update manages

This commit is contained in:
Zhi Guan
2017-02-15 18:09:02 +08:00
parent 64fb55bec8
commit 07d577e880
49 changed files with 533 additions and 533 deletions

View File

@@ -2,7 +2,7 @@
=head1 NAME
CA.pl - friendlier interface for OpenSSL certificate programs
CA.pl - friendlier interface for GmSSL certificate programs
=head1 SYNOPSIS
@@ -32,7 +32,7 @@ B<CA.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
=head1 DESCRIPTION
The B<CA.pl> script is a perl script that supplies the relevant command line
arguments to the B<openssl> command for some common certificate operations.
arguments to the B<gmssl> command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.
@@ -48,18 +48,18 @@ prints a usage message.
creates a new self signed certificate. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".
This argument invokes B<openssl req> command.
This argument invokes B<gmssl req> command.
=item B<-newreq>
creates a new certificate request. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".
Executes B<openssl req> command below the hood.
Executes B<gmssl req> command below the hood.
=item B<-newreq-nodes>
is like B<-newreq> except that the private key will not be encrypted.
Uses B<openssl req> command.
Uses B<gmssl req> command.
=item B<-newca>
@@ -68,7 +68,7 @@ and B<-xsign> options). The user is prompted to enter the filename of the CA
certificates (which should also contain the private key) or by hitting ENTER
details of the CA will be prompted for. The relevant files and directories
are created in a directory called "demoCA" in the current directory.
B<openssl req> and B<openssl ca> commands are get invoked.
B<gmssl req> and B<gmssl ca> commands are get invoked.
=item B<-pkcs12>
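Review bot: the rewritten line "B<gmssl req> and B<gmssl ca> commands are get invoked." carries over a pre-existing grammar slip; since the line is being changed anyway, make it "B<gmssl req> and B<gmssl ca> commands get invoked."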
@@ -80,31 +80,31 @@ B<-sign> option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
"friendly name" for the certificate (which is typically displayed in the browser
list box), otherwise the name "My Certificate" is used.
Delegates work to B<openssl pkcs12> command.
Delegates work to B<gmssl pkcs12> command.
=item B<-sign>, B<-signcert>, B<-xsign>
calls the B<ca> program to sign a certificate request. It expects the request
to be in the file "newreq.pem". The new certificate is written to the file
"newcert.pem" except in the case of the B<-xsign> option when it is written
to standard output. Leverages B<openssl ca> command.
to standard output. Leverages B<gmssl ca> command.
=item B<-signCA>
this option is the same as the B<-signreq> option except it uses the configuration
file section B<v3_ca> and so makes the signed request a valid CA certificate. This
is useful when creating intermediate CA from a root CA.
Extra params are passed on to B<openssl ca> command.
Extra params are passed on to B<gmssl ca> command.
=item B<-signcert>
this option is the same as B<-sign> except it expects a self signed certificate
to be present in the file "newreq.pem".
Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
Extra params are passed on to B<gmssl x509> and B<gmssl ca> commands.
=item B<-crl>
generate a CRL. Executes B<openssl ca> command.
generate a CRL. Executes B<gmssl ca> command.
=item B<-revoke certfile [reason]>
@@ -112,23 +112,23 @@ revoke the certificate contained in the specified B<certfile>. An optional
reason may be specified, and must be one of: B<unspecified>,
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
Leverages B<openssl ca> command.
Leverages B<gmssl ca> command.
=item B<-verify>
verifies certificates against the CA certificate for "demoCA". If no certificates
are specified on the command line it tries to verify the file "newcert.pem".
Invokes B<openssl verify> command.
Invokes B<gmssl verify> command.
=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
The purpose of these parameters is to allow optional parameters to be supplied
to B<openssl> that this command executes. The B<-extra-cmd> are specific to the
option being used and the B<openssl> command getting invoked. For example
when this command invokes B<openssl req> extra parameters can be passed on
to B<gmssl> that this command executes. The B<-extra-cmd> are specific to the
option being used and the B<gmssl> command getting invoked. For example
when this command invokes B<gmssl req> extra parameters can be passed on
with the B<-extra-req> parameter. The
B<openssl> commands being invoked per option are documented below.
Users should consult B<openssl> command documentation for more information.
B<gmssl> commands being invoked per option are documented below.
Users should consult B<gmssl> command documentation for more information.
=back
@@ -154,11 +154,11 @@ directly. The following example shows the steps that would typically be taken.
Create some DSA parameters:
openssl dsaparam -out dsap.pem 1024
gmssl dsaparam -out dsap.pem 1024
Create a DSA CA certificate and private key:
openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
gmssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
Create the CA directories and files:
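Review bot: the renamed example `gmssl dsaparam -out dsap.pem 1024` still generates 1024-bit DSA parameters, which is below the key size generally accepted today; as the line is being rewritten, consider `gmssl dsaparam -out dsap.pem 2048` so the walkthrough does not teach a weak parameter size.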
@@ -169,7 +169,7 @@ enter cacert.pem when prompted for the CA file name.
Create a DSA certificate request and private key (a different set of parameters
can optionally be created first):
openssl req -out newreq.pem -newkey dsa:dsap.pem
gmssl req -out newreq.pem -newkey dsa:dsap.pem
Sign the request:
@@ -193,9 +193,9 @@ be wrong. In this case the command:
can be used and the B<OPENSSL_CONF> environment variable changed to point to
the correct path of the configuration file "openssl.cnf".
The script is intended as a simple front end for the B<openssl> program for use
The script is intended as a simple front end for the B<gmssl> program for use
by a beginner. Its behaviour isn't always what is wanted. For more control over the
behaviour of the certificate commands call the B<openssl> command directly.
behaviour of the certificate commands call the B<gmssl> command directly.
=head1 ENVIRONMENT VARIABLES
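Review bot: this hunk renames the B<openssl> program to B<gmssl> but leaves B<OPENSSL_CONF> and "openssl.cnf" two lines above untouched, so the page now documents a gmssl binary that reads an openssl-named configuration file and environment variable. That may be exactly what the fork does, but it should be deliberate: either rename them as well (if the code did) or state under ENVIRONMENT VARIABLES that the config file name and variable are unchanged, so users do not look for a gmssl.cnf that is never read.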
@@ -212,7 +212,7 @@ L<config(5)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
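Review bot: changing "Licensed under the OpenSSL license" to "Licensed under the GmSSL license" while the copyright line still reads "The OpenSSL Project Authors" and the link still points at https://www.openssl.org/source/license.html is a relicensing statement made by search-and-replace, and the notice is now internally contradictory. The original license text is the terms under which the fork received this file and should be left intact; if the fork distributes under additional terms, add a separate notice that references the fork's own LICENSE instead of editing this one. The same pattern appears in every COPYRIGHT hunk of this commit.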

View File

@@ -6,7 +6,7 @@ asn1parse - ASN.1 parsing tool
=head1 SYNOPSIS
B<openssl> B<asn1parse>
B<gmssl> B<asn1parse>
[B<-help>]
[B<-inform PEM|DER>]
[B<-in filename>]
@@ -145,7 +145,7 @@ be examined using the option B<-strparse 229> to yield:
=head1 NOTES
If an OID is not part of OpenSSL's internal table it will be represented in
If an OID is not part of GmSSL's internal table it will be represented in
numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the OID in numerical format and should be followed by white
@@ -159,23 +159,23 @@ C<1.2.3.4 shortName A long name>
Parse a file:
openssl asn1parse -in file.pem
gmssl asn1parse -in file.pem
Parse a DER file:
openssl asn1parse -inform DER -in file.der
gmssl asn1parse -inform DER -in file.der
Generate a simple UTF8String:
openssl asn1parse -genstr 'UTF8:Hello World'
gmssl asn1parse -genstr 'UTF8:Hello World'
Generate and write out a UTF8String, don't print parsed output:
openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der
gmssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der
Generate using a config file:
openssl asn1parse -genconf asn1.cnf -noout -out asn1.der
gmssl asn1parse -genconf asn1.cnf -noout -out asn1.der
Example config file:
@@ -200,7 +200,7 @@ L<ASN1_generate_nconf(3)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ ca - sample minimal CA application
=head1 SYNOPSIS
B<openssl> B<ca>
B<gmssl> B<ca>
[B<-help>]
[B<-verbose>]
[B<-config filename>]
@@ -151,7 +151,7 @@ self-signed certificate.
=item B<-passin arg>
the key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-notext>
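Review bot: the cross-reference is changed to L<gmssl(1)>, which only resolves if the openssl(1) page was renamed to gmssl(1) in the same change (it is not among the hunks shown here). If it was not, this is now a dangling POD link; the same edit is made in the B<-passin> descriptions of cms and dgst further down.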
@@ -174,7 +174,7 @@ the number of days to certify the certificate for.
=item B<-md alg>
the message digest to use.
Any digest supported by the OpenSSL B<dgst> command can be used.
Any digest supported by the GmSSL B<dgst> command can be used.
This option also applies to CRLs.
=item B<-policy arg>
@@ -261,7 +261,7 @@ serial number.
This option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
I</DC=org/DC=GmSSL/DC=users/UID=123456+CN=John Doe>
If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
@@ -436,7 +436,7 @@ if the value B<yes> is given, the valid certificate entries in the
database must have unique subjects. if the value B<no> is given,
several valid certificate entries may have the exact same subject.
The default value is B<yes>, to be compatible with older (pre 0.9.8)
versions of OpenSSL. However, to make CA certificate roll-over easier,
versions of GmSSL. However, to make CA certificate roll-over easier,
it's recommended to use the value B<no>, especially if combined with
the B<-selfsign> command line option.
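Review bot: "older (pre 0.9.8) versions of GmSSL" rewrites a statement about OpenSSL's release history; the behaviour described (unique_subject defaulting to yes) predates the fork and there is no GmSSL 0.9.8. Version-history sentences should keep the OpenSSL name, or say "OpenSSL, from which GmSSL is derived"; the same applies to the "earlier versions" sentence in the next hunk and to the HISTORY sections of ciphers, cms and crl.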
@@ -491,7 +491,7 @@ For convenience the values B<ca_default> are accepted by both to produce
a reasonable output.
If neither option is present the format used in earlier versions of
OpenSSL is used. Use of the old format is B<strongly> discouraged because
GmSSL is used. Use of the old format is B<strongly> discouraged because
it only displays fields mentioned in the B<policy> section, mishandles
multicharacter string types and does not display extensions.
@@ -555,30 +555,30 @@ demoCA/index.txt.
Sign a certificate request:
openssl ca -in req.pem -out newcert.pem
gmssl ca -in req.pem -out newcert.pem
Sign a certificate request, using CA extensions:
openssl ca -in req.pem -extensions v3_ca -out newcert.pem
gmssl ca -in req.pem -extensions v3_ca -out newcert.pem
Generate a CRL
openssl ca -gencrl -out crl.pem
gmssl ca -gencrl -out crl.pem
Sign several requests:
openssl ca -infiles req1.pem req2.pem req3.pem
gmssl ca -infiles req1.pem req2.pem req3.pem
Certify a Netscape SPKAC:
openssl ca -spkac spkac.txt
gmssl ca -spkac spkac.txt
A sample SPKAC file (the SPKAC line has been truncated for clarity):
SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
CN=Steve Test
emailAddress=steve@openssl.org
0.OU=OpenSSL Group
emailAddress=steve@gmssl.org
0.OU=GmSSL Group
1.OU=Another Group
A sample configuration file with the relevant sections for B<ca>:
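Review bot: the sample SPKAC's emailAddress and 0.OU are changed to steve@gmssl.org and "GmSSL Group". Rewriting sample data to a real person's name at the fork's live domain is not required by the rename; a reserved example address (for instance user@example.com) would be safer here and in the cms EXAMPLES below, so the documentation never directs mail at a mailbox that may exist.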
@@ -714,7 +714,7 @@ L<config(5)>, L<x509v3_config(5)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ ciphers - SSL cipher display and cipher list tool
=head1 SYNOPSIS
B<openssl> B<ciphers>
B<gmssl> B<ciphers>
[B<-help>]
[B<-s>]
[B<-v>]
@@ -24,7 +24,7 @@ B<openssl> B<ciphers>
=head1 DESCRIPTION
The B<ciphers> command converts textual OpenSSL cipher lists into ordered
The B<ciphers> command converts textual GmSSL cipher lists into ordered
SSL cipher preference lists. It can be used as a test tool to determine
the appropriate cipherlist.
@@ -97,7 +97,7 @@ TLSv1.1 were negotiated.
=item B<-stdname>
precede each ciphersuite by its standard name: only available is OpenSSL
precede each ciphersuite by its standard name: only available is GmSSL
is built with tracing enabled (B<enable-ssl-trace> argument to Configure).
=item B<cipherlist>
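Review bot: the rewritten line still reads "only available is GmSSL is built with tracing enabled"; the first "is" is a pre-existing typo for "if", and since the line is being changed it should become "only available if GmSSL is built with tracing enabled".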
@@ -168,14 +168,14 @@ When used, this must be the first cipherstring specified.
The ciphers included in B<ALL>, but not enabled by default. Currently
this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
necessary). Note that RC4 based ciphersuites are not built into GmSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
All cipher suites except the B<eNULL> ciphers (which must be explicitly enabled
if needed).
As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
As of GmSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
=item B<COMPLEMENTOFALL>
@@ -195,7 +195,7 @@ encryption.
"low" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites. All these
ciphersuites have been removed as of OpenSSL 1.1.0.
ciphersuites have been removed as of GmSSL 1.1.0.
=item B<eNULL>, B<NULL>
@@ -225,7 +225,7 @@ Cipher suites using RSA key exchange, authentication or either respectively.
Cipher suites using static DH key agreement and DH certificates signed by CAs
with RSA and DSS keys or either respectively.
All these cipher suites have been removed in OpenSSL 1.1.0.
All these cipher suites have been removed in GmSSL 1.1.0.
=item B<kDHE>, B<kEDH>, B<DH>
@@ -262,7 +262,7 @@ Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
Cipher suites effectively using DH authentication, i.e. the certificates carry
DH keys.
All these cipher suites have been removed in OpenSSL 1.1.0.
All these cipher suites have been removed in GmSSL 1.1.0.
=item B<aECDSA>, B<ECDSA>
@@ -312,7 +312,7 @@ cipher suites using triple DES.
=item B<DES>
Cipher suites using DES (not triple DES).
All these cipher suites have been removed in OpenSSL 1.1.0.
All these cipher suites have been removed in GmSSL 1.1.0.
=item B<RC4>
@@ -396,7 +396,7 @@ permissible.
=head1 CIPHER SUITE NAMES
The following lists give the SSL or TLS cipher suites names from the
relevant specification and their OpenSSL equivalents. It should be noted,
relevant specification and their GmSSL equivalents. It should be noted,
that several cipher suite names do not include the authentication used,
e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
@@ -489,7 +489,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0
Note: these ciphers require an engine which including GOST cryptographic
algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
algorithms, such as the B<ccgost> engine, included in the GmSSL distribution.
TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89
TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89
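Review bot: the renamed sentence now asserts that the B<ccgost> engine is "included in the GmSSL distribution". Please confirm the fork actually ships that engine before claiming it; if GOST support has to come from an external engine, say so, because readers will otherwise configure GOST cipher suites that can never be negotiated.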
@@ -670,7 +670,7 @@ Note: these ciphers can also be used in SSL v3.
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE-PSK-CHACHA20-POLY1305
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA-PSK-CHACHA20-POLY1305
=head2 Older names used by OpenSSL
=head2 Older names used by GmSSL
The following names are accepted by older releases:
@@ -679,41 +679,41 @@ The following names are accepted by older releases:
=head1 NOTES
Some compiled versions of OpenSSL may not include all the ciphers
Some compiled versions of GmSSL may not include all the ciphers
listed here because some ciphers were excluded at compile time.
=head1 EXAMPLES
Verbose listing of all OpenSSL ciphers including NULL ciphers:
Verbose listing of all GmSSL ciphers including NULL ciphers:
openssl ciphers -v 'ALL:eNULL'
gmssl ciphers -v 'ALL:eNULL'
Include all ciphers except NULL and anonymous DH then sort by
strength:
openssl ciphers -v 'ALL:!ADH:@STRENGTH'
gmssl ciphers -v 'ALL:!ADH:@STRENGTH'
Include all ciphers except ones with no encryption (eNULL) or no
authentication (aNULL):
openssl ciphers -v 'ALL:!aNULL'
gmssl ciphers -v 'ALL:!aNULL'
Include only 3DES ciphers and then place RSA ciphers last:
openssl ciphers -v '3DES:+RSA'
gmssl ciphers -v '3DES:+RSA'
Include all RC4 ciphers but leave out those without authentication:
openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
gmssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
Include all ciphers with RSA authentication but leave out ciphers without
encryption.
openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
gmssl ciphers -v 'RSA:!COMPLEMENTOFALL'
Set security level to 2 and display all ciphers consistent with level 2:
openssl ciphers -s -v 'ALL:@SECLEVEL=2'
gmssl ciphers -s -v 'ALL:@SECLEVEL=2'
=head1 SEE ALSO
@@ -721,13 +721,13 @@ L<s_client(1)>, L<s_server(1)>, L<ssl(7)>
=head1 HISTORY
The B<-V> option for the B<ciphers> command was added in OpenSSL 1.0.0.
The B<-V> option for the B<ciphers> command was added in GmSSL 1.0.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ cms - CMS utility
=head1 SYNOPSIS
B<openssl> B<cms>
B<gmssl> B<cms>
[B<-help>]
[B<-encrypt>]
[B<-decrypt>]
@@ -173,12 +173,12 @@ Verify a CMS B<DigestedData> type and output the content.
=item B<-compress>
Create a CMS B<CompressedData> type. OpenSSL must be compiled with B<zlib>
Create a CMS B<CompressedData> type. GmSSL must be compiled with B<zlib>
support for this option to work, otherwise it will output an error.
=item B<-uncompress>
Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be
Uncompress a CMS B<CompressedData> type and output the content. GmSSL must be
compiled with B<zlib> support for this option to work, otherwise it will
output an error.
@@ -303,7 +303,7 @@ the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers
supported by your version of OpenSSL.
supported by your version of GmSSL.
If not specified triple DES is used. Only used with B<-encrypt> and
B<-EncryptedData_create> commands.
@@ -459,7 +459,7 @@ or to modify default parameters for ECDH.
=item B<-passin arg>
the private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-rand file(s)>
@@ -600,46 +600,46 @@ be processed by the older B<smime> command.
Create a cleartext signed message:
openssl cms -sign -in message.txt -text -out mail.msg \
gmssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem
Create an opaque signed message
openssl cms -sign -in message.txt -text -out mail.msg -nodetach \
gmssl cms -sign -in message.txt -text -out mail.msg -nodetach \
-signer mycert.pem
Create a signed message, include some additional certificates and
read the private key from another file:
openssl cms -sign -in in.txt -text -out mail.msg \
gmssl cms -sign -in in.txt -text -out mail.msg \
-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
Create a signed message with two signers, use key identifier:
openssl cms -sign -in message.txt -text -out mail.msg \
gmssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -signer othercert.pem -keyid
Send a signed message under Unix directly to sendmail, including headers:
openssl cms -sign -in in.txt -text -signer mycert.pem \
-from steve@openssl.org -to someone@somewhere \
gmssl cms -sign -in in.txt -text -signer mycert.pem \
-from steve@gmssl.org -to someone@somewhere \
-subject "Signed message" | sendmail someone@somewhere
Verify a message and extract the signer's certificate if successful:
openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt
gmssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt
Send encrypted mail using triple DES:
openssl cms -encrypt -in in.txt -from steve@openssl.org \
gmssl cms -encrypt -in in.txt -from steve@gmssl.org \
-to someone@somewhere -subject "Encrypted message" \
-des3 user.pem -out mail.msg
Sign and encrypt mail:
openssl cms -sign -in ml.txt -signer my.pem -text \
| openssl cms -encrypt -out mail.msg \
-from steve@openssl.org -to someone@somewhere \
gmssl cms -sign -in ml.txt -signer my.pem -text \
| gmssl cms -encrypt -out mail.msg \
-from steve@gmssl.org -to someone@somewhere \
-subject "Signed and Encrypted message" -des3 user.pem
Note: the encryption command does not include the B<-text> option because the
@@ -647,7 +647,7 @@ message being encrypted already has MIME headers.
Decrypt mail:
openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
gmssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
The output from Netscape form signing is a PKCS#7 structure with the
detached signature format. You can use this program to verify the
@@ -659,33 +659,33 @@ it with:
and using the command,
openssl cms -verify -inform PEM -in signature.pem -content content.txt
gmssl cms -verify -inform PEM -in signature.pem -content content.txt
alternatively you can base64 decode the signature and use
openssl cms -verify -inform DER -in signature.der -content content.txt
gmssl cms -verify -inform DER -in signature.der -content content.txt
Create an encrypted message using 128 bit Camellia:
openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
gmssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
Add a signer to an existing message:
openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg
gmssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg
Sign mail using RSA-PSS:
openssl cms -sign -in message.txt -text -out mail.msg \
gmssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -keyopt rsa_padding_mode:pss
Create encrypted mail using RSA-OAEP:
openssl cms -encrypt -in plain.txt -out mail.msg \
gmssl cms -encrypt -in plain.txt -out mail.msg \
-recip cert.pem -keyopt rsa_padding_mode:oaep
Use SHA256 KDF with an ECDH certificate:
openssl cms -encrypt -in plain.txt -out mail.msg \
gmssl cms -encrypt -in plain.txt -out mail.msg \
-recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
=head1 BUGS
@@ -711,25 +711,25 @@ No revocation checking is done on the signer's certificate.
=head1 HISTORY
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0
added in GmSSL 1.0.0
The B<keyopt> option was first added in OpenSSL 1.1.0
The B<keyopt> option was first added in GmSSL 1.1.0
The use of B<-recip> to specify the recipient when encrypting mail was first
added to OpenSSL 1.1.0
added to GmSSL 1.1.0
Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
Support for RSA-OAEP and RSA-PSS was first added to GmSSL 1.1.0.
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
to OpenSSL 1.1.0.
to GmSSL 1.1.0.
The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -no_alt_chains options was first added to GmSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
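Review bot: every HISTORY sentence in this hunk now dates a feature to "GmSSL 1.0.0" or "GmSSL 1.1.0", but those are the OpenSSL releases in which multiple B<-signer>, B<-resign>, B<keyopt>, B<-recip>, RSA-OAEP/RSA-PSS and -no_alt_chains arrived. Unless GmSSL's own release numbers are meant to coincide with OpenSSL's, the rename turns accurate history into wrong history; keep "OpenSSL" in these sentences. While the line is being edited, "The -no_alt_chains options was" should read "option was".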

View File

@@ -1,17 +1,17 @@
=pod
=for comment openssl_manual_section:5
=for comment gmssl_manual_section:5
=head1 NAME
config - OpenSSL CONF library configuration files
config - GmSSL CONF library configuration files
=head1 DESCRIPTION
The OpenSSL CONF library can be used to read configuration files.
It is used for the OpenSSL master configuration file B<openssl.cnf>
The GmSSL CONF library can be used to read configuration files.
It is used for the GmSSL master configuration file B<openssl.cnf>
and in a few other places like B<SPKAC> files and certificate extension
files for the B<x509> utility. OpenSSL applications can also use the
files for the B<x509> utility. GmSSL applications can also use the
CONF library for their own purposes.
A configuration file is divided into a number of sections. Each section
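Review bot: `=for comment openssl_manual_section:5` is not prose; it is a marker the documentation build reads to decide which manual section this page is installed into. Renaming it to gmssl_manual_section only works if the script that parses it was changed in the same commit; otherwise config.pod silently lands in the wrong section. In the same hunk, "master configuration file B<openssl.cnf>" is kept while the program becomes B<gmssl>; decide whether the file name changed and document it consistently.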
@@ -56,15 +56,15 @@ the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.
=head1 OPENSSL LIBRARY CONFIGURATION
Applications can automatically configure certain
aspects of OpenSSL using the master OpenSSL configuration file, or optionally
an alternative configuration file. The B<openssl> utility includes this
functionality: any sub command uses the master OpenSSL configuration file
aspects of GmSSL using the master GmSSL configuration file, or optionally
an alternative configuration file. The B<gmssl> utility includes this
functionality: any sub command uses the master GmSSL configuration file
unless an option is used in the sub command to use an alternative configuration
file.
To enable library configuration the default section needs to contain an
appropriate line which points to the main configuration section. The default
name is B<openssl_conf> which is used by the B<openssl> utility. Other
name is B<gmssl_conf> which is used by the B<gmssl> utility. Other
applications may use an alternative name such as B<myapplicaton_conf>.
The configuration section should consist of a set of name value pairs which
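Review bot: documenting B<gmssl_conf> as the default section name the B<gmssl> utility looks for is a statement about the library's default application name, not just wording. If that default in the CONF module-loading code was not changed alongside this page, a configuration written as documented here loads without any error and simply applies nothing: the oid_section, engines and alg_section entries (including the FIPS example later in this file) are silently ignored. Please confirm the code default matches, and state whether B<openssl_conf> is still honoured so existing openssl.cnf files behave predictably.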
@@ -73,9 +73,9 @@ the name of the I<configuration module> the meaning of the B<value> is
module specific: it may, for example, represent a further configuration
section containing configuration module specific information. E.g.
openssl_conf = openssl_init
gmssl_conf = gmssl_init
[openssl_init]
[gmssl_init]
oid_section = new_oids
engines = engine_section
@@ -95,9 +95,9 @@ The features of each configuration module are described below.
This module has the name B<oid_section>. The value of this variable points
to a section containing name value pairs of OIDs: the name is the OID short
and long name, the value is the numerical form of the OID. Although some of
the B<openssl> utility sub commands already have their own ASN1 OBJECT section
the B<gmssl> utility sub commands already have their own ASN1 OBJECT section
functionality not all do. By using the ASN1 OBJECT configuration module
B<all> the B<openssl> utility sub commands can see the new objects as well
B<all> the B<gmssl> utility sub commands can see the new objects as well
as any compliant applications. For example:
[new_oids]
@@ -241,7 +241,7 @@ For example:
If a configuration file attempts to expand a variable that doesn't exist
then an error is flagged and the file will not load. This can happen
if an attempt is made to expand an environment variable that doesn't
exist. For example in a previous version of OpenSSL the default OpenSSL
exist. For example in a previous version of GmSSL the default GmSSL
master configuration file used the value of B<HOME> which may not be
defined on non Unix systems and would cause an error.
@@ -304,13 +304,13 @@ priority and B</tmp> used if neither is defined:
# The above value is used if TEMP isn't in the environment
tmpfile=${ENV::TEMP}/tmp.filename
Simple OpenSSL library configuration example to enter FIPS mode:
Simple GmSSL library configuration example to enter FIPS mode:
# Default appname: should match "appname" parameter (if any)
# supplied to CONF_modules_load_file et al.
openssl_conf = openssl_conf_section
gmssl_conf = gmssl_conf_section
[openssl_conf_section]
[gmssl_conf_section]
# Configuration module list
alg_section = evp_sect
@@ -319,15 +319,15 @@ Simple OpenSSL library configuration example to enter FIPS mode:
fips_mode = yes
Note: in the above example you will get an error in non FIPS capable versions
of OpenSSL.
of GmSSL.
More complex OpenSSL library configuration. Add OID and don't enter FIPS mode:
More complex GmSSL library configuration. Add OID and don't enter FIPS mode:
# Default appname: should match "appname" parameter (if any)
# supplied to CONF_modules_load_file et al.
openssl_conf = openssl_conf_section
gmssl_conf = gmssl_conf_section
[openssl_conf_section]
[gmssl_conf_section]
# Configuration module list
alg_section = evp_sect
oid_section = new_oids
@@ -344,12 +344,12 @@ More complex OpenSSL library configuration. Add OID and don't enter FIPS mode:
newoid2 = New OID 2 long name, 1.2.3.4.2
The above examples can be used with any application supporting library
configuration if "openssl_conf" is modified to match the appropriate "appname".
configuration if "gmssl_conf" is modified to match the appropriate "appname".
For example if the second sample file above is saved to "example.cnf" then
the command line:
OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
OPENSSL_CONF=example.cnf gmssl asn1parse -genstr OID:1.2.3.4.1
will output:
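Review bot: this example doubles as the regression check for the section rename: the output shown under "will output:" (the OID's configured name rather than its dotted form) only appears if the B<gmssl_conf> section was actually loaded, so if the command prints 1.2.3.4.1 unchanged, the default application name does not match the documentation. Worth running before merging, and worth keeping as a test.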
@@ -378,7 +378,7 @@ L<x509(1)>, L<req(1)>, L<ca(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ crl - CRL utility
=head1 SYNOPSIS
B<openssl> B<crl>
B<gmssl> B<crl>
[B<-help>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
@@ -76,7 +76,7 @@ a directory by issuer name.
=item B<-hash_old>
outputs the "hash" of the CRL issuer name using the older algorithm
as used by OpenSSL versions before 1.0.0.
as used by GmSSL versions before 1.0.0.
=item B<-issuer>
@@ -115,11 +115,11 @@ The PEM CRL format uses the header and footer lines:
Convert a CRL file from PEM to DER:
openssl crl -in crl.pem -outform DER -out crl.der
gmssl crl -in crl.pem -outform DER -out crl.der
Output the text form of a DER encoded certificate:
openssl crl -in crl.der -text -noout
gmssl crl -in crl.der -text -noout
=head1 BUGS
@@ -134,7 +134,7 @@ L<crl2pkcs7(1)>, L<ca(1)>, L<x509(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates
=head1 SYNOPSIS
B<openssl> B<crl2pkcs7>
B<gmssl> B<crl2pkcs7>
[B<-help>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
@@ -69,12 +69,12 @@ included in the output file and a CRL is not read from the input file.
Create a PKCS#7 structure from a certificate and CRL:
openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
gmssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
Creates a PKCS#7 structure in DER format with no CRL from several
different certificates:
openssl crl2pkcs7 -nocrl -certfile newcert.pem
gmssl crl2pkcs7 -nocrl -certfile newcert.pem
-certfile demoCA/cacert.pem -outform DER -out p7.der
=head1 NOTES
@@ -97,7 +97,7 @@ L<pkcs7(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -2,11 +2,11 @@
=head1 NAME
dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md4, md5, blake2b, blake2s - message digests
dgst, sha, sha1, mdc2, ripemd160, sha224, sm3, sha384, sha512, md4, md5, blake2b, blake2s - message digests
=head1 SYNOPSIS
B<openssl> B<dgst>
B<gmssl> B<dgst>
[B<-help>]
[B<-I<digest>>]
[B<-c>]
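Review bot: the NAME line replaces "sha256" with "sm3" instead of adding it, which drops the sha256 command from the page's name list while the rest of this page (and the NOTES section further down) still treats SHA-256 as an available digest. Unless the sha256 command is actually removed in this commit, write "sha224, sha256, sm3, sha384, sha512" so both names are listed.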
@@ -27,7 +27,7 @@ B<openssl> B<dgst>
[B<-engine_impl>]
[B<file...>]
B<openssl>
B<gmssl>
[I<digest>]
[B<...>]
@@ -39,7 +39,7 @@ signatures using message digests.
The generic name, B<dgst>, may be used with an option specifying the
algorithm to be used.
The default digest is I<sha256>.
The default digest is I<sm3>.
A supported I<digest> name may also be used as the command name.
To see the list of supported algorithms, use the I<list --digest-commands>
command.
@@ -102,7 +102,7 @@ Names and values of these options are algorithm-specific.
=item B<-passin arg>
the private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-verify filename>
@@ -161,7 +161,7 @@ all others.
=item B<-fips-fingerprint>
compute HMAC using a specific key
for certain OpenSSL-FIPS operations.
for certain GmSSL-FIPS operations.
=item B<-engine id>
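Review bot: "for certain GmSSL-FIPS operations" names a FIPS module that this commit gives no evidence of, and the HISTORY hunk later in this same file states that the FIPS-related options were removed. Either keep the original "OpenSSL-FIPS" wording, since that is the module the option historically targets, or drop the B<-fips-fingerprint> item so the option list and HISTORY agree.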
@@ -186,13 +186,13 @@ used.
=head1 EXAMPLES
To create a hex-encoded message digest of a file:
openssl dgst -md5 -hex file.txt
gmssl dgst -md5 -hex file.txt
To sign a file using SHA-256 with binary file output:
openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt
gmssl dgst -sm3 -sign privatekey.pem -out signature.sign file.txt
To verify a signature:
openssl dgst -sha256 -verify publickey.pem \
gmssl dgst -sm3 -verify publickey.pem \
-signature signature.sign \
file.txt
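Review bot: the unchanged introductory line "To sign a file using SHA-256 with binary file output:" now contradicts the command beneath it, which was switched to -sm3. Update the sentence to say SM3 (or switch the command back) so the text and the example agree; a reader copying the example otherwise gets a different digest than the prose promises.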
@@ -200,7 +200,7 @@ To verify a signature:
=head1 NOTES
The digest mechanisms that are available will depend on the options
used when building OpenSSL.
used when building GmSSL.
The B<list digest-commands> command can be used to list them.
New or agile applications should use probably use SHA-256. Other digests,
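Review bot: the unchanged context line "New or agile applications should use probably use SHA-256" now conflicts with the default digest changed to I<sm3> earlier in this file; decide what this page recommends and state it once. The line also carries a pre-existing "should use probably use" typo that is worth fixing while the section is being edited.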
@@ -219,20 +219,20 @@ particular ECDSA and DSA.
The signing and verify options should only be used if a single file is
being signed or verified.
Hex signatures cannot be verified using B<openssl>. Instead, use "xxd -r"
Hex signatures cannot be verified using B<gmssl>. Instead, use "xxd -r"
or similar program to transform the hex signature into a binary signature
prior to verification.
=head1 HISTORY
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0
The FIPS-related options were removed in OpenSSL 1.1.0
The default digest was changed from MD5 to SM3 in GmSSL 2.0
The FIPS-related options were removed in GmSSL 2.0
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
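Review bot: the HISTORY rewrite erases what actually happened: "The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0" is a fact about the code this page inherits, and replacing it with "from MD5 to SM3 in GmSSL 2.0" skips the SHA256 step entirely. Keep the two OpenSSL lines and add a new entry such as "The default digest was changed from SHA256 to SM3 in GmSSL 2.0". That entry also deserves a sentence on interoperability: a signature produced with B<dgst -sign> under the new default will not verify with a tool whose default is SHA-256, so callers who exchange signatures with OpenSSL should pass the digest explicitly.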

View File

@@ -6,7 +6,7 @@ dhparam - DH parameter manipulation and generation
=head1 SYNOPSIS
B<openssl dhparam>
B<gmssl dhparam>
[B<-help>]
[B<-inform DER|PEM>]
[B<-outform DER|PEM>]
@@ -123,9 +123,9 @@ for all available algorithms.
=head1 WARNINGS
The program B<dhparam> combines the functionality of the programs B<dh> and
B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
B<gendh> in previous versions of GmSSL. The B<dh> and B<gendh>
programs are retained for now but may have different purposes in future
versions of OpenSSL.
versions of GmSSL.
=head1 NOTES
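Review bot: "B<dh> and B<gendh> in previous versions of GmSSL" refers to programs that existed in earlier OpenSSL releases, not in any GmSSL release, so the WARNINGS paragraph should keep "OpenSSL" in both places where it describes that history. The product name should only be substituted where the sentence talks about the present toolkit.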
@@ -134,7 +134,7 @@ PEM format DH parameters use the header and footer lines:
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
GmSSL currently only supports the older PKCS#3 DH, not the newer X9.42
DH.
This program manipulates DH parameters not keys.
@@ -151,7 +151,7 @@ L<dsaparam(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ dsa - DSA key processing
=head1 SYNOPSIS
B<openssl> B<dsa>
B<gmssl> B<dsa>
[B<-help>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
@@ -71,7 +71,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-out filename>
@@ -83,7 +83,7 @@ filename.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
@@ -143,23 +143,23 @@ The PEM public key format uses the header and footer lines:
To remove the pass phrase on a DSA private key:
openssl dsa -in key.pem -out keyout.pem
gmssl dsa -in key.pem -out keyout.pem
To encrypt a private key using triple DES:
openssl dsa -in key.pem -des3 -out keyout.pem
gmssl dsa -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
openssl dsa -in key.pem -outform DER -out keyout.der
gmssl dsa -in key.pem -outform DER -out keyout.der
To print out the components of a private key to standard output:
openssl dsa -in key.pem -text -noout
gmssl dsa -in key.pem -text -noout
To just output the public part of a private key:
openssl dsa -in key.pem -pubout -out pubkey.pem
gmssl dsa -in key.pem -pubout -out pubkey.pem
=head1 SEE ALSO
@@ -170,7 +170,7 @@ L<genrsa(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ dsaparam - DSA parameter manipulation and generation
=head1 SYNOPSIS
B<openssl dsaparam>
B<gmssl dsaparam>
[B<-help>]
[B<-inform DER|PEM>]
[B<-outform DER|PEM>]
@@ -116,7 +116,7 @@ L<rsa(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ ec - EC key processing
=head1 SYNOPSIS
B<openssl> B<ec>
B<gmssl> B<ec>
[B<-help>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
@@ -16,7 +16,7 @@ B<openssl> B<ec>
[B<-passout arg>]
[B<-des>]
[B<-des3>]
[B<-idea>]
[B<-sms4>]
[B<-text>]
[B<-noout>]
[B<-param_out>]
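Review bot: B<-idea> is removed from the B<ec> synopsis in favour of B<-sms4>, while the B<dsa> and B<genrsa> pages in this same commit still list B<-idea> in their cipher options, and the "-des|-des3|-sms4" item later in this file makes the same substitution. If the ec command really loses IDEA in this commit, the other pages need the same change and the history should say so; otherwise keep B<-idea> and add B<-sms4> alongside it.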
@@ -31,9 +31,9 @@ B<openssl> B<ec>
=head1 DESCRIPTION
The B<ec> command processes EC keys. They can be converted between various
forms and their components printed out. B<Note> OpenSSL uses the
forms and their components printed out. B<Note> GmSSL uses the
private key format specified in 'SEC 1: Elliptic Curve Cryptography'
(http://www.secg.org/). To convert an OpenSSL EC private key into the
(http://www.secg.org/). To convert an GmSSL EC private key into the
PKCS#8 private key format use the B<pkcs8> command.
=head1 OPTIONS
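Review bot: "To convert an GmSSL EC private key" needs the article "a", since the substitution changed the following word from a vowel sound to a consonant sound. Worth scanning the other renamed sentences in this commit for the same "an OpenSSL" to "an GmSSL" artefact.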
@@ -67,7 +67,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-out filename>
@@ -79,12 +79,12 @@ filename.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-des|-des3|-idea>
=item B<-des|-des3|-sms4>
These options encrypt the private key with the DES, triple DES, IDEA or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
These options encrypt the private key with the DES, triple DES, SMS4 or
any other cipher supported by GmSSL before outputting it. A pass phrase is
prompted for.
If none of these options is specified the key is written in plain text. This
means that using the B<ec> utility to read in an encrypted key with no
@@ -133,7 +133,7 @@ specified by an OID, or B<explicit> where the ec parameters are
explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in OpenSSL.
is currently not implemented in GmSSL.
=item B<-no_public>
@@ -168,27 +168,27 @@ The PEM public key format uses the header and footer lines:
To encrypt a private key using triple DES:
openssl ec -in key.pem -des3 -out keyout.pem
gmssl ec -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
openssl ec -in key.pem -outform DER -out keyout.der
gmssl ec -in key.pem -outform DER -out keyout.der
To print out the components of a private key to standard output:
openssl ec -in key.pem -text -noout
gmssl ec -in key.pem -text -noout
To just output the public part of a private key:
openssl ec -in key.pem -pubout -out pubkey.pem
gmssl ec -in key.pem -pubout -out pubkey.pem
To change the parameters encoding to B<explicit>:
openssl ec -in key.pem -param_enc explicit -out keyout.pem
gmssl ec -in key.pem -param_enc explicit -out keyout.pem
To change the point conversion form to B<compressed>:
openssl ec -in key.pem -conv_form compressed -out keyout.pem
gmssl ec -in key.pem -conv_form compressed -out keyout.pem
=head1 SEE ALSO
@@ -198,7 +198,7 @@ L<ecparam(1)>, L<dsa(1)>, L<rsa(1)>
Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ ecparam - EC parameter manipulation and generation
=head1 SYNOPSIS
B<openssl ecparam>
B<gmssl ecparam>
[B<-help>]
[B<-inform DER|PEM>]
[B<-outform DER|PEM>]
@@ -105,7 +105,7 @@ specified by an OID, or B<explicit> where the ec parameters are
explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in OpenSSL.
is currently not implemented in GmSSL.
=item B<-no_seed>
@@ -140,34 +140,34 @@ PEM format EC parameters use the header and footer lines:
-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
OpenSSL is currently not able to generate new groups and therefore
GmSSL is currently not able to generate new groups and therefore
B<ecparam> can only create EC parameters from known (named) curves.
=head1 EXAMPLES
To create EC parameters with the group 'prime192v1':
openssl ecparam -out ec_param.pem -name prime192v1
gmssl ecparam -out ec_param.pem -name prime192v1
To create EC parameters with explicit parameters:
openssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit
gmssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit
To validate given EC parameters:
openssl ecparam -in ec_param.pem -check
gmssl ecparam -in ec_param.pem -check
To create EC parameters and a private key:
openssl ecparam -out ec_key.pem -name prime192v1 -genkey
gmssl ecparam -out ec_key.pem -name prime192v1 -genkey
To change the point encoding to 'compressed':
openssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed
gmssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed
To print out the EC parameters to standard output:
openssl ecparam -in ec_param.pem -noout -text
gmssl ecparam -in ec_param.pem -noout -text
=head1 SEE ALSO
@@ -177,7 +177,7 @@ L<ec(1)>, L<dsaparam(1)>
Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ enc - symmetric cipher routines
=head1 SYNOPSIS
B<openssl enc -ciphername>
B<gmssl enc -ciphername>
[B<-help>]
[B<-ciphers>]
[B<-in filename>]
@@ -63,7 +63,7 @@ the output filename, standard output by default.
=item B<-pass arg>
the password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-e>
@@ -90,24 +90,24 @@ if the B<-a> option is set then base64 process the data on one line.
=item B<-k password>
the password to derive the key from. This is for compatibility with previous
versions of OpenSSL. Superseded by the B<-pass> argument.
versions of GmSSL. Superseded by the B<-pass> argument.
=item B<-kfile filename>
read the password to derive the key from the first line of B<filename>.
This is for compatibility with previous versions of OpenSSL. Superseded by
This is for compatibility with previous versions of GmSSL. Superseded by
the B<-pass> argument.
=item B<-md digest>
Use the specified digest to create the key from the passphrase.
The default algorithm is sha-256.
The default algorithm is SM3.
=item B<-nosalt>
don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
used except for test purposes or compatibility with ancient versions of
OpenSSL.
GmSSL.
=item B<-salt>
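Review bot: changing the B<-md> default to SM3 changes the key derivation, not just a label, so data encrypted by openssl enc with its default settings will not decrypt under gmssl unless the caller passes "-md sha256", and files produced under the new default will not decrypt with OpenSSL without an explicit "-md sm3"; that caveat belongs in the B<-md> description. Separately, "compatibility with previous versions of GmSSL" under B<-k>, B<-kfile> and B<-nosalt> describes OpenSSL's older behaviour and should keep "OpenSSL".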
@@ -158,7 +158,7 @@ debug the BIOs used for I/O.
=item B<-z>
Compress or decompress clear text using zlib before encryption or after
decryption. This option exists only if OpenSSL with compiled with zlib
decryption. This option exists only if GmSSL with compiled with zlib
or zlib-dynamic option.
=item B<-none>
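Review bot: the context line "This option exists only if GmSSL with compiled with zlib" carries a pre-existing typo; while the sentence is being touched for the rename, make it "was compiled with zlib".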
@@ -169,8 +169,8 @@ Use NULL cipher (no encryption or decryption of input).
=head1 NOTES
The program can be called either as B<openssl ciphername> or
B<openssl enc -ciphername>. But the first form doesn't work with
The program can be called either as B<gmssl ciphername> or
B<gmssl enc -ciphername>. But the first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
@@ -178,7 +178,7 @@ Engines which provide entirely new encryption algorithms (such as ccgost
engine which provides gost89 algorithm) should be configured in the
configuration file. Engines, specified in the command line using -engine
options can only be used for hardware-assisted implementations of
ciphers, which are supported by OpenSSL core or other engine, specified
ciphers, which are supported by GmSSL core or other engine, specified
in the configuration file.
When enc command lists supported ciphers, ciphers provided by engines,
@@ -188,7 +188,7 @@ A password will be prompted for to derive the key and IV if necessary.
The B<-salt> option should B<ALWAYS> be used if the key is being derived
from a password unless you want compatibility with previous versions of
OpenSSL.
GmSSL.
Without the B<-salt> option it is possible to perform efficient dictionary
attacks on the password and to attack stream cipher encrypted data. The reason
@@ -218,8 +218,8 @@ Blowfish and RC5 algorithms use a 128 bit key.
Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
in the configuration file. The output of the B<enc> command run with
unsupported options (for example B<openssl enc -help>) includes a
list of ciphers, supported by your version of OpenSSL, including
unsupported options (for example B<gmssl enc -help>) includes a
list of ciphers, supported by your version of GmSSL, including
ones provided by configured engines.
The B<enc> program does not support authenticated encryption modes
@@ -300,32 +300,32 @@ authentication tag.
Just base64 encode a binary file:
openssl base64 -in file.bin -out file.b64
gmssl base64 -in file.bin -out file.b64
Decode the same file
openssl base64 -d -in file.b64 -out file.bin
gmssl base64 -d -in file.b64 -out file.bin
Encrypt a file using triple DES in CBC mode using a prompted password:
openssl des3 -salt -in file.txt -out file.des3
gmssl des3 -salt -in file.txt -out file.des3
Decrypt a file using a supplied password:
openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
gmssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
Encrypt a file then base64 encode it (so it can be sent via mail for example)
using Blowfish in CBC mode:
openssl bf -a -salt -in file.txt -out file.bf
gmssl bf -a -salt -in file.txt -out file.bf
Base64 decode a file then decrypt it:
openssl bf -d -salt -a -in file.bf -out file.txt
gmssl bf -d -salt -a -in file.bf -out file.txt
Decrypt some data using a supplied 40 bit RC4 key:
openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
gmssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
=head1 BUGS
@@ -345,7 +345,7 @@ The default digest was changed from MD5 to SHA256 in Openssl 1.1.
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
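Review bot: the hunk header shows the HISTORY section still reading "The default digest was changed from MD5 to SHA256 in Openssl 1.1." while the B<-md> description earlier in this file now says the default is SM3; HISTORY needs a new entry recording the SHA256 to SM3 change in this commit, kept alongside the existing OpenSSL line rather than replacing it.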

View File

@@ -6,7 +6,7 @@ engine - load and query engines
=head1 SYNOPSIS
B<openssl engine>
B<gmssl engine>
[ I<engine...> ]
[B<-v>]
[B<-vv>]
@@ -67,7 +67,7 @@ See the example below.
To list all the commands available to a dynamic engine:
% openssl engine -t -tt -vvvv dynamic
% gmssl engine -t -tt -vvvv dynamic
(dynamic) Dynamic engine loading support
[ unavailable ]
SO_PATH: Specifies the path to the new ENGINE shared library
@@ -87,7 +87,7 @@ To list all the commands available to a dynamic engine:
To list the capabilities of the I<rsax> engine:
% openssl engine -c
% gmssl engine -c
(rsax) RSAX engine support
[RSA]
(dynamic) Dynamic engine loading support
@@ -96,7 +96,7 @@ To list the capabilities of the I<rsax> engine:
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ errstr - lookup error codes
=head1 SYNOPSIS
B<openssl errstr error_code>
B<gmssl errstr error_code>
=head1 DESCRIPTION
@@ -27,7 +27,7 @@ The error code:
can be displayed with:
openssl errstr 2006D080
gmssl errstr 2006D080
to produce the error message:
@@ -37,7 +37,7 @@ to produce the error message:
Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ gendsa - generate a DSA private key from a set of parameters
=head1 SYNOPSIS
B<openssl> B<gendsa>
B<gmssl> B<gendsa>
[B<-help>]
[B<-out filename>]
[B<-aes128>]
@@ -25,7 +25,7 @@ B<openssl> B<gendsa>
=head1 DESCRIPTION
The B<gendsa> command generates a DSA private key from a DSA parameter file
(which will be typically generated by the B<openssl dsaparam> command).
(which will be typically generated by the B<gmssl dsaparam> command).
=head1 OPTIONS
@@ -65,7 +65,7 @@ for all available algorithms.
This option specifies the DSA parameter file to use. The parameters in this
file determine the size of the private key. DSA parameters can be generated
and examined using the B<openssl dsaparam> command.
and examined using the B<gmssl dsaparam> command.
=back
@@ -83,7 +83,7 @@ L<rsa(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ genpkey - generate a private key
=head1 SYNOPSIS
B<openssl> B<genpkey>
B<gmssl> B<genpkey>
[B<-help>]
[B<-out filename>]
[B<-outform PEM|DER>]
@@ -43,7 +43,7 @@ This specifies the output format DER or PEM.
=item B<-pass arg>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-cipher>
@@ -93,7 +93,7 @@ parameters along with the PEM or DER structure.
=head1 KEY GENERATION OPTIONS
The options supported by each algorithm and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
algorithm can vary. The options for the GmSSL implementations are detailed
below.
=head1 RSA KEY GENERATION OPTIONS
@@ -154,7 +154,7 @@ key from a named curve without the need to use an explicit parameter file.
=item B<ec_paramgen_curve:curve>
the EC curve to use. OpenSSL supports NIST curve names such as "P-256".
the EC curve to use. GmSSL supports NIST curve names such as "P-256".
=item B<ec_param_enc:encoding>
@@ -166,7 +166,7 @@ the encoding to use for parameters. The "encoding" parameter must be either
=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS
Gost 2001 support is not enabled by default. To enable this algorithm,
one should load the ccgost engine in the OpenSSL configuration file.
one should load the ccgost engine in the GmSSL configuration file.
See README.gost file in the engines/ccgost directory of the source
distribution for more details.
@@ -207,69 +207,69 @@ can be used.
Generate an RSA private key using default parameters:
openssl genpkey -algorithm RSA -out key.pem
gmssl genpkey -algorithm RSA -out key.pem
Encrypt output private key using 128 bit AES and the passphrase "hello":
openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello
gmssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello
Generate a 2048 bit RSA key using 3 as the public exponent:
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
gmssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
-pkeyopt rsa_keygen_pubexp:3
Generate 1024 bit DSA parameters:
openssl genpkey -genparam -algorithm DSA -out dsap.pem \
gmssl genpkey -genparam -algorithm DSA -out dsap.pem \
-pkeyopt dsa_paramgen_bits:1024
Generate DSA key from parameters:
openssl genpkey -paramfile dsap.pem -out dsakey.pem
gmssl genpkey -paramfile dsap.pem -out dsakey.pem
Generate 1024 bit DH parameters:
openssl genpkey -genparam -algorithm DH -out dhp.pem \
gmssl genpkey -genparam -algorithm DH -out dhp.pem \
-pkeyopt dh_paramgen_prime_len:1024
Output RFC5114 2048 bit DH parameters with 224 bit subgroup:
openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2
gmssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2
Generate DH key from parameters:
openssl genpkey -paramfile dhp.pem -out dhkey.pem
gmssl genpkey -paramfile dhp.pem -out dhkey.pem
Generate EC parameters:
openssl genpkey -genparam -algorithm EC -out ecp.pem \
gmssl genpkey -genparam -algorithm EC -out ecp.pem \
-pkeyopt ec_paramgen_curve:secp384r1 \
-pkeyopt ec_param_enc:named_curve
Generate EC key from parameters:
openssl genpkey -paramfile ecp.pem -out eckey.pem
gmssl genpkey -paramfile ecp.pem -out eckey.pem
Generate EC key directly:
openssl genpkey -algorithm EC -out eckey.pem \
gmssl genpkey -algorithm EC -out eckey.pem \
-pkeyopt ec_paramgen_curve:P-384 \
-pkeyopt ec_param_enc:named_curve
Generate an X25519 private key:
openssl genpkey -algorithm X25519 -out xkey.pem
gmssl genpkey -algorithm X25519 -out xkey.pem
=head1 HISTORY
The ability to use NIST curve names, and to generate an EC key directly,
were added in OpenSSL 1.0.2.
were added in GmSSL 1.0.2.
=head1 COPYRIGHT
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
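Review bot: "were added in GmSSL 1.0.2" in the HISTORY section attributes an OpenSSL 1.0.2 feature to a GmSSL release of that number; keep "OpenSSL 1.0.2" here, since the HISTORY sections exist to record when behaviour changed and a blind rename makes them wrong.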

View File

@@ -6,7 +6,7 @@ genrsa - generate an RSA private key
=head1 SYNOPSIS
B<openssl> B<genrsa>
B<gmssl> B<genrsa>
[B<-help>]
[B<-out filename>]
[B<-passout arg>]
@@ -45,7 +45,7 @@ standard output is used.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
@@ -107,7 +107,7 @@ L<gendsa(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -2,27 +2,27 @@
=head1 NAME
openssl - OpenSSL command line tool
gmssl - GmSSL command line tool
=head1 SYNOPSIS
B<openssl>
B<gmssl>
I<command>
[ I<command_opts> ]
[ I<command_args> ]
B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<public-key-algorithms>]
B<gmssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<public-key-algorithms>]
B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
B<gmssl> B<no->I<XXX> [ I<arbitrary options> ]
=head1 DESCRIPTION
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
GmSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
v2/v3) and Transport Layer Security (TLS v1) network protocols and related
cryptography standards required by them.
The B<openssl> program is a command line tool for using the various
cryptography functions of OpenSSL's B<crypto> library from the shell.
The B<gmssl> program is a command line tool for using the various
cryptography functions of GmSSL's B<crypto> library from the shell.
It can be used for
o Creation and management of private keys, public keys and parameters
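Review bot: renaming the NAME entry to "gmssl" only helps if this pod is installed as gmssl(1); every "L<gmssl(1)>" cross-reference added elsewhere in this commit (the PASS PHRASE ARGUMENTS pointers in dgst, dsa, ec, enc, genpkey and genrsa) resolves to that page name, and the rename of the pod file itself is not visible in this hunk. Please confirm the file rename and the man-page install target are part of the same change, or the links will be dangling.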
@@ -36,14 +36,14 @@ It can be used for
=head1 COMMAND SUMMARY
The B<openssl> program provides a rich variety of commands (I<command> in the
The B<gmssl> program provides a rich variety of commands (I<command> in the
SYNOPSIS above), each of which often has a wealth of options and arguments
(I<command_opts> and I<command_args> in the SYNOPSIS).
The list parameters B<standard-commands>, B<digest-commands>,
and B<cipher-commands> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
respectively, that are available in the present B<openssl> utility.
respectively, that are available in the present B<gmssl> utility.
The list parameters B<cipher-algorithms> and
B<digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as:
@@ -60,7 +60,7 @@ and prints I<XXX>. In both cases, the output goes to B<stdout> and
nothing is printed to B<stderr>. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
availability of ciphers in the B<gmssl> program. (B<no->I<XXX> is
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)
@@ -118,11 +118,11 @@ L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
=item L<B<ec>|ec(1)>
EC (Elliptic curve) key processing
EC/SM2 (Elliptic curve) key processing
=item L<B<ecparam>|ecparam(1)>
EC parameter manipulation and generation
EC/SM2 parameter manipulation and generation
=item L<B<enc>|enc(1)>
@@ -209,14 +209,14 @@ by L<B<pkeyutl>|pkeyutl(1)>
This implements a generic SSL/TLS client which can establish a transparent
connection to a remote server speaking SSL/TLS. It's intended for testing
purposes only and provides only rudimentary interface functionality but
internally uses mostly all functionality of the OpenSSL B<ssl> library.
internally uses mostly all functionality of the GmSSL B<ssl> library.
=item L<B<s_server>|s_server(1)>
This implements a generic SSL/TLS server which accepts connections from remote
clients speaking SSL/TLS. It's intended for testing purposes only and provides
only rudimentary interface functionality but internally uses mostly all
functionality of the OpenSSL B<ssl> library. It provides both an own command
functionality of the GmSSL B<ssl> library. It provides both an own command
line oriented protocol for testing SSL functions and a simple HTTP response
facility to emulate an SSL/TLS-aware webserver.
@@ -250,7 +250,7 @@ X.509 Certificate Verification.
=item L<B<version>|version(1)>
OpenSSL Version Information.
GmSSL Version Information.
=item L<B<x509>|x509(1)>
@@ -262,9 +262,9 @@ X.509 Certificate Data Management.
=over 10
=item B<md2>
=item B<sm3>
MD2 Digest
SM3 Digest
=item B<md5>
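Review bot: the B<sm3> entry replaces B<md2> rather than being added, and it now sits ahead of B<md5> in a list that is otherwise ordered by digest family; if removing md2 from the command list is intended, say so in the commit message, and in either case place B<sm3> after the sha entries so the list stays readable.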
@@ -312,9 +312,9 @@ SHA-512 Digest
Base64 Encoding
=item B<bf bf-cbc bf-cfb bf-ecb bf-ofb>
=item B<sms4 sms4-cbc sms4-cfb sms4-ecb sms4-ofb>
Blowfish Cipher
SMS4 Cipher
=item B<cast cast-cbc>
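Review bot: replacing the B<bf bf-cbc bf-cfb bf-ecb bf-ofb> entry with the SMS4 variants removes Blowfish from the cipher-command list, yet the enc(1) examples in this same commit still run "gmssl bf -a -salt -in file.txt -out file.bf". Either keep the Blowfish entry and add the sms4 line next to it, or update the enc examples so the documented command list and the examples match.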
@@ -414,7 +414,7 @@ L<asn1parse(1)>, L<ca(1)>, L<config(5)>,
L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
L<enc(1)>, L<engine(1)>, L<gendsa(1)>, L<genpkey(1)>,
L<genrsa(1)>, L<nseq(1)>, L<openssl(1)>,
L<genrsa(1)>, L<nseq(1)>, L<gmssl(1)>,
L<passwd(1)>,
L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
L<rand(1)>, L<req(1)>, L<rsa(1)>,
@@ -426,7 +426,7 @@ L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
=head1 HISTORY
The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
The B<list->I<XXX>B<-algorithms> pseudo-commands were added in GmSSL 1.0.0;
For notes on the availability of other commands, see their individual
manual pages.
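Review bot: "pseudo-commands were added in GmSSL 1.0.0" is another HISTORY line rewritten by the rename; the B<list->I<XXX>B<-algorithms> pseudo-commands date from OpenSSL 1.0.0, so keep the OpenSSL version here and reserve GmSSL version numbers for changes this project actually made.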
@@ -434,7 +434,7 @@ manual pages.
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
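Review bot: the license notice must not be renamed by search-and-replace: the line "Copyright 2000-2016 The OpenSSL Project Authors" and the URL L<https://www.openssl.org/source/license.html> are left as they were, so the file now claims a "GmSSL license" granted by the OpenSSL authors at an OpenSSL URL. Keep "Licensed under the OpenSSL license" verbatim, since this text is upstream OpenSSL material distributed under that license, and add a separate GmSSL notice alongside it if one is wanted; the same applies to every COPYRIGHT hunk in this commit.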

View File

@@ -6,7 +6,7 @@ list - list algorithms and features
=head1 SYNOPSIS
B<openssl list>
B<gmssl list>
[B<-help>]
[B<-commands>]
[B<-digest-commands>]
@@ -73,7 +73,7 @@ of the installation.
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ nseq - create or examine a Netscape certificate sequence
=head1 SYNOPSIS
B<openssl> B<nseq>
B<gmssl> B<nseq>
[B<-help>]
[B<-in filename>]
[B<-out filename>]
@@ -49,11 +49,11 @@ a file of certificates.
Output the certificates in a Netscape certificate sequence
openssl nseq -in nseq.pem -out certs.pem
gmssl nseq -in nseq.pem -out certs.pem
Create a Netscape certificate sequence
openssl nseq -in certs.pem -toseq -out nseq.pem
gmssl nseq -in certs.pem -toseq -out nseq.pem
=head1 NOTES
@@ -76,7 +76,7 @@ output files and allowing multiple certificate files to be used.
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ ocsp - Online Certificate Status Protocol utility
=head1 SYNOPSIS
B<openssl> B<ocsp>
B<gmssl> B<ocsp>
[B<-help>]
[B<-out file>]
[B<-issuer file>]
@@ -287,7 +287,7 @@ By default this additional check is not performed.
=item B<-[digest]>
this option sets digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
OCSP request. Any digest supported by the GmSSL B<dgst> command can be used.
The default is SHA-1. This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.
@@ -362,7 +362,7 @@ the OCSP request checked using the responder certificate's public key.
Then a normal certificate verify is performed on the OCSP responder certificate
building up a certificate chain in the process. The locations of the trusted
certificates used to build the chain can be specified by the B<CAfile>
and B<CApath> options or they will be looked for in the standard OpenSSL
and B<CApath> options or they will be looked for in the standard GmSSL
certificates directory.
If the initial verify fails then the OCSP verify process halts with an
@@ -390,7 +390,7 @@ If the OCSP responder is a "global responder" which can give details about
multiple CAs and has its own separate certificate chain then its root
CA can be trusted for OCSP signing. For example:
openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
gmssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
Alternatively the responder certificate itself can be explicitly trusted
with the B<-VAfile> option.
@@ -416,49 +416,49 @@ script using the B<reqin> and B<respout> options.
Create an OCSP request and write it to a file:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
gmssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
response to a file, print it out in text form, and verify the response:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
gmssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
-url http://ocsp.myhost.com/ -resp_text -respout resp.der
Read in an OCSP response and print out text form:
openssl ocsp -respin resp.der -text -noverify
gmssl ocsp -respin resp.der -text -noverify
OCSP server on port 8888 using a standard B<ca> configuration, and a separate
responder certificate. All requests and responses are printed to a file.
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
gmssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
-text -out log.txt
As above but exit after processing one request:
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
gmssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
-nrequest 1
Query status information using an internally generated request:
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
gmssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
-issuer demoCA/cacert.pem -serial 1
Query status information using request read from a file, and write the response
to a second file.
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
gmssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
-reqin req.der -respout resp.der
=head1 HISTORY
The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -no_alt_chains options was first added to GmSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
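Review bot: "The -no_alt_chains options was first added to GmSSL 1.1.0" misstates history: the option came with upstream OpenSSL 1.1.0, so the HISTORY line should keep the OpenSSL release number (optionally noting that GmSSL inherits it). The COPYRIGHT lines at the end of this hunk have the same problem as the other license notices: the copyright holder and license URL still point at the OpenSSL Project, so "Licensed under the OpenSSL license" should stay as it was.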

View File

@@ -6,7 +6,7 @@ passwd - compute password hashes
=head1 SYNOPSIS
B<openssl passwd>
B<gmssl passwd>
[B<-help>]
[B<-crypt>]
[B<-1>]
@@ -78,17 +78,17 @@ to each password hash.
=head1 EXAMPLES
B<openssl passwd -crypt -salt xx password> prints B<xxj31ZMTZzkVA>.
B<gmssl passwd -crypt -salt xx password> prints B<xxj31ZMTZzkVA>.
B<openssl passwd -1 -salt xxxxxxxx password> prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>.
B<gmssl passwd -1 -salt xxxxxxxx password> prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>.
B<openssl passwd -apr1 -salt xxxxxxxx password> prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>.
B<gmssl passwd -apr1 -salt xxxxxxxx password> prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ pkcs12 - PKCS#12 file utility
=head1 SYNOPSIS
B<openssl> B<pkcs12>
B<gmssl> B<pkcs12>
[B<-help>]
[B<-export>]
[B<-chain>]
@@ -77,13 +77,13 @@ default. They are all written in PEM format.
the PKCS#12 file (i.e. input file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
L<gmssl(1)>.
=item B<-passout arg>
pass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
in L<gmssl(1)>.
=item B<-password arg>
@@ -198,13 +198,13 @@ displays them.
the PKCS#12 file (i.e. output file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
L<gmssl(1)>.
=item B<-passin password>
pass phrase source to decrypt any input private keys with. For more information
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
L<gmssl(1)>.
=item B<-chain>
@@ -339,27 +339,27 @@ utility.
Parse a PKCS#12 file and output it to a file:
openssl pkcs12 -in file.p12 -out file.pem
gmssl pkcs12 -in file.p12 -out file.pem
Output only client certificates to a file:
openssl pkcs12 -in file.p12 -clcerts -out file.pem
gmssl pkcs12 -in file.p12 -clcerts -out file.pem
Don't encrypt the private key:
openssl pkcs12 -in file.p12 -out file.pem -nodes
gmssl pkcs12 -in file.p12 -out file.pem -nodes
Print some info about a PKCS#12 file:
openssl pkcs12 -in file.p12 -info -noout
gmssl pkcs12 -in file.p12 -info -noout
Create a PKCS#12 file:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
gmssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
Include some extra certificates:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
gmssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
-certfile othercerts.pem
=head1 SEE ALSO
@@ -370,7 +370,7 @@ L<pkcs8(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ pkcs7 - PKCS#7 utility
=head1 SYNOPSIS
B<openssl> B<pkcs7>
B<gmssl> B<pkcs7>
[B<-help>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
@@ -78,11 +78,11 @@ for all available algorithms.
Convert a PKCS#7 file from PEM to DER:
openssl pkcs7 -in file.pem -outform DER -out file.der
gmssl pkcs7 -in file.pem -outform DER -out file.der
Output all certificates in a file:
openssl pkcs7 -in file.pem -print_certs -out certs.pem
gmssl pkcs7 -in file.pem -print_certs -out certs.pem
=head1 NOTES
@@ -111,7 +111,7 @@ L<crl2pkcs7(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ pkcs8 - PKCS#8 format private key conversion tool
=head1 SYNOPSIS
B<openssl> B<pkcs8>
B<gmssl> B<pkcs8>
[B<-help>]
[B<-topk8>]
[B<-inform PEM|DER>]
@@ -70,7 +70,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-out filename>
@@ -82,7 +82,7 @@ filename.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-iter count>
@@ -224,43 +224,43 @@ allow strong encryption algorithms like triple DES or 128 bit RC2 to be used.
Convert a private key to PKCS#8 format using default parameters (AES with
256 bit key and B<hmacWithSHA256>):
openssl pkcs8 -in key.pem -topk8 -out enckey.pem
gmssl pkcs8 -in key.pem -topk8 -out enckey.pem
Convert a private key to PKCS#8 unencrypted format:
openssl pkcs8 -in key.pem -topk8 -nocrypt -out enckey.pem
gmssl pkcs8 -in key.pem -topk8 -nocrypt -out enckey.pem
Convert a private key to PKCS#5 v2.0 format using triple DES:
openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
gmssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
Convert a private key to PKCS#5 v2.0 format using AES with 256 bits in CBC
mode and B<hmacWithSHA512> PRF:
openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA512 -out enckey.pem
gmssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA512 -out enckey.pem
Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
(DES):
openssl pkcs8 -in key.pem -topk8 -v1 PBE-MD5-DES -out enckey.pem
gmssl pkcs8 -in key.pem -topk8 -v1 PBE-MD5-DES -out enckey.pem
Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
(3DES):
openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
gmssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
Read a DER unencrypted PKCS#8 format private key:
openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
gmssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
Convert a private key from any PKCS#8 encrypted format to traditional format:
openssl pkcs8 -in pk8.pem -traditional -out key.pem
gmssl pkcs8 -in pk8.pem -traditional -out key.pem
Convert a private key to PKCS#8 format, encrypting with AES-256 and with
one million iterations of the password:
openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
gmssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
=head1 STANDARDS
@@ -272,7 +272,7 @@ implementation is reasonably accurate at least as far as these
algorithms are concerned.
The format of PKCS#8 DSA (and other) private keys is not well documented:
it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA
it is hidden away in PKCS#11 v2.01, section 11.9. GmSSL's default DSA
PKCS#8 private key format complies with this standard.
=head1 BUGS
@@ -287,13 +287,13 @@ L<gendsa(1)>
=head1 HISTORY
The B<-iter> option was added to OpenSSL 1.1.0.
The B<-iter> option was added to GmSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
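Review bot: "The B<-iter> option was added to GmSSL 1.1.0" should keep the upstream reference (OpenSSL 1.1.0), because that is the release the option actually appeared in; GmSSL version numbers are not interchangeable with OpenSSL's. The license line in the same hunk should also remain "Licensed under the OpenSSL license", matching the unchanged OpenSSL Project copyright holder and the openssl.org license URL directly below it.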

View File

@@ -6,7 +6,7 @@ pkey - public or private key processing tool
=head1 SYNOPSIS
B<openssl> B<pkey>
B<gmssl> B<pkey>
[B<-help>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
@@ -54,7 +54,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-out filename>
@@ -66,7 +66,7 @@ filename.
=item B<-passout password>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-traditional>
@@ -116,27 +116,27 @@ for all available algorithms.
To remove the pass phrase on an RSA private key:
openssl pkey -in key.pem -out keyout.pem
gmssl pkey -in key.pem -out keyout.pem
To encrypt a private key using triple DES:
openssl pkey -in key.pem -des3 -out keyout.pem
gmssl pkey -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
openssl pkey -in key.pem -outform DER -out keyout.der
gmssl pkey -in key.pem -outform DER -out keyout.der
To print out the components of a private key to standard output:
openssl pkey -in key.pem -text -noout
gmssl pkey -in key.pem -text -noout
To print out the public components of a private key to standard output:
openssl pkey -in key.pem -text_pub -noout
gmssl pkey -in key.pem -text_pub -noout
To just output the public part of a private key:
openssl pkey -in key.pem -pubout -out pubkey.pem
gmssl pkey -in key.pem -pubout -out pubkey.pem
=head1 SEE ALSO
@@ -147,7 +147,7 @@ L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ pkeyparam - public key algorithm parameter processing tool
=head1 SYNOPSIS
B<openssl> B<pkeyparam>
B<gmssl> B<pkeyparam>
[B<-help>]
[B<-in filename>]
[B<-out filename>]
@@ -58,7 +58,7 @@ for all available algorithms.
Print out text version of parameters:
openssl pkeyparam -in param.pem -text
gmssl pkeyparam -in param.pem -text
=head1 NOTES
@@ -74,7 +74,7 @@ L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ pkeyutl - public key algorithm utility
=head1 SYNOPSIS
B<openssl> B<pkeyutl>
B<gmssl> B<pkeyutl>
[B<-help>]
[B<-in file>]
[B<-out file>]
@@ -71,7 +71,7 @@ the key format PEM, DER or ENGINE. Default is PEM.
=item B<-passin arg>
the input key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-peerkey file>
@@ -164,7 +164,7 @@ engine B<id> for crypto operations.
=head1 NOTES
The operations and options supported vary according to the key algorithm
and its implementation. The OpenSSL operations and options are indicated below.
and its implementation. The GmSSL operations and options are indicated below.
Unless otherwise mentioned all algorithms support the B<digest:alg> option
which specifies the digest in use for sign, verify and verifyrecover operations.
@@ -250,28 +250,28 @@ additional options.
Sign some data using a private key:
openssl pkeyutl -sign -in file -inkey key.pem -out sig
gmssl pkeyutl -sign -in file -inkey key.pem -out sig
Recover the signed data (e.g. if an RSA key is used):
openssl pkeyutl -verifyrecover -in sig -inkey key.pem
gmssl pkeyutl -verifyrecover -in sig -inkey key.pem
Verify the signature (e.g. a DSA key):
openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem
gmssl pkeyutl -verify -in file -sigfile sig -inkey key.pem
Sign data using a message digest value (this is currently only valid for RSA):
openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256
gmssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256
Derive a shared secret value:
openssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret
gmssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret
Hexdump 48 bytes of TLS1 PRF using digest B<SHA256> and shared secret and
seed consisting of the single byte 0xFF:
openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
gmssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
-pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump
=head1 SEE ALSO
@@ -284,7 +284,7 @@ L<EVP_PKEY_CTX_set_hkdf_md(3)>, L<EVP_PKEY_CTX_set_tls1_prf_md(3)>
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ rand - generate pseudo-random bytes
=head1 SYNOPSIS
B<openssl rand>
B<gmssl rand>
[B<-help>]
[B<-out> I<file>]
[B<-rand> I<file(s)>]
@@ -17,7 +17,7 @@ I<num>
=head1 DESCRIPTION
The B<rand> command outputs I<num> pseudo-random bytes after seeding
the random number generator once. As in other B<openssl> command
the random number generator once. As in other B<gmssl> command
line tools, PRNG seeding uses the file I<$HOME/>B<.rnd> or B<.rnd>
in addition to the files given in the B<-rand> option. A new
I<$HOME>/B<.rnd> or B<.rnd> file will be written back if enough
@@ -61,7 +61,7 @@ L<RAND_bytes(3)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -1,7 +1,7 @@
=pod
=for comment
Original text by James Westby, contributed under the OpenSSL license.
Original text by James Westby, contributed under the GmSSL license.
=head1 NAME
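Review bot: this `=for comment` records the terms under which James Westby contributed his text, and those terms were the OpenSSL license; rewording it to "the GmSSL license" misstates a third party's contribution terms. Leave this line unchanged.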
@@ -9,7 +9,7 @@ c_rehash, rehash - Create symbolic links to files named by the hash values
=head1 SYNOPSIS
B<openssl>
B<gmssl>
B<rehash>
B<[-h]>
B<[-help]>
@@ -23,7 +23,7 @@ I<flags...>
=head1 DESCRIPTION
On some platforms, the OpenSSL B<rehash> command is available as
On some platforms, the GmSSL B<rehash> command is available as
an external script called B<c_rehash>. They are functionally equivalent,
except for minor differences noted below.
@@ -32,7 +32,7 @@ C<.pem>, C<.crt>, C<.cer>, or C<.crl>
file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value.
(If the platform does not support symbolic links, a copy is made.)
This utility is useful as many programs that use OpenSSL require
This utility is useful as many programs that use GmSSL require
directories to be set up like this in order to find certificates.
If any directories are named on the command line, then those are
@@ -66,7 +66,7 @@ more than one such object appears in the file.
=head2 Script Configuration
The B<c_rehash> script
uses the B<openssl> program to compute the hashes and
uses the B<gmssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Any program can be used, it will be invoked as follows for either
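Review bot: the paragraph now says c_rehash "uses the B<gmssl> program", but the very next sentence still tells users to set the B<OPENSSL> environment variable, and the script's own lookup is not in this diff. Verify that the c_rehash script actually falls back to a binary named `gmssl` and which environment variable it honours, then make this paragraph and the script agree; otherwise users will set OPENSSL=... while the script keeps searching for `openssl`.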
@@ -123,7 +123,7 @@ Ignored if directories are listed on the command line.
=head1 SEE ALSO
L<openssl(1)>,
L<gmssl(1)>,
L<crl(1)>.
L<x509(1)>.
@@ -131,7 +131,7 @@ L<x509(1)>.
Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ req - PKCS#10 certificate request and certificate generating utility
=head1 SYNOPSIS
B<openssl> B<req>
B<gmssl> B<req>
[B<-help>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
@@ -81,7 +81,7 @@ options (B<-new> and B<-newkey>) are not specified.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-out filename>
@@ -91,7 +91,7 @@ default.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-text>
@@ -194,7 +194,7 @@ will not be encrypted.
=item B<-[digest]>
this specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
Any digest supported by the GmSSL B<dgst> command can be used.
This overrides the digest algorithm specified in
the configuration file.
@@ -220,7 +220,7 @@ characters may be escaped by \ (backslash), no spaces are skipped.
this option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
I</DC=org/DC=GmSSL/DC=users/UID=123456+CN=John Doe>
If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
@@ -365,7 +365,7 @@ option. For compatibility B<encrypt_rsa_key> is an equivalent option.
=item B<default_md>
This option specifies the digest algorithm to use.
Any digest supported by the OpenSSL B<dgst> command can be used.
Any digest supported by the GmSSL B<dgst> command can be used.
If not present then MD5 is used.
This option can be overridden on the command line.
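Review bot: not introduced by this rename, but worth fixing while the paragraph is being touched: the context line "If not present then MD5 is used" documents a default request signing digest that is unsuitable for new certificates; either confirm that this is still what the code does after the fork and add a note recommending that B<default_md> be set explicitly in the configuration, or update the sentence if the default has changed.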
@@ -415,7 +415,7 @@ configuration file, must be valid UTF8 strings.
this specifies the section containing any request attributes: its format
is the same as B<distinguished_name>. Typically these may contain the
challengePassword or unstructuredName types. They are currently ignored
by OpenSSL's request signing utilities but some CAs might want them.
by GmSSL's request signing utilities but some CAs might want them.
=item B<distinguished_name>
@@ -467,7 +467,7 @@ they will be ignored. So for example a second organizationName can
be input by calling it "1.organizationName".
The actual permitted field names are any object identifier short or
long names. These are compiled into OpenSSL and include the usual
long names. These are compiled into GmSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
organizationalUnitName, stateOrProvinceName. Additionally emailAddress
is include as well as name, surname, givenName initials and dnQualifier.
@@ -481,20 +481,20 @@ will be treated as though they were a DirectoryString.
Examine and verify certificate request:
openssl req -in req.pem -text -verify -noout
gmssl req -in req.pem -text -verify -noout
Create a private key and then generate a certificate request from it:
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem
gmssl genrsa -out key.pem 2048
gmssl req -new -key key.pem -out req.pem
The same but just using req:
openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
gmssl req -newkey rsa:2048 -keyout key.pem -out req.pem
Generate a self signed root certificate:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
gmssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
Example of a file pointed to by the B<oid_file> option:
@@ -632,13 +632,13 @@ line switch if it is present.
=head1 BUGS
OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
GmSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
This can cause problems if you need characters that aren't available in
PrintableStrings and you don't want to or can't use BMPStrings.
As a consequence of the T61String handling the only correct way to represent
accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
accented characters in GmSSL is to use a BMPString: unfortunately Netscape
currently chokes on these. If you have to use accented characters with Netscape
and MSIE then you currently need to use the invalid T61String form.
@@ -657,7 +657,7 @@ L<x509v3_config(5)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ rsa - RSA key processing tool
=head1 SYNOPSIS
B<openssl> B<rsa>
B<gmssl> B<rsa>
[B<-help>]
[B<-inform PEM|NET|DER>]
[B<-outform PEM|NET|DER>]
@@ -72,7 +72,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-out filename>
@@ -84,7 +84,7 @@ filename.
=item B<-passout password>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
@@ -169,27 +169,27 @@ to the B<rsa> utility with the B<-inform NET> option.
To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem
gmssl rsa -in key.pem -out keyout.pem
To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem
gmssl rsa -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der
gmssl rsa -in key.pem -outform DER -out keyout.der
To print out the components of a private key to standard output:
openssl rsa -in key.pem -text -noout
gmssl rsa -in key.pem -text -noout
To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem
gmssl rsa -in key.pem -pubout -out pubkey.pem
Output the public part of a private key in B<RSAPublicKey> format:
openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
gmssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
=head1 BUGS
@@ -208,7 +208,7 @@ L<gendsa(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

View File

@@ -6,7 +6,7 @@ rsautl - RSA utility
=head1 SYNOPSIS
B<openssl> B<rsautl>
B<gmssl> B<rsautl>
[B<-help>]
[B<-in file>]
[B<-out file>]
@@ -107,15 +107,15 @@ used to sign or verify small pieces of data.
Sign some data using a private key:
openssl rsautl -sign -in file -inkey key.pem -out sig
gmssl rsautl -sign -in file -inkey key.pem -out sig
Recover the signed data
openssl rsautl -verify -in sig -inkey key.pem
gmssl rsautl -verify -in sig -inkey key.pem
Examine the raw signed data:
openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
gmssl rsautl -verify -in file -inkey key.pem -raw -hexdump
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
@@ -134,7 +134,7 @@ It is possible to analyse the signature of certificates using this
utility in conjunction with B<asn1parse>. Consider the self signed
example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
openssl asn1parse -in pca-cert.pem
gmssl asn1parse -in pca-cert.pem
0:d=0 hl=4 l= 742 cons: SEQUENCE
4:d=1 hl=4 l= 591 cons: SEQUENCE
@@ -158,15 +158,15 @@ example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
The final BIT STRING contains the actual signature. It can be extracted with:
openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
gmssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
The certificate public key can be extracted with:
openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
gmssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
The signature can be analysed with:
openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
gmssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
0:d=0 hl=2 l= 32 cons: SEQUENCE
2:d=1 hl=2 l= 12 cons: SEQUENCE
@@ -179,11 +179,11 @@ This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
the digest used was md5. The actual part of the certificate that was signed can
be extracted with:
openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
gmssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
and its digest computed with:
openssl md5 -c tbs
gmssl md5 -c tbs
MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
which it can be seen agrees with the recovered value above.
@@ -196,7 +196,7 @@ L<dgst(1)>, L<rsa(1)>, L<genrsa(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
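Review bot: the license name is changed to "GmSSL license" while the copyright line directly above still reads "The OpenSSL Project Authors" and the pointer still goes to https://www.openssl.org/source/license.html, so the notice now names a license whose text is not where the notice says it is. Either keep the upstream notice text unchanged (a fork cannot relabel the license the upstream authors granted) or point at a LICENSE that actually carries the GmSSL terms; the same applies to every COPYRIGHT hunk in this commit.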


@@ -6,7 +6,7 @@ s_client - SSL/TLS client program
=head1 SYNOPSIS
B<openssl> B<s_client>
B<gmssl> B<s_client>
[B<-help>]
[B<-connect host:port>]
[B<-proxy host:port>]
@@ -172,7 +172,7 @@ The private format to use: DER or PEM. PEM is the default.
=item B<-pass arg>
the private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-verify depth>
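Review bot: L<openssl(1)> becomes L<gmssl(1)> here, and POD L<> links resolve by manual page name, so this only works if openssl.pod is renamed to gmssl.pod in the same commit. Please confirm that rename is part of this change set; otherwise every L<gmssl(1)> cross-reference added in this commit (s_client, s_server, smime, spkac, ts, tsget, x509) becomes a dangling link.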
@@ -231,7 +231,7 @@ fields that specify the usage, selector, matching type and associated
data, with the last of these encoded in hexadecimal. Optional
whitespace is ignored in the associated data field. For example:
$ openssl s_client -brief -starttls smtp \
$ gmssl s_client -brief -starttls smtp \
-connect smtp.example.com:25 \
-dane_tlsa_domain smtp.example.com \
-dane_tlsa_rrdata "2 1 1
@@ -308,7 +308,7 @@ show all protocol messages with hex dump.
=item B<-trace>
show verbose trace output of protocol messages. OpenSSL needs to be compiled
show verbose trace output of protocol messages. GmSSL needs to be compiled
with B<enable-ssl-trace> for this option to work.
=item B<-msgfile>
@@ -410,15 +410,15 @@ option enables various workarounds.
=item B<-comp>
Enables support for SSL/TLS compression.
This option was introduced in OpenSSL 1.1.0.
This option was introduced in GmSSL 1.1.0.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
GmSSL 1.1.0.
=item B<-no_comp>
Disables support for SSL/TLS compression.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
GmSSL 1.1.0.
=item B<-brief>
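Review bot: replacing "OpenSSL 1.1.0" with "GmSSL 1.1.0" in the -comp and -no_comp descriptions rewrites release history rather than the tool name: the change (TLS compression off by default) is an upstream OpenSSL 1.1.0 change, and "GmSSL 1.1.0" is not necessarily a release that exists. Suggest leaving release-history statements on the upstream name, or rephrasing to something like "since the OpenSSL 1.1.0 code base this project is derived from". The same question applies to the HISTORY sections and the "As of ... 1.1.0" sentences later in this commit (s_server, smime, verify, x509).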
@@ -536,7 +536,7 @@ connection will be closed down.
B<s_client> can be used to debug SSL servers. To connect to an SSL HTTP
server the command:
openssl s_client -connect servername:443
gmssl s_client -connect servername:443
would typically be used (https uses port 443). If the connection succeeds
then an HTTP command can be given such as "GET /" to retrieve a web page.
@@ -545,7 +545,7 @@ If the handshake fails then there are several possible causes, if it is
nothing obvious like no client certificate then the B<-bugs>,
B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
in case it is a buggy server. In particular you should play with these
options B<before> submitting a bug report to an OpenSSL mailing list.
options B<before> submitting a bug report to an GmSSL mailing list.
A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
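Review bot: "an GmSSL mailing list" needs the article changed to "a GmSSL mailing list" now that the name no longer starts with a vowel sound; the identical sentence recurs in the s_time hunk of this commit. It is also worth confirming that a GmSSL mailing list actually exists before the documentation sends bug reporters to it.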
@@ -589,13 +589,13 @@ L<sess_id(1)>, L<s_server(1)>, L<ciphers(1)>
=head1 HISTORY
The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -no_alt_chains options was first added to GmSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ s_server - SSL/TLS server program
=head1 SYNOPSIS
B<openssl> B<s_server>
B<gmssl> B<s_server>
[B<-help>]
[B<-port port>]
[B<-accept val>]
@@ -186,7 +186,7 @@ The private format to use: DER or PEM. PEM is the default.
=item B<-pass arg>
The private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-dcert filename>, B<-dkey keyname>
@@ -291,7 +291,7 @@ Show all protocol messages with hex dump.
=item B<-trace>
Show verbose trace output of protocol messages. OpenSSL needs to be compiled
Show verbose trace output of protocol messages. GmSSL needs to be compiled
with B<enable-ssl-trace> for this option to work.
=item B<-msgfile>
@@ -387,15 +387,15 @@ option enables various workarounds.
=item B<-comp>
Enable negotiation of TLS compression.
This option was introduced in OpenSSL 1.1.0.
This option was introduced in GmSSL 1.1.0.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
GmSSL 1.1.0.
=item B<-no_comp>
Disable negotiation of TLS compression.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
GmSSL 1.1.0.
=item B<-brief>
@@ -558,13 +558,13 @@ print out some session cache status information.
B<s_server> can be used to debug SSL clients. To accept connections from
a web browser the command:
openssl s_server -accept 443 -www
gmssl s_server -accept 443 -www
can be used for example.
Most web browsers (in particular Netscape and MSIE) only support RSA cipher
suites, so they cannot connect to servers which don't use a certificate
carrying an RSA key or a version of OpenSSL with RSA disabled.
carrying an RSA key or a version of GmSSL with RSA disabled.
Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some SSL clients interpret this to
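Review bot: since this sentence is being edited anyway, the claim that "Most web browsers (in particular Netscape and MSIE) only support RSA cipher suites" is long out of date and is being carried forward under the new project name. Consider dropping the browser names and stating only that some clients require a certificate carrying an RSA key, which is the part of the sentence that is still useful.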
@@ -580,7 +580,7 @@ read and not a model of how things should be done.
A typical SSL server program would be much simpler.
The output of common ciphers is wrong: it just gives the list of ciphers that
OpenSSL recognizes and the client supports.
GmSSL recognizes and the client supports.
There should be a way for the B<s_server> program to print out details of any
unknown cipher suites a client says it supports.
@@ -592,13 +592,13 @@ L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>
=head1 HISTORY
The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -no_alt_chains options was first added to GmSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ s_time - SSL/TLS performance timing program
=head1 SYNOPSIS
B<openssl> B<s_time>
B<gmssl> B<s_time>
[B<-help>]
[B<-connect host:port>]
[B<-www page>]
@@ -142,7 +142,7 @@ and the link speed determine how many connections B<s_time> can establish.
B<s_time> can be used to measure the performance of an SSL connection.
To connect to an SSL HTTP server and get the default page the command
openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
gmssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
would typically be used (https uses port 443). 'commoncipher' is a cipher to
which both client and server can agree, see the L<ciphers(1)> command
@@ -152,7 +152,7 @@ If the handshake fails then there are several possible causes, if it is
nothing obvious like no client certificate then the B<-bugs> and
B<-ssl3> options can be tried
in case it is a buggy server. In particular you should play with these
options B<before> submitting a bug report to an OpenSSL mailing list.
options B<before> submitting a bug report to an GmSSL mailing list.
A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
@@ -186,7 +186,7 @@ L<s_client(1)>, L<s_server(1)>, L<ciphers(1)>
Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ sess_id - SSL/TLS session handling utility
=head1 SYNOPSIS
B<openssl> B<sess_id>
B<gmssl> B<sess_id>
[B<-help>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER|NSS>]
@@ -155,7 +155,7 @@ L<ciphers(1)>, L<s_server(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ smime - S/MIME utility
=head1 SYNOPSIS
B<openssl> B<smime>
B<gmssl> B<smime>
[B<-help>]
[B<-encrypt>]
[B<-decrypt>]
@@ -206,7 +206,7 @@ the encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
supported by your version of OpenSSL.
supported by your version of GmSSL.
If not specified triple DES is used. Only used with B<-encrypt>.
@@ -291,7 +291,7 @@ multiple times to specify successive keys.
=item B<-passin arg>
the private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-rand file(s)>
@@ -400,46 +400,46 @@ the signers certificates.
Create a cleartext signed message:
openssl smime -sign -in message.txt -text -out mail.msg \
gmssl smime -sign -in message.txt -text -out mail.msg \
-signer mycert.pem
Create an opaque signed message:
openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
gmssl smime -sign -in message.txt -text -out mail.msg -nodetach \
-signer mycert.pem
Create a signed message, include some additional certificates and
read the private key from another file:
openssl smime -sign -in in.txt -text -out mail.msg \
gmssl smime -sign -in in.txt -text -out mail.msg \
-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
Create a signed message with two signers:
openssl smime -sign -in message.txt -text -out mail.msg \
gmssl smime -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -signer othercert.pem
Send a signed message under Unix directly to sendmail, including headers:
openssl smime -sign -in in.txt -text -signer mycert.pem \
-from steve@openssl.org -to someone@somewhere \
gmssl smime -sign -in in.txt -text -signer mycert.pem \
-from steve@gmssl.org -to someone@somewhere \
-subject "Signed message" | sendmail someone@somewhere
Verify a message and extract the signer's certificate if successful:
openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
gmssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
Send encrypted mail using triple DES:
openssl smime -encrypt -in in.txt -from steve@openssl.org \
gmssl smime -encrypt -in in.txt -from steve@gmssl.org \
-to someone@somewhere -subject "Encrypted message" \
-des3 user.pem -out mail.msg
Sign and encrypt mail:
openssl smime -sign -in ml.txt -signer my.pem -text \
| openssl smime -encrypt -out mail.msg \
-from steve@openssl.org -to someone@somewhere \
gmssl smime -sign -in ml.txt -signer my.pem -text \
| gmssl smime -encrypt -out mail.msg \
-from steve@gmssl.org -to someone@somewhere \
-subject "Signed and Encrypted message" -des3 user.pem
Note: the encryption command does not include the B<-text> option because the
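Review bot: the example sender steve@openssl.org is rewritten to steve@gmssl.org in three places in this hunk. Unless gmssl.org is a domain the project controls and that mailbox is meant to appear in documentation, use a reserved documentation domain (for example user@example.com) for the -from values, so that readers who copy the command do not emit mail claiming to come from a real address at a domain that is not theirs.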
@@ -447,7 +447,7 @@ message being encrypted already has MIME headers.
Decrypt mail:
openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
gmssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
The output from Netscape form signing is a PKCS#7 structure with the
detached signature format. You can use this program to verify the
@@ -459,19 +459,19 @@ it with:
and using the command:
openssl smime -verify -inform PEM -in signature.pem -content content.txt
gmssl smime -verify -inform PEM -in signature.pem -content content.txt
Alternatively you can base64 decode the signature and use:
openssl smime -verify -inform DER -in signature.der -content content.txt
gmssl smime -verify -inform DER -in signature.der -content content.txt
Create an encrypted message using 128 bit Camellia:
openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
gmssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
Add a signer to an existing message:
openssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg
gmssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg
=head1 BUGS
@@ -499,15 +499,15 @@ structures may cause parsing errors.
=head1 HISTORY
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0
added in GmSSL 1.0.0
The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -no_alt_chains options was first added to GmSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ speed - test library performance
=head1 SYNOPSIS
B<openssl speed>
B<gmssl speed>
[B<-help>]
[B<-engine id>]
[B<-elapsed>]
@@ -59,7 +59,7 @@ the above are tested.
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ spkac - SPKAC printing and generating utility
=head1 SYNOPSIS
B<openssl> B<spkac>
B<gmssl> B<spkac>
[B<-help>]
[B<-in filename>]
[B<-out filename>]
@@ -53,7 +53,7 @@ present.
=item B<-passin password>
the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-challenge string>
@@ -97,15 +97,15 @@ for all available algorithms.
Print out the contents of an SPKAC:
openssl spkac -in spkac.cnf
gmssl spkac -in spkac.cnf
Verify the signature of an SPKAC:
openssl spkac -in spkac.cnf -noout -verify
gmssl spkac -in spkac.cnf -noout -verify
Create an SPKAC using the challenge string "hello":
openssl spkac -key key.pem -challenge hello -out spkac.cnf
gmssl spkac -key key.pem -challenge hello -out spkac.cnf
Example of an SPKAC, (long lines split up for clarity):
@@ -139,7 +139,7 @@ L<ca(1)>
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ ts - Time Stamping Authority tool (client/server)
=head1 SYNOPSIS
B<openssl> B<ts>
B<gmssl> B<ts>
B<-query>
[B<-rand> file:file...]
[B<-config> configfile]
@@ -20,7 +20,7 @@ B<-query>
[B<-out> request.tsq]
[B<-text>]
B<openssl> B<ts>
B<gmssl> B<ts>
B<-reply>
[B<-config> configfile]
[B<-section> tsa_section]
@@ -38,7 +38,7 @@ B<-reply>
[B<-text>]
[B<-engine> id]
B<openssl> B<ts>
B<gmssl> B<ts>
B<-verify>
[B<-data> file_to_hash]
[B<-digest> digest_bytes]
@@ -160,7 +160,7 @@ in use. (Optional)
=item B<-[digest]>
The message digest to apply to the data file.
Any digest supported by the OpenSSL B<dgst> command can be used.
Any digest supported by the GmSSL B<dgst> command can be used.
The default is SHA-1. (Optional)
=item B<-tspolicy> object_id
@@ -233,7 +233,7 @@ The name of the file containing a DER encoded time stamp request. (Optional)
=item B<-passin> password_src
Specifies the password source for the private key of the TSA. See
B<PASS PHRASE ARGUMENTS> in L<openssl(1)>. (Optional)
B<PASS PHRASE ARGUMENTS> in L<gmssl(1)>. (Optional)
=item B<-signer> tsa_cert.pem
@@ -425,9 +425,9 @@ generation a new file is created with serial number 1. (Mandatory)
=item B<crypto_device>
Specifies the OpenSSL engine that will be set as the default for
Specifies the GmSSL engine that will be set as the default for
all available algorithms. The default value is builtin, you can specify
any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM).
any other engines supported by GmSSL (e.g. use chil for the NCipher HSM).
(Optional)
=item B<signer_cert>
@@ -514,32 +514,32 @@ overridden by the B<-config> command line option.
All the examples below presume that B<OPENSSL_CONF> is set to a proper
configuration file, e.g. the example configuration file
openssl/apps/openssl.cnf will do.
gmssl/apps/openssl.cnf will do.
=head2 Time Stamp Request
To create a time stamp request for design1.txt with SHA-1
without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \
gmssl ts -query -data design1.txt -no_nonce \
-out design1.tsq
To create a similar time stamp request with specifying the message imprint
explicitly:
openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
gmssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
-no_nonce -out design1.tsq
To print the content of the previous request in human readable format:
openssl ts -query -in design1.tsq -text
gmssl ts -query -in design1.tsq -text
To create a time stamp request which includes the MD-5 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
openssl ts -query -data design2.txt -md5 \
gmssl ts -query -data design2.txt -md5 \
-tspolicy tsa_policy1 -cert -out design2.tsq
=head2 Time Stamp Response
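Review bot: the path becomes gmssl/apps/openssl.cnf, but the sentence before it still refers to the B<OPENSSL_CONF> environment variable and the file keeps the openssl.cnf name. If the source tree directory really is gmssl/apps and the configuration file is still openssl.cnf, this is correct but should be checked against the actual layout; if the file or the environment variable were renamed as part of the fork, all three need to agree, since every ts example in this section relies on that configuration being found.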
@@ -556,52 +556,52 @@ tsakey.pem is the private key of the TSA.
To create a time stamp response for a request:
openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
gmssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
-signer tsacert.pem -out design1.tsr
If you want to use the settings in the config file you could just write:
openssl ts -reply -queryfile design1.tsq -out design1.tsr
gmssl ts -reply -queryfile design1.tsq -out design1.tsr
To print a time stamp reply to stdout in human readable format:
openssl ts -reply -in design1.tsr -text
gmssl ts -reply -in design1.tsr -text
To create a time stamp token instead of time stamp response:
openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out
gmssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out
To print a time stamp token to stdout in human readable format:
openssl ts -reply -in design1_token.der -token_in -text -token_out
gmssl ts -reply -in design1_token.der -token_in -text -token_out
To extract the time stamp token from a response:
openssl ts -reply -in design1.tsr -out design1_token.der -token_out
gmssl ts -reply -in design1.tsr -out design1_token.der -token_out
To add 'granted' status info to a time stamp token thereby creating a
valid response:
openssl ts -reply -in design1_token.der -token_in -out design1.tsr
gmssl ts -reply -in design1_token.der -token_in -out design1.tsr
=head2 Time Stamp Verification
To verify a time stamp reply against a request:
openssl ts -verify -queryfile design1.tsq -in design1.tsr \
gmssl ts -verify -queryfile design1.tsq -in design1.tsr \
-CAfile cacert.pem -untrusted tsacert.pem
To verify a time stamp reply that includes the certificate chain:
openssl ts -verify -queryfile design2.tsq -in design2.tsr \
gmssl ts -verify -queryfile design2.tsq -in design2.tsr \
-CAfile cacert.pem
To verify a time stamp token against the original data file:
openssl ts -verify -data design2.txt -in design2.tsr \
gmssl ts -verify -data design2.txt -in design2.tsr \
-CAfile cacert.pem
To verify a time stamp token against a message imprint:
openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
gmssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
-in design2.tsr -CAfile cacert.pem
You could also look at the 'test' directory for more examples.
@@ -621,7 +621,7 @@ L<tsget(1)>. Pure TCP/IP protocol is not supported.
=item * The file containing the last serial number of the TSA is not
locked when being read or written. This is a problem if more than one
instance of L<openssl(1)> is trying to create a time stamp
instance of L<gmssl(1)> is trying to create a time stamp
response at the same time. This is not an issue when using the apache
server module, it does proper locking.
@@ -636,7 +636,7 @@ test/testtsa).
=head1 SEE ALSO
L<tsget(1)>, L<openssl(1)>, L<req(1)>,
L<tsget(1)>, L<gmssl(1)>, L<req(1)>,
L<x509(1)>, L<ca(1)>, L<genrsa(1)>,
L<config(5)>
@@ -644,7 +644,7 @@ L<config(5)>
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -26,7 +26,7 @@ B<-h> server_url
The B<tsget> command can be used for sending a time stamp request, as
specified in B<RFC 3161>, to a time stamp server over HTTP or HTTPS and storing
the time stamp response in a file. This tool cannot be used for creating the
requests and verifying responses, you can use the OpenSSL B<ts(1)> command to
requests and verifying responses, you can use the GmSSL B<ts(1)> command to
do that. B<tsget> can send several requests to the server without closing
the TCP connection if more than one requests are specified on the command
line.
@@ -108,7 +108,7 @@ Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional)
(HTTPS) The path containing the trusted CA certificates to verify the peer's
certificate. The directory must be prepared with the B<c_rehash>
OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of
GmSSL utility. Either option B<-C> or option B<-P> must be given in case of
HTTPS. (Optional)
=item B<-rand> file:file...
@@ -156,7 +156,7 @@ progress, output is written to file1.reply and file2.reply respectively:
Create a time stamp request, write it to file3.tsq, send it to the server and
write the response to file3.tsr:
openssl ts -query -data file3.txt -cert | tee file3.tsq \
gmssl ts -query -data file3.txt -cert | tee file3.tsq \
| tsget -h http://tsa.opentsa.org:8080/tsa \
-o file3.tsr
@@ -184,14 +184,14 @@ example:
=head1 SEE ALSO
L<openssl(1)>, L<ts(1)>, L<curl(1)>,
L<gmssl(1)>, L<ts(1)>, L<curl(1)>,
B<RFC 3161>
=head1 COPYRIGHT
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ verify - Utility to verify certificates
=head1 SYNOPSIS
B<openssl> B<verify>
B<gmssl> B<verify>
[B<-help>]
[B<-CAfile file>]
[B<-CApath directory>]
@@ -140,7 +140,7 @@ signing keys.
=item B<-ignore_critical>
Normally if an unhandled critical extension is present which is not
supported by OpenSSL the certificate is rejected (as required by RFC5280).
supported by GmSSL the certificate is rejected (as required by RFC5280).
If this option is set critical extensions are ignored.
=item B<-inhibit_any>
@@ -199,15 +199,15 @@ When constructing the certificate chain, use the trusted certificates specified
via B<-CAfile>, B<-CApath> or B<-trusted> before any certificates specified via
B<-untrusted>.
This can be useful in environments with Bridge or Cross-Certified CAs.
As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
As of GmSSL 1.1.0 this option is on by default and cannot be disabled.
=item B<-no_alt_chains>
By default, unless B<-trusted_first> is specified, when building a certificate
chain, if the first certificate chain found is not trusted, then OpenSSL will
chain, if the first certificate chain found is not trusted, then GmSSL will
attempt to replace untrusted issuer certificates with certificates from the
trust store to see if an alternative chain can be found that is trusted.
As of OpenSSL 1.1.0, with B<-trusted_first> always on, this option has no
As of GmSSL 1.1.0, with B<-trusted_first> always on, this option has no
effect.
=item B<-untrusted file>
@@ -292,7 +292,7 @@ Supported policy names include: B<default>, B<pkcs7>, B<smime_sign>,
B<ssl_client>, B<ssl_server>.
These mimics the combinations of purpose and trust settings used in SSL, CMS
and S/MIME.
As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not
As of GmSSL 1.1.0, the trust model is inferred from the purpose when not
specified, so the B<-verify_name> options are functionally equivalent to the
corresponding B<-purpose> settings.
@@ -367,7 +367,7 @@ the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
The third operation is to check the trust settings on the root CA. The root CA
should be trusted for the supplied purpose.
For compatibility with previous versions of OpenSSL, a certificate with no
For compatibility with previous versions of GmSSL, a certificate with no
trust settings is considered to be valid for all purposes.
The final operation is to check the validity of the certificate chain. The validity
@@ -527,22 +527,22 @@ The root CA is marked to reject the specified purpose.
=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH>
not used as of OpenSSL 1.1.0 as a result of the deprecation of the
not used as of GmSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<X509_V_ERR_AKID_SKID_MISMATCH>
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
Not used as of GmSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH>
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
Not used as of GmSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN>
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
Not used as of GmSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER>
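Review bot: the first of the four "used as of ... 1.1.0" entries (X509_V_ERR_SUBJECT_ISSUER_MISMATCH) starts with lowercase "not" while the other three start with "Not"; since the line is being touched anyway, capitalise it for consistency. These four entries also carry the release-history question raised on the s_client -comp hunk.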
@@ -694,7 +694,7 @@ trusted certificates with matching subject name must either appear in a file (as
B<-CAfile> option) or a directory (as specified by B<-CApath>). If they occur in both then only
the certificates in the file will be recognised.
Previous versions of OpenSSL assume certificates with matching subject name are identical and
Previous versions of GmSSL assume certificates with matching subject name are identical and
mishandled them.
Previous versions of this documentation swapped the meaning of the
@@ -707,16 +707,16 @@ L<x509(1)>
=head1 HISTORY
The B<-show_chain> option was first added to OpenSSL 1.1.0.
The B<-show_chain> option was first added to GmSSL 1.1.0.
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
The B<-issuer_checks> option is deprecated as of GmSSL 1.1.0 and
is silently ignored.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -2,11 +2,11 @@
=head1 NAME
version - print OpenSSL version information
version - print GmSSL version information
=head1 SYNOPSIS
B<openssl version>
B<gmssl version>
[B<-help>]
[B<-a>]
[B<-v>]
@@ -19,7 +19,7 @@ B<openssl version>
=head1 DESCRIPTION
This command is used to print out version information about OpenSSL.
This command is used to print out version information about GmSSL.
=head1 OPTIONS
@@ -35,11 +35,11 @@ all information, this is the same as setting all the other flags.
=item B<-v>
the current OpenSSL version.
the current GmSSL version.
=item B<-b>
the date the current version of OpenSSL was built.
the date the current version of GmSSL was built.
=item B<-o>
@@ -65,14 +65,14 @@ ENGINESDIR setting.
=head1 NOTES
The output of B<openssl version -a> would typically be used when sending
The output of B<gmssl version -a> would typically be used when sending
in a bug report.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.


@@ -6,7 +6,7 @@ x509 - Certificate display and signing utility
=head1 SYNOPSIS
B<openssl> B<x509>
B<gmssl> B<x509>
[B<-help>]
[B<-inform DER|PEM|NET>]
[B<-outform DER|PEM|NET>]
@@ -110,7 +110,7 @@ default.
the digest to use.
This affects any signing or display option that uses a message
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
Any digest supported by the OpenSSL B<dgst> command can be used.
Any digest supported by the GmSSL B<dgst> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
@@ -162,7 +162,7 @@ outputs the certificate serial number.
=item B<-subject_hash>
outputs the "hash" of the certificate subject name. This is used in OpenSSL to
outputs the "hash" of the certificate subject name. This is used in GmSSL to
form an index to allow certificates in a directory to be looked up by subject
name.
@@ -181,12 +181,12 @@ synonym for "-subject_hash" for backward compatibility reasons.
=item B<-subject_hash_old>
outputs the "hash" of the certificate subject name using the older algorithm
as used by OpenSSL versions before 1.0.0.
as used by GmSSL versions before 1.0.0.
=item B<-issuer_hash_old>
outputs the "hash" of the certificate issuer name using the older algorithm
as used by OpenSSL versions before 1.0.0.
as used by GmSSL versions before 1.0.0.
=item B<-subject>
@@ -257,7 +257,7 @@ may be trusted for SSL client but not SSL server use.
See the description of the B<verify> utility for more information on the
meaning of trust settings.
Future versions of OpenSSL will recognize trust settings on any
Future versions of GmSSL will recognize trust settings on any
certificate: not just root CAs.
@@ -294,9 +294,9 @@ adds a trusted certificate use.
Any object name can be used here but currently only B<clientAuth> (SSL client
use), B<serverAuth> (SSL server use), B<emailProtection> (S/MIME email) and
B<anyExtendedKeyUsage> are used.
As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
As of GmSSL 1.1.0, the last of these blocks all purposes when rejected or
enables all purposes when trusted.
Other OpenSSL applications may define additional uses.
Other GmSSL applications may define additional uses.
=item B<-addreject arg>
@@ -338,7 +338,7 @@ the request.
=item B<-passin arg>
the key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
=item B<-clrext>
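Review bot: The L<openssl(1)> to L<gmssl(1)> link rename only works if a gmssl(1) page exists (i.e. doc/apps/openssl.pod is renamed or copied in this change set and the PASS PHRASE ARGUMENTS section survives there); otherwise this becomes a dangling pod link. Please confirm that page is part of the commit, or keep the link target until it is.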
@@ -442,7 +442,7 @@ The format or B<key> can be specified using the B<-keyform> option.
The B<nameopt> command line switch determines how the subject and issuer
names are displayed. If no B<nameopt> switch is present the default "oneline"
format is used which is compatible with previous versions of OpenSSL.
format is used which is compatible with previous versions of GmSSL.
Each option is described in detail below, all options can be preceded by
a B<-> to turn the option off. Only the first four will normally be used.
@@ -541,7 +541,7 @@ DER encoding of the structure to be unambiguously determined.
=item B<dump_unknown>
dump any field whose OID is not recognised by OpenSSL.
dump any field whose OID is not recognised by GmSSL.
=item B<sep_comma_plus>, B<sep_comma_plus_space>, B<sep_semi_plus_space>,
B<sep_multiline>
@@ -667,58 +667,58 @@ line.
Display the contents of a certificate:
openssl x509 -in cert.pem -noout -text
gmssl x509 -in cert.pem -noout -text
Display the certificate serial number:
openssl x509 -in cert.pem -noout -serial
gmssl x509 -in cert.pem -noout -serial
Display the certificate subject name:
openssl x509 -in cert.pem -noout -subject
gmssl x509 -in cert.pem -noout -subject
Display the certificate subject name in RFC2253 form:
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
gmssl x509 -in cert.pem -noout -subject -nameopt RFC2253
Display the certificate subject name in oneline form on a terminal
supporting UTF8:
openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
gmssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
Display the certificate MD5 fingerprint:
openssl x509 -in cert.pem -noout -fingerprint
gmssl x509 -in cert.pem -noout -fingerprint
Display the certificate SHA1 fingerprint:
openssl x509 -sha1 -in cert.pem -noout -fingerprint
gmssl x509 -sha1 -in cert.pem -noout -fingerprint
Convert a certificate from PEM to DER format:
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
gmssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Convert a certificate to a certificate request:
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
gmssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
Convert a certificate request into a self signed certificate using
extensions for a CA:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
gmssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
-signkey key.pem -out cacert.pem
Sign a certificate request using the CA certificate above and add user
certificate extensions:
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
gmssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
-CA cacert.pem -CAkey key.pem -CAcreateserial
Set a certificate to be trusted for SSL client use and change set its alias to
"Steve's Class 1 CA"
openssl x509 -in cert.pem -addtrust clientAuth \
gmssl x509 -in cert.pem -addtrust clientAuth \
-setalias "Steve's Class 1 CA" -out trust.pem
=head1 NOTES
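Review bot: The examples are inconsistent after the rename: the command is now B<gmssl>, but the two B<-req> examples still pass B<-extfile openssl.cnf>. If the distribution's default configuration file is also being renamed (e.g. to a gmssl.cnf), update these lines to match; if it is not, a short note that the file name is unchanged would save readers from looking for a file that does not exist.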
@@ -888,8 +888,8 @@ L<x509v3_config(5)>
=head1 HISTORY
The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
before GmSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In GmSSL 1.0.0 and later it is based on a
canonical version of the DN using SHA1. This means that any directories using
the old form must have their links rebuilt using B<c_rehash> or similar.
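Review bot: The HISTORY section now states that the MD5-based name hash was used "before GmSSL 1.0.0" and the SHA1 canonical form "in GmSSL 1.0.0 and later", which rewrites OpenSSL history under another product name and is misleading for anyone rebuilding B<c_rehash> directories. HISTORY sections record what actually happened; keep the OpenSSL version numbers here.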
@@ -897,7 +897,7 @@ the old form must have their links rebuilt using B<c_rehash> or similar.
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
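Review bot: Changing "Licensed under the OpenSSL license" to "Licensed under the GmSSL license" while leaving the copyright line ("The OpenSSL Project Authors") and the license URL (openssl.org/source/license.html) untouched makes the notice self-contradictory. The file is still covered by the OpenSSL license; the correct fix is to leave the license name alone (and optionally add a GmSSL copyright line for the modifications), not to relabel it.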
@@ -1,6 +1,6 @@
=pod
=for comment openssl_manual_section:5
=for comment gmssl_manual_section:5
=head1 NAME
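Review bot: The B<=for comment openssl_manual_section:5> marker is not documentation text; it is parsed by the doc-build tooling to determine the man page section. Renaming it to B<gmssl_manual_section:5> will cause the page to be installed in the wrong section unless the pod-processing script is updated in the same commit to recognise the new tag. Either update the tooling here, or leave this marker as-is.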
@@ -8,7 +8,7 @@ x509v3_config - X509 V3 certificate extension configuration format
=head1 DESCRIPTION
Several of the OpenSSL utilities can add extensions to a certificate or
Several of the GmSSL utilities can add extensions to a certificate or
certificate request based on the contents of a configuration file.
Typically the application will contain an option to point to an extension
@@ -447,7 +447,7 @@ B<objsign>, B<reserved>, B<sslCA>, B<emailCA>, B<objCA>.
=head1 ARBITRARY EXTENSIONS
If an extension is not supported by the OpenSSL code then it must be encoded
If an extension is not supported by the GmSSL code then it must be encoded
using the arbitrary extension format. It is also possible to use the arbitrary
format for supported extensions. Extreme care should be taken to ensure that
the data is formatted correctly for the given extension type.
@@ -507,7 +507,7 @@ will produce an error but the equivalent form:
is valid.
Due to the behaviour of the OpenSSL B<conf> library the same field name
Due to the behaviour of the GmSSL B<conf> library the same field name
can only occur once in a section. This means that:
subjectAltName=@alt_section
@@ -533,7 +533,7 @@ L<ASN1_generate_nconf(3)>
Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
Licensed under the GmSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
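Review bot: Same issue as the x509 page: the license notice now names a "GmSSL license" but still points at the OpenSSL license URL and keeps the OpenSSL copyright line. Keep "OpenSSL license" so the notice stays accurate.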