Import OpenSSL 1.1.0f
This commit is contained in:
Steve Dower
Steve Dower
@@ -1,4 +1,3 @@
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
@@ -8,9 +7,10 @@ pkcs12 - PKCS#12 file utility
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<openssl> B<pkcs12>
|
||||
[B<-help>]
|
||||
[B<-export>]
|
||||
[B<-chain>]
|
||||
[B<-inkey filename>]
|
||||
[B<-inkey file_or_id>]
|
||||
[B<-certfile filename>]
|
||||
[B<-name name>]
|
||||
[B<-caname name>]
|
||||
@@ -39,6 +39,8 @@ B<openssl> B<pkcs12>
|
||||
[B<-rand file(s)>]
|
||||
[B<-CAfile file>]
|
||||
[B<-CApath dir>]
|
||||
[B<-no-CAfile>]
|
||||
[B<-no-CApath>]
|
||||
[B<-CSP name>]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
@@ -47,7 +49,7 @@ The B<pkcs12> command allows PKCS#12 files (sometimes referred to as
|
||||
PFX files) to be created and parsed. PKCS#12 files are used by several
|
||||
programs including Netscape, MSIE and MS Outlook.
|
||||
|
||||
=head1 COMMAND OPTIONS
|
||||
=head1 OPTIONS
|
||||
|
||||
There are a lot of options the meaning of some depends of whether a PKCS#12 file
|
||||
is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
|
||||
@@ -57,6 +59,10 @@ file can be created by using the B<-export> option (see below).
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<-help>
|
||||
|
||||
Print out a usage message.
|
||||
|
||||
=item B<-in filename>
|
||||
|
||||
This specifies filename of the PKCS#12 file to be parsed. Standard input is used
|
||||
@@ -71,13 +77,13 @@ default. They are all written in PEM format.
|
||||
|
||||
the PKCS#12 file (i.e. input file) password source. For more information about
|
||||
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
|
||||
L<openssl(1)|openssl(1)>.
|
||||
L<openssl(1)>.
|
||||
|
||||
=item B<-passout arg>
|
||||
|
||||
pass phrase source to encrypt any outputted private keys with. For more
|
||||
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
|
||||
in L<openssl(1)|openssl(1)>.
|
||||
in L<openssl(1)>.
|
||||
|
||||
=item B<-password arg>
|
||||
|
||||
@@ -167,10 +173,12 @@ default. They must all be in PEM format. The order doesn't matter but one
|
||||
private key and its corresponding certificate should be present. If additional
|
||||
certificates are present they will also be included in the PKCS#12 file.
|
||||
|
||||
=item B<-inkey filename>
|
||||
=item B<-inkey file_or_id>
|
||||
|
||||
file to read private key from. If not present then a private key must be present
|
||||
in the input file.
|
||||
If no engine is used, the argument is taken as a file; if an engine is
|
||||
specified, the argument is given to the engine as a key identifier.
|
||||
|
||||
=item B<-name friendlyname>
|
||||
|
||||
@@ -192,13 +200,13 @@ displays them.
|
||||
|
||||
the PKCS#12 file (i.e. output file) password source. For more information about
|
||||
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
|
||||
L<openssl(1)|openssl(1)>.
|
||||
L<openssl(1)>.
|
||||
|
||||
=item B<-passin password>
|
||||
|
||||
pass phrase source to decrypt any input private keys with. For more information
|
||||
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
|
||||
L<openssl(1)|openssl(1)>.
|
||||
L<openssl(1)>.
|
||||
|
||||
=item B<-chain>
|
||||
|
||||
@@ -266,8 +274,8 @@ don't attempt to provide the MAC integrity.
|
||||
=item B<-rand file(s)>
|
||||
|
||||
a file or files containing random data used to seed the random number
|
||||
generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
|
||||
Multiple files can be specified separated by a OS-dependent character.
|
||||
generator, or an EGD socket (see L<RAND_egd(3)>).
|
||||
Multiple files can be specified separated by an OS-dependent character.
|
||||
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
|
||||
all others.
|
||||
|
||||
@@ -281,6 +289,14 @@ CA storage as a directory. This directory must be a standard certificate
|
||||
directory: that is a hash of each subject name (using B<x509 -hash>) should be
|
||||
linked to each certificate.
|
||||
|
||||
=item B<-no-CAfile>
|
||||
|
||||
Do not load the trusted CA certificates from the default file location
|
||||
|
||||
=item B<-no-CApath>
|
||||
|
||||
Do not load the trusted CA certificates from the default directory location
|
||||
|
||||
=item B<-CSP name>
|
||||
|
||||
write B<name> as a Microsoft CSP name.
|
||||
@@ -311,6 +327,16 @@ encrypted private keys, then the option B<-keypbe PBE-SHA1-RC2-40> can
|
||||
be used to reduce the private key encryption to 40 bit RC2. A complete
|
||||
description of all algorithms is contained in the B<pkcs8> manual page.
|
||||
|
||||
Prior 1.1 release passwords containing non-ASCII characters were encoded
|
||||
in non-compliant manner, which limited interoperability, in first hand
|
||||
with Windows. But switching to standard-compliant password encoding
|
||||
poses problem accessing old data protected with broken encoding. For
|
||||
this reason even legacy encodings is attempted when reading the
|
||||
data. If you use PKCS#12 files in production application you are advised
|
||||
to convert the data, because implemented heuristic approach is not
|
||||
MT-safe, its sole goal is to facilitate the data upgrade with this
|
||||
utility.
|
||||
|
||||
=head1 EXAMPLES
|
||||
|
||||
Parse a PKCS#12 file and output it to a file:
|
||||
@@ -322,7 +348,7 @@ Output only client certificates to a file:
|
||||
openssl pkcs12 -in file.p12 -clcerts -out file.pem
|
||||
|
||||
Don't encrypt the private key:
|
||||
|
||||
|
||||
openssl pkcs12 -in file.p12 -out file.pem -nodes
|
||||
|
||||
Print some info about a PKCS#12 file:
|
||||
@@ -338,31 +364,17 @@ Include some extra certificates:
|
||||
openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
|
||||
-certfile othercerts.pem
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
Some would argue that the PKCS#12 standard is one big bug :-)
|
||||
|
||||
Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
|
||||
routines. Under rare circumstances this could produce a PKCS#12 file encrypted
|
||||
with an invalid key. As a result some PKCS#12 files which triggered this bug
|
||||
from other implementations (MSIE or Netscape) could not be decrypted
|
||||
by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
|
||||
not be decrypted by other implementations. The chances of producing such
|
||||
a file are relatively small: less than 1 in 256.
|
||||
|
||||
A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
|
||||
files cannot no longer be parsed by the fixed version. Under such circumstances
|
||||
the B<pkcs12> utility will report that the MAC is OK but fail with a decryption
|
||||
error when extracting private keys.
|
||||
|
||||
This problem can be resolved by extracting the private keys and certificates
|
||||
from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
|
||||
file from the keys and certificates using a newer version of OpenSSL. For example:
|
||||
|
||||
old-openssl -in bad.p12 -out keycerts.pem
|
||||
openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<pkcs8(1)|pkcs8(1)>
|
||||
L<pkcs8(1)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
in the file LICENSE in the source distribution or at
|
||||
L<https://www.openssl.org/source/license.html>.
|
||||
|
||||
=cut
|
||||
|
||||
Reference in New Issue
Block a user