From: Rich Salz Date: Thu, 10 Oct 2019 01:48:33 +0000 (-0400) Subject: Document the -inform, etc., in openssl.pod X-Git-Tag: openssl-3.0.0-alpha1~1088 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=777182a0c77ee374e43b94546f49b25f37945c0e;p=oweals%2Fopenssl.git Document the -inform, etc., in openssl.pod Add P12 format description. Remove PEM NOTES sections; it's in openssl.pod Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/10142) --- diff --git a/doc/man1/openssl-asn1parse.pod b/doc/man1/openssl-asn1parse.pod index 5e755596c2..698ce47897 100644 --- a/doc/man1/openssl-asn1parse.pod +++ b/doc/man1/openssl-asn1parse.pod @@ -39,8 +39,8 @@ Print out a usage message. =item B<-inform> B|B -The input format. B is binary format and B (the default) is base64 -encoded. +The input format; the default is B. +See L for details. =item B<-in> I diff --git a/doc/man1/openssl-ca.pod b/doc/man1/openssl-ca.pod index 5ff5fd954c..e3d6c7b17c 100644 --- a/doc/man1/openssl-ca.pod +++ b/doc/man1/openssl-ca.pod @@ -135,8 +135,8 @@ The private key to sign requests with. =item B<-keyform> B|B -The format of the data in the private key file. -The default is PEM. +The format of the private key file; the default is B. +See L for details. =item B<-sigopt> I:I diff --git a/doc/man1/openssl-cms.pod b/doc/man1/openssl-cms.pod index 54620fef32..ff601cc548 100644 --- a/doc/man1/openssl-cms.pod +++ b/doc/man1/openssl-cms.pod @@ -25,10 +25,11 @@ B B [B<-sign_receipt>] [B<-verify_receipt> I] [B<-in> I] -[B<-inform> B|B|B] -[B<-rctform> B|B|B] [B<-out> I] +[B<-inform> B|B|B] [B<-outform> B|B|B] +[B<-rctform> B|B|B] +[B<-keyform> B|B|B] [B<-stream>] [B<-indef>] [B<-noindef>] @@ -216,33 +217,33 @@ to the B<-verify> operation. The input message to be encrypted or signed or the message to be decrypted or verified. +=item B<-out> I + +The message text that has been decrypted or verified or the output MIME +format message that has been signed or verified. + =item B<-inform> B|B|B -This specifies the input format for the CMS structure. The default -is B which reads an S/MIME format message. B and B -format change this to expect PEM and DER format CMS structures -instead. This currently only affects the input format of the CMS -structure, if no CMS structure is being input (for example with -B<-encrypt> or B<-sign>) this option has no effect. +The input format of the CMS structure (if one is being read); +the default is B. +See L for details. -=item B<-rctform> B|B|B +=item B<-outform> B|B|B -Specify the format for a signed receipt for use with the B<-receipt_verify> -operation. +The output format of the CMS structure (if one is being written); +the default is B. +See L for details. -=item B<-out> I +=item B<-keyform> B|B|B -The message text that has been decrypted or verified or the output MIME -format message that has been signed or verified. +The format of the private key file; the default is B. +See L for details. -=item B<-outform> B|B|B +=item B<-rctform> B|B|B -This specifies the output format for the CMS structure. The default -is B which writes an S/MIME format message. B and B -format change this to write PEM and DER format CMS structures -instead. This currently only affects the output format of the CMS -structure, if no CMS structure is being output (for example with -B<-verify> or B<-decrypt>) this option has no effect. +The signed receipt format for use with the B<-receipt_verify>; the default +is B. +See L for details. =item B<-stream>, B<-indef>, B<-noindef> diff --git a/doc/man1/openssl-crl.pod b/doc/man1/openssl-crl.pod index 9e5f6ca7c0..911af026bb 100644 --- a/doc/man1/openssl-crl.pod +++ b/doc/man1/openssl-crl.pod @@ -10,6 +10,7 @@ B B [B<-help>] [B<-inform> B|B] [B<-outform> B|B] +[B<-keyform> B|B|B] [B<-text>] [B<-in> I] [B<-out> I] @@ -38,16 +39,15 @@ This command processes CRL files in DER or PEM format. Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format. B format is DER encoded CRL -structure. B (the default) is a base64 encoded version of -the DER form with header and footer lines. +The input and output formats of the CRL; the default is B. +See L for details. -=item B<-outform> B|B +=item B<-keyform> B|B|B -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +The format of the private key file; the default is B. +See L for details. =item B<-in> I @@ -100,13 +100,6 @@ See L for more information. =back -=head1 NOTES - -The PEM CRL format uses the header and footer lines: - - -----BEGIN X509 CRL----- - -----END X509 CRL----- - =head1 EXAMPLES Convert a CRL file from PEM to DER: diff --git a/doc/man1/openssl-crl2pkcs7.pod b/doc/man1/openssl-crl2pkcs7.pod index 8b0f33bbd1..70662d4e0f 100644 --- a/doc/man1/openssl-crl2pkcs7.pod +++ b/doc/man1/openssl-crl2pkcs7.pod @@ -31,15 +31,13 @@ Print out a usage message. =item B<-inform> B|B -This specifies the CRL input format. B format is DER encoded CRL -structure.B (the default) is a base64 encoded version of -the DER form with header and footer lines. The default format is PEM. +The input format of the CRL; the default is B. +See L for details. =item B<-outform> B|B -This specifies the PKCS#7 structure output format. B format is DER -encoded PKCS#7 structure.B (the default) is a base64 encoded version of -the DER form with header and footer lines. The default format is PEM. +The output format of the PKCS#7 object; the default is B. +See L for details. =item B<-in> I diff --git a/doc/man1/openssl-dgst.pod b/doc/man1/openssl-dgst.pod index e165be94f3..7ea47480bc 100644 --- a/doc/man1/openssl-dgst.pod +++ b/doc/man1/openssl-dgst.pod @@ -17,7 +17,7 @@ B B|I [B<-r>] [B<-out> I] [B<-sign> I] -[B<-keyform> I] +[B<-keyform> B|B|B|B] [B<-passin> I] [B<-verify> I] [B<-prverify> I] @@ -94,10 +94,10 @@ Digitally sign the digest using the private key in "filename". Note this option does not support Ed25519 or Ed448 private keys. Use the L command instead for this. -=item B<-keyform> I +=item B<-keyform> B|B|B|B -Specifies the key format to sign digest with. The DER, PEM, P12, -and ENGINE formats are supported. +The format of the key to sign with; the default is B. +See L for details. =item B<-sigopt> I:I diff --git a/doc/man1/openssl-dhparam.pod b/doc/man1/openssl-dhparam.pod index a28d1b81f8..cbd52b00fb 100644 --- a/doc/man1/openssl-dhparam.pod +++ b/doc/man1/openssl-dhparam.pod @@ -39,17 +39,11 @@ This command is used to manipulate DH parameter files. Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format. The B option uses an ASN1 DER encoded -form compatible with the PKCS#3 DHparameter structure. The PEM form is the -default format: it consists of the B format base64 encoded with -additional header and footer lines. - -=item B<-outform> B|B - -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +The input format and output format; the default is B. +The object is compatible with the PKCS#3 B structure. +See L for details. =item B<-in> I @@ -130,11 +124,6 @@ may have different purposes in future versions of OpenSSL. =head1 NOTES -PEM format DH parameters use the header and footer lines: - - -----BEGIN DH PARAMETERS----- - -----END DH PARAMETERS----- - OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 DH. diff --git a/doc/man1/openssl-dsa.pod b/doc/man1/openssl-dsa.pod index ef219adaed..8c7b03781e 100644 --- a/doc/man1/openssl-dsa.pod +++ b/doc/man1/openssl-dsa.pod @@ -50,22 +50,16 @@ applications should use the more secure PKCS#8 format using the B Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format. The B option with a private key uses -an ASN1 DER encoded form of an ASN.1 SEQUENCE consisting of the values of -version (currently zero), p, q, g, the public and private key components -respectively as ASN.1 INTEGERs. When used with a public key it uses a -SubjectPublicKeyInfo structure: it is an error if the key is not DSA. +The input and formats; the default is B. +See L for details. -The B form is the default format: it consists of the B format base64 -encoded with additional header and footer lines. In the case of a private key -PKCS#8 format is also accepted. +Private keys are a sequence of B: the version (zero), B

, +B, B, and the public and and private key components. Public keys +are a B structure with the B type. -=item B<-outform> B|B - -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +The B format also accepts PKCS#8 data. =item B<-in> I @@ -128,18 +122,6 @@ for all available algorithms. =back -=head1 NOTES - -The PEM private key format uses the header and footer lines: - - -----BEGIN DSA PRIVATE KEY----- - -----END DSA PRIVATE KEY----- - -The PEM public key format uses the header and footer lines: - - -----BEGIN PUBLIC KEY----- - -----END PUBLIC KEY----- - =head1 EXAMPLES To remove the pass phrase on a DSA private key: diff --git a/doc/man1/openssl-dsaparam.pod b/doc/man1/openssl-dsaparam.pod index 5c145ef1fb..0c85ca0d1d 100644 --- a/doc/man1/openssl-dsaparam.pod +++ b/doc/man1/openssl-dsaparam.pod @@ -26,6 +26,9 @@ B This command is used to manipulate or generate DSA parameter files. +DSA parameter generation can be a slow process and as a result the same set of +DSA parameters is often used to generate several distinct keys. + =head1 OPTIONS =over 4 @@ -34,17 +37,13 @@ This command is used to manipulate or generate DSA parameter files. Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format. The B option uses an ASN1 DER encoded -form compatible with RFC2459 (PKIX) DSS-Parms that is a SEQUENCE consisting -of p, q and g respectively. The PEM form is the default format: it consists -of the B format base64 encoded with additional header and footer lines. +The input and formats; the default is B. +See L for details. -=item B<-outform> B|B - -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +Parameters are a sequence of Bs: B

, B, and B. +This is compatible with RFC 2459 B structure. =item B<-in> I @@ -99,16 +98,6 @@ the input file (if any) is ignored. =back -=head1 NOTES - -PEM format DSA parameters use the header and footer lines: - - -----BEGIN DSA PARAMETERS----- - -----END DSA PARAMETERS----- - -DSA parameter generation is a slow process and as a result the same set of -DSA parameters is often used to generate several distinct keys. - =head1 SEE ALSO L, diff --git a/doc/man1/openssl-ec.pod b/doc/man1/openssl-ec.pod index d0d54bcb0b..2646c126b5 100644 --- a/doc/man1/openssl-ec.pod +++ b/doc/man1/openssl-ec.pod @@ -46,19 +46,13 @@ PKCS#8 private key format use the L command. Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format. The B option with a private key uses -an ASN.1 DER encoded SEC1 private key. When used with a public key it -uses the SubjectPublicKeyInfo structure as specified in RFC 3280. -The B form is the default format: it consists of the B format base64 -encoded with additional header and footer lines. In the case of a private key -PKCS#8 format is also accepted. +The input and formats; the default is B. +See L for details. -=item B<-outform> B|B - -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +Private keys are an SEC1 private key or PKCS#8 format. +Public keys are a B as specified in IETF RFC 3280. =item B<-in> I @@ -146,18 +140,6 @@ for all available algorithms. =back -=head1 NOTES - -The PEM private key format uses the header and footer lines: - - -----BEGIN EC PRIVATE KEY----- - -----END EC PRIVATE KEY----- - -The PEM public key format uses the header and footer lines: - - -----BEGIN PUBLIC KEY----- - -----END PUBLIC KEY----- - =head1 EXAMPLES To encrypt a private key using triple DES: diff --git a/doc/man1/openssl-ecparam.pod b/doc/man1/openssl-ecparam.pod index 09c6927320..c761980953 100644 --- a/doc/man1/openssl-ecparam.pod +++ b/doc/man1/openssl-ecparam.pod @@ -33,6 +33,9 @@ B This command is used to manipulate or generate EC parameter files. +OpenSSL is currently not able to generate new groups and therefore +this command can only create EC parameters from known (named) curves. + =head1 OPTIONS =over 4 @@ -41,17 +44,12 @@ This command is used to manipulate or generate EC parameter files. Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format. The B option uses an ASN.1 DER encoded -form compatible with RFC 3279 EcpkParameters. The PEM form is the default -format: it consists of the B format base64 encoded with additional -header and footer lines. +The input and formats; the default is B. +See L for details. -=item B<-outform> B|B - -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +Parameters are encoded as B as specified in IETF RFC 3279. =item B<-in> I @@ -137,16 +135,6 @@ for all available algorithms. =back -=head1 NOTES - -PEM format EC parameters use the header and footer lines: - - -----BEGIN EC PARAMETERS----- - -----END EC PARAMETERS----- - -OpenSSL is currently not able to generate new groups and therefore -B can only create EC parameters from known (named) curves. - =head1 EXAMPLES To create EC parameters with the group 'prime192v1': diff --git a/doc/man1/openssl-genpkey.pod b/doc/man1/openssl-genpkey.pod index 3c2ff77f73..69c642cdf7 100644 --- a/doc/man1/openssl-genpkey.pod +++ b/doc/man1/openssl-genpkey.pod @@ -40,7 +40,8 @@ standard output is used. =item B<-outform> B|B -This specifies the output format DER or PEM. The default format is PEM. +The output format; the default is B. +See L for details. =item B<-pass> I diff --git a/doc/man1/openssl-nseq.pod b/doc/man1/openssl-nseq.pod index 6a5f266987..5404e1f340 100644 --- a/doc/man1/openssl-nseq.pod +++ b/doc/man1/openssl-nseq.pod @@ -19,6 +19,11 @@ sequence and prints out the certificates contained in it or takes a file of certificates and converts it into a Netscape certificate sequence. +A Netscape certificate sequence is an old Netscape-specific format that +can be sometimes be sent to browsers as an alternative to the standard PKCS#7 +format when several certificates are sent to the browser, for example during +certificate enrollment. It was also used by Netscape certificate server. + =head1 OPTIONS =over 4 @@ -55,23 +60,6 @@ Create a Netscape certificate sequence openssl nseq -in certs.pem -toseq -out nseq.pem -=head1 NOTES - -The B encoded form uses the same headers and footers as a certificate: - - -----BEGIN CERTIFICATE----- - -----END CERTIFICATE----- - -A Netscape certificate sequence is a Netscape specific format that can be sent -to browsers as an alternative to the standard PKCS#7 format when several -certificates are sent to the browser: for example during certificate enrollment. -It is used by Netscape certificate server for example. - -=head1 BUGS - -This program needs a few more options: like allowing DER or PEM input and -output files and allowing multiple certificate files to be used. - =head1 COPYRIGHT Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-pkcs7.pod b/doc/man1/openssl-pkcs7.pod index b11973f206..adfe54ec0e 100644 --- a/doc/man1/openssl-pkcs7.pod +++ b/doc/man1/openssl-pkcs7.pod @@ -21,7 +21,11 @@ B B =head1 DESCRIPTION -This command processes PKCS#7 files in DER or PEM format. +This command processes PKCS#7 files. Note that it only understands PKCS#7 +v 1.5 as specified in IETF RFC 2315. It cannot currently parse CMS as +described in IETF RFC 2630. + +There is no option to print out all the fields of a PKCS#7 file. =head1 OPTIONS @@ -31,16 +35,12 @@ This command processes PKCS#7 files in DER or PEM format. Print out a usage message. -=item B<-inform> B|B - -This specifies the input format. B format is DER encoded PKCS#7 -v1.5 structure.B (the default) is a base64 encoded version of -the DER form with header and footer lines. +=item B<-inform> B|B, B<-outform> B|B -=item B<-outform> B|B +The input and formats; the default is B. +See L for details. -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +The data is a PKCS#7 Version 1.5 structure. =item B<-in> I @@ -86,25 +86,6 @@ Output all certificates in a file: openssl pkcs7 -in file.pem -print_certs -out certs.pem -=head1 NOTES - -The PEM PKCS#7 format uses the header and footer lines: - - -----BEGIN PKCS7----- - -----END PKCS7----- - -For compatibility with some CAs it will also accept: - - -----BEGIN CERTIFICATE----- - -----END CERTIFICATE----- - -=head1 RESTRICTIONS - -There is no option to print out all the fields of a PKCS#7 file. - -This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they -cannot currently parse, for example, the new CMS as described in RFC2630. - =head1 SEE ALSO L, diff --git a/doc/man1/openssl-pkcs8.pod b/doc/man1/openssl-pkcs8.pod index e3d779a165..f923c986a0 100644 --- a/doc/man1/openssl-pkcs8.pod +++ b/doc/man1/openssl-pkcs8.pod @@ -52,15 +52,27 @@ Normally a PKCS#8 private key is expected on input and a private key will be written to the output file. With the B<-topk8> option the situation is reversed: it reads a private key and writes a PKCS#8 format key. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format: see L for more details. The default -format is PEM. +The input and formats; the default is B. +See L for details. -=item B<-outform> B|B +If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is +not used) then the input file must be in PKCS#8 format. An encrypted +key is expected unless B<-nocrypt> is included. + +If B<-topk8> is not used and B mode is set the output file will be an +unencrypted private key in PKCS#8 format. If the B<-traditional> option is +used then a traditional format private key is written instead. + +If B<-topk8> is not used and B mode is set the output file will be an +unencrypted private key in traditional DER format. + +If B<-topk8> is used then any supported private key can be used for the input +file in a format specified by B<-inform>. The output file will be encrypted +PKCS#8 format using the specified encryption parameters unless B<-nocrypt> +is included. -This specifies the output format: see L for more details. The default -format is PEM. =item B<-traditional> @@ -148,27 +160,6 @@ Sets the scrypt I, I or I

parameters. =back -=head1 KEY FORMATS - -Various different formats are used by this command. These are detailed -below. - -If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is -not used) then the input file must be in PKCS#8 format. An encrypted -key is expected unless B<-nocrypt> is included. - -If B<-topk8> is not used and B mode is set the output file will be an -unencrypted private key in PKCS#8 format. If the B<-traditional> option is -used then a traditional format private key is written instead. - -If B<-topk8> is not used and B mode is set the output file will be an -unencrypted private key in traditional DER format. - -If B<-topk8> is used then any supported private key can be used for the input -file in a format specified by B<-inform>. The output file will be encrypted -PKCS#8 format using the specified encryption parameters unless B<-nocrypt> -is included. - =head1 NOTES By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit @@ -178,17 +169,6 @@ Some older implementations do not support PKCS#5 v2.0 format and require the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak encryption algorithms such as 56 bit DES. -The encrypted form of a PEM encode PKCS#8 files uses the following -headers and footers: - - -----BEGIN ENCRYPTED PRIVATE KEY----- - -----END ENCRYPTED PRIVATE KEY----- - -The unencrypted form uses: - - -----BEGIN PRIVATE KEY----- - -----END PRIVATE KEY----- - Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts are more secure that those encrypted using the traditional SSLeay compatible formats. So if additional security is considered diff --git a/doc/man1/openssl-pkey.pod b/doc/man1/openssl-pkey.pod index 0290ee2662..b1aa4af454 100644 --- a/doc/man1/openssl-pkey.pod +++ b/doc/man1/openssl-pkey.pod @@ -40,14 +40,10 @@ converted between various forms and their components printed out. Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format DER or PEM. The default format is PEM. - -=item B<-outform> B|B - -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +The input and formats; the default is B. +See L for details. =item B<-in> I diff --git a/doc/man1/openssl-pkeyutl.pod b/doc/man1/openssl-pkeyutl.pod index 58c90436b8..13519399fa 100644 --- a/doc/man1/openssl-pkeyutl.pod +++ b/doc/man1/openssl-pkeyutl.pod @@ -90,7 +90,8 @@ The input key file, by default it should be a private key. =item B<-keyform> B|B|B -The key format PEM, DER or ENGINE. Default is PEM. +The key format; the default is B. +See L for details. =item B<-passin> I @@ -103,7 +104,8 @@ The peer key file, used by key derivation (agreement) operations. =item B<-peerform> B|B|B -The peer key format B, B or B. Default is B. +The peer key format; the default is B. +See L for details. =item B<-pubin> diff --git a/doc/man1/openssl-req.pod b/doc/man1/openssl-req.pod index b84a4c92ab..f976b7948e 100644 --- a/doc/man1/openssl-req.pod +++ b/doc/man1/openssl-req.pod @@ -67,17 +67,12 @@ for use as root CAs for example. Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format. The B option uses an ASN1 DER encoded -form compatible with the PKCS#10. The B form is the default format: it -consists of the B format base64 encoded with additional header and -footer lines. +The input and formats; the default is B. +See L for details. -=item B<-outform> B|B - -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +The data is a PKCS#10 object. =item B<-in> I @@ -182,8 +177,8 @@ accepts PKCS#8 format private keys for PEM format files. =item B<-keyform> B|B -The format of the private key file specified in the B<-key> -argument. PEM is the default. +The format of the private key; the default is B. +See L for details. =item B<-keyout> I @@ -628,23 +623,10 @@ on the command line: =head1 NOTES -The header and footer lines in the B format are normally: - - -----BEGIN CERTIFICATE REQUEST----- - -----END CERTIFICATE REQUEST----- - -some software (some versions of Netscape certificate server) instead needs: - - -----BEGIN NEW CERTIFICATE REQUEST----- - -----END NEW CERTIFICATE REQUEST----- - -which is produced with the B<-newhdr> option but is otherwise compatible. -Either form is accepted transparently on input. - The certificate requests generated by B with MSIE have extensions added. It includes the B extension which determines the type of key (signature only or general purpose) and any additional OIDs entered -by the script in an extendedKeyUsage extension. +by the script in an B extension. =head1 DIAGNOSTICS diff --git a/doc/man1/openssl-rsa.pod b/doc/man1/openssl-rsa.pod index ed6505c138..9e1be94a26 100644 --- a/doc/man1/openssl-rsa.pod +++ b/doc/man1/openssl-rsa.pod @@ -54,18 +54,16 @@ L command. Print out a usage message. -=item B<-inform> B|B -This specifies the input format. The B option uses an ASN1 DER encoded -form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. -The B form is the default format: it consists of the B format base64 -encoded with additional header and footer lines. On input PKCS#8 format private -keys are also accepted. +=item B<-inform> B|B, B<-outform> B|B + +The input and formats; the default is B. +See L for details. -=item B<-outform> B|B +=item B<-inform> B|B -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +The data is a PKCS#1 B or B object. +On input, PKCS#8 format private keys are also accepted. =item B<-in> I @@ -137,23 +135,6 @@ for all available algorithms. =back -=head1 NOTES - -The PEM private key format uses the header and footer lines: - - -----BEGIN RSA PRIVATE KEY----- - -----END RSA PRIVATE KEY----- - -The PEM public key format uses the header and footer lines: - - -----BEGIN PUBLIC KEY----- - -----END PUBLIC KEY----- - -The PEM B format uses the header and footer lines: - - -----BEGIN RSA PUBLIC KEY----- - -----END RSA PUBLIC KEY----- - =head1 EXAMPLES To remove the pass phrase on an RSA private key: diff --git a/doc/man1/openssl-rsautl.pod b/doc/man1/openssl-rsautl.pod index 0b5fc73830..cc85cc4b21 100644 --- a/doc/man1/openssl-rsautl.pod +++ b/doc/man1/openssl-rsautl.pod @@ -57,7 +57,8 @@ The input key file, by default it should be an RSA private key. =item B<-keyform> B|B|B -The key format PEM, DER or ENGINE. +The key format; the default is B. +See L for details. =item B<-pubin> diff --git a/doc/man1/openssl-s_client.pod b/doc/man1/openssl-s_client.pod index 0bb8781947..2dc64f578f 100644 --- a/doc/man1/openssl-s_client.pod +++ b/doc/man1/openssl-s_client.pod @@ -22,6 +22,7 @@ B B [B<-verify_return_error>] [B<-cert> I] [B<-certform> B|B] +[B<-CRLform> B|B] [B<-key> I] [B<-keyform> B|B] [B<-cert_chain> I] @@ -244,6 +245,11 @@ not to use a certificate. The certificate format to use: DER or PEM. PEM is the default. +=item B<-CRLform> B|B + +The CRL format; the default is B. +See L for details. + =item B<-key> I The private key to use. If not specified then the certificate file will @@ -251,7 +257,8 @@ be used. =item B<-keyform> I -The private format to use: DER or PEM. PEM is the default. +The key format; the default is B. +See L for details. =item B<-cert_chain> @@ -280,6 +287,7 @@ B<-xcert> I, B<-xchain> options. =item B<-xcertform> B|B, B<-xkeyform> B|B Extra certificate and private key format respectively. +See L for details. =item B<-pass> I diff --git a/doc/man1/openssl-s_server.pod b/doc/man1/openssl-s_server.pod index 5cbfeb0f5e..be70cfcff5 100644 --- a/doc/man1/openssl-s_server.pod +++ b/doc/man1/openssl-s_server.pod @@ -23,7 +23,7 @@ B B [B<-serverinfo> I] [B<-certform> B|B] [B<-key> I] -[B<-keyform> I] +[B<-keyform> B|B] [B<-pass> I] [B<-dcert> I] [B<-dcertform> B|B] @@ -64,7 +64,6 @@ B B [B<-verifyCApath> I

] [B<-no_cache>] [B<-ext_cache>] -[B<-CRLform> B|B] [B<-verify_return_error>] [B<-verify_quiet>] [B<-build_chain>] @@ -151,6 +150,7 @@ B B [B<-xcert>] [B<-xchain>] [B<-xchain_build>] +[B<-CRLform> B|B] [B<-xcertform> B|B] [B<-xkeyform> B|B] [B<-nbio>] @@ -290,22 +290,25 @@ followed by "length" bytes of extension data). If the client sends an empty TLS ClientHello extension matching the type, the corresponding ServerHello extension will be returned. -=item B<-certform> B|B +=item B<-certform> B|B, B<-CRLForm> B|B -The certificate format to use: DER or PEM. PEM is the default. +The certificate and CRL format; the default is PEM. +See L for details. =item B<-key> I The private key to use. If not specified then the certificate file will be used. -=item B<-keyform> I +=item B<-keyform> B|B] -The private format to use: DER or PEM. PEM is the default. +The key format; the default is B. +See L for details. =item B<-pass> I -The private key password source. For more information about the format of B +The private key password source. +For more information about the format of I, see L. =item B<-dcert> I, B<-dkey> I @@ -325,9 +328,16 @@ A file containing trusted certificates to use when attempting to build the server certificate chain when a certificate specified via the B<-dcert> option is in use. -=item B<-dcertform> B|B, B<-dkeyform> B|B, B<-dpass> I +=item B<-dcertform> B|B, B<-dkeyform> B|B + +The format of the certificate and private key; the default is B +see L. -Additional certificate and private key format and passphrase respectively. +=item B<-dpass> I + +The passphrase for the additional private key. +For more information about the format of I, +see L. =item B<-xkey> I, B<-xcert> I, B<-xchain> @@ -344,7 +354,9 @@ B<-xcert> I, B<-xchain> options. =item B<-xcertform> B|B, B<-xkeyform> B|B -Extra certificate and private key format respectively. +The format for the extra certificate and private key, respectively; +the default format is B. +see L. =item B<-nbio_test> diff --git a/doc/man1/openssl-sess_id.pod b/doc/man1/openssl-sess_id.pod index 9e0b74f512..9bd31a351e 100644 --- a/doc/man1/openssl-sess_id.pod +++ b/doc/man1/openssl-sess_id.pod @@ -24,6 +24,9 @@ the SSL session master key) in human readable format. Since this is a diagnostic tool that needs some knowledge of the SSL protocol to use properly, most users will not need to use it. +The precise format of the data can vary across OpenSSL versions and +is not documented. + =head1 OPTIONS =over 4 @@ -32,18 +35,13 @@ properly, most users will not need to use it. Print out a usage message. -=item B<-inform> B|B - -This specifies the input format. The B option uses an ASN1 DER encoded -format containing session details. The precise format can vary from one version -to the next. The B form is the default format: it consists of the B -format base64 encoded with additional header and footer lines. +=item B<-inform> B|B, B<-outform> B|B|B -=item B<-outform> B|B|B +The input and output formats; the default is PEM. +See L for details. -This specifies the output format. The B and B options have the same -meaning and default as the B<-inform> option. The B option outputs the -session id and the master key in NSS keylog format. +For B output, the session ID and master key are reported in NSS "keylog" +format. =item B<-in> I @@ -134,11 +132,6 @@ This is the return code when an SSL client certificate is verified. =head1 NOTES -The PEM encoded session format uses the header and footer lines: - - -----BEGIN SSL SESSION PARAMETERS----- - -----END SSL SESSION PARAMETERS----- - Since the SSL session output contains the master key it is possible to read the contents of an encrypted session using this information. Therefore appropriate security precautions should be taken if diff --git a/doc/man1/openssl-smime.pod b/doc/man1/openssl-smime.pod index ac377160a3..935a89b678 100644 --- a/doc/man1/openssl-smime.pod +++ b/doc/man1/openssl-smime.pod @@ -53,10 +53,11 @@ B B [B<-signer> I] [B<-recip> I< file>] [B<-inform> B|B|B] +[B<-outform> B|B|B] +[B<-keyform> B|B|B] [B<-passin> I] [B<-inkey> I] [B<-out> I] -[B<-outform> B|B|B] [B<-content> I] [B<-to> I] [B<-from> I] @@ -126,28 +127,27 @@ Resign a message: take an existing message and one or more new signers. The input message to be encrypted or signed or the MIME message to be decrypted or verified. -=item B<-inform> B|B|B - -This specifies the input format for the PKCS#7 structure. The default -is B which reads an S/MIME format message. B and B -format change this to expect PEM and DER format PKCS#7 structures -instead. This currently only affects the input format of the PKCS#7 -structure, if no PKCS#7 structure is being input (for example with -B<-encrypt> or B<-sign>) this option has no effect. - =item B<-out> I The message text that has been decrypted or verified or the output MIME format message that has been signed or verified. +=item B<-inform> B|B|B + +The input format of the PKCS#7 (S/MIME) structure (if one is being read); +the default is B. +See L for details. + =item B<-outform> B|B|B -This specifies the output format for the PKCS#7 structure. The default -is B which write an S/MIME format message. B and B -format change this to write PEM and DER format PKCS#7 structures -instead. This currently only affects the output format of the PKCS#7 -structure, if no PKCS#7 structure is being output (for example with -B<-verify> or B<-decrypt>) this option has no effect. +The output format of the PKCS#7 (S/MIME) structure (if one is being written); +the default is B. +See L for details. + +=item B<-keyform> B|B + +The key format; the default is B. +See L for details. =item B<-stream>, B<-indef>, B<-noindef> diff --git a/doc/man1/openssl-spkac.pod b/doc/man1/openssl-spkac.pod index 8de83444c7..a36d5364d9 100644 --- a/doc/man1/openssl-spkac.pod +++ b/doc/man1/openssl-spkac.pod @@ -55,8 +55,8 @@ present. =item B<-keyform> B|B|B -Whether the key format is PEM, DER, or an engine-backed key. -The default is PEM. +The key format; the default is B. +See L for details. =item B<-passin> I diff --git a/doc/man1/openssl-x509.pod b/doc/man1/openssl-x509.pod index 4e13d2d881..d843ff3975 100644 --- a/doc/man1/openssl-x509.pod +++ b/doc/man1/openssl-x509.pod @@ -90,18 +90,13 @@ various sections. Print out a usage message. -=item B<-inform> B|B +=item B<-inform> B|B, B<-outform> B|B -This specifies the input format normally the command will expect an X509 -certificate but this can change if other options such as B<-req> are -present. The DER format is the DER encoding of the certificate and PEM -is the base64 encoding of the DER encoding with header and footer lines -added. The default format is PEM. +The input and formats; the default is B. +See L for details. -=item B<-outform> B|B - -This specifies the output format, the options have the same meaning and default -as the B<-inform> option. +The input is normally an X.509 certificate, but this can change if other +options such as B<-req> are used. =item B<-in> I @@ -376,8 +371,13 @@ retained. =item B<-keyform> B|B -Specifies the format (DER or PEM) of the private key file used in the -B<-signkey> option. +The key format; the default is B. +See L for details. + +=item B<-CAform> B|B, B<-CAkeyform> B|B + +The format for the CA certificate and key; the default is B. +See L for details. =item B<-days> I @@ -782,21 +782,6 @@ Set a certificate to be trusted for SSL client use and change set its alias to =head1 NOTES -The PEM format uses the header and footer lines: - - -----BEGIN CERTIFICATE----- - -----END CERTIFICATE----- - -it will also handle files containing: - - -----BEGIN X509 CERTIFICATE----- - -----END X509 CERTIFICATE----- - -Trusted certificates have the lines - - -----BEGIN TRUSTED CERTIFICATE----- - -----END TRUSTED CERTIFICATE----- - The conversion to UTF8 format used with the name options assumes that T61Strings use the ISO8859-1 character set. This is wrong but Netscape and MSIE do this as do many certificates. So although this is incorrect diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index fe037c5243..2de4fceeb3 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -516,6 +516,109 @@ parameters start with a minus sign: =back +=head2 Format Options + +Several OpenSSL commands can take input or generate output in a variety +of formats. The list of acceptable formats, and the default, is +described in each command documentation. The list of formats is +described below. Both uppercase and lowercase are accepted. + +=over 4 + +=item B + +A binary format, encoded or parsed according to Distinguished Encoding Rules +(DER) of the ASN.1 data language. + +=item B + +Used to specify that the cryptographic material is in an OpenSSL B. +An engine must be configured or specified using the B<-engine> option. +In addition, the B<-input> flag can be used to name a specific object in +the engine. +A password, such as the B<-passin> flag often must be specified as well. + +=item B + +A DER-encoded file containing a PKCS#12 object. +It might be necessary to provide a decryption password to retrieve +the private key. + +=item B + +A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is +a block of base-64 encoding (defined in IETF RFC 4648), with specific +lines used to mark the start and end: + + Text before the BEGIN line is ignored. + ----- BEGIN object-type ----- + OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX + xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK + UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ== + ----- END object-type ----- + Text after the END line is also ignored + +The I must match the type of object that is expected. +For example a C will not match if the command +is trying to read a private key. The types supported include: + + ANY PRIVATE KEY + CERTIFICATE + CERTIFICATE REQUEST + CMS + DH PARAMETERS + DSA PARAMETERS + DSA PUBLIC KEY + EC PARAMETERS + EC PRIVATE KEY + ECDSA PUBLIC KEY + ENCRYPTED PRIVATE KEY + PARAMETERS + PKCS #7 SIGNED DATA + PKCS7 + PRIVATE KEY + PUBLIC KEY + RSA PRIVATE KEY + SSL SESSION PARAMETERS + TRUSTED CERTIFICATE + X509 CRL + X9.42 DH PARAMETERS + +The following legacy I's are also supported for compatibility +with earlier releases: + + DSA PRIVATE KEY + NEW CERTIFICATE REQUEST + RSA PUBLIC KEY + X509 CERTIFICATE + +=item B + +An S/MIME object as described in IETF RFC 8551. +Earlier versions were known as CMS and are compatible. +Note that the parsing is simple and might fail to parse some legal data. + +=back + +The options to specify the format are as follows. Refer to the individual +manpage to see which options are accepted. + +=over 4 + +=item B<-inform> I, B<-outform> I + +The format of the input or output streams. + +=item B<-keyform> I + +Format of a private key input source. + +=item B<-CRLform> I + +Format of a CRL input source. + +=back + =head2 Pass Phrase Options Several commands accept password arguments, typically using B<-passin>