remove openssl doc from prebuilt include/openssl

This commit is contained in:
Aaron Blakely 2024-03-13 07:00:49 -05:00
parent 11e588f8e6
commit 1087327d84
854 changed files with 0 additions and 121676 deletions

View File

@ -1,175 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>CA.pl</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#ENVIRONMENT">ENVIRONMENT</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>CA.pl - friendlier interface for OpenSSL certificate programs</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>CA.pl</b> <b>-?</b> | <b>-h</b> | <b>-help</b></p>
<p><b>CA.pl</b> <b>-newcert</b> | <b>-newreq</b> | <b>-newreq-nodes</b> | <b>-xsign</b> | <b>-sign</b> | <b>-signCA</b> | <b>-signcert</b> | <b>-crl</b> | <b>-newca</b> [<b>-extra-<i>cmd</i></b> <i>parameter</i>]</p>
<p><b>CA.pl</b> <b>-pkcs12</b> [<i>certname</i>]</p>
<p><b>CA.pl</b> <b>-verify</b> <i>certfile</i> ...</p>
<p><b>CA.pl</b> <b>-revoke</b> <i>certfile</i> [<i>reason</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The <b>CA.pl</b> script is a perl script that supplies the relevant command line arguments to the <a href="../man1/openssl.html">openssl(1)</a> command for some common certificate operations. It is intended to simplify the process of certificate creation and management by the use of some simple options.</p>
<p>The script is intended as a simple front end for the <a href="../man1/openssl.html">openssl(1)</a> program for use by a beginner. Its behaviour isn&#39;t always what is wanted. For more control over the behaviour of the certificate commands call the <a href="../man1/openssl.html">openssl(1)</a> command directly.</p>
<p>Most of the filenames mentioned below can be modified by editing the <b>CA.pl</b> script.</p>
<p>Under some environments it may not be possible to run the <b>CA.pl</b> script directly (for example Win32) and the default configuration file location may be wrong. In this case the command:</p>
<pre><code> perl -S CA.pl</code></pre>
<p>can be used and the <b>OPENSSL_CONF</b> environment variable can be set to point to the correct path of the configuration file.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="h--help"><b>-?</b>, <b>-h</b>, <b>-help</b></dt>
<dd>
<p>Prints a usage message.</p>
</dd>
<dt id="newcert"><b>-newcert</b></dt>
<dd>
<p>Creates a new self signed certificate. The private key is written to the file <i>newkey.pem</i> and the request written to the file <i>newreq.pem</i>. Invokes <a href="../man1/openssl-req.html">openssl-req(1)</a>.</p>
</dd>
<dt id="newreq"><b>-newreq</b></dt>
<dd>
<p>Creates a new certificate request. The private key is written to the file <i>newkey.pem</i> and the request written to the file <i>newreq.pem</i>. Executes <a href="../man1/openssl-req.html">openssl-req(1)</a> under the hood.</p>
</dd>
<dt id="newreq-nodes"><b>-newreq-nodes</b></dt>
<dd>
<p>Is like <b>-newreq</b> except that the private key will not be encrypted. Uses <a href="../man1/openssl-req.html">openssl-req(1)</a>.</p>
</dd>
<dt id="newca"><b>-newca</b></dt>
<dd>
<p>Creates a new CA hierarchy for use with the <b>ca</b> program (or the <b>-signcert</b> and <b>-xsign</b> options). The user is prompted to enter the filename of the CA certificates (which should also contain the private key) or by hitting ENTER details of the CA will be prompted for. The relevant files and directories are created in a directory called <i>demoCA</i> in the current directory. Uses <a href="../man1/openssl-req.html">openssl-req(1)</a> and <a href="../man1/openssl-ca.html">openssl-ca(1)</a>.</p>
<p>If the <i>demoCA</i> directory already exists then the <b>-newca</b> command will not overwrite it and will do nothing. This can happen if a previous call using the <b>-newca</b> option terminated abnormally. To get the correct behaviour delete the directory if it already exists.</p>
</dd>
<dt id="pkcs12"><b>-pkcs12</b></dt>
<dd>
<p>Create a PKCS#12 file containing the user certificate, private key and CA certificate. It expects the user certificate and private key to be in the file <i>newcert.pem</i> and the CA certificate to be in the file <i>demoCA/cacert.pem</i>, it creates a file <i>newcert.p12</i>. This command can thus be called after the <b>-sign</b> option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line it will be used as the &quot;friendly name&quot; for the certificate (which is typically displayed in the browser list box), otherwise the name &quot;My Certificate&quot; is used. Delegates work to <a href="../man1/openssl-pkcs12.html">openssl-pkcs12(1)</a>.</p>
</dd>
<dt id="sign--signcert--xsign"><b>-sign</b>, <b>-signcert</b>, <b>-xsign</b></dt>
<dd>
<p>Calls the <a href="../man1/openssl-ca.html">openssl-ca(1)</a> command to sign a certificate request. It expects the request to be in the file <i>newreq.pem</i>. The new certificate is written to the file <i>newcert.pem</i> except in the case of the <b>-xsign</b> option when it is written to standard output.</p>
</dd>
<dt id="signCA"><b>-signCA</b></dt>
<dd>
<p>This option is the same as the <b>-sign</b> option except it uses the configuration file section <b>v3_ca</b> and so makes the signed request a valid CA certificate. This is useful when creating intermediate CA from a root CA. Extra params are passed to <a href="../man1/openssl-ca.html">openssl-ca(1)</a>.</p>
</dd>
<dt id="signcert"><b>-signcert</b></dt>
<dd>
<p>This option is the same as <b>-sign</b> except it expects a self signed certificate to be present in the file <i>newreq.pem</i>. Extra params are passed to <a href="../man1/openssl-x509.html">openssl-x509(1)</a> and <a href="../man1/openssl-ca.html">openssl-ca(1)</a>.</p>
</dd>
<dt id="crl"><b>-crl</b></dt>
<dd>
<p>Generate a CRL. Executes <a href="../man1/openssl-ca.html">openssl-ca(1)</a>.</p>
</dd>
<dt id="revoke-certfile-reason"><b>-revoke</b> <i>certfile</i> [<i>reason</i>]</dt>
<dd>
<p>Revoke the certificate contained in the specified <b>certfile</b>. An optional reason may be specified, and must be one of: <b>unspecified</b>, <b>keyCompromise</b>, <b>CACompromise</b>, <b>affiliationChanged</b>, <b>superseded</b>, <b>cessationOfOperation</b>, <b>certificateHold</b>, or <b>removeFromCRL</b>. Leverages <a href="../man1/openssl-ca.html">openssl-ca(1)</a>.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verifies certificates against the CA certificate for <i>demoCA</i>. If no certificates are specified on the command line it tries to verify the file <i>newcert.pem</i>. Invokes <a href="../man1/openssl-verify.html">openssl-verify(1)</a>.</p>
</dd>
<dt id="extra-cmd-parameter"><b>-extra-<i>cmd</i></b> <i>parameter</i></dt>
<dd>
<p>For each option <b>extra-<i>cmd</i></b>, pass <i>parameter</i> to the <a href="../man1/openssl.html">openssl(1)</a> sub-command with the same name as <i>cmd</i>, if that sub-command is invoked. For example, if <a href="../man1/openssl-req.html">openssl-req(1)</a> is invoked, the <i>parameter</i> given with <b>-extra-req</b> will be passed to it. For multi-word parameters, either repeat the option or quote the <i>parameters</i> so it looks like one word to your shell. See the individual command documentation for more information.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Create a CA hierarchy:</p>
<pre><code> CA.pl -newca</code></pre>
<p>Complete certificate creation example: create a CA, create a request, sign the request and finally create a PKCS#12 file containing it.</p>
<pre><code> CA.pl -newca
CA.pl -newreq
CA.pl -sign
CA.pl -pkcs12 &quot;My Test Certificate&quot;</code></pre>
<h1 id="ENVIRONMENT">ENVIRONMENT</h1>
<p>The environment variable <b>OPENSSL</b> may be used to specify the name of the OpenSSL program. It can be a full pathname, or a relative one.</p>
<p>The environment variable <b>OPENSSL_CONFIG</b> may be used to specify a configuration option and value to the <b>req</b> and <b>ca</b> commands invoked by this script. It&#39;s value should be the option and pathname, as in <code>-config /path/to/conf-file</code>.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-x509.html">openssl-x509(1)</a>, <a href="../man1/openssl-ca.html">openssl-ca(1)</a>, <a href="../man1/openssl-req.html">openssl-req(1)</a>, <a href="../man1/openssl-pkcs12.html">openssl-pkcs12(1)</a>, <a href="../man5/config.html">config(5)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
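Review bot: the COPYRIGHT section at the end of this deleted file is the only place in the hunk where the license of the vendored OpenSSL material is stated (Apache License 2.0, with a pointer to the LICENSE file of the source distribution), so the tree under include/openssl should still carry that LICENSE file after this commit; Apache 2.0 requires the notice to travel with redistributed copies even when the documentation is stripped. The hunk header `@ -1,175 +0,0 @@` shows a whole-file deletion whose path is not rendered here; the page title is CA.pl and every link in it is relative (`../man1/openssl.html`, `../man5/config.html`), so the removal only stays clean if the whole generated HTML tree goes with it, which the 854-file count suggests but is worth confirming against any surviving index page or directory listing.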

View File

@ -1,229 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-asn1parse</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#Output">Output</a></li>
</ul>
</li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-asn1parse - ASN.1 parsing command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>asn1parse</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>B64</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-noout</b>] [<b>-offset</b> <i>number</i>] [<b>-length</b> <i>number</i>] [<b>-i</b>] [<b>-oid</b> <i>filename</i>] [<b>-dump</b>] [<b>-dlimit</b> <i>num</i>] [<b>-strparse</b> <i>offset</i>] [<b>-genstr</b> <i>string</i>] [<b>-genconf</b> <i>file</i>] [<b>-strictpem</b>] [<b>-item</b> <i>name</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is a diagnostic utility that can parse ASN.1 structures. It can also be used to extract data from ASN.1 formatted data.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM-B64"><b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>B64</b></dt>
<dd>
<p>The input format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>The input file, default is standard input.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Output file to place the DER encoded data into. If this option is not present then no data will be output. This is most useful when combined with the <b>-strparse</b> option.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>Don&#39;t output the parsed version of the input file.</p>
</dd>
<dt id="offset-number"><b>-offset</b> <i>number</i></dt>
<dd>
<p>Starting offset to begin parsing, default is start of file.</p>
</dd>
<dt id="length-number"><b>-length</b> <i>number</i></dt>
<dd>
<p>Number of bytes to parse, default is until end of file.</p>
</dd>
<dt id="i"><b>-i</b></dt>
<dd>
<p>Indents the output according to the &quot;depth&quot; of the structures.</p>
</dd>
<dt id="oid-filename"><b>-oid</b> <i>filename</i></dt>
<dd>
<p>A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this file is described in the NOTES section below.</p>
</dd>
<dt id="dump"><b>-dump</b></dt>
<dd>
<p>Dump unknown data in hex format.</p>
</dd>
<dt id="dlimit-num"><b>-dlimit</b> <i>num</i></dt>
<dd>
<p>Like <b>-dump</b>, but only the first <b>num</b> bytes are output.</p>
</dd>
<dt id="strparse-offset"><b>-strparse</b> <i>offset</i></dt>
<dd>
<p>Parse the contents octets of the ASN.1 object starting at <b>offset</b>. This option can be used multiple times to &quot;drill down&quot; into a nested structure.</p>
</dd>
<dt id="genstr-string--genconf-file"><b>-genstr</b> <i>string</i>, <b>-genconf</b> <i>file</i></dt>
<dd>
<p>Generate encoded data based on <i>string</i>, <i>file</i> or both using <a href="../man3/ASN1_generate_nconf.html">ASN1_generate_nconf(3)</a> format. If <i>file</i> only is present then the string is obtained from the default section using the name <b>asn1</b>. The encoded data is passed through the ASN1 parser and printed out as though it came from a file, the contents can thus be examined and written to a file using the <b>-out</b> option.</p>
</dd>
<dt id="strictpem"><b>-strictpem</b></dt>
<dd>
<p>If this option is used then <b>-inform</b> will be ignored. Without this option any data in a PEM format input file will be treated as being base64 encoded and processed whether it has the normal PEM BEGIN and END markers or not. This option will ignore any data prior to the start of the BEGIN marker, or after an END marker in a PEM file.</p>
</dd>
<dt id="item-name"><b>-item</b> <i>name</i></dt>
<dd>
<p>Attempt to decode and print the data as an <b>ASN1_ITEM</b> <i>name</i>. This can be used to print out the fields of any supported ASN.1 structure if the type is known.</p>
</dd>
</dl>
<h2 id="Output">Output</h2>
<p>The output will typically contain lines like this:</p>
<pre><code> 0:d=0 hl=4 l= 681 cons: SEQUENCE</code></pre>
<p>.....</p>
<pre><code> 229:d=3 hl=3 l= 141 prim: BIT STRING
373:d=2 hl=3 l= 162 cons: cont [ 3 ]
376:d=3 hl=3 l= 159 cons: SEQUENCE
379:d=4 hl=2 l= 29 cons: SEQUENCE
381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
386:d=5 hl=2 l= 22 prim: OCTET STRING
410:d=4 hl=2 l= 112 cons: SEQUENCE
412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
417:d=5 hl=2 l= 105 prim: OCTET STRING
524:d=4 hl=2 l= 12 cons: SEQUENCE</code></pre>
<p>.....</p>
<p>This example is part of a self-signed certificate. Each line starts with the offset in decimal. <code>d=XX</code> specifies the current depth. The depth is increased within the scope of any SET or SEQUENCE. <code>hl=XX</code> gives the header length (tag and length octets) of the current type. <code>l=XX</code> gives the length of the contents octets.</p>
<p>The <b>-i</b> option can be used to make the output more readable.</p>
<p>Some knowledge of the ASN.1 structure is needed to interpret the output.</p>
<p>In this example the BIT STRING at offset 229 is the certificate public key. The contents octets of this will contain the public key information. This can be examined using the option <code>-strparse 229</code> to yield:</p>
<pre><code> 0:d=0 hl=3 l= 137 cons: SEQUENCE
3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
135:d=1 hl=2 l= 3 prim: INTEGER :010001</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>If an OID is not part of OpenSSL&#39;s internal table it will be represented in numerical form (for example 1.2.3.4). The file passed to the <b>-oid</b> option allows additional OIDs to be included. Each line consists of three columns, the first column is the OID in numerical format and should be followed by white space. The second column is the &quot;short name&quot; which is a single word followed by whitespace. The final column is the rest of the line and is the &quot;long name&quot;. Example:</p>
<p><code>1.2.3.4 shortName A long name</code></p>
<p>For any OID with an associated short and long name, this command will display the long name.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Parse a file:</p>
<pre><code> openssl asn1parse -in file.pem</code></pre>
<p>Parse a DER file:</p>
<pre><code> openssl asn1parse -inform DER -in file.der</code></pre>
<p>Generate a simple UTF8String:</p>
<pre><code> openssl asn1parse -genstr &#39;UTF8:Hello World&#39;</code></pre>
<p>Generate and write out a UTF8String, don&#39;t print parsed output:</p>
<pre><code> openssl asn1parse -genstr &#39;UTF8:Hello World&#39; -noout -out utf8.der</code></pre>
<p>Generate using a config file:</p>
<pre><code> openssl asn1parse -genconf asn1.cnf -noout -out asn1.der</code></pre>
<p>Example config file:</p>
<pre><code> asn1=SEQUENCE:seq_sect
[seq_sect]
field1=BOOL:TRUE
field2=EXP:0, UTF8:some random string</code></pre>
<h1 id="BUGS">BUGS</h1>
<p>There should be options to change the format of output lines. The output of some ASN.1 types is not well handled (if at all).</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man3/ASN1_generate_nconf.html">ASN1_generate_nconf(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
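Review bot: this deleted page links into the man3 tree (`../man3/ASN1_generate_nconf.html`) while the commit message only says the docs are removed from include/openssl; if man3 pages for the C API are kept anywhere else in the prebuilt tree, removing the man1 command pages leaves those SEE ALSO links dangling, so either the whole doc set should go (as the deletion count implies) or the commit message should say what is kept. A follow-up worth adding is a .gitignore pattern for the generated HTML so that the next vendoring of a prebuilt OpenSSL does not reintroduce roughly 120k lines of documentation under include/.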

View File

@ -1,749 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-ca</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#CRL-OPTIONS">CRL OPTIONS</a></li>
<li><a href="#CONFIGURATION-FILE-OPTIONS">CONFIGURATION FILE OPTIONS</a></li>
<li><a href="#POLICY-FORMAT">POLICY FORMAT</a></li>
<li><a href="#SPKAC-FORMAT">SPKAC FORMAT</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#FILES">FILES</a></li>
<li><a href="#RESTRICTIONS">RESTRICTIONS</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#WARNINGS">WARNINGS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-ca - sample minimal CA application</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>ca</b> [<b>-help</b>] [<b>-verbose</b>] [<b>-quiet</b>] [<b>-config</b> <i>filename</i>] [<b>-name</b> <i>section</i>] [<b>-section</b> <i>section</i>] [<b>-gencrl</b>] [<b>-revoke</b> <i>file</i>] [<b>-valid</b> <i>file</i>] [<b>-status</b> <i>serial</i>] [<b>-updatedb</b>] [<b>-crl_reason</b> <i>reason</i>] [<b>-crl_hold</b> <i>instruction</i>] [<b>-crl_compromise</b> <i>time</i>] [<b>-crl_CA_compromise</b> <i>time</i>] [<b>-crl_lastupdate</b> <i>date</i>] [<b>-crl_nextupdate</b> <i>date</i>] [<b>-crldays</b> <i>days</i>] [<b>-crlhours</b> <i>hours</i>] [<b>-crlsec</b> <i>seconds</i>] [<b>-crlexts</b> <i>section</i>] [<b>-startdate</b> <i>date</i>] [<b>-enddate</b> <i>date</i>] [<b>-days</b> <i>arg</i>] [<b>-md</b> <i>arg</i>] [<b>-policy</b> <i>arg</i>] [<b>-keyfile</b> <i>filename</i>|<i>uri</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-key</b> <i>arg</i>] [<b>-passin</b> <i>arg</i>] [<b>-cert</b> <i>file</i>] [<b>-certform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>] [<b>-selfsign</b>] [<b>-in</b> <i>file</i>] [<b>-inform</b> <b>DER</b>|&lt;PEM&gt;] [<b>-out</b> <i>file</i>] [<b>-notext</b>] [<b>-dateopt</b>] [<b>-outdir</b> <i>dir</i>] [<b>-infiles</b>] [<b>-spkac</b> <i>file</i>] [<b>-ss_cert</b> <i>file</i>] [<b>-preserveDN</b>] [<b>-noemailDN</b>] [<b>-batch</b>] [<b>-msie_hack</b>] [<b>-extensions</b> <i>section</i>] [<b>-extfile</b> <i>section</i>] [<b>-subj</b> <i>arg</i>] [<b>-utf8</b>] [<b>-sigopt</b> <i>nm</i>:<i>v</i>] [<b>-vfyopt</b> <i>nm</i>:<i>v</i>] [<b>-create_serial</b>] [<b>-rand_serial</b>] [<b>-multivalue-rdn</b>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>certreq</i>...]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command emulates a CA application. See the <b>WARNINGS</b> especially when considering to use it productively.</p>
<p>It generates certificates bearing X.509 version 3. Unless specified otherwise, key identifier extensions are included as described in <a href="../man5/x509v3_config.html">x509v3_config(5)</a>.</p>
<p>It can be used to sign certificate requests (CSRs) in a variety of forms and generate certificate revocation lists (CRLs). It also maintains a text database of issued certificates and their status. When signing certificates, a single request can be specified with the <b>-in</b> option, or multiple requests can be processed by specifying a set of <b>certreq</b> files after all options.</p>
<p>Note that there are also very lean ways of generating certificates: the <b>req</b> and <b>x509</b> commands can be used for directly creating certificates. See <a href="../man1/openssl-req.html">openssl-req(1)</a> and <a href="../man1/openssl-x509.html">openssl-x509(1)</a> for details.</p>
<p>The descriptions of the <b>ca</b> command options are divided into each purpose.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>This prints extra details about the operations being performed.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>This prints fewer details about the operations being performed, which may be handy during batch scripts or pipelines.</p>
</dd>
<dt id="config-filename"><b>-config</b> <i>filename</i></dt>
<dd>
<p>Specifies the configuration file to use. Optional; for a description of the default value, see <a href="../man1/openssl.html">&quot;COMMAND SUMMARY&quot; in openssl(1)</a>.</p>
</dd>
<dt id="name-section--section-section"><b>-name</b> <i>section</i>, <b>-section</b> <i>section</i></dt>
<dd>
<p>Specifies the configuration file section to use (overrides <b>default_ca</b> in the <b>ca</b> section).</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>An input filename containing a single certificate request (CSR) to be signed by the CA.</p>
</dd>
<dt id="inform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The format to use when loading certificate request (CSR) input files; by default PEM is tried first. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="ss_cert-filename"><b>-ss_cert</b> <i>filename</i></dt>
<dd>
<p>A single self-signed certificate to be signed by the CA.</p>
</dd>
<dt id="spkac-filename"><b>-spkac</b> <i>filename</i></dt>
<dd>
<p>A file containing a single Netscape signed public key and challenge and additional field values to be signed by the CA. See the <b>SPKAC FORMAT</b> section for information on the required input and output format.</p>
</dd>
<dt id="infiles"><b>-infiles</b></dt>
<dd>
<p>If present this should be the last option, all subsequent arguments are taken as the names of files containing certificate requests.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>The output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file in PEM format (except that <b>-spkac</b> outputs DER format).</p>
</dd>
<dt id="outdir-directory"><b>-outdir</b> <i>directory</i></dt>
<dd>
<p>The directory to output certificates to. The certificate will be written to a filename consisting of the serial number in hex with <i>.pem</i> appended.</p>
</dd>
<dt id="cert-filename"><b>-cert</b> <i>filename</i></dt>
<dd>
<p>The CA certificate, which must match with <b>-keyfile</b>.</p>
</dd>
<dt id="certform-DER-PEM-P12"><b>-certform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b></dt>
<dd>
<p>The format of the data in certificate input files; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="keyfile-filename-uri"><b>-keyfile</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>The CA private key to sign certificate requests with. This must match with <b>-cert</b>.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The format of the private key input file; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="sigopt-nm:v"><b>-sigopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm during sign operations. Names and values of these options are algorithm-specific.</p>
</dd>
<dt id="vfyopt-nm:v"><b>-vfyopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm during verify operations. Names and values of these options are algorithm-specific.</p>
<p>This often needs to be given while signing too, because the self-signature of a certificate signing request (CSR) is verified against the included public key, and that verification may need its own set of options.</p>
</dd>
<dt id="key-password"><b>-key</b> <i>password</i></dt>
<dd>
<p>The password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g., when using <a href="../man1/ps.html">ps(1)</a> on Unix), this option should be used with caution. Better use <b>-passin</b>.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The key password source for key files and certificate PKCS#12 files. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="selfsign"><b>-selfsign</b></dt>
<dd>
<p>Indicates the issued certificates are to be signed with the key the certificate requests were signed with (given with <b>-keyfile</b>). Certificate requests signed with a different key are ignored. If <b>-spkac</b>, <b>-ss_cert</b> or <b>-gencrl</b> are given, <b>-selfsign</b> is ignored.</p>
<p>A consequence of using <b>-selfsign</b> is that the self-signed certificate appears among the entries in the certificate database (see the configuration option <b>database</b>), and uses the same serial number counter as all other certificates sign with the self-signed certificate.</p>
</dd>
<dt id="notext"><b>-notext</b></dt>
<dd>
<p>Don&#39;t output the text form of a certificate to the output file.</p>
</dd>
<dt id="dateopt"><b>-dateopt</b></dt>
<dd>
<p>Specify the date output format. Values are: rfc_822 and iso_8601. Defaults to rfc_822.</p>
</dd>
<dt id="startdate-date"><b>-startdate</b> <i>date</i></dt>
<dd>
<p>This allows the start date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In both formats, seconds SS and timezone Z must be present.</p>
</dd>
<dt id="enddate-date"><b>-enddate</b> <i>date</i></dt>
<dd>
<p>This allows the expiry date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In both formats, seconds SS and timezone Z must be present.</p>
</dd>
<dt id="days-arg"><b>-days</b> <i>arg</i></dt>
<dd>
<p>The number of days to certify the certificate for.</p>
</dd>
<dt id="md-alg"><b>-md</b> <i>alg</i></dt>
<dd>
<p>The message digest to use. Any digest supported by the <a href="../man1/openssl-dgst.html">openssl-dgst(1)</a> command can be used. For signing algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message digest that is set is ignored. This option also applies to CRLs.</p>
</dd>
<dt id="policy-arg"><b>-policy</b> <i>arg</i></dt>
<dd>
<p>This option defines the CA &quot;policy&quot; to use. This is a section in the configuration file which decides which fields should be mandatory or match the CA certificate. Check out the <b>POLICY FORMAT</b> section for more information.</p>
</dd>
<dt id="msie_hack"><b>-msie_hack</b></dt>
<dd>
<p>This is a deprecated option to make this command work with very old versions of the IE certificate enrollment control &quot;certenr3&quot;. It used UniversalStrings for almost everything. Since the old control has various security bugs its use is strongly discouraged.</p>
</dd>
<dt id="preserveDN"><b>-preserveDN</b></dt>
<dd>
<p>Normally the DN order of a certificate is the same as the order of the fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll.</p>
</dd>
<dt id="noemailDN"><b>-noemailDN</b></dt>
<dd>
<p>The DN of a certificate can contain the EMAIL field if present in the request DN, however, it is good policy just having the e-mail set into the altName extension of the certificate. When this option is set the EMAIL field is removed from the certificate&#39; subject and set only in the, eventually present, extensions. The <b>email_in_dn</b> keyword can be used in the configuration file to enable this behaviour.</p>
</dd>
<dt id="batch"><b>-batch</b></dt>
<dd>
<p>This sets the batch mode. In this mode no questions will be asked and all certificates will be certified automatically.</p>
</dd>
<dt id="extensions-section"><b>-extensions</b> <i>section</i></dt>
<dd>
<p>The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to <b>x509_extensions</b> unless the <b>-extfile</b> option is used).</p>
<p>See the <a href="../man5/x509v3_config.html">x509v3_config(5)</a> manual page for details of the extension section format.</p>
</dd>
<dt id="extfile-file"><b>-extfile</b> <i>file</i></dt>
<dd>
<p>An additional configuration file to read certificate extensions from (using the default section unless the <b>-extensions</b> option is also used).</p>
</dd>
<dt id="subj-arg"><b>-subj</b> <i>arg</i></dt>
<dd>
<p>Supersedes subject name given in the request.</p>
<p>The arg must be formatted as <code>/type0=value0/type1=value1/type2=...</code>. Special characters may be escaped by <code>\</code> (backslash), whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the resulting certificate. Giving a single <code>/</code> will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a <code>+</code> character instead of a <code>/</code> between the AttributeValueAssertions (AVAs) that specify the members of the set. Example:</p>
<p><code>/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe</code></p>
</dd>
<dt id="utf8"><b>-utf8</b></dt>
<dd>
<p>This option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings.</p>
</dd>
<dt id="create_serial"><b>-create_serial</b></dt>
<dd>
<p>If reading the serial number from the text file named in the configuration fails, this option creates a new random serial to be used as the next serial number. It is intended only for simple error recovery; to always get random serial numbers, use the <b>-rand_serial</b> option instead.</p>
</dd>
<dt id="rand_serial"><b>-rand_serial</b></dt>
<dd>
<p>Generate a large random number to use as the serial number. This overrides any option or configuration to use a serial number file. Random serials are preferable to sequential ones: a requester who can predict the serial of the next certificate holds one of the ingredients of the chosen-prefix collision attacks that were demonstrated against MD5-signed certificates, and sequential serials also reveal how many certificates the CA has issued.</p>
</dd>
<dt id="multivalue-rdn"><b>-multivalue-rdn</b></dt>
<dd>
<p>This option has been deprecated and has no effect.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
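<p>The <b>-subj</b> syntax is small but has three traps: a backslash escapes the following character (so <code>\/</code> and <code>\+</code> are data rather than separators), an empty value silently drops its attribute, and <code>+</code> builds a multi-valued RDN. The following Python is an added example, not code from OpenSSL; it implements exactly the rules stated in the option description on a constructed input and renders the result. The <code>parse_subject</code> and <code>format_subject</code> names are this example&#39;s own.</p>

```python
"""Parser for the '/type0=value0/type1=value1+type2=value2' subject syntax.

Added example (not OpenSSL code). Rules implemented, as the -subj option
describes them: '/' separates RDNs, '+' joins AVAs into one multi-valued
RDN, a backslash escapes the next character, whitespace is kept, empty
values are dropped, and a lone '/' is the empty DN.
"""
from typing import Iterator, List, Tuple

AVA = Tuple[str, str]   # (attribute type, value), e.g. ("CN", "John Doe")
RDN = List[AVA]         # one RDN; more than one AVA makes it multi-valued


def _tokenize(arg: str) -> Iterator[Tuple[str, bool]]:
    """Yield (ava_text, joined) pairs from the text after the leading '/'.

    joined is True when the AVA ended with '+' (it shares an RDN with the
    next AVA) and False when it ended with '/' or the end of the string.
    """
    cur: List[str] = []
    i = 1                                   # skip the leading '/'
    while i < len(arg):
        ch = arg[i]
        if ch == "\\" and i + 1 < len(arg):  # escape: keep next char literally
            cur.append(arg[i + 1])
            i += 2
            continue
        if ch in "/+":
            yield "".join(cur), ch == "+"
            cur = []
        else:
            cur.append(ch)
        i += 1
    yield "".join(cur), False


def parse_subject(arg: str) -> List[RDN]:
    """Parse a -subj argument into a list of RDNs (each a list of AVAs)."""
    if not arg.startswith("/"):
        raise ValueError("subject must start with '/'")
    dn: List[RDN] = []
    rdn: RDN = []
    for text, joined in _tokenize(arg):
        if text:                            # '' comes from a lone or trailing '/'
            attr_type, eq, value = text.partition("=")
            if not eq or not attr_type:
                raise ValueError(f"bad AVA {text!r}: expected type=value")
            if value:                       # empty values are allowed but dropped
                rdn.append((attr_type, value))
        if not joined and rdn:              # '/' or end of string closes the RDN
            dn.append(rdn)
            rdn = []
    return dn


def format_subject(dn: List[RDN]) -> str:
    """Readable rendering: 'type = value, ...' with ' + ' inside a multi-valued RDN."""
    return ", ".join(" + ".join(f"{t} = {v}" for t, v in rdn) for rdn in dn)


if __name__ == "__main__":
    example = "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe"
    print(format_subject(parse_subject(example)))
    print(parse_subject("/"))               # [] : the NULL-DN
```

<p>Run it on the example from the option text and on <code>/O=Acme\/Corp/CN= a b /L=</code>: the escaped slash stays inside the O value, the surrounding spaces of the CN value survive, and the empty L value disappears without a warning, which is why a script that builds <b>-subj</b> strings from user input should validate them before calling <b>openssl ca</b>.</p>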
<h1 id="CRL-OPTIONS">CRL OPTIONS</h1>
<dl>
<dt id="gencrl"><b>-gencrl</b></dt>
<dd>
<p>This option generates a CRL based on information in the index file.</p>
</dd>
<dt id="crl_lastupdate-time"><b>-crl_lastupdate</b> <i>time</i></dt>
<dd>
<p>Allows the value of the CRL&#39;s lastUpdate field to be explicitly set; if this option is not present, the current time is used. Accepts times in YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure).</p>
</dd>
<dt id="crl_nextupdate-time"><b>-crl_nextupdate</b> <i>time</i></dt>
<dd>
<p>Allows the value of the CRL&#39;s nextUpdate field to be explicitly set; if this option is present, any values given for <b>-crldays</b>, <b>-crlhours</b> and <b>-crlsec</b> are ignored. Accepts times in the same formats as <b>-crl_lastupdate</b>.</p>
</dd>
<dt id="crldays-num"><b>-crldays</b> <i>num</i></dt>
<dd>
<p>The number of days before the next CRL is due. That is the days from now to place in the CRL nextUpdate field.</p>
</dd>
<dt id="crlhours-num"><b>-crlhours</b> <i>num</i></dt>
<dd>
<p>The number of hours before the next CRL is due.</p>
</dd>
<dt id="crlsec-num"><b>-crlsec</b> <i>num</i></dt>
<dd>
<p>The number of seconds before the next CRL is due.</p>
</dd>
<dt id="revoke-filename"><b>-revoke</b> <i>filename</i></dt>
<dd>
<p>The name of a file containing the certificate to revoke.</p>
</dd>
<dt id="valid-filename"><b>-valid</b> <i>filename</i></dt>
<dd>
<p>The name of a file containing a certificate that is added to the database as a valid (status <b>V</b>) entry.</p>
</dd>
<dt id="status-serial"><b>-status</b> <i>serial</i></dt>
<dd>
<p>Displays the revocation status of the certificate with the specified serial number and exits.</p>
</dd>
<dt id="updatedb"><b>-updatedb</b></dt>
<dd>
<p>Updates the database index: valid entries whose certificate has expired are marked as expired (status <b>E</b>). The entries themselves are not removed.</p>
</dd>
<dt id="crl_reason-reason"><b>-crl_reason</b> <i>reason</i></dt>
<dd>
<p>Revocation reason, where <i>reason</i> is one of: <b>unspecified</b>, <b>keyCompromise</b>, <b>CACompromise</b>, <b>affiliationChanged</b>, <b>superseded</b>, <b>cessationOfOperation</b>, <b>certificateHold</b> or <b>removeFromCRL</b>. The matching of <i>reason</i> is case insensitive. Setting any revocation reason will make the CRL v2.</p>
<p>In practice <b>removeFromCRL</b> is not particularly useful because it is only used in delta CRLs which are not currently implemented.</p>
</dd>
<dt id="crl_hold-instruction"><b>-crl_hold</b> <i>instruction</i></dt>
<dd>
<p>This sets the CRL revocation reason code to <b>certificateHold</b> and the hold instruction to <i>instruction</i>, which must be an OID. Although any OID can be used, normally only <b>holdInstructionNone</b> (the use of which is discouraged by RFC2459), <b>holdInstructionCallIssuer</b> or <b>holdInstructionReject</b> will be used.</p>
</dd>
<dt id="crl_compromise-time"><b>-crl_compromise</b> <i>time</i></dt>
<dd>
<p>This sets the revocation reason to <b>keyCompromise</b> and the compromise time to <i>time</i>. <i>time</i> should be in GeneralizedTime format that is <i>YYYYMMDDHHMMSSZ</i>.</p>
</dd>
<dt id="crl_CA_compromise-time"><b>-crl_CA_compromise</b> <i>time</i></dt>
<dd>
<p>This is the same as <b>-crl_compromise</b> except that the revocation reason is set to <b>CACompromise</b>.</p>
</dd>
<dt id="crlexts-section"><b>-crlexts</b> <i>section</i></dt>
<dd>
<p>The section of the configuration file containing CRL extensions to include. If no CRL extension section is present then a V1 CRL is created, if the CRL extension section is present (even if it is empty) then a V2 CRL is created. The CRL extensions specified are CRL extensions and <b>not</b> CRL entry extensions. It should be noted that some software (for example Netscape) can&#39;t handle V2 CRLs. See <a href="../man5/x509v3_config.html">x509v3_config(5)</a> manual page for details of the extension section format.</p>
</dd>
</dl>
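<p>All of the CRL options above read and write the text database (the index file named by the <b>database</b> configuration option). The following Python is an added example, not OpenSSL code; it models that file as this example assumes its layout (one entry per line, six tab-separated fields: status, expiry, revocation, serial, filename, subject) and implements <b>-status</b>, <b>-updatedb</b> and <b>-revoke</b> with the <b>-crl_reason</b>, <b>-crl_hold</b> and <b>-crl_compromise</b> encodings on a constructed sample index. The function names are this example&#39;s own.</p>

```python
"""Toy model of the openssl ca text database (index.txt).

Added example, not OpenSSL code. The index layout assumed here is one entry
per line with six tab-separated fields:
    status  expiry  revocation  serial  filename  subject
status is V (valid), R (revoked) or E (expired); times are ASN.1 UTCTime
(YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ); the revocation field
is empty or 'date[,reason[,extra]]', 'extra' being the hold-instruction OID
or the compromise time. All function names are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

REASONS = ("unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
           "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL")


@dataclass
class Entry:
    status: str
    expiry: str
    revocation: str
    serial: str
    filename: str
    subject: str


def parse_index(text: str) -> List[Entry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index line {lineno}: expected 6 tab-separated fields")
        entries.append(Entry(*fields))
    return entries


def parse_time(s: str) -> datetime:
    """UTCTime with the RFC 5280 century rule (50-99 -> 19xx, 00-49 -> 20xx), or GeneralizedTime."""
    if len(s) == 13:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    if len(s) != 15 or not s.endswith("Z"):
        raise ValueError(f"bad time {s!r}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_time(t: datetime) -> str:
    """UTCTime up to 2049, GeneralizedTime from 2050 on (the HISTORY section's rule)."""
    return t.strftime("%y%m%d%H%M%SZ" if t.year <= 2049 else "%Y%m%d%H%M%SZ")


def find(entries: List[Entry], serial: str) -> Optional[Entry]:
    norm = lambda s: s.upper().lstrip("0") or "0"      # '1', '01' and '0001' are one serial
    return next((e for e in entries if norm(e.serial) == norm(serial)), None)


def status(entries: List[Entry], serial: str) -> Optional[str]:
    """What -status reports: the entry's status letter, or None if the serial is absent."""
    e = find(entries, serial)
    return e.status if e else None


def updatedb(entries: List[Entry], now: datetime) -> int:
    """-updatedb: mark valid entries whose notAfter has passed as expired (E)."""
    expired = [e for e in entries if e.status == "V" and parse_time(e.expiry) <= now]
    for e in expired:
        e.status = "E"
    return len(expired)


def revoke(entries: List[Entry], serial: str, when: datetime,
           reason: Optional[str] = None, extra: Optional[str] = None) -> Entry:
    """-revoke, with -crl_reason / -crl_hold / -crl_compromise encoded in the revocation field."""
    e = find(entries, serial)
    if e is None:
        raise KeyError(f"serial {serial} is not in the database")
    if e.status == "R":
        raise ValueError(f"serial {serial} is already revoked")
    if reason is not None:
        reason = {r.lower(): r for r in REASONS}.get(reason.lower())   # case-insensitive match
        if reason is None:
            raise ValueError("unknown revocation reason")
    if extra is not None and reason not in ("certificateHold", "keyCompromise", "CACompromise"):
        raise ValueError("extra data needs a hold or compromise reason")
    e.status = "R"
    e.revocation = ",".join(x for x in (format_time(when), reason, extra) if x)
    return e


# Constructed sample index (not real data); the fields are tab-separated.
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/C=US/O=Example/CN=alice\n"
    "V\t230101000000Z\t\t02\tunknown\t/C=US/O=Example/CN=bob\n"
    "R\t300101000000Z\t240301120000Z,superseded\t03\tunknown\t/C=US/O=Example/CN=carol\n"
)

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("newly expired:", updatedb(db, now))
    print(revoke(db, "01", now, "keycompromise", "20240501120000Z").revocation)
```

<p>The model makes two points the option text only implies: <b>-updatedb</b> changes status letters rather than deleting lines, so expired certificates stay visible in the index, and the reason, hold OID or compromise time all travel in the third column, which is why a corrupted index (see RESTRICTIONS) also loses the revocation reasons that the next CRL would carry.</p>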
<h1 id="CONFIGURATION-FILE-OPTIONS">CONFIGURATION FILE OPTIONS</h1>
<p>The section of the configuration file containing options for this command is found as follows: if the <b>-name</b> command line option is used, then it names the section to be used. Otherwise the section to be used must be named in the <b>default_ca</b> option of the <b>ca</b> section of the configuration file (or in the default section of the configuration file). Besides <b>default_ca</b>, the following options are read directly from the <b>ca</b> section: <b>RANDFILE</b>, <b>preserve</b> and <b>msie_hack</b>. With the exception of <b>RANDFILE</b>, this is probably a bug and may change in future releases.</p>
<p>Many of the configuration file options are identical to command line options. Where the option is present in the configuration file and the command line the command line value is used. Where an option is described as mandatory then it must be present in the configuration file or the command line equivalent (if any) used.</p>
<dl>
<dt id="oid_file"><b>oid_file</b></dt>
<dd>
<p>This specifies a file containing additional <b>OBJECT IDENTIFIERS</b>. Each line of the file should consist of the numerical form of the object identifier followed by whitespace then the short name followed by whitespace and finally the long name.</p>
</dd>
<dt id="oid_section"><b>oid_section</b></dt>
<dd>
<p>This specifies a section in the configuration file containing extra object identifiers. Each line should consist of the short name of the object identifier followed by <b>=</b> and the numerical form. The short and long names are the same when this option is used.</p>
</dd>
<dt id="new_certs_dir"><b>new_certs_dir</b></dt>
<dd>
<p>The same as the <b>-outdir</b> command line option. It specifies the directory where new certificates will be placed. Mandatory.</p>
</dd>
<dt id="certificate"><b>certificate</b></dt>
<dd>
<p>The same as <b>-cert</b>. It gives the file containing the CA certificate. Mandatory.</p>
</dd>
<dt id="private_key"><b>private_key</b></dt>
<dd>
<p>Same as the <b>-keyfile</b> option. The file containing the CA private key. Mandatory.</p>
</dd>
<dt id="RANDFILE"><b>RANDFILE</b></dt>
<dd>
<p>At startup the specified file is loaded into the random number generator, and at exit 256 bytes will be written to it. (Note: using a RANDFILE is not necessary anymore, see the <a href="#HISTORY">&quot;HISTORY&quot;</a> section.)</p>
</dd>
<dt id="default_days"><b>default_days</b></dt>
<dd>
<p>The same as the <b>-days</b> option. The number of days to certify a certificate for.</p>
</dd>
<dt id="default_startdate"><b>default_startdate</b></dt>
<dd>
<p>The same as the <b>-startdate</b> option. The start date to certify a certificate for. If not set the current time is used.</p>
</dd>
<dt id="default_enddate"><b>default_enddate</b></dt>
<dd>
<p>The same as the <b>-enddate</b> option. Either this option or <b>default_days</b> (or the command line equivalents) must be present.</p>
</dd>
<dt id="default_crl_hours-default_crl_days"><b>default_crl_hours default_crl_days</b></dt>
<dd>
<p>The same as the <b>-crlhours</b> and the <b>-crldays</b> options. These will only be used if neither command line option is present. At least one of these must be present to generate a CRL.</p>
</dd>
<dt id="default_md"><b>default_md</b></dt>
<dd>
<p>The same as the <b>-md</b> option. Mandatory except where the signing algorithm does not require a digest (i.e. Ed25519 and Ed448).</p>
</dd>
<dt id="database"><b>database</b></dt>
<dd>
<p>The text database file to use. Mandatory. This file must be present though initially it will be empty.</p>
</dd>
<dt id="unique_subject"><b>unique_subject</b></dt>
<dd>
<p>If the value <b>yes</b> is given, the valid certificate entries in the database must have unique subjects. If the value <b>no</b> is given, several valid certificate entries may have exactly the same subject. The default value is <b>yes</b>, to be compatible with older (pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, it&#39;s recommended to use the value <b>no</b>, especially if combined with the <b>-selfsign</b> command line option.</p>
<p>Note that it is valid in some circumstances for certificates to be created without any subject. In the case where there are multiple certificates without subjects this does not count as a duplicate.</p>
</dd>
<dt id="serial"><b>serial</b></dt>
<dd>
<p>A text file containing the next serial number to use in hex. Mandatory. This file must be present and contain a valid serial number.</p>
</dd>
<dt id="crlnumber"><b>crlnumber</b></dt>
<dd>
<p>A text file containing the next CRL number to use in hex. The crl number will be inserted in the CRLs only if this file exists. If this file is present, it must contain a valid CRL number.</p>
</dd>
<dt id="x509_extensions"><b>x509_extensions</b></dt>
<dd>
<p>A fallback to the <b>-extensions</b> option.</p>
</dd>
<dt id="crl_extensions"><b>crl_extensions</b></dt>
<dd>
<p>A fallback to the <b>-crlexts</b> option.</p>
</dd>
<dt id="preserve"><b>preserve</b></dt>
<dd>
<p>The same as <b>-preserveDN</b>.</p>
</dd>
<dt id="email_in_dn"><b>email_in_dn</b></dt>
<dd>
<p>The same as <b>-noemailDN</b>. If you want the EMAIL field to be removed from the DN of the certificate simply set this to &#39;no&#39;. If not present, the default is to allow the EMAIL field in the certificate&#39;s DN.</p>
</dd>
<dt id="msie_hack1"><b>msie_hack</b></dt>
<dd>
<p>The same as <b>-msie_hack</b>.</p>
</dd>
<dt id="policy"><b>policy</b></dt>
<dd>
<p>The same as <b>-policy</b>. Mandatory. See the <b>POLICY FORMAT</b> section for more information.</p>
</dd>
<dt id="name_opt-cert_opt"><b>name_opt</b>, <b>cert_opt</b></dt>
<dd>
<p>These options set the format used to display the certificate details when asking the user to confirm signing. All the options supported by the <b>x509</b> utility&#39;s <b>-nameopt</b> and <b>-certopt</b> switches can be used here, except that <b>no_signame</b> and <b>no_sigdump</b> are permanently set and cannot be disabled (the certificate has not been signed at this point, so its signature cannot be displayed).</p>
<p>For convenience the value <b>ca_default</b> is accepted by both to produce a reasonable output.</p>
<p>If neither option is present the format used in earlier versions of OpenSSL is used. Use of the old format is <b>strongly</b> discouraged because it only displays fields mentioned in the <b>policy</b> section, mishandles multicharacter string types and does not display extensions.</p>
</dd>
<dt id="copy_extensions"><b>copy_extensions</b></dt>
<dd>
<p>Determines how extensions in certificate requests should be handled. If set to <b>none</b> or this option is not present then extensions are ignored and not copied to the certificate. If set to <b>copy</b> then any extensions present in the request that are not already present are copied to the certificate. If set to <b>copyall</b> then all extensions in the request are copied to the certificate: if the extension is already present in the certificate it is deleted first. See the <b>WARNINGS</b> section before using this option.</p>
<p>The main use of this option is to allow a certificate request to supply values for certain extensions such as subjectAltName.</p>
</dd>
</dl>
<h1 id="POLICY-FORMAT">POLICY FORMAT</h1>
<p>The policy section consists of a set of variables corresponding to certificate DN fields. If the value is &quot;match&quot; then the field value must match the same field in the CA certificate. If the value is &quot;supplied&quot; then it must be present. If the value is &quot;optional&quot; then it may be present. Any fields not mentioned in the policy section are silently deleted, unless the <b>-preserveDN</b> option is set, but this can be regarded as more of a quirk than intended behaviour.</p>
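<p>The three rules plus the silent deletion are easier to reason about when run on a concrete subject. The following Python is an added example, not OpenSSL code; it reads a policy section in the format shown in the EXAMPLES section, applies it to a constructed request subject against a constructed CA subject, and also models <b>-preserveDN</b> and <b>email_in_dn = no</b>. That the resulting subject is rebuilt in policy-section order is an assumption of this example, and the function names are its own.</p>

```python
"""Apply an openssl ca policy section to a request subject.

Added example, not OpenSSL code. A DN is an ordered list of (type, value)
pairs. Rules implemented as the POLICY FORMAT section states them:
'match' must equal the CA's value, 'supplied' must be present, 'optional'
may be present, anything not mentioned is deleted unless preserve_dn is
set. email_in_dn=False drops emailAddress from the subject (-noemailDN).
Assumption of this example: the result is rebuilt in policy-section order.
"""
from typing import Dict, List, Tuple

AVA = Tuple[str, str]


def parse_policy(section: str) -> Dict[str, str]:
    """Read 'field = rule' lines of a policy section; '#' starts a comment."""
    policy: Dict[str, str] = {}
    for line in section.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("["):        # blank line or section header
            continue
        field, eq, rule = line.partition("=")
        if not eq or rule.strip() not in ("match", "supplied", "optional"):
            raise ValueError(f"bad policy line {line!r}")
        policy[field.strip()] = rule.strip()
    return policy


def apply_policy(req_dn: List[AVA], ca_dn: List[AVA], policy: Dict[str, str],
                 preserve_dn: bool = False, email_in_dn: bool = True) -> List[AVA]:
    """Return the subject that would go into the certificate, or raise ValueError."""
    ca_values: Dict[str, str] = {}
    for t, v in ca_dn:
        ca_values.setdefault(t, v)                    # first occurrence is compared
    req_values: Dict[str, List[str]] = {}
    for t, v in req_dn:
        req_values.setdefault(t, []).append(v)
    for field, rule in policy.items():
        present = field in req_values
        if rule == "match":
            if not present:
                raise ValueError(f"{field} is missing but must match the CA")
            if any(v != ca_values.get(field) for v in req_values[field]):
                raise ValueError(f"{field} does not match the CA certificate")
        elif rule == "supplied" and not present:
            raise ValueError(f"{field} must be supplied")
    if preserve_dn:
        out = list(req_dn)                            # keep everything, request order
    else:                                             # rebuild in policy order
        out = [(t, v) for t in policy for v in req_values.get(t, [])]
    if not email_in_dn:                               # belongs in subjectAltName instead
        out = [(t, v) for t, v in out if t != "emailAddress"]
    return out


# Constructed inputs: the policy from the EXAMPLES section, a request subject
# carrying a localityName the policy never mentions, and a CA subject.
POLICY_ANY = """
[ policy_any ]
countryName            = supplied
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
"""
REQUEST_DN = [("countryName", "US"), ("localityName", "Austin"),
              ("organizationName", "Example"), ("commonName", "alice"),
              ("emailAddress", "alice@example.test")]
CA_DN = [("countryName", "US"), ("organizationName", "Example CA")]

if __name__ == "__main__":
    policy = parse_policy(POLICY_ANY)
    print(apply_policy(REQUEST_DN, CA_DN, policy))                      # localityName gone
    print(apply_policy(REQUEST_DN, CA_DN, policy, email_in_dn=False))   # email gone too
    strict = {"countryName": "match", "organizationName": "match", "commonName": "supplied"}
    try:
        apply_policy(REQUEST_DN, CA_DN, strict)
    except ValueError as err:
        print("rejected:", err)
```

<p>With <code>policy_any</code> the request&#39;s localityName is dropped without any message, which is the silent deletion the text warns about; with a <code>match</code> policy the organizationName mismatch is rejected outright. A CA that wants to reject unexpected fields rather than drop them has to check the request itself, since the policy mechanism offers only &quot;match&quot;, &quot;supplied&quot; and &quot;optional&quot;.</p>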
<h1 id="SPKAC-FORMAT">SPKAC FORMAT</h1>
<p>The input to the <b>-spkac</b> command line option is a Netscape signed public key and challenge. This will usually come from the <b>KEYGEN</b> tag in an HTML form to create a new private key. It is however possible to create SPKACs using <a href="../man1/openssl-spkac.html">openssl-spkac(1)</a>.</p>
<p>The file should contain the variable SPKAC set to the value of the SPKAC and also the required DN components as name value pairs. If you need to include the same component twice then it can be preceded by a number and a &#39;.&#39;.</p>
<p>When processing SPKAC format, the output is DER if the <b>-out</b> flag is used, but PEM format if sending to stdout or the <b>-outdir</b> flag is used.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Note: these examples assume that the directory structure this command assumes is already set up and the relevant files already exist. This usually involves creating a CA certificate and private key with <a href="../man1/openssl-req.html">openssl-req(1)</a>, a serial number file and an empty index file and placing them in the relevant directories.</p>
<p>To use the sample configuration file below the directories <i>demoCA</i>, <i>demoCA/private</i> and <i>demoCA/newcerts</i> would be created. The CA certificate would be copied to <i>demoCA/cacert.pem</i> and its private key to <i>demoCA/private/cakey.pem</i>. A file <i>demoCA/serial</i> would be created containing for example &quot;01&quot; and the empty index file <i>demoCA/index.txt</i>.</p>
<p>Sign a certificate request:</p>
<pre><code> openssl ca -in req.pem -out newcert.pem</code></pre>
<p>Sign an SM2 certificate request:</p>
<pre><code> openssl ca -in sm2.csr -out sm2.crt -md sm3 \
-sigopt &quot;distid:1234567812345678&quot; \
-vfyopt &quot;distid:1234567812345678&quot;</code></pre>
<p>Sign a certificate request, using CA extensions:</p>
<pre><code> openssl ca -in req.pem -extensions v3_ca -out newcert.pem</code></pre>
<p>Generate a CRL:</p>
<pre><code> openssl ca -gencrl -out crl.pem</code></pre>
<p>Sign several requests:</p>
<pre><code> openssl ca -infiles req1.pem req2.pem req3.pem</code></pre>
<p>Certify a Netscape SPKAC:</p>
<pre><code> openssl ca -spkac spkac.txt</code></pre>
<p>A sample SPKAC file (the SPKAC line has been truncated for clarity):</p>
<pre><code> SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
CN=Steve Test
emailAddress=steve@openssl.org
0.OU=OpenSSL Group
1.OU=Another Group</code></pre>
<p>A sample configuration file with the relevant sections for this command:</p>
<pre><code> [ ca ]
 default_ca      = CA_default            # The default ca section

 [ CA_default ]

 dir             = ./demoCA              # top dir
 database        = $dir/index.txt        # index file.
 new_certs_dir   = $dir/newcerts         # new certs dir

 certificate     = $dir/cacert.pem       # The CA cert
 serial          = $dir/serial           # serial no file
 #rand_serial    = yes                   # for random serial#&#39;s
 private_key     = $dir/private/cakey.pem # CA private key

 default_days    = 365                   # how long to certify for
 default_crl_days= 30                    # how long before next CRL
 default_md      = sha256                # md to use (md5 and sha1 are not acceptable for signatures)
 policy          = policy_any            # default policy
 email_in_dn     = no                    # Don&#39;t add the email into cert DN

 name_opt        = ca_default            # Subject name display option
 cert_opt        = ca_default            # Certificate display option
 copy_extensions = none                  # Don&#39;t copy extensions from request

 [ policy_any ]
 countryName            = supplied
 stateOrProvinceName    = optional
 organizationName       = optional
 organizationalUnitName = optional
 commonName             = supplied
 emailAddress           = optional</code></pre>
<h1 id="FILES">FILES</h1>
<p>Note: the location of all files can change either by compile time options, configuration file entries, environment variables or command line options. The values below reflect the default values.</p>
<pre><code> /usr/local/ssl/lib/openssl.cnf - master configuration file
./demoCA - main CA directory
./demoCA/cacert.pem - CA certificate
./demoCA/private/cakey.pem - CA private key
./demoCA/serial - CA serial number file
./demoCA/serial.old - CA serial number backup file
./demoCA/index.txt - CA text database file
./demoCA/index.txt.old - CA text database backup file
./demoCA/certs - certificate output file</code></pre>
<h1 id="RESTRICTIONS">RESTRICTIONS</h1>
<p>The text database index file is a critical part of the process and if corrupted it can be difficult to fix. It is theoretically possible to rebuild the index file from all the issued certificates and a current CRL: however there is no option to do this.</p>
<p>V2 CRL features like delta CRLs are not currently supported.</p>
<p>Although several requests can be input and handled at once it is only possible to include one SPKAC or self-signed certificate.</p>
<h1 id="BUGS">BUGS</h1>
<p>This command is quirky and at times downright unfriendly.</p>
<p>The use of an in-memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory.</p>
<p>This command really needs rewriting or the required functionality exposed at either a command or interface level so that a more user-friendly replacement could handle things properly. The script <b>CA.pl</b> helps a little but not very much.</p>
<p>Any fields in a request that are not present in a policy are silently deleted. This does not happen if the <b>-preserveDN</b> option is used. To enforce the absence of the EMAIL field within the DN, as suggested by RFCs, regardless of the contents of the request&#39;s subject, the <b>-noemailDN</b> option can be used. The behaviour should be more friendly and configurable.</p>
<p>Canceling some commands by refusing to certify a certificate can create an empty file.</p>
<h1 id="WARNINGS">WARNINGS</h1>
<p>This command was originally meant as an example of how to do things in a CA. Its code does not have production quality. It was not supposed to be used as a full blown CA itself, nevertheless some people are using it for this purpose at least internally. When doing so, specific care should be taken to properly secure the private key(s) used for signing certificates. It is advisable to keep them in a secure HW storage such as a smart card or HSM and access them via a suitable engine or crypto provider.</p>
<p>This command is effectively a single user command: no locking is done on the various files and attempts to run more than one <b>openssl ca</b> command on the same database can have unpredictable results.</p>
<p>The <b>copy_extensions</b> option should be used with caution. If care is not taken then it can be a security risk. For example if a certificate request contains a basicConstraints extension with CA:TRUE and the <b>copy_extensions</b> value is set to <b>copyall</b> and the user does not spot this when the certificate is displayed then this will hand the requester a valid CA certificate. This situation can be avoided by setting <b>copy_extensions</b> to <b>copy</b> and including basicConstraints with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be ignored.</p>
<p>It is advisable to also include values for other extensions such as <b>keyUsage</b> to prevent a request supplying its own values.</p>
<p>Additional restrictions can be placed on the CA certificate itself. For example if the CA certificate has:</p>
<pre><code> basicConstraints = CA:TRUE, pathlen:0</code></pre>
<p>then even if a certificate is issued with CA:TRUE it will not be valid.</p>
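<p>The scenario in the warning above (a request carrying <b>basicConstraints</b> CA:TRUE that <b>copyall</b> would pass through) and the <b>copy_extensions</b> description in the configuration section can be checked mechanically. The following Python is an added example, not OpenSSL code; it models extensions as name/value dicts in <a href="../man5/x509v3_config.html">x509v3_config(5)</a> syntax, implements the three merge modes, adds the check a batch-mode CA should run on the merged set before signing (refuse anything that grants CA or CRL-signing powers), and shows the <b>pathlen:0</b> rule. The inputs are constructed and the function names are this example&#39;s own.</p>

```python
"""What copy_extensions does to the extensions of an issued certificate.

Added example, not OpenSSL code. Extensions are modelled as a dict of
x509v3_config(5) name -> value strings: one dict for the CA's configured
extension section, one for the extensions found in the request.
"""
from typing import Dict, List

Extensions = Dict[str, str]


def merge_extensions(config: Extensions, request: Extensions, mode: str = "none") -> Extensions:
    """none: ignore the request; copy: request fills gaps only; copyall: request wins."""
    if mode not in ("none", "copy", "copyall"):
        raise ValueError(f"bad copy_extensions value {mode!r}")
    merged = dict(config)
    if mode == "copy":
        for name, value in request.items():
            merged.setdefault(name, value)       # a configured value is never replaced
    elif mode == "copyall":
        merged.update(request)                   # the configured value is deleted first
    return merged


def _flags(value: str) -> Dict[str, str]:
    """'critical, CA:TRUE, pathlen:0' -> {'CA': 'TRUE', 'pathlen': '0'}."""
    flags = {}
    for part in value.split(","):
        part = part.strip()
        if part and part.lower() != "critical":
            key, _, val = part.partition(":")
            flags[key.strip()] = val.strip()
    return flags


def is_ca(exts: Extensions) -> bool:
    bc = exts.get("basicConstraints")
    return bc is not None and _flags(bc).get("CA", "").upper() == "TRUE"


def ca_grade_extensions(exts: Extensions) -> List[str]:
    """Extension values that turn a certificate into a CA or CRL signer; the
    check an unattended (-batch) CA should run on the merged set before signing."""
    found = []
    if is_ca(exts):
        found.append("basicConstraints CA:TRUE")
    key_usage = {u.strip() for u in exts.get("keyUsage", "").split(",")}
    found += [f"keyUsage {u}" for u in ("keyCertSign", "cRLSign") if u in key_usage]
    return found


def can_issue_sub_ca(ca_exts: Extensions) -> bool:
    """With pathlen:0 the CA may only issue end-entity certificates; a CA:TRUE
    certificate it signs anyway fails path validation."""
    if not is_ca(ca_exts):
        return False
    pathlen = _flags(ca_exts["basicConstraints"]).get("pathlen")
    return pathlen is None or int(pathlen) > 0


# Constructed inputs (not from a real CA).
CONFIG_EXTS = {
    "basicConstraints": "CA:FALSE",
    "keyUsage": "digitalSignature, keyEncipherment",
    "subjectKeyIdentifier": "hash",
}
ROGUE_REQUEST = {                                     # a request asking for CA powers
    "basicConstraints": "CA:TRUE",
    "keyUsage": "keyCertSign, cRLSign",
    "subjectAltName": "DNS:www.example.test",
}

if __name__ == "__main__":
    for mode in ("none", "copy", "copyall"):
        merged = merge_extensions(CONFIG_EXTS, ROGUE_REQUEST, mode)
        print(f"{mode:8} CA={is_ca(merged)} dangerous={ca_grade_extensions(merged)}")
    print("pathlen:0 CA can issue a sub-CA:",
          can_issue_sub_ca({"basicConstraints": "critical, CA:TRUE, pathlen:0"}))
```

<p>With <b>copy</b> and a configured <b>basicConstraints</b> and <b>keyUsage</b>, the request&#39;s CA:TRUE and keyCertSign are discarded while its subjectAltName is kept, which is the combination the warning recommends; with <b>copyall</b> the same request becomes a CA certificate. The <code>ca_grade_extensions</code> gate is the check to add in front of <b>-batch</b>, where nobody is looking at the displayed certificate.</p>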
<h1 id="HISTORY">HISTORY</h1>
<p>Since OpenSSL 1.1.1, the program follows RFC5280. Specifically, certificate validity period (specified by any of <b>-startdate</b>, <b>-enddate</b> and <b>-days</b>) and CRL last/next update time (specified by any of <b>-crl_lastupdate</b>, <b>-crl_nextupdate</b>, <b>-crldays</b>, <b>-crlhours</b> and <b>-crlsec</b>) will be encoded as UTCTime if the dates are earlier than year 2049 (included), and as GeneralizedTime if the dates are in year 2050 or later.</p>
<p>OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved seeding mechanism. The new seeding mechanism makes it unnecessary to define a RANDFILE for saving and restoring randomness. This option is retained mainly for compatibility reasons.</p>
<p>The <b>-section</b> option was added in OpenSSL 3.0.0.</p>
<p>The <b>-multivalue-rdn</b> option has become obsolete in OpenSSL 3.0.0 and has no effect.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>Since OpenSSL 3.2, generated certificates bear X.509 version 3, and key identifier extensions are included by default.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-req.html">openssl-req(1)</a>, <a href="../man1/openssl-spkac.html">openssl-spkac(1)</a>, <a href="../man1/openssl-x509.html">openssl-x509(1)</a>, <a href="../man1/CA.pl.html">CA.pl(1)</a>, <a href="../man5/config.html">config(5)</a>, <a href="../man5/x509v3_config.html">x509v3_config(5)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,843 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-ciphers</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#CIPHER-LIST-FORMAT">CIPHER LIST FORMAT</a></li>
<li><a href="#CIPHER-STRINGS">CIPHER STRINGS</a></li>
<li><a href="#CIPHER-SUITE-NAMES">CIPHER SUITE NAMES</a>
<ul>
<li><a href="#SSL-v3.0-cipher-suites">SSL v3.0 cipher suites</a></li>
<li><a href="#TLS-v1.0-cipher-suites">TLS v1.0 cipher suites</a></li>
<li><a href="#AES-cipher-suites-from-RFC3268-extending-TLS-v1.0">AES cipher suites from RFC3268, extending TLS v1.0</a></li>
<li><a href="#Camellia-cipher-suites-from-RFC4132-extending-TLS-v1.0">Camellia cipher suites from RFC4132, extending TLS v1.0</a></li>
<li><a href="#SEED-cipher-suites-from-RFC4162-extending-TLS-v1.0">SEED cipher suites from RFC4162, extending TLS v1.0</a></li>
<li><a href="#GOST-cipher-suites-from-draft-chudov-cryptopro-cptls-extending-TLS-v1.0">GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0</a></li>
<li><a href="#GOST-cipher-suites-extending-TLS-v1.2">GOST cipher suites, extending TLS v1.2</a></li>
<li><a href="#Additional-Export-1024-and-other-cipher-suites">Additional Export 1024 and other cipher suites</a></li>
<li><a href="#Elliptic-curve-cipher-suites">Elliptic curve cipher suites</a></li>
<li><a href="#TLS-v1.2-cipher-suites">TLS v1.2 cipher suites</a></li>
<li><a href="#ARIA-cipher-suites-from-RFC6209-extending-TLS-v1.2">ARIA cipher suites from RFC6209, extending TLS v1.2</a></li>
<li><a href="#Camellia-HMAC-Based-cipher-suites-from-RFC6367-extending-TLS-v1.2">Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2</a></li>
<li><a href="#Pre-shared-keying-PSK-cipher-suites">Pre-shared keying (PSK) cipher suites</a></li>
<li><a href="#ChaCha20-Poly1305-cipher-suites-extending-TLS-v1.2">ChaCha20-Poly1305 cipher suites, extending TLS v1.2</a></li>
<li><a href="#TLS-v1.3-cipher-suites">TLS v1.3 cipher suites</a></li>
<li><a href="#Older-names-used-by-OpenSSL">Older names used by OpenSSL</a></li>
</ul>
</li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-ciphers - SSL cipher display and cipher list command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>ciphers</b> [<b>-help</b>] [<b>-s</b>] [<b>-v</b>] [<b>-V</b>] [<b>-ssl3</b>] [<b>-tls1</b>] [<b>-tls1_1</b>] [<b>-tls1_2</b>] [<b>-tls1_3</b>] [<b>-psk</b>] [<b>-srp</b>] [<b>-stdname</b>] [<b>-convert</b> <i>name</i>] [<b>-ciphersuites</b> <i>val</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>cipherlist</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command converts textual OpenSSL cipher lists into ordered SSL cipher preference lists. It can be used to determine the appropriate cipherlist.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print a usage message.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="s"><b>-s</b></dt>
<dd>
<p>Only list supported ciphers: those consistent with the security level, and minimum and maximum protocol version. This is closer to the actual cipher list an application will support.</p>
<p>PSK and SRP ciphers are not enabled by default: they require <b>-psk</b> or <b>-srp</b> to enable them.</p>
<p>It also does not change the default list of supported signature algorithms.</p>
<p>On a server the list of supported ciphers might also exclude other ciphers depending on the configured certificates and presence of DH parameters.</p>
<p>If this option is not used then all ciphers that match the cipherlist will be listed.</p>
</dd>
<dt id="psk"><b>-psk</b></dt>
<dd>
<p>When combined with <b>-s</b> includes cipher suites which require PSK.</p>
</dd>
<dt id="srp"><b>-srp</b></dt>
<dd>
<p>When combined with <b>-s</b> includes cipher suites which require SRP. This option is deprecated.</p>
</dd>
<dt id="v"><b>-v</b></dt>
<dd>
<p>Verbose output: For each cipher suite, list details as provided by <a href="../man3/SSL_CIPHER_description.html">SSL_CIPHER_description(3)</a>.</p>
</dd>
<dt id="V"><b>-V</b></dt>
<dd>
<p>Like <b>-v</b>, but include the official cipher suite values in hex.</p>
</dd>
<dt id="tls1_3--tls1_2--tls1_1--tls1--ssl3"><b>-tls1_3</b>, <b>-tls1_2</b>, <b>-tls1_1</b>, <b>-tls1</b>, <b>-ssl3</b></dt>
<dd>
<p>In combination with the <b>-s</b> option, list the ciphers which could be used if the specified protocol were negotiated. Note that not all protocols and flags may be available, depending on how OpenSSL was built.</p>
</dd>
<dt id="stdname"><b>-stdname</b></dt>
<dd>
<p>Precede each cipher suite by its standard name.</p>
</dd>
<dt id="convert-name"><b>-convert</b> <i>name</i></dt>
<dd>
<p>Convert a standard cipher <i>name</i> to its OpenSSL name.</p>
</dd>
<dt id="ciphersuites-val"><b>-ciphersuites</b> <i>val</i></dt>
<dd>
<p>Sets the list of TLSv1.3 ciphersuites. This list will be combined with any TLSv1.2 and below ciphersuites that have been configured. The format for this list is a simple colon (&quot;:&quot;) separated list of TLSv1.3 ciphersuite names. By default this value is:</p>
<pre><code> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</code></pre>
</dd>
<dt id="cipherlist"><b>cipherlist</b></dt>
<dd>
<p>A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher preference list. This list will be combined with any TLSv1.3 ciphersuites that have been configured. If it is not included then the default cipher list will be used. The format is described below.</p>
</dd>
</dl>
<h1 id="CIPHER-LIST-FORMAT">CIPHER LIST FORMAT</h1>
<p>The cipher list consists of one or more <i>cipher strings</i> separated by colons. Commas or spaces are also acceptable separators but colons are normally used.</p>
<p>The cipher string may reference a cipher using its standard name from the IANA TLS Cipher Suites Registry (<a href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4">https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4</a>).</p>
<p>The actual cipher string can take several different forms.</p>
<p>It can consist of a single cipher suite such as <b>RC4-SHA</b>.</p>
<p>It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example <b>SHA1</b> represents all ciphers suites using the digest algorithm SHA1 and <b>SSLv3</b> represents all SSL v3 algorithms.</p>
<p>Lists of cipher suites can be combined in a single cipher string using the <b>+</b> character. This is used as a logical <b>and</b> operation. For example <b>SHA1+DES</b> represents all cipher suites containing the SHA1 <b>and</b> the DES algorithms.</p>
<p>Each cipher string can be optionally preceded by the characters <b>!</b>, <b>-</b> or <b>+</b>.</p>
<p>If <b>!</b> is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated.</p>
<p>If <b>-</b> is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options.</p>
<p>If <b>+</b> is used then the ciphers are moved to the end of the list. This option doesn&#39;t add any new ciphers it just moves matching existing ones.</p>
<p>If none of these characters is present then the string is just interpreted as a list of ciphers to be appended to the current preference list. If the list includes any ciphers already present they will be ignored: that is, they will not be moved to the end of the list.</p>
<p>The cipher string <b>@STRENGTH</b> can be used at any point to sort the current cipher list in order of encryption algorithm key length.</p>
<p>The cipher string <b>@SECLEVEL</b>=<i>n</i> can be used at any point to set the security level to <i>n</i>, which should be a number between zero and five, inclusive. See <a href="../man3/SSL_CTX_set_security_level.html">SSL_CTX_set_security_level(3)</a> for a description of what each level means.</p>
<p>The cipher list can be prefixed with the <b>DEFAULT</b> keyword, which enables the default cipher list as defined below. Unlike cipher strings, this prefix may not be combined with other strings using <b>+</b> character. For example, <b>DEFAULT+DES</b> is not valid.</p>
<p>The content of the default list is determined at compile time and normally corresponds to <b>ALL:!COMPLEMENTOFDEFAULT:!eNULL</b>.</p>
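<p>The operators above are easy to misread, in particular <b>!</b> versus <b>-</b>, and the way a low-level word such as <b>aRSA</b> sweeps in <b>eNULL</b> suites. The following Python is an added example, not OpenSSL code; it runs the rules on a constructed seven-suite table whose tags and key sizes are this example&#39;s own stand-ins for the library&#39;s real cipher table, with <b>DEFAULT</b> expanded to <b>ALL:!COMPLEMENTOFDEFAULT:!eNULL</b> as stated above. <b>@SECLEVEL</b> is not modelled.</p>

```python
"""How the cipher-string operators build a preference list.

Added example, not OpenSSL code. A miniature cipher table stands in for the
library's; the operators follow the rules given in CIPHER LIST FORMAT: plain
words append matching suites in table order, '!' deletes them permanently,
'-' deletes them but lets a later word add them back, '+' moves existing
matches to the end, '@STRENGTH' sorts by key length, and 'DEFAULT' may only
open the list. '@SECLEVEL' is not modelled.
"""
import re
from typing import List, Set, Tuple

# Constructed table: (OpenSSL name, property tags, encryption key bits).
SUITES: List[Tuple[str, Set[str], int]] = [
    ("ECDHE-ECDSA-AES256-GCM-SHA384", {"ECDHE", "aECDSA", "AES256", "AESGCM", "HIGH", "TLSv1.2"}, 256),
    ("ECDHE-RSA-AES128-GCM-SHA256",   {"ECDHE", "aRSA", "AES128", "AESGCM", "HIGH", "TLSv1.2"}, 128),
    ("ECDHE-RSA-CHACHA20-POLY1305",   {"ECDHE", "aRSA", "CHACHA20", "HIGH", "TLSv1.2"}, 256),
    ("AES128-SHA",                    {"kRSA", "aRSA", "AES128", "SHA1", "HIGH", "SSLv3"}, 128),
    ("RC4-SHA",                       {"kRSA", "aRSA", "RC4", "SHA1", "MEDIUM", "SSLv3"}, 128),
    ("AECDH-AES128-SHA",              {"aNULL", "AES128", "SHA1", "HIGH", "SSLv3"}, 128),
    ("NULL-SHA256",                   {"kRSA", "aRSA", "eNULL", "SHA256", "TLSv1.2"}, 0),
]
BITS = {name: bits for name, _, bits in SUITES}


def _matches(name: str, tags: Set[str], word: str) -> bool:
    """One keyword against one suite; the composite words are spelled out."""
    if word == "NULL":
        word = "eNULL"
    if word == "ALL":
        return "eNULL" not in tags
    if word == "COMPLEMENTOFALL":
        return "eNULL" in tags
    if word == "COMPLEMENTOFDEFAULT":          # RC4 and anonymous suites
        return bool(tags & {"RC4", "aNULL"})
    return word == name or word in tags


def cipher_list(spec: str) -> List[str]:
    words = [w for w in re.split(r"[:, ]+", spec) if w]
    if words and words[0] == "DEFAULT":
        words = ["ALL", "!COMPLEMENTOFDEFAULT", "!eNULL"] + words[1:]
    active: List[str] = []
    killed: Set[str] = set()                   # '!' victims can never come back
    for word in words:
        if word == "@STRENGTH":
            active.sort(key=lambda n: -BITS[n])  # stable sort keeps order among equals
            continue
        if word.startswith("@"):
            raise ValueError(f"{word} is not modelled here")
        op, rule = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        keywords = rule.split("+")             # 'SHA1+DES' style: logical AND
        if "DEFAULT" in keywords:
            raise ValueError("DEFAULT may only be the first word and cannot be combined")
        hits = [name for name, tags, _ in SUITES if all(_matches(name, tags, k) for k in keywords)]
        if op == "!":
            killed.update(hits)
            active = [n for n in active if n not in hits]
        elif op == "-":
            active = [n for n in active if n not in hits]
        elif op == "+":
            active = [n for n in active if n not in hits] + [n for n in active if n in hits]
        else:
            active += [n for n in hits if n not in killed and n not in active]
    return active


if __name__ == "__main__":
    for spec in ("DEFAULT", "ALL:!aNULL:-RC4:RC4", "ALL:!aNULL:!RC4:RC4",
                 "ECDHE:+aECDSA", "ECDHE:@STRENGTH", "aRSA", "aRSA:!eNULL"):
        print(f"{spec:24} -> {':'.join(cipher_list(spec))}")
```

<p>Two results are worth pausing on: <code>ALL:!aNULL:-RC4:RC4</code> ends with RC4-SHA back in the list, whereas <code>ALL:!aNULL:!RC4:RC4</code> does not, and <code>aRSA</code> alone includes NULL-SHA256 because the authentication word says nothing about encryption, which is exactly why the text recommends ending such lists with <b>!eNULL</b>.</p>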
<h1 id="CIPHER-STRINGS">CIPHER STRINGS</h1>
<p>The following is a list of all permitted cipher strings and their meanings.</p>
<dl>
<dt id="COMPLEMENTOFDEFAULT"><b>COMPLEMENTOFDEFAULT</b></dt>
<dd>
<p>The ciphers included in <b>ALL</b>, but not enabled by default. Currently this includes all RC4 and anonymous ciphers. Note that this rule does not cover <b>eNULL</b>, which is not included by <b>ALL</b> (use <b>COMPLEMENTOFALL</b> if necessary). Note that RC4 based cipher suites are not built into OpenSSL by default (see the enable-weak-ssl-ciphers option to Configure).</p>
</dd>
<dt id="ALL"><b>ALL</b></dt>
<dd>
<p>All cipher suites except the <b>eNULL</b> ciphers (which must be explicitly enabled if needed). As of OpenSSL 1.0.0, the <b>ALL</b> cipher suites are sensibly ordered by default.</p>
</dd>
<dt id="COMPLEMENTOFALL"><b>COMPLEMENTOFALL</b></dt>
<dd>
<p>The cipher suites not enabled by <b>ALL</b>, currently <b>eNULL</b>.</p>
</dd>
<dt id="HIGH"><b>HIGH</b></dt>
<dd>
<p>&quot;High&quot; encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.</p>
</dd>
<dt id="MEDIUM"><b>MEDIUM</b></dt>
<dd>
<p>&quot;Medium&quot; encryption cipher suites, currently some of those using 128 bit encryption.</p>
</dd>
<dt id="LOW"><b>LOW</b></dt>
<dd>
<p>&quot;Low&quot; encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. All these cipher suites have been removed as of OpenSSL 1.1.0.</p>
</dd>
<dt id="eNULL-NULL"><b>eNULL</b>, <b>NULL</b></dt>
<dd>
<p>The &quot;NULL&quot; ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are not enabled via either the <b>DEFAULT</b> or <b>ALL</b> cipher strings. Be careful when building cipherlists out of lower-level primitives such as <b>kRSA</b> or <b>aECDSA</b> as these do overlap with the <b>eNULL</b> ciphers. When in doubt, include <b>!eNULL</b> in your cipherlist.</p>
</dd>
<dt id="aNULL"><b>aNULL</b></dt>
<dd>
<p>The cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable to &quot;man in the middle&quot; attacks and so their use is discouraged. These are excluded from the <b>DEFAULT</b> ciphers, but included in the <b>ALL</b> ciphers. Be careful when building cipherlists out of lower-level primitives such as <b>kDHE</b> or <b>AES</b> as these do overlap with the <b>aNULL</b> ciphers. When in doubt, include <b>!aNULL</b> in your cipherlist.</p>
</dd>
<dt id="kRSA-aRSA-RSA"><b>kRSA</b>, <b>aRSA</b>, <b>RSA</b></dt>
<dd>
<p>Cipher suites using RSA key exchange or authentication. <b>RSA</b> is an alias for <b>kRSA</b>.</p>
</dd>
<dt id="kDHr-kDHd-kDH"><b>kDHr</b>, <b>kDHd</b>, <b>kDH</b></dt>
<dd>
<p>Cipher suites using static DH key agreement and DH certificates signed by CAs with RSA and DSS keys or either respectively. All these cipher suites have been removed in OpenSSL 1.1.0.</p>
</dd>
<dt id="kDHE-kEDH-DH"><b>kDHE</b>, <b>kEDH</b>, <b>DH</b></dt>
<dd>
<p>Cipher suites using ephemeral DH key agreement, including anonymous cipher suites.</p>
</dd>
<dt id="DHE-EDH"><b>DHE</b>, <b>EDH</b></dt>
<dd>
<p>Cipher suites using authenticated ephemeral DH key agreement.</p>
</dd>
<dt id="ADH"><b>ADH</b></dt>
<dd>
<p>Anonymous DH cipher suites, note that this does not include anonymous Elliptic Curve DH (ECDH) cipher suites.</p>
</dd>
<dt id="kEECDH-kECDHE-ECDH"><b>kEECDH</b>, <b>kECDHE</b>, <b>ECDH</b></dt>
<dd>
<p>Cipher suites using ephemeral ECDH key agreement, including anonymous cipher suites.</p>
</dd>
<dt id="ECDHE-EECDH"><b>ECDHE</b>, <b>EECDH</b></dt>
<dd>
<p>Cipher suites using authenticated ephemeral ECDH key agreement.</p>
</dd>
<dt id="AECDH"><b>AECDH</b></dt>
<dd>
<p>Anonymous Elliptic Curve Diffie-Hellman cipher suites.</p>
</dd>
<dt id="aDSS-DSS"><b>aDSS</b>, <b>DSS</b></dt>
<dd>
<p>Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.</p>
</dd>
<dt id="aDH"><b>aDH</b></dt>
<dd>
<p>Cipher suites effectively using DH authentication, i.e. the certificates carry DH keys. All these cipher suites have been removed in OpenSSL 1.1.0.</p>
</dd>
<dt id="aECDSA-ECDSA"><b>aECDSA</b>, <b>ECDSA</b></dt>
<dd>
<p>Cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA keys.</p>
</dd>
<dt id="TLSv1.2-TLSv1.0-SSLv3"><b>TLSv1.2</b>, <b>TLSv1.0</b>, <b>SSLv3</b></dt>
<dd>
<p>Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or SSL v3.0 respectively. Note: there are no cipher suites specific to TLS v1.1. Since this is only the minimum version, if, for example, TLSv1.0 is negotiated then both TLSv1.0 and SSLv3.0 cipher suites are available.</p>
<p>Note: these cipher strings <b>do not</b> change the negotiated version of SSL or TLS, they only affect the list of available cipher suites.</p>
</dd>
<dt id="AES128-AES256-AES"><b>AES128</b>, <b>AES256</b>, <b>AES</b></dt>
<dd>
<p>cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.</p>
</dd>
<dt id="AESGCM"><b>AESGCM</b></dt>
<dd>
<p>AES in Galois Counter Mode (GCM): these cipher suites are only supported in TLS v1.2.</p>
</dd>
<dt id="AESCCM-AESCCM8"><b>AESCCM</b>, <b>AESCCM8</b></dt>
<dd>
<p>AES in Cipher Block Chaining - Message Authentication Mode (CCM): these cipher suites are only supported in TLS v1.2. <b>AESCCM</b> references CCM cipher suites using both 16 and 8 octet Integrity Check Value (ICV) while <b>AESCCM8</b> only references 8 octet ICV.</p>
</dd>
<dt id="ARIA128-ARIA256-ARIA"><b>ARIA128</b>, <b>ARIA256</b>, <b>ARIA</b></dt>
<dd>
<p>Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit ARIA.</p>
</dd>
<dt id="CAMELLIA128-CAMELLIA256-CAMELLIA"><b>CAMELLIA128</b>, <b>CAMELLIA256</b>, <b>CAMELLIA</b></dt>
<dd>
<p>Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit CAMELLIA.</p>
</dd>
<dt id="CHACHA20"><b>CHACHA20</b></dt>
<dd>
<p>Cipher suites using ChaCha20.</p>
</dd>
<dt id="DES"><b>3DES</b></dt>
<dd>
<p>Cipher suites using triple DES.</p>
</dd>
<dt id="DES1"><b>DES</b></dt>
<dd>
<p>Cipher suites using DES (not triple DES). All these cipher suites have been removed in OpenSSL 1.1.0.</p>
</dd>
<dt id="RC4"><b>RC4</b></dt>
<dd>
<p>Cipher suites using RC4.</p>
</dd>
<dt id="RC2"><b>RC2</b></dt>
<dd>
<p>Cipher suites using RC2.</p>
</dd>
<dt id="IDEA"><b>IDEA</b></dt>
<dd>
<p>Cipher suites using IDEA.</p>
</dd>
<dt id="SEED"><b>SEED</b></dt>
<dd>
<p>Cipher suites using SEED.</p>
</dd>
<dt id="MD5"><b>MD5</b></dt>
<dd>
<p>Cipher suites using MD5.</p>
</dd>
<dt id="SHA1-SHA"><b>SHA1</b>, <b>SHA</b></dt>
<dd>
<p>Cipher suites using SHA1.</p>
</dd>
<dt id="SHA256-SHA384"><b>SHA256</b>, <b>SHA384</b></dt>
<dd>
<p>Cipher suites using SHA256 or SHA384.</p>
</dd>
<dt id="aGOST"><b>aGOST</b></dt>
<dd>
<p>Cipher suites using GOST R 34.10 (either 2001 or 94) for authentication (needs an engine supporting GOST algorithms).</p>
</dd>
<dt id="aGOST01"><b>aGOST01</b></dt>
<dd>
<p>Cipher suites using GOST R 34.10-2001 authentication.</p>
</dd>
<dt id="kGOST"><b>kGOST</b></dt>
<dd>
<p>Cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357.</p>
</dd>
<dt id="GOST94"><b>GOST94</b></dt>
<dd>
<p>Cipher suites, using HMAC based on GOST R 34.11-94.</p>
</dd>
<dt id="GOST89MAC"><b>GOST89MAC</b></dt>
<dd>
<p>Cipher suites using GOST 28147-89 MAC <b>instead of</b> HMAC.</p>
</dd>
<dt id="PSK"><b>PSK</b></dt>
<dd>
<p>All cipher suites using pre-shared keys (PSK).</p>
</dd>
<dt id="kPSK-kECDHEPSK-kDHEPSK-kRSAPSK"><b>kPSK</b>, <b>kECDHEPSK</b>, <b>kDHEPSK</b>, <b>kRSAPSK</b></dt>
<dd>
<p>Cipher suites using PSK key exchange, ECDHE_PSK, DHE_PSK or RSA_PSK.</p>
</dd>
<dt id="aPSK"><b>aPSK</b></dt>
<dd>
<p>Cipher suites using PSK authentication (currently all PSK modes apart from RSA_PSK).</p>
</dd>
<dt id="SUITEB128-SUITEB128ONLY-SUITEB192"><b>SUITEB128</b>, <b>SUITEB128ONLY</b>, <b>SUITEB192</b></dt>
<dd>
<p>Enables suite B mode of operation using 128 (permitting 192 bit mode by peer) 128 bit (not permitting 192 bit by peer) or 192 bit level of security respectively. If used these cipherstrings should appear first in the cipher list and anything after them is ignored. Setting Suite B mode has additional consequences required to comply with RFC6460. In particular the supported signature algorithms is reduced to support only ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be used and only the two suite B compliant cipher suites (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are permissible.</p>
</dd>
<dt id="CBC"><b>CBC</b></dt>
<dd>
<p>All cipher suites using encryption algorithm in Cipher Block Chaining (CBC) mode. These cipher suites are only supported in TLS v1.2 and earlier. Currently it&#39;s an alias for the following cipherstrings: <b>SSL_DES</b>, <b>SSL_3DES</b>, <b>SSL_RC2</b>, <b>SSL_IDEA</b>, <b>SSL_AES128</b>, <b>SSL_AES256</b>, <b>SSL_CAMELLIA128</b>, <b>SSL_CAMELLIA256</b>, <b>SSL_SEED</b>.</p>
</dd>
</dl>
<h1 id="CIPHER-SUITE-NAMES">CIPHER SUITE NAMES</h1>
<p>The following lists give the SSL or TLS cipher suites names from the relevant specification and their OpenSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.</p>
<h2 id="SSL-v3.0-cipher-suites">SSL v3.0 cipher suites</h2>
<pre><code> SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH-DSS-DES-CBC3-SHA
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH-RSA-DES-CBC3-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA
SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented.</code></pre>
<h2 id="TLS-v1.0-cipher-suites">TLS v1.0 cipher suites</h2>
<pre><code> TLS_RSA_WITH_NULL_MD5 NULL-MD5
TLS_RSA_WITH_NULL_SHA NULL-SHA
TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
TLS_RSA_WITH_RC4_128_SHA RC4-SHA
TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA
TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA</code></pre>
<h2 id="AES-cipher-suites-from-RFC3268-extending-TLS-v1.0">AES cipher suites from RFC3268, extending TLS v1.0</h2>
<pre><code> TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA</code></pre>
<h2 id="Camellia-cipher-suites-from-RFC4132-extending-TLS-v1.0">Camellia cipher suites from RFC4132, extending TLS v1.0</h2>
<pre><code> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH-DSS-CAMELLIA128-SHA
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH-DSS-CAMELLIA256-SHA
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH-RSA-CAMELLIA128-SHA
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH-RSA-CAMELLIA256-SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE-DSS-CAMELLIA128-SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE-DSS-CAMELLIA256-SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE-RSA-CAMELLIA128-SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE-RSA-CAMELLIA256-SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA</code></pre>
<h2 id="SEED-cipher-suites-from-RFC4162-extending-TLS-v1.0">SEED cipher suites from RFC4162, extending TLS v1.0</h2>
<pre><code> TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA
TLS_DH_DSS_WITH_SEED_CBC_SHA DH-DSS-SEED-SHA
TLS_DH_RSA_WITH_SEED_CBC_SHA DH-RSA-SEED-SHA
TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE-DSS-SEED-SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE-RSA-SEED-SHA
TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA</code></pre>
<h2 id="GOST-cipher-suites-from-draft-chudov-cryptopro-cptls-extending-TLS-v1.0">GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0</h2>
<p>Note: these ciphers require an engine which including GOST cryptographic algorithms, such as the <b>gost</b> engine, which isn&#39;t part of the OpenSSL distribution.</p>
<pre><code> TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89
TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89
TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94-NULL-GOST94
TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001-NULL-GOST94</code></pre>
<h2 id="GOST-cipher-suites-extending-TLS-v1.2">GOST cipher suites, extending TLS v1.2</h2>
<p>Note: these ciphers require an engine which including GOST cryptographic algorithms, such as the <b>gost</b> engine, which isn&#39;t part of the OpenSSL distribution.</p>
<pre><code> TLS_GOSTR341112_256_WITH_28147_CNT_IMIT GOST2012-GOST8912-GOST8912
TLS_GOSTR341112_256_WITH_NULL_GOSTR3411 GOST2012-NULL-GOST12</code></pre>
<p>Note: GOST2012-GOST8912-GOST8912 is an alias for two ciphers ID old LEGACY-GOST2012-GOST8912-GOST8912 and new IANA-GOST2012-GOST8912-GOST8912</p>
<h2 id="Additional-Export-1024-and-other-cipher-suites">Additional Export 1024 and other cipher suites</h2>
<p>Note: these ciphers can also be used in SSL v3.</p>
<pre><code> TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA</code></pre>
<h2 id="Elliptic-curve-cipher-suites">Elliptic curve cipher suites</h2>
<pre><code> TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE-RSA-NULL-SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE-RSA-RC4-SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE-RSA-DES-CBC3-SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA
TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE-ECDSA-NULL-SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE-ECDSA-RC4-SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA-DES-CBC3-SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA
TLS_ECDH_anon_WITH_NULL_SHA AECDH-NULL-SHA
TLS_ECDH_anon_WITH_RC4_128_SHA AECDH-RC4-SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH-DES-CBC3-SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH-AES128-SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH-AES256-SHA</code></pre>
<h2 id="TLS-v1.2-cipher-suites">TLS v1.2 cipher suites</h2>
<pre><code> TLS_RSA_WITH_NULL_SHA256 NULL-SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH-RSA-AES128-SHA256
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH-RSA-AES256-SHA256
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH-RSA-AES128-GCM-SHA256
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH-RSA-AES256-GCM-SHA384
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH-DSS-AES128-SHA256
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH-DSS-AES256-SHA256
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH-DSS-AES128-GCM-SHA256
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH-DSS-AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE-RSA-AES256-GCM-SHA384
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE-DSS-AES128-SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE-DSS-AES256-SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE-DSS-AES128-GCM-SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE-DSS-AES256-GCM-SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE-ECDSA-AES256-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384
TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH-AES128-SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH-AES256-SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH-AES128-GCM-SHA256
TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH-AES256-GCM-SHA384
RSA_WITH_AES_128_CCM AES128-CCM
RSA_WITH_AES_256_CCM AES256-CCM
DHE_RSA_WITH_AES_128_CCM DHE-RSA-AES128-CCM
DHE_RSA_WITH_AES_256_CCM DHE-RSA-AES256-CCM
RSA_WITH_AES_128_CCM_8 AES128-CCM8
RSA_WITH_AES_256_CCM_8 AES256-CCM8
DHE_RSA_WITH_AES_128_CCM_8 DHE-RSA-AES128-CCM8
DHE_RSA_WITH_AES_256_CCM_8 DHE-RSA-AES256-CCM8
ECDHE_ECDSA_WITH_AES_128_CCM ECDHE-ECDSA-AES128-CCM
ECDHE_ECDSA_WITH_AES_256_CCM ECDHE-ECDSA-AES256-CCM
ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE-ECDSA-AES128-CCM8
ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE-ECDSA-AES256-CCM8</code></pre>
<h2 id="ARIA-cipher-suites-from-RFC6209-extending-TLS-v1.2">ARIA cipher suites from RFC6209, extending TLS v1.2</h2>
<p>Note: the CBC modes mentioned in this RFC are not supported.</p>
<pre><code> TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128-GCM-SHA256
TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256-GCM-SHA384
TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE-RSA-ARIA128-GCM-SHA256
TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE-RSA-ARIA256-GCM-SHA384
TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE-DSS-ARIA128-GCM-SHA256
TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE-DSS-ARIA256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE-ECDSA-ARIA128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE-ECDSA-ARIA256-GCM-SHA384
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE-ARIA128-GCM-SHA256
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE-ARIA256-GCM-SHA384
TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK-ARIA128-GCM-SHA256
TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK-ARIA256-GCM-SHA384
TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE-PSK-ARIA128-GCM-SHA256
TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE-PSK-ARIA256-GCM-SHA384
TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA-PSK-ARIA128-GCM-SHA256
TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA-PSK-ARIA256-GCM-SHA384</code></pre>
<h2 id="Camellia-HMAC-Based-cipher-suites-from-RFC6367-extending-TLS-v1.2">Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2</h2>
<pre><code> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-RSA-CAMELLIA128-SHA256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-RSA-CAMELLIA256-SHA384</code></pre>
<h2 id="Pre-shared-keying-PSK-cipher-suites">Pre-shared keying (PSK) cipher suites</h2>
<pre><code> PSK_WITH_NULL_SHA PSK-NULL-SHA
DHE_PSK_WITH_NULL_SHA DHE-PSK-NULL-SHA
RSA_PSK_WITH_NULL_SHA RSA-PSK-NULL-SHA
PSK_WITH_RC4_128_SHA PSK-RC4-SHA
PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA
PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA
DHE_PSK_WITH_RC4_128_SHA DHE-PSK-RC4-SHA
DHE_PSK_WITH_3DES_EDE_CBC_SHA DHE-PSK-3DES-EDE-CBC-SHA
DHE_PSK_WITH_AES_128_CBC_SHA DHE-PSK-AES128-CBC-SHA
DHE_PSK_WITH_AES_256_CBC_SHA DHE-PSK-AES256-CBC-SHA
RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA
RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA-PSK-3DES-EDE-CBC-SHA
RSA_PSK_WITH_AES_128_CBC_SHA RSA-PSK-AES128-CBC-SHA
RSA_PSK_WITH_AES_256_CBC_SHA RSA-PSK-AES256-CBC-SHA
PSK_WITH_AES_128_GCM_SHA256 PSK-AES128-GCM-SHA256
PSK_WITH_AES_256_GCM_SHA384 PSK-AES256-GCM-SHA384
DHE_PSK_WITH_AES_128_GCM_SHA256 DHE-PSK-AES128-GCM-SHA256
DHE_PSK_WITH_AES_256_GCM_SHA384 DHE-PSK-AES256-GCM-SHA384
RSA_PSK_WITH_AES_128_GCM_SHA256 RSA-PSK-AES128-GCM-SHA256
RSA_PSK_WITH_AES_256_GCM_SHA384 RSA-PSK-AES256-GCM-SHA384
PSK_WITH_AES_128_CBC_SHA256 PSK-AES128-CBC-SHA256
PSK_WITH_AES_256_CBC_SHA384 PSK-AES256-CBC-SHA384
PSK_WITH_NULL_SHA256 PSK-NULL-SHA256
PSK_WITH_NULL_SHA384 PSK-NULL-SHA384
DHE_PSK_WITH_AES_128_CBC_SHA256 DHE-PSK-AES128-CBC-SHA256
DHE_PSK_WITH_AES_256_CBC_SHA384 DHE-PSK-AES256-CBC-SHA384
DHE_PSK_WITH_NULL_SHA256 DHE-PSK-NULL-SHA256
DHE_PSK_WITH_NULL_SHA384 DHE-PSK-NULL-SHA384
RSA_PSK_WITH_AES_128_CBC_SHA256 RSA-PSK-AES128-CBC-SHA256
RSA_PSK_WITH_AES_256_CBC_SHA384 RSA-PSK-AES256-CBC-SHA384
RSA_PSK_WITH_NULL_SHA256 RSA-PSK-NULL-SHA256
RSA_PSK_WITH_NULL_SHA384 RSA-PSK-NULL-SHA384
PSK_WITH_AES_128_GCM_SHA256 PSK-AES128-GCM-SHA256
PSK_WITH_AES_256_GCM_SHA384 PSK-AES256-GCM-SHA384
ECDHE_PSK_WITH_RC4_128_SHA ECDHE-PSK-RC4-SHA
ECDHE_PSK_WITH_3DES_EDE_CBC_SHA ECDHE-PSK-3DES-EDE-CBC-SHA
ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE-PSK-AES128-CBC-SHA
ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE-PSK-AES256-CBC-SHA
ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE-PSK-AES128-CBC-SHA256
ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE-PSK-AES256-CBC-SHA384
ECDHE_PSK_WITH_NULL_SHA ECDHE-PSK-NULL-SHA
ECDHE_PSK_WITH_NULL_SHA256 ECDHE-PSK-NULL-SHA256
ECDHE_PSK_WITH_NULL_SHA384 ECDHE-PSK-NULL-SHA384
PSK_WITH_CAMELLIA_128_CBC_SHA256 PSK-CAMELLIA128-SHA256
PSK_WITH_CAMELLIA_256_CBC_SHA384 PSK-CAMELLIA256-SHA384
DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 DHE-PSK-CAMELLIA128-SHA256
DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 DHE-PSK-CAMELLIA256-SHA384
RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 RSA-PSK-CAMELLIA128-SHA256
RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 RSA-PSK-CAMELLIA256-SHA384
ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-PSK-CAMELLIA128-SHA256
ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-PSK-CAMELLIA256-SHA384
PSK_WITH_AES_128_CCM PSK-AES128-CCM
PSK_WITH_AES_256_CCM PSK-AES256-CCM
DHE_PSK_WITH_AES_128_CCM DHE-PSK-AES128-CCM
DHE_PSK_WITH_AES_256_CCM DHE-PSK-AES256-CCM
PSK_WITH_AES_128_CCM_8 PSK-AES128-CCM8
PSK_WITH_AES_256_CCM_8 PSK-AES256-CCM8
DHE_PSK_WITH_AES_128_CCM_8 DHE-PSK-AES128-CCM8
DHE_PSK_WITH_AES_256_CCM_8 DHE-PSK-AES256-CCM8</code></pre>
<h2 id="ChaCha20-Poly1305-cipher-suites-extending-TLS-v1.2">ChaCha20-Poly1305 cipher suites, extending TLS v1.2</h2>
<pre><code> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-CHACHA20-POLY1305
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 DHE-RSA-CHACHA20-POLY1305
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 PSK-CHACHA20-POLY1305
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE-PSK-CHACHA20-POLY1305
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE-PSK-CHACHA20-POLY1305
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA-PSK-CHACHA20-POLY1305</code></pre>
<h2 id="TLS-v1.3-cipher-suites">TLS v1.3 cipher suites</h2>
<pre><code> TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256</code></pre>
<h2 id="Older-names-used-by-OpenSSL">Older names used by OpenSSL</h2>
<p>The following names are accepted by older releases:</p>
<pre><code> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA (DHE-RSA-DES-CBC3-SHA)
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA (DHE-DSS-DES-CBC3-SHA)</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>Some compiled versions of OpenSSL may not include all the ciphers listed here because some ciphers were excluded at compile time.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Verbose listing of all OpenSSL ciphers including NULL ciphers:</p>
<pre><code> openssl ciphers -v &#39;ALL:eNULL&#39;</code></pre>
<p>Include all ciphers except NULL and anonymous DH then sort by strength:</p>
<pre><code> openssl ciphers -v &#39;ALL:!ADH:@STRENGTH&#39;</code></pre>
<p>Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL):</p>
<pre><code> openssl ciphers -v &#39;ALL:!aNULL&#39;</code></pre>
<p>Include only 3DES ciphers and then place RSA ciphers last:</p>
<pre><code> openssl ciphers -v &#39;3DES:+RSA&#39;</code></pre>
<p>Include all RC4 ciphers but leave out those without authentication:</p>
<pre><code> openssl ciphers -v &#39;RC4:!COMPLEMENTOFDEFAULT&#39;</code></pre>
<p>Include all ciphers with RSA authentication but leave out ciphers without encryption.</p>
<pre><code> openssl ciphers -v &#39;RSA:!COMPLEMENTOFALL&#39;</code></pre>
<p>Set security level to 2 and display all ciphers consistent with level 2:</p>
<pre><code> openssl ciphers -s -v &#39;ALL:@SECLEVEL=2&#39;</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-s_client.html">openssl-s_client(1)</a>, <a href="../man1/openssl-s_server.html">openssl-s_server(1)</a>, <a href="../man7/ssl.html">ssl(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-V</b> option was added in OpenSSL 1.0.0.</p>
<p>The <b>-stdname</b> is only available if OpenSSL is built with tracing enabled (<b>enable-ssl-trace</b> argument to Configure) before OpenSSL 1.1.1.</p>
<p>The <b>-convert</b> option was added in OpenSSL 1.1.1.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
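Review bot: removing this rendered openssl-ciphers(1) page is sound, since generated documentation does not belong in a prebuilt include tree, but the deletion leaves nothing that records which OpenSSL release the prebuilt tree was generated from; this page's HISTORY and COPYRIGHT sections (options added in 1.0.0 and 1.1.1, copyright 2000-2021) were the visible hint. Record the exact OpenSSL version in a README or VERSION file next to the prebuilt headers and libraries so the vendored library can be matched against upstream security advisories after these pages are gone.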

View File

@ -1,71 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-cmds</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>asn1parse, ca, ciphers, cmp, cms, crl, crl2pkcs7, dgst, dhparam, dsa, dsaparam, ec, ecparam, enc, engine, errstr, gendsa, genpkey, genrsa, info, kdf, mac, nseq, ocsp, passwd, pkcs12, pkcs7, pkcs8, pkey, pkeyparam, pkeyutl, prime, rand, rehash, req, rsa, rsautl, s_client, s_server, s_time, sess_id, smime, speed, spkac, srp, storeutl, ts, verify, version, x509 - OpenSSL application commands</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <i>cmd</i> <b>-help</b> | [<i>-option</i> | <i>-option</i> <i>arg</i>] ... [<i>arg</i>] ...</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>Every <i>cmd</i> listed above is a (sub-)command of the <a href="../man1/openssl.html">openssl(1)</a> application. It has its own detailed manual page at <b>openssl-<i>cmd</i></b>(1). For example, to view the manual page for the <b>openssl dgst</b> command, type <code>man openssl-dgst</code>.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<p>Among others, every subcommand has a help option.</p>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message for the subcommand.</p>
</dd>
</dl>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-asn1parse.html">openssl-asn1parse(1)</a>, <a href="../man1/openssl-ca.html">openssl-ca(1)</a>, <a href="../man1/openssl-ciphers.html">openssl-ciphers(1)</a>, <a href="../man1/openssl-cmp.html">openssl-cmp(1)</a>, <a href="../man1/openssl-cms.html">openssl-cms(1)</a>, <a href="../man1/openssl-crl.html">openssl-crl(1)</a>, <a href="../man1/openssl-crl2pkcs7.html">openssl-crl2pkcs7(1)</a>, <a href="../man1/openssl-dgst.html">openssl-dgst(1)</a>, <a href="../man1/openssl-dhparam.html">openssl-dhparam(1)</a>, <a href="../man1/openssl-dsa.html">openssl-dsa(1)</a>, <a href="../man1/openssl-dsaparam.html">openssl-dsaparam(1)</a>, <a href="../man1/openssl-ec.html">openssl-ec(1)</a>, <a href="../man1/openssl-ecparam.html">openssl-ecparam(1)</a>, <a href="../man1/openssl-enc.html">openssl-enc(1)</a>, <a href="../man1/openssl-engine.html">openssl-engine(1)</a>, <a href="../man1/openssl-errstr.html">openssl-errstr(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a>, <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-info.html">openssl-info(1)</a>, <a href="../man1/openssl-kdf.html">openssl-kdf(1)</a>, <a href="../man1/openssl-mac.html">openssl-mac(1)</a>, <a href="../man1/openssl-nseq.html">openssl-nseq(1)</a>, <a href="../man1/openssl-ocsp.html">openssl-ocsp(1)</a>, <a href="../man1/openssl-passwd.html">openssl-passwd(1)</a>, <a href="../man1/openssl-pkcs12.html">openssl-pkcs12(1)</a>, <a href="../man1/openssl-pkcs7.html">openssl-pkcs7(1)</a>, <a href="../man1/openssl-pkcs8.html">openssl-pkcs8(1)</a>, <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a>, <a href="../man1/openssl-pkeyparam.html">openssl-pkeyparam(1)</a>, <a href="../man1/openssl-pkeyutl.html">openssl-pkeyutl(1)</a>, <a href="../man1/openssl-prime.html">openssl-prime(1)</a>, <a 
href="../man1/openssl-rand.html">openssl-rand(1)</a>, <a href="../man1/openssl-rehash.html">openssl-rehash(1)</a>, <a href="../man1/openssl-req.html">openssl-req(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a>, <a href="../man1/openssl-rsautl.html">openssl-rsautl(1)</a>, <a href="../man1/openssl-s_client.html">openssl-s_client(1)</a>, <a href="../man1/openssl-s_server.html">openssl-s_server(1)</a>, <a href="../man1/openssl-s_time.html">openssl-s_time(1)</a>, <a href="../man1/openssl-sess_id.html">openssl-sess_id(1)</a>, <a href="../man1/openssl-smime.html">openssl-smime(1)</a>, <a href="../man1/openssl-speed.html">openssl-speed(1)</a>, <a href="../man1/openssl-spkac.html">openssl-spkac(1)</a>, <a href="../man1/openssl-srp.html">openssl-srp(1)</a>, <a href="../man1/openssl-storeutl.html">openssl-storeutl(1)</a>, <a href="../man1/openssl-ts.html">openssl-ts(1)</a>, <a href="../man1/openssl-verify.html">openssl-verify(1)</a>, <a href="../man1/openssl-version.html">openssl-version(1)</a>, <a href="../man1/openssl-x509.html">openssl-x509(1)</a>,</p>
<h1 id="HISTORY">HISTORY</h1>
<p>Initially, the manual page entry for the <code>openssl <i>cmd</i></code> command used to be available at <i>cmd</i>(1). Later, the alias <b>openssl-<i>cmd</i></b>(1) was introduced, which made it easier to group the openssl commands using the <a href="../man1/apropos.html">apropos(1)</a> command or the shell&#39;s tab completion.</p>
<p>In order to reduce cluttering of the global manual page namespace, the manual page entries without the &#39;openssl-&#39; prefix have been deprecated in OpenSSL 3.0 and will be removed in OpenSSL 4.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
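Review bot: the SEE ALSO block in this hunk links to sibling ../man1/openssl-*.html pages that the same commit also deletes, so the removal is internally consistent, but any remaining file in the repository that links into the prebuilt HTML doc directory will now dangle; grep for references to these .html paths before merging and, where any exist, point them at the upstream OpenSSL manual instead.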

File diff suppressed because it is too large

View File

@ -1,888 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-cms</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#General-options">General options</a></li>
<li><a href="#Operation-options">Operation options</a></li>
<li><a href="#File-format-options">File format options</a></li>
<li><a href="#Keys-and-password-options">Keys and password options</a></li>
<li><a href="#Encryption-and-decryption-options">Encryption and decryption options</a></li>
<li><a href="#Signing-options">Signing options</a></li>
<li><a href="#Verification-options">Verification options</a></li>
<li><a href="#Output-options">Output options</a></li>
<li><a href="#Printing-options">Printing options</a></li>
<li><a href="#Validation-options">Validation options</a></li>
</ul>
</li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#CADES-BASIC-ELECTRONIC-SIGNATURE-CADES-BES">CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)</a></li>
<li><a href="#EXIT-CODES">EXIT CODES</a></li>
<li><a href="#COMPATIBILITY-WITH-PKCS-7-FORMAT">COMPATIBILITY WITH PKCS#7 FORMAT</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-cms - CMS command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>cms</b> [<b>-help</b>]</p>
<p>General options:</p>
<p>[<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-config</b> <i>configfile</i>]</p>
<p>Operation options:</p>
<p>[<b>-encrypt</b>] [<b>-decrypt</b>] [<b>-sign</b>] [<b>-verify</b>] [<b>-resign</b>] [<b>-sign_receipt</b>] [<b>-verify_receipt</b> <i>receipt</i>] [<b>-digest</b> <i>digest</i>] [<b>-digest_create</b>] [<b>-digest_verify</b>] [<b>-compress</b>] [<b>-uncompress</b>] [<b>-EncryptedData_encrypt</b>] [<b>-EncryptedData_decrypt</b>] [<b>-data_create</b>] [<b>-data_out</b>] [<b>-cmsout</b>]</p>
<p>File format options:</p>
<p>[<b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b>] [<b>-rctform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b>] [<b>-stream</b>] [<b>-indef</b>] [<b>-noindef</b>] [<b>-binary</b>] [<b>-crlfeol</b>] [<b>-asciicrlf</b>]</p>
<p>Keys and password options:</p>
<p>[<b>-pwri_password</b> <i>password</i>] [<b>-secretkey</b> <i>key</i>] [<b>-secretkeyid</b> <i>id</i>] [<b>-inkey</b> <i>filename</i>|<i>uri</i>] [<b>-passin</b> <i>arg</i>] [<b>-keyopt</b> <i>name</i>:<i>parameter</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>]</p>
<p>Encryption options:</p>
<p>[<b>-originator</b> <i>file</i>] [<b>-recip</b> <i>file</i>] [<i>recipient-cert</i> ...] [<b>-<i>cipher</i></b>] [<b>-wrap</b> <i>cipher</i>] [<b>-aes128-wrap</b>] [<b>-aes192-wrap</b>] [<b>-aes256-wrap</b>] [<b>-des3-wrap</b>] [<b>-debug_decrypt</b>]</p>
<p>Signing options:</p>
<p>[<b>-md</b> <i>digest</i>] [<b>-signer</b> <i>file</i>] [<b>-certfile</b> <i>file</i>] [<b>-cades</b>] [<b>-nodetach</b>] [<b>-nocerts</b>] [<b>-noattr</b>] [<b>-nosmimecap</b>] [<b>-receipt_request_all</b>] [<b>-receipt_request_first</b>] [<b>-receipt_request_from</b> <i>emailaddress</i>] [<b>-receipt_request_to</b> <i>emailaddress</i>]</p>
<p>Verification options:</p>
<p>[<b>-signer</b> <i>file</i>] [<b>-content</b> <i>filename</i>] [<b>-no_content_verify</b>] [<b>-no_attr_verify</b>] [<b>-nosigs</b>] [<b>-noverify</b>] [<b>-nointern</b>] [<b>-cades</b>] [<b>-verify_retcode</b>] [<b>-CAfile</b> <i>file</i>] [<b>-no-CAfile</b>] [<b>-CApath</b> <i>dir</i>] [<b>-no-CApath</b>] [<b>-CAstore</b> <i>uri</i>] [<b>-no-CAstore</b>]</p>
<p>Output options:</p>
<p>[<b>-keyid</b>] [<b>-econtent_type</b> <i>type</i>] [<b>-text</b>] [<b>-certsout</b> <i>file</i>] [<b>-to</b> <i>addr</i>] [<b>-from</b> <i>addr</i>] [<b>-subject</b> <i>subj</i>]</p>
<p>Printing options:</p>
<p>[<b>-noout</b>] [<b>-print</b>] [<b>-nameopt</b> <i>option</i>] [<b>-receipt_request_print</b>]</p>
<p>Validation options:</p>
<p>[<b>-allow_proxy_certs</b>] [<b>-attime</b> <i>timestamp</i>] [<b>-no_check_time</b>] [<b>-check_ss_sig</b>] [<b>-crl_check</b>] [<b>-crl_check_all</b>] [<b>-explicit_policy</b>] [<b>-extended_crl</b>] [<b>-ignore_critical</b>] [<b>-inhibit_any</b>] [<b>-inhibit_map</b>] [<b>-partial_chain</b>] [<b>-policy</b> <i>arg</i>] [<b>-policy_check</b>] [<b>-policy_print</b>] [<b>-purpose</b> <i>purpose</i>] [<b>-suiteB_128</b>] [<b>-suiteB_128_only</b>] [<b>-suiteB_192</b>] [<b>-trusted_first</b>] [<b>-no_alt_chains</b>] [<b>-use_deltas</b>] [<b>-auth_level</b> <i>num</i>] [<b>-verify_depth</b> <i>num</i>] [<b>-verify_email</b> <i>email</i>] [<b>-verify_hostname</b> <i>hostname</i>] [<b>-verify_ip</b> <i>ip</i>] [<b>-verify_name</b> <i>name</i>] [<b>-x509_strict</b>] [<b>-issuer_checks</b>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command handles data in CMS format such as S/MIME v3.1 email messages. It can encrypt, decrypt, sign, verify, compress, uncompress, and print messages.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<p>There are a number of operation options that set the type of operation to be performed: encrypt, decrypt, sign, verify, resign, sign_receipt, verify_receipt, digest_create, digest_verify, compress, uncompress, EncryptedData_encrypt, EncryptedData_decrypt, data_create, data_out, or cmsout. The relevance of the other options depends on the operation type and their meaning may vary according to it.</p>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
</dl>
<h2 id="General-options">General options</h2>
<dl>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>The input message to be encrypted or signed or the message to be decrypted or verified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>The message text that has been decrypted or verified or the output MIME format message that has been signed or verified.</p>
</dd>
<dt id="config-configfile"><b>-config</b> <i>configfile</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Configuration Option&quot; in openssl(1)</a>.</p>
</dd>
</dl>
<h2 id="Operation-options">Operation options</h2>
<dl>
<dt id="encrypt"><b>-encrypt</b></dt>
<dd>
<p>Encrypt data for the given recipient certificates. Input file is the message to be encrypted. The output file is the encrypted data in MIME format. The actual CMS type is <b>EnvelopedData</b>.</p>
<p>Note that no revocation check is done for the recipient cert, so if that key has been compromised, others may be able to decrypt the text.</p>
</dd>
<dt id="decrypt"><b>-decrypt</b></dt>
<dd>
<p>Decrypt data using the supplied certificate and private key. Expects encrypted datain MIME format for the input file. The decrypted data is written to the output file.</p>
</dd>
<dt id="sign"><b>-sign</b></dt>
<dd>
<p>Sign data using the supplied certificate and private key. Input file is the message to be signed. The signed data in MIME format is written to the output file.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verify signed data. Expects a signed data on input and outputs the signed data. Both clear text and opaque signing is supported.</p>
</dd>
<dt id="resign"><b>-resign</b></dt>
<dd>
<p>Resign a message: take an existing message and one or more new signers.</p>
</dd>
<dt id="sign_receipt"><b>-sign_receipt</b></dt>
<dd>
<p>Generate and output a signed receipt for the supplied message. The input message <b>must</b> contain a signed receipt request. Functionality is otherwise similar to the <b>-sign</b> operation.</p>
</dd>
<dt id="verify_receipt-receipt"><b>-verify_receipt</b> <i>receipt</i></dt>
<dd>
<p>Verify a signed receipt in filename <b>receipt</b>. The input message <b>must</b> contain the original receipt request. Functionality is otherwise similar to the <b>-verify</b> operation.</p>
</dd>
<dt id="digest-digest"><b>-digest</b> <i>digest</i></dt>
<dd>
<p>When used with <b>-sign</b>, provides the digest in hexadecimal form instead of computing it from the original message content. Cannot be combined with <b>-in</b> or <b>-nodetach</b>.</p>
<p>This operation is the CMS equivalent of <a href="../man1/openssl-pkeyutl.html">openssl-pkeyutl(1)</a> signing. When signing a pre-computed digest, the security relies on the digest and its computation from the original message being trusted.</p>
</dd>
<dt id="digest_create"><b>-digest_create</b></dt>
<dd>
<p>Create a CMS <b>DigestedData</b> type.</p>
</dd>
<dt id="digest_verify"><b>-digest_verify</b></dt>
<dd>
<p>Verify a CMS <b>DigestedData</b> type and output the content.</p>
</dd>
<dt id="compress"><b>-compress</b></dt>
<dd>
<p>Create a CMS <b>CompressedData</b> type. OpenSSL must be compiled with <b>zlib</b> support for this option to work, otherwise it will output an error.</p>
</dd>
<dt id="uncompress"><b>-uncompress</b></dt>
<dd>
<p>Uncompress a CMS <b>CompressedData</b> type and output the content. OpenSSL must be compiled with <b>zlib</b> support for this option to work, otherwise it will output an error.</p>
</dd>
<dt id="EncryptedData_encrypt"><b>-EncryptedData_encrypt</b></dt>
<dd>
<p>Encrypt content using supplied symmetric key and algorithm using a CMS <b>EncryptedData</b> type and output the content.</p>
</dd>
<dt id="EncryptedData_decrypt"><b>-EncryptedData_decrypt</b></dt>
<dd>
<p>Decrypt content using supplied symmetric key and algorithm using a CMS <b>EncryptedData</b> type and output the content.</p>
</dd>
<dt id="data_create"><b>-data_create</b></dt>
<dd>
<p>Create a CMS <b>Data</b> type.</p>
</dd>
<dt id="data_out"><b>-data_out</b></dt>
<dd>
<p><b>Data</b> type and output the content.</p>
</dd>
<dt id="cmsout"><b>-cmsout</b></dt>
<dd>
<p>Takes an input message and writes out a PEM encoded CMS structure.</p>
</dd>
</dl>
<h2 id="File-format-options">File format options</h2>
<dl>
<dt id="inform-DER-PEM-SMIME"><b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b></dt>
<dd>
<p>The input format of the CMS structure (if one is being read); the default is <b>SMIME</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM-SMIME"><b>-outform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b></dt>
<dd>
<p>The output format of the CMS structure (if one is being written); the default is <b>SMIME</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="rctform-DER-PEM-SMIME"><b>-rctform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b></dt>
<dd>
<p>The signed receipt format for use with the <b>-receipt_verify</b>; the default is <b>SMIME</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="stream--indef"><b>-stream</b>, <b>-indef</b></dt>
<dd>
<p>The <b>-stream</b> and <b>-indef</b> options are equivalent and enable streaming I/O for encoding operations. This permits single pass processing of data without the need to hold the entire contents in memory, potentially supporting very large files. Streaming is automatically set for S/MIME signing with detached data if the output format is <b>SMIME</b> it is currently off by default for all other operations.</p>
</dd>
<dt id="noindef"><b>-noindef</b></dt>
<dd>
<p>Disable streaming I/O where it would produce and indefinite length constructed encoding. This option currently has no effect. In future streaming will be enabled by default on all relevant operations and this option will disable it.</p>
</dd>
<dt id="binary"><b>-binary</b></dt>
<dd>
<p>Normally the input message is converted to &quot;canonical&quot; format which is effectively using CR and LF as end of line: as required by the S/MIME specification. When this option is present no translation occurs. This is useful when handling binary data which may not be in MIME format.</p>
</dd>
<dt id="crlfeol"><b>-crlfeol</b></dt>
<dd>
<p>Normally the output file uses a single <b>LF</b> as end of line. When this option is present <b>CRLF</b> is used instead.</p>
</dd>
<dt id="asciicrlf"><b>-asciicrlf</b></dt>
<dd>
<p>When signing use ASCII CRLF format canonicalisation. This strips trailing whitespace from all lines, deletes trailing blank lines at EOF and sets the encapsulated content type. This option is normally used with detached content and an output signature format of DER. This option is not normally needed when verifying as it is enabled automatically if the encapsulated content format is detected.</p>
</dd>
</dl>
<h2 id="Keys-and-password-options">Keys and password options</h2>
<dl>
<dt id="pwri_password-password"><b>-pwri_password</b> <i>password</i></dt>
<dd>
<p>Specify password for recipient.</p>
</dd>
<dt id="secretkey-key"><b>-secretkey</b> <i>key</i></dt>
<dd>
<p>Specify symmetric key to use. The key must be supplied in hex format and be consistent with the algorithm used. Supported by the <b>-EncryptedData_encrypt</b> <b>-EncryptedData_decrypt</b>, <b>-encrypt</b> and <b>-decrypt</b> options. When used with <b>-encrypt</b> or <b>-decrypt</b> the supplied key is used to wrap or unwrap the content encryption key using an AES key in the <b>KEKRecipientInfo</b> type.</p>
</dd>
<dt id="secretkeyid-id"><b>-secretkeyid</b> <i>id</i></dt>
<dd>
<p>The key identifier for the supplied symmetric key for <b>KEKRecipientInfo</b> type. This option <b>must</b> be present if the <b>-secretkey</b> option is used with <b>-encrypt</b>. With <b>-decrypt</b> operations the <i>id</i> is used to locate the relevant key if it is not supplied then an attempt is used to decrypt any <b>KEKRecipientInfo</b> structures.</p>
</dd>
<dt id="inkey-filename-uri"><b>-inkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>The private key to use when signing or decrypting. This must match the corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the <b>-recip</b> or <b>-signer</b> file. When signing this option can be used multiple times to specify successive keys.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The private key password source. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="keyopt-name:parameter"><b>-keyopt</b> <i>name</i>:<i>parameter</i></dt>
<dd>
<p>For signing and encryption this option can be used multiple times to set customised parameters for the preceding key or certificate. It can currently be used to set RSA-PSS for signing, RSA-OAEP for encryption or to modify default parameters for ECDH.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The format of the private key file; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
</dl>
<h2 id="Encryption-and-decryption-options">Encryption and decryption options</h2>
<dl>
<dt id="originator-file"><b>-originator</b> <i>file</i></dt>
<dd>
<p>A certificate of the originator of the encrypted message. Necessary for decryption when Key Agreement is in use for a shared key.</p>
</dd>
<dt id="recip-file"><b>-recip</b> <i>file</i></dt>
<dd>
<p>When decrypting a message this specifies the certificate of the recipient. The certificate must match one of the recipients of the message.</p>
<p>When encrypting a message this option may be used multiple times to specify each recipient. This form <b>must</b> be used if customised parameters are required (for example to specify RSA-OAEP).</p>
<p>Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this option.</p>
</dd>
<dt id="recipient-cert"><i>recipient-cert</i> ...</dt>
<dd>
<p>This is an alternative to using the <b>-recip</b> option when encrypting a message. One or more certificate filenames may be given.</p>
</dd>
<dt id="cipher"><b>-<i>cipher</i></b></dt>
<dd>
<p>The encryption algorithm to use. For example triple DES (168 bits) - <b>-des3</b> or 256 bit AES - <b>-aes256</b>. Any standard algorithm name (as used by the EVP_get_cipherbyname() function) can also be used preceded by a dash, for example <b>-aes-128-cbc</b>. See <a href="../man1/openssl-enc.html">openssl-enc(1)</a> for a list of ciphers supported by your version of OpenSSL.</p>
<p>Currently the AES variants with GCM mode are the only supported AEAD algorithms.</p>
<p>If not specified triple DES is used. Only used with <b>-encrypt</b> and <b>-EncryptedData_create</b> commands.</p>
</dd>
<dt id="wrap-cipher"><b>-wrap</b> <i>cipher</i></dt>
<dd>
<p>Cipher algorithm to use for key wrap when encrypting the message using Key Agreement for key transport. The algorithm specified should be suitable for key wrap.</p>
</dd>
<dt id="aes128-wrap--aes192-wrap--aes256-wrap--des3-wrap"><b>-aes128-wrap</b>, <b>-aes192-wrap</b>, <b>-aes256-wrap</b>, <b>-des3-wrap</b></dt>
<dd>
<p>Use AES128, AES192, AES256, or 3DES-EDE, respectively, to wrap key. Depending on the OpenSSL build options used, <b>-des3-wrap</b> may not be supported.</p>
</dd>
<dt id="debug_decrypt"><b>-debug_decrypt</b></dt>
<dd>
<p>This option sets the <b>CMS_DEBUG_DECRYPT</b> flag. This option should be used with caution: see the notes section below.</p>
</dd>
</dl>
<h2 id="Signing-options">Signing options</h2>
<dl>
<dt id="md-digest"><b>-md</b> <i>digest</i></dt>
<dd>
<p>Digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually SHA1).</p>
</dd>
<dt id="signer-file"><b>-signer</b> <i>file</i></dt>
<dd>
<p>A signing certificate. When signing or resigning a message, this option can be used multiple times if more than one signer is required.</p>
</dd>
<dt id="certfile-file"><b>-certfile</b> <i>file</i></dt>
<dd>
<p>Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. The input can be in PEM, DER, or PKCS#12 format.</p>
</dd>
<dt id="cades"><b>-cades</b></dt>
<dd>
<p>When used with <b>-sign</b>, add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute to the SignerInfo, in order to make the signature comply with the requirements for a CAdES Basic Electronic Signature (CAdES-BES).</p>
</dd>
<dt id="nodetach"><b>-nodetach</b></dt>
<dd>
<p>When signing a message use opaque signing: this form is more resistant to translation by mail relays but it cannot be read by mail agents that do not support S/MIME. Without this option cleartext signing with the MIME type multipart/signed is used.</p>
</dd>
<dt id="nocerts"><b>-nocerts</b></dt>
<dd>
<p>When signing a message the signer&#39;s certificate is normally included with this option it is excluded. This will reduce the size of the signed message but the verifier must have a copy of the signers certificate available locally (passed using the <b>-certfile</b> option for example).</p>
</dd>
<dt id="noattr"><b>-noattr</b></dt>
<dd>
<p>Normally when a message is signed a set of attributes are included which include the signing time and supported symmetric algorithms. With this option they are not included.</p>
</dd>
<dt id="nosmimecap"><b>-nosmimecap</b></dt>
<dd>
<p>Exclude the list of supported algorithms from signed attributes, other options such as signing time and content type are still included.</p>
</dd>
<dt id="receipt_request_all--receipt_request_first"><b>-receipt_request_all</b>, <b>-receipt_request_first</b></dt>
<dd>
<p>For <b>-sign</b> option include a signed receipt request. Indicate requests should be provided by all recipient or first tier recipients (those mailed directly and not from a mailing list). Ignored it <b>-receipt_request_from</b> is included.</p>
</dd>
<dt id="receipt_request_from-emailaddress"><b>-receipt_request_from</b> <i>emailaddress</i></dt>
<dd>
<p>For <b>-sign</b> option include a signed receipt request. Add an explicit email address where receipts should be supplied.</p>
</dd>
<dt id="receipt_request_to-emailaddress"><b>-receipt_request_to</b> <i>emailaddress</i></dt>
<dd>
<p>Add an explicit email address where signed receipts should be sent to. This option <b>must</b> but supplied if a signed receipt is requested.</p>
</dd>
</dl>
<h2 id="Verification-options">Verification options</h2>
<dl>
<dt id="signer-file1"><b>-signer</b> <i>file</i></dt>
<dd>
<p>If a message has been verified successfully then the signers certificate(s) will be written to this file if the verification was successful.</p>
</dd>
<dt id="content-filename"><b>-content</b> <i>filename</i></dt>
<dd>
<p>This specifies a file containing the detached content for operations taking S/MIME input, such as the <b>-verify</b> command. This is only usable if the CMS structure is using the detached signature form where the content is not included. This option will override any content if the input format is S/MIME and it uses the multipart/signed MIME content type.</p>
</dd>
<dt id="no_content_verify"><b>-no_content_verify</b></dt>
<dd>
<p>Do not verify signed content signatures.</p>
</dd>
<dt id="no_attr_verify"><b>-no_attr_verify</b></dt>
<dd>
<p>Do not verify signed attribute signatures.</p>
</dd>
<dt id="nosigs"><b>-nosigs</b></dt>
<dd>
<p>Don&#39;t verify message signature.</p>
</dd>
<dt id="noverify"><b>-noverify</b></dt>
<dd>
<p>Do not verify the signers certificate of a signed message.</p>
</dd>
<dt id="nointern"><b>-nointern</b></dt>
<dd>
<p>When verifying a message normally certificates (if any) included in the message are searched for the signing certificate. With this option only the certificates specified in the <b>-certfile</b> option are used. The supplied certificates can still be used as untrusted CAs however.</p>
</dd>
<dt id="cades1"><b>-cades</b></dt>
<dd>
<p>When used with <b>-verify</b>, require and check signer certificate digest. See the NOTES section for more details.</p>
</dd>
<dt id="verify_retcode"><b>-verify_retcode</b></dt>
<dd>
<p>Exit nonzero on verification failure.</p>
</dd>
<dt id="CAfile-file--no-CAfile--CApath-dir--no-CApath--CAstore-uri--no-CAstore"><b>-CAfile</b> <i>file</i>, <b>-no-CAfile</b>, <b>-CApath</b> <i>dir</i>, <b>-no-CApath</b>, <b>-CAstore</b> <i>uri</i>, <b>-no-CAstore</b></dt>
<dd>
<p>See <a href="../man1/openssl-verification-options.html">&quot;Trusted Certificate Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
</dl>
<h2 id="Output-options">Output options</h2>
<dl>
<dt id="keyid"><b>-keyid</b></dt>
<dd>
<p>Use subject key identifier to identify certificates instead of issuer name and serial number. The supplied certificate <b>must</b> include a subject key identifier extension. Supported by <b>-sign</b> and <b>-encrypt</b> options.</p>
</dd>
<dt id="econtent_type-type"><b>-econtent_type</b> <i>type</i></dt>
<dd>
<p>Set the encapsulated content type to <i>type</i> if not supplied the <b>Data</b> type is used. The <i>type</i> argument can be any valid OID name in either text or numerical format.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>This option adds plain text (text/plain) MIME headers to the supplied message if encrypting or signing. If decrypting or verifying it strips off text headers: if the decrypted or verified message is not of MIME type text/plain then an error occurs.</p>
</dd>
<dt id="certsout-file"><b>-certsout</b> <i>file</i></dt>
<dd>
<p>Any certificates contained in the input message are written to <i>file</i>.</p>
</dd>
<dt id="to--from--subject"><b>-to</b>, <b>-from</b>, <b>-subject</b></dt>
<dd>
<p>The relevant email headers. These are included outside the signed portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate&#39;s email address matches that specified in the From: address.</p>
</dd>
</dl>
<h2 id="Printing-options">Printing options</h2>
<dl>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>For the <b>-cmsout</b> operation do not output the parsed CMS structure. This is useful if the syntax of the CMS structure is being checked.</p>
</dd>
<dt id="print"><b>-print</b></dt>
<dd>
<p>For the <b>-cmsout</b> operation print out all fields of the CMS structure. This implies <b>-noout</b>. This is mainly useful for testing purposes.</p>
</dd>
<dt id="nameopt-option"><b>-nameopt</b> <i>option</i></dt>
<dd>
<p>For the <b>-cmsout</b> operation when <b>-print</b> option is in use, specifies printing options for string fields. For most cases <b>utf8</b> is reasonable value. See <a href="../man1/openssl-namedisplay-options.html">openssl-namedisplay-options(1)</a> for details.</p>
</dd>
<dt id="receipt_request_print"><b>-receipt_request_print</b></dt>
<dd>
<p>For the <b>-verify</b> operation print out the contents of any signed receipt requests.</p>
</dd>
</dl>
<h2 id="Validation-options">Validation options</h2>
<dl>
<dt id="allow_proxy_certs--attime--no_check_time--check_ss_sig--crl_check--crl_check_all--explicit_policy--extended_crl--ignore_critical--inhibit_any--inhibit_map--no_alt_chains--partial_chain--policy--policy_check--policy_print--purpose--suiteB_128--suiteB_128_only--suiteB_192--trusted_first--use_deltas--auth_level--verify_depth--verify_email--verify_hostname--verify_ip--verify_name--x509_strict--issuer_checks"><b>-allow_proxy_certs</b>, <b>-attime</b>, <b>-no_check_time</b>, <b>-check_ss_sig</b>, <b>-crl_check</b>, <b>-crl_check_all</b>, <b>-explicit_policy</b>, <b>-extended_crl</b>, <b>-ignore_critical</b>, <b>-inhibit_any</b>, <b>-inhibit_map</b>, <b>-no_alt_chains</b>, <b>-partial_chain</b>, <b>-policy</b>, <b>-policy_check</b>, <b>-policy_print</b>, <b>-purpose</b>, <b>-suiteB_128</b>, <b>-suiteB_128_only</b>, <b>-suiteB_192</b>, <b>-trusted_first</b>, <b>-use_deltas</b>, <b>-auth_level</b>, <b>-verify_depth</b>, <b>-verify_email</b>, <b>-verify_hostname</b>, <b>-verify_ip</b>, <b>-verify_name</b>, <b>-x509_strict</b> <b>-issuer_checks</b></dt>
<dd>
<p>Set various options of certificate chain verification. See <a href="../man1/openssl-verification-options.html">&quot;Verification Options&quot; in openssl-verification-options(1)</a> for details.</p>
<p>Any validation errors cause the command to exit.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>The MIME message must be sent without any blank lines between the headers and the output. Some mail programs will automatically add a blank line. Piping the mail directly to sendmail is one way to achieve the correct format.</p>
<p>The supplied message to be signed or encrypted must include the necessary MIME headers or many S/MIME clients won&#39;t display it properly (if at all). You can use the <b>-text</b> option to automatically add plain text headers.</p>
<p>A &quot;signed and encrypted&quot; message is one where a signed message is then encrypted. This can be produced by encrypting an already signed message: see the examples section.</p>
<p>This version of the program only allows one signer per message but it will verify multiple signers on received messages. Some S/MIME clients choke if a message contains multiple signers. It is possible to sign messages &quot;in parallel&quot; by signing an already signed message.</p>
<p>The options <b>-encrypt</b> and <b>-decrypt</b> reflect common usage in S/MIME clients. Strictly speaking these process CMS enveloped data: CMS encrypted data is used for other purposes.</p>
<p>The <b>-resign</b> option uses an existing message digest when adding a new signer. This means that attributes must be present in at least one existing signer using the same message digest or this operation will fail.</p>
<p>The <b>-stream</b> and <b>-indef</b> options enable streaming I/O support. As a result the encoding is BER using indefinite length constructed encoding and no longer DER. Streaming is supported for the <b>-encrypt</b> operation and the <b>-sign</b> operation if the content is not detached.</p>
<p>Streaming is always used for the <b>-sign</b> operation with detached data but since the content is no longer part of the CMS structure the encoding remains DER.</p>
<p>If the <b>-decrypt</b> option is used without a recipient certificate then an attempt is made to locate the recipient by trying each potential recipient in turn using the supplied private key. To thwart the MMA attack (Bleichenbacher&#39;s attack on PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or not and if no recipients match the message is &quot;decrypted&quot; using a random key which will typically output garbage. The <b>-debug_decrypt</b> option can be used to disable the MMA attack protection and return an error if no recipient can be found: this option should be used with caution. For a fuller description see <a href="../man3/CMS_decrypt.html">CMS_decrypt(3)</a>).</p>
<h1 id="CADES-BASIC-ELECTRONIC-SIGNATURE-CADES-BES">CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)</h1>
<p>A CAdES Basic Electronic Signature (CAdES-BES), as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains:</p>
<ul>
<li><p>The signed user data as defined in CMS (RFC 3852);</p>
</li>
<li><p>Content-type of the EncapsulatedContentInfo value being signed;</p>
</li>
<li><p>Message-digest of the eContent OCTET STRING within encapContentInfo being signed;</p>
</li>
<li><p>An ESS signingCertificate or ESS signingCertificateV2 attribute, as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035. An ESS signingCertificate attribute only allows for SHA-1 as digest algorithm. An ESS signingCertificateV2 attribute allows for any digest algorithm.</p>
</li>
<li><p>The digital signature value computed on the user data and, when present, on the signed attributes.</p>
<p>NOTE that the <b>-cades</b> option applies to the <b>-sign</b> or <b>-verify</b> operations. With this option, the <b>-verify</b> operation also requires that the signingCertificate attribute is present and checks that the given identifiers match the verification trust chain built during the verification process.</p>
</li>
</ul>
<h1 id="EXIT-CODES">EXIT CODES</h1>
<dl>
<dt id="pod0">0</dt>
<dd>
<p>The operation was completely successfully.</p>
</dd>
<dt id="pod1">1</dt>
<dd>
<p>An error occurred parsing the command options.</p>
</dd>
<dt id="pod2">2</dt>
<dd>
<p>One of the input files could not be read.</p>
</dd>
<dt id="pod3">3</dt>
<dd>
<p>An error occurred creating the CMS file or when reading the MIME message.</p>
</dd>
<dt id="pod4">4</dt>
<dd>
<p>An error occurred decrypting or verifying the message.</p>
</dd>
<dt id="pod5">5</dt>
<dd>
<p>The message was verified correctly but an error occurred writing out the signers certificates.</p>
</dd>
</dl>
<h1 id="COMPATIBILITY-WITH-PKCS-7-FORMAT">COMPATIBILITY WITH PKCS#7 FORMAT</h1>
<p><a href="../man1/openssl-smime.html">openssl-smime(1)</a> can only process the older <b>PKCS#7</b> format. <b>openssl cms</b> supports Cryptographic Message Syntax format. Use of some features will result in messages which cannot be processed by applications which only support the older format. These are detailed below.</p>
<p>The use of the <b>-keyid</b> option with <b>-sign</b> or <b>-encrypt</b>.</p>
<p>The <b>-outform</b> <i>PEM</i> option uses different headers.</p>
<p>The <b>-compress</b> option.</p>
<p>The <b>-secretkey</b> option when used with <b>-encrypt</b>.</p>
<p>The use of PSS with <b>-sign</b>.</p>
<p>The use of OAEP or non-RSA keys with <b>-encrypt</b>.</p>
<p>Additionally the <b>-EncryptedData_create</b> and <b>-data_create</b> type cannot be processed by the older <a href="../man1/openssl-smime.html">openssl-smime(1)</a> command.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Create a cleartext signed message:</p>
<pre><code> openssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem</code></pre>
<p>Create an opaque signed message</p>
<pre><code> openssl cms -sign -in message.txt -text -out mail.msg -nodetach \
-signer mycert.pem</code></pre>
<p>Create a signed message, include some additional certificates and read the private key from another file:</p>
<pre><code> openssl cms -sign -in in.txt -text -out mail.msg \
-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem</code></pre>
<p>Create a signed message with two signers, use key identifier:</p>
<pre><code> openssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -signer othercert.pem -keyid</code></pre>
<p>Send a signed message under Unix directly to sendmail, including headers:</p>
<pre><code> openssl cms -sign -in in.txt -text -signer mycert.pem \
-from steve@openssl.org -to someone@somewhere \
-subject &quot;Signed message&quot; | sendmail someone@somewhere</code></pre>
<p>Verify a message and extract the signer&#39;s certificate if successful:</p>
<pre><code> openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt</code></pre>
<p>Send encrypted mail using triple DES:</p>
<pre><code> openssl cms -encrypt -in in.txt -from steve@openssl.org \
-to someone@somewhere -subject &quot;Encrypted message&quot; \
-des3 user.pem -out mail.msg</code></pre>
<p>Sign and encrypt mail:</p>
<pre><code> openssl cms -sign -in ml.txt -signer my.pem -text \
| openssl cms -encrypt -out mail.msg \
-from steve@openssl.org -to someone@somewhere \
-subject &quot;Signed and Encrypted message&quot; -des3 user.pem</code></pre>
<p>Note: the encryption command does not include the <b>-text</b> option because the message being encrypted already has MIME headers.</p>
<p>Decrypt a message:</p>
<pre><code> openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem</code></pre>
<p>The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the signature by line wrapping the base64 encoded structure and surrounding it with:</p>
<pre><code> -----BEGIN PKCS7-----
-----END PKCS7-----</code></pre>
<p>and using the command,</p>
<pre><code> openssl cms -verify -inform PEM -in signature.pem -content content.txt</code></pre>
<p>alternatively you can base64 decode the signature and use</p>
<pre><code> openssl cms -verify -inform DER -in signature.der -content content.txt</code></pre>
<p>Create an encrypted message using 128 bit Camellia:</p>
<pre><code> openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem</code></pre>
<p>Add a signer to an existing message:</p>
<pre><code> openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg</code></pre>
<p>Sign a message using RSA-PSS:</p>
<pre><code> openssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -keyopt rsa_padding_mode:pss</code></pre>
<p>Create an encrypted message using RSA-OAEP:</p>
<pre><code> openssl cms -encrypt -in plain.txt -out mail.msg \
-recip cert.pem -keyopt rsa_padding_mode:oaep</code></pre>
<p>Use SHA256 KDF with an ECDH certificate:</p>
<pre><code> openssl cms -encrypt -in plain.txt -out mail.msg \
-recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256</code></pre>
<p>Print CMS signed binary data in human-readable form:</p>
<p>openssl cms -in signed.cms -binary -inform DER -cmsout -print</p>
<h1 id="BUGS">BUGS</h1>
<p>The MIME parser isn&#39;t very clever: it seems to handle most messages that I&#39;ve thrown at it but it may choke on others.</p>
<p>The code currently will only write out the signer&#39;s certificate to a file: if the signer has a separate encryption certificate this must be manually extracted. There should be some heuristic that determines the correct encryption certificate.</p>
<p>Ideally a database should be maintained of a certificates for each email address.</p>
<p>The code doesn&#39;t currently take note of the permitted symmetric encryption algorithms as supplied in the SMIMECapabilities signed attribute. this means the user has to manually include the correct encryption algorithm. It should store the list of permitted ciphers in a database and only use those.</p>
<p>No revocation checking is done on the signer&#39;s certificate.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/ossl_store-file.html">ossl_store-file(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The use of multiple <b>-signer</b> options and the <b>-resign</b> command were first added in OpenSSL 1.0.0.</p>
<p>The <b>-keyopt</b> option was added in OpenSSL 1.0.2.</p>
<p>Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.</p>
<p>The use of non-RSA keys with <b>-encrypt</b> and <b>-decrypt</b> was added in OpenSSL 1.0.2.</p>
<p>The -no_alt_chains option was added in OpenSSL 1.0.2b.</p>
<p>The <b>-nameopt</b> option was added in OpenSSL 3.0.0.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>The <b>-digest</b> option was added in OpenSSL 3.2.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
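Review bot: the relative cross-links this deleted page carries (`../man1/openssl-smime.html` in the COMPATIBILITY section and `../man7/ossl_store-file.html` under SEE ALSO) assume sibling pages in the same generated man1/man7 tree, so removing this file is only consistent if those siblings are deleted in the same commit; please confirm the whole generated directory goes rather than individual pages, otherwise surviving pages would link to files that no longer exist.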

View File

@ -1,218 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-crl</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-crl - CRL command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>crl</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-key</b> <i>filename</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>] [<b>-dateopt</b>] [<b>-text</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-gendelta</b> <i>filename</i>] [<b>-badsig</b>] [<b>-verify</b>] [<b>-noout</b>] [<b>-hash</b>] [<b>-hash_old</b>] [<b>-fingerprint</b>] [<b>-crlnumber</b>] [<b>-issuer</b>] [<b>-lastupdate</b>] [<b>-nextupdate</b>] [<b>-nameopt</b> <i>option</i>] [<b>-CAfile</b> <i>file</i>] [<b>-no-CAfile</b>] [<b>-CApath</b> <i>dir</i>] [<b>-no-CApath</b>] [<b>-CAstore</b> <i>uri</i>] [<b>-no-CAstore</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes CRL files in DER or PEM format.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The CRL input format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The CRL output format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="key-filename"><b>-key</b> <i>filename</i></dt>
<dd>
<p>The private key to be used to sign the CRL.</p>
</dd>
<dt id="keyform-DER-PEM-P12"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b></dt>
<dd>
<p>The format of the private key file; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read from or standard input if this option is not specified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Specifies the output filename to write to or standard output by default.</p>
</dd>
<dt id="gendelta-filename"><b>-gendelta</b> <i>filename</i></dt>
<dd>
<p>Output a comparison of the main CRL and the one specified here.</p>
</dd>
<dt id="badsig"><b>-badsig</b></dt>
<dd>
<p>Corrupt the signature before writing it; this can be useful for testing.</p>
</dd>
<dt id="dateopt"><b>-dateopt</b></dt>
<dd>
<p>Specify the date output format. Values are: rfc_822 and iso_8601. Defaults to rfc_822.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Print out the CRL in text form.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verify the signature in the CRL.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>Don&#39;t output the encoded version of the CRL.</p>
</dd>
<dt id="fingerprint"><b>-fingerprint</b></dt>
<dd>
<p>Output the fingerprint of the CRL.</p>
</dd>
<dt id="crlnumber"><b>-crlnumber</b></dt>
<dd>
<p>Output the number of the CRL.</p>
</dd>
<dt id="hash"><b>-hash</b></dt>
<dd>
<p>Output a hash of the issuer name. This can be use to lookup CRLs in a directory by issuer name.</p>
</dd>
<dt id="hash_old"><b>-hash_old</b></dt>
<dd>
<p>Outputs the &quot;hash&quot; of the CRL issuer name using the older algorithm as used by OpenSSL before version 1.0.0.</p>
</dd>
<dt id="issuer"><b>-issuer</b></dt>
<dd>
<p>Output the issuer name.</p>
</dd>
<dt id="lastupdate"><b>-lastupdate</b></dt>
<dd>
<p>Output the lastUpdate field.</p>
</dd>
<dt id="nextupdate"><b>-nextupdate</b></dt>
<dd>
<p>Output the nextUpdate field.</p>
</dd>
<dt id="nameopt-option"><b>-nameopt</b> <i>option</i></dt>
<dd>
<p>This specifies how the subject or issuer names are displayed. See <a href="../man1/openssl-namedisplay-options.html">openssl-namedisplay-options(1)</a> for details.</p>
</dd>
<dt id="CAfile-file--no-CAfile--CApath-dir--no-CApath--CAstore-uri--no-CAstore"><b>-CAfile</b> <i>file</i>, <b>-no-CAfile</b>, <b>-CApath</b> <i>dir</i>, <b>-no-CApath</b>, <b>-CAstore</b> <i>uri</i>, <b>-no-CAstore</b></dt>
<dd>
<p>See <a href="../man1/openssl-verification-options.html">&quot;Trusted Certificate Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Convert a CRL file from PEM to DER:</p>
<pre><code> openssl crl -in crl.pem -outform DER -out crl.der</code></pre>
<p>Output the text form of a DER encoded certificate:</p>
<pre><code> openssl crl -in crl.der -text -noout</code></pre>
<h1 id="BUGS">BUGS</h1>
<p>Ideally it should be possible to create a CRL using appropriate options and files too.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-crl2pkcs7.html">openssl-crl2pkcs7(1)</a>, <a href="../man1/openssl-ca.html">openssl-ca(1)</a>, <a href="../man1/openssl-x509.html">openssl-x509(1)</a>, <a href="../man7/ossl_store-file.html">ossl_store-file(7)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
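Review bot: this hunk is deletion-only (header `@ -1,218 +0,0 @@`), and nothing visible in the diff changes whatever step produced this generated XHTML page (the `id="pod0"`-style anchors mark it as tool output, not hand-written); if that step still runs during the prebuild, the file will simply be recreated on the next build, so the generator invocation or an ignore rule for this directory should change in the same commit.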

View File

@ -1,133 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-crl2pkcs7</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>crl2pkcs7</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-certfile</b> <i>filename</i>] [<b>-nocrl</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command takes an optional CRL and one or more certificates and converts them into a PKCS#7 degenerate &quot;certificates only&quot; structure.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The input format of the CRL; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The output format of the PKCS#7 object; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read a CRL from or standard input if this option is not specified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Specifies the output filename to write the PKCS#7 structure to or standard output by default.</p>
</dd>
<dt id="certfile-filename"><b>-certfile</b> <i>filename</i></dt>
<dd>
<p>Specifies a filename containing one or more certificates in <b>PEM</b> format. All certificates in the file will be added to the PKCS#7 structure. This option can be used more than once to read certificates from multiple files.</p>
</dd>
<dt id="nocrl"><b>-nocrl</b></dt>
<dd>
<p>Normally a CRL is included in the output file. With this option no CRL is included in the output file and a CRL is not read from the input file.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Create a PKCS#7 structure from a certificate and CRL:</p>
<pre><code> openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem</code></pre>
<p>Creates a PKCS#7 structure in DER format with no CRL from several different certificates:</p>
<pre><code> openssl crl2pkcs7 -nocrl -certfile newcert.pem
-certfile demoCA/cacert.pem -outform DER -out p7.der</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>The output file is a PKCS#7 signed data structure containing no signers and just certificates and an optional CRL.</p>
<p>This command can be used to send certificates and CAs to Netscape as part of the certificate enrollment process. This involves sending the DER encoded output as MIME type application/x-x509-user-cert.</p>
<p>The <b>PEM</b> encoded form with the header and footer lines removed can be used to install user certificates and CAs in MSIE using the Xenroll control.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkcs7.html">openssl-pkcs7(1)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,297 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-dgst</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-dgst - perform digest operations</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>dgst</b>|<i>digest</i> [<b>-<i>digest</i></b>] [<b>-list</b>] [<b>-help</b>] [<b>-c</b>] [<b>-d</b>] [<b>-debug</b>] [<b>-hex</b>] [<b>-binary</b>] [<b>-xoflen</b> <i>length</i>] [<b>-r</b>] [<b>-out</b> <i>filename</i>] [<b>-sign</b> <i>filename</i>|<i>uri</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-passin</b> <i>arg</i>] [<b>-verify</b> <i>filename</i>] [<b>-prverify</b> <i>filename</i>] [<b>-signature</b> <i>filename</i>] [<b>-sigopt</b> <i>nm</i>:<i>v</i>] [<b>-hmac</b> <i>key</i>] [<b>-mac</b> <i>alg</i>] [<b>-macopt</b> <i>nm</i>:<i>v</i>] [<b>-fips-fingerprint</b>] [<b>-engine</b> <i>id</i>] [<b>-engine_impl</b> <i>id</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>file</i> ...]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command output the message digest of a supplied file or files in hexadecimal, and also generates and verifies digital signatures using message digests.</p>
<p>The generic name, <b>openssl dgst</b>, may be used with an option specifying the algorithm to be used. The default digest is <b>sha256</b>. A supported <i>digest</i> name may also be used as the sub-command name. To see the list of supported algorithms, use <code>openssl list -digest-algorithms</code></p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="digest"><b>-<i>digest</i></b></dt>
<dd>
<p>Specifies name of a supported digest to be used. See option <b>-list</b> below :</p>
</dd>
<dt id="list"><b>-list</b></dt>
<dd>
<p>Prints out a list of supported message digests.</p>
</dd>
<dt id="c"><b>-c</b></dt>
<dd>
<p>Print out the digest in two digit groups separated by colons, only relevant if the <b>-hex</b> option is given as well.</p>
</dd>
<dt id="d--debug"><b>-d</b>, <b>-debug</b></dt>
<dd>
<p>Print out BIO debugging information.</p>
</dd>
<dt id="hex"><b>-hex</b></dt>
<dd>
<p>Digest is to be output as a hex dump. This is the default case for a &quot;normal&quot; digest as opposed to a digital signature. See NOTES below for digital signatures using <b>-hex</b>.</p>
</dd>
<dt id="binary"><b>-binary</b></dt>
<dd>
<p>Output the digest or signature in binary form.</p>
</dd>
<dt id="xoflen-length"><b>-xoflen</b> <i>length</i></dt>
<dd>
<p>Set the output length for XOF algorithms, such as <b>shake128</b> and <b>shake256</b>. This option is not supported for signing operations.</p>
<p>For OpenSSL providers it is recommended to set this value for shake algorithms, since the default values are set to only supply half of the maximum security strength.</p>
<p>For backwards compatibility reasons the default xoflen length for <b>shake128</b> is 16 (bytes) which results in a security strength of only 64 bits. To ensure the maximum security strength of 128 bits, the xoflen should be set to at least 32.</p>
<p>For backwards compatibility reasons the default xoflen length for <b>shake256</b> is 32 (bytes) which results in a security strength of only 128 bits. To ensure the maximum security strength of 256 bits, the xoflen should be set to at least 64.</p>
</dd>
<dt id="r"><b>-r</b></dt>
<dd>
<p>Output the digest in the &quot;coreutils&quot; format, including newlines. Used by programs like <a href="../man1/sha1sum.html">sha1sum(1)</a>.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Filename to output to, or standard output by default.</p>
</dd>
<dt id="sign-filename-uri"><b>-sign</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>Digitally sign the digest using the given private key. Note this option does not support Ed25519 or Ed448 private keys. Use the <a href="../man1/openssl-pkeyutl.html">openssl-pkeyutl(1)</a> command instead for this.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The format of the key to sign with; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="sigopt-nm:v"><b>-sigopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm during sign or verify operations. Names and values of these options are algorithm-specific.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The private key password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="verify-filename"><b>-verify</b> <i>filename</i></dt>
<dd>
<p>Verify the signature using the public key in &quot;filename&quot;. The output is either &quot;Verified OK&quot; or &quot;Verification Failure&quot;.</p>
</dd>
<dt id="prverify-filename"><b>-prverify</b> <i>filename</i></dt>
<dd>
<p>Verify the signature using the private key in &quot;filename&quot;.</p>
</dd>
<dt id="signature-filename"><b>-signature</b> <i>filename</i></dt>
<dd>
<p>The actual signature to verify.</p>
</dd>
<dt id="hmac-key"><b>-hmac</b> <i>key</i></dt>
<dd>
<p>Create a hashed MAC using &quot;key&quot;.</p>
<p>The <a href="../man1/openssl-mac.html">openssl-mac(1)</a> command should be preferred to using this command line option.</p>
</dd>
<dt id="mac-alg"><b>-mac</b> <i>alg</i></dt>
<dd>
<p>Create MAC (keyed Message Authentication Code). The most popular MAC algorithm is HMAC (hash-based MAC), but there are other MAC algorithms which are not based on hash, for instance <b>gost-mac</b> algorithm, supported by the <b>gost</b> engine. MAC keys and other options should be set via <b>-macopt</b> parameter.</p>
<p>The <a href="../man1/openssl-mac.html">openssl-mac(1)</a> command should be preferred to using this command line option.</p>
</dd>
<dt id="macopt-nm:v"><b>-macopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Passes options to MAC algorithm, specified by <b>-mac</b> key. Following options are supported by both by <b>HMAC</b> and <b>gost-mac</b>:</p>
<dl>
<dt id="key:string"><b>key</b>:<i>string</i></dt>
<dd>
<p>Specifies MAC key as alphanumeric string (use if key contain printable characters only). String length must conform to any restrictions of the MAC algorithm for example exactly 32 chars for gost-mac.</p>
</dd>
<dt id="hexkey:string"><b>hexkey</b>:<i>string</i></dt>
<dd>
<p>Specifies MAC key in hexadecimal form (two hex digits per byte). Key length must conform to any restrictions of the MAC algorithm for example exactly 32 chars for gost-mac.</p>
</dd>
</dl>
<p>The <a href="../man1/openssl-mac.html">openssl-mac(1)</a> command should be preferred to using this command line option.</p>
</dd>
<dt id="fips-fingerprint"><b>-fips-fingerprint</b></dt>
<dd>
<p>Compute HMAC using a specific key for certain OpenSSL-FIPS operations.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
<p>The engine is not used for digests unless the <b>-engine_impl</b> option is used or it is configured to do so, see <a href="../man5/config.html">&quot;Engine Configuration Module&quot; in config(5)</a>.</p>
</dd>
<dt id="engine_impl-id"><b>-engine_impl</b> <i>id</i></dt>
<dd>
<p>When used with the <b>-engine</b> option, it specifies to also use engine <i>id</i> for digest operations.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="file"><i>file</i> ...</dt>
<dd>
<p>File or files to digest. If no files are specified then standard input is used.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>To create a hex-encoded message digest of a file:</p>
<pre><code> openssl dgst -md5 -hex file.txt
or
openssl md5 file.txt</code></pre>
<p>To sign a file using SHA-256 with binary file output:</p>
<pre><code> openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt
or
openssl sha256 -sign privatekey.pem -out signature.sign file.txt</code></pre>
<p>To verify a signature:</p>
<pre><code> openssl dgst -sha256 -verify publickey.pem \
-signature signature.sign \
file.txt</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>The digest mechanisms that are available will depend on the options used when building OpenSSL. The <code>openssl list -digest-algorithms</code> command can be used to list them.</p>
<p>New or agile applications should use probably use SHA-256. Other digests, particularly SHA-1 and MD5, are still widely used for interoperating with existing formats and protocols.</p>
<p>When signing a file, this command will automatically determine the algorithm (RSA, ECC, etc) to use for signing based on the private key&#39;s ASN.1 info. When verifying signatures, it only handles the RSA, DSA, or ECDSA signature itself, not the related data to identify the signer and algorithm used in formats such as x.509, CMS, and S/MIME.</p>
<p>A source of random numbers is required for certain signing algorithms, in particular ECDSA and DSA.</p>
<p>The signing and verify options should only be used if a single file is being signed or verified.</p>
<p>Hex signatures cannot be verified using <b>openssl</b>. Instead, use &quot;xxd -r&quot; or similar program to transform the hex signature into a binary signature prior to verification.</p>
<p>The <a href="../man1/openssl-mac.html">openssl-mac(1)</a> command is preferred over the <b>-hmac</b>, <b>-mac</b> and <b>-macopt</b> command line options.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl-mac.html">openssl-mac(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0. The FIPS-related options were removed in OpenSSL 1.1.0.</p>
<p>The <b>-engine</b> and <b>-engine_impl</b> options were deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,170 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-dhparam</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-dhparam - DH parameter manipulation and generation</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl dhparam</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-dsaparam</b>] [<b>-check</b>] [<b>-noout</b>] [<b>-text</b>] [<b>-verbose</b>] [<b>-quiet</b>] [<b>-2</b>] [<b>-3</b>] [<b>-5</b>] [<b>-engine</b> <i>id</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>numbits</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is used to manipulate DH parameter files.</p>
<p>See <a href="../man1/openssl-genpkey.html">&quot;EXAMPLES&quot; in openssl-genpkey(1)</a> for examples on how to generate a key using a named safe prime group without generating intermediate parameters.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM--outform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b>, <b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The input format and output format; the default is <b>PEM</b>. The object is compatible with the PKCS#3 <b>DHparameter</b> structure. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read parameters from or standard input if this option is not specified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename parameters to. Standard output is used if this option is not present. The output filename should <b>not</b> be the same as the input filename.</p>
</dd>
<dt id="dsaparam"><b>-dsaparam</b></dt>
<dd>
<p>If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, safe primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.</p>
<p>DH parameter generation with the <b>-dsaparam</b> option is much faster. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.</p>
</dd>
<dt id="check"><b>-check</b></dt>
<dd>
<p>Performs numerous checks to see if the supplied parameters are valid and displays a warning if not.</p>
</dd>
<dt id="pod-2--3--5"><b>-2</b>, <b>-3</b>, <b>-5</b></dt>
<dd>
<p>The generator to use, either 2, 3 or 5. If present then the input file is ignored and parameters are generated instead. If not present but <i>numbits</i> is present, parameters are generated with the default generator 2.</p>
</dd>
<dt id="numbits"><i>numbits</i></dt>
<dd>
<p>This option specifies that a parameter set should be generated of size <i>numbits</i>. It must be the last option. If this option is present then the input file is ignored and parameters are generated instead. If this option is not present but a generator (<b>-2</b>, <b>-3</b> or <b>-5</b>) is present, parameters are generated with a default length of 2048 bits. The minimum length is 512 bits. The maximum length is 10000 bits.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option inhibits the output of the encoded version of the parameters.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>This option prints out the DH parameters in human readable form.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>This option enables the output of progress messages, which is handy when running commands interactively that may take a long time to execute.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>This option suppresses the output of progress messages, which may be undesirable in batch scripts or pipelines.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>This command replaces the <b>dh</b> and <b>gendh</b> commands of previous releases.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkeyparam.html">openssl-pkeyparam(1)</a>, <a href="../man1/openssl-dsaparam.html">openssl-dsaparam(1)</a>, <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a>.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>The <b>-C</b> option was removed in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

@ -1,202 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-dsa</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-dsa - DSA key processing</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>dsa</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>] [<b>-passin</b> <i>arg</i>] [<b>-out</b> <i>filename</i>] [<b>-passout</b> <i>arg</i>] [<b>-aes128</b>] [<b>-aes192</b>] [<b>-aes256</b>] [<b>-aria128</b>] [<b>-aria192</b>] [<b>-aria256</b>] [<b>-camellia128</b>] [<b>-camellia192</b>] [<b>-camellia256</b>] [<b>-des</b>] [<b>-des3</b>] [<b>-idea</b>] [<b>-text</b>] [<b>-noout</b>] [<b>-modulus</b>] [<b>-pubin</b>] [<b>-pubout</b>] [<b>-pvk-strong</b>] [<b>-pvk-weak</b>] [<b>-pvk-none</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes DSA keys. They can be converted between various forms and their components printed out. <b>Note</b> This command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the <b>pkcs8</b> command.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The key input format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The key output format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>Private keys are a sequence of <b>ASN.1 INTEGERS</b>: the version (zero), <b>p</b>, <b>q</b>, <b>g</b>, and the public and private key components. Public keys are a <b>SubjectPublicKeyInfo</b> structure with the <b>DSA</b> type.</p>
<p>The <b>PEM</b> format also accepts PKCS#8 data.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write a key to, or standard output if this option is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should <b>not</b> be the same as the input filename.</p>
</dd>
<dt id="passin-arg--passout-arg"><b>-passin</b> <i>arg</i>, <b>-passout</b> <i>arg</i></dt>
<dd>
<p>The password source for the input and output file. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="aes128--aes192--aes256--aria128--aria192--aria256--camellia128--camellia192--camellia256--des--des3--idea"><b>-aes128</b>, <b>-aes192</b>, <b>-aes256</b>, <b>-aria128</b>, <b>-aria192</b>, <b>-aria256</b>, <b>-camellia128</b>, <b>-camellia192</b>, <b>-camellia256</b>, <b>-des</b>, <b>-des3</b>, <b>-idea</b></dt>
<dd>
<p>These options encrypt the private key with the specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that this command can be used to remove the pass phrase from a key by giving no encryption option, or to add or change the pass phrase by setting one. These options can only be used with PEM format output files.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out the public, private key components and parameters.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option prevents output of the encoded version of the key.</p>
</dd>
<dt id="modulus"><b>-modulus</b></dt>
<dd>
<p>This option prints out the value of the public key component of the key.</p>
</dd>
<dt id="pubin"><b>-pubin</b></dt>
<dd>
<p>By default, a private key is read from the input. With this option a public key is read instead. If the input contains no public key but a private key, its public part is used.</p>
</dd>
<dt id="pubout"><b>-pubout</b></dt>
<dd>
<p>By default, a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key.</p>
</dd>
<dt id="pvk-strong"><b>-pvk-strong</b></dt>
<dd>
<p>Enable &#39;Strong&#39; PVK encoding level (default).</p>
</dd>
<dt id="pvk-weak"><b>-pvk-weak</b></dt>
<dd>
<p>Enable &#39;Weak&#39; PVK encoding level.</p>
</dd>
<dt id="pvk-none"><b>-pvk-none</b></dt>
<dd>
<p>Don&#39;t enforce PVK encoding.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<p>The <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a> command is capable of performing all the operations this command can, as well as supporting other public key types.</p>
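<p>The following is an added worked example and is not part of the OpenSSL documentation or code base. It is a standard-library Python program that parses the PEM objects described on these pages (the PKCS#3 <b>DHparameter</b> structure that <b>openssl dhparam</b> reads and writes, and the <b>version, p, q, g, y, x</b> INTEGER sequence of a traditional DSA private key as written by <b>openssl dsa</b>) and then applies the checks that <b>dhparam -check</b> and <b>-text</b> let an operator reason about: p is prime, (p-1)/2 is prime (a safe prime), g is not in a trivial subgroup, and for a DSA key that q divides p-1, g has order q and y equals g^x mod p. The Miller-Rabin, DER and PEM helpers, the function names and the 64-bit sample parameters are constructed for this example; real parameters are 2048 bits or more and these samples must not be used for anything but the demonstration.</p>

```python
"""Parse the PEM-wrapped SEQUENCE-of-INTEGER objects written by openssl dhparam and
openssl dsa, then apply the checks behind `dhparam -check` and the consistency a
traditional DSA private key must satisfy (standard library only; sample sizes are toy)."""
import base64
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, extra_rounds=8):
    """Miller-Rabin; the fixed bases alone are deterministic below 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES + tuple(random.randrange(2, n - 1) for _ in range(extra_rounds)):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def pem_seq_of_ints(label, values):
    """DER-encode SEQUENCE { INTEGER, ... } and wrap it in a PEM block."""
    body = b""
    for v in values:
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # spare byte keeps the sign positive
        body += b"\x02" + der_len(len(b)) + b
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


def read_tlv(buf, pos):  # one tag-length-value triple -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pem_to_ints(pem):
    """Decode a PEM object whose DER body is SEQUENCE { INTEGER, INTEGER, ... }."""
    der = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    return ints


def check_dh(pem):
    """PKCS#3 DHparameter ::= SEQUENCE { prime p, base g [, privateValueLength] }."""
    p, g = pem_to_ints(pem)[:2]
    q = (p - 1) // 2
    r = {"p_prime": is_probable_prime(p), "safe_prime": is_probable_prime(q), "g_in_range": 1 < g < p - 1}
    # With a safe prime every g in [2, p-2] has order q or 2q, so excluding 1 and p-1 rules out
    # the only small subgroups; g_order merely reports which of the two g generates.
    gq = pow(g, q, p) if r["g_in_range"] else 0
    r["g_order"] = "q" if gq == 1 else "2q" if gq == p - 1 else "other"
    r["ok"] = r["p_prime"] and r["safe_prime"] and r["g_in_range"] and r["g_order"] != "other"
    return r


def check_dsa_key(pem):
    """Traditional DSA key as openssl dsa writes it: SEQUENCE { version, p, q, g, y, x }."""
    version, p, q, g, y, x = pem_to_ints(pem)
    r = {"version0": version == 0, "p_prime": is_probable_prime(p), "q_prime": is_probable_prime(q),
         "q_divides_p_minus_1": (p - 1) % q == 0, "g_order_q": 1 < g < p and pow(g, q, p) == 1,
         "x_in_range": 0 < x < q, "y_matches_x": pow(g, x, p) == y}
    r["ok"] = all(r.values())
    return r


def find_safe_prime(bits, seed=2024):  # constructed sample: p = 2q + 1 with p and q prime
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def sample_dsa_key_pem(bits=64):
    """Toy DSA key over the same safe prime: q = (p-1)/2, and g = 4 = 2^2 has order q."""
    p = find_safe_prime(bits)
    q, g = (p - 1) // 2, 4
    x = random.Random(7).randrange(1, q)
    return pem_seq_of_ints("DSA PRIVATE KEY", [0, p, q, g, pow(g, x, p), x])
```

<p>To exercise it on the constructed samples, call <code>check_dh(pem_seq_of_ints("DH PARAMETERS", [find_safe_prime(64), 2]))</code> and <code>check_dsa_key(sample_dsa_key_pem())</code>; both return a dictionary whose <code>ok</code> entry is true. The same <code>check_dh</code> accepts the text of a file produced by <b>openssl dhparam -out dh.pem 2048</b> (the parser handles long-form DER lengths for that reason), and <code>check_dsa_key</code> accepts an unencrypted key written by <b>openssl dsa</b> in the traditional format; a PKCS#8 key has a different outer structure and is rejected by the INTEGER check.</p>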
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>The documentation for the <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a> command contains examples equivalent to the ones listed here.</p>
<p>To remove the pass phrase on a DSA private key:</p>
<pre><code> openssl dsa -in key.pem -out keyout.pem</code></pre>
<p>To encrypt a private key using triple DES:</p>
<pre><code> openssl dsa -in key.pem -des3 -out keyout.pem</code></pre>
<p>To convert a private key from PEM to DER format:</p>
<pre><code> openssl dsa -in key.pem -outform DER -out keyout.der</code></pre>
<p>To print out the components of a private key to standard output:</p>
<pre><code> openssl dsa -in key.pem -text -noout</code></pre>
<p>To just output the public part of a private key:</p>
<pre><code> openssl dsa -in key.pem -pubout -out pubkey.pem</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a>, <a href="../man1/openssl-dsaparam.html">openssl-dsaparam(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

@ -1,165 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-dsaparam</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-dsaparam - DSA parameter manipulation and generation</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl dsaparam</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-noout</b>] [<b>-text</b>] [<b>-genkey</b>] [<b>-verbose</b>] [<b>-quiet</b>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>numbits</i>] [<i>numqbits</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is used to manipulate or generate DSA parameter files.</p>
<p>DSA parameter generation can be a slow process and as a result the same set of DSA parameters is often used to generate several distinct keys.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The DSA parameters input format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The DSA parameters output format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>Parameters are a sequence of <b>ASN.1 INTEGER</b>s: <b>p</b>, <b>q</b>, and <b>g</b>. This is compatible with RFC 2459 <b>DSS-Parms</b> structure.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read parameters from or standard input if this option is not specified. If the <i>numbits</i> parameter is included then this option will be ignored.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write parameters to. Standard output is used if this option is not present. The output filename should <b>not</b> be the same as the input filename.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option inhibits the output of the encoded version of the parameters.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>This option prints out the DSA parameters in human readable form.</p>
</dd>
<dt id="genkey"><b>-genkey</b></dt>
<dd>
<p>This option will generate a DSA key using either the specified or the generated parameters.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Print extra details about the operations being performed.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>Print fewer details about the operations being performed, which may be handy in batch scripts and pipelines.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="numbits"><i>numbits</i></dt>
<dd>
<p>This optional argument specifies that a parameter set should be generated of size <i>numbits</i>. If this argument is included then the input file (if any) is ignored.</p>
</dd>
<dt id="numqbits"><i>numqbits</i></dt>
<dd>
<p>This optional argument specifies that a parameter set should be generated with a subprime parameter q of size <i>numqbits</i>. It must be the last argument. If this argument is included then the input file (if any) is ignored.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkeyparam.html">openssl-pkeyparam(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a>, <a href="../man1/openssl-dsa.html">openssl-dsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>The <b>-C</b> option was removed in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

@ -1,212 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-ec</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-ec - EC key processing</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>ec</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>|<i>uri</i>] [<b>-passin</b> <i>arg</i>] [<b>-out</b> <i>filename</i>] [<b>-passout</b> <i>arg</i>] [<b>-des</b>] [<b>-des3</b>] [<b>-idea</b>] [<b>-text</b>] [<b>-noout</b>] [<b>-param_out</b>] [<b>-pubin</b>] [<b>-pubout</b>] [<b>-conv_form</b> <i>arg</i>] [<b>-param_enc</b> <i>arg</i>] [<b>-no_public</b>] [<b>-check</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The <a href="../man1/openssl-ec.html">openssl-ec(1)</a> command processes EC keys. They can be converted between various forms and their components printed out. <b>Note</b> OpenSSL uses the private key format specified in &#39;SEC 1: Elliptic Curve Cryptography&#39; (http://www.secg.org/). To convert an OpenSSL EC private key into the PKCS#8 private key format use the <a href="../man1/openssl-pkcs8.html">openssl-pkcs8(1)</a> command.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM-P12-ENGINE"><b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The key input format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The key output format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>Private keys are in SEC 1 private key or PKCS#8 format. Public keys are a <b>SubjectPublicKeyInfo</b> as specified in IETF RFC 3280.</p>
</dd>
<dt id="in-filename-uri"><b>-in</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This specifies the input to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write a key to, or standard output if this option is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should <b>not</b> be the same as the input filename.</p>
</dd>
<dt id="passin-arg--passout-arg"><b>-passin</b> <i>arg</i>, <b>-passout</b> <i>arg</i></dt>
<dd>
<p>The password source for the input and output file. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="des--des3--idea"><b>-des</b>|<b>-des3</b>|<b>-idea</b></dt>
<dd>
<p>These options encrypt the private key with DES, triple DES, IDEA or any other cipher supported by OpenSSL before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that reading an encrypted key with this command and giving no encryption option removes the pass phrase from the key, while setting one of the encryption options adds or changes the pass phrase. These options can only be used with PEM format output files.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out the public, private key components and parameters.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option prevents output of the encoded version of the key.</p>
</dd>
<dt id="param_out"><b>-param_out</b></dt>
<dd>
<p>Print the elliptic curve parameters.</p>
</dd>
<dt id="pubin"><b>-pubin</b></dt>
<dd>
<p>By default a private key is read from the input. With this option a public key is read instead. If the input contains no public key but a private key, its public part is used.</p>
</dd>
<dt id="pubout"><b>-pubout</b></dt>
<dd>
<p>By default a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key.</p>
</dd>
<dt id="conv_form-arg"><b>-conv_form</b> <i>arg</i></dt>
<dd>
<p>This specifies how the points on the elliptic curve are converted into octet strings. Possible values are: <b>compressed</b>, <b>uncompressed</b> (the default value) and <b>hybrid</b>. For more information regarding the point conversion forms please read the X9.62 standard. <b>Note</b> Due to patent issues the <b>compressed</b> option is disabled by default for binary curves and can be enabled by defining the preprocessor macro <b>OPENSSL_EC_BIN_PT_COMP</b> at compile time.</p>
</dd>
<dt id="param_enc-arg"><b>-param_enc</b> <i>arg</i></dt>
<dd>
<p>This specifies how the elliptic curve parameters are encoded. Possible values are: <b>named_curve</b>, i.e. the EC parameters are specified by an OID, or <b>explicit</b>, where the EC parameters are explicitly given (see RFC 3279 for the definition of the EC parameter structures). The default value is <b>named_curve</b>. <b>Note</b> the <b>implicitlyCA</b> alternative, as specified in RFC 3279, is currently not implemented in OpenSSL.</p>
</dd>
<dt id="no_public"><b>-no_public</b></dt>
<dd>
<p>This option omits the public key components from the private key output.</p>
</dd>
<dt id="check"><b>-check</b></dt>
<dd>
<p>This option checks the consistency of an EC private or public key.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<p>The <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a> command is capable of performing all the operations this command can, as well as supporting other public key types.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>The documentation for the <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a> command contains examples equivalent to the ones listed here.</p>
<p>To encrypt a private key using triple DES:</p>
<pre><code> openssl ec -in key.pem -des3 -out keyout.pem</code></pre>
<p>To convert a private key from PEM to DER format:</p>
<pre><code> openssl ec -in key.pem -outform DER -out keyout.der</code></pre>
<p>To print out the components of a private key to standard output:</p>
<pre><code> openssl ec -in key.pem -text -noout</code></pre>
<p>To just output the public part of a private key:</p>
<pre><code> openssl ec -in key.pem -pubout -out pubkey.pem</code></pre>
<p>To change the parameters encoding to <b>explicit</b>:</p>
<pre><code> openssl ec -in key.pem -param_enc explicit -out keyout.pem</code></pre>
<p>To change the point conversion form to <b>compressed</b>:</p>
<pre><code> openssl ec -in key.pem -conv_form compressed -out keyout.pem</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a>, <a href="../man1/openssl-ecparam.html">openssl-ecparam(1)</a>, <a href="../man1/openssl-dsa.html">openssl-dsa(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>The <b>-conv_form</b> and <b>-no_public</b> options are no longer supported with keys loaded from an engine in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

@ -1,214 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-ecparam</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-ecparam - EC parameter manipulation and generation</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl ecparam</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-noout</b>] [<b>-text</b>] [<b>-check</b>] [<b>-check_named</b>] [<b>-name</b> <i>arg</i>] [<b>-list_curves</b>] [<b>-conv_form</b> <i>arg</i>] [<b>-param_enc</b> <i>arg</i>] [<b>-no_seed</b>] [<b>-genkey</b>] [<b>-engine</b> <i>id</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is used to manipulate or generate EC parameter files.</p>
<p>OpenSSL is currently not able to generate new groups and therefore this command can only create EC parameters from known (named) curves.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The EC parameters input format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The EC parameters output format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>Parameters are encoded as <b>EcpkParameters</b> as specified in IETF RFC 3279.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read parameters from or standard input if this option is not specified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write parameters to. Standard output is used if this option is not present. The output filename should <b>not</b> be the same as the input filename.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option inhibits the output of the encoded version of the parameters.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>This option prints out the EC parameters in human readable form.</p>
</dd>
<dt id="check"><b>-check</b></dt>
<dd>
<p>Validate the elliptic curve parameters.</p>
</dd>
<dt id="check_named"><b>-check_named</b></dt>
<dd>
<p>Validate the named elliptic curve parameters by checking whether the curve parameters match any of the built-in curves.</p>
</dd>
<dt id="name-arg"><b>-name</b> <i>arg</i></dt>
<dd>
<p>Use the EC parameters with the specified &#39;short&#39; name. Use <b>-list_curves</b> to get a list of all currently implemented EC parameters.</p>
</dd>
<dt id="list_curves"><b>-list_curves</b></dt>
<dd>
<p>Print out a list of all currently implemented EC parameters names and exit.</p>
</dd>
<dt id="conv_form-arg"><b>-conv_form</b> <i>arg</i></dt>
<dd>
<p>This specifies how the points on the elliptic curve are converted into octet strings. Possible values are: <b>compressed</b>, <b>uncompressed</b> (the default value) and <b>hybrid</b>. For more information regarding the point conversion forms please read the X9.62 standard. <b>Note</b> Due to patent issues the <b>compressed</b> option is disabled by default for binary curves and can be enabled by defining the preprocessor macro <b>OPENSSL_EC_BIN_PT_COMP</b> at compile time.</p>
</dd>
<dt id="param_enc-arg"><b>-param_enc</b> <i>arg</i></dt>
<dd>
<p>This specifies how the elliptic curve parameters are encoded. Possible values are: <b>named_curve</b>, i.e. the EC parameters are specified by an OID, or <b>explicit</b>, where the EC parameters are explicitly given (see RFC 3279 for the definition of the EC parameter structures). The default value is <b>named_curve</b>. <b>Note</b> the <b>implicitlyCA</b> alternative, as specified in RFC 3279, is currently not implemented in OpenSSL.</p>
</dd>
<dt id="no_seed"><b>-no_seed</b></dt>
<dd>
<p>This option prevents the &#39;seed&#39; used for parameter generation from being included in the ECParameters structure (see RFC 3279).</p>
</dd>
<dt id="genkey"><b>-genkey</b></dt>
<dd>
<p>This option will generate an EC private key using the specified parameters.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<p>The <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a> and <a href="../man1/openssl-pkeyparam.html">openssl-pkeyparam(1)</a> commands are capable of performing all the operations this command can, as well as supporting other public key types.</p>
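<p>As an added example, not OpenSSL code, the three point conversion forms that <b>-conv_form</b> selects here and in <b>openssl ec</b> (uncompressed <b>04||X||Y</b>, compressed <b>02/03||X</b>, hybrid <b>06/07||X||Y</b>, as laid out in X9.62 and SEC 1) implemented over NIST P-256 (the <b>prime256v1</b> named curve) in standard-library Python. The curve constants are the published prime256v1 values; the function names are the example's own. Decoding recomputes Y from X for the compressed form and in every form checks that the result lies on the curve, which is the property <b>-check</b> validates and the reason a parser must not accept an uncompressed or hybrid encoding on trust.</p>

```python
"""The X9.62 / SEC 1 point conversion forms that -conv_form selects, worked on
NIST P-256 (prime256v1) with the standard library only.  Decoding validates that
the result lies on the curve, so an off-curve or malformed encoding is rejected
rather than handed on to key agreement or signature verification."""

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
FIELD_BYTES = (P.bit_length() + 7) // 8  # 32 for P-256


def on_curve(x, y):
    """True when y^2 == x^3 + a*x + b over GF(P)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def sqrt_mod_p(v):
    """Square root modulo P (valid because P % 4 == 3); None if v is a non-residue."""
    r = pow(v, (P + 1) // 4, P)
    return r if r * r % P == v % P else None


def encode_point(x, y, form="uncompressed"):
    """Octet string for an affine point: 04||X||Y, 02/03||X or 06/07||X||Y."""
    xb, yb, parity = x.to_bytes(FIELD_BYTES, "big"), y.to_bytes(FIELD_BYTES, "big"), y & 1
    if form == "uncompressed":
        return b"\x04" + xb + yb
    if form == "compressed":
        return bytes([0x02 | parity]) + xb  # Y is recovered from X plus one parity bit
    if form == "hybrid":
        return bytes([0x06 | parity]) + xb + yb  # both coordinates and the parity bit
    raise ValueError("unknown conversion form %r" % form)


def decode_point(octets):
    """Inverse of encode_point; raises ValueError on malformed or off-curve input."""
    if not octets:
        raise ValueError("empty point encoding")
    tag = octets[0]
    if tag in (0x04, 0x06, 0x07):
        if len(octets) != 1 + 2 * FIELD_BYTES:
            raise ValueError("bad length for an uncompressed/hybrid point")
        x = int.from_bytes(octets[1:1 + FIELD_BYTES], "big")
        y = int.from_bytes(octets[1 + FIELD_BYTES:], "big")
        if tag != 0x04 and (y & 1) != (tag & 1):
            raise ValueError("hybrid parity bit disagrees with Y")
    elif tag in (0x02, 0x03):
        if len(octets) != 1 + FIELD_BYTES:
            raise ValueError("bad length for a compressed point")
        x = int.from_bytes(octets[1:], "big")
        y = sqrt_mod_p((x * x * x + A * x + B) % P)
        if y is None:
            raise ValueError("X is not the x-coordinate of any curve point")
        if (y & 1) != (tag & 1):
            y = P - y  # choose the root whose parity matches the tag
    else:
        raise ValueError("unknown point form 0x%02x" % tag)
    if not (x < P and y < P and on_curve(x, y)):
        raise ValueError("point is not on the curve")
    return x, y


def decodes(octets):
    """Boolean wrapper around decode_point for callers that only need accept/reject."""
    try:
        decode_point(octets)
        return True
    except ValueError:
        return False


def conversion_roundtrip(x, y):
    """Encode (x, y) in all three forms and check that each decodes back to it."""
    return all(decode_point(encode_point(x, y, f)) == (x, y)
               for f in ("uncompressed", "compressed", "hybrid"))
```

<p><code>conversion_roundtrip(GX, GY)</code> returns true for the P-256 base point, whose compressed form starts with <b>03</b> because its Y coordinate is odd. Flipping the parity bit of a hybrid encoding, or any bit of the Y coordinate in an uncompressed one, makes <code>decodes</code> return false, which is the behaviour a key or certificate parser needs before it uses the point.</p>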
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>The documentation for the <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a> and <a href="../man1/openssl-pkeyparam.html">openssl-pkeyparam(1)</a> commands contains examples equivalent to the ones listed here.</p>
<p>To create EC parameters with the group &#39;prime192v1&#39;:</p>
<pre><code> openssl ecparam -out ec_param.pem -name prime192v1</code></pre>
<p>To create EC parameters with explicit parameters:</p>
<pre><code> openssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit</code></pre>
<p>To validate given EC parameters:</p>
<pre><code> openssl ecparam -in ec_param.pem -check</code></pre>
<p>To create EC parameters and a private key:</p>
<pre><code> openssl ecparam -out ec_key.pem -name prime192v1 -genkey</code></pre>
<p>To change the point encoding to &#39;compressed&#39;:</p>
<pre><code> openssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed</code></pre>
<p>To print out the EC parameters to standard output:</p>
<pre><code> openssl ecparam -in ec_param.pem -noout -text</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkeyparam.html">openssl-pkeyparam(1)</a>, <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a>, <a href="../man1/openssl-ec.html">openssl-ec(1)</a>, <a href="../man1/openssl-dsaparam.html">openssl-dsaparam(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>The <b>-C</b> option was removed in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,465 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-enc</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SUPPORTED-CIPHERS">SUPPORTED CIPHERS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-enc - symmetric cipher routines</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>enc</b>|<i>cipher</i> [<b>-<i>cipher</i></b>] [<b>-help</b>] [<b>-list</b>] [<b>-ciphers</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-pass</b> <i>arg</i>] [<b>-e</b>] [<b>-d</b>] [<b>-a</b>] [<b>-base64</b>] [<b>-A</b>] [<b>-k</b> <i>password</i>] [<b>-kfile</b> <i>filename</i>] [<b>-K</b> <i>key</i>] [<b>-iv</b> <i>IV</i>] [<b>-S</b> <i>salt</i>] [<b>-salt</b>] [<b>-nosalt</b>] [<b>-z</b>] [<b>-md</b> <i>digest</i>] [<b>-iter</b> <i>count</i>] [<b>-pbkdf2</b>] [<b>-saltlen</b> <i>size</i>] [<b>-p</b>] [<b>-P</b>] [<b>-bufsize</b> <i>number</i>] [<b>-nopad</b>] [<b>-v</b>] [<b>-debug</b>] [<b>-none</b>] [<b>-engine</b> <i>id</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<p><b>openssl</b> <i>cipher</i> [<b>...</b>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The symmetric cipher commands allow data to be encrypted or decrypted using various block and stream ciphers using keys based on passwords or explicitly provided. Base64 encoding or decoding can also be performed either by itself or in addition to the encryption or decryption.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="cipher"><b>-<i>cipher</i></b></dt>
<dd>
<p>The cipher to use.</p>
</dd>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="list"><b>-list</b></dt>
<dd>
<p>List all supported ciphers.</p>
</dd>
<dt id="ciphers"><b>-ciphers</b></dt>
<dd>
<p>Alias of -list to display all supported ciphers.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>The input filename, standard input by default.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>The output filename, standard output by default.</p>
</dd>
<dt id="pass-arg"><b>-pass</b> <i>arg</i></dt>
<dd>
<p>The password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="e"><b>-e</b></dt>
<dd>
<p>Encrypt the input data: this is the default.</p>
</dd>
<dt id="d"><b>-d</b></dt>
<dd>
<p>Decrypt the input data.</p>
</dd>
<dt id="a"><b>-a</b></dt>
<dd>
<p>Base64 process the data. This means that if encryption is taking place the data is base64 encoded after encryption. If decryption is set then the input data is base64 decoded before being decrypted.</p>
</dd>
<dt id="base64"><b>-base64</b></dt>
<dd>
<p>Same as <b>-a</b></p>
</dd>
<dt id="A"><b>-A</b></dt>
<dd>
<p>If the <b>-a</b> option is set then base64 process the data on one line.</p>
</dd>
<dt id="k-password"><b>-k</b> <i>password</i></dt>
<dd>
<p>The password to derive the key from. This is for compatibility with previous versions of OpenSSL. Superseded by the <b>-pass</b> argument.</p>
</dd>
<dt id="kfile-filename"><b>-kfile</b> <i>filename</i></dt>
<dd>
<p>Read the password to derive the key from the first line of <i>filename</i>. This is for compatibility with previous versions of OpenSSL. Superseded by the <b>-pass</b> argument.</p>
</dd>
<dt id="md-digest"><b>-md</b> <i>digest</i></dt>
<dd>
<p>Use the specified digest to create the key from the passphrase. The default algorithm is sha-256.</p>
</dd>
<dt id="iter-count"><b>-iter</b> <i>count</i></dt>
<dd>
<p>Use a given number of iterations on the password in deriving the encryption key. High values increase the time required to brute-force the resulting file. This option enables the use of PBKDF2 algorithm to derive the key.</p>
</dd>
<dt id="pbkdf2"><b>-pbkdf2</b></dt>
<dd>
<p>Use PBKDF2 algorithm with a default iteration count of 10000 unless otherwise specified by the <b>-iter</b> command line option.</p>
</dd>
<dt id="saltlen"><b>-saltlen</b></dt>
<dd>
<p>Set the salt length to use when using the <b>-pbkdf2</b> option. For compatibility reasons, the default is 8 bytes. The maximum value is currently 16 bytes. If the <b>-pbkdf2</b> option is not used, then this option is ignored and a fixed salt length of 8 is used. The salt length used when encrypting must also be used when decrypting.</p>
</dd>
<dt id="nosalt"><b>-nosalt</b></dt>
<dd>
<p>Don&#39;t use a salt in the key derivation routines. This option <b>SHOULD NOT</b> be used except for test purposes or compatibility with ancient versions of OpenSSL.</p>
</dd>
<dt id="salt"><b>-salt</b></dt>
<dd>
<p>Use salt (randomly generated or provide with <b>-S</b> option) when encrypting, this is the default.</p>
</dd>
<dt id="S-salt"><b>-S</b> <i>salt</i></dt>
<dd>
<p>The actual salt to use: this must be represented as a string of hex digits. If this option is used while encrypting, the same exact value will be needed again during decryption. This salt may be truncated or zero padded to match the salt length (See <b>-saltlen</b>).</p>
</dd>
<dt id="K-key"><b>-K</b> <i>key</i></dt>
<dd>
<p>The actual key to use: this must be represented as a string comprised only of hex digits. If only the key is specified, the IV must additionally specified using the <b>-iv</b> option. When both a key and a password are specified, the key given with the <b>-K</b> option will be used and the IV generated from the password will be taken. It does not make much sense to specify both key and password.</p>
</dd>
<dt id="iv-IV"><b>-iv</b> <i>IV</i></dt>
<dd>
<p>The actual IV to use: this must be represented as a string comprised only of hex digits. When only the key is specified using the <b>-K</b> option, the IV must explicitly be defined. When a password is being specified using one of the other options, the IV is generated from this password.</p>
</dd>
<dt id="p"><b>-p</b></dt>
<dd>
<p>Print out the key and IV used.</p>
</dd>
<dt id="P"><b>-P</b></dt>
<dd>
<p>Print out the key and IV used then immediately exit: don&#39;t do any encryption or decryption.</p>
</dd>
<dt id="bufsize-number"><b>-bufsize</b> <i>number</i></dt>
<dd>
<p>Set the buffer size for I/O.</p>
</dd>
<dt id="nopad"><b>-nopad</b></dt>
<dd>
<p>Disable standard block padding.</p>
</dd>
<dt id="v"><b>-v</b></dt>
<dd>
<p>Verbose print; display some statistics about I/O and buffer sizes.</p>
</dd>
<dt id="debug"><b>-debug</b></dt>
<dd>
<p>Debug the BIOs used for I/O.</p>
</dd>
<dt id="z"><b>-z</b></dt>
<dd>
<p>Compress or decompress encrypted data using zlib after encryption or before decryption. This option exists only if OpenSSL was compiled with the zlib or zlib-dynamic option.</p>
</dd>
<dt id="none"><b>-none</b></dt>
<dd>
<p>Use NULL cipher (no encryption or decryption of input).</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>The program can be called either as <code>openssl <i>cipher</i></code> or <code>openssl enc -<i>cipher</i></code>. The first form doesn&#39;t work with engine-provided ciphers, because this form is processed before the configuration file is read and any ENGINEs loaded. Use the <a href="../man1/openssl-list.html">openssl-list(1)</a> command to get a list of supported ciphers.</p>
<p>Engines which provide entirely new encryption algorithms (such as the ccgost engine which provides gost89 algorithm) should be configured in the configuration file. Engines specified on the command line using <b>-engine</b> option can only be used for hardware-assisted implementations of ciphers which are supported by the OpenSSL core or another engine specified in the configuration file.</p>
<p>When the enc command lists supported ciphers, ciphers provided by engines, specified in the configuration files are listed too.</p>
<p>A password will be prompted for to derive the key and IV if necessary.</p>
<p>The <b>-salt</b> option should <b>ALWAYS</b> be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL.</p>
<p>Without the <b>-salt</b> option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key.</p>
<p>When the salt is generated at random (that means when encrypting using a passphrase without explicit salt given using <b>-S</b> option), the first bytes of the encrypted data are reserved to store the salt for later decrypting.</p>
<p>Some of the ciphers do not have large keys and others have security implications if not used correctly. A beginner is advised to just use a strong block cipher, such as AES, in CBC mode.</p>
<p>All the block ciphers normally use PKCS#5 padding, also known as standard block padding. This allows a rudimentary integrity or password check to be performed. However, since the chance of random data passing the test is better than 1 in 256 it isn&#39;t a very good test.</p>
<p>If padding is disabled then the input data must be a multiple of the cipher block length.</p>
<p>All RC2 ciphers have the same key and effective key length.</p>
<p>Blowfish and RC5 algorithms use a 128 bit key.</p>
<p>Please note that OpenSSL 3.0 changed the effect of the <b>-S</b> option. Any explicit salt value specified via this option is no longer prepended to the ciphertext when encrypting, and must again be explicitly provided when decrypting. Conversely, when the <b>-S</b> option is used during decryption, the ciphertext is expected to not have a prepended salt value.</p>
<p>When using OpenSSL 3.0 or later to decrypt data that was encrypted with an explicit salt under OpenSSL 1.1.1 do not use the <b>-S</b> option, the salt will then be read from the ciphertext. To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use the <b>-S</b> option, the salt will be then be generated randomly and prepended to the output.</p>
<h1 id="SUPPORTED-CIPHERS">SUPPORTED CIPHERS</h1>
<p>Note that some of these ciphers can be disabled at compile time and some are available only if an appropriate engine is configured in the configuration file. The output when invoking this command with the <b>-list</b> option (that is <code>openssl enc -list</code>) is a list of ciphers, supported by your version of OpenSSL, including ones provided by configured engines.</p>
<p>This command does not support authenticated encryption modes like CCM and GCM, and will not support such modes in the future. This is due to having to begin streaming output (e.g., to standard output when <b>-out</b> is not used) before the authentication tag could be validated. When this command is used in a pipeline, the receiving end will not be able to roll back upon authentication failure. The AEAD modes currently in common use also suffer from catastrophic failure of confidentiality and/or integrity upon reuse of key/iv/nonce, and since <b>openssl enc</b> places the entire burden of key/iv/nonce management upon the user, the risk of exposing AEAD modes is too great to allow. These key/iv/nonce management issues also affect other modes currently exposed in this command, but the failure modes are less extreme in these cases, and the functionality cannot be removed with a stable release branch. For bulk encryption of data, whether using authenticated encryption modes or other modes, <a href="../man1/openssl-cms.html">openssl-cms(1)</a> is recommended, as it provides a standard data format and performs the needed key/iv/nonce management.</p>
<p>When enc is used with key wrapping modes the input data cannot be streamed, meaning it must be processed in a single pass. Consequently, the input data size must be less than the buffer size (-bufsize arg, default to 8*1024 bytes). The &#39;*-wrap&#39; ciphers require the input to be a multiple of 8 bytes long, because no padding is involved. The &#39;*-wrap-pad&#39; ciphers allow any input length. In both cases, no IV is needed. See example below.</p>
<pre><code> base64 Base 64
bf-cbc Blowfish in CBC mode
bf Alias for bf-cbc
blowfish Alias for bf-cbc
bf-cfb Blowfish in CFB mode
bf-ecb Blowfish in ECB mode
bf-ofb Blowfish in OFB mode
cast-cbc CAST in CBC mode
cast Alias for cast-cbc
cast5-cbc CAST5 in CBC mode
cast5-cfb CAST5 in CFB mode
cast5-ecb CAST5 in ECB mode
cast5-ofb CAST5 in OFB mode
chacha20 ChaCha20 algorithm
des-cbc DES in CBC mode
des Alias for des-cbc
des-cfb DES in CFB mode
des-ofb DES in OFB mode
des-ecb DES in ECB mode
des-ede-cbc Two key triple DES EDE in CBC mode
des-ede Two key triple DES EDE in ECB mode
des-ede-cfb Two key triple DES EDE in CFB mode
des-ede-ofb Two key triple DES EDE in OFB mode
des-ede3-cbc Three key triple DES EDE in CBC mode
des-ede3 Three key triple DES EDE in ECB mode
des3 Alias for des-ede3-cbc
des-ede3-cfb Three key triple DES EDE CFB mode
des-ede3-ofb Three key triple DES EDE in OFB mode
desx DESX algorithm.
gost89 GOST 28147-89 in CFB mode (provided by ccgost engine)
gost89-cnt GOST 28147-89 in CNT mode (provided by ccgost engine)
idea-cbc IDEA algorithm in CBC mode
idea same as idea-cbc
idea-cfb IDEA in CFB mode
idea-ecb IDEA in ECB mode
idea-ofb IDEA in OFB mode
rc2-cbc 128 bit RC2 in CBC mode
rc2 Alias for rc2-cbc
rc2-cfb 128 bit RC2 in CFB mode
rc2-ecb 128 bit RC2 in ECB mode
rc2-ofb 128 bit RC2 in OFB mode
rc2-64-cbc 64 bit RC2 in CBC mode
rc2-40-cbc 40 bit RC2 in CBC mode
rc4 128 bit RC4
rc4-64 64 bit RC4
rc4-40 40 bit RC4
rc5-cbc RC5 cipher in CBC mode
rc5 Alias for rc5-cbc
rc5-cfb RC5 cipher in CFB mode
rc5-ecb RC5 cipher in ECB mode
rc5-ofb RC5 cipher in OFB mode
seed-cbc SEED cipher in CBC mode
seed Alias for seed-cbc
seed-cfb SEED cipher in CFB mode
seed-ecb SEED cipher in ECB mode
seed-ofb SEED cipher in OFB mode
sm4-cbc SM4 cipher in CBC mode
sm4 Alias for sm4-cbc
sm4-cfb SM4 cipher in CFB mode
sm4-ctr SM4 cipher in CTR mode
sm4-ecb SM4 cipher in ECB mode
sm4-ofb SM4 cipher in OFB mode
aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
aes[128|192|256] Alias for aes-[128|192|256]-cbc
aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
aes-[128|192|256]-ctr 128/192/256 bit AES in CTR mode
aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
aes-[128|192|256]-wrap key wrapping using 128/192/256 bit AES
aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES
aria-[128|192|256]-cbc 128/192/256 bit ARIA in CBC mode
aria[128|192|256] Alias for aria-[128|192|256]-cbc
aria-[128|192|256]-cfb 128/192/256 bit ARIA in 128 bit CFB mode
aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
aria-[128|192|256]-ctr 128/192/256 bit ARIA in CTR mode
aria-[128|192|256]-ecb 128/192/256 bit ARIA in ECB mode
aria-[128|192|256]-ofb 128/192/256 bit ARIA in OFB mode
camellia-[128|192|256]-cbc 128/192/256 bit Camellia in CBC mode
camellia[128|192|256] Alias for camellia-[128|192|256]-cbc
camellia-[128|192|256]-cfb 128/192/256 bit Camellia in 128 bit CFB mode
camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
camellia-[128|192|256]-ctr 128/192/256 bit Camellia in CTR mode
camellia-[128|192|256]-ecb 128/192/256 bit Camellia in ECB mode
camellia-[128|192|256]-ofb 128/192/256 bit Camellia in OFB mode</code></pre>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Just base64 encode a binary file:</p>
<pre><code> openssl base64 -in file.bin -out file.b64</code></pre>
<p>Decode the same file</p>
<pre><code> openssl base64 -d -in file.b64 -out file.bin</code></pre>
<p>Encrypt a file using AES-128 using a prompted password and PBKDF2 key derivation:</p>
<pre><code> openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128</code></pre>
<p>Decrypt a file using a supplied password:</p>
<pre><code> openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
-pass pass:&lt;password&gt;</code></pre>
<p>Encrypt a file then base64 encode it (so it can be sent via mail for example) using AES-256 in CTR mode and PBKDF2 key derivation:</p>
<pre><code> openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256</code></pre>
<p>Base64 decode a file then decrypt it using a password supplied in a file:</p>
<pre><code> openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
-pass file:&lt;passfile&gt;</code></pre>
<p>AES key wrapping:</p>
<pre><code> openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin
or
openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin</code></pre>
<h1 id="BUGS">BUGS</h1>
<p>The <b>-A</b> option when used with large files doesn&#39;t work properly.</p>
<p>The <b>openssl enc</b> command only supports a fixed number of algorithms with certain parameters. So if, for example, you want to use RC2 with a 76 bit key or RC4 with an 84 bit key you can&#39;t use this program.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.</p>
<p>The <b>-list</b> option was added in OpenSSL 1.1.1e.</p>
<p>The <b>-ciphers</b> and <b>-engine</b> options were deprecated in OpenSSL 3.0.</p>
<p>The <b>-saltlen</b> option was added in OpenSSL 3.2.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
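Review bot: Deleting this page removes the only in-tree record of two `openssl enc` behaviours that wrapper scripts tend to depend on: the OpenSSL 3.0 change to `-S` ("Any explicit salt value specified via this option is no longer prepended to the ciphertext when encrypting, and must again be explicitly provided when decrypting") and the 3.2 `-saltlen` rule that "The salt length used when encrypting must also be used when decrypting." Before relying solely on the upstream man page, check any script in this repository that calls `openssl enc` with `-S`, `-nosalt` or `-pbkdf2` against those notes, and add a pointer to the upstream openssl-enc(1) documentation wherever these prebuilt pages were previously referenced, so the salt handling and the "does not support authenticated encryption modes like CCM and GCM" caveat stay discoverable.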

View File

@ -1,148 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-engine</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#ENVIRONMENT">ENVIRONMENT</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-engine - load and query engines</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl engine</b> [<b>-help</b>] [<b>-v</b>] [<b>-vv</b>] [<b>-vvv</b>] [<b>-vvvv</b>] [<b>-c</b>] [<b>-t</b>] [<b>-tt</b>] [<b>-pre</b> <i>command</i>] ... [<b>-post</b> <i>command</i>] ... [<i>engine</i> ...]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command has been deprecated. Providers should be used instead of engines.</p>
<p>This command is used to query the status and capabilities of the specified <i>engine</i>s. Engines may be specified before and after all other command-line flags. Only those specified are queried.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Display an option summary.</p>
</dd>
<dt id="v--vv--vvv--vvvv"><b>-v</b> <b>-vv</b> <b>-vvv</b> <b>-vvvv</b></dt>
<dd>
<p>Provides information about each specified engine. The first flag lists all the possible run-time control commands; the second adds a description of each command; the third adds the input flags, and the final option adds the internal input flags.</p>
</dd>
<dt id="c"><b>-c</b></dt>
<dd>
<p>Lists the capabilities of each engine.</p>
</dd>
<dt id="t"><b>-t</b></dt>
<dd>
<p>Tests if each specified engine is available, and displays the answer.</p>
</dd>
<dt id="tt"><b>-tt</b></dt>
<dd>
<p>Displays an error trace for any unavailable engine.</p>
</dd>
<dt id="pre-command"><b>-pre</b> <i>command</i></dt>
<dd>
</dd>
<dt id="post-command"><b>-post</b> <i>command</i></dt>
<dd>
<p>Command-line configuration of engines. The <b>-pre</b> command is given to the engine before it is loaded and the <b>-post</b> command is given after the engine is loaded. The <i>command</i> is of the form <i>cmd</i>:<i>val</i> where <i>cmd</i> is the command, and <i>val</i> is the value for the command. See the example below.</p>
<p>These two options are cumulative, so they may be given more than once in the same command.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>To list all the commands available to a dynamic engine:</p>
<pre><code> $ openssl engine -t -tt -vvvv dynamic
(dynamic) Dynamic engine loading support
[ unavailable ]
SO_PATH: Specifies the path to the new ENGINE shared library
(input flags): STRING
NO_VCHECK: Specifies to continue even if version checking fails (boolean)
(input flags): NUMERIC
ID: Specifies an ENGINE id name for loading
(input flags): STRING
LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
(input flags): NUMERIC
DIR_LOAD: Specifies whether to load from &#39;DIR_ADD&#39; directories (0=no,1=yes,2=mandatory)
(input flags): NUMERIC
DIR_ADD: Adds a directory from which ENGINEs can be loaded
(input flags): STRING
LOAD: Load up the ENGINE specified by other settings
(input flags): NO_INPUT</code></pre>
<p>To list the capabilities of the <b>rsax</b> engine:</p>
<pre><code> $ openssl engine -c
(rsax) RSAX engine support
[RSA]
(dynamic) Dynamic engine loading support</code></pre>
<h1 id="ENVIRONMENT">ENVIRONMENT</h1>
<dl>
<dt id="OPENSSL_ENGINES"><b>OPENSSL_ENGINES</b></dt>
<dd>
<p>The path to the engines directory.</p>
</dd>
</dl>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man5/config.html">config(5)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>This command was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,72 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-errstr</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-errstr - lookup error codes</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl errstr</b> [<b>-help</b>] <i>error_code...</i></p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>Sometimes an application will not load error message texts and only numerical forms will be available. This command can be used to display the meaning of the hex code. The hex code is the hex digits after the second colon.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Display a usage message.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>The error code:</p>
<pre><code> 27594:error:2006D080:lib(32)::reason(128)::107:</code></pre>
<p>can be displayed with:</p>
<pre><code> openssl errstr 2006D080</code></pre>
<p>to produce the error message:</p>
<pre><code> error:2006D080:BIO routines::no such file</code></pre>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,267 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-fipsinstall</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-fipsinstall - perform FIPS configuration installation</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl fipsinstall</b> [<b>-help</b>] [<b>-in</b> <i>configfilename</i>] [<b>-out</b> <i>configfilename</i>] [<b>-module</b> <i>modulefilename</i>] [<b>-provider_name</b> <i>providername</i>] [<b>-section_name</b> <i>sectionname</i>] [<b>-verify</b>] [<b>-mac_name</b> <i>macname</i>] [<b>-macopt</b> <i>nm</i>:<i>v</i>] [<b>-noout</b>] [<b>-quiet</b>] [<b>-pedantic</b>] [<b>-no_conditional_errors</b>] [<b>-no_security_checks</b>] [<b>-ems_check</b>] [<b>-no_drbg_truncated_digests</b>] [<b>-self_test_onload</b>] [<b>-self_test_oninstall</b>] [<b>-corrupt_desc</b> <i>selftest_description</i>] [<b>-corrupt_type</b> <i>selftest_type</i>] [<b>-config</b> <i>parent_config</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is used to generate a FIPS module configuration file. This configuration file can be used each time a FIPS module is loaded in order to pass data to the FIPS module self tests. The FIPS module always verifies its MAC, but optionally only needs to run the KAT&#39;s once, at installation.</p>
<p>The generated configuration file consists of:</p>
<dl>
<dt id="A-MAC-of-the-FIPS-module-file">- A MAC of the FIPS module file.</dt>
<dd>
</dd>
<dt id="A-test-status-indicator">- A test status indicator.</dt>
<dd>
<p>This indicates if the Known Answer Self Tests (KAT&#39;s) have successfully run.</p>
</dd>
<dt id="A-MAC-of-the-status-indicator">- A MAC of the status indicator.</dt>
<dd>
</dd>
<dt id="A-control-for-conditional-self-tests-errors">- A control for conditional self tests errors.</dt>
<dd>
<p>By default if a continuous test (e.g a key pair test) fails then the FIPS module will enter an error state, and no services or cryptographic algorithms will be able to be accessed after this point. The default value of &#39;1&#39; will cause the fips module error state to be entered. If the value is &#39;0&#39; then the module error state will not be entered. Regardless of whether the error state is entered or not, the current operation (e.g. key generation) will return an error. The user is responsible for retrying the operation if the module error state is not entered.</p>
</dd>
<dt id="A-control-to-indicate-whether-run-time-security-checks-are-done">- A control to indicate whether run-time security checks are done.</dt>
<dd>
<p>This indicates if run-time checks related to enforcement of security parameters such as minimum security strength of keys and approved curve names are used. The default value of &#39;1&#39; will perform the checks. If the value is &#39;0&#39; the checks are not performed and FIPS compliance must be done by procedures documented in the relevant Security Policy.</p>
</dd>
</dl>
<p>This file is described in <a href="../man5/fips_config.html">fips_config(5)</a>.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print a usage message.</p>
</dd>
<dt id="module-filename"><b>-module</b> <i>filename</i></dt>
<dd>
<p>Filename of the FIPS module to perform an integrity check on. The path provided in the filename is used to load the module when it is activated, and this overrides the environment variable <b>OPENSSL_MODULES</b>.</p>
</dd>
<dt id="out-configfilename"><b>-out</b> <i>configfilename</i></dt>
<dd>
<p>Filename to output the configuration data to; the default is standard output.</p>
</dd>
<dt id="in-configfilename"><b>-in</b> <i>configfilename</i></dt>
<dd>
<p>Input filename to load configuration data from. Must be used if the <b>-verify</b> option is specified.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verify that the input configuration file contains the correct information.</p>
</dd>
<dt id="provider_name-providername"><b>-provider_name</b> <i>providername</i></dt>
<dd>
<p>Name of the provider inside the configuration file. The default value is <code>fips</code>.</p>
</dd>
<dt id="section_name-sectionname"><b>-section_name</b> <i>sectionname</i></dt>
<dd>
<p>Name of the section inside the configuration file. The default value is <code>fips_sect</code>.</p>
</dd>
<dt id="mac_name-name"><b>-mac_name</b> <i>name</i></dt>
<dd>
<p>Specifies the name of a supported MAC algorithm which will be used. The MAC mechanisms that are available will depend on the options used when building OpenSSL. To see the list of supported MAC&#39;s use the command <code>openssl list -mac-algorithms</code>. The default is <b>HMAC</b>.</p>
</dd>
<dt id="macopt-nm:v"><b>-macopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Passes options to the MAC algorithm. A comprehensive list of controls can be found in the EVP_MAC implementation documentation. Common control strings used for this command are:</p>
<dl>
<dt id="key:string"><b>key</b>:<i>string</i></dt>
<dd>
<p>Specifies the MAC key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. If no key is provided, the default that was specified when OpenSSL was configured is used.</p>
</dd>
<dt id="hexkey:string"><b>hexkey</b>:<i>string</i></dt>
<dd>
<p>Specifies the MAC key in hexadecimal form (two hex digits per byte). The key length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. If no key is provided, the default that was specified when OpenSSL was configured is used.</p>
</dd>
<dt id="digest:string"><b>digest</b>:<i>string</i></dt>
<dd>
<p>Used by HMAC as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. To see the list of supported digests, use the command <code>openssl list -digest-commands</code>. The default digest is SHA-256.</p>
</dd>
</dl>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>Disable logging of the self tests.</p>
</dd>
<dt id="pedantic"><b>-pedantic</b></dt>
<dd>
<p>Configure the module so that it is strictly FIPS compliant rather than being backwards compatible. This enables conditional errors, security checks etc. Note that any previous configuration options will be overwritten and any subsequent configuration options that violate FIPS compliance will result in an error.</p>
</dd>
<dt id="no_conditional_errors"><b>-no_conditional_errors</b></dt>
<dd>
<p>Configure the module to not enter an error state if a conditional self test fails as described above.</p>
</dd>
<dt id="no_security_checks"><b>-no_security_checks</b></dt>
<dd>
<p>Configure the module to not perform run-time security checks as described above.</p>
<p>Enabling the configuration option &quot;no-fips-securitychecks&quot; provides another way to turn off the check at compile time.</p>
</dd>
<dt id="ems_check"><b>-ems_check</b></dt>
<dd>
<p>Configure the module to enable a run-time Extended Master Secret (EMS) check when using the TLS1_PRF KDF algorithm. This check is disabled by default. See RFC 7627 for information related to EMS.</p>
</dd>
<dt id="no_drbg_truncated_digests"><b>-no_drbg_truncated_digests</b></dt>
<dd>
<p>Configure the module to not allow truncated digests to be used with Hash and HMAC DRBGs. See FIPS 140-3 IG D.R for details.</p>
</dd>
<dt id="self_test_onload"><b>-self_test_onload</b></dt>
<dd>
<p>Do not write the two fields related to the &quot;test status indicator&quot; and &quot;MAC status indicator&quot; to the output configuration file. Without these fields the self tests KATS will run each time the module is loaded. This option could be used for cross compiling, since the self tests need to run at least once on each target machine. Once the self tests have run on the target machine the user could possibly then add the 2 fields into the configuration using some other mechanism.</p>
<p>This is the default.</p>
</dd>
<dt id="self_test_oninstall"><b>-self_test_oninstall</b></dt>
<dd>
<p>The converse of <b>-self_test_oninstall</b>. The two fields related to the &quot;test status indicator&quot; and &quot;MAC status indicator&quot; are written to the output configuration file.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>Do not output pass/fail messages. Implies <b>-noout</b>.</p>
</dd>
<dt id="corrupt_desc-selftest_description--corrupt_type-selftest_type"><b>-corrupt_desc</b> <i>selftest_description</i>, <b>-corrupt_type</b> <i>selftest_type</i></dt>
<dd>
<p>The corrupt options can be used to test failure of one or more self tests by name. Either option or both may be used to select the tests to corrupt. Refer to the entries for <b>st-desc</b> and <b>st-type</b> in <a href="../man7/OSSL_PROVIDER-FIPS.html">OSSL_PROVIDER-FIPS(7)</a> for values that can be used.</p>
</dd>
<dt id="config-parent_config"><b>-config</b> <i>parent_config</i></dt>
<dd>
<p>Test that a FIPS provider can be loaded from the specified configuration file. A previous call to this application needs to generate the extra configuration data that is included by the base <code>parent_config</code> configuration file. See <a href="../man5/config.html">config(5)</a> for further information on how to set up a provider section. All other options are ignored if &#39;-config&#39; is used.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>Self tests results are logged by default if the options <b>-quiet</b> and <b>-noout</b> are not specified, or if either of the options <b>-corrupt_desc</b> or <b>-corrupt_type</b> are used. If the base configuration file is set up to autoload the fips module, then the fips module will be loaded and self tested BEFORE the fipsinstall application has a chance to set up its own self test callback. As a result of this the self test output and the options <b>-corrupt_desc</b> and <b>-corrupt_type</b> will be ignored. For normal usage the base configuration file should use the default provider when generating the fips configuration file.</p>
<p>The <b>-self_test_oninstall</b> option was added and the <b>-self_test_onload</b> option was made the default in OpenSSL 3.1.</p>
<p>The command and all remaining options were added in OpenSSL 3.0.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Calculate the mac of a FIPS module <i>fips.so</i> and run a FIPS self test for the module, and save the <i>fips.cnf</i> configuration file:</p>
<pre><code> openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips</code></pre>
<p>Verify that the configuration file <i>fips.cnf</i> contains the correct info:</p>
<pre><code> openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify</code></pre>
<p>Corrupt any self tests which have the description <code>SHA1</code>:</p>
<pre><code> openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
-corrupt_desc &#39;SHA1&#39;</code></pre>
<p>Validate that the fips module can be loaded from a base configuration file:</p>
<pre><code> export OPENSSL_CONF_INCLUDE=&lt;path of configuration files&gt;
export OPENSSL_MODULES=&lt;provider-path&gt;
openssl fipsinstall -config&#39; &#39;default.cnf&#39;</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man5/config.html">config(5)</a>, <a href="../man5/fips_config.html">fips_config(5)</a>, <a href="../man7/OSSL_PROVIDER-FIPS.html">OSSL_PROVIDER-FIPS(7)</a>, <a href="../man3/EVP_MAC.html">EVP_MAC(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
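Review bot: dropping this generated man page outright is fine, but nothing in the hunk shows where a reader of this tree is now pointed for the fipsinstall options (the `-pedantic`, `-ems_check` and `-self_test_*` controls documented here); a line in the commit message or a README naming the upstream OpenSSL docs as the replacement would close that gap. For the record, two defects in the deleted text need no fix-up here because the page is removed rather than moved: the `-self_test_oninstall` entry describes itself (`The converse of <b>-self_test_oninstall</b>` should name `-self_test_onload`), and the final example `openssl fipsinstall -config' 'default.cnf'` has its quotes misplaced around the option.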

View File

@ -1,161 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-format-options</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#Format-Options">Format Options</a></li>
<li><a href="#Format-Option-Arguments">Format Option Arguments</a></li>
</ul>
</li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-format-options - OpenSSL command input and output format options</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <i>command</i> [ <i>options</i> ... ] [ <i>parameters</i> ... ]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>Several OpenSSL commands can take input or generate output in a variety of formats.</p>
<p>Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from files in any of the <b>DER</b>, <b>PEM</b> or <b>P12</b> formats. Specifying their input format is no more needed and the openssl commands will automatically try all the possible formats. However if the <b>DER</b> or <b>PEM</b> input format is specified it will be enforced.</p>
<p>In order to access a key via an engine the input format <b>ENGINE</b> may be used; alternatively the key identifier in the &lt;uri&gt; argument of the respective key option may be preceded by <code>org.openssl.engine:</code>. See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a> for an example usage of the latter.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<h2 id="Format-Options">Format Options</h2>
<p>The options to specify the format are as follows. Refer to the individual man page to see which options are accepted.</p>
<dl>
<dt id="inform-format--outform-format"><b>-inform</b> <i>format</i>, <b>-outform</b> <i>format</i></dt>
<dd>
<p>The format of the input or output streams.</p>
</dd>
<dt id="keyform-format"><b>-keyform</b> <i>format</i></dt>
<dd>
<p>Format of a private key input source.</p>
</dd>
<dt id="CRLform-format"><b>-CRLform</b> <i>format</i></dt>
<dd>
<p>Format of a CRL input source.</p>
</dd>
</dl>
<h2 id="Format-Option-Arguments">Format Option Arguments</h2>
<p>The possible format arguments are described below. Both uppercase and lowercase are accepted.</p>
<p>The list of acceptable format arguments, and the default, is described in each command documentation.</p>
<dl>
<dt id="DER"><b>DER</b></dt>
<dd>
<p>A binary format, encoded or parsed according to Distinguished Encoding Rules (DER) of the ASN.1 data language.</p>
</dd>
<dt id="ENGINE"><b>ENGINE</b></dt>
<dd>
<p>Used to specify that the cryptographic material is in an OpenSSL <b>engine</b>. An engine must be configured or specified using the <b>-engine</b> option. A password or PIN may be supplied to the engine using the <b>-passin</b> option.</p>
</dd>
<dt id="P12"><b>P12</b></dt>
<dd>
<p>A DER-encoded file containing a PKCS#12 object. It might be necessary to provide a decryption password to retrieve the private key.</p>
</dd>
<dt id="PEM"><b>PEM</b></dt>
<dd>
<p>A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is a block of base-64 encoding (defined in IETF RFC 4648), with specific lines used to mark the start and end:</p>
<pre><code> Text before the BEGIN line is ignored.
----- BEGIN object-type -----
OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
----- END object-type -----
Text after the END line is also ignored</code></pre>
<p>The <i>object-type</i> must match the type of object that is expected. For example a <code>BEGIN X509 CERTIFICATE</code> will not match if the command is trying to read a private key. The types supported include:</p>
<pre><code> ANY PRIVATE KEY
CERTIFICATE
CERTIFICATE REQUEST
CMS
DH PARAMETERS
DSA PARAMETERS
DSA PUBLIC KEY
EC PARAMETERS
EC PRIVATE KEY
ECDSA PUBLIC KEY
ENCRYPTED PRIVATE KEY
PARAMETERS
PKCS #7 SIGNED DATA
PKCS7
PRIVATE KEY
PUBLIC KEY
RSA PRIVATE KEY
SSL SESSION PARAMETERS
TRUSTED CERTIFICATE
X509 CRL
X9.42 DH PARAMETERS</code></pre>
<p>The following legacy <i>object-type</i>&#39;s are also supported for compatibility with earlier releases:</p>
<pre><code> DSA PRIVATE KEY
NEW CERTIFICATE REQUEST
RSA PUBLIC KEY
X509 CERTIFICATE</code></pre>
</dd>
<dt id="SMIME"><b>SMIME</b></dt>
<dd>
<p>An S/MIME object as described in IETF RFC 8551. Earlier versions were known as CMS and are compatible. Note that the parsing is simple and might fail to parse some legal data.</p>
</dd>
</dl>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
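Review bot: this deletion leaves no dangling reference within the diff itself: the `../man1/openssl-format-options.html` link in the genpkey page's `-outform` entry further down is removed in the same commit, and this page's own outbound links (`../man1/openssl.html`) point into the same tree being removed. What the hunk cannot show is whether any build script or README elsewhere in the repository still links to these HTML pages; that is the one check worth doing before merging.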

View File

@ -1,136 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-gendsa</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-gendsa - generate a DSA private key from a set of parameters</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>gendsa</b> [<b>-help</b>] [<b>-out</b> <i>filename</i>] [<b>-passout</b> <i>arg</i>] [<b>-aes128</b>] [<b>-aes192</b>] [<b>-aes256</b>] [<b>-aria128</b>] [<b>-aria192</b>] [<b>-aria256</b>] [<b>-camellia128</b>] [<b>-camellia192</b>] [<b>-camellia256</b>] [<b>-des</b>] [<b>-des3</b>] [<b>-idea</b>] [<b>-verbose</b>] [<b>-quiet</b>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>paramfile</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command generates a DSA private key from a DSA parameter file (which will be typically generated by the <a href="../man1/openssl-dsaparam.html">openssl-dsaparam(1)</a> command).</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Output the key to the specified file. If this argument is not specified then standard output is used.</p>
</dd>
<dt id="passout-arg"><b>-passout</b> <i>arg</i></dt>
<dd>
<p>The passphrase used for the output file. See <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="aes128--aes192--aes256--aria128--aria192--aria256--camellia128--camellia192--camellia256--des--des3--idea"><b>-aes128</b>, <b>-aes192</b>, <b>-aes256</b>, <b>-aria128</b>, <b>-aria192</b>, <b>-aria256</b>, <b>-camellia128</b>, <b>-camellia192</b>, <b>-camellia256</b>, <b>-des</b>, <b>-des3</b>, <b>-idea</b></dt>
<dd>
<p>These options encrypt the private key with specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified no encryption is used.</p>
<p>Note that all options must be given before the <i>paramfile</i> argument.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Print extra details about the operations being performed.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>Print fewer details about the operations being performed, which may be handy during batch scripts and pipelines.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="paramfile"><i>paramfile</i></dt>
<dd>
<p>The DSA parameter file to use. The parameters in this file determine the size of the private key. DSA parameters can be generated and examined using the <a href="../man1/openssl-dsaparam.html">openssl-dsaparam(1)</a> command.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>DSA key generation is little more than random number generation so it is much quicker that RSA key generation for example.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a>, <a href="../man1/openssl-dsaparam.html">openssl-dsaparam(1)</a>, <a href="../man1/openssl-dsa.html">openssl-dsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,568 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-genpkey</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#KEY-GENERATION-OPTIONS">KEY GENERATION OPTIONS</a>
<ul>
<li><a href="#RSA-Key-Generation-Options">RSA Key Generation Options</a></li>
<li><a href="#RSA-PSS-Key-Generation-Options">RSA-PSS Key Generation Options</a></li>
<li><a href="#EC-Key-Generation-Options">EC Key Generation Options</a></li>
<li><a href="#DH-Key-Generation-Options">DH Key Generation Options</a></li>
</ul>
</li>
<li><a href="#PARAMETER-GENERATION-OPTIONS">PARAMETER GENERATION OPTIONS</a>
<ul>
<li><a href="#DSA-Parameter-Generation-Options">DSA Parameter Generation Options</a></li>
<li><a href="#DH-Parameter-Generation-Options">DH Parameter Generation Options</a></li>
<li><a href="#EC-Parameter-Generation-Options">EC Parameter Generation Options</a></li>
</ul>
</li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-genpkey - generate a private key or key pair</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>genpkey</b> [<b>-help</b>] [<b>-out</b> <i>filename</i>] [<b>-outpubkey</b> <i>filename</i>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-verbose</b>] [<b>-quiet</b>] [<b>-pass</b> <i>arg</i>] [<b>-<i>cipher</i></b>] [<b>-paramfile</b> <i>file</i>] [<b>-algorithm</b> <i>alg</i>] [<b>-pkeyopt</b> <i>opt</i>:<i>value</i>] [<b>-genparam</b>] [<b>-text</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>-config</b> <i>configfile</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command generates a private key or key pair.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Output the private key to the specified file. If this argument is not specified then standard output is used.</p>
</dd>
<dt id="outpubkey-filename"><b>-outpubkey</b> <i>filename</i></dt>
<dd>
<p>Output the public key to the specified file. If this argument is not specified then the public key is not output.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The output format, except when <b>-genparam</b> is given; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>When <b>-genparam</b> is given, <b>-outform</b> is ignored.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Output &quot;status dots&quot; while generating keys.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>Do not output &quot;status dots&quot; while generating keys.</p>
</dd>
<dt id="pass-arg"><b>-pass</b> <i>arg</i></dt>
<dd>
<p>The output file password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="cipher"><b>-<i>cipher</i></b></dt>
<dd>
<p>This option encrypts the private key with the supplied cipher. Any algorithm name accepted by EVP_get_cipherbyname() is acceptable such as <b>des3</b>.</p>
</dd>
<dt id="algorithm-alg"><b>-algorithm</b> <i>alg</i></dt>
<dd>
<p>Public key algorithm to use such as RSA, DSA, DH or DHX. If used this option must precede any <b>-pkeyopt</b> options. The options <b>-paramfile</b> and <b>-algorithm</b> are mutually exclusive. Engines or providers may add algorithms in addition to the standard built-in ones.</p>
<p>Valid built-in algorithm names for private key generation are RSA, RSA-PSS, EC, X25519, X448, ED25519 and ED448.</p>
<p>Valid built-in algorithm names for parameter generation (see the <b>-genparam</b> option) are DH, DSA and EC.</p>
<p>Note that the algorithm name X9.42 DH may be used as a synonym for DHX keys and PKCS#3 refers to DH Keys. Some options are not shared between DH and DHX keys.</p>
</dd>
<dt id="pkeyopt-opt:value"><b>-pkeyopt</b> <i>opt</i>:<i>value</i></dt>
<dd>
<p>Set the public key algorithm option <i>opt</i> to <i>value</i>. The precise set of options supported depends on the public key algorithm used and its implementation. See <a href="#KEY-GENERATION-OPTIONS">&quot;KEY GENERATION OPTIONS&quot;</a> and <a href="#PARAMETER-GENERATION-OPTIONS">&quot;PARAMETER GENERATION OPTIONS&quot;</a> below for more details.</p>
<p>To list the possible <i>opt</i> values for an algorithm use: <b>openssl</b> <b>genpkey</b> -algorithm XXX -help</p>
</dd>
<dt id="genparam"><b>-genparam</b></dt>
<dd>
<p>Generate a set of parameters instead of a private key. If used this option must precede any <b>-algorithm</b>, <b>-paramfile</b> or <b>-pkeyopt</b> options.</p>
</dd>
<dt id="paramfile-filename"><b>-paramfile</b> <i>filename</i></dt>
<dd>
<p>Some public key algorithms generate a private key based on a set of parameters. They can be supplied using this option. If this option is used the public key algorithm used is determined by the parameters. If used this option must precede any <b>-pkeyopt</b> options. The options <b>-paramfile</b> and <b>-algorithm</b> are mutually exclusive.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Print an (unencrypted) text representation of private and public keys and parameters along with the PEM or DER structure.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="config-configfile"><b>-config</b> <i>configfile</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Configuration Option&quot; in openssl(1)</a>.</p>
</dd>
</dl>
<h1 id="KEY-GENERATION-OPTIONS">KEY GENERATION OPTIONS</h1>
<p>The options supported by each algorithm and indeed each implementation of an algorithm can vary. The options for the OpenSSL implementations are detailed below. There are no key generation options defined for the X25519, X448, ED25519 or ED448 algorithms.</p>
<h2 id="RSA-Key-Generation-Options">RSA Key Generation Options</h2>
<dl>
<dt id="rsa_keygen_bits:numbits"><b>rsa_keygen_bits:numbits</b></dt>
<dd>
<p>The number of bits in the generated key. If not specified 2048 is used.</p>
</dd>
<dt id="rsa_keygen_primes:numprimes"><b>rsa_keygen_primes:numprimes</b></dt>
<dd>
<p>The number of primes in the generated key. If not specified 2 is used.</p>
</dd>
<dt id="rsa_keygen_pubexp:value"><b>rsa_keygen_pubexp:value</b></dt>
<dd>
<p>The RSA public exponent value. This can be a large decimal or hexadecimal value if preceded by <code>0x</code>. Default value is 65537.</p>
</dd>
</dl>
<h2 id="RSA-PSS-Key-Generation-Options">RSA-PSS Key Generation Options</h2>
<p>Note: by default an <b>RSA-PSS</b> key has no parameter restrictions.</p>
<dl>
<dt id="rsa_keygen_bits:numbits-rsa_keygen_primes:numprimes-rsa_keygen_pubexp:value"><b>rsa_keygen_bits</b>:<i>numbits</i>, <b>rsa_keygen_primes</b>:<i>numprimes</i>, <b>rsa_keygen_pubexp</b>:<i>value</i></dt>
<dd>
<p>These options have the same meaning as the <b>RSA</b> algorithm.</p>
</dd>
<dt id="rsa_pss_keygen_md:digest"><b>rsa_pss_keygen_md</b>:<i>digest</i></dt>
<dd>
<p>If set the key is restricted and can only use <i>digest</i> for signing.</p>
</dd>
<dt id="rsa_pss_keygen_mgf1_md:digest"><b>rsa_pss_keygen_mgf1_md</b>:<i>digest</i></dt>
<dd>
<p>If set the key is restricted and can only use <i>digest</i> as it&#39;s MGF1 parameter.</p>
</dd>
<dt id="rsa_pss_keygen_saltlen:len"><b>rsa_pss_keygen_saltlen</b>:<i>len</i></dt>
<dd>
<p>If set the key is restricted and <i>len</i> specifies the minimum salt length.</p>
</dd>
</dl>
<h2 id="EC-Key-Generation-Options">EC Key Generation Options</h2>
<p>The EC key generation options can also be used for parameter generation.</p>
<dl>
<dt id="ec_paramgen_curve:curve"><b>ec_paramgen_curve</b>:<i>curve</i></dt>
<dd>
<p>The EC curve to use. OpenSSL supports NIST curve names such as &quot;P-256&quot;.</p>
</dd>
<dt id="ec_param_enc:encoding"><b>ec_param_enc</b>:<i>encoding</i></dt>
<dd>
<p>The encoding to use for parameters. The <i>encoding</i> parameter must be either <b>named_curve</b> or <b>explicit</b>. The default value is <b>named_curve</b>.</p>
</dd>
</dl>
<h2 id="DH-Key-Generation-Options">DH Key Generation Options</h2>
<dl>
<dt id="group:name"><b>group</b>:<i>name</i></dt>
<dd>
<p>The <b>paramfile</b> option is not required if a named group is used here. See the <a href="#DH-Parameter-Generation-Options">&quot;DH Parameter Generation Options&quot;</a> section below.</p>
</dd>
</dl>
<h1 id="PARAMETER-GENERATION-OPTIONS">PARAMETER GENERATION OPTIONS</h1>
<p>The options supported by each algorithm and indeed each implementation of an algorithm can vary. The options for the OpenSSL implementations are detailed below.</p>
<h2 id="DSA-Parameter-Generation-Options">DSA Parameter Generation Options</h2>
<dl>
<dt id="dsa_paramgen_bits:numbits"><b>dsa_paramgen_bits</b>:<i>numbits</i></dt>
<dd>
<p>The number of bits in the generated prime. If not specified 2048 is used.</p>
</dd>
<dt id="dsa_paramgen_q_bits:numbits"><b>dsa_paramgen_q_bits</b>:<i>numbits</i></dt>
<dd>
</dd>
<dt id="qbits:numbits"><b>qbits</b>:<i>numbits</i></dt>
<dd>
<p>The number of bits in the q parameter. Must be one of 160, 224 or 256. If not specified 224 is used.</p>
</dd>
<dt id="dsa_paramgen_md:digest"><b>dsa_paramgen_md</b>:<i>digest</i></dt>
<dd>
</dd>
<dt id="digest:digest"><b>digest</b>:<i>digest</i></dt>
<dd>
<p>The digest to use during parameter generation. Must be one of <b>sha1</b>, <b>sha224</b> or <b>sha256</b>. If set, then the number of bits in <b>q</b> will match the output size of the specified digest and the <b>dsa_paramgen_q_bits</b> parameter will be ignored. If not set, then a digest will be used that gives an output matching the number of bits in <b>q</b>, i.e. <b>sha1</b> if q length is 160, <b>sha224</b> if it 224 or <b>sha256</b> if it is 256.</p>
</dd>
<dt id="properties:query"><b>properties</b>:<i>query</i></dt>
<dd>
<p>The <i>digest</i> property <i>query</i> string to use when fetching a digest from a provider.</p>
</dd>
<dt id="type:type"><b>type</b>:<i>type</i></dt>
<dd>
<p>The type of generation to use. Set this to 1 to use legacy FIPS186-2 parameter generation. The default of 0 uses FIPS186-4 parameter generation.</p>
</dd>
<dt id="gindex:index"><b>gindex</b>:<i>index</i></dt>
<dd>
<p>The index to use for canonical generation and verification of the generator g. Set this to a positive value ranging from 0..255 to use this mode. Larger values will only use the bottom byte. This <i>index</i> must then be reused during key validation to verify the value of g. If this value is not set then g is not verifiable. The default value is -1.</p>
</dd>
<dt id="hexseed:seed"><b>hexseed</b>:<i>seed</i></dt>
<dd>
<p>The seed <i>seed</i> data to use instead of generating a random seed internally. This should be used for testing purposes only. This will either produced fixed values for the generated parameters OR it will fail if the seed did not generate valid primes.</p>
</dd>
</dl>
<h2 id="DH-Parameter-Generation-Options">DH Parameter Generation Options</h2>
<p>For most use cases it is recommended to use the <b>group</b> option rather than the <b>type</b> options. Note that the <b>group</b> option is not used by default if no parameter generation options are specified.</p>
<dl>
<dt id="group:name1"><b>group</b>:<i>name</i></dt>
<dd>
</dd>
<dt id="dh_param:name"><b>dh_param</b>:<i>name</i></dt>
<dd>
<p>Use a named DH group to select constant values for the DH parameters. All other options will be ignored if this value is set.</p>
<p>Valid values that are associated with the <b>algorithm</b> of <b>&quot;DH&quot;</b> are: &quot;ffdhe2048&quot;, &quot;ffdhe3072&quot;, &quot;ffdhe4096&quot;, &quot;ffdhe6144&quot;, &quot;ffdhe8192&quot;, &quot;modp_1536&quot;, &quot;modp_2048&quot;, &quot;modp_3072&quot;, &quot;modp_4096&quot;, &quot;modp_6144&quot;, &quot;modp_8192&quot;.</p>
<p>Valid values that are associated with the <b>algorithm</b> of <b>&quot;DHX&quot;</b> are the RFC5114 names &quot;dh_1024_160&quot;, &quot;dh_2048_224&quot;, &quot;dh_2048_256&quot;.</p>
</dd>
<dt id="dh_rfc5114:num"><b>dh_rfc5114</b>:<i>num</i></dt>
<dd>
<p>If this option is set, then the appropriate RFC5114 parameters are used instead of generating new parameters. The value <i>num</i> can be one of 1, 2 or 3 that are equivalent to using the option <b>group</b> with one of &quot;dh_1024_160&quot;, &quot;dh_2048_224&quot; or &quot;dh_2048_256&quot;. All other options will be ignored if this value is set.</p>
</dd>
<dt id="pbits:numbits"><b>pbits</b>:<i>numbits</i></dt>
<dd>
</dd>
<dt id="dh_paramgen_prime_len:numbits"><b>dh_paramgen_prime_len</b>:<i>numbits</i></dt>
<dd>
<p>The number of bits in the prime parameter <i>p</i>. The default is 2048.</p>
</dd>
<dt id="qbits:numbits1"><b>qbits</b>:<i>numbits</i></dt>
<dd>
</dd>
<dt id="dh_paramgen_subprime_len:numbits"><b>dh_paramgen_subprime_len</b>:<i>numbits</i></dt>
<dd>
<p>The number of bits in the sub prime parameter <i>q</i>. The default is 224. Only relevant if used in conjunction with the <b>dh_paramgen_type</b> option to generate DHX parameters.</p>
</dd>
<dt id="safeprime-generator:value"><b>safeprime-generator</b>:<i>value</i></dt>
<dd>
</dd>
<dt id="dh_paramgen_generator:value"><b>dh_paramgen_generator</b>:<i>value</i></dt>
<dd>
<p>The value to use for the generator <i>g</i>. The default is 2. The <b>algorithm</b> option must be <b>&quot;DH&quot;</b> for this parameter to be used.</p>
</dd>
<dt id="type:string"><b>type</b>:<i>string</i></dt>
<dd>
<p>The type name of DH parameters to generate. Valid values are:</p>
<dl>
<dt id="generator">&quot;generator&quot;</dt>
<dd>
<p>Use a safe prime generator with the option <b>safeprime_generator</b> The <b>algorithm</b> option must be <b>&quot;DH&quot;</b>.</p>
</dd>
<dt id="fips186_4">&quot;fips186_4&quot;</dt>
<dd>
<p>FIPS186-4 parameter generation. The <b>algorithm</b> option must be <b>&quot;DHX&quot;</b>.</p>
</dd>
<dt id="fips186_2">&quot;fips186_2&quot;</dt>
<dd>
<p>FIPS186-4 parameter generation. The <b>algorithm</b> option must be <b>&quot;DHX&quot;</b>.</p>
</dd>
<dt id="group">&quot;group&quot;</dt>
<dd>
<p>Can be used with the option <b>pbits</b> to select one of &quot;ffdhe2048&quot;, &quot;ffdhe3072&quot;, &quot;ffdhe4096&quot;, &quot;ffdhe6144&quot; or &quot;ffdhe8192&quot;. The <b>algorithm</b> option must be <b>&quot;DH&quot;</b>.</p>
</dd>
<dt id="default">&quot;default&quot;</dt>
<dd>
<p>Selects a default type based on the <b>algorithm</b>. This is used by the OpenSSL default provider to set the type for backwards compatibility. If <b>algorithm</b> is <b>&quot;DH&quot;</b> then <b>&quot;generator&quot;</b> is used. If <b>algorithm</b> is <b>&quot;DHX&quot;</b> then <b>&quot;fips186_2&quot;</b> is used.</p>
</dd>
</dl>
</dd>
<dt id="dh_paramgen_type:value"><b>dh_paramgen_type</b>:<i>value</i></dt>
<dd>
<p>The type of DH parameters to generate. Valid values are 0, 1, 2 or 3 which correspond to setting the option <b>type</b> to &quot;generator&quot;, &quot;fips186_2&quot;, &quot;fips186_4&quot; or &quot;group&quot;.</p>
</dd>
<dt id="digest:digest1"><b>digest</b>:<i>digest</i></dt>
<dd>
<p>The digest to use during parameter generation. Must be one of <b>sha1</b>, <b>sha224</b> or <b>sha256</b>. If set, then the number of bits in <b>qbits</b> will match the output size of the specified digest and the <b>qbits</b> parameter will be ignored. If not set, then a digest will be used that gives an output matching the number of bits in <b>q</b>, i.e. <b>sha1</b> if q length is 160, <b>sha224</b> if it is 224 or <b>sha256</b> if it is 256. This is only used by &quot;fips186_4&quot; and &quot;fips186_2&quot; key generation.</p>
</dd>
<dt id="properties:query1"><b>properties</b>:<i>query</i></dt>
<dd>
<p>The <i>digest</i> property <i>query</i> string to use when fetching a digest from a provider. This is only used by &quot;fips186_4&quot; and &quot;fips186_2&quot; key generation.</p>
</dd>
<dt id="gindex:index1"><b>gindex</b>:<i>index</i></dt>
<dd>
<p>The index to use for canonical generation and verification of the generator g. Set this to a positive value ranging from 0..255 to use this mode. Larger values will only use the bottom byte. This <i>index</i> must then be reused during key validation to verify the value of g. If this value is not set then g is not verifiable. The default value is -1. This is only used by &quot;fips186_4&quot; and &quot;fips186_2&quot; key generation.</p>
</dd>
<dt id="hexseed:seed1"><b>hexseed</b>:<i>seed</i></dt>
<dd>
<p>The seed <i>seed</i> data to use instead of generating a random seed internally. This should be used for testing purposes only. This will either produced fixed values for the generated parameters OR it will fail if the seed did not generate valid primes. This is only used by &quot;fips186_4&quot; and &quot;fips186_2&quot; key generation.</p>
</dd>
</dl>
<h2 id="EC-Parameter-Generation-Options">EC Parameter Generation Options</h2>
<p>The EC parameter generation options are the same as for key generation. See <a href="#EC-Key-Generation-Options">&quot;EC Key Generation Options&quot;</a> above.</p>
<h1 id="NOTES">NOTES</h1>
<p>The use of the genpkey program is encouraged over the algorithm specific utilities because additional algorithm options and ENGINE provided algorithms can be used.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Generate an RSA private key using default parameters:</p>
<pre><code> openssl genpkey -algorithm RSA -out key.pem</code></pre>
<p>Encrypt output private key using 128 bit AES and the passphrase &quot;hello&quot;:</p>
<pre><code> openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello</code></pre>
<p>Generate a 2048 bit RSA key using 3 as the public exponent:</p>
<pre><code> openssl genpkey -algorithm RSA -out key.pem \
-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3</code></pre>
<p>Generate 2048 bit DSA parameters that can be validated: The output values for gindex and seed are required for key validation purposes and are not saved to the output pem file).</p>
<pre><code> openssl genpkey -genparam -algorithm DSA -out dsap.pem -pkeyopt pbits:2048 \
-pkeyopt qbits:224 -pkeyopt digest:SHA256 -pkeyopt gindex:1 -text</code></pre>
<p>Generate DSA key from parameters:</p>
<pre><code> openssl genpkey -paramfile dsap.pem -out dsakey.pem</code></pre>
<p>Generate 4096 bit DH Key using safe prime group ffdhe4096:</p>
<pre><code> openssl genpkey -algorithm DH -out dhkey.pem -pkeyopt group:ffdhe4096</code></pre>
<p>Generate 2048 bit X9.42 DH key with 256 bit subgroup using RFC5114 group3:</p>
<pre><code> openssl genpkey -algorithm DHX -out dhkey.pem -pkeyopt dh_rfc5114:3</code></pre>
<p>Generate a DH key using a DH parameters file:</p>
<pre><code> openssl genpkey -paramfile dhp.pem -out dhkey.pem</code></pre>
<p>Output DH parameters for safe prime group ffdhe2048:</p>
<pre><code> openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt group:ffdhe2048</code></pre>
<p>Output 2048 bit X9.42 DH parameters with 224 bit subgroup using RFC5114 group2:</p>
<pre><code> openssl genpkey -genparam -algorithm DHX -out dhp.pem -pkeyopt dh_rfc5114:2</code></pre>
<p>Output 2048 bit X9.42 DH parameters with 224 bit subgroup using FIP186-4 keygen:</p>
<pre><code> openssl genpkey -genparam -algorithm DHX -out dhp.pem -text \
-pkeyopt pbits:2048 -pkeyopt qbits:224 -pkeyopt digest:SHA256 \
-pkeyopt gindex:1 -pkeyopt dh_paramgen_type:2</code></pre>
<p>Output 1024 bit X9.42 DH parameters with 160 bit subgroup using FIP186-2 keygen:</p>
<pre><code> openssl genpkey -genparam -algorithm DHX -out dhp.pem -text \
-pkeyopt pbits:1024 -pkeyopt qbits:160 -pkeyopt digest:SHA1 \
-pkeyopt gindex:1 -pkeyopt dh_paramgen_type:1</code></pre>
<p>Output 2048 bit DH parameters:</p>
<pre><code> openssl genpkey -genparam -algorithm DH -out dhp.pem \
-pkeyopt dh_paramgen_prime_len:2048</code></pre>
<p>Output 2048 bit DH parameters using a generator:</p>
<pre><code> openssl genpkey -genparam -algorithm DH -out dhpx.pem \
-pkeyopt dh_paramgen_prime_len:2048 \
-pkeyopt dh_paramgen_type:1</code></pre>
<p>Generate EC parameters:</p>
<pre><code> openssl genpkey -genparam -algorithm EC -out ecp.pem \
-pkeyopt ec_paramgen_curve:secp384r1 \
-pkeyopt ec_param_enc:named_curve</code></pre>
<p>Generate EC key from parameters:</p>
<pre><code> openssl genpkey -paramfile ecp.pem -out eckey.pem</code></pre>
<p>Generate EC key directly:</p>
<pre><code> openssl genpkey -algorithm EC -out eckey.pem \
-pkeyopt ec_paramgen_curve:P-384 \
-pkeyopt ec_param_enc:named_curve</code></pre>
<p>Generate an X25519 private key:</p>
<pre><code> openssl genpkey -algorithm X25519 -out xkey.pem</code></pre>
<p>Generate an ED448 private key:</p>
<pre><code> openssl genpkey -algorithm ED448 -out xkey.pem</code></pre>
<h1 id="HISTORY">HISTORY</h1>
<p>The ability to use NIST curve names, and to generate an EC key directly, were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in OpenSSL 1.1.0. The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
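Review bot: the EXAMPLES section of this page (from "Generate an RSA private key using default parameters" through the ED448 example) is a worked reference for the `-pkeyopt` names used in DH and DSA parameter generation (group, pbits, qbits, digest, gindex, dh_rfc5114, dh_paramgen_type, dh_paramgen_prime_len) with complete command lines, and the commit deletes it without naming a replacement; please state in the commit message where these docs are expected to be read from now (the openssl-genpkey(1) man page installed with whatever OpenSSL the build links against, or openssl.org), so that scripts written against these option names are not silently orphaned.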


@ -1,149 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-genrsa</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-genrsa - generate an RSA private key</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>genrsa</b> [<b>-help</b>] [<b>-out</b> <i>filename</i>] [<b>-passout</b> <i>arg</i>] [<b>-aes128</b>] [<b>-aes192</b>] [<b>-aes256</b>] [<b>-aria128</b>] [<b>-aria192</b>] [<b>-aria256</b>] [<b>-camellia128</b>] [<b>-camellia192</b>] [<b>-camellia256</b>] [<b>-des</b>] [<b>-des3</b>] [<b>-idea</b>] [<b>-F4</b>] [<b>-f4</b>] [<b>-3</b>] [<b>-primes</b> <i>num</i>] [<b>-verbose</b>] [<b>-quiet</b>] [<b>-traditional</b>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>numbits</b>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command generates an RSA private key.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Output the key to the specified file. If this argument is not specified then standard output is used.</p>
</dd>
<dt id="passout-arg"><b>-passout</b> <i>arg</i></dt>
<dd>
<p>The output file password source. For more information about the format see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="aes128--aes192--aes256--aria128--aria192--aria256--camellia128--camellia192--camellia256--des--des3--idea"><b>-aes128</b>, <b>-aes192</b>, <b>-aes256</b>, <b>-aria128</b>, <b>-aria192</b>, <b>-aria256</b>, <b>-camellia128</b>, <b>-camellia192</b>, <b>-camellia256</b>, <b>-des</b>, <b>-des3</b>, <b>-idea</b></dt>
<dd>
<p>These options encrypt the private key with specified cipher before outputting it. If none of these options is specified no encryption is used. If encryption is used a pass phrase is prompted for if it is not supplied via the <b>-passout</b> argument.</p>
</dd>
<dt id="F4--f4--3"><b>-F4</b>, <b>-f4</b>, <b>-3</b></dt>
<dd>
<p>The public exponent to use, either 65537 or 3. The default is 65537. The <b>-3</b> option has been deprecated.</p>
</dd>
<dt id="primes-num"><b>-primes</b> <i>num</i></dt>
<dd>
<p>Specify the number of primes to use while generating the RSA key. The <i>num</i> parameter must be a positive integer that is greater than 1 and less than 16. If <i>num</i> is greater than 2, then the generated key is called a &#39;multi-prime&#39; RSA key, which is defined in RFC 8017.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Print extra details about the operations being performed.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>Print fewer details about the operations being performed, which may be handy during batch scripts and pipelines.</p>
</dd>
<dt id="traditional"><b>-traditional</b></dt>
<dd>
<p>Write the key using the traditional PKCS#1 format instead of the PKCS#8 format.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="numbits"><b>numbits</b></dt>
<dd>
<p>The size of the private key to generate in bits. This must be the last option specified. The default is 2048 and values less than 512 are not allowed.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>RSA private key generation essentially involves the generation of two or more prime numbers. When generating a private key various symbols will be output to indicate the progress of the generation. A <b>.</b> represents each number which has passed an initial sieve test, <b>+</b> means a number has passed a single round of the Miller-Rabin primality test, <b>*</b> means the current prime starts a regenerating progress due to some failed tests. A newline means that the number has passed all the prime tests (the actual number depends on the key size).</p>
<p>Because key generation is a random process the time taken to generate a key may vary somewhat. But in general, more primes lead to less generation time of a key.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
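Review bot: the SEE ALSO paragraph near the end of this hunk links to ../man1/openssl-genpkey.html and ../man1/openssl-gendsa.html, and the option entries link to ../man1/openssl.html, ../man1/openssl-passphrase-options.html, ../man7/provider.html and ../man7/property.html; deleting pages one directory at a time leaves dangling relative links in whatever survives, so either confirm that the man1/man3/man7 trees are removed together in this commit or check after applying it, e.g. `grep -rl 'openssl-genrsa.html' include/openssl/` should print nothing.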


@ -1,112 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-info</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-info - print OpenSSL built-in information</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl info</b> [<b>-help</b>] [<b>-configdir</b>] [<b>-enginesdir</b>] [<b>-modulesdir</b> ] [<b>-dsoext</b>] [<b>-dirnamesep</b>] [<b>-listsep</b>] [<b>-seeds</b>] [<b>-cpusettings</b>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is used to print out information about OpenSSL. The information is written exactly as it is with no extra text, which makes useful for scripts.</p>
<p>As a consequence, only one item may be chosen for each run of this command.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="configdir"><b>-configdir</b></dt>
<dd>
<p>Outputs the default directory for OpenSSL configuration files.</p>
</dd>
<dt id="enginesdir"><b>-enginesdir</b></dt>
<dd>
<p>Outputs the default directory for OpenSSL engine modules.</p>
</dd>
<dt id="modulesdir"><b>-modulesdir</b></dt>
<dd>
<p>Outputs the default directory for OpenSSL dynamically loadable modules other than engine modules.</p>
</dd>
<dt id="dsoext"><b>-dsoext</b></dt>
<dd>
<p>Outputs the DSO extension OpenSSL uses.</p>
</dd>
<dt id="dirnamesep"><b>-dirnamesep</b></dt>
<dd>
<p>Outputs the separator character between a directory specification and a filename. Note that on some operating systems, this is not the same as the separator between directory elements.</p>
</dd>
<dt id="listsep"><b>-listsep</b></dt>
<dd>
<p>Outputs the OpenSSL list separator character. This is typically used to construct <code>$PATH</code> (<code>%PATH%</code> on Windows) style lists.</p>
</dd>
<dt id="seeds"><b>-seeds</b></dt>
<dd>
<p>Outputs the randomness seed sources.</p>
</dd>
<dt id="cpusettings"><b>-cpusettings</b></dt>
<dd>
<p>Outputs the OpenSSL CPU settings info.</p>
</dd>
</dl>
<h1 id="HISTORY">HISTORY</h1>
<p>This command was added in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,254 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-kdf</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-kdf - perform Key Derivation Function operations</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl kdf</b> [<b>-help</b>] [<b>-cipher</b>] [<b>-digest</b>] [<b>-mac</b>] [<b>-kdfopt</b> <i>nm</i>:<i>v</i>] [<b>-keylen</b> <i>num</i>] [<b>-out</b> <i>filename</i>] [<b>-binary</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] <i>kdf_name</i></p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The key derivation functions generate a derived key from either a secret or password.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print a usage message.</p>
</dd>
<dt id="keylen-num"><b>-keylen</b> <i>num</i></dt>
<dd>
<p>The output size of the derived key. This field is required.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Filename to output to, or standard output by default.</p>
</dd>
<dt id="binary"><b>-binary</b></dt>
<dd>
<p>Output the derived key in binary form. Uses hexadecimal text format if not specified.</p>
</dd>
<dt id="cipher-name"><b>-cipher</b> <i>name</i></dt>
<dd>
<p>Specify the cipher to be used by the KDF. Not all KDFs require a cipher and it is an error to use this option in such cases.</p>
</dd>
<dt id="digest-name"><b>-digest</b> <i>name</i></dt>
<dd>
<p>Specify the digest to be used by the KDF. Not all KDFs require a digest and it is an error to use this option in such cases. To see the list of supported digests, use <code>openssl list -digest-commands</code>.</p>
</dd>
<dt id="mac-name"><b>-mac</b> <i>name</i></dt>
<dd>
<p>Specify the MAC to be used by the KDF. Not all KDFs require a MAC and it is an error to use this option in such cases.</p>
</dd>
<dt id="kdfopt-nm:v"><b>-kdfopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Passes options to the KDF algorithm. A comprehensive list of parameters can be found in <a href="../man3/EVP_KDF.html">&quot;PARAMETERS&quot; in EVP_KDF(3)</a>. Common parameter names used by EVP_KDF_CTX_set_params() are:</p>
<dl>
<dt id="key:string"><b>key:</b><i>string</i></dt>
<dd>
<p>Specifies the secret key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the KDF algorithm. A key must be specified for most KDF algorithms.</p>
</dd>
<dt id="hexkey:string"><b>hexkey:</b><i>string</i></dt>
<dd>
<p>Alternative to the <b>key:</b> option where the secret key is specified in hexadecimal form (two hex digits per byte).</p>
</dd>
<dt id="pass:string"><b>pass:</b><i>string</i></dt>
<dd>
<p>Specifies the password as an alphanumeric string (use if the password contains printable characters only). The password must be specified for PBKDF2 and scrypt.</p>
</dd>
<dt id="hexpass:string"><b>hexpass:</b><i>string</i></dt>
<dd>
<p>Alternative to the <b>pass:</b> option where the password is specified in hexadecimal form (two hex digits per byte).</p>
</dd>
<dt id="salt:string"><b>salt:</b><i>string</i></dt>
<dd>
<p>Specifies a non-secret unique cryptographic salt as an alphanumeric string (use if it contains printable characters only). The length must conform to any restrictions of the KDF algorithm. A salt parameter is required for several KDF algorithms, such as <a href="../man7/EVP_KDF-PBKDF2.html">EVP_KDF-PBKDF2(7)</a>.</p>
</dd>
<dt id="hexsalt:string"><b>hexsalt:</b><i>string</i></dt>
<dd>
<p>Alternative to the <b>salt:</b> option where the salt is specified in hexadecimal form (two hex digits per byte).</p>
</dd>
<dt id="info:string"><b>info:</b><i>string</i></dt>
<dd>
<p>Some KDF implementations, such as <a href="../man7/EVP_KDF-HKDF.html">EVP_KDF-HKDF(7)</a>, take an &#39;info&#39; parameter for binding the derived key material to application- and context-specific information. Specifies the info, fixed info, other info or shared info argument as an alphanumeric string (use if it contains printable characters only). The length must conform to any restrictions of the KDF algorithm.</p>
</dd>
<dt id="hexinfo:string"><b>hexinfo:</b><i>string</i></dt>
<dd>
<p>Alternative to the <b>info:</b> option where the info is specified in hexadecimal form (two hex digits per byte).</p>
</dd>
<dt id="digest:string"><b>digest:</b><i>string</i></dt>
<dd>
<p>This option is identical to the <b>-digest</b> option.</p>
</dd>
<dt id="cipher:string"><b>cipher:</b><i>string</i></dt>
<dd>
<p>This option is identical to the <b>-cipher</b> option.</p>
</dd>
<dt id="mac:string"><b>mac:</b><i>string</i></dt>
<dd>
<p>This option is identical to the <b>-mac</b> option.</p>
</dd>
</dl>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="kdf_name"><i>kdf_name</i></dt>
<dd>
<p>Specifies the name of a supported KDF algorithm which will be used. The supported algorithms names include TLS1-PRF, HKDF, SSKDF, PBKDF2, SSHKDF, X942KDF-ASN1, X942KDF-CONCAT, X963KDF and SCRYPT.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Use TLS1-PRF to create a hex-encoded derived key from a secret key and seed:</p>
<pre><code> openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:secret \
-kdfopt seed:seed TLS1-PRF</code></pre>
<p>Use HKDF to create a hex-encoded derived key from a secret key, salt and info:</p>
<pre><code> openssl kdf -keylen 10 -kdfopt digest:SHA2-256 -kdfopt key:secret \
-kdfopt salt:salt -kdfopt info:label HKDF</code></pre>
<p>Use SSKDF with KMAC to create a hex-encoded derived key from a secret key, salt and info:</p>
<pre><code> openssl kdf -keylen 64 -kdfopt mac:KMAC-128 -kdfopt maclen:20 \
-kdfopt hexkey:b74a149a161545 -kdfopt hexinfo:348a37a2 \
-kdfopt hexsalt:3638271ccd68a2 SSKDF</code></pre>
<p>Use SSKDF with HMAC to create a hex-encoded derived key from a secret key, salt and info:</p>
<pre><code> openssl kdf -keylen 16 -kdfopt mac:HMAC -kdfopt digest:SHA2-256 \
-kdfopt hexkey:b74a149a -kdfopt hexinfo:348a37a2 \
-kdfopt hexsalt:3638271c SSKDF</code></pre>
<p>Use SSKDF with Hash to create a hex-encoded derived key from a secret key, salt and info:</p>
<pre><code> openssl kdf -keylen 14 -kdfopt digest:SHA2-256 \
-kdfopt hexkey:6dbdc23f045488 \
-kdfopt hexinfo:a1b2c3d4 SSKDF</code></pre>
<p>Use SSHKDF to create a hex-encoded derived key from a secret key, hash and session_id:</p>
<pre><code> openssl kdf -keylen 16 -kdfopt digest:SHA2-256 \
-kdfopt hexkey:0102030405 \
-kdfopt hexxcghash:06090A \
-kdfopt hexsession_id:01020304 \
-kdfopt type:A SSHKDF</code></pre>
<p>Use PBKDF2 to create a hex-encoded derived key from a password and salt:</p>
<pre><code> openssl kdf -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:password \
-kdfopt salt:salt -kdfopt iter:2 PBKDF2</code></pre>
<p>Use scrypt to create a hex-encoded derived key from a password and salt:</p>
<pre><code> openssl kdf -keylen 64 -kdfopt pass:password -kdfopt salt:NaCl \
-kdfopt n:1024 -kdfopt r:8 -kdfopt p:16 \
-kdfopt maxmem_bytes:10485760 SCRYPT</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>The KDF mechanisms that are available will depend on the options used when building OpenSSL.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkeyutl.html">openssl-pkeyutl(1)</a>, <a href="../man3/EVP_KDF.html">EVP_KDF(3)</a>, <a href="../man7/EVP_KDF-SCRYPT.html">EVP_KDF-SCRYPT(7)</a>, <a href="../man7/EVP_KDF-TLS1_PRF.html">EVP_KDF-TLS1_PRF(7)</a>, <a href="../man7/EVP_KDF-PBKDF2.html">EVP_KDF-PBKDF2(7)</a>, <a href="../man7/EVP_KDF-HKDF.html">EVP_KDF-HKDF(7)</a>, <a href="../man7/EVP_KDF-SS.html">EVP_KDF-SS(7)</a>, <a href="../man7/EVP_KDF-SSHKDF.html">EVP_KDF-SSHKDF(7)</a>, <a href="../man7/EVP_KDF-X942-ASN1.html">EVP_KDF-X942-ASN1(7)</a>, <a href="../man7/EVP_KDF-X942-CONCAT.html">EVP_KDF-X942-CONCAT(7)</a>, <a href="../man7/EVP_KDF-X963.html">EVP_KDF-X963(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>Added in OpenSSL 3.0</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
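Review bot: the NOTES paragraph of this page ("The KDF mechanisms that are available will depend on the options used when building OpenSSL") is exactly the build-specific caveat a vendored prebuilt tree should still carry somewhere once the generated docs are gone; if include/openssl keeps a README after this commit, consider pointing readers at `openssl list -kdf-algorithms` (documented in the openssl-list page deleted in the next hunk) as the authoritative list for the binary they actually have, rather than at the static table of names in the deleted kdf_name entry.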


@ -1,334 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-list</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#Display-of-algorithm-names">Display of algorithm names</a></li>
</ul>
</li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-list - list algorithms and features</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl list</b> [<b>-help</b>] [<b>-verbose</b>] [<b>-select</b> <i>name</i>] [<b>-1</b>] [<b>-all-algorithms</b>] [<b>-commands</b>] [<b>-standard-commands</b>] [<b>-digest-algorithms</b>] [<b>-digest-commands</b>] [<b>-kdf-algorithms</b>] [<b>-mac-algorithms</b>] [<b>-random-instances</b>] [<b>-random-generators</b>] [<b>-cipher-algorithms</b>] [<b>-cipher-commands</b>] [<b>-encoders</b>] [<b>-decoders</b>] [<b>-key-managers</b>] [<b>-key-exchange-algorithms</b>] [<b>-kem-algorithms</b>] [<b>-signature-algorithms</b>] [<b>-asymcipher-algorithms</b>] [<b>-public-key-algorithms</b>] [<b>-public-key-methods</b>] [<b>-store-loaders</b>] [<b>-providers</b>] [<b>-engines</b>] [<b>-disabled</b>] [<b>-objects</b>] [<b>-options</b> <i>command</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is used to generate list of algorithms or disabled features.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Display a usage message.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Displays extra information. The options below where verbosity applies say a bit more about what that means.</p>
</dd>
<dt id="select-name"><b>-select</b> <i>name</i></dt>
<dd>
<p>Only list algorithms that match this name.</p>
</dd>
<dt id="pod-1"><b>-1</b></dt>
<dd>
<p>List the commands, digest-commands, or cipher-commands in a single column. If used, this option must be given first.</p>
</dd>
<dt id="all-algorithms"><b>-all-algorithms</b></dt>
<dd>
<p>Display lists of all algorithms. These include:</p>
<dl>
<dt id="Asymmetric-ciphers">Asymmetric ciphers</dt>
<dd>
</dd>
<dt id="Decoders">Decoders</dt>
<dd>
</dd>
<dt id="Digests">Digests</dt>
<dd>
</dd>
<dt id="Encoders">Encoders</dt>
<dd>
</dd>
<dt id="Key-derivation-algorithms-KDF">Key derivation algorithms (KDF)</dt>
<dd>
</dd>
<dt id="Key-encapsulation-methods-KEM">Key encapsulation methods (KEM)</dt>
<dd>
</dd>
<dt id="Key-exchange-algorithms-KEX">Key exchange algorithms (KEX)</dt>
<dd>
</dd>
<dt id="Key-managers">Key managers</dt>
<dd>
</dd>
<dt id="Message-authentication-code-algorithms-MAC">Message authentication code algorithms (MAC)</dt>
<dd>
</dd>
<dt id="Random-number-generators-RNG-DRBG">Random number generators (RNG, DRBG)</dt>
<dd>
</dd>
<dt id="Signature-algorithms">Signature algorithms</dt>
<dd>
</dd>
<dt id="Store-loaders">Store loaders</dt>
<dd>
</dd>
<dt id="Symmetric-ciphers">Symmetric ciphers</dt>
<dd>
</dd>
</dl>
</dd>
<dt id="commands"><b>-commands</b></dt>
<dd>
<p>Display a list of standard commands.</p>
</dd>
<dt id="standard-commands"><b>-standard-commands</b></dt>
<dd>
<p>List of standard commands.</p>
</dd>
<dt id="digest-commands"><b>-digest-commands</b></dt>
<dd>
<p>This option is deprecated. Use <b>digest-algorithms</b> instead.</p>
<p>Display a list of message digest commands, which are typically used as input to the <a href="../man1/openssl-dgst.html">openssl-dgst(1)</a> or <a href="../man1/openssl-speed.html">openssl-speed(1)</a> commands.</p>
</dd>
<dt id="cipher-commands"><b>-cipher-commands</b></dt>
<dd>
<p>This option is deprecated. Use <b>cipher-algorithms</b> instead.</p>
<p>Display a list of cipher commands, which are typically used as input to the <a href="../man1/openssl-enc.html">openssl-enc(1)</a> or <a href="../man1/openssl-speed.html">openssl-speed(1)</a> commands.</p>
</dd>
<dt id="cipher-algorithms--digest-algorithms--kdf-algorithms--mac-algorithms"><b>-cipher-algorithms</b>, <b>-digest-algorithms</b>, <b>-kdf-algorithms</b>, <b>-mac-algorithms</b>,</dt>
<dd>
<p>Display a list of symmetric cipher, digest, kdf and mac algorithms. See <a href="#Display-of-algorithm-names">&quot;Display of algorithm names&quot;</a> for a description of how names are displayed.</p>
<p>In verbose mode, the algorithms provided by a provider will get additional information on what parameters each implementation supports.</p>
</dd>
<dt id="random-instances"><b>-random-instances</b></dt>
<dd>
<p>List the primary, public and private random number generator details.</p>
</dd>
<dt id="random-generators"><b>-random-generators</b></dt>
<dd>
<p>Display a list of random number generators. See <a href="#Display-of-algorithm-names">&quot;Display of algorithm names&quot;</a> for a description of how names are displayed.</p>
</dd>
<dt id="encoders"><b>-encoders</b></dt>
<dd>
<p>Display a list of encoders. See <a href="#Display-of-algorithm-names">&quot;Display of algorithm names&quot;</a> for a description of how names are displayed.</p>
<p>In verbose mode, the algorithms provided by a provider will get additional information on what parameters each implementation supports.</p>
</dd>
<dt id="decoders"><b>-decoders</b></dt>
<dd>
<p>Display a list of decoders. See <a href="#Display-of-algorithm-names">&quot;Display of algorithm names&quot;</a> for a description of how names are displayed.</p>
<p>In verbose mode, the algorithms provided by a provider will get additional information on what parameters each implementation supports.</p>
</dd>
<dt id="public-key-algorithms"><b>-public-key-algorithms</b></dt>
<dd>
<p>Display a list of public key algorithms, with each algorithm as a block of multiple lines, all but the first are indented. The options <b>key-exchange-algorithms</b>, <b>kem-algorithms</b>, <b>signature-algorithms</b>, and <b>asymcipher-algorithms</b> will display similar info.</p>
</dd>
<dt id="public-key-methods"><b>-public-key-methods</b></dt>
<dd>
<p>Display a list of public key methods.</p>
</dd>
<dt id="key-managers"><b>-key-managers</b></dt>
<dd>
<p>Display a list of key managers.</p>
</dd>
<dt id="key-exchange-algorithms"><b>-key-exchange-algorithms</b></dt>
<dd>
<p>Display a list of key exchange algorithms.</p>
</dd>
<dt id="kem-algorithms"><b>-kem-algorithms</b></dt>
<dd>
<p>Display a list of key encapsulation algorithms.</p>
</dd>
<dt id="signature-algorithms"><b>-signature-algorithms</b></dt>
<dd>
<p>Display a list of signature algorithms.</p>
</dd>
<dt id="asymcipher-algorithms"><b>-asymcipher-algorithms</b></dt>
<dd>
<p>Display a list of asymmetric cipher algorithms.</p>
</dd>
<dt id="store-loaders"><b>-store-loaders</b></dt>
<dd>
<p>Display a list of store loaders.</p>
</dd>
<dt id="providers"><b>-providers</b></dt>
<dd>
<p>Display a list of all loaded providers with their names, version and status.</p>
<p>In verbose mode, the full version and all provider parameters will additionally be displayed.</p>
</dd>
<dt id="engines"><b>-engines</b></dt>
<dd>
<p>This option is deprecated.</p>
<p>Display a list of loaded engines.</p>
</dd>
<dt id="disabled"><b>-disabled</b></dt>
<dd>
<p>Display a list of disabled features, those that were compiled out of the installation.</p>
</dd>
<dt id="objects"><b>-objects</b></dt>
<dd>
<p>Display a list of built in objects, i.e. OIDs with names. They&#39;re listed in the format described in <a href="../man5/config.html">&quot;ASN1 Object Configuration Module&quot; in config(5)</a>.</p>
</dd>
<dt id="options-command"><b>-options</b> <i>command</i></dt>
<dd>
<p>Output a two-column list of the options accepted by the specified <i>command</i>. The first is the option name, and the second is a one-character indication of what type of parameter it takes, if any. This is an internal option, used for checking that the documentation is complete.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h2 id="Display-of-algorithm-names">Display of algorithm names</h2>
<p>Algorithm names may be displayed in one of two manners:</p>
<dl>
<dt id="Legacy-implementations">Legacy implementations</dt>
<dd>
<p>Legacy implementations will simply display the main name of the algorithm on a line of its own, or in the form <code>&lt;foo </code> bar&gt;&gt; to show that <code>foo</code> is an alias for the main name, <code>bar</code></p>
</dd>
<dt id="Provided-implementations">Provided implementations</dt>
<dd>
<p>Implementations from a provider are displayed like this if the implementation is labeled with a single name:</p>
<pre><code> foo @ bar</code></pre>
<p>or like this if it&#39;s labeled with multiple names:</p>
<pre><code> { foo1, foo2 } @bar</code></pre>
<p>In both cases, <code>bar</code> is the name of the provider.</p>
</dd>
</dl>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engines</b>, <b>-digest-commands</b>, and <b>-cipher-commands</b> options were deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
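Review bot: The deleted openssl-list page is cross-linked by relative paths (../man1/openssl-dgst.html, ../man1/openssl-speed.html, ../man5/config.html, ../man7/provider.html, ../man7/property.html), and the openssl-mac page removed in the next hunk still tells users to run `openssl list -digest-commands` and `openssl list -mac-algorithms`, so this removal only stays consistent if the whole prebuilt html tree leaves in one commit; removing pages piecemeal would leave dangling links in whatever remains. For anyone who later reinstates docs, note that the HISTORY section of this page records that -engines, -digest-commands and -cipher-commands were deprecated in OpenSSL 3.0, so the snapshot being deleted was already stale with respect to the -digest-algorithms and -cipher-algorithms forms it recommends further up.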

View File

@ -1,188 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-mac</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-mac - perform Message Authentication Code operations</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl mac</b> [<b>-help</b>] [<b>-cipher</b>] [<b>-digest</b>] [<b>-macopt</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-binary</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] <i>mac_name</i></p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The message authentication code functions output the MAC of a supplied input file.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print a usage message.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>Input filename to calculate a MAC for, or standard input by default. Standard input is used if the filename is &#39;-&#39;. Files and standard input are expected to be in binary format.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Filename to output to, or standard output by default.</p>
</dd>
<dt id="binary"><b>-binary</b></dt>
<dd>
<p>Output the MAC in binary form. Uses hexadecimal text format if not specified.</p>
</dd>
<dt id="cipher-name"><b>-cipher</b> <i>name</i></dt>
<dd>
<p>Used by CMAC and GMAC to specify the cipher algorithm. For CMAC it should be a CBC mode cipher e.g. AES-128-CBC. For GMAC it should be a GCM mode cipher e.g. AES-128-GCM.</p>
</dd>
<dt id="digest-name"><b>-digest</b> <i>name</i></dt>
<dd>
<p>Used by HMAC as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. To see the list of supported digests, use <code>openssl list -digest-commands</code>.</p>
</dd>
<dt id="macopt-nm:v"><b>-macopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Passes options to the MAC algorithm. A comprehensive list of controls can be found in the EVP_MAC implementation documentation. Common parameter names used by EVP_MAC_CTX_get_params() are:</p>
<dl>
<dt id="key:string"><b>key:</b><i>string</i></dt>
<dd>
<p>Specifies the MAC key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm.</p>
</dd>
<dt id="hexkey:string"><b>hexkey:</b><i>string</i></dt>
<dd>
<p>Specifies the MAC key in hexadecimal form (two hex digits per byte). The key length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm.</p>
</dd>
<dt id="iv:string"><b>iv:</b><i>string</i></dt>
<dd>
<p>Used by GMAC to specify an IV as an alphanumeric string (use if the IV contains printable characters only).</p>
</dd>
<dt id="hexiv:string"><b>hexiv:</b><i>string</i></dt>
<dd>
<p>Used by GMAC to specify an IV in hexadecimal form (two hex digits per byte).</p>
</dd>
<dt id="size:int"><b>size:</b><i>int</i></dt>
<dd>
<p>Used by KMAC128 or KMAC256 to specify an output length. The default sizes are 32 or 64 bytes respectively.</p>
</dd>
<dt id="custom:string"><b>custom:</b><i>string</i></dt>
<dd>
<p>Used by KMAC128 or KMAC256 to specify a customization string. The default is the empty string &quot;&quot;.</p>
</dd>
<dt id="digest:string"><b>digest:</b><i>string</i></dt>
<dd>
<p>This option is identical to the <b>-digest</b> option.</p>
</dd>
<dt id="cipher:string"><b>cipher:</b><i>string</i></dt>
<dd>
<p>This option is identical to the <b>-cipher</b> option.</p>
</dd>
</dl>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="mac_name"><i>mac_name</i></dt>
<dd>
<p>Specifies the name of a supported MAC algorithm which will be used. To see the list of supported MAC&#39;s use the command <code>openssl list -mac-algorithms</code>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>To create a hex-encoded HMAC-SHA1 MAC of a file and write to stdout: \ openssl mac -digest SHA1 \ -macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 \ -in msg.bin HMAC</p>
<p>To create a SipHash MAC from a file with a binary file output: \ openssl mac -macopt hexkey:000102030405060708090A0B0C0D0E0F \ -in msg.bin -out out.bin -binary SipHash</p>
<p>To create a hex-encoded CMAC-AES-128-CBC MAC from a file:\ openssl mac -cipher AES-128-CBC \ -macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B \ -in msg.bin CMAC</p>
<p>To create a hex-encoded KMAC128 MAC from a file with a Customisation String &#39;Tag&#39; and output length of 16: \ openssl mac -macopt custom:Tag -macopt hexkey:40414243444546 \ -macopt size:16 -in msg.bin KMAC128</p>
<p>To create a hex-encoded GMAC-AES-128-GCM with a IV from a file: \ openssl mac -cipher AES-128-GCM -macopt hexiv:E0E00F19FED7BA0136A797F3 \ -macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B -in msg.bin GMAC</p>
<h1 id="NOTES">NOTES</h1>
<p>The MAC mechanisms that are available will depend on the options used when building OpenSSL. Use <code>openssl list -mac-algorithms</code> to list them.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man3/EVP_MAC.html">EVP_MAC(3)</a>, <a href="../man7/EVP_MAC-CMAC.html">EVP_MAC-CMAC(7)</a>, <a href="../man7/EVP_MAC-GMAC.html">EVP_MAC-GMAC(7)</a>, <a href="../man7/EVP_MAC-HMAC.html">EVP_MAC-HMAC(7)</a>, <a href="../man7/EVP_MAC-KMAC.html">EVP_MAC-KMAC(7)</a>, <a href="../man7/EVP_MAC-Siphash.html">EVP_MAC-Siphash(7)</a>, <a href="../man7/EVP_MAC-Poly1305.html">EVP_MAC-Poly1305(7)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
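Review bot: The removal itself is fine, but the EXAMPLES section of this page is a reason not to simply restore the prebuilt HTML later: the five `openssl mac` commands were flattened into single <p> elements with the pod line-continuation backslashes left in as literal text, and the -digest option text repeats the `key:` wording ("as an alphanumeric string (use if the key contains printable characters only)") instead of describing a digest name. If the project needs the mac(1) page again, regenerate it from the OpenSSL pod sources at the pinned version rather than re-adding this snapshot.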

View File

@ -1,185 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-namedisplay-options</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#Name-Format-Option-Arguments">Name Format Option Arguments</a></li>
</ul>
</li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-namedisplay-options - Distinguished name display options</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <i>command</i> [ <i>options</i> ... ] [ <i>parameters</i> ... ]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>OpenSSL provides fine-grain control over how the subject and issuer DN&#39;s are displayed. This is specified by using the <b>-nameopt</b> option, which takes a comma-separated list of options from the following set. An option may be preceded by a minus sign, <code>-</code>, to turn it off. The default value is <code>utf8,sep_comma_plus_space</code>. The first four are the most commonly used.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<h2 id="Name-Format-Option-Arguments">Name Format Option Arguments</h2>
<p>The DN output format can be fine tuned with the following flags.</p>
<dl>
<dt id="compat"><b>compat</b></dt>
<dd>
<p>Display the name using an old format from previous OpenSSL versions.</p>
</dd>
<dt id="RFC2253"><b>RFC2253</b></dt>
<dd>
<p>Display the name using the format defined in RFC 2253. It is equivalent to <b>esc_2253</b>, <b>esc_ctrl</b>, <b>esc_msb</b>, <b>utf8</b>, <b>dump_nostr</b>, <b>dump_unknown</b>, <b>dump_der</b>, <b>sep_comma_plus</b>, <b>dn_rev</b> and <b>sname</b>.</p>
</dd>
<dt id="oneline"><b>oneline</b></dt>
<dd>
<p>Display the name in one line, using a format that is more readable RFC 2253. It is equivalent to <b>esc_2253</b>, <b>esc_ctrl</b>, <b>esc_msb</b>, <b>utf8</b>, <b>dump_nostr</b>, <b>dump_der</b>, <b>use_quote</b>, <b>sep_comma_plus_space</b>, <b>space_eq</b> and <b>sname</b> options.</p>
</dd>
<dt id="multiline"><b>multiline</b></dt>
<dd>
<p>Display the name using multiple lines. It is equivalent to <b>esc_ctrl</b>, <b>esc_msb</b>, <b>sep_multiline</b>, <b>space_eq</b>, <b>lname</b> and <b>align</b>.</p>
</dd>
<dt id="esc_2253"><b>esc_2253</b></dt>
<dd>
<p>Escape the &quot;special&quot; characters in a field, as required by RFC 2253. That is, any of the characters <code>,+&quot;&lt;&gt;;</code>, <code>#</code> at the beginning of a string and leading or trailing spaces.</p>
</dd>
<dt id="esc_2254"><b>esc_2254</b></dt>
<dd>
<p>Escape the &quot;special&quot; characters in a field as required by RFC 2254 in a field. That is, the <b>NUL</b> character and of <code>()*</code>.</p>
</dd>
<dt id="esc_ctrl"><b>esc_ctrl</b></dt>
<dd>
<p>Escape non-printable ASCII characters, codes less than 0x20 (space) or greater than 0x7F (DELETE). They are displayed using RFC 2253 <code>\XX</code> notation where <b>XX</b> are the two hex digits representing the character value.</p>
</dd>
<dt id="esc_msb"><b>esc_msb</b></dt>
<dd>
<p>Escape any characters with the most significant bit set, that is with values larger than 127, as described in <b>esc_ctrl</b>.</p>
</dd>
<dt id="use_quote"><b>use_quote</b></dt>
<dd>
<p>Escapes some characters by surrounding the entire string with quotation marks, <code>&quot;</code>. Without this option, individual special characters are preceded with a backslash character, <code>\</code>.</p>
</dd>
<dt id="utf8"><b>utf8</b></dt>
<dd>
<p>Convert all strings to UTF-8 format first as required by RFC 2253. If the output device is UTF-8 compatible, then using this option (and not setting <b>esc_msb</b>) may give the correct display of multibyte characters. If this option is not set, then multibyte characters larger than 0xFF will be output as <code>\UXXXX</code> for 16 bits or <code>\WXXXXXXXX</code> for 32 bits. In addition, any UTF8Strings will be converted to their character form first.</p>
</dd>
<dt id="ignore_type"><b>ignore_type</b></dt>
<dd>
<p>This option does not attempt to interpret multibyte characters in any way. That is, the content octets are merely dumped as though one octet represents each character. This is useful for diagnostic purposes but will result in rather odd looking output.</p>
</dd>
<dt id="show_type"><b>show_type</b></dt>
<dd>
<p>Display the type of the ASN1 character string before the value, such as <code>BMPSTRING: Hello World</code>.</p>
</dd>
<dt id="dump_der"><b>dump_der</b></dt>
<dd>
<p>Any fields that would be output in hex format are displayed using the DER encoding of the field. If not set, just the content octets are displayed. Either way, the <b>#XXXX...</b> format of RFC 2253 is used.</p>
</dd>
<dt id="dump_nostr"><b>dump_nostr</b></dt>
<dd>
<p>Dump non-character strings, such as ASN.1 <b>OCTET STRING</b>. If this option is not set, then non character string types will be displayed as though each content octet represents a single character.</p>
</dd>
<dt id="dump_all"><b>dump_all</b></dt>
<dd>
<p>Dump all fields. When this used with <b>dump_der</b>, this allows the DER encoding of the structure to be unambiguously determined.</p>
</dd>
<dt id="dump_unknown"><b>dump_unknown</b></dt>
<dd>
<p>Dump any field whose OID is not recognised by OpenSSL.</p>
</dd>
<dt id="sep_comma_plus-sep_comma_plus_space-sep_semi_plus_space-sep_multiline"><b>sep_comma_plus</b>, <b>sep_comma_plus_space</b>, <b>sep_semi_plus_space</b>, <b>sep_multiline</b></dt>
<dd>
<p>Specify the field separators. The first word is used between the Relative Distinguished Names (RDNs) and the second is between multiple Attribute Value Assertions (AVAs). Multiple AVAs are very rare and their use is discouraged. The options ending in &quot;space&quot; additionally place a space after the separator to make it more readable. The <b>sep_multiline</b> starts each field on its own line, and uses &quot;plus space&quot; for the AVA separator. It also indents the fields by four characters. The default value is <b>sep_comma_plus_space</b>.</p>
</dd>
<dt id="dn_rev"><b>dn_rev</b></dt>
<dd>
<p>Reverse the fields of the DN as required by RFC 2253. This also reverses the order of multiple AVAs in a field, but this is permissible as there is no ordering on values.</p>
</dd>
<dt id="nofname-sname-lname-oid"><b>nofname</b>, <b>sname</b>, <b>lname</b>, <b>oid</b></dt>
<dd>
<p>Specify how the field name is displayed. <b>nofname</b> does not display the field at all. <b>sname</b> uses the &quot;short name&quot; form (CN for commonName for example). <b>lname</b> uses the long form. <b>oid</b> represents the OID in numerical form and is useful for diagnostic purpose.</p>
</dd>
<dt id="align"><b>align</b></dt>
<dd>
<p>Align field values for a more readable output. Only usable with <b>sep_multiline</b>.</p>
</dd>
<dt id="space_eq"><b>space_eq</b></dt>
<dd>
<p>Places spaces round the equal sign, <code>=</code>, character which follows the field name.</p>
</dd>
</dl>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,102 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-nseq</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-nseq - create or examine a Netscape certificate sequence</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>nseq</b> [<b>-help</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-toseq</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command takes a file containing a Netscape certificate sequence and prints out the certificates contained in it or takes a file of certificates and converts it into a Netscape certificate sequence.</p>
<p>A Netscape certificate sequence is an old Netscape-specific format that can be sometimes be sent to browsers as an alternative to the standard PKCS#7 format when several certificates are sent to the browser, for example during certificate enrollment. It was also used by Netscape certificate server.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read or standard input if this option is not specified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Specifies the output filename or standard output by default.</p>
</dd>
<dt id="toseq"><b>-toseq</b></dt>
<dd>
<p>Normally a Netscape certificate sequence will be input and the output is the certificates contained in it. With the <b>-toseq</b> option the situation is reversed: a Netscape certificate sequence is created from a file of certificates.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Output the certificates in a Netscape certificate sequence</p>
<pre><code> openssl nseq -in nseq.pem -out certs.pem</code></pre>
<p>Create a Netscape certificate sequence</p>
<pre><code> openssl nseq -in certs.pem -toseq -out nseq.pem</code></pre>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,476 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-ocsp</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a>
<ul>
<li><a href="#OCSP-Client">OCSP Client</a></li>
<li><a href="#OCSP-Server">OCSP Server</a></li>
</ul>
</li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#OCSP-Client-Options">OCSP Client Options</a></li>
<li><a href="#OCSP-Server-Options">OCSP Server Options</a></li>
</ul>
</li>
<li><a href="#OCSP-RESPONSE-VERIFICATION">OCSP RESPONSE VERIFICATION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-ocsp - Online Certificate Status Protocol command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<h2 id="OCSP-Client">OCSP Client</h2>
<p><b>openssl</b> <b>ocsp</b> [<b>-help</b>] [<b>-out</b> <i>file</i>] [<b>-issuer</b> <i>file</i>] [<b>-cert</b> <i>file</i>] [<b>-no_certs</b>] [<b>-serial</b> <i>n</i>] [<b>-signer</b> <i>file</i>] [<b>-signkey</b> <i>file</i>] [<b>-sign_other</b> <i>file</i>] [<b>-nonce</b>] [<b>-no_nonce</b>] [<b>-req_text</b>] [<b>-resp_text</b>] [<b>-text</b>] [<b>-reqout</b> <i>file</i>] [<b>-respout</b> <i>file</i>] [<b>-reqin</b> <i>file</i>] [<b>-respin</b> <i>file</i>] [<b>-url</b> <i>URL</i>] [<b>-host</b> <i>host</i>:<i>port</i>] [<b>-path</b> <i>pathname</i>] [<b>-proxy</b> <i>[http[s]://][userinfo@]host[:port][/path]</i>] [<b>-no_proxy</b> <i>addresses</i>] [<b>-header</b>] [<b>-timeout</b> <i>seconds</i>] [<b>-VAfile</b> <i>file</i>] [<b>-validity_period</b> <i>n</i>] [<b>-status_age</b> <i>n</i>] [<b>-noverify</b>] [<b>-verify_other</b> <i>file</i>] [<b>-trust_other</b>] [<b>-no_intern</b>] [<b>-no_signature_verify</b>] [<b>-no_cert_verify</b>] [<b>-no_chain</b>] [<b>-no_cert_checks</b>] [<b>-no_explicit</b>] [<b>-port</b> <i>num</i>] [<b>-ignore_err</b>]</p>
<h2 id="OCSP-Server">OCSP Server</h2>
<p><b>openssl</b> <b>ocsp</b> [<b>-index</b> <i>file</i>] [<b>-CA</b> <i>file</i>] [<b>-rsigner</b> <i>file</i>] [<b>-rkey</b> <i>file</i>] [<b>-passin</b> <i>arg</i>] [<b>-rother</b> <i>file</i>] [<b>-rsigopt</b> <i>nm</i>:<i>v</i>] [<b>-rmd</b> <i>digest</i>] [<b>-badsig</b>] [<b>-resp_no_certs</b>] [<b>-nmin</b> <i>n</i>] [<b>-ndays</b> <i>n</i>] [<b>-resp_key_id</b>] [<b>-nrequest</b> <i>n</i>] [<b>-multi</b> <i>process-count</i>] [<b>-rcid</b> <i>digest</i>] [<b>-<i>digest</i></b>] [<b>-CAfile</b> <i>file</i>] [<b>-no-CAfile</b>] [<b>-CApath</b> <i>dir</i>] [<b>-no-CApath</b>] [<b>-CAstore</b> <i>uri</i>] [<b>-no-CAstore</b>] [<b>-allow_proxy_certs</b>] [<b>-attime</b> <i>timestamp</i>] [<b>-no_check_time</b>] [<b>-check_ss_sig</b>] [<b>-crl_check</b>] [<b>-crl_check_all</b>] [<b>-explicit_policy</b>] [<b>-extended_crl</b>] [<b>-ignore_critical</b>] [<b>-inhibit_any</b>] [<b>-inhibit_map</b>] [<b>-partial_chain</b>] [<b>-policy</b> <i>arg</i>] [<b>-policy_check</b>] [<b>-policy_print</b>] [<b>-purpose</b> <i>purpose</i>] [<b>-suiteB_128</b>] [<b>-suiteB_128_only</b>] [<b>-suiteB_192</b>] [<b>-trusted_first</b>] [<b>-no_alt_chains</b>] [<b>-use_deltas</b>] [<b>-auth_level</b> <i>num</i>] [<b>-verify_depth</b> <i>num</i>] [<b>-verify_email</b> <i>email</i>] [<b>-verify_hostname</b> <i>hostname</i>] [<b>-verify_ip</b> <i>ip</i>] [<b>-verify_name</b> <i>name</i>] [<b>-x509_strict</b>] [<b>-issuer_checks</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate (RFC 2560).</p>
<p>This command performs many common OCSP tasks. It can be used to print out requests and responses, create requests and send queries to an OCSP responder and behave like a mini OCSP server itself.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<p>This command operates as either a client or a server. The options are described below, divided into those two modes.</p>
<h2 id="OCSP-Client-Options">OCSP Client Options</h2>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>specify output filename, default is standard output.</p>
</dd>
<dt id="issuer-filename"><b>-issuer</b> <i>filename</i></dt>
<dd>
<p>This specifies the current issuer certificate. The input can be in PEM, DER, or PKCS#12 format.</p>
<p>This option can be used multiple times. This option <b>MUST</b> come before any <b>-cert</b> options.</p>
</dd>
<dt id="cert-filename"><b>-cert</b> <i>filename</i></dt>
<dd>
<p>Add the certificate <i>filename</i> to the request. The input can be in PEM, DER, or PKCS#12 format.</p>
<p>This option can be used multiple times. The issuer certificate is taken from the previous <b>-issuer</b> option, or an error occurs if no issuer certificate is specified.</p>
</dd>
<dt id="no_certs"><b>-no_certs</b></dt>
<dd>
<p>Don&#39;t include any certificates in signed request.</p>
</dd>
<dt id="serial-num"><b>-serial</b> <i>num</i></dt>
<dd>
<p>Same as the <b>-cert</b> option except the certificate with serial number <b>num</b> is added to the request. The serial number is interpreted as a decimal integer unless preceded by <code>0x</code>. Negative integers can also be specified by preceding the value by a <code>-</code> sign.</p>
</dd>
<dt id="signer-filename--signkey-filename"><b>-signer</b> <i>filename</i>, <b>-signkey</b> <i>filename</i></dt>
<dd>
<p>Sign the OCSP request using the certificate specified in the <b>-signer</b> option and the private key specified by the <b>-signkey</b> option. The input can be in PEM, DER, or PKCS#12 format.</p>
<p>If the <b>-signkey</b> option is not present then the private key is read from the same file as the certificate. If neither option is specified then the OCSP request is not signed.</p>
</dd>
<dt id="sign_other-filename"><b>-sign_other</b> <i>filename</i></dt>
<dd>
<p>Additional certificates to include in the signed request. The input can be in PEM, DER, or PKCS#12 format.</p>
</dd>
<dt id="nonce--no_nonce"><b>-nonce</b>, <b>-no_nonce</b></dt>
<dd>
<p>Add an OCSP nonce extension to a request or disable OCSP nonce addition. Normally if an OCSP request is input using the <b>-reqin</b> option no nonce is added: using the <b>-nonce</b> option will force addition of a nonce. If an OCSP request is being created (using <b>-cert</b> and <b>-serial</b> options) a nonce is automatically added specifying <b>-no_nonce</b> overrides this.</p>
</dd>
<dt id="req_text--resp_text--text"><b>-req_text</b>, <b>-resp_text</b>, <b>-text</b></dt>
<dd>
<p>Print out the text form of the OCSP request, response or both respectively.</p>
</dd>
<dt id="reqout-file--respout-file"><b>-reqout</b> <i>file</i>, <b>-respout</b> <i>file</i></dt>
<dd>
<p>Write out the DER encoded certificate request or response to <i>file</i>.</p>
</dd>
<dt id="reqin-file--respin-file"><b>-reqin</b> <i>file</i>, <b>-respin</b> <i>file</i></dt>
<dd>
<p>Read OCSP request or response file from <i>file</i>. These option are ignored if OCSP request or response creation is implied by other options (for example with <b>-serial</b>, <b>-cert</b> and <b>-host</b> options).</p>
</dd>
<dt id="url-responder_url"><b>-url</b> <i>responder_url</i></dt>
<dd>
<p>Specify the responder host and optionally port and path via a URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified. The optional userinfo and fragment components are ignored. Any given query component is handled as part of the path component. For details, see the <b>-host</b> and <b>-path</b> options described next.</p>
</dd>
<dt id="host-host:port--path-pathname"><b>-host</b> <i>host</i>:<i>port</i>, <b>-path</b> <i>pathname</i></dt>
<dd>
<p>If the <b>-host</b> option is present then the OCSP request is sent to the host <i>host</i> on port <i>port</i>. The <i>host</i> may be a domain name or an IP (v4 or v6) address, such as <code>127.0.0.1</code> or <code>[::1]</code> for localhost. The <b>-path</b> option specifies the HTTP pathname to use or &quot;/&quot; by default. This is equivalent to specifying <b>-url</b> with scheme http:// and the given <i>host</i>, <i>port</i>, and optional <i>pathname</i>.</p>
</dd>
<dt id="proxy-http-s-:-userinfo-host-:port-path"><b>-proxy</b> <i>[http[s]://][userinfo@]host[:port][/path]</i></dt>
<dd>
<p>The HTTP(S) proxy server to use for reaching the OCSP server unless <b>-no_proxy</b> applies, see below. The proxy port defaults to 80 or 443 if the scheme is <code>https</code>; apart from that the optional <code>http://</code> or <code>https://</code> prefix is ignored, as well as any userinfo and path components. Defaults to the environment variable <code>http_proxy</code> if set, else <code>HTTP_PROXY</code> in case no TLS is used, otherwise <code>https_proxy</code> if set, else <code>HTTPS_PROXY</code>.</p>
</dd>
<dt id="no_proxy-addresses"><b>-no_proxy</b> <i>addresses</i></dt>
<dd>
<p>List of IP addresses and/or DNS names of servers not to use an HTTP(S) proxy for, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in &quot;...&quot;). Default is from the environment variable <code>no_proxy</code> if set, else <code>NO_PROXY</code>.</p>
</dd>
<dt id="header-name-value"><b>-header</b> <i>name</i>=<i>value</i></dt>
<dd>
<p>Adds the header <i>name</i> with the specified <i>value</i> to the OCSP request that is sent to the responder. This may be repeated.</p>
</dd>
<dt id="timeout-seconds"><b>-timeout</b> <i>seconds</i></dt>
<dd>
<p>Connection timeout to the OCSP responder in seconds. On POSIX systems, when running as an OCSP responder, this option also limits the time that the responder is willing to wait for the client request. This time is measured from the time the responder accepts the connection until the complete request is received.</p>
</dd>
<dt id="verify_other-file"><b>-verify_other</b> <i>file</i></dt>
<dd>
<p>File or URI containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer&#39;s certificate from the response: this option can be used to supply the necessary certificate in such cases. The input can be in PEM, DER, or PKCS#12 format.</p>
</dd>
<dt id="trust_other"><b>-trust_other</b></dt>
<dd>
<p>The certificates specified by the <b>-verify_other</b> option should be explicitly trusted and no additional checks will be performed on them. This is useful when the complete responder certificate chain is not available or trusting a root CA is not appropriate.</p>
</dd>
<dt id="VAfile-file"><b>-VAfile</b> <i>file</i></dt>
<dd>
<p>File or URI containing explicitly trusted responder certificates. Equivalent to the <b>-verify_other</b> and <b>-trust_other</b> options. The input can be in PEM, DER, or PKCS#12 format.</p>
</dd>
<dt id="noverify"><b>-noverify</b></dt>
<dd>
<p>Don&#39;t attempt to verify the OCSP response signature or the nonce values. This option will normally only be used for debugging since it disables all verification of the responder&#39;s certificate.</p>
</dd>
<dt id="no_intern"><b>-no_intern</b></dt>
<dd>
<p>Ignore certificates contained in the OCSP response when searching for the signer&#39;s certificate. With this option the signer&#39;s certificate must be specified with either the <b>-verify_other</b> or <b>-VAfile</b> options.</p>
</dd>
<dt id="no_signature_verify"><b>-no_signature_verify</b></dt>
<dd>
<p>Don&#39;t check the signature on the OCSP response. Since this option tolerates invalid signatures on OCSP responses it will normally only be used for testing purposes.</p>
</dd>
<dt id="no_cert_verify"><b>-no_cert_verify</b></dt>
<dd>
<p>Don&#39;t verify the OCSP response signer&#39;s certificate at all. Since this option allows the OCSP response to be signed by any certificate it should only be used for testing purposes.</p>
</dd>
<dt id="no_chain"><b>-no_chain</b></dt>
<dd>
<p>Do not use certificates in the response as additional untrusted CA certificates.</p>
</dd>
<dt id="no_explicit"><b>-no_explicit</b></dt>
<dd>
<p>Do not explicitly trust the root CA if it is set to be trusted for OCSP signing.</p>
</dd>
<dt id="no_cert_checks"><b>-no_cert_checks</b></dt>
<dd>
<p>Don&#39;t perform any additional checks on the OCSP response signer&#39;s certificate. That is, do not make any checks to see if the signer&#39;s certificate is authorised to provide the necessary status information: as a result this option should only be used for testing purposes.</p>
</dd>
<dt id="validity_period-nsec--status_age-age"><b>-validity_period</b> <i>nsec</i>, <b>-status_age</b> <i>age</i></dt>
<dd>
<p>These options specify the range of times, in seconds, which will be tolerated in an OCSP response. Each certificate status response includes a <b>notBefore</b> time and an optional <b>notAfter</b> time (the <b>thisUpdate</b> and <b>nextUpdate</b> fields of the single response). The current time should fall between these two values, but the interval between the two times may be only a few seconds. In practice the OCSP responder&#39;s and client&#39;s clocks may not be precisely synchronised and so such a check may fail. To avoid this the <b>-validity_period</b> option can be used to specify an acceptable error range in seconds; the default value is 5 minutes.</p>
<p>If the <b>notAfter</b> time is omitted from a response then this means that new status information is immediately available. In this case the age of the <b>notBefore</b> field is checked to ensure it is not older than <i>age</i> seconds. By default this additional check is not performed.</p>
</dd>
<dt id="rcid-digest"><b>-rcid</b> <i>digest</i></dt>
<dd>
<p>This option sets the digest algorithm to use for certificate identification in the OCSP response. Any digest supported by the <a href="../man1/openssl-dgst.html">openssl-dgst(1)</a> command can be used. The default is the same digest algorithm used in the request.</p>
</dd>
<dt id="digest"><b>-<i>digest</i></b></dt>
<dd>
<p>This option sets the digest algorithm to use for certificate identification in the OCSP request. Any digest supported by the OpenSSL <b>dgst</b> command can be used. The default is SHA-1. This option may be used multiple times to specify the digest used by subsequent certificate identifiers.</p>
</dd>
<dt id="CAfile-file--no-CAfile--CApath-dir--no-CApath--CAstore-uri--no-CAstore"><b>-CAfile</b> <i>file</i>, <b>-no-CAfile</b>, <b>-CApath</b> <i>dir</i>, <b>-no-CApath</b>, <b>-CAstore</b> <i>uri</i>, <b>-no-CAstore</b></dt>
<dd>
<p>See <a href="../man1/openssl-verification-options.html">&quot;Trusted Certificate Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
<dt id="allow_proxy_certs--attime--no_check_time--check_ss_sig--crl_check--crl_check_all--explicit_policy--extended_crl--ignore_critical--inhibit_any--inhibit_map--no_alt_chains--partial_chain--policy--policy_check--policy_print--purpose--suiteB_128--suiteB_128_only--suiteB_192--trusted_first--use_deltas--auth_level--verify_depth--verify_email--verify_hostname--verify_ip--verify_name--x509_strict--issuer_checks"><b>-allow_proxy_certs</b>, <b>-attime</b>, <b>-no_check_time</b>, <b>-check_ss_sig</b>, <b>-crl_check</b>, <b>-crl_check_all</b>, <b>-explicit_policy</b>, <b>-extended_crl</b>, <b>-ignore_critical</b>, <b>-inhibit_any</b>, <b>-inhibit_map</b>, <b>-no_alt_chains</b>, <b>-partial_chain</b>, <b>-policy</b>, <b>-policy_check</b>, <b>-policy_print</b>, <b>-purpose</b>, <b>-suiteB_128</b>, <b>-suiteB_128_only</b>, <b>-suiteB_192</b>, <b>-trusted_first</b>, <b>-use_deltas</b>, <b>-auth_level</b>, <b>-verify_depth</b>, <b>-verify_email</b>, <b>-verify_hostname</b>, <b>-verify_ip</b>, <b>-verify_name</b>, <b>-x509_strict</b>, <b>-issuer_checks</b></dt>
<dd>
<p>Set various options of certificate chain verification. See <a href="../man1/openssl-verification-options.html">&quot;Verification Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
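<p>The time-window check governed by the <b>-validity_period</b> and <b>-status_age</b> options above, as an added example that is not part of the OpenSSL documentation or code base. The two times are the <b>thisUpdate</b> and <b>nextUpdate</b> fields of an OCSP single response (the option text calls them <b>notBefore</b> and <b>notAfter</b>), given here as Unix timestamps in seconds; function and message names are this example&#39;s own. It shows the three distinct failure modes (status too new, status expired, status too old with no <b>nextUpdate</b>) and how the skew tolerance and the optional age limit interact.</p>

```python
from typing import List, Optional

# Documented default for -validity_period: 5 minutes of tolerated clock skew.
DEFAULT_VALIDITY_PERIOD = 300


def check_status_times(this_update: float,
                       next_update: Optional[float],
                       now: float,
                       validity_period: int = DEFAULT_VALIDITY_PERIOD,
                       status_age: Optional[int] = None) -> List[str]:
    """Apply the documented freshness rules to one single response.

    this_update / next_update / now are Unix timestamps (seconds);
    next_update is None when the responder omitted it.
    status_age is None unless the caller wants the -status_age check.
    Returns a list of problems; an empty list means the times are acceptable.
    """
    problems: List[str] = []
    skew = validity_period

    # thisUpdate may lie in the future only by the tolerated skew.
    if this_update > now + skew:
        problems.append("status too new (thisUpdate in the future)")

    if next_update is not None:
        # A response whose window ends before it starts is malformed.
        if next_update < this_update:
            problems.append("nextUpdate precedes thisUpdate")
        # nextUpdate may lie in the past only by the tolerated skew.
        if next_update < now - skew:
            problems.append("status expired (nextUpdate in the past)")
    elif status_age is not None:
        # No nextUpdate means fresh data is always available; -status_age
        # optionally refuses data whose thisUpdate is older than `age` seconds.
        if this_update < now - status_age:
            problems.append(
                "status too old (no nextUpdate, thisUpdate older than status_age)")

    return problems
```

Feed it <code>datetime.timestamp()</code> values taken from a parsed response; a non-empty list is a verification failure, exactly as <b>openssl ocsp</b> would report it with the same option values.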
<h2 id="OCSP-Server-Options">OCSP Server Options</h2>
<dl>
<dt id="index-indexfile"><b>-index</b> <i>indexfile</i></dt>
<dd>
<p>The <i>indexfile</i> parameter is the name of a text index file in <b>ca</b> format containing certificate revocation information.</p>
<p>If the <b>-index</b> option is specified then this command switches to responder mode, otherwise it is in client mode. The request(s) the responder processes can be either specified on the command line (using <b>-issuer</b> and <b>-serial</b> options), supplied in a file (using the <b>-reqin</b> option) or via external OCSP clients (if <b>-port</b> or <b>-url</b> is specified).</p>
<p>If the <b>-index</b> option is present then the <b>-CA</b> and <b>-rsigner</b> options must also be present.</p>
</dd>
<dt id="CA-file"><b>-CA</b> <i>file</i></dt>
<dd>
<p>CA certificates corresponding to the revocation information in the index file given with <b>-index</b>. The input can be in PEM, DER, or PKCS#12 format.</p>
</dd>
<dt id="rsigner-file"><b>-rsigner</b> <i>file</i></dt>
<dd>
<p>The certificate to sign OCSP responses with. The input can be in PEM, DER, or PKCS#12 format.</p>
</dd>
<dt id="rkey-file"><b>-rkey</b> <i>file</i></dt>
<dd>
<p>The private key to sign OCSP responses with: if not present the file specified in the <b>-rsigner</b> option is used.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The private key password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="rother-file"><b>-rother</b> <i>file</i></dt>
<dd>
<p>Additional certificates to include in the OCSP response. The input can be in PEM, DER, or PKCS#12 format.</p>
</dd>
<dt id="rsigopt-nm:v"><b>-rsigopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm when signing OCSP responses. Names and values of these options are algorithm-specific.</p>
</dd>
<dt id="rmd-digest"><b>-rmd</b> <i>digest</i></dt>
<dd>
<p>The digest to use when signing the response.</p>
</dd>
<dt id="badsig"><b>-badsig</b></dt>
<dd>
<p>Corrupt the response signature before writing it; this can be useful for testing.</p>
</dd>
<dt id="resp_no_certs"><b>-resp_no_certs</b></dt>
<dd>
<p>Don&#39;t include any certificates in the OCSP response.</p>
</dd>
<dt id="resp_key_id"><b>-resp_key_id</b></dt>
<dd>
<p>Identify the signer certificate using the key ID, default is to use the subject name.</p>
</dd>
<dt id="port-portnum"><b>-port</b> <i>portnum</i></dt>
<dd>
<p>Port to listen for OCSP requests on. Both IPv4 and IPv6 are possible. The port may also be specified using the <b>-url</b> option. A <code>0</code> argument indicates that any available port shall be chosen automatically.</p>
</dd>
<dt id="ignore_err"><b>-ignore_err</b></dt>
<dd>
<p>Ignore malformed requests or responses: When acting as an OCSP client, retry if a malformed response is received. When acting as an OCSP responder, continue running instead of terminating upon receiving a malformed request.</p>
</dd>
<dt id="nrequest-number"><b>-nrequest</b> <i>number</i></dt>
<dd>
<p>The OCSP server will exit after receiving <i>number</i> requests, default unlimited.</p>
</dd>
<dt id="multi-process-count"><b>-multi</b> <i>process-count</i></dt>
<dd>
<p>Run the specified number of OCSP responder child processes, with the parent process respawning child processes as needed. Child processes will detect changes in the CA index file and automatically reload it. When running as a responder the <b>-timeout</b> option is recommended to limit the time each child is willing to wait for the client&#39;s OCSP request. This option is available on POSIX systems (that support the fork() and other required unix system-calls).</p>
</dd>
<dt id="nmin-minutes--ndays-days"><b>-nmin</b> <i>minutes</i>, <b>-ndays</b> <i>days</i></dt>
<dd>
<p>Number of minutes or days when fresh revocation information is available: used in the <b>nextUpdate</b> field. If neither option is present then the <b>nextUpdate</b> field is omitted meaning fresh revocation information is immediately available.</p>
</dd>
</dl>
<h1 id="OCSP-RESPONSE-VERIFICATION">OCSP RESPONSE VERIFICATION</h1>
<p>OCSP response verification follows the rules specified in RFC 2560 (since superseded by RFC 6960).</p>
<p>Initially the OCSP responder certificate is located and the signature on the OCSP response checked using the responder certificate&#39;s public key.</p>
<p>Then a normal certificate verify is performed on the OCSP responder certificate building up a certificate chain in the process. The locations of the trusted certificates used to build the chain can be specified by the <b>-CAfile</b>, <b>-CApath</b> or <b>-CAstore</b> options or they will be looked for in the standard OpenSSL certificates directory.</p>
<p>If the initial verify fails then the OCSP verify process halts with an error.</p>
<p>Otherwise the issuing CA certificate in the request is compared to the OCSP responder certificate: if there is a match then the OCSP verify succeeds.</p>
<p>Otherwise the OCSP responder certificate&#39;s CA is checked against the issuing CA certificate in the request. If there is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify succeeds.</p>
<p>Otherwise, if <b>-no_explicit</b> is <b>not</b> set the root CA of the OCSP responder&#39;s CA is checked to see if it is trusted for OCSP signing. If it is the OCSP verify succeeds.</p>
<p>If none of these checks is successful then the OCSP verify fails.</p>
<p>What this effectively means is that if the OCSP responder certificate is authorised directly by the CA it is issuing revocation information about (and it is correctly configured) then verification will succeed.</p>
<p>If the OCSP responder is a &quot;global responder&quot; which can give details about multiple CAs and has its own separate certificate chain then its root CA can be trusted for OCSP signing. For example:</p>
<pre><code> openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem</code></pre>
<p>Alternatively the responder certificate itself can be explicitly trusted with the <b>-VAfile</b> option.</p>
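<p>The responder-authorisation decision described above, as an added example that is not OpenSSL code. Certificates are reduced to subject, issuer, extended key usage and explicit trust settings, chain building is by name matching against a trusted and an untrusted store, and the signature check on the response is assumed to have already succeeded; the class, function and result strings are this example&#39;s own. It covers all four outcomes: the issuing CA signing directly, a delegated responder with the OCSPSigning EKU, a &quot;global responder&quot; whose root is explicitly trusted for OCSP signing (and the effect of <b>-no_explicit</b> on it), and a responder that is not authorised for the issuer in question.</p>

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (example model, not OpenSSL's)."""
    subject: str
    issuer: str
    eku: List[str] = field(default_factory=list)    # extendedKeyUsage names, e.g. "OCSPSigning"
    trust: List[str] = field(default_factory=list)  # explicit trust as set by `x509 -addtrust`

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, trusted: Dict[str, Cert],
                untrusted: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from leaf to a self-signed certificate.

    Returns the chain only if it ends in the trusted store; untrusted
    certificates (for instance those carried in the response) may only
    appear as intermediates.
    """
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while not cur.self_signed:
        nxt = trusted.get(cur.issuer) or untrusted.get(cur.issuer)
        if nxt is None or nxt.subject in seen:   # missing issuer or a loop
            return None
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain if cur.subject in trusted else None


def responder_authorized(responder: Cert, issuing_ca: Cert,
                         trusted: Dict[str, Cert], untrusted: Dict[str, Cert],
                         no_explicit: bool = False) -> str:
    """Decide whether `responder` may vouch for certificates issued by `issuing_ca`."""
    chain = build_chain(responder, trusted, untrusted)
    if chain is None:
        return "fail: responder certificate does not chain to a trusted CA"
    # 1. The CA that issued the certificate in question signed the response itself.
    if responder.subject == issuing_ca.subject:
        return "ok: response signed by the issuing CA itself"
    # 2. A delegated responder: issued by that CA and marked for OCSP signing.
    if responder.issuer == issuing_ca.subject and "OCSPSigning" in responder.eku:
        return "ok: delegated responder issued by the CA with OCSPSigning EKU"
    # 3. A global responder: its own root is explicitly trusted for OCSP signing,
    #    unless -no_explicit disables this rule.
    root = chain[-1]
    if not no_explicit and "OCSPSigning" in root.trust:
        return "ok: responder chain root explicitly trusted for OCSP signing"
    return "fail: responder not authorized for this issuer"
```

The security-relevant point is rule 2: a certificate that merely chains to a trusted root is not enough, it must be issued by the very CA whose certificates it reports on and carry the OCSPSigning EKU. Dropping that condition (which is what <b>-no_cert_checks</b> does) would let any end-entity certificate from the PKI produce &quot;good&quot; responses for its siblings.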
<h1 id="NOTES">NOTES</h1>
<p>As noted, most of the verify options are for testing or debugging purposes. Normally only the <b>-CApath</b>, <b>-CAfile</b>, <b>-CAstore</b> and (if the responder is a &#39;global VA&#39;) <b>-VAfile</b> options need to be used.</p>
<p>The OCSP server is only useful for test and demonstration purposes: it is not really usable as a full OCSP responder. It contains only very simple HTTP request handling and can only handle the POST form of OCSP queries. It also handles requests serially, meaning it cannot respond to new requests until it has processed the current one. The text index file format for revocation data is also inefficient for large quantities of revocation data.</p>
<p>It is possible to run this command in responder mode via a CGI script using the <b>-reqin</b> and <b>-respout</b> options.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Create an OCSP request and write it to a file:</p>
<pre><code> openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der</code></pre>
<p>Send a query to an OCSP responder with URL http://ocsp.myhost.com/, save the response to a file, print it out in text form, and verify the response:</p>
<pre><code> openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
-url http://ocsp.myhost.com/ -resp_text -respout resp.der</code></pre>
<p>Read in an OCSP response and print out text form:</p>
<pre><code> openssl ocsp -respin resp.der -text -noverify</code></pre>
<p>OCSP server on port 8888 using a standard <b>ca</b> configuration and a separate responder certificate. All requests and responses are printed to a file.</p>
<pre><code> openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem \
     -text -out log.txt</code></pre>
<p>As above but exit after processing one request:</p>
<pre><code> openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem \
     -nrequest 1</code></pre>
<p>Query status information using an internally generated request:</p>
<pre><code> openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem \
     -issuer demoCA/cacert.pem -serial 1</code></pre>
<p>Query status information using request read from a file, and write the response to a second file.</p>
<pre><code> openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem \
     -reqin req.der -respout resp.der</code></pre>
<h1 id="HISTORY">HISTORY</h1>
<p>The -no_alt_chains option was added in OpenSSL 1.1.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,91 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-passphrase-options</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#Pass-Phrase-Option-Arguments">Pass Phrase Option Arguments</a></li>
</ul>
</li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-passphrase-options - Pass phrase options</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <i>command</i> [ <i>options</i> ... ] [ <i>parameters</i> ... ]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>Several OpenSSL commands accept password arguments, typically using <b>-passin</b> and <b>-passout</b> for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.</p>
<p>Note that character encoding may be relevant, please see <a href="../man7/passphrase-encoding.html">passphrase-encoding(7)</a>.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<h2 id="Pass-Phrase-Option-Arguments">Pass Phrase Option Arguments</h2>
<p>Pass phrase arguments can be formatted as follows.</p>
<dl>
<dt id="pass:password"><b>pass:</b><i>password</i></dt>
<dd>
<p>The actual password is <i>password</i>. Since the password is visible to utilities (like &#39;ps&#39; under Unix) this form should only be used where security is not important.</p>
</dd>
<dt id="env:var"><b>env:</b><i>var</i></dt>
<dd>
<p>Obtain the password from the environment variable <i>var</i>. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution.</p>
</dd>
<dt id="file:pathname"><b>file:</b><i>pathname</i></dt>
<dd>
<p>The first line of <i>pathname</i> is the password. If the same <i>pathname</i> argument is supplied to <b>-passin</b> and <b>-passout</b> arguments then the first line will be used for the input password and the next line for the output password. <i>pathname</i> need not refer to a regular file: it could for example refer to a device or named pipe.</p>
</dd>
<dt id="fd:number"><b>fd:</b><i>number</i></dt>
<dd>
<p>Read the password from the file descriptor <i>number</i>. This can be used to send the data via a pipe for example.</p>
</dd>
<dt id="stdin"><b>stdin</b></dt>
<dd>
<p>Read the password from standard input.</p>
</dd>
</dl>
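<p>A resolver for the five argument forms listed above, as an added example that is not OpenSSL&#39;s own code; the function names are this example&#39;s own. It reproduces the documented rules, including the subtle one: when the same <b>file:</b> path is given for both <b>-passin</b> and <b>-passout</b>, the first line is the input password and the second line the output password. The <b>fd:</b> and <b>stdin</b> forms read one line from an already-open descriptor or stream, which is what lets a wrapper script pass a secret through a pipe instead of the (process-visible) command line or environment.</p>

```python
import os
import sys
from typing import Dict, Optional, TextIO, Tuple


def _first_line(line: str) -> str:
    # The password is the line content without its terminator.
    return line.rstrip("\r\n")


def read_pass(spec: str,
              env: Optional[Dict[str, str]] = None,
              stdin: Optional[TextIO] = None,
              skip_lines: int = 0) -> str:
    """Resolve one pass-phrase argument (pass:/env:/file:/fd:/stdin).

    env and stdin default to the real process environment and stdin and
    exist so the behaviour can be exercised offline.  skip_lines is used
    for the file: form when an earlier password already consumed a line.
    """
    env = os.environ if env is None else env
    stdin = sys.stdin if stdin is None else stdin

    if spec.startswith("pass:"):
        return spec[len("pass:"):]
    if spec.startswith("env:"):
        var = spec[len("env:"):]
        if var not in env:
            raise ValueError(f"environment variable {var!r} is not set")
        return env[var]
    if spec.startswith("file:"):
        with open(spec[len("file:"):], "r") as fh:
            for _ in range(skip_lines):
                fh.readline()
            line = fh.readline()
            if line == "":
                raise ValueError("pass phrase file has too few lines")
            return _first_line(line)
    if spec.startswith("fd:"):
        fd = int(spec[len("fd:"):])
        # closefd=False: the caller owns the descriptor, we only read a line.
        with os.fdopen(fd, "r", closefd=False) as fh:
            return _first_line(fh.readline())
    if spec == "stdin":
        return _first_line(stdin.readline())
    raise ValueError(f"unsupported pass phrase source: {spec!r}")


def read_pass_pair(passin: str, passout: str, **kw) -> Tuple[str, str]:
    """Resolve -passin and -passout together, applying the same-file rule."""
    pin = read_pass(passin, **kw)
    same_file = passin.startswith("file:") and passin == passout
    pout = read_pass(passout, skip_lines=1 if same_file else 0, **kw)
    return pin, pout
```

The <b>pass:</b> and <b>env:</b> branches are deliberately plain: nothing in code can undo the fact that the argument or the environment is readable by other processes, which is why the page recommends them only where security is not important.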
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,164 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-passwd</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-passwd - compute password hashes</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl passwd</b> [<b>-help</b>] [<b>-1</b>] [<b>-apr1</b>] [<b>-aixmd5</b>] [<b>-5</b>] [<b>-6</b>] [<b>-salt</b> <i>string</i>] [<b>-in</b> <i>file</i>] [<b>-stdin</b>] [<b>-noverify</b>] [<b>-quiet</b>] [<b>-table</b>] [<b>-reverse</b>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>password</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command computes the hash of a password typed at run-time or the hash of each password in a list. The password list is taken from the named file for option <b>-in</b>, from stdin for option <b>-stdin</b>, from the command line, or from the terminal otherwise.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="pod-1"><b>-1</b></dt>
<dd>
<p>Use the MD5 based BSD password algorithm <b>1</b> (default).</p>
</dd>
<dt id="apr1"><b>-apr1</b></dt>
<dd>
<p>Use the <b>apr1</b> algorithm (Apache variant of the BSD algorithm).</p>
</dd>
<dt id="aixmd5"><b>-aixmd5</b></dt>
<dd>
<p>Use the <b>AIX MD5</b> algorithm (AIX variant of the BSD algorithm).</p>
</dd>
<dt id="pod-5"><b>-5</b></dt>
<dd>
</dd>
<dt id="pod-6"><b>-6</b></dt>
<dd>
<p>Use the <b>SHA256</b> / <b>SHA512</b> based algorithms defined by Ulrich Drepper. See <a href="https://www.akkadia.org/drepper/SHA-crypt.txt">https://www.akkadia.org/drepper/SHA-crypt.txt</a>.</p>
</dd>
<dt id="salt-string"><b>-salt</b> <i>string</i></dt>
<dd>
<p>Use the specified salt. When reading a password from the terminal, this implies <b>-noverify</b>.</p>
</dd>
<dt id="in-file"><b>-in</b> <i>file</i></dt>
<dd>
<p>Read passwords from <i>file</i>.</p>
</dd>
<dt id="stdin"><b>-stdin</b></dt>
<dd>
<p>Read passwords from <b>stdin</b>.</p>
</dd>
<dt id="noverify"><b>-noverify</b></dt>
<dd>
<p>Don&#39;t verify when reading a password from the terminal.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>Don&#39;t output warnings when passwords given at the command line are truncated.</p>
</dd>
<dt id="table"><b>-table</b></dt>
<dd>
<p>In the output list, prepend the cleartext password and a TAB character to each password hash.</p>
</dd>
<dt id="reverse"><b>-reverse</b></dt>
<dd>
<p>When the <b>-table</b> option is used, reverse the order of cleartext and hash.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<pre><code> % openssl passwd -1 -salt xxxxxxxx password
$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.
% openssl passwd -apr1 -salt xxxxxxxx password
$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0
% openssl passwd -aixmd5 -salt xxxxxxxx password
xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/</code></pre>
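<p>A pure-Python implementation of the <b>$1$</b> and <b>$apr1$</b> schemes used in the examples above, as an added example that is not part of OpenSSL, together with a constant-time verifier; the function names are this example&#39;s own. It reproduces the first two outputs shown, which makes it a convenient cross-check of what <b>openssl passwd</b> produces. These MD5-based schemes run 1000 cheap iterations and are fast to brute force; for new deployments prefer the <b>-5</b> or <b>-6</b> SHA-crypt variants or a dedicated password hash.</p>

```python
import hashlib
import hmac

# crypt(3)-style base64 alphabet used by these schemes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """MD5-crypt as in `openssl passwd -1` (magic "$1$") or -apr1 ("$apr1$")."""
    pw = password.encode()
    salt_b = salt.encode()[:8]          # at most 8 salt characters are used
    magic_b = magic.encode()

    ctx = hashlib.md5(pw + magic_b + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Mix in the alternate digest, one byte per byte of password.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    # For each bit of the password length: a zero byte or the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds with a round-dependent ordering of password, salt and state.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Encode 16 bytes as 22 characters in the scheme's permuted byte order.
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return f"{magic}{salt_b.decode()}${enc}"


def verify_md5_crypt(password: str, stored: str) -> bool:
    """Check a candidate against a "$1$salt$hash" or "$apr1$salt$hash" string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in ("1", "apr1"):
        return False
    recomputed = md5_crypt(password, parts[2], f"${parts[1]}$")
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(recomputed.encode(), stored.encode())
```

The salt is re-read from the stored string in <code>verify_md5_crypt</code>, so the same function checks hashes produced by <b>openssl passwd</b>, Apache <b>htpasswd</b> (<b>$apr1$</b>) or any other md5-crypt implementation.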
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-crypt</b> option was removed in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,447 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-pkcs12</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#PKCS-12-input-parsing-options">PKCS#12 input (parsing) options</a></li>
<li><a href="#PKCS-12-output-export-options">PKCS#12 output (export) options</a></li>
</ul>
</li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-pkcs12 - PKCS#12 file command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>pkcs12</b> [<b>-help</b>] [<b>-passin</b> <i>arg</i>] [<b>-passout</b> <i>arg</i>] [<b>-password</b> <i>arg</i>] [<b>-twopass</b>] [<b>-in</b> <i>filename</i>|<i>uri</i>] [<b>-out</b> <i>filename</i>] [<b>-nokeys</b>] [<b>-nocerts</b>] [<b>-noout</b>] [<b>-legacy</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>]</p>
<p>PKCS#12 input (parsing) options: [<b>-info</b>] [<b>-nomacver</b>] [<b>-clcerts</b>] [<b>-cacerts</b>]</p>
<p>[<b>-aes128</b>] [<b>-aes192</b>] [<b>-aes256</b>] [<b>-aria128</b>] [<b>-aria192</b>] [<b>-aria256</b>] [<b>-camellia128</b>] [<b>-camellia192</b>] [<b>-camellia256</b>] [<b>-des</b>] [<b>-des3</b>] [<b>-idea</b>] [<b>-noenc</b>] [<b>-nodes</b>]</p>
<p>PKCS#12 output (export) options:</p>
<p>[<b>-export</b>] [<b>-inkey</b> <i>filename</i>|<i>uri</i>] [<b>-certfile</b> <i>filename</i>] [<b>-passcerts</b> <i>arg</i>] [<b>-chain</b>] [<b>-untrusted</b> <i>filename</i>] [<b>-CAfile</b> <i>file</i>] [<b>-no-CAfile</b>] [<b>-CApath</b> <i>dir</i>] [<b>-no-CApath</b>] [<b>-CAstore</b> <i>uri</i>] [<b>-no-CAstore</b>] [<b>-name</b> <i>name</i>] [<b>-caname</b> <i>name</i>] [<b>-CSP</b> <i>name</i>] [<b>-LMK</b>] [<b>-keyex</b>] [<b>-keysig</b>] [<b>-keypbe</b> <i>cipher</i>] [<b>-certpbe</b> <i>cipher</i>] [<b>-descert</b>] [<b>-macalg</b> <i>digest</i>] [<b>-iter</b> <i>count</i>] [<b>-noiter</b>] [<b>-nomaciter</b>] [<b>-maciter</b>] [<b>-macsaltlen</b>] [<b>-nomac</b>] [<b>-jdktrust</b> <i>usage</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<p>There are a lot of options, the meaning of some of which depends on whether a PKCS#12 file is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 file can be created by using the <b>-export</b> option (see below). The PKCS#12 export encryption and MAC options such as <b>-certpbe</b> and <b>-iter</b> and many further options such as <b>-chain</b> are relevant only with <b>-export</b>. Conversely, the options regarding encryption of private keys when outputting PKCS#12 input are relevant only when the <b>-export</b> option is not given.</p>
<p>The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation.</p>
<p>When encountering problems loading legacy PKCS#12 files that involve, for example, RC2-40-CBC, try using the <b>-legacy</b> option and, if needed, the <b>-provider-path</b> option.</p>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The password source for the input, and for encrypting any private keys that are output. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="passout-arg"><b>-passout</b> <i>arg</i></dt>
<dd>
<p>The password source for output files.</p>
</dd>
<dt id="password-arg"><b>-password</b> <i>arg</i></dt>
<dd>
<p>With <b>-export</b>, <b>-password</b> is equivalent to <b>-passout</b>, otherwise it is equivalent to <b>-passin</b>.</p>
</dd>
<dt id="twopass"><b>-twopass</b></dt>
<dd>
<p>Prompt for separate integrity and encryption passwords: most software always assumes these are the same so this option will render such PKCS#12 files unreadable. Cannot be used in combination with the options <b>-password</b>, <b>-passin</b> if importing from PKCS#12, or <b>-passout</b> if exporting.</p>
</dd>
<dt id="nokeys"><b>-nokeys</b></dt>
<dd>
<p>No private keys will be output.</p>
</dd>
<dt id="nocerts"><b>-nocerts</b></dt>
<dd>
<p>No certificates will be output.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option inhibits all credentials output, and so the input is just verified.</p>
</dd>
<dt id="legacy"><b>-legacy</b></dt>
<dd>
<p>Use legacy mode of operation and automatically load the legacy provider. If OpenSSL is not installed system-wide, it is necessary to also use, for example, <code>-provider-path ./providers</code> or to set the environment variable <b>OPENSSL_MODULES</b> to point to the directory where the providers can be found.</p>
<p>In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
</dl>
<h2 id="PKCS-12-input-parsing-options">PKCS#12 input (parsing) options</h2>
<dl>
<dt id="in-filename-uri"><b>-in</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This specifies the input filename or URI. Standard input is used by default. Without the <b>-export</b> option this must be PKCS#12 file to be parsed. For use with the <b>-export</b> option see the <a href="#PKCS-12-output-export-options">&quot;PKCS#12 output (export) options&quot;</a> section.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.</p>
</dd>
<dt id="info"><b>-info</b></dt>
<dd>
<p>Output additional information about the PKCS#12 file structure, algorithms used and iteration counts.</p>
</dd>
<dt id="nomacver"><b>-nomacver</b></dt>
<dd>
<p>Don&#39;t attempt to verify the integrity MAC.</p>
</dd>
<dt id="clcerts"><b>-clcerts</b></dt>
<dd>
<p>Only output client certificates (not CA certificates).</p>
</dd>
<dt id="cacerts"><b>-cacerts</b></dt>
<dd>
<p>Only output CA certificates (not client certificates).</p>
</dd>
<dt id="aes128--aes192--aes256"><b>-aes128</b>, <b>-aes192</b>, <b>-aes256</b></dt>
<dd>
<p>Use AES to encrypt private keys before outputting.</p>
</dd>
<dt id="aria128--aria192--aria256"><b>-aria128</b>, <b>-aria192</b>, <b>-aria256</b></dt>
<dd>
<p>Use ARIA to encrypt private keys before outputting.</p>
</dd>
<dt id="camellia128--camellia192--camellia256"><b>-camellia128</b>, <b>-camellia192</b>, <b>-camellia256</b></dt>
<dd>
<p>Use Camellia to encrypt private keys before outputting.</p>
</dd>
<dt id="des"><b>-des</b></dt>
<dd>
<p>Use DES to encrypt private keys before outputting.</p>
</dd>
<dt id="des3"><b>-des3</b></dt>
<dd>
<p>Use triple DES to encrypt private keys before outputting.</p>
</dd>
<dt id="idea"><b>-idea</b></dt>
<dd>
<p>Use IDEA to encrypt private keys before outputting.</p>
</dd>
<dt id="noenc"><b>-noenc</b></dt>
<dd>
<p>Don&#39;t encrypt private keys at all.</p>
</dd>
<dt id="nodes"><b>-nodes</b></dt>
<dd>
<p>This option is deprecated since OpenSSL 3.0; use <b>-noenc</b> instead.</p>
</dd>
</dl>
<h2 id="PKCS-12-output-export-options">PKCS#12 output (export) options</h2>
<dl>
<dt id="export"><b>-export</b></dt>
<dd>
<p>This option specifies that a PKCS#12 file will be created rather than parsed.</p>
</dd>
<dt id="out-filename1"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies filename to write the PKCS#12 file to. Standard output is used by default.</p>
</dd>
<dt id="in-filename-uri1"><b>-in</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This specifies the input filename or URI. Standard input is used by default. With the <b>-export</b> option this is a file with certificates and a key, or a URI that refers to a key accessed via an engine. The order of credentials in a file doesn&#39;t matter but one private key and its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 output file.</p>
</dd>
<dt id="inkey-filename-uri"><b>-inkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>The private key input for PKCS12 output. If this option is not specified then the input file (<b>-in</b> argument) must contain a private key. If no engine is used, the argument is taken as a file. If the <b>-engine</b> option is used or the URI has prefix <code>org.openssl.engine:</code> then the rest of the URI is taken as key identifier for the given engine.</p>
</dd>
<dt id="certfile-filename"><b>-certfile</b> <i>filename</i></dt>
<dd>
<p>An input file with extra certificates to be added to the PKCS#12 output if the <b>-export</b> option is given.</p>
</dd>
<dt id="passcerts-arg"><b>-passcerts</b> <i>arg</i></dt>
<dd>
<p>The password source for certificate input such as <b>-certfile</b> and <b>-untrusted</b>. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="chain"><b>-chain</b></dt>
<dd>
<p>If this option is present then the certificate chain of the end entity certificate is built and included in the PKCS#12 output file. The end entity certificate is the first one read from the <b>-in</b> file if no key is given, else the first certificate matching the given key. The standard CA trust store is used for chain building, as well as any untrusted CA certificates given with the <b>-untrusted</b> option.</p>
</dd>
<dt id="untrusted-filename"><b>-untrusted</b> <i>filename</i></dt>
<dd>
<p>An input file of untrusted certificates that may be used for chain building, which is relevant only when a PKCS#12 file is created with the <b>-export</b> option and the <b>-chain</b> option is given as well. Any certificates that are actually part of the chain are added to the output.</p>
</dd>
<dt id="CAfile-file--no-CAfile--CApath-dir--no-CApath--CAstore-uri--no-CAstore"><b>-CAfile</b> <i>file</i>, <b>-no-CAfile</b>, <b>-CApath</b> <i>dir</i>, <b>-no-CApath</b>, <b>-CAstore</b> <i>uri</i>, <b>-no-CAstore</b></dt>
<dd>
<p>See <a href="../man1/openssl-verification-options.html">&quot;Trusted Certificate Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
<dt id="name-friendlyname"><b>-name</b> <i>friendlyname</i></dt>
<dd>
<p>This specifies the &quot;friendly name&quot; for the certificates and private key. This name is typically displayed in list boxes by software importing the file.</p>
</dd>
<dt id="caname-friendlyname"><b>-caname</b> <i>friendlyname</i></dt>
<dd>
<p>This specifies the &quot;friendly name&quot; for other certificates. This option may be used multiple times to specify names for all certificates in the order they appear. Netscape ignores friendly names on other certificates whereas MSIE displays them.</p>
</dd>
<dt id="CSP-name"><b>-CSP</b> <i>name</i></dt>
<dd>
<p>Write <i>name</i> as a Microsoft CSP name. The password source for the input, and for encrypting any private keys that are output. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="LMK"><b>-LMK</b></dt>
<dd>
<p>Add the &quot;Local Key Set&quot; identifier to the attributes.</p>
</dd>
<dt id="keyex--keysig"><b>-keyex</b>|<b>-keysig</b></dt>
<dd>
<p>Specifies that the private key is to be used for key exchange or just signing. This option is only interpreted by MSIE and similar MS software. Normally &quot;export grade&quot; software will only allow 512 bit RSA keys to be used for encryption purposes but arbitrary length keys for signing. The <b>-keysig</b> option marks the key for signing only. Signing only keys can be used for S/MIME signing, authenticode (ActiveX control signing) and SSL client authentication, however, due to a bug only MSIE 5.0 and later support the use of signing only keys for SSL client authentication.</p>
</dd>
<dt id="keypbe-alg--certpbe-alg"><b>-keypbe</b> <i>alg</i>, <b>-certpbe</b> <i>alg</i></dt>
<dd>
<p>These options allow the algorithm used to encrypt the private key and certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name can be used (see <a href="#NOTES">&quot;NOTES&quot;</a> section for more information). If a cipher name (as output by <code>openssl list -cipher-algorithms</code>) is specified then it is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only use PKCS#12 algorithms.</p>
<p>Special value <code>NONE</code> disables encryption of the private key and certificates.</p>
</dd>
<dt id="descert"><b>-descert</b></dt>
<dd>
<p>Encrypt the certificates using triple DES. By default the private key and the certificates are encrypted using AES-256-CBC unless the &#39;-legacy&#39; option is used. If &#39;-descert&#39; is used with the &#39;-legacy&#39; then both, the private key and the certificates are encrypted using triple DES.</p>
</dd>
<dt id="macalg-digest"><b>-macalg</b> <i>digest</i></dt>
<dd>
<p>Specify the MAC digest algorithm. If not included SHA256 will be used.</p>
</dd>
<dt id="iter-count"><b>-iter</b> <i>count</i></dt>
<dd>
<p>This option specifies the iteration count for the encryption key and MAC. The default value is 2048.</p>
<p>To discourage attacks by using large dictionaries of common passwords the algorithm that derives keys from passwords can have an iteration count applied to it: this causes a certain part of the algorithm to be repeated and slows it down. The MAC is used to check the file integrity but since it will normally have the same password as the keys and certificates it could also be attacked.</p>
</dd>
<dt id="noiter--nomaciter"><b>-noiter</b>, <b>-nomaciter</b></dt>
<dd>
<p>By default both encryption and MAC iteration counts are set to 2048, using these options the MAC and encryption iteration counts can be set to 1, since this reduces the file security you should not use these options unless you really have to. Most software supports both MAC and encryption iteration counts. MSIE 4.0 doesn&#39;t support MAC iteration counts so it needs the <b>-nomaciter</b> option.</p>
</dd>
<dt id="maciter"><b>-maciter</b></dt>
<dd>
<p>This option is included for compatibility with previous versions, it used to be needed to use MAC iterations counts but they are now used by default.</p>
</dd>
<dt id="macsaltlen"><b>-macsaltlen</b></dt>
<dd>
<p>This option specifies the salt length in bytes for the MAC. The salt length should be at least 16 bytes as per NIST SP 800-132. The default value is 8 bytes for backwards compatibility.</p>
</dd>
<dt id="nomac"><b>-nomac</b></dt>
<dd>
<p>Do not attempt to provide the MAC integrity. This can be useful with the FIPS provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS algorithm and cannot be supported by the FIPS provider.</p>
</dd>
<dt id="jdktrust"><b>-jdktrust</b></dt>
<dd>
<p>Export pkcs12 file in a format compatible with Java keystore usage. This option accepts a string parameter indicating the trust oid name to be granted to the certificate it is associated with. Currently only &quot;anyExtendedKeyUsage&quot; is defined. Note that, as Java keystores do not accept PKCS12 files with both trusted certificates and keypairs, use of this option implies the setting of the <b>-nokeys</b> option</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>Although there are a large number of options most of them are very rarely used. For PKCS#12 file parsing only <b>-in</b> and <b>-out</b> need to be used for PKCS#12 file creation <b>-export</b> and <b>-name</b> are also used.</p>
<p>If none of the <b>-clcerts</b>, <b>-cacerts</b> or <b>-nocerts</b> options are present then all certificates will be output in the order they appear in the input PKCS#12 files. There is no guarantee that the first certificate present is the one corresponding to the private key. Certain software which tries to get a private key and the corresponding certificate might assume that the first certificate in the file is the one corresponding to the private key, but that may not always be the case. Using the <b>-clcerts</b> option will solve this problem by only outputting the certificate corresponding to the private key. If the CA certificates are required then they can be output to a separate file using the <b>-nokeys</b> <b>-cacerts</b> options to just output CA certificates.</p>
<p>The <b>-keypbe</b> and <b>-certpbe</b> algorithms allow the precise encryption algorithms for private keys and certificates to be specified. Normally the defaults are fine but occasionally software can&#39;t handle triple DES encrypted private keys, then the option <b>-keypbe</b> <i>PBE-SHA1-RC2-40</i> can be used to reduce the private key encryption to 40 bit RC2. A complete description of all algorithms is contained in <a href="../man1/openssl-pkcs8.html">openssl-pkcs8(1)</a>.</p>
<p>Prior 1.1 release passwords containing non-ASCII characters were encoded in non-compliant manner, which limited interoperability, in first hand with Windows. But switching to standard-compliant password encoding poses problem accessing old data protected with broken encoding. For this reason even legacy encodings is attempted when reading the data. If you use PKCS#12 files in production application you are advised to convert the data, because implemented heuristic approach is not MT-safe, its sole goal is to facilitate the data upgrade with this command.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Parse a PKCS#12 file and output it to a PEM file:</p>
<pre><code> openssl pkcs12 -in file.p12 -out file.pem</code></pre>
<p>Output only client certificates to a file:</p>
<pre><code> openssl pkcs12 -in file.p12 -clcerts -out file.pem</code></pre>
<p>Don&#39;t encrypt the private key:</p>
<pre><code> openssl pkcs12 -in file.p12 -out file.pem -noenc</code></pre>
<p>Print some info about a PKCS#12 file:</p>
<pre><code> openssl pkcs12 -in file.p12 -info -noout</code></pre>
<p>Print some info about a PKCS#12 file in legacy mode:</p>
<pre><code> openssl pkcs12 -in file.p12 -info -noout -legacy</code></pre>
<p>Create a PKCS#12 file from a PEM file that may contain a key and certificates:</p>
<pre><code> openssl pkcs12 -export -in file.pem -out file.p12 -name &quot;My PSE&quot;</code></pre>
<p>Include some extra certificates:</p>
<pre><code> openssl pkcs12 -export -in file.pem -out file.p12 -name &quot;My PSE&quot; \
-certfile othercerts.pem</code></pre>
<p>Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key, with default algorithms as in the legacy provider:</p>
<pre><code> openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkcs8.html">openssl-pkcs8(1)</a>, <a href="../man7/ossl_store-file.html">ossl_store-file(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0. The <b>-nodes</b> option was deprecated in OpenSSL 3.0, too; use <b>-noenc</b> instead.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
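Review bot: The deleted page cross-links to sibling pages in the same generated tree (../man1/openssl.html, ../man1/openssl-pkcs8.html, ../man1/openssl-passphrase-options.html, ../man1/openssl-verification-options.html, ../man7/provider.html, ../man7/property.html, ../man7/ossl_store-file.html), so a partial removal would leave any surviving page with dangling links; the whole html/man1 and html/man7 tree should go in one commit rather than page by page. Nothing here is consumed by a build: it is pod2html output (XHTML 1.0 Strict with the `<ul id="index">` table of contents), so removing it from include/openssl cannot affect the headers that directory is meant to carry.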

View File

@ -1,148 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-pkcs7</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-pkcs7 - PKCS#7 command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>pkcs7</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-print</b>] [<b>-print_certs</b>] [<b>-quiet</b>] [<b>-text</b>] [<b>-noout</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes PKCS#7 files. Note that it only understands PKCS#7 v 1.5 as specified in IETF RFC 2315. It cannot currently parse CMS as described in IETF RFC 2630.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM--outform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b>, <b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The input and formats; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>The data is a PKCS#7 Version 1.5 structure.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read from or standard input if this option is not specified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Specifies the output filename to write to or standard output by default.</p>
</dd>
<dt id="print"><b>-print</b></dt>
<dd>
<p>Print out the full PKCS7 object.</p>
</dd>
<dt id="print_certs"><b>-print_certs</b></dt>
<dd>
<p>Prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>When used with -print_certs, prints out just the PEM-encoded certificates without any other output.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out certificate details in full rather than just subject and issuer names.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>Don&#39;t output the encoded version of the PKCS#7 structure (or certificates if <b>-print_certs</b> is set).</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Convert a PKCS#7 file from PEM to DER:</p>
<pre><code> openssl pkcs7 -in file.pem -outform DER -out file.der</code></pre>
<p>Output all certificates in a file:</p>
<pre><code> openssl pkcs7 -in file.pem -print_certs -out certs.pem</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-crl2pkcs7.html">openssl-crl2pkcs7(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
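Review bot: Dropping these vendored pages also drops the only copy of the OpenSSL copyright and Apache 2.0 license text that sits next to the prebuilt include/openssl files ("Copyright 2000-2022 The OpenSSL Project Authors", "Licensed under the Apache License 2.0"); if the headers in that directory stay vendored, keep a LICENSE or NOTICE file alongside them so the attribution requirement is still met after this commit.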

View File

@ -1,286 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-pkcs8</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#PKCS-5-V1.5-AND-PKCS-12-ALGORITHMS">PKCS#5 V1.5 AND PKCS#12 ALGORITHMS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#STANDARDS">STANDARDS</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-pkcs8 - PKCS#8 format private key conversion command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>pkcs8</b> [<b>-help</b>] [<b>-topk8</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>] [<b>-passin</b> <i>arg</i>] [<b>-out</b> <i>filename</i>] [<b>-passout</b> <i>arg</i>] [<b>-iter</b> <i>count</i>] [<b>-noiter</b>] [<b>-nocrypt</b>] [<b>-traditional</b>] [<b>-v2</b> <i>alg</i>] [<b>-v2prf</b> <i>alg</i>] [<b>-v1</b> <i>alg</i>] [<b>-scrypt</b>] [<b>-scrypt_N</b> <i>N</i>] [<b>-scrypt_r</b> <i>r</i>] [<b>-scrypt_p</b> <i>p</i>] [<b>-saltlen</b> <i>size</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes private keys in PKCS#8 format. It can handle both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="topk8"><b>-topk8</b></dt>
<dd>
<p>Normally a PKCS#8 private key is expected on input and a private key will be written to the output file. With the <b>-topk8</b> option the situation is reversed: it reads a private key and writes a PKCS#8 format key.</p>
</dd>
<dt id="inform-DER-PEM--outform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b>, <b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The input and formats; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>If a key is being converted from PKCS#8 form (i.e. the <b>-topk8</b> option is not used) then the input file must be in PKCS#8 format. An encrypted key is expected unless <b>-nocrypt</b> is included.</p>
<p>If <b>-topk8</b> is not used and <b>PEM</b> mode is set the output file will be an unencrypted private key in PKCS#8 format. If the <b>-traditional</b> option is used then a traditional format private key is written instead.</p>
<p>If <b>-topk8</b> is not used and <b>DER</b> mode is set the output file will be an unencrypted private key in traditional DER format.</p>
<p>If <b>-topk8</b> is used then any supported private key can be used for the input file in a format specified by <b>-inform</b>. The output file will be encrypted PKCS#8 format using the specified encryption parameters unless <b>-nocrypt</b> is included.</p>
</dd>
<dt id="traditional"><b>-traditional</b></dt>
<dd>
<p>When this option is present and <b>-topk8</b> is not a traditional format private key is written.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for.</p>
</dd>
<dt id="passin-arg--passout-arg"><b>-passin</b> <i>arg</i>, <b>-passout</b> <i>arg</i></dt>
<dd>
<p>The password source for the input and output file. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write a key to or standard output by default. If any encryption options are set then a pass phrase will be prompted for. The output filename should <b>not</b> be the same as the input filename.</p>
</dd>
<dt id="iter-count"><b>-iter</b> <i>count</i></dt>
<dd>
<p>When creating new PKCS#8 containers, use a given number of iterations on the password in deriving the encryption key for the PKCS#8 output. High values increase the time required to brute-force a PKCS#8 container.</p>
</dd>
<dt id="noiter"><b>-noiter</b></dt>
<dd>
<p>When creating new PKCS#8 containers, use 1 as iteration count.</p>
</dd>
<dt id="nocrypt"><b>-nocrypt</b></dt>
<dd>
<p>PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo structures using an appropriate password based encryption algorithm. With this option an unencrypted PrivateKeyInfo structure is expected or output. This option does not encrypt private keys at all and should only be used when absolutely necessary. Certain software such as some versions of Java code signing software used unencrypted private keys.</p>
</dd>
<dt id="v2-alg"><b>-v2</b> <i>alg</i></dt>
<dd>
<p>This option sets the PKCS#5 v2.0 algorithm.</p>
<p>The <i>alg</i> argument is the encryption algorithm to use, valid values include <b>aes128</b>, <b>aes256</b> and <b>des3</b>. If this option isn&#39;t specified then <b>aes256</b> is used.</p>
</dd>
<dt id="v2prf-alg"><b>-v2prf</b> <i>alg</i></dt>
<dd>
<p>This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value value would be <b>hmacWithSHA256</b>. If this option isn&#39;t set then the default for the cipher is used or <b>hmacWithSHA256</b> if there is no default.</p>
<p>Some implementations may not support custom PRF algorithms and may require the <b>hmacWithSHA1</b> option to work.</p>
</dd>
<dt id="v1-alg"><b>-v1</b> <i>alg</i></dt>
<dd>
<p>This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some older implementations may not support PKCS#5 v2.0 and may require this option. If not specified PKCS#5 v2.0 form is used.</p>
</dd>
<dt id="scrypt"><b>-scrypt</b></dt>
<dd>
<p>Uses the <b>scrypt</b> algorithm for private key encryption using default parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit key. These parameters can be modified using the <b>-scrypt_N</b>, <b>-scrypt_r</b>, <b>-scrypt_p</b> and <b>-v2</b> options.</p>
</dd>
<dt id="scrypt_N-N--scrypt_r-r--scrypt_p-p"><b>-scrypt_N</b> <i>N</i>, <b>-scrypt_r</b> <i>r</i>, <b>-scrypt_p</b> <i>p</i></dt>
<dd>
<p>Sets the scrypt <i>N</i>, <i>r</i> or <i>p</i> parameters.</p>
</dd>
<dt id="saltlen"><b>-saltlen</b></dt>
<dd>
<p>Sets the length (in bytes) of the salt to use for the PBE algorithm. If this value is not specified, the default for PBES2 is 16 (128 bits) and 8 (64 bits) for PBES1.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit AES with HMAC and SHA256 is used.</p>
<p>Some older implementations do not support PKCS#5 v2.0 format and require the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak encryption algorithms such as 56 bit DES.</p>
<p>Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts are more secure that those encrypted using the traditional SSLeay compatible formats. So if additional security is considered important the keys should be converted.</p>
<p>It is possible to write out DER encoded encrypted private keys in PKCS#8 format because the encryption details are included at an ASN1 level whereas the traditional format includes them at a PEM level.</p>
<h1 id="PKCS-5-V1.5-AND-PKCS-12-ALGORITHMS">PKCS#5 V1.5 AND PKCS#12 ALGORITHMS</h1>
<p>Various algorithms can be used with the <b>-v1</b> command line option, including PKCS#5 v1.5 and PKCS#12. These are described in more detail below.</p>
<dl>
<dt id="PBE-MD2-DES-PBE-MD5-DES"><b>PBE-MD2-DES PBE-MD5-DES</b></dt>
<dd>
<p>These algorithms were included in the original PKCS#5 v1.5 specification. They only offer 56 bits of protection since they both use DES.</p>
</dd>
<dt id="PBE-SHA1-RC2-64-PBE-MD2-RC2-64-PBE-MD5-RC2-64-PBE-SHA1-DES"><b>PBE-SHA1-RC2-64</b>, <b>PBE-MD2-RC2-64</b>, <b>PBE-MD5-RC2-64</b>, <b>PBE-SHA1-DES</b></dt>
<dd>
<p>These algorithms are not mentioned in the original PKCS#5 v1.5 specification but they use the same key derivation algorithm and are supported by some software. They are mentioned in PKCS#5 v2.0. They use either 64 bit RC2 or 56 bit DES.</p>
</dd>
<dt id="PBE-SHA1-RC4-128-PBE-SHA1-RC4-40-PBE-SHA1-3DES-PBE-SHA1-2DES-PBE-SHA1-RC2-128-PBE-SHA1-RC2-40"><b>PBE-SHA1-RC4-128</b>, <b>PBE-SHA1-RC4-40</b>, <b>PBE-SHA1-3DES</b>, <b>PBE-SHA1-2DES</b>, <b>PBE-SHA1-RC2-128</b>, <b>PBE-SHA1-RC2-40</b></dt>
<dd>
<p>These algorithms use the PKCS#12 password based encryption algorithm and allow strong encryption algorithms like triple DES or 128 bit RC2 to be used.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Convert a private key to PKCS#8 format using default parameters (AES with 256 bit key and <b>hmacWithSHA256</b>):</p>
<pre><code> openssl pkcs8 -in key.pem -topk8 -out enckey.pem</code></pre>
<p>Convert a private key to PKCS#8 unencrypted format:</p>
<pre><code> openssl pkcs8 -in key.pem -topk8 -nocrypt -out enckey.pem</code></pre>
<p>Convert a private key to PKCS#5 v2.0 format using triple DES:</p>
<pre><code> openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem</code></pre>
<p>Convert a private key to PKCS#5 v2.0 format using AES with 256 bits in CBC mode and <b>hmacWithSHA512</b> PRF:</p>
<pre><code> openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA512 -out enckey.pem</code></pre>
<p>Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm (DES):</p>
<pre><code> openssl pkcs8 -in key.pem -topk8 -v1 PBE-MD5-DES -out enckey.pem</code></pre>
<p>Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm (3DES):</p>
<pre><code> openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES</code></pre>
<p>Read a DER unencrypted PKCS#8 format private key:</p>
<pre><code> openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem</code></pre>
<p>Convert a private key from any PKCS#8 encrypted format to traditional format:</p>
<pre><code> openssl pkcs8 -in pk8.pem -traditional -out key.pem</code></pre>
<p>Convert a private key to PKCS#8 format, encrypting with AES-256 and with one million iterations of the password:</p>
<pre><code> openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem</code></pre>
<h1 id="STANDARDS">STANDARDS</h1>
<p>Test vectors from this PKCS#5 v2.0 implementation were posted to the pkcs-tng mailing list using triple DES, DES and RC2 with high iteration counts, several people confirmed that they could decrypt the private keys produced and therefore, it can be assumed that the PKCS#5 v2.0 implementation is reasonably accurate at least as far as these algorithms are concerned.</p>
<p>The format of PKCS#8 DSA (and other) private keys is not well documented: it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL&#39;s default DSA PKCS#8 private key format complies with this standard.</p>
<h1 id="BUGS">BUGS</h1>
<p>There should be an option that prints out the encryption algorithm in use and other details such as the iteration count.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-dsa.html">openssl-dsa(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-iter</b> option was added in OpenSSL 1.1.0.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
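Review bot: Removing openssl-pkcs8.html takes away the only in-tree description of the -v2 and -iter settings used in the EXAMPLES just above (openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 1000000), which are exactly the parameters someone hardening private-key storage against this vendored build needs to look up; if the prebuilt docs are being dropped for size, say so in the commit message and point at the upstream manual for the vendored OpenSSL release in a README so the recommended cipher and PBKDF2 iteration count stay discoverable. The hunk also deletes the Apache 2.0 notice at the foot of the file; confirm the prebuilt include/openssl tree still ships the OpenSSL LICENSE text, since the headers and libraries that remain are under the same license.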

View File

@ -1,254 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-pkey</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#General-options">General options</a></li>
<li><a href="#Input-options">Input options</a></li>
<li><a href="#Output-options">Output options</a></li>
</ul>
</li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-pkey - public or private key processing command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>pkey</b> [<b>-help</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>-check</b>] [<b>-pubcheck</b>] [<b>-in</b> <i>filename</i>|<i>uri</i>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-passin</b> <i>arg</i>] [<b>-pubin</b>] [<b>-out</b> <i>filename</i>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-<i>cipher</i></b>] [<b>-passout</b> <i>arg</i>] [<b>-traditional</b>] [<b>-pubout</b>] [<b>-noout</b>] [<b>-text</b>] [<b>-text_pub</b>] [<b>-ec_conv_form</b> <i>arg</i>] [<b>-ec_param_enc</b> <i>arg</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes public or private keys. They can be converted between various forms and their components printed.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<h2 id="General-options">General options</h2>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="check"><b>-check</b></dt>
<dd>
<p>This option checks the consistency of a key pair for both public and private components.</p>
</dd>
<dt id="pubcheck"><b>-pubcheck</b></dt>
<dd>
<p>This option checks the correctness of either a public key or the public component of a key pair.</p>
</dd>
</dl>
<h2 id="Input-options">Input options</h2>
<dl>
<dt id="in-filename-uri"><b>-in</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This specifies the input to read a key from or standard input if this option is not specified. If the key input is encrypted and <b>-passin</b> is not given a pass phrase will be prompted for.</p>
</dd>
<dt id="inform-DER-PEM-P12-ENGINE"><b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The key input format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The password source for the key input.</p>
<p>For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="pubin"><b>-pubin</b></dt>
<dd>
<p>By default a private key is read from the input. With this option a public key is read instead. If the input contains no public key but a private key, its public part is used.</p>
</dd>
</dl>
<h2 id="Output-options">Output options</h2>
<dl>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to save the encoded and/or text output of key or standard output if this option is not specified. If any cipher option is set but no <b>-passout</b> is given then a pass phrase will be prompted for. The output filename should <b>not</b> be the same as the input filename.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The key output format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="cipher"><b>-<i>cipher</i></b></dt>
<dd>
<p>Encrypt the PEM encoded private key with the supplied cipher. Any algorithm name accepted by EVP_get_cipherbyname() is acceptable such as <b>aes128</b>. Encryption is not supported for DER output.</p>
</dd>
<dt id="passout-arg"><b>-passout</b> <i>arg</i></dt>
<dd>
<p>The password source for the output file.</p>
<p>For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="traditional"><b>-traditional</b></dt>
<dd>
<p>Normally a private key is written using standard format: this is PKCS#8 form with the appropriate encryption algorithm (if any). If the <b>-traditional</b> option is specified then the older &quot;traditional&quot; format is used instead.</p>
</dd>
<dt id="pubout"><b>-pubout</b></dt>
<dd>
<p>By default the private and public key is output; this option restricts the output to the public components. This option is automatically set if the input is a public key.</p>
<p>When combined with <b>-text</b>, this is equivalent to <b>-text_pub</b>.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>Do not output the key in encoded form.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Output the various key components in plain text (possibly in addition to the PEM encoded form). This cannot be combined with encoded output in DER format.</p>
</dd>
<dt id="text_pub"><b>-text_pub</b></dt>
<dd>
<p>Output in text form only the public key components (also for private keys). This cannot be combined with encoded output in DER format.</p>
</dd>
<dt id="ec_conv_form-arg"><b>-ec_conv_form</b> <i>arg</i></dt>
<dd>
<p>This option only applies to elliptic-curve based keys.</p>
<p>This specifies how the points on the elliptic curve are converted into octet strings. Possible values are: <b>compressed</b> (the default value), <b>uncompressed</b> and <b>hybrid</b>. For more information regarding the point conversion forms please read the X9.62 standard. <b>Note</b> Due to patent issues the <b>compressed</b> option is disabled by default for binary curves and can be enabled by defining the preprocessor macro <b>OPENSSL_EC_BIN_PT_COMP</b> at compile time.</p>
</dd>
<dt id="ec_param_enc-arg"><b>-ec_param_enc</b> <i>arg</i></dt>
<dd>
<p>This option only applies to elliptic curve based public and private keys.</p>
<p>This specifies how the elliptic curve parameters are encoded. Possible value are: <b>named_curve</b>, i.e. the ec parameters are specified by an OID, or <b>explicit</b> where the ec parameters are explicitly given (see RFC 3279 for the definition of the EC parameters structures). The default value is <b>named_curve</b>. <b>Note</b> the <b>implicitlyCA</b> alternative, as specified in RFC 3279, is currently not implemented in OpenSSL.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>To remove the pass phrase on a private key:</p>
<pre><code> openssl pkey -in key.pem -out keyout.pem</code></pre>
<p>To encrypt a private key using triple DES:</p>
<pre><code> openssl pkey -in key.pem -des3 -out keyout.pem</code></pre>
<p>To convert a private key from PEM to DER format:</p>
<pre><code> openssl pkey -in key.pem -outform DER -out keyout.der</code></pre>
<p>To print out the components of a private key to standard output:</p>
<pre><code> openssl pkey -in key.pem -text -noout</code></pre>
<p>To print out the public components of a private key to standard output:</p>
<pre><code> openssl pkey -in key.pem -text_pub -noout</code></pre>
<p>To just output the public part of a private key:</p>
<pre><code> openssl pkey -in key.pem -pubout -out pubkey.pem</code></pre>
<p>To change the EC parameters encoding to <b>explicit</b>:</p>
<pre><code> openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem</code></pre>
<p>To change the EC point conversion form to <b>compressed</b>:</p>
<pre><code> openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a>, <a href="../man1/openssl-pkcs8.html">openssl-pkcs8(1)</a>, <a href="../man1/openssl-dsa.html">openssl-dsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
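Review bot: The SEE ALSO line of the removed page links to ../man1/openssl-pkcs8.html, openssl-genpkey.html, openssl-rsa.html and others; those appear to go in the same commit, but any man1 index page or any file outside include/openssl that links into this directory is not touched here and will dangle. Grep for `man1/openssl-pkey.html` and for the html directory path before merging, and remove or redirect the remaining references in this commit rather than leaving broken links behind.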

View File

@ -1,129 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-pkeyparam</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-pkeyparam - public key algorithm parameter processing command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>pkeyparam</b> [<b>-help</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-text</b>] [<b>-noout</b>] [<b>-check</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes public key algorithm parameters. They can be checked for correctness and their components printed out.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read parameters from or standard input if this option is not specified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write parameters to or standard output if this option is not specified.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out the parameters in plain text in addition to the encoded version.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>Do not output the encoded version of the parameters.</p>
</dd>
<dt id="check"><b>-check</b></dt>
<dd>
<p>This option checks the correctness of parameters.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Print out text version of parameters:</p>
<pre><code> openssl pkeyparam -in param.pem -text</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>There are no <b>-inform</b> or <b>-outform</b> options for this command because only PEM format is supported because the key type is determined by the PEM headers.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a>, <a href="../man1/openssl-pkcs8.html">openssl-pkcs8(1)</a>, <a href="../man1/openssl-dsa.html">openssl-dsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
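Review bot: After this deletion nothing in the hunk records which OpenSSL release the prebuilt tree corresponds to; the removed page carried that implicitly (HISTORY notes the -engine deprecation in OpenSSL 3.0, copyright 2006-2021). Make sure a version marker for the vendored build survives the cleanup, for example the opensslv.h header that OpenSSL installs alongside these docs or a pinned version in the build notes, otherwise the prebuilt libraries become hard to audit against OpenSSL security advisories.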

View File

@ -1,431 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-pkeyutl</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RSA-ALGORITHM">RSA ALGORITHM</a></li>
<li><a href="#RSA-PSS-ALGORITHM">RSA-PSS ALGORITHM</a></li>
<li><a href="#DSA-ALGORITHM">DSA ALGORITHM</a></li>
<li><a href="#DH-ALGORITHM">DH ALGORITHM</a></li>
<li><a href="#EC-ALGORITHM">EC ALGORITHM</a></li>
<li><a href="#X25519-AND-X448-ALGORITHMS">X25519 AND X448 ALGORITHMS</a></li>
<li><a href="#ED25519-AND-ED448-ALGORITHMS">ED25519 AND ED448 ALGORITHMS</a></li>
<li><a href="#SM2">SM2</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-pkeyutl - public key algorithm command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>pkeyutl</b> [<b>-help</b>] [<b>-in</b> <i>file</i>] [<b>-rawin</b>] [<b>-digest</b> <i>algorithm</i>] [<b>-out</b> <i>file</i>] [<b>-sigfile</b> <i>file</i>] [<b>-inkey</b> <i>filename</i>|<i>uri</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-passin</b> <i>arg</i>] [<b>-peerkey</b> <i>file</i>] [<b>-peerform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-pubin</b>] [<b>-certin</b>] [<b>-rev</b>] [<b>-sign</b>] [<b>-verify</b>] [<b>-verifyrecover</b>] [<b>-encrypt</b>] [<b>-decrypt</b>] [<b>-derive</b>] [<b>-kdf</b> <i>algorithm</i>] [<b>-kdflen</b> <i>length</i>] [<b>-pkeyopt</b> <i>opt</i>:<i>value</i>] [<b>-pkeyopt_passin</b> <i>opt</i>[:<i>passarg</i>]] [<b>-hexdump</b>] [<b>-asn1parse</b>] [<b>-engine</b> <i>id</i>] [<b>-engine_impl</b>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>-config</b> <i>configfile</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command can be used to perform low-level public key operations using any supported algorithm.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read data from or standard input if this option is not specified.</p>
</dd>
<dt id="rawin"><b>-rawin</b></dt>
<dd>
<p>This indicates that the input data is raw data, which is not hashed by any message digest algorithm. The user can specify a digest algorithm by using the <b>-digest</b> option. This option can only be used with <b>-sign</b> and <b>-verify</b> and must be used with the Ed25519 and Ed448 algorithms.</p>
</dd>
<dt id="digest-algorithm"><b>-digest</b> <i>algorithm</i></dt>
<dd>
<p>This specifies the digest algorithm which is used to hash the input data before signing or verifying it with the input key. This option could be omitted if the signature algorithm does not require one (for instance, EdDSA). If this option is omitted but the signature algorithm requires one, a default value will be used. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the default digest algorithm. For SM2, it will be SM3. If this option is present, then the <b>-rawin</b> option must be also specified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Specifies the output filename to write to or standard output by default.</p>
</dd>
<dt id="sigfile-file"><b>-sigfile</b> <i>file</i></dt>
<dd>
<p>Signature file, required for <b>-verify</b> operations only</p>
</dd>
<dt id="inkey-filename-uri"><b>-inkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>The input key, by default it should be a private key.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The key format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The input key password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="peerkey-file"><b>-peerkey</b> <i>file</i></dt>
<dd>
<p>The peer key file, used by key derivation (agreement) operations.</p>
</dd>
<dt id="peerform-DER-PEM-P12-ENGINE"><b>-peerform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The peer key format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="pubin"><b>-pubin</b></dt>
<dd>
<p>By default a private key is read from the key input. With this option a public key is read instead. If the input contains no public key but a private key, its public part is used.</p>
</dd>
<dt id="certin"><b>-certin</b></dt>
<dd>
<p>The input is a certificate containing a public key.</p>
</dd>
<dt id="rev"><b>-rev</b></dt>
<dd>
<p>Reverse the order of the input buffer. This is useful for some libraries (such as CryptoAPI) which represent the buffer in little endian format.</p>
</dd>
<dt id="sign"><b>-sign</b></dt>
<dd>
<p>Sign the input data (which must be a hash) and output the signed result. This requires a private key.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verify the input data (which must be a hash) against the signature file and indicate if the verification succeeded or failed.</p>
</dd>
<dt id="verifyrecover"><b>-verifyrecover</b></dt>
<dd>
<p>Verify the input data (which must be a hash) and output the recovered data.</p>
</dd>
<dt id="encrypt"><b>-encrypt</b></dt>
<dd>
<p>Encrypt the input data using a public key.</p>
</dd>
<dt id="decrypt"><b>-decrypt</b></dt>
<dd>
<p>Decrypt the input data using a private key.</p>
</dd>
<dt id="derive"><b>-derive</b></dt>
<dd>
<p>Derive a shared secret using the peer key.</p>
</dd>
<dt id="kdf-algorithm"><b>-kdf</b> <i>algorithm</i></dt>
<dd>
<p>Use key derivation function <i>algorithm</i>. The supported algorithms are at present <b>TLS1-PRF</b> and <b>HKDF</b>. Note: additional parameters and the KDF output length will normally have to be set for this to work. See <a href="../man3/EVP_PKEY_CTX_set_hkdf_md.html">EVP_PKEY_CTX_set_hkdf_md(3)</a> and <a href="../man3/EVP_PKEY_CTX_set_tls1_prf_md.html">EVP_PKEY_CTX_set_tls1_prf_md(3)</a> for the supported string parameters of each algorithm.</p>
</dd>
<dt id="kdflen-length"><b>-kdflen</b> <i>length</i></dt>
<dd>
<p>Set the output length for KDF.</p>
</dd>
<dt id="pkeyopt-opt:value"><b>-pkeyopt</b> <i>opt</i>:<i>value</i></dt>
<dd>
<p>Public key options specified as opt:value. See NOTES below for more details.</p>
</dd>
<dt id="pkeyopt_passin-opt-:passarg"><b>-pkeyopt_passin</b> <i>opt</i>[:<i>passarg</i>]</dt>
<dd>
<p>Allows reading a public key option <i>opt</i> from stdin or a password source. If only <i>opt</i> is specified, the user will be prompted to enter a password on stdin. Alternatively, <i>passarg</i> can be specified which can be any value supported by <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="hexdump"><b>-hexdump</b></dt>
<dd>
<p>hex dump the output data.</p>
</dd>
<dt id="asn1parse"><b>-asn1parse</b></dt>
<dd>
<p>Parse the ASN.1 output data, this is useful when combined with the <b>-verifyrecover</b> option when an ASN1 structure is signed.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="engine_impl"><b>-engine_impl</b></dt>
<dd>
<p>When used with the <b>-engine</b> option, it specifies to also use engine <i>id</i> for crypto operations.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="config-configfile"><b>-config</b> <i>configfile</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Configuration Option&quot; in openssl(1)</a>.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>The operations and options supported vary according to the key algorithm and its implementation. The OpenSSL operations and options are indicated below.</p>
<p>Unless otherwise mentioned all algorithms support the <b>digest:</b><i>alg</i> option which specifies the digest in use for sign, verify and verifyrecover operations. The value <i>alg</i> should represent a digest name as used in the EVP_get_digestbyname() function for example <b>sha1</b>. This value is not used to hash the input data. It is used (by some algorithms) for sanity-checking the lengths of data passed in and for creating the structures that make up the signature (e.g. <b>DigestInfo</b> in RSASSA PKCS#1 v1.5 signatures).</p>
<p>This command does not hash the input data (except where -rawin is used) but rather it will use the data directly as input to the signature algorithm. Depending on the key type, signature type, and mode of padding, the maximum acceptable lengths of input data differ. The signed data can&#39;t be longer than the key modulus with RSA. In case of ECDSA and DSA the data shouldn&#39;t be longer than the field size, otherwise it will be silently truncated to the field size. In any event the input size must not be larger than the largest supported digest size.</p>
<p>In other words, if the value of digest is <b>sha1</b> the input should be the 20 bytes long binary encoding of the SHA-1 hash function output.</p>
<h1 id="RSA-ALGORITHM">RSA ALGORITHM</h1>
<p>The RSA algorithm generally supports the encrypt, decrypt, sign, verify and verifyrecover operations. However, some padding modes support only a subset of these operations. The following additional <b>pkeyopt</b> values are supported:</p>
<dl>
<dt id="rsa_padding_mode:mode"><b>rsa_padding_mode:</b><i>mode</i></dt>
<dd>
<p>This sets the RSA padding mode. Acceptable values for <i>mode</i> are <b>pkcs1</b> for PKCS#1 padding, <b>none</b> for no padding, <b>oaep</b> for <b>OAEP</b> mode, <b>x931</b> for X9.31 mode and <b>pss</b> for PSS.</p>
<p>In PKCS#1 padding, if the message digest is not set, then the supplied data is signed or verified directly instead of using a <b>DigestInfo</b> structure. If a digest is set, then the <b>DigestInfo</b> structure is used and its length must correspond to the digest type.</p>
<p>Note, for <b>pkcs1</b> padding, as a protection against the Bleichenbacher attack, the decryption will not fail in case of padding check failures. Use <b>none</b> and manual inspection of the decrypted message to verify if the decrypted value has correct PKCS#1 v1.5 padding.</p>
<p>For <b>oaep</b> mode only encryption and decryption is supported.</p>
<p>For <b>x931</b> if the digest type is set it is used to format the block data otherwise the first byte is used to specify the X9.31 digest ID. Sign, verify and verifyrecover are can be performed in this mode.</p>
<p>For <b>pss</b> mode only sign and verify are supported and the digest type must be specified.</p>
</dd>
<dt id="rsa_pss_saltlen:len"><b>rsa_pss_saltlen:</b><i>len</i></dt>
<dd>
<p>For <b>pss</b> mode only this option specifies the salt length. Three special values are supported: <b>digest</b> sets the salt length to the digest length, <b>max</b> sets the salt length to the maximum permissible value. When verifying <b>auto</b> causes the salt length to be automatically determined based on the <b>PSS</b> block structure.</p>
</dd>
<dt id="rsa_mgf1_md:digest"><b>rsa_mgf1_md:</b><i>digest</i></dt>
<dd>
<p>For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not explicitly set in PSS mode then the signing digest is used.</p>
</dd>
<dt id="rsa_oaep_md:digest"><b>rsa_oaep_md:</b><i>digest</i></dt>
<dd>
<p>Sets the digest used for the OAEP hash function. If not explicitly set then SHA1 is used.</p>
</dd>
<dt id="rsa_pkcs1_implicit_rejection:flag"><b>rsa_pkcs1_implicit_rejection:</b><i>flag</i></dt>
<dd>
<p>Disables (when set to 0) or enables (when set to 1) the use of implicit rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a protection against Bleichenbacher attack, the library will generate a deterministic random plaintext that it will return to the caller in case of padding check failure. When disabled, it&#39;s the callers&#39; responsibility to handle the returned errors in a side-channel free manner.</p>
</dd>
</dl>
<h1 id="RSA-PSS-ALGORITHM">RSA-PSS ALGORITHM</h1>
<p>The RSA-PSS algorithm is a restricted version of the RSA algorithm which only supports the sign and verify operations with PSS padding. The following additional <b>-pkeyopt</b> values are supported:</p>
<dl>
<dt id="rsa_padding_mode:mode-rsa_pss_saltlen:len-rsa_mgf1_md:digest"><b>rsa_padding_mode:</b><i>mode</i>, <b>rsa_pss_saltlen:</b><i>len</i>, <b>rsa_mgf1_md:</b><i>digest</i></dt>
<dd>
<p>These have the same meaning as the <b>RSA</b> algorithm with some additional restrictions. The padding mode can only be set to <b>pss</b> which is the default value.</p>
<p>If the key has parameter restrictions then the digest, MGF1 digest and salt length are set to the values specified in the parameters. The digest and MG cannot be changed and the salt length cannot be set to a value less than the minimum restriction.</p>
</dd>
</dl>
<h1 id="DSA-ALGORITHM">DSA ALGORITHM</h1>
<p>The DSA algorithm supports signing and verification operations only. Currently there are no additional <b>-pkeyopt</b> options other than <b>digest</b>. The SHA1 digest is assumed by default.</p>
<h1 id="DH-ALGORITHM">DH ALGORITHM</h1>
<p>The DH algorithm only supports the derivation operation and no additional <b>-pkeyopt</b> options.</p>
<h1 id="EC-ALGORITHM">EC ALGORITHM</h1>
<p>The EC algorithm supports sign, verify and derive operations. The sign and verify operations use ECDSA and derive uses ECDH. SHA1 is assumed by default for the <b>-pkeyopt</b> <b>digest</b> option.</p>
<h1 id="X25519-AND-X448-ALGORITHMS">X25519 AND X448 ALGORITHMS</h1>
<p>The X25519 and X448 algorithms support key derivation only. Currently there are no additional options.</p>
<h1 id="ED25519-AND-ED448-ALGORITHMS">ED25519 AND ED448 ALGORITHMS</h1>
<p>These algorithms only support signing and verifying. OpenSSL only implements the &quot;pure&quot; variants of these algorithms so raw data can be passed directly to them without hashing them first. The option <b>-rawin</b> must be used with these algorithms with no <b>-digest</b> specified. Additionally OpenSSL only supports &quot;oneshot&quot; operation with these algorithms. This means that the entire file to be signed/verified must be read into memory before processing it. Signing or Verifying very large files should be avoided. Additionally the size of the file must be known for this to work. If the size of the file cannot be determined (for example if the input is stdin) then the sign or verify operation will fail.</p>
<h1 id="SM2">SM2</h1>
<p>The SM2 algorithm supports sign, verify, encrypt and decrypt operations. For the sign and verify operations, SM2 requires an Distinguishing ID string to be passed in. The following <b>-pkeyopt</b> value is supported:</p>
<dl>
<dt id="distid:string"><b>distid:</b><i>string</i></dt>
<dd>
<p>This sets the ID string used in SM2 sign or verify operations. While verifying an SM2 signature, the ID string must be the same one used when signing the data. Otherwise the verification will fail.</p>
</dd>
<dt id="hexdistid:hex_string"><b>hexdistid:</b><i>hex_string</i></dt>
<dd>
<p>This sets the ID string used in SM2 sign or verify operations. While verifying an SM2 signature, the ID string must be the same one used when signing the data. Otherwise the verification will fail. The ID string provided with this option should be a valid hexadecimal value.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Sign some data using a private key:</p>
<pre><code> openssl pkeyutl -sign -in file -inkey key.pem -out sig</code></pre>
<p>Recover the signed data (e.g. if an RSA key is used):</p>
<pre><code> openssl pkeyutl -verifyrecover -in sig -inkey key.pem</code></pre>
<p>Verify the signature (e.g. a DSA key):</p>
<pre><code> openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem</code></pre>
<p>Sign data using a message digest value (this is currently only valid for RSA):</p>
<pre><code> openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256</code></pre>
<p>Derive a shared secret value:</p>
<pre><code> openssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret</code></pre>
<p>Hexdump 48 bytes of TLS1 PRF using digest <b>SHA256</b> and shared secret and seed consisting of the single byte 0xFF:</p>
<pre><code> openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
-pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump</code></pre>
<p>Derive a key using <b>scrypt</b> where the password is read from command line:</p>
<pre><code> openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass \
-pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1</code></pre>
<p>Derive using the same algorithm, but read key from environment variable MYPASS:</p>
<pre><code> openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass:env:MYPASS \
-pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1</code></pre>
<p>Sign some data using an <a href="../man7/SM2.html">SM2(7)</a> private key and a specific ID:</p>
<pre><code> openssl pkeyutl -sign -in file -inkey sm2.key -out sig -rawin -digest sm3 \
-pkeyopt distid:someid</code></pre>
<p>Verify some data using an <a href="../man7/SM2.html">SM2(7)</a> certificate and a specific ID:</p>
<pre><code> openssl pkeyutl -verify -certin -in file -inkey sm2.cert -sigfile sig \
-rawin -digest sm3 -pkeyopt distid:someid</code></pre>
<p>Decrypt some data using a private key with OAEP padding using SHA256:</p>
<pre><code> openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \
-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-genpkey.html">openssl-genpkey(1)</a>, <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a>, <a href="../man1/openssl-rsautl.html">openssl-rsautl(1)</a> <a href="../man1/openssl-dgst.html">openssl-dgst(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-kdf.html">openssl-kdf(1)</a> <a href="../man3/EVP_PKEY_CTX_set_hkdf_md.html">EVP_PKEY_CTX_set_hkdf_md(3)</a>, <a href="../man3/EVP_PKEY_CTX_set_tls1_prf_md.html">EVP_PKEY_CTX_set_tls1_prf_md(3)</a>,</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
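Review bot: confirm that the sibling pages this file links to are removed in the same change. The SEE ALSO paragraph near the end of the deleted page references `../man1/openssl-kdf.html`, `../man3/EVP_PKEY_CTX_set_hkdf_md.html` and `../man3/EVP_PKEY_CTX_set_tls1_prf_md.html` by relative path, and the EXAMPLES section points at `../man7/SM2.html`, so deleting only the man1 directory would leave the remaining prebuilt html tree with dangling links. If the intent is to drop the whole documentation tree, a one-line statement to that effect in the commit message would make the scope explicit.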

View File

@ -1,103 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-prime</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-prime - compute prime numbers</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl prime</b> [<b>-help</b>] [<b>-hex</b>] [<b>-generate</b>] [<b>-bits</b> <i>num</i>] [<b>-safe</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>-checks</b> <i>num</i>] [<i>number</i> ...]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command checks if the specified numbers are prime.</p>
<p>If no numbers are given on the command line, the <b>-generate</b> flag should be used to generate primes according to the requirements specified by the rest of the flags.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Display an option summary.</p>
</dd>
<dt id="hex"><b>-hex</b></dt>
<dd>
<p>Generate hex output.</p>
</dd>
<dt id="generate"><b>-generate</b></dt>
<dd>
<p>Generate a prime number.</p>
</dd>
<dt id="bits-num"><b>-bits</b> <i>num</i></dt>
<dd>
<p>Generate a prime with <i>num</i> bits.</p>
</dd>
<dt id="safe"><b>-safe</b></dt>
<dd>
<p>When used with <b>-generate</b>, generates a &quot;safe&quot; prime. If the number generated is <i>n</i>, then check that <code>(<i>n</i>-1)/2</code> is also prime.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="checks-num"><b>-checks</b> <i>num</i></dt>
<dd>
<p>This parameter is ignored.</p>
</dd>
</dl>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,113 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-rand</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-rand - generate pseudo-random bytes</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl rand</b> [<b>-help</b>] [<b>-out</b> <i>file</i>] [<b>-base64</b>] [<b>-hex</b>] [<b>-engine</b> <i>id</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] <i>num</i></p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command generates <i>num</i> random bytes using a cryptographically secure pseudo random number generator (CSPRNG).</p>
<p>The random bytes are generated using the <a href="../man3/RAND_bytes.html">RAND_bytes(3)</a> function, which provides a security level of 256 bits, provided it managed to seed itself successfully from a trusted operating system entropy source. Otherwise, the command will fail with a nonzero error code. For more details, see <a href="../man3/RAND_bytes.html">RAND_bytes(3)</a>, <a href="../man7/RAND.html">RAND(7)</a>, and <a href="../man7/EVP_RAND.html">EVP_RAND(7)</a>.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="out-file"><b>-out</b> <i>file</i></dt>
<dd>
<p>Write to <i>file</i> instead of standard output.</p>
</dd>
<dt id="base64"><b>-base64</b></dt>
<dd>
<p>Perform base64 encoding on the output.</p>
</dd>
<dt id="hex"><b>-hex</b></dt>
<dd>
<p>Show the output as a hex string.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man3/RAND_bytes.html">RAND_bytes(3)</a>, <a href="../man7/RAND.html">RAND(7)</a>, <a href="../man7/EVP_RAND.html">EVP_RAND(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,146 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-rehash</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a>
<ul>
<li><a href="#Script-Configuration">Script Configuration</a></li>
</ul>
</li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#ENVIRONMENT">ENVIRONMENT</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-rehash, c_rehash - Create symbolic links to files named by the hash values</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>rehash</b> [<b>-h</b>] [<b>-help</b>] [<b>-old</b>] [<b>-compat</b>] [<b>-n</b>] [<b>-v</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>directory</i>] ...</p>
<p><b>c_rehash</b> [<b>-h</b>] [<b>-help</b>] [<b>-old</b>] [<b>-n</b>] [<b>-v</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>directory</i>] ...</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is generally equivalent to the external script <b>c_rehash</b>, except for minor differences noted below.</p>
<p><b>openssl rehash</b> scans directories and calculates a hash value of each <i>.pem</i>, <i>.crt</i>, <i>.cer</i>, or <i>.crl</i> file in the specified directory list and creates symbolic links for each file, where the name of the link is the hash value. (If the platform does not support symbolic links, a copy is made.) This command is useful as many programs that use OpenSSL require directories to be set up like this in order to find certificates.</p>
<p>If any directories are named on the command line, then those are processed in turn. If not, then the <b>SSL_CERT_DIR</b> environment variable is consulted; this should be a colon-separated list of directories, like the Unix <b>PATH</b> variable. If that is not set then the default directory (installation-specific but often <i>/usr/local/ssl/certs</i>) is processed.</p>
<p>In order for a directory to be processed, the user must have write permissions on that directory, otherwise an error will be generated.</p>
<p>The links created are of the form <i>HHHHHHHH.D</i>, where each <i>H</i> is a hexadecimal character and <i>D</i> is a single decimal digit. When a directory is processed, all links in it that have a name in that syntax are first removed, even if they are being used for some other purpose. To skip the removal step, use the <b>-n</b> flag. Hashes for CRL&#39;s look similar except the letter <b>r</b> appears after the period, like this: <i>HHHHHHHH.</i><b>r</b><i>D</i>.</p>
<p>Multiple objects may have the same hash; they will be indicated by incrementing the <i>D</i> value. Duplicates are found by comparing the full SHA-1 fingerprint. A warning will be displayed if a duplicate is found.</p>
<p>A warning will also be displayed if there are files that cannot be parsed as either a certificate or a CRL or if more than one such object appears in the file.</p>
<h2 id="Script-Configuration">Script Configuration</h2>
<p>The <b>c_rehash</b> script uses the <b>openssl</b> program to compute the hashes and fingerprints. If not found in the user&#39;s <b>PATH</b>, then set the <b>OPENSSL</b> environment variable to the full pathname. Any program can be used, it will be invoked as follows for either a certificate or CRL:</p>
<pre><code> $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
$OPENSSL crl -hash -fingerprint -noout -in FILENAME</code></pre>
<p>where <i>FILENAME</i> is the filename. It must output the hash of the file on the first line, and the fingerprint on the second, optionally prefixed with some text and an equals sign.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help--h"><b>-help</b> <b>-h</b></dt>
<dd>
<p>Display a brief usage message.</p>
</dd>
<dt id="old"><b>-old</b></dt>
<dd>
<p>Use old-style hashing (MD5, as opposed to SHA-1) for generating links to be used for releases before 1.0.0. Note that current versions will not use the old style.</p>
</dd>
<dt id="n"><b>-n</b></dt>
<dd>
<p>Do not remove existing links. This is needed when keeping new and old-style links in the same directory.</p>
</dd>
<dt id="compat"><b>-compat</b></dt>
<dd>
<p>Generate links for both old-style (MD5) and new-style (SHA1) hashing. This allows releases before 1.0.0 to use these links along-side newer releases.</p>
</dd>
<dt id="v"><b>-v</b></dt>
<dd>
<p>Print messages about old links removed and new links created. By default, this command only lists each directory as it is processed.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="ENVIRONMENT">ENVIRONMENT</h1>
<dl>
<dt id="OPENSSL"><b>OPENSSL</b></dt>
<dd>
<p>The path to an executable to use to generate hashes and fingerprints (see above).</p>
</dd>
<dt id="SSL_CERT_DIR"><b>SSL_CERT_DIR</b></dt>
<dd>
<p>Colon separated list of directories to operate on. Ignored if directories are listed on the command line.</p>
</dd>
</dl>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-crl.html">openssl-crl(1)</a>, <a href="../man1/openssl-x509.html">openssl-x509(1)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
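Review bot: this page documents operational behaviour that consumers of the prebuilt tree may have been pointed at (the `SSL_CERT_DIR` colon-separated lookup, the `HHHHHHHH.D` link naming, and the fact that existing links are removed unless `-n` is given), so before the deletion lands, grep the project's own READMEs and helper scripts for references to this file or to `c_rehash` and repoint them at the upstream manual rather than at a path that no longer exists. Also worth checking that whatever step populates the prebuilt include directory excludes the html docs, otherwise these files will reappear on the next refresh and this cleanup will need repeating.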

View File

@ -1,698 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-req</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#CONFIGURATION-FILE-FORMAT">CONFIGURATION FILE FORMAT</a></li>
<li><a href="#DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT">DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#DIAGNOSTICS">DIAGNOSTICS</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-req - PKCS#10 certificate request and certificate generating command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>req</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>] [<b>-passin</b> <i>arg</i>] [<b>-out</b> <i>filename</i>] [<b>-passout</b> <i>arg</i>] [<b>-text</b>] [<b>-pubkey</b>] [<b>-noout</b>] [<b>-verify</b>] [<b>-modulus</b>] [<b>-new</b>] [<b>-newkey</b> <i>arg</i>] [<b>-pkeyopt</b> <i>opt</i>:<i>value</i>] [<b>-noenc</b>] [<b>-nodes</b>] [<b>-key</b> <i>filename</i>|<i>uri</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-keyout</b> <i>filename</i>] [<b>-keygen_engine</b> <i>id</i>] [<b>-<i>digest</i></b>] [<b>-config</b> <i>filename</i>] [<b>-section</b> <i>name</i>] [<b>-x509</b>] [<b>-x509v1</b>] [<b>-CA</b> <i>filename</i>|<i>uri</i>] [<b>-CAkey</b> <i>filename</i>|<i>uri</i>] [<b>-days</b> <i>n</i>] [<b>-set_serial</b> <i>n</i>] [<b>-newhdr</b>] [<b>-copy_extensions</b> <i>arg</i>] [<b>-extensions</b> <i>section</i>] [<b>-reqexts</b> <i>section</i>] [<b>-addext</b> <i>ext</i>] [<b>-precert</b>] [<b>-utf8</b>] [<b>-reqopt</b>] [<b>-subject</b>] [<b>-subj</b> <i>arg</i>] [<b>-multivalue-rdn</b>] [<b>-sigopt</b> <i>nm</i>:<i>v</i>] [<b>-vfyopt</b> <i>nm</i>:<i>v</i>] [<b>-batch</b>] [<b>-verbose</b>] [<b>-quiet</b>] [<b>-nameopt</b> <i>option</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command primarily creates and processes certificate requests (CSRs) in PKCS#10 format. It can additionally create self-signed certificates for use as root CAs for example.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The CSR input file format to use; by default PEM is tried first. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The output format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>The data is a PKCS#10 object.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read a request from. This defaults to standard input unless <b>-x509</b> or <b>-CA</b> is specified. A request is only read if the creation options (<b>-new</b> or <b>-newkey</b> or <b>-precert</b>) are not specified.</p>
</dd>
<dt id="sigopt-nm:v"><b>-sigopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm during sign operations. Names and values of these options are algorithm-specific.</p>
</dd>
<dt id="vfyopt-nm:v"><b>-vfyopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm during verify operations. Names and values of these options are algorithm-specific.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The password source for private key and certificate input. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="passout-arg"><b>-passout</b> <i>arg</i></dt>
<dd>
<p>The password source for the output file. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write to or standard output by default.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out the certificate request in text form.</p>
</dd>
<dt id="subject"><b>-subject</b></dt>
<dd>
<p>Prints out the certificate request subject (or certificate subject if <b>-x509</b> is in use).</p>
</dd>
<dt id="pubkey"><b>-pubkey</b></dt>
<dd>
<p>Prints out the public key.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option prevents output of the encoded version of the certificate request.</p>
</dd>
<dt id="modulus"><b>-modulus</b></dt>
<dd>
<p>Prints out the value of the modulus of the public key contained in the request.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verifies the self-signature on the request.</p>
</dd>
<dt id="new"><b>-new</b></dt>
<dd>
<p>This option generates a new certificate request. It will prompt the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in the configuration file and any requested extensions.</p>
<p>If the <b>-key</b> option is not given it will generate a new private key using information specified in the configuration file or given with the <b>-newkey</b> and <b>-pkeyopt</b> options, else by default an RSA key with 2048 bits length.</p>
</dd>
<dt id="newkey-arg"><b>-newkey</b> <i>arg</i></dt>
<dd>
<p>This option is used to generate a new private key unless <b>-key</b> is given. It is subsequently used as if it was given using the <b>-key</b> option.</p>
<p>This option implies the <b>-new</b> flag to create a new certificate request or a new certificate in case <b>-x509</b> is used.</p>
<p>The argument takes one of several forms.</p>
<p>[<b>rsa:</b>]<i>nbits</i> generates an RSA key <i>nbits</i> in size. If <i>nbits</i> is omitted, i.e., <b>-newkey</b> <b>rsa</b> is specified, the default key size specified in the configuration file with the <b>default_bits</b> option is used if present, else 2048.</p>
<p>All other algorithms support the <b>-newkey</b> <i>algname</i>:<i>file</i> form, where <i>file</i> is an algorithm parameter file, created with <code>openssl genpkey -genparam</code> or an X.509 certificate for a key with appropriate algorithm.</p>
<p><b>param:</b><i>file</i> generates a key using the parameter file or certificate <i>file</i>, the algorithm is determined by the parameters.</p>
<p><i>algname</i>[:<i>file</i>] generates a key using the given algorithm <i>algname</i>. If a parameter file <i>file</i> is given then the parameters specified there are used, where the algorithm parameters must match <i>algname</i>. If algorithm parameters are not given, any necessary parameters should be specified via the <b>-pkeyopt</b> option.</p>
<p><b>dsa:</b><i>filename</i> generates a DSA key using the parameters in the file <i>filename</i>. <b>ec:</b><i>filename</i> generates EC key (usable both with ECDSA or ECDH algorithms), <b>gost2001:</b><i>filename</i> generates GOST R 34.10-2001 key (requires <b>gost</b> engine configured in the configuration file). If just <b>gost2001</b> is specified a parameter set should be specified by <b>-pkeyopt</b> <i>paramset:X</i></p>
</dd>
<dt id="pkeyopt-opt:value"><b>-pkeyopt</b> <i>opt</i>:<i>value</i></dt>
<dd>
<p>Set the public key algorithm option <i>opt</i> to <i>value</i>. The precise set of options supported depends on the public key algorithm used and its implementation. See <a href="../man1/openssl-genpkey.html">&quot;KEY GENERATION OPTIONS&quot; in openssl-genpkey(1)</a> for more details.</p>
</dd>
<dt id="key-filename-uri"><b>-key</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This option provides the private key for signing a new certificate or certificate request. Unless <b>-in</b> is given, the corresponding public key is placed in the new certificate or certificate request, resulting in a self-signature.</p>
<p>For certificate signing this option is overridden by the <b>-CA</b> option.</p>
<p>This option also accepts PKCS#8 format private keys for PEM format files.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The format of the private key; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="keyout-filename"><b>-keyout</b> <i>filename</i></dt>
<dd>
<p>This gives the filename to write any private key to that has been newly created or read from <b>-key</b>. If neither the <b>-keyout</b> option nor the <b>-key</b> option are given then the filename specified in the configuration file with the <b>default_keyfile</b> option is used, if present. Thus, if you want to write the private key and the <b>-key</b> option is provided, you should provide the <b>-keyout</b> option explicitly. If a new key is generated and no filename is specified the key is written to standard output.</p>
</dd>
<dt id="noenc"><b>-noenc</b></dt>
<dd>
<p>If this option is specified then if a private key is created it will not be encrypted.</p>
</dd>
<dt id="nodes"><b>-nodes</b></dt>
<dd>
<p>This option is deprecated since OpenSSL 3.0; use <b>-noenc</b> instead.</p>
</dd>
<dt id="digest"><b>-<i>digest</i></b></dt>
<dd>
<p>This specifies the message digest to sign the request. Any digest supported by the OpenSSL <b>dgst</b> command can be used. This overrides the digest algorithm specified in the configuration file.</p>
<p>Some public key algorithms may override this choice. For instance, DSA signatures always use SHA1, GOST R 34.10 signatures always use GOST R 34.11-94 (<b>-md_gost94</b>), Ed25519 and Ed448 never use any digest.</p>
</dd>
<dt id="config-filename"><b>-config</b> <i>filename</i></dt>
<dd>
<p>This allows an alternative configuration file to be specified. Optional; for a description of the default value, see <a href="../man1/openssl.html">&quot;COMMAND SUMMARY&quot; in openssl(1)</a>.</p>
</dd>
<dt id="section-name"><b>-section</b> <i>name</i></dt>
<dd>
<p>Specifies the name of the section to use; the default is <b>req</b>.</p>
</dd>
<dt id="subj-arg"><b>-subj</b> <i>arg</i></dt>
<dd>
<p>Sets subject name for new request or supersedes the subject name when processing a certificate request.</p>
<p>The arg must be formatted as <code>/type0=value0/type1=value1/type2=...</code>. Special characters may be escaped by <code>\</code> (backslash), whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the request. Giving a single <code>/</code> will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a <code>+</code> character instead of a <code>/</code> between the AttributeValueAssertions (AVAs) that specify the members of the set. Example:</p>
<p><code>/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe</code></p>
</dd>
<dt id="multivalue-rdn"><b>-multivalue-rdn</b></dt>
<dd>
<p>This option has been deprecated and has no effect.</p>
</dd>
<dt id="x509"><b>-x509</b></dt>
<dd>
<p>This option outputs a certificate instead of a certificate request. This is typically used to generate test certificates. It is implied by the <b>-CA</b> option.</p>
<p>This option implies the <b>-new</b> flag if <b>-in</b> is not given.</p>
<p>If an existing request is specified with the <b>-in</b> option, it is converted to a certificate; otherwise a request is created from scratch.</p>
<p>Unless specified using the <b>-set_serial</b> option, a large random number will be used for the serial number.</p>
<p>Unless the <b>-copy_extensions</b> option is used, X.509 extensions are not copied from any provided request input file.</p>
<p>X.509 extensions to be added can be specified in the configuration file, possibly using the <b>-config</b> and <b>-extensions</b> options, and/or using the <b>-addext</b> option.</p>
<p>Unless <b>-x509v1</b> is given, generated certificates bear X.509 version 3. Unless specified otherwise, key identifier extensions are included as described in <a href="../man5/x509v3_config.html">x509v3_config(5)</a>.</p>
</dd>
<dt id="x509v1"><b>-x509v1</b></dt>
<dd>
<p>Request generation of certificates with X.509 version 1. This implies <b>-x509</b>. If X.509 extensions are given, anyway X.509 version 3 is set.</p>
</dd>
<dt id="CA-filename-uri"><b>-CA</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>Specifies the &quot;CA&quot; certificate to be used for signing a new certificate and implies use of <b>-x509</b>. When present, this behaves like a &quot;micro CA&quot; as follows: The subject name of the &quot;CA&quot; certificate is placed as issuer name in the new certificate, which is then signed using the &quot;CA&quot; key given as specified below.</p>
</dd>
<dt id="CAkey-filename-uri"><b>-CAkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>Sets the &quot;CA&quot; private key to sign a certificate with. The private key must match the public key of the certificate given with <b>-CA</b>. If this option is not provided then the key must be present in the <b>-CA</b> input.</p>
</dd>
<dt id="days-n"><b>-days</b> <i>n</i></dt>
<dd>
<p>When <b>-x509</b> is in use this specifies the number of days to certify the certificate for, otherwise it is ignored. <i>n</i> should be a positive integer. The default is 30 days.</p>
</dd>
<dt id="set_serial-n"><b>-set_serial</b> <i>n</i></dt>
<dd>
<p>Serial number to use when outputting a self-signed certificate. This may be specified as a decimal value or a hex value if preceded by <code>0x</code>. If not given, a large random number will be used.</p>
</dd>
<dt id="copy_extensions-arg"><b>-copy_extensions</b> <i>arg</i></dt>
<dd>
<p>Determines how X.509 extensions in certificate requests should be handled when <b>-x509</b> is in use. If <i>arg</i> is <b>none</b> or this option is not present then extensions are ignored. If <i>arg</i> is <b>copy</b> or <b>copyall</b> then all extensions in the request are copied to the certificate.</p>
<p>The main use of this option is to allow a certificate request to supply values for certain extensions such as subjectAltName.</p>
</dd>
<dt id="extensions-section--reqexts-section"><b>-extensions</b> <i>section</i>, <b>-reqexts</b> <i>section</i></dt>
<dd>
<p>Can be used to override the name of the configuration file section from which X.509 extensions are included in the certificate (when <b>-x509</b> is in use) or certificate request. This allows several different sections to be used in the same configuration file to specify requests for a variety of purposes.</p>
</dd>
<dt id="addext-ext"><b>-addext</b> <i>ext</i></dt>
<dd>
<p>Add a specific extension to the certificate (if <b>-x509</b> is in use) or certificate request. The argument must have the form of a <code>key=value</code> pair as it would appear in a config file.</p>
<p>This option can be given multiple times.</p>
</dd>
<dt id="precert"><b>-precert</b></dt>
<dd>
<p>A poison extension will be added to the certificate, making it a &quot;pre-certificate&quot; (see RFC6962). This can be submitted to Certificate Transparency logs in order to obtain signed certificate timestamps (SCTs). These SCTs can then be embedded into the pre-certificate as an extension, before removing the poison and signing the certificate.</p>
<p>This implies the <b>-new</b> flag.</p>
</dd>
<dt id="utf8"><b>-utf8</b></dt>
<dd>
<p>This option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings.</p>
</dd>
<dt id="reqopt-option"><b>-reqopt</b> <i>option</i></dt>
<dd>
<p>Customise the printing format used with <b>-text</b>. The <i>option</i> argument can be a single option or multiple options separated by commas.</p>
<p>See discussion of the <b>-certopt</b> parameter in the <a href="../man1/openssl-x509.html">openssl-x509(1)</a> command.</p>
</dd>
<dt id="newhdr"><b>-newhdr</b></dt>
<dd>
<p>Adds the word <b>NEW</b> to the PEM file header and footer lines on the outputted request. Some software (Netscape certificate server) and some CAs need this.</p>
</dd>
<dt id="batch"><b>-batch</b></dt>
<dd>
<p>Non-interactive mode.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Print extra details about the operations being performed.</p>
</dd>
<dt id="quiet"><b>-quiet</b></dt>
<dd>
<p>Print fewer details about the operations being performed, which may be handy during batch scripts or pipelines (specifically &quot;progress dots&quot; during key generation are suppressed).</p>
</dd>
<dt id="keygen_engine-id"><b>-keygen_engine</b> <i>id</i></dt>
<dd>
<p>Specifies an engine (by its unique <i>id</i> string) which would be used for key generation operations.</p>
</dd>
<dt id="nameopt-option"><b>-nameopt</b> <i>option</i></dt>
<dd>
<p>This specifies how the subject or issuer names are displayed. See <a href="../man1/openssl-namedisplay-options.html">openssl-namedisplay-options(1)</a> for details.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="CONFIGURATION-FILE-FORMAT">CONFIGURATION FILE FORMAT</h1>
<p>The configuration options are specified in the <b>req</b> section of the configuration file. An alternate name be specified by using the <b>-section</b> option. As with all configuration files, if no value is specified in the specific section then the initial unnamed or <b>default</b> section is searched too.</p>
<p>The options available are described in detail below.</p>
<dl>
<dt id="input_password-output_password"><b>input_password</b>, <b>output_password</b></dt>
<dd>
<p>The passwords for the input private key file (if present) and the output private key file (if one will be created). The command line options <b>passin</b> and <b>passout</b> override the configuration file values.</p>
</dd>
<dt id="default_bits"><b>default_bits</b></dt>
<dd>
<p>Specifies the default key size in bits.</p>
<p>This option is used in conjunction with the <b>-new</b> option to generate a new key. It can be overridden by specifying an explicit key size in the <b>-newkey</b> option. The smallest accepted key size is 512 bits. If no key size is specified then 2048 bits is used.</p>
</dd>
<dt id="default_keyfile"><b>default_keyfile</b></dt>
<dd>
<p>This is the default filename to write a private key to. If not specified the key is written to standard output. This can be overridden by the <b>-keyout</b> option.</p>
</dd>
<dt id="oid_file"><b>oid_file</b></dt>
<dd>
<p>This specifies a file containing additional <b>OBJECT IDENTIFIERS</b>. Each line of the file should consist of the numerical form of the object identifier followed by whitespace then the short name followed by whitespace and finally the long name.</p>
</dd>
<dt id="oid_section"><b>oid_section</b></dt>
<dd>
<p>This specifies a section in the configuration file containing extra object identifiers. Each line should consist of the short name of the object identifier followed by <b>=</b> and the numerical form. The short and long names are the same when this option is used.</p>
</dd>
<dt id="RANDFILE"><b>RANDFILE</b></dt>
<dd>
<p>At startup the specified file is loaded into the random number generator, and at exit 256 bytes will be written to it. It is used for private key generation.</p>
</dd>
<dt id="encrypt_key"><b>encrypt_key</b></dt>
<dd>
<p>If this is set to <b>no</b> then if a private key is generated it is <b>not</b> encrypted. This is equivalent to the <b>-noenc</b> command line option. For compatibility <b>encrypt_rsa_key</b> is an equivalent option.</p>
</dd>
<dt id="default_md"><b>default_md</b></dt>
<dd>
<p>This option specifies the digest algorithm to use. Any digest supported by the OpenSSL <b>dgst</b> command can be used. This option can be overridden on the command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore any digest that has been set.</p>
</dd>
<dt id="string_mask"><b>string_mask</b></dt>
<dd>
<p>This option masks out the use of certain string types in certain fields. Most users will not need to change this option.</p>
<p>It can be set to several values <b>default</b> which is also the default option uses PrintableStrings, T61Strings and BMPStrings if the <b>pkix</b> value is used then only PrintableStrings and BMPStrings will be used. This follows the PKIX recommendation in RFC2459. If the <b>utf8only</b> option is used then only UTF8Strings will be used: this is the PKIX recommendation in RFC2459 after 2003. Finally the <b>nombstr</b> option just uses PrintableStrings and T61Strings: certain software has problems with BMPStrings and UTF8Strings: in particular Netscape.</p>
</dd>
<dt id="req_extensions"><b>req_extensions</b></dt>
<dd>
<p>This specifies the configuration file section containing a list of extensions to add to the certificate request. It can be overridden by the <b>-reqexts</b> command line switch. See the <a href="../man5/x509v3_config.html">x509v3_config(5)</a> manual page for details of the extension section format.</p>
</dd>
<dt id="x509_extensions"><b>x509_extensions</b></dt>
<dd>
<p>This specifies the configuration file section containing a list of extensions to add to certificate generated when <b>-x509</b> is in use. It can be overridden by the <b>-extensions</b> command line switch.</p>
</dd>
<dt id="prompt"><b>prompt</b></dt>
<dd>
<p>If set to the value <b>no</b> this disables prompting of certificate fields and just takes values from the config file directly. It also changes the expected format of the <b>distinguished_name</b> and <b>attributes</b> sections.</p>
</dd>
<dt id="utf81"><b>utf8</b></dt>
<dd>
<p>If set to the value <b>yes</b> then field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings.</p>
</dd>
<dt id="attributes"><b>attributes</b></dt>
<dd>
<p>This specifies the section containing any request attributes: its format is the same as <b>distinguished_name</b>. Typically these may contain the challengePassword or unstructuredName types. They are currently ignored by OpenSSL&#39;s request signing utilities but some CAs might want them.</p>
</dd>
<dt id="distinguished_name"><b>distinguished_name</b></dt>
<dd>
<p>This specifies the section containing the distinguished name fields to prompt for when generating a certificate or certificate request. The format is described in the next section.</p>
</dd>
</dl>
<h1 id="DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT">DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT</h1>
<p>There are two separate formats for the distinguished name and attribute sections. If the <b>prompt</b> option is set to <b>no</b> then these sections just consist of field names and values: for example,</p>
<pre><code> CN=My Name
OU=My Organization
emailAddress=someone@somewhere.org</code></pre>
<p>This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to this command. An example of this kind of configuration file is contained in the <b>EXAMPLES</b> section.</p>
<p>Alternatively if the <b>prompt</b> option is absent or not set to <b>no</b> then the file contains field prompting information. It consists of lines of the form:</p>
<pre><code> fieldName=&quot;prompt&quot;
fieldName_default=&quot;default field value&quot;
fieldName_min= 2
fieldName_max= 4</code></pre>
<p>&quot;fieldName&quot; is the field name being used, for example commonName (or CN). The &quot;prompt&quot; string is used to ask the user to enter the relevant details. If the user enters nothing then the default value is used if no default value is present then the field is omitted. A field can still be omitted if a default value is present if the user just enters the &#39;.&#39; character.</p>
<p>The number of characters entered must be between the fieldName_min and fieldName_max limits: there may be additional restrictions based on the field being used (for example countryName can only ever be two characters long and must fit in a PrintableString).</p>
<p>Some fields (such as organizationName) can be used more than once in a DN. This presents a problem because configuration files will not recognize the same name occurring twice. To avoid this problem if the fieldName contains some characters followed by a full stop they will be ignored. So for example a second organizationName can be input by calling it &quot;1.organizationName&quot;.</p>
<p>The actual permitted field names are any object identifier short or long names. These are compiled into OpenSSL and include the usual values such as commonName, countryName, localityName, organizationName, organizationalUnitName, stateOrProvinceName. Additionally emailAddress is included as well as name, surname, givenName, initials, and dnQualifier.</p>
<p>Additional object identifiers can be defined with the <b>oid_file</b> or <b>oid_section</b> options in the configuration file. Any additional fields will be treated as though they were a DirectoryString.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Examine and verify certificate request:</p>
<pre><code> openssl req -in req.pem -text -verify -noout</code></pre>
<p>Create a private key and then generate a certificate request from it:</p>
<pre><code> openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem</code></pre>
<p>The same but just using req:</p>
<pre><code> openssl req -newkey rsa:2048 -keyout key.pem -out req.pem</code></pre>
<p>Generate a self-signed root certificate:</p>
<pre><code> openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem</code></pre>
<p>Create an SM2 private key and then generate a certificate request from it:</p>
<pre><code> openssl ecparam -genkey -name SM2 -out sm2.key
openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt &quot;distid:1234567812345678&quot;</code></pre>
<p>Examine and verify an SM2 certificate request:</p>
<pre><code> openssl req -verify -in sm2.csr -sm3 -vfyopt &quot;distid:1234567812345678&quot;</code></pre>
<p>Example of a file pointed to by the <b>oid_file</b> option:</p>
<pre><code> 1.2.3.4 shortName A longer Name
1.2.3.6 otherName Other longer Name</code></pre>
<p>Example of a section pointed to by <b>oid_section</b> making use of variable expansion:</p>
<pre><code> testoid1=1.2.3.5
testoid2=${testoid1}.6</code></pre>
<p>Sample configuration file prompting for field values:</p>
<pre><code> [ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical, CA:true</code></pre>
<p>Sample configuration containing all field values:</p>
<pre><code> [ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = GB
ST = Test State or Province
L = Test Locality
O = Organization Name
OU = Organizational Unit Name
CN = Common Name
emailAddress = test@email.address
[ req_attributes ]
challengePassword = A challenge password</code></pre>
<p>Example of giving the most common attributes (subject and extensions) on the command line:</p>
<pre><code> openssl req -new -subj &quot;/C=GB/CN=foo&quot; \
-addext &quot;subjectAltName = DNS:foo.co.uk&quot; \
-addext &quot;certificatePolicies = 1.2.3.4&quot; \
-newkey rsa:2048 -keyout key.pem -out req.pem</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>The certificate requests generated by <b>Xenroll</b> with MSIE have extensions added. It includes the <b>keyUsage</b> extension which determines the type of key (signature only or general purpose) and any additional OIDs entered by the script in an <b>extendedKeyUsage</b> extension.</p>
<h1 id="DIAGNOSTICS">DIAGNOSTICS</h1>
<p>The following messages are frequently asked about:</p>
<pre><code> Using configuration from /some/path/openssl.cnf
Unable to load config info</code></pre>
<p>This is followed some time later by:</p>
<pre><code> unable to find &#39;distinguished_name&#39; in config
problems making Certificate Request</code></pre>
<p>The first error message is the clue: it can&#39;t find the configuration file! Certain operations (like examining a certificate request) don&#39;t need a configuration file so its use isn&#39;t enforced. Generation of certificates or requests however does need a configuration file. This could be regarded as a bug.</p>
<p>Another puzzling message is this:</p>
<pre><code> Attributes:
a0:00</code></pre>
<p>this is displayed when no attributes are present and the request includes the correct empty <b>SET OF</b> structure (the DER encoding of which is 0xa0 0x00). If you just see:</p>
<pre><code> Attributes:</code></pre>
<p>then the <b>SET OF</b> is missing and the encoding is technically invalid (but it is tolerated). See the description of the command line option <b>-asn1-kludge</b> for more information.</p>
<h1 id="BUGS">BUGS</h1>
<p>OpenSSL&#39;s handling of T61Strings (aka TeletexStrings) is broken: it effectively treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour. This can cause problems if you need characters that aren&#39;t available in PrintableStrings and you don&#39;t want to or can&#39;t use BMPStrings.</p>
<p>As a consequence of the T61String handling the only correct way to represent accented characters in OpenSSL is to use a BMPString: unfortunately Netscape currently chokes on these. If you have to use accented characters with Netscape and MSIE then you currently need to use the invalid T61String form.</p>
<p>The current prompting is not very friendly. It doesn&#39;t allow you to confirm what you&#39;ve just entered. Other things like extensions in certificate requests are statically defined in the configuration file. Some of these: like an email address in subjectAltName should be input by the user.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-x509.html">openssl-x509(1)</a>, <a href="../man1/openssl-ca.html">openssl-ca(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a>, <a href="../man5/config.html">config(5)</a>, <a href="../man5/x509v3_config.html">x509v3_config(5)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-section</b> option was added in OpenSSL 3.0.0.</p>
<p>The <b>-multivalue-rdn</b> option has become obsolete in OpenSSL 3.0.0 and has no effect.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0. The &lt;-nodes&gt; option was deprecated in OpenSSL 3.0, too; use <b>-noenc</b> instead.</p>
<p>The <b>-reqexts</b> option has been made an alias of <b>-extensions</b> in OpenSSL 3.2.</p>
<p>Since OpenSSL 3.2, generated certificates bear X.509 version 3 unless <b>-x509v1</b> is given, and key identifier extensions are included by default.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
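Review bot: No replacement pointer for the removed reference: this page is the only in-tree description of the `openssl req` configuration keys (the `default_bits` floor of 512 bits with a 2048-bit default, `encrypt_key = no` writing the private key unencrypted, the `string_mask` choices), and the commit message says only that the prebuilt docs are removed. Suggest naming the upstream manual location in the commit message or a short README, and confirming that nothing outside the deleted set still targets the relative `../man1/*.html` and `../man5/*.html` links these pages use in their SEE ALSO sections.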

View File

@ -1,228 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-rsa</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-rsa - RSA key processing command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>rsa</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-in</b> <i>filename</i>|<i>uri</i>] [<b>-passin</b> <i>arg</i>] [<b>-out</b> <i>filename</i>] [<b>-passout</b> <i>arg</i>] [<b>-aes128</b>] [<b>-aes192</b>] [<b>-aes256</b>] [<b>-aria128</b>] [<b>-aria192</b>] [<b>-aria256</b>] [<b>-camellia128</b>] [<b>-camellia192</b>] [<b>-camellia256</b>] [<b>-des</b>] [<b>-des3</b>] [<b>-idea</b>] [<b>-text</b>] [<b>-noout</b>] [<b>-modulus</b>] [<b>-traditional</b>] [<b>-check</b>] [<b>-pubin</b>] [<b>-pubout</b>] [<b>-RSAPublicKey_in</b>] [<b>-RSAPublicKey_out</b>] [<b>-pvk-strong</b>] [<b>-pvk-weak</b>] [<b>-pvk-none</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes RSA keys. They can be converted between various forms and their components printed out.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM-P12-ENGINE"><b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The key input format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The key output format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="traditional"><b>-traditional</b></dt>
<dd>
<p>When writing a private key, use the traditional PKCS#1 format instead of the PKCS#8 format.</p>
</dd>
<dt id="in-filename-uri"><b>-in</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This specifies the input to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for.</p>
</dd>
<dt id="passin-arg--passout-arg"><b>-passin</b> <i>arg</i>, <b>-passout</b> <i>arg</i></dt>
<dd>
<p>The password source for the input and output file. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write a key to or standard output if this option is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should <b>not</b> be the same as the input filename.</p>
</dd>
<dt id="aes128--aes192--aes256--aria128--aria192--aria256--camellia128--camellia192--camellia256--des--des3--idea"><b>-aes128</b>, <b>-aes192</b>, <b>-aes256</b>, <b>-aria128</b>, <b>-aria192</b>, <b>-aria256</b>, <b>-camellia128</b>, <b>-camellia192</b>, <b>-camellia256</b>, <b>-des</b>, <b>-des3</b>, <b>-idea</b></dt>
<dd>
<p>These options encrypt the private key with the specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that this command can be used to remove the pass phrase from a key by not giving any encryption option is given, or to add or change the pass phrase by setting them. These options can only be used with PEM format output files.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out the various public or private key components in plain text in addition to the encoded version.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option prevents output of the encoded version of the key.</p>
</dd>
<dt id="modulus"><b>-modulus</b></dt>
<dd>
<p>This option prints out the value of the modulus of the key.</p>
</dd>
<dt id="check"><b>-check</b></dt>
<dd>
<p>This option checks the consistency of an RSA private key.</p>
</dd>
<dt id="pubin"><b>-pubin</b></dt>
<dd>
<p>By default a private key is read from the input. With this option a public key is read instead. If the input contains no public key but a private key, its public part is used.</p>
</dd>
<dt id="pubout"><b>-pubout</b></dt>
<dd>
<p>By default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key.</p>
</dd>
<dt id="RSAPublicKey_in--RSAPublicKey_out"><b>-RSAPublicKey_in</b>, <b>-RSAPublicKey_out</b></dt>
<dd>
<p>Like <b>-pubin</b> and <b>-pubout</b> except <b>RSAPublicKey</b> format is used instead.</p>
</dd>
<dt id="pvk-strong"><b>-pvk-strong</b></dt>
<dd>
<p>Enable &#39;Strong&#39; PVK encoding level (default).</p>
</dd>
<dt id="pvk-weak"><b>-pvk-weak</b></dt>
<dd>
<p>Enable &#39;Weak&#39; PVK encoding level.</p>
</dd>
<dt id="pvk-none"><b>-pvk-none</b></dt>
<dd>
<p>Don&#39;t enforce PVK encoding.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>The <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a> command is capable of performing all the operations this command can, as well as supporting other public key types.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>The documentation for the <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a> command contains examples equivalent to the ones listed here.</p>
<p>To remove the pass phrase on an RSA private key:</p>
<pre><code> openssl rsa -in key.pem -out keyout.pem</code></pre>
<p>To encrypt a private key using triple DES:</p>
<pre><code> openssl rsa -in key.pem -des3 -out keyout.pem</code></pre>
<p>To convert a private key from PEM to DER format:</p>
<pre><code> openssl rsa -in key.pem -outform DER -out keyout.der</code></pre>
<p>To print out the components of a private key to standard output:</p>
<pre><code> openssl rsa -in key.pem -text -noout</code></pre>
<p>To just output the public part of a private key:</p>
<pre><code> openssl rsa -in key.pem -pubout -out pubkey.pem</code></pre>
<p>Output the public part of a private key in <b>RSAPublicKey</b> format:</p>
<pre><code> openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem</code></pre>
<h1 id="BUGS">BUGS</h1>
<p>There should be an option that automatically handles <i>.key</i> files, without having to manually edit them.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a>, <a href="../man1/openssl-pkcs8.html">openssl-pkcs8(1)</a>, <a href="../man1/openssl-dsa.html">openssl-dsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
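Review bot: The deleted openssl-rsa(1) page is the only local note that `openssl rsa -in key.pem -out keyout.pem` writes the key in plain text when no cipher option is given, and that `-traditional` selects PKCS#1 rather than PKCS#8 output; both are easy to get wrong without the manual to hand. Since the page's own NOTES section says openssl-pkey(1) covers everything this command does, a one-line pointer to the upstream openssl-pkey(1) manual in the commit message or a README would keep the prebuilt tree self-describing after the removal.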

View File

@ -1,275 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-rsautl</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-rsautl - RSA command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>rsautl</b> [<b>-help</b>] [<b>-in</b> <i>file</i>] [<b>-passin</b> <i>arg</i>] [<b>-rev</b>] [<b>-out</b> <i>file</i>] [<b>-inkey</b> <i>filename</i>|<i>uri</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-pubin</b>] [<b>-certin</b>] [<b>-sign</b>] [<b>-verify</b>] [<b>-encrypt</b>] [<b>-decrypt</b>] [<b>-pkcs</b>] [<b>-x931</b>] [<b>-oaep</b>] [<b>-raw</b>] [<b>-hexdump</b>] [<b>-asn1parse</b>] [<b>-engine</b> <i>id</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command has been deprecated. The <a href="../man1/openssl-pkeyutl.html">openssl-pkeyutl(1)</a> command should be used instead.</p>
<p>This command can be used to sign, verify, encrypt and decrypt data using the RSA algorithm.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read data from or standard input if this option is not specified.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The passphrase used in the output file. See see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="rev"><b>-rev</b></dt>
<dd>
<p>Reverse the order of the input.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Specifies the output filename to write to or standard output by default.</p>
</dd>
<dt id="inkey-filename-uri"><b>-inkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>The input key, by default it should be an RSA private key.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The key format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="pubin"><b>-pubin</b></dt>
<dd>
<p>By default a private key is read from the key input. With this option a public key is read instead. If the input contains no public key but a private key, its public part is used.</p>
</dd>
<dt id="certin"><b>-certin</b></dt>
<dd>
<p>The input is a certificate containing an RSA public key.</p>
</dd>
<dt id="sign"><b>-sign</b></dt>
<dd>
<p>Sign the input data and output the signed result. This requires an RSA private key.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verify the input data and output the recovered data.</p>
</dd>
<dt id="encrypt"><b>-encrypt</b></dt>
<dd>
<p>Encrypt the input data using an RSA public key.</p>
</dd>
<dt id="decrypt"><b>-decrypt</b></dt>
<dd>
<p>Decrypt the input data using an RSA private key.</p>
</dd>
<dt id="pkcs--oaep--x931--raw"><b>-pkcs</b>, <b>-oaep</b>, <b>-x931</b>, <b>-raw</b></dt>
<dd>
<p>The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, ANSI X9.31, or no padding, respectively. For signatures, only <b>-pkcs</b> and <b>-raw</b> can be used.</p>
<p>Note: because of protection against Bleichenbacher attacks, decryption using PKCS#1 v1.5 mode will not return errors in case padding check failed. Use <b>-raw</b> and inspect the returned value manually to check if the padding is correct.</p>
</dd>
<dt id="hexdump"><b>-hexdump</b></dt>
<dd>
<p>Hex dump the output data.</p>
</dd>
<dt id="asn1parse"><b>-asn1parse</b></dt>
<dd>
<p>Parse the ASN.1 output data, this is useful when combined with the <b>-verify</b> option.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>Since this command uses the RSA algorithm directly, it can only be used to sign or verify small pieces of data.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Examples equivalent to these can be found in the documentation for the non-deprecated <a href="../man1/openssl-pkeyutl.html">openssl-pkeyutl(1)</a> command.</p>
<p>Sign some data using a private key:</p>
<pre><code> openssl rsautl -sign -in file -inkey key.pem -out sig</code></pre>
<p>Recover the signed data</p>
<pre><code> openssl rsautl -verify -in sig -inkey key.pem</code></pre>
<p>Examine the raw signed data:</p>
<pre><code> openssl rsautl -verify -in sig -inkey key.pem -raw -hexdump
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64 .....hello world</code></pre>
<p>The PKCS#1 block formatting is evident from this. If this was done using encrypt and decrypt the block would have been of type 2 (the second byte) and random padding data visible instead of the 0xff bytes.</p>
<p>It is possible to analyse the signature of certificates using this command in conjunction with <a href="../man1/openssl-asn1parse.html">openssl-asn1parse(1)</a>. Consider the self signed example in <i>certs/pca-cert.pem</i>. Running <a href="../man1/openssl-asn1parse.html">openssl-asn1parse(1)</a> as follows yields:</p>
<pre><code> openssl asn1parse -in pca-cert.pem
0:d=0 hl=4 l= 742 cons: SEQUENCE
4:d=1 hl=4 l= 591 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 1 prim: INTEGER :00
16:d=2 hl=2 l= 13 cons: SEQUENCE
18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
29:d=3 hl=2 l= 0 prim: NULL
31:d=2 hl=2 l= 92 cons: SEQUENCE
33:d=3 hl=2 l= 11 cons: SET
35:d=4 hl=2 l= 9 cons: SEQUENCE
37:d=5 hl=2 l= 3 prim: OBJECT :countryName
42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
....
599:d=1 hl=2 l= 13 cons: SEQUENCE
601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
612:d=2 hl=2 l= 0 prim: NULL
614:d=1 hl=3 l= 129 prim: BIT STRING</code></pre>
<p>The final BIT STRING contains the actual signature. It can be extracted with:</p>
<pre><code> openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614</code></pre>
<p>The certificate public key can be extracted with:</p>
<pre><code> openssl x509 -in test/testx509.pem -pubkey -noout &gt;pubkey.pem</code></pre>
<p>The signature can be analysed with:</p>
<pre><code> openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
0:d=0 hl=2 l= 32 cons: SEQUENCE
2:d=1 hl=2 l= 12 cons: SEQUENCE
4:d=2 hl=2 l= 8 prim: OBJECT :md5
14:d=2 hl=2 l= 0 prim: NULL
16:d=1 hl=2 l= 16 prim: OCTET STRING
0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..</code></pre>
<p>This is the parsed version of an ASN1 DigestInfo structure. It can be seen that the digest used was md5. The actual part of the certificate that was signed can be extracted with:</p>
<pre><code> openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4</code></pre>
<p>and its digest computed with:</p>
<pre><code> openssl md5 -c tbs
MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5</code></pre>
<p>which it can be seen agrees with the recovered value above.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-pkeyutl.html">openssl-pkeyutl(1)</a>, <a href="../man1/openssl-dgst.html">openssl-dgst(1)</a>, <a href="../man1/openssl-rsa.html">openssl-rsa(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>This command was deprecated in OpenSSL 3.0.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
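Review bot: the worked example in the removed page's EXAMPLES is internally inconsistent: the signature is extracted from pca-cert.pem (`openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614`) but the public key used to recover it is taken from a different certificate (`openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem`), so the `rsautl -verify` step would only succeed if both files happen to carry the same key; if this page is regenerated anywhere, the second command should read the same certificate as the first. Dropping the page is otherwise fine: HISTORY marks rsautl deprecated since OpenSSL 3.0 and the page's own first paragraph redirects readers to openssl-pkeyutl(1).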

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

@ -1,193 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-s_time</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-s_time - SSL/TLS performance timing program</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>s_time</b> [<b>-help</b>] [<b>-connect</b> <i>host</i>:<i>port</i>] [<b>-www</b> <i>page</i>] [<b>-cert</b> <i>filename</i>] [<b>-key</b> <i>filename</i>] [<b>-reuse</b>] [<b>-new</b>] [<b>-verify</b> <i>depth</i>] [<b>-time</b> <i>seconds</i>] [<b>-ssl3</b>] [<b>-tls1</b>] [<b>-tls1_1</b>] [<b>-tls1_2</b>] [<b>-tls1_3</b>] [<b>-bugs</b>] [<b>-cipher</b> <i>cipherlist</i>] [<b>-ciphersuites</b> <i>val</i>] [<b>-nameopt</b> <i>option</i>] [<b>-cafile</b> <i>file</i>] [<b>-CAfile</b> <i>file</i>] [<b>-no-CAfile</b>] [<b>-CApath</b> <i>dir</i>] [<b>-no-CApath</b>] [<b>-CAstore</b> <i>uri</i>] [<b>-no-CAstore</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It can request a page from the server and includes the time to transfer the payload data in its timing measurements. It measures the number of connections within a given timeframe, the amount of data transferred (if any), and calculates the average time spent for one connection.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="connect-host:port"><b>-connect</b> <i>host</i>:<i>port</i></dt>
<dd>
<p>This specifies the host and optional port to connect to.</p>
</dd>
<dt id="www-page"><b>-www</b> <i>page</i></dt>
<dd>
<p>This specifies the page to GET from the server. A value of &#39;/&#39; gets the <i>index.html</i> page. If this parameter is not specified, then this command will only perform the handshake to establish SSL connections but not transfer any payload data.</p>
</dd>
<dt id="cert-certname"><b>-cert</b> <i>certname</i></dt>
<dd>
<p>The certificate to use, if one is requested by the server. The default is not to use a certificate. The file is in PEM format.</p>
</dd>
<dt id="key-keyfile"><b>-key</b> <i>keyfile</i></dt>
<dd>
<p>The private key to use. If not specified then the certificate file will be used. The file is in PEM format.</p>
</dd>
<dt id="verify-depth"><b>-verify</b> <i>depth</i></dt>
<dd>
<p>The verify depth to use. This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure.</p>
</dd>
<dt id="new"><b>-new</b></dt>
<dd>
<p>Performs the timing test using a new session ID for each connection. If neither <b>-new</b> nor <b>-reuse</b> are specified, they are both on by default and executed in sequence.</p>
</dd>
<dt id="reuse"><b>-reuse</b></dt>
<dd>
<p>Performs the timing test using the same session ID; this can be used as a test that session caching is working. If neither <b>-new</b> nor <b>-reuse</b> are specified, they are both on by default and executed in sequence.</p>
</dd>
<dt id="bugs"><b>-bugs</b></dt>
<dd>
<p>There are several known bugs in SSL and TLS implementations. Adding this option enables various workarounds.</p>
</dd>
<dt id="cipher-cipherlist"><b>-cipher</b> <i>cipherlist</i></dt>
<dd>
<p>This allows the TLSv1.2 and below cipher list sent by the client to be modified. This list will be combined with any TLSv1.3 ciphersuites that have been configured. Although the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See <a href="../man1/openssl-ciphers.html">openssl-ciphers(1)</a> for more information.</p>
</dd>
<dt id="ciphersuites-val"><b>-ciphersuites</b> <i>val</i></dt>
<dd>
<p>This allows the TLSv1.3 ciphersuites sent by the client to be modified. This list will be combined with any TLSv1.2 and below ciphersuites that have been configured. Although the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See <a href="../man1/openssl-ciphers.html">openssl-ciphers(1)</a> for more information. The format for this list is a simple colon (&quot;:&quot;) separated list of TLSv1.3 ciphersuite names.</p>
</dd>
<dt id="time-length"><b>-time</b> <i>length</i></dt>
<dd>
<p>Specifies how long (in seconds) this command should establish connections and optionally transfer payload data from a server. Server and client performance and the link speed determine how many connections it can establish.</p>
</dd>
<dt id="nameopt-option"><b>-nameopt</b> <i>option</i></dt>
<dd>
<p>This specifies how the subject or issuer names are displayed. See <a href="../man1/openssl-namedisplay-options.html">openssl-namedisplay-options(1)</a> for details.</p>
</dd>
<dt id="CAfile-file--no-CAfile--CApath-dir--no-CApath--CAstore-uri--no-CAstore"><b>-CAfile</b> <i>file</i>, <b>-no-CAfile</b>, <b>-CApath</b> <i>dir</i>, <b>-no-CApath</b>, <b>-CAstore</b> <i>uri</i>, <b>-no-CAstore</b></dt>
<dd>
<p>See <a href="../man1/openssl-verification-options.html">&quot;Trusted Certificate Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="cafile-file"><b>-cafile</b> <i>file</i></dt>
<dd>
<p>This is an obsolete synonym for <b>-CAfile</b>.</p>
</dd>
<dt id="ssl3--tls1--tls1_1--tls1_2--tls1_3"><b>-ssl3</b>, <b>-tls1</b>, <b>-tls1_1</b>, <b>-tls1_2</b>, <b>-tls1_3</b></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;TLS Version Options&quot; in openssl(1)</a>.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>This command can be used to measure the performance of an SSL connection. To connect to an SSL HTTP server and get the default page the command</p>
<pre><code> openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]</code></pre>
<p>would typically be used (https uses port 443). <i>commoncipher</i> is a cipher to which both client and server can agree, see the <a href="../man1/openssl-ciphers.html">openssl-ciphers(1)</a> command for details.</p>
<p>If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the <b>-bugs</b> and <b>-ssl3</b> options can be tried in case it is a buggy server. In particular you should play with these options <b>before</b> submitting a bug report to an OpenSSL mailing list.</p>
<p>A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty list to choose from. This is normally because the server is not sending the clients certificate authority in its &quot;acceptable CA list&quot; when it requests a certificate. By using <a href="../man1/openssl-s_client.html">openssl-s_client(1)</a> the CA list can be viewed and checked. However, some servers only request client authentication after a specific URL is requested. To obtain the list in this case it is necessary to use the <b>-prexit</b> option of <a href="../man1/openssl-s_client.html">openssl-s_client(1)</a> and send an HTTP request for an appropriate page.</p>
<p>If a certificate is specified on the command line using the <b>-cert</b> option it will not be used unless the server specifically requests a client certificate. Therefore, merely including a client certificate on the command line is no guarantee that the certificate works.</p>
<h1 id="BUGS">BUGS</h1>
<p>Because this program does not have all the options of the <a href="../man1/openssl-s_client.html">openssl-s_client(1)</a> program to turn protocols on and off, you may not be able to measure the performance of all protocols with all servers.</p>
<p>The <b>-verify</b> option should really exit if the server verification fails.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-cafile</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-s_client.html">openssl-s_client(1)</a>, <a href="../man1/openssl-s_server.html">openssl-s_server(1)</a>, <a href="../man1/openssl-ciphers.html">openssl-ciphers(1)</a>, <a href="../man7/ossl_store-file.html">ossl_store-file(7)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
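Review bot: the -verify option text in this removed page (repeated under BUGS) states that verification errors never fail the connection, so a timing run with -verify completes against a server whose chain does not validate and gives no assurance about the peer; that caveat is worth keeping wherever these pages are regenerated. Two naming inconsistencies are also visible in the removed text: SYNOPSIS writes -cert filename, -key filename and -time seconds, while OPTIONS documents them as -cert certname, -key keyfile and -time length.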

@ -1,188 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-sess_id</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#OUTPUT">OUTPUT</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-sess_id - SSL/TLS session handling command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>sess_id</b> [<b>-help</b>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>|<b>NSS</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-text</b>] [<b>-cert</b>] [<b>-noout</b>] [<b>-context</b> <i>ID</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes the encoded version of the SSL session structure and optionally prints out SSL session details (for example the SSL session master key) in human readable format. Since this is a diagnostic tool that needs some knowledge of the SSL protocol to use properly, most users will not need to use it.</p>
<p>The precise format of the data can vary across OpenSSL versions and is not documented.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="inform-DER-PEM--outform-DER-PEM-NSS"><b>-inform</b> <b>DER</b>|<b>PEM</b>, <b>-outform</b> <b>DER</b>|<b>PEM</b>|<b>NSS</b></dt>
<dd>
<p>The input and output formats; the default is PEM. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
<p>For <b>NSS</b> output, the session ID and master key are reported in NSS &quot;keylog&quot; format.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read session information from or standard input by default.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write session information to or standard output if this option is not specified.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out the various public or private key components in plain text in addition to the encoded version.</p>
</dd>
<dt id="cert"><b>-cert</b></dt>
<dd>
<p>If a certificate is present in the session it will be output using this option, if the <b>-text</b> option is also present then it will be printed out in text form.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option prevents output of the encoded version of the session.</p>
</dd>
<dt id="context-ID"><b>-context</b> <i>ID</i></dt>
<dd>
<p>This option can set the session id so the output session information uses the supplied ID. The ID can be any string of characters. This option won&#39;t normally be used.</p>
</dd>
</dl>
<h1 id="OUTPUT">OUTPUT</h1>
<p>Typical output:</p>
<pre><code> SSL-Session:
Protocol : TLSv1
Cipher : 0016
Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
Session-ID-ctx: 01000000
Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
Key-Arg : None
Start Time: 948459261
Timeout : 300 (sec)
Verify return code 0 (ok)</code></pre>
<p>These are described below in more detail.</p>
<dl>
<dt id="Protocol"><b>Protocol</b></dt>
<dd>
<p>This is the protocol in use TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 or SSLv3.</p>
</dd>
<dt id="Cipher"><b>Cipher</b></dt>
<dd>
<p>The cipher used this is the actual raw SSL or TLS cipher code, see the SSL or TLS specifications for more information.</p>
</dd>
<dt id="Session-ID"><b>Session-ID</b></dt>
<dd>
<p>The SSL session ID in hex format.</p>
</dd>
<dt id="Session-ID-ctx"><b>Session-ID-ctx</b></dt>
<dd>
<p>The session ID context in hex format.</p>
</dd>
<dt id="Master-Key"><b>Master-Key</b></dt>
<dd>
<p>This is the SSL session master key.</p>
</dd>
<dt id="Start-Time"><b>Start Time</b></dt>
<dd>
<p>This is the session start time represented as an integer in standard Unix format.</p>
</dd>
<dt id="Timeout"><b>Timeout</b></dt>
<dd>
<p>The timeout in seconds.</p>
</dd>
<dt id="Verify-return-code"><b>Verify return code</b></dt>
<dd>
<p>This is the return code when an SSL client certificate is verified.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>Since the SSL session output contains the master key it is possible to read the contents of an encrypted session using this information. Therefore, appropriate security precautions should be taken if the information is being output by a &quot;real&quot; application. This is however strongly discouraged and should only be used for debugging purposes.</p>
<h1 id="BUGS">BUGS</h1>
<p>The cipher and start time should be printed out in human readable form.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-ciphers.html">openssl-ciphers(1)</a>, <a href="../man1/openssl-s_server.html">openssl-s_server(1)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
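Review bot: the -text entry in this removed page says it prints "the various public or private key components", wording carried over from the key commands that does not describe session output; a regenerated page should say it prints the decoded session fields listed under OUTPUT (Protocol, Cipher, Session-ID, Session-ID-ctx, Master-Key, Start Time, Timeout, Verify return code). The NOTES warning that the Master-Key is enough to read the encrypted session should stay next to the OUTPUT sample, since that sample shows a complete Master-Key and Session-ID.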

@ -1,489 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-smime</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXIT-CODES">EXIT CODES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-smime - S/MIME command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>smime</b> [<b>-help</b>] [<b>-encrypt</b>] [<b>-decrypt</b>] [<b>-sign</b>] [<b>-resign</b>] [<b>-verify</b>] [<b>-pk7out</b>] [<b>-binary</b>] [<b>-crlfeol</b>] [<b>-<i>cipher</i></b>] [<b>-in</b> <i>file</i>] [<b>-certfile</b> <i>file</i>] [<b>-signer</b> <i>file</i>] [<b>-nointern</b>] [<b>-noverify</b>] [<b>-nochain</b>] [<b>-nosigs</b>] [<b>-nocerts</b>] [<b>-noattr</b>] [<b>-nodetach</b>] [<b>-nosmimecap</b>] [<b>-recip</b> <i> file</i>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-passin</b> <i>arg</i>] [<b>-inkey</b> <i>filename</i>|<i>uri</i>] [<b>-out</b> <i>file</i>] [<b>-content</b> <i>file</i>] [<b>-to</b> <i>addr</i>] [<b>-from</b> <i>ad</i>] [<b>-subject</b> <i>s</i>] [<b>-text</b>] [<b>-indef</b>] [<b>-noindef</b>] [<b>-stream</b>] [<b>-md</b> <i>digest</i>] [<b>-CAfile</b> <i>file</i>] [<b>-no-CAfile</b>] [<b>-CApath</b> <i>dir</i>] [<b>-no-CApath</b>] [<b>-CAstore</b> <i>uri</i>] [<b>-no-CAstore</b>] [<b>-engine</b> <i>id</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-allow_proxy_certs</b>] [<b>-attime</b> <i>timestamp</i>] [<b>-no_check_time</b>] [<b>-check_ss_sig</b>] [<b>-crl_check</b>] [<b>-crl_check_all</b>] [<b>-explicit_policy</b>] [<b>-extended_crl</b>] [<b>-ignore_critical</b>] [<b>-inhibit_any</b>] [<b>-inhibit_map</b>] [<b>-partial_chain</b>] [<b>-policy</b> <i>arg</i>] [<b>-policy_check</b>] [<b>-policy_print</b>] [<b>-purpose</b> <i>purpose</i>] [<b>-suiteB_128</b>] [<b>-suiteB_128_only</b>] [<b>-suiteB_192</b>] [<b>-trusted_first</b>] [<b>-no_alt_chains</b>] [<b>-use_deltas</b>] [<b>-auth_level</b> <i>num</i>] [<b>-verify_depth</b> <i>num</i>] [<b>-verify_email</b> <i>email</i>] [<b>-verify_hostname</b> <i>hostname</i>] [<b>-verify_ip</b> <i>ip</i>] [<b>-verify_name</b> <i>name</i>] [<b>-x509_strict</b>] [<b>-issuer_checks</b>] [<b>-provider</b> <i>name</i>] 
[<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>-config</b> <i>configfile</i>] <i>recipcert</i> ...</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command handles S/MIME mail. It can encrypt, decrypt, sign and verify S/MIME messages.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<p>There are six operation options that set the type of operation to be performed: <b>-encrypt</b>, <b>-decrypt</b>, <b>-sign</b>, <b>-resign</b>, <b>-verify</b>, and <b>-pk7out</b>. These are mutually exclusive. The meaning of the other options varies according to the operation type.</p>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="encrypt"><b>-encrypt</b></dt>
<dd>
<p>Encrypt mail for the given recipient certificates. Input file is the message to be encrypted. The output file is the encrypted mail in MIME format.</p>
<p>Note that no revocation check is done for the recipient cert, so if that key has been compromised, others may be able to decrypt the text.</p>
</dd>
<dt id="decrypt"><b>-decrypt</b></dt>
<dd>
<p>Decrypt mail using the supplied certificate and private key. Expects an encrypted mail message in MIME format for the input file. The decrypted mail is written to the output file.</p>
</dd>
<dt id="sign"><b>-sign</b></dt>
<dd>
<p>Sign mail using the supplied certificate and private key. Input file is the message to be signed. The signed message in MIME format is written to the output file.</p>
</dd>
<dt id="resign"><b>-resign</b></dt>
<dd>
<p>Resign a message: take an existing message and one or more new signers.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verify signed mail. Expects a signed mail message on input and outputs the signed data. Both clear text and opaque signing is supported.</p>
</dd>
<dt id="pk7out"><b>-pk7out</b></dt>
<dd>
<p>Takes an input message and writes out a PEM encoded PKCS#7 structure.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>The input message to be encrypted or signed or the MIME message to be decrypted or verified.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>The message text that has been decrypted or verified or the output MIME format message that has been signed or verified.</p>
</dd>
<dt id="inform-DER-PEM-SMIME"><b>-inform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b></dt>
<dd>
<p>The input format of the PKCS#7 (S/MIME) structure (if one is being read); the default is <b>SMIME</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="outform-DER-PEM-SMIME"><b>-outform</b> <b>DER</b>|<b>PEM</b>|<b>SMIME</b></dt>
<dd>
<p>The output format of the PKCS#7 (S/MIME) structure (if one is being written); the default is <b>SMIME</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The key format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="stream--indef--noindef"><b>-stream</b>, <b>-indef</b>, <b>-noindef</b></dt>
<dd>
<p>The <b>-stream</b> and <b>-indef</b> options are equivalent and enable streaming I/O for encoding operations. This permits single pass processing of data without the need to hold the entire contents in memory, potentially supporting very large files. Streaming is automatically set for S/MIME signing with detached data if the output format is <b>SMIME</b> it is currently off by default for all other operations.</p>
</dd>
<dt id="noindef"><b>-noindef</b></dt>
<dd>
<p>Disable streaming I/O where it would produce and indefinite length constructed encoding. This option currently has no effect. In future streaming will be enabled by default on all relevant operations and this option will disable it.</p>
</dd>
<dt id="content-filename"><b>-content</b> <i>filename</i></dt>
<dd>
<p>This specifies a file containing the detached content, this is only useful with the <b>-verify</b> command. This is only usable if the PKCS#7 structure is using the detached signature form where the content is not included. This option will override any content if the input format is S/MIME and it uses the multipart/signed MIME content type.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>This option adds plain text (text/plain) MIME headers to the supplied message if encrypting or signing. If decrypting or verifying it strips off text headers: if the decrypted or verified message is not of MIME type text/plain then an error occurs.</p>
</dd>
<dt id="md-digest"><b>-md</b> <i>digest</i></dt>
<dd>
<p>Digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually SHA1).</p>
</dd>
<dt id="cipher"><b>-<i>cipher</i></b></dt>
<dd>
<p>The encryption algorithm to use. For example DES (56 bits) - <b>-des</b>, triple DES (168 bits) - <b>-des3</b>, EVP_get_cipherbyname() function) can also be used preceded by a dash, for example <b>-aes-128-cbc</b>. See <a href="../man1/openssl-enc.html">openssl-enc(1)</a> for list of ciphers supported by your version of OpenSSL.</p>
<p>If not specified triple DES is used. Only used with <b>-encrypt</b>.</p>
</dd>
<dt id="nointern"><b>-nointern</b></dt>
<dd>
<p>When verifying a message normally certificates (if any) included in the message are searched for the signing certificate. With this option only the certificates specified in the <b>-certfile</b> option are used. The supplied certificates can still be used as untrusted CAs however.</p>
</dd>
<dt id="noverify"><b>-noverify</b></dt>
<dd>
<p>Do not verify the signers certificate of a signed message.</p>
</dd>
<dt id="nochain"><b>-nochain</b></dt>
<dd>
<p>Do not do chain verification of signers certificates; that is, do not use the certificates in the signed message as untrusted CAs.</p>
</dd>
<dt id="nosigs"><b>-nosigs</b></dt>
<dd>
<p>Don&#39;t try to verify the signatures on the message.</p>
</dd>
<dt id="nocerts"><b>-nocerts</b></dt>
<dd>
<p>When signing a message the signer&#39;s certificate is normally included with this option it is excluded. This will reduce the size of the signed message but the verifier must have a copy of the signers certificate available locally (passed using the <b>-certfile</b> option for example).</p>
</dd>
<dt id="noattr"><b>-noattr</b></dt>
<dd>
<p>Normally when a message is signed a set of attributes are included which include the signing time and supported symmetric algorithms. With this option they are not included.</p>
</dd>
<dt id="nodetach"><b>-nodetach</b></dt>
<dd>
<p>When signing a message use opaque signing. This form is more resistant to translation by mail relays but it cannot be read by mail agents that do not support S/MIME. Without this option cleartext signing with the MIME type multipart/signed is used.</p>
</dd>
<dt id="nosmimecap"><b>-nosmimecap</b></dt>
<dd>
<p>When signing a message, do not include the <b>SMIMECapabilities</b> attribute.</p>
</dd>
<dt id="binary"><b>-binary</b></dt>
<dd>
<p>Normally the input message is converted to &quot;canonical&quot; format which is effectively using CR and LF as end of line: as required by the S/MIME specification. When this option is present no translation occurs. This is useful when handling binary data which may not be in MIME format.</p>
</dd>
<dt id="crlfeol"><b>-crlfeol</b></dt>
<dd>
<p>Normally the output file uses a single <b>LF</b> as end of line. When this option is present <b>CRLF</b> is used instead.</p>
</dd>
<dt id="certfile-file"><b>-certfile</b> <i>file</i></dt>
<dd>
<p>Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. The input can be in PEM, DER, or PKCS#12 format.</p>
</dd>
<dt id="signer-file"><b>-signer</b> <i>file</i></dt>
<dd>
<p>A signing certificate when signing or resigning a message, this option can be used multiple times if more than one signer is required. If a message is being verified then the signers certificates will be written to this file if the verification was successful.</p>
</dd>
<dt id="nocerts1"><b>-nocerts</b></dt>
<dd>
<p>Don&#39;t include signers certificate when signing.</p>
</dd>
<dt id="noattr1"><b>-noattr</b></dt>
<dd>
<p>Don&#39;t include any signed attributes when signing.</p>
</dd>
<dt id="recip-file"><b>-recip</b> <i>file</i></dt>
<dd>
<p>The recipients certificate when decrypting a message. This certificate must match one of the recipients of the message or an error occurs.</p>
</dd>
<dt id="inkey-filename-uri"><b>-inkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>The private key to use when signing or decrypting. This must match the corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the <b>-recip</b> or <b>-signer</b> file. When signing this option can be used multiple times to specify successive keys.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The private key password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="to--from--subject"><b>-to</b>, <b>-from</b>, <b>-subject</b></dt>
<dd>
<p>The relevant mail headers. These are included outside the signed portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate&#39;s email address matches that specified in the From: address.</p>
</dd>
<dt id="allow_proxy_certs--attime--no_check_time--check_ss_sig--crl_check--crl_check_all--explicit_policy--extended_crl--ignore_critical--inhibit_any--inhibit_map--no_alt_chains--partial_chain--policy--policy_check--policy_print--purpose--suiteB_128--suiteB_128_only--suiteB_192--trusted_first--use_deltas--auth_level--verify_depth--verify_email--verify_hostname--verify_ip--verify_name--x509_strict--issuer_checks"><b>-allow_proxy_certs</b>, <b>-attime</b>, <b>-no_check_time</b>, <b>-check_ss_sig</b>, <b>-crl_check</b>, <b>-crl_check_all</b>, <b>-explicit_policy</b>, <b>-extended_crl</b>, <b>-ignore_critical</b>, <b>-inhibit_any</b>, <b>-inhibit_map</b>, <b>-no_alt_chains</b>, <b>-partial_chain</b>, <b>-policy</b>, <b>-policy_check</b>, <b>-policy_print</b>, <b>-purpose</b>, <b>-suiteB_128</b>, <b>-suiteB_128_only</b>, <b>-suiteB_192</b>, <b>-trusted_first</b>, <b>-use_deltas</b>, <b>-auth_level</b>, <b>-verify_depth</b>, <b>-verify_email</b>, <b>-verify_hostname</b>, <b>-verify_ip</b>, <b>-verify_name</b>, <b>-x509_strict</b> <b>-issuer_checks</b></dt>
<dd>
<p>Set various options of certificate chain verification. See <a href="../man1/openssl-verification-options.html">&quot;Verification Options&quot; in openssl-verification-options(1)</a> for details.</p>
<p>Any verification errors cause the command to exit.</p>
</dd>
<dt id="CAfile-file--no-CAfile--CApath-dir--no-CApath--CAstore-uri--no-CAstore"><b>-CAfile</b> <i>file</i>, <b>-no-CAfile</b>, <b>-CApath</b> <i>dir</i>, <b>-no-CApath</b>, <b>-CAstore</b> <i>uri</i>, <b>-no-CAstore</b></dt>
<dd>
<p>See <a href="../man1/openssl-verification-options.html">&quot;Trusted Certificate Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="config-configfile"><b>-config</b> <i>configfile</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Configuration Option&quot; in openssl(1)</a>.</p>
</dd>
<dt id="recipcert"><i>recipcert</i> ...</dt>
<dd>
<p>One or more certificates of message recipients, used when encrypting a message.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>The MIME message must be sent without any blank lines between the headers and the output. Some mail programs will automatically add a blank line. Piping the mail directly to sendmail is one way to achieve the correct format.</p>
<p>The supplied message to be signed or encrypted must include the necessary MIME headers or many S/MIME clients won&#39;t display it properly (if at all). You can use the <b>-text</b> option to automatically add plain text headers.</p>
<p>A &quot;signed and encrypted&quot; message is one where a signed message is then encrypted. This can be produced by encrypting an already signed message: see the examples section.</p>
<p>This version of the program only allows one signer per message but it will verify multiple signers on received messages. Some S/MIME clients choke if a message contains multiple signers. It is possible to sign messages &quot;in parallel&quot; by signing an already signed message.</p>
<p>The options <b>-encrypt</b> and <b>-decrypt</b> reflect common usage in S/MIME clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 encrypted data is used for other purposes.</p>
<p>The <b>-resign</b> option uses an existing message digest when adding a new signer. This means that attributes must be present in at least one existing signer using the same message digest or this operation will fail.</p>
<p>The <b>-stream</b> and <b>-indef</b> options enable streaming I/O support. As a result the encoding is BER using indefinite length constructed encoding and no longer DER. Streaming is supported for the <b>-encrypt</b> operation and the <b>-sign</b> operation if the content is not detached.</p>
<p>Streaming is always used for the <b>-sign</b> operation with detached data but since the content is no longer part of the PKCS#7 structure the encoding remains DER.</p>
<h1 id="EXIT-CODES">EXIT CODES</h1>
<dl>
<dt id="pod0">0</dt>
<dd>
<p>The operation was completely successfully.</p>
</dd>
<dt id="pod1">1</dt>
<dd>
<p>An error occurred parsing the command options.</p>
</dd>
<dt id="pod2">2</dt>
<dd>
<p>One of the input files could not be read.</p>
</dd>
<dt id="pod3">3</dt>
<dd>
<p>An error occurred creating the PKCS#7 file or when reading the MIME message.</p>
</dd>
<dt id="pod4">4</dt>
<dd>
<p>An error occurred decrypting or verifying the message.</p>
</dd>
<dt id="pod5">5</dt>
<dd>
<p>The message was verified correctly but an error occurred writing out the signers certificates.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Create a cleartext signed message:</p>
<pre><code> openssl smime -sign -in message.txt -text -out mail.msg \
-signer mycert.pem</code></pre>
<p>Create an opaque signed message:</p>
<pre><code> openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
-signer mycert.pem</code></pre>
<p>Create a signed message, include some additional certificates and read the private key from another file:</p>
<pre><code> openssl smime -sign -in in.txt -text -out mail.msg \
-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem</code></pre>
<p>Create a signed message with two signers:</p>
<pre><code> openssl smime -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -signer othercert.pem</code></pre>
<p>Send a signed message under Unix directly to sendmail, including headers:</p>
<pre><code> openssl smime -sign -in in.txt -text -signer mycert.pem \
-from steve@openssl.org -to someone@somewhere \
-subject &quot;Signed message&quot; | sendmail someone@somewhere</code></pre>
<p>Verify a message and extract the signer&#39;s certificate if successful:</p>
<pre><code> openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt</code></pre>
<p>Send encrypted mail using triple DES:</p>
<pre><code> openssl smime -encrypt -in in.txt -from steve@openssl.org \
-to someone@somewhere -subject &quot;Encrypted message&quot; \
-des3 user.pem -out mail.msg</code></pre>
<p>Sign and encrypt mail:</p>
<pre><code> openssl smime -sign -in ml.txt -signer my.pem -text \
| openssl smime -encrypt -out mail.msg \
-from steve@openssl.org -to someone@somewhere \
-subject &quot;Signed and Encrypted message&quot; -des3 user.pem</code></pre>
<p>Note: the encryption command does not include the <b>-text</b> option because the message being encrypted already has MIME headers.</p>
<p>Decrypt mail:</p>
<pre><code> openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem</code></pre>
<p>The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the signature by line wrapping the base64 encoded structure and surrounding it with:</p>
<pre><code> -----BEGIN PKCS7-----
-----END PKCS7-----</code></pre>
<p>and using the command:</p>
<pre><code> openssl smime -verify -inform PEM -in signature.pem -content content.txt</code></pre>
<p>Alternatively you can base64 decode the signature and use:</p>
<pre><code> openssl smime -verify -inform DER -in signature.der -content content.txt</code></pre>
<p>Create an encrypted message using 128 bit Camellia:</p>
<pre><code> openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem</code></pre>
<p>Add a signer to an existing message:</p>
<pre><code> openssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg</code></pre>
<h1 id="BUGS">BUGS</h1>
<p>The MIME parser isn&#39;t very clever: it seems to handle most messages that I&#39;ve thrown at it but it may choke on others.</p>
<p>The code currently will only write out the signer&#39;s certificate to a file: if the signer has a separate encryption certificate this must be manually extracted. There should be some heuristic that determines the correct encryption certificate.</p>
<p>Ideally a database should be maintained of a certificates for each email address.</p>
<p>The code doesn&#39;t currently take note of the permitted symmetric encryption algorithms as supplied in the SMIMECapabilities signed attribute. This means the user has to manually include the correct encryption algorithm. It should store the list of permitted ciphers in a database and only use those.</p>
<p>No revocation checking is done on the signer&#39;s certificate.</p>
<p>The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 structures may cause parsing errors.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/ossl_store-file.html">ossl_store-file(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The use of multiple <b>-signer</b> options and the <b>-resign</b> command were first added in OpenSSL 1.0.0</p>
<p>The -no_alt_chains option was added in OpenSSL 1.1.0.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
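Review bot: the removal itself is fine (a whole generated file, no partial edits), but completeness is the thing to check before merge: the pages in this commit cross-reference each other by relative path (this one links to ../man1/openssl-verification-options.html, ../man1/openssl-passphrase-options.html and ../man7/ossl_store-file.html), so any file left outside the deletion that still points at ../man1/openssl-smime.html will now be a dead link. The textual defects in the deleted copy (EXIT CODES entry 0 reads "completely successfully"; the HISTORY sentence on multiple -signer options and -resign lacks a full stop) are upstream documentation issues and rightly are not patched in a prebuilt rendering.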

View File

@ -1,213 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-speed</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-speed - test library performance</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl speed</b> [<b>-help</b>] [<b>-config</b> <i>filename</i>] [<b>-elapsed</b>] [<b>-evp</b> <i>algo</i>] [<b>-hmac</b> <i>algo</i>] [<b>-cmac</b> <i>algo</i>] [<b>-mb</b>] [<b>-aead</b>] [<b>-kem-algorithms</b>] [<b>-signature-algorithms</b>] [<b>-multi</b> <i>num</i>] [<b>-async_jobs</b> <i>num</i>] [<b>-misalign</b> <i>num</i>] [<b>-decrypt</b>] [<b>-primes</b> <i>num</i>] [<b>-seconds</b> <i>num</i>] [<b>-bytes</b> <i>num</i>] [<b>-mr</b>] [<b>-mlock</b>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<i>algorithm</i> ...]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is used to test the performance of cryptographic algorithms.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="config-filename"><b>-config</b> <i>filename</i></dt>
<dd>
<p>Specifies the configuration file to use. Optional; for a description of the default value, see <a href="../man1/openssl.html">&quot;COMMAND SUMMARY&quot; in openssl(1)</a>.</p>
</dd>
<dt id="elapsed"><b>-elapsed</b></dt>
<dd>
<p>When calculating operations- or bytes-per-second, use wall-clock time instead of CPU user time as divisor. It can be useful when testing speed of hardware engines.</p>
</dd>
<dt id="evp-algo"><b>-evp</b> <i>algo</i></dt>
<dd>
<p>Use the specified cipher or message digest algorithm via the EVP interface. If <i>algo</i> is an AEAD cipher, then you can pass <b>-aead</b> to benchmark a TLS-like sequence. And if <i>algo</i> is a multi-buffer capable cipher, e.g. aes-128-cbc-hmac-sha1, then <b>-mb</b> will time multi-buffer operation.</p>
<p>To see the algorithms supported with this option, use <code>openssl list -digest-algorithms</code> or <code>openssl list -cipher-algorithms</code> command.</p>
</dd>
<dt id="multi-num"><b>-multi</b> <i>num</i></dt>
<dd>
<p>Run multiple operations in parallel.</p>
</dd>
<dt id="async_jobs-num"><b>-async_jobs</b> <i>num</i></dt>
<dd>
<p>Enable async mode and start specified number of jobs.</p>
</dd>
<dt id="misalign-num"><b>-misalign</b> <i>num</i></dt>
<dd>
<p>Misalign the buffers by the specified number of bytes.</p>
</dd>
<dt id="hmac-digest"><b>-hmac</b> <i>digest</i></dt>
<dd>
<p>Time the HMAC algorithm using the specified message digest.</p>
</dd>
<dt id="cmac-cipher"><b>-cmac</b> <i>cipher</i></dt>
<dd>
<p>Time the CMAC algorithm using the specified cipher e.g. <code>openssl speed -cmac aes128</code>.</p>
</dd>
<dt id="decrypt"><b>-decrypt</b></dt>
<dd>
<p>Time the decryption instead of encryption. Affects only the EVP testing.</p>
</dd>
<dt id="mb"><b>-mb</b></dt>
<dd>
<p>Enable multi-block mode on EVP-named cipher.</p>
</dd>
<dt id="aead"><b>-aead</b></dt>
<dd>
<p>Benchmark EVP-named AEAD cipher in TLS-like sequence.</p>
</dd>
<dt id="kem-algorithms"><b>-kem-algorithms</b></dt>
<dd>
<p>Benchmark KEM algorithms: key generation, encapsulation, decapsulation.</p>
</dd>
<dt id="signature-algorithms"><b>-signature-algorithms</b></dt>
<dd>
<p>Benchmark signature algorithms: key generation, signature, verification.</p>
</dd>
<dt id="primes-num"><b>-primes</b> <i>num</i></dt>
<dd>
<p>Generate a <i>num</i>-prime RSA key and use it to run the benchmarks. This option is only effective if RSA algorithm is specified to test.</p>
</dd>
<dt id="seconds-num"><b>-seconds</b> <i>num</i></dt>
<dd>
<p>Run benchmarks for <i>num</i> seconds.</p>
</dd>
<dt id="bytes-num"><b>-bytes</b> <i>num</i></dt>
<dd>
<p>Run benchmarks on <i>num</i>-byte buffers. Affects ciphers, digests and the CSPRNG. The limit on the size of the buffer is INT_MAX - 64 bytes, which for a 32-bit int would be 2147483583 bytes.</p>
</dd>
<dt id="mr"><b>-mr</b></dt>
<dd>
<p>Produce the summary in a mechanical, machine-readable, format.</p>
</dd>
<dt id="mlock"><b>-mlock</b></dt>
<dd>
<p>Lock memory into RAM for more deterministic measurements.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="algorithm"><i>algorithm</i> ...</dt>
<dd>
<p>If any <i>algorithm</i> is given, then those algorithms are tested, otherwise a pre-compiled grand selection is tested.</p>
</dd>
</dl>
<h1 id="BUGS">BUGS</h1>
<p>The <i>algorithm</i> can be selected only from a pre-compiled subset of things that the <code>openssl speed</code> command knows about. To test any additional digest or cipher algorithm supported by OpenSSL use the <code>-evp</code> option.</p>
<p>There is no way to test the speed of any additional public key algorithms supported by third party providers with the <code>openssl speed</code> command.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>DSA512 was removed in OpenSSL 3.2.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,194 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-spkac</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-spkac - SPKAC printing and generating command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>spkac</b> [<b>-help</b>] [<b>-in</b> <i>filename</i>] [<b>-out</b> <i>filename</i>] [<b>-digest</b> <i>digest</i>] [<b>-key</b> <i>filename</i>|<i>uri</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-passin</b> <i>arg</i>] [<b>-challenge</b> <i>string</i>] [<b>-pubkey</b>] [<b>-spkac</b> <i>spkacname</i>] [<b>-spksect</b> <i>section</i>] [<b>-noout</b>] [<b>-verify</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command processes Netscape signed public key and challenge (SPKAC) files. It can print out their contents, verify the signature and produce its own SPKACs from a supplied private key.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="in-filename"><b>-in</b> <i>filename</i></dt>
<dd>
<p>This specifies the input filename to read from or standard input if this option is not specified. Ignored if the <b>-key</b> option is used.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>Specifies the output filename to write to or standard output by default.</p>
</dd>
<dt id="digest-digest"><b>-digest</b> <i>digest</i></dt>
<dd>
<p>Use the specified <i>digest</i> to sign a created SPKAC file. The default digest algorithm is MD5.</p>
</dd>
<dt id="key-filename-uri"><b>-key</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>Create an SPKAC file using the private key specified by <i>filename</i> or <i>uri</i>. The <b>-in</b>, <b>-noout</b>, <b>-spksect</b> and <b>-verify</b> options are ignored if present.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The key format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The input file password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="challenge-string"><b>-challenge</b> <i>string</i></dt>
<dd>
<p>Specifies the challenge string if an SPKAC is being created.</p>
</dd>
<dt id="spkac-spkacname"><b>-spkac</b> <i>spkacname</i></dt>
<dd>
<p>Allows an alternative name form the variable containing the SPKAC. The default is &quot;SPKAC&quot;. This option affects both generated and input SPKAC files.</p>
</dd>
<dt id="spksect-section"><b>-spksect</b> <i>section</i></dt>
<dd>
<p>Allows an alternative name form the section containing the SPKAC. The default is the default section.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>Don&#39;t output the text version of the SPKAC (not used if an SPKAC is being created).</p>
</dd>
<dt id="pubkey"><b>-pubkey</b></dt>
<dd>
<p>Output the public key of an SPKAC (not used if an SPKAC is being created).</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verifies the digital signature on the supplied SPKAC.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Print out the contents of an SPKAC:</p>
<pre><code> openssl spkac -in spkac.cnf</code></pre>
<p>Verify the signature of an SPKAC:</p>
<pre><code> openssl spkac -in spkac.cnf -noout -verify</code></pre>
<p>Create an SPKAC using the challenge string &quot;hello&quot;:</p>
<pre><code> openssl spkac -key key.pem -challenge hello -out spkac.cnf</code></pre>
<p>Example of an SPKAC, (long lines split up for clarity):</p>
<pre><code> SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\
1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\
8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\
FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\
h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\
dq+NQ3F+X4deMx9AaEglZtULwV4=</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>A created SPKAC with suitable DN components appended can be fed to <a href="../man1/openssl-ca.html">openssl-ca(1)</a>.</p>
<p>SPKACs are typically generated by Netscape when a form is submitted containing the <b>KEYGEN</b> tag as part of the certificate enrollment process.</p>
<p>The challenge string permits a primitive form of proof of possession of private key. By checking the SPKAC signature and a random challenge string some guarantee is given that the user knows the private key corresponding to the public key being certified. This is important in some applications. Without this it is possible for a previous SPKAC to be used in a &quot;replay attack&quot;.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-ca.html">openssl-ca(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>The <b>-digest</b> option was added in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
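Review bot: no objection to dropping this file, but it carried two operationally relevant statements that users of this tree may have been relying on and that now exist only upstream: under OPTIONS, -digest documents MD5 as the default signing digest for a created SPKAC, and NOTES explains that the challenge string is the only proof of possession and replay protection the format offers. If the project keeps any local notes on SPKAC handling, point them at the upstream openssl-spkac(1) page rather than at ../man1/openssl-spkac.html, which no longer exists after this commit.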

View File

@ -1,158 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-srp</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-srp - maintain SRP password file</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl srp</b> [<b>-help</b>] [<b>-verbose</b>] [<b>-add</b>] [<b>-modify</b>] [<b>-delete</b>] [<b>-list</b>] [<b>-name</b> <i>section</i>] [<b>-srpvfile</b> <i>file</i>] [<b>-gn</b> <i>identifier</i>] [<b>-userinfo</b> <i>text</i>] [<b>-passin</b> <i>arg</i>] [<b>-passout</b> <i>arg</i>] [<b>-engine</b> <i>id</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>-config</b> <i>configfile</i>] [<i>user</i> ...]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is deprecated. It is used to maintain an SRP (secure remote password) file. At most one of the <b>-add</b>, <b>-modify</b>, <b>-delete</b>, and <b>-list</b> options can be specified. These options take zero or more usernames as parameters and perform the appropriate operation on the SRP file. For <b>-list</b>, if no <i>user</i> is given then all users are displayed.</p>
<p>The configuration file to use, and the section within the file, can be specified with the <b>-config</b> and <b>-name</b> flags, respectively.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Display an option summary.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Generate verbose output while processing.</p>
</dd>
<dt id="add"><b>-add</b></dt>
<dd>
<p>Add a user and SRP verifier.</p>
</dd>
<dt id="modify"><b>-modify</b></dt>
<dd>
<p>Modify the SRP verifier of an existing user.</p>
</dd>
<dt id="delete"><b>-delete</b></dt>
<dd>
<p>Delete user from verifier file.</p>
</dd>
<dt id="list"><b>-list</b></dt>
<dd>
<p>List users.</p>
</dd>
<dt id="name"><b>-name</b></dt>
<dd>
<p>The particular SRP definition to use.</p>
</dd>
<dt id="srpvfile-file"><b>-srpvfile</b> <i>file</i></dt>
<dd>
<p>If the config file is not specified, <b>-srpvfile</b> can be used to specify the file to operate on.</p>
</dd>
<dt id="gn"><b>-gn</b></dt>
<dd>
<p>Specifies the <b>g</b> and <b>N</b> values, using one of the strengths defined in IETF RFC 5054.</p>
</dd>
<dt id="userinfo"><b>-userinfo</b></dt>
<dd>
<p>specifies additional information to add when adding or modifying a user.</p>
</dd>
<dt id="passin-arg--passout-arg"><b>-passin</b> <i>arg</i>, <b>-passout</b> <i>arg</i></dt>
<dd>
<p>The password source for the input and output file. For more information about the format of <b>arg</b> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="config-configfile"><b>-config</b> <i>configfile</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Configuration Option&quot; in openssl(1)</a>.</p>
<p>[<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>]</p>
</dd>
</dl>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
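Review bot: the stray synopsis fragment inside the -config entry, the paragraph reading "[-rand files] [-writerand file]" after the "Configuration Option" link near the end of the OPTIONS list, is a pod2html artifact of the upstream page, not something introduced or fixable here; since the whole file goes away it needs no action. Worth recording in the review that this page's DESCRIPTION marks the srp command itself as deprecated, so nothing in the deleted text should be restored later as a local reference.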

View File

@ -1,175 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-storeutl</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-storeutl - STORE command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>storeutl</b> [<b>-help</b>] [<b>-out</b> <i>file</i>] [<b>-noout</b>] [<b>-passin</b> <i>arg</i>] [<b>-text</b> <i>arg</i>] [<b>-r</b>] [<b>-certs</b>] [<b>-keys</b>] [<b>-crls</b>] [<b>-subject</b> <i>arg</i>] [<b>-issuer</b> <i>arg</i>] [<b>-serial</b> <i>arg</i>] [<b>-alias</b> <i>arg</i>] [<b>-fingerprint</b> <i>arg</i>] [<b>-<i>digest</i></b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] <i>uri</i></p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command can be used to display the contents (after decryption as the case may be) fetched from the given URI.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>specifies the output filename to write to or standard output by default.</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>this option prevents output of the PEM data.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>the key password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out the objects in text form, similarly to the <b>-text</b> output from <a href="../man1/openssl-x509.html">openssl-x509(1)</a>, <a href="../man1/openssl-pkey.html">openssl-pkey(1)</a>, etc.</p>
</dd>
<dt id="r"><b>-r</b></dt>
<dd>
<p>Fetch objects recursively when possible.</p>
</dd>
<dt id="certs"><b>-certs</b></dt>
<dd>
</dd>
<dt id="keys"><b>-keys</b></dt>
<dd>
</dd>
<dt id="crls"><b>-crls</b></dt>
<dd>
<p>Only select the certificates, keys or CRLs from the given URI. However, if this URI would return a set of names (URIs), those are always returned.</p>
<p>Note that all options must be given before the <i>uri</i> argument.</p>
</dd>
<dt id="subject-arg"><b>-subject</b> <i>arg</i></dt>
<dd>
<p>Search for an object having the subject name <i>arg</i>.</p>
<p>The arg must be formatted as <code>/type0=value0/type1=value1/type2=...</code>. Special characters may be escaped by <code>\</code> (backslash), whitespace is retained. Empty values are permitted but are ignored for the search. That is, a search with an empty value will have the same effect as not specifying the type at all. Giving a single <code>/</code> will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a <code>+</code> character instead of a <code>/</code> between the AttributeValueAssertions (AVAs) that specify the members of the set.</p>
<p>Example:</p>
<p><code>/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe</code></p>
</dd>
<dt id="issuer-arg"><b>-issuer</b> <i>arg</i></dt>
<dd>
</dd>
<dt id="serial-arg"><b>-serial</b> <i>arg</i></dt>
<dd>
<p>Search for an object having the given issuer name and serial number. These two options <i>must</i> be used together. The issuer arg must be formatted as <code>/type0=value0/type1=value1/type2=...</code>, characters may be escaped by \ (backslash), no spaces are skipped. The serial arg may be specified as a decimal value or a hex value if preceded by <code>0x</code>.</p>
</dd>
<dt id="alias-arg"><b>-alias</b> <i>arg</i></dt>
<dd>
<p>Search for an object having the given alias.</p>
</dd>
<dt id="fingerprint-arg"><b>-fingerprint</b> <i>arg</i></dt>
<dd>
<p>Search for an object having the given fingerprint.</p>
</dd>
<dt id="digest"><b>-<i>digest</i></b></dt>
<dd>
<p>The digest that was used to compute the fingerprint given with <b>-fingerprint</b>.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
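<p>The <b>-subject</b> and <b>-issuer</b> search syntax described above (unescaped <code>/</code> separates RDNs, unescaped <code>+</code> joins AVAs into a multi-valued RDN, <code>\</code> escapes the next character, a lone <code>/</code> is the NULL-DN and empty values are ignored) is easy to get wrong by splitting naively. The following parser is an added example, not OpenSSL code; it implements those rules and a formatter that round-trips the result, so a search string can be checked before it is passed to the command.</p>

```python
def parse_dn_arg(arg):
    """Parse /type0=value0/type1=value1+type2=value2 (the -subject/-issuer syntax).

    Returns a list of RDNs, each a list of (type, value) AVAs. A backslash escapes
    the next character (so '\\/' and '\\+' are literal), whitespace is kept, AVAs
    with an empty value are dropped (they are ignored for the search) and a lone
    '/' yields [] (NULL-DN). Added example; not the OpenSSL parser itself.
    """
    if not arg.startswith("/"):
        raise ValueError("DN argument must start with '/'")
    tokens, buf, starts_rdn, i = [], [], True, 1
    while i < len(arg):
        c = arg[i]
        if c == "\\" and i + 1 < len(arg):      # escaped character, taken literally
            buf.append(arg[i + 1])
            i += 2
            continue
        if c in "/+":                            # unescaped separator ends the AVA
            tokens.append((starts_rdn, "".join(buf)))
            buf, starts_rdn = [], c == "/"      # '+' stays inside the same RDN
        else:
            buf.append(c)
        i += 1
    tokens.append((starts_rdn, "".join(buf)))

    rdns, pending_new = [], True
    for starts_new, text in tokens:
        pending_new = pending_new or starts_new  # survives a dropped leading AVA
        if text == "":                           # lone '/' or an empty component
            continue
        if "=" not in text:
            raise ValueError(f"AVA without '=': {text!r}")
        typ, value = text.split("=", 1)
        if value == "":                          # permitted, but ignored for the search
            continue
        if pending_new:
            rdns.append([(typ, value)])
            pending_new = False
        else:
            rdns[-1].append((typ, value))
    return rdns


def format_dn_arg(rdns):
    """Inverse of parse_dn_arg: escapes '/', '+' and '\\' so the text round-trips."""
    def esc(s):
        return "".join("\\" + ch if ch in "/+\\" else ch for ch in s)
    if not rdns:
        return "/"
    return "".join("/" + "+".join(f"{esc(t)}={esc(v)}" for t, v in rdn) for rdn in rdns)
```

<p>Run <code>parse_dn_arg("/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe")</code> to see the example from the option description split into four RDNs, the last one multi-valued; a value such as <code>a/b</code> must be written <code>a\/b</code>, which <code>format_dn_arg</code> does for you.</p>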
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>This command was added in OpenSSL 1.1.1.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,596 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-ts</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#Timestamp-Request-generation">Timestamp Request generation</a></li>
<li><a href="#Timestamp-Response-generation">Timestamp Response generation</a></li>
<li><a href="#Timestamp-Response-verification">Timestamp Response verification</a></li>
</ul>
</li>
<li><a href="#CONFIGURATION-FILE-OPTIONS">CONFIGURATION FILE OPTIONS</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a>
<ul>
<li><a href="#Timestamp-Request">Timestamp Request</a></li>
<li><a href="#Timestamp-Response">Timestamp Response</a></li>
<li><a href="#Timestamp-Verification">Timestamp Verification</a></li>
</ul>
</li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-ts - Time Stamping Authority command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>ts</b> <b>-help</b></p>
<p><b>openssl</b> <b>ts</b> <b>-query</b> [<b>-config</b> <i>configfile</i>] [<b>-data</b> <i>file_to_hash</i>] [<b>-digest</b> <i>digest_bytes</i>] [<b>-<i>digest</i></b>] [<b>-tspolicy</b> <i>object_id</i>] [<b>-no_nonce</b>] [<b>-cert</b>] [<b>-in</b> <i>request.tsq</i>] [<b>-out</b> <i>request.tsq</i>] [<b>-text</b>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<p><b>openssl</b> <b>ts</b> <b>-reply</b> [<b>-config</b> <i>configfile</i>] [<b>-section</b> <i>tsa_section</i>] [<b>-queryfile</b> <i>request.tsq</i>] [<b>-passin</b> <i>password_src</i>] [<b>-signer</b> <i>tsa_cert.pem</i>] [<b>-inkey</b> <i>filename</i>|<i>uri</i>] [<b>-<i>digest</i></b>] [<b>-chain</b> <i>certs_file.pem</i>] [<b>-tspolicy</b> <i>object_id</i>] [<b>-in</b> <i>response.tsr</i>] [<b>-token_in</b>] [<b>-out</b> <i>response.tsr</i>] [<b>-token_out</b>] [<b>-text</b>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<p><b>openssl</b> <b>ts</b> <b>-verify</b> [<b>-data</b> <i>file_to_hash</i>] [<b>-digest</b> <i>digest_bytes</i>] [<b>-queryfile</b> <i>request.tsq</i>] [<b>-in</b> <i>response.tsr</i>] [<b>-token_in</b>] [<b>-untrusted</b> <i>files</i>|<i>uris</i>] [<b>-CAfile</b> <i>file</i>] [<b>-CApath</b> <i>dir</i>] [<b>-CAstore</b> <i>uri</i>] [<b>-allow_proxy_certs</b>] [<b>-attime</b> <i>timestamp</i>] [<b>-no_check_time</b>] [<b>-check_ss_sig</b>] [<b>-crl_check</b>] [<b>-crl_check_all</b>] [<b>-explicit_policy</b>] [<b>-extended_crl</b>] [<b>-ignore_critical</b>] [<b>-inhibit_any</b>] [<b>-inhibit_map</b>] [<b>-partial_chain</b>] [<b>-policy</b> <i>arg</i>] [<b>-policy_check</b>] [<b>-policy_print</b>] [<b>-purpose</b> <i>purpose</i>] [<b>-suiteB_128</b>] [<b>-suiteB_128_only</b>] [<b>-suiteB_192</b>] [<b>-trusted_first</b>] [<b>-no_alt_chains</b>] [<b>-use_deltas</b>] [<b>-auth_level</b> <i>num</i>] [<b>-verify_depth</b> <i>num</i>] [<b>-verify_email</b> <i>email</i>] [<b>-verify_hostname</b> <i>hostname</i>] [<b>-verify_ip</b> <i>ip</i>] [<b>-verify_name</b> <i>name</i>] [<b>-x509_strict</b>] [<b>-issuer_checks</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is a basic Time Stamping Authority (TSA) client and server application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A TSA can be part of a PKI deployment and its role is to provide long term proof of the existence of a certain datum before a particular time. Here is a brief description of the protocol:</p>
<ol>
<li><p>The TSA client computes a one-way hash value for a data file and sends the hash to the TSA.</p>
</li>
<li><p>The TSA attaches the current date and time to the received hash value, signs them and sends the timestamp token back to the client. By creating this token the TSA certifies the existence of the original data file at the time of response generation.</p>
</li>
<li><p>The TSA client receives the timestamp token and verifies the signature on it. It also checks if the token contains the same hash value that it had sent to the TSA.</p>
</li>
</ol>
<p>There is one DER encoded protocol data unit defined for transporting a timestamp request to the TSA and one for sending the timestamp response back to the client. This command has three main functions: creating a timestamp request based on a data file, creating a timestamp response based on a request, verifying if a response corresponds to a particular request or a data file.</p>
<p>This command does not itself transport requests and responses over HTTP or TCP as suggested in RFC 3161. The DER encoded request and response files have to be exchanged out of band (for example by e-mail or ftp) or with a separate client such as <a href="../man1/tsget.html">tsget(1)</a>.</p>
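<p>The request PDU described above is a small DER structure: <code>TimeStampReq ::= SEQUENCE { version INTEGER, messageImprint SEQUENCE { AlgorithmIdentifier, OCTET STRING }, reqPolicy OID OPTIONAL, nonce INTEGER OPTIONAL, certReq BOOLEAN DEFAULT FALSE }</code> (RFC 3161 also allows an <code>[0]</code> extensions field, omitted here). The following added example, standard-library Python rather than OpenSSL code, encodes the same bytes that <code>openssl ts -query</code> writes, decodes them back, and performs the client-side imprint comparison from step 3, including the case where the imprint length does not match the named digest.</p>

```python
"""RFC 3161 TimeStampReq encoder/decoder (added example, stdlib only, not OpenSSL code).
Builds the DER that `openssl ts -query` writes and does the client-side imprint
check of protocol step 3. The optional [0] extensions field is not generated."""
import hashlib
import secrets

SEQUENCE, INTEGER, OCTET_STRING, OID, BOOLEAN, NULL = 0x30, 0x02, 0x04, 0x06, 0x01, 0x05
DIGEST_OIDS = {                      # dotted OIDs of the digests a TSA usually accepts
    "sha1": "1.3.14.3.2.26", "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2", "sha512": "2.16.840.1.101.3.4.2.3",
}
OID_TO_DIGEST = {v: k for k, v in DIGEST_OIDS.items()}


def _tlv(tag, body):
    """DER tag-length-value with definite, minimal length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(value):
    """DER INTEGER for a non-negative value (leading 0x00 if the top bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return _tlv(INTEGER, (b"\x00" if body[0] & 0x80 else b"") + body)


def _oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def build_ts_request(data, digest="sha256", no_nonce=False, nonce=None,
                     cert_req=False, policy=None):
    """DER TimeStampReq for `data`; the keyword arguments mirror -<digest>,
    -no_nonce, -cert and -tspolicy of `openssl ts -query`."""
    imprint = hashlib.new(digest, data).digest()
    alg_id = _tlv(SEQUENCE, _oid(DIGEST_OIDS[digest]) + _tlv(NULL, b""))  # NULL params, as ts does
    body = _int(1) + _tlv(SEQUENCE, alg_id + _tlv(OCTET_STRING, imprint))
    if policy:
        body += _oid(policy)
    if not no_nonce:                     # 64-bit random nonce, like the CLI default
        body += _int(secrets.randbits(64) if nonce is None else nonce)
    if cert_req:                         # DEFAULT FALSE: encoded only when TRUE
        body += _tlv(BOOLEAN, b"\xff")
    return _tlv(SEQUENCE, body)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # enough for the 1.x/2.x arcs used here
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_ts_request(der):
    """Decode a TimeStampReq into a dict (roughly what `-query -in req.tsq -text` prints)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if fields[0] != (INTEGER, b"\x01"):
        raise ValueError("unsupported TimeStampReq version")
    _, alg_id, p = _read_tlv(fields[1][1], 0)        # hashAlgorithm
    _, oid_body, _ = _read_tlv(alg_id, 0)
    _, imprint, _ = _read_tlv(fields[1][1], p)       # hashedMessage
    oid = _decode_oid(oid_body)
    req = {"version": 1, "digest": OID_TO_DIGEST.get(oid, oid), "imprint": imprint,
           "policy": None, "nonce": None, "cert_req": False}
    for t, v in fields[2:]:                           # optional trailing fields, by tag
        if t == OID:
            req["policy"] = _decode_oid(v)
        elif t == INTEGER:
            req["nonce"] = int.from_bytes(v, "big")
        elif t == BOOLEAN:
            req["cert_req"] = v != b"\x00"
    return req


def imprint_matches(req, data):
    """Client-side check (protocol step 3, `-verify -data`): rehash `data` with the
    algorithm named in the request/token and compare in constant time. A length
    mismatch, e.g. a 20-byte SHA-1 value against SHA-256, simply fails."""
    if req["digest"] not in DIGEST_OIDS:
        return False
    expected = hashlib.new(req["digest"], data).digest()
    return len(expected) == len(req["imprint"]) and secrets.compare_digest(expected, req["imprint"])
```

<p><code>build_ts_request(open("design1.txt", "rb").read(), no_nonce=True)</code> produces bytes you can write to a <i>.tsq</i> file and inspect with <code>openssl ts -query -in design1.tsq -text</code>; the nonce is what lets the client later tie a response to this particular request, which is why the example only omits it when asked to.</p>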
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="query"><b>-query</b></dt>
<dd>
<p>Generate a TS query. For details see <a href="#Timestamp-Request-generation">&quot;Timestamp Request generation&quot;</a>.</p>
</dd>
<dt id="reply"><b>-reply</b></dt>
<dd>
<p>Generate a TS reply. For details see <a href="#Timestamp-Response-generation">&quot;Timestamp Response generation&quot;</a>.</p>
</dd>
<dt id="verify"><b>-verify</b></dt>
<dd>
<p>Verify a TS response. For details see <a href="#Timestamp-Response-verification">&quot;Timestamp Response verification&quot;</a>.</p>
</dd>
</dl>
<h2 id="Timestamp-Request-generation">Timestamp Request generation</h2>
<p>The <b>-query</b> command can be used for creating and printing a timestamp request with the following options:</p>
<dl>
<dt id="config-configfile"><b>-config</b> <i>configfile</i></dt>
<dd>
<p>The configuration file to use. Optional; for a description of the default value, see <a href="../man1/openssl.html">&quot;COMMAND SUMMARY&quot; in openssl(1)</a>.</p>
</dd>
<dt id="data-file_to_hash"><b>-data</b> <i>file_to_hash</i></dt>
<dd>
<p>The data file for which the timestamp request needs to be created. stdin is the default if neither the <b>-data</b> nor the <b>-digest</b> parameter is specified. (Optional)</p>
</dd>
<dt id="digest-digest_bytes"><b>-digest</b> <i>digest_bytes</i></dt>
<dd>
<p>It is possible to specify the message imprint explicitly without the data file. The imprint must be specified in a hexadecimal format, two characters per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or 1AF601...). The number of bytes must match the message digest algorithm in use. (Optional)</p>
</dd>
<dt id="digest"><b>-<i>digest</i></b></dt>
<dd>
<p>The message digest to apply to the data file. Any digest supported by the <a href="../man1/openssl-dgst.html">openssl-dgst(1)</a> command can be used. The default is SHA-256. (Optional)</p>
</dd>
<dt id="tspolicy-object_id"><b>-tspolicy</b> <i>object_id</i></dt>
<dd>
<p>The policy that the client expects the TSA to use for creating the timestamp token. Either the dotted OID notation or OID names defined in the config file can be used. If no policy is requested the TSA will use its own default policy. (Optional)</p>
</dd>
<dt id="no_nonce"><b>-no_nonce</b></dt>
<dd>
<p>No nonce is included in the request if this option is given. Otherwise a 64 bit long pseudo-random nonce is included in the request. Using a nonce is recommended: the TSA copies it into the response, which lets the client tie the response to its own request and protects against replay attacks. (Optional)</p>
</dd>
<dt id="cert"><b>-cert</b></dt>
<dd>
<p>The TSA is expected to include its signing certificate in the response. (Optional)</p>
</dd>
<dt id="in-request.tsq"><b>-in</b> <i>request.tsq</i></dt>
<dd>
<p>This option specifies a previously created timestamp request in DER format that will be printed into the output file. Useful when you need to examine the content of a request in human-readable format. (Optional)</p>
</dd>
<dt id="out-request.tsq"><b>-out</b> <i>request.tsq</i></dt>
<dd>
<p>Name of the output file to which the request will be written. Default is stdout. (Optional)</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>If this option is specified the output is human-readable text format instead of DER. (Optional)</p>
</dd>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
</dl>
<h2 id="Timestamp-Response-generation">Timestamp Response generation</h2>
<p>A timestamp response (TimeStampResp) consists of a response status and the timestamp token itself (ContentInfo), if the token generation was successful. The <b>-reply</b> command is for creating a timestamp response or timestamp token based on a request and printing the response/token in human-readable format. If <b>-token_out</b> is not specified the output is always a timestamp response (TimeStampResp), otherwise it is a timestamp token (ContentInfo).</p>
<dl>
<dt id="config-configfile1"><b>-config</b> <i>configfile</i></dt>
<dd>
<p>The configuration file to use. Optional; for a description of the default value, see <a href="../man1/openssl.html">&quot;COMMAND SUMMARY&quot; in openssl(1)</a>. See <a href="#CONFIGURATION-FILE-OPTIONS">&quot;CONFIGURATION FILE OPTIONS&quot;</a> for configurable variables.</p>
</dd>
<dt id="section-tsa_section"><b>-section</b> <i>tsa_section</i></dt>
<dd>
<p>The name of the config file section containing the settings for the response generation. If not specified the default TSA section is used, see <a href="#CONFIGURATION-FILE-OPTIONS">&quot;CONFIGURATION FILE OPTIONS&quot;</a> for details. (Optional)</p>
</dd>
<dt id="queryfile-request.tsq"><b>-queryfile</b> <i>request.tsq</i></dt>
<dd>
<p>The name of the file containing a DER encoded timestamp request. (Optional)</p>
</dd>
<dt id="passin-password_src"><b>-passin</b> <i>password_src</i></dt>
<dd>
<p>Specifies the password source for the private key of the TSA. See description in <a href="../man1/openssl.html">openssl(1)</a>. (Optional)</p>
</dd>
<dt id="signer-tsa_cert.pem"><b>-signer</b> <i>tsa_cert.pem</i></dt>
<dd>
<p>The signer certificate of the TSA in PEM format. The TSA signing certificate must have exactly one extended key usage assigned to it: timeStamping. The extended key usage must also be critical, otherwise the certificate is going to be refused. Overrides the <b>signer_cert</b> variable of the config file. (Optional)</p>
</dd>
<dt id="inkey-filename-uri"><b>-inkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>The signer private key of the TSA in PEM format. Overrides the <b>signer_key</b> config file option. (Optional)</p>
</dd>
<dt id="digest1"><b>-<i>digest</i></b></dt>
<dd>
<p>Signing digest to use. Overrides the <b>signer_digest</b> config file option. (Mandatory unless specified in the config file)</p>
</dd>
<dt id="chain-certs_file.pem"><b>-chain</b> <i>certs_file.pem</i></dt>
<dd>
<p>The collection of certificates in PEM format that will all be included in the response in addition to the signer certificate if the <b>-cert</b> option was used for the request. This file is supposed to contain the certificate chain for the signer certificate from its issuer upwards. The <b>-reply</b> command does not build a certificate chain automatically. (Optional)</p>
</dd>
<dt id="tspolicy-object_id1"><b>-tspolicy</b> <i>object_id</i></dt>
<dd>
<p>The default policy to use for the response unless the client explicitly requires a particular TSA policy. The OID can be specified either in dotted notation or with its name. Overrides the <b>default_policy</b> config file option. (Optional)</p>
</dd>
<dt id="in-response.tsr"><b>-in</b> <i>response.tsr</i></dt>
<dd>
<p>Specifies a previously created timestamp response or timestamp token (if <b>-token_in</b> is also specified) in DER format that will be written to the output file. This option does not require a request, it is useful e.g. when you need to examine the content of a response or token or you want to extract the timestamp token from a response. If the input is a token and the output is a timestamp response a default &#39;granted&#39; status info is added to the token. (Optional)</p>
</dd>
<dt id="token_in"><b>-token_in</b></dt>
<dd>
<p>This flag can be used together with the <b>-in</b> option and indicates that the input is a DER encoded timestamp token (ContentInfo) instead of a timestamp response (TimeStampResp). (Optional)</p>
</dd>
<dt id="out-response.tsr"><b>-out</b> <i>response.tsr</i></dt>
<dd>
<p>The response is written to this file. The format and content of the file depends on other options (see <b>-text</b>, <b>-token_out</b>). The default is stdout. (Optional)</p>
</dd>
<dt id="token_out"><b>-token_out</b></dt>
<dd>
<p>The output is a timestamp token (ContentInfo) instead of timestamp response (TimeStampResp). (Optional)</p>
</dd>
<dt id="text1"><b>-text</b></dt>
<dd>
<p>If this option is specified the output is human-readable text format instead of DER. (Optional)</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h2 id="Timestamp-Response-verification">Timestamp Response verification</h2>
<p>The <b>-verify</b> command is for verifying if a timestamp response or timestamp token is valid and matches a particular timestamp request or data file. The <b>-verify</b> command does not use the configuration file.</p>
<dl>
<dt id="data-file_to_hash1"><b>-data</b> <i>file_to_hash</i></dt>
<dd>
<p>The response or token must be verified against file_to_hash. The file is hashed with the message digest algorithm specified in the token. The <b>-digest</b> and <b>-queryfile</b> options must not be specified with this one. (Optional)</p>
</dd>
<dt id="digest-digest_bytes1"><b>-digest</b> <i>digest_bytes</i></dt>
<dd>
<p>The response or token must be verified against the message digest specified with this option. The number of bytes must match the message digest algorithm specified in the token. The <b>-data</b> and <b>-queryfile</b> options must not be specified with this one. (Optional)</p>
</dd>
<dt id="queryfile-request.tsq1"><b>-queryfile</b> <i>request.tsq</i></dt>
<dd>
<p>The original timestamp request in DER format. The <b>-data</b> and <b>-digest</b> options must not be specified with this one. (Optional)</p>
</dd>
<dt id="in-response.tsr1"><b>-in</b> <i>response.tsr</i></dt>
<dd>
<p>The timestamp response that needs to be verified in DER format. (Mandatory)</p>
</dd>
<dt id="token_in1"><b>-token_in</b></dt>
<dd>
<p>This flag can be used together with the <b>-in</b> option and indicates that the input is a DER encoded timestamp token (ContentInfo) instead of a timestamp response (TimeStampResp). (Optional)</p>
</dd>
<dt id="untrusted-files-uris"><b>-untrusted</b> <i>files</i>|<i>uris</i></dt>
<dd>
<p>A set of additional untrusted certificates which may be needed when building the certificate chain for the TSA&#39;s signing certificate. These do not need to contain the TSA signing certificate and intermediate CA certificates if the response already includes them. (Optional)</p>
<p>Multiple sources may be given, separated by commas and/or whitespace. Each file may contain multiple certificates.</p>
</dd>
<dt id="CAfile-file--CApath-dir--CAstore-uri"><b>-CAfile</b> <i>file</i>, <b>-CApath</b> <i>dir</i>, <b>-CAstore</b> <i>uri</i></dt>
<dd>
<p>See <a href="../man1/openssl-verification-options.html">&quot;Trusted Certificate Options&quot; in openssl-verification-options(1)</a> for details. At least one of <b>-CAfile</b>, <b>-CApath</b> or <b>-CAstore</b> must be specified.</p>
</dd>
<dt id="allow_proxy_certs--attime--no_check_time--check_ss_sig--crl_check--crl_check_all--explicit_policy--extended_crl--ignore_critical--inhibit_any--inhibit_map--no_alt_chains--partial_chain--policy--policy_check--policy_print--purpose--suiteB_128--suiteB_128_only--suiteB_192--trusted_first--use_deltas--auth_level--verify_depth--verify_email--verify_hostname--verify_ip--verify_name--x509_strict--issuer_checks"><b>-allow_proxy_certs</b>, <b>-attime</b>, <b>-no_check_time</b>, <b>-check_ss_sig</b>, <b>-crl_check</b>, <b>-crl_check_all</b>, <b>-explicit_policy</b>, <b>-extended_crl</b>, <b>-ignore_critical</b>, <b>-inhibit_any</b>, <b>-inhibit_map</b>, <b>-no_alt_chains</b>, <b>-partial_chain</b>, <b>-policy</b>, <b>-policy_check</b>, <b>-policy_print</b>, <b>-purpose</b>, <b>-suiteB_128</b>, <b>-suiteB_128_only</b>, <b>-suiteB_192</b>, <b>-trusted_first</b>, <b>-use_deltas</b>, <b>-auth_level</b>, <b>-verify_depth</b>, <b>-verify_email</b>, <b>-verify_hostname</b>, <b>-verify_ip</b>, <b>-verify_name</b>, <b>-x509_strict</b> <b>-issuer_checks</b></dt>
<dd>
<p>Set various options of certificate chain verification. See <a href="../man1/openssl-verification-options.html">&quot;Verification Options&quot; in openssl-verification-options(1)</a> for details.</p>
<p>Any verification errors cause the command to exit.</p>
</dd>
</dl>
<h1 id="CONFIGURATION-FILE-OPTIONS">CONFIGURATION FILE OPTIONS</h1>
<p>The <b>-query</b> and <b>-reply</b> commands make use of a configuration file. See <a href="../man5/config.html">config(5)</a> for a general description of the syntax of the config file. The <b>-query</b> command uses only the symbolic OID names section and it can work without it. However, the <b>-reply</b> command needs the config file for its operation.</p>
<p>When there is a command line switch equivalent of a variable the switch always overrides the settings in the config file.</p>
<dl>
<dt id="tsa-section-default_tsa"><b>tsa</b> section, <b>default_tsa</b></dt>
<dd>
<p>This is the main section and it specifies the name of another section that contains all the options for the <b>-reply</b> command. This default section can be overridden with the <b>-section</b> command line switch. (Optional)</p>
</dd>
<dt id="oid_file"><b>oid_file</b></dt>
<dd>
<p>This specifies a file containing additional <b>OBJECT IDENTIFIERS</b>. Each line of the file should consist of the numerical form of the object identifier followed by whitespace then the short name followed by whitespace and finally the long name. (Optional)</p>
</dd>
<dt id="oid_section"><b>oid_section</b></dt>
<dd>
<p>This specifies a section in the configuration file containing extra object identifiers. Each line should consist of the short name of the object identifier followed by <b>=</b> and the numerical form. The short and long names are the same when this option is used. (Optional)</p>
</dd>
<dt id="RANDFILE"><b>RANDFILE</b></dt>
<dd>
<p>At startup the specified file is loaded into the random number generator, and at exit 256 bytes will be written to it. (Note: using a RANDFILE is no longer necessary, see the <a href="#HISTORY">&quot;HISTORY&quot;</a> section.)</p>
</dd>
<dt id="serial"><b>serial</b></dt>
<dd>
<p>The name of the file containing the hexadecimal serial number of the last timestamp response created. This number is incremented by 1 for each response. If the file does not exist at the time of response generation a new file is created with serial number 1. (Mandatory)</p>
</dd>
<dt id="crypto_device"><b>crypto_device</b></dt>
<dd>
<p>Specifies the OpenSSL engine that will be set as the default for all available algorithms. The default value is <b>builtin</b>; any other engine supported by OpenSSL can be named (e.g. chil for the nCipher HSM). Engines are deprecated, see the <b>-engine</b> option. (Optional)</p>
</dd>
<dt id="signer_cert"><b>signer_cert</b></dt>
<dd>
<p>TSA signing certificate in PEM format. The same as the <b>-signer</b> command line option. (Optional)</p>
</dd>
<dt id="certs"><b>certs</b></dt>
<dd>
<p>A file containing a set of PEM encoded certificates that need to be included in the response. The same as the <b>-chain</b> command line option. (Optional)</p>
</dd>
<dt id="signer_key"><b>signer_key</b></dt>
<dd>
<p>The private key of the TSA in PEM format. The same as the <b>-inkey</b> command line option. (Optional)</p>
</dd>
<dt id="signer_digest"><b>signer_digest</b></dt>
<dd>
<p>Signing digest to use. The same as the <b>-<i>digest</i></b> command line option. (Mandatory unless specified on the command line)</p>
</dd>
<dt id="default_policy"><b>default_policy</b></dt>
<dd>
<p>The default policy to use when the request does not mandate any policy. The same as the <b>-tspolicy</b> command line option. (Optional)</p>
</dd>
<dt id="other_policies"><b>other_policies</b></dt>
<dd>
<p>Comma separated list of policies that are also acceptable by the TSA and used only if the request explicitly specifies one of them. (Optional)</p>
</dd>
<dt id="digests"><b>digests</b></dt>
<dd>
<p>The list of message digest algorithms that the TSA accepts. At least one algorithm must be specified. (Mandatory)</p>
</dd>
<dt id="accuracy"><b>accuracy</b></dt>
<dd>
<p>The accuracy of the time source of the TSA in seconds, milliseconds and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of the components is missing zero is assumed for that field. (Optional)</p>
</dd>
<dt id="clock_precision_digits"><b>clock_precision_digits</b></dt>
<dd>
<p>Specifies the maximum number of digits, which represent the fraction of seconds, that need to be included in the time field. The trailing zeros must be removed from the time, so there might actually be fewer digits, or no fraction of seconds at all. Supported only on UNIX platforms. The maximum value is 6, default is 0. (Optional)</p>
</dd>
<dt id="ordering"><b>ordering</b></dt>
<dd>
<p>If this option is yes the responses generated by this TSA can always be ordered, even if the time difference between two responses is less than the sum of their accuracies. Default is no. (Optional)</p>
</dd>
<dt id="tsa_name"><b>tsa_name</b></dt>
<dd>
<p>Set this option to yes if the subject name of the TSA must be included in the TSA name field of the response. Default is no. (Optional)</p>
</dd>
<dt id="ess_cert_id_chain"><b>ess_cert_id_chain</b></dt>
<dd>
<p>The SignedData objects created by the TSA always contain the certificate identifier of the signing certificate in a signed attribute (see RFC 2634, Enhanced Security Services). If this variable is set to no, only this signing certificate identifier is included in the SigningCertificate signed attribute. If this variable is set to yes and the <b>certs</b> variable or the <b>-chain</b> option is specified then the certificate identifiers of the chain will also be included, where the <b>-chain</b> option overrides the <b>certs</b> variable. Default is no. (Optional)</p>
</dd>
<dt id="ess_cert_id_alg"><b>ess_cert_id_alg</b></dt>
<dd>
<p>This option specifies the hash function to be used to calculate the TSA&#39;s public key certificate identifier. Default is sha256. (Optional)</p>
</dd>
</dl>
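<p>A complete TSA configuration that uses the variables above, as an added example rather than a file shipped with OpenSSL. The directory, file names and policy OIDs are placeholders; the digest list deliberately leaves out SHA-1, and the ESS certificate identifier uses SHA-256, so a request hashed with a weak digest is rejected rather than timestamped.</p>

```ini
# Added example openssl.cnf fragment for `openssl ts -reply`.
# Paths and policy OIDs are placeholders; use OIDs you actually own.
oid_section = tsa_oids            # symbolic OID names usable with -tspolicy

[ tsa_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6

[ tsa ]
default_tsa = tsa_config1         # section used by -reply unless -section overrides it

[ tsa_config1 ]
dir            = ./tsa
serial         = $dir/tsaserial             # mandatory; created with serial 1 if missing
signer_cert    = $dir/tsacert.pem           # EKU must be critical,timeStamping and nothing else
signer_key     = $dir/private/tsakey.pem    # password taken from -passin when encrypted
certs          = $dir/cacert.pem            # chain returned when the request used -cert
signer_digest  = sha256                     # mandatory here or via -<digest> on the command line
default_policy = tsa_policy1                # used when the request names no policy
other_policies = tsa_policy2                # accepted only if the request asks for it
digests        = sha256, sha384, sha512     # mandatory; requests hashed with sha1 are refused
accuracy       = secs:1, millisecs:500, microsecs:100
clock_precision_digits = 0
ordering       = yes
tsa_name       = yes
ess_cert_id_chain = no
ess_cert_id_alg   = sha256
```

<p>With <b>OPENSSL_CONF</b> pointing at a file containing this fragment, <code>openssl ts -reply -queryfile design1.tsq -out design1.tsr</code> needs no further options; any switch given on the command line still overrides the corresponding variable.</p>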
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>All the examples below presume that <b>OPENSSL_CONF</b> is set to a proper configuration file, e.g. the example configuration file <i>openssl/apps/openssl.cnf</i> will do.</p>
<h2 id="Timestamp-Request">Timestamp Request</h2>
<p>To create a timestamp request for <i>design1.txt</i> with SHA-256 digest, without nonce and policy, and without requirement for a certificate in the response:</p>
<pre><code> openssl ts -query -data design1.txt -no_nonce \
-out design1.tsq</code></pre>
<p>To create a similar timestamp request by specifying the message imprint explicitly. The number of bytes must match the digest algorithm, and the 20-byte value below is a SHA-1 imprint, so the algorithm has to be selected as well (with the SHA-256 default the command would reject the value):</p>
<pre><code> openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b -sha1 \
   -no_nonce -out design1.tsq</code></pre>
<p>To print the content of the previous request in human readable format:</p>
<pre><code> openssl ts -query -in design1.tsq -text</code></pre>
<p>To create a timestamp request which includes the SHA-512 digest of <i>design2.txt</i>, requests the signer certificate and nonce, and specifies a policy id (assuming the tsa_policy1 name is defined in the OID section of the config file):</p>
<pre><code> openssl ts -query -data design2.txt -sha512 \
-tspolicy tsa_policy1 -cert -out design2.tsq</code></pre>
<h2 id="Timestamp-Response">Timestamp Response</h2>
<p>Before generating a response a signing certificate must be created for the TSA that contains the <b>timeStamping</b> critical extended key usage extension without any other key usage extensions. You can add this line to the user certificate section of the config file to generate a proper certificate:</p>
<pre><code> extendedKeyUsage = critical,timeStamping</code></pre>
<p>See <a href="../man1/openssl-req.html">openssl-req(1)</a>, <a href="../man1/openssl-ca.html">openssl-ca(1)</a>, and <a href="../man1/openssl-x509.html">openssl-x509(1)</a> for instructions. The examples below assume that <i>cacert.pem</i> contains the certificate of the CA, <i>tsacert.pem</i> is the signing certificate issued by <i>cacert.pem</i> and <i>tsakey.pem</i> is the private key of the TSA.</p>
<p>To create a timestamp response for a request:</p>
<pre><code> openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
-signer tsacert.pem -out design1.tsr</code></pre>
<p>If you want to use the settings in the config file you could just write:</p>
<pre><code> openssl ts -reply -queryfile design1.tsq -out design1.tsr</code></pre>
<p>To print a timestamp reply to stdout in human readable format:</p>
<pre><code> openssl ts -reply -in design1.tsr -text</code></pre>
<p>To create a timestamp token instead of timestamp response:</p>
<pre><code> openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out</code></pre>
<p>To print a timestamp token to stdout in human readable format:</p>
<pre><code> openssl ts -reply -in design1_token.der -token_in -text -token_out</code></pre>
<p>To extract the timestamp token from a response:</p>
<pre><code> openssl ts -reply -in design1.tsr -out design1_token.der -token_out</code></pre>
<p>To add &#39;granted&#39; status info to a timestamp token thereby creating a valid response:</p>
<pre><code> openssl ts -reply -in design1_token.der -token_in -out design1.tsr</code></pre>
<h2 id="Timestamp-Verification">Timestamp Verification</h2>
<p>To verify a timestamp reply against a request:</p>
<pre><code> openssl ts -verify -queryfile design1.tsq -in design1.tsr \
-CAfile cacert.pem -untrusted tsacert.pem</code></pre>
<p>To verify a timestamp reply that includes the certificate chain:</p>
<pre><code> openssl ts -verify -queryfile design2.tsq -in design2.tsr \
-CAfile cacert.pem</code></pre>
<p>To verify a timestamp token against the original data file:</p>
<pre><code> openssl ts -verify -data design2.txt -in design2.tsr \
   -CAfile cacert.pem</code></pre>
<p>To verify a timestamp token against a message imprint (the number of bytes must match the digest algorithm recorded in the token; the 20-byte value shown corresponds to SHA-1):</p>
<pre><code> openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
   -in design2.tsr -CAfile cacert.pem</code></pre>
<p>You could also look at the &#39;test&#39; directory for more examples.</p>
<h1 id="BUGS">BUGS</h1>
<ul>
<li><p>No support for timestamps over SMTP, though it is quite easy to implement an automatic e-mail based TSA with <a href="../man1/procmail.html">procmail(1)</a> and <a href="../man1/perl.html">perl(1)</a>. HTTP server support is provided in the form of a separate apache module. HTTP client support is provided by <a href="../man1/tsget.html">tsget(1)</a>. Pure TCP/IP protocol is not supported.</p>
</li>
<li><p>The file containing the last serial number of the TSA is not locked when being read or written. This is a problem if more than one instance of <a href="../man1/openssl.html">openssl(1)</a> is trying to create a timestamp response at the same time, since two responses can then be issued with the same serial number. This is not an issue when using the apache server module, it does proper locking.</p>
</li>
<li><p>Look for the FIXME word in the source files.</p>
</li>
<li><p>The source code should really be reviewed by somebody else, too.</p>
</li>
<li><p>More testing is needed, I have done only some basic tests (see test/testtsa).</p>
</li>
</ul>
<h1 id="HISTORY">HISTORY</h1>
<p>OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved seeding mechanism. The new seeding mechanism makes it unnecessary to define a RANDFILE for saving and restoring randomness. This option is retained mainly for compatibility reasons.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/tsget.html">tsget(1)</a>, <a href="../man1/openssl-req.html">openssl-req(1)</a>, <a href="../man1/openssl-x509.html">openssl-x509(1)</a>, <a href="../man1/openssl-ca.html">openssl-ca(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man5/config.html">config(5)</a>, <a href="../man7/ossl_store-file.html">ossl_store-file(7)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,564 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-verification-options</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a>
<ul>
<li><a href="#Trust-Anchors">Trust Anchors</a></li>
<li><a href="#Certification-Path-Building">Certification Path Building</a></li>
<li><a href="#Certification-Path-Validation">Certification Path Validation</a></li>
</ul>
</li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#Trusted-Certificate-Options">Trusted Certificate Options</a></li>
<li><a href="#Verification-Options">Verification Options</a></li>
<li><a href="#Extended-Verification-Options">Extended Verification Options</a></li>
<li><a href="#Certificate-Extensions">Certificate Extensions</a>
<ul>
<li><a href="#Basic-Constraints">Basic Constraints</a></li>
<li><a href="#Key-Usage">Key Usage</a></li>
<li><a href="#Extended-Key-Usage">Extended Key Usage</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-verification-options - generic X.509 certificate verification options</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <i>command</i> [ <i>options</i> ... ] [ <i>parameters</i> ... ]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>There are many situations where X.509 certificates are verified within the OpenSSL libraries and in various OpenSSL commands.</p>
<p>Certificate verification is implemented by <a href="../man3/X509_verify_cert.html">X509_verify_cert(3)</a>. It is a complicated process consisting of a number of steps and depending on numerous options. The most important of them are detailed in the following sections.</p>
<p>In a nutshell, a valid chain of certificates needs to be built up and verified starting from the <i>target certificate</i> that is to be verified and ending in a certificate that due to some policy is trusted. Verification is done relative to the given <i>purpose</i>, which is the intended use of the target certificate, such as SSL server, or by default for any purpose.</p>
<p>The details of how each OpenSSL command handles errors are documented on the specific command page.</p>
<p>DANE support is documented in <a href="../man1/openssl-s_client.html">openssl-s_client(1)</a>, <a href="../man3/SSL_CTX_dane_enable.html">SSL_CTX_dane_enable(3)</a>, <a href="../man3/SSL_set1_host.html">SSL_set1_host(3)</a>, <a href="../man3/X509_VERIFY_PARAM_set_flags.html">X509_VERIFY_PARAM_set_flags(3)</a>, and <a href="../man3/X509_check_host.html">X509_check_host(3)</a>.</p>
<h2 id="Trust-Anchors">Trust Anchors</h2>
<p>In general, according to RFC 4158 and RFC 5280, a <i>trust anchor</i> is any public key and related subject distinguished name (DN) that for some reason is considered trusted and thus is acceptable as the root of a chain of certificates.</p>
<p>In practice, trust anchors are given in the form of certificates, where their essential fields are the public key and the subject DN. In addition to the requirements in RFC 5280, OpenSSL checks the validity period of such certificates and makes use of some further fields. In particular, the subject key identifier extension, if present, is used for matching trust anchors during chain building.</p>
<p>In the most simple and common case, trust anchors are by default all self-signed &quot;root&quot; CA certificates that are placed in the <i>trust store</i>, which is a collection of certificates that are trusted for certain uses. This is akin to what is used in the trust stores of Mozilla Firefox, or Apple&#39;s and Microsoft&#39;s certificate stores, ...</p>
<p>From the OpenSSL perspective, a trust anchor is a certificate that should be augmented with an explicit designation for which uses of a target certificate the certificate may serve as a trust anchor. In PEM encoding, this is indicated by the <code>TRUSTED CERTIFICATE</code> string. Such a designation provides a set of positive trust attributes explicitly stating trust for the listed purposes and/or a set of negative trust attributes explicitly rejecting the use for the listed purposes. The purposes are encoded using the values defined for the extended key usages (EKUs) that may be given in X.509 extensions of end-entity certificates. See also the <a href="#Extended-Key-Usage">&quot;Extended Key Usage&quot;</a> section below.</p>
<p>The currently recognized uses are <b>clientAuth</b> (SSL client use), <b>serverAuth</b> (SSL server use), <b>emailProtection</b> (S/MIME email use), <b>codeSigning</b> (object signer use), <b>OCSPSigning</b> (OCSP responder use), <b>OCSP</b> (OCSP request use), <b>timeStamping</b> (TSA server use), and <b>anyExtendedKeyUsage</b>. As of OpenSSL 1.1.0, the last of these blocks all uses when rejected or enables all uses when trusted.</p>
<p>A certificate, which may be CA certificate or an end-entity certificate, is considered a trust anchor for the given use if and only if all the following conditions hold:</p>
<ul>
<li><p>It is an an element of the trust store.</p>
</li>
<li><p>It does not have a negative trust attribute rejecting the given use.</p>
</li>
<li><p>It has a positive trust attribute accepting the given use or (by default) one of the following compatibility conditions apply: It is self-signed or the <b>-partial_chain</b> option is given (which corresponds to the <b>X509_V_FLAG_PARTIAL_CHAIN</b> flag being set).</p>
</li>
</ul>
<h2 id="Certification-Path-Building">Certification Path Building</h2>
<p>First, a certificate chain is built up starting from the target certificate and ending in a trust anchor.</p>
<p>The chain is built up iteratively, looking up in turn a certificate with suitable key usage that matches as an issuer of the current &quot;subject&quot; certificate as described below. If there is such a certificate, the first one found that is currently valid is taken, otherwise the one that expired most recently of all such certificates. For efficiency, no backtracking is performed, thus any further candidate issuer certificates that would match equally are ignored.</p>
<p>When a self-signed certificate has been added, chain construction stops. In this case it must fully match a trust anchor, otherwise chain building fails.</p>
<p>A candidate issuer certificate matches a subject certificate if all of the following conditions hold:</p>
<ul>
<li><p>Its subject name matches the issuer name of the subject certificate.</p>
</li>
<li><p>If the subject certificate has an authority key identifier extension, each of its sub-fields equals the corresponding subject key identifier, serial number, and issuer field of the candidate issuer certificate, as far as the respective fields are present in both certificates.</p>
</li>
<li><p>The certificate signature algorithm used to sign the subject certificate is supported and equals the public key algorithm of the candidate issuer certificate.</p>
</li>
</ul>
<p>The lookup first searches for issuer certificates in the trust store. If it does not find a match there it consults the list of untrusted (&quot;intermediate&quot; CA) certificates, if provided.</p>
<h2 id="Certification-Path-Validation">Certification Path Validation</h2>
<p>When the certificate chain building process was successful the chain components and their links are checked thoroughly.</p>
<p>The first step is to check that each certificate is well-formed. Part of these checks are enabled only if the <b>-x509_strict</b> option is given.</p>
<p>The second step is to check the extensions of every untrusted certificate for consistency with the supplied purpose. If the <b>-purpose</b> option is not given then no such checks are done except for SSL/TLS connection setup, where by default <code>sslserver</code> or <code>sslclient</code>, are checked. The target or &quot;leaf&quot; certificate, as well as any other untrusted certificates, must have extensions compatible with the specified purpose. All certificates except the target or &quot;leaf&quot; must also be valid CA certificates. The precise extensions required are described in more detail in <a href="../man1/openssl-x509.html">&quot;CERTIFICATE EXTENSIONS&quot; in openssl-x509(1)</a>.</p>
<p>The third step is to check the trust settings on the last certificate (which typically is a self-signed root CA certificate). It must be trusted for the given use. For compatibility with previous versions of OpenSSL, a self-signed certificate with no trust attributes is considered to be valid for all uses.</p>
<p>The fourth, and final, step is to check the validity of the certificate chain. For each element in the chain, including the root CA certificate, the validity period as specified by the <code>notBefore</code> and <code>notAfter</code> fields is checked against the current system time. The <b>-attime</b> flag may be used to use a reference time other than &quot;now.&quot; The certificate signature is checked as well (except for the signature of the typically self-signed root CA certificate, which is verified only if the <b>-check_ss_sig</b> option is given). When verifying a certificate signature the keyUsage extension (if present) of the candidate issuer certificate is checked to permit digitalSignature for signing proxy certificates or to permit keyCertSign for signing other certificates, respectively. If all operations complete successfully then certificate is considered valid. If any operation fails then the certificate is not valid.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<h2 id="Trusted-Certificate-Options">Trusted Certificate Options</h2>
<p>The following options specify how to supply the certificates that can be used as trust anchors for certain uses. As mentioned, a collection of such certificates is called a <i>trust store</i>.</p>
<p>Note that OpenSSL does not provide a default set of trust anchors. Many Linux distributions include a system default and configure OpenSSL to point to that. Mozilla maintains an influential trust store that can be found at <a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/</a>.</p>
<p>The certificates to add to the trust store can be specified using following options.</p>
<dl>
<dt id="CAfile-file"><b>-CAfile</b> <i>file</i></dt>
<dd>
<p>Load the specified file which contains a trusted certificate in DER format or potentially several of them in case the input is in PEM format. PEM-encoded certificates may also have trust attributes set.</p>
</dd>
<dt id="no-CAfile"><b>-no-CAfile</b></dt>
<dd>
<p>Do not load the default file of trusted certificates.</p>
</dd>
<dt id="CApath-dir"><b>-CApath</b> <i>dir</i></dt>
<dd>
<p>Use the specified directory as a collection of trusted certificates, i.e., a trust store. Files should be named with the hash value of the X.509 SubjectName of each certificate. This is so that the library can extract the IssuerName, hash it, and directly lookup the file to get the issuer certificate. See <a href="../man1/openssl-rehash.html">openssl-rehash(1)</a> for information on creating this type of directory.</p>
</dd>
<dt id="no-CApath"><b>-no-CApath</b></dt>
<dd>
<p>Do not use the default directory of trusted certificates.</p>
</dd>
<dt id="CAstore-uri"><b>-CAstore</b> <i>uri</i></dt>
<dd>
<p>Use <i>uri</i> as a store of CA certificates. The URI may indicate a single certificate, as well as a collection of them. With URIs in the <code>file:</code> scheme, this acts as <b>-CAfile</b> or <b>-CApath</b>, depending on if the URI indicates a single file or directory. See <a href="../man7/ossl_store-file.html">ossl_store-file(7)</a> for more information on the <code>file:</code> scheme.</p>
<p>These certificates are also used when building the server certificate chain (for example with <a href="../man1/openssl-s_server.html">openssl-s_server(1)</a>) or client certificate chain (for example with <a href="../man1/openssl-s_time.html">openssl-s_time(1)</a>).</p>
</dd>
<dt id="no-CAstore"><b>-no-CAstore</b></dt>
<dd>
<p>Do not use the default store of trusted CA certificates.</p>
</dd>
</dl>
<h2 id="Verification-Options">Verification Options</h2>
<p>The certificate verification can be fine-tuned with the following flags.</p>
<dl>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Print extra information about the operations being performed.</p>
</dd>
<dt id="attime-timestamp"><b>-attime</b> <i>timestamp</i></dt>
<dd>
<p>Perform validation checks using time specified by <i>timestamp</i> and not current system time. <i>timestamp</i> is the number of seconds since January 1, 1970 (i.e., the Unix Epoch).</p>
</dd>
<dt id="no_check_time"><b>-no_check_time</b></dt>
<dd>
<p>This option suppresses checking the validity period of certificates and CRLs against the current time. If option <b>-attime</b> is used to specify a verification time, the check is not suppressed.</p>
</dd>
<dt id="x509_strict"><b>-x509_strict</b></dt>
<dd>
<p>This disables non-compliant workarounds for broken certificates. Thus errors are thrown on certificates not compliant with RFC 5280.</p>
<p>When this option is set, among others, the following certificate well-formedness conditions are checked:</p>
<ul>
<li><p>The basicConstraints of CA certificates must be marked critical.</p>
</li>
<li><p>CA certificates must explicitly include the keyUsage extension.</p>
</li>
<li><p>If a pathlenConstraint is given the key usage keyCertSign must be allowed.</p>
</li>
<li><p>The pathlenConstraint must not be given for non-CA certificates.</p>
</li>
<li><p>The issuer name of any certificate must not be empty.</p>
</li>
<li><p>The subject name of CA certs, certs with keyUsage crlSign, and certs without subjectAlternativeName must not be empty.</p>
</li>
<li><p>If a subjectAlternativeName extension is given it must not be empty.</p>
</li>
<li><p>The signatureAlgorithm field and the cert signature must be consistent.</p>
</li>
<li><p>Any given authorityKeyIdentifier and any given subjectKeyIdentifier must not be marked critical.</p>
</li>
<li><p>The authorityKeyIdentifier must be given for X.509v3 certs unless they are self-signed.</p>
</li>
<li><p>The subjectKeyIdentifier must be given for all X.509v3 CA certs.</p>
</li>
</ul>
</dd>
<dt id="ignore_critical"><b>-ignore_critical</b></dt>
<dd>
<p>Normally if an unhandled critical extension is present that is not supported by OpenSSL the certificate is rejected (as required by RFC5280). If this option is set critical extensions are ignored.</p>
</dd>
<dt id="issuer_checks"><b>-issuer_checks</b></dt>
<dd>
<p>Ignored.</p>
</dd>
<dt id="crl_check"><b>-crl_check</b></dt>
<dd>
<p>Checks end entity certificate validity by attempting to look up a valid CRL. If a valid CRL cannot be found an error occurs.</p>
</dd>
<dt id="crl_check_all"><b>-crl_check_all</b></dt>
<dd>
<p>Checks the validity of <b>all</b> certificates in the chain by attempting to look up valid CRLs.</p>
</dd>
<dt id="use_deltas"><b>-use_deltas</b></dt>
<dd>
<p>Enable support for delta CRLs.</p>
</dd>
<dt id="extended_crl"><b>-extended_crl</b></dt>
<dd>
<p>Enable extended CRL features such as indirect CRLs and alternate CRL signing keys.</p>
</dd>
<dt id="suiteB_128_only--suiteB_128--suiteB_192"><b>-suiteB_128_only</b>, <b>-suiteB_128</b>, <b>-suiteB_192</b></dt>
<dd>
<p>Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or 192 bit, or only 192 bit Level of Security respectively. See RFC6460 for details. In particular the supported signature algorithms are reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves P-256 and P-384.</p>
</dd>
<dt id="auth_level-level"><b>-auth_level</b> <i>level</i></dt>
<dd>
<p>Set the certificate chain authentication security level to <i>level</i>. The authentication security level determines the acceptable signature and public key strength when verifying certificate chains. For a certificate chain to validate, the public keys of all the certificates must meet the specified security <i>level</i>. The signature algorithm security level is enforced for all the certificates in the chain except for the chain&#39;s <i>trust anchor</i>, which is either directly trusted or validated by means other than its signature. See <a href="../man3/SSL_CTX_set_security_level.html">SSL_CTX_set_security_level(3)</a> for the definitions of the available levels. The default security level is -1, or &quot;not set&quot;. At security level 0 or lower all algorithms are acceptable. Security level 1 requires at least 80-bit-equivalent security and is broadly interoperable, though it will, for example, reject MD5 signatures or RSA keys shorter than 1024 bits.</p>
</dd>
<dt id="partial_chain"><b>-partial_chain</b></dt>
<dd>
<p>Allow verification to succeed if an incomplete chain can be built. That is, a chain ending in a certificate that normally would not be trusted (because it has no matching positive trust attributes and is not self-signed) but is an element of the trust store. This certificate may be self-issued or belong to an intermediate CA.</p>
</dd>
<dt id="check_ss_sig"><b>-check_ss_sig</b></dt>
<dd>
<p>Verify the signature of the last certificate in a chain if the certificate is supposedly self-signed. This is prohibited and will result in an error if it is a non-conforming CA certificate with key usage restrictions not including the keyCertSign bit. This verification is disabled by default because it doesn&#39;t add any security.</p>
</dd>
<dt id="allow_proxy_certs"><b>-allow_proxy_certs</b></dt>
<dd>
<p>Allow the verification of proxy certificates.</p>
</dd>
<dt id="trusted_first"><b>-trusted_first</b></dt>
<dd>
<p>As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.</p>
<p>When constructing the certificate chain, the trusted certificates specified via <b>-CAfile</b>, <b>-CApath</b>, <b>-CAstore</b> or <b>-trusted</b> are always used before any certificates specified via <b>-untrusted</b>.</p>
</dd>
<dt id="no_alt_chains"><b>-no_alt_chains</b></dt>
<dd>
<p>As of OpenSSL 1.1.0, since <b>-trusted_first</b> always on, this option has no effect.</p>
</dd>
<dt id="trusted-file"><b>-trusted</b> <i>file</i></dt>
<dd>
<p>Parse <i>file</i> as a set of one or more certificates. Each of them qualifies as trusted if has a suitable positive trust attribute or it is self-signed or the <b>-partial_chain</b> option is specified. This option implies the <b>-no-CAfile</b>, <b>-no-CApath</b>, and <b>-no-CAstore</b> options and it cannot be used with the <b>-CAfile</b>, <b>-CApath</b> or <b>-CAstore</b> options, so only certificates specified using the <b>-trusted</b> option are trust anchors. This option may be used multiple times.</p>
</dd>
<dt id="untrusted-file"><b>-untrusted</b> <i>file</i></dt>
<dd>
<p>Parse <i>file</i> as a set of one or more certificates. All certificates (typically of intermediate CAs) are considered untrusted and may be used to construct a certificate chain from the target certificate to a trust anchor. This option may be used multiple times.</p>
</dd>
<dt id="policy-arg"><b>-policy</b> <i>arg</i></dt>
<dd>
<p>Enable policy processing and add <i>arg</i> to the user-initial-policy-set (see RFC5280). The policy <i>arg</i> can be an object name an OID in numeric form. This argument can appear more than once.</p>
</dd>
<dt id="explicit_policy"><b>-explicit_policy</b></dt>
<dd>
<p>Set policy variable require-explicit-policy (see RFC5280).</p>
</dd>
<dt id="policy_check"><b>-policy_check</b></dt>
<dd>
<p>Enables certificate policy processing.</p>
</dd>
<dt id="policy_print"><b>-policy_print</b></dt>
<dd>
<p>Print out diagnostics related to policy processing.</p>
</dd>
<dt id="inhibit_any"><b>-inhibit_any</b></dt>
<dd>
<p>Set policy variable inhibit-any-policy (see RFC5280).</p>
</dd>
<dt id="inhibit_map"><b>-inhibit_map</b></dt>
<dd>
<p>Set policy variable inhibit-policy-mapping (see RFC5280).</p>
</dd>
<dt id="purpose-purpose"><b>-purpose</b> <i>purpose</i></dt>
<dd>
<p>The intended use for the certificate. Currently defined purposes are <code>sslclient</code>, <code>sslserver</code>, <code>nssslserver</code>, <code>smimesign</code>, <code>smimeencrypt</code>, <code>crlsign</code>, <code>ocsphelper</code>, <code>timestampsign</code>, <code>codesign</code> and <code>any</code>. If peer certificate verification is enabled, by default the TLS implementation as well as the commands <b>s_client</b> and <b>s_server</b> check for consistency with TLS server or TLS client use, respectively.</p>
<p>While IETF RFC 5280 says that <b>id-kp-serverAuth</b> and <b>id-kp-clientAuth</b> are only for WWW use, in practice they are used for all kinds of TLS clients and servers, and this is what OpenSSL assumes as well.</p>
</dd>
<dt id="verify_depth-num"><b>-verify_depth</b> <i>num</i></dt>
<dd>
<p>Limit the certificate chain to <i>num</i> intermediate CA certificates. A maximal depth chain can have up to <i>num</i>+2 certificates, since neither the end-entity certificate nor the trust-anchor certificate count against the <b>-verify_depth</b> limit.</p>
</dd>
<dt id="verify_email-email"><b>-verify_email</b> <i>email</i></dt>
<dd>
<p>Verify if <i>email</i> matches the email address in Subject Alternative Name or the email in the subject Distinguished Name.</p>
</dd>
<dt id="verify_hostname-hostname"><b>-verify_hostname</b> <i>hostname</i></dt>
<dd>
<p>Verify if <i>hostname</i> matches DNS name in Subject Alternative Name or Common Name in the subject certificate.</p>
</dd>
<dt id="verify_ip-ip"><b>-verify_ip</b> <i>ip</i></dt>
<dd>
<p>Verify if <i>ip</i> matches the IP address in Subject Alternative Name of the subject certificate.</p>
</dd>
<dt id="verify_name-name"><b>-verify_name</b> <i>name</i></dt>
<dd>
<p>Use default verification policies like trust model and required certificate policies identified by <i>name</i>. The trust model determines which auxiliary trust or reject OIDs are applicable to verifying the given certificate chain. They can be given using the <b>-addtrust</b> and <b>-addreject</b> options for <a href="../man1/openssl-x509.html">openssl-x509(1)</a>. Supported policy names include: <b>default</b>, <b>pkcs7</b>, <b>smime_sign</b>, <b>ssl_client</b>, <b>ssl_server</b>. These mimics the combinations of purpose and trust settings used in SSL, CMS and S/MIME. As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not specified, so the <b>-verify_name</b> options are functionally equivalent to the corresponding <b>-purpose</b> settings.</p>
</dd>
</dl>
<h2 id="Extended-Verification-Options">Extended Verification Options</h2>
<p>Sometimes there may be more than one certificate chain leading to an end-entity certificate. This usually happens when a root or intermediate CA signs a certificate for another a CA in other organization. Another reason is when a CA might have intermediates that use two different signature formats, such as a SHA-1 and a SHA-256 digest.</p>
<p>The following options can be used to provide data that will allow the OpenSSL command to generate an alternative chain.</p>
<dl>
<dt id="xkey-infile--xcert-infile--xchain"><b>-xkey</b> <i>infile</i>, <b>-xcert</b> <i>infile</i>, <b>-xchain</b></dt>
<dd>
<p>Specify an extra certificate, private key and certificate chain. These behave in the same manner as the <b>-cert</b>, <b>-key</b> and <b>-cert_chain</b> options. When specified, the callback returning the first valid chain will be in use by the client.</p>
</dd>
<dt id="xchain_build"><b>-xchain_build</b></dt>
<dd>
<p>Specify whether the application should build the certificate chain to be provided to the server for the extra certificates via the <b>-xkey</b>, <b>-xcert</b>, and <b>-xchain</b> options.</p>
</dd>
<dt id="xcertform-DER-PEM-P12"><b>-xcertform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b></dt>
<dd>
<p>The input format for the extra certificate. This option has no effect and is retained for backward compatibility only.</p>
</dd>
<dt id="xkeyform-DER-PEM-P12"><b>-xkeyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b></dt>
<dd>
<p>The input format for the extra key. This option has no effect and is retained for backward compatibility only.</p>
</dd>
</dl>
<h2 id="Certificate-Extensions">Certificate Extensions</h2>
<p>Options like <b>-purpose</b> lead to checking the certificate extensions, which determine what the target certificate and intermediate CA certificates can be used for.</p>
<h3 id="Basic-Constraints">Basic Constraints</h3>
<p>The basicConstraints extension CA flag is used to determine whether the certificate can be used as a CA. If the CA flag is true then it is a CA, if the CA flag is false then it is not a CA. <b>All</b> CAs should have the CA flag set to true.</p>
<p>If the basicConstraints extension is absent, which includes the case that it is an X.509v1 certificate, then the certificate is considered to be a &quot;possible CA&quot; and other extensions are checked according to the intended use of the certificate. The treatment of certificates without basicConstraints as a CA is presently supported, but this could change in the future.</p>
<h3 id="Key-Usage">Key Usage</h3>
<p>If the keyUsage extension is present then additional restraints are made on the uses of the certificate. A CA certificate <b>must</b> have the keyCertSign bit set if the keyUsage extension is present.</p>
<h3 id="Extended-Key-Usage">Extended Key Usage</h3>
<p>The extKeyUsage (EKU) extension places additional restrictions on the certificate uses. If this extension is present (whether critical or not) the key can only be used for the purposes specified.</p>
<p>A complete description of each check is given below. The comments about basicConstraints and keyUsage and X.509v1 certificates above apply to <b>all</b> CA certificates.</p>
<dl>
<dt id="SSL-Client"><b>SSL Client</b></dt>
<dd>
<p>The extended key usage extension must be absent or include the &quot;web client authentication&quot; OID. The keyUsage extension must be absent or it must have the digitalSignature bit set. The Netscape certificate type must be absent or it must have the SSL client bit set.</p>
</dd>
<dt id="SSL-Client-CA"><b>SSL Client CA</b></dt>
<dd>
<p>The extended key usage extension must be absent or include the &quot;web client authentication&quot; OID. The Netscape certificate type must be absent or it must have the SSL CA bit set. This is used as a work around if the basicConstraints extension is absent.</p>
</dd>
<dt id="SSL-Server"><b>SSL Server</b></dt>
<dd>
<p>The extended key usage extension must be absent or include the &quot;web server authentication&quot; and/or one of the SGC OIDs. The keyUsage extension must be absent or it must have the digitalSignature, the keyEncipherment set or both bits set. The Netscape certificate type must be absent or have the SSL server bit set.</p>
</dd>
<dt id="SSL-Server-CA"><b>SSL Server CA</b></dt>
<dd>
<p>The extended key usage extension must be absent or include the &quot;web server authentication&quot; and/or one of the SGC OIDs. The Netscape certificate type must be absent or the SSL CA bit must be set. This is used as a work around if the basicConstraints extension is absent.</p>
</dd>
<dt id="Netscape-SSL-Server"><b>Netscape SSL Server</b></dt>
<dd>
<p>For Netscape SSL clients to connect to an SSL server it must have the keyEncipherment bit set if the keyUsage extension is present. This isn&#39;t always valid because some cipher suites use the key for digital signing. Otherwise it is the same as a normal SSL server.</p>
</dd>
<dt id="Common-S-MIME-Client-Tests"><b>Common S/MIME Client Tests</b></dt>
<dd>
<p>The extended key usage extension must be absent or include the &quot;email protection&quot; OID. The Netscape certificate type must be absent or should have the S/MIME bit set. If the S/MIME bit is not set in the Netscape certificate type then the SSL client bit is tolerated as an alternative but a warning is shown. This is because some Verisign certificates don&#39;t set the S/MIME bit.</p>
</dd>
<dt id="S-MIME-Signing"><b>S/MIME Signing</b></dt>
<dd>
<p>In addition to the common S/MIME client tests the digitalSignature bit or the nonRepudiation bit must be set if the keyUsage extension is present.</p>
</dd>
<dt id="S-MIME-Encryption"><b>S/MIME Encryption</b></dt>
<dd>
<p>In addition to the common S/MIME tests the keyEncipherment bit must be set if the keyUsage extension is present.</p>
</dd>
<dt id="S-MIME-CA"><b>S/MIME CA</b></dt>
<dd>
<p>The extended key usage extension must be absent or include the &quot;email protection&quot; OID. The Netscape certificate type must be absent or must have the S/MIME CA bit set. This is used as a work around if the basicConstraints extension is absent.</p>
</dd>
<dt id="CRL-Signing"><b>CRL Signing</b></dt>
<dd>
<p>The keyUsage extension must be absent or it must have the CRL signing bit set.</p>
</dd>
<dt id="CRL-Signing-CA"><b>CRL Signing CA</b></dt>
<dd>
<p>The normal CA tests apply. Except in this case the basicConstraints extension must be present.</p>
</dd>
</dl>
<h1 id="BUGS">BUGS</h1>
<p>The issuer checks still suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that trusted certificates with matching subject name must appear in a file (as specified by the <b>-CAfile</b> option), a directory (as specified by <b>-CApath</b>), or a store (as specified by <b>-CAstore</b>). If there are multiple such matches, possibly in multiple locations, only the first one (in the mentioned order of locations) is recognised.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/X509_verify_cert.html">X509_verify_cert(3)</a>, <a href="../man1/openssl-verify.html">openssl-verify(1)</a>, <a href="../man1/openssl-ocsp.html">openssl-ocsp(1)</a>, <a href="../man1/openssl-ts.html">openssl-ts(1)</a>, <a href="../man1/openssl-s_client.html">openssl-s_client(1)</a>, <a href="../man1/openssl-s_server.html">openssl-s_server(1)</a>, <a href="../man1/openssl-smime.html">openssl-smime(1)</a>, <a href="../man1/openssl-cmp.html">openssl-cmp(1)</a>, <a href="../man1/openssl-cms.html">openssl-cms(1)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The checks enabled by <b>-x509_strict</b> have been extended in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
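Review bot: deleting this page leaves every link to ../man1/openssl-verification-options.html dangling unless all referencing pages are removed in the same commit; the openssl-verify page in the next hunk still sends readers here for trust settings (its -trusted entry reads "See openssl-verification-options(1) for more information on trust settings"), and the SEE ALSO list on this page links the other way to openssl-verify, openssl-ocsp, openssl-ts, openssl-s_client, openssl-s_server, openssl-smime, openssl-cmp and openssl-cms. Grep the remaining tree for "openssl-verification-options.html" before merging so that no kept HTML page points at a deleted one.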


@ -1,179 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-verify</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#DIAGNOSTICS">DIAGNOSTICS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-verify - certificate verification command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>verify</b> [<b>-help</b>] [<b>-CRLfile</b> <i>filename</i>|<i>uri</i>] [<b>-crl_download</b>] [<b>-show_chain</b>] [<b>-verbose</b>] [<b>-trusted</b> <i>filename</i>|<i>uri</i>] [<b>-untrusted</b> <i>filename</i>|<i>uri</i>] [<b>-vfyopt</b> <i>nm</i>:<i>v</i>] [<b>-nameopt</b> <i>option</i>] [<b>-CAfile</b> <i>file</i>] [<b>-no-CAfile</b>] [<b>-CApath</b> <i>dir</i>] [<b>-no-CApath</b>] [<b>-CAstore</b> <i>uri</i>] [<b>-no-CAstore</b>] [<b>-engine</b> <i>id</i>] [<b>-allow_proxy_certs</b>] [<b>-attime</b> <i>timestamp</i>] [<b>-no_check_time</b>] [<b>-check_ss_sig</b>] [<b>-crl_check</b>] [<b>-crl_check_all</b>] [<b>-explicit_policy</b>] [<b>-extended_crl</b>] [<b>-ignore_critical</b>] [<b>-inhibit_any</b>] [<b>-inhibit_map</b>] [<b>-partial_chain</b>] [<b>-policy</b> <i>arg</i>] [<b>-policy_check</b>] [<b>-policy_print</b>] [<b>-purpose</b> <i>purpose</i>] [<b>-suiteB_128</b>] [<b>-suiteB_128_only</b>] [<b>-suiteB_192</b>] [<b>-trusted_first</b>] [<b>-no_alt_chains</b>] [<b>-use_deltas</b>] [<b>-auth_level</b> <i>num</i>] [<b>-verify_depth</b> <i>num</i>] [<b>-verify_email</b> <i>email</i>] [<b>-verify_hostname</b> <i>hostname</i>] [<b>-verify_ip</b> <i>ip</i>] [<b>-verify_name</b> <i>name</i>] [<b>-x509_strict</b>] [<b>-issuer_checks</b>] [<b>-provider</b> <i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>] [<b>--</b>] [<i>certificate</i> ...]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command verifies certificate chains. If a certificate chain has multiple problems, this program attempts to display all of them.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="CRLfile-filename-uri"><b>-CRLfile</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>The file or URI should contain one or more CRLs in PEM or DER format. This option can be specified more than once to include CRLs from multiple sources.</p>
</dd>
<dt id="crl_download"><b>-crl_download</b></dt>
<dd>
<p>Attempt to download CRL information for certificates via their CDP entries.</p>
</dd>
<dt id="show_chain"><b>-show_chain</b></dt>
<dd>
<p>Display information about the certificate chain that has been built (if successful). Certificates in the chain that came from the untrusted list will be flagged as &quot;untrusted&quot;.</p>
</dd>
<dt id="verbose"><b>-verbose</b></dt>
<dd>
<p>Print extra information about the operations being performed.</p>
</dd>
<dt id="trusted-filename-uri"><b>-trusted</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>A file or URI of (more or less) trusted certificates. See <a href="../man1/openssl-verification-options.html">openssl-verification-options(1)</a> for more information on trust settings.</p>
<p>This option can be specified more than once to load certificates from multiple sources.</p>
</dd>
<dt id="untrusted-filename-uri"><b>-untrusted</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>A file or URI of untrusted certificates to use for chain building. This option can be specified more than once to load certificates from multiple sources.</p>
</dd>
<dt id="vfyopt-nm:v"><b>-vfyopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm during verify operations. Names and values of these options are algorithm-specific.</p>
</dd>
<dt id="nameopt-option"><b>-nameopt</b> <i>option</i></dt>
<dd>
<p>This specifies how the subject or issuer names are displayed. See <a href="../man1/openssl-namedisplay-options.html">openssl-namedisplay-options(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
<p>To load certificates or CRLs that require engine support, specify the <b>-engine</b> option before any of the <b>-trusted</b>, <b>-untrusted</b> or <b>-CRLfile</b> options.</p>
</dd>
<dt id="CAfile-file--no-CAfile--CApath-dir--no-CApath--CAstore-uri--no-CAstore"><b>-CAfile</b> <i>file</i>, <b>-no-CAfile</b>, <b>-CApath</b> <i>dir</i>, <b>-no-CApath</b>, <b>-CAstore</b> <i>uri</i>, <b>-no-CAstore</b></dt>
<dd>
<p>See <a href="../man1/openssl-verification-options.html">&quot;Trusted Certificate Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
<dt id="allow_proxy_certs--attime--no_check_time--check_ss_sig--crl_check--crl_check_all--explicit_policy--extended_crl--ignore_critical--inhibit_any--inhibit_map--no_alt_chains--partial_chain--policy--policy_check--policy_print--purpose--suiteB_128--suiteB_128_only--suiteB_192--trusted_first--use_deltas--auth_level--verify_depth--verify_email--verify_hostname--verify_ip--verify_name--x509_strict--issuer_checks"><b>-allow_proxy_certs</b>, <b>-attime</b>, <b>-no_check_time</b>, <b>-check_ss_sig</b>, <b>-crl_check</b>, <b>-crl_check_all</b>, <b>-explicit_policy</b>, <b>-extended_crl</b>, <b>-ignore_critical</b>, <b>-inhibit_any</b>, <b>-inhibit_map</b>, <b>-no_alt_chains</b>, <b>-partial_chain</b>, <b>-policy</b>, <b>-policy_check</b>, <b>-policy_print</b>, <b>-purpose</b>, <b>-suiteB_128</b>, <b>-suiteB_128_only</b>, <b>-suiteB_192</b>, <b>-trusted_first</b>, <b>-use_deltas</b>, <b>-auth_level</b>, <b>-verify_depth</b>, <b>-verify_email</b>, <b>-verify_hostname</b>, <b>-verify_ip</b>, <b>-verify_name</b>, <b>-x509_strict</b>, <b>-issuer_checks</b></dt>
<dd>
<p>Set various options of certificate chain verification. See <a href="../man1/openssl-verification-options.html">&quot;Verification Options&quot; in openssl-verification-options(1)</a> for details.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
<dt id="pod"><b>--</b></dt>
<dd>
<p>Indicates the last option. All arguments following this are assumed to be certificate files. This is useful if the first certificate filename begins with a <b>-</b>.</p>
</dd>
<dt id="certificate"><i>certificate</i> ...</dt>
<dd>
<p>One or more target certificates to verify, one per file. If no certificates are given, this command will attempt to read a single certificate from standard input.</p>
</dd>
</dl>
<h1 id="DIAGNOSTICS">DIAGNOSTICS</h1>
<p>When a verify operation fails the output messages can be somewhat cryptic. The general form of the error message is:</p>
<pre><code> server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
error 24 at 1 depth lookup:invalid CA certificate</code></pre>
<p>The first line contains the name of the certificate being verified followed by the subject name of the certificate. The second line contains the error number and the depth. The depth is the number of the certificate being verified when a problem was detected, starting with zero for the target (&quot;leaf&quot;) certificate itself, then 1 for the CA that signed the target certificate, and so on. Finally, a textual version of the error number is presented.</p>
<p>A list of the error codes and messages can be found in <a href="../man3/X509_STORE_CTX_get_error.html">X509_STORE_CTX_get_error(3)</a>; the full list is defined in the header file <i>&lt;openssl/x509_vfy.h&gt;</i>.</p>
<p>This command ignores many errors, in order to allow all the problems with a certificate chain to be determined.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl-verification-options.html">openssl-verification-options(1)</a>, <a href="../man1/openssl-x509.html">openssl-x509(1)</a>, <a href="../man7/ossl_store-file.html">ossl_store-file(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <b>-show_chain</b> option was added in OpenSSL 1.1.0.</p>
<p>The <b>-engine option</b> was deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,128 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-version</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-version - print OpenSSL version information</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl version</b> [<b>-help</b>] [<b>-a</b>] [<b>-v</b>] [<b>-b</b>] [<b>-o</b>] [<b>-f</b>] [<b>-p</b>] [<b>-d</b>] [<b>-e</b>] [<b>-m</b>] [<b>-r</b>] [<b>-c</b>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is used to print out version information about OpenSSL.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="a"><b>-a</b></dt>
<dd>
<p>All information; this is the same as setting all the other flags.</p>
</dd>
<dt id="v"><b>-v</b></dt>
<dd>
<p>The current OpenSSL version.</p>
</dd>
<dt id="b"><b>-b</b></dt>
<dd>
<p>The date the current version of OpenSSL was built.</p>
</dd>
<dt id="o"><b>-o</b></dt>
<dd>
<p>Option information: various options set when the library was built.</p>
</dd>
<dt id="f"><b>-f</b></dt>
<dd>
<p>Compilation flags.</p>
</dd>
<dt id="p"><b>-p</b></dt>
<dd>
<p>Platform setting.</p>
</dd>
<dt id="d"><b>-d</b></dt>
<dd>
<p>OPENSSLDIR setting.</p>
</dd>
<dt id="e"><b>-e</b></dt>
<dd>
<p>ENGINESDIR settings.</p>
</dd>
<dt id="m"><b>-m</b></dt>
<dd>
<p>MODULESDIR settings.</p>
</dd>
<dt id="r"><b>-r</b></dt>
<dd>
<p>The random number generator source settings.</p>
</dd>
<dt id="c"><b>-c</b></dt>
<dd>
<p>The OpenSSL CPU settings info.</p>
</dd>
</dl>
<h1 id="NOTES">NOTES</h1>
<p>The output of <code>openssl version -a</code> would typically be used when sending in a bug report.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,790 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl-x509</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a>
<ul>
<li><a href="#Input-Output-and-General-Purpose-Options">Input, Output, and General Purpose Options</a></li>
<li><a href="#Certificate-Printing-Options">Certificate Printing Options</a></li>
<li><a href="#Certificate-Checking-Options">Certificate Checking Options</a></li>
<li><a href="#Certificate-Output-Options">Certificate Output Options</a></li>
<li><a href="#Micro-CA-Options">Micro-CA Options</a></li>
<li><a href="#Trust-Settings">Trust Settings</a></li>
<li><a href="#Generic-options">Generic options</a></li>
<li><a href="#Text-Printing-Flags">Text Printing Flags</a></li>
</ul>
</li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>openssl-x509 - Certificate display and signing command</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>openssl</b> <b>x509</b> [<b>-help</b>] [<b>-in</b> <i>filename</i>|<i>uri</i>] [<b>-passin</b> <i>arg</i>] [<b>-new</b>] [<b>-x509toreq</b>] [<b>-req</b>] [<b>-copy_extensions</b> <i>arg</i>] [<b>-inform</b> <b>DER</b>|<b>PEM</b>] [<b>-vfyopt</b> <i>nm</i>:<i>v</i>] [<b>-key</b> <i>filename</i>|<i>uri</i>] [<b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-signkey</b> <i>filename</i>|<i>uri</i>] [<b>-out</b> <i>filename</i>] [<b>-outform</b> <b>DER</b>|<b>PEM</b>] [<b>-nocert</b>] [<b>-noout</b>] [<b>-dateopt</b>] [<b>-text</b>] [<b>-certopt</b> <i>option</i>] [<b>-fingerprint</b>] [<b>-alias</b>] [<b>-serial</b>] [<b>-startdate</b>] [<b>-enddate</b>] [<b>-dates</b>] [<b>-subject</b>] [<b>-issuer</b>] [<b>-nameopt</b> <i>option</i>] [<b>-email</b>] [<b>-hash</b>] [<b>-subject_hash</b>] [<b>-subject_hash_old</b>] [<b>-issuer_hash</b>] [<b>-issuer_hash_old</b>] [<b>-ext</b> <i>extensions</i>] [<b>-ocspid</b>] [<b>-ocsp_uri</b>] [<b>-purpose</b>] [<b>-pubkey</b>] [<b>-modulus</b>] [<b>-checkend</b> <i>num</i>] [<b>-checkhost</b> <i>host</i>] [<b>-checkemail</b> <i>host</i>] [<b>-checkip</b> <i>ipaddr</i>] [<b>-set_serial</b> <i>n</i>] [<b>-next_serial</b>] [<b>-days</b> <i>arg</i>] [<b>-preserve_dates</b>] [<b>-subj</b> <i>arg</i>] [<b>-force_pubkey</b> <i>filename</i>] [<b>-clrext</b>] [<b>-extfile</b> <i>filename</i>] [<b>-extensions</b> <i>section</i>] [<b>-sigopt</b> <i>nm</i>:<i>v</i>] [<b>-badsig</b>] [<b>-<i>digest</i></b>] [<b>-CA</b> <i>filename</i>|<i>uri</i>] [<b>-CAform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>] [<b>-CAkey</b> <i>filename</i>|<i>uri</i>] [<b>-CAkeyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b>] [<b>-CAserial</b> <i>filename</i>] [<b>-CAcreateserial</b>] [<b>-trustout</b>] [<b>-setalias</b> <i>arg</i>] [<b>-clrtrust</b>] [<b>-addtrust</b> <i>arg</i>] [<b>-clrreject</b>] [<b>-addreject</b> <i>arg</i>] [<b>-rand</b> <i>files</i>] [<b>-writerand</b> <i>file</i>] [<b>-engine</b> <i>id</i>] [<b>-provider</b> 
<i>name</i>] [<b>-provider-path</b> <i>path</i>] [<b>-propquery</b> <i>propq</i>]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command is a multi-purpose certificate handling command. It can be used to print certificate information, convert certificates to various forms, edit certificate trust settings, generate certificates from scratch or from certification requests, and then self-sign them or sign them like a &quot;micro CA&quot;.</p>
<p>Generated certificates bear X.509 version 3. Unless specified otherwise, key identifier extensions are included as described in <a href="../man5/x509v3_config.html">x509v3_config(5)</a>.</p>
<p>Since there are a large number of options, they are split up into various sections.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<h2 id="Input-Output-and-General-Purpose-Options">Input, Output, and General Purpose Options</h2>
<dl>
<dt id="help"><b>-help</b></dt>
<dd>
<p>Print out a usage message.</p>
</dd>
<dt id="in-filename-uri"><b>-in</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This specifies the input to read a certificate from or the input file for reading a certificate request if the <b>-req</b> flag is used. In both cases this defaults to standard input.</p>
<p>This option cannot be combined with the <b>-new</b> flag.</p>
</dd>
<dt id="passin-arg"><b>-passin</b> <i>arg</i></dt>
<dd>
<p>The key and certificate file password source. For more information about the format of <i>arg</i> see <a href="../man1/openssl-passphrase-options.html">openssl-passphrase-options(1)</a>.</p>
</dd>
<dt id="new"><b>-new</b></dt>
<dd>
<p>Generate a certificate from scratch, not using an input certificate or certificate request. So this excludes the <b>-in</b> and <b>-req</b> options. Instead, the <b>-subj</b> option needs to be given. The public key to include can be given with the <b>-force_pubkey</b> option and defaults to the key given with the <b>-key</b> (or <b>-signkey</b>) option, which implies self-signature.</p>
</dd>
<dt id="x509toreq"><b>-x509toreq</b></dt>
<dd>
<p>Output a PKCS#10 certificate request (rather than a certificate). The <b>-key</b> (or <b>-signkey</b>) option must be used to provide the private key for self-signing; the corresponding public key is placed in the subjectPKInfo field.</p>
<p>X.509 extensions included in a certificate input are not copied by default. X.509 extensions to be added can be specified using the <b>-extfile</b> option.</p>
</dd>
<dt id="req"><b>-req</b></dt>
<dd>
<p>By default a certificate is expected on input. With this option a PKCS#10 certificate request is expected instead, which must be correctly self-signed.</p>
<p>X.509 extensions included in the request are not copied by default. X.509 extensions to be added can be specified using the <b>-extfile</b> option.</p>
</dd>
<dt id="copy_extensions-arg"><b>-copy_extensions</b> <i>arg</i></dt>
<dd>
<p>Determines how to handle X.509 extensions when converting from a certificate to a request using the <b>-x509toreq</b> option or converting from a request to a certificate using the <b>-req</b> option. If <i>arg</i> is <b>none</b> or this option is not present then extensions are ignored. If <i>arg</i> is <b>copy</b> or <b>copyall</b> then all extensions are copied, except that subject identifier and authority key identifier extensions are not taken over when producing a certificate request.</p>
<p>The <b>-ext</b> option can be used to further restrict which extensions to copy.</p>
</dd>
<dt id="inform-DER-PEM"><b>-inform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The input file format to use; by default PEM is tried first. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="vfyopt-nm:v"><b>-vfyopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm during verify operations. Names and values of these options are algorithm-specific.</p>
</dd>
<dt id="key-filename-uri"><b>-key</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This option provides the private key for signing a new certificate or certificate request. Unless <b>-force_pubkey</b> is given, the corresponding public key is placed in the new certificate or certificate request, resulting in a self-signature.</p>
<p>This option cannot be used in conjunction with the <b>-CA</b> option.</p>
<p>It sets the issuer name to the subject name (i.e., makes it self-issued). Unless the <b>-preserve_dates</b> option is supplied, it sets the validity start date to the current time and the end date to a value determined by the <b>-days</b> option.</p>
</dd>
<dt id="signkey-filename-uri"><b>-signkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>This option is an alias of <b>-key</b>.</p>
</dd>
<dt id="keyform-DER-PEM-P12-ENGINE"><b>-keyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The key input format; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="out-filename"><b>-out</b> <i>filename</i></dt>
<dd>
<p>This specifies the output filename to write to or standard output by default.</p>
</dd>
<dt id="outform-DER-PEM"><b>-outform</b> <b>DER</b>|<b>PEM</b></dt>
<dd>
<p>The output format; the default is <b>PEM</b>. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="nocert"><b>-nocert</b></dt>
<dd>
<p>Do not output a certificate (except for printing as requested by below options).</p>
</dd>
<dt id="noout"><b>-noout</b></dt>
<dd>
<p>This option prevents output except for printing as requested by below options.</p>
</dd>
</dl>
<h2 id="Certificate-Printing-Options">Certificate Printing Options</h2>
<p>Note: the <b>-alias</b> and <b>-purpose</b> options are also printing options but are described in the <a href="#Trust-Settings">&quot;Trust Settings&quot;</a> section.</p>
<dl>
<dt id="dateopt"><b>-dateopt</b></dt>
<dd>
<p>Specify the date output format. Values are: rfc_822 and iso_8601. Defaults to rfc_822.</p>
</dd>
<dt id="text"><b>-text</b></dt>
<dd>
<p>Prints out the certificate in text form. Full details are printed including the public key, signature algorithms, issuer and subject names, serial number, any extensions present and any trust settings.</p>
</dd>
<dt id="certopt-option"><b>-certopt</b> <i>option</i></dt>
<dd>
<p>Customise the print format used with <b>-text</b>. The <i>option</i> argument can be a single option or multiple options separated by commas. The <b>-certopt</b> switch may also be used more than once to set multiple options. See the <a href="#Text-Printing-Flags">&quot;Text Printing Flags&quot;</a> section for more information.</p>
</dd>
<dt id="fingerprint"><b>-fingerprint</b></dt>
<dd>
<p>Calculates and prints the digest of the DER encoded version of the entire certificate (see digest options). This is commonly called a &quot;fingerprint&quot;. Because of the nature of message digests, the fingerprint of a certificate is unique to that certificate and two certificates with the same fingerprint can be considered to be the same.</p>
</dd>
<dt id="alias"><b>-alias</b></dt>
<dd>
<p>Prints the certificate &quot;alias&quot; (nickname), if any.</p>
</dd>
<dt id="serial"><b>-serial</b></dt>
<dd>
<p>Prints the certificate serial number.</p>
</dd>
<dt id="startdate"><b>-startdate</b></dt>
<dd>
<p>Prints out the start date of the certificate, that is the notBefore date.</p>
</dd>
<dt id="enddate"><b>-enddate</b></dt>
<dd>
<p>Prints out the expiry date of the certificate, that is the notAfter date.</p>
</dd>
<dt id="dates"><b>-dates</b></dt>
<dd>
<p>Prints out the start and expiry dates of a certificate.</p>
</dd>
<dt id="subject"><b>-subject</b></dt>
<dd>
<p>Prints the subject name.</p>
</dd>
<dt id="issuer"><b>-issuer</b></dt>
<dd>
<p>Prints the issuer name.</p>
</dd>
<dt id="nameopt-option"><b>-nameopt</b> <i>option</i></dt>
<dd>
<p>This specifies how the subject or issuer names are displayed. See <a href="../man1/openssl-namedisplay-options.html">openssl-namedisplay-options(1)</a> for details.</p>
</dd>
<dt id="email"><b>-email</b></dt>
<dd>
<p>Prints the email address(es) if any.</p>
</dd>
<dt id="hash"><b>-hash</b></dt>
<dd>
<p>Synonym for &quot;-subject_hash&quot; for backward compatibility reasons.</p>
</dd>
<dt id="subject_hash"><b>-subject_hash</b></dt>
<dd>
<p>Prints the &quot;hash&quot; of the certificate subject name. This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name.</p>
</dd>
<dt id="subject_hash_old"><b>-subject_hash_old</b></dt>
<dd>
<p>Prints the &quot;hash&quot; of the certificate subject name using the older algorithm as used by OpenSSL before version 1.0.0.</p>
</dd>
<dt id="issuer_hash"><b>-issuer_hash</b></dt>
<dd>
<p>Prints the &quot;hash&quot; of the certificate issuer name.</p>
</dd>
<dt id="issuer_hash_old"><b>-issuer_hash_old</b></dt>
<dd>
<p>Prints the &quot;hash&quot; of the certificate issuer name using the older algorithm as used by OpenSSL before version 1.0.0.</p>
</dd>
<dt id="ext-extensions"><b>-ext</b> <i>extensions</i></dt>
<dd>
<p>Prints out the certificate extensions in text form. Can also be used to restrict which extensions to copy. Extensions are specified with a comma separated string, e.g., &quot;subjectAltName, subjectKeyIdentifier&quot;. See the <a href="../man5/x509v3_config.html">x509v3_config(5)</a> manual page for the extension names.</p>
</dd>
<dt id="ocspid"><b>-ocspid</b></dt>
<dd>
<p>Prints the OCSP hash values for the subject name and public key.</p>
</dd>
<dt id="ocsp_uri"><b>-ocsp_uri</b></dt>
<dd>
<p>Prints the OCSP responder address(es) if any.</p>
</dd>
<dt id="purpose"><b>-purpose</b></dt>
<dd>
<p>This option performs tests on the certificate extensions and outputs the results. For a more complete description see <a href="../man1/openssl-verification-options.html">&quot;Certificate Extensions&quot; in openssl-verification-options(1)</a>.</p>
</dd>
<dt id="pubkey"><b>-pubkey</b></dt>
<dd>
<p>Prints the certificate&#39;s SubjectPublicKeyInfo block in PEM format.</p>
</dd>
<dt id="modulus"><b>-modulus</b></dt>
<dd>
<p>This option prints out the value of the modulus of the public key contained in the certificate.</p>
</dd>
</dl>
<h2 id="Certificate-Checking-Options">Certificate Checking Options</h2>
<dl>
<dt id="checkend-arg"><b>-checkend</b> <i>arg</i></dt>
<dd>
<p>Checks if the certificate expires within the next <i>arg</i> seconds and exits nonzero if it will expire, or zero if not.</p>
</dd>
<dt id="checkhost-host"><b>-checkhost</b> <i>host</i></dt>
<dd>
<p>Check that the certificate matches the specified host.</p>
</dd>
<dt id="checkemail-email"><b>-checkemail</b> <i>email</i></dt>
<dd>
<p>Check that the certificate matches the specified email address.</p>
</dd>
<dt id="checkip-ipaddr"><b>-checkip</b> <i>ipaddr</i></dt>
<dd>
<p>Check that the certificate matches the specified IP address.</p>
</dd>
</dl>
<h2 id="Certificate-Output-Options">Certificate Output Options</h2>
<dl>
<dt id="set_serial-n"><b>-set_serial</b> <i>n</i></dt>
<dd>
<p>Specifies the serial number to use. This option can be used with the <b>-key</b>, <b>-signkey</b>, or <b>-CA</b> options. If used in conjunction with the <b>-CA</b> option the serial number file (as specified by the <b>-CAserial</b> option) is not used.</p>
<p>The serial number can be decimal or hex (if preceded by <code>0x</code>).</p>
</dd>
<dt id="next_serial"><b>-next_serial</b></dt>
<dd>
<p>Set the serial to be one more than the number in the certificate.</p>
</dd>
<dt id="days-arg"><b>-days</b> <i>arg</i></dt>
<dd>
<p>Specifies the number of days until a newly generated certificate expires. The default is 30. Cannot be used together with the <b>-preserve_dates</b> option.</p>
</dd>
<dt id="preserve_dates"><b>-preserve_dates</b></dt>
<dd>
<p>When signing a certificate, preserve &quot;notBefore&quot; and &quot;notAfter&quot; dates of any input certificate instead of adjusting them to current time and duration. Cannot be used together with the <b>-days</b> option.</p>
</dd>
<dt id="subj-arg"><b>-subj</b> <i>arg</i></dt>
<dd>
<p>When a certificate is created set its subject name to the given value. When the certificate is self-signed the issuer name is set to the same value.</p>
<p>The arg must be formatted as <code>/type0=value0/type1=value1/type2=...</code>. Special characters may be escaped by <code>\</code> (backslash), whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the certificate. Giving a single <code>/</code> will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a <code>+</code> character instead of a <code>/</code> between the AttributeValueAssertions (AVAs) that specify the members of the set. Example:</p>
<p><code>/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe</code></p>
<p>This option can be used with the <b>-new</b> and <b>-force_pubkey</b> options to create a new certificate without providing an input certificate or certificate request.</p>
</dd>
<dt id="force_pubkey-filename"><b>-force_pubkey</b> <i>filename</i></dt>
<dd>
<p>When a new certificate or certificate request is created set its public key to the given key instead of the key contained in the input or given with the <b>-key</b> (or <b>-signkey</b>) option. If the input contains no public key but a private key, its public part is used.</p>
<p>This option can be used in conjunction with <b>-new</b> and <b>-subj</b> to directly generate a certificate containing any desired public key.</p>
<p>This option is also useful for creating self-issued certificates that are not self-signed, for instance when the key cannot be used for signing, such as DH.</p>
</dd>
<dt id="clrext"><b>-clrext</b></dt>
<dd>
<p>When transforming a certificate to a new certificate by default all certificate extensions are retained.</p>
<p>When transforming a certificate or certificate request, the <b>-clrext</b> option prevents taking over any extensions from the source. In any case, when producing a certificate request, neither subject identifier nor authority key identifier extensions are included.</p>
</dd>
<dt id="extfile-filename"><b>-extfile</b> <i>filename</i></dt>
<dd>
<p>Configuration file containing certificate and request X.509 extensions to add.</p>
</dd>
<dt id="extensions-section"><b>-extensions</b> <i>section</i></dt>
<dd>
<p>The section in the extfile to add X.509 extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called &quot;extensions&quot; which contains the section to use.</p>
<p>See the <a href="../man5/x509v3_config.html">x509v3_config(5)</a> manual page for details of the extension section format.</p>
<p>Unless specified otherwise, key identifier extensions are included as described in <a href="../man5/x509v3_config.html">x509v3_config(5)</a>.</p>
</dd>
<dt id="sigopt-nm:v"><b>-sigopt</b> <i>nm</i>:<i>v</i></dt>
<dd>
<p>Pass options to the signature algorithm during sign operations. This option may be given multiple times. Names and values provided using this option are algorithm-specific.</p>
</dd>
<dt id="badsig"><b>-badsig</b></dt>
<dd>
<p>Corrupt the signature before writing it; this can be useful for testing.</p>
</dd>
<dt id="digest"><b>-<i>digest</i></b></dt>
<dd>
<p>The digest to use. This affects any signing or printing option that uses a message digest, such as the <b>-fingerprint</b>, <b>-key</b>, and <b>-CA</b> options. Any digest supported by the <a href="../man1/openssl-dgst.html">openssl-dgst(1)</a> command can be used. If not specified then SHA1 is used with <b>-fingerprint</b> or the default digest for the signing algorithm is used, typically SHA256.</p>
</dd>
</dl>
<h2 id="Micro-CA-Options">Micro-CA Options</h2>
<dl>
<dt id="CA-filename-uri"><b>-CA</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>Specifies the &quot;CA&quot; certificate to be used for signing. When present, this behaves like a &quot;micro CA&quot; as follows: The subject name of the &quot;CA&quot; certificate is placed as issuer name in the new certificate, which is then signed using the &quot;CA&quot; key given as detailed below.</p>
<p>This option cannot be used in conjunction with <b>-key</b> (or <b>-signkey</b>). This option is normally combined with the <b>-req</b> option referencing a CSR. Without the <b>-req</b> option the input must be an existing certificate unless the <b>-new</b> option is given, which generates a certificate from scratch.</p>
</dd>
<dt id="CAform-DER-PEM-P12"><b>-CAform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b></dt>
<dd>
<p>The format for the CA certificate; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="CAkey-filename-uri"><b>-CAkey</b> <i>filename</i>|<i>uri</i></dt>
<dd>
<p>Sets the CA private key to sign a certificate with. The private key must match the public key of the certificate given with <b>-CA</b>. If this option is not provided then the key must be present in the <b>-CA</b> input.</p>
</dd>
<dt id="CAkeyform-DER-PEM-P12-ENGINE"><b>-CAkeyform</b> <b>DER</b>|<b>PEM</b>|<b>P12</b>|<b>ENGINE</b></dt>
<dd>
<p>The format for the CA key; unspecified by default. See <a href="../man1/openssl-format-options.html">openssl-format-options(1)</a> for details.</p>
</dd>
<dt id="CAserial-filename"><b>-CAserial</b> <i>filename</i></dt>
<dd>
<p>Sets the CA serial number file to use.</p>
<p>When creating a certificate with this option and with the <b>-CA</b> option, the certificate serial number is stored in the given file. This file consists of one line containing an even number of hex digits with the serial number used last time. After reading this number, it is incremented and used, and the file is updated.</p>
<p>The default filename consists of the CA certificate file base name with <i>.srl</i> appended. For example if the CA certificate file is called <i>mycacert.pem</i> it expects to find a serial number file called <i>mycacert.srl</i>.</p>
<p>If the <b>-CA</b> option is specified and neither <b>-CAserial</b> nor <b>-CAcreateserial</b> is given and the default serial number file does not exist, a random number is generated; this is the recommended practice.</p>
</dd>
<dt id="CAcreateserial"><b>-CAcreateserial</b></dt>
<dd>
<p>With this option and the <b>-CA</b> option the CA serial number file is created if it does not exist. A random number is generated, used for the certificate, and saved into the serial number file determined as described above.</p>
</dd>
</dl>
<h2 id="Trust-Settings">Trust Settings</h2>
<p>A <b>trusted certificate</b> is an ordinary certificate which has several additional pieces of information attached to it such as the permitted and prohibited uses of the certificate and possibly an &quot;alias&quot; (nickname).</p>
<p>Normally when a certificate is being verified at least one certificate must be &quot;trusted&quot;. By default a trusted certificate must be stored locally and must be a root CA: any certificate chain ending in this CA is then usable for any purpose.</p>
<p>Trust settings currently are only used with a root CA. They allow a finer control over the purposes the root CA can be used for. For example, a CA may be trusted for SSL client but not SSL server use.</p>
<p>See <a href="../man1/openssl-verification-options.html">openssl-verification-options(1)</a> for more information on the meaning of trust settings.</p>
<p>Future versions of OpenSSL will recognize trust settings on any certificate: not just root CAs.</p>
<dl>
<dt id="trustout"><b>-trustout</b></dt>
<dd>
<p>Mark any certificate PEM output as &lt;trusted&gt; certificate rather than ordinary. An ordinary or trusted certificate can be input but by default an ordinary certificate is output and any trust settings are discarded. With the <b>-trustout</b> option a trusted certificate is output. A trusted certificate is automatically output if any trust settings are modified.</p>
</dd>
<dt id="setalias-arg"><b>-setalias</b> <i>arg</i></dt>
<dd>
<p>Sets the &quot;alias&quot; of the certificate. This will allow the certificate to be referred to using a nickname for example &quot;Steve&#39;s Certificate&quot;.</p>
</dd>
<dt id="clrtrust"><b>-clrtrust</b></dt>
<dd>
<p>Clears all the permitted or trusted uses of the certificate.</p>
</dd>
<dt id="addtrust-arg"><b>-addtrust</b> <i>arg</i></dt>
<dd>
<p>Adds a trusted certificate use. Any object name can be used here but currently only <b>clientAuth</b>, <b>serverAuth</b>, <b>emailProtection</b>, and <b>anyExtendedKeyUsage</b> are defined. As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or enables all purposes when trusted. Other OpenSSL applications may define additional uses.</p>
</dd>
<dt id="clrreject"><b>-clrreject</b></dt>
<dd>
<p>Clears all the prohibited or rejected uses of the certificate.</p>
</dd>
<dt id="addreject-arg"><b>-addreject</b> <i>arg</i></dt>
<dd>
<p>Adds a prohibited trust anchor purpose. It accepts the same values as the <b>-addtrust</b> option.</p>
</dd>
</dl>
<h2 id="Generic-options">Generic options</h2>
<dl>
<dt id="rand-files--writerand-file"><b>-rand</b> <i>files</i>, <b>-writerand</b> <i>file</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for details.</p>
</dd>
<dt id="engine-id"><b>-engine</b> <i>id</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Engine Options&quot; in openssl(1)</a>. This option is deprecated.</p>
</dd>
<dt id="provider-name"><b>-provider</b> <i>name</i></dt>
<dd>
</dd>
<dt id="provider-path-path"><b>-provider-path</b> <i>path</i></dt>
<dd>
</dd>
<dt id="propquery-propq"><b>-propquery</b> <i>propq</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Provider Options&quot; in openssl(1)</a>, <a href="../man7/provider.html">provider(7)</a>, and <a href="../man7/property.html">property(7)</a>.</p>
</dd>
</dl>
<h2 id="Text-Printing-Flags">Text Printing Flags</h2>
<p>As well as customising the name printing format, it is also possible to customise the actual fields printed using the <b>certopt</b> option when the <b>text</b> option is present. The default behaviour is to print all fields.</p>
<dl>
<dt id="compatible"><b>compatible</b></dt>
<dd>
<p>Use the old format. This is equivalent to specifying no printing options at all.</p>
</dd>
<dt id="no_header"><b>no_header</b></dt>
<dd>
<p>Don&#39;t print header information: that is the lines saying &quot;Certificate&quot; and &quot;Data&quot;.</p>
</dd>
<dt id="no_version"><b>no_version</b></dt>
<dd>
<p>Don&#39;t print out the version number.</p>
</dd>
<dt id="no_serial"><b>no_serial</b></dt>
<dd>
<p>Don&#39;t print out the serial number.</p>
</dd>
<dt id="no_signame"><b>no_signame</b></dt>
<dd>
<p>Don&#39;t print out the signature algorithm used.</p>
</dd>
<dt id="no_validity"><b>no_validity</b></dt>
<dd>
<p>Don&#39;t print the validity, that is the <b>notBefore</b> and <b>notAfter</b> fields.</p>
</dd>
<dt id="no_subject"><b>no_subject</b></dt>
<dd>
<p>Don&#39;t print out the subject name.</p>
</dd>
<dt id="no_issuer"><b>no_issuer</b></dt>
<dd>
<p>Don&#39;t print out the issuer name.</p>
</dd>
<dt id="no_pubkey"><b>no_pubkey</b></dt>
<dd>
<p>Don&#39;t print out the public key.</p>
</dd>
<dt id="no_sigdump"><b>no_sigdump</b></dt>
<dd>
<p>Don&#39;t give a hexadecimal dump of the certificate signature.</p>
</dd>
<dt id="no_aux"><b>no_aux</b></dt>
<dd>
<p>Don&#39;t print out certificate trust information.</p>
</dd>
<dt id="no_extensions"><b>no_extensions</b></dt>
<dd>
<p>Don&#39;t print out any X509V3 extensions.</p>
</dd>
<dt id="ext_default"><b>ext_default</b></dt>
<dd>
<p>Retain default extension behaviour: attempt to print out unsupported certificate extensions.</p>
</dd>
<dt id="ext_error"><b>ext_error</b></dt>
<dd>
<p>Print an error message for unsupported certificate extensions.</p>
</dd>
<dt id="ext_parse"><b>ext_parse</b></dt>
<dd>
<p>ASN1 parse unsupported extensions.</p>
</dd>
<dt id="ext_dump"><b>ext_dump</b></dt>
<dd>
<p>Hex dump unsupported extensions.</p>
</dd>
<dt id="ca_default"><b>ca_default</b></dt>
<dd>
<p>The value used by <a href="../man1/openssl-ca.html">openssl-ca(1)</a>, equivalent to <b>no_issuer</b>, <b>no_pubkey</b>, <b>no_header</b>, and <b>no_version</b>.</p>
</dd>
</dl>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Note: in these examples the &#39;\&#39; means the example should be all on one line.</p>
<p>Print the contents of a certificate:</p>
<pre><code> openssl x509 -in cert.pem -noout -text</code></pre>
<p>Print the &quot;Subject Alternative Name&quot; extension of a certificate:</p>
<pre><code> openssl x509 -in cert.pem -noout -ext subjectAltName</code></pre>
<p>Print more extensions of a certificate:</p>
<pre><code> openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType</code></pre>
<p>Print the certificate serial number:</p>
<pre><code> openssl x509 -in cert.pem -noout -serial</code></pre>
<p>Print the certificate subject name:</p>
<pre><code> openssl x509 -in cert.pem -noout -subject</code></pre>
<p>Print the certificate subject name in RFC2253 form:</p>
<pre><code> openssl x509 -in cert.pem -noout -subject -nameopt RFC2253</code></pre>
<p>Print the certificate subject name in oneline form on a terminal supporting UTF8:</p>
<pre><code> openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb</code></pre>
<p>Print the certificate SHA1 fingerprint:</p>
<pre><code> openssl x509 -sha1 -in cert.pem -noout -fingerprint</code></pre>
<p>Convert a certificate from PEM to DER format:</p>
<pre><code> openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER</code></pre>
<p>Convert a certificate to a certificate request:</p>
<pre><code> openssl x509 -x509toreq -in cert.pem -out req.pem -key key.pem</code></pre>
<p>Convert a certificate request into a self-signed certificate using extensions for a CA:</p>
<pre><code> openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
-key key.pem -out cacert.pem</code></pre>
<p>Sign a certificate request using the CA certificate above and add user certificate extensions:</p>
<pre><code> openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
-CA cacert.pem -CAkey key.pem -CAcreateserial</code></pre>
<p>Set a certificate to be trusted for SSL client use and change set its alias to &quot;Steve&#39;s Class 1 CA&quot;</p>
<pre><code> openssl x509 -in cert.pem -addtrust clientAuth \
-setalias &quot;Steve&#39;s Class 1 CA&quot; -out trust.pem</code></pre>
<h1 id="NOTES">NOTES</h1>
<p>The conversion to UTF8 format used with the name options assumes that T61Strings use the ISO8859-1 character set. This is wrong but Netscape and MSIE do this as do many certificates. So although this is incorrect it is more likely to print the majority of certificates correctly.</p>
<p>The <b>-email</b> option searches the subject name and the subject alternative name extension. Only unique email addresses will be printed out: it will not print the same address more than once.</p>
<h1 id="BUGS">BUGS</h1>
<p>It is possible to produce invalid certificates or requests by specifying the wrong private key, using unsuitable X.509 extensions, or using inconsistent options in some cases: these should be checked.</p>
<p>There should be options to explicitly set such things as start and end dates rather than an offset from the current time.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-req.html">openssl-req(1)</a>, <a href="../man1/openssl-ca.html">openssl-ca(1)</a>, <a href="../man1/openssl-genrsa.html">openssl-genrsa(1)</a>, <a href="../man1/openssl-gendsa.html">openssl-gendsa(1)</a>, <a href="../man1/openssl-verify.html">openssl-verify(1)</a>, <a href="../man5/x509v3_config.html">x509v3_config(5)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The hash algorithm used in the <b>-subject_hash</b> and <b>-issuer_hash</b> options before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using <a href="../man1/openssl-rehash.html">openssl-rehash(1)</a> or similar.</p>
<p>The <b>-signkey</b> option has been renamed to <b>-key</b> in OpenSSL 3.0, keeping the old name as an alias.</p>
<p>The <b>-engine</b> option was deprecated in OpenSSL 3.0.</p>
<p>The <b>-C</b> option was removed in OpenSSL 3.0.</p>
<p>Since OpenSSL 3.2, generated certificates bear X.509 version 3, and key identifier extensions are included by default.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
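Review bot: the deleted openssl-x509 page links to sibling pages through relative anchors (`../man1/openssl-format-options.html`, `../man1/openssl-verification-options.html`, `../man1/openssl-ca.html`, `../man1/openssl-rehash.html`, `../man5/x509v3_config.html` in its OPTIONS, SEE ALSO and HISTORY sections), so removing rendered man pages piecemeal leaves dangling links in whatever remains; confirm that the man1, man3, man5 and man7 directories are dropped together and that nothing outside the prebuilt tree (a README or build script) still points at these files. The copy also carries pod2html artifacts (`<-CAserial>` and `<-CAcreateserial>` in the -CAserial entry, `<trusted>` in the -trustout entry) and a typo in the last example's lead-in ("change set its alias"), so it should not be restored from this revision if the docs are ever brought back; regenerate from upstream instead.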

File diff suppressed because it is too large

View File

@ -1,190 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>tsget</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#OPTIONS">OPTIONS</a></li>
<li><a href="#ENVIRONMENT-VARIABLES">ENVIRONMENT VARIABLES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>tsget - Time Stamping HTTP/HTTPS client</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<p><b>tsget</b> <b>-h</b> <i>server_url</i> [<b>-e</b> <i>extension</i>] [<b>-o</b> <i>output</i>] [<b>-v</b>] [<b>-d</b>] [<b>-k</b> <i>private_key.pem</i>] [<b>-p</b> <i>key_password</i>] [<b>-c</b> <i>client_cert.pem</i>] [<b>-C</b> <i>CA_certs.pem</i>] [<b>-P</b> <i>CA_path</i>] [<b>-r</b> <i>files</i>] [<b>-g</b> <i>EGD_socket</i>] [<i>request</i> ...]</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This command can be used for sending a timestamp request, as specified in RFC 3161, to a timestamp server over HTTP or HTTPS and storing the timestamp response in a file. It cannot be used for creating the requests and verifying responses, you have to use <a href="../man1/openssl-ts.html">openssl-ts(1)</a> to do that. This command can send several requests to the server without closing the TCP connection if more than one requests are specified on the command line.</p>
<p>This command sends the following HTTP request for each timestamp request:</p>
<pre><code> POST url HTTP/1.1
User-Agent: OpenTSA tsget.pl/&lt;version&gt;
Host: &lt;host&gt;:&lt;port&gt;
Pragma: no-cache
Content-Type: application/timestamp-query
Accept: application/timestamp-reply
Content-Length: length of body
...binary request specified by the user...</code></pre>
<p>It expects a response of type application/timestamp-reply, which is written to a file without any interpretation.</p>
<h1 id="OPTIONS">OPTIONS</h1>
<dl>
<dt id="h-server_url"><b>-h</b> <i>server_url</i></dt>
<dd>
<p>The URL of the HTTP/HTTPS server listening for timestamp requests.</p>
</dd>
<dt id="e-extension"><b>-e</b> <i>extension</i></dt>
<dd>
<p>If the <b>-o</b> option is not given this argument specifies the extension of the output files. The base name of the output file will be the same as those of the input files. Default extension is <i>.tsr</i>. (Optional)</p>
</dd>
<dt id="o-output"><b>-o</b> <i>output</i></dt>
<dd>
<p>This option can be specified only when just one request is sent to the server. The timestamp response will be written to the given output file. &#39;-&#39; means standard output. In case of multiple timestamp requests or the absence of this argument the names of the output files will be derived from the names of the input files and the default or specified extension argument. (Optional)</p>
</dd>
<dt id="v"><b>-v</b></dt>
<dd>
<p>The name of the currently processed request is printed on standard error. (Optional)</p>
</dd>
<dt id="d"><b>-d</b></dt>
<dd>
<p>Switches on verbose mode for the underlying perl module <a>WWW::Curl::Easy</a>. You can see detailed debug messages for the connection. (Optional)</p>
</dd>
<dt id="k-private_key.pem"><b>-k</b> <i>private_key.pem</i></dt>
<dd>
<p>(HTTPS) In case of certificate-based client authentication over HTTPS <i>private_key.pem</i> must contain the private key of the user. The private key file can optionally be protected by a passphrase. The <b>-c</b> option must also be specified. (Optional)</p>
</dd>
<dt id="p-key_password"><b>-p</b> <i>key_password</i></dt>
<dd>
<p>(HTTPS) Specifies the passphrase for the private key specified by the <b>-k</b> argument. If this option is omitted and the key is passphrase protected, it will be prompted for. (Optional)</p>
</dd>
<dt id="c-client_cert.pem"><b>-c</b> <i>client_cert.pem</i></dt>
<dd>
<p>(HTTPS) In case of certificate-based client authentication over HTTPS <i>client_cert.pem</i> must contain the X.509 certificate of the user. The <b>-k</b> option must also be specified. If this option is not specified no certificate-based client authentication will take place. (Optional)</p>
</dd>
<dt id="C-CA_certs.pem"><b>-C</b> <i>CA_certs.pem</i></dt>
<dd>
<p>(HTTPS) The trusted CA certificate store. The certificate chain of the peer&#39;s certificate must include one of the CA certificates specified in this file. Either option <b>-C</b> or option <b>-P</b> must be given in case of HTTPS. (Optional)</p>
</dd>
<dt id="P-CA_path"><b>-P</b> <i>CA_path</i></dt>
<dd>
<p>(HTTPS) The path containing the trusted CA certificates to verify the peer&#39;s certificate. The directory must be prepared with <a href="../man1/openssl-rehash.html">openssl-rehash(1)</a>. Either option <b>-C</b> or option <b>-P</b> must be given in case of HTTPS. (Optional)</p>
</dd>
<dt id="r-files"><b>-r</b> <i>files</i></dt>
<dd>
<p>See <a href="../man1/openssl.html">&quot;Random State Options&quot; in openssl(1)</a> for more information.</p>
</dd>
<dt id="g-EGD_socket"><b>-g</b> <i>EGD_socket</i></dt>
<dd>
<p>The name of an EGD socket to get random data from. (Optional)</p>
</dd>
<dt id="request"><i>request</i> ...</dt>
<dd>
<p>List of files containing RFC 3161 DER-encoded timestamp requests. If no requests are specified only one request will be sent to the server and it will be read from the standard input. (Optional)</p>
</dd>
</dl>
<h1 id="ENVIRONMENT-VARIABLES">ENVIRONMENT VARIABLES</h1>
<p>The <b>TSGET</b> environment variable can optionally contain default arguments. The content of this variable is added to the list of command line arguments.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>The examples below presume that <i>file1.tsq</i> and <i>file2.tsq</i> contain valid timestamp requests, tsa.opentsa.org listens at port 8080 for HTTP requests and at port 8443 for HTTPS requests, the TSA service is available at the /tsa absolute path.</p>
<p>Get a timestamp response for <i>file1.tsq</i> over HTTP, output is written to <i>file1.tsr</i>:</p>
<pre><code> tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq</code></pre>
<p>Get a timestamp response for <i>file1.tsq</i> and <i>file2.tsq</i> over HTTP showing progress, output is written to <i>file1.reply</i> and <i>file2.reply</i> respectively:</p>
<pre><code> tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \
file1.tsq file2.tsq</code></pre>
<p>Create a timestamp request, write it to <i>file3.tsq</i>, send it to the server and write the response to <i>file3.tsr</i>:</p>
<pre><code> openssl ts -query -data file3.txt -cert | tee file3.tsq \
| tsget -h http://tsa.opentsa.org:8080/tsa \
-o file3.tsr</code></pre>
<p>Get a timestamp response for <i>file1.tsq</i> over HTTPS without client authentication:</p>
<pre><code> tsget -h https://tsa.opentsa.org:8443/tsa \
-C cacerts.pem file1.tsq</code></pre>
<p>Get a timestamp response for <i>file1.tsq</i> over HTTPS with certificate-based client authentication (it will ask for the passphrase if <i>client_key.pem</i> is protected):</p>
<pre><code> tsget -h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
-k client_key.pem -c client_cert.pem file1.tsq</code></pre>
<p>You can shorten the previous command line if you make use of the <b>TSGET</b> environment variable. The following commands do the same as the previous example:</p>
<pre><code> TSGET=&#39;-h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
-k client_key.pem -c client_cert.pem&#39;
export TSGET
tsget file1.tsq</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man1/openssl.html">openssl(1)</a>, <a href="../man1/openssl-ts.html">openssl-ts(1)</a>, <a>WWW::Curl::Easy</a>, <a href="https://www.rfc-editor.org/rfc/rfc3161.html">https://www.rfc-editor.org/rfc/rfc3161.html</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
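Review bot: tsget is a standalone Perl client rather than a library header, and this page documents behaviour a user cannot recover from the headers that remain: the exact HTTP request it emits (`POST url HTTP/1.1` with `Content-Type: application/timestamp-query` and `Accept: application/timestamp-reply`), the rule that either `-C` or `-P` must be given for HTTPS, the `-k`/`-c` pairing for certificate-based client authentication, and the `TSGET` environment variable whose contents are added to the command line. If the prebuilt package ships the `tsget` script alongside the headers, keep a pointer to the upstream page (its SEE ALSO line already names https://www.rfc-editor.org/rfc/rfc3161.html); if the script is not shipped, deleting the page is consistent.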

View File

@ -1,120 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ADMISSIONS</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ADMISSIONS, ADMISSIONS_get0_admissionAuthority, ADMISSIONS_get0_namingAuthority, ADMISSIONS_get0_professionInfos, ADMISSIONS_set0_admissionAuthority, ADMISSIONS_set0_namingAuthority, ADMISSIONS_set0_professionInfos, ADMISSION_SYNTAX, ADMISSION_SYNTAX_get0_admissionAuthority, ADMISSION_SYNTAX_get0_contentsOfAdmissions, ADMISSION_SYNTAX_set0_admissionAuthority, ADMISSION_SYNTAX_set0_contentsOfAdmissions, NAMING_AUTHORITY, NAMING_AUTHORITY_get0_authorityId, NAMING_AUTHORITY_get0_authorityURL, NAMING_AUTHORITY_get0_authorityText, NAMING_AUTHORITY_set0_authorityId, NAMING_AUTHORITY_set0_authorityURL, NAMING_AUTHORITY_set0_authorityText, PROFESSION_INFO, PROFESSION_INFOS, PROFESSION_INFO_get0_addProfessionInfo, PROFESSION_INFO_get0_namingAuthority, PROFESSION_INFO_get0_professionItems, PROFESSION_INFO_get0_professionOIDs, PROFESSION_INFO_get0_registrationNumber, PROFESSION_INFO_set0_addProfessionInfo, PROFESSION_INFO_set0_namingAuthority, PROFESSION_INFO_set0_professionItems, PROFESSION_INFO_set0_professionOIDs, PROFESSION_INFO_set0_registrationNumber - Accessors and settors for ADMISSION_SYNTAX</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> typedef struct NamingAuthority_st NAMING_AUTHORITY;
typedef struct ProfessionInfo_st PROFESSION_INFO;
typedef STACK_OF(PROFESSION_INFO) PROFESSION_INFOS;
typedef struct Admissions_st ADMISSIONS;
typedef struct AdmissionSyntax_st ADMISSION_SYNTAX;
const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId(
const NAMING_AUTHORITY *n);
void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n,
ASN1_OBJECT* namingAuthorityId);
const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL(
const NAMING_AUTHORITY *n);
void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n,
ASN1_IA5STRING* namingAuthorityUrl);
const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText(
const NAMING_AUTHORITY *n);
void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n,
ASN1_STRING* namingAuthorityText);
const GENERAL_NAME *ADMISSION_SYNTAX_get0_admissionAuthority(
const ADMISSION_SYNTAX *as);
void ADMISSION_SYNTAX_set0_admissionAuthority(
ADMISSION_SYNTAX *as, GENERAL_NAME *aa);
const STACK_OF(ADMISSIONS) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(
const ADMISSION_SYNTAX *as);
void ADMISSION_SYNTAX_set0_contentsOfAdmissions(
ADMISSION_SYNTAX *as, STACK_OF(ADMISSIONS) *a);
const GENERAL_NAME *ADMISSIONS_get0_admissionAuthority(const ADMISSIONS *a);
void ADMISSIONS_set0_admissionAuthority(ADMISSIONS *a, GENERAL_NAME *aa);
const NAMING_AUTHORITY *ADMISSIONS_get0_namingAuthority(const ADMISSIONS *a);
void ADMISSIONS_set0_namingAuthority(ADMISSIONS *a, NAMING_AUTHORITY *na);
const PROFESSION_INFOS *ADMISSIONS_get0_professionInfos(const ADMISSIONS *a);
void ADMISSIONS_set0_professionInfos(ADMISSIONS *a, PROFESSION_INFOS *pi);
const ASN1_OCTET_STRING *PROFESSION_INFO_get0_addProfessionInfo(
const PROFESSION_INFO *pi);
void PROFESSION_INFO_set0_addProfessionInfo(
PROFESSION_INFO *pi, ASN1_OCTET_STRING *aos);
const NAMING_AUTHORITY *PROFESSION_INFO_get0_namingAuthority(
const PROFESSION_INFO *pi);
void PROFESSION_INFO_set0_namingAuthority(
PROFESSION_INFO *pi, NAMING_AUTHORITY *na);
const STACK_OF(ASN1_STRING) *PROFESSION_INFO_get0_professionItems(
const PROFESSION_INFO *pi);
void PROFESSION_INFO_set0_professionItems(
PROFESSION_INFO *pi, STACK_OF(ASN1_STRING) *as);
const STACK_OF(ASN1_OBJECT) *PROFESSION_INFO_get0_professionOIDs(
const PROFESSION_INFO *pi);
void PROFESSION_INFO_set0_professionOIDs(
PROFESSION_INFO *pi, STACK_OF(ASN1_OBJECT) *po);
const ASN1_PRINTABLESTRING *PROFESSION_INFO_get0_registrationNumber(
const PROFESSION_INFO *pi);
void PROFESSION_INFO_set0_registrationNumber(
PROFESSION_INFO *pi, ASN1_PRINTABLESTRING *rn);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The <b>PROFESSION_INFOS</b>, <b>ADMISSION_SYNTAX</b>, <b>ADMISSIONS</b>, and <b>PROFESSION_INFO</b> types are opaque structures representing the analogous types defined in the Common PKI Specification published by <a href="https://www.t7ev.org">https://www.t7ev.org</a>. Knowledge of those structures and their semantics is assumed.</p>
<p>The conventional routines to convert between DER and the local format are described in <a href="../man3/d2i_X509.html">d2i_X509(3)</a>. The conventional routines to allocate and free the types are defined in <a href="../man3/X509_dup.html">X509_dup(3)</a>.</p>
<p>The <b>PROFESSION_INFOS</b> type is a stack of <b>PROFESSION_INFO</b>; see <a href="../man3/DEFINE_STACK_OF.html">DEFINE_STACK_OF(3)</a> for details.</p>
<p>The <b>NAMING_AUTHORITY</b> type has an authority ID and URL, and text fields. The NAMING_AUTHORITY_get0_authorityId(), NAMING_AUTHORITY_get0_get0_authorityURL(), and NAMING_AUTHORITY_get0_get0_authorityText(), functions return pointers to those values within the object. The NAMING_AUTHORITY_set0_authorityId(), NAMING_AUTHORITY_set0_get0_authorityURL(), and NAMING_AUTHORITY_set0_get0_authorityText(), functions free any existing value and set the pointer to the specified value.</p>
<p>The <b>ADMISSION_SYNTAX</b> type has an authority name and a stack of <b>ADMISSION</b> objects. The ADMISSION_SYNTAX_get0_admissionAuthority() and ADMISSION_SYNTAX_get0_contentsOfAdmissions() functions return pointers to those values within the object. The ADMISSION_SYNTAX_set0_admissionAuthority() and ADMISSION_SYNTAX_set0_contentsOfAdmissions() functions free any existing value and set the pointer to the specified value.</p>
<p>The <b>ADMISSION</b> type has an authority name, authority object, and a stack of <b>PROFESSION_INFO</b> items. The ADMISSIONS_get0_admissionAuthority(), ADMISSIONS_get0_namingAuthority(), and ADMISSIONS_get0_professionInfos() functions return pointers to those values within the object. The ADMISSIONS_set0_admissionAuthority(), ADMISSIONS_set0_namingAuthority(), and ADMISSIONS_set0_professionInfos() functions free any existing value and set the pointer to the specified value.</p>
<p>The <b>PROFESSION_INFO</b> type has a name authority, stacks of profession Items and OIDs, a registration number, and additional profession info. The functions PROFESSION_INFO_get0_addProfessionInfo(), PROFESSION_INFO_get0_namingAuthority(), PROFESSION_INFO_get0_professionItems(), PROFESSION_INFO_get0_professionOIDs(), and PROFESSION_INFO_get0_registrationNumber() functions return pointers to those values within the object. The PROFESSION_INFO_set0_addProfessionInfo(), PROFESSION_INFO_set0_namingAuthority(), PROFESSION_INFO_set0_professionItems(), PROFESSION_INFO_set0_professionOIDs(), and PROFESSION_INFO_set0_registrationNumber() functions free any existing value and set the pointer to the specified value.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>Described above. Note that all of the <i>get0</i> functions return a pointer to the internal data structure and must not be freed.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/X509_dup.html">X509_dup(3)</a>, <a href="../man3/d2i_X509.html">d2i_X509(3)</a>,</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
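Review bot: the copy being removed carries upstream documentation defects worth recording before anyone restores it from this revision: the DESCRIPTION names `NAMING_AUTHORITY_get0_get0_authorityURL()`, `NAMING_AUTHORITY_get0_get0_authorityText()`, `NAMING_AUTHORITY_set0_get0_authorityURL()` and `NAMING_AUTHORITY_set0_get0_authorityText()`, none of which match the SYNOPSIS prototypes (`NAMING_AUTHORITY_get0_authorityURL`, `NAMING_AUTHORITY_set0_authorityURL` and their `authorityText` counterparts); it twice refers to an `ADMISSION` type where the SYNOPSIS declares `ADMISSIONS`; and the SEE ALSO line ends in a dangling comma. If these pages are ever brought back, regenerate them from the upstream OpenSSL pod sources rather than reviving this file.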

View File

@ -1,169 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_EXTERN_FUNCS</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_EXTERN_FUNCS, ASN1_ex_d2i, ASN1_ex_d2i_ex, ASN1_ex_i2d, ASN1_ex_new_func, ASN1_ex_new_ex_func, ASN1_ex_free_func, ASN1_ex_print_func, IMPLEMENT_EXTERN_ASN1 - ASN.1 external function support</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1t.h&gt;
typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
const ASN1_ITEM *it, int tag, int aclass, char opt,
ASN1_TLC *ctx);
typedef int ASN1_ex_d2i_ex(ASN1_VALUE **pval, const unsigned char **in, long len,
const ASN1_ITEM *it, int tag, int aclass, char opt,
ASN1_TLC *ctx, OSSL_LIB_CTX *libctx,
const char *propq);
typedef int ASN1_ex_i2d(const ASN1_VALUE **pval, unsigned char **out,
const ASN1_ITEM *it, int tag, int aclass);
typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
typedef int ASN1_ex_new_ex_func(ASN1_VALUE **pval, const ASN1_ITEM *it,
OSSL_LIB_CTX *libctx, const char *propq);
typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
typedef int ASN1_ex_print_func(BIO *out, const ASN1_VALUE **pval,
int indent, const char *fname,
const ASN1_PCTX *pctx);
struct ASN1_EXTERN_FUNCS_st {
void *app_data;
ASN1_ex_new_func *asn1_ex_new;
ASN1_ex_free_func *asn1_ex_free;
ASN1_ex_free_func *asn1_ex_clear;
ASN1_ex_d2i *asn1_ex_d2i;
ASN1_ex_i2d *asn1_ex_i2d;
ASN1_ex_print_func *asn1_ex_print;
ASN1_ex_new_ex_func *asn1_ex_new_ex;
ASN1_ex_d2i_ex *asn1_ex_d2i_ex;
};
typedef struct ASN1_EXTERN_FUNCS_st ASN1_EXTERN_FUNCS;
#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs)</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>ASN.1 data structures templates are typically defined in OpenSSL using a series of macros such as ASN1_SEQUENCE(), ASN1_SEQUENCE_END() and so on. Instead templates can also be defined based entirely on external functions. These external functions are called to perform operations such as creating a new <b>ASN1_VALUE</b> or converting an <b>ASN1_VALUE</b> to or from DER encoding.</p>
<p>The macro IMPLEMENT_EXTERN_ASN1() can be used to create such an externally defined structure. The name of the structure should be supplied in the <i>sname</i> parameter. The tag for the structure (e.g. typically <b>V_ASN1_SEQUENCE</b>) should be supplied in the <i>tag</i> parameter. Finally a pointer to an <b>ASN1_EXTERN_FUNCS</b> structure should be supplied in the <i>fptrs</i> parameter.</p>
<p>The <b>ASN1_EXTERN_FUNCS</b> structure has the following entries.</p>
<dl>
<dt id="app_data"><i>app_data</i></dt>
<dd>
<p>A pointer to arbitrary application specific data.</p>
</dd>
<dt id="asn1_ex_new"><i>asn1_ex_new</i></dt>
<dd>
<p>A &quot;new&quot; function responsible for constructing a new <b>ASN1_VALUE</b> object. The newly constructed value should be stored in <i>*pval</i>. The <i>it</i> parameter is a pointer to the <b>ASN1_ITEM</b> template object created via the IMPLEMENT_EXTERN_ASN1() macro.</p>
<p>Returns a positive value on success or 0 on error.</p>
</dd>
<dt id="asn1_ex_free"><i>asn1_ex_free</i></dt>
<dd>
<p>A &quot;free&quot; function responsible for freeing the <b>ASN1_VALUE</b> passed in <i>*pval</i> that was previously allocated via a &quot;new&quot; function. The <i>it</i> parameter is a pointer to the <b>ASN1_ITEM</b> template object created via the IMPLEMENT_EXTERN_ASN1() macro.</p>
</dd>
<dt id="asn1_ex_clear"><i>asn1_ex_clear</i></dt>
<dd>
<p>A &quot;clear&quot; function responsible for clearing any data in the <b>ASN1_VALUE</b> passed in <i>*pval</i> and making it suitable for reuse. The <i>it</i> parameter is a pointer to the <b>ASN1_ITEM</b> template object created via the IMPLEMENT_EXTERN_ASN1() macro.</p>
</dd>
<dt id="asn1_ex_d2i"><i>asn1_ex_d2i</i></dt>
<dd>
<p>A &quot;d2i&quot; function responsible for converting DER data with the tag <i>tag</i> and class <i>class</i> into an <b>ASN1_VALUE</b>. If <i>*pval</i> is non-NULL then the <b>ASN_VALUE</b> it points to should be reused. Otherwise a new <b>ASN1_VALUE</b> should be allocated and stored in <i>*pval</i>. <i>*in</i> points to the DER data to be decoded and <i>len</i> is the length of that data. After decoding <i>*in</i> should be updated to point at the next byte after the decoded data. If the <b>ASN1_VALUE</b> is considered optional in this context then <i>opt</i> will be nonzero. Otherwise it will be zero. The <i>it</i> parameter is a pointer to the <b>ASN1_ITEM</b> template object created via the IMPLEMENT_EXTERN_ASN1() macro. A pointer to the current <b>ASN1_TLC</b> context (which may be required for other ASN1 function calls) is passed in the <i>ctx</i> parameter.</p>
<p>The <i>asn1_ex_d2i</i> entry may be NULL if <i>asn1_ex_d2i_ex</i> has been specified instead.</p>
<p>Returns &lt;= 0 on error or a positive value on success.</p>
</dd>
<dt id="asn1_ex_i2d"><i>asn1_ex_i2d</i></dt>
<dd>
<p>An &quot;i2d&quot; function responsible for converting an <b>ASN1_VALUE</b> into DER encoding. On entry <i>*pval</i> will contain the <b>ASN1_VALUE</b> to be encoded. If default tagging is to be used then <i>tag</i> will be -1 on entry. Otherwise if implicit tagging should be used then <i>tag</i> and <i>aclass</i> will be the tag and associated class.</p>
<p>If <i>out</i> is not NULL then this function should write the DER encoded data to the buffer in <i>*out</i>, and then increment <i>*out</i> to point to immediately after the data just written.</p>
<p>If <i>out</i> is NULL then no data should be written but the length calculated and returned as if it were.</p>
<p>The <i>asn1_ex_i2d</i> entry may be NULL if <i>asn1_ex_i2d_ex</i> has been specified instead.</p>
<p>The return value should be negative if a fatal error occurred, or 0 if a non-fatal error occurred. Otherwise it should return the length of the encoded data.</p>
</dd>
<dt id="asn1_ex_print"><i>asn1_ex_print</i></dt>
<dd>
<p>A &quot;print&quot; function. <i>out</i> is the BIO to print the output to. <i>*pval</i> is the <b>ASN1_VALUE</b> to be printed. <i>indent</i> is the number of spaces of indenting to be printed before any data is printed. <i>fname</i> is currently unused and is always &quot;&quot;. <i>pctx</i> is a pointer to the <b>ASN1_PCTX</b> for the print operation.</p>
<p>Returns 0 on error or a positive value on success. If the return value is 2 then an additional newline will be printed after the data printed by this function.</p>
</dd>
<dt id="asn1_ex_new_ex"><i>asn1_ex_new_ex</i></dt>
<dd>
<p>This is the same as <i>asn1_ex_new</i> except that it is additionally passed the OSSL_LIB_CTX to be used in <i>libctx</i> and any property query string to be used for algorithm fetching in the <i>propq</i> parameter. See <a href="../man7/crypto.html">&quot;ALGORITHM FETCHING&quot; in crypto(7)</a> for further details. If <i>asn1_ex_new_ex</i> is non NULL, then it will always be called in preference to <i>asn1_ex_new</i>.</p>
</dd>
<dt id="asn1_ex_d2i_ex"><i>asn1_ex_d2i_ex</i></dt>
<dd>
<p>This is the same as <i>asn1_ex_d2i</i> except that it is additionally passed the OSSL_LIB_CTX to be used in <i>libctx</i> and any property query string to be used for algorithm fetching in the <i>propq</i> parameter. See <a href="../man7/crypto.html">&quot;ALGORITHM FETCHING&quot; in crypto(7)</a> for further details. If <i>asn1_ex_d2i_ex</i> is non NULL, then it will always be called in preference to <i>asn1_ex_d2i</i>.</p>
</dd>
</dl>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>Return values for the various callbacks are as described above.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ASN1_item_new_ex.html">ASN1_item_new_ex(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The <i>asn1_ex_new_ex</i> and <i>asn1_ex_d2i_ex</i> callbacks were added in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
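Review bot: the removed page is cross-linked into the rest of the generated tree (`../man3/ASN1_item_new_ex.html`, `../man7/crypto.html`), so it only makes sense to drop it together with every other man1/man3/man7 page under the prebuilt include/openssl path; removing only some of them would leave dangling relative links in whatever survives. Since this hunk is the in-tree description of the asn1_ex_d2i/asn1_ex_i2d callback contracts (the sign conventions on their return values, when the *_ex variants take precedence) and the deletion carries no replacement pointer, a one-line README note naming the upstream OpenSSL manual as the place to find these pages would keep that information reachable.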


@ -1,116 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_INTEGER_get_int64</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_INTEGER_get_uint64, ASN1_INTEGER_set_uint64, ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_set, BN_to_ASN1_INTEGER, ASN1_INTEGER_to_BN, ASN1_ENUMERATED_get_int64, ASN1_ENUMERATED_get, ASN1_ENUMERATED_set_int64, ASN1_ENUMERATED_set, BN_to_ASN1_ENUMERATED, ASN1_ENUMERATED_to_BN - ASN.1 INTEGER and ENUMERATED utilities</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a);
long ASN1_INTEGER_get(const ASN1_INTEGER *a);
int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r);
int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a);
int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r);
ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai);
BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn);
int ASN1_ENUMERATED_get_int64(int64_t *pr, const ASN1_ENUMERATED *a);
long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a);
int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *a, int64_t r);
int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai);
BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>These functions convert to and from <b>ASN1_INTEGER</b> and <b>ASN1_ENUMERATED</b> structures.</p>
<p>ASN1_INTEGER_get_int64() converts an <b>ASN1_INTEGER</b> into an <b>int64_t</b> type If successful it returns 1 and sets <i>*pr</i> to the value of <i>a</i>. If it fails (due to invalid type or the value being too big to fit into an <b>int64_t</b> type) it returns 0.</p>
<p>ASN1_INTEGER_get_uint64() is similar to ASN1_INTEGER_get_int64_t() except it converts to a <b>uint64_t</b> type and an error is returned if the passed integer is negative.</p>
<p>ASN1_INTEGER_get() also returns the value of <i>a</i> but it returns 0 if <i>a</i> is NULL and -1 on error (which is ambiguous because -1 is a legitimate value for an <b>ASN1_INTEGER</b>). New applications should use ASN1_INTEGER_get_int64() instead.</p>
<p>ASN1_INTEGER_set_int64() sets the value of <b>ASN1_INTEGER</b> <i>a</i> to the <b>int64_t</b> value <i>r</i>.</p>
<p>ASN1_INTEGER_set_uint64() sets the value of <b>ASN1_INTEGER</b> <i>a</i> to the <b>uint64_t</b> value <i>r</i>.</p>
<p>ASN1_INTEGER_set() sets the value of <b>ASN1_INTEGER</b> <i>a</i> to the <i>long</i> value <i>v</i>.</p>
<p>BN_to_ASN1_INTEGER() converts <b>BIGNUM</b> <i>bn</i> to an <b>ASN1_INTEGER</b>. If <i>ai</i> is NULL a new <b>ASN1_INTEGER</b> structure is returned. If <i>ai</i> is not NULL then the existing structure will be used instead.</p>
<p>ASN1_INTEGER_to_BN() converts ASN1_INTEGER <i>ai</i> into a <b>BIGNUM</b>. If <i>bn</i> is NULL a new <b>BIGNUM</b> structure is returned. If <i>bn</i> is not NULL then the existing structure will be used instead.</p>
<p>ASN1_ENUMERATED_get_int64(), ASN1_ENUMERATED_set_int64(), ASN1_ENUMERATED_set(), BN_to_ASN1_ENUMERATED() and ASN1_ENUMERATED_to_BN() behave in an identical way to their ASN1_INTEGER counterparts except they operate on an <b>ASN1_ENUMERATED</b> value.</p>
<p>ASN1_ENUMERATED_get() returns the value of <i>a</i> in a similar way to ASN1_INTEGER_get() but it returns <b>0xffffffffL</b> if the value of <i>a</i> will not fit in a long type. New applications should use ASN1_ENUMERATED_get_int64() instead.</p>
<h1 id="NOTES">NOTES</h1>
<p>In general an <b>ASN1_INTEGER</b> or <b>ASN1_ENUMERATED</b> type can contain an integer of almost arbitrary size and so cannot always be represented by a C <b>int64_t</b> type. However, in many cases (for example version numbers) they represent small integers which can be more easily manipulated if converted to an appropriate C integer type.</p>
<h1 id="BUGS">BUGS</h1>
<p>The ambiguous return values of ASN1_INTEGER_get() and ASN1_ENUMERATED_get() mean these functions should be avoided if possible. They are retained for compatibility. Normally the ambiguous return values are not legitimate values for the fields they represent.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_INTEGER_set_int64(), ASN1_INTEGER_set(), ASN1_ENUMERATED_set_int64() and ASN1_ENUMERATED_set() return 1 for success and 0 for failure. They will only fail if a memory allocation error occurs.</p>
<p>ASN1_INTEGER_get_int64() and ASN1_ENUMERATED_get_int64() return 1 for success and 0 for failure. They will fail if the passed type is incorrect (this will only happen if there is a programming error) or if the value exceeds the range of an <b>int64_t</b> type.</p>
<p>BN_to_ASN1_INTEGER() and BN_to_ASN1_ENUMERATED() return an <b>ASN1_INTEGER</b> or <b>ASN1_ENUMERATED</b> structure respectively or NULL if an error occurs. They will only fail due to a memory allocation error.</p>
<p>ASN1_INTEGER_to_BN() and ASN1_ENUMERATED_to_BN() return a <b>BIGNUM</b> structure of NULL if an error occurs. They can fail if the passed type is incorrect (due to programming error) or due to a memory allocation failure.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>ASN1_INTEGER_set_int64(), ASN1_INTEGER_get_int64(), ASN1_ENUMERATED_set_int64() and ASN1_ENUMERATED_get_int64() were added in OpenSSL 1.1.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
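Review bot: the BUGS section dropped here is the in-tree warning that ASN1_INTEGER_get() and ASN1_ENUMERATED_get() have ambiguous failure returns (-1 and 0xffffffffL are also legitimate values) and that ASN1_INTEGER_get_int64()/ASN1_ENUMERATED_get_int64() should be used instead. If any code in this tree still calls the legacy getters, that rationale should be captured in a code comment or the README before the page goes, because a caller that treats -1 as "error" silently misreads a valid value once the vendored explanation is gone.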


@ -1,63 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_INTEGER_new</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_INTEGER_new, ASN1_INTEGER_free - ASN1_INTEGER allocation functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
ASN1_INTEGER *ASN1_INTEGER_new(void);
void ASN1_INTEGER_free(ASN1_INTEGER *a);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>ASN1_INTEGER_new() returns an allocated <b>ASN1_INTEGER</b> structure.</p>
<p>ASN1_INTEGER_free() frees up a single <b>ASN1_INTEGER</b> object.</p>
<p><b>ASN1_INTEGER</b> structure representing the ASN.1 INTEGER type</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_INTEGER_new() return a valid <b>ASN1_INTEGER</b> structure or NULL if an error occurred.</p>
<p>ASN1_INTEGER_free() does not return a value.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,59 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_ITEM_lookup</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_ITEM_lookup, ASN1_ITEM_get - lookup ASN.1 structures</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
const ASN1_ITEM *ASN1_ITEM_lookup(const char *name);
const ASN1_ITEM *ASN1_ITEM_get(size_t i);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>ASN1_ITEM_lookup() returns the <b>ASN1_ITEM</b> named <i>name</i>.</p>
<p>ASN1_ITEM_get() returns the <b>ASN1_ITEM</b> with index <i>i</i>. This function returns NULL if the index <i>i</i> is out of range.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_ITEM_lookup() and ASN1_ITEM_get() return a valid <b>ASN1_ITEM</b> structure or NULL if an error occurred.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,68 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_OBJECT_new</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_OBJECT_new, ASN1_OBJECT_free - object allocation functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
ASN1_OBJECT *ASN1_OBJECT_new(void);
void ASN1_OBJECT_free(ASN1_OBJECT *a);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The <b>ASN1_OBJECT</b> allocation routines, allocate and free an <b>ASN1_OBJECT</b> structure, which represents an ASN1 OBJECT IDENTIFIER.</p>
<p>ASN1_OBJECT_new() allocates and initializes an <b>ASN1_OBJECT</b> structure.</p>
<p>ASN1_OBJECT_free() frees up the <b>ASN1_OBJECT</b> structure <i>a</i>. If <i>a</i> is NULL, nothing is done.</p>
<h1 id="NOTES">NOTES</h1>
<p>Although ASN1_OBJECT_new() allocates a new <b>ASN1_OBJECT</b> structure it is almost never used in applications. The ASN1 object utility functions such as OBJ_nid2obj() are used instead.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>If the allocation fails, ASN1_OBJECT_new() returns NULL and sets an error code that can be obtained by <a href="../man3/ERR_get_error.html">ERR_get_error(3)</a>. Otherwise it returns a pointer to the newly allocated structure.</p>
<p>ASN1_OBJECT_free() returns no value.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a>, <a href="../man3/d2i_ASN1_OBJECT.html">d2i_ASN1_OBJECT(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,82 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_STRING_TABLE_add</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a>
<ul>
<li><a href="#Types">Types</a></li>
<li><a href="#Functions">Functions</a></li>
</ul>
</li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_STRING_TABLE, ASN1_STRING_TABLE_add, ASN1_STRING_TABLE_get, ASN1_STRING_TABLE_cleanup - ASN1_STRING_TABLE manipulation functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
typedef struct asn1_string_table_st ASN1_STRING_TABLE;
int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize,
unsigned long mask, unsigned long flags);
ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid);
void ASN1_STRING_TABLE_cleanup(void);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<h2 id="Types">Types</h2>
<p><b>ASN1_STRING_TABLE</b> is a table which holds string information (basically minimum size, maximum size, type and etc) for a NID object.</p>
<h2 id="Functions">Functions</h2>
<p>ASN1_STRING_TABLE_add() adds a new <b>ASN1_STRING_TABLE</b> item into the local ASN1 string table based on the <i>nid</i> along with other parameters.</p>
<p>If the item is already in the table, fields of <b>ASN1_STRING_TABLE</b> are updated (depending on the values of those parameters, e.g., <i>minsize</i> and <i>maxsize</i> &gt;= 0, <i>mask</i> and <i>flags</i> != 0). If the <i>nid</i> is standard, a copy of the standard <b>ASN1_STRING_TABLE</b> is created and updated with other parameters.</p>
<p>ASN1_STRING_TABLE_get() searches for an <b>ASN1_STRING_TABLE</b> item based on <i>nid</i>. It will search the local table first, then the standard one.</p>
<p>ASN1_STRING_TABLE_cleanup() frees all <b>ASN1_STRING_TABLE</b> items added by ASN1_STRING_TABLE_add().</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_STRING_TABLE_add() returns 1 on success, 0 if an error occurred.</p>
<p>ASN1_STRING_TABLE_get() returns a valid <b>ASN1_STRING_TABLE</b> structure or NULL if nothing is found.</p>
<p>ASN1_STRING_TABLE_cleanup() does not return a value.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,107 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_STRING_length</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_STRING_dup, ASN1_STRING_cmp, ASN1_STRING_set, ASN1_STRING_length, ASN1_STRING_type, ASN1_STRING_get0_data, ASN1_STRING_data, ASN1_STRING_to_UTF8 - ASN1_STRING utility functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
int ASN1_STRING_length(ASN1_STRING *x);
const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
unsigned char *ASN1_STRING_data(ASN1_STRING *x);
ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *a);
int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b);
int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
int ASN1_STRING_type(const ASN1_STRING *x);
int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>These functions allow an <b>ASN1_STRING</b> structure to be manipulated.</p>
<p>ASN1_STRING_length() returns the length of the content of <i>x</i>.</p>
<p>ASN1_STRING_get0_data() returns an internal pointer to the data of <i>x</i>. Since this is an internal pointer it should <b>not</b> be freed or modified in any way.</p>
<p>ASN1_STRING_data() is similar to ASN1_STRING_get0_data() except the returned value is not constant. This function is deprecated: applications should use ASN1_STRING_get0_data() instead.</p>
<p>ASN1_STRING_dup() returns a copy of the structure <i>a</i>.</p>
<p>ASN1_STRING_cmp() compares <i>a</i> and <i>b</i> returning 0 if the two are identical. The string types and content are compared.</p>
<p>ASN1_STRING_set() sets the data of string <i>str</i> to the buffer <i>data</i> or length <i>len</i>. The supplied data is copied. If <i>len</i> is -1 then the length is determined by strlen(data).</p>
<p>ASN1_STRING_type() returns the type of <i>x</i>, using standard constants such as <b>V_ASN1_OCTET_STRING</b>.</p>
<p>ASN1_STRING_to_UTF8() converts the string <i>in</i> to UTF8 format, the converted data is allocated in a buffer in <i>*out</i>. The length of <i>out</i> is returned or a negative error code. The buffer <i>*out</i> should be freed using OPENSSL_free().</p>
<h1 id="NOTES">NOTES</h1>
<p>Almost all ASN1 types in OpenSSL are represented as an <b>ASN1_STRING</b> structure. Other types such as <b>ASN1_OCTET_STRING</b> are simply typedef&#39;ed to <b>ASN1_STRING</b> and the functions call the <b>ASN1_STRING</b> equivalents. <b>ASN1_STRING</b> is also used for some <b>CHOICE</b> types which consist entirely of primitive string types such as <b>DirectoryString</b> and <b>Time</b>.</p>
<p>These functions should <b>not</b> be used to examine or modify <b>ASN1_INTEGER</b> or <b>ASN1_ENUMERATED</b> types: the relevant <b>INTEGER</b> or <b>ENUMERATED</b> utility functions should be used instead.</p>
<p>In general it cannot be assumed that the data returned by ASN1_STRING_data() is null terminated or does not contain embedded nulls. The actual format of the data will depend on the actual string type itself: for example for an IA5String the data will be ASCII, for a BMPString two bytes per character in big endian format, and for a UTF8String it will be in UTF8 format.</p>
<p>Similar care should be take to ensure the data is in the correct format when calling ASN1_STRING_set().</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_STRING_length() returns the length of the content of <i>x</i>.</p>
<p>ASN1_STRING_get0_data() and ASN1_STRING_data() return an internal pointer to the data of <i>x</i>.</p>
<p>ASN1_STRING_dup() returns a valid <b>ASN1_STRING</b> structure or NULL if an error occurred.</p>
<p>ASN1_STRING_cmp() returns an integer greater than, equal to, or less than 0, according to whether <i>a</i> is greater than, equal to, or less than <i>b</i>.</p>
<p>ASN1_STRING_set() returns 1 on success or 0 on error.</p>
<p>ASN1_STRING_type() returns the type of <i>x</i>.</p>
<p>ASN1_STRING_to_UTF8() returns the number of bytes in output string <i>out</i> or a negative value if an error occurred.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
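Review bot: the NOTES section removed here records that the buffers returned by ASN1_STRING_data() and ASN1_STRING_get0_data() are neither guaranteed to be NUL-terminated nor free of embedded NULs, and that the byte layout depends on the string type (ASCII for IA5String, two big-endian bytes per character for BMPString, UTF8 for UTF8String). That is a memory-safety caveat for any caller in this tree that hands ASN1_STRING data to C string functions or prints it as text; worth preserving as a comment next to such callers, or at least a README pointer to the upstream page, rather than relying on readers to rediscover it.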


@ -1,69 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_STRING_new</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_STRING_new, ASN1_STRING_type_new, ASN1_STRING_free - ASN1_STRING allocation functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
ASN1_STRING *ASN1_STRING_new(void);
ASN1_STRING *ASN1_STRING_type_new(int type);
void ASN1_STRING_free(ASN1_STRING *a);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>ASN1_STRING_new() returns an allocated <b>ASN1_STRING</b> structure. Its type is undefined.</p>
<p>ASN1_STRING_type_new() returns an allocated <b>ASN1_STRING</b> structure of type <i>type</i>.</p>
<p>ASN1_STRING_free() frees up <i>a</i>. If <i>a</i> is NULL nothing is done.</p>
<h1 id="NOTES">NOTES</h1>
<p>Other string types call the <b>ASN1_STRING</b> functions. For example ASN1_OCTET_STRING_new() calls ASN1_STRING_type_new(V_ASN1_OCTET_STRING).</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_STRING_new() and ASN1_STRING_type_new() return a valid <b>ASN1_STRING</b> structure or NULL if an error occurred.</p>
<p>ASN1_STRING_free() does not return a value.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,103 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_STRING_print_ex</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_tag2str, ASN1_STRING_print_ex, ASN1_STRING_print_ex_fp, ASN1_STRING_print - ASN1_STRING output routines</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags);
int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags);
int ASN1_STRING_print(BIO *out, const ASN1_STRING *str);
const char *ASN1_tag2str(int tag);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>These functions output an <b>ASN1_STRING</b> structure. <b>ASN1_STRING</b> is used to represent all the ASN1 string types.</p>
<p>ASN1_STRING_print_ex() outputs <i>str</i> to <i>out</i>, the format is determined by the options <i>flags</i>. ASN1_STRING_print_ex_fp() is identical except it outputs to <i>fp</i> instead.</p>
<p>ASN1_STRING_print() prints <i>str</i> to <i>out</i> but using a different format to ASN1_STRING_print_ex(). It replaces unprintable characters (other than CR, LF) with &#39;.&#39;.</p>
<p>ASN1_tag2str() returns a human-readable name of the specified ASN.1 <i>tag</i>.</p>
<h1 id="NOTES">NOTES</h1>
<p>ASN1_STRING_print() is a deprecated function which should be avoided; use ASN1_STRING_print_ex() instead.</p>
<p>Although there are a large number of options frequently <b>ASN1_STRFLGS_RFC2253</b> is suitable, or on UTF8 terminals <b>ASN1_STRFLGS_RFC2253 &amp; ~ASN1_STRFLGS_ESC_MSB</b>.</p>
<p>The complete set of supported options for <i>flags</i> is listed below.</p>
<p>Various characters can be escaped. If <b>ASN1_STRFLGS_ESC_2253</b> is set the characters determined by RFC2253 are escaped. If <b>ASN1_STRFLGS_ESC_CTRL</b> is set control characters are escaped. If <b>ASN1_STRFLGS_ESC_MSB</b> is set characters with the MSB set are escaped: this option should <b>not</b> be used if the terminal correctly interprets UTF8 sequences.</p>
<p>Escaping takes several forms.</p>
<p>If the character being escaped is a 16 bit character then the form &quot;\UXXXX&quot; is used using exactly four characters for the hex representation. If it is 32 bits then &quot;\WXXXXXXXX&quot; is used using eight characters of its hex representation. These forms will only be used if UTF8 conversion is not set (see below).</p>
<p>Printable characters are normally escaped using the backslash &#39;\&#39; character. If <b>ASN1_STRFLGS_ESC_QUOTE</b> is set then the whole string is instead surrounded by double quote characters: this is arguably more readable than the backslash notation. Other characters use the &quot;\XX&quot; using exactly two characters of the hex representation.</p>
<p>If <b>ASN1_STRFLGS_UTF8_CONVERT</b> is set then characters are converted to UTF8 format first. If the terminal supports the display of UTF8 sequences then this option will correctly display multi byte characters.</p>
<p>If <b>ASN1_STRFLGS_IGNORE_TYPE</b> is set then the string type is not interpreted at all: everything is assumed to be one byte per character. This is primarily for debugging purposes and can result in confusing output in multi character strings.</p>
<p>If <b>ASN1_STRFLGS_SHOW_TYPE</b> is set then the string type itself is printed out before its value (for example &quot;BMPSTRING&quot;), this actually uses ASN1_tag2str().</p>
<p>The content of a string instead of being interpreted can be &quot;dumped&quot;: this just outputs the value of the string using the form #XXXX using hex format for each octet.</p>
<p>If <b>ASN1_STRFLGS_DUMP_ALL</b> is set then any type is dumped.</p>
<p>Normally non character string types (such as OCTET STRING) are assumed to be one byte per character, if <b>ASN1_STRFLGS_DUMP_UNKNOWN</b> is set then they will be dumped instead.</p>
<p>When a type is dumped normally just the content octets are printed, if <b>ASN1_STRFLGS_DUMP_DER</b> is set then the complete encoding is dumped instead (including tag and length octets).</p>
<p><b>ASN1_STRFLGS_RFC2253</b> includes all the flags required by RFC2253. It is equivalent to: ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN ASN1_STRFLGS_DUMP_DER</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_STRING_print_ex() and ASN1_STRING_print_ex_fp() return the number of characters written or -1 if an error occurred.</p>
<p>ASN1_STRING_print() returns 1 on success or 0 on error.</p>
<p>ASN1_tag2str() returns a human-readable name of the specified ASN.1 <i>tag</i>.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/X509_NAME_print_ex.html">X509_NAME_print_ex(3)</a>, <a href="../man3/ASN1_tag2str.html">ASN1_tag2str(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
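Review bot: The ASN1_STRFLGS_RFC2253 paragraph of this removed page is missing the `|` between ASN1_STRFLGS_DUMP_UNKNOWN and ASN1_STRFLGS_DUMP_DER, so the expansion it gives ("... | ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN ASN1_STRFLGS_DUMP_DER") is not a valid flag expression as written; deleting the generated HTML copy does not fix that, so the correction belongs in the source these pages are built from.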

View File

@ -1,203 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_TIME_set</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_TIME_set, ASN1_UTCTIME_set, ASN1_GENERALIZEDTIME_set, ASN1_TIME_adj, ASN1_UTCTIME_adj, ASN1_GENERALIZEDTIME_adj, ASN1_TIME_check, ASN1_UTCTIME_check, ASN1_GENERALIZEDTIME_check, ASN1_TIME_set_string, ASN1_UTCTIME_set_string, ASN1_GENERALIZEDTIME_set_string, ASN1_TIME_set_string_X509, ASN1_TIME_normalize, ASN1_TIME_to_tm, ASN1_TIME_print, ASN1_TIME_print_ex, ASN1_UTCTIME_print, ASN1_GENERALIZEDTIME_print, ASN1_TIME_diff, ASN1_TIME_cmp_time_t, ASN1_UTCTIME_cmp_time_t, ASN1_TIME_compare, ASN1_TIME_to_generalizedtime, ASN1_TIME_dup, ASN1_UTCTIME_dup, ASN1_GENERALIZEDTIME_dup - ASN.1 Time functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t);
ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t);
ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
time_t t);
ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day,
long offset_sec);
ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
int offset_day, long offset_sec);
ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
time_t t, int offset_day,
long offset_sec);
int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str);
int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str);
int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s,
const char *str);
int ASN1_TIME_normalize(ASN1_TIME *s);
int ASN1_TIME_check(const ASN1_TIME *t);
int ASN1_UTCTIME_check(const ASN1_UTCTIME *t);
int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *t);
int ASN1_TIME_print(BIO *b, const ASN1_TIME *s);
int ASN1_TIME_print_ex(BIO *bp, const ASN1_TIME *tm, unsigned long flags);
int ASN1_UTCTIME_print(BIO *b, const ASN1_UTCTIME *s);
int ASN1_GENERALIZEDTIME_print(BIO *b, const ASN1_GENERALIZEDTIME *s);
int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm);
int ASN1_TIME_diff(int *pday, int *psec, const ASN1_TIME *from,
const ASN1_TIME *to);
int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t);
int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
int ASN1_TIME_compare(const ASN1_TIME *a, const ASN1_TIME *b);
ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
ASN1_GENERALIZEDTIME **out);
ASN1_TIME *ASN1_TIME_dup(const ASN1_TIME *t);
ASN1_UTCTIME *ASN1_UTCTIME_dup(const ASN1_UTCTIME *t);
ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_dup(const ASN1_GENERALIZEDTIME *t);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The ASN1_TIME_set(), ASN1_UTCTIME_set() and ASN1_GENERALIZEDTIME_set() functions set the structure <i>s</i> to the time represented by the time_t value <i>t</i>. If <i>s</i> is NULL a new time structure is allocated and returned.</p>
<p>The ASN1_TIME_adj(), ASN1_UTCTIME_adj() and ASN1_GENERALIZEDTIME_adj() functions set the time structure <i>s</i> to the time represented by the time <i>offset_day</i> and <i>offset_sec</i> after the time_t value <i>t</i>. The values of <i>offset_day</i> or <i>offset_sec</i> can be negative to set a time before <i>t</i>. The <i>offset_sec</i> value can also exceed the number of seconds in a day. If <i>s</i> is NULL a new structure is allocated and returned.</p>
<p>The ASN1_TIME_set_string(), ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() functions set the time structure <i>s</i> to the time represented by string <i>str</i> which must be in appropriate ASN.1 time format (for example YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ). If <i>s</i> is NULL this function performs a format check on <i>str</i> only. The string <i>str</i> is copied into <i>s</i>.</p>
<p>ASN1_TIME_set_string_X509() sets <b>ASN1_TIME</b> structure <i>s</i> to the time represented by string <i>str</i> which must be in appropriate time format that RFC 5280 requires, which means it only allows YYMMDDHHMMSSZ and YYYYMMDDHHMMSSZ (leap second is rejected), all other ASN.1 time format are not allowed. If <i>s</i> is NULL this function performs a format check on <i>str</i> only.</p>
<p>The ASN1_TIME_normalize() function converts an <b>ASN1_GENERALIZEDTIME</b> or <b>ASN1_UTCTIME</b> into a time value that can be used in a certificate. It should be used after the ASN1_TIME_set_string() functions and before ASN1_TIME_print() functions to get consistent (i.e. GMT) results.</p>
<p>The ASN1_TIME_check(), ASN1_UTCTIME_check() and ASN1_GENERALIZEDTIME_check() functions check the syntax of the time structure <i>s</i>.</p>
<p>The ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() functions print the time structure <i>s</i> to BIO <i>b</i> in human readable format. It will be of the format MMM DD HH:MM:SS YYYY [GMT], for example &quot;Feb 3 00:55:52 2015 GMT&quot;, which does not include a newline. If the time structure has invalid format it prints out &quot;Bad time value&quot; and returns an error. The output for generalized time may include a fractional part following the second.</p>
<p>ASN1_TIME_print_ex() provides <i>flags</i> to specify the output format of the datetime. This can be either <b>ASN1_DTFLGS_RFC822</b> or <b>ASN1_DTFLGS_ISO8601</b>.</p>
<p>ASN1_TIME_to_tm() converts the time <i>s</i> to the standard <i>tm</i> structure. If <i>s</i> is NULL, then the current time is converted. The output time is GMT. The <i>tm_sec</i>, <i>tm_min</i>, <i>tm_hour</i>, <i>tm_mday</i>, <i>tm_wday</i>, <i>tm_yday</i>, <i>tm_mon</i> and <i>tm_year</i> fields of <i>tm</i> structure are set to proper values, whereas all other fields are set to 0. If <i>tm</i> is NULL this function performs a format check on <i>s</i> only. If <i>s</i> is in Generalized format with fractional seconds, e.g. YYYYMMDDHHMMSS.SSSZ, the fractional seconds will be lost while converting <i>s</i> to <i>tm</i> structure.</p>
<p>ASN1_TIME_diff() sets <i>*pday</i> and <i>*psec</i> to the time difference between <i>from</i> and <i>to</i>. If <i>to</i> represents a time later than <i>from</i> then one or both (depending on the time difference) of <i>*pday</i> and <i>*psec</i> will be positive. If <i>to</i> represents a time earlier than <i>from</i> then one or both of <i>*pday</i> and <i>*psec</i> will be negative. If <i>to</i> and <i>from</i> represent the same time then <i>*pday</i> and <i>*psec</i> will both be zero. If both <i>*pday</i> and <i>*psec</i> are nonzero they will always have the same sign. The value of <i>*psec</i> will always be less than the number of seconds in a day. If <i>from</i> or <i>to</i> is NULL the current time is used.</p>
<p>The ASN1_TIME_cmp_time_t() and ASN1_UTCTIME_cmp_time_t() functions compare the two times represented by the time structure <i>s</i> and the time_t <i>t</i>.</p>
<p>The ASN1_TIME_compare() function compares the two times represented by the time structures <i>a</i> and <i>b</i>.</p>
<p>The ASN1_TIME_to_generalizedtime() function converts an <b>ASN1_TIME</b> to an <b>ASN1_GENERALIZEDTIME</b>, regardless of year. If either <i>out</i> or <i>*out</i> are NULL, then a new object is allocated and must be freed after use.</p>
<p>The ASN1_TIME_dup(), ASN1_UTCTIME_dup() and ASN1_GENERALIZEDTIME_dup() functions duplicate the time structure <i>t</i> and return the duplicated result correspondingly.</p>
<h1 id="NOTES">NOTES</h1>
<p>The <b>ASN1_TIME</b> structure corresponds to the ASN.1 structure <b>Time</b> defined in RFC5280 et al. The time setting functions obey the rules outlined in RFC5280: if the date can be represented by UTCTime it is used, else GeneralizedTime is used.</p>
<p>The <b>ASN1_TIME</b>, <b>ASN1_UTCTIME</b> and <b>ASN1_GENERALIZEDTIME</b> structures are represented as an <b>ASN1_STRING</b> internally and can be freed up using ASN1_STRING_free().</p>
<p>The <b>ASN1_TIME</b> structure can represent years from 0000 to 9999 but no attempt is made to correct ancient calendar changes (for example from Julian to Gregorian calendars).</p>
<p><b>ASN1_UTCTIME</b> is limited to a year range of 1950 through 2049.</p>
<p>Some applications add offset times directly to a time_t value and pass the results to ASN1_TIME_set() (or equivalent). This can cause problems as the time_t value can overflow on some systems resulting in unexpected results. New applications should use ASN1_TIME_adj() instead and pass the offset value in the <i>offset_sec</i> and <i>offset_day</i> parameters instead of directly manipulating a time_t value.</p>
<p>ASN1_TIME_adj() may change the type from <b>ASN1_GENERALIZEDTIME</b> to <b>ASN1_UTCTIME</b>, or vice versa, based on the resulting year. ASN1_GENERALIZEDTIME_adj() and ASN1_UTCTIME_adj() will not modify the type of the return structure.</p>
<p>It is recommended that functions starting with <b>ASN1_TIME</b> be used instead of those starting with <b>ASN1_UTCTIME</b> or <b>ASN1_GENERALIZEDTIME</b>. The functions starting with <b>ASN1_UTCTIME</b> and <b>ASN1_GENERALIZEDTIME</b> act only on that specific time format. The functions starting with <b>ASN1_TIME</b> will operate on either format.</p>
<h1 id="BUGS">BUGS</h1>
<p>ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() do not print out the timezone: it either prints out &quot;GMT&quot; or nothing. But all certificates complying with RFC5280 et al use GMT anyway.</p>
<p>ASN1_TIME_print(), ASN1_TIME_print_ex(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() do not distinguish if they fail because of an I/O error or invalid time format.</p>
<p>Use the ASN1_TIME_normalize() function to normalize the time value before printing to get GMT results.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_TIME_set(), ASN1_UTCTIME_set(), ASN1_GENERALIZEDTIME_set(), ASN1_TIME_adj(), ASN1_UTCTIME_adj() and ASN1_GENERALIZEDTIME_set() return a pointer to a time structure or NULL if an error occurred.</p>
<p>ASN1_TIME_set_string(), ASN1_UTCTIME_set_string(), ASN1_GENERALIZEDTIME_set_string() and ASN1_TIME_set_string_X509() return 1 if the time value is successfully set and 0 otherwise.</p>
<p>ASN1_TIME_normalize() returns 1 on success, and 0 on error.</p>
<p>ASN1_TIME_check(), ASN1_UTCTIME_check and ASN1_GENERALIZEDTIME_check() return 1 if the structure is syntactically correct and 0 otherwise.</p>
<p>ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() return 1 if the time is successfully printed out and 0 if an I/O error occurred an error occurred (I/O error or invalid time format).</p>
<p>ASN1_TIME_to_tm() returns 1 if the time is successfully parsed and 0 if an error occurred (invalid time format).</p>
<p>ASN1_TIME_diff() returns 1 for success and 0 for failure. It can fail if the passed-in time structure has invalid syntax, for example.</p>
<p>ASN1_TIME_cmp_time_t() and ASN1_UTCTIME_cmp_time_t() return -1 if <i>s</i> is before <i>t</i>, 0 if <i>s</i> equals <i>t</i>, or 1 if <i>s</i> is after <i>t</i>. -2 is returned on error.</p>
<p>ASN1_TIME_compare() returns -1 if <i>a</i> is before <i>b</i>, 0 if <i>a</i> equals <i>b</i>, or 1 if <i>a</i> is after <i>b</i>. -2 is returned on error.</p>
<p>ASN1_TIME_to_generalizedtime() returns a pointer to the appropriate time structure on success or NULL if an error occurred.</p>
<p>ASN1_TIME_dup(), ASN1_UTCTIME_dup() and ASN1_GENERALIZEDTIME_dup() return a pointer to a time structure or NULL if an error occurred.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Set a time structure to one hour after the current time and print it out:</p>
<pre><code> #include &lt;time.h&gt;
#include &lt;openssl/asn1.h&gt;
ASN1_TIME *tm;
time_t t;
BIO *b;
t = time(NULL);
tm = ASN1_TIME_adj(NULL, t, 0, 60 * 60);
b = BIO_new_fp(stdout, BIO_NOCLOSE);
ASN1_TIME_print(b, tm);
ASN1_STRING_free(tm);
BIO_free(b);</code></pre>
<p>Determine if one time is later or sooner than the current time:</p>
<pre><code> int day, sec;
if (!ASN1_TIME_diff(&amp;day, &amp;sec, NULL, to))
/* Invalid time format */
if (day &gt; 0 || sec &gt; 0)
printf(&quot;Later\n&quot;);
else if (day &lt; 0 || sec &lt; 0)
printf(&quot;Sooner\n&quot;);
else
printf(&quot;Same\n&quot;);</code></pre>
<h1 id="HISTORY">HISTORY</h1>
<p>The ASN1_TIME_to_tm() function was added in OpenSSL 1.1.1. The ASN1_TIME_set_string_X509() function was added in OpenSSL 1.1.1. The ASN1_TIME_normalize() function was added in OpenSSL 1.1.1. The ASN1_TIME_cmp_time_t() function was added in OpenSSL 1.1.1. The ASN1_TIME_compare() function was added in OpenSSL 1.1.1.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
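Review bot: Two defects in the removed ASN1_TIME_set page are worth carrying to wherever these docs are maintained, since the deletion alone does not fix them. In the second example, `if (!ASN1_TIME_diff(&day, &sec, NULL, to))` is followed only by the comment `/* Invalid time format */`, so the whole `if (day > 0 || sec > 0) ... else ...` chain becomes the body of the failure branch and the Later/Sooner/Same output is only produced when ASN1_TIME_diff() fails; the failure branch needs an explicit return or error handling. In RETURN VALUES, ASN1_GENERALIZEDTIME_set() is listed twice where the second occurrence should be ASN1_GENERALIZEDTIME_adj(), and the ASN1_TIME_print() sentence reads "0 if an I/O error occurred an error occurred (I/O error or invalid time format)", which has a duplicated clause.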

View File

@ -1,89 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_TYPE_get</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_TYPE_get, ASN1_TYPE_set, ASN1_TYPE_set1, ASN1_TYPE_cmp, ASN1_TYPE_unpack_sequence, ASN1_TYPE_pack_sequence - ASN1_TYPE utility functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
int ASN1_TYPE_get(const ASN1_TYPE *a);
void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t);
ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s,
ASN1_TYPE **t);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>These functions allow an <b>ASN1_TYPE</b> structure to be manipulated. The <b>ASN1_TYPE</b> structure can contain any ASN.1 type or constructed type such as a SEQUENCE: it is effectively equivalent to the ASN.1 ANY type.</p>
<p>ASN1_TYPE_get() returns the type of <i>a</i> or 0 if it fails.</p>
<p>ASN1_TYPE_set() sets the value of <i>a</i> to <i>type</i> and <i>value</i>. This function uses the pointer <i>value</i> internally so it must <b>not</b> be freed up after the call.</p>
<p>ASN1_TYPE_set1() sets the value of <i>a</i> to <i>type</i> a copy of <i>value</i>.</p>
<p>ASN1_TYPE_cmp() compares ASN.1 types <i>a</i> and <i>b</i> and returns 0 if they are identical and nonzero otherwise.</p>
<p>ASN1_TYPE_unpack_sequence() attempts to parse the SEQUENCE present in <i>t</i> using the ASN.1 structure <i>it</i>. If successful it returns a pointer to the ASN.1 structure corresponding to <i>it</i> which must be freed by the caller. If it fails it return NULL.</p>
<p>ASN1_TYPE_pack_sequence() attempts to encode the ASN.1 structure <i>s</i> corresponding to <i>it</i> into an <b>ASN1_TYPE</b>. If successful the encoded <b>ASN1_TYPE</b> is returned. If <i>t</i> and <i>*t</i> are not NULL the encoded type is written to <i>t</i> overwriting any existing data. If <i>t</i> is not NULL but <i>*t</i> is NULL the returned <b>ASN1_TYPE</b> is written to <i>*t</i>.</p>
<h1 id="NOTES">NOTES</h1>
<p>The type and meaning of the <i>value</i> parameter for ASN1_TYPE_set() and ASN1_TYPE_set1() is determined by the <i>type</i> parameter. If <i>type</i> is <b>V_ASN1_NULL</b> <i>value</i> is ignored. If <i>type</i> is <b>V_ASN1_BOOLEAN</b> then the boolean is set to TRUE if <i>value</i> is not NULL. If <i>type</i> is <b>V_ASN1_OBJECT</b> then value is an <b>ASN1_OBJECT</b> structure. Otherwise <i>type</i> is and <b>ASN1_STRING</b> structure. If <i>type</i> corresponds to a primitive type (or a string type) then the contents of the <b>ASN1_STRING</b> contain the content octets of the type. If <i>type</i> corresponds to a constructed type or a tagged type (<b>V_ASN1_SEQUENCE</b>, <b>V_ASN1_SET</b> or <b>V_ASN1_OTHER</b>) then the <b>ASN1_STRING</b> contains the entire ASN.1 encoding verbatim (including tag and length octets).</p>
<p>ASN1_TYPE_cmp() may not return zero if two types are equivalent but have different encodings. For example the single content octet of the boolean TRUE value under BER can have any nonzero encoding but ASN1_TYPE_cmp() will only return zero if the values are the same.</p>
<p>If either or both of the parameters passed to ASN1_TYPE_cmp() is NULL the return value is nonzero. Technically if both parameters are NULL the two types could be absent OPTIONAL fields and so should match, however, passing NULL values could also indicate a programming error (for example an unparsable type which returns NULL) for types which do <b>not</b> match. So applications should handle the case of two absent values separately.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_TYPE_get() returns the type of the <b>ASN1_TYPE</b> argument.</p>
<p>ASN1_TYPE_set() does not return a value.</p>
<p>ASN1_TYPE_set1() returns 1 for success and 0 for failure.</p>
<p>ASN1_TYPE_cmp() returns 0 if the types are identical and nonzero otherwise.</p>
<p>ASN1_TYPE_unpack_sequence() returns a pointer to an ASN.1 structure or NULL on failure.</p>
<p>ASN1_TYPE_pack_sequence() return an <b>ASN1_TYPE</b> structure if it succeeds or NULL on failure.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
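Review bot: Style only in the removed ASN1_TYPE_get page: in NOTES, "Otherwise type is and ASN1_STRING structure" should read "Otherwise value is an ASN1_STRING structure" (the sentence before it is about what value holds for V_ASN1_OBJECT), and "If it fails it return NULL" needs "returns". Nothing blocking for a deletion of generated output.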

View File

@ -1,307 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_aux_cb</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb - ASN.1 auxiliary data</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1t.h&gt;
struct ASN1_AUX_st {
void *app_data;
int flags;
int ref_offset; /* Offset of reference value */
int ref_lock; /* Offset to an CRYPTO_RWLOCK */
ASN1_aux_cb *asn1_cb;
int enc_offset; /* Offset of ASN1_ENCODING structure */
ASN1_aux_const_cb *asn1_const_cb; /* for ASN1_OP_I2D_ and ASN1_OP_PRINT_ */
};
typedef struct ASN1_AUX_st ASN1_AUX;
struct ASN1_PRINT_ARG_st {
BIO *out;
int indent;
const ASN1_PCTX *pctx;
};
typedef struct ASN1_PRINT_ARG_st ASN1_PRINT_ARG;
struct ASN1_STREAM_ARG_st {
BIO *out;
BIO *ndef_bio;
unsigned char **boundary;
};
typedef struct ASN1_STREAM_ARG_st ASN1_STREAM_ARG;
typedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it,
void *exarg);
typedef int ASN1_aux_const_cb(int operation, const ASN1_VALUE **in,
const ASN1_ITEM *it, void *exarg);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>ASN.1 data structures can be associated with an <b>ASN1_AUX</b> object to supply additional information about the ASN.1 structure. An <b>ASN1_AUX</b> structure is associated with the structure during the definition of the ASN.1 template. For example an <b>ASN1_AUX</b> structure will be associated by using one of the various ASN.1 template definition macros that supply auxiliary information such as ASN1_SEQUENCE_enc(), ASN1_SEQUENCE_ref(), ASN1_SEQUENCE_cb_const_cb(), ASN1_SEQUENCE_const_cb(), ASN1_SEQUENCE_cb() or ASN1_NDEF_SEQUENCE_cb().</p>
<p>An <b>ASN1_AUX</b> structure contains the following information.</p>
<dl>
<dt id="app_data"><i>app_data</i></dt>
<dd>
<p>Arbitrary application data</p>
</dd>
<dt id="flags"><i>flags</i></dt>
<dd>
<p>Flags which indicate the auxiliarly functionality supported.</p>
<p>The <b>ASN1_AFLG_REFCOUNT</b> flag indicates that objects support reference counting.</p>
<p>The <b>ASN1_AFLG_ENCODING</b> flag indicates that the original encoding of the object will be saved.</p>
<p>The <b>ASN1_AFLG_BROKEN</b> flag is a work around for broken encoders where the sequence length value may not be correct. This should generally not be used.</p>
<p>The <b>ASN1_AFLG_CONST_CB</b> flag indicates that the &quot;const&quot; form of the <b>ASN1_AUX</b> callback should be used in preference to the non-const form.</p>
</dd>
<dt id="ref_offset"><i>ref_offset</i></dt>
<dd>
<p>If the <b>ASN1_AFLG_REFCOUNT</b> flag is set then this value is assumed to be an offset into the <b>ASN1_VALUE</b> structure where a <b>CRYPTO_REF_COUNT</b> may be found for the purposes of reference counting.</p>
</dd>
<dt id="ref_lock"><i>ref_lock</i></dt>
<dd>
<p>If the <b>ASN1_AFLG_REFCOUNT</b> flag is set then this value is assumed to be an offset into the <b>ASN1_VALUE</b> structure where a <b>CRYPTO_RWLOCK</b> may be found for the purposes of reference counting.</p>
</dd>
<dt id="asn1_cb"><i>asn1_cb</i></dt>
<dd>
<p>A callback that will be invoked at various points during the processing of the the <b>ASN1_VALLUE</b>. See below for further details.</p>
</dd>
<dt id="enc_offset"><i>enc_offset</i></dt>
<dd>
<p>Offset into the <b>ASN1_VALUE</b> object where the original encoding of the object will be saved if the <b>ASN1_AFLG_ENCODING</b> flag has been set.</p>
</dd>
<dt id="asn1_const_cb"><i>asn1_const_cb</i></dt>
<dd>
<p>A callback that will be invoked at various points during the processing of the the <b>ASN1_VALLUE</b>. This is used in preference to the <i>asn1_cb</i> callback if the <b>ASN1_AFLG_CONST_CB</b> flag is set. See below for further details.</p>
</dd>
</dl>
<p>During the processing of an <b>ASN1_VALUE</b> object the callbacks set via <i>asn1_cb</i> or <i>asn1_const_cb</i> will be invoked as a result of various events indicated via the <i>operation</i> parameter. The value of <i>*in</i> will be the <b>ASN1_VALUE</b> object being processed based on the template in <i>it</i>. An additional operation specific parameter may be passed in <i>exarg</i>. The currently supported operations are as follows. The callbacks should return a positive value on success or zero on error, unless otherwise noted below.</p>
<dl>
<dt id="ASN1_OP_NEW_PRE"><b>ASN1_OP_NEW_PRE</b></dt>
<dd>
<p>Invoked when processing a <b>CHOICE</b>, <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure prior to an <b>ASN1_VALUE</b> object being allocated. The callback may allocate the <b>ASN1_VALUE</b> itself and store it in <i>*pval</i>. If it does so it should return 2 from the callback. On error it should return 0.</p>
</dd>
<dt id="ASN1_OP_NEW_POST"><b>ASN1_OP_NEW_POST</b></dt>
<dd>
<p>Invoked when processing a <b>CHOICE</b>, <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure after an <b>ASN1_VALUE</b> object has been allocated. The allocated object is in <i>*pval</i>.</p>
</dd>
<dt id="ASN1_OP_FREE_PRE"><b>ASN1_OP_FREE_PRE</b></dt>
<dd>
<p>Invoked when processing a <b>CHOICE</b>, <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure immediately before an <b>ASN1_VALUE</b> is freed. If the callback originally constructed the <b>ASN1_VALUE</b> via <b>ASN1_OP_NEW_PRE</b> then it should free it at this point and return 2 from the callback. Otherwise it should return 1 for success or 0 on error.</p>
</dd>
<dt id="ASN1_OP_FREE_POST"><b>ASN1_OP_FREE_POST</b></dt>
<dd>
<p>Invoked when processing a <b>CHOICE</b>, <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure immediately after <b>ASN1_VALUE</b> sub-structures are freed.</p>
</dd>
<dt id="ASN1_OP_D2I_PRE"><b>ASN1_OP_D2I_PRE</b></dt>
<dd>
<p>Invoked when processing a <b>CHOICE</b>, <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure immediately before a &quot;d2i&quot; operation for the <b>ASN1_VALUE</b>.</p>
</dd>
<dt id="ASN1_OP_D2I_POST"><b>ASN1_OP_D2I_POST</b></dt>
<dd>
<p>Invoked when processing a <b>CHOICE</b>, <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure immediately after a &quot;d2i&quot; operation for the <b>ASN1_VALUE</b>.</p>
</dd>
<dt id="ASN1_OP_I2D_PRE"><b>ASN1_OP_I2D_PRE</b></dt>
<dd>
<p>Invoked when processing a <b>CHOICE</b>, <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure immediately before a &quot;i2d&quot; operation for the <b>ASN1_VALUE</b>.</p>
</dd>
<dt id="ASN1_OP_I2D_POST"><b>ASN1_OP_I2D_POST</b></dt>
<dd>
<p>Invoked when processing a <b>CHOICE</b>, <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure immediately after a &quot;i2d&quot; operation for the <b>ASN1_VALUE</b>.</p>
</dd>
<dt id="ASN1_OP_PRINT_PRE"><b>ASN1_OP_PRINT_PRE</b></dt>
<dd>
<p>Invoked when processing a <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure immediately before printing the <b>ASN1_VALUE</b>. The <i>exarg</i> argument will be a pointer to an <b>ASN1_PRINT_ARG</b> structure (see below).</p>
</dd>
<dt id="ASN1_OP_PRINT_POST"><b>ASN1_OP_PRINT_POST</b></dt>
<dd>
<p>Invoked when processing a <b>SEQUENCE</b> or <b>NDEF_SEQUENCE</b> structure immediately after printing the <b>ASN1_VALUE</b>. The <i>exarg</i> argument will be a pointer to an <b>ASN1_PRINT_ARG</b> structure (see below).</p>
</dd>
<dt id="ASN1_OP_STREAM_PRE"><b>ASN1_OP_STREAM_PRE</b></dt>
<dd>
<p>Invoked immediately prior to streaming the <b>ASN1_VALUE</b> data using indefinite length encoding. The <i>exarg</i> argument will be a pointer to a <b>ASN1_STREAM_ARG</b> structure (see below).</p>
</dd>
<dt id="ASN1_OP_STREAM_POST"><b>ASN1_OP_STREAM_POST</b></dt>
<dd>
<p>Invoked immediately after streaming the <b>ASN1_VALUE</b> data using indefinite length encoding. The <i>exarg</i> argument will be a pointer to a <b>ASN1_STREAM_ARG</b> structure (see below).</p>
</dd>
<dt id="ASN1_OP_DETACHED_PRE"><b>ASN1_OP_DETACHED_PRE</b></dt>
<dd>
<p>Invoked immediately prior to processing the <b>ASN1_VALUE</b> data as a &quot;detached&quot; value (as used in CMS and PKCS7). The <i>exarg</i> argument will be a pointer to a <b>ASN1_STREAM_ARG</b> structure (see below).</p>
</dd>
<dt id="ASN1_OP_DETACHED_POST"><b>ASN1_OP_DETACHED_POST</b></dt>
<dd>
<p>Invoked immediately after processing the <b>ASN1_VALUE</b> data as a &quot;detached&quot; value (as used in CMS and PKCS7). The <i>exarg</i> argument will be a pointer to a <b>ASN1_STREAM_ARG</b> structure (see below).</p>
</dd>
<dt id="ASN1_OP_DUP_PRE"><b>ASN1_OP_DUP_PRE</b></dt>
<dd>
<p>Invoked immediate prior to an ASN1_VALUE being duplicated via a call to ASN1_item_dup().</p>
</dd>
<dt id="ASN1_OP_DUP_POST"><b>ASN1_OP_DUP_POST</b></dt>
<dd>
<p>Invoked immediate after to an ASN1_VALUE has been duplicated via a call to ASN1_item_dup().</p>
</dd>
<dt id="ASN1_OP_GET0_LIBCTX"><b>ASN1_OP_GET0_LIBCTX</b></dt>
<dd>
<p>Invoked in order to obtain the <b>OSSL_LIB_CTX</b> associated with an <b>ASN1_VALUE</b> if any. A pointer to an <b>OSSL_LIB_CTX</b> should be stored in <i>*exarg</i> if such a value exists.</p>
</dd>
<dt id="ASN1_OP_GET0_PROPQ"><b>ASN1_OP_GET0_PROPQ</b></dt>
<dd>
<p>Invoked in order to obtain the property query string associated with an <b>ASN1_VALUE</b> if any. A pointer to the property query string should be stored in <i>*exarg</i> if such a value exists.</p>
</dd>
</dl>
<p>An <b>ASN1_PRINT_ARG</b> object is used during processing of <b>ASN1_OP_PRINT_PRE</b> and <b>ASN1_OP_PRINT_POST</b> callback operations. It contains the following information.</p>
<dl>
<dt id="out"><i>out</i></dt>
<dd>
<p>The <b>BIO</b> being used to print the data out.</p>
</dd>
<dt id="ndef_bio"><i>ndef_bio</i></dt>
<dd>
<p>The current number of indent spaces that should be used for printing this data.</p>
</dd>
<dt id="pctx"><i>pctx</i></dt>
<dd>
<p>The context for the <b>ASN1_PCTX</b> operation.</p>
</dd>
</dl>
<p>An <b>ASN1_STREAM_ARG</b> object is used during processing of <b>ASN1_OP_STREAM_PRE</b>, <b>ASN1_OP_STREAM_POST</b>, <b>ASN1_OP_DETACHED_PRE</b> and <b>ASN1_OP_DETACHED_POST</b> callback operations. It contains the following information.</p>
<dl>
<dt id="out1"><i>out</i></dt>
<dd>
<p>The <b>BIO</b> to stream through</p>
</dd>
<dt id="ndef_bio1"><i>ndef_bio</i></dt>
<dd>
<p>The <b>BIO</b> with filters appended</p>
</dd>
<dt id="boundary"><i>boundary</i></dt>
<dd>
<p>The streaming I/O boundary.</p>
</dd>
</dl>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>The callbacks return 0 on error and a positive value on success. Some operations require specific positive success values as noted above.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ASN1_item_new_ex.html">ASN1_item_new_ex(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The ASN1_aux_const_cb() callback and the <b>ASN1_OP_GET0_LIBCTX</b> and <b>ASN1_OP_GET0_PROPQ</b> operation types were added in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
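Review bot: The ASN1_PRINT_ARG field list in the removed ASN1_aux_cb page is inconsistent with the struct it documents: the second entry is labelled `ndef_bio` (id="ndef_bio") although the struct declares `int indent;` and the entry's own text describes "the current number of indent spaces", so the term should be indent. The ASN1_OP_NEW_PRE and ASN1_OP_NEW_POST entries refer to `*pval` while the callback typedef names the parameter `in`, and "ASN1_VALLUE" and "auxiliarly" are misspelled. None of these are fixed by deleting the generated copy, so they belong in the source these pages are built from.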

View File

@ -1,274 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_generate_nconf</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#GENERATION-STRING-FORMAT">GENERATION STRING FORMAT</a>
<ul>
<li><a href="#Supported-Types">Supported Types</a></li>
<li><a href="#Modifiers">Modifiers</a></li>
</ul>
</li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_generate_nconf, ASN1_generate_v3 - ASN1 string generation functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf);
ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>These functions generate the ASN1 encoding of a string in an <b>ASN1_TYPE</b> structure.</p>
<p><i>str</i> contains the string to encode. <i>nconf</i> or <i>cnf</i> contains the optional configuration information where additional strings will be read from. <i>nconf</i> will typically come from a config file whereas <i>cnf</i> is obtained from an <b>X509V3_CTX</b> structure, which will typically be used by X509 v3 certificate extension functions. <i>cnf</i> or <i>nconf</i> can be set to NULL if no additional configuration will be used.</p>
<h1 id="GENERATION-STRING-FORMAT">GENERATION STRING FORMAT</h1>
<p>The actual data encoded is determined by the string <i>str</i> and the configuration information. The general format of the string is:</p>
<dl>
<dt id="modifier-type-:value">[<i>modifier</i>,]<i>type</i>[:<i>value</i>]</dt>
<dd>
</dd>
</dl>
<p>That is zero or more comma separated modifiers followed by a type followed by an optional colon and a value. The formats of <i>type</i>, <i>value</i> and <i>modifier</i> are explained below.</p>
<h2 id="Supported-Types">Supported Types</h2>
<p>The supported types are listed below. Case is not significant in the type names. Unless otherwise specified only the <b>ASCII</b> format is permissible.</p>
<dl>
<dt id="BOOLEAN-BOOL"><b>BOOLEAN</b>, <b>BOOL</b></dt>
<dd>
<p>This encodes a boolean type. The <i>value</i> string is mandatory and should be <b>TRUE</b> or <b>FALSE</b>. Additionally <b>TRUE</b>, <b>true</b>, <b>Y</b>, <b>y</b>, <b>YES</b>, <b>yes</b>, <b>FALSE</b>, <b>false</b>, <b>N</b>, <b>n</b>, <b>NO</b> and <b>no</b> are acceptable.</p>
</dd>
<dt id="NULL"><b>NULL</b></dt>
<dd>
<p>Encode the <b>NULL</b> type, the <i>value</i> string must not be present.</p>
</dd>
<dt id="INTEGER-INT"><b>INTEGER</b>, <b>INT</b></dt>
<dd>
<p>Encodes an ASN1 <b>INTEGER</b> type. The <i>value</i> string represents the value of the integer, it can be prefaced by a minus sign and is normally interpreted as a decimal value unless the prefix <b>0x</b> is included.</p>
</dd>
<dt id="ENUMERATED-ENUM"><b>ENUMERATED</b>, <b>ENUM</b></dt>
<dd>
<p>Encodes the ASN1 <b>ENUMERATED</b> type, it is otherwise identical to <b>INTEGER</b>.</p>
</dd>
<dt id="OBJECT-OID"><b>OBJECT</b>, <b>OID</b></dt>
<dd>
<p>Encodes an ASN1 <b>OBJECT IDENTIFIER</b>, the <i>value</i> string can be a short name, a long name or numerical format.</p>
</dd>
<dt id="UTCTIME-UTC"><b>UTCTIME</b>, <b>UTC</b></dt>
<dd>
<p>Encodes an ASN1 <b>UTCTime</b> structure, the value should be in the format <b>YYMMDDHHMMSSZ</b>.</p>
</dd>
<dt id="GENERALIZEDTIME-GENTIME"><b>GENERALIZEDTIME</b>, <b>GENTIME</b></dt>
<dd>
<p>Encodes an ASN1 <b>GeneralizedTime</b> structure, the value should be in the format <b>YYYYMMDDHHMMSSZ</b>.</p>
</dd>
<dt id="OCTETSTRING-OCT"><b>OCTETSTRING</b>, <b>OCT</b></dt>
<dd>
<p>Encodes an ASN1 <b>OCTET STRING</b>. <i>value</i> represents the contents of this structure, the format strings <b>ASCII</b> and <b>HEX</b> can be used to specify the format of <i>value</i>.</p>
</dd>
<dt id="BITSTRING-BITSTR"><b>BITSTRING</b>, <b>BITSTR</b></dt>
<dd>
<p>Encodes an ASN1 <b>BIT STRING</b>. <i>value</i> represents the contents of this structure, the format strings <b>ASCII</b>, <b>HEX</b> and <b>BITLIST</b> can be used to specify the format of <i>value</i>.</p>
<p>If the format is anything other than <b>BITLIST</b> the number of unused bits is set to zero.</p>
</dd>
<dt id="UNIVERSALSTRING-UNIV-IA5-IA5STRING-UTF8-UTF8String-BMP-BMPSTRING-VISIBLESTRING-VISIBLE-PRINTABLESTRING-PRINTABLE-T61-T61STRING-TELETEXSTRING-GeneralString-NUMERICSTRING-NUMERIC"><b>UNIVERSALSTRING</b>, <b>UNIV</b>, <b>IA5</b>, <b>IA5STRING</b>, <b>UTF8</b>, <b>UTF8String</b>, <b>BMP</b>, <b>BMPSTRING</b>, <b>VISIBLESTRING</b>, <b>VISIBLE</b>, <b>PRINTABLESTRING</b>, <b>PRINTABLE</b>, <b>T61</b>, <b>T61STRING</b>, <b>TELETEXSTRING</b>, <b>GeneralString</b>, <b>NUMERICSTRING</b>, <b>NUMERIC</b></dt>
<dd>
<p>These encode the corresponding string types. <i>value</i> represents the contents of this structure. The format can be <b>ASCII</b> or <b>UTF8</b>.</p>
</dd>
<dt id="SEQUENCE-SEQ-SET"><b>SEQUENCE</b>, <b>SEQ</b>, <b>SET</b></dt>
<dd>
<p>Formats the result as an ASN1 <b>SEQUENCE</b> or <b>SET</b> type. <i>value</i> should be a section name which will contain the contents. The field names in the section are ignored and the values are in the generated string format. If <i>value</i> is absent then an empty SEQUENCE will be encoded.</p>
</dd>
</dl>
<h2 id="Modifiers">Modifiers</h2>
<p>Modifiers affect the following structure, they can be used to add EXPLICIT or IMPLICIT tagging, add wrappers or to change the string format of the final type and value. The supported formats are documented below.</p>
<dl>
<dt id="EXPLICIT-EXP"><b>EXPLICIT</b>, <b>EXP</b></dt>
<dd>
<p>Add an explicit tag to the following structure. This string should be followed by a colon and the tag value to use as a decimal value.</p>
<p>By following the number with <b>U</b>, <b>A</b>, <b>P</b> or <b>C</b> UNIVERSAL, APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used, the default is CONTEXT SPECIFIC.</p>
</dd>
<dt id="IMPLICIT-IMP"><b>IMPLICIT</b>, <b>IMP</b></dt>
<dd>
<p>This is the same as <b>EXPLICIT</b> except IMPLICIT tagging is used instead.</p>
</dd>
<dt id="OCTWRAP-SEQWRAP-SETWRAP-BITWRAP"><b>OCTWRAP</b>, <b>SEQWRAP</b>, <b>SETWRAP</b>, <b>BITWRAP</b></dt>
<dd>
<p>The following structure is surrounded by an OCTET STRING, a SEQUENCE, a SET or a BIT STRING respectively. For a BIT STRING the number of unused bits is set to zero.</p>
</dd>
<dt id="FORMAT"><b>FORMAT</b></dt>
<dd>
<p>This specifies the format of the ultimate value. It should be followed by a colon and one of the strings <b>ASCII</b>, <b>UTF8</b>, <b>HEX</b> or <b>BITLIST</b>.</p>
<p>If no format specifier is included then <b>ASCII</b> is used. If <b>UTF8</b> is specified then the value string must be a valid <b>UTF8</b> string. For <b>HEX</b> the output must be a set of hex digits. <b>BITLIST</b> (which is only valid for a BIT STRING) is a comma separated list of the indices of the set bits, all other bits are zero.</p>
</dd>
</dl>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_generate_nconf() and ASN1_generate_v3() return the encoded data as an <b>ASN1_TYPE</b> structure or NULL if an error occurred.</p>
<p>The error codes that can be obtained by <a href="../man3/ERR_get_error.html">ERR_get_error(3)</a>.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>A simple IA5String:</p>
<pre><code> IA5STRING:Hello World</code></pre>
<p>An IA5String explicitly tagged:</p>
<pre><code> EXPLICIT:0,IA5STRING:Hello World</code></pre>
<p>An IA5String explicitly tagged using APPLICATION tagging:</p>
<pre><code> EXPLICIT:0A,IA5STRING:Hello World</code></pre>
<p>A BITSTRING with bits 1 and 5 set and all others zero:</p>
<pre><code> FORMAT:BITLIST,BITSTRING:1,5</code></pre>
<p>A more complex example using a config file to produce a SEQUENCE consisting of a BOOL an OID and a UTF8String:</p>
<pre><code> asn1 = SEQUENCE:seq_section
[seq_section]
field1 = BOOLEAN:TRUE
field2 = OID:commonName
field3 = UTF8:Third field</code></pre>
<p>This example produces an RSAPrivateKey structure, this is the key contained in the file client.pem in all OpenSSL distributions (note: the field names such as &#39;coeff&#39; are ignored and are present just for clarity):</p>
<pre><code> asn1=SEQUENCE:private_key
[private_key]
version=INTEGER:0
n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
e=INTEGER:0x010001
d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\
F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\
D4BD57
q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\
46EC4F
exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\
9C0A39B9
exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\
E7B2458F
coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\
628657053A</code></pre>
<p>This example is the corresponding public key in a SubjectPublicKeyInfo structure:</p>
<pre><code> # Start with a SEQUENCE
asn1=SEQUENCE:pubkeyinfo
# pubkeyinfo contains an algorithm identifier and the public key wrapped
# in a BIT STRING
[pubkeyinfo]
algorithm=SEQUENCE:rsa_alg
pubkey=BITWRAP,SEQUENCE:rsapubkey
# algorithm ID for RSA is just an OID and a NULL
[rsa_alg]
algorithm=OID:rsaEncryption
parameter=NULL
# Actual public key: modulus and exponent
[rsapubkey]
n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
e=INTEGER:0x010001</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
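Review bot: the removed page embeds RSA private-key components (`n=INTEGER:0xBB6F...`, `d=INTEGER:0x6F05...`, `p=`, `q=`, ...) which secret scanners may flag in the history of this deletion; the deleted text itself identifies them as the test key from `client.pem` shipped with every OpenSSL distribution, so no project secret is being removed and no key rotation or history rewrite is needed. Worth recording that in the commit description so the next scanner hit on this blob can be dismissed quickly.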

View File

@ -1,101 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_item_d2i_bio</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_item_d2i_ex, ASN1_item_d2i, ASN1_item_d2i_bio_ex, ASN1_item_d2i_bio, ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio, ASN1_item_pack, ASN1_item_unpack_ex, ASN1_item_unpack - decode and encode DER-encoded ASN.1 structures</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **pval, const unsigned char **in,
long len, const ASN1_ITEM *it,
OSSL_LIB_CTX *libctx, const char *propq);
ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in,
long len, const ASN1_ITEM *it);
void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *x,
OSSL_LIB_CTX *libctx, const char *propq);
void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x,
OSSL_LIB_CTX *libctx, const char *propq);
void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x);
BIO *ASN1_item_i2d_mem_bio(const ASN1_ITEM *it, const ASN1_VALUE *val);
ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct);
void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it);
void *ASN1_item_unpack_ex(const ASN1_STRING *oct, const ASN1_ITEM *it,
OSSL_LIB_CTX *libctx, const char *propq);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>ASN1_item_d2i_ex() decodes the contents of the data stored in <i>*in</i> of length <i>len</i> which must be a DER-encoded ASN.1 structure, using the ASN.1 template <i>it</i>. It places the result in <i>*pval</i> unless <i>pval</i> is NULL. If <i>*pval</i> is non-NULL on entry then the <b>ASN1_VALUE</b> present there will be reused. Otherwise a new <b>ASN1_VALUE</b> will be allocated. If any algorithm fetches are required during the process then they will use the <b>OSSL_LIB_CTX</b>provided in the <i>libctx</i> parameter and the property query string in <i>propq</i>. See <a href="../man7/crypto.html">&quot;ALGORITHM FETCHING&quot; in crypto(7)</a> for more information about algorithm fetching. On exit <i>*in</i> will be updated to point to the next byte in the buffer after the decoded structure.</p>
<p>ASN1_item_d2i() is the same as ASN1_item_d2i_ex() except that the default OSSL_LIB_CTX is used (i.e. NULL) and with a NULL property query string.</p>
<p>ASN1_item_d2i_bio_ex() decodes the contents of its input BIO <i>in</i>, which must be a DER-encoded ASN.1 structure, using the ASN.1 template <i>it</i> and places the result in <i>*pval</i> unless <i>pval</i> is NULL. If <i>in</i> is NULL it returns NULL, else a pointer to the parsed structure. If any algorithm fetches are required during the process then they will use the <b>OSSL_LIB_CTX</b> provided in the <i>libctx</i> parameter and the property query string in <i>propq</i>. See <a href="../man7/crypto.html">&quot;ALGORITHM FETCHING&quot; in crypto(7)</a> for more information about algorithm fetching.</p>
<p>ASN1_item_d2i_bio() is the same as ASN1_item_d2i_bio_ex() except that the default <b>OSSL_LIB_CTX</b> is used (i.e. NULL) and with a NULL property query string.</p>
<p>ASN1_item_d2i_fp_ex() is the same as ASN1_item_d2i_bio_ex() except that a FILE pointer is provided instead of a BIO.</p>
<p>ASN1_item_d2i_fp() is the same as ASN1_item_d2i_fp_ex() except that the default <b>OSSL_LIB_CTX</b> is used (i.e. NULL) and with a NULL property query string.</p>
<p>ASN1_item_i2d_mem_bio() encodes the given ASN.1 value <i>val</i> using the ASN.1 template <i>it</i> and returns the result in a memory BIO.</p>
<p>ASN1_item_pack() encodes the given ASN.1 value in <i>obj</i> using the ASN.1 template <i>it</i> and returns an <b>ASN1_STRING</b> object. If the passed in <i>*oct</i> is not NULL then this is used to store the returned result, otherwise a new <b>ASN1_STRING</b> object is created. If <i>oct</i> is not NULL and <i>*oct</i> is NULL then the returned return is also set into <i>*oct</i>. If there is an error the optional passed in <b>ASN1_STRING</b> will not be freed, but the previous value may be cleared when ASN1_STRING_set0(*oct, NULL, 0) is called internally.</p>
<p>ASN1_item_unpack() uses ASN1_item_d2i() to decode the DER-encoded <b>ASN1_STRING</b> <i>oct</i> using the ASN.1 template <i>it</i>.</p>
<p>ASN1_item_unpack_ex() is similar to ASN1_item_unpack(), but uses ASN1_item_d2i_ex() so that the <i>libctx</i> and <i>propq</i> can be used when doing algorithm fetching.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_item_d2i_bio(), ASN1_item_unpack_ex() and ASN1_item_unpack() return a pointer to an <b>ASN1_VALUE</b> or NULL on error.</p>
<p>ASN1_item_i2d_mem_bio() returns a pointer to a memory BIO or NULL on error.</p>
<p>ASN1_item_pack() returns a pointer to an <b>ASN1_STRING</b> or NULL on error.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The functions ASN1_item_d2i_ex(), ASN1_item_d2i_bio_ex(), ASN1_item_d2i_fp_ex() and ASN1_item_i2d_mem_bio() were added in OpenSSL 3.0.</p>
<p>The function ASN1_item_unpack_ex() was added in OpenSSL 3.2.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,60 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_item_new</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_item_new_ex, ASN1_item_new - create new ASN.1 values</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/asn1.h&gt;
ASN1_VALUE *ASN1_item_new_ex(const ASN1_ITEM *it, OSSL_LIB_CTX *libctx,
const char *propq);
ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>ASN1_item_new_ex() creates a new <b>ASN1_VALUE</b> structure based on the <b>ASN1_ITEM</b> template given in the <i>it</i> parameter. If any algorithm fetches are required during the process then they will use the <b>OSSL_LIB_CTX</b> provided in the <i>libctx</i> parameter and the property query string in <i>propq</i>. See <a href="../man7/crypto.html">&quot;ALGORITHM FETCHING&quot; in crypto(7)</a> for more information about algorithm fetching.</p>
<p>ASN1_item_new() is the same as ASN1_item_new_ex() except that the default <b>OSSL_LIB_CTX</b> is used (i.e. NULL) and with a NULL property query string.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASN1_item_new_ex() and ASN1_item_new() return a pointer to the newly created <b>ASN1_VALUE</b> or NULL on error.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The function ASN1_item_new_ex() was added in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,212 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASN1_item_sign</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASN1_item_sign, ASN1_item_sign_ex, ASN1_item_sign_ctx, ASN1_item_verify, ASN1_item_verify_ex, ASN1_item_verify_ctx - ASN1 sign and verify</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/x509.h&gt;
int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1,
X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
const void *data, const ASN1_OCTET_STRING *id,
EVP_PKEY *pkey, const EVP_MD *md, OSSL_LIB_CTX *libctx,
const char *propq);
int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
ASN1_BIT_STRING *signature, const void *data,
EVP_PKEY *pkey, const EVP_MD *md);
int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
const void *data, EVP_MD_CTX *ctx);
int ASN1_item_verify_ex(const ASN1_ITEM *it, const X509_ALGOR *alg,
const ASN1_BIT_STRING *signature, const void *data,
const ASN1_OCTET_STRING *id, EVP_PKEY *pkey,
OSSL_LIB_CTX *libctx, const char *propq);
int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg,
const ASN1_BIT_STRING *signature, const void *data,
EVP_PKEY *pkey);
int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
const ASN1_BIT_STRING *signature, const void *data,
EVP_MD_CTX *ctx);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>ASN1_item_sign_ex() is used to sign arbitrary ASN1 data using a data object <i>data</i>, the ASN.1 structure <i>it</i>, private key <i>pkey</i> and message digest <i>md</i>. The data that is signed is formed by taking the data object in <i>data</i> and converting it to der format using the ASN.1 structure <i>it</i>. The <i>data</i> that will be signed, and a structure containing the signature may both have a copy of the <b>X509_ALGOR</b>. The ASN1_item_sign_ex() function will write the correct <b>X509_ALGOR</b> to the structs based on the algorithms and parameters that have been set up. If one of <i>algor1</i> or <i>algor2</i> points to the <b>X509_ALGOR</b> of the <i>data</i> to be signed, then that <b>X509_ALGOR</b> will first be written before the signature is generated. Examples of valid values that can be used by the ASN.1 structure <i>it</i> are ASN1_ITEM_rptr(X509_CINF), ASN1_ITEM_rptr(X509_REQ_INFO) and ASN1_ITEM_rptr(X509_CRL_INFO). The <b>OSSL_LIB_CTX</b> specified in <i>libctx</i> and the property query string specified in <i>props</i> are used when searching for algorithms in providers. The generated signature is set into <i>signature</i>. The optional parameter <i>id</i> can be NULL, but can be set for special key types. See EVP_PKEY_CTX_set1_id() for further info. The output parameters &lt;algor1&gt; and <i>algor2</i> are ignored if they are NULL.</p>
<p>ASN1_item_sign() is similar to ASN1_item_sign_ex() but uses default values of NULL for the <i>id</i>, <i>libctx</i> and <i>propq</i>.</p>
<p>ASN1_item_sign_ctx() is similar to ASN1_item_sign() but uses the parameters contained in digest context <i>ctx</i>.</p>
<p>ASN1_item_verify_ex() is used to verify the signature <i>signature</i> of internal data <i>data</i> using the public key <i>pkey</i> and algorithm identifier <i>alg</i>. The data that is verified is formed by taking the data object in <i>data</i> and converting it to der format using the ASN.1 structure <i>it</i>. The <b>OSSL_LIB_CTX</b> specified in <i>libctx</i> and the property query string specified in <i>props</i> are used when searching for algorithms in providers. The optional parameter <i>id</i> can be NULL, but can be set for special key types. See EVP_PKEY_CTX_set1_id() for further info.</p>
<p>ASN1_item_verify() is similar to ASN1_item_verify_ex() but uses default values of NULL for the <i>id</i>, <i>libctx</i> and <i>propq</i>.</p>
<p>ASN1_item_verify_ctx() is similar to ASN1_item_verify() but uses the parameters contained in digest context <i>ctx</i>.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>All sign functions return the size of the signature in bytes for success and zero for failure.</p>
<p>All verify functions return 1 if the signature is valid and 0 if the signature check fails. If the signature could not be checked at all because it was ill-formed or some other error occurred then -1 is returned.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>In the following example a &#39;MyObject&#39; object is signed using the key contained in an EVP_MD_CTX. The signature is written to MyObject.signature. The object is then output in DER format and then loaded back in and verified.</p>
<pre><code> #include &lt;openssl/x509.h&gt;
#include &lt;openssl/asn1t.h&gt;
/* An object used to store the ASN1 data fields that will be signed */
typedef struct MySignInfoObject_st
{
ASN1_INTEGER *version;
X509_ALGOR sig_alg;
} MySignInfoObject;
DECLARE_ASN1_FUNCTIONS(MySignInfoObject)
/*
* A higher level object containing the ASN1 fields, signature alg and
* output signature.
*/
typedef struct MyObject_st
{
MySignInfoObject info;
X509_ALGOR sig_alg;
ASN1_BIT_STRING *signature;
} MyObject;
DECLARE_ASN1_FUNCTIONS(MyObject)
/* The ASN1 definition of MySignInfoObject */
ASN1_SEQUENCE_cb(MySignInfoObject, NULL) = {
ASN1_SIMPLE(MySignInfoObject, version, ASN1_INTEGER)
ASN1_EMBED(MySignInfoObject, sig_alg, X509_ALGOR),
} ASN1_SEQUENCE_END_cb(MySignInfoObject, MySignInfoObject)
/* new, free, d2i &amp; i2d functions for MySignInfoObject */
IMPLEMENT_ASN1_FUNCTIONS(MySignInfoObject)
/* The ASN1 definition of MyObject */
ASN1_SEQUENCE_cb(MyObject, NULL) = {
ASN1_EMBED(MyObject, info, MySignInfoObject),
ASN1_EMBED(MyObject, sig_alg, X509_ALGOR),
ASN1_SIMPLE(MyObject, signature, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END_cb(MyObject, MyObject)
/* new, free, d2i &amp; i2d functions for MyObject */
IMPLEMENT_ASN1_FUNCTIONS(MyObject)
int test_asn1_item_sign_verify(const char *mdname, EVP_PKEY *pkey, long version)
{
int ret = 0;
unsigned char *obj_der = NULL;
const unsigned char *p = NULL;
MyObject *obj = NULL, *loaded_obj = NULL;
const ASN1_ITEM *it = ASN1_ITEM_rptr(MySignInfoObject);
EVP_MD_CTX *sctx = NULL, *vctx = NULL;
int len;
/* Create MyObject and set its version */
obj = MyObject_new();
if (obj == NULL)
goto err;
if (!ASN1_INTEGER_set(obj-&gt;info.version, version))
goto err;
/* Set the key and digest used for signing */
sctx = EVP_MD_CTX_new();
if (sctx == NULL
|| !EVP_DigestSignInit_ex(sctx, NULL, mdname, NULL, NULL, pkey))
goto err;
/*
* it contains the mapping between ASN.1 data and an object MySignInfoObject
* obj-&gt;info is the &#39;MySignInfoObject&#39; object that will be
* converted into DER data and then signed.
* obj-&gt;signature will contain the output signature.
* obj-&gt;sig_alg is filled with the private key&#39;s signing algorithm id.
* obj-&gt;info.sig_alg is another copy of the signing algorithm id that sits
* within MyObject.
*/
len = ASN1_item_sign_ctx(it, &amp;obj-&gt;sig_alg, &amp;obj-&gt;info.sig_alg,
obj-&gt;signature, &amp;obj-&gt;info, sctx);
if (len &lt;= 0
|| X509_ALGOR_cmp(&amp;obj-&gt;sig_alg, &amp;obj-&gt;info.sig_alg) != 0)
goto err;
/* Output MyObject in der form */
len = i2d_MyObject(obj, &amp;obj_der);
if (len &lt;= 0)
goto err;
/* Set the key and digest used for verifying */
vctx = EVP_MD_CTX_new();
if (vctx == NULL
|| !EVP_DigestVerifyInit_ex(vctx, NULL, mdname, NULL, NULL, pkey))
goto err;
/* Load the der data back into an object */
p = obj_der;
loaded_obj = d2i_MyObject(NULL, &amp;p, len);
if (loaded_obj == NULL)
goto err;
/* Verify the loaded object */
ret = ASN1_item_verify_ctx(it, &amp;loaded_obj-&gt;sig_alg, loaded_obj-&gt;signature,
&amp;loaded_obj-&gt;info, vctx);
err:
OPENSSL_free(obj_der);
MyObject_free(loaded_obj);
MyObject_free(obj);
EVP_MD_CTX_free(sctx);
EVP_MD_CTX_free(vctx);
return ret;
}</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/X509_sign.html">X509_sign(3)</a>, <a href="../man3/X509_verify.html">X509_verify(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>ASN1_item_sign_ex() and ASN1_item_verify_ex() were added in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,151 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASYNC_WAIT_CTX_new</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASYNC_WAIT_CTX_new, ASYNC_WAIT_CTX_free, ASYNC_WAIT_CTX_set_wait_fd, ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds, ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd, ASYNC_WAIT_CTX_set_callback, ASYNC_WAIT_CTX_get_callback, ASYNC_WAIT_CTX_set_status, ASYNC_WAIT_CTX_get_status, ASYNC_callback_fn, ASYNC_STATUS_UNSUPPORTED, ASYNC_STATUS_ERR, ASYNC_STATUS_OK, ASYNC_STATUS_EAGAIN - functions to manage waiting for asynchronous jobs to complete</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/async.h&gt;
#define ASYNC_STATUS_UNSUPPORTED 0
#define ASYNC_STATUS_ERR 1
#define ASYNC_STATUS_OK 2
#define ASYNC_STATUS_EAGAIN 3
typedef int (*ASYNC_callback_fn)(void *arg);
ASYNC_WAIT_CTX *ASYNC_WAIT_CTX_new(void);
void ASYNC_WAIT_CTX_free(ASYNC_WAIT_CTX *ctx);
int ASYNC_WAIT_CTX_set_wait_fd(ASYNC_WAIT_CTX *ctx, const void *key,
OSSL_ASYNC_FD fd,
void *custom_data,
void (*cleanup)(ASYNC_WAIT_CTX *, const void *,
OSSL_ASYNC_FD, void *));
int ASYNC_WAIT_CTX_get_fd(ASYNC_WAIT_CTX *ctx, const void *key,
OSSL_ASYNC_FD *fd, void **custom_data);
int ASYNC_WAIT_CTX_get_all_fds(ASYNC_WAIT_CTX *ctx, OSSL_ASYNC_FD *fd,
size_t *numfds);
int ASYNC_WAIT_CTX_get_changed_fds(ASYNC_WAIT_CTX *ctx, OSSL_ASYNC_FD *addfd,
size_t *numaddfds, OSSL_ASYNC_FD *delfd,
size_t *numdelfds);
int ASYNC_WAIT_CTX_clear_fd(ASYNC_WAIT_CTX *ctx, const void *key);
int ASYNC_WAIT_CTX_set_callback(ASYNC_WAIT_CTX *ctx,
ASYNC_callback_fn callback,
void *callback_arg);
int ASYNC_WAIT_CTX_get_callback(ASYNC_WAIT_CTX *ctx,
ASYNC_callback_fn *callback,
void **callback_arg);
int ASYNC_WAIT_CTX_set_status(ASYNC_WAIT_CTX *ctx, int status);
int ASYNC_WAIT_CTX_get_status(ASYNC_WAIT_CTX *ctx);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>For an overview of how asynchronous operations are implemented in OpenSSL see <a href="../man3/ASYNC_start_job.html">ASYNC_start_job(3)</a>. An <b>ASYNC_WAIT_CTX</b> object represents an asynchronous &quot;session&quot;, i.e. a related set of crypto operations. For example in SSL terms this would have a one-to-one correspondence with an SSL connection.</p>
<p>Application code must create an <b>ASYNC_WAIT_CTX</b> using the ASYNC_WAIT_CTX_new() function prior to calling ASYNC_start_job() (see <a href="../man3/ASYNC_start_job.html">ASYNC_start_job(3)</a>). When the job is started it is associated with the <b>ASYNC_WAIT_CTX</b> for the duration of that job. An <b>ASYNC_WAIT_CTX</b> should only be used for one <b>ASYNC_JOB</b> at any one time, but can be reused after an <b>ASYNC_JOB</b> has finished for a subsequent <b>ASYNC_JOB</b>. When the session is complete (e.g. the SSL connection is closed), application code cleans up with ASYNC_WAIT_CTX_free().</p>
<p><b>ASYNC_WAIT_CTX</b>s can have &quot;wait&quot; file descriptors associated with them. Calling ASYNC_WAIT_CTX_get_all_fds() and passing in a pointer to an <b>ASYNC_WAIT_CTX</b> in the <i>ctx</i> parameter will return the wait file descriptors associated with that job in <i>*fd</i>. The number of file descriptors returned will be stored in <i>*numfds</i>. It is the caller&#39;s responsibility to ensure that sufficient memory has been allocated in <i>*fd</i> to receive all the file descriptors. Calling ASYNC_WAIT_CTX_get_all_fds() with a NULL <i>fd</i> value will return no file descriptors but will still populate <i>*numfds</i>. Therefore, application code is typically expected to call this function twice: once to get the number of fds, and then again when sufficient memory has been allocated. If only one asynchronous engine is being used then normally this call will only ever return one fd. If multiple asynchronous engines are being used then more could be returned.</p>
<p>The function ASYNC_WAIT_CTX_get_changed_fds() can be used to detect if any fds have changed since the last call time ASYNC_start_job() returned <b>ASYNC_PAUSE</b> (or since the <b>ASYNC_WAIT_CTX</b> was created if no <b>ASYNC_PAUSE</b> result has been received). The <i>numaddfds</i> and <i>numdelfds</i> parameters will be populated with the number of fds added or deleted respectively. <i>*addfd</i> and <i>*delfd</i> will be populated with the list of added and deleted fds respectively. Similarly to ASYNC_WAIT_CTX_get_all_fds() either of these can be NULL, but if they are not NULL then the caller is responsible for ensuring sufficient memory is allocated.</p>
<p>Implementers of async aware code (e.g. engines) are encouraged to return a stable fd for the lifetime of the <b>ASYNC_WAIT_CTX</b> in order to reduce the &quot;churn&quot; of regularly changing fds - although no guarantees of this are provided to applications.</p>
<p>Applications can wait for the file descriptor to be ready for &quot;read&quot; using a system function call such as select or poll (being ready for &quot;read&quot; indicates that the job should be resumed). If no file descriptor is made available then an application will have to periodically &quot;poll&quot; the job by attempting to restart it to see if it is ready to continue.</p>
<p>Async aware code (e.g. engines) can get the current <b>ASYNC_WAIT_CTX</b> from the job via <a href="../man3/ASYNC_get_wait_ctx.html">ASYNC_get_wait_ctx(3)</a> and provide a file descriptor to use for waiting on by calling ASYNC_WAIT_CTX_set_wait_fd(). Typically this would be done by an engine immediately prior to calling ASYNC_pause_job() and not by end user code. An existing association with a file descriptor can be obtained using ASYNC_WAIT_CTX_get_fd() and cleared using ASYNC_WAIT_CTX_clear_fd(). Both of these functions requires a <i>key</i> value which is unique to the async aware code. This could be any unique value but a good candidate might be the <b>ENGINE *</b> for the engine. The <i>custom_data</i> parameter can be any value, and will be returned in a subsequent call to ASYNC_WAIT_CTX_get_fd(). The ASYNC_WAIT_CTX_set_wait_fd() function also expects a pointer to a &quot;cleanup&quot; routine. This can be NULL but if provided will automatically get called when the <b>ASYNC_WAIT_CTX</b> is freed, and gives the engine the opportunity to close the fd or any other resources. Note: The &quot;cleanup&quot; routine does not get called if the fd is cleared directly via a call to ASYNC_WAIT_CTX_clear_fd().</p>
<p>An example of typical usage might be an async capable engine. User code would initiate cryptographic operations. The engine would initiate those operations asynchronously and then call ASYNC_WAIT_CTX_set_wait_fd() followed by ASYNC_pause_job() to return control to the user code. The user code can then perform other tasks or wait for the job to be ready by calling &quot;select&quot; or other similar function on the wait file descriptor. The engine can signal to the user code that the job should be resumed by making the wait file descriptor &quot;readable&quot;. Once resumed the engine should clear the wake signal on the wait file descriptor.</p>
<p>As well as a file descriptor, user code may also be notified via a callback. The callback and data pointers are stored within the <b>ASYNC_WAIT_CTX</b> along with an additional status field that can be used for the notification of retries from an engine. This additional method can be used when the user thinks that a file descriptor is too costly in terms of CPU cycles or in some context where a file descriptor is not appropriate.</p>
<p>ASYNC_WAIT_CTX_set_callback() sets the callback and the callback argument. The callback will be called to notify user code when an engine completes a cryptography operation. It is a requirement that the callback function is small and nonblocking as it will be run in the context of a polling mechanism or an interrupt.</p>
<p>ASYNC_WAIT_CTX_get_callback() returns the callback set in the <b>ASYNC_WAIT_CTX</b> structure.</p>
<p>ASYNC_WAIT_CTX_set_status() allows an engine to set the current engine status. The possible status values are the following:</p>
<dl>
<dt id="ASYNC_STATUS_UNSUPPORTED"><b>ASYNC_STATUS_UNSUPPORTED</b></dt>
<dd>
<p>The engine does not support the callback mechanism. This is the default value. The engine must call ASYNC_WAIT_CTX_set_status() to set the status to some value other than <b>ASYNC_STATUS_UNSUPPORTED</b> if it intends to enable the callback mechanism.</p>
</dd>
<dt id="ASYNC_STATUS_ERR"><b>ASYNC_STATUS_ERR</b></dt>
<dd>
<p>The engine has a fatal problem with this request. The user code should clean up this session.</p>
</dd>
<dt id="ASYNC_STATUS_OK"><b>ASYNC_STATUS_OK</b></dt>
<dd>
<p>The request has been successfully submitted.</p>
</dd>
<dt id="ASYNC_STATUS_EAGAIN"><b>ASYNC_STATUS_EAGAIN</b></dt>
<dd>
<p>The engine has some problem which will be recovered soon, such as a buffer is full, so user code should resume the job.</p>
</dd>
</dl>
<p>ASYNC_WAIT_CTX_get_status() allows user code to obtain the current status value. If the status is any value other than <b>ASYNC_STATUS_OK</b> then the user code should not expect to receive a callback from the engine even if one has been set.</p>
<p>An example of the usage of the callback method might be the following. User code would initiate cryptographic operations, and the engine code would dispatch this operation to hardware, and if the dispatch is successful, then the engine code would call ASYNC_pause_job() to return control to the user code. After that, user code can perform other tasks. When the hardware completes the operation, normally it is detected by a polling function or an interrupt, as the user code set a callback by calling ASYNC_WAIT_CTX_set_callback() previously, then the registered callback will be called.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASYNC_WAIT_CTX_new() returns a pointer to the newly allocated <b>ASYNC_WAIT_CTX</b> or NULL on error.</p>
<p>ASYNC_WAIT_CTX_set_wait_fd, ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds, ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd, ASYNC_WAIT_CTX_set_callback, ASYNC_WAIT_CTX_get_callback and ASYNC_WAIT_CTX_set_status all return 1 on success or 0 on error. ASYNC_WAIT_CTX_get_status() returns the engine status.</p>
<h1 id="NOTES">NOTES</h1>
<p>On Windows platforms the <i>&lt;openssl/async.h&gt;</i> header is dependent on some of the types customarily made available by including <i>&lt;windows.h&gt;</i>. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an application developer&#39;s responsibility to include <i>&lt;windows.h&gt;</i> prior to <i>&lt;openssl/async.h&gt;</i>.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/crypto.html">crypto(7)</a>, <a href="../man3/ASYNC_start_job.html">ASYNC_start_job(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>ASYNC_WAIT_CTX_new(), ASYNC_WAIT_CTX_free(), ASYNC_WAIT_CTX_set_wait_fd(), ASYNC_WAIT_CTX_get_fd(), ASYNC_WAIT_CTX_get_all_fds(), ASYNC_WAIT_CTX_get_changed_fds() and ASYNC_WAIT_CTX_clear_fd() were added in OpenSSL 1.1.0.</p>
<p>ASYNC_WAIT_CTX_set_callback(), ASYNC_WAIT_CTX_get_callback(), ASYNC_WAIT_CTX_set_status(), and ASYNC_WAIT_CTX_get_status() were added in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
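Review bot: this hunk removes the reference text for the ASYNC_WAIT_CTX_get_all_fds() two-call contract (a NULL fd first to obtain *numfds, then a second call once memory is allocated) and for the ASYNC_STATUS_UNSUPPORTED/ERR/OK/EAGAIN values that govern whether a callback will ever fire, while the `<openssl/async.h>` header the page documents is not touched; confirm the header stays in include/openssl and have the commit message state where these man pages are now expected to be read (the upstream OpenSSL manual), so that the doc-only scope of the change is explicit for anyone who later finds the header without its page.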


@ -1,286 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASYNC_start_job</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>ASYNC_get_wait_ctx, ASYNC_init_thread, ASYNC_cleanup_thread, ASYNC_start_job, ASYNC_pause_job, ASYNC_get_current_job, ASYNC_block_pause, ASYNC_unblock_pause, ASYNC_is_capable, ASYNC_stack_alloc_fn, ASYNC_stack_free_fn, ASYNC_set_mem_functions, ASYNC_get_mem_functions - asynchronous job management functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/async.h&gt;
int ASYNC_init_thread(size_t max_size, size_t init_size);
void ASYNC_cleanup_thread(void);
int ASYNC_start_job(ASYNC_JOB **job, ASYNC_WAIT_CTX *ctx, int *ret,
int (*func)(void *), void *args, size_t size);
int ASYNC_pause_job(void);
ASYNC_JOB *ASYNC_get_current_job(void);
ASYNC_WAIT_CTX *ASYNC_get_wait_ctx(ASYNC_JOB *job);
void ASYNC_block_pause(void);
void ASYNC_unblock_pause(void);
int ASYNC_is_capable(void);
typedef void *(*ASYNC_stack_alloc_fn)(size_t *num);
typedef void (*ASYNC_stack_free_fn)(void *addr);
int ASYNC_set_mem_functions(ASYNC_stack_alloc_fn alloc_fn,
ASYNC_stack_free_fn free_fn);
void ASYNC_get_mem_functions(ASYNC_stack_alloc_fn *alloc_fn,
ASYNC_stack_free_fn *free_fn);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>OpenSSL implements asynchronous capabilities through an <b>ASYNC_JOB</b>. This represents code that can be started and executes until some event occurs. At that point the code can be paused and control returns to user code until some subsequent event indicates that the job can be resumed.</p>
<p>The creation of an <b>ASYNC_JOB</b> is a relatively expensive operation. Therefore, for efficiency reasons, jobs can be created up front and reused many times. They are held in a pool until they are needed, at which point they are removed from the pool, used, and then returned to the pool when the job completes. If the user application is multi-threaded, then ASYNC_init_thread() may be called for each thread that will initiate asynchronous jobs. Before user code exits per-thread resources need to be cleaned up. This will normally occur automatically (see <a href="../man3/OPENSSL_init_crypto.html">OPENSSL_init_crypto(3)</a>) but may be explicitly initiated by using ASYNC_cleanup_thread(). No asynchronous jobs must be outstanding for the thread when ASYNC_cleanup_thread() is called. Failing to ensure this will result in memory leaks.</p>
<p>The <i>max_size</i> argument limits the number of <b>ASYNC_JOB</b>s that will be held in the pool. If <i>max_size</i> is set to 0 then no upper limit is set. When an <b>ASYNC_JOB</b> is needed but there are none available in the pool already then one will be automatically created, as long as the total of <b>ASYNC_JOB</b>s managed by the pool does not exceed <i>max_size</i>. When the pool is first initialised <i>init_size</i> <b>ASYNC_JOB</b>s will be created immediately. If ASYNC_init_thread() is not called before the pool is first used then it will be called automatically with a <i>max_size</i> of 0 (no upper limit) and an <i>init_size</i> of 0 (no <b>ASYNC_JOB</b>s created up front).</p>
<p>An asynchronous job is started by calling the ASYNC_start_job() function. Initially <i>*job</i> should be NULL. <i>ctx</i> should point to an <b>ASYNC_WAIT_CTX</b> object created through the <a href="../man3/ASYNC_WAIT_CTX_new.html">ASYNC_WAIT_CTX_new(3)</a> function. <i>ret</i> should point to a location where the return value of the asynchronous function should be stored on completion of the job. <i>func</i> represents the function that should be started asynchronously. The data pointed to by <i>args</i> and of size <i>size</i> will be copied and then passed as an argument to <i>func</i> when the job starts. ASYNC_start_job will return one of the following values:</p>
<dl>
<dt id="ASYNC_ERR"><b>ASYNC_ERR</b></dt>
<dd>
<p>An error occurred trying to start the job. Check the OpenSSL error queue (e.g. see <a href="../man3/ERR_print_errors.html">ERR_print_errors(3)</a>) for more details.</p>
</dd>
<dt id="ASYNC_NO_JOBS"><b>ASYNC_NO_JOBS</b></dt>
<dd>
<p>There are no jobs currently available in the pool. This call can be retried again at a later time.</p>
</dd>
<dt id="ASYNC_PAUSE"><b>ASYNC_PAUSE</b></dt>
<dd>
<p>The job was successfully started but was &quot;paused&quot; before it completed (see ASYNC_pause_job() below). A handle to the job is placed in <i>*job</i>. Other work can be performed (if desired) and the job restarted at a later time. To restart a job call ASYNC_start_job() again passing the job handle in <i>*job</i>. The <i>func</i>, <i>args</i> and <i>size</i> parameters will be ignored when restarting a job. When restarting a job ASYNC_start_job() <b>must</b> be called from the same thread that the job was originally started from.</p>
</dd>
<dt id="ASYNC_FINISH"><b>ASYNC_FINISH</b></dt>
<dd>
<p>The job completed. <i>*job</i> will be NULL and the return value from <i>func</i> will be placed in <i>*ret</i>.</p>
</dd>
</dl>
<p>At any one time there can be a maximum of one job actively running per thread (you can have many that are paused). ASYNC_get_current_job() can be used to get a pointer to the currently executing <b>ASYNC_JOB</b>. If no job is currently executing then this will return NULL.</p>
<p>If executing within the context of a job (i.e. having been called directly or indirectly by the function &quot;func&quot; passed as an argument to ASYNC_start_job()) then ASYNC_pause_job() will immediately return control to the calling application with <b>ASYNC_PAUSE</b> returned from the ASYNC_start_job() call. A subsequent call to ASYNC_start_job passing in the relevant <b>ASYNC_JOB</b> in the <i>*job</i> parameter will resume execution from the ASYNC_pause_job() call. If ASYNC_pause_job() is called whilst not within the context of a job then no action is taken and ASYNC_pause_job() returns immediately.</p>
<p>ASYNC_get_wait_ctx() can be used to get a pointer to the <b>ASYNC_WAIT_CTX</b> for the <i>job</i>. <b>ASYNC_WAIT_CTX</b>s contain two different ways to notify applications that a job is ready to be resumed. One is a &quot;wait&quot; file descriptor, and the other is a &quot;callback&quot; mechanism.</p>
<p>The &quot;wait&quot; file descriptor associated with <b>ASYNC_WAIT_CTX</b> is used for applications to wait for the file descriptor to be ready for &quot;read&quot; using a system function call such as select or poll (being ready for &quot;read&quot; indicates that the job should be resumed). If no file descriptor is made available then an application will have to periodically &quot;poll&quot; the job by attempting to restart it to see if it is ready to continue.</p>
<p><b>ASYNC_WAIT_CTX</b>s also have a &quot;callback&quot; mechanism to notify applications. The callback is set by an application, and it will be automatically called when an engine completes a cryptography operation, so that the application can resume the paused work flow without polling. An engine could be written to look whether the callback has been set. If it has then it would use the callback mechanism in preference to the file descriptor notifications. If a callback is not set then the engine may use file descriptor based notifications. Please note that not all engines may support the callback mechanism, so the callback may not be used even if it has been set. See ASYNC_WAIT_CTX_new() for more details.</p>
<p>The ASYNC_block_pause() function will prevent the currently active job from pausing. The block will remain in place until a subsequent call to ASYNC_unblock_pause(). These functions can be nested, e.g. if you call ASYNC_block_pause() twice then you must call ASYNC_unblock_pause() twice in order to re-enable pausing. If these functions are called while there is no currently active job then they have no effect. This functionality can be useful to avoid deadlock scenarios. For example during the execution of an <b>ASYNC_JOB</b> an application acquires a lock. It then calls some cryptographic function which invokes ASYNC_pause_job(). This returns control back to the code that created the <b>ASYNC_JOB</b>. If that code then attempts to acquire the same lock before resuming the original job then a deadlock can occur. By calling ASYNC_block_pause() immediately after acquiring the lock and ASYNC_unblock_pause() immediately before releasing it then this situation cannot occur.</p>
<p>Some platforms cannot support async operations. The ASYNC_is_capable() function can be used to detect whether the current platform is async capable or not.</p>
<p>Custom memory allocation functions are supported for the POSIX platform. Custom memory allocation functions allow alternative methods of allocating stack memory such as mmap, or using stack memory from the current thread. Using an ASYNC_stack_alloc_fn callback also allows manipulation of the stack size, which defaults to 32k. The stack size can be altered by allocating a stack of a size different to the requested size, and passing back the new stack size in the callback&#39;s <i>*num</i> parameter.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>ASYNC_init_thread returns 1 on success or 0 otherwise.</p>
<p>ASYNC_start_job returns one of <b>ASYNC_ERR</b>, <b>ASYNC_NO_JOBS</b>, <b>ASYNC_PAUSE</b> or <b>ASYNC_FINISH</b> as described above.</p>
<p>ASYNC_pause_job returns 0 if an error occurred or 1 on success. If called when not within the context of an <b>ASYNC_JOB</b> then this is counted as success so 1 is returned.</p>
<p>ASYNC_get_current_job returns a pointer to the currently executing <b>ASYNC_JOB</b> or NULL if not within the context of a job.</p>
<p>ASYNC_get_wait_ctx() returns a pointer to the <b>ASYNC_WAIT_CTX</b> for the job.</p>
<p>ASYNC_is_capable() returns 1 if the current platform is async capable or 0 otherwise.</p>
<p>ASYNC_set_mem_functions returns 1 if custom stack allocators are supported by the current platform and no allocations have already occurred or 0 otherwise.</p>
<h1 id="NOTES">NOTES</h1>
<p>On Windows platforms the <i>&lt;openssl/async.h&gt;</i> header is dependent on some of the types customarily made available by including <i>&lt;windows.h&gt;</i>. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an application developer&#39;s responsibility to include <i>&lt;windows.h&gt;</i> prior to <i>&lt;openssl/async.h&gt;</i>.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>The following example demonstrates how to use most of the core async APIs:</p>
<pre><code> #ifdef _WIN32
# include &lt;windows.h&gt;
#endif
#include &lt;stdio.h&gt;
#include &lt;unistd.h&gt;
#include &lt;openssl/async.h&gt;
#include &lt;openssl/crypto.h&gt;
int unique = 0;
void cleanup(ASYNC_WAIT_CTX *ctx, const void *key, OSSL_ASYNC_FD r, void *vw)
{
OSSL_ASYNC_FD *w = (OSSL_ASYNC_FD *)vw;
close(r);
close(*w);
OPENSSL_free(w);
}
int jobfunc(void *arg)
{
ASYNC_JOB *currjob;
unsigned char *msg;
int pipefds[2] = {0, 0};
OSSL_ASYNC_FD *wptr;
char buf = &#39;X&#39;;
currjob = ASYNC_get_current_job();
if (currjob != NULL) {
printf(&quot;Executing within a job\n&quot;);
} else {
printf(&quot;Not executing within a job - should not happen\n&quot;);
return 0;
}
msg = (unsigned char *)arg;
printf(&quot;Passed in message is: %s\n&quot;, msg);
if (pipe(pipefds) != 0) {
printf(&quot;Failed to create pipe\n&quot;);
return 0;
}
wptr = OPENSSL_malloc(sizeof(OSSL_ASYNC_FD));
if (wptr == NULL) {
printf(&quot;Failed to malloc\n&quot;);
return 0;
}
*wptr = pipefds[1];
ASYNC_WAIT_CTX_set_wait_fd(ASYNC_get_wait_ctx(currjob), &amp;unique,
pipefds[0], wptr, cleanup);
/*
* Normally some external event would cause this to happen at some
* later point - but we do it here for demo purposes, i.e.
* immediately signalling that the job is ready to be woken up after
* we return to main via ASYNC_pause_job().
*/
write(pipefds[1], &amp;buf, 1);
/* Return control back to main */
ASYNC_pause_job();
/* Clear the wake signal */
read(pipefds[0], &amp;buf, 1);
printf (&quot;Resumed the job after a pause\n&quot;);
return 1;
}
int main(void)
{
ASYNC_JOB *job = NULL;
ASYNC_WAIT_CTX *ctx = NULL;
int ret;
OSSL_ASYNC_FD waitfd;
fd_set waitfdset;
size_t numfds;
unsigned char msg[13] = &quot;Hello world!&quot;;
printf(&quot;Starting...\n&quot;);
ctx = ASYNC_WAIT_CTX_new();
if (ctx == NULL) {
printf(&quot;Failed to create ASYNC_WAIT_CTX\n&quot;);
abort();
}
for (;;) {
switch (ASYNC_start_job(&amp;job, ctx, &amp;ret, jobfunc, msg, sizeof(msg))) {
case ASYNC_ERR:
case ASYNC_NO_JOBS:
printf(&quot;An error occurred\n&quot;);
goto end;
case ASYNC_PAUSE:
printf(&quot;Job was paused\n&quot;);
break;
case ASYNC_FINISH:
printf(&quot;Job finished with return value %d\n&quot;, ret);
goto end;
}
/* Wait for the job to be woken */
printf(&quot;Waiting for the job to be woken up\n&quot;);
if (!ASYNC_WAIT_CTX_get_all_fds(ctx, NULL, &amp;numfds)
|| numfds &gt; 1) {
printf(&quot;Unexpected number of fds\n&quot;);
abort();
}
ASYNC_WAIT_CTX_get_all_fds(ctx, &amp;waitfd, &amp;numfds);
FD_ZERO(&amp;waitfdset);
FD_SET(waitfd, &amp;waitfdset);
select(waitfd + 1, &amp;waitfdset, NULL, NULL, NULL);
}
end:
ASYNC_WAIT_CTX_free(ctx);
printf(&quot;Finishing\n&quot;);
return 0;
}</code></pre>
<p>The expected output from executing the above example program is:</p>
<pre><code> Starting...
Executing within a job
Passed in message is: Hello world!
Job was paused
Waiting for the job to be woken up
Resumed the job after a pause
Job finished with return value 1
Finishing</code></pre>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/crypto.html">crypto(7)</a>, <a href="../man3/ERR_print_errors.html">ERR_print_errors(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>ASYNC_init_thread, ASYNC_cleanup_thread, ASYNC_start_job, ASYNC_pause_job, ASYNC_get_current_job, ASYNC_get_wait_ctx(), ASYNC_block_pause(), ASYNC_unblock_pause() and ASYNC_is_capable() were first added in OpenSSL 1.1.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
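Review bot: the deleted pages cross-reference each other with fixed relative links (`../man3/ASYNC_WAIT_CTX_new.html`, `../man3/ERR_print_errors.html`, `../man7/crypto.html`, `../man3/OPENSSL_init_crypto.html`), so the removal only stays consistent if the whole man1/man3/man7 tree goes in the same commit; if any page under include/openssl survives, its links will dangle. Note also that this is the page whose EXAMPLES block shows the `#ifdef _WIN32 / # include <windows.h>` ordering that the NOTES section requires before `<openssl/async.h>`; with the rendered HTML gone, that build-order caveat is no longer stated anywhere in the tree next to the header, which is worth a line in the commit message pointing to the upstream manual.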


@ -1,104 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BF_encrypt</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#NOTE">NOTE</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BF_set_key, BF_encrypt, BF_decrypt, BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options - Blowfish encryption</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/blowfish.h&gt;</code></pre>
<p>The following functions have been deprecated since OpenSSL 3.0, and can be hidden entirely by defining <b>OPENSSL_API_COMPAT</b> with a suitable version value, see <a href="../man7/openssl_user_macros.html">openssl_user_macros(7)</a>:</p>
<pre><code> void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
BF_KEY *key, int enc);
void BF_cbc_encrypt(const unsigned char *in, unsigned char *out,
long length, BF_KEY *schedule,
unsigned char *ivec, int enc);
void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out,
long length, BF_KEY *schedule,
unsigned char *ivec, int *num, int enc);
void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out,
long length, BF_KEY *schedule,
unsigned char *ivec, int *num);
const char *BF_options(void);
void BF_encrypt(BF_LONG *data, const BF_KEY *key);
void BF_decrypt(BF_LONG *data, const BF_KEY *key);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>All of the functions described on this page are deprecated. Applications should instead use <a href="../man3/EVP_EncryptInit_ex.html">EVP_EncryptInit_ex(3)</a>, <a href="../man3/EVP_EncryptUpdate.html">EVP_EncryptUpdate(3)</a> and <a href="../man3/EVP_EncryptFinal_ex.html">EVP_EncryptFinal_ex(3)</a> or the equivalently named decrypt functions.</p>
<p>This library implements the Blowfish cipher, which was invented and described by Counterpane (see http://www.counterpane.com/blowfish.html ).</p>
<p>Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data. It uses a variable size key, but typically, 128 bit (16 byte) keys are considered good for strong encryption. Blowfish can be used in the same modes as DES (see <a href="../man7/des_modes.html">des_modes(7)</a>). Blowfish is currently one of the faster block ciphers. It is quite a bit faster than DES, and much faster than IDEA or RC2.</p>
<p>Blowfish consists of a key setup phase and the actual encryption or decryption phase.</p>
<p>BF_set_key() sets up the <b>BF_KEY</b> <b>key</b> using the <b>len</b> bytes long key at <b>data</b>.</p>
<p>BF_ecb_encrypt() is the basic Blowfish encryption and decryption function. It encrypts or decrypts the first 64 bits of <b>in</b> using the key <b>key</b>, putting the result in <b>out</b>. <b>enc</b> decides if encryption (<b>BF_ENCRYPT</b>) or decryption (<b>BF_DECRYPT</b>) shall be performed. The vector pointed at by <b>in</b> and <b>out</b> must be 64 bits in length, no less. If they are larger, everything after the first 64 bits is ignored.</p>
<p>The mode functions BF_cbc_encrypt(), BF_cfb64_encrypt() and BF_ofb64_encrypt() all operate on variable length data. They all take an initialization vector <b>ivec</b> which needs to be passed along into the next call of the same function for the same message. <b>ivec</b> may be initialized with anything, but the recipient needs to know what it was initialized with, or it won&#39;t be able to decrypt. Some programs and protocols simplify this, like SSH, where <b>ivec</b> is simply initialized to zero. BF_cbc_encrypt() operates on data that is a multiple of 8 bytes long, while BF_cfb64_encrypt() and BF_ofb64_encrypt() are used to encrypt a variable number of bytes (the amount does not have to be an exact multiple of 8). The purpose of the latter two is to simulate stream ciphers, and therefore, they need the parameter <b>num</b>, which is a pointer to an integer where the current offset in <b>ivec</b> is stored between calls. This integer must be initialized to zero when <b>ivec</b> is initialized.</p>
<p>BF_cbc_encrypt() is the Cipher Block Chaining function for Blowfish. It encrypts or decrypts the 64 bits chunks of <b>in</b> using the key <b>schedule</b>, putting the result in <b>out</b>. <b>enc</b> decides if encryption (BF_ENCRYPT) or decryption (BF_DECRYPT) shall be performed. <b>ivec</b> must point at an 8 byte long initialization vector.</p>
<p>BF_cfb64_encrypt() is the CFB mode for Blowfish with 64 bit feedback. It encrypts or decrypts the bytes in <b>in</b> using the key <b>schedule</b>, putting the result in <b>out</b>. <b>enc</b> decides if encryption (<b>BF_ENCRYPT</b>) or decryption (<b>BF_DECRYPT</b>) shall be performed. <b>ivec</b> must point at an 8 byte long initialization vector. <b>num</b> must point at an integer which must be initially zero.</p>
<p>BF_ofb64_encrypt() is the OFB mode for Blowfish with 64 bit feedback. It uses the same parameters as BF_cfb64_encrypt(), which must be initialized the same way.</p>
<p>BF_encrypt() and BF_decrypt() are the lowest level functions for Blowfish encryption. They encrypt/decrypt the first 64 bits of the vector pointed by <b>data</b>, using the key <b>key</b>. These functions should not be used unless you implement &#39;modes&#39; of Blowfish. The alternative is to use BF_ecb_encrypt(). If you still want to use these functions, you should be aware that they take each 32-bit chunk in host-byte order, which is little-endian on little-endian platforms and big-endian on big-endian ones.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>None of the functions presented here return any value.</p>
<h1 id="NOTE">NOTE</h1>
<p>Applications should use the higher level functions <a href="../man3/EVP_EncryptInit.html">EVP_EncryptInit(3)</a> etc. instead of calling these functions directly.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/EVP_EncryptInit.html">EVP_EncryptInit(3)</a>, <a href="../man7/des_modes.html">des_modes(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>All of these functions were deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>


@ -1,109 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_ADDR</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RAW-ADDRESSES">RAW ADDRESSES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_ADDR, BIO_ADDR_new, BIO_ADDR_copy, BIO_ADDR_dup, BIO_ADDR_clear, BIO_ADDR_free, BIO_ADDR_rawmake, BIO_ADDR_family, BIO_ADDR_rawaddress, BIO_ADDR_rawport, BIO_ADDR_hostname_string, BIO_ADDR_service_string, BIO_ADDR_path_string - BIO_ADDR routines</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;sys/types.h&gt;
#include &lt;openssl/bio.h&gt;
typedef union bio_addr_st BIO_ADDR;
BIO_ADDR *BIO_ADDR_new(void);
int BIO_ADDR_copy(BIO_ADDR *dst, const BIO_ADDR *src);
BIO_ADDR *BIO_ADDR_dup(const BIO_ADDR *ap);
void BIO_ADDR_free(BIO_ADDR *);
void BIO_ADDR_clear(BIO_ADDR *ap);
int BIO_ADDR_rawmake(BIO_ADDR *ap, int family,
const void *where, size_t wherelen, unsigned short port);
int BIO_ADDR_family(const BIO_ADDR *ap);
int BIO_ADDR_rawaddress(const BIO_ADDR *ap, void *p, size_t *l);
unsigned short BIO_ADDR_rawport(const BIO_ADDR *ap);
char *BIO_ADDR_hostname_string(const BIO_ADDR *ap, int numeric);
char *BIO_ADDR_service_string(const BIO_ADDR *ap, int numeric);
char *BIO_ADDR_path_string(const BIO_ADDR *ap);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The <b>BIO_ADDR</b> type is a wrapper around all types of socket addresses that OpenSSL deals with, currently transparently supporting AF_INET, AF_INET6 and AF_UNIX according to what&#39;s available on the platform at hand.</p>
<p>BIO_ADDR_new() creates a new unfilled <b>BIO_ADDR</b>, to be used with routines that will fill it with information, such as BIO_accept_ex().</p>
<p>BIO_ADDR_copy() copies the contents of <b>src</b> into <b>dst</b>. Neither <b>src</b> or <b>dst</b> can be NULL.</p>
<p>BIO_ADDR_dup() creates a new <b>BIO_ADDR</b>, with a copy of the address data in <b>ap</b>.</p>
<p>BIO_ADDR_free() frees a <b>BIO_ADDR</b> created with BIO_ADDR_new() or BIO_ADDR_dup();</p>
<p>BIO_ADDR_clear() clears any data held within the provided <b>BIO_ADDR</b> and sets it back to an uninitialised state.</p>
<p>BIO_ADDR_rawmake() takes a protocol <b>family</b>, a byte array of size <b>wherelen</b> with an address in network byte order pointed at by <b>where</b> and a port number in network byte order in <b>port</b> (except for the <b>AF_UNIX</b> protocol family, where <b>port</b> is meaningless and therefore ignored) and populates the given <b>BIO_ADDR</b> with them. In case this creates a <b>AF_UNIX</b> <b>BIO_ADDR</b>, <b>wherelen</b> is expected to be the length of the path string (not including the terminating NUL, such as the result of a call to strlen()). Read on about the addresses in <a href="#RAW-ADDRESSES">&quot;RAW ADDRESSES&quot;</a> below.</p>
<p>BIO_ADDR_family() returns the protocol family of the given <b>BIO_ADDR</b>. The possible non-error results are one of the constants AF_INET, AF_INET6 and AF_UNIX. It will also return AF_UNSPEC if the BIO_ADDR has not been initialised.</p>
<p>BIO_ADDR_rawaddress() will write the raw address of the given <b>BIO_ADDR</b> in the area pointed at by <b>p</b> if <b>p</b> is non-NULL, and will set <b>*l</b> to the number of bytes the raw address takes up if <b>l</b> is non-NULL. To find out only the size of the address, call it with <b>p</b> set to <b>NULL</b>. The raw address will be in network byte order, most significant byte first. In case this is an <b>AF_UNIX</b> <b>BIO_ADDR</b>, <b>l</b> gets the length of the path string (not including the terminating NUL, such as the result of a call to strlen()). Read on about the addresses in <a href="#RAW-ADDRESSES">&quot;RAW ADDRESSES&quot;</a> below.</p>
<p>BIO_ADDR_rawport() returns the raw port of the given <b>BIO_ADDR</b>. The raw port will be in network byte order.</p>
<p>BIO_ADDR_hostname_string() returns a character string with the hostname of the given <b>BIO_ADDR</b>. If <b>numeric</b> is 1, the string will contain the numerical form of the address. This only works for <b>BIO_ADDR</b> of the protocol families AF_INET and AF_INET6. The returned string has been allocated on the heap and must be freed with OPENSSL_free().</p>
<p>BIO_ADDR_service_string() returns a character string with the service name of the port of the given <b>BIO_ADDR</b>. If <b>numeric</b> is 1, the string will contain the port number. This only works for <b>BIO_ADDR</b> of the protocol families AF_INET and AF_INET6. The returned string has been allocated on the heap and must be freed with OPENSSL_free().</p>
<p>BIO_ADDR_path_string() returns a character string with the path of the given <b>BIO_ADDR</b>. This only works for <b>BIO_ADDR</b> of the protocol family AF_UNIX. The returned string has been allocated on the heap and must be freed with OPENSSL_free().</p>
<h1 id="RAW-ADDRESSES">RAW ADDRESSES</h1>
<p>Both BIO_ADDR_rawmake() and BIO_ADDR_rawaddress() take a pointer to a network byte order address of a specific site. Internally, those are treated as a pointer to <b>struct in_addr</b> (for <b>AF_INET</b>), <b>struct in6_addr</b> (for <b>AF_INET6</b>) or <b>char *</b> (for <b>AF_UNIX</b>), all depending on the protocol family the address is for.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>The string producing functions BIO_ADDR_hostname_string(), BIO_ADDR_service_string() and BIO_ADDR_path_string() will return <b>NULL</b> on error and leave an error indication on the OpenSSL error stack.</p>
<p>BIO_ADDR_copy() returns 1 on success or 0 on error.</p>
<p>All other functions described here return 0 or <b>NULL</b> when the information they should return isn&#39;t available.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/BIO_connect.html">BIO_connect(3)</a>, <a href="../man3/BIO_s_connect.html">BIO_s_connect(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>BIO_ADDR_copy() and BIO_ADDR_dup() were added in OpenSSL 3.2.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,101 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_ADDRINFO</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_lookup_type, BIO_ADDRINFO, BIO_ADDRINFO_next, BIO_ADDRINFO_free, BIO_ADDRINFO_family, BIO_ADDRINFO_socktype, BIO_ADDRINFO_protocol, BIO_ADDRINFO_address, BIO_lookup_ex, BIO_lookup - BIO_ADDRINFO type and routines</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;sys/types.h&gt;
#include &lt;openssl/bio.h&gt;
typedef union bio_addrinfo_st BIO_ADDRINFO;
enum BIO_lookup_type {
BIO_LOOKUP_CLIENT, BIO_LOOKUP_SERVER
};
int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
int family, int socktype, int protocol, BIO_ADDRINFO **res);
int BIO_lookup(const char *host, const char *service,
enum BIO_lookup_type lookup_type,
int family, int socktype, BIO_ADDRINFO **res);
const BIO_ADDRINFO *BIO_ADDRINFO_next(const BIO_ADDRINFO *bai);
int BIO_ADDRINFO_family(const BIO_ADDRINFO *bai);
int BIO_ADDRINFO_socktype(const BIO_ADDRINFO *bai);
int BIO_ADDRINFO_protocol(const BIO_ADDRINFO *bai);
const BIO_ADDR *BIO_ADDRINFO_address(const BIO_ADDRINFO *bai);
void BIO_ADDRINFO_free(BIO_ADDRINFO *bai);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The <b>BIO_ADDRINFO</b> type is a wrapper for address information types provided on your platform.</p>
<p><b>BIO_ADDRINFO</b> normally forms a chain of several that can be picked at one by one.</p>
<p>BIO_lookup_ex() looks up a specified <b>host</b> and <b>service</b>, and uses <b>lookup_type</b> to determine what the default address should be if <b>host</b> is <b>NULL</b>. <b>family</b>, <b>socktype</b> and <b>protocol</b> are used to determine what protocol family, socket type and protocol should be used for the lookup. <b>family</b> can be any of AF_INET, AF_INET6, AF_UNIX and AF_UNSPEC. <b>socktype</b> can be SOCK_STREAM, SOCK_DGRAM or 0. Specifying 0 indicates that any type can be used. <b>protocol</b> specifies a protocol such as IPPROTO_TCP, IPPROTO_UDP or IPPROTO_SCTP. If set to 0 then any protocol can be used. <b>res</b> points at a pointer to hold the start of a <b>BIO_ADDRINFO</b> chain.</p>
<p>For the family <b>AF_UNIX</b>, BIO_lookup_ex() will ignore the <b>service</b> parameter and expects the <b>host</b> parameter to hold the path to the socket file.</p>
<p>BIO_lookup() does the same as BIO_lookup_ex() but does not provide the ability to select based on the protocol (any protocol may be returned).</p>
<p>BIO_ADDRINFO_family() returns the family of the given <b>BIO_ADDRINFO</b>. The result will be one of the constants AF_INET, AF_INET6 and AF_UNIX.</p>
<p>BIO_ADDRINFO_socktype() returns the socket type of the given <b>BIO_ADDRINFO</b>. The result will be one of the constants SOCK_STREAM and SOCK_DGRAM.</p>
<p>BIO_ADDRINFO_protocol() returns the protocol id of the given <b>BIO_ADDRINFO</b>. The result is normally one of the constants IPPROTO_TCP and IPPROTO_UDP; IPPROTO_SCTP can also be returned when it was requested explicitly (see <a href="#NOTES">&quot;NOTES&quot;</a> below).</p>
<p>BIO_ADDRINFO_address() returns the underlying <b>BIO_ADDR</b> of the given <b>BIO_ADDRINFO</b>.</p>
<p>BIO_ADDRINFO_next() returns the next <b>BIO_ADDRINFO</b> in the chain from the given one.</p>
<p>BIO_ADDRINFO_free() frees the chain of <b>BIO_ADDRINFO</b> starting with the given one.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_lookup_ex() and BIO_lookup() return 1 on success and 0 when an error occurred, and will leave an error indication on the OpenSSL error stack in that case.</p>
<p>All other functions described here return 0 or <b>NULL</b> when the information they should return isn&#39;t available.</p>
<h1 id="NOTES">NOTES</h1>
<p>The BIO_lookup_ex() implementation uses the platform provided getaddrinfo() function. On Linux it is known that specifying 0 for the protocol will not return any SCTP based addresses when calling getaddrinfo(). Therefore, if an SCTP address is required then the <b>protocol</b> parameter to BIO_lookup_ex() should be explicitly set to IPPROTO_SCTP. The same may be true on other platforms.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The BIO_lookup_ex() function was added in OpenSSL 1.1.1.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,127 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_connect</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#FLAGS">FLAGS</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_socket, BIO_bind, BIO_connect, BIO_listen, BIO_accept_ex, BIO_closesocket - BIO socket communication setup routines</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
int BIO_socket(int domain, int socktype, int protocol, int options);
int BIO_bind(int sock, const BIO_ADDR *addr, int options);
int BIO_connect(int sock, const BIO_ADDR *addr, int options);
int BIO_listen(int sock, const BIO_ADDR *addr, int options);
int BIO_accept_ex(int accept_sock, BIO_ADDR *peer, int options);
int BIO_closesocket(int sock);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_socket() creates a socket in the domain <b>domain</b>, of type <b>socktype</b> and <b>protocol</b>. Socket <b>options</b> are currently unused, but are present for future use.</p>
<p>BIO_bind() binds the source address and service to a socket and may be useful before calling BIO_connect(). The options may include <b>BIO_SOCK_REUSEADDR</b>, which is described in <a href="#FLAGS">&quot;FLAGS&quot;</a> below.</p>
<p>BIO_connect() connects <b>sock</b> to the address and service given by <b>addr</b>. Connection <b>options</b> may be zero or any combination of <b>BIO_SOCK_KEEPALIVE</b>, <b>BIO_SOCK_NONBLOCK</b> and <b>BIO_SOCK_NODELAY</b>. The flags are described in <a href="#FLAGS">&quot;FLAGS&quot;</a> below.</p>
<p>BIO_listen() has <b>sock</b> start listening on the address and service given by <b>addr</b>. Connection <b>options</b> may be zero or any combination of <b>BIO_SOCK_KEEPALIVE</b>, <b>BIO_SOCK_NONBLOCK</b>, <b>BIO_SOCK_NODELAY</b>, <b>BIO_SOCK_REUSEADDR</b> and <b>BIO_SOCK_V6_ONLY</b>. The flags are described in <a href="#FLAGS">&quot;FLAGS&quot;</a> below.</p>
<p>BIO_accept_ex() waits for an incoming connection on the given socket <b>accept_sock</b>. When it gets a connection, the address and port of the peer are stored in <b>peer</b> if <b>peer</b> is non-NULL. Accept <b>options</b> may be zero or <b>BIO_SOCK_NONBLOCK</b>, and are applied to the accepted socket. The flags are described in <a href="#FLAGS">&quot;FLAGS&quot;</a> below.</p>
<p>BIO_closesocket() closes <b>sock</b>.</p>
<h1 id="FLAGS">FLAGS</h1>
<dl>
<dt id="BIO_SOCK_KEEPALIVE">BIO_SOCK_KEEPALIVE</dt>
<dd>
<p>Enables regular sending of keep-alive messages.</p>
</dd>
<dt id="BIO_SOCK_NONBLOCK">BIO_SOCK_NONBLOCK</dt>
<dd>
<p>Sets the socket to nonblocking mode.</p>
</dd>
<dt id="BIO_SOCK_NODELAY">BIO_SOCK_NODELAY</dt>
<dd>
<p>Corresponds to <b>TCP_NODELAY</b>, and disables the Nagle algorithm. With this set, any data will be sent as soon as possible instead of being buffered until there&#39;s enough for the socket to send out in one go.</p>
</dd>
<dt id="BIO_SOCK_REUSEADDR">BIO_SOCK_REUSEADDR</dt>
<dd>
<p>Try to reuse the address and port combination for a recently closed port.</p>
</dd>
<dt id="BIO_SOCK_V6_ONLY">BIO_SOCK_V6_ONLY</dt>
<dd>
<p>When creating an IPv6 socket, make it only listen for IPv6 addresses and not IPv4 addresses mapped to IPv6.</p>
</dd>
<dt id="BIO_SOCK_TFO">BIO_SOCK_TFO</dt>
<dd>
<p>Enables TCP Fast Open on the socket. Uses appropriate APIs on supported operating systems, including Linux, macOS and FreeBSD. Can be used with BIO_connect(), BIO_set_conn_mode(), BIO_set_bind_mode(), and BIO_listen(). On Linux kernels before 4.14, use BIO_set_conn_address() to specify the peer address before starting the TLS handshake.</p>
</dd>
</dl>
<p>These flags are bit flags, so they are to be combined with the <code>|</code> operator, for example:</p>
<pre><code> BIO_connect(sock, addr, BIO_SOCK_KEEPALIVE | BIO_SOCK_NONBLOCK);</code></pre>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_socket() returns the socket number on success or <b>INVALID_SOCKET</b> (-1) on error. When an error has occurred, the OpenSSL error stack will hold the error data and errno has the system error.</p>
<p>BIO_bind(), BIO_connect() and BIO_listen() return 1 on success or 0 on error. When an error has occurred, the OpenSSL error stack will hold the error data and errno has the system error.</p>
<p>BIO_accept_ex() returns the accepted socket on success or <b>INVALID_SOCKET</b> (-1) on error. When an error has occurred, the OpenSSL error stack will hold the error data and errno has the system error.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/BIO_ADDR.html">BIO_ADDR(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>BIO_gethostname(), BIO_get_port(), BIO_get_host_ip(), BIO_get_accept_socket() and BIO_accept() were deprecated in OpenSSL 1.1.0. Use the functions described above instead.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,151 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_ctrl</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset, BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close, BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending, BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb, BIO_get_ktls_send, BIO_get_ktls_recv, BIO_set_conn_mode, BIO_get_conn_mode, BIO_set_tfo - BIO control operations</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
typedef int BIO_info_cb(BIO *b, int state, int res);
long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg);
long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb);
void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);
int BIO_reset(BIO *b);
int BIO_seek(BIO *b, int ofs);
int BIO_tell(BIO *b);
int BIO_flush(BIO *b);
int BIO_eof(BIO *b);
int BIO_set_close(BIO *b, long flag);
int BIO_get_close(BIO *b);
int BIO_pending(BIO *b);
int BIO_wpending(BIO *b);
size_t BIO_ctrl_pending(BIO *b);
size_t BIO_ctrl_wpending(BIO *b);
int BIO_get_info_callback(BIO *b, BIO_info_cb **cbp);
int BIO_set_info_callback(BIO *b, BIO_info_cb *cb);
int BIO_get_ktls_send(BIO *b);
int BIO_get_ktls_recv(BIO *b);
int BIO_set_conn_mode(BIO *b, int mode);
int BIO_get_conn_mode(BIO *b);
int BIO_set_tfo(BIO *b, int onoff);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_ctrl(), BIO_callback_ctrl(), BIO_ptr_ctrl() and BIO_int_ctrl() are BIO &quot;control&quot; operations taking arguments of various types. These functions are not normally called directly; various macros are used instead. The standard macros are described below. Macros specific to a particular type of BIO are described in that BIO&#39;s manual page, as are any special features of the standard calls.</p>
<p>BIO_reset() typically resets a BIO to some initial state, in the case of file related BIOs for example it rewinds the file pointer to the start of the file.</p>
<p>BIO_seek() resets the file position pointer of a file related BIO (that is, a file descriptor or FILE BIO) to <b>ofs</b> bytes from the start of the file.</p>
<p>BIO_tell() returns the current file position of a file related BIO.</p>
<p>BIO_flush() normally writes out any internally buffered data, in some cases it is used to signal EOF and that no more data will be written.</p>
<p>BIO_eof() returns 1 if the BIO has read EOF, the precise meaning of &quot;EOF&quot; varies according to the BIO type.</p>
<p>BIO_set_close() sets the BIO <b>b</b> close flag to <b>flag</b>. <b>flag</b> can take the value BIO_CLOSE or BIO_NOCLOSE. Typically BIO_CLOSE is used in a source/sink BIO to indicate that the underlying I/O stream should be closed when the BIO is freed.</p>
<p>BIO_get_close() returns the BIO&#39;s close flag.</p>
<p>BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending() return the number of pending characters in the BIO&#39;s read and write buffers. Not all BIOs support these calls. BIO_ctrl_pending() and BIO_ctrl_wpending() return a size_t type and are functions; BIO_pending() and BIO_wpending() are macros which call BIO_ctrl().</p>
<p>BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for sending. Otherwise, it returns zero. BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for receiving. Otherwise, it returns zero.</p>
<p>BIO_get_conn_mode() returns the BIO connection mode. BIO_set_conn_mode() sets the BIO connection mode.</p>
<p>BIO_set_tfo() disables TCP Fast Open when <b>onoff</b> is 0, and enables TCP Fast Open when <b>onoff</b> is nonzero. Setting the value to 1 is equivalent to setting <b>BIO_SOCK_TFO</b> in BIO_set_conn_mode().</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_reset() normally returns 1 for success and &lt;=0 for failure. File BIOs are an exception, they return 0 for success and -1 for failure.</p>
<p>BIO_seek() and BIO_tell() both return the current file position on success and -1 for failure, except file BIOs which for BIO_seek() always return 0 for success and -1 for failure.</p>
<p>BIO_flush() returns 1 for success and &lt;=0 for failure.</p>
<p>BIO_eof() returns 1 if EOF has been reached, 0 if not, or negative values for failure.</p>
<p>BIO_set_close() returns 1 on success or &lt;=0 for failure.</p>
<p>BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. It also returns other negative values if an error occurs.</p>
<p>BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending() return the amount of pending data. BIO_pending() and BIO_wpending() return negative value or 0 on error. BIO_ctrl_pending() and BIO_ctrl_wpending() return 0 on error.</p>
<p>BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for sending. Otherwise, it returns zero. BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for receiving. Otherwise, it returns zero.</p>
<p>BIO_set_conn_mode() returns 1 for success and 0 for failure. BIO_get_conn_mode() returns the current connection mode. Which may contain the bitwise-or of the following flags:</p>
<pre><code> BIO_SOCK_REUSEADDR
BIO_SOCK_V6_ONLY
BIO_SOCK_KEEPALIVE
BIO_SOCK_NONBLOCK
BIO_SOCK_NODELAY
BIO_SOCK_TFO</code></pre>
<p>BIO_set_tfo() returns 1 for success, and 0 for failure.</p>
<h1 id="NOTES">NOTES</h1>
<p>BIO_flush(), because it can write data, may return 0 or -1 indicating that the call should be retried later in a similar manner to BIO_write_ex(). The BIO_should_retry() call should be used and appropriate action taken if the call fails.</p>
<p>The return values of BIO_pending() and BIO_wpending() may not reliably determine the amount of pending data in all cases. For example in the case of a file BIO some data may be available in the FILE structure&#39;s internal buffers but it is not possible to determine this in a portable way. For other types of BIO they may not be supported.</p>
<p>Filter BIOs if they do not internally handle a particular BIO_ctrl() operation usually pass the operation to the next BIO in the chain. This often means there is no need to locate the required BIO for a particular operation, it can be called on a chain and it will be automatically passed to the relevant BIO. However, this can cause unexpected results: for example no current filter BIOs implement BIO_seek(), but this may still succeed if the chain ends in a FILE or file descriptor BIO.</p>
<p>Source/sink BIOs return 0 if they do not recognize the BIO_ctrl() operation.</p>
<h1 id="BUGS">BUGS</h1>
<p>Some of the return values are ambiguous and care should be taken. In particular a return value of 0 can be returned if an operation is not supported, if an error occurred, if EOF has not been reached and in the case of BIO_seek() on a file BIO for a successful operation.</p>
<p>In older versions of OpenSSL the BIO_ctrl_pending() and BIO_ctrl_wpending() could return values greater than INT_MAX on error.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The BIO_get_ktls_send() and BIO_get_ktls_recv() macros were added in OpenSSL 3.0. They were modified to never return -1 in OpenSSL 3.0.4.</p>
<p>The BIO_get_conn_mode(), BIO_set_conn_mode() and BIO_set_tfo() functions were added in OpenSSL 3.2.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,108 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_f_base64</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_f_base64 - base64 BIO filter</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
#include &lt;openssl/evp.h&gt;
const BIO_METHOD *BIO_f_base64(void);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_f_base64() returns the base64 BIO method. This is a filter BIO that base64 encodes any data written through it and decodes any data read through it.</p>
<p>Base64 BIOs do not support BIO_gets() or BIO_puts().</p>
<p>For writing, output is by default divided into lines of 64 characters and there is always a newline at the end of the output.</p>
<p>For reading, the first line must be at most 1024 characters long; a longer first line is ignored completely. Other input lines can be of any length. There must be a newline at the end of the input.</p>
<p>This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag.</p>
<p>BIO_flush() on a base64 BIO that is being written through is used to signal that no more data is to be encoded: this is used to flush the final block through the BIO.</p>
<p>The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags(). For writing, it causes all data to be written on one line without newline at the end. For reading, it expects the data to be all on one line (with or without a trailing newline).</p>
<h1 id="NOTES">NOTES</h1>
<p>Because of the format of base64 encoding the end of the encoded block cannot always be reliably determined.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_f_base64() returns the base64 BIO method.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Base64 encode the string &quot;Hello World\n&quot; and write the result to standard output:</p>
<pre><code> BIO *bio, *b64;
char message[] = &quot;Hello World\n&quot;;
b64 = BIO_new(BIO_f_base64());
bio = BIO_new_fp(stdout, BIO_NOCLOSE);
BIO_push(b64, bio);
BIO_write(b64, message, strlen(message));
BIO_flush(b64);
BIO_free_all(b64);</code></pre>
<p>Read Base64 encoded data from standard input and write the decoded data to standard output:</p>
<pre><code> BIO *bio, *b64, *bio_out;
char inbuf[512];
int inlen;
b64 = BIO_new(BIO_f_base64());
bio = BIO_new_fp(stdin, BIO_NOCLOSE);
bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
BIO_push(b64, bio);
while ((inlen = BIO_read(b64, inbuf, 512)) &gt; 0)
BIO_write(bio_out, inbuf, inlen);
BIO_flush(bio_out);
BIO_free_all(b64);</code></pre>
<h1 id="BUGS">BUGS</h1>
<p>The ambiguity of EOF in base64 encoded data can cause additional data following the base64 encoded block to be misinterpreted.</p>
<p>There should be some way of specifying a test that the BIO can perform to reliably determine EOF (for example a MIME boundary).</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,89 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_f_buffer</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_get_buffer_num_lines, BIO_set_read_buffer_size, BIO_set_write_buffer_size, BIO_set_buffer_size, BIO_set_buffer_read_data, BIO_f_buffer - buffering BIO</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
const BIO_METHOD *BIO_f_buffer(void);
long BIO_get_buffer_num_lines(BIO *b);
long BIO_set_read_buffer_size(BIO *b, long size);
long BIO_set_write_buffer_size(BIO *b, long size);
long BIO_set_buffer_size(BIO *b, long size);
long BIO_set_buffer_read_data(BIO *b, void *buf, long num);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_f_buffer() returns the buffering BIO method.</p>
<p>Data written to a buffering BIO is buffered and periodically written to the next BIO in the chain. Data read from a buffering BIO comes from an internal buffer which is filled from the next BIO in the chain. Both BIO_gets() and BIO_puts() are supported.</p>
<p>Calling BIO_reset() on a buffering BIO clears any buffered data.</p>
<p>BIO_get_buffer_num_lines() returns the number of lines currently buffered.</p>
<p>BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size() set the read, write or both read and write buffer sizes to <b>size</b>. The initial buffer size is DEFAULT_BUFFER_SIZE, currently 4096. Any attempt to reduce the buffer size below DEFAULT_BUFFER_SIZE is ignored. Any buffered data is cleared when the buffer is resized.</p>
<p>BIO_set_buffer_read_data() clears the read buffer and fills it with <b>num</b> bytes of <b>buf</b>. If <b>num</b> is larger than the current buffer size the buffer is expanded.</p>
<h1 id="NOTES">NOTES</h1>
<p>These functions, other than BIO_f_buffer(), are implemented as macros.</p>
<p>Buffering BIOs implement BIO_read_ex() and BIO_gets() by using BIO_read_ex() operations on the next BIO in the chain and storing the result in an internal buffer, from which bytes are given back to the caller as appropriate for the call; a BIO_gets() is guaranteed to give the caller a whole line, and BIO_read_ex() is guaranteed to give the caller the number of bytes it asks for, unless there&#39;s an error or end of communication is reached in the next BIO. By prepending a buffering BIO to a chain it is therefore possible to provide BIO_gets() or exact size BIO_read_ex() functionality if the following BIOs do not support it.</p>
<p>Do not add more than one BIO_f_buffer() to a BIO chain. The result of doing so will force a full read of the size of the internal buffer of the top BIO_f_buffer(), which is 4 KiB at a minimum.</p>
<p>Data is only written to the next BIO in the chain when the write buffer fills or when BIO_flush() is called. It is therefore important to call BIO_flush() whenever any pending data should be written such as when removing a buffering BIO using BIO_pop(). BIO_flush() may need to be retried if the ultimate source/sink BIO is non blocking.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_f_buffer() returns the buffering BIO method.</p>
<p>BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0) or a negative value in case of errors.</p>
<p>BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size() return 1 if the buffer was successfully resized or &lt;=0 for failure.</p>
<p>BIO_set_buffer_read_data() returns 1 if the data was set correctly or &lt;=0 if there was an error.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/bio.html">bio(7)</a>, <a href="../man3/BIO_reset.html">BIO_reset(3)</a>, <a href="../man3/BIO_flush.html">BIO_flush(3)</a>, <a href="../man3/BIO_pop.html">BIO_pop(3)</a>, <a href="../man3/BIO_ctrl.html">BIO_ctrl(3)</a>.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,81 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_f_cipher</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx - cipher BIO filter</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
#include &lt;openssl/evp.h&gt;
const BIO_METHOD *BIO_f_cipher(void);
int BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv, int enc);
int BIO_get_cipher_status(BIO *b);
int BIO_get_cipher_ctx(BIO *b, EVP_CIPHER_CTX **pctx);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_f_cipher() returns the cipher BIO method. This is a filter BIO that encrypts any data written through it, and decrypts any data read from it. It is a BIO wrapper for the cipher routines EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal().</p>
<p>Cipher BIOs do not support BIO_gets() or BIO_puts().</p>
<p>BIO_flush() on an encryption BIO that is being written through is used to signal that no more data is to be encrypted: this is used to flush and possibly pad the final block through the BIO.</p>
<p>BIO_set_cipher() sets the cipher of BIO <b>b</b> to <b>cipher</b> using key <b>key</b> and IV <b>iv</b>. <b>enc</b> should be set to 1 for encryption and zero for decryption.</p>
<p>When reading from an encryption BIO the final block is automatically decrypted and checked when EOF is detected. BIO_get_cipher_status() is a BIO_ctrl() macro which can be called to determine whether the decryption operation was successful.</p>
<p>BIO_get_cipher_ctx() is a BIO_ctrl() macro which retrieves the internal BIO cipher context. The retrieved context can be used in conjunction with the standard cipher routines to set it up. This is useful when BIO_set_cipher() is not flexible enough for the applications needs.</p>
<h1 id="NOTES">NOTES</h1>
<p>When encrypting BIO_flush() <b>must</b> be called to flush the final block through the BIO. If it is not then the final block will fail a subsequent decrypt.</p>
<p>When decrypting an error on the final block is signaled by a zero return value from the read operation. A successful decrypt followed by EOF will also return zero for the final read. BIO_get_cipher_status() should be called to determine if the decrypt was successful.</p>
<p>As always, if BIO_gets() or BIO_puts() support is needed then it can be achieved by preceding the cipher BIO with a buffering BIO.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_f_cipher() returns the cipher BIO method.</p>
<p>BIO_set_cipher() returns 1 for success and 0 for failure.</p>
<p>BIO_get_cipher_status() returns 1 for a successful decrypt and &lt;=0 for failure.</p>
<p>BIO_get_cipher_ctx() returns 1 for success and &lt;=0 for failure.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

@ -1,156 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_f_md</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx - message digest BIO filter</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
#include &lt;openssl/evp.h&gt;
const BIO_METHOD *BIO_f_md(void);
int BIO_set_md(BIO *b, EVP_MD *md);
int BIO_get_md(BIO *b, EVP_MD **mdp);
int BIO_get_md_ctx(BIO *b, EVP_MD_CTX **mdcp);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_f_md() returns the message digest BIO method. This is a filter BIO that digests any data passed through it. It is a BIO wrapper for the digest routines EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal().</p>
<p>Any data written or read through a digest BIO using BIO_read_ex() and BIO_write_ex() is digested.</p>
<p>BIO_gets(), if its <b>size</b> parameter is large enough finishes the digest calculation and returns the digest value. BIO_puts() is not supported.</p>
<p>BIO_reset() reinitialises a digest BIO.</p>
<p>BIO_set_md() sets the message digest of BIO <b>b</b> to <b>md</b>: this must be called to initialize a digest BIO before any data is passed through it. It is a BIO_ctrl() macro.</p>
<p>BIO_get_md() places a pointer to the digest BIOs digest method in <b>mdp</b>. It is a BIO_ctrl() macro.</p>
<p>BIO_get_md_ctx() returns the digest BIOs context into <b>mdcp</b>.</p>
<h1 id="NOTES">NOTES</h1>
<p>The context returned by BIO_get_md_ctx() can be used in calls to EVP_DigestFinal() and also the signature routines EVP_SignFinal() and EVP_VerifyFinal().</p>
<p>The context returned by BIO_get_md_ctx() is an internal context structure. Changes made to this context will affect the digest BIO itself and the context pointer will become invalid when the digest BIO is freed.</p>
<p>After the digest has been retrieved from a digest BIO it must be reinitialized by calling BIO_reset(), or BIO_set_md() before any more data is passed through it.</p>
<p>If an application needs to call BIO_gets() or BIO_puts() through a chain containing digest BIOs then this can be done by prepending a buffering BIO.</p>
<p>Calling BIO_get_md_ctx() will return the context and initialize the BIO state. This allows applications to initialize the context externally if the standard calls such as BIO_set_md() are not sufficiently flexible.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_f_md() returns the digest BIO method.</p>
<p>BIO_set_md(), BIO_get_md() and BIO_md_ctx() return 1 for success and &lt;=0 for failure.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>The following example creates a BIO chain containing an SHA1 and MD5 digest BIO and passes the string &quot;Hello World&quot; through it. Error checking has been omitted for clarity.</p>
<pre><code> BIO *bio, *mdtmp;
char message[] = &quot;Hello World&quot;;
bio = BIO_new(BIO_s_null());
mdtmp = BIO_new(BIO_f_md());
BIO_set_md(mdtmp, EVP_sha1());
/*
* For BIO_push() we want to append the sink BIO and keep a note of
* the start of the chain.
*/
bio = BIO_push(mdtmp, bio);
mdtmp = BIO_new(BIO_f_md());
BIO_set_md(mdtmp, EVP_md5());
bio = BIO_push(mdtmp, bio);
/* Note: mdtmp can now be discarded */
BIO_write(bio, message, strlen(message));</code></pre>
<p>The next example digests data by reading through a chain instead:</p>
<pre><code> BIO *bio, *mdtmp;
char buf[1024];
int rdlen;
bio = BIO_new_file(file, &quot;rb&quot;);
mdtmp = BIO_new(BIO_f_md());
BIO_set_md(mdtmp, EVP_sha1());
bio = BIO_push(mdtmp, bio);
mdtmp = BIO_new(BIO_f_md());
BIO_set_md(mdtmp, EVP_md5());
bio = BIO_push(mdtmp, bio);
do {
rdlen = BIO_read(bio, buf, sizeof(buf));
/* Might want to do something with the data here */
} while (rdlen &gt; 0);</code></pre>
<p>This next example retrieves the message digests from a BIO chain and outputs them. This could be used with the examples above.</p>
<pre><code> BIO *mdtmp;
unsigned char mdbuf[EVP_MAX_MD_SIZE];
int mdlen;
int i;
mdtmp = bio; /* Assume bio has previously been set up */
do {
EVP_MD *md;
mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD);
if (!mdtmp)
break;
BIO_get_md(mdtmp, &amp;md);
printf(&quot;%s digest&quot;, OBJ_nid2sn(EVP_MD_get_type(md)));
mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE);
for (i = 0; i &lt; mdlen; i++) printf(&quot;:%02X&quot;, mdbuf[i]);
printf(&quot;\n&quot;);
mdtmp = BIO_next(mdtmp);
} while (mdtmp);
BIO_free_all(bio);</code></pre>
<h1 id="BUGS">BUGS</h1>
<p>The lack of support for BIO_puts() and the non standard behaviour of BIO_gets() could be regarded as anomalous. It could be argued that BIO_gets() and BIO_puts() should be passed to the next BIO in the chain and digest the data passed through and that digests should be retrieved using a separate BIO_ctrl() call.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>Before OpenSSL 1.0.0., the call to BIO_get_md_ctx() would only work if the BIO was initialized first.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
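Review bot: the RETURN VALUES paragraph of this page names BIO_md_ctx(), a function that appears nowhere in the SYNOPSIS (the macro declared there is BIO_get_md_ctx()), and the HISTORY line reads "Before OpenSSL 1.0.0.," with a doubled full stop; both slips are carried verbatim from the upstream documentation, so this copy holds no local corrections that the deletion would lose, which is the one thing worth checking before removing 800-plus generated files in a single commit.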

@ -1,58 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_f_null</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_f_null - null filter</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
const BIO_METHOD *BIO_f_null(void);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_f_null() returns the null filter BIO method. This is a filter BIO that does nothing.</p>
<p>All requests to a null filter BIO are passed through to the next BIO in the chain: this means that a BIO chain containing a null filter BIO behaves just as though the BIO was not there.</p>
<h1 id="NOTES">NOTES</h1>
<p>As may be apparent a null filter BIO is not particularly useful.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_f_null() returns the null filter BIO method.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

@ -1,80 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_f_prefix</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_f_prefix, BIO_set_prefix, BIO_set_indent, BIO_get_indent - prefix BIO filter</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
const BIO_METHOD *BIO_f_prefix(void);
long BIO_set_prefix(BIO *b, const char *prefix);
long BIO_set_indent(BIO *b, long indent);
long BIO_get_indent(BIO *b);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_f_cipher() returns the prefix BIO method. This is a filter for text output, where each line gets automatically prefixed and indented according to user input.</p>
<p>The prefix and the indentation are combined. For each line of output going through this filter, the prefix is output first, then the amount of additional spaces indicated by the indentation, and then the line itself.</p>
<p>By default, there is no prefix, and indentation is set to 0.</p>
<p>BIO_set_prefix() sets the prefix to be used for future lines of text, using <i>prefix</i>. <i>prefix</i> may be NULL, signifying that there should be no prefix. If <i>prefix</i> isn&#39;t NULL, this function makes a copy of it.</p>
<p>BIO_set_indent() sets the indentation to be used for future lines of text, using <i>indent</i>. Negative values are not allowed.</p>
<p>BIO_get_indent() gets the current indentation.</p>
<h1 id="NOTES">NOTES</h1>
<p>BIO_set_prefix(), BIO_set_indent() and BIO_get_indent() are implemented as macros.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_f_prefix() returns the prefix BIO method.</p>
<p>BIO_set_prefix() returns 1 if the prefix was correctly set, or &lt;=0 on failure.</p>
<p>BIO_set_indent() returns 1 if the prefix was correctly set, or &lt;=0 on failure.</p>
<p>BIO_get_indent() returns the current indentation, or a negative value for failure.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/bio.html">bio(7)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
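Review bot: the DESCRIPTION of this page opens with "BIO_f_cipher() returns the prefix BIO method" although the page documents BIO_f_prefix(), and under RETURN VALUES the BIO_set_indent() line repeats the BIO_set_prefix() wording ("returns 1 if the prefix was correctly set"); as with the BIO_f_md page, these are upstream documentation slips reproduced unchanged, confirming the copy was not locally maintained and can go without losing fixes.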

@ -1,69 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_f_readbuffer</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_f_readbuffer - read only buffering BIO that supports BIO_tell() and BIO_seek()</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
const BIO_METHOD *BIO_f_readbuffer(void);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_f_readbuffer() returns the read buffering BIO method.</p>
<p>This BIO filter can be inserted on top of BIO&#39;s that do not support BIO_tell() or BIO_seek() (e.g. A file BIO that uses stdin).</p>
<p>Data read from a read buffering BIO comes from an internal buffer which is filled from the next BIO in the chain.</p>
<p>BIO_gets() is supported for read buffering BIOs. Writing data to a read buffering BIO is not supported.</p>
<p>Calling BIO_reset() on a read buffering BIO does not clear any buffered data.</p>
<h1 id="NOTES">NOTES</h1>
<p>Read buffering BIOs implement BIO_read_ex() by using BIO_read_ex() operations on the next BIO (e.g. a file BIO) in the chain and storing the result in an internal buffer, from which bytes are given back to the caller as appropriate for the call. BIO_read_ex() is guaranteed to give the caller the number of bytes it asks for, unless there&#39;s an error or end of communication is reached in the next BIO. The internal buffer can grow to cache the entire contents of the next BIO in the chain. BIO_seek() uses the internal buffer, so that it can only seek into data that is already read.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_f_readbuffer() returns the read buffering BIO method.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/bio.html">bio(7)</a>, <a href="../man3/BIO_read.html">BIO_read(3)</a>, <a href="../man3/BIO_gets.html">BIO_gets(3)</a>, <a href="../man3/BIO_reset.html">BIO_reset(3)</a>, <a href="../man3/BIO_ctrl.html">BIO_ctrl(3)</a>.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

@ -1,258 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_f_ssl</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_do_handshake, BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes, BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl, BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id, BIO_ssl_shutdown - SSL BIO</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
#include &lt;openssl/ssl.h&gt;
const BIO_METHOD *BIO_f_ssl(void);
long BIO_set_ssl(BIO *b, SSL *ssl, long c);
long BIO_get_ssl(BIO *b, SSL **sslp);
long BIO_set_ssl_mode(BIO *b, long client);
long BIO_set_ssl_renegotiate_bytes(BIO *b, long num);
long BIO_set_ssl_renegotiate_timeout(BIO *b, long seconds);
long BIO_get_num_renegotiates(BIO *b);
BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
int BIO_ssl_copy_session_id(BIO *to, BIO *from);
void BIO_ssl_shutdown(BIO *bio);
long BIO_do_handshake(BIO *b);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_f_ssl() returns the SSL BIO method. This is a filter BIO which is a wrapper round the OpenSSL SSL routines adding a BIO &quot;flavour&quot; to SSL I/O.</p>
<p>I/O performed on an SSL BIO communicates using the SSL protocol with the SSLs read and write BIOs. If an SSL connection is not established then an attempt is made to establish one on the first I/O call.</p>
<p>If a BIO is appended to an SSL BIO using BIO_push() it is automatically used as the SSL BIOs read and write BIOs.</p>
<p>Calling BIO_reset() on an SSL BIO closes down any current SSL connection by calling SSL_shutdown(). BIO_reset() is then sent to the next BIO in the chain: this will typically disconnect the underlying transport. The SSL BIO is then reset to the initial accept or connect state.</p>
<p>If the close flag is set when an SSL BIO is freed then the internal SSL structure is also freed using SSL_free().</p>
<p>BIO_set_ssl() sets the internal SSL pointer of SSL BIO <b>b</b> to <b>ssl</b> using the close flag <b>c</b>.</p>
<p>BIO_get_ssl() retrieves the SSL pointer of SSL BIO <b>b</b>, it can then be manipulated using the standard SSL library functions.</p>
<p>BIO_set_ssl_mode() sets the SSL BIO mode to <b>client</b>. If <b>client</b> is 1 client mode is set. If <b>client</b> is 0 server mode is set.</p>
<p>BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count of SSL BIO <b>b</b> to <b>num</b>. When set after every <b>num</b> bytes of I/O (read and write) the SSL session is automatically renegotiated. <b>num</b> must be at least 512 bytes.</p>
<p>BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout of SSL BIO <b>b</b> to <b>seconds</b>. When the renegotiate timeout elapses the session is automatically renegotiated.</p>
<p>BIO_get_num_renegotiates() returns the total number of session renegotiations due to I/O or timeout of SSL BIO <b>b</b>.</p>
<p>BIO_new_ssl() allocates an SSL BIO using SSL_CTX <b>ctx</b> and using client mode if <b>client</b> is non zero.</p>
<p>BIO_new_ssl_connect() creates a new BIO chain consisting of an SSL BIO (using <b>ctx</b>) followed by a connect BIO.</p>
<p>BIO_new_buffer_ssl_connect() creates a new BIO chain consisting of a buffering BIO, an SSL BIO (using <b>ctx</b>), and a connect BIO.</p>
<p>BIO_ssl_copy_session_id() copies an SSL session id between BIO chains <b>from</b> and <b>to</b>. It does this by locating the SSL BIOs in each chain and calling SSL_copy_session_id() on the internal SSL pointer.</p>
<p>BIO_ssl_shutdown() closes down an SSL connection on BIO chain <b>bio</b>. It does this by locating the SSL BIO in the chain and calling SSL_shutdown() on its internal SSL pointer.</p>
<p>BIO_do_handshake() attempts to complete an SSL handshake on the supplied BIO and establish the SSL connection. For non-SSL BIOs the connection is done typically at TCP level. If domain name resolution yields multiple IP addresses all of them are tried after connect() failures. The function returns 1 if the connection was established successfully. A zero or negative value is returned if the connection could not be established. The call BIO_should_retry() should be used for nonblocking connect BIOs to determine if the call should be retried. If a connection has already been established this call has no effect.</p>
<h1 id="NOTES">NOTES</h1>
<p>SSL BIOs are exceptional in that if the underlying transport is non blocking they can still request a retry in exceptional circumstances. Specifically this will happen if a session renegotiation takes place during a BIO_read_ex() operation, one case where this happens is when step up occurs.</p>
<p>The SSL flag SSL_AUTO_RETRY can be set to disable this behaviour. That is when this flag is set an SSL BIO using a blocking transport will never request a retry.</p>
<p>Since unknown BIO_ctrl() operations are sent through filter BIOs the servers name and port can be set using BIO_set_host() on the BIO returned by BIO_new_ssl_connect() without having to locate the connect BIO first.</p>
<p>Applications do not have to call BIO_do_handshake() but may wish to do so to separate the handshake process from other I/O processing.</p>
<p>BIO_set_ssl(), BIO_get_ssl(), BIO_set_ssl_mode(), BIO_set_ssl_renegotiate_bytes(), BIO_set_ssl_renegotiate_timeout(), BIO_get_num_renegotiates(), and BIO_do_handshake() are implemented as macros.</p>
<p>BIO_ssl_copy_session_id() is not currently supported on QUIC SSL objects and fails if called on such an object.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_f_ssl() returns the SSL <b>BIO_METHOD</b> structure.</p>
<p>BIO_set_ssl(), BIO_get_ssl(), BIO_set_ssl_mode(), BIO_set_ssl_renegotiate_bytes(), BIO_set_ssl_renegotiate_timeout() and BIO_get_num_renegotiates() return 1 on success or a value which is less than or equal to 0 if an error occurred.</p>
<p>BIO_new_ssl(), BIO_new_ssl_connect() and BIO_new_buffer_ssl_connect() return a valid <b>BIO</b> structure on success or <b>NULL</b> if an error occurred.</p>
<p>BIO_ssl_copy_session_id() returns 1 on success or 0 on error, or if called on a QUIC SSL object.</p>
<p>BIO_do_handshake() returns 1 if the connection was established successfully. A zero or negative value is returned if the connection could not be established.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>This SSL/TLS client example attempts to retrieve a page from an SSL/TLS web server. The I/O routines are identical to those of the unencrypted example in <a href="../man3/BIO_s_connect.html">BIO_s_connect(3)</a>.</p>
<pre><code> BIO *sbio, *out;
int len;
char tmpbuf[1024];
SSL_CTX *ctx;
SSL *ssl;
/* XXX Seed the PRNG if needed. */
ctx = SSL_CTX_new(TLS_client_method());
/* XXX Set verify paths and mode here. */
sbio = BIO_new_ssl_connect(ctx);
BIO_get_ssl(sbio, &amp;ssl);
if (ssl == NULL) {
fprintf(stderr, &quot;Can&#39;t locate SSL pointer\n&quot;);
ERR_print_errors_fp(stderr);
exit(1);
}
/* XXX We might want to do other things with ssl here */
/* An empty host part means the loopback address */
BIO_set_conn_hostname(sbio, &quot;:https&quot;);
out = BIO_new_fp(stdout, BIO_NOCLOSE);
if (BIO_do_connect(sbio) &lt;= 0) {
fprintf(stderr, &quot;Error connecting to server\n&quot;);
ERR_print_errors_fp(stderr);
exit(1);
}
/* XXX Could examine ssl here to get connection info */
BIO_puts(sbio, &quot;GET / HTTP/1.0\n\n&quot;);
for (;;) {
len = BIO_read(sbio, tmpbuf, 1024);
if (len &lt;= 0)
break;
BIO_write(out, tmpbuf, len);
}
BIO_free_all(sbio);
BIO_free(out);</code></pre>
<p>Here is a simple server example. It makes use of a buffering BIO to allow lines to be read from the SSL BIO using BIO_gets. It creates a pseudo web page containing the actual request from a client and also echoes the request to standard output.</p>
<pre><code> BIO *sbio, *bbio, *acpt, *out;
int len;
char tmpbuf[1024];
SSL_CTX *ctx;
SSL *ssl;
/* XXX Seed the PRNG if needed. */
ctx = SSL_CTX_new(TLS_server_method());
if (!SSL_CTX_use_certificate_file(ctx, &quot;server.pem&quot;, SSL_FILETYPE_PEM)
|| !SSL_CTX_use_PrivateKey_file(ctx, &quot;server.pem&quot;, SSL_FILETYPE_PEM)
|| !SSL_CTX_check_private_key(ctx)) {
fprintf(stderr, &quot;Error setting up SSL_CTX\n&quot;);
ERR_print_errors_fp(stderr);
exit(1);
}
/* XXX Other things like set verify locations, EDH temp callbacks. */
/* New SSL BIO setup as server */
sbio = BIO_new_ssl(ctx, 0);
BIO_get_ssl(sbio, &amp;ssl);
if (ssl == NULL) {
fprintf(stderr, &quot;Can&#39;t locate SSL pointer\n&quot;);
ERR_print_errors_fp(stderr);
exit(1);
}
bbio = BIO_new(BIO_f_buffer());
sbio = BIO_push(bbio, sbio);
acpt = BIO_new_accept(&quot;4433&quot;);
/*
* By doing this when a new connection is established
* we automatically have sbio inserted into it. The
* BIO chain is now &#39;swallowed&#39; by the accept BIO and
* will be freed when the accept BIO is freed.
*/
BIO_set_accept_bios(acpt, sbio);
out = BIO_new_fp(stdout, BIO_NOCLOSE);
/* First call to BIO_do_accept() sets up accept BIO */
if (BIO_do_accept(acpt) &lt;= 0) {
fprintf(stderr, &quot;Error setting up accept BIO\n&quot;);
ERR_print_errors_fp(stderr);
exit(1);
}</code></pre>
<p>/* Second call to BIO_do_accept() waits for incoming connection */ if (BIO_do_accept(acpt) &lt;= 0) { fprintf(stderr, &quot;Error accepting connection\n&quot;); ERR_print_errors_fp(stderr); exit(1); }</p>
<pre><code> /* We only want one connection so remove and free accept BIO */
sbio = BIO_pop(acpt);
BIO_free_all(acpt);
if (BIO_do_handshake(sbio) &lt;= 0) {
fprintf(stderr, &quot;Error in SSL handshake\n&quot;);
ERR_print_errors_fp(stderr);
exit(1);
}
BIO_puts(sbio, &quot;HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n&quot;);
BIO_puts(sbio, &quot;\r\nConnection Established\r\nRequest headers:\r\n&quot;);
BIO_puts(sbio, &quot;--------------------------------------------------\r\n&quot;);
for (;;) {
len = BIO_gets(sbio, tmpbuf, 1024);
if (len &lt;= 0)
break;
BIO_write(sbio, tmpbuf, len);
BIO_write(out, tmpbuf, len);
/* Look for blank line signifying end of headers*/
if (tmpbuf[0] == &#39;\r&#39; || tmpbuf[0] == &#39;\n&#39;)
break;
}
BIO_puts(sbio, &quot;--------------------------------------------------\r\n&quot;);
BIO_puts(sbio, &quot;\r\n&quot;);
BIO_flush(sbio);
BIO_free_all(sbio);</code></pre>
<h1 id="HISTORY">HISTORY</h1>
<p>In OpenSSL before 1.0.0 the BIO_pop() call was handled incorrectly, the I/O BIO reference count was incorrectly incremented (instead of decremented) and dissociated with the SSL BIO even if the SSL BIO was not explicitly being popped (e.g. a pop higher up the chain). Applications which included workarounds for this bug (e.g. freeing BIOs more than once) should be modified to handle this fix or they may free up an already freed BIO.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
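Review bot: the server example under EXAMPLES is mis-rendered in this copy: the step `/* Second call to BIO_do_accept() waits for incoming connection */ if (BIO_do_accept(acpt) <= 0) { ... }` sits in an ordinary paragraph between the two pre/code listings instead of inside the listing, with its line breaks collapsed, so the generated HTML was already broken here before this commit. That supports the removal, and if prebuilt documentation is wanted again it should be regenerated from the POD sources rather than restored from this file.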

@ -1,83 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_find_type</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_find_type, BIO_next, BIO_method_type - BIO chain traversal</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
BIO *BIO_find_type(BIO *b, int bio_type);
BIO *BIO_next(BIO *b);
int BIO_method_type(const BIO *b);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The BIO_find_type() searches for a BIO of a given type in a chain, starting at BIO <b>b</b>. If <b>type</b> is a specific type (such as <b>BIO_TYPE_MEM</b>) then a search is made for a BIO of that type. If <b>type</b> is a general type (such as <b>BIO_TYPE_SOURCE_SINK</b>) then the next matching BIO of the given general type is searched for. BIO_find_type() returns the next matching BIO or NULL if none is found.</p>
<p>The following general types are defined: <b>BIO_TYPE_DESCRIPTOR</b>, <b>BIO_TYPE_FILTER</b>, and <b>BIO_TYPE_SOURCE_SINK</b>.</p>
<p>For a list of the specific types, see the <i>&lt;openssl/bio.h&gt;</i> header file.</p>
<p>BIO_next() returns the next BIO in a chain. It can be used to traverse all BIOs in a chain or used in conjunction with BIO_find_type() to find all BIOs of a certain type.</p>
<p>BIO_method_type() returns the type of a BIO.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_find_type() returns a matching BIO or NULL for no match.</p>
<p>BIO_next() returns the next BIO in a chain.</p>
<p>BIO_method_type() returns the type of the BIO <b>b</b>.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Traverse a chain looking for digest BIOs:</p>
<pre><code> BIO *btmp;
btmp = in_bio; /* in_bio is chain to search through */
do {
btmp = BIO_find_type(btmp, BIO_TYPE_MD);
if (btmp == NULL)
break; /* Not found */
/* btmp is a digest BIO, do something with it ...*/
...
btmp = BIO_next(btmp);
} while (btmp);</code></pre>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

@ -1,76 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_get_data</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_set_data, BIO_get_data, BIO_set_init, BIO_get_init, BIO_set_shutdown, BIO_get_shutdown - functions for managing BIO state information</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
void BIO_set_data(BIO *a, void *ptr);
void *BIO_get_data(BIO *a);
void BIO_set_init(BIO *a, int init);
int BIO_get_init(BIO *a);
void BIO_set_shutdown(BIO *a, int shut);
int BIO_get_shutdown(BIO *a);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>These functions are mainly useful when implementing a custom BIO.</p>
<p>The BIO_set_data() function associates the custom data pointed to by <b>ptr</b> with the BIO. This data can subsequently be retrieved via a call to BIO_get_data(). This can be used by custom BIOs for storing implementation specific information.</p>
<p>The BIO_set_init() function sets the value of the BIO&#39;s &quot;init&quot; flag to indicate whether initialisation has been completed for this BIO or not. A nonzero value indicates that initialisation is complete, whilst zero indicates that it is not. Often initialisation will complete during initial construction of the BIO. For some BIOs however, initialisation may not complete until after additional steps have occurred (for example through calling custom ctrls). The BIO_get_init() function returns the value of the &quot;init&quot; flag.</p>
<p>The BIO_set_shutdown() and BIO_get_shutdown() functions set and get the state of this BIO&#39;s shutdown (i.e. BIO_CLOSE) flag. If set then the underlying resource is also closed when the BIO is freed.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_get_data() returns a pointer to the implementation specific custom data associated with this BIO, or NULL if none has been set.</p>
<p>BIO_get_init() returns the state of the BIO&#39;s init flag.</p>
<p>BIO_get_shutdown() returns the state of the BIO&#39;s shutdown (i.e. BIO_CLOSE) flag.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/bio.html">bio(7)</a>, <a href="../man3/BIO_meth_new.html">BIO_meth_new(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The functions described here were added in OpenSSL 1.1.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,114 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_get_ex_new_index</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_get_ex_new_index, BIO_set_ex_data, BIO_get_ex_data, BIO_set_app_data, BIO_get_app_data, DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data, DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data, EC_KEY_get_ex_new_index, EC_KEY_set_ex_data, EC_KEY_get_ex_data, ENGINE_get_ex_new_index, ENGINE_set_ex_data, ENGINE_get_ex_data, EVP_PKEY_get_ex_new_index, EVP_PKEY_set_ex_data, EVP_PKEY_get_ex_data, RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data, RSA_set_app_data, RSA_get_app_data, SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data, SSL_set_app_data, SSL_get_app_data, SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data, SSL_CTX_set_app_data, SSL_CTX_get_app_data, SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data, SSL_SESSION_set_app_data, SSL_SESSION_get_app_data, UI_get_ex_new_index, UI_set_ex_data, UI_get_ex_data, UI_set_app_data, UI_get_app_data, X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_ex_data, X509_STORE_CTX_set_app_data, X509_STORE_CTX_get_app_data, X509_STORE_get_ex_new_index, X509_STORE_set_ex_data, X509_STORE_get_ex_data, X509_get_ex_new_index, X509_set_ex_data, X509_get_ex_data - application-specific data</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/x509.h&gt;
int TYPE_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func,
CRYPTO_EX_free *free_func);
int TYPE_set_ex_data(TYPE *d, int idx, void *arg);
void *TYPE_get_ex_data(const TYPE *d, int idx);
#define TYPE_set_app_data(TYPE *d, void *arg)
#define TYPE_get_app_data(TYPE *d)</code></pre>
<p>The following functions have been deprecated since OpenSSL 3.0, and can be hidden entirely by defining <b>OPENSSL_API_COMPAT</b> with a suitable version value, see <a href="../man7/openssl_user_macros.html">openssl_user_macros(7)</a>:</p>
<pre><code> int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int DH_set_ex_data(DH *type, int idx, void *arg);
void *DH_get_ex_data(DH *type, int idx);
int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int DSA_set_ex_data(DSA *type, int idx, void *arg);
void *DSA_get_ex_data(DSA *type, int idx);
int EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int EC_KEY_set_ex_data(EC_KEY *type, int idx, void *arg);
void *EC_KEY_get_ex_data(EC_KEY *type, int idx);
int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int RSA_set_ex_data(RSA *type, int idx, void *arg);
void *RSA_get_ex_data(RSA *type, int idx);
int RSA_set_app_data(RSA *type, void *arg);
void *RSA_get_app_data(RSA *type);
int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int ENGINE_set_ex_data(ENGINE *type, int idx, void *arg);
void *ENGINE_get_ex_data(ENGINE *type, int idx);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>In the description here, <i>TYPE</i> is used as a placeholder for any of the OpenSSL datatypes listed in <a href="../man3/CRYPTO_get_ex_new_index.html">CRYPTO_get_ex_new_index(3)</a>.</p>
<p>All functions with a <i>TYPE</i> of <b>DH</b>, <b>DSA</b>, <b>RSA</b> and <b>EC_KEY</b> are deprecated. Applications should instead use EVP_PKEY_set_ex_data(), EVP_PKEY_get_ex_data() and EVP_PKEY_get_ex_new_index().</p>
<p>All functions with a <i>TYPE</i> of <b>ENGINE</b> are deprecated. Applications that use engines should migrate to providers.</p>
<p>These functions handle application-specific data for OpenSSL data structures.</p>
<p>TYPE_get_ex_new_index() is a macro that calls CRYPTO_get_ex_new_index() with the correct <b>index</b> value.</p>
<p>TYPE_set_ex_data() is a function that calls CRYPTO_set_ex_data() with an offset into the opaque exdata part of the TYPE object.</p>
<p>TYPE_get_ex_data() is a function that calls CRYPTO_get_ex_data() with an offset into the opaque exdata part of the TYPE object.</p>
<p>For compatibility with previous releases, the exdata index of zero is reserved for &quot;application data.&quot; There are two convenience functions for this. TYPE_set_app_data() is a macro that invokes TYPE_set_ex_data() with <b>idx</b> set to zero. TYPE_get_app_data() is a macro that invokes TYPE_get_ex_data() with <b>idx</b> set to zero.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>TYPE_get_ex_new_index() returns a new index on success or -1 on error.</p>
<p>TYPE_set_ex_data() returns 1 on success or 0 on error.</p>
<p>TYPE_get_ex_data() returns the application data or NULL if an error occurred.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/CRYPTO_get_ex_new_index.html">CRYPTO_get_ex_new_index(3)</a>.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>The functions DH_get_ex_new_index(), DH_set_ex_data(), DH_get_ex_data(), DSA_get_ex_new_index(), DSA_set_ex_data(), DSA_get_ex_data(), EC_KEY_get_ex_new_index(), EC_KEY_set_ex_data(), EC_KEY_get_ex_data(), ENGINE_get_ex_new_index(), ENGINE_set_ex_data(), ENGINE_get_ex_data(), RSA_get_ex_new_index(), RSA_set_ex_data(), RSA_get_ex_data(), RSA_set_app_data() and RSA_get_app_data() were deprecated in OpenSSL 3.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,111 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_get_rpoll_descriptor</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_get_rpoll_descriptor, BIO_get_wpoll_descriptor - obtain a structure which can be used to determine when a BIO object can next be read or written</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
typedef struct bio_poll_descriptor_st {
uint32_t type;
union {
int fd;
void *custom;
uintptr_t custom_ui;
} value;
} BIO_POLL_DESCRIPTOR;
int BIO_get_rpoll_descriptor(BIO *b, BIO_POLL_DESCRIPTOR *desc);
int BIO_get_wpoll_descriptor(BIO *b, BIO_POLL_DESCRIPTOR *desc);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_get_rpoll_descriptor() and BIO_get_wpoll_descriptor(), on success, fill <i>*desc</i> with a poll descriptor. A poll descriptor is a tagged union structure which represents some kind of OS or non-OS resource which can be used to synchronise on I/O availability events.</p>
<p>BIO_get_rpoll_descriptor() outputs a descriptor which can be used to determine when the BIO can (potentially) next be read, and BIO_get_wpoll_descriptor() outputs a descriptor which can be used to determine when the BIO can (potentially) next be written.</p>
<p>It is permissible for BIO_get_rpoll_descriptor() and BIO_get_wpoll_descriptor() to output the same descriptor.</p>
<p>Poll descriptors can represent different kinds of information. A typical kind of resource which might be represented by a poll descriptor is an OS file descriptor which can be used with APIs such as select().</p>
<p>The kinds of poll descriptor defined by OpenSSL are:</p>
<dl>
<dt id="BIO_POLL_DESCRIPTOR_TYPE_NONE">BIO_POLL_DESCRIPTOR_TYPE_NONE</dt>
<dd>
<p>Represents the absence of a valid poll descriptor. It may be used by BIO_get_rpoll_descriptor() or BIO_get_wpoll_descriptor() to indicate that the BIO is not pollable for readability or writeability respectively.</p>
<p>For this type, no field within the <i>value</i> field of the <b>BIO_POLL_DESCRIPTOR</b> is valid.</p>
</dd>
<dt id="BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD">BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD</dt>
<dd>
<p>The poll descriptor represents an OS socket resource. The field <i>value.fd</i> in the <b>BIO_POLL_DESCRIPTOR</b> is valid if it is not set to -1.</p>
<p>The resource is whatever kind of handle is used by a given OS to represent sockets, which may vary by OS. For example, on Windows, the value is a <b>SOCKET</b> for use with the Winsock API. On POSIX-like platforms, it is a file descriptor.</p>
<p>Where a poll descriptor of this type is output by BIO_get_rpoll_descriptor(), it should be polled for readability to determine when the BIO might next be able to successfully complete a BIO_read() operation; likewise, where a poll descriptor of this type is output by BIO_get_wpoll_descriptor(), it should be polled for writeability to determine when the BIO might next be able to successfully complete a BIO_write() operation.</p>
</dd>
<dt id="BIO_POLL_DESCRIPTOR_CUSTOM_START">BIO_POLL_DESCRIPTOR_CUSTOM_START</dt>
<dd>
<p>Type values beginning with this value (inclusive) are reserved for application allocation for custom poll descriptor types. Any of the definitions in the union field <i>value</i> can be used by the application arbitrarily as opaque values.</p>
</dd>
</dl>
<p>Because poll descriptors are a tagged union structure, they can represent different kinds of information. New types of poll descriptor may be defined, including by applications, according to their needs.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>The functions BIO_get_rpoll_descriptor() and BIO_get_wpoll_descriptor() return 1 on success and 0 on failure.</p>
<p>These functions are permitted to succeed and initialise <i>*desc</i> with a poll descriptor of type <b>BIO_POLL_DESCRIPTOR_TYPE_NONE</b> to indicate that the BIO is not pollable for readability or writeability respectively.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/SSL_handle_events.html">SSL_handle_events(3)</a>, <a href="../man3/SSL_get_event_timeout.html">SSL_get_event_timeout(3)</a>, <a href="../man3/SSL_get_rpoll_descriptor.html">SSL_get_rpoll_descriptor(3)</a>, <a href="../man3/SSL_get_wpoll_descriptor.html">SSL_get_wpoll_descriptor(3)</a>, <a href="../man7/bio.html">bio(7)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>BIO_get_rpoll_descriptor() and BIO_get_wpoll_descriptor(), together with the corresponding SSL_get_rpoll_descriptor() and SSL_get_wpoll_descriptor() functions, were added in OpenSSL 3.2.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,148 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_meth_new</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_get_new_index, BIO_meth_new, BIO_meth_free, BIO_meth_get_read_ex, BIO_meth_set_read_ex, BIO_meth_get_write_ex, BIO_meth_set_write_ex, BIO_meth_get_write, BIO_meth_set_write, BIO_meth_get_read, BIO_meth_set_read, BIO_meth_get_puts, BIO_meth_set_puts, BIO_meth_get_gets, BIO_meth_set_gets, BIO_meth_get_ctrl, BIO_meth_set_ctrl, BIO_meth_get_create, BIO_meth_set_create, BIO_meth_get_destroy, BIO_meth_set_destroy, BIO_meth_get_callback_ctrl, BIO_meth_set_callback_ctrl, BIO_meth_set_sendmmsg, BIO_meth_get_sendmmsg, BIO_meth_set_recvmmsg, BIO_meth_get_recvmmsg - Routines to build up BIO methods</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
int BIO_get_new_index(void);
BIO_METHOD *BIO_meth_new(int type, const char *name);
void BIO_meth_free(BIO_METHOD *biom);
int (*BIO_meth_get_write_ex(const BIO_METHOD *biom))(BIO *, const char *, size_t,
size_t *);
int (*BIO_meth_get_write(const BIO_METHOD *biom))(BIO *, const char *, int);
int BIO_meth_set_write_ex(BIO_METHOD *biom,
int (*bwrite)(BIO *, const char *, size_t, size_t *));
int BIO_meth_set_write(BIO_METHOD *biom,
int (*write)(BIO *, const char *, int));
int (*BIO_meth_get_read_ex(const BIO_METHOD *biom))(BIO *, char *, size_t, size_t *);
int (*BIO_meth_get_read(const BIO_METHOD *biom))(BIO *, char *, int);
int BIO_meth_set_read_ex(BIO_METHOD *biom,
int (*bread)(BIO *, char *, size_t, size_t *));
int BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int));
int (*BIO_meth_get_puts(const BIO_METHOD *biom))(BIO *, const char *);
int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *));
int (*BIO_meth_get_gets(const BIO_METHOD *biom))(BIO *, char *, int);
int BIO_meth_set_gets(BIO_METHOD *biom,
int (*gets)(BIO *, char *, int));
long (*BIO_meth_get_ctrl(const BIO_METHOD *biom))(BIO *, int, long, void *);
int BIO_meth_set_ctrl(BIO_METHOD *biom,
long (*ctrl)(BIO *, int, long, void *));
int (*BIO_meth_get_create(const BIO_METHOD *biom))(BIO *);
int BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *));
int (*BIO_meth_get_destroy(const BIO_METHOD *biom))(BIO *);
int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *));
long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))(BIO *, int, BIO_info_cb *);
int BIO_meth_set_callback_ctrl(BIO_METHOD *biom,
long (*callback_ctrl)(BIO *, int, BIO_info_cb *));
ossl_ssize_t (*BIO_meth_get_sendmmsg(const BIO_METHOD *biom))(BIO *,
BIO_MSG *,
size_t,
size_t,
uint64_t);
int BIO_meth_set_sendmmsg(BIO_METHOD *biom,
ossl_ssize_t (*f) (BIO *, BIO_MSG *, size_t,
size_t, uint64_t));
ossl_ssize_t (*BIO_meth_get_recvmmsg(const BIO_METHOD *biom))(BIO *,
BIO_MSG *,
size_t,
size_t,
uint64_t);
int BIO_meth_set_recvmmsg(BIO_METHOD *biom,
ossl_ssize_t (*f) (BIO *, BIO_MSG *, size_t,
size_t, uint64_t));</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The <b>BIO_METHOD</b> type is a structure used for the implementation of new BIO types. It provides a set of functions used by OpenSSL for the implementation of the various BIO capabilities. See the <a href="../man7/bio.html">bio(7)</a> page for more information.</p>
<p>BIO_meth_new() creates a new <b>BIO_METHOD</b> structure. It should be given a unique integer <b>type</b> and a string that represents its <b>name</b>. Use BIO_get_new_index() to get the value for <b>type</b>.</p>
<p>The set of standard OpenSSL provided BIO types is provided in <i>&lt;openssl/bio.h&gt;</i>. Some examples include <b>BIO_TYPE_BUFFER</b> and <b>BIO_TYPE_CIPHER</b>. Filter BIOs should have a type which have the &quot;filter&quot; bit set (<b>BIO_TYPE_FILTER</b>). Source/sink BIOs should have the &quot;source/sink&quot; bit set (<b>BIO_TYPE_SOURCE_SINK</b>). File descriptor based BIOs (e.g. socket, fd, connect, accept etc) should additionally have the &quot;descriptor&quot; bit set (<b>BIO_TYPE_DESCRIPTOR</b>). See the <a href="../man3/BIO_find_type.html">BIO_find_type(3)</a> page for more information.</p>
<p>BIO_meth_free() destroys a <b>BIO_METHOD</b> structure and frees up any memory associated with it.</p>
<p>BIO_meth_get_write_ex() and BIO_meth_set_write_ex() get and set the function used for writing arbitrary length data to the BIO respectively. This function will be called in response to the application calling BIO_write_ex() or BIO_write(). The parameters for the function have the same meaning as for BIO_write_ex(). Older code may call BIO_meth_get_write() and BIO_meth_set_write() instead. Applications should not call both BIO_meth_set_write_ex() and BIO_meth_set_write() or call BIO_meth_get_write() when the function was set with BIO_meth_set_write_ex().</p>
<p>BIO_meth_get_read_ex() and BIO_meth_set_read_ex() get and set the function used for reading arbitrary length data from the BIO respectively. This function will be called in response to the application calling BIO_read_ex() or BIO_read(). The parameters for the function have the same meaning as for BIO_read_ex(). Older code may call BIO_meth_get_read() and BIO_meth_set_read() instead. Applications should not call both BIO_meth_set_read_ex() and BIO_meth_set_read() or call BIO_meth_get_read() when the function was set with BIO_meth_set_read_ex().</p>
<p>BIO_meth_get_puts() and BIO_meth_set_puts() get and set the function used for writing a NULL terminated string to the BIO respectively. This function will be called in response to the application calling BIO_puts(). The parameters for the function have the same meaning as for BIO_puts().</p>
<p>BIO_meth_get_gets() and BIO_meth_set_gets() get and set the function typically used for reading a line of data from the BIO respectively (see the <a href="../man3/BIO_gets.html">BIO_gets(3)</a> page for more information). This function will be called in response to the application calling BIO_gets(). The parameters for the function have the same meaning as for BIO_gets().</p>
<p>BIO_meth_get_ctrl() and BIO_meth_set_ctrl() get and set the function used for processing ctrl messages in the BIO respectively. See the <a href="../man3/BIO_ctrl.html">BIO_ctrl(3)</a> page for more information. This function will be called in response to the application calling BIO_ctrl(). The parameters for the function have the same meaning as for BIO_ctrl().</p>
<p>BIO_meth_get_create() and BIO_meth_set_create() get and set the function used for creating a new instance of the BIO respectively. This function will be called in response to the application calling BIO_new() and passing in a pointer to the current BIO_METHOD. The BIO_new() function will allocate the memory for the new BIO, and a pointer to this newly allocated structure will be passed as a parameter to the function. If a create function is set, BIO_new() will not mark the BIO as initialised on allocation. <a href="../man3/BIO_set_init.html">BIO_set_init(3)</a> must then be called either by the create function, or later, by a BIO ctrl function, once BIO initialisation is complete.</p>
<p>BIO_meth_get_destroy() and BIO_meth_set_destroy() get and set the function used for destroying an instance of a BIO respectively. This function will be called in response to the application calling BIO_free(). A pointer to the BIO to be destroyed is passed as a parameter. The destroy function should be used for BIO specific clean up. The memory for the BIO itself should not be freed by this function.</p>
<p>BIO_meth_get_callback_ctrl() and BIO_meth_set_callback_ctrl() get and set the function used for processing callback ctrl messages in the BIO respectively. See the <a href="../man3/BIO_callback_ctrl.html">BIO_callback_ctrl(3)</a> page for more information. This function will be called in response to the application calling BIO_callback_ctrl(). The parameters for the function have the same meaning as for BIO_callback_ctrl().</p>
<p>BIO_meth_get_sendmmsg(), BIO_meth_set_sendmmsg(), BIO_meth_get_recvmmsg() and BIO_meth_set_recvmmsg() get and set the functions used for handling BIO_sendmmsg() and BIO_recvmmsg() calls respectively. See <a href="../man3/BIO_sendmmsg.html">BIO_sendmmsg(3)</a> for more information.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_get_new_index() returns the new BIO type value or -1 if an error occurred.</p>
<p>BIO_meth_new(int type, const char *name) returns a valid <b>BIO_METHOD</b> or NULL if an error occurred.</p>
<p>The <b>BIO_meth_set</b> functions return 1 on success or 0 on error.</p>
<p>The <b>BIO_meth_get</b> functions return the corresponding function pointers.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man7/bio.html">bio(7)</a>, <a href="../man3/BIO_find_type.html">BIO_find_type(3)</a>, <a href="../man3/BIO_ctrl.html">BIO_ctrl(3)</a>, <a href="../man3/BIO_read_ex.html">BIO_read_ex(3)</a>, <a href="../man3/BIO_new.html">BIO_new(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The functions described here were added in OpenSSL 1.1.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,89 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_new</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#EXAMPLES">EXAMPLES</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_new_ex, BIO_new, BIO_up_ref, BIO_free, BIO_vfree, BIO_free_all - BIO allocation and freeing functions</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
BIO *BIO_new_ex(OSSL_LIB_CTX *libctx, const BIO_METHOD *type);
BIO *BIO_new(const BIO_METHOD *type);
int BIO_up_ref(BIO *a);
int BIO_free(BIO *a);
void BIO_vfree(BIO *a);
void BIO_free_all(BIO *a);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>The BIO_new_ex() function returns a new BIO using method <b>type</b> associated with the library context <i>libctx</i> (see OSSL_LIB_CTX(3)). The library context may be NULL to indicate the default library context.</p>
<p>The BIO_new() is the same as BIO_new_ex() except the default library context is always used.</p>
<p>BIO_up_ref() increments the reference count associated with the BIO object.</p>
<p>BIO_free() frees up a single BIO, BIO_vfree() also frees up a single BIO but it does not return a value. If <b>a</b> is NULL nothing is done. Calling BIO_free() may also have some effect on the underlying I/O structure, for example it may close the file being referred to under certain circumstances. For more details see the individual BIO_METHOD descriptions.</p>
<p>BIO_free_all() frees up an entire BIO chain, it does not halt if an error occurs freeing up an individual BIO in the chain. If <b>a</b> is NULL nothing is done.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_new_ex() and BIO_new() return a newly created BIO or NULL if the call fails.</p>
<p>BIO_up_ref() and BIO_free() return 1 for success and 0 for failure.</p>
<p>BIO_free_all() and BIO_vfree() do not return values.</p>
<h1 id="NOTES">NOTES</h1>
<p>If BIO_free() is called on a BIO chain it will only free one BIO resulting in a memory leak.</p>
<p>Calling BIO_free_all() on a single BIO has the same effect as calling BIO_free() on it other than the discarded return value.</p>
<h1 id="HISTORY">HISTORY</h1>
<p>BIO_set() was removed in OpenSSL 1.1.0 as the BIO type is now opaque.</p>
<p>BIO_new_ex() was added in OpenSSL 3.0.</p>
<h1 id="EXAMPLES">EXAMPLES</h1>
<p>Create a memory BIO:</p>
<pre><code> BIO *mem = BIO_new(BIO_s_mem());</code></pre>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,81 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_new_CMS</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#NOTES">NOTES</a></li>
<li><a href="#BUGS">BUGS</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#HISTORY">HISTORY</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_new_CMS - CMS streaming filter BIO</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/cms.h&gt;
BIO *BIO_new_CMS(BIO *out, CMS_ContentInfo *cms);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_new_CMS() returns a streaming filter BIO chain based on <b>cms</b>. The output of the filter is written to <b>out</b>. Any data written to the chain is automatically translated to a BER format CMS structure of the appropriate type.</p>
<h1 id="NOTES">NOTES</h1>
<p>The chain returned by this function behaves like a standard filter BIO. It supports non blocking I/O. Content is processed and streamed on the fly and not all held in memory at once: so it is possible to encode very large structures. After all content has been written through the chain BIO_flush() must be called to finalise the structure.</p>
<p>The <b>CMS_STREAM</b> flag must be included in the corresponding <b>flags</b> parameter of the <b>cms</b> creation function.</p>
<p>If an application wishes to write additional data to <b>out</b> BIOs should be removed from the chain using BIO_pop() and freed with BIO_free() until <b>out</b> is reached. If no additional data needs to be written BIO_free_all() can be called to free up the whole chain.</p>
<p>Any content written through the filter is used verbatim: no canonical translation is performed.</p>
<p>It is possible to chain multiple BIOs to, for example, create a triple wrapped signed, enveloped, signed structure. In this case it is the application&#39;s responsibility to set the inner content type of any outer CMS_ContentInfo structures.</p>
<p>Large numbers of small writes through the chain should be avoided as this will produce an output consisting of lots of OCTET STRING structures. Prepending a BIO_f_buffer() buffering BIO will prevent this.</p>
<h1 id="BUGS">BUGS</h1>
<p>There is currently no corresponding inverse BIO: i.e. one which can decode a CMS structure on the fly.</p>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_new_CMS() returns a BIO chain when successful or NULL if an error occurred. The error can be obtained from ERR_get_error(3).</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/ERR_get_error.html">ERR_get_error(3)</a>, <a href="../man3/CMS_sign.html">CMS_sign(3)</a>, <a href="../man3/CMS_encrypt.html">CMS_encrypt(3)</a></p>
<h1 id="HISTORY">HISTORY</h1>
<p>The BIO_new_CMS() function was added in OpenSSL 1.0.0.</p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>

View File

@ -1,91 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIO_parse_hostserv</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#SYNOPSIS">SYNOPSIS</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
<li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>BIO_hostserv_priorities, BIO_parse_hostserv - utility routines to parse a standard host and service string</p>
<h1 id="SYNOPSIS">SYNOPSIS</h1>
<pre><code> #include &lt;openssl/bio.h&gt;
enum BIO_hostserv_priorities {
BIO_PARSE_PRIO_HOST, BIO_PARSE_PRIO_SERV
};
int BIO_parse_hostserv(const char *hostserv, char **host, char **service,
enum BIO_hostserv_priorities hostserv_prio);</code></pre>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>BIO_parse_hostserv() will parse the information given in <b>hostserv</b>, create strings with the hostname and service name and give those back via <b>host</b> and <b>service</b>. Those will need to be freed after they are used. <b>hostserv_prio</b> helps determine if <b>hostserv</b> shall be interpreted primarily as a hostname or a service name in ambiguous cases.</p>
<p>The syntax the BIO_parse_hostserv() recognises is:</p>
<pre><code> host + &#39;:&#39; + service
host + &#39;:&#39; + &#39;*&#39;
host + &#39;:&#39;
&#39;:&#39; + service
&#39;*&#39; + &#39;:&#39; + service
host
service</code></pre>
<p>The host part can be a name or an IP address. If it&#39;s a IPv6 address, it MUST be enclosed in brackets, such as &#39;[::1]&#39;.</p>
<p>The service part can be a service name or its port number. A service name will be mapped to a port number using the system function getservbyname().</p>
<p>The returned values will depend on the given <b>hostserv</b> string and <b>hostserv_prio</b>, as follows:</p>
<pre><code> host + &#39;:&#39; + service =&gt; *host = &quot;host&quot;, *service = &quot;service&quot;
host + &#39;:&#39; + &#39;*&#39; =&gt; *host = &quot;host&quot;, *service = NULL
host + &#39;:&#39; =&gt; *host = &quot;host&quot;, *service = NULL
&#39;:&#39; + service =&gt; *host = NULL, *service = &quot;service&quot;
&#39;*&#39; + &#39;:&#39; + service =&gt; *host = NULL, *service = &quot;service&quot;
in case no &#39;:&#39; is present in the string, the result depends on
hostserv_prio, as follows:
when hostserv_prio == BIO_PARSE_PRIO_HOST
host =&gt; *host = &quot;host&quot;, *service untouched
when hostserv_prio == BIO_PARSE_PRIO_SERV
service =&gt; *host untouched, *service = &quot;service&quot;</code></pre>
<h1 id="RETURN-VALUES">RETURN VALUES</h1>
<p>BIO_parse_hostserv() returns 1 on success or 0 on error.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p><a href="../man3/BIO_ADDRINFO.html">BIO_ADDRINFO(3)</a></p>
<h1 id="COPYRIGHT">COPYRIGHT</h1>
<p>Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>
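Review bot: the rendered diff is truncated (the page closes with "Some files were not shown because too many files have changed in this diff"), so the removal of BIO_parse_hostserv.html cannot be checked for completeness against its siblings from this view alone; before merging, list the deleted paths from the commit itself and confirm the whole generated doc tree goes together, because these pages cross-link by relative path (this one's SEE ALSO points at ../man3/BIO_ADDRINFO.html, the BIO_new_CMS page above at ../man3/CMS_sign.html and ../man3/CMS_encrypt.html) and a partial removal would leave dangling links in whatever remains.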

Some files were not shown because too many files have changed in this diff.