author: Rich Salz <rsalz@openssl.org> 2016-05-20 08:11:46 -0400
committer: Rich Salz <rsalz@openssl.org> 2016-05-20 08:11:46 -0400
commit: 1bc74519a2a57ef8e67484ca92890fa94d3dd66f (patch)
tree: e6f9e69d03548ad1e73bf805957a46dec95853b1 /doc/apps
parent: e990ec5234d9daad66359833c40e4536d7fce499 (diff)
Fix nits in pod files.
Add doc-nit-check to help find future issues.
Make podchecker be almost clean.
Remove trailing whitespace.
Tab expansion
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'doc/apps')
-rw-r--r-- doc/apps/CA.pl.pod 7
-rw-r--r-- doc/apps/asn1parse.pod 26
-rw-r--r-- doc/apps/ca.pod 31
-rw-r--r-- doc/apps/cms.pod 50
-rw-r--r-- doc/apps/config.pod 15
-rw-r--r-- doc/apps/crl.pod 2
-rw-r--r-- doc/apps/crl2pkcs7.pod 4
-rw-r--r-- doc/apps/dgst.pod 2
-rw-r--r-- doc/apps/dhparam.pod 4
-rw-r--r-- doc/apps/dsa.pod 4
-rw-r--r-- doc/apps/dsaparam.pod 2
-rw-r--r-- doc/apps/ec.pod 10
-rw-r--r-- doc/apps/ecparam.pod 8
-rw-r--r-- doc/apps/enc.pod 20
-rw-r--r-- doc/apps/engine.pod 2
-rw-r--r-- doc/apps/errstr.pod 4
-rw-r--r-- doc/apps/genpkey.pod 14
-rw-r--r-- doc/apps/ocsp.pod 10
-rw-r--r-- doc/apps/openssl.pod 1
-rw-r--r-- doc/apps/pkcs12.pod 3
-rw-r--r-- doc/apps/pkcs7.pod 4
-rw-r--r-- doc/apps/pkey.pod 9
-rw-r--r-- doc/apps/pkeyparam.pod 5
-rw-r--r-- doc/apps/pkeyutl.pod 6
-rw-r--r-- doc/apps/req.pod 93
-rw-r--r-- doc/apps/rsa.pod 9
-rw-r--r-- doc/apps/rsautl.pod 34
-rw-r--r-- doc/apps/s_client.pod 5
-rw-r--r-- doc/apps/s_server.pod 1
-rw-r--r-- doc/apps/s_time.pod 1
-rw-r--r-- doc/apps/sess_id.pod 3
-rw-r--r-- doc/apps/smime.pod 30
-rw-r--r-- doc/apps/ts.pod 16
-rw-r--r-- doc/apps/tsget.pod 32
-rw-r--r-- doc/apps/verify.pod 4
-rw-r--r-- doc/apps/x509.pod 19
-rw-r--r-- doc/apps/x509v3_config.pod 26
37 files changed, 251 insertions, 265 deletions
diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod
index be56e0adf4..a84083af0b 100644
--- a/doc/apps/CA.pl.pod
+++ b/doc/apps/CA.pl.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -103,7 +102,7 @@ B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
=item B<-verify>
verifies certificates against the CA certificate for "demoCA". If no certificates
-are specified on the command line it tries to verify the file "newcert.pem".
+are specified on the command line it tries to verify the file "newcert.pem".
=item B<files>
@@ -148,7 +147,7 @@ enter cacert.pem when prompted for the CA file name.
Create a DSA certificate request and private key (a different set of parameters
can optionally be created first):
- openssl req -out newreq.pem -newkey dsa:dsap.pem
+ openssl req -out newreq.pem -newkey dsa:dsap.pem
Sign the request:
@@ -169,7 +168,7 @@ be wrong. In this case the command:
perl -S CA.pl
-can be used and the B<OPENSSL_CONF> environment variable changed to point to
+can be used and the B<OPENSSL_CONF> environment variable changed to point to
the correct path of the configuration file "openssl.cnf".
The script is intended as a simple front end for the B<openssl> program for use
diff --git a/doc/apps/asn1parse.pod b/doc/apps/asn1parse.pod
index cd30797eb9..e231a93548 100644
--- a/doc/apps/asn1parse.pod
+++ b/doc/apps/asn1parse.pod
@@ -92,7 +92,7 @@ L<ASN1_generate_nconf(3)> format. If B<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
-file using the B<out> option.
+file using the B<out> option.
=item B<-strictpem>
@@ -108,20 +108,20 @@ END marker in a PEM file.
The output will typically contain lines like this:
- 0:d=0 hl=4 l= 681 cons: SEQUENCE
+ 0:d=0 hl=4 l= 681 cons: SEQUENCE
.....
229:d=3 hl=3 l= 141 prim: BIT STRING
- 373:d=2 hl=3 l= 162 cons: cont [ 3 ]
- 376:d=3 hl=3 l= 159 cons: SEQUENCE
- 379:d=4 hl=2 l= 29 cons: SEQUENCE
+ 373:d=2 hl=3 l= 162 cons: cont [ 3 ]
+ 376:d=3 hl=3 l= 159 cons: SEQUENCE
+ 379:d=4 hl=2 l= 29 cons: SEQUENCE
381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 386:d=5 hl=2 l= 22 prim: OCTET STRING
- 410:d=4 hl=2 l= 112 cons: SEQUENCE
+ 386:d=5 hl=2 l= 22 prim: OCTET STRING
+ 410:d=4 hl=2 l= 112 cons: SEQUENCE
412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 417:d=5 hl=2 l= 105 prim: OCTET STRING
- 524:d=4 hl=2 l= 12 cons: SEQUENCE
+ 417:d=5 hl=2 l= 105 prim: OCTET STRING
+ 524:d=4 hl=2 l= 12 cons: SEQUENCE
.....
@@ -133,27 +133,27 @@ the contents octets.
The B<-i> option can be used to make the output more readable.
-Some knowledge of the ASN.1 structure is needed to interpret the output.
+Some knowledge of the ASN.1 structure is needed to interpret the output.
In this example the BIT STRING at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
be examined using the option B<-strparse 229> to yield:
- 0:d=0 hl=3 l= 137 cons: SEQUENCE
+ 0:d=0 hl=3 l= 137 cons: SEQUENCE
3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
135:d=1 hl=2 l= 3 prim: INTEGER :010001
=head1 NOTES
If an OID is not part of OpenSSL's internal table it will be represented in
-numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
+numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the OID in numerical format and should be followed by white
space. The second column is the "short name" which is a single word followed
by white space. The final column is the rest of the line and is the
"long name". B<asn1parse> displays the long name. Example:
-C<1.2.3.4 shortName A long name>
+C<1.2.3.4 shortName A long name>
=head1 EXAMPLES
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 6c2948501c..de3744e302 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -101,7 +100,7 @@ section for information on the required input and output format.
=item B<-infiles>
if present this should be the last option, all subsequent arguments
-are taken as the names of files containing certificate requests.
+are taken as the names of files containing certificate requests.
=item B<-out filename>
@@ -195,7 +194,7 @@ need this option.
=item B<-preserveDN>
Normally the DN order of a certificate is the same as the order of the
-fields in the relevant policy section. When this option is set the order
+fields in the relevant policy section. When this option is set the order
is the same as the request. This is largely for compatibility with the
older IE enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
@@ -245,7 +244,7 @@ characters may be escaped by \ (backslash), no spaces are skipped.
=item B<-utf8>
-this option causes field values to be interpreted as UTF8 strings, by
+this option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
@@ -366,7 +365,7 @@ any) used.
This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
-by white space and finally the long name.
+by white space and finally the long name.
=item B<oid_section>
@@ -398,7 +397,7 @@ an EGD socket (see L<RAND_egd(3)>).
=item B<default_days>
the same as the B<-days> option. The number of days to certify
-a certificate for.
+a certificate for.
=item B<default_startdate>
@@ -521,7 +520,7 @@ this can be regarded more of a quirk than intended behaviour.
The input to the B<-spkac> command line option is a Netscape
signed public key and challenge. This will usually come from
-the B<KEYGEN> tag in an HTML form to create a new private key.
+the B<KEYGEN> tag in an HTML form to create a new private key.
It is however possible to create SPKACs using the B<spkac> utility.
The file should contain the variable SPKAC set to the value of
@@ -581,18 +580,18 @@ A sample configuration file with the relevant sections for B<ca>:
[ ca ]
default_ca = CA_default # The default ca section
-
+
[ CA_default ]
dir = ./demoCA # top dir
database = $dir/index.txt # index file.
- new_certs_dir = $dir/newcerts # new certs dir
-
+ new_certs_dir = $dir/newcerts # new certs dir
+
certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
-
+
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # md to use
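Review bot: the sample CA_default section retouched by this hunk still sets default_md = md5 in its last context line. MD5 is not collision resistant and should not be the digest a CA example shows for signing certificates, so the sample should use a SHA-2 digest such as sha256. In the same block, private_key = $dir/private/cakey.pem# CA private key has no space before its comment marker, which this whitespace pass could also correct.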
@@ -600,9 +599,9 @@ A sample configuration file with the relevant sections for B<ca>:
policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN
- name_opt = ca_default # Subject name display option
- cert_opt = ca_default # Certificate display option
- copy_extensions = none # Don't copy extensions from request
+ name_opt = ca_default # Subject name display option
+ cert_opt = ca_default # Certificate display option
+ copy_extensions = none # Don't copy extensions from request
[ policy_any ]
countryName = supplied
@@ -636,7 +635,7 @@ be overridden by the B<-config> command line option.
=head1 RESTRICTIONS
-The text database index file is a critical part of the process and
+The text database index file is a critical part of the process and
if corrupted it can be difficult to fix. It is theoretically possible
to rebuild the index file from all the issued certificates and a current
CRL: however there is no option to do this.
@@ -704,7 +703,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
=head1 SEE ALSO
L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>,
-L<config(5)>, L<x509v3_config(5)>
+L<config(5)>, L<x509v3_config(5)>
=cut
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index 4876ef1521..2552f220ba 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -186,13 +186,13 @@ B<EncrytedData> type and output the content.
=item B<-sign_receipt>
-Generate and output a signed receipt for the supplied message. The input
+Generate and output a signed receipt for the supplied message. The input
message B<must> contain a signed receipt request. Functionality is otherwise
similar to the B<-sign> operation.
=item B<-verify_receipt receipt>
-Verify a signed receipt in filename B<receipt>. The input message B<must>
+Verify a signed receipt in filename B<receipt>. The input message B<must>
contain the original receipt request. Functionality is otherwise similar
to the B<-verify> operation.
@@ -256,7 +256,7 @@ is S/MIME and it uses the multipart/signed MIME content type.
this option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME
+off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-noout>
@@ -298,11 +298,11 @@ default digest algorithm for the signing key will be used (usually SHA1).
the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
-EVP_get_cipherbyname() function) can also be used preceded by a dash, for
+EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers
supported by your version of OpenSSL.
-If not specified triple DES is used. Only used with B<-encrypt> and
+If not specified triple DES is used. Only used with B<-encrypt> and
B<-EncryptedData_create> commands.
=item B<-nointern>
@@ -408,7 +408,7 @@ address where receipts should be supplied.
=item B<-receipt_request_to emailaddress>
-Add an explicit email address where signed receipts should be sent to. This
+Add an explicit email address where signed receipts should be sent to. This
option B<must> but supplied if a signed receipt it requested.
=item B<-receipt_request_print>
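Review bot: the context line directly after the changed line in the -receipt_request_to item reads "option B<must> but supplied if a signed receipt it requested."; it should say "must be supplied" and "is requested". The paragraph is already being touched, so both typos can be fixed in the same pass.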
@@ -436,7 +436,7 @@ B<KEKRecipientInfo> structures.
set the encapsulated content type to B<type> if not supplied the B<Data> type
is used. The B<type> argument can be any valid OID name in either text or
-numerical format.
+numerical format.
=item B<-inkey file>
@@ -469,7 +469,7 @@ all others.
=item B<cert.pem...>
one or more certificates of message recipients: used when encrypting
-a message.
+a message.
=item B<-to, -from, -subject>
@@ -534,7 +534,7 @@ attempt is made to locate the recipient by trying each potential recipient
in turn using the supplied private key. To thwart the MMA attack
(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
tried whether they succeed or not and if no recipients match the message
-is "decrypted" using a random key which will typically output garbage.
+is "decrypted" using a random key which will typically output garbage.
The B<-debug_decrypt> option can be used to disable the MMA attack protection
and return an error if no recipient can be found: this option should be used
with caution. For a fuller description see L<CMS_decrypt(3)>).
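Review bot: the last context line of this hunk ends "see L<CMS_decrypt(3)>)." with a closing parenthesis that has no opening one. Drop the stray ")" after the link while the paragraph is being cleaned up.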
@@ -598,29 +598,29 @@ be processed by the older B<smime> command.
Create a cleartext signed message:
openssl cms -sign -in message.txt -text -out mail.msg \
- -signer mycert.pem
+ -signer mycert.pem
Create an opaque signed message
openssl cms -sign -in message.txt -text -out mail.msg -nodetach \
- -signer mycert.pem
+ -signer mycert.pem
Create a signed message, include some additional certificates and
read the private key from another file:
openssl cms -sign -in in.txt -text -out mail.msg \
- -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
Create a signed message with two signers, use key identifier:
openssl cms -sign -in message.txt -text -out mail.msg \
- -signer mycert.pem -signer othercert.pem -keyid
+ -signer mycert.pem -signer othercert.pem -keyid
Send a signed message under Unix directly to sendmail, including headers:
openssl cms -sign -in in.txt -text -signer mycert.pem \
- -from steve@openssl.org -to someone@somewhere \
- -subject "Signed message" | sendmail someone@somewhere
+ -from steve@openssl.org -to someone@somewhere \
+ -subject "Signed message" | sendmail someone@somewhere
Verify a message and extract the signer's certificate if successful:
@@ -629,15 +629,15 @@ Verify a message and extract the signer's certificate if successful:
Send encrypted mail using triple DES:
openssl cms -encrypt -in in.txt -from steve@openssl.org \
- -to someone@somewhere -subject "Encrypted message" \
- -des3 user.pem -out mail.msg
+ -to someone@somewhere -subject "Encrypted message" \
+ -des3 user.pem -out mail.msg
Sign and encrypt mail:
openssl cms -sign -in ml.txt -signer my.pem -text \
- | openssl cms -encrypt -out mail.msg \
- -from steve@openssl.org -to someone@somewhere \
- -subject "Signed and Encrypted message" -des3 user.pem
+ | openssl cms -encrypt -out mail.msg \
+ -from steve@openssl.org -to someone@somewhere \
+ -subject "Signed and Encrypted message" -des3 user.pem
Note: the encryption command does not include the B<-text> option because the
message being encrypted already has MIME headers.
@@ -654,7 +654,7 @@ it with:
-----BEGIN PKCS7-----
-----END PKCS7-----
-and using the command,
+and using the command,
openssl cms -verify -inform PEM -in signature.pem -content content.txt
@@ -673,17 +673,17 @@ Add a signer to an existing message:
Sign mail using RSA-PSS:
openssl cms -sign -in message.txt -text -out mail.msg \
- -signer mycert.pem -keyopt rsa_padding_mode:pss
+ -signer mycert.pem -keyopt rsa_padding_mode:pss
Create encrypted mail using RSA-OAEP:
openssl cms -encrypt -in plain.txt -out mail.msg \
- -recip cert.pem -keyopt rsa_padding_mode:oaep
+ -recip cert.pem -keyopt rsa_padding_mode:oaep
Use SHA256 KDF with an ECDH certificate:
openssl cms -encrypt -in plain.txt -out mail.msg \
- -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
+ -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
=head1 BUGS
@@ -715,7 +715,7 @@ The B<keyopt> option was first added in OpenSSL 1.1.0
The use of B<-recip> to specify the recipient when encrypting mail was first
added to OpenSSL 1.1.0
-Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
+Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
to OpenSSL 1.1.0.
diff --git a/doc/apps/config.pod b/doc/apps/config.pod
index baa886b5ae..499bc9e11a 100644
--- a/doc/apps/config.pod
+++ b/doc/apps/config.pod
@@ -1,4 +1,3 @@
-
=pod
=for comment openssl_manual_section:5
@@ -63,14 +62,14 @@ functionality: any sub command uses the master OpenSSL configuration file
unless an option is used in the sub command to use an alternative configuration
file.
-To enable library configuration the default section needs to contain an
+To enable library configuration the default section needs to contain an
appropriate line which points to the main configuration section. The default
name is B<openssl_conf> which is used by the B<openssl> utility. Other
applications may use an alternative name such as B<myapplicaton_conf>.
The configuration section should consist of a set of name value pairs which
contain specific module configuration information. The B<name> represents
-the name of the I<configuration module> the meaning of the B<value> is
+the name of the I<configuration module> the meaning of the B<value> is
module specific: it may, for example, represent a further configuration
section containing configuration module specific information. E.g.
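Review bot: B<myapplicaton_conf> in the first paragraph of this hunk is misspelled and should be B<myapplication_conf>. The changed line "the name of the I<configuration module> the meaning of the B<value> is" also runs two clauses together; it needs a period or semicolon after I<configuration module>.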
@@ -102,7 +101,7 @@ B<all> the B<openssl> utility sub commands can see the new objects as well
as any compliant applications. For example:
[new_oids]
-
+
some_new_oid = 1.2.3.4
some_other_oid = 1.2.3.5
@@ -141,7 +140,7 @@ For example:
[bar_section]
... "bar" ENGINE specific commands ...
-The command B<engine_id> is used to give the ENGINE name. If used this
+The command B<engine_id> is used to give the ENGINE name. If used this
command must be first. For example:
[engine_section]
@@ -168,7 +167,7 @@ The command B<default_algorithms> sets the default algorithms an ENGINE will
supply using the functions ENGINE_set_default_string().
If the name matches none of the above command names it is assumed to be a
-ctrl command which is sent to the ENGINE. The value of the command is the
+ctrl command which is sent to the ENGINE. The value of the command is the
argument to the ctrl command. If the value is the string B<EMPTY> then no
value is sent to the command.
@@ -266,7 +265,7 @@ Here is a sample configuration file using some of the features
mentioned above.
# This is the default section.
-
+
HOME=/temp
RANDFILE= ${ENV::HOME}/.rnd
configdir=$ENV::HOME/config
@@ -296,7 +295,7 @@ the B<TEMP> or B<TMP> environment variables but they may not be
set to any value at all. If you just include the environment variable
names and the variable doesn't exist then this will cause an error when
an attempt is made to load the configuration file. By making use of the
-default section both values can be looked up with B<TEMP> taking
+default section both values can be looked up with B<TEMP> taking
priority and B</tmp> used if neither is defined:
TMP=/tmp
diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod
index bb1092c750..cb5969ad83 100644
--- a/doc/apps/crl.pod
+++ b/doc/apps/crl.pod
@@ -42,7 +42,7 @@ the DER form with header and footer lines.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod
index f32940273d..26ec889549 100644
--- a/doc/apps/crl2pkcs7.pod
+++ b/doc/apps/crl2pkcs7.pod
@@ -74,8 +74,8 @@ Create a PKCS#7 structure from a certificate and CRL:
Creates a PKCS#7 structure in DER format with no CRL from several
different certificates:
- openssl crl2pkcs7 -nocrl -certfile newcert.pem
- -certfile demoCA/cacert.pem -outform DER -out p7.der
+ openssl crl2pkcs7 -nocrl -certfile newcert.pem
+ -certfile demoCA/cacert.pem -outform DER -out p7.der
=head1 NOTES
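Review bot: the two-line example is still not a valid shell command after this change, because its first line, openssl crl2pkcs7 -nocrl -certfile newcert.pem, has no trailing backslash. A reader who pastes it runs the command without the second -certfile, -outform DER and -out p7.der. Add " \" at the end of the first line, as the multi-line cms.pod and genpkey.pod examples in this patch do.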
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index ce26a5607d..75b8ad9b1e 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -156,7 +156,7 @@ a file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
+all others.
=item B<-fips-fingerprint>
diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod
index b72ca7ec14..771ef1b0ad 100644
--- a/doc/apps/dhparam.pod
+++ b/doc/apps/dhparam.pod
@@ -44,7 +44,7 @@ additional header and footer lines.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in> I<filename>
@@ -123,7 +123,7 @@ for all available algorithms.
The program B<dhparam> combines the functionality of the programs B<dh> and
B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
-programs are retained for now but may have different purposes in future
+programs are retained for now but may have different purposes in future
versions of OpenSSL.
=head1 NOTES
diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod
index 1f0e5ddc42..3a244cf3b0 100644
--- a/doc/apps/dsa.pod
+++ b/doc/apps/dsa.pod
@@ -59,7 +59,7 @@ PKCS#8 format is also accepted.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@@ -149,7 +149,7 @@ To encrypt a private key using triple DES:
openssl dsa -in key.pem -des3 -out keyout.pem
-To convert a private key from PEM to DER format:
+To convert a private key from PEM to DER format:
openssl dsa -in key.pem -outform DER -out keyout.der
diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod
index 0a3727a32b..753f3b19d5 100644
--- a/doc/apps/dsaparam.pod
+++ b/doc/apps/dsaparam.pod
@@ -41,7 +41,7 @@ of the B<DER> format base64 encoded with additional header and footer lines.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod
index 738b718dfd..c1b6bb0714 100644
--- a/doc/apps/ec.pod
+++ b/doc/apps/ec.pod
@@ -31,7 +31,7 @@ B<openssl> B<ec>
=head1 DESCRIPTION
The B<ec> command processes EC keys. They can be converted between various
-forms and their components printed out. B<Note> OpenSSL uses the
+forms and their components printed out. B<Note> OpenSSL uses the
private key format specified in 'SEC 1: Elliptic Curve Cryptography'
(http://www.secg.org/). To convert an OpenSSL EC private key into the
PKCS#8 private key format use the B<pkcs8> command.
@@ -55,7 +55,7 @@ PKCS#8 format is also accepted.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@@ -83,7 +83,7 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-des|-des3|-idea>
-These options encrypt the private key with the DES, triple DES, IDEA or
+These options encrypt the private key with the DES, triple DES, IDEA or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
prompted for.
If none of these options is specified the key is written in plain text. This
@@ -130,7 +130,7 @@ the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
specified by an OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the
+explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
is currently not implemented in OpenSSL.
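Review bot: the context lines of this parameter-encoding paragraph keep two wording errors: "Possible value are:" should be "Possible values are:", and "alternative ,as specified in RFC 3279," has the space on the wrong side of the comma. The same paragraph, with the same errors, is in the ecparam.pod hunk of this patch.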
@@ -170,7 +170,7 @@ To encrypt a private key using triple DES:
openssl ec -in key.pem -des3 -out keyout.pem
-To convert a private key from PEM to DER format:
+To convert a private key from PEM to DER format:
openssl ec -in key.pem -outform DER -out keyout.der
diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod
index fb0181ff95..a41e005625 100644
--- a/doc/apps/ecparam.pod
+++ b/doc/apps/ecparam.pod
@@ -41,12 +41,12 @@ Print out a usage message.
This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
form compatible with RFC 3279 EcpkParameters. The PEM form is the default
-format: it consists of the B<DER> format base64 encoded with additional
+format: it consists of the B<DER> format base64 encoded with additional
header and footer lines.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@@ -102,7 +102,7 @@ the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
specified by an OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the
+explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
is currently not implemented in OpenSSL.
@@ -141,7 +141,7 @@ PEM format EC parameters use the header and footer lines:
-----END EC PARAMETERS-----
OpenSSL is currently not able to generate new groups and therefore
-B<ecparam> can only create EC parameters from known (named) curves.
+B<ecparam> can only create EC parameters from known (named) curves.
=head1 EXAMPLES
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index 3b58aebebd..7abd980065 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -257,7 +257,7 @@ authentication tag.
desx DESX algorithm.
gost89 GOST 28147-89 in CFB mode (provided by ccgost engine)
- gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine)
+ gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine)
idea-cbc IDEA algorithm in CBC mode
idea same as idea-cbc
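Review bot: the re-added gost89-cnt line still carries a stray backtick before "GOST 28147-89 in CNT mode". Remove it so the entry matches the gost89 line above it.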
@@ -283,13 +283,13 @@ authentication tag.
rc5-ecb RC5 cipher in ECB mode
rc5-ofb RC5 cipher in OFB mode
- aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
- aes[128|192|256] Alias for aes-[128|192|256]-cbc
- aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
- aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
- aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
- aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
- aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
+ aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
+ aes[128|192|256] Alias for aes-[128|192|256]-cbc
+ aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
+ aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
+ aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
+ aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
+ aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
=head1 EXAMPLES
@@ -299,11 +299,11 @@ Just base64 encode a binary file:
Decode the same file
- openssl base64 -d -in file.b64 -out file.bin
+ openssl base64 -d -in file.b64 -out file.bin
Encrypt a file using triple DES in CBC mode using a prompted password:
- openssl des3 -salt -in file.txt -out file.des3
+ openssl des3 -salt -in file.txt -out file.des3
Decrypt a file using a supplied password:
diff --git a/doc/apps/engine.pod b/doc/apps/engine.pod
index 59c4234408..32274df4cb 100644
--- a/doc/apps/engine.pod
+++ b/doc/apps/engine.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -52,6 +51,7 @@ Tests if each specified engine is available, and displays the answer.
Displays an error trace for any unavailable engine.
=item B<-pre> I<command>
+
=item B<-post> I<command>
Command-line configuration of engines.
diff --git a/doc/apps/errstr.pod b/doc/apps/errstr.pod
index 4349de1458..fea95f85ba 100644
--- a/doc/apps/errstr.pod
+++ b/doc/apps/errstr.pod
@@ -11,7 +11,7 @@ B<openssl errstr error_code>
=head1 DESCRIPTION
Sometimes an application will not load error message and only
-numerical forms will be available. The B<errstr> utility can be used to
+numerical forms will be available. The B<errstr> utility can be used to
display the meaning of the hex code. The hex code is the hex digits after the
second colon.
@@ -22,7 +22,7 @@ The error code:
27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
can be displayed with:
-
+
openssl errstr 2006D080
to produce the error message:
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod
index 204ab2a580..5d61b73d53 100644
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -213,12 +213,12 @@ Encrypt output private key using 128 bit AES and the passphrase "hello":
Generate a 2048 bit RSA key using 3 as the public exponent:
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
- -pkeyopt rsa_keygen_pubexp:3
+ -pkeyopt rsa_keygen_pubexp:3
Generate 1024 bit DSA parameters:
openssl genpkey -genparam -algorithm DSA -out dsap.pem \
- -pkeyopt dsa_paramgen_bits:1024
+ -pkeyopt dsa_paramgen_bits:1024
Generate DSA key from parameters:
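Review bot: the DSA example retouched in this hunk generates parameters with dsa_paramgen_bits:1024. 1024-bit DSA parameters are no longer considered adequate, and readers copy these examples verbatim, so the example should use dsa_paramgen_bits:2048 or larger.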
@@ -227,7 +227,7 @@ Generate DSA key from parameters:
Generate 1024 bit DH parameters:
openssl genpkey -genparam -algorithm DH -out dhp.pem \
- -pkeyopt dh_paramgen_prime_len:1024
+ -pkeyopt dh_paramgen_prime_len:1024
Output RFC5114 2048 bit DH parameters with 224 bit subgroup:
@@ -240,8 +240,8 @@ Generate DH key from parameters:
Generate EC parameters:
openssl genpkey -genparam -algorithm EC -out ecp.pem \
- -pkeyopt ec_paramgen_curve:secp384r1 \
- -pkeyopt ec_param_enc:named_curve
+ -pkeyopt ec_paramgen_curve:secp384r1 \
+ -pkeyopt ec_param_enc:named_curve
Generate EC key from parameters:
@@ -250,8 +250,8 @@ Generate EC key from parameters:
Generate EC key directly:
openssl genpkey -algorithm EC -out eckey.pem \
- -pkeyopt ec_paramgen_curve:P-384 \
- -pkeyopt ec_param_enc:named_curve
+ -pkeyopt ec_paramgen_curve:P-384 \
+ -pkeyopt ec_param_enc:named_curve
=head1 HISTORY
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 1d50d4b349..60047947a1 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -337,13 +337,13 @@ option.
=item B<-nrequest number>
-The OCSP server will exit after receiving B<number> requests, default unlimited.
+The OCSP server will exit after receiving B<number> requests, default unlimited.
=item B<-nmin minutes>, B<-ndays days>
Number of minutes or days when fresh revocation information is available: used in the
-B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is
-omitted meaning fresh revocation information is immediately available.
+B<nextUpdate> field. If neither option is present then the B<nextUpdate> field
+is omitted meaning fresh revocation information is immediately available.
=back
@@ -413,7 +413,7 @@ Create an OCSP request and write it to a file:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
-Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
+Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
response to a file, print it out in text form, and verify the response:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
@@ -427,7 +427,7 @@ OCSP server on port 8888 using a standard B<ca> configuration, and a separate
responder certificate. All requests and responses are printed to a file.
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
- -text -out log.txt
+ -text -out log.txt
As above but exit after processing one request:
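Review bot: The responder example is missing its line continuation: the line ending in `-CA demoCA/cacert.pem` has no trailing backslash, so the re-indented `-text -out log.txt` line reads as a separate command when the example is pasted into a shell. The other multi-line examples in this patch end the first line with a backslash; add one here as well.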
diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod
index a3bb8f093f..46d0bb108d 100644
--- a/doc/apps/openssl.pod
+++ b/doc/apps/openssl.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index f64669ce45..012d09c72a 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -337,7 +336,7 @@ Output only client certificates to a file:
openssl pkcs12 -in file.p12 -clcerts -out file.pem
Don't encrypt the private key:
-
+
openssl pkcs12 -in file.p12 -out file.pem -nodes
Print some info about a PKCS#12 file:
diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod
index 81354e2c33..abbcab2bef 100644
--- a/doc/apps/pkcs7.pod
+++ b/doc/apps/pkcs7.pod
@@ -37,7 +37,7 @@ the DER form with header and footer lines.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@@ -100,7 +100,7 @@ For compatibility with some CAs it will also accept:
There is no option to print out all the fields of a PKCS#7 file.
-This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
+This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
cannot currently parse, for example, the new CMS as described in RFC2630.
=head1 SEE ALSO
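Review bot: Grammar nit on the line this hunk rewrites: `This PKCS#7 routines only understand ... RFC2315 they cannot currently parse` has a number mismatch and runs two sentences together. Suggest `These PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315; they cannot currently parse, for example, the new CMS as described in RFC2630.`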
diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod
index ddc2b58692..fd564c443f 100644
--- a/doc/apps/pkey.pod
+++ b/doc/apps/pkey.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -42,7 +41,7 @@ This specifies the input format DER or PEM.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@@ -76,7 +75,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
=item B<-text>
prints out the various public or private key components in
-plain text in addition to the encoded version.
+plain text in addition to the encoded version.
=item B<-text_pub>
@@ -116,7 +115,7 @@ To encrypt a private key using triple DES:
openssl pkey -in key.pem -des3 -out keyout.pem
-To convert a private key from PEM to DER format:
+To convert a private key from PEM to DER format:
openssl pkey -in key.pem -outform DER -out keyout.der
@@ -135,7 +134,7 @@ To just output the public part of a private key:
=head1 SEE ALSO
L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>,
-L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
+L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
=cut
diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod
index 153871db4d..7472de03ce 100644
--- a/doc/apps/pkeyparam.pod
+++ b/doc/apps/pkeyparam.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -40,7 +39,7 @@ this option is not specified.
=item B<-text>
-prints out the parameters in plain text in addition to the encoded version.
+prints out the parameters in plain text in addition to the encoded version.
=item B<-noout>
@@ -69,7 +68,7 @@ PEM format is supported because the key type is determined by the PEM headers.
=head1 SEE ALSO
L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>,
-L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
+L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
=cut
diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod
index e937a87736..73818db278 100644
--- a/doc/apps/pkeyutl.pod
+++ b/doc/apps/pkeyutl.pod
@@ -84,11 +84,11 @@ the peer key format PEM, DER or ENGINE. Default is PEM.
=item B<-pubin>
-the input file is a public key.
+the input file is a public key.
=item B<-certin>
-the input is a certificate containing a public key.
+the input is a certificate containing a public key.
=item B<-rev>
@@ -198,7 +198,7 @@ This sets the RSA padding mode. Acceptable values for B<mode> are B<pkcs1> for
PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep>
for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
-In PKCS#1 padding if the message digest is not set then the supplied data is
+In PKCS#1 padding if the message digest is not set then the supplied data is
signed or verified directly instead of using a B<DigestInfo> structure. If a
digest is set then the a B<DigestInfo> structure is used and its the length
must correspond to the digest type.
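Review bot: Two typos remain in the context lines directly under the changed line: `then the a B<DigestInfo> structure is used` and `its the length must correspond`. As this commit is a nit pass over the same paragraph, suggest `then a B<DigestInfo> structure is used and its length must correspond to the digest type.`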
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index acfbb25aeb..e98d3a40b5 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -70,7 +69,7 @@ footer lines.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@@ -257,7 +256,7 @@ a variety of purposes.
=item B<-utf8>
-this option causes field values to be interpreted as UTF8 strings, by
+this option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
@@ -272,7 +271,7 @@ set multiple options. See the L<x509(1)> manual page for details.
=item B<-reqopt>
customise the output format used with B<-text>. The B<option> argument can be
-a single option or multiple options separated by commas.
+a single option or multiple options separated by commas.
See discussion of the B<-certopt> parameter in the L<x509(1)>
command.
@@ -342,7 +341,7 @@ overridden by the B<-keyout> option.
This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
-by white space and finally the long name.
+by white space and finally the long name.
=item B<oid_section>
@@ -376,7 +375,7 @@ This option masks out the use of certain string types in certain
fields. Most users will not need to change this option.
It can be set to several values B<default> which is also the default
-option uses PrintableStrings, T61Strings and BMPStrings if the
+option uses PrintableStrings, T61Strings and BMPStrings if the
B<pkix> value is used then only PrintableStrings and BMPStrings will
be used. This follows the PKIX recommendation in RFC2459. If the
B<utf8only> option is used then only UTF8Strings will be used: this
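Review bot: The sentence containing the changed `option uses PrintableStrings, T61Strings and BMPStrings if the` line is a run-on: there is no punctuation between `several values`, the description of B<default>, and the start of the B<pkix> case, so it is hard to tell where one value's description ends. Suggest a colon after `several values`, commas around `which is also the default option`, and a full stop before `If the B<pkix> value is used`.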
@@ -388,7 +387,7 @@ problems with BMPStrings and UTF8Strings: in particular Netscape.
this specifies the configuration file section containing a list of
extensions to add to the certificate request. It can be overridden
-by the B<-reqexts> command line switch. See the
+by the B<-reqexts> command line switch. See the
L<x509v3_config(5)> manual page for details of the
extension section format.
@@ -499,8 +498,8 @@ Generate a self signed root certificate:
Example of a file pointed to by the B<oid_file> option:
- 1.2.3.4 shortName A longer Name
- 1.2.3.6 otherName Other longer Name
+ 1.2.3.4 shortName A longer Name
+ 1.2.3.6 otherName Other longer Name
Example of a section pointed to by B<oid_section> making use of variable
expansion:
@@ -511,34 +510,34 @@ expansion:
Sample configuration file prompting for field values:
[ req ]
- default_bits = 2048
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
- req_extensions = v3_ca
+ default_bits = 2048
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+ req_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
- countryName = Country Name (2 letter code)
- countryName_default = AU
- countryName_min = 2
- countryName_max = 2
+ countryName = Country Name (2 letter code)
+ countryName_default = AU
+ countryName_min = 2
+ countryName_max = 2
- localityName = Locality Name (eg, city)
+ localityName = Locality Name (eg, city)
- organizationalUnitName = Organizational Unit Name (eg, section)
+ organizationalUnitName = Organizational Unit Name (eg, section)
- commonName = Common Name (eg, YOUR name)
- commonName_max = 64
+ commonName = Common Name (eg, YOUR name)
+ commonName_max = 64
- emailAddress = Email Address
- emailAddress_max = 40
+ emailAddress = Email Address
+ emailAddress_max = 40
[ req_attributes ]
- challengePassword = A challenge password
- challengePassword_min = 4
- challengePassword_max = 20
+ challengePassword = A challenge password
+ challengePassword_min = 4
+ challengePassword_max = 20
[ v3_ca ]
@@ -549,27 +548,27 @@ Sample configuration file prompting for field values:
Sample configuration containing all field values:
- RANDFILE = $ENV::HOME/.rnd
+ RANDFILE = $ENV::HOME/.rnd
[ req ]
- default_bits = 2048
- default_keyfile = keyfile.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
- prompt = no
- output_password = mypass
+ default_bits = 2048
+ default_keyfile = keyfile.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+ prompt = no
+ output_password = mypass
[ req_distinguished_name ]
- C = GB
- ST = Test State or Province
- L = Test Locality
- O = Organization Name
- OU = Organizational Unit Name
- CN = Common Name
- emailAddress = test@email.address
+ C = GB
+ ST = Test State or Province
+ L = Test Locality
+ O = Organization Name
+ OU = Organizational Unit Name
+ CN = Common Name
+ emailAddress = test@email.address
[ req_attributes ]
- challengePassword = A challenge password
+ challengePassword = A challenge password
=head1 NOTES
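Review bot: Missing documentation for `output_password = mypass` in the second sample configuration: the example stores the passphrase for the generated private key in cleartext in the config file, and nothing in the visible text says so. Suggest a one-line remark under the sample that the value is for illustration and that a config file carrying `output_password` needs the same file permissions as the key itself.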
@@ -596,13 +595,13 @@ by the script in an extendedKeyUsage extension.
The following messages are frequently asked about:
- Using configuration from /some/path/openssl.cnf
- Unable to load config info
+ Using configuration from /some/path/openssl.cnf
+ Unable to load config info
This is followed some time later by...
- unable to find 'distinguished_name' in config
- problems making Certificate Request
+ unable to find 'distinguished_name' in config
+ problems making Certificate Request
The first error message is the clue: it can't find the configuration
file! Certain operations (like examining a certificate request) don't
@@ -652,7 +651,7 @@ address in subjectAltName should be input by the user.
L<x509(1)>, L<ca(1)>, L<genrsa(1)>,
L<gendsa(1)>, L<config(5)>,
-L<x509v3_config(5)>
+L<x509v3_config(5)>
=cut
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod
index e216bac5ed..9be51f9c8d 100644
--- a/doc/apps/rsa.pod
+++ b/doc/apps/rsa.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -61,7 +60,7 @@ section.
=item B<-outform DER|NET|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@@ -100,7 +99,7 @@ These options can only be used with PEM format output files.
=item B<-text>
prints out the various public or private key components in
-plain text in addition to the encoded version.
+plain text in addition to the encoded version.
=item B<-noout>
@@ -176,7 +175,7 @@ To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem
-To convert a private key from PEM to DER format:
+To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der
@@ -203,7 +202,7 @@ without having to manually edit them.
=head1 SEE ALSO
L<pkcs8(1)>, L<dsa(1)>, L<genrsa(1)>,
-L<gendsa(1)>
+L<gendsa(1)>
=cut
diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod
index 94c5dce9ba..3fb2e402c7 100644
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@@ -61,7 +61,7 @@ the input file is an RSA public key.
=item B<-certin>
-the input is a certificate containing an RSA public key.
+the input is a certificate containing an RSA public key.
=item B<-sign>
@@ -136,24 +136,24 @@ example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
openssl asn1parse -in pca-cert.pem
- 0:d=0 hl=4 l= 742 cons: SEQUENCE
- 4:d=1 hl=4 l= 591 cons: SEQUENCE
- 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
+ 0:d=0 hl=4 l= 742 cons: SEQUENCE
+ 4:d=1 hl=4 l= 591 cons: SEQUENCE
+ 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 1 prim: INTEGER :00
- 16:d=2 hl=2 l= 13 cons: SEQUENCE
+ 16:d=2 hl=2 l= 13 cons: SEQUENCE
18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
- 29:d=3 hl=2 l= 0 prim: NULL
- 31:d=2 hl=2 l= 92 cons: SEQUENCE
- 33:d=3 hl=2 l= 11 cons: SET
- 35:d=4 hl=2 l= 9 cons: SEQUENCE
+ 29:d=3 hl=2 l= 0 prim: NULL
+ 31:d=2 hl=2 l= 92 cons: SEQUENCE
+ 33:d=3 hl=2 l= 11 cons: SET
+ 35:d=4 hl=2 l= 9 cons: SEQUENCE
37:d=5 hl=2 l= 3 prim: OBJECT :countryName
42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
....
- 599:d=1 hl=2 l= 13 cons: SEQUENCE
+ 599:d=1 hl=2 l= 13 cons: SEQUENCE
601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
- 612:d=2 hl=2 l= 0 prim: NULL
- 614:d=1 hl=3 l= 129 prim: BIT STRING
+ 612:d=2 hl=2 l= 0 prim: NULL
+ 614:d=1 hl=3 l= 129 prim: BIT STRING
The final BIT STRING contains the actual signature. It can be extracted with:
@@ -161,18 +161,18 @@ The final BIT STRING contains the actual signature. It can be extracted with:
openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
The certificate public key can be extracted with:
-
+
openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
The signature can be analysed with:
openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
- 0:d=0 hl=2 l= 32 cons: SEQUENCE
- 2:d=1 hl=2 l= 12 cons: SEQUENCE
+ 0:d=0 hl=2 l= 32 cons: SEQUENCE
+ 2:d=1 hl=2 l= 12 cons: SEQUENCE
4:d=2 hl=2 l= 8 prim: OBJECT :md5
- 14:d=2 hl=2 l= 0 prim: NULL
- 16:d=1 hl=2 l= 16 prim: OCTET STRING
+ 14:d=2 hl=2 l= 0 prim: NULL
+ 16:d=1 hl=2 l= 16 prim: OCTET STRING
0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..
This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
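Review bot: The walkthrough in this hunk mixes two certificates: the signature is extracted with `openssl asn1parse -in pca-cert.pem ... -strparse 614`, but the public key is taken from `test/testx509.pem`. The `rsautl -verify` step only produces the DigestInfo shown if the key belongs to the signer of the certificate the signature came from, and the text does not say that testx509.pem is that signer. Suggest using the same file in both commands or adding a sentence explaining why a different certificate supplies the key.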
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 029da4f539..0021983c7a 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -416,7 +415,7 @@ print out a hex dump of any TLS extensions received from the server.
=item B<-no_ticket>
-disable RFC4507bis session ticket support.
+disable RFC4507bis session ticket support.
=item B<-sess_out filename>
@@ -444,7 +443,7 @@ all others.
=item B<-serverinfo types>
-a list of comma-separated TLS Extension Types (numbers between 0 and
+a list of comma-separated TLS Extension Types (numbers between 0 and
65535). Each type will be sent as an empty ClientHello TLS Extension.
The server's response (if any) will be encoded and displayed as a PEM
file.
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 6417451111..d7ddb748c1 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index d8ef3c4290..5a4381e305 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod
index dbfc19d5c8..3eed13fd18 100644
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -57,7 +56,7 @@ output if this option is not specified.
=item B<-text>
prints out the various public or private key components in
-plain text in addition to the encoded version.
+plain text in addition to the encoded version.
=item B<-cert>
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 4dc737893a..1d25a411ce 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -170,7 +170,7 @@ is S/MIME and it uses the multipart/signed MIME content type.
this option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME
+off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-CAfile file>
@@ -201,7 +201,7 @@ default digest algorithm for the signing key will be used (usually SHA1).
the encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
-EVP_get_cipherbyname() function) can also be used preceded by a dash, for
+EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
supported by your version of OpenSSL.
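Review bot: The sentence around the changed line is incomplete: `triple DES (168 bits) - B<-des3>,` is followed directly by `EVP_get_cipherbyname() function) can also be used`, which has a closing parenthesis with no opening one and no subject. The opening clause of that sentence appears to have been lost; please restore it so the description of which cipher names are accepted reads as a full sentence.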
@@ -301,7 +301,7 @@ all others.
=item B<cert.pem...>
one or more certificates of message recipients: used when encrypting
-a message.
+a message.
=item B<-to, -from, -subject>
@@ -398,29 +398,29 @@ the signers certificates.
Create a cleartext signed message:
openssl smime -sign -in message.txt -text -out mail.msg \
- -signer mycert.pem
+ -signer mycert.pem
Create an opaque signed message:
openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
- -signer mycert.pem
+ -signer mycert.pem
Create a signed message, include some additional certificates and
read the private key from another file:
openssl smime -sign -in in.txt -text -out mail.msg \
- -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
Create a signed message with two signers:
openssl smime -sign -in message.txt -text -out mail.msg \
- -signer mycert.pem -signer othercert.pem
+ -signer mycert.pem -signer othercert.pem
Send a signed message under Unix directly to sendmail, including headers:
openssl smime -sign -in in.txt -text -signer mycert.pem \
- -from steve@openssl.org -to someone@somewhere \
- -subject "Signed message" | sendmail someone@somewhere
+ -from steve@openssl.org -to someone@somewhere \
+ -subject "Signed message" | sendmail someone@somewhere
Verify a message and extract the signer's certificate if successful:
@@ -429,15 +429,15 @@ Verify a message and extract the signer's certificate if successful:
Send encrypted mail using triple DES:
openssl smime -encrypt -in in.txt -from steve@openssl.org \
- -to someone@somewhere -subject "Encrypted message" \
- -des3 user.pem -out mail.msg
+ -to someone@somewhere -subject "Encrypted message" \
+ -des3 user.pem -out mail.msg
Sign and encrypt mail:
openssl smime -sign -in ml.txt -signer my.pem -text \
- | openssl smime -encrypt -out mail.msg \
- -from steve@openssl.org -to someone@somewhere \
- -subject "Signed and Encrypted message" -des3 user.pem
+ | openssl smime -encrypt -out mail.msg \
+ -from steve@openssl.org -to someone@somewhere \
+ -subject "Signed and Encrypted message" -des3 user.pem
Note: the encryption command does not include the B<-text> option because the
message being encrypted already has MIME headers.
@@ -454,7 +454,7 @@ it with:
-----BEGIN PKCS7-----
-----END PKCS7-----
-and using the command:
+and using the command:
openssl smime -verify -inform PEM -in signature.pem -content content.txt
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index dc41003516..0f41a15bf2 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -522,13 +522,13 @@ To create a time stamp request for design1.txt with SHA-1
without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \
- -out design1.tsq
+ -out design1.tsq
To create a similar time stamp request with specifying the message imprint
explicitly:
openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
- -no_nonce -out design1.tsq
+ -no_nonce -out design1.tsq
To print the content of the previous request in human readable format:
@@ -540,7 +540,7 @@ specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
openssl ts -query -data design2.txt -md5 \
- -tspolicy tsa_policy1 -cert -out design2.tsq
+ -tspolicy tsa_policy1 -cert -out design2.tsq
=head2 Time Stamp Response
@@ -557,7 +557,7 @@ tsakey.pem is the private key of the TSA.
To create a time stamp response for a request:
openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
- -signer tsacert.pem -out design1.tsr
+ -signer tsacert.pem -out design1.tsr
If you want to use the settings in the config file you could just write:
@@ -589,20 +589,20 @@ valid response:
To verify a time stamp reply against a request:
openssl ts -verify -queryfile design1.tsq -in design1.tsr \
- -CAfile cacert.pem -untrusted tsacert.pem
+ -CAfile cacert.pem -untrusted tsacert.pem
To verify a time stamp reply that includes the certificate chain:
openssl ts -verify -queryfile design2.tsq -in design2.tsr \
- -CAfile cacert.pem
+ -CAfile cacert.pem
To verify a time stamp token against the original data file:
openssl ts -verify -data design2.txt -in design2.tsr \
- -CAfile cacert.pem
+ -CAfile cacert.pem
To verify a time stamp token against a message imprint:
openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
- -in design2.tsr -CAfile cacert.pem
+ -in design2.tsr -CAfile cacert.pem
You could also look at the 'test' directory for more examples.
diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod
index 7f30b71232..e325697384 100644
--- a/doc/apps/tsget.pod
+++ b/doc/apps/tsget.pod
@@ -33,15 +33,15 @@ line.
The tool sends the following HTTP request for each time stamp request:
- POST url HTTP/1.1
- User-Agent: OpenTSA tsget.pl/<version>
- Host: <host>:<port>
- Pragma: no-cache
- Content-Type: application/timestamp-query
- Accept: application/timestamp-reply
- Content-Length: length of body
+ POST url HTTP/1.1
+ User-Agent: OpenTSA tsget.pl/<version>
+ Host: <host>:<port>
+ Pragma: no-cache
+ Content-Type: application/timestamp-query
+ Accept: application/timestamp-reply
+ Content-Length: length of body
- ...binary request specified by the user...
+ ...binary request specified by the user...
B<tsget> expects a response of type application/timestamp-reply, which is
written to a file without any interpretation.
@@ -142,7 +142,7 @@ time stamp requests, tsa.opentsa.org listens at port 8080 for HTTP requests
and at port 8443 for HTTPS requests, the TSA service is available at the /tsa
absolute path.
-Get a time stamp response for file1.tsq over HTTP, output is written to
+Get a time stamp response for file1.tsq over HTTP, output is written to
file1.tsr:
tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq
@@ -151,40 +151,40 @@ Get a time stamp response for file1.tsq and file2.tsq over HTTP showing
progress, output is written to file1.reply and file2.reply respectively:
tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \
- file1.tsq file2.tsq
+ file1.tsq file2.tsq
Create a time stamp request, write it to file3.tsq, send it to the server and
write the response to file3.tsr:
openssl ts -query -data file3.txt -cert | tee file3.tsq \
- | tsget -h http://tsa.opentsa.org:8080/tsa \
- -o file3.tsr
+ | tsget -h http://tsa.opentsa.org:8080/tsa \
+ -o file3.tsr
Get a time stamp response for file1.tsq over HTTPS without client
authentication:
tsget -h https://tsa.opentsa.org:8443/tsa \
- -C cacerts.pem file1.tsq
+ -C cacerts.pem file1.tsq
Get a time stamp response for file1.tsq over HTTPS with certificate-based
client authentication (it will ask for the passphrase if client_key.pem is
protected):
tsget -h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
- -k client_key.pem -c client_cert.pem file1.tsq
+ -k client_key.pem -c client_cert.pem file1.tsq
You can shorten the previous command line if you make use of the B<TSGET>
environment variable. The following commands do the same as the previous
example:
TSGET='-h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
- -k client_key.pem -c client_cert.pem'
+ -k client_key.pem -c client_cert.pem'
export TSGET
tsget file1.tsq
=head1 SEE ALSO
-L<openssl(1)>, L<ts(1)>, L<curl(1)>,
+L<openssl(1)>, L<ts(1)>, L<curl(1)>,
B<RFC 3161>
=cut
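Review bot: In the `TSGET='-h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \` example the backslash sits inside single quotes, where a POSIX shell does not treat it as a line continuation, so the variable ends up containing a literal backslash and newline. Suggest putting the value on one line or closing the quote before the line break, so the exported options match the command line shown in the previous example.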
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 17dce23c2c..f42b80646c 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -148,8 +148,8 @@ Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-no_check_time>
-This option suppresses checking the validity period of certificates and CRLs
-against the current time. If option B<-attime timestamp> is used to specify
+This option suppresses checking the validity period of certificates and CRLs
+against the current time. If option B<-attime timestamp> is used to specify
a verification time, the check is not suppressed.
=item B<-partial_chain>
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index ce6f5f7e63..eb6d06d7b7 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -1,4 +1,3 @@
-
=pod
=head1 NAME
@@ -93,7 +92,7 @@ obsolete.
=item B<-outform DER|PEM|NET>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@@ -322,7 +321,7 @@ can thus behave like a "mini CA".
=item B<-signkey filename>
this option causes the input file to be self signed using the supplied
-private key.
+private key.
If the input file is a certificate it sets the issuer name to the
subject name (i.e. makes it self signed) changes the public key to the
@@ -403,7 +402,7 @@ an even number of hex digits with the serial number to use. After each
use the serial number is incremented and written out to the file again.
The default filename consists of the CA certificate file base name with
-".srl" appended. For example if the CA certificate file is called
+".srl" appended. For example if the CA certificate file is called
"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
=item B<-CAcreateserial>
@@ -707,20 +706,20 @@ Convert a certificate request into a self signed certificate using
extensions for a CA:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
- -signkey key.pem -out cacert.pem
+ -signkey key.pem -out cacert.pem
Sign a certificate request using the CA certificate above and add user
certificate extensions:
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
- -CA cacert.pem -CAkey key.pem -CAcreateserial
+ -CA cacert.pem -CAkey key.pem -CAcreateserial
Set a certificate to be trusted for SSL client use and change set its alias to
"Steve's Class 1 CA"
openssl x509 -in cert.pem -addtrust clientAuth \
- -setalias "Steve's Class 1 CA" -out trust.pem
+ -setalias "Steve's Class 1 CA" -out trust.pem
=head1 NOTES
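Review bot: Typo in the context line above the last example: `change set its alias to` has a duplicated verb, and the sentence has no terminating colon, unlike the other example lead-ins in this hunk. Suggest `Set a certificate to be trusted for SSL client use and set its alias to "Steve's Class 1 CA":`.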
@@ -854,7 +853,7 @@ if the keyUsage extension is present.
The extended key usage extension must be absent or include the "email
protection" OID. Netscape certificate type must be absent or must have the
S/MIME CA bit set: this is used as a work around if the basicConstraints
-extension is absent.
+extension is absent.
=item B<CRL Signing>
@@ -884,7 +883,7 @@ dates rather than an offset from the current time.
L<req(1)>, L<ca(1)>, L<genrsa(1)>,
L<gendsa(1)>, L<verify(1)>,
-L<x509v3_config(5)>
+L<x509v3_config(5)>
=head1 HISTORY
@@ -892,7 +891,7 @@ The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
canonical version of the DN using SHA1. This means that any directories using
-the old form must have their links rebuilt using B<c_rehash> or similar.
+the old form must have their links rebuilt using B<c_rehash> or similar.
=cut
diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod
index ec96e2fda0..10967b9cbc 100644
--- a/doc/apps/x509v3_config.pod
+++ b/doc/apps/x509v3_config.pod
@@ -108,19 +108,19 @@ These can either be object short names or the dotted numerical form of OIDs.
While any OID can be used only certain values make sense. In particular the
following PKIX, NS and MS values are meaningful:
- Value Meaning
- ----- -------
- serverAuth SSL/TLS Web Server Authentication.
- clientAuth SSL/TLS Web Client Authentication.
- codeSigning Code signing.
- emailProtection E-mail Protection (S/MIME).
- timeStamping Trusted Timestamping
- OCSPSigning OCSP Signing
- ipsecIKE ipsec Internet Key Exchnage
- msCodeInd Microsoft Individual Code Signing (authenticode)
- msCodeCom Microsoft Commercial Code Signing (authenticode)
- msCTLSign Microsoft Trust List Signing
- msEFS Microsoft Encrypted File System
+ Value Meaning
+ ----- -------
+ serverAuth SSL/TLS Web Server Authentication.
+ clientAuth SSL/TLS Web Client Authentication.
+ codeSigning Code signing.
+ emailProtection E-mail Protection (S/MIME).
+ timeStamping Trusted Timestamping
+ OCSPSigning OCSP Signing
+ ipsecIKE ipsec Internet Key Exchnage
+ msCodeInd Microsoft Individual Code Signing (authenticode)
+ msCodeCom Microsoft Commercial Code Signing (authenticode)
+ msCTLSign Microsoft Trust List Signing
+ msEFS Microsoft Encrypted File System
Examples:
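Review bot: The rewritten table keeps the misspelling `ipsec Internet Key Exchnage`; since every row is being re-emitted, fix it to `Exchange` in the same change. The Meaning column is also inconsistent about trailing full stops (`Code signing.` versus `OCSP Signing`); pick one form.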