X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=doc%2Fapps%2Fpkcs8.pod;h=6901f1f3f2112ecbb60540a58b68d52e69c2ae1e;hb=623acb90cc7fdd5bd51a850ee6acc45b661daa83;hp=171b58b4b8404f57e3d7e6b46d068287596bb5c3;hpb=dd46d58f65bd3a342bbcd8586680942be643fc7d;p=oweals%2Fopenssl.git diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod index 171b58b4b8..6901f1f3f2 100644 --- a/doc/apps/pkcs8.pod +++ b/doc/apps/pkcs8.pod @@ -11,16 +11,18 @@ B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] -[B<-passin password>] -[B<-envpassin var>] +[B<-passin arg>] [B<-out filename>] -[B<-passout password>] -[B<-envpassout var>] +[B<-passout arg>] [B<-noiter>] [B<-nocrypt>] [B<-nooct>] +[B<-embed>] +[B<-nsdb>] [B<-v2 alg>] +[B<-v2prf alg>] [B<-v1 alg>] +[B<-engine id>] =head1 DESCRIPTION @@ -57,14 +59,10 @@ This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for. -=item B<-passin password> +=item B<-passin arg> -the input file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassin var> - -read the input file password from the environment variable B. +the input file password source. For more information about the format of B +see the B section in L. =item B<-out filename> @@ -73,14 +71,10 @@ default. If any encryption options are set then a pass phrase will be prompted for. The output filename should B be the same as the input filename. -=item B<-passout password> - -the output file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassout var> +=item B<-passout arg> -read the output file password from the environment variable B. +the output file password source. For more information about the format of B +see the B section in L. =item B<-nocrypt> @@ -93,11 +87,24 @@ code signing software used unencrypted private keys. =item B<-nooct> -This option generates private keys in a broken format that some software +This option generates RSA private keys in a broken format that some software uses. Specifically the private key should be enclosed in a OCTET STRING but some software just includes the structure itself without the surrounding OCTET STRING. +=item B<-embed> + +This option generates DSA keys in a broken format. The DSA parameters are +embedded inside the PrivateKey structure. In this form the OCTET STRING +contains an ASN1 SEQUENCE consisting of two structures: a SEQUENCE containing +the parameters and an ASN1 INTEGER containing the private key. + +=item B<-nsdb> + +This option generates DSA keys in a broken format compatible with Netscape +private key databases. The PrivateKey contains a SEQUENCE consisting of +the public and private keys respectively. + =item B<-v2 alg> This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8 @@ -112,11 +119,24 @@ private keys with OpenSSL then this doesn't matter. The B argument is the encryption algorithm to use, valid values include B, B and B. It is recommended that B is used. +=item B<-v2prf alg> + +This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value +values would be B. If this option isn't set then the default +for the cipher is used or B if there is no default. + =item B<-v1 alg> This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete list of possible algorithms is included below. +=item B<-engine id> + +specifying an engine (by its unique B string) will cause B +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES @@ -182,6 +202,11 @@ DES: openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem +Convert a private from traditional to PKCS#5 v2.0 format using AES with +256 bits in CBC mode and B PRF: + + openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -out enckey.pem + Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm (DES): @@ -202,11 +227,16 @@ Convert a private key from any PKCS#8 format to traditional format: =head1 STANDARDS -Test vectors from this implementation were posted to the pkcs-tng mailing -list using triple DES, DES and RC2 with high iteration counts, several -people confirmed that they could decrypt the private keys produced and -Therefore it can be assumed that the PKCS#5 v2.0 implementation is -reasonably accurate at least as far as these algorithms are concerned. +Test vectors from this PKCS#5 v2.0 implementation were posted to the +pkcs-tng mailing list using triple DES, DES and RC2 with high iteration +counts, several people confirmed that they could decrypt the private +keys produced and Therefore it can be assumed that the PKCS#5 v2.0 +implementation is reasonably accurate at least as far as these +algorithms are concerned. + +The format of PKCS#8 DSA (and other) private keys is not well documented: +it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA +PKCS#8 private key format complies with this standard. =head1 BUGS @@ -219,6 +249,7 @@ the old format at present. =head1 SEE ALSO -dsa(1), rsa(1), genrsa(1), gendsa(1) +L, L, L, +L =cut