The branch master has been updated via 018aaeb47874272e157d35c05c68e826301d57f5 (commit) from 9484b67dfb0fc69326b4d94c2040751b205baa24 (commit)
- Log ----------------------------------------------------------------- commit 018aaeb47874272e157d35c05c68e826301d57f5 Author: Rich Salz <rs...@akamai.com> Date: Sat Oct 12 17:45:56 2019 -0400 Refactor -engine documentation Common wording courtesy Richard Levitte. Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10128) ----------------------------------------------------------------------- Summary of changes: .gitignore | 13 +++++++++++++ doc/man1/openssl-ca.pod.in | 11 +++-------- doc/man1/openssl-dgst.pod.in | 13 +++++-------- doc/man1/openssl-dhparam.pod.in | 9 ++------- doc/man1/{openssl-dsa.pod => openssl-dsa.pod.in} | 14 +++++++------- doc/man1/openssl-dsaparam.pod.in | 10 +++------- doc/man1/{openssl-ec.pod => openssl-ec.pod.in} | 14 +++++++------- doc/man1/openssl-ecparam.pod.in | 9 ++------- doc/man1/openssl-enc.pod.in | 8 +++++--- doc/man1/openssl-gendsa.pod.in | 15 +++++---------- .../{openssl-genpkey.pod => openssl-genpkey.pod.in} | 17 ++++++++--------- doc/man1/openssl-genrsa.pod.in | 11 +++-------- doc/man1/openssl-pkcs12.pod.in | 3 +++ doc/man1/{openssl-pkcs7.pod => openssl-pkcs7.pod.in} | 14 +++++++------- doc/man1/openssl-pkcs8.pod.in | 11 +++-------- doc/man1/{openssl-pkey.pod => openssl-pkey.pod.in} | 16 ++++++++-------- .../{openssl-pkeyparam.pod => openssl-pkeyparam.pod.in} | 16 ++++++++-------- doc/man1/openssl-pkeyutl.pod.in | 9 ++------- doc/man1/openssl-req.pod.in | 11 +++-------- doc/man1/{openssl-rsa.pod => openssl-rsa.pod.in} | 14 +++++++------- doc/man1/openssl-s_client.pod.in | 11 +++-------- doc/man1/openssl-s_server.pod.in | 11 +++-------- doc/man1/openssl-speed.pod.in | 11 +++-------- doc/man1/{openssl-spkac.pod => openssl-spkac.pod.in} | 14 +++++++------- .../{openssl-storeutl.pod => openssl-storeutl.pod.in} | 16 ++++++++-------- doc/man1/openssl-ts.pod.in | 9 ++------- doc/man1/openssl-verify.pod.in | 16 ++++++---------- 
doc/man1/openssl-x509.pod.in | 11 +++-------- doc/man1/openssl.pod | 13 +++++++++++++ doc/perlvars.pm | 8 ++++++++ 30 files changed, 160 insertions(+), 198 deletions(-) rename doc/man1/{openssl-dsa.pod => openssl-dsa.pod.in} (93%) rename doc/man1/{openssl-ec.pod => openssl-ec.pod.in} (94%) rename doc/man1/{openssl-genpkey.pod => openssl-genpkey.pod.in} (96%) rename doc/man1/{openssl-pkcs7.pod => openssl-pkcs7.pod.in} (87%) rename doc/man1/{openssl-pkey.pod => openssl-pkey.pod.in} (92%) rename doc/man1/{openssl-pkeyparam.pod => openssl-pkeyparam.pod.in} (85%) rename doc/man1/{openssl-rsa.pod => openssl-rsa.pod.in} (93%) rename doc/man1/{openssl-spkac.pod => openssl-spkac.pod.in} (92%) rename doc/man1/{openssl-storeutl.pod => openssl-storeutl.pod.in} (90%) diff --git a/.gitignore b/.gitignore index 659be22843..91d2c03b40 100644 --- a/.gitignore +++ b/.gitignore 
@@ -31,28 +31,41 @@ doc/man1/openssl-cms.pod doc/man1/openssl-crl.pod doc/man1/openssl-dgst.pod doc/man1/openssl-dhparam.pod +doc/man1/openssl-dsa.pod doc/man1/openssl-dsaparam.pod +doc/man1/openssl-ec.pod doc/man1/openssl-ecparam.pod doc/man1/openssl-enc.pod +doc/man1/openssl-engine.pod doc/man1/openssl-gendsa.pod +doc/man1/openssl-genpkey.pod doc/man1/openssl-genrsa.pod +doc/man1/openssl-info.pod +doc/man1/openssl-list.pod doc/man1/openssl-ocsp.pod doc/man1/openssl-passwd.pod doc/man1/openssl-pkcs12.pod +doc/man1/openssl-pkcs7.pod doc/man1/openssl-pkcs8.pod +doc/man1/openssl-pkey.pod +doc/man1/openssl-pkeyparam.pod doc/man1/openssl-pkeyutl.pod doc/man1/openssl-rand.pod doc/man1/openssl-req.pod +doc/man1/openssl-rsa.pod doc/man1/openssl-rsautl.pod doc/man1/openssl-s_client.pod doc/man1/openssl-s_server.pod doc/man1/openssl-s_time.pod doc/man1/openssl-smime.pod doc/man1/openssl-speed.pod +doc/man1/openssl-spkac.pod doc/man1/openssl-srp.pod +doc/man1/openssl-storeutl.pod doc/man1/openssl-ts.pod doc/man1/openssl-verify.pod doc/man1/openssl-x509.pod +doc/man1/openssl.pod # error code files /crypto/err/openssl.txt.old diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index ca8ebb8c70..44e581e0d9 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -48,7 +48,6 @@ B<openssl> B<ca> [B<-msie_hack>] [B<-extensions> I<section>] [B<-extfile> I<section>] -[B<-engine> I<id>] [B<-subj> I<arg>] [B<-utf8>] [B<-sigopt> I<nm>:I<v>] @@ -58,6 +57,7 @@ B<openssl> B<ca> [B<-sm2-id> I<string>] [B<-sm2-hex-id> I<hex-string>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} [I<certreq>...] =for openssl ifdef engine sm2-id sm2-hex-id 
@@ -253,13 +253,6 @@ An additional configuration file to read certificate extensions from (using the default section unless the B<-extensions> option is also used). -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause B<ca> -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-subj> I<arg> Supersedes subject name given in the request. @@ -310,6 +303,8 @@ certificate. The argument for this option is string of hexadecimal digits. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 CRL OPTIONS diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index 4472b2ffe0..4563ad1d5e 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -27,7 +27,7 @@ B<openssl> B<dgst>|I<digest> [B<-hmac> I<key>] [B<-fips-fingerprint>] [B<-engine> I<id>] -[B<-engine_impl>] +{- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} [I<file> ...] @@ -168,13 +168,6 @@ option. Compute HMAC using a specific key for certain OpenSSL-FIPS operations. -=item B<-engine> I<id> - -Use engine I<id> for operations (including private key storage). -This engine is not used as source for digest algorithms, unless it is -also specified in the configuration file or B<-engine_impl> is also -specified. - =item B<-engine_impl> When used with the B<-engine> option, it specifies to also use @@ -182,6 +175,10 @@ engine I<id> for digest operations. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} +The engine is not used for digests unless the B<-engine_impl> option is +used or it is configured to do so, see L<config(5)/Engine Configuration Module>. + =item I<file> ... File or files to digest. If no files are specified then standard input is 
diff --git a/doc/man1/openssl-dhparam.pod.in b/doc/man1/openssl-dhparam.pod.in index d55931fae8..e125330b36 100644 --- a/doc/man1/openssl-dhparam.pod.in +++ b/doc/man1/openssl-dhparam.pod.in @@ -21,7 +21,7 @@ B<openssl dhparam> [B<-2>] [B<-3>] [B<-5>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} [I<numbits>] @@ -102,12 +102,7 @@ This option prints out the DH parameters in human readable form. This option converts the parameters into C code. The parameters can then be loaded by calling the get_dhNNNN() function. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause B<dhparam> -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +{- $OpenSSL::safe::opt_engine_item -} {- $OpenSSL::safe::opt_r_item -} diff --git a/doc/man1/openssl-dsa.pod b/doc/man1/openssl-dsa.pod.in similarity index 93% rename from doc/man1/openssl-dsa.pod rename to doc/man1/openssl-dsa.pod.in index 8c7b03781e..548d36874f 100644 --- a/doc/man1/openssl-dsa.pod +++ b/doc/man1/openssl-dsa.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-dsa - DSA key processing @@ -31,7 +36,7 @@ B<openssl> B<dsa> [B<-modulus>] [B<-pubin>] [B<-pubout>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef pvk-string pvk-weak pvk-none engine 
@@ -113,12 +118,7 @@ By default, a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause L<openssl-dsa(1)> -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +{- $OpenSSL::safe::opt_engine_item -} =back diff --git a/doc/man1/openssl-dsaparam.pod.in b/doc/man1/openssl-dsaparam.pod.in index cfe7c31e59..bab743672f 100644 --- a/doc/man1/openssl-dsaparam.pod.in +++ b/doc/man1/openssl-dsaparam.pod.in @@ -17,9 +17,9 @@ B<openssl dsaparam> [B<-text>] [B<-C>] [B<-genkey>] -[B<-engine> I<id>] [B<-verbose>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} [I<numbits>] =head1 DESCRIPTION @@ -75,12 +75,6 @@ be loaded by calling the get_dsaXXX() function. This option will generate a DSA either using the specified or generated parameters. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. =item B<-verbose> @@ -88,6 +82,8 @@ Print extra details about the operations being performed. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =item I<numbits> This option specifies that a parameter set should be generated of size diff --git a/doc/man1/openssl-ec.pod b/doc/man1/openssl-ec.pod.in similarity index 94% rename from doc/man1/openssl-ec.pod rename to doc/man1/openssl-ec.pod.in index 2646c126b5..d20b49afcf 100644 --- a/doc/man1/openssl-ec.pod +++ b/doc/man1/openssl-ec.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-ec - EC key processing 
@@ -26,7 +31,7 @@ B<openssl> B<ec> [B<-param_enc> I<arg>] [B<-no_public>] [B<-check>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine @@ -131,12 +136,7 @@ This option omits the public key components from the private key output. This option checks the consistency of an EC private or public key. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +{- $OpenSSL::safe::opt_engine_item -} =back diff --git a/doc/man1/openssl-ecparam.pod.in b/doc/man1/openssl-ecparam.pod.in index 823ca51273..ae2240ca59 100644 --- a/doc/man1/openssl-ecparam.pod.in +++ b/doc/man1/openssl-ecparam.pod.in @@ -24,7 +24,7 @@ B<openssl ecparam> [B<-param_enc> I<arg>] [B<-no_seed>] [B<-genkey>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} =for openssl ifdef engine @@ -122,12 +122,7 @@ is included in the ECParameters structure (see RFC 3279). This option will generate an EC private key using the specified parameters. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause B<ecparam> -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +{- $OpenSSL::safe::opt_engine_item -} {- $OpenSSL::safe::opt_r_item -} diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index 0f1508e97a..cff127d211 100644 --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -37,7 +37,7 @@ B<openssl> B<enc>|I<cipher> [B<-nopad>] [B<-debug>] [B<-none>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} =for openssl ifdef z engine 
@@ -192,6 +192,8 @@ Use NULL cipher (no encryption or decryption of input). {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 NOTES @@ -204,8 +206,8 @@ Use the L<openssl-list(1)> command to get a list of supported ciphers. Engines which provide entirely new encryption algorithms (such as the ccgost engine which provides gost89 algorithm) should be configured in the -configuration file. Engines specified on the command line using -engine -options can only be used for hardware-assisted implementations of +configuration file. Engines specified on the command line using B<-engine> +option can only be used for hardware-assisted implementations of ciphers which are supported by the OpenSSL core or another engine specified in the configuration file. diff --git a/doc/man1/openssl-gendsa.pod.in b/doc/man1/openssl-gendsa.pod.in index c15fdc9d03..46b9c70bba 100644 --- a/doc/man1/openssl-gendsa.pod.in +++ b/doc/man1/openssl-gendsa.pod.in @@ -22,9 +22,9 @@ B<openssl> B<gendsa> [B<-des>] [B<-des3>] [B<-idea>] -[B<-engine> I<id>] [B<-verbose>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} [I<paramfile>] =for openssl ifdef engine 
@@ -53,25 +53,20 @@ These options encrypt the private key with specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified no encryption is used. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-verbose> Print extra details about the operations being performed. +{- $OpenSSL::safe::opt_r_item -} + +{- $OpenSSL::safe::opt_engine_item -} + =item I<paramfile> The DSA parameter file to use. The parameters in this file determine the size of the private key. DSA parameters can be generated and examined using the L<openssl-dsaparam(1)> command. -{- $OpenSSL::safe::opt_r_item -} - =back =head1 NOTES diff --git a/doc/man1/openssl-genpkey.pod b/doc/man1/openssl-genpkey.pod.in similarity index 96% rename from doc/man1/openssl-genpkey.pod rename to doc/man1/openssl-genpkey.pod.in index 69c642cdf7..c031f238af 100644 --- a/doc/man1/openssl-genpkey.pod +++ b/doc/man1/openssl-genpkey.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-genpkey - generate a private key @@ -12,12 +17,12 @@ B<openssl> B<genpkey> [B<-outform> B<DER>|B<PEM>] [B<-pass> I<arg>] [B<-I<cipher>>] -[B<-engine> I<id>] [B<-paramfile> I<file>] [B<-algorithm> I<alg>] [B<-pkeyopt> I<opt>:I<value>] [B<-genparam>] [B<-text>] +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine 
@@ -53,14 +58,6 @@ see L<openssl(1)/Pass Phrase Options>. This option encrypts the private key with the supplied cipher. Any algorithm name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. If used this option should precede all other -options. - =item B<-algorithm> I<alg> Public key algorithm to use such as RSA, DSA or DH. If used this option must @@ -105,6 +102,8 @@ are mutually exclusive. Print an (unencrypted) text representation of private and public keys and parameters along with the PEM or DER structure. +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 KEY GENERATION OPTIONS diff --git a/doc/man1/openssl-genrsa.pod.in b/doc/man1/openssl-genrsa.pod.in index 16b887be99..8a815ee960 100644 --- a/doc/man1/openssl-genrsa.pod.in +++ b/doc/man1/openssl-genrsa.pod.in @@ -24,10 +24,10 @@ B<openssl> B<genrsa> [B<-des3>] [B<-idea>] [B<-f4>|B<-3>] -[B<-engine> I<id>] [B<-primes> I<num>] [B<-verbose>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} [B<numbits>] =for openssl ifdef engine @@ -65,13 +65,6 @@ for if it is not supplied via the B<-passout> argument. The public exponent to use, either 65537 or 3. The default is 65537. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-primes> I<num> Specify the number of primes to use while generating the RSA key. The I<num> 
@@ -85,6 +78,8 @@ Print extra details about the operations being performed. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =item B<numbits> The size of the private key to generate in bits. This must be the last option diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 86c9de4670..bc2f4963d5 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -41,6 +41,7 @@ B<openssl> B<pkcs12> [B<-CSP> I<name>] {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine @@ -271,6 +272,8 @@ Write I<name> as a Microsoft CSP name. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 NOTES diff --git a/doc/man1/openssl-pkcs7.pod b/doc/man1/openssl-pkcs7.pod.in similarity index 87% rename from doc/man1/openssl-pkcs7.pod rename to doc/man1/openssl-pkcs7.pod.in index adfe54ec0e..f62b69b52b 100644 --- a/doc/man1/openssl-pkcs7.pod +++ b/doc/man1/openssl-pkcs7.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-pkcs7 - PKCS#7 utility @@ -15,7 +20,7 @@ B<openssl> B<pkcs7> [B<-print_certs>] [B<-text>] [B<-noout>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine @@ -67,12 +72,7 @@ issuer names. Don't output the encoded version of the PKCS#7 structure (or certificates is B<-print_certs> is set). -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +{- $OpenSSL::safe::opt_engine_item -} =back diff --git a/doc/man1/openssl-pkcs8.pod.in b/doc/man1/openssl-pkcs8.pod.in index b53f0ee8ce..34b469ddbc 100644 --- a/doc/man1/openssl-pkcs8.pod.in 
+++ b/doc/man1/openssl-pkcs8.pod.in @@ -23,12 +23,12 @@ B<openssl> B<pkcs8> [B<-v2> I<alg>] [B<-v2prf> I<alg>] [B<-v1> I<alg>] -[B<-engine> I<id>] [B<-scrypt>] [B<-scrypt_N> I<N>] [B<-scrypt_r> I<r>] [B<-scrypt_p> I<p>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine scrypt scrypt_N scrypt_r scrypt_p @@ -135,13 +135,6 @@ This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some older implementations may not support PKCS#5 v2.0 and may require this option. If not specified PKCS#5 v2.0 form is used. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-scrypt> Uses the B<scrypt> algorithm for private key encryption using default @@ -155,6 +148,8 @@ Sets the scrypt I<N>, I<r> or I<p> parameters. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 NOTES diff --git a/doc/man1/openssl-pkey.pod b/doc/man1/openssl-pkey.pod.in similarity index 92% rename from doc/man1/openssl-pkey.pod rename to doc/man1/openssl-pkey.pod.in index b1aa4af454..e2905b6934 100644 --- a/doc/man1/openssl-pkey.pod +++ b/doc/man1/openssl-pkey.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-pkey - public or private key processing tool @@ -21,9 +26,9 @@ B<openssl> B<pkey> [B<-noout>] [B<-pubin>] [B<-pubout>] -[B<-engine> I<id>] [B<-check>] [B<-pubcheck>] +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine 
@@ -99,13 +104,6 @@ By default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-check> This option checks the consistency of a key pair for both public and private @@ -116,6 +114,8 @@ components. This option checks the correctness of either a public key or the public component of a key pair. +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-pkeyparam.pod b/doc/man1/openssl-pkeyparam.pod.in similarity index 85% rename from doc/man1/openssl-pkeyparam.pod rename to doc/man1/openssl-pkeyparam.pod.in index 36ff7f5245..4488119121 100644 --- a/doc/man1/openssl-pkeyparam.pod +++ b/doc/man1/openssl-pkeyparam.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-pkeyparam - public key algorithm parameter processing tool @@ -12,8 +17,8 @@ B<openssl> B<pkeyparam> [B<-out> I<filename>] [B<-text>] [B<-noout>] -[B<-engine> I<id>] [B<-check>] +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine @@ -48,17 +53,12 @@ Prints out the parameters in plain text in addition to the encoded version. Do not output the encoded version of the parameters. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-check> This option checks the correctness of parameters. +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 EXAMPLES 
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index 27f1d26ac8..c239a0469a 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -34,7 +34,7 @@ B<openssl> B<pkeyutl> [B<-pkeyopt_passin> I<opt>[:I<passarg>]] [B<-hexdump>] [B<-asn1parse>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} [B<-engine_impl>] {- $OpenSSL::safe::opt_r_synopsis -} @@ -179,12 +179,7 @@ hex dump the output data. Parse the ASN.1 output data, this is useful when combined with the B<-verifyrecover> option when an ASN1 structure is signed. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +{- $OpenSSL::safe::opt_engine_item -} =item B<-engine_impl> diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 17ffe9ade6..cd49679d04 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -45,11 +45,11 @@ B<openssl> B<req> [B<-sigopt> I<nm>:I<v>] [B<-batch>] [B<-verbose>] -[B<-engine> I<id>] [B<-sm2-id> I<string>] [B<-sm2-hex-id> I<hex-string>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine keygen_engine sm2-id sm2-hex-id @@ -301,13 +301,6 @@ Non-interactive mode. Print extra details about the operations being performed. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-keygen_engine> I<id> Specifies an engine (by its unique I<id> string) which would be used 
@@ -327,6 +320,8 @@ argument for this option is string of hexadecimal digits. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 CONFIGURATION FILE FORMAT diff --git a/doc/man1/openssl-rsa.pod b/doc/man1/openssl-rsa.pod.in similarity index 93% rename from doc/man1/openssl-rsa.pod rename to doc/man1/openssl-rsa.pod.in index 9e1be94a26..b391487719 100644 --- a/doc/man1/openssl-rsa.pod +++ b/doc/man1/openssl-rsa.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-rsa - RSA key processing tool @@ -34,7 +39,7 @@ B<openssl> B<rsa> [B<-pubout>] [B<-RSAPublicKey_in>] [B<-RSAPublicKey_out>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef pvk-strong pvk-weak pvk-none engine @@ -126,12 +131,7 @@ the input is a public key. Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +{- $OpenSSL::safe::opt_engine_item -} =back diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index f010e60679..8bd6c9eec1 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -112,7 +112,6 @@ B<openssl> B<s_client> [B<-starttls> I<protocol>] [B<-xmpphost> I<hostname>] [B<-name> I<hostname>] -[B<-engine> I<id>] [B<-tlsextdebug>] [B<-no_ticket>] [B<-sess_out> I<filename>] @@ -131,6 +130,7 @@ B<openssl> B<s_client> {- $OpenSSL::safe::opt_x_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} [I<host>:I<port>] =for openssl ifdef engine ssl_client_engine ct noct ctlogfile 
@@ -628,13 +628,6 @@ Output SSL session to I<filename>. Load SSL session from I<filename>. The client will attempt to resume a connection from this session. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-serverinfo> I<types> A list of comma-separated TLS Extension Types (numbers between 0 and @@ -707,6 +700,8 @@ I<localhost> on port I<4433>. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 CONNECTED COMMANDS diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index ed2d049081..743ad616d5 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -166,7 +166,6 @@ B<openssl> B<s_server> [B<-nextprotoneg> I<val>] [B<-use_srtp> I<val>] [B<-alpn> I<val>] -[B<-engine> I<val>] [B<-keylogfile> I<outfile>] [B<-max_early_data> I<int>] [B<-early_data>] @@ -177,6 +176,7 @@ B<openssl> B<s_server> {- $OpenSSL::safe::opt_x_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine @@ -676,13 +676,6 @@ Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3". The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used. -=item B<-engine> I<val> - -Specifying an engine (by its unique id string in I<val>) will cause -this command to attempt to obtain a functional reference to the -specified engine, thus initialising it if needed. The engine will then be -set as the default for all available algorithms. - =item B<-keylogfile> I<outfile> Appends TLS secrets to the specified keylog file such that external programs 
@@ -722,6 +715,8 @@ by the client in binary mode. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 CONNECTED COMMANDS diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in index 164bf3d9d7..6e1bb642e1 100644 --- a/doc/man1/openssl-speed.pod.in +++ b/doc/man1/openssl-speed.pod.in @@ -9,7 +9,6 @@ openssl-speed - test library performance B<openssl speed> [B<-help>] -[B<-engine> I<id>] [B<-elapsed>] [B<-evp> I<algo>] [B<-hmac> I<algo>] @@ -19,6 +18,7 @@ B<openssl speed> [B<-seconds> I<num>] [B<-bytes> I<num>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} [I<algorithm> ...] =for openssl ifdef cmac multi async_jobs engine @@ -38,13 +38,6 @@ the B<rand> algorithm name. Print out a usage message. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-elapsed> When calculating operations- or bytes-per-second, use wall-clock time @@ -86,6 +79,8 @@ Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_engine_item -} + =item I<algorithm> ... If any I<algorithm> is given, then those algorithms are tested, otherwise a diff --git a/doc/man1/openssl-spkac.pod b/doc/man1/openssl-spkac.pod.in similarity index 92% rename from doc/man1/openssl-spkac.pod rename to doc/man1/openssl-spkac.pod.in index a36d5364d9..bfb17d1208 100644 --- a/doc/man1/openssl-spkac.pod +++ b/doc/man1/openssl-spkac.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-spkac - SPKAC printing and generating utility 
@@ -19,7 +24,7 @@ B<openssl> B<spkac> [B<-spksect> I<section>] [B<-noout>] [B<-verify>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine @@ -92,12 +97,7 @@ being created). Verifies the digital signature on the supplied SPKAC. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +{- $OpenSSL::safe::opt_engine_item -} =back diff --git a/doc/man1/openssl-storeutl.pod b/doc/man1/openssl-storeutl.pod.in similarity index 90% rename from doc/man1/openssl-storeutl.pod rename to doc/man1/openssl-storeutl.pod.in index 0ceb1cea97..3bfca0873e 100644 --- a/doc/man1/openssl-storeutl.pod +++ b/doc/man1/openssl-storeutl.pod.in @@ -1,5 +1,10 @@ =pod +=begin comment +{- join("\n", @autowarntext) -} + +=end comment + =head1 NAME openssl-storeutl - STORE utility @@ -12,7 +17,6 @@ B<openssl> B<storeutl> [B<-noout>] [B<-passin> I<arg>] [B<-text> I<arg>] -[B<-engine> I<id>] [B<-r>] [B<-certs>] [B<-keys>] @@ -23,6 +27,7 @@ B<openssl> B<storeutl> [B<-alias> I<arg>] [B<-fingerprint> I<arg>] [B<-I<digest>>] +{- $OpenSSL::safe::opt_engine_synopsis -} I<uri> ... =head1 DESCRIPTION @@ -57,13 +62,6 @@ see L<openssl(1)/Pass Phrase Options>. Prints out the objects in text form, similarly to the B<-text> output from L<openssl-x509(1)>, L<openssl-pkey(1)>, etc. -=item B<-engine> I<id> - -specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. -The engine will then be set as the default for all available algorithms. - =item B<-r> Fetch objects recursively when possible. 
@@ -110,6 +108,8 @@ Search for an object having the given fingerprint. The digest that was used to compute the fingerprint given with B<-fingerprint>. +{- $OpenSSL::safe::opt_engine_item -} + =back =head1 SEE ALSO diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index f6202fa92f..0eb4f8031a 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -37,7 +37,7 @@ B<-reply> [B<-out> I<response.tsr>] [B<-token_out>] [B<-text>] -[B<-engine> I<id>] +{- $OpenSSL::safe::opt_engine_synopsis -} B<openssl> B<ts> B<-verify> @@ -303,12 +303,7 @@ response (TimeStampResp). (Optional) If this option is specified the output is human-readable text format instead of DER. (Optional) -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. Default is built-in. (Optional) +{- $OpenSSL::safe::opt_engine_item -} =back diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index 100cff4a6b..ab8257a5e4 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in @@ -16,7 +16,6 @@ B<openssl> B<verify> [B<-crl_download>] [B<-crl_check>] [B<-crl_check_all>] -[B<-engine> I<id>] [B<-explicit_policy>] [B<-extended_crl>] [B<-ignore_critical>] @@ -49,6 +48,7 @@ B<openssl> B<verify> [B<-sm2-hex-id> I<hex-string>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} [B<-->] [I<certificate> ...] 
@@ -101,15 +101,6 @@ If a valid CRL cannot be found an error occurs. Checks the validity of B<all> certificates in the chain by attempting to look up valid CRLs. -=item B<-engine> I<id> - -Specifying an engine I<id> will cause this command to attempt to load the -specified engine. -The engine will then be set as the default for all its supported algorithms. -If you want to load certificates or CRLs that require engine support via any of -the B<-trusted>, B<-untrusted> or B<-CRLfile> options, the B<-engine> option -must be specified before those options. - =item B<-explicit_policy> Set policy variable require-explicit-policy (see RFC5280). @@ -303,6 +294,11 @@ certificate. The argument for this option is string of hexadecimal digits. {- $OpenSSL::safe::opt_trust_item -} +{- $OpenSSL::safe::opt_engine_item -} +To load certificates or CRLs that require engine support, specify the +B<-engine> option before any of the +B<-trusted>, B<-untrusted> or B<-CRLfile> options. + =item B<--> Indicates the last option. All arguments following this are assumed to be diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 5dfb9bb0e6..a69d219f74 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -63,10 +63,10 @@ B<openssl> B<x509> [B<-extfile> I<filename>] [B<-extensions> I<section>] [B<-sigopt> I<nm>:I<v>] -[B<-engine> I<id>] [B<-preserve_dates>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_synopsis -} =for openssl ifdef engine subject_hash_old issuer_hash_old 
@@ -117,13 +117,6 @@ Any digest supported by the L<openssl-dgst(1)> command can be used. If not specified then SHA1 is used with B<-fingerprint> or the default digest for the signing algorithm is used, typically SHA256. -=item B<-engine> I<id> - -Specifying an engine (by its unique I<id> string) will cause this command -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. - =item B<-preserve_dates> When signing a certificate, preserve the "notBefore" and "notAfter" dates @@ -132,6 +125,8 @@ Cannot be used with the B<-days> option. {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_engine_item -} + =back =head2 Display Options diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 2e58b1bb3e..5ef537434c 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -933,6 +933,19 @@ name. =back +=head2 Engine Options + +=over 4 + +=item B<-engine> I<id> + +Use the engine identified by I<id> and use all the methods it +implements (algorithms, key storage, etc.), unless specified otherwise in +the command-specific documentation or it is configured to do so, as described +in L<config(5)/Engine Configuration Module>. + +=back + =head1 ENVIRONMENT The OpenSSL library can be take some configuration parameters from the diff --git a/doc/perlvars.pm b/doc/perlvars.pm index 5425c87e03..4e9dc31ac2 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -85,6 +85,14 @@ $OpenSSL::safe::opt_r_item = "" . "\n" . "See L<openssl(1)/Random State Options> for details."; +# Engine option +$OpenSSL::safe::opt_engine_synopsis = "" +. "[B<-engine> I<id>]"; +$OpenSSL::safe::opt_engine_item = "" +. "=item B<-engine> I<id>\n" +. "\n" +. "See L<openssl(1)/Engine Options>."; + # Trusted certs options $OpenSSL::safe::opt_trust_synopsis = "" . "[B<-CAfile> I<file>]\n"
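Review bot: The `# Engine option` comment in the doc/perlvars.pm hunk leaves undocumented two couplings that the rest of this commit relies on. `$OpenSSL::safe::opt_engine_item` ends without a trailing newline, and openssl-verify.pod.in puts its ordering caveat for `-trusted`, `-untrusted` and `-CRLfile` on the line directly after the template, presumably so that it stays under the same `=item`. The `L<openssl(1)/Engine Options>` target is also tied by name to the `=head2 Engine Options` heading added to openssl.pod, so renaming either one silently breaks the cross-reference on every page. I would expand the comment to `# Engine option: item text has no trailing newline so a page can append its own caveats (see openssl-verify.pod.in); the link must match "=head2 Engine Options" in openssl.pod`.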