diff --git a/apps/pkey.c b/apps/pkey.c
index 50584f298c..5d12cc059a 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -58,24 +58,24 @@ const OPTIONS pkey_options[] = {
 "Key input format (ENGINE, other values ignored)"},
 {"passin", OPT_PASSIN, 's', "Key input pass phrase source"},
 {"pubin", OPT_PUBIN, '-',
- "Read public key from input (default is private key)"},
+ "Read only public components from key input"},
 
 OPT_SECTION("Output"),
- {"out", OPT_OUT, '>', "Output file"},
- {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
+ {"out", OPT_OUT, '>', "Output file for encoded and/or text output"},
+ {"outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)"},
 {"", OPT_CIPHER, '-', "Any supported cipher to be used for encryption"},
 {"passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source"},
 {"traditional", OPT_TRADITIONAL, '-',
 "Use traditional format for private key PEM output"},
- {"pubout", OPT_PUBOUT, '-', "Output public key components only"},
- {"noout", OPT_NOOUT, '-', "Don't output the key"},
+ {"pubout", OPT_PUBOUT, '-', "Restrict encoded output to public components"},
+ {"noout", OPT_NOOUT, '-', "Do not output the key in encoded form"},
+ {"text", OPT_TEXT, '-', "Output key components in plaintext"},
 {"text_pub", OPT_TEXT_PUB, '-',
- "Output public key components in text form"},
- {"text", OPT_TEXT, '-', "Output private components in plaintext as well"},
+ "Output only public key components in text form"},
 {"ec_conv_form", OPT_EC_CONV_FORM, 's',
- "Specifies the point conversion form "},
+ "Specifies the EC point conversion form in the encoding"},
 {"ec_param_enc", OPT_EC_PARAM_ENC, 's',
- "Specifies the way the ec parameters are encoded"},
+ "Specifies the way the EC parameters are encoded"},
 
 {NULL}
 };
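Review bot: The new `-text` help, `"Output key components in plaintext"`, drops the word "private" that the old string carried, although for a private-key input `-text` without `-text_pub` still takes the `EVP_PKEY_print_private()` path later in this diff and prints the private components unencrypted even when a cipher option encrypts the PEM encoding. A `-help` reader therefore gets no hint that the text part is never protected by the cipher. Suggest `"Output key components (private ones too) in plaintext"`. The `pkey_options[]` table starts before this hunk.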
@@ -91,7 +91,7 @@ int pkey_main(int argc, char **argv)
 char *passinarg = NULL, *passoutarg = NULL, *prog;
 OPTION_CHOICE o;
 int informat = FORMAT_PEM, outformat = FORMAT_PEM;
- int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
+ int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1;
 int private = 0, traditional = 0, check = 0, pub_check = 0;
 #ifndef OPENSSL_NO_EC
 EC_KEY *eckey;
@@ -136,13 +136,13 @@ int pkey_main(int argc, char **argv)
 outfile = opt_arg();
 break;
 case OPT_PUBIN:
- pubin = pubout = pubtext = 1;
+ pubin = pubout = 1;
 break;
 case OPT_PUBOUT:
 pubout = 1;
 break;
 case OPT_TEXT_PUB:
- pubtext = text = 1;
+ text_pub = 1;
 break;
 case OPT_TEXT:
 text = 1;
@@ -195,15 +195,28 @@ int pkey_main(int argc, char **argv)
 if (argc != 0)
 goto opthelp;
 
- private = !noout && !pubout ? 1 : 0;
- if (text && !pubtext)
- private = 1;
+ if (noout && pubout)
+ BIO_printf(bio_err,
+ "Warning: The -pubout option is ignored with -noout\n");
+ if (text && text_pub)
+ BIO_printf(bio_err,
+ "Warning: The -text option is ignored with -text_pub\n");
+ if (traditional && (noout || outformat != FORMAT_PEM))
+ BIO_printf(bio_err,
+ "Warning: The -traditional is ignored since there is no PEM output\n");
+ private = (!noout && !pubout) || (text && !text_pub);
 
- if (outformat == FORMAT_ASN1 && passoutarg != NULL) {
- BIO_printf(bio_err, "The -passout option is not supported for DER output\n");
- goto end;
+ if (cipher == NULL) {
+ if (passoutarg != NULL)
+ BIO_printf(bio_err,
+ "Warning: The -passout option is ignored without a cipher option\n");
+ } else {
+ if (noout || outformat != FORMAT_PEM) {
+ BIO_printf(bio_err,
+ "Error: Cipher options are supported only for PEM output\n");
+ goto end;
+ }
 }
-
 if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
 BIO_printf(bio_err, "Error getting passwords\n");
 goto end;
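Review bot: `case OPT_PUBIN:` now sets only `pubin` and `pubout`, so `-pubin -text` leaves `text_pub` at 0 and, through `private = (!noout && !pubout) || (text && !text_pub)` later in this diff, routes a key loaded with only its public components into `EVP_PKEY_print_private()`, where the old `pubin = pubout = pubtext = 1` printed the public form. Whether the private-key printer tolerates a key without private components depends on the key type's print routine, which is not visible here. Since `-text` may come after `-pubin` on the command line, the mapping belongs after option parsing rather than in this case: `if (pubin && text) text_pub = 1;` placed just before the `private = ...` assignment (after the `-text`/`-text_pub` warning so it does not fire) restores the old behaviour. `pkey_main()` starts and ends outside this hunk.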
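Review bot: When `cipher == NULL` the new code only warns that `-passout` is ignored, but `passoutarg` is still passed unchanged to `app_passwd()` a few lines below, so a `-passout stdin`, `fd:` or `file:` source is presumably still resolved — and its input consumed — for a pass phrase nothing uses. Resetting it after the warning, `passoutarg = NULL;`, makes the warning true and drops the pointless read. On wording, `"Warning: The -traditional is ignored since there is no PEM output\n"` is missing the word "option" that the two sibling warnings use. `pkey_main()` continues outside this hunk.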
@@ -291,6 +304,11 @@ int pkey_main(int argc, char **argv)
 }
 }
 } else if (outformat == FORMAT_ASN1) {
+ if (text || text_pub) {
+ BIO_printf(bio_err,
+ "Error: Text output cannot be combined with DER output\n");
+ goto end;
+ }
 if (pubout) {
 if (!i2d_PUBKEY_bio(out, pkey))
 goto end;
@@ -305,15 +323,13 @@ int pkey_main(int argc, char **argv)
 }
 }
 
- if (text) {
- if (pubtext) {
- if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
- goto end;
- } else {
- assert(private);
- if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)
- goto end;
- }
+ if (text_pub) {
+ if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
+ goto end;
+ } else if (text) {
+ assert(private);
+ if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)
+ goto end;
 }
 
 ret = 0;
diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in
index f48471bc40..df031fb258 100644
--- a/doc/man1/openssl-pkey.pod.in
+++ b/doc/man1/openssl-pkey.pod.in
@@ -27,8 +27,8 @@ B B
 [B<-traditional>]
 [B<-pubout>]
 [B<-noout>]
-[B<-text_pub>]
 [B<-text>]
+[B<-text_pub>]
 [B<-ec_conv_form> I]
 [B<-ec_param_enc> I]
@@ -73,7 +73,7 @@ or the public component of a key pair.
 This specifies the input to read a key from or standard input if this option is not specified.
-If the key is encrypted and B<-passin> is not given
+If the key input is encrypted and B<-passin> is not given
 a pass phrase will be prompted for.
 
 =item B<-inform> B|B|B|B
 
@@ -91,8 +91,8 @@ see L.
 
 =item B<-pubin>
 
-By default a private key is read from the input file: with this
-option a public key is read instead.
+By default a private key is read from the input.
+With this option only the public components are read.
 
 =back
 
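Review bot: The new `text || text_pub` rejection in the DER branch runs only at output time, after the key has been loaded and, as far as I can tell, after the output BIO was opened earlier in `pkey_main()` (outside this hunk), so `-outform DER -text -out FILE` fails late with FILE already created or truncated. This commit rejects the cipher/non-PEM conflict up front in the post-parse validation block, and this conflict belongs beside it: `if (!noout && outformat == FORMAT_ASN1 && (text || text_pub)) { BIO_printf(bio_err, "Error: Text output cannot be combined with DER output\n"); goto end; }`, where `!noout` keeps the `-noout -text` combination that the current placement allows if, as the `-noout` help implies, this branch is skipped under `-noout`. The check added here can then be dropped. `pkey_main()` starts and ends outside this hunk.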
@@ -102,9 +102,9 @@ option a public key is read instead.
 
 =item B<-out> I
 
-This specifies the output filename to write a key to
+This specifies the output filename to save the encoded and/or text output of key
 or standard output if this option is not specified.
-If any encryption option is set but no B<-passout> is given
+If any cipher option is set but no B<-passout> is given
 then a pass phrase will be prompted for.
 The output filename should B be the same as the input filename.
 
@@ -115,13 +115,13 @@ See L for details.
 
 =item B<-I>
 
-These options encrypt the private key with the supplied cipher. Any algorithm
+Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
 name accepted by EVP_get_cipherbyname() is acceptable such as B.
+Encryption is not supported for DER output.
 
 =item B<-passout> I
 
 The password source for the output file.
-The -passout option is not supported for DER output.
 For more information about the format of B see L.
 
@@ -134,22 +134,24 @@ option is specified then the older "traditional" format is used instead.
 
 =item B<-pubout>
 
-By default the encoded private key is output:
-with this option the encoded public key will be output instead.
+By default the encoded private and public key is output;
+this option restricts the encoded output to the public components.
 This option is automatically set if the input is a public key.
 
 =item B<-noout>
 
-Do not output the encoded version of the key.
+Do not output the key in encoded form.
 
 =item B<-text>
 
-Output the various public or private key components in
-plain text (possibly in addition to the encoded version).
+Output the various key components in plain text
+(possibly in addition to the PEM encoded form).
+This cannot be combined with encoded output in DER format.
 
 =item B<-text_pub>
 
-Output in text form the public key components (also for private keys).
+Output in text form only the public key components (also for private keys).
+This cannot be combined with encoded output in DER format.
 
 =item B<-ec_conv_form> I