Commit b975f15d, authored by Bodo Möller

Keep text lines less than 80 characters wide.

Parent 1b266dab
...@@ -5,8 +5,8 @@ This is some preliminary documentation for OpenSSL. ...@@ -5,8 +5,8 @@ This is some preliminary documentation for OpenSSL.
BUFFER Library BUFFER Library
============================================================================== ==============================================================================
The buffer library handles simple character arrays. Buffers are used for various The buffer library handles simple character arrays. Buffers are used for
purposes in the library, most notably memory BIOs. various purposes in the library, most notably memory BIOs.
The library uses the BUF_MEM structure defined in buffer.h: The library uses the BUF_MEM structure defined in buffer.h:
...@@ -200,9 +200,10 @@ CURRENTLY SUPPORTED EXTENSIONS. ...@@ -200,9 +200,10 @@ CURRENTLY SUPPORTED EXTENSIONS.
Literal String extensions. Literal String extensions.
In each case the 'value' of the extension is placed directly in the extension. In each case the 'value' of the extension is placed directly in the
Currently supported extensions in this category are: nsBaseUrl, nsRevocationUrl extension. Currently supported extensions in this category are: nsBaseUrl,
nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl, nsSslServerName and nsComment. nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl,
nsSslServerName and nsComment.
For example: For example:
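Review bot: the re-wrapped extension list gains a comma after nsRevocationUrl that the old text did not have, so this hunk is more than a re-wrap. The correction is right, but the commit message only mentions line width; note the punctuation fix there, or split it into its own commit so a whitespace-only review does not skip it.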
...@@ -344,13 +345,13 @@ userNotice qualifiers can be set using the syntax: ...@@ -344,13 +345,13 @@ userNotice qualifiers can be set using the syntax:
userNotice.nnn=@notice userNotice.nnn=@notice
The value of the userNotice qualifier is specified in the relevant section. This The value of the userNotice qualifier is specified in the relevant section.
section can include explicitText, organization and noticeNumbers options. This section can include explicitText, organization and noticeNumbers
explicitText and organization are text strings, noticeNumbers is a comma options. explicitText and organization are text strings, noticeNumbers is a
separated list of numbers. The organization and noticeNumbers options (if comma separated list of numbers. The organization and noticeNumbers options
included) must BOTH be present. If you use the userNotice option with IE5 then (if included) must BOTH be present. If you use the userNotice option with IE5
you need the 'ia5org' option at the top level to modify the encoding: otherwise then you need the 'ia5org' option at the top level to modify the encoding:
it will not be interpreted properly. otherwise it will not be interpreted properly.
Example: Example:
...@@ -475,9 +476,9 @@ PKCS12_free(p12); ...@@ -475,9 +476,9 @@ PKCS12_free(p12);
LOW LEVEL FUNCTIONS. LOW LEVEL FUNCTIONS.
In some cases the high level functions do not provide the necessary In some cases the high level functions do not provide the necessary
functionality. For example if you want to generate or parse more complex PKCS#12 functionality. For example if you want to generate or parse more complex
files. The sample pkcs12 application uses the low level functions to display PKCS#12 files. The sample pkcs12 application uses the low level functions
details about the internal structure of a PKCS#12 file. to display details about the internal structure of a PKCS#12 file.
Introduction. Introduction.
...@@ -502,14 +503,16 @@ integrity (so any unencrypted stuff below can't be tampered with). ...@@ -502,14 +503,16 @@ integrity (so any unencrypted stuff below can't be tampered with).
The reason for these levels is so various objects can be encrypted in various The reason for these levels is so various objects can be encrypted in various
ways. For example you might want to encrypt a set of private keys with ways. For example you might want to encrypt a set of private keys with
triple-DES and then include the related certificates either unencrypted or with triple-DES and then include the related certificates either unencrypted or
lower encryption. Yes it's the dreaded crypto laws at work again which with lower encryption. Yes it's the dreaded crypto laws at work again which
allow strong encryption on private keys and only weak encryption on other stuff. allow strong encryption on private keys and only weak encryption on other
stuff.
To build one of these things you turn all certificates and keys into safebags To build one of these things you turn all certificates and keys into safebags
(with optional attributes). You collect the safebags into (one or more) STACKS (with optional attributes). You collect the safebags into (one or more) STACKS
and convert these into authsafes (encrypted or unencrypted). The authsafes are and convert these into authsafes (encrypted or unencrypted). The authsafes
collected into a STACK and added to a PKCS12 structure. Finally a MAC inserted. are collected into a STACK and added to a PKCS12 structure. Finally a MAC
inserted.
Pulling one apart is basically the reverse process. The MAC is verified against Pulling one apart is basically the reverse process. The MAC is verified against
the given password. The authsafes are extracted and each authsafe split into the given password. The authsafes are extracted and each authsafe split into
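Review bot: "Finally a MAC inserted." at the end of the "To build one of these things" paragraph is missing its verb and is carried into the re-wrapped lines unchanged. Since the sentence is being rewritten anyway, make it "Finally a MAC is inserted."; that is the step that provides the integrity check the next paragraph relies on, so it should read unambiguously.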
...@@ -536,9 +539,10 @@ PKCS8_PRIV_KEY_INFO *PKEY2PKCS8(EVP_PKEY *pkey) ...@@ -536,9 +539,10 @@ PKCS8_PRIV_KEY_INFO *PKEY2PKCS8(EVP_PKEY *pkey)
Take a private key and convert it into a PKCS#8 PrivateKeyInfo structure. Take a private key and convert it into a PKCS#8 PrivateKeyInfo structure.
Works for both RSA and DSA private keys. NB since the PKCS#8 PrivateKeyInfo Works for both RSA and DSA private keys. NB since the PKCS#8 PrivateKeyInfo
structure contains a private key data in plain text form it should be free'd up structure contains a private key data in plain text form it should be free'd
as soon as it has been encrypted for security reasons (freeing up the structure up as soon as it has been encrypted for security reasons (freeing up the
zeros out the sensitive data). This can be done with PKCS8_PRIV_KEY_INFO_free(). structure zeros out the sensitive data). This can be done with
PKCS8_PRIV_KEY_INFO_free().
PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage) PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
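Review bot: the advice in the PKEY2PKCS8 paragraph to free the PrivateKeyInfo "as soon as it has been encrypted" is unqualified, while the PKCS12_MAKE_KEYBAG description further down says p8 must not be freed or used once it is embedded in a keybag. A reader following both could free the structure twice. While re-wrapping this paragraph, add a short pointer that the caller calls PKCS8_PRIV_KEY_INFO_free() only when p8 has not been handed to PKCS12_MAKE_KEYBAG. "contains a private key data" should also lose the "a".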
...@@ -552,9 +556,9 @@ KEY_EX is not limited and can be used for both. ...@@ -552,9 +556,9 @@ KEY_EX is not limited and can be used for both.
PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8) PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
Convert a PKCS8 private key structure into a keybag. This routine embeds the p8 Convert a PKCS8 private key structure into a keybag. This routine embeds the
structure in the keybag so p8 should not be freed up or used after it is called. p8 structure in the keybag so p8 should not be freed up or used after it is
The p8 structure will be freed up when the safebag is freed. called. The p8 structure will be freed up when the safebag is freed.
PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8) PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8)
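Review bot: the PKCS12_MAKE_SHKEYBAG prototype on the trailing context line is still far wider than 80 columns, so the file does not yet meet the goal stated in the commit message. Break the parameter list after a comma (for example after "int passlen,") and indent the continuation, as a source prototype would be wrapped.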
...@@ -701,11 +705,13 @@ NID_pbe_WithSHA1And2_Key_TripleDES_CBC ...@@ -701,11 +705,13 @@ NID_pbe_WithSHA1And2_Key_TripleDES_CBC
NID_pbe_WithSHA1And128BitRC2_CBC NID_pbe_WithSHA1And128BitRC2_CBC
NID_pbe_WithSHA1And40BitRC2_CBC NID_pbe_WithSHA1And40BitRC2_CBC
Which you use depends on the implementation you are exporting to. "Export grade"(i.e. cryptograhically challenged) products cannot support all algorithms. Which you use depends on the implementation you are exporting to. "Export
Typically you may be able to use any encryption on shrouded key bags but they grade" (i.e. cryptograhically challenged) products cannot support all
must then be placed in an unencrypted authsafe. Other authsafes may only support algorithms. Typically you may be able to use any encryption on shrouded key
40bit encryption. Of course if you are using SSLeay throughout you can strongly bags but they must then be placed in an unencrypted authsafe. Other authsafes
encrypt everything and have high iteration counts on everything. may only support 40bit encryption. Of course if you are using SSLeay
throughout you can strongly encrypt everything and have high iteration counts
on everything.
3. For decryption routines only the password and length are needed. 3. For decryption routines only the password and length are needed.
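Review bot: the misspelling "cryptograhically" in the "Export grade" sentence is copied into the new lines. The hunk already fixes the missing space before "(i.e.", so correct this to "cryptographically" in the same pass, and write "40bit" as "40-bit" to match the hyphenated "triple-DES" used elsewhere in the file.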
......