Add command line password options to the remaining utilities,
amend docs.
diff --git a/CHANGES b/CHANGES
index 91d89b7..3c09b1e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.4 and 0.9.5  [xx XXX 2000]
 
+  *) Add command line password options to the remaining applications.
+     [Steve Henson]
+
   *) Bug fix for BN_div_recp() for numerators with an even number of
      bits.
      [Ulf Möller]
diff --git a/apps/dsa.c b/apps/dsa.c
index c9b9d71..6198ea9 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -195,8 +195,8 @@
 		BIO_printf(bio_err," -passin arg     input file pass phrase\n");
 		BIO_printf(bio_err," -envpassin arg  environment variable containing input file pass phrase\n");
 		BIO_printf(bio_err," -out arg        output file\n");
-		BIO_printf(bio_err," -passout arg    input file pass phrase\n");
-		BIO_printf(bio_err," -envpassout arg environment variable containing input file pass phrase\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase\n");
+		BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef NO_IDEA
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 49ae0a0..0c56b14 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -79,6 +79,7 @@
 	int ret=1;
 	char *outfile=NULL;
 	char *inrand=NULL,*dsaparams=NULL;
+	char *passout = NULL;
 	BIO *out=NULL,*in=NULL;
 	EVP_CIPHER *enc=NULL;
 
@@ -98,6 +99,22 @@
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-envpassout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if(!(passout= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				goto bad;
+				}
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passout= *(++argv);
+			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
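Review bot: The new `-passout` and `-envpassout` options are not added to gendsa's usage output: no hunk in apps/gendsa.c touches the usage text, whereas apps/genrsa.c gains both lines in this same commit. I would add the matching `BIO_printf(bio_err," -passout arg    output file pass phrase\n");` and `BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");` to the block under `bad:`. The option loop and the `bad:` block both lie outside this hunk, so the exact placement needs checking against the full file.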
@@ -188,7 +205,7 @@
 
 	app_RAND_write_file(NULL, bio_err);
 
-	if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,NULL,NULL))
+	if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,PEM_cb, passout))
 		goto end;
 	ret=0;
 end:
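Review bot: `passout` is handed to `PEM_write_bio_DSAPrivateKey` even when `enc` is still NULL, and in that case the key is presumably written unencrypted and the pass phrase is never consulted, with nothing telling the user. Someone who supplies `-passout` but selects no cipher would end up with a cleartext private key while believing it is protected. A warning before the write would catch this: `if (passout && !enc) BIO_printf(bio_err,"warning: pass phrase given but no cipher selected, key will not be encrypted\n");`. The same applies to the `PEM_write_bio_RSAPrivateKey` call changed in apps/genrsa.c.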
diff --git a/apps/genrsa.c b/apps/genrsa.c
index ab760f6..63fd45e 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -84,6 +84,7 @@
 	EVP_CIPHER *enc=NULL;
 	unsigned long f4=RSA_F4;
 	char *outfile=NULL;
+	char *passout = NULL;
 	char *inrand=NULL;
 	BIO *out=NULL;
 
@@ -127,6 +128,22 @@
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
 #endif
+		else if (strcmp(*argv,"-envpassout") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passout= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				goto bad;
+				}
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passout= *(++argv);
+			}
 		else
 			break;
 		argv++;
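Review bot: `-passout` stores a pointer straight into `argv`, so the pass phrase stays in the process's argument list for the whole run, and RSA key generation can keep the process alive for a noticeable time. Consider copying the argument into a private buffer during parsing and then wiping the original with `memset(*argv,0,strlen(*argv));`, clearing the copy before exit. This narrows the exposure window rather than closing it, and how much it helps depends on how the platform reports process arguments. The same pattern appears in the gendsa, pkcs12 and spkac option parsing added by this commit.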
@@ -136,17 +153,19 @@
 		{
 bad:
 		BIO_printf(bio_err,"usage: genrsa [args] [numbits]\n");
-		BIO_printf(bio_err," -des      - encrypt the generated key with DES in cbc mode\n");
-		BIO_printf(bio_err," -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
+		BIO_printf(bio_err," -des            encrypt the generated key with DES in cbc mode\n");
+		BIO_printf(bio_err," -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
 #ifndef NO_IDEA
-		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
+		BIO_printf(bio_err," -idea           encrypt the generated key with IDEA in cbc mode\n");
 #endif
-		BIO_printf(bio_err," -out file - output the key to 'file\n");
-		BIO_printf(bio_err," -f4       - use F4 (0x10001) for the E value\n");
-		BIO_printf(bio_err," -3        - use 3 for the E value\n");
+		BIO_printf(bio_err," -out file       output the key to 'file\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase\n");
+		BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
+		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
+		BIO_printf(bio_err," -3              use 3 for the E value\n");
 		BIO_printf(bio_err," -rand file:file:...\n");
-		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
-		BIO_printf(bio_err,"             the random number generator\n");
+		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,"                 the random number generator\n");
 		goto err;
 		}
 		
@@ -190,7 +209,7 @@
 		l+=rsa->e->d[i];
 		}
 	BIO_printf(bio_err,"e is %ld (0x%lX)\n",l,l);
-	if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,NULL,NULL))
+	if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,PEM_cb, passout))
 		goto err;
 
 	ret=0;
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 0c8dc47..dd008c4 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -61,13 +61,12 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include "apps.h"
 #include <openssl/crypto.h>
-#include <openssl/des.h>
-#include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 
-#include "apps.h"
 #define PROG pkcs12_main
 
 EVP_CIPHER *enc;
@@ -80,9 +79,9 @@
 #define CACERTS		0x10
 
 int get_cert_chain(X509 *cert, STACK_OF(X509) **chain);
-int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options);
-int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options);
-int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options);
+int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);
+int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass);
+int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
 int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
 void hex_prin(BIO *out, unsigned char *buf, int len);
 int alg_print(BIO *x, X509_ALGOR *alg);
@@ -111,6 +110,7 @@
     int noprompt = 0;
     STACK *canames = NULL;
     char *cpass = NULL, *mpass = NULL;
+    char *passin = NULL, *passout = NULL;
 
     apps_startup();
 
@@ -198,6 +198,36 @@
 			args++;	
 			outfile = *args;
 		    } else badarg = 1;
+		} else if (!strcmp(*args,"-passin")) {
+		    if (args[1]) {
+			args++;	
+			passin = *args;
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-envpassin")) {
+		    if (args[1]) {
+			args++;	
+			if(!(passin= getenv(*args))) {
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badarg = 1;
+			}
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-envpassout")) {
+		    if (args[1]) {
+			args++;	
+			if(!(passout= getenv(*args))) {
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badarg = 1;
+			}
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-passout")) {
+		    if (args[1]) {
+			args++;	
+			passout = *args;
+		    } else badarg = 1;
 		} else if (!strcmp (*args, "-envpass")) {
 		    if (args[1]) {
 			args++;	
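Review bot: The `-envpassin` and `-envpassout` error messages print `*argv`, but this loop walks `args`, so when the variable is missing the message would name whatever `argv` points at (likely the program name) rather than the variable the user asked for. The existing `-envpass` branch, visible in the following hunk, already prints `*args`. Change `*argv` to `*args` in both new `BIO_printf` calls. The surrounding option loop starts and ends outside this hunk.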
@@ -206,7 +236,6 @@
 				 "Can't read environment variable %s\n", *args);
 				goto end;
 			}
-			noprompt = 1;
 		    } else badarg = 1;
 		} else if (!strcmp (*args, "-password")) {
 		    if (args[1]) {
@@ -254,11 +283,22 @@
 	BIO_printf (bio_err, "-keysig       set MS key signature type\n");
 	BIO_printf (bio_err, "-password p   set import/export password (NOT RECOMMENDED)\n");
 	BIO_printf (bio_err, "-envpass p    set import/export password from environment\n");
+	BIO_printf (bio_err, "-passin p     input file pass phrase\n");
+	BIO_printf (bio_err, "-envpassin p  environment variable containing input file pass phrase\n");
+	BIO_printf (bio_err, "-passout p    output file pass phrase\n");
+	BIO_printf (bio_err, "-envpassout p environment variable containing output file pass phrase\n");
     	goto end;
     }
 
-    if(cpass) mpass = cpass;
-    else {
+    if(!cpass) {
+    	if(export_cert) cpass = passout;
+    	else cpass = passin;
+    }
+
+    if(cpass) {
+	mpass = cpass;
+	noprompt = 1;
+    } else {
 	cpass = pass;
 	mpass = macpass;
     }
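Review bot: The fallback that selects the PKCS#12 password is not obvious from the code and deserves a comment above `if(!cpass)`, for example `/* no -password/-envpass: use -passout as the PKCS#12 password when exporting, -passin when parsing */`. The `if(cpass)` branch could carry `/* password supplied on the command line or via the environment: reuse it for mpass and skip prompting */`, since `noprompt` is now set here instead of in the `-envpass` branch. How `noprompt`, `pass` and `macpass` are used afterwards lies outside this hunk.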
@@ -337,7 +377,7 @@
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("process -export_cert");
 #endif
-	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, NULL);
+	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, PEM_cb, passin);
 	if (!inkey) (void) BIO_reset(in);
 	else BIO_free(inkey);
 	if (!key) {
@@ -504,7 +544,7 @@
 #ifdef CRYPTO_MDEBUG
     CRYPTO_push_info("output keys and certificates");
 #endif
-    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options)) {
+    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) {
 	BIO_printf(bio_err, "Error outputting keys and certificates\n");
 	ERR_print_errors (bio_err);
 	goto end;
@@ -524,7 +564,7 @@
 }
 
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
-	     int passlen, int options)
+	     int passlen, int options, char *pempass)
 {
 	STACK *asafes, *bags;
 	int i, bagnid;
@@ -546,7 +586,7 @@
 		} else continue;
 		if (!bags) return 0;
 	    	if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
-							 options)) {
+						 options, pempass)) {
 			sk_pop_free (bags, PKCS12_SAFEBAG_free);
 			return 0;
 		}
@@ -557,19 +597,19 @@
 }
 
 int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass,
-	     int passlen, int options)
+	     int passlen, int options, char *pempass)
 {
 	int i;
 	for (i = 0; i < sk_num (bags); i++) {
 		if (!dump_certs_pkeys_bag (out,
 			 (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen,
-					 		options)) return 0;
+					 	options, pempass)) return 0;
 	}
 	return 1;
 }
 
 int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
-	     int passlen, int options)
+	     int passlen, int options, char *pempass)
 {
 	EVP_PKEY *pkey;
 	PKCS8_PRIV_KEY_INFO *p8;
@@ -584,7 +624,7 @@
 		p8 = bag->value.keybag;
 		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
 		print_attribs (out, p8->attributes, "Key Attributes");
-		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL);
+		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
 		EVP_PKEY_free(pkey);
 	break;
 
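Review bot: The return value of `PEM_write_bio_PrivateKey` is still discarded on the changed line, so a failure while encrypting or writing the private key goes unreported and the function carries on as if the key had been output. Now that the write can involve a supplied pass phrase, an undetected failure could leave the user with a missing or truncated key and a success exit. I would check it and release the key on the error path: `if (!PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass)) { EVP_PKEY_free(pkey); return 0; }`. The identical call in the following hunk needs the same treatment. The enclosing function body begins and ends outside both hunks.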
@@ -600,7 +640,7 @@
 		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
 		print_attribs (out, p8->attributes, "Key Attributes");
 		PKCS8_PRIV_KEY_INFO_free(p8);
-		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL);
+		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
 		EVP_PKEY_free(pkey);
 	break;
 
@@ -623,7 +663,7 @@
 		if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n");
 		print_attribs (out, bag->attrib, "Bag Attributes");
 		return dump_certs_pkeys_bags (out, bag->value.safes, pass,
-							    passlen, options);
+							    passlen, options, pempass);
 					
 	default:
 		BIO_printf (bio_err, "Warning unsupported bag type: ");
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index be1e0c1..cb55464 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -176,22 +176,22 @@
 		bad:
 		BIO_printf(bio_err, "Usage pkcs8 [options]\n");
 		BIO_printf(bio_err, "where options are\n");
-		BIO_printf(bio_err, "-in file   input file\n");
-		BIO_printf(bio_err, "-inform X  input format (DER or PEM)\n");
+		BIO_printf(bio_err, "-in file        input file\n");
+		BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
 		BIO_printf(bio_err, "-passin arg     input file pass phrase\n");
 		BIO_printf(bio_err, "-envpassin arg  environment variable containing input file pass phrase\n");
-		BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
-		BIO_printf(bio_err, "-out file  output file\n");
-		BIO_printf(bio_err, "-passout arg    input file pass phrase\n");
-		BIO_printf(bio_err, "-envpassout arg environment variable containing input file pass phrase\n");
-		BIO_printf(bio_err, "-topk8     output PKCS8 file\n");
-		BIO_printf(bio_err, "-nooct     use (nonstandard) no octet format\n");
-		BIO_printf(bio_err, "-embed     use (nonstandard) embedded DSA parameters format\n");
-		BIO_printf(bio_err, "-nsdb      use (nonstandard) DSA Netscape DB format\n");
-		BIO_printf(bio_err, "-noiter    use 1 as iteration count\n");
-		BIO_printf(bio_err, "-nocrypt   use or expect unencrypted private key\n");
-		BIO_printf(bio_err, "-v2 alg    use PKCS#5 v2.0 and cipher \"alg\"\n");
-		BIO_printf(bio_err, "-v1 obj    use PKCS#5 v1.5 and cipher \"alg\"\n");
+		BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
+		BIO_printf(bio_err, "-out file       output file\n");
+		BIO_printf(bio_err, "-passout arg    output file pass phrase\n");
+		BIO_printf(bio_err, "-envpassout arg environment variable containing outut file pass phrase\n");
+		BIO_printf(bio_err, "-topk8          output PKCS8 file\n");
+		BIO_printf(bio_err, "-nooct          use (nonstandard) no octet format\n");
+		BIO_printf(bio_err, "-embed          use (nonstandard) embedded DSA parameters format\n");
+		BIO_printf(bio_err, "-nsdb           use (nonstandard) DSA Netscape DB format\n");
+		BIO_printf(bio_err, "-noiter         use 1 as iteration count\n");
+		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
+		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
+		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
 		return (1);
 	}
 
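Review bot: The rewritten `-envpassout` usage line misspells "output" as "outut"; it should read `"-envpassout arg environment variable containing output file pass phrase\n"`. The `-v1 obj` line also describes its argument as "alg" although the option is spelled with `obj`. That mismatch predates this commit, but the line is being realigned here and could be fixed in the same pass.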
diff --git a/apps/rsa.c b/apps/rsa.c
index 2df3fe3..1313ddc 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -201,8 +201,8 @@
 		BIO_printf(bio_err," -envpassin arg  environment variable containing input file pass phrase\n");
 		BIO_printf(bio_err," -in arg         input file\n");
 		BIO_printf(bio_err," -out arg        output file\n");
-		BIO_printf(bio_err," -passout arg    input file pass phrase\n");
-		BIO_printf(bio_err," -envpassout arg environment variable containing input file pass phrase\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase\n");
+		BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef NO_IDEA
diff --git a/apps/spkac.c b/apps/spkac.c
index 34b0026..e3f434d 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -80,7 +80,7 @@
 	int i,badops=0, ret = 1;
 	BIO *in = NULL,*out = NULL, *key = NULL;
 	int verify=0,noout=0,pubkey=0;
-	char *infile = NULL,*outfile = NULL,*prog;
+	char *infile = NULL,*outfile = NULL,*prog, *passin = NULL;
 	char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL;
 	char *challenge = NULL, *keyfile = NULL;
 	LHASH *conf = NULL;
@@ -106,6 +106,22 @@
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passin= *(++argv);
+			}
+		else if (strcmp(*argv,"-envpassin") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passin= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badops = 1;
+				}
+			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
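Review bot: In the `-envpassin` branch the `if(!(passin= getenv(*(++argv))))` line is indented one level deeper than the braces of its own body, so it reads as though it were controlled by the `if (--argc < 1) goto bad;` above it. Aligning it with the `{` that follows removes the ambiguity. The `-envpassout` branch added to apps/genrsa.c has the same misalignment, while apps/gendsa.c has it right. This branch also sets `badops = 1` where the neighbouring branches use `goto bad`. That is harmless if both end at the usage text, but the rest of the loop is outside this hunk so I cannot confirm it.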
@@ -145,6 +161,8 @@
 		BIO_printf(bio_err," -in arg        input file\n");
 		BIO_printf(bio_err," -out arg       output file\n");
 		BIO_printf(bio_err," -key arg       create SPKAC using private key\n");
+		BIO_printf(bio_err," -passin arg    input file pass phrase\n");
+		BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n");
 		BIO_printf(bio_err," -challenge arg challenge string\n");
 		BIO_printf(bio_err," -spkac arg     alternative SPKAC name\n");
 		BIO_printf(bio_err," -noout         don't print SPKAC\n");
@@ -163,7 +181,7 @@
 			ERR_print_errors(bio_err);
 			goto end;
 		}
-		pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);
+		pkey = PEM_read_bio_PrivateKey(key, NULL, PEM_cb, passin);
 		if(!pkey) {
 			BIO_printf(bio_err, "Error reading private key\n");
 			ERR_print_errors(bio_err);
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 8b3f9ea..cec2164 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -72,9 +72,9 @@
 #include "../bio/bss_file.c"
 #endif
 
-const num0 = 100; /* number of tests */
-const num1 = 50;  /* additional tests for some functions */
-const num2 = 5;   /* number of tests for slow functions */
+const int num0 = 100; /* number of tests */
+const int num1 = 50;  /* additional tests for some functions */
+const int num2 = 5;   /* number of tests for slow functions */
 
 int test_add(BIO *bp);
 int test_sub(BIO *bp);
diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index 9eca325..fe3c5b4 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -4,11 +4,12 @@
 
 genrsa - generate an RSA private key
 
-
 =head1 SYNOPSIS
 
 B<openssl> B<genrsa>
 [B<-out filename>]
+[B<-passout password>]
+[B<-envpassout var>]
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
@@ -25,11 +26,26 @@
 
 =over 4
 
+=item B<-out filename>
+
+the output filename. If this argument is not specified then standard output is
+used.  
+
+=item B<-passout password>
+
+the output file password. Since certain utilities like "ps" make the command line
+visible this option should be used with caution.
+
+=item B<-envpassout var>
+
+read the output file password from the environment variable B<var>.
+
 =item B<-des|-des3|-idea>
 
 These options encrypt the private key with the DES, triple DES, or the 
-IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
-If none of these options is specified no encryption is used.
+IDEA ciphers respectively before outputting it. If none of these options is
+specified no encryption is used. If encryption is used a pass phrase is prompted
+for if it is not supplied via the B<-passout> or B<-envpassout> arguments.
 
 =item B<-F4|-3>
 
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index 3643a19..3d2ed36 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -37,6 +37,10 @@
 [B<-keysig>]
 [B<-password password>]
 [B<-envpass var>]
+[B<-passin password>]
+[B<-envpassin var>]
+[B<-passout password>]
+[B<-envpassout var>]
 
 =head1 DESCRIPTION
 
@@ -64,15 +68,24 @@
 The filename to write certificates and private keys to, standard output by default.
 They are all written in PEM format.
 
-=item B<-pass password>
+=item B<-pass password>, B<-passin password>
 
-the PKCS#12 file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make
+the command line visible this option should be used with caution.
 
-=item B<-envpass var>
+=item B<-envpass var>, B<-envpassin password>
 
 read the PKCS#12 file password from the environment variable B<var>.
 
+=item B<-passout password>
+
+pass phrase to encrypt any outputed private keys with. Since certain utilities like
+"ps" make the command line visible this option should be used with caution.
+
+=item B<-envpass var>, B<-envpassin password>
+
+read the outputed private keys file password from the environment variable B<var>.
+
 =item B<-noout>
 
 this option inhibits output of the keys and certificates to the output file version
@@ -169,15 +182,24 @@
 appear. Netscape ignores friendly names on other certificates whereas MSIE
 displays them.
 
-=item B<-pass password>
+=item B<-pass password>, B<-passout password>
 
-the PKCS#12 file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps"
+make the command line visible this option should be used with caution.
 
-=item B<-envpass var>
+=item B<-envpass var>, B<-envpassout var>
 
 read the PKCS#12 file password from the environment variable B<var>.
 
+=item B<-passin password>
+
+pass phrase to decrypt the input private key with. Since certain utilities like
+"ps" make the command line visible this option should be used with caution.
+
+=item B<-envpassin password>
+
+read the input private key file password from the environment variable B<var>.
+
 =item B<-chain>
 
 if this option is present then an attempt is made to include the entire
@@ -277,9 +299,6 @@
 
 Some would argue that the PKCS#12 standard is one big bug :-)
 
-Need password options for the PEM files: this will probably be fixed before
-release.
-
 =head1 SEE ALSO
 
 L<pkcs8(1)|pkcs8(1)>
diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod
index c58768e..846b9a9 100644
--- a/doc/apps/spkac.pod
+++ b/doc/apps/spkac.pod
@@ -10,6 +10,8 @@
 [B<-in filename>]
 [B<-out filename>]
 [B<-key keyfile>]
+[B<-passin password>]
+[B<-envpassin var>]
 [B<-challenge string>]
 [B<-pubkey>]
 [B<-spkac spkacname>]
@@ -44,6 +46,17 @@
 B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
 present.
 
+=item B<-passin password>
+
+the private key file password. Since certain utilities like "ps" make the
+command line visible this option should be used with caution. Ignored if
+the B<-key> argument is not used.
+
+=item B<-envpassin var>
+
+read the private key file password from the environment variable B<var>.
+Ignored if the B<-key> argument is not used.
+
 =item B<-challenge string>
 
 specifies the challenge string if an SPKAC is being created.