Diffstat (limited to 'src')
| -rw-r--r-- | src/usr.sbin/openssl/openssl.1 | 221 | 
1 files changed, 111 insertions, 110 deletions
| diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1 index a181d5f8bb..0b01b82d22 100644 --- a/src/usr.sbin/openssl/openssl.1 +++ b/src/usr.sbin/openssl/openssl.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: openssl.1,v 1.36 2004/02/18 21:06:40 jmc Exp $ | 1 | .\" $OpenBSD: openssl.1,v 1.37 2004/02/25 13:43:19 jmc Exp $ | 
| 2 | .\" ==================================================================== | 2 | .\" ==================================================================== | 
| 3 | .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | 3 | .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | 
| 4 | .\" | 4 | .\" | 
| @@ -5003,24 +5003,24 @@ should be input by the user. | |||
| 5003 | .Sh RSA | 5003 | .Sh RSA | 
| 5004 | .Cm openssl rsa | 5004 | .Cm openssl rsa | 
| 5005 | .Bk -words | 5005 | .Bk -words | 
| 5006 | .Op Fl inform Ar DER | NET | PEM | ||
| 5007 | .Op Fl outform Ar DER | NET | PEM | ||
| 5008 | .Op Fl in Ar file | ||
| 5009 | .Op Fl passin Ar arg | ||
| 5010 | .Op Fl out Ar file | ||
| 5011 | .Op Fl passout Ar arg | ||
| 5012 | .Op Fl sgckey | ||
| 5013 | .Oo | 5006 | .Oo | 
| 5014 | .Fl des | des3 | aes128 | | 5007 | .Fl aes128 | aes192 | aes256 | | 
| 5015 | .Fl aes192 | aes256 | 5008 | .Fl des | des3 | 
| 5016 | .Oc | 5009 | .Oc | 
| 5017 | .Op Fl text | ||
| 5018 | .Op Fl noout | ||
| 5019 | .Op Fl modulus | ||
| 5020 | .Op Fl check | 5010 | .Op Fl check | 
| 5011 | .Op Fl modulus | ||
| 5012 | .Op Fl noout | ||
| 5021 | .Op Fl pubin | 5013 | .Op Fl pubin | 
| 5022 | .Op Fl pubout | 5014 | .Op Fl pubout | 
| 5015 | .Op Fl sgckey | ||
| 5016 | .Op Fl text | ||
| 5023 | .Op Fl engine Ar id | 5017 | .Op Fl engine Ar id | 
| 5018 | .Op Fl in Ar file | ||
| 5019 | .Op Fl inform Ar DER | NET | PEM | ||
| 5020 | .Op Fl out Ar file | ||
| 5021 | .Op Fl outform Ar DER | NET | PEM | ||
| 5022 | .Op Fl passin Ar arg | ||
| 5023 | .Op Fl passout Ar arg | ||
| 5024 | .Ek | 5024 | .Ek | 
| 5025 | .Pp | 5025 | .Pp | 
| 5026 | The | 5026 | The | 
| @@ -5038,6 +5038,36 @@ utility. | |||
| 5038 | .Pp | 5038 | .Pp | 
| 5039 | The options are as follows: | 5039 | The options are as follows: | 
| 5040 | .Bl -tag -width "XXXX" | 5040 | .Bl -tag -width "XXXX" | 
| 5041 | .It Xo | ||
| 5042 | .Fl aes128 | aes192 | aes256 | | ||
| 5043 | .Fl des | des3 | ||
| 5044 | .Xc | ||
| 5045 | These options encrypt the private key with the AES, DES, | ||
| 5046 | or the triple DES ciphers, respectively, before outputting it. | ||
| 5047 | A pass phrase is prompted for. | ||
| 5048 | If none of these options is specified the key is written in plain text. | ||
| 5049 | This means that using the | ||
| 5050 | .Nm rsa | ||
| 5051 | utility to read in an encrypted key with no encryption option can be used | ||
| 5052 | to remove the pass phrase from a key, or by setting the encryption options | ||
| 5053 | it can be used to add or change the pass phrase. | ||
| 5054 | These options can only be used with PEM format output files. | ||
| 5055 | .It Fl check | ||
| 5056 | This option checks the consistency of an RSA private key. | ||
| 5057 | .It Fl engine Ar id | ||
| 5058 | Specifying an engine (by it's unique | ||
| 5059 | .Ar id | ||
| 5060 | string) will cause | ||
| 5061 | .Nm rsa | ||
| 5062 | to attempt to obtain a functional reference to the specified engine, | ||
| 5063 | thus initialising it if needed. | ||
| 5064 | The engine will then be set as the default for all available algorithms. | ||
| 5065 | .It Fl in Ar file | ||
| 5066 | This specifies the input | ||
| 5067 | .Ar file | ||
| 5068 | to read a key from, or standard input if this | ||
| 5069 | option is not specified. | ||
| 5070 | If the key is encrypted, a pass phrase will be prompted for. | ||
| 5041 | .It Fl inform Ar DER | NET | PEM | 5071 | .It Fl inform Ar DER | NET | PEM | 
| 5042 | This specifies the input format. | 5072 | This specifies the input format. | 
| 5043 | The | 5073 | The | 
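Review bot: the `-engine` paragraph being moved into this hunk (new 5058, "Specifying an engine (by it's unique") still carries the "it's" typo; since the entry is being rewritten anyway, change it to "by its unique". In the moved cipher paragraph (new 5045-5046), "with the AES, DES, or the triple DES ciphers, respectively" now follows the new flag order, but five flags map onto three ciphers, so "respectively" is loose; "with AES (128, 192 or 256 bit), DES, or triple DES" would say exactly what each flag selects.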
| @@ -5055,16 +5085,22 @@ The | |||
| 5055 | form is a format described in the | 5085 | form is a format described in the | 
| 5056 | .Sx RSA NOTES | 5086 | .Sx RSA NOTES | 
| 5057 | section. | 5087 | section. | 
| 5088 | .It Fl noout | ||
| 5089 | This option prevents output of the encoded version of the key. | ||
| 5090 | .It Fl modulus | ||
| 5091 | This option prints out the value of the modulus of the key. | ||
| 5092 | .It Fl out Ar file | ||
| 5093 | This specifies the output | ||
| 5094 | .Ar file | ||
| 5095 | to write a key to, or standard output if this option is not specified. | ||
| 5096 | If any encryption options are set, then a pass phrase will be prompted for. | ||
| 5097 | The output filename should | ||
| 5098 | .Em not | ||
| 5099 | be the same as the input filename. | ||
| 5058 | .It Fl outform Ar DER | NET | PEM | 5100 | .It Fl outform Ar DER | NET | PEM | 
| 5059 | This specifies the output format; the options have the same meaning as the | 5101 | This specifies the output format; the options have the same meaning as the | 
| 5060 | .Fl inform | 5102 | .Fl inform | 
| 5061 | option. | 5103 | option. | 
| 5062 | .It Fl in Ar file | ||
| 5063 | This specifies the input | ||
| 5064 | .Ar file | ||
| 5065 | to read a key from, or standard input if this | ||
| 5066 | option is not specified. | ||
| 5067 | If the key is encrypted, a pass phrase will be prompted for. | ||
| 5068 | .It Fl passin Ar arg | 5104 | .It Fl passin Ar arg | 
| 5069 | The input file password source. | 5105 | The input file password source. | 
| 5070 | For more information about the format of | 5106 | For more information about the format of | 
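Review bot: the entries added here list `-noout` (new 5088) before `-modulus` (new 5090), which breaks the alphabetical order this commit establishes everywhere else and disagrees with the synopsis in the same patch (new 5011 `.Op Fl modulus` comes before 5012 `.Op Fl noout`); swap the two entries. The punctuation fix at new 5096 ("If any encryption options are set, then a pass phrase will be prompted for.") is correct.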
| @@ -5072,63 +5108,27 @@ For more information about the format of | |||
| 5072 | see the | 5108 | see the | 
| 5073 | .Sx PASS PHRASE ARGUMENTS | 5109 | .Sx PASS PHRASE ARGUMENTS | 
| 5074 | section above. | 5110 | section above. | 
| 5075 | .It Fl out Ar file | 5111 | .It Fl passout Ar arg | 
| 5076 | This specifies the output | ||
| 5077 | .Ar file | ||
| 5078 | to write a key to, or standard output if this option is not specified. | ||
| 5079 | If any encryption options are set then, a pass phrase will be prompted for. | ||
| 5080 | The output filename should | ||
| 5081 | .Em not | ||
| 5082 | be the same as the input filename. | ||
| 5083 | .It Fl passout Ar password | ||
| 5084 | The output file password source. | 5112 | The output file password source. | 
| 5085 | For more information about the format of | 5113 | For more information about the format of | 
| 5086 | .Ar arg , | 5114 | .Ar arg , | 
| 5087 | see the | 5115 | see the | 
| 5088 | .Sx PASS PHRASE ARGUMENTS | 5116 | .Sx PASS PHRASE ARGUMENTS | 
| 5089 | section above. | 5117 | section above. | 
| 5118 | .It Fl pubin | ||
| 5119 | By default, a private key is read from the input file; with this | ||
| 5120 | option a public key is read instead. | ||
| 5121 | .It Fl pubout | ||
| 5122 | By default, a private key is output; | ||
| 5123 | with this option a public key will be output instead. | ||
| 5124 | This option is automatically set if the input is a public key. | ||
| 5090 | .It Fl sgckey | 5125 | .It Fl sgckey | 
| 5091 | Use the modified | 5126 | Use the modified | 
| 5092 | .Em NET | 5127 | .Em NET | 
| 5093 | algorithm used with some versions of Microsoft IIS and SGC keys. | 5128 | algorithm used with some versions of Microsoft IIS and SGC keys. | 
| 5094 | .It Xo | ||
| 5095 | .Fl des | des3 | aes128 | | ||
| 5096 | .Fl aes192 | aes256 | ||
| 5097 | .Xc | ||
| 5098 | These options encrypt the private key with the DES, triple DES, or the | ||
| 5099 | AES ciphers, respectively, before outputting it. | ||
| 5100 | A pass phrase is prompted for. | ||
| 5101 | If none of these options is specified the key is written in plain text. | ||
| 5102 | This means that using the | ||
| 5103 | .Nm rsa | ||
| 5104 | utility to read in an encrypted key with no encryption option can be used | ||
| 5105 | to remove the pass phrase from a key, or by setting the encryption options | ||
| 5106 | it can be used to add or change the pass phrase. | ||
| 5107 | These options can only be used with PEM format output files. | ||
| 5108 | .It Fl text | 5129 | .It Fl text | 
| 5109 | Prints out the various public or private key components in | 5130 | Prints out the various public or private key components in | 
| 5110 | plain text, in addition to the encoded version. | 5131 | plain text, in addition to the encoded version. | 
| 5111 | .It Fl noout | ||
| 5112 | This option prevents output of the encoded version of the key. | ||
| 5113 | .It Fl modulus | ||
| 5114 | This option prints out the value of the modulus of the key. | ||
| 5115 | .It Fl check | ||
| 5116 | This option checks the consistency of an RSA private key. | ||
| 5117 | .It Fl pubin | ||
| 5118 | By default, a private key is read from the input file: with this | ||
| 5119 | option a public key is read instead. | ||
| 5120 | .It Fl pubout | ||
| 5121 | By default, a private key is output: | ||
| 5122 | with this option a public key will be output instead. | ||
| 5123 | This option is automatically set if the input is a public key. | ||
| 5124 | .It Fl engine Ar id | ||
| 5125 | Specifying an engine (by it's unique | ||
| 5126 | .Ar id | ||
| 5127 | string) will cause | ||
| 5128 | .Nm rsa | ||
| 5129 | to attempt to obtain a functional reference to the specified engine, | ||
| 5130 | thus initialising it if needed. | ||
| 5131 | The engine will then be set as the default for all available algorithms. | ||
| 5132 | .El | 5132 | .El | 
| 5133 | .Sh RSA NOTES | 5133 | .Sh RSA NOTES | 
| 5134 | The PEM private key format uses the header and footer lines: | 5134 | The PEM private key format uses the header and footer lines: | 
| @@ -5199,20 +5199,20 @@ without having to manually edit them. | |||
| 5199 | .Sh RSAUTL | 5199 | .Sh RSAUTL | 
| 5200 | .Nm openssl rsautl | 5200 | .Nm openssl rsautl | 
| 5201 | .Bk -words | 5201 | .Bk -words | 
| 5202 | .Op Fl in Ar file | 5202 | .Op Fl asn1parse | 
| 5203 | .Op Fl out Ar file | ||
| 5204 | .Op Fl inkey Ar file | ||
| 5205 | .Op Fl keyform Ar DER | PEM | ||
| 5206 | .Op Fl pubin | ||
| 5207 | .Op Fl certin | 5203 | .Op Fl certin | 
| 5208 | .Op Fl sign | ||
| 5209 | .Op Fl verify | ||
| 5210 | .Op Fl encrypt | ||
| 5211 | .Op Fl decrypt | 5204 | .Op Fl decrypt | 
| 5212 | .Op Fl pkcs | oaep | ssl | raw | 5205 | .Op Fl encrypt | 
| 5213 | .Op Fl hexdump | 5206 | .Op Fl hexdump | 
| 5214 | .Op Fl asn1parse | 5207 | .Op Fl oaep | pkcs | raw | ssl | 
| 5208 | .Op Fl pubin | ||
| 5209 | .Op Fl sign | ||
| 5210 | .Op Fl verify | ||
| 5215 | .Op Fl engine Ar id | 5211 | .Op Fl engine Ar id | 
| 5212 | .Op Fl in Ar file | ||
| 5213 | .Op Fl inkey Ar file | ||
| 5214 | .Op Fl keyform Ar DER | PEM | ||
| 5215 | .Op Fl out Ar file | ||
| 5216 | .Ek | 5216 | .Ek | 
| 5217 | .Pp | 5217 | .Pp | 
| 5218 | The | 5218 | The | 
| @@ -5222,59 +5222,60 @@ data using the RSA algorithm. | |||
| 5222 | .Pp | 5222 | .Pp | 
| 5223 | The options are as follows: | 5223 | The options are as follows: | 
| 5224 | .Bl -tag -width "XXXX" | 5224 | .Bl -tag -width "XXXX" | 
| 5225 | .It Fl asn1parse | ||
| 5226 | Asn1parse the output data; this is useful when combined with the | ||
| 5227 | .Fl verify | ||
| 5228 | option. | ||
| 5229 | .It Fl certin | ||
| 5230 | The input is a certificate containing an RSA public key. | ||
| 5231 | .It Fl decrypt | ||
| 5232 | Decrypt the input data using an RSA private key. | ||
| 5233 | .It Fl encrypt | ||
| 5234 | Encrypt the input data using an RSA public key. | ||
| 5235 | .It Fl engine Ar id | ||
| 5236 | Specifying an engine (by it's unique | ||
| 5237 | .Ar id | ||
| 5238 | string) will cause | ||
| 5239 | .Nm rsautl | ||
| 5240 | to attempt to obtain a functional reference to the specified engine, | ||
| 5241 | thus initialising it if needed. | ||
| 5242 | The engine will then be set as the default for all available algorithms. | ||
| 5243 | .It Fl hexdump | ||
| 5244 | Hex dump the output data. | ||
| 5225 | .It Fl in Ar file | 5245 | .It Fl in Ar file | 
| 5226 | This specifies the input | 5246 | This specifies the input | 
| 5227 | .Ar file | 5247 | .Ar file | 
| 5228 | to read data from, or standard input | 5248 | to read data from, or standard input | 
| 5229 | if this option is not specified. | 5249 | if this option is not specified. | 
| 5230 | .It Fl out Ar file | ||
| 5231 | Specifies the output | ||
| 5232 | .Ar file | ||
| 5233 | to write to, or standard output by | ||
| 5234 | default. | ||
| 5235 | .It Fl inkey Ar file | 5250 | .It Fl inkey Ar file | 
| 5236 | The input key file, by default it should be an RSA private key. | 5251 | The input key file, by default it should be an RSA private key. | 
| 5237 | .It Fl keyform Ar DER | PEM | 5252 | .It Fl keyform Ar DER | PEM | 
| 5238 | Private ket format. | 5253 | Private ket format. | 
| 5239 | Default is | 5254 | Default is | 
| 5240 | .Ar PEM . | 5255 | .Ar PEM . | 
| 5256 | .It Fl oaep | pkcs | raw | ssl | ||
| 5257 | The padding to use: | ||
| 5258 | PKCS#1 OAEP, PKCS#1 v1.5 | ||
| 5259 | .Pq the default , | ||
| 5260 | no padding, | ||
| 5261 | or special padding used in SSL v2 backwards compatible handshakes, respectively. | ||
| 5262 | For signatures, only | ||
| 5263 | .Fl pkcs | ||
| 5264 | and | ||
| 5265 | .Fl raw | ||
| 5266 | can be used. | ||
| 5267 | .It Fl out Ar file | ||
| 5268 | Specifies the output | ||
| 5269 | .Ar file | ||
| 5270 | to write to, or standard output by | ||
| 5271 | default. | ||
| 5241 | .It Fl pubin | 5272 | .It Fl pubin | 
| 5242 | The input file is an RSA public key. | 5273 | The input file is an RSA public key. | 
| 5243 | .It Fl certin | ||
| 5244 | The input is a certificate containing an RSA public key. | ||
| 5245 | .It Fl sign | 5274 | .It Fl sign | 
| 5246 | Sign the input data and output the signed result. | 5275 | Sign the input data and output the signed result. | 
| 5247 | This requires an RSA private key. | 5276 | This requires an RSA private key. | 
| 5248 | .It Fl verify | 5277 | .It Fl verify | 
| 5249 | Verify the input data and output the recovered data. | 5278 | Verify the input data and output the recovered data. | 
| 5250 | .It Fl encrypt | ||
| 5251 | Encrypt the input data using an RSA public key. | ||
| 5252 | .It Fl decrypt | ||
| 5253 | Decrypt the input data using an RSA private key. | ||
| 5254 | .It Fl pkcs | oaep | ssl | raw | ||
| 5255 | The padding to use: PKCS#1 v1.5 | ||
| 5256 | .Pq the default , | ||
| 5257 | PKCS#1 OAEP, special padding used in SSL v2 backwards compatible handshakes, | ||
| 5258 | or no padding, respectively. | ||
| 5259 | For signatures, only | ||
| 5260 | .Fl pkcs | ||
| 5261 | and | ||
| 5262 | .Fl raw | ||
| 5263 | can be used. | ||
| 5264 | .It Fl hexdump | ||
| 5265 | Hex dump the output data. | ||
| 5266 | .It Fl asn1parse | ||
| 5267 | Asn1parse the output data; this is useful when combined with the | ||
| 5268 | .Fl verify | ||
| 5269 | option. | ||
| 5270 | .It Fl engine Ar id | ||
| 5271 | Specifying an engine (by it's unique | ||
| 5272 | .Ar id | ||
| 5273 | string) will cause | ||
| 5274 | .Nm rsautl | ||
| 5275 | to attempt to obtain a functional reference to the specified engine, | ||
| 5276 | thus initialising it if needed. | ||
| 5277 | The engine will then be set as the default for all available algorithms. | ||
| 5278 | .El | 5279 | .El | 
| 5279 | .Sh RSAUTL NOTES | 5280 | .Sh RSAUTL NOTES | 
| 5280 | .Nm rsautl , | 5281 | .Nm rsautl , | 
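Review bot: the `-engine` entry added at new 5236 keeps the "by it's unique" typo from the old text; change it to "its". The unchanged context line at 5253, "Private ket format.", is a typo for "Private key format." and is worth fixing while this option list is being rewritten. The reordered padding description at new 5257-5261 does match the new flag order `-oaep | pkcs | raw | ssl` (PKCS#1 OAEP, PKCS#1 v1.5 as the default, no padding, SSL v2 padding), and the "only `-pkcs` and `-raw` for signatures" sentence survives intact, so that part is fine.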
| @@ -5346,7 +5347,7 @@ It can be extracted with: | |||
| 5346 | .Pp | 5347 | .Pp | 
| 5347 | The certificate public key can be extracted with: | 5348 | The certificate public key can be extracted with: | 
| 5348 | .Pp | 5349 | .Pp | 
| 5349 | .Dl $ openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem | 5350 | .Dl $ openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem | 
| 5350 | .Pp | 5351 | .Pp | 
| 5351 | The signature can be analysed with: | 5352 | The signature can be analysed with: | 
| 5352 | .Pp | 5353 | .Pp | 
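Review bot: the change from `-pubout` to `-pubkey` at new 5350 is a real fix, not a cosmetic one: `-pubout` is an option of `openssl rsa` (see new 5014 in this same patch), while `openssl x509` uses `-pubkey` to print the certificate's public key. Combined with `-noout`, the redirect now captures only the PEM public key, so the example does what the surrounding text says it does.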
| @@ -5363,7 +5364,7 @@ The signature can be analysed with: | |||
| 5363 | This is the parsed version of an ASN1 | 5364 | This is the parsed version of an ASN1 | 
| 5364 | .Em DigestInfo | 5365 | .Em DigestInfo | 
| 5365 | structure. | 5366 | structure. | 
| 5366 | It can be seen that the digest used was md5. | 5367 | It can be seen that the digest used was MD5. | 
| 5367 | The actual part of the certificate that was signed can be extracted with: | 5368 | The actual part of the certificate that was signed can be extracted with: | 
| 5368 | .Pp | 5369 | .Pp | 
| 5369 | .Dl "$ openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4" | 5370 | .Dl "$ openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4" | 
