OPT_SECTION("Signing"),
{"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
{"keyfile", OPT_KEYFILE, 's', "Private key"},
- {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
{"cert", OPT_CERT, '<', "The CA cert"},
{"certform", OPT_CERTFORM, 'F',
- "certificate input format (DER or PEM); default PEM"},
+ "certificate input format (DER/PEM/P12); has no effect"},
{"selfsign", OPT_SELFSIGN, '-',
"Sign a cert with the key associated with it"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
certfile = opt_arg();
break;
case OPT_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &certformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &certformat))
goto opthelp;
break;
case OPT_SELFSIGN:
}
}
pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key");
- if (key != NULL)
- OPENSSL_cleanse(key, strlen(key));
+ cleanse(key);
if (pkey == NULL)
/* load_key() has already printed an appropriate message */
goto end;
DEFINE_STACK_OF(X509_EXTENSION)
DEFINE_STACK_OF(OSSL_CMP_ITAV)
-/* start TODO remove when PR #11755 is merged */
-static char *get_passwd(const char *pass, const char *desc)
-{
- char *result = NULL;
-
- app_passwd(pass, NULL, &result, NULL);
- return result;
-}
-
-static void cleanse(char *str)
-{
- if (str != NULL)
- OPENSSL_cleanse(str, strlen(str));
-}
-
-static void clear_free(char *str)
-{
- if (str != NULL)
- OPENSSL_clear_free(str, strlen(str));
-}
-
-static int load_key_cert_crl(const char *uri, int maybe_stdin,
- const char *pass, const char *desc,
- EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl)
-{
- PW_CB_DATA uidata;
- OSSL_STORE_CTX *ctx = NULL;
- int ret = 0;
-
- if (ppkey != NULL)
- *ppkey = NULL;
- if (pcert != NULL)
- *pcert = NULL;
- if (pcrl != NULL)
- *pcrl = NULL;
-
- uidata.password = pass;
- uidata.prompt_info = uri;
-
- ctx = OSSL_STORE_open(uri, get_ui_method(), &uidata, NULL, NULL);
- if (ctx == NULL) {
- BIO_printf(bio_err, "Could not open file or uri %s for loading %s\n",
- uri, desc);
- goto end;
- }
-
- for (;;) {
- OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
- int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
- const char *infostr =
- info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
- int err = 0;
-
- if (info == NULL) {
- if (OSSL_STORE_eof(ctx))
- ret = 1;
- break;
- }
-
- switch (type) {
- case OSSL_STORE_INFO_PKEY:
- if (ppkey != NULL && *ppkey == NULL)
- err = ((*ppkey = OSSL_STORE_INFO_get1_PKEY(info)) == NULL);
- break;
- case OSSL_STORE_INFO_CERT:
- if (pcert != NULL && *pcert == NULL)
- err = ((*pcert = OSSL_STORE_INFO_get1_CERT(info)) == NULL);
- break;
- case OSSL_STORE_INFO_CRL:
- if (pcrl != NULL && *pcrl == NULL)
- err = ((*pcrl = OSSL_STORE_INFO_get1_CRL(info)) == NULL);
- break;
- default:
- /* skip any other type */
- break;
- }
- OSSL_STORE_INFO_free(info);
- if (err) {
- BIO_printf(bio_err, "Could not read %s of %s from %s\n",
- infostr, desc, uri);
- break;
- }
- }
-
- end:
- if (ctx != NULL)
- OSSL_STORE_close(ctx);
- if (!ret)
- ERR_print_errors(bio_err);
- return ret;
-}
-
-static
-EVP_PKEY *load_key_preliminary(const char *uri, int format, int may_stdin,
- const char *pass, ENGINE *e, const char *desc)
-{
- EVP_PKEY *pkey = NULL;
-
- if (desc == NULL)
- desc = "private key";
-
- if (format == FORMAT_ENGINE) {
- if (e == NULL) {
- BIO_printf(bio_err, "No engine specified for loading %s\n", desc);
- } else {
-#ifndef OPENSSL_NO_ENGINE
- PW_CB_DATA cb_data;
-
- cb_data.password = pass;
- cb_data.prompt_info = uri;
- if (ENGINE_init(e)) {
- pkey = ENGINE_load_private_key(e, uri,
- (UI_METHOD *)get_ui_method(),
- &cb_data);
- ENGINE_finish(e);
- }
- if (pkey == NULL) {
- BIO_printf(bio_err, "Cannot load %s from engine\n", desc);
- ERR_print_errors(bio_err);
- }
-#else
- BIO_printf(bio_err, "Engines not supported for loading %s\n", desc);
-#endif
- }
- } else {
- (void)load_key_cert_crl(uri, may_stdin, pass, desc, &pkey, NULL, NULL);
- }
-
- if (pkey == NULL) {
- BIO_printf(bio_err, "Unable to load %s\n", desc);
- ERR_print_errors(bio_err);
- }
- return pkey;
-}
-
-static X509 *load_cert_pass(const char *uri, int maybe_stdin,
- const char *pass, const char *desc)
-{
- X509 *cert = NULL;
-
- if (desc == NULL)
- desc = "certificate";
- (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, NULL, &cert, NULL);
- if (cert == NULL) {
- BIO_printf(bio_err, "Unable to load %s\n", desc);
- ERR_print_errors(bio_err);
- }
- return cert;
-}
-/* end TODO remove when PR #11755 is merged */
-
static char *opt_config = NULL;
#define CMP_SECTION "cmp"
#define SECTION_NAME_MAX 40 /* max length of section name */
const char *pass, ENGINE *e, const char *desc)
{
char *pass_string = get_passwd(pass, desc);
- EVP_PKEY *pkey = load_key_preliminary(uri, format, 0, pass_string, e, desc);
+ EVP_PKEY *pkey = load_key(uri, format, 0, pass_string, e, desc);
clear_free(pass_string);
return pkey;
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
- {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
{"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
OPT_SECTION("Mail header"),
if (operation == SMIME_ENCRYPT) {
if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
goto end;
- cert = load_cert(opt_arg(), FORMAT_PEM,
+ cert = load_cert(opt_arg(), FORMAT_UNDEF,
"recipient certificate file");
if (cert == NULL)
goto end;
if ((encerts = sk_X509_new_null()) == NULL)
goto end;
while (*argv) {
- if ((cert = load_cert(*argv, FORMAT_PEM,
+ if ((cert = load_cert(*argv, FORMAT_UNDEF,
"recipient certificate file")) == NULL)
goto end;
sk_X509_push(encerts, cert);
}
if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
- if ((recip = load_cert(recipfile, FORMAT_PEM,
+ if ((recip = load_cert(recipfile, FORMAT_UNDEF,
"recipient certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (originatorfile != NULL) {
- if ((originator = load_cert(originatorfile, FORMAT_PEM,
+ if ((originator = load_cert(originatorfile, FORMAT_UNDEF,
"originator certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (operation == SMIME_SIGN_RECEIPT) {
- if ((signer = load_cert(signerfile, FORMAT_PEM,
+ if ((signer = load_cert(signerfile, FORMAT_UNDEF,
"receipt signer certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
- signer = load_cert(signerfile, FORMAT_PEM, "signer certificate");
+ signer = load_cert(signerfile, FORMAT_UNDEF,
+ "signer certificate");
if (signer == NULL) {
ret = 2;
goto end;
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file - default stdin"},
- {"inform", OPT_INFORM, 'F', "Input format; default PEM"},
+ {"inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect"},
{"key", OPT_KEY, '<', "CRL signing Private key to use"},
- {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect"},
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "output file - default stdout"},
outfile = opt_arg();
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
goto opthelp;
break;
case OPT_KEY:
{"c", OPT_C, '-', "Print the digest with separating colons"},
{"r", OPT_R, '-', "Print the digest in coreutils format"},
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
- {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"hex", OPT_HEX, '-', "Print as hex dump"},
{"binary", OPT_BINARY, '-', "Print in binary form"},
{"d", OPT_DEBUG, '-', "Print debug info"},
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
- {"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
- {"inform", OPT_INFORM, 'f', "Input format - DER or PEM"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"check", OPT_CHECK, '-', "check key consistency"},
goto end;
}
/* wiping secret data as we no longer need it */
- OPENSSL_cleanse(hkey, strlen(hkey));
+ cleanse(hkey);
}
if ((benc = BIO_new(BIO_f_cipher())) == NULL)
int set_name_ex(unsigned long *flags, const char *arg);
int set_ext_copy(int *copy_type, const char *arg);
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
+char *get_passwd(const char *pass, const char *desc);
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
int add_oid_section(CONF *conf);
X509_REQ *load_csr(const char *file, int format, const char *desc);
-X509 *load_cert(const char *file, int format, const char *desc);
-X509_CRL *load_crl(const char *infile, int format, const char *desc);
-EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
+X509 *load_cert_pass(const char *uri, int maybe_stdin,
+ const char *pass, const char *desc);
+/* the format parameter is meanwhile not needed anymore and thus ignored */
+X509 *load_cert(const char *uri, int format, const char *desc);
+X509_CRL *load_crl(const char *uri, int format, const char *desc);
+void cleanse(char *str);
+void clear_free(char *str);
+EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc);
-EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
+EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc);
int load_certs(const char *file, STACK_OF(X509) **certs, int format,
const char *pass, const char *desc);
int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
const char *pass, const char *desc);
+int load_key_cert_crl(const char *uri, int maybe_stdin,
+ const char *pass, const char *desc,
+ EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl);
X509_STORE *setup_verify(const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
{ "xchain_build", OPT_X_CHAIN_BUILD, '-', \
"build certificate chain for the extended certificates"}, \
{ "xcertform", OPT_X_CERTFORM, 'F', \
- "format of Extended certificate (PEM or DER) PEM default " }, \
+ "format of Extended certificate (PEM/DER/P12); has no effect" }, \
{ "xkeyform", OPT_X_KEYFORM, 'F', \
- "format of Extended certificate's key (PEM or DER) PEM default"}
+ "format of Extended certificate's key (DER/PEM/P12); has no effect"}
# define OPT_X_CASES \
OPT_X__FIRST: case OPT_X__LAST: break; \
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
+#include <openssl/store.h>
#include <openssl/pkcs12.h>
#include <openssl/ui.h>
#include <openssl/safestack.h>
static char *app_get_pass(const char *arg, int keepbio);
+char *get_passwd(const char *pass, const char *desc)
+{
+ char *result = NULL;
+
+ if (desc == NULL)
+ desc = "<unknown>";
+ if (!app_passwd(pass, NULL, &result, NULL))
+ BIO_printf(bio_err, "Error getting password for %s\n", desc);
+ if (pass != NULL && result == NULL) {
+ BIO_printf(bio_err,
+ "Trying plain input string (better precede with 'pass:')\n");
+ result = OPENSSL_strdup(pass);
+ if (result == NULL)
+ BIO_printf(bio_err, "Out of memory getting password for %s\n", desc);
+ }
+ return result;
+}
+
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2)
{
int same = arg1 != NULL && arg2 != NULL && strcmp(arg1, arg2) == 0;
return 1;
}
-static int load_pkcs12(BIO *in, const char *desc,
- pem_password_cb *pem_cb, PW_CB_DATA *cb_data,
- EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+X509 *load_cert_pass(const char *uri, int maybe_stdin,
+ const char *pass, const char *desc)
{
- const char *pass;
- char tpass[PEM_BUFSIZE];
- int len, ret = 0;
- PKCS12 *p12;
+ X509 *cert = NULL;
- p12 = d2i_PKCS12_bio(in, NULL);
- if (p12 == NULL) {
- if (desc != NULL)
- BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc);
- else
- BIO_printf(bio_err, "Error loading PKCS12 file\n");
- goto die;
- }
- /* See if an empty password will do */
- if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0)) {
- pass = "";
- } else {
- if (pem_cb == NULL)
- pem_cb = (pem_password_cb *)password_callback;
- len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
- if (len < 0) {
- BIO_printf(bio_err, "Passphrase callback error for %s\n",
- desc != NULL ? desc : "PKCS12 input");
- goto die;
- }
- if (len < PEM_BUFSIZE)
- tpass[len] = 0;
- if (!PKCS12_verify_mac(p12, tpass, len)) {
- BIO_printf(bio_err,
- "Mac verify error (wrong password?) in PKCS12 file for %s\n",
- desc != NULL ? desc : "PKCS12 input");
- goto die;
- }
- pass = tpass;
- }
- ret = PKCS12_parse(p12, pass, pkey, cert, ca);
- die:
- PKCS12_free(p12);
- return ret;
-}
-
-X509 *load_cert(const char *file, int format, const char *desc)
-{
- X509 *x = NULL;
- BIO *cert;
-
- if (format == FORMAT_HTTP) {
-#if !defined(OPENSSL_NO_SOCK)
- x = X509_load_http(file, NULL, NULL, 0 /* timeout */);
-#endif
- return x;
- }
-
- if (file == NULL) {
+ if (desc == NULL)
+ desc = "certificate";
+ if (uri == NULL) {
unbuffer(stdin);
- cert = dup_bio_in(format);
- } else {
- cert = bio_open_default(file, 'r', format);
+ uri = "";
}
- if (cert == NULL)
- goto end;
-
- if (format == FORMAT_ASN1) {
- x = d2i_X509_bio(cert, NULL);
- } else if (format == FORMAT_PEM) {
- x = PEM_read_bio_X509_AUX(cert, NULL,
- (pem_password_cb *)password_callback, NULL);
- } else if (format == FORMAT_PKCS12) {
- if (!load_pkcs12(cert, desc, NULL, NULL, NULL, &x, NULL))
- goto end;
- } else {
- print_format_error(format,
-#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
- OPT_FMT_HTTP |
-#endif
- OPT_FMT_PEMDER | OPT_FMT_PKCS12);
- }
-
- end:
- if (x == NULL && desc != NULL) {
+ (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, NULL, &cert, NULL);
+ if (cert == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
- BIO_free(cert);
- return x;
+ return cert;
}
-X509_CRL *load_crl(const char *infile, int format, const char *desc)
+/* the format parameter is meanwhile not needed anymore and thus ignored */
+X509 *load_cert(const char *uri, int format, const char *desc)
{
- X509_CRL *x = NULL;
- BIO *in = NULL;
-
- if (format == FORMAT_HTTP) {
-#if !defined(OPENSSL_NO_SOCK)
- x = X509_CRL_load_http(infile, NULL, NULL, 0 /* timeout */);
-#endif
- return x;
- }
+ return load_cert_pass(uri, 0, NULL, desc);
+}
- in = bio_open_default(infile, 'r', format);
- if (in == NULL)
- goto end;
- if (format == FORMAT_ASN1) {
- x = d2i_X509_CRL_bio(in, NULL);
- } else if (format == FORMAT_PEM) {
- x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
- } else
- print_format_error(format, OPT_FMT_PEMDER);
+/* the format parameter is meanwhile not needed anymore and thus ignored */
+X509_CRL *load_crl(const char *uri, int format, const char *desc)
+{
+ X509_CRL *crl = NULL;
- end:
- if (x == NULL && desc != NULL) {
+ if (desc == NULL)
+ desc = "CRL";
+ (void)load_key_cert_crl(uri, 0, NULL, desc, NULL, NULL, &crl);
+ if (crl == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
- BIO_free(in);
- return x;
+ return crl;
}
X509_REQ *load_csr(const char *file, int format, const char *desc)
X509_REQ *req = NULL;
BIO *in;
+ if (desc == NULL)
+ desc = "CSR";
in = bio_open_default(file, 'r', format);
if (in == NULL)
goto end;
print_format_error(format, OPT_FMT_PEMDER);
end:
- if (req == NULL && desc != NULL) {
+ if (req == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
return req;
}
-EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
+void cleanse(char *str)
+{
+ if (str != NULL)
+ OPENSSL_cleanse(str, strlen(str));
+}
+
+void clear_free(char *str)
+{
+ if (str != NULL)
+ OPENSSL_clear_free(str, strlen(str));
+}
+
+EVP_PKEY *load_key(const char *uri, int format, int may_stdin,
const char *pass, ENGINE *e, const char *desc)
{
- BIO *key = NULL;
EVP_PKEY *pkey = NULL;
- PW_CB_DATA cb_data;
- cb_data.password = pass;
- cb_data.prompt_info = file;
+ if (desc == NULL)
+ desc = "private key";
- if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
- BIO_printf(bio_err, "No keyfile specified\n");
- goto end;
- }
if (format == FORMAT_ENGINE) {
if (e == NULL) {
- BIO_printf(bio_err, "No engine specified\n");
+ BIO_printf(bio_err, "No engine specified for loading %s\n", desc);
} else {
#ifndef OPENSSL_NO_ENGINE
+ PW_CB_DATA cb_data;
+
+ cb_data.password = pass;
+ cb_data.prompt_info = uri;
if (ENGINE_init(e)) {
- pkey = ENGINE_load_private_key(e, file,
+ pkey = ENGINE_load_private_key(e, uri,
(UI_METHOD *)get_ui_method(),
&cb_data);
ENGINE_finish(e);
}
- if (pkey == NULL && desc != NULL) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "Cannot load %s from engine\n", desc);
ERR_print_errors(bio_err);
}
#else
- BIO_printf(bio_err, "Engines not supported\n");
+ BIO_printf(bio_err, "Engines not supported for loading %s\n", desc);
#endif
}
- goto end;
- }
- if (file == NULL && maybe_stdin) {
- unbuffer(stdin);
- key = dup_bio_in(format);
- } else {
- key = bio_open_default(file, 'r', format);
- }
- if (key == NULL)
- goto end;
- if (format == FORMAT_ASN1) {
- pkey = d2i_PrivateKey_bio(key, NULL);
- } else if (format == FORMAT_PEM) {
- pkey = PEM_read_bio_PrivateKey(key, NULL, wrap_password_callback, &cb_data);
- } else if (format == FORMAT_PKCS12) {
- if (!load_pkcs12(key, desc,
- (pem_password_cb *)password_callback, &cb_data,
- &pkey, NULL, NULL))
- goto end;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
- } else if (format == FORMAT_MSBLOB) {
- pkey = b2i_PrivateKey_bio(key);
- } else if (format == FORMAT_PVK) {
- pkey = b2i_PVK_bio(key, wrap_password_callback, &cb_data);
-#endif
} else {
- print_format_error(format, OPT_FMT_PEMDER | OPT_FMT_PKCS12
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
- | OPT_FMT_MSBLOB | FORMAT_PVK
-#endif
-#ifndef OPENSSL_NO_ENGINE
- | OPT_FMT_ENGINE
-#endif
- );
+ (void)load_key_cert_crl(uri, may_stdin, pass, desc, &pkey, NULL, NULL);
}
- end:
- BIO_free(key);
- if (pkey == NULL && desc != NULL) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
return pkey;
}
-EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
+EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc)
{
- BIO *key = NULL;
EVP_PKEY *pkey = NULL;
- PW_CB_DATA cb_data;
- cb_data.password = pass;
- cb_data.prompt_info = file;
+ if (desc == NULL)
+ desc = "public key";
- if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
- BIO_printf(bio_err, "No keyfile specified\n");
- goto end;
- }
if (format == FORMAT_ENGINE) {
if (e == NULL) {
- BIO_printf(bio_err, "No engine specified\n");
+ BIO_printf(bio_err, "No engine specified for loading %s\n", desc);
} else {
#ifndef OPENSSL_NO_ENGINE
- pkey = ENGINE_load_public_key(e, file, (UI_METHOD *)get_ui_method(),
+ PW_CB_DATA cb_data;
+
+ cb_data.password = pass;
+ cb_data.prompt_info = uri;
+ pkey = ENGINE_load_public_key(e, uri, (UI_METHOD *)get_ui_method(),
&cb_data);
- if (pkey == NULL && desc != NULL) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "Cannot load %s from engine\n", desc);
ERR_print_errors(bio_err);
}
#else
- BIO_printf(bio_err, "Engines not supported\n");
+ BIO_printf(bio_err, "Engines not supported for loading %s\n", desc);
#endif
}
- goto end;
- }
- if (file == NULL && maybe_stdin) {
- unbuffer(stdin);
- key = dup_bio_in(format);
} else {
- key = bio_open_default(file, 'r', format);
+ (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, &pkey,
+ NULL, NULL);
}
- if (key == NULL)
- goto end;
- if (format == FORMAT_ASN1) {
- pkey = d2i_PUBKEY_bio(key, NULL);
- } else if (format == FORMAT_ASN1RSA) {
-#ifndef OPENSSL_NO_RSA
- RSA *rsa;
- rsa = d2i_RSAPublicKey_bio(key, NULL);
- if (rsa) {
- pkey = EVP_PKEY_new();
- if (pkey != NULL)
- EVP_PKEY_set1_RSA(pkey, rsa);
- RSA_free(rsa);
- } else
-#else
- BIO_printf(bio_err, "RSA keys not supported\n");
-#endif
- pkey = NULL;
- } else if (format == FORMAT_PEMRSA) {
-#ifndef OPENSSL_NO_RSA
- RSA *rsa;
- rsa = PEM_read_bio_RSAPublicKey(key, NULL,
- (pem_password_cb *)password_callback,
- &cb_data);
- if (rsa != NULL) {
- pkey = EVP_PKEY_new();
- if (pkey != NULL)
- EVP_PKEY_set1_RSA(pkey, rsa);
- RSA_free(rsa);
- } else
-#else
- BIO_printf(bio_err, "RSA keys not supported\n");
-#endif
- pkey = NULL;
- } else if (format == FORMAT_PEM) {
- pkey = PEM_read_bio_PUBKEY(key, NULL,
- (pem_password_cb *)password_callback,
- &cb_data);
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
- } else if (format == FORMAT_MSBLOB) {
- pkey = b2i_PublicKey_bio(key);
-#endif
- } else {
- print_format_error(format, OPT_FMT_PEMDER
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
- | OPT_FMT_MSBLOB
-#endif
- );
- }
- end:
- BIO_free(key);
- if (pkey == NULL && desc != NULL) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
*pcrls = NULL;
}
- if (desc != NULL) {
- BIO_printf(bio_err, "Unable to load %s for %s\n",
- pcerts ? "certificates" : "CRLs", desc);
- ERR_print_errors(bio_err);
- }
+ BIO_printf(bio_err, "Unable to load %s\n", desc != NULL ? desc :
+ pcerts != NULL ? "certificates" : "CRLs");
}
return rv;
}
return load_certs_crls(file, format, pass, desc, NULL, crls);
}
+/*
+ * Load those types of credentials for which the result pointer is not NULL.
+ * Reads from stdio if uri is NULL and maybe_stdin is nonzero.
+ * For each type the first credential found in the store is loaded.
+ * May yield partial result even if rv == 0.
+ */
+int load_key_cert_crl(const char *uri, int maybe_stdin,
+ const char *pass, const char *desc,
+ EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl)
+{
+ PW_CB_DATA uidata;
+ OSSL_STORE_CTX *ctx = NULL;
+ int ret = 0;
+ /* TODO make use of the engine reference 'eng' when loading pkeys */
+
+ if (ppkey != NULL)
+ *ppkey = NULL;
+ if (pcert != NULL)
+ *pcert = NULL;
+ if (pcrl != NULL)
+ *pcrl = NULL;
+
+ if (desc == NULL)
+ desc = "key/certificate/CRL";
+ uidata.password = pass;
+ uidata.prompt_info = uri;
+
+ if (uri == NULL) {
+ BIO *bio;
+
+ if (!maybe_stdin) {
+ BIO_printf(bio_err, "No filename or uri specified for loading %s\n",
+ desc);
+ goto end;
+ }
+ unbuffer(stdin);
+ bio = BIO_new_fp(stdin, 0);
+ if (bio != NULL)
+ ctx = OSSL_STORE_attach(bio, NULL, "file", NULL,
+ get_ui_method(), &uidata, NULL, NULL);
+ uri = "<stdin>";
+ } else {
+ ctx = OSSL_STORE_open(uri, get_ui_method(), &uidata, NULL, NULL);
+ }
+ if (ctx == NULL) {
+ BIO_printf(bio_err, "Could not open file or uri %s for loading %s\n",
+ uri, desc);
+ goto end;
+ }
+
+ for (;;) {
+ OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
+ int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
+ const char *infostr =
+ info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
+ int err = 0;
+
+ if (info == NULL) {
+ if (OSSL_STORE_eof(ctx))
+ ret = 1;
+ break;
+ }
+
+ switch (type) {
+ case OSSL_STORE_INFO_PKEY:
+ if (ppkey != NULL && *ppkey == NULL)
+ err = ((*ppkey = OSSL_STORE_INFO_get1_PKEY(info)) == NULL);
+ break;
+ case OSSL_STORE_INFO_CERT:
+ if (pcert != NULL && *pcert == NULL)
+ err = ((*pcert = OSSL_STORE_INFO_get1_CERT(info)) == NULL);
+ break;
+ case OSSL_STORE_INFO_CRL:
+ if (pcrl != NULL && *pcrl == NULL)
+ err = ((*pcrl = OSSL_STORE_INFO_get1_CRL(info)) == NULL);
+ break;
+ default:
+ /* skip any other type */
+ break;
+ }
+ OSSL_STORE_INFO_free(info);
+ if (err) {
+ BIO_printf(bio_err, "Could not read %s of %s from %s\n",
+ infostr, desc, uri);
+ break;
+ }
+ }
+
+ end:
+ OSSL_STORE_close(ctx);
+ if (!ret)
+ ERR_print_errors(bio_err);
+ return ret;
+}
+
+
#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
/* Return error for unknown extensions */
#define X509V3_EXT_DEFAULT 0
exc->build_chain = 1;
break;
case OPT_X_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->certform))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->certform))
return 0;
break;
case OPT_X_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->keyform))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->keyform))
return 0;
break;
}
path = opt_arg();
break;
case OPT_ISSUER:
- issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate");
+ issuer = load_cert(opt_arg(), FORMAT_UNDEF,
+ "issuer certificate");
if (issuer == NULL)
goto end;
if (issuers == NULL) {
break;
case OPT_CERT:
X509_free(cert);
- cert = load_cert(opt_arg(), FORMAT_PEM, "certificate");
+ cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate");
if (cert == NULL)
goto end;
if (cert_id_md == NULL)
if (rsignfile != NULL) {
if (rkeyfile == NULL)
rkeyfile = rsignfile;
- rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate");
+ rsigner = load_cert(rsignfile, FORMAT_UNDEF,
+ "responder certificate");
if (rsigner == NULL) {
BIO_printf(bio_err, "Error loading responder certificate\n");
goto end;
if (signfile != NULL) {
if (keyfile == NULL)
keyfile = signfile;
- signer = load_cert(signfile, FORMAT_PEM, "signer certificate");
+ signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate");
if (signer == NULL) {
BIO_printf(bio_err, "Error loading signer certificate\n");
goto end;
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
- {"inform", OPT_INFORM, 'f', "Input format (DER or PEM)"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"pubin", OPT_PUBIN, '-',
"Read public key from input (default is private key)"},
{"inkey", OPT_INKEY, 's', "Input private key file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
- {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"},
+ {"peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)"},
{"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
{"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
{"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
passinarg = opt_arg();
break;
case OPT_PEERFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &peerform))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &peerform))
goto opthelp;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyform))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
goto opthelp;
break;
case OPT_R_CASES:
break;
case KEY_CERT:
- x = load_cert(keyfile, keyform, "Certificate");
+ x = load_cert(keyfile, FORMAT_UNDEF, "Certificate");
if (x) {
pkey = X509_get_pubkey(x);
X509_free(x);
OPT_SECTION("Keys and Signing"),
{"key", OPT_KEY, 's', "Private key to use"},
- {"keyform", OPT_KEYFORM, 'f', "Key file format"},
+ {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to send the key to"},
{"passin", OPT_PASSIN, 's', "Private key password source"},
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
- {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inkey", OPT_INKEY, 's', "Input key"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{"pubin", OPT_PUBIN, '-', "Input is an RSA public"},
{"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
{"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
ret = 0;
goto end;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
goto opthelp;
break;
case OPT_IN:
break;
case KEY_CERT:
- x = load_cert(keyfile, keyformat, "Certificate");
+ x = load_cert(keyfile, FORMAT_UNDEF, "Certificate");
if (x) {
pkey = X509_get_pubkey(x);
X509_free(x);
OPT_SECTION("Identity"),
{"cert", OPT_CERT, '<', "Client certificate file to use"},
{"certform", OPT_CERTFORM, 'F',
- "Client certificate file format (PEM or DER) PEM default"},
+ "Client certificate file format (PEM/DER/P12); has no effect"},
{"cert_chain", OPT_CERT_CHAIN, '<',
"Client certificate chain file (in PEM format)"},
{"build_chain", OPT_BUILD_CHAIN, '-', "Build client certificate chain"},
{"key", OPT_KEY, 's', "Private key file to use; default is: -cert file"},
- {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"},
+ {"keyform", OPT_KEYFORM, 'E', "Key format (ENGINE, other values ignored)"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
sess_in = opt_arg();
break;
case OPT_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &cert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &cert_format))
goto opthelp;
break;
case OPT_CRLFORM:
fallback_scsv = 1;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &key_format))
goto opthelp;
break;
case OPT_PASS:
OPENSSL_clear_free(cbuf, BUFSIZZ);
OPENSSL_clear_free(sbuf, BUFSIZZ);
OPENSSL_clear_free(mbuf, BUFSIZZ);
- if (proxypass != NULL)
- OPENSSL_clear_free(proxypass, strlen(proxypass));
+ clear_free(proxypass);
release_engine(e);
BIO_free(bio_c_out);
bio_c_out = NULL;
{"cert2", OPT_CERT2, '<',
"Certificate file to use for servername; default is" TEST_CERT2},
{"certform", OPT_CERTFORM, 'F',
- "Server certificate file format (PEM or DER) PEM default"},
+ "Server certificate file format (PEM/DER/P12); has no effect"},
{"cert_chain", OPT_CERT_CHAIN, '<',
"Server certificate chain file in PEM format"},
{"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"},
"Private key file to use; default is -cert file or else" TEST_CERT},
{"key2", OPT_KEY2, '<',
"-Private Key file to use for servername if not in -cert2"},
- {"keyform", OPT_KEYFORM, 'f',
- "Key format (PEM, DER or ENGINE) PEM default"},
+ {"keyform", OPT_KEYFORM, 'f', "Key format (ENGINE, other values ignored)"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"dcert", OPT_DCERT, '<',
"Second server certificate file to use (usually for DSA)"},
{"dcertform", OPT_DCERTFORM, 'F',
- "Second server certificate file format (PEM or DER) PEM default"},
+ "Second server certificate file format (PEM/DER/P12); has no effect"},
{"dcert_chain", OPT_DCERT_CHAIN, '<',
"second server certificate chain file in PEM format"},
{"dkey", OPT_DKEY, '<',
"Second private key file to use (usually for DSA)"},
{"dkeyform", OPT_DKEYFORM, 'F',
- "Second key file format (PEM, DER or ENGINE) PEM default"},
+ "Second key file format (ENGINE, other values ignored)"},
{"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
{"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
{"servername", OPT_SERVERNAME, 's',
s_serverinfo_file = opt_arg();
break;
case OPT_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_cert_format))
goto opthelp;
break;
case OPT_KEY:
s_key_file = opt_arg();
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format))
goto opthelp;
break;
case OPT_PASS:
#endif
break;
case OPT_DCERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_dcert_format))
goto opthelp;
break;
case OPT_DCERT:
s_dcert_file = opt_arg();
break;
case OPT_DKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_dkey_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_dkey_format))
goto opthelp;
break;
case OPT_DPASS:
"Output format SMIME (default), PEM or DER"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
- {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
if (encerts == NULL)
goto end;
while (*argv != NULL) {
- cert = load_cert(*argv, FORMAT_PEM,
+ cert = load_cert(*argv, FORMAT_UNDEF,
"recipient certificate file");
if (cert == NULL)
goto end;
}
if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
- if ((recip = load_cert(recipfile, FORMAT_PEM,
+ if ((recip = load_cert(recipfile, FORMAT_UNDEF,
"recipient certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
- signer = load_cert(signerfile, FORMAT_PEM,
+ signer = load_cert(signerfile, FORMAT_UNDEF,
"signer certificate");
if (signer == NULL)
goto end;
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"key", OPT_KEY, '<', "Create SPKAC using private key"},
- {"keyform", OPT_KEYFORM, 'f', "Private key file format - default PEM (PEM, DER, or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"challenge", OPT_CHALLENGE, 's', "Challenge string"},
{"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
STACK_OF(X509) *chain = NULL;
int num_untrusted;
- x = load_cert(file, FORMAT_PEM, "certificate file");
+ x = load_cert(file, FORMAT_UNDEF, "certificate file");
if (x == NULL)
goto end;
#endif
{"inform", OPT_INFORM, 'f',
- "Input format - default PEM (one of DER or PEM)"},
+ "CSR input format (DER or PEM) - default PEM"},
{"in", OPT_IN, '<', "Input file - default stdin"},
{"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
{"outform", OPT_OUTFORM, 'f',
- "Output format - default PEM (one of DER or PEM)"},
+ "Output format (DER or PEM) - default PEM"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
{"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
- {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
- {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"},
+ {"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
+ {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format (ENGINE, other values ignored)"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"CAcreateserial", OPT_CACREATESERIAL, '-',
"Create serial number file if it does not exist"},
ret = 0;
goto end;
case OPT_INFORM:
- if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
+ if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
goto opthelp;
break;
case OPT_IN:
goto opthelp;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
goto opthelp;
break;
case OPT_CAFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAformat))
goto opthelp;
break;
case OPT_CAKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
goto opthelp;
break;
case OPT_OUT:
if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
goto end;
} else {
- x = load_cert(infile, informat, "Certificate");
+ x = load_cert(infile, FORMAT_UNDEF, "Certificate");
if (x == NULL)
goto end;
if (fkey != NULL && !X509_set_pubkey(x, fkey))
{
int loader_ret;
+ if (ctx == NULL)
+ return 1;
OSSL_TRACE1(STORE, "Closing %p\n", (void *)ctx->loader_ctx);
loader_ret = ctx->loader->close(ctx->loader_ctx);
[B<-md> I<arg>]
[B<-policy> I<arg>]
[B<-keyfile> I<arg>]
-[B<-keyform> B<DER>|B<PEM>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-key> I<arg>]
[B<-passin> I<arg>]
[B<-cert> I<file>]
-[B<-certform> B<DER>|<PEM>]
+[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-selfsign>]
[B<-in> I<file>]
[B<-inform> B<DER>|<PEM>]
The CA certificate file.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>|B<P12>
The format of the data in certificate input files.
-The default is PEM.
+This option has no effect and is retained for backward compatibility only.
=item B<-keyfile> I<filename>
The private key to sign requests with.
-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format of the private key file; the default is B<PEM>.
+The format of the private key input file; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-sigopt> I<nm>:I<v>
The B<-section> option was added in OpenSSL 3.0.0.
+The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 SEE ALSO
L<openssl(1)>,
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-stream>]
[B<-indef>]
[B<-noindef>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
-[I<cert.pem> ...]
+[I<recipient-cert> ...]
=for openssl ifdef des-wrap engine
the default is B<SMIME>.
See L<openssl(1)/Format Options> for details.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the private key file; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
-the signers certificates. The certificates should be in PEM format.
+the signers certificates.
=item B<-certsout> I<file>
{- $OpenSSL::safe::opt_provider_item -}
-=item I<cert.pem> ...
+=item I<recipient-cert> ...
One or more certificates of message recipients: used when encrypting
a message.
The -no_alt_chains option was added in OpenSSL 1.0.2b.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-text>]
[B<-in> I<filename>]
[B<-out> I<filename>]
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-The input and output formats of the CRL; the default is B<PEM>.
+The CRL input format.
+This option has no effect and is retained for backward compatibility only.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The CRL output format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-key> I<filename>
The private key to be used to sign the CRL.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
-The format of the private key file; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
+The format of the private key file.
+This option has no effect and is retained for backward compatibility only.
=item B<-in> I<filename>
Output the text form of a DER encoded certificate:
- openssl crl -in crl.der -inform DER -text -noout
+ openssl crl -in crl.der -text -noout
=head1 BUGS
L<openssl-x509(1)>,
L<ossl_store-file(7)>
+=head1 HISTORY
+
+The B<-inform> and B<-keyform> options have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the key to sign with; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-sigopt> I<nm>:I<v>
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
The FIPS-related options were removed in OpenSSL 1.1.0.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
B<openssl> B<ec>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
+[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-passin> I<arg>]
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The input and formats; the default is B<PEM>.
+The key input format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The key output formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
Private keys are an SEC1 private key or PKCS#8 format.
=item B<-issuer> I<filename>
This specifies the current issuer certificate. This option can be used
-multiple times. The certificate specified in I<filename> must be in
-PEM format. This option B<MUST> come before any B<-cert> options.
+multiple times.
+This option B<MUST> come before any B<-cert> options.
=item B<-cert> I<filename>
B<openssl> B<pkey>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
+[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-passin> I<arg>]
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The input and formats; the default is B<PEM>.
+The key input format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The key output formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
[B<-out> I<file>]
[B<-sigfile> I<file>]
[B<-inkey> I<file>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-peerkey> I<file>]
-[B<-peerform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pubin>]
[B<-certin>]
[B<-rev>]
The input key file, by default it should be a private key.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-passin> I<arg>
The peer key file, used by key derivation (agreement) operations.
-=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The peer key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pubin>
L<EVP_PKEY_CTX_set_hkdf_md(3)>,
L<EVP_PKEY_CTX_set_tls1_prf_md(3)>,
+=head1 HISTORY
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
=head1 COPYRIGHT
[B<-pkeyopt> I<opt>:I<value>]
[B<-nodes>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-keyout> I<filename>]
[B<-keygen_engine> I<id>]
[B<-I<digest>>]
This specifies the file to read the private key from. It also
accepts PKCS#8 format private keys for PEM format files.
-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the private key; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-keyout> I<filename>
The B<-section> option was added in OpenSSL 3.0.0.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
B<openssl> B<rsa>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
+[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-passin> I<arg>]
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The input and formats; the default is B<PEM>.
+The key input format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The key output format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-inform> B<DER>|B<PEM>
[B<-rev>]
[B<-out> I<file>]
[B<-inkey> I<file>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pubin>]
[B<-certin>]
[B<-sign>]
The input key file, by default it should be an RSA private key.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pubin>
This command was deprecated in OpenSSL 3.0.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
[B<-verifyCApath> I<dir>]
[B<-verifyCAstore> I<uri>]
[B<-cert> I<filename>]
-[B<-certform> B<DER>|B<PEM>]
+[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-cert_chain> I<filename>]
[B<-build_chain>]
[B<-CRL> I<filename>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pass> I<arg>]
[B<-chainCAfile> I<filename>]
[B<-chainCApath> I<directory>]
The chain for the client certificate may be specified using B<-cert_chain>.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>|B<P12>
The client certificate file format to use; the default is B<PEM>.
-see L<openssl(1)/Format Options>.
+This option has no effect and is retained for backward compatibility only.
=item B<-cert_chain>
The client private key file to use.
If not specified then the certificate file will be used to read also the key.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<arg>
The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
The B<-name> option was added in OpenSSL 1.1.1.
+The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
[B<-Verify> I<int>]
[B<-cert> I<infile>]
[B<-cert2> I<infile>]
-[B<-certform> B<DER>|B<PEM>]
+[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-cert_chain> I<infile>]
[B<-build_chain>]
[B<-serverinfo> I<val>]
[B<-key> I<infile>]
[B<-key2> I<infile>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pass> I<val>]
[B<-dcert> I<infile>]
-[B<-dcertform> B<DER>|B<PEM>]
+[B<-dcertform> B<DER>|B<PEM>|B<P12>]
[B<-dcert_chain> I<infile>]
[B<-dkey> I<infile>]
-[B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-dpass> I<val>]
[B<-nbio_test>]
[B<-crlf>]
for example the DSS cipher suites require a certificate containing a DSS
(DSA) key. If not specified then the filename F<server.pem> will be used.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>|B<P12>
-The server certificate file format; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
+The server certificate file format.
+This option has no effect and is retained for backward compatibility only.
=item B<-cert_chain>
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<val>
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
-=item B<-dcertform> B<DER>|B<PEM>
+=item B<-dcertform> B<DER>|B<PEM>|B<P12>
-The format of the additional certificate file; the default is B<PEM>.
-See L<openssl(1)/Format Options>.
+The format of the additional certificate file.
+This option has no effect and is retained for backward compatibility only.
-=item B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the additional private key; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options>.
=item B<-dpass> I<val>
The
-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
+All B<-keyform> and B<-dkeyform> values except B<ENGINE>
+have become obsolete in OpenSSL 3.0.0 and have no effect.
+
+The B<-certform> and B<-dcertform> options have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
[B<-recip> I< file>]
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-inkey> I<file_or_id>]
[B<-out> I<file>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
-I<cert.pem> ...
+I<recipcert> ...
=for openssl ifdef engine
the default is B<SMIME>.
See L<openssl(1)/Format Options> for details.
-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-stream>, B<-indef>, B<-noindef>
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
-the signers certificates. The certificates should be in PEM format.
+the signers certificates.
=item B<-signer> I<file>
{- $OpenSSL::safe::opt_provider_item -}
-=item I<cert.pem> ...
+=item I<recipcert> ...
One or more certificates of message recipients, used when encrypting
a message.
The -no_alt_chains option was added in OpenSSL 1.1.0.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-key> I<keyfile>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-challenge> I<string>]
[B<-pubkey>]
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-passin> I<arg>
L<openssl(1)>,
L<openssl-ca(1)>
+=head1 HISTORY
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
One or more certificates to verify. If no certificates are given,
this command will attempt to read a certificate from standard input.
-Certificates must be in PEM format.
If a certificate chain has multiple problems, this program tries to
display all of them.
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
-[B<-CAform> B<DER>|B<PEM>]
-[B<-CAkeyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-CAform> B<DER>|B<PEM>|B<P12>]
+[B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-serial>]
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-The
input and formats; the default is B<PEM>.
+The
CSR input format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
-The input is normally an X.509 certificate, but this can change if other
-options such as B<-req> are used.
+The input is normally an X.509 certificate file of any format,
+but this can change if other options such as B<-req> are used.
+
+B<-outform> B<DER>|B<PEM>
+
+The output format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
=item B<-signkey> I<arg>
This option causes the input file to be self signed using the supplied
-private key or engine. The private key's format is specified with the
-B<-keyform> option.
+private key or engine.
It sets the issuer name to the subject name (i.e., makes it self-issued)
and changes the public key to the supplied value (unless overridden by
the B<-signkey> or the B<-CA> options). Normally all extensions are
retained.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
-=item B<-CAform> B<DER>|B<PEM>, B<-CAkeyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-CAform> B<DER>|B<PEM>|B<P12>,
+
+The format for the CA certificate.
+This option has no effect and is retained for backward compatibility.
-The format for the CA certificate and key; the default is B<PEM>.
+=item B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+
+The format for the CA key; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-days> I<arg>
It can also be used in conjunction with b<-new> and B<-subj> to directly
generate a certificate containing any desired public key.
-The format of the key file can be specified using the B<-keyform> option.
-
=item B<-subj> I<arg>
When a certificate is created set its subject name to the given value.
version of the DN using SHA1. This means that any directories using the old
form must have their links rebuilt using L<openssl-rehash(1)> or similar.
+All B<-keyform> and B<-CAkeyform> values except B<ENGINE>
+have become obsolete in OpenSSL 3.0.0 and have no effect.
+
+The B<-CAform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
=head2 Format Options
Several OpenSSL commands can take input or generate output in a variety
-of formats. The list of acceptable formats, and the default, is
+of formats.
+Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
+files in any of the B<DER>, B<PEM>, or B<P12> formats,
+while specifying their input format is no more needed.
+
+The list of acceptable formats, and the default, is
described in each command documentation. The list of formats is
described below. Both uppercase and lowercase are accepted.
=item B<-keyform> I<format>
Format of a private key input source.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
=item B<-CRLform> I<format>
=over 4
-=item B<-xchain_build>
-
-Specify whether the application should build the certificate chain to be
-provided to the server for the extra certificates via the B<-xkey>,
-B<-xcert>, and B<-xchain> options.
-
=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
Specify an extra certificate, private key and certificate chain. These behave
specified, the callback returning the first valid chain will be in use by the
client.
-=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
-
-The input format for the extra certificate and key, respectively.
-See L<openssl(1)/Format Options> for details.
-
=item B<-xchain_build>
Specify whether the application should build the certificate chain to be
provided to the server for the extra certificates via the B<-xkey>,
B<-xcert>, and B<-xchain> options.
-=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
+=item B<-xcertform> B<DER>|B<PEM>|B<P12>
-The input format for the extra certificate and key, respectively.
-See L<openssl(1)/Format Options> for details.
+The input format for the extra certificate.
+This option has no effect and is retained for backward compatibility only.
+
+=item B<-xkeyform> B<DER>|B<PEM>|B<P12>
+
+The input format for the extra key.
+This option has no effect and is retained for backward compatibility only.
=back
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.
+The B<-xcertform> and B<-xkeyform> options
+are obsolete since OpenSSL 3.0.0 and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
projects / oweals / openssl.git / commitdiff