1 files changed, 209 insertions, 3 deletions
diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1
index e5f12dfb6b..0aae966742 100644
--- a/src/usr.sbin/openssl/openssl.1
+++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.68 2010/10/06 13:21:02 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.69 2010/10/08 05:38:24 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: October 6 2010 $
+.Dd $Mdocdate: October 8 2010 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -278,6 +278,8 @@ Superseded by
 .Cm genpkey
 and
 .Cm pkeyparam .
+.It Cm ec
+Elliptic curve (EC) key processing.
 .It Cm enc
 Encoding with ciphers.
 .It Cm engine
@@ -2506,6 +2508,210 @@ PEM format DSA parameters use the header and footer lines:
 DSA parameter generation is a slow process and as a result the same set of
 DSA parameters is often used to generate several distinct keys.
 .\"
+.\" EC
+.\"
+.Sh EC
+.Nm openssl ec
+.Bk -words
+.Op Fl des
+.Op Fl des3
+.Op Fl noout
+.Op Fl param_out
+.Op Fl pubin
+.Op Fl pubout
+.Op Fl text
+.Op Fl conv_form Ar arg
+.Op Fl engine Ar id
+.Op Fl in Ar filename
+.Op Fl inform Ar PEM|DER
+.Op Fl out Ar filename
+.Op Fl outform Ar PEM|DER
+.Op Fl param_enc Ar arg
+.Op Fl passin Ar arg
+.Op Fl passout Ar arg
+.Ek
+.Pp
+The
+.Nm ec
+command processes EC keys.
+They can be converted between various
+forms and their components printed out.
+Note:
+.Nm OpenSSL
+uses the private key format specified in
+.Dq SEC 1: Elliptic Curve Cryptography
+.Pq Pa http://www.secg.org/ .
+To convert an
+.Nm OpenSSL
+EC private key into the PKCS#8 private key format use the
+.Nm pkcs8
+command.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl conv_form
+This specifies how the points on the elliptic curve are converted
+into octet strings.
+Possible values are:
+.Cm compressed
+(the default value),
+.Cm uncompressed ,
+and
+.Cm hybrid .
+For more information regarding
+the point conversion forms please read the X9.62 standard.
+Note:
+Due to patent issues the
+.Cm compressed
+option is disabled by default for binary curves
+and can be enabled by defining the preprocessor macro
+.Ar OPENSSL_EC_BIN_PT_COMP
+at compile time.
+.It Fl des | des3
+These options encrypt the private key with the DES, triple DES, or
+any other cipher supported by
+.Nm OpenSSL
+before outputting it.
+A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text.
+This means that using the
+.Nm ec
+utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key,
+or by setting the encryption options
+it can be use to add or change the pass phrase.
+These options can only be used with PEM format output files.
+.It Fl engine Ar id
+Specifying an engine (by its unique
+.Ar id
+string) will cause
+.Nm ec
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed.
+The engine will then be set as the default
+for all available algorithms.
+.It Fl in Ar filename
+This specifies the input filename to read a key from,
+or standard input if this option is not specified.
+If the key is encrypted a pass phrase will be prompted for.
+.It Fl inform Ar DER | PEM
+This specifies the input format.
+DER with a private key uses
+an ASN.1 DER-encoded SEC1 private key.
+When used with a public key it
+uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
+PEM is the default format:
+it consists of the DER format base64
+encoded with additional header and footer lines.
+In the case of a private key
+PKCS#8 format is also accepted.
+.It Fl noout
+Prevents output of the encoded version of the key.
+.It Fl out Ar filename
+Specifies the output filename to write a key to,
+or standard output if none is specified.
+If any encryption options are set then a pass phrase will be prompted for.
+The output filename should
+.Em not
+be the same as the input filename.
+.It Fl outform Ar DER | PEM
+This specifies the output format.
+The options have the same meaning as the
+.Fl inform
+option.
+.It Fl param_enc Ar arg
+This specifies how the elliptic curve parameters are encoded.
+Possible value are:
+.Cm named_curve ,
+i.e. the EC parameters are specified by an OID; or
+.Cm explicit ,
+where the EC parameters are explicitly given
+(see RFC 3279 for the definition of the EC parameter structures).
+The default value is
+.Cm named_curve .
+Note: the
+.Cm implicitlyCA
+alternative,
+as specified in RFC 3279,
+is currently not implemented in
+.Nm OpenSSL .
+.It Fl passin Ar arg
+The input file password source.
+For more information about the format of
+.Ar arg ,
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl passout Ar arg
+The output file password source.
+For more information about the format of
+.Ar arg ,
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl pubin
+By default a private key is read from the input file;
+with this option a public key is read instead.
+.It Fl pubout
+By default a private key is output;
+with this option a public key is output instead.
+This option is automatically set if the input is a public key.
+.It Fl text
+Prints out the public/private key components and parameters.
+.El
+.Sh EC NOTES
+The PEM private key format uses the header and footer lines:
+.Bd -literal -offset indent
+-----BEGIN EC PRIVATE KEY-----
+-----END EC PRIVATE KEY-----
+.Ed
+.Pp
+The PEM public key format uses the header and footer lines:
+.Bd -literal -offset indent
+-----BEGIN PUBLIC KEY-----
+-----END PUBLIC KEY-----
+.Ed
+.Sh EC EXAMPLES
+To encrypt a private key using triple DES:
+.Bd -literal -offset indent
+$ openssl ec -in key.pem -des3 -out keyout.pem
+.Ed
+.Pp
+To convert a private key from PEM to DER format:
+.Bd -literal -offset indent
+$ openssl ec -in key.pem -outform DER -out keyout.der
+.Ed
+.Pp
+To print out the components of a private key to standard output:
+.Bd -literal -offset indent
+$ openssl ec -in key.pem -text -noout
+.Ed
+.Pp
+To just output the public part of a private key:
+.Bd -literal -offset indent
+$ openssl ec -in key.pem -pubout -out pubkey.pem
+.Ed
+.Pp
+To change the parameter encoding to
+.Cm explicit :
+.Bd -literal -offset indent
+$ openssl ec -in key.pem -param_enc explicit -out keyout.pem
+.Ed
+.Pp
+To change the point conversion form to
+.Cm compressed :
+.Bd -literal -offset indent
+$ openssl ec -in key.pem -conv_form compressed -out keyout.pem
+.Ed
+.Sh EC HISTORY
+The
+.Nm ec
+command was first introduced in
+.Nm OpenSSL
+0.9.8.
+.Sh EC AUTHORS
+.An Nils Larsch .
+.\"
 .\" ENC
 .\"
 .Sh ENC
@@ -2632,7 +2838,7 @@ option.
 .It Fl md Ar digest
 Use
 .Ar digest
-to create a key from a passphrase.
+to create a key from a pass phrase.
 .Ar digest
 may be one of
 .Dq md2 ,

diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1 index e5f12dfb6b..0aae966742 100644 --- a/src/usr.sbin/openssl/openssl.1 +++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.68 2010/10/06 13:21:02 jmc Exp $	1	.\" $OpenBSD: openssl.1,v 1.69 2010/10/08 05:38:24 jmc Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -112,7 +112,7 @@
112	.\"	112	.\"
113	.\" OPENSSL	113	.\" OPENSSL
114	.\"	114	.\"
115	.Dd $Mdocdate: October 6 2010 $	115	.Dd $Mdocdate: October 8 2010 $
116	.Dt OPENSSL 1	116	.Dt OPENSSL 1
117	.Os	117	.Os
118	.Sh NAME	118	.Sh NAME
@@ -278,6 +278,8 @@ Superseded by
278	.Cm genpkey	278	.Cm genpkey
279	and	279	and
280	.Cm pkeyparam .	280	.Cm pkeyparam .
		281	.It Cm ec
		282	Elliptic curve (EC) key processing.
281	.It Cm enc	283	.It Cm enc
282	Encoding with ciphers.	284	Encoding with ciphers.
283	.It Cm engine	285	.It Cm engine
@@ -2506,6 +2508,210 @@ PEM format DSA parameters use the header and footer lines:
2506	DSA parameter generation is a slow process and as a result the same set of	2508	DSA parameter generation is a slow process and as a result the same set of
2507	DSA parameters is often used to generate several distinct keys.	2509	DSA parameters is often used to generate several distinct keys.
2508	.\"	2510	.\"
		2511	.\" EC
		2512	.\"
		2513	.Sh EC
		2514	.Nm openssl ec
		2515	.Bk -words
		2516	.Op Fl des
		2517	.Op Fl des3
		2518	.Op Fl noout
		2519	.Op Fl param_out
		2520	.Op Fl pubin
		2521	.Op Fl pubout
		2522	.Op Fl text
		2523	.Op Fl conv_form Ar arg
		2524	.Op Fl engine Ar id
		2525	.Op Fl in Ar filename
		2526	.Op Fl inform Ar PEM\|DER
		2527	.Op Fl out Ar filename
		2528	.Op Fl outform Ar PEM\|DER
		2529	.Op Fl param_enc Ar arg
		2530	.Op Fl passin Ar arg
		2531	.Op Fl passout Ar arg
		2532	.Ek
		2533	.Pp
		2534	The
		2535	.Nm ec
		2536	command processes EC keys.
		2537	They can be converted between various
		2538	forms and their components printed out.
		2539	Note:
		2540	.Nm OpenSSL
		2541	uses the private key format specified in
		2542	.Dq SEC 1: Elliptic Curve Cryptography
		2543	.Pq Pa http://www.secg.org/ .
		2544	To convert an
		2545	.Nm OpenSSL
		2546	EC private key into the PKCS#8 private key format use the
		2547	.Nm pkcs8
		2548	command.
		2549	.Pp
		2550	The options are as follows:
		2551	.Bl -tag -width Ds
		2552	.It Fl conv_form
		2553	This specifies how the points on the elliptic curve are converted
		2554	into octet strings.
		2555	Possible values are:
		2556	.Cm compressed
		2557	(the default value),
		2558	.Cm uncompressed ,
		2559	and
		2560	.Cm hybrid .
		2561	For more information regarding
		2562	the point conversion forms please read the X9.62 standard.
		2563	Note:
		2564	Due to patent issues the
		2565	.Cm compressed
		2566	option is disabled by default for binary curves
		2567	and can be enabled by defining the preprocessor macro
		2568	.Ar OPENSSL_EC_BIN_PT_COMP
		2569	at compile time.
		2570	.It Fl des \| des3
		2571	These options encrypt the private key with the DES, triple DES, or
		2572	any other cipher supported by
		2573	.Nm OpenSSL
		2574	before outputting it.
		2575	A pass phrase is prompted for.
		2576	If none of these options is specified the key is written in plain text.
		2577	This means that using the
		2578	.Nm ec
		2579	utility to read in an encrypted key with no
		2580	encryption option can be used to remove the pass phrase from a key,
		2581	or by setting the encryption options
		2582	it can be use to add or change the pass phrase.
		2583	These options can only be used with PEM format output files.
		2584	.It Fl engine Ar id
		2585	Specifying an engine (by its unique
		2586	.Ar id
		2587	string) will cause
		2588	.Nm ec
		2589	to attempt to obtain a functional reference to the specified engine,
		2590	thus initialising it if needed.
		2591	The engine will then be set as the default
		2592	for all available algorithms.
		2593	.It Fl in Ar filename
		2594	This specifies the input filename to read a key from,
		2595	or standard input if this option is not specified.
		2596	If the key is encrypted a pass phrase will be prompted for.
		2597	.It Fl inform Ar DER \| PEM
		2598	This specifies the input format.
		2599	DER with a private key uses
		2600	an ASN.1 DER-encoded SEC1 private key.
		2601	When used with a public key it
		2602	uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
		2603	PEM is the default format:
		2604	it consists of the DER format base64
		2605	encoded with additional header and footer lines.
		2606	In the case of a private key
		2607	PKCS#8 format is also accepted.
		2608	.It Fl noout
		2609	Prevents output of the encoded version of the key.
		2610	.It Fl out Ar filename
		2611	Specifies the output filename to write a key to,
		2612	or standard output if none is specified.
		2613	If any encryption options are set then a pass phrase will be prompted for.
		2614	The output filename should
		2615	.Em not
		2616	be the same as the input filename.
		2617	.It Fl outform Ar DER \| PEM
		2618	This specifies the output format.
		2619	The options have the same meaning as the
		2620	.Fl inform
		2621	option.
		2622	.It Fl param_enc Ar arg
		2623	This specifies how the elliptic curve parameters are encoded.
		2624	Possible value are:
		2625	.Cm named_curve ,
		2626	i.e. the EC parameters are specified by an OID; or
		2627	.Cm explicit ,
		2628	where the EC parameters are explicitly given
		2629	(see RFC 3279 for the definition of the EC parameter structures).
		2630	The default value is
		2631	.Cm named_curve .
		2632	Note: the
		2633	.Cm implicitlyCA
		2634	alternative,
		2635	as specified in RFC 3279,
		2636	is currently not implemented in
		2637	.Nm OpenSSL .
		2638	.It Fl passin Ar arg
		2639	The input file password source.
		2640	For more information about the format of
		2641	.Ar arg ,
		2642	see the
		2643	.Sx PASS PHRASE ARGUMENTS
		2644	section above.
		2645	.It Fl passout Ar arg
		2646	The output file password source.
		2647	For more information about the format of
		2648	.Ar arg ,
		2649	see the
		2650	.Sx PASS PHRASE ARGUMENTS
		2651	section above.
		2652	.It Fl pubin
		2653	By default a private key is read from the input file;
		2654	with this option a public key is read instead.
		2655	.It Fl pubout
		2656	By default a private key is output;
		2657	with this option a public key is output instead.
		2658	This option is automatically set if the input is a public key.
		2659	.It Fl text
		2660	Prints out the public/private key components and parameters.
		2661	.El
		2662	.Sh EC NOTES
		2663	The PEM private key format uses the header and footer lines:
		2664	.Bd -literal -offset indent
		2665	-----BEGIN EC PRIVATE KEY-----
		2666	-----END EC PRIVATE KEY-----
		2667	.Ed
		2668	.Pp
		2669	The PEM public key format uses the header and footer lines:
		2670	.Bd -literal -offset indent
		2671	-----BEGIN PUBLIC KEY-----
		2672	-----END PUBLIC KEY-----
		2673	.Ed
		2674	.Sh EC EXAMPLES
		2675	To encrypt a private key using triple DES:
		2676	.Bd -literal -offset indent
		2677	$ openssl ec -in key.pem -des3 -out keyout.pem
		2678	.Ed
		2679	.Pp
		2680	To convert a private key from PEM to DER format:
		2681	.Bd -literal -offset indent
		2682	$ openssl ec -in key.pem -outform DER -out keyout.der
		2683	.Ed
		2684	.Pp
		2685	To print out the components of a private key to standard output:
		2686	.Bd -literal -offset indent
		2687	$ openssl ec -in key.pem -text -noout
		2688	.Ed
		2689	.Pp
		2690	To just output the public part of a private key:
		2691	.Bd -literal -offset indent
		2692	$ openssl ec -in key.pem -pubout -out pubkey.pem
		2693	.Ed
		2694	.Pp
		2695	To change the parameter encoding to
		2696	.Cm explicit :
		2697	.Bd -literal -offset indent
		2698	$ openssl ec -in key.pem -param_enc explicit -out keyout.pem
		2699	.Ed
		2700	.Pp
		2701	To change the point conversion form to
		2702	.Cm compressed :
		2703	.Bd -literal -offset indent
		2704	$ openssl ec -in key.pem -conv_form compressed -out keyout.pem
		2705	.Ed
		2706	.Sh EC HISTORY
		2707	The
		2708	.Nm ec
		2709	command was first introduced in
		2710	.Nm OpenSSL
		2711	0.9.8.
		2712	.Sh EC AUTHORS
		2713	.An Nils Larsch .
		2714	.\"
2509	.\" ENC	2715	.\" ENC
2510	.\"	2716	.\"
2511	.Sh ENC	2717	.Sh ENC
@@ -2632,7 +2838,7 @@ option.
2632	.It Fl md Ar digest	2838	.It Fl md Ar digest
2633	Use	2839	Use
2634	.Ar digest	2840	.Ar digest
2635	to create a key from a passphrase.	2841	to create a key from a pass phrase.
2636	.Ar digest	2842	.Ar digest
2637	may be one of	2843	may be one of
2638	.Dq md2 ,	2844	.Dq md2 ,