1=pod 2 3=begin comment 4{- join("\n", @autowarntext) -} 5 6=end comment 7 8=head1 NAME 9 10openssl-ec - EC key processing 11 12=head1 SYNOPSIS 13 14B<openssl> B<ec> 15[B<-help>] 16[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 17[B<-outform> B<DER>|B<PEM>] 18[B<-in> I<filename>|I<uri>] 19[B<-passin> I<arg>] 20[B<-out> I<filename>] 21[B<-passout> I<arg>] 22[B<-des>] 23[B<-des3>] 24[B<-idea>] 25[B<-text>] 26[B<-noout>] 27[B<-param_out>] 28[B<-pubin>] 29[B<-pubout>] 30[B<-conv_form> I<arg>] 31[B<-param_enc> I<arg>] 32[B<-no_public>] 33[B<-check>] 34{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} 35 36=head1 DESCRIPTION 37 38The L<openssl-ec(1)> command processes EC keys. They can be converted between 39various forms and their components printed out. B<Note> OpenSSL uses the 40private key format specified in 'SEC 1: Elliptic Curve Cryptography' 41(http://www.secg.org/). To convert an OpenSSL EC private key into the 42PKCS#8 private key format use the L<openssl-pkcs8(1)> command. 43 44=head1 OPTIONS 45 46=over 4 47 48=item B<-help> 49 50Print out a usage message. 51 52=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 53 54The key input format; unspecified by default. 55See L<openssl-format-options(1)> for details. 56 57=item B<-outform> B<DER>|B<PEM> 58 59The key output format; the default is B<PEM>. 60See L<openssl-format-options(1)> for details. 61 62Private keys are an SEC1 private key or PKCS#8 format. 63Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280. 64 65=item B<-in> I<filename>|I<uri> 66 67This specifies the input to read a key from or standard input if this 68option is not specified. If the key is encrypted a pass phrase will be 69prompted for. 70 71=item B<-out> I<filename> 72 73This specifies the output filename to write a key to or standard output by 74is not specified. If any encryption options are set then a pass phrase will be 75prompted for. The output filename should B<not> be the same as the input 76filename. 77 78=item B<-passin> I<arg>, B<-passout> I<arg> 79 80The password source for the input and output file. 81For more information about the format of B<arg> 82see L<openssl-passphrase-options(1)>. 83 84=item B<-des>|B<-des3>|B<-idea> 85 86These options encrypt the private key with the DES, triple DES, IDEA or 87any other cipher supported by OpenSSL before outputting it. A pass phrase is 88prompted for. 89If none of these options is specified the key is written in plain text. This 90means that using this command to read in an encrypted key with no 91encryption option can be used to remove the pass phrase from a key, or by 92setting the encryption options it can be use to add or change the pass phrase. 93These options can only be used with PEM format output files. 94 95=item B<-text> 96 97Prints out the public, private key components and parameters. 98 99=item B<-noout> 100 101This option prevents output of the encoded version of the key. 102 103=item B<-param_out> 104 105Print the elliptic curve parameters. 106 107=item B<-pubin> 108 109By default a private key is read from the input. 110With this option a public key is read instead. 111If the input contains no public key but a private key, its public part is used. 112 113=item B<-pubout> 114 115By default a private key is output. With this option a public 116key will be output instead. This option is automatically set if the input is 117a public key. 118 119=item B<-conv_form> I<arg> 120 121This specifies how the points on the elliptic curve are converted 122into octet strings. Possible values are: B<compressed>, B<uncompressed> (the 123default value) and B<hybrid>. For more information regarding 124the point conversion forms please read the X9.62 standard. 125B<Note> Due to patent issues the B<compressed> option is disabled 126by default for binary curves and can be enabled by defining 127the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time. 128 129=item B<-param_enc> I<arg> 130 131This specifies how the elliptic curve parameters are encoded. 132Possible value are: B<named_curve>, i.e. the ec parameters are 133specified by an OID, or B<explicit> where the ec parameters are 134explicitly given (see RFC 3279 for the definition of the 135EC parameters structures). The default value is B<named_curve>. 136B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279, 137is currently not implemented in OpenSSL. 138 139=item B<-no_public> 140 141This option omits the public key components from the private key output. 142 143=item B<-check> 144 145This option checks the consistency of an EC private or public key. 146 147{- $OpenSSL::safe::opt_engine_item -} 148 149{- $OpenSSL::safe::opt_provider_item -} 150 151=back 152 153The L<openssl-pkey(1)> command is capable of performing all the operations 154this command can, as well as supporting other public key types. 155 156=head1 EXAMPLES 157 158The documentation for the L<openssl-pkey(1)> command contains examples 159equivalent to the ones listed here. 160 161To encrypt a private key using triple DES: 162 163 openssl ec -in key.pem -des3 -out keyout.pem 164 165To convert a private key from PEM to DER format: 166 167 openssl ec -in key.pem -outform DER -out keyout.der 168 169To print out the components of a private key to standard output: 170 171 openssl ec -in key.pem -text -noout 172 173To just output the public part of a private key: 174 175 openssl ec -in key.pem -pubout -out pubkey.pem 176 177To change the parameters encoding to B<explicit>: 178 179 openssl ec -in key.pem -param_enc explicit -out keyout.pem 180 181To change the point conversion form to B<compressed>: 182 183 openssl ec -in key.pem -conv_form compressed -out keyout.pem 184 185=head1 SEE ALSO 186 187L<openssl(1)>, 188L<openssl-pkey(1)>, 189L<openssl-ecparam(1)>, 190L<openssl-dsa(1)>, 191L<openssl-rsa(1)> 192 193=head1 HISTORY 194 195The B<-engine> option was deprecated in OpenSSL 3.0. 196 197The B<-conv_form> and B<-no_public> options are no longer supported 198with keys loaded from an engine in OpenSSL 3.0. 199 200=head1 COPYRIGHT 201 202Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved. 203 204Licensed under the Apache License 2.0 (the "License"). You may not use 205this file except in compliance with the License. You can obtain a copy 206in the file LICENSE in the source distribution or at 207L<https://www.openssl.org/source/license.html>. 208 209=cut 210