diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod index 727cce12..34438cbb 100644 --- a/doc/apps/CA.pl.pod +++ b/doc/apps/CA.pl.pod @@ -2,7 +2,7 @@ =head1 NAME -CA.pl - friendlier interface for OpenSSL certificate programs +CA.pl - friendlier interface for GmSSL certificate programs =head1 SYNOPSIS @@ -32,7 +32,7 @@ B B<-revoke> [B<-extra-ca> extra-params] B [B] =head1 DESCRIPTION The B script is a perl script that supplies the relevant command line -arguments to the B command for some common certificate operations. +arguments to the B command for some common certificate operations. It is intended to simplify the process of certificate creation and management by the use of some simple options. @@ -48,18 +48,18 @@ prints a usage message. creates a new self signed certificate. The private key is written to the file "newkey.pem" and the request written to the file "newreq.pem". -This argument invokes B command. +This argument invokes B command. =item B<-newreq> creates a new certificate request. The private key is written to the file "newkey.pem" and the request written to the file "newreq.pem". -Executes B command below the hood. +Executes B command below the hood. =item B<-newreq-nodes> is like B<-newreq> except that the private key will not be encrypted. -Uses B command. +Uses B command. =item B<-newca> @@ -68,7 +68,7 @@ and B<-xsign> options). The user is prompted to enter the filename of the CA certificates (which should also contain the private key) or by hitting ENTER details of the CA will be prompted for. The relevant files and directories are created in a directory called "demoCA" in the current directory. -B and B commands are get invoked. +B and B commands are get invoked. =item B<-pkcs12> 
@@ -80,31 +80,31 @@ B<-sign> option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line it will be used as the "friendly name" for the certificate (which is typically displayed in the browser list box), otherwise the name "My Certificate" is used. -Delegates work to B command. +Delegates work to B command. =item B<-sign>, B<-signcert>, B<-xsign> calls the B program to sign a certificate request. It expects the request to be in the file "newreq.pem". The new certificate is written to the file "newcert.pem" except in the case of the B<-xsign> option when it is written -to standard output. Leverages B command. +to standard output. Leverages B command. =item B<-signCA> this option is the same as the B<-signreq> option except it uses the configuration file section B and so makes the signed request a valid CA certificate. This is useful when creating intermediate CA from a root CA. -Extra params are passed on to B command. +Extra params are passed on to B command. =item B<-signcert> this option is the same as B<-sign> except it expects a self signed certificate to be present in the file "newreq.pem". -Extra params are passed on to B and B commands. +Extra params are passed on to B and B commands. =item B<-crl> -generate a CRL. Executes B command. +generate a CRL. Executes B command. =item B<-revoke certfile [reason]> 
@@ -112,23 +112,23 @@ revoke the certificate contained in the specified B. An optional reason may be specified, and must be one of: B, B, B, B, B, B, B, or B. -Leverages B command. +Leverages B command. =item B<-verify> verifies certificates against the CA certificate for "demoCA". If no certificates are specified on the command line it tries to verify the file "newcert.pem". -Invokes B command. +Invokes B command. =item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> The purpose of these parameters is to allow optional parameters to be supplied -to B that this command executes. The B<-extra-cmd> are specific to the -option being used and the B command getting invoked. For example -when this command invokes B extra parameters can be passed on +to B that this command executes. The B<-extra-cmd> are specific to the +option being used and the B command getting invoked. For example +when this command invokes B extra parameters can be passed on with the B<-extra-req> parameter. The -B commands being invoked per option are documented below. -Users should consult B command documentation for more information. +B commands being invoked per option are documented below. +Users should consult B command documentation for more information. =back @@ -154,11 +154,11 @@ directly. The following example shows the steps that would typically be taken. Create some DSA parameters: - openssl dsaparam -out dsap.pem 1024 + gmssl dsaparam -out dsap.pem 1024 Create a DSA CA certificate and private key: - openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem + gmssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem Create the CA directories and files: 
@@ -169,7 +169,7 @@ enter cacert.pem when prompted for the CA file name. Create a DSA certificate request and private key (a different set of parameters can optionally be created first): - openssl req -out newreq.pem -newkey dsa:dsap.pem + gmssl req -out newreq.pem -newkey dsa:dsap.pem Sign the request: @@ -193,9 +193,9 @@ be wrong. In this case the command: can be used and the B environment variable changed to point to the correct path of the configuration file "openssl.cnf". -The script is intended as a simple front end for the B program for use +The script is intended as a simple front end for the B program for use by a beginner. Its behaviour isn't always what is wanted. For more control over the -behaviour of the certificate commands call the B command directly. +behaviour of the certificate commands call the B command directly. =head1 ENVIRONMENT VARIABLES @@ -212,7 +212,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/asn1parse.pod b/doc/apps/asn1parse.pod index 10a5aba5..988a0934 100644 --- a/doc/apps/asn1parse.pod +++ b/doc/apps/asn1parse.pod @@ -6,7 +6,7 @@ asn1parse - ASN.1 parsing tool =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-in filename>] @@ -145,7 +145,7 @@ be examined using the option B<-strparse 229> to yield: =head1 NOTES -If an OID is not part of OpenSSL's internal table it will be represented in +If an OID is not part of GmSSL's internal table it will be represented in numerical form (for example 1.2.3.4). The file passed to the B<-oid> option allows additional OIDs to be included. Each line consists of three columns, the first column is the OID in numerical format and should be followed by white 
@@ -159,23 +159,23 @@ C<1.2.3.4 shortName A long name> Parse a file: - openssl asn1parse -in file.pem + gmssl asn1parse -in file.pem Parse a DER file: - openssl asn1parse -inform DER -in file.der + gmssl asn1parse -inform DER -in file.der Generate a simple UTF8String: - openssl asn1parse -genstr 'UTF8:Hello World' + gmssl asn1parse -genstr 'UTF8:Hello World' Generate and write out a UTF8String, don't print parsed output: - openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der + gmssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der Generate using a config file: - openssl asn1parse -genconf asn1.cnf -noout -out asn1.der + gmssl asn1parse -genconf asn1.cnf -noout -out asn1.der Example config file: @@ -200,7 +200,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 5d4cfda1..76d9d5d8 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -6,7 +6,7 @@ ca - sample minimal CA application =head1 SYNOPSIS -B B +B B [B<-help>] [B<-verbose>] [B<-config filename>] @@ -151,7 +151,7 @@ self-signed certificate. =item B<-passin arg> the key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-notext> @@ -174,7 +174,7 @@ the number of days to certify the certificate for. =item B<-md alg> the message digest to use. -Any digest supported by the OpenSSL B command can be used. +Any digest supported by the GmSSL B command can be used. This option also applies to CRLs. =item B<-policy arg> 
@@ -261,7 +261,7 @@ serial number. This option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example: -I +I If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. @@ -436,7 +436,7 @@ if the value B is given, the valid certificate entries in the database must have unique subjects. if the value B is given, several valid certificate entries may have the exact same subject. The default value is B, to be compatible with older (pre 0.9.8) -versions of OpenSSL. However, to make CA certificate roll-over easier, +versions of GmSSL. However, to make CA certificate roll-over easier, it's recommended to use the value B, especially if combined with the B<-selfsign> command line option. @@ -491,7 +491,7 @@ For convenience the values B are accepted by both to produce a reasonable output. If neither option is present the format used in earlier versions of -OpenSSL is used. Use of the old format is B discouraged because +GmSSL is used. Use of the old format is B discouraged because it only displays fields mentioned in the B section, mishandles multicharacter string types and does not display extensions. 
@@ -555,30 +555,30 @@ demoCA/index.txt. Sign a certificate request: - openssl ca -in req.pem -out newcert.pem + gmssl ca -in req.pem -out newcert.pem Sign a certificate request, using CA extensions: - openssl ca -in req.pem -extensions v3_ca -out newcert.pem + gmssl ca -in req.pem -extensions v3_ca -out newcert.pem Generate a CRL - openssl ca -gencrl -out crl.pem + gmssl ca -gencrl -out crl.pem Sign several requests: - openssl ca -infiles req1.pem req2.pem req3.pem + gmssl ca -infiles req1.pem req2.pem req3.pem Certify a Netscape SPKAC: - openssl ca -spkac spkac.txt + gmssl ca -spkac spkac.txt A sample SPKAC file (the SPKAC line has been truncated for clarity): SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 CN=Steve Test - emailAddress=steve@openssl.org - 0.OU=OpenSSL Group + emailAddress=steve@gmssl.org + 0.OU=GmSSL Group 1.OU=Another Group A sample configuration file with the relevant sections for B: @@ -714,7 +714,7 @@ L, L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index c1d1cb25..ac3790bf 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -6,7 +6,7 @@ ciphers - SSL cipher display and cipher list tool =head1 SYNOPSIS -B B +B B [B<-help>] [B<-s>] [B<-v>] @@ -24,7 +24,7 @@ B B =head1 DESCRIPTION -The B command converts textual OpenSSL cipher lists into ordered +The B command converts textual GmSSL cipher lists into ordered SSL cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist. 
@@ -97,7 +97,7 @@ TLSv1.1 were negotiated. =item B<-stdname> -precede each ciphersuite by its standard name: only available is OpenSSL +precede each ciphersuite by its standard name: only available is GmSSL is built with tracing enabled (B argument to Configure). =item B @@ -168,14 +168,14 @@ When used, this must be the first cipherstring specified. The ciphers included in B, but not enabled by default. Currently this includes all RC4 and anonymous ciphers. Note that this rule does not cover B, which is not included by B (use B if -necessary). Note that RC4 based ciphersuites are not built into OpenSSL by +necessary). Note that RC4 based ciphersuites are not built into GmSSL by default (see the enable-weak-ssl-ciphers option to Configure). =item B All cipher suites except the B ciphers (which must be explicitly enabled if needed). -As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. +As of GmSSL 1.0.0, the B cipher suites are sensibly ordered by default. =item B @@ -195,7 +195,7 @@ encryption. "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. All these -ciphersuites have been removed as of OpenSSL 1.1.0. +ciphersuites have been removed as of GmSSL 1.1.0. =item B, B @@ -225,7 +225,7 @@ Cipher suites using RSA key exchange, authentication or either respectively. Cipher suites using static DH key agreement and DH certificates signed by CAs with RSA and DSS keys or either respectively. -All these cipher suites have been removed in OpenSSL 1.1.0. +All these cipher suites have been removed in GmSSL 1.1.0. =item B, B, B @@ -262,7 +262,7 @@ Cipher suites using DSS authentication, i.e. the certificates carry DSS keys. Cipher suites effectively using DH authentication, i.e. the certificates carry DH keys. -All these cipher suites have been removed in OpenSSL 1.1.0. +All these cipher suites have been removed in GmSSL 1.1.0. =item B, B 
@@ -312,7 +312,7 @@ cipher suites using triple DES. =item B Cipher suites using DES (not triple DES). -All these cipher suites have been removed in OpenSSL 1.1.0. +All these cipher suites have been removed in GmSSL 1.1.0. =item B @@ -396,7 +396,7 @@ permissible. =head1 CIPHER SUITE NAMES The following lists give the SSL or TLS cipher suites names from the -relevant specification and their OpenSSL equivalents. It should be noted, +relevant specification and their GmSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. @@ -489,7 +489,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. =head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0 Note: these ciphers require an engine which including GOST cryptographic -algorithms, such as the B engine, included in the OpenSSL distribution. +algorithms, such as the B engine, included in the GmSSL distribution. TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89 TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89 @@ -670,7 +670,7 @@ Note: these ciphers can also be used in SSL v3. TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE-PSK-CHACHA20-POLY1305 TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA-PSK-CHACHA20-POLY1305 -=head2 Older names used by OpenSSL +=head2 Older names used by GmSSL The following names are accepted by older releases: 
@@ -679,41 +679,41 @@ The following names are accepted by older releases: =head1 NOTES -Some compiled versions of OpenSSL may not include all the ciphers +Some compiled versions of GmSSL may not include all the ciphers listed here because some ciphers were excluded at compile time. =head1 EXAMPLES -Verbose listing of all OpenSSL ciphers including NULL ciphers: +Verbose listing of all GmSSL ciphers including NULL ciphers: - openssl ciphers -v 'ALL:eNULL' + gmssl ciphers -v 'ALL:eNULL' Include all ciphers except NULL and anonymous DH then sort by strength: - openssl ciphers -v 'ALL:!ADH:@STRENGTH' + gmssl ciphers -v 'ALL:!ADH:@STRENGTH' Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL): - openssl ciphers -v 'ALL:!aNULL' + gmssl ciphers -v 'ALL:!aNULL' Include only 3DES ciphers and then place RSA ciphers last: - openssl ciphers -v '3DES:+RSA' + gmssl ciphers -v '3DES:+RSA' Include all RC4 ciphers but leave out those without authentication: - openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' + gmssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' Include all ciphers with RSA authentication but leave out ciphers without encryption. - openssl ciphers -v 'RSA:!COMPLEMENTOFALL' + gmssl ciphers -v 'RSA:!COMPLEMENTOFALL' Set security level to 2 and display all ciphers consistent with level 2: - openssl ciphers -s -v 'ALL:@SECLEVEL=2' + gmssl ciphers -s -v 'ALL:@SECLEVEL=2' =head1 SEE ALSO @@ -721,13 +721,13 @@ L, L, L =head1 HISTORY -The B<-V> option for the B command was added in OpenSSL 1.0.0. +The B<-V> option for the B command was added in GmSSL 1.0.0. =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. 
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index b97120a0..b2975a72 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -6,7 +6,7 @@ cms - CMS utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-encrypt>] [B<-decrypt>] @@ -173,12 +173,12 @@ Verify a CMS B type and output the content. =item B<-compress> -Create a CMS B type. OpenSSL must be compiled with B +Create a CMS B type. GmSSL must be compiled with B support for this option to work, otherwise it will output an error. =item B<-uncompress> -Uncompress a CMS B type and output the content. OpenSSL must be +Uncompress a CMS B type and output the content. GmSSL must be compiled with B support for this option to work, otherwise it will output an error. @@ -303,7 +303,7 @@ the encryption algorithm to use. For example triple DES (168 bits) - B<-des3> or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes-128-cbc>. See L|enc(1)> for a list of ciphers -supported by your version of OpenSSL. +supported by your version of GmSSL. If not specified triple DES is used. Only used with B<-encrypt> and B<-EncryptedData_create> commands. @@ -459,7 +459,7 @@ or to modify default parameters for ECDH. =item B<-passin arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-rand file(s)> 
@@ -600,46 +600,46 @@ be processed by the older B command. Create a cleartext signed message: - openssl cms -sign -in message.txt -text -out mail.msg \ + gmssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem Create an opaque signed message - openssl cms -sign -in message.txt -text -out mail.msg -nodetach \ + gmssl cms -sign -in message.txt -text -out mail.msg -nodetach \ -signer mycert.pem Create a signed message, include some additional certificates and read the private key from another file: - openssl cms -sign -in in.txt -text -out mail.msg \ + gmssl cms -sign -in in.txt -text -out mail.msg \ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem Create a signed message with two signers, use key identifier: - openssl cms -sign -in message.txt -text -out mail.msg \ + gmssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -signer othercert.pem -keyid Send a signed message under Unix directly to sendmail, including headers: - openssl cms -sign -in in.txt -text -signer mycert.pem \ - -from steve@openssl.org -to someone@somewhere \ + gmssl cms -sign -in in.txt -text -signer mycert.pem \ + -from steve@gmssl.org -to someone@somewhere \ -subject "Signed message" | sendmail someone@somewhere Verify a message and extract the signer's certificate if successful: - openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt + gmssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt Send encrypted mail using triple DES: - openssl cms -encrypt -in in.txt -from steve@openssl.org \ + gmssl cms -encrypt -in in.txt -from steve@gmssl.org \ -to someone@somewhere -subject "Encrypted message" \ -des3 user.pem -out mail.msg Sign and encrypt mail: - openssl cms -sign -in ml.txt -signer my.pem -text \ - | openssl cms -encrypt -out mail.msg \ - -from steve@openssl.org -to someone@somewhere \ + gmssl cms -sign -in ml.txt -signer my.pem -text \ + | gmssl cms -encrypt -out mail.msg \ + -from steve@gmssl.org -to someone@somewhere \ 
-subject "Signed and Encrypted message" -des3 user.pem Note: the encryption command does not include the B<-text> option because the @@ -647,7 +647,7 @@ message being encrypted already has MIME headers. Decrypt mail: - openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem + gmssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the @@ -659,33 +659,33 @@ it with: and using the command, - openssl cms -verify -inform PEM -in signature.pem -content content.txt + gmssl cms -verify -inform PEM -in signature.pem -content content.txt alternatively you can base64 decode the signature and use - openssl cms -verify -inform DER -in signature.der -content content.txt + gmssl cms -verify -inform DER -in signature.der -content content.txt Create an encrypted message using 128 bit Camellia: - openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem + gmssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem Add a signer to an existing message: - openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg + gmssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg Sign mail using RSA-PSS: - openssl cms -sign -in message.txt -text -out mail.msg \ + gmssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -keyopt rsa_padding_mode:pss Create encrypted mail using RSA-OAEP: - openssl cms -encrypt -in plain.txt -out mail.msg \ + gmssl cms -encrypt -in plain.txt -out mail.msg \ -recip cert.pem -keyopt rsa_padding_mode:oaep Use SHA256 KDF with an ECDH certificate: - openssl cms -encrypt -in plain.txt -out mail.msg \ + gmssl cms -encrypt -in plain.txt -out mail.msg \ -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256 =head1 BUGS 
@@ -711,25 +711,25 @@ No revocation checking is done on the signer's certificate. =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first -added in OpenSSL 1.0.0 +added in GmSSL 1.0.0 -The B option was first added in OpenSSL 1.1.0 +The B option was first added in GmSSL 1.1.0 The use of B<-recip> to specify the recipient when encrypting mail was first -added to OpenSSL 1.1.0 +added to GmSSL 1.1.0 -Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. +Support for RSA-OAEP and RSA-PSS was first added to GmSSL 1.1.0. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added -to OpenSSL 1.1.0. +to GmSSL 1.1.0. -The -no_alt_chains options was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to GmSSL 1.1.0. =head1 COPYRIGHT Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/config.pod b/doc/apps/config.pod index a9cde895..f0902919 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod 
@@ -1,17 +1,17 @@ =pod -=for comment openssl_manual_section:5 +=for comment gmssl_manual_section:5 =head1 NAME -config - OpenSSL CONF library configuration files +config - GmSSL CONF library configuration files =head1 DESCRIPTION -The OpenSSL CONF library can be used to read configuration files. -It is used for the OpenSSL master configuration file B +The GmSSL CONF library can be used to read configuration files. +It is used for the GmSSL master configuration file B and in a few other places like B files and certificate extension -files for the B utility. OpenSSL applications can also use the +files for the B utility. GmSSL applications can also use the CONF library for their own purposes. A configuration file is divided into a number of sections. Each section @@ -56,15 +56,15 @@ the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized. =head1 OPENSSL LIBRARY CONFIGURATION Applications can automatically configure certain -aspects of OpenSSL using the master OpenSSL configuration file, or optionally -an alternative configuration file. The B utility includes this -functionality: any sub command uses the master OpenSSL configuration file +aspects of GmSSL using the master GmSSL configuration file, or optionally +an alternative configuration file. The B utility includes this +functionality: any sub command uses the master GmSSL configuration file unless an option is used in the sub command to use an alternative configuration file. To enable library configuration the default section needs to contain an appropriate line which points to the main configuration section. The default -name is B which is used by the B utility. Other +name is B which is used by the B utility. Other applications may use an alternative name such as B. The configuration section should consist of a set of name value pairs which 
@@ -73,9 +73,9 @@ the name of the I the meaning of the B is module specific: it may, for example, represent a further configuration section containing configuration module specific information. E.g. - openssl_conf = openssl_init + gmssl_conf = gmssl_init - [openssl_init] + [gmssl_init] oid_section = new_oids engines = engine_section @@ -95,9 +95,9 @@ The features of each configuration module are described below. This module has the name B. The value of this variable points to a section containing name value pairs of OIDs: the name is the OID short and long name, the value is the numerical form of the OID. Although some of -the B utility sub commands already have their own ASN1 OBJECT section +the B utility sub commands already have their own ASN1 OBJECT section functionality not all do. By using the ASN1 OBJECT configuration module -B the B utility sub commands can see the new objects as well +B the B utility sub commands can see the new objects as well as any compliant applications. For example: [new_oids] @@ -241,7 +241,7 @@ For example: If a configuration file attempts to expand a variable that doesn't exist then an error is flagged and the file will not load. This can happen if an attempt is made to expand an environment variable that doesn't -exist. For example in a previous version of OpenSSL the default OpenSSL +exist. For example in a previous version of GmSSL the default GmSSL master configuration file used the value of B which may not be defined on non Unix systems and would cause an error. 
@@ -304,13 +304,13 @@ priority and B used if neither is defined: # The above value is used if TEMP isn't in the environment tmpfile=${ENV::TEMP}/tmp.filename -Simple OpenSSL library configuration example to enter FIPS mode: +Simple GmSSL library configuration example to enter FIPS mode: # Default appname: should match "appname" parameter (if any) # supplied to CONF_modules_load_file et al. - openssl_conf = openssl_conf_section + gmssl_conf = gmssl_conf_section - [openssl_conf_section] + [gmssl_conf_section] # Configuration module list alg_section = evp_sect @@ -319,15 +319,15 @@ Simple OpenSSL library configuration example to enter FIPS mode: fips_mode = yes Note: in the above example you will get an error in non FIPS capable versions -of OpenSSL. +of GmSSL. -More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: +More complex GmSSL library configuration. Add OID and don't enter FIPS mode: # Default appname: should match "appname" parameter (if any) # supplied to CONF_modules_load_file et al. - openssl_conf = openssl_conf_section + gmssl_conf = gmssl_conf_section - [openssl_conf_section] + [gmssl_conf_section] # Configuration module list alg_section = evp_sect oid_section = new_oids @@ -344,12 +344,12 @@ More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: newoid2 = New OID 2 long name, 1.2.3.4.2 The above examples can be used with any application supporting library -configuration if "openssl_conf" is modified to match the appropriate "appname". +configuration if "gmssl_conf" is modified to match the appropriate "appname". For example if the second sample file above is saved to "example.cnf" then the command line: - OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1 + OPENSSL_CONF=example.cnf gmssl asn1parse -genstr OID:1.2.3.4.1 will output: 
@@ -378,7 +378,7 @@ L, L, L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod index 2fad2101..481a671f 100644 --- a/doc/apps/crl.pod +++ b/doc/apps/crl.pod @@ -6,7 +6,7 @@ crl - CRL utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] @@ -76,7 +76,7 @@ a directory by issuer name. =item B<-hash_old> outputs the "hash" of the CRL issuer name using the older algorithm -as used by OpenSSL versions before 1.0.0. +as used by GmSSL versions before 1.0.0. =item B<-issuer> @@ -115,11 +115,11 @@ The PEM CRL format uses the header and footer lines: Convert a CRL file from PEM to DER: - openssl crl -in crl.pem -outform DER -out crl.der + gmssl crl -in crl.pem -outform DER -out crl.der Output the text form of a DER encoded certificate: - openssl crl -in crl.der -text -noout + gmssl crl -in crl.der -text -noout =head1 BUGS @@ -134,7 +134,7 @@ L, L, L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod index 8c679ea8..12ddce86 100644 --- a/doc/apps/crl2pkcs7.pod +++ b/doc/apps/crl2pkcs7.pod @@ -6,7 +6,7 @@ crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] 
@@ -69,12 +69,12 @@ included in the output file and a CRL is not read from the input file. Create a PKCS#7 structure from a certificate and CRL: - openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem + gmssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem Creates a PKCS#7 structure in DER format with no CRL from several different certificates: - openssl crl2pkcs7 -nocrl -certfile newcert.pem + gmssl crl2pkcs7 -nocrl -certfile newcert.pem -certfile demoCA/cacert.pem -outform DER -out p7.der =head1 NOTES @@ -97,7 +97,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod index 3f1b02ca..268dfaf3 100644 --- a/doc/apps/dgst.pod +++ b/doc/apps/dgst.pod @@ -2,11 +2,11 @@ =head1 NAME -dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md4, md5, blake2b, blake2s - message digests +dgst, sha, sha1, mdc2, ripemd160, sha224, sm3, sha384, sha512, md4, md5, blake2b, blake2s - message digests =head1 SYNOPSIS -B B +B B [B<-help>] [B<-I>] [B<-c>] @@ -27,7 +27,7 @@ B B [B<-engine_impl>] [B] -B +B [I] [B<...>] @@ -39,7 +39,7 @@ signatures using message digests. The generic name, B, may be used with an option specifying the algorithm to be used. -The default digest is I. +The default digest is I. A supported I name may also be used as the command name. To see the list of supported algorithms, use the I command. @@ -102,7 +102,7 @@ Names and values of these options are algorithm-specific. =item B<-passin arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-verify filename> 
@@ -161,7 +161,7 @@ all others. =item B<-fips-fingerprint> compute HMAC using a specific key -for certain OpenSSL-FIPS operations. +for certain GmSSL-FIPS operations. =item B<-engine id> @@ -186,13 +186,13 @@ used. =head1 EXAMPLES To create a hex-encoded message digest of a file: - openssl dgst -md5 -hex file.txt + gmssl dgst -md5 -hex file.txt To sign a file using SHA-256 with binary file output: - openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt + gmssl dgst -sm3 -sign privatekey.pem -out signature.sign file.txt To verify a signature: - openssl dgst -sha256 -verify publickey.pem \ + gmssl dgst -sm3 -verify publickey.pem \ -signature signature.sign \ file.txt @@ -200,7 +200,7 @@ To verify a signature: =head1 NOTES The digest mechanisms that are available will depend on the options -used when building OpenSSL. +used when building GmSSL. The B command can be used to list them. New or agile applications should use probably use SHA-256. Other digests, @@ -219,20 +219,20 @@ particular ECDSA and DSA. The signing and verify options should only be used if a single file is being signed or verified. -Hex signatures cannot be verified using B. Instead, use "xxd -r" +Hex signatures cannot be verified using B. Instead, use "xxd -r" or similar program to transform the hex signature into a binary signature prior to verification. =head1 HISTORY -The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0 -The FIPS-related options were removed in OpenSSL 1.1.0 +The default digest was changed from MD5 to SM3 in GmSSL 2.0 +The FIPS-related options were removed in GmSSL 2.0 =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. 
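Review bot: in the EXAMPLES hunk the commands are changed to -sm3 but the lead-in "To sign a file using SHA-256 with binary file output:" is left as is, so the prose and the command no longer agree; either say SM3 in the text or keep -sha256 in the command. The NOTES context two hunks further on still reads "New or agile applications should use probably use SHA-256" (also a typo, "should use probably use"), which now contradicts the HISTORY line "The default digest was changed from MD5 to SM3 in GmSSL 2.0"; give one consistent recommendation. The -fips-fingerprint hunk renames the option's purpose to "certain GmSSL-FIPS operations" while HISTORY says "The FIPS-related options were removed in GmSSL 2.0"; if the option is gone, delete its =item, and if it is kept, leave the reference as OpenSSL-FIPS unless GmSSL ships a FIPS module of its own. Finally, "Hex signatures cannot be verified using B" is unchanged and correct, but the verify example should mention that the public key must be the SM2/EC key matching the signer when -sm3 is used, since the page otherwise gives no hint that the digest choice now implies a different default signing algorithm.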
diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod index addd88a5..d7f56487 100644 --- a/doc/apps/dhparam.pod +++ b/doc/apps/dhparam.pod @@ -6,7 +6,7 @@ dhparam - DH parameter manipulation and generation =head1 SYNOPSIS -B +B [B<-help>] [B<-inform DER|PEM>] [B<-outform DER|PEM>] @@ -123,9 +123,9 @@ for all available algorithms. =head1 WARNINGS The program B combines the functionality of the programs B and -B in previous versions of OpenSSL. The B and B +B in previous versions of GmSSL. The B and B programs are retained for now but may have different purposes in future -versions of OpenSSL. +versions of GmSSL. =head1 NOTES @@ -134,7 +134,7 @@ PEM format DH parameters use the header and footer lines: -----BEGIN DH PARAMETERS----- -----END DH PARAMETERS----- -OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 +GmSSL currently only supports the older PKCS#3 DH, not the newer X9.42 DH. This program manipulates DH parameters not keys. @@ -151,7 +151,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod index 0e4f508f..c159ba83 100644 --- a/doc/apps/dsa.pod +++ b/doc/apps/dsa.pod @@ -6,7 +6,7 @@ dsa - DSA key processing =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] @@ -71,7 +71,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> 
@@ -83,7 +83,7 @@ filename. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> @@ -143,23 +143,23 @@ The PEM public key format uses the header and footer lines: To remove the pass phrase on a DSA private key: - openssl dsa -in key.pem -out keyout.pem + gmssl dsa -in key.pem -out keyout.pem To encrypt a private key using triple DES: - openssl dsa -in key.pem -des3 -out keyout.pem + gmssl dsa -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: - openssl dsa -in key.pem -outform DER -out keyout.der + gmssl dsa -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: - openssl dsa -in key.pem -text -noout + gmssl dsa -in key.pem -text -noout To just output the public part of a private key: - openssl dsa -in key.pem -pubout -out pubkey.pem + gmssl dsa -in key.pem -pubout -out pubkey.pem =head1 SEE ALSO @@ -170,7 +170,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod index 08ad47fa..7be32673 100644 --- a/doc/apps/dsaparam.pod +++ b/doc/apps/dsaparam.pod @@ -6,7 +6,7 @@ dsaparam - DSA parameter manipulation and generation =head1 SYNOPSIS -B +B [B<-help>] [B<-inform DER|PEM>] [B<-outform DER|PEM>] 
@@ -116,7 +116,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod index a5f920e8..773296ae 100644 --- a/doc/apps/ec.pod +++ b/doc/apps/ec.pod @@ -6,7 +6,7 @@ ec - EC key processing =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] @@ -16,7 +16,7 @@ B B [B<-passout arg>] [B<-des>] [B<-des3>] -[B<-idea>] +[B<-sms4>] [B<-text>] [B<-noout>] [B<-param_out>] @@ -31,9 +31,9 @@ B B =head1 DESCRIPTION The B command processes EC keys. They can be converted between various -forms and their components printed out. B OpenSSL uses the +forms and their components printed out. B GmSSL uses the private key format specified in 'SEC 1: Elliptic Curve Cryptography' -(http://www.secg.org/). To convert an OpenSSL EC private key into the +(http://www.secg.org/). To convert an GmSSL EC private key into the PKCS#8 private key format use the B command. =head1 OPTIONS @@ -67,7 +67,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> 
@@ -79,12 +79,12 @@ filename. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. -=item B<-des|-des3|-idea> +=item B<-des|-des3|-sms4> -These options encrypt the private key with the DES, triple DES, IDEA or -any other cipher supported by OpenSSL before outputting it. A pass phrase is +These options encrypt the private key with the DES, triple DES, SMS4 or +any other cipher supported by GmSSL before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that using the B utility to read in an encrypted key with no @@ -133,7 +133,7 @@ specified by an OID, or B where the ec parameters are explicitly given (see RFC 3279 for the definition of the EC parameters structures). The default value is B. B the B alternative, as specified in RFC 3279, -is currently not implemented in OpenSSL. +is currently not implemented in GmSSL. =item B<-no_public> 
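Review bot: the "-des|-des3|-sms4" hunk in ec.pod removes -idea from both the synopsis and the option list and drops IDEA from the description, while dsa.pod above and genrsa.pod later in this patch still list "-des|-des3|-idea" and never mention -sms4. Since these apps resolve a -<cipher> flag by name lookup, -idea is unlikely to have disappeared from ec alone; confirm whether it was really removed and make the encryption options consistent across ec, dsa, rsa, genrsa and gendsa. If -sms4 is newly available, state the mode it selects (the existing flags are CBC by convention, but the page should say so) so readers do not assume an unauthenticated mode is anything more than that.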
@@ -168,27 +168,27 @@ The PEM public key format uses the header and footer lines: To encrypt a private key using triple DES: - openssl ec -in key.pem -des3 -out keyout.pem + gmssl ec -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: - openssl ec -in key.pem -outform DER -out keyout.der + gmssl ec -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: - openssl ec -in key.pem -text -noout + gmssl ec -in key.pem -text -noout To just output the public part of a private key: - openssl ec -in key.pem -pubout -out pubkey.pem + gmssl ec -in key.pem -pubout -out pubkey.pem To change the parameters encoding to B: - openssl ec -in key.pem -param_enc explicit -out keyout.pem + gmssl ec -in key.pem -param_enc explicit -out keyout.pem To change the point conversion form to B: - openssl ec -in key.pem -conv_form compressed -out keyout.pem + gmssl ec -in key.pem -conv_form compressed -out keyout.pem =head1 SEE ALSO @@ -198,7 +198,7 @@ L, L, L Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod index 51678964..1cea4bcb 100644 --- a/doc/apps/ecparam.pod +++ b/doc/apps/ecparam.pod @@ -6,7 +6,7 @@ ecparam - EC parameter manipulation and generation =head1 SYNOPSIS -B +B [B<-help>] [B<-inform DER|PEM>] [B<-outform DER|PEM>] @@ -105,7 +105,7 @@ specified by an OID, or B where the ec parameters are explicitly given (see RFC 3279 for the definition of the EC parameters structures). The default value is B. B the B alternative, as specified in RFC 3279, -is currently not implemented in OpenSSL. +is currently not implemented in GmSSL. =item B<-no_seed> 
@@ -140,34 +140,34 @@ PEM format EC parameters use the header and footer lines: -----BEGIN EC PARAMETERS----- -----END EC PARAMETERS----- -OpenSSL is currently not able to generate new groups and therefore +GmSSL is currently not able to generate new groups and therefore B can only create EC parameters from known (named) curves. =head1 EXAMPLES To create EC parameters with the group 'prime192v1': - openssl ecparam -out ec_param.pem -name prime192v1 + gmssl ecparam -out ec_param.pem -name prime192v1 To create EC parameters with explicit parameters: - openssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit + gmssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit To validate given EC parameters: - openssl ecparam -in ec_param.pem -check + gmssl ecparam -in ec_param.pem -check To create EC parameters and a private key: - openssl ecparam -out ec_key.pem -name prime192v1 -genkey + gmssl ecparam -out ec_key.pem -name prime192v1 -genkey To change the point encoding to 'compressed': - openssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed + gmssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed To print out the EC parameters to standard output: - openssl ecparam -in ec_param.pem -noout -text + gmssl ecparam -in ec_param.pem -noout -text =head1 SEE ALSO @@ -177,7 +177,7 @@ L, L Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index b3bf82ad..15818e1b 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod @@ -6,7 +6,7 @@ enc - symmetric cipher routines =head1 SYNOPSIS -B +B [B<-help>] [B<-ciphers>] [B<-in filename>] 
@@ -63,7 +63,7 @@ the output filename, standard output by default. =item B<-pass arg> the password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-e> @@ -90,24 +90,24 @@ if the B<-a> option is set then base64 process the data on one line. =item B<-k password> the password to derive the key from. This is for compatibility with previous -versions of OpenSSL. Superseded by the B<-pass> argument. +versions of GmSSL. Superseded by the B<-pass> argument. =item B<-kfile filename> read the password to derive the key from the first line of B. -This is for compatibility with previous versions of OpenSSL. Superseded by +This is for compatibility with previous versions of GmSSL. Superseded by the B<-pass> argument. =item B<-md digest> Use the specified digest to create the key from the passphrase. -The default algorithm is sha-256. +The default algorithm is SM3. =item B<-nosalt> don't use a salt in the key derivation routines. This option B be used except for test purposes or compatibility with ancient versions of -OpenSSL. +GmSSL. =item B<-salt> @@ -158,7 +158,7 @@ debug the BIOs used for I/O. =item B<-z> Compress or decompress clear text using zlib before encryption or after -decryption. This option exists only if OpenSSL with compiled with zlib +decryption. This option exists only if GmSSL with compiled with zlib or zlib-dynamic option. =item B<-none> @@ -169,8 +169,8 @@ Use NULL cipher (no encryption or decryption of input). =head1 NOTES -The program can be called either as B or -B. But the first form doesn't work with +The program can be called either as B or +B. But the first form doesn't work with engine-provided ciphers, because this form is processed before the configuration file is read and any ENGINEs loaded. 
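Review bot: changing "-md digest ... The default algorithm is SM3" silently alters the password-to-key derivation for every enc invocation that omits -md, so data encrypted with `openssl enc` (SHA-256 default since 1.1) will not decrypt under `gmssl enc` with the same password, and vice versa; with CBC ciphers this shows up as a padding "bad decrypt" error, with stream ciphers as garbage output. The page should say this explicitly and recommend passing -md sha256 or -md sm3 on the command line whenever files are exchanged with OpenSSL. The HISTORY context further down, "The default digest was changed from MD5 to SHA256 in Openssl 1.1.", is left untouched and now contradicts this hunk; record the SM3 change there. The -k, -kfile and -nosalt hunks rewrite "previous versions of OpenSSL" to GmSSL, but the compatibility being described is with old OpenSSL releases, which is exactly what users reaching for those options will be interoperating with, so the original wording is the accurate one.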
@@ -178,7 +178,7 @@ Engines which provide entirely new encryption algorithms (such as ccgost engine which provides gost89 algorithm) should be configured in the configuration file. Engines, specified in the command line using -engine options can only be used for hardware-assisted implementations of -ciphers, which are supported by OpenSSL core or other engine, specified +ciphers, which are supported by GmSSL core or other engine, specified in the configuration file. When enc command lists supported ciphers, ciphers provided by engines, @@ -188,7 +188,7 @@ A password will be prompted for to derive the key and IV if necessary. The B<-salt> option should B be used if the key is being derived from a password unless you want compatibility with previous versions of -OpenSSL. +GmSSL. Without the B<-salt> option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason @@ -218,8 +218,8 @@ Blowfish and RC5 algorithms use a 128 bit key. Note that some of these ciphers can be disabled at compile time and some are available only if an appropriate engine is configured in the configuration file. The output of the B command run with -unsupported options (for example B) includes a -list of ciphers, supported by your version of OpenSSL, including +unsupported options (for example B) includes a +list of ciphers, supported by your version of GmSSL, including ones provided by configured engines. The B program does not support authenticated encryption modes 
@@ -300,32 +300,32 @@ authentication tag. Just base64 encode a binary file: - openssl base64 -in file.bin -out file.b64 + gmssl base64 -in file.bin -out file.b64 Decode the same file - openssl base64 -d -in file.b64 -out file.bin + gmssl base64 -d -in file.b64 -out file.bin Encrypt a file using triple DES in CBC mode using a prompted password: - openssl des3 -salt -in file.txt -out file.des3 + gmssl des3 -salt -in file.txt -out file.des3 Decrypt a file using a supplied password: - openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword + gmssl des3 -d -salt -in file.des3 -out file.txt -k mypassword Encrypt a file then base64 encode it (so it can be sent via mail for example) using Blowfish in CBC mode: - openssl bf -a -salt -in file.txt -out file.bf + gmssl bf -a -salt -in file.txt -out file.bf Base64 decode a file then decrypt it: - openssl bf -d -salt -a -in file.bf -out file.txt + gmssl bf -d -salt -a -in file.bf -out file.txt Decrypt some data using a supplied 40 bit RC4 key: - openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405 + gmssl rc4-40 -in file.rc4 -out file.txt -K 0102030405 =head1 BUGS @@ -345,7 +345,7 @@ The default digest was changed from MD5 to SHA256 in Openssl 1.1. Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/engine.pod b/doc/apps/engine.pod index 674ab565..0a5b5b82 100644 --- a/doc/apps/engine.pod +++ b/doc/apps/engine.pod @@ -6,7 +6,7 @@ engine - load and query engines =head1 SYNOPSIS -B +B [ I ] [B<-v>] [B<-vv>] 
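Review bot: the EXAMPLES hunk keeps `gmssl bf -a -salt ...`, `gmssl des3 ...` and `gmssl rc4-40 ...` as the showcase commands, yet the gmssl.pod hunk later in this patch replaces the "Blowfish Cipher" entry in the cipher command list with "SMS4 Cipher"; either bf is still a registered command and gmssl.pod should list both, or these examples are now broken. For a GM-oriented fork it would also be worth adding one SMS4 example alongside the legacy ones (using whatever command name the binary registers for it), since Blowfish, RC4-40 and DES3 are the ciphers readers of this page are least likely to want. The HISTORY context line "The default digest was changed from MD5 to SHA256 in Openssl 1.1." needs the new SM3 default recorded next to it to match the -md hunk earlier in this file.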
@@ -67,7 +67,7 @@ See the example below. To list all the commands available to a dynamic engine: - % openssl engine -t -tt -vvvv dynamic + % gmssl engine -t -tt -vvvv dynamic (dynamic) Dynamic engine loading support [ unavailable ] SO_PATH: Specifies the path to the new ENGINE shared library @@ -87,7 +87,7 @@ To list all the commands available to a dynamic engine: To list the capabilities of the I engine: - % openssl engine -c + % gmssl engine -c (rsax) RSAX engine support [RSA] (dynamic) Dynamic engine loading support @@ -96,7 +96,7 @@ To list the capabilities of the I engine: Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/errstr.pod b/doc/apps/errstr.pod index 8dfe49a5..ad33f222 100644 --- a/doc/apps/errstr.pod +++ b/doc/apps/errstr.pod @@ -6,7 +6,7 @@ errstr - lookup error codes =head1 SYNOPSIS -B +B =head1 DESCRIPTION @@ -27,7 +27,7 @@ The error code: can be displayed with: - openssl errstr 2006D080 + gmssl errstr 2006D080 to produce the error message: @@ -37,7 +37,7 @@ to produce the error message: Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/gendsa.pod b/doc/apps/gendsa.pod index 4fd17147..7ef070be 100644 --- a/doc/apps/gendsa.pod +++ b/doc/apps/gendsa.pod @@ -6,7 +6,7 @@ gendsa - generate a DSA private key from a set of parameters =head1 SYNOPSIS -B B +B B [B<-help>] [B<-out filename>] [B<-aes128>] 
@@ -25,7 +25,7 @@ B B =head1 DESCRIPTION The B command generates a DSA private key from a DSA parameter file -(which will be typically generated by the B command). +(which will be typically generated by the B command). =head1 OPTIONS @@ -65,7 +65,7 @@ for all available algorithms. This option specifies the DSA parameter file to use. The parameters in this file determine the size of the private key. DSA parameters can be generated -and examined using the B command. +and examined using the B command. =back @@ -83,7 +83,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod index e77fc7ef..ef81fbc4 100644 --- a/doc/apps/genpkey.pod +++ b/doc/apps/genpkey.pod @@ -6,7 +6,7 @@ genpkey - generate a private key =head1 SYNOPSIS -B B +B B [B<-help>] [B<-out filename>] [B<-outform PEM|DER>] @@ -43,7 +43,7 @@ This specifies the output format DER or PEM. =item B<-pass arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-cipher> @@ -93,7 +93,7 @@ parameters along with the PEM or DER structure. =head1 KEY GENERATION OPTIONS The options supported by each algorithm and indeed each implementation of an -algorithm can vary. The options for the OpenSSL implementations are detailed +algorithm can vary. The options for the GmSSL implementations are detailed below. =head1 RSA KEY GENERATION OPTIONS @@ -154,7 +154,7 @@ key from a named curve without the need to use an explicit parameter file. =item B -the EC curve to use. OpenSSL supports NIST curve names such as "P-256". +the EC curve to use. GmSSL supports NIST curve names such as "P-256". =item B 
@@ -166,7 +166,7 @@ the encoding to use for parameters. The "encoding" parameter must be either =head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS Gost 2001 support is not enabled by default. To enable this algorithm, -one should load the ccgost engine in the OpenSSL configuration file. +one should load the ccgost engine in the GmSSL configuration file. See README.gost file in the engines/ccgost directory of the source distribution for more details. 
@@ -207,69 +207,69 @@ can be used. Generate an RSA private key using default parameters: - openssl genpkey -algorithm RSA -out key.pem + gmssl genpkey -algorithm RSA -out key.pem Encrypt output private key using 128 bit AES and the passphrase "hello": - openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello + gmssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello Generate a 2048 bit RSA key using 3 as the public exponent: - openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ + gmssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:3 Generate 1024 bit DSA parameters: - openssl genpkey -genparam -algorithm DSA -out dsap.pem \ + gmssl genpkey -genparam -algorithm DSA -out dsap.pem \ -pkeyopt dsa_paramgen_bits:1024 Generate DSA key from parameters: - openssl genpkey -paramfile dsap.pem -out dsakey.pem + gmssl genpkey -paramfile dsap.pem -out dsakey.pem Generate 1024 bit DH parameters: - openssl genpkey -genparam -algorithm DH -out dhp.pem \ + gmssl genpkey -genparam -algorithm DH -out dhp.pem \ -pkeyopt dh_paramgen_prime_len:1024 Output RFC5114 2048 bit DH parameters with 224 bit subgroup: - openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2 + gmssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2 Generate DH key from parameters: - openssl genpkey -paramfile dhp.pem -out dhkey.pem + gmssl genpkey -paramfile dhp.pem -out dhkey.pem Generate EC parameters: - openssl genpkey -genparam -algorithm EC -out ecp.pem \ + gmssl genpkey -genparam -algorithm EC -out ecp.pem \ -pkeyopt ec_paramgen_curve:secp384r1 \ -pkeyopt ec_param_enc:named_curve Generate EC key from parameters: - openssl genpkey -paramfile ecp.pem -out eckey.pem + gmssl genpkey -paramfile ecp.pem -out eckey.pem Generate EC key directly: - openssl genpkey -algorithm EC -out eckey.pem \ + gmssl genpkey -algorithm EC -out eckey.pem \ -pkeyopt ec_paramgen_curve:P-384 \ 
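Review bot: the EXAMPLES hunks in genpkey.pod are renames only; given that this patch relabels the ec and ecparam summaries as "EC/SM2", this is the natural place to add one SM2 key-generation example (with whatever curve name GmSSL registers for SM2) so readers can find the documented way to create an SM2 key. While these lines are being touched, the unchanged "Generate 1024 bit DSA parameters" and "Generate 1024 bit DH parameters" examples could be moved to 2048 bits, as 1024-bit DSA and DH are below current minimums and the page elsewhere shows 2048-bit RSA.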
-pkeyopt ec_param_enc:named_curve Generate an X25519 private key: - openssl genpkey -algorithm X25519 -out xkey.pem + gmssl genpkey -algorithm X25519 -out xkey.pem =head1 HISTORY The ability to use NIST curve names, and to generate an EC key directly, -were added in OpenSSL 1.0.2. +were added in GmSSL 1.0.2. =head1 COPYRIGHT Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod index 38e83f72..1d4a4d15 100644 --- a/doc/apps/genrsa.pod +++ b/doc/apps/genrsa.pod @@ -6,7 +6,7 @@ genrsa - generate an RSA private key =head1 SYNOPSIS -B B +B B [B<-help>] [B<-out filename>] [B<-passout arg>] @@ -45,7 +45,7 @@ standard output is used. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> @@ -107,7 +107,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/openssl.pod b/doc/apps/gmssl.pod similarity index 88% rename from doc/apps/openssl.pod rename to doc/apps/gmssl.pod index a7e65ff7..93c5fe31 100644 --- a/doc/apps/openssl.pod +++ b/doc/apps/gmssl.pod 
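Review bot: the HISTORY hunk in genpkey.pod now says the NIST curve names "were added in GmSSL 1.0.2", but no such release exists; these features date from OpenSSL 1.0.2 and the project name in version-history sentences should not be part of the mechanical rename (the same problem appears in the dhparam, crl, enc and gmssl.pod history text in this patch). The genrsa.pod cipher option list "-aes128|...|-des|-des3|-idea" is left unchanged while ec.pod drops -idea for -sms4; align them. The rename of doc/apps/openssl.pod to doc/apps/gmssl.pod is fine, but every "see the B section in L." cross-reference updated in dsa.pod, ec.pod, enc.pod, genpkey.pod and genrsa.pod must now point at gmssl(1), and the man-page install rules need to pick up the renamed file, otherwise those links dangle.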
@@ -2,27 +2,27 @@ =head1 NAME -openssl - OpenSSL command line tool +gmssl - GmSSL command line tool =head1 SYNOPSIS -B +B I [ I ] [ I ] -B B [ B | B | B | B | B | B] +B B [ B | B | B | B | B | B] -B BI [ I ] +B BI [ I ] =head1 DESCRIPTION -OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL +GmSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. -The B program is a command line tool for using the various -cryptography functions of OpenSSL's B library from the shell. +The B program is a command line tool for using the various +cryptography functions of GmSSL's B library from the shell. It can be used for o Creation and management of private keys, public keys and parameters @@ -36,14 +36,14 @@ It can be used for =head1 COMMAND SUMMARY -The B program provides a rich variety of commands (I in the +The B program provides a rich variety of commands (I in the SYNOPSIS above), each of which often has a wealth of options and arguments (I and I in the SYNOPSIS). The list parameters B, B, and B output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher commands, -respectively, that are available in the present B utility. +respectively, that are available in the present B utility. The list parameters B and B list all cipher and message digest names, one entry per line. Aliases are listed as: @@ -60,7 +60,7 @@ and prints I. In both cases, the output goes to B and nothing is printed to B. Additional command line arguments are always ignored. Since for each cipher there is a command of the same name, this provides an easy way for shell scripts to test for the -availability of ciphers in the B program. (BI is +availability of ciphers in the B program. (BI is not able to detect pseudo-commands such as B, B, or BI itself.) 
@@ -118,11 +118,11 @@ L|genpkey(1)> and L|pkeyparam(1)> =item L|ec(1)> -EC (Elliptic curve) key processing +EC/SM2 (Elliptic curve) key processing =item L|ecparam(1)> -EC parameter manipulation and generation +EC/SM2 parameter manipulation and generation =item L|enc(1)> @@ -209,14 +209,14 @@ by L|pkeyutl(1)> This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but -internally uses mostly all functionality of the OpenSSL B library. +internally uses mostly all functionality of the GmSSL B library. =item L|s_server(1)> This implements a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all -functionality of the OpenSSL B library. It provides both an own command +functionality of the GmSSL B library. It provides both an own command line oriented protocol for testing SSL functions and a simple HTTP response facility to emulate an SSL/TLS-aware webserver. @@ -250,7 +250,7 @@ X.509 Certificate Verification. =item L|version(1)> -OpenSSL Version Information. +GmSSL Version Information. =item L|x509(1)> @@ -262,9 +262,9 @@ X.509 Certificate Data Management. =over 10 -=item B +=item B -MD2 Digest +SM3 Digest =item B @@ -312,9 +312,9 @@ SHA-512 Digest Base64 Encoding -=item B +=item B -Blowfish Cipher +SMS4 Cipher =item B @@ -414,7 +414,7 @@ L, L, L, L, L, L, L, L, L, L, L, L, L, -L, L, L, +L, L, L, L, L, L, L, L, L, L, @@ -426,7 +426,7 @@ L, L, L =head1 HISTORY -The BIB<-algorithms> pseudo-commands were added in OpenSSL 1.0.0; +The BIB<-algorithms> pseudo-commands were added in GmSSL 1.0.0; For notes on the availability of other commands, see their individual manual pages. 
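Review bot: the digest and cipher command lists in gmssl.pod replace the "MD2 Digest" and "Blowfish Cipher" entries with "SM3 Digest" and "SMS4 Cipher" instead of adding new =items, so the list no longer matches what the rest of this patch documents (enc.pod examples still call `gmssl bf`, and dgst.pod's NAME line keeps md4 and md5). Add sm3 and sms4 as new entries and keep or drop md2 and bf according to what `gmssl list -digest-commands` and `gmssl list -cipher-commands` actually print, which is what the COMMAND SUMMARY text above says these lists mirror. The HISTORY hunk "pseudo-commands were added in GmSSL 1.0.0" should keep OpenSSL 1.0.0, since that is the release the feature came from.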
@@ -434,7 +434,7 @@ manual pages. Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/list.pod b/doc/apps/list.pod index e6e1f176..72eb41d4 100644 --- a/doc/apps/list.pod +++ b/doc/apps/list.pod @@ -6,7 +6,7 @@ list - list algorithms and features =head1 SYNOPSIS -B +B [B<-help>] [B<-commands>] [B<-digest-commands>] @@ -73,7 +73,7 @@ of the installation. Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/nseq.pod b/doc/apps/nseq.pod index a90f8a00..9cc5bf27 100644 --- a/doc/apps/nseq.pod +++ b/doc/apps/nseq.pod @@ -6,7 +6,7 @@ nseq - create or examine a Netscape certificate sequence =head1 SYNOPSIS -B B +B B [B<-help>] [B<-in filename>] [B<-out filename>] @@ -49,11 +49,11 @@ a file of certificates. Output the certificates in a Netscape certificate sequence - openssl nseq -in nseq.pem -out certs.pem + gmssl nseq -in nseq.pem -out certs.pem Create a Netscape certificate sequence - openssl nseq -in certs.pem -toseq -out nseq.pem + gmssl nseq -in certs.pem -toseq -out nseq.pem =head1 NOTES 
@@ -76,7 +76,7 @@ output files and allowing multiple certificate files to be used. Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index ec82088f..fa89fa88 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -6,7 +6,7 @@ ocsp - Online Certificate Status Protocol utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-out file>] [B<-issuer file>] @@ -287,7 +287,7 @@ By default this additional check is not performed. =item B<-[digest]> this option sets digest algorithm to use for certificate identification in the -OCSP request. Any digest supported by the OpenSSL B command can be used. +OCSP request. Any digest supported by the GmSSL B command can be used. The default is SHA-1. This option may be used multiple times to specify the digest used by subsequent certificate identifiers. @@ -362,7 +362,7 @@ the OCSP request checked using the responder certificate's public key. Then a normal certificate verify is performed on the OCSP responder certificate building up a certificate chain in the process. The locations of the trusted certificates used to build the chain can be specified by the B -and B options or they will be looked for in the standard OpenSSL +and B options or they will be looked for in the standard GmSSL certificates directory. If the initial verify fails then the OCSP verify process halts with an 
@@ -390,7 +390,7 @@ If the OCSP responder is a "global responder" which can give details about multiple CAs and has its own separate certificate chain then its root CA can be trusted for OCSP signing. For example: - openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem + gmssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem Alternatively the responder certificate itself can be explicitly trusted with the B<-VAfile> option. 
@@ -416,49 +416,49 @@ script using the B and B options. Create an OCSP request and write it to a file: - openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der + gmssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the response to a file, print it out in text form, and verify the response: - openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ + gmssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ -url http://ocsp.myhost.com/ -resp_text -respout resp.der Read in an OCSP response and print out text form: - openssl ocsp -respin resp.der -text -noverify + gmssl ocsp -respin resp.der -text -noverify OCSP server on port 8888 using a standard B configuration, and a separate responder certificate. All requests and responses are printed to a file. - openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem + gmssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -text -out log.txt As above but exit after processing one request: - openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem + gmssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -nrequest 1 Query status information using an internally generated request: - openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem + gmssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1 Query status information using request read from a file, and write the response to a second file. - openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem + gmssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der =head1 HISTORY -The -no_alt_chains options was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to GmSSL 1.1.0. 
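Review bot: The HISTORY hunk at the end of doc/apps/ocsp.pod (@@ -416,49) turns a version-history fact into a false one: -no_alt_chains was first added in OpenSSL 1.1.0, and unless GmSSL has a release numbered 1.1.0 that introduced it, "first added to GmSSL 1.1.0" describes something that never happened. The same substitution is made in doc/apps/pkcs8.pod @@ -287,13 ("The B<-iter> option was added to GmSSL 1.1.0"), doc/apps/s_client.pod @@ -410,15 and @@ -589,13, and doc/apps/s_server.pod @@ -387,15 and @@ -592,13. Keep HISTORY references to the OpenSSL version they describe (adding the corresponding GmSSL version alongside if it is known), and while the line is being touched fix the pre-existing grammar: "The -no_alt_chains option was first added ...", not "options was".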
=head1 COPYRIGHT Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/passwd.pod b/doc/apps/passwd.pod index 87dd8d86..fedd79ec 100644 --- a/doc/apps/passwd.pod +++ b/doc/apps/passwd.pod @@ -6,7 +6,7 @@ passwd - compute password hashes =head1 SYNOPSIS -B +B [B<-help>] [B<-crypt>] [B<-1>] @@ -78,17 +78,17 @@ to each password hash. =head1 EXAMPLES -B prints B. +B prints B. -B prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>. +B prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>. -B prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. +B prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index 3dea46cd..0d35e439 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod @@ -6,7 +6,7 @@ pkcs12 - PKCS#12 file utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-export>] [B<-chain>] @@ -77,13 +77,13 @@ default. They are all written in PEM format. the PKCS#12 file (i.e. input file) password source. For more information about the format of B see the B section in -L. +L. =item B<-passout arg> pass phrase source to encrypt any outputted private keys with. For more information about the format of B see the B section -in L. +in L. =item B<-password arg> 
@@ -198,13 +198,13 @@ displays them. the PKCS#12 file (i.e. output file) password source. For more information about the format of B see the B section in -L. +L. =item B<-passin password> pass phrase source to decrypt any input private keys with. For more information about the format of B see the B section in -L. +L. =item B<-chain> @@ -339,27 +339,27 @@ utility. Parse a PKCS#12 file and output it to a file: - openssl pkcs12 -in file.p12 -out file.pem + gmssl pkcs12 -in file.p12 -out file.pem Output only client certificates to a file: - openssl pkcs12 -in file.p12 -clcerts -out file.pem + gmssl pkcs12 -in file.p12 -clcerts -out file.pem Don't encrypt the private key: - openssl pkcs12 -in file.p12 -out file.pem -nodes + gmssl pkcs12 -in file.p12 -out file.pem -nodes Print some info about a PKCS#12 file: - openssl pkcs12 -in file.p12 -info -noout + gmssl pkcs12 -in file.p12 -info -noout Create a PKCS#12 file: - openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" + gmssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" Include some extra certificates: - openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \ + gmssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \ -certfile othercerts.pem =head1 SEE ALSO @@ -370,7 +370,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod index d238946b..46944071 100644 --- a/doc/apps/pkcs7.pod +++ b/doc/apps/pkcs7.pod @@ -6,7 +6,7 @@ pkcs7 - PKCS#7 utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] 
@@ -78,11 +78,11 @@ for all available algorithms. Convert a PKCS#7 file from PEM to DER: - openssl pkcs7 -in file.pem -outform DER -out file.der + gmssl pkcs7 -in file.pem -outform DER -out file.der Output all certificates in a file: - openssl pkcs7 -in file.pem -print_certs -out certs.pem + gmssl pkcs7 -in file.pem -print_certs -out certs.pem =head1 NOTES @@ -111,7 +111,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod index dee64a00..d7653c44 100644 --- a/doc/apps/pkcs8.pod +++ b/doc/apps/pkcs8.pod @@ -6,7 +6,7 @@ pkcs8 - PKCS#8 format private key conversion tool =head1 SYNOPSIS -B B +B B [B<-help>] [B<-topk8>] [B<-inform PEM|DER>] @@ -70,7 +70,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -82,7 +82,7 @@ filename. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-iter count> 
@@ -224,43 +224,43 @@ allow strong encryption algorithms like triple DES or 128 bit RC2 to be used. Convert a private key to PKCS#8 format using default parameters (AES with 256 bit key and B): - openssl pkcs8 -in key.pem -topk8 -out enckey.pem + gmssl pkcs8 -in key.pem -topk8 -out enckey.pem Convert a private key to PKCS#8 unencrypted format: - openssl pkcs8 -in key.pem -topk8 -nocrypt -out enckey.pem + gmssl pkcs8 -in key.pem -topk8 -nocrypt -out enckey.pem Convert a private key to PKCS#5 v2.0 format using triple DES: - openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem + gmssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem Convert a private key to PKCS#5 v2.0 format using AES with 256 bits in CBC mode and B PRF: - openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA512 -out enckey.pem + gmssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA512 -out enckey.pem Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm (DES): - openssl pkcs8 -in key.pem -topk8 -v1 PBE-MD5-DES -out enckey.pem + gmssl pkcs8 -in key.pem -topk8 -v1 PBE-MD5-DES -out enckey.pem Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm (3DES): - openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES + gmssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES Read a DER unencrypted PKCS#8 format private key: - openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem + gmssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem Convert a private key from any PKCS#8 encrypted format to traditional format: - openssl pkcs8 -in pk8.pem -traditional -out key.pem + gmssl pkcs8 -in pk8.pem -traditional -out key.pem Convert a private key to PKCS#8 format, encrypting with AES-256 and with one million iterations of the password: - openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem + gmssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem =head1 STANDARDS 
@@ -272,7 +272,7 @@ implementation is reasonably accurate at least as far as these algorithms are concerned. The format of PKCS#8 DSA (and other) private keys is not well documented: -it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA +it is hidden away in PKCS#11 v2.01, section 11.9. GmSSL's default DSA PKCS#8 private key format complies with this standard. =head1 BUGS @@ -287,13 +287,13 @@ L =head1 HISTORY -The B<-iter> option was added to OpenSSL 1.1.0. +The B<-iter> option was added to GmSSL 1.1.0. =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod index 2119c70c..dbe9585e 100644 --- a/doc/apps/pkey.pod +++ b/doc/apps/pkey.pod @@ -6,7 +6,7 @@ pkey - public or private key processing tool =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] @@ -54,7 +54,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -66,7 +66,7 @@ filename. =item B<-passout password> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-traditional> 
@@ -116,27 +116,27 @@ for all available algorithms. To remove the pass phrase on an RSA private key: - openssl pkey -in key.pem -out keyout.pem + gmssl pkey -in key.pem -out keyout.pem To encrypt a private key using triple DES: - openssl pkey -in key.pem -des3 -out keyout.pem + gmssl pkey -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: - openssl pkey -in key.pem -outform DER -out keyout.der + gmssl pkey -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: - openssl pkey -in key.pem -text -noout + gmssl pkey -in key.pem -text -noout To print out the public components of a private key to standard output: - openssl pkey -in key.pem -text_pub -noout + gmssl pkey -in key.pem -text_pub -noout To just output the public part of a private key: - openssl pkey -in key.pem -pubout -out pubkey.pem + gmssl pkey -in key.pem -pubout -out pubkey.pem =head1 SEE ALSO @@ -147,7 +147,7 @@ L, L, L Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod index 755915ff..b25b1c8f 100644 --- a/doc/apps/pkeyparam.pod +++ b/doc/apps/pkeyparam.pod @@ -6,7 +6,7 @@ pkeyparam - public key algorithm parameter processing tool =head1 SYNOPSIS -B B +B B [B<-help>] [B<-in filename>] [B<-out filename>] @@ -58,7 +58,7 @@ for all available algorithms. Print out text version of parameters: - openssl pkeyparam -in param.pem -text + gmssl pkeyparam -in param.pem -text =head1 NOTES 
@@ -74,7 +74,7 @@ L, L, L Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod index ceb9de34..ab0c7b05 100644 --- a/doc/apps/pkeyutl.pod +++ b/doc/apps/pkeyutl.pod @@ -6,7 +6,7 @@ pkeyutl - public key algorithm utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-in file>] [B<-out file>] @@ -71,7 +71,7 @@ the key format PEM, DER or ENGINE. Default is PEM. =item B<-passin arg> the input key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-peerkey file> @@ -164,7 +164,7 @@ engine B for crypto operations. =head1 NOTES The operations and options supported vary according to the key algorithm -and its implementation. The OpenSSL operations and options are indicated below. +and its implementation. The GmSSL operations and options are indicated below. Unless otherwise mentioned all algorithms support the B option which specifies the digest in use for sign, verify and verifyrecover operations. 
@@ -250,28 +250,28 @@ additional options. Sign some data using a private key: - openssl pkeyutl -sign -in file -inkey key.pem -out sig + gmssl pkeyutl -sign -in file -inkey key.pem -out sig Recover the signed data (e.g. if an RSA key is used): - openssl pkeyutl -verifyrecover -in sig -inkey key.pem + gmssl pkeyutl -verifyrecover -in sig -inkey key.pem Verify the signature (e.g. a DSA key): - openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem + gmssl pkeyutl -verify -in file -sigfile sig -inkey key.pem Sign data using a message digest value (this is currently only valid for RSA): - openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256 + gmssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256 Derive a shared secret value: - openssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret + gmssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret Hexdump 48 bytes of TLS1 PRF using digest B and shared secret and seed consisting of the single byte 0xFF: - openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \ + gmssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \ -pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump =head1 SEE ALSO @@ -284,7 +284,7 @@ L, L Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/rand.pod b/doc/apps/rand.pod index 0faf6872..ba451873 100644 --- a/doc/apps/rand.pod +++ b/doc/apps/rand.pod @@ -6,7 +6,7 @@ rand - generate pseudo-random bytes =head1 SYNOPSIS -B +B [B<-help>] [B<-out> I] [B<-rand> I] 
@@ -17,7 +17,7 @@ I =head1 DESCRIPTION The B command outputs I pseudo-random bytes after seeding -the random number generator once. As in other B command +the random number generator once. As in other B command line tools, PRNG seeding uses the file I<$HOME/>B<.rnd> or B<.rnd> in addition to the files given in the B<-rand> option. A new I<$HOME>/B<.rnd> or B<.rnd> file will be written back if enough @@ -61,7 +61,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/rehash.pod b/doc/apps/rehash.pod index 936fda61..ec5c0b8c 100644 --- a/doc/apps/rehash.pod +++ b/doc/apps/rehash.pod @@ -1,7 +1,7 @@ =pod =for comment -Original text by James Westby, contributed under the OpenSSL license. +Original text by James Westby, contributed under the GmSSL license. =head1 NAME @@ -9,7 +9,7 @@ c_rehash, rehash - Create symbolic links to files named by the hash values =head1 SYNOPSIS -B +B B B<[-h]> B<[-help]> @@ -23,7 +23,7 @@ I =head1 DESCRIPTION -On some platforms, the OpenSSL B command is available as +On some platforms, the GmSSL B command is available as an external script called B. They are functionally equivalent, except for minor differences noted below. @@ -32,7 +32,7 @@ C<.pem>, C<.crt>, C<.cer>, or C<.crl> file in the specified directory list and creates symbolic links for each file, where the name of the link is the hash value. (If the platform does not support symbolic links, a copy is made.) -This utility is useful as many programs that use OpenSSL require +This utility is useful as many programs that use GmSSL require directories to be set up like this in order to find certificates. If any directories are named on the command line, then those are 
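Review bot: The "=for comment" hunk in doc/apps/rehash.pod (@@ -1,7) rewrites "Original text by James Westby, contributed under the OpenSSL license" to "... under the GmSSL license". This comment records the terms under which a named contributor licensed his text; the fork cannot retroactively change the terms of that contribution, so the edited comment misattributes it. Revert this hunk: the rename belongs only to command names and product references in the body of the page.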
@@ -66,7 +66,7 @@ more than one such object appears in the file. =head2 Script Configuration The B script -uses the B program to compute the hashes and +uses the B program to compute the hashes and fingerprints. If not found in the user's B, then set the B environment variable to the full pathname. Any program can be used, it will be invoked as follows for either @@ -123,7 +123,7 @@ Ignored if directories are listed on the command line. =head1 SEE ALSO -L, +L, L. L. @@ -131,7 +131,7 @@ L. Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/req.pod b/doc/apps/req.pod index 8362f53d..b834560c 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -6,7 +6,7 @@ req - PKCS#10 certificate request and certificate generating utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] @@ -81,7 +81,7 @@ options (B<-new> and B<-newkey>) are not specified. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -91,7 +91,7 @@ default. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-text> @@ -194,7 +194,7 @@ will not be encrypted. =item B<-[digest]> this specifies the message digest to sign the request. -Any digest supported by the OpenSSL B command can be used. +Any digest supported by the GmSSL B command can be used. This overrides the digest algorithm specified in the configuration file. 
@@ -220,7 +220,7 @@ characters may be escaped by \ (backslash), no spaces are skipped. this option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example: -I +I If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. @@ -365,7 +365,7 @@ option. For compatibility B is an equivalent option. =item B This option specifies the digest algorithm to use. -Any digest supported by the OpenSSL B command can be used. +Any digest supported by the GmSSL B command can be used. If not present then MD5 is used. This option can be overridden on the command line. @@ -415,7 +415,7 @@ configuration file, must be valid UTF8 strings. this specifies the section containing any request attributes: its format is the same as B. Typically these may contain the challengePassword or unstructuredName types. They are currently ignored -by OpenSSL's request signing utilities but some CAs might want them. +by GmSSL's request signing utilities but some CAs might want them. =item B @@ -467,7 +467,7 @@ they will be ignored. So for example a second organizationName can be input by calling it "1.organizationName". The actual permitted field names are any object identifier short or -long names. These are compiled into OpenSSL and include the usual +long names. These are compiled into GmSSL and include the usual values such as commonName, countryName, localityName, organizationName, organizationalUnitName, stateOrProvinceName. Additionally emailAddress is include as well as name, surname, givenName initials and dnQualifier. 
@@ -481,20 +481,20 @@ will be treated as though they were a DirectoryString. Examine and verify certificate request: - openssl req -in req.pem -text -verify -noout + gmssl req -in req.pem -text -verify -noout Create a private key and then generate a certificate request from it: - openssl genrsa -out key.pem 2048 - openssl req -new -key key.pem -out req.pem + gmssl genrsa -out key.pem 2048 + gmssl req -new -key key.pem -out req.pem The same but just using req: - openssl req -newkey rsa:2048 -keyout key.pem -out req.pem + gmssl req -newkey rsa:2048 -keyout key.pem -out req.pem Generate a self signed root certificate: - openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem + gmssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem Example of a file pointed to by the B option: @@ -632,13 +632,13 @@ line switch if it is present. =head1 BUGS -OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively +GmSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour. This can cause problems if you need characters that aren't available in PrintableStrings and you don't want to or can't use BMPStrings. As a consequence of the T61String handling the only correct way to represent -accented characters in OpenSSL is to use a BMPString: unfortunately Netscape +accented characters in GmSSL is to use a BMPString: unfortunately Netscape currently chokes on these. If you have to use accented characters with Netscape and MSIE then you currently need to use the invalid T61String form. @@ -657,7 +657,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. 
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod index 8e9943fe..4b4e37e4 100644 --- a/doc/apps/rsa.pod +++ b/doc/apps/rsa.pod @@ -6,7 +6,7 @@ rsa - RSA key processing tool =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|NET|DER>] [B<-outform PEM|NET|DER>] @@ -72,7 +72,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -84,7 +84,7 @@ filename. =item B<-passout password> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> @@ -169,27 +169,27 @@ to the B utility with the B<-inform NET> option. To remove the pass phrase on an RSA private key: - openssl rsa -in key.pem -out keyout.pem + gmssl rsa -in key.pem -out keyout.pem To encrypt a private key using triple DES: - openssl rsa -in key.pem -des3 -out keyout.pem + gmssl rsa -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: - openssl rsa -in key.pem -outform DER -out keyout.der + gmssl rsa -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: - openssl rsa -in key.pem -text -noout + gmssl rsa -in key.pem -text -noout To just output the public part of a private key: - openssl rsa -in key.pem -pubout -out pubkey.pem + gmssl rsa -in key.pem -pubout -out pubkey.pem Output the public part of a private key in B format: - openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem + gmssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem =head1 BUGS 
@@ -208,7 +208,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod index 038f00be..ff00be6e 100644 --- a/doc/apps/rsautl.pod +++ b/doc/apps/rsautl.pod @@ -6,7 +6,7 @@ rsautl - RSA utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-in file>] [B<-out file>] @@ -107,15 +107,15 @@ used to sign or verify small pieces of data. Sign some data using a private key: - openssl rsautl -sign -in file -inkey key.pem -out sig + gmssl rsautl -sign -in file -inkey key.pem -out sig Recover the signed data - openssl rsautl -verify -in sig -inkey key.pem + gmssl rsautl -verify -in sig -inkey key.pem Examine the raw signed data: - openssl rsautl -verify -in file -inkey key.pem -raw -hexdump + gmssl rsautl -verify -in file -inkey key.pem -raw -hexdump 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ @@ -134,7 +134,7 @@ It is possible to analyse the signature of certificates using this utility in conjunction with B. Consider the self signed example in certs/pca-cert.pem . Running B as follows yields: - openssl asn1parse -in pca-cert.pem + gmssl asn1parse -in pca-cert.pem 0:d=0 hl=4 l= 742 cons: SEQUENCE 4:d=1 hl=4 l= 591 cons: SEQUENCE 
@@ -158,15 +158,15 @@ example in certs/pca-cert.pem . Running B as follows yields: The final BIT STRING contains the actual signature. It can be extracted with: - openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614 + gmssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614 The certificate public key can be extracted with: - openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem + gmssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem The signature can be analysed with: - openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin + gmssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin 0:d=0 hl=2 l= 32 cons: SEQUENCE 2:d=1 hl=2 l= 12 cons: SEQUENCE @@ -179,11 +179,11 @@ This is the parsed version of an ASN1 DigestInfo structure. It can be seen that the digest used was md5. The actual part of the certificate that was signed can be extracted with: - openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4 + gmssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4 and its digest computed with: - openssl md5 -c tbs + gmssl md5 -c tbs MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5 which it can be seen agrees with the recovered value above. @@ -196,7 +196,7 @@ L, L, L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index b617c415..173b26ca 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -6,7 +6,7 @@ s_client - SSL/TLS client program =head1 SYNOPSIS -B B +B B [B<-help>] [B<-connect host:port>] [B<-proxy host:port>] 
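Review bot: In doc/apps/rsautl.pod @@ -158,15 the worked example extracts the signature from pca-cert.pem (the preceding hunk introduces "the self signed example in certs/pca-cert.pem" and runs asn1parse on it) but then reads the public key from a different file: "gmssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem". Verifying a signature recovered from one certificate with the key of another will fail unless the two happen to be the same certificate, so the walkthrough cannot be reproduced as written. Since the line is being edited anyway, make it "gmssl x509 -in pca-cert.pem -pubkey -noout >pubkey.pem" so the whole sequence operates on a single certificate.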
@@ -172,7 +172,7 @@ The private format to use: DER or PEM. PEM is the default. =item B<-pass arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-verify depth> @@ -231,7 +231,7 @@ fields that specify the usage, selector, matching type and associated data, with the last of these encoded in hexadecimal. Optional whitespace is ignored in the associated data field. For example: - $ openssl s_client -brief -starttls smtp \ + $ gmssl s_client -brief -starttls smtp \ -connect smtp.example.com:25 \ -dane_tlsa_domain smtp.example.com \ -dane_tlsa_rrdata "2 1 1 @@ -308,7 +308,7 @@ show all protocol messages with hex dump. =item B<-trace> -show verbose trace output of protocol messages. OpenSSL needs to be compiled +show verbose trace output of protocol messages. GmSSL needs to be compiled with B for this option to work. =item B<-msgfile> @@ -410,15 +410,15 @@ option enables various workarounds. =item B<-comp> Enables support for SSL/TLS compression. -This option was introduced in OpenSSL 1.1.0. +This option was introduced in GmSSL 1.1.0. TLS compression is not recommended and is off by default as of -OpenSSL 1.1.0. +GmSSL 1.1.0. =item B<-no_comp> Disables support for SSL/TLS compression. TLS compression is not recommended and is off by default as of -OpenSSL 1.1.0. +GmSSL 1.1.0. =item B<-brief> @@ -536,7 +536,7 @@ connection will be closed down. B can be used to debug SSL servers. To connect to an SSL HTTP server the command: - openssl s_client -connect servername:443 + gmssl s_client -connect servername:443 would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as "GET /" to retrieve a web page. 
@@ -545,7 +545,7 @@ If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the B<-bugs>, B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried in case it is a buggy server. In particular you should play with these -options B submitting a bug report to an OpenSSL mailing list. +options B submitting a bug report to an GmSSL mailing list. A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty @@ -589,13 +589,13 @@ L, L, L =head1 HISTORY -The -no_alt_chains options was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to GmSSL 1.1.0. =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 94065ba7..880c24e5 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -6,7 +6,7 @@ s_server - SSL/TLS server program =head1 SYNOPSIS -B B +B B [B<-help>] [B<-port port>] [B<-accept val>] @@ -186,7 +186,7 @@ The private format to use: DER or PEM. PEM is the default. =item B<-pass arg> The private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-dcert filename>, B<-dkey keyname> @@ -291,7 +291,7 @@ Show all protocol messages with hex dump. =item B<-trace> -Show verbose trace output of protocol messages. OpenSSL needs to be compiled +Show verbose trace output of protocol messages. GmSSL needs to be compiled with B for this option to work. =item B<-msgfile> 
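Review bot: In doc/apps/s_client.pod @@ -545,7 the mechanical substitution leaves a grammar error: "submitting a bug report to an GmSSL mailing list" should read "a GmSSL mailing list". The same sentence appears in doc/apps/s_time.pod @@ -152,7. Beyond the article, check that the destination is right: this sentence tells users where to report handshake failures, and it should name the fork's actual bug-report channel (mailing list or issue tracker) rather than inherit wording that assumed the OpenSSL lists exist for GmSSL.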
@@ -387,15 +387,15 @@ option enables various workarounds. =item B<-comp> Enable negotiation of TLS compression. -This option was introduced in OpenSSL 1.1.0. +This option was introduced in GmSSL 1.1.0. TLS compression is not recommended and is off by default as of -OpenSSL 1.1.0. +GmSSL 1.1.0. =item B<-no_comp> Disable negotiation of TLS compression. TLS compression is not recommended and is off by default as of -OpenSSL 1.1.0. +GmSSL 1.1.0. =item B<-brief> @@ -558,13 +558,13 @@ print out some session cache status information. B can be used to debug SSL clients. To accept connections from a web browser the command: - openssl s_server -accept 443 -www + gmssl s_server -accept 443 -www can be used for example. Most web browsers (in particular Netscape and MSIE) only support RSA cipher suites, so they cannot connect to servers which don't use a certificate -carrying an RSA key or a version of OpenSSL with RSA disabled. +carrying an RSA key or a version of GmSSL with RSA disabled. Although specifying an empty list of CAs when requesting a client certificate is strictly speaking a protocol violation, some SSL clients interpret this to @@ -580,7 +580,7 @@ read and not a model of how things should be done. A typical SSL server program would be much simpler. The output of common ciphers is wrong: it just gives the list of ciphers that -OpenSSL recognizes and the client supports. +GmSSL recognizes and the client supports. There should be a way for the B program to print out details of any unknown cipher suites a client says it supports. 
@@ -592,13 +592,13 @@ L, L, L =head1 HISTORY -The -no_alt_chains options was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to GmSSL 1.1.0. =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod index acadd300..4b799c51 100644 --- a/doc/apps/s_time.pod +++ b/doc/apps/s_time.pod @@ -6,7 +6,7 @@ s_time - SSL/TLS performance timing program =head1 SYNOPSIS -B B +B B [B<-help>] [B<-connect host:port>] [B<-www page>] @@ -142,7 +142,7 @@ and the link speed determine how many connections B can establish. B can be used to measure the performance of an SSL connection. To connect to an SSL HTTP server and get the default page the command - openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] + gmssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] would typically be used (https uses port 443). 'commoncipher' is a cipher to which both client and server can agree, see the L command @@ -152,7 +152,7 @@ If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the B<-bugs> and B<-ssl3> options can be tried in case it is a buggy server. In particular you should play with these -options B submitting a bug report to an OpenSSL mailing list. +options B submitting a bug report to an GmSSL mailing list. A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty 
@@ -186,7 +186,7 @@ L, L, L Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod index 19ac9a75..f5ad8e89 100644 --- a/doc/apps/sess_id.pod +++ b/doc/apps/sess_id.pod @@ -6,7 +6,7 @@ sess_id - SSL/TLS session handling utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER|NSS>] @@ -155,7 +155,7 @@ L, L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 7980e35e..d096145e 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -6,7 +6,7 @@ smime - S/MIME utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-encrypt>] [B<-decrypt>] @@ -206,7 +206,7 @@ the encryption algorithm to use. For example DES (56 bits) - B<-des>, triple DES (168 bits) - B<-des3>, EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes-128-cbc>. See L|enc(1)> for list of ciphers -supported by your version of OpenSSL. +supported by your version of GmSSL. If not specified triple DES is used. Only used with B<-encrypt>. @@ -291,7 +291,7 @@ multiple times to specify successive keys. =item B<-passin arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-rand file(s)> 
@@ -400,46 +400,46 @@ the signers certificates. Create a cleartext signed message: - openssl smime -sign -in message.txt -text -out mail.msg \ + gmssl smime -sign -in message.txt -text -out mail.msg \ -signer mycert.pem Create an opaque signed message: - openssl smime -sign -in message.txt -text -out mail.msg -nodetach \ + gmssl smime -sign -in message.txt -text -out mail.msg -nodetach \ -signer mycert.pem Create a signed message, include some additional certificates and read the private key from another file: - openssl smime -sign -in in.txt -text -out mail.msg \ + gmssl smime -sign -in in.txt -text -out mail.msg \ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem Create a signed message with two signers: - openssl smime -sign -in message.txt -text -out mail.msg \ + gmssl smime -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -signer othercert.pem Send a signed message under Unix directly to sendmail, including headers: - openssl smime -sign -in in.txt -text -signer mycert.pem \ - -from steve@openssl.org -to someone@somewhere \ + gmssl smime -sign -in in.txt -text -signer mycert.pem \ + -from steve@gmssl.org -to someone@somewhere \ -subject "Signed message" | sendmail someone@somewhere Verify a message and extract the signer's certificate if successful: - openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt + gmssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt Send encrypted mail using triple DES: - openssl smime -encrypt -in in.txt -from steve@openssl.org \ + gmssl smime -encrypt -in in.txt -from steve@gmssl.org \ -to someone@somewhere -subject "Encrypted message" \ -des3 user.pem -out mail.msg Sign and encrypt mail: - openssl smime -sign -in ml.txt -signer my.pem -text \ - | openssl smime -encrypt -out mail.msg \ - -from steve@openssl.org -to someone@somewhere \ + gmssl smime -sign -in ml.txt -signer my.pem -text \ + | gmssl smime -encrypt -out mail.msg \ + -from steve@gmssl.org -to someone@somewhere \ 
-subject "Signed and Encrypted message" -des3 user.pem Note: the encryption command does not include the B<-text> option because the @@ -447,7 +447,7 @@ message being encrypted already has MIME headers. Decrypt mail: - openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem + gmssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the @@ -459,19 +459,19 @@ it with: and using the command: - openssl smime -verify -inform PEM -in signature.pem -content content.txt + gmssl smime -verify -inform PEM -in signature.pem -content content.txt Alternatively you can base64 decode the signature and use: - openssl smime -verify -inform DER -in signature.der -content content.txt + gmssl smime -verify -inform DER -in signature.der -content content.txt Create an encrypted message using 128 bit Camellia: - openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem + gmssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem Add a signer to an existing message: - openssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg + gmssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg =head1 BUGS @@ -499,15 +499,15 @@ structures may cause parsing errors. =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first -added in OpenSSL 1.0.0 +added in GmSSL 1.0.0 -The -no_alt_chains options was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to GmSSL 1.1.0. =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. 
diff --git a/doc/apps/speed.pod b/doc/apps/speed.pod index ad81bfbc..466af692 100644 --- a/doc/apps/speed.pod +++ b/doc/apps/speed.pod @@ -6,7 +6,7 @@ speed - test library performance =head1 SYNOPSIS -B +B [B<-help>] [B<-engine id>] [B<-elapsed>] @@ -59,7 +59,7 @@ the above are tested. Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod index 8955bc44..cb1c8208 100644 --- a/doc/apps/spkac.pod +++ b/doc/apps/spkac.pod @@ -6,7 +6,7 @@ spkac - SPKAC printing and generating utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-in filename>] [B<-out filename>] @@ -53,7 +53,7 @@ present. =item B<-passin password> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-challenge string> @@ -97,15 +97,15 @@ for all available algorithms. Print out the contents of an SPKAC: - openssl spkac -in spkac.cnf + gmssl spkac -in spkac.cnf Verify the signature of an SPKAC: - openssl spkac -in spkac.cnf -noout -verify + gmssl spkac -in spkac.cnf -noout -verify Create an SPKAC using the challenge string "hello": - openssl spkac -key key.pem -challenge hello -out spkac.cnf + gmssl spkac -key key.pem -challenge hello -out spkac.cnf Example of an SPKAC, (long lines split up for clarity): @@ -139,7 +139,7 @@ L Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. 
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod index 02b2adaa..e535120e 100644 --- a/doc/apps/ts.pod +++ b/doc/apps/ts.pod @@ -6,7 +6,7 @@ ts - Time Stamping Authority tool (client/server) =head1 SYNOPSIS -B B +B B B<-query> [B<-rand> file:file...] [B<-config> configfile] @@ -20,7 +20,7 @@ B<-query> [B<-out> request.tsq] [B<-text>] -B B +B B B<-reply> [B<-config> configfile] [B<-section> tsa_section] @@ -38,7 +38,7 @@ B<-reply> [B<-text>] [B<-engine> id] -B B +B B B<-verify> [B<-data> file_to_hash] [B<-digest> digest_bytes] @@ -160,7 +160,7 @@ in use. (Optional) =item B<-[digest]> The message digest to apply to the data file. -Any digest supported by the OpenSSL B command can be used. +Any digest supported by the GmSSL B command can be used. The default is SHA-1. (Optional) =item B<-tspolicy> object_id @@ -233,7 +233,7 @@ The name of the file containing a DER encoded time stamp request. (Optional) =item B<-passin> password_src Specifies the password source for the private key of the TSA. See -B in L. (Optional) +B in L. (Optional) =item B<-signer> tsa_cert.pem @@ -425,9 +425,9 @@ generation a new file is created with serial number 1. (Mandatory) =item B -Specifies the OpenSSL engine that will be set as the default for +Specifies the GmSSL engine that will be set as the default for all available algorithms. The default value is builtin, you can specify -any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM). +any other engines supported by GmSSL (e.g. use chil for the NCipher HSM). (Optional) =item B 
@@ -514,32 +514,32 @@ overridden by the B<-config> command line option. All the examples below presume that B is set to a proper configuration file, e.g. the example configuration file -openssl/apps/openssl.cnf will do. +gmssl/apps/openssl.cnf will do. =head2 Time Stamp Request To create a time stamp request for design1.txt with SHA-1 without nonce and policy and no certificate is required in the response: - openssl ts -query -data design1.txt -no_nonce \ + gmssl ts -query -data design1.txt -no_nonce \ -out design1.tsq To create a similar time stamp request with specifying the message imprint explicitly: - openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ + gmssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ -no_nonce -out design1.tsq To print the content of the previous request in human readable format: - openssl ts -query -in design1.tsq -text + gmssl ts -query -in design1.tsq -text To create a time stamp request which includes the MD-5 digest of design2.txt, requests the signer certificate and nonce, specifies a policy id (assuming the tsa_policy1 name is defined in the OID section of the config file): - openssl ts -query -data design2.txt -md5 \ + gmssl ts -query -data design2.txt -md5 \ -tspolicy tsa_policy1 -cert -out design2.tsq =head2 Time Stamp Response 
@@ -556,52 +556,52 @@ tsakey.pem is the private key of the TSA. To create a time stamp response for a request: - openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \ + gmssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \ -signer tsacert.pem -out design1.tsr If you want to use the settings in the config file you could just write: - openssl ts -reply -queryfile design1.tsq -out design1.tsr + gmssl ts -reply -queryfile design1.tsq -out design1.tsr To print a time stamp reply to stdout in human readable format: - openssl ts -reply -in design1.tsr -text + gmssl ts -reply -in design1.tsr -text To create a time stamp token instead of time stamp response: - openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out + gmssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out To print a time stamp token to stdout in human readable format: - openssl ts -reply -in design1_token.der -token_in -text -token_out + gmssl ts -reply -in design1_token.der -token_in -text -token_out To extract the time stamp token from a response: - openssl ts -reply -in design1.tsr -out design1_token.der -token_out + gmssl ts -reply -in design1.tsr -out design1_token.der -token_out To add 'granted' status info to a time stamp token thereby creating a valid response: - openssl ts -reply -in design1_token.der -token_in -out design1.tsr + gmssl ts -reply -in design1_token.der -token_in -out design1.tsr =head2 Time Stamp Verification To verify a time stamp reply against a request: - openssl ts -verify -queryfile design1.tsq -in design1.tsr \ + gmssl ts -verify -queryfile design1.tsq -in design1.tsr \ -CAfile cacert.pem -untrusted tsacert.pem To verify a time stamp reply that includes the certificate chain: - openssl ts -verify -queryfile design2.tsq -in design2.tsr \ + gmssl ts -verify -queryfile design2.tsq -in design2.tsr \ -CAfile cacert.pem To verify a time stamp token against the original data file: - openssl ts -verify -data design2.txt -in design2.tsr \ 
+ gmssl ts -verify -data design2.txt -in design2.tsr \ -CAfile cacert.pem To verify a time stamp token against a message imprint: - openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ + gmssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ -in design2.tsr -CAfile cacert.pem You could also look at the 'test' directory for more examples. @@ -621,7 +621,7 @@ L. Pure TCP/IP protocol is not supported. =item * The file containing the last serial number of the TSA is not locked when being read or written. This is a problem if more than one -instance of L is trying to create a time stamp +instance of L is trying to create a time stamp response at the same time. This is not an issue when using the apache server module, it does proper locking. @@ -636,7 +636,7 @@ test/testtsa). =head1 SEE ALSO -L, L, L, +L, L, L, L, L, L, L @@ -644,7 +644,7 @@ L Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod index cf7817a0..ad7e4479 100644 --- a/doc/apps/tsget.pod +++ b/doc/apps/tsget.pod @@ -26,7 +26,7 @@ B<-h> server_url The B command can be used for sending a time stamp request, as specified in B, to a time stamp server over HTTP or HTTPS and storing the time stamp response in a file. This tool cannot be used for creating the -requests and verifying responses, you can use the OpenSSL B command to +requests and verifying responses, you can use the GmSSL B command to do that. B can send several requests to the server without closing the TCP connection if more than one requests are specified on the command line. 
@@ -108,7 +108,7 @@ Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional) (HTTPS) The path containing the trusted CA certificates to verify the peer's certificate. The directory must be prepared with the B -OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of +GmSSL utility. Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional) =item B<-rand> file:file... @@ -156,7 +156,7 @@ progress, output is written to file1.reply and file2.reply respectively: Create a time stamp request, write it to file3.tsq, send it to the server and write the response to file3.tsr: - openssl ts -query -data file3.txt -cert | tee file3.tsq \ + gmssl ts -query -data file3.txt -cert | tee file3.tsq \ | tsget -h http://tsa.opentsa.org:8080/tsa \ -o file3.tsr @@ -184,14 +184,14 @@ example: =head1 SEE ALSO -L, L, L, +L, L, L, B =head1 COPYRIGHT Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 8ba5ff67..53496d38 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -6,7 +6,7 @@ verify - Utility to verify certificates =head1 SYNOPSIS -B B +B B [B<-help>] [B<-CAfile file>] [B<-CApath directory>] @@ -140,7 +140,7 @@ signing keys. =item B<-ignore_critical> Normally if an unhandled critical extension is present which is not -supported by OpenSSL the certificate is rejected (as required by RFC5280). +supported by GmSSL the certificate is rejected (as required by RFC5280). If this option is set critical extensions are ignored. =item B<-inhibit_any> 
@@ -199,15 +199,15 @@ When constructing the certificate chain, use the trusted certificates specified via B<-CAfile>, B<-CApath> or B<-trusted> before any certificates specified via B<-untrusted>. This can be useful in environments with Bridge or Cross-Certified CAs. -As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. +As of GmSSL 1.1.0 this option is on by default and cannot be disabled. =item B<-no_alt_chains> By default, unless B<-trusted_first> is specified, when building a certificate -chain, if the first certificate chain found is not trusted, then OpenSSL will +chain, if the first certificate chain found is not trusted, then GmSSL will attempt to replace untrusted issuer certificates with certificates from the trust store to see if an alternative chain can be found that is trusted. -As of OpenSSL 1.1.0, with B<-trusted_first> always on, this option has no +As of GmSSL 1.1.0, with B<-trusted_first> always on, this option has no effect. =item B<-untrusted file> @@ -292,7 +292,7 @@ Supported policy names include: B, B, B, B, B. These mimics the combinations of purpose and trust settings used in SSL, CMS and S/MIME. -As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not +As of GmSSL 1.1.0, the trust model is inferred from the purpose when not specified, so the B<-verify_name> options are functionally equivalent to the corresponding B<-purpose> settings. @@ -367,7 +367,7 @@ the B section of the B utility. The third operation is to check the trust settings on the root CA. The root CA should be trusted for the supplied purpose. -For compatibility with previous versions of OpenSSL, a certificate with no +For compatibility with previous versions of GmSSL, a certificate with no trust settings is considered to be valid for all purposes. The final operation is to check the validity of the certificate chain. The validity 
@@ -527,22 +527,22 @@ The root CA is marked to reject the specified purpose. =item B -not used as of OpenSSL 1.1.0 as a result of the deprecation of the +not used as of GmSSL 1.1.0 as a result of the deprecation of the B<-issuer_checks> option. =item B -Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +Not used as of GmSSL 1.1.0 as a result of the deprecation of the B<-issuer_checks> option. =item B -Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +Not used as of GmSSL 1.1.0 as a result of the deprecation of the B<-issuer_checks> option. =item B -Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +Not used as of GmSSL 1.1.0 as a result of the deprecation of the B<-issuer_checks> option. =item B @@ -694,7 +694,7 @@ trusted certificates with matching subject name must either appear in a file (as B<-CAfile> option) or a directory (as specified by B<-CApath>). If they occur in both then only the certificates in the file will be recognised. -Previous versions of OpenSSL assume certificates with matching subject name are identical and +Previous versions of GmSSL assume certificates with matching subject name are identical and mishandled them. Previous versions of this documentation swapped the meaning of the @@ -707,16 +707,16 @@ L =head1 HISTORY -The B<-show_chain> option was first added to OpenSSL 1.1.0. +The B<-show_chain> option was first added to GmSSL 1.1.0. -The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and +The B<-issuer_checks> option is deprecated as of GmSSL 1.1.0 and is silently ignored. =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. 
diff --git a/doc/apps/version.pod b/doc/apps/version.pod index a97ed204..88eb5e6b 100644 --- a/doc/apps/version.pod +++ b/doc/apps/version.pod @@ -2,11 +2,11 @@ =head1 NAME -version - print OpenSSL version information +version - print GmSSL version information =head1 SYNOPSIS -B +B [B<-help>] [B<-a>] [B<-v>] @@ -19,7 +19,7 @@ B =head1 DESCRIPTION -This command is used to print out version information about OpenSSL. +This command is used to print out version information about GmSSL. =head1 OPTIONS @@ -35,11 +35,11 @@ all information, this is the same as setting all the other flags. =item B<-v> -the current OpenSSL version. +the current GmSSL version. =item B<-b> -the date the current version of OpenSSL was built. +the date the current version of GmSSL was built. =item B<-o> @@ -65,14 +65,14 @@ ENGINESDIR setting. =head1 NOTES -The output of B would typically be used when sending +The output of B would typically be used when sending in a bug report. =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index cddfc8ce..b0263d58 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -6,7 +6,7 @@ x509 - Certificate display and signing utility =head1 SYNOPSIS -B B +B B [B<-help>] [B<-inform DER|PEM|NET>] [B<-outform DER|PEM|NET>] 
@@ -110,7 +110,7 @@ default. the digest to use. This affects any signing or display option that uses a message digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. -Any digest supported by the OpenSSL B command can be used. +Any digest supported by the GmSSL B command can be used. If not specified then SHA1 is used with B<-fingerprint> or the default digest for the signing algorithm is used, typically SHA256. @@ -162,7 +162,7 @@ outputs the certificate serial number. =item B<-subject_hash> -outputs the "hash" of the certificate subject name. This is used in OpenSSL to +outputs the "hash" of the certificate subject name. This is used in GmSSL to form an index to allow certificates in a directory to be looked up by subject name. @@ -181,12 +181,12 @@ synonym for "-subject_hash" for backward compatibility reasons. =item B<-subject_hash_old> outputs the "hash" of the certificate subject name using the older algorithm -as used by OpenSSL versions before 1.0.0. +as used by GmSSL versions before 1.0.0. =item B<-issuer_hash_old> outputs the "hash" of the certificate issuer name using the older algorithm -as used by OpenSSL versions before 1.0.0. +as used by GmSSL versions before 1.0.0. =item B<-subject> @@ -257,7 +257,7 @@ may be trusted for SSL client but not SSL server use. See the description of the B utility for more information on the meaning of trust settings. -Future versions of OpenSSL will recognize trust settings on any +Future versions of GmSSL will recognize trust settings on any certificate: not just root CAs. 
@@ -294,9 +294,9 @@ adds a trusted certificate use. Any object name can be used here but currently only B (SSL client use), B (SSL server use), B (S/MIME email) and B are used. -As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or +As of GmSSL 1.1.0, the last of these blocks all purposes when rejected or enables all purposes when trusted. -Other OpenSSL applications may define additional uses. +Other GmSSL applications may define additional uses. =item B<-addreject arg> @@ -338,7 +338,7 @@ the request. =item B<-passin arg> the key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-clrext> @@ -442,7 +442,7 @@ The format or B can be specified using the B<-keyform> option. The B command line switch determines how the subject and issuer names are displayed. If no B switch is present the default "oneline" -format is used which is compatible with previous versions of OpenSSL. +format is used which is compatible with previous versions of GmSSL. Each option is described in detail below, all options can be preceded by a B<-> to turn the option off. Only the first four will normally be used. @@ -541,7 +541,7 @@ DER encoding of the structure to be unambiguously determined. =item B -dump any field whose OID is not recognised by OpenSSL. +dump any field whose OID is not recognised by GmSSL. =item B, B, B, B 
@@ -667,58 +667,58 @@ line. Display the contents of a certificate: - openssl x509 -in cert.pem -noout -text + gmssl x509 -in cert.pem -noout -text Display the certificate serial number: - openssl x509 -in cert.pem -noout -serial + gmssl x509 -in cert.pem -noout -serial Display the certificate subject name: - openssl x509 -in cert.pem -noout -subject + gmssl x509 -in cert.pem -noout -subject Display the certificate subject name in RFC2253 form: - openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 + gmssl x509 -in cert.pem -noout -subject -nameopt RFC2253 Display the certificate subject name in oneline form on a terminal supporting UTF8: - openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb + gmssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb Display the certificate MD5 fingerprint: - openssl x509 -in cert.pem -noout -fingerprint + gmssl x509 -in cert.pem -noout -fingerprint Display the certificate SHA1 fingerprint: - openssl x509 -sha1 -in cert.pem -noout -fingerprint + gmssl x509 -sha1 -in cert.pem -noout -fingerprint Convert a certificate from PEM to DER format: - openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER + gmssl x509 -in cert.pem -inform PEM -out cert.der -outform DER Convert a certificate to a certificate request: - openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem + gmssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem Convert a certificate request into a self signed certificate using extensions for a CA: - openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ + gmssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ -signkey key.pem -out cacert.pem Sign a certificate request using the CA certificate above and add user certificate extensions: - openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ + gmssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ -CA cacert.pem -CAkey key.pem -CAcreateserial Set a 
certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA" - openssl x509 -in cert.pem -addtrust clientAuth \ + gmssl x509 -in cert.pem -addtrust clientAuth \ -setalias "Steve's Class 1 CA" -out trust.pem =head1 NOTES @@ -888,8 +888,8 @@ L =head1 HISTORY The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options -before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding -of the distinguished name. In OpenSSL 1.0.0 and later it is based on a +before GmSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding +of the distinguished name. In GmSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using B or similar. @@ -897,7 +897,7 @@ the old form must have their links rebuilt using B or similar. Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod index edfd76e1..03e06500 100644 --- a/doc/apps/x509v3_config.pod +++ b/doc/apps/x509v3_config.pod @@ -1,6 +1,6 @@ =pod -=for comment openssl_manual_section:5 +=for comment gmssl_manual_section:5 =head1 NAME @@ -8,7 +8,7 @@ x509v3_config - X509 V3 certificate extension configuration format =head1 DESCRIPTION -Several of the OpenSSL utilities can add extensions to a certificate or +Several of the GmSSL utilities can add extensions to a certificate or certificate request based on the contents of a configuration file. Typically the application will contain an option to point to an extension 
@@ -447,7 +447,7 @@ B, B, B, B, B. =head1 ARBITRARY EXTENSIONS -If an extension is not supported by the OpenSSL code then it must be encoded +If an extension is not supported by the GmSSL code then it must be encoded using the arbitrary extension format. It is also possible to use the arbitrary format for supported extensions. Extreme care should be taken to ensure that the data is formatted correctly for the given extension type. @@ -507,7 +507,7 @@ will produce an error but the equivalent form: is valid. -Due to the behaviour of the OpenSSL B library the same field name +Due to the behaviour of the GmSSL B library the same field name can only occur once in a section. This means that: subjectAltName=@alt_section @@ -533,7 +533,7 @@ L Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L.
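Review bot: The COPYRIGHT hunks in every file here (s_client @@ -589, s_server @@ -592, s_time @@ -186, sess_id @@ -155, smime @@ -499, speed @@ -59, spkac @@ -139, ts @@ -644, tsget @@ -184, verify @@ -707, version @@ -65, x509 @@ -897, x509v3_config @@ -533) rewrite a legal notice, not a product name: "Licensed under the OpenSSL license (the "License")" names the licence text in the LICENSE file that the next two lines point to, and the unchanged line above still reads "Copyright 2000-2016 The OpenSSL Project Authors". After the change the notice claims a "GmSSL license" while the copyright holder and the referenced LICENSE file are still OpenSSL's. Revert these lines in this patch; if the fork ships its own licence, change the copyright header and the LICENSE file in a separate, deliberate commit.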
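Review bot: The version-history statements should not be renamed along with the product name. "This option was introduced in GmSSL 1.1.0" (s_client @@ -410, s_server @@ -387), "added in GmSSL 1.0.0" and "first added to GmSSL 1.1.0" (smime @@ -499, s_client @@ -589, s_server @@ -592, verify @@ -707), "As of GmSSL 1.1.0 this option is on by default" (verify @@ -199, @@ -292, @@ -527) and "as used by GmSSL versions before 1.0.0" (x509 @@ -181, @@ -888) all describe upstream OpenSSL releases; GmSSL has its own version numbering, so these sentences now attribute OpenSSL release numbers to a project that never shipped them. Keep "OpenSSL" in HISTORY sections and in every "as of <version>" sentence, or reword to reference the OpenSSL release the fork is based on.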
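Review bot: Grammar regression in s_client @@ -545 and s_time @@ -152: "submitting a bug report to an GmSSL mailing list" needs "a GmSSL mailing list" (the original article matched the vowel in "OpenSSL"). While touching these lines, confirm that a GmSSL mailing list actually exists; if bug reports go to an issue tracker instead, point the reader there rather than to a list that does not exist.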
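Review bot: The x509v3_config @@ -1 hunk changes "=for comment openssl_manual_section:5" to "gmssl_manual_section:5". That line is not user-visible prose; it is a marker the documentation build reads to decide which man section the page is installed into. Renaming the marker only works if the script that matches on "openssl_manual_section" is updated in the same patch; otherwise the page silently drops out of section 5 (or the build fails). Either leave the marker as-is or include the tooling change here so the rename stays consistent.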
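Review bot: Path inconsistency in ts @@ -514: "gmssl/apps/openssl.cnf will do" renames the directory but not the file, while the x509 examples hunk (@@ -667) keeps "-extfile openssl.cnf" unchanged. Use the name the configuration file actually has in this tree in both places, and check that the example path points at a file that exists after the rename, since readers copy these examples verbatim.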
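Review bot: smime @@ -400 changes the example sender from "steve@openssl.org" to "steve@gmssl.org" in three places. Example commands in a man page should not reference a mailbox on a real domain unless the project controls it; a reserved example domain (e.g. "steve@example.com", matching the placeholder style of "someone@somewhere" already used on the same lines) avoids shipping documentation that invites mail to a real address.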