From 3562e78743202e43aec8727005182a2558117eca Mon Sep 17 00:00:00 2001 
From: marha Date: Sun, 28 Jun 2009 22:07:26 +0000 Subject: Checked in the following released items: xkeyboard-config-1.4.tar.gz ttf-bitstream-vera-1.10.tar.gz font-alias-1.0.1.tar.gz font-sun-misc-1.0.0.tar.gz font-sun-misc-1.0.0.tar.gz font-sony-misc-1.0.0.tar.gz font-schumacher-misc-1.0.0.tar.gz font-mutt-misc-1.0.0.tar.gz font-misc-misc-1.0.0.tar.gz font-misc-meltho-1.0.0.tar.gz font-micro-misc-1.0.0.tar.gz font-jis-misc-1.0.0.tar.gz font-isas-misc-1.0.0.tar.gz font-dec-misc-1.0.0.tar.gz font-daewoo-misc-1.0.0.tar.gz font-cursor-misc-1.0.0.tar.gz font-arabic-misc-1.0.0.tar.gz font-winitzki-cyrillic-1.0.0.tar.gz font-misc-cyrillic-1.0.0.tar.gz font-cronyx-cyrillic-1.0.0.tar.gz font-screen-cyrillic-1.0.1.tar.gz font-xfree86-type1-1.0.1.tar.gz font-adobe-utopia-type1-1.0.1.tar.gz font-ibm-type1-1.0.0.tar.gz font-bitstream-type1-1.0.0.tar.gz font-bitstream-speedo-1.0.0.tar.gz font-bh-ttf-1.0.0.tar.gz font-bh-type1-1.0.0.tar.gz font-bitstream-100dpi-1.0.0.tar.gz font-bh-lucidatypewriter-100dpi-1.0.0.tar.gz font-bh-100dpi-1.0.0.tar.gz font-adobe-utopia-100dpi-1.0.1.tar.gz font-adobe-100dpi-1.0.0.tar.gz font-util-1.0.1.tar.gz font-bitstream-75dpi-1.0.0.tar.gz font-bh-lucidatypewriter-75dpi-1.0.0.tar.gz font-adobe-utopia-75dpi-1.0.1.tar.gz font-bh-75dpi-1.0.0.tar.gz bdftopcf-1.0.1.tar.gz font-adobe-75dpi-1.0.0.tar.gz mkfontscale-1.0.6.tar.gz openssl-0.9.8k.tar.gz bigreqsproto-1.0.2.tar.gz xtrans-1.2.2.tar.gz resourceproto-1.0.2.tar.gz inputproto-1.4.4.tar.gz compositeproto-0.4.tar.gz damageproto-1.1.0.tar.gz zlib-1.2.3.tar.gz xkbcomp-1.0.5.tar.gz freetype-2.3.9.tar.gz pthreads-w32-2-8-0-release.tar.gz pixman-0.12.0.tar.gz kbproto-1.0.3.tar.gz evieext-1.0.2.tar.gz fixesproto-4.0.tar.gz recordproto-1.13.2.tar.gz randrproto-1.2.2.tar.gz scrnsaverproto-1.1.0.tar.gz renderproto-0.9.3.tar.gz xcmiscproto-1.1.2.tar.gz fontsproto-2.0.2.tar.gz xextproto-7.0.3.tar.gz xproto-7.0.14.tar.gz libXdmcp-1.0.2.tar.gz libxkbfile-1.0.5.tar.gz libfontenc-1.0.4.tar.gz libXfont-1.3.4.tar.gz 
libX11-1.1.5.tar.gz libXau-1.0.4.tar.gz libxcb-1.1.tar.gz xorg-server-1.5.3.tar.gz --- openssl/doc/HOWTO/certificates.txt | 105 + openssl/doc/HOWTO/keys.txt | 73 + openssl/doc/HOWTO/proxy_certificates.txt | 322 + openssl/doc/README | 12 + openssl/doc/apps/CA.pl.pod | 179 + openssl/doc/apps/asn1parse.pod | 171 + openssl/doc/apps/ca.pod | 671 ++ openssl/doc/apps/ciphers.pod | 434 ++ openssl/doc/apps/config.pod | 279 + openssl/doc/apps/crl.pod | 117 + openssl/doc/apps/crl2pkcs7.pod | 91 + openssl/doc/apps/dgst.pod | 115 + openssl/doc/apps/dhparam.pod | 141 + openssl/doc/apps/dsa.pod | 158 + openssl/doc/apps/dsaparam.pod | 110 + openssl/doc/apps/ec.pod | 190 + openssl/doc/apps/ecparam.pod | 179 + openssl/doc/apps/enc.pod | 279 + openssl/doc/apps/errstr.pod | 39 + openssl/doc/apps/gendsa.pod | 66 + openssl/doc/apps/genrsa.pod | 96 + openssl/doc/apps/nseq.pod | 70 + openssl/doc/apps/ocsp.pod | 365 + openssl/doc/apps/openssl.pod | 361 + openssl/doc/apps/passwd.pod | 82 + openssl/doc/apps/pkcs12.pod | 330 + openssl/doc/apps/pkcs7.pod | 105 + openssl/doc/apps/pkcs8.pod | 243 + openssl/doc/apps/rand.pod | 55 + openssl/doc/apps/req.pod | 611 ++ openssl/doc/apps/rsa.pod | 189 + openssl/doc/apps/rsautl.pod | 183 + openssl/doc/apps/s_client.pod | 297 + openssl/doc/apps/s_server.pod | 348 + openssl/doc/apps/s_time.pod | 173 + openssl/doc/apps/sess_id.pod | 151 + openssl/doc/apps/smime.pod | 385 ++ openssl/doc/apps/speed.pod | 59 + openssl/doc/apps/spkac.pod | 133 + openssl/doc/apps/verify.pod | 328 + openssl/doc/apps/version.pod | 64 + openssl/doc/apps/x509.pod | 832 +++ openssl/doc/apps/x509v3_config.pod | 456 ++ openssl/doc/c-indentation.el | 45 + openssl/doc/crypto/ASN1_OBJECT_new.pod | 43 + openssl/doc/crypto/ASN1_STRING_length.pod | 81 + openssl/doc/crypto/ASN1_STRING_new.pod | 44 + openssl/doc/crypto/ASN1_STRING_print_ex.pod | 96 + openssl/doc/crypto/ASN1_generate_nconf.pod | 262 + openssl/doc/crypto/BIO_ctrl.pod | 128 + openssl/doc/crypto/BIO_f_base64.pod | 81 + 
openssl/doc/crypto/BIO_f_buffer.pod | 69 + openssl/doc/crypto/BIO_f_cipher.pod | 76 + openssl/doc/crypto/BIO_f_md.pod | 138 + openssl/doc/crypto/BIO_f_null.pod | 32 + openssl/doc/crypto/BIO_f_ssl.pod | 313 + openssl/doc/crypto/BIO_find_type.pod | 98 + openssl/doc/crypto/BIO_new.pod | 65 + openssl/doc/crypto/BIO_push.pod | 69 + openssl/doc/crypto/BIO_read.pod | 66 + openssl/doc/crypto/BIO_s_accept.pod | 195 + openssl/doc/crypto/BIO_s_bio.pod | 182 + openssl/doc/crypto/BIO_s_connect.pod | 192 + openssl/doc/crypto/BIO_s_fd.pod | 89 + openssl/doc/crypto/BIO_s_file.pod | 144 + openssl/doc/crypto/BIO_s_mem.pod | 115 + openssl/doc/crypto/BIO_s_null.pod | 37 + openssl/doc/crypto/BIO_s_socket.pod | 63 + openssl/doc/crypto/BIO_set_callback.pod | 108 + openssl/doc/crypto/BIO_should_retry.pod | 114 + openssl/doc/crypto/BN_BLINDING_new.pod | 109 + openssl/doc/crypto/BN_CTX_new.pod | 53 + openssl/doc/crypto/BN_CTX_start.pod | 52 + openssl/doc/crypto/BN_add.pod | 126 + openssl/doc/crypto/BN_add_word.pod | 61 + openssl/doc/crypto/BN_bn2bin.pod | 95 + openssl/doc/crypto/BN_cmp.pod | 48 + openssl/doc/crypto/BN_copy.pod | 34 + openssl/doc/crypto/BN_generate_prime.pod | 102 + openssl/doc/crypto/BN_mod_inverse.pod | 36 + openssl/doc/crypto/BN_mod_mul_montgomery.pod | 101 + openssl/doc/crypto/BN_mod_mul_reciprocal.pod | 81 + openssl/doc/crypto/BN_new.pod | 53 + openssl/doc/crypto/BN_num_bytes.pod | 57 + openssl/doc/crypto/BN_rand.pod | 58 + openssl/doc/crypto/BN_set_bit.pod | 66 + openssl/doc/crypto/BN_swap.pod | 23 + openssl/doc/crypto/BN_zero.pod | 59 + openssl/doc/crypto/CONF_modules_free.pod | 47 + openssl/doc/crypto/CONF_modules_load_file.pod | 60 + openssl/doc/crypto/CRYPTO_set_ex_data.pod | 51 + openssl/doc/crypto/DH_generate_key.pod | 50 + openssl/doc/crypto/DH_generate_parameters.pod | 73 + openssl/doc/crypto/DH_get_ex_new_index.pod | 36 + openssl/doc/crypto/DH_new.pod | 40 + openssl/doc/crypto/DH_set_method.pod | 129 + openssl/doc/crypto/DH_size.pod | 33 + 
openssl/doc/crypto/DSA_SIG_new.pod | 40 + openssl/doc/crypto/DSA_do_sign.pod | 47 + openssl/doc/crypto/DSA_dup_DH.pod | 36 + openssl/doc/crypto/DSA_generate_key.pod | 34 + openssl/doc/crypto/DSA_generate_parameters.pod | 105 + openssl/doc/crypto/DSA_get_ex_new_index.pod | 36 + openssl/doc/crypto/DSA_new.pod | 42 + openssl/doc/crypto/DSA_set_method.pod | 143 + openssl/doc/crypto/DSA_sign.pod | 66 + openssl/doc/crypto/DSA_size.pod | 33 + openssl/doc/crypto/ERR_GET_LIB.pod | 51 + openssl/doc/crypto/ERR_clear_error.pod | 29 + openssl/doc/crypto/ERR_error_string.pod | 73 + openssl/doc/crypto/ERR_get_error.pod | 76 + openssl/doc/crypto/ERR_load_crypto_strings.pod | 46 + openssl/doc/crypto/ERR_load_strings.pod | 54 + openssl/doc/crypto/ERR_print_errors.pod | 51 + openssl/doc/crypto/ERR_put_error.pod | 44 + openssl/doc/crypto/ERR_remove_state.pod | 34 + openssl/doc/crypto/ERR_set_mark.pod | 38 + openssl/doc/crypto/EVP_BytesToKey.pod | 67 + openssl/doc/crypto/EVP_DigestInit.pod | 256 + openssl/doc/crypto/EVP_EncryptInit.pod | 511 ++ openssl/doc/crypto/EVP_OpenInit.pod | 63 + openssl/doc/crypto/EVP_PKEY_new.pod | 47 + openssl/doc/crypto/EVP_PKEY_set1_RSA.pod | 80 + openssl/doc/crypto/EVP_SealInit.pod | 85 + openssl/doc/crypto/EVP_SignInit.pod | 95 + openssl/doc/crypto/EVP_VerifyInit.pod | 86 + openssl/doc/crypto/OBJ_nid2obj.pod | 149 + openssl/doc/crypto/OPENSSL_Applink.pod | 21 + openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod | 101 + openssl/doc/crypto/OPENSSL_config.pod | 82 + openssl/doc/crypto/OPENSSL_ia32cap.pod | 43 + .../doc/crypto/OPENSSL_load_builtin_modules.pod | 51 + openssl/doc/crypto/OpenSSL_add_all_algorithms.pod | 66 + openssl/doc/crypto/PKCS12_create.pod | 75 + openssl/doc/crypto/PKCS12_parse.pod | 50 + openssl/doc/crypto/PKCS7_decrypt.pod | 53 + openssl/doc/crypto/PKCS7_encrypt.pod | 65 + openssl/doc/crypto/PKCS7_sign.pod | 101 + openssl/doc/crypto/PKCS7_verify.pod | 116 + openssl/doc/crypto/RAND_add.pod | 77 + openssl/doc/crypto/RAND_bytes.pod | 50 + 
openssl/doc/crypto/RAND_cleanup.pod | 29 + openssl/doc/crypto/RAND_egd.pod | 88 + openssl/doc/crypto/RAND_load_file.pod | 53 + openssl/doc/crypto/RAND_set_rand_method.pod | 83 + openssl/doc/crypto/RSA_blinding_on.pod | 43 + openssl/doc/crypto/RSA_check_key.pod | 67 + openssl/doc/crypto/RSA_generate_key.pod | 69 + openssl/doc/crypto/RSA_get_ex_new_index.pod | 120 + openssl/doc/crypto/RSA_new.pod | 41 + .../doc/crypto/RSA_padding_add_PKCS1_type_1.pod | 124 + openssl/doc/crypto/RSA_print.pod | 49 + openssl/doc/crypto/RSA_private_encrypt.pod | 70 + openssl/doc/crypto/RSA_public_encrypt.pod | 84 + openssl/doc/crypto/RSA_set_method.pod | 202 + openssl/doc/crypto/RSA_sign.pod | 62 + openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod | 59 + openssl/doc/crypto/RSA_size.pod | 33 + openssl/doc/crypto/SMIME_read_PKCS7.pod | 71 + openssl/doc/crypto/SMIME_write_PKCS7.pod | 61 + openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod | 72 + openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod | 114 + openssl/doc/crypto/X509_NAME_get_index_by_NID.pod | 106 + openssl/doc/crypto/X509_NAME_print_ex.pod | 105 + openssl/doc/crypto/X509_new.pod | 37 + openssl/doc/crypto/bio.pod | 54 + openssl/doc/crypto/blowfish.pod | 112 + openssl/doc/crypto/bn.pod | 181 + openssl/doc/crypto/bn_internal.pod | 226 + openssl/doc/crypto/buffer.pod | 73 + openssl/doc/crypto/crypto.pod | 85 + openssl/doc/crypto/d2i_ASN1_OBJECT.pod | 29 + openssl/doc/crypto/d2i_DHparams.pod | 30 + openssl/doc/crypto/d2i_DSAPublicKey.pod | 83 + openssl/doc/crypto/d2i_PKCS8PrivateKey.pod | 56 + openssl/doc/crypto/d2i_RSAPublicKey.pod | 67 + openssl/doc/crypto/d2i_X509.pod | 231 + openssl/doc/crypto/d2i_X509_ALGOR.pod | 30 + openssl/doc/crypto/d2i_X509_CRL.pod | 37 + openssl/doc/crypto/d2i_X509_NAME.pod | 31 + openssl/doc/crypto/d2i_X509_REQ.pod | 36 + openssl/doc/crypto/d2i_X509_SIG.pod | 30 + openssl/doc/crypto/des.pod | 358 + openssl/doc/crypto/des_modes.pod | 255 + openssl/doc/crypto/dh.pod | 78 + openssl/doc/crypto/dsa.pod | 114 + 
openssl/doc/crypto/ecdsa.pod | 210 + openssl/doc/crypto/engine.pod | 599 ++ openssl/doc/crypto/err.pod | 187 + openssl/doc/crypto/evp.pod | 45 + openssl/doc/crypto/hmac.pod | 102 + openssl/doc/crypto/lh_stats.pod | 60 + openssl/doc/crypto/lhash.pod | 294 + openssl/doc/crypto/md5.pod | 101 + openssl/doc/crypto/mdc2.pod | 64 + openssl/doc/crypto/pem.pod | 476 ++ openssl/doc/crypto/rand.pod | 175 + openssl/doc/crypto/rc4.pod | 62 + openssl/doc/crypto/ripemd.pod | 66 + openssl/doc/crypto/rsa.pod | 123 + openssl/doc/crypto/sha.pod | 70 + openssl/doc/crypto/threads.pod | 175 + openssl/doc/crypto/ui.pod | 194 + openssl/doc/crypto/ui_compat.pod | 55 + openssl/doc/crypto/x509.pod | 64 + openssl/doc/fingerprints.txt | 57 + openssl/doc/openssl-shared.txt | 32 + openssl/doc/openssl.txt | 1254 ++++ openssl/doc/openssl_button.gif | Bin 0 -> 2063 bytes openssl/doc/openssl_button.html | 7 + openssl/doc/ssl/SSL_CIPHER_get_name.pod | 112 + .../doc/ssl/SSL_COMP_add_compression_method.pod | 70 + openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 39 + openssl/doc/ssl/SSL_CTX_add_session.pod | 73 + openssl/doc/ssl/SSL_CTX_ctrl.pod | 34 + openssl/doc/ssl/SSL_CTX_flush_sessions.pod | 49 + openssl/doc/ssl/SSL_CTX_free.pod | 41 + openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod | 53 + openssl/doc/ssl/SSL_CTX_get_verify_mode.pod | 50 + openssl/doc/ssl/SSL_CTX_load_verify_locations.pod | 124 + openssl/doc/ssl/SSL_CTX_new.pod | 94 + openssl/doc/ssl/SSL_CTX_sess_number.pod | 76 + openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod | 51 + openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod | 87 + openssl/doc/ssl/SSL_CTX_sessions.pod | 34 + openssl/doc/ssl/SSL_CTX_set_cert_store.pod | 57 + .../doc/ssl/SSL_CTX_set_cert_verify_callback.pod | 75 + openssl/doc/ssl/SSL_CTX_set_cipher_list.pod | 70 + openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod | 94 + openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod | 94 + openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod | 76 + .../doc/ssl/SSL_CTX_set_generate_session_id.pod | 150 + 
openssl/doc/ssl/SSL_CTX_set_info_callback.pod | 153 + openssl/doc/ssl/SSL_CTX_set_max_cert_list.pod | 77 + openssl/doc/ssl/SSL_CTX_set_mode.pod | 81 + openssl/doc/ssl/SSL_CTX_set_msg_callback.pod | 99 + openssl/doc/ssl/SSL_CTX_set_options.pod | 244 + openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod | 63 + openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod | 137 + openssl/doc/ssl/SSL_CTX_set_session_id_context.pod | 83 + openssl/doc/ssl/SSL_CTX_set_ssl_version.pod | 61 + openssl/doc/ssl/SSL_CTX_set_timeout.pod | 59 + openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 170 + openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 166 + openssl/doc/ssl/SSL_CTX_set_verify.pod | 294 + openssl/doc/ssl/SSL_CTX_use_certificate.pod | 169 + openssl/doc/ssl/SSL_SESSION_free.pod | 55 + openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod | 61 + openssl/doc/ssl/SSL_SESSION_get_time.pod | 64 + openssl/doc/ssl/SSL_accept.pod | 76 + openssl/doc/ssl/SSL_alert_type_string.pod | 228 + openssl/doc/ssl/SSL_clear.pod | 69 + openssl/doc/ssl/SSL_connect.pod | 73 + openssl/doc/ssl/SSL_do_handshake.pod | 75 + openssl/doc/ssl/SSL_free.pod | 44 + openssl/doc/ssl/SSL_get_SSL_CTX.pod | 26 + openssl/doc/ssl/SSL_get_ciphers.pod | 42 + openssl/doc/ssl/SSL_get_client_CA_list.pod | 53 + openssl/doc/ssl/SSL_get_current_cipher.pod | 43 + openssl/doc/ssl/SSL_get_default_timeout.pod | 41 + openssl/doc/ssl/SSL_get_error.pod | 114 + .../doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod | 61 + openssl/doc/ssl/SSL_get_ex_new_index.pod | 59 + openssl/doc/ssl/SSL_get_fd.pod | 44 + openssl/doc/ssl/SSL_get_peer_cert_chain.pod | 52 + openssl/doc/ssl/SSL_get_peer_certificate.pod | 55 + openssl/doc/ssl/SSL_get_rbio.pod | 40 + openssl/doc/ssl/SSL_get_session.pod | 73 + openssl/doc/ssl/SSL_get_verify_result.pod | 57 + openssl/doc/ssl/SSL_get_version.pod | 46 + openssl/doc/ssl/SSL_library_init.pod | 52 + openssl/doc/ssl/SSL_load_client_CA_file.pod | 62 + openssl/doc/ssl/SSL_new.pod | 44 + openssl/doc/ssl/SSL_pending.pod | 43 + 
openssl/doc/ssl/SSL_read.pod | 124 + openssl/doc/ssl/SSL_rstate_string.pod | 59 + openssl/doc/ssl/SSL_session_reused.pod | 45 + openssl/doc/ssl/SSL_set_bio.pod | 34 + openssl/doc/ssl/SSL_set_connect_state.pod | 55 + openssl/doc/ssl/SSL_set_fd.pod | 54 + openssl/doc/ssl/SSL_set_session.pod | 57 + openssl/doc/ssl/SSL_set_shutdown.pod | 72 + openssl/doc/ssl/SSL_set_verify_result.pod | 38 + openssl/doc/ssl/SSL_shutdown.pod | 125 + openssl/doc/ssl/SSL_state_string.pod | 45 + openssl/doc/ssl/SSL_want.pod | 77 + openssl/doc/ssl/SSL_write.pod | 109 + openssl/doc/ssl/d2i_SSL_SESSION.pod | 66 + openssl/doc/ssl/ssl.pod | 736 ++ openssl/doc/ssleay.txt | 7030 ++++++++++++++++++++ openssl/doc/standards.txt | 281 + 291 files changed, 40521 insertions(+) create mode 100644 openssl/doc/HOWTO/certificates.txt create mode 100644 openssl/doc/HOWTO/keys.txt create mode 100644 openssl/doc/HOWTO/proxy_certificates.txt create mode 100644 openssl/doc/README create mode 100644 openssl/doc/apps/CA.pl.pod create mode 100644 openssl/doc/apps/asn1parse.pod create mode 100644 openssl/doc/apps/ca.pod create mode 100644 openssl/doc/apps/ciphers.pod create mode 100644 openssl/doc/apps/config.pod create mode 100644 openssl/doc/apps/crl.pod create mode 100644 openssl/doc/apps/crl2pkcs7.pod create mode 100644 openssl/doc/apps/dgst.pod create mode 100644 openssl/doc/apps/dhparam.pod create mode 100644 openssl/doc/apps/dsa.pod create mode 100644 openssl/doc/apps/dsaparam.pod create mode 100644 openssl/doc/apps/ec.pod create mode 100644 openssl/doc/apps/ecparam.pod create mode 100644 openssl/doc/apps/enc.pod create mode 100644 openssl/doc/apps/errstr.pod create mode 100644 openssl/doc/apps/gendsa.pod create mode 100644 openssl/doc/apps/genrsa.pod create mode 100644 openssl/doc/apps/nseq.pod create mode 100644 openssl/doc/apps/ocsp.pod create mode 100644 openssl/doc/apps/openssl.pod create mode 100644 openssl/doc/apps/passwd.pod create mode 100644 openssl/doc/apps/pkcs12.pod create mode 100644 
openssl/doc/apps/pkcs7.pod create mode 100644 openssl/doc/apps/pkcs8.pod create mode 100644 openssl/doc/apps/rand.pod create mode 100644 openssl/doc/apps/req.pod create mode 100644 openssl/doc/apps/rsa.pod create mode 100644 openssl/doc/apps/rsautl.pod create mode 100644 openssl/doc/apps/s_client.pod create mode 100644 openssl/doc/apps/s_server.pod create mode 100644 openssl/doc/apps/s_time.pod create mode 100644 openssl/doc/apps/sess_id.pod create mode 100644 openssl/doc/apps/smime.pod create mode 100644 openssl/doc/apps/speed.pod create mode 100644 openssl/doc/apps/spkac.pod create mode 100644 openssl/doc/apps/verify.pod create mode 100644 openssl/doc/apps/version.pod create mode 100644 openssl/doc/apps/x509.pod create mode 100644 openssl/doc/apps/x509v3_config.pod create mode 100644 openssl/doc/c-indentation.el create mode 100644 openssl/doc/crypto/ASN1_OBJECT_new.pod create mode 100644 openssl/doc/crypto/ASN1_STRING_length.pod create mode 100644 openssl/doc/crypto/ASN1_STRING_new.pod create mode 100644 openssl/doc/crypto/ASN1_STRING_print_ex.pod create mode 100644 openssl/doc/crypto/ASN1_generate_nconf.pod create mode 100644 openssl/doc/crypto/BIO_ctrl.pod create mode 100644 openssl/doc/crypto/BIO_f_base64.pod create mode 100644 openssl/doc/crypto/BIO_f_buffer.pod create mode 100644 openssl/doc/crypto/BIO_f_cipher.pod create mode 100644 openssl/doc/crypto/BIO_f_md.pod create mode 100644 openssl/doc/crypto/BIO_f_null.pod create mode 100644 openssl/doc/crypto/BIO_f_ssl.pod create mode 100644 openssl/doc/crypto/BIO_find_type.pod create mode 100644 openssl/doc/crypto/BIO_new.pod create mode 100644 openssl/doc/crypto/BIO_push.pod create mode 100644 openssl/doc/crypto/BIO_read.pod create mode 100644 openssl/doc/crypto/BIO_s_accept.pod create mode 100644 openssl/doc/crypto/BIO_s_bio.pod create mode 100644 openssl/doc/crypto/BIO_s_connect.pod create mode 100644 openssl/doc/crypto/BIO_s_fd.pod create mode 100644 openssl/doc/crypto/BIO_s_file.pod create mode 100644 
openssl/doc/crypto/BIO_s_mem.pod create mode 100644 openssl/doc/crypto/BIO_s_null.pod create mode 100644 openssl/doc/crypto/BIO_s_socket.pod create mode 100644 openssl/doc/crypto/BIO_set_callback.pod create mode 100644 openssl/doc/crypto/BIO_should_retry.pod create mode 100644 openssl/doc/crypto/BN_BLINDING_new.pod create mode 100644 openssl/doc/crypto/BN_CTX_new.pod create mode 100644 openssl/doc/crypto/BN_CTX_start.pod create mode 100644 openssl/doc/crypto/BN_add.pod create mode 100644 openssl/doc/crypto/BN_add_word.pod create mode 100644 openssl/doc/crypto/BN_bn2bin.pod create mode 100644 openssl/doc/crypto/BN_cmp.pod create mode 100644 openssl/doc/crypto/BN_copy.pod create mode 100644 openssl/doc/crypto/BN_generate_prime.pod create mode 100644 openssl/doc/crypto/BN_mod_inverse.pod create mode 100644 openssl/doc/crypto/BN_mod_mul_montgomery.pod create mode 100644 openssl/doc/crypto/BN_mod_mul_reciprocal.pod create mode 100644 openssl/doc/crypto/BN_new.pod create mode 100644 openssl/doc/crypto/BN_num_bytes.pod create mode 100644 openssl/doc/crypto/BN_rand.pod create mode 100644 openssl/doc/crypto/BN_set_bit.pod create mode 100644 openssl/doc/crypto/BN_swap.pod create mode 100644 openssl/doc/crypto/BN_zero.pod create mode 100644 openssl/doc/crypto/CONF_modules_free.pod create mode 100644 openssl/doc/crypto/CONF_modules_load_file.pod create mode 100644 openssl/doc/crypto/CRYPTO_set_ex_data.pod create mode 100644 openssl/doc/crypto/DH_generate_key.pod create mode 100644 openssl/doc/crypto/DH_generate_parameters.pod create mode 100644 openssl/doc/crypto/DH_get_ex_new_index.pod create mode 100644 openssl/doc/crypto/DH_new.pod create mode 100644 openssl/doc/crypto/DH_set_method.pod create mode 100644 openssl/doc/crypto/DH_size.pod create mode 100644 openssl/doc/crypto/DSA_SIG_new.pod create mode 100644 openssl/doc/crypto/DSA_do_sign.pod create mode 100644 openssl/doc/crypto/DSA_dup_DH.pod create mode 100644 openssl/doc/crypto/DSA_generate_key.pod create mode 100644 
openssl/doc/crypto/DSA_generate_parameters.pod create mode 100644 openssl/doc/crypto/DSA_get_ex_new_index.pod create mode 100644 openssl/doc/crypto/DSA_new.pod create mode 100644 openssl/doc/crypto/DSA_set_method.pod create mode 100644 openssl/doc/crypto/DSA_sign.pod create mode 100644 openssl/doc/crypto/DSA_size.pod create mode 100644 openssl/doc/crypto/ERR_GET_LIB.pod create mode 100644 openssl/doc/crypto/ERR_clear_error.pod create mode 100644 openssl/doc/crypto/ERR_error_string.pod create mode 100644 openssl/doc/crypto/ERR_get_error.pod create mode 100644 openssl/doc/crypto/ERR_load_crypto_strings.pod create mode 100644 openssl/doc/crypto/ERR_load_strings.pod create mode 100644 openssl/doc/crypto/ERR_print_errors.pod create mode 100644 openssl/doc/crypto/ERR_put_error.pod create mode 100644 openssl/doc/crypto/ERR_remove_state.pod create mode 100644 openssl/doc/crypto/ERR_set_mark.pod create mode 100644 openssl/doc/crypto/EVP_BytesToKey.pod create mode 100644 openssl/doc/crypto/EVP_DigestInit.pod create mode 100644 openssl/doc/crypto/EVP_EncryptInit.pod create mode 100644 openssl/doc/crypto/EVP_OpenInit.pod create mode 100644 openssl/doc/crypto/EVP_PKEY_new.pod create mode 100644 openssl/doc/crypto/EVP_PKEY_set1_RSA.pod create mode 100644 openssl/doc/crypto/EVP_SealInit.pod create mode 100644 openssl/doc/crypto/EVP_SignInit.pod create mode 100644 openssl/doc/crypto/EVP_VerifyInit.pod create mode 100644 openssl/doc/crypto/OBJ_nid2obj.pod create mode 100644 openssl/doc/crypto/OPENSSL_Applink.pod create mode 100644 openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod create mode 100644 openssl/doc/crypto/OPENSSL_config.pod create mode 100644 openssl/doc/crypto/OPENSSL_ia32cap.pod create mode 100644 openssl/doc/crypto/OPENSSL_load_builtin_modules.pod create mode 100644 openssl/doc/crypto/OpenSSL_add_all_algorithms.pod create mode 100644 openssl/doc/crypto/PKCS12_create.pod create mode 100644 openssl/doc/crypto/PKCS12_parse.pod create mode 100644 
openssl/doc/crypto/PKCS7_decrypt.pod create mode 100644 openssl/doc/crypto/PKCS7_encrypt.pod create mode 100644 openssl/doc/crypto/PKCS7_sign.pod create mode 100644 openssl/doc/crypto/PKCS7_verify.pod create mode 100644 openssl/doc/crypto/RAND_add.pod create mode 100644 openssl/doc/crypto/RAND_bytes.pod create mode 100644 openssl/doc/crypto/RAND_cleanup.pod create mode 100644 openssl/doc/crypto/RAND_egd.pod create mode 100644 openssl/doc/crypto/RAND_load_file.pod create mode 100644 openssl/doc/crypto/RAND_set_rand_method.pod create mode 100644 openssl/doc/crypto/RSA_blinding_on.pod create mode 100644 openssl/doc/crypto/RSA_check_key.pod create mode 100644 openssl/doc/crypto/RSA_generate_key.pod create mode 100644 openssl/doc/crypto/RSA_get_ex_new_index.pod create mode 100644 openssl/doc/crypto/RSA_new.pod create mode 100644 openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod create mode 100644 openssl/doc/crypto/RSA_print.pod create mode 100644 openssl/doc/crypto/RSA_private_encrypt.pod create mode 100644 openssl/doc/crypto/RSA_public_encrypt.pod create mode 100644 openssl/doc/crypto/RSA_set_method.pod create mode 100644 openssl/doc/crypto/RSA_sign.pod create mode 100644 openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod create mode 100644 openssl/doc/crypto/RSA_size.pod create mode 100644 openssl/doc/crypto/SMIME_read_PKCS7.pod create mode 100644 openssl/doc/crypto/SMIME_write_PKCS7.pod create mode 100644 openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod create mode 100644 openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod create mode 100644 openssl/doc/crypto/X509_NAME_get_index_by_NID.pod create mode 100644 openssl/doc/crypto/X509_NAME_print_ex.pod create mode 100644 openssl/doc/crypto/X509_new.pod create mode 100644 openssl/doc/crypto/bio.pod create mode 100644 openssl/doc/crypto/blowfish.pod create mode 100644 openssl/doc/crypto/bn.pod create mode 100644 openssl/doc/crypto/bn_internal.pod create mode 100644 openssl/doc/crypto/buffer.pod create mode 100644 
openssl/doc/crypto/crypto.pod create mode 100644 openssl/doc/crypto/d2i_ASN1_OBJECT.pod create mode 100644 openssl/doc/crypto/d2i_DHparams.pod create mode 100644 openssl/doc/crypto/d2i_DSAPublicKey.pod create mode 100644 openssl/doc/crypto/d2i_PKCS8PrivateKey.pod create mode 100644 openssl/doc/crypto/d2i_RSAPublicKey.pod create mode 100644 openssl/doc/crypto/d2i_X509.pod create mode 100644 openssl/doc/crypto/d2i_X509_ALGOR.pod create mode 100644 openssl/doc/crypto/d2i_X509_CRL.pod create mode 100644 openssl/doc/crypto/d2i_X509_NAME.pod create mode 100644 openssl/doc/crypto/d2i_X509_REQ.pod create mode 100644 openssl/doc/crypto/d2i_X509_SIG.pod create mode 100644 openssl/doc/crypto/des.pod create mode 100644 openssl/doc/crypto/des_modes.pod create mode 100644 openssl/doc/crypto/dh.pod create mode 100644 openssl/doc/crypto/dsa.pod create mode 100644 openssl/doc/crypto/ecdsa.pod create mode 100644 openssl/doc/crypto/engine.pod create mode 100644 openssl/doc/crypto/err.pod create mode 100644 openssl/doc/crypto/evp.pod create mode 100644 openssl/doc/crypto/hmac.pod create mode 100644 openssl/doc/crypto/lh_stats.pod create mode 100644 openssl/doc/crypto/lhash.pod create mode 100644 openssl/doc/crypto/md5.pod create mode 100644 openssl/doc/crypto/mdc2.pod create mode 100644 openssl/doc/crypto/pem.pod create mode 100644 openssl/doc/crypto/rand.pod create mode 100644 openssl/doc/crypto/rc4.pod create mode 100644 openssl/doc/crypto/ripemd.pod create mode 100644 openssl/doc/crypto/rsa.pod create mode 100644 openssl/doc/crypto/sha.pod create mode 100644 openssl/doc/crypto/threads.pod create mode 100644 openssl/doc/crypto/ui.pod create mode 100644 openssl/doc/crypto/ui_compat.pod create mode 100644 openssl/doc/crypto/x509.pod create mode 100644 openssl/doc/fingerprints.txt create mode 100644 openssl/doc/openssl-shared.txt create mode 100644 openssl/doc/openssl.txt create mode 100644 openssl/doc/openssl_button.gif create mode 100644 openssl/doc/openssl_button.html create mode 
100644 openssl/doc/ssl/SSL_CIPHER_get_name.pod create mode 100644 openssl/doc/ssl/SSL_COMP_add_compression_method.pod create mode 100644 openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod create mode 100644 openssl/doc/ssl/SSL_CTX_add_session.pod create mode 100644 openssl/doc/ssl/SSL_CTX_ctrl.pod create mode 100644 openssl/doc/ssl/SSL_CTX_flush_sessions.pod create mode 100644 openssl/doc/ssl/SSL_CTX_free.pod create mode 100644 openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod create mode 100644 openssl/doc/ssl/SSL_CTX_get_verify_mode.pod create mode 100644 openssl/doc/ssl/SSL_CTX_load_verify_locations.pod create mode 100644 openssl/doc/ssl/SSL_CTX_new.pod create mode 100644 openssl/doc/ssl/SSL_CTX_sess_number.pod create mode 100644 openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod create mode 100644 openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod create mode 100644 openssl/doc/ssl/SSL_CTX_sessions.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_cert_store.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_cert_verify_callback.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_cipher_list.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_generate_session_id.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_info_callback.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_max_cert_list.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_mode.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_msg_callback.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_options.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_session_id_context.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_ssl_version.pod create mode 100644 
openssl/doc/ssl/SSL_CTX_set_timeout.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod create mode 100644 openssl/doc/ssl/SSL_CTX_set_verify.pod create mode 100644 openssl/doc/ssl/SSL_CTX_use_certificate.pod create mode 100644 openssl/doc/ssl/SSL_SESSION_free.pod create mode 100644 openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod create mode 100644 openssl/doc/ssl/SSL_SESSION_get_time.pod create mode 100644 openssl/doc/ssl/SSL_accept.pod create mode 100644 openssl/doc/ssl/SSL_alert_type_string.pod create mode 100644 openssl/doc/ssl/SSL_clear.pod create mode 100644 openssl/doc/ssl/SSL_connect.pod create mode 100644 openssl/doc/ssl/SSL_do_handshake.pod create mode 100644 openssl/doc/ssl/SSL_free.pod create mode 100644 openssl/doc/ssl/SSL_get_SSL_CTX.pod create mode 100644 openssl/doc/ssl/SSL_get_ciphers.pod create mode 100644 openssl/doc/ssl/SSL_get_client_CA_list.pod create mode 100644 openssl/doc/ssl/SSL_get_current_cipher.pod create mode 100644 openssl/doc/ssl/SSL_get_default_timeout.pod create mode 100644 openssl/doc/ssl/SSL_get_error.pod create mode 100644 openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod create mode 100644 openssl/doc/ssl/SSL_get_ex_new_index.pod create mode 100644 openssl/doc/ssl/SSL_get_fd.pod create mode 100644 openssl/doc/ssl/SSL_get_peer_cert_chain.pod create mode 100644 openssl/doc/ssl/SSL_get_peer_certificate.pod create mode 100644 openssl/doc/ssl/SSL_get_rbio.pod create mode 100644 openssl/doc/ssl/SSL_get_session.pod create mode 100644 openssl/doc/ssl/SSL_get_verify_result.pod create mode 100644 openssl/doc/ssl/SSL_get_version.pod create mode 100644 openssl/doc/ssl/SSL_library_init.pod create mode 100644 openssl/doc/ssl/SSL_load_client_CA_file.pod create mode 100644 openssl/doc/ssl/SSL_new.pod create mode 100644 openssl/doc/ssl/SSL_pending.pod create mode 100644 openssl/doc/ssl/SSL_read.pod create mode 100644 
openssl/doc/ssl/SSL_rstate_string.pod create mode 100644 openssl/doc/ssl/SSL_session_reused.pod create mode 100644 openssl/doc/ssl/SSL_set_bio.pod create mode 100644 openssl/doc/ssl/SSL_set_connect_state.pod create mode 100644 openssl/doc/ssl/SSL_set_fd.pod create mode 100644 openssl/doc/ssl/SSL_set_session.pod create mode 100644 openssl/doc/ssl/SSL_set_shutdown.pod create mode 100644 openssl/doc/ssl/SSL_set_verify_result.pod create mode 100644 openssl/doc/ssl/SSL_shutdown.pod create mode 100644 openssl/doc/ssl/SSL_state_string.pod create mode 100644 openssl/doc/ssl/SSL_want.pod create mode 100644 openssl/doc/ssl/SSL_write.pod create mode 100644 openssl/doc/ssl/d2i_SSL_SESSION.pod create mode 100644 openssl/doc/ssl/ssl.pod create mode 100644 openssl/doc/ssleay.txt create mode 100644 openssl/doc/standards.txt (limited to 'openssl/doc')
diff --git a/openssl/doc/HOWTO/certificates.txt b/openssl/doc/HOWTO/certificates.txt
new file mode 100644
index 000000000..a8a34c7ab
--- /dev/null
+++ b/openssl/doc/HOWTO/certificates.txt
@@ -0,0 +1,105 @@
+
+ HOWTO certificates
+
+1. Introduction
+
+How you handle certificates depend a great deal on what your role is.
+Your role can be one or several of:
+
+ - User of some client software
+ - User of some server software
+ - Certificate authority
+
+This file is for users who wish to get a certificate of their own.
+Certificate authorities should read ca.txt.
+
+In all the cases shown below, the standard configuration file, as
+compiled into openssl, will be used. You may find it in /etc/,
+/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and
+is better described in another HOWTO . If you want to
+use a different configuration file, use the argument '-config {file}'
+with the command shown below.
+
+
+2. Relationship with keys
+
+Certificates are related to public key cryptography by containing a
+public key. To be useful, there must be a corresponding private key
+somewhere. With OpenSSL, public keys are easily derived from private
+keys, so before you create a certificate or a certificate request, you
+need to create a private key.
+
+Private keys are generated with 'openssl genrsa' if you want a RSA
+private key, or 'openssl gendsa' if you want a DSA private key.
+Further information on how to create private keys can be found in
+another HOWTO . The rest of this text assumes you have
+a private key in the file privkey.pem.
+
+
+3. Creating a certificate request
+
+To create a certificate, you need to start with a certificate
+request (or, as some certificate authorities like to put
+it, "certificate signing request", since that's exactly what they do,
+they sign it and give you the result back, thus making it authentic
+according to their policies). A certificate request can then be sent
+to a certificate authority to get it signed into a certificate, or if
+you have your own certificate authority, you may sign it yourself, or
+if you need a self-signed certificate (because you just want a test
+certificate or because you are setting up your own CA).
+
+The certificate request is created like this:
+
+ openssl req -new -key privkey.pem -out cert.csr
+
+Now, cert.csr can be sent to the certificate authority, if they can
+handle files in PEM format. If not, use the extra argument '-outform'
+followed by the keyword for the format to use (see another HOWTO
+). In some cases, that isn't sufficient and you will
+have to be more creative.
+
+When the certificate authority has then done the checks the need to
+do (and probably gotten payment from you), they will hand over your
+new certificate to you.
+
+Section 5 will tell you more on how to handle the certificate you
+received.
+
+
+4. Creating a self-signed test certificate
+
+If you don't want to deal with another certificate authority, or just
+want to create a test certificate for yourself. This is similar to
+creating a certificate request, but creates a certificate instead of
+a certificate request. This is NOT the recommended way to create a
+CA certificate, see ca.txt.
+
+ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
+
+
+5. What to do with the certificate
+
+If you created everything yourself, or if the certificate authority
+was kind enough, your certificate is a raw DER thing in PEM format.
+Your key most definitely is if you have followed the examples above.
+However, some (most?) certificate authorities will encode them with
+things like PKCS7 or PKCS12, or something else. Depending on your
+applications, this may be perfectly OK, it all depends on what they
+know how to decode. If not, There are a number of OpenSSL tools to
+convert between some (most?) formats.
+
+So, depending on your application, you may have to convert your
+certificate and your key to various formats, most often also putting
+them together into one file. The ways to do this is described in
+another HOWTO , I will just mention the simplest case.
+In the case of a raw DER thing in PEM format, and assuming that's all
+right for yor applications, simply concatenating the certificate and
+the key into a new file and using that one should be enough. With
+some applications, you don't even have to do that.
+
+
+By now, you have your cetificate and your private key and can start
+using the software that depend on it.
+
+--
+Richard Levitte
diff --git a/openssl/doc/HOWTO/keys.txt b/openssl/doc/HOWTO/keys.txt
new file mode 100644
index 000000000..7ae2a3a11
--- /dev/null
+++ b/openssl/doc/HOWTO/keys.txt
@@ -0,0 +1,73 @@
+
+ HOWTO keys
+
+1. Introduction
+
+Keys are the basis of public key algorithms and PKI. Keys usually
+come in pairs, with one half being the public key and the other half
+being the private key. With OpenSSL, the private key contains the
+public key information as well, so a public key doesn't need to be
+generated separately.
+
+Public keys come in several flavors, using different cryptographic
+algorithms. The most popular ones associated with certificates are
+RSA and DSA, and this HOWTO will show how to generate each of them.
+
+
+2. To generate a RSA key
+
+A RSA key can be used both for encryption and for signing.
+
+Generating a key for the RSA algorithm is quite easy, all you have to
+do is the following:
+
+ openssl genrsa -des3 -out privkey.pem 2048
+
+With this variant, you will be prompted for a protecting password. If
+you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+ NOTE: if you intend to use the key together with a server
+ certificate, it may be a good thing to avoid protecting it
+ with a password, since that would mean someone would have to
+ type in the password every time the server needs to access
+ the key.
+
+The number 2048 is the size of the key, in bits. Today, 2048 or
+higher is recommended for RSA keys, as fewer amount of bits is
+consider insecure or to be insecure pretty soon.
+
+
+3. To generate a DSA key
+
+A DSA key can be used for signing only. This is important to keep
+in mind to know what kind of purposes a certificate request with a
+DSA key can really be used for.
+
+Generating a key for the DSA algorithm is a two-step process. First,
+you have to generate parameters from which to generate the key:
+
+ openssl dsaparam -out dsaparam.pem 2048
+
+The number 2048 is the size of the key, in bits. Today, 2048 or
+higher is recommended for DSA keys, as fewer amount of bits is
+consider insecure or to be insecure pretty soon.
+
+When that is done, you can generate a key using the parameters in
+question (actually, several keys can be generated from the same
+parameters):
+
+ openssl gendsa -des3 -out privkey.pem dsaparam.pem
+
+With this variant, you will be prompted for a protecting password. If
+you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+ NOTE: if you intend to use the key together with a server
+ certificate, it may be a good thing to avoid protecting it
+ with a password, since that would mean someone would have to
+ type in the password every time the server needs to access
+ the key.
+
+--
+Richard Levitte
diff --git a/openssl/doc/HOWTO/proxy_certificates.txt b/openssl/doc/HOWTO/proxy_certificates.txt
new file mode 100644
index 000000000..3d36b02f6
--- /dev/null
+++ b/openssl/doc/HOWTO/proxy_certificates.txt
@@ -0,0 +1,322 @@
+
+ HOWTO proxy certificates
+
+0. WARNING
+
+NONE OF THE CODE PRESENTED HERE HAVE BEEN CHECKED! They are just an
+example to show you how things can be done. There may be typos or
+type conflicts, and you will have to resolve them.
+
+1. Introduction
+
+Proxy certificates are defined in RFC 3820. They are really usual
+certificates with the mandatory extension proxyCertInfo.
+
+Proxy certificates are issued by an End Entity (typically a user),
+either directly with the EE certificate as issuing certificate, or by
+extension through an already issued proxy certificate.. They are used
+to extend rights to some other entity (a computer process, typically,
+or sometimes to the user itself), so it can perform operations in the
+name of the owner of the EE certificate.
+
+See http://www.ietf.org/rfc/rfc3820.txt for more information.
+
+
+2. A warning about proxy certificates
+
+Noone seems to have tested proxy certificates with security in mind.
+Basically, to this date, it seems that proxy certificates have only
+been used in a world that's highly aware of them. What would happen
+if an unsuspecting application is to validate a chain of certificates
+that contains proxy certificates? It would usually consider the leaf
+to be the certificate to check for authorisation data, and since proxy
+certificates are controlled by the EE certificate owner alone, it's
+would be normal to consider what the EE certificate owner could do
+with them.
+
+subjectAltName and issuerAltName are forbidden in proxy certificates,
+and this is enforced in OpenSSL. The subject must be the same as the
+issuer, with one commonName added on.
+
+Possible threats are, as far as has been imagined so far:
+
+ - impersonation through commonName (think server certificates).
+ - use of additional extensions, possibly non-standard ones used in
+ certain environments, that would grant extra or different
+ authorisation rights.
+
+For this reason, OpenSSL requires that the use of proxy certificates
+be explicitely allowed. Currently, this can be done using the
+following methods:
+
+ - if the application calls X509_verify_cert() itself, it can do the
+ following prior to that call (ctx is the pointer passed in the call
+ to X509_verify_cert()):
+
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+
+ - in all other cases, proxy certificate validation can be enabled
+ before starting the application by setting the envirnoment variable
+ OPENSSL_ALLOW_PROXY with some non-empty value.
+
+There are thoughts to allow proxy certificates with a line in the
+default openssl.cnf, but that's still in the future.
+
+
+3. How to create proxy cerificates
+
+It's quite easy to create proxy certificates, by taking advantage of
+the lack of checks of the 'openssl x509' application (*ahem*). But
+first, you need to create a configuration section that contains a
+definition of the proxyCertInfo extension, a little like this:
+
+ [ v3_proxy ]
+ # A proxy certificate MUST NEVER be a CA certificate.
+ basicConstraints=CA:FALSE
+
+ # Usual authority key ID
+ authorityKeyIdentifier=keyid,issuer:always
+
+ # Now, for the extension that marks this certificate as a proxy one
+ proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+It's also possible to give the proxy extension in a separate section:
+
+ proxyCertInfo=critical,@proxy_ext
+
+ [ proxy_ext ]
+ language=id-ppl-anyLanguage
+ pathlen=0
+ policy=text:BC
+
+The policy value has a specific syntax, {syntag}:{string}, where the
+syntag determines what will be done with the string. The recognised
+syntags are as follows:
+
+ text indicates that the string is simply the bytes, not
+ encoded in any kind of way:
+
+ policy=text:räksmörgås
+
+ Previous versions of this design had a specific tag
+ for UTF-8 text. However, since the bytes are copied
+ as-is anyway, there's no need for it. Instead, use
+ the text: tag, like this:
+
+ policy=text:räksmörgÃ¥s
+
+ hex indicates the string is encoded in hex, with colons
+ between each byte (every second hex digit):
+
+ policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
+
+ Previous versions of this design had a tag to insert a
+ complete DER blob. However, the only legal use for
+ this would be to surround the bytes that would go with
+ the hex: tag with what's needed to construct a correct
+ OCTET STRING. Since hex: does that, the DER tag felt
+ superfluous, and was therefore removed.
+
+ file indicates that the text of the policy should really be
+ taken from a file. The string is then really a file
+ name. This is useful for policies that are large
+ (more than a few of lines) XML documents, for example.
+
+The 'policy' setting can be split up in multiple lines like this:
+
+ 0.policy=This is
+ 1.polisy= a multi-
+ 2.policy=line policy.
+
+NOTE: the proxy policy value is the part that determines the rights
+granted to the process using the proxy certificate. The value is
+completely dependent on the application reading and interpretting it!
+
+Now that you have created an extension section for your proxy
+certificate, you can now easily create a proxy certificate like this:
+
+ openssl req -new -config openssl.cnf \
+ -out proxy.req -keyout proxy.key
+ openssl x509 -req -CAcreateserial -in proxy.req -days 7 \
+ -out proxy.crt -CA user.crt -CAkey user.key \
+ -extfile openssl.cnf -extensions v3_proxy
+
+It's just as easy to create a proxy certificate using another proxy
+certificate as issuer (note that I'm using a different configuration
+section for it):
+
+ openssl req -new -config openssl.cnf \
+ -out proxy2.req -keyout proxy2.key
+ openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
+ -out proxy2.crt -CA proxy.crt -CAkey proxy.key \
+ -extfile openssl.cnf -extensions v3_proxy2
+
+
+4. How to have your application interpret the policy?
+
+The basic way to interpret proxy policies is to prepare some default
+rights, then do a check of the proxy certificate against the a chain
+of proxy certificates, user certificate and CA certificates, and see
+what rights came out by the end. Sounds easy, huh? It almost is.
+
+The slightly complicated part is how to pass data between your
+application and the certificate validation procedure.
+
+You need the following ingredients:
+
+ - a callback routing that will be called for every certificate that's
+ validated. It will be called several times for each certificates,
+ so you must be attentive to when it's a good time to do the proxy
+ policy interpretation and check, as well as to fill in the defaults
+ when the EE certificate is checked.
+
+ - a structure of data that's shared between your application code and
+ the callback.
+
+ - a wrapper function that sets it all up.
+
+ - an ex_data index function that creates an index into the generic
+ ex_data store that's attached to an X509 validation context.
+
+This is some cookbook code for you to fill in:
+
+ /* In this example, I will use a view of granted rights as a bit
+ array, one bit for each possible right. */
+ typedef struct your_rights {
+ unsigned char rights[total_rights / 8];
+ } YOUR_RIGHTS;
+
+ /* The following procedure will create an index for the ex_data
+ store in the X509 validation context the first time it's called.
+ Subsequent calls will return the same index. */
+ static int get_proxy_auth_ex_data_idx(void)
+ {
+ static volatile int idx = -1;
+ if (idx < 0)
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+ if (idx < 0)
+ {
+ idx = X509_STORE_CTX_get_ex_new_index(0,
+ "for verify callback",
+ NULL,NULL,NULL);
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+ }
+ return idx;
+ }
+
+ /* Callback to be given to the X509 validation procedure. */
+ static int verify_callback(int ok, X509_STORE_CTX *ctx)
+ {
+ if (ok == 1) /* It's REALLY important you keep the proxy policy
+ check within this secion. It's important to know
+ that when ok is 1, the certificates are checked
+ from top to bottom. You get the CA root first,
+ followed by the possible chain of intermediate
+ CAs, followed by the EE certificate, followed by
+ the possible proxy certificates. */
+ {
+ X509 *xs = ctx->current_cert;
+
+ if (xs->ex_flags & EXFLAG_PROXY)
+ {
+ YOUR_RIGHTS *rights =
+ (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
+ get_proxy_auth_ex_data_idx());
+ PROXY_CERT_INFO_EXTENSION *pci =
+ X509_get_ext_d2i(xs, NID_proxyCertInfo, NULL, NULL);
+
+ switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+ {
+ case NID_Independent:
+ /* Do whatever you need to grant explicit rights to
+ this particular proxy certificate, usually by
+ pulling them from some database. If there are none
+ to be found, clear all rights (making this and any
+ subsequent proxy certificate void of any rights).
+ */
+ memset(rights->rights, 0, sizeof(rights->rights));
+ break;
+ case NID_id_ppl_inheritAll:
+ /* This is basically a NOP, we simply let the current
+ rights stand as they are. */
+ break;
+ default:
+ /* This is usually the most complex section of code.
+ You really do whatever you want as long as you
+ follow RFC 3820. In the example we use here, the
+ simplest thing to do is to build another, temporary
+ bit array and fill it with the rights granted by
+ the current proxy certificate, then use it as a
+ mask on the accumulated rights bit array, and
+ voilà, you now have a new accumulated rights bit
+ array. */
+ {
+ int i;
+ YOUR_RIGHTS tmp_rights;
+ memset(tmp_rights.rights, 0, sizeof(tmp_rights.rights));
+
+ /* process_rights() is supposed to be a procedure
+ that takes a string and it's length, interprets
+ it and sets the bits in the YOUR_RIGHTS pointed
+ at by the third argument. */
+ process_rights((char *) pci->proxyPolicy->policy->data,
+ pci->proxyPolicy->policy->length,
+ &tmp_rights);
+
+ for(i = 0; i < total_rights / 8; i++)
+ rights->rights[i] &= tmp_rights.rights[i];
+ }
+ break;
+ }
+ PROXY_CERT_INFO_EXTENSION_free(pci);
+ }
+ else if (!(xs->ex_flags & EXFLAG_CA))
+ {
+ /* We have a EE certificate, let's use it to set default!
+ */
+ YOUR_RIGHTS *rights =
+ (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
+ get_proxy_auth_ex_data_idx());
+
+ /* The following procedure finds out what rights the owner
+ of the current certificate has, and sets them in the
+ YOUR_RIGHTS structure pointed at by the second
+ argument. */
+ set_default_rights(xs, rights);
+ }
+ }
+ return ok;
+ }
+
+ static int my_X509_verify_cert(X509_STORE_CTX *ctx,
+ YOUR_RIGHTS *needed_rights)
+ {
+ int i;
+ int (*save_verify_cb)(int ok,X509_STORE_CTX *ctx) = ctx->verify_cb;
+ YOUR_RIGHTS rights;
+
+ X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
+ X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(), &rights);
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+ ok = X509_verify_cert(ctx);
+
+ if (ok == 1)
+ {
+ ok = check_needed_rights(rights, needed_rights);
+ }
+
+ X509_STORE_CTX_set_verify_cb(ctx, save_verify_cb);
+
+ return ok;
+ }
+
+If you use SSL or TLS, you can easily set up a callback to have the
+certificates checked properly, using the code above:
+
+ SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert, &needed_rights);
+
+
+--
+Richard Levitte
diff --git a/openssl/doc/README b/openssl/doc/README
new file mode 100644
index 000000000..6ecc14d99
--- /dev/null
+++ b/openssl/doc/README
@@ -0,0 +1,12 @@
+
+ apps/openssl.pod .... Documentation of OpenSSL `openssl' command
+ crypto/crypto.pod ... Documentation of OpenSSL crypto.h+libcrypto.a
+ ssl/ssl.pod ......... Documentation of OpenSSL ssl.h+libssl.a
+ openssl.txt ......... Assembled documentation files for OpenSSL [not final]
+ ssleay.txt .......... Assembled documentation of ancestor SSLeay [obsolete]
+ standards.txt ....... Assembled pointers to standards, RFCs or internet drafts
+ that are related to OpenSSL.
+
+ An archive of HTML documents for the SSLeay library is available from
+ http://www.columbia.edu/~ariel/ssleay/
+
diff --git a/openssl/doc/apps/CA.pl.pod b/openssl/doc/apps/CA.pl.pod
new file mode 100644
index 000000000..ed69952f3
--- /dev/null
+++ b/openssl/doc/apps/CA.pl.pod
@@ -0,0 +1,179 @@ + +=pod + +=head1 NAME + +CA.pl - friendlier interface for OpenSSL certificate programs + +=head1 SYNOPSIS + +B +[B<-?>] +[B<-h>] +[B<-help>] +[B<-newcert>] +[B<-newreq>] +[B<-newreq-nodes>] +[B<-newca>] +[B<-xsign>] +[B<-sign>] +[B<-signreq>] +[B<-signcert>] +[B<-verify>] +[B] + +=head1 DESCRIPTION + +The B script is a perl script that supplies the relevant command line +arguments to the B command for some common certificate operations. +It is intended to simplify the process of certificate creation and management +by the use of some simple options. + +=head1 COMMAND OPTIONS + +=over 4 + +=item B, B<-h>, B<-help> + +prints a usage message. + +=item B<-newcert> + +creates a new self signed certificate. The private key and certificate are +written to the file "newreq.pem". + +=item B<-newreq> + +creates a new certificate request. The private key and request are +written to the file "newreq.pem". + +=item B<-newreq-nodes> + +is like B<-newreq> except that the private key will not be encrypted. + +=item B<-newca> + +creates a new CA hierarchy for use with the B program (or the B<-signcert> +and B<-xsign> options). The user is prompted to enter the filename of the CA +certificates (which should also contain the private key) or by hitting ENTER +details of the CA will be prompted for. The relevant files and directories +are created in a directory called "demoCA" in the current directory. + +=item B<-pkcs12> + +create a PKCS#12 file containing the user certificate, private key and CA +certificate. It expects the user certificate and private key to be in the +file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem, +it creates a file "newcert.p12". This command can thus be called after the +B<-sign> option. The PKCS#12 file can be imported directly into a browser. 
+If there is an additional argument on the command line it will be used as the +"friendly name" for the certificate (which is typically displayed in the browser +list box), otherwise the name "My Certificate" is used. + +=item B<-sign>, B<-signreq>, B<-xsign> + +calls the B program to sign a certificate request. It expects the request +to be in the file "newreq.pem". The new certificate is written to the file +"newcert.pem" except in the case of the B<-xsign> option when it is written +to standard output. + + +=item B<-signCA> + +this option is the same as the B<-signreq> option except it uses the configuration +file section B and so makes the signed request a valid CA certificate. This +is useful when creating intermediate CA from a root CA. + +=item B<-signcert> + +this option is the same as B<-sign> except it expects a self signed certificate +to be present in the file "newreq.pem". + +=item B<-verify> + +verifies certificates against the CA certificate for "demoCA". If no certificates +are specified on the command line it tries to verify the file "newcert.pem". + +=item B + +one or more optional certificate file names for use with the B<-verify> command. + +=back + +=head1 EXAMPLES + +Create a CA hierarchy: + + CA.pl -newca + +Complete certificate creation example: create a CA, create a request, sign +the request and finally create a PKCS#12 file containing it. + + CA.pl -newca + CA.pl -newreq + CA.pl -signreq + CA.pl -pkcs12 "My Test Certificate" + +=head1 DSA CERTIFICATES + +Although the B creates RSA CAs and requests it is still possible to +use it with DSA certificates and requests using the L command +directly. The following example shows the steps that would typically be taken. 
+ +Create some DSA parameters: + + openssl dsaparam -out dsap.pem 1024 + +Create a DSA CA certificate and private key: + + openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem + +Create the CA directories and files: + + CA.pl -newca + +enter cacert.pem when prompted for the CA file name. + +Create a DSA certificate request and private key (a different set of parameters +can optionally be created first): + + openssl req -out newreq.pem -newkey dsa:dsap.pem + +Sign the request: + + CA.pl -signreq + +=head1 NOTES + +Most of the filenames mentioned can be modified by editing the B script. + +If the demoCA directory already exists then the B<-newca> command will not +overwrite it and will do nothing. This can happen if a previous call using +the B<-newca> option terminated abnormally. To get the correct behaviour +delete the demoCA directory if it already exists. + +Under some environments it may not be possible to run the B script +directly (for example Win32) and the default configuration file location may +be wrong. In this case the command: + + perl -S CA.pl + +can be used and the B environment variable changed to point to +the correct path of the configuration file "openssl.cnf". + +The script is intended as a simple front end for the B program for use +by a beginner. Its behaviour isn't always what is wanted. For more control over the +behaviour of the certificate commands call the B command directly. + +=head1 ENVIRONMENT VARIABLES + +The variable B if defined allows an alternative configuration +file location to be specified, it should contain the full path to the +configuration file, not just its directory. + +=head1 SEE ALSO + +L, L, L, L, +L + +=cut diff --git a/openssl/doc/apps/asn1parse.pod b/openssl/doc/apps/asn1parse.pod new file mode 100644 index 000000000..542d96906 --- /dev/null +++ b/openssl/doc/apps/asn1parse.pod 
@@ -0,0 +1,171 @@ +=pod + +=head1 NAME + +asn1parse - ASN.1 parsing tool + +=head1 SYNOPSIS + +B B +[B<-inform PEM|DER>] +[B<-in filename>] +[B<-out filename>] +[B<-noout>] +[B<-offset number>] +[B<-length number>] +[B<-i>] +[B<-oid filename>] +[B<-strparse offset>] +[B<-genstr string>] +[B<-genconf file>] + +=head1 DESCRIPTION + +The B command is a diagnostic utility that can parse ASN.1 +structures. It can also be used to extract data from ASN.1 formatted data. + +=head1 OPTIONS + +=over 4 + +=item B<-inform> B + +the input format. B is binary format and B (the default) is base64 +encoded. + +=item B<-in filename> + +the input file, default is standard input + +=item B<-out filename> + +output file to place the DER encoded data into. If this +option is not present then no data will be output. This is most useful when +combined with the B<-strparse> option. + +=item B<-noout> + +don't output the parsed version of the input file. + +=item B<-offset number> + +starting offset to begin parsing, default is start of file. + +=item B<-length number> + +number of bytes to parse, default is until end of file. + +=item B<-i> + +indents the output according to the "depth" of the structures. + +=item B<-oid filename> + +a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this +file is described in the NOTES section below. + +=item B<-strparse offset> + +parse the contents octets of the ASN.1 object starting at B. This +option can be used multiple times to "drill down" into a nested structure. + +=item B<-genstr string>, B<-genconf file> + +generate encoded data based on B, B or both using +ASN1_generate_nconf() format. If B only is present then the string +is obtained from the default section using the name B. The encoded +data is passed through the ASN1 parser and printed out as though it came +from a file, the contents can thus be examined and written to a file +using the B option. 
+ +=back + +=head2 OUTPUT + +The output will typically contain lines like this: + + 0:d=0 hl=4 l= 681 cons: SEQUENCE + +..... + + 229:d=3 hl=3 l= 141 prim: BIT STRING + 373:d=2 hl=3 l= 162 cons: cont [ 3 ] + 376:d=3 hl=3 l= 159 cons: SEQUENCE + 379:d=4 hl=2 l= 29 cons: SEQUENCE + 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier + 386:d=5 hl=2 l= 22 prim: OCTET STRING + 410:d=4 hl=2 l= 112 cons: SEQUENCE + 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier + 417:d=5 hl=2 l= 105 prim: OCTET STRING + 524:d=4 hl=2 l= 12 cons: SEQUENCE + +..... + +This example is part of a self signed certificate. Each line starts with the +offset in decimal. B specifies the current depth. The depth is increased +within the scope of any SET or SEQUENCE. B gives the header length +(tag and length octets) of the current type. B gives the length of +the contents octets. + +The B<-i> option can be used to make the output more readable. + +Some knowledge of the ASN.1 structure is needed to interpret the output. + +In this example the BIT STRING at offset 229 is the certificate public key. +The contents octets of this will contain the public key information. This can +be examined using the option B<-strparse 229> to yield: + + 0:d=0 hl=3 l= 137 cons: SEQUENCE + 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 + 135:d=1 hl=2 l= 3 prim: INTEGER :010001 + +=head1 NOTES + +If an OID is not part of OpenSSL's internal table it will be represented in +numerical form (for example 1.2.3.4). The file passed to the B<-oid> option +allows additional OIDs to be included. Each line consists of three columns, +the first column is the OID in numerical format and should be followed by white +space. 
The second column is the "short name" which is a single word followed +by white space. The final column is the rest of the line and is the +"long name". B displays the long name. Example: + +C<1.2.3.4 shortName A long name> + +=head1 EXAMPLES + +Parse a file: + + openssl asn1parse -in file.pem + +Parse a DER file: + + openssl asn1parse -inform DER -in file.der + +Generate a simple UTF8String: + + openssl asn1parse -genstr 'UTF8:Hello World' + +Generate and write out a UTF8String, don't print parsed output: + + openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der + +Generate using a config file: + + openssl asn1parse -genconf asn1.cnf -noout -out asn1.der + +Example config file: + + asn1=SEQUENCE:seq_sect + + [seq_sect] + + field1=BOOL:TRUE + field2=EXP:0, UTF8:some random string + + +=head1 BUGS + +There should be options to change the format of output lines. The output of some +ASN.1 types is not well handled (if at all). + +=cut diff --git a/openssl/doc/apps/ca.pod b/openssl/doc/apps/ca.pod new file mode 100644 index 000000000..5618c2dc9 --- /dev/null +++ b/openssl/doc/apps/ca.pod 
@@ -0,0 +1,671 @@
+
+=pod
+
+=head1 NAME
+
+ca - sample minimal CA application
+
+=head1 SYNOPSIS
+
+B B
+[B<-verbose>]
+[B<-config filename>]
+[B<-name section>]
+[B<-gencrl>]
+[B<-revoke file>]
+[B<-crl_reason reason>]
+[B<-crl_hold instruction>]
+[B<-crl_compromise time>]
+[B<-crl_CA_compromise time>]
+[B<-crldays days>]
+[B<-crlhours hours>]
+[B<-crlexts section>]
+[B<-startdate date>]
+[B<-enddate date>]
+[B<-days arg>]
+[B<-md arg>]
+[B<-policy arg>]
+[B<-keyfile arg>]
+[B<-key arg>]
+[B<-passin arg>]
+[B<-cert file>]
+[B<-selfsign>]
+[B<-in file>]
+[B<-out file>]
+[B<-notext>]
+[B<-outdir dir>]
+[B<-infiles>]
+[B<-spkac file>]
+[B<-ss_cert file>]
+[B<-preserveDN>]
+[B<-noemailDN>]
+[B<-batch>]
+[B<-msie_hack>]
+[B<-extensions section>]
+[B<-extfile section>]
+[B<-engine id>]
+[B<-subj arg>]
+[B<-utf8>]
+[B<-multivalue-rdn>]
+
+=head1 DESCRIPTION
+
+The B command is a minimal CA application. It can be used
+to sign certificate requests in a variety of forms and generate
+CRLs it also maintains a text database of issued certificates
+and their status.
+
+The options descriptions will be divided into each purpose.
+
+=head1 CA OPTIONS
+
+=over 4
+
+=item B<-config filename>
+
+specifies the configuration file to use.
+
+=item B<-name section>
+
+specifies the configuration file section to use (overrides
+B in the B section).
+
+=item B<-in filename>
+
+an input filename containing a single certificate request to be
+signed by the CA.
+
+=item B<-ss_cert filename>
+
+a single self signed certificate to be signed by the CA.
+
+=item B<-spkac filename>
+
+a file containing a single Netscape signed public key and challenge
+and additional field values to be signed by the CA. See the B
+section for information on the required format.
+
+=item B<-infiles>
+
+if present this should be the last option, all subsequent arguments
+are assumed to the the names of files containing certificate requests.
+
+=item B<-out filename>
+
+the output file to output certificates to.
The default is standard
+output. The certificate details will also be printed out to this
+file.
+
+=item B<-outdir directory>
+
+the directory to output certificates to. The certificate will be
+written to a filename consisting of the serial number in hex with
+".pem" appended.
+
+=item B<-cert>
+
+the CA certificate file.
+
+=item B<-keyfile filename>
+
+the private key to sign requests with.
+
+=item B<-key password>
+
+the password used to encrypt the private key. Since on some
+systems the command line arguments are visible (e.g. Unix with
+the 'ps' utility) this option should be used with caution.
+
+=item B<-selfsign>
+
+indicates the issued certificates are to be signed with the key
+the certificate requests were signed with (given with B<-keyfile>).
+Cerificate requests signed with a different key are ignored. If
+B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
+ignored.
+
+A consequence of using B<-selfsign> is that the self-signed
+certificate appears among the entries in the certificate database
+(see the configuration option B), and uses the same
+serial number counter as all other certificates sign with the
+self-signed certificate.
+
+=item B<-passin arg>
+
+the key password source. For more information about the format of B
+see the B section in L.
+
+=item B<-verbose>
+
+this prints extra details about the operations being performed.
+
+=item B<-notext>
+
+don't output the text form of a certificate to the output file.
+
+=item B<-startdate date>
+
+this allows the start date to be explicitly set. The format of the
+date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
+
+=item B<-enddate date>
+
+this allows the expiry date to be explicitly set. The format of the
+date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
+
+=item B<-days arg>
+
+the number of days to certify the certificate for.
+
+=item B<-md alg>
+
+the message digest to use. Possible values include md5, sha1 and mdc2.
+This option also applies to CRLs.
+
+=item B<-policy arg>
+
+this option defines the CA "policy" to use. This is a section in
+the configuration file which decides which fields should be mandatory
+or match the CA certificate. Check out the B section
+for more information.
+
+=item B<-msie_hack>
+
+this is a legacy option to make B work with very old versions of
+the IE certificate enrollment control "certenr3". It used UniversalStrings
+for almost everything. Since the old control has various security bugs
+its use is strongly discouraged. The newer control "Xenroll" does not
+need this option.
+
+=item B<-preserveDN>
+
+Normally the DN order of a certificate is the same as the order of the
+fields in the relevant policy section. When this option is set the order
+is the same as the request. This is largely for compatibility with the
+older IE enrollment control which would only accept certificates if their
+DNs match the order of the request. This is not needed for Xenroll.
+
+=item B<-noemailDN>
+
+The DN of a certificate can contain the EMAIL field if present in the
+request DN, however it is good policy just having the e-mail set into
+the altName extension of the certificate. When this option is set the
+EMAIL field is removed from the certificate' subject and set only in
+the, eventually present, extensions. The B keyword can be
+used in the configuration file to enable this behaviour.
+
+=item B<-batch>
+
+this sets the batch mode. In this mode no questions will be asked
+and all certificates will be certified automatically.
+
+=item B<-extensions section>
+
+the section of the configuration file containing certificate extensions
+to be added when a certificate is issued (defaults to B
+unless the B<-extfile> option is used). If no extension section is
+present then, a V1 certificate is created. If the extension section
+is present (even if it is empty), then a V3 certificate is created.
+
+=item B<-extfile file>
+
+an additional configuration file to read certificate extensions from
+(using the default section unless the B<-extensions> option is also
+used).
+
+=item B<-engine id>
+
+specifying an engine (by it's unique B string) will cause B
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=item B<-subj arg>
+
+supersedes subject name given in the request.
+The arg must be formatted as I,
+characters may be escaped by \ (backslash), no spaces are skipped.
+
+=item B<-utf8>
+
+this option causes field values to be interpreted as UTF8 strings, by
+default they are interpreted as ASCII. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
+=item B<-multivalue-rdn>
+
+this option causes the -subj argument to be interpretedt with full
+support for multivalued RDNs. Example:
+
+I
+
+If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+
+=back
+
+=head1 CRL OPTIONS
+
+=over 4
+
+=item B<-gencrl>
+
+this option generates a CRL based on information in the index file.
+
+=item B<-crldays num>
+
+the number of days before the next CRL is due. That is the days from
+now to place in the CRL nextUpdate field.
+
+=item B<-crlhours num>
+
+the number of hours before the next CRL is due.
+
+=item B<-revoke filename>
+
+a filename containing a certificate to revoke.
+
+=item B<-crl_reason reason>
+
+revocation reason, where B is one of: B, B,
+B, B, B, B,
+B or B. The matching of B is case
+insensitive. Setting any revocation reason will make the CRL v2.
+
+In practive B is not particularly useful because it is only used
+in delta CRLs which are not currently implemented.
+
+=item B<-crl_hold instruction>
+
+This sets the CRL revocation reason code to B and the hold
+instruction to B which must be an OID.
Although any OID can be
+used only B (the use of which is discouraged by RFC2459)
+B or B will normally be used.
+
+=item B<-crl_compromise time>
+
+This sets the revocation reason to B and the compromise time to
+B