author | Rich Salz <rsalz@akamai.com> | 2015-08-27 12:28:08 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2015-08-27 14:27:28 -0400 |
commit | c03726ca4153fca8d66185837008aa078969d386 (patch) | |
tree | 9a3c88f2041fe4f33677c0500c33226c203e1ce7 /doc/apps | |
parent | ad775e04f6dab51b7f929b54f5aa3c2393f957c5 (diff) | |
Various doc fixes.
Make all mention of digest algorithm use "any supported algorithm"
RT2071, some new manpages from Victor B. Wagner <vitus@cryptocom.ru>:
X509_LOOKUP_hash_dir.pod
X509_check_ca.pod
X509_check_issued.pod
RT 1600:
Remove references to non-existent objects(3)
Add RETURN VALUES to BIO_do_accept page.
RT1818:
RSA_sign Can return values other than 0 on failure.
RT3634:
Fix AES CBC aliases (Steffen Nurpmeso <sdaoden@yandex.com>)
RT3678:
Some clarifications to BIO_new_pair
(Devchandra L Meetei <dlmeetei@gmail.com>)
RT3787:
Fix some EVP_ function return values
(Laetitia Baudoin <lbaudoin@google.com>)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'doc/apps')
-rw-r--r-- | doc/apps/ca.pod | 5 |
-rw-r--r-- | doc/apps/dgst.pod | 4 |
-rw-r--r-- | doc/apps/enc.pod | 2 |
-rw-r--r-- | doc/apps/ocsp.pod | 6 |
-rw-r--r-- | doc/apps/openssl.pod | 16 |
-rw-r--r-- | doc/apps/req.pod | 19 |
-rw-r--r-- | doc/apps/ts.pod | 8 |
-rw-r--r-- | doc/apps/x509.pod | 15 |
8 files changed, 40 insertions, 35 deletions
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index be0153a..3a3d1b6 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -167,7 +167,8 @@ the number of days to certify the certificate for. =item B<-md alg> -the message digest to use. Possible values include md5, sha1 and mdc2. +the message digest to use. +Any digest supported by the OpenSSL B<dgst> command can be used. This option also applies to CRLs. =item B<-policy arg> @@ -406,7 +407,7 @@ least one of these must be present to generate a CRL. =item B<default_md> -the same as the B<-md> option. The message digest to use. Mandatory. +the same as the B<-md> option. Mandatory. =item B<database> diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod index 96d3cc0..1b1a7e1 100644 --- a/doc/apps/dgst.pod +++ b/doc/apps/dgst.pod @@ -185,6 +185,10 @@ To verify a signature: =head1 NOTES +The digest mechanisms that are available will depend on the options +used when building OpenSSL. +The B<list digest-commands> command can be used to list them. + New or agile applications should use probably use SHA-256. Other digests, particularly SHA-1 and MD5, are still widely used for interoperating with existing formats and protocols. diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index 1d25cf3..26e678c 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod @@ -282,7 +282,7 @@ authentication tag. rc5-ofb RC5 cipher in OFB mode aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode - aes-[128|192|256] Alias for aes-[128|192|256]-cbc + aes[128|192|256] Alias for aes-[128|192|256]-cbc aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index a9b29b0..2566966 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod 
@@ -261,10 +261,12 @@ information is immediately available. In this case the age of the B<notBefore> f is checked to see it is not older than B<age> seconds old. By default this additional check is not performed. -=item B<-md5|-sha1|-sha256|-ripemod160|...> +=item B<-[digest]> this option sets digest algorithm to use for certificate identification -in the OCSP request. By default SHA-1 is used. +in the OCSP request. +Any digest supported by the OpenSSL B<dgst> command can be used. +The default is SHA-1. =back diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod index d996eda..30ea9bd 100644 --- a/doc/apps/openssl.pod +++ b/doc/apps/openssl.pod @@ -12,7 +12,7 @@ I<command> [ I<command_opts> ] [ I<command_args> ] -B<openssl> [ B<list-standard-commands> | B<list-message-digest-commands> | B<list-cipher-commands> | B<list-cipher-algorithms> | B<list-message-digest-algorithms> | B<list-public-key-algorithms>] +B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<public-key-algorithms>] B<openssl> B<no->I<XXX> [ I<arbitrary options> ] 
@@ -41,20 +41,20 @@ The B<openssl> program provides a rich variety of commands (I<command> in the SYNOPSIS above), each of which often has a wealth of options and arguments (I<command_opts> and I<command_args> in the SYNOPSIS). -The pseudo-commands B<list-standard-commands>, B<list-message-digest-commands>, -and B<list-cipher-commands> output a list (one entry per line) of the names +The list parameters B<standard-commands>, B<digest-commands>, +and B<cipher-commands> output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher commands, respectively, that are available in the present B<openssl> utility. -The pseudo-commands B<list-cipher-algorithms> and -B<list-message-digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as: +The list parameters B<cipher-algorithms> and +B<digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as: from => to -The pseudo-command B<list-public-key-algorithms> lists all supported public +The list parameter B<public-key-algorithms> lists all supported public key algorithms. -The pseudo-command B<no->I<XXX> tests whether a command of the +The command B<no->I<XXX> tests whether a command of the specified name is available. If no command named I<XXX> exists, it returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1 and prints I<XXX>. In both cases, the output goes to B<stdout> and @@ -63,7 +63,7 @@ are always ignored. Since for each cipher there is a command of the same name, this provides an easy way for shell scripts to test for the availability of ciphers in the B<openssl> program. (B<no->I<XXX> is not able to detect pseudo-commands such as B<quit>, -B<list->I<...>B<-commands>, or B<no->I<XXX> itself.) +B<list>, or B<no->I<XXX> itself.) =head2 STANDARD COMMANDS diff --git a/doc/apps/req.pod b/doc/apps/req.pod index 3cbabb7..46bbfe6 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod 
@@ -127,13 +127,6 @@ in the configuration file and any requested extensions. If the B<-key> option is not used it will generate a new RSA private key using information specified in the configuration file. -=item B<-subj arg> - -Replaces subject field of input request with specified data and outputs -modified request. The arg must be formatted as -I</type0=value0/type1=value1/type2=...>, -characters may be escaped by \ (backslash), no spaces are skipped. - =item B<-rand file(s)> a file or files containing random data used to seed the random number @@ -198,8 +191,9 @@ will not be encrypted. =item B<-[digest]> -this specifies the message digest to sign the request with (such as -B<-md5>, B<-sha1>). This overrides the digest algorithm specified in +this specifies the message digest to sign the request. +Any digest supported by the OpenSSL B<dgst> command can be used. +This overrides the digest algorithm specified in the configuration file. Some public key algorithms may override this choice. For instance, DSA @@ -385,9 +379,10 @@ option. For compatibility B<encrypt_rsa_key> is an equivalent option. =item B<default_md> -This option specifies the digest algorithm to use. Possible values -include B<md5 sha1 mdc2>. If not present then MD5 is used. This -option can be overridden on the command line. +This option specifies the digest algorithm to use. +Any digest supported by the OpenSSL B<dgst> command can be used. +If not present then MD5 is used. +This option can be overridden on the command line. =item B<string_mask> diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod index ff086d8..7a55b61 100644 --- a/doc/apps/ts.pod +++ b/doc/apps/ts.pod @@ -12,7 +12,7 @@ B<-query> [B<-config> configfile] [B<-data> file_to_hash] [B<-digest> digest_bytes] -[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>] +[B<-[digest]>] [B<-policy> object_id] [B<-no_nonce>] [B<-cert>] 
@@ -124,10 +124,10 @@ per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or 1AF601...). The number of bytes must match the message digest algorithm in use. (Optional) -=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> +=item B<-[digest]> -The message digest to apply to the data file, it supports all the message -digest algorithms that are supported by the openssl B<dgst> command. +The message digest to apply to the data file. +Any digest supported by the OpenSSL B<dgst> command can be used. The default is SHA-1. (Optional) =item B<-policy> object_id diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index 0c6aaef..a06393d 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -55,7 +55,7 @@ B<openssl> B<x509> [B<-text>] [B<-certopt option>] [B<-C>] -[B<-md2|-md5|-sha1|-mdc2>] +[B<-[digest]>] [B<-clrext>] [B<-extfile filename>] [B<-extensions section>] @@ -101,12 +101,15 @@ if this option is not specified. This specifies the output filename to write to or standard output by default. -=item B<-md2|-md5|-sha1|-mdc2> +=item B<-[digest]> -the digest to use. This affects any signing or display option that uses a message -digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not -specified then SHA1 is used. If the key being used to sign with is a DSA key -then this option has no effect: SHA1 is always used with DSA keys. +the digest to use. +This affects any signing or display option that uses a message +digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. +Any digest supported by the OpenSSL B<dgst> command can be used. +If not specified then SHA1 is used. +Note that if a DSA key is used for signing, then this flag is ignored +and SHA1 is used. =item B<-engine id> |
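Review bot: in doc/apps/dgst.pod (hunk @@ -185,6 +185,10), the context line directly below the added paragraph reads "New or agile applications should use probably use SHA-256", with a duplicated "use". Since this hunk already edits the NOTES section, fix it to "should probably use SHA-256" in the same change. The added text also writes B<list digest-commands> as one bold token, while the openssl.pod SYNOPSIS in this patch marks up B<list> and B<digest-commands> separately; using the same markup in both places would keep the pages consistent.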
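Review bot: in doc/apps/openssl.pod, the hunks at @@ -41,20 +41,20 and @@ -63,7 +63,7 now disagree about what B<no->I<XXX> is. The first rewrites "The pseudo-command B<no->I<XXX>" to "The command B<no->I<XXX>", but the parenthesis in the second still lists it among the pseudo-commands ("not able to detect pseudo-commands such as B<quit>, B<list>, or B<no->I<XXX> itself"). Pick one term and use it in both paragraphs, and say in the same place whether B<list> is now treated as a pseudo-command or as a regular command with parameters.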
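Review bot: in doc/apps/req.pod (hunk @@ -127,13 +127,6), the whole "=item B<-subj arg>" entry is deleted, but the commit message does not list this among its changes. If the entry is a duplicate of one kept elsewhere in req.pod, say so in the commit message; if it is not, this drops the only description of the subject format (I</type0=value0/type1=value1/type2=...> with backslash escaping) and should be restored.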
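Review bot: in doc/apps/req.pod (hunk @@ -385,9 +379,10, B<default_md>), the rewritten text keeps "If not present then MD5 is used" while the dgst.pod NOTES touched by this same patch recommend SHA-256 for new applications. Please confirm the stated default against the code, and consider adding a sentence telling readers to set B<default_md> explicitly in the configuration file rather than rely on the default, since a request signed with MD5 is a poor outcome for anyone who copies a minimal config.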
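Review bot: in doc/apps/x509.pod (hunk @@ -101,12 +101,15), the new text spells the default as "SHA1" ("If not specified then SHA1 is used", "this flag is ignored and SHA1 is used"), whereas the ocsp.pod and ts.pod hunks in this patch write "The default is SHA-1". Use one spelling across the pages. The DSA sentence also says "this flag" where the rest of the item says "option"; "this option is ignored" reads more consistently with the surrounding entries.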