[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Fri Feb 21 12:56:15 UTC 2020
The branch master has been updated
via 92fee4213b80e3980f07260e5816e99b9e146e08 (commit)
via 35eb4588710dc900f53301f87e3a27782b443f76 (commit)
from e1dcac22607f6ecbb5ad4f15fc1a54f54f40c1ba (commit)
- Log -----------------------------------------------------------------
commit 92fee4213b80e3980f07260e5816e99b9e146e08
Author: Pauli <paul.dale at oracle.com>
Date: Tue Feb 18 11:36:08 2020 +1000
pkey: additional EC related options
Add options to change the parameter encoding and point conversions for EC
public and private keys. These options are present in the deprecated 'ec'
utility.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11113)
commit 35eb4588710dc900f53301f87e3a27782b443f76
Author: Pauli <paul.dale at oracle.com>
Date: Tue Feb 18 09:46:52 2020 +1000
pkey: update command line tool examples in light of deprecations.
Specifically, refer from the deprecated tools to the pkey equivalents.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11113)
-----------------------------------------------------------------------
Summary of changes:
apps/pkey.c | 69 ++++++++++++++++++++++++++++++++++++++++-
doc/man1/openssl-dsa.pod.in | 3 ++
doc/man1/openssl-ec.pod.in | 3 ++
doc/man1/openssl-ecparam.pod.in | 3 ++
doc/man1/openssl-pkey.pod.in | 36 ++++++++++++++++++++-
doc/man1/openssl-rsa.pod.in | 3 ++
doc/man1/openssl-rsautl.pod.in | 3 ++
7 files changed, 118 insertions(+), 2 deletions(-)
diff --git a/apps/pkey.c b/apps/pkey.c
index 6100f8dcd3..54709f656e 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -15,11 +15,29 @@
#include <openssl/err.h>
#include <openssl/evp.h>
+#ifndef OPENSSL_NO_EC
+# include <openssl/ec.h>
+
+static OPT_PAIR ec_conv_forms[] = {
+ {"compressed", POINT_CONVERSION_COMPRESSED},
+ {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
+ {"hybrid", POINT_CONVERSION_HYBRID},
+ {NULL}
+};
+
+static OPT_PAIR ec_param_enc[] = {
+ {"named_curve", OPENSSL_EC_NAMED_CURVE},
+ {"explicit", 0},
+ {NULL}
+};
+#endif
+
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
- OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK
+ OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK,
+ OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM
} OPTION_CHOICE;
const OPTIONS pkey_options[] = {
@@ -31,6 +49,10 @@ const OPTIONS pkey_options[] = {
{"check", OPT_CHECK, '-', "Check key consistency"},
{"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"},
{"", OPT_MD, '-', "Any supported cipher"},
+ {"ec_param_enc", OPT_EC_PARAM_ENC, 's',
+ "Specifies the way the ec parameters are encoded"},
+ {"ec_conv_form", OPT_EC_CONV_FORM, 's',
+ "Specifies the point conversion form "},
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
@@ -65,6 +87,12 @@ int pkey_main(int argc, char **argv)
int informat = FORMAT_PEM, outformat = FORMAT_PEM;
int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
int private = 0, traditional = 0, check = 0, pub_check = 0;
+#ifndef OPENSSL_NO_EC
+ EC_KEY *eckey;
+ int ec_asn1_flag = OPENSSL_EC_NAMED_CURVE, new_ec_asn1_flag = 0;
+ int i, new_ec_form = 0;
+ point_conversion_form_t ec_form = POINT_CONVERSION_UNCOMPRESSED;
+#endif
prog = opt_init(argc, argv, pkey_options);
while ((o = opt_next()) != OPT_EOF) {
@@ -128,6 +156,27 @@ int pkey_main(int argc, char **argv)
case OPT_MD:
if (!opt_cipher(opt_unknown(), &cipher))
goto opthelp;
+ break;
+ case OPT_EC_CONV_FORM:
+#ifdef OPENSSL_NO_EC
+ goto opthelp;
+#else
+ if (!opt_pair(opt_arg(), ec_conv_forms, &i))
+ goto opthelp;
+ new_ec_form = 1;
+ ec_form = i;
+ break;
+#endif
+ case OPT_EC_PARAM_ENC:
+#ifdef OPENSSL_NO_EC
+ goto opthelp;
+#else
+ if (!opt_pair(opt_arg(), ec_param_enc, &i))
+ goto opthelp;
+ new_ec_asn1_flag = 1;
+ ec_asn1_flag = i;
+ break;
+#endif
}
}
argc = opt_num_rest();
@@ -154,6 +203,24 @@ int pkey_main(int argc, char **argv)
if (pkey == NULL)
goto end;
+#ifndef OPENSSL_NO_EC
+ /*
+ * TODO: remove this and use a set params call with a 'pkeyopt' command
+ * line option instead.
+ */
+ if (new_ec_form || new_ec_asn1_flag) {
+ if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if (new_ec_form)
+ EC_KEY_set_conv_form(eckey, ec_form);
+
+ if (new_ec_asn1_flag)
+ EC_KEY_set_asn1_flag(eckey, ec_asn1_flag);
+ }
+#endif
+
if (check || pub_check) {
int r;
EVP_PKEY_CTX *ctx;
diff --git a/doc/man1/openssl-dsa.pod.in b/doc/man1/openssl-dsa.pod.in
index 4ba948a41b..03fcb7d09b 100644
--- a/doc/man1/openssl-dsa.pod.in
+++ b/doc/man1/openssl-dsa.pod.in
@@ -127,6 +127,9 @@ a public key.
=head1 EXAMPLES
+Examples equivalent to these can be found in the documentation for the
+non-deprecated L<openssl-pkey(1)> command.
+
To remove the pass phrase on a DSA private key:
openssl dsa -in key.pem -out keyout.pem
diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in
index 7bf1989295..ed85ca04b8 100644
--- a/doc/man1/openssl-ec.pod.in
+++ b/doc/man1/openssl-ec.pod.in
@@ -145,6 +145,9 @@ This option checks the consistency of an EC private or public key.
=head1 EXAMPLES
+Examples equivalent to these can be found in the documentation for the
+non-deprecated L<openssl-pkey(1)> command.
+
To encrypt a private key using triple DES:
openssl ec -in key.pem -des3 -out keyout.pem
diff --git a/doc/man1/openssl-ecparam.pod.in b/doc/man1/openssl-ecparam.pod.in
index c8391b481f..934bf5a380 100644
--- a/doc/man1/openssl-ecparam.pod.in
+++ b/doc/man1/openssl-ecparam.pod.in
@@ -134,6 +134,9 @@ This option will generate an EC private key using the specified parameters.
=head1 EXAMPLES
+Examples equivalent to these can be found in the documentation for the
+non-deprecated L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)> commands.
+
To create EC parameters with the group 'prime192v1':
openssl ecparam -out ec_param.pem -name prime192v1
diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in
index e2905b6934..31bf005f74 100644
--- a/doc/man1/openssl-pkey.pod.in
+++ b/doc/man1/openssl-pkey.pod.in
@@ -28,6 +28,8 @@ B<openssl> B<pkey>
[B<-pubout>]
[B<-check>]
[B<-pubcheck>]
+[B<-ec_conv_form> I<arg>]
+[B<-ec_param_enc> I<arg>]
{- $OpenSSL::safe::opt_engine_synopsis -}
=for openssl ifdef engine
@@ -114,13 +116,37 @@ components.
This option checks the correctness of either a public key or the public component
of a key pair.
+=item B<-ec_conv_form> I<arg>
+
+This option only applies to elliptic curve based public and private keys.
+
+This specifies how the points on the elliptic curve are converted
+into octet strings. Possible values are: B<compressed> (the default
+value), B<uncompressed> and B<hybrid>. For more information regarding
+the point conversion forms please read the X9.62 standard.
+B<Note> Due to patent issues the B<compressed> option is disabled
+by default for binary curves and can be enabled by defining
+the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
+
+=item B<-ec_param_enc> I<arg>
+
+This option only applies to elliptic curve based public and private keys.
+
+This specifies how the elliptic curve parameters are encoded.
+Possible value are: B<named_curve>, i.e. the ec parameters are
+specified by an OID, or B<explicit> where the ec parameters are
+explicitly given (see RFC 3279 for the definition of the
+EC parameters structures). The default value is B<named_curve>.
+B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
+is currently not implemented in OpenSSL.
+
{- $OpenSSL::safe::opt_engine_item -}
=back
=head1 EXAMPLES
-To remove the pass phrase on an RSA private key:
+To remove the pass phrase on a private key:
openssl pkey -in key.pem -out keyout.pem
@@ -144,6 +170,14 @@ To just output the public part of a private key:
openssl pkey -in key.pem -pubout -out pubkey.pem
+To change the EC parameters encoding to B<explicit>:
+
+ openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem
+
+To change the EC point conversion form to B<compressed>:
+
+ openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem
+
=head1 SEE ALSO
L<openssl(1)>,
diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in
index a688260270..5b867225ac 100644
--- a/doc/man1/openssl-rsa.pod.in
+++ b/doc/man1/openssl-rsa.pod.in
@@ -140,6 +140,9 @@ Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
=head1 EXAMPLES
+Examples equivalent to these can be found in the documentation for the
+non-deprecated L<openssl-pkey(1)> command.
+
To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem
diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
index b9d0572883..1a3a1516e3 100644
--- a/doc/man1/openssl-rsautl.pod.in
+++ b/doc/man1/openssl-rsautl.pod.in
@@ -135,6 +135,9 @@ used to sign or verify small pieces of data.
=head1 EXAMPLES
+Examples equivalent to these can be found in the documentation for the
+non-deprecated L<openssl-pkeyutl(1)> command.
+
Sign some data using a private key:
openssl rsautl -sign -in file -inkey key.pem -out sig
More information about the openssl-commits
mailing list