB\-time length\fR" 4 -.IX Item "-time length" -specifies how long (in seconds) \fBs_time\fR should establish connections and -optionally transfer payload data from a server. Server and client performance -and the link speed determine how many connections \fBs_time\fR can establish. -.SH "NOTES" -.IX Header "NOTES" -\&\fBs_time\fR can be used to measure the performance of an \s-1SSL\s0 connection. -To connect to an \s-1SSL HTTP\s0 server and get the default page the command -.PP -.Vb 1 -\& openssl s_time \-connect servername:443 \-www / \-CApath yourdir \-CAfile yourfile.pem \-cipher commoncipher [\-ssl3] -.Ve -.PP -would typically be used (https uses port 443). 'commoncipher' is a cipher to -which both client and server can agree, see the \fIciphers\fR\|(1) command -for details. -.PP -If the handshake fails then there are several possible causes, if it is -nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR, -\&\fB\-ssl3\fR options can be tried -in case it is a buggy server. In particular you should play with these -options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. -.PP -A frequent problem when attempting to get client certificates working -is that a web client complains it has no certificates or gives an empty -list to choose from. 
This is normally because the server is not sending -the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it -requests a certificate. By using \fIs_client\fR\|(1) the \s-1CA\s0 list can be -viewed and checked. However some servers only request client authentication -after a specific \s-1URL\s0 is requested. To obtain the list in this case it -is necessary to use the \fB\-prexit\fR option of \fIs_client\fR\|(1) and -send an \s-1HTTP\s0 request for an appropriate page. -.PP -If a certificate is specified on the command line using the \fB\-cert\fR -option it will not be used unless the server specifically requests -a client certificate. Therefor merely including a client certificate -on the command line is no guarantee that the certificate works. -.SH "BUGS" -.IX Header "BUGS" -Because this program does not have all the options of the -\&\fIs_client\fR\|(1) program to turn protocols on and off, you may not be -able to measure the performance of all protocols with all servers. -.PP -The \fB\-verify\fR option should really exit if the server verification -fails. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1) diff --git a/usr.bin/openssl/man/sess_id.1 b/usr.bin/openssl/man/sess_id.1 deleted file mode 100644 index 2d7130cae7..0000000000 --- a/usr.bin/openssl/man/sess_id.1 +++ /dev/null 
@@ -1,258 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SESS_ID 1" -.TH SESS_ID 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -sess_id \- SSL/TLS session handling utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBsess_id\fR -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-text\fR] -[\fB\-noout\fR] -[\fB\-context \s-1ID\s0\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBsess_id\fR process the encoded version of the \s-1SSL\s0 session structure -and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0 session -master key) in human readable format. Since this is a diagnostic tool that -needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will -not need to use it. -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded -format containing session details. The precise format can vary from one version -to the next. The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR -format base64 encoded with additional header and footer lines. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read session information from or standard -input by default. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write session information to or standard -output if this option is not specified. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -prints out the various public or private key components in -plain text in addition to the encoded version. -.IP "\fB\-cert\fR" 4 -.IX Item "-cert" -if a certificate is present in the session it will be output using this option, -if the \fB\-text\fR option is also present then it will be printed out in text form. 
-.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -this option prevents output of the encoded version of the session. -.IP "\fB\-context \s-1ID\s0\fR" 4 -.IX Item "-context ID" -this option can set the session id so the output session information uses the -supplied \s-1ID.\s0 The \s-1ID\s0 can be any string of characters. This option wont normally -be used. -.SH "OUTPUT" -.IX Header "OUTPUT" -Typical output: -.PP -.Vb 10 -\& SSL\-Session: -\& Protocol : TLSv1 -\& Cipher : 0016 -\& Session\-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED -\& Session\-ID\-ctx: 01000000 -\& Master\-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD -\& Key\-Arg : None -\& Start Time: 948459261 -\& Timeout : 300 (sec) -\& Verify return code 0 (ok) -.Ve -.PP -Theses are described below in more detail. -.IP "\fBProtocol\fR" 4 -.IX Item "Protocol" -this is the protocol in use TLSv1, SSLv3 or SSLv2. -.IP "\fBCipher\fR" 4 -.IX Item "Cipher" -the cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0 -or \s-1TLS\s0 specifications for more information. -.IP "\fBSession-ID\fR" 4 -.IX Item "Session-ID" -the \s-1SSL\s0 session \s-1ID\s0 in hex format. -.IP "\fBSession-ID-ctx\fR" 4 -.IX Item "Session-ID-ctx" -the session \s-1ID\s0 context in hex format. -.IP "\fBMaster-Key\fR" 4 -.IX Item "Master-Key" -this is the \s-1SSL\s0 session master key. -.IP "\fBKey-Arg\fR" 4 -.IX Item "Key-Arg" -the key argument, this is only used in \s-1SSL\s0 v2. -.IP "\fBStart Time\fR" 4 -.IX Item "Start Time" -this is the session start time represented as an integer in standard Unix format. -.IP "\fBTimeout\fR" 4 -.IX Item "Timeout" -the timeout in seconds. -.IP "\fBVerify return code\fR" 4 -.IX Item "Verify return code" -this is the return code when an \s-1SSL\s0 client certificate is verified. 
-.SH "NOTES" -.IX Header "NOTES" -The \s-1PEM\s0 encoded session format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN SSL SESSION PARAMETERS\-\-\-\-\- -\& \-\-\-\-\-END SSL SESSION PARAMETERS\-\-\-\-\- -.Ve -.PP -Since the \s-1SSL\s0 session output contains the master key it is possible to read the contents -of an encrypted session using this information. Therefore appropriate security precautions -should be taken if the information is being output by a \*(L"real\*(R" application. This is -however strongly discouraged and should only be used for debugging purposes. -.SH "BUGS" -.IX Header "BUGS" -The cipher and start time should be printed out in human readable form. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIciphers\fR\|(1), \fIs_server\fR\|(1) diff --git a/usr.bin/openssl/man/smime.1 b/usr.bin/openssl/man/smime.1 deleted file mode 100644 index ec3a9fb883..0000000000 --- a/usr.bin/openssl/man/smime.1 +++ /dev/null 
@@ -1,553 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SMIME 1" -.TH SMIME 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -smime \- S/MIME utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBsmime\fR -[\fB\-encrypt\fR] -[\fB\-decrypt\fR] -[\fB\-sign\fR] -[\fB\-resign\fR] -[\fB\-verify\fR] -[\fB\-pk7out\fR] -[\fB\-[cipher]\fR] -[\fB\-in file\fR] -[\fB\-no_alt_chains\fR] -[\fB\-certfile file\fR] -[\fB\-signer file\fR] -[\fB\-recip file\fR] -[\fB\-inform SMIME|PEM|DER\fR] -[\fB\-passin arg\fR] -[\fB\-inkey file\fR] -[\fB\-out file\fR] -[\fB\-outform SMIME|PEM|DER\fR] -[\fB\-content file\fR] -[\fB\-to addr\fR] -[\fB\-from ad\fR] -[\fB\-subject s\fR] -[\fB\-text\fR] -[\fB\-indef\fR] -[\fB\-noindef\fR] -[\fB\-stream\fR] -[\fB\-rand file(s)\fR] -[\fB\-md digest\fR] -[cert.pem]... -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and -verify S/MIME messages. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -There are six operation options that set the type of operation to be performed. -The meaning of the other options varies according to the operation type. -.IP "\fB\-encrypt\fR" 4 -.IX Item "-encrypt" -encrypt mail for the given recipient certificates. Input file is the message -to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. -.IP "\fB\-decrypt\fR" 4 -.IX Item "-decrypt" -decrypt mail using the supplied certificate and private key. Expects an -encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail -is written to the output file. -.IP "\fB\-sign\fR" 4 -.IX Item "-sign" -sign mail using the supplied certificate and private key. Input file is -the message to be signed. The signed message in \s-1MIME\s0 format is written -to the output file. -.IP "\fB\-verify\fR" 4 -.IX Item "-verify" -verify signed mail. Expects a signed mail message on input and outputs -the signed data. Both clear text and opaque signing is supported. 
-.IP "\fB\-pk7out\fR" 4 -.IX Item "-pk7out" -takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure. -.IP "\fB\-resign\fR" 4 -.IX Item "-resign" -resign a message: take an existing message and one or more new signers. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -the input message to be encrypted or signed or the \s-1MIME\s0 message to -be decrypted or verified. -.IP "\fB\-inform SMIME|PEM|DER\fR" 4 -.IX Item "-inform SMIME|PEM|DER" -this specifies the input format for the PKCS#7 structure. The default -is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR -format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures -instead. This currently only affects the input format of the PKCS#7 -structure, if no PKCS#7 structure is being input (for example with -\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -the message text that has been decrypted or verified or the output \s-1MIME\s0 -format message that has been signed or verified. -.IP "\fB\-outform SMIME|PEM|DER\fR" 4 -.IX Item "-outform SMIME|PEM|DER" -this specifies the output format for the PKCS#7 structure. The default -is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR -format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures -instead. This currently only affects the output format of the PKCS#7 -structure, if no PKCS#7 structure is being output (for example with -\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. -.IP "\fB\-stream \-indef \-noindef\fR" 4 -.IX Item "-stream -indef -noindef" -the \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O -for encoding operations. This permits single pass processing of data without -the need to hold the entire contents in memory, potentially supporting very -large files. 
Streaming is automatically set for S/MIME signing with detached -data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all -other operations. -.IP "\fB\-noindef\fR" 4 -.IX Item "-noindef" -disable streaming I/O where it would produce and indefinite length constructed -encoding. This option currently has no effect. In future streaming will be -enabled by default on all relevant operations and this option will disable it. -.IP "\fB\-content filename\fR" 4 -.IX Item "-content filename" -This specifies a file containing the detached content, this is only -useful with the \fB\-verify\fR command. This is only usable if the PKCS#7 -structure is using the detached signature form where the content is -not included. This option will override any content if the input format -is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied -message if encrypting or signing. If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of \s-1MIME \s0 -type text/plain then an error occurs. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. -.IP "\fB\-CApath dir\fR" 4 -.IX Item "-CApath dir" -a directory containing trusted \s-1CA\s0 certificates, only used with -\&\fB\-verify\fR. This directory must be a standard certificate directory: that -is a hash of each subject name (using \fBx509 \-hash\fR) should be linked -to each certificate. -.IP "\fB\-md digest\fR" 4 -.IX Item "-md digest" -digest algorithm to use when signing or resigning. If not present then the -default digest algorithm for the signing key will be used (usually \s-1SHA1\s0). -.IP "\fB\-[cipher]\fR" 4 -.IX Item "-[cipher]" -the encryption algorithm to use. 
For example \s-1DES \s0(56 bits) \- \fB\-des\fR, -triple \s-1DES \s0(168 bits) \- \fB\-des3\fR, -\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for -example \fB\-aes_128_cbc\fR. See \fBenc\fR for list of ciphers -supported by your version of OpenSSL. -.Sp -If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR. -.IP "\fB\-nointern\fR" 4 -.IX Item "-nointern" -when verifying a message normally certificates (if any) included in -the message are searched for the signing certificate. With this option -only the certificates specified in the \fB\-certfile\fR option are used. -The supplied certificates can still be used as untrusted CAs however. -.IP "\fB\-noverify\fR" 4 -.IX Item "-noverify" -do not verify the signers certificate of a signed message. -.IP "\fB\-nochain\fR" 4 -.IX Item "-nochain" -do not do chain verification of signers certificates: that is don't -use the certificates in the signed message as untrusted CAs. -.IP "\fB\-nosigs\fR" 4 -.IX Item "-nosigs" -don't try to verify the signatures on the message. -.IP "\fB\-nocerts\fR" 4 -.IX Item "-nocerts" -when signing a message the signer's certificate is normally included -with this option it is excluded. This will reduce the size of the -signed message but the verifier must have a copy of the signers certificate -available locally (passed using the \fB\-certfile\fR option for example). -.IP "\fB\-noattr\fR" 4 -.IX Item "-noattr" -normally when a message is signed a set of attributes are included which -include the signing time and supported symmetric algorithms. With this -option they are not included. -.IP "\fB\-binary\fR" 4 -.IX Item "-binary" -normally the input message is converted to \*(L"canonical\*(R" format which is -effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME -specification. When this option is present no translation occurs. This -is useful when handling binary data which may not be in \s-1MIME\s0 format. 
-.IP "\fB\-nodetach\fR" 4 -.IX Item "-nodetach" -when signing a message use opaque signing: this form is more resistant -to translation by mail relays but it cannot be read by mail agents that -do not support S/MIME. Without this option cleartext signing with -the \s-1MIME\s0 type multipart/signed is used. -.IP "\fB\-certfile file\fR" 4 -.IX Item "-certfile file" -allows additional certificates to be specified. When signing these will -be included with the message. When verifying these will be searched for -the signers certificates. The certificates should be in \s-1PEM\s0 format. -.IP "\fB\-signer file\fR" 4 -.IX Item "-signer file" -a signing certificate when signing or resigning a message, this option can be -used multiple times if more than one signer is required. If a message is being -verified then the signers certificates will be written to this file if the -verification was successful. -.IP "\fB\-recip file\fR" 4 -.IX Item "-recip file" -the recipients certificate when decrypting a message. This certificate -must match one of the recipients of the message or an error occurs. -.IP "\fB\-inkey file\fR" 4 -.IX Item "-inkey file" -the private key to use when signing or decrypting. This must match the -corresponding certificate. If this option is not specified then the -private key must be included in the certificate file specified with -the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used -multiple times to specify successive keys. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the private key password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. 
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fBcert.pem...\fR" 4 -.IX Item "cert.pem..." -one or more certificates of message recipients: used when encrypting -a message. -.IP "\fB\-to, \-from, \-subject\fR" 4 -.IX Item "-to, -from, -subject" -the relevant mail headers. These are included outside the signed -portion of a message so they may be included manually. If signing -then many S/MIME mail clients check the signers certificate's email -address matches that specified in the 
From: address. -.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig \-no_alt_chains\fR" 4 -.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains" -Set various options of certificate chain verification. See -\&\fBverify\fR manual page for details. -.SH "NOTES" -.IX Header "NOTES" -The \s-1MIME\s0 message must be sent without any blank lines between the -headers and the output. Some mail programs will automatically add -a blank line. Piping the mail directly to sendmail is one way to -achieve the correct format. -.PP -The supplied message to be signed or encrypted must include the -necessary \s-1MIME\s0 headers or many S/MIME clients wont display it -properly (if at all). You can use the \fB\-text\fR option to automatically -add plain text headers. -.PP -A \*(L"signed and encrypted\*(R" message is one where a signed message is -then encrypted. This can be produced by encrypting an already signed -message: see the examples section. -.PP -This version of the program only allows one signer per message but it -will verify multiple signers on received messages. Some S/MIME clients -choke if a message contains multiple signers. It is possible to sign -messages \*(L"in parallel\*(R" by signing an already signed message. -.PP -The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME -clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 -encrypted data is used for other purposes. -.PP -The \fB\-resign\fR option uses an existing message digest when adding a new -signer. This means that attributes must be present in at least one existing -signer using the same message digest or this operation will fail. -.PP -The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support. 
-As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding -and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the -\&\fB\-sign\fR operation if the content is not detached. -.PP -Streaming is always used for the \fB\-sign\fR operation with detached data but -since the content is no longer part of the PKCS#7 structure the encoding -remains \s-1DER.\s0 -.SH "EXIT CODES" -.IX Header "EXIT CODES" -.IP "0" 4 -the operation was completely successfully. -.IP "1" 4 -.IX Item "1" -an error occurred parsing the command options. -.IP "2" 4 -.IX Item "2" -one of the input files could not be read. -.IP "3" 4 -.IX Item "3" -an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0 -message. -.IP "4" 4 -.IX Item "4" -an error occurred decrypting or verifying the message. -.IP "5" 4 -.IX Item "5" -the message was verified correctly but an error occurred writing out -the signers certificates. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Create a cleartext signed message: -.PP -.Vb 2 -\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e -\& \-signer mycert.pem -.Ve -.PP -Create an opaque signed message: -.PP -.Vb 2 -\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e -\& \-signer mycert.pem -.Ve -.PP -Create a signed message, include some additional certificates and -read the private key from another file: -.PP -.Vb 2 -\& openssl smime \-sign \-in in.txt \-text \-out mail.msg \e -\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem -.Ve -.PP -Create a signed message with two signers: -.PP -.Vb 2 -\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e -\& \-signer mycert.pem \-signer othercert.pem -.Ve -.PP -Send a signed message under Unix directly to sendmail, including headers: -.PP -.Vb 3 -\& openssl smime \-sign \-in in.txt \-text \-signer mycert.pem \e -\& \-from steve@openssl.org \-to someone@somewhere \e -\& \-subject "Signed message" | 
sendmail someone@somewhere -.Ve -.PP -Verify a message and extract the signer's certificate if successful: -.PP -.Vb 1 -\& openssl smime \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt -.Ve -.PP -Send encrypted mail using triple \s-1DES:\s0 -.PP -.Vb 3 -\& openssl smime \-encrypt \-in in.txt \-from steve@openssl.org \e -\& \-to someone@somewhere \-subject "Encrypted message" \e -\& \-des3 user.pem \-out mail.msg -.Ve -.PP -Sign and encrypt mail: -.PP -.Vb 4 -\& openssl smime \-sign \-in ml.txt \-signer my.pem \-text \e -\& | openssl smime \-encrypt \-out mail.msg \e -\& \-from steve@openssl.org \-to someone@somewhere \e -\& \-subject "Signed and Encrypted message" \-des3 user.pem -.Ve -.PP -Note: the encryption command does not include the \fB\-text\fR option because the -message being encrypted already has \s-1MIME\s0 headers. -.PP -Decrypt mail: -.PP -.Vb 1 -\& openssl smime \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem -.Ve -.PP -The output from Netscape form signing is a PKCS#7 structure with the -detached signature format. 
You can use this program to verify the -signature by line wrapping the base64 encoded structure and surrounding -it with: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\- -\& \-\-\-\-\-END PKCS7\-\-\-\-\- -.Ve -.PP -and using the command: -.PP -.Vb 1 -\& openssl smime \-verify \-inform PEM \-in signature.pem \-content content.txt -.Ve -.PP -Alternatively you can base64 decode the signature and use: -.PP -.Vb 1 -\& openssl smime \-verify \-inform DER \-in signature.der \-content content.txt -.Ve -.PP -Create an encrypted message using 128 bit Camellia: -.PP -.Vb 1 -\& openssl smime \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem -.Ve -.PP -Add a signer to an existing message: -.PP -.Vb 1 -\& openssl smime \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg -.Ve -.SH "BUGS" -.IX Header "BUGS" -The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've -thrown at it but it may choke on others. -.PP -The code currently will only write out the signer's certificate to a file: if -the signer has a separate encryption certificate this must be manually -extracted. There should be some heuristic that determines the correct -encryption certificate. -.PP -Ideally a database should be maintained of a certificates for each email -address. -.PP -The code doesn't currently take note of the permitted symmetric encryption -algorithms as supplied in the SMIMECapabilities signed attribute. This means the -user has to manually include the correct encryption algorithm. It should store -the list of permitted ciphers in a database and only use those. -.PP -No revocation checking is done on the signer's certificate. -.PP -The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 -structures may cause parsing errors. 
-.SH "HISTORY" -.IX Header "HISTORY" -The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first -added in OpenSSL 1.0.0 -.PP -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/usr.bin/openssl/man/speed.1 b/usr.bin/openssl/man/speed.1 deleted file mode 100644 index a5afdabe0f..0000000000 --- a/usr.bin/openssl/man/speed.1 +++ /dev/null 
@@ -1,186 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SPEED 1" -.TH SPEED 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -speed \- test library performance -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl speed\fR -[\fB\-engine id\fR] -[\fBmd2\fR] -[\fBmdc2\fR] -[\fBmd5\fR] -[\fBhmac\fR] -[\fBsha1\fR] -[\fBrmd160\fR] -[\fBidea-cbc\fR] -[\fBrc2\-cbc\fR] -[\fBrc5\-cbc\fR] -[\fBbf-cbc\fR] -[\fBdes-cbc\fR] -[\fBdes\-ede3\fR] -[\fBrc4\fR] -[\fBrsa512\fR] -[\fBrsa1024\fR] -[\fBrsa2048\fR] -[\fBrsa4096\fR] -[\fBdsa512\fR] -[\fBdsa1024\fR] -[\fBdsa2048\fR] -[\fBidea\fR] -[\fBrc2\fR] -[\fBdes\fR] -[\fBrsa\fR] -[\fBblowfish\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This command is used to test the performance of cryptographic algorithms. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBspeed\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.IP "\fB[zero or more test algorithms]\fR" 4 -.IX Item "[zero or more test algorithms]" -If any options are given, \fBspeed\fR tests those algorithms, otherwise all of -the above are tested. diff --git a/usr.bin/openssl/man/spkac.1 b/usr.bin/openssl/man/spkac.1 deleted file mode 100644 index 4fef3f09c8..0000000000 --- a/usr.bin/openssl/man/spkac.1 +++ /dev/null 
@@ -1,256 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SPKAC 1" -.TH SPKAC 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -spkac \- SPKAC printing and generating utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBspkac\fR -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-key keyfile\fR] -[\fB\-passin arg\fR] -[\fB\-challenge string\fR] -[\fB\-pubkey\fR] -[\fB\-spkac spkacname\fR] -[\fB\-spksect section\fR] -[\fB\-noout\fR] -[\fB\-verify\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBspkac\fR command processes Netscape signed public key and challenge -(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and -produce its own SPKACs from a supplied private key. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read from or standard input if this -option is not specified. Ignored if the \fB\-key\fR option is used. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -specifies the output filename to write to or standard output by -default. -.IP "\fB\-key keyfile\fR" 4 -.IX Item "-key keyfile" -create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The -\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if -present. -.IP "\fB\-passin password\fR" 4 -.IX Item "-passin password" -the input file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-challenge string\fR" 4 -.IX Item "-challenge string" -specifies the challenge string if an \s-1SPKAC\s0 is being created. -.IP "\fB\-spkac spkacname\fR" 4 -.IX Item "-spkac spkacname" -allows an alternative name form the variable containing the -\&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both -generated and input \s-1SPKAC\s0 files. 
-.IP "\fB\-spksect section\fR" 4 -.IX Item "-spksect section" -allows an alternative name form the section containing the -\&\s-1SPKAC.\s0 The default is the default section. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -don't output the text version of the \s-1SPKAC \s0(not used if an -\&\s-1SPKAC\s0 is being created). -.IP "\fB\-pubkey\fR" 4 -.IX Item "-pubkey" -output the public key of an \s-1SPKAC \s0(not used if an \s-1SPKAC\s0 is -being created). -.IP "\fB\-verify\fR" 4 -.IX Item "-verify" -verifies the digital signature on the supplied \s-1SPKAC.\s0 -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Print out the contents of an \s-1SPKAC:\s0 -.PP -.Vb 1 -\& openssl spkac \-in spkac.cnf -.Ve -.PP -Verify the signature of an \s-1SPKAC:\s0 -.PP -.Vb 1 -\& openssl spkac \-in spkac.cnf \-noout \-verify -.Ve -.PP -Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R": -.PP -.Vb 1 -\& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf -.Ve -.PP -Example of an \s-1SPKAC, \s0(long lines split up for clarity): -.PP -.Vb 5 -\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e -\& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e -\& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e -\& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e -\& 4= -.Ve -.SH "NOTES" -.IX Header "NOTES" -A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into -the \fBca\fR utility. -.PP -SPKACs are typically generated by Netscape when a form is submitted -containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment -process. 
-.PP -The challenge string permits a primitive form of proof of possession -of private key. By checking the \s-1SPKAC\s0 signature and a random challenge -string some guarantee is given that the user knows the private key -corresponding to the public key being certified. This is important in -some applications. Without this it is possible for a previous \s-1SPKAC\s0 -to be used in a \*(L"replay attack\*(R". -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIca\fR\|(1) diff --git a/usr.bin/openssl/man/ts.1 b/usr.bin/openssl/man/ts.1 deleted file mode 100644 index a03a2f2298..0000000000 --- a/usr.bin/openssl/man/ts.1 +++ /dev/null 
@@ -1,658 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "TS 1" -.TH TS 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -ts \- Time Stamping Authority tool (client/server) -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBts\fR -\&\fB\-query\fR -[\fB\-rand\fR file:file...] -[\fB\-config\fR configfile] -[\fB\-data\fR file_to_hash] -[\fB\-digest\fR digest_bytes] -[\fB\-md2\fR|\fB\-md4\fR|\fB\-md5\fR|\fB\-sha\fR|\fB\-sha1\fR|\fB\-mdc2\fR|\fB\-ripemd160\fR|\fB...\fR] -[\fB\-policy\fR object_id] -[\fB\-no_nonce\fR] -[\fB\-cert\fR] -[\fB\-in\fR request.tsq] -[\fB\-out\fR request.tsq] -[\fB\-text\fR] -.PP -\&\fBopenssl\fR \fBts\fR -\&\fB\-reply\fR -[\fB\-config\fR configfile] -[\fB\-section\fR tsa_section] -[\fB\-queryfile\fR request.tsq] -[\fB\-passin\fR password_src] -[\fB\-signer\fR tsa_cert.pem] -[\fB\-inkey\fR private.pem] -[\fB\-chain\fR certs_file.pem] -[\fB\-policy\fR object_id] -[\fB\-in\fR response.tsr] -[\fB\-token_in\fR] -[\fB\-out\fR response.tsr] -[\fB\-token_out\fR] -[\fB\-text\fR] -[\fB\-engine\fR id] -.PP -\&\fBopenssl\fR \fBts\fR -\&\fB\-verify\fR -[\fB\-data\fR file_to_hash] -[\fB\-digest\fR digest_bytes] -[\fB\-queryfile\fR request.tsq] -[\fB\-in\fR response.tsr] -[\fB\-token_in\fR] -[\fB\-CApath\fR trusted_cert_path] -[\fB\-CAfile\fR trusted_certs.pem] -[\fB\-untrusted\fR cert_file.pem] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server -application as specified in \s-1RFC 3161 \s0(Time-Stamp Protocol, \s-1TSP\s0). A -\&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long -term proof of the existence of a certain datum before a particular -time. Here is a brief description of the protocol: -.IP "1." 4 -The \s-1TSA\s0 client computes a one-way hash value for a data file and sends -the hash to the \s-1TSA.\s0 -.IP "2." 4 -The \s-1TSA\s0 attaches the current date and time to the received hash value, -signs them and sends the time stamp token back to the client. 
By -creating this token the \s-1TSA\s0 certifies the existence of the original -data file at the time of response generation. -.IP "3." 4 -The \s-1TSA\s0 client receives the time stamp token and verifies the -signature on it. It also checks if the token contains the same hash -value that it had sent to the \s-1TSA.\s0 -.PP -There is one \s-1DER\s0 encoded protocol data unit defined for transporting a time -stamp request to the \s-1TSA\s0 and one for sending the time stamp response -back to the client. The \fBts\fR command has three main functions: -creating a time stamp request based on a data file, -creating a time stamp response based on a request, verifying if a -response corresponds to a particular request or a data file. -.PP -There is no support for sending the requests/responses automatically -over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC 3161.\s0 The users must send the -requests either by ftp or e\-mail. -.SH "OPTIONS" -.IX Header "OPTIONS" -.SS "Time Stamp Request generation" -.IX Subsection "Time Stamp Request generation" -The \fB\-query\fR switch can be used for creating and printing a time stamp -request with the following options: -.IP "\fB\-rand\fR file:file..." 4 -.IX Item "-rand file:file..." -The files containing random data for seeding the random number -generator. Multiple files can be specified, the separator is \fB;\fR for -MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional) -.IP "\fB\-config\fR configfile" 4 -.IX Item "-config configfile" -The configuration file to use, this option overrides the -\&\fB\s-1OPENSSL_CONF\s0\fR environment variable. Only the \s-1OID\s0 section -of the config file is used with the \fB\-query\fR command. (Optional) -.IP "\fB\-data\fR file_to_hash" 4 -.IX Item "-data file_to_hash" -The data file for which the time stamp request needs to be -created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR -parameter is specified. 
(Optional) -.IP "\fB\-digest\fR digest_bytes" 4 -.IX Item "-digest digest_bytes" -It is possible to specify the message imprint explicitly without the data -file. The imprint must be specified in a hexadecimal format, two characters -per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or -1AF601...). The number of bytes must match the message digest algorithm -in use. (Optional) -.IP "\fB\-md2\fR|\fB\-md4\fR|\fB\-md5\fR|\fB\-sha\fR|\fB\-sha1\fR|\fB\-mdc2\fR|\fB\-ripemd160\fR|\fB...\fR" 4 -.IX Item "-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160|..." -The message digest to apply to the data file, it supports all the message -digest algorithms that are supported by the openssl \fBdgst\fR command. -The default is \s-1SHA\-1. \s0(Optional) -.IP "\fB\-policy\fR object_id" 4 -.IX Item "-policy object_id" -The policy that the client expects the \s-1TSA\s0 to use for creating the -time stamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined -in the config file can be used. If no policy is requested the \s-1TSA\s0 will -use its own default policy. (Optional) -.IP "\fB\-no_nonce\fR" 4 -.IX Item "-no_nonce" -No nonce is specified in the request if this option is -given. Otherwise a 64 bit long pseudo-random none is -included in the request. It is recommended to use nonce to -protect against replay-attacks. (Optional) -.IP "\fB\-cert\fR" 4 -.IX Item "-cert" -The \s-1TSA\s0 is expected to include its signing certificate in the -response. (Optional) -.IP "\fB\-in\fR request.tsq" 4 -.IX Item "-in request.tsq" -This option specifies a previously created time stamp request in \s-1DER\s0 -format that will be printed into the output file. Useful when you need -to examine the content of a request in human-readable -.Sp -format. (Optional) -.IP "\fB\-out\fR request.tsq" 4 -.IX Item "-out request.tsq" -Name of the output file to which the request will be written. Default -is stdout. 
(Optional) -.IP "\fB\-text\fR" 4 -.IX Item "-text" -If this option is specified the output is human-readable text format -instead of \s-1DER. \s0(Optional) -.SS "Time Stamp Response generation" -.IX Subsection "Time Stamp Response generation" -A time stamp response (TimeStampResp) consists of a response status -and the time stamp token itself (ContentInfo), if the token generation was -successful. The \fB\-reply\fR command is for creating a time stamp -response or time stamp token based on a request and printing the -response/token in human-readable format. If \fB\-token_out\fR is not -specified the output is always a time stamp response (TimeStampResp), -otherwise it is a time stamp token (ContentInfo). -.IP "\fB\-config\fR configfile" 4 -.IX Item "-config configfile" -The configuration file to use, this option overrides the -\&\fB\s-1OPENSSL_CONF\s0\fR environment variable. See \fB\s-1CONFIGURATION FILE -OPTIONS\s0\fR for configurable variables. (Optional) -.IP "\fB\-section\fR tsa_section" 4 -.IX Item "-section tsa_section" -The name of the config file section conatining the settings for the -response generation. If not specified the default \s-1TSA\s0 section is -used, see \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for details. (Optional) -.IP "\fB\-queryfile\fR request.tsq" 4 -.IX Item "-queryfile request.tsq" -The name of the file containing a \s-1DER\s0 encoded time stamp request. (Optional) -.IP "\fB\-passin\fR password_src" 4 -.IX Item "-passin password_src" -Specifies the password source for the private key of the \s-1TSA.\s0 See -\&\fB\s-1PASS PHRASE ARGUMENTS\s0\fR in \fIopenssl\fR\|(1). (Optional) -.IP "\fB\-signer\fR tsa_cert.pem" 4 -.IX Item "-signer tsa_cert.pem" -The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing -certificate must have exactly one extended key usage assigned to it: -timeStamping. The extended key usage must also be critical, otherwise -the certificate is going to be refused. 
Overrides the \fBsigner_cert\fR -variable of the config file. (Optional) -.IP "\fB\-inkey\fR private.pem" 4 -.IX Item "-inkey private.pem" -The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the -\&\fBsigner_key\fR config file option. (Optional) -.IP "\fB\-chain\fR certs_file.pem" 4 -.IX Item "-chain certs_file.pem" -The collection of certificates in \s-1PEM\s0 format that will all -be included in the response in addition to the signer certificate if -the \fB\-cert\fR option was used for the request. This file is supposed to -contain the certificate chain for the signer certificate from its -issuer upwards. The \fB\-reply\fR command does not build a certificate -chain automatically. (Optional) -.IP "\fB\-policy\fR object_id" 4 -.IX Item "-policy object_id" -The default policy to use for the response unless the client -explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified -either in dotted notation or with its name. Overrides the -\&\fBdefault_policy\fR config file option. (Optional) -.IP "\fB\-in\fR response.tsr" 4 -.IX Item "-in response.tsr" -Specifies a previously created time stamp response or time stamp token -(if \fB\-token_in\fR is also specified) in \s-1DER\s0 format that will be written -to the output file. This option does not require a request, it is -useful e.g. when you need to examine the content of a response or -token or you want to extract the time stamp token from a response. If -the input is a token and the output is a time stamp response a default -\&'granted' status info is added to the token. (Optional) -.IP "\fB\-token_in\fR" 4 -.IX Item "-token_in" -This flag can be used together with the \fB\-in\fR option and indicates -that the input is a \s-1DER\s0 encoded time stamp token (ContentInfo) instead -of a time stamp response (TimeStampResp). (Optional) -.IP "\fB\-out\fR response.tsr" 4 -.IX Item "-out response.tsr" -The response is written to this file. 
The format and content of the -file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is -stdout. (Optional) -.IP "\fB\-token_out\fR" 4 -.IX Item "-token_out" -The output is a time stamp token (ContentInfo) instead of time stamp -response (TimeStampResp). (Optional) -.IP "\fB\-text\fR" 4 -.IX Item "-text" -If this option is specified the output is human-readable text format -instead of \s-1DER. \s0(Optional) -.IP "\fB\-engine\fR id" 4 -.IX Item "-engine id" -Specifying an engine (by its unique \fBid\fR string) will cause \fBts\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. Default is builtin. (Optional) -.SS "Time Stamp Response verification" -.IX Subsection "Time Stamp Response verification" -The \fB\-verify\fR command is for verifying if a time stamp response or time -stamp token is valid and matches a particular time stamp request or -data file. The \fB\-verify\fR command does not use the configuration file. -.IP "\fB\-data\fR file_to_hash" 4 -.IX Item "-data file_to_hash" -The response or token must be verified against file_to_hash. The file -is hashed with the message digest algorithm specified in the token. -The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one. -(Optional) -.IP "\fB\-digest\fR digest_bytes" 4 -.IX Item "-digest digest_bytes" -The response or token must be verified against the message digest specified -with this option. The number of bytes must match the message digest algorithm -specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be -specified with this one. (Optional) -.IP "\fB\-queryfile\fR request.tsq" 4 -.IX Item "-queryfile request.tsq" -The original time stamp request in \s-1DER\s0 format. The \fB\-data\fR and \fB\-digest\fR -options must not be specified with this one. 
(Optional) -.IP "\fB\-in\fR response.tsr" 4 -.IX Item "-in response.tsr" -The time stamp response that needs to be verified in \s-1DER\s0 format. (Mandatory) -.IP "\fB\-token_in\fR" 4 -.IX Item "-token_in" -This flag can be used together with the \fB\-in\fR option and indicates -that the input is a \s-1DER\s0 encoded time stamp token (ContentInfo) instead -of a time stamp response (TimeStampResp). (Optional) -.IP "\fB\-CApath\fR trusted_cert_path" 4 -.IX Item "-CApath trusted_cert_path" -The name of the directory containing the trused \s-1CA\s0 certificates of the -client. See the similar option of \fIverify\fR\|(1) for additional -details. Either this option or \fB\-CAfile\fR must be specified. (Optional) -.IP "\fB\-CAfile\fR trusted_certs.pem" 4 -.IX Item "-CAfile trusted_certs.pem" -The name of the file containing a set of trusted self-signed \s-1CA \s0 -certificates in \s-1PEM\s0 format. See the similar option of -\&\fIverify\fR\|(1) for additional details. Either this option -or \fB\-CApath\fR must be specified. -(Optional) -.IP "\fB\-untrusted\fR cert_file.pem" 4 -.IX Item "-untrusted cert_file.pem" -Set of additional untrusted certificates in \s-1PEM\s0 format which may be -needed when building the certificate chain for the \s-1TSA\s0's signing -certificate. This file must contain the \s-1TSA\s0 signing certificate and -all intermediate \s-1CA\s0 certificates unless the response includes them. -(Optional) -.SH "CONFIGURATION FILE OPTIONS" -.IX Header "CONFIGURATION FILE OPTIONS" -The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file -defined by the \fB\s-1OPENSSL_CONF\s0\fR environment variable. See \fIconfig\fR\|(5) -for a general description of the syntax of the config file. The -\&\fB\-query\fR command uses only the symbolic \s-1OID\s0 names section -and it can work without it. However, the \fB\-reply\fR command needs the -config file for its operation. 
-.PP -When there is a command line switch equivalent of a variable the -switch always overrides the settings in the config file. -.IP "\fBtsa\fR section, \fBdefault_tsa\fR" 4 -.IX Item "tsa section, default_tsa" -This is the main section and it specifies the name of another section -that contains all the options for the \fB\-reply\fR command. This default -section can be overridden with the \fB\-section\fR command line switch. (Optional) -.IP "\fBoid_file\fR" 4 -.IX Item "oid_file" -See \fIca\fR\|(1) for description. (Optional) -.IP "\fBoid_section\fR" 4 -.IX Item "oid_section" -See \fIca\fR\|(1) for description. (Optional) -.IP "\fB\s-1RANDFILE\s0\fR" 4 -.IX Item "RANDFILE" -See \fIca\fR\|(1) for description. (Optional) -.IP "\fBserial\fR" 4 -.IX Item "serial" -The name of the file containing the hexadecimal serial number of the -last time stamp response created. This number is incremented by 1 for -each response. If the file does not exist at the time of response -generation a new file is created with serial number 1. (Mandatory) -.IP "\fBcrypto_device\fR" 4 -.IX Item "crypto_device" -Specifies the OpenSSL engine that will be set as the default for -all available algorithms. The default value is builtin, you can specify -any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0). -(Optional) -.IP "\fBsigner_cert\fR" 4 -.IX Item "signer_cert" -\&\s-1TSA\s0 signing certificate in \s-1PEM\s0 format. The same as the \fB\-signer\fR -command line option. (Optional) -.IP "\fBcerts\fR" 4 -.IX Item "certs" -A file containing a set of \s-1PEM\s0 encoded certificates that need to be -included in the response. The same as the \fB\-chain\fR command line -option. (Optional) -.IP "\fBsigner_key\fR" 4 -.IX Item "signer_key" -The private key of the \s-1TSA\s0 in \s-1PEM\s0 format. The same as the \fB\-inkey\fR -command line option. 
(Optional) -.IP "\fBdefault_policy\fR" 4 -.IX Item "default_policy" -The default policy to use when the request does not mandate any -policy. The same as the \fB\-policy\fR command line option. (Optional) -.IP "\fBother_policies\fR" 4 -.IX Item "other_policies" -Comma separated list of policies that are also acceptable by the \s-1TSA\s0 -and used only if the request explicitly specifies one of them. (Optional) -.IP "\fBdigests\fR" 4 -.IX Item "digests" -The list of message digest algorithms that the \s-1TSA\s0 accepts. At least -one algorithm must be specified. (Mandatory) -.IP "\fBaccuracy\fR" 4 -.IX Item "accuracy" -The accuracy of the time source of the \s-1TSA\s0 in seconds, milliseconds -and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of -the components is missing zero is assumed for that field. (Optional) -.IP "\fBclock_precision_digits\fR" 4 -.IX Item "clock_precision_digits" -Specifies the maximum number of digits, which represent the fraction of -seconds, that need to be included in the time field. The trailing zeroes -must be removed from the time, so there might actually be fewer digits, -or no fraction of seconds at all. Supported only on \s-1UNIX\s0 platforms. -The maximum value is 6, default is 0. -(Optional) -.IP "\fBordering\fR" 4 -.IX Item "ordering" -If this option is yes the responses generated by this \s-1TSA\s0 can always -be ordered, even if the time difference between two responses is less -than the sum of their accuracies. Default is no. (Optional) -.IP "\fBtsa_name\fR" 4 -.IX Item "tsa_name" -Set this option to yes if the subject name of the \s-1TSA\s0 must be included in -the \s-1TSA\s0 name field of the response. Default is no. (Optional) -.IP "\fBess_cert_id_chain\fR" 4 -.IX Item "ess_cert_id_chain" -The SignedData objects created by the \s-1TSA\s0 always contain the -certificate identifier of the signing certificate in a signed -attribute (see \s-1RFC 2634,\s0 Enhanced Security Services). 
If this option -is set to yes and either the \fBcerts\fR variable or the \fB\-chain\fR option -is specified then the certificate identifiers of the chain will also -be included in the SigningCertificate signed attribute. If this -variable is set to no, only the signing certificate identifier is -included. Default is no. (Optional) -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -\&\fB\s-1OPENSSL_CONF\s0\fR contains the path of the configuration file and can be -overridden by the \fB\-config\fR command line option. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper -configuration file, e.g. the example configuration file -openssl/apps/openssl.cnf will do. -.SS "Time Stamp Request" -.IX Subsection "Time Stamp Request" -To create a time stamp request for design1.txt with \s-1SHA\-1 \s0 -without nonce and policy and no certificate is required in the response: -.PP -.Vb 2 -\& openssl ts \-query \-data design1.txt \-no_nonce \e -\& \-out design1.tsq -.Ve -.PP -To create a similar time stamp request with specifying the message imprint -explicitly: -.PP -.Vb 2 -\& openssl ts \-query \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e -\& \-no_nonce \-out design1.tsq -.Ve -.PP -To print the content of the previous request in human readable format: -.PP -.Vb 1 -\& openssl ts \-query \-in design1.tsq \-text -.Ve -.PP -To create a time stamp request which includes the \s-1MD\-5\s0 digest -of design2.txt, requests the signer certificate and nonce, -specifies a policy id (assuming the tsa_policy1 name is defined in the -\&\s-1OID\s0 section of the config file): -.PP -.Vb 2 -\& openssl ts \-query \-data design2.txt \-md5 \e -\& \-policy tsa_policy1 \-cert \-out design2.tsq -.Ve -.SS "Time Stamp Response" -.IX Subsection "Time Stamp Response" -Before generating a response a signing certificate must be created for -the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage 
extension -without any other key usage extensions. You can add the -\&'extendedKeyUsage = critical,timeStamping' line to the user certificate section -of the config file to generate a proper certificate. See \fIreq\fR\|(1), -\&\fIca\fR\|(1), \fIx509\fR\|(1) for instructions. The examples -below assume that cacert.pem contains the certificate of the \s-1CA,\s0 -tsacert.pem is the signing certificate issued by cacert.pem and -tsakey.pem is the private key of the \s-1TSA.\s0 -.PP -To create a time stamp response for a request: -.PP -.Vb 2 -\& openssl ts \-reply \-queryfile design1.tsq \-inkey tsakey.pem \e -\& \-signer tsacert.pem \-out design1.tsr -.Ve -.PP -If you want to use the settings in the config file you could just write: -.PP -.Vb 1 -\& openssl ts \-reply \-queryfile design1.tsq \-out design1.tsr -.Ve -.PP -To print a time stamp reply to stdout in human readable format: -.PP -.Vb 1 -\& openssl ts \-reply \-in design1.tsr \-text -.Ve -.PP -To create a time stamp token instead of time stamp response: -.PP -.Vb 1 -\& openssl ts \-reply \-queryfile design1.tsq \-out design1_token.der \-token_out -.Ve -.PP -To print a time stamp token to stdout in human readable format: -.PP -.Vb 1 -\& openssl ts \-reply \-in design1_token.der \-token_in \-text \-token_out -.Ve -.PP -To extract the time stamp token from a response: -.PP -.Vb 1 -\& openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out -.Ve -.PP -To add 'granted' status info to a time stamp token thereby creating a -valid response: -.PP -.Vb 1 -\& openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr -.Ve -.SS "Time Stamp Verification" -.IX Subsection "Time Stamp Verification" -To verify a time stamp reply against a request: -.PP -.Vb 2 -\& openssl ts \-verify \-queryfile design1.tsq \-in design1.tsr \e -\& \-CAfile cacert.pem \-untrusted tsacert.pem -.Ve -.PP -To verify a time stamp reply that includes the certificate chain: -.PP -.Vb 2 -\& openssl ts \-verify \-queryfile 
design2.tsq \-in design2.tsr \e
-\& \-CAfile cacert.pem
-.Ve
-.PP
-To verify a time stamp token against the original data file:
- openssl ts \-verify \-data design2.txt \-in design2.tsr \e
- \-CAfile cacert.pem
-.PP
-To verify a time stamp token against a message imprint:
- openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
- \-in design2.tsr \-CAfile cacert.pem
-.PP
-You could also look at the 'test' directory for more examples.
-.SH "BUGS"
-.IX Header "BUGS"
-If you find any bugs or you have suggestions please write to
-Zoltan Glozik . Known issues:
-.IP "\(bu" 4
-No support for time stamps over \s-1SMTP,\s0 though it is quite easy
-to implement an automatic e\-mail based \s-1TSA\s0 with \fIprocmail\fR\|(1)
-and \fIperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of
-a separate apache module. \s-1HTTP\s0 client support is provided by
-\&\fItsget\fR\|(1). Pure \s-1TCP/IP\s0 protocol is not supported.
-.IP "\(bu" 4
-The file containing the last serial number of the \s-1TSA\s0 is not
-locked when being read or written. This is a problem if more than one
-instance of \fIopenssl\fR\|(1) is trying to create a time stamp
-response at the same time. This is not an issue when using the apache
-server module, it does proper locking.
-.IP "\(bu" 4
-Look for the \s-1FIXME\s0 word in the source files.
-.IP "\(bu" 4
-The source code should really be reviewed by somebody else, too.
-.IP "\(bu" 4
-More testing is needed, I have done only some basic tests (see
-test/testtsa).
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Zoltan Glozik , OpenTSA project (http://www.opentsa.org)
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fItsget\fR\|(1), \fIopenssl\fR\|(1), \fIreq\fR\|(1),
-\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1),
-\&\fIconfig\fR\|(5)
diff --git a/usr.bin/openssl/man/tsget.1 b/usr.bin/openssl/man/tsget.1
deleted file mode 100644
index c3a3005b1c..0000000000
--- a/usr.bin/openssl/man/tsget.1
+++ /dev/null
@@ -1,320 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "TSGET 1" -.TH TSGET 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -tsget \- Time Stamping HTTP/HTTPS client -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBtsget\fR -\&\fB\-h\fR server_url -[\fB\-e\fR extension] -[\fB\-o\fR output] -[\fB\-v\fR] -[\fB\-d\fR] -[\fB\-k\fR private_key.pem] -[\fB\-p\fR key_password] -[\fB\-c\fR client_cert.pem] -[\fB\-C\fR CA_certs.pem] -[\fB\-P\fR CA_path] -[\fB\-r\fR file:file...] -[\fB\-g\fR EGD_socket] -[request]... -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBtsget\fR command can be used for sending a time stamp request, as -specified in \fB\s-1RFC 3161\s0\fR, to a time stamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing -the time stamp response in a file. This tool cannot be used for creating the -requests and verifying responses, you can use the OpenSSL \fB\f(BIts\fB\|(1)\fR command to -do that. \fBtsget\fR can send several requests to the server without closing -the \s-1TCP\s0 connection if more than one requests are specified on the command -line. -.PP -The tool sends the following \s-1HTTP\s0 request for each time stamp request: -.PP -.Vb 7 -\& POST url HTTP/1.1 -\& User\-Agent: OpenTSA tsget.pl/ -\& Host: : -\& Pragma: no\-cache -\& Content\-Type: application/timestamp\-query -\& Accept: application/timestamp\-reply -\& Content\-Length: length of body -\& -\& ...binary request specified by the user... -.Ve -.PP -\&\fBtsget\fR expects a response of type application/timestamp\-reply, which is -written to a file without any interpretation. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-h\fR server_url" 4 -.IX Item "-h server_url" -The \s-1URL\s0 of the \s-1HTTP/HTTPS\s0 server listening for time stamp requests. -.IP "\fB\-e\fR extension" 4 -.IX Item "-e extension" -If the \fB\-o\fR option is not given this argument specifies the extension of the -output files. The base name of the output file will be the same as those of -the input files. Default extension is '.tsr'. 
(Optional) -.IP "\fB\-o\fR output" 4 -.IX Item "-o output" -This option can be specified only when just one request is sent to the -server. The time stamp response will be written to the given output file. '\-' -means standard output. In case of multiple time stamp requests or the absence -of this argument the names of the output files will be derived from the names -of the input files and the default or specified extension argument. (Optional) -.IP "\fB\-v\fR" 4 -.IX Item "-v" -The name of the currently processed request is printed on standard -error. (Optional) -.IP "\fB\-d\fR" 4 -.IX Item "-d" -Switches on verbose mode for the underlying \fBcurl\fR library. You can see -detailed debug messages for the connection. (Optional) -.IP "\fB\-k\fR private_key.pem" 4 -.IX Item "-k private_key.pem" -(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0 - must contain the private key of the user. The private key -file can optionally be protected by a passphrase. The \fB\-c\fR option must also -be specified. (Optional) -.IP "\fB\-p\fR key_password" 4 -.IX Item "-p key_password" -(\s-1HTTPS\s0) Specifies the passphrase for the private key specified by the \fB\-k\fR -argument. If this option is omitted and the key is passphrase protected \fBtsget\fR -will ask for it. (Optional) -.IP "\fB\-c\fR client_cert.pem" 4 -.IX Item "-c client_cert.pem" -(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0 - must contain the X.509 certificate of the user. The \fB\-k\fR -option must also be specified. If this option is not specified no -certificate-based client authentication will take place. (Optional) -.IP "\fB\-C\fR CA_certs.pem" 4 -.IX Item "-C CA_certs.pem" -(\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's -certificate must include one of the \s-1CA\s0 certificates specified in this file. -Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS. 
\s0(Optional) -.IP "\fB\-P\fR CA_path" 4 -.IX Item "-P CA_path" -(\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's -certificate. The directory must be prepared with the \fBc_rehash\fR -OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of -\&\s-1HTTPS. \s0(Optional) -.IP "\fB\-rand\fR file:file..." 4 -.IX Item "-rand file:file..." -The files containing random data for seeding the random number -generator. Multiple files can be specified, the separator is \fB;\fR for -MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional) -.IP "\fB\-g\fR EGD_socket" 4 -.IX Item "-g EGD_socket" -The name of an \s-1EGD\s0 socket to get random data from. (Optional) -.IP "[request]..." 4 -.IX Item "[request]..." -List of files containing \fB\s-1RFC 3161\s0\fR DER-encoded time stamp requests. If no -requests are specified only one request will be sent to the server and it will be -read from the standard input. (Optional) -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -The \fB\s-1TSGET\s0\fR environment variable can optionally contain default -arguments. The content of this variable is added to the list of command line -arguments. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -The examples below presume that \fBfile1.tsq\fR and \fBfile2.tsq\fR contain valid -time stamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 requests -and at port 8443 for \s-1HTTPS\s0 requests, the \s-1TSA\s0 service is available at the /tsa -absolute path. 
-.PP
-Get a time stamp response for file1.tsq over \s-1HTTP,\s0 output is written to
-file1.tsr:
-.PP
-.Vb 1
-\& tsget \-h http://tsa.opentsa.org:8080/tsa file1.tsq
-.Ve
-.PP
-Get a time stamp response for file1.tsq and file2.tsq over \s-1HTTP\s0 showing
-progress, output is written to file1.reply and file2.reply respectively:
-.PP
-.Vb 2
-\& tsget \-h http://tsa.opentsa.org:8080/tsa \-v \-e .reply \e
-\& file1.tsq file2.tsq
-.Ve
-.PP
-Create a time stamp request, write it to file3.tsq, send it to the server and
-write the response to file3.tsr:
-.PP
-.Vb 3
-\& openssl ts \-query \-data file3.txt \-cert | tee file3.tsq \e
-\& | tsget \-h http://tsa.opentsa.org:8080/tsa \e
-\& \-o file3.tsr
-.Ve
-.PP
-Get a time stamp response for file1.tsq over \s-1HTTPS\s0 without client
-authentication:
-.PP
-.Vb 2
-\& tsget \-h https://tsa.opentsa.org:8443/tsa \e
-\& \-C cacerts.pem file1.tsq
-.Ve
-.PP
-Get a time stamp response for file1.tsq over \s-1HTTPS\s0 with certificate-based
-client authentication (it will ask for the passphrase if client_key.pem is
-protected):
-.PP
-.Vb 2
-\& tsget \-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e
-\& \-k client_key.pem \-c client_cert.pem file1.tsq
-.Ve
-.PP
-You can shorten the previous command line if you make use of the \fB\s-1TSGET\s0\fR
-environment variable. The following commands do the same as the previous
-example:
-.PP
-.Vb 4
-\& TSGET=\*(Aq\-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e
-\& \-k client_key.pem \-c client_cert.pem\*(Aq
-\& export TSGET
-\& tsget file1.tsq
-.Ve
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Zoltan Glozik , OpenTSA project (http://www.opentsa.org)
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIopenssl\fR\|(1), \fIts\fR\|(1), \fIcurl\fR\|(1),
-\&\fB\s-1RFC 3161\s0\fR
diff --git a/usr.bin/openssl/man/verify.1 b/usr.bin/openssl/man/verify.1
deleted file mode 100644
index ecafaf4abf..0000000000
--- a/usr.bin/openssl/man/verify.1
+++ /dev/null
@@ -1,512 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "VERIFY 1" -.TH VERIFY 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -verify \- Utility to verify certificates. 
-.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBverify\fR -[\fB\-CApath directory\fR] -[\fB\-CAfile file\fR] -[\fB\-purpose purpose\fR] -[\fB\-policy arg\fR] -[\fB\-ignore_critical\fR] -[\fB\-attime timestamp\fR] -[\fB\-check_ss_sig\fR] -[\fB\-crlfile file\fR] -[\fB\-crl_download\fR] -[\fB\-crl_check\fR] -[\fB\-crl_check_all\fR] -[\fB\-policy_check\fR] -[\fB\-explicit_policy\fR] -[\fB\-inhibit_any\fR] -[\fB\-inhibit_map\fR] -[\fB\-x509_strict\fR] -[\fB\-extended_crl\fR] -[\fB\-use_deltas\fR] -[\fB\-policy_print\fR] -[\fB\-no_alt_chains\fR] -[\fB\-untrusted file\fR] -[\fB\-help\fR] -[\fB\-issuer_checks\fR] -[\fB\-trusted file\fR] -[\fB\-verbose\fR] -[\fB\-\fR] -[certificates] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBverify\fR command verifies certificate chains. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.IP "\fB\-CApath directory\fR" 4 -.IX Item "-CApath directory" -A directory of trusted certificates. The certificates should have names -of the form: hash.0 or have symbolic links to them of this -form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option -of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically -create symbolic links to a directory of certificates. -.IP "\fB\-CAfile file\fR A file of trusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together." 4 -.IX Item "-CAfile file A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together." -.PD 0 -.IP "\fB\-attime timestamp\fR" 4 -.IX Item "-attime timestamp" -.PD -Perform validation checks using time specified by \fBtimestamp\fR and not -current system time. \fBtimestamp\fR is the number of seconds since -01.01.1970 (\s-1UNIX\s0 time). -.IP "\fB\-check_ss_sig\fR" 4 -.IX Item "-check_ss_sig" -Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default -because it doesn't add any security. 
-.IP "\fB\-crlfile file\fR" 4 -.IX Item "-crlfile file" -File containing one or more \s-1CRL\s0's (in \s-1PEM\s0 format) to load. -.IP "\fB\-crl_download\fR" 4 -.IX Item "-crl_download" -Attempt to download \s-1CRL\s0 information for this certificate. -.IP "\fB\-crl_check\fR" 4 -.IX Item "-crl_check" -Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0 -If a valid \s-1CRL\s0 cannot be found an error occurs. -.IP "\fB\-untrusted file\fR" 4 -.IX Item "-untrusted file" -A file of untrusted certificates. The file should contain multiple certificates -in \s-1PEM\s0 format concatenated together. -.IP "\fB\-purpose purpose\fR" 4 -.IX Item "-purpose purpose" -The intended use for the certificate. If this option is not specified, -\&\fBverify\fR will not consider certificate purpose during chain verification. -Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR, -\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more -information. -.IP "\fB\-help\fR" 4 -.IX Item "-help" -Print out a usage message. -.IP "\fB\-verbose\fR" 4 -.IX Item "-verbose" -Print extra information about the operations being performed. -.IP "\fB\-issuer_checks\fR" 4 -.IX Item "-issuer_checks" -Print out diagnostics relating to searches for the issuer certificate of the -current certificate. This shows why each candidate issuer certificate was -rejected. The presence of rejection messages does not itself imply that -anything is wrong; during the normal verification process, several -rejections may take place. -.IP "\fB\-policy arg\fR" 4 -.IX Item "-policy arg" -Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see -\&\s-1RFC5280\s0). The policy \fBarg\fR can be an object name an \s-1OID\s0 in numeric form. -This argument can appear more than once. -.IP "\fB\-policy_check\fR" 4 -.IX Item "-policy_check" -Enables certificate policy processing. 
-.IP "\fB\-explicit_policy\fR" 4 -.IX Item "-explicit_policy" -Set policy variable require-explicit-policy (see \s-1RFC5280\s0). -.IP "\fB\-inhibit_any\fR" 4 -.IX Item "-inhibit_any" -Set policy variable inhibit-any-policy (see \s-1RFC5280\s0). -.IP "\fB\-inhibit_map\fR" 4 -.IX Item "-inhibit_map" -Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0). -.IP "\fB\-no_alt_chains\fR" 4 -.IX Item "-no_alt_chains" -When building a certificate chain, if the first certificate chain found is not -trusted, then OpenSSL will continue to check to see if an alternative chain can -be found that is trusted. With this option that behaviour is suppressed so that -only the first chain found is ever used. Using this option will force the -behaviour to match that of previous OpenSSL versions. -.IP "\fB\-trusted file\fR" 4 -.IX Item "-trusted file" -A file of additional trusted certificates. The file should contain multiple -certificates in \s-1PEM\s0 format concatenated together. -.IP "\fB\-policy_print\fR" 4 -.IX Item "-policy_print" -Print out diagnostics related to policy processing. -.IP "\fB\-crl_check\fR" 4 -.IX Item "-crl_check" -Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0 -If a valid \s-1CRL\s0 cannot be found an error occurs. -.IP "\fB\-crl_check_all\fR" 4 -.IX Item "-crl_check_all" -Checks the validity of \fBall\fR certificates in the chain by attempting -to look up valid CRLs. -.IP "\fB\-ignore_critical\fR" 4 -.IX Item "-ignore_critical" -Normally if an unhandled critical extension is present which is not -supported by OpenSSL the certificate is rejected (as required by \s-1RFC5280\s0). -If this option is set critical extensions are ignored. -.IP "\fB\-x509_strict\fR" 4 -.IX Item "-x509_strict" -For strict X.509 compliance, disable non-compliant workarounds for broken -certificates. 
-.IP "\fB\-extended_crl\fR" 4 -.IX Item "-extended_crl" -Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0 -signing keys. -.IP "\fB\-use_deltas\fR" 4 -.IX Item "-use_deltas" -Enable support for delta CRLs. -.IP "\fB\-check_ss_sig\fR" 4 -.IX Item "-check_ss_sig" -Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default -because it doesn't add any security. -.IP "\fB\-\fR" 4 -.IX Item "-" -Indicates the last option. All arguments following this are assumed to be -certificate files. This is useful if the first certificate filename begins -with a \fB\-\fR. -.IP "\fBcertificates\fR" 4 -.IX Item "certificates" -One or more certificates to verify. If no certificates are given, \fBverify\fR -will attempt to read a certificate from standard input. Certificates must be -in \s-1PEM\s0 format. -.SH "VERIFY OPERATION" -.IX Header "VERIFY OPERATION" -The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME -verification, therefore this description applies to these verify operations -too. -.PP -There is one crucial difference between the verify operations performed -by the \fBverify\fR program: wherever possible an attempt is made to continue -after an error whereas normally the verify operation would halt on the -first error. This allows all the problems with a certificate chain to be -determined. -.PP -The verify operation consists of a number of separate steps. -.PP -Firstly a certificate chain is built up starting from the supplied certificate -and ending in the root \s-1CA.\s0 It is an error if the whole chain cannot be built -up. The chain is built up by looking up the issuers certificate of the current -certificate. If a certificate is found which is its own issuer it is assumed -to be the root \s-1CA.\s0 -.PP -The process of 'looking up the issuers certificate' itself involves a number -of steps. 
In versions of OpenSSL before 0.9.5a the first certificate whose -subject name matched the issuer of the current certificate was assumed to be -the issuers certificate. In OpenSSL 0.9.6 and later all certificates -whose subject name matches the issuer name of the current certificate are -subject to further tests. The relevant authority key identifier components -of the current certificate (if present) must match the subject key identifier -(if present) and issuer and serial number of the candidate issuer, in addition -the keyUsage extension of the candidate issuer (if present) must permit -certificate signing. -.PP -The lookup first looks in the list of untrusted certificates and if no match -is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0 -is always looked up in the trusted certificate list: if the certificate to -verify is a root certificate then an exact match must be found in the trusted -list. -.PP -The second operation is to check every untrusted certificate's extensions for -consistency with the supplied purpose. If the \fB\-purpose\fR option is not included -then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions -compatible with the supplied purpose and all other certificates must also be valid -\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in -the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section of the \fBx509\fR utility. -.PP -The third operation is to check the trust settings on the root \s-1CA.\s0 The root -\&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous -versions of SSLeay and OpenSSL a certificate with no trust settings is considered -to be valid for all purposes. -.PP -The final operation is to check the validity of the certificate chain. The validity -period is checked against the current system time and the notBefore and notAfter -dates in the certificate. 
The certificate signatures are also checked at this -point. -.PP -If all operations complete successfully then certificate is considered valid. If -any operation fails then the certificate is not valid. -.SH "DIAGNOSTICS" -.IX Header "DIAGNOSTICS" -When a verify operation fails the output messages can be somewhat cryptic. The -general form of the error message is: -.PP -.Vb 2 -\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) -\& error 24 at 1 depth lookup:invalid CA certificate -.Ve -.PP -The first line contains the name of the certificate being verified followed by -the subject name of the certificate. The second line contains the error number -and the depth. The depth is number of the certificate being verified when a -problem was detected starting with zero for the certificate being verified itself -then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version -of the error number is presented. -.PP -An exhaustive list of the error codes and messages is shown below, this also -includes the name of the error code as defined in the header file x509_vfy.h -Some of the error codes are defined but never returned: these are described -as \*(L"unused\*(R". -.IP "\fB0 X509_V_OK: ok\fR" 4 -.IX Item "0 X509_V_OK: ok" -the operation was successful. -.IP "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4 -.IX Item "2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate" -the issuer certificate of a looked up certificate could not be found. This -normally means the list of trusted certificates is not complete. -.IP "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate \s-1CRL\s0\fR" 4 -.IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL" -the \s-1CRL\s0 of a certificate could not be found. 
-.IP "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4 -.IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature" -the certificate signature could not be decrypted. This means that the actual signature value -could not be determined rather than it not matching the expected value, this is only -meaningful for \s-1RSA\s0 keys. -.IP "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4 -.IX Item "5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature" -the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value -could not be determined rather than it not matching the expected value. Unused. -.IP "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4 -.IX Item "6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key" -the public key in the certificate SubjectPublicKeyInfo could not be read. -.IP "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4 -.IX Item "7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure" -the signature of the certificate is invalid. -.IP "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4 -.IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure" -the signature of the certificate is invalid. -.IP "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4 -.IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid" -the certificate is not yet valid: the notBefore date is after the current time. -.IP "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4 -.IX Item "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired" -the certificate has expired: that is the notAfter date is before the current time. 
-.IP "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4 -.IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid" -the \s-1CRL\s0 is not yet valid. -.IP "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4 -.IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired" -the \s-1CRL\s0 has expired. -.IP "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4 -.IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field" -the certificate notBefore field contains an invalid time. -.IP "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4 -.IX Item "14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field" -the certificate notAfter field contains an invalid time. -.IP "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4 -.IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field" -the \s-1CRL\s0 lastUpdate field contains an invalid time. -.IP "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4 -.IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field" -the \s-1CRL\s0 nextUpdate field contains an invalid time. -.IP "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4 -.IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory" -an error occurred trying to allocate memory. This should never happen. -.IP "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4 -.IX Item "18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate" -the passed certificate is self signed and the same certificate cannot be found in the list of -trusted certificates. 
-.IP "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4 -.IX Item "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain" -the certificate chain could be built up using the untrusted certificates but the root could not -be found locally. -.IP "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4 -.IX Item "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate" -the issuer certificate could not be found: this occurs if the issuer -certificate of an untrusted certificate cannot be found. -.IP "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4 -.IX Item "21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate" -no signatures could be verified because the chain contains only one certificate and it is not -self signed. -.IP "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4 -.IX Item "22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long" -the certificate chain length is greater than the supplied maximum depth. Unused. -.IP "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4 -.IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked" -the certificate has been revoked. -.IP "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4 -.IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate" -a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent -with the supplied purpose. -.IP "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4 -.IX Item "25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded" -the basicConstraints pathlength parameter has been exceeded. 
-.IP "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4 -.IX Item "26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose" -the supplied certificate cannot be used for the specified purpose. -.IP "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4 -.IX Item "27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted" -the root \s-1CA\s0 is not marked as trusted for the specified purpose. -.IP "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4 -.IX Item "28 X509_V_ERR_CERT_REJECTED: certificate rejected" -the root \s-1CA\s0 is marked to reject the specified purpose. -.IP "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4 -.IX Item "29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch" -the current candidate issuer certificate was rejected because its subject name -did not match the issuer name of the current certificate. Only displayed when -the \fB\-issuer_checks\fR option is set. -.IP "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4 -.IX Item "30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch" -the current candidate issuer certificate was rejected because its subject key -identifier was present and did not match the authority key identifier current -certificate. Only displayed when the \fB\-issuer_checks\fR option is set. -.IP "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4 -.IX Item "31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch" -the current candidate issuer certificate was rejected because its issuer name -and serial number was present and did not match the authority key identifier -of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set. 
-.IP "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4 -.IX Item "32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing" -the current candidate issuer certificate was rejected because its keyUsage extension -does not permit certificate signing. -.IP "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4 -.IX Item "50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure" -an application specific error. Unused. -.SH "BUGS" -.IX Header "BUGS" -Although the issuer checks are a considerable improvement over the old technique they still -suffer from limitations in the underlying X509_LOOKUP \s-1API.\s0 One consequence of this is that -trusted certificates with matching subject name must either appear in a file (as specified by the -\&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only -the certificates in the file will be recognised. -.PP -Previous versions of OpenSSL assume certificates with matching subject name are identical and -mishandled them. -.PP -Previous versions of this documentation swapped the meaning of the -\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR and -\&\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR error codes. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIx509\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/usr.bin/openssl/man/version.1 b/usr.bin/openssl/man/version.1 deleted file mode 100644 index 5a03d3f11f..0000000000 --- a/usr.bin/openssl/man/version.1 +++ /dev/null 
@@ -1,185 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "VERSION 1" -.TH VERSION 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -version \- print OpenSSL version information -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl version\fR -[\fB\-a\fR] -[\fB\-v\fR] -[\fB\-b\fR] -[\fB\-o\fR] -[\fB\-f\fR] -[\fB\-p\fR] -[\fB\-d\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This command is used to print out version information about OpenSSL. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-a\fR" 4 -.IX Item "-a" -all information, this is the same as setting all the other flags. -.IP "\fB\-v\fR" 4 -.IX Item "-v" -the current OpenSSL version. -.IP "\fB\-b\fR" 4 -.IX Item "-b" -the date the current version of OpenSSL was built. -.IP "\fB\-o\fR" 4 -.IX Item "-o" -option information: various options set when the library was built. -.IP "\fB\-f\fR" 4 -.IX Item "-f" -compilation flags. -.IP "\fB\-p\fR" 4 -.IX Item "-p" -platform setting. -.IP "\fB\-d\fR" 4 -.IX Item "-d" -\&\s-1OPENSSLDIR\s0 setting. -.SH "NOTES" -.IX Header "NOTES" -The output of \fBopenssl version \-a\fR would typically be used when sending -in a bug report. -.SH "HISTORY" -.IX Header "HISTORY" -The \fB\-d\fR option was added in OpenSSL 0.9.7. diff --git a/usr.bin/openssl/man/x509.1 b/usr.bin/openssl/man/x509.1 deleted file mode 100644 index a4968868de..0000000000 --- a/usr.bin/openssl/man/x509.1 +++ /dev/null 
@@ -1,909 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "X509 1" -.TH X509 1 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -x509 \- Certificate display and signing utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBx509\fR -[\fB\-inform DER|PEM|NET\fR] -[\fB\-outform DER|PEM|NET\fR] -[\fB\-keyform DER|PEM\fR] -[\fB\-CAform DER|PEM\fR] -[\fB\-CAkeyform DER|PEM\fR] -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-serial\fR] -[\fB\-hash\fR] -[\fB\-subject_hash\fR] -[\fB\-issuer_hash\fR] -[\fB\-ocspid\fR] -[\fB\-subject\fR] -[\fB\-issuer\fR] -[\fB\-nameopt option\fR] -[\fB\-email\fR] -[\fB\-ocsp_uri\fR] -[\fB\-startdate\fR] -[\fB\-enddate\fR] -[\fB\-purpose\fR] -[\fB\-dates\fR] -[\fB\-checkend num\fR] -[\fB\-modulus\fR] -[\fB\-pubkey\fR] -[\fB\-fingerprint\fR] -[\fB\-alias\fR] -[\fB\-noout\fR] -[\fB\-trustout\fR] -[\fB\-clrtrust\fR] -[\fB\-clrreject\fR] -[\fB\-addtrust arg\fR] -[\fB\-addreject arg\fR] -[\fB\-setalias arg\fR] -[\fB\-days arg\fR] -[\fB\-set_serial n\fR] -[\fB\-signkey filename\fR] -[\fB\-passin arg\fR] -[\fB\-x509toreq\fR] -[\fB\-req\fR] -[\fB\-CA filename\fR] -[\fB\-CAkey filename\fR] -[\fB\-CAcreateserial\fR] -[\fB\-CAserial filename\fR] -[\fB\-force_pubkey key\fR] -[\fB\-text\fR] -[\fB\-certopt option\fR] -[\fB\-C\fR] -[\fB\-md2|\-md5|\-sha1|\-mdc2\fR] -[\fB\-clrext\fR] -[\fB\-extfile filename\fR] -[\fB\-extensions section\fR] -[\fB\-engine id\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBx509\fR command is a multi purpose certificate utility. It can be -used to display certificate information, convert certificates to -various forms, sign certificate requests like a \*(L"mini \s-1CA\*(R"\s0 or edit -certificate trust settings. -.PP -Since there are a large number of options they will split up into -various sections. 
-.SH "OPTIONS" -.IX Header "OPTIONS" -.SS "\s-1INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS\s0" -.IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS" -.IP "\fB\-inform DER|PEM|NET\fR" 4 -.IX Item "-inform DER|PEM|NET" -This specifies the input format normally the command will expect an X509 -certificate but this can change if other options such as \fB\-req\fR are -present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0 -is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines -added. The \s-1NET\s0 option is an obscure Netscape server format that is now -obsolete. -.IP "\fB\-outform DER|PEM|NET\fR" 4 -.IX Item "-outform DER|PEM|NET" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a certificate from or standard input -if this option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write to or standard output by -default. -.IP "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4 -.IX Item "-md2|-md5|-sha1|-mdc2" -the digest to use. This affects any signing or display option that uses a message -digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not -specified then \s-1SHA1\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key -then this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. 
-.SS "\s-1DISPLAY OPTIONS\s0" -.IX Subsection "DISPLAY OPTIONS" -Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options -but are described in the \fB\s-1TRUST SETTINGS\s0\fR section. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -prints out the certificate in text form. Full details are output including the -public key, signature algorithms, issuer and subject names, serial number -any extensions present and any trust settings. -.IP "\fB\-certopt option\fR" 4 -.IX Item "-certopt option" -customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be -a single option or multiple options separated by commas. The \fB\-certopt\fR switch -may be also be used more than once to set multiple options. See the \fB\s-1TEXT OPTIONS\s0\fR -section for more information. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -this option prevents output of the encoded version of the request. -.IP "\fB\-pubkey\fR" 4 -.IX Item "-pubkey" -outputs the the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format. -.IP "\fB\-modulus\fR" 4 -.IX Item "-modulus" -this option prints out the value of the modulus of the public key -contained in the certificate. -.IP "\fB\-serial\fR" 4 -.IX Item "-serial" -outputs the certificate serial number. -.IP "\fB\-subject_hash\fR" 4 -.IX Item "-subject_hash" -outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to -form an index to allow certificates in a directory to be looked up by subject -name. -.IP "\fB\-issuer_hash\fR" 4 -.IX Item "-issuer_hash" -outputs the \*(L"hash\*(R" of the certificate issuer name. -.IP "\fB\-ocspid\fR" 4 -.IX Item "-ocspid" -outputs the \s-1OCSP\s0 hash values for the subject name and public key. -.IP "\fB\-hash\fR" 4 -.IX Item "-hash" -synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons. 
-.IP "\fB\-subject_hash_old\fR" 4 -.IX Item "-subject_hash_old" -outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm -as used by OpenSSL versions before 1.0.0. -.IP "\fB\-issuer_hash_old\fR" 4 -.IX Item "-issuer_hash_old" -outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm -as used by OpenSSL versions before 1.0.0. -.IP "\fB\-subject\fR" 4 -.IX Item "-subject" -outputs the subject name. -.IP "\fB\-issuer\fR" 4 -.IX Item "-issuer" -outputs the issuer name. -.IP "\fB\-nameopt option\fR" 4 -.IX Item "-nameopt option" -option which determines how the subject or issuer names are displayed. The -\&\fBoption\fR argument can be a single option or multiple options separated by -commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to -set multiple options. See the \fB\s-1NAME OPTIONS\s0\fR section for more information. -.IP "\fB\-email\fR" 4 -.IX Item "-email" -outputs the email address(es) if any. -.IP "\fB\-ocsp_uri\fR" 4 -.IX Item "-ocsp_uri" -outputs the \s-1OCSP\s0 responder address(es) if any. -.IP "\fB\-startdate\fR" 4 -.IX Item "-startdate" -prints out the start date of the certificate, that is the notBefore date. -.IP "\fB\-enddate\fR" 4 -.IX Item "-enddate" -prints out the expiry date of the certificate, that is the notAfter date. -.IP "\fB\-dates\fR" 4 -.IX Item "-dates" -prints out the start and expiry dates of a certificate. -.IP "\fB\-checkend arg\fR" 4 -.IX Item "-checkend arg" -checks if the certificate expires within the next \fBarg\fR seconds and exits -non-zero if yes it will expire or zero if not. -.IP "\fB\-fingerprint\fR" 4 -.IX Item "-fingerprint" -prints out the digest of the \s-1DER\s0 encoded version of the whole certificate -(see digest options). -.IP "\fB\-C\fR" 4 -.IX Item "-C" -this outputs the certificate in the form of a C source file. 
-.SS "\s-1TRUST SETTINGS\s0" -.IX Subsection "TRUST SETTINGS" -Please note these options are currently experimental and may well change. -.PP -A \fBtrusted certificate\fR is an ordinary certificate which has several -additional pieces of information attached to it such as the permitted -and prohibited uses of the certificate and an \*(L"alias\*(R". -.PP -Normally when a certificate is being verified at least one certificate -must be \*(L"trusted\*(R". By default a trusted certificate must be stored -locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0 -is then usable for any purpose. -.PP -Trust settings currently are only used with a root \s-1CA.\s0 They allow a finer -control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0 -may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use. -.PP -See the description of the \fBverify\fR utility for more information on the -meaning of trust settings. -.PP -Future versions of OpenSSL will recognize trust settings on any -certificate: not just root CAs. -.IP "\fB\-trustout\fR" 4 -.IX Item "-trustout" -this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary -or trusted certificate can be input but by default an ordinary -certificate is output and any trust settings are discarded. With the -\&\fB\-trustout\fR option a trusted certificate is output. A trusted -certificate is automatically output if any trust settings are modified. -.IP "\fB\-setalias arg\fR" 4 -.IX Item "-setalias arg" -sets the alias of the certificate. This will allow the certificate -to be referred to using a nickname for example \*(L"Steve's Certificate\*(R". -.IP "\fB\-alias\fR" 4 -.IX Item "-alias" -outputs the certificate alias, if any. -.IP "\fB\-clrtrust\fR" 4 -.IX Item "-clrtrust" -clears all the permitted or trusted uses of the certificate. -.IP "\fB\-clrreject\fR" 4 -.IX Item "-clrreject" -clears all the prohibited or rejected uses of the certificate. 
-.IP "\fB\-addtrust arg\fR" 4 -.IX Item "-addtrust arg" -adds a trusted certificate use. Any object name can be used here -but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR -(\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used. -Other OpenSSL applications may define additional uses. -.IP "\fB\-addreject arg\fR" 4 -.IX Item "-addreject arg" -adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR -option. -.IP "\fB\-purpose\fR" 4 -.IX Item "-purpose" -this option performs tests on the certificate extensions and outputs -the results. For a more complete description see the \fB\s-1CERTIFICATE -EXTENSIONS\s0\fR section. -.SS "\s-1SIGNING OPTIONS\s0" -.IX Subsection "SIGNING OPTIONS" -The \fBx509\fR utility can be used to sign certificates and requests: it -can thus behave like a \*(L"mini \s-1CA\*(R".\s0 -.IP "\fB\-signkey filename\fR" 4 -.IX Item "-signkey filename" -this option causes the input file to be self signed using the supplied -private key. -.Sp -If the input file is a certificate it sets the issuer name to the -subject name (i.e. makes it self signed) changes the public key to the -supplied value and changes the start and end dates. The start date is -set to the current time and the end date is set to a value determined -by the \fB\-days\fR option. Any certificate extensions are retained unless -the \fB\-clrext\fR option is supplied. -.Sp -If the input is a certificate request then a self signed certificate -is created using the supplied private key using the subject name in -the request. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the key password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-clrext\fR" 4 -.IX Item "-clrext" -delete any extensions from a certificate. 
This option is used when a -certificate is being created from another certificate (for example with -the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are -retained. -.IP "\fB\-keyform PEM|DER\fR" 4 -.IX Item "-keyform PEM|DER" -specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the -\&\fB\-signkey\fR option. -.IP "\fB\-days arg\fR" 4 -.IX Item "-days arg" -specifies the number of days to make a certificate valid for. The default -is 30 days. -.IP "\fB\-x509toreq\fR" 4 -.IX Item "-x509toreq" -converts a certificate into a certificate request. The \fB\-signkey\fR option -is used to pass the required private key. -.IP "\fB\-req\fR" 4 -.IX Item "-req" -by default a certificate is expected on input. With this option a -certificate request is expected instead. -.IP "\fB\-set_serial n\fR" 4 -.IX Item "-set_serial n" -specifies the serial number to use. This option can be used with either -the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR -option the serial number file (as specified by the \fB\-CAserial\fR or -\&\fB\-CAcreateserial\fR options) is not used. -.Sp -The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative -serial numbers can also be specified but their use is not recommended. -.IP "\fB\-CA filename\fR" 4 -.IX Item "-CA filename" -specifies the \s-1CA\s0 certificate to be used for signing. When this option is -present \fBx509\fR behaves like a \*(L"mini \s-1CA\*(R".\s0 The input file is signed by this -\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name -of the \s-1CA\s0 and it is digitally signed using the CAs private key. -.Sp -This option is normally combined with the \fB\-req\fR option. Without the -\&\fB\-req\fR option the input is a certificate which must be self signed. -.IP "\fB\-CAkey filename\fR" 4 -.IX Item "-CAkey filename" -sets the \s-1CA\s0 private key to sign a certificate with. 
If this option is -not specified then it is assumed that the \s-1CA\s0 private key is present in -the \s-1CA\s0 certificate file. -.IP "\fB\-CAserial filename\fR" 4 -.IX Item "-CAserial filename" -sets the \s-1CA\s0 serial number file to use. -.Sp -When the \fB\-CA\fR option is used to sign a certificate it uses a serial -number specified in a file. This file consist of one line containing -an even number of hex digits with the serial number to use. After each -use the serial number is incremented and written out to the file again. -.Sp -The default filename consists of the \s-1CA\s0 certificate file base name with -\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called -\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R". -.IP "\fB\-CAcreateserial\fR" 4 -.IX Item "-CAcreateserial" -with this option the \s-1CA\s0 serial number file is created if it does not exist: -it will contain the serial number \*(L"02\*(R" and the certificate being signed will -have the 1 as its serial number. Normally if the \fB\-CA\fR option is specified -and the serial number file does not exist it is an error. -.IP "\fB\-extfile filename\fR" 4 -.IX Item "-extfile filename" -file containing certificate extensions to use. If not specified then -no extensions are added to the certificate. -.IP "\fB\-extensions section\fR" 4 -.IX Item "-extensions section" -the section to add certificate extensions from. If this option is not -specified then the extensions should either be contained in the unnamed -(default) section or the default section should contain a variable called -\&\*(L"extensions\*(R" which contains the section to use. See the -\&\fIx509v3_config\fR\|(5) manual page for details of the -extension section format. -.IP "\fB\-force_pubkey key\fR" 4 -.IX Item "-force_pubkey key" -when a certificate is created set its public key to \fBkey\fR instead of the -key in the certificate or certificate request. 
This option is useful for -creating certificates where the algorithm can't normally sign requests, for -example \s-1DH.\s0 -.Sp -The format or \fBkey\fR can be specified using the \fB\-keyform\fR option. -.SS "\s-1NAME OPTIONS\s0" -.IX Subsection "NAME OPTIONS" -The \fBnameopt\fR command line switch determines how the subject and issuer -names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R" -format is used which is compatible with previous versions of OpenSSL. -Each option is described in detail below, all options can be preceded by -a \fB\-\fR to turn the option off. Only the first four will normally be used. -.IP "\fBcompat\fR" 4 -.IX Item "compat" -use the old format. This is equivalent to specifying no name options at all. -.IP "\fB\s-1RFC2253\s0\fR" 4 -.IX Item "RFC2253" -displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, -\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR, -\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR. -.IP "\fBoneline\fR" 4 -.IX Item "oneline" -a oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to -specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, -\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR -options. -.IP "\fBmultiline\fR" 4 -.IX Item "multiline" -a multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, -\&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR. -.IP "\fBesc_2253\fR" 4 -.IX Item "esc_2253" -escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field That is -\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string -and a space character at the beginning or end of a string. -.IP "\fBesc_ctrl\fR" 4 -.IX Item "esc_ctrl" -escape control characters. 
That is those with \s-1ASCII\s0 values less than -0x20 (space) and the delete (0x7f) character. They are escaped using the -\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the -character value). -.IP "\fBesc_msb\fR" 4 -.IX Item "esc_msb" -escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than -127. -.IP "\fBuse_quote\fR" 4 -.IX Item "use_quote" -escapes some characters by surrounding the whole string with \fB"\fR characters, -without the option all escaping is done with the \fB\e\fR character. -.IP "\fButf8\fR" 4 -.IX Item "utf8" -convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If -you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use -of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct -display of multibyte (international) characters. Is this option is not -present then multibyte characters larger than 0xff will be represented -using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits. -Also if this option is off any UTF8Strings will be converted to their -character form first. -.IP "\fBignore_type\fR" 4 -.IX Item "ignore_type" -this option does not attempt to interpret multibyte characters in any -way. That is their content octets are merely dumped as though one octet -represents each character. This is useful for diagnostic purposes but -will result in rather odd looking output. -.IP "\fBshow_type\fR" 4 -.IX Item "show_type" -show the type of the \s-1ASN1\s0 character string. The type precedes the -field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R". -.IP "\fBdump_der\fR" 4 -.IX Item "dump_der" -when this option is set any fields that need to be hexdumped will -be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the -content octets will be displayed. Both options use the \s-1RFC2253 -\&\s0\fB#XXXX...\fR format. 
-.IP "\fBdump_nostr\fR" 4 -.IX Item "dump_nostr" -dump non character string types (for example \s-1OCTET STRING\s0) if this -option is not set then non character string types will be displayed -as though each content octet represents a single character. -.IP "\fBdump_all\fR" 4 -.IX Item "dump_all" -dump all fields. This option when used with \fBdump_der\fR allows the -\&\s-1DER\s0 encoding of the structure to be unambiguously determined. -.IP "\fBdump_unknown\fR" 4 -.IX Item "dump_unknown" -dump any field whose \s-1OID\s0 is not recognised by OpenSSL. -.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4 -.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline" -these options determine the field separators. The first character is -between RDNs and the second between multiple AVAs (multiple AVAs are -very rare and their use is discouraged). The options ending in -\&\*(L"space\*(R" additionally place a space after the separator to make it -more readable. The \fBsep_multiline\fR uses a linefeed character for -the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also -indents the fields by four characters. If no field separator is specified -then \fBsep_comma_plus_space\fR is used by default. -.IP "\fBdn_rev\fR" 4 -.IX Item "dn_rev" -reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side -effect this also reverses the order of multiple AVAs but this is -permissible. -.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4 -.IX Item "nofname, sname, lname, oid" -these options alter how the field name is displayed. \fBnofname\fR does -not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form -(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form. -\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for -diagnostic purpose. 
-.IP "\fBalign\fR" 4 -.IX Item "align" -align field values for a more readable output. Only usable with -\&\fBsep_multiline\fR. -.IP "\fBspace_eq\fR" 4 -.IX Item "space_eq" -places spaces round the \fB=\fR character which follows the field -name. -.SS "\s-1TEXT OPTIONS\s0" -.IX Subsection "TEXT OPTIONS" -As well as customising the name output format, it is also possible to -customise the actual fields printed using the \fBcertopt\fR options when -the \fBtext\fR option is present. The default behaviour is to print all fields. -.IP "\fBcompatible\fR" 4 -.IX Item "compatible" -use the old format. This is equivalent to specifying no output options at all. -.IP "\fBno_header\fR" 4 -.IX Item "no_header" -don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R". -.IP "\fBno_version\fR" 4 -.IX Item "no_version" -don't print out the version number. -.IP "\fBno_serial\fR" 4 -.IX Item "no_serial" -don't print out the serial number. -.IP "\fBno_signame\fR" 4 -.IX Item "no_signame" -don't print out the signature algorithm used. -.IP "\fBno_validity\fR" 4 -.IX Item "no_validity" -don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields. -.IP "\fBno_subject\fR" 4 -.IX Item "no_subject" -don't print out the subject name. -.IP "\fBno_issuer\fR" 4 -.IX Item "no_issuer" -don't print out the issuer name. -.IP "\fBno_pubkey\fR" 4 -.IX Item "no_pubkey" -don't print out the public key. -.IP "\fBno_sigdump\fR" 4 -.IX Item "no_sigdump" -don't give a hexadecimal dump of the certificate signature. -.IP "\fBno_aux\fR" 4 -.IX Item "no_aux" -don't print out certificate trust information. -.IP "\fBno_extensions\fR" 4 -.IX Item "no_extensions" -don't print out any X509V3 extensions. -.IP "\fBext_default\fR" 4 -.IX Item "ext_default" -retain default extension behaviour: attempt to print out unsupported certificate extensions. -.IP "\fBext_error\fR" 4 -.IX Item "ext_error" -print an error message for unsupported certificate extensions. 
-.IP "\fBext_parse\fR" 4 -.IX Item "ext_parse" -\&\s-1ASN1\s0 parse unsupported extensions. -.IP "\fBext_dump\fR" 4 -.IX Item "ext_dump" -hex dump unsupported extensions. -.IP "\fBca_default\fR" 4 -.IX Item "ca_default" -the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR, -\&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Note: in these examples the '\e' means the example should be all on one -line. -.PP -Display the contents of a certificate: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-text -.Ve -.PP -Display the certificate serial number: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-serial -.Ve -.PP -Display the certificate subject name: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-subject -.Ve -.PP -Display the certificate subject name in \s-1RFC2253\s0 form: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253 -.Ve -.PP -Display the certificate subject name in oneline form on a terminal -supporting \s-1UTF8:\s0 -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb -.Ve -.PP -Display the certificate \s-1MD5\s0 fingerprint: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-fingerprint -.Ve -.PP -Display the certificate \s-1SHA1\s0 fingerprint: -.PP -.Vb 1 -\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint -.Ve -.PP -Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER -.Ve -.PP -Convert a certificate to a certificate request: -.PP -.Vb 1 -\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-signkey key.pem -.Ve -.PP -Convert a certificate request into a self signed certificate using -extensions for a \s-1CA:\s0 -.PP -.Vb 2 -\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e -\& \-signkey key.pem \-out cacert.pem -.Ve -.PP -Sign a certificate 
request using the \s-1CA\s0 certificate above and add user -certificate extensions: -.PP -.Vb 2 -\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e -\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial -.Ve -.PP -Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to -\&\*(L"Steve's Class 1 \s-1CA\*(R"\s0 -.PP -.Vb 2 -\& openssl x509 \-in cert.pem \-addtrust clientAuth \e -\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem -.Ve -.SH "NOTES" -.IX Header "NOTES" -The \s-1PEM\s0 format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- -\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- -.Ve -.PP -it will also handle files containing: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN X509 CERTIFICATE\-\-\-\-\- -\& \-\-\-\-\-END X509 CERTIFICATE\-\-\-\-\- -.Ve -.PP -Trusted certificates have the lines -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN TRUSTED CERTIFICATE\-\-\-\-\- -\& \-\-\-\-\-END TRUSTED CERTIFICATE\-\-\-\-\- -.Ve -.PP -The conversion to \s-1UTF8\s0 format used with the name options assumes that -T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape -and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect -it is more likely to display the majority of certificates correctly. -.PP -The \fB\-fingerprint\fR option takes the digest of the \s-1DER\s0 encoded certificate. -This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message -digests the fingerprint of a certificate is unique to that certificate and -two certificates with the same fingerprint can be considered to be the same. -.PP -The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1.\s0 -.PP -The \fB\-email\fR option searches the subject name and the subject alternative -name extension. Only unique email addresses will be printed out: it will -not print the same address more than once. 
-.SH "CERTIFICATE EXTENSIONS" -.IX Header "CERTIFICATE EXTENSIONS" -The \fB\-purpose\fR option checks the certificate extensions and determines -what the certificate can be used for. The actual checks done are rather -complex and include various hacks and workarounds to handle broken -certificates and software. -.PP -The same code is used when verifying untrusted certificates in chains -so this section is useful if a chain is rejected by the verify code. -.PP -The basicConstraints extension \s-1CA\s0 flag is used to determine whether the -certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0 -if the \s-1CA\s0 flag is false then it is not a \s-1CA. \s0\fBAll\fR CAs should have the -\&\s-1CA\s0 flag set to true. -.PP -If the basicConstraints extension is absent then the certificate is -considered to be a \*(L"possible \s-1CA\*(R"\s0 other extensions are checked according -to the intended use of the certificate. A warning is given in this case -because the certificate should really not be regarded as a \s-1CA:\s0 however -it is allowed to be a \s-1CA\s0 to work around some broken software. -.PP -If the certificate is a V1 certificate (and thus has no extensions) and -it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again -given: this is to work around the problem of Verisign roots which are V1 -self signed certificates. -.PP -If the keyUsage extension is present then additional restraints are -made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the -keyCertSign bit set if the keyUsage extension is present. -.PP -The extended key usage extension places additional restrictions on the -certificate uses. If this extension is present (whether critical or not) -the key can only be used for the purposes specified. -.PP -A complete description of each test is given below. 
The comments about -basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR -\&\s-1CA\s0 certificates. -.IP "\fB\s-1SSL\s0 Client\fR" 4 -.IX Item "SSL Client" -The extended key usage extension must be absent or include the \*(L"web client -authentication\*(R" \s-1OID. \s0 keyUsage must be absent or it must have the -digitalSignature bit set. Netscape certificate type must be absent or it must -have the \s-1SSL\s0 client bit set. -.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4 -.IX Item "SSL Client CA" -The extended key usage extension must be absent or include the \*(L"web client -authentication\*(R" \s-1OID.\s0 Netscape certificate type must be absent or it must have -the \s-1SSL CA\s0 bit set: this is used as a work around if the basicConstraints -extension is absent. -.IP "\fB\s-1SSL\s0 Server\fR" 4 -.IX Item "SSL Server" -The extended key usage extension must be absent or include the \*(L"web server -authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it -must have the digitalSignature, the keyEncipherment set or both bits set. -Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set. -.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4 -.IX Item "SSL Server CA" -The extended key usage extension must be absent or include the \*(L"web server -authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must -be absent or the \s-1SSL CA\s0 bit must be set: this is used as a work around if the -basicConstraints extension is absent. -.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4 -.IX Item "Netscape SSL Server" -For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the -keyEncipherment bit set if the keyUsage extension is present. This isn't -always valid because some cipher suites use the key for digital signing. -Otherwise it is the same as a normal \s-1SSL\s0 server. 
-.IP "\fBCommon S/MIME Client Tests\fR" 4 -.IX Item "Common S/MIME Client Tests" -The extended key usage extension must be absent or include the \*(L"email -protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or should have the -S/MIME bit set. If the S/MIME bit is not set in netscape certificate type -then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown: -this is because some Verisign certificates don't set the S/MIME bit. -.IP "\fBS/MIME Signing\fR" 4 -.IX Item "S/MIME Signing" -In addition to the common S/MIME client tests the digitalSignature bit must -be set if the keyUsage extension is present. -.IP "\fBS/MIME Encryption\fR" 4 -.IX Item "S/MIME Encryption" -In addition to the common S/MIME tests the keyEncipherment bit must be set -if the keyUsage extension is present. -.IP "\fBS/MIME \s-1CA\s0\fR" 4 -.IX Item "S/MIME CA" -The extended key usage extension must be absent or include the \*(L"email -protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or must have the -S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints -extension is absent. -.IP "\fB\s-1CRL\s0 Signing\fR" 4 -.IX Item "CRL Signing" -The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit -set. -.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4 -.IX Item "CRL Signing CA" -The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension -must be present. -.SH "BUGS" -.IX Header "BUGS" -Extensions in certificates are not transferred to certificate requests and -vice versa. -.PP -It is possible to produce invalid certificates or requests by specifying the -wrong private key or using inconsistent options in some cases: these should -be checked. -.PP -There should be options to explicitly set such things as start and end -dates rather than an offset from the current time. 
-.PP -The code to implement the verify behaviour described in the \fB\s-1TRUST SETTINGS\s0\fR -is currently being developed. It thus describes the intended behaviour rather -than the current behaviour. It is hoped that it will represent reality in -OpenSSL 0.9.5 and later. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), -\&\fIgendsa\fR\|(1), \fIverify\fR\|(1), -\&\fIx509v3_config\fR\|(5) -.SH "HISTORY" -.IX Header "HISTORY" -Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5.\s0 -.PP -The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options -before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding -of the distinguished name. In OpenSSL 1.0.0 and later it is based on a -canonical version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using -the old form must have their links rebuilt using \fBc_rehash\fR or similar. diff --git a/usr.bin/openssl/man/x509v3_config.5 b/usr.bin/openssl/man/x509v3_config.5 deleted file mode 100644 index 43cb8c5fd8..0000000000 --- a/usr.bin/openssl/man/x509v3_config.5 +++ /dev/null 
@@ -1,683 +0,0 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. 
\" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "X509V3_CONFIG 5" -.TH X509V3_CONFIG 5 "2016-05-03" "1.0.2h" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -x509v3_config \- X509 V3 certificate extension configuration format -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -Several of the OpenSSL utilities can add extensions to a certificate or -certificate request based on the contents of a configuration file. -.PP -Typically the application will contain an option to point to an extension -section. Each line of the extension section takes the form: -.PP -.Vb 1 -\& extension_name=[critical,] extension_options -.Ve -.PP -If \fBcritical\fR is present then the extension will be critical. -.PP -The format of \fBextension_options\fR depends on the value of \fBextension_name\fR. -.PP -There are four main types of extension: \fIstring\fR extensions, \fImulti-valued\fR -extensions, \fIraw\fR and \fIarbitrary\fR extensions. -.PP -String extensions simply have a string which contains either the value itself -or how it is obtained. -.PP -For example: -.PP -.Vb 1 -\& nsComment="This is a Comment" -.Ve -.PP -Multi-valued extensions have a short form and a long form. The short form -is a list of names and values: -.PP -.Vb 1 -\& basicConstraints=critical,CA:true,pathlen:1 -.Ve -.PP -The long form allows the values to be placed in a separate section: -.PP -.Vb 1 -\& basicConstraints=critical,@bs_section -\& -\& [bs_section] -\& -\& CA=true -\& pathlen=1 -.Ve -.PP -Both forms are equivalent. -.PP -The syntax of raw extensions is governed by the extension code: it can -for example contain data in multiple sections. The correct syntax to -use is defined by the extension code itself: check out the certificate -policies extension for an example. -.PP -If an extension type is unsupported then the \fIarbitrary\fR extension syntax -must be used, see the \s-1ARBITRARY EXTENSIONS\s0 section for more details. -.SH "STANDARD EXTENSIONS" -.IX Header "STANDARD EXTENSIONS" -The following sections describe each supported extension in detail. -.SS "Basic Constraints." -.IX Subsection "Basic Constraints." 
-This is a multi valued extension which indicates whether a certificate is -a \s-1CA\s0 certificate. The first (mandatory) name is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or -\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by an -non-negative value can be included. -.PP -For example: -.PP -.Vb 1 -\& basicConstraints=CA:TRUE -\& -\& basicConstraints=CA:FALSE -\& -\& basicConstraints=critical,CA:TRUE, pathlen:0 -.Ve -.PP -A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0 field -set to \s-1TRUE.\s0 An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the -extension entirely. Some software may require the inclusion of basicConstraints -with \s-1CA\s0 set to \s-1FALSE\s0 for end entity certificates. -.PP -The pathlen parameter indicates the maximum number of CAs that can appear -below this one in a chain. So if you have a \s-1CA\s0 with a pathlen of zero it can -only be used to sign end user certificates and not further CAs. -.SS "Key Usage." -.IX Subsection "Key Usage." -Key usage is a multi valued extension consisting of a list of names of the -permitted key usages. -.PP -The supporte names are: digitalSignature, nonRepudiation, keyEncipherment, -dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly -and decipherOnly. -.PP -Examples: -.PP -.Vb 1 -\& keyUsage=digitalSignature, nonRepudiation -\& -\& keyUsage=critical, keyCertSign -.Ve -.SS "Extended Key Usage." -.IX Subsection "Extended Key Usage." -This extensions consists of a list of usages indicating purposes for which -the certificate public key can be used for, -.PP -These can either be object short names of the dotted numerical form of OIDs. -While any \s-1OID\s0 can be used only certain values make sense. 
In particular the -following \s-1PKIX, NS\s0 and \s-1MS\s0 values are meaningful: -.PP -.Vb 10 -\& Value Meaning -\& \-\-\-\-\- \-\-\-\-\-\-\- -\& serverAuth SSL/TLS Web Server Authentication. -\& clientAuth SSL/TLS Web Client Authentication. -\& codeSigning Code signing. -\& emailProtection E\-mail Protection (S/MIME). -\& timeStamping Trusted Timestamping -\& msCodeInd Microsoft Individual Code Signing (authenticode) -\& msCodeCom Microsoft Commercial Code Signing (authenticode) -\& msCTLSign Microsoft Trust List Signing -\& msSGC Microsoft Server Gated Crypto -\& msEFS Microsoft Encrypted File System -\& nsSGC Netscape Server Gated Crypto -.Ve -.PP -Examples: -.PP -.Vb 2 -\& extendedKeyUsage=critical,codeSigning,1.2.3.4 -\& extendedKeyUsage=nsSGC,msSGC -.Ve -.SS "Subject Key Identifier." -.IX Subsection "Subject Key Identifier." -This is really a string extension and can take two possible values. Either -the word \fBhash\fR which will automatically follow the guidelines in \s-1RFC3280\s0 -or a hex string giving the extension value to include. The use of the hex -string is strongly discouraged. -.PP -Example: -.PP -.Vb 1 -\& subjectKeyIdentifier=hash -.Ve -.SS "Authority Key Identifier." -.IX Subsection "Authority Key Identifier." -The authority key identifier extension permits two options. keyid and issuer: -both can take the optional value \*(L"always\*(R". -.PP -If the keyid option is present an attempt is made to copy the subject key -identifier from the parent certificate. If the value \*(L"always\*(R" is present -then an error is returned if the option fails. -.PP -The issuer option copies the issuer and serial number from the issuer -certificate. This will only be done if the keyid option fails or -is not included unless the \*(L"always\*(R" flag will always include the value. -.PP -Example: -.PP -.Vb 1 -\& authorityKeyIdentifier=keyid,issuer -.Ve -.SS "Subject Alternative Name." -.IX Subsection "Subject Alternative Name." 
-The subject alternative name extension allows various literal values to be -included in the configuration file. These include \fBemail\fR (an email address) -\&\fB\s-1URI\s0\fR a uniform resource indicator, \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a -registered \s-1ID: OBJECT IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR -(a distinguished name) and otherName. -.PP -The email option include a special 'copy' value. This will automatically -include and email addresses contained in the certificate subject name in -the extension. -.PP -The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR options can be in either IPv4 or IPv6 format. -.PP -The value of \fBdirName\fR should point to a section containing the distinguished -name to use as a set of name value pairs. Multi values AVAs can be formed by -prefacing the name with a \fB+\fR character. -.PP -otherName can include arbitrary data associated with an \s-1OID:\s0 the value -should be the \s-1OID\s0 followed by a semicolon and the content in standard -\&\fIASN1_generate_nconf\fR\|(3) format. -.PP -Examples: -.PP -.Vb 5 -\& subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/ -\& subjectAltName=IP:192.168.7.1 -\& subjectAltName=IP:13::17 -\& subjectAltName=email:my@other.address,RID:1.2.3.4 -\& subjectAltName=otherName:1.2.3.4;UTF8:some other identifier -\& -\& subjectAltName=dirName:dir_sect -\& -\& [dir_sect] -\& C=UK -\& O=My Organization -\& OU=My Unit -\& CN=My Name -.Ve -.SS "Issuer Alternative Name." -.IX Subsection "Issuer Alternative Name." -The issuer alternative name option supports all the literal options of -subject alternative name. It does \fBnot\fR support the email:copy option because -that would not make sense. It does support an additional issuer:copy option -that will copy all the subject alternative name values from the issuer -certificate (if possible). 
-.PP -Example: -.PP -.Vb 1 -\& issuserAltName = issuer:copy -.Ve -.SS "Authority Info Access." -.IX Subsection "Authority Info Access." -The authority information access extension gives details about how to access -certain information relating to the \s-1CA.\s0 Its syntax is accessOID;location -where \fIlocation\fR has the same syntax as subject alternative name (except -that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only -certain values are meaningful, for example \s-1OCSP\s0 and caIssuers. -.PP -Example: -.PP -.Vb 2 -\& authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ -\& authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html -.Ve -.SS "\s-1CRL\s0 distribution points." -.IX Subsection "CRL distribution points." -This is a multi-valued extension whose options can be either in name:value pair -using the same form as subject alternative name or a single value representing -a section name containing all the distribution point fields. -.PP -For a name:value pair a new DistributionPoint with the fullName field set to -the given value both the cRLissuer and reasons fields are omitted in this case. -.PP -In the single option case the section indicated contains values for each -field. In this section: -.PP -If the name is \*(L"fullname\*(R" the value field should contain the full name -of the distribution point in the same format as subject alternative name. -.PP -If the name is \*(L"relativename\*(R" then the value field should contain a section -name whose contents represent a \s-1DN\s0 fragment to be placed in this field. -.PP -The name \*(L"CRLIssuer\*(R" if present should contain a value for this field in -subject alternative name format. -.PP -If the name is \*(L"reasons\*(R" the value field should consist of a comma -separated field containing the reasons. 
Valid reasons are: \*(L"keyCompromise\*(R", -\&\*(L"CACompromise\*(R", \*(L"affiliationChanged\*(R", \*(L"superseded\*(R", \*(L"cessationOfOperation\*(R", -\&\*(L"certificateHold\*(R", \*(L"privilegeWithdrawn\*(R" and \*(L"AACompromise\*(R". -.PP -Simple examples: -.PP -.Vb 2 -\& crlDistributionPoints=URI:http://myhost.com/myca.crl -\& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl -.Ve -.PP -Full distribution point example: -.PP -.Vb 1 -\& crlDistributionPoints=crldp1_section -\& -\& [crldp1_section] -\& -\& fullname=URI:http://myhost.com/myca.crl -\& CRLissuer=dirName:issuer_sect -\& reasons=keyCompromise, CACompromise -\& -\& [issuer_sect] -\& C=UK -\& O=Organisation -\& CN=Some Name -.Ve -.SS "Issuing Distribution Point" -.IX Subsection "Issuing Distribution Point" -This extension should only appear in CRLs. It is a multi valued extension -whose syntax is similar to the \*(L"section\*(R" pointed to by the \s-1CRL\s0 distribution -points extension with a few differences. -.PP -The names \*(L"reasons\*(R" and \*(L"CRLissuer\*(R" are not recognized. -.PP -The name \*(L"onlysomereasons\*(R" is accepted which sets this field. The value is -in the same format as the \s-1CRL\s0 distribution point \*(L"reasons\*(R" field. -.PP -The names \*(L"onlyuser\*(R", \*(L"onlyCA\*(R", \*(L"onlyAA\*(R" and \*(L"indirectCRL\*(R" are also accepted -the values should be a boolean value (\s-1TRUE\s0 or \s-1FALSE\s0) to indicate the value of -the corresponding field. -.PP -Example: -.PP -.Vb 1 -\& issuingDistributionPoint=critical, @idp_section -\& -\& [idp_section] -\& -\& fullname=URI:http://myhost.com/myca.crl -\& indirectCRL=TRUE -\& onlysomereasons=keyCompromise, CACompromise -\& -\& [issuer_sect] -\& C=UK -\& O=Organisation -\& CN=Some Name -.Ve -.SS "Certificate Policies." -.IX Subsection "Certificate Policies." -This is a \fIraw\fR extension. All the fields of this extension can be set by -using the appropriate syntax. 
-.PP -If you follow the \s-1PKIX\s0 recommendations and just using one \s-1OID\s0 then you just -include the value of that \s-1OID.\s0 Multiple OIDs can be set separated by commas, -for example: -.PP -.Vb 1 -\& certificatePolicies= 1.2.4.5, 1.1.3.4 -.Ve -.PP -If you wish to include qualifiers then the policy \s-1OID\s0 and qualifiers need to -be specified in a separate section: this is done by using the \f(CW@section\fR syntax -instead of a literal \s-1OID\s0 value. -.PP -The section referred to must include the policy \s-1OID\s0 using the name -policyIdentifier, cPSuri qualifiers can be included using the syntax: -.PP -.Vb 1 -\& CPS.nnn=value -.Ve -.PP -userNotice qualifiers can be set using the syntax: -.PP -.Vb 1 -\& userNotice.nnn=@notice -.Ve -.PP -The value of the userNotice qualifier is specified in the relevant section. -This section can include explicitText, organization and noticeNumbers -options. explicitText and organization are text strings, noticeNumbers is a -comma separated list of numbers. The organization and noticeNumbers options -(if included) must \s-1BOTH\s0 be present. If you use the userNotice option with \s-1IE5\s0 -then you need the 'ia5org' option at the top level to modify the encoding: -otherwise it will not be interpreted properly. -.PP -Example: -.PP -.Vb 1 -\& certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect -\& -\& [polsect] -\& -\& policyIdentifier = 1.3.5.8 -\& CPS.1="http://my.host.name/" -\& CPS.2="http://my.your.name/" -\& userNotice.1=@notice -\& -\& [notice] -\& -\& explicitText="Explicit Text Here" -\& organization="Organisation Name" -\& noticeNumbers=1,2,3,4 -.Ve -.PP -The \fBia5org\fR option changes the type of the \fIorganization\fR field. In \s-1RFC2459\s0 -it can only be of type DisplayText. In \s-1RFC3280\s0 IA5Strring is also permissible. -Some software (for example some versions of \s-1MSIE\s0) may require ia5org. 
-.SS "Policy Constraints" -.IX Subsection "Policy Constraints" -This is a multi-valued extension which consisting of the names -\&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative intger -value. At least one component must be present. -.PP -Example: -.PP -.Vb 1 -\& policyConstraints = requireExplicitPolicy:3 -.Ve -.SS "Inhibit Any Policy" -.IX Subsection "Inhibit Any Policy" -This is a string extension whose value must be a non negative integer. -.PP -Example: -.PP -.Vb 1 -\& inhibitAnyPolicy = 2 -.Ve -.SS "Name Constraints" -.IX Subsection "Name Constraints" -The name constraints extension is a multi-valued extension. The name should -begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of -the name and the value follows the syntax of subjectAltName except email:copy -is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 addresses and -subnet mask separated by a \fB/\fR. -.PP -Examples: -.PP -.Vb 1 -\& nameConstraints=permitted;IP:192.168.0.0/255.255.0.0 -\& -\& nameConstraints=permitted;email:.somedomain.com -\& -\& nameConstraints=excluded;email:.com -.Ve -.SS "\s-1OCSP\s0 No Check" -.IX Subsection "OCSP No Check" -The \s-1OCSP\s0 No Check extension is a string extension but its value is ignored. -.PP -Example: -.PP -.Vb 1 -\& noCheck = ignored -.Ve -.SH "DEPRECATED EXTENSIONS" -.IX Header "DEPRECATED EXTENSIONS" -The following extensions are non standard, Netscape specific and largely -obsolete. Their use in new applications is discouraged. -.SS "Netscape String extensions." -.IX Subsection "Netscape String extensions." -Netscape Comment (\fBnsComment\fR) is a string extension containing a comment -which will be displayed when the certificate is viewed in some browsers. 
-.PP -Example: -.PP -.Vb 1 -\& nsComment = "Some Random Comment" -.Ve -.PP -Other supported extensions in this category are: \fBnsBaseUrl\fR, -\&\fBnsRevocationUrl\fR, \fBnsCaRevocationUrl\fR, \fBnsRenewalUrl\fR, \fBnsCaPolicyUrl\fR -and \fBnsSslServerName\fR. -.SS "Netscape Certificate Type" -.IX Subsection "Netscape Certificate Type" -This is a multi-valued extensions which consists of a list of flags to be -included. It was used to indicate the purposes for which a certificate could -be used. The basicConstraints, keyUsage and extended key usage extensions are -now used instead. -.PP -Acceptable values for nsCertType are: \fBclient\fR, \fBserver\fR, \fBemail\fR, -\&\fBobjsign\fR, \fBreserved\fR, \fBsslCA\fR, \fBemailCA\fR, \fBobjCA\fR. -.SH "ARBITRARY EXTENSIONS" -.IX Header "ARBITRARY EXTENSIONS" -If an extension is not supported by the OpenSSL code then it must be encoded -using the arbitrary extension format. It is also possible to use the arbitrary -format for supported extensions. Extreme care should be taken to ensure that -the data is formatted correctly for the given extension type. -.PP -There are two ways to encode arbitrary extensions. -.PP -The first way is to use the word \s-1ASN1\s0 followed by the extension content -using the same syntax as \fIASN1_generate_nconf\fR\|(3). -For example: -.PP -.Vb 1 -\& 1.2.3.4=critical,ASN1:UTF8String:Some random data -\& -\& 1.2.3.4=ASN1:SEQUENCE:seq_sect -\& -\& [seq_sect] -\& -\& field1 = UTF8:field1 -\& field2 = UTF8:field2 -.Ve -.PP -It is also possible to use the word \s-1DER\s0 to include the raw encoded data in any -extension. -.PP -.Vb 2 -\& 1.2.3.4=critical,DER:01:02:03:04 -\& 1.2.3.4=DER:01020304 -.Ve -.PP -The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension -Any extension can be placed in this form to override the default behaviour. 
-For example: -.PP -.Vb 1 -\& basicConstraints=critical,DER:00:01:02:03 -.Ve -.SH "WARNING" -.IX Header "WARNING" -There is no guarantee that a specific implementation will process a given -extension. It may therefore be sometimes possible to use certificates for -purposes prohibited by their extensions because a specific application does -not recognize or honour the values of the relevant extensions. -.PP -The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to create -totally invalid extensions if they are not used carefully. -.SH "NOTES" -.IX Header "NOTES" -If an extension is multi-value and a field value must contain a comma the long -form must be used otherwise the comma would be misinterpreted as a field -separator. For example: -.PP -.Vb 1 -\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar -.Ve -.PP -will produce an error but the equivalent form: -.PP -.Vb 1 -\& subjectAltName=@subject_alt_section -\& -\& [subject_alt_section] -\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar -.Ve -.PP -is valid. -.PP -Due to the behaviour of the OpenSSL \fBconf\fR library the same field name -can only occur once in a section. This means that: -.PP -.Vb 1 -\& subjectAltName=@alt_section -\& -\& [alt_section] -\& -\& email=steve@here -\& email=steve@there -.Ve -.PP -will only recognize the last value. This can be worked around by using the form: -.PP -.Vb 1 -\& [alt_section] -\& -\& email.1=steve@here -\& email.2=steve@there -.Ve -.SH "HISTORY" -.IX Header "HISTORY" -The X509v3 extension code was first added to OpenSSL 0.9.2. -.PP -Policy mappings, inhibit any policy and name constraints support was added in -OpenSSL 0.9.8 -.PP -The \fBdirectoryName\fR and \fBotherName\fR option as well as the \fB\s-1ASN1\s0\fR option -for arbitrary extensions was added in OpenSSL 0.9.8 -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1), -\&\fIASN1_generate_nconf\fR\|(3) -- 2.11.4.GIT