Command docs: replacables are in italics, options always start with a dash Quite a lot of replacables were still bold, and some options were mentioned without a beginning dash. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10065)
diff --git a/doc/man1/CA.pl.pod b/doc/man1/CA.pl.pod index 17745d6..1e4d223 100644 --- a/doc/man1/CA.pl.pod +++ b/doc/man1/CA.pl.pod
@@ -120,7 +120,7 @@ certificates are specified on the command line it tries to verify the file "newcert.pem". Invokes B<openssl verify> command. -=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params> +=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params> The purpose of these parameters is to allow optional parameters to be supplied to B<openssl> that this command executes. The B<-extra-cmd> are specific to the
diff --git a/doc/man1/openssl-asn1parse.pod b/doc/man1/openssl-asn1parse.pod index 73824bf..7b81c51 100644 --- a/doc/man1/openssl-asn1parse.pod +++ b/doc/man1/openssl-asn1parse.pod
@@ -39,7 +39,7 @@ =item B<-inform> B<DER>|B<PEM> -The input format. I<DER> is binary format and I<PEM> (the default) is base64 +The input format. B<DER> is binary format and B<PEM> (the default) is base64 encoded. =item B<-in> I<filename> @@ -88,12 +88,12 @@ =item B<-genstr> I<string>, B<-genconf> I<file> -Generate encoded data based on B<string>, B<file> or both using -L<ASN1_generate_nconf(3)> format. If B<file> only is +Generate encoded data based on I<string>, I<file> or both using +L<ASN1_generate_nconf(3)> format. If I<file> only is present then the string is obtained from the default section using the name B<asn1>. The encoded data is passed through the ASN1 parser and printed out as though it came from a file, the contents can thus be examined and written to a -file using the B<out> option. +file using the B<-out> option. =item B<-strictpem> @@ -105,8 +105,8 @@ =item B<-item> I<name> -Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to -print out the fields of any supported ASN.1 structure if the type is known. +Attempt to decode and print the data as B<ASN1_ITEM> I<name>. This can be used +to print out the fields of any supported ASN.1 structure if the type is known. =back
diff --git a/doc/man1/openssl-ca.pod b/doc/man1/openssl-ca.pod index 4ba230f..4780f2a 100644 --- a/doc/man1/openssl-ca.pod +++ b/doc/man1/openssl-ca.pod
@@ -251,7 +251,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<ca> +Specifying an engine (by its unique I<id> string) will cause B<ca> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -259,7 +259,7 @@ =item B<-subj> I<arg> Supersedes subject name given in the request. -The arg must be formatted as I</type0=value0/type1=value1/type2=...>. +The arg must be formatted as C</type0=value0/type1=value1/type2=...>. Keyword characters may be escaped by \ (backslash), and whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the resulting certificate. @@ -291,7 +291,7 @@ I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> -If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. +If B<-multi-rdn> is not used then the UID value is I<123456+CN=John Doe>. =item B<-rand> I<files> @@ -353,9 +353,9 @@ =item B<-crl_reason> I<reason> -Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>, +Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>, -B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case +B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case insensitive. Setting any revocation reason will make the CRL v2. In practice B<removeFromCRL> is not particularly useful because it is only used @@ -364,14 +364,14 @@ =item B<-crl_hold> I<instruction> This sets the CRL revocation reason code to B<certificateHold> and the hold -instruction to B<instruction> which must be an OID. Although any OID can be +instruction to I<instruction> which must be an OID. Although any OID can be used only B<holdInstructionNone> (the use of which is discouraged by RFC2459) B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used. =item B<-crl_compromise> I<time> This sets the revocation reason to B<keyCompromise> and the compromise time to -B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>. +I<time>. I<time> should be in GeneralizedTime format that is I<YYYYMMDDHHMMSSZ>. =item B<-crl_CA_compromise> I<time>
diff --git a/doc/man1/openssl-ciphers.pod b/doc/man1/openssl-ciphers.pod index 0ed7d14..ca1f8fc 100644 --- a/doc/man1/openssl-ciphers.pod +++ b/doc/man1/openssl-ciphers.pod
@@ -22,7 +22,7 @@ [B<-stdname>] [B<-convert> I<name>] [B<-ciphersuites> I<val>] -[B<cipherlist>] +[I<cipherlist>] =for comment ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 psk srp @@ -87,7 +87,7 @@ =item B<-convert> I<name> -Convert a standard cipher B<name> to its OpenSSL name. +Convert a standard cipher I<name> to its OpenSSL name. =item B<-ciphersuites> I<val> @@ -147,8 +147,8 @@ The cipher string B<@STRENGTH> can be used at any point to sort the current cipher list in order of encryption algorithm key length. -The cipher string B<@SECLEVEL=n> can be used at any point to set the security -level to B<n>, which should be a number between zero and five, inclusive. +The cipher string B<@SECLEVEL>=I<n> can be used at any point to set the security +level to I<n>, which should be a number between zero and five, inclusive. See L<SSL_CTX_set_security_level> for a description of what each level means. The cipher list can be prefixed with the B<DEFAULT> keyword, which enables
diff --git a/doc/man1/openssl-cmds.pod b/doc/man1/openssl-cmds.pod index cab89f1..5c4f06e 100644 --- a/doc/man1/openssl-cmds.pod +++ b/doc/man1/openssl-cmds.pod
@@ -57,13 +57,13 @@ =for comment generic -B<openssl> B<cmd> [B<-help>] [B<...>] +B<openssl> I<cmd> B<-help> | [I<-option> | I<-option> I<arg>] ... [I<arg>] ... =head1 DESCRIPTION -Every B<cmd> listed above is a (sub-)command of the L<openssl(1)> application. -It has its own detailed manual page at B<openssl-cmd(1)>. For example, to view -the manual page for the B<openssl dgst> command, type B<man openssl-dgst>. +Every I<cmd> listed above is a (sub-)command of the L<openssl(1)> application. +It has its own detailed manual page at B<openssl-I<cmd>>(1). For example, to +view the manual page for the B<openssl dgst> command, type C<man openssl-dgst>. =head1 OPTIONS @@ -132,8 +132,8 @@ =head1 HISTORY -Initially, the manual page entry for the B<openssl cmd> command used -to be available at B<cmd(1)>. Later, the alias B<openssl-cmd(1)> was +Initially, the manual page entry for the C<openssl I<cmd>> command used +to be available at I<cmd>(1). Later, the alias B<openssl-I<cmd>>(1) was introduced, which made it easier to group the openssl commands using the L<apropos(1)> command or the shell's tab completion.
diff --git a/doc/man1/openssl-cms.pod b/doc/man1/openssl-cms.pod index 1de618d..24cf797 100644 --- a/doc/man1/openssl-cms.pod +++ b/doc/man1/openssl-cms.pod
@@ -385,7 +385,7 @@ =item B<-certsout> I<file> -Any certificates contained in the message are written to B<file>. +Any certificates contained in the message are written to I<file>. =item B<-signer> I<file> @@ -446,14 +446,14 @@ The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type. This option B<must> be present if the B<-secretkey> option is used with -B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the +B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the relevant key if it is not supplied then an attempt is used to decrypt any B<KEKRecipientInfo> structures. =item B<-econtent_type> I<type> -Set the encapsulated content type to B<type> if not supplied the B<Data> type -is used. The B<type> argument can be any valid OID name in either text or +Set the encapsulated content type to I<type> if not supplied the B<Data> type +is used. The I<type> argument can be any valid OID name in either text or numerical format. =item B<-inkey> I<file> @@ -766,7 +766,7 @@ The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0. -The B<keyopt> option was added in OpenSSL 1.0.2. +The B<-keyopt> option was added in OpenSSL 1.0.2. Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
diff --git a/doc/man1/openssl-crl.pod b/doc/man1/openssl-crl.pod index 7a715fd..acf3465 100644 --- a/doc/man1/openssl-crl.pod +++ b/doc/man1/openssl-crl.pod
@@ -95,12 +95,12 @@ =item B<-CAfile> I<file> Verify the signature on a CRL by looking up the issuing certificate in -B<file>. +I<file>. =item B<-CApath> I<dir> Verify the signature on a CRL by looking up the issuing certificate in -B<dir>. This directory must be a standard certificate directory: that +I<dir>. This directory must be a standard certificate directory: that is a hash of each subject name (using B<x509 -hash>) should be linked to each certificate.
diff --git a/doc/man1/openssl-dgst.pod b/doc/man1/openssl-dgst.pod index ebafece..436b2fd 100644 --- a/doc/man1/openssl-dgst.pod +++ b/doc/man1/openssl-dgst.pod
@@ -39,7 +39,7 @@ The generic name, B<dgst>, may be used with an option specifying the algorithm to be used. -The default digest is I<sha256>. +The default digest is B<sha256>. A supported I<digest> name may also be used as the command name. To see the list of supported algorithms, use the I<list --digest-commands> command. @@ -60,7 +60,7 @@ =item B<-c> Print out the digest in two digit groups separated by colons, only relevant if -B<hex> format output is used. +the B<-hex> option is given as well. =item B<-d> @@ -103,7 +103,7 @@ =item B<-passin> I<arg> -The private key password source. For more information about the format of B<arg> +The private key password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-verify> I<filename> @@ -144,13 +144,13 @@ =over 4 -=item B<key:string> +=item B<key>:I<string> Specifies MAC key as alphanumeric string (use if key contain printable characters only). String length must conform to any restrictions of the MAC algorithm for example exactly 32 chars for gost-mac. -=item B<hexkey:string> +=item B<hexkey>:I<string> Specifies MAC key in hexadecimal form (two hex digits per byte). Key length must conform to any restrictions of the MAC algorithm @@ -179,7 +179,7 @@ =item B<-engine> I<id> -Use engine B<id> for operations (including private key storage). +Use engine I<id> for operations (including private key storage). This engine is not used as source for digest algorithms, unless it is also specified in the configuration file or B<-engine_impl> is also specified. @@ -187,7 +187,7 @@ =item B<-engine_impl> When used with the B<-engine> option, it specifies to also use -engine B<id> for digest operations. +engine I<id> for digest operations. =item I<file> ...
diff --git a/doc/man1/openssl-dhparam.pod b/doc/man1/openssl-dhparam.pod index 79fda3d..0abd0d9 100644 --- a/doc/man1/openssl-dhparam.pod +++ b/doc/man1/openssl-dhparam.pod
@@ -83,7 +83,7 @@ The generator to use, either 2, 3 or 5. If present then the input file is ignored and parameters are generated instead. If not -present but B<numbits> is present, parameters are generated with the +present but I<numbits> is present, parameters are generated with the default generator 2. =item B<-rand> I<files> @@ -122,7 +122,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<dhparam> +Specifying an engine (by its unique I<id> string) will cause B<dhparam> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-dsa.pod b/doc/man1/openssl-dsa.pod index 9c34dde..6f7ccb6 100644 --- a/doc/man1/openssl-dsa.pod +++ b/doc/man1/openssl-dsa.pod
@@ -75,7 +75,7 @@ =item B<-passin> I<arg> -The input file password source. For more information about the format of B<arg> +The input file password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-out> I<filename> @@ -87,7 +87,7 @@ =item B<-passout> I<arg> -The output file password source. For more information about the format of B<arg> +The output file password source. For more information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> @@ -125,7 +125,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<dsa> +Specifying an engine (by its unique I<id> string) will cause B<dsa> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-dsaparam.pod b/doc/man1/openssl-dsaparam.pod index 133c206..5ae64ae 100644 --- a/doc/man1/openssl-dsaparam.pod +++ b/doc/man1/openssl-dsaparam.pod
@@ -49,7 +49,7 @@ =item B<-in> I<filename> This specifies the input filename to read parameters from or standard input if -this option is not specified. If the B<numbits> parameter is included then +this option is not specified. If the I<numbits> parameter is included then this option will be ignored. =item B<-out> I<filename> @@ -90,7 +90,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<dsaparam> +Specifying an engine (by its unique I<id> string) will cause B<dsaparam> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -99,10 +99,10 @@ Print extra details about the operations being performed. -=item B<numbits> +=item I<numbits> This option specifies that a parameter set should be generated of size -B<numbits>. It must be the last option. If this option is included then +I<numbits>. It must be the last option. If this option is included then the input file (if any) is ignored. =back
diff --git a/doc/man1/openssl-ec.pod b/doc/man1/openssl-ec.pod index b43af6d..dfc01bc 100644 --- a/doc/man1/openssl-ec.pod +++ b/doc/man1/openssl-ec.pod
@@ -68,7 +68,7 @@ =item B<-passin> I<arg> -The input file password source. For more information about the format of B<arg> +The input file password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-out> I<filename> @@ -80,7 +80,7 @@ =item B<-passout> I<arg> -The output file password source. For more information about the format of B<arg> +The output file password source. For more information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-des>|B<-des3>|B<-idea> @@ -113,7 +113,7 @@ key will be output instead. This option is automatically set if the input is a public key. -=item B<-conv_form> +=item B<-conv_form> I<arg> This specifies how the points on the elliptic curve are converted into octet strings. Possible values are: B<compressed> (the default @@ -143,7 +143,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<ec> +Specifying an engine (by its unique I<id> string) will cause B<ec> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-ecparam.pod b/doc/man1/openssl-ecparam.pod index e8de181..46a93ca 100644 --- a/doc/man1/openssl-ecparam.pod +++ b/doc/man1/openssl-ecparam.pod
@@ -96,7 +96,7 @@ If this options is specified B<ecparam> will print out a list of all currently implemented EC parameters names and exit. -=item B<-conv_form> +=item B<-conv_form> I<arg> This specifies how the points on the elliptic curve are converted into octet strings. Possible values are: B<compressed>, B<uncompressed> (the @@ -139,7 +139,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<ecparam> +Specifying an engine (by its unique I<id> string) will cause B<ecparam> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-enc.pod b/doc/man1/openssl-enc.pod index 9c4954f..8c6f279 100644 --- a/doc/man1/openssl-enc.pod +++ b/doc/man1/openssl-enc.pod
@@ -72,7 +72,7 @@ =item B<-pass> I<arg> -The password source. For more information about the format of B<arg> +The password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-e> @@ -104,7 +104,7 @@ =item B<-kfile> I<filename> -Read the password to derive the key from the first line of B<filename>. +Read the password to derive the key from the first line of I<filename>. This is for compatibility with previous versions of OpenSSL. Superseded by the B<-pass> argument. @@ -202,7 +202,7 @@ =head1 NOTES The program can be called either as B<openssl cipher> or -B<openssl enc -cipher>. The first form doesn't work with +B<openssl enc -I<cipher>>. The first form doesn't work with engine-provided ciphers, because this form is processed before the configuration file is read and any ENGINEs loaded. Use the B<list> command to get a list of supported ciphers. @@ -251,7 +251,7 @@ Note that some of these ciphers can be disabled at compile time and some are available only if an appropriate engine is configured in the configuration file. The output of the B<enc> command run with -the B<-ciphers> option (that is B<openssl enc -ciphers>) produces a +the B<-I<ciphers>> option (that is B<openssl enc -I<ciphers>>) produces a list of ciphers, supported by your version of OpenSSL, including ones provided by configured engines.
diff --git a/doc/man1/openssl-engine.pod b/doc/man1/openssl-engine.pod index 5838333..f04baf7 100644 --- a/doc/man1/openssl-engine.pod +++ b/doc/man1/openssl-engine.pod
@@ -15,14 +15,14 @@ [B<-c>] [B<-t>] [B<-tt>] -[B<-pre> I<command>] -[B<-post> I<command>] +[B<-pre> I<command>] ... +[B<-post> I<command>] ... [I<engine> ...] =head1 DESCRIPTION The B<engine> command is used to query the status and capabilities -of the specified B<engine>'s. +of the specified I<engine>'s. Engines may be specified before and after all other command-line flags. Only those specified are queried. @@ -56,10 +56,13 @@ Command-line configuration of engines. The B<-pre> command is given to the engine before it is loaded and the B<-post> command is given after the engine is loaded. -The I<command> is of the form I<cmd:val> where I<cmd> is the command, +The I<command> is of the form I<cmd>:I<val> where I<cmd> is the command, and I<val> is the value for the command. See the example below. +These two options are cumulative, so they may be given more than once in the +same command. + =back =head1 EXAMPLES
diff --git a/doc/man1/openssl-errstr.pod b/doc/man1/openssl-errstr.pod index c910f84..97ac1eb 100644 --- a/doc/man1/openssl-errstr.pod +++ b/doc/man1/openssl-errstr.pod
@@ -6,7 +6,7 @@ =head1 SYNOPSIS -B<openssl errstr error_code> +B<openssl errstr> I<error_code> =head1 DESCRIPTION
diff --git a/doc/man1/openssl-fipsinstall.pod b/doc/man1/openssl-fipsinstall.pod index daa6d60..c6e2cde 100644 --- a/doc/man1/openssl-fipsinstall.pod +++ b/doc/man1/openssl-fipsinstall.pod
@@ -83,20 +83,20 @@ =over 4 -=item B<key:string> +=item B<key>:I<string> Specifies the MAC key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. -=item B<hexkey:string> +=item B<hexkey>:I<string> Specifies the MAC key in hexadecimal form (two hex digits per byte). The key length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. -=item B<digest:string> +=item B<digest>:I<string> Used by HMAC as an alphanumeric string (use if the key contains printable characters only).
diff --git a/doc/man1/openssl-gendsa.pod b/doc/man1/openssl-gendsa.pod index 445c176..80367d9 100644 --- a/doc/man1/openssl-gendsa.pod +++ b/doc/man1/openssl-gendsa.pod
@@ -25,7 +25,7 @@ [B<-writerand> I<file>] [B<-engine> I<id>] [B<-verbose>] -[B<paramfile>] +[I<paramfile>] =for comment ifdef engine @@ -67,7 +67,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<gendsa> +Specifying an engine (by its unique I<id> string) will cause B<gendsa> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -76,11 +76,11 @@ Print extra details about the operations being performed. -=item B<paramfile> +=item I<paramfile> -This option specifies the DSA parameter file to use. The parameters in this -file determine the size of the private key. DSA parameters can be generated -and examined using the B<openssl dsaparam> command. +The DSA parameter file to use. The parameters in this file determine +the size of the private key. DSA parameters can be generated and +examined using the B<openssl dsaparam> command. =back
diff --git a/doc/man1/openssl-genpkey.pod b/doc/man1/openssl-genpkey.pod index 085f7cb..0e58674 100644 --- a/doc/man1/openssl-genpkey.pod +++ b/doc/man1/openssl-genpkey.pod
@@ -15,7 +15,7 @@ [B<-engine> I<id>] [B<-paramfile> I<file>] [B<-algorithm> I<alg>] -[B<-pkeyopt> I<opt:value>] +[B<-pkeyopt> I<opt>:I<value>] [B<-genparam>] [B<-text>] @@ -44,7 +44,7 @@ =item B<-pass> I<arg> -The output file password source. For more information about the format of B<arg> +The output file password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-I<cipher>> @@ -54,7 +54,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<genpkey> +Specifying an engine (by its unique I<id> string) will cause B<genpkey> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. If used this option should precede all other @@ -79,9 +79,9 @@ or X9.42 DH parameters are required. See L<DH Parameter Generation Options> below for more details. -=item B<-pkeyopt> I<opt:value> +=item B<-pkeyopt> I<opt>:I<value> -Set the public key algorithm option B<opt> to B<value>. The precise set of +Set the public key algorithm option I<opt> to I<value>. The precise set of options supported depends on the public key algorithm used and its implementation. See L<KEY GENERATION OPTIONS> and L<PARAMETER GENERATION OPTIONS> below for more details. @@ -138,22 +138,23 @@ =over 4 -=item B<rsa_keygen_bits:numbits>, B<rsa_keygen_primes:numprimes>, B<rsa_keygen_pubexp:value> +=item B<rsa_keygen_bits>:I<numbits>, B<rsa_keygen_primes>:I<numprimes>, +B<rsa_keygen_pubexp>:I<value> These options have the same meaning as the B<RSA> algorithm. -=item B<rsa_pss_keygen_md:digest> +=item B<rsa_pss_keygen_md>:I<digest> -If set the key is restricted and can only use B<digest> for signing. +If set the key is restricted and can only use I<digest> for signing. -=item B<rsa_pss_keygen_mgf1_md:digest> +=item B<rsa_pss_keygen_mgf1_md>:I<digest> -If set the key is restricted and can only use B<digest> as it's MGF1 +If set the key is restricted and can only use I<digest> as it's MGF1 parameter. -=item B<rsa_pss_keygen_saltlen:len> +=item B<rsa_pss_keygen_saltlen>:I<len> -If set the key is restricted and B<len> specifies the minimum salt length. +If set the key is restricted and I<len> specifies the minimum salt length. =back @@ -163,14 +164,14 @@ =over 4 -=item B<ec_paramgen_curve:curve> +=item B<ec_paramgen_curve>:I<curve> The EC curve to use. OpenSSL supports NIST curve names such as "P-256". -=item B<ec_param_enc:encoding> +=item B<ec_param_enc>:I<encoding> -The encoding to use for parameters. The "encoding" parameter must be either -"named_curve" or "explicit". The default value is "named_curve". +The encoding to use for parameters. The I<encoding> parameter must be either +B<named_curve> or B<explicit>. The default value is B<named_curve>. =back @@ -184,16 +185,16 @@ =over 4 -=item B<dsa_paramgen_bits:numbits> +=item B<dsa_paramgen_bits>:I<numbits> The number of bits in the generated prime. If not specified 2048 is used. -=item B<dsa_paramgen_q_bits:numbits> +=item B<dsa_paramgen_q_bits>:I<numbits> The number of bits in the q parameter. Must be one of 160, 224 or 256. If not specified 224 is used. -=item B<dsa_paramgen_md:digest> +=item B<dsa_paramgen_md>:I<digest> The digest to use during parameter generation. Must be one of B<sha1>, B<sha224> or B<sha256>. If set, then the number of bits in B<q> will match the output size @@ -208,30 +209,30 @@ =over 4 -=item B<dh_paramgen_prime_len:numbits> +=item B<dh_paramgen_prime_len>:I<numbits> -The number of bits in the prime parameter B<p>. The default is 2048. +The number of bits in the prime parameter I<p>. The default is 2048. -=item B<dh_paramgen_subprime_len:numbits> +=item B<dh_paramgen_subprime_len>:I<numbits> -The number of bits in the sub prime parameter B<q>. The default is 256 if the +The number of bits in the sub prime parameter I<q>. The default is 256 if the prime is at least 2048 bits long or 160 otherwise. Only relevant if used in conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters. -=item B<dh_paramgen_generator:value> +=item B<dh_paramgen_generator>:I<value> -The value to use for the generator B<g>. The default is 2. +The value to use for the generator I<g>. The default is 2. -=item B<dh_paramgen_type:value> +=item B<dh_paramgen_type>:I<value> The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH. The default is 0. -=item B<dh_rfc5114:num> +=item B<dh_rfc5114>:I<num> If this option is set, then the appropriate RFC5114 parameters are used -instead of generating new parameters. The value B<num> can take the -values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of +instead of generating new parameters. The value I<num> can be one of +1, 2 or 3 corresponding to RFC5114 DH parameters consisting of 1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections 2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter
diff --git a/doc/man1/openssl-genrsa.pod b/doc/man1/openssl-genrsa.pod index 829b4a4..575990d 100644 --- a/doc/man1/openssl-genrsa.pod +++ b/doc/man1/openssl-genrsa.pod
@@ -22,8 +22,7 @@ [B<-des>] [B<-des3>] [B<-idea>] -[B<-f4>] -[B<-3>] +[B<-f4>|B<-3>] [B<-rand> I<files>] [B<-writerand> I<file>] [B<-engine> I<id>] @@ -80,16 +79,16 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<genrsa> +Specifying an engine (by its unique I<id> string) will cause B<genrsa> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. =item B<-primes> I<num> -Specify the number of primes to use while generating the RSA key. The B<num> +Specify the number of primes to use while generating the RSA key. The I<num> parameter must be a positive integer that is greater than 1 and less than 16. -If B<num> is greater than 2, then the generated key is called a 'multi-prime' +If I<num> is greater than 2, then the generated key is called a 'multi-prime' RSA key, which is defined in RFC 8017. =item B<-verbose>
diff --git a/doc/man1/openssl-mac.pod b/doc/man1/openssl-mac.pod index f43ca78..e7df184 100644 --- a/doc/man1/openssl-mac.pod +++ b/doc/man1/openssl-mac.pod
@@ -12,7 +12,7 @@ [B<-in> I<filename>] [B<-out> I<filename>] [B<-binary>] -B<mac_name> +I<mac_name> =head1 DESCRIPTION @@ -51,55 +51,55 @@ =over 4 -=item B<key:string> +=item B<key:>I<string> Specifies the MAC key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. -=item B<hexkey:string> +=item B<hexkey:>I<string> Specifies the MAC key in hexadecimal form (two hex digits per byte). The key length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. -=item B<digest:string> +=item B<digest:>I<string> Used by HMAC as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. To see the list of supported digests, use the command I<list -digest-commands>. -=item B<cipher:string> +=item B<cipher:>I<string> Used by CMAC and GMAC to specify the cipher algorithm. For CMAC it must be one of AES-128-CBC, AES-192-CBC, AES-256-CBC or DES-EDE3-CBC. For GMAC it should be a GCM mode cipher e.g. AES-128-GCM. -=item B<iv:string> +=item B<iv:>I<string> Used by GMAC to specify an IV as an alphanumeric string (use if the IV contains printable characters only). -=item B<hexiv:string> +=item B<hexiv:>I<string> Used by GMAC to specify an IV in hexadecimal form (two hex digits per byte). -=item B<outlen:int> +=item B<outlen:>I<int> Used by KMAC128 or KMAC256 to specify an output length. The default sizes are 32 or 64 bytes respectively. -=item B<custom:string> +=item B<custom:>I<string> Used by KMAC128 or KMAC256 to specify a customization string. The default is the empty string "". =back -=item B<mac_name> +=item I<mac_name> Specifies the name of a supported MAC algorithm which will be used. To see the list of supported MAC's use the command I<list -mac-algorithms>.
diff --git a/doc/man1/openssl-ocsp.pod b/doc/man1/openssl-ocsp.pod index b53404d..23b5968 100644 --- a/doc/man1/openssl-ocsp.pod +++ b/doc/man1/openssl-ocsp.pod
@@ -26,7 +26,7 @@ [B<-nonce>] [B<-no_nonce>] [B<-url> I<URL>] -[B<-host> I<host:port>] +[B<-host> I<host>:I<port>] [B<-multi> I<process-count>] [B<-header>] [B<-path>] @@ -121,27 +121,27 @@ =item B<-issuer> I<filename> This specifies the current issuer certificate. This option can be used -multiple times. The certificate specified in B<filename> must be in +multiple times. The certificate specified in I<filename> must be in PEM format. This option B<MUST> come before any B<-cert> options. =item B<-cert> I<filename> -Add the certificate B<filename> to the request. The issuer certificate -is taken from the previous B<issuer> option, or an error occurs if no +Add the certificate I<filename> to the request. The issuer certificate +is taken from the previous B<-issuer> option, or an error occurs if no issuer certificate is specified. =item B<-serial> I<num> -Same as the B<cert> option except the certificate with serial number +Same as the B<-cert> option except the certificate with serial number B<num> is added to the request. The serial number is interpreted as a decimal integer unless preceded by B<0x>. Negative integers can also be specified by preceding the value by a B<-> sign. =item B<-signer> I<filename>, B<-signkey> I<filename> -Sign the OCSP request using the certificate specified in the B<signer> -option and the private key specified by the B<signkey> option. If -the B<signkey> option is not present then the private key is read +Sign the OCSP request using the certificate specified in the B<-signer> +option and the private key specified by the B<-signkey> option. If +the B<-signkey> option is not present then the private key is read from the same file as the certificate. If neither option is specified then the OCSP request is not signed. @@ -152,10 +152,10 @@ =item B<-nonce>, B<-no_nonce> Add an OCSP nonce extension to a request or disable OCSP nonce addition. -Normally if an OCSP request is input using the B<reqin> option no -nonce is added: using the B<nonce> option will force addition of a nonce. -If an OCSP request is being created (using B<cert> and B<serial> options) -a nonce is automatically added specifying B<no_nonce> overrides this. +Normally if an OCSP request is input using the B<-reqin> option no +nonce is added: using the B<-nonce> option will force addition of a nonce. +If an OCSP request is being created (using B<-cert> and B<-serial> options) +a nonce is automatically added specifying B<-no_nonce> overrides this. =item B<-req_text>, B<-resp_text>, B<-text> @@ -163,28 +163,28 @@ =item B<-reqout> I<file>, B<-respout> I<file> -Write out the DER encoded certificate request or response to B<file>. +Write out the DER encoded certificate request or response to I<file>. =item B<-reqin> I<file>, B<-respin> I<file> -Read OCSP request or response file from B<file>. These option are ignored +Read OCSP request or response file from I<file>. These option are ignored if OCSP request or response creation is implied by other options (for example -with B<serial>, B<cert> and B<host> options). +with B<-serial>, B<-cert> and B<-host> options). =item B<-url> I<responder_url> Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified. -=item B<-host> I<hostname:port>, B<-path> I<pathname> +=item B<-host> I<hostname>:I<port>, B<-path> I<pathname> -If the B<host> option is present then the OCSP request is sent to the host -B<hostname> on port B<port>. B<path> specifies the HTTP pathname to use -or "/" by default. This is equivalent to specifying B<-url> with scheme +If the B<-host> option is present then the OCSP request is sent to the host +I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname +to use or "/" by default. This is equivalent to specifying B<-url> with scheme http:// and the given hostname, port, and pathname. -=item B<-header> I<name=value> +=item B<-header> I<name>=I<value> -Adds the header B<name> with the specified B<value> to the OCSP request +Adds the header I<name> with the specified I<value> to the OCSP request that is sent to the responder. This may be repeated. @@ -303,7 +303,7 @@ If the B<notAfter> time is omitted from a response then this means that new status information is immediately available. In this case the age of the -B<notBefore> field is checked to see it is not older than B<age> seconds old. +B<notBefore> field is checked to see it is not older than I<age> seconds old. By default this additional check is not performed. =item B<-rcid> I<digest> @@ -327,21 +327,22 @@ =item B<-index> I<indexfile> -The B<indexfile> parameter is the name of a text index file in B<ca> +The I<indexfile> parameter is the name of a text index file in B<ca> format containing certificate revocation information. -If the B<index> option is specified the B<ocsp> utility is in responder +If the B<-index> option is specified the B<ocsp> utility is in responder mode, otherwise it is in client mode. The request(s) the responder -processes can be either specified on the command line (using B<issuer> -and B<serial> options), supplied in a file (using the B<reqin> option) -or via external OCSP clients (if B<port> or B<url> is specified). +processes can be either specified on the command line (using B<-issuer> +and B<-serial> options), supplied in a file (using the B<-reqin> option) +or via external OCSP clients (if B<-port> or B<-url> is specified). -If the B<index> option is present then the B<CA> and B<rsigner> options +If the B<-index> option is present then the B<-CA> and B<-rsigner> options must also be present. =item B<-CA> I<file> -CA certificate corresponding to the revocation information in B<indexfile>. +CA certificate corresponding to the revocation information in the index +file given with B<-index>. =item B<-rsigner> I<file> @@ -363,7 +364,7 @@ =item B<-rkey> I<file> The private key to sign OCSP responses with: if not present the file -specified in the B<rsigner> option is used. +specified in the B<-rsigner> option is used. =item B<-rsigopt> I<nm>:I<v> @@ -383,7 +384,7 @@ =item B<-nrequest> I<number> -The OCSP server will exit after receiving B<number> requests, default unlimited. +The OCSP server will exit after receiving I<number> requests, default unlimited. =item B<-nmin> I<minutes>, B<-ndays> I<days> @@ -403,8 +404,8 @@ Then a normal certificate verify is performed on the OCSP responder certificate building up a certificate chain in the process. The locations of the trusted -certificates used to build the chain can be specified by the B<CAfile> -and B<CApath> options or they will be looked for in the standard OpenSSL +certificates used to build the chain can be specified by the B<-CAfile> +and B<-CApath> options or they will be looked for in the standard OpenSSL certificates directory. If the initial verify fails then the OCSP verify process halts with an @@ -452,7 +453,7 @@ data. It is possible to run the B<ocsp> application in responder mode via a CGI -script using the B<reqin> and B<respout> options. +script using the B<-reqin> and B<-respout> options. =head1 EXAMPLES
diff --git a/doc/man1/openssl-passwd.pod b/doc/man1/openssl-passwd.pod index a312030..43a1ba9 100644 --- a/doc/man1/openssl-passwd.pod +++ b/doc/man1/openssl-passwd.pod
@@ -32,8 +32,9 @@ run-time or the hash of each password in a list. The password list is taken from the named file for option B<-in>, from stdin for option B<-stdin>, or from the command line, or from the terminal otherwise. -The Unix standard algorithm B<crypt> and the MD5-based BSD password -algorithm B<1>, its Apache variant B<apr1>, and its AIX variant are available. +The Unix standard algorithm B<-crypt> and the MD5-based BSD password +algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are +available. =head1 OPTIONS
diff --git a/doc/man1/openssl-pkcs12.pod b/doc/man1/openssl-pkcs12.pod index 72f601a..c64c324 100644 --- a/doc/man1/openssl-pkcs12.pod +++ b/doc/man1/openssl-pkcs12.pod
@@ -79,13 +79,13 @@ =item B<-passin> I<arg> The PKCS#12 file (i.e. input file) password source. For more information about -the format of B<arg> +the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-passout> I<arg> Pass phrase source to encrypt any outputted private keys with. For more -information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section +information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-password> I<arg> @@ -207,13 +207,13 @@ =item B<-pass> I<arg>, B<-passout> I<arg> The PKCS#12 file (i.e. output file) password source. For more information about -the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in +the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-passin> I<password> Pass phrase source to decrypt any input private keys with. For more information -about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in +about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-chain> @@ -312,7 +312,7 @@ =item B<-CSP> I<name> -Write B<name> as a Microsoft CSP name. +Write I<name> as a Microsoft CSP name. =back
diff --git a/doc/man1/openssl-pkcs8.pod b/doc/man1/openssl-pkcs8.pod index 1dcda10..fe8ff8e 100644 --- a/doc/man1/openssl-pkcs8.pod +++ b/doc/man1/openssl-pkcs8.pod
@@ -75,7 +75,7 @@ =item B<-passin> I<arg> -The input file password source. For more information about the format of B<arg> +The input file password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-out> I<filename> @@ -87,7 +87,7 @@ =item B<-passout> I<arg> -The output file password source. For more information about the format of B<arg> +The output file password source. For more information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-iter> I<count> @@ -121,7 +121,7 @@ This option sets the PKCS#5 v2.0 algorithm. -The B<alg> argument is the encryption algorithm to use, valid values include +The I<alg> argument is the encryption algorithm to use, valid values include B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256> is used. @@ -142,7 +142,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<pkcs8> +Specifying an engine (by its unique I<id> string) will cause B<pkcs8> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -156,7 +156,7 @@ =item B<-scrypt_N> I<N>, B<-scrypt_r> I<r>, B<-scrypt_p> I<p> -Sets the scrypt B<N>, B<r> or B<p> parameters. +Sets the scrypt I<N>, I<r> or I<p> parameters. =back
diff --git a/doc/man1/openssl-pkey.pod b/doc/man1/openssl-pkey.pod index ea64ecf..8aa39d7 100644 --- a/doc/man1/openssl-pkey.pod +++ b/doc/man1/openssl-pkey.pod
@@ -57,7 +57,7 @@ =item B<-passin> I<arg> -The input file password source. For more information about the format of B<arg> +The input file password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-out> I<filename> @@ -67,9 +67,9 @@ will be prompted for. The output filename should B<not> be the same as the input filename. -=item B<-passout> I<password> +=item B<-passout> I<arg> -The output file password source. For more information about the format of B<arg> +The output file password source. For more information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-traditional> @@ -109,7 +109,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<pkey> +Specifying an engine (by its unique I<id> string) will cause B<pkey> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-pkeyparam.pod b/doc/man1/openssl-pkeyparam.pod index 34ae7c9..7ebd803 100644 --- a/doc/man1/openssl-pkeyparam.pod +++ b/doc/man1/openssl-pkeyparam.pod
@@ -50,7 +50,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<pkeyparam> +Specifying an engine (by its unique I<id> string) will cause B<pkeyparam> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-pkeyutl.pod b/doc/man1/openssl-pkeyutl.pod index 3532fa6..cbda869 100644 --- a/doc/man1/openssl-pkeyutl.pod +++ b/doc/man1/openssl-pkeyutl.pod
@@ -29,8 +29,8 @@ [B<-derive>] [B<-kdf> I<algorithm>] [B<-kdflen> I<length>] -[B<-pkeyopt> I<opt:value>] -[B<-pkeyopt_passin> I<opt:passarg>] +[B<-pkeyopt> I<opt>:I<value>] +[B<-pkeyopt_passin> I<opt>[:I<passarg>]] [B<-hexdump>] [B<-asn1parse>] [B<-rand> I<files>] @@ -82,7 +82,7 @@ =item B<-sigfile> I<file> -Signature file, required for B<verify> operations only +Signature file, required for B<-verify> operations only =item B<-inkey> I<file> @@ -94,7 +94,7 @@ =item B<-passin> I<arg> -The input key password source. For more information about the format of B<arg> +The input key password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-peerkey> I<file> @@ -103,7 +103,7 @@ =item B<-peerform> B<DER>|B<PEM>|B<ENGINE> -The peer key format PEM, DER or ENGINE. Default is PEM. +The peer key format B<PEM>, B<DER> or B<ENGINE>. Default is B<PEM>. =item B<-pubin> @@ -146,7 +146,7 @@ =item B<-kdf> I<algorithm> -Use key derivation function B<algorithm>. The supported algorithms are +Use key derivation function I<algorithm>. The supported algorithms are at present B<TLS1-PRF> and B<HKDF>. Note: additional parameters and the KDF output length will normally have to be set for this to work. @@ -157,16 +157,16 @@ Set the output length for KDF. -=item B<-pkeyopt> I<opt:value> +=item B<-pkeyopt> I<opt>:I<value> Public key options specified as opt:value. See NOTES below for more details. -=item B<-pkeyopt_passin> I<opt:passarg> +=item B<-pkeyopt_passin> I<opt>[:I<passarg>] -Allows reading a public key option B<opt> from stdin or a password source. If -only opt is specified, the user will be prompted to enter the value on stdin. -Alternatively, passarg can be specified which can be any value supported by -B<PASS PHRASE ARGUMENTS> in L<openssl(1)>. +Allows reading a public key option I<opt> from stdin or a password source. +If only I<opt> is specified, the user will be prompted to enter a password on +stdin. Alternatively, I<passarg> can be specified which can be any value +supported by B<PASS PHRASE ARGUMENTS> in L<openssl(1)>. =item B<-hexdump> @@ -191,7 +191,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<pkeyutl> +Specifying an engine (by its unique I<id> string) will cause B<pkeyutl> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -199,7 +199,7 @@ =item B<-engine_impl> When used with the B<-engine> option, it specifies to also use -engine B<id> for crypto operations. +engine I<id> for crypto operations. =back @@ -208,9 +208,9 @@ The operations and options supported vary according to the key algorithm and its implementation. The OpenSSL operations and options are indicated below. -Unless otherwise mentioned all algorithms support the B<digest:alg> option +Unless otherwise mentioned all algorithms support the B<digest:>I<alg> option which specifies the digest in use for sign, verify and verifyrecover operations. -The value B<alg> should represent a digest name as used in the +The value I<alg> should represent a digest name as used in the EVP_get_digestbyname() function for example B<sha1>. This value is not used to hash the input data. It is used (by some algorithms) for sanity-checking the lengths of data passed in to the B<pkeyutl> and for creating the structures that @@ -237,9 +237,9 @@ =over 4 -=item B<rsa_padding_mode:mode> +=item B<rsa_padding_mode:>I<mode> -This sets the RSA padding mode. Acceptable values for B<mode> are B<pkcs1> for +This sets the RSA padding mode. Acceptable values for I<mode> are B<pkcs1> for PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep> for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS. @@ -257,15 +257,15 @@ For B<pss> mode only sign and verify are supported and the digest type must be specified. -=item B<rsa_pss_saltlen:len> +=item B<rsa_pss_saltlen:>I<len> For B<pss> mode only this option specifies the salt length. Three special -values are supported: "digest" sets the salt length to the digest length, -"max" sets the salt length to the maximum permissible value. When verifying -"auto" causes the salt length to be automatically determined based on the +values are supported: B<digest> sets the salt length to the digest length, +B<max> sets the salt length to the maximum permissible value. When verifying +B<auto> causes the salt length to be automatically determined based on the B<PSS> block structure. -=item B<rsa_mgf1_md:digest> +=item B<rsa_mgf1_md:>I<digest> For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not explicitly set in PSS mode then the signing digest is used. @@ -276,11 +276,12 @@ The RSA-PSS algorithm is a restricted version of the RSA algorithm which only supports the sign and verify operations with PSS padding. The following -additional B<pkeyopt> values are supported: +additional B<-pkeyopt> values are supported: =over 4 -=item B<rsa_padding_mode:mode>, B<rsa_pss_saltlen:len>, B<rsa_mgf1_md:digest> +=item B<rsa_padding_mode:>I<mode>, B<rsa_pss_saltlen:>I<len>, +B<rsa_mgf1_md:>I<digest> These have the same meaning as the B<RSA> algorithm with some additional restrictions. The padding mode can only be set to B<pss> which is the @@ -319,8 +320,8 @@ These algorithms only support signing and verifying. OpenSSL only implements the "pure" variants of these algorithms so raw data can be passed directly to them -without hashing them first. The option "-rawin" must be used with these -algorithms with no "-digest" specified. Additionally OpenSSL only supports +without hashing them first. The option B<-rawin> must be used with these +algorithms with no B<-digest> specified. Additionally OpenSSL only supports "oneshot" operation with these algorithms. This means that the entire file to be signed/verified must be read into memory before processing it. Signing or Verifying very large files should be avoided. Additionally the size of the file @@ -331,17 +332,17 @@ The SM2 algorithm supports sign, verify, encrypt and decrypt operations. For the sign and verify operations, SM2 requires an ID string to be passed in. The -following B<pkeyopt> value is supported: +following B<-pkeyopt> value is supported: =over 4 -=item B<sm2_id:string> +=item B<sm2_id:>I<string> This sets the ID string used in SM2 sign or verify operations. While verifying an SM2 signature, the ID string must be the same one used when signing the data. Otherwise the verification will fail. -=item B<sm2_hex_id:hex_string> +=item B<sm2_hex_id:>I<hex_string> This sets the ID string used in SM2 sign or verify operations. While verifying an SM2 signature, the ID string must be the same one used when signing the data.
diff --git a/doc/man1/openssl-prime.pod b/doc/man1/openssl-prime.pod index 3f5eb2e..61b7a8f 100644 --- a/doc/man1/openssl-prime.pod +++ b/doc/man1/openssl-prime.pod
@@ -41,16 +41,16 @@ =item B<-bits> I<num> -Generate a prime with B<num> bits. +Generate a prime with I<num> bits. =item B<-safe> When used with B<-generate>, generates a "safe" prime. If the number -generated is B<n>, then check that B<(n-1)/2> is also prime. +generated is I<n>, then check that C<(I<n>-1)/2> is also prime. =item B<-checks> I<num> -Perform the checks B<num> times to see that the generated number +Perform the checks I<num> times to see that the generated number is prime. The default is 20. =back
diff --git a/doc/man1/openssl-rehash.pod b/doc/man1/openssl-rehash.pod index 8ee45eb..9d09bfa 100644 --- a/doc/man1/openssl-rehash.pod +++ b/doc/man1/openssl-rehash.pod
@@ -45,17 +45,17 @@ In order for a directory to be processed, the user must have write permissions on that directory, otherwise an error will be generated. -The links created are of the form C<HHHHHHHH.D>, where each B<H> -is a hexadecimal character and B<D> is a single decimal digit. +The links created are of the form I<HHHHHHHH.D>, where each I<H> +is a hexadecimal character and I<D> is a single decimal digit. When processing a directory, B<rehash> will first remove all links that have a name in that syntax, even if they are being used for some other purpose. To skip the removal step, use the B<-n> flag. Hashes for CRL's look similar except the letter B<r> appears after -the period, like this: C<HHHHHHHH.rD>. +the period, like this: I<HHHHHHHH.>B<r>I<D>. Multiple objects may have the same hash; they will be indicated by -incrementing the B<D> value. Duplicates are found by comparing the +incrementing the I<D> value. Duplicates are found by comparing the full SHA-1 fingerprint. A warning will be displayed if a duplicate is found. @@ -75,7 +75,7 @@ $OPENSSL x509 -hash -fingerprint -noout -in FILENAME $OPENSSL crl -hash -fingerprint -noout -in FILENAME -where B<FILENAME> is the filename. It must output the hash of the +where I<FILENAME> is the filename. It must output the hash of the file on the first line, and the fingerprint on the second, optionally prefixed with some text and an equals sign.
diff --git a/doc/man1/openssl-req.pod b/doc/man1/openssl-req.pod index 30c339b..d380be7 100644 --- a/doc/man1/openssl-req.pod +++ b/doc/man1/openssl-req.pod
@@ -22,8 +22,7 @@ [B<-new>] [B<-rand> I<files>] [B<-writerand> I<file>] -[B<-newkey> I<rsa:bits>] -[B<-newkey> I<alg:file>] +[B<-newkey> I<arg>] [B<-nodes>] [B<-key> I<filename>] [B<-keyform> B<DER>|B<PEM>] @@ -103,7 +102,7 @@ =item B<-passout> I<arg> -The output file password source. For more information about the format of B<arg> +The output file password source. For more information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-text> @@ -157,32 +156,33 @@ =item B<-newkey> I<arg> This option creates a new certificate request and a new private -key. The argument takes one of several forms. B<rsa:nbits>, where -B<nbits> is the number of bits, generates an RSA key B<nbits> -in size. If B<nbits> is omitted, i.e. B<-newkey> I<rsa> specified, +key. The argument takes one of several forms. + +B<rsa:>I<nbits>, where +I<nbits> is the number of bits, generates an RSA key I<nbits> +in size. If I<nbits> is omitted, i.e. B<-newkey> I<rsa> specified, the default key size, specified in the configuration file is used. -All other algorithms support the B<-newkey> I<alg:file> form, where file may be -an algorithm parameter file, created by the B<genpkey -genparam> command -or and X.509 certificate for a key with appropriate algorithm. +All other algorithms support the B<-newkey> I<alg>:I<file> form, where file +may be an algorithm parameter file, created with B<genpkey -genparam> +or an X.509 certificate for a key with appropriate algorithm. -B<param:file> generates a key using the parameter file or certificate B<file>, -the algorithm is determined by the parameters. B<algname:file> use algorithm -B<algname> and parameter file B<file>: the two algorithms must match or an -error occurs. B<algname> just uses algorithm B<algname>, and parameters, -if necessary should be specified via B<-pkeyopt> parameter. +B<param:>I<file> generates a key using the parameter file or certificate +I<file>, the algorithm is determined by the parameters. I<algname>:I<file> +use algorithm I<algname> and parameter file I<file>: the two algorithms must +match or an error occurs. I<algname> just uses algorithm I<algname>, and +parameters, if necessary should be specified via B<-pkeyopt> parameter. -B<dsa:filename> generates a DSA key using the parameters -in the file B<filename>. B<ec:filename> generates EC key (usable both with -ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R -34.10-2001 key (requires B<ccgost> engine configured in the configuration +B<dsa:>I<filename> generates a DSA key using the parameters +in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with +ECDSA or ECDH algorithms), B<gost2001:>I<filename> generates GOST R +34.10-2001 key (requires B<gost> engine configured in the configuration file). If just B<gost2001> is specified a parameter set should be specified by B<-pkeyopt> I<paramset:X> +=item B<-pkeyopt> I<opt>:I<value> -=item B<-pkeyopt> I<opt:value> - -Set the public key algorithm option B<opt> to B<value>. The precise set of +Set the public key algorithm option I<opt> to I<value>. The precise set of options supported depends on the public key algorithm used and its implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page for more details. @@ -249,7 +249,7 @@ request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified -using the B<set_serial> option, a large random number will be used for +using the B<-set_serial> option, a large random number will be used for the serial number. If existing request is specified with the B<-in> option, it is converted @@ -258,7 +258,7 @@ =item B<-days> I<n> When the B<-x509> option is being used this specifies the number of -days to certify the certificate for, otherwise it is ignored. B<n> should +days to certify the certificate for, otherwise it is ignored. I<n> should be a positive integer. The default is 30 days. =item B<-set_serial> I<n> @@ -304,13 +304,13 @@ =item B<-nameopt> I<option> Option which determines how the subject or issuer names are displayed. The -B<option> argument can be a single option or multiple options separated by +I<option> argument can be a single option or multiple options separated by commas. Alternatively the B<-nameopt> switch may be used more than once to set multiple options. See the L<x509(1)> manual page for details. -=item B<-reqopt> +=item B<-reqopt> I<option> -Customise the output format used with B<-text>. The B<option> argument can be +Customise the output format used with B<-text>. The I<option> argument can be a single option or multiple options separated by commas. See discussion of the B<-certopt> parameter in the L<x509(1)> @@ -331,14 +331,14 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<req> +Specifying an engine (by its unique I<id> string) will cause B<req> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. =item B<-keygen_engine> I<id> -Specifies an engine (by its unique B<id> string) which would be used +Specifies an engine (by its unique I<id> string) which would be used for key generation operations. =item B<-sm2-id>
diff --git a/doc/man1/openssl-rsa.pod b/doc/man1/openssl-rsa.pod index 6b8fa44..52655fa 100644 --- a/doc/man1/openssl-rsa.pod +++ b/doc/man1/openssl-rsa.pod
@@ -75,7 +75,7 @@ =item B<-passin> I<arg> -The input file password source. For more information about the format of B<arg> +The input file password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-out> I<filename> @@ -85,9 +85,9 @@ will be prompted for. The output filename should B<not> be the same as the input filename. -=item B<-passout> I<password> +=item B<-passout> I<arg> -The output file password source. For more information about the format of B<arg> +The output file password source. For more information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> @@ -134,7 +134,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<rsa> +Specifying an engine (by its unique I<id> string) will cause B<rsa> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-s_client.pod b/doc/man1/openssl-s_client.pod index ddf3f48..5064118 100644 --- a/doc/man1/openssl-s_client.pod +++ b/doc/man1/openssl-s_client.pod
@@ -283,7 +283,7 @@ =item B<-pass> I<arg> -the private key password source. For more information about the format of B<arg> +the private key password source. For more information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. =item B<-verify> I<depth> @@ -302,7 +302,7 @@ =item B<-nameopt> I<option> Option which determines how the subject or issuer names are displayed. The -B<option> argument can be a single option or multiple options separated by +I<option> argument can be a single option or multiple options separated by commas. Alternatively the B<-nameopt> switch may be used more than once to set multiple options. See the L<x509(1)> manual page for details. @@ -360,7 +360,7 @@ =item B<-dane_tlsa_rrdata> I<rrdata> Use one or more times to specify the RRDATA fields of the DANE TLSA -RRset associated with the target service. The B<rrdata> value is +RRset associated with the target service. The I<rrdata> value is specied in "presentation form", that is four whitespace separated fields that specify the usage, selector, matching type and associated data, with the last of these encoded in hexadecimal. Optional @@ -481,19 +481,19 @@ =item B<-psk_identity> I<identity> -Use the PSK identity B<identity> when using a PSK cipher suite. +Use the PSK identity I<identity> when using a PSK cipher suite. The default value is "Client_identity" (without the quotes). =item B<-psk> I<key> -Use the PSK key B<key> when using a PSK cipher suite. The key is +Use the PSK key I<key> when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. This option must be provided in order to use a PSK cipher. =item B<-psk_session> I<file> -Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK. +Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK. Note that this will only work if TLSv1.3 is negotiated. =item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> @@ -622,7 +622,7 @@ =item B<-starttls> I<protocol> Send the protocol-specific message(s) to switch to TLS for communication. -B<protocol> is a keyword for the intended protocol. Currently, the only +I<protocol> is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", "irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap". @@ -659,16 +659,16 @@ =item B<-sess_out> I<filename> -Output SSL session to B<filename>. +Output SSL session to I<filename>. -=item B<-sess_in> I<sess.pem> +=item B<-sess_in> I<filename> -Load SSL session from B<filename>. The client will attempt to resume a +Load SSL session from I<filename>. The client will attempt to resume a connection from this session. =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<s_client> +Specifying an engine (by its unique I<id> string) will cause B<s_client> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -702,7 +702,7 @@ These flags enable the Enable the Application-Layer Protocol Negotiation or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the IETF standard and replaces NPN. -The B<protocols> list is a comma-separated list of protocol names that +The I<protocols> list is a comma-separated list of protocol names that the client should advertise support for. The list should contain the most desirable protocols first. Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3".
diff --git a/doc/man1/openssl-s_server.pod b/doc/man1/openssl-s_server.pod index 8c3e790..09eb501 100644 --- a/doc/man1/openssl-s_server.pod +++ b/doc/man1/openssl-s_server.pod
@@ -274,7 +274,7 @@ =item B<-nameopt> I<val> Option which determines how the subject or issuer names are displayed. The -B<val> argument can be a single option or multiple options separated by +I<val> argument can be a single option or multiple options separated by commas. Alternatively the B<-nameopt> switch may be used more than once to set multiple options. See the L<x509(1)> manual page for details. @@ -441,7 +441,7 @@ =item B<-id_prefix> I<val> -Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful +Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple servers, when each of which might be generating a unique range of session IDs (eg. with a certain prefix). @@ -475,7 +475,7 @@ =item B<-status_timeout> I<int> -Sets the timeout for OCSP response to B<int> seconds. +Sets the timeout for OCSP response to I<int> seconds. =item B<-status_url> I<val> @@ -652,24 +652,24 @@ =item B<-psk_identity> I<val> -Expect the client to send PSK identity B<val> when using a PSK +Expect the client to send PSK identity I<val> when using a PSK cipher suite, and warn if they do not. By default, the expected PSK identity is the string "Client_identity". =item B<-psk_hint> I<val> -Use the PSK identity hint B<val> when using a PSK cipher suite. +Use the PSK identity hint I<val> when using a PSK cipher suite. =item B<-psk> I<val> -Use the PSK key B<val> when using a PSK cipher suite. The key is +Use the PSK key I<val> when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. This option must be provided in order to use a PSK cipher. =item B<-psk_session> I<file> -Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK. +Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK. Note that this will only work if TLSv1.3 is negotiated. =item B<-listen> @@ -713,7 +713,7 @@ These flags enable the Enable the Application-Layer Protocol Negotiation or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the IETF standard and replaces NPN. -The B<val> list is a comma-separated list of supported protocol +The I<val> list is a comma-separated list of supported protocol names. The list should contain the most desirable protocols first. Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3". @@ -721,7 +721,7 @@ =item B<-engine> I<val> -Specifying an engine (by its unique id string in B<val>) will cause B<s_server> +Specifying an engine (by its unique id string in I<val>) will cause B<s_server> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-s_time.pod b/doc/man1/openssl-s_time.pod index fa3dd68..bc01903 100644 --- a/doc/man1/openssl-s_time.pod +++ b/doc/man1/openssl-s_time.pod
@@ -8,7 +8,7 @@ B<openssl> B<s_time> [B<-help>] -[B<-connect> I<host:port>] +[B<-connect> I<host>:I<port>] [B<-www> I<page>] [B<-cert> I<filename>] [B<-key> I<filename>] @@ -48,7 +48,7 @@ Print out a usage message. -=item B<-connect> I<host:port> +=item B<-connect> I<host>:I<port> This specifies the host and optional port to connect to. @@ -80,7 +80,7 @@ =item B<-nameopt> I<option> Option which determines how the subject or issuer names are displayed. The -B<option> argument can be a single option or multiple options separated by +I<option> argument can be a single option or multiple options separated by commas. Alternatively the B<-nameopt> switch may be used more than once to set multiple options. See the L<x509(1)> manual page for details. @@ -161,7 +161,7 @@ openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] -would typically be used (https uses port 443). 'commoncipher' is a cipher to +would typically be used (https uses port 443). I<commoncipher> is a cipher to which both client and server can agree, see the L<ciphers(1)> command for details.
diff --git a/doc/man1/openssl-sess_id.pod b/doc/man1/openssl-sess_id.pod index ffec191..259b9aa 100644 --- a/doc/man1/openssl-sess_id.pod +++ b/doc/man1/openssl-sess_id.pod
@@ -9,7 +9,7 @@ B<openssl> B<sess_id> [B<-help>] [B<-inform> B<DER>|B<PEM>] -[B<-outform> B<DER>|B<PEM>|B<MSS>] +[B<-outform> B<DER>|B<PEM>|B<NSS>] [B<-in> I<filename>] [B<-out> I<filename>] [B<-text>] @@ -41,9 +41,9 @@ =item B<-outform> B<DER>|B<PEM>|B<NSS> -This specifies the output format. The B<PEM> and B<DER> options have the same meaning -and default as the B<-inform> option. The B<NSS> option outputs the session id and -the master key in NSS keylog format. +This specifies the output format. The B<PEM> and B<DER> options have the same +meaning and default as the B<-inform> option. The B<NSS> option outputs the +session id and the master key in NSS keylog format. =item B<-in> I<filename>
diff --git a/doc/man1/openssl-smime.pod b/doc/man1/openssl-smime.pod index 5fbbcae..559b7aa 100644 --- a/doc/man1/openssl-smime.pod +++ b/doc/man1/openssl-smime.pod
@@ -295,7 +295,7 @@ =item B<-passin> I<arg> -The private key password source. For more information about the format of B<arg> +The private key password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-rand> I<files>
diff --git a/doc/man1/openssl-speed.pod b/doc/man1/openssl-speed.pod index cd64684..0165dd1 100644 --- a/doc/man1/openssl-speed.pod +++ b/doc/man1/openssl-speed.pod
@@ -28,7 +28,7 @@ This command is used to test the performance of cryptographic algorithms. To see the list of supported algorithms, use the I<list --digest-commands> or I<list --cipher-commands> command. The global CSPRNG is denoted by -the I<rand> algorithm name. +the B<rand> algorithm name. =head1 OPTIONS @@ -40,7 +40,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<speed> +Specifying an engine (by its unique I<id> string) will cause B<speed> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -54,8 +54,8 @@ =item B<-evp> I<algo> Use the specified cipher or message digest algorithm via the EVP interface. -If B<algo> is an AEAD cipher, then you can pass <-aead> to benchmark a -TLS-like sequence. And if B<algo> is a multi-buffer capable cipher, e.g. +If I<algo> is an AEAD cipher, then you can pass B<-aead> to benchmark a +TLS-like sequence. And if I<algo> is a multi-buffer capable cipher, e.g. aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation. =item B<-hmac> I<digest> @@ -84,16 +84,16 @@ =item B<-primes> I<num> -Generate a B<num>-prime RSA key and use it to run the benchmarks. This option +Generate a I<num>-prime RSA key and use it to run the benchmarks. This option is only effective if RSA algorithm is specified to test. =item B<-seconds> I<num> -Run benchmarks for B<num> seconds. +Run benchmarks for I<num> seconds. =item B<-bytes> I<num> -Run benchmarks on B<num>-byte buffers. Affects ciphers, digests and the CSPRNG. +Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG. =item I<algorithm> ...
diff --git a/doc/man1/openssl-spkac.pod b/doc/man1/openssl-spkac.pod index 03df087..e4ad670 100644 --- a/doc/man1/openssl-spkac.pod +++ b/doc/man1/openssl-spkac.pod
@@ -49,7 +49,7 @@ =item B<-key> I<keyfile> -Create an SPKAC file using the private key in B<keyfile>. The +Create an SPKAC file using the private key in I<keyfile>. The B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if present. @@ -58,9 +58,9 @@ Whether the key format is PEM, DER, or an engine-backed key. The default is PEM. -=item B<-passin> I<password> +=item B<-passin> I<arg> -The input file password source. For more information about the format of B<arg> +The input file password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-challenge> I<string> @@ -94,7 +94,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<spkac> +Specifying an engine (by its unique I<id> string) will cause B<spkac> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
diff --git a/doc/man1/openssl-srp.pod b/doc/man1/openssl-srp.pod index 0323940..926f96b 100644 --- a/doc/man1/openssl-srp.pod +++ b/doc/man1/openssl-srp.pod
@@ -32,7 +32,7 @@ can be specified. These options take zero or more usernames as parameters and perform the appropriate operation on the SRP file. -For B<-list>, if no B<user> is given then all users are displayed. +For B<-list>, if no I<user> is given then all users are displayed. The configuration file to use, and the section within the file, can be specified with the B<-config> and B<-name> flags, respectively. @@ -42,7 +42,7 @@ The B<-userinfo> option specifies additional information to add when adding or modifying a user. -The B<-gn> flag specifies the B<g> and B<N> values, using one of +The B<-gn> flag specifies the I<g> and I<N> values, using one of the strengths defined in IETF RFC 5054. The B<-passin> and B<-passout> arguments are parsed as described in
diff --git a/doc/man1/openssl-storeutl.pod b/doc/man1/openssl-storeutl.pod index a0a2c31..79e65c4 100644 --- a/doc/man1/openssl-storeutl.pod +++ b/doc/man1/openssl-storeutl.pod
@@ -49,7 +49,7 @@ =item B<-passin> I<arg> -the key password source. For more information about the format of B<arg> +the key password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-text> @@ -59,7 +59,7 @@ =item B<-engine> I<id> -specifying an engine (by its unique B<id> string) will cause B<storeutl> +specifying an engine (by its unique I<id> string) will cause B<storeutl> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -80,7 +80,7 @@ =item B<-subject> I<arg> -Search for an object having the subject name B<arg>. +Search for an object having the subject name I<arg>. The arg must be formatted as I</type0=value0/type1=value1/type2=...>. Keyword characters may be escaped by \ (backslash), and whitespace is retained. Empty values are permitted but are ignored for the search. That is,
diff --git a/doc/man1/openssl-ts.pod b/doc/man1/openssl-ts.pod index d9dd7e4..99995b2 100644 --- a/doc/man1/openssl-ts.pod +++ b/doc/man1/openssl-ts.pod
@@ -314,7 +314,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<ts> +Specifying an engine (by its unique I<id> string) will cause B<ts> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Default is built-in. (Optional)
diff --git a/doc/man1/openssl-verify.pod b/doc/man1/openssl-verify.pod index a83ffad..91c369e 100644 --- a/doc/man1/openssl-verify.pod +++ b/doc/man1/openssl-verify.pod
@@ -52,7 +52,7 @@ [B<-sm2-id> I<string>] [B<-sm2-hex-id> I<hex-string>] [B<-->] -[certificates] +[I<certificate> ...] =for comment ifdef engine sm2-id sm2-hex-id @@ -70,14 +70,14 @@ =item B<-CAfile> I<file> -A B<file> of trusted certificates. +A I<file> of trusted certificates. The file should contain one or more certificates in PEM format. =item B<-CApath> I<directory> A directory of trusted certificates. The certificates should have names -of the form: hash.0 or have symbolic links to them of this -form ("hash" is the hashed certificate subject name: see the B<-hash> option +of the form: F<I<hash>.0> or have symbolic links to them of this +form (I<hash> is the hashed certificate subject name: see the B<-hash> option of the B<x509> utility). Under Unix the B<c_rehash> script will automatically create symbolic links to a directory of certificates. @@ -95,8 +95,8 @@ =item B<-attime> I<timestamp> -Perform validation checks using time specified by B<timestamp> and not -current system time. B<timestamp> is the number of seconds since +Perform validation checks using time specified by I<timestamp> and not +current system time. I<timestamp> is the number of seconds since 01.01.1970 (UNIX time). =item B<-check_ss_sig> @@ -106,9 +106,9 @@ =item B<-CRLfile> I<file> -The B<file> should contain one or more CRLs in PEM format. +The I<file> should contain one or more CRLs in PEM format. This option can be specified more than once to include CRLs from multiple -B<files>. +I<file>s. =item B<-crl_download> @@ -126,7 +126,7 @@ =item B<-engine> I<id> -Specifying an engine B<id> will cause L<verify(1)> to attempt to load the +Specifying an engine I<id> will cause L<verify(1)> to attempt to load the specified engine. The engine will then be set as the default for all its supported algorithms. If you want to load certificates or CRLs that require engine support via any of @@ -159,7 +159,7 @@ =item B<-nameopt> I<option> Option which determines how the subject or issuer names are displayed. The -B<option> argument can be a single option or multiple options separated by +I<option> argument can be a single option or multiple options separated by commas. Alternatively the B<-nameopt> switch may be used more than once to set multiple options. See the L<x509(1)> manual page for details. @@ -177,8 +177,8 @@ =item B<-policy> I<arg> -Enable policy processing and add B<arg> to the user-initial-policy-set (see -RFC5280). The policy B<arg> can be an object name an OID in numeric form. +Enable policy processing and add I<arg> to the user-initial-policy-set (see +RFC5280). The policy I<arg> can be an object name an OID in numeric form. This argument can appear more than once. =item B<-policy_check> @@ -224,22 +224,22 @@ =item B<-untrusted> I<file> -A B<file> of additional untrusted certificates (intermediate issuer CAs) used +A I<file> of additional untrusted certificates (intermediate issuer CAs) used to construct a certificate chain from the subject certificate to a trust-anchor. -The B<file> should contain one or more certificates in PEM format. +The I<file> should contain one or more certificates in PEM format. This option can be specified more than once to include untrusted certificates -from multiple B<files>. +from multiple I<file>s. =item B<-trusted> I<file> -A B<file> of trusted certificates, which must be self-signed, unless the +A I<file> of trusted certificates, which must be self-signed, unless the B<-partial_chain> option is specified. -The B<file> contains one or more certificates in PEM format. +The I<file> contains one or more certificates in PEM format. With this option, no additional (e.g., default) certificate lists are consulted. -That is, the only trust-anchors are those listed in B<file>. +That is, the only trust-anchors are those listed in I<file>. This option can be specified more than once to include trusted certificates -from multiple B<files>. +from multiple I<file>s. This option implies the B<-no-CAfile> and B<-no-CApath> options. This option cannot be used in combination with either of the B<-CAfile> or B<-CApath> options. @@ -254,11 +254,11 @@ =item B<-auth_level> I<level> -Set the certificate chain authentication security level to B<level>. +Set the certificate chain authentication security level to I<level>. The authentication security level determines the acceptable signature and public key strength when verifying certificate chains. For a certificate chain to validate, the public keys of all the certificates -must meet the specified security B<level>. +must meet the specified security I<level>. The signature algorithm security level is enforced for all the certificates in the chain except for the chain's I<trust anchor>, which is either directly trusted or validated by means other than its signature. @@ -272,30 +272,30 @@ =item B<-verify_depth> I<num> -Limit the certificate chain to B<num> intermediate CA certificates. -A maximal depth chain can have up to B<num+2> certificates, since neither the +Limit the certificate chain to I<num> intermediate CA certificates. +A maximal depth chain can have up to I<num>+2 certificates, since neither the end-entity certificate nor the trust-anchor certificate count against the B<-verify_depth> limit. =item B<-verify_email> I<email> -Verify if the B<email> matches the email address in Subject Alternative Name or +Verify if I<email> matches the email address in Subject Alternative Name or the email in the subject Distinguished Name. =item B<-verify_hostname> I<hostname> -Verify if the B<hostname> matches DNS name in Subject Alternative Name or +Verify if I<hostname> matches DNS name in Subject Alternative Name or Common Name in the subject certificate. =item B<-verify_ip> I<ip> -Verify if the B<ip> matches the IP address in Subject Alternative Name of +Verify if I<ip> matches the IP address in Subject Alternative Name of the subject certificate. =item B<-verify_name> I<name> Use default verification policies like trust model and required certificate -policies identified by B<name>. +policies identified by I<name>. The trust model determines which auxiliary trust or reject OIDs are applicable to verifying the given certificate chain. See the B<-addtrust> and B<-addreject> options of the L<x509(1)> command-line @@ -335,7 +335,7 @@ certificate files. This is useful if the first certificate filename begins with a B<->. -=item B<certificates> +=item I<certificate> ... One or more certificates to verify. If no certificates are given, B<verify> will attempt to read a certificate from standard input. Certificates must be
diff --git a/doc/man1/openssl-x509.pod b/doc/man1/openssl-x509.pod index bd653ed..a3ea203 100644 --- a/doc/man1/openssl-x509.pod +++ b/doc/man1/openssl-x509.pod
@@ -136,7 +136,7 @@ =item B<-engine> I<id> -Specifying an engine (by its unique B<id> string) will cause B<x509> +Specifying an engine (by its unique I<id> string) will cause B<x509> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -170,7 +170,7 @@ =item B<-certopt> I<option> -Customise the output format used with B<-text>. The B<option> argument +Customise the output format used with B<-text>. The I<option> argument can be a single option or multiple options separated by commas. The B<-certopt> switch may be also be used more than once to set multiple options. See the B<TEXT OPTIONS> section for more information. @@ -231,7 +231,7 @@ =item B<-nameopt> I<option> Option which determines how the subject or issuer names are displayed. The -B<option> argument can be a single option or multiple options separated by +I<option> argument can be a single option or multiple options separated by commas. Alternatively the B<-nameopt> switch may be used more than once to set multiple options. See the B<NAME OPTIONS> section for more information. @@ -257,7 +257,7 @@ =item B<-checkend> I<arg> -Checks if the certificate expires within the next B<arg> seconds and exits +Checks if the certificate expires within the next I<arg> seconds and exits nonzero if yes it will expire or zero if not. =item B<-fingerprint> @@ -372,7 +372,7 @@ =item B<-passin> I<arg> -The key password source. For more information about the format of B<arg> +The key password source. For more information about the format of I<arg> see L<openssl(1)/Pass phrase options>. =item B<-clrext> @@ -470,7 +470,7 @@ =item B<-force_pubkey> I<filename> -When a certificate is created set its public key to the key in B<filename> +When a certificate is created set its public key to the key in I<filename> instead of the key contained in the input or given with the B<-signkey> option. This option is useful for creating self-issued certificates that are not @@ -499,8 +499,8 @@ =head2 Name Options -The B<nameopt> command line switch determines how the subject and issuer -names are displayed. If no B<nameopt> switch is present the default "oneline" +The B<-nameopt> command line switch determines how the subject and issuer +names are displayed. If no B<-nameopt> switch is present the default "oneline" format is used which is compatible with previous versions of OpenSSL. Each option is described in detail below, all options can be preceded by a B<-> to turn the option off. Only the first four will normally be used.
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index baa7bde..a8643a9 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod
@@ -8,10 +8,10 @@ B<openssl> I<command> -[ I<command_opts> ] -[ I<command_args> ] +[ I<command_opts> ... ] +[ I<command_args> ... ] -B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<mac-algorithms> | B<public-key-algorithms>] +B<openssl> B<list> [ B<-standard-commands> | B<-digest-commands> | B<-cipher-commands> | B<-cipher-algorithms> | B<-digest-algorithms> | B<-mac-algorithms> | B<-public-key-algorithms>] B<openssl> B<no->I<XXX> [ I<arbitrary options> ] @@ -52,18 +52,18 @@ depends on the configuration flags specified when the OpenSSL was built. -The list parameters B<standard-commands>, B<digest-commands>, -and B<cipher-commands> output a list (one entry per line) of the names +The list options B<-standard-commands>, B<-digest-commands>, +and B<-cipher-commands> output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher commands, respectively, that are available in the present B<openssl> utility. -The list parameters B<cipher-algorithms>, B<digest-algorithms>, -and B<mac-algorithms> list all cipher, message digest, and message +The list parameters B<-cipher-algorithms>, B<-digest-algorithms>, +and B<-mac-algorithms> list all cipher, message digest, and message authentication code names, one entry per line. Aliases are listed as: from => to -The list parameter B<public-key-algorithms> lists all supported public +The list parameter B<-public-key-algorithms> lists all supported public key algorithms. The command B<no->I<XXX> tests whether a command of the @@ -514,29 +514,29 @@ =over 4 -=item B<pass:password> +=item B<pass:>I<password> -The actual password is B<password>. Since the password is visible +The actual password is I<password>. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important. -=item B<env:var> +=item B<env:>I<var> -Obtain the password from the environment variable B<var>. Since +Obtain the password from the environment variable I<var>. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution. -=item B<file:pathname> +=item B<file:>I<pathname> -The first line of B<pathname> is the password. If the same B<pathname> +The first line of I<pathname> is the password. If the same I<pathname> argument is supplied to B<-passin> and B<-passout> arguments then the first line will be used for the input password and the next line for the output -password. B<pathname> need not refer to a regular file: it could for example +password. I<pathname> need not refer to a regular file: it could for example refer to a device or named pipe. -=item B<fd:number> +=item B<fd:>I<number> -Read the password from the file descriptor B<number>. This can be used to +Read the password from the file descriptor I<number>. This can be used to send the data via a pipe for example. =item B<stdin> @@ -671,7 +671,7 @@ =head1 HISTORY -The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0; +The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0; For notes on the availability of other commands, see their individual manual pages.