{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
{"sign", OPT_SIGN, '-', "Sign message"},
{"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"},
- {"resign", OPT_RESIGN, '-'},
+ {"resign", OPT_RESIGN, '-', "Resign a signed message"},
{"verify", OPT_VERIFY, '-', "Verify signed message"},
{"verify_retcode", OPT_VERIFY_RETCODE, '-'},
{"verify_receipt", OPT_VERIFY_RECEIPT, '<'},
"Don't include signers certificate when signing"},
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
- {"nosmimecap", OPT_NOSMIMECAP, '-'},
+ {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
{"binary", OPT_BINARY, '-', "Don't translate message to text"},
{"keyid", OPT_KEYID, '-', "Use subject key identifier"},
{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
{"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'},
{"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'},
- {"stream", OPT_INDEF, '-'},
- {"indef", OPT_INDEF, '-'},
- {"noindef", OPT_NOINDEF, '-'},
+ {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
+ {"indef", OPT_INDEF, '-', "Same as -stream"},
+ {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
{"nooldmime", OPT_NOOLDMIME, '-'},
- {"crlfeol", OPT_CRLFEOL, '-'},
+ {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
{"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"},
- {"receipt_request_print", OPT_RR_PRINT, '-'},
+ {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
{"receipt_request_all", OPT_RR_ALL, '-'},
{"receipt_request_first", OPT_RR_FIRST, '-'},
- {"rctform", OPT_RCTFORM, 'F'},
+ {"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
{"certfile", OPT_CERTFILE, '<', "Other certificates file"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
"Do not load certificates from the default certificates directory"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
- {"print", OPT_PRINT, '-', "For the -cmsout operation print out all fields of the CMS structure"},
+ {"print", OPT_PRINT, '-',
+ "For the -cmsout operation print out all fields of the CMS structure"},
{"secretkey", OPT_SECRETKEY, 's'},
{"secretkeyid", OPT_SECRETKEYID, 's'},
{"pwri_password", OPT_PWRI_PASSWORD, 's'},
{"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"},
{"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
{"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
- {"gendelta", OPT_GENDELTA, '<'},
+ {"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"},
{"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
{"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
{"no-CAfile", OPT_NOCAFILE, '-',
{OPT_HELP_STR, 1, '-', "Valid options are:\n"},
{"help", OPT_HELP, '-', "Display this summary"},
{"out", OPT_OUT, '>', "Output the key to the specified file"},
- {"passout", OPT_PASSOUT, 's'},
+ {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"rand", OPT_RAND, 's',
"Load the file(s) into the random number generator"},
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
{"url", OPT_URL, 's', "Responder URL"},
{"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
{"port", OPT_PORT, 'p', "Port to run responder on"},
- {"ignore_err", OPT_IGNORE_ERR, '-'},
+ {"ignore_err", OPT_IGNORE_ERR, '-',
+ "Ignore Error response from OCSP responder, and retry "},
{"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
{"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
{"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
{"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
{"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
"Don't do additional checks on signing certificate"},
- {"no_explicit", OPT_NO_EXPLICIT, '-'},
+ {"no_explicit", OPT_NO_EXPLICIT, '-',
+ "Do not explicitly check the chain, just verify the root"},
{"trust_other", OPT_TRUST_OTHER, '-',
"Don't verify additional certificates"},
{"no_intern", OPT_NO_INTERN, '-',
{"out", OPT_OUT, '>', "Output file"},
{"noout", OPT_NOOUT, '-', "Don't output encoded data"},
{"text", OPT_TEXT, '-', "Print full details of certificates"},
- {"print", OPT_PRINT, '-'},
+ {"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"},
{"print_certs", OPT_PRINT_CERTS, '-',
"Print_certs print any certs or crl in the input"},
#ifndef OPENSSL_NO_ENGINE
{"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
{"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
{"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
- {"v2prf", OPT_V2PRF, 's'},
+ {"v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0"},
{"iter", OPT_ITER, 'p', "Specify the iteration count"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
- {"resign", OPT_RESIGN, '-'},
- {"nochain", OPT_NOCHAIN, '-'},
- {"nosmimecap", OPT_NOSMIMECAP, '-'},
- {"stream", OPT_STREAM, '-'},
- {"indef", OPT_INDEF, '-'},
- {"noindef", OPT_NOINDEF, '-'},
- {"nooldmime", OPT_NOOLDMIME, '-'},
- {"crlfeol", OPT_CRLFEOL, '-'},
+ {"resign", OPT_RESIGN, '-', "Resign a signed message"},
+ {"nochain", OPT_NOCHAIN, '-',
+ "set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
+ {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
+ {"stream", OPT_STREAM, '-', "Enable CMS streaming" },
+ {"indef", OPT_INDEF, '-', "Same as -stream" },
+ {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
+ {"nooldmime", OPT_NOOLDMIME, '-', NULL},
+ {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"},
{"rand", OPT_RAND, 's',
"Load the file(s) into the random number generator"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"noout", OPT_NOOUT, '-', "Don't print SPKAC"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"verify", OPT_VERIFY, '-', "Verify SPKAC signature"},
- {"spksect", OPT_SPKSECT, 's'},
+ {"spksect", OPT_SPKSECT, 's',
+ "Specify the name of an SPKAC-dedicated section of configuration"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
{"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"inkey", OPT_INKEY, '<', "File with private key for reply"},
- {"signer", OPT_SIGNER, 's'},
+ {"signer", OPT_SIGNER, 's', "Signer certificate file"},
{"chain", OPT_CHAIN, '<', "File with signer CA chain"},
{"verify", OPT_VERIFY, '-', "Verify a TS response"},
{"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
{"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"},
{"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"},
{"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"},
- {"clrext", OPT_CLREXT, '-', "Clear all rejected purposes"},
+ {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"},
{"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"},
{"addreject", OPT_ADDREJECT, 's',
"Reject certificate for a given purpose"},
{"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'F', "CA key format - default PEM"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
- {"force_pubkey", OPT_FORCE_PUBKEY, '<'},
- {"next_serial", OPT_NEXT_SERIAL, '-'},
- {"clrreject", OPT_CLRREJECT, '-'},
+ {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"},
+ {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"},
+ {"clrreject", OPT_CLRREJECT, '-',
+ "Clears all the prohibited or rejected uses of the certificate"},
{"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"},
{"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_MD5
i2a_ASN1_INTEGER(out, X509_get_serialNumber(x));
BIO_printf(out, "\n");
} else if (next_serial == i) {
- BIGNUM *bnser;
- ASN1_INTEGER *ser;
- ser = X509_get_serialNumber(x);
- bnser = ASN1_INTEGER_to_BN(ser, NULL);
+ ASN1_INTEGER *ser = X509_get_serialNumber(x);
+ BIGNUM *bnser = ASN1_INTEGER_to_BN(ser, NULL);
+
if (!bnser)
goto end;
if (!BN_add_word(bnser, 1))