=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/openssl.1,v retrieving revision 1.72 retrieving revision 1.73 diff -c -r1.72 -r1.73 *** src/usr.bin/openssl/openssl.1 2016/09/15 17:49:03 1.72 --- src/usr.bin/openssl/openssl.1 2016/09/15 20:54:28 1.73 *************** *** 1,4 **** ! .\" $OpenBSD: openssl.1,v 1.72 2016/09/15 17:49:03 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" --- 1,4 ---- ! .\" $OpenBSD: openssl.1,v 1.73 2016/09/15 20:54:28 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" *************** *** 4946,4958 **** only the signing certificate identifier is included. The default is no. .El - .\" - .\" SPKAC - .\" .Sh SPKAC .nr nS 1 .Nm "openssl spkac" - .Bk -words .Op Fl challenge Ar string .Op Fl in Ar file .Op Fl key Ar keyfile --- 4946,4954 ---- *************** *** 4963,4987 **** .Op Fl spkac Ar spkacname .Op Fl spksect Ar section .Op Fl verify - .Ek .nr nS 0 .Pp The .Nm spkac ! command processes Netscape signed public key and challenge ! .Pq SPKAC ! files. It can print out their contents, verify the signature, and produce its own SPKACs from a supplied private key. .Pp The options are as follows: .Bl -tag -width Ds .It Fl challenge Ar string ! Specifies the challenge string if an SPKAC is being created. .It Fl in Ar file ! This specifies the input ! .Ar file ! to read from, or standard input if this option is not specified. Ignored if the .Fl key option is used. --- 4959,4979 ---- .Op Fl spkac Ar spkacname .Op Fl spksect Ar section .Op Fl verify .nr nS 0 .Pp The .Nm spkac ! command processes signed public key and challenge (SPKAC) files. It can print out their contents, verify the signature, and produce its own SPKACs from a supplied private key. 
.Pp The options are as follows: .Bl -tag -width Ds .It Fl challenge Ar string ! The challenge string, if an SPKAC is being created. .It Fl in Ar file ! The input file to read from, ! or standard input if not specified. Ignored if the .Fl key option is used. *************** *** 4992,5065 **** .Fl in , noout , spksect , and .Fl verify ! options are ignored if present. .It Fl noout ! Don't output the text version of the SPKAC ! .Pq not used if an SPKAC is being created . .It Fl out Ar file ! Specifies the output ! .Ar file ! to write to, or standard output by default. .It Fl passin Ar arg The key password source. .It Fl pubkey ! Output the public key of an SPKAC ! .Pq not used if an SPKAC is being created . .It Fl spkac Ar spkacname ! Allows an alternative name for the variable containing the SPKAC. The default is "SPKAC". This option affects both generated and input SPKAC files. .It Fl spksect Ar section ! Allows an alternative name for the .Ar section containing the SPKAC. - The default is the default section. .It Fl verify ! Verifies the digital signature on the supplied SPKAC. .El - .Sh SPKAC EXAMPLES - Print out the contents of an SPKAC: - .Pp - .Dl $ openssl spkac -in spkac.cnf - .Pp - Verify the signature of an SPKAC: - .Pp - .Dl $ openssl spkac -in spkac.cnf -noout -verify - .Pp - Create an SPKAC using the challenge string - .Qq hello : - .Pp - .Dl $ openssl spkac -key key.pem -challenge hello -out spkac.cnf - .Pp - Example of an SPKAC, - .Pq long lines split up for clarity : - .Bd -unfilled -offset indent - SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e - PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e - PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e - 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e - 4= - .Ed - .Sh SPKAC NOTES - A created SPKAC with suitable DN components appended can be fed into - the - .Nm ca - utility. 
- .Pp - SPKACs are typically generated by Netscape when a form is submitted - containing the - .Em KEYGEN - tag as part of the certificate enrollment process. - .Pp - The challenge string permits a primitive form of proof of possession - of private key. - By checking the SPKAC signature and a random challenge - string, some guarantee is given that the user knows the private key - corresponding to the public key being certified. - This is important in some applications. - Without this it is possible for a previous SPKAC - to be used in a - .Qq replay attack . .\" .\" VERIFY .\" --- 4984,5010 ---- .Fl in , noout , spksect , and .Fl verify ! options are ignored, if present. .It Fl noout ! Do not output the text version of the SPKAC. .It Fl out Ar file ! The output file to write to, ! or standard output if not specified. .It Fl passin Ar arg The key password source. .It Fl pubkey ! Output the public key of an SPKAC. .It Fl spkac Ar spkacname ! An alternative name for the variable containing the SPKAC. The default is "SPKAC". This option affects both generated and input SPKAC files. .It Fl spksect Ar section ! An alternative name for the .Ar section containing the SPKAC. .It Fl verify ! Verify the digital signature on the supplied SPKAC. .El .\" .\" VERIFY .\"
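Review bot: In the hunk at 4963, the description drops "Netscape" from "Netscape signed public key and challenge" with nothing in its place, and the following hunk also deletes the paragraph about the KEYGEN tag, so the page no longer says where SPKAC files come from. Consider keeping a short clause on the format's origin in this sentence so a reader meeting an SPKAC file can place it.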
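Review bot: The hunk at 4992 deletes the SPKAC NOTES paragraph on the challenge string, the only text stating that checking the signature together with a random challenge gives proof of possession of the private key and that without it a previous SPKAC can be used in a replay attack. Suggest keeping one sentence to that effect, for example under the -challenge entry, since the new wording there ("The challenge string, if an SPKAC is being created.") gives no reason to set one. In the same hunk, -pubkey loses "not used if an SPKAC is being created" while the -key entry's ignored list names only -in, -noout, -spksect and -verify, so either add -pubkey to that list or keep the parenthetical. The -spksect entry also no longer states its default.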