Merge of stuff from main trunk, all conflicts resolved.
@@ -14,6 +14,7 @@ B<openssl> B<rsa>
[B<-passin arg>]
[B<-out filename>]
[B<-passout arg>]
[B<-sgckey>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -42,9 +43,8 @@ This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. On input PKCS#8 format private
keys are also accepted. The B<NET> form is a format compatible with older Netscape
servers and MS IIS, this uses unsalted RC4 for its encryption. It is not very
secure and so should only be used when necessary.
keys are also accepted. The B<NET> form is a format is described in the B<NOTES>
section.

=item B<-outform DER|NET|PEM>

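Review bot: the added line "keys are also accepted. The B<NET> form is a format is described in the B<NOTES>" has a doubled verb; it should read "The B<NET> form is described in the B<NOTES> section." (or "is a format described in"). The three removed lines were the only place a reader of OPTIONS learned that B<NET> uses unsalted RC4 and is weak; consider keeping a one-clause warning here ("The B<NET> form uses weak, unsalted RC4 encryption and is described in the B<NOTES> section.") so the caveat is not deferred to a section most users never reach.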
@@ -74,6 +74,11 @@ filename.
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-sgckey>

use the modified NET algorithm used with some versions of Microsoft IIS and SGC
keys.

=item B<-des|-des3|-idea>

These options encrypt the private key with the DES, triple DES, or the
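Review bot: the new "=item B<-sgckey>" text starts in lowercase ("use the modified NET algorithm ...") unlike the neighbouring entries, and it never says which format the option affects. The NOTES hunk of this file presents B<-sgckey> as the fallback when reading an IIS .key file with B<-inform NET> fails after the password prompt, so the entry should say explicitly that it only has an effect with the B<NET> format (and whether that is B<-inform NET>, B<-outform NET>, or both) and mark the format name as B<NET> like the rest of the page.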
@@ -126,6 +131,18 @@ The PEM public key format uses the header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

The B<NET> form is a format compatible with older Netscape servers
and Microsoft IIS .key files, this uses unsalted RC4 for its encryption.
It is not very secure and so should only be used when necessary.

Some newer version of IIS have additional data in the exported .key
files. To use thse with the utility view the file with a binary editor
and look for the string "private-key", then trace back to the byte
sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data
from this point onwards to another file and use that as the input
to the B<rsa> utility with the B<-inform NET> option. If you get
an error after entering the password try the B<-sgckey> option.

=head1 EXAMPLES

To remove the pass phrase on an RSA private key:
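Review bot: two typos in the added NOTES paragraph: "Some newer version of IIS" should be "versions", and "To use thse with the utility" should be "these". Since the same paragraph says the B<NET> form is "not very secure", it would help to close with the recommended follow-up, which the page already supports: once the .key file has been read with B<-inform NET>, write it back out with B<-outform PEM> (the default) so the RC4-protected copy is not kept as the working key.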
@@ -148,6 +165,14 @@ To just output the public part of a private key:

openssl rsa -in key.pem -pubout -out pubkey.pem

=head1 BUGS

The command line password arguments don't currently work with
B<NET> format.

There should be an option that automatically handles .key files,
without having to manually edit them.

=head1 SEE ALSO

L<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,

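Review bot: the new BUGS entry "The command line password arguments don't currently work with B<NET> format." is not reflected in the B<-passin>/B<-passout> entries of OPTIONS (the "@@ -74,6 +74,11 @@" hunk documents B<-passout> with no such caveat), so a user reading only OPTIONS will pass B<-passin> with B<-inform NET> and be surprised. Add a sentence to those items pointing at B<BUGS>, and state here what actually happens when the arguments are given with B<NET> (ignored and prompted interactively, or an error), since that determines whether scripted use fails loudly or silently.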
@@ -39,7 +39,8 @@
(label . -)
(arglist-cont-nonempty . +)
(topmost-intro . -)
(brace-list-close . +)
(brace-list-intro . +)
(brace-list-close . 0)
(brace-list-intro . 0)
(brace-list-open . +)
))))


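Review bot: the hunk shows two entries each for brace-list-close and brace-list-intro, "(brace-list-close . +)" / "(brace-list-intro . +)" alongside "(brace-list-close . 0)" / "(brace-list-intro . 0)". If the ". 0" lines are meant to supersede the ". +" ones, the old pair should be removed rather than left in the alist, otherwise the effective offset depends on which entry is found first and the intent is unclear to the next editor; if both are intentional, a comment saying why is warranted.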
@@ -15,10 +15,27 @@ CRYPTO_set_locking_callback, CRYPTO_set_id_callback - OpenSSL thread support

int CRYPTO_num_locks(void);


/* struct CRYPTO_dynlock_value needs to be defined by the user */
typedef struct CRYPTO_dynlock_value CRYPTO_dynlock;

void CRYPTO_set_dynlock_create_callback(CRYPTO_dynlock *(*dyn_create_function)
(char *file, int line));
void CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function)
(int mode, CRYPTO_dynlock *l, const char *file, int line));
void CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function)
(CRYPTO_dynlock *l, const char *file, int line));

int CRYPTO_get_new_dynlockid(void);

void CRYPTO_destroy_dynlockid(int i);

void CRYPTO_lock(int mode, int n, const char *file, int line);

=head1 DESCRIPTION

OpenSSL can safely be used in multi-threaded applications provided
that two callback functions are set.
that at least two callback functions are set.

locking_function(int mode, int n, const char *file, int line) is
needed to perform locking on shared data stuctures. Multi-threaded
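Review bot: the SYNOPSIS prototype "CRYPTO_dynlock *(*dyn_create_function)(char *file, int line)" takes a non-const "char *file" while the lock and destroy callbacks take "const char *file" and the DESCRIPTION hunk below documents "dyn_create_function(const char *file, int line)"; make the three callback signatures agree (and fix the header if the non-const form was copied from it), since file is always the __FILE__ string literal. The comment "struct CRYPTO_dynlock_value needs to be defined by the user" should also say that CRYPTO_dynlock is only a typedef alias for that user-supplied struct, so an application that omits the definition still compiles against pointers to an incomplete type and only fails inside its own callbacks. Minor: "stuctures" in the last context line.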
@@ -35,9 +52,55 @@ id_function(void) is a function that returns a thread ID. It is not
needed on Windows nor on platforms where getpid() returns a different
ID for each thread (most notably Linux).

Additionally, OpenSSL supports dynamic locks, and sometimes, some parts
of OpenSSL need it for better performance. To enable this, the following
is required:

=item *
Three additional callback function, dyn_create_function, dyn_lock_function
and dyn_destroy_function.

=item *
A structure defined with the data that each lock needs to handle.

struct CRYPTO_dynlock_value has to be defined to contain whatever structure
is needed to handle locks.

dyn_create_function(const char *file, int line) is needed to create a
lock. Multi-threaded applications might crash at random if it is not set.

dyn_lock_function(int mode, CRYPTO_dynlock *l, const char *file, int line)
is needed to perform locking off dynamic lock nunmbered n. Multi-threaded
applications might crash at random if it is not set.

dyn_destroy_function(CRYPTO_dynlock *l, const char *file, int line) is
needed to destroy the lock l. Multi-threaded applications might crash at
random if it is not set.

CRYPTO_get_new_dynlockid() is used to create locks. It will call
dyn_create_function for the actual creation.

CRYPTO_destroy_dynlockid() is used to destroy locks. It will call
dyn_destroy_function for the actual destruction.

CRYPTO_lock() is used to lock and unlock the locks. mode is a bitfield
describing what should be done with the lock. n is the number of the
lock as returned from CRYPTO_get_new_dynlockid(). mode can be combined
from the following values. These values are pairwise exclusive, with
undefined behavior if misused (for example, CRYPTO_READ and CRYPTO_WRITE
should not be used together):

CRYPTO_LOCK 0x01
CRYPTO_UNLOCK 0x02
CRYPTO_READ 0x04
CRYPTO_WRITE 0x08

=head1 RETURN VALUES

CRYPTO_num_locks() returns the required number of locks.

CRYPTO_get_new_dynlockid() returns the index to the newly created lock.

The other functions return no values.

=head1 NOTE
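Review bot: the two "=item *" entries after "is required:" are not enclosed in "=over 4" ... "=back", which POD requires for a list; pod2man will complain and the items will not render as bullets. Wording fixes in the same region: "Three additional callback function" should be "functions"; "perform locking off dynamic lock nunmbered n" should be "perform locking of the dynamic lock l", because dyn_lock_function receives a "CRYPTO_dynlock *l", not a lock number (the numbered form belongs to CRYPTO_lock()). The CRYPTO_lock() paragraph calls the mode values "pairwise exclusive" but a caller must combine CRYPTO_LOCK with CRYPTO_READ or CRYPTO_WRITE, so spell out the two exclusive pairs (CRYPTO_LOCK vs CRYPTO_UNLOCK, CRYPTO_READ vs CRYPTO_WRITE) rather than leaving it to the example. The sentence "Multi-threaded applications might crash at random if it is not set." is repeated three times and could be stated once for all three callbacks.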
@@ -62,6 +125,7 @@ Solaris, Irix and Win32.
CRYPTO_set_locking_callback() and CRYPTO_set_id_callback() are
available in all versions of SSLeay and OpenSSL.
CRYPTO_num_locks() was added in OpenSSL 0.9.4.
All functions dealing with dynamic locks were added in OpenSSL 0.9.5b-dev.

=head1 SEE ALSO

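Review bot: "were added in OpenSSL 0.9.5b-dev" names a development snapshot rather than a release; the CRYPTO_num_locks() line just above uses the release form "0.9.4". Once the dynamic-lock functions ship, this HISTORY line should be updated to the actual release number, otherwise users cannot tell from the manual whether the version they have includes them.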