=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/openssl.1,v retrieving revision 1.72 retrieving revision 1.73 diff -u -r1.72 -r1.73 --- src/usr.bin/openssl/openssl.1 2016/09/15 17:49:03 1.72 +++ src/usr.bin/openssl/openssl.1 2016/09/15 20:54:28 1.73 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.72 2016/09/15 17:49:03 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.73 2016/09/15 20:54:28 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -4946,13 +4946,9 @@ only the signing certificate identifier is included. The default is no. .El -.\" -.\" SPKAC -.\" .Sh SPKAC .nr nS 1 .Nm "openssl spkac" -.Bk -words .Op Fl challenge Ar string .Op Fl in Ar file .Op Fl key Ar keyfile @@ -4963,25 +4959,21 @@ .Op Fl spkac Ar spkacname .Op Fl spksect Ar section .Op Fl verify -.Ek .nr nS 0 .Pp The .Nm spkac -command processes Netscape signed public key and challenge -.Pq SPKAC -files. +command processes signed public key and challenge (SPKAC) files. It can print out their contents, verify the signature, and produce its own SPKACs from a supplied private key. .Pp The options are as follows: .Bl -tag -width Ds .It Fl challenge Ar string -Specifies the challenge string if an SPKAC is being created. +The challenge string, if an SPKAC is being created. .It Fl in Ar file -This specifies the input -.Ar file -to read from, or standard input if this option is not specified. +The input file to read from, +or standard input if not specified. Ignored if the .Fl key option is used. 
@@ -4992,74 +4984,27 @@ .Fl in , noout , spksect , and .Fl verify -options are ignored if present. +options are ignored, if present. .It Fl noout -Don't output the text version of the SPKAC -.Pq not used if an SPKAC is being created . +Do not output the text version of the SPKAC. .It Fl out Ar file -Specifies the output -.Ar file -to write to, or standard output by default. +The output file to write to, +or standard output if not specified. .It Fl passin Ar arg The key password source. .It Fl pubkey -Output the public key of an SPKAC -.Pq not used if an SPKAC is being created . +Output the public key of an SPKAC. .It Fl spkac Ar spkacname -Allows an alternative name for the variable containing the SPKAC. +An alternative name for the variable containing the SPKAC. The default is "SPKAC". This option affects both generated and input SPKAC files. .It Fl spksect Ar section -Allows an alternative name for the +An alternative name for the .Ar section containing the SPKAC. -The default is the default section. .It Fl verify -Verifies the digital signature on the supplied SPKAC. +Verify the digital signature on the supplied SPKAC. .El -.Sh SPKAC EXAMPLES -Print out the contents of an SPKAC: -.Pp -.Dl $ openssl spkac -in spkac.cnf -.Pp -Verify the signature of an SPKAC: -.Pp -.Dl $ openssl spkac -in spkac.cnf -noout -verify -.Pp -Create an SPKAC using the challenge string -.Qq hello : -.Pp -.Dl $ openssl spkac -key key.pem -challenge hello -out spkac.cnf -.Pp -Example of an SPKAC, -.Pq long lines split up for clarity : -.Bd -unfilled -offset indent -SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e -PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e -PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e -2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e -4= -.Ed -.Sh SPKAC NOTES -A created SPKAC with suitable DN components appended can be fed into -the -.Nm ca -utility. 
-.Pp -SPKACs are typically generated by Netscape when a form is submitted -containing the -.Em KEYGEN -tag as part of the certificate enrollment process. -.Pp -The challenge string permits a primitive form of proof of possession -of private key. -By checking the SPKAC signature and a random challenge -string, some guarantee is given that the user knows the private key -corresponding to the public key being certified. -This is important in some applications. -Without this it is possible for a previous SPKAC -to be used in a -.Qq replay attack . .\" .\" VERIFY .\"
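Review bot: In the @@ -4963,25 +4959,21 @@ hunk, the reworded .It Fl challenge entry ("The challenge string, if an SPKAC is being created.") does not say what the string is for. It is now the only description of the challenge on the page, because the SPKAC NOTES section is deleted further down in this patch. Suggest carrying one sentence over from the removed notes, to the effect that checking the SPKAC signature together with a random challenge string gives some proof of possession of the private key, and that without it a previous SPKAC can be replayed.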
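Review bot: In the @@ -4992,74 +4984,27 @@ hunk, dropping ".Pq not used if an SPKAC is being created" from .It Fl pubkey leaves that behaviour undocumented. The retained .Fl key text lists only -in, -noout, -spksect and -verify as ignored, so either add -pubkey to that list or keep its caveat. The same hunk removes "The default is the default section." from .It Fl spksect while .It Fl spkac keeps 'The default is "SPKAC"', so the two entries are now inconsistent about stating defaults. Deleting SPKAC EXAMPLES also removes the only sample invocations for printing, verifying and creating an SPKAC. Consider keeping the three .Dl lines and dropping only the base64 sample.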