From 5388f9862d9aaf3c7cf7a70c1e36e7e983c26cfc Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Fri, 8 Nov 2019 06:08:30 +1000 Subject: [PATCH] Add "sections" to -help output Remove "Valid options" label, since all commands have sections (and [almost] always the first one is "General options"). Have "list --options" ignore section headers Reformat ts's additional help Add output section Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9953) --- apps/asn1pars.c | 19 +++-- apps/ca.c | 72 ++++++++++-------- apps/ciphers.c | 23 +++--- apps/cms.c | 104 +++++++++++++++----------- apps/crl.c | 33 ++++++--- apps/crl2p7.c | 11 ++- apps/dgst.c | 34 +++++---- apps/dhparam.c | 28 ++++--- apps/dsa.c | 28 ++++--- apps/dsaparam.c | 18 +++-- apps/ec.c | 25 ++++--- apps/ecparam.c | 29 +++++--- apps/enc.c | 37 ++++++---- apps/engine.c | 10 ++- apps/errstr.c | 2 + apps/fipsinstall.c | 12 +-- apps/gendsa.c | 11 ++- apps/genpkey.c | 16 ++-- apps/genrsa.c | 17 +++-- apps/include/opt.h | 6 +- apps/info.c | 4 + apps/kdf.c | 8 +- apps/lib/opt.c | 12 ++- apps/list.c | 5 ++ apps/mac.c | 6 ++ apps/nseq.c | 7 +- apps/ocsp.c | 102 ++++++++++++++------------ apps/openssl.c | 2 + apps/passwd.c | 10 ++- apps/pkcs12.c | 78 +++++++++++--------- apps/pkcs7.c | 13 +++- apps/pkcs8.c | 34 +++++---- apps/pkey.c | 30 +++++--- apps/pkeyparam.c | 13 +++- apps/pkeyutl.c | 50 +++++++------ apps/prime.c | 8 +- apps/provider.c | 4 + apps/rand.c | 14 ++-- apps/rehash.c | 5 +- apps/req.c | 62 +++++++++------- apps/rsa.c | 29 +++++--- apps/rsautl.c | 28 ++++--- apps/s_client.c | 178 ++++++++++++++++++++++++--------------------- apps/s_server.c | 154 +++++++++++++++++++++------------------ apps/s_time.c | 44 ++++++----- apps/sess_id.c | 11 ++- apps/smime.c | 65 ++++++++++------- apps/speed.c | 30 +++++--- apps/spkac.c | 17 +++-- apps/srp.c | 17 +++-- apps/storeutl.c | 26 ++++--- apps/ts.c | 78 ++++++++++---------- apps/verify.c | 14 ++-- apps/version.c | 3 + apps/x509.c | 79 +++++++++++--------- 55 files changed, 1057 insertions(+), 718 deletions(-) diff --git a/apps/asn1pars.c b/apps/asn1pars.c index 14f1dcad32..342e12d9b2 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -27,27 +27,32 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS asn1parse_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"oid", OPT_OID, '<', "file of extra oid definitions"}, + + OPT_SECTION("I/O"), {"inform", OPT_INFORM, 'F', "input format - one of DER PEM"}, {"in", OPT_IN, '<', "input file"}, {"out", OPT_OUT, '>', "output file (output format is always DER)"}, - {"i", OPT_INDENT, 0, "indents the output"}, {"noout", OPT_NOOUT, 0, "do not produce any output"}, {"offset", OPT_OFFSET, 'p', "offset into file"}, {"length", OPT_LENGTH, 'p', "length of section in file"}, - {"oid", OPT_OID, '<', "file of extra oid definitions"}, - {"dump", OPT_DUMP, 0, "unknown data in hex form"}, - {"dlimit", OPT_DLIMIT, 'p', - "dump the first arg bytes of unknown data in hex form"}, {"strparse", OPT_STRPARSE, 'p', "offset; a series of these can be used to 'dig'"}, - {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"}, {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, + {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"}, {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"}, - {OPT_MORE_STR, 0, 0, "(-inform will be ignored)"}, {"strictpem", OPT_STRICTPEM, 0, "do not attempt base64 decode outside PEM markers"}, {"item", OPT_ITEM, 's', "item to parse and print"}, + {OPT_MORE_STR, 0, 0, "(-inform will be ignored)"}, + + OPT_SECTION("Formatting"), + {"i", OPT_INDENT, 0, "indents the output"}, + {"dump", OPT_DUMP, 0, "unknown data in hex form"}, + {"dlimit", OPT_DLIMIT, 'p', + "dump the first arg bytes of unknown data in hex form"}, {NULL} }; diff --git a/apps/ca.c b/apps/ca.c index b188b9b4dd..824c022502 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -154,10 +154,30 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS ca_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"}, + {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, + {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"}, + {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, + {"out", OPT_OUT, '>', "Where to put the output file(s)"}, + {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"}, + {"batch", OPT_BATCH, '-', "Don't ask questions"}, + {"msie_hack", OPT_MSIE_HACK, '-', + "msie modifications to handle all Universal Strings"}, + {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"}, + {"spkac", OPT_SPKAC, '<', + "File contains DN and signed public key and challenge"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + + OPT_SECTION("Configuration"), {"config", OPT_CONFIG, 's', "A config file"}, {"name", OPT_NAME, 's', "The particular CA definition to use"}, + {"policy", OPT_POLICY, 's', "The CA 'policy' to support"}, + + OPT_SECTION("Certificate"), {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"}, {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, {"create_serial", OPT_CREATE_SERIAL, '-', @@ -170,8 +190,21 @@ const OPTIONS ca_options[] = { {"enddate", OPT_ENDDATE, 's', "YYMMDDHHMMSSZ cert notAfter (overrides -days)"}, {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"}, + {"extensions", OPT_EXTENSIONS, 's', + "Extension section (override value in config file)"}, + {"extfile", OPT_EXTFILE, '<', + "Configuration file with X509v3 extensions to add"}, +#ifndef OPENSSL_NO_SM2 + {"sm2-id", OPT_SM2ID, 's', + "Specify an ID string to verify an SM2 certificate request"}, + {"sm2-hex-id", OPT_SM2HEXID, 's', + "Specify a hex ID string to verify an SM2 certificate request"}, +#endif + {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"}, + {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, + + OPT_SECTION("Signing"), {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"}, - {"policy", OPT_POLICY, 's', "The CA 'policy' to support"}, {"keyfile", OPT_KEYFILE, 's', "Private key"}, {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, @@ -179,31 +212,12 @@ const OPTIONS ca_options[] = { {"cert", OPT_CERT, '<', "The CA cert"}, {"selfsign", OPT_SELFSIGN, '-', "Sign a cert with the key associated with it"}, - {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"}, - {"out", OPT_OUT, '>', "Where to put the output file(s)"}, - {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, - {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"}, - {"batch", OPT_BATCH, '-', "Don't ask questions"}, - {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"}, - {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, + + OPT_SECTION("Revocation"), {"gencrl", OPT_GENCRL, '-', "Generate a new CRL"}, - {"msie_hack", OPT_MSIE_HACK, '-', - "msie modifications to handle all those universal strings"}, - {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"}, - {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"}, - {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"}, - {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, - {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"}, - {"spkac", OPT_SPKAC, '<', - "File contains DN and signed public key and challenge"}, - {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"}, {"valid", OPT_VALID, 's', "Add a Valid(not-revoked) DB entry about a cert (given in file)"}, - {"extensions", OPT_EXTENSIONS, 's', - "Extension section (override value in config file)"}, - {"extfile", OPT_EXTFILE, '<', - "Configuration file with X509v3 extensions to add"}, {"status", OPT_STATUS, 's', "Shows cert status given the serial number"}, {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"}, {"crlexts", OPT_CRLEXTS, 's', @@ -215,16 +229,12 @@ const OPTIONS ca_options[] = { "sets compromise time to val and the revocation reason to keyCompromise"}, {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's', "sets compromise time to val and the revocation reason to CACompromise"}, + {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"}, + {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"}, + {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"}, + {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"}, + OPT_R_OPTIONS, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif -#ifndef OPENSSL_NO_SM2 - {"sm2-id", OPT_SM2ID, 's', - "Specify an ID string to verify an SM2 certificate request"}, - {"sm2-hex-id", OPT_SM2HEXID, 's', - "Specify a hex ID string to verify an SM2 certificate request"}, -#endif {NULL} }; diff --git a/apps/ciphers.c b/apps/ciphers.c index e51fac11ee..c2ac40a3b5 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -31,33 +31,38 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS ciphers_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + + OPT_SECTION("Output"), {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"}, {"V", OPT_UPPER_V, '-', "Even more verbose"}, + {"stdname", OPT_STDNAME, '-', "Show standard cipher names"}, + {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"}, + + OPT_SECTION("Cipher specification"), {"s", OPT_S, '-', "Only supported ciphers"}, #ifndef OPENSSL_NO_SSL3 - {"ssl3", OPT_SSL3, '-', "SSL3 mode"}, + {"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"}, #endif #ifndef OPENSSL_NO_TLS1 - {"tls1", OPT_TLS1, '-', "TLS1 mode"}, + {"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"}, #endif #ifndef OPENSSL_NO_TLS1_1 - {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"}, + {"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"}, #endif #ifndef OPENSSL_NO_TLS1_2 - {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"}, + {"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"}, #endif #ifndef OPENSSL_NO_TLS1_3 - {"tls1_3", OPT_TLS1_3, '-', "TLS1.3 mode"}, + {"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"}, #endif - {"stdname", OPT_STDNAME, '-', "Show standard cipher names"}, #ifndef OPENSSL_NO_PSK - {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"}, + {"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"}, #endif #ifndef OPENSSL_NO_SRP - {"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"}, + {"srp", OPT_SRP, '-', "Include ciphersuites requiring SRP"}, #endif - {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"}, {"ciphersuites", OPT_CIPHERSUITES, 's', "Configure the TLSv1.3 ciphersuites to use"}, {NULL} diff --git a/apps/cms.c b/apps/cms.c index 468820f3cf..c30bd62bb1 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -91,13 +91,35 @@ const OPTIONS cms_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, {OPT_HELP_STR, 1, '-', " cert.pem... recipient certs for encryption\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, {"outform", OPT_OUTFORM, 'c', "Output format SMIME (default), PEM or DER"}, {"in", OPT_IN, '<', "Input file"}, {"out", OPT_OUT, '>', "Output file"}, + {"debug_decrypt", OPT_DEBUG_DECRYPT, '-', + "Disable MMA protection and return an error if no recipient found" + " (see documentation)"}, + {"stream", OPT_INDEF, '-', "Enable CMS streaming"}, + {"indef", OPT_INDEF, '-', "Same as -stream"}, + {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, + {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" }, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, + {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"no-CAstore", OPT_NOCASTORE, '-', + "Do not load certificates from the default certificates store"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + + OPT_SECTION("Action"), {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, {"sign", OPT_SIGN, '-', "Sign message"}, @@ -109,45 +131,42 @@ const OPTIONS cms_options[] = { "Exit non-zero on verification failure"}, {"verify_receipt", OPT_VERIFY_RECEIPT, '<', "Verify receipts; exit if receipt signatures do not verify"}, - {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, - {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"}, - {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"}, {"digest_verify", OPT_DIGEST_VERIFY, '-', "Verify a CMS \"DigestedData\" object and output it"}, {"digest_create", OPT_DIGEST_CREATE, '-', "Create a CMS \"DigestedData\" object"}, {"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"}, - {"uncompress", OPT_UNCOMPRESS, '-', "Uncompress a CMS \"CompressedData\" object"}, + {"uncompress", OPT_UNCOMPRESS, '-', + "Uncompress a CMS \"CompressedData\" object"}, {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-', "Decrypt CMS \"EncryptedData\" object using symmetric key"}, {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-', "Create CMS \"EncryptedData\" object using symmetric key"}, - {"debug_decrypt", OPT_DEBUG_DECRYPT, '-', - "Disable MMA protection and return an error if no recipient found" - " (see documentation)"}, + {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"}, + {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"}, + {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, + {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-', + "Do not verify signed content signatures"}, + {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-', + "Do not verify signed attribute signatures"}, + {"nointern", OPT_NOINTERN, '-', + "Don't search certificates in message for signer"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, + + OPT_SECTION("Formatting"), {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, {"asciicrlf", OPT_ASCIICRLF, '-', "Perform CRLF canonicalisation when signing"}, - {"nointern", OPT_NOINTERN, '-', - "Don't search certificates in message for signer"}, - {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, - {"nocerts", OPT_NOCERTS, '-', - "Don't include signers certificate when signing"}, - {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, + {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, {"binary", OPT_BINARY, '-', "Don't translate message to text"}, {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, - {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-', - "Do not verify signed content signatures"}, - {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-', - "Do not verify signed attribute signatures"}, - {"stream", OPT_INDEF, '-', "Enable CMS streaming"}, - {"indef", OPT_INDEF, '-', "Same as -stream"}, - {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, - {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" }, - {"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"}, + {"nocerts", OPT_NOCERTS, '-', + "Don't include signers certificate when signing"}, + {"noout", OPT_NOOUT, '-', + "For the -cmsout operation do not output the parsed CMS structure"}, {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" }, {"receipt_request_all", OPT_RR_ALL, '-', "When signing, create a receipt request for all recipients"}, @@ -155,54 +174,51 @@ const OPTIONS cms_options[] = { "When signing, create a receipt request for first recipient"}, {"rctform", OPT_RCTFORM, 'F', "Receipt file format"}, {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, - {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, - {"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, - {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"}, - {"no-CAfile", OPT_NOCAFILE, '-', - "Do not load the default certificates file"}, - {"no-CApath", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates directory"}, - {"no-CAstore", OPT_NOCASTORE, '-', - "Do not load certificates from the default certificates store"}, {"content", OPT_CONTENT, '<', "Supply or override content for detached signature"}, {"print", OPT_PRINT, '-', "For the -cmsout operation print out all fields of the CMS structure"}, + {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, + + OPT_SECTION("Keying"), {"secretkey", OPT_SECRETKEY, 's', "Use specified hex-encoded key to decrypt/encrypt recipients or content"}, {"secretkeyid", OPT_SECRETKEYID, 's', "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"}, {"pwri_password", OPT_PWRI_PASSWORD, 's', "Specific password for recipient"}, - {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"inkey", OPT_INKEY, 's', + "Input private key (if not signer or recipient)"}, + {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, + {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, + + OPT_SECTION("Mail header"), + {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"}, {"to", OPT_TO, 's', "To address"}, {"from", OPT_FROM, 's', "From address"}, {"subject", OPT_SUBJECT, 's', "Subject"}, {"signer", OPT_SIGNER, 's', "Signer certificate file"}, {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"}, - {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, - {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, - {"inkey", OPT_INKEY, 's', - "Input private key (if not signer or recipient)"}, - {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, - {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, {"receipt_request_from", OPT_RR_FROM, 's', "Create signed receipt request with specified email address"}, {"receipt_request_to", OPT_RR_TO, 's', "Create signed receipt targeted to specified address"}, + + OPT_SECTION("Encryption"), + {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, - OPT_R_OPTIONS, - OPT_V_OPTIONS, + + OPT_SECTION("Key-wrapping"), {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, # ifndef OPENSSL_NO_DES {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, # endif -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -# endif + + OPT_R_OPTIONS, + OPT_V_OPTIONS, {NULL} }; diff --git a/apps/crl.c b/apps/crl.c index f7f4fb7150..14410f3512 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -28,13 +28,28 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS crl_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'F', "Input format; default PEM"}, + {"verify", OPT_VERIFY, '-', "Verify CRL signature"}, + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file - default stdin"}, - {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"}, - {"out", OPT_OUT, '>', "output file - default stdout"}, - {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"}, + {"inform", OPT_INFORM, 'F', "Input format; default PEM"}, {"key", OPT_KEY, '<', "CRL signing Private key to use"}, + {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "output file - default stdout"}, + {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"}, + {"text", OPT_TEXT, '-', "Print out a text format version"}, + {"hash", OPT_HASH, '-', "Print hash value"}, +#ifndef OPENSSL_NO_MD5 + {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"}, +#endif + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"", OPT_MD, '-', "Any supported digest"}, + + OPT_SECTION("CRL"), {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, {"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"}, {"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"}, @@ -43,6 +58,8 @@ const OPTIONS crl_options[] = { {"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"}, {"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" }, {"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"}, + + OPT_SECTION("Certificate"), {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"}, {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"}, {"CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI"}, @@ -52,14 +69,6 @@ const OPTIONS crl_options[] = { "Do not load certificates from the default certificates directory"}, {"no-CAstore", OPT_NOCASTORE, '-', "Do not load certificates from the default certificates store"}, - {"verify", OPT_VERIFY, '-', "Verify CRL signature"}, - {"text", OPT_TEXT, '-', "Print out a text format version"}, - {"hash", OPT_HASH, '-', "Print hash value"}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, - {"", OPT_MD, '-', "Any supported digest"}, -#ifndef OPENSSL_NO_MD5 - {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"}, -#endif {NULL} }; diff --git a/apps/crl2p7.c b/apps/crl2p7.c index 6f284cb10e..ffbee4cbff 100644 --- a/apps/crl2p7.c +++ b/apps/crl2p7.c @@ -27,14 +27,19 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS crl2pkcs7_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, - {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, - {"out", OPT_OUT, '>', "Output file"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, {"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"}, {"certfile", OPT_CERTFILE, '<', "File of chain of certs to a trusted CA; can be repeated"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, {NULL} }; diff --git a/apps/dgst.c b/apps/dgst.c index 531627c40a..7e1afb9bba 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -49,36 +49,40 @@ const OPTIONS dgst_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"}, {OPT_HELP_STR, 1, '-', " file... files to digest (default is stdin)\n"}, + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"list", OPT_LIST, '-', "List digests"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, + {"engine_impl", OPT_ENGINE_IMPL, '-', + "Also use engine given by -engine for digest operations"}, +#endif + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + + OPT_SECTION("Output"), {"c", OPT_C, '-', "Print the digest with separating colons"}, {"r", OPT_R, '-', "Print the digest in coreutils format"}, {"out", OPT_OUT, '>', "Output to filename rather than stdout"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"sign", OPT_SIGN, 's', "Sign digest using private key"}, - {"verify", OPT_VERIFY, 's', - "Verify a signature using public key"}, - {"prverify", OPT_PRVERIFY, 's', - "Verify a signature using private key"}, - {"signature", OPT_SIGNATURE, '<', "File with signature to verify"}, {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"}, {"hex", OPT_HEX, '-', "Print as hex dump"}, {"binary", OPT_BINARY, '-', "Print in binary form"}, {"d", OPT_DEBUG, '-', "Print debug info"}, {"debug", OPT_DEBUG, '-', "Print debug info"}, - {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-', - "Compute HMAC with the key used in OpenSSL-FIPS fingerprint"}, + + OPT_SECTION("Signing"), + {"sign", OPT_SIGN, 's', "Sign digest using private key"}, + {"verify", OPT_VERIFY, 's', "Verify a signature using public key"}, + {"prverify", OPT_PRVERIFY, 's', "Verify a signature using private key"}, + {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"signature", OPT_SIGNATURE, '<', "File with signature to verify"}, {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"}, {"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"}, - {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"}, {"", OPT_DIGEST, '-', "Any supported digest"}, + {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-', + "Compute HMAC with the key used in OpenSSL-FIPS fingerprint"}, + OPT_R_OPTIONS, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, - {"engine_impl", OPT_ENGINE_IMPL, '-', - "Also use engine given by -engine for digest operations"}, -#endif {NULL} }; diff --git a/apps/dhparam.c b/apps/dhparam.c index 7cd69b9270..74758a5dee 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -43,27 +43,33 @@ typedef enum OPTION_choice { const OPTIONS dhparam_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"check", OPT_CHECK, '-', "Check the DH parameters"}, +# ifndef OPENSSL_NO_DSA + {"dsaparam", OPT_DSAPARAM, '-', + "Read or generate DSA parameters, convert to DH"}, +# endif +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, {"inform", OPT_INFORM, 'F', "Input format, DER or PEM"}, - {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"}, + + OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output file"}, - {"check", OPT_CHECK, '-', "Check the DH parameters"}, + {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"}, {"text", OPT_TEXT, '-', "Print a text form of the DH parameters"}, {"noout", OPT_NOOUT, '-', "Don't output any DH parameters"}, - OPT_R_OPTIONS, {"C", OPT_C, '-', "Print C code"}, {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"}, {"3", OPT_3, '-', "Generate parameters using 3 as the generator value"}, {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"}, -# ifndef OPENSSL_NO_DSA - {"dsaparam", OPT_DSAPARAM, '-', - "Read or generate DSA parameters, convert to DH"}, -# endif -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -# endif + + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/dsa.c b/apps/dsa.c index 629ba1d9e3..f0c9fc1c52 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -36,18 +36,8 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS dsa_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"}, - {"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"}, - {"in", OPT_IN, 's', "Input key"}, - {"out", OPT_OUT, '>', "Output file"}, - {"noout", OPT_NOOUT, '-', "Don't print key out"}, - {"text", OPT_TEXT, '-', "Print the key in text"}, - {"modulus", OPT_MODULUS, '-', "Print the DSA public value"}, - {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, - {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, # ifndef OPENSSL_NO_RC4 {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"}, @@ -57,6 +47,22 @@ const OPTIONS dsa_options[] = { # ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, # endif + + OPT_SECTION("Input"), + {"in", OPT_IN, 's', "Input key"}, + {"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"}, + {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"}, + {"noout", OPT_NOOUT, '-', "Don't print key out"}, + {"text", OPT_TEXT, '-', "Print the key in text"}, + {"modulus", OPT_MODULUS, '-', "Print the DSA public value"}, + {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {NULL} }; diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 959c33126a..bea5de3dba 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -37,20 +37,26 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS dsaparam_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, - {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + + OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, {"text", OPT_TEXT, '-', "Print as text"}, {"C", OPT_C, '-', "Output C code"}, {"noout", OPT_NOOUT, '-', "No output"}, + {"verbose", OPT_VERBOSE, '-', "Verbose output"}, {"genkey", OPT_GENKEY, '-', "Generate a DSA key"}, + OPT_R_OPTIONS, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -# endif - {"verbose", OPT_VERBOSE, '-', "Verbose output"}, {NULL} }; diff --git a/apps/ec.c b/apps/ec.c index c09d29d378..3d901bbad3 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -44,27 +44,32 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS ec_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + OPT_SECTION("Input"), {"in", OPT_IN, 's', "Input file"}, {"inform", OPT_INFORM, 'f', "Input format - DER or PEM"}, + {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"check", OPT_CHECK, '-', "check key consistency"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, + {"param_enc", OPT_PARAM_ENC, 's', + "Specifies the way the ec parameters are encoded"}, + {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "}, + + OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output file"}, {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, {"noout", OPT_NOOUT, '-', "Don't print key out"}, {"text", OPT_TEXT, '-', "Print the key"}, {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"}, - {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, {"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"}, - {"check", OPT_CHECK, '-', "check key consistency"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - {"param_enc", OPT_PARAM_ENC, 's', - "Specifies the way the ec parameters are encoded"}, - {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "}, - {"", OPT_CIPHER, '-', "Any supported cipher"}, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif {NULL} }; diff --git a/apps/ecparam.c b/apps/ecparam.c index 6796af6578..307eb1f37e 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -35,31 +35,38 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS ecparam_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"}, - {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"}, + {"list_curves", OPT_LIST_CURVES, '-', + "Prints a list of all curve 'short names'"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + {"genkey", OPT_GENKEY, '-', "Generate ec key"}, {"in", OPT_IN, '<', "Input file - default stdin"}, + {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"}, {"out", OPT_OUT, '>', "Output file - default stdout"}, + {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"}, + + OPT_SECTION("Output"), {"text", OPT_TEXT, '-', "Print the ec parameters in text form"}, {"C", OPT_C, '-', "Print a 'C' function creating the parameters"}, + {"noout", OPT_NOOUT, '-', "Do not print the ec parameter"}, + {"param_enc", OPT_PARAM_ENC, 's', + "Specifies the way the ec parameters are encoded"}, + + OPT_SECTION("Parameter"), {"check", OPT_CHECK, '-', "Validate the ec parameters"}, {"check_named", OPT_CHECK_NAMED, '-', "Check that named EC curve parameters have not been modified"}, - {"list_curves", OPT_LIST_CURVES, '-', - "Prints a list of all curve 'short names'"}, {"no_seed", OPT_NO_SEED, '-', "If 'explicit' parameters are chosen do not use the seed"}, - {"noout", OPT_NOOUT, '-', "Do not print the ec parameter"}, {"name", OPT_NAME, 's', "Use the ec parameters with specified 'short name'"}, {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "}, - {"param_enc", OPT_PARAM_ENC, 's', - "Specifies the way the ec parameters are encoded"}, - {"genkey", OPT_GENKEY, '-', "Generate ec key"}, + OPT_R_OPTIONS, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif {NULL} }; diff --git a/apps/enc.c b/apps/enc.c index 243cc1280c..2b23564fab 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -49,30 +49,41 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS enc_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"list", OPT_LIST, '-', "List ciphers"}, #ifndef OPENSSL_NO_DEPRECATED_3_0 {"ciphers", OPT_LIST, '-', "Alias for -list"}, #endif - {"in", OPT_IN, '<', "Input file"}, - {"out", OPT_OUT, '>', "Output file"}, - {"pass", OPT_PASS, 's', "Passphrase source"}, {"e", OPT_E, '-', "Encrypt"}, {"d", OPT_D, '-', "Decrypt"}, {"p", OPT_P, '-', "Print the iv/key"}, {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + + OPT_SECTION("Input"), + {"in", OPT_IN, '<', "Input file"}, + {"k", OPT_K, 's', "Passphrase"}, + {"kfile", OPT_KFILE, '<', "Read passphrase from file"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"pass", OPT_PASS, 's', "Passphrase source"}, {"v", OPT_V, '-', "Verbose output"}, - {"nopad", OPT_NOPAD, '-', "Disable standard block padding"}, - {"salt", OPT_SALT, '-', "Use salt in the KDF (default)"}, - {"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"}, - {"debug", OPT_DEBUG, '-', "Print debug info"}, {"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"}, {"base64", OPT_A, '-', "Same as option -a"}, {"A", OPT_UPPER_A, '-', "Used with -[base64|a] to specify base64 buffer as a single line"}, + + OPT_SECTION("Encryption"), + {"nopad", OPT_NOPAD, '-', "Disable standard block padding"}, + {"salt", OPT_SALT, '-', "Use salt in the KDF (default)"}, + {"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"}, + {"debug", OPT_DEBUG, '-', "Print debug info"}, + {"bufsize", OPT_BUFSIZE, 's', "Buffer size"}, - {"k", OPT_K, 's', "Passphrase"}, - {"kfile", OPT_KFILE, '<', "Read passphrase from file"}, {"K", OPT_UPPER_K, 's', "Raw key, in hex"}, {"S", OPT_UPPER_S, 's', "Salt, in hex"}, {"iv", OPT_IV, 's', "IV in hex"}, @@ -80,14 +91,12 @@ const OPTIONS enc_options[] = { {"iter", OPT_ITER, 'p', "Specify the iteration count and force use of PBKDF2"}, {"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"}, {"none", OPT_NONE, '-', "Don't encrypt"}, - {"", OPT_CIPHER, '-', "Any supported cipher"}, - OPT_R_OPTIONS, #ifdef ZLIB {"z", OPT_Z, '-', "Use zlib as the 'encryption'"}, #endif -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif + {"", OPT_CIPHER, '-', "Any supported cipher"}, + + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/engine.c b/apps/engine.c index 8444fe2df6..24dff22c54 100644 --- a/apps/engine.c +++ b/apps/engine.c @@ -32,16 +32,20 @@ const OPTIONS engine_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"}, {OPT_HELP_STR, 1, '-', " engine... Engines to load\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"t", OPT_T, '-', "Check that specified engine is available"}, + {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"}, + {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"}, + + OPT_SECTION("Output"), {"v", OPT_V, '-', "List 'control commands' For each specified engine"}, {"vv", OPT_VV, '-', "Also display each command's description"}, {"vvv", OPT_VVV, '-', "Also add the input flags for each command"}, {"vvvv", OPT_VVVV, '-', "Also show internal input flags"}, {"c", OPT_C, '-', "List the capabilities of specified engine"}, - {"t", OPT_T, '-', "Check that specified engine is available"}, {"tt", OPT_TT, '-', "Display error trace for unavailable engines"}, - {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"}, - {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"}, {OPT_MORE_STR, OPT_EOF, 1, "Commands are like \"SO_PATH:/lib/libdriver.so\""}, {NULL} diff --git a/apps/errstr.c b/apps/errstr.c index df0253c416..212b7293cd 100644 --- a/apps/errstr.c +++ b/apps/errstr.c @@ -23,6 +23,8 @@ typedef enum OPTION_choice { const OPTIONS errstr_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"}, {OPT_HELP_STR, 1, '-', " errnum Error number\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {NULL} }; diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index fd28b484b9..8846779932 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -32,18 +32,20 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS fipsinstall_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {OPT_MORE_STR, 0, 0, "e.g: openssl fipsinstall -provider_name fips" - "-section_name fipsinstall -out fips.conf -module ./fips.so" - "-mac_name HMAC -macopt digest:SHA256 -macopt hexkey:00"}, {"verify", OPT_VERIFY, '-', "Verification mode, i.e verify a config file " "instead of generating one"}, - {"in", OPT_IN, '<', "Input config file, used when verifying"}, - {"out", OPT_OUT, '>', "Output config file, used when generating"}, {"module", OPT_MODULE, '<', "File name of the provider module"}, {"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"}, {"section_name", OPT_SECTION_NAME, 's', "FIPS Provider config section name (optional)"}, + + OPT_SECTION("Input"), + {"in", OPT_IN, '<', "Input config file, used when verifying"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output config file, used when generating"}, {"mac_name", OPT_MAC_NAME, 's', "MAC name"}, {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. " "See 'PARAMETER NAMES' in the EVP_MAC_ docs"}, diff --git a/apps/gendsa.c b/apps/gendsa.c index 9671b23424..45ae815fd4 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -33,15 +33,18 @@ typedef enum OPTION_choice { const OPTIONS gendsa_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output the key to the specified file"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, OPT_R_OPTIONS, {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif {"verbose", OPT_VERBOSE, '-', "Verbose output"}, {NULL} }; diff --git a/apps/genpkey.c b/apps/genpkey.c index afae4b656c..3ae508c1c8 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -28,20 +28,24 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS genpkey_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"out", OPT_OUT, '>', "Output file"}, - {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"}, - {"pass", OPT_PASS, 's', "Output file pass phrase source"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif {"paramfile", OPT_PARAMFILE, '<', "Parameters file"}, {"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"}, {"pkeyopt", OPT_PKEYOPT, 's', "Set the public key algorithm option as opt:value"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"}, + {"pass", OPT_PASS, 's', "Output file pass phrase source"}, {"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"}, {"text", OPT_TEXT, '-', "Print the in text"}, {"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif + /* This is deliberately last. */ {OPT_HELP_STR, 1, 1, "Order of options may be important! See the documentation.\n"}, diff --git a/apps/genrsa.c b/apps/genrsa.c index ebf9c55329..fe57547f33 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -42,19 +42,26 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS genrsa_options[] = { + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + OPT_SECTION("Input"), {"3", OPT_3, '-', "Use 3 for the E value"}, {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, + + OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output the key to specified file"}, - OPT_R_OPTIONS, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif {"primes", OPT_PRIMES, 'p', "Specify number of primes"}, {"verbose", OPT_VERBOSE, '-', "Verbose output"}, + {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, + + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/include/opt.h b/apps/include/opt.h index 5493563004..59bfdcfefb 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -32,6 +32,7 @@ OPT_V__LAST # define OPT_V_OPTIONS \ + OPT_SECTION("Validation"), \ { "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \ { "purpose", OPT_V_PURPOSE, 's', \ "certificate chain purpose"}, \ @@ -124,6 +125,7 @@ OPT_X__LAST # define OPT_X_OPTIONS \ + OPT_SECTION("Extended certificate"), \ { "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \ { "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \ { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \ @@ -161,6 +163,7 @@ OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST # define OPT_S_OPTIONS \ + OPT_SECTION("TLS/SSL"), \ {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \ {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \ {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \ @@ -254,6 +257,7 @@ OPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST # define OPT_R_OPTIONS \ + OPT_SECTION("Random state"), \ {"rand", OPT_R_RAND, 's', "Load the file(s) into the random number generator"}, \ {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"} @@ -309,7 +313,7 @@ typedef struct string_int_pair_st { OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) /* Divide options into sections when displaying usage */ -#define OPT_SECTION(sec) {OPT_SECTION_STR, 1, '-', sec " options:\n"} +#define OPT_SECTION(sec) { OPT_SECTION_STR, 1, '-', sec " options:\n" } char *opt_progname(const char *argv0); char *opt_getprog(void); diff --git a/apps/info.c b/apps/info.c index 586917298d..ae6e34c9bc 100644 --- a/apps/info.c +++ b/apps/info.c @@ -18,7 +18,11 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS info_options[] = { + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + + OPT_SECTION("Output"), {"configdir", OPT_CONFIGDIR, '-', "Default configuration file directory"}, {"enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory"}, {"modulesdir", OPT_MODULESDIR, '-', diff --git a/apps/kdf.c b/apps/kdf.c index 35cc0db21c..abd21cee51 100644 --- a/apps/kdf.c +++ b/apps/kdf.c @@ -25,10 +25,14 @@ typedef enum OPTION_choice { const OPTIONS kdf_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] kdf_name\n"}, {OPT_HELP_STR, 1, '-', "kdf_name\t KDF algorithm.\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form. " - "See 'Supported Controls' in the EVP_KDF_ docs"}, + {"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form."}, + {OPT_HELP_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs"}, {"keylen", OPT_KEYLEN, 's', "The size of the output derived key"}, + + OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output to filename rather than stdout"}, {"binary", OPT_BIN, '-', "Output in binary format (Default is hexadecimal " "output)"}, diff --git a/apps/lib/opt.c b/apps/lib/opt.c index 98979fc2a1..2b9c922135 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -134,8 +134,9 @@ char *opt_init(int ac, char **av, const OPTIONS *o) int duplicated, i; #endif - if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR || - o->name == OPT_SECTION_STR) + if (o->name == OPT_HELP_STR + || o->name == OPT_MORE_STR + || o->name == OPT_SECTION_STR) continue; #ifndef NDEBUG i = o->valtype; @@ -844,7 +845,12 @@ void opt_print(const OPTIONS *o, int width) char *p; help = o->helpstr ? o->helpstr : "(No additional info)"; - if (o->name == OPT_HELP_STR || o->name == OPT_SECTION_STR) { + if (o->name == OPT_HELP_STR) { + opt_printf_stderr(help, prog); + return; + } + if (o->name == OPT_SECTION_STR) { + opt_printf_stderr("\n"); opt_printf_stderr(help, prog); return; } diff --git a/apps/list.c b/apps/list.c index 2e8867df20..a260db80fd 100644 --- a/apps/list.c +++ b/apps/list.c @@ -366,6 +366,7 @@ static void list_options_for_command(const char *command) if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR + || o->name == OPT_SECTION_STR || o->name[0] == '\0') continue; BIO_printf(bio_out, "%s %c\n", o->name, c == '\0' ? '-' : c); @@ -617,7 +618,11 @@ typedef enum HELPLIST_CHOICE { } HELPLIST_CHOICE; const OPTIONS list_options[] = { + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + + OPT_SECTION("Output"), {"1", OPT_ONE, '-', "List in one column"}, {"verbose", OPT_VERBOSE, '-', "Verbose listing"}, {"commands", OPT_COMMANDS, '-', "List of standard commands"}, diff --git a/apps/mac.c b/apps/mac.c index 8383d0d7b3..0cd3323f3b 100644 --- a/apps/mac.c +++ b/apps/mac.c @@ -28,10 +28,16 @@ const OPTIONS mac_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] mac_name\n"}, {OPT_HELP_STR, 1, '-', "mac_name\t\t MAC algorithm (See list " "-mac-algorithms)"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. " "See 'PARAMETER NAMES' in the EVP_MAC_ docs"}, + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file to MAC (default is stdin)"}, + + OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output to filename rather than stdout"}, {"binary", OPT_BIN, '-', "Output in binary format (Default is hexadecimal " "output)"}, diff --git a/apps/nseq.c b/apps/nseq.c index 6c883c0f70..5b7ab67dd1 100644 --- a/apps/nseq.c +++ b/apps/nseq.c @@ -20,9 +20,14 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS nseq_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"}, + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, + + OPT_SECTION("Output"), + {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"}, {"out", OPT_OUT, '>', "Output file"}, {NULL} }; diff --git a/apps/ocsp.c b/apps/ocsp.c index 458c808634..ee38b23388 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -147,31 +147,69 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS ocsp_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"out", OPT_OUTFILE, '>', "Output filename"}, - {"timeout", OPT_TIMEOUT, 'p', - "Connection timeout (in seconds) to the OCSP responder"}, - {"url", OPT_URL, 's', "Responder URL"}, - {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"}, - {"port", OPT_PORT, 'p', "Port to run responder on"}, {"ignore_err", OPT_IGNORE_ERR, '-', "Ignore error on OCSP request or response and continue running"}, - {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"}, - {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"}, - {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"}, + {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"no-CAstore", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates store"}, + + OPT_SECTION("Responder"), + {"timeout", OPT_TIMEOUT, 'p', + "Connection timeout (in seconds) to the OCSP responder"}, {"resp_no_certs", OPT_RESP_NO_CERTS, '-', "Don't include any certificates in response"}, - {"resp_key_id", OPT_RESP_KEY_ID, '-', - "Identify response by signing certificate key ID"}, # ifdef OCSP_DAEMON {"multi", OPT_MULTI, 'p', "run multiple responder processes"}, # endif {"no_certs", OPT_NO_CERTS, '-', "Don't include any certificates in signed request"}, + {"badsig", OPT_BADSIG, '-', + "Corrupt last byte of loaded OSCP response signature (for test)"}, + {"CA", OPT_CA, '<', "CA certificate"}, + {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"}, + {"nrequest", OPT_REQUEST, 'p', + "Number of requests to accept (default unlimited)"}, + {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"}, + {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"}, + {"sign_other", OPT_SIGN_OTHER, '<', + "Additional certificates to include in signed request"}, + {"index", OPT_INDEX, '<', "Certificate status index file"}, + {"ndays", OPT_NDAYS, 'p', "Number of days before next update"}, + {"rsigner", OPT_RSIGNER, '<', + "Responder certificate to sign responses with"}, + {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"}, + {"rother", OPT_ROTHER, '<', "Other certificates to include in response"}, + {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"}, + {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"}, + {"header", OPT_HEADER, 's', "key=value header to add"}, + {"rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response"}, + {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"}, + + OPT_SECTION("Client"), + {"url", OPT_URL, 's', "Responder URL"}, + {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"}, + {"port", OPT_PORT, 'p', "Port to run responder on"}, + {"out", OPT_OUTFILE, '>', "Output filename"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"}, + {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"}, + {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"}, {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', "Don't check signature on response"}, + {"resp_key_id", OPT_RESP_KEY_ID, '-', + "Identify response by signing certificate key ID"}, {"no_cert_verify", OPT_NO_CERT_VERIFY, '-', "Don't check signing certificate"}, + {"text", OPT_TEXT, '-', "Print text form of request and response"}, + {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, + {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"}, {"no_cert_checks", OPT_NO_CERT_CHECKS, '-', "Don't do additional checks on signing certificate"}, @@ -181,53 +219,21 @@ const OPTIONS ocsp_options[] = { "Don't verify additional certificates"}, {"no_intern", OPT_NO_INTERN, '-', "Don't search certificates contained in response for signer"}, - {"badsig", OPT_BADSIG, '-', - "Corrupt last byte of loaded OSCP response signature (for test)"}, - {"text", OPT_TEXT, '-', "Print text form of request and response"}, - {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, - {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, - {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"}, {"respin", OPT_RESPIN, 's', "File with the DER-encoded response"}, - {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"}, {"VAfile", OPT_VAFILE, '<', "Validator certificates file"}, - {"sign_other", OPT_SIGN_OTHER, '<', - "Additional certificates to include in signed request"}, {"verify_other", OPT_VERIFY_OTHER, '<', "Additional certificates to search for signer"}, - {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, - {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"}, - {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"}, - {"no-CAfile", OPT_NOCAFILE, '-', - "Do not load the default certificates file"}, - {"no-CApath", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates directory"}, - {"no-CAstore", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates store"}, + {"path", OPT_PATH, 's', "Path to use in OCSP request"}, + {"cert", OPT_CERT, '<', "Certificate to check"}, + {"serial", OPT_SERIAL, 's', "Serial number to check"}, {"validity_period", OPT_VALIDITY_PERIOD, 'u', "Maximum validity discrepancy in seconds"}, - {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, {"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"}, {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"}, {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"}, - {"path", OPT_PATH, 's', "Path to use in OCSP request"}, {"issuer", OPT_ISSUER, '<', "Issuer certificate"}, - {"cert", OPT_CERT, '<', "Certificate to check"}, - {"serial", OPT_SERIAL, 's', "Serial number to check"}, - {"index", OPT_INDEX, '<', "Certificate status index file"}, - {"CA", OPT_CA, '<', "CA certificate"}, - {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"}, - {"nrequest", OPT_REQUEST, 'p', - "Number of requests to accept (default unlimited)"}, - {"ndays", OPT_NDAYS, 'p', "Number of days before next update"}, - {"rsigner", OPT_RSIGNER, '<', - "Responder certificate to sign responses with"}, - {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"}, - {"rother", OPT_ROTHER, '<', "Other certificates to include in response"}, - {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"}, - {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"}, - {"header", OPT_HEADER, 's', "key=value header to add"}, - {"rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response"}, - {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"}, + {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, + OPT_V_OPTIONS, {NULL} }; diff --git a/apps/openssl.c b/apps/openssl.c index 123c1ff4ce..9aabad5e09 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -386,6 +386,8 @@ typedef enum HELP_CHOICE { const OPTIONS help_options[] = { {OPT_HELP_STR, 1, '-', "Usage: help [options]\n"}, {OPT_HELP_STR, 1, '-', " help [command]\n"}, + + OPT_SECTION("General"), {"help", OPT_hHELP, '-', "Display this summary"}, {NULL} }; diff --git a/apps/passwd.c b/apps/passwd.c index 956623653f..e305bd268d 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -59,15 +59,22 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS passwd_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Read passwords from file"}, {"noverify", OPT_NOVERIFY, '-', "Never verify when reading password from terminal"}, + {"stdin", OPT_STDIN, '-', "Read passwords from stdin"}, + + OPT_SECTION("Output"), {"quiet", OPT_QUIET, '-', "No warnings"}, {"table", OPT_TABLE, '-', "Format output as table"}, {"reverse", OPT_REVERSE, '-', "Switch table columns"}, + + OPT_SECTION("Cryptographic"), {"salt", OPT_SALT, 's', "Use provided salt"}, - {"stdin", OPT_STDIN, '-', "Read passwords from stdin"}, {"6", OPT_6, '-', "SHA512-based password algorithm"}, {"5", OPT_5, '-', "SHA256-based password algorithm"}, {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"}, @@ -76,6 +83,7 @@ const OPTIONS passwd_options[] = { #ifndef OPENSSL_NO_DES {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"}, #endif + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 781c3ad7ec..96e142ff81 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -62,18 +62,56 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS pkcs12_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, - {"keyex", OPT_KEYEX, '-', "Set MS key exchange type"}, - {"keysig", OPT_KEYSIG, '-', "Set MS key signature type"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + OPT_SECTION("CA"), + {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"}, + {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"}, + {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"no-CAstore", OPT_NOCASTORE, '-', + "Do not load certificates from the default certificates store"}, + + OPT_SECTION("Input"), + {"inkey", OPT_INKEY, 's', "Private key if not infile"}, + {"certfile", OPT_CERTFILE, '<', "Load certs from file"}, + {"name", OPT_NAME, 's', "Use name as friendly name"}, + {"CSP", OPT_CSP, 's', "Microsoft CSP name"}, + {"caname", OPT_CANAME, 's', + "Use name as CA friendly name (can be repeated)"}, + {"in", OPT_IN, '<', "Input filename"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + + OPT_SECTION("Output"), + {"export", OPT_EXPORT, '-', "Output PKCS12 file"}, + {"LMK", OPT_LMK, '-', + "Add local machine keyset attribute to private key"}, + {"macalg", OPT_MACALG, 's', + "Digest algorithm used in MAC (default SHA1)"}, + {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"}, + {"out", OPT_OUT, '>', "Output filename"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"password", OPT_PASSWORD, 's', "Set import/export password source"}, {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"}, {"clcerts", OPT_CLCERTS, '-', "Only output client certificates"}, {"cacerts", OPT_CACERTS, '-', "Only output CA certificates"}, {"noout", OPT_NOOUT, '-', "Don't output anything, just verify"}, - {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"}, {"chain", OPT_CHAIN, '-', "Add certificate chain"}, {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"}, {"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"}, + {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"}, + {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, + {"keyex", OPT_KEYEX, '-', "Set MS key exchange type"}, + {"keysig", OPT_KEYSIG, '-', "Set MS key signature type"}, + + OPT_SECTION("Encryption"), # ifndef OPENSSL_NO_RC2 {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (default RC2-40)"}, @@ -83,42 +121,14 @@ const OPTIONS pkcs12_options[] = { {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"}, {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"}, # endif - {"export", OPT_EXPORT, '-', "Output PKCS12 file"}, {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"}, {"maciter", OPT_MACITER, '-', "Use MAC iteration"}, {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"}, {"nomac", OPT_NOMAC, '-', "Don't generate MAC"}, - {"LMK", OPT_LMK, '-', - "Add local machine keyset attribute to private key"}, {"nodes", OPT_NODES, '-', "Don't encrypt private keys"}, - {"macalg", OPT_MACALG, 's', - "Digest algorithm used in MAC (default SHA1)"}, - {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"}, - OPT_R_OPTIONS, - {"inkey", OPT_INKEY, 's', "Private key if not infile"}, - {"certfile", OPT_CERTFILE, '<', "Load certs from file"}, - {"name", OPT_NAME, 's', "Use name as friendly name"}, - {"CSP", OPT_CSP, 's', "Microsoft CSP name"}, - {"caname", OPT_CANAME, 's', - "Use name as CA friendly name (can be repeated)"}, - {"in", OPT_IN, '<', "Input filename"}, - {"out", OPT_OUT, '>', "Output filename"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - {"password", OPT_PASSWORD, 's', "Set import/export password source"}, - {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"}, - {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"}, - {"CAstore", OPT_CASTORE, ':', "URI to store if CA's"}, - {"no-CAfile", OPT_NOCAFILE, '-', - "Do not load the default certificates file"}, - {"no-CApath", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates directory"}, - {"no-CAstore", OPT_NOCASTORE, '-', - "Do not load certificates from the default certificates store"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif + + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/pkcs7.c b/apps/pkcs7.c index a385f90980..bd1cb1013c 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -27,9 +27,17 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS pkcs7_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + + OPT_SECTION("Output"), {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, {"out", OPT_OUT, '>', "Output file"}, {"noout", OPT_NOOUT, '-', "Don't output encoded data"}, @@ -37,9 +45,6 @@ const OPTIONS pkcs7_options[] = { {"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"}, {"print_certs", OPT_PRINT_CERTS, '-', "Print_certs print any certs or crl in the input"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {NULL} }; diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 26ab0eefe6..1ccaff06f8 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -30,31 +30,39 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS pkcs8_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"}, - {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, - {"in", OPT_IN, '<', "Input file"}, - {"out", OPT_OUT, '>', "Output file"}, - {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"}, - {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"}, - {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"}, - OPT_R_OPTIONS, - {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"}, + {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"}, {"v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0"}, - {"iter", OPT_ITER, 'p', "Specify the iteration count"}, + + OPT_SECTION("Input"), + {"in", OPT_IN, '<', "Input file"}, + {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, + {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, {"traditional", OPT_TRADITIONAL, '-', "use traditional format private key"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif + {"iter", OPT_ITER, 'p', "Specify the iteration count"}, + {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"}, + #ifndef OPENSSL_NO_SCRYPT + OPT_SECTION("Scrypt"), {"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"}, {"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"}, {"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"}, {"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"}, #endif + + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/pkey.c b/apps/pkey.c index 0806b4e045..6100f8dcd3 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -23,27 +23,33 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS pkey_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {"check", OPT_CHECK, '-', "Check key consistency"}, + {"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"}, + {"", OPT_MD, '-', "Any supported cipher"}, + + OPT_SECTION("Input"), + {"in", OPT_IN, 's', "Input key"}, {"inform", OPT_INFORM, 'f', "Input format (DER or PEM)"}, - {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - {"in", OPT_IN, 's', "Input key"}, - {"out", OPT_OUT, '>', "Output file"}, {"pubin", OPT_PUBIN, '-', "Read public key from input (default is private key)"}, + {"traditional", OPT_TRADITIONAL, '-', + "Use traditional format for private keys"}, + + OPT_SECTION("Output"), + {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"out", OPT_OUT, '>', "Output file"}, {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"}, {"text", OPT_TEXT, '-', "Output in plaintext as well"}, {"noout", OPT_NOOUT, '-', "Don't output the key"}, - {"", OPT_MD, '-', "Any supported cipher"}, - {"traditional", OPT_TRADITIONAL, '-', - "Use traditional format for private keys"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif - {"check", OPT_CHECK, '-', "Check key consistency"}, - {"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"}, + {NULL} }; diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c index 1b037aea8b..552ba56d99 100644 --- a/apps/pkeyparam.c +++ b/apps/pkeyparam.c @@ -22,15 +22,20 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS pkeyparam_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"in", OPT_IN, '<', "Input file"}, - {"out", OPT_OUT, '>', "Output file"}, - {"text", OPT_TEXT, '-', "Print parameters as text"}, - {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif {"check", OPT_CHECK, '-', "Check key param consistency"}, + + OPT_SECTION("Input"), + {"in", OPT_IN, '<', "Input file"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"text", OPT_TEXT, '-', "Print parameters as text"}, + {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"}, {NULL} }; diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 6b012211e4..a8cd2a0e3e 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -49,41 +49,49 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS pkeyutl_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"in", OPT_IN, '<', "Input file - default stdin"}, - {"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"}, - {"digest", OPT_DIGEST, 's', - "Specify the digest algorithm when signing the raw input data"}, - {"out", OPT_OUT, '>', "Output file - default stdout"}, - {"pubin", OPT_PUBIN, '-', "Input is a public key"}, - {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"}, - {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"}, - {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, + {"engine_impl", OPT_ENGINE_IMPL, '-', + "Also use engine given by -engine for crypto operations"}, +#endif {"sign", OPT_SIGN, '-', "Sign input data with private key"}, {"verify", OPT_VERIFY, '-', "Verify with public key"}, - {"verifyrecover", OPT_VERIFYRECOVER, '-', - "Verify with public key, recover original data"}, - {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"}, {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"}, {"derive", OPT_DERIVE, '-', "Derive shared secret"}, - {"kdf", OPT_KDF, 's', "Use KDF algorithm"}, - {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"}, - {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"}, + + OPT_SECTION("Input"), + {"in", OPT_IN, '<', "Input file - default stdin"}, + {"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"}, + {"pubin", OPT_PUBIN, '-', "Input is a public key"}, {"inkey", OPT_INKEY, 's', "Input private key file"}, - {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"}, {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"}, + {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"}, + {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, + {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"}, {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file - default stdout"}, + {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"}, + {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, + {"verifyrecover", OPT_VERIFYRECOVER, '-', + "Verify with public key, recover original data"}, + + OPT_SECTION("Signing/Derivation"), + {"digest", OPT_DIGEST, 's', + "Specify the digest algorithm when signing the raw input data"}, {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, {"pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's', "Public key option that is read as a passphrase argument opt:passphrase"}, + {"kdf", OPT_KDF, 's', "Use KDF algorithm"}, + {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"}, + OPT_R_OPTIONS, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, - {"engine_impl", OPT_ENGINE_IMPL, '-', - "Also use engine given by -engine for crypto operations"}, -#endif {NULL} }; diff --git a/apps/prime.c b/apps/prime.c index 55cdad81a0..5df9ee0363 100644 --- a/apps/prime.c +++ b/apps/prime.c @@ -22,13 +22,17 @@ const OPTIONS prime_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"}, {OPT_HELP_STR, 1, '-', " number Number to check for primality\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"bits", OPT_BITS, 'p', "Size of number in bits"}, + {"checks", OPT_CHECKS, 'p', "Number of checks"}, + + OPT_SECTION("Output"), {"hex", OPT_HEX, '-', "Hex output"}, {"generate", OPT_GENERATE, '-', "Generate a prime"}, - {"bits", OPT_BITS, 'p', "Size of number in bits"}, {"safe", OPT_SAFE, '-', "When used with -generate, generate a safe prime"}, - {"checks", OPT_CHECKS, 'p', "Number of checks"}, {NULL} }; diff --git a/apps/provider.c b/apps/provider.c index 325a7424cd..47bc056b63 100644 --- a/apps/provider.c +++ b/apps/provider.c @@ -28,7 +28,11 @@ typedef enum OPTION_choice { const OPTIONS provider_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] provider...\n"}, {OPT_HELP_STR, 1, '-', " provider... Providers to load\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + + OPT_SECTION("Output"), {"v", OPT_V, '-', "List the algorithm names of specified provider"}, {"vv", OPT_VV, '-', "List the algorithm names of specified providers,"}, {OPT_MORE_STR, 0, '-', "categorised by operation type"}, diff --git a/apps/rand.c b/apps/rand.c index b35b84ae27..8b23a03f6e 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -26,15 +26,19 @@ typedef enum OPTION_choice { const OPTIONS rand_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [flags] num\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"out", OPT_OUT, '>', "Output file"}, - OPT_R_OPTIONS, - {"base64", OPT_BASE64, '-', "Base64 encode output"}, - {"hex", OPT_HEX, '-', "Hex encode output"}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"base64", OPT_BASE64, '-', "Base64 encode output"}, + {"hex", OPT_HEX, '-', "Hex encode output"}, + + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/rehash.c b/apps/rehash.c index a1fc37902e..ec1cf07506 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -452,12 +452,15 @@ typedef enum OPTION_choice { const OPTIONS rehash_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert-directory...]\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"h", OPT_HELP, '-', "Display this summary"}, {"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"}, {"old", OPT_OLD, '-', "Use old-style hash to generate links"}, {"n", OPT_N, '-', "Do not remove existing links"}, + + OPT_SECTION("Output"), {"v", OPT_VERBOSE, '-', "Verbose output"}, {NULL} }; diff --git a/apps/req.c b/apps/req.c index 70b4f0d657..3667ac7bce 100644 --- a/apps/req.c +++ b/apps/req.c @@ -95,37 +95,26 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS req_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, - {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, + {"keygen_engine", OPT_KEYGEN_ENGINE, 's', + "Specify engine to be used for key generation operations"}, {"in", OPT_IN, '<', "Input file"}, - {"out", OPT_OUT, '>', "Output file"}, - {"key", OPT_KEY, 's', "Private key to use"}, - {"keyform", OPT_KEYFORM, 'f', "Key file format"}, - {"pubkey", OPT_PUBKEY, '-', "Output public key"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"verify", OPT_VERIFY, '-', "Verify signature on REQ"}, +#endif + + OPT_SECTION("Certificate"), {"new", OPT_NEW, '-', "New request"}, {"config", OPT_CONFIG, '<', "Request template file"}, - {"keyout", OPT_KEYOUT, '>', "File to send the key to"}, - {"passin", OPT_PASSIN, 's', "Private key password source"}, - {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - OPT_R_OPTIONS, - {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"}, - {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, - {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, - {"batch", OPT_BATCH, '-', - "Do not ask anything during request generation"}, - {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"}, - {"modulus", OPT_MODULUS, '-', "RSA modulus"}, - {"verify", OPT_VERIFY, '-', "Verify signature on REQ"}, - {"nodes", OPT_NODES, '-', "Don't encrypt the output key"}, - {"noout", OPT_NOOUT, '-', "Do not output REQ"}, - {"verbose", OPT_VERBOSE, '-', "Verbose output"}, {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, {"reqopt", OPT_REQOPT, 's', "Various request text options"}, {"text", OPT_TEXT, '-', "Text form of request"}, {"x509", OPT_X509, '-', - "Output a x509 structure instead of a cert request"}, + "Output an x509 structure instead of a cert request"}, {OPT_MORE_STR, 1, 1, "(Required by some CA's)"}, {"subj", OPT_SUBJ, 's', "Set or modify request subject"}, {"subject", OPT_SUBJECT, '-', "Output the request's subject"}, @@ -140,18 +129,37 @@ const OPTIONS req_options[] = { {"reqexts", OPT_REQEXTS, 's', "Request extension section (override value in config file)"}, {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"}, + + OPT_SECTION("Keys and Signing"), + {"key", OPT_KEY, 's', "Private key to use"}, + {"keyform", OPT_KEYFORM, 'f', "Key file format"}, + {"pubkey", OPT_PUBKEY, '-', "Output public key"}, + {"keyout", OPT_KEYOUT, '>', "File to send the key to"}, + {"passin", OPT_PASSIN, 's', "Private key password source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"}, + {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, + {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, {"", OPT_MD, '-', "Any supported digest"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, - {"keygen_engine", OPT_KEYGEN_ENGINE, 's', - "Specify engine to be used for key generation operations"}, -#endif #ifndef OPENSSL_NO_SM2 {"sm2-id", OPT_SM2ID, 's', "Specify an ID string to verify an SM2 certificate request"}, {"sm2-hex-id", OPT_SM2HEXID, 's', "Specify a hex ID string to verify an SM2 certificate request"}, #endif + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"batch", OPT_BATCH, '-', + "Do not ask anything during request generation"}, + {"verbose", OPT_VERBOSE, '-', "Verbose output"}, + {"nodes", OPT_NODES, '-', "Don't encrypt the output key"}, + {"noout", OPT_NOOUT, '-', "Do not output REQ"}, + {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"}, + {"modulus", OPT_MODULUS, '-', "RSA modulus"}, + + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/rsa.c b/apps/rsa.c index 7c0620c6f2..82b34e7ca3 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -37,29 +37,36 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS rsa_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"}, - {"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"}, + {"check", OPT_CHECK, '-', "Verify key consistency"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + OPT_SECTION("Input"), {"in", OPT_IN, 's', "Input file"}, - {"out", OPT_OUT, '>', "Output file"}, + {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"}, {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, - {"pubout", OPT_PUBOUT, '-', "Output a public key"}, - {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"}, + {"pubout", OPT_PUBOUT, '-', "Output a public key"}, {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, {"noout", OPT_NOOUT, '-', "Don't print key out"}, {"text", OPT_TEXT, '-', "Print the key in text"}, {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, - {"check", OPT_CHECK, '-', "Verify key consistency"}, - {"", OPT_CIPHER, '-', "Any supported cipher"}, + # if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4) + OPT_SECTION("PVK"), {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"}, {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"}, {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"}, -# endif -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, # endif {NULL} }; diff --git a/apps/rsautl.c b/apps/rsautl.c index 6939e42a4d..99f1c44007 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -38,31 +38,37 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS rsautl_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"sign", OPT_SIGN, '-', "Sign with private key"}, + {"verify", OPT_VERIFY, '-', "Verify with public key"}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, - {"out", OPT_OUT, '>', "Output file"}, {"inkey", OPT_INKEY, 's', "Input key"}, {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"}, {"pubin", OPT_PUBIN, '-', "Input is an RSA public"}, {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"}, + {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, {"ssl", OPT_SSL, '-', "Use SSL v2 padding"}, {"raw", OPT_RSA_RAW, '-', "Use no padding"}, {"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"}, + {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"}, {"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"}, - {"sign", OPT_SIGN, '-', "Sign with private key"}, - {"verify", OPT_VERIFY, '-', "Verify with public key"}, {"asn1parse", OPT_ASN1PARSE, '-', "Run output through asn1parse; useful with -verify"}, {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, - {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"}, - {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, - {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"}, - {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + OPT_R_OPTIONS, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif {NULL} }; diff --git a/apps/s_client.c b/apps/s_client.c index fa5cb95f68..ee1951834b 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -605,7 +605,21 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS s_client_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, + {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's', + "Specify engine to be used for client certificate operations"}, +#endif + {"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"}, +#ifndef OPENSSL_NO_CT + {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"}, + {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"}, + {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"}, +#endif + + OPT_SECTION("Network"), {"host", OPT_HOST, 's', "Use -connect instead"}, {"port", OPT_PORT, 'p', "Use -connect instead"}, {"connect", OPT_CONNECT, 's', @@ -622,6 +636,18 @@ const OPTIONS s_client_options[] = { #ifdef AF_INET6 {"6", OPT_6, '-', "Use IPv6 only"}, #endif + {"maxfraglen", OPT_MAXFRAGLEN, 'p', + "Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"}, + {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "}, + {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p', + "Size used to split data for encrypt pipelines"}, + {"max_pipelines", OPT_MAX_PIPELINES, 'p', + "Maximum number of encrypt/decrypt pipelines to be used"}, + {"read_buf", OPT_READ_BUF, 'p', + "Default read buffer size to be used for connections"}, + {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"}, + + OPT_SECTION("Identity"), {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"}, {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"}, {"certform", OPT_CERTFORM, 'F', @@ -646,16 +672,19 @@ const OPTIONS s_client_options[] = { "DANE TLSA rrdata presentation form"}, {"dane_ee_no_namechecks", OPT_DANE_EE_NO_NAME, '-', "Disable name checks when matching DANE-EE(3) TLSA records"}, + {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"}, + {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, + {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"}, + {"name", OPT_PROTOHOST, 's', + "Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""}, + + OPT_SECTION("Session"), {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, - {"showcerts", OPT_SHOWCERTS, '-', - "Show all certificates sent by the server"}, - {"debug", OPT_DEBUG, '-', "Extra output"}, - {"msg", OPT_MSG, '-', "Show protocol messages"}, - {"msgfile", OPT_MSGFILE, '>', - "File to send output of -msg or -trace, instead of stdout"}, - {"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"}, - {"state", OPT_STATE, '-', "Print the ssl states"}, + {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"}, + {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"}, + + OPT_SECTION("Input/Output"), {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"}, {"quiet", OPT_QUIET, '-', "No s_client output"}, {"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"}, @@ -664,51 +693,35 @@ const OPTIONS s_client_options[] = { "Use the appropriate STARTTLS command before starting TLS"}, {"xmpphost", OPT_XMPPHOST, 's', "Alias of -name option for \"-starttls xmpp[-server]\""}, - OPT_R_OPTIONS, - {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"}, - {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"}, -#ifndef OPENSSL_NO_SRTP - {"use_srtp", OPT_USE_SRTP, 's', - "Offer SRTP key management with a colon-separated profile list"}, -#endif - {"keymatexport", OPT_KEYMATEXPORT, 's', - "Export keying material using label"}, - {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', - "Export len bytes of keying material (default 20)"}, - {"maxfraglen", OPT_MAXFRAGLEN, 'p', - "Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"}, - {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"}, - {"name", OPT_PROTOHOST, 's', - "Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""}, - {"CRL", OPT_CRL, '<', "CRL file to use"}, - {"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"}, - {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"}, - {"verify_return_error", OPT_VERIFY_RET_ERROR, '-', - "Close connection on verification error"}, - {"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"}, {"brief", OPT_BRIEF, '-', "Restrict output to brief summary of connection parameters"}, {"prexit", OPT_PREXIT, '-', "Print session information when the program exits"}, + + OPT_SECTION("Debug"), + {"showcerts", OPT_SHOWCERTS, '-', + "Show all certificates sent by the server"}, + {"debug", OPT_DEBUG, '-', "Extra output"}, + {"msg", OPT_MSG, '-', "Show protocol messages"}, + {"msgfile", OPT_MSGFILE, '>', + "File to send output of -msg or -trace, instead of stdout"}, + {"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"}, + {"state", OPT_STATE, '-', "Print the ssl states"}, + {"keymatexport", OPT_KEYMATEXPORT, 's', + "Export keying material using label"}, + {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', + "Export len bytes of keying material (default 20)"}, {"security_debug", OPT_SECURITY_DEBUG, '-', "Enable security debug messages"}, {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-', "Output more security debug output"}, - {"cert_chain", OPT_CERT_CHAIN, '<', - "Certificate chain file (in PEM format)"}, - {"chainCApath", OPT_CHAINCAPATH, '/', - "Use dir as certificate store path to build CA certificate chain"}, - {"verifyCApath", OPT_VERIFYCAPATH, '/', - "Use dir as certificate store path to verify CA certificate"}, - {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, - {"chainCAfile", OPT_CHAINCAFILE, '<', - "CA file for certificate chain (PEM format)"}, - {"verifyCAfile", OPT_VERIFYCAFILE, '<', - "CA file for certificate verification (PEM format)"}, - {"chainCAstore", OPT_CHAINCASTORE, ':', - "CA store URI for certificate chain"}, - {"verifyCAstore", OPT_VERIFYCASTORE, ':', - "CA store URI for certificate verification"}, +#ifndef OPENSSL_NO_SSL_TRACE + {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"}, +#endif +#ifdef WATT32 + {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"}, +#endif + {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"}, {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"}, {"servername", OPT_SERVERNAME, 's', "Set TLS extension servername (SNI) in ClientHello (default)"}, @@ -724,17 +737,9 @@ const OPTIONS s_client_options[] = { {"alpn", OPT_ALPN, 's', "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, {"async", OPT_ASYNC, '-', "Support asynchronous operation"}, - {"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"}, - {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "}, - {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p', - "Size used to split data for encrypt pipelines"}, - {"max_pipelines", OPT_MAX_PIPELINES, 'p', - "Maximum number of encrypt/decrypt pipelines to be used"}, - {"read_buf", OPT_READ_BUF, 'p', - "Default read buffer size to be used for connections"}, - OPT_S_OPTIONS, - OPT_V_OPTIONS, - OPT_X_OPTIONS, + {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, + + OPT_SECTION("Protocol and version"), #ifndef OPENSSL_NO_SSL3 {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, #endif @@ -766,16 +771,16 @@ const OPTIONS s_client_options[] = { {"sctp", OPT_SCTP, '-', "Use SCTP"}, {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"}, #endif -#ifndef OPENSSL_NO_SSL_TRACE - {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"}, +#ifndef OPENSSL_NO_NEXTPROTONEG + {"nextprotoneg", OPT_NEXTPROTONEG, 's', + "Enable NPN extension, considering named protocols supported (comma-separated list)"}, #endif -#ifdef WATT32 - {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"}, + {"early_data", OPT_EARLY_DATA, '<', "File to send as early data"}, + {"enable_pha", OPT_ENABLE_PHA, '-', "Enable post-handshake-authentication"}, +#ifndef OPENSSL_NO_SRTP + {"use_srtp", OPT_USE_SRTP, 's', + "Offer SRTP key management with a colon-separated profile list"}, #endif - {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, - {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"}, - {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, - {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"}, #ifndef OPENSSL_NO_SRP {"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"}, {"srppass", OPT_SRPPASS, 's', "Password for 'user'"}, @@ -785,24 +790,33 @@ const OPTIONS s_client_options[] = { "Tolerate other than the known g N values."}, {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal length in bits for N"}, #endif -#ifndef OPENSSL_NO_NEXTPROTONEG - {"nextprotoneg", OPT_NEXTPROTONEG, 's', - "Enable NPN extension, considering named protocols supported (comma-separated list)"}, -#endif -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, - {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's', - "Specify engine to be used for client certificate operations"}, -#endif -#ifndef OPENSSL_NO_CT - {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"}, - {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"}, - {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"}, -#endif - {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"}, - {"early_data", OPT_EARLY_DATA, '<', "File to send as early data"}, - {"enable_pha", OPT_ENABLE_PHA, '-', "Enable post-handshake-authentication"}, - {NULL, OPT_EOF, 0x00, NULL} + + OPT_R_OPTIONS, + OPT_S_OPTIONS, + OPT_V_OPTIONS, + {"CRL", OPT_CRL, '<', "CRL file to use"}, + {"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"}, + {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"}, + {"verify_return_error", OPT_VERIFY_RET_ERROR, '-', + "Close connection on verification error"}, + {"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"}, + {"cert_chain", OPT_CERT_CHAIN, '<', + "Certificate chain file (in PEM format)"}, + {"chainCApath", OPT_CHAINCAPATH, '/', + "Use dir as certificate store path to build CA certificate chain"}, + {"chainCAstore", OPT_CHAINCASTORE, ':', + "CA store URI for certificate chain"}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<', + "CA file for certificate verification (PEM format)"}, + {"verifyCApath", OPT_VERIFYCAPATH, '/', + "Use dir as certificate store path to verify CA certificate"}, + {"verifyCAstore", OPT_VERIFYCASTORE, ':', + "CA store URI for certificate verification"}, + {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, + {"chainCAfile", OPT_CHAINCAFILE, '<', + "CA file for certificate chain (PEM format)"}, + OPT_X_OPTIONS, + {NULL} }; typedef enum PROTOCOL_choice { diff --git a/apps/s_server.c b/apps/s_server.c index 03ff1b410e..5fa7c2fb42 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -761,26 +761,50 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS s_server_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"ssl_config", OPT_SSL_CONFIG, 's', + "Configure SSL_CTX using the configuration 'val'"}, +#ifndef OPENSSL_NO_SSL_TRACE + {"trace", OPT_TRACE, '-', "trace protocol messages"}, +#endif +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + + OPT_SECTION("Network"), {"port", OPT_PORT, 'p', "TCP/IP port to listen on for connections (default is " PORT ")"}, {"accept", OPT_ACCEPT, 's', "TCP/IP optional host and port to listen on for connections (default is *:" PORT ")"}, #ifdef AF_UNIX {"unix", OPT_UNIX, 's', "Unix domain socket to accept on"}, + {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"}, #endif {"4", OPT_4, '-', "Use IPv4 only"}, {"6", OPT_6, '-', "Use IPv6 only"}, -#ifdef AF_UNIX - {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"}, -#endif + + OPT_SECTION("Identity"), {"context", OPT_CONTEXT, 's', "Set session ID context"}, + {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"no-CAstore", OPT_NOCASTORE, '-', + "Do not load certificates from the default certificates store URI"}, + {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"}, {"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"}, {"Verify", OPT_UPPER_V_VERIFY, 'n', "Turn on peer certificate verification, must have a cert"}, {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT}, + {"cert2", OPT_CERT2, '<', + "Certificate file to use for servername; default is" TEST_CERT2}, + {"key2", OPT_KEY2, '<', + "-Private Key file to use for servername if not in -cert2"}, {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, - {"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"}, {"serverinfo", OPT_SERVERINFO, 's', "PEM serverinfo file for certificate"}, {"certform", OPT_CERTFORM, 'F', @@ -800,42 +824,24 @@ const OPTIONS s_server_options[] = { {"dkeyform", OPT_DKEYFORM, 'F', "Second key format (PEM, DER or ENGINE) PEM default"}, {"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"}, + {"servername", OPT_SERVERNAME, 's', + "Servername for HostName TLS extension"}, + {"servername_fatal", OPT_SERVERNAME_FATAL, '-', + "mismatch send fatal alert (default warning alert)"}, + {"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"}, {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"}, - {"debug", OPT_DEBUG, '-', "Print more output"}, - {"msg", OPT_MSG, '-', "Show protocol messages"}, - {"msgfile", OPT_MSGFILE, '>', - "File to send output of -msg or -trace, instead of stdout"}, - {"state", OPT_STATE, '-', "Print the SSL states"}, - {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, - {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, - {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"}, - {"no-CAfile", OPT_NOCAFILE, '-', - "Do not load the default certificates file"}, - {"no-CApath", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates directory"}, - {"no-CAstore", OPT_NOCASTORE, '-', - "Do not load certificates from the default certificates store URI"}, - {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"}, + {"quiet", OPT_QUIET, '-', "No server output"}, {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-', "Disable caching and tickets if ephemeral (EC)DH is used"}, {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"}, {"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"}, - {"servername", OPT_SERVERNAME, 's', - "Servername for HostName TLS extension"}, - {"servername_fatal", OPT_SERVERNAME_FATAL, '-', - "mismatch send fatal alert (default warning alert)"}, - {"cert2", OPT_CERT2, '<', - "Certificate file to use for servername; default is" TEST_CERT2}, - {"key2", OPT_KEY2, '<', - "-Private Key file to use for servername if not in -cert2"}, {"tlsextdebug", OPT_TLSEXTDEBUG, '-', "Hex dump of all TLS extensions received"}, {"HTTP", OPT_HTTP, '-', "Like -WWW but ./path includes HTTP headers"}, {"id_prefix", OPT_ID_PREFIX, 's', "Generate SSL/TLS session IDs prefixed by arg"}, - OPT_R_OPTIONS, {"keymatexport", OPT_KEYMATEXPORT, 's', "Export keying material using label"}, {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', @@ -843,10 +849,6 @@ const OPTIONS s_server_options[] = { {"CRL", OPT_CRL, '<', "CRL file to use"}, {"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"}, - {"cert_chain", OPT_CERT_CHAIN, '<', - "certificate chain file in PEM format"}, - {"dcert_chain", OPT_DCERT_CHAIN, '<', - "second certificate chain file in PEM format"}, {"chainCApath", OPT_CHAINCAPATH, '/', "use dir as certificate store path to build CA certificate chain"}, {"chainCAstore", OPT_CHAINCASTORE, ':', @@ -863,14 +865,13 @@ const OPTIONS s_server_options[] = { "Close connection on verification error"}, {"verify_quiet", OPT_VERIFY_QUIET, '-', "No verify output except verify errors"}, - {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, - {"chainCAfile", OPT_CHAINCAFILE, '<', - "CA file for certificate chain (PEM format)"}, {"verifyCAfile", OPT_VERIFYCAFILE, '<', "CA file for certificate verification (PEM format)"}, {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"}, {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"}, + #ifndef OPENSSL_NO_OCSP + OPT_SECTION("OCSP"), {"status", OPT_STATUS, '-', "Request certificate status from server"}, {"status_verbose", OPT_STATUS_VERBOSE, '-', "Print more output in certificate status callback"}, @@ -880,9 +881,8 @@ const OPTIONS s_server_options[] = { {"status_file", OPT_STATUS_FILE, '<', "File containing DER encoded OCSP Response"}, #endif -#ifndef OPENSSL_NO_SSL_TRACE - {"trace", OPT_TRACE, '-', "trace protocol messages"}, -#endif + + OPT_SECTION("Debug"), {"security_debug", OPT_SECURITY_DEBUG, '-', "Print output from SSL/TLS security framework"}, {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-', @@ -891,20 +891,28 @@ const OPTIONS s_server_options[] = { "Restrict output to brief summary of connection parameters"}, {"rev", OPT_REV, '-', "act as a simple test server which just sends back with the received text reversed"}, + {"debug", OPT_DEBUG, '-', "Print more output"}, + {"msg", OPT_MSG, '-', "Show protocol messages"}, + {"msgfile", OPT_MSGFILE, '>', + "File to send output of -msg or -trace, instead of stdout"}, + {"state", OPT_STATE, '-', "Print the SSL states"}, {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"}, - {"ssl_config", OPT_SSL_CONFIG, 's', - "Configure SSL_CTX using the configuration 'val'"}, - {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "}, - {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p', - "Size used to split data for encrypt pipelines"}, {"max_pipelines", OPT_MAX_PIPELINES, 'p', "Maximum number of encrypt/decrypt pipelines to be used"}, + {"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"}, + {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"}, + + OPT_SECTION("Network"), + {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, + {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, + {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, {"read_buf", OPT_READ_BUF, 'p', "Default read buffer size to be used for connections"}, - OPT_S_OPTIONS, - OPT_V_OPTIONS, - OPT_X_OPTIONS, - {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, + {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p', + "Size used to split data for encrypt pipelines"}, + {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "}, + + OPT_SECTION("Server identity"), {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity to expect"}, #ifndef OPENSSL_NO_PSK {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"}, @@ -916,6 +924,19 @@ const OPTIONS s_server_options[] = { {"srpuserseed", OPT_SRPUSERSEED, 's', "A seed string for a default user salt"}, #endif + + OPT_SECTION("Protocol and version"), + {"max_early_data", OPT_MAX_EARLY, 'n', + "The maximum number of bytes of early data as advertised in tickets"}, + {"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n', + "The maximum number of bytes of early data (hard limit)"}, + {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"}, + {"num_tickets", OPT_S_NUM_TICKETS, 'n', + "The number of TLSv1.3 session tickets that a server will automatically issue" }, + {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"}, + {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"}, + {"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"}, + {"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"}, #ifndef OPENSSL_NO_SSL3 {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"}, #endif @@ -933,12 +954,9 @@ const OPTIONS s_server_options[] = { #endif #ifndef OPENSSL_NO_DTLS {"dtls", OPT_DTLS, '-', "Use any DTLS version"}, - {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, - {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, {"listen", OPT_LISTEN, '-', "Listen for a DTLS ClientHello with a cookie and then connect"}, #endif - {"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"}, #ifndef OPENSSL_NO_DTLS1 {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, #endif @@ -949,34 +967,32 @@ const OPTIONS s_server_options[] = { {"sctp", OPT_SCTP, '-', "Use SCTP"}, {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"}, #endif +#ifndef OPENSSL_NO_SRTP + {"use_srtp", OPT_SRTP_PROFILES, 's', + "Offer SRTP key management with a colon-separated profile list"}, +#endif #ifndef OPENSSL_NO_DH {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, #endif #ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Set the advertised protocols for the NPN extension (comma-separated list)"}, -#endif -#ifndef OPENSSL_NO_SRTP - {"use_srtp", OPT_SRTP_PROFILES, 's', - "Offer SRTP key management with a colon-separated profile list"}, #endif {"alpn", OPT_ALPN, 's', "Set the advertised protocols for the ALPN extension (comma-separated list)"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif - {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"}, - {"max_early_data", OPT_MAX_EARLY, 'n', - "The maximum number of bytes of early data as advertised in tickets"}, - {"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n', - "The maximum number of bytes of early data (hard limit)"}, - {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"}, - {"num_tickets", OPT_S_NUM_TICKETS, 'n', - "The number of TLSv1.3 session tickets that a server will automatically issue" }, - {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"}, - {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"}, - {"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"}, - {NULL, OPT_EOF, 0, NULL} + + OPT_R_OPTIONS, + OPT_S_OPTIONS, + OPT_V_OPTIONS, + {"cert_chain", OPT_CERT_CHAIN, '<', + "certificate chain file in PEM format"}, + {"dcert_chain", OPT_DCERT_CHAIN, '<', + "second certificate chain file in PEM format"}, + {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, + {"chainCAfile", OPT_CHAINCAFILE, '<', + "CA file for certificate chain (PEM format)"}, + OPT_X_OPTIONS, + {NULL} }; #define IS_PROT_FLAG(o) \ diff --git a/apps/s_time.c b/apps/s_time.c index 43bec59037..d5816a1b16 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -52,31 +52,18 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS s_time_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + + OPT_SECTION("Connection"), {"connect", OPT_CONNECT, 's', "Where to connect as post:port (default is " SSL_CONNECT_NAME ")"}, - {"cipher", OPT_CIPHER, 's', "TLSv1.2 and below cipher list to be used"}, - {"ciphersuites", OPT_CIPHERSUITES, 's', - "Specify TLSv1.3 ciphersuites to be used"}, - {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, - {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"}, - {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"}, - {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, - {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"}, - {"no-CAfile", OPT_NOCAFILE, '-', - "Do not load the default certificates file"}, - {"no-CApath", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates directory"}, - {"no-CAstore", OPT_NOCASTORE, '-', - "Do not load certificates from the default certificates store URI"}, {"new", OPT_NEW, '-', "Just time new connections"}, {"reuse", OPT_REUSE, '-', "Just time connection reuse"}, {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"}, - {"verify", OPT_VERIFY, 'p', - "Turn on peer certificate verification, set depth"}, - {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR}, - {"www", OPT_WWW, 's', "Fetch specified page from the site"}, + {"cipher", OPT_CIPHER, 's', "TLSv1.2 and below cipher list to be used"}, + {"ciphersuites", OPT_CIPHERSUITES, 's', + "Specify TLSv1.3 ciphersuites to be used"}, #ifndef OPENSSL_NO_SSL3 {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, #endif @@ -92,6 +79,25 @@ const OPTIONS s_time_options[] = { #ifndef OPENSSL_NO_TLS1_3 {"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"}, #endif + {"verify", OPT_VERIFY, 'p', + "Turn on peer certificate verification, set depth"}, + {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR}, + {"www", OPT_WWW, 's', "Fetch specified page from the site"}, + + OPT_SECTION("Certificate"), + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"}, + {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"}, + {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"no-CAstore", OPT_NOCASTORE, '-', + "Do not load certificates from the default certificates store URI"}, + {NULL} }; diff --git a/apps/sess_id.c b/apps/sess_id.c index d8e1827776..5183ea93ed 100644 --- a/apps/sess_id.c +++ b/apps/sess_id.c @@ -25,16 +25,21 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS sess_id_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"context", OPT_CONTEXT, 's', "Set the session ID context"}, + + OPT_SECTION("Input"), + {"in", OPT_IN, 's', "Input file - default stdin"}, {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file - default stdout"}, {"outform", OPT_OUTFORM, 'f', "Output format - default PEM (PEM, DER or NSS)"}, - {"in", OPT_IN, 's', "Input file - default stdin"}, - {"out", OPT_OUT, '>', "Output file - default stdout"}, {"text", OPT_TEXT, '-', "Print ssl session id details"}, {"cert", OPT_CERT, '-', "Output certificate "}, {"noout", OPT_NOOUT, '-', "Don't output the encoded session info"}, - {"context", OPT_CONTEXT, 's', "Set the session ID context"}, {NULL} }; diff --git a/apps/smime.c b/apps/smime.c index 26bd028bea..ec36ea1867 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -52,39 +52,62 @@ const OPTIONS smime_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, {OPT_HELP_STR, 1, '-', " cert.pem... recipient certs for encryption\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'c', + "Output format SMIME (default), PEM or DER"}, + {"inkey", OPT_INKEY, 's', + "Input private key (if not signer or recipient)"}, + {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {"stream", OPT_STREAM, '-', "Enable CMS streaming" }, + {"indef", OPT_INDEF, '-', "Same as -stream" }, + {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, + + OPT_SECTION("Action"), {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, {"sign", OPT_SIGN, '-', "Sign message"}, + {"resign", OPT_RESIGN, '-', "Resign a signed message"}, {"verify", OPT_VERIFY, '-', "Verify signed message"}, + + OPT_SECTION("Signing/Encryption"), + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, {"pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure"}, {"nointern", OPT_NOINTERN, '-', "Don't search certificates in message for signer"}, - {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, - {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, - {"nocerts", OPT_NOCERTS, '-', - "Don't include signers certificate when signing"}, {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, {"binary", OPT_BINARY, '-', "Don't translate message to text"}, - {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, {"signer", OPT_SIGNER, 's', "Signer certificate file"}, - {"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"}, - {"in", OPT_IN, '<', "Input file"}, - {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, - {"inkey", OPT_INKEY, 's', - "Input private key (if not signer or recipient)"}, - {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, - {"out", OPT_OUT, '>', "Output file"}, - {"outform", OPT_OUTFORM, 'c', - "Output format SMIME (default), PEM or DER"}, {"content", OPT_CONTENT, '<', "Supply or override content for detached signature"}, + {"nocerts", OPT_NOCERTS, '-', + "Don't include signers certificate when signing"}, + + OPT_SECTION("Verification/Decryption"), + {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, + + {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, + {"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"}, + + OPT_SECTION("Email"), {"to", OPT_TO, 's', "To address"}, {"from", OPT_FROM, 's', "From address"}, {"subject", OPT_SUBJECT, 's', "Subject"}, {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, + {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, + + OPT_SECTION("Certificate chain"), {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"}, {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"}, @@ -94,22 +117,12 @@ const OPTIONS smime_options[] = { "Do not load certificates from the default certificates directory"}, {"no-CAstore", OPT_NOCASTORE, '-', "Do not load certificates from the default certificates store"}, - {"resign", OPT_RESIGN, '-', "Resign a signed message"}, {"nochain", OPT_NOCHAIN, '-', "set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" }, - {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, - {"stream", OPT_STREAM, '-', "Enable CMS streaming" }, - {"indef", OPT_INDEF, '-', "Same as -stream" }, - {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"}, + OPT_R_OPTIONS, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, - {"", OPT_CIPHER, '-', "Any supported cipher"}, OPT_V_OPTIONS, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {NULL} }; diff --git a/apps/speed.c b/apps/speed.c index 75d3149ae0..45cee2c2c5 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -316,17 +316,9 @@ typedef enum OPTION_choice { const OPTIONS speed_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] ciphers...\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"evp", OPT_EVP, 's', "Use EVP-named cipher or digest"}, - {"hmac", OPT_HMAC, 's', "HMAC using EVP-named digest"}, -#ifndef OPENSSL_NO_CMAC - {"cmac", OPT_CMAC, 's', "CMAC using EVP-named cipher"}, -#endif - {"decrypt", OPT_DECRYPT, '-', - "Time decryption instead of encryption (only EVP)"}, - {"aead", OPT_AEAD, '-', - "Benchmark EVP-named AEAD cipher in TLS-like sequence"}, {"mb", OPT_MB, '-', "Enable (tls1>=1) multi-block mode on EVP-named cipher"}, {"mr", OPT_MR, '-', "Produce machine readable output"}, @@ -337,19 +329,33 @@ const OPTIONS speed_options[] = { {"async_jobs", OPT_ASYNCJOBS, 'p', "Enable async mode and start specified number of jobs"}, #endif - OPT_R_OPTIONS, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif + {"primes", OPT_PRIMES, 'p', "Specify number of primes (for RSA only)"}, + + OPT_SECTION("Selection"), + {"evp", OPT_EVP, 's', "Use EVP-named cipher or digest"}, + {"hmac", OPT_HMAC, 's', "HMAC using EVP-named digest"}, +#ifndef OPENSSL_NO_CMAC + {"cmac", OPT_CMAC, 's', "CMAC using EVP-named cipher"}, +#endif + {"decrypt", OPT_DECRYPT, '-', + "Time decryption instead of encryption (only EVP)"}, + {"aead", OPT_AEAD, '-', + "Benchmark EVP-named AEAD cipher in TLS-like sequence"}, + + OPT_SECTION("Timing"), {"elapsed", OPT_ELAPSED, '-', "Use wall-clock time instead of CPU user time as divisor"}, - {"primes", OPT_PRIMES, 'p', "Specify number of primes (for RSA only)"}, {"seconds", OPT_SECONDS, 'p', "Run benchmarks for specified amount of seconds"}, {"bytes", OPT_BYTES, 'p', "Run [non-PKI] benchmarks on custom-sized buffer"}, {"misalign", OPT_MISALIGN, 'p', "Use specified offset to mis-align buffers"}, + + OPT_R_OPTIONS, {NULL} }; diff --git a/apps/spkac.c b/apps/spkac.c index 0ac644dd20..75e246a110 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -28,22 +28,27 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS spkac_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"spksect", OPT_SPKSECT, 's', + "Specify the name of an SPKAC-dedicated section of configuration"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, - {"out", OPT_OUT, '>', "Output file"}, {"key", OPT_KEY, '<', "Create SPKAC using private key"}, {"keyform", OPT_KEYFORM, 'f', "Private key file format - default PEM (PEM, DER, or ENGINE)"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"challenge", OPT_CHALLENGE, 's', "Challenge string"}, {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file"}, {"noout", OPT_NOOUT, '-', "Don't print SPKAC"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, {"verify", OPT_VERIFY, '-', "Verify SPKAC signature"}, - {"spksect", OPT_SPKSECT, 's', - "Specify the name of an SPKAC-dedicated section of configuration"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {NULL} }; diff --git a/apps/srp.c b/apps/srp.c index e9d9b67b79..b980ecbbb5 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -197,24 +197,29 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS srp_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"verbose", OPT_VERBOSE, '-', "Talk a lot while doing things"}, {"config", OPT_CONFIG, '<', "A config file"}, {"name", OPT_NAME, 's', "The particular srp definition to use"}, - {"srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + OPT_SECTION("Action"), {"add", OPT_ADD, '-', "Add a user and srp verifier"}, - {"modify", OPT_MODIFY, '-', - "Modify the srp verifier of an existing user"}, + {"modify", OPT_MODIFY, '-', "Modify the srp verifier of an existing user"}, {"delete", OPT_DELETE, '-', "Delete user from verifier file"}, {"list", OPT_LIST, '-', "List users"}, + + OPT_SECTION("Configuration"), + {"srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name"}, {"gn", OPT_GN, 's', "Set g and N values to be used for new verifier"}, {"userinfo", OPT_USERINFO, 's', "Additional info to be set for user"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + OPT_R_OPTIONS, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif {NULL} }; diff --git a/apps/storeutl.c b/apps/storeutl.c index f557f4d3ed..980120a39d 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -31,12 +31,16 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS storeutl_options[] = { - {OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\nValid options are:\n"}, + {OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"out", OPT_OUT, '>', "Output file - default stdout"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"text", OPT_TEXT, '-', "Print a text form of the objects"}, - {"noout", OPT_NOOUT, '-', "No PEM output, just status"}, + {"", OPT_MD, '-', "Any supported digest"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + + OPT_SECTION("Search"), {"certs", OPT_SEARCHFOR_CERTS, '-', "Search for certificates only"}, {"keys", OPT_SEARCHFOR_KEYS, '-', "Search for keys only"}, {"crls", OPT_SEARCHFOR_CRLS, '-', "Search for CRLs only"}, @@ -45,11 +49,15 @@ const OPTIONS storeutl_options[] = { {"serial", OPT_CRITERION_SERIAL, 's', "Search by issuer and serial, serial number"}, {"fingerprint", OPT_CRITERION_FINGERPRINT, 's', "Search by public key fingerprint, given in hex"}, {"alias", OPT_CRITERION_ALIAS, 's', "Search by alias"}, - {"", OPT_MD, '-', "Any supported digest"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {"r", OPT_RECURSIVE, '-', "Recurse through names"}, + + OPT_SECTION("Input"), + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file - default stdout"}, + {"text", OPT_TEXT, '-', "Print a text form of the objects"}, + {"noout", OPT_NOOUT, '-', "No PEM output, just status"}, {NULL} }; diff --git a/apps/ts.c b/apps/ts.c index 9fdba649c1..196e97b9b0 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -90,39 +90,43 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS ts_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"config", OPT_CONFIG, '<', "Configuration file"}, {"section", OPT_SECTION, 's', "Section to use within config file"}, - {"query", OPT_QUERY, '-', "Generate a TS query"}, - {"data", OPT_DATA, '<', "File to hash"}, - {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"}, - OPT_R_OPTIONS, - {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"}, - {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"}, - {"cert", OPT_CERT, '-', "Put cert request into query"}, - {"in", OPT_IN, '<', "Input file"}, - {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"}, - {"out", OPT_OUT, '>', "Output file"}, - {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"}, - {"text", OPT_TEXT, '-', "Output text (not DER)"}, - {"reply", OPT_REPLY, '-', "Generate a TS reply"}, - {"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif {"inkey", OPT_INKEY, 's', "File with private key for reply"}, {"signer", OPT_SIGNER, 's', "Signer certificate file"}, {"chain", OPT_CHAIN, '<', "File with signer CA chain"}, - {"verify", OPT_VERIFY, '-', "Verify a TS response"}, {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"}, {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"}, {"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"}, {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"}, + {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"}, + {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"", OPT_MD, '-', "Any supported digest"}, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif - {OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"}, + + OPT_SECTION("Query"), + {"query", OPT_QUERY, '-', "Generate a TS query"}, + {"data", OPT_DATA, '<', "File to hash"}, + {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"}, + {"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"}, + {"cert", OPT_CERT, '-', "Put cert request into query"}, + {"in", OPT_IN, '<', "Input file"}, + + OPT_SECTION("Verify"), + {"verify", OPT_VERIFY, '-', "Verify a TS response"}, + {"reply", OPT_REPLY, '-', "Generate a TS reply"}, + {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"}, + {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"}, + {"out", OPT_OUT, '>', "Output file"}, + {"text", OPT_TEXT, '-', "Output text (not DER)"}, + + OPT_R_OPTIONS, OPT_V_OPTIONS, - {OPT_HELP_STR, 1, '-', "\n"}, {NULL} }; @@ -130,26 +134,26 @@ const OPTIONS ts_options[] = { * This command is so complex, special help is needed. */ static char* opt_helplist[] = { + "", "Typical uses:", - "ts -query [-rand file...] [-config file] [-data file]", - " [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]", - " [-in file] [-out file] [-text]", - " or", - "ts -reply [-config file] [-section tsa_section]", - " [-queryfile file] [-passin password]", - " [-signer tsa_cert.pem] [-inkey private_key.pem]", - " [-chain certs_file.pem] [-tspolicy oid]", - " [-in file] [-token_in] [-out file] [-token_out]", + " openssl ts -query [-rand file...] [-config file] [-data file]", + " [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]", + " [-in file] [-out file] [-text]", + "", + " openssl ts -reply [-config file] [-section tsa_section]", + " [-queryfile file] [-passin password]", + " [-signer tsa_cert.pem] [-inkey private_key.pem]", + " [-chain certs_file.pem] [-tspolicy oid]", + " [-in file] [-token_in] [-out file] [-token_out]", # ifndef OPENSSL_NO_ENGINE - " [-text] [-engine id]", + " [-text] [-engine id]", # else - " [-text]", + " [-text]", # endif - " or", - "ts -verify -CApath dir -CAfile file.pem -CAstore uri -untrusted file.pem", - " [-data file] [-digest hexstring]", - " [-queryfile file] -in file [-token_in]", - " [[options specific to 'ts -verify']]", + "", + " openssl ts -verify -CApath dir -CAfile file.pem -CAstore uri", + " -untrusted file.pem [-data file] [-digest hexstring]", + " [-queryfile file] -in file [-token_in] ...", NULL, }; diff --git a/apps/verify.c b/apps/verify.c index 7b18de2bab..bb8f84c84d 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -36,10 +36,17 @@ typedef enum OPTION_choice { const OPTIONS verify_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif {"verbose", OPT_VERBOSE, '-', "Print extra information about the operations being performed."}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + + OPT_SECTION("Certificate chain"), {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"}, {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"}, {"CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates"}, @@ -57,11 +64,8 @@ const OPTIONS verify_options[] = { "Attempt to download CRL information for this certificate"}, {"show_chain", OPT_SHOW_CHAIN, '-', "Display information about the certificate chain"}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + OPT_V_OPTIONS, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif #ifndef OPENSSL_NO_SM2 {"sm2-id", OPT_SM2ID, 's', "Specify an ID string to verify an SM2 certificate"}, diff --git a/apps/version.c b/apps/version.c index 7350ccf78f..2b06f9221b 100644 --- a/apps/version.c +++ b/apps/version.c @@ -37,7 +37,10 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS version_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + + OPT_SECTION("Output"), {"a", OPT_A, '-', "Show all data"}, {"b", OPT_B, '-', "Show build date"}, {"d", OPT_D, '-', "Show configuration directory"}, diff --git a/apps/x509.c b/apps/x509.c index 3a5d561293..b4ef74c0cf 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -65,15 +65,23 @@ typedef enum OPTION_choice { } OPTION_CHOICE; const OPTIONS x509_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {"inform", OPT_INFORM, 'f', "Input format - default PEM (one of DER or PEM)"}, {"in", OPT_IN, '<', "Input file - default stdin"}, + {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, {"outform", OPT_OUTFORM, 'f', "Output format - default PEM (one of DER or PEM)"}, {"out", OPT_OUT, '>', "Output file - default stdout"}, {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, - {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, + {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, + + OPT_SECTION("Output"), {"serial", OPT_SERIAL, '-', "Print serial number value"}, {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, @@ -81,21 +89,37 @@ const OPTIONS x509_options[] = { {"subject", OPT_SUBJECT, '-', "Print subject DN"}, {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, {"email", OPT_EMAIL, '-', "Print email address(es)"}, - {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, - {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"}, - {"dates", OPT_DATES, '-', "Both Before and After dates"}, {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, {"pubkey", OPT_PUBKEY, '-', "Output the public key"}, - {"fingerprint", OPT_FINGERPRINT, '-', - "Print the certificate fingerprint"}, + {"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"}, {"alias", OPT_ALIAS, '-', "Output certificate alias"}, {"noout", OPT_NOOUT, '-', "No output, just status"}, - {"nocert", OPT_NOCERT, '-', "No certificate output"}, {"ocspid", OPT_OCSPID, '-', "Print OCSP hash values for the subject name and public key"}, {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, + {"nocert", OPT_NOCERT, '-', "No certificate output"}, {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"}, + {"x509toreq", OPT_X509TOREQ, '-', + "Output a certification request object"}, + {"checkend", OPT_CHECKEND, 'M', + "Check whether the cert expires in the next arg seconds"}, + {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, + {"text", OPT_TEXT, '-', "Print the certificate in text form"}, + {"ext", OPT_EXT, 's', "Print various X509V3 extensions"}, + {"C", OPT_C, '-', "Print out C code forms"}, +#ifndef OPENSSL_NO_MD5 + {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', + "Print old-style (MD5) issuer hash value"}, + {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', + "Print old-style (MD5) subject hash value"}, +#endif + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + + OPT_SECTION("Certificate"), + {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, + {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, + {"dates", OPT_DATES, '-', "Both Before and After dates"}, {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"}, {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, @@ -104,51 +128,34 @@ const OPTIONS x509_options[] = { {"setalias", OPT_SETALIAS, 's', "Set certificate alias"}, {"days", OPT_DAYS, 'n', "How long till expiry of a signed certificate - def 30 days"}, - {"checkend", OPT_CHECKEND, 'M', - "Check whether the cert expires in the next arg seconds"}, - {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, {"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"}, - {"x509toreq", OPT_X509TOREQ, '-', - "Output a certification request object"}, - {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, - {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, - {"CAkey", OPT_CAKEY, 's', - "The CA key, must be PEM format; if not in CAfile"}, - {"CAcreateserial", OPT_CACREATESERIAL, '-', - "Create serial number file if it does not exist"}, - {"CAserial", OPT_CASERIAL, 's', "Serial file"}, {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, - {"text", OPT_TEXT, '-', "Print the certificate in text form"}, - {"ext", OPT_EXT, 's', "Print various X509V3 extensions"}, - {"C", OPT_C, '-', "Print out C code forms"}, - {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, - OPT_R_OPTIONS, {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, {"certopt", OPT_CERTOPT, 's', "Various certificate text options"}, {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"}, {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"}, {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"}, + {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the key to put inside certificate"}, + {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"}, + + OPT_SECTION("CA"), + {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, + {"CAkey", OPT_CAKEY, 's', + "The CA key, must be PEM format; if not in CAfile"}, + {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, + OPT_R_OPTIONS, {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, {"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"CAcreateserial", OPT_CACREATESERIAL, '-', + "Create serial number file if it does not exist"}, + {"CAserial", OPT_CASERIAL, 's', "Serial file"}, {"new", OPT_NEW, '-', "Generate a certificate from scratch"}, - {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the key to put inside certificate"}, - {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"}, {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"}, {"clrreject", OPT_CLRREJECT, '-', "Clears all the prohibited or rejected uses of the certificate"}, {"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"}, {"", OPT_MD, '-', "Any supported digest"}, -#ifndef OPENSSL_NO_MD5 - {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', - "Print old-style (MD5) issuer hash value"}, - {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', - "Print old-style (MD5) subject hash value"}, -#endif -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {"preserve_dates", OPT_PRESERVE_DATES, '-', "preserve existing dates when signing"}, {NULL} }; -- 2.25.1