[openssl] master update
dev at ddvo.net
dev at ddvo.net
Fri May 15 18:21:13 UTC 2020
The branch master has been updated
via 6d382c74b375f1f8c44f04ec3de95ff781598a3b (commit)
via 60d5331350a5e557908eed0ba7420dba2ad3b79f (commit)
via db71d315479762eefbf2bcda8be3b44b1867133f (commit)
from c6601bd2d728d4c61711a016c6267fb45910e7cd (commit)
- Log -----------------------------------------------------------------
commit 6d382c74b375f1f8c44f04ec3de95ff781598a3b
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed May 6 13:51:50 2020 +0200
Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c
This also adds the more flexible and general load_key_cert_crl()
as well as helper functions get_passwd(), cleanse(), and clear_free()
to be used also in apps/cmp.c etc.
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11755)
commit 60d5331350a5e557908eed0ba7420dba2ad3b79f
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri May 8 10:56:14 2020 +0200
Nit-fix: remove whitespace in doc/man3/EVP_PKEY_fromdata.pod causing warning
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11755)
commit db71d315479762eefbf2bcda8be3b44b1867133f
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu May 7 21:37:28 2020 +0200
Guard use of struct tms with #ifdef __TMS, as is done earlier in apps/lib/apps.c
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11755)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 9 +-
apps/cmp.c | 153 +-------------
apps/cms.c | 15 +-
apps/crl.c | 6 +-
apps/dgst.c | 2 +-
apps/dsa.c | 2 +-
apps/ec.c | 2 +-
apps/enc.c | 2 +-
apps/include/apps.h | 17 +-
apps/include/opt.h | 4 +-
apps/lib/apps.c | 432 ++++++++++++++++++---------------------
apps/lib/s_cb.c | 4 +-
apps/ocsp.c | 10 +-
apps/pkey.c | 2 +-
apps/pkeyutl.c | 10 +-
apps/req.c | 2 +-
apps/rsa.c | 2 +-
apps/rsautl.c | 6 +-
apps/s_client.c | 11 +-
apps/s_server.c | 17 +-
apps/smime.c | 8 +-
apps/spkac.c | 2 +-
apps/verify.c | 2 +-
apps/x509.c | 20 +-
crypto/store/store_lib.c | 2 +
doc/man1/openssl-ca.pod.in | 18 +-
doc/man1/openssl-cms.pod.in | 14 +-
doc/man1/openssl-crl.pod.in | 24 ++-
doc/man1/openssl-dgst.pod.in | 4 +
doc/man1/openssl-ec.pod.in | 12 +-
doc/man1/openssl-ocsp.pod.in | 4 +-
doc/man1/openssl-pkey.pod.in | 12 +-
doc/man1/openssl-pkeyutl.pod.in | 14 +-
doc/man1/openssl-req.pod.in | 8 +-
doc/man1/openssl-rsa.pod.in | 12 +-
doc/man1/openssl-rsautl.pod.in | 8 +-
doc/man1/openssl-s_client.pod.in | 16 +-
doc/man1/openssl-s_server.pod.in | 32 +--
doc/man1/openssl-smime.pod.in | 14 +-
doc/man1/openssl-spkac.pod.in | 10 +-
doc/man1/openssl-verify.pod.in | 1 -
doc/man1/openssl-x509.pod.in | 42 ++--
doc/man1/openssl.pod | 34 +--
doc/man3/EVP_PKEY_fromdata.pod | 2 +-
44 files changed, 472 insertions(+), 551 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index a18ff0998e..d91b39c91c 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -215,12 +215,12 @@ const OPTIONS ca_options[] = {
OPT_SECTION("Signing"),
{"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
{"keyfile", OPT_KEYFILE, 's', "Private key"},
- {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
{"cert", OPT_CERT, '<', "The CA cert"},
{"certform", OPT_CERTFORM, 'F',
- "certificate input format (DER or PEM); default PEM"},
+ "certificate input format (DER/PEM/P12); has no effect"},
{"selfsign", OPT_SELFSIGN, '-',
"Sign a cert with the key associated with it"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
@@ -385,7 +385,7 @@ opthelp:
certfile = opt_arg();
break;
case OPT_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &certformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &certformat))
goto opthelp;
break;
case OPT_SELFSIGN:
@@ -573,8 +573,7 @@ end_of_options:
}
}
pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key");
- if (key != NULL)
- OPENSSL_cleanse(key, strlen(key));
+ cleanse(key);
if (pkey == NULL)
/* load_key() has already printed an appropriate message */
goto end;
diff --git a/apps/cmp.c b/apps/cmp.c
index 7375b795ca..7a2ce2963d 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -46,157 +46,6 @@ DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(X509_EXTENSION)
DEFINE_STACK_OF(OSSL_CMP_ITAV)
-/* start TODO remove when PR #11755 is merged */
-static char *get_passwd(const char *pass, const char *desc)
-{
- char *result = NULL;
-
- app_passwd(pass, NULL, &result, NULL);
- return result;
-}
-
-static void cleanse(char *str)
-{
- if (str != NULL)
- OPENSSL_cleanse(str, strlen(str));
-}
-
-static void clear_free(char *str)
-{
- if (str != NULL)
- OPENSSL_clear_free(str, strlen(str));
-}
-
-static int load_key_cert_crl(const char *uri, int maybe_stdin,
- const char *pass, const char *desc,
- EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl)
-{
- PW_CB_DATA uidata;
- OSSL_STORE_CTX *ctx = NULL;
- int ret = 0;
-
- if (ppkey != NULL)
- *ppkey = NULL;
- if (pcert != NULL)
- *pcert = NULL;
- if (pcrl != NULL)
- *pcrl = NULL;
-
- uidata.password = pass;
- uidata.prompt_info = uri;
-
- ctx = OSSL_STORE_open(uri, get_ui_method(), &uidata, NULL, NULL);
- if (ctx == NULL) {
- BIO_printf(bio_err, "Could not open file or uri %s for loading %s\n",
- uri, desc);
- goto end;
- }
-
- for (;;) {
- OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
- int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
- const char *infostr =
- info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
- int err = 0;
-
- if (info == NULL) {
- if (OSSL_STORE_eof(ctx))
- ret = 1;
- break;
- }
-
- switch (type) {
- case OSSL_STORE_INFO_PKEY:
- if (ppkey != NULL && *ppkey == NULL)
- err = ((*ppkey = OSSL_STORE_INFO_get1_PKEY(info)) == NULL);
- break;
- case OSSL_STORE_INFO_CERT:
- if (pcert != NULL && *pcert == NULL)
- err = ((*pcert = OSSL_STORE_INFO_get1_CERT(info)) == NULL);
- break;
- case OSSL_STORE_INFO_CRL:
- if (pcrl != NULL && *pcrl == NULL)
- err = ((*pcrl = OSSL_STORE_INFO_get1_CRL(info)) == NULL);
- break;
- default:
- /* skip any other type */
- break;
- }
- OSSL_STORE_INFO_free(info);
- if (err) {
- BIO_printf(bio_err, "Could not read %s of %s from %s\n",
- infostr, desc, uri);
- break;
- }
- }
-
- end:
- if (ctx != NULL)
- OSSL_STORE_close(ctx);
- if (!ret)
- ERR_print_errors(bio_err);
- return ret;
-}
-
-static
-EVP_PKEY *load_key_preliminary(const char *uri, int format, int may_stdin,
- const char *pass, ENGINE *e, const char *desc)
-{
- EVP_PKEY *pkey = NULL;
-
- if (desc == NULL)
- desc = "private key";
-
- if (format == FORMAT_ENGINE) {
- if (e == NULL) {
- BIO_printf(bio_err, "No engine specified for loading %s\n", desc);
- } else {
-#ifndef OPENSSL_NO_ENGINE
- PW_CB_DATA cb_data;
-
- cb_data.password = pass;
- cb_data.prompt_info = uri;
- if (ENGINE_init(e)) {
- pkey = ENGINE_load_private_key(e, uri,
- (UI_METHOD *)get_ui_method(),
- &cb_data);
- ENGINE_finish(e);
- }
- if (pkey == NULL) {
- BIO_printf(bio_err, "Cannot load %s from engine\n", desc);
- ERR_print_errors(bio_err);
- }
-#else
- BIO_printf(bio_err, "Engines not supported for loading %s\n", desc);
-#endif
- }
- } else {
- (void)load_key_cert_crl(uri, may_stdin, pass, desc, &pkey, NULL, NULL);
- }
-
- if (pkey == NULL) {
- BIO_printf(bio_err, "Unable to load %s\n", desc);
- ERR_print_errors(bio_err);
- }
- return pkey;
-}
-
-static X509 *load_cert_pass(const char *uri, int maybe_stdin,
- const char *pass, const char *desc)
-{
- X509 *cert = NULL;
-
- if (desc == NULL)
- desc = "certificate";
- (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, NULL, &cert, NULL);
- if (cert == NULL) {
- BIO_printf(bio_err, "Unable to load %s\n", desc);
- ERR_print_errors(bio_err);
- }
- return cert;
-}
-/* end TODO remove when PR #11755 is merged */
-
static char *opt_config = NULL;
#define CMP_SECTION "cmp"
#define SECTION_NAME_MAX 40 /* max length of section name */
@@ -832,7 +681,7 @@ static EVP_PKEY *load_key_pwd(const char *uri, int format,
const char *pass, ENGINE *e, const char *desc)
{
char *pass_string = get_passwd(pass, desc);
- EVP_PKEY *pkey = load_key_preliminary(uri, format, 0, pass_string, e, desc);
+ EVP_PKEY *pkey = load_key(uri, format, 0, pass_string, e, desc);
clear_free(pass_string);
return pkey;
diff --git a/apps/cms.c b/apps/cms.c
index 0c8af3dab7..6b5577ecee 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -196,7 +196,7 @@ const OPTIONS cms_options[] = {
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
- {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
{"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
OPT_SECTION("Mail header"),
@@ -576,7 +576,7 @@ int cms_main(int argc, char **argv)
if (operation == SMIME_ENCRYPT) {
if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
goto end;
- cert = load_cert(opt_arg(), FORMAT_PEM,
+ cert = load_cert(opt_arg(), FORMAT_UNDEF,
"recipient certificate file");
if (cert == NULL)
goto end;
@@ -756,7 +756,7 @@ int cms_main(int argc, char **argv)
if ((encerts = sk_X509_new_null()) == NULL)
goto end;
while (*argv) {
- if ((cert = load_cert(*argv, FORMAT_PEM,
+ if ((cert = load_cert(*argv, FORMAT_UNDEF,
"recipient certificate file")) == NULL)
goto end;
sk_X509_push(encerts, cert);
@@ -774,7 +774,7 @@ int cms_main(int argc, char **argv)
}
if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
- if ((recip = load_cert(recipfile, FORMAT_PEM,
+ if ((recip = load_cert(recipfile, FORMAT_UNDEF,
"recipient certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
@@ -782,7 +782,7 @@ int cms_main(int argc, char **argv)
}
if (originatorfile != NULL) {
- if ((originator = load_cert(originatorfile, FORMAT_PEM,
+ if ((originator = load_cert(originatorfile, FORMAT_UNDEF,
"originator certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
@@ -790,7 +790,7 @@ int cms_main(int argc, char **argv)
}
if (operation == SMIME_SIGN_RECEIPT) {
- if ((signer = load_cert(signerfile, FORMAT_PEM,
+ if ((signer = load_cert(signerfile, FORMAT_UNDEF,
"receipt signer certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
@@ -1019,7 +1019,8 @@ int cms_main(int argc, char **argv)
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
- signer = load_cert(signerfile, FORMAT_PEM, "signer certificate");
+ signer = load_cert(signerfile, FORMAT_UNDEF,
+ "signer certificate");
if (signer == NULL) {
ret = 2;
goto end;
diff --git a/apps/crl.c b/apps/crl.c
index 8028fef5de..d417642cce 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -34,9 +34,9 @@ const OPTIONS crl_options[] = {
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file - default stdin"},
- {"inform", OPT_INFORM, 'F', "Input format; default PEM"},
+ {"inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect"},
{"key", OPT_KEY, '<', "CRL signing Private key to use"},
- {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect"},
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "output file - default stdout"},
@@ -122,7 +122,7 @@ int crl_main(int argc, char **argv)
outfile = opt_arg();
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
goto opthelp;
break;
case OPT_KEY:
diff --git a/apps/dgst.c b/apps/dgst.c
index 90aaf982ae..da162e6ed6 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -64,7 +64,7 @@ const OPTIONS dgst_options[] = {
{"c", OPT_C, '-', "Print the digest with separating colons"},
{"r", OPT_R, '-', "Print the digest in coreutils format"},
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
- {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"hex", OPT_HEX, '-', "Print as hex dump"},
{"binary", OPT_BINARY, '-', "Print in binary form"},
{"d", OPT_DEBUG, '-', "Print debug info"},
diff --git a/apps/dsa.c b/apps/dsa.c
index 65397ab053..8ef802e0da 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -48,7 +48,7 @@ const OPTIONS dsa_options[] = {
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
- {"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
diff --git a/apps/ec.c b/apps/ec.c
index 9cf6e1a545..43e2be1346 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -49,7 +49,7 @@ const OPTIONS ec_options[] = {
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
- {"inform", OPT_INFORM, 'f', "Input format - DER or PEM"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"check", OPT_CHECK, '-', "check key consistency"},
diff --git a/apps/enc.c b/apps/enc.c
index d7e99b43e7..4d59391c22 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -538,7 +538,7 @@ int enc_main(int argc, char **argv)
goto end;
}
/* wiping secret data as we no longer need it */
- OPENSSL_cleanse(hkey, strlen(hkey));
+ cleanse(hkey);
}
if ((benc = BIO_new(BIO_f_cipher())) == NULL)
diff --git a/apps/include/apps.h b/apps/include/apps.h
index e168942e19..7789bd2b0a 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -102,19 +102,28 @@ int set_cert_ex(unsigned long *flags, const char *arg);
int set_name_ex(unsigned long *flags, const char *arg);
int set_ext_copy(int *copy_type, const char *arg);
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
+char *get_passwd(const char *pass, const char *desc);
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
int add_oid_section(CONF *conf);
X509_REQ *load_csr(const char *file, int format, const char *desc);
-X509 *load_cert(const char *file, int format, const char *desc);
-X509_CRL *load_crl(const char *infile, int format, const char *desc);
-EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
+X509 *load_cert_pass(const char *uri, int maybe_stdin,
+ const char *pass, const char *desc);
+/* the format parameter is meanwhile not needed anymore and thus ignored */
+X509 *load_cert(const char *uri, int format, const char *desc);
+X509_CRL *load_crl(const char *uri, int format, const char *desc);
+void cleanse(char *str);
+void clear_free(char *str);
+EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc);
-EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
+EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc);
int load_certs(const char *file, STACK_OF(X509) **certs, int format,
const char *pass, const char *desc);
int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
const char *pass, const char *desc);
+int load_key_cert_crl(const char *uri, int maybe_stdin,
+ const char *pass, const char *desc,
+ EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl);
X509_STORE *setup_verify(const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
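Review bot: The new declarations of get_passwd(), cleanse(), clear_free() and load_key_cert_crl() carry no contract in the header, and the ownership of the string get_passwd() returns is exactly what a caller needs to know here. I would put `/* Returns a newly allocated password string, or NULL; release it with clear_free(). */` above get_passwd() and `/* Loads the first PKEY/CERT/CRL found in uri for each non-NULL result pointer; NULL uri reads stdin only if maybe_stdin; may leave partial results on failure. */` above load_key_cert_crl(), mirroring the comment that apps.c gives the definition. The "format parameter is ignored" comment applies to load_crl() as well (its apps.c definition carries the same remark), so either repeat it or phrase it to cover both lines.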
diff --git a/apps/include/opt.h b/apps/include/opt.h
index b4753dc42e..5afbad1bbe 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -132,9 +132,9 @@
{ "xchain_build", OPT_X_CHAIN_BUILD, '-', \
"build certificate chain for the extended certificates"}, \
{ "xcertform", OPT_X_CERTFORM, 'F', \
- "format of Extended certificate (PEM or DER) PEM default " }, \
+ "format of Extended certificate (PEM/DER/P12); has no effect" }, \
{ "xkeyform", OPT_X_KEYFORM, 'F', \
- "format of Extended certificate's key (PEM or DER) PEM default"}
+ "format of Extended certificate's key (DER/PEM/P12); has no effect"}
# define OPT_X_CASES \
OPT_X__FIRST: case OPT_X__LAST: break; \
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 6facdf3e5b..8063a0e272 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -29,6 +29,7 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
+#include <openssl/store.h>
#include <openssl/pkcs12.h>
#include <openssl/ui.h>
#include <openssl/safestack.h>
@@ -209,6 +210,24 @@ int wrap_password_callback(char *buf, int bufsiz, int verify, void *userdata)
static char *app_get_pass(const char *arg, int keepbio);
+char *get_passwd(const char *pass, const char *desc)
+{
+ char *result = NULL;
+
+ if (desc == NULL)
+ desc = "<unknown>";
+ if (!app_passwd(pass, NULL, &result, NULL))
+ BIO_printf(bio_err, "Error getting password for %s\n", desc);
+ if (pass != NULL && result == NULL) {
+ BIO_printf(bio_err,
+ "Trying plain input string (better precede with 'pass:')\n");
+ result = OPENSSL_strdup(pass);
+ if (result == NULL)
+ BIO_printf(bio_err, "Out of memory getting password for %s\n", desc);
+ }
+ return result;
+}
+
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2)
{
int same = arg1 != NULL && arg2 != NULL && strcmp(arg1, arg2) == 0;
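Review bot: The fallback in get_passwd() takes any argument that app_passwd() rejects and uses it verbatim as the password, so a mistyped source specifier (e.g. `fil:secret.txt`, constructed) silently becomes the secret itself; this is a deliberate convenience, but it is not documented anywhere and the `<unknown>` default for desc hides which credential was affected. Since the behaviour is intended, document it at the definition: `/* Returns the password named by pass (a pass:/env:/file:/... spec), or, if pass is not a recognised spec, pass itself; result is heap-allocated and must be released with clear_free(). */`. Callers that must not accept literal passwords should be pointed at app_passwd() directly in that comment.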
@@ -412,126 +431,44 @@ int add_oid_section(CONF *conf)
return 1;
}
-static int load_pkcs12(BIO *in, const char *desc,
- pem_password_cb *pem_cb, PW_CB_DATA *cb_data,
- EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
-{
- const char *pass;
- char tpass[PEM_BUFSIZE];
- int len, ret = 0;
- PKCS12 *p12;
-
- p12 = d2i_PKCS12_bio(in, NULL);
- if (p12 == NULL) {
- if (desc != NULL)
- BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc);
- else
- BIO_printf(bio_err, "Error loading PKCS12 file\n");
- goto die;
- }
- /* See if an empty password will do */
- if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0)) {
- pass = "";
- } else {
- if (pem_cb == NULL)
- pem_cb = (pem_password_cb *)password_callback;
- len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
- if (len < 0) {
- BIO_printf(bio_err, "Passphrase callback error for %s\n",
- desc != NULL ? desc : "PKCS12 input");
- goto die;
- }
- if (len < PEM_BUFSIZE)
- tpass[len] = 0;
- if (!PKCS12_verify_mac(p12, tpass, len)) {
- BIO_printf(bio_err,
- "Mac verify error (wrong password?) in PKCS12 file for %s\n",
- desc != NULL ? desc : "PKCS12 input");
- goto die;
- }
- pass = tpass;
- }
- ret = PKCS12_parse(p12, pass, pkey, cert, ca);
- die:
- PKCS12_free(p12);
- return ret;
-}
-
-X509 *load_cert(const char *file, int format, const char *desc)
+X509 *load_cert_pass(const char *uri, int maybe_stdin,
+ const char *pass, const char *desc)
{
- X509 *x = NULL;
- BIO *cert;
-
- if (format == FORMAT_HTTP) {
-#if !defined(OPENSSL_NO_SOCK)
- x = X509_load_http(file, NULL, NULL, 0 /* timeout */);
-#endif
- return x;
- }
+ X509 *cert = NULL;
- if (file == NULL) {
+ if (desc == NULL)
+ desc = "certificate";
+ if (uri == NULL) {
unbuffer(stdin);
- cert = dup_bio_in(format);
- } else {
- cert = bio_open_default(file, 'r', format);
+ uri = "";
}
- if (cert == NULL)
- goto end;
-
- if (format == FORMAT_ASN1) {
- x = d2i_X509_bio(cert, NULL);
- } else if (format == FORMAT_PEM) {
- x = PEM_read_bio_X509_AUX(cert, NULL,
- (pem_password_cb *)password_callback, NULL);
- } else if (format == FORMAT_PKCS12) {
- if (!load_pkcs12(cert, desc, NULL, NULL, NULL, &x, NULL))
- goto end;
- } else {
- print_format_error(format,
-#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
- OPT_FMT_HTTP |
-#endif
- OPT_FMT_PEMDER | OPT_FMT_PKCS12);
- }
-
- end:
- if (x == NULL && desc != NULL) {
+ (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, NULL, &cert, NULL);
+ if (cert == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
- BIO_free(cert);
- return x;
+ return cert;
}
-X509_CRL *load_crl(const char *infile, int format, const char *desc)
+/* the format parameter is meanwhile not needed anymore and thus ignored */
+X509 *load_cert(const char *uri, int format, const char *desc)
{
- X509_CRL *x = NULL;
- BIO *in = NULL;
-
- if (format == FORMAT_HTTP) {
-#if !defined(OPENSSL_NO_SOCK)
- x = X509_CRL_load_http(infile, NULL, NULL, 0 /* timeout */);
-#endif
- return x;
- }
+ return load_cert_pass(uri, 0, NULL, desc);
+}
- in = bio_open_default(infile, 'r', format);
- if (in == NULL)
- goto end;
- if (format == FORMAT_ASN1) {
- x = d2i_X509_CRL_bio(in, NULL);
- } else if (format == FORMAT_PEM) {
- x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
- } else
- print_format_error(format, OPT_FMT_PEMDER);
+/* the format parameter is meanwhile not needed anymore and thus ignored */
+X509_CRL *load_crl(const char *uri, int format, const char *desc)
+{
+ X509_CRL *crl = NULL;
- end:
- if (x == NULL && desc != NULL) {
+ if (desc == NULL)
+ desc = "CRL";
+ (void)load_key_cert_crl(uri, 0, NULL, desc, NULL, NULL, &crl);
+ if (crl == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
- BIO_free(in);
- return x;
+ return crl;
}
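Review bot: In load_cert_pass() the rewrite `uri = "";` for a NULL uri defeats the stdin path that load_key_cert_crl() implements for `uri == NULL && maybe_stdin`, because the callee now sees a non-NULL empty string and calls OSSL_STORE_open("") instead of attaching stdin. Drop the whole `if (uri == NULL) { unbuffer(stdin); uri = ""; }` block and pass uri through unchanged; the callee already calls unbuffer(stdin) itself. Related: the old load_cert()/load_crl() read stdin for a NULL file via dup_bio_in()/bio_open_default() (removed lines above), while the new load_cert() and load_crl() call with maybe_stdin 0, so callers that still rely on "no -in means stdin" (crl's help text on this page still says so) will now fail with "No filename or uri specified" unless their call sites, outside this page, were adapted. The removed FORMAT_HTTP branches (X509_load_http/X509_CRL_load_http) also have no replacement in the new functions; unless OSSL_STORE_open() resolves http URIs in this tree, which I cannot confirm from the hunk, that loading path is lost.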
X509_REQ *load_csr(const char *file, int format, const char *desc)
@@ -539,6 +476,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc)
X509_REQ *req = NULL;
BIO *in;
+ if (desc == NULL)
+ desc = "CSR";
in = bio_open_default(file, 'r', format);
if (in == NULL)
goto end;
@@ -551,7 +490,7 @@ X509_REQ *load_csr(const char *file, int format, const char *desc)
print_format_error(format, OPT_FMT_PEMDER);
end:
- if (req == NULL && desc != NULL) {
+ if (req == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
@@ -559,173 +498,92 @@ X509_REQ *load_csr(const char *file, int format, const char *desc)
return req;
}
-EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
+void cleanse(char *str)
+{
+ if (str != NULL)
+ OPENSSL_cleanse(str, strlen(str));
+}
+
+void clear_free(char *str)
+{
+ if (str != NULL)
+ OPENSSL_clear_free(str, strlen(str));
+}
+
+EVP_PKEY *load_key(const char *uri, int format, int may_stdin,
const char *pass, ENGINE *e, const char *desc)
{
- BIO *key = NULL;
EVP_PKEY *pkey = NULL;
- PW_CB_DATA cb_data;
- cb_data.password = pass;
- cb_data.prompt_info = file;
+ if (desc == NULL)
+ desc = "private key";
- if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
- BIO_printf(bio_err, "No keyfile specified\n");
- goto end;
- }
if (format == FORMAT_ENGINE) {
if (e == NULL) {
- BIO_printf(bio_err, "No engine specified\n");
+ BIO_printf(bio_err, "No engine specified for loading %s\n", desc);
} else {
#ifndef OPENSSL_NO_ENGINE
+ PW_CB_DATA cb_data;
+
+ cb_data.password = pass;
+ cb_data.prompt_info = uri;
if (ENGINE_init(e)) {
- pkey = ENGINE_load_private_key(e, file,
+ pkey = ENGINE_load_private_key(e, uri,
(UI_METHOD *)get_ui_method(),
&cb_data);
ENGINE_finish(e);
}
- if (pkey == NULL && desc != NULL) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "Cannot load %s from engine\n", desc);
ERR_print_errors(bio_err);
}
#else
- BIO_printf(bio_err, "Engines not supported\n");
+ BIO_printf(bio_err, "Engines not supported for loading %s\n", desc);
#endif
}
- goto end;
- }
- if (file == NULL && maybe_stdin) {
- unbuffer(stdin);
- key = dup_bio_in(format);
} else {
- key = bio_open_default(file, 'r', format);
- }
- if (key == NULL)
- goto end;
- if (format == FORMAT_ASN1) {
- pkey = d2i_PrivateKey_bio(key, NULL);
- } else if (format == FORMAT_PEM) {
- pkey = PEM_read_bio_PrivateKey(key, NULL, wrap_password_callback, &cb_data);
- } else if (format == FORMAT_PKCS12) {
- if (!load_pkcs12(key, desc,
- (pem_password_cb *)password_callback, &cb_data,
- &pkey, NULL, NULL))
- goto end;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
- } else if (format == FORMAT_MSBLOB) {
- pkey = b2i_PrivateKey_bio(key);
- } else if (format == FORMAT_PVK) {
- pkey = b2i_PVK_bio(key, wrap_password_callback, &cb_data);
-#endif
- } else {
- print_format_error(format, OPT_FMT_PEMDER | OPT_FMT_PKCS12
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
- | OPT_FMT_MSBLOB | FORMAT_PVK
-#endif
-#ifndef OPENSSL_NO_ENGINE
- | OPT_FMT_ENGINE
-#endif
- );
+ (void)load_key_cert_crl(uri, may_stdin, pass, desc, &pkey, NULL, NULL);
}
- end:
- BIO_free(key);
- if (pkey == NULL && desc != NULL) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
return pkey;
}
-EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
+EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc)
{
- BIO *key = NULL;
EVP_PKEY *pkey = NULL;
- PW_CB_DATA cb_data;
- cb_data.password = pass;
- cb_data.prompt_info = file;
+ if (desc == NULL)
+ desc = "public key";
- if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
- BIO_printf(bio_err, "No keyfile specified\n");
- goto end;
- }
if (format == FORMAT_ENGINE) {
if (e == NULL) {
- BIO_printf(bio_err, "No engine specified\n");
+ BIO_printf(bio_err, "No engine specified for loading %s\n", desc);
} else {
#ifndef OPENSSL_NO_ENGINE
- pkey = ENGINE_load_public_key(e, file, (UI_METHOD *)get_ui_method(),
+ PW_CB_DATA cb_data;
+
+ cb_data.password = pass;
+ cb_data.prompt_info = uri;
+ pkey = ENGINE_load_public_key(e, uri, (UI_METHOD *)get_ui_method(),
&cb_data);
- if (pkey == NULL && desc != NULL) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "Cannot load %s from engine\n", desc);
ERR_print_errors(bio_err);
}
#else
- BIO_printf(bio_err, "Engines not supported\n");
+ BIO_printf(bio_err, "Engines not supported for loading %s\n", desc);
#endif
}
- goto end;
- }
- if (file == NULL && maybe_stdin) {
- unbuffer(stdin);
- key = dup_bio_in(format);
- } else {
- key = bio_open_default(file, 'r', format);
- }
- if (key == NULL)
- goto end;
- if (format == FORMAT_ASN1) {
- pkey = d2i_PUBKEY_bio(key, NULL);
- } else if (format == FORMAT_ASN1RSA) {
-#ifndef OPENSSL_NO_RSA
- RSA *rsa;
- rsa = d2i_RSAPublicKey_bio(key, NULL);
- if (rsa) {
- pkey = EVP_PKEY_new();
- if (pkey != NULL)
- EVP_PKEY_set1_RSA(pkey, rsa);
- RSA_free(rsa);
- } else
-#else
- BIO_printf(bio_err, "RSA keys not supported\n");
-#endif
- pkey = NULL;
- } else if (format == FORMAT_PEMRSA) {
-#ifndef OPENSSL_NO_RSA
- RSA *rsa;
- rsa = PEM_read_bio_RSAPublicKey(key, NULL,
- (pem_password_cb *)password_callback,
- &cb_data);
- if (rsa != NULL) {
- pkey = EVP_PKEY_new();
- if (pkey != NULL)
- EVP_PKEY_set1_RSA(pkey, rsa);
- RSA_free(rsa);
- } else
-#else
- BIO_printf(bio_err, "RSA keys not supported\n");
-#endif
- pkey = NULL;
- } else if (format == FORMAT_PEM) {
- pkey = PEM_read_bio_PUBKEY(key, NULL,
- (pem_password_cb *)password_callback,
- &cb_data);
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
- } else if (format == FORMAT_MSBLOB) {
- pkey = b2i_PublicKey_bio(key);
-#endif
} else {
- print_format_error(format, OPT_FMT_PEMDER
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
- | OPT_FMT_MSBLOB
-#endif
- );
+ (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, &pkey,
+ NULL, NULL);
}
- end:
- BIO_free(key);
- if (pkey == NULL && desc != NULL) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
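Review bot: load_key() and load_pubkey() no longer reject a NULL uri before the FORMAT_ENGINE branch: the removed guard `if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))` covered both, and only the non-engine half is now handled (inside load_key_cert_crl()), so ENGINE_load_private_key()/ENGINE_load_public_key() can be called with a NULL key id. Add, at the top of the engine branch in both functions, `if (uri == NULL) { BIO_printf(bio_err, "No engine key id specified for loading %s\n", desc); return NULL; }` so the error is reported by the app rather than depending on each engine's handling of NULL. The same applies to the PW_CB_DATA prompt_info, which is also set from the possibly-NULL uri.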
@@ -807,11 +665,8 @@ static int load_certs_crls(const char *file, int format,
sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
*pcrls = NULL;
}
- if (desc != NULL) {
- BIO_printf(bio_err, "Unable to load %s for %s\n",
- pcerts ? "certificates" : "CRLs", desc);
- ERR_print_errors(bio_err);
- }
+ BIO_printf(bio_err, "Unable to load %s\n", desc != NULL ? desc :
+ pcerts != NULL ? "certificates" : "CRLs");
}
return rv;
}
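Review bot: The failure path of load_certs_crls() lost its `ERR_print_errors(bio_err);` call, so the actual reason for the failure (bad password, parse error, missing file) is no longer shown and the error queue is left for some later, unrelated report to print. Re-add `ERR_print_errors(bio_err);` directly after the new BIO_printf(). Note also that with desc NULL the old code was deliberately silent, whereas the new code always prints; if any caller relied on the silent best-effort behaviour that is a second behavioural change worth a comment. load_certs_crls() starts outside this hunk.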
@@ -847,6 +702,102 @@ int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
return load_certs_crls(file, format, pass, desc, NULL, crls);
}
+/*
+ * Load those types of credentials for which the result pointer is not NULL.
+ * Reads from stdio if uri is NULL and maybe_stdin is nonzero.
+ * For each type the first credential found in the store is loaded.
+ * May yield partial result even if rv == 0.
+ */
+int load_key_cert_crl(const char *uri, int maybe_stdin,
+ const char *pass, const char *desc,
+ EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl)
+{
+ PW_CB_DATA uidata;
+ OSSL_STORE_CTX *ctx = NULL;
+ int ret = 0;
+ /* TODO make use of the engine reference 'eng' when loading pkeys */
+
+ if (ppkey != NULL)
+ *ppkey = NULL;
+ if (pcert != NULL)
+ *pcert = NULL;
+ if (pcrl != NULL)
+ *pcrl = NULL;
+
+ if (desc == NULL)
+ desc = "key/certificate/CRL";
+ uidata.password = pass;
+ uidata.prompt_info = uri;
+
+ if (uri == NULL) {
+ BIO *bio;
+
+ if (!maybe_stdin) {
+ BIO_printf(bio_err, "No filename or uri specified for loading %s\n",
+ desc);
+ goto end;
+ }
+ unbuffer(stdin);
+ bio = BIO_new_fp(stdin, 0);
+ if (bio != NULL)
+ ctx = OSSL_STORE_attach(bio, NULL, "file", NULL,
+ get_ui_method(), &uidata, NULL, NULL);
+ uri = "<stdin>";
+ } else {
+ ctx = OSSL_STORE_open(uri, get_ui_method(), &uidata, NULL, NULL);
+ }
+ if (ctx == NULL) {
+ BIO_printf(bio_err, "Could not open file or uri %s for loading %s\n",
+ uri, desc);
+ goto end;
+ }
+
+ for (;;) {
+ OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
+ int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
+ const char *infostr =
+ info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
+ int err = 0;
+
+ if (info == NULL) {
+ if (OSSL_STORE_eof(ctx))
+ ret = 1;
+ break;
+ }
+
+ switch (type) {
+ case OSSL_STORE_INFO_PKEY:
+ if (ppkey != NULL && *ppkey == NULL)
+ err = ((*ppkey = OSSL_STORE_INFO_get1_PKEY(info)) == NULL);
+ break;
+ case OSSL_STORE_INFO_CERT:
+ if (pcert != NULL && *pcert == NULL)
+ err = ((*pcert = OSSL_STORE_INFO_get1_CERT(info)) == NULL);
+ break;
+ case OSSL_STORE_INFO_CRL:
+ if (pcrl != NULL && *pcrl == NULL)
+ err = ((*pcrl = OSSL_STORE_INFO_get1_CRL(info)) == NULL);
+ break;
+ default:
+ /* skip any other type */
+ break;
+ }
+ OSSL_STORE_INFO_free(info);
+ if (err) {
+ BIO_printf(bio_err, "Could not read %s of %s from %s\n",
+ infostr, desc, uri);
+ break;
+ }
+ }
+
+ end:
+ OSSL_STORE_close(ctx);
+ if (!ret)
+ ERR_print_errors(bio_err);
+ return ret;
+}
+
+
#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
/* Return error for unknown extensions */
#define X509V3_EXT_DEFAULT 0
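Review bot: The BIO created with BIO_new_fp(stdin, 0) in load_key_cert_crl() is never freed: on the attach-failure path it is simply dropped, and on success nothing releases it after OSSL_STORE_close(), so unless closing the store releases an attached BIO (which I cannot confirm from this hunk) the object leaks on every stdin load. Keep `bio` in function scope, initialise it to NULL, and `BIO_free(bio);` after `OSSL_STORE_close(ctx);` at `end:` (or immediately after the attach call, if OSSL_STORE_attach() takes its own reference). Separately, `uidata.prompt_info = uri;` is assigned before `uri = "<stdin>";`, so the password prompt for stdin input has no prompt_info; moving the `uri = "<stdin>";` line above the BIO_new_fp() call fixes that. The header comment says "Reads from stdio" where it means stdin, and the TODO refers to an engine reference 'eng' that this function does not take.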
@@ -2320,17 +2271,30 @@ double app_tminterval(int stop, int usertime)
double app_tminterval(int stop, int usertime)
{
double ret = 0;
- struct tms rus;
- clock_t now = times(&rus);
+ clock_t now;
static clock_t tmstart;
+ long int tck = sysconf(_SC_CLK_TCK);
+# ifdef __TMS
+ struct tms rus;
+ now = times(&rus);
if (usertime)
now = rus.tms_utime;
+# else
+ if (usertime)
+ now = clock(); /* sum of user and kernel times */
+ else {
+ struct timeval tv;
+ gettimeofday(&tv, NULL);
+ now = (clock_t)((unsigned long long)tv.tv_sec * tck +
+ (unsigned long long)tv.tv_usec * (1000000 / tck)
+ );
+ }
+# endif
if (stop == TM_START) {
tmstart = now;
} else {
- long int tck = sysconf(_SC_CLK_TCK);
ret = (now - tmstart) / (double)tck;
}
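Review bot: The non-__TMS branch of app_tminterval() converts microseconds with `tv.tv_usec * (1000000 / tck)`, which scales them up instead of down (with tck = 100, a constructed example, 500000 us becomes 5e9 ticks instead of 50), so every wall-clock interval is wildly overstated on platforms without struct tms. The usertime branch has the same unit problem in a different form: clock() counts in CLOCKS_PER_SEC units but the result is later divided by tck, which is only right when the two happen to be equal. Both branches need rescaling to tck, as below; app_tminterval()'s return statement and closing brace are outside the hunk.
```c
# else
    if (usertime) {
        /* clock() counts in CLOCKS_PER_SEC units; rescale to tck for the division below */
        now = (clock_t)((unsigned long long)clock() * tck / CLOCKS_PER_SEC);
    } else {
        struct timeval tv;
        gettimeofday(&tv, NULL);
        /* microseconds must be scaled down to ticks, not up */
        now = (clock_t)((unsigned long long)tv.tv_sec * tck
                        + (unsigned long long)tv.tv_usec * tck / 1000000);
    }
# endif
    /* … unchanged: TM_START bookkeeping and interval computation … */
```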
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 5f2f2792fa..34bc4a9995 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -1094,11 +1094,11 @@ int args_excert(int opt, SSL_EXCERT **pexc)
exc->build_chain = 1;
break;
case OPT_X_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->certform))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->certform))
return 0;
break;
case OPT_X_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->keyform))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->keyform))
return 0;
break;
}
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 5f9c5cf326..fd03611fe9 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -404,7 +404,8 @@ int ocsp_main(int argc, char **argv)
path = opt_arg();
break;
case OPT_ISSUER:
- issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate");
+ issuer = load_cert(opt_arg(), FORMAT_UNDEF,
+ "issuer certificate");
if (issuer == NULL)
goto end;
if (issuers == NULL) {
@@ -416,7 +417,7 @@ int ocsp_main(int argc, char **argv)
break;
case OPT_CERT:
X509_free(cert);
- cert = load_cert(opt_arg(), FORMAT_PEM, "certificate");
+ cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate");
if (cert == NULL)
goto end;
if (cert_id_md == NULL)
@@ -560,7 +561,8 @@ int ocsp_main(int argc, char **argv)
if (rsignfile != NULL) {
if (rkeyfile == NULL)
rkeyfile = rsignfile;
- rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate");
+ rsigner = load_cert(rsignfile, FORMAT_UNDEF,
+ "responder certificate");
if (rsigner == NULL) {
BIO_printf(bio_err, "Error loading responder certificate\n");
goto end;
@@ -653,7 +655,7 @@ redo_accept:
if (signfile != NULL) {
if (keyfile == NULL)
keyfile = signfile;
- signer = load_cert(signfile, FORMAT_PEM, "signer certificate");
+ signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate");
if (signer == NULL) {
BIO_printf(bio_err, "Error loading signer certificate\n");
goto end;
diff --git a/apps/pkey.c b/apps/pkey.c
index ec68185663..8aafcb4277 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -57,7 +57,7 @@ const OPTIONS pkey_options[] = {
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
- {"inform", OPT_INFORM, 'f', "Input format (DER or PEM)"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"pubin", OPT_PUBIN, '-',
"Read public key from input (default is private key)"},
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 1e3802045f..231547e291 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -71,11 +71,11 @@ const OPTIONS pkeyutl_options[] = {
{"inkey", OPT_INKEY, 's', "Input private key file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
- {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"},
+ {"peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)"},
{"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
{"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
{"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
@@ -157,11 +157,11 @@ int pkeyutl_main(int argc, char **argv)
passinarg = opt_arg();
break;
case OPT_PEERFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &peerform))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &peerform))
goto opthelp;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyform))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
goto opthelp;
break;
case OPT_R_CASES:
@@ -519,7 +519,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
break;
case KEY_CERT:
- x = load_cert(keyfile, keyform, "Certificate");
+ x = load_cert(keyfile, FORMAT_UNDEF, "Certificate");
if (x) {
pkey = X509_get_pubkey(x);
X509_free(x);
diff --git a/apps/req.c b/apps/req.c
index cba6952cad..a2212b988d 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -137,7 +137,7 @@ const OPTIONS req_options[] = {
OPT_SECTION("Keys and Signing"),
{"key", OPT_KEY, 's', "Private key to use"},
- {"keyform", OPT_KEYFORM, 'f', "Key file format"},
+ {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to send the key to"},
{"passin", OPT_PASSIN, 's', "Private key password source"},
diff --git a/apps/rsa.c b/apps/rsa.c
index bb9bcb0bb2..9f91b72d20 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -45,7 +45,7 @@ const OPTIONS rsa_options[] = {
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
- {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
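Review bot: The new `-inform` help string is missing its closing parenthesis and will print as `Input format (DER/PEM/P12/ENGINE`; it should read `{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},`. The sibling entries added in the same change in apps/pkey.c and apps/pkeyutl.c do close the parenthesis, so this is just a typo in the user-visible usage text.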
diff --git a/apps/rsautl.c b/apps/rsautl.c
index f74ea3164f..0f9789c39c 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -51,7 +51,7 @@ const OPTIONS rsautl_options[] = {
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inkey", OPT_INKEY, 's', "Input key"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{"pubin", OPT_PUBIN, '-', "Input is an RSA public"},
{"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
{"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
@@ -101,7 +101,7 @@ int rsautl_main(int argc, char **argv)
ret = 0;
goto end;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
goto opthelp;
break;
case OPT_IN:
@@ -197,7 +197,7 @@ int rsautl_main(int argc, char **argv)
break;
case KEY_CERT:
- x = load_cert(keyfile, keyformat, "Certificate");
+ x = load_cert(keyfile, FORMAT_UNDEF, "Certificate");
if (x) {
pkey = X509_get_pubkey(x);
X509_free(x);
diff --git a/apps/s_client.c b/apps/s_client.c
index 875ebf2253..8bab4e2827 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -636,12 +636,12 @@ const OPTIONS s_client_options[] = {
OPT_SECTION("Identity"),
{"cert", OPT_CERT, '<', "Client certificate file to use"},
{"certform", OPT_CERTFORM, 'F',
- "Client certificate file format (PEM or DER) PEM default"},
+ "Client certificate file format (PEM/DER/P12); has no effect"},
{"cert_chain", OPT_CERT_CHAIN, '<',
"Client certificate chain file (in PEM format)"},
{"build_chain", OPT_BUILD_CHAIN, '-', "Build client certificate chain"},
{"key", OPT_KEY, 's', "Private key file to use; default is: -cert file"},
- {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"},
+ {"keyform", OPT_KEYFORM, 'E', "Key format (ENGINE, other values ignored)"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
@@ -1144,7 +1144,7 @@ int s_client_main(int argc, char **argv)
sess_in = opt_arg();
break;
case OPT_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &cert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &cert_format))
goto opthelp;
break;
case OPT_CRLFORM:
@@ -1378,7 +1378,7 @@ int s_client_main(int argc, char **argv)
fallback_scsv = 1;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &key_format))
goto opthelp;
break;
case OPT_PASS:
@@ -3137,8 +3137,7 @@ int s_client_main(int argc, char **argv)
OPENSSL_clear_free(cbuf, BUFSIZZ);
OPENSSL_clear_free(sbuf, BUFSIZZ);
OPENSSL_clear_free(mbuf, BUFSIZZ);
- if (proxypass != NULL)
- OPENSSL_clear_free(proxypass, strlen(proxypass));
+ clear_free(proxypass);
release_engine(e);
BIO_free(bio_c_out);
bio_c_out = NULL;
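Review bot: `clear_free(proxypass)` drops the explicit NULL check the removed lines had, which is only safe if the new helper in apps/lib/apps.c returns early on NULL before calling strlen(); the helper's definition is not visible in this chunk of the diff. If it does handle NULL, a one-line comment on its declaration such as `/* Zeroize and free a NUL-terminated string; a NULL argument is a no-op. */` would make that contract explicit for callers like this one; if it does not, this is strlen(NULL) whenever proxypass was never set. The enclosing cleanup code continues past this hunk.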
diff --git a/apps/s_server.c b/apps/s_server.c
index 7ac4221860..bbc311befd 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -813,7 +813,7 @@ const OPTIONS s_server_options[] = {
{"cert2", OPT_CERT2, '<',
"Certificate file to use for servername; default is" TEST_CERT2},
{"certform", OPT_CERTFORM, 'F',
- "Server certificate file format (PEM or DER) PEM default"},
+ "Server certificate file format (PEM/DER/P12); has no effect"},
{"cert_chain", OPT_CERT_CHAIN, '<',
"Server certificate chain file in PEM format"},
{"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"},
@@ -823,19 +823,18 @@ const OPTIONS s_server_options[] = {
"Private key file to use; default is -cert file or else" TEST_CERT},
{"key2", OPT_KEY2, '<',
"-Private Key file to use for servername if not in -cert2"},
- {"keyform", OPT_KEYFORM, 'f',
- "Key format (PEM, DER or ENGINE) PEM default"},
+ {"keyform", OPT_KEYFORM, 'f', "Key format (ENGINE, other values ignored)"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"dcert", OPT_DCERT, '<',
"Second server certificate file to use (usually for DSA)"},
{"dcertform", OPT_DCERTFORM, 'F',
- "Second server certificate file format (PEM or DER) PEM default"},
+ "Second server certificate file format (PEM/DER/P12); has no effect"},
{"dcert_chain", OPT_DCERT_CHAIN, '<',
"second server certificate chain file in PEM format"},
{"dkey", OPT_DKEY, '<',
"Second private key file to use (usually for DSA)"},
{"dkeyform", OPT_DKEYFORM, 'F',
- "Second key file format (PEM, DER or ENGINE) PEM default"},
+ "Second key file format (ENGINE, other values ignored)"},
{"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
{"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
{"servername", OPT_SERVERNAME, 's',
@@ -1246,14 +1245,14 @@ int s_server_main(int argc, char *argv[])
s_serverinfo_file = opt_arg();
break;
case OPT_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_cert_format))
goto opthelp;
break;
case OPT_KEY:
s_key_file = opt_arg();
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format))
goto opthelp;
break;
case OPT_PASS:
@@ -1268,14 +1267,14 @@ int s_server_main(int argc, char *argv[])
#endif
break;
case OPT_DCERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_dcert_format))
goto opthelp;
break;
case OPT_DCERT:
s_dcert_file = opt_arg();
break;
case OPT_DKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_dkey_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_dkey_format))
goto opthelp;
break;
case OPT_DPASS:
diff --git a/apps/smime.c b/apps/smime.c
index 50f03fdc04..6b7d51b76a 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -63,7 +63,7 @@ const OPTIONS smime_options[] = {
"Output format SMIME (default), PEM or DER"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
- {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
@@ -429,7 +429,7 @@ int smime_main(int argc, char **argv)
if (encerts == NULL)
goto end;
while (*argv != NULL) {
- cert = load_cert(*argv, FORMAT_PEM,
+ cert = load_cert(*argv, FORMAT_UNDEF,
"recipient certificate file");
if (cert == NULL)
goto end;
@@ -448,7 +448,7 @@ int smime_main(int argc, char **argv)
}
if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
- if ((recip = load_cert(recipfile, FORMAT_PEM,
+ if ((recip = load_cert(recipfile, FORMAT_UNDEF,
"recipient certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
@@ -548,7 +548,7 @@ int smime_main(int argc, char **argv)
for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
- signer = load_cert(signerfile, FORMAT_PEM,
+ signer = load_cert(signerfile, FORMAT_UNDEF,
"signer certificate");
if (signer == NULL)
goto end;
diff --git a/apps/spkac.c b/apps/spkac.c
index 03cc3d9199..2b4009d457 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -40,7 +40,7 @@ const OPTIONS spkac_options[] = {
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"key", OPT_KEY, '<', "Create SPKAC using private key"},
- {"keyform", OPT_KEYFORM, 'f', "Private key file format - default PEM (PEM, DER, or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"challenge", OPT_CHALLENGE, 's', "Challenge string"},
{"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
diff --git a/apps/verify.c b/apps/verify.c
index 558866806f..e0eaaabe20 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -256,7 +256,7 @@ static int check(X509_STORE *ctx, const char *file,
STACK_OF(X509) *chain = NULL;
int num_untrusted;
- x = load_cert(file, FORMAT_PEM, "certificate file");
+ x = load_cert(file, FORMAT_UNDEF, "certificate file");
if (x == NULL)
goto end;
diff --git a/apps/x509.c b/apps/x509.c
index a2a52e41b1..ea083abc64 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -78,13 +78,13 @@ const OPTIONS x509_options[] = {
#endif
{"inform", OPT_INFORM, 'f',
- "Input format - default PEM (one of DER or PEM)"},
+ "CSR input format (DER or PEM) - default PEM"},
{"in", OPT_IN, '<', "Input file - default stdin"},
{"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
{"outform", OPT_OUTFORM, 'f',
- "Output format - default PEM (one of DER or PEM)"},
+ "Output format (DER or PEM) - default PEM"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
@@ -152,8 +152,8 @@ const OPTIONS x509_options[] = {
{"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
- {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
- {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"},
+ {"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
+ {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format (ENGINE, other values ignored)"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"CAcreateserial", OPT_CACREATESERIAL, '-',
"Create serial number file if it does not exist"},
@@ -228,7 +228,7 @@ int x509_main(int argc, char **argv)
ret = 0;
goto end;
case OPT_INFORM:
- if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
+ if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
goto opthelp;
break;
case OPT_IN:
@@ -239,15 +239,15 @@ int x509_main(int argc, char **argv)
goto opthelp;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
goto opthelp;
break;
case OPT_CAFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAformat))
goto opthelp;
break;
case OPT_CAKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
goto opthelp;
break;
case OPT_OUT:
@@ -631,7 +631,7 @@ int x509_main(int argc, char **argv)
if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
goto end;
} else {
- x = load_cert(infile, informat, "Certificate");
+ x = load_cert(infile, FORMAT_UNDEF, "Certificate");
if (x == NULL)
goto end;
if (fkey != NULL && !X509_set_pubkey(x, fkey))
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 15c0862019..e1fc591894 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -231,6 +231,8 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
{
int loader_ret;
+ if (ctx == NULL)
+ return 1;
OSSL_TRACE1(STORE, "Closing %p\n", (void *)ctx->loader_ctx);
loader_ret = ctx->loader->close(ctx->loader_ctx);
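Review bot: The new NULL tolerance of OSSL_STORE_close() is not reflected in its documentation, at least not in the part of the diff visible here; the function's entry in doc/man3/OSSL_STORE_open.pod should state it, e.g. `If ctx is NULL, OSSL_STORE_close() does nothing and returns 1.` This mirrors the convention the other OpenSSL *_free()/*_close() functions follow, and the unconditional `OSSL_STORE_close(ctx)` in the `end:` cleanup of the new loader in apps/lib/apps.c earlier in this diff appears to rely on it, so the guarantee should be part of the public contract rather than an implementation detail. Note the early return also skips the OSSL_TRACE1 line, which is fine since there is no loader_ctx to report. The function's body continues outside this hunk.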
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 0202661845..35b36afbb4 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -32,11 +32,11 @@ B<openssl> B<ca>
[B<-md> I<arg>]
[B<-policy> I<arg>]
[B<-keyfile> I<arg>]
-[B<-keyform> B<DER>|B<PEM>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-key> I<arg>]
[B<-passin> I<arg>]
[B<-cert> I<file>]
-[B<-certform> B<DER>|<PEM>]
+[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-selfsign>]
[B<-in> I<file>]
[B<-inform> B<DER>|<PEM>]
@@ -142,18 +142,19 @@ F<.pem> appended.
The CA certificate file.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>|B<P12>
The format of the data in certificate input files.
-The default is PEM.
+This option has no effect and is retained for backward compatibility only.
=item B<-keyfile> I<filename>
The private key to sign requests with.
-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format of the private key file; the default is B<PEM>.
+The format of the private key input file; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-sigopt> I<nm>:I<v>
@@ -788,6 +789,11 @@ retained mainly for compatibility reasons.
The B<-section> option was added in OpenSSL 3.0.0.
+The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 SEE ALSO
L<openssl(1)>,
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index 4fbb7c0e16..375d358703 100644
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -36,7 +36,7 @@ B<openssl> B<cms>
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-stream>]
[B<-indef>]
[B<-noindef>]
@@ -82,7 +82,7 @@ B<openssl> B<cms>
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
-[I<cert.pem> ...]
+[I<recipient-cert> ...]
=for openssl ifdef des-wrap engine
@@ -235,9 +235,10 @@ The output format of the CMS structure (if one is being written);
the default is B<SMIME>.
See L<openssl(1)/Format Options> for details.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the private key file; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
@@ -370,7 +371,7 @@ the MIME type multipart/signed is used.
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
-the signers certificates. The certificates should be in PEM format.
+the signers certificates.
=item B<-certsout> I<file>
@@ -493,7 +494,7 @@ Any verification errors cause the command to exit.
{- $OpenSSL::safe::opt_provider_item -}
-=item I<cert.pem> ...
+=item I<recipient-cert> ...
One or more certificates of message recipients: used when encrypting
a message.
@@ -766,6 +767,9 @@ was added in OpenSSL 1.0.2.
The -no_alt_chains option was added in OpenSSL 1.0.2b.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in
index 409f0b6020..19e72f1b60 100644
--- a/doc/man1/openssl-crl.pod.in
+++ b/doc/man1/openssl-crl.pod.in
@@ -12,7 +12,7 @@ B<openssl> B<crl>
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-text>]
[B<-in> I<filename>]
[B<-out> I<filename>]
@@ -45,19 +45,24 @@ This command processes CRL files in DER or PEM format.
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-The input and output formats of the CRL; the default is B<PEM>.
+The CRL input format.
+This option has no effect and is retained for backward compatibility only.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The CRL output format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-key> I<filename>
The private key to be used to sign the CRL.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
-The format of the private key file; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
+The format of the private key file.
+This option has no effect and is retained for backward compatibility only.
=item B<-in> I<filename>
@@ -136,7 +141,7 @@ Convert a CRL file from PEM to DER:
Output the text form of a DER encoded certificate:
- openssl crl -in crl.der -inform DER -text -noout
+ openssl crl -in crl.der -text -noout
=head1 BUGS
@@ -151,6 +156,11 @@ L<openssl-ca(1)>,
L<openssl-x509(1)>,
L<ossl_store-file(7)>
+=head1 HISTORY
+
+The B<-inform> and B<-keyform> options have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in
index 84bd133f84..22c07a5a7f 100644
--- a/doc/man1/openssl-dgst.pod.in
+++ b/doc/man1/openssl-dgst.pod.in
@@ -103,6 +103,7 @@ command instead for this.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the key to sign with; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-sigopt> I<nm>:I<v>
@@ -247,6 +248,9 @@ L<openssl-mac(1)>
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
The FIPS-related options were removed in OpenSSL 1.1.0.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in
index cad26289b4..c1e92ef51e 100644
--- a/doc/man1/openssl-ec.pod.in
+++ b/doc/man1/openssl-ec.pod.in
@@ -13,7 +13,7 @@ openssl-ec - EC key processing
B<openssl> B<ec>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
+[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-passin> I<arg>]
@@ -52,9 +52,15 @@ PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The input and formats; the default is B<PEM>.
+The key input format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The key output formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
Private keys are an SEC1 private key or PKCS#8 format.
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index e227f50e75..a738ddbdd7 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -103,8 +103,8 @@ specify output filename, default is standard output.
=item B<-issuer> I<filename>
This specifies the current issuer certificate. This option can be used
-multiple times. The certificate specified in I<filename> must be in
-PEM format. This option B<MUST> come before any B<-cert> options.
+multiple times.
+This option B<MUST> come before any B<-cert> options.
=item B<-cert> I<filename>
diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in
index a678bd7516..de1bef954c 100644
--- a/doc/man1/openssl-pkey.pod.in
+++ b/doc/man1/openssl-pkey.pod.in
@@ -13,7 +13,7 @@ openssl-pkey - public or private key processing command
B<openssl> B<pkey>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
+[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-passin> I<arg>]
@@ -48,9 +48,15 @@ converted between various forms and their components printed out.
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The input and formats; the default is B<PEM>.
+The key input format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The key output formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
index 0a65f6acc5..d823f0b851 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -15,10 +15,10 @@ B<openssl> B<pkeyutl>
[B<-out> I<file>]
[B<-sigfile> I<file>]
[B<-inkey> I<file>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-peerkey> I<file>]
-[B<-peerform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pubin>]
[B<-certin>]
[B<-rev>]
@@ -89,9 +89,10 @@ Signature file, required for B<-verify> operations only
The input key file, by default it should be a private key.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-passin> I<arg>
@@ -103,9 +104,10 @@ see L<openssl(1)/Pass Phrase Options>.
The peer key file, used by key derivation (agreement) operations.
-=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The peer key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pubin>
@@ -402,6 +404,10 @@ L<openssl-kdf(1)>
L<EVP_PKEY_CTX_set_hkdf_md(3)>,
L<EVP_PKEY_CTX_set_tls1_prf_md(3)>,
+=head1 HISTORY
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
=head1 COPYRIGHT
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 397bf552ad..ab6b3d78a2 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -25,7 +25,7 @@ B<openssl> B<req>
[B<-pkeyopt> I<opt>:I<value>]
[B<-nodes>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-keyout> I<filename>]
[B<-keygen_engine> I<id>]
[B<-I<digest>>]
@@ -186,9 +186,10 @@ See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
This specifies the file to read the private key from. It also
accepts PKCS#8 format private keys for PEM format files.
-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the private key; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-keyout> I<filename>
@@ -691,6 +692,9 @@ L<x509v3_config(5)>
The B<-section> option was added in OpenSSL 3.0.0.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in
index 5dacdf9313..b2477b2b2c 100644
--- a/doc/man1/openssl-rsa.pod.in
+++ b/doc/man1/openssl-rsa.pod.in
@@ -13,7 +13,7 @@ openssl-rsa - RSA key processing command
B<openssl> B<rsa>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
+[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-passin> I<arg>]
@@ -61,9 +61,15 @@ L<openssl-pkcs8(1)> command.
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The input and formats; the default is B<PEM>.
+The key input format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The key output format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-inform> B<DER>|B<PEM>
diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
index 2461db537d..5383fe2116 100644
--- a/doc/man1/openssl-rsautl.pod.in
+++ b/doc/man1/openssl-rsautl.pod.in
@@ -14,7 +14,7 @@ B<openssl> B<rsautl>
[B<-rev>]
[B<-out> I<file>]
[B<-inkey> I<file>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pubin>]
[B<-certin>]
[B<-sign>]
@@ -76,9 +76,10 @@ default.
The input key file, by default it should be an RSA private key.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pubin>
@@ -237,6 +238,9 @@ L<openssl-genrsa(1)>
This command was deprecated in OpenSSL 3.0.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 5f04358a84..4d6b54a5e3 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -29,14 +29,14 @@ B<openssl> B<s_client>
[B<-verifyCApath> I<dir>]
[B<-verifyCAstore> I<uri>]
[B<-cert> I<filename>]
-[B<-certform> B<DER>|B<PEM>]
+[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-cert_chain> I<filename>]
[B<-build_chain>]
[B<-CRL> I<filename>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pass> I<arg>]
[B<-chainCAfile> I<filename>]
[B<-chainCApath> I<directory>]
@@ -240,10 +240,10 @@ The default is not to use a certificate.
The chain for the client certificate may be specified using B<-cert_chain>.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>|B<P12>
The client certificate file format to use; the default is B<PEM>.
-see L<openssl(1)/Format Options>.
+This option has no effect and is retained for backward compatibility only.
=item B<-cert_chain>
@@ -273,9 +273,10 @@ Download CRL from distribution points in the certificate.
The client private key file to use.
If not specified then the certificate file will be used to read also the key.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<arg>
@@ -894,6 +895,11 @@ L<ossl_store-file(7)>
The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
The B<-name> option was added in OpenSSL 1.1.1.
+The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index c9f4bfc11b..8e5da51c40 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -20,19 +20,19 @@ B<openssl> B<s_server>
[B<-Verify> I<int>]
[B<-cert> I<infile>]
[B<-cert2> I<infile>]
-[B<-certform> B<DER>|B<PEM>]
+[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-cert_chain> I<infile>]
[B<-build_chain>]
[B<-serverinfo> I<val>]
[B<-key> I<infile>]
[B<-key2> I<infile>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pass> I<val>]
[B<-dcert> I<infile>]
-[B<-dcertform> B<DER>|B<PEM>]
+[B<-dcertform> B<DER>|B<PEM>|B<P12>]
[B<-dcert_chain> I<infile>]
[B<-dkey> I<infile>]
-[B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-dpass> I<val>]
[B<-nbio_test>]
[B<-crlf>]
@@ -220,10 +220,10 @@ certificate and some require a certificate with a certain public key type:
for example the DSS cipher suites require a certificate containing a DSS
(DSA) key. If not specified then the filename F<server.pem> will be used.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>|B<P12>
-The server certificate file format; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
+The server certificate file format.
+This option has no effect and is retained for backward compatibility only.
=item B<-cert_chain>
@@ -248,9 +248,10 @@ ServerHello extension will be returned.
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<val>
@@ -276,14 +277,15 @@ A file containing untrusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
-=item B<-dcertform> B<DER>|B<PEM>
+=item B<-dcertform> B<DER>|B<PEM>|B<P12>
-The format of the additional certificate file; the default is B<PEM>.
-See L<openssl(1)/Format Options>.
+The format of the additional certificate file.
+This option has no effect and is retained for backward compatibility only.
-=item B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the additional private key; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options>.
=item B<-dpass> I<val>
@@ -822,6 +824,12 @@ The -no_alt_chains option was added in OpenSSL 1.1.0.
The
-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
+All B<-keyform> and B<-dkeyform> values except B<ENGINE>
+have become obsolete in OpenSSL 3.0.0 and have no effect.
+
+The B<-certform> and B<-dcertform> options have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in
index 13a0e4a47e..4dce01a46e 100644
--- a/doc/man1/openssl-smime.pod.in
+++ b/doc/man1/openssl-smime.pod.in
@@ -32,7 +32,7 @@ B<openssl> B<smime>
[B<-recip> I< file>]
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-inkey> I<file_or_id>]
[B<-out> I<file>]
@@ -50,7 +50,7 @@ B<openssl> B<smime>
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
-I<cert.pem> ...
+I<recipcert> ...
=for openssl ifdef engine
@@ -125,9 +125,10 @@ The output format of the PKCS#7 (S/MIME) structure (if one is being written);
the default is B<SMIME>.
See L<openssl(1)/Format Options> for details.
-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-stream>, B<-indef>, B<-noindef>
@@ -235,7 +236,7 @@ option is present B<CRLF> is used instead.
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
-the signers certificates. The certificates should be in PEM format.
+the signers certificates.
=item B<-signer> I<file>
@@ -291,7 +292,7 @@ Any verification errors cause the command to exit.
{- $OpenSSL::safe::opt_provider_item -}
-=item I<cert.pem> ...
+=item I<recipcert> ...
One or more certificates of message recipients, used when encrypting
a message.
@@ -479,6 +480,9 @@ added in OpenSSL 1.0.0
The -no_alt_chains option was added in OpenSSL 1.1.0.
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in
index 72e4788fd1..ca7d097d85 100644
--- a/doc/man1/openssl-spkac.pod.in
+++ b/doc/man1/openssl-spkac.pod.in
@@ -16,7 +16,7 @@ B<openssl> B<spkac>
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-key> I<keyfile>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-challenge> I<string>]
[B<-pubkey>]
@@ -59,9 +59,10 @@ Create an SPKAC file using the private key in I<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-passin> I<arg>
@@ -148,6 +149,11 @@ to be used in a "replay attack".
L<openssl(1)>,
L<openssl-ca(1)>
+=head1 HISTORY
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in
index e4e394faa6..7271efe833 100644
--- a/doc/man1/openssl-verify.pod.in
+++ b/doc/man1/openssl-verify.pod.in
@@ -99,7 +99,6 @@ with a B<->.
One or more certificates to verify. If no certificates are given,
this command will attempt to read a certificate from standard input.
-Certificates must be in PEM format.
If a certificate chain has multiple problems, this program tries to
display all of them.
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index b8fd2a4041..918c91b34b 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -11,9 +11,9 @@ B<openssl> B<x509>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
-[B<-CAform> B<DER>|B<PEM>]
-[B<-CAkeyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-CAform> B<DER>|B<PEM>|B<P12>]
+[B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-serial>]
@@ -100,13 +100,18 @@ various sections.
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-The input and formats; the default is B<PEM>.
+The CSR input format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
-The input is normally an X.509 certificate, but this can change if other
-options such as B<-req> are used.
+The input is normally an X.509 certificate file of any format,
+but this can change if other options such as B<-req> are used.
+
+B<-outform> B<DER>|B<PEM>
+
+The output format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
@@ -355,8 +360,7 @@ can thus behave like a "mini CA".
=item B<-signkey> I<arg>
This option causes the input file to be self signed using the supplied
-private key or engine. The private key's format is specified with the
-B<-keyform> option.
+private key or engine.
It sets the issuer name to the subject name (i.e., makes it self-issued)
and changes the public key to the supplied value (unless overridden by
@@ -392,14 +396,21 @@ certificate is being created from another certificate (for example with
the B<-signkey> or the B<-CA> options). Normally all extensions are
retained.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
-=item B<-CAform> B<DER>|B<PEM>, B<-CAkeyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-CAform> B<DER>|B<PEM>|B<P12>,
+
+The format for the CA certificate.
+This option has no effect and is retained for backward compatibility.
-The format for the CA certificate and key; the default is B<PEM>.
+=item B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+
+The format for the CA key; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-days> I<arg>
@@ -502,8 +513,6 @@ self-signed, for instance when the key cannot be used for signing, such as DH.
It can also be used in conjunction with b<-new> and B<-subj> to directly
generate a certificate containing any desired public key.
-The format of the key file can be specified using the B<-keyform> option.
-
=item B<-subj> I<arg>
When a certificate is created set its subject name to the given value.
@@ -821,6 +830,11 @@ of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
version of the DN using SHA1. This means that any directories using the old
form must have their links rebuilt using L<openssl-rehash(1)> or similar.
+All B<-keyform> and B<-CAkeyform> values except B<ENGINE>
+have become obsolete in OpenSSL 3.0.0 and have no effect.
+
+The B<-CAform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index 1cdcd8b8bb..7170a98448 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -525,7 +525,12 @@ parameters start with a minus sign:
=head2 Format Options
Several OpenSSL commands can take input or generate output in a variety
-of formats. The list of acceptable formats, and the default, is
+of formats.
+Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
+files in any of the B<DER>, B<PEM>, or B<P12> formats,
+while specifying their input format is no more needed.
+
+The list of acceptable formats, and the default, is
described in each command documentation. The list of formats is
described below. Both uppercase and lowercase are accepted.
@@ -618,6 +623,8 @@ The format of the input or output streams.
=item B<-keyform> I<format>
Format of a private key input source.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
=item B<-CRLform> I<format>
@@ -789,12 +796,6 @@ OpenSSL command to generate an alternative chain.
=over 4
-=item B<-xchain_build>
-
-Specify whether the application should build the certificate chain to be
-provided to the server for the extra certificates via the B<-xkey>,
-B<-xcert>, and B<-xchain> options.
-
=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
Specify an extra certificate, private key and certificate chain. These behave
@@ -802,21 +803,21 @@ in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When
specified, the callback returning the first valid chain will be in use by the
client.
-=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
-
-The input format for the extra certificate and key, respectively.
-See L<openssl(1)/Format Options> for details.
-
=item B<-xchain_build>
Specify whether the application should build the certificate chain to be
provided to the server for the extra certificates via the B<-xkey>,
B<-xcert>, and B<-xchain> options.
-=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
+=item B<-xcertform> B<DER>|B<PEM>|B<P12>
-The input format for the extra certificate and key, respectively.
-See L<openssl(1)/Format Options> for details.
+The input format for the extra certificate.
+This option has no effect and is retained for backward compatibility only.
+
+=item B<-xkeyform> B<DER>|B<PEM>|B<P12>
+
+The input format for the extra key.
+This option has no effect and is retained for backward compatibility only.
=back
@@ -1403,6 +1404,9 @@ manual pages.
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.
+The B<-xcertform> and B<-xkeyform> options
+are obsolete since OpenSSL 3.0.0 and have no effect.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/EVP_PKEY_fromdata.pod b/doc/man3/EVP_PKEY_fromdata.pod
index 71ba642180..526109386e 100644
--- a/doc/man3/EVP_PKEY_fromdata.pod
+++ b/doc/man3/EVP_PKEY_fromdata.pod
@@ -103,7 +103,7 @@ TODO Write a set of cookbook documents and link to them.
OSSL_PARAM_ulong("d", &rsa_d),
OSSL_PARAM_END
};
-
+
int main()
{
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);