1 files changed, 127 insertions, 1 deletions
diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1
index 386699c6ff..73cbf23686 100644
--- a/src/usr.sbin/openssl/openssl.1
+++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.73 2010/10/09 10:03:44 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.74 2010/10/09 18:22:46 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -316,6 +316,8 @@ PKCS#7 data management.
 PKCS#8 data management.
 .It Cm pkcs12
 PKCS#12 data management.
+.It Cm pkey
+Public and private key management.
 .It Cm rand
 Generate pseudo-random bytes.
 .It Cm req
@@ -5018,6 +5020,130 @@ $ openssl -in keycerts.pem -export -name "My PKCS#12 file" \e
        -out fixed.p12
 .Ed
 .\"
+.\" PKEY
+.\"
+.Sh PKEY
+.Cm openssl pkey
+.Bk -words
+.Op Ar cipher
+.Op Fl noout
+.Op Fl pubin
+.Op Fl pubout
+.Op Fl text
+.Op Fl text_pub
+.Op Fl engine Ar id
+.Op Fl in Ar filename
+.Op Fl inform Ar DER | PEM
+.Op Fl out Ar filename
+.Op Fl outform Ar DER | PEM
+.Op Fl passin Ar arg
+.Op Fl passout Ar arg
+.Ek
+.Pp
+The
+.Nm pkey
+command processes public or private keys.
+They can be converted between various forms
+and their components printed out.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Ar cipher
+These options encrypt the private key with the supplied cipher.
+Any algorithm name accepted by
+.Fn EVP_get_cipherbyname
+is acceptable, such as
+.Cm des3 .
+.It Fl engine Ar id
+Specifying an engine (by its unique
+.Ar id
+string) will cause
+.Nm pkey
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed.
+The engine will then be set as the default
+for all available algorithms.
+.It Fl in Ar filename
+This specifies the input filename to read a key from,
+or standard input if this option is not specified.
+If the key is encrypted a pass phrase will be prompted for.
+.It Fl inform Ar DER | PEM
+This specifies the input format, DER or PEM.
+.It Fl noout
+Do not output the encoded version of the key.
+.It Fl out Ar filename
+This specifies the output filename to write a key to,
+or standard output if this option is not specified.
+If any encryption options are set then a pass phrase
+will be prompted for.
+The output filename should
+.Em not
+be the same as the input filename.
+.It Fl outform Ar DER | PEM
+This specifies the output format;
+the options have the same meaning as the
+.Fl inform
+option.
+.It Fl passin Ar arg
+The input file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl passout Ar arg
+The output file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl pubin
+By default a private key is read from the input file:
+with this option a public key is read instead.
+.It Fl pubout
+By default a private key is output:
+with this option a public key will be output instead.
+This option is automatically set if
+the input is a public key.
+.It Fl text
+Print out the various public or private key components in
+plain text in addition to the encoded version.
+.It Fl text_pub
+Print out only public key components
+even if a private key is being processed.
+.El
+.Sh PKEY EXAMPLES
+To remove the pass phrase on an RSA private key:
+.Bd -literal -offset indent
+$ openssl pkey -in key.pem -out keyout.pem
+.Ed
+.Pp
+To encrypt a private key using triple DES:
+.Bd -literal -offset indent
+$ openssl pkey -in key.pem -des3 -out keyout.pem
+.Ed
+.Pp
+To convert a private key from PEM to DER format:
+.Bd -literal -offset indent
+$ openssl pkey -in key.pem -outform DER -out keyout.der
+.Ed
+.Pp
+To print the components of a private key to standard output:
+.Bd -literal -offset indent
+$ openssl pkey -in key.pem -text -noout
+.Ed
+.Pp
+To print the public components of a private key to standard output:
+.Bd -literal -offset indent
+$ openssl pkey -in key.pem -text_pub -noout
+.Ed
+.Pp
+To just output the public part of a private key:
+.Bd -literal -offset indent
+$ openssl pkey -in key.pem -pubout -out pubkey.pem
+.Ed
+.\"
 .\" RAND
 .\"
 .Sh RAND

diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1 index 386699c6ff..73cbf23686 100644 --- a/src/usr.sbin/openssl/openssl.1 +++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.73 2010/10/09 10:03:44 jmc Exp $	1	.\" $OpenBSD: openssl.1,v 1.74 2010/10/09 18:22:46 jmc Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -316,6 +316,8 @@ PKCS#7 data management.
316	PKCS#8 data management.	316	PKCS#8 data management.
317	.It Cm pkcs12	317	.It Cm pkcs12
318	PKCS#12 data management.	318	PKCS#12 data management.
		319	.It Cm pkey
		320	Public and private key management.
319	.It Cm rand	321	.It Cm rand
320	Generate pseudo-random bytes.	322	Generate pseudo-random bytes.
321	.It Cm req	323	.It Cm req
@@ -5018,6 +5020,130 @@ $ openssl -in keycerts.pem -export -name "My PKCS#12 file" \e
5018	-out fixed.p12	5020	-out fixed.p12
5019	.Ed	5021	.Ed
5020	.\"	5022	.\"
		5023	.\" PKEY
		5024	.\"
		5025	.Sh PKEY
		5026	.Cm openssl pkey
		5027	.Bk -words
		5028	.Op Ar cipher
		5029	.Op Fl noout
		5030	.Op Fl pubin
		5031	.Op Fl pubout
		5032	.Op Fl text
		5033	.Op Fl text_pub
		5034	.Op Fl engine Ar id
		5035	.Op Fl in Ar filename
		5036	.Op Fl inform Ar DER \| PEM
		5037	.Op Fl out Ar filename
		5038	.Op Fl outform Ar DER \| PEM
		5039	.Op Fl passin Ar arg
		5040	.Op Fl passout Ar arg
		5041	.Ek
		5042	.Pp
		5043	The
		5044	.Nm pkey
		5045	command processes public or private keys.
		5046	They can be converted between various forms
		5047	and their components printed out.
		5048	.Pp
		5049	The options are as follows:
		5050	.Bl -tag -width Ds
		5051	.It Ar cipher
		5052	These options encrypt the private key with the supplied cipher.
		5053	Any algorithm name accepted by
		5054	.Fn EVP_get_cipherbyname
		5055	is acceptable, such as
		5056	.Cm des3 .
		5057	.It Fl engine Ar id
		5058	Specifying an engine (by its unique
		5059	.Ar id
		5060	string) will cause
		5061	.Nm pkey
		5062	to attempt to obtain a functional reference to the specified engine,
		5063	thus initialising it if needed.
		5064	The engine will then be set as the default
		5065	for all available algorithms.
		5066	.It Fl in Ar filename
		5067	This specifies the input filename to read a key from,
		5068	or standard input if this option is not specified.
		5069	If the key is encrypted a pass phrase will be prompted for.
		5070	.It Fl inform Ar DER \| PEM
		5071	This specifies the input format, DER or PEM.
		5072	.It Fl noout
		5073	Do not output the encoded version of the key.
		5074	.It Fl out Ar filename
		5075	This specifies the output filename to write a key to,
		5076	or standard output if this option is not specified.
		5077	If any encryption options are set then a pass phrase
		5078	will be prompted for.
		5079	The output filename should
		5080	.Em not
		5081	be the same as the input filename.
		5082	.It Fl outform Ar DER \| PEM
		5083	This specifies the output format;
		5084	the options have the same meaning as the
		5085	.Fl inform
		5086	option.
		5087	.It Fl passin Ar arg
		5088	The input file password source.
		5089	For more information about the format of
		5090	.Ar arg
		5091	see the
		5092	.Sx PASS PHRASE ARGUMENTS
		5093	section above.
		5094	.It Fl passout Ar arg
		5095	The output file password source.
		5096	For more information about the format of
		5097	.Ar arg
		5098	see the
		5099	.Sx PASS PHRASE ARGUMENTS
		5100	section above.
		5101	.It Fl pubin
		5102	By default a private key is read from the input file:
		5103	with this option a public key is read instead.
		5104	.It Fl pubout
		5105	By default a private key is output:
		5106	with this option a public key will be output instead.
		5107	This option is automatically set if
		5108	the input is a public key.
		5109	.It Fl text
		5110	Print out the various public or private key components in
		5111	plain text in addition to the encoded version.
		5112	.It Fl text_pub
		5113	Print out only public key components
		5114	even if a private key is being processed.
		5115	.El
		5116	.Sh PKEY EXAMPLES
		5117	To remove the pass phrase on an RSA private key:
		5118	.Bd -literal -offset indent
		5119	$ openssl pkey -in key.pem -out keyout.pem
		5120	.Ed
		5121	.Pp
		5122	To encrypt a private key using triple DES:
		5123	.Bd -literal -offset indent
		5124	$ openssl pkey -in key.pem -des3 -out keyout.pem
		5125	.Ed
		5126	.Pp
		5127	To convert a private key from PEM to DER format:
		5128	.Bd -literal -offset indent
		5129	$ openssl pkey -in key.pem -outform DER -out keyout.der
		5130	.Ed
		5131	.Pp
		5132	To print the components of a private key to standard output:
		5133	.Bd -literal -offset indent
		5134	$ openssl pkey -in key.pem -text -noout
		5135	.Ed
		5136	.Pp
		5137	To print the public components of a private key to standard output:
		5138	.Bd -literal -offset indent
		5139	$ openssl pkey -in key.pem -text_pub -noout
		5140	.Ed
		5141	.Pp
		5142	To just output the public part of a private key:
		5143	.Bd -literal -offset indent
		5144	$ openssl pkey -in key.pem -pubout -out pubkey.pem
		5145	.Ed
		5146	.\"
5021	.\" RAND	5147	.\" RAND
5022	.\"	5148	.\"
5023	.Sh RAND	5149	.Sh RAND