]>
Commit | Line | Data |
---|---|---|
1 | =pod | |
2 | ||
3 | =begin comment | |
4 | {- join("\n", @autowarntext) -} | |
5 | ||
6 | =end comment | |
7 | ||
8 | =head1 NAME | |
9 | ||
10 | openssl-ec - EC key processing | |
11 | ||
12 | =head1 SYNOPSIS | |
13 | ||
14 | B<openssl> B<ec> | |
15 | [B<-help>] | |
16 | [B<-inform> B<DER>|B<PEM>] | |
17 | [B<-outform> B<DER>|B<PEM>] | |
18 | [B<-in> I<filename>] | |
19 | [B<-passin> I<arg>] | |
20 | [B<-out> I<filename>] | |
21 | [B<-passout> I<arg>] | |
22 | [B<-des>] | |
23 | [B<-des3>] | |
24 | [B<-idea>] | |
25 | [B<-text>] | |
26 | [B<-noout>] | |
27 | [B<-param_out>] | |
28 | [B<-pubin>] | |
29 | [B<-pubout>] | |
30 | [B<-conv_form> I<arg>] | |
31 | [B<-param_enc> I<arg>] | |
32 | [B<-no_public>] | |
33 | [B<-check>] | |
34 | {- $OpenSSL::safe::opt_engine_synopsis -} | |
35 | ||
36 | =for openssl ifdef engine | |
37 | ||
38 | =head1 DESCRIPTION | |
39 | ||
40 | This command has been deprecated. | |
41 | The L<openssl-pkey(1)> command should be used instead. | |
42 | ||
43 | The L<openssl-ec(1)> command processes EC keys. They can be converted between | |
44 | various forms and their components printed out. B<Note> OpenSSL uses the | |
45 | private key format specified in 'SEC 1: Elliptic Curve Cryptography' | |
46 | (http://www.secg.org/). To convert an OpenSSL EC private key into the | |
47 | PKCS#8 private key format use the L<openssl-pkcs8(1)> command. | |
48 | ||
49 | =head1 OPTIONS | |
50 | ||
51 | =over 4 | |
52 | ||
53 | =item B<-help> | |
54 | ||
55 | Print out a usage message. | |
56 | ||
57 | =item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> | |
58 | ||
59 | The input and formats; the default is B<PEM>. | |
60 | See L<openssl(1)/Format Options> for details. | |
61 | ||
62 | Private keys are an SEC1 private key or PKCS#8 format. | |
63 | Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280. | |
64 | ||
65 | =item B<-in> I<filename> | |
66 | ||
67 | This specifies the input filename to read a key from or standard input if this | |
68 | option is not specified. If the key is encrypted a pass phrase will be | |
69 | prompted for. | |
70 | ||
71 | =item B<-out> I<filename> | |
72 | ||
73 | This specifies the output filename to write a key to or standard output by | |
74 | is not specified. If any encryption options are set then a pass phrase will be | |
75 | prompted for. The output filename should B<not> be the same as the input | |
76 | filename. | |
77 | ||
78 | =item B<-passin> I<arg>, B<-passout> I<arg> | |
79 | ||
80 | The password source for the input and output file. | |
81 | For more information about the format of B<arg> | |
82 | see L<openssl(1)/Pass Phrase Options>. | |
83 | ||
84 | =item B<-des>|B<-des3>|B<-idea> | |
85 | ||
86 | These options encrypt the private key with the DES, triple DES, IDEA or | |
87 | any other cipher supported by OpenSSL before outputting it. A pass phrase is | |
88 | prompted for. | |
89 | If none of these options is specified the key is written in plain text. This | |
90 | means that using this command to read in an encrypted key with no | |
91 | encryption option can be used to remove the pass phrase from a key, or by | |
92 | setting the encryption options it can be use to add or change the pass phrase. | |
93 | These options can only be used with PEM format output files. | |
94 | ||
95 | =item B<-text> | |
96 | ||
97 | Prints out the public, private key components and parameters. | |
98 | ||
99 | =item B<-noout> | |
100 | ||
101 | This option prevents output of the encoded version of the key. | |
102 | ||
103 | =item B<-pubin> | |
104 | ||
105 | By default, a private key is read from the input file. With this option a | |
106 | public key is read instead. | |
107 | ||
108 | =item B<-pubout> | |
109 | ||
110 | By default a private key is output. With this option a public | |
111 | key will be output instead. This option is automatically set if the input is | |
112 | a public key. | |
113 | ||
114 | =item B<-conv_form> I<arg> | |
115 | ||
116 | This specifies how the points on the elliptic curve are converted | |
117 | into octet strings. Possible values are: B<compressed> (the default | |
118 | value), B<uncompressed> and B<hybrid>. For more information regarding | |
119 | the point conversion forms please read the X9.62 standard. | |
120 | B<Note> Due to patent issues the B<compressed> option is disabled | |
121 | by default for binary curves and can be enabled by defining | |
122 | the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time. | |
123 | ||
124 | =item B<-param_enc> I<arg> | |
125 | ||
126 | This specifies how the elliptic curve parameters are encoded. | |
127 | Possible value are: B<named_curve>, i.e. the ec parameters are | |
128 | specified by an OID, or B<explicit> where the ec parameters are | |
129 | explicitly given (see RFC 3279 for the definition of the | |
130 | EC parameters structures). The default value is B<named_curve>. | |
131 | B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279, | |
132 | is currently not implemented in OpenSSL. | |
133 | ||
134 | =item B<-no_public> | |
135 | ||
136 | This option omits the public key components from the private key output. | |
137 | ||
138 | =item B<-check> | |
139 | ||
140 | This option checks the consistency of an EC private or public key. | |
141 | ||
142 | {- $OpenSSL::safe::opt_engine_item -} | |
143 | ||
144 | =back | |
145 | ||
146 | =head1 EXAMPLES | |
147 | ||
148 | Examples equivalent to these can be found in the documentation for the | |
149 | non-deprecated L<openssl-pkey(1)> command. | |
150 | ||
151 | To encrypt a private key using triple DES: | |
152 | ||
153 | openssl ec -in key.pem -des3 -out keyout.pem | |
154 | ||
155 | To convert a private key from PEM to DER format: | |
156 | ||
157 | openssl ec -in key.pem -outform DER -out keyout.der | |
158 | ||
159 | To print out the components of a private key to standard output: | |
160 | ||
161 | openssl ec -in key.pem -text -noout | |
162 | ||
163 | To just output the public part of a private key: | |
164 | ||
165 | openssl ec -in key.pem -pubout -out pubkey.pem | |
166 | ||
167 | To change the parameters encoding to B<explicit>: | |
168 | ||
169 | openssl ec -in key.pem -param_enc explicit -out keyout.pem | |
170 | ||
171 | To change the point conversion form to B<compressed>: | |
172 | ||
173 | openssl ec -in key.pem -conv_form compressed -out keyout.pem | |
174 | ||
175 | =head1 SEE ALSO | |
176 | ||
177 | L<openssl(1)>, | |
178 | L<openssl-pkey(1)>, | |
179 | L<openssl-ecparam(1)>, | |
180 | L<openssl-dsa(1)>, | |
181 | L<openssl-rsa(1)> | |
182 | ||
183 | =head1 HISTORY | |
184 | ||
185 | This command was deprecated in OpenSSL 3.0. | |
186 | ||
187 | =head1 COPYRIGHT | |
188 | ||
189 | Copyright 2003-2020 The OpenSSL Project Authors. All Rights Reserved. | |
190 | ||
191 | Licensed under the Apache License 2.0 (the "License"). You may not use | |
192 | this file except in compliance with the License. You can obtain a copy | |
193 | in the file LICENSE in the source distribution or at | |
194 | L<https://www.openssl.org/source/license.html>. | |
195 | ||
196 | =cut |