• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1=pod
2
3=begin comment
4{- join("\n", @autowarntext) -}
5
6=end comment
7
8=head1 NAME
9
10openssl-ec - EC key processing
11
12=head1 SYNOPSIS
13
14B<openssl> B<ec>
15[B<-help>]
16[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
17[B<-outform> B<DER>|B<PEM>]
18[B<-in> I<filename>|I<uri>]
19[B<-passin> I<arg>]
20[B<-out> I<filename>]
21[B<-passout> I<arg>]
22[B<-des>]
23[B<-des3>]
24[B<-idea>]
25[B<-text>]
26[B<-noout>]
27[B<-param_out>]
28[B<-pubin>]
29[B<-pubout>]
30[B<-conv_form> I<arg>]
31[B<-param_enc> I<arg>]
32[B<-no_public>]
33[B<-check>]
34{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
35
36=head1 DESCRIPTION
37
38The L<openssl-ec(1)> command processes EC keys. They can be converted between
39various forms and their components printed out. B<Note> OpenSSL uses the
40private key format specified in 'SEC 1: Elliptic Curve Cryptography'
41(http://www.secg.org/). To convert an OpenSSL EC private key into the
42PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
43
44=head1 OPTIONS
45
46=over 4
47
48=item B<-help>
49
50Print out a usage message.
51
52=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
53
54The key input format; unspecified by default.
55See L<openssl-format-options(1)> for details.
56
57=item B<-outform> B<DER>|B<PEM>
58
59The key output format; the default is B<PEM>.
60See L<openssl-format-options(1)> for details.
61
62Private keys are an SEC1 private key or PKCS#8 format.
63Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280.
64
65=item B<-in> I<filename>|I<uri>
66
67This specifies the input to read a key from or standard input if this
68option is not specified. If the key is encrypted a pass phrase will be
69prompted for.
70
71=item B<-out> I<filename>
72
73This specifies the output filename to write a key to or standard output by
74is not specified. If any encryption options are set then a pass phrase will be
75prompted for. The output filename should B<not> be the same as the input
76filename.
77
78=item B<-passin> I<arg>, B<-passout> I<arg>
79
80The password source for the input and output file.
81For more information about the format of B<arg>
82see L<openssl-passphrase-options(1)>.
83
84=item B<-des>|B<-des3>|B<-idea>
85
86These options encrypt the private key with the DES, triple DES, IDEA or
87any other cipher supported by OpenSSL before outputting it. A pass phrase is
88prompted for.
89If none of these options is specified the key is written in plain text. This
90means that using this command to read in an encrypted key with no
91encryption option can be used to remove the pass phrase from a key, or by
92setting the encryption options it can be use to add or change the pass phrase.
93These options can only be used with PEM format output files.
94
95=item B<-text>
96
97Prints out the public, private key components and parameters.
98
99=item B<-noout>
100
101This option prevents output of the encoded version of the key.
102
103=item B<-param_out>
104
105Print the elliptic curve parameters.
106
107=item B<-pubin>
108
109By default, a private key is read from the input file. With this option a
110public key is read instead.
111
112=item B<-pubout>
113
114By default a private key is output. With this option a public
115key will be output instead. This option is automatically set if the input is
116a public key.
117
118=item B<-conv_form> I<arg>
119
120This specifies how the points on the elliptic curve are converted
121into octet strings. Possible values are: B<compressed>, B<uncompressed> (the
122default value) and B<hybrid>. For more information regarding
123the point conversion forms please read the X9.62 standard.
124B<Note> Due to patent issues the B<compressed> option is disabled
125by default for binary curves and can be enabled by defining
126the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
127
128=item B<-param_enc> I<arg>
129
130This specifies how the elliptic curve parameters are encoded.
131Possible value are: B<named_curve>, i.e. the ec parameters are
132specified by an OID, or B<explicit> where the ec parameters are
133explicitly given (see RFC 3279 for the definition of the
134EC parameters structures). The default value is B<named_curve>.
135B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
136is currently not implemented in OpenSSL.
137
138=item B<-no_public>
139
140This option omits the public key components from the private key output.
141
142=item B<-check>
143
144This option checks the consistency of an EC private or public key.
145
146{- $OpenSSL::safe::opt_engine_item -}
147
148{- $OpenSSL::safe::opt_provider_item -}
149
150=back
151
152The L<openssl-pkey(1)> command is capable of performing all the operations
153this command can, as well as supporting other public key types.
154
155=head1 EXAMPLES
156
157The documentation for the L<openssl-pkey(1)> command contains examples
158equivalent to the ones listed here.
159
160To encrypt a private key using triple DES:
161
162 openssl ec -in key.pem -des3 -out keyout.pem
163
164To convert a private key from PEM to DER format:
165
166 openssl ec -in key.pem -outform DER -out keyout.der
167
168To print out the components of a private key to standard output:
169
170 openssl ec -in key.pem -text -noout
171
172To just output the public part of a private key:
173
174 openssl ec -in key.pem -pubout -out pubkey.pem
175
176To change the parameters encoding to B<explicit>:
177
178 openssl ec -in key.pem -param_enc explicit -out keyout.pem
179
180To change the point conversion form to B<compressed>:
181
182 openssl ec -in key.pem -conv_form compressed -out keyout.pem
183
184=head1 SEE ALSO
185
186L<openssl(1)>,
187L<openssl-pkey(1)>,
188L<openssl-ecparam(1)>,
189L<openssl-dsa(1)>,
190L<openssl-rsa(1)>
191
192=head1 HISTORY
193
194The B<-engine> option was deprecated in OpenSSL 3.0.
195
196The B<-conv_form> and B<-no_public> options are no longer supported
197with keys loaded from an engine in OpenSSL 3.0.
198
199=head1 COPYRIGHT
200
201Copyright 2003-2022 The OpenSSL Project Authors. All Rights Reserved.
202
203Licensed under the Apache License 2.0 (the "License").  You may not use
204this file except in compliance with the License.  You can obtain a copy
205in the file LICENSE in the source distribution or at
206L<https://www.openssl.org/source/license.html>.
207
208=cut
209