]>
Commit | Line | Data |
---|---|---|
2c789c82 BM |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
b6b66573 | 5 | openssl-ec - EC key processing |
2c789c82 BM |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | B<openssl> B<ec> | |
169394d4 | 10 | [B<-help>] |
e8769719 RS |
11 | [B<-inform> B<DER>|B<PEM>] |
12 | [B<-outform> B<DER>|B<PEM>] | |
13 | [B<-in> I<filename>] | |
14 | [B<-passin> I<arg>] | |
15 | [B<-out> I<filename>] | |
16 | [B<-passout> I<arg>] | |
2c789c82 BM |
17 | [B<-des>] |
18 | [B<-des3>] | |
19 | [B<-idea>] | |
20 | [B<-text>] | |
21 | [B<-noout>] | |
22 | [B<-param_out>] | |
23 | [B<-pubin>] | |
24 | [B<-pubout>] | |
e8769719 RS |
25 | [B<-conv_form> I<arg>] |
26 | [B<-param_enc> I<arg>] | |
16754806 | 27 | [B<-no_public>] |
7565cbc4 | 28 | [B<-check>] |
e8769719 | 29 | [B<-engine> I<id>] |
2c789c82 | 30 | |
1738c0ce RS |
31 | =for comment ifdef engine |
32 | ||
2c789c82 BM |
33 | =head1 DESCRIPTION |
34 | ||
35a810bb RL |
35 | The L<openssl-ec(1)> command processes EC keys. They can be converted between |
36 | various forms and their components printed out. B<Note> OpenSSL uses the | |
2c789c82 | 37 | private key format specified in 'SEC 1: Elliptic Curve Cryptography' |
35ed393e | 38 | (http://www.secg.org/). To convert an OpenSSL EC private key into the |
35a810bb | 39 | PKCS#8 private key format use the L<openssl-pkcs8(1)> command. |
2c789c82 | 40 | |
3dfda1a6 | 41 | =head1 OPTIONS |
2c789c82 BM |
42 | |
43 | =over 4 | |
44 | ||
169394d4 MR |
45 | =item B<-help> |
46 | ||
47 | Print out a usage message. | |
48 | ||
e8769719 | 49 | =item B<-inform> B<DER>|B<PEM> |
2c789c82 BM |
50 | |
51 | This specifies the input format. The B<DER> option with a private key uses | |
52 | an ASN.1 DER encoded SEC1 private key. When used with a public key it | |
2b4ffc65 | 53 | uses the SubjectPublicKeyInfo structure as specified in RFC 3280. |
2c789c82 BM |
54 | The B<PEM> form is the default format: it consists of the B<DER> format base64 |
55 | encoded with additional header and footer lines. In the case of a private key | |
56 | PKCS#8 format is also accepted. | |
57 | ||
e8769719 | 58 | =item B<-outform> B<DER>|B<PEM> |
2c789c82 | 59 | |
7477c83e TM |
60 | This specifies the output format, the options have the same meaning and default |
61 | as the B<-inform> option. | |
2c789c82 | 62 | |
e8769719 | 63 | =item B<-in> I<filename> |
2c789c82 BM |
64 | |
65 | This specifies the input filename to read a key from or standard input if this | |
66 | option is not specified. If the key is encrypted a pass phrase will be | |
67 | prompted for. | |
68 | ||
e8769719 | 69 | =item B<-out> I<filename> |
2c789c82 BM |
70 | |
71 | This specifies the output filename to write a key to or standard output by | |
72 | is not specified. If any encryption options are set then a pass phrase will be | |
73 | prompted for. The output filename should B<not> be the same as the input | |
74 | filename. | |
75 | ||
3a4e43de | 76 | =item B<-passin> I<arg>, B<-passout> I<arg> |
2c789c82 | 77 | |
3a4e43de RS |
78 | The password source for the input and output file. |
79 | For more information about the format of B<arg> | |
80 | see L<openssl(1)/Pass Phrase Options>. | |
2c789c82 | 81 | |
e8769719 | 82 | =item B<-des>|B<-des3>|B<-idea> |
2c789c82 | 83 | |
1bc74519 | 84 | These options encrypt the private key with the DES, triple DES, IDEA or |
2c789c82 BM |
85 | any other cipher supported by OpenSSL before outputting it. A pass phrase is |
86 | prompted for. | |
87 | If none of these options is specified the key is written in plain text. This | |
35a810bb | 88 | means that using this command to read in an encrypted key with no |
2c789c82 BM |
89 | encryption option can be used to remove the pass phrase from a key, or by |
90 | setting the encryption options it can be use to add or change the pass phrase. | |
91 | These options can only be used with PEM format output files. | |
92 | ||
93 | =item B<-text> | |
94 | ||
c4de074e | 95 | Prints out the public, private key components and parameters. |
2c789c82 BM |
96 | |
97 | =item B<-noout> | |
98 | ||
c4de074e | 99 | This option prevents output of the encoded version of the key. |
2c789c82 | 100 | |
2c789c82 BM |
101 | =item B<-pubin> |
102 | ||
c4de074e | 103 | By default, a private key is read from the input file. With this option a |
2c789c82 BM |
104 | public key is read instead. |
105 | ||
106 | =item B<-pubout> | |
107 | ||
c4de074e | 108 | By default a private key is output. With this option a public |
2c789c82 BM |
109 | key will be output instead. This option is automatically set if the input is |
110 | a public key. | |
111 | ||
2f0ea936 | 112 | =item B<-conv_form> I<arg> |
2c789c82 BM |
113 | |
114 | This specifies how the points on the elliptic curve are converted | |
115 | into octet strings. Possible values are: B<compressed> (the default | |
116 | value), B<uncompressed> and B<hybrid>. For more information regarding | |
117 | the point conversion forms please read the X9.62 standard. | |
118 | B<Note> Due to patent issues the B<compressed> option is disabled | |
119 | by default for binary curves and can be enabled by defining | |
120 | the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time. | |
121 | ||
e8769719 | 122 | =item B<-param_enc> I<arg> |
2c789c82 BM |
123 | |
124 | This specifies how the elliptic curve parameters are encoded. | |
125 | Possible value are: B<named_curve>, i.e. the ec parameters are | |
35ed393e | 126 | specified by an OID, or B<explicit> where the ec parameters are |
1bc74519 | 127 | explicitly given (see RFC 3279 for the definition of the |
2c789c82 | 128 | EC parameters structures). The default value is B<named_curve>. |
aebb9aac | 129 | B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279, |
2c789c82 BM |
130 | is currently not implemented in OpenSSL. |
131 | ||
16754806 DSH |
132 | =item B<-no_public> |
133 | ||
134 | This option omits the public key components from the private key output. | |
135 | ||
7565cbc4 DSH |
136 | =item B<-check> |
137 | ||
c4de074e | 138 | This option checks the consistency of an EC private or public key. |
7565cbc4 | 139 | |
e8769719 | 140 | =item B<-engine> I<id> |
2c789c82 | 141 | |
35a810bb | 142 | Specifying an engine (by its unique I<id> string) will cause this command |
2c789c82 BM |
143 | to attempt to obtain a functional reference to the specified engine, |
144 | thus initialising it if needed. The engine will then be set as the default | |
145 | for all available algorithms. | |
146 | ||
147 | =back | |
148 | ||
149 | =head1 NOTES | |
150 | ||
151 | The PEM private key format uses the header and footer lines: | |
152 | ||
153 | -----BEGIN EC PRIVATE KEY----- | |
154 | -----END EC PRIVATE KEY----- | |
155 | ||
156 | The PEM public key format uses the header and footer lines: | |
157 | ||
158 | -----BEGIN PUBLIC KEY----- | |
159 | -----END PUBLIC KEY----- | |
160 | ||
161 | =head1 EXAMPLES | |
162 | ||
163 | To encrypt a private key using triple DES: | |
164 | ||
165 | openssl ec -in key.pem -des3 -out keyout.pem | |
166 | ||
1bc74519 | 167 | To convert a private key from PEM to DER format: |
2c789c82 BM |
168 | |
169 | openssl ec -in key.pem -outform DER -out keyout.der | |
170 | ||
171 | To print out the components of a private key to standard output: | |
172 | ||
173 | openssl ec -in key.pem -text -noout | |
174 | ||
175 | To just output the public part of a private key: | |
176 | ||
177 | openssl ec -in key.pem -pubout -out pubkey.pem | |
178 | ||
179 | To change the parameters encoding to B<explicit>: | |
180 | ||
181 | openssl ec -in key.pem -param_enc explicit -out keyout.pem | |
182 | ||
183 | To change the point conversion form to B<compressed>: | |
184 | ||
185 | openssl ec -in key.pem -conv_form compressed -out keyout.pem | |
186 | ||
187 | =head1 SEE ALSO | |
188 | ||
b6b66573 DMSP |
189 | L<openssl(1)>, |
190 | L<openssl-ecparam(1)>, | |
191 | L<openssl-dsa(1)>, | |
192 | L<openssl-rsa(1)> | |
2c789c82 | 193 | |
e2f92610 RS |
194 | =head1 COPYRIGHT |
195 | ||
b6b66573 | 196 | Copyright 2003-2019 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 197 | |
449040b4 | 198 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
199 | this file except in compliance with the License. You can obtain a copy |
200 | in the file LICENSE in the source distribution or at | |
201 | L<https://www.openssl.org/source/license.html>. | |
202 | ||
203 | =cut |