Add cmd-nits make target.
Listing options should stop when it hits the "parameters" separator.
Add missing .pod.in files to doc/man1/build.info
Tweak find-doc-nits to try openssl-XXX before XXX for POD files and
change an error message to be more useful.
Fix the following pages: ca, cms, crl, dgst, enc,
engine, errstr, gendsa, genrsa, list, ocsp, passwd, pkcs7, pkcs12, rand,
rehash, req, rsautil, s_server, speed, s_time,
sess_id, smime, srp, ts, x509.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10873)
-$(RM) `find . -name '*{- platform->depext() -}' \! -name '.*' \! -type d -print`
-$(RM) `find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -print`
$(RM) core
- $(RM) tags TAGS doc-nits
+ $(RM) tags TAGS doc-nits cmd-nits
$(RM) -r test/test-runs
$(RM) openssl.pc libcrypto.pc libssl.pc
-$(RM) `find . -type l \! -name '.*' -print`
generate: generate_apps generate_crypto_bn generate_crypto_objects \
generate_crypto_conf generate_crypto_asn1 generate_fuzz_oids
-.PHONY: doc-nits
+.PHONY: doc-nits cmd-nits
doc-nits: build_generated
(cd $(SRCDIR); $(PERL) util/find-doc-nits -n -l -e )
+cmd-nits: build_generated apps/openssl
+ (cd $(SRCDIR); $(PERL) util/find-doc-nits -c )
+
# Test coverage is a good idea for the future
#coverage: $(PROGRAMS) $(TESTPROGRAMS)
# ...
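Review bot: The new `cmd-nits` recipe joins `cd $(SRCDIR)` and the perl call with `;`, so if the `cd` fails the script still runs, from the build directory. `(cd $(SRCDIR) && $(PERL) util/find-doc-nits -c )` stops instead; the `doc-nits` recipe just above has the same form. The target also lists `apps/openssl` as a prerequisite, which is produced in the build tree, while the script runs from `$(SRCDIR)`. If find-doc-nits starts the binary by a relative path, an out-of-tree build would presumably not find it, which is worth confirming.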
for ( ; o->name != NULL; o++) {
char c = o->valtype;
+ if (o->name == OPT_PARAM_STR)
+ break;
+
if (o->name == OPT_HELP_STR
|| o->name == OPT_MORE_STR
|| o->name == OPT_SECTION_STR
- || o->name == OPT_PARAM_STR
|| o->name[0] == '\0')
continue;
BIO_printf(bio_out, "%s %c\n", o->name, c == '\0' ? '-' : c);
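Review bot: The added `break` on `OPT_PARAM_STR` makes the listing depend on table order, and nothing in the loop records that assumption. Any option entry placed after the "parameters" separator in a command's table would silently drop out of this output. If the documentation check consumes this listing, as the `-options` manual text in this commit suggests, that option would also escape the check. A comment above the test would state the contract, e.g. `/* Entries after the parameters separator are positional arguments, not options. */`. The loop body continues outside the hunk.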
{"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
{"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
{"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
+ {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
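Review bot: The added `"CAfile"` entry and the existing `"cafile"` entry carry the same help string, so the option summary will show two apparently equal options with no hint which is preferred. The manual page change in this commit calls `-cafile` an obsolete synonym, so the old entry's help text could say so, e.g. `{"cafile", OPT_CAFILE, '<', "Deprecated alias for -CAfile"},`. The options table starts and ends outside the hunk.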
openssl-x509.pod
DEPEND[openssl-ca.pod]=../perlvars.pm
-GENERATE[openssl-ca.pod]=openssl-ca.pod.in
DEPEND[openssl-cms.pod]=../perlvars.pm
-GENERATE[openssl-cms.pod]=openssl-cms.pod.in
DEPEND[openssl-crl.pod]=../perlvars.pm
-GENERATE[openssl-crl.pod]=openssl-crl.pod.in
DEPEND[openssl-dgst.pod]=../perlvars.pm
-GENERATE[openssl-dgst.pod]=openssl-dgst.pod.in
DEPEND[openssl-dhparam.pod]=../perlvars.pm
-GENERATE[openssl-dhparam.pod]=openssl-dhparam.pod.in
DEPEND[openssl-dsa.pod]=../perlvars.pm
-GENERATE[openssl-dsa.pod]=openssl-dsa.pod.in
DEPEND[openssl-dsaparam.pod]=../perlvars.pm
-GENERATE[openssl-dsaparam.pod]=openssl-dsaparam.pod.in
DEPEND[openssl-ec.pod]=../perlvars.pm
-GENERATE[openssl-ec.pod]=openssl-ec.pod.in
DEPEND[openssl-ecparam.pod]=../perlvars.pm
-GENERATE[openssl-ecparam.pod]=openssl-ecparam.pod.in
-DEPEND[openssl-ec.pod]=../perlvars.pm
DEPEND[openssl-enc.pod]=../perlvars.pm
-GENERATE[openssl-enc.pod]=openssl-enc.pod.in
DEPEND[openssl-gendsa.pod]=../perlvars.pm
-GENERATE[openssl-gendsa.pod]=openssl-gendsa.pod.in
DEPEND[openssl-genpkey.pod]=../perlvars.pm
-GENERATE[openssl-genpkey.pod]=openssl-genpkey.pod.in
DEPEND[openssl-genrsa.pod]=../perlvars.pm
-GENERATE[openssl-genrsa.pod]=openssl-genrsa.pod.in
DEPEND[openssl-ocsp.pod]=../perlvars.pm
-GENERATE[openssl-ocsp.pod]=openssl-ocsp.pod.in
DEPEND[openssl-passwd.pod]=../perlvars.pm
-GENERATE[openssl-passwd.pod]=openssl-passwd.pod.in
+DEPEND[openssl-pkcs12.pod]=../perlvars.pm
DEPEND[openssl-pkcs7.pod]=../perlvars.pm
-GENERATE[openssl-pkcs7.pod]=openssl-pkcs7.pod.in
DEPEND[openssl-pkcs8.pod]=../perlvars.pm
-GENERATE[openssl-pkcs8.pod]=openssl-pkcs8.pod.in
-DEPEND[openssl-pkcs12.pod]=../perlvars.pm
-GENERATE[openssl-pkcs12.pod]=openssl-pkcs12.pod.in
DEPEND[openssl-pkey.pod]=../perlvars.pm
-GENERATE[openssl-pkey.pod]=openssl-pkey.pod.in
DEPEND[openssl-pkeyparam.pod]=../perlvars.pm
-GENERATE[openssl-pkeyparam.pod]=openssl-pkeyparam.pod.in
DEPEND[openssl-pkeyutl.pod]=../perlvars.pm
-GENERATE[openssl-pkeyutl.pod]=openssl-pkeyutl.pod.in
DEPEND[openssl-rand.pod]=../perlvars.pm
-GENERATE[openssl-rand.pod]=openssl-rand.pod.in
DEPEND[openssl-req.pod]=../perlvars.pm
-GENERATE[openssl-req.pod]=openssl-req.pod.in
DEPEND[openssl-rsa.pod]=../perlvars.pm
-GENERATE[openssl-rsa.pod]=openssl-rsa.pod.in
DEPEND[openssl-rsautl.pod]=../perlvars.pm
-GENERATE[openssl-rsautl.pod]=openssl-rsautl.pod.in
DEPEND[openssl-s_client.pod]=../perlvars.pm
-GENERATE[openssl-s_client.pod]=openssl-s_client.pod.in
DEPEND[openssl-s_server.pod]=../perlvars.pm
-GENERATE[openssl-s_server.pod]=openssl-s_server.pod.in
DEPEND[openssl-s_time.pod]=../perlvars.pm
-GENERATE[openssl-s_time.pod]=openssl-s_time.pod.in
DEPEND[openssl-smime.pod]=../perlvars.pm
-GENERATE[openssl-smime.pod]=openssl-smime.pod.in
DEPEND[openssl-speed.pod]=../perlvars.pm
-GENERATE[openssl-speed.pod]=openssl-speed.pod.in
DEPEND[openssl-spkac.pod]=../perlvars.pm
-GENERATE[openssl-spkac.pod]=openssl-spkac.pod.in
DEPEND[openssl-srp.pod]=../perlvars.pm
-GENERATE[openssl-srp.pod]=openssl-srp.pod.in
DEPEND[openssl-storeutl.pod]=../perlvars.pm
-GENERATE[openssl-storeutl.pod]=openssl-storeutl.pod.in
DEPEND[openssl-ts.pod]=../perlvars.pm
-GENERATE[openssl-ts.pod]=openssl-ts.pod.in
DEPEND[openssl-verify.pod]=../perlvars.pm
-GENERATE[openssl-verify.pod]=openssl-verify.pod.in
DEPEND[openssl-x509.pod]=../perlvars.pm
+
+GENERATE[openssl-ca.pod]=openssl-ca.pod.in
+GENERATE[openssl-cms.pod]=openssl-cms.pod.in
+GENERATE[openssl-crl.pod]=openssl-crl.pod.in
+GENERATE[openssl-dgst.pod]=openssl-dgst.pod.in
+GENERATE[openssl-dhparam.pod]=openssl-dhparam.pod.in
+GENERATE[openssl-dsa.pod]=openssl-dsa.pod.in
+GENERATE[openssl-dsaparam.pod]=openssl-dsaparam.pod.in
+GENERATE[openssl-ec.pod]=openssl-ec.pod.in
+GENERATE[openssl-ecparam.pod]=openssl-ecparam.pod.in
+GENERATE[openssl-enc.pod]=openssl-enc.pod.in
+GENERATE[openssl-gendsa.pod]=openssl-gendsa.pod.in
+GENERATE[openssl-genpkey.pod]=openssl-genpkey.pod.in
+GENERATE[openssl-genrsa.pod]=openssl-genrsa.pod.in
+GENERATE[openssl-ocsp.pod]=openssl-ocsp.pod.in
+GENERATE[openssl-passwd.pod]=openssl-passwd.pod.in
+GENERATE[openssl-pkcs12.pod]=openssl-pkcs12.pod.in
+GENERATE[openssl-pkcs7.pod]=openssl-pkcs7.pod.in
+GENERATE[openssl-pkcs8.pod]=openssl-pkcs8.pod.in
+GENERATE[openssl-pkey.pod]=openssl-pkey.pod.in
+GENERATE[openssl-pkeyparam.pod]=openssl-pkeyparam.pod.in
+GENERATE[openssl-pkeyutl.pod]=openssl-pkeyutl.pod.in
+GENERATE[openssl-rand.pod]=openssl-rand.pod.in
+GENERATE[openssl-req.pod]=openssl-req.pod.in
+GENERATE[openssl-rsa.pod]=openssl-rsa.pod.in
+GENERATE[openssl-rsautl.pod]=openssl-rsautl.pod.in
+GENERATE[openssl-s_client.pod]=openssl-s_client.pod.in
+GENERATE[openssl-s_server.pod]=openssl-s_server.pod.in
+GENERATE[openssl-s_time.pod]=openssl-s_time.pod.in
+GENERATE[openssl-smime.pod]=openssl-smime.pod.in
+GENERATE[openssl-speed.pod]=openssl-speed.pod.in
+GENERATE[openssl-spkac.pod]=openssl-spkac.pod.in
+GENERATE[openssl-srp.pod]=openssl-srp.pod.in
+GENERATE[openssl-storeutl.pod]=openssl-storeutl.pod.in
+GENERATE[openssl-ts.pod]=openssl-ts.pod.in
+GENERATE[openssl-verify.pod]=openssl-verify.pod.in
GENERATE[openssl-x509.pod]=openssl-x509.pod.in
[B<-crl_CA_compromise> I<time>]
[B<-crldays> I<days>]
[B<-crlhours> I<hours>]
+[B<-crlsec> I<seconds>]
[B<-crlexts> I<section>]
[B<-startdate> I<date>]
[B<-enddate> I<date>]
The number of hours before the next CRL is due.
+=item B<-crlsec> I<num>
+
+The number of seconds before the next CRL is due.
+
=item B<-revoke> I<filename>
A filename containing a certificate to revoke.
[B<-help>]
[B<-encrypt>]
[B<-decrypt>]
+[B<-debug_decrypt>]
[B<-sign>]
[B<-verify>]
+[B<-verify_retcode>]
+[B<-no_attr_verify>]
+[B<-nosigs>]
+[B<-no_content_verify>]
[B<-cmsout>]
[B<-resign>]
[B<-cades>]
[B<-digest_verify>]
[B<-compress>]
[B<-uncompress>]
+[B<-EncryptedData_decrypt>]
[B<-EncryptedData_encrypt>]
[B<-sign_receipt>]
[B<-verify_receipt> I<receipt>]
[B<-stream>]
[B<-indef>]
[B<-noindef>]
-[B<-noindef>]
[B<-content> I<filename>]
[B<-text>]
[B<-noout>]
[B<-receipt_request_from> I<emailaddress>]
[B<-receipt_request_to> I<emailaddress>]
[B<-receipt_request_print>]
+[B<-pwri_password> I<password>]
[B<-secretkey> I<key>]
[B<-secretkeyid> I<id>]
[B<-econtent_type> I<type>]
{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
[I<cert.pem> ...]
=for openssl ifdef des-wrap engine
Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
+=item B<-verify_retcode>
+
+Exit nonzero on verification failure.
+
+=item B<-no_attr_verify>
+
+Do not verify signed attribute signatures.
+
+=item B<-no_content_verify>
+
+Do not verify signed content signatures.
+
+=item B<-nosigs>
+
+Don't verify message signature.
+
=item B<-cmsout>
Takes an input message and writes out a PEM encoded CMS structure.
compiled with B<zlib> support for this option to work, otherwise it will
output an error.
+=item B<-EncryptedData_decrypt>
+
+Decrypt content using supplied symmetric key and algorithm using a CMS
+B<EncryptedData> type and output the content.
+
=item B<-EncryptedData_encrypt>
Encrypt content using supplied symmetric key and algorithm using a CMS
is B<SMIME>.
See L<openssl(1)/Format Options> for details.
-=item B<-stream>, B<-indef>, B<-noindef>
+=item B<-stream>, B<-indef>
The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
For the B<-verify> operation print out the contents of any signed receipt
requests.
+=item B<-pwri_password> I<password>
+
+Specify password for recipient.
+
=item B<-secretkey> I<key>
Specify symmetric key to use. The key must be supplied in hex format and be
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=item I<cert.pem> ...
One or more certificates of message recipients: used when encrypting
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
+[B<-key> I<filename>]
[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-text>]
[B<-in> I<filename>]
[B<-out> I<filename>]
+[B<-gendelta> I<filename>]
+[B<-badsig>]
+[B<-verify>]
[B<-noout>]
[B<-hash>]
+[B<-hash_old>]
+[B<-fingerprint>]
+[B<-crlnumber>]
[B<-issuer>]
[B<-lastupdate>]
[B<-nextupdate>]
The input and output formats of the CRL; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
+=item B<-key> I<filename>
+
+The private key to be used to sign the CRL.
+
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The format of the private key file; the default is B<PEM>.
Specifies the output filename to write to or standard output by
default.
+=item B<-gendelta> I<filename>
+
+Output a comparison of the main CRL and the one specified here.
+
+=item B<-badsig>
+
+Corrupt the signature before writing it; this can be useful
+for testing.
+
=item B<-text>
Print out the CRL in text form.
+=item B<-verify>
+
+Verify the signature in the CRL.
+
=item B<-noout>
Don't output the encoded version of the CRL.
+=item B<-fingerprint>
+
+Output the fingerprint of the CRL.
+
+=item B<-crlnumber>
+
+Output the number of the CRL.
+
=item B<-hash>
Output a hash of the issuer name. This can be use to lookup CRLs in
[B<-help>]
[B<-c>]
[B<-d>]
+[B<-debug>]
[B<-list>]
[B<-hex>]
[B<-binary>]
[B<-signature> I<filename>]
[B<-sigopt> I<nm>:I<v>]
[B<-hmac> I<key>]
+[B<-mac> I<alg>]
+[B<-macopt> I<nm>:I<v>]
[B<-fips-fingerprint>]
-[B<-engine> I<id>]
-[B<-engine_impl> I<id>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+[B<-engine_impl> I<id>]
{- $OpenSSL::safe::opt_r_synopsis -}
[I<file> ...]
Print out the digest in two digit groups separated by colons, only relevant if
the B<-hex> option is given as well.
-=item B<-d>
+=item B<-d>, B<-debug>
Print out BIO debugging information.
The engine is not used for digests unless the B<-engine_impl> option is
used or it is configured to do so, see L<config(5)/Engine Configuration Module>.
-=item B<-engine_impl>
+=item B<-engine_impl> I<id>
When used with the B<-engine> option, it specifies to also use
engine I<id> for digest operations.
[B<-P>]
[B<-bufsize> I<number>]
[B<-nopad>]
+[B<-v>]
[B<-debug>]
[B<-none>]
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
-=for openssl ifdef z engine
+=for openssl ifdef z engine ciphers
B<openssl> I<cipher> [B<...>]
Disable standard block padding.
+=item B<-v>
+
+Verbose print; display some statistics about I/O and buffer sizes.
+
=item B<-debug>
Debug the BIOs used for I/O.
=head1 SYNOPSIS
B<openssl engine>
+[B<-help>]
[B<-v>]
[B<-vv>]
[B<-vvv>]
=over 4
+=item B<-help>
+
+Display an option summary.
+
=item B<-v> B<-vv> B<-vvv> B<-vvvv>
Provides information about each specified engine. The first flag lists
=head1 SYNOPSIS
-B<openssl errstr> I<error_code>
+B<openssl errstr>
+[B<-help>]
+I<error_code...>
=head1 DESCRIPTION
-Sometimes an application will not load error message and only
+Sometimes an application will not load error message texts and only
numerical forms will be available. This command can be
used to display the meaning of the hex code. The hex code is the hex digits
after the second colon.
=head1 OPTIONS
-None.
+=over 4
+
+=item B<-help>
+
+Display a usage message.
+
+=back
=head1 EXAMPLES
The error code:
- 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
+ 27594:error:2006D080:lib(32)::reason(128)::107:
can be displayed with:
to produce the error message:
- error:2006D080:BIO routines:BIO_new_file:no such file
+ error:2006D080:BIO routines::no such file
=head1 COPYRIGHT
B<openssl> B<gendsa>
[B<-help>]
[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
Output the key to the specified file. If this argument is not specified then
standard output is used.
+=item B<-passout> I<arg>
+
+The passphrase used for the output file.
+See L<openssl(1)/Pass Phrase Options>.
+
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
These options encrypt the private key with specified
[B<-des>]
[B<-des3>]
[B<-idea>]
-[B<-f4>|B<-3>]
+[B<-F4>]
+[B<-f4>]
+[B<-3>]
[B<-primes> I<num>]
[B<-verbose>]
{- $OpenSSL::safe::opt_r_synopsis -}
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the B<-passout> argument.
-=item B<-F4>|B<-3>
+=item B<-F4>, B<-f4>, B<-3>
The public exponent to use, either 65537 or 3. The default is 65537.
[B<-public-key-methods>]
[B<-engines>]
[B<-disabled>]
+[B<-objects>]
+[B<-options> I<command>]
=head1 DESCRIPTION
Display a list of built in objects, i.e. OIDs with names. They're listed in the
format described in L<config(5)/ASN1 Object Configuration Module>.
+=item B<-options> I<command>
+
+Output a two-column list of the options accepted by the specified I<command>.
+The first is the option name, and the second is a one-character indication
+of what type of parameter it takes, if any.
+This is an internal option, used for checking that the documentation
+is complete.
+
=back
=head2 Display of algorithm names
[B<-host> I<host>:I<port>]
[B<-multi> I<process-count>]
[B<-header>]
+[B<-timeout> I<seconds>]
[B<-path>]
[B<-VAfile> I<file>]
[B<-validity_period> I<n>]
[B<-passin> I<arg>]
[B<-rother> I<file>]
[B<-rsigopt> I<nm>:I<v>]
+[B<-rmd> I<digest>]
+[B<-badsig>]
[B<-resp_no_certs>]
[B<-nmin> I<n>]
[B<-ndays> I<n>]
Pass options to the signature algorithm when signing OCSP responses.
Names and values of these options are algorithm-specific.
+=item B<-rmd> I<digest>
+
+The digest to use when signing the response.
+
+=item B<-badsig>
+
+Corrupt the response signature before writing it; this can be useful
+for testing.
+
=item B<-port> I<portnum>
Port to listen for OCSP requests on. The port may also be specified
[B<-noverify>]
[B<-quiet>]
[B<-table>]
+[B<-reverse>]
{- $OpenSSL::safe::opt_r_synopsis -}
[I<password>]
In the output list, prepend the cleartext password and a TAB character
to each password hash.
+=item B<-reverse>
+
+When the B<-table> option is used, reverse the order of cleartext and hash.
+
{- $OpenSSL::safe::opt_r_item -}
=back
[B<-cacerts>]
[B<-nokeys>]
[B<-info>]
-[B<-des> B<-des3> B<-idea> B<-aes128> B<-aes192> B<-aes256> B<-aria128> B<-aria192> B<-aria256> B<-camellia128> B<-camellia192> B<-camellia256> B<-nodes>]
-[B<-iter> I<count> | B<-noiter> | B<-nomaciter>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-aria128>]
+[B<-aria192>]
+[B<-aria256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
+[B<-nodes>]
+[B<-iter> I<count>]
+[B<-noiter>]
+[B<-nomaciter>]
[B<-maciter>]
[B<-nomac>]
[B<-twopass>]
[B<-password> I<arg>]
[B<-passin> I<arg>]
[B<-passout> I<arg>]
+[B<-LMK>]
[B<-CSP> I<name>]
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
Don't attempt to provide the MAC integrity.
+=item B<-LMK>
+
+Add the "Local Key Set" identifier to the attributes.
+
=item B<-CSP> I<name>
Write I<name> as a Microsoft CSP name.
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
+[B<-print>]
[B<-print_certs>]
[B<-text>]
[B<-noout>]
v 1.5 as specified in IETF RFC 2315. It cannot currently parse CMS as
described in IETF RFC 2630.
-There is no option to print out all the fields of a PKCS#7 file.
-
=head1 OPTIONS
=over 4
Specifies the output filename to write to or standard output by
default.
+=item B<-print>
+
+Print out the full PKCS7 object.
+
=item B<-print_certs>
Prints out any certificates or CRLs contained in the file. They are
=item B<-text>
-Prints out certificates details in full rather than just subject and
+Prints out certificate details in full rather than just subject and
issuer names.
=item B<-noout>
Don't output the encoded version of the PKCS#7 structure (or certificates
-is B<-print_certs> is set).
+if B<-print_certs> is set).
{- $OpenSSL::safe::opt_engine_item -}
[B<-out> I<file>]
[B<-base64>]
[B<-hex>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
I<num>
Show the output as a hex string.
+{- $OpenSSL::safe::opt_engine_item -}
+
{- $OpenSSL::safe::opt_r_item -}
=back
[B<-h>]
[B<-help>]
[B<-old>]
+[B<-compat>]
[B<-n>]
[B<-v>]
[I<directory>] ...
=head1 DESCRIPTION
-On some platforms, this command isn't available, and the external
-script B<c_rehash> has to be used instead. They are functionally
-equivalent, except for minor differences noted below.
+This command is generally equivalent to the external
+script B<c_rehash>,
+except for minor differences noted below.
B<openssl rehash> scans directories and calculates a hash value of
each F<.pem>, F<.crt>, F<.cer>, or F<.crl>
[B<-modulus>]
[B<-new>]
[B<-newkey> I<arg>]
+[B<-pkeyopt> I<opt>:I<value>]
[B<-nodes>]
[B<-key> I<filename>]
[B<-keyform> B<DER>|B<PEM>]
B<openssl> B<rsautl>
[B<-help>]
[B<-in> I<file>]
+[B<-passin> I<arg>]
+[B<-rev>]
[B<-out> I<file>]
[B<-inkey> I<file>]
[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-encrypt>]
[B<-decrypt>]
[B<-pkcs>]
+[B<-x931>]
+[B<-oaep>]
+[B<-ssl>]
+[B<-raw>]
+[B<-pkcs>]
[B<-ssl>]
[B<-raw>]
[B<-hexdump>]
[B<-asn1parse>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
=for openssl ifdef engine
This specifies the input filename to read data from or standard input
if this option is not specified.
+=item B<-passin> I<arg>
+
+The passphrase used in the output file.
+See see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-rev>
+
+Reverse the order of the input.
+
=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
Decrypt the input data using an RSA private key.
-=item B<-pkcs>, B<-oaep>, B<-ssl>, B<-raw>
+=item B<-pkcs>, B<-oaep>, B<-x931> B<-ssl>, B<-raw>
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
+ANSI X9.31,
special padding used in SSL v2 backwards compatible handshakes,
or no padding, respectively.
For signatures, only B<-pkcs> and B<-raw> can be used.
Parse the ASN.1 output data, this is useful when combined with the
B<-verify> option.
+{- $OpenSSL::safe::opt_engine_item -}
+
{- $OpenSSL::safe::opt_r_item -}
=back
[B<-id_prefix> I<val>]
[B<-keymatexport> I<val>]
[B<-keymatexportlen> I<+int>]
+[B<-CRLform> B<DER>|B<PEM>]
[B<-CRL> I<infile>]
[B<-crl_download>]
[B<-cert_chain> I<infile>]
[B<-alpn> I<val>]
[B<-keylogfile> I<outfile>]
[B<-max_early_data> I<int>]
+[B<-recv_max_early_data> I<int>]
[B<-early_data>]
+[B<-stateless>]
[B<-anti_replay>]
[B<-no_anti_replay>]
[B<-http_server_binmode>]
flag). The default value is approximately 16k. The argument must be an integer
greater than or equal to 0.
+=item B<-recv_max_early_data> I<int>
+
+Specify the hard limit on the maximum number of early data bytes that will
+be accepted.
+
=item B<-early_data>
Accept early data where possible. Cannot be used in conjunction with B<-www>,
B<-WWW>, B<-HTTP> or B<-rev>.
+=item B<-stateless>
+
+Require TLSv1.3 cookies.
+
=item B<-anti_replay>, B<-no_anti_replay>
Switches replay protection on or off, respectively. Replay protection is on by
[B<-new>]
[B<-verify> I<depth>]
[B<-time> I<seconds>]
-{- $OpenSSL::safe::opt_versiontls_synopsis -}
+[B<-ssl3>]
+[B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
+[B<-tls1_3>]
[B<-bugs>]
[B<-cipher> I<cipherlist>]
[B<-ciphersuites> I<val>]
{- $OpenSSL::safe::opt_name_synopsis -}
+[B<-cafile> I<file>]
{- $OpenSSL::safe::opt_trust_synopsis -}
=for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3
{- $OpenSSL::safe::opt_trust_item -}
-{- $OpenSSL::safe::opt_versiontls_item -}
+=item B<-cafile> I<file>
+
+This is an obsolete synonym for B<-CAfile>.
+
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
+
+See L<openssl(1)/TLS Version Options>.
=back
The B<-verify> option should really exit if the server verification
fails.
+=head1 HISTORY
+
+The B<-cafile> option was deprecated in OpenSSL 3.0.
+
=head1 SEE ALSO
L<openssl(1)>,
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-text>]
+[B<-cert>]
[B<-noout>]
[B<-context> I<ID>]
[B<-in> I<file>]
[B<-certfile> I<file>]
[B<-signer> I<file>]
+[B<-nointern>]
+[B<-noverify>]
+[B<-nochain>]
+[B<-nosigs>]
+[B<-nocerts>]
+[B<-noattr>]
+[B<-nodetach>]
+[B<-nosmimecap>]
[B<-recip> I< file>]
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
[B<-stream>]
[B<-md> I<digest>]
{- $OpenSSL::safe::opt_trust_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
I<cert.pem> ...
=item B<-nochain>
-Do not do chain verification of signers certificates: that is don't
+Do not do chain verification of signers certificates; that is, do not
use the certificates in the signed message as untrusted CAs.
=item B<-nosigs>
include the signing time and supported symmetric algorithms. With this
option they are not included.
+=item B<-nodetach>
+
+When signing a message use opaque signing. This form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME. Without this option cleartext signing with
+the MIME type multipart/signed is used.
+
+=item B<-nosmimecap>
+
+When signing a message, do not include the B<SMIMECapabilities> attribute.
+
=item B<-binary>
Normally the input message is converted to "canonical" format which is
Normally the output file uses a single B<LF> as end of line. When this
option is present B<CRLF> is used instead.
-=item B<-nodetach>
-
-When signing a message use opaque signing: this form is more resistant
-to translation by mail relays but it cannot be read by mail agents that
-do not support S/MIME. Without this option cleartext signing with
-the MIME type multipart/signed is used.
-
=item B<-certfile> I<file>
Allows additional certificates to be specified. When signing these will
verified then the signers certificates will be written to this file if the
verification was successful.
+=item B<-nocerts>
+
+Don't include signers certificate when signing.
+
+=item B<-noattr>
+
+Don't include any signed attributes when signing.
+
=item B<-recip> I<file>
The recipients certificate when decrypting a message. This certificate
{- $OpenSSL::safe::opt_trust_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
{- $OpenSSL::safe::opt_r_item -}
=item I<cert.pem> ...
[B<-evp> I<algo>]
[B<-hmac> I<algo>]
[B<-cmac> I<algo>]
+[B<-mb>]
+[B<-aead>]
+[B<-multi> I<num>]
+[B<-async_jobs> I<num>]
+[B<-misalign> I<num>]
[B<-decrypt>]
[B<-primes> I<num>]
[B<-seconds> I<num>]
[B<-bytes> I<num>]
+[B<-mr>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
[I<algorithm> ...]
TLS-like sequence. And if I<algo> is a multi-buffer capable cipher, e.g.
aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation.
+=item B<-multi> I<num>
+
+Run multiple operations in parallel.
+
+=item B<-async_jobs> I<num>
+
+Enable async mode and start specified number of jobs.
+
+=item B<-misalign> I<num>
+
+Misalign the buffers by the specified number of bytes.
+
=item B<-hmac> I<digest>
Time the HMAC algorithm using the specified message digest.
Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
+=item B<-mr>
+
+Produce the summary in a mechanical, machine-readable, format.
+
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_engine_item -}
[B<-userinfo> I<text>]
[B<-passin> I<arg>]
[B<-passout> I<arg>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
[I<user> ...]
For more information about the format of B<arg>
see L<openssl(1)/Pass Phrase Options>.
+{- $OpenSSL::safe::opt_engine_item -}
+
{- $OpenSSL::safe::opt_r_synopsis -}
=back
=head1 SYNOPSIS
+B<openssl> B<ts>
+B<-help>
+
B<openssl> B<ts>
B<-query>
[B<-config> I<configfile>]
=head1 OPTIONS
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=back
+
=head2 Timestamp Request generation
The B<-query> switch can be used for creating and printing a timestamp
[B<-serial>]
[B<-hash>]
[B<-subject_hash>]
+[B<-subject_hash_old>]
[B<-issuer_hash>]
+[B<-issuer_hash_old>]
[B<-ocspid>]
[B<-subject>]
[B<-issuer>]
[B<-days> I<arg>]
[B<-set_serial> I<n>]
[B<-signkey> I<filename>]
+[B<-badsig>]
[B<-passin> I<arg>]
[B<-x509toreq>]
[B<-req>]
[B<-CAcreateserial>]
[B<-CAserial> I<filename>]
[B<-new>]
+[B<-next_serial>]
+[B<-nocert>]
[B<-force_pubkey> I<filename>]
[B<-subj> I<arg>]
[B<-text>]
[B<-ext> I<extensions>]
[B<-certopt> I<option>]
+[B<-checkhost> I<host>]
+[B<-checkemail> I<host>]
+[B<-checkip> I<ipaddr>]
[B<-C>]
[B<-I<digest>>]
[B<-clrext>]
B<-certopt> switch may be also be used more than once to set multiple
options. See the L</Text Options> section for more information.
+=item B<-checkhost> I<host>
+
+Check that the certificate matches the specified host.
+
+=item B<-checkemail> I<email>
+
+Check that the certificate matches the specified email address.
+
+=item B<-checkip> I<ipaddr>
+
+Check that the certificate matches the specified IP address.
+
=item B<-noout>
This option prevents output of the encoded version of the certificate.
It retains any certificate extensions unless the B<-clrext> option is supplied;
this includes, for example, any existing key identifier extensions.
+=item B<-badsig>
+
+Corrupt the signature before writing it; this can be useful
+for testing.
+
=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> and <-force_pubkey> options need to be given.
+=item B<-next_serial>
+
+Set the serial to be one more than the number in the certificate.
+
+=item B<-nocert>
+
+Do not generate or output a certificate.
+
=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in I<filename>
}
next;
}
- next unless /\[B<-([^ >]+)/;
- my $opt = $1;
+ my $opt;
+ if ( /\[B<-([^ >]+)/ ) {
+ $opt = $1;
+ } elsif ( /^B<-([^ >]+)/ ) {
+ $opt = $1;
+ } else {
+ next;
+ }
$opt = $1 if $opt =~ /I<(.*)/;
$docopts{$1} = 1;
}
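Review bot: The line after the new if/elsif chain still stores `$docopts{$1}`, so the recorded key depends on whichever regex last set `$1`, which is now one of three matches rather than two. Keying on the variable that was just computed says what is meant and cannot pick up a stale capture if the code is rearranged later: `$docopts{$opt} = 1;`. The enclosing loop starts outside the hunk.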
my @unimpl = sort grep { !defined $cmdopts{$_} } keys %docopts;
foreach ( @unimpl ) {
next if defined $skips{$_} || defined $localskips{$_};
- err("$cmd documented but not implemented -$_");
+ err("$doc: $cmd does not implement -$_");
}
}
# See if each has a manpage.
foreach my $cmd ( @commands ) {
next if $cmd eq 'help' || $cmd eq 'exit';
- my $doc = "doc/man1/$cmd.pod";
- $doc = "doc/man1/openssl-$cmd.pod" if -f "doc/man1/openssl-$cmd.pod";
+ my $doc = "doc/man1/openssl-$cmd.pod";
+ # Handle "tsget" and "CA.pl" pod pages
+ $doc = "doc/man1/$cmd.pod" if -f "doc/man1/$cmd.pod";
if ( ! -f "$doc" ) {
err("$doc does not exist");
} else {