From 2866441a9027b0f7f07c675ba450eff897e16a91 Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Thu, 19 Jun 2014 14:32:53 +0200 Subject: [PATCH] sort the options in verify man page alphabetically just making sure the options are listed in the alphabetical order both in SYNOPSIS and DESCRIPTION, no text changes --- doc/apps/verify.pod | 160 ++++++++++++++++++++++---------------------- 1 file changed, 80 insertions(+), 80 deletions(-) diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 4a5d767399..bf640685a3 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -7,37 +7,37 @@ verify - Utility to verify certificates. =head1 SYNOPSIS B B -[B<-CApath directory>] [B<-CAfile file>] +[B<-CApath directory>] +[B<-attime timestamp>] [B<-check_ss_sig>] -[B<-trusted_first>] -[B<-purpose purpose>] -[B<-policy arg>] -[B<-ignore_critical>] [B<-crl_check>] [B<-crl_check_all>] -[B<-policy_check>] [B<-explicit_policy>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-x509_strict>] [B<-extended_crl>] -[B<-use_deltas>] -[B<-policy_print>] -[B<-untrusted file>] [B<-help>] +[B<-ignore_critical>] +[B<-inhibit_any>] +[B<-inhibit_map>] [B<-issuer_checks>] -[B<-attime timestamp>] [B<-partial_chain>] +[B<-policy arg>] +[B<-policy_check>] +[B<-policy_print>] +[B<-purpose purpose>] [B<-suiteB_128>] [B<-suiteB_128_only>] [B<-suiteB_192>] +[B<-trusted_first>] +[B<-untrusted file>] +[B<-use_deltas>] [B<-verbose>] [B<-verify_depth num>] [B<-verify_email email>] [B<-verify_hostname hostname>] [B<-verify_ip ip>] [B<-verify_name name>] +[B<-x509_strict>] [B<->] [certificates] @@ -50,6 +50,11 @@ The B command verifies certificate chains. =over 4 +=item B<-CAfile file> + +A file of trusted certificates. The file should contain multiple certificates +in PEM format concatenated together. + =item B<-CApath directory> A directory of trusted certificates. The certificates should have names 
@@ -58,37 +63,53 @@ form ("hash" is the hashed certificate subject name: see the B<-hash> option of the B utility). Under Unix the B script will automatically create symbolic links to a directory of certificates. -=item B<-CAfile file> +=item B<-attime timestamp> -A file of trusted certificates. The file should contain multiple certificates -in PEM format concatenated together. +Perform validation checks using time specified by B and not +current system time. B is the number of seconds since +01.01.1970 (UNIX time). -=item B<-untrusted file> +=item B<-check_ss_sig> -A file of untrusted certificates. The file should contain multiple certificates -in PEM format concatenated together. +Verify the signature on the self-signed root CA. This is disabled by default +because it doesn't add any security. -=item B<-trusted_first> +=item B<-crl_check> -Use certificates in CA file or CA directory before certificates in untrusted -file when building the trust chain to verify certificates. -This is mainly useful in environments with Bridge CA or Cross-Certified CAs. +Checks end entity certificate validity by attempting to look up a valid CRL. +If a valid CRL cannot be found an error occurs. -=item B<-purpose purpose> +=item B<-crl_check_all> -The intended use for the certificate. If this option is not specified, -B will not consider certificate purpose during chain verification. -Currently accepted uses are B, B, B, -B, B. See the B section for more -information. +Checks the validity of B certificates in the chain by attempting +to look up valid CRLs. + +=item B<-explicit_policy> + +Set policy variable require-explicit-policy (see RFC5280). + +=item B<-extended_crl> + +Enable extended CRL features such as indirect CRLs and alternate CRL +signing keys. =item B<-help> Print out a usage message. -=item B<-verbose> +=item B<-ignore_critical> -Print extra information about the operations being performed. 
+Normally if an unhandled critical extension is present which is not +supported by OpenSSL the certificate is rejected (as required by RFC5280). +If this option is set critical extensions are ignored. + +=item B<-inhibit_any> + +Set policy variable inhibit-any-policy (see RFC5280). + +=item B<-inhibit_map> + +Set policy variable inhibit-policy-mapping (see RFC5280). =item B<-issuer_checks> @@ -98,11 +119,9 @@ rejected. The presence of rejection messages does not itself imply that anything is wrong; during the normal verification process, several rejections may take place. -=item B<-attime timestamp> +=item B<-partial_chain> -Perform validation checks using time specified by B and not -current system time. B is the number of seconds since -01.01.1970 (UNIX time). +Allow partial certificate chain if at least one certificate is in trusted store. =item B<-policy arg> 
@@ -114,68 +133,44 @@ This argument can appear more than once. Enables certificate policy processing. -=item B<-explicit_policy> - -Set policy variable require-explicit-policy (see RFC5280). - -=item B<-inhibit_any> - -Set policy variable inhibit-any-policy (see RFC5280). - -=item B<-inhibit_map> - -Set policy variable inhibit-policy-mapping (see RFC5280). - =item B<-policy_print> Print out diagnostics related to policy processing. -=item B<-crl_check> - -Checks end entity certificate validity by attempting to look up a valid CRL. -If a valid CRL cannot be found an error occurs. - -=item B<-crl_check_all> +=item B<-purpose purpose> -Checks the validity of B certificates in the chain by attempting -to look up valid CRLs. +The intended use for the certificate. If this option is not specified, +B will not consider certificate purpose during chain verification. +Currently accepted uses are B, B, B, +B, B. See the B section for more +information. -=item B<-ignore_critical> +=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192> -Normally if an unhandled critical extension is present which is not -supported by OpenSSL the certificate is rejected (as required by RFC5280). -If this option is set critical extensions are ignored. +enable the Suite B mode operation at 128 bit Level of Security, 128 bit or +192 bit, or only 192 bit Level of Security respectively. +See RFC6460 for details. In particular the supported signature algorithms are +reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves +P-256 and P-384. -=item B<-x509_strict> +=item B<-trusted_first> -For strict X.509 compliance, disable non-compliant workarounds for broken -certificates. +Use certificates in CA file or CA directory before certificates in untrusted +file when building the trust chain to verify certificates. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. 
-=item B<-extended_crl> +=item B<-untrusted file> -Enable extended CRL features such as indirect CRLs and alternate CRL -signing keys. +A file of untrusted certificates. The file should contain multiple certificates +in PEM format concatenated together. =item B<-use_deltas> Enable support for delta CRLs. -=item B<-check_ss_sig> - -Verify the signature on the self-signed root CA. This is disabled by default -because it doesn't add any security. - -=item B<-partial_chain> - -Allow partial certificate chain if at least one certificate is in trusted store. - -=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192> +=item B<-verbose> -enable the Suite B mode operation at 128 bit Level of Security, 128 bit or -192 bit, or only 192 bit Level of Security respectively. -See RFC6460 for details. In particular the supported signature algorithms are -reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves -P-256 and P-384. +Print extra information about the operations being performed. =item B<-verify_depth num> @@ -202,6 +197,11 @@ Use default verification options like trust model and required certificate policies identified by B. Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server. +=item B<-x509_strict> + +For strict X.509 compliance, disable non-compliant workarounds for broken +certificates. + =item B<-> Indicates the last option. All arguments following this are assumed to be -- 2.40.0
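Review bot: In the SYNOPSIS hunk (@@ -7,37 +7,37 @@) the sort is case-sensitive, so [B<-CAfile file>] and [B<-CApath directory>] come before [B<-attime timestamp>], and the DESCRIPTION hunks follow the same order. The commit message only says "alphabetically"; either state there that uppercase options sort first, or move -attime ahead of the -CA* options in both sections if a case-insensitive order is what is intended.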
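Review bot: In the DESCRIPTION hunk @@ -114,68 +133,44 @@ the combined item is re-added as "=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>", which is not alphabetical and does not match the SYNOPSIS order (-suiteB_128, -suiteB_128_only, -suiteB_192). The sentence ending in "respectively" depends on the item order as written, so reordering the item would require a text change. Either mention this exception in the commit message, or reorder the item and the sentence together in a follow-up patch.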