Manual Pages for UNIX Operating System command usage for man openssl

Standards, Environments, and Macros                    openssl(5)



NAME
     openssl - OpenSSL cryptographic  and  Secure  Sockets  Layer
     toolkit

DESCRIPTION
     OpenSSL is a cryptography toolkit that implements the Secure
     Sockets  Layer  (SSLv2/v3) and Transport Layer Security (TLS
     v1) network protocols.


     The following features are omitted  from  the  binaries  for
     issues  including but not limited to patents, trademark, and
     US export restrictions: ECC, IDEA, MDC2, RC3,  RC5,  Dynamic
     Engine  Loading, 4758_CCA Engine, AEP Engine, Atalla Engine,
     CHIL  Engine,  CSWIFT  Engine,  GMP  Engine,  NURON  Engine,
     PadLock Engine, Sureware Engine, and UBSEC Engine.


     A new PKCS#11 engine has  been  included  with  ENGINE  name
     pkcs11.   The  engine  was  developed  in  Sun  and  is  not
     integrated in the OpenSSL project.


     The PKCS#11 engine is configured to use the Solaris  Crypto-
     graphic   Framework.  See  cryptoadm(1M)  for  configuration
     information.


     The PKCS#11 engine can support the following set of  mechan-
     isms:     CKM_AES_CBC,     CKM_AES_ECB,    CKM_BLOWFISH_CBC,
     CKM_DES_CBC,   CKM_DES_ECB,   CKM_DES3_CBC,    CKM_DES3_ECB,
     CKM_DSA,   CKM_MD5,  CKM_RC4,  CKM_RSA_PKCS,  CKM_RSA_X_509,
     CKM_SHA_1,   CKM_SHA224,   CKM_SHA256,    CKM_SHA384,    and
     CKM_SHA512.


     The set of mechanisms available depends on installed  Crypto
     Framework providers. To see what mechanisms can be offloaded
     to the Cryptographic Framework through the PKCS#11 engine on
     a given machine, run the following command:

       /usr/sfw/bin/openssl engine -vvv -t -c




     Due  to  requirements  of  the  PKCS#11  standard  regarding
     fork(2) behavior, some applications that use the OpenSSL EVP
     interfaces and fork()  with  active  crypto  contexts  might
     experience unexpected behavior.





SunOS 5.11          Last change: 23 Nov 2009                    1






Standards, Environments, and Macros                    openssl(5)



  Using FIPS Mode
     A FIPS Capable OpenSSL is  available  in  /lib/openssl/fips-
     140.  To  use  this  version of OpenSSL on a per-application
     basis, LD_LIBRARY_PATH can be set. crle(1) can  be  used  to
     select this version of OpenSSL for all applications.


     Example:

       # crle -a /lib/libcrypto.so.0.9.8 -o \
          /lib/openssl/fips-140
       # crle -64 -a /lib/64/libcrypto.so.0.9.8 -o \
          /lib/openssl/fips-140/64



     The FIPS Capable libcrypto and  the  non-FIPS  Capable  lib-
     crypto  are ABI compatible. One exception to this is the use
     of the CRYPTO_NUM_LOCKS preprocessor macro. Instead of using
     CRYPTO_NUM_LOCKS,  the  CRYPTO_num_locks(3openssl)  function
     should be used instead.


     Even when a FIPS Capable OpenSSL is used applications cannot
     automatically  claim  FIPS  compliance. See the OpenSSL FIPS
     140-2 User Guide at http://openssl.org/  for  more  informa-
     tion.


     openssl(1openssl) can be run in FIPS mode. The environmental
     variable,  OPENSSL_FIPS,  must  be  set and the FIPS Capable
     OpenSSL libraries must be used.


     Example:

       # export LD_LIBRARY_PATH=/lib/openssl/fips-140
       # export OPENSSL_FIPS=1
       # openssl version
       OpenSSL 0.9.8k-fips 25 Mar 2009 (security fixes for: CVE-
       2009-1377 CVE-2009-1378 CVE-2009-1379)


  Building an OpenSSL Application
     To build an OpenSSL application, use the following  cc  com-
     mand line options:

       cc [ flag... ] file... -lcrypto -lssl [ library... ]







SunOS 5.11          Last change: 23 Nov 2009                    2






Standards, Environments, and Macros                    openssl(5)



     To build an OpenSSL application which supports a  FIPS  mode
     of operation, use the following cc command line options:

       cc -I/usr/include/openssl/fips-140 -L/lib/openssl/fips-140 \
          [ flag... ] file... -lcrypto -lssl [ library... ]


  Accessing RSA Keys in PKCS#11 Keystores
     OpenSSL can access RSA keys in PKCS#11 keystores  using  the
     following functions of the ENGINE API:

       EVP_PKEY *ENGINE_load_private_key(ENGINE *e,
        const char *key_id, UI_METHOD *ui_method,
        void *callback_data)

       EVP_PKEY *ENGINE_load_public_key(ENGINE *e,
        const char *key_id, UI_METHOD *ui_method,
        void *callback_data)



     key_id, formerly for filenames only, can be now also set  to
     a PKCS#11 URI. The EVP_PKEY structure is newly allocated and
     caller is responsible to free the structure later. To  avoid
     clashes   with   existing   filenames,  file://  prefix  for
     filenames is now also accepted but  only  when  the  PKCS#11
     engine is in use. The PKCS#11 URI specification follows:

       pkcs11:[token=][:manuf=][;serial=]
          [;model=][;object=]
          [;objecttype=(public|private|cert)]
          [;passphrasedialog=(builtin|exec:)]



     The ordering of keywords is  not  significant.  The  PKCS#11
     engine  uses the keystore for the slot chosen for public key
     operations, which  is  metaslot  on  a  standard  configured
     machine.  Currently,  the PKCS#11 engine ignores the object-
     type keyword. The only mandatory keyword is object which  is
     the  key  object label. For information on how to use a dif-
     ferent,   possibly   hardware,   keystore   with   metaslot,
     seelibpkcs11(3LIB).


     The token PIN is provided by  way  of  the  passphrasedialog
     keyword  and  is  either read from the terminal (builtin) or
     from the output of an external  command  (exec:).  The
     PIN  is used to log into the token and by default is deleted
     from the memory then. The keyword pin is  intentionally  not
     provided  due  to inherent security problems of possible use
     of a password in the process arguments.



SunOS 5.11          Last change: 23 Nov 2009                    3






Standards, Environments, and Macros                    openssl(5)



     Due to fork safety issues the application must  re-login  if
     the  child  continues  to use the PKCS#11 engine. It is done
     inside of the engine automatically if fork is  detected  and
     in  that  case,  exec:  option of the passphrasedialog
     keyword can be used. Alternatively, an environment  variable
     OPENSSL_PKCS11_PIN_CACHING_POLICY  can  be used to allow the
     PIN to be cached in memory and reused in the child.  It  can
     be set to none which is the default, memory to store the PIN
     in memory, and mlocked-memory to keep the PIN  in  a  locked
     page  using  mlock(3C).  PRIV_PROC_LOCK_MEMORY  privilege is
     required in that case.


     Sensitive parts of private keys  are  never  read  from  the
     token  to  the  process  memory no matter whether the key is
     tagged with sensitive flag or not. The PKCS#11  engine  uses
     the  public  components  as  a  search  key to get a PKCS#11
     object handle to the private key.


     To use the RSA keys by reference, high level  API  functions
     such   as   RSA_public_decrypt(),   EVP_PKEY_set1_RSA(),  or
     EVP_SignInit() must be used. Low level  functions  might  go
     around the engine and fail to make use of the feature.

  Additional Documentation
     Extensive additional documentation for  OpenSSL  modules  is
     available       in      the      /usr/share/man/man1openssl,
     /usr/share/man/man3openssl, /usr/share/man/man5openssl,  and
     /usr/share/man/man7openssl directories.


     To view the license terms, attribution,  and  copyright  for
     OpenSSL, see /var/sadm/pkg/SUNWopensslr/install/copyright.

EXAMPLES
     Example 1 Generating and Printing a Public Key


     The following example generates  and  prints  a  public  key
     stored in an already initilized PKCS#11 keystore. Notice the
     use of -engine pkcs11 and -inform e.


       $ pktool gencert keystore=pkcs11 label=mykey \
          subject="CN=test" keytype=rsa keylen=1024 serial=01
       $ openssl rsa -in "pkcs11:object=mykey;passphrasedialog=builtin"\
          -pubout -text -engine pkcs11 -inform e


ATTRIBUTES




SunOS 5.11          Last change: 23 Nov 2009                    4






Standards, Environments, and Macros                    openssl(5)



     See attributes(5) for a description of the following  attri-
     butes:



     ____________________________________________________________
   |        ATTRIBUTE TYPE       |        ATTRIBUTE VALUE      |
   | ____________________________|_____________________________|_
   |  Availability               |  library/security/openssl,  |
   |                             |  library/security/openssl   |
   |_____________________________|_____________________________|
   | Interface Stability         | Volatile                    |
   |_____________________________|_____________________________|


SEE ALSO
     crle(1),  cryptoadm(1M),   libpkcs11(3LIB),   attributes(5),
     privileges(5)


     /usr/share/man/man1openssl/openssl.1openssl,
     /usr/share/man/man1openssl/CRYPTO_num_locks.3openssl,
     /usr/share/man/man3openssl/engine.3,
     /usr/share/man/man3openssl/evp.3


     OpenSSL FIPS 140-2 User Guide at http://openssl.org/




























SunOS 5.11          Last change: 23 Nov 2009                    5