From f07fb9b24be9ae2d21647257d830da565561df3b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 8 Feb 2000 01:34:59 +0000 Subject: [PATCH] Add command line password options to the reamining utilities, amend docs. --- CHANGES | 3 ++ apps/dsa.c | 4 +-- apps/gendsa.c | 19 ++++++++++- apps/genrsa.c | 37 +++++++++++++++------ apps/pkcs12.c | 78 ++++++++++++++++++++++++++++++++++----------- apps/pkcs8.c | 28 ++++++++-------- apps/rsa.c | 4 +-- apps/spkac.c | 22 +++++++++++-- crypto/bn/bntest.c | 6 ++-- doc/apps/genrsa.pod | 22 +++++++++++-- doc/apps/pkcs12.pod | 41 +++++++++++++++++------- doc/apps/spkac.pod | 13 ++++++++ 12 files changed, 211 insertions(+), 66 deletions(-) diff --git a/CHANGES b/CHANGES index 91d89b795b..3c09b1e831 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 2000] + *) Add command line password options to the remaining applications. + [Steve Henson] + *) Bug fix for BN_div_recp() for numerators with an even number of bits. [Ulf Möller] diff --git a/apps/dsa.c b/apps/dsa.c index c9b9d71c71..6198ea94ea 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -195,8 +195,8 @@ bad: BIO_printf(bio_err," -passin arg input file pass phrase\n"); BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n"); BIO_printf(bio_err," -out arg output file\n"); - BIO_printf(bio_err," -passout arg input file pass phrase\n"); - BIO_printf(bio_err," -envpassout arg environment variable containing input file pass phrase\n"); + BIO_printf(bio_err," -passout arg output file pass phrase\n"); + BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n"); BIO_printf(bio_err," -des encrypt PEM output with cbc des\n"); BIO_printf(bio_err," -des3 encrypt PEM output with ede cbc des using 168 bit key\n"); #ifndef NO_IDEA diff --git a/apps/gendsa.c b/apps/gendsa.c index 49ae0a0676..0c56b1410a 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -79,6 +79,7 @@ int MAIN(int argc, char **argv) int ret=1; char *outfile=NULL; char *inrand=NULL,*dsaparams=NULL; + char *passout = NULL; BIO *out=NULL,*in=NULL; EVP_CIPHER *enc=NULL; @@ -98,6 +99,22 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } + else if (strcmp(*argv,"-envpassout") == 0) + { + if (--argc < 1) goto bad; + if(!(passout= getenv(*(++argv)))) + { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + goto bad; + } + } + else if (strcmp(*argv,"-passout") == 0) + { + if (--argc < 1) goto bad; + passout= *(++argv); + } else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -188,7 +205,7 @@ bad: app_RAND_write_file(NULL, bio_err); - if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,NULL,NULL)) + if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,PEM_cb, passout)) goto end; ret=0; end: diff --git a/apps/genrsa.c b/apps/genrsa.c index ab760f6ad4..63fd45ee98 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -84,6 +84,7 @@ int MAIN(int argc, char **argv) EVP_CIPHER *enc=NULL; unsigned long f4=RSA_F4; char *outfile=NULL; + char *passout = NULL; char *inrand=NULL; BIO *out=NULL; @@ -127,6 +128,22 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-idea") == 0) enc=EVP_idea_cbc(); #endif + else if (strcmp(*argv,"-envpassout") == 0) + { + if (--argc < 1) goto bad; + if(!(passout= getenv(*(++argv)))) + { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + goto bad; + } + } + else if (strcmp(*argv,"-passout") == 0) + { + if (--argc < 1) goto bad; + passout= *(++argv); + } else break; argv++; @@ -136,17 +153,19 @@ int MAIN(int argc, char **argv) { bad: BIO_printf(bio_err,"usage: genrsa [args] [numbits]\n"); - BIO_printf(bio_err," -des - encrypt the generated key with DES in cbc mode\n"); - BIO_printf(bio_err," -des3 - encrypt the generated key with DES in ede cbc mode (168 bit key)\n"); + BIO_printf(bio_err," -des encrypt the generated key with DES in cbc mode\n"); + BIO_printf(bio_err," -des3 encrypt the generated key with DES in ede cbc mode (168 bit key)\n"); #ifndef NO_IDEA - BIO_printf(bio_err," -idea - encrypt the generated key with IDEA in cbc mode\n"); + BIO_printf(bio_err," -idea encrypt the generated key with IDEA in cbc mode\n"); #endif - BIO_printf(bio_err," -out file - output the key to 'file\n"); - BIO_printf(bio_err," -f4 - use F4 (0x10001) for the E value\n"); - BIO_printf(bio_err," -3 - use 3 for the E value\n"); + BIO_printf(bio_err," -out file output the key to 'file\n"); + BIO_printf(bio_err," -passout arg output file pass phrase\n"); + BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n"); + BIO_printf(bio_err," -f4 use F4 (0x10001) for the E value\n"); + BIO_printf(bio_err," -3 use 3 for the E value\n"); BIO_printf(bio_err," -rand file:file:...\n"); - BIO_printf(bio_err," - load the file (or the files in the directory) into\n"); - BIO_printf(bio_err," the random number generator\n"); + BIO_printf(bio_err," load the file (or the files in the directory) into\n"); + BIO_printf(bio_err," the random number generator\n"); goto err; } @@ -190,7 +209,7 @@ bad: l+=rsa->e->d[i]; } BIO_printf(bio_err,"e is %ld (0x%lX)\n",l,l); - if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,NULL,NULL)) + if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,PEM_cb, passout)) goto err; ret=0; diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 0c8dc47767..dd008c468a 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -61,13 +61,12 @@ #include #include #include +#include "apps.h" #include -#include -#include #include +#include #include -#include "apps.h" #define PROG pkcs12_main EVP_CIPHER *enc; @@ -80,9 +79,9 @@ EVP_CIPHER *enc; #define CACERTS 0x10 int get_cert_chain(X509 *cert, STACK_OF(X509) **chain); -int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options); -int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options); -int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options); +int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass); +int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass); +int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass); int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name); void hex_prin(BIO *out, unsigned char *buf, int len); int alg_print(BIO *x, X509_ALGOR *alg); @@ -111,6 +110,7 @@ int MAIN(int argc, char **argv) int noprompt = 0; STACK *canames = NULL; char *cpass = NULL, *mpass = NULL; + char *passin = NULL, *passout = NULL; apps_startup(); @@ -198,6 +198,36 @@ int MAIN(int argc, char **argv) args++; outfile = *args; } else badarg = 1; + } else if (!strcmp(*args,"-passin")) { + if (args[1]) { + args++; + passin = *args; + } else badarg = 1; + } else if (!strcmp(*args,"-envpassin")) { + if (args[1]) { + args++; + if(!(passin= getenv(*args))) { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + badarg = 1; + } + } else badarg = 1; + } else if (!strcmp(*args,"-envpassout")) { + if (args[1]) { + args++; + if(!(passout= getenv(*args))) { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + badarg = 1; + } + } else badarg = 1; + } else if (!strcmp(*args,"-passout")) { + if (args[1]) { + args++; + passout = *args; + } else badarg = 1; } else if (!strcmp (*args, "-envpass")) { if (args[1]) { args++; @@ -206,7 +236,6 @@ int MAIN(int argc, char **argv) "Can't read environment variable %s\n", *args); goto end; } - noprompt = 1; } else badarg = 1; } else if (!strcmp (*args, "-password")) { if (args[1]) { @@ -254,11 +283,22 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-keysig set MS key signature type\n"); BIO_printf (bio_err, "-password p set import/export password (NOT RECOMMENDED)\n"); BIO_printf (bio_err, "-envpass p set import/export password from environment\n"); + BIO_printf (bio_err, "-passin p input file pass phrase\n"); + BIO_printf (bio_err, "-envpassin p environment variable containing input file pass phrase\n"); + BIO_printf (bio_err, "-passout p output file pass phrase\n"); + BIO_printf (bio_err, "-envpassout p environment variable containing output file pass phrase\n"); goto end; } - if(cpass) mpass = cpass; - else { + if(!cpass) { + if(export_cert) cpass = passout; + else cpass = passin; + } + + if(cpass) { + mpass = cpass; + noprompt = 1; + } else { cpass = pass; mpass = macpass; } @@ -337,7 +377,7 @@ int MAIN(int argc, char **argv) #ifdef CRYPTO_MDEBUG CRYPTO_push_info("process -export_cert"); #endif - key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, NULL); + key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, PEM_cb, passin); if (!inkey) (void) BIO_reset(in); else BIO_free(inkey); if (!key) { @@ -504,7 +544,7 @@ int MAIN(int argc, char **argv) #ifdef CRYPTO_MDEBUG CRYPTO_push_info("output keys and certificates"); #endif - if (!dump_certs_keys_p12 (out, p12, cpass, -1, options)) { + if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) { BIO_printf(bio_err, "Error outputting keys and certificates\n"); ERR_print_errors (bio_err); goto end; @@ -524,7 +564,7 @@ int MAIN(int argc, char **argv) } int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass, - int passlen, int options) + int passlen, int options, char *pempass) { STACK *asafes, *bags; int i, bagnid; @@ -546,7 +586,7 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass, } else continue; if (!bags) return 0; if (!dump_certs_pkeys_bags (out, bags, pass, passlen, - options)) { + options, pempass)) { sk_pop_free (bags, PKCS12_SAFEBAG_free); return 0; } @@ -557,19 +597,19 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass, } int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass, - int passlen, int options) + int passlen, int options, char *pempass) { int i; for (i = 0; i < sk_num (bags); i++) { if (!dump_certs_pkeys_bag (out, (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen, - options)) return 0; + options, pempass)) return 0; } return 1; } int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, - int passlen, int options) + int passlen, int options, char *pempass) { EVP_PKEY *pkey; PKCS8_PRIV_KEY_INFO *p8; @@ -584,7 +624,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, p8 = bag->value.keybag; if (!(pkey = EVP_PKCS82PKEY (p8))) return 0; print_attribs (out, p8->attributes, "Key Attributes"); - PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL); + PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass); EVP_PKEY_free(pkey); break; @@ -600,7 +640,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, if (!(pkey = EVP_PKCS82PKEY (p8))) return 0; print_attribs (out, p8->attributes, "Key Attributes"); PKCS8_PRIV_KEY_INFO_free(p8); - PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL); + PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass); EVP_PKEY_free(pkey); break; @@ -623,7 +663,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n"); print_attribs (out, bag->attrib, "Bag Attributes"); return dump_certs_pkeys_bags (out, bag->value.safes, pass, - passlen, options); + passlen, options, pempass); default: BIO_printf (bio_err, "Warning unsupported bag type: "); diff --git a/apps/pkcs8.c b/apps/pkcs8.c index be1e0c177e..cb55464f21 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -176,22 +176,22 @@ int MAIN(int argc, char **argv) bad: BIO_printf(bio_err, "Usage pkcs8 [options]\n"); BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); + BIO_printf(bio_err, "-in file input file\n"); + BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); BIO_printf(bio_err, "-passin arg input file pass phrase\n"); BIO_printf(bio_err, "-envpassin arg environment variable containing input file pass phrase\n"); - BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-passout arg input file pass phrase\n"); - BIO_printf(bio_err, "-envpassout arg environment variable containing input file pass phrase\n"); - BIO_printf(bio_err, "-topk8 output PKCS8 file\n"); - BIO_printf(bio_err, "-nooct use (nonstandard) no octet format\n"); - BIO_printf(bio_err, "-embed use (nonstandard) embedded DSA parameters format\n"); - BIO_printf(bio_err, "-nsdb use (nonstandard) DSA Netscape DB format\n"); - BIO_printf(bio_err, "-noiter use 1 as iteration count\n"); - BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n"); - BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); - BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); + BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); + BIO_printf(bio_err, "-out file output file\n"); + BIO_printf(bio_err, "-passout arg output file pass phrase\n"); + BIO_printf(bio_err, "-envpassout arg environment variable containing outut file pass phrase\n"); + BIO_printf(bio_err, "-topk8 output PKCS8 file\n"); + BIO_printf(bio_err, "-nooct use (nonstandard) no octet format\n"); + BIO_printf(bio_err, "-embed use (nonstandard) embedded DSA parameters format\n"); + BIO_printf(bio_err, "-nsdb use (nonstandard) DSA Netscape DB format\n"); + BIO_printf(bio_err, "-noiter use 1 as iteration count\n"); + BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n"); + BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); + BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); return (1); } diff --git a/apps/rsa.c b/apps/rsa.c index 2df3fe374c..1313ddc3e3 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -201,8 +201,8 @@ bad: BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n"); BIO_printf(bio_err," -in arg input file\n"); BIO_printf(bio_err," -out arg output file\n"); - BIO_printf(bio_err," -passout arg input file pass phrase\n"); - BIO_printf(bio_err," -envpassout arg environment variable containing input file pass phrase\n"); + BIO_printf(bio_err," -passout arg output file pass phrase\n"); + BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n"); BIO_printf(bio_err," -des encrypt PEM output with cbc des\n"); BIO_printf(bio_err," -des3 encrypt PEM output with ede cbc des using 168 bit key\n"); #ifndef NO_IDEA diff --git a/apps/spkac.c b/apps/spkac.c index 34b0026e01..e3f434d24c 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -80,7 +80,7 @@ int MAIN(int argc, char **argv) int i,badops=0, ret = 1; BIO *in = NULL,*out = NULL, *key = NULL; int verify=0,noout=0,pubkey=0; - char *infile = NULL,*outfile = NULL,*prog; + char *infile = NULL,*outfile = NULL,*prog, *passin = NULL; char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL; char *challenge = NULL, *keyfile = NULL; LHASH *conf = NULL; @@ -106,6 +106,22 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } + else if (strcmp(*argv,"-passin") == 0) + { + if (--argc < 1) goto bad; + passin= *(++argv); + } + else if (strcmp(*argv,"-envpassin") == 0) + { + if (--argc < 1) goto bad; + if(!(passin= getenv(*(++argv)))) + { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + badops = 1; + } + } else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; @@ -145,6 +161,8 @@ bad: BIO_printf(bio_err," -in arg input file\n"); BIO_printf(bio_err," -out arg output file\n"); BIO_printf(bio_err," -key arg create SPKAC using private key\n"); + BIO_printf(bio_err," -passin arg input file pass phrase\n"); + BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n"); BIO_printf(bio_err," -challenge arg challenge string\n"); BIO_printf(bio_err," -spkac arg alternative SPKAC name\n"); BIO_printf(bio_err," -noout don't print SPKAC\n"); @@ -163,7 +181,7 @@ bad: ERR_print_errors(bio_err); goto end; } - pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL); + pkey = PEM_read_bio_PrivateKey(key, NULL, PEM_cb, passin); if(!pkey) { BIO_printf(bio_err, "Error reading private key\n"); ERR_print_errors(bio_err); diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c index 8b3f9ead3e..cec21646da 100644 --- a/crypto/bn/bntest.c +++ b/crypto/bn/bntest.c @@ -72,9 +72,9 @@ #include "../bio/bss_file.c" #endif -const num0 = 100; /* number of tests */ -const num1 = 50; /* additional tests for some functions */ -const num2 = 5; /* number of tests for slow functions */ +const int num0 = 100; /* number of tests */ +const int num1 = 50; /* additional tests for some functions */ +const int num2 = 5; /* number of tests for slow functions */ int test_add(BIO *bp); int test_sub(BIO *bp); diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod index 9eca3254ca..fe3c5b43e5 100644 --- a/doc/apps/genrsa.pod +++ b/doc/apps/genrsa.pod @@ -4,11 +4,12 @@ genrsa - generate an RSA private key - =head1 SYNOPSIS B B [B<-out filename>] +[B<-passout password>] +[B<-envpassout var>] [B<-des>] [B<-des3>] [B<-idea>] @@ -25,11 +26,26 @@ The B command generates an RSA private key. =over 4 +=item B<-out filename> + +the output filename. If this argument is not specified then standard output is +used. + +=item B<-passout password> + +the output file password. Since certain utilities like "ps" make the command line +visible this option should be used with caution. + +=item B<-envpassout var> + +read the output file password from the environment variable B. + =item B<-des|-des3|-idea> These options encrypt the private key with the DES, triple DES, or the -IDEA ciphers respectively before outputting it. A pass phrase is prompted for. -If none of these options is specified no encryption is used. +IDEA ciphers respectively before outputting it. If none of these options is +specified no encryption is used. If encryption is used a pass phrase is prompted +for if it is not supplied via the B<-passout> or B<-envpassout> arguments. =item B<-F4|-3> diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index 3643a19fe5..3d2ed36c10 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod @@ -37,6 +37,10 @@ B B [B<-keysig>] [B<-password password>] [B<-envpass var>] +[B<-passin password>] +[B<-envpassin var>] +[B<-passout password>] +[B<-envpassout var>] =head1 DESCRIPTION @@ -64,15 +68,24 @@ by default. The filename to write certificates and private keys to, standard output by default. They are all written in PEM format. -=item B<-pass password> +=item B<-pass password>, B<-passin password> -the PKCS#12 file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. +the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make +the command line visible this option should be used with caution. -=item B<-envpass var> +=item B<-envpass var>, B<-envpassin password> read the PKCS#12 file password from the environment variable B. +=item B<-passout password> + +pass phrase to encrypt any outputed private keys with. Since certain utilities like +"ps" make the command line visible this option should be used with caution. + +=item B<-envpass var>, B<-envpassin password> + +read the outputed private keys file password from the environment variable B. + =item B<-noout> this option inhibits output of the keys and certificates to the output file version @@ -169,15 +182,24 @@ used multiple times to specify names for all certificates in the order they appear. Netscape ignores friendly names on other certificates whereas MSIE displays them. -=item B<-pass password> +=item B<-pass password>, B<-passout password> -the PKCS#12 file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. +the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps" +make the command line visible this option should be used with caution. -=item B<-envpass var> +=item B<-envpass var>, B<-envpassout var> read the PKCS#12 file password from the environment variable B. +=item B<-passin password> + +pass phrase to decrypt the input private key with. Since certain utilities like +"ps" make the command line visible this option should be used with caution. + +=item B<-envpassin password> + +read the input private key file password from the environment variable B. + =item B<-chain> if this option is present then an attempt is made to include the entire @@ -277,9 +299,6 @@ Include some extra certificates: Some would argue that the PKCS#12 standard is one big bug :-) -Need password options for the PEM files: this will probably be fixed before -release. - =head1 SEE ALSO L diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod index c58768e8b3..846b9a93a7 100644 --- a/doc/apps/spkac.pod +++ b/doc/apps/spkac.pod @@ -10,6 +10,8 @@ B B [B<-in filename>] [B<-out filename>] [B<-key keyfile>] +[B<-passin password>] +[B<-envpassin var>] [B<-challenge string>] [B<-pubkey>] [B<-spkac spkacname>] @@ -44,6 +46,17 @@ create an SPKAC file using the private key in B. The B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if present. +=item B<-passin password> + +the private key file password. Since certain utilities like "ps" make the +command line visible this option should be used with caution. Ignored if +the B<-key> argument is not used. + +=item B<-envpassin var> + +read the private key file password from the environment variable B. +Ignored if the B<-key> argument is not used. + =item B<-challenge string> specifies the challenge string if an SPKAC is being created. -- 2.25.1