=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/openssl.1,v retrieving revision 1.46 retrieving revision 1.47 diff -u -r1.46 -r1.47 --- src/usr.bin/openssl/openssl.1 2016/08/08 18:13:51 1.46 +++ src/usr.bin/openssl/openssl.1 2016/08/09 17:07:33 1.47 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.46 2016/08/08 18:13:51 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.47 2016/08/09 17:07:33 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -112,7 +112,7 @@ .\" .\" OPENSSL .\" -.Dd $Mdocdate: August 8 2016 $ +.Dd $Mdocdate: August 9 2016 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -1427,21 +1427,17 @@ .Ar numbits . If this option is included, the input file is ignored. .El -.\" -.\" EC -.\" .Sh EC .nr nS 1 .Nm "openssl ec" -.Bk -words .Op Fl conv_form Ar arg .Op Fl des .Op Fl des3 .Op Fl in Ar file -.Op Fl inform Ar DER | PEM +.Op Fl inform Cm der | pem .Op Fl noout .Op Fl out Ar file -.Op Fl outform Ar DER | PEM +.Op Fl outform Cm der | pem .Op Fl param_enc Ar arg .Op Fl param_out .Op Fl passin Ar arg @@ -1449,7 +1445,6 @@ .Op Fl pubin .Op Fl pubout .Op Fl text -.Ek .nr nS 0 .Pp The 
@@ -1457,42 +1452,51 @@ command processes EC keys. They can be converted between various forms and their components printed out. -Note: -.Nm OpenSSL +.Nm openssl uses the private key format specified in .Dq SEC 1: Elliptic Curve Cryptography .Pq Lk http://www.secg.org/ . To convert an -.Nm OpenSSL EC private key into the PKCS#8 private key format use the .Nm pkcs8 command. .Pp +The PEM private key format uses the header and footer lines: +.Bd -literal -offset indent +-----BEGIN EC PRIVATE KEY----- +-----END EC PRIVATE KEY----- +.Ed +.Pp +The PEM public key format uses the header and footer lines: +.Bd -literal -offset indent +-----BEGIN PUBLIC KEY----- +-----END PUBLIC KEY----- +.Ed +.Pp The options are as follows: .Bl -tag -width Ds .It Fl conv_form Ar arg -This specifies how the points on the elliptic curve are converted +Specify how the points on the elliptic curve are converted into octet strings. Possible values are: .Cm compressed -(the default value), +(the default), .Cm uncompressed , and .Cm hybrid . For more information regarding -the point conversion forms please read the X9.62 standard. +the point conversion forms see the X9.62 standard. Note: Due to patent issues the .Cm compressed option is disabled by default for binary curves and can be enabled by defining the preprocessor macro -.Ar OPENSSL_EC_BIN_PT_COMP +.Dv OPENSSL_EC_BIN_PT_COMP at compile time. .It Fl des | des3 -These options encrypt the private key with the DES, triple DES, or +Encrypt the private key with DES, triple DES, or any other cipher supported by -.Nm OpenSSL -before outputting it. +.Nm openssl . A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that using the 
@@ -1503,36 +1507,32 @@ it can be use to add or change the pass phrase. These options can only be used with PEM format output files. .It Fl in Ar file -This specifies the input filename to read a key from, -or standard input if this option is not specified. +The input file to read a key from, +or standard input if not specified. If the key is encrypted a pass phrase will be prompted for. -.It Fl inform Ar DER | PEM -This specifies the input format. -DER with a private key uses +.It Fl inform Cm der | pem +The input format. +.Cm der +with a private key uses an ASN.1 DER-encoded SEC1 private key. When used with a public key it uses the SubjectPublicKeyInfo structure as specified in RFC 3280. -PEM is the default format: +.Cm pem +is the default format: it consists of the DER format base64 encoded with additional header and footer lines. In the case of a private key PKCS#8 format is also accepted. .It Fl noout -Prevents output of the encoded version of the key. +Do not output the encoded version of the key. .It Fl out Ar file -Specifies the output filename to write a key to, -or standard output if none is specified. +The output filename to write to, +or standard output if not specified. If any encryption options are set then a pass phrase will be prompted for. -The output filename should -.Em not -be the same as the input filename. -.It Fl outform Ar DER | PEM -This specifies the output format. -The options have the same meaning as the -.Fl inform -option. +.It Fl outform Cm der | pem +The output format. .It Fl param_enc Ar arg -This specifies how the elliptic curve parameters are encoded. +Specify how the elliptic curve parameters are encoded. Possible value are: .Cm named_curve , i.e. the EC parameters are specified by an OID; or @@ -1545,8 +1545,7 @@ .Cm implicitlyCA alternative, as specified in RFC 3279, -is currently not implemented in -.Nm OpenSSL . +is currently not implemented. .It Fl passin Ar arg The key password source. .It Fl passout Ar arg 
@@ -1559,60 +1558,8 @@ with this option a public key is output instead. This option is automatically set if the input is a public key. .It Fl text -Prints out the public/private key components and parameters. +Print out the public/private key components and parameters. .El -.Sh EC NOTES -The PEM private key format uses the header and footer lines: -.Bd -literal -offset indent ------BEGIN EC PRIVATE KEY----- ------END EC PRIVATE KEY----- -.Ed -.Pp -The PEM public key format uses the header and footer lines: -.Bd -literal -offset indent ------BEGIN PUBLIC KEY----- ------END PUBLIC KEY----- -.Ed -.Sh EC EXAMPLES -To encrypt a private key using triple DES: -.Bd -literal -offset indent -$ openssl ec -in key.pem -des3 -out keyout.pem -.Ed -.Pp -To convert a private key from PEM to DER format: -.Bd -literal -offset indent -$ openssl ec -in key.pem -outform DER -out keyout.der -.Ed -.Pp -To print out the components of a private key to standard output: -.Bd -literal -offset indent -$ openssl ec -in key.pem -text -noout -.Ed -.Pp -To just output the public part of a private key: -.Bd -literal -offset indent -$ openssl ec -in key.pem -pubout -out pubkey.pem -.Ed -.Pp -To change the parameter encoding to -.Cm explicit : -.Bd -literal -offset indent -$ openssl ec -in key.pem -param_enc explicit -out keyout.pem -.Ed -.Pp -To change the point conversion form to -.Cm compressed : -.Bd -literal -offset indent -$ openssl ec -in key.pem -conv_form compressed -out keyout.pem -.Ed -.Sh EC HISTORY -The -.Nm ec -command was first introduced in -.Nm OpenSSL -0.9.8. -.Sh EC AUTHORS -.An Nils Larsch . .\" .\" ECPARAM .\"
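Review bot: In the EC synopsis hunk (@@ -1427,21 +1427,17 @@), `-inform` and `-outform` change from `.Ar DER | PEM` to `.Cm der | pem`, which alters the documented spelling of the keyword as well as the macro. The examples removed further down in this patch used `-outform DER`, so please confirm the lower-case spelling is accepted by the command, and say so in the option text if both cases work.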
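Review bot: In the `-conv_form` entry (@@ -1457,42 +1452,51 @@), `compressed` is still labelled "(the default)" while the note that follows says the option is disabled by default for binary curves. Since the paragraph is being reworded anyway, state which form is used for binary curves when `-conv_form` is not given. In the same hunk, the `-des | des3` entry keeps "or any other cipher supported by" although the synopsis lists only `-des` and `-des3`; either say how another cipher is selected or drop the phrase.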
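Review bot: The `-out` entry (@@ -1503,36 +1507,32 @@) loses the sentence "The output filename should not be the same as the input filename" with no replacement. For a command that rewrites private keys, that caveat protects against clobbering the only copy of a key, so I would keep it in shortened form unless it is stated once elsewhere in the page. Two typos in the unchanged context of this hunk could be fixed in the same pass: "it can be use to add or change the pass phrase" and "Possible value are:".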
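Review bot: The last hunk (@@ -1559,60 +1558,8 @@) moves the EC NOTES text up but deletes EC EXAMPLES, EC HISTORY and EC AUTHORS outright. The `-des3` and `-pubout` examples were the only worked illustration of encrypting a private key and of extracting the public part, which matters given the option text says the key is written in plain text when no cipher is given; consider keeping those two. Please also check that the "first introduced in OpenSSL 0.9.8" statement and the `.An Nils Larsch` attribution survive in the page-level HISTORY and AUTHORS sections, since nothing in this diff re-adds them.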