Add command line password options to the reamining utilities,

amend docs.

Add command line password options to the reamining utilities,
amend docs.
f07fb9b2 · Dr. Stephen Henson · 1e8f28c4 · f07fb9b2 · f07fb9b2 · f07fb9b2
12 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@

 Changes between 0.9.4 and 0.9.5  [xx XXX 2000]

+  *) Add command line password options to the remaining applications.
+     [Steve Henson]
+
  *) Bug fix for BN_div_recp() for numerators with an even number of
     bits.
     [Ulf Möller]

--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -195,8 +195,8 @@ bad:
 		BIO_printf(bio_err," -passin arg     input file pass phrase\n");
 		BIO_printf(bio_err," -envpassin arg  environment variable containing input file pass phrase\n");
 		BIO_printf(bio_err," -out arg        output file\n");
-		BIO_printf(bio_err," -passout arg    input file pass phrase\n");
-		BIO_printf(bio_err," -envpassout arg environment variable containing input file pass phrase\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase\n");
+		BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef NO_IDEA

--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -79,6 +79,7 @@ int MAIN(int argc, char **argv)
 	int ret=1;
 	char *outfile=NULL;
 	char *inrand=NULL,*dsaparams=NULL;
+	char *passout = NULL;
 	BIO *out=NULL,*in=NULL;
 	EVP_CIPHER *enc=NULL;

@@ -98,6 +99,22 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-envpassout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if(!(passout= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				goto bad;
+				}
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passout= *(++argv);
+			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -188,7 +205,7 @@ bad:

 	app_RAND_write_file(NULL, bio_err);

-	if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,NULL,NULL))
+	if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,PEM_cb, passout))
 		goto end;
 	ret=0;
 end:

--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -84,6 +84,7 @@ int MAIN(int argc, char **argv)
 	EVP_CIPHER *enc=NULL;
 	unsigned long f4=RSA_F4;
 	char *outfile=NULL;
+	char *passout = NULL;
 	char *inrand=NULL;
 	BIO *out=NULL;

@@ -127,6 +128,22 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
 #endif
+		else if (strcmp(*argv,"-envpassout") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passout= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				goto bad;
+				}
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passout= *(++argv);
+			}
 		else
 			break;
 		argv++;
@@ -136,17 +153,19 @@ int MAIN(int argc, char **argv)
 		{
 bad:
 		BIO_printf(bio_err,"usage: genrsa [args] [numbits]\n");
-		BIO_printf(bio_err," -des      - encrypt the generated key with DES in cbc mode\n");
-		BIO_printf(bio_err," -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
+		BIO_printf(bio_err," -des            encrypt the generated key with DES in cbc mode\n");
+		BIO_printf(bio_err," -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
 #ifndef NO_IDEA
-		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
+		BIO_printf(bio_err," -idea           encrypt the generated key with IDEA in cbc mode\n");
 #endif
-		BIO_printf(bio_err," -out file - output the key to 'file\n");
-		BIO_printf(bio_err," -f4       - use F4 (0x10001) for the E value\n");
-		BIO_printf(bio_err," -3        - use 3 for the E value\n");
+		BIO_printf(bio_err," -out file       output the key to 'file\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase\n");
+		BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
+		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
+		BIO_printf(bio_err," -3              use 3 for the E value\n");
 		BIO_printf(bio_err," -rand file:file:...\n");
-		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
-		BIO_printf(bio_err,"             the random number generator\n");
+		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,"                 the random number generator\n");
 		goto err;
 		}
 		
@@ -190,7 +209,7 @@ bad:
 		l+=rsa->e->d[i];
 		}
 	BIO_printf(bio_err,"e is %ld (0x%lX)\n",l,l);
-	if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,NULL,NULL))
+	if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,PEM_cb, passout))
 		goto err;

 	ret=0;

--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -61,13 +61,12 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include "apps.h"
 #include <openssl/crypto.h>
-#include <openssl/des.h>
-#include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/pem.h>
 #include <openssl/pkcs12.h>

-#include "apps.h"
 #define PROG pkcs12_main

 EVP_CIPHER *enc;
@@ -80,9 +79,9 @@ EVP_CIPHER *enc;
 #define CACERTS		0x10

 int get_cert_chain(X509 *cert, STACK_OF(X509) **chain);
-int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options);
-int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options);
-int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options);
+int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);
+int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass);
+int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
 int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
 void hex_prin(BIO *out, unsigned char *buf, int len);
 int alg_print(BIO *x, X509_ALGOR *alg);
@@ -111,6 +110,7 @@ int MAIN(int argc, char **argv)
    int noprompt = 0;
    STACK *canames = NULL;
    char *cpass = NULL, *mpass = NULL;
+    char *passin = NULL, *passout = NULL;

    apps_startup();

@@ -198,6 +198,36 @@ int MAIN(int argc, char **argv)
 			args++;	
 			outfile = *args;
 		    } else badarg = 1;
+		} else if (!strcmp(*args,"-passin")) {
+		    if (args[1]) {
+			args++;	
+			passin = *args;
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-envpassin")) {
+		    if (args[1]) {
+			args++;	
+			if(!(passin= getenv(*args))) {
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badarg = 1;
+			}
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-envpassout")) {
+		    if (args[1]) {
+			args++;	
+			if(!(passout= getenv(*args))) {
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badarg = 1;
+			}
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-passout")) {
+		    if (args[1]) {
+			args++;	
+			passout = *args;
+		    } else badarg = 1;
 		} else if (!strcmp (*args, "-envpass")) {
 		    if (args[1]) {
 			args++;	
@@ -206,7 +236,6 @@ int MAIN(int argc, char **argv)
 				 "Can't read environment variable %s\n", *args);
 				goto end;
 			}
-			noprompt = 1;
 		    } else badarg = 1;
 		} else if (!strcmp (*args, "-password")) {
 		    if (args[1]) {
@@ -254,11 +283,22 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-keysig       set MS key signature type\n");
 	BIO_printf (bio_err, "-password p   set import/export password (NOT RECOMMENDED)\n");
 	BIO_printf (bio_err, "-envpass p    set import/export password from environment\n");
+	BIO_printf (bio_err, "-passin p     input file pass phrase\n");
+	BIO_printf (bio_err, "-envpassin p  environment variable containing input file pass phrase\n");
+	BIO_printf (bio_err, "-passout p    output file pass phrase\n");
+	BIO_printf (bio_err, "-envpassout p environment variable containing output file pass phrase\n");
    	goto end;
    }

-    if(cpass) mpass = cpass;
-    else {
+    if(!cpass) {
+    	if(export_cert) cpass = passout;
+    	else cpass = passin;
+    }
+
+    if(cpass) {
+	mpass = cpass;
+	noprompt = 1;
+    } else {
 	cpass = pass;
 	mpass = macpass;
    }
@@ -337,7 +377,7 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("process -export_cert");
 #endif
-	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, NULL);
+	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, PEM_cb, passin);
 	if (!inkey) (void) BIO_reset(in);
 	else BIO_free(inkey);
 	if (!key) {
@@ -504,7 +544,7 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("output keys and certificates");
 #endif
-    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options)) {
+    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) {
 	BIO_printf(bio_err, "Error outputting keys and certificates\n");
 	ERR_print_errors (bio_err);
 	goto end;
@@ -524,7 +564,7 @@ int MAIN(int argc, char **argv)
 }

 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
-	     int passlen, int options)
+	     int passlen, int options, char *pempass)
 {
 	STACK *asafes, *bags;
 	int i, bagnid;
@@ -546,7 +586,7 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 		} else continue;
 		if (!bags) return 0;
 	    	if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
-							 options)) {
+						 options, pempass)) {
 			sk_pop_free (bags, PKCS12_SAFEBAG_free);
 			return 0;
 		}
@@ -557,19 +597,19 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 }

 int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass,
-	     int passlen, int options)
+	     int passlen, int options, char *pempass)
 {
 	int i;
 	for (i = 0; i < sk_num (bags); i++) {
 		if (!dump_certs_pkeys_bag (out,
 			 (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen,
-					 		options)) return 0;
+					 	options, pempass)) return 0;
 	}
 	return 1;
 }

 int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
-	     int passlen, int options)
+	     int passlen, int options, char *pempass)
 {
 	EVP_PKEY *pkey;
 	PKCS8_PRIV_KEY_INFO *p8;
@@ -584,7 +624,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 		p8 = bag->value.keybag;
 		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
 		print_attribs (out, p8->attributes, "Key Attributes");
-		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL);
+		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
 		EVP_PKEY_free(pkey);
 	break;

@@ -600,7 +640,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
 		print_attribs (out, p8->attributes, "Key Attributes");
 		PKCS8_PRIV_KEY_INFO_free(p8);
-		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL);
+		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
 		EVP_PKEY_free(pkey);
 	break;

@@ -623,7 +663,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 		if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n");
 		print_attribs (out, bag->attrib, "Bag Attributes");
 		return dump_certs_pkeys_bags (out, bag->value.safes, pass,
-							    passlen, options);
+							    passlen, options, pempass);
 					
 	default:
 		BIO_printf (bio_err, "Warning unsupported bag type: ");

--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -176,22 +176,22 @@ int MAIN(int argc, char **argv)
 		bad:
 		BIO_printf(bio_err, "Usage pkcs8 [options]\n");
 		BIO_printf(bio_err, "where options are\n");
-		BIO_printf(bio_err, "-in file   input file\n");
-		BIO_printf(bio_err, "-inform X  input format (DER or PEM)\n");
+		BIO_printf(bio_err, "-in file        input file\n");
+		BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
 		BIO_printf(bio_err, "-passin arg     input file pass phrase\n");
 		BIO_printf(bio_err, "-envpassin arg  environment variable containing input file pass phrase\n");
-		BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
-		BIO_printf(bio_err, "-out file  output file\n");
-		BIO_printf(bio_err, "-passout arg    input file pass phrase\n");
-		BIO_printf(bio_err, "-envpassout arg environment variable containing input file pass phrase\n");
-		BIO_printf(bio_err, "-topk8     output PKCS8 file\n");
-		BIO_printf(bio_err, "-nooct     use (nonstandard) no octet format\n");
-		BIO_printf(bio_err, "-embed     use (nonstandard) embedded DSA parameters format\n");
-		BIO_printf(bio_err, "-nsdb      use (nonstandard) DSA Netscape DB format\n");
-		BIO_printf(bio_err, "-noiter    use 1 as iteration count\n");
-		BIO_printf(bio_err, "-nocrypt   use or expect unencrypted private key\n");
-		BIO_printf(bio_err, "-v2 alg    use PKCS#5 v2.0 and cipher \"alg\"\n");
-		BIO_printf(bio_err, "-v1 obj    use PKCS#5 v1.5 and cipher \"alg\"\n");
+		BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
+		BIO_printf(bio_err, "-out file       output file\n");
+		BIO_printf(bio_err, "-passout arg    output file pass phrase\n");
+		BIO_printf(bio_err, "-envpassout arg environment variable containing outut file pass phrase\n");
+		BIO_printf(bio_err, "-topk8          output PKCS8 file\n");
+		BIO_printf(bio_err, "-nooct          use (nonstandard) no octet format\n");
+		BIO_printf(bio_err, "-embed          use (nonstandard) embedded DSA parameters format\n");
+		BIO_printf(bio_err, "-nsdb           use (nonstandard) DSA Netscape DB format\n");
+		BIO_printf(bio_err, "-noiter         use 1 as iteration count\n");
+		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
+		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
+		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
 		return (1);
 	}


--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -201,8 +201,8 @@ bad:
 		BIO_printf(bio_err," -envpassin arg  environment variable containing input file pass phrase\n");
 		BIO_printf(bio_err," -in arg         input file\n");
 		BIO_printf(bio_err," -out arg        output file\n");
-		BIO_printf(bio_err," -passout arg    input file pass phrase\n");
-		BIO_printf(bio_err," -envpassout arg environment variable containing input file pass phrase\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase\n");
+		BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef NO_IDEA

--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -80,7 +80,7 @@ int MAIN(int argc, char **argv)
 	int i,badops=0, ret = 1;
 	BIO *in = NULL,*out = NULL, *key = NULL;
 	int verify=0,noout=0,pubkey=0;
-	char *infile = NULL,*outfile = NULL,*prog;
+	char *infile = NULL,*outfile = NULL,*prog, *passin = NULL;
 	char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL;
 	char *challenge = NULL, *keyfile = NULL;
 	LHASH *conf = NULL;
@@ -106,6 +106,22 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passin= *(++argv);
+			}
+		else if (strcmp(*argv,"-envpassin") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passin= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badops = 1;
+				}
+			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -145,6 +161,8 @@ bad:
 		BIO_printf(bio_err," -in arg        input file\n");
 		BIO_printf(bio_err," -out arg       output file\n");
 		BIO_printf(bio_err," -key arg       create SPKAC using private key\n");
+		BIO_printf(bio_err," -passin arg    input file pass phrase\n");
+		BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n");
 		BIO_printf(bio_err," -challenge arg challenge string\n");
 		BIO_printf(bio_err," -spkac arg     alternative SPKAC name\n");
 		BIO_printf(bio_err," -noout         don't print SPKAC\n");
@@ -163,7 +181,7 @@ bad:
 			ERR_print_errors(bio_err);
 			goto end;
 		}
-		pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);
+		pkey = PEM_read_bio_PrivateKey(key, NULL, PEM_cb, passin);
 		if(!pkey) {
 			BIO_printf(bio_err, "Error reading private key\n");
 			ERR_print_errors(bio_err);

--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -72,9 +72,9 @@
 #include "../bio/bss_file.c"
 #endif

-const num0 = 100; /* number of tests */
-const num1 = 50;  /* additional tests for some functions */
-const num2 = 5;   /* number of tests for slow functions */
+const int num0 = 100; /* number of tests */
+const int num1 = 50;  /* additional tests for some functions */
+const int num2 = 5;   /* number of tests for slow functions */

 int test_add(BIO *bp);
 int test_sub(BIO *bp);

--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -4,11 +4,12 @@

 genrsa - generate an RSA private key

-
 =head1 SYNOPSIS

 B<openssl> B<genrsa>
 [B<-out filename>]
+[B<-passout password>]
+[B<-envpassout var>]
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
@@ -25,11 +26,26 @@ The B<genrsa> command generates an RSA private key.

 =over 4

+=item B<-out filename>
+
+the output filename. If this argument is not specified then standard output is
+used.  
+
+=item B<-passout password>
+
+the output file password. Since certain utilities like "ps" make the command line
+visible this option should be used with caution.
+
+=item B<-envpassout var>
+
+read the output file password from the environment variable B<var>.
+
 =item B<-des|-des3|-idea>

 These options encrypt the private key with the DES, triple DES, or the 
-IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
-If none of these options is specified no encryption is used.
+IDEA ciphers respectively before outputting it. If none of these options is
+specified no encryption is used. If encryption is used a pass phrase is prompted
+for if it is not supplied via the B<-passout> or B<-envpassout> arguments.

 =item B<-F4|-3>


--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -37,6 +37,10 @@ B<openssl> B<pkcs12>
 [B<-keysig>]
 [B<-password password>]
 [B<-envpass var>]
+[B<-passin password>]
+[B<-envpassin var>]
+[B<-passout password>]
+[B<-envpassout var>]

 =head1 DESCRIPTION

@@ -64,15 +68,24 @@ by default.
 The filename to write certificates and private keys to, standard output by default.
 They are all written in PEM format.

-=item B<-pass password>
+=item B<-pass password>, B<-passin password>

-the PKCS#12 file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make
+the command line visible this option should be used with caution.

-=item B<-envpass var>
+=item B<-envpass var>, B<-envpassin password>

 read the PKCS#12 file password from the environment variable B<var>.

+=item B<-passout password>
+
+pass phrase to encrypt any outputed private keys with. Since certain utilities like
+"ps" make the command line visible this option should be used with caution.
+
+=item B<-envpass var>, B<-envpassin password>
+
+read the outputed private keys file password from the environment variable B<var>.
+
 =item B<-noout>

 this option inhibits output of the keys and certificates to the output file version
@@ -169,15 +182,24 @@ used multiple times to specify names for all certificates in the order they
 appear. Netscape ignores friendly names on other certificates whereas MSIE
 displays them.

-=item B<-pass password>
+=item B<-pass password>, B<-passout password>

-the PKCS#12 file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps"
+make the command line visible this option should be used with caution.

-=item B<-envpass var>
+=item B<-envpass var>, B<-envpassout var>

 read the PKCS#12 file password from the environment variable B<var>.

+=item B<-passin password>
+
+pass phrase to decrypt the input private key with. Since certain utilities like
+"ps" make the command line visible this option should be used with caution.
+
+=item B<-envpassin password>
+
+read the input private key file password from the environment variable B<var>.
+
 =item B<-chain>

 if this option is present then an attempt is made to include the entire
@@ -277,9 +299,6 @@ Include some extra certificates:

 Some would argue that the PKCS#12 standard is one big bug :-)

-Need password options for the PEM files: this will probably be fixed before
-release.
-
 =head1 SEE ALSO

 L<pkcs8(1)|pkcs8(1)>

--- a/doc/apps/spkac.pod
+++ b/doc/apps/spkac.pod
@@ -10,6 +10,8 @@ B<openssl> B<spkac>
 [B<-in filename>]
 [B<-out filename>]
 [B<-key keyfile>]
+[B<-passin password>]
+[B<-envpassin var>]
 [B<-challenge string>]
 [B<-pubkey>]
 [B<-spkac spkacname>]
@@ -44,6 +46,17 @@ create an SPKAC file using the private key in B<keyfile>. The
 B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
 present.

+=item B<-passin password>
+
+the private key file password. Since certain utilities like "ps" make the
+command line visible this option should be used with caution. Ignored if
+the B<-key> argument is not used.
+
+=item B<-envpassin var>
+
+read the private key file password from the environment variable B<var>.
+Ignored if the B<-key> argument is not used.
+
 =item B<-challenge string>

 specifies the challenge string if an SPKAC is being created.