Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10073)
15 files changed:
[B<-verify_name> I<name>]
[B<-x509_strict>]
[B<-md> I<digest>]
[B<-verify_name> I<name>]
[B<-x509_strict>]
[B<-md> I<digest>]
[B<-nointern>]
[B<-noverify>]
[B<-nocerts>]
[B<-nointern>]
[B<-noverify>]
[B<-nocerts>]
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
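Review bot: the description in this context still states that the default signing digest is "(usually SHA1)", and the parenthetical is worth confirming against the current default for the signing key type while this option's documentation is being touched. If it no longer holds, drop or update the parenthetical rather than carrying it forward unchanged.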
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
=head1 SYNOPSIS
B<openssl dgst>
=head1 SYNOPSIS
B<openssl dgst>
[B<-help>]
[B<-c>]
[B<-d>]
[B<-help>]
[B<-c>]
[B<-d>]
Print out a usage message.
Print out a usage message.
Specifies name of a supported digest to be used. To see the list of
supported digests, use the command C<list --digest-commands>.
Specifies name of a supported digest to be used. To see the list of
supported digests, use the command C<list --digest-commands>.
=head1 SYNOPSIS
B<openssl>
=head1 SYNOPSIS
B<openssl>
[B<-help>]
[B<-ciphers>]
[B<-in> I<filename>]
[B<-help>]
[B<-ciphers>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-pass> I<arg>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-pass> I<arg>]
[B<-engine> I<id>]
[B<-paramfile> I<file>]
[B<-algorithm> I<alg>]
[B<-engine> I<id>]
[B<-paramfile> I<file>]
[B<-algorithm> I<alg>]
The output file password source. For more information about the format of B<arg>
see L<openssl(1)/Pass phrase options>.
The output file password source. For more information about the format of B<arg>
see L<openssl(1)/Pass phrase options>.
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
[B<-resp_key_id>]
[B<-nrequest> I<n>]
[B<-rcid> I<digest>]
[B<-resp_key_id>]
[B<-nrequest> I<n>]
[B<-rcid> I<digest>]
in the OCSP response. Any digest supported by the OpenSSL B<dgst> command can
be used. The default is the same digest algorithm used in the request.
in the OCSP response. Any digest supported by the OpenSSL B<dgst> command can
be used. The default is the same digest algorithm used in the request.
This option sets digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
This option sets digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
[B<-writerand> I<file>]
[B<-nocrypt>]
[B<-traditional>]
[B<-writerand> I<file>]
[B<-nocrypt>]
[B<-traditional>]
-[B<-v2 alg>]
-[B<-v2prf alg>]
-[B<-v1 alg>]
+[B<-v2> I<alg>]
+[B<-v2prf> I<alg>]
+[B<-v1> I<alg>]
[B<-engine> I<id>]
[B<-scrypt>]
[B<-scrypt_N> I<N>]
[B<-engine> I<id>]
[B<-scrypt>]
[B<-scrypt_N> I<N>]
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
This option sets the PKCS#5 v2.0 algorithm.
This option sets the PKCS#5 v2.0 algorithm.
B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
is used.
B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
is used.
This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
value would be B<hmacWithSHA256>. If this option isn't set then the default
This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
value would be B<hmacWithSHA256>. If this option isn't set then the default
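Review bot: the PRF description in this context has a doubled word across the line break, "A typical value" followed by "value would be B<hmacWithSHA256>". Since the surrounding item markup is being cleaned up in this file, remove the second "value" in the same pass.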
Some implementations may not support custom PRF algorithms and may require
the B<hmacWithSHA1> option to work.
Some implementations may not support custom PRF algorithms and may require
the B<hmacWithSHA1> option to work.
This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
older implementations may not support PKCS#5 v2.0 and may require this option.
This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
older implementations may not support PKCS#5 v2.0 and may require this option.
[B<-out> I<filename>]
[B<-passout> I<arg>]
[B<-traditional>]
[B<-out> I<filename>]
[B<-passout> I<arg>]
[B<-traditional>]
[B<-text>]
[B<-text_pub>]
[B<-noout>]
[B<-text>]
[B<-text_pub>]
[B<-noout>]
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.
These options encrypt the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
These options encrypt the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
[B<-keyform> B<DER>|B<PEM>]
[B<-keyout> I<filename>]
[B<-keygen_engine> I<id>]
[B<-keyform> B<DER>|B<PEM>]
[B<-keyout> I<filename>]
[B<-keygen_engine> I<id>]
[B<-config> I<filename>]
[B<-multivalue-rdn>]
[B<-x509>]
[B<-config> I<filename>]
[B<-multivalue-rdn>]
[B<-x509>]
If this option is specified then if a private key is created it
will not be encrypted.
If this option is specified then if a private key is created it
will not be encrypted.
This specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
This specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-pkcs, -oaep, -ssl, -raw>
+=item B<-pkcs>, B<-oaep>, B<-ssl>, B<-raw>
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
special padding used in SSL v2 backwards compatible handshakes,
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
special padding used in SSL v2 backwards compatible handshakes,
[B<-WWW>]
[B<-servername>]
[B<-servername_fatal>]
[B<-WWW>]
[B<-servername>]
[B<-servername_fatal>]
-[B<-cert2 infile>]
-[B<-key2 infile>]
+[B<-cert2> I<infile>]
+[B<-key2> I<infile>]
[B<-tlsextdebug>]
[B<-HTTP>]
[B<-id_prefix> I<val>]
[B<-tlsextdebug>]
[B<-HTTP>]
[B<-id_prefix> I<val>]
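Review bot: the new `[B<-cert2> I<infile>]` and `[B<-key2> I<infile>]` lines use the placeholder I<infile>, while other synopsis lines on this page use I<filename> or I<file> for the same kind of argument; pick one for consistency. Also, the context line `[B<-servername>]` just above carries no argument placeholder, so check whether that option takes a value and, if it does, give it the same B<-opt> I<arg> form.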
[B<-pk7out>]
[B<-binary>]
[B<-crlfeol>]
[B<-pk7out>]
[B<-binary>]
[B<-crlfeol>]
[B<-in> I<file>]
[B<-CAfile> I<file>]
[B<-CApath> I<dir>]
[B<-in> I<file>]
[B<-CAfile> I<file>]
[B<-CApath> I<dir>]
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
The encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
The encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
One or more certificates of message recipients: used when encrypting
a message.
One or more certificates of message recipients: used when encrypting
a message.
-=item B<-to, -from, -subject>
+=item B<-to>, B<-from>, B<-subject>
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
[B<-serial> I<arg>]
[B<-alias> I<arg>]
[B<-fingerprint> I<arg>]
[B<-serial> I<arg>]
[B<-alias> I<arg>]
[B<-fingerprint> I<arg>]
B<uri> ...
=head1 DESCRIPTION
B<uri> ...
=head1 DESCRIPTION
Search for an object having the given fingerprint.
Search for an object having the given fingerprint.
The digest that was used to compute the fingerprint given with B<-fingerprint>.
The digest that was used to compute the fingerprint given with B<-fingerprint>.
[B<-config> I<configfile>]
[B<-data> I<file_to_hash>]
[B<-digest> I<digest_bytes>]
[B<-config> I<configfile>]
[B<-data> I<file_to_hash>]
[B<-digest> I<digest_bytes>]
[B<-tspolicy> I<object_id>]
[B<-no_nonce>]
[B<-cert>]
[B<-tspolicy> I<object_id>]
[B<-no_nonce>]
[B<-cert>]
[B<-passin> I<password_src>]
[B<-signer> I<tsa_cert.pem>]
[B<-inkey> I<file_or_id>]
[B<-passin> I<password_src>]
[B<-signer> I<tsa_cert.pem>]
[B<-inkey> I<file_or_id>]
[B<-chain> I<certs_file.pem>]
[B<-tspolicy> I<object_id>]
[B<-in> I<response.tsr>]
[B<-chain> I<certs_file.pem>]
[B<-tspolicy> I<object_id>]
[B<-in> I<response.tsr>]
1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
The message digest to apply to the data file.
Any digest supported by the OpenSSL B<dgst> command can be used.
The message digest to apply to the data file.
Any digest supported by the OpenSSL B<dgst> command can be used.
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
Signing digest to use. Overrides the B<signer_digest> config file
option. (Mandatory unless specified in the config file)
Signing digest to use. Overrides the B<signer_digest> config file
option. (Mandatory unless specified in the config file)
=item B<signer_digest>
Signing digest to use. The same as the
=item B<signer_digest>
Signing digest to use. The same as the
-B<->I<digest> command line option. (Mandatory unless specified on the command
+B<-I<digest>> command line option. (Mandatory unless specified on the command
line)
=item B<default_policy>
line)
=item B<default_policy>
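Review bot: the replacement `B<-I<digest>>` nests an italic code inside a bold one, which differs from the `B<-opt> I<arg>` form used for every other option in this change. That is reasonable here because the digest name is itself the option, but the synopsis and the =item entry for this option in the same file should use the identical nested form so the cross-reference "The same as the B<-I<digest>> command line option" matches what the reader sees there.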
[B<-verify_name> I<name>]
[B<-x509_strict>]
[B<-show_chain>]
[B<-verify_name> I<name>]
[B<-x509_strict>]
[B<-show_chain>]
-[B<-sm2-id string>]
-[B<-sm2-hex-id hex-string>]
-[B<->]
+[B<-sm2-id> I<string>]
+[B<-sm2-hex-id> I<hex-string>]
+[B<-->]
[certificates]
=for comment ifdef engine sm2-id sm2-hex-id
[certificates]
=for comment ifdef engine sm2-id sm2-hex-id
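Review bot: the change from `[B<->]` to `[B<-->]` is a content correction rather than a markup one (the end-of-options marker is a different string), so the corresponding =item entry and any prose that names the marker should be checked to say `--` as well. The context line `[certificates]` directly after it is left without markup while every placeholder touched here gains I<...>; consider `[I<certificates>]` for consistency.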
Specify a binary ID string to use when signing or verifying using an SM2
certificate. The argument for this option is string of hexadecimal digits.
Specify a binary ID string to use when signing or verifying using an SM2
certificate. The argument for this option is string of hexadecimal digits.
Indicates the last option. All arguments following this are assumed to be
certificate files. This is useful if the first certificate filename begins
Indicates the last option. All arguments following this are assumed to be
certificate files. This is useful if the first certificate filename begins
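Review bot: the SM2 ID description in this context reads "The argument for this option is string of hexadecimal digits", which is missing an article ("is a string of"). It also opens with "Specify a binary ID string", so make sure the wording distinguishes the plain-string option from the hex-string option now that the synopsis shows them as `B<-sm2-id> I<string>` and `B<-sm2-hex-id> I<hex-string>`.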
[B<-ext> I<extensions>]
[B<-certopt> I<option>]
[B<-C>]
[B<-ext> I<extensions>]
[B<-certopt> I<option>]
[B<-C>]
[B<-clrext>]
[B<-extfile> I<filename>]
[B<-extensions> I<section>]
[B<-clrext>]
[B<-extfile> I<filename>]
[B<-extensions> I<section>]
This specifies the output filename to write to or standard output by
default.
This specifies the output filename to write to or standard output by
default.
The digest to use.
This affects any signing or display option that uses a message
The digest to use.
This affects any signing or display option that uses a message