=pod

=for comment
Original text by James Westby, contributed under the OpenSSL license.

=head1 NAME

openssl-c_rehash, openssl-rehash,
c_rehash, rehash - Create symbolic links to files named by the hash values

=head1 SYNOPSIS

B<openssl>
B<rehash>
B<[-h]>
B<[-help]>
B<[-old]>
B<[-n]>
B<[-v]>
[ I<directory>...]

B<c_rehash>
I<flags...>

=head1 DESCRIPTION

On some platforms, the OpenSSL B<rehash> command is available as
an external script called B<c_rehash>. They are functionally equivalent,
except for minor differences noted below.

B<rehash> scans directories and calculates a hash value of each
C<.pem>, C<.crt>, C<.cer>, or C<.crl>
file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value.
(If the platform does not support symbolic links, a copy is made.)
This utility is useful as many programs that use OpenSSL require
directories to be set up like this in order to find certificates.

If any directories are named on the command line, then those are
processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
is consulted; this should be a colon-separated list of directories,
like the Unix B<PATH> variable.
If that is not set then the default directory (installation-specific
but often B</usr/local/ssl/certs>) is processed.

In order for a directory to be processed, the user must have write
permissions on that directory, otherwise an error will be generated.

The links created are of the form C<HHHHHHHH.D>, where each B<H>
is a hexadecimal character and B<D> is a single decimal digit.
When processing a directory, B<rehash> will first remove all links
that have a name in that syntax, even if they are being used for some
other purpose.
To skip the removal step, use the B<-n> flag.
Hashes for CRLs look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>.

Multiple objects may have the same hash; they will be indicated by
incrementing the B<D> value. Duplicates are found by comparing the
full SHA-1 fingerprint. A warning will be displayed if a duplicate
is found.

A warning will also be displayed if there are files that
cannot be parsed as either a certificate or a CRL or if
more than one such object appears in the file.

=head2 Script Configuration

The B<c_rehash> script
uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Any program can be used; it will be invoked as follows for either
a certificate or CRL:

    $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
    $OPENSSL crl -hash -fingerprint -noout -in FILENAME

where B<FILENAME> is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.
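The following is an added illustration of the rules described above (the C<HHHHHHHH.D> / C<HHHHHHHH.rD> link names, the pre-removal of existing links unless B<-n> is given, the per-hash B<D> counter, and duplicate detection by full fingerprint). It is not code from the OpenSSL manual or from B<c_rehash> itself; the function names, the C<SAMPLE_ENTRIES> and the two-line C<$OPENSSL> output they carry are constructed for this example. It only plans the links and never touches the filesystem, so it runs offline.

```python
import re
from collections import OrderedDict

# Names that rehash treats as its own links: eight hex digits, a period,
# an optional "r" (CRL), then one or more decimal digits. Anything of this
# form is removed before relinking unless -n is given.
LINK_NAME_RE = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def is_hash_link(name):
    """True if a directory entry has the HHHHHHHH.D or HHHHHHHH.rD form."""
    return LINK_NAME_RE.match(name) is not None


def links_to_remove(existing_names, keep_existing=False):
    """Entries the removal step would delete; keep_existing models the -n flag."""
    if keep_existing:
        return []
    return [n for n in existing_names if is_hash_link(n)]


def parse_hash_output(text):
    """Parse what c_rehash expects from $OPENSSL: the hash on the first line
    and the fingerprint on the second, each optionally prefixed with
    'some text='. Returns (hash, fingerprint)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("expected a hash line followed by a fingerprint line")
    hash_value = lines[0].rsplit("=", 1)[-1].strip().lower()
    fingerprint = lines[1].rsplit("=", 1)[-1].strip().upper()
    if not re.fullmatch(r"[0-9a-f]{8}", hash_value):
        raise ValueError("hash line is not eight hex digits: %r" % lines[0])
    return hash_value, fingerprint


def plan_links(entries):
    """entries: iterable of (filename, kind, openssl_output) with kind being
    'cert' or 'crl' (assumed labels for this example).
    Returns (links, warnings): links maps link name -> target filename;
    warnings lists the duplicate-fingerprint messages."""
    links = OrderedDict()
    seen = {}      # (kind, fingerprint) -> filename that already got a link
    counters = {}  # (kind, hash) -> next D suffix to hand out
    warnings = []
    for filename, kind, output in entries:
        hash_value, fingerprint = parse_hash_output(output)
        key = (kind, fingerprint)
        if key in seen:
            # Same object again (identical full fingerprint): warn, no new link.
            warnings.append("WARNING: Skipping duplicate %s %s (same as %s)"
                            % (kind, filename, seen[key]))
            continue
        seen[key] = filename
        # A different object with the same hash gets the next D value.
        suffix = counters.get((kind, hash_value), 0)
        counters[(kind, hash_value)] = suffix + 1
        link = "%s.%s%d" % (hash_value, "r" if kind == "crl" else "", suffix)
        links[link] = filename
    return links, warnings


# Constructed sample: two files holding the same certificate, a third
# certificate whose subject hash collides with it, and one CRL.
SAMPLE_ENTRIES = [
    ("ca-root.pem", "cert",
     "2e5ac55d\nSHA1 Fingerprint=AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01\n"),
    ("ca-root-copy.pem", "cert",
     "2e5ac55d\nSHA1 Fingerprint=AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01\n"),
    ("other-ca.pem", "cert",
     "2e5ac55d\nSHA1 Fingerprint=11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00\n"),
    ("revoked.crl", "crl",
     "2e5ac55d\nSHA1 Fingerprint=99:88:77:66:55:44:33:22:11:00:99:88:77:66:55:44:33:22:11:00\n"),
]

# Constructed directory listing as it might look before the removal step.
SAMPLE_EXISTING = ["ca-root.pem", "2e5ac55d.0", "2e5ac55d.r0", "README", "deadbeef.3"]


if __name__ == "__main__":
    for name in links_to_remove(SAMPLE_EXISTING):
        print("would remove", name)
    planned, warns = plan_links(SAMPLE_ENTRIES)
    for link, target in planned.items():
        print("%s -> %s" % (link, target))
    for w in warns:
        print(w)
```

Running the block prints the three managed names that would be cleared, then the plan C<2e5ac55d.0 -E<gt> ca-root.pem>, C<2e5ac55d.1 -E<gt> other-ca.pem>, C<2e5ac55d.r0 -E<gt> revoked.crl>, and one duplicate warning for C<ca-root-copy.pem>. Note that C<README> and C<ca-root.pem> survive the removal step because they do not match the link syntax, while C<deadbeef.3> does not, whatever it was being used for.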

=head1 OPTIONS

=over 4

=item B<-help> B<-h>

Display a brief usage message.

=item B<-old>

Use old-style hashing (MD5, as opposed to SHA-1) for generating
links to be used for releases before 1.0.0.
Note that current versions will not use the old style.

=item B<-n>

Do not remove existing links.
This is needed when keeping new and old-style links in the same directory.

=item B<-compat>

Generate links for both old-style (MD5) and new-style (SHA-1) hashing.
This allows releases before 1.0.0 to use these links alongside newer
releases.

=item B<-v>

Print messages about old links removed and new links created.
By default, B<rehash> only lists each directory as it is processed.

=back

=head1 ENVIRONMENT

=over 4

=item B<OPENSSL>

The path to an executable to use to generate hashes and
fingerprints (see above).

=item B<SSL_CERT_DIR>

Colon-separated list of directories to operate on.
Ignored if directories are listed on the command line.

=back

=head1 SEE ALSO

L<openssl(1)>,
L<crl(1)>,
L<x509(1)>.

=head1 COPYRIGHT

Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut