diff --git a/src/_openssl b/src/_openssl
index 9e93be0..94b734e 100644
--- a/src/_openssl
+++ b/src/_openssl
@@ -25,1515 +25,2358 @@ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # ------------------------------------------------------------------------------ - -# openssl command [ command_opts ] [ command_args ] +# Description +# ----------- +# +# Completion script for OpenSSL 3.5.3 (https://www.openssl-library.org/) +# +# ------------------------------------------------------------------------------ +# Authors +# ------- +# +# * Aaron Schrab +# * Dimitris Apostolou +# * Shohei Yoshida +# +# ------------------------------------------------------------------------------ _openssl() { - local openssl_commands cmd cmds - if [[ "$CURRENT" -lt 2 ]]; then - # I do not think this can happen... - return - elif [[ "$CURRENT" -eq 2 ]]; then - # first parameter, the command - openssl_commands=(${(z)${${(f)"$(openssl help 2>&1)"}:#([A-Z]|openssl:Error:)*}}) - _describe 'openssl commands' openssl_commands - else - # $CURRENT -gt 2 - cmd="${words[2]}" - # Note: we could use ${(k)functions} to get a list of all functions and - # filter those that start with _openssl_ - # but that would mean defining a new function *somewhere* might mess with - # the completion... 
- cmds=(asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam \ - ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp \ - passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa \ - rsautl s_client s_server s_time sess_id smime speed spkac srp ts \ - verify version x509) - # check if $cmd is in $cmds, the list of supported commands - if [[ "${cmds[(r)$cmd]}" == "${cmd}" ]]; then - # we should be able to complete $cmd - # run _openssl_$cmd with the remaining words from the command line - shift words - (( CURRENT-- )) - _openssl_${cmd} - elif [[ ${${=${"$(openssl help 2>&1)"/*Cipher commands[^)]#)/}}[(re)$cmd]} == "$cmd" ]]; then - # $cmd is a cipher command, which is practically an alias to enc - shift words - (( CURRENT-- )) - _openssl_enc - elif [[ ${${=${${"$(openssl help 2>&1)"%%Cipher commands*}/*Message Digest commands[^)]#)/}}[(re)$cmd]} == "$cmd" ]]; then - # $cmd is a message digest command, which is practically an alias to dgst - shift words - (( CURRENT-- )) - _openssl_dgst - fi - fi + typeset -A opt_args + local context state line + local curcontext="$curcontext" + local ret=1 + + local -a openssl_tls_flags=( + '-ssl3[enable SSL3 protocol]' + '-no_ssl3[disable SSL3 protocol]' + '-tls1[enable TLS1 protocol]' + '-no_tls1[disable TLS1 protocol]' + '-tls1_1[enable TLS1.1 protocol]' + '-no_tls1_1[disable TLS1.1 protocol]' + '-tls1_2[enable TLS1.2 protocol]' + '-no_tls1_2[disable TLS1.2 protocol]' + '-tls1_3[enable TLS1.3 protocol]' + '-no_tls1_3[disable TLS1.3 protocol]' + ) + + local -a openssl_dtls_flags=( + '-dtls[use DTLS instead of TLS]' + '-dtls1[use DTLS1 instead of TLS]' + '-dtls2[use DTLS2 instead of TLS]' + ) + + local -a openssl_extended_verification_flags=( + '-xkey[extra private key file]:file:_files' + '-xcert[extra certificate file]:file:_files' + '-xchain[extra certificate chain file]:file:_files' + '-xchain_build[build the certificate chain for the extra certificates]' + '-xcertform[extra certificate 
format]:format[DER PEM P12]'
+ )
+
+ local -a openssl_supported_commands_flags=(
+ '-bugs[set various bug workarounds]'
+ '(-comp -no_comp)-no_comp[disable support for SSL/TLS compression]'
+ '(-comp -no_comp)-comp[enable support for SSL/TLS compression]'
+ '-no_ticket[disable support for session tickets]'
+ '-serverpref[use server and not client preference order when determining cipher suite]'
+ '-client_renegotiation[allow servers to accept client-initiated renegotiation]'
+ '-legacy_renegotiation[permit the use of unsafe legacy renegotiation]'
+ '-no_renegotiation[disable all attempts at renegotiation in (D)TLSv1.2 and earlier]'
+ '-no_resumption_on_reneg[set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION]'
+ '(-legacy_server_connect -no_legacy_server_connect)-legacy_server_connect[permit unsafe legacy renegotiation]'
+ '(-legacy_server_connect -no_legacy_server_connect)-no_legacy_server_connect[prohibit unsafe legacy renegotiation]'
+ '-prioritize_chacha[prioritize ChaCha ciphers when the client has a ChaCha20 cipher]'
+ '-allow_no_dhe_kex[allow a non-(ec)dhe based key exchange mode on resumption]'
+ '-strict[enable strict mode protocol handling]'
+ '-sigalgs[set signature algorithms for TLSv1.2 and TLSv1.3]:alg:_openssl_signature_algorithms'
+ '-client_sigalgs[set signature algorithms for client authentication for TLSv1.2 and TLSv1.3]:alg:_openssl_signature_algorithms'
+ '-groups[set the supported groups(colon separated NIST name or OpenSSL OID name)]:groups:_openssl_groups'
+ '-curves[set the curves groups]:groups:_openssl_groups'
+ '-named_curve[set the temporary curve for ephemeral ECDH modes]:curve'
+ '-cipher[set the TLSv1.2 and below ciphersuite list to ciphers]:ciphers'
+ '-ciphersuites[set the available ciphersuites for TLSv1.3]:ciphers'
+ '-min_protocol[minimum supported protocol]:protocol:_openssl_tls_protocols'
+ '-max_protocol[maximum supported protocol]:protocol:_openssl_tls_protocols'
+ '-record_padding[padding length for TLSv1.3 records]:padding'
+ '-no_middlebox[turn of middlebox compatibility]'
+ )
+
+ local -a openssl_provider_options=(
+ '-provider[provider ID to be loaded and initialized]:provider'
+ '-provider-path[search path that is to be used for looking for providers]:path:_files -/'
+ '*-provparam[configuration parameter key to value val in provider name]:key_value'
+ '-propquery[property query clause to be used when fetching algorithms from the loaded providers]:query'
+ )
+
+ local -a openssl_trusted_certificate_options=(
+ '-CAfile[load the specified file which contains a certificate or several of them]:file:_files'
+ '-no-CAfile[do not load the default file of trusted certificates]'
+ '-CApath[directory as a collection of trusted certificates]:dir:_files -/'
+ '-no-CApath[do not use the default directory of trusted certificates]'
+ '-CAstore[URI as a store of CA certificates]:uri'
+ '-no-CAstore[do not use the default store of trusted CA certificates]'
+ )
+
+ local -a openssl_random_state_options=(
+ '-rand[file containing random data used to seed the random number generator]:file:_files'
+ '-writerand[file to be written the seed data]:file:_files'
+ )
+
+ local -a openssl_verification_options=(
+ '-allow_proxy_certs[allow the verification of proxy certificates]'
+ '-attime[perform validation checks using time specified by timestamp and not current system time]:time'
+ '-no_check_time[suppresses checking the validity period of certificates and CRLs against the current time]'
+ '-check_ss_sig[verify the signature of the last certificate in a chain if the certificate is supposedly self-signed]'
+ '-crl_check[checks end entity certificate validity by attempting to look up a valid CRL]'
+ '-crl_check_all[checks the validity of all certificates in the chain by attempting to look up valid CRL]'
+ '-explicit_policy[set policy variable require-explicit-policy]'
+ '-extended_crl[enable extended CRL features]'
+ '-ignore_critical[ignore critical extensions]'
+ '-inhibit_any[set policy variable 
inhibit-any-policy]'
+ '-inhibit_map[set policy variable inhibit-policy-mapping]'
+ '-partial_chain[allow verification to succeed if an incomplete chain can be built]'
+ '-policy[enable policy processing and add arg to the user-initial-policy-set]:policy'
+ '-policy_check[enables certificate policy processing]'
+ '-policy_print[print out diagnostics related to policy processing]'
+ '-purpose[a high-level specification of the intended use of the target certificate]:purpose'
+ '-suiteB_128[enable the Suite B mode operation at 128 bit Level of Security]'
+ '-suiteB_128_only[enable only the Suite B mode operation at 128 bit Level of Security]'
+ '-suiteB_192[enable the Suite B mode operation at 192 bit Level of Security]'
+ '-use_deltas[enable support for delta CRLs]'
+ '-auth_level[set the certificate chain authentication security level]:level'
+ '-verify_depth[limit the certificate chain to num intermediate CA certificates]:depth'
+ '-verify_email[verify the email address in Subject Alternative Name or the email]:email'
+ '-verify_hostname[verify hostname in Subject Alternative Name or Common Name]:hostname'
+ '-verify_ip[verify IP addresses in Subject Alternative Name of the subject certificate]:ip'
+ '-x509_strict[disables non-compliant workarounds for broken certificates]'
+ )
+
+ _arguments -C -A "-*" \
+ '(- *)-help[show help]' \
+ '(- *)-version[show version]' \
+ '1: :_openssl_subcommands' \
+ '*::arg:->args' \
+ && ret=0
+
+ case "$state" in
+ (args)
+ local subcmd=${words[1]}
+ if (( $+functions[_openssl_${subcmd}] )); then
+ _openssl_${subcmd} && ret=0
+ else
+ local -a cipher_flags=($(openssl enc -list | tail -n +2 ))
+ local -a ciphers=()
+ for flag in $cipher_flags[@]
+ do
+ ciphers+=(${flag:1})
+ done
+
+ if (( $ciphers[(I)$subcmd] )); then
+ _openssl_enc 1 && ret=0
+ else
+ local -a digest_flags=($(openssl dgst -list | tail -n +2 ))
+ local -a digests=()
+ for flag in $digest_flags[@]
+ do
+ digests+=(${flag:1})
+ done
+
+ if (( $digests[(I)$subcmd] 
)); then + _openssl_dgst 1 && ret=0 + fi + fi + fi + + ;; + esac + + return ret } +_openssl_subcommands() { + local -a commands=( + 'asn1parse:Parse an ASN.1 sequence' + 'ca:Certificate Authority Management' + 'ciphers:Cipher Suite Description Determination' + 'cmp:Certificate Management Protocol(CMP) application' + 'cms:Cryptographic Message Syntax command' + 'crl:Certificate Revocation List Management' + 'crl2pkcs7:CRL to PKCS#7 Conversion' + 'dgst:Message Digest calculation' + 'dhparam: Generation and Management of Diffie-Hellman Parameters' + 'dsa: DSA Data Management' + 'dsaparam:DSA Parameter Generation and Management' + 'ec:Elliptic curve key processing' + 'ecparam:EC parameter manipulation and generation' + 'enc:Encryption, decryption, and encoding' + 'engine:Engine (loadable module) information and manipulation' + 'errstr:Error Number to Error String Conversion' + 'fipsinstall:FIPS configuration installation' + 'gendsa:Generation of DSA Private Key from Parameters' + 'genpkey:Generation of Private Key or Parameters' + 'genrsa:Generation of RSA Private Key' + "help:Display information about a command's options" + 'info:Display diverse information built into the OpenSSL libraries' + 'list:List algorithms and features' + 'mac:Message Authentication Code Calculation' + 'nseq:Create or examine a Netscape certificate sequence' + 'ocsp:Online Certificate Status Protocol command' + 'passwd:Generation of hashed passwords' + 'pkcs12:PKCS#12 Data Management' + 'pkcs7:PKCS#7 Data Management' + 'pkcs8:PKCS#8 format private key conversion command' + 'pkey:Public and private key management' + 'pkeyparam:Public key algorithm parameter management' + 'pkeyutl:Public key algorithm cryptographic operation command' + 'prime:Compute prime numbers' + 'rand:Generate pseudo-random bytes' + 'rehash:Create symbolic links to certificate and CRL files named by the hash values' + 'req:PKCS#10 X.509 Certificate Signing Request Management' + 'rsautl:RSA command for signing, verification, 
encryption, and decryption'
+ 's_client:SSL/TLS client program'
+ 's_server:SSL/TLS server program'
+ 's_time:SSL Connection Timer'
+ 'sess_id:SSL Session Data Management'
+ 'smime:S/MIME mail processing'
+ 'speed:Algorithm Speed Measurement'
+ 'spkac:SPKAC printing and generating command'
+ 'srp:Maintain SRP password file(deprecated)'
+ 'storeutl:Command to list and display certificates, keys, CRLs, etc'
+ 'ts:Time Stamping Authority command'
+ 'verify:X.509 Certificate Verification'
+ 'version:OpenSSL Version Information'
+ 'x509:X.509 Certificate Data Management'
+
+ # Message Digest Commands
+ 'blake2b512:BLAKE2b-512 Digest'
+ 'blake2s256:BLAKE2s-256 Digest'
+ 'md2:MD2 Digest'
+ 'md4:MD4 Digest'
+ 'md5:MD5 Digest'
+ 'mdc2:MDC2 Digest'
+ 'rmd160:RMD-160 Digest'
+ 'sha1:SHA-1 Digest'
+ 'sha224:SHA-2 224 Digest'
+ 'sha256:SHA-2 256 Digest'
+ 'sha384:SHA-2 384 Digest'
+ 'sha512:SHA-2 512 Digest'
+ 'sha3-224:SHA-3 224 Digest'
+ 'sha3-256:SHA-3 256 Digest'
+ 'sha3-384:SHA-3 384 Digest'
+ 'sha3-512:SHA-3 512 Digest'
+ 'keccak-224:KECCAK 224 Digest'
+ 'keccak-256:KECCAK 256 Digest'
+ 'keccak-384:KECCAK 384 Digest'
+ 'keccak-512:KECCAK 512 Digest'
+ 'shake128:SHA-3 SHAKE128 Digest'
+ 'shake256:SHA-3 SHAKE256 Digest'
+ 'sm3:SM3 Digest'
+
+ # Encryption, Decryption, and Encoding Commands
+ 'aes128:AES-128 Cipher'
+ 'aes-128-cbc:AES-128 CBC Cipher'
+ 'aes-128-cfb:AES-128 CFB Cipher'
+ 'aes-128-ctr:AES-128 CTR Cipher'
+ 'aes-128-ecb:AES-128 ECB Cipher'
+ 'aes-128-ofb:AES-128 OFB Cipher'
+ 'aes192:AES-192 Cipher'
+ 'aes-192-cbc:AES-192 CBC Cipher'
+ 'aes-192-cfb:AES-192 CFB Cipher'
+ 'aes-192-ctr:AES-192 CTR Cipher'
+ 'aes-192-ecb:AES-192 ECB Cipher'
+ 'aes-192-ofb:AES-192 OFB Cipher'
+ 'aes256:AES-256 Cipher'
+ 'aes-256-cbc:AES-256 CBC Cipher'
+ 'aes-256-cfb:AES-256 CFB Cipher'
+ 'aes-256-ctr:AES-256 CTR Cipher'
+ 'aes-256-ecb:AES-256 ECB Cipher'
+ 'aes-256-ofb:AES-256 OFB Cipher'
+
+ 'aria128:Aria-128 Cipher'
+ 'aria-128-cbc:Aria-128 CBC Cipher'
+ 'aria-128-cfb:Aria-128 
CFB Cipher'
+ 'aria-128-ctr:Aria-128 CTR Cipher'
+ 'aria-128-ecb:Aria-128 ECB Cipher'
+ 'aria-128-ofb:Aria-128 OFB Cipher'
+ 'aria192:Aria-192 Cipher'
+ 'aria-192-cbc:Aria-192 CBC Cipher'
+ 'aria-192-cfb:Aria-192 CFB Cipher'
+ 'aria-192-ctr:Aria-192 CTR Cipher'
+ 'aria-192-ecb:Aria-192 ECB Cipher'
+ 'aria-192-ofb:Aria-192 OFB Cipher'
+ 'aria256:Aria-256 Cipher'
+ 'aria-256-cbc:Aria-256 CBC Cipher'
+ 'aria-256-cfb:Aria-256 CFB Cipher'
+ 'aria-256-ctr:Aria-256 CTR Cipher'
+ 'aria-256-ecb:Aria-256 ECB Cipher'
+ 'aria-256-ofb:Aria-256 OFB Cipher'
+
+ 'base64:Base64 Encoding'
+
+ 'bf:Blowfish Cipher'
+ 'bf-cbc:Blowfish CBC Cipher'
+ 'bf-cfb:Blowfish CFB Cipher'
+ 'bf-ecb:Blowfish ECB Cipher'
+ 'bf-ofb:Blowfish OFB Cipher'
+
+ 'camellia128:Camellia-128 Cipher'
+ 'camellia-128-cbc:Camellia-128 CBC Cipher'
+ 'camellia-128-cfb:Camellia-128 CFB Cipher'
+ 'camellia-128-ctr:Camellia-128 CTR Cipher'
+ 'camellia-128-ecb:Camellia-128 ECB Cipher'
+ 'camellia-128-ofb:Camellia-128 OFB Cipher'
+ 'camellia192:Camellia-192 Cipher'
+ 'camellia-192-cbc:Camellia-192 CBC Cipher'
+ 'camellia-192-cfb:Camellia-192 CFB Cipher'
+ 'camellia-192-ctr:Camellia-192 CTR Cipher'
+ 'camellia-192-ecb:Camellia-192 ECB Cipher'
+ 'camellia-192-ofb:Camellia-192 OFB Cipher'
+ 'camellia256:Camellia-256 Cipher'
+ 'camellia-256-cbc:Camellia-256 CBC Cipher'
+ 'camellia-256-cfb:Camellia-256 CFB Cipher'
+ 'camellia-256-ctr:Camellia-256 CTR Cipher'
+ 'camellia-256-ecb:Camellia-256 ECB Cipher'
+ 'camellia-256-ofb:Camellia-256 OFB Cipher'
+
+ 'cast:CAST Cipher'
+ 'cast-cbc:CAST CBC Cipher'
+
+ 'cast5-cbc:CAST5 CBC Cipher'
+ 'cast5-cfb:CAST5 CFB Cipher'
+ 'cast5-ecb:CAST5 ECB Cipher'
+ 'cast5-ofb:CAST5 OFB Cipher'
+
+ 'chacha20:Chacha20 Cipher'
+
+ 'des:DES Ciper'
+ 'des-cbc:DES CBC Ciper'
+ 'des-cfb:DES CFB Ciper'
+ 'des-ecb:DES ECB Ciper'
+ 'des-ede:DES EDE Ciper'
+ 'des-ede-cbc:DES EDE CBC Ciper'
+ 'des-ede-cfb:DES EDE CFB Ciper'
+ 'des-ede-ofb:DES EDE OFB Ciper'
+ 'des-ofb:DES OFB Ciper'
+
+ 'des3:Triple-DES 
Ciper' + 'desx:Triple-DES X Ciper' + 'des-ede3:Triple-DES EDE Ciper' + 'des-ede3-cbc:Triple-DES EDE CBC Ciper' + 'des-ede3-cfb:Triple-DES EDE CFB Ciper' + 'des-ede3-ofb:Triple-DES EDE OFB Ciper' + + 'idea:IDEA Ciper' + 'idea-cbc:IDEA CBC Ciper' + 'idea-cfb:IDEA CFB Ciper' + 'idea-ecb:IDEA ECB Ciper' + 'idea-ofb:IDEA OFB Ciper' + + 'rc2:RC2 Ciper' + 'rc2-cbc:RC2 CBC Ciper' + 'rc2-cfb:RC2 CFB Ciper' + 'rc2-ecb:RC2 ECB Ciper' + 'rc2-ofb:RC2 OFB Ciper' + + 'rc4:RC4 Ciper' + + 'rc5:RC5 Ciper' + 'rc5-cbc:RC5 CBC Ciper' + 'rc5-cfb:RC5 CFB Ciper' + 'rc5-ecb:RC5 ECB Ciper' + 'rc5-ofb:RC5 OFB Ciper' + + 'seed:SEED Ciper' + 'seed-cbc:SEED CBC Ciper' + 'seed-cfb:SEED CFB Ciper' + 'seed-ecb:SEED ECB Ciper' + 'seed-ofb:SEED OFB Ciper' + + 'sm4:SM4 Ciper' + 'sm4-cbc:SM4 CBC Ciper' + 'sm4-cfb:SM4 CFB Ciper' + 'sm4-ctr:SM4 CTR Ciper' + 'sm4-ecb:SM4 ECB Ciper' + 'sm4-ofb:SM4 OFB Ciper' + ) + + _describe -t commands 'command' commands "$@" +} + +# +# Commands +# _openssl_asn1parse() { - # written for openssl 1.0.1k - _arguments -C \ - '-inform[input format - one of DER PEM]:format:(DER PEM)' \ + _arguments \ + '(- *)-help[display this summary]' \ + '-inform[input format]:format:(DER PEM B64)' \ '-in[input file]:file:_files' \ - '-out[output file (output format is always DER]:file:_files' \ - "-noout[don't produce any output]" \ - '-offset[offset into file]:number: ' \ - '-length[length of section in file]:number: ' \ - '-i[indent entries]' \ - '-dump[dump unknown data in hex form]' \ - '-dlimit[dump the first arg bytes of unknown data in hex form]:number: ' \ + '-out[output file(output format is always DER)]:file:_files' \ + '-noout[do not produce any output]' \ + '-offset[offset into file]:number' \ + '-length[length of section in file]:number' \ + '-i[indents the output]' \ '-oid[file of extra oid definitions]:file:_files' \ - "-strparse[a series of these can be used to 'dig' into multiple ASN1 blob wrappings]:offset:" \ - '-genstr[string to generate ASN1 structure from]:str:' \ - 
'-genconf[file to generate ASN1 structure from]:file:_files' + '-dump[unknown data in hex form]' \ + '-dlimit[dump the first arg bytes of unknown data in hex form]:bytes' \ + '-strparse[a series of these can be used to "dig"]:offset' \ + '-genstr[string to generate ASN1 structure from]:val' \ + '-genconf[file to generate ASN1 structure from]:file:_files' \ + '-strictpem[strict PEM]' \ + '-item[item to parse and print]:val' } - _openssl_ca() { - # written for openssl 1.0.1k - _arguments -C \ - '-verbose[talk a lot while doing things]' \ - '-config[a config file]:file:_files' \ - '-name[the particular CA definition to use]:section: ' \ - '-gencrl[generate a new CRL]' \ - '-crldays[days is when the next CRL is due]:days: ' \ - '-crlhours[hours is when the next CRL is due]:hours: ' \ - '-startdate[certificate validity notBefore]:date: ' \ - '-enddate[certificate validity notAfter (overrides -days)]:date: ' \ - '-days[number of days to certify the certificate for]:days: ' \ - '-md[md to use, one of md2, md5, sha or sha1]:alg:(md2 md5 sha sha1)' \ - "-policy[the CA 'policy' to support]:policy: " \ - '-keyfile[private key file]:file:_files' \ - '-keyform[private key file format (PEM or ENGINE)]:format:(PEM ENGINE)' \ - '-key[key to decode the private key if it is encrypted]:password: ' \ - '-cert[the CA certificate]:file:_files' \ - '-selfsign[sign a certificate with the key associated with it]' \ - '-in[the input PEM encoded certificate request(s)]:file:_files' \ - '-out[where to put the output file(s)]:file:_files' \ - '-outdir[where to put output certificates]:dir:_files -/' \ - '-infiles[the last argument, requests to process]:*:files:_files' \ - '-spkac[file contains DN and signed public key and challenge]:file:_files' \ - '-ss_cert[file contains a self signed cert to sign]:file:_files' \ - "-preserveDN[don't re-order the DN]" \ - "-noemailDN[don't add the EMAIL field into certificate' subject]" \ - "-batch[don't ask questions]" \ - '-msie_hack[msie modifications to 
handle all those universal strings]' \ - '-revoke[revoke a certificate (given in file)]:file:_files' \ - "-subj[use arg instead of request's subject]:subject: " \ - '-utf8[input characters are UTF8 (default ASCII)]' \ - '-multivalue-rdn[enable support for multivalued RDNs]' \ - '-extensions[extension section (override value in config file)]:section: ' \ - '-extfile[configuration file with X509v3 extensions to add]:file:_files' \ - '-crlexts[CRL extension section (override value in config file)]:section: ' \ - '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \ - '-status[shows certificate status given the serial number]:serial: ' \ - '-updatedb[updates db for expired certificates]' + _arguments \ + '(- *)-help[print out a usage message]' \ + '-verbose[prints extra details about the operations being performed]' \ + '-quiet[prints fewer details about the operations being performed]' \ + '-config[specifies the configuration file to use]:file:_files' \ + '(-name -section)'{-name,-section}'[specifies the configuration file section to use]:section' \ + '-in[input filename containing a single certificate request to be signed by the CA]:file:_files' \ + '-inform[format to use when loading certificate request (CSR) input files]:type:(DER PEM)' \ + '-ss_cert[single self-signed certificate to be signed by the CA]:file:_files' \ + '-spkac[file containing a single Netscape signed public key and challenge to be signed by the CA]:file:_files' \ + '-infiles[all subsequent arguments are taken as the names f files containing certificate requests]' \ + '-out[output file to output certificates to]:file:_files' \ + '-outdir[directory to output certificates to]:dir:_files -/' \ + '-cert[CA certificate]:file:_files' \ + '-certform[format of the data in certificate input files]:format:(DER PEM P12)' \ + '-keyfile[CA private key to sign certificate requests with]:file_or_uri:_files' \ + '-keyform[format of the private key input file]:format:(DER PEM P12 
ENGINE)' \ + '-sigopt[pass options to the signature algorithm during sign operations]:option' \ + '-vfyopt[pass options to the signature algorithm during verify operations]:option' \ + '-key[The password used to encrypt the private key]:password' \ + '-passin[key password source for key files and certificate PKCS#12 files]:arg' \ + '-selfsign[certificates are to be signed with the key given with -keyfile]' \ + '-notext[do not output the text form of a certificate to the output file]' \ + '-dateopt[specify the date output format]:format:(rfc_822 iso_8601)' \ + '(-startdate -not_before)'{-startdate,-not_before}'[start date to be explicitly set]:date' \ + '(-enddate -not_after)'{-enddate,-not_after}'[expiry date to be explicitly set]:date' \ + '-days[number of days from today to certify the certificate for]:days' \ + '-md[message digest to use]:algorithm:(sha256 sha1 md5)' \ + '-policy[CA policy to use]:policy' \ + '-preserveDN[preserve DN order of a certificate]' \ + '-noemailDN[remove EMAIL field from the certificate]' \ + '-batch[enable batch mode]' \ + '-extensions[section of the configuration file to be added when certificate is issued]:section' \ + '-extfile[additional configuration file to read certificate extensions from]:file:_files' \ + '-subj[supersedes subject name given in the request]:subject' \ + '-utf8[field values to be interpreted as UTF8 string]' \ + '-create_serial[creates a new random serial to be used as next serial number]' \ + '-rand_serial[generate a large random number to use as the serial number]' \ + $openssl_random_state_options[@] \ + $openssl_provider_options[@] \ + '-gencrl[generates a CRL based on information in the index file]' \ + "-crl_lastupdate[allows the value of the CRL's lastUpdate field to be explicitly set]:time" \ + "-crl_nextupdate[allows the value of the CRL's nextUpdate field to be explicitly set]:time" \ + '-crldays[number of days before the next CRL is due]:days' \ + '-crlhours[number of hours before the next CRL is 
due]:hours' \ + '-crlsec[number of seconds before the next CRL is due]:seconds' \ + '-revoke[filename containing a certificate to revoke]:file:_files' \ + '-valid[filename containing a certificate to add a Valid certificate entry]:file:_files' \ + '-status[displays the revocation status of the certificate with the specified serial number]:serial' \ + '-updatedb[updates the database index to purge expired certificates]' \ + '-crl_reason[revocation reason]:reason:(unspecified keyCompromise CACompromise affiliationChanged superseded cessationOfOperation certificateHold removeFromCRL)' \ + '-crl_hold[sets the CRL revocation reason code to certificateHold and the hold instruction]:insn:(holdInstructionCallIssuer holdInstructionReject)' \ + '-crl_compromise[sets the revocation reason to keyCompromise and the compromise time]:time' \ + '-crl_CA_compromise[same as crl_compromise except the revocation reason is set to CACompromise]:time' \ + '-crlexts[section of the configuration file containing CRL extensions to include]:section' \ + '*:: :_files' } - _openssl_ciphers() { - # written for openssl 1.0.1k - _arguments -C \ - '-v[verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL]' \ - '-V[even more verbose]' \ - '-ssl2[SSL2 mode]' \ - '-ssl3[SSL3 mode]' \ - '-tls1[TLS1 mode]' \ - ':cipher suite:_list_ciphers' + _arguments \ + '(- *)-help[print help message]' \ + $openssl_provider_options[@] \ + '-s[only list supported ciphers]' \ + '-psk[include cipher suites which require PSK]' \ + '-srp[include cipher suites which require SRP]'\ + '-v[verbose output]' \ + '-V[like -v but include the official cipher suites values in hex]' \ + '-ssl3[list ciphers which could be used in SSL3 protocol negotiation]' \ + '-tls1[list ciphers which could be used in TLS1 protocol negotiation]' \ + '-tls1_1[list ciphers which could be used in TLS1.1 protocol negotiation]' \ + '-tls1_2[list ciphers which could be used in TLS1.2 protocol negotiation]' \ + '-tls1_3[list ciphers which 
could be used in TLS1.3 protocol negotiation]' \ + '-stdname[precede each cipher suite by its standard name]' \ + '-convert[connvert a standard cipher name to its OpenSSL name]:name' \ + '-ciphersuites[sets the list of TLSv1.3 ciphersuites]:suites' \ + '*:cipher_suite:_openssl_list_ciphers' } +_openssl_cmp() { + local -a info_types=(signKeyPairTypes caCerts rootCaCert certReqTemplate crlStatusList) + local -a mac_algorithms=( + hmacWithMD5 hmacWithRMD160 hmacWithSHA1 hmacWithSHA224 hmacWithSHA256 hmacWithSHA384 + hmacWithSHA512 hmac-sha1 + ) + + _arguments \ + '(- *)-help[print help message]' \ + '-config[configuration file]:file:_files' \ + '-section[sections names to use within config file defining CMP options]:names' \ + '-verbosity[level of verbosity]:level:_openssl_cmp_verbosity_level' \ + '-cmd[CMP command to execute]:command:_openssl_cmp_commands' \ + '-infotype[InfoType name to use for requesting specific info in gem]:type:(($info_types))' \ + '-profile[name of a certificate profile in the PKIHeader generalInfo field]:name' \ + '-geninfo[a comma-separated list of InfoTypeAndValue]:values' \ + '-template[file to save any CRMF certTemplate in DER format]:file:_files' \ + '-keyspec[file to save any keySpec]:file:_files' \ + '-newkey[private or public key file or URI to be requested]:file_or_uri:_files' \ + '-newkeypass[pass phrase source for the key given with -newkey option]:source:_openssl_pass_phrase_options' \ + '-centralkeygen[request central key generation for certificate enrollment]' \ + '-newkeyout[file to save centrally generated private key in PEM format]:file:_files' \ + '-subject[X.509 Distinguished Name(DN) to use as subject field in requested certificate]:name' \ + '-days[number of days new certificate is requested to be valid for]:days' \ + '-reqexts[name of section in OpenSSL config file defining certificate request extensions]:name' \ + '-sans[addresses, email addresses, DNS names, URIS to add as SAN certificate request extension]:spec' \ + 
'-san_nodefault[disable to be copied from the reference certificate]' \ + '-policies[name of section to be set as certificate request extension]:name' \ + '-policy_oids[one or more OIDs to add as certificate policies request extension]:names' \ + '-policy_oids_critical[set policies given with -policy_oids as critical]' \ + '-popo[Proof-of-possession(POPO) method to use for IR/CR/KUR]:number:(0 1 2)' \ + '-csr[PKCS#10 CSR containing a certificate request]:file:_files' \ + '-out_trusted[trusted certificate file or URI to use for validating newly enrolled certificate]:file_or_uri:_files' \ + '-implicit_confirm[request implicit confirmation of newly enrolled certificates]' \ + '-disable_confirm[do not send certificate confirmation message for newly enrolled certificate]' \ + '-certout[file where any newly enrolled certificate should be saved]:file:_files' \ + '-chainout[file where the chain of any newly enrolled certificate should be saved]:file:_files' \ + '-oldcert[certificate file or URI to be updated message or to be revoked in RR messages]:file_or_uri:_files' \ + '-issuer[X.509 Distinguished Name(ND) to place as the issuer field]:name' \ + '-serial[serial number of certificate to be revoked in revocation request]:number' \ + '-revreason[CRLReason number to be included in revocation request]:reason:_openssl_cmp_revocation_reasons' \ + '-server[domain name or IP address and optionally port of CMP server to connect]:domain_or_ip' \ + '-proxy[proxy server to use for reaching CMP server]:domain_or_ip' \ + '-no_proxy[list of IP addresses and/or DNS names not to use proxy for]:addresses' \ + '-recipient[Distinguished Name(DN) to use in recipient field of CMP request message headers]:name' \ + '-path[HTTP path at CMP server to use for POST requests]:path' \ + '-keep_alive[keep alive type]:value:(0 1 2)' \ + '-msg_timeout[seconds a CMP request-response message round trip is allowed to take]:seconds' \ + '-total_timeout[maximum total seconds a transaction may take]:seconds' 
\
+ '-trusted[certificate files or uris to use as trust anchors]:file_or_uri:_files' \
+ '-untrusted[non-trusted intermediate CA certificate files or URIs]:file_or_uri:_files' \
+ '-srvcert[CMP server certificate file or URI to expect and directly trust]:file_or_uri:_files' \
+ '-expect_sender[Distinguished Name(DN) expected in the sender field of incoming CMP messages]:name' \
+ '-ignore_keyusage[ignore key usage restrictions in CMP signer certificates]' \
+ '-unprotected_errors[accept missing or invalid protection of negative responses from server]' \
+ '-no_cache_extracerts[do not cache certificates in extraCerts field of CMP messages received]' \
+ '-srvcert[file where to save successfully validated certificate]:file:_files' \
+ '-extracertsout[file where to save the list of certificates contained in extraCert field]:file:_files' \
+ '-cacertsout[file where to save the list of CA certificates contained in caPubs field]:file:_files' \
+ '-oldwithold[root CA certificate to include in a genm request of infoType "rootCaCert"]:file:_files' \
+ '-newwithnew[file to save newWithNew certificate received in a genp message]:file:_files' \
+ '-newwithold[file to save any newWithOld certificate received in a genp message]:file:_files' \
+ '-oldwithold[file to save any oldWithNew certificate received in a genp message]:file:_files' \
+ '-crlcert[certificate to derive CRL issuer data for the source field]:file:_files' \
+ '-oldcrl[CRL to obtain an update for in a genm request with infoType "crlStatusList"]:file:_files' \
+ '-crlout[file to save any CRL received in a genp message of infoType "crls"]:file:_files' \
+ '-ref[reference number/string/value to use as fallback senderKID]:value' \
+ '-secret[source of a secret value to use with MAC-based message protection]:source:_openssl_pass_phrase_options' \
+ "-cert[client's current CMP signer certificate file or URI]:file_or_uri:_files" \
+ '-own_trusted[list of certificates to be used as trusted anchors]:file_or_uri:_files' \
+ "-key[private key file or URI for the client's current certificate]:file_or_uri:_files" \
+ '-keypass[pass pharse source for the private key]:source:_openssl_pass_phrase_options' \
+ '-digest[digest to use in MSG_SIG_ALG and as the on-way function(OWF) in MSG_MAC_ALG]:digest:_openssl_digests' \
+ '-mac[MAC algorithm in MSG_MAC_ALG]:alg:(($mac_algorithms))' \
+ '-extracerts[certificates files or URIs to append in extraCerts field]:file_or_uri:_files' \
+ '-unprotected_errors[send request messages without CMP-level protection]' \
+ '-certform[file format to use when saving a certificate]:format:(PEM DER)' \
+ '-crlform[file format to use when saving a CRL]:format(PEM DER)' \
+ '-keyform[format of the key input]:format:(PEM DER P12 ENGINE)' \
+ '-otherpass[pass phrase source for certificate]:source:_openssl_pass_phrase_options' \
+ $openssl_provider_options[@] \
+ $openssl_random_state_options[@] \
+ '-tls_used[make the CMP client use TLS for message exchange]' \
+ "-tls_cert[client's TLS certificate file or URI for authenticating to TLS server]:file_or_uri:_files" \
+ "-tls_key[private key for client's TLS certificate]:file_or_uri:_files" \
+ "-tls_keypass[pass phrase source for client's private TLS key]:source:_openssl_pass_phrase_options" \
+ '-tls_extra[extra certificates file or URI to provite to TLS server during handshake]:file_or_uri:_files' \
+ '-tls_trusted[trusted certificates to use for validating TLS server certificate]:file_or_uri:_files' \
+ '-tls_host[address to be checked during hostname validation]:name' \
+ '-batch[do not interactively prompt for input]' \
+ '-repeat[number of times to invoke the command with the same parameters]:number' \
+ '-reqin[files to take the sequence of CMP requests to send to server]:files:_files' \
+ '-reqin_new_tid[use a fresh transaction ID for CMP request messages]' \
+ '-reqout[file to save the sequence of CMP requests]:file:_files' \
+ '-reqout_only[file to save the first CMP requests created by client]:file:_files' \
+ '-rspin[files to save sequence of CMP responses]:file:_files' \
+ '-rspout[file to save sequence of actually used CMP responses]:files:_files' \
+ '-use_mock_srv[test the client using the internal CMP server mock-up at API level]' \
+ '-port[port number of CMP mock-up server]:number' \
+ '-max_msgs[maximum number of CMP messages that mock-up server should handle]:number' \
+ '-srv_ref[reference value to use as snderKID of server]:value' \
+ '-srv_secret[password source for server authentication with a pre-shared key]:arg' \
+ '-srv_cert[certificate file or URI of the server]:file_or_uri:_files' \
+ '-srv_cert[private key file or URI by the server for signing messages]:file_or_uri:_files' \
+ '-srv_keypass[server private key file pass phrase source]:arg' \
+ '-srv_trusted[trusted certificates for client authentication]:file_or_uri:_files' \
+ '-srv_untrusted[untrusted intermediate CA certs files or URIs]:file_or_uri:_files' \
+ '-ref_cert[certificate file or URI to be expected for RR messages]:file_or_uri:_files' \
+ '-rsp_cert[certificate file or URI to be returned as mock enrollment result]:file_or_uri:_files' \
+ '-rsp_key[private key to be returned as central key generation result]:file_or_uri:_files' \
+ '-rsp_keypass[pass phrase source for rsp_cert and rsp_key]:arg' \
+ '-rsp_crl[CRL file or URI to be returned in genp of type "crls"]:file_or_uri:_files' \
+ '-rsp_extracerts[extra certificates to be include in mock certification responses]:file_or_uri:_files' \
+ '-rsp_capubs[CA certificates to be included in mock Initialization Response message]:file_or_uri:_files' \
+ '-rsp_newwithnew[certificate to be returned in newWithNew field of genp]:file_or_uri:_files' \
+ '-rsp_newwithold[certificate to be returned in newWithPld field of genp]:file_or_uri:_files' \
+ '-rsp_oldwithnew[certificate to be returned in oldWithNew field of genp]:file_or_uri:_files' \
+ '-poll_count[number of times the client must poll before receiving a certificate]:number' \
+ '-check_after[checkAfter value to include in poll response]:number' \
+ '-grant_implicitconf[grant implicit confirmation of newly enrolled certificate]' \
+ '-pkistatus[PKIStatus to be include in server response]:number' \
+ '-failure[a single failure info bit number to be include in server response]:number' \
+ '-failurebits[number representing failure bits to be include in server response]:number' \
+ '-statusstring[text to be include as status string in server response]:str' \
+ '-send_error[force server to reply with error message]' \
+ '-send_unprotected[send reponse message without CMP-level protection]' \
+ '-send_unprot_err[server shall send unprotected error message]' \
+ '-accept_unprotected[accept missing or invalid protection of requests]' \
+ '-accept_unprot_err[accept unprotected error messages from client]' \
+ '-accept_raverified[accept RAVERIFIED as proof of possession(POPO)]' \
+ $openssl_verification_options[@]
+}
+
+_openssl_cmp_verbosity_level() {
+ local -a levels=(
+ '0:EMERG'
+ '1:ALERT'
+ '2:CRIT'
+ '3:ERR'
+ '4:WARN'
+ '5:NOTE'
+ '6:INFO(Default)'
+ '7:DEBUG'
+ '8:TRACE'
+ )
+
+ _describe -t levels 'levels' levels "$@"
+}
+
+_openssl_cmp_commands() {
+ local -a commands=(
+ "ir:Initialization Request"
+ "cr:Certificate Request"
+ "p10cr:PKCS#10 Certification Request (for legacy support)"
+ "kur:Key Update Request"
+ "rr:Revocation Request"
+ "genm:General Message"
+ )
+
+ _describe -t commands 'commands' commands "$@"
+}
+
+_openssl_cmp_revocation_reasons() {
+ local -a reasons=(
+ '0:unspecified'
+ '1:keyCompromise'
+ '2:cACompromise'
+ '3:affiliationChanged'
+ '4:superseded'
+ '5:cessationOfOperation'
+ '6:certificateHold'
+ '8:removeFromCRL'
+ '9:privilegeWithdrawn'
+ '10:aACompromise'
+ )
+
+ _describe -t reasons 'reasons' reasons "$@"
+}
 _openssl_cms() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-encrypt[encrypt message]' \
- '-decrypt[decrypt encrypted message]' \
- '-sign[sign message]' \
- '-verify[verify signed message]' \
- '-cmsout[output CMS structure]' \
- '-des3[encrypt with triple DES]' \
- '-des[encrypt with DES]' \
- '-seed[encrypt with SEED]' \
- '-rc2-40[encrypt with RC2-40 (default)]' \
- '-rc2-64[encrypt with RC2-64]' \
- '-rc2-128[encrypt with RC2-128]' \
- '-aes128[encrypt PEM output with cbc aes]' \
- '-aes192[encrypt PEM output with cbc aes]' \
- '-aes256[encrypt PEM output with cbc aes]' \
- '-camellia128[encrypt PEM output with cbc camellia]' \
- '-camellia192[encrypt PEM output with cbc camellia]' \
- '-camellia256[encrypt PEM output with cbc camellia]' \
- "-nointern[don't search certificates in message for signer]" \
- "-nosigs[don't verify message signature]" \
- "-noverify[don't verify signers certificate]" \
- "-nocerts[don't include signers certificate when signing]" \
- '-nodetach[use opaque signing]' \
- "-noattr[don't include any signed attributes]" \
- "-binary[don't translate message to text]" \
- '-certfile[other certificates file]:file:_files' \
- '-certsout[certificate output file]:file:_files' \
- '-signer[signer certificate file]:file:_files' \
- '-recip[recipient certificate file for decryption]:file:_files' \
- '-keyid[use subject key identifier]' \
- '-in[input file]:file:_files' \
- '-inform[input format SMIME (default), PEM or DER]:format:(SMIME PEM DER)' \
- '-inkey[input private key (if not signer or recipient)]:file:_files' \
- '-keyform[input private key format (PEM or ENGINE)]:format:(PEM ENGINE)' \
- '-out[output file]:file:_files' \
- '-outform[output format SMIME (default), PEM or DER]:format:(SMIME PEM DER)' \
- '-content[supply or override content for detached signature]:file:_files' \
- '-to[to address mail head]:address: ' \
- '-from[from address mail head]:address: ' \
- '-subject[subject mail head]:subject: ' \
- '-text[include or delete text MIME headers]' \
- '-CApath[trusted certificates directory]:dir:_files -/' \
- '-CAfile[trusted certificates file]:file:_files' \
- "-crl_check[check revocation status of signer's certificate using CRLs]" \
- "-crl_check_all[check revocation status of signer's certificate chain using CRLs]" \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-rand[files to use for random number input]:file:_rand_files' \
- '*:certificate:_files'
-}
+ local -a ciphers=($(openssl enc -list | tail -n +2 ))
+ local -a cipher_flags=()
+ for cipher in $ciphers[@]
+ do
+ cipher_flags+=("($ciphers)${cipher}[use ${cipher:1:u} to encrypt]")
+ done
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-in[input file name]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-config[config file]:file:_files' \
+ '-encrypt[encrypt data for the given recipient certificates]' \
+ '-decrypt[decrypt data using the supplied certificate and private key]' \
+ '-sign[sign data using the supplied certificate and private key]' \
+ '-verify[verify signed data]' \
+ '-resign[resign a message]' \
+ '-sign_receipt[generate and output a signed receipt for the supplied message]' \
+ '-verify_receipt[verify a signed receipt in file receipt]:receipt:_files' \
+ '-digest[digest in hexadecimal form instead of computing it]:digest' \
+ '-digest_create[create a CMS DigestedData type]' \
+ '-digest_verify[verify a CMS DigestedData type and output the content]' \
+ '-compress[create a CMS CompressedData type]' \
+ '-uncompress[uncompress a CMS CompressedData type and output the content]' \
+ '-EncryptedData_encrypt[encrypt content using supplied symmetric key and algorithm]' \
+ '-EncryptedData_decrypt[decrypt content using supplied symmetric key and algorithm]' \
+ '-data_create[create a CMS Data type]' \
+ '-data_out[Data type and output the content]' \
+ '-cmsout[take an input message and write out a PEM encoded CMS structure]' \
+ '-inform[input format of the CMS structure]:format:(DER PEM SMIME)' \
+ '-outform[output format of the CMS structure]:format(DER PEM SMIME)' \
+ '-rctform[signed receipt format for use with the -receipt_verify]:format:(DER PEM SMIME)' \
+ '(-stream -indef -noindef)'{-stream,-indef}'[enable streaming I/O for encoding operations]' \
+ '(-stream -indef -noindef)-noindef[disable streaming I/O for encoding operations]' \
+ '-binary[do not convert to canonical format]' \
+ '-crlfeol[use CRLF instead of LF as end of line]' \
+ '-asciicrlf[strip trailing whitespace from all lines, delete trailing blank lines at EOF]' \
+ '-pwri_password[password for recipient]' \
+ '-secretkey[symmetric key to use]:key' \
+ '-secretkeyid[key identifier for the supplied symmetric key for KEKRecipientInfo type]:id' \
+ '-inkey[private key file or URI to use when signing or decrypting]:file_or_uri:_files' \
+ '-passin[private key password source]:option:_openssl_pass_phrase_options' \
+ '*-keyopt[options for signing and encryption]:option' \
+ '-keyform[format of the private key file]:format:(DER PEM P12 ENGINE)' \
+ $openssl_provider_options[@] \
+ $openssl_random_state_options[@] \
+ '-originator[originator of the encrypted message]:file:_files' \
+ '-recip[recipient of the certificate when decrypting a message]:file:_files' \
+ $cipher_flags[@] \
+ '-wrap[cipher algorithm to use for key wrap]:cipher:_openssl_cipher_algorithms' \
+ '-debug_decrypt[set the CMS_DEBUG_DECRYPT flag]' \
+ '-md[digest algorithm to use when signing or resigning]:digest:_openssl_digests' \
+ '-signer[a signing certificate]:file:_files' \
+ '-certfile[additional certificates]:file:_files' \
+ '-cades[add an ESS signingCertificate or ESS signingCertificateV2 attributes to the SignerInfo]' \
+ '-nodetach[use opaque signing]' \
+ '-nocerts[do not include signers certificate when signing]' \
+ '-noattr[do not include any signed attributes]' \
+ '-nosmimecap[exclude list of supported algorithms from signed attributes]' \
+ '-no_signing_time[exclude the signing time from signed attributes]' \
+ '-receipt_request_all[requests should be provided by all recipient]' \
+ '-receipt_request_first[requests should be provided by first tier recipients]' \
+ '-receipt_request_from[add an explicit email address where receipts should be supplied]:email_address' \
+ '-receipt_request_to[add an explicit email address where signed receipts should be sent to]:email_address' \
+ '-signer[signer certificate file]:file:_files' \
+ '-content[supply or override content for detached signature]:file:_files' \
+ '-no_content_verify[do not verify signed content signatures]' \
+ '-no_attr_verify[do not verify signed attribute signatures]' \
+ '-nosigs[do not verify message signature]' \
+ '-noverify[do not verify the signers certificate of a signed message]' \
+ '-nointern[do not search certificates in message for signer]' \
+ '-cades[require and check signer certificate digest]' \
+ '-verify_retcode[exit non-zero on verification failure]' \
+ $openssl_trusted_certificate_options[@] \
+ '-keyid[subject key identifier to identify certificates instead of issuer name and serial number]' \
+ '-econtent_type[encapsulated content type]:type' \
+ '-text[add plain text MIME headers to the supplied message]' \
+ '-certsout[output file name to any certificates contained in the input message]:file:_files' \
+ '-to[TO email header]:to' \
+ '-from[FROM email header]:from' \
+ '-subject[SUBJECT email header]:subject' \
+ '-noout[do not output the parsed CMS structure]' \
+ '-print[print out all fields of the CMS structure]' \
+ '-nameopt[printing options for string fields]:nameopt:_openssl_name_display_options' \
+ '-receipt_request_print[print out the contents of any signed receipt requests]' \
+ $openssl_verification_options[@] \
+ '*::recipient_cert:_files'
+}
 _openssl_crl() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format - default PEM (DER or PEM)]:format:(PEM DER)' \
- '-outform[output format - default PEM]:format:(PEM DER)' \
- '-text[print out a text format version]' \
- '-in[input file - default stdin]:file:_files' \
- '-out[output file - default stdout]:file:_files' \
- '-hash[print hash value]' \
- '-hash_old[print old-style (MD5) hash value]' \
- '-fingerprint[print the crl fingerprint]' \
- '-issuer[print issuer DN]' \
- '-lastupdate[print lastUpdate field]' \
- '-nextupdate[print nextUpdate field]' \
- '-crlnumber[print CRL number]' \
- '-noout[no CRL output]' \
- '-CAfile[verify CRL using certificates in the specified file]:file:_files' \
- '-CApath[verify CRL using certificates in the specified directory]:dir:_files -/' \
- '*-nameopt[various certificate name options]:options:_nameopts'
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[CRL input format]:format:(DER PEM)' \
+ '-outform[CRL output format]:format:(DER PEM)' \
+ '-key[private key to be used to sign the CRL]:key:_files' \
+ '-keyform[format of private key file]:format:(DER PEM P12)' \
+ '-in[input file name]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-gendelta[output a comparison of the main CRL and this file]:file:_files' \
+ '-badsig[corrupt the signature before writing it]'\
+ '-dateopt[date output format]:format:(rfc_822 iso_8601)' \
+ '-text[print out the CRL in text form]' \
+ '-verify[verify the signature in the CRL]' \
+ '-noout[do not output the encoded version of the CRL]' \
+ '-fingerprint[output the fingerprint of the CRL]' \
+ '-crlnumber[output the number of the CRL]' \
+ '-hash[output a hash of the issuer name]' \
+ '-hash_old[output the hash of the CRL issuer name using the older algorithm]' \
+ '-issuer[output the issuer name]' \
+ '-lastupdate[output the lastUpdate field]' \
+ '-nextupdate[output the nextUpdate field]' \
+ '-nameopt[specify how the subject or issuer names are displayed]:option:_openssl_name_display_options' \
+ $openssl_trusted_certificate_options[@] \
+ $openssl_provider_options[@]
 }
-
 _openssl_crl2pkcs7() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format - DER or PEM]:format:(PEM DER)' \
- '-outform[output format - DER or PEM]:format:(PEM DER)' \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-certfile[certificates file of chain to a trusted CA (can be used more than once)]:file:_files' \
- "-nocrl[no crl to load, just certs from '-certfile']"
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[input format of the CRL]:format:(DER PEM)' \
+ '-outform[output format of the PKCS#7 object]:format:(DER PEM)' \
+ '-in[input file name to read a CRL from]:file:_files' \
+ '-out[output file name to write the PKCS#7 structure]:file:_files' \
+ '-certfile[file containing one or more certificates in PEM format]:file:_files' \
+ '-nocrl[no CRL is included in the output file]' \
+ $openssl_provider_options[@]
 }
-
 _openssl_dgst() {
- # written for openssl 1.0.1k
- local digests
- digests=(-dss1 -md4 -md5 -mdc2 -ripemd160 -sha -sha1 -sha224 -sha256 -sha384 -sha512 -whirlpool)
- # -hmac is listed twice because it's documented twice by openssl
- _arguments -C -A '-*' \
- '(-r -hex -binary)-c[to output the digest with separating colons]' \
- '(-c -hex -binary)-r[to output the digest in coreutils format]' \
- '-d[to output debug info]' \
- '(-c -r -binary)-hex[output as hex dump]' \
- '(-c -r -hex)-binary[output in binary form]' \
- '-hmac[set the HMAC key to arg]:key: ' \
- '-non-fips-allow[allow use of non FIPS digest]' \
- '-sign[sign digest using private key in the specified file]:file:_files' \
- '-verify[verify a signature using public key in the specified file]:file:_files' \
- '-prverify[verify a signature using private key in the specified file]:file:_files' \
- '-keyform[key file format (PEM or ENGINE)]:format:(PEM ENGINE)' \
- '-out[output to filename rather than stdout]:file:_files' \
- '-signature[signature to verify]:file:_files' \
- '-sigopt[signature parameter]:nm\:v: ' \
- '-hmac[create hashed MAC with key]:key: ' \
- '-mac[create MAC (not necessarily HMAC)]:algorithm: ' \
- '-macopt[MAC algorithm parameters or key]:nm\:v: ' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- "($digests)-dss1[use the dss1 message digest algorithm]" \
- "($digests)-md4[to use the md4 message digest algorithm]" \
- "($digests)-md5[to use the md5 message digest algorithm]" \
- "($digests)-mdc2[to use the mdc2 message digest algorithm]" \
- "($digests)-ripemd160[to use the ripemd160 message digest algorithm]" \
- "($digests)-sha[to use the sha message digest algorithm]" \
- "($digests)-sha1[to use the sha1 message digest algorithm]" \
- "($digests)-sha224[to use the sha224 message digest algorithm]" \
- "($digests)-sha256[to use the sha256 message digest algorithm]" \
- "($digests)-sha384[to use the sha384 message digest algorithm]" \
- "($digests)-sha512[to use the sha512 message digest algorithm]" \
- "($digests)-whirlpool[to use the whirlpool message digest algorithm]" \
- '*:file:_files'
+ local not_need_digest_flags=$1
+ local -a digest_flags=()
+
+ if (( not_need_digest_flags != 1 )); then
+ local -a digests=($(openssl dgst -list | tail -n +2))
+ for digest in $digests[@]
+ do
+ digest_flags+=("${digest}[use ${digest:1} message digest algorithm]")
+ done
+ fi
+
+ _arguments \
+ '(- *)-help[print help message]' \
+ $digest_flags[@] \
+ '(- *)-list[print out a list of supported message digests]' \
+ '-c[print out the digest in two digit groups separated by colons]' \
+ '(-d --debug)'{-d,--debug}'[print out BIO debugging information]' \
+ '-hex[digest is to be output as a hex dump]' \
+ '-binary[output the digest or signature in binary form]' \
+ '-xoflen[output length for XOF algorithms]:length' \
+ '-r[output the digest in the "coreutils" format]' \
+ '-out[output file name]:file:_files' \
+ '-sign[private key file or URI to sign the digest]:file_or_uri:_files' \
+ '-keyform[format of the key to sign with]:format:(DER PEM P12 ENGINE)' \
+ '-sigopt[options of signature algorithms during sign or verify operations]:options' \
+ '-passin[private key password source]:source:_openssl_pass_phrase_options' \
+ '-verify[public key file to verify the signature]:file:_files' \
+ '-prverify[private key file to verify the signature]:file:_files' \
+ '-signature[actual signature file to verify]:file:_files' \
+ '-hmac[key to create a hashed MAC]:key' \
+ '-mac[MAC algorithm]:alg:_openssl_mac_algorithms' \
+ '-macopt[options of MAC algorithm]:options' \
+ '-fips-fingerprint[compute HMAC using a specific key for certain OpenSSL-FIPS operations]' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@] \
+ '*::file:_files'
 }
-
-_openssl_dh() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER)' \
- '-outform[output format]:format:(PEM DER)' \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-check[check the DH parameters]' \
- '-text[print a text form of the DH parameters]' \
- '-C[output C code]' \
- '-noout[no output]' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
-}
-
-
 _openssl_dhparam() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER)' \
- '-outform[output format]:format:(PEM DER)' \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-dsaparam[read or generate DSA parameters, convert to DH]' \
- '-check[check the DH parameters]' \
- '-text[print a text form of the DH parameters]' \
- '-C[output C code]' \
- '-2[generate parameters using 2 as the generator value]' \
- '-5[generate parameters using 5 as the generator value]' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-rand[files to use for random number input]:file:_rand_files' \
- '-noout[no output]' \
- ':numbits: '
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[input format(default is PEM)]:format:(DER PEM)' \
+ '-outform[output format(default is PEM)]:format:(DER PEM)' \
+ '-in[input file name to read a CRL from]:file:_files' \
+ '-out[output file name to write the PKCS#7 structure]:file:_files' \
+ '-dsaparam[read or create DSA parameters]' \
+ '-check[perform numerous checks to see]' \
+ '(-2 -3 -5)-2[generator use 2]' \
+ '(-2 -3 -5)-3[generator use 3]' \
+ '(-2 -3 -5)-5[generator use 5]' \
+ '-noout[inhibit the output of the encoded version of the parameters]' \
+ '-text[print out the DH parameters in human readable form]' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@] \
+ '-quiet[suppress the output of progress messages]' \
+ '*::numbits'
 }
-
 _openssl_dsa() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER)' \
- '-outform[output format]:format:(PEM DER)' \
- '-in[input file]:file:_files' \
- '-passin[input file pass phrase source]:file:_files' \
- '-out[output file]:file:_files' \
- '-passout[output file pass phrase source]:file:_files' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-des[encrypt PEM output with cbc des]' \
- '-des3[encrypt PEM output with ede cbc des using 168 bit key]' \
- '-idea[encrypt PEM output with cbc idea]' \
- '-aes128[encrypt PEM output with cbc aes]' \
- '-aes192[encrypt PEM output with cbc aes]' \
- '-aes256[encrypt PEM output with cbc aes]' \
- '-camellia128[encrypt PEM output with cbc camellia]' \
- '-camellia192[encrypt PEM output with cbc camellia]' \
- '-camellia256[encrypt PEM output with cbc camellia]' \
- '-seed[encrypt PEM output with cbc seed]' \
- '-text[print the key in text]' \
- "-noout[don't print key out]" \
- '-modulus[print the DSA public value]'
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[key input format]:format:(DER PEM)' \
+ '-outform[key output format(default: PEM)]:format:(DER PEM)' \
+ '-in[input file name]:file:_files' \
+ '-out[output file name to write a key]:file:_files' \
+ '-passin[password source for input file]:source:_openssl_pass_phrase_options' \
+ '-passout[password source for output file]:source:_openssl_pass_phrase_options' \
+ '-aes128[encrypt the private key with aes128 before outputting it]' \
+ '-aes192[encrypt the private key with aes192 before outputting it]' \
+ '-aes256[encrypt the private key with aes256 before outputting it]' \
+ '-aria128[encrypt the private key with aria128 before outputting it]' \
+ '-aria192[encrypt the private key with aria192 before outputting it]' \
+ '-aria256[encrypt the private key with aria256 before outputting it]' \
+ '-camellia128[encrypt the private key with camellia128 before outputting it]' \
+ '-camellia192[encrypt the private key with camellia192 before outputting it]' \
+ '-camellia256[encrypt the private key with camellia256 before outputting it]' \
+ '-des[encrypt the private key with des before outputting it]' \
+ '-des3[encrypt the private key with des3 before outputting it]' \
+ '-idea[encrypt the private key with idea before outputting it]' \
+ '-text[print out the public, private key components and parameters]' \
+ '-noout[prevent output of the encoded version of the key]' \
+ '-modulus[print out the value of the public key component of the key]' \
+ '-pubin[read public key instead of private key]' \
+ '-pubout[output public key instead of private key]' \
+ '-pvk-strong[enable "Strong" PVK encoding level]' \
+ '-pvk-weak[enable "Weak" PVK encoding level]' \
+ '-pvk-none[do not enforce PVK encoding]' \
+ $openssl_provider_options[@]
 }
-
 _openssl_dsaparam() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER)' \
- '-outform[output format]:format:(PEM DER)' \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-text[print as text]' \
- '-C[output C code]' \
- '-noout[no output]' \
- '-genkey[generate a DSA key]' \
- '-rand[files to use for random number input]:file:_rand_files' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- ':numbits: '
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[DSA parameters input format]:format:(DER PEM)' \
+ '-outform[DSA parameters output format]:format:(DER PEM)' \
+ '-in[input file name]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-noout[inhibit the output of the encoded version of the parameters]' \
+ '-text[print out the DSA parameters in human readable form]' \
+ '-genkey[generate a DSA either using the specified or generated parameters]' \
+ '-verbose[print extra details about the operations being performed]' \
+ '-quiet[print fewer details about the operations being performed]' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@] \
+ '1:numbits' \
+ '2:numqbits'
 }
-
 _openssl_ec() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER)' \
- '-outform[output format]:format:(PEM DER)' \
- '-in[input file]:file:_files' \
- '-passin[input file pass phrase source]:file:_files' \
- '-out[output file]:file:_files' \
- '-passout[output file pass phrase source]:file:_files' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- "-des[encrypt PEM output, instead of 'des' every other cipher supported by OpenSSL can be used]" \
- '-text[print the key]' \
- "-noout[don't print key out]" \
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[key input format]:format:(DER PEM P12 ENGINE)' \
+ '-outform[key output format]:format:(DER PEM)' \
+ '-in[input file name or input URI]:file_or_uri:_files' \
+ '-out[output file name]:file:_files' \
+ '-passin[passowrd source for input file]:source:_openssl_pass_phrase_options' \
+ '-passout[passowrd source for output file]:source:_openssl_pass_phrase_options' \
+ '-des[encrypt the private key with DES]' \
+ '-des3[encrypt the private key with DES3]' \
+ '-idea[encrypt the private key with IDEA]' \
+ '-text[print out the public, private key components and parameters]' \
+ '-noout[prevents output of the encoded version of the key]' \
 '-param_out[print the elliptic curve parameters]' \
- '-conv_form[specifies the point conversion form]:form:(compressed uncompressed hybrid)' \
- '-param_enc[specifies the way the ec parameters are encoded in the asn1 der encoding]:encoding:(named_curve explicit)'
+ '-pubin[read public key from the input instead of private key]' \
+ '-pubout[output public key instead of private key]' \
+ '-conv_form[how to convert points on the elliptic curve]:how:(compressed uncompressed hybrid)' \
+ '-param_enc[how to encode the elliptic curve parameters]:how:(named_curve explicit)' \
+ '-no_public[omit the public key components from the private key output]' \
+ '-check[check the consistency of an EC private or public key]' \
+ $openssl_provider_options[@]
 }
-
 _openssl_ecparam() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER)' \
- '-outform[output format]:format:(PEM DER)' \
- '-in[input file - default stdin]:file:_files' \
- '-out[output file - default stdout]:file:_files' \
- '-noout[do not print the ec parameter]' \
- '-text[print the ec parameters in text form]' \
- '-check[validate the ec parameters]' \
- "-C[print a 'C' function creating the parameters]" \
- "-name[use the ec parameters with 'short name' name]:name: " \
- "-list_curves[prints a list of all currently available curve 'short names']" \
- '-conv_form[specifies the point conversion form]:form:(compressed uncompressed hybrid)' \
- '-param_enc[specifies the way the ec parameters are encoded in the asn1 der encoding]:encoding:(named_curve explicit)' \
- "-no_seed[if 'explicit' parameters are chosen do not use the seed]" \
- '-genkey[generate ec key]' \
- '-rand[files to use for random number input]:file:_rand_files' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
-}
+ local -a short_names=($(openssl ecparam -list_curves | awk -F: '/^\s+\S+\s*:/{ print $1 }'))
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[EC parameters input format]:format:(DER PEM)' \
+ '-outform[EC parameters output format]:format:(DER PEM)' \
+ '-in[input file name]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-noout[inhibit the output of the encoded version of the parameters]' \
+ '-text[print out the EC parameters in human readable form]' \
+ '-check[validate the elliptic curve parameters]' \
+ '-check_named[validate the elliptic name curve parameters]' \
+ '-name[use the EC parameters with the specified short name]:name:(($short_names))' \
+ '-list_curves[print out a list of all currently implemented EC parameters name]' \
+ '-conv_form[specify how the points on the elliptic curve are converted into octet strings]:type:(compressed uncompressed hybrid)' \
+ '-param_enc[specify the how the elliptic curve parameters are encoded]:type:(named_curve explicit)' \
+ '-no_seed[inhibit that the seed for the parameter generation]' \
+ '-genkey[generate an EC private key]' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@]
+}
 _openssl_enc() {
- # written for openssl 1.0.1k
- local ciphers
- ciphers=(-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb -aes-128-cfb1 \
- -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb \
- -aes-128-xts -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 \
- -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb -aes-256-cbc \
- -aes-256-cbc-hmac-sha1 -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 \
- -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts \
- -aes128 -aes192 -aes256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb \
- -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 \
- -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb \
- -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 \
- -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb \
- -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 \
- -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb \
- -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc \
- -cast5-cfb -cast5-ecb -cast5-ofb -des -des-cbc -des-cfb -des-cfb1 \
- -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb \
- -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 \
- -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc \
- -id-aes128-GCM -id-aes192-GCM -id-aes256-GCM -idea -idea-cbc \
- -idea-cfb -idea-ecb -idea-ofb -rc2 -rc2-40-cbc -rc2-64-cbc \
- -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -rc4-hmac-md5 \
- -rc5 -rc5-cbc -rc5-cfb -rc5-ecb -rc5-ofb -seed -seed-cbc -seed-cfb \
- -seed-ecb -seed-ofb)
- _arguments -C \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-pass[pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-e[encrypt]' \
- '-d[decrypt]' \
- '(-a -base64)'{-a,-base64}'[base64 encode/decode, depending on encryption flag]' \
- '-k[the password to derive the key from]:password: ' \
- '-kfile[read the password to derive the key from the first line of the file]:file:_files' \
- '-md[the md to use to create a key from a passphrase]:alg:(md2 md5 sha sha1)' \
- '-S[the actual salt to use]:salt: ' \
- '-K[the actual key to use]:key: ' \
- '-iv[the actual IV to use]:IV: ' \
+ local not_need_cipher_flags=$1
+ local -a cipher_flags=()
+
+ if (( not_need_cipher_flags != 1 )); then
+ local -a ciphers=($(openssl enc -list | tail -n +2 ))
+
+ for cipher in $ciphers[@]
+ do
+ cipher_flags+=("($ciphers)${cipher}[use ${cipher:1}]")
+ done
+ fi
+
+ _arguments \
+ '(- *)-help[print help message]' \
+ '(- *)'{-list,-ciphers}'[list all supported ciphers]' \
+ $cipher_flags[@] \
+ '-in[input file name]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-pass[password source]:source:_openssl_pass_phrase_options' \
+ '-e[encrypt the input data(default behavior)]' \
+ '-e[decrypt the input data]' \
+ '(-a -base64)'{-a,-base64}'[Base64 proess the data]' \
+ '-A[base64 encoding produces output without any newline character]' \
+ '-k[password to derive the key from]:password' \
+ '-kfile[file to read the password from the first line]:file:_files' \
+ '-md[digest to create the key from the passphrase]:digest:(md2 md5 sha1 shar256)' \
+ '-iter[interation count on the password in deriving the encryption key]:count' \
+ '-pbkdf2[use PBKDF2 algorithm with a default iteration count of 10000]' \
+ '-saltlen[salt length to use when using th -pbkdf2 option]:length' \
+ '-nosalt[do not use a salt in the key derivation routines]' \
+ '-salt[use salt when encrypting]' \
+ '-S[actual salt to use]:salt' \
+ '-K[actual key to use]:key' \
+ '-iv[actual IV to use]:iv' \
 '-p[print out the key and IV used]' \
- '-P[print out the key and IV used the exit]' \
- '-bufsize[set the buffer size for I/O]:size: ' \
+ '-P[print out the key and IV used then immediately exit]' \
+ '-bufsize[buffer size of I/O]:size' \
 '-nopad[disable standard block padding]' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- "(${ciphers})-aes-128-cbc[cipher types]" \
- "(${ciphers})-aes-128-cbc-hmac-sha1[cipher types]" \
- "(${ciphers})-aes-128-cfb[cipher types]" \
- "(${ciphers})-aes-128-cfb1[cipher types]" \
- "(${ciphers})-aes-128-cfb8[cipher types]" \
- "(${ciphers})-aes-128-ctr[cipher types]" \
- "(${ciphers})-aes-128-ecb[cipher types]" \
- "(${ciphers})-aes-128-gcm[cipher types]" \
- "(${ciphers})-aes-128-ofb[cipher types]" \
- "(${ciphers})-aes-128-xts[cipher types]" \
- "(${ciphers})-aes-192-cbc[cipher types]" \
- "(${ciphers})-aes-192-cfb[cipher types]" \
- "(${ciphers})-aes-192-cfb1[cipher types]" \
- "(${ciphers})-aes-192-cfb8[cipher types]" \
- "(${ciphers})-aes-192-ctr[cipher types]" \
- "(${ciphers})-aes-192-ecb[cipher types]" \
- "(${ciphers})-aes-192-gcm[cipher types]" \
- "(${ciphers})-aes-192-ofb[cipher types]" \
- "(${ciphers})-aes-256-cbc[cipher types]" \
- "(${ciphers})-aes-256-cbc-hmac-sha1[cipher types]" \
- "(${ciphers})-aes-256-cfb[cipher types]" \
- "(${ciphers})-aes-256-cfb1[cipher types]" \
- "(${ciphers})-aes-256-cfb8[cipher types]" \
- "(${ciphers})-aes-256-ctr[cipher types]" \
- "(${ciphers})-aes-256-ecb[cipher types]" \
- "(${ciphers})-aes-256-gcm[cipher types]" \
- "(${ciphers})-aes-256-ofb[cipher types]" \
- "(${ciphers})-aes-256-xts[cipher types]" \
- "(${ciphers})-aes128[cipher types]" \
- "(${ciphers})-aes192[cipher types]" \
- "(${ciphers})-aes256[cipher types]" \
- "(${ciphers})-bf[cipher types]" \
- "(${ciphers})-bf-cbc[cipher types]" \
- "(${ciphers})-bf-cfb[cipher types]" \
- "(${ciphers})-bf-ecb[cipher types]" \
- "(${ciphers})-bf-ofb[cipher types]" \
- "(${ciphers})-blowfish[cipher types]" \
- "(${ciphers})-camellia-128-cbc[cipher types]" \
- "(${ciphers})-camellia-128-cfb[cipher types]" \
- "(${ciphers})-camellia-128-cfb1[cipher types]" \
- "(${ciphers})-camellia-128-cfb8[cipher types]" \
- "(${ciphers})-camellia-128-ecb[cipher types]" \
- "(${ciphers})-camellia-128-ofb[cipher types]" \
- "(${ciphers})-camellia-192-cbc[cipher types]" \
- "(${ciphers})-camellia-192-cfb[cipher types]" \
- "(${ciphers})-camellia-192-cfb1[cipher types]" \
- "(${ciphers})-camellia-192-cfb8[cipher types]" \
- "(${ciphers})-camellia-192-ecb[cipher types]" \
- "(${ciphers})-camellia-192-ofb[cipher types]" \
- "(${ciphers})-camellia-256-cbc[cipher types]" \
- "(${ciphers})-camellia-256-cfb[cipher types]" \
- "(${ciphers})-camellia-256-cfb1[cipher types]" \
- "(${ciphers})-camellia-256-cfb8[cipher types]" \
- "(${ciphers})-camellia-256-ecb[cipher types]" \
- "(${ciphers})-camellia-256-ofb[cipher types]" \
- "(${ciphers})-camellia128[cipher types]" \
- "(${ciphers})-camellia192[cipher types]" \
- "(${ciphers})-camellia256[cipher types]" \
- "(${ciphers})-cast[cipher types]" \
- "(${ciphers})-cast-cbc[cipher types]" \
- "(${ciphers})-cast5-cbc[cipher types]" \
- "(${ciphers})-cast5-cfb[cipher types]" \
- "(${ciphers})-cast5-ecb[cipher types]" \
- "(${ciphers})-cast5-ofb[cipher types]" \
- "(${ciphers})-des[cipher types]" \
- "(${ciphers})-des-cbc[cipher types]" \
- "(${ciphers})-des-cfb[cipher types]" \
-
"(${ciphers})-des-cfb1[cipher types]" \ - "(${ciphers})-des-cfb8[cipher types]" \ - "(${ciphers})-des-ecb[cipher types]" \ - "(${ciphers})-des-ede[cipher types]" \ - "(${ciphers})-des-ede-cbc[cipher types]" \ - "(${ciphers})-des-ede-cfb[cipher types]" \ - "(${ciphers})-des-ede-ofb[cipher types]" \ - "(${ciphers})-des-ede3[cipher types]" \ - "(${ciphers})-des-ede3-cbc[cipher types]" \ - "(${ciphers})-des-ede3-cfb[cipher types]" \ - "(${ciphers})-des-ede3-cfb1[cipher types]" \ - "(${ciphers})-des-ede3-cfb8[cipher types]" \ - "(${ciphers})-des-ede3-ofb[cipher types]" \ - "(${ciphers})-des-ofb[cipher types]" \ - "(${ciphers})-des3[cipher types]" \ - "(${ciphers})-desx[cipher types]" \ - "(${ciphers})-desx-cbc[cipher types]" \ - "(${ciphers})-id-aes128-GCM[cipher types]" \ - "(${ciphers})-id-aes192-GCM[cipher types]" \ - "(${ciphers})-id-aes256-GCM[cipher types]" \ - "(${ciphers})-idea[cipher types]" \ - "(${ciphers})-idea-cbc[cipher types]" \ - "(${ciphers})-idea-cfb[cipher types]" \ - "(${ciphers})-idea-ecb[cipher types]" \ - "(${ciphers})-idea-ofb[cipher types]" \ - "(${ciphers})-rc2[cipher types]" \ - "(${ciphers})-rc2-40-cbc[cipher types]" \ - "(${ciphers})-rc2-64-cbc[cipher types]" \ - "(${ciphers})-rc2-cbc[cipher types]" \ - "(${ciphers})-rc2-cfb[cipher types]" \ - "(${ciphers})-rc2-ecb[cipher types]" \ - "(${ciphers})-rc2-ofb[cipher types]" \ - "(${ciphers})-rc4[cipher types]" \ - "(${ciphers})-rc4-40[cipher types]" \ - "(${ciphers})-rc4-hmac-md5[cipher types]" \ - "(${ciphers})-rc5[cipher types]" \ - "(${ciphers})-rc5-cbc[cipher types]" \ - "(${ciphers})-rc5-cfb[cipher types]" \ - "(${ciphers})-rc5-ecb[cipher types]" \ - "(${ciphers})-rc5-ofb[cipher types]" \ - "(${ciphers})-seed[cipher types]" \ - "(${ciphers})-seed-cbc[cipher types]" \ - "(${ciphers})-seed-cfb[cipher types]" \ - "(${ciphers})-seed-ecb[cipher types]" \ - "(${ciphers})-seed-ofb[cipher types]" + '-v[verbose print]' \ + '-debug[debug the BIOs used for I/O]' \ + '-z[compress or decompress 
encrypted data using zlib after encrypting or before decryption]' \ + '-none[use NULL cipher]' \ + '-skeymgmt[name of the EVP_SKEYMGMT to be used]:name' \ + '-skeyopt[opaque symmetric key options]:options' \ + $openssl_random_state_options[@] \ + $openssl_provider_options[@] } - -_openssl_engine() { - # written for openssl 1.0.1k - _arguments -C \ - '(-vv -vvv -vvvv)-v[verbose mode, for each engine, list its "control commands"]' \ - "(-v -vvv -vvvv)-vv[like -v, but additionally display each command's description]" \ - '(-v -vv -vvvv)-vvv[like -vv, but also add the input flags for each command]' \ - '(-v -vv -vvv)-vvvv[like -vvv, but also show internal input flags]' \ - '-c[for each engine, also list the capabilities]' \ - '(-tt)-t[for each engine, check that they are really available]' \ - '(-t)-tt[display error trace for unavailable engines]' \ - "-pre[runs command 'cmd' against the ENGINE before any attempts to load it (if -t is used)]:cmd: " \ - "-post[runs command 'cmd' against the ENGINE after loading it (only used if -t is also provided)]:cmd: " \ - '*:engine:_engines' - # TODO: can cmd (for -pre and -post) be completed? 
-} - - _openssl_errstr() { - # written for openssl 1.0.1k - # written for openssl 1.0.2a - _arguments -C \ - '-stats' \ - ':errno: ' + _arguments \ + '(- *)-help[print help message]' \ + '*:error_code' } - -_openssl_gendh() { - # written for openssl 1.0.1k - _arguments -C \ - "-out[output the key to 'file']:file:_files" \ - '-2[use 2 as the generator value]' \ - '-5[use 5 as the generator value]' \ - '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \ - '-rand[files to use for random number input]:file:_rand_files' \ - ':numbits: ' +_openssl_fipsinstall() { + _arguments \ + '(- *)-help[print help message]' \ + '-module[file name of the FIPS module]:file:_files' \ + '-out[file name to output configuration data to]:file:_files' \ + '-in[input file name to load configuration data from]:_files' \ + '-verify[verify the input configuration file]' \ + '-provider_name[name of the provider inside the configuration file(default: "fips")]:name' \ + '-section_name[name of the section inside the configuration file(default: "fips_sect")]:name' \ + '-mac_name[name of a supported MAC algorithm]:name:_openssl_mac_algorithms' \ + '-macopt[options of the MAC algorithm]:option' \ + '-noout[disable logging of the self tests]' \ + '-pedantic[strictly FIPS compliant]' \ + '-no_conditional_errors[not enter an error state]' \ + '-no_security_checks[not perform run-time security checks]' \ + '-ems_check[enable a run-time Extended Master Secret]' \ + '-no_short_mac[not allow short MAC outputs]' \ + '-hmac_key_check[not allow small keys sizes when using HMAC]' \ + '-kmac_key_check[not allow small keys sizes when using KMAC]' \ + '-no_drbg_truncated_digests[not allow truncated digests with Hash and HMAC DRBGs]' \ + '-signature_digest_check[enforce signature algorithms to use digests]' \ + '-tls13_kdf_digest_check[enable a run-time digest check when deriving a key by TLS13 KDF]' \ + '-tls1_prf_digest_check[enable a run-time digest check when deriving a key by 
TLS_PRF]' \
+ '-sshkdf_digest_check[enable a run-time digest check when deriving a key by SSHKDF]' \
+ '-x963kdf_digest_check[enable a run-time digest check when deriving a key by X963KDF]' \
+ '-dsa_sign_disabled[not allow DSA signing]' \
+ '-tdes_encrypt_disabled[not allow Triple-DES encryption]' \
+ '-rsa_pkcs15_padding_disabled[not allow PKCS#1 version 1.5 padding]' \
+ '-rsa_pss_saltlen_check[enable a run-time salt length check]' \
+ '-rsa_sign_x931_disabled[not allow X9.31 padding]' \
+ '-hkdf_key_check[enable a run-time short key-derivation key check when deriving a key by HKDF]'\
+ '-kbkdf_key_check[enable a run-time short key-derivation key check when deriving a key by KBKDF]'\
+ '-tls13_kdf_key_check[enable a run-time short key-derivation key check when deriving a key by TLS13 KFD]'\
+ '-tls1_prf_key_check[enable a run-time short key-derivation key check when deriving a key by TLS_PRF]'\
+ '-sshkdf_key_check[enable a run-time short key-derivation key check when deriving a key by SSHKDF]'\
+ '-sskdf_key_check[enable a run-time short key-derivation key check when deriving a key by SSKDF]'\
+ '-x963kdf_key_check[enable a run-time short key-derivation key check when deriving a key by X963KDF]'\
+ '-x942kdf_key_check[enable a run-time short key-derivation key check when deriving a key by X942KDF]'\
+ '-no_pbkdf2_lower_bound_check[not perform run-time lower bound check for PBKDF2]' \
+ '-ecdh_cofactor_check[enable a run-time check that ECDH uses the EC curves cofactor value]' \
+ '-self_test_onload[do not write two fields related to "test status indicator" and "MAC status indicator"]' \
+ '-self_test_oninstall[ write two fields related to "test status indicator" and "MAC status indicator]' \
+ '-quiet[do not output pass/fail messages]' \
+ '-corrupt_desc[currupt description to be used to test failure]:description' \
+ '-corrupt_type[currupt type to be used to test failure]:type' \
+ '-config[configuration file]:file:_files'
 }
- _openssl_gendsa() {
- # written 
for openssl 1.0.1k - _arguments -C \ - "-out[output the key to 'file']:file:_files" \ - '-des[encrypt the generated key with DES in cbc mode]' \ - '-des3[encrypt the generated key with DES in ede cbc mode (168 bit key)]' \ - '-idea[encrypt the generated key with IDEA in cbc mode]' \ - '-seed[encrypt PEM output with cbc seed]' \ - '-aes128[encrypt PEM output with cbc aes]' \ - '-aes192[encrypt PEM output with cbc aes]' \ - '-aes256[encrypt PEM output with cbc aes]' \ - '-camellia128[encrypt PEM output with cbc camellia]' \ - '-camellia192[encrypt PEM output with cbc camellia]' \ - '-camellia256[encrypt PEM output with cbc camellia]' \ - '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \ - '-rand[files to use for random number input]:file:_rand_files' \ - ':dsaparam-file:_files' + _arguments \ + '(- *)-help[print help message]' \ + '-out[output file name]' \ + '-passout[passphrase used for the output file]:option:_openssl_pass_phrase_options'\ + '-aes128[encrypt the private key with aes128 before outputting it]' \ + '-aes192[encrypt the private key with aes192 before outputting it]' \ + '-aes256[encrypt the private key with aes256 before outputting it]' \ + '-aria128[encrypt the private key with aria128 before outputting it]' \ + '-aria192[encrypt the private key with aria192 before outputting it]' \ + '-aria256[encrypt the private key with aria256 before outputting it]' \ + '-camellia128[encrypt the private key with camellia128 before outputting it]' \ + '-camellia192[encrypt the private key with camellia192 before outputting it]' \ + '-camellia256[encrypt the private key with camellia256 before outputting it]' \ + '-des[encrypt the private key with des before outputting it]' \ + '-des3[encrypt the private key with des3 before outputting it]' \ + '-idea[encrypt the private key with idea before outputting it]' \ + '-verbose[print extra details about the operations being performed]' \ + '-quiet[print fewer details about the operations 
being performed]' \ + $openssl_random_state_options[@] \ + $openssl_provider_options[@] \ + '*:paramfile:_files' } - _openssl_genpkey() { - # written for openssl 1.0.1k - local ciphers cipher_opts - if ! ciphers=( ${$(openssl list-cipher-algorithms | cut -d' ' -f1)} ) 2>/dev/null ; then - ciphers=( ${$(openssl list -cipher-algorithms | cut -d' ' -f1)} ) - fi - cipher_opts=() - for alg in ${ciphers}; do - cipher_opts=(${cipher_opts} "(${${(l:32:: ::-:)ciphers[@]}// / })-${alg}[use this cipher to encrypt the key]") - done - _arguments -C \ - '-out[output file]:file:_files' \ - '-outform[output format]:format:(PEM DER)' \ - '-pass[output file pass phrase source]:pass phrase source:_pass_phrase_source' \ - $cipher_opts \ - '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \ - '(-algorithm)-paramfile[parameters file]:file:_files' \ - '(-paramfile)-algorithm[the public key algorithm]:algorithm:(EC RSA DSA DH)' \ - '-pkeyopt[public key options]:option\:value: ' \ - '-genparam[generate parameters, not key]' \ - '-text[print the in text]' - # NB: options order may be important! See the manual page. - # TODO: complete pkeyopts - # However: "The precise set of options supported depends on the public key - # algorithm used and its implementation." 
-} + local -a builtin_algorithms=( + RSA DSA DH DHX EC + RSA RSA-PSS EC X25519 X448 ED25519 ED448 + ML-DSA-44 ML-DSA-5 ML-DSA-87 + ML-KEM-512 ML-KEM-768 ML-KEM-1024 + ) + local -a ciphers=($(openssl enc -list | tail -n +2 )) + local -a cipher_flags=() + for cipher in $ciphers[@] + do + cipher_flags+=("($ciphers)${cipher}[use ${cipher:1}]") + done + + _arguments \ + '(- *)-help[print help message]' \ + '-out[output private key file]:file:_files' \ + '-outpubkey[output public key file]:file:_files' \ + '-outform[output format]:format:(DER PEM)' \ + '-verbose[output "status dots" while generating keys]' \ + '-quiet[do not output "status dots" while generating keys]' \ + '-pass[output file password source]:source:_openssl_pass_phrase_options' \ + $cipher_flags[@] \ + '-algorithm[public key algorithm]:alg:(($builtin_algorithms))' \ + '-pkeyopt[public key algorithm option]:option' \ + '-genparam[generate a set of parameters instead of a private key]' \ + '-paramfile[file to supply public key parameters]:file:_files' \ + '-text[print an (unencrypted) text representation of private and public keys and parameters]' \ + $openssl_random_state_options[@] \ + $openssl_provider_options[@] \ + '-config[configuration file]:file:_files' +} _openssl_genrsa() { - # written for openssl 1.0.1k - _arguments -C \ - '-des[encrypt the generated key with DES in cbc mode]' \ - '-des3[encrypt the generated key with DES in ede cbc mode (168 bit key)]' \ - '-idea[encrypt the generated key with IDEA in cbc mode]' \ - '-seed[encrypt PEM output with cbc seed]' \ - '-aes128[encrypt PEM output with cbc aes]' \ - '-aes192[encrypt PEM output with cbc aes]' \ - '-aes256[encrypt PEM output with cbc aes]' \ - '-camellia128[encrypt PEM output with cbc camellia]' \ - '-camellia192[encrypt PEM output with cbc camellia]' \ - '-camellia256[encrypt PEM output with cbc camellia]' \ - '-out[output the key to file]:file:_files' \ - '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' 
\ - '-f4[use F4 (0x10001) for the E value]' \ - '-3[use 3 for the E value]' \ - '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \ - '-rand[files to use for random number input]:file:_rand_files' \ - ':numbits: ' + _arguments \ + '(- *)-help[print help message]' \ + '-out[output key file name]:file:_files' \ + '-passout[output file password source]:source:_openssl_pass_phrase_options' \ + '-aes128[encrypt the private key with AES128]' \ + '-aes192[encrypt the private key with AES192]' \ + '-aes256[encrypt the private key with AES256]' \ + '-aria128[encrypt the private key with ARIA128]' \ + '-aria192[encrypt the private key with ARIA192]' \ + '-aria256[encrypt the private key with ARIA256]' \ + '-camellia128[encrypt the private key with CAMELLIA128]' \ + '-camellia192[encrypt the private key with CAMELLIA192]' \ + '-camellia256[encrypt the private key with CAMELLIA256]' \ + '-des[encrypt the private key with DES]' \ + '-des3[encrypt the private key with DES3]' \ + '-idea[encrypt the private key with IDEA]' \ + '(-F4 -f4)'{-F4,-f4}'[use 65537 as public exponent]' \ + '-primes[specify the number of primes to use while generating the RSA key]:num' \ + '-verbose[print extra details about the operations being performed]' \ + '-quiet[print fewer details about the operations being performed]' \ + '-traditional[write the key using the traditional PKCS#1 format]' \ + $openssl_random_state_options[@] \ + $openssl_provider_options[@] \ + '::numbits' } +_openssl_help() { + local -a commands=( + # Standard commands + asn1parse ca ciphers cmp + cms crl crl2pkcs7 dgst + dhparam dsa dsaparam ec + ecparam enc engine errstr + fipsinstall gendsa genpkey genrsa + help info kdf list + mac nseq ocsp passwd + pkcs12 pkcs7 pkcs8 pkey + pkeyparam pkeyutl prime rand + rehash req rsa rsautl + s_client s_server s_time sess_id + skeyutl smime speed spkac + srp storeutl ts verify + version x509 + + # Message Digest commands (see the `dgst' command for more 
details) + blake2b512 blake2s256 md4 md5 + rmd160 sha1 sha224 sha256 + sha3-224 sha3-256 sha3-384 sha3-512 + sha384 sha512 sha512-224 sha512-256 + shake128 shake256 sm3 + + # Cipher commands (see the `enc' command for more details) + aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb + aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb + aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb + aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1 + aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb + aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8 + aria-256-ctr aria-256-ecb aria-256-ofb base64 + bf bf-cbc bf-cfb bf-ecb + bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc + camellia-192-ecb camellia-256-cbc camellia-256-ecb cast + cast-cbc cast5-cbc cast5-cfb cast5-ecb + cast5-ofb des des-cbc des-cfb + des-ecb des-ede des-ede-cbc des-ede-cfb + des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb + des-ede3-ofb des-ofb des3 desx + rc2 rc2-40-cbc rc2-64-cbc rc2-cbc + rc2-cfb rc2-ecb rc2-ofb rc4 + rc4-40 seed seed-cbc seed-cfb + seed-ecb seed-ofb sm4-cbc sm4-cfb + sm4-ctr sm4-ecb sm4-ofb zlib + zstd + ) + + _values commands $commands +} + +_openssl_info() { + _arguments \ + '(- *)-help[print help message]' \ + '-configdir[outputs the default directory for OpenSSL configuration files]' \ + '-enginesdir[outputs the default directory for OpenSSL engine modules]' \ + '-modulesdir[outputs the default directory for OpenSSL dynamically loadable modules]' \ + '-dsoext[outputs the DSO extension OpenSSL uses]' \ + '-dirnamesep[outputs the separator character between a directory specification and a filename]' \ + '-listsep[outputs the OpenSSL list separator character]' \ + '-seeds[outputs the randomness seed sources]' \ + '-cpusettings[outputs the OpenSSL CPU settings info]' \ + '-windowscontext[outputs the Windows install context]' +} + +_openssl_list() { + _arguments \ + '(- *)-help[print help message]' \ + '-verbose[displays extra information]' \ + '-select[only list 
algorithms that match this name]:name' \
+ '-1[list the commands, digest-commands, or cipher-commands in a single column]' \
+ '-all-algorithms[display lists of all algorithms]' \
+ '-commands[display a list of standard command]' \
+ '-standard-commands[display list of standard commands]' \
+ '-digest-commands[display a list of message digest commands(deprecated)]' \
+ '-cipher-commands[display a list of cipher commands(deprecated)]' \
+ '-cipher-algorithms[display a list of symmetric cipher algorithms]' \
+ '-digest-algorithms[display a list of digest algorithms]' \
+ '-kdf-algorithms[display a list of kdf algorithms]' \
+ '-mac-algorithms[display a list of mac algorithms]' \
+ '-random-instances[list the primary, public and private random number generator details]' \
+ '-random-generators[display a list of random number generators]' \
+ '-encoders[display a list of encoders]' \
+ '-decoders[display a list of decoders]' \
+ '-public-key-algorithms[display a list of public key algorithms]' \
+ '-public-key-methods[display a list of public key methods]' \
+ '-key-managers[display a list of key managers]' \
+ '-skey-managers[display a list of symmetric key managers]' \
+ '-key-exchange-algorithms[display a list of key exchange algorithms]' \
+ '-kem-algorithms[display a list of key encapsulation algorithms]' \
+ '-tls-groups[display a list of the IANA names of all available TLS groups]' \
+ '-all-tls-groups[display a list of the names of all available TLS groups]' \
+ '-tls1_2[list TLS groups compatible with TLS 1.2]'\
+ '-tls1_3[list TLS groups compatible with TLS 1.3]'\
+ '-signature-algorithms[display a list of signature algorithms]' \
+ '-tls-signature-algorithms[display the list of signature algorithms available for TLS handshakes]' \
+ '-asymcipher-algorithms[display a list of asymmetric cipher algorithms]' \
+ '-store-loaders[display a list of store loaders]' \
+ '-providers[display a list of all loaded providers with their names, version and status]' \
+ 
'-disabled[display a list of disabled features]' \ + '-objects[display a list of built in objects]' \ + '-options[output a two-column list of the options accepted by the specified command]:command:_openssl_help' \ + $openssl_provider_options[@] +} + +_openssl_mac() { + local -a cbc_or_gcm_ciphers=( + AES-128-CBC AES-192-CBC AES-256-CBC + AES-128-GCM AES-192-GCM AES-256-GCM + ) + + _arguments \ + '(- *)-help[print help message]' \ + '-in[input file name to calculate a MAC]:file:_files' \ + '-out[output file name]:file:_files' \ + '-binary[output the MAC in binary form]' \ + '-cipher[specify the cipher algorithm]:ciper:(($cbc_or_gcm_ciphers))' \ + '-digest[use HMAC as an alphanumeric string]:name:_openssl_digests' \ + '-macopt[options to the MAC algorithm]:options:_openssl_macopts' \ + $openssl_provider_options[@] \ + '*:mac_name:_openssl_mac_algorithms' +} _openssl_nseq() { - # written for openssl 1.0.1k - _arguments -C \ - '-in[input file]:file:_files' \ - '-out[output file]:file:_files' \ - '-toseq[output NS Sequence file]' + _arguments \ + '(- *)-help[print help message]' \ + '-in[input file name to read]:file:_files' \ + '-out[output file name]:file:_files' \ + '-toseq[output Netscape certificate sequence]' \ + $openssl_provider_options[@] } - _openssl_ocsp() { - # written for openssl 1.0.1k - _arguments -C \ - '-out[output filename]:file:_files' \ - '-issuer[issuer certificate]:file:_files' \ - '-cert[certificate to check]:file:_files' \ - '-serial[serial number to check]:serial: ' \ - '-signer[certificate to sign OCSP request with]:file:_files' \ - '-signkey[private key to sign OCSP request with]:file:_files' \ - '-sign_other[additional certificates to include in signed request]:file:_files' \ - "-no_certs[don't include any certificates in signed request]" \ - '-req_text[print text form of request]' \ - '-resp_text[print text form of response]' \ - '-text[print text form of request and response]' \ - '-reqout[write DER encoded OCSP request to 
"file"]:file:_files' \ - '-respout[write DER encoded OCSP response to "file"]:file:_files' \ - '-reqin[read DER encoded OCSP request from "file"]:file:_files' \ - '-respin[read DER encoded OCSP response from "file"]:file:_files' \ - '-nonce[add OCSP nonce to request]' \ - "-no_nonce[don't add OCSP nonce to request]" \ - '-url[OCSP responder URL]:URL: ' \ - '-host[send OCSP request to given host on given port]:host\:port: ' \ - '-path[path to use in OCSP request]' \ - '-CApath[trusted certificates directory]:directory:_files -/' \ - '-CAfile[trusted certificates file]:file:_files' \ - '-VAfile[validator certificates file]:file:_files' \ - '-validity_period[maximum validity discrepancy in seconds]:seconds: ' \ - '-status_age[maximum status age in seconds]:seconds: ' \ - "-noverify[don't verify response at all]" \ - '-verify_other[additional certificates to search for signer]:file:_files' \ - "-trust_other[don't verify additional certificates]" \ - "-no_intern[don't search certificates contained in response for signer]" \ - "-no_signature_verify[don't check signature on response]" \ - "-no_cert_verify[don't check signing certificate]" \ - "-no_chain[don't chain verify response]" \ - "-no_cert_checks[don't do additional checks on signing certificate]" \ - '-port[port to run responder on]:port: ' \ - '-index[certificate status index file]:file:_files' \ - '-CA[CA certificate]:file:_files' \ - '-rsigner[responder certificate to sign responses with]:file:_files' \ - '-rkey[responder key to sign responses with]:file:_files' \ - '-rother[other certificates to include in response]:file:_files' \ - "-resp_no_certs[don't include any certificates in response]" \ - '-nmin[number of minutes before next update]:minutes: ' \ - '-ndays[number of days before next update]:days: ' \ - '-resp_key_id[identify response by signing certificate key ID]' \ - '-nrequest[number of requests to accept (default unlimited)]:limit: ' \ - '-dss1[use specified digest in the request]' \ - '-md4[use 
specified digest in the request]' \ - '-md5[use specified digest in the request]' \ - '-mdc2[use specified digest in the request]' \ - '-ripemd160[use specified digest in the request]' \ - '-ripemd[use specified digest in the request]' \ - '-rmd160[use specified digest in the request]' \ - '-sha1[use specified digest in the request]' \ - '-sha224[use specified digest in the request]' \ - '-sha256[use specified digest in the request]' \ - '-sha384[use specified digest in the request]' \ - '-sha512[use specified digest in the request]' \ - '-sha[use specified digest in the request]' \ - '-ssl2-md5[use specified digest in the request]' \ - '-ssl3-md5[use specified digest in the request]' \ - '-ssl3-sha1[use specified digest in the request]' \ - '-whirlpool[use specified digest in the request]' \ - '-timeout[timeout connection to OCSP responder after n seconds]:seconds: ' -} + local -a digests=($(openssl dgst -list | tail -n +2)) + local -a digest_flags=() + for digest in $digests[@] + do + digest_flags+=("${digest}[use ${digest:1} message digest algorithm]") + done + _arguments \ + '(- *)-help[print help message]' \ + '-out[output file name]:file:_files' \ + '-issuer[specify the current issuer certificate]:file:_files' \ + '-cert[certificate file name to request]:file:_files' \ + '-no_certs[do not include any certificates in signed request]' \ + '-serial[serial number of certificate]:num' \ + '-signer[signer to sign the OSCP request]:file:_files' \ + '-signkey[private key to sign the OCSP request]:file:_files' \ + '-sign_other[additional certificates to include in the signed request]:file:_files' \ + '(-nonce -no_nonce)-nonce[add an OCSP nonce extension to a request]' \ + '(-nonce -no_nonce)-no-nonce[disable OCSP nonce addition]' \ + '-req_text[print out the text form of the OCSP request]' \ + '-resp_text[print out the text form of the OCSP response]' \ + '-text[print out the text form of the OCSP both request and response]' \ + '-reqout[write out the DER-encoded OCSP 
request to file]:file:_files' \
+ '-respout[write out the DER-encoded OCSP response to file]:file:_files' \
+ '-reqin[read OCSP request from file]:file:_files' \
+ '-respin[read OCSP response from file]:file:_files' \
+ '-url[responder host and optionally port and path via a URL]:url:_urls' \
+ '-host[host and port to be sent the OCSP request]:host' \
+ '-path[HTTP path to be sent the OCSP request]:path' \
+ '-proxy[HTTP(S) proxy server to use for reaching the OCSP server]:address' \
+ '-no_proxy[list of IP addresses and DNS names of servers not to use an HTTP(S) proxy for]:addresses' \
+ '*-head[add the header name with the specified value to the OCSP request]:key_value' \
+ '-timeout[connection timeout to the OCSP responder in seconds]:seconds' \
+ '-verify_other[file or URI containing additional certificates to search for signer]:file:_files' \
+ '-trust_other[do not verify additional certificates]' \
+ '-VAfile[file or URI containing explicitly trusted responder certificates]:file:_files' \
+ '-noverify[do not attempt to verify the OCSP response signature or the nonce values]' \
+ '-no_intern[ignore certificates contained in the OCSP response]' \
+ '-no_signature_verify[do not check the signature on the OCSP response]' \
+ '-no_cert_verify[do not verify the OCSP response signers certificate at all]' \
+ '-no_chain[do not use certificates in the response as additional untrusted CA certificates]' \
+ '-no_explicit[do not explicitly trust the root CA]' \
+ '-no_cert_checks[do not perform any additional checks on the OCSP response signers certificate]' \
+ '-validity_period[acceptable error range in seconds]:nsec' \
+ '-status_age[maximum status age in seconds]:seconds: ' \
+ '-rcid[digest algorithm to use for certificate identification in the OCSP response]:digest:_openssl_digests' \
+ $digest_flags[@] \
+ $openssl_trusted_certificate_options[@] \
+ $openssl_verification_options[@] \
+ $openssl_provider_options[@] \
+ '-index[index file parameter]:file:_files' \
+ 
'-CA[index file of CA certificate corresponding to the revocation information]:file:_files' \ + '-rsigner[certificate to sign OCSP responses with]:file:_files' \ + '-rkey[private key to sign OCSP responses with]:file:_files' \ + '-passin[private key password source]:source:_openssl_pass_phrase_options' \ + '-rother[additional certificates to include in the OCSP response]:file:_files' \ + '-rsigopt[pass options to the signature algorithm when signing OCSP responses]:option' \ + '-rmd[digest to use when signing the reponse]:digest:_openssl_digests' \ + '-badsig[corrupt the response signature before writing it]' \ + '-resp_no_certs[do not include any certificates in the OCSP response]' \ + '-resp_key_id[identify the signer certificate using the key ID]'\ + '-port[port to listen for OCSP requests on]:port' \ + '-ignore_err[ignore malformed requests or responses]' \ + '-nrequest[request number that OCSP server will exit after this number of requests]:number' \ + '-multi[run the specified number of OCSP responder child processes]:process_count' \ + '-nmin[number of minites when fresh revocation information]:minites' \ + '-nmin[number of days when fresh revocation information]:minites' +} _openssl_passwd() { - # written for openssl 1.0.1k - _arguments -C \ - '-crypt[standard Unix password algorithm (default)]' \ - '-1[MD5-based password algorithm]' \ - '-apr1[MD5-based password algorithm, Apache variant]' \ - '-salt[use provided salt]:salt: ' \ - '-in[read passwords from file]:file:_files' \ + _arguments \ + '(- *)-help[print help message]' \ + '-1[use the MD5 based BSD password algorithms(default)]' \ + '-apr[use the apr1 algorithms(Apache variant of the BSD algorithm)]' \ + '-aixmd5[use the AIX MD5 algorithm]' \ + '-5[use the SHA256 based algorithms defined by Ulrich Drepper]' \ + '-6[use the SHA512 based algorithms defined by Ulrich Drepper]' \ + '-salt[use the specified salt]:salt' \ + '-in[read passwords from file]:file' \ '-stdin[read passwords from stdin]' \ - 
'-noverify[never verify when reading password from terminal]' \
- '-quiet[no warnings]' \
+ '-noverify[do not verify when reading a password from the terminal]' \
+ '-quiet[do not output warnings when passwords given at the command line are truncated]' \
 '-table[format output as table]' \
- '-reverse[switch table columns]' \
- '*:password:'
+ '-reverse[when the -table -option is used, reverse the order of cleartext and hash]' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@] \
+ '*::password'
 }
-
 _openssl_pkcs12() {
- # written for openssl 1.0.2d
- local algorithms
- algorithms=(aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc \
- aes-256-ecb bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc \
- camellia-128-ecb camellia-192-cbc camellia-192-ecb \
- camellia-256-cbc camellia-256-ecb cast-cbc cast5-cbc cast5-cfb \
- cast5-ecb cast5-ofb des-cbc des-cfb des-ecb des-ede des-ede-cbc \
- des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb \
- des-ede3-ofb des-ofb idea-cbc idea-cfb idea-ecb idea-ofb \
- rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 \
- rc4-40 rc5-cbc rc5-cfb rc5-ecb rc5-ofb seed-cbc seed-cfb \
- seed-ecb seed-ofb PBE-MD2-DES PBE-MD5-DES PBE-SHA1-RC2-64 \
- PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES PBE-SHA1-RC4-128 \
- PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 \
- PBE-SHA1-RC2-40)
- _arguments -C \
- '-export[output PKCS12 file]' \
- '-chain[add certificate chain]' \
- '-inkey[private key if not infile]:file:_files' \
- '-certfile[add all certs in the specified file]:file:_files' \
- "-CApath[PEM format directory of CA's]:file:_files" \
- "-CAfile[PEM format file of CA's]:file:_files" \
- '-name[use specified friendly name]:name: ' \
- '*-caname[use specified CA friendly name]:name: ' \
- '-in[input filename]:file:_files' \
- '-out[output filename]:file:_files' \
- "-noout[don't output anything, just verify]" \
- "-nomacver[don't verify MAC]" \
- "-nocerts[don't output certificates]" \
+
_arguments \
+ '(- *)-help[print help message]' \
+ '-passin[input password source]:source:_openssl_pass_phrase_options' \
+ '-passout[output password source]:source:_openssl_pass_phrase_options' \
+ '-password[password source]:source:_openssl_pass_phrase_options' \
+ '-twopass[prompt for separate integrity and encryption passwords]' \
+ '-nokeys[no private keys will be output]' \
+ '-nocerts[no certificates will be output]' \
+ '-noout[inhibit all credentials output]' \
+ '-legacy[use legacy mode of operation and automatically load the legacy provider]' \
+ $openssl_provider_options[@] \
+ $openssl_random_state_options[@] \
+ '-in[input file name or URI]:file_or_uri:_files' \
+ '-out[output file name]:file:_files' \
+ '-info[output additional information about the PKCS#12]' \
+ '-nomacver[do not attempt to verify the integrity MAC]' \
 '-clcerts[only output client certificates]' \
 '-cacerts[only output CA certificates]' \
- "-nokeys[don't output private keys]" \
- '-info[give info about PKCS#12 structure]' \
- '-des[encrypt private keys with DES]' \
- '-des3[encrypt private keys with triple DES (default)]' \
- '-idea[encrypt private keys with idea]' \
- '-seed[encrypt private keys with seed]' \
- '-aes128[encrypt PEM output with cbc aes]' \
- '-aes192[encrypt PEM output with cbc aes]' \
- '-aes256[encrypt PEM output with cbc aes]' \
- '-camellia128[encrypt PEM output with cbc camellia]' \
- '-camellia192[encrypt PEM output with cbc camellia]' \
- '-camellia256[encrypt PEM output with cbc camellia]' \
- "-nodes[don't encrypt private keys]" \
- "-noiter[don't use encryption iteration]" \
- "-nomaciter[don't use MAC iteration]" \
- '-maciter[use MAC iteration]' \
- "-nomac[don't generate MAC]" \
- '-twopass[separate MAC, encryption passwords]' \
- '-descert[encrypt PKCS#12 certificates with triple DES (default RC2-40)]' \
- "-certpbe[specify certificate PBE algorithm (default RC2-40)]:alg:(${algorithms})" \
- '-keypbe[specify private key PBE algorithm (default
3DES)]:alg:(${algorithms})' \
- '-macalg[digest algorithm used in MAC (default SHA1)]:alg:_list_message_digest_algorithms' \
- '-keyex[set MS key exchange type]' \
- '-keysig[set MS key signature type]' \
- '-password[set import/export password source]:pass phrase source:_pass_phrase_source' \
- '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-rand[files to use for random number input]:file:_rand_files' \
- '-CSP[Microsoft CSP name]:name: ' \
- '-LMK[add local machine keyset attribute to private key]'
+ '-aes128[encrypt the private key with AES128]' \
+ '-aes192[encrypt the private key with AES192]' \
+ '-aes256[encrypt the private key with AES256]' \
+ '-aria128[encrypt the private key with ARIA128]' \
+ '-aria192[encrypt the private key with ARIA192]' \
+ '-aria256[encrypt the private key with ARIA256]' \
+ '-camellia128[encrypt the private key with CAMELLIA128]' \
+ '-camellia192[encrypt the private key with CAMELLIA192]' \
+ '-camellia256[encrypt the private key with CAMELLIA256]' \
+ '-des[encrypt the private key with DES]' \
+ '-des3[encrypt the private key with DES3]' \
+ '-idea[encrypt the private key with IDEA]' \
+ '-noenc[do not encrypt private keys at all]' \
+ '-export[create PKCS#12 file rather than parsed]' \
+ '-inkey[private key input file or URI for PKCS12 output]:file_or_uri:_files' \
+ '-certfile[extra certificates input file]:file:_files' \
+ '-passcerts[password source for certificate input]:source:_openssl_pass_phrase_options' \
+ '-chain[certificate chain is built and included in the PKCS#12 output file]' \
+ '-untrusted[untrusted certificates input file]:file:_files' \
+ $openssl_trusted_certificate_options[@] \
+ '-name["friendly name" for the certificates and private key]:name' \
+ '-caname["friendly name" for other certificates]:name'
\
+ '-CSP[name as a Microsoft CSP name]:name' \
+ '-LMK[add the "Local Key Set" identifier to the attributes]' \
+ '-keyex[private key is to be used for key exchange]' \
+ '-keysig[private key is to be used for just signing]' \
+ '-keypbe[algorithm used to encrypt the private key]:alg:_openssl_cipher_algorithms' \
+ '-certpbe[algorithm used to encrypt certificates]:alg:_openssl_cipher_algorithms' \
+ '-descert[encrypt the certificates using triple DES]' \
+ '-macalg[MAC digest algorithm]:digest:_openssl_digests' \
+ '-pbmac1_pbkdf2[use PBMAC1 with PBKDF2 for MAC protection]' \
+ '-pbmac1_pbkdf2_md[PBKDF2 KDF digest algorithm]:alg:_openssl_digests' \
+ '-iter[iteration count for the encryption key and MAC]:count' \
+ '-noiter[set iteration count to 1 for encryption]' \
+ '-nomaciter[set iteration count to 1 for MAC]' \
+ '-macsaltlen[salt length in bytes for the MAC]:length' \
+ '-nomac[do not attempt to provide the MAC integrity]' \
+ '-jdktrust[export pkcs12 file in a foormat compatible with Java keystore usage]:usage:(anyExtendedKeyUsage)'
 }
-
 _openssl_pkcs7() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER)' \
- '-outform[output format]:format:(PEM DER)' \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-print_certs[print any certs or crl in the input]' \
- '-text[print full details of certificates]' \
- "-noout[don't output encoded data]" \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[input format]:format:(DER PEM)' \
+ '-outform[output format]:format:(DER PEM)' \
+ '-in[input file name]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-print[print out the full PKCS7 object]' \
+ '-print_certs[print out any certificates or CRLs contained in the file]' \
+ '-quiet[print out just the PEM-encoded certificates without any other output]' \
+ '-text[print out certificate details in full]' \
+ '-noout[do not output the encoded version of the PKCS#7 structure]' \
+ $openssl_provider_options[@]
 }
-
 _openssl_pkcs8() {
- # written for openssl 1.0.2d
- _arguments -C \
- '-in[input file]:file:_files' \
- '-inform[input format]:format:(PEM DER)' \
- '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-outform[output format]:format:(PEM DER)' \
- '-out[output file]:file:_files' \
- '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-topk8[output PKCS8 file]' \
- '-nooct[use (nonstandard) no octet format]' \
- '-embed[use (nonstandard) embedded DSA parameters format]' \
- '-nsdb[use (nonstandard) DSA Netscape DB format]' \
- '-noiter[use 1 as iteration count]' \
- '-nocrypt[use or expect unencrypted private key]' \
- '-v2[use PKCS#5 v2.0 and given cipher]:alg:(aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb seed seed-cbc seed-cfb seed-ecb seed-ofb)' \
- '-v2prf[set the PRF algorithm to use with PKCS#5 v2.0]:alg:(hmacWithMD5 hmacWithRMD160 hmacWithSHA1 hmacWithSHA224 hmacWithSHA256 hmacWithSHA384 hmacWithSHA512)' \
- '-v1[use PKCS#5 v1.5 and given cipher]:obj:(PBE-MD2-DES PBE-MD5-DES PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40)' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
-}
+ local -a prf_algorithms=(
+ hmacWithMD5 hmacWithRMD160 hmacWithSHA1 hmacWithSHA224
hmacWithSHA256 hmacWithSHA384 hmacWithSHA512
+ )
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-topk8[read a private key and write a PkCS#8 format key]' \
+ '-inform[input format]:format:(DER PEM)' \
+ '-outform[output format]:format:(DER PEM)' \
+ '-traditional[traditional format]' \
+ '-in[input file name]:file:_files' \
+ '-passin[input password source]:source:_openssl_pass_phrase_options' \
+ '-passout[output password source]:source:_openssl_pass_phrase_options' \
+ '-out[output file name]:files:_files' \
+ '-iter[number of iterations to create PKCS#8 containers]:count' \
+ '-noiter[use 1 as iteration count]' \
+ '-nocrypt[output unencrypted PrivateKeyInfo structure]' \
+ '-v2[algorithm for PKCS#5 v2.0]:alg:_openssl_cipher_algorithms' \
+ '-v2prf[PRF algorithm to use with PKCS#5 v2.0]:alg:(($prf_algorithms))' \
+ '-v1[algorithm for PKCS#5 v1.5 or PKCS#12]:alg:_openssl_cipher_algorithms' \
+ '-scrypt[use the script algorithm for private key encryption]' \
+ '-scrypt_N[scrypt "N" parameter]:n' \
+ '-scrypt_r[scrypt "r" parameter]:r' \
+ '-scrypt_p[scrypt "p" parameter]:p' \
+ '-saltlen[length of the salt to use for the PBE algorithm]:length' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@]
+}
 _openssl_pkey() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-in[input file]:file:_files' \
- '-inform[input format]:format:(PEM DER)' \
- '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-outform[output format]:format:(PEM DER)' \
- '-out[output file]:file:_files' \
- '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
+ _arguments \
+ '(- *)-help[print help message]' \
+ $openssl_provider_options[@] \
+ '-check[check the consistency of a key pair for both public and private components]' \
+ '-pubcheck[check the correctness of either a public key or the public components of a key pair]' \
+ '-in[input file or URI]:file_or_uri:_files' \
+ '-inform[key input format]:format:(DER PEM P12 ENGINE)' \
+ '-passin[password source for the key input]:source:_openssl_pass_phrase_options' \
+ '-pubin[read public key instead of private key]' \
+ '-out[output file name]' \
+ '-outform[key output format]:format:(DER PEM)' \
+ '-cipher[cipher to encrypt the PEM encoded private key]:cipher:_openssl_ciphers' \
+ '-passout[password source for the output file]:source:_openssl_pass_phrase_options' \
+ '-traditional[use older "traditional" format]' \
+ '-pubout[output the public components]' \
+ '-noout[do not output the key in encoded form]' \
+ '-text[output the various key components in plain text]' \
+ '-text_pub[output only the public key components in text form]' \
+ '-ec_conv_form[specify how the points on the elliptic-curve curve are converted into octet strings]:type:(compressed uncompressed hybrid)' \
+ '-ec_param_enc[specify how the elliptic curve parameters are encoded]:type:(named_curve explicit)'
 }
-
 _openssl_pkeyparam() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-in[the input filename to read parameters from]:file:_files' \
- '-out[the output filename to write parameters]:file:_files' \
- '-text[prints out the parameters in plain text in addition to the encoded version]' \
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-in[input file name]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-text[print out the parameters in plain text]' \
 '-noout[do not output the encoded version of the parameters]' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
+ '-check[check the correctness of parameters]' \
+ $openssl_provider_options[@]
 }
-
 _openssl_pkeyutl() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-sigfile[signature file (verify operation only)]:file:_files' \
- '-inkey[input key]:file:_files' \
- '-keyform[private key
format]:format:(PEM DER)' \
- '-pubin[input is a public key]' \
- '-certin[input is a certificate carrying a public key]' \
- '-pkeyopt[public key options]:option\:value:_pkeyopts' \
- '-sign[sign with private key]' \
- '-verify[verify with public key]' \
- '-verifyrecover[verify with public key, recover original data]' \
- '-encrypt[encrypt with public key]' \
- '-decrypt[decrypt with private key]' \
- '-derive[derive shared secret]' \
- '-hexdump[hex dump output]' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-passin[pass phrase source]:pass phrase source:_pass_phrase_source'
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-in[input file name]:file:_files' \
+ '-rawin[indicate that signature or verification input data is raw data]' \
+ '-digest[digest algorithm to be used to hash the input data]:digest:_openssl_digests' \
+ '-out[output file name]:file:_files' \
+ '-secret[shared-secret output file name]:file:_files' \
+ '-sigfile[signature file]:file:_files' \
+ '-inkey[input key file name or URI]:file_or_uri:_files' \
+ '-keyform[key format]:format:(DER PEM P12 ENGINE)' \
+ '-passin[input key password source]:source:_openssl_pass_phrase_options' \
+ '-pubin[read public key instead of private key]' \
+ '-certin[input is a certificate containing a public key]' \
+ '-rev[reverse the order of the input buffer]' \
+ '-sign[sign the input data and output the signed result]' \
+ '-verify[verify the input data against the signature]'\
+ '-verifyrecover[verify the given signature and output the recovered data]' \
+ '-encrypt[encrypt the input data using a public key]' \
+ '-decrypt[decrypt the input data using a private key]' \
+ '-derive[derive a shared secret using own private (EC)DH key and peer key]' \
+ '-peerkey[file containing the peer public or private (EC)DH key]:file:_files' \
+ '-peerform[peer key format]:format:(DER PEM P12 ENGINE)' \
+ '-encap[use a Key Encapsulation Mechanism to encapsulate a
shared-secret]' \
+ '-decap[decode an encapsulated secret with a private key]' \
+ '-kemop[specify KEM mode for key algorithm]:mode' \
+ '-kdf[key derivation function algorithm]:algorithm:(TLS1-PRF HKDF)' \
+ '-kdflen[output length for KDF]:length' \
+ '-pkeyopt[public key options]:options' \
+ '-pkeyopt_passin[public key option from stdin or a password source]:option:_openssl_pass_phrase_options' \
+ '-hexdump[hex dump the output data]' \
+ '-asn1parse[parse the ASN.1 output data to check its DER encoding]'\
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@] \
+ '-config[configuration file]:file:_files'
 }
-
 _openssl_prime() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-hex[hex]' \
- '-checks[number of checks]:checks: ' \
- ':number:'
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-hex[generate hex output]' \
+ '-generate[generate a prime number]' \
+ '-bits[how many bits to generate a prime]:num' \
+ '-safe[generates a safe prime]' \
+ $openssl_provider_options[@] \
+ '*::number:'
 }
-
 _openssl_rand() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-out[write to file]:file:_files' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-rand[files to use for random number input]:file:_rand_files' \
- '-base64[base64 encode output]' \
- '-hex[hex encode output]' \
- ':num:'
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-out[output file name]:file:_files' \
+ '-base64[perform base64 encoding on the output]' \
+ '-hex[show the output as a hex string]' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@] \
+ '*:num'
 }
+_openssl_rehash() {
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-old[use old-tyle hashing for generating links]' \
+ '-n[do not remove existing links]' \
+ '-compat[generate links for both old-style(MD5) and new-style(SHA1) hashing]' \
+ '-v[print messages about old links removed and new links created]' \
+ $openssl_provider_options[@] \
+
'*::dir:_files -/'
+}
 _openssl_req() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER)' \
- '-outform[output format]:format:(PEM DER)' \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-text[text form of request]' \
- '-pubkey[output public key]' \
- '-noout[do not output REQ]' \
- '-verify[verify signature on REQ]' \
- '-modulus[RSA modulus]' \
- "-nodes[don't encrypt the output key]" \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- "-subject[output the request's subject]" \
- '-passin[private key pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-key[use the private key contained in the specified file]:file:_files' \
- '-keyform[key file format]:format:(PEM DER)' \
- '-keyout[file to send the key to]:file:_files' \
- '-rand[files to use for random number input]:file:_rand_files' \
- "-newkey rsa\:-[generate a new RSA key of the specified number of bits in size]:bits: " \
- "-newkey dsa\:[generate a new DSA key, parameters taken from CA in the specified file]:file:_files" \
- "-newkey ec\:[generate a new EC key, parameters taken from CA in the specified file]:file:_files" \
- '-md2[digest to sign with]' \
- '-md4[digest to sign with]' \
- '-md5[digest to sign with]' \
- '-mdc2[digest to sign with]' \
- '-sha1[digest to sign with]' \
- '-config[request template file]:file:_files' \
- '-subj[set or modify request subject]:subject: ' \
- '-multivalue-rdn[enable support for multivalued RDNs]' \
- '-new[new request]' \
- '-batch[do not ask anything during request generation]' \
- '-x509[output a x509 structure instead of a certificate request]' \
- '-days[number of days a certificate generated by -x509 is valid for]:days: ' \
- '-set_serial[serial number to use for a certificate generated by -x509]:serial: ' \
- '-newhdr[output "NEW" in the header lines]' \
- "-asn1-kludge[output the 'request' in a format that is wrong but some CA's have been
reported as requiring]" \
- '-extensions[specify certificate extension section (override value in config file)]:section: ' \
- '-reqexts[specify request extension section (override value in config file)]:section: ' \
- '-utf8[input characters are UTF8 (default ASCII)]' \
- '*-nameopt[various certificate name options]:options:_nameopts' \
- '*-reqopt[- various request text options]:options:_certopts'
- # TODO: complete -extensions and -reqexts
-}
+ local -a digests=($(openssl dgst -list | tail -n +2))
+ local -a digest_flags=()
+ for digest in $digests[@]
+ do
+ digest_flags+=("($digests)${digest}[use ${digest:1} message digest algorithm]")
+ done
+ local -a cipher_flags=($(openssl enc -list | tail -n +2 ))
+ local -a ciphers=()
+ for flag in $cipher_flags[@]
+ do
+ ciphers+=("${flag:1}")
+ done
+
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[CSR input file format]:format:(DER PEM)' \
+ '-outform[output format]:format:(DER PEM)' \
+ '-cipher[cipher to use]:cipher:(($ciphers))' \
+ '-in[input file name]:file:_files' \
+ '-sigopt[options of the signature algorithm during sign operations]:options' \
+ '-vfyopt[options of the signature algorithm during verify operations]:options' \
+ '-passin[password source for private key and certificate input]:source:_openssl_pass_phrase_options' \
+ '-passout[password source for the output file]:source:_openssl_pass_phrase_options' \
+ '-out[output file name]:file:_files' \
+ '-text[print out the certificate request in text form]' \
+ '-subject[print out the certificate request subject]' \
+ '-pubkey[print out the public key]' \
+ '-noout[prevent output of the encoded version of the certificate request]' \
+ '-modules[print out the value of the modulus of the public key]' \
+ '-verify[verify the self-signed on the request]' \
+ '-new[generate a new certificate request]' \
+ '-newkey[generate a new private key]:arg' \
+ '-pkeyopt[option of public key algorithm]:option' \
+ '-key[private key file or
URI]:file_or_uri:_files' \
+ '-keyform[format of the private key]:format:(DER PEM P12 ENGINE)' \
+ '-keyout[output private key file name]:file:_files' \
+ '-noenc[create private key it will not be encrypted]' \
+ $digest_flags[@] \
+ '-config[config file name]:file:_files' \
+ '-section[section name]:section' \
+ '-subj[subject name for new request or superseded the subject name]:subject' \
+ '-x509[output certificate instead of a certificate request]' \
+ '-x509v1[request generation of certificates with X.509 version 1]' \
+ '-CA["CA" certificate file or URI]:file_or_uri:_files' \
+ '-CAkey["CA" private key file or URI]:file_or_uri:_files' \
+ '-not_before[start date to be explicitly set]:date'\
+ '-not_after[expiry date to be explicitly set]:date'\
+ '-days[the number of days from today to certify the certificate for]:days' \
+ '-set_serial[serial number to use when outputting a self-signed certificate]:serial' \
+ '-copy_extensions[how X.509 extensions in certificate requests should be handled]:type:(none copy copyall)' \
+ '-extensions[specify certificate extension section (override value in config file)]:section' \
+ '-reqexts[specify request extension section (override value in config file)]:section ' \
+ '-addext[add a specific extension to the certificate]:ext' \
+ '-precert[add poison extension to the certificate]' \
+ '-utf8[interpret field values as UTF8 strings]' \
+ '-reqopt[options to customize the printing format]:option:_openssl_text_printing_options' \
+ '-newhdr[add the word NEW to the PEM file header and footer lines]' \
+ '-batch[non-interactive mode]' \
+ '-verbose[print extra details about the operations being performed]' \
+ '-quiet[print fewer details about the operations being performed]' \
+ '-keygen_engine[engine for key generation operations]:id' \
+ '-nameopt[how subject or issuer names are displayed]:option:_openssl_name_display_options' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@]
+}
 _openssl_rsa() {
- #
written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format]:format:(PEM DER NET)' \
- '-outform[output format]:format:(PEM DER NET)' \
- '-in[input file]:file:_files' \
- '-sgckey[use IIS SGC key format]' \
- '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-out[output file]:file:_files' \
- '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-des[encrypt PEM output with cbc des]' \
- '-des3[encrypt PEM output with ede cbc des using 168 bit key]' \
- '-idea[encrypt PEM output with cbc idea]' \
- '-seed[encrypt PEM output with cbc seed]' \
- '-aes128[encrypt PEM output with cbc aes]' \
- '-aes192[encrypt PEM output with cbc aes]' \
- '-aes256[encrypt PEM output with cbc aes]' \
- '-camellia128[encrypt PEM output with cbc camellia]' \
- '-camellia192[encrypt PEM output with cbc camellia]' \
- '-camellia256[encrypt PEM output with cbc camellia]' \
- '-text[print the key in text]' \
- "-noout[don't print key out]" \
- '-modulus[print the RSA key modulus]' \
- '-check[verify key consistency]' \
- '-pubin[expect a public key in input file]' \
- '-pubout[output a public key]' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-inform[key input format]:format:(DER PEM P12 ENGINE)' \
+ '-outform[key output format]:format:(DER PEM)' \
+ '-traditional[use the traditional PKCS#1 format instead of PKCS#8 format]' \
+ '-in[input file or URI]:file_or_uri:_files' \
+ '-passin[input password source]:source:_openssl_pass_phrase_options' \
+ '-passout[output password source]:source:_openssl_pass_phrase_options' \
+ '-out[output file name]:file:_files' \
+ '-aes128[encrypt the private key with AES128]' \
+ '-aes192[encrypt the private key with AES192]' \
+ '-aes256[encrypt the private key with AES256]' \
+ '-aria128[encrypt the private key with ARIA128]' \
+ '-aria192[encrypt the private key with ARIA192]' \
+
'-aria256[encrypt the private key with ARIA256]' \
+ '-camellia128[encrypt the private key with CAMELLIA128]' \
+ '-camellia192[encrypt the private key with CAMELLIA192]' \
+ '-camellia256[encrypt the private key with CAMELLIA256]' \
+ '-des[encrypt the private key with DES]' \
+ '-des3[encrypt the private key with DES3]' \
+ '-idea[encrypt the private key with IDEA]' \
+ '-text[print out the various public or private key components in plain text]' \
+ '-noout[prevent output of the encoded version of the key]' \
+ '-module[print out the value of the modules of the key]'\
+ '-check[check the consistency of an RSA private key]' \
+ '-pubin[read public key instead of private key]' \
+ '-pubout[output public key instead of private key]' \
+ '-RSAPublicKey_in[read RSA public key instead of private key]' \
+ '-RSAPublicKey_out[output RSA public key instead of private key]' \
+ '-pvk-strong[enable "Strong" PVK encoding level(default)]' \
+ '-pvk-weak[enable "Weak" PVK encoding level]' \
+ '-pvk-none[do not enforce PVK encoding]' \
+ $openssl_provider_options[@]
 }
-
 _openssl_rsautl() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-in[input file]:file:_files' \
- '-out[output file]:file:_files' \
- '-inkey[input key]:file:_files' \
- '-keyform[private key format]:format:(PEM DER)' \
- '-pubin[input is an RSA public]' \
- '-certin[input is a certificate carrying an RSA public key]' \
- '-ssl[use SSL v2 padding]' \
- '-raw[use no padding]' \
- '-pkcs[use PKCS#1 v1.5 padding (default)]' \
- '-oaep[use PKCS#1 OAEP]' \
- '-sign[sign with private key]' \
- '-verify[verify with public key]' \
- '-encrypt[encrypt with public key]' \
- '-decrypt[decrypt with private key]' \
- '-hexdump[hex dump output]' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-passin[pass phrase source]:pass phrase source:_pass_phrase_source'
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-in[input file name]:file:_files' \
+ '-passin[pass phrase
option]:option:_openssl_pass_phrase_options' \
+ '-rev[reverse the order of the input]' \
+ '-out[output file name]:file:_files' \
+ '-inkey[input key file or URI]:file_or_uri:_files' \
+ '-keyform[key format]:format:(DER PEM P12 ENGINE)' \
+ '-pubin[read public key instead of private key]' \
+ '-certin[input is a certificate containing an RSA public key]' \
+ '-sign[sign the input data and output the signed result]' \
+ '-verify[verify the input data and output the recovered data]' \
+ '-encrypt[encrypt the input data using an RSA public key]' \
+ '-decrypt[decrypt the input data using an RSA private key]' \
+ '-pkcs[use PKCS#1 for padding]' \
+ '-oaep[use OAEP for padding]' \
+ '-x931[use ANSI X9.31 for padding]' \
+ '-raw[do not use padding]' \
+ '-hexdump[hex dump the output data]' \
+ '-asn1parse[parse the ASN.1 output data]' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@]
 }
-
 _openssl_s_client() {
- # written for openssl 1.0.1k
- _arguments -C \
- '(-6)-4[use IPv4 only]' \
- '(-4)-6[use IPv6 only]' \
- '(-connect)-host[use -connect instead]:host: ' \
- '(-connect)-port[use -connect instead]:port: ' \
- '(-host -port)-connect[who to connect to (default is localhost:4433)]:host\:port: ' \
- '-verify[turn on peer certificate verification]:depth: ' \
- '-verify_return_error[return verification errors]' \
- '-cert[certificate file to use, PEM format assumed]:file:_files' \
- '-certform[certificate format (PEM or DER) PEM default]:format:(PEM DER)' \
- '-key[private key file to use, in cert file if not specified but cert file is]:file:_files' \
- '-keyform[key format (PEM or DER) PEM default]:format:(PEM DER)' \
- '-pass[private key file pass phrase source]:pass phrase source:_pass_phrase_source' \
- "-CApath[PEM format directory of CA's]:directory:_files -/" \
- "-CAfile[PEM format file of CA's]:file:_files" \
- '-reconnect[drop and re-make the connection with the same Session-ID]' \
- '-pause[sleep(1) after each read(2) and write(2) system
call]' \
- '-prexit[print session information even on connection failure]' \
- '-showcerts[show all certificates in the chain]' \
- '-debug[extra output]' \
- '-msg[show protocol messages]' \
- '-nbio_test[more ssl protocol testing]' \
- "-state[print the 'ssl' states]" \
- '-nbio[run with non-blocking IO]' \
- '-crlf[convert LF from terminal into CRLF]' \
- '-quiet[no s_client output]' \
- '(-no_ign_eof)-ign_eof[ignore input eof (default when -quiet)]' \
- "(-ign_eof)-no_ign_eof[don't ignore input eof]" \
- '-psk_identity[PSK identity]:identity: ' \
- '-psk[PSK in hex (without 0x)]:key: ' \
- "-srpuser[SRP authentication for 'user']:user: " \
- "-srppass[password for 'user']:password: " \
- '-srp_lateuser[SRP username into second ClientHello message]' \
- '-srp_moregroups[tolerate other than the known g N values]' \
- '-srp_strength[minimal length in bits for N (default 1024)]:int: ' \
- '(-no_ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -dtls1)-ssl2[just use SSLv2]' \
- '(-no_ssl3 -ssl2 -tls1 -tls1_1 -tls1_2 -dtls1)-ssl3[just use SSLv3]' \
- '(-no_tls1_2 -ssl2 -ssl3 -tls1 -tls1_1 -dtls1)-tls1_2[just use TLSv1.2]' \
- '(-no_tls1_1 -ssl2 -ssl3 -tls1 -tls1_1 -dtls1)-tls1_1[just use TLSv1.1]' \
- '(-no_tls1 -ssl2 -ssl3 -tls1 -tls1_1 -dtls1)-tls1[just use TLSv1.0]' \
- '(-no_dtls1 -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2)-dtls1[just use DTLSv1]' \
- '-fallback_scsv[send TLS_FALLBACK_SCSV]' \
- '-mtu[set the link layer MTU]' \
- '(-tls1_2)-no_tls1_2[turn off TLSv1.2]' \
- '(-tls1_1)-no_tls1_1[turn off TLSv1.1]' \
- '(-tls1)-no_tls1[turn off TLSv1.0]' \
- '(-ssl3)-no_ssl3[turn off SSLv3]' \
- '(-ssl2)-no_ssl2[turn off SSLv2]' \
- '-bugs[switch on all SSL implementation bug workarounds]' \
- "-serverpref[use server's cipher preferences (only SSLv2)]" \
- '-cipher[preferred cipher to use]:cipher suite:_list_ciphers' \
- "-starttls[use the STARTTLS command before starting TLS for those protocols that support it]:protocol:(smtp pop3 imap ftp xmpp)" \
- '-engine[use the specified engine,
possibly a hardware device]:engine:_engines' \
- '-rand[files to use for random number input]:file:_rand_files' \
- '-sess_out[file to write SSL session to]:file:_files' \
- '-sess_in[file to read SSL session from]:file:_files' \
- '-servername[set TLS extension servername in ClientHello]:host: ' \
- '-tlsextdebug[hex dump of all TLS extensions received]' \
- '-status[request certificate status from server]' \
- '-no_ticket[disable use of RFC4507bis session tickets]' \
- '-nextprotoneg[enable NPN extension, considering named protocols supported (comma-separated list)]:protocols: ' \
- '-legacy_renegotiation[enable use of legacy renegotiation (dangerous)]' \
- '-use_srtp[offer SRTP key management with a colon-separated profile list]:profiles: ' \
- '-keymatexport[export keying material using label]:label: ' \
- '-keymatexportlen[export len bytes of keying material (default 20)]:len: '
-}
+ local tls_start_protocols=(smtp pop3 imap ftp xmpp xmpp-server irc postgres mysql lmtp nntp sieve ldap)
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-ssl_config[section of the configuration file to configure the SSL_CTX object]:section' \
+ '-connect[host and optional port to connect to]:host_port' \
+ '-host[host to connect to]:host' \
+ '-port[port to connect to]:port' \
+ '-bind[host address and port to bind as the source for the connection]:host_port' \
+ '-proxy[proxy host and port]:host_port' \
+ '-proxy_user[proxy user for basic(base64) authenticate]' \
+ '-proxy_pass[proxy password source]:option:_openssl_pass_phrase_options' \
+ '-unix[connect over the specified Unix-domain socket]:path:_files' \
+ '(-4 -6)-4[use IPv4 only]' \
+ '(-4 -6)-6[use IPv6 only]' \
+ '-quic[connect using the QUIC protocol]' \
+ '-servername[set the TLS SNI extension in the ClientHello to the given value]:name' \
+ '-noservername[suppress sending of the SNI extension in the ClientHello message]' \
+ '-cert[client certificate path]:file:_files' \
+ '-certform[client certificate file
format]:format:(DER PEM P12)' \
+ '-cert_chain[file or URI of untrusted certificates to build the certificate chain]:file_or_uri:_files' \
+ '-build_chain[whether the application build build the client certificate chain]' \
+ "-CRL[CRL file to use to check the server's certificate]" \
+ '-CRLform[CRL file format]:format:(DER PEM)' \
+ '-crl_download[download CRL from distribution points in the certificate]' \
+ '-key[client private key to use(file or URI)]:file_or_uri:_files' \
+ '-keyform[key format]:format:(DER PEM P12 ENGINE)' \
+ '-pass[private key and certificate file password source]:option:_openssl_pass_phrase_options' \
+ '-verify[verify depth]:depth' \
+ '-verify_return_error[returns verification error instead of continuing]' \
+ '-verify_quiet[limit verify output to only errors]' \
+ '-verifyCAfile[file in PEM format containing trusted certificates to verify]:file:_files' \
+ '-verifyCApath[directory containing trusted certificates to verify]:dir:_files -/' \
+ '-verifyCAstore[URI of a tstore containing trusted certificatesto verify]:uri:_urls' \
+ '-chainCAfile[file in PEM format containing certificates to build client certificate chain]:file:_files' \
+ '-chainCApath[directory containing trusted certificates for building client certificate chain]:dir:_files -/' \
+ '-chainCAstore[URI of a store containing trusted certificate to build client certificate chain]:uri:_urls' \
+ '-requestCAfile[file containing a list of certificates to be sent to the server]:file:_files' \
+ '-dane_tlsa_domain[enable DANE TLSA authentication and specify the TLSA base domain]:domain' \
+ '-dane_tlsa_rrdata[use one or more times to specify the RRDATA fields of the DANE TLSA RRset]:rrdata' \
+ '-dane_ee_no_namechecks[disable server name checks when authenticating via DANE-EE TLSA records]' \
+ '-reconnect[reconnect to the same server 5 time using the same sess_id ID]' \
+ '-showcerts[display the server certificate list as sent by the server]' \
+ '-prexit[print session 
information when the program exits]' \
+ '-no-interactive[run the client in a non-interactive mode]' \
+ '-state[print out the SSL session states]' \
+ '-debug[print extensive debugging information including a hex dump of all traffic]' \
+ '-nocommands[do not use interactive command letters]' \
+ '-adv[use advanced command mode]' \
+ '-security_debug[enable security debug messages]' \
+ '-security_debug_verbose[output more security debug output]' \
+ '-msg[show protocol messages]' \
+ '-timeout[enable send/receive timeout on DTLS connections]' \
+ '-mtu[set MTU of the link layer]:size' \
+ '-no_ems[disable Extended master secret negotiation]' \
+ '-keymatexport[export keying materials using the specified label]:label' \
+ '-keymatexportlen[export the specified number of bytes of keying material(default 20)]:len' \
+ '-trace[show verbose trace output of protocol messages]' \
+ '-msgfile[file to send output of -msg or -trace to]:file:_files' \
+ '-nbio_test[test nonblocking I/O]' \
+ '-nbio[turn on nonblocking I/O]' \
+ '-crlf[translate a line feed from the terminal into CF+LF]' \
+ '-ign_eof[inhibit shutting down the connection when end of file is reached in the input]' \
+ '-quiet[inhibit printing of session and certificate information]' \
+ '-no_ign_eof[shut down the connection when end of file is reached in the input]' \
+ '-psk_identity[PSK identity when using a PSK cipher suite]:identity' \
+ '-psk[PSK key when using a PSK cipher suite]:key' \
+ '-psk_session[use the pem encoded SSL_SESSION data stored in file as the basic of a PSK]:file:_files' \
+ '-sctp[use SCTP for the transport protocol instead of UDO in DTLS]' \
+ '-sctp_label_bug[use the incorrect behaviour of older OpenSSL implementations for DTLS/SCTP]' \
+ '-fallback_scsv[send TLS_FALLBACK_SCSV in the ClientHello]' \
+ '-async[switch on asynchronous mode]' \
+ '-maxfraglen[enable Maximum Fragment Length Negotiation]:len:(512 1024 2048 4096)' \
+ '-max_send_frag[maximum size of data fragment to 
send]:size' \
+ '-split_send_frag[size used to split data for encrypt pipelines]:size' \
+ '-max_pipelines[maximum number of encrypt/decrypt pipelines]:number' \
+ '-read_buf[default read buffer size for connections]:size' \
+ '-ignore_unexpected_eof[enable the peer does not need to send the close_notify alert]' \
+ '-no_tx_cert_comp[disable support for sending TLSv1.3 compressed certificates]' \
+ '-no_rx_cert_comp[disable support for receiving TLSv1.3 compressed certificate]' \
+ '-brief[only provide a brief summary of connections parameters]' \
+ '-starttls[send the protocol-specific message to switch to TLS for communication]:protocol:(($tls_start_protocols))' \
+ '-xmpphost[host for the "to" attribute of the stream element]:host' \
+ '-name[hostname information for various protocols]:hostname' \
+ '-tlsextdebug[print out a hex dump of any TLS extensions received from the server]' \
+ '-sess_out[output SSL session to file]:file:_files' \
+ '-sess_in[load SSL session from this file]:file:_files' \
+ '-serverinfo[list of comma-separated TLS Extension Types]:types' \
+ '-status[send a certificate status request to the server(OCSP stapling)]' \
+ '-alpn[enable Application-Layer Protocol Negotiation]:protocols' \
+ '-nextprotoneg[enable Next Protocol Negotiation extension]:protocols' \
+ '(-ct -noct)-ct[enable Certificate Transparency]' \
+ '(-ct -noct)-noct[disable Certificate Transparency]' \
+ '-ctlogfile[file containing a list of known Certificate Transparency]' \
+ '-keylogfile[keylog file for appending TLS secrets]:file:_files' \
+ '-early_data[file to read the content and attempt to send it as early data]:file:_files' \
+ '-enable_pha[send the Post-Handshake Authentication extension]' \
+ '-use_srtp[offer SRTP key management]:value' \
+ '-ktls[enable kernel TLS for sending and receiving]' \
+ '-tfo[enable creation of connections via TCP fast open]' \
+ $openssl_tls_flags[@] \
+ $openssl_dtls_flags[@] \
+ '-nameopt[how the subject or issuer names are 
displayed]:option:_openssl_name_display_options' \
+ $openssl_extended_verification_flags[@] \
+ $openssl_trusted_certificate_options[@] \
+ $openssl_supported_commands_flags[@] \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@] \
+ '-ssl_client_engine[specified engine to be used for client certificate operations]:id' \
+ $openssl_verification_options[@] \
+ '-enable_server_rpk[enable support for receiving raw public keys from the server]' \
+ '-enable_client_rpk[enable support for sending raw public keys to the server]' \
+ '*::host_port'
+}
 _openssl_s_server() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-accept[port to accept on (default is 4433)]:port: ' \
- '-context[set session ID context]:id: ' \
- '-verify[turn on peer certificate verification]:depth: ' \
- '-Verify[turn on peer certificate verification, must have a cert]:depth: ' \
- '-verify_return_error[return verification errors]' \
- '-cert[certificate file to use (default is server.pem)]:file:_files' \
- '-crl_check[check the peer certificate has not been revoked by its CA]' \
- '-crl_check_all[check the peer certificate has not been revoked by its CA or any other CRL in the CA chain]' \
- '-certform[certificate format]:format:(PEM DER)' \
- '-key[Private Key file to use, in cert file if not specified (default is server.pem)]:file:_files' \
- '-keyform[key format]:format:(PEM DER ENGINE)' \
- '-pass[private key file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-dcert[second certificate file to use (usually for DSA)]:file:_files' \
- '-dcertform[second certificate format]:format:(PEM DER)' \
- '-dkey[second private key file to use (usually for DSA)]:file:_files' \
- '-dkeyform[second key format]:format:(PEM DER ENGINE)' \
- '-dpass[second private key file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-dhparam[DH parameter file to use, in cert file if not specified or a default set of parameters is used]:file:_files' \
- 
'-named_curve[elliptic curve name to use for ephemeral ECDH keys. (default is nistp256)]:named curve:_list_curves' \
- '-nbio[run with non-blocking IO]' \
- '-nbio_test[test with the non-blocking test bio]' \
- '-crlf[convert LF from terminal into CRLF]' \
- '-debug[print more output]' \
- '-msg[show protocol messages]' \
- '-state[print the SSL states]' \
- "-CApath[PEM format directory of CA's]:file:_files -/" \
- "-CAfile[PEM format file of CA's]:file:_files" \
- "-nocert[don't use any certificates (Anon-DH)]" \
- '-cipher[preferred cipher to use]:cipher suite:_list_ciphers' \
- "-serverpref[use server's cipher preferences]" \
- '-quiet[no server output]' \
- '-no_tmp_rsa[do not generate a tmp RSA key]' \
- '-psk_hint[PSK identity hint to use]:hint: ' \
- '-psk[PSK in hex (without 0x)]:PSK: ' \
- '-srpvfile[the verifier file for SRP]:file:_files' \
- '-srpuserseed[a seed string for a default user salt]:seed: ' \
- '-ssl2[just talk SSLv2]' \
- '-ssl3[just talk SSLv3]' \
- '-tls1_2[just talk TLSv1.2]' \
- '-tls1_1[just talk TLSv1.1]' \
- '-tls1[just talk TLSv1]' \
- '-dtls1[just talk DTLSv1]' \
- '-timeout[enable timeouts]' \
- '-mtu[set link layer MTU]' \
- '-chain[read a certificate chain]' \
- '-no_ssl2[just disable SSLv2]' \
- '-no_ssl3[just disable SSLv3]' \
- '-no_tls1[just disable TLSv1]' \
- '-no_tls1_1[just disable TLSv1.1]' \
- '-no_tls1_2[just disable TLSv1.2]' \
- '-no_dhe[disable ephemeral DH]' \
- '-no_ecdhe[disable ephemeral ECDH]' \
- '-bugs[turn on SSL bug compatibility]' \
- '-hack[workaround for early Netscape code]' \
- "-www[respond to a 'GET /' with a status page]" \
- "-WWW[respond to a 'GET / HTTP/1.0' with file ./]" \
- "-HTTP[respond to a 'GET / HTTP/1.0' with file ./ with the assumption it contains a complete HTTP response]" \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-id_prefix[generate SSL/TLS session IDs prefixed by arg]:prefix: ' \
- '-rand[files to use for random number 
input]:file:_rand_files' \
- '-servername[servername for HostName TLS extension]:hostname: ' \
- '-servername_fatal[on mismatch send fatal alert (default warning alert)]' \
- '-cert2[certificate file to use for servername (default is server2.pem)]:file:_files' \
- '-key2[Private Key file to use for servername, in cert file if not specified (default is server2.pem)]:file:_files' \
- '-tlsextdebug[hex dump of all TLS extensions received]' \
- '-no_ticket[disable use of RFC4507bis session tickets]' \
- '-legacy_renegotiation[enable use of legacy renegotiation (dangerous)]' \
- '-nextprotoneg[set the advertised protocols for the NPN extension (comma-separated list)]:protocol:(http/1.0 http/1.1)' \
- '-use_srtp[offer SRTP key management with a colon-separated profile list]:profiles: ' \
- '-4[use IPv4 only]' \
- '-6[use IPv6 only]' \
- '-keymatexport[export keying material using label]:label: ' \
- '-keymatexportlen[export len bytes of keying material (default 20)]:length: ' \
- '-status[respond to certificate status requests]' \
- '-status_verbose[enable status request verbose printout]' \
- '-status_timeout[status request responder timeout]:seconds: ' \
- '-status_url[status request fallback URL]:URL: '
- # TODO: srtp profiles
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-port[TCP port to listen on for connections(default: 4433)]:port' \
+ '-accept[optional TCP host and port to listen on for connections(default: *:4433)]:host_port' \
+ '-unix[Unix domain socket path]:path:_files' \
+ '(-4 -6)-4[use IPv4 only]' \
+ '(-4 -6)-6[use IPv6 only]' \
+ '-unlink[for -unix, unlink any existing socket first]' \
+ '-context[SSL context ID]:id' \
+ '(-verify -Verify)'{-verify,-Verify}'[verify depth]:depth' \
+ '-cert[certificate file]:file:_files' \
+ '-cert2[certificate file to use for servername(default: server2.pem)]:file:_files' \
+ '-certform[server certificate file format]:format:(DER PEM P12)' \
+ '-cert_chain[file or URI of untrusted certificates to build the 
certificate chain]:file_or_uri:_files' \
+ '-build_chain[application should build the server certificate chain]' \
+ '-serverinfo[file containing one or more blocks of PEM data]:file:_files' \
+ '-key[private key file or URI]:file_or_uri:_files' \
+ '-key2[private key file or URI to use for servername]:file_or_uri:_files' \
+ '-keyform[key format]:format:(DER PEM P12 ENGINE)' \
+ '-pass[private key and certificate file password source]:source:_openssl_pass_phrase_options' \
+ '-dcert[additional certificate file]:file:_files' \
+ '-dkey[additional private key file or URI]:file_or_uri:_files' \
+ '-dcert_chain[file or URI of untrusted certificates to build the server certificate chain]:file_or_uri:_files' \
+ '-dcertform[format of the additional certificate file]:format:(DER PEM P12)' \
+ '-dkeyform[format of the additional private key]:format:(DER PEM P12 ENGINE)' \
+ '-dpass[passphrase for the additional private key and certificate]:pass:_openssl_pass_phrase_options' \
+ '-nbio_test[test non blocking I/O]' \
+ '-crlf[translate a line feed from the terminal into CR+LF]' \
+ '-debug[print extensive debugging information including a hex dump of all traffic]' \
+ '-security_debug[print output from SSL/TLS security framework]' \
+ '-security_debug_verbose[print more output from SSL/TLS security framework]' \
+ '-msg[show all protocol messages with hex dump]' \
+ '-msgfile[file to send output of -msg or -trace to]:file:_files' \
+ '-state[print the SSL session states]' \
+ '-CRL[CRL file]:file:_files' \
+ '-CRLform[CRL file format]:format:(DER PEM)' \
+ '-crl_download[download CRLs from distribution points]' \
+ '-verifyCAfile[file in PEM format CA containing trusted certificates to verify client certificates]:file:_files' \
+ '-verifyCApath[directory containing trusted certificates to verify client certificates]:dir:_files -/' \
+ '-verifyCAstore[URI of a store containing trusted certificates to verify client certificates]:uri:_urls' \
+ '-chainCAfile[file in PEM format 
containing trusted certificates to build the server certificate chain]:file:_files' \
+ '-chainCApath[directory containing trusted certificates for building server certificate chain]:dir:_files -/' \
+ '-chainCAstore[URI of a store containing trusted certificates for building server certificate chain]:uri:_urls' \
+ '-nocert[no certificate is used]' \
+ '-quiet[inhibit printing of session and certificate information]' \
+ '-no_resume_ephemeral[disable caching and tickets if ephemeral (EC)DH is used]' \
+ '-tlsextdebug[print a hex dump of any TLS extensions received from the server]' \
+ '-www[send a status message back to the client when it connects]' \
+ '(-WWW -HTTP)'{-WWW,-HTTP}'[emulate a simple web server]' \
+ '-http_server_binmode[acting as web-server open files in binary mode]' \
+ '-no_ca_names[disable TLS Extension CA Names]' \
+ '-ignore_unexpected_eof[peer does not need to send the close_notify alert]' \
+ '-servername[servername for HostName TLS extension]' \
+ '-servername_fatal[send fatal alert on servername mismatch]' \
+ '-id_prefix[generate SSL/TLS session IDs prefixed by this ID]:id' \
+ '-keymatexport[export keying material using label]:label' \
+ '-keymatexportlen[export the given number of bytes of keying material(default: 20)]:length' \
+ '-no_cache[disable session cache]' \
+ '-ext_cache[disable internal cache]' \
+ '-verify_return_error[close the connection when verification errors occur]' \
+ '-verify_quiet[no verify output except verify errors]' \
+ '(-no_ign_eof -ign_eof)-ign_eof[ignore input EOF]' \
+ '(-no_ign_eof -ign_eof)-no_ign_eof[do not ignore input EOF]' \
+ '-no_ems[disable Extended master secret negotiation]' \
+ '-status[enable certificate status request support]' \
+ '-status_verbose[enable certificate status request support and verbose output of OCSP response]' \
+ '-status_timeout[set the timeout for OCSP reponse to the given seconds]:seconds' \
+ '-proxy[HTTP(S) proxy server]:proxy' \
+ '-no_proxy[list of IP addresses 
and/or DNS names not to use an HTTP(S) proxy for]:addresses' \
+ '-status_url[set a fallback responder URL]:url:_urls' \
+ '-status_file[status file]:file:_files' \
+ '-ssl_config[configure SSL_CTX using the given configure value]:config' \
+ '-trace[show verbose trace output of protocol messages]' \
+ '-brief[provide a brief summary of connection parameters]' \
+ '-rev[simple echo server that sends back received text reserved]' \
+ '-async[switch on asynchronous mode]' \
+ '-max_send_frag[maximum size of data fragment to send]:size' \
+ '-split_send_frag[size used to split data for encrypt pipelines]:size' \
+ '-max_pipelines[maximum number of encrypt/decrypt pipelines]:number' \
+ '-naccept[server will exit after receiving the specified number of connections(default: unlimited)]:number' \
+ '-read_buf[default read buffer size for connections]:size' \
+ '-no_tx_cert_comp[disable support for sending TLSv1.3 compressed certificates]' \
+ '-no_rx_cert_comp[disable support for receiving TLSv1.3 compressed certificates]' \
+ '-no_comp[disable negotiation of TLS compression]' \
+ '-num_tickets[control the number of tickets that will be sent to the client after a full handshake in TLSv1.3]' \
+ '-dhparam[DH parameter file to use]:file:_files' \
+ '-nbio[turn on non blocking I/O]' \
+ '-timeout[enable timeout]' \
+ '-mtu[set link-layer MTU]:size' \
+ '-psk_identity[PSK identify when using a PSK cipher suite]:id' \
+ '-psk_hint[PSK identity hint when using a PSK cipher suite]:hint' \
+ '-psk[PSK key when using a PSK cipher suite]:key' \
+ '-psk_session[file contains pem encoded SSL_SESSION data]:file:_files' \
+ '-srpvfile[verifier file for SRP]:file:_files' \
+ '-listen[listen on a UDP port for incoming connections]' \
+ '-sctp[use SCTP for the transport protocol instead of UDP in DTLS]' \
+ '-sctp_label_bug[allow communication with older broken implementations]' \
+ '-use_srtp[offer SRTP key management with a colon-separated profile list]:list' \
+ '-no_dhe[no DH 
parameters will be loaded]' \ + '-alpn[enable the Application-Layer Protocol Negotiation extension]:protocol' \ + '-nextprotoneg[enable the Next Protocol Negotiation extension]:protocol' \ + '-ktls[enable kernel TLS for sending and receiving]' \ + '-sendfile[SSL_sendfile will be used instead of BIO_write to send response]' \ + '-zerocopy_sendfile[SSL_sendfile will use the zerocopy TX mode]' \ + '-keylogfile[append TLS secrets to the specified keylog file]:file:_files' \ + '-max_early_data[change the default maximum early data bytes for new sessions and incoming early data]:size' \ + '-recv_max_early_data[hard limit on the maximum number of early data bytes that will be accepted]:bytes' \ + '-early_data[accept early data where possible]' \ + '-stateless[require TLSv1.3 cookies]' \ + '(-anti_replay -no_anti_replay)-anti_replay[switch replay protection on]' \ + '(-anti_replay -no_anti_replay)-no_anti_replay[switch replay protection off]' \ + '-tfo[enable acceptance of TCP fast Open connections]' \ + '-cert_comp[pre-compresses certificates that will be sent during the handshake]' \ + '-nameopt[how the subject or issuer names are displayed]:how:_openssl_name_display_options' \ + $openssl_tls_flags[@] \ + $openssl_dtls_flags[@] \ + $openssl_supported_commands_flags[@] \ + $openssl_extended_verification_flags[@] \ + $openssl_trusted_certificate_options[@] \ + $openssl_random_state_options[@] \ + $openssl_provider_options[@] \ + $openssl_verification_options[@] \ + '-enable_server_rpk[enable support for sending raw public keys to the client]' \ + '-enable_client_rpk[enable support for receiving raw public keys from the client]' } - _openssl_s_time() { - # written for openssl 1.0.1k - _arguments -C \ - '-connect[host:port to connect to (default is localhost:4433)]:host\:port: ' \ - '-nbio[run with non-blocking IO]' \ - '-ssl2[just use SSLv2]' \ - '-ssl3[just use SSLv3]' \ - '-bugs[turn on SSL bug compatibility]' \ - '-new[just time new connections]' \ - '-reuse[just time 
connection reuse]' \ - "-www[retrieve the specified page from the site]:page: " \ - '-time[max number of seconds to collect data, default 30]:seconds: ' \ - '-verify[turn on peer certificate verification]:depth: ' \ - '-cert[certificate file to use, PEM format assumed]:file:_files' \ - '-key[RSA file to use, PEM format assumed, key is in cert file]:file:_files' \ - "-CApath[PEM format directory of CA's]:file:_files -/" \ - "-CAfile[PEM format file of CA's]:file:_files" \ - '-cipher[preferred cipher to use]:cipher suite:_list_ciphers' + _arguments \ + '(- *)-help[print help message]' \ + '-connect[host and optional port to connect to]:host_port' \ + '-www[page to GET from the server. "/" gets the index.html page]:page' \ + '-cert[certificate to use]:certificate' \ + '-key[private key to use]:key:_files' \ + '-verify[verify depth to use]:depth' \ + '-new[performs the timing test using a new session ID for each connection]' \ + '-reuse[performs the timing test using the same session ID]' \ + '-bugs[enable various workaround for known SSL and TLS implementations]' \ + '-cipher[allow TLSv1.2 and cipher list sent by the client to be modified]:ciperlist:_openssl_list_ciphers' \ + '-ciphersuites[allow the TLSv1.3 ciphersuites sent by the client to be modified]:val' \ + '-time[specify how long seconds this command should establish connections]:seconds' \ + '-nameopt[specify how the subject or issuer names are displayed]:option:_openssl_nameopts' \ + $openssl_trusted_certificate_options[@] \ + $openssl_provider_options[@] \ + $openssl_tls_flags[@] } - _openssl_sess_id() { - # written for openssl 1.0.1k - _arguments -C \ - '-inform[input format]:format:(PEM DER)' \ - '-outform[output format]:format:(PEM DER)' \ - '-in[input file (default stdin)]:file:_files' \ - '-out[output file (default stdout)]:file:_files' \ + _arguments \ + '(- *)-help[print help message]' \ + '-context[set the session ID context]:id' \ + '-in[input file(default stdin)]:file:_files' \ + '-inform[input 
format(default PEM)]:format:(DER PEM)' \ + '-out[output file(default stdout)]:file:_files' \ + '-outform[output format(default PEM)]:format:(PEM DER NSS)' \ '-text[print ssl session id details]' \ - '-cert[output certificate ]' \ - '-noout[no CRL output]' \ - '-context[set the session ID context]:id: ' + '-cert[output certificate]' \ + '-noout[do not output the encoded session info]' } - _openssl_smime() { - # written for openssl 1.0.1k - _arguments -C \ - '-encrypt[encrypt message]' \ - '-decrypt[decrypt encrypted message]' \ - '-sign[sign message]' \ - '-verify[verify signed message]' \ - '-pk7out[output PKCS#7 structure]' \ - '-des3[encrypt with triple DES]' \ - '-des[encrypt with DES]' \ - '-seed[encrypt with SEED]' \ - '-rc2-40[encrypt with RC2-40 (default)]' \ - '-rc2-64[encrypt with RC2-64]' \ - '-rc2-128[encrypt with RC2-128]' \ - '-aes128[encrypt PEM output with cbc aes]' \ - '-aes192[encrypt PEM output with cbc aes]' \ - '-aes256[encrypt PEM output with cbc aes]' \ - '-camellia128[encrypt PEM output with cbc camellia]' \ - '-camellia192[encrypt PEM output with cbc camellia]' \ - '-camellia256[encrypt PEM output with cbc camellia]' \ - "-nointern[don't search certificates in message for signer]" \ - "-nosigs[don't verify message signature]" \ - "-noverify[don't verify signers certificate]" \ - "-nocerts[don't include signers certificate when signing]" \ - '-nodetach[use opaque signing]' \ - "-noattr[don't include any signed attributes]" \ - "-binary[don't translate message to text]" \ - '-certfile[other certificates file]:file:_files' \ - '-signer[signer certificate file]:file:_files' \ - '-recip[recipient certificate file for decryption]:file:_files' \ - '-in[input file]:file:_files' \ - '-inform[input format]:format:(SMIME PEM DER)' \ - '-inkey[input private key (if not signer or recipient)]:file:_files' \ - '-keyform[input private key format]:format:(PEM ENGINE)' \ - '-out[output file]:file:_files' \ - '-outform[output format]:format:(SMIME PEM DER)' \ 
- '-content[supply or override content for detached signature]:file:_files' \
- '-to[to address]:address: ' \
- '-from[from address]:address: ' \
- '-subject[subject]:subject: ' \
- '-text[include or delete text MIME headers]' \
- '-CApath[trusted certificates directory]:directory:_files -/' \
- '-CAfile[trusted certificates file]:file:_files' \
- "-crl_check[check revocation status of signer's certificate using CRLs]" \
- "-crl_check_all[check revocation status of signer's certificate chain using CRLs]" \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \
- '-rand[files to use for random number input]:file:_rand_files' \
- ':certificate:_files'
-}
+ local -a ciphers=($(openssl enc -list | tail -n +2 ))
+ local -a cipher_flags=()
+ for cipher in $ciphers[@]
+ do
+ cipher_flags+=("($ciphers)${cipher}[use ${cipher:1}]")
+ done
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-encrypt[encrypt message]' \
+ '-decrypt[decrypt message]' \
+ '-sign[sign message using the supplied certificate and private key]' \
+ '-resign[resign a message]' \
+ '-verify[verify signed message]' \
+ '-pk7out[write out a PEM encoded PKCS#7 structure]' \
+ '-in[input message file]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-inform[input format]:format:(DER PEM SMIME)' \
+ '-outform[output format]:format(DER PEM SMIME)' \
+ '-keyform[key format]:format:(DER PEM P12 ENGINE)' \
+ '(-stream -indef)'{-stream,-indef}'[enable streaming I/O for encoding operations]' \
+ '-noindef[disable streaming I/O]' \
+ '-content[file containing the detached content]:file:_files' \
+ '-text[add plain text MIME headers to the supplied message]' \
+ '-md[digest algorithm to use when signing or resigning]:digest:(sha256 sha1 md5' \
+ $cipher_flags[@] \
+ '-nointern[use only the certificate in the -certificate]' \
+ '-noverify[do not verify the signers certificate of a signed 
message]' \ + '-nochain[do not do chain verifier of signers certificates]' \ + '-nosigs[do not try to verify the signatures on the message]' \ + '-nocerts[reduce the size of the signed message]' \ + '-noattr[do not include attributes in the mssage]' \ + '-nodetach[use opaque signing]' \ + '-nosmimecap[do not include the SMIMECapabilities attribute]' \ + '-binary[do not convert message to "canonical" format]' \ + '-crlfeol[use CRLF instead of LF as end of line in output file]' \ + '-certfile[additional certificate file]:file:_files' \ + '*-signer[signing certificate]:file:_files' \ + '-recip[recipients certificate when decrypting a message]:file:_files' \ + '-inkey[private key file or URI for signing or decrypting]:file_or_uri:_files' \ + '-passin[private key password source]:source:_openssl_pass_phrase_options' \ + '-to["To" mail header]:addr' \ + '-from["From" mail header]:addr' \ + '-subject["Subject" mail header]:subject' \ + $openssl_verification_options[@] \ + $openssl_trusted_certificate_options[@]\ + $openssl_random_state_options[@] \ + $openssl_provider_options[@] \ + '-config[config file]:file:_files' \ + '*::recip_rert:_files' +} _openssl_speed() { - # written for openssl 1.0.1k - local algorithms - algorithms=(mdc2 md4 md5 hmac sha1 sha256 sha512 whirlpoolrmd160 idea-cbc \ - seed-cbc rc2-cbc rc5-cbc bf-cbc des-cbc des-ede3 aes-128-cbc \ - aes-192-cbc aes-256-cbc aes-128-ige aes-192-ige aes-256-ige \ - camellia-128-cbc camellia-192-cbc camellia-256-cbc rc4 rsa512 \ - rsa1024 rsa2048 rsa4096 dsa512 dsa1024 dsa2048 ecdsap160 \ - ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521 ecdsak163 \ - ecdsak233 ecdsak283 ecdsak409 ecdsak571 ecdsab163 ecdsab233 \ - ecdsab283 ecdsab409 ecdsab571 ecdsa ecdhp160 ecdhp192 ecdhp224 \ - ecdhp256 ecdhp384 ecdhp521 ecdhk163 ecdhk233 ecdhk283 ecdhk409 \ - ecdhk571 ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571 ecdh idea \ - seed rc2 des aes camellia rsa blowfish) - _arguments -C \ - '-engine[use the specified engine, possibly a 
hardware device]:engine:_engines' \ - '-evp[use the specified EVP]:EVP: ' \ - '-decrypt[time decryption instead of encryption (only EVP)]' \ - '-mr[produce machine readable output]' \ - '-multi[run n benchmarks in parallel]:benchmarks: ' \ - "*:algorithm:(${algorithms})" -} + # NOTE extract algorithms from speed.c and check if 'openssl speed -seconds 1 $alg' succeed + local -a speed_algorithms=( + md2 mdc2 md4 md5 hmac sha1 sha256 sha512 whirlpool ripemd rmd160 + ripemd160 rc4 des-cbc des-ede3 aes-128-cbc aes-192-cbc aes-256-cbc + camellia-128-cbc camellia-192-cbc camellia-256-cbc rc2-cbc rc2 rc5-cbc + rc5 idea-cbc idea seed-cbc seed bf-cbc blowfish bf cast-cbc cast cast5 + ghash rand kmac128 kmac256 dsa1024 dsa2048 rsa512 rsa1024 rsa2048 + rsa3072 rsa4096 rsa7680 rsa15360 ffdh2048 ffdh3072 ffdh4096 ffdh6144 + ffdh8192 ecdsap160 ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521 + ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571 ecdsab163 ecdsab233 + ecdsab283 ecdsab409 ecdsab571 ecdsabrp256r1 ecdsabrp256t1 + ecdsabrp384r1 ecdsabrp384t1 ecdsabrp512r1 ecdsabrp512t1 ecdhp160 + ecdhp192 ecdhp224 ecdhp256 ecdhp384 ecdhp521 ecdhk163 ecdhk233 + ecdhk283 ecdhk409 ecdhk571 ecdhb163 ecdhb233 ecdhb283 ecdhb409 + ecdhb571 ecdhbrp256r1 ecdhbrp256t1 ecdhbrp384r1 ecdhbrp384t1 + ecdhbrp512r1 ecdhbrp512t1 ecdhx25519 ecdhx448 curveSM2 + ) + _arguments \ + '(- *)-help[print help message]' \ + '-config[configuration file]:file:_files' \ + '-elapsed[use wall-clock time instead of CPU user time as divisor]' \ + '-evp[use specified cipher or message digest algorithm via the EVP interface]:alg: _alternative "ciphers\:cipher\:_openssl_digests" "digests\:digest\:_openssl_cipher_algorithms"' \ + '-multi[run multiple operations in parallel]:number' \ + '-async_jobs[enable async mode and start specified number of jobs]:number' \ + '-misalign[misalign the buffers by the specified number of bytes]:number' \ + '-hmac[time the HMAC algorithm using the given message 
digest]:digest:_openssl_digests' \ + '-cmac[time the CMAC algorithm using the given cipher]:cipher:_openssl_cipher_algorithms' \ + '-decrypt[time the decryption instead of encryption]' \ + '-mb[enable multi-block mode on EVP-named cipher]' \ + '-aead[benchmark EVP-named AEAD cipher in TLS-like sequence]' \ + '-kem-algorithms[benchmark KEM algorithms]' \ + '-signature-algorithms[benchmark signature algorithms]' \ + '-primes[generate n prime RSA key and use it to run the benchmarks]:number' \ + '-seconds[run benchmarks for the given seconds]:number' \ + '-bytes[run benchmarks on num-byte buffers]:bytes' \ + '-mr[produce the summary in a machine-readable format]' \ + '-mlock[lock memory into RAM for more determining measurements]' \ + '-testmode[run the speed command in testmode]' \ + $openssl_random_state_options[@] \ + $openssl_provider_options[@] \ + '*::alg:(($speed_algorithms))' +} _openssl_spkac() { - # written for openssl 1.0.1k - _arguments -C \ - '-in[input file]:file:_files' \ - '-out[output file]:file:_files' \ - '-key[create SPKAC using private key]:file:_files' \ - '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \ - '-challenge[challenge string]:string: ' \ - '-spkac[alternative SPKAC name]:spkacname: ' \ - '-spksect[alternative section name]:section: ' \ - "-noout[don't print SPKAC]" \ - '-pubkey[output public key]' \ - '-verify[verify SPKAC signature]' \ - '-engine[use the specified engine, possibly a hardware device]:engine:_engines' + _arguments \ + '(- *)-help[print help message]' \ + '-in[input file name]:file:_files' \ + '-out[output file name]:file:_files' \ + '-digest[digest to sign a created SPKAC file]:digest:_openssl_digests' \ + '-key[private key file or URI to create an SPKAC file]:file_or_uri:_files' \ + '-keyform[key format]:format:(DER PEM P12 ENGINE)' \ + '-passin[input file password source]:option:_openssl_pass_phrase_options' \ + '-challenge[challenge string]:string' \ + '-spkac[alternative name form the 
variable containing the SPKAC(default "SPKAC")]:name' \ + '-spksect[allow an alternative name form the section containing the SPKAC]:section' \ + '-noout[do not output the text version of the SPKAC]' \ + '-pubkey[output the public key of an SPKAC]' \ + '-verify[verify the digital signature on the supplied SPKAC]' \ + $openssl_provider_options[@] } - _openssl_srp() { - # written for openssl 1.0.1k - _arguments -C \ - '-verbose[talk a lot while doing things]' \ - '-config[a config file]:file:_files' \ - '-name[the particular srp definition to use]:definition: ' \ - '-srpvfile[the srp verifier file name]:file:_files' \ - '(-modify -delete -list)-add[add an user and srp verifier]' \ - '(-add -delete -list)-modify[modify the srp verifier of an existing user]' \ - '(-add -modify -list)-delete[delete user from verifier file]' \ - '(-add -modify -delete)-list[list user]' \ - '-gn[g and N values to be used for new verifier]:g and N: ' \ - '-userinfo[additional info to be set for user]:userinfo: ' \ - '-passin[input file pass phrase source]:pass phrase source:_pass_phrase_source' \ - '-passout[output file pass phrase source]:pass phrase source:_pass_phrase_source' \ - '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \ - '-rand[files to use for random number input]:file:_rand_files' \ - ':user:' + _arguments \ + '(- *)-help[print help message]' \ + '-verbose[generate verbose output while processing]' \ + '(-add -modify -delete -list)-add[add a user and SRP verifier]' \ + '(-add -modify -delete -list)-modify[modify the SRP verifier of an existing user]' \ + '(-add -modify -delete -list)-delete[delete user from verifier file]' \ + '(- *)-list[list users]' \ + '-name[particular SRP definition to use]:name' \ + '-srpvfile[srp verifier file name]:file:_files' \ + '-gn[specify the "g" and "N" value]:g_and_N' \ + '-userinfo[additional information to add when adding or modifying a user]:info' \ + '-passin[password source for input 
file]:option:_openssl_pass_phrase_options' \
+ '-passout[password source for output file]:option:_openssl_pass_phrase_options' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@] \
+ '-config[config file]:file:_files' \
+ '*::user'
 }
+_openssl_storeutl() {
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-out[output file name]:file:_files' \
+ '-noout[prevent output of the PEM data]' \
+ '-passin[key password source]:option:_openssl_pass_phrase_options' \
+ '-text[print out the objects in text form]' \
+ '-r[fetch objects recursively when possible]'\
+ '-certs[only select the certificates from the given URI]' \
+ '-keys[only select the keys from the given URI]' \
+ '-crls[only select the CRLs from the given URI]' \
+ '-subject[search for an object having the subject name arg]:arg' \
+ '-issuer[search for an object having the given issuer name]:name' \
+ '-serial[search for an object having the given serial number]:serial_number' \
+ '-alias[search for an object having the given alias]:alias' \
+ '-fingerprint[search for an object having the given fingerprint]:fingerprint' \
+ '-digest[digest that was used to compute the fingerprint given with -fingerprint]' \
+ $openssl_provider_options[@] \
+ '*:uri:_urls'
+}
 _openssl_ts() {
- # written for openssl 1.0.1k
- # written for openssl 1.0.2e
- local action digests
- digests=(-dss1 -md4 -md5 -mdc2 -ripemd160 -sha -sha1 -sha224 -sha256 \
- -sha384 -sha512 -whirlpool)
- if [[ "${CURRENT}" -eq 2 ]]; then
- # first parameter to ts
- _values 'openssl time stamp action' '-query[time stamp request generation]' '-reply[time stamp response generation]' '-verify[time stamp response verification]'
+ if [[ CURRENT -eq 2 ]]; then
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-query[generate a TS query]' \
+ '-reply[generate a TS reply]' \
+ '-verify[verify a TS response]'
 else
- action="${words[2]}"
- case "${action}" in
- -query)
- _arguments -C \
- '-rand[files to use for random number
input]:file:_rand_files' \
- '-config[config file to use]:file:_files' \
- '(-digest)-data[data file for which the time stamp request needs to be created]:file:_files' \
- '(-data)-digest[digest of the data file]:bytes: ' \
- "($digests)-dss1[use the dss1 message digest algorithm]" \
- "($digests)-md4[to use the md4 message digest algorithm]" \
- "($digests)-md5[to use the md5 message digest algorithm]" \
- "($digests)-mdc2[to use the mdc2 message digest algorithm]" \
- "($digests)-ripemd160[to use the ripemd160 message digest algorithm]" \
- "($digests)-sha[to use the sha message digest algorithm]" \
- "($digests)-sha1[to use the sha1 message digest algorithm]" \
- "($digests)-sha224[to use the sha224 message digest algorithm]" \
- "($digests)-sha256[to use the sha256 message digest algorithm]" \
- "($digests)-sha384[to use the sha384 message digest algorithm]" \
- "($digests)-sha512[to use the sha512 message digest algorithm]" \
- "($digests)-whirlpool[to use the whirlpool message digest algorithm]" \
- '-policy[policy to use for creating the time stamp token]:policy ID: ' \
- '-no_nonce[do not include a nonce in the request]' \
- '-cert[request a signing certificate in the response]' \
- '-in[use the previously created time stamp request]:file:_files' \
- '-out[name of the output file to which the request will be written]:file:_files' \
- '-text[output in human-readable format instead of DER]'
+ local -a digests=($(openssl dgst -list | tail -n +2))
+ local -a digest_flags=()
+ for digest in $digests[@]
+ do
+ digest_flags+=("${digest}[use ${digest:1} message digest algorithm]")
+ done
+
+ case $words[2] in
+ (-query)
+ _arguments \
+ '-config[configuration file]:file:_files' \
+ '-data[data file for creating timestamp request]:file:_files' \
+ '-digest[message imprint in a hexadecimal format]:digest' \
+ $digest_flags[@] \
+ '-tspolicy[policy that the client expects the TSA for creating the timestamp token]:oid' \
+ '-no_nonce[no nonce instead of 64bit long
pseudo-random nonce]' \
+ '-cert[TSA is expected to include its signing certificates in the response]' \
+ '-in[previously created timestamp request]:file:_files' \
+ '-out[output file name]:file:_files' \
+ '-text[output human-readable text format instead of DER]' \
+ $openssl_random_state_options[@]
 ;;
- -reply)
- _arguments -C \
- '-config[config file to use]:file:_files' \
- '-section[config file section for response generation]:section: ' \
- '-queryfile[file containing a DER encoded time stamp request]:file:_files' \
- '-passin[private key password source]:pass phrase source:_pass_phrase_source' \
+ (-reply)
+ _arguments \
+ '-config[configuration file]:file:_files' \
+ '-section[name of the config file section for the response generation]:section' \
+ '-queryfile[file containing a DER encoded timestamp request]:file:_files' \
+ '-passin[password source for the private key of the TSA]:source:_openssl_pass_phrase_options' \
 '-signer[signer certificate of the TSA in PEM format]:file:_files' \
- '-inkey[signer private key in PEM format]:file:_files' \
- '-chain[signer certificate chain in PEM format]:file:_files' \
- '-policy[default policy to use for response]:policy ID: ' \
- '-in[use the previously created time stamp response in DER format]:file:_files' \
- '-token_in[the parameter to -in is a time stamp token in DER format]' \
- '-out[name of the output file to which the response will be written]:file:_files' \
- '-token_out[output a time stamp token instead of a time stamp response]' \
- '-text[output in human-readable format instead of DER]' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines'
+ '-inkey[signer private key file or URI of the TSA in PEM format]:file_or_uri:_files' \
+ $digest_flags[@] \
+ '-chain[certificate chain]:file:_files' \
+ '-tspolicy[policy to use for the response]:oid' \
+ '-in[previously created timestamp response or timestamp token]:file:_files' \
+ '-token_in[input is a DER encoded timestamp token
instead of a timestamp response]' \
+ '-out[output file name to write the response]:file:_files' \
+ '-token_out[output is a timestamp token instead of timestamp response]' \
+ '-text[output human-readable text format instead of DER]' \
+ $openssl_provider_options[@]
 ;;
- -verify)
- _arguments -C \
- '(-digest -queryfile)-data[verify response against the specified file]:file:_files' \
- '(-data -queryfile)-digest[verify the response against the specified message digest]:digest bytes: ' \
- '(-data -digest)-queryfile[the original time stamp request in DER format]:file:_files' \
- '-in[time stamp response that needs to be verified in DER format]:file:_files' \
- '-token_in[the parameter to -in is a time stamp token in DER format]' \
- '-CApath[directory containing the trusted CA certificates of the client]:directory:_files -/' \
- '-CAFile[file containing a set of trusted self-signed CA certificates in PEM format]:file:_files' \
- '-untrusted[set of additional untrusted certificates in PEM format which may be needed when building the certificate chain]:file:_files'
+ (-verify)
+ _arguments \
+ '-data[file to hash to be verified against response or token]:file_to_hash:_files' \
+ '-digest[message digest to be verified against reponse or token]:bytes' \
+ '-queryfile[original timestamp request file in DER format]:file:_files' \
+ '-in[timestamp response file in DER format]:file:_files' \
+ '-token_in[input is a DER encoded timestamp token instead of a timestamp response]' \
+ '-untrusted[set of additional untrusted certificates files or URIs]:file_or_uri:_files' \
+ $openssl_trusted_certificate_options[@] \
+ $openssl_verification_options[@]
 ;;
 esac
 fi
 }
-
 _openssl_verify() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-CApath[a directory of trusted certificates]:directory:_files -/' \
- '-CAfile[file A file of trusted certificates]:file:_files' \
- '-purpose[the intended use for the certificate]:purpose:(sslclient sslserver nssslserver smimesign smimeencrypt
crlsign any ocsphelper timestampsign)' \
- '*-policy[enable policy processing and add arg to the user-initial-policy-set]:object name or OID: ' \
- '-ignore_critical[ignore critical extensions]' \
- '-attime[perform validation checks using the given time]:timestamp: ' \
- '-check_ss_sig[verify the signature on the self-signed root CA]' \
- "-crlfile[file containing one or more CRL's (in PEM format) to load]:file:_files" \
- '-crl_check[check end entity certificate in CRL]' \
- '-crl_check_all[check all certificates in CRL]' \
- '-policy_check[enables certificate policy processing]' \
- '-explicit_policy[set policy variable require-explicit-policy]' \
- '-inhibit_any[set policy variable inhibit-any-policy]' \
- '-inhibit_map[set policy variable inhibit-policy-mapping]' \
- '-x509_strict[strict X.509-compliance]' \
- '-extended_crl[enable extended CRL features]' \
- '-use_deltas[enable support for delta CRLs]' \
- '-policy_print[print out diagnostics related to policy processing]' \
- '-untrusted[a file of untrusted certificates]:file:_files' \
- '(-*)-help[print out a usage message]' \
- '-issuer_checks[print out diagnostics relating to searches for the issuer certificate of the current certificate]' \
+ _arguments -S \
+ '(- *)-help[print help message]' \
+ '-CRLfile[file or URL should contains one or more CRLs in PEM or DER format]:file_or_uri:_files' \
+ '-crl_download[attempt to download CRL information for certificates via their CDP entries]' \
+ '-show_chain[display information about the certificate chain that has been built]' \
 '-verbose[print extra information about the operations being performed]' \
- '*:certificate:_files'
- # TODO: - may be used to separate certificates from options
- # TODO: Do not hardcode purposes
+ '-trusted[file or URI of trusted certificates]:file_or_uri:_files' \
+ '-untrusted[file or URI of untrusted certificates to use for chain building]:file_or_uri:_files' \
+ '-vfyopt[pass options to the signature algorithms during verify
operations]:options' \
+ '-nameopt[specify how the subject or issuer names are displayed]:nameopt:_openssl_nameopts' \
+ $openssl_trusted_certificate_options[@] \
+ $openssl_verification_options[@] \
+ $openssl_provider_options[@] \
+ '*::certificate:_files'
 }
-
 _openssl_version() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-a[all information, this is the same as setting all the other flags]' \
- '-v[the current OpenSSL version]' \
- '-b[the date the current version of OpenSSL was built]' \
- '-o[option information: various options set when the library was built]' \
+ _arguments \
+ '(- *)-help[print help message]' \
+ '-a[all information]' \
+ '-v[current OpenSSL version]' \
+ '-b[date the current version of OpenSSL was built]' \
+ '-o[option information, options set when the library was built]' \
 '-f[compilation flags]' \
 '-p[platform setting]' \
- '-d[OPENSSLDIR setting]'
+ '-d[OPENSSLDIR setting]' \
+ '-e[ENGINESDIR settings]' \
+ '-m[MODULESDIR settings]' \
+ '-r[random number generator source settings]' \
+ '-c[OpenSSL CPU settings info]' \
+ '-w[OPENSSL OSSL_WINCTX build time variable]'
 }
-
 _openssl_x509() {
- # written for openssl 1.0.1k
- _arguments -C \
- '-inform[input format - default PEM (one of DER, NET or PEM)]:format:(DER NET PEM)' \
- '-outform[output format - default PEM (one of DER, NET or PEM)]:arg:(DER NET PEM)' \
- '-keyform[private key format - default PEM]:arg:(DER PEM)' \
- '-CAform[CA format - default PEM]:arg:(DER PEM)' \
- '-CAkeyform[CA key format - default PEM]:arg:(DER PEM)' \
- '-in[input file - default stdin]:file:_files' \
- '-out[output file - default stdout]:file:_files' \
- '-passin[private key password source]:pass phrase source:_pass_phrase_source' \
- '-serial[print serial number value]' \
- '-subject_hash[print subject hash value]' \
- '-subject_hash_old[print old-style (MD5) subject hash value]' \
- '-issuer_hash[print issuer hash value]' \
- '-issuer_hash_old[print old-style (MD5) issuer hash value]' \
-
'-hash[synonym for -subject_hash]' \
- '-subject[print subject DN]' \
- '-issuer[print issuer DN]' \
- '-email[print email address(es)]' \
- '-startdate[notBefore field]' \
- '-enddate[notAfter field]' \
- '-purpose[print out certificate purposes]' \
- '-dates[both Before and After dates]' \
- '-modulus[print the RSA key modulus]' \
- '-pubkey[output the public key]' \
- '-fingerprint[print the certificate fingerprint]' \
- '-alias[output certificate alias]' \
- '-noout[no certificate output]' \
- '-ocspid[print OCSP hash values for the subject name and public key]' \
- '-ocsp_uri[print OCSP Responder URL(s)]' \
- '-trustout[output a "trusted" certificate]' \
- '-clrtrust[clear all trusted purposes]' \
- '-clrreject[clear all rejected purposes]' \
- '-addtrust[trust certificate for a given purpose]:purpose:(clientAuth serverAuth emailProtection)' \
- '-addreject[reject certificate for a given purpose]:purpose:(clientAuth serverAuth emailProtection)' \
- '-setalias[set certificate alias]:alias: ' \
- '-days[how long till expiry of a signed certificate (default 30 days)]:days: ' \
- '-checkend[check whether the cert expires in the specified time]:seconds: ' \
- '-signkey[self sign cert with arg]:file:_files' \
- '-x509toreq[output a certification request object]' \
- '-req[input is a certificate request, sign and output]' \
- '-CA[set the CA certificate, must be PEM format]:file:_files' \
- '-CAkey[set the CA key, must be PEM format]:file:_files' \
- '-CAcreateserial[create serial number file if it does not exist]' \
- '-CAserial[serial file]:file:_files' \
- '-set_serial[serial number to use]' \
- '-text[print the certificate in text form]' \
- '-C[print out C code forms]' \
- '(-md5 -sha1 -mdc2)-md2[digest to use]' \
- '(-md2 -sha1 -mdc2)-md5[digest to use]' \
- '(-md2 -md5 -mdc2)-sha1[digest to use]' \
- '(-md2 -md5 -sha1)-mdc2[digest to use]' \
- '-extfile[configuration file with X509V3 extensions to add]' \
- '-extensions[section from config file with X509V3
extensions to add]' \
- '-clrext[delete extensions before signing and input certificate]' \
- '*-nameopt[various certificate name options]:options:_nameopts' \
- '-engine[use the specified engine, possibly a hardware device]:engine:_engines' \
- '*-certopt[various certificate text options]:options:_certopts'
+ local -a digests=($(openssl dgst -list | tail -n +2))
+ local -a digest_flags=()
+ for digest in $digests[@]
+ do
+ digest_flags+=("${digest}[use ${digest:1} message digest algorithm]")
+ done
+
+ _arguments \
+ '(- *)-help[print help message]' \
+ '(-in -new)-in[input file or URI for reading a certificate request]:file_or_uri:_files' \
+ '-passin[key and certificate file password source]:source:_openssl_pass_phrase_options' \
+ '(-in -new)-new[generate a certificate from scratch]' \
+ '-x509toreq[output a PKCS#10 certificate request]' \
+ '-req[expect a PKCS#10 certificate request]' \
+ '-copy_extensions[how to handle X.509 extensions when converting from a certificate to a request]:how:(none copy copyall)' \
+ '-inform[input file format]:format:(DER PEM)' \
+ '-vfyopt[options of the signature algorithm during verify operations]:option' \
+ '(-key -signkey)'{-key,-signkey}'[private key file or URI for a new certificate or certificate request]:file_or_uri:_files' \
+ '-keyform[key input format]:format:(DER PEM P12 ENGINE)' \
+ '-out[output file name]:file:_files' \
+ '-outform[output format]:format:(DER PEM)' \
+ '-nocert[do not output a certificate]' \
+ '-noout[prevent output except for printing as requested]' \
+ '-dataopt[data output format(default: rfc_822)]:format:(rfc_822 iso_8601)' \
+ '-text[print out the certificate in text form]' \
+ '-certopt[option to customize the print format used with -text]:option:_openssl_text_printing_options' \
+ '-fingerprint[calculate and print the digest of the DER encoded version of the entire certificate]' \
+ '-alias[print the certificate "alias"(nickname) if any]' \
+ '-serial[print the certificate serial number]' \
+ '-startdate[print out the start date of the certificate]' \
+ '-enddate[print out the expiry date of the certificate]' \
+ '-dates[print out the start and expiry dates of a certificate]' \
+ '-subject[print the subject name]' \
+ '-issuer[print the issuer name]' \
+ '-nameopt[how the subject or issuer names are displayed]:option:_openssl_nameopts' \
+ '-email[print the email address(es) if any]' \
+ '(-hash -subject_hash)'{-hash,-subject_hash}'[print the "hash" of the certificate subject name]' \
+ '-subject_hash_old[print the "hash" of the certificate subject name using the older algorithm]' \
+ '-issuer_hash[print the "hash" of the certificate issuer name]' \
+ '-issuer_hash_old[print the "hash" of the certificate issuer name using the older algorithm]' \
+ '-ext[print out the certificate extensions in text form]:extensions:_openssl_certificate_extensions' \
+ '-ocspid[print the OCSP hash values for the subject name and public key]' \
+ '-ocsp_uri[print the OCSP responder address(es) if any]' \
+ '-purpose[perform tests on the certificate extensions and output the result]' \
+ "-pubkey[print the certificate's SubjectPublicKeyInfo block in PEM format]" \
+ '-modulus[print out the value of the modulus of the public key contained in the certificate]' \
+ '-checkend[check if the certificate expires within the given seconds]:seconds' \
+ '-checkhost[check that the certificate matches the specified host]:host' \
+ '-checkemail[check that the certificate matches the specified email address]:email' \
+ '-checkip[check that the certificate matches the specified IP address]:ip' \
+ '-set_serial[serial number to use]:serial_number' \
+ '-next_serial[serial to be one more than the number in the certificate]' \
+ '-not_before[start date to be explicitly set]:date' \
+ '-not_after[expiry date to be explicitly set]:date' \
+ '-days[the number of days from today until a newly generated certificate expires]:days' \
+ '-preserve_dates[preserve "notBefore" and "notAfter" dates of
any input certificate]' \
+ '-set_issuer[issuer name for certicate created]:issuer' \
+ '(-set_subject -subj)'{-set_subject,-subj}'[subject name for certicate created]:subject' \
+ '-force_pubkey[public key file to be set in certicate created]:file:_files' \
+ '-clrext[prevents taking over any extensions from the source]' \
+ '-extfile[configuration file containing certificate and request X.509 extensions to add]:file:_files' \
+ '-extensions[section in the extfile to add X.509 extensions form]:section' \
+ '-sigopt[options to the signature algorithm during sign operations]:options' \
+ '-badsig[currupt the signature before writing it]' \
+ $digest_flags[@] \
+ '-CA["CA" certificate file or URI]:file_or_uri:_files' \
+ '-CAform[format for the CA certificate]:format:(DER PEM P12)' \
+ '-CAkey[CA private key file or URI to sign a certificate with]:file_or_uri:_files' \
+ '-CAkeyform[format for the CA key]:format:(DER PEM P12 ENGINE)' \
+ '-CAserial[CA serial number file to use]:file:_files' \
+ '-CAcreateserial[create CA serial number file if it does not exist]' \
+ '-trustout[mark any certificate PEM output as certificate rather than ordinary]' \
+ '-setalias[set the "alias" of the certificate]:alias' \
+ '-clrtrust[clear all the permitted or trusted uses of the certificate]' \
+ '-addtrust[add a trusted certificate use]:name:(clientAuth serverAuth emailProtection anyExtendedKeyUsage)' \
+ '-clrreject[clear all the prohibited or rejected use of the certificate]' \
+ '-addreject[add a prohibited trust anchor purpose]:arg:(clientAuth serverAuth emailProtection anyExtendedKeyUsage)' \
+ $openssl_random_state_options[@] \
+ $openssl_provider_options[@]
 }
+#
+# Utilities
+#
-_pass_phrase_source() {
- # pass:password
- # env:var
- # file:pathname
- # fd:number
- # stdin
- _values -S : 'pass phrase source' \
- 'pass[obtain the password from the command line]:password: ' \
- 'env[obtain the password from the environment variable var]:var:_parameters -g "*export*"' \
-
'file[obtain the password from a file]:file:_files' \
- 'fd[read the password from the file descriptor number]:number: ' \
- 'stdin[read the password from standard input]'
+_openssl_certificate_extensions() {
+ # See x509v3_config document
+
+ local -a extensions=(
+ basicConstraints keyUsage extendedKeyUsage subjectKeyIdentifier authorityKeyIdentifier
+ subjectAltName issuerAltName authorityInfoAccess crlDistributionPoints
+ issuingDistributionPoint certificatePolicies policyConstraints
+ inhibitAnyPolicy nameConstraints noCheck tlsfeature
+ )
+
+ _values -s , extensions $extensions
 }
+_openssl_digests() {
+ # openssl list -digest-commands is deprecated, use another command instead
+ local -a digest_flags=($(openssl dgst -list | tail -n +2))
+ local -a digests=()
-_rand_files() {
- # FIXME: this does not allow using multiple files separated by :
- # the following would probably work, but how to generate $files?
- #_values -s : -S ' ' 'random source file or directory' ${files}
- _files
+ for flag in $digest_flags[@]
+ do
+ digests+=(${flag:1})
+ done
+
+ _values 'digests' ${digests}
 }
+_openssl_cipher_algorithms() {
+ local -a encrypt_flags=($(openssl enc -list | tail -n +2))
+ local -a encrypts=()
-_engines() {
- # openssl engines
- local engines
- engines=(${${${(@f)"$(_call_program engines openssl engine)"}%)*}#\(})
- _values 'engines' ${engines}
+ for flag in $encrypt_flags[@]
+ do
+ encrypts+=(${flag:1})
+ done
+
+ _values 'encrypts' ${encrypts}
 }
+_openssl_groups() {
+ local -a groups=(P-256 P-384 P-521 X25519 X448 ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192)
+ _values -s ':' groups $groups
+}
-_list_ciphers() {
+_openssl_list_ciphers() {
 # openssl ciphers
 local ciphers
 # add cipher suites
@@ -1608,80 +2451,121 @@ _list_ciphers() {
 _values -s : 'cipher suite' ${ciphers}
 }
+_openssl_mac_algorithms() {
+ # openssl list -mac-algorithms
+ local algorithms=(
+ BLAKE2BMAC BLAKE2SMAC CMAC HMAC KMAC128 KMAC256 SIPHASH POLY1305
+ )
-_list_curves() {
- # openssl ecparam -list_curves
- local curves not_curves
- curves="$(_call_program list_curves openssl ecparam -list_curves)"
- # identify lines that do not contain curve names but only descriptions
- not_curves=(${${(f)curves[@]}:#*:*})
- # remove non-curve lines, trailing descriptions and leading spaces
- curves=(${${${${(f)curves[@]}:|not_curves}%:*}##* })
- _values 'named curves' ${curves}
+ _values algorithms $algorithms
 }
+_openssl_macopts() {
+ local -a options=(
+ 'key\:[MAC key as an alphanumeric string]'
+ 'hexkey\:[MAC key in hexadecimal form]'
+ 'iv\:[IV as an alphanumeric string to be used by GMAC]'
+ 'hexiv\:[IV in hexadecimal form to be used by GMAC]'
+ 'size\:[output length to be used by KMAC128 or KMAC256]'
+ 'custom\:[customization string to be used by KMAC128 or KMAC256]'
+ 'digest\:[digest]'
+ 'cipher\:[cipher]'
+ )
-_list_message_digest_algorithms() {
- # openssl list-message-digest-algorithms
- local algorithms
- algorithms=(${${(@f)"$(_call_program message_digest_algorithms openssl list-message-digest-algorithms)"}%% *})
- _values 'message digest algorithms' ${algorithms}
+ _values 'options' ${options}
 }
+_openssl_name_display_options() {
+ local -a options=(
+ 'compat:display the name using an old format from previous OpenSSL versions'
+ 'RFC2253:display the name using the format defined in RFC 2253'
+ 'oneline:display the name in one line more readable RFC 2253'
+ 'multiline:display the name using multiple lines'
+ 'esc_2253:escape the "special" characters in a field, as required by RFC 2253'
+ 'esc_2254:escape the "special" characters in a field as required by RFC 2254 in a field'
+ 'esc_ctrl:escape non-printable ASCII characters'
+ 'esc_msb:escape any characters with the most
significant bit set'
+ 'use_quote:escapes some characters by surrounding the entire string with quotation marks'
+ 'utf8:convert all strings to UTF-8 format first as required by RFC 2253'
+ 'ignore_type:not attempt to interpret multibyte characters in any way'
+ 'show_type:display the type of the ASN1 character string before the value'
+ 'dump_der:output in hex format are displayed using the DER encoding of the field'
+ 'dump_nostr:dump non-character strings, such as ASN.1 OCTET STRING'
+ 'dump_all:dump all fields'
+ 'dump_unknown:dump any field whose OID is not recognised by OpenSSL'
+ 'sep_comma_plus:set comma as a separator'
+ 'sep_comma_plus_space:set comma as a separator and put space after the separator'
+ 'sep_semi_plus_space:set semi-colon as a separator and put space after the separator'
+ 'sep_multiline:start each field on its own line'
+ 'dn_rev:reverse the fields of the DN as required by RFC 2253'
+ 'nofname:does not display the field at all'
+ 'sname:use short name form'
+ 'lname:use long name form'
+ 'oid:represent the OID in numerical form'
+ 'align:align field values'
+ 'space_eq:place spaces round the equal sign'
+ )
-_nameopts() {
- _values -s ',' -w 'nameopts' \
- '(-compat compat)'{-compat,compat}'[use the old format. This is equivalent to specifying no name options at all]' \
- '(-RFC2253 RFC2253)'{-RFC2253,RFC2253}'[displays names compatible with RFC2253 equivalent to esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_unknown, dump_der, sep_comma_plus, dn_rev and sname]' \
- '(-oneline oneline)'{-oneline,oneline}'[a oneline format which is more readable than RFC2253. Equivalent to esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq and sname options]' \
- '(-multiline multiline)'{-multiline,multiline}'[a multiline format.
Equivalent to esc_ctrl, esc_msb, sep_multiline, space_eq, lname and align]' \
- '(-esc_2253 esc_2253)'{-esc_2253,esc_2253}'[escape the "special" characters required by RFC2253 in a field]' \
- '(-esc_ctrl esc_ctrl)'{-esc_ctrl,esc_ctrl}'[escape control characters]' \
- '(-esc_msb esc_msb)'{-esc_msb,esc_msb}'[escape characters with the MSB set]' \
- '(-use_quote use_quote)'{-use_quote,use_quote}'[escapes some characters by surrounding the whole string with " characters]' \
- '(-utf8 utf8)'{-utf8,utf8}'[convert all strings to UTF8 format first]' \
- '(-ignore_type ignore_type)'{-ignore_type,ignore_type}'[this option does not attempt to interpret multibyte characters in any way]' \
- '(-show_type show_type)'{-show_type,show_type}'[show the type of the ASN1 character string]' \
- '(-dump_der dump_der)'{-dump_der,dump_der}'[use DER encoding when hexdumping fields]' \
- '(-dump_nostr dump_nostr)'{-dump_nostr,dump_nostr}'[dump non character string types]' \
- '(-dump_all dump_all)'{-dump_all,dump_all}'[dump all fields]' \
- '(-dump_unknown dump_unknown)'{-dump_unknown,dump_unknown}'[dump any field whose OID is not recognised by OpenSSL]' \
- '(-sep_comma_plus sep_comma_plus)'{-sep_comma_plus,sep_comma_plus}'[these options determine the field separators]' \
- '(-sep_comma_plus_space sep_comma_plus_space)'{-sep_comma_plus_space,sep_comma_plus_space}'[these options determine the field separators]' \
- '(-sep_semi_plus_space sep_semi_plus_space)'{-sep_semi_plus_space,sep_semi_plus_space}'[these options determine the field separators]' \
- '(-sep_multiline sep_multiline)'{-sep_multiline,sep_multiline}'[these options determine the field separators]' \
- '(-dn_rev dn_rev)'{-dn_rev,dn_rev}'[reverse the fields of the DN]' \
- '(-nofname nofname)'{-nofname,nofname}'[do not display field names]' \
- '(-sname sname)'{-sname,sname}'[display field names in short form]' \
- '(-lname lname)'{-lname,lname}'[display field names in long form]' \
- '(-oid oid)'{-oid,oid}'[display field names
in numerical form]' \
- '(-align align)'{-align,align}'[align field values for a more readable output. Only usable with sep_multiline]' \
- '(-space_eq space_eq)'{-space_eq,space_eq}'[places spaces around the = character which follows the field name]'
+ _values 'options' ${options}
 }
+_openssl_pass_phrase_options() {
+ local -a options=(
+ 'pass[actual password]:password'
+ 'env[obtain password from the environment variable]:var:_parameters -g "*export*"'
+ 'file[read the password from the file]:file:_files'
+ 'fd[read the password from the file descriptor number]:number'
+ 'stdin[read the password from standard input]'
+ )
-_certopts() {
- _values -s ',' -w 'certopts' \
- 'compatible[use the old format. This is equivalent to specifying no output options at all]' \
- "no_header[don't print header information: that is the lines saying \"Certificate\" and \"Data\"]" \
- "no_version[don't print out the version number]" \
- "no_serial[don't print out the serial number]" \
- "no_signame[don't print out the signature algorithm used]" \
- "no_validity[don't print the validity, that is the notBefore and notAfter fields]" \
- "no_subject[don't print out the subject name]" \
- "no_issuer[don't print out the issuer name]" \
- "no_pubkey[don't print out the public key]" \
- "no_sigdump[don't give a hexadecimal dump of the certificate signature]" \
- "no_aux[don't print out certificate trust information]" \
- "no_extensions[don't print out any X509V3 extensions]" \
- 'ext_default[retain default extension behaviour: attempt to print out unsupported certificate extensions]' \
- 'ext_error[print an error message for unsupported certificate extensions]' \
- 'ext_parse[ASN1 parse unsupported extensions]' \
- 'ext_dump[hex dump unsupported extensions]' \
- '(no_issuer no_pubkey no_header no_version no_sigdump no_signame)ca_default[the value used by the ca utility, equivalent to no_issuer, no_pubkey, no_header, no_version, no_sigdump and no_signame]'
+ _values -S : 'options'
${options}
 }
+_openssl_signature_algorithms() {
+ local -a algorithms=(
+ RSA DSA ECDSA
+ SHA1 SHA224 SHA224 SHA384 SHA512
+ ecdsa_secp256r1_sha256 ed25519 rsa_pss_pss_sha256
+ )
+
+ _values -s ':' algorithms $algorithms
+}
+
+_openssl_text_printing_options() {
+ local -a options=(
+ 'compatible[use the old format]'
+ 'no_header[do not print header information]'
+ 'no_version[do not print out the version number]'
+ 'no_serial[do not print the serial number]'
+ 'no_signame[do not print out the signature algorithm used]'
+ 'no_validity[do not print the validity]'
+ 'no_subject[do not print out the subject name]'
+ 'no_issuer[do not print out the issuer name]'
+ 'no_pubkey[do not print out the public key]'
+ 'no_sigdump[do not give a hexadecimal dump of the certificate signature]'
+ 'no_aux[do not print out certificate trust information]'
+ 'no_extensions[do not print out any X509V3 extensions]'
+ 'ext_default[retain default extension behavior]'
+ 'ext_error[print an error message for unsupported certificate extensions]'
+ 'ext_parse[ASN1 parse unsupported extensions]'
+ 'ext_dump[Hex dump unsupported extensions]'
+ 'ca_default[equivalent to no_issuer, no_pubkey, no_header and no_version]'
+ )
+
+ _values -s , options $options
+}
+
+_openssl_tls_protocols() {
+ local -a protocols=(SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 DTLSv1 DTLSv1.2 None)
+ _values protocols $protocols
+}
 _openssl "$@"
+# Local Variables:
+# mode: Shell-Script
+# sh-indentation: 2
+# indent-tabs-mode: nil
+# sh-basic-offset: 2
+# End:
 # vim: ft=zsh sw=2 ts=2 et
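Review bot: `_openssl_signature_algorithms` lists `SHA224` twice and never offers `SHA256`, so the hash most commonly wanted in a colon-separated signature-algorithm string cannot be completed; the line should read `SHA1 SHA224 SHA256 SHA384 SHA512`. The entries in `_openssl_name_display_options` are written as `name:description`, but in a `_values` spec a colon introduces an argument specification and the description belongs in brackets (the form every other helper in this hunk uses), so each nameopt would be offered as a value that expects an argument and its text would never appear as a description — e.g. `'compat[display the name using an old format from previous OpenSSL versions]'`; whether a `-nameopt` caller is actually wired to this helper is not visible from this hunk. In `_openssl_pass_phrase_options` the `pass` source deserves a caveat in its description, since a password supplied that way is exposed to other local users through the process list and lands in shell history, e.g. `'pass[literal password (visible in process listings and shell history)]:password'`.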