diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-05-06 13:51:50 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-05-15 20:20:08 +0200 |
| commit | 6d382c74b375f1f8c44f04ec3de95ff781598a3b (patch) | |
| tree | 4991b57879da3810fbf912c3d169232755380432 /doc | |
| parent | 60d5331350a5e557908eed0ba7420dba2ad3b79f (diff) | |
Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c
This also adds the more flexible and general load_key_cert_crl()
as well as helper functions get_passwd(), cleanse(), and clear_free()
to be used also in apps/cmp.c etc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11755)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man1/openssl-ca.pod.in | 18 | ||||
| -rw-r--r-- | doc/man1/openssl-cms.pod.in | 14 | ||||
| -rw-r--r-- | doc/man1/openssl-crl.pod.in | 24 | ||||
| -rw-r--r-- | doc/man1/openssl-dgst.pod.in | 4 | ||||
| -rw-r--r-- | doc/man1/openssl-ec.pod.in | 12 | ||||
| -rw-r--r-- | doc/man1/openssl-ocsp.pod.in | 4 | ||||
| -rw-r--r-- | doc/man1/openssl-pkey.pod.in | 12 | ||||
| -rw-r--r-- | doc/man1/openssl-pkeyutl.pod.in | 14 | ||||
| -rw-r--r-- | doc/man1/openssl-req.pod.in | 8 | ||||
| -rw-r--r-- | doc/man1/openssl-rsa.pod.in | 12 | ||||
| -rw-r--r-- | doc/man1/openssl-rsautl.pod.in | 8 | ||||
| -rw-r--r-- | doc/man1/openssl-s_client.pod.in | 16 | ||||
| -rw-r--r-- | doc/man1/openssl-s_server.pod.in | 32 | ||||
| -rw-r--r-- | doc/man1/openssl-smime.pod.in | 14 | ||||
| -rw-r--r-- | doc/man1/openssl-spkac.pod.in | 10 | ||||
| -rw-r--r-- | doc/man1/openssl-verify.pod.in | 1 | ||||
| -rw-r--r-- | doc/man1/openssl-x509.pod.in | 42 | ||||
| -rw-r--r-- | doc/man1/openssl.pod | 34 |
18 files changed, 188 insertions, 91 deletions
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 0202661845..35b36afbb4 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -32,11 +32,11 @@ B<openssl> B<ca> [B<-md> I<arg>] [B<-policy> I<arg>] [B<-keyfile> I<arg>] -[B<-keyform> B<DER>|B<PEM>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-key> I<arg>] [B<-passin> I<arg>] [B<-cert> I<file>] -[B<-certform> B<DER>|<PEM>] +[B<-certform> B<DER>|B<PEM>|B<P12>] [B<-selfsign>] [B<-in> I<file>] [B<-inform> B<DER>|<PEM>] @@ -142,18 +142,19 @@ F<.pem> appended. The CA certificate file. -=item B<-certform> B<DER>|B<PEM> +=item B<-certform> B<DER>|B<PEM>|B<P12> The format of the data in certificate input files. -The default is PEM. +This option has no effect and is retained for backward compatibility only. =item B<-keyfile> I<filename> The private key to sign requests with. -=item B<-keyform> B<DER>|B<PEM> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The format of the private key file; the default is B<PEM>. +The format of the private key input file; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-sigopt> I<nm>:I<v> @@ -788,6 +789,11 @@ retained mainly for compatibility reasons. The B<-section> option was added in OpenSSL 3.0.0. +The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect. + +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 SEE ALSO L<openssl(1)>, diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 4fbb7c0e16..375d358703 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -36,7 +36,7 @@ B<openssl> B<cms> [B<-inform> B<DER>|B<PEM>|B<SMIME>] [B<-outform> B<DER>|B<PEM>|B<SMIME>] [B<-rctform> B<DER>|B<PEM>|B<SMIME>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-stream>] [B<-indef>] [B<-noindef>] @@ -82,7 +82,7 @@ B<openssl> B<cms> {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} -[I<cert.pem> ...] +[I<recipient-cert> ...] =for openssl ifdef des-wrap engine @@ -235,9 +235,10 @@ The output format of the CMS structure (if one is being written); the default is B<SMIME>. See L<openssl(1)/Format Options> for details. -=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The format of the private key file; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-rctform> B<DER>|B<PEM>|B<SMIME> @@ -370,7 +371,7 @@ the MIME type multipart/signed is used. Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for -the signers certificates. The certificates should be in PEM format. +the signers certificates. =item B<-certsout> I<file> @@ -493,7 +494,7 @@ Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_provider_item -} -=item I<cert.pem> ... +=item I<recipient-cert> ... One or more certificates of message recipients: used when encrypting a message. @@ -766,6 +767,9 @@ was added in OpenSSL 1.0.2. The -no_alt_chains option was added in OpenSSL 1.0.2b. +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in index 409f0b6020..19e72f1b60 100644 --- a/doc/man1/openssl-crl.pod.in +++ b/doc/man1/openssl-crl.pod.in @@ -12,7 +12,7 @@ B<openssl> B<crl> [B<-inform> B<DER>|B<PEM>] [B<-outform> B<DER>|B<PEM>] [B<-key> I<filename>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>] [B<-text>] [B<-in> I<filename>] [B<-out> I<filename>] @@ -45,19 +45,24 @@ This command processes CRL files in DER or PEM format. Print out a usage message. -=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> +=item B<-inform> B<DER>|B<PEM> -The input and output formats of the CRL; the default is B<PEM>. +The CRL input format. +This option has no effect and is retained for backward compatibility only. + +=item B<-outform> B<DER>|B<PEM> + +The CRL output format; the default is B<PEM>. See L<openssl(1)/Format Options> for details. =item B<-key> I<filename> The private key to be used to sign the CRL. -=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-keyform> B<DER>|B<PEM>|B<P12> -The format of the private key file; the default is B<PEM>. -See L<openssl(1)/Format Options> for details. +The format of the private key file. +This option has no effect and is retained for backward compatibility only. =item B<-in> I<filename> @@ -136,7 +141,7 @@ Convert a CRL file from PEM to DER: Output the text form of a DER encoded certificate: - openssl crl -in crl.der -inform DER -text -noout + openssl crl -in crl.der -text -noout =head1 BUGS @@ -151,6 +156,11 @@ L<openssl-ca(1)>, L<openssl-x509(1)>, L<ossl_store-file(7)> +=head1 HISTORY + +The B<-inform> and B<-keyform> options have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index 84bd133f84..22c07a5a7f 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -103,6 +103,7 @@ command instead for this. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The format of the key to sign with; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-sigopt> I<nm>:I<v> @@ -247,6 +248,9 @@ L<openssl-mac(1)> The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0. The FIPS-related options were removed in OpenSSL 1.1.0. +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index cad26289b4..c1e92ef51e 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in @@ -13,7 +13,7 @@ openssl-ec - EC key processing B<openssl> B<ec> [B<-help>] -[B<-inform> B<DER>|B<PEM>] +[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-outform> B<DER>|B<PEM>] [B<-in> I<filename>] [B<-passin> I<arg>] @@ -52,9 +52,15 @@ PKCS#8 private key format use the L<openssl-pkcs8(1)> command. Print out a usage message. -=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> +=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The input and formats; the default is B<PEM>. +The key input format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. +See L<openssl(1)/Format Options> for details. + +=item B<-outform> B<DER>|B<PEM> + +The key output formats; the default is B<PEM>. See L<openssl(1)/Format Options> for details. Private keys are an SEC1 private key or PKCS#8 format. diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index e227f50e75..a738ddbdd7 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -103,8 +103,8 @@ specify output filename, default is standard output. =item B<-issuer> I<filename> This specifies the current issuer certificate. This option can be used -multiple times. The certificate specified in I<filename> must be in -PEM format. This option B<MUST> come before any B<-cert> options. +multiple times. +This option B<MUST> come before any B<-cert> options. =item B<-cert> I<filename> diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index a678bd7516..de1bef954c 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in @@ -13,7 +13,7 @@ openssl-pkey - public or private key processing command B<openssl> B<pkey> [B<-help>] -[B<-inform> B<DER>|B<PEM>] +[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-outform> B<DER>|B<PEM>] [B<-in> I<filename>] [B<-passin> I<arg>] @@ -48,9 +48,15 @@ converted between various forms and their components printed out. Print out a usage message. -=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> +=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The input and formats; the default is B<PEM>. +The key input format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. +See L<openssl(1)/Format Options> for details. + +=item B<-outform> B<DER>|B<PEM> + +The key output formats; the default is B<PEM>. See L<openssl(1)/Format Options> for details. =item B<-in> I<filename> diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index 0a65f6acc5..d823f0b851 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -15,10 +15,10 @@ B<openssl> B<pkeyutl> [B<-out> I<file>] [B<-sigfile> I<file>] [B<-inkey> I<file>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-passin> I<arg>] [B<-peerkey> I<file>] -[B<-peerform> B<DER>|B<PEM>|B<ENGINE>] +[B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-pubin>] [B<-certin>] [B<-rev>] @@ -89,9 +89,10 @@ Signature file, required for B<-verify> operations only The input key file, by default it should be a private key. -=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The key format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-passin> I<arg> @@ -103,9 +104,10 @@ see L<openssl(1)/Pass Phrase Options>. The peer key file, used by key derivation (agreement) operations. -=item B<-peerform> B<DER>|B<PEM>|B<ENGINE> +=item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The peer key format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-pubin> @@ -402,6 +404,10 @@ L<openssl-kdf(1)> L<EVP_PKEY_CTX_set_hkdf_md(3)>, L<EVP_PKEY_CTX_set_tls1_prf_md(3)>, +=head1 HISTORY + +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. =head1 COPYRIGHT diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 397bf552ad..ab6b3d78a2 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -25,7 +25,7 @@ B<openssl> B<req> [B<-pkeyopt> I<opt>:I<value>] [B<-nodes>] [B<-key> I<filename>] -[B<-keyform> B<DER>|B<PEM>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-keyout> I<filename>] [B<-keygen_engine> I<id>] [B<-I<digest>>] @@ -186,9 +186,10 @@ See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details. This specifies the file to read the private key from. It also accepts PKCS#8 format private keys for PEM format files. -=item B<-keyform> B<DER>|B<PEM> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The format of the private key; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-keyout> I<filename> @@ -691,6 +692,9 @@ L<x509v3_config(5)> The B<-section> option was added in OpenSSL 3.0.0. +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in index 5dacdf9313..b2477b2b2c 100644 --- a/doc/man1/openssl-rsa.pod.in +++ b/doc/man1/openssl-rsa.pod.in @@ -13,7 +13,7 @@ openssl-rsa - RSA key processing command B<openssl> B<rsa> [B<-help>] -[B<-inform> B<DER>|B<PEM>] +[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-outform> B<DER>|B<PEM>] [B<-in> I<filename>] [B<-passin> I<arg>] @@ -61,9 +61,15 @@ L<openssl-pkcs8(1)> command. Print out a usage message. -=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> +=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The input and formats; the default is B<PEM>. +The key input format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. +See L<openssl(1)/Format Options> for details. + +=item B<-outform> B<DER>|B<PEM> + +The key output format; the default is B<PEM>. See L<openssl(1)/Format Options> for details. =item B<-inform> B<DER>|B<PEM> diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in index 2461db537d..5383fe2116 100644 --- a/doc/man1/openssl-rsautl.pod.in +++ b/doc/man1/openssl-rsautl.pod.in @@ -14,7 +14,7 @@ B<openssl> B<rsautl> [B<-rev>] [B<-out> I<file>] [B<-inkey> I<file>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-pubin>] [B<-certin>] [B<-sign>] @@ -76,9 +76,10 @@ default. The input key file, by default it should be an RSA private key. -=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The key format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-pubin> @@ -237,6 +238,9 @@ L<openssl-genrsa(1)> This command was deprecated in OpenSSL 3.0. +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 5f04358a84..4d6b54a5e3 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -29,14 +29,14 @@ B<openssl> B<s_client> [B<-verifyCApath> I<dir>] [B<-verifyCAstore> I<uri>] [B<-cert> I<filename>] -[B<-certform> B<DER>|B<PEM>] +[B<-certform> B<DER>|B<PEM>|B<P12>] [B<-cert_chain> I<filename>] [B<-build_chain>] [B<-CRL> I<filename>] [B<-CRLform> B<DER>|B<PEM>] [B<-crl_download>] [B<-key> I<filename>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-pass> I<arg>] [B<-chainCAfile> I<filename>] [B<-chainCApath> I<directory>] @@ -240,10 +240,10 @@ The default is not to use a certificate. The chain for the client certificate may be specified using B<-cert_chain>. -=item B<-certform> B<DER>|B<PEM> +=item B<-certform> B<DER>|B<PEM>|B<P12> The client certificate file format to use; the default is B<PEM>. -see L<openssl(1)/Format Options>. +This option has no effect and is retained for backward compatibility only. =item B<-cert_chain> @@ -273,9 +273,10 @@ Download CRL from distribution points in the certificate. The client private key file to use. If not specified then the certificate file will be used to read also the key. -=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The key format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-pass> I<arg> @@ -894,6 +895,11 @@ L<ossl_store-file(7)> The B<-no_alt_chains> option was added in OpenSSL 1.1.0. The B<-name> option was added in OpenSSL 1.1.1. +The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect. + +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index c9f4bfc11b..8e5da51c40 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -20,19 +20,19 @@ B<openssl> B<s_server> [B<-Verify> I<int>] [B<-cert> I<infile>] [B<-cert2> I<infile>] -[B<-certform> B<DER>|B<PEM>] +[B<-certform> B<DER>|B<PEM>|B<P12>] [B<-cert_chain> I<infile>] [B<-build_chain>] [B<-serverinfo> I<val>] [B<-key> I<infile>] [B<-key2> I<infile>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-pass> I<val>] [B<-dcert> I<infile>] -[B<-dcertform> B<DER>|B<PEM>] +[B<-dcertform> B<DER>|B<PEM>|B<P12>] [B<-dcert_chain> I<infile>] [B<-dkey> I<infile>] -[B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-dpass> I<val>] [B<-nbio_test>] [B<-crlf>] @@ -220,10 +220,10 @@ certificate and some require a certificate with a certain public key type: for example the DSS cipher suites require a certificate containing a DSS (DSA) key. If not specified then the filename F<server.pem> will be used. -=item B<-certform> B<DER>|B<PEM> +=item B<-certform> B<DER>|B<PEM>|B<P12> -The server certificate file format; the default is B<PEM>. -See L<openssl(1)/Format Options> for details. +The server certificate file format. +This option has no effect and is retained for backward compatibility only. =item B<-cert_chain> @@ -248,9 +248,10 @@ ServerHello extension will be returned. The private key to use. If not specified then the certificate file will be used. -=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The key format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-pass> I<val> @@ -276,14 +277,15 @@ A file containing untrusted certificates to use when attempting to build the server certificate chain when a certificate specified via the B<-dcert> option is in use. -=item B<-dcertform> B<DER>|B<PEM> +=item B<-dcertform> B<DER>|B<PEM>|B<P12> -The format of the additional certificate file; the default is B<PEM>. -See L<openssl(1)/Format Options>. +The format of the additional certificate file. +This option has no effect and is retained for backward compatibility only. -=item B<-dkeyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The format of the additional private key; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options>. =item B<-dpass> I<val> @@ -822,6 +824,12 @@ The -no_alt_chains option was added in OpenSSL 1.1.0. The -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1. +All B<-keyform> and B<-dkeyform> values except B<ENGINE> +have become obsolete in OpenSSL 3.0.0 and have no effect. + +The B<-certform> and B<-dcertform> options have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index 13a0e4a47e..4dce01a46e 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -32,7 +32,7 @@ B<openssl> B<smime> [B<-recip> I< file>] [B<-inform> B<DER>|B<PEM>|B<SMIME>] [B<-outform> B<DER>|B<PEM>|B<SMIME>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-passin> I<arg>] [B<-inkey> I<file_or_id>] [B<-out> I<file>] @@ -50,7 +50,7 @@ B<openssl> B<smime> {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_v_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} -I<cert.pem> ... +I<recipcert> ... =for openssl ifdef engine @@ -125,9 +125,10 @@ The output format of the PKCS#7 (S/MIME) structure (if one is being written); the default is B<SMIME>. See L<openssl(1)/Format Options> for details. -=item B<-keyform> B<DER>|B<PEM> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The key format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-stream>, B<-indef>, B<-noindef> @@ -235,7 +236,7 @@ option is present B<CRLF> is used instead. Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for -the signers certificates. The certificates should be in PEM format. +the signers certificates. =item B<-signer> I<file> @@ -291,7 +292,7 @@ Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_provider_item -} -=item I<cert.pem> ... +=item I<recipcert> ... One or more certificates of message recipients, used when encrypting a message. @@ -479,6 +480,9 @@ added in OpenSSL 1.0.0 The -no_alt_chains option was added in OpenSSL 1.1.0. +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in index 72e4788fd1..ca7d097d85 100644 --- a/doc/man1/openssl-spkac.pod.in +++ b/doc/man1/openssl-spkac.pod.in @@ -16,7 +16,7 @@ B<openssl> B<spkac> [B<-in> I<filename>] [B<-out> I<filename>] [B<-key> I<keyfile>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-passin> I<arg>] [B<-challenge> I<string>] [B<-pubkey>] @@ -59,9 +59,10 @@ Create an SPKAC file using the private key in I<keyfile>. The B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if present. -=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The key format; the default is B<PEM>. +The only value with effect is B<ENGINE>; all others have become obsolete. See L<openssl(1)/Format Options> for details. =item B<-passin> I<arg> @@ -148,6 +149,11 @@ to be used in a "replay attack". L<openssl(1)>, L<openssl-ca(1)> +=head1 HISTORY + +All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index e4e394faa6..7271efe833 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in @@ -99,7 +99,6 @@ with a B<->. One or more certificates to verify. If no certificates are given, this command will attempt to read a certificate from standard input. -Certificates must be in PEM format. If a certificate chain has multiple problems, this program tries to display all of them. diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index b8fd2a4041..918c91b34b 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -11,9 +11,9 @@ B<openssl> B<x509> [B<-help>] [B<-inform> B<DER>|B<PEM>] [B<-outform> B<DER>|B<PEM>] -[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] -[B<-CAform> B<DER>|B<PEM>] -[B<-CAkeyform> B<DER>|B<PEM>|B<ENGINE>] +[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] +[B<-CAform> B<DER>|B<PEM>|B<P12>] +[B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] [B<-in> I<filename>] [B<-out> I<filename>] [B<-serial>] @@ -100,13 +100,18 @@ various sections. Print out a usage message. -=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> +=item B<-inform> B<DER>|B<PEM> -The input and formats; the default is B<PEM>. +The CSR input format; the default is B<PEM>. See L<openssl(1)/Format Options> for details. -The input is normally an X.509 certificate, but this can change if other -options such as B<-req> are used. +The input is normally an X.509 certificate file of any format, +but this can change if other options such as B<-req> are used. + +B<-outform> B<DER>|B<PEM> + +The output format; the default is B<PEM>. +See L<openssl(1)/Format Options> for details. =item B<-in> I<filename> @@ -355,8 +360,7 @@ can thus behave like a "mini CA". =item B<-signkey> I<arg> This option causes the input file to be self signed using the supplied -private key or engine. The private key's format is specified with the -B<-keyform> option. +private key or engine. It sets the issuer name to the subject name (i.e., makes it self-issued) and changes the public key to the supplied value (unless overridden by @@ -392,14 +396,21 @@ certificate is being created from another certificate (for example with the B<-signkey> or the B<-CA> options). Normally all extensions are retained. -=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> +=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The key format; the default is B<PEM>. +The only value with effect is B< |