Diff for /src/usr.bin/openssl/openssl.1 between version 1.61 and 1.62

version 1.61, 2016/08/24 08:17:24 version 1.62, 2016/08/25 14:37:28
Line 2939 
Line 2939 
 .It Fl text  .It Fl text
 Print the parameters in plain text, in addition to the encoded version.  Print the parameters in plain text, in addition to the encoded version.
 .El  .El
 .\"  
 .\" PKEYUTL  
 .\"  
 .Sh PKEYUTL  .Sh PKEYUTL
 .nr nS 1  .nr nS 1
 .Nm "openssl pkeyutl"  .Nm "openssl pkeyutl"
 .Bk -words  
 .Op Fl asn1parse  .Op Fl asn1parse
 .Op Fl certin  .Op Fl certin
 .Op Fl decrypt  .Op Fl decrypt
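Review bot: the `.\" PKEYUTL` banner comment above `.Sh PKEYUTL` is deleted here, while the matching `.\" PRIME` banner at the end of this diff is kept on both sides, so the file ends up with section banners on some commands and not others. Either drop the banners for every section in one pass or leave this one in place until that sweep happens.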
Line 2954 
Line 2950 
 .Op Fl hexdump  .Op Fl hexdump
 .Op Fl in Ar file  .Op Fl in Ar file
 .Op Fl inkey Ar file  .Op Fl inkey Ar file
 .Op Fl keyform Ar DER | PEM  .Op Fl keyform Cm der | pem
 .Op Fl out Ar file  .Op Fl out Ar file
 .Op Fl passin Ar arg  .Op Fl passin Ar arg
 .Op Fl peerform Ar DER | PEM  .Op Fl peerform Cm der | pem
 .Op Fl peerkey Ar file  .Op Fl peerkey Ar file
 .Op Fl pkeyopt Ar opt : Ns Ar value  .Op Fl pkeyopt Ar opt : Ns Ar value
 .Op Fl pubin  .Op Fl pubin
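Review bot: on the `-keyform` and `-peerform` lines, `Ar DER | PEM` becoming `Cm der | pem` changes two things at once: the values go from placeholder markup to literal keywords, and the spelling goes from upper to lower case. The manual now tells users to type `der` or `pem`, so confirm that pkeyutl accepts the lowercase spellings, and say in the commit message whether the upper-case forms still work for anyone who scripted against the old text.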
Line 2966 
Line 2962 
 .Op Fl sign  .Op Fl sign
 .Op Fl verify  .Op Fl verify
 .Op Fl verifyrecover  .Op Fl verifyrecover
 .Ek  
 .nr nS 0  .nr nS 0
 .Pp  .Pp
 The  The
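Review bot: the `.Ek` removed after `.Op Fl verifyrecover` pairs with the `.Bk -words` removed before `.Op Fl asn1parse`, so the synopsis is no longer inside a keep block. Please check the rendered synopsis at 80 columns to confirm that option and argument pairs such as `.Op Fl pkeyopt Ar opt : Ns Ar value` are not split across lines.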
Line 2992 
Line 2987 
 .It Fl hexdump  .It Fl hexdump
 Hex dump the output data.  Hex dump the output data.
 .It Fl in Ar file  .It Fl in Ar file
 Specify the input filename to read data from,  The input file to read from,
 or standard input if this option is not specified.  or standard input if not specified.
 .It Fl inkey Ar file  .It Fl inkey Ar file
 The input key file.  The input key file.
 By default it should be a private key.  By default it should be a private key.
 .It Fl keyform Ar DER | PEM  .It Fl keyform Cm der | pem
 The key format DER or PEM.  The key format.
 .It Fl out Ar file  .It Fl out Ar file
 Specify the output filename to write to,  The output file to write to,
 or standard output by default.  or standard output if not specified.
 .It Fl passin Ar arg  .It Fl passin Ar arg
 The key password source.  The key password source.
 .It Fl peerform Ar DER | PEM  .It Fl peerform Cm der | pem
 The peer key format DER or PEM.  The peer key format.
 .It Fl peerkey Ar file  .It Fl peerkey Ar file
 The peer key file, used by key derivation (agreement) operations.  The peer key file, used by key derivation (agreement) operations.
 .It Fl pkeyopt Ar opt : Ns Ar value  .It Fl pkeyopt Ar opt : Ns Ar value
 Public key options.  Set the public key algorithm option
 .It Fl pubin  .Ar opt
 The input file is a public key.  to
 .It Fl rev  .Ar value .
 Reverse the order of the input buffer.  Unless otherwise mentioned, all algorithms support the format
 This is useful for some libraries (such as CryptoAPI)  .Ar digest : Ns Ar alg ,
 which represent the buffer in little endian format.  which specifies the digest to use
 .It Fl sigfile Ar file  
 Signature file (verify operation only).  
 .It Fl sign  
 Sign the input data and output the signed result.  
 This requires a private key.  
 .It Fl verify  
 Verify the input data against the signature file and indicate if the  
 verification succeeded or failed.  
 .It Fl verifyrecover  
 Verify the input data and output the recovered data.  
 .El  
 .Sh PKEYUTL NOTES  
 The operations and options supported vary according to the key algorithm  
 and its implementation.  
 The  
 .Nm OpenSSL  
 operations and options are indicated below.  
 .Pp  
 Unless otherwise mentioned all algorithms support the  
 .Ar digest : Ns Ar alg  
 option which specifies the digest in use  
 for sign, verify, and verifyrecover operations.  for sign, verify, and verifyrecover operations.
 The value  The value
 .Ar alg  .Ar alg
 should represent a digest name as used in the  should represent a digest name as used in the
 .Fn EVP_get_digestbyname  .Xr EVP_get_digestbyname 3
 function, for example  function.
 .Cm sha1 .  .Pp
 .Ss RSA algorithm  
 The RSA algorithm supports the  The RSA algorithm supports the
 encrypt, decrypt, sign, verify, and verifyrecover operations in general.  encrypt, decrypt, sign, verify, and verifyrecover operations in general.
 Some padding modes only support some of these  Some padding modes only support some of these
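Review bot: folding the PKEYUTL NOTES section into the `-pkeyopt` item drops the sentence that the supported operations and options vary according to the key algorithm and its implementation, and with `.Ss RSA algorithm` gone the RSA text now starts after a bare `.Pp` inside an option description. That caveat is what tells a reader not to assume a `-pkeyopt` value works for every key type, so keep it as the opening sentence of the item. Two smaller points in the new wording: "all algorithms support the format" would read better as "support the option", and the removed `sha1` example was the only illustration of what a valid `alg` name looks like.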
Line 3072 
Line 3045 
 If a digest is set then a DigestInfo  If a digest is set then a DigestInfo
 structure is used and its length  structure is used and its length
 must correspond to the digest type.  must correspond to the digest type.
 .Pp  
 For oeap mode only encryption and decryption is supported.  For oeap mode only encryption and decryption is supported.
 .Pp  
 For x931 if the digest type is set it is used to format the block data;  For x931 if the digest type is set it is used to format the block data;
 otherwise the first byte is used to specify the X9.31 digest ID.  otherwise the first byte is used to specify the X9.31 digest ID.
 Sign, verify, and verifyrecover can be performed in this mode.  Sign, verify, and verifyrecover can be performed in this mode.
 .Pp  
 For pss mode only sign and verify are supported and the digest type must be  For pss mode only sign and verify are supported and the digest type must be
 specified.  specified.
 .It rsa_pss_saltlen : Ns Ar len  .It rsa_pss_saltlen : Ns Ar len
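Review bot: "oeap" in the unchanged line "For oeap mode only encryption and decryption is supported." is a transposition of the padding mode name oaep and is carried through on both sides. Since this hunk edits the lines around it, fix the spelling here. Removing the three `.Pp` lines also runs the oaep, x931 and pss descriptions into one paragraph, which makes the per-mode restrictions harder to pick out; consider keeping the breaks or turning the modes into list items.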
Line 3090 
Line 3060 
 When verifying -2 causes the salt length to be automatically determined  When verifying -2 causes the salt length to be automatically determined
 based on the PSS block structure.  based on the PSS block structure.
 .El  .El
 .Ss DSA algorithm  .Pp
 The DSA algorithm supports the sign and verify operations.  The DSA algorithm supports the sign and verify operations.
 Currently there are no additional options other than  Currently there are no additional options other than
 .Ar digest .  .Ar digest .
 Only the SHA1 digest can be used and this digest is assumed by default.  Only the SHA1 digest can be used and this digest is assumed by default.
 .Ss DH algorithm  .Pp
 The DH algorithm supports the derive operation  The DH algorithm supports the derive operation
 and no additional options.  and no additional options.
 .Ss EC algorithm  .Pp
 The EC algorithm supports the sign, verify, and derive operations.  The EC algorithm supports the sign, verify, and derive operations.
 The sign and verify operations use ECDSA and derive uses ECDH.  The sign and verify operations use ECDSA and derive uses ECDH.
 Currently there are no additional options other than  Currently there are no additional options other than
 .Ar digest .  .Ar digest .
 Only the SHA1 digest can be used and this digest is assumed by default.  Only the SHA1 digest can be used and this digest is assumed by default.
 .Sh PKEYUTL EXAMPLES  .It Fl pubin
 Sign some data using a private key:  The input file is a public key.
 .Bd -literal -offset indent  .It Fl rev
 $ openssl pkeyutl -sign -in file -inkey key.pem -out sig  Reverse the order of the input buffer.
 .Ed  .It Fl sigfile Ar file
 .Pp  Signature file (verify operation only).
 Recover the signed data (e.g. if an RSA key is used):  .It Fl sign
 .Bd -literal -offset indent  Sign the input data and output the signed result.
 $ openssl pkeyutl -verifyrecover -in sig -inkey key.pem  This requires a private key.
 .Ed  .It Fl verify
 .Pp  Verify the input data against the signature file and indicate if the
 Verify the signature (e.g. a DSA key):  verification succeeded or failed.
 .Bd -literal -offset indent  .It Fl verifyrecover
 $ openssl pkeyutl -verify -in file -sigfile sig \e  Verify the input data and output the recovered data.
         -inkey key.pem  .El
 .Ed  
 .Pp  
 Sign data using a message digest value (this is currently only valid for RSA):  
 .Bd -literal -offset indent  
 $ openssl pkeyutl -sign -in file -inkey key.pem \e  
         -out sig -pkeyopt digest:sha256  
 .Ed  
 .Pp  
 Derive a shared secret value:  
 .Bd -literal -offset indent  
 $ openssl pkeyutl -derive -inkey key.pem \e  
         -peerkey pubkey.pem -out secret  
 .Ed  
 .\"  .\"
 .\" PRIME  .\" PRIME
 .\"  .\"
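Review bot: the PKEYUTL EXAMPLES section is removed on the left with nothing added for it on the right, which loses the only place that showed `-verify` paired with `-sigfile` and `-derive` paired with `-peerkey`, and the remark that signing with `-pkeyopt digest:sha256` is currently only valid for RSA. If the examples are moving to a shared section, say so in the commit message; otherwise keep that RSA-only remark near the DSA and EC paragraphs, which still state that only the SHA1 digest can be used. Replacing `.Ss DSA algorithm`, `.Ss DH algorithm` and `.Ss EC algorithm` with `.Pp` also leaves the per-algorithm text without headings inside the `-pkeyopt` item.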
