} OPTION_CHOICE;
const OPTIONS asn1parse_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"oid", OPT_OID, '<', "file of extra oid definitions"},
+
+ OPT_SECTION("I/O"),
{"inform", OPT_INFORM, 'F', "input format - one of DER PEM"},
{"in", OPT_IN, '<', "input file"},
{"out", OPT_OUT, '>', "output file (output format is always DER)"},
- {"i", OPT_INDENT, 0, "indents the output"},
{"noout", OPT_NOOUT, 0, "do not produce any output"},
{"offset", OPT_OFFSET, 'p', "offset into file"},
{"length", OPT_LENGTH, 'p', "length of section in file"},
- {"oid", OPT_OID, '<', "file of extra oid definitions"},
- {"dump", OPT_DUMP, 0, "unknown data in hex form"},
- {"dlimit", OPT_DLIMIT, 'p',
- "dump the first arg bytes of unknown data in hex form"},
{"strparse", OPT_STRPARSE, 'p',
"offset; a series of these can be used to 'dig'"},
- {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
{"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
+ {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
{"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
- {OPT_MORE_STR, 0, 0, "(-inform will be ignored)"},
{"strictpem", OPT_STRICTPEM, 0,
"do not attempt base64 decode outside PEM markers"},
{"item", OPT_ITEM, 's', "item to parse and print"},
+ {OPT_MORE_STR, 0, 0, "(-inform will be ignored)"},
+
+ OPT_SECTION("Formatting"),
+ {"i", OPT_INDENT, 0, "indents the output"},
+ {"dump", OPT_DUMP, 0, "unknown data in hex form"},
+ {"dlimit", OPT_DLIMIT, 'p',
+ "dump the first arg bytes of unknown data in hex form"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS ca_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"verbose", OPT_VERBOSE, '-', "Verbose output during processing"},
+ {"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
+ {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"},
+ {"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
+ {"out", OPT_OUT, '>', "Where to put the output file(s)"},
+ {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
+ {"batch", OPT_BATCH, '-', "Don't ask questions"},
+ {"msie_hack", OPT_MSIE_HACK, '-',
+ "msie modifications to handle all Universal Strings"},
+ {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"},
+ {"spkac", OPT_SPKAC, '<',
+ "File contains DN and signed public key and challenge"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+
+ OPT_SECTION("Configuration"),
{"config", OPT_CONFIG, 's', "A config file"},
{"name", OPT_NAME, 's', "The particular CA definition to use"},
+ {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
+
+ OPT_SECTION("Certificate"),
{"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
{"create_serial", OPT_CREATE_SERIAL, '-',
{"enddate", OPT_ENDDATE, 's',
"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
{"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
+ {"extensions", OPT_EXTENSIONS, 's',
+ "Extension section (override value in config file)"},
+ {"extfile", OPT_EXTFILE, '<',
+ "Configuration file with X509v3 extensions to add"},
+#ifndef OPENSSL_NO_SM2
+ {"sm2-id", OPT_SM2ID, 's',
+ "Specify an ID string to verify an SM2 certificate request"},
+ {"sm2-hex-id", OPT_SM2HEXID, 's',
+ "Specify a hex ID string to verify an SM2 certificate request"},
+#endif
+ {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"},
+ {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
+
+ OPT_SECTION("Signing"),
{"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
- {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
{"keyfile", OPT_KEYFILE, 's', "Private key"},
{"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"cert", OPT_CERT, '<', "The CA cert"},
{"selfsign", OPT_SELFSIGN, '-',
"Sign a cert with the key associated with it"},
- {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"},
- {"out", OPT_OUT, '>', "Where to put the output file(s)"},
- {"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
- {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
- {"batch", OPT_BATCH, '-', "Don't ask questions"},
- {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"},
- {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
+
+ OPT_SECTION("Revocation"),
{"gencrl", OPT_GENCRL, '-', "Generate a new CRL"},
- {"msie_hack", OPT_MSIE_HACK, '-',
- "msie modifications to handle all those universal strings"},
- {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"},
- {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"},
- {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"},
- {"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
- {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"},
- {"spkac", OPT_SPKAC, '<',
- "File contains DN and signed public key and challenge"},
- {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"},
{"valid", OPT_VALID, 's',
"Add a Valid(not-revoked) DB entry about a cert (given in file)"},
- {"extensions", OPT_EXTENSIONS, 's',
- "Extension section (override value in config file)"},
- {"extfile", OPT_EXTFILE, '<',
- "Configuration file with X509v3 extensions to add"},
{"status", OPT_STATUS, 's', "Shows cert status given the serial number"},
{"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"},
{"crlexts", OPT_CRLEXTS, 's',
"sets compromise time to val and the revocation reason to keyCompromise"},
{"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's',
"sets compromise time to val and the revocation reason to CACompromise"},
+ {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"},
+ {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"},
+ {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"},
+ {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"},
+
OPT_R_OPTIONS,
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
-#ifndef OPENSSL_NO_SM2
- {"sm2-id", OPT_SM2ID, 's',
- "Specify an ID string to verify an SM2 certificate request"},
- {"sm2-hex-id", OPT_SM2HEXID, 's',
- "Specify a hex ID string to verify an SM2 certificate request"},
-#endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS ciphers_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+
+ OPT_SECTION("Output"),
{"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
{"V", OPT_UPPER_V, '-', "Even more verbose"},
+ {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
+ {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
+
+ OPT_SECTION("Cipher specification"),
{"s", OPT_S, '-', "Only supported ciphers"},
#ifndef OPENSSL_NO_SSL3
- {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
+ {"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"},
#endif
#ifndef OPENSSL_NO_TLS1
- {"tls1", OPT_TLS1, '-', "TLS1 mode"},
+ {"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"},
#endif
#ifndef OPENSSL_NO_TLS1_1
- {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
+ {"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"},
#endif
#ifndef OPENSSL_NO_TLS1_2
- {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
+ {"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"},
#endif
#ifndef OPENSSL_NO_TLS1_3
- {"tls1_3", OPT_TLS1_3, '-', "TLS1.3 mode"},
+ {"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"},
#endif
- {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
#ifndef OPENSSL_NO_PSK
- {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
+ {"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"},
#endif
#ifndef OPENSSL_NO_SRP
- {"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"},
+ {"srp", OPT_SRP, '-', "Include ciphersuites requiring SRP"},
#endif
- {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
{"ciphersuites", OPT_CIPHERSUITES, 's',
"Configure the TLSv1.3 ciphersuites to use"},
{NULL}
{OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},
{OPT_HELP_STR, 1, '-',
" cert.pem... recipient certs for encryption\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
{"outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER"},
{"in", OPT_IN, '<', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
+ {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
+ "Disable MMA protection and return an error if no recipient found"
+ " (see documentation)"},
+ {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
+ {"indef", OPT_INDEF, '-', "Same as -stream"},
+ {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
+ {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
+ {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+ {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
+ {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Action"),
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
{"sign", OPT_SIGN, '-', "Sign message"},
"Exit non-zero on verification failure"},
{"verify_receipt", OPT_VERIFY_RECEIPT, '<',
"Verify receipts; exit if receipt signatures do not verify"},
- {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
- {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
- {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
{"digest_verify", OPT_DIGEST_VERIFY, '-',
"Verify a CMS \"DigestedData\" object and output it"},
{"digest_create", OPT_DIGEST_CREATE, '-',
"Create a CMS \"DigestedData\" object"},
{"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"},
- {"uncompress", OPT_UNCOMPRESS, '-', "Uncompress a CMS \"CompressedData\" object"},
+ {"uncompress", OPT_UNCOMPRESS, '-',
+ "Uncompress a CMS \"CompressedData\" object"},
{"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
"Decrypt CMS \"EncryptedData\" object using symmetric key"},
{"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
"Create CMS \"EncryptedData\" object using symmetric key"},
- {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
- "Disable MMA protection and return an error if no recipient found"
- " (see documentation)"},
+ {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
+ {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
+ {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
+ {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
+ "Do not verify signed content signatures"},
+ {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
+ "Do not verify signed attribute signatures"},
+ {"nointern", OPT_NOINTERN, '-',
+ "Don't search certificates in message for signer"},
+ {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
+
+ OPT_SECTION("Formatting"),
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
{"asciicrlf", OPT_ASCIICRLF, '-',
"Perform CRLF canonicalisation when signing"},
- {"nointern", OPT_NOINTERN, '-',
- "Don't search certificates in message for signer"},
- {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
- {"nocerts", OPT_NOCERTS, '-',
- "Don't include signers certificate when signing"},
- {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
{"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
+ {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"binary", OPT_BINARY, '-', "Don't translate message to text"},
{"keyid", OPT_KEYID, '-', "Use subject key identifier"},
{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
- {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
- "Do not verify signed content signatures"},
- {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
- "Do not verify signed attribute signatures"},
- {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
- {"indef", OPT_INDEF, '-', "Same as -stream"},
- {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
- {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
- {"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"},
+ {"nocerts", OPT_NOCERTS, '-',
+ "Don't include signers certificate when signing"},
+ {"noout", OPT_NOOUT, '-',
+ "For the -cmsout operation do not output the parsed CMS structure"},
{"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
{"receipt_request_all", OPT_RR_ALL, '-',
"When signing, create a receipt request for all recipients"},
"When signing, create a receipt request for first recipient"},
{"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
{"certfile", OPT_CERTFILE, '<', "Other certificates file"},
- {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
- {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
- {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"},
- {"no-CAfile", OPT_NOCAFILE, '-',
- "Do not load the default certificates file"},
- {"no-CApath", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates directory"},
- {"no-CAstore", OPT_NOCASTORE, '-',
- "Do not load certificates from the default certificates store"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
{"print", OPT_PRINT, '-',
"For the -cmsout operation print out all fields of the CMS structure"},
+ {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
+
+ OPT_SECTION("Keying"),
{"secretkey", OPT_SECRETKEY, 's',
"Use specified hex-encoded key to decrypt/encrypt recipients or content"},
{"secretkeyid", OPT_SECRETKEYID, 's',
"Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
{"pwri_password", OPT_PWRI_PASSWORD, 's',
"Specific password for recipient"},
- {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ {"inkey", OPT_INKEY, 's',
+ "Input private key (if not signer or recipient)"},
+ {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
+ {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
+
+ OPT_SECTION("Mail header"),
+ {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
{"to", OPT_TO, 's', "To address"},
{"from", OPT_FROM, 's', "From address"},
{"subject", OPT_SUBJECT, 's', "Subject"},
{"signer", OPT_SIGNER, 's', "Signer certificate file"},
{"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
- {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
- {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
- {"inkey", OPT_INKEY, 's',
- "Input private key (if not signer or recipient)"},
- {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
- {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
{"receipt_request_from", OPT_RR_FROM, 's',
"Create signed receipt request with specified email address"},
{"receipt_request_to", OPT_RR_TO, 's',
"Create signed receipt targeted to specified address"},
+
+ OPT_SECTION("Encryption"),
+ {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
- OPT_R_OPTIONS,
- OPT_V_OPTIONS,
+
+ OPT_SECTION("Key-wrapping"),
{"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
{"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
{"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
# ifndef OPENSSL_NO_DES
{"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
# endif
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+
+ OPT_R_OPTIONS,
+ OPT_V_OPTIONS,
{NULL}
};
} OPTION_CHOICE;
const OPTIONS crl_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'F', "Input format; default PEM"},
+ {"verify", OPT_VERIFY, '-', "Verify CRL signature"},
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file - default stdin"},
- {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
- {"out", OPT_OUT, '>', "output file - default stdout"},
- {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"},
+ {"inform", OPT_INFORM, 'F', "Input format; default PEM"},
{"key", OPT_KEY, '<', "CRL signing Private key to use"},
+ {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "output file - default stdout"},
+ {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
+ {"text", OPT_TEXT, '-', "Print out a text format version"},
+ {"hash", OPT_HASH, '-', "Print hash value"},
+#ifndef OPENSSL_NO_MD5
+ {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
+#endif
+ {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"", OPT_MD, '-', "Any supported digest"},
+
+ OPT_SECTION("CRL"),
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
{"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"},
{"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"},
{"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
{"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
{"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"},
+
+ OPT_SECTION("Certificate"),
{"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
{"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
{"CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI"},
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
- {"verify", OPT_VERIFY, '-', "Verify CRL signature"},
- {"text", OPT_TEXT, '-', "Print out a text format version"},
- {"hash", OPT_HASH, '-', "Print hash value"},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
- {"", OPT_MD, '-', "Any supported digest"},
-#ifndef OPENSSL_NO_MD5
- {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
-#endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS crl2pkcs7_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
- {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
- {"out", OPT_OUT, '>', "Output file"},
+ {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"},
{"certfile", OPT_CERTFILE, '<',
"File of chain of certs to a trusted CA; can be repeated"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{NULL}
};
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"},
{OPT_HELP_STR, 1, '-',
" file... files to digest (default is stdin)\n"},
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"list", OPT_LIST, '-', "List digests"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+ {"engine_impl", OPT_ENGINE_IMPL, '-',
+ "Also use engine given by -engine for digest operations"},
+#endif
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+
+ OPT_SECTION("Output"),
{"c", OPT_C, '-', "Print the digest with separating colons"},
{"r", OPT_R, '-', "Print the digest in coreutils format"},
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- {"sign", OPT_SIGN, 's', "Sign digest using private key"},
- {"verify", OPT_VERIFY, 's',
- "Verify a signature using public key"},
- {"prverify", OPT_PRVERIFY, 's',
- "Verify a signature using private key"},
- {"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
{"hex", OPT_HEX, '-', "Print as hex dump"},
{"binary", OPT_BINARY, '-', "Print in binary form"},
{"d", OPT_DEBUG, '-', "Print debug info"},
{"debug", OPT_DEBUG, '-', "Print debug info"},
- {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
- "Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
+
+ OPT_SECTION("Signing"),
+ {"sign", OPT_SIGN, 's', "Sign digest using private key"},
+ {"verify", OPT_VERIFY, 's', "Verify a signature using public key"},
+ {"prverify", OPT_PRVERIFY, 's', "Verify a signature using private key"},
+ {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
+ {"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
{"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
{"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
- {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
{"", OPT_DIGEST, '-', "Any supported digest"},
+ {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
+ "Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
+
OPT_R_OPTIONS,
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
- {"engine_impl", OPT_ENGINE_IMPL, '-',
- "Also use engine given by -engine for digest operations"},
-#endif
{NULL}
};
const OPTIONS dhparam_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"check", OPT_CHECK, '-', "Check the DH parameters"},
+# ifndef OPENSSL_NO_DSA
+ {"dsaparam", OPT_DSAPARAM, '-',
+ "Read or generate DSA parameters, convert to DH"},
+# endif
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
- {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
+
+ OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
- {"check", OPT_CHECK, '-', "Check the DH parameters"},
+ {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
{"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
{"noout", OPT_NOOUT, '-', "Don't output any DH parameters"},
- OPT_R_OPTIONS,
{"C", OPT_C, '-', "Print C code"},
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
{"3", OPT_3, '-', "Generate parameters using 3 as the generator value"},
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
-# ifndef OPENSSL_NO_DSA
- {"dsaparam", OPT_DSAPARAM, '-',
- "Read or generate DSA parameters, convert to DH"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+
+ OPT_R_OPTIONS,
{NULL}
};
} OPTION_CHOICE;
const OPTIONS dsa_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"},
- {"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"},
- {"in", OPT_IN, 's', "Input key"},
- {"out", OPT_OUT, '>', "Output file"},
- {"noout", OPT_NOOUT, '-', "Don't print key out"},
- {"text", OPT_TEXT, '-', "Print the key in text"},
- {"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
- {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
- {"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
# ifndef OPENSSL_NO_RC4
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
# ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
# endif
+
+ OPT_SECTION("Input"),
+ {"in", OPT_IN, 's', "Input key"},
+ {"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"},
+ {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"},
+ {"noout", OPT_NOOUT, '-', "Don't print key out"},
+ {"text", OPT_TEXT, '-', "Print the key in text"},
+ {"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
+ {"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
+ {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+
{NULL}
};
} OPTION_CHOICE;
const OPTIONS dsaparam_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
- {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+ {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+
+ OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
+ {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"text", OPT_TEXT, '-', "Print as text"},
{"C", OPT_C, '-', "Output C code"},
{"noout", OPT_NOOUT, '-', "No output"},
+ {"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
+
OPT_R_OPTIONS,
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
- {"verbose", OPT_VERBOSE, '-', "Verbose output"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS ec_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
{"inform", OPT_INFORM, 'f', "Input format - DER or PEM"},
+ {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ {"check", OPT_CHECK, '-', "check key consistency"},
+ {"", OPT_CIPHER, '-', "Any supported cipher"},
+ {"param_enc", OPT_PARAM_ENC, 's',
+ "Specifies the way the ec parameters are encoded"},
+ {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
+
+ OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key"},
{"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
- {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
{"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"},
- {"check", OPT_CHECK, '-', "check key consistency"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- {"param_enc", OPT_PARAM_ENC, 's',
- "Specifies the way the ec parameters are encoded"},
- {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
- {"", OPT_CIPHER, '-', "Any supported cipher"},
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS ecparam_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
- {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
+ {"list_curves", OPT_LIST_CURVES, '-',
+ "Prints a list of all curve 'short names'"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+
+ {"genkey", OPT_GENKEY, '-', "Generate ec key"},
{"in", OPT_IN, '<', "Input file - default stdin"},
+ {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
+ {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
+
+ OPT_SECTION("Output"),
{"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
{"C", OPT_C, '-', "Print a 'C' function creating the parameters"},
+ {"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
+ {"param_enc", OPT_PARAM_ENC, 's',
+ "Specifies the way the ec parameters are encoded"},
+
+ OPT_SECTION("Parameter"),
{"check", OPT_CHECK, '-', "Validate the ec parameters"},
{"check_named", OPT_CHECK_NAMED, '-',
"Check that named EC curve parameters have not been modified"},
- {"list_curves", OPT_LIST_CURVES, '-',
- "Prints a list of all curve 'short names'"},
{"no_seed", OPT_NO_SEED, '-',
"If 'explicit' parameters are chosen do not use the seed"},
- {"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
{"name", OPT_NAME, 's',
"Use the ec parameters with specified 'short name'"},
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
- {"param_enc", OPT_PARAM_ENC, 's',
- "Specifies the way the ec parameters are encoded"},
- {"genkey", OPT_GENKEY, '-', "Generate ec key"},
+
OPT_R_OPTIONS,
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS enc_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"list", OPT_LIST, '-', "List ciphers"},
#ifndef OPENSSL_NO_DEPRECATED_3_0
{"ciphers", OPT_LIST, '-', "Alias for -list"},
#endif
- {"in", OPT_IN, '<', "Input file"},
- {"out", OPT_OUT, '>', "Output file"},
- {"pass", OPT_PASS, 's', "Passphrase source"},
{"e", OPT_E, '-', "Encrypt"},
{"d", OPT_D, '-', "Decrypt"},
{"p", OPT_P, '-', "Print the iv/key"},
{"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+
+ OPT_SECTION("Input"),
+ {"in", OPT_IN, '<', "Input file"},
+ {"k", OPT_K, 's', "Passphrase"},
+ {"kfile", OPT_KFILE, '<', "Read passphrase from file"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"pass", OPT_PASS, 's', "Passphrase source"},
{"v", OPT_V, '-', "Verbose output"},
- {"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
- {"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
- {"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
- {"debug", OPT_DEBUG, '-', "Print debug info"},
{"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"},
{"base64", OPT_A, '-', "Same as option -a"},
{"A", OPT_UPPER_A, '-',
"Used with -[base64|a] to specify base64 buffer as a single line"},
+
+ OPT_SECTION("Encryption"),
+ {"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
+ {"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
+ {"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
+ {"debug", OPT_DEBUG, '-', "Print debug info"},
+
{"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
- {"k", OPT_K, 's', "Passphrase"},
- {"kfile", OPT_KFILE, '<', "Read passphrase from file"},
{"K", OPT_UPPER_K, 's', "Raw key, in hex"},
{"S", OPT_UPPER_S, 's', "Salt, in hex"},
{"iv", OPT_IV, 's', "IV in hex"},
{"iter", OPT_ITER, 'p', "Specify the iteration count and force use of PBKDF2"},
{"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"},
{"none", OPT_NONE, '-', "Don't encrypt"},
- {"", OPT_CIPHER, '-', "Any supported cipher"},
- OPT_R_OPTIONS,
#ifdef ZLIB
{"z", OPT_Z, '-', "Use zlib as the 'encryption'"},
#endif
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
+ {"", OPT_CIPHER, '-', "Any supported cipher"},
+
+ OPT_R_OPTIONS,
{NULL}
};
{OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"},
{OPT_HELP_STR, 1, '-',
" engine... Engines to load\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"t", OPT_T, '-', "Check that specified engine is available"},
+ {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
+ {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
+
+ OPT_SECTION("Output"),
{"v", OPT_V, '-', "List 'control commands' For each specified engine"},
{"vv", OPT_VV, '-', "Also display each command's description"},
{"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
{"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
{"c", OPT_C, '-', "List the capabilities of specified engine"},
- {"t", OPT_T, '-', "Check that specified engine is available"},
{"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
- {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
- {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
{OPT_MORE_STR, OPT_EOF, 1,
"Commands are like \"SO_PATH:/lib/libdriver.so\""},
{NULL}
const OPTIONS errstr_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"},
{OPT_HELP_STR, 1, '-', " errnum Error number\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS fipsinstall_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {OPT_MORE_STR, 0, 0, "e.g: openssl fipsinstall -provider_name fips"
- "-section_name fipsinstall -out fips.conf -module ./fips.so"
- "-mac_name HMAC -macopt digest:SHA256 -macopt hexkey:00"},
{"verify", OPT_VERIFY, '-', "Verification mode, i.e verify a config file "
"instead of generating one"},
- {"in", OPT_IN, '<', "Input config file, used when verifying"},
- {"out", OPT_OUT, '>', "Output config file, used when generating"},
{"module", OPT_MODULE, '<', "File name of the provider module"},
{"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
{"section_name", OPT_SECTION_NAME, 's',
"FIPS Provider config section name (optional)"},
+
+ OPT_SECTION("Input"),
+ {"in", OPT_IN, '<', "Input config file, used when verifying"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output config file, used when generating"},
{"mac_name", OPT_MAC_NAME, 's', "MAC name"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. "
"See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
const OPTIONS gendsa_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output the key to the specified file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
OPT_R_OPTIONS,
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS genpkey_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"out", OPT_OUT, '>', "Output file"},
- {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
- {"pass", OPT_PASS, 's', "Output file pass phrase source"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
{"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
{"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
{"pkeyopt", OPT_PKEYOPT, 's',
"Set the public key algorithm option as opt:value"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
+ {"pass", OPT_PASS, 's', "Output file pass phrase source"},
{"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
{"text", OPT_TEXT, '-', "Print the in text"},
{"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
+
/* This is deliberately last. */
{OPT_HELP_STR, 1, 1,
"Order of options may be important! See the documentation.\n"},
} OPTION_CHOICE;
const OPTIONS genrsa_options[] = {
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Input"),
{"3", OPT_3, '-', "Use 3 for the E value"},
{"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
{"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
+
+ OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output the key to specified file"},
- OPT_R_OPTIONS,
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
{"primes", OPT_PRIMES, 'p', "Specify number of primes"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
+ {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
+
+ OPT_R_OPTIONS,
{NULL}
};
OPT_V__LAST
# define OPT_V_OPTIONS \
+ OPT_SECTION("Validation"), \
{ "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
{ "purpose", OPT_V_PURPOSE, 's', \
"certificate chain purpose"}, \
OPT_X__LAST
# define OPT_X_OPTIONS \
+ OPT_SECTION("Extended certificate"), \
{ "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
{ "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
{ "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
# define OPT_S_OPTIONS \
+ OPT_SECTION("TLS/SSL"), \
{"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
{"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
{"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
OPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
# define OPT_R_OPTIONS \
+ OPT_SECTION("Random state"), \
{"rand", OPT_R_RAND, 's', "Load the file(s) into the random number generator"}, \
{"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"}
OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
/* Divide options into sections when displaying usage */
-#define OPT_SECTION(sec) {OPT_SECTION_STR, 1, '-', sec " options:\n"}
+#define OPT_SECTION(sec) { OPT_SECTION_STR, 1, '-', sec " options:\n" }
char *opt_progname(const char *argv0);
char *opt_getprog(void);
} OPTION_CHOICE;
const OPTIONS info_options[] = {
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+
+ OPT_SECTION("Output"),
{"configdir", OPT_CONFIGDIR, '-', "Default configuration file directory"},
{"enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory"},
{"modulesdir", OPT_MODULESDIR, '-',
const OPTIONS kdf_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] kdf_name\n"},
{OPT_HELP_STR, 1, '-', "kdf_name\t KDF algorithm.\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form. "
- "See 'Supported Controls' in the EVP_KDF_ docs"},
+ {"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form."},
+ {OPT_HELP_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs"},
{"keylen", OPT_KEYLEN, 's', "The size of the output derived key"},
+
+ OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
{"binary", OPT_BIN, '-', "Output in binary format (Default is hexadecimal "
"output)"},
int duplicated, i;
#endif
- if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR ||
- o->name == OPT_SECTION_STR)
+ if (o->name == OPT_HELP_STR
+ || o->name == OPT_MORE_STR
+ || o->name == OPT_SECTION_STR)
continue;
#ifndef NDEBUG
i = o->valtype;
char *p;
help = o->helpstr ? o->helpstr : "(No additional info)";
- if (o->name == OPT_HELP_STR || o->name == OPT_SECTION_STR) {
+ if (o->name == OPT_HELP_STR) {
+ opt_printf_stderr(help, prog);
+ return;
+ }
+ if (o->name == OPT_SECTION_STR) {
+ opt_printf_stderr("\n");
opt_printf_stderr(help, prog);
return;
}
if (o->name == OPT_HELP_STR
|| o->name == OPT_MORE_STR
+ || o->name == OPT_SECTION_STR
|| o->name[0] == '\0')
continue;
BIO_printf(bio_out, "%s %c\n", o->name, c == '\0' ? '-' : c);
} HELPLIST_CHOICE;
const OPTIONS list_options[] = {
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+
+ OPT_SECTION("Output"),
{"1", OPT_ONE, '-', "List in one column"},
{"verbose", OPT_VERBOSE, '-', "Verbose listing"},
{"commands", OPT_COMMANDS, '-', "List of standard commands"},
{OPT_HELP_STR, 1, '-', "Usage: %s [options] mac_name\n"},
{OPT_HELP_STR, 1, '-', "mac_name\t\t MAC algorithm (See list "
"-mac-algorithms)"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. "
"See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file to MAC (default is stdin)"},
+
+ OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
{"binary", OPT_BIN, '-', "Output in binary format (Default is hexadecimal "
"output)"},
} OPTION_CHOICE;
const OPTIONS nseq_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"},
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
+
+ OPT_SECTION("Output"),
+ {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"},
{"out", OPT_OUT, '>', "Output file"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS ocsp_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"out", OPT_OUTFILE, '>', "Output filename"},
- {"timeout", OPT_TIMEOUT, 'p',
- "Connection timeout (in seconds) to the OCSP responder"},
- {"url", OPT_URL, 's', "Responder URL"},
- {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
- {"port", OPT_PORT, 'p', "Port to run responder on"},
{"ignore_err", OPT_IGNORE_ERR, '-',
"Ignore error on OCSP request or response and continue running"},
- {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
- {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
- {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
+ {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+ {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
+ {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates store"},
+
+ OPT_SECTION("Responder"),
+ {"timeout", OPT_TIMEOUT, 'p',
+ "Connection timeout (in seconds) to the OCSP responder"},
{"resp_no_certs", OPT_RESP_NO_CERTS, '-',
"Don't include any certificates in response"},
- {"resp_key_id", OPT_RESP_KEY_ID, '-',
- "Identify response by signing certificate key ID"},
# ifdef OCSP_DAEMON
{"multi", OPT_MULTI, 'p', "run multiple responder processes"},
# endif
{"no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request"},
+ {"badsig", OPT_BADSIG, '-',
+ "Corrupt last byte of loaded OSCP response signature (for test)"},
+ {"CA", OPT_CA, '<', "CA certificate"},
+ {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"},
+ {"nrequest", OPT_REQUEST, 'p',
+ "Number of requests to accept (default unlimited)"},
+ {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"},
+ {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"},
+ {"sign_other", OPT_SIGN_OTHER, '<',
+ "Additional certificates to include in signed request"},
+ {"index", OPT_INDEX, '<', "Certificate status index file"},
+ {"ndays", OPT_NDAYS, 'p', "Number of days before next update"},
+ {"rsigner", OPT_RSIGNER, '<',
+ "Responder certificate to sign responses with"},
+ {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
+ {"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
+ {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},
+ {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"},
+ {"header", OPT_HEADER, 's', "key=value header to add"},
+ {"rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response"},
+ {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
+
+ OPT_SECTION("Client"),
+ {"url", OPT_URL, 's', "Responder URL"},
+ {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
+ {"port", OPT_PORT, 'p', "Port to run responder on"},
+ {"out", OPT_OUTFILE, '>', "Output filename"},
+ {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
+ {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
+ {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
"Don't check signature on response"},
+ {"resp_key_id", OPT_RESP_KEY_ID, '-',
+ "Identify response by signing certificate key ID"},
{"no_cert_verify", OPT_NO_CERT_VERIFY, '-',
"Don't check signing certificate"},
+ {"text", OPT_TEXT, '-', "Print text form of request and response"},
+ {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
+ {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
{"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
{"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
"Don't do additional checks on signing certificate"},
"Don't verify additional certificates"},
{"no_intern", OPT_NO_INTERN, '-',
"Don't search certificates contained in response for signer"},
- {"badsig", OPT_BADSIG, '-',
- "Corrupt last byte of loaded OSCP response signature (for test)"},
- {"text", OPT_TEXT, '-', "Print text form of request and response"},
- {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
- {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
- {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"},
{"respin", OPT_RESPIN, 's', "File with the DER-encoded response"},
- {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"},
{"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
- {"sign_other", OPT_SIGN_OTHER, '<',
- "Additional certificates to include in signed request"},
{"verify_other", OPT_VERIFY_OTHER, '<',
"Additional certificates to search for signer"},
- {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
- {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
- {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
- {"no-CAfile", OPT_NOCAFILE, '-',
- "Do not load the default certificates file"},
- {"no-CApath", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates directory"},
- {"no-CAstore", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates store"},
+ {"path", OPT_PATH, 's', "Path to use in OCSP request"},
+ {"cert", OPT_CERT, '<', "Certificate to check"},
+ {"serial", OPT_SERIAL, 's', "Serial number to check"},
{"validity_period", OPT_VALIDITY_PERIOD, 'u',
"Maximum validity discrepancy in seconds"},
- {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
{"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"},
{"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"},
{"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"},
- {"path", OPT_PATH, 's', "Path to use in OCSP request"},
{"issuer", OPT_ISSUER, '<', "Issuer certificate"},
- {"cert", OPT_CERT, '<', "Certificate to check"},
- {"serial", OPT_SERIAL, 's', "Serial number to check"},
- {"index", OPT_INDEX, '<', "Certificate status index file"},
- {"CA", OPT_CA, '<', "CA certificate"},
- {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"},
- {"nrequest", OPT_REQUEST, 'p',
- "Number of requests to accept (default unlimited)"},
- {"ndays", OPT_NDAYS, 'p', "Number of days before next update"},
- {"rsigner", OPT_RSIGNER, '<',
- "Responder certificate to sign responses with"},
- {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
- {"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
- {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},
- {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"},
- {"header", OPT_HEADER, 's', "key=value header to add"},
- {"rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response"},
- {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
+ {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
+
OPT_V_OPTIONS,
{NULL}
};
const OPTIONS help_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: help [options]\n"},
{OPT_HELP_STR, 1, '-', " help [command]\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_hHELP, '-', "Display this summary"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS passwd_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Read passwords from file"},
{"noverify", OPT_NOVERIFY, '-',
"Never verify when reading password from terminal"},
+ {"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
+
+ OPT_SECTION("Output"),
{"quiet", OPT_QUIET, '-', "No warnings"},
{"table", OPT_TABLE, '-', "Format output as table"},
{"reverse", OPT_REVERSE, '-', "Switch table columns"},
+
+ OPT_SECTION("Cryptographic"),
{"salt", OPT_SALT, 's', "Use provided salt"},
- {"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
{"6", OPT_6, '-', "SHA512-based password algorithm"},
{"5", OPT_5, '-', "SHA256-based password algorithm"},
{"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
#ifndef OPENSSL_NO_DES
{"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"},
#endif
+
OPT_R_OPTIONS,
{NULL}
};
} OPTION_CHOICE;
const OPTIONS pkcs12_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
- {"keyex", OPT_KEYEX, '-', "Set MS key exchange type"},
- {"keysig", OPT_KEYSIG, '-', "Set MS key signature type"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("CA"),
+ {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
+ {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"},
+ {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store"},
+
+ OPT_SECTION("Input"),
+ {"inkey", OPT_INKEY, 's', "Private key if not infile"},
+ {"certfile", OPT_CERTFILE, '<', "Load certs from file"},
+ {"name", OPT_NAME, 's', "Use name as friendly name"},
+ {"CSP", OPT_CSP, 's', "Microsoft CSP name"},
+ {"caname", OPT_CANAME, 's',
+ "Use name as CA friendly name (can be repeated)"},
+ {"in", OPT_IN, '<', "Input filename"},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+
+ OPT_SECTION("Output"),
+ {"export", OPT_EXPORT, '-', "Output PKCS12 file"},
+ {"LMK", OPT_LMK, '-',
+ "Add local machine keyset attribute to private key"},
+ {"macalg", OPT_MACALG, 's',
+ "Digest algorithm used in MAC (default SHA1)"},
+ {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"},
+ {"out", OPT_OUT, '>', "Output filename"},
+ {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+ {"password", OPT_PASSWORD, 's', "Set import/export password source"},
{"nocerts", OPT_NOCERTS, '-', "Don't output certificates"},
{"clcerts", OPT_CLCERTS, '-', "Only output client certificates"},
{"cacerts", OPT_CACERTS, '-', "Only output CA certificates"},
{"noout", OPT_NOOUT, '-', "Don't output anything, just verify"},
- {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"},
{"chain", OPT_CHAIN, '-', "Add certificate chain"},
{"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
{"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"},
+ {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"},
+ {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
+ {"keyex", OPT_KEYEX, '-', "Set MS key exchange type"},
+ {"keysig", OPT_KEYSIG, '-', "Set MS key signature type"},
+
+ OPT_SECTION("Encryption"),
# ifndef OPENSSL_NO_RC2
{"descert", OPT_DESCERT, '-',
"Encrypt output with 3DES (default RC2-40)"},
{"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"},
{"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"},
# endif
- {"export", OPT_EXPORT, '-', "Output PKCS12 file"},
{"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
{"maciter", OPT_MACITER, '-', "Use MAC iteration"},
{"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"},
{"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
- {"LMK", OPT_LMK, '-',
- "Add local machine keyset attribute to private key"},
{"nodes", OPT_NODES, '-', "Don't encrypt private keys"},
- {"macalg", OPT_MACALG, 's',
- "Digest algorithm used in MAC (default SHA1)"},
- {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"},
- OPT_R_OPTIONS,
- {"inkey", OPT_INKEY, 's', "Private key if not infile"},
- {"certfile", OPT_CERTFILE, '<', "Load certs from file"},
- {"name", OPT_NAME, 's', "Use name as friendly name"},
- {"CSP", OPT_CSP, 's', "Microsoft CSP name"},
- {"caname", OPT_CANAME, 's',
- "Use name as CA friendly name (can be repeated)"},
- {"in", OPT_IN, '<', "Input filename"},
- {"out", OPT_OUT, '>', "Output filename"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- {"password", OPT_PASSWORD, 's', "Set import/export password source"},
- {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
- {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"},
- {"CAstore", OPT_CASTORE, ':', "URI to store if CA's"},
- {"no-CAfile", OPT_NOCAFILE, '-',
- "Do not load the default certificates file"},
- {"no-CApath", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates directory"},
- {"no-CAstore", OPT_NOCASTORE, '-',
- "Do not load certificates from the default certificates store"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+
+ OPT_R_OPTIONS,
{NULL}
};
} OPTION_CHOICE;
const OPTIONS pkcs7_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
+ {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+
+ OPT_SECTION("Output"),
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"out", OPT_OUT, '>', "Output file"},
{"noout", OPT_NOOUT, '-', "Don't output encoded data"},
{"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"},
{"print_certs", OPT_PRINT_CERTS, '-',
"Print_certs print any certs or crl in the input"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS pkcs8_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
- {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
- {"in", OPT_IN, '<', "Input file"},
- {"out", OPT_OUT, '>', "Output file"},
- {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
- {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
- {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
- OPT_R_OPTIONS,
- {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
{"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
+ {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
{"v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0"},
- {"iter", OPT_ITER, 'p', "Specify the iteration count"},
+
+ OPT_SECTION("Input"),
+ {"in", OPT_IN, '<', "Input file"},
+ {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
+ {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"traditional", OPT_TRADITIONAL, '-', "use traditional format private key"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
+ {"iter", OPT_ITER, 'p', "Specify the iteration count"},
+ {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
+
#ifndef OPENSSL_NO_SCRYPT
+ OPT_SECTION("Scrypt"),
{"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
{"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
{"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
{"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
#endif
+
+ OPT_R_OPTIONS,
{NULL}
};
} OPTION_CHOICE;
const OPTIONS pkey_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+ {"check", OPT_CHECK, '-', "Check key consistency"},
+ {"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"},
+ {"", OPT_MD, '-', "Any supported cipher"},
+
+ OPT_SECTION("Input"),
+ {"in", OPT_IN, 's', "Input key"},
{"inform", OPT_INFORM, 'f', "Input format (DER or PEM)"},
- {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- {"in", OPT_IN, 's', "Input key"},
- {"out", OPT_OUT, '>', "Output file"},
{"pubin", OPT_PUBIN, '-',
"Read public key from input (default is private key)"},
+ {"traditional", OPT_TRADITIONAL, '-',
+ "Use traditional format for private keys"},
+
+ OPT_SECTION("Output"),
+ {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
+ {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+ {"out", OPT_OUT, '>', "Output file"},
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
{"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"},
{"text", OPT_TEXT, '-', "Output in plaintext as well"},
{"noout", OPT_NOOUT, '-', "Don't output the key"},
- {"", OPT_MD, '-', "Any supported cipher"},
- {"traditional", OPT_TRADITIONAL, '-',
- "Use traditional format for private keys"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
- {"check", OPT_CHECK, '-', "Check key consistency"},
- {"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"},
+
{NULL}
};
} OPTION_CHOICE;
const OPTIONS pkeyparam_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"in", OPT_IN, '<', "Input file"},
- {"out", OPT_OUT, '>', "Output file"},
- {"text", OPT_TEXT, '-', "Print parameters as text"},
- {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
{"check", OPT_CHECK, '-', "Check key param consistency"},
+
+ OPT_SECTION("Input"),
+ {"in", OPT_IN, '<', "Input file"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"text", OPT_TEXT, '-', "Print parameters as text"},
+ {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS pkeyutl_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"in", OPT_IN, '<', "Input file - default stdin"},
- {"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"},
- {"digest", OPT_DIGEST, 's',
- "Specify the digest algorithm when signing the raw input data"},
- {"out", OPT_OUT, '>', "Output file - default stdout"},
- {"pubin", OPT_PUBIN, '-', "Input is a public key"},
- {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
- {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
- {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+ {"engine_impl", OPT_ENGINE_IMPL, '-',
+ "Also use engine given by -engine for crypto operations"},
+#endif
{"sign", OPT_SIGN, '-', "Sign input data with private key"},
{"verify", OPT_VERIFY, '-', "Verify with public key"},
- {"verifyrecover", OPT_VERIFYRECOVER, '-',
- "Verify with public key, recover original data"},
- {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
{"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
{"derive", OPT_DERIVE, '-', "Derive shared secret"},
- {"kdf", OPT_KDF, 's', "Use KDF algorithm"},
- {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
- {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
+
+ OPT_SECTION("Input"),
+ {"in", OPT_IN, '<', "Input file - default stdin"},
+ {"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"},
+ {"pubin", OPT_PUBIN, '-', "Input is a public key"},
{"inkey", OPT_INKEY, 's', "Input private key file"},
- {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
{"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"},
+ {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
+ {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
+ {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
{"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file - default stdout"},
+ {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
+ {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
+ {"verifyrecover", OPT_VERIFYRECOVER, '-',
+ "Verify with public key, recover original data"},
+
+ OPT_SECTION("Signing/Derivation"),
+ {"digest", OPT_DIGEST, 's',
+ "Specify the digest algorithm when signing the raw input data"},
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
{"pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
"Public key option that is read as a passphrase argument opt:passphrase"},
+ {"kdf", OPT_KDF, 's', "Use KDF algorithm"},
+ {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
+
OPT_R_OPTIONS,
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
- {"engine_impl", OPT_ENGINE_IMPL, '-',
- "Also use engine given by -engine for crypto operations"},
-#endif
{NULL}
};
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"},
{OPT_HELP_STR, 1, '-',
" number Number to check for primality\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"bits", OPT_BITS, 'p', "Size of number in bits"},
+ {"checks", OPT_CHECKS, 'p', "Number of checks"},
+
+ OPT_SECTION("Output"),
{"hex", OPT_HEX, '-', "Hex output"},
{"generate", OPT_GENERATE, '-', "Generate a prime"},
- {"bits", OPT_BITS, 'p', "Size of number in bits"},
{"safe", OPT_SAFE, '-',
"When used with -generate, generate a safe prime"},
- {"checks", OPT_CHECKS, 'p', "Number of checks"},
{NULL}
};
const OPTIONS provider_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] provider...\n"},
{OPT_HELP_STR, 1, '-', " provider... Providers to load\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+
+ OPT_SECTION("Output"),
{"v", OPT_V, '-', "List the algorithm names of specified provider"},
{"vv", OPT_VV, '-', "List the algorithm names of specified providers,"},
{OPT_MORE_STR, 0, '-', "categorised by operation type"},
const OPTIONS rand_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [flags] num\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"out", OPT_OUT, '>', "Output file"},
- OPT_R_OPTIONS,
- {"base64", OPT_BASE64, '-', "Base64 encode output"},
- {"hex", OPT_HEX, '-', "Hex encode output"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"base64", OPT_BASE64, '-', "Base64 encode output"},
+ {"hex", OPT_HEX, '-', "Hex encode output"},
+
+ OPT_R_OPTIONS,
{NULL}
};
const OPTIONS rehash_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert-directory...]\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"h", OPT_HELP, '-', "Display this summary"},
{"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"},
{"old", OPT_OLD, '-', "Use old-style hash to generate links"},
{"n", OPT_N, '-', "Do not remove existing links"},
+
+ OPT_SECTION("Output"),
{"v", OPT_VERBOSE, '-', "Verbose output"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS req_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
- {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+ {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
+ "Specify engine to be used for key generation operations"},
{"in", OPT_IN, '<', "Input file"},
- {"out", OPT_OUT, '>', "Output file"},
- {"key", OPT_KEY, 's', "Private key to use"},
- {"keyform", OPT_KEYFORM, 'f', "Key file format"},
- {"pubkey", OPT_PUBKEY, '-', "Output public key"},
+ {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+ {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
+#endif
+
+ OPT_SECTION("Certificate"),
{"new", OPT_NEW, '-', "New request"},
{"config", OPT_CONFIG, '<', "Request template file"},
- {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
- {"passin", OPT_PASSIN, 's', "Private key password source"},
- {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- OPT_R_OPTIONS,
- {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
- {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
- {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
- {"batch", OPT_BATCH, '-',
- "Do not ask anything during request generation"},
- {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
- {"modulus", OPT_MODULUS, '-', "RSA modulus"},
- {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
- {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
- {"noout", OPT_NOOUT, '-', "Do not output REQ"},
- {"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
{"reqopt", OPT_REQOPT, 's', "Various request text options"},
{"text", OPT_TEXT, '-', "Text form of request"},
{"x509", OPT_X509, '-',
- "Output a x509 structure instead of a cert request"},
+ "Output an x509 structure instead of a cert request"},
{OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
{"subj", OPT_SUBJ, 's', "Set or modify request subject"},
{"subject", OPT_SUBJECT, '-', "Output the request's subject"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
{"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
+
+ OPT_SECTION("Keys and Signing"),
+ {"key", OPT_KEY, 's', "Private key to use"},
+ {"keyform", OPT_KEYFORM, 'f', "Key file format"},
+ {"pubkey", OPT_PUBKEY, '-', "Output public key"},
+ {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
+ {"passin", OPT_PASSIN, 's', "Private key password source"},
+ {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+ {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
+ {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
+ {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"", OPT_MD, '-', "Any supported digest"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
- {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
- "Specify engine to be used for key generation operations"},
-#endif
#ifndef OPENSSL_NO_SM2
{"sm2-id", OPT_SM2ID, 's',
"Specify an ID string to verify an SM2 certificate request"},
{"sm2-hex-id", OPT_SM2HEXID, 's',
"Specify a hex ID string to verify an SM2 certificate request"},
#endif
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+ {"batch", OPT_BATCH, '-',
+ "Do not ask anything during request generation"},
+ {"verbose", OPT_VERBOSE, '-', "Verbose output"},
+ {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
+ {"noout", OPT_NOOUT, '-', "Do not output REQ"},
+ {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
+ {"modulus", OPT_MODULUS, '-', "RSA modulus"},
+
+ OPT_R_OPTIONS,
{NULL}
};
} OPTION_CHOICE;
const OPTIONS rsa_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"},
- {"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"},
+ {"check", OPT_CHECK, '-', "Verify key consistency"},
+ {"", OPT_CIPHER, '-', "Any supported cipher"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
- {"out", OPT_OUT, '>', "Output file"},
+ {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
- {"pubout", OPT_PUBOUT, '-', "Output a public key"},
- {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
+ {"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"},
+ {"pubout", OPT_PUBOUT, '-', "Output a public key"},
{"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"},
+ {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key in text"},
{"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
- {"check", OPT_CHECK, '-', "Verify key consistency"},
- {"", OPT_CIPHER, '-', "Any supported cipher"},
+
# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
+ OPT_SECTION("PVK"),
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS rsautl_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"sign", OPT_SIGN, '-', "Sign with private key"},
+ {"verify", OPT_VERIFY, '-', "Verify with public key"},
+ {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
+ {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
- {"out", OPT_OUT, '>', "Output file"},
{"inkey", OPT_INKEY, 's', "Input key"},
{"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
{"pubin", OPT_PUBIN, '-', "Input is an RSA public"},
{"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
+ {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
{"ssl", OPT_SSL, '-', "Use SSL v2 padding"},
{"raw", OPT_RSA_RAW, '-', "Use no padding"},
{"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"},
+ {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
{"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"},
- {"sign", OPT_SIGN, '-', "Sign with private key"},
- {"verify", OPT_VERIFY, '-', "Verify with public key"},
{"asn1parse", OPT_ASN1PARSE, '-',
"Run output through asn1parse; useful with -verify"},
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
- {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
- {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
- {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
- {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+
OPT_R_OPTIONS,
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS s_client_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+ {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's',
+ "Specify engine to be used for client certificate operations"},
+#endif
+ {"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
+#ifndef OPENSSL_NO_CT
+ {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
+ {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
+ {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
+#endif
+
+ OPT_SECTION("Network"),
{"host", OPT_HOST, 's', "Use -connect instead"},
{"port", OPT_PORT, 'p', "Use -connect instead"},
{"connect", OPT_CONNECT, 's',
#ifdef AF_INET6
{"6", OPT_6, '-', "Use IPv6 only"},
#endif
+ {"maxfraglen", OPT_MAXFRAGLEN, 'p',
+ "Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"},
+ {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
+ {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
+ "Size used to split data for encrypt pipelines"},
+ {"max_pipelines", OPT_MAX_PIPELINES, 'p',
+ "Maximum number of encrypt/decrypt pipelines to be used"},
+ {"read_buf", OPT_READ_BUF, 'p',
+ "Default read buffer size to be used for connections"},
+ {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
+
+ OPT_SECTION("Identity"),
{"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
{"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"},
{"certform", OPT_CERTFORM, 'F',
"DANE TLSA rrdata presentation form"},
{"dane_ee_no_namechecks", OPT_DANE_EE_NO_NAME, '-',
"Disable name checks when matching DANE-EE(3) TLSA records"},
+ {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
+ {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
+ {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
+ {"name", OPT_PROTOHOST, 's',
+ "Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""},
+
+ OPT_SECTION("Session"),
{"reconnect", OPT_RECONNECT, '-',
"Drop and re-make the connection with the same Session-ID"},
- {"showcerts", OPT_SHOWCERTS, '-',
- "Show all certificates sent by the server"},
- {"debug", OPT_DEBUG, '-', "Extra output"},
- {"msg", OPT_MSG, '-', "Show protocol messages"},
- {"msgfile", OPT_MSGFILE, '>',
- "File to send output of -msg or -trace, instead of stdout"},
- {"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"},
- {"state", OPT_STATE, '-', "Print the ssl states"},
+ {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
+ {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
+
+ OPT_SECTION("Input/Output"),
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
{"quiet", OPT_QUIET, '-', "No s_client output"},
{"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"},
"Use the appropriate STARTTLS command before starting TLS"},
{"xmpphost", OPT_XMPPHOST, 's',
"Alias of -name option for \"-starttls xmpp[-server]\""},
- OPT_R_OPTIONS,
- {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
- {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
-#ifndef OPENSSL_NO_SRTP
- {"use_srtp", OPT_USE_SRTP, 's',
- "Offer SRTP key management with a colon-separated profile list"},
-#endif
- {"keymatexport", OPT_KEYMATEXPORT, 's',
- "Export keying material using label"},
- {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
- "Export len bytes of keying material (default 20)"},
- {"maxfraglen", OPT_MAXFRAGLEN, 'p',
- "Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"},
- {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
- {"name", OPT_PROTOHOST, 's',
- "Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""},
- {"CRL", OPT_CRL, '<', "CRL file to use"},
- {"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
- {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
- {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
- "Close connection on verification error"},
- {"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
{"brief", OPT_BRIEF, '-',
"Restrict output to brief summary of connection parameters"},
{"prexit", OPT_PREXIT, '-',
"Print session information when the program exits"},
+
+ OPT_SECTION("Debug"),
+ {"showcerts", OPT_SHOWCERTS, '-',
+ "Show all certificates sent by the server"},
+ {"debug", OPT_DEBUG, '-', "Extra output"},
+ {"msg", OPT_MSG, '-', "Show protocol messages"},
+ {"msgfile", OPT_MSGFILE, '>',
+ "File to send output of -msg or -trace, instead of stdout"},
+ {"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"},
+ {"state", OPT_STATE, '-', "Print the ssl states"},
+ {"keymatexport", OPT_KEYMATEXPORT, 's',
+ "Export keying material using label"},
+ {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
+ "Export len bytes of keying material (default 20)"},
{"security_debug", OPT_SECURITY_DEBUG, '-',
"Enable security debug messages"},
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
"Output more security debug output"},
- {"cert_chain", OPT_CERT_CHAIN, '<',
- "Certificate chain file (in PEM format)"},
- {"chainCApath", OPT_CHAINCAPATH, '/',
- "Use dir as certificate store path to build CA certificate chain"},
- {"verifyCApath", OPT_VERIFYCAPATH, '/',
- "Use dir as certificate store path to verify CA certificate"},
- {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
- {"chainCAfile", OPT_CHAINCAFILE, '<',
- "CA file for certificate chain (PEM format)"},
- {"verifyCAfile", OPT_VERIFYCAFILE, '<',
- "CA file for certificate verification (PEM format)"},
- {"chainCAstore", OPT_CHAINCASTORE, ':',
- "CA store URI for certificate chain"},
- {"verifyCAstore", OPT_VERIFYCASTORE, ':',
- "CA store URI for certificate verification"},
+#ifndef OPENSSL_NO_SSL_TRACE
+ {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
+#endif
+#ifdef WATT32
+ {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
+#endif
+ {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
{"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
{"servername", OPT_SERVERNAME, 's',
"Set TLS extension servername (SNI) in ClientHello (default)"},
{"alpn", OPT_ALPN, 's',
"Enable ALPN extension, considering named protocols supported (comma-separated list)"},
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
- {"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
- {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
- {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
- "Size used to split data for encrypt pipelines"},
- {"max_pipelines", OPT_MAX_PIPELINES, 'p',
- "Maximum number of encrypt/decrypt pipelines to be used"},
- {"read_buf", OPT_READ_BUF, 'p',
- "Default read buffer size to be used for connections"},
- OPT_S_OPTIONS,
- OPT_V_OPTIONS,
- OPT_X_OPTIONS,
+ {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
+
+ OPT_SECTION("Protocol and version"),
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
#endif
{"sctp", OPT_SCTP, '-', "Use SCTP"},
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
#endif
-#ifndef OPENSSL_NO_SSL_TRACE
- {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ {"nextprotoneg", OPT_NEXTPROTONEG, 's',
+ "Enable NPN extension, considering named protocols supported (comma-separated list)"},
#endif
-#ifdef WATT32
- {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
+ {"early_data", OPT_EARLY_DATA, '<', "File to send as early data"},
+ {"enable_pha", OPT_ENABLE_PHA, '-', "Enable post-handshake-authentication"},
+#ifndef OPENSSL_NO_SRTP
+ {"use_srtp", OPT_USE_SRTP, 's',
+ "Offer SRTP key management with a colon-separated profile list"},
#endif
- {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
- {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
- {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
- {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
#ifndef OPENSSL_NO_SRP
{"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"},
{"srppass", OPT_SRPPASS, 's', "Password for 'user'"},
"Tolerate other than the known g N values."},
{"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal length in bits for N"},
#endif
-#ifndef OPENSSL_NO_NEXTPROTONEG
- {"nextprotoneg", OPT_NEXTPROTONEG, 's',
- "Enable NPN extension, considering named protocols supported (comma-separated list)"},
-#endif
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
- {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's',
- "Specify engine to be used for client certificate operations"},
-#endif
-#ifndef OPENSSL_NO_CT
- {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
- {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
- {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
-#endif
- {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
- {"early_data", OPT_EARLY_DATA, '<', "File to send as early data"},
- {"enable_pha", OPT_ENABLE_PHA, '-', "Enable post-handshake-authentication"},
- {NULL, OPT_EOF, 0x00, NULL}
+
+ OPT_R_OPTIONS,
+ OPT_S_OPTIONS,
+ OPT_V_OPTIONS,
+ {"CRL", OPT_CRL, '<', "CRL file to use"},
+ {"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
+ {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
+ {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
+ "Close connection on verification error"},
+ {"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
+ {"cert_chain", OPT_CERT_CHAIN, '<',
+ "Certificate chain file (in PEM format)"},
+ {"chainCApath", OPT_CHAINCAPATH, '/',
+ "Use dir as certificate store path to build CA certificate chain"},
+ {"chainCAstore", OPT_CHAINCASTORE, ':',
+ "CA store URI for certificate chain"},
+ {"verifyCAfile", OPT_VERIFYCAFILE, '<',
+ "CA file for certificate verification (PEM format)"},
+ {"verifyCApath", OPT_VERIFYCAPATH, '/',
+ "Use dir as certificate store path to verify CA certificate"},
+ {"verifyCAstore", OPT_VERIFYCASTORE, ':',
+ "CA store URI for certificate verification"},
+ {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
+ {"chainCAfile", OPT_CHAINCAFILE, '<',
+ "CA file for certificate chain (PEM format)"},
+ OPT_X_OPTIONS,
+ {NULL}
};
typedef enum PROTOCOL_choice {
} OPTION_CHOICE;
const OPTIONS s_server_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"ssl_config", OPT_SSL_CONFIG, 's',
+ "Configure SSL_CTX using the configuration 'val'"},
+#ifndef OPENSSL_NO_SSL_TRACE
+ {"trace", OPT_TRACE, '-', "trace protocol messages"},
+#endif
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+
+ OPT_SECTION("Network"),
{"port", OPT_PORT, 'p',
"TCP/IP port to listen on for connections (default is " PORT ")"},
{"accept", OPT_ACCEPT, 's',
"TCP/IP optional host and port to listen on for connections (default is *:" PORT ")"},
#ifdef AF_UNIX
{"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
+ {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
#endif
{"4", OPT_4, '-', "Use IPv4 only"},
{"6", OPT_6, '-', "Use IPv6 only"},
-#ifdef AF_UNIX
- {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
-#endif
+
+ OPT_SECTION("Identity"),
{"context", OPT_CONTEXT, 's', "Set session ID context"},
+ {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
+ {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
+ {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store URI"},
+ {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
{"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
{"Verify", OPT_UPPER_V_VERIFY, 'n',
"Turn on peer certificate verification, must have a cert"},
{"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT},
+ {"cert2", OPT_CERT2, '<',
+ "Certificate file to use for servername; default is" TEST_CERT2},
+ {"key2", OPT_KEY2, '<',
+ "-Private Key file to use for servername if not in -cert2"},
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
- {"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"},
{"serverinfo", OPT_SERVERINFO, 's',
"PEM serverinfo file for certificate"},
{"certform", OPT_CERTFORM, 'F',
{"dkeyform", OPT_DKEYFORM, 'F',
"Second key format (PEM, DER or ENGINE) PEM default"},
{"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
+ {"servername", OPT_SERVERNAME, 's',
+ "Servername for HostName TLS extension"},
+ {"servername_fatal", OPT_SERVERNAME_FATAL, '-',
+ "mismatch send fatal alert (default warning alert)"},
+
{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
- {"debug", OPT_DEBUG, '-', "Print more output"},
- {"msg", OPT_MSG, '-', "Show protocol messages"},
- {"msgfile", OPT_MSGFILE, '>',
- "File to send output of -msg or -trace, instead of stdout"},
- {"state", OPT_STATE, '-', "Print the SSL states"},
- {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
- {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
- {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
- {"no-CAfile", OPT_NOCAFILE, '-',
- "Do not load the default certificates file"},
- {"no-CApath", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates directory"},
- {"no-CAstore", OPT_NOCASTORE, '-',
- "Do not load certificates from the default certificates store URI"},
- {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
+
{"quiet", OPT_QUIET, '-', "No server output"},
{"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
"Disable caching and tickets if ephemeral (EC)DH is used"},
{"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
{"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"},
- {"servername", OPT_SERVERNAME, 's',
- "Servername for HostName TLS extension"},
- {"servername_fatal", OPT_SERVERNAME_FATAL, '-',
- "mismatch send fatal alert (default warning alert)"},
- {"cert2", OPT_CERT2, '<',
- "Certificate file to use for servername; default is" TEST_CERT2},
- {"key2", OPT_KEY2, '<',
- "-Private Key file to use for servername if not in -cert2"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
"Hex dump of all TLS extensions received"},
{"HTTP", OPT_HTTP, '-', "Like -WWW but ./path includes HTTP headers"},
{"id_prefix", OPT_ID_PREFIX, 's',
"Generate SSL/TLS session IDs prefixed by arg"},
- OPT_R_OPTIONS,
{"keymatexport", OPT_KEYMATEXPORT, 's',
"Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
{"CRL", OPT_CRL, '<', "CRL file to use"},
{"crl_download", OPT_CRL_DOWNLOAD, '-',
"Download CRL from distribution points"},
- {"cert_chain", OPT_CERT_CHAIN, '<',
- "certificate chain file in PEM format"},
- {"dcert_chain", OPT_DCERT_CHAIN, '<',
- "second certificate chain file in PEM format"},
{"chainCApath", OPT_CHAINCAPATH, '/',
"use dir as certificate store path to build CA certificate chain"},
{"chainCAstore", OPT_CHAINCASTORE, ':',
"Close connection on verification error"},
{"verify_quiet", OPT_VERIFY_QUIET, '-',
"No verify output except verify errors"},
- {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
- {"chainCAfile", OPT_CHAINCAFILE, '<',
- "CA file for certificate chain (PEM format)"},
{"verifyCAfile", OPT_VERIFYCAFILE, '<',
"CA file for certificate verification (PEM format)"},
{"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
+
#ifndef OPENSSL_NO_OCSP
+ OPT_SECTION("OCSP"),
{"status", OPT_STATUS, '-', "Request certificate status from server"},
{"status_verbose", OPT_STATUS_VERBOSE, '-',
"Print more output in certificate status callback"},
{"status_file", OPT_STATUS_FILE, '<',
"File containing DER encoded OCSP Response"},
#endif
-#ifndef OPENSSL_NO_SSL_TRACE
- {"trace", OPT_TRACE, '-', "trace protocol messages"},
-#endif
+
+ OPT_SECTION("Debug"),
{"security_debug", OPT_SECURITY_DEBUG, '-',
"Print output from SSL/TLS security framework"},
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
"Restrict output to brief summary of connection parameters"},
{"rev", OPT_REV, '-',
"act as a simple test server which just sends back with the received text reversed"},
+ {"debug", OPT_DEBUG, '-', "Print more output"},
+ {"msg", OPT_MSG, '-', "Show protocol messages"},
+ {"msgfile", OPT_MSGFILE, '>',
+ "File to send output of -msg or -trace, instead of stdout"},
+ {"state", OPT_STATE, '-', "Print the SSL states"},
{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
- {"ssl_config", OPT_SSL_CONFIG, 's',
- "Configure SSL_CTX using the configuration 'val'"},
- {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
- {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
- "Size used to split data for encrypt pipelines"},
{"max_pipelines", OPT_MAX_PIPELINES, 'p',
"Maximum number of encrypt/decrypt pipelines to be used"},
+ {"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"},
+ {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
+
+ OPT_SECTION("Network"),
+ {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
+ {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
+ {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
{"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
- OPT_S_OPTIONS,
- OPT_V_OPTIONS,
- OPT_X_OPTIONS,
- {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
+ {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
+ "Size used to split data for encrypt pipelines"},
+ {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
+
+ OPT_SECTION("Server identity"),
{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity to expect"},
#ifndef OPENSSL_NO_PSK
{"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
{"srpuserseed", OPT_SRPUSERSEED, 's',
"A seed string for a default user salt"},
#endif
+
+ OPT_SECTION("Protocol and version"),
+ {"max_early_data", OPT_MAX_EARLY, 'n',
+ "The maximum number of bytes of early data as advertised in tickets"},
+ {"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n',
+ "The maximum number of bytes of early data (hard limit)"},
+ {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
+ {"num_tickets", OPT_S_NUM_TICKETS, 'n',
+ "The number of TLSv1.3 session tickets that a server will automatically issue" },
+ {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
+ {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
+ {"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
+ {"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
#endif
#endif
#ifndef OPENSSL_NO_DTLS
{"dtls", OPT_DTLS, '-', "Use any DTLS version"},
- {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
- {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
{"listen", OPT_LISTEN, '-',
"Listen for a DTLS ClientHello with a cookie and then connect"},
#endif
- {"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
#ifndef OPENSSL_NO_DTLS1
{"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
#endif
{"sctp", OPT_SCTP, '-', "Use SCTP"},
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
#endif
+#ifndef OPENSSL_NO_SRTP
+ {"use_srtp", OPT_SRTP_PROFILES, 's',
+ "Offer SRTP key management with a colon-separated profile list"},
+#endif
#ifndef OPENSSL_NO_DH
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
"Set the advertised protocols for the NPN extension (comma-separated list)"},
-#endif
-#ifndef OPENSSL_NO_SRTP
- {"use_srtp", OPT_SRTP_PROFILES, 's',
- "Offer SRTP key management with a colon-separated profile list"},
#endif
{"alpn", OPT_ALPN, 's',
"Set the advertised protocols for the ALPN extension (comma-separated list)"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
- {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
- {"max_early_data", OPT_MAX_EARLY, 'n',
- "The maximum number of bytes of early data as advertised in tickets"},
- {"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n',
- "The maximum number of bytes of early data (hard limit)"},
- {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
- {"num_tickets", OPT_S_NUM_TICKETS, 'n',
- "The number of TLSv1.3 session tickets that a server will automatically issue" },
- {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
- {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
- {"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
- {NULL, OPT_EOF, 0, NULL}
+
+ OPT_R_OPTIONS,
+ OPT_S_OPTIONS,
+ OPT_V_OPTIONS,
+ {"cert_chain", OPT_CERT_CHAIN, '<',
+ "certificate chain file in PEM format"},
+ {"dcert_chain", OPT_DCERT_CHAIN, '<',
+ "second certificate chain file in PEM format"},
+ {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
+ {"chainCAfile", OPT_CHAINCAFILE, '<',
+ "CA file for certificate chain (PEM format)"},
+ OPT_X_OPTIONS,
+ {NULL}
};
#define IS_PROT_FLAG(o) \
} OPTION_CHOICE;
const OPTIONS s_time_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+
+ OPT_SECTION("Connection"),
{"connect", OPT_CONNECT, 's',
"Where to connect as post:port (default is " SSL_CONNECT_NAME ")"},
- {"cipher", OPT_CIPHER, 's', "TLSv1.2 and below cipher list to be used"},
- {"ciphersuites", OPT_CIPHERSUITES, 's',
- "Specify TLSv1.3 ciphersuites to be used"},
- {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
- {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
- {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
- {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
- {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
- {"no-CAfile", OPT_NOCAFILE, '-',
- "Do not load the default certificates file"},
- {"no-CApath", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates directory"},
- {"no-CAstore", OPT_NOCASTORE, '-',
- "Do not load certificates from the default certificates store URI"},
{"new", OPT_NEW, '-', "Just time new connections"},
{"reuse", OPT_REUSE, '-', "Just time connection reuse"},
{"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
- {"verify", OPT_VERIFY, 'p',
- "Turn on peer certificate verification, set depth"},
- {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
- {"www", OPT_WWW, 's', "Fetch specified page from the site"},
+ {"cipher", OPT_CIPHER, 's', "TLSv1.2 and below cipher list to be used"},
+ {"ciphersuites", OPT_CIPHERSUITES, 's',
+ "Specify TLSv1.3 ciphersuites to be used"},
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
#endif
#ifndef OPENSSL_NO_TLS1_3
{"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
#endif
+ {"verify", OPT_VERIFY, 'p',
+ "Turn on peer certificate verification, set depth"},
+ {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
+ {"www", OPT_WWW, 's', "Fetch specified page from the site"},
+
+ OPT_SECTION("Certificate"),
+ {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
+ {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
+ {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
+ {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
+ {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store URI"},
+
{NULL}
};
} OPTION_CHOICE;
const OPTIONS sess_id_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"context", OPT_CONTEXT, 's', "Set the session ID context"},
+
+ OPT_SECTION("Input"),
+ {"in", OPT_IN, 's', "Input file - default stdin"},
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file - default stdout"},
{"outform", OPT_OUTFORM, 'f',
"Output format - default PEM (PEM, DER or NSS)"},
- {"in", OPT_IN, 's', "Input file - default stdin"},
- {"out", OPT_OUT, '>', "Output file - default stdout"},
{"text", OPT_TEXT, '-', "Print ssl session id details"},
{"cert", OPT_CERT, '-', "Output certificate "},
{"noout", OPT_NOOUT, '-', "Don't output the encoded session info"},
- {"context", OPT_CONTEXT, 's', "Set the session ID context"},
{NULL}
};
{OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},
{OPT_HELP_STR, 1, '-',
" cert.pem... recipient certs for encryption\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"in", OPT_IN, '<', "Input file"},
+ {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
+ {"out", OPT_OUT, '>', "Output file"},
+ {"outform", OPT_OUTFORM, 'c',
+ "Output format SMIME (default), PEM or DER"},
+ {"inkey", OPT_INKEY, 's',
+ "Input private key (if not signer or recipient)"},
+ {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+ {"stream", OPT_STREAM, '-', "Enable CMS streaming" },
+ {"indef", OPT_INDEF, '-', "Same as -stream" },
+ {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
+
+ OPT_SECTION("Action"),
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
{"sign", OPT_SIGN, '-', "Sign message"},
+ {"resign", OPT_RESIGN, '-', "Resign a signed message"},
{"verify", OPT_VERIFY, '-', "Verify signed message"},
+
+ OPT_SECTION("Signing/Encryption"),
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
+ {"", OPT_CIPHER, '-', "Any supported cipher"},
{"pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure"},
{"nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer"},
- {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
- {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
- {"nocerts", OPT_NOCERTS, '-',
- "Don't include signers certificate when signing"},
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"binary", OPT_BINARY, '-', "Don't translate message to text"},
- {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
{"signer", OPT_SIGNER, 's', "Signer certificate file"},
- {"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"},
- {"in", OPT_IN, '<', "Input file"},
- {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
- {"inkey", OPT_INKEY, 's',
- "Input private key (if not signer or recipient)"},
- {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
- {"out", OPT_OUT, '>', "Output file"},
- {"outform", OPT_OUTFORM, 'c',
- "Output format SMIME (default), PEM or DER"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
+ {"nocerts", OPT_NOCERTS, '-',
+ "Don't include signers certificate when signing"},
+
+ OPT_SECTION("Verification/Decryption"),
+ {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
+ {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
+
+ {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
+ {"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"},
+
+ OPT_SECTION("Email"),
{"to", OPT_TO, 's', "To address"},
{"from", OPT_FROM, 's', "From address"},
{"subject", OPT_SUBJECT, 's', "Subject"},
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
+ {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
+
+ OPT_SECTION("Certificate chain"),
{"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
- {"resign", OPT_RESIGN, '-', "Resign a signed message"},
{"nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
- {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
- {"stream", OPT_STREAM, '-', "Enable CMS streaming" },
- {"indef", OPT_INDEF, '-', "Same as -stream" },
- {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"},
+
OPT_R_OPTIONS,
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
- {"", OPT_CIPHER, '-', "Any supported cipher"},
OPT_V_OPTIONS,
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
{NULL}
};
const OPTIONS speed_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] ciphers...\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"evp", OPT_EVP, 's', "Use EVP-named cipher or digest"},
- {"hmac", OPT_HMAC, 's', "HMAC using EVP-named digest"},
-#ifndef OPENSSL_NO_CMAC
- {"cmac", OPT_CMAC, 's', "CMAC using EVP-named cipher"},
-#endif
- {"decrypt", OPT_DECRYPT, '-',
- "Time decryption instead of encryption (only EVP)"},
- {"aead", OPT_AEAD, '-',
- "Benchmark EVP-named AEAD cipher in TLS-like sequence"},
{"mb", OPT_MB, '-',
"Enable (tls1>=1) multi-block mode on EVP-named cipher"},
{"mr", OPT_MR, '-', "Produce machine readable output"},
{"async_jobs", OPT_ASYNCJOBS, 'p',
"Enable async mode and start specified number of jobs"},
#endif
- OPT_R_OPTIONS,
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
+ {"primes", OPT_PRIMES, 'p', "Specify number of primes (for RSA only)"},
+
+ OPT_SECTION("Selection"),
+ {"evp", OPT_EVP, 's', "Use EVP-named cipher or digest"},
+ {"hmac", OPT_HMAC, 's', "HMAC using EVP-named digest"},
+#ifndef OPENSSL_NO_CMAC
+ {"cmac", OPT_CMAC, 's', "CMAC using EVP-named cipher"},
+#endif
+ {"decrypt", OPT_DECRYPT, '-',
+ "Time decryption instead of encryption (only EVP)"},
+ {"aead", OPT_AEAD, '-',
+ "Benchmark EVP-named AEAD cipher in TLS-like sequence"},
+
+ OPT_SECTION("Timing"),
{"elapsed", OPT_ELAPSED, '-',
"Use wall-clock time instead of CPU user time as divisor"},
- {"primes", OPT_PRIMES, 'p', "Specify number of primes (for RSA only)"},
{"seconds", OPT_SECONDS, 'p',
"Run benchmarks for specified amount of seconds"},
{"bytes", OPT_BYTES, 'p',
"Run [non-PKI] benchmarks on custom-sized buffer"},
{"misalign", OPT_MISALIGN, 'p',
"Use specified offset to mis-align buffers"},
+
+ OPT_R_OPTIONS,
{NULL}
};
} OPTION_CHOICE;
const OPTIONS spkac_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+ {"spksect", OPT_SPKSECT, 's',
+ "Specify the name of an SPKAC-dedicated section of configuration"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+
+ OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
- {"out", OPT_OUT, '>', "Output file"},
{"key", OPT_KEY, '<', "Create SPKAC using private key"},
{"keyform", OPT_KEYFORM, 'f', "Private key file format - default PEM (PEM, DER, or ENGINE)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"challenge", OPT_CHALLENGE, 's', "Challenge string"},
{"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file"},
{"noout", OPT_NOOUT, '-', "Don't print SPKAC"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"verify", OPT_VERIFY, '-', "Verify SPKAC signature"},
- {"spksect", OPT_SPKSECT, 's',
- "Specify the name of an SPKAC-dedicated section of configuration"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS srp_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"verbose", OPT_VERBOSE, '-', "Talk a lot while doing things"},
{"config", OPT_CONFIG, '<', "A config file"},
{"name", OPT_NAME, 's', "The particular srp definition to use"},
- {"srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Action"),
{"add", OPT_ADD, '-', "Add a user and srp verifier"},
- {"modify", OPT_MODIFY, '-',
- "Modify the srp verifier of an existing user"},
+ {"modify", OPT_MODIFY, '-', "Modify the srp verifier of an existing user"},
{"delete", OPT_DELETE, '-', "Delete user from verifier file"},
{"list", OPT_LIST, '-', "List users"},
+
+ OPT_SECTION("Configuration"),
+ {"srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name"},
{"gn", OPT_GN, 's', "Set g and N values to be used for new verifier"},
{"userinfo", OPT_USERINFO, 's', "Additional info to be set for user"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+
OPT_R_OPTIONS,
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
{NULL}
};
} OPTION_CHOICE;
const OPTIONS storeutl_options[] = {
- {OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\nValid options are:\n"},
+ {OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"out", OPT_OUT, '>', "Output file - default stdout"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- {"text", OPT_TEXT, '-', "Print a text form of the objects"},
- {"noout", OPT_NOOUT, '-', "No PEM output, just status"},
+ {"", OPT_MD, '-', "Any supported digest"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+
+ OPT_SECTION("Search"),
{"certs", OPT_SEARCHFOR_CERTS, '-', "Search for certificates only"},
{"keys", OPT_SEARCHFOR_KEYS, '-', "Search for keys only"},
{"crls", OPT_SEARCHFOR_CRLS, '-', "Search for CRLs only"},
{"serial", OPT_CRITERION_SERIAL, 's', "Search by issuer and serial, serial number"},
{"fingerprint", OPT_CRITERION_FINGERPRINT, 's', "Search by public key fingerprint, given in hex"},
{"alias", OPT_CRITERION_ALIAS, 's', "Search by alias"},
- {"", OPT_MD, '-', "Any supported digest"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
{"r", OPT_RECURSIVE, '-', "Recurse through names"},
+
+ OPT_SECTION("Input"),
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+
+ OPT_SECTION("Output"),
+ {"out", OPT_OUT, '>', "Output file - default stdout"},
+ {"text", OPT_TEXT, '-', "Print a text form of the objects"},
+ {"noout", OPT_NOOUT, '-', "No PEM output, just status"},
{NULL}
};
} OPTION_CHOICE;
const OPTIONS ts_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"config", OPT_CONFIG, '<', "Configuration file"},
{"section", OPT_SECTION, 's', "Section to use within config file"},
- {"query", OPT_QUERY, '-', "Generate a TS query"},
- {"data", OPT_DATA, '<', "File to hash"},
- {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
- OPT_R_OPTIONS,
- {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
- {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
- {"cert", OPT_CERT, '-', "Put cert request into query"},
- {"in", OPT_IN, '<', "Input file"},
- {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"},
- {"out", OPT_OUT, '>', "Output file"},
- {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"},
- {"text", OPT_TEXT, '-', "Output text (not DER)"},
- {"reply", OPT_REPLY, '-', "Generate a TS reply"},
- {"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
{"inkey", OPT_INKEY, 's', "File with private key for reply"},
{"signer", OPT_SIGNER, 's', "Signer certificate file"},
{"chain", OPT_CHAIN, '<', "File with signer CA chain"},
- {"verify", OPT_VERIFY, '-', "Verify a TS response"},
{"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
{"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
{"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"},
{"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
+ {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"},
+ {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"", OPT_MD, '-', "Any supported digest"},
-# ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
- {OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"},
+
+ OPT_SECTION("Query"),
+ {"query", OPT_QUERY, '-', "Generate a TS query"},
+ {"data", OPT_DATA, '<', "File to hash"},
+ {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
+ {"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"},
+ {"cert", OPT_CERT, '-', "Put cert request into query"},
+ {"in", OPT_IN, '<', "Input file"},
+
+ OPT_SECTION("Verify"),
+ {"verify", OPT_VERIFY, '-', "Verify a TS response"},
+ {"reply", OPT_REPLY, '-', "Generate a TS reply"},
+ {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
+ {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
+ {"out", OPT_OUT, '>', "Output file"},
+ {"text", OPT_TEXT, '-', "Output text (not DER)"},
+
+ OPT_R_OPTIONS,
OPT_V_OPTIONS,
- {OPT_HELP_STR, 1, '-', "\n"},
{NULL}
};
* This command is so complex, special help is needed.
*/
static char* opt_helplist[] = {
+ "",
"Typical uses:",
- "ts -query [-rand file...] [-config file] [-data file]",
- " [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]",
- " [-in file] [-out file] [-text]",
- " or",
- "ts -reply [-config file] [-section tsa_section]",
- " [-queryfile file] [-passin password]",
- " [-signer tsa_cert.pem] [-inkey private_key.pem]",
- " [-chain certs_file.pem] [-tspolicy oid]",
- " [-in file] [-token_in] [-out file] [-token_out]",
+ " openssl ts -query [-rand file...] [-config file] [-data file]",
+ " [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]",
+ " [-in file] [-out file] [-text]",
+ "",
+ " openssl ts -reply [-config file] [-section tsa_section]",
+ " [-queryfile file] [-passin password]",
+ " [-signer tsa_cert.pem] [-inkey private_key.pem]",
+ " [-chain certs_file.pem] [-tspolicy oid]",
+ " [-in file] [-token_in] [-out file] [-token_out]",
# ifndef OPENSSL_NO_ENGINE
- " [-text] [-engine id]",
+ " [-text] [-engine id]",
# else
- " [-text]",
+ " [-text]",
# endif
- " or",
- "ts -verify -CApath dir -CAfile file.pem -CAstore uri -untrusted file.pem",
- " [-data file] [-digest hexstring]",
- " [-queryfile file] -in file [-token_in]",
- " [[options specific to 'ts -verify']]",
+ "",
+ " openssl ts -verify -CApath dir -CAfile file.pem -CAstore uri",
+ " -untrusted file.pem [-data file] [-digest hexstring]",
+ " [-queryfile file] -in file [-token_in] ...",
NULL,
};
const OPTIONS verify_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
{"verbose", OPT_VERBOSE, '-',
"Print extra information about the operations being performed."},
+ {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+
+ OPT_SECTION("Certificate chain"),
{"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
{"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
{"CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates"},
"Attempt to download CRL information for this certificate"},
{"show_chain", OPT_SHOW_CHAIN, '-',
"Display information about the certificate chain"},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+
OPT_V_OPTIONS,
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
#ifndef OPENSSL_NO_SM2
{"sm2-id", OPT_SM2ID, 's',
"Specify an ID string to verify an SM2 certificate"},
} OPTION_CHOICE;
const OPTIONS version_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+
+ OPT_SECTION("Output"),
{"a", OPT_A, '-', "Show all data"},
{"b", OPT_B, '-', "Show build date"},
{"d", OPT_D, '-', "Show configuration directory"},
} OPTION_CHOICE;
const OPTIONS x509_options[] = {
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+
{"inform", OPT_INFORM, 'f',
"Input format - default PEM (one of DER or PEM)"},
{"in", OPT_IN, '<', "Input file - default stdin"},
+ {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
{"outform", OPT_OUTFORM, 'f',
"Output format - default PEM (one of DER or PEM)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
- {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
+ {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
+
+ OPT_SECTION("Output"),
{"serial", OPT_SERIAL, '-', "Print serial number value"},
{"subject_hash", OPT_HASH, '-', "Print subject hash value"},
{"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
{"subject", OPT_SUBJECT, '-', "Print subject DN"},
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
{"email", OPT_EMAIL, '-', "Print email address(es)"},
- {"startdate", OPT_STARTDATE, '-', "Set notBefore field"},
- {"enddate", OPT_ENDDATE, '-', "Set notAfter field"},
{"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"},
- {"dates", OPT_DATES, '-', "Both Before and After dates"},
{"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
{"pubkey", OPT_PUBKEY, '-', "Output the public key"},
- {"fingerprint", OPT_FINGERPRINT, '-',
- "Print the certificate fingerprint"},
+ {"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"},
{"alias", OPT_ALIAS, '-', "Output certificate alias"},
{"noout", OPT_NOOUT, '-', "No output, just status"},
- {"nocert", OPT_NOCERT, '-', "No certificate output"},
{"ocspid", OPT_OCSPID, '-',
"Print OCSP hash values for the subject name and public key"},
{"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"},
+ {"nocert", OPT_NOCERT, '-', "No certificate output"},
{"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"},
+ {"x509toreq", OPT_X509TOREQ, '-',
+ "Output a certification request object"},
+ {"checkend", OPT_CHECKEND, 'M',
+ "Check whether the cert expires in the next arg seconds"},
+ {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"},
+ {"text", OPT_TEXT, '-', "Print the certificate in text form"},
+ {"ext", OPT_EXT, 's', "Print various X509V3 extensions"},
+ {"C", OPT_C, '-', "Print out C code forms"},
+#ifndef OPENSSL_NO_MD5
+ {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
+ "Print old-style (MD5) issuer hash value"},
+ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
+ "Print old-style (MD5) subject hash value"},
+#endif
+ {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+
+ OPT_SECTION("Certificate"),
+ {"startdate", OPT_STARTDATE, '-', "Set notBefore field"},
+ {"enddate", OPT_ENDDATE, '-', "Set notAfter field"},
+ {"dates", OPT_DATES, '-', "Both Before and After dates"},
{"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"},
{"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"},
{"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"},
{"setalias", OPT_SETALIAS, 's', "Set certificate alias"},
{"days", OPT_DAYS, 'n',
"How long till expiry of a signed certificate - def 30 days"},
- {"checkend", OPT_CHECKEND, 'M',
- "Check whether the cert expires in the next arg seconds"},
- {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"},
{"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"},
- {"x509toreq", OPT_X509TOREQ, '-',
- "Output a certification request object"},
- {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
- {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"},
- {"CAkey", OPT_CAKEY, 's',
- "The CA key, must be PEM format; if not in CAfile"},
- {"CAcreateserial", OPT_CACREATESERIAL, '-',
- "Create serial number file if it does not exist"},
- {"CAserial", OPT_CASERIAL, 's', "Serial file"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
- {"text", OPT_TEXT, '-', "Print the certificate in text form"},
- {"ext", OPT_EXT, 's', "Print various X509V3 extensions"},
- {"C", OPT_C, '-', "Print out C code forms"},
- {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
- OPT_R_OPTIONS,
{"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
{"certopt", OPT_CERTOPT, 's', "Various certificate text options"},
{"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"},
{"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"},
{"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"},
+ {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the key to put inside certificate"},
+ {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"},
+
+ OPT_SECTION("CA"),
+ {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"},
+ {"CAkey", OPT_CAKEY, 's',
+ "The CA key, must be PEM format; if not in CAfile"},
+ {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
+ OPT_R_OPTIONS,
{"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
+ {"CAcreateserial", OPT_CACREATESERIAL, '-',
+ "Create serial number file if it does not exist"},
+ {"CAserial", OPT_CASERIAL, 's', "Serial file"},
{"new", OPT_NEW, '-', "Generate a certificate from scratch"},
- {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the key to put inside certificate"},
- {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"},
{"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"},
{"clrreject", OPT_CLRREJECT, '-',
"Clears all the prohibited or rejected uses of the certificate"},
{"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"},
{"", OPT_MD, '-', "Any supported digest"},
-#ifndef OPENSSL_NO_MD5
- {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
- "Print old-style (MD5) issuer hash value"},
- {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
- "Print old-style (MD5) subject hash value"},
-#endif
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
{"preserve_dates", OPT_PRESERVE_DATES, '-', "preserve existing dates when signing"},
{NULL}
};