APPS: Remove all traces of special SM2 treatment.

SM2 IDs are now passed entirely as '-pkeyopt', '-sigopt' or '-vfyopt'
values, just like any other valid option.

Fixes #11293

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11302)

5 files changed, 53 insertions, 53 deletions

diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 5192b25fa5..e07295cffc 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -53,17 +53,16 @@ B<openssl> B<ca>
 [B<-subj> I<arg>]
 [B<-utf8>]
 [B<-sigopt> I<nm>:I<v>]
+[B<-vfyopt> I<nm>:I<v>]
 [B<-create_serial>]
 [B<-rand_serial>]
 [B<-multivalue-rdn>]
-[B<-sm2-id> I<string>]
-[B<-sm2-hex-id> I<hex-string>]
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_provider_synopsis -}
 [I<certreq>...]
 
-=for openssl ifdef engine sm2-id sm2-hex-id
+=for openssl ifdef engine
 
 =head1 DESCRIPTION
 
@@ -147,9 +146,18 @@ See L<openssl(1)/Format Options> for details.
 
 =item B<-sigopt> I<nm>:I<v>
 
-Pass options to the signature algorithm during sign or verify operations.
+Pass options to the signature algorithm during sign operations.
 Names and values of these options are algorithm-specific.
 
+=item B<-vfyopt> I<nm>:I<v>
+
+Pass options to the signature algorithm during verify operations.
+Names and values of these options are algorithm-specific.
+
+This often needs to be given while signing too, because the input
+certificate signature request is verified against its own public key,
+and that verification may need its own set of options.
+
 =item B<-key> I<password>
 
 =for openssl foreign manual ps(1)
@@ -297,16 +305,6 @@ C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
 
 If B<-multi-rdn> is not used then the UID value is C<123456+CN=John Doe>.
 
-=item B<-sm2-id> I<string>
-
-Specify the ID string to use when verifying an SM2 certificate. The ID string is
-required by the SM2 signature algorithm for signing and verification.
-
-=item B<-sm2-hex-id> I<hex-string>
-
-Specify a binary ID string to use when signing or verifying using an SM2
-certificate. The argument for this option is string of hexadecimal digits.
-
 {- $OpenSSL::safe::opt_r_item -}
 
 {- $OpenSSL::safe::opt_engine_item -}
@@ -617,7 +615,9 @@ Sign a certificate request:
 
 Sign an SM2 certificate request:
 
- openssl ca -in sm2.csr -out sm2.crt -md sm3 -sigopt "sm2_id:1234567812345678" -sm2-id "1234567812345678"
+ openssl ca -in sm2.csr -out sm2.crt -md sm3 \
+         -sigopt "distid:1234567812345678" \
+         -vfyopt "distid:1234567812345678"
 
 Sign a certificate request, using CA extensions:
 
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
index 583ea68734..8f9060a239 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -321,18 +321,18 @@ must be known for this to work. If the size of the file cannot be determined
 =head1 SM2
 
 The SM2 algorithm supports sign, verify, encrypt and decrypt operations. For
-the sign and verify operations, SM2 requires an ID string to be passed in. The
-following B<-pkeyopt> value is supported:
+the sign and verify operations, SM2 requires an Distinguishing ID string to
+be passed in. The following B<-pkeyopt> value is supported:
 
 =over 4
 
-=item B<sm2_id:>I<string>
+=item B<distid:>I<string>
 
 This sets the ID string used in SM2 sign or verify operations. While verifying
 an SM2 signature, the ID string must be the same one used when signing the data.
 Otherwise the verification will fail.
 
-=item B<sm2_hex_id:>I<hex_string>
+=item B<hexdistid:>I<hex_string>
 
 This sets the ID string used in SM2 sign or verify operations. While verifying
 an SM2 signature, the ID string must be the same one used when signing the data.
@@ -382,12 +382,12 @@ Derive using the same algorithm, but read key from environment variable MYPASS:
 Sign some data using an L<SM2(7)> private key and a specific ID:
 
  openssl pkeyutl -sign -in file -inkey sm2.key -out sig -rawin -digest sm3 \
-    -pkeyopt sm2_id:someid
+    -pkeyopt distid:someid
 
 Verify some data using an L<SM2(7)> certificate and a specific ID:
 
  openssl pkeyutl -verify -certin -in file -inkey sm2.cert -sigfile sig \
-    -rawin -digest sm3 -pkeyopt sm2_id:someid
+    -rawin -digest sm3 -pkeyopt distid:someid
 
 =head1 SEE ALSO
 
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index ca3416e799..c8abeb368d 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -45,16 +45,15 @@ B<openssl> B<req>
 [B<-subject>]
 [B<-subj> I<arg>]
 [B<-sigopt> I<nm>:I<v>]
+[B<-vfyopt> I<nm>:I<v>]
 [B<-batch>]
 [B<-verbose>]
-[B<-sm2-id> I<string>]
-[B<-sm2-hex-id> I<hex-string>]
 {- $OpenSSL::safe::opt_name_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_provider_synopsis -}
 
-=for openssl ifdef engine keygen_engine sm2-id sm2-hex-id
+=for openssl ifdef engine keygen_engine
 
 =head1 DESCRIPTION
 
@@ -85,9 +84,22 @@ options (B<-new> and B<-newkey>) are not specified.
 
 =item B<-sigopt> I<nm>:I<v>
 
-Pass options to the signature algorithm during sign or verify operations.
+Pass options to the signature algorithm during sign operations.
 Names and values of these options are algorithm-specific.
 
+=item B<-vfyopt> I<nm>:I<v>
+
+Pass options to the signature algorithm during verify operations.
+Names and values of these options are algorithm-specific.
+
+=begin comment
+
+Maybe it would be preferable to only have -opts instead of -sigopt and
+-vfyopt?  They are both present here to be compatible with L<openssl-ca(1)>,
+which supports both options for good reasons.
+
+=end comment
+
 =item B<-passin> I<arg>, B<-passout> I<arg>
 
 The password source for the input and output file.
@@ -313,16 +325,6 @@ Print extra details about the operations being performed.
 Specifies an engine (by its unique I<id> string) which would be used
 for key generation operations.
 
-=item B<-sm2-id>
-
-Specify the ID string to use when verifying an SM2 certificate request. The ID
-string is required by the SM2 signature algorithm for signing and verification.
-
-=item B<-sm2-hex-id>
-
-Specify a binary ID string to use when verifying an SM2 certificate request. The
-argument for this option is string of hexadecimal digits.
-
 {- $OpenSSL::safe::opt_name_item -}
 
 {- $OpenSSL::safe::opt_r_item -}
@@ -531,11 +533,11 @@ Generate a self signed root certificate:
 Create an SM2 private key and then generate a certificate request from it:
 
  openssl ecparam -genkey -name SM2 -out sm2.key
- openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "sm2_id:1234567812345678"
+ openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "distid:1234567812345678"
 
 Examine and verify an SM2 certificate request:
 
- openssl req -verify -in sm2.csr -sm3 -sm2-id 1234567812345678
+ openssl req -verify -in sm2.csr -sm3 -vfyopt "distid:1234567812345678"
 
 Example of a file pointed to by the B<oid_file> option:
 
diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in
index 7a15e73721..821f88dae9 100644
--- a/doc/man1/openssl-verify.pod.in
+++ b/doc/man1/openssl-verify.pod.in
@@ -12,11 +12,10 @@ B<openssl> B<verify>
 [B<-CRLfile> I<file>]
 [B<-crl_download>]
 [B<-show_chain>]
-[B<-sm2-id> I<hexstring>]
-[B<-sm2-hex-id> I<hexstring>]
 [B<-verbose>]
 [B<-trusted> I<file>]
 [B<-untrusted> I<file>]
+[B<-vfyopt> I<nm>:I<v>]
 {- $OpenSSL::safe::opt_name_synopsis -}
 {- $OpenSSL::safe::opt_trust_synopsis -}
 {- $OpenSSL::safe::opt_engine_synopsis -}
@@ -25,7 +24,7 @@ B<openssl> B<verify>
 [B<-->]
 [I<certificate> ...]
 
-=for openssl ifdef engine sm2-id sm2-hex-id
+=for openssl ifdef engine
 
 =head1 DESCRIPTION
 
@@ -59,16 +58,6 @@ Display information about the certificate chain that has been built (if
 successful). Certificates in the chain that came from the untrusted list will be
 flagged as "untrusted".
 
-=item B<-sm2-id> I<hexstring>
-
-Specify the ID string to use when verifying an SM2 certificate. The ID string is
-required by the SM2 signature algorithm for signing and verification.
-
-=item B<-sm2-hex-id> I<hexstring>
-
-Specify a binary ID string to use when signing or verifying using an SM2
-certificate. The argument for this option is string of hexadecimal digits.
-
 =item B<-verbose>
 
 Print extra information about the operations being performed.
@@ -81,6 +70,11 @@ A file of trusted certificates.
 
 A file of untrusted certificates.
 
+=item B<-vfyopt> I<nm>:I<v>
+
+Pass options to the signature algorithm during verify operations.
+Names and values of these options are algorithm-specific.
+
 {- $OpenSSL::safe::opt_name_item -}
 
 {- $OpenSSL::safe::opt_engine_item -}
@@ -159,8 +153,6 @@ L<ossl_store-file(7)>
 
 The B<-show_chain> option was added in OpenSSL 1.1.0.
 
-The B<-sm2-id> and B<-sm2-hex-id> options were added in OpenSSL 3.0.
-
 =head1 COPYRIGHT
 
 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index 98b4e71231..568a2053fc 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -71,6 +71,7 @@ B<openssl> B<x509>
 [B<-extfile> I<filename>]
 [B<-extensions> I<section>]
 [B<-sigopt> I<nm>:I<v>]
+[B<-vfyopt> I<nm>:I<v>]
 [B<-preserve_dates>]
 {- $OpenSSL::safe::opt_name_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
@@ -371,7 +372,12 @@ for testing.
 
 =item B<-sigopt> I<nm>:I<v>
 
-Pass options to the signature algorithm during sign or verify operations.
+Pass options to the signature algorithm during sign operations.
+Names and values of these options are algorithm-specific.
+
+=item B<-vfyopt> I<nm>:I<v>
+
+Pass options to the signature algorithm during verify operations.
 Names and values of these options are algorithm-specific.
 
 =item B<-passin> I<arg>