#compdef openssl # ------------------------------------------------------------------------------ # Copyright (c) 2011 Github zsh-users - http://github.com/zsh-users # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # * Neither the name of the zsh-users nor the # names of its contributors may be used to endorse or promote products # derived from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL ZSH-USERS BE LIABLE FOR ANY # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
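# ------------------------------------------------------------------------------
# openssl command [ command_opts ] [ command_args ]
# pseudo commands:
# openssl [ list-standard-commands | list-message-digest-commands |
#           list-cipher-commands | list-cipher-algorithms |
#           list-message-digest-algorithms | list-public-key-algorithms ]
#
# Dispatcher for the openssl(1) completion. The candidate command list is
# obtained by running the `openssl` binary found first on $PATH (three list-*
# pseudo commands per completion request); per-command option completion is
# delegated to the _openssl_<command> helpers defined in this file.
_openssl() {
  local openssl_commands cmd cmds

  if [[ "$CURRENT" -lt 2 ]]; then
    # I do not think this can happen...
    return
  elif [[ "$CURRENT" -eq 2 ]]; then
    # first parameter, the command
    openssl_commands=(${(f)"$(openssl list-standard-commands; \
                              openssl list-message-digest-commands; \
                              openssl list-cipher-commands)"} \
                      list-standard-commands \
                      list-message-digest-commands \
                      list-cipher-commands \
                      list-cipher-algorithms \
                      list-message-digest-algorithms \
                      list-public-key-algorithms)
    _describe 'openssl commands' openssl_commands
  else # $CURRENT -gt 2
    cmd="${words[2]}"
    # Explicit allow-list of sub-commands that have an _openssl_<cmd> helper.
    # The helper is called by name from the word the user typed, so the word is
    # only ever used after it matched one of these entries exactly. We
    # deliberately do not derive the list from ${(k)functions}: any shell
    # function named _openssl_<something> would then become callable from the
    # command line, and defining a new function elsewhere could alter the
    # completion.
    cmds=(asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam \
          ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp \
          passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa \
          rsautl s_client s_server s_time sess_id smime speed spkac srp ts \
          verify version x509)
    # The (e) subscript flag makes the lookup a plain string comparison rather
    # than treating the typed word as a glob pattern (a stray '[' or '*' would
    # otherwise be interpreted as a pattern). The == check is kept as a second
    # guard so that only an exact match reaches the helper call below.
    if [[ "${cmds[(re)$cmd]}" == "${cmd}" ]]; then
      # run _openssl_$cmd with the remaining words from the command line
      shift words
      (( CURRENT-- ))
      _openssl_${cmd}
    elif [[ "${${(@f)"$(openssl list-cipher-commands)"}[(re)$cmd]}" == "${cmd}" ]]; then
      # $cmd is a cipher command, which is practically an alias to enc
      shift words
      (( CURRENT-- ))
      _openssl_enc
    elif [[ "${${(@f)"$(openssl list-message-digest-commands)"}[(re)$cmd]}" == "${cmd}" ]]; then
      # $cmd is a message digest command, which is practically an alias to dgst
      shift words
      (( CURRENT-- ))
      _openssl_dgst
    fi
  fi
}

_openssl_asn1parse() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format - one of DER PEM]:format:(DER PEM)' \
    '-in[input file]:file:_files' \
    '-out[output file (output format is always DER)]:file:_files' \
    "-noout[don't produce any output]" \
    '-offset[offset into file]:number: ' \
    '-length[length of section in file]:number: ' \
    '-i[indent entries]' \
    '-dump[dump unknown data in hex form]' \
    '-dlimit[dump the first arg bytes of unknown data in hex form]:number: ' \
    '-oid[file of extra oid definitions]:file:_files' \
    "-strparse[a series of these can be used to 'dig' into multiple ASN1 blob wrappings]:offset:" \
    '-genstr[string to generate ASN1 structure from]:str:' \
    '-genconf[file to generate ASN1 structure from]:file:_files'
}

_openssl_ca() {
  # written for openssl 1.0.1k
  # -key takes the private-key passphrase on the command line; it ends up in
  # shell history and in the process list. Prefer -passin style sources where
  # the openssl version supports them.
  # -md: the 1.0.1k usage text only names md2/md5/sha/sha1, but any digest
  # known to this build is accepted (the SHA-2 family is listed by this file's
  # own dgst completion); md2/md5/sha1 are legacy and should not be used for
  # new signatures.
  _arguments -C \
    '-verbose[talk alot while doing things]' \
    '-config[a config file]:file:_files' \
    '-name[the particular CA definition to use]:section: ' \
    '-gencrl[generate a new CRL]' \
    '-crldays[days is when the next CRL is due]:days: ' \
    '-crlhours[hours is when the next CRL is due]:hours: ' \
    '-startdate[certificate validity notBefore]:date: ' \
    '-enddate[certificate validity notAfter (overrides -days)]:date: ' \
    '-days[number of days to certify the certificate for]:days: ' \
    '-md[message digest to use for signing (md2, md5, sha and sha1 are legacy)]:alg:(md2 md5 sha sha1 sha224 sha256 sha384 sha512)' \
    "-policy[the CA 'policy' to support]:policy: " \
    '-keyfile[private key file]:file:_files' \
    '-keyform[private key file format (PEM or ENGINE)]:format:(PEM ENGINE)' \
    '-key[key to decode the private key if it is encrypted]:password: ' \
    '-cert[the CA certificate]:file:_files' \
    '-selfsign[sign a certificate with the key associated with it]' \
    '-in[the input PEM encoded certificate request(s)]:file:_files' \
    '-out[where to put the output file(s)]:file:_files' \
    '-outdir[where to put output certificates]:dir:_files -/' \
    '-infiles[the last argument, requests to process]:*:files:_files' \
    '-spkac[file contains DN and signed public key and challenge]:file:_files' \
    '-ss_cert[file contains a self signed cert to sign]:file:_files' \
    "-preserveDN[don't re-order the DN]" \
    "-noemailDN[don't add the EMAIL field into certificate' subject]" \
    "-batch[don't ask questions]" \
    '-msie_hack[msie modifications to handle all those universal strings]' \
    '-revoke[revoke a certificate (given in file)]:file:_files' \
    "-subj[use arg instead of request's subject]:subject: " \
    '-utf8[input characters are UTF8 (default ASCII)]' \
    '-multivalue-rdn[enable support for multivalued RDNs]' \
    '-extensions[extension section (override value in config file)]:section: ' \
    '-extfile[configuration file with X509v3 extentions to add]:file:_files' \
    '-crlexts[CRL extension section (override value in config file)]:section: ' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-status[shows certificate status given the serial number]:serial: ' \
    '-updatedb[updates db for expired certificates]'
}

_openssl_ciphers() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-v[verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL]' \
    '-V[even more verbose]' \
    '-ssl2[SSL2 mode]' \
    '-ssl3[SSL3 mode]' \
    '-tls1[TLS1 mode]' \
    ':cipher suite:_list_ciphers'
}

_openssl_cms() {
  # written for openssl 1.0.1k
  # Note: the "(default)" on -rc2-40 reproduces the 1.0.1k usage text; RC2-40
  # is a 40-bit cipher and an explicit -aes* choice should be preferred.
  _arguments -C \
    '-encrypt[encrypt message]' \
    '-decrypt[decrypt encrypted message]' \
    '-sign[sign message]' \
    '-verify[verify signed message]' \
    '-cmsout[output CMS structure]' \
    '-des3[encrypt with triple DES]' \
    '-des[encrypt with DES]' \
    '-seed[encrypt with SEED]' \
    '-rc2-40[encrypt with RC2-40 (default)]' \
    '-rc2-64[encrypt with RC2-64]' \
    '-rc2-128[encrypt with RC2-128]' \
    '-aes128[encrypt PEM output with cbc aes]' \
    '-aes192[encrypt PEM output with cbc aes]' \
    '-aes256[encrypt PEM output with cbc aes]' \
    '-camellia128[encrypt PEM output with cbc camellia]' \
    '-camellia192[encrypt PEM output with cbc camellia]' \
    '-camellia256[encrypt PEM output with cbc camellia]' \
    "-nointern[don't search certificates in message for signer]" \
    "-nosigs[don't verify message signature]" \
    "-noverify[don't verify signers certificate]" \
    "-nocerts[don't include signers certificate when signing]" \
    '-nodetach[use opaque signing]' \
    "-noattr[don't include any signed attributes]" \
    "-binary[don't translate message to text]" \
    '-certfile[other certificates file]:file:_files' \
    '-certsout[certificate output file]:file:_files' \
    '-signer[signer certificate file]:file:_files' \
    '-recip[recipient certificate file for decryption]:file:_files' \
    '-keyid[use subject key identifier]' \
    '-in[input file]:file:_files' \
    '-inform[input format SMIME (default), PEM or DER]:format:(SMIME PEM DER)' \
    '-inkey[input private key (if not signer or recipient)]:file:_files' \
    '-keyform[input private key format (PEM or ENGINE)]:format:(PEM ENGINE)' \
    '-out[output file]:file:_files' \
    '-outform[output format SMIME (default), PEM or DER]:format:(SMIME PEM DER)' \
    '-content[supply or override content for detached signature]:file:_files' \
    '-to[to address mail head]:address: ' \
    '-from[from address mail head]:address: ' \
    '-subject[subject mail head]:subject: ' \
    '-text[include or delete text MIME headers]' \
    '-CApath[trusted certificates directory]:dir:_files -/' \
    '-CAfile[trusted certificates file]:file:_files' \
    "-crl_check[check revocation status of signer's certificate using CRLs]" \
    "-crl_check_all[check revocation status of signer's certificate chain using CRLs]" \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '*:certificate:_files'
}

_openssl_crl() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format - default PEM (DER or PEM)]:format:(PEM DER)' \
    '-outform[output format - default PEM]:format:(PEM DER)' \
    '-text[print out a text format version]' \
    '-in[input file - default stdin]:file:_files' \
    '-out[output file - default stdout]:file:_files' \
    '-hash[print hash value]' \
    '-hash_old[print old-style (MD5) hash value]' \
    '-fingerprint[print the crl fingerprint]' \
    '-issuer[print issuer DN]' \
    '-lastupdate[print lastUpdate field]' \
    '-nextupdate[print nextUpdate field]' \
    '-crlnumber[print CRL number]' \
    '-noout[no CRL output]' \
    '-CAfile[verify CRL using certificates in the specified file]:file:_files' \
    '-CApath[verify CRL using certificates in the specified directory]:dir:_files -/' \
    '*-nameopt[various certificate name options]:options:_nameopts'
}

_openssl_crl2pkcs7() {
  # written for openssl 1.0.1k
  # -certfile is repeatable (as its own description says), hence the '*' prefix.
  _arguments -C \
    '-inform[input format - DER or PEM]:format:(PEM DER)' \
    '-outform[output format - DER or PEM]:format:(PEM DER)' \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '*-certfile[certificates file of chain to a trusted CA (can be used more than once)]:file:_files' \
    "-nocrl[no crl to load, just certs from '-certfile']"
}

_openssl_dgst() {
  # written for openssl 1.0.1k
  local digests
  # every digest flag excludes all the others
  digests=(-dss1 -md4 -md5 -mdc2 -ripemd160 -sha -sha1 -sha224 -sha256 -sha384 -sha512 -whirlpool)
  # -hmac is documented twice by openssl 1.0.1k ("set the HMAC key to arg" and
  # "create hashed MAC with key"); one spec is enough for completion. The key
  # given to -hmac/-macopt is visible in the process list and shell history.
  _arguments -C -A '-*' \
    '(-r -hex -binary)-c[to output the digest with separating colons]' \
    '(-c -hex -binary)-r[to output the digest in coreutils format]' \
    '-d[to output debug info]' \
    '(-c -r -binary)-hex[output as hex dump]' \
    '(-c -r -hex)-binary[output in binary form]' \
    '-hmac[create hashed MAC with the given key]:key: ' \
    '-non-fips-allow[allow use of non FIPS digest]' \
    '-sign[sign digest using private key in the specified file]:file:_files' \
    '-verify[verify a signature using public key in the specified file]:file:_files' \
    '-prverify[verify a signature using private key in the specified file]:file:_files' \
    '-keyform[key file format (PEM or ENGINE)]:format:(PEM ENGINE)' \
    '-out[output to filename rather than stdout]:file:_files' \
    '-signature[signature to verify]:file:_files' \
    '-sigopt[signature parameter]:nm\:v: ' \
    '-mac[create MAC (not neccessarily HMAC)]:algorithm: ' \
    '-macopt[MAC algorithm parameters or key]:nm\:v: ' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    "($digests)-dss1[use the dss1 message digest algorithm]" \
    "($digests)-md4[to use the md4 message digest algorithm]" \
    "($digests)-md5[to use the md5 message digest algorithm]" \
    "($digests)-mdc2[to use the mdc2 message digest algorithm]" \
    "($digests)-ripemd160[to use the ripemd160 message digest algorithm]" \
    "($digests)-sha[to use the sha message digest algorithm]" \
    "($digests)-sha1[to use the sha1 message digest algorithm]" \
    "($digests)-sha224[to use the sha224 message digest algorithm]" \
    "($digests)-sha256[to use the sha256 message digest algorithm]" \
    "($digests)-sha384[to use the sha384 message digest algorithm]" \
    "($digests)-sha512[to use the sha512 message digest algorithm]" \
    "($digests)-whirlpool[to use the whirlpool message digest algorithm]" \
    '*:file:_files'
}

_openssl_dh() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-check[check the DH parameters]' \
    '-text[print a text form of the DH parameters]' \
    '-C[output C code]' \
    '-noout[no output]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
}

_openssl_dhparam() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-dsaparam[read or generate DSA parameters, convert to DH]' \
    '-check[check the DH parameters]' \
    '-text[print a text form of the DH parameters]' \
    '-C[output C code]' \
    '-2[generate parameters using 2 as the generator value]' \
    '-5[generate parameters using 5 as the generator value]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '-noout[no output]' \
    ':numbits: '
}

_openssl_dsa() {
  # written for openssl 1.0.1k
  # -passin/-passout take a pass phrase *source* (pass:, env:, file:, fd:,
  # stdin), not a plain file name; complete them like the other commands in
  # this file do.
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file]:file:_files' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-out[output file]:file:_files' \
    '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-des[encrypt PEM output with cbc des]' \
    '-des3[encrypt PEM output with ede cbc des using 168 bit key]' \
    '-idea[encrypt PEM output with cbc idea]' \
    '-aes128[encrypt PEM output with cbc aes]' \
    '-aes192[encrypt PEM output with cbc aes]' \
    '-aes256[encrypt PEM output with cbc aes]' \
    '-camellia128[encrypt PEM output with cbc camellia]' \
    '-camellia192[encrypt PEM output with cbc camellia]' \
    '-camellia256[encrypt PEM output with cbc camellia]' \
    '-seed[encrypt PEM output with cbc seed]' \
    '-text[print the key in text]' \
    "-noout[don't print key out]" \
    '-modulus[print the DSA public value]'
}

_openssl_dsaparam() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-text[print as text]' \
    '-C[output C code]' \
    '-noout[no output]' \
    '-genkey[generate a DSA key]' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    ':numbits: '
}

_openssl_ec() {
  # written for openssl 1.0.1k
  # -passin/-passout take a pass phrase source, see _openssl_dsa.
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file]:file:_files' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-out[output file]:file:_files' \
    '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    "-des[encrypt PEM output, instead of 'des' every other cipher supported by OpenSSL can be used]" \
    '-text[print the key]' \
    "-noout[don't print key out]" \
    '-param_out[print the elliptic curve parameters]' \
    '-conv_form[specifies the point conversion form]:form:(compressed uncompressed hybrid)' \
    '-param_enc[specifies the way the ec parameters are encoded in the asn1 der encoding]:encoding:(named_curve explicit)'
}

_openssl_ecparam() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file - default stdin]:file:_files' \
    '-out[output file - default stdout]:file:_files' \
    '-noout[do not print the ec parameter]' \
    '-text[print the ec parameters in text form]' \
    '-check[validate the ec parameters]' \
    "-C[print a 'C' function creating the parameters]" \
    "-name[use the ec parameters with 'short name' name]:name: " \
    "-list_curves[prints a list of all currently available curve 'short names']" \
    '-conv_form[specifies the point conversion form]:form:(compressed uncompressed hybrid)' \
    '-param_enc[specifies the way the ec parameters are encoded in the asn1 der encoding]:encoding:(named_curve explicit)' \
    "-no_seed[if 'explicit' parameters are chosen do not use the seed]" \
    '-genkey[generate ec key]' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
}

_openssl_enc() {
  # written for openssl 1.0.1k
  local ciphers cipher cipher_opts
  # Cipher flags as listed by `openssl list-cipher-commands` for 1.0.1k. Each
  # one excludes all the others; the specs are generated from this single list
  # so the exclusion set and the offered flags cannot drift apart.
  ciphers=(-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb -aes-128-cfb1 \
           -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb \
           -aes-128-xts -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 \
           -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb -aes-256-cbc \
           -aes-256-cbc-hmac-sha1 -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 \
           -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts \
           -aes128 -aes192 -aes256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb \
           -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 \
           -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb \
           -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 \
           -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb \
           -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 \
           -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb \
           -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc \
           -cast5-cfb -cast5-ecb -cast5-ofb -des -des-cbc -des-cfb -des-cfb1 \
           -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb \
           -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 \
           -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc \
           -id-aes128-GCM -id-aes192-GCM -id-aes256-GCM -idea -idea-cbc \
           -idea-cfb -idea-ecb -idea-ofb -rc2 -rc2-40-cbc -rc2-64-cbc \
           -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -rc4-hmac-md5 \
           -rc5 -rc5-cbc -rc5-cfb -rc5-ecb -rc5-ofb -seed -seed-cbc -seed-cfb \
           -seed-ecb -seed-ofb)
  cipher_opts=()
  for cipher in $ciphers; do
    # "(${ciphers})" joins the array with spaces: every other cipher flag is
    # listed as mutually exclusive with this one.
    cipher_opts+=("(${ciphers})${cipher}[cipher types]")
  done
  # Security notes for users of this completion:
  #  * -k, -K, -iv and -S place secret material on the command line, where it
  #    is visible in the process list and saved in shell history; -pass with
  #    an env:/file:/fd: source or -kfile avoids that.
  #  * -md selects the digest for the passphrase-to-key derivation; the 1.0.1k
  #    usage text names only md2/md5/sha/sha1, but any digest known to this
  #    build is accepted. md5 (the 1.0.x default) and sha1 are legacy.
  _arguments -C \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-pass[pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-e[encrypt]' \
    '-d[decrypt]' \
    '(-a -base64)'{-a,-base64}'[base64 encode/decode, depending on encryption flag]' \
    '-k[the password to derive the key from]:password: ' \
    '-kfile[read the password to derive the key from the first line of the file]:file:_files' \
    '-md[the md to use to create a key from a passphrase (md2, md5, sha and sha1 are legacy)]:alg:(md2 md5 sha sha1 sha224 sha256 sha384 sha512)' \
    '-S[the actual salt to use]:salt: ' \
    '-K[the actual key to use]:key: ' \
    '-iv[the actual IV to use]:IV: ' \
    '-p[print out the key and IV used]' \
    '-P[print out the key and IV used then exit]' \
    '-bufsize[set the buffer size for I/O]:size: ' \
    '-nopad[disable standard block padding]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    $cipher_opts
}

_openssl_engine() {
  # written for openssl 1.0.1k
  _arguments -C \
    '(-vv -vvv -vvvv)-v[verbose mode, for each engine, list its "control commands"]' \
    "(-v -vvv -vvvv)-vv[like -v, but additionally display each command's description]" \
    '(-v -vv -vvvv)-vvv[like -vv, but also add the input flags for each command]' \
    '(-v -vv -vvv)-vvvv[like -vvv, but also show internal input flags]' \
    '-c[for each engine, also list the capabilities]' \
    '(-tt)-t[for each engine, check that they are really available]' \
    '(-t)-tt[display error trace for unavailable engines]' \
    "-pre[runs command 'cmd' against the ENGINE before any attempts to load it (if -t is used)]:cmd: " \
    "-post[runs command 'cmd' against the ENGINE after loading it (only used if -t is also provided)]:cmd: " \
    '*:engine:_engines'
  # TODO: can cmd (for -pre and -post) be completed?
}

_openssl_errstr() {
  # written for openssl 1.0.1k, re-checked against 1.0.2a
  _arguments -C \
    '-stats' \
    ':errno: '
}

_openssl_gendh() {
  # written for openssl 1.0.1k
  _arguments -C \
    "-out[output the key to 'file']:file:_files" \
    '-2[use 2 as the generator value]' \
    '-5[use 5 as the generator value]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-rand[files to use for random number input]:file:_rand_files' \
    ':numbits: '
}

_openssl_gendsa() {
  # written for openssl 1.0.1k
  _arguments -C \
    "-out[output the key to 'file']:file:_files" \
    '-des[encrypt the generated key with DES in cbc mode]' \
    '-des3[encrypt the generated key with DES in ede cbc mode (168 bit key)]' \
    '-idea[encrypt the generated key with IDEA in cbc mode]' \
    '-seed[encrypt PEM output with cbc seed]' \
    '-aes128[encrypt PEM output with cbc aes]' \
    '-aes192[encrypt PEM output with cbc aes]' \
    '-aes256[encrypt PEM output with cbc aes]' \
    '-camellia128[encrypt PEM output with cbc camellia]' \
    '-camellia192[encrypt PEM output with cbc camellia]' \
    '-camellia256[encrypt PEM output with cbc camellia]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-rand[files to use for random number input]:file:_rand_files' \
    ':dsaparam-file:_files'
}

_openssl_genpkey() {
  # written for openssl 1.0.1k
  # 'alg' is the loop variable below; it must be local too, otherwise every
  # completion leaves a stray global behind in the interactive shell.
  local ciphers cipher_opts alg
  # cipher names come from the installed openssl binary (first word of each
  # line of list-cipher-algorithms)
  ciphers=( ${$(openssl list-cipher-algorithms | cut -d' ' -f1)} )
  cipher_opts=()
  for alg in ${ciphers}; do
    # every cipher flag excludes all the others
    cipher_opts+=("(${${(l:32:: ::-:)ciphers[@]}// / })-${alg}[use this cipher to encrypt the key]")
  done
  _arguments -C \
    '-out[output file]:file:_files' \
    '-outform[output format]:format:(PEM DER)' \
    '-pass[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    $cipher_opts \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '(-algorithm)-paramfile[parameters file]:file:_files' \
    '(-paramfile)-algorithm[the public key algorithm]:algorithm:(EC RSA DSA DH)' \
    '-pkeyopt[public key options]:option\:value: ' \
    '-genparam[generate parameters, not key]' \
    '-text[print the in text]'
  # NB: options order may be important! See the manual page.
  # TODO: complete pkeyopts
  # However: "The precise set of options supported depends on the public key
  # algorithm used and its implementation."
}

_openssl_genrsa() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-des[encrypt the generated key with DES in cbc mode]' \
    '-des3[encrypt the generated key with DES in ede cbc mode (168 bit key)]' \
    '-idea[encrypt the generated key with IDEA in cbc mode]' \
    '-seed[encrypt PEM output with cbc seed]' \
    '-aes128[encrypt PEM output with cbc aes]' \
    '-aes192[encrypt PEM output with cbc aes]' \
    '-aes256[encrypt PEM output with cbc aes]' \
    '-camellia128[encrypt PEM output with cbc camellia]' \
    '-camellia192[encrypt PEM output with cbc camellia]' \
    '-camellia256[encrypt PEM output with cbc camellia]' \
    '-out[output the key to file]:file:_files' \
    '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-f4[use F4 (0x10001) for the E value]' \
    '-3[use 3 for the E value]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-rand[files to use for random number input]:file:_rand_files' \
    ':numbits: '
}

_openssl_nseq() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-toseq[output NS Sequence file]'
}

_openssl_ocsp() {
  # written for openssl 1.0.1k
  # -path takes an argument (the request path); the spec previously lacked the
  # ':path: ' part, so the following word was not recognised as its argument.
  _arguments -C \
    '-out[output filename]:file:_files' \
    '-issuer[issuer certificate]:file:_files' \
    '-cert[certificate to check]:file:_files' \
    '-serial[serial number to check]:serial: ' \
    '-signer[certificate to sign OCSP request with]:file:_files' \
    '-signkey[private key to sign OCSP request with]:file:_files' \
    '-sign_other[additional certificates to include in signed request]:file:_files' \
    "-no_certs[don't include any certificates in signed request]" \
    '-req_text[print text form of request]' \
    '-resp_text[print text form of response]' \
    '-text[print text form of request and response]' \
    '-reqout[write DER encoded OCSP request to "file"]:file:_files' \
    '-respout[write DER encoded OCSP response to "file"]:file:_files' \
    '-reqin[read DER encoded OCSP request from "file"]:file:_files' \
    '-respin[read DER encoded OCSP response from "file"]:file:_files' \
    '-nonce[add OCSP nonce to request]' \
    "-no_nonce[don't add OCSP nonce to request]" \
    '-url[OCSP responder URL]:URL: ' \
    '-host[send OCSP request to given host on given port]:host\:port: ' \
    '-path[path to use in OCSP request]:path: ' \
    '-CApath[trusted certificates directory]:directory:_files -/' \
    '-CAfile[trusted certificates file]:file:_files' \
    '-VAfile[validator certificates file]:file:_files' \
    '-validity_period[maximum validity discrepancy in seconds]:seconds: ' \
    '-status_age[maximum status age in seconds]:seconds: ' \
    "-noverify[don't verify response at all]" \
    '-verify_other[additional certificates to search for signer]:file:_files' \
    "-trust_other[don't verify additional certificates]" \
    "-no_intern[don't search certificates contained in response for signer]" \
    "-no_signature_verify[don't check signature on response]" \
    "-no_cert_verify[don't check signing certificate]" \
    "-no_chain[don't chain verify response]" \
    "-no_cert_checks[don't do additional checks on signing certificate]" \
    '-port[port to run responder on]:port: ' \
    '-index[certificate status index file]:file:_files' \
    '-CA[CA certificate]:file:_files' \
    '-rsigner[responder certificate to sign responses with]:file:_files' \
    '-rkey[responder key to sign responses with]:file:_files' \
    '-rother[other certificates to include in response]:file:_files' \
    "-resp_no_certs[don't include any certificates in response]" \
    '-nmin[number of minutes before next update]:minutes: ' \
    '-ndays[number of days before next update]:days: ' \
    '-resp_key_id[identify response by signing certificate key ID]' \
    '-nrequest[number of requests to accept (default unlimited)]:limit: ' \
    '-dss1[use specified digest in the request]' \
    '-md4[use specified digest in the request]' \
    '-md5[use specified digest in the request]' \
    '-mdc2[use specified digest in the request]' \
    '-ripemd160[use specified digest in the request]' \
    '-ripemd[use specified digest in the request]' \
    '-rmd160[use specified digest in the request]' \
    '-sha1[use specified digest in the request]' \
    '-sha224[use specified digest in the request]' \
    '-sha256[use specified digest in the request]' \
    '-sha384[use specified digest in the request]' \
    '-sha512[use specified digest in the request]' \
    '-sha[use specified digest in the request]' \
    '-ssl2-md5[use specified digest in the request]' \
    '-ssl3-md5[use specified digest in the request]' \
    '-ssl3-sha1[use specified digest in the request]' \
    '-whirlpool[use specified digest in the request]' \
    '-timeout[timeout connection to OCSP responder after n seconds]:seconds: '
}

_openssl_passwd() {
  # written for openssl 1.0.1k
  # Passwords given as positional arguments are recorded in shell history and
  # visible in the process list; -stdin or -in are the safer input paths.
  # -crypt/-1/-apr1 are all legacy hash schemes (DES crypt and MD5-based).
  _arguments -C \
    '-crypt[standard Unix password algorithm (default)]' \
    '-1[MD5-based password algorithm]' \
    '-apr1[MD5-based password algorithm, Apache variant]' \
    '-salt[use provided salt]:salt: ' \
    '-in[read passwords from file]:file:_files' \
    '-stdin[read passwords from stdin]' \
    '-noverify[never verify when reading password from terminal]' \
    '-quiet[no warnings]' \
    '-table[format output as table]' \
    '-reverse[switch table columns]' \
    '*:password:'
}

_openssl_pkcs12() {
  # written for openssl 1.0.2d
  local algorithms
  algorithms=(aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb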
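aes-256-cbc \
    aes-256-ecb bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc \
    camellia-128-ecb camellia-192-cbc camellia-192-ecb \
    camellia-256-cbc camellia-256-ecb cast-cbc cast5-cbc cast5-cfb \
    cast5-ecb cast5-ofb des-cbc des-cfb des-ecb des-ede des-ede-cbc \
    des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb \
    des-ede3-ofb des-ofb idea-cbc idea-cfb idea-ecb idea-ofb \
    rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 \
    rc4-40 rc5-cbc rc5-cfb rc5-ecb rc5-ofb seed-cbc seed-cfb \
    seed-ecb seed-ofb PBE-MD2-DES PBE-MD5-DES PBE-SHA1-RC2-64 \
    PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES PBE-SHA1-RC4-128 \
    PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 \
    PBE-SHA1-RC2-40)
  # NOTE(review): the defaults quoted in the descriptions below (RC2-40 for
  # certificates, 3DES for keys, SHA1 MAC) are weak; prefer an explicit
  # -certpbe/-keypbe such as aes-256-cbc when creating new PKCS#12 files.
  # Both -certpbe and -keypbe must be double-quoted so ${algorithms} expands.
  _arguments -C \
    '-export[output PKCS12 file]' \
    '-chain[add certificate chain]' \
    '-inkey[private key if not infile]:file:_files' \
    '-certfile[add all certs in the specified file]:file:_files' \
    "-CApath[PEM format directory of CA's]:directory:_files -/" \
    "-CAfile[PEM format file of CA's]:file:_files" \
    '-name[use specified friendly name]:name: ' \
    '*-caname[use specified CA friendly name]:name: ' \
    '-in[input filename]:file:_files' \
    '-out[output filename]:file:_files' \
    "-noout[don't output anything, just verify]" \
    "-nomacver[don't verify MAC]" \
    "-nocerts[don't output certificates]" \
    '-clcerts[only output client certificates]' \
    '-cacerts[only output CA certificates]' \
    "-nokeys[don't output private keys]" \
    '-info[give info about PKCS#12 structure]' \
    '-des[encrypt private keys with DES]' \
    '-des3[encrypt private keys with triple DES (default)]' \
    '-idea[encrypt private keys with idea]' \
    '-seed[encrypt private keys with seed]' \
    '-aes128[encrypt PEM output with cbc aes]' \
    '-aes192[encrypt PEM output with cbc aes]' \
    '-aes256[encrypt PEM output with cbc aes]' \
    '-camellia128[encrypt PEM output with cbc camellia]' \
    '-camellia192[encrypt PEM output with cbc camellia]' \
    '-camellia256[encrypt PEM output with cbc camellia]' \
    "-nodes[don't encrypt private keys]" \
    "-noiter[don't use encryption iteration]" \
    "-nomaciter[don't use MAC iteration]" \
    '-maciter[use MAC iteration]' \
    "-nomac[don't generate MAC]" \
    '-twopass[separate MAC, encryption passwords]' \
    '-descert[encrypt PKCS#12 certificates with triple DES (default RC2-40)]' \
    "-certpbe[specify certificate PBE algorithm (default RC2-40)]:alg:(${algorithms})" \
    "-keypbe[specify private key PBE algorithm (default 3DES)]:alg:(${algorithms})" \
    '-macalg[digest algorithm used in MAC (default SHA1)]:alg:_list_message_digest_algorithms' \
    '-keyex[set MS key exchange type]' \
    '-keysig[set MS key signature type]' \
    '-password[set import/export password source]:pass phrase source:_pass_phrase_source' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '-CSP[Microsoft CSP name]:name: ' \
    '-LMK[add local machine keyset attribute to private key]'
}

# Completion for "openssl pkcs7": print or convert PKCS#7 structures.
_openssl_pkcs7() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-print_certs[print any certs or crl in the input]' \
    '-text[print full details of certificates]' \
    "-noout[don't output encoded data]" \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
}

# Completion for "openssl pkcs8": PKCS#8 private key conversion.
_openssl_pkcs8() {
  # written for openssl 1.0.2d
  # NOTE(review): -v1 (PKCS#5 v1.5) and -nocrypt produce weakly protected or
  # plaintext keys; -v2 with an AES cipher is the safe choice for new files.
  _arguments -C \
    '-in[input file]:file:_files' \
    '-inform[input format]:format:(PEM DER)' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-outform[output format]:format:(PEM DER)' \
    '-out[output file]:file:_files' \
    '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-topk8[output PKCS8 file]' \
    '-nooct[use (nonstandard) no octet format]' \
    '-embed[use (nonstandard) embedded DSA parameters format]' \
    '-nsdb[use (nonstandard) DSA Netscape DB format]' \
    '-noiter[use 1 as iteration count]' \
    '-nocrypt[use or expect unencrypted private key]' \
    '(-v1)-v2[use PKCS#5 v2.0 and given cipher]:alg:(aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb seed seed-cbc seed-cfb seed-ecb seed-ofb)' \
    '-v2prf[set the PRF algorithm to use with PKCS#5 v2.0]:alg:(hmacWithMD5 hmacWithRMD160 hmacWithSHA1 hmacWithSHA224 hmacWithSHA256 hmacWithSHA384 hmacWithSHA512)' \
    '(-v2)-v1[use PKCS#5 v1.5 and given cipher]:obj:(PBE-MD2-DES PBE-MD5-DES PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40)' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
}

# Completion for "openssl pkey": generic private/public key conversion.
_openssl_pkey() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-in[input file]:file:_files' \
    '-inform[input format]:format:(PEM DER)' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-outform[output format]:format:(PEM DER)' \
    '-out[output file]:file:_files' \
    '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
}

# Completion for "openssl pkeyparam": key parameter printing/conversion.
_openssl_pkeyparam() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-in[the input filename to read parameters from]:file:_files' \
    '-out[the output filename to write parameters]:file:_files' \
    '-text[prints out the parameters in plain text in addition to the encoded version]' \
    '-noout[do not output the encoded version of the parameters]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
}

# Completion for "openssl pkeyutl": generic sign/verify/encrypt/derive.
# The five operations are mutually exclusive; -pkeyopt may be repeated.
_openssl_pkeyutl() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-sigfile[signature file (verify operation only)]:file:_files' \
    '-inkey[input key]:file:_files' \
    '-keyform[private key format]:format:(PEM DER)' \
    '-pubin[input is a public key]' \
    '-certin[input is a certificate carrying a public key]' \
    '*-pkeyopt[public key options]:option\:value:_pkeyopts' \
    '(-verify -verifyrecover -encrypt -decrypt -derive)-sign[sign with private key]' \
    '(-sign -verifyrecover -encrypt -decrypt -derive)-verify[verify with public key]' \
    '(-sign -verify -encrypt -decrypt -derive)-verifyrecover[verify with public key, recover original data]' \
    '(-sign -verify -verifyrecover -decrypt -derive)-encrypt[encrypt with public key]' \
    '(-sign -verify -verifyrecover -encrypt -derive)-decrypt[decrypt with private key]' \
    '(-sign -verify -verifyrecover -encrypt -decrypt)-derive[derive shared secret]' \
    '-hexdump[hex dump output]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-passin[pass phrase source]:pass phrase source:_pass_phrase_source'
}

# Completion for "openssl prime": primality testing of a number.
_openssl_prime() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-hex[hex]' \
    '-checks[number of checks]:checks: ' \
    ':number:'
}

# Completion for "openssl rand": generate pseudo-random bytes.
# -hex and -base64 select alternative encodings, so they exclude each other.
_openssl_rand() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-out[write to file]:file:_files' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '(-hex)-base64[base64 encode output]' \
    '(-base64)-hex[hex encode output]' \
    ':num:'
}

# Completion for "openssl req": certificate request generation/handling.
_openssl_req() {
  # written for openssl 1.0.1k
  # Signature digest flags are mutually exclusive. MD2/MD4/MD5 and SHA-1 are
  # kept for completeness only; use a SHA-2 digest for anything new.
  local digests
  digests=(-md2 -md4 -md5 -mdc2 -sha1 -sha224 -sha256 -sha384 -sha512)
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-text[text form of request]' \
    '-pubkey[output public key]' \
    '-noout[do not output REQ]' \
    '-verify[verify signature on REQ]' \
    '-modulus[RSA modulus]' \
    "-nodes[don't encrypt the output key]" \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    "-subject[output the request's subject]" \
    '-passin[private key pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-key[use the private key contained in the specified file]:file:_files' \
    '-keyform[key file format]:format:(PEM DER)' \
    '-keyout[file to send the key to]:file:_files' \
    '-rand[files to use for random number input]:file:_rand_files' \
    "-newkey rsa\:-[generate a new RSA key of the specified number of bits in size]:bits: " \
    "-newkey dsa\:[generate a new DSA key, parameters taken from CA in the specified file]:file:_files" \
    "-newkey ec\:[generate a new EC key, parameters taken from CA in the specified file]:file:_files" \
    "($digests)-md2[digest to sign with]" \
    "($digests)-md4[digest to sign with]" \
    "($digests)-md5[digest to sign with]" \
    "($digests)-mdc2[digest to sign with]" \
    "($digests)-sha1[digest to sign with]" \
    "($digests)-sha224[digest to sign with]" \
    "($digests)-sha256[digest to sign with]" \
    "($digests)-sha384[digest to sign with]" \
    "($digests)-sha512[digest to sign with]" \
    '-config[request template file]:file:_files' \
    '-subj[set or modify request subject]:subject: ' \
    '-multivalue-rdn[enable support for multivalued RDNs]' \
    '-new[new request]' \
    '-batch[do not ask anything during request generation]' \
    '-x509[output a x509 structure instead of a certificate request]' \
    '-days[number of days a certificate generated by -x509 is valid for]:days: ' \
    '-set_serial[serial number to use for a certificate generated by -x509]:serial: ' \
    '-newhdr[output "NEW" in the header lines]' \
    "-asn1-kludge[output the 'request' in a format that is wrong but some CA's have been reported as requiring]" \
    '-extensions[specify certificate extension section (override value in config file)]:section: ' \
    '-reqexts[specify request extension section (override value in config file)]:section: ' \
    '-utf8[input characters are UTF8 (default ASCII)]' \
    '*-nameopt[various certificate name options]:options:_nameopts' \
    '*-reqopt[various request text options]:options:_certopts'
  # TODO: complete -extensions and -reqexts
}

# Completion for "openssl rsa": RSA key printing/conversion.
_openssl_rsa() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format]:format:(PEM DER NET)' \
    '-outform[output format]:format:(PEM DER NET)' \
    '-in[input file]:file:_files' \
    '-sgckey[use IIS SGC key format]' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-out[output file]:file:_files' \
    '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-des[encrypt PEM output with cbc des]' \
    '-des3[encrypt PEM output with ede cbc des using 168 bit key]' \
    '-idea[encrypt PEM output with cbc idea]' \
    '-seed[encrypt PEM output with cbc seed]' \
    '-aes128[encrypt PEM output with cbc aes]' \
    '-aes192[encrypt PEM output with cbc aes]' \
    '-aes256[encrypt PEM output with cbc aes]' \
    '-camellia128[encrypt PEM output with cbc camellia]' \
    '-camellia192[encrypt PEM output with cbc camellia]' \
    '-camellia256[encrypt PEM output with cbc camellia]' \
    '-text[print the key in text]' \
    "-noout[don't print key out]" \
    '-modulus[print the RSA key modulus]' \
    '-check[verify key consistency]' \
    '-pubin[expect a public key in input file]' \
    '-pubout[output a public key]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
}

# Completion for "openssl rsautl": raw RSA sign/verify/encrypt/decrypt.
# Padding modes are mutually exclusive. Note that -ssl (SSLv2 padding) and
# -raw (no padding) exist for interoperability and are not safe choices.
_openssl_rsautl() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-inkey[input key]:file:_files' \
    '-keyform[private key format]:format:(PEM DER)' \
    '-pubin[input is an RSA public key]' \
    '-certin[input is a certificate carrying an RSA public key]' \
    '(-raw -pkcs -oaep)-ssl[use SSL v2 padding]' \
    '(-ssl -pkcs -oaep)-raw[use no padding]' \
    '(-ssl -raw -oaep)-pkcs[use PKCS#1 v1.5 padding (default)]' \
    '(-ssl -raw -pkcs)-oaep[use PKCS#1 OAEP]' \
    '(-verify -encrypt -decrypt)-sign[sign with private key]' \
    '(-sign -encrypt -decrypt)-verify[verify with public key]' \
    '(-sign -verify -decrypt)-encrypt[encrypt with public key]' \
    '(-sign -verify -encrypt)-decrypt[decrypt with private key]' \
    '-hexdump[hex dump output]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-passin[pass phrase source]:pass phrase source:_pass_phrase_source'
}

# Completion for "openssl s_client": generic SSL/TLS client.
# Each "just use <proto>" flag excludes the other protocol selectors and its
# own -no_<proto> counterpart.
_openssl_s_client() {
  # written for openssl 1.0.1k
  # NOTE(review): -psk, -srppass and pass:... sources put secrets on the
  # command line where other users can read them (ps, shell history).
  # -ssl2/-ssl3 and -legacy_renegotiation are kept for interoperability
  # testing only; they are insecure.
  _arguments -C \
    '(-6)-4[use IPv4 only]' \
    '(-4)-6[use IPv6 only]' \
    '(-connect)-host[use -connect instead]:host: ' \
    '(-connect)-port[use -connect instead]:port: ' \
    '(-host -port)-connect[who to connect to (default is localhost:4433)]:host\:port: ' \
    '-verify[turn on peer certificate verification]:depth: ' \
    '-verify_return_error[return verification errors]' \
    '-cert[certificate file to use, PEM format assumed]:file:_files' \
    '-certform[certificate format (PEM or DER) PEM default]:format:(PEM DER)' \
    '-key[private key file to use, in cert file if not specified but cert file is]:file:_files' \
    '-keyform[key format (PEM or DER) PEM default]:format:(PEM DER)' \
    '-pass[private key file pass phrase source]:pass phrase source:_pass_phrase_source' \
    "-CApath[PEM format directory of CA's]:directory:_files -/" \
    "-CAfile[PEM format file of CA's]:file:_files" \
    '-reconnect[drop and re-make the connection with the same Session-ID]' \
    '-pause[sleep(1) after each read(2) and write(2) system call]' \
    '-prexit[print session information even on connection failure]' \
    '-showcerts[show all certificates in the chain]' \
    '-debug[extra output]' \
    '-msg[show protocol messages]' \
    '-nbio_test[more ssl protocol testing]' \
    "-state[print the 'ssl' states]" \
    '-nbio[run with non-blocking IO]' \
    '-crlf[convert LF from terminal into CRLF]' \
    '-quiet[no s_client output]' \
    '(-no_ign_eof)-ign_eof[ignore input eof (default when -quiet)]' \
    "(-ign_eof)-no_ign_eof[don't ignore input eof]" \
    '-psk_identity[PSK identity]:identity: ' \
    '-psk[PSK in hex (without 0x)]:key: ' \
    "-srpuser[SRP authentication for 'user']:user: " \
    "-srppass[password for 'user']:password: " \
    '-srp_lateuser[SRP username into second ClientHello message]' \
    '-srp_moregroups[tolerate other than the known g N values]' \
    '-srp_strength[minimal length in bits for N (default 1024)]:int: ' \
    '(-no_ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -dtls1)-ssl2[just use SSLv2]' \
    '(-no_ssl3 -ssl2 -tls1 -tls1_1 -tls1_2 -dtls1)-ssl3[just use SSLv3]' \
    '(-no_tls1_2 -ssl2 -ssl3 -tls1 -tls1_1 -dtls1)-tls1_2[just use TLSv1.2]' \
    '(-no_tls1_1 -ssl2 -ssl3 -tls1 -tls1_2 -dtls1)-tls1_1[just use TLSv1.1]' \
    '(-no_tls1 -ssl2 -ssl3 -tls1_1 -tls1_2 -dtls1)-tls1[just use TLSv1.0]' \
    '(-no_dtls1 -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2)-dtls1[just use DTLSv1]' \
    '-fallback_scsv[send TLS_FALLBACK_SCSV]' \
    '-mtu[set the link layer MTU]:size: ' \
    '(-tls1_2)-no_tls1_2[turn off TLSv1.2]' \
    '(-tls1_1)-no_tls1_1[turn off TLSv1.1]' \
    '(-tls1)-no_tls1[turn off TLSv1.0]' \
    '(-ssl3)-no_ssl3[turn off SSLv3]' \
    '(-ssl2)-no_ssl2[turn off SSLv2]' \
    '-bugs[switch on all SSL implementation bug workarounds]' \
    "-serverpref[use server's cipher preferences (only SSLv2)]" \
    '-cipher[preferred cipher to use]:cipher suite:_list_ciphers' \
    "-starttls[use the STARTTLS command before starting TLS for those protocols that support it]:protocol:(smtp pop3 imap ftp xmpp)" \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '-sess_out[file to write SSL session to]:file:_files' \
    '-sess_in[file to read SSL session from]:file:_files' \
    '-servername[set TLS extension servername in ClientHello]:host: ' \
    '-tlsextdebug[hex dump of all TLS extensions received]' \
    '-status[request certificate status from server]' \
    '-no_ticket[disable use of RFC4507bis session tickets]' \
    '-nextprotoneg[enable NPN extension, considering named protocols supported (comma-separated list)]:protocols: ' \
    '-legacy_renegotiation[enable use of legacy renegotiation (dangerous)]' \
    '-use_srtp[offer SRTP key management with a colon-separated profile list]:profiles: ' \
    '-keymatexport[export keying material using label]:label: ' \
    '-keymatexportlen[export len bytes of keying material (default 20)]:len: '
}

# Completion for "openssl s_server": generic SSL/TLS server.
_openssl_s_server() {
  # written for openssl 1.0.1k
  # NOTE(review): -WWW and -HTTP serve files relative to the current
  # directory to anyone who connects; run from a dedicated directory.
  # -psk and pass:... sources expose secrets on the command line.
  _arguments -C \
    '-accept[port to accept on (default is 4433)]:port: ' \
    '-context[set session ID context]:id: ' \
    '-verify[turn on peer certificate verification]:depth: ' \
    '-Verify[turn on peer certificate verification, must have a cert]:depth: ' \
    '-verify_return_error[return verification errors]' \
    '-cert[certificate file to use (default is server.pem)]:file:_files' \
    '-crl_check[check the peer certificate has not been revoked by its CA]' \
    '-crl_check_all[check the peer certificate has not been revoked by its CA or any other CRL in the CA chain]' \
    '-certform[certificate format]:format:(PEM DER)' \
    '-key[Private Key file to use, in cert file if not specified (default is server.pem)]:file:_files' \
    '-keyform[key format]:format:(PEM DER ENGINE)' \
    '-pass[private key file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-dcert[second certificate file to use (usually for DSA)]:file:_files' \
    '-dcertform[second certificate format]:format:(PEM DER)' \
    '-dkey[second private key file to use (usually for DSA)]:file:_files' \
    '-dkeyform[second key format]:format:(PEM DER ENGINE)' \
    '-dpass[second private key file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-dhparam[DH parameter file to use, in cert file if not specified or a default set of parameters is used]:file:_files' \
    '-named_curve[elliptic curve name to use for ephemeral ECDH keys (default is nistp256)]:named curve:_list_curves' \
    '-nbio[run with non-blocking IO]' \
    '-nbio_test[test with the non-blocking test bio]' \
    '-crlf[convert LF from terminal into CRLF]' \
    '-debug[print more output]' \
    '-msg[show protocol messages]' \
    '-state[print the SSL states]' \
    "-CApath[PEM format directory of CA's]:directory:_files -/" \
    "-CAfile[PEM format file of CA's]:file:_files" \
    "-nocert[don't use any certificates (Anon-DH)]" \
    '-cipher[preferred cipher to use]:cipher suite:_list_ciphers' \
    "-serverpref[use server's cipher preferences]" \
    '-quiet[no server output]' \
    '-no_tmp_rsa[do not generate a tmp RSA key]' \
    '-psk_hint[PSK identity hint to use]:hint: ' \
    '-psk[PSK in hex (without 0x)]:PSK: ' \
    '-srpvfile[the verifier file for SRP]:file:_files' \
    '-srpuserseed[a seed string for a default user salt]:seed: ' \
    '(-no_ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -dtls1)-ssl2[just talk SSLv2]' \
    '(-no_ssl3 -ssl2 -tls1 -tls1_1 -tls1_2 -dtls1)-ssl3[just talk SSLv3]' \
    '(-no_tls1_2 -ssl2 -ssl3 -tls1 -tls1_1 -dtls1)-tls1_2[just talk TLSv1.2]' \
    '(-no_tls1_1 -ssl2 -ssl3 -tls1 -tls1_2 -dtls1)-tls1_1[just talk TLSv1.1]' \
    '(-no_tls1 -ssl2 -ssl3 -tls1_1 -tls1_2 -dtls1)-tls1[just talk TLSv1]' \
    '(-ssl2 -ssl3 -tls1 -tls1_1 -tls1_2)-dtls1[just talk DTLSv1]' \
    '-timeout[enable timeouts]' \
    '-mtu[set link layer MTU]:size: ' \
    '-chain[read a certificate chain]' \
    '(-ssl2)-no_ssl2[just disable SSLv2]' \
    '(-ssl3)-no_ssl3[just disable SSLv3]' \
    '(-tls1)-no_tls1[just disable TLSv1]' \
    '(-tls1_1)-no_tls1_1[just disable TLSv1.1]' \
    '(-tls1_2)-no_tls1_2[just disable TLSv1.2]' \
    '-no_dhe[disable ephemeral DH]' \
    '-no_ecdhe[disable ephemeral ECDH]' \
    '-bugs[turn on SSL bug compatibility]' \
    '-hack[workaround for early Netscape code]' \
    "-www[respond to a 'GET /' with a status page]" \
    "-WWW[respond to a 'GET / HTTP/1.0' with file ./]" \
    "-HTTP[respond to a 'GET / HTTP/1.0' with file ./ with the assumption it contains a complete HTTP response]" \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-id_prefix[generate SSL/TLS session IDs prefixed by arg]:prefix: ' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '-servername[servername for HostName TLS extension]:hostname: ' \
    '-servername_fatal[on mismatch send fatal alert (default warning alert)]' \
    '-cert2[certificate file to use for servername (default is server2.pem)]:file:_files' \
    '-key2[Private Key file to use for servername, in cert file if not specified (default is server2.pem)]:file:_files' \
    '-tlsextdebug[hex dump of all TLS extensions received]' \
    '-no_ticket[disable use of RFC4507bis session tickets]' \
    '-legacy_renegotiation[enable use of legacy renegotiation (dangerous)]' \
    '-nextprotoneg[set the advertised protocols for the NPN extension (comma-separated list)]:protocol:(http/1.0 http/1.1)' \
    '-use_srtp[offer SRTP key management with a colon-separated profile list]:profiles: ' \
    '(-6)-4[use IPv4 only]' \
    '(-4)-6[use IPv6 only]' \
    '-keymatexport[export keying material using label]:label: ' \
    '-keymatexportlen[export len bytes of keying material (default 20)]:length: ' \
    '-status[respond to certificate status requests]' \
    '-status_verbose[enable status request verbose printout]' \
    '-status_timeout[status request responder timeout]:seconds: ' \
    '-status_url[status request fallback URL]:URL: '
  # TODO: srtp profiles
}

# Completion for "openssl s_time": SSL/TLS connection timing.
_openssl_s_time() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-connect[host:port to connect to (default is localhost:4433)]:host\:port: ' \
    '-nbio[run with non-blocking IO]' \
    '(-ssl3)-ssl2[just use SSLv2]' \
    '(-ssl2)-ssl3[just use SSLv3]' \
    '-bugs[turn on SSL bug compatibility]' \
    '(-reuse)-new[just time new connections]' \
    '(-new)-reuse[just time connection reuse]' \
    "-www[retrieve the specified page from the site]:page: " \
    '-time[max number of seconds to collect data, default 30]:seconds: ' \
    '-verify[turn on peer certificate verification]:depth: ' \
    '-cert[certificate file to use, PEM format assumed]:file:_files' \
    '-key[RSA file to use, PEM format assumed, key is in cert file]:file:_files' \
    "-CApath[PEM format directory of CA's]:directory:_files -/" \
    "-CAfile[PEM format file of CA's]:file:_files" \
    '-cipher[preferred cipher to use]:cipher suite:_list_ciphers'
}

# Completion for "openssl sess_id": SSL session file handling.
_openssl_sess_id() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-inform[input format]:format:(PEM DER)' \
    '-outform[output format]:format:(PEM DER)' \
    '-in[input file (default stdin)]:file:_files' \
    '-out[output file (default stdout)]:file:_files' \
    '-text[print ssl session id details]' \
    '-cert[output certificate]' \
    '-noout[no session output]' \
    '-context[set the session ID context]:id: '
}

# Completion for "openssl smime": S/MIME sign/verify/encrypt/decrypt.
# The five operations are mutually exclusive; the positional arguments are
# recipient certificates (one or more) for -encrypt.
_openssl_smime() {
  # written for openssl 1.0.1k
  # NOTE(review): the default content cipher is RC2-40; pick -aes256 (or
  # another AES/Camellia option) for anything that needs confidentiality.
  _arguments -C \
    '(-decrypt -sign -verify -pk7out)-encrypt[encrypt message]' \
    '(-encrypt -sign -verify -pk7out)-decrypt[decrypt encrypted message]' \
    '(-encrypt -decrypt -verify -pk7out)-sign[sign message]' \
    '(-encrypt -decrypt -sign -pk7out)-verify[verify signed message]' \
    '(-encrypt -decrypt -sign -verify)-pk7out[output PKCS#7 structure]' \
    '-des3[encrypt with triple DES]' \
    '-des[encrypt with DES]' \
    '-seed[encrypt with SEED]' \
    '-rc2-40[encrypt with RC2-40 (default)]' \
    '-rc2-64[encrypt with RC2-64]' \
    '-rc2-128[encrypt with RC2-128]' \
    '-aes128[encrypt with AES-128 CBC]' \
    '-aes192[encrypt with AES-192 CBC]' \
    '-aes256[encrypt with AES-256 CBC]' \
    '-camellia128[encrypt with Camellia-128 CBC]' \
    '-camellia192[encrypt with Camellia-192 CBC]' \
    '-camellia256[encrypt with Camellia-256 CBC]' \
    "-nointern[don't search certificates in message for signer]" \
    "-nosigs[don't verify message signature]" \
    "-noverify[don't verify signers certificate]" \
    "-nocerts[don't include signers certificate when signing]" \
    '-nodetach[use opaque signing]' \
    "-noattr[don't include any signed attributes]" \
    "-binary[don't translate message to text]" \
    '-certfile[other certificates file]:file:_files' \
    '-signer[signer certificate file]:file:_files' \
    '-recip[recipient certificate file for decryption]:file:_files' \
    '-in[input file]:file:_files' \
    '-inform[input format]:format:(SMIME PEM DER)' \
    '-inkey[input private key (if not signer or recipient)]:file:_files' \
    '-keyform[input private key format]:format:(PEM ENGINE)' \
    '-out[output file]:file:_files' \
    '-outform[output format]:format:(SMIME PEM DER)' \
    '-content[supply or override content for detached signature]:file:_files' \
    '-to[to address]:address: ' \
    '-from[from address]:address: ' \
    '-subject[subject]:subject: ' \
    '-text[include or delete text MIME headers]' \
    '-CApath[trusted certificates directory]:directory:_files -/' \
    '-CAfile[trusted certificates file]:file:_files' \
    "-crl_check[check revocation status of signer's certificate using CRLs]" \
    "-crl_check_all[check revocation status of signer's certificate chain using CRLs]" \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-rand[files to use for random number input]:file:_rand_files' \
    '*:certificate:_files'
}

# Completion for "openssl speed": algorithm benchmarking.
_openssl_speed() {
  # written for openssl 1.0.1k
  local algorithms
  # "whirlpool" and "rmd160" are separate algorithms (they were fused into
  # one bogus entry before).
  algorithms=(mdc2 md4 md5 hmac sha1 sha256 sha512 whirlpool rmd160 idea-cbc \
    seed-cbc rc2-cbc rc5-cbc bf-cbc des-cbc des-ede3 aes-128-cbc \
    aes-192-cbc aes-256-cbc aes-128-ige aes-192-ige aes-256-ige \
    camellia-128-cbc camellia-192-cbc camellia-256-cbc rc4 rsa512 \
    rsa1024 rsa2048 rsa4096 dsa512 dsa1024 dsa2048 ecdsap160 \
    ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521 ecdsak163 \
    ecdsak233 ecdsak283 ecdsak409 ecdsak571 ecdsab163 ecdsab233 \
    ecdsab283 ecdsab409 ecdsab571 ecdsa ecdhp160 ecdhp192 ecdhp224 \
    ecdhp256 ecdhp384 ecdhp521 ecdhk163 ecdhk233 ecdhk283 ecdhk409 \
    ecdhk571 ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571 ecdh idea \
    seed rc2 des aes camellia rsa blowfish)
  _arguments -C \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-evp[use the specified EVP]:EVP: ' \
    '-decrypt[time decryption instead of encryption (only EVP)]' \
    '-mr[produce machine readable output]' \
    '-multi[run n benchmarks in parallel]:benchmarks: ' \
    "*:algorithm:(${algorithms})"
}

# Completion for "openssl spkac": SPKAC (Netscape keygen) handling.
_openssl_spkac() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-in[input file]:file:_files' \
    '-out[output file]:file:_files' \
    '-key[create SPKAC using private key]:file:_files' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-challenge[challenge string]:string: ' \
    '-spkac[alternative SPKAC name]:spkacname: ' \
    '-spksect[alternative section name]:section: ' \
    "-noout[don't print SPKAC]" \
    '-pubkey[output public key]' \
    '-verify[verify SPKAC signature]' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
}

# Completion for "openssl srp": SRP verifier file maintenance.
# -add/-modify/-delete/-list are mutually exclusive.
_openssl_srp() {
  # written for openssl 1.0.1k
  _arguments -C \
    '-verbose[talk a lot while doing things]' \
    '-config[a config file]:file:_files' \
    '-name[the particular srp definition to use]:definition: ' \
    '-srpvfile[the srp verifier file name]:file:_files' \
    '(-modify -delete -list)-add[add a user and srp verifier]' \
    '(-add -delete -list)-modify[modify the srp verifier of an existing user]' \
    '(-add -modify -list)-delete[delete user from verifier file]' \
    '(-add -modify -delete)-list[list user]' \
    '-gn[g and N values to be used for new verifier]:g and N: ' \
    '-userinfo[additional info to be set for user]:userinfo: ' \
    '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
    '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
    '-rand[files to use for random number input]:file:_rand_files' \
    ':user:'
}

# Completion for "openssl ts": RFC 3161 time stamp query/reply/verify.
# The first word after "ts" selects the action; the remaining options depend
# on it.  Expects the dispatcher to have shifted "ts" out so that
# ${words[2]} is the action (same convention as the original).
_openssl_ts() {
  # written for openssl 1.0.2e
  local action digests
  # Digest flags for -query are mutually exclusive; SHA-2 is the sane choice.
  digests=(-dss1 -md4 -md5 -mdc2 -ripemd160 -sha -sha1 -sha224 -sha256 \
    -sha384 -sha512 -whirlpool)
  if [[ "${CURRENT}" -eq 2 ]]; then
    # first parameter to ts
    _values 'openssl time stamp action' \
      '-query[time stamp request generation]' \
      '-reply[time stamp response generation]' \
      '-verify[time stamp response verification]'
  else
    action="${words[2]}"
    case "${action}" in
      -query)
        # NOTE(review): -no_nonce removes the client's replay protection.
        _arguments -C \
          '-rand[files to use for random number input]:file:_rand_files' \
          '-config[config file to use]:file:_files' \
          '(-digest)-data[data file for which the time stamp request needs to be created]:file:_files' \
          '(-data)-digest[digest of the data file]:bytes: ' \
          "($digests)-dss1[use the dss1 message digest algorithm]" \
          "($digests)-md4[use the md4 message digest algorithm]" \
          "($digests)-md5[use the md5 message digest algorithm]" \
          "($digests)-mdc2[use the mdc2 message digest algorithm]" \
          "($digests)-ripemd160[use the ripemd160 message digest algorithm]" \
          "($digests)-sha[use the sha message digest algorithm]" \
          "($digests)-sha1[use the sha1 message digest algorithm]" \
          "($digests)-sha224[use the sha224 message digest algorithm]" \
          "($digests)-sha256[use the sha256 message digest algorithm]" \
          "($digests)-sha384[use the sha384 message digest algorithm]" \
          "($digests)-sha512[use the sha512 message digest algorithm]" \
          "($digests)-whirlpool[use the whirlpool message digest algorithm]" \
          '-policy[policy to use for creating the time stamp token]:policy ID: ' \
          '-no_nonce[do not include a nonce in the request]' \
          '-cert[request a signing certificate in the response]' \
          '-in[use the previously created time stamp request]:file:_files' \
          '-out[name of the output file to which the request will be written]:file:_files' \
          '-text[output in human-readable format instead of DER]'
        ;;
      -reply)
        _arguments -C \
          '-config[config file to use]:file:_files' \
          '-section[config file section for response generation]:section: ' \
          '-queryfile[file containing a DER encoded time stamp request]:file:_files' \
          '-passin[private key password source]:pass phrase source:_pass_phrase_source' \
          '-signer[signer certificate of the TSA in PEM format]:file:_files' \
          '-inkey[signer private key in PEM format]:file:_files' \
          '-chain[signer certificate chain in PEM format]:file:_files' \
          '-policy[default policy to use for response]:policy ID: ' \
          '-in[use the previously created time stamp response in DER format]:file:_files' \
          '-token_in[the parameter to -in is a time stamp token in DER format]' \
          '-out[name of the output file to which the response will be written]:file:_files' \
          '-token_out[output a time stamp token instead of a time stamp response]' \
          '-text[output in human-readable format instead of DER]' \
          '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
        ;;
      -verify)
        # The trust-anchor option is spelled -CAfile (lower-case f), as in
        # every other openssl sub-command.
        _arguments -C \
          '(-digest -queryfile)-data[verify response against the specified file]:file:_files' \
          '(-data -queryfile)-digest[verify the response against the specified message digest]:digest bytes: ' \
          '(-data -digest)-queryfile[the original time stamp request in DER format]:file:_files' \
          '-in[time stamp response that needs to be verified in DER format]:file:_files' \
          '-token_in[the parameter to -in is a time stamp token in DER format]' \
          '-CApath[directory containing the trusted CA certificates of the client]:directory:_files -/' \
          '-CAfile[file containing a set of trusted self-signed CA certificates in PEM format]:file:_files' \
          '-untrusted[set of additional untrusted certificates in PEM format which may be needed when building the certificate chain]:file:_files'
        ;;
    esac
  fi
}

# Completion for "openssl verify": certificate chain verification.
_openssl_verify() {
  # written for openssl 1.0.1k
  # NOTE(review): -ignore_critical and -attime weaken or alter the result of
  # validation; they are diagnostic aids, not something to script around.
  _arguments -C \
    '-CApath[a directory of trusted certificates]:directory:_files -/' \
    '-CAfile[a file of trusted certificates]:file:_files' \
    '-purpose[the intended use for the certificate]:purpose:(sslclient sslserver nssslserver smimesign smimeencrypt crlsign any ocsphelper timestampsign)' \
    '*-policy[enable policy processing and add arg to the user-initial-policy-set]:object name or OID: ' \
    '-ignore_critical[ignore critical extensions]' \
    '-attime[perform validation checks using the given time]:timestamp: ' \
    '-check_ss_sig[verify the signature on the self-signed root CA]' \
    "-crlfile[file containing one or more CRL's (in PEM format) to load]:file:_files" \
    '-crl_check[check end entity certificate in CRL]' \
    '-crl_check_all[check all certificates in CRL]' \
    '-policy_check[enables certificate policy processing]' \
    '-explicit_policy[set policy variable require-explicit-policy]' \
    '-inhibit_any[set policy variable inhibit-any-policy]' \
    '-inhibit_map[set policy variable inhibit-policy-mapping]' \
    '-x509_strict[strict X.509-compliance]' \
    '-extended_crl[enable extended CRL features]' \
    '-use_deltas[enable support for delta CRLs]' \
    '-policy_print[print out diagnostics related to policy processing]' \
    '-untrusted[a file of untrusted certificates]:file:_files' \
    '(-*)-help[print out a usage message]' \
    '-issuer_checks[print out diagnostics relating to searches for the issuer certificate of the current certificate]' \
    '-verbose[print extra information about the operations being performed]' \
    '*:certificate:_files'
  # TODO: - may be used to separate certificates from options
  # TODO: Do not hardcode purposes
}

# Completion for "openssl version": build/version information.
# -a implies all of the other flags, so it excludes them.
_openssl_version() {
  # written for openssl 1.0.1k
  _arguments -C \
    '(-v -b -o -f -p -d)-a[all information, this is the same as setting all the other flags]' \
    '(-a)-v[the current OpenSSL version]' \
    '(-a)-b[the date the current version of OpenSSL was built]' \
    '(-a)-o[option information: various options set when the library was built]' \
    '(-a)-f[compilation flags]' \
    '(-a)-p[platform setting]' \
    '(-a)-d[OPENSSLDIR setting]'
}

# Completion for "openssl x509": certificate display, conversion and signing.
# -extfile, -extensions and -set_serial take arguments (they were completed
# as bare flags before); -addtrust/-addreject may be repeated.
_openssl_x509() {
  # written for openssl 1.0.1k
  # Signing digest flags are mutually exclusive. MD2/MD5/SHA-1 are kept for
  # completeness only; sign new certificates with a SHA-2 digest.
  local digests
  digests=(-md2 -md5 -sha1 -mdc2 -sha224 -sha256 -sha384 -sha512)
  _arguments -C \
    '-inform[input format - default PEM (one of DER, NET or PEM)]:format:(DER NET PEM)' \
    '-outform[output format - default PEM (one of DER, NET or PEM)]:arg:(DER NET PEM)' \
    '-keyform[private key format - default PEM]:arg:(DER PEM)' \
    '-CAform[CA format - default PEM]:arg:(DER PEM)' \
    '-CAkeyform[CA key format - default PEM]:arg:(DER PEM)' \
    '-in[input file - default stdin]:file:_files' \
    '-out[output file - default stdout]:file:_files' \
    '-passin[private key password source]:pass phrase source:_pass_phrase_source' \
    '-serial[print serial number value]' \
    '-subject_hash[print subject hash value]' \
    '-subject_hash_old[print old-style (MD5) subject hash value]' \
    '-issuer_hash[print issuer hash value]' \
    '-issuer_hash_old[print old-style (MD5) issuer hash value]' \
    '-hash[synonym for -subject_hash]' \
    '-subject[print subject DN]' \
    '-issuer[print issuer DN]' \
    '-email[print email address(es)]' \
    '-startdate[notBefore field]' \
    '-enddate[notAfter field]' \
    '-purpose[print out certificate purposes]' \
    '-dates[both Before and After dates]' \
    '-modulus[print the RSA key modulus]' \
    '-pubkey[output the public key]' \
    '-fingerprint[print the certificate fingerprint]' \
    '-alias[output certificate alias]' \
    '-noout[no certificate output]' \
    '-ocspid[print OCSP hash values for the subject name and public key]' \
    '-ocsp_uri[print OCSP Responder URL(s)]' \
    '-trustout[output a "trusted" certificate]' \
    '-clrtrust[clear all trusted purposes]' \
    '-clrreject[clear all rejected purposes]' \
    '*-addtrust[trust certificate for a given purpose]:purpose:(clientAuth serverAuth emailProtection)' \
    '*-addreject[reject certificate for a given purpose]:purpose:(clientAuth serverAuth emailProtection)' \
    '-setalias[set certificate alias]:alias: ' \
    '-days[how long till expiry of a signed certificate (default 30 days)]:days: ' \
    '-checkend[check whether the cert expires in the specified time]:seconds: ' \
    '-signkey[self sign cert with arg]:file:_files' \
    '-x509toreq[output a certification request object]' \
    '-req[input is a certificate request, sign and output]' \
    '-CA[set the CA certificate, must be PEM format]:file:_files' \
    '-CAkey[set the CA key, must be PEM format]:file:_files' \
    '-CAcreateserial[create serial number file if it does not exist]' \
    '-CAserial[serial file]:file:_files' \
    '-set_serial[serial number to use]:serial: ' \
    '-text[print the certificate in text form]' \
    '-C[print out C code forms]' \
    "($digests)-md2[digest to use]" \
    "($digests)-md5[digest to use]" \
    "($digests)-sha1[digest to use]" \
    "($digests)-mdc2[digest to use]" \
    "($digests)-sha224[digest to use]" \
    "($digests)-sha256[digest to use]" \
    "($digests)-sha384[digest to use]" \
    "($digests)-sha512[digest to use]" \
    '-extfile[configuration file with X509V3 extensions to add]:file:_files' \
    '-extensions[section from config file with X509V3 extensions to add]:section: ' \
    '-clrext[delete extensions before signing and input certificate]' \
    '*-nameopt[various certificate name options]:options:_nameopts' \
    '-engine[use the specified engine, possibly a hardware 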
device]:engine:_engines' \ '*-certopt[various certificate text options]:options:_certopts' } _pass_phrase_source() { # pass:password # env:var # file:pathname # fd:number # stdin _values -S : 'pass phrase source' \ 'pass[obtain the password from the command line]:password: ' \ 'env[obtain the password from the environment variable var]:var:_parameters -g "*export*"' \ 'file[obtain the password from a file]:file:_files' \ 'fd[read the password from the file descriptor number]:number: ' \ 'stdin[read the password from standard input]' } _rand_files() { # FIXME: this does not allow using multiple files separated by : # the following would probably work, but how to generate $files? #_values -s : -S ' ' 'random source file or directory' ${files} _files } _engines() { # openssl engines local engines engines=(${${${(@f)"$(_call_program engines openssl engine)"}%)*}#\(}) _values 'engines' ${engines} } _list_ciphers() { # openssl ciphers local ciphers # add cipher suites ciphers=(${(@s/:/)"$(_call_program ciphers openssl ciphers)"}) # add static cipher strings ciphers=(${ciphers} \ 'DEFAULT[the default cipher list]' \ 'COMPLEMENTOFDEFAULT[the ciphers included in ALL but not enabled by default]' \ 'ALL[all cipher suites except the eNULL ciphers]' \ 'COMPLEMENTOFALL[the cipher suites not enabled by ALL]' \ 'HIGH["high" encryption cipher suites]' \ 'MEDIUM["medium" encryption cipher suites]' \ 'LOW["low" encryption cipher suites]' \ {EXP,EXPORT}'[export encryption algorithms]' \ 'EXPORT40[40 bit export encryption algorithms]' \ 'EXPORT56[56 bit export encryption algorithms]' \ {eNULL,NULL}'[ciphers offering no encryption]' \ 'aNULL[ciphers offering no authentication]' \ {kRSA,RSA}'[cipher suites rusing RSA key exchange]' \ 'kDHr[cipher suites using DH key agreement signed by CAs with RSA keys]' \ 'kDHd[cipher suites using DH key agreement signed by CAs with DSS keys]' \ 'kDH[cipher suites using DH key agreement]' \ {kDHE,kEDH}'[cipher suites using ephemeral DH key agreement, 
including anonymous cipher suites]' \ {DHE,EDH}'[cipher suites using authenticated ephemeral DH key agreement]' \ 'ADH[anonymous DH cipher suites, not including anonymous ECDH ciphers]' \ 'DH[cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH]' \ 'kECDHr[cipher suites using fixed ECDH key agreement signed by CAs with RSA keys]' \ 'kECDHe[cipher suites using fixed ECDH key agreement signed by CAs with ECDSA keys]' \ 'kECDH[cipher suites using fixed ECDH key agreement]' \ {kECDHE,kEECDH}'[cipher suites using ephemeral ECDH key agreement, including anonymous cipher suites]' \ {ECDHE,kEECDH}'[cipher suites using authenticated ephemeral ECDH key agreement]' \ 'AECDH[anonymous Elliptic Curve Diffie Hellman cipher suites]' \ 'ECDH[cipher suites using ECDH key exchange, including anonymous, ephemeral and fixed ECDH]' \ 'aRSA[cipher suites using RSA authentication]' \ {aDSS,DSS}'[cipher suites using DSS authentication]' \ 'aDH[cipher suites effectively using DH authentication]' \ 'aECDH[cipher suites effectively using ECDH authentication]' \ {aECDSA,ECDSA}'[cipher suites using ECDSA authentication]' \ 'TLSv1.2[TLSv1.2 cipher suites]' \ 'TLSv1[TLSv1.0 cipher suites]' \ 'SSLv3[SSLv3.0 cipher suites]' \ 'SSLv2[SSLv2.0 cipher suites]' \ 'AES128[cipher suites using 128 bit AES]' \ 'AES256[cipher suites using 256 bit AES]' \ 'AES[cipher suites using AES]' \ 'AESGCM[AES in Galois Counter Mode (GCM)]' \ 'CAMELLIA128[cipher suites using 128 bit CAMELLIA]' \ 'CAMELLIA256[cipher suites using 256 bit CAMELLIA]' \ 'CAMELLIA[cipher suites using CAMELLIA]' \ '3DES[cipher suites using triple DES]' \ 'DES[cipher suites using DES (not triple DES)]' \ 'RC4[cipher suites using RC4]' \ 'RC2[cipher suites using RC2]' \ 'IDEA[cipher suites using IDEA]' \ 'SEED[cipher suites using SEED]' \ 'MD5[cipher suites using MD5]' \ {SHA1,SHA}'[cipher suites using SHA1]' \ 'SHA256[cipher suites using SHA256]' \ 'SHA384[cipher suites using SHA284]' \ 'aGOST[cipher suites using GOST R 
34.10 for authenticaction]' \ 'aGOST01[cipher suites using GOST R 34.10-2001 authentication]' \ 'aGOST94[cipher suites using GOST R 34.10-94 authentication]' \ 'kGOST[cipher suites, using VKO 34.10 key exchange]' \ 'GOST94[cipher suites, using HMAC based on GOST R 34.11-94]' \ 'GOST89MAC[cipher suites using GOST 28147-89 MAC instead of HMAC]' \ 'PSK[cipher suites using pre-shared keys (PSK)]' \ 'SUITEB128[suite B mode operation using 128 or 192 bit level of security]' \ 'SUITEB128ONLY[suite B mode operation using 128 bit level of security]' \ 'SUITEB192[suite B mode operation using 192 bit level of security]' \ ) # FIXME: support !, + and - before each cipher suite _values -s : 'cipher suite' ${ciphers} } _list_curves() { # openssl ecparam -list_curves local curves not_curves curves="$(_call_program list_curves openssl ecparam -list_curves)" # identify lines that do not contain curve names but only descriptions not_curves=(${${(f)curves[@]}:#*:*}) # remove non-curve lines, trailing descriptions and leading spaces curves=(${${${${(f)curves[@]}:|not_curves}%:*}##* }) _values 'named curves' ${curves} } _list_message_digest_algorithms() { # openssl list-message-digest-algorithms local algorithms algorithms=(${${(@f)"$(_call_program message_digest_algorithms openssl list-message-digest-algorithms)"}%% *}) _values 'message digest algorithms' ${algorithms} } _nameopts() { _values -s ',' -w 'nameopts' \ '(-compat compat)'{-compat,compat}'[use the old format. This is equivalent to specifying no name options at all]' \ '(-RFC2253 RFC2253)'{-RFC2253,RFC2253}'[displays names compatible with RFC2253 equivalent to esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_unknown, dump_der, sep_comma_plus, dn_rev and sname]' \ '(-oneline oneline)'{-oneline,oneline}'[a oneline format which is more readable than RFC2253. 
Equivalent to esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq and sname options]' \ '(-multiline multiline)'{-multiline,multiline}'[a multiline format. Equivalent to esc_ctrl, esc_msb, sep_multiline, space_eq, lname and align]' \ '(-esc_2253 esc_2253)'{-esc_2253,esc_2253}'[escape the "special" characters required by RFC2253 in a field]' \ '(-esc_ctrl esc_ctrl)'{-esc_ctrl,esc_ctrl}'[escape control characters]' \ '(-esc_msb esc_msb)'{-esc_msb,esc_msb}'[escape characters with the MSB set]' \ '(-use_quote use_quote)'{-use_quote,use_quote}'[escapes some characters by surrounding the whole string with " characters]' \ '(-utf8 utf8)'{-utf8,utf8}'[convert all strings to UTF8 format first]' \ '(-ignore_type ignore_type)'{-ignore_type,ignore_type}'[this option does not attempt to interpret multibyte characters in any way]' \ '(-show_type show_type)'{-show_type,show_type}'[show the type of the ASN1 character string]' \ '(-dump_der dump_der)'{-dump_der,dump_der}'[use DER encoding when hexdumping fields]' \ '(-dump_nostr dump_nostr)'{-dump_nostr,dump_nostr}'[dump non character string types]' \ '(-dump_all dump_all)'{-dump_all,dump_all}'[dump all fields]' \ '(-dump_unknown dump_unknown)'{-dump_unknown,dump_unknown}'[dump any field whose OID is not recognised by OpenSSL]' \ '(-sep_comma_plus sep_comma_plus)'{-sep_comma_plus,sep_comma_plus}'[these options determine the field separators]' \ '(-sep_comma_plus_space sep_comma_plus_space)'{-sep_comma_plus_space,sep_comma_plus_space}'[these options determine the field separators]' \ '(-sep_semi_plus_space sep_semi_plus_space)'{-sep_semi_plus_space,sep_semi_plus_space}'[these options determine the field separators]' \ '(-sep_multiline sep_multiline)'{-sep_multiline,sep_multiline}'[these options determine the field separators]' \ '(-dn_rev dn_rev)'{-dn_rev,dn_rev}'[reverse the fields of the DN]' \ '(-nofname nofname)'{-nofname,nofname}'[do not display field names]' \ '(-sname 
sname)'{-sname,sname}'[display field names in short form]' \ '(-lname lname)'{-lname,lname}'[display field names in long form]' \ '(-oid oid)'{-oid,oid}'[display field names in numerical form]' \ '(-align align)'{-align,align}'[align field values for a more readable output. Only usable with sep_multiline]' \ '(-space_eq space_eq)'{-space_eq,space_eq}'[places spaces around the = character which follows the field name]' } _certopts() { _values -s ',' -w 'certopts' \ 'compatible[use the old format. This is equivalent to specifying no output options at all]' \ "no_header[don't print header information: that is the lines saying \"Certificate\" and \"Data\"]" \ "no_version[don't print out the version number]" \ "no_serial[don't print out the serial number]" \ "no_signame[don't print out the signature algorithm used]" \ "no_validity[don't print the validity, that is the notBefore and notAfter fields]" \ "no_subject[don't print out the subject name]" \ "no_issuer[don't print out the issuer name]" \ "no_pubkey[don't print out the public key]" \ "no_sigdump[don't give a hexadecimal dump of the certificate signature]" \ "no_aux[don't print out certificate trust information]" \ "no_extensions[don't print out any X509V3 extensions]" \ 'ext_default[retain default extension behaviour: attempt to print out unsupported certificate extensions]' \ 'ext_error[print an error message for unsupported certificate extensions]' \ 'ext_parse[ASN1 parse unsupported extensions]' \ 'ext_dump[hex dump unsupported extensions]' \ '(no_issuer no_pubkey no_header no_version no_sigdump no_signame)ca_default[the value used by the ca utility, equivalent to no_issuer, no_pubkey, no_header, no_version, no_sigdump and no_signame]' } _openssl "$@" # vim: ft=zsh sw=2 ts=2 et