abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-07 08:56:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'liushaotong-master'

Browse Source
This commit is contained in:
zhaoxiaomeng
2017-07-15 09:33:39 +08:00
parent 2ebf8ad9f0 d32b15a7d2
commit 6ec549e6dc
9 changed files with 741 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

174
doc/apps/ca.pod
View File

@@ -64,6 +64,9 @@ and their status.
The options descriptions will be divided into each purpose.
ca指令是CA中很小的应用。它可以用来签发各种形式的用户证书并产生CRL。它还可以用来更新证书库。
在这些指令的介绍中,将尽可能地对它们进行分类介绍。
=head1 OPTIONS
=over 4
@@ -72,70 +75,99 @@ The options descriptions will be divided into each purpose.
Print out a usage message.
显示用法信息。
=item B<-verbose>
this prints extra details about the operations being performed.
输出更详细的一些操作过程信息。
=item B<-config filename>
specifies the configuration file to use.
指定将要使用的配置文件。
=item B<-name section>
specifies the configuration file section to use (overrides
B<default_ca> in the B<ca> section).
指定将要使用的配置文件部分覆盖ca部分中的default_ca部分
=item B<-in filename>
an input filename containing a single certificate request to be
signed by the CA.
一个输入文件名包含了一个要由CA签名的单独证书请求。
=item B<-ss_cert filename>
a single self-signed certificate to be signed by the CA.
一个要由CA签名的自签名证书。
=item B<-spkac filename>
a file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
section for information on the required input and output format.
一个包含了一个单独的Netscape签名的公钥和其他附加用户信息。
关于输入输出格式的信息具体可以参考SPKAC部分。
=item B<-infiles>
if present this should be the last option, all subsequent arguments
are taken as the names of files containing certificate requests.
该选项总是作为指令的最后一个选项,其后面所有的参数都被认为是证书请求文件。
=item B<-out filename>
the output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in PEM format (except that B<-spkac> outputs DER format).
输出文件输出签发好的证书。默认值为标准输出。输出的证书都是PEM编码的除了spkac输出DER编码
=item B<-outdir directory>
the directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
".pem" appended.
将新生成的证书输出到目录。新生成证书将会序列号加“pem”后缀成为一个完整的证书文件名。
=item B<-cert>
the CA certificate file.
CA证书文件。
=item B<-keyfile filename>
the private key to sign requests with.
用于签署请求的私钥。
=item B<-keyform PEM|DER>
the format of the data in the private key file.
The default is PEM.
私钥文件中数据的格式。默认为PEM。
=item B<-key password>
the password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
用于加密私钥的密码。因为在某些系统上命令行参数是可见的例如使用“ps”实用程序的Unix应谨慎使用此指令。
=item B<-selfsign>
indicates the issued certificates are to be signed with the key
@@ -150,35 +182,54 @@ certificate appears among the entries in the certificate database
serial number counter as all other certificates sign with the
self-signed certificate.
表示发出的证书将使用证书请求签名的密钥(以-keyfile命名进行签名。
使用不同密钥签名的证书请求将被忽略。如果给出-spkac-ss_cert或-gencrl则忽略-selfsign
使用-selfsign的结果是自签名证书出现在证书数据库的条目中并使用与其他证书相同的序列号计数器。
=item B<-passin arg>
the key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
给定了读取私钥文件的时候需要提供的口令。
=item B<-notext>
don't output the text form of a certificate to the output file.
不把证书的文本形式输出到输出文件。
=item B<-startdate date>
this allows the start date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
设置证书的生效时间其参数格式是“YYMMDDHHMMSSZ”。
=item B<-enddate date>
this allows the expiry date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
设置证书的到期时间其参数格式是“YYMMDDHHMMSSZ”。
=item B<-days arg>
the number of days to certify the certificate for.
设置证书的有效天数。
=item B<-md alg>
the message digest to use.
Any digest supported by the GmSSL B<dgst> command can be used.
This option also applies to CRLs.
消息摘要使用。
可以使用GmSSL dgst命令支持的任何摘要。
该选项也适用于CRLs。
=item B<-policy arg>
this option defines the CA "policy" to use. This is a section in
@@ -186,6 +237,9 @@ the configuration file which decides which fields should be mandatory
or match the CA certificate. Check out the B<POLICY FORMAT> section
for more information.
该选项定义了CA的匹配策略。这是配置文件中的一部分它决定了哪些字段应该是必须的
或与CA证书匹配。查看policy format部分来了解更多信息。
=item B<-msie_hack>
this is a legacy option to make B<ca> work with very old versions of
@@ -194,6 +248,10 @@ for almost everything. Since the old control has various security bugs
its use is strongly discouraged. The newer control "Xenroll" does not
need this option.
这是一个遗留的项目它可以使ca可以使用非常老的ie证书注册控件centenr3.它几乎所有东西
都使用了UniversalStrings。我们非常不推荐使用旧版控件应为它有很多的安全漏洞。新的控件
Xenroll不需要这一项。
=item B<-preserveDN>
Normally the DN order of a certificate is the same as the order of the
@@ -202,6 +260,10 @@ is the same as the request. This is largely for compatibility with the
older IE enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
使指令在签发证书的时候让证书主体名称内的各项内容顺序跟证书请求中的顺序保持一致。
而在默认情况下,证书主题名称内的各个选项顺序是按照配置文件中的证书匹配策略子段的
选项顺序进行排列的。
=item B<-noemailDN>
The DN of a certificate can contain the EMAIL field if present in the
@@ -211,11 +273,17 @@ EMAIL field is removed from the certificate' subject and set only in
the, eventually present, extensions. The B<email_in_dn> keyword can be
used in the configuration file to enable this behaviour.
一个证书的主体名称可以包含E-mail项目但是将电子邮件放在主体别名中会更好一点。
当你启用这个选项后e-mail会从证书主体名称移除并最终设在主体别名中。
可以在配置文件中使用email_in_dn来启用这个行为。
=item B<-batch>
this sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
该选项设定batch模式。在这一模式中ca指令不提示用户输入任何信息而直接签发所有输入的证书请求。
=item B<-extensions section>
the section of the configuration file containing certificate extensions
@@ -226,12 +294,18 @@ is present (even if it is empty), then a V3 certificate is created. See the:w
L<x509v3_config(5)> manual page for details of the
extension section format.
配置文件部分包含了颁发证书时要添加的证书扩展名默认为x509_extensions,除非使用-extfile选项
如果没有扩展部分则创建V1证书。如果存在扩展部分即使该部分为空则创建V3证书。
有关扩展部分格式的详细信息请参阅x509v3_config5手册页。
=item B<-extfile file>
an additional configuration file to read certificate extensions from
(using the default section unless the B<-extensions> option is also
used).
一个专门用来保存X.509 v3扩展项信息的文件。
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<ca>
@@ -239,12 +313,17 @@ to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
指定一个引擎通过其唯一的id字符串会导致ca尝试获取对指定engine设备的功能引用
并进行初始化如果需要。这个engine将被设置为所有可用算法的默认。
=item B<-subj arg>
supersedes subject name given in the request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
重新填写用户的证书主体名称。subj选项的参数格式为/type0=value0/type1=value1/type2...,字符可能会被\转义,空格不被跳过。
=item B<-utf8>
this option causes field values to be interpreted as UTF8 strings, by
@@ -252,17 +331,23 @@ default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
这一选项字段值转为UTF8字符串默认情况下为ASCII。这意味着字段值无论从终端提示还是从配置文件获取都必须是有效的UTF8字符串。
=item B<-create_serial>
if reading serial from the text file as specified in the configuration
fails, specifying this option creates a new random serial to be used as next
serial number.
如果从配置中指定的文本文件读取序列失败,该选项可以创造一个新的随机序列作为下一个序列号。
=item B<-multivalue-rdn>
This option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
该选项可以解释-subj参数并完全支持多RND。
I</DC=org/DC=GmSSL/DC=users/UID=123456+CN=John Doe>
If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
@@ -277,32 +362,46 @@ If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
this option generates a CRL based on information in the index file.
该选项用于生成一个基于索引文件信息的CFL
=item B<-crldays num>
the number of days before the next CRL is due. That is the days from
now to place in the CRL nextUpdate field.
以“天”为单位设置CRL的有效期。
=item B<-crlhours num>
the number of hours before the next CRL is due.
以小时为单位设置CRL有效期。
=item B<-revoke filename>
a filename containing a certificate to revoke.
一个包含要撤销的证书的文件名
=item B<-valid filename>
a filename containing a certificate to add a Valid certificate entry.
一个包含添加有效证书条目的证书的文件名。
=item B<-status serial>
displays the revocation status of the certificate with the specified
serial number and exits.
显示具有指定序列号的证书的撤销状态并退出。
=item B<-updatedb>
Updates the database index to purge expired certificates.
更新数据库索引清除以过期的证书。
=item B<-crl_reason reason>
revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
@@ -313,6 +412,10 @@ insensitive. Setting any revocation reason will make the CRL v2.
In practice B<removeFromCRL> is not particularly useful because it is only used
in delta CRLs which are not currently implemented.
撤销原因其中的原因有未指定key妥协CA妥协联系改变supersededcessationofoperationinsensitive。设置任何撤销原因将使CRL变成v2.
实际上removeFromCRL不是特别有用因为因为它仅用于当前未实现的deltaCRL。
=item B<-crl_hold instruction>
This sets the CRL revocation reason code to B<certificateHold> and the hold
@@ -320,16 +423,23 @@ instruction to B<instruction> which must be an OID. Although any OID can be
used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
这会将CRL撤销原因代码设置为certificatehold并将指令的保持指令设置为必须是OID的指令。
虽然任何OID只能使用holdInstructionNone*RFC2459不鼓励使用它但通常会使用holdInstructionCallIssuer或holdInstruvtionReject。
=item B<-crl_compromise time>
This sets the revocation reason to B<keyCompromise> and the compromise time to
B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
将撤销原因设置为keyCompromise并将妥协时间设为time。time应为广义时间格式YYYYMMDDHHMMSSZ。
=item B<-crl_CA_compromise time>
This is the same as B<crl_compromise> except the revocation reason is set to
B<CACompromise>.
该选项与crl_compromise一样除了撤销原因是CACompromise。
=item B<-crlexts section>
the section of the configuration file containing CRL extensions to
@@ -341,6 +451,8 @@ that some software (for example Netscape) can't handle V2 CRLs. See
L<x509v3_config(5)> manual page for details of the
extension section format.
这部分包含CRL扩展的配置文件。 如果不存在CRL扩展部分则创建V1 CRL如果存在CRL扩展部分即使为空则创建V2 CRL。 指定的CRL扩展是CRL扩展而不是CRL条目扩展。 应该注意的是某些软件例如Netscape无法处理V2 CRL。 有关扩展部分格式的详细信息请参阅x509v3_config5手册页。
=back
=head1 CONFIGURATION FILE OPTIONS
@@ -365,6 +477,10 @@ option is described as mandatory then it must be present in
the configuration file or the command line equivalent (if
any) used.
包含ca选项的配置文件部分如下所示如果使用-name命令行选项则命名要使用的部分。 否则要使用的部分必须在配置文件或配置文件的默认部分的ca部分的default_ca选项中命名。 除了default_ca以下选项直接从ca部分读取RANDFILE preserve msie_hack除了RANDFILE之外这可能是一个错误可能会在将来的版本中更改。
许多配置文件选项与命令行选项相同。 在配置文件和命令行中存在选项的地方,使用命令行值。 在某个选项被描述为强制性的情况下,它必须存在于配置文件或命令行等效(如果有的话)中。
=over 4
=item B<oid_file>
@@ -374,6 +490,9 @@ Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
by white space and finally the long name.
这指定一个包含其他对象标识符的文件。 文件的每一行应由对象标识符的数字形式组成
,后跟空格,短名称后跟空格,最后是长名称。
=item B<oid_section>
This specifies a section in the configuration file containing extra
@@ -381,57 +500,80 @@ object identifiers. Each line should consist of the short name of the
object identifier followed by B<=> and the numerical form. The short
and long names are the same when this option is used.
这指定了配置文件中包含额外对象标识符的部分。 每一行都应该包含对象标识符的短名称,
后面是=和数字形式。 当使用此选项时,短名称和长名称相同。
=item B<new_certs_dir>
the same as the B<-outdir> command line option. It specifies
the directory where new certificates will be placed. Mandatory.
与-outdir命令行选项相同。 它指定将放置新证书的目录。强制性。
=item B<certificate>
the same as B<-cert>. It gives the file containing the CA
certificate. Mandatory.
与-cert命令行选项相同。它给出包含CA证书的文件。强制性。
=item B<private_key>
same as the B<-keyfile> option. The file containing the
CA private key. Mandatory.
与-keyfile选项相同。文件包含CA私钥。强制性。
=item B<RANDFILE>
a file used to read and write random number seed information, or
an EGD socket (see L<RAND_egd(3)>).
用于读取和写入随机数种子信息的文件或EGD套接字请参阅RAND_egd3
=item B<default_days>
the same as the B<-days> option. The number of days to certify
a certificate for.
和-days相同。认证证书的天数。
=item B<default_startdate>
the same as the B<-startdate> option. The start date to certify
a certificate for. If not set the current time is used.
和-startdate相同。认证证书的开始日期。 如果未设置,则使用当前时间。
=item B<default_enddate>
the same as the B<-enddate> option. Either this option or
B<default_days> (or the command line equivalents) must be
present.
和-enddate相同。该选项或default_days或命令行等效项必须存在。
=item B<default_crl_hours default_crl_days>
the same as the B<-crlhours> and the B<-crldays> options. These
will only be used if neither command line option is present. At
least one of these must be present to generate a CRL.
与-crlhours和-crldays选项一样。 只有在命令行选项不存在的情况下才会使用这些。 必须至少有一个必须存在才能生成CRL。
=item B<default_md>
the same as the B<-md> option. Mandatory.
和-md一样。强制性。
=item B<database>
the text database file to use. Mandatory. This file must be present
though initially it will be empty.
要使用的文本数据库文件。强制性。该文件必须存在但一开始它是空的。
=item B<unique_subject>
if the value B<yes> is given, the valid certificate entries in the
@@ -442,44 +584,63 @@ versions of GmSSL. However, to make CA certificate roll-over easier,
it's recommended to use the value B<no>, especially if combined with
the B<-selfsign> command line option.
如果给出值yes则数据库中的有效证书条目必须具有唯一主题。 如果给出值no几个有效的证书条目可能具有完全相同的主题。 默认值为yes与GmSSL的旧版0.9.8)版本兼容。 但是为了使CA证书转换更容易建议使用值no特别是如果与-selfsign命令行选项相结合。
=item B<serial>
a text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
一个包含了下一个要使用序列号的十六进制文本文件。强制性。
该文件必须存在并包含有效的序列号。
=item B<crlnumber>
a text file containing the next CRL number to use in hex. The crl number
will be inserted in the CRLs only if this file exists. If this file is
present, it must contain a valid CRL number.
包含用于十六进制的下一个CRL编号的文本文件。 只有当此文件存在时crl号才会插入到CRL中。 如果此文件存在它必须包含有效的CRL号码。
=item B<x509_extensions>
the same as B<-extensions>.
和-extensions一样
=item B<crl_extensions>
the same as B<-crlexts>.
和-crlexts一样
=item B<preserve>
the same as B<-preserveDN>
和-peserveDN一样
=item B<email_in_dn>
the same as B<-noemailDN>. If you want the EMAIL field to be removed
from the DN of the certificate simply set this to 'no'. If not present
the default is to allow for the EMAIL filed in the certificate's DN.
the default is to allow for the EMAIL field in the certificate's DN.
和-noemailDN一样。如果您希望将EMAIL字段从证书的DN中删除请将其设置为“否”。 如果不存在默认值是允许证书的DN中的EMAIL字段。
=item B<msie_hack>
the same as B<-msie_hack>
和-msie_hack一样
=item B<policy>
the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
for more information.
和-policy一样。强制性。更多详情请参考POLICY FORMAT部分。
=item B<name_opt>, B<cert_opt>
these options allow the format used to display the certificate details
@@ -497,6 +658,12 @@ GmSSL is used. Use of the old format is B<strongly> discouraged because
it only displays fields mentioned in the B<policy> section, mishandles
multicharacter string types and does not display extensions.
这些选项允许在询问用户确认签名时用于显示证书详细信息的格式。 x509 utilities -nameopt和-certopt开关支持的所有选项可以在这里使用除了no_signame和no_sigdump被永久设置并且不能禁用这是因为证书签名无法显示因为证书尚未在此签名 点)。
为方便起见ca_default值被两者接受以产生合理的输出。
如果两个选项不存在则使用早期版本的GmSSL中使用的格式。 强烈建议不要使用旧格式,因为它仅显示策略部分中提及的字段,处理多字符串字符串类型,并且不显示扩展名。
=item B<copy_extensions>
determines how extensions in certificate requests should be handled.
@@ -511,6 +678,11 @@ using this option.
The main use of this option is to allow a certificate request to supply
values for certain extensions such as subjectAltName.
确定如何处理证书请求中的扩展。 如果设置为none或此选项不存在则扩展名将被忽略不会复制到证书。 如果设置为复制,请求中存在的任何尚未存在的扩展名将复制到证书。 如果设置为copyall则请求中的所有扩展都将复制到证书中如果扩展名已经存在于证书中则首先将其删除。 使用此选项之前,请参阅警告部分。
此选项的主要用途是允许证书请求为某些扩展名如subjectAltName提供值。
=back
=head1 POLICY FORMAT

153
doc/apps/ciphers.pod
View File

@@ -30,6 +30,9 @@ The B<ciphers> command converts textual GmSSL cipher lists into ordered
SSL cipher preference lists. It can be used as a test tool to determine
the appropriate cipherlist.
ciphers命令将GmSSL文本密码列表转换成有序的SSL密码偏好列表。它可以用作测试工具
来决定适当的密码列表。
=head1 OPTIONS
=over 4
@@ -38,6 +41,8 @@ the appropriate cipherlist.
Print a usage message.
打印使用信息。
=item B<-s>
Only list supported ciphers: those consistent with the security level, and
@@ -55,58 +60,89 @@ depending on the configured certificates and presence of DH parameters.
If this option is not used then all ciphers that match the cipherlist will be
listed.
只列出了支持的密码:那些与安全级别一致的密码,最小和最大的协议版本。
这更接近应用程序将支持的实际密码列表。
默认情况下PSK和SRP密码未启用
它也不会更改支持的签名算法的默认列表。
在服务器上支持的密码列表也可能会根据配置的证书和DH参数的存在来排除其他密码。
如果不使用此选项,则将列出与密码列表匹配的所有密码。
=item B<-psk>
When combined with B<-s> includes cipher suites which require PSK.
当与-s组合时包含了需要PSK的密码套件。
=item B<-srp>
When combined with B<-s> includes cipher suites which require SRP.
当与-s组合时包含了需要SRP的密码套件。
=item B<-v>
Verbose output: For each ciphersuite, list details as provided by
L<SSL_CIPHER_description(3)>.
详细的列出所有加密套件。
=item B<-V>
Like B<-v>, but include the official cipher suite values in hex.
和-v相似但包含十六进制官方密码套件。
=item B<-tls1_3>
In combination with the B<-s> option, list the ciphers which would be used if
TLSv1.3 were negotiated.
结合了-s选项。列出了如果TVSv1.3达成协议要使用的密码。
=item B<-tls1_2>
In combination with the B<-s> option, list the ciphers which would be used if
TLSv1.2 were negotiated.
结合了-s选项。列出了如果TVSv1.2达成协议要使用的密码。
=item B<-ssl3>
In combination with the B<-s> option, list the ciphers which would be used if
SSLv3 were negotiated.
结合了-s选项。列出了如果SSLv3达成协议要使用的密码。
=item B<-tls1>
In combination with the B<-s> option, list the ciphers which would be used if
TLSv1 were negotiated.
结合了-s选项。列出了如果TVSv1达成协议要使用的密码。
=item B<-tls1_1>
In combination with the B<-s> option, list the ciphers which would be used if
TLSv1.1 were negotiated.
结合了-s选项。列出了如果TVSv1.1达成协议要使用的密码。
=item B<-stdname>
precede each ciphersuite by its standard name: only available is GmSSL
is built with tracing enabled (B<enable-ssl-trace> argument to Configure).
在每个密码套件之前加上其标准名称只有可用的GmSSL是使用跟踪启用enable-ssl-trace参数配置构建的。
=item B<cipherlist>
a cipher list to convert to a cipher preference list. If it is not included
then the default cipher list will be used. The format is described below.
一个用于转换为密码偏好列表的密码表。如果不包括,那么将使用默认密码列表。格式如下所述。
=back
=head1 CIPHER LIST FORMAT
@@ -152,6 +188,30 @@ cipher list in order of encryption algorithm key length.
The cipher string B<@SECLEVEL=n> can be used at any point to set the security
level to B<n>.
密码列表由一个或多个由冒号分隔的密码串组成。逗号或空格也是可接受的分隔符,但通常使用冒号。
实际的密码串可以采取几种不同的形式。
它可以由单个加密套件组成如RC4-SHA。
它可以表示包含某种算法或某种类型的密码套件的密码套件列表。例如SHA1表示使用摘要算法SHA1的所有密码套件SSLv3表示所有SSL v3算法。
密码套件列表可以使用+字符组合在单个密码字符串中。这被用作逻辑和操作。例如SHA1 + DES表示包含SHA1和DES算法的所有密码套件。
每个密码字符串都可以前面加上字符!, - 或+。
如果!然后使用密码从列表中永久删除。删除的密码永远不会重新出现在列表中,即使它们被明确声明。
如果使用,则从列表中删除密码,但是可以通过稍后的选项再次添加一些或所有密码。
如果使用+,则将密码移动到列表的末尾。此选项不会添加任何新的密码,它只是移动匹配现有的密码。
如果这些字符都不存在,则该字符串将被解释为要附加到当前偏好列表的密码列表。如果列表中包含已经存在的任何密码,那么它们将被忽略:它们不会移动到列表的末尾。
可以在任何时候使用密码字符串@STRENGTH按照加密算法密钥长度的顺序对当前密码列表进行排序。
可以在任何时候使用密码字符串@ SECLEVEL = n来将安全级别设置为n。
=head1 CIPHER STRINGS
The following is a list of all permitted cipher strings and their meanings.
@@ -165,6 +225,8 @@ This is determined at compile time and is normally
B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>.
When used, this must be the first cipherstring specified.
默认密码列表。 这是在编译时确定的通常是ALLCOMPLEMENTOFDEFAULTeNULL。 使用时,必须是指定的第一个密码。
=item B<COMPLEMENTOFDEFAULT>
The ciphers included in B<ALL>, but not enabled by default. Currently
@@ -173,32 +235,45 @@ not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
necessary). Note that RC4 based ciphersuites are not built into GmSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
密码包含在ALL中但默认情况下未启用。 目前这包括所有RC4和匿名密码。 请注意此规则不涵盖eNULL不包括在所有内容中如有必要请使用COMPLEMENTOFALL。 请注意默认情况下基于RC4的密码套件不会内置到GmSSL中请参阅配置的enable-weak-ssl-ciphers选项
=item B<ALL>
All cipher suites except the B<eNULL> ciphers (which must be explicitly enabled
if needed).
As of GmSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
除eNULL密码之外的所有密码套件必要时必须明确启用。 从GmSSL 1.0.0开始默认情况下ALL密码套件被明确地排序。
=item B<COMPLEMENTOFALL>
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
密码套件未被ALL启用目前为eNULL
=item B<HIGH>
"high" encryption cipher suites. This currently means those with key lengths
larger than 128 bits, and some cipher suites with 128-bit keys.
“高”加密密码套件。 这当前是指密钥长度大于128位的密码
以及一些128位密钥的密码套件。
=item B<MEDIUM>
"medium" encryption cipher suites, currently some of those using 128 bit
encryption.
“中”加密密码套件目前有些使用128位加密。
=item B<LOW>
"low" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites. All these
ciphersuites have been removed as of GmSSL 1.1.0.
“低”加密密码套件目前使用64或56位加密算法但不包括导出密码套件。 所有这些密码套件已经从GmSSL 1.1.0移除。
=item B<eNULL>, B<NULL>
The "NULL" ciphers that is those offering no encryption. Because these offer no
@@ -208,6 +283,8 @@ Be careful when building cipherlists out of lower-level primitives such as
B<kRSA> or B<aECDSA> as these do overlap with the B<eNULL> ciphers. When in
doubt, include B<!eNULL> in your cipherlist.
“NULL”密码是不提供加密功能的密码。 因为这些不提供任何加密并且是一个安全风险它们不能通过DEFAULT或ALL密码字符串启用。 从低级原语如kRSA或aECDSA构建密码列表时要小心因为它们与eNULL密码重叠。 如有疑问请在您的密码列表中加入eNULL。
=item B<aNULL>
The cipher suites offering no authentication. This is currently the anonymous
@@ -219,58 +296,83 @@ Be careful when building cipherlists out of lower-level primitives such as
B<kDHE> or B<AES> as these do overlap with the B<aNULL> ciphers.
When in doubt, include B<!aNULL> in your cipherlist.
密码套件不提供认证。 这是目前的匿名DH算法和匿名ECDH算法。 这些密码套件容易受到“中间人”攻击,所以不鼓励使用它们。 这些被排除在DEFAULT密码之外但被包含在ALL密码中。 在使用kDHE或AES等低级原语构建密码列表时要小心因为它们与aNULL密码重叠。 如有疑问请在您的密码列表中加入aNULL。
=item B<kRSA>, B<aRSA>, B<RSA>
Cipher suites using RSA key exchange, authentication or either respectively.
密码套件使用RSA密钥交换认证或分别。
=item B<kDHr>, B<kDHd>, B<kDH>
Cipher suites using static DH key agreement and DH certificates signed by CAs
with RSA and DSS keys or either respectively.
All these cipher suites have been removed in GmSSL 1.1.0.
使用静态DH密钥协议的密码套件和由CA与RSA和DSS密钥分别签署的DH证书。 所有这些密码套件已在GmSSL 1.1.0中删除。
=item B<kDHE>, B<kEDH>, B<DH>
Cipher suites using ephemeral DH key agreement, including anonymous cipher
suites.
密码套件使用短暂的DH密钥协议包括匿名密码套件。
=item B<DHE>, B<EDH>
Cipher suites using authenticated ephemeral DH key agreement.
密码套件使用经认证的短时DH密钥协议。
=item B<ADH>
Anonymous DH cipher suites, note that this does not include anonymous Elliptic
Curve DH (ECDH) cipher suites.
匿名DH密码套件请注意这不包括匿名椭圆曲线DHECDH密码套件。
=item B<kEECDH>, B<kECDHE>, B<ECDH>
Cipher suites using ephemeral ECDH key agreement, including anonymous
cipher suites.
密码套件使用短暂的ECDH密钥协议包括匿名密码套件。
=item B<ECDHE>, B<EECDH>
Cipher suites using authenticated ephemeral ECDH key agreement.
密码套件使用经认证的短暂ECDH密钥协议。
=item B<AECDH>
Anonymous Elliptic Curve Diffie-Hellman cipher suites.
匿名椭圆曲线Diffie-Hellman密码套件。
=item B<aDSS>, B<DSS>
Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
使用DSS认证的密码套件即证书携带DSS密钥.
=item B<aDH>
Cipher suites effectively using DH authentication, i.e. the certificates carry
DH keys.
All these cipher suites have been removed in GmSSL 1.1.0.
密码套件有效地使用DH认证即证书携带DH密钥。
所有这些密码套件已在GmSSL 1.1.0中删除。
=item B<aECDSA>, B<ECDSA>
Cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
keys.
使用ECDSA身份验证的密码套件即证书包含ECDSA键。
=item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0 or
@@ -282,15 +384,21 @@ then both TLSv1.0 and SSLv3.0 ciphersuites are available.
Note: these cipher strings B<do not> change the negotiated version of SSL or
TLS, they only affect the list of available cipher suites.
=item B<AES128>, B<AES256>, B<AES>
cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.
密码套件使用128位AES256位AES或128或256位AES。
=item B<AESGCM>
AES in Galois Counter Mode (GCM): these ciphersuites are only supported
in TLS v1.2.
AES在Galois计数器模式GCM这些密码器仅在TLS v1.2中支持。
=item B<AESCCM>, B<AESCCM8>
AES in Cipher Block Chaining - Message Authentication Mode (CCM): these
@@ -298,86 +406,127 @@ ciphersuites are only supported in TLS v1.2. B<AESCCM> references CCM
cipher suites using both 16 and 8 octet Integrity Check Value (ICV)
while B<AESCCM8> only references 8 octet ICV.
密码块链中的AES - 消息认证模式CCMTLS v1.2中仅支持这些密码。 AESCCM参考CCM密码套件使用16和8个字节的完整性检查值ICV而AESCCM8仅引用8个八位字节的ICV。
=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
CAMELLIA.
密码套件使用128位CAMELLIA256位CAMELLIA或128或256位CAMELLIA。
=item B<CHACHA20>
cipher suites using ChaCha20.
密码套件使用ChaCha20。
=item B<3DES>
cipher suites using triple DES.
密码套件使用三重DES
=item B<DES>
Cipher suites using DES (not triple DES).
All these cipher suites have been removed in GmSSL 1.1.0.
密码套件使用DES不是三重DES。 所有这些密码套件已在GmSSL 1.1.0中删除。
=item B<RC4>
Cipher suites using RC4.
密码套件使用RC4
=item B<RC2>
Cipher suites using RC2.
密码套件使用RC2
=item B<IDEA>
Cipher suites using IDEA.
密码套件使用IDEA
=item B<SEED>
Cipher suites using SEED.
密码套件使用SEED
=item B<MD5>
Cipher suites using MD5.
密码套件使用MD5
=item B<SHA1>, B<SHA>
Cipher suites using SHA1.
密码套件使用SHA1
=item B<SHA256>, B<SHA384>
Ciphersuites using SHA256 or SHA384.
Cipher suites using SHA256 or SHA384.
密码套件使用SHA256或SHA384
=item B<aGOST>
Cipher suites using GOST R 34.10 (either 2001 or 94) for authentication
(needs an engine supporting GOST algorithms).
密码套件使用GOST R34.102001或94用来认证
=item B<aGOST01>
Cipher suites using GOST R 34.10-2001 authentication.
密码套件采用GOST R 34.10-2001认证。
=item B<kGOST>
Cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357.
密码套件使用VKO 34.10密钥交换在RFC 4357中规定。
=item B<GOST94>
Cipher suites, using HMAC based on GOST R 34.11-94.
密码套件使用基于GOST R 34.11-94的HMAC。
=item B<GOST89MAC>
Cipher suites using GOST 28147-89 MAC B<instead of> HMAC.
密码套件使用GOST 28147-89 MAC B <代替> HMAC。
=item B<PSK>
All cipher suites using pre-shared keys (PSK).
所有使用预共享密钥PSK的密码套件。
=item B<kPSK>, B<kECDHEPSK>, B<kDHEPSK>, B<kRSAPSK>
Cipher suites using PSK key exchange, ECDHE_PSK, DHE_PSK or RSA_PSK.
密码套件使用PSK密钥交换ECDHE_PSKDHE_PSK或RSA_PSK。
=item B<aPSK>
Cipher suites using PSK authentication (currently all PSK modes apart from
RSA_PSK).
使用PSK认证的密码套件目前除了所有的PSK模式
RSA_PSK
=item B<SUITEB128>, B<SUITEB128ONLY>, B<SUITEB192>
Enables suite B mode of operation using 128 (permitting 192 bit mode by peer)
@@ -393,6 +542,8 @@ used and only the two suite B compliant ciphersuites
(ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are
permissible.
启用套件B的操作模式使用128位允许对等体的192位模式128位不允许192位对等或192位级别的安全性。 如果使用这些密码应该首先出现在密码列表中,并且忽略它们之后的任何内容。 设置Suite B模式需要符合RFC6460所需的其他后果。 特别地支持的签名算法被简化为仅支持ECDSA和SHA256或SHA384仅可以使用椭圆曲线P-256和P-384并且只能使用两个套件B兼容密码ECDHE-ECDSA-AES128-GCM-SHA256和 ECDHE-ECDSA-AES256-GCM-SHA384
=back
=head1 CIPHER SUITE NAMES

32
doc/apps/crl.pod
View File

@@ -28,6 +28,8 @@ B<gmssl> B<crl>
The B<crl> command processes CRL files in DER or PEM format.
crl命令以DER或PEM格式处理CRL文件。
=head1 OPTIONS
=over 4
@@ -36,67 +38,95 @@ The B<crl> command processes CRL files in DER or PEM format.
Print out a usage message.
输出使用信息。
=item B<-inform DER|PEM>
This specifies the input format. B<DER> format is DER encoded CRL
structure. B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines.
输入文件的格式。DER是DER编码的CRL对象。PEM默认的格式是base64编码的CRL对象。
=item B<-outform DER|PEM>
This specifies the output format, the options have the same meaning as the
B<-inform> option.
指定文件的输出格式。跟-inform的意思一样。
=item B<-in filename>
This specifies the input filename to read from or standard input if this
option is not specified.
指定的输入文件名,一般为标注输入
=item B<-out filename>
specifies the output filename to write to or standard output by
default.
指定的输出文件名,一般为标准输出
=item B<-text>
print out the CRL in text form.
以文本的格式来打印出CRL
=item B<-nameopt option>
option which determines how the subject or issuer names are displayed. See
the description of B<-nameopt> in L<x509(1)>.
决定了名称的显示方式。
=item B<-noout>
don't output the encoded version of the CRL.
不输出CRL文件内容
=item B<-hash>
output a hash of the issuer name. This can be use to lookup CRLs in
a directory by issuer name.
输出颁发者信息的哈希值。这一项可用于在文件中根据颁发者的哈希值来查询CRL。
=item B<-hash_old>
outputs the "hash" of the CRL issuer name using the older algorithm
as used by GmSSL versions before 1.0.0.
输出CRL颁发者信息的哈希值用GmSSL1.0.0版本以前更加古老的算法。
=item B<-issuer>
output the issuer name.
输出发行者的信息。
=item B<-lastupdate>
output the lastUpdate field.
输出上一次更新的时间。
=item B<-nextupdate>
output the nextUpdate field.
输出下一次更新的时间。
=item B<-CAfile file>
verify the signature on a CRL by looking up the issuing certificate in
B<file>
指定文件来验证该CRL对象是否合法。
=item B<-CApath dir>
verify the signature on a CRL by looking up the issuing certificate in
@@ -104,6 +134,8 @@ B<dir>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
通过查找dir中的颁发证书来验证CRL上的签名。 此目录必须是标准证书目录这是每个主题名称的哈希使用x509 -hash应链接到每个证书。
=back
=head1 NOTES

54
doc/apps/dgst.pod
View File

@@ -46,6 +46,10 @@ A supported I<digest> name may also be used as the command name.
To see the list of supported algorithms, use the I<list --digest-commands>
command.
摘要功能输出所提供文件的消息摘要或是十六进制文件。摘要功能还能使用消息摘要生成和验证数字签名。
通用名称dgst可以与指定要使用算法的选项一起使用。默认的摘要是sm3.支持的digest名称也可作为命令名称。要查看支持的算法列表请使用list --digest-commands。
=head1 OPTIONS
=over 4
@@ -54,75 +58,107 @@ command.
Print out a usage message.
输出使用信息。
=item B<-I<digest>>
Specifies name of a supported digest to be used. To see the list of
supported digests, use the command I<list --digest-commands>.
指定要使用支持摘要的名称。要查看支持的摘要列表使用命令list --digest-commands。
=item B<-c>
print out the digest in two digit groups separated by colons, only relevant if
B<hex> format output is used.
打印两个数组中的摘要的时候用冒号来分隔开。仅仅设置了hex格式输出时有效。
=item B<-d>
print out BIO debugging information.
打印出BIO调试信息值。
=item B<-hex>
digest is to be output as a hex dump. This is the default case for a "normal"
digest as opposed to a digital signature. See NOTES below for digital
signatures using B<-hex>.
摘要将作为十六进制转储输出。 这是“正常”摘要的默认情况,而不是数字签名。 请参阅下面的注释使用-hex的数字签名。
=item B<-binary>
output the digest or signature in binary form.
以二进制的形式来显示摘要结果值。
=item B<-r>
output the digest in the "coreutils" format used by programs like B<sha1sum>.
用coreutils格式来输出摘要值被一些像shalsum的程序使用。
=item B<-out filename>
filename to output to, or standard output by default.
输出对象文件名,默认为标准输出。
=item B<-sign filename>
digitally sign the digest using the private key in "filename".
用filename中的私钥文件对数据进行签名。
=item B<-keyform arg>
Specifies the key format to sign digest with. The DER, PEM, P12,
and ENGINE formats are supported.
指定了签署摘要的密钥格式。该命令中仅仅支持DERPEMP12以及ENGINE格式。
=item B<-sigopt nm:v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
签名或验证签名的操作中,签名算法参数的选项值。
=item B<-passin arg>
the private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
私钥密码源。
=item B<-verify filename>
verify the signature using the public key in "filename".
The output is either "Verification OK" or "Verification Failure".
使用filename中的公钥验证签名。
输出要么是验证通过要么是验证失败。
=item B<-prverify filename>
verify the signature using the private key in "filename".
使用filename中的公钥验证签名。
=item B<-signature filename>
the actual signature to verify.
实际要验证的签名
=item B<-hmac key>
create a hashed MAC using "key".
用key创建哈希MAC
=item B<-mac alg>
create MAC (keyed Message Authentication Code). The most popular MAC
@@ -131,11 +167,15 @@ which are not based on hash, for instance B<gost-mac> algorithm,
supported by B<ccgost> engine. MAC keys and other options should be set
via B<-macopt> parameter.
创建MAC密钥消息认证码。 最流行的MAC算法是HMAC基于散列的MAC但是还有其他MAC算法不是基于哈希的比如gost-mac算法由ccgost引擎支持。 应通过-macopt参数设置MAC密钥和其他选项。
=item B<-macopt nm:v>
Passes options to MAC algorithm, specified by B<-mac> key.
Following options are supported by both by B<HMAC> and B<gost-mac>:
通过命令到MAC算法由-mac指定。
=over 8
=item B<key:string>
@@ -144,12 +184,16 @@ Specifies MAC key as alphanumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
the MAC algorithm for example exactly 32 chars for gost-mac.
指定MAC密钥值作为字母字符串。字符串长度必须符合摘要算法的限制条件例如对gost-mac来说是32字节。
=item B<hexkey:string>
Specifies MAC key in hexadecimal form (two hex digits per byte).
Key length must conform to any restrictions of the MAC algorithm
for example exactly 32 chars for gost-mac.
指定MAC密钥值作为十六进制字符串。字符串长度必须符合摘要算法的限制条件例如对gost-mac来说是32字节。
=back
=item B<-rand file(s)>
@@ -160,11 +204,15 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
产生随机数种子的文件
=item B<-fips-fingerprint>
compute HMAC using a specific key
for certain GmSSL-FIPS operations.
用指定的密钥计算HMAC为了有关的GMSSL-FIPS操作。
=item B<-engine id>
Use engine B<id> for operations (including private key storage).
@@ -172,16 +220,22 @@ This engine is not used as source for digest algorithms, unless it is
also specified in the configuration file or B<-engine_impl> is also
specified.
使用引擎ID进行操作包括私钥存储。 此引擎不用作摘要算法的源,除非在配置文件中也指定了引擎,还指定了-engine_impl。
=item B<-engine_impl>
When used with the B<-engine> option, it specifies to also use
engine B<id> for digest operations.
当与-engine选项一起使用时它还指定还使用引擎ID进行摘要操作。
=item B<file...>
file or files to digest. If no files are specified then standard input is
used.
要摘要的文件。如果没有指定文件,就使用标准输入。
=back

38
doc/apps/ec.pod
View File

@@ -38,6 +38,8 @@ private key format specified in 'SEC 1: Elliptic Curve Cryptography'
(http://www.secg.org/). To convert an GmSSL EC private key into the
PKCS#8 private key format use the B<pkcs8> command.
ec命令处理EC密钥。 它们可以在各种形式之间进行转换,并将其组件打印出来。 注意GmSSL使用“SEC 1椭圆曲线加密”http://www.secg.org/)中指定的私钥格式。 要将GmSSL EC私钥转换为PKCS8私钥格式请使用pkcs8命令。
=head1 OPTIONS
=over 4
@@ -46,6 +48,8 @@ PKCS#8 private key format use the B<pkcs8> command.
Print out a usage message.
输出使用信息。
=item B<-inform DER|PEM>
This specifies the input format. The B<DER> option with a private key uses
@@ -55,22 +59,30 @@ The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
该指令指出了输入文件格式。DER选项是一个私钥它用ASN.1 DER编码的SEC1私钥文件。当为公钥时用RFC3280指定的SubjectPublicKeyInfo结构。默认的是PEM格式它也接受PKCS#8格式的私钥。
=item B<-outform DER|PEM>
This specifies the output format, the options have the same meaning as the
B<-inform> option.
该指令指出了输出格式。与-inform指令意义相同。
=item B<-in filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
如果未指定此选项,则指定从或从标准输入读取密钥的输入文件名。 如果密钥加密,将提示输入密码。
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
指定私钥包含口令存放方式。
=item B<-out filename>
This specifies the output filename to write a key to or standard output by
@@ -78,11 +90,15 @@ is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should B<not> be the same as the input
filename.
这指定了未指定要写入或输出的标准输出的输出文件名。 如果设置了任何加密选项,则会提示输入密码。 输出文件名不能与输入文件名相同。
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
输出文件口令保护存放方式。
=item B<-des|-des3|-sms4>
These options encrypt the private key with the DES, triple DES, SMS4 or
@@ -94,29 +110,41 @@ encryption option can be used to remove the pass phrase from a key, or by
setting the encryption options it can be use to add or change the pass phrase.
These options can only be used with PEM format output files.
这些选项在输出之前使用DES三重DESSMS4或GmSSL支持的任何其他密码加密私钥。 提示通行短语。 如果没有指定这些选项,则键将以纯文本形式写入。 这意味着使用ec实用程序读取加密密钥无加密选项可用于从密钥中删除密码短语或通过设置可用于添加或更改密码短语的加密选项。 这些选项只能用于PEM格式的输出文件。
=item B<-text>
prints out the public, private key components and parameters.
输出公钥和私钥的组成参数。
=item B<-noout>
this option prevents output of the encoded version of the key.
不输出密钥信息。
=item B<-modulus>
this option prints out the value of the public key component of the key.
该选项输出公钥组件值。
=item B<-pubin>
by default a private key is read from the input file: with this option a
public key is read instead.
默认读取为私钥,输入该指令后,从输入文件中读取公钥。
=item B<-pubout>
by default a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
输入该指令后,公钥值到输出文件中。默认保存私钥到输出文件。如果输入是公钥该选项将自动设置。
=item B<-conv_form>
This specifies how the points on the elliptic curve are converted
@@ -127,6 +155,8 @@ B<Note> Due to patent issues the B<compressed> option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
这指定椭圆曲线上的点如何转换为八位字节串。 可能的值有:压缩(默认值),未压缩和混合。 有关点转换表单的更多信息请阅读X9.62标准。 注意由于专利问题压缩选项默认情况下禁用二进制曲线并且可以通过在编译时定义预处理器宏OPENSSL_EC_BIN_PT_COMP来启用。
=item B<-param_enc arg>
This specifies how the elliptic curve parameters are encoded.
@@ -137,14 +167,20 @@ EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in GmSSL.
这指定椭圆曲线参数的编码方式。 可能的值为named_curve即ec参数由OID指定或显式指定ec参数参见RFC 3279以了解EC参数结构的定义。 默认值为named_curve。 注意如RFC 3279所述implicitlyCA替代方案目前尚未在GmSSL中实现
=item B<-no_public>
This option omits the public key components from the private key output.
该指令省略了私钥输出中的公钥组件。
=item B<-check>
this option checks the consistency of an EC private or public key.
该指令检查了EC私钥或公钥的一致性。
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<ec>
@@ -152,6 +188,8 @@ to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
指定引擎。
=back
=head1 NOTES

36
doc/apps/ecparam.pod
View File

@@ -31,6 +31,8 @@ B<gmssl ecparam>
This command is used to manipulate or generate EC parameter files.
此命令用于操作或生成EC参数文件。
=head1 OPTIONS
=over 4
@@ -39,6 +41,8 @@ This command is used to manipulate or generate EC parameter files.
Print out a usage message.
输出使用信息。
=item B<-inform DER|PEM>
This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
@@ -46,49 +50,69 @@ form compatible with RFC 3279 EcpkParameters. The PEM form is the default
format: it consists of the B<DER> format base64 encoded with additional
header and footer lines.
输入文件格式DER或PEM格式。DER采用与RFC 3279EcpkParameters兼容的ASN1的DER标准格式。PEM格式是默认格式它由DER格式base64编码带有附加的页眉和页脚行。
=item B<-outform DER|PEM>
This specifies the output format, the options have the same meaning as the
B<-inform> option.
指出输出格式。和-inform用法相同。
=item B<-in filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified.
指出输入的如果未指定此选项,则指定从或从标准输入读取参数的输入文件名。
=item B<-out filename>
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
as the input filename.
指定输出文件名参数。 如果此选项不存在,则使用标准输出。 输出文件名不能与输入文件名相同
=item B<-noout>
This option inhibits the output of the encoded version of the parameters.
不打印参数编码的版本信息。
=item B<-text>
This option prints out the EC parameters in human readable form.
打印椭圆曲线密钥参数信息值。
=item B<-C>
This option converts the EC parameters into C code. The parameters can then
be loaded by calling the get_ec_group_XXX() function.
用C语言打印椭圆曲线参数。然后可以通过调用get_ec_group_XXX函数来加载参数。
=item B<-check>
Validate the elliptic curve parameters.
验证椭圆曲线密钥参数。
=item B<-name arg>
Use the EC parameters with the specified 'short' name. Use B<-list_curves>
to get a list of all currently implemented EC parameters.
使用EC参数的指定短名称。使用-list_curves来得到所有当前实现的EC参数的列表。
=item B<-list_curves>
If this options is specified B<ecparam> will print out a list of all
currently implemented EC parameters names and exit.
打印所有可用的短名称。
=item B<-conv_form>
This specifies how the points on the elliptic curve are converted
@@ -99,6 +123,8 @@ B<Note> Due to patent issues the B<compressed> option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
这指定椭圆曲线上的点如何转换为八位字节串。 可能的值有:压缩(默认值),未压缩和混合。 有关点转换表单的更多信息请阅读X9.62标准。 注意由于专利问题压缩选项默认情况下禁用二进制曲线并且可以通过在编译时定义预处理器宏OPENSSL_EC_BIN_PT_COMP来启用。
=item B<-param_enc arg>
This specifies how the elliptic curve parameters are encoded.
@@ -109,15 +135,21 @@ EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in GmSSL.
这指定椭圆曲线参数的编码方式。 可能的值为named_curve即ec参数由OID指定或显式指定ec参数参见RFC 3279以了解EC参数结构的定义。 默认值为named_curve。 注意如RFC 3279所述implicitlyCA替代方案目前尚未在GmSSL中实现
=item B<-no_seed>
This option inhibits that the 'seed' for the parameter generation
is included in the ECParameters structure (see RFC 3279).
该选项禁止参数生成“seed”包含在ECParameters结构中参见RFC 3279
=item B<-genkey>
This option will generate an EC private key using the specified parameters.
该指令会生成一个指定参数的EC私钥。
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
@@ -126,6 +158,8 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
含有随机数产生种子的文件。
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<ecparam>
@@ -133,6 +167,8 @@ to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
指定硬件引擎。该引擎会被设为所有可行的算法的默认引擎。
=back
=head1 NOTES

57
doc/apps/enc.pod
View File

@@ -42,6 +42,8 @@ using various block and stream ciphers using keys based on passwords
or explicitly provided. Base64 encoding or decoding can also be performed
either by itself or in addition to the encryption or decryption.
对称密码命令允许使用基于密码或明确提供的密钥的各种块和流密码来加密或解密数据。 Base64编码或解码也可以通过本身或加密或解密来执行。
=head1 OPTIONS
=over 4
@@ -50,76 +52,108 @@ either by itself or in addition to the encryption or decryption.
Print out a usage message.
输出使用信息
=item B<-ciphers>
List all supported ciphers.
列出所有支持的密码。
=item B<-in filename>
the input filename, standard input by default.
输入的文件名,默认为标准输入。
=item B<-out filename>
the output filename, standard output by default.
输出的文件名,默认为标准输出。
=item B<-pass arg>
the password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.
指定密码的来源。
=item B<-e>
encrypt the input data: this is the default.
进行加密操作,默认操作。
=item B<-d>
decrypt the input data.
进行解密操作。
=item B<-a>
base64 process the data. This means that if encryption is taking place
the data is base64 encoded after encryption. If decryption is set then
the input data is base64 decoded before being decrypted.
base64处理数据。这意味着加密结果进行64位编码。解密前先进行base64解码。
=item B<-base64>
same as B<-a>
和-a一样。
=item B<-A>
if the B<-a> option is set then base64 process the data on one line.
将生成的结果在文件中只有一行。
=item B<-k password>
the password to derive the key from. This is for compatibility with previous
versions of GmSSL. Superseded by the B<-pass> argument.
加密口令。这是为了当前GmSSL版本的兼容。
=item B<-kfile filename>
read the password to derive the key from the first line of B<filename>.
This is for compatibility with previous versions of GmSSL. Superseded by
the B<-pass> argument.
指定口令存放的文件。
=item B<-md digest>
Use the specified digest to create the key from the passphrase.
The default algorithm is SM3.
运用指定摘要算法来从密码中创建密钥。默认算法为SM3.
=item B<-nosalt>
don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
used except for test purposes or compatibility with ancient versions of
GmSSL.
在密钥导出例程中不使用salt除了测试目的或与以前版本的Gmssl兼容不应使用此选项。
=item B<-salt>
use salt (randomly generated or provide with B<-S> option) when
encrypting (this is the default).
在加密过程中使用salt默认设置
=item B<-S salt>
the actual salt to use: this must be represented as a string of hex digits.
salt的值为16进制。
=item B<-K key>
the actual key to use: this must be represented as a string comprised only
@@ -129,6 +163,10 @@ key given with the B<-K> option will be used and the IV generated from the
password will be taken. It probably does not make much sense to specify
both key and password.
用的实际密钥值这个必须提出它是一个16进制的输入口令。如果没有这个选
项IV必须用-IV选项指定。当key和密钥都指定时用-K选项给定的key将会被使
而使用密钥来产生初始化向量IV。不建议两者都指定。
=item B<-iv IV>
the actual IV to use: this must be represented as a string comprised only
@@ -136,37 +174,56 @@ of hex digits. When only the key is specified using the B<-K> option, the
IV must explicitly be defined. When a password is being specified using
one of the other options, the IV is generated from this password.
实际上使用的初始化向量这个必须提出它是一个16进制的输入口令。如果没有这个选
项IV必须用-IV选项指定。当一个密钥用其中一个选项所指定IV将会与偶这个口令
值来产生。
=item B<-p>
print out the key and IV used.
打印使用的密钥和IV。
=item B<-P>
print out the key and IV used then immediately exit: don't do any encryption
or decryption.
打印使用的key和IV然后直接退出不做加密和解密操作。
=item B<-bufsize number>
set the buffer size for I/O
设置I/O操作的缓冲区大小。
=item B<-nopad>
disable standard block padding
没有数据填充。
=item B<-debug>
debug the BIOs used for I/O.
调试用于I/O的BIO。
=item B<-z>
Compress or decompress clear text using zlib before encryption or after
decryption. This option exists only if GmSSL with compiled with zlib
or zlib-dynamic option.
在加密或解密之后使用zlib压缩或解压缩明文。 只有使用zlib或zlib-
dynamic选项编译的GmSSL时此选项才会存在。
=item B<-none>
Use NULL cipher (no encryption or decryption of input).
不对数据进行加解密操作。
=back
=head1 NOTES

180
doc/apps/gmssl.pod
View File

@@ -27,6 +27,9 @@ The B<gmssl> program is a command line tool for using the various
cryptography functions of GmSSL's B<crypto> library from the shell.
It can be used for
GmSSL是实现安全套接字层SSL v2 / v3和传输层安全TLS v1网络协议
及其所需的相关加密标准的加密工具包。
o Creation and management of private keys, public keys and parameters
o Public key cryptographic operations
o Creation of X.509 certificates, CSRs and CRLs
@@ -36,6 +39,22 @@ It can be used for
o Handling of S/MIME signed or encrypted mail
o Time Stamp requests, generation and verification
创建并管理公钥,私钥和参数。
公钥加密操作。
x509CSR和CRL的创建
计算消息摘要。
密码加密解密
SSC/TLS客户端服务器的测试
处理S / MIME签名或加密的邮件
时间戳请求,生成和验证
=head1 COMMAND SUMMARY
The B<gmssl> program provides a rich variety of commands (I<command> in the
@@ -66,6 +85,24 @@ availability of ciphers in the B<gmssl> program. (B<no->I<XXX> is
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)
gmssl程序提供丰富多样的命令上面的概要中的命令每个命令通常具有
丰富的选项和参数概要中的command_opts和command_args
列表参数standard-commandsdigest-commands和cipher-commands分别输出
目前gmssl实用程序中可用的所有标准命令消息摘要命令或密码命令的列表
(每行一个条目)。
列表参数密码算法和摘要算法列出所有密码和消息摘要名称,每行一个条目。
列表参数public-key-algorithms列出了所有支持的公钥算法。
命令no-XXX测试指定名称的命令是否可用。 如果没有命名为XXX的命令
则返回0成功并打印no-XXX; 否则返回1并打印XXX。 在这两种情况下,
输出到stdout没有什么打印到stderr。 其他命令行参数始终被忽略。
因为每个密码都有一个相同名称的命令这为shell脚本提供了一个简
单的方法来测试gmssl程序中密码的可用性。 (否 - XXX无法检测到伪命令
如quitlist或no-XXX本身。
=head2 Standard Commands
=over 10
@@ -74,138 +111,200 @@ B<list>, or B<no->I<XXX> itself.)
Parse an ASN.1 sequence.
解析ASN1序列
=item L<B<ca>|ca(1)>
Certificate Authority (CA) Management.
CA管理
=item L<B<ciphers>|ciphers(1)>
Cipher Suite Description Determination.
密码套件描述确定。
=item L<B<cms>|cms(1)>
CMS (Cryptographic Message Syntax) utility
CMS有效。
=item L<B<crl>|crl(1)>
Certificate Revocation List (CRL) Management.
CRL管理
=item L<B<crl2pkcs7>|crl2pkcs7(1)>
CRL to PKCS#7 Conversion.
CRL转变为PKCS#7
=item L<B<dgst>|dgst(1)>
Message Digest Calculation.
消息摘要计算
=item B<dh>
Diffie-Hellman Parameter Management.
Obsoleted by L<B<dhparam>|dhparam(1)>.
DH参数管理
=item L<B<dhparam>|dhparam(1)>
Generation and Management of Diffie-Hellman Parameters. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
Diffie-Hellman参数的生成与管理。 被genpkey和pkeyparam取代
=item L<B<dsa>|dsa(1)>
DSA Data Management.
DSA数据管理
=item L<B<dsaparam>|dsaparam(1)>
DSA Parameter Generation and Management. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
DSA参数的生成与管理
=item L<B<ec>|ec(1)>
EC/SM2 (Elliptic curve) key processing
EC/SM2密钥处理
=item L<B<ecparam>|ecparam(1)>
EC/SM2 parameter manipulation and generation
EC / SM2参数的操作和生成
=item L<B<enc>|enc(1)>
Encoding with Ciphers.
密码进行编码
=item L<B<engine>|engine(1)>
Engine (loadable module) information and manipulation.
引擎信息和操作
=item L<B<errstr>|errstr(1)>
Error Number to Error String Conversion.
错误字符串转换的错误编号
=item B<gendh>
Generation of Diffie-Hellman Parameters.
Obsoleted by L<B<dhparam>|dhparam(1)>.
生成Diffie-Hellman参数。 被dhparam淘汰。
=item L<B<gendsa>|gendsa(1)>
Generation of DSA Private Key from Parameters. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
生成从参数的DSA私钥被genpkey pkey淘汰
=item L<B<genpkey>|genpkey(1)>
Generation of Private Key or Parameters.
私钥和参数的生成
=item L<B<genrsa>|genrsa(1)>
Generation of RSA Private Key. Superseded by L<B<genpkey>|genpkey(1)>.
RSA私钥的生成
=item L<B<nseq>|nseq(1)>
Create or examine a Netscape certificate sequence
创建或检查Netscape证书序列
=item L<B<ocsp>|ocsp(1)>
Online Certificate Status Protocol utility.
在线证书状态协议实用程序。
=item L<B<passwd>|passwd(1)>
Generation of hashed passwords.
哈希密码生成
=item L<B<pkcs12>|pkcs12(1)>
PKCS#12 Data Management.
PKCS#12 数据管理
=item L<B<pkcs7>|pkcs7(1)>
PKCS#7 Data Management.
PKCS#7 数据管理
=item L<B<pkey>|pkey(1)>
Public and private key management.
公私钥管理
=item L<B<pkeyparam>|pkeyparam(1)>
Public key algorithm parameter management.
公钥算法参数管理
=item L<B<pkeyutl>|pkeyutl(1)>
Public key algorithm cryptographic operation utility.
公钥算法加密运算实用程序。
=item L<B<rand>|rand(1)>
Generate pseudo-random bytes.
生成伪随机字节
=item L<B<req>|req(1)>
PKCS#10 X.509 Certificate Signing Request (CSR) Management.
PKCS#10 X509 CSR管理
=item L<B<rsa>|rsa(1)>
RSA key management.
RSA密钥管理
=item L<B<rsautl>|rsautl(1)>
RSA utility for signing, verification, encryption, and decryption. Superseded
by L<B<pkeyutl>|pkeyutl(1)>
用于签名验证加密和解密的RSA实用程序。 取而代之的是pkeyutl
=item L<B<s_client>|s_client(1)>
This implements a generic SSL/TLS client which can establish a transparent
@@ -213,6 +312,8 @@ connection to a remote server speaking SSL/TLS. It's intended for testing
purposes only and provides only rudimentary interface functionality but
internally uses mostly all functionality of the GmSSL B<ssl> library.
这实现了通用的SSL / TLS客户端可以建立与远程服务器的SSL / TLS的透明连接。 它仅用于测试目的仅提供基本的接口功能但内部主要使用GmSSL ssl库的所有功能。
=item L<B<s_server>|s_server(1)>
This implements a generic SSL/TLS server which accepts connections from remote
@@ -222,42 +323,62 @@ functionality of the GmSSL B<ssl> library. It provides both an own command
line oriented protocol for testing SSL functions and a simple HTTP response
facility to emulate an SSL/TLS-aware webserver.
这实现了一个通用的SSL / TLS服务器它接受来自远程客户端的SSL / TLS连接。 它仅用于测试目的仅提供基本的接口功能但内部主要使用GmSSL ssl库的所有功能。 它提供了一个用于测试SSL功能的自己的面向命令行的协议和一个简单的HTTP响应工具来模拟一个支持SSL / TLS的Web服务器。
=item L<B<s_time>|s_time(1)>
SSL Connection Timer.
SSL连接计时器
=item L<B<sess_id>|sess_id(1)>
SSL Session Data Management.
SSL会议数据管理。
=item L<B<smime>|smime(1)>
S/MIME mail processing.
S/MIME 邮件处理
=item L<B<speed>|speed(1)>
Algorithm Speed Measurement.
算法速度测量
=item L<B<spkac>|spkac(1)>
SPKAC printing and generating utility
SPKAC打印和生成实用程序。
=item L<B<ts>|ts(1)>
Time Stamping Authority tool (client/server)
时间戳机构工具(客户端/服务器)
=item L<B<verify>|verify(1)>
X.509 Certificate Verification.
X.509证书验证
=item L<B<version>|version(1)>
GmSSL Version Information.
GmSSL 版本信息
=item L<B<x509>|x509(1)>
X.509 Certificate Data Management.
X.509证书数据管理
=back
=head2 Message Digest Commands
@@ -268,42 +389,62 @@ X.509 Certificate Data Management.
SM3 Digest
SM3摘要
=item B<md5>
MD5 Digest
MD5摘要
=item B<mdc2>
MDC2 Digest
MDC2摘要
=item B<rmd160>
RMD-160 Digest
RMD-160摘要
=item B<sha>
SHA Digest
SHA摘要
=item B<sha1>
SHA-1 Digest
SHA-1摘要
=item B<sha224>
SHA-224 Digest
SHA-224摘要
=item B<sha256>
SHA-256 Digest
SHA-256摘要
=item B<sha384>
SHA-384 Digest
SHA-384摘要
=item B<sha512>
SHA-512 Digest
SHA-512摘要
=back
=head2 Encoding and Cipher Commands
@@ -314,42 +455,62 @@ SHA-512 Digest
Base64 Encoding
Base64 编码
=item B<sms4 sms4-cbc sms4-cfb sms4-ecb sms4-ofb>
SMS4 Cipher
SMS4密码
=item B<cast cast-cbc>
CAST Cipher
CAST密码
=item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb>
CAST5 Cipher
CAST5密码
=item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb>
DES Cipher
DES密码
=item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb>
Triple-DES Cipher
三重DES密码
=item B<idea idea-cbc idea-cfb idea-ecb idea-ofb>
IDEA Cipher
IDEA密码
=item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb>
RC2 Cipher
RC2密码
=item B<rc4>
RC4 Cipher
RC4密码
=item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb>
RC5 Cipher
RC5密码
=back
=head1 OPTIONS
@@ -357,6 +518,8 @@ RC5 Cipher
Details of which options are available depend on the specific command.
This section describes some common options with common behavior.
哪些选项可用的详细信息取决于具体的命令。 本节介绍一些常见的常见选项。
=head2 Common Options
=over 10
@@ -365,6 +528,8 @@ This section describes some common options with common behavior.
Provides a terse summary of all options.
输出所有选项的摘要
=back
=head2 Pass Phrase Options
@@ -377,6 +542,8 @@ password argument is given and a password is required then the user is
prompted to enter one: this will typically be read from the current
terminal with echoing turned off.
几个命令接受密码参数,通常分别使用-passin和-passout来输入和输出密码。 这些允许从各种来源获取密码。 这两个选项都有一个参数,其格式如下所述。 如果没有提供密码参数并且需要密码,则会提示用户输入密码:通常将从当前终端读取,并且回显关闭。
=over 10
=item B<pass:password>
@@ -385,12 +552,17 @@ the actual password is B<password>. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
实际的密码是password。 由于密码对于实用程序是可见的例如Unix下的“ps”
,因此只能在安全性不重要的地方使用此表单。
=item B<env:var>
obtain the password from the environment variable B<var>. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
从环境变量var获取密码。 由于其他进程的环境在某些平台上可见例如某些Unix操作系统下的ps因此谨慎使用此选项。
=item B<file:pathname>
the first line of B<pathname> is the password. If the same B<pathname>
@@ -399,15 +571,23 @@ line will be used for the input password and the next line for the output
password. B<pathname> need not refer to a regular file: it could for example
refer to a device or named pipe.
路径名的第一行是密码。 如果相同的pathname参数提供给-passin和-passout参数
则第一行将用于输入密码,输出密码的下一行将被使用。 路径名不需要引用常规文件:
例如可以参考设备或命名管道。
=item B<fd:number>
read the password from the file descriptor B<number>. This can be used to
send the data via a pipe for example.
从文件描述符编号读取密码。比方说这可以用于通过管道发送数据。
=item B<stdin>
read the password from standard input.
从标准输入读取密码。
=back
=head1 SEE ALSO

19
doc/apps/list.pod
View File

@@ -23,6 +23,8 @@ B<gmssl list>
This command is used to generate list of algorithms or disabled
features.
这条命令用于生成算法或禁用功能的列表。
=head1 OPTIONS
=over 4
@@ -31,15 +33,21 @@ features.
Display out a usage message.
输出使用信息。
=item B<-commands>
Display a list of standard commands.
输出标准命令列表。
=item B<-digest-commands>
Display a list of message digest commands, which are typically used
as input to the L<dgst(1)> or L<speed(1)> commands.
显示消息摘要命令列表通常用作dgst或speed命令的输入。
=item B<-digest-algorithms>
Display a list of message digest algorithms.
@@ -47,11 +55,16 @@ If a line is of the form
foo => bar
then B<foo> is an alias for the official algorithm name, B<bar>.
显示消息摘要算法的列表。
=item B<-cipher-commands>
Display a list of cipher commands, which are typically used as input
to the L<dgst(1)> or L<speed(1)> commands.
显示密码命令列表通常用作dgst或speed命令的输入。
=item B<-cipher-algorithms>
Display a list of cipher algorithms.
@@ -59,16 +72,22 @@ If a line is of the form
foo => bar
then B<foo> is an alias for the official algorithm name, B<bar>.
显示密码算法的列表
=item B<-public-key-algorithms>
Display a list of public key algorithms, with each algorithm as
a block of multiple lines, all but the first are indented.
显示公钥算法列表,每个算法作为多行的块,除第一个都是缩进。
=item B<-disabled>
Display a list of disabled features, those that were compiled out
of the installation.
显示已禁用功能的列表,这些功能是从安装中编译出来的功能。
=back
=head1 COPYRIGHT