Add 'align' option to nameopt.

Add default values for display by the 'ca' utility
to openssl.cnf

Update docs.

diff --git a/apps/apps.c b/apps/apps.c
index ab30e53ba5c74f9c15dc8db29407986c370d2d8e..d8d9140075346e0a6099bf85375cb894ab548542 100644 (file)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -796,6 +796,7 @@ int set_name_ex(unsigned long *flags, const char *arg)
                { "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
                { "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
                { "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
                { "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
                { "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
                { "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},

+               { "align", XN_FLAG_FN_ALIGN, 0},

                { "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
                { "space_eq", XN_FLAG_SPC_EQ, 0},
                { "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
                { "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
                { "space_eq", XN_FLAG_SPC_EQ, 0},
                { "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index c089a21f2702cffd0d2613c802c3394ad00a2ead..f02b2bdf84278f3fcfcfdf303b60f8d6a6a11c64 100644 (file)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -48,6 +48,11 @@ RANDFILE     = $dir/private/.rand    # private random number file
 
 x509_extensions        = usr_cert              # The extentions to add to the cert
 
 
 x509_extensions        = usr_cert              # The extentions to add to the cert
 

+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt       = ca_default            # Subject Name options
+cert_opt       = ca_default            # Certificate field options
+

 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crl_extensions       = crl_ext
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crl_extensions       = crl_ext

diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 5adf805a94854cfa164f89ca4cfd3cb209c62838..e441a620c141104c86a8c9cf133a8f8b5f7e43bd 100644 (file)
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -317,6 +317,23 @@ the same as B<-msie_hack>
 the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 
 the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 

+=item B<nameopt>, B<certopt>
+
+these options allow the format used to display the certificate details
+when asking the user to confirm signing. All the options supported by
+the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
+here, except the B<no_signame> and B<no_sigdump> are permanently set
+and cannot be disabled (this is because the certificate signature cannot
+be displayed because the certificate has not been signed at this point).
+
+For convenience the values B<default_ca> are accepted by both to produce
+a reasonable output.
+
+If neither option is present the format used in earlier versions of
+OpenSSL is used. Use of the old format is B<strongly> discouraged because
+it only displays fields mentioned in the B<policy> section, mishandles
+multicharacter string types and does not display extensions.
+

 =back
 
 =head1 POLICY FORMAT
 =back
 
 =head1 POLICY FORMAT


@@ -407,6 +424,9 @@ A sample configuration file with the relevant sections for B<ca>:
 
  policy         = policy_any            # default policy
 
 
  policy         = policy_any            # default policy
 

+ nameopt       = default_ca            # Subject name display option
+ certopt       = default_ca            # Certificate display option
+

  [ policy_any ]
  countryName            = supplied
  stateOrProvinceName    = optional
  [ policy_any ]
  countryName            = supplied
  stateOrProvinceName    = optional


@@ -420,7 +440,7 @@ A sample configuration file with the relevant sections for B<ca>:
 The B<ca> command is quirky and at times downright unfriendly.
 
 The B<ca> utility was originally meant as an example of how to do things
 The B<ca> command is quirky and at times downright unfriendly.
 
 The B<ca> utility was originally meant as an example of how to do things

-in a CA. It was not supposed be be used as a full blown CA itself:
+in a CA. It was not supposed to be used as a full blown CA itself:

 nevertheless some people are using it for this purpose.
 
 The B<ca> command is effectively a single user command: no locking is
 nevertheless some people are using it for this purpose.
 
 The B<ca> command is effectively a single user command: no locking is


@@ -487,9 +507,8 @@ exposed at either a command or interface level so a more friendly utility
 B<CA.pl> help a little but not very much.
 
 Any fields in a request that are not present in a policy are silently
 B<CA.pl> help a little but not very much.
 
 Any fields in a request that are not present in a policy are silently

-deleted. This does not happen if the B<-preserveDN> option is used but
-the extra fields are not displayed when the user is asked to certify
-a request. The behaviour should be more friendly and configurable.
+deleted. This does not happen if the B<-preserveDN> option is used.
+The behaviour should be more friendly and configurable.

 
 Cancelling some commands by refusing to certify a certificate can
 create an empty file.
 
 Cancelling some commands by refusing to certify a certificate can
 create an empty file.

diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index dab9fa1333e0b2f59e08ef140c5fb8a5556b8ce4..a584785b477a9624ae37dcf5ff9ab873109f06ff 100644 (file)
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -115,9 +115,10 @@ any extensions present and any trust settings.
 
 =item B<-certopt option>
 
 
 =item B<-certopt option>
 

-customise the output format used with B<-text>. This option may be used more
-than once to set multiple options. See the B<OUTPUT OPTIONS> section for
-more information.
+customise the output format used with B<-text>. The B<option> argument can be
+a single option or multiple options separated by commas. The B<-certopt> switch
+may be also be used more than once to set multiple options. See the B<TEXT OPTIONS>
+section for more information.

 
 =item B<-noout>
 
 
 =item B<-noout>
 


@@ -148,9 +149,10 @@ outputs the issuer name.
 
 =item B<-nameopt option>
 
 
 =item B<-nameopt option>
 

-option which determines how the subject or issuer names are displayed. This
-option may be used more than once to set multiple options. See the B<NAME
-OPTIONS> section for more information.
+option which determines how the subject or issuer names are displayed. The
+B<option> argument can be a single option or multiple options separated by
+commas.  Alternatively the B<-nameopt> switch may be used more than once to
+set multiple options. See the B<NAME OPTIONS> section for more information.

 
 =item B<-email>
 
 
 =item B<-email>
 


@@ -390,7 +392,7 @@ options.
 =item B<multiline>
 
 a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
 =item B<multiline>
 
 a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,

-B<spc_eq> and B<lname>.
+B<spc_eq>, B<lname> and B<align>.

 
 =item B<esc_2253>
 
 
 =item B<esc_2253>
 


@@ -485,6 +487,11 @@ not display the field at all. B<sname> uses the "short name" form
 B<oid> represents the OID in numerical form and is useful for
 diagnostic purpose.
 
 B<oid> represents the OID in numerical form and is useful for
 diagnostic purpose.
 

+=item B<align>
+
+align field values for a more readable output. Only usable with
+B<sep_multiline>.
+

 =item B<spc_eq>
 
 places spaces round the B<=> character which follows the field
 =item B<spc_eq>
 
 places spaces round the B<=> character which follows the field


@@ -492,7 +499,7 @@ name.
 
 =back
 
 
 =back
 

-=head1 OUTPUT OPTIONS
+=head1 TEXT OPTIONS

 
 As well as customising the name output format, it is also possible to
 customise the actual fields printed using the B<certopt> options when
 
 As well as customising the name output format, it is also possible to
 customise the actual fields printed using the B<certopt> options when


@@ -562,6 +569,13 @@ ASN1 parse unsupported extensions.
 
 hex dump unsupported extensions.
 
 
 hex dump unsupported extensions.
 

+=item B<ca_default>
+
+the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>, B<no_header>,
+B<no_version>, B<no_sigdump> and B<no_signame>.
+
+
+

 =over 4
 
 =back
 =over 4
 
 =back


@@ -590,7 +604,7 @@ Display the certificate subject name in RFC2253 form:
 Display the certificate subject name in oneline form on a terminal
 supporting UTF8:
 
 Display the certificate subject name in oneline form on a terminal
 supporting UTF8:
 

- openssl x509 -in cert.pem -noout -subject -nameopt oneline -nameopt -escmsb
+ openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb

 
 Display the certificate MD5 fingerprint:
 
 
 Display the certificate MD5 fingerprint: