diff --git a/doc/man1/openssl-asn1parse.pod.in b/doc/man1/openssl-asn1parse.pod.in index bafcc225d9..62b7e626ef 100644 --- a/doc/man1/openssl-asn1parse.pod.in +++ b/doc/man1/openssl-asn1parse.pod.in @@ -41,7 +41,7 @@ Print out a usage message. =item B<-inform> B|B The input format; the default is B. -See L for details. +See L for details. =item B<-in> I diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 64a7054d63..8442c4450b 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -156,7 +156,7 @@ The CA private key to sign requests with. This must match with B<-cert>. The format of the private key input file; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-sigopt> I:I @@ -186,7 +186,7 @@ Better use B<-passin>. The key password source for key files and certificate PKCS#12 files. For more information about the format of B -see L. +see L. =item B<-selfsign> diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index fc2bae1bce..f5872f2261 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -228,25 +228,25 @@ format message that has been signed or verified. The input format of the CMS structure (if one is being read); the default is B. -See L for details. +See L for details. =item B<-outform> B|B|B The output format of the CMS structure (if one is being written); the default is B. -See L for details. +See L for details. =item B<-keyform> B|B|B|B The format of the private key file; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-rctform> B|B|B The signed receipt format for use with the B<-receipt_verify>; the default is B. -See L for details. +See L for details. =item B<-stream>, B<-indef> @@ -293,7 +293,7 @@ is mainly useful for testing purposes. For the B<-cmsout> operation when B<-print> option is in use, specifies printing options for string fields. For most cases B is reasonable value. -See L for details. +See L for details. =item B<-md> I @@ -484,7 +484,7 @@ or to modify default parameters for ECDH. =item B<-passin> I The private key password source. For more information about the format of B -see L. +see L. =item B<-to>, B<-from>, B<-subject> diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in index 19e72f1b60..98404c7b4a 100644 --- a/doc/man1/openssl-crl.pod.in +++ b/doc/man1/openssl-crl.pod.in @@ -53,7 +53,7 @@ This option has no effect and is retained for backward compatibility only. =item B<-outform> B|B The CRL output format; the default is B. -See L for details. +See L for details. =item B<-key> I diff --git a/doc/man1/openssl-crl2pkcs7.pod.in b/doc/man1/openssl-crl2pkcs7.pod.in index bc39d6dcae..5dcd7a933b 100644 --- a/doc/man1/openssl-crl2pkcs7.pod.in +++ b/doc/man1/openssl-crl2pkcs7.pod.in @@ -34,12 +34,12 @@ Print out a usage message. =item B<-inform> B|B The input format of the CRL; the default is B. -See L for details. +See L for details. =item B<-outform> B|B The output format of the PKCS#7 object; the default is B. -See L for details. +See L for details. =item B<-in> I diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index 6276fab434..6679973c0e 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -110,7 +110,7 @@ command instead for this. The format of the key to sign with; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-sigopt> I:I @@ -120,7 +120,7 @@ Names and values of these options are algorithm-specific. =item B<-passin> I The private key password source. For more information about the format of I -see L. +see L. =item B<-verify> I diff --git a/doc/man1/openssl-dhparam.pod.in b/doc/man1/openssl-dhparam.pod.in index 2b67943f1f..778747df59 100644 --- a/doc/man1/openssl-dhparam.pod.in +++ b/doc/man1/openssl-dhparam.pod.in @@ -42,7 +42,7 @@ Print out a usage message. The input format and output format; the default is B. The object is compatible with the PKCS#3 B structure. -See L for details. +See L for details. =item B<-in> I diff --git a/doc/man1/openssl-dsa.pod.in b/doc/man1/openssl-dsa.pod.in index bce965c322..f1839341ed 100644 --- a/doc/man1/openssl-dsa.pod.in +++ b/doc/man1/openssl-dsa.pod.in @@ -58,7 +58,7 @@ Print out a usage message. =item B<-inform> B|B, B<-outform> B|B The input and formats; the default is B. -See L for details. +See L for details. Private keys are a sequence of B: the version (zero), B

, B, B, and the public and private key components. Public keys @@ -83,7 +83,7 @@ filename. The password source for the input and output file. For more information about the format of B -see L. +see L. =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> diff --git a/doc/man1/openssl-dsaparam.pod.in b/doc/man1/openssl-dsaparam.pod.in index 42aea39a06..f7c3eafb0f 100644 --- a/doc/man1/openssl-dsaparam.pod.in +++ b/doc/man1/openssl-dsaparam.pod.in @@ -39,7 +39,7 @@ Print out a usage message. =item B<-inform> B|B, B<-outform> B|B This option has become obsolete. -See L for details. +See L for details. Parameters are a sequence of Bs: B

, B, and B. This is compatible with RFC 2459 B structure. diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index 2ba107d031..befae6990b 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in @@ -55,12 +55,12 @@ Print out a usage message. The key input format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-outform> B|B The key output formats; the default is B. -See L for details. +See L for details. Private keys are an SEC1 private key or PKCS#8 format. Public keys are a B as specified in IETF RFC 3280. @@ -82,7 +82,7 @@ filename. The password source for the input and output file. For more information about the format of B -see L. +see L. =item B<-des>|B<-des3>|B<-idea> diff --git a/doc/man1/openssl-ecparam.pod.in b/doc/man1/openssl-ecparam.pod.in index a77ddd0128..26fd0af97b 100644 --- a/doc/man1/openssl-ecparam.pod.in +++ b/doc/man1/openssl-ecparam.pod.in @@ -46,7 +46,7 @@ Print out a usage message. =item B<-inform> B|B, B<-outform> B|B The input and formats; the default is B. -See L for details. +See L for details. Parameters are encoded as B as specified in IETF RFC 3279. diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index 675e360d5e..2665ddc2af 100644 --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -79,7 +79,7 @@ The output filename, standard output by default. =item B<-pass> I The password source. For more information about the format of I -see L. +see L. =item B<-e> diff --git a/doc/man1/openssl-format-options.pod b/doc/man1/openssl-format-options.pod new file mode 100644 index 0000000000..20b62f9b15 --- /dev/null +++ b/doc/man1/openssl-format-options.pod @@ -0,0 +1,143 @@ +=pod + +=head1 NAME + +openssl-format-options - OpenSSL command input and output format options + +=head1 SYNOPSIS + +B +I +[ I ... ] +[ I ... ] + +=head1 DESCRIPTION + +Several OpenSSL commands can take input or generate output in a variety +of formats. +Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from +files in any of the B, B or B formats, +while specifying their input format is no more needed. +In order to access a key via an engine the input format B may be used; +alternatively the key identifier in the argument of the respective key +option may be preceded by C. +See L for an example usage of the latter. + +=head1 OPTIONS + +=head2 Format Options + +The options to specify the format are as follows. +Refer to the individual man page to see which options are accepted. + +=over 4 + +=item B<-inform> I, B<-outform> I + +The format of the input or output streams. + +=item B<-keyform> I + +Format of a private key input source. +The only value with effect is B; all others have become obsolete. +See L for details. + +=item B<-CRLform> I + +Format of a CRL input source. + +=back + +=head2 Format Option Arguments + +The possible format arguments are described below. +Both uppercase and lowercase are accepted. + +The list of acceptable format arguments, and the default, +is described in each command documentation. + +=over 4 + +=item B + +A binary format, encoded or parsed according to Distinguished Encoding Rules +(DER) of the ASN.1 data language. + +=item B + +Used to specify that the cryptographic material is in an OpenSSL B. +An engine must be configured or specified using the B<-engine> option. +A password or PIN may be supplied to the engine using the B<-passin> option. + +=item B + +A DER-encoded file containing a PKCS#12 object. +It might be necessary to provide a decryption password to retrieve +the private key. + +=item B + +A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is +a block of base-64 encoding (defined in IETF RFC 4648), with specific +lines used to mark the start and end: + + Text before the BEGIN line is ignored. + ----- BEGIN object-type ----- + OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX + xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK + UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ== + ----- END object-type ----- + Text after the END line is also ignored + +The I must match the type of object that is expected. +For example a C will not match if the command +is trying to read a private key. The types supported include: + + ANY PRIVATE KEY + CERTIFICATE + CERTIFICATE REQUEST + CMS + DH PARAMETERS + DSA PARAMETERS + DSA PUBLIC KEY + EC PARAMETERS + EC PRIVATE KEY + ECDSA PUBLIC KEY + ENCRYPTED PRIVATE KEY + PARAMETERS + PKCS #7 SIGNED DATA + PKCS7 + PRIVATE KEY + PUBLIC KEY + RSA PRIVATE KEY + SSL SESSION PARAMETERS + TRUSTED CERTIFICATE + X509 CRL + X9.42 DH PARAMETERS + +The following legacy I's are also supported for compatibility +with earlier releases: + + DSA PRIVATE KEY + NEW CERTIFICATE REQUEST + RSA PUBLIC KEY + X509 CERTIFICATE + +=item B + +An S/MIME object as described in IETF RFC 8551. +Earlier versions were known as CMS and are compatible. +Note that the parsing is simple and might fail to parse some legal data. + +=back + +=head1 COPYRIGHT + +Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man1/openssl-gendsa.pod.in b/doc/man1/openssl-gendsa.pod.in index 3b7579c5a5..e62e0706cb 100644 --- a/doc/man1/openssl-gendsa.pod.in +++ b/doc/man1/openssl-gendsa.pod.in @@ -51,7 +51,7 @@ standard output is used. =item B<-passout> I The passphrase used for the output file. -See L. +See L. =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> diff --git a/doc/man1/openssl-genpkey.pod.in b/doc/man1/openssl-genpkey.pod.in index 97a60c6968..14b5767c94 100644 --- a/doc/man1/openssl-genpkey.pod.in +++ b/doc/man1/openssl-genpkey.pod.in @@ -47,14 +47,14 @@ standard output is used. =item B<-outform> B|B The output format, except when B<-genparam> is given; the default is B. -See L for details. +See L for details. When B<-genparam> is given, B<-outform> is ignored. =item B<-pass> I The output file password source. For more information about the format of I -see L. +see L. =item B<-I> diff --git a/doc/man1/openssl-genrsa.pod.in b/doc/man1/openssl-genrsa.pod.in index cc4ad6ae0d..f524bb860b 100644 --- a/doc/man1/openssl-genrsa.pod.in +++ b/doc/man1/openssl-genrsa.pod.in @@ -58,7 +58,7 @@ standard output is used. =item B<-passout> I The output file password source. For more information about the format -see L. +see L. =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> diff --git a/doc/man1/openssl-namefmt-options.pod b/doc/man1/openssl-namefmt-options.pod new file mode 100644 index 0000000000..d92abd406b --- /dev/null +++ b/doc/man1/openssl-namefmt-options.pod @@ -0,0 +1,179 @@ +=pod + +=head1 NAME + +openssl-namefmt-options - DN display options + +=head1 SYNOPSIS + +B +I +[ I ... ] +[ I ... ] + +=head1 DESCRIPTION + +OpenSSL provides fine-grain control over how the subject and issuer DN's are +displayed. +This is specified by using the B<-nameopt> option, which takes a +comma-separated list of options from the following set. +An option may be preceded by a minus sign, C<->, to turn it off. +The default value is C. +The first four are the most commonly used. + +=head1 OPTIONS + +=head2 Name Format Option Arguments + +The DN output format can be fine tuned with the following flags. + +=over 4 + +=item B + +Display the name using an old format from previous OpenSSL versions. + +=item B + +Display the name using the format defined in RFC 2253. +It is equivalent to B, B, B, B, +B, B, B, B, B +and B. + +=item B + +Display the name in one line, using a format that is more readable +RFC 2253. +It is equivalent to B, B, B, B, +B, B, B, B, +B and B options. + +=item B + +Display the name using multiple lines. +It is equivalent to B, B, B, B, +B and B. + +=item B + +Escape the "special" characters in a field, as required by RFC 2253. +That is, any of the characters C<,+"EE;>, C<#> at the beginning of +a string and leading or trailing spaces. + +=item B + +Escape the "special" characters in a field as required by RFC 2254 in a field. +That is, the B character and of C<()*>. + +=item B + +Escape non-printable ASCII characters, codes less than 0x20 (space) +or greater than 0x7F (DELETE). They are displayed using RFC 2253 C<\XX> +notation where B are the two hex digits representing the character value. + +=item B + +Escape any characters with the most significant bit set, that is with +values larger than 127, as described in B. + +=item B + +Escapes some characters by surrounding the entire string with quotation +marks, C<">. +Without this option, individual special characters are preceded with +a backslash character, C<\>. + +=item B + +Convert all strings to UTF-8 format first as required by RFC 2253. +If the output device is UTF-8 compatible, then using this option (and +not setting B) may give the correct display of multibyte +characters. +If this option is not set, then multibyte characters larger than 0xFF +will be output as C<\UXXXX> for 16 bits or C<\WXXXXXXXX> for 32 bits. +In addition, any UTF8Strings will be converted to their character form first. + +=item B + +This option does not attempt to interpret multibyte characters in any +way. That is, the content octets are merely dumped as though one octet +represents each character. This is useful for diagnostic purposes but +will result in rather odd looking output. + +=item B + +Display the type of the ASN1 character string before the value, +such as C. + +=item B + +Any fields that would be output in hex format are displayed using +the DER encoding of the field. +If not set, just the content octets are displayed. +Either way, the B<#XXXX...> format of RFC 2253 is used. + +=item B + +Dump non-character strings, such as ASN.1 B. +If this option is not set, then non character string types will be displayed +as though each content octet represents a single character. + +=item B + +Dump all fields. When this used with B, this allows the +DER encoding of the structure to be unambiguously determined. + +=item B + +Dump any field whose OID is not recognised by OpenSSL. + +=item B, B, B, +B + +Specify the field separators. The first word is used between the +Relative Distinguished Names (RDNs) and the second is between +multiple Attribute Value Assertions (AVAs). Multiple AVAs are +very rare and their use is discouraged. +The options ending in "space" additionally place a space after the separator to make it more readable. +The B starts each field on its own line, and uses "plus space" +for the AVA separator. +It also indents the fields by four characters. +The default value is B. + +=item B + +Reverse the fields of the DN as required by RFC 2253. +This also reverses the order of multiple AVAs in a field, but this is +permissible as there is no ordering on values. + +=item B, B, B, B + +Specify how the field name is displayed. +B does not display the field at all. +B uses the "short name" form (CN for commonName for example). +B uses the long form. +B represents the OID in numerical form and is useful for +diagnostic purpose. + +=item B + +Align field values for a more readable output. Only usable with +B. + +=item B + +Places spaces round the equal sign, C<=>, character which follows the field +name. + +=back + +=head1 COPYRIGHT + +Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index 614a4dae83..a3e9d3e504 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -314,7 +314,7 @@ specified in the B<-rsigner> option is used. =item B<-passin> I The private key password source. For more information about the format of I -see L. +see L. =item B<-rother> I diff --git a/doc/man1/openssl-passphrase-options.pod b/doc/man1/openssl-passphrase-options.pod new file mode 100644 index 0000000000..abc43fb41e --- /dev/null +++ b/doc/man1/openssl-passphrase-options.pod @@ -0,0 +1,75 @@ +=pod + +=head1 NAME + +openssl-passphrase-options - Pass phrase options + +=head1 SYNOPSIS + +B +I +[ I ... ] +[ I ... ] + +=head1 DESCRIPTION + +Several OpenSSL commands accept password arguments, typically using B<-passin> +and B<-passout> for input and output passwords respectively. These allow +the password to be obtained from a variety of sources. Both of these +options take a single argument whose format is described below. If no +password argument is given and a password is required then the user is +prompted to enter one: this will typically be read from the current +terminal with echoing turned off. + +Note that character encoding may be relevant, please see +L. + +=head1 OPTIONS + +=head2 Pass Phrase Option Arguments + +Pass phrase arguments can be formatted as follows. + +=over 4 + +=item BI + +The actual password is I. Since the password is visible +to utilities (like 'ps' under Unix) this form should only be used +where security is not important. + +=item BI + +Obtain the password from the environment variable I. Since +the environment of other processes is visible on certain platforms +(e.g. ps under certain Unix OSes) this option should be used with caution. + +=item BI + +The first line of I is the password. If the same I +argument is supplied to B<-passin> and B<-passout> arguments then the first +line will be used for the input password and the next line for the output +password. I need not refer to a regular file: it could for example +refer to a device or named pipe. + +=item BI + +Read the password from the file descriptor I. This can be used to +send the data via a pipe for example. + +=item B + +Read the password from standard input. + +=back + +=head1 COPYRIGHT + +Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 3b573be6d1..b9565144da 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -95,9 +95,10 @@ Print out a usage message. =item B<-passin> I -The password source for input files. +The password source for the input, and for encrypting any private keys that +are output. For more information about the format of B -see L. +see L. =item B<-passout> I diff --git a/doc/man1/openssl-pkcs7.pod.in b/doc/man1/openssl-pkcs7.pod.in index fff54d312a..3a28adc1ab 100644 --- a/doc/man1/openssl-pkcs7.pod.in +++ b/doc/man1/openssl-pkcs7.pod.in @@ -42,7 +42,7 @@ Print out a usage message. =item B<-inform> B|B, B<-outform> B|B The input and formats; the default is B. -See L for details. +See L for details. The data is a PKCS#7 Version 1.5 structure. diff --git a/doc/man1/openssl-pkcs8.pod.in b/doc/man1/openssl-pkcs8.pod.in index 968583ee0a..6ff6e8bc75 100644 --- a/doc/man1/openssl-pkcs8.pod.in +++ b/doc/man1/openssl-pkcs8.pod.in @@ -55,7 +55,7 @@ reversed: it reads a private key and writes a PKCS#8 format key. =item B<-inform> B|B, B<-outform> B|B The input and formats; the default is B. -See L for details. +See L for details. If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is not used) then the input file must be in PKCS#8 format. An encrypted @@ -88,7 +88,7 @@ prompted for. The password source for the input and output file. For more information about the format of B -see L. +see L. =item B<-out> I diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index b1afeb534b..14a8a63841 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in @@ -51,12 +51,12 @@ Print out a usage message. The key input format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-outform> B|B The key output formats; the default is B. -See L for details. +See L for details. =item B<-in> I|I @@ -68,7 +68,7 @@ prompted for. The password source for the input and output file. For more information about the format of B -see L. +see L. =item B<-out> I diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index a35c4dae65..b657440f7e 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -93,12 +93,12 @@ The input key, by default it should be a private key. The key format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-passin> I The input key password source. For more information about the format of I -see L. +see L. =item B<-peerkey> I @@ -108,7 +108,7 @@ The peer key file, used by key derivation (agreement) operations. The peer key format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-pubin> diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 8fa5191702..9b3242d28a 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -72,7 +72,7 @@ Print out a usage message. =item B<-inform> B|B, B<-outform> B|B The input and formats; the default is B. -See L for details. +See L for details. The data is a PKCS#10 object. @@ -104,7 +104,7 @@ which supports both options for good reasons. The password source for the input and output file. For more information about the format of B -see L. +see L. =item B<-out> I @@ -190,7 +190,7 @@ accepts PKCS#8 format private keys for PEM format files. The format of the private key; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-keyout> I diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in index f2e7f3474c..1eebef83ef 100644 --- a/doc/man1/openssl-rsa.pod.in +++ b/doc/man1/openssl-rsa.pod.in @@ -62,12 +62,12 @@ Print out a usage message. The key input format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-outform> B|B The key output format; the default is B. -See L for details. +See L for details. =item B<-traditional> @@ -84,7 +84,7 @@ prompted for. The password source for the input and output file. For more information about the format of B -see L. +see L. =item B<-out> I diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in index fed453b940..fca0fdbf4c 100644 --- a/doc/man1/openssl-rsautl.pod.in +++ b/doc/man1/openssl-rsautl.pod.in @@ -60,7 +60,7 @@ if this option is not specified. =item B<-passin> I The passphrase used in the output file. -See see L. +See see L. =item B<-rev> @@ -79,7 +79,7 @@ The input key, by default it should be an RSA private key. The key format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-pubin> diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index ddaa69c1b7..66fd051591 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -198,7 +198,7 @@ the network. Use with caution. The proxy password source, used with the B<-proxy_user> flag. For more information about the format of B -see L. +see L. =item B<-unix> I @@ -263,7 +263,7 @@ CRL file to use to check the server's certificate. =item B<-CRLform> B|B The CRL file format; the default is B. -See L for details. +See L for details. =item B<-crl_download> @@ -278,13 +278,13 @@ If not specified then the certificate file will be used to read also the key. The key format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-pass> I the private key and certifiate file password source. For more information about the format of I -see L. +see L. =item B<-verify> I diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index e568fbab0a..23693956a2 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -261,13 +261,13 @@ The private Key file to use for servername if not given via B<-cert2>. The key format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-pass> I The private key and certificate file password source. For more information about the format of I, -see L. +see L. =item B<-dcert> I, B<-dkey> I|I @@ -296,13 +296,13 @@ This option has no effect and is retained for backward compatibility only. The format of the additional private key; the default is B. The only value with effect is B; all others have become obsolete. -See L. +See L. =item B<-dpass> I The passphrase for the additional private key and certificate. For more information about the format of I, -see L. +see L. =item B<-nbio_test> @@ -335,7 +335,7 @@ The CRL file to use. =item B<-CRLform> B|B The CRL file format; the default is B. -See L for details. +See L for details. =item B<-crl_download> diff --git a/doc/man1/openssl-sess_id.pod.in b/doc/man1/openssl-sess_id.pod.in index 67cc0e7e2d..6af88b4c38 100644 --- a/doc/man1/openssl-sess_id.pod.in +++ b/doc/man1/openssl-sess_id.pod.in @@ -40,7 +40,7 @@ Print out a usage message. =item B<-inform> B|B, B<-outform> B|B|B The input and output formats; the default is PEM. -See L for details. +See L for details. For B output, the session ID and master key are reported in NSS "keylog" format. diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index aa2dfaf8c5..563340b152 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -117,19 +117,19 @@ format message that has been signed or verified. The input format of the PKCS#7 (S/MIME) structure (if one is being read); the default is B. -See L for details. +See L for details. =item B<-outform> B|B|B The output format of the PKCS#7 (S/MIME) structure (if one is being written); the default is B. -See L for details. +See L for details. =item B<-keyform> B|B|B|B The key format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-stream>, B<-indef>, B<-noindef> @@ -270,7 +270,7 @@ multiple times to specify successive keys. =item B<-passin> I The private key password source. For more information about the format of I -see L. +see L. =item B<-to>, B<-from>, B<-subject> diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in index 31df6b3b59..2a596ed314 100644 --- a/doc/man1/openssl-spkac.pod.in +++ b/doc/man1/openssl-spkac.pod.in @@ -62,12 +62,12 @@ present. The key format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-passin> I The input file password source. For more information about the format of I -see L. +see L. =item B<-challenge> I diff --git a/doc/man1/openssl-srp.pod.in b/doc/man1/openssl-srp.pod.in index 930b128506..8a2730265f 100644 --- a/doc/man1/openssl-srp.pod.in +++ b/doc/man1/openssl-srp.pod.in @@ -70,7 +70,7 @@ adding or modifying a user. The password source for the input and output file. For more information about the format of B -see L. +see L. {- $OpenSSL::safe::opt_engine_item -} diff --git a/doc/man1/openssl-storeutl.pod.in b/doc/man1/openssl-storeutl.pod.in index b831310695..404639e6fd 100644 --- a/doc/man1/openssl-storeutl.pod.in +++ b/doc/man1/openssl-storeutl.pod.in @@ -55,7 +55,7 @@ this option prevents output of the PEM data. =item B<-passin> I the key password source. For more information about the format of I -see L. +see L. =item B<-text> diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index c74f71b10a..d91d06f0fd 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -336,8 +336,8 @@ all intermediate CA certificates unless the response includes them. =item B<-CAfile> I, B<-CApath> I

, B<-CAstore> I -See L for details. -At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified. +See L for details. +At least one of B<-CAfile>, B<-CApath> or B<-CAstore> must be specified. {- $OpenSSL::safe::opt_v_item -} diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index 8d7b2c1c67..af1c7e3a43 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -74,6 +74,61 @@ valid. If any operation fails then the certificate is not valid. =head1 OPTIONS +=head2 Trusted Certificate Options + +The following options specify how to select the trusted root certificates, +also known as trust anchors. +A collection of trusted roots is called a I. + +Note that OpenSSL does not provide a default set of trust anchors. Many +Linux distributions include a system default and configure OpenSSL to point +to that. Mozilla maintains an influential trust store that can be found at +L. + +The certificates to trust can be specified using following options. + +=over 4 + +=item B<-CAfile> I + +Load the specified file which contains one or more PEM-format certificates +of CA's that are trusted. + +=item B<-no-CAfile> + +Do not load the default file of trusted certificates. + +=item B<-CApath> I + +Use the specified directory as a list of trust certificates. That is, +files should be named with the hash of the X.509 SubjectName of each +certificate. This is so that the library can extract the IssuerName, +hash it, and directly lookup the file to get the issuer certificate. +See L for information on creating this type of directory. + +=item B<-no-CApath> + +Do not use the default directory of trusted certificates. + +=item B<-CAstore> I + +Use I as a store of trusted CA certificates. The URI may +indicate a single certificate, as well as a collection of them. +With URIs in the C scheme, this acts as B<-CAfile> or +B<-CApath>, depending on if the URI indicates a single file or +directory. +See L for more information on the C scheme. + +These certificates are also used when building the server certificate +chain (for example with L) or client certificate +chain (for example with L). + +=item B<-no-CAstore> + +Do not use the default store. + +=back + =head2 Verification Options The certificate verification can be fine-tuned with the following flags. diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index ffa2ab4aed..a3f7639284 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -101,7 +101,7 @@ Print out a usage message. =item B<-inform> B|B The CSR input format; the default is B. -See L for details. +See L for details. The input is normally an X.509 certificate file of any format, but this can change if other options such as B<-req> are used. @@ -109,7 +109,7 @@ but this can change if other options such as B<-req> are used. B<-outform> B|B The output format; the default is B. -See L for details. +See L for details. =item B<-in> I @@ -382,7 +382,7 @@ Names and values of these options are algorithm-specific. The key and certificate file password source. For more information about the format of I -see L. +see L. =item B<-clrext> @@ -395,7 +395,7 @@ retained. The key format; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-CAform> B|B|B, @@ -406,7 +406,7 @@ This option has no effect and is retained for backward compatibility. The format for the CA key; the default is B. The only value with effect is B; all others have become obsolete. -See L for details. +See L for details. =item B<-days> I diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index b10ff1cf8c..9daa13189e 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -523,215 +523,11 @@ parameters start with a minus sign: =head2 Format Options -Several OpenSSL commands can take input or generate output in a variety -of formats. -Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from -files in any of the B, B or B formats, -while specifying their input format is no more needed. -In order to access a key via an engine the input format B may be used; -alternatively the key identifier in the argument of the respective key -option may be preceded by C. -See L for an example usage of the latter. - -The list of acceptable formats, and the default, is -described in each command documentation. The list of formats is -described below. Both uppercase and lowercase are accepted. - -=over 4 - -=item B - -A binary format, encoded or parsed according to Distinguished Encoding Rules -(DER) of the ASN.1 data language. - -=item B - -Used to specify that the cryptographic material is in an OpenSSL B. -An engine must be configured or specified using the B<-engine> option. -A password or PIN may be supplied to the engine using the B<-passin> option. - -=item B - -A DER-encoded file containing a PKCS#12 object. -It might be necessary to provide a decryption password to retrieve -the private key. - -=item B - -A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is -a block of base-64 encoding (defined in IETF RFC 4648), with specific -lines used to mark the start and end: - - Text before the BEGIN line is ignored. - ----- BEGIN object-type ----- - OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX - xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK - UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ== - ----- END object-type ----- - Text after the END line is also ignored - -The I must match the type of object that is expected. -For example a C will not match if the command -is trying to read a private key. The types supported include: - - ANY PRIVATE KEY - CERTIFICATE - CERTIFICATE REQUEST - CMS - DH PARAMETERS - DSA PARAMETERS - DSA PUBLIC KEY - EC PARAMETERS - EC PRIVATE KEY - ECDSA PUBLIC KEY - ENCRYPTED PRIVATE KEY - PARAMETERS - PKCS #7 SIGNED DATA - PKCS7 - PRIVATE KEY - PUBLIC KEY - RSA PRIVATE KEY - SSL SESSION PARAMETERS - TRUSTED CERTIFICATE - X509 CRL - X9.42 DH PARAMETERS - -The following legacy I's are also supported for compatibility -with earlier releases: - - DSA PRIVATE KEY - NEW CERTIFICATE REQUEST - RSA PUBLIC KEY - X509 CERTIFICATE - -=item B - -An S/MIME object as described in IETF RFC 8551. -Earlier versions were known as CMS and are compatible. -Note that the parsing is simple and might fail to parse some legal data. - -=back - -The options to specify the format are as follows. Refer to the individual -man page to see which options are accepted. - -=over 4 - -=item B<-inform> I, B<-outform> I - -The format of the input or output streams. - -=item B<-keyform> I - -Format of a private key input source. -The only value with effect is B; all others have become obsolete. -See L for details. - -=item B<-CRLform> I - -Format of a CRL input source. - -=back +See L for manual page. =head2 Pass Phrase Options -Several commands accept password arguments, typically using B<-passin> -and B<-passout> for input and output passwords respectively. These allow -the password to be obtained from a variety of sources. Both of these -options take a single argument whose format is described below. If no -password argument is given and a password is required then the user is -prompted to enter one: this will typically be read from the current -terminal with echoing turned off. - -Note that character encoding may be relevant, please see -L. - -=over 4 - -=item BI - -The actual password is I. Since the password is visible -to utilities (like 'ps' under Unix) this form should only be used -where security is not important. - -=item BI - -Obtain the password from the environment variable I. Since -the environment of other processes is visible on certain platforms -(e.g. ps under certain Unix OSes) this option should be used with caution. - -=item BI - -The first line of I is the password. If the same I -argument is supplied to B<-passin> and B<-passout> arguments then the first -line will be used for the input password and the next line for the output -password. I need not refer to a regular file: it could for example -refer to a device or named pipe. - -=item BI - -Read the password from the file descriptor I. This can be used to -send the data via a pipe for example. - -=item B - -Read the password from standard input. - -=back - -=head2 Trusted Certificate Options - -Part of validating a certificate includes verifying that the chain of CA's -can be traced up to an existing trusted root. The following options specify -how to list the trusted roots, also known as trust anchors. A collection -of trusted roots is called a I. - -Note that OpenSSL does not provide a default set of trust anchors. Many -Linux distributions include a system default and configure OpenSSL to point -to that. Mozilla maintains an influential trust store that can be found at -L. - -=over 4 - -=item B<-CAfile> I - -Load the specified file which contains one or more PEM-format certificates -of CA's that are trusted. - -=item B<-no-CAfile> - -Do not load the default file of trusted certificates. - -=item B<-CApath> I - -Use the specified directory as a list of trust certificates. That is, -files should be named with the hash of the X.509 SubjectName of each -certificate. This is so that the library can extract the IssuerName, -hash it, and directly lookup the file to get the issuer certificate. -See L for information on creating this type of directory. - -=item B<-no-CApath> - -Do not use the default directory of trusted certificates. - -=item B<-CAstore> I - -Use I as a store of trusted CA certificates. The URI may -indicate a single certificate, as well as a collection of them. -With URIs in the C scheme, this acts as B<-CAfile> or -B<-CApath>, depending on if the URI indicates a single file or -directory. -See L for more information on the C scheme. - -These certificates are also used when building the server certificate -chain (for example with L) or client certificate -chain (for example with L). - -=item B<-no-CAstore> - -Do not use the default store. - -=back +See the L manual page. =head2 Random State Options @@ -763,159 +559,13 @@ This file can be used in a subsequent command invocation. =back -=head2 Verification Options +=head2 Certificate Verification Options See the L manual page. =head2 Name Format Options -OpenSSL provides fine-grain control over how the subject and issuer DN's are -displayed. -This is specified by using the B<-nameopt> option, which takes a -comma-separated list of options from the following set. -An option may be preceded by a minus sign, C<->, to turn it off. -The default value is C. -The first four are the most commonly used. - -=over 4 - -=item B - -Display the name using an old format from previous OpenSSL versions. - -=item B - -Display the name using the format defined in RFC 2253. -It is equivalent to B, B, B, B, -B, B, B, B, B -and B. - -=item B - -Display the name in one line, using a format that is more readable -RFC 2253. -It is equivalent to B, B, B, B, -B, B, B, B, -B and B options. - -=item B - -Display the name using multiple lines. -It is equivalent to B, B, B, B, -B and B. - -=item B - -Escape the "special" characters in a field, as required by RFC 2253. -That is, any of the characters C<,+"EE;>, C<#> at the beginning of -a string and leading or trailing spaces. - -=item B - -Escape the "special" characters in a field as required by RFC 2254 in a field. -That is, the B character and of C<()*>. - -=item B - -Escape non-printable ASCII characters, codes less than 0x20 (space) -or greater than 0x7F (DELETE). They are displayed using RFC 2253 C<\XX> -notation where B are the two hex digits representing the character value. - -=item B - -Escape any characters with the most significant bit set, that is with -values larger than 127, as described in B. - -=item B - -Escapes some characters by surrounding the entire string with quotation -marks, C<">. -Without this option, individual special characters are preceded with -a backslash character, C<\>. - -=item B - -Convert all strings to UTF-8 format first as required by RFC 2253. -If the output device is UTF-8 compatible, then using this option (and -not setting B) may give the correct display of multibyte -characters. -If this option is not set, then multibyte characters larger than 0xFF -will be output as C<\UXXXX> for 16 bits or C<\WXXXXXXXX> for 32 bits. -In addition, any UTF8Strings will be converted to their character form first. - -=item B - -This option does not attempt to interpret multibyte characters in any -way. That is, the content octets are merely dumped as though one octet -represents each character. This is useful for diagnostic purposes but -will result in rather odd looking output. - -=item B - -Display the type of the ASN1 character string before the value, -such as C. - -=item B - -Any fields that would be output in hex format are displayed using -the DER encoding of the field. -If not set, just the content octets are displayed. -Either way, the B<#XXXX...> format of RFC 2253 is used. - -=item B - -Dump non-character strings, such as ASN.1 B. -If this option is not set, then non character string types will be displayed -as though each content octet represents a single character. - -=item B - -Dump all fields. When this used with B, this allows the -DER encoding of the structure to be unambiguously determined. - -=item B - -Dump any field whose OID is not recognised by OpenSSL. - -=item B, B, B, -B - -Specify the field separators. The first word is used between the -Relative Distinguished Names (RDNs) and the second is between -multiple Attribute Value Assertions (AVAs). Multiple AVAs are -very rare and their use is discouraged. -The options ending in "space" additionally place a space after the separator to make it more readable. -The B starts each field on its own line, and uses "plus space" -for the AVA separator. -It also indents the fields by four characters. -The default value is B. - -=item B - -Reverse the fields of the DN as required by RFC 2253. -This also reverses the order of multiple AVAs in a field, but this is -permissible as there is no ordering on values. - -=item B, B, B, B - -Specify how the field name is displayed. -B does not display the field at all. -B uses the "short name" form (CN for commonName for example). -B uses the long form. -B represents the OID in numerical form and is useful for -diagnostic purpose. - -=item B - -Align field values for a more readable output. Only usable with -B. - -=item B - -Places spaces round the equal sign, C<=>, character which follows the field -name. - -=back +See the L manual page. =head2 TLS Version Options diff --git a/doc/perlvars.pm b/doc/perlvars.pm index 6fd71da15c..c13e224197 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -79,7 +79,7 @@ $OpenSSL::safe::opt_name_item = "" . "=item B<-nameopt> I