diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2000-02-16 23:16:01 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2000-02-16 23:16:01 +0000 |
commit | a3fe382e2d2d794c598921cd39117581a2a8941b (patch) | |
tree | 2845b270bbe0705f5844c16d23fb398af3ef3f3f /doc/apps | |
parent | bd03b99b9bb860e062f08ec6d919c0841d951833 (diff) | |
download | openssl-new-a3fe382e2d2d794c598921cd39117581a2a8941b.tar.gz |
Pass phrase reorganisation.
Diffstat (limited to 'doc/apps')
-rw-r--r-- | doc/apps/dsa.pod | 26 | ||||
-rw-r--r-- | doc/apps/genrsa.pod | 22 | ||||
-rw-r--r-- | doc/apps/openssl.pod | 43 | ||||
-rw-r--r-- | doc/apps/pkcs12.pod | 51 | ||||
-rw-r--r-- | doc/apps/pkcs8.pod | 26 | ||||
-rw-r--r-- | doc/apps/req.pod | 30 | ||||
-rw-r--r-- | doc/apps/rsa.pod | 24 | ||||
-rw-r--r-- | doc/apps/spkac.pod | 13 |
8 files changed, 106 insertions, 129 deletions
diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod index 8196df1ef0..28e534bb95 100644 --- a/doc/apps/dsa.pod +++ b/doc/apps/dsa.pod @@ -10,11 +10,9 @@ B<openssl> B<dsa> [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] -[B<-passin password>] -[B<-envpassin var>] +[B<-passin arg>] [B<-out filename>] -[B<-passout password>] -[B<-envpassout var>] +[B<-passout arg>] [B<-des>] [B<-des3>] [B<-idea>] @@ -58,14 +56,10 @@ This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for. -=item B<-passin password> +=item B<-passin arg> -the input file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassin var> - -read the input file password from the environment variable B<var>. +the input file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-out filename> @@ -74,14 +68,10 @@ is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should B<not> be the same as the input filename. -=item B<-passout password> - -the output file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassout var> +=item B<-passout arg> -read the output file password from the environment variable B<var>. +the output file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-des|-des3|-idea> diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod index fe3c5b43e5..4f2947bb38 100644 --- a/doc/apps/genrsa.pod +++ b/doc/apps/genrsa.pod @@ -8,8 +8,7 @@ genrsa - generate an RSA private key B<openssl> B<genrsa> [B<-out filename>] -[B<-passout password>] -[B<-envpassout var>] +[B<-passout arg>] [B<-des>] [B<-des3>] [B<-idea>] @@ -31,21 +30,17 @@ The B<genrsa> command generates an RSA private key. the output filename. If this argument is not specified then standard output is used. -=item B<-passout password> +=item B<-passout arg> -the output file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassout var> - -read the output file password from the environment variable B<var>. +the output file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-des|-des3|-idea> These options encrypt the private key with the DES, triple DES, or the IDEA ciphers respectively before outputting it. If none of these options is specified no encryption is used. If encryption is used a pass phrase is prompted -for if it is not supplied via the B<-passout> or B<-envpassout> arguments. +for if it is not supplied via the B<-passout> argument. =item B<-F4|-3> @@ -69,9 +64,10 @@ specified. The default is 512. RSA private key generation essentially involves the generation of two prime numbers. When generating a private key various symbols will be output to -indicate the progress of the generation. A B<.> represents each number tested. -A B<+> means a number has passed a single primality test. A newline means that -the number has passed all the prime tests (currently set to 5 single tests). +indicate the progress of the generation. A B<.> represents each number which +has passed an initial sieve test, B<+> means a number has passed a single +round of the Miller-Rabin primality test. A newline means that the number has +passed all the prime tests (the actual number depends on the key size). Because key generation is a random process the time taken to generate a key may vary somewhat. diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod index c6f6771f03..1c529e689c 100644 --- a/doc/apps/openssl.pod +++ b/doc/apps/openssl.pod @@ -233,6 +233,49 @@ RC5 Cipher =back +=head1 PASS PHRASE ARGUMENTS + +Several commands accept password arguments, typically using B<-passin> +and B<-passout> for input and output passwords respectively. These allow +the password to be obtained from a variety of sources. Both of these +options take a single argument whose format is described below. If no +password argument is given and a password is required then the user is +prompted to enter one: this will typically be read from the current +terminal with echoing turned off. + +=over 10 + +=item B<pass:password> + +the actual password is B<password>. Since the password is visible +to utilities (like 'ps' under Unix) this form should only be used +where security is not important. + +=item B<env:var> + +obtain the password from the environment variable B<var>. Since +the environment of other processes is visible on certain platforms +(e.g. ps under certain Unix OSes) this option should be used with caution. + +=item B<file:pathname> + +the first line of B<pathname> is the password. If the same B<pathname> +argument is supplied to B<-passin> and B<-passout> arguments then the first +line will be used for the input password and the next line for the output +password. B<pathname> need not refer to a regular file: it could for example +refer to a device or named pipe. + +=item B<fd:number> + +read the password from the file descriptor B<number>. This can be used to +send the data via a pipe for example. + +=item B<stdin> + +read the password from standard input. + +=back + =head1 SEE ALSO L<asn1parse(1)|asn1parse(1)>, L<ca(1)|ca(1)>, L<config(5)|config(5)>, diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index d8cace9d0a..0aa2f8e16d 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod @@ -35,12 +35,9 @@ B<openssl> B<pkcs12> [B<-keypbe>] [B<-keyex>] [B<-keysig>] -[B<-password password>] -[B<-envpass var>] -[B<-passin password>] -[B<-envpassin var>] -[B<-passout password>] -[B<-envpassout var>] +[B<-password arg>] +[B<-passin arg>] +[B<-passout arg>] [B<-rand file(s)>] =head1 DESCRIPTION @@ -69,23 +66,17 @@ by default. The filename to write certificates and private keys to, standard output by default. They are all written in PEM format. -=item B<-pass password>, B<-passin password> +=item B<-pass arg>, B<-passin arg> -the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make -the command line visible this option should be used with caution. +the PKCS#12 file (i.e. input file) password source. For more information about the +format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in +L<openssl(1)|openssl(1)>. -=item B<-envpass var>, B<-envpassin password> +=item B<-passout arg> -read the PKCS#12 file password from the environment variable B<var>. - -=item B<-passout password> - -pass phrase to encrypt any outputed private keys with. Since certain utilities like -"ps" make the command line visible this option should be used with caution. - -=item B<-envpass var>, B<-envpassin password> - -read the outputed private keys file password from the environment variable B<var>. +pass phrase source to encrypt any outputed private keys with. For more information +about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in +L<openssl(1)|openssl(1)>. =item B<-noout> @@ -183,23 +174,17 @@ used multiple times to specify names for all certificates in the order they appear. Netscape ignores friendly names on other certificates whereas MSIE displays them. -=item B<-pass password>, B<-passout password> +=item B<-pass arg>, B<-passout arg> -the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps" -make the command line visible this option should be used with caution. - -=item B<-envpass var>, B<-envpassout var> - -read the PKCS#12 file password from the environment variable B<var>. +the PKCS#12 file (i.e. output file) password source. For more information about +the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in +L<openssl(1)|openssl(1)>. =item B<-passin password> -pass phrase to decrypt the input private key with. Since certain utilities like -"ps" make the command line visible this option should be used with caution. - -=item B<-envpassin password> - -read the input private key file password from the environment variable B<var>. +pass phrase source to decrypt any input private keys with. For more information +about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in +L<openssl(1)|openssl(1)>. =item B<-chain> diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod index df2635613f..a56b2dd002 100644 --- a/doc/apps/pkcs8.pod +++ b/doc/apps/pkcs8.pod @@ -11,11 +11,9 @@ B<openssl> B<pkcs8> [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] -[B<-passin password>] -[B<-envpassin var>] +[B<-passin arg>] [B<-out filename>] -[B<-passout password>] -[B<-envpassout var>] +[B<-passout arg>] [B<-noiter>] [B<-nocrypt>] [B<-nooct>] @@ -59,14 +57,10 @@ This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for. -=item B<-passin password> +=item B<-passin arg> -the input file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassin var> - -read the input file password from the environment variable B<var>. +the input file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-out filename> @@ -75,14 +69,10 @@ default. If any encryption options are set then a pass phrase will be prompted for. The output filename should B<not> be the same as the input filename. -=item B<-passout password> - -the output file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassout var> +=item B<-passout arg> -read the output file password from the environment variable B<var>. +the output file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-nocrypt> diff --git a/doc/apps/req.pod b/doc/apps/req.pod index a66410dbb4..f5cb441b92 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -11,11 +11,9 @@ B<openssl> B<req> [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] -[B<-passin password>] -[B<-envpassin var>] +[B<-passin arg>] [B<-out filename>] -[B<-passout password>] -[B<-envpassout var>] +[B<-passout arg>] [B<-text>] [B<-noout>] [B<-verify>] @@ -63,28 +61,20 @@ This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (B<-new> and B<-newkey>) are not specified. -=item B<-passin password> +=item B<-passin arg> -the input file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassin var> - -read the input file password from the environment variable B<var>. +the input file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-out filename> This specifies the output filename to write to or standard output by default. -=item B<-passout password> - -the output file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassout var> +=item B<-passout arg> -read the output file password from the environment variable B<var>. +the output file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-text> @@ -207,8 +197,8 @@ The options available are described in detail below. The passwords for the input private key file (if present) and the output private key file (if one will be created). The -command line options B<passin>, B<envpassin>, B<passout> and -B<envpassout> override the configuration file values. +command line options B<passin> and B<passout> override the +configuration file values. =item B<default_bits> diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod index b381cc5bcc..62ad62e23d 100644 --- a/doc/apps/rsa.pod +++ b/doc/apps/rsa.pod @@ -11,11 +11,9 @@ B<openssl> B<rsa> [B<-inform PEM|NET|DER>] [B<-outform PEM|NET|DER>] [B<-in filename>] -[B<-passin password>] -[B<-envpassin var>] +[B<-passin arg>] [B<-out filename>] -[B<-passout password>] -[B<-envpassout var>] +[B<-passout arg>] [B<-des>] [B<-des3>] [B<-idea>] @@ -59,14 +57,10 @@ This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for. -=item B<-passin password> +=item B<-passin arg> -the input file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassin var> - -read the input file password from the environment variable B<var>. +the input file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-out filename> @@ -77,12 +71,8 @@ filename. =item B<-passout password> -the output file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassout var> - -read the output file password from the environment variable B<var>. +the output file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-des|-des3|-idea> diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod index 846b9a93a7..bb84dfbe33 100644 --- a/doc/apps/spkac.pod +++ b/doc/apps/spkac.pod @@ -10,8 +10,7 @@ B<openssl> B<spkac> [B<-in filename>] [B<-out filename>] [B<-key keyfile>] -[B<-passin password>] -[B<-envpassin var>] +[B<-passin arg>] [B<-challenge string>] [B<-pubkey>] [B<-spkac spkacname>] @@ -48,14 +47,8 @@ present. =item B<-passin password> -the private key file password. Since certain utilities like "ps" make the -command line visible this option should be used with caution. Ignored if -the B<-key> argument is not used. - -=item B<-envpassin var> - -read the private key file password from the environment variable B<var>. -Ignored if the B<-key> argument is not used. +the input file password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-challenge string> |