-.\" $OpenBSD: openssl.1,v 1.46 2016/08/08 18:13:51 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.47 2016/08/09 17:07:33 jmc Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
.\"
.\" OPENSSL
.\"
-.Dd $Mdocdate: August 8 2016 $
+.Dd $Mdocdate: August 9 2016 $
.Dt OPENSSL 1
.Os
.Sh NAME
.Ar numbits .
If this option is included, the input file is ignored.
.El
-.\"
-.\" EC
-.\"
.Sh EC
.nr nS 1
.Nm "openssl ec"
-.Bk -words
.Op Fl conv_form Ar arg
.Op Fl des
.Op Fl des3
.Op Fl in Ar file
-.Op Fl inform Ar DER | PEM
+.Op Fl inform Cm der | pem
.Op Fl noout
.Op Fl out Ar file
-.Op Fl outform Ar DER | PEM
+.Op Fl outform Cm der | pem
.Op Fl param_enc Ar arg
.Op Fl param_out
.Op Fl passin Ar arg
.Op Fl pubin
.Op Fl pubout
.Op Fl text
-.Ek
.nr nS 0
.Pp
The
command processes EC keys.
They can be converted between various
forms and their components printed out.
-Note:
-.Nm OpenSSL
+.Nm openssl
uses the private key format specified in
.Dq SEC 1: Elliptic Curve Cryptography
.Pq Lk http://www.secg.org/ .
To convert an
-.Nm OpenSSL
EC private key into the PKCS#8 private key format use the
.Nm pkcs8
command.
.Pp
+The PEM private key format uses the header and footer lines:
+.Bd -literal -offset indent
+-----BEGIN EC PRIVATE KEY-----
+-----END EC PRIVATE KEY-----
+.Ed
+.Pp
+The PEM public key format uses the header and footer lines:
+.Bd -literal -offset indent
+-----BEGIN PUBLIC KEY-----
+-----END PUBLIC KEY-----
+.Ed
+.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl conv_form Ar arg
-This specifies how the points on the elliptic curve are converted
+Specify how the points on the elliptic curve are converted
into octet strings.
Possible values are:
.Cm compressed
-(the default value),
+(the default),
.Cm uncompressed ,
and
.Cm hybrid .
For more information regarding
-the point conversion forms please read the X9.62 standard.
+the point conversion forms see the X9.62 standard.
Note:
Due to patent issues the
.Cm compressed
option is disabled by default for binary curves
and can be enabled by defining the preprocessor macro
-.Ar OPENSSL_EC_BIN_PT_COMP
+.Dv OPENSSL_EC_BIN_PT_COMP
at compile time.
.It Fl des | des3
-These options encrypt the private key with the DES, triple DES, or
+Encrypt the private key with DES, triple DES, or
any other cipher supported by
-.Nm OpenSSL
-before outputting it.
+.Nm openssl .
A pass phrase is prompted for.
If none of these options is specified the key is written in plain text.
This means that using the
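Review bot: In the `.It Fl des | des3` item, the reworded text still promises "any other cipher supported by" openssl, but the item tag and the synopsis (`.Op Fl des`, `.Op Fl des3`) name only two flags, so the reader is not told how to select another cipher. Either state the option form for the other ciphers or drop the clause. Separately, the "Note:" before the SEC 1 sentence is removed while the "Note:" in the `-conv_form` item stays; worth making consistent in the same pass.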
it can be use to add or change the pass phrase.
These options can only be used with PEM format output files.
.It Fl in Ar file
-This specifies the input filename to read a key from,
-or standard input if this option is not specified.
+The input file to read a key from,
+or standard input if not specified.
If the key is encrypted a pass phrase will be prompted for.
-.It Fl inform Ar DER | PEM
-This specifies the input format.
-DER with a private key uses
+.It Fl inform Cm der | pem
+The input format.
+.Cm der
+with a private key uses
an ASN.1 DER-encoded SEC1 private key.
When used with a public key it
uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
-PEM is the default format:
+.Cm pem
+is the default format:
it consists of the DER format base64
encoded with additional header and footer lines.
In the case of a private key
PKCS#8 format is also accepted.
.It Fl noout
-Prevents output of the encoded version of the key.
+Do not output the encoded version of the key.
.It Fl out Ar file
-Specifies the output filename to write a key to,
-or standard output if none is specified.
+The output filename to write to,
+or standard output if not specified.
If any encryption options are set then a pass phrase will be prompted for.
-The output filename should
-.Em not
-be the same as the input filename.
-.It Fl outform Ar DER | PEM
-This specifies the output format.
-The options have the same meaning as the
-.Fl inform
-option.
+.It Fl outform Cm der | pem
+The output format.
.It Fl param_enc Ar arg
-This specifies how the elliptic curve parameters are encoded.
+Specify how the elliptic curve parameters are encoded.
Possible value are:
.Cm named_curve ,
i.e. the EC parameters are specified by an OID; or
.Cm implicitlyCA
alternative,
as specified in RFC 3279,
-is currently not implemented in
-.Nm OpenSSL .
+is currently not implemented.
.It Fl passin Ar arg
The key password source.
.It Fl passout Ar arg
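Review bot: Under `.It Fl out Ar file`, the sentence warning that the output filename should not be the same as the input filename is deleted with no replacement. If writing over the input can still lose the key, the caveat should stay, reworded in the new terse style if need be. The `-outform` item also loses its pointer to `-inform` and now reads only "The output format.", so the der/pem details are found only by reading the earlier item. The unchanged line "Possible value are:" next to the edited `-param_enc` sentence could be corrected to "Possible values are:" while this paragraph is being touched.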
with this option a public key is output instead.
This option is automatically set if the input is a public key.
.It Fl text
-Prints out the public/private key components and parameters.
+Print out the public/private key components and parameters.
.El
-.Sh EC NOTES
-The PEM private key format uses the header and footer lines:
-.Bd -literal -offset indent
------BEGIN EC PRIVATE KEY-----
------END EC PRIVATE KEY-----
-.Ed
-.Pp
-The PEM public key format uses the header and footer lines:
-.Bd -literal -offset indent
------BEGIN PUBLIC KEY-----
------END PUBLIC KEY-----
-.Ed
-.Sh EC EXAMPLES
-To encrypt a private key using triple DES:
-.Bd -literal -offset indent
-$ openssl ec -in key.pem -des3 -out keyout.pem
-.Ed
-.Pp
-To convert a private key from PEM to DER format:
-.Bd -literal -offset indent
-$ openssl ec -in key.pem -outform DER -out keyout.der
-.Ed
-.Pp
-To print out the components of a private key to standard output:
-.Bd -literal -offset indent
-$ openssl ec -in key.pem -text -noout
-.Ed
-.Pp
-To just output the public part of a private key:
-.Bd -literal -offset indent
-$ openssl ec -in key.pem -pubout -out pubkey.pem
-.Ed
-.Pp
-To change the parameter encoding to
-.Cm explicit :
-.Bd -literal -offset indent
-$ openssl ec -in key.pem -param_enc explicit -out keyout.pem
-.Ed
-.Pp
-To change the point conversion form to
-.Cm compressed :
-.Bd -literal -offset indent
-$ openssl ec -in key.pem -conv_form compressed -out keyout.pem
-.Ed
-.Sh EC HISTORY
-The
-.Nm ec
-command was first introduced in
-.Nm OpenSSL
-0.9.8.
-.Sh EC AUTHORS
-.An Nils Larsch .
.\"
.\" ECPARAM
.\"
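Review bot: The whole `EC EXAMPLES` section is deleted rather than relocated, unlike the `EC NOTES` PEM header text, which reappears in the description earlier in this patch. That drops the worked invocations of `-des3`, `-pubout`, `-param_enc explicit` and `-conv_form compressed`; consider keeping a short set, with `-outform DER` changed to lowercase to match the new `.Cm der | pem` wording. The `EC HISTORY` and `EC AUTHORS` removals also drop the 0.9.8 introduction note and the Nils Larsch credit, which should be confirmed as intentional or recorded elsewhere.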