From cceb2acfcae3202f3613282b08e6819a550708fd Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Thu, 19 Jan 2017 21:02:29 +0800 Subject: [PATCH] update manuals --- README.md | 47 ++++++++++++++++++---- crypto/objects/objects.txt | 14 +++---- doc/apps/CA.pl.pod | 14 +++---- doc/apps/asn1parse.pod | 14 +++---- doc/apps/c_rehash.pod | 8 ++-- doc/apps/ca.pod | 24 ++++++------ doc/apps/ciphers.pod | 34 ++++++++-------- doc/apps/cms.pod | 60 ++++++++++++++--------------- doc/apps/config.pod | 50 ++++++++++++------------ doc/apps/crl.pod | 8 ++-- doc/apps/crl2pkcs7.pod | 6 +-- doc/apps/dgst.pod | 20 +++++----- doc/apps/dhparam.pod | 12 +++--- doc/apps/dsa.pod | 16 ++++---- doc/apps/dsaparam.pod | 2 +- doc/apps/ec.pod | 36 ++++++++--------- doc/apps/ecparam.pod | 22 +++++------ doc/apps/enc.pod | 38 +++++++++--------- doc/apps/errstr.pod | 4 +- doc/apps/gendsa.pod | 6 +-- doc/apps/genpkey.pod | 24 ++++++------ doc/apps/genrsa.pod | 4 +- doc/apps/{openssl.pod => gmssl.pod} | 34 ++++++++-------- doc/apps/nseq.pod | 6 +-- doc/apps/ocsp.pod | 22 +++++------ doc/apps/passwd.pod | 8 ++-- doc/apps/pkcs12.pod | 34 ++++++++-------- doc/apps/pkcs7.pod | 6 +-- doc/apps/pkcs8.pod | 24 ++++++------ doc/apps/pkey.pod | 18 ++++----- doc/apps/pkeyparam.pod | 4 +- doc/apps/pkeyutl.pod | 16 ++++---- doc/apps/rand.pod | 4 +- doc/apps/req.pod | 26 ++++++------- doc/apps/rsa.pod | 18 ++++----- doc/apps/rsautl.pod | 20 +++++----- doc/apps/s_client.pod | 10 ++--- doc/apps/s_server.pod | 12 +++--- doc/apps/s_time.pod | 6 +-- doc/apps/sess_id.pod | 2 +- doc/apps/smime.pod | 42 ++++++++++---------- doc/apps/speed.pod | 2 +- doc/apps/spkac.pod | 10 ++--- doc/apps/ts.pod | 50 ++++++++++++------------ doc/apps/tsget.pod | 8 ++-- doc/apps/verify.pod | 18 ++++----- doc/apps/version.pod | 14 +++---- doc/apps/x509.pod | 50 ++++++++++++------------ doc/apps/x509v3_config.pod | 14 +++---- 49 files changed, 487 insertions(+), 454 deletions(-) rename doc/apps/{openssl.pod => gmssl.pod} (91%) diff --git a/README.md b/README.md index 804dff4d..0033d80f 100644 --- a/README.md +++ b/README.md @@ -67,15 +67,48 @@ GmSSL是一个开源的密码工具箱,支持SM2/SM3/SM4/SM9等国密(国家 $ gmssl pkeyutl -sign -pkeyopt ec_sign_algor:sm2 -inkey signkey.pem \ -in -out .sig ``` + 可以将公钥从`signkey.pem`中导出并发发布给验证签名的一方 + ```sh + $ gmssl pkey -in signkey.pem -out vrfykey.pem + $ gmssl pkeyutl -verify -pkeyopt ec_sign_algor:sm2 -inkey vrfykey.pem \ + -in -sigfile .sig + ``` + ## 项目文档 -- [编译与安装](https://github.com/guanzhi/GmSSL/wiki/编译和安装) -- 密码算法:[SM1分组密码](https://github.com/guanzhi/GmSSL/wiki/SM1和SSF33分组密码);[SSF33分组密码](https://github.com/guanzhi/GmSSL/wiki/SM1和SSF33分组密码);[SM2椭圆曲线公钥密码](https://github.com/guanzhi/GmSSL/wiki/SM2椭圆曲线公钥密码);[SM3密码杂凑算法](https://github.com/guanzhi/GmSSL/wiki/SM3密码杂凑算法);[SM4/SMS4分组密码](https://github.com/guanzhi/GmSSL/wiki/SM4分组密码);[SM9基于身份的密码](https://github.com/guanzhi/GmSSL/wiki/SM9身份密码);[ZUC序列密码](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/zuc.md);[CPK组合公钥密码](https://github.com/guanzhi/GmSSL/wiki/CPK组合公钥) -- 安全协议:国密SSL VPN协议;国密IPSec VPN协议 -- [GmSSL命令行工具](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/gmsslcli.md) -- [GmSSL编码风格 (GmSSL Coding Style)](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/codingstyle.md) -- GmSSL编程接口:国密应用编程接口(GmSSL SAF/SDF/SKF/SOF API);GmSSL EVP API](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/evp.md);[GmSSL Java API](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/java.md);[国密算法标识OID](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/oid.md) -- [中华人民共和国密码行业标准(共44项)]() +用户手册: + +[编译与安装](https://github.com/guanzhi/GmSSL/wiki/install); +[命令行工具手册](https://github.com/guanzhi/GmSSL/wiki/commands.md); + [GmSSL EVP API](https://github.com/guanzhimSSL/blob/develop/doc/gmssl/evp.md); + [GmSSL Java API](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/java.md); + +密码算法 + +[SM1分组密码](https://github.com/guanzhi/GmSSL/wiki/sm1) +[SSF33分组密码](https://github.com/guanzhi/GmSSL/wiki/ssf33) +[SM2椭圆曲线公钥密码](https://github.com/guanzhi/GmSSL/wiki/sm2) +[SM3密码杂凑算法](https://github.com/guanzhi/GmSSL/wiki/sm3) +[SM4/SMS4分组密码](https://github.com/guanzhi/GmSSL/wiki/sms4) +[SM9基于身份的密码](https://github.com/guanzhi/GmSSL/wiki/sm9) +[ZUC序列密码](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/zuc.md) +[CPK组合公钥密码](https://github.com/guanzhi/GmSSL/wiki/cpk) +[BF-IBE (Boneh-Franklin Identity-Based Encryption)](https://github.com/guanzhi/GmSSL/wiki/bfibe) +[BB~1~-IBE (Boneh-Boyen Identity-Based Encryption)](https://github.com/guanzhi/GmSSL/wiki/bb1-ibe) + +安全协议: + +[SSL/TLS协议]()、 +[国密SSL VPN协议](); +[国密IPSec VPN协议](); + +开发者: +[GmSSL编码风格 (Coding Style)](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/codingstyle.md); +[开发路线 (Road Map)](); + +国密应用编程接口(GmSSL SAF/SDF/SKF/SOF API); +- 标准规范:[中华人民共和国密码行业标准(共44项)](); + [国密算法标识OID](https://github.com/guanzhi/GmSSL/blob/develop/doc/gmssl/oid.md) diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 87b92c05..f0fc30b9 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -1440,13 +1440,13 @@ sm-scheme 302 3 : sm9encrypt sm-scheme 401 : SM3 : sm3 sm-scheme 401 2 : HMAC-SM3 : hmac-sm3 -sm-scheme 501 : SM2Sign-with-SM3 : sm2sign-with-sm3 -sm-scheme 502 : SM2Sign-with-SHA1 : sm2sign-with-sha1 -sm-scheme 503 : SM2Sign-with-SHA256 : sm2sign-with-sha256 -sm-scheme 504 : SM2Sign-with-SHA511 : sm2sign-with-sha512 -sm-scheme 505 : SM2Sign-with-SHA224 : sm2sign-with-sha224 -sm-scheme 506 : SM2Sign-with-SHA384 : sm2sign-with-sha384 -sm-scheme 507 : SM2Sign-with-RMD160 : sm2sign-with-rmd160 +sm-scheme 501 1 : SM2Sign-with-SM3 : sm2sign-with-sm3 +sm-scheme 501 2 : SM2Sign-with-SHA1 : sm2sign-with-sha1 +sm-scheme 501 3 : SM2Sign-with-SHA256 : sm2sign-with-sha256 +sm-scheme 501 4 : SM2Sign-with-SHA511 : sm2sign-with-sha512 +sm-scheme 501 5 : SM2Sign-with-SHA224 : sm2sign-with-sha224 +sm-scheme 501 6 : SM2Sign-with-SHA384 : sm2sign-with-sha384 +sm-scheme 501 7 : SM2Sign-with-RMD160 : sm2sign-with-rmd160 sm-scheme 301 101 : wapip192v1 diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod index d326101c..ea462fe8 100644 --- a/doc/apps/CA.pl.pod +++ b/doc/apps/CA.pl.pod @@ -3,7 +3,7 @@ =head1 NAME -CA.pl - friendlier interface for OpenSSL certificate programs +CA.pl - friendlier interface for GmSSL certificate programs =head1 SYNOPSIS @@ -25,7 +25,7 @@ B =head1 DESCRIPTION The B script is a perl script that supplies the relevant command line -arguments to the B command for some common certificate operations. +arguments to the B command for some common certificate operations. It is intended to simplify the process of certificate creation and management by the use of some simple options. @@ -122,11 +122,11 @@ directly. The following example shows the steps that would typically be taken. Create some DSA parameters: - openssl dsaparam -out dsap.pem 1024 + gmssl dsaparam -out dsap.pem 1024 Create a DSA CA certificate and private key: - openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem + gmssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem Create the CA directories and files: @@ -137,7 +137,7 @@ enter cacert.pem when prompted for the CA file name. Create a DSA certificate request and private key (a different set of parameters can optionally be created first): - openssl req -out newreq.pem -newkey dsa:dsap.pem + gmssl req -out newreq.pem -newkey dsa:dsap.pem Sign the request: @@ -161,9 +161,9 @@ be wrong. In this case the command: can be used and the B environment variable changed to point to the correct path of the configuration file "openssl.cnf". -The script is intended as a simple front end for the B program for use +The script is intended as a simple front end for the B program for use by a beginner. Its behaviour isn't always what is wanted. For more control over the -behaviour of the certificate commands call the B command directly. +behaviour of the certificate commands call the B command directly. =head1 ENVIRONMENT VARIABLES diff --git a/doc/apps/asn1parse.pod b/doc/apps/asn1parse.pod index 76a765da..feea3577 100644 --- a/doc/apps/asn1parse.pod +++ b/doc/apps/asn1parse.pod @@ -6,7 +6,7 @@ asn1parse - ASN.1 parsing tool =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-in filename>] [B<-out filename>] @@ -131,7 +131,7 @@ be examined using the option B<-strparse 229> to yield: =head1 NOTES -If an OID is not part of OpenSSL's internal table it will be represented in +If an OID is not part of GmSSL's internal table it will be represented in numerical form (for example 1.2.3.4). The file passed to the B<-oid> option allows additional OIDs to be included. Each line consists of three columns, the first column is the OID in numerical format and should be followed by white @@ -145,23 +145,23 @@ C<1.2.3.4 shortName A long name> Parse a file: - openssl asn1parse -in file.pem + gmssl asn1parse -in file.pem Parse a DER file: - openssl asn1parse -inform DER -in file.der + gmssl asn1parse -inform DER -in file.der Generate a simple UTF8String: - openssl asn1parse -genstr 'UTF8:Hello World' + gmssl asn1parse -genstr 'UTF8:Hello World' Generate and write out a UTF8String, don't print parsed output: - openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der + gmssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der Generate using a config file: - openssl asn1parse -genconf asn1.cnf -noout -out asn1.der + gmssl asn1parse -genconf asn1.cnf -noout -out asn1.der Example config file: diff --git a/doc/apps/c_rehash.pod b/doc/apps/c_rehash.pod index ccce29e4..3160a746 100644 --- a/doc/apps/c_rehash.pod +++ b/doc/apps/c_rehash.pod @@ -1,7 +1,7 @@ =pod =for comment -Original text by James Westby, contributed under the OpenSSL license. +Original text by James Westby, contributed under the GmSSL license. =head1 NAME @@ -23,7 +23,7 @@ C<.pem>, C<.crt>, C<.cer>, or C<.crl> file in the specified directory list and creates symbolic links for each file, where the name of the link is the hash value. (If the platform does not support symbolic links, a copy is made.) -This utility is useful as many programs that use OpenSSL require +This utility is useful as many programs that use GmSSL require directories to be set up like this in order to find certificates. If any directories are named on the command line, then those are @@ -52,7 +52,7 @@ is found. A warning will also be displayed if there are files that cannot be parsed as either a certificate or a CRL. -The program uses the B program to compute the hashes and +The program uses the B program to compute the hashes and fingerprints. If not found in the user's B, then set the B environment variable to the full pathname. Any program can be used, it will be invoked as follows for either @@ -109,6 +109,6 @@ Ignored if directories are listed on the command line. =head1 SEE ALSO -L, +L, L. L. diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index c90e6482..d43e6bdb 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -7,7 +7,7 @@ ca - sample minimal CA application =head1 SYNOPSIS -B B +B B [B<-verbose>] [B<-config filename>] [B<-name section>] @@ -141,7 +141,7 @@ self-signed certificate. =item B<-passin arg> the key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-verbose> @@ -248,7 +248,7 @@ configuration file, must be valid UTF8 strings. this option causes the -subj argument to be interpretedt with full support for multivalued RDNs. Example: -I +I If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. @@ -419,7 +419,7 @@ if the value B is given, the valid certificate entries in the database must have unique subjects. if the value B is given, several valid certificate entries may have the exact same subject. The default value is B, to be compatible with older (pre 0.9.8) -versions of OpenSSL. However, to make CA certificate roll-over easier, +versions of GmSSL. However, to make CA certificate roll-over easier, it's recommended to use the value B, especially if combined with the B<-selfsign> command line option. @@ -474,7 +474,7 @@ For convenience the values B are accepted by both to produce a reasonable output. If neither option is present the format used in earlier versions of -OpenSSL is used. Use of the old format is B discouraged because +GmSSL is used. Use of the old format is B discouraged because it only displays fields mentioned in the B section, mishandles multicharacter string types and does not display extensions. @@ -538,30 +538,30 @@ demoCA/index.txt. Sign a certificate request: - openssl ca -in req.pem -out newcert.pem + gmssl ca -in req.pem -out newcert.pem Sign a certificate request, using CA extensions: - openssl ca -in req.pem -extensions v3_ca -out newcert.pem + gmssl ca -in req.pem -extensions v3_ca -out newcert.pem Generate a CRL - openssl ca -gencrl -out crl.pem + gmssl ca -gencrl -out crl.pem Sign several requests: - openssl ca -infiles req1.pem req2.pem req3.pem + gmssl ca -infiles req1.pem req2.pem req3.pem Certify a Netscape SPKAC: - openssl ca -spkac spkac.txt + gmssl ca -spkac spkac.txt A sample SPKAC file (the SPKAC line has been truncated for clarity): SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 CN=Steve Test - emailAddress=steve@openssl.org - 0.OU=OpenSSL Group + emailAddress=steve@gmssl.org + 0.OU=GmSSL Group 1.OU=Another Group A sample configuration file with the relevant sections for B: diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 1c26e3b3..85d6b9b7 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -6,7 +6,7 @@ ciphers - SSL cipher display and cipher list tool. =head1 SYNOPSIS -B B +B B [B<-v>] [B<-V>] [B<-ssl2>] @@ -16,7 +16,7 @@ B B =head1 DESCRIPTION -The B command converts textual OpenSSL cipher lists into ordered +The B command converts textual GmSSL cipher lists into ordered SSL cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist. @@ -122,7 +122,7 @@ which is not included by B (use B if necessary). =item B all cipher suites except the B ciphers which must be explicitly enabled; -as of OpenSSL, the B cipher suites are reasonably ordered by default +as of GmSSL, the B cipher suites are reasonably ordered by default =item B @@ -152,8 +152,8 @@ export encryption algorithms. Including 40 and 56 bits algorithms. =item B -56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of -56 bit export ciphers is empty unless OpenSSL has been explicitly configured +56 bit export encryption algorithms. In GmSSL 0.9.8c and later the set of +56 bit export ciphers is empty unless GmSSL has been explicitly configured with support for experimental ciphers. =item B, B @@ -348,7 +348,7 @@ ECDHE-ECDSA-AES256-GCM-SHA384) are permissible. =head1 CIPHER SUITE NAMES The following lists give the SSL or TLS cipher suites names from the -relevant specification and their OpenSSL equivalents. It should be noted, +relevant specification and their GmSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. @@ -469,7 +469,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. =head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0 Note: these ciphers require an engine which including GOST cryptographic -algorithms, such as the B engine, included in the OpenSSL distribution. +algorithms, such as the B engine, included in the GmSSL distribution. TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89 TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89 @@ -591,37 +591,37 @@ Note: these ciphers can also be used in SSL v3. =head1 NOTES -Some compiled versions of OpenSSL may not include all the ciphers +Some compiled versions of GmSSL may not include all the ciphers listed here because some ciphers were excluded at compile time. =head1 EXAMPLES -Verbose listing of all OpenSSL ciphers including NULL ciphers: +Verbose listing of all GmSSL ciphers including NULL ciphers: - openssl ciphers -v 'ALL:eNULL' + gmssl ciphers -v 'ALL:eNULL' Include all ciphers except NULL and anonymous DH then sort by strength: - openssl ciphers -v 'ALL:!ADH:@STRENGTH' + gmssl ciphers -v 'ALL:!ADH:@STRENGTH' Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL): - openssl ciphers -v 'ALL:!aNULL' + gmssl ciphers -v 'ALL:!aNULL' Include only 3DES ciphers and then place RSA ciphers last: - openssl ciphers -v '3DES:+RSA' + gmssl ciphers -v '3DES:+RSA' Include all RC4 ciphers but leave out those without authentication: - openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' + gmssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' Include all chiphers with RSA authentication but leave out ciphers without encryption. - openssl ciphers -v 'RSA:!COMPLEMENTOFALL' + gmssl ciphers -v 'RSA:!COMPLEMENTOFALL' =head1 SEE ALSO @@ -630,7 +630,7 @@ L, L, L =head1 HISTORY The B and B selection options -for cipherlist strings were added in OpenSSL 0.9.7. -The B<-V> option for the B command was added in OpenSSL 1.0.0. +for cipherlist strings were added in GmSSL 0.9.7. +The B<-V> option for the B command was added in GmSSL 1.0.0. =cut diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index 4eaedbcd..fe03b6ac 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -6,7 +6,7 @@ cms - CMS utility =head1 SYNOPSIS -B B +B B [B<-encrypt>] [B<-decrypt>] [B<-sign>] @@ -134,12 +134,12 @@ Verify a CMS B type and output the content. =item B<-compress> -Create a CMS B type. OpenSSL must be compiled with B +Create a CMS B type. GmSSL must be compiled with B support for this option to work, otherwise it will output an error. =item B<-uncompress> -Uncompress a CMS B type and output the content. OpenSSL must be +Uncompress a CMS B type and output the content. GmSSL must be compiled with B support for this option to work, otherwise it will output an error. @@ -256,7 +256,7 @@ the encryption algorithm to use. For example triple DES (168 bits) - B<-des3> or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes_128_cbc>. See L|enc(1)> for a list of ciphers -supported by your version of OpenSSL. +supported by your version of GmSSL. If not specified triple DES is used. Only used with B<-encrypt> and B<-EncryptedData_create> commands. @@ -398,7 +398,7 @@ or to modify default parameters for ECDH. =item B<-passin arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-rand file(s)> @@ -533,46 +533,46 @@ be processed by the older B command. Create a cleartext signed message: - openssl cms -sign -in message.txt -text -out mail.msg \ + gmssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem Create an opaque signed message - openssl cms -sign -in message.txt -text -out mail.msg -nodetach \ + gmssl cms -sign -in message.txt -text -out mail.msg -nodetach \ -signer mycert.pem Create a signed message, include some additional certificates and read the private key from another file: - openssl cms -sign -in in.txt -text -out mail.msg \ + gmssl cms -sign -in in.txt -text -out mail.msg \ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem Create a signed message with two signers, use key identifier: - openssl cms -sign -in message.txt -text -out mail.msg \ + gmssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -signer othercert.pem -keyid Send a signed message under Unix directly to sendmail, including headers: - openssl cms -sign -in in.txt -text -signer mycert.pem \ - -from steve@openssl.org -to someone@somewhere \ + gmssl cms -sign -in in.txt -text -signer mycert.pem \ + -from steve@gmssl.org -to someone@somewhere \ -subject "Signed message" | sendmail someone@somewhere Verify a message and extract the signer's certificate if successful: - openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt + gmssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt Send encrypted mail using triple DES: - openssl cms -encrypt -in in.txt -from steve@openssl.org \ + gmssl cms -encrypt -in in.txt -from steve@gmssl.org \ -to someone@somewhere -subject "Encrypted message" \ -des3 user.pem -out mail.msg Sign and encrypt mail: - openssl cms -sign -in ml.txt -signer my.pem -text \ - | openssl cms -encrypt -out mail.msg \ - -from steve@openssl.org -to someone@somewhere \ + gmssl cms -sign -in ml.txt -signer my.pem -text \ + | gmssl cms -encrypt -out mail.msg \ + -from steve@gmssl.org -to someone@somewhere \ -subject "Signed and Encrypted message" -des3 user.pem Note: the encryption command does not include the B<-text> option because the @@ -580,7 +580,7 @@ message being encrypted already has MIME headers. Decrypt mail: - openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem + gmssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the @@ -592,33 +592,33 @@ it with: and using the command, - openssl cms -verify -inform PEM -in signature.pem -content content.txt + gmssl cms -verify -inform PEM -in signature.pem -content content.txt alternatively you can base64 decode the signature and use - openssl cms -verify -inform DER -in signature.der -content content.txt + gmssl cms -verify -inform DER -in signature.der -content content.txt Create an encrypted message using 128 bit Camellia: - openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem + gmssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem Add a signer to an existing message: - openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg + gmssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg Sign mail using RSA-PSS: - openssl cms -sign -in message.txt -text -out mail.msg \ + gmssl cms -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -keyopt rsa_padding_mode:pss Create encrypted mail using RSA-OAEP: - openssl cms -encrypt -in plain.txt -out mail.msg \ + gmssl cms -encrypt -in plain.txt -out mail.msg \ -recip cert.pem -keyopt rsa_padding_mode:oaep Use SHA256 KDF with an ECDH certificate: - openssl cms -encrypt -in plain.txt -out mail.msg \ + gmssl cms -encrypt -in plain.txt -out mail.msg \ -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256 =head1 BUGS @@ -644,18 +644,18 @@ No revocation checking is done on the signer's certificate. =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first -added in OpenSSL 1.0.0 +added in GmSSL 1.0.0 -The B option was first added in OpenSSL 1.1.0 +The B option was first added in GmSSL 1.1.0 The use of B<-recip> to specify the recipient when encrypting mail was first -added to OpenSSL 1.1.0 +added to GmSSL 1.1.0 -Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. +Support for RSA-OAEP and RSA-PSS was first added to GmSSL 1.1.0. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added -to OpenSSL 1.1.0. +to GmSSL 1.1.0. -The -no_alt_chains options was first added to OpenSSL 1.0.2b. +The -no_alt_chains options was first added to GmSSL 1.0.2b. =cut diff --git a/doc/apps/config.pod b/doc/apps/config.pod index e1259152..460e7b1b 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -1,18 +1,18 @@ =pod -=for comment openssl_manual_section:5 +=for comment gmssl_manual_section:5 =head1 NAME -config - OpenSSL CONF library configuration files +config - GmSSL CONF library configuration files =head1 DESCRIPTION -The OpenSSL CONF library can be used to read configuration files. -It is used for the OpenSSL master configuration file B +The GmSSL CONF library can be used to read configuration files. +It is used for the GmSSL master configuration file B and in a few other places like B files and certificate extension -files for the B utility. OpenSSL applications can also use the +files for the B utility. GmSSL applications can also use the CONF library for their own purposes. A configuration file is divided into a number of sections. Each section @@ -56,16 +56,16 @@ the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized. =head1 OPENSSL LIBRARY CONFIGURATION -In OpenSSL 0.9.7 and later applications can automatically configure certain -aspects of OpenSSL using the master OpenSSL configuration file, or optionally -an alternative configuration file. The B utility includes this -functionality: any sub command uses the master OpenSSL configuration file +In GmSSL 0.9.7 and later applications can automatically configure certain +aspects of GmSSL using the master GmSSL configuration file, or optionally +an alternative configuration file. The B utility includes this +functionality: any sub command uses the master GmSSL configuration file unless an option is used in the sub command to use an alternative configuration file. To enable library configuration the default section needs to contain an appropriate line which points to the main configuration section. The default -name is B which is used by the B utility. Other +name is B which is used by the B utility. Other applications may use an alternative name such as B. The configuration section should consist of a set of name value pairs which @@ -74,9 +74,9 @@ the name of the I the meaning of the B is module specific: it may, for example, represent a further configuration section containing configuration module specific information. E.g. - openssl_conf = openssl_init + gmssl_conf = gmssl_init - [openssl_init] + [gmssl_init] oid_section = new_oids engines = engine_section @@ -96,9 +96,9 @@ The features of each configuration module are described below. This module has the name B. The value of this variable points to a section containing name value pairs of OIDs: the name is the OID short and long name, the value is the numerical form of the OID. Although some of -the B utility sub commands already have their own ASN1 OBJECT section +the B utility sub commands already have their own ASN1 OBJECT section functionality not all do. By using the ASN1 OBJECT configuration module -B the B utility sub commands can see the new objects as well +B the B utility sub commands can see the new objects as well as any compliant applications. For example: [new_oids] @@ -106,7 +106,7 @@ as any compliant applications. For example: some_new_oid = 1.2.3.4 some_other_oid = 1.2.3.5 -In OpenSSL 0.9.8 it is also possible to set the value to the long name followed +In GmSSL 0.9.8 it is also possible to set the value to the long name followed by a comma and the numerical OID form. For example: shortName = some object long name, 1.2.3.4 @@ -214,7 +214,7 @@ For example: If a configuration file attempts to expand a variable that doesn't exist then an error is flagged and the file will not load. This can happen if an attempt is made to expand an environment variable that doesn't -exist. For example in a previous version of OpenSSL the default OpenSSL +exist. For example in a previous version of GmSSL the default GmSSL master configuration file used the value of B which may not be defined on non Unix systems and would cause an error. @@ -277,13 +277,13 @@ priority and B used if neither is defined: # The above value is used if TEMP isn't in the environment tmpfile=${ENV::TEMP}/tmp.filename -Simple OpenSSL library configuration example to enter FIPS mode: +Simple GmSSL library configuration example to enter FIPS mode: # Default appname: should match "appname" parameter (if any) # supplied to CONF_modules_load_file et al. - openssl_conf = openssl_conf_section + gmssl_conf = gmssl_conf_section - [openssl_conf_section] + [gmssl_conf_section] # Configuration module list alg_section = evp_sect @@ -292,15 +292,15 @@ Simple OpenSSL library configuration example to enter FIPS mode: fips_mode = yes Note: in the above example you will get an error in non FIPS capable versions -of OpenSSL. +of GmSSL. -More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: +More complex GmSSL library configuration. Add OID and don't enter FIPS mode: # Default appname: should match "appname" parameter (if any) # supplied to CONF_modules_load_file et al. - openssl_conf = openssl_conf_section + gmssl_conf = gmssl_conf_section - [openssl_conf_section] + [gmssl_conf_section] # Configuration module list alg_section = evp_sect oid_section = new_oids @@ -317,12 +317,12 @@ More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: newoid2 = New OID 2 long name, 1.2.3.4.2 The above examples can be used with with any application supporting library -configuration if "openssl_conf" is modified to match the appropriate "appname". +configuration if "gmssl_conf" is modified to match the appropriate "appname". For example if the second sample file above is saved to "example.cnf" then the command line: - OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1 + OPENSSL_CONF=example.cnf gmssl asn1parse -genstr OID:1.2.3.4.1 will output: diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod index 044a9da9..628d8fef 100644 --- a/doc/apps/crl.pod +++ b/doc/apps/crl.pod @@ -6,7 +6,7 @@ crl - CRL utility =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-text>] @@ -71,7 +71,7 @@ a directory by issuer name. =item B<-hash_old> outputs the "hash" of the CRL issuer name using the older algorithm -as used by OpenSSL versions before 1.0.0. +as used by GmSSL versions before 1.0.0. =item B<-issuer> @@ -110,11 +110,11 @@ The PEM CRL format uses the header and footer lines: Convert a CRL file from PEM to DER: - openssl crl -in crl.pem -outform DER -out crl.der + gmssl crl -in crl.pem -outform DER -out crl.der Output the text form of a DER encoded certificate: - openssl crl -in crl.der -text -noout + gmssl crl -in crl.der -text -noout =head1 BUGS diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod index 3797bc0d..c7184039 100644 --- a/doc/apps/crl2pkcs7.pod +++ b/doc/apps/crl2pkcs7.pod @@ -6,7 +6,7 @@ crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates. =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -64,12 +64,12 @@ included in the output file and a CRL is not read from the input file. Create a PKCS#7 structure from a certificate and CRL: - openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem + gmssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem Creates a PKCS#7 structure in DER format with no CRL from several different certificates: - openssl crl2pkcs7 -nocrl -certfile newcert.pem + gmssl crl2pkcs7 -nocrl -certfile newcert.pem -certfile demoCA/cacert.pem -outform DER -out p7.der =head1 NOTES diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod index 9e15798d..8aa58434 100644 --- a/doc/apps/dgst.pod +++ b/doc/apps/dgst.pod @@ -2,12 +2,12 @@ =head1 NAME -dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 - message digests +dgst, sha, sha1, mdc2, ripemd160, sha224, sm3, sha384, sha512, md2, md4, md5, dss1 - message digests =head1 SYNOPSIS -B B -[B<-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md2|-md4|-md5|-dss1>] +B B +[B<-sha|-sha1|-mdc2|-ripemd160|-sha224|-sm3|-sha384|-sha512|-md2|-md4|-md5|-dss1>] [B<-c>] [B<-d>] [B<-hex>] @@ -27,7 +27,7 @@ B B [B<-fips-fingerprint>] [B] -B +B [I] [B<...>] @@ -101,7 +101,7 @@ Names and values of these options are algorithm-specific. =item B<-passin arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-verify filename> @@ -164,7 +164,7 @@ enable use of non-FIPS algorithms such as MD5 even in FIPS mode. =item B<-fips-fingerprint> compute HMAC using a specific key -for certain OpenSSL-FIPS operations. +for certain GmSSL-FIPS operations. =item B @@ -177,13 +177,13 @@ used. =head1 EXAMPLES To create a hex-encoded message digest of a file: - openssl dgst -md5 -hex file.txt + gmssl dgst -md5 -hex file.txt To sign a file using SHA-256 with binary file output: - openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt + gmssl dgst -sm3 -sign privatekey.pem -out signature.sign file.txt To verify a signature: - openssl dgst -sha256 -verify publickey.pem \ + gmssl dgst -sm3 -verify publickey.pem \ -signature signature.sign \ file.txt @@ -205,7 +205,7 @@ particular ECDSA and DSA. The signing and verify options should only be used if a single file is being signed or verified. -Hex signatures cannot be verified using B. Instead, use "xxd -r" +Hex signatures cannot be verified using B. Instead, use "xxd -r" or similar program to transform the hex signature into a binary signature prior to verification. diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod index 1cd4c766..ad766913 100644 --- a/doc/apps/dhparam.pod +++ b/doc/apps/dhparam.pod @@ -6,7 +6,7 @@ dhparam - DH parameter manipulation and generation =head1 SYNOPSIS -B +B [B<-inform DER|PEM>] [B<-outform DER|PEM>] [B<-in> I] @@ -117,9 +117,9 @@ for all available algorithms. =head1 WARNINGS The program B combines the functionality of the programs B and -B in previous versions of OpenSSL and SSLeay. The B and B +B in previous versions of GmSSL and SSLeay. The B and B programs are retained for now but may have different purposes in future -versions of OpenSSL. +versions of GmSSL. =head1 NOTES @@ -128,7 +128,7 @@ PEM format DH parameters use the header and footer lines: -----BEGIN DH PARAMETERS----- -----END DH PARAMETERS----- -OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 +GmSSL currently only supports the older PKCS#3 DH, not the newer X9.42 DH. This program manipulates DH parameters not keys. @@ -143,7 +143,7 @@ L =head1 HISTORY -The B command was added in OpenSSL 0.9.5. -The B<-dsaparam> option was added in OpenSSL 0.9.6. +The B command was added in GmSSL 0.9.5. +The B<-dsaparam> option was added in GmSSL 0.9.6. =cut diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod index 8bf6cc9d..9d31b1a1 100644 --- a/doc/apps/dsa.pod +++ b/doc/apps/dsa.pod @@ -6,7 +6,7 @@ dsa - DSA key processing =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -66,7 +66,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -78,7 +78,7 @@ filename. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> @@ -138,23 +138,23 @@ The PEM public key format uses the header and footer lines: To remove the pass phrase on a DSA private key: - openssl dsa -in key.pem -out keyout.pem + gmssl dsa -in key.pem -out keyout.pem To encrypt a private key using triple DES: - openssl dsa -in key.pem -des3 -out keyout.pem + gmssl dsa -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: - openssl dsa -in key.pem -outform DER -out keyout.der + gmssl dsa -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: - openssl dsa -in key.pem -text -noout + gmssl dsa -in key.pem -text -noout To just output the public part of a private key: - openssl dsa -in key.pem -pubout -out pubkey.pem + gmssl dsa -in key.pem -pubout -out pubkey.pem =head1 SEE ALSO diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod index ba5ec4d7..d07be6a0 100644 --- a/doc/apps/dsaparam.pod +++ b/doc/apps/dsaparam.pod @@ -6,7 +6,7 @@ dsaparam - DSA parameter manipulation and generation =head1 SYNOPSIS -B +B [B<-inform DER|PEM>] [B<-outform DER|PEM>] [B<-in filename>] diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod index 5c7b45d4..ef5969ad 100644 --- a/doc/apps/ec.pod +++ b/doc/apps/ec.pod @@ -6,7 +6,7 @@ ec - EC key processing =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -15,7 +15,7 @@ B B [B<-passout arg>] [B<-des>] [B<-des3>] -[B<-idea>] +[B<-sms4>] [B<-text>] [B<-noout>] [B<-param_out>] @@ -28,9 +28,9 @@ B B =head1 DESCRIPTION The B command processes EC keys. They can be converted between various -forms and their components printed out. B OpenSSL uses the +forms and their components printed out. B GmSSL uses the private key format specified in 'SEC 1: Elliptic Curve Cryptography' -(http://www.secg.org/). To convert a OpenSSL EC private key into the +(http://www.secg.org/). To convert a GmSSL EC private key into the PKCS#8 private key format use the B command. =head1 COMMAND OPTIONS @@ -60,7 +60,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -72,12 +72,12 @@ filename. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. -=item B<-des|-des3|-idea> +=item B<-des|-des3|-sms4> -These options encrypt the private key with the DES, triple DES, IDEA or -any other cipher supported by OpenSSL before outputting it. A pass phrase is +These options encrypt the private key with the DES, triple DES, SMS4 or +any other cipher supported by GmSSL before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that using the B utility to read in an encrypted key with no @@ -126,7 +126,7 @@ specified by a OID, or B where the ec parameters are explicitly given (see RFC 3279 for the definition of the EC parameters structures). The default value is B. B the B alternative ,as specified in RFC 3279, -is currently not implemented in OpenSSL. +is currently not implemented in GmSSL. =item B<-engine id> @@ -153,27 +153,27 @@ The PEM public key format uses the header and footer lines: To encrypt a private key using triple DES: - openssl ec -in key.pem -des3 -out keyout.pem + gmssl ec -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: - openssl ec -in key.pem -outform DER -out keyout.der + gmssl ec -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: - openssl ec -in key.pem -text -noout + gmssl ec -in key.pem -text -noout To just output the public part of a private key: - openssl ec -in key.pem -pubout -out pubkey.pem + gmssl ec -in key.pem -pubout -out pubkey.pem To change the parameters encoding to B: - openssl ec -in key.pem -param_enc explicit -out keyout.pem + gmssl ec -in key.pem -param_enc explicit -out keyout.pem To change the point conversion form to B: - openssl ec -in key.pem -conv_form compressed -out keyout.pem + gmssl ec -in key.pem -conv_form compressed -out keyout.pem =head1 SEE ALSO @@ -181,10 +181,10 @@ L, L, L =head1 HISTORY -The ec command was first introduced in OpenSSL 0.9.8. +The ec command was first introduced in GmSSL 0.9.8. =head1 AUTHOR -Nils Larsch for the OpenSSL project (http://www.openssl.org). +Nils Larsch for the GmSSL project (http://www.openssl.org). =cut diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod index 88e9d1e8..459e3852 100644 --- a/doc/apps/ecparam.pod +++ b/doc/apps/ecparam.pod @@ -6,7 +6,7 @@ ecparam - EC parameter manipulation and generation =head1 SYNOPSIS -B +B [B<-inform DER|PEM>] [B<-outform DER|PEM>] [B<-in filename>] @@ -100,7 +100,7 @@ specified by a OID, or B where the ec parameters are explicitly given (see RFC 3279 for the definition of the EC parameters structures). The default value is B. B the B alternative ,as specified in RFC 3279, -is currently not implemented in OpenSSL. +is currently not implemented in GmSSL. =item B<-no_seed> @@ -135,34 +135,34 @@ PEM format EC parameters use the header and footer lines: -----BEGIN EC PARAMETERS----- -----END EC PARAMETERS----- -OpenSSL is currently not able to generate new groups and therefore +GmSSL is currently not able to generate new groups and therefore B can only create EC parameters from known (named) curves. =head1 EXAMPLES To create EC parameters with the group 'prime192v1': - openssl ecparam -out ec_param.pem -name prime192v1 + gmssl ecparam -out ec_param.pem -name prime192v1 To create EC parameters with explicit parameters: - openssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit + gmssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit To validate given EC parameters: - openssl ecparam -in ec_param.pem -check + gmssl ecparam -in ec_param.pem -check To create EC parameters and a private key: - openssl ecparam -out ec_key.pem -name prime192v1 -genkey + gmssl ecparam -out ec_key.pem -name prime192v1 -genkey To change the point encoding to 'compressed': - openssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed + gmssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed To print out the EC parameters to standard output: - openssl ecparam -in ec_param.pem -noout -text + gmssl ecparam -in ec_param.pem -noout -text =head1 SEE ALSO @@ -170,10 +170,10 @@ L, L =head1 HISTORY -The ecparam command was first introduced in OpenSSL 0.9.8. +The ecparam command was first introduced in GmSSL 0.9.8. =head1 AUTHOR -Nils Larsch for the OpenSSL project (http://www.openssl.org) +Nils Larsch for the GmSSL project (http://www.openssl.org) =cut diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index 41791ad6..920c6f2d 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod @@ -6,7 +6,7 @@ enc - symmetric cipher routines =head1 SYNOPSIS -B +B [B<-in filename>] [B<-out filename>] [B<-pass arg>] @@ -53,7 +53,7 @@ the output filename, standard output by default. =item B<-pass arg> the password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-salt> @@ -62,7 +62,7 @@ use a salt in the key derivation routines. This is the default. =item B<-nosalt> don't use a salt in the key derivation routines. This option B be -used except for test purposes or compatibility with ancient versions of OpenSSL +used except for test purposes or compatibility with ancient versions of GmSSL and SSLeay. =item B<-e> @@ -90,12 +90,12 @@ if the B<-a> option is set then base64 process the data on one line. =item B<-k password> the password to derive the key from. This is for compatibility with previous -versions of OpenSSL. Superseded by the B<-pass> argument. +versions of GmSSL. Superseded by the B<-pass> argument. =item B<-kfile filename> read the password to derive the key from the first line of B. -This is for compatibility with previous versions of OpenSSL. Superseded by +This is for compatibility with previous versions of GmSSL. Superseded by the B<-pass> argument. =item B<-nosalt> @@ -151,7 +151,7 @@ debug the BIOs used for I/O. =item B<-z> Compress or decompress clear text using zlib before encryption or after -decryption. This option exists only if OpenSSL with compiled with zlib +decryption. This option exists only if GmSSL with compiled with zlib or zlib-dynamic option. =item B<-none> @@ -162,8 +162,8 @@ Use NULL cipher (no encryption or decryption of input). =head1 NOTES -The program can be called either as B or -B. But the first form doesn't work with +The program can be called either as B or +B. But the first form doesn't work with engine-provided ciphers, because this form is processed before the configuration file is read and any ENGINEs loaded. @@ -171,7 +171,7 @@ Engines which provide entirely new encryption algorithms (such as ccgost engine which provides gost89 algorithm) should be configured in the configuration file. Engines, specified in the command line using -engine options can only be used for hadrware-assisted implementations of -ciphers, which are supported by OpenSSL core or other engine, specified +ciphers, which are supported by GmSSL core or other engine, specified in the configuration file. When enc command lists supported ciphers, ciphers provided by engines, @@ -181,7 +181,7 @@ A password will be prompted for to derive the key and IV if necessary. The B<-salt> option should B be used if the key is being derived from a password unless you want compatibility with previous versions of -OpenSSL and SSLeay. +GmSSL and SSLeay. Without the B<-salt> option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason @@ -211,8 +211,8 @@ Blowfish and RC5 algorithms use a 128 bit key. Note that some of these ciphers can be disabled at compile time and some are available only if an appropriate engine is configured in the configuration file. The output of the B command run with -unsupported options (for example B) includes a -list of ciphers, supported by your versesion of OpenSSL, including +unsupported options (for example B) includes a +list of ciphers, supported by your versesion of GmSSL, including ones provided by configured engines. The B program does not support authenticated encryption modes @@ -293,32 +293,32 @@ authentication tag. Just base64 encode a binary file: - openssl base64 -in file.bin -out file.b64 + gmssl base64 -in file.bin -out file.b64 Decode the same file - openssl base64 -d -in file.b64 -out file.bin + gmssl base64 -d -in file.b64 -out file.bin Encrypt a file using triple DES in CBC mode using a prompted password: - openssl des3 -salt -in file.txt -out file.des3 + gmssl des3 -salt -in file.txt -out file.des3 Decrypt a file using a supplied password: - openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword + gmssl des3 -d -salt -in file.des3 -out file.txt -k mypassword Encrypt a file then base64 encode it (so it can be sent via mail for example) using Blowfish in CBC mode: - openssl bf -a -salt -in file.txt -out file.bf + gmssl bf -a -salt -in file.txt -out file.bf Base64 decode a file then decrypt it: - openssl bf -d -salt -a -in file.bf -out file.txt + gmssl bf -d -salt -a -in file.bf -out file.txt Decrypt some data using a supplied 40 bit RC4 key: - openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405 + gmssl rc4-40 -in file.rc4 -out file.txt -K 0102030405 =head1 BUGS diff --git a/doc/apps/errstr.pod b/doc/apps/errstr.pod index b3c6ccfc..684288df 100644 --- a/doc/apps/errstr.pod +++ b/doc/apps/errstr.pod @@ -6,7 +6,7 @@ errstr - lookup error codes =head1 SYNOPSIS -B +B =head1 DESCRIPTION @@ -23,7 +23,7 @@ The error code: can be displayed with: - openssl errstr 2006D080 + gmssl errstr 2006D080 to produce the error message: diff --git a/doc/apps/gendsa.pod b/doc/apps/gendsa.pod index d9f56be8..d4c5d698 100644 --- a/doc/apps/gendsa.pod +++ b/doc/apps/gendsa.pod @@ -6,7 +6,7 @@ gendsa - generate a DSA private key from a set of parameters =head1 SYNOPSIS -B B +B B [B<-out filename>] [B<-aes128>] [B<-aes192>] @@ -24,7 +24,7 @@ B B =head1 DESCRIPTION The B command generates a DSA private key from a DSA parameter file -(which will be typically generated by the B command). +(which will be typically generated by the B command). =head1 OPTIONS @@ -55,7 +55,7 @@ for all available algorithms. This option specifies the DSA parameter file to use. The parameters in this file determine the size of the private key. DSA parameters can be generated -and examined using the B command. +and examined using the B command. =back diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod index 929edcd2..e328911d 100644 --- a/doc/apps/genpkey.pod +++ b/doc/apps/genpkey.pod @@ -6,7 +6,7 @@ genpkey - generate a private key =head1 SYNOPSIS -B B +B B [B<-out filename>] [B<-outform PEM|DER>] [B<-pass arg>] @@ -38,7 +38,7 @@ This specifies the output format DER or PEM. =item B<-pass arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-cipher> @@ -88,7 +88,7 @@ parameters along with the PEM or DER structure. =head1 KEY GENERATION OPTIONS The options supported by each algorith and indeed each implementation of an -algorithm can vary. The options for the OpenSSL implementations are detailed +algorithm can vary. The options for the GmSSL implementations are detailed below. =head1 RSA KEY GENERATION OPTIONS @@ -152,7 +152,7 @@ the EC curve to use. =head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS Gost 2001 support is not enabled by default. To enable this algorithm, -one should load the ccgost engine in the OpenSSL configuration file. +one should load the ccgost engine in the GmSSL configuration file. See README.gost file in the engines/ccgost directiry of the source distribution for more details. @@ -190,38 +190,38 @@ can be used. Generate an RSA private key using default parameters: - openssl genpkey -algorithm RSA -out key.pem + gmssl genpkey -algorithm RSA -out key.pem Encrypt output private key using 128 bit AES and the passphrase "hello": - openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello + gmssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello Generate a 2048 bit RSA key using 3 as the public exponent: - openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ + gmssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:3 Generate 1024 bit DSA parameters: - openssl genpkey -genparam -algorithm DSA -out dsap.pem \ + gmssl genpkey -genparam -algorithm DSA -out dsap.pem \ -pkeyopt dsa_paramgen_bits:1024 Generate DSA key from parameters: - openssl genpkey -paramfile dsap.pem -out dsakey.pem + gmssl genpkey -paramfile dsap.pem -out dsakey.pem Generate 1024 bit DH parameters: - openssl genpkey -genparam -algorithm DH -out dhp.pem \ + gmssl genpkey -genparam -algorithm DH -out dhp.pem \ -pkeyopt dh_paramgen_prime_len:1024 Output RFC5114 2048 bit DH parameters with 224 bit subgroup: - openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2 + gmssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2 Generate DH key from parameters: - openssl genpkey -paramfile dhp.pem -out dhkey.pem + gmssl genpkey -paramfile dhp.pem -out dhkey.pem =cut diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod index cb03d09b..1db6beb7 100644 --- a/doc/apps/genrsa.pod +++ b/doc/apps/genrsa.pod @@ -6,7 +6,7 @@ genrsa - generate an RSA private key =head1 SYNOPSIS -B B +B B [B<-out filename>] [B<-passout arg>] [B<-aes128>] @@ -46,7 +46,7 @@ used. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> diff --git a/doc/apps/openssl.pod b/doc/apps/gmssl.pod similarity index 91% rename from doc/apps/openssl.pod rename to doc/apps/gmssl.pod index 3586c0aa..bde17ade 100644 --- a/doc/apps/openssl.pod +++ b/doc/apps/gmssl.pod @@ -14,13 +14,13 @@ I B [ B | B | B | B | B | B] -B BI [ I ] +B BI [ I ] =head1 DESCRIPTION -OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL +GmSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related -cryptography standards required by them. GmSSL is a fork of OpenSSL with +cryptography standards required by them. GmSSL is a fork of GmSSL with Chinese cryptography algorithms and standards. The B program is a command line tool for using the various @@ -120,11 +120,11 @@ L|genpkey(1)> and L|pkeyparam(1)> =item L|ec(1)> -EC (Elliptic curve) key processing +EC/SM2 (Elliptic curve) key processing =item L|ecparam(1)> -EC parameter manipulation and generation +EC/SM2 parameter manipulation and generation =item L|enc(1)> @@ -211,14 +211,14 @@ by L|pkeyutl(1)> This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but -internally uses mostly all functionality of the OpenSSL B library. +internally uses mostly all functionality of the GmSSL B library. =item L|s_server(1)> This implements a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all -functionality of the OpenSSL B library. It provides both an own command +functionality of the GmSSL B library. It provides both an own command line oriented protocol for testing SSL functions and a simple HTTP response facility to emulate an SSL/TLS-aware webserver. @@ -252,7 +252,7 @@ X.509 Certificate Verification. =item L|version(1)> -OpenSSL Version Information. +GmSSL Version Information. =item L|x509(1)> @@ -264,9 +264,9 @@ X.509 Certificate Data Management. =over 10 -=item B +=item B -MD2 Digest +SM3 Digest =item B @@ -314,9 +314,9 @@ SHA-512 Digest Base64 Encoding -=item B +=item B -Blowfish Cipher +SMS4 Cipher =item B @@ -401,7 +401,7 @@ L, L, L, L, L, L, L, L, L, L, L, L, -L, L, L, +L, L, L, L, L, L, L, L, L, L, @@ -413,10 +413,10 @@ L, L, L =head1 HISTORY -The openssl(1) document appeared in OpenSSL 0.9.2. -The BIB<-commands> pseudo-commands were added in OpenSSL 0.9.3; -The BIB<-algorithms> pseudo-commands were added in OpenSSL 1.0.0; -the BI pseudo-commands were added in OpenSSL 0.9.5a. +The gmssl(1) document appeared in GmSSL 0.9.2. +The BIB<-commands> pseudo-commands were added in GmSSL 0.9.3; +The BIB<-algorithms> pseudo-commands were added in GmSSL 1.0.0; +the BI pseudo-commands were added in GmSSL 0.9.5a. For notes on the availability of other commands, see their individual manual pages. diff --git a/doc/apps/nseq.pod b/doc/apps/nseq.pod index 989c3108..1130b941 100644 --- a/doc/apps/nseq.pod +++ b/doc/apps/nseq.pod @@ -6,7 +6,7 @@ nseq - create or examine a netscape certificate sequence =head1 SYNOPSIS -B B +B B [B<-in filename>] [B<-out filename>] [B<-toseq>] @@ -44,11 +44,11 @@ a file of certificates. Output the certificates in a Netscape certificate sequence - openssl nseq -in nseq.pem -out certs.pem + gmssl nseq -in nseq.pem -out certs.pem Create a Netscape certificate sequence - openssl nseq -in certs.pem -toseq -out nseq.pem + gmssl nseq -in certs.pem -toseq -out nseq.pem =head1 NOTES diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 4639502a..e299167b 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -6,7 +6,7 @@ ocsp - Online Certificate Status Protocol utility =head1 SYNOPSIS -B B +B B [B<-out file>] [B<-issuer file>] [B<-cert file>] @@ -297,7 +297,7 @@ the OCSP request checked using the responder certificate's public key. Then a normal certificate verify is performed on the OCSP responder certificate building up a certificate chain in the process. The locations of the trusted certificates used to build the chain can be specified by the B -and B options or they will be looked for in the standard OpenSSL +and B options or they will be looked for in the standard GmSSL certificates directory. If the initial verify fails then the OCSP verify process halts with an @@ -325,7 +325,7 @@ If the OCSP responder is a "global responder" which can give details about multiple CAs and has its own separate certificate chain then its root CA can be trusted for OCSP signing. For example: - openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem + gmssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem Alternatively the responder certificate itself can be explicitly trusted with the B<-VAfile> option. @@ -351,42 +351,42 @@ script using the B and B options. Create an OCSP request and write it to a file: - openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der + gmssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the response to a file and print it out in text form - openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ + gmssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ -url http://ocsp.myhost.com/ -resp_text -respout resp.der Read in an OCSP response and print out text form: - openssl ocsp -respin resp.der -text + gmssl ocsp -respin resp.der -text OCSP server on port 8888 using a standard B configuration, and a separate responder certificate. All requests and responses are printed to a file. - openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem + gmssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -text -out log.txt As above but exit after processing one request: - openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem + gmssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -nrequest 1 Query status information using internally generated request: - openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem + gmssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1 Query status information using request read from a file, write response to a second file. - openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem + gmssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der =head1 HISTORY -The -no_alt_chains options was first added to OpenSSL 1.0.2b. +The -no_alt_chains options was first added to GmSSL 1.0.2b. =cut diff --git a/doc/apps/passwd.pod b/doc/apps/passwd.pod index f4498254..0aa26062 100644 --- a/doc/apps/passwd.pod +++ b/doc/apps/passwd.pod @@ -6,7 +6,7 @@ passwd - compute password hashes =head1 SYNOPSIS -B +B [B<-crypt>] [B<-1>] [B<-apr1>] @@ -73,10 +73,10 @@ to each password hash. =head1 EXAMPLES -B prints B. +B prints B. -B prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>. +B prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>. -B prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. +B prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. =cut diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index 8e0d9179..3b783900 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod @@ -7,7 +7,7 @@ pkcs12 - PKCS#12 file utility =head1 SYNOPSIS -B B +B B [B<-export>] [B<-chain>] [B<-inkey filename>] @@ -71,13 +71,13 @@ default. They are all written in PEM format. the PKCS#12 file (i.e. input file) password source. For more information about the format of B see the B section in -L. +L. =item B<-passout arg> pass phrase source to encrypt any outputted private keys with. For more information about the format of B see the B section -in L. +in L. =item B<-password arg> @@ -192,13 +192,13 @@ displays them. the PKCS#12 file (i.e. output file) password source. For more information about the format of B see the B section in -L. +L. =item B<-passin password> pass phrase source to decrypt any input private keys with. For more information about the format of B see the B section in -L. +L. =item B<-chain> @@ -315,38 +315,38 @@ description of all algorithms is contained in the B manual page. Parse a PKCS#12 file and output it to a file: - openssl pkcs12 -in file.p12 -out file.pem + gmssl pkcs12 -in file.p12 -out file.pem Output only client certificates to a file: - openssl pkcs12 -in file.p12 -clcerts -out file.pem + gmssl pkcs12 -in file.p12 -clcerts -out file.pem Don't encrypt the private key: - openssl pkcs12 -in file.p12 -out file.pem -nodes + gmssl pkcs12 -in file.p12 -out file.pem -nodes Print some info about a PKCS#12 file: - openssl pkcs12 -in file.p12 -info -noout + gmssl pkcs12 -in file.p12 -info -noout Create a PKCS#12 file: - openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" + gmssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" Include some extra certificates: - openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \ + gmssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \ -certfile othercerts.pem =head1 BUGS Some would argue that the PKCS#12 standard is one big bug :-) -Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation +Versions of GmSSL before 0.9.6a had a bug in the PKCS#12 key generation routines. Under rare circumstances this could produce a PKCS#12 file encrypted with an invalid key. As a result some PKCS#12 files which triggered this bug from other implementations (MSIE or Netscape) could not be decrypted -by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could +by GmSSL and similarly GmSSL could produce PKCS#12 files which could not be decrypted by other implementations. The chances of producing such a file are relatively small: less than 1 in 256. @@ -356,11 +356,11 @@ the B utility will report that the MAC is OK but fail with a decryption error when extracting private keys. This problem can be resolved by extracting the private keys and certificates -from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 -file from the keys and certificates using a newer version of OpenSSL. For example: +from the PKCS#12 file using an older version of GmSSL and recreating the PKCS#12 +file from the keys and certificates using a newer version of GmSSL. For example: - old-openssl -in bad.p12 -out keycerts.pem - openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 + old-gmssl -in bad.p12 -out keycerts.pem + gmssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 =head1 SEE ALSO diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod index acfb8100..e0964a8d 100644 --- a/doc/apps/pkcs7.pod +++ b/doc/apps/pkcs7.pod @@ -6,7 +6,7 @@ pkcs7 - PKCS#7 utility =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -73,11 +73,11 @@ for all available algorithms. Convert a PKCS#7 file from PEM to DER: - openssl pkcs7 -in file.pem -outform DER -out file.der + gmssl pkcs7 -in file.pem -outform DER -out file.der Output all certificates in a file: - openssl pkcs7 -in file.pem -print_certs -out certs.pem + gmssl pkcs7 -in file.pem -print_certs -out certs.pem =head1 NOTES diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod index 6901f1f3..db625d8e 100644 --- a/doc/apps/pkcs8.pod +++ b/doc/apps/pkcs8.pod @@ -6,7 +6,7 @@ pkcs8 - PKCS#8 format private key conversion tool =head1 SYNOPSIS -B B +B B [B<-topk8>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] @@ -62,7 +62,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -74,7 +74,7 @@ filename. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-nocrypt> @@ -114,7 +114,7 @@ was the strongest encryption algorithm supported in PKCS#5 v1.5. Using the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any encryption algorithm such as 168 bit triple DES or 128 bit RC2 however not many implementations support PKCS#5 v2.0 yet. If you are just using -private keys with OpenSSL then this doesn't matter. +private keys with GmSSL then this doesn't matter. The B argument is the encryption algorithm to use, valid values include B, B and B. It is recommended that B is used. @@ -200,30 +200,30 @@ allow strong encryption algorithms like triple DES or 128 bit RC2 to be used. Convert a private from traditional to PKCS#5 v2.0 format using triple DES: - openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem + gmssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem Convert a private from traditional to PKCS#5 v2.0 format using AES with 256 bits in CBC mode and B PRF: - openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -out enckey.pem + gmssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -out enckey.pem Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm (DES): - openssl pkcs8 -in key.pem -topk8 -out enckey.pem + gmssl pkcs8 -in key.pem -topk8 -out enckey.pem Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm (3DES): - openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES + gmssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES Read a DER unencrypted PKCS#8 format private key: - openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem + gmssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem Convert a private key from any PKCS#8 format to traditional format: - openssl pkcs8 -in pk8.pem -out key.pem + gmssl pkcs8 -in pk8.pem -out key.pem =head1 STANDARDS @@ -235,7 +235,7 @@ implementation is reasonably accurate at least as far as these algorithms are concerned. The format of PKCS#8 DSA (and other) private keys is not well documented: -it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA +it is hidden away in PKCS#11 v2.01, section 11.9. GmSSL's default DSA PKCS#8 private key format complies with this standard. =head1 BUGS @@ -244,7 +244,7 @@ There should be an option that prints out the encryption algorithm in use and other details such as the iteration count. PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private -key format for OpenSSL: for compatibility several of the utilities use +key format for GmSSL: for compatibility several of the utilities use the old format at present. =head1 SEE ALSO diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod index 4851223f..753341b0 100644 --- a/doc/apps/pkey.pod +++ b/doc/apps/pkey.pod @@ -7,7 +7,7 @@ pkey - public or private key processing tool =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -49,7 +49,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -61,7 +61,7 @@ filename. =item B<-passout password> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-cipher> @@ -105,27 +105,27 @@ for all available algorithms. To remove the pass phrase on an RSA private key: - openssl pkey -in key.pem -out keyout.pem + gmssl pkey -in key.pem -out keyout.pem To encrypt a private key using triple DES: - openssl pkey -in key.pem -des3 -out keyout.pem + gmssl pkey -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: - openssl pkey -in key.pem -outform DER -out keyout.der + gmssl pkey -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: - openssl pkey -in key.pem -text -noout + gmssl pkey -in key.pem -text -noout To print out the public components of a private key to standard output: - openssl pkey -in key.pem -text_pub -noout + gmssl pkey -in key.pem -text_pub -noout To just output the public part of a private key: - openssl pkey -in key.pem -pubout -out pubkey.pem + gmssl pkey -in key.pem -pubout -out pubkey.pem =head1 SEE ALSO diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod index 154f6721..8dbed5d9 100644 --- a/doc/apps/pkeyparam.pod +++ b/doc/apps/pkeyparam.pod @@ -7,7 +7,7 @@ pkeyparam - public key algorithm parameter processing tool =head1 SYNOPSIS -B B +B B [B<-in filename>] [B<-out filename>] [B<-text>] @@ -54,7 +54,7 @@ for all available algorithms. Print out text version of parameters: - openssl pkeyparam -in param.pem -text + gmssl pkeyparam -in param.pem -text =head1 NOTES diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod index 27be9a90..364159ec 100644 --- a/doc/apps/pkeyutl.pod +++ b/doc/apps/pkeyutl.pod @@ -6,7 +6,7 @@ pkeyutl - public key algorithm utility =head1 SYNOPSIS -B B +B B [B<-in file>] [B<-out file>] [B<-sigfile file>] @@ -59,7 +59,7 @@ the key format PEM, DER or ENGINE. =item B<-passin arg> the input key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-peerkey file> @@ -131,7 +131,7 @@ B<-verifyrecover> option when an ASN1 structure is signed. =head1 NOTES The operations and options supported vary according to the key algorithm -and its implementation. The OpenSSL operations and options are indicated below. +and its implementation. The GmSSL operations and options are indicated below. Unless otherwise mentioned all algorithms support the B option which specifies the digest in use for sign, verify and verifyrecover operations. @@ -198,23 +198,23 @@ this digest is assumed by default. Sign some data using a private key: - openssl pkeyutl -sign -in file -inkey key.pem -out sig + gmssl pkeyutl -sign -in file -inkey key.pem -out sig Recover the signed data (e.g. if an RSA key is used): - openssl pkeyutl -verifyrecover -in sig -inkey key.pem + gmssl pkeyutl -verifyrecover -in sig -inkey key.pem Verify the signature (e.g. a DSA key): - openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem + gmssl pkeyutl -verify -in file -sigfile sig -inkey key.pem Sign data using a message digest value (this is currently only valid for RSA): - openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256 + gmssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256 Derive a shared secret value: - openssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret + gmssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret =head1 SEE ALSO diff --git a/doc/apps/rand.pod b/doc/apps/rand.pod index d1d213ef..fe047fe7 100644 --- a/doc/apps/rand.pod +++ b/doc/apps/rand.pod @@ -6,7 +6,7 @@ rand - generate pseudo-random bytes =head1 SYNOPSIS -B +B [B<-out> I] [B<-rand> I] [B<-base64>] @@ -16,7 +16,7 @@ I =head1 DESCRIPTION The B command outputs I pseudo-random bytes after seeding -the random number generator once. As in other B command +the random number generator once. As in other B command line tools, PRNG seeding uses the file I<$HOME/>B<.rnd> or B<.rnd> in addition to the files given in the B<-rand> option. A new I<$HOME>/B<.rnd> or B<.rnd> file will be written back if enough diff --git a/doc/apps/req.pod b/doc/apps/req.pod index df68cb09..bf879665 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -7,7 +7,7 @@ req - PKCS#10 certificate request and certificate generating utility. =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -80,7 +80,7 @@ options (B<-new> and B<-newkey>) are not specified. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -90,7 +90,7 @@ default. =item B<-passout arg> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-text> @@ -225,7 +225,7 @@ characters may be escaped by \ (backslash), no spaces are skipped. this option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example: -I +I If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. @@ -436,7 +436,7 @@ configuration file, must be valid UTF8 strings. this specifies the section containing any request attributes: its format is the same as B. Typically these may contain the challengePassword or unstructuredName types. They are currently ignored -by OpenSSL's request signing utilities but some CAs might want them. +by GmSSL's request signing utilities but some CAs might want them. =item B @@ -488,7 +488,7 @@ they will be ignored. So for example a second organizationName can be input by calling it "1.organizationName". The actual permitted field names are any object identifier short or -long names. These are compiled into OpenSSL and include the usual +long names. These are compiled into GmSSL and include the usual values such as commonName, countryName, localityName, organizationName, organizationUnitName, stateOrProvinceName. Additionally emailAddress is include as well as name, surname, givenName initials and dnQualifier. @@ -502,20 +502,20 @@ will be treated as though they were a DirectoryString. Examine and verify certificate request: - openssl req -in req.pem -text -verify -noout + gmssl req -in req.pem -text -verify -noout Create a private key and then generate a certificate request from it: - openssl genrsa -out key.pem 1024 - openssl req -new -key key.pem -out req.pem + gmssl genrsa -out key.pem 1024 + gmssl req -new -key key.pem -out req.pem The same but just using req: - openssl req -newkey rsa:1024 -keyout key.pem -out req.pem + gmssl req -newkey rsa:1024 -keyout key.pem -out req.pem Generate a self signed root certificate: - openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem + gmssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem Example of a file pointed to by the B option: @@ -654,13 +654,13 @@ environment variable serves the same purpose but its use is discouraged. =head1 BUGS -OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively +GmSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour. This can cause problems if you need characters that aren't available in PrintableStrings and you don't want to or can't use BMPStrings. As a consequence of the T61String handling the only correct way to represent -accented characters in OpenSSL is to use a BMPString: unfortunately Netscape +accented characters in GmSSL is to use a BMPString: unfortunately Netscape currently chokes on these. If you have to use accented characters with Netscape and MSIE then you currently need to use the invalid T61String form. diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod index 21cbf8ee..0fd89031 100644 --- a/doc/apps/rsa.pod +++ b/doc/apps/rsa.pod @@ -7,7 +7,7 @@ rsa - RSA key processing tool =head1 SYNOPSIS -B B +B B [B<-inform PEM|NET|DER>] [B<-outform PEM|NET|DER>] [B<-in filename>] @@ -69,7 +69,7 @@ prompted for. =item B<-passin arg> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-out filename> @@ -81,7 +81,7 @@ filename. =item B<-passout password> the output file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-sgckey> @@ -172,27 +172,27 @@ an error after entering the password try the B<-sgckey> option. To remove the pass phrase on an RSA private key: - openssl rsa -in key.pem -out keyout.pem + gmssl rsa -in key.pem -out keyout.pem To encrypt a private key using triple DES: - openssl rsa -in key.pem -des3 -out keyout.pem + gmssl rsa -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: - openssl rsa -in key.pem -outform DER -out keyout.der + gmssl rsa -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: - openssl rsa -in key.pem -text -noout + gmssl rsa -in key.pem -text -noout To just output the public part of a private key: - openssl rsa -in key.pem -pubout -out pubkey.pem + gmssl rsa -in key.pem -pubout -out pubkey.pem Output the public part of a private key in B format: - openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem + gmssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem =head1 BUGS diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod index 1a498c2f..aa69a46f 100644 --- a/doc/apps/rsautl.pod +++ b/doc/apps/rsautl.pod @@ -6,7 +6,7 @@ rsautl - RSA utility =head1 SYNOPSIS -B B +B B [B<-in file>] [B<-out file>] [B<-inkey file>] @@ -97,15 +97,15 @@ used to sign or verify small pieces of data. Sign some data using a private key: - openssl rsautl -sign -in file -inkey key.pem -out sig + gmssl rsautl -sign -in file -inkey key.pem -out sig Recover the signed data - openssl rsautl -verify -in sig -inkey key.pem + gmssl rsautl -verify -in sig -inkey key.pem Examine the raw signed data: - openssl rsautl -verify -in file -inkey key.pem -raw -hexdump + gmssl rsautl -verify -in file -inkey key.pem -raw -hexdump 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ @@ -124,7 +124,7 @@ It is possible to analyse the signature of certificates using this utility in conjunction with B. Consider the self signed example in certs/pca-cert.pem . Running B as follows yields: - openssl asn1parse -in pca-cert.pem + gmssl asn1parse -in pca-cert.pem 0:d=0 hl=4 l= 742 cons: SEQUENCE 4:d=1 hl=4 l= 591 cons: SEQUENCE @@ -148,15 +148,15 @@ example in certs/pca-cert.pem . Running B as follows yields: The final BIT STRING contains the actual signature. It can be extracted with: - openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614 + gmssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614 The certificate public key can be extracted with: - openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem + gmssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem The signature can be analysed with: - openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin + gmssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin 0:d=0 hl=2 l= 32 cons: SEQUENCE 2:d=1 hl=2 l= 12 cons: SEQUENCE @@ -169,11 +169,11 @@ This is the parsed version of an ASN1 DigestInfo structure. It can be seen that the digest used was md5. The actual part of the certificate that was signed can be extracted with: - openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4 + gmssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4 and its digest computed with: - openssl md5 -c tbs + gmssl md5 -c tbs MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5 which it can be seen agrees with the recovered value above. diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 84d05270..0ad2b437 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -7,7 +7,7 @@ s_client - SSL/TLS client program =head1 SYNOPSIS -B B +B B [B<-connect host:port>] [B<-servername name>] [B<-verify depth>] @@ -95,7 +95,7 @@ The private format to use: DER or PEM. PEM is the default. =item B<-pass arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-verify depth> @@ -308,7 +308,7 @@ connection will be closed down. B can be used to debug SSL servers. To connect to an SSL HTTP server the command: - openssl s_client -connect servername:443 + gmssl s_client -connect servername:443 would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as "GET /" to retrieve a web page. @@ -317,7 +317,7 @@ If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried in case it is a buggy server. In particular you should play with these -options B submitting a bug report to an OpenSSL mailing list. +options B submitting a bug report to an GmSSL mailing list. A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty @@ -364,6 +364,6 @@ L, L, L =head1 HISTORY -The -no_alt_chains options was first added to OpenSSL 1.0.2b. +The -no_alt_chains options was first added to GmSSL 1.0.2b. =cut diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index baca7792..5a76678a 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -7,7 +7,7 @@ s_server - SSL/TLS server program =head1 SYNOPSIS -B B +B B [B<-accept port>] [B<-context id>] [B<-verify depth>] @@ -105,7 +105,7 @@ The private format to use: DER or PEM. PEM is the default. =item B<-pass arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-dcert filename>, B<-dkey keyname> @@ -380,13 +380,13 @@ print out some session cache status information. B can be used to debug SSL clients. To accept connections from a web browser the command: - openssl s_server -accept 443 -www + gmssl s_server -accept 443 -www can be used for example. Most web browsers (in particular Netscape and MSIE) only support RSA cipher suites, so they cannot connect to servers which don't use a certificate -carrying an RSA key or a version of OpenSSL with RSA disabled. +carrying an RSA key or a version of GmSSL with RSA disabled. Although specifying an empty list of CAs when requesting a client certificate is strictly speaking a protocol violation, some SSL clients interpret this to @@ -402,7 +402,7 @@ hard to read and not a model of how things should be done. A typical SSL server program would be much simpler. The output of common ciphers is wrong: it just gives the list of ciphers that -OpenSSL recognizes and the client supports. +GmSSL recognizes and the client supports. There should be a way for the B program to print out details of any unknown cipher suites a client says it supports. @@ -413,6 +413,6 @@ L, L, L =head1 HISTORY -The -no_alt_chains options was first added to OpenSSL 1.0.2b. +The -no_alt_chains options was first added to GmSSL 1.0.2b. =cut diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod index 5a38aa2e..917c94e2 100644 --- a/doc/apps/s_time.pod +++ b/doc/apps/s_time.pod @@ -7,7 +7,7 @@ s_time - SSL/TLS performance timing program =head1 SYNOPSIS -B B +B B [B<-connect host:port>] [B<-www page>] [B<-cert filename>] @@ -130,7 +130,7 @@ and the link speed determine how many connections B can establish. B can be used to measure the performance of an SSL connection. To connect to an SSL HTTP server and get the default page the command - openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] + gmssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] would typically be used (https uses port 443). 'commoncipher' is a cipher to which both client and server can agree, see the L command @@ -140,7 +140,7 @@ If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, B<-ssl3> options can be tried in case it is a buggy server. In particular you should play with these -options B submitting a bug report to an OpenSSL mailing list. +options B submitting a bug report to an GmSSL mailing list. A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod index 9988d2cd..ae33f034 100644 --- a/doc/apps/sess_id.pod +++ b/doc/apps/sess_id.pod @@ -7,7 +7,7 @@ sess_id - SSL/TLS session handling utility =head1 SYNOPSIS -B B +B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index d5618c8f..4ee55a02 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -6,7 +6,7 @@ smime - S/MIME utility =head1 SYNOPSIS -B B +B B [B<-encrypt>] [B<-decrypt>] [B<-sign>] @@ -158,7 +158,7 @@ the encryption algorithm to use. For example DES (56 bits) - B<-des>, triple DES (168 bits) - B<-des3>, EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes_128_cbc>. See L|enc(1)> for list of ciphers -supported by your version of OpenSSL. +supported by your version of GmSSL. If not specified triple DES is used. Only used with B<-encrypt>. @@ -238,7 +238,7 @@ multiple times to specify successive keys. =item B<-passin arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-rand file(s)> @@ -341,46 +341,46 @@ the signers certificates. Create a cleartext signed message: - openssl smime -sign -in message.txt -text -out mail.msg \ + gmssl smime -sign -in message.txt -text -out mail.msg \ -signer mycert.pem Create an opaque signed message: - openssl smime -sign -in message.txt -text -out mail.msg -nodetach \ + gmssl smime -sign -in message.txt -text -out mail.msg -nodetach \ -signer mycert.pem Create a signed message, include some additional certificates and read the private key from another file: - openssl smime -sign -in in.txt -text -out mail.msg \ + gmssl smime -sign -in in.txt -text -out mail.msg \ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem Create a signed message with two signers: - openssl smime -sign -in message.txt -text -out mail.msg \ + gmssl smime -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -signer othercert.pem Send a signed message under Unix directly to sendmail, including headers: - openssl smime -sign -in in.txt -text -signer mycert.pem \ - -from steve@openssl.org -to someone@somewhere \ + gmssl smime -sign -in in.txt -text -signer mycert.pem \ + -from steve@gmssl.org -to someone@somewhere \ -subject "Signed message" | sendmail someone@somewhere Verify a message and extract the signer's certificate if successful: - openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt + gmssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt Send encrypted mail using triple DES: - openssl smime -encrypt -in in.txt -from steve@openssl.org \ + gmssl smime -encrypt -in in.txt -from steve@gmssl.org \ -to someone@somewhere -subject "Encrypted message" \ -des3 user.pem -out mail.msg Sign and encrypt mail: - openssl smime -sign -in ml.txt -signer my.pem -text \ - | openssl smime -encrypt -out mail.msg \ - -from steve@openssl.org -to someone@somewhere \ + gmssl smime -sign -in ml.txt -signer my.pem -text \ + | gmssl smime -encrypt -out mail.msg \ + -from steve@gmssl.org -to someone@somewhere \ -subject "Signed and Encrypted message" -des3 user.pem Note: the encryption command does not include the B<-text> option because the @@ -388,7 +388,7 @@ message being encrypted already has MIME headers. Decrypt mail: - openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem + gmssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the @@ -400,19 +400,19 @@ it with: and using the command: - openssl smime -verify -inform PEM -in signature.pem -content content.txt + gmssl smime -verify -inform PEM -in signature.pem -content content.txt Alternatively you can base64 decode the signature and use: - openssl smime -verify -inform DER -in signature.der -content content.txt + gmssl smime -verify -inform DER -in signature.der -content content.txt Create an encrypted message using 128 bit Camellia: - openssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem + gmssl smime -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem Add a signer to an existing message: - openssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg + gmssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg =head1 BUGS @@ -440,8 +440,8 @@ structures may cause parsing errors. =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first -added in OpenSSL 1.0.0 +added in GmSSL 1.0.0 -The -no_alt_chains options was first added to OpenSSL 1.0.2b. +The -no_alt_chains options was first added to GmSSL 1.0.2b. =cut diff --git a/doc/apps/speed.pod b/doc/apps/speed.pod index 1cd1998d..e1302827 100644 --- a/doc/apps/speed.pod +++ b/doc/apps/speed.pod @@ -6,7 +6,7 @@ speed - test library performance =head1 SYNOPSIS -B +B [B<-engine id>] [B] [B] diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod index 97fb80e4..6e3f6a80 100644 --- a/doc/apps/spkac.pod +++ b/doc/apps/spkac.pod @@ -6,7 +6,7 @@ spkac - SPKAC printing and generating utility =head1 SYNOPSIS -B B +B B [B<-in filename>] [B<-out filename>] [B<-key keyfile>] @@ -48,7 +48,7 @@ present. =item B<-passin password> the input file password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-challenge string> @@ -92,15 +92,15 @@ for all available algorithms. Print out the contents of an SPKAC: - openssl spkac -in spkac.cnf + gmssl spkac -in spkac.cnf Verify the signature of an SPKAC: - openssl spkac -in spkac.cnf -noout -verify + gmssl spkac -in spkac.cnf -noout -verify Create an SPKAC using the challenge string "hello": - openssl spkac -key key.pem -challenge hello -out spkac.cnf + gmssl spkac -key key.pem -challenge hello -out spkac.cnf Example of an SPKAC, (long lines split up for clarity): diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod index d6aa47d3..4dfa48cb 100644 --- a/doc/apps/ts.pod +++ b/doc/apps/ts.pod @@ -6,7 +6,7 @@ ts - Time Stamping Authority tool (client/server) =head1 SYNOPSIS -B B +B B B<-query> [B<-rand> file:file...] [B<-config> configfile] @@ -20,7 +20,7 @@ B<-query> [B<-out> request.tsq] [B<-text>] -B B +B B B<-reply> [B<-config> configfile] [B<-section> tsa_section] @@ -37,7 +37,7 @@ B<-reply> [B<-text>] [B<-engine> id] -B B +B B B<-verify> [B<-data> file_to_hash] [B<-digest> digest_bytes] @@ -127,7 +127,7 @@ in use. (Optional) =item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> The message digest to apply to the data file, it supports all the message -digest algorithms that are supported by the openssl B command. +digest algorithms that are supported by the gmssl B command. The default is SHA-1. (Optional) =item B<-policy> object_id @@ -200,7 +200,7 @@ The name of the file containing a DER encoded time stamp request. (Optional) =item B<-passin> password_src Specifies the password source for the private key of the TSA. See -B in L. (Optional) +B in L. (Optional) =item B<-signer> tsa_cert.pem @@ -375,9 +375,9 @@ generation a new file is created with serial number 1. (Mandatory) =item B -Specifies the OpenSSL engine that will be set as the default for +Specifies the GmSSL engine that will be set as the default for all available algorithms. The default value is builtin, you can specify -any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM). +any other engines supported by GmSSL (e.g. use chil for the NCipher HSM). (Optional) =item B @@ -459,32 +459,32 @@ overridden by the B<-config> command line option. All the examples below presume that B is set to a proper configuration file, e.g. the example configuration file -openssl/apps/openssl.cnf will do. +gmssl/apps/openssl.cnf will do. =head2 Time Stamp Request To create a time stamp request for design1.txt with SHA-1 without nonce and policy and no certificate is required in the response: - openssl ts -query -data design1.txt -no_nonce \ + gmssl ts -query -data design1.txt -no_nonce \ -out design1.tsq To create a similar time stamp request with specifying the message imprint explicitly: - openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ + gmssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ -no_nonce -out design1.tsq To print the content of the previous request in human readable format: - openssl ts -query -in design1.tsq -text + gmssl ts -query -in design1.tsq -text To create a time stamp request which includes the MD-5 digest of design2.txt, requests the signer certificate and nonce, specifies a policy id (assuming the tsa_policy1 name is defined in the OID section of the config file): - openssl ts -query -data design2.txt -md5 \ + gmssl ts -query -data design2.txt -md5 \ -policy tsa_policy1 -cert -out design2.tsq =head2 Time Stamp Response @@ -501,52 +501,52 @@ tsakey.pem is the private key of the TSA. To create a time stamp response for a request: - openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \ + gmssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \ -signer tsacert.pem -out design1.tsr If you want to use the settings in the config file you could just write: - openssl ts -reply -queryfile design1.tsq -out design1.tsr + gmssl ts -reply -queryfile design1.tsq -out design1.tsr To print a time stamp reply to stdout in human readable format: - openssl ts -reply -in design1.tsr -text + gmssl ts -reply -in design1.tsr -text To create a time stamp token instead of time stamp response: - openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out + gmssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out To print a time stamp token to stdout in human readable format: - openssl ts -reply -in design1_token.der -token_in -text -token_out + gmssl ts -reply -in design1_token.der -token_in -text -token_out To extract the time stamp token from a response: - openssl ts -reply -in design1.tsr -out design1_token.der -token_out + gmssl ts -reply -in design1.tsr -out design1_token.der -token_out To add 'granted' status info to a time stamp token thereby creating a valid response: - openssl ts -reply -in design1_token.der -token_in -out design1.tsr + gmssl ts -reply -in design1_token.der -token_in -out design1.tsr =head2 Time Stamp Verification To verify a time stamp reply against a request: - openssl ts -verify -queryfile design1.tsq -in design1.tsr \ + gmssl ts -verify -queryfile design1.tsq -in design1.tsr \ -CAfile cacert.pem -untrusted tsacert.pem To verify a time stamp reply that includes the certificate chain: - openssl ts -verify -queryfile design2.tsq -in design2.tsr \ + gmssl ts -verify -queryfile design2.tsq -in design2.tsr \ -CAfile cacert.pem To verify a time stamp token against the original data file: - openssl ts -verify -data design2.txt -in design2.tsr \ + gmssl ts -verify -data design2.txt -in design2.tsr \ -CAfile cacert.pem To verify a time stamp token against a message imprint: - openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ + gmssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ -in design2.tsr -CAfile cacert.pem You could also look at the 'test' directory for more examples. @@ -566,7 +566,7 @@ L. Pure TCP/IP protocol is not supported. =item * The file containing the last serial number of the TSA is not locked when being read or written. This is a problem if more than one -instance of L is trying to create a time stamp +instance of L is trying to create a time stamp response at the same time. This is not an issue when using the apache server module, it does proper locking. @@ -587,7 +587,7 @@ Zoltan Glozik , OpenTSA project (http://www.opentsa.org) =head1 SEE ALSO -L, L, L, +L, L, L, L, L, L, L diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod index 56db985c..35f1e43c 100644 --- a/doc/apps/tsget.pod +++ b/doc/apps/tsget.pod @@ -26,7 +26,7 @@ B<-h> server_url The B command can be used for sending a time stamp request, as specified in B, to a time stamp server over HTTP or HTTPS and storing the time stamp response in a file. This tool cannot be used for creating the -requests and verifying responses, you can use the OpenSSL B command to +requests and verifying responses, you can use the GmSSL B command to do that. B can send several requests to the server without closing the TCP connection if more than one requests are specified on the command line. @@ -108,7 +108,7 @@ Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional) (HTTPS) The path containing the trusted CA certificates to verify the peer's certificate. The directory must be prepared with the B -OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of +GmSSL utility. Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional) =item B<-rand> file:file... @@ -156,7 +156,7 @@ progress, output is written to file1.reply and file2.reply respectively: Create a time stamp request, write it to file3.tsq, send it to the server and write the response to file3.tsr: - openssl ts -query -data file3.txt -cert | tee file3.tsq \ + gmssl ts -query -data file3.txt -cert | tee file3.tsq \ | tsget -h http://tsa.opentsa.org:8080/tsa \ -o file3.tsr @@ -188,7 +188,7 @@ Zoltan Glozik , OpenTSA project (http://www.opentsa.org) =head1 SEE ALSO -L, L, L, +L, L, L, B =cut diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index bffa6c0e..70836830 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -6,7 +6,7 @@ verify - Utility to verify certificates. =head1 SYNOPSIS -B B +B B [B<-CApath directory>] [B<-CAfile file>] [B<-purpose purpose>] @@ -134,10 +134,10 @@ Set policy variable inhibit-policy-mapping (see RFC5280). =item B<-no_alt_chains> When building a certificate chain, if the first certificate chain found is not -trusted, then OpenSSL will continue to check to see if an alternative chain can +trusted, then GmSSL will continue to check to see if an alternative chain can be found that is trusted. With this option that behaviour is suppressed so that only the first chain found is ever used. Using this option will force the -behaviour to match that of previous OpenSSL versions. +behaviour to match that of previous GmSSL versions. =item B<-trusted file> @@ -161,7 +161,7 @@ to look up valid CRLs. =item B<-ignore_critical> Normally if an unhandled critical extension is present which is not -supported by OpenSSL the certificate is rejected (as required by RFC5280). +supported by GmSSL the certificate is rejected (as required by RFC5280). If this option is set critical extensions are ignored. =item B<-x509_strict> @@ -218,9 +218,9 @@ certificate. If a certificate is found which is its own issuer it is assumed to be the root CA. The process of 'looking up the issuers certificate' itself involves a number -of steps. In versions of OpenSSL before 0.9.5a the first certificate whose +of steps. In versions of GmSSL before 0.9.5a the first certificate whose subject name matched the issuer of the current certificate was assumed to be -the issuers certificate. In OpenSSL 0.9.6 and later all certificates +the issuers certificate. In GmSSL 0.9.6 and later all certificates whose subject name matches the issuer name of the current certificate are subject to further tests. The relevant authority key identifier components of the current certificate (if present) must match the subject key identifier @@ -243,7 +243,7 @@ the B section of the B utility. The third operation is to check the trust settings on the root CA. The root CA should be trusted for the supplied purpose. For compatibility with previous -versions of SSLeay and OpenSSL a certificate with no trust settings is considered +versions of SSLeay and GmSSL a certificate with no trust settings is considered to be valid for all purposes. The final operation is to check the validity of the certificate chain. The validity @@ -434,7 +434,7 @@ trusted certificates with matching subject name must either appear in a file (as B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only the certificates in the file will be recognised. -Previous versions of OpenSSL assume certificates with matching subject name are identical and +Previous versions of GmSSL assume certificates with matching subject name are identical and mishandled them. Previous versions of this documentation swapped the meaning of the @@ -447,6 +447,6 @@ L =head1 HISTORY -The -no_alt_chains options was first added to OpenSSL 1.0.2b. +The -no_alt_chains options was first added to GmSSL 1.0.2b. =cut diff --git a/doc/apps/version.pod b/doc/apps/version.pod index 58f543bc..faf2e212 100644 --- a/doc/apps/version.pod +++ b/doc/apps/version.pod @@ -2,11 +2,11 @@ =head1 NAME -version - print OpenSSL version information +version - print GmSSL version information =head1 SYNOPSIS -B +B [B<-a>] [B<-v>] [B<-b>] @@ -17,7 +17,7 @@ B =head1 DESCRIPTION -This command is used to print out version information about OpenSSL. +This command is used to print out version information about GmSSL. =head1 OPTIONS @@ -29,11 +29,11 @@ all information, this is the same as setting all the other flags. =item B<-v> -the current OpenSSL version. +the current GmSSL version. =item B<-b> -the date the current version of OpenSSL was built. +the date the current version of GmSSL was built. =item B<-o> @@ -55,11 +55,11 @@ OPENSSLDIR setting. =head1 NOTES -The output of B would typically be used when sending +The output of B would typically be used when sending in a bug report. =head1 HISTORY -The B<-d> option was added in OpenSSL 0.9.7. +The B<-d> option was added in GmSSL 0.9.7. =cut diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index a1326ede..fa3d07df 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -7,7 +7,7 @@ x509 - Certificate display and signing utility =head1 SYNOPSIS -B B +B B [B<-inform DER|PEM|NET>] [B<-outform DER|PEM|NET>] [B<-keyform DER|PEM>] @@ -156,7 +156,7 @@ outputs the certificate serial number. =item B<-subject_hash> -outputs the "hash" of the certificate subject name. This is used in OpenSSL to +outputs the "hash" of the certificate subject name. This is used in GmSSL to form an index to allow certificates in a directory to be looked up by subject name. @@ -175,12 +175,12 @@ synonym for "-subject_hash" for backward compatibility reasons. =item B<-subject_hash_old> outputs the "hash" of the certificate subject name using the older algorithm -as used by OpenSSL versions before 1.0.0. +as used by GmSSL versions before 1.0.0. =item B<-issuer_hash_old> outputs the "hash" of the certificate issuer name using the older algorithm -as used by OpenSSL versions before 1.0.0. +as used by GmSSL versions before 1.0.0. =item B<-subject> @@ -253,7 +253,7 @@ may be trusted for SSL client but not SSL server use. See the description of the B utility for more information on the meaning of trust settings. -Future versions of OpenSSL will recognize trust settings on any +Future versions of GmSSL will recognize trust settings on any certificate: not just root CAs. @@ -289,7 +289,7 @@ clears all the prohibited or rejected uses of the certificate. adds a trusted certificate use. Any object name can be used here but currently only B (SSL client use), B (SSL server use) and B (S/MIME email) are used. -Other OpenSSL applications may define additional uses. +Other GmSSL applications may define additional uses. =item B<-addreject arg> @@ -330,7 +330,7 @@ the request. =item B<-passin arg> the key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-clrext> @@ -434,7 +434,7 @@ The format or B can be specified using the B<-keyform> option. The B command line switch determines how the subject and issuer names are displayed. If no B switch is present the default "oneline" -format is used which is compatible with previous versions of OpenSSL. +format is used which is compatible with previous versions of GmSSL. Each option is described in detail below, all options can be preceded by a B<-> to turn the option off. Only the first four will normally be used. @@ -528,7 +528,7 @@ DER encoding of the structure to be unambiguously determined. =item B -dump any field whose OID is not recognised by OpenSSL. +dump any field whose OID is not recognised by GmSSL. =item B, B, B, B @@ -653,58 +653,58 @@ line. Display the contents of a certificate: - openssl x509 -in cert.pem -noout -text + gmssl x509 -in cert.pem -noout -text Display the certificate serial number: - openssl x509 -in cert.pem -noout -serial + gmssl x509 -in cert.pem -noout -serial Display the certificate subject name: - openssl x509 -in cert.pem -noout -subject + gmssl x509 -in cert.pem -noout -subject Display the certificate subject name in RFC2253 form: - openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 + gmssl x509 -in cert.pem -noout -subject -nameopt RFC2253 Display the certificate subject name in oneline form on a terminal supporting UTF8: - openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb + gmssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb Display the certificate MD5 fingerprint: - openssl x509 -in cert.pem -noout -fingerprint + gmssl x509 -in cert.pem -noout -fingerprint Display the certificate SHA1 fingerprint: - openssl x509 -sha1 -in cert.pem -noout -fingerprint + gmssl x509 -sha1 -in cert.pem -noout -fingerprint Convert a certificate from PEM to DER format: - openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER + gmssl x509 -in cert.pem -inform PEM -out cert.der -outform DER Convert a certificate to a certificate request: - openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem + gmssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem Convert a certificate request into a self signed certificate using extensions for a CA: - openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ + gmssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ -signkey key.pem -out cacert.pem Sign a certificate request using the CA certificate above and add user certificate extensions: - openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ + gmssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ -CA cacert.pem -CAkey key.pem -CAcreateserial Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA" - openssl x509 -in cert.pem -addtrust clientAuth \ + gmssl x509 -in cert.pem -addtrust clientAuth \ -setalias "Steve's Class 1 CA" -out trust.pem =head1 NOTES @@ -868,7 +868,7 @@ dates rather than an offset from the current time. The code to implement the verify behaviour described in the B is currently being developed. It thus describes the intended behaviour rather than the current behaviour. It is hoped that it will represent reality in -OpenSSL 0.9.5 and later. +GmSSL 0.9.5 and later. =head1 SEE ALSO @@ -878,11 +878,11 @@ L =head1 HISTORY -Before OpenSSL 0.9.8, the default digest for RSA keys was MD5. +Before GmSSL 0.9.8, the default digest for RSA keys was MD5. The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options -before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding -of the distinguished name. In OpenSSL 1.0.0 and later it is based on a +before GmSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding +of the distinguished name. In GmSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using B or similar. diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod index c82cea1d..18a8b630 100644 --- a/doc/apps/x509v3_config.pod +++ b/doc/apps/x509v3_config.pod @@ -1,6 +1,6 @@ =pod -=for comment openssl_manual_section:5 +=for comment gmssl_manual_section:5 =head1 NAME @@ -8,7 +8,7 @@ x509v3_config - X509 V3 certificate extension configuration format =head1 DESCRIPTION -Several of the OpenSSL utilities can add extensions to a certificate or +Several of the GmSSL utilities can add extensions to a certificate or certificate request based on the contents of a configuration file. Typically the application will contain an option to point to an extension @@ -433,7 +433,7 @@ B, B, B, B, B. =head1 ARBITRARY EXTENSIONS -If an extension is not supported by the OpenSSL code then it must be encoded +If an extension is not supported by the GmSSL code then it must be encoded using the arbitrary extension format. It is also possible to use the arbitrary format for supported extensions. Extreme care should be taken to ensure that the data is formatted correctly for the given extension type. @@ -493,7 +493,7 @@ will produce an error but the equivalent form: is valid. -Due to the behaviour of the OpenSSL B library the same field name +Due to the behaviour of the GmSSL B library the same field name can only occur once in a section. This means that: subjectAltName=@alt_section @@ -512,13 +512,13 @@ will only recognize the last value. This can be worked around by using the form: =head1 HISTORY -The X509v3 extension code was first added to OpenSSL 0.9.2. +The X509v3 extension code was first added to GmSSL 0.9.2. Policy mappings, inhibit any policy and name constraints support was added in -OpenSSL 0.9.8 +GmSSL 0.9.8 The B and B option as well as the B option -for arbitrary extensions was added in OpenSSL 0.9.8 +for arbitrary extensions was added in GmSSL 0.9.8 =head1 SEE ALSO