Imported Upstream version 1.0.1fupstream/1.0.1f

4 files changed, 54 insertions, 34 deletions

diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod
index ed69952..d326101 100644
--- a/doc/apps/CA.pl.pod
+++ b/doc/apps/CA.pl.pod
@@ -39,13 +39,13 @@ prints a usage message.
 
 =item B<-newcert>
 
-creates a new self signed certificate. The private key and certificate are
-written to the file "newreq.pem".
+creates a new self signed certificate. The private key is written to the file
+"newkey.pem" and the request written to the file "newreq.pem".
 
 =item B<-newreq>
 
-creates a new certificate request. The private key and request are
-written to the file "newreq.pem".
+creates a new certificate request. The private key is written to the file
+"newkey.pem" and the request written to the file "newreq.pem".
 
 =item B<-newreq-nodes>
 
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod
index 69b2bef..d7d784d 100644
--- a/doc/apps/rsa.pod
+++ b/doc/apps/rsa.pod
@@ -24,6 +24,8 @@ B<openssl> B<rsa>
 [B<-check>]
 [B<-pubin>]
 [B<-pubout>]
+[B<-RSAPublicKey_in>]
+[B<-RSAPublicKey_out>]
 [B<-engine id>]
 
 =head1 DESCRIPTION
@@ -118,6 +120,10 @@ by default a private key is output: with this option a public
 key will be output instead. This option is automatically set if
 the input is a public key.
 
+=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
+
+like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
+
 =item B<-engine id>
 
 specifying an engine (by its unique B<id> string) will cause B<rsa>
@@ -139,6 +145,11 @@ The PEM public key format uses the header and footer lines:
  -----BEGIN PUBLIC KEY-----
  -----END PUBLIC KEY-----
 
+The PEM B<RSAPublicKey> format uses the header and footer lines:
+
+ -----BEGIN RSA PUBLIC KEY-----
+ -----END RSA PUBLIC KEY-----
+
 The B<NET> form is a format compatible with older Netscape servers
 and Microsoft IIS .key files, this uses unsalted RC4 for its encryption.
 It is not very secure and so should only be used when necessary.
@@ -173,6 +184,10 @@ To just output the public part of a private key:
 
  openssl rsa -in key.pem -pubout -out pubkey.pem
 
+Output the public part of a private key in B<RSAPublicKey> format:
+
+ openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
+
 =head1 BUGS
 
 The command line password arguments don't currently work with
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 336098f..da68300 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -54,35 +54,37 @@ in PEM format concatenated together.
 =item B<-untrusted file>
 
 A file of untrusted certificates. The file should contain multiple certificates
+in PEM format concatenated together.
 
 =item B<-purpose purpose>
 
-the intended use for the certificate. Without this option no chain verification
-will be done. Currently accepted uses are B<sslclient>, B<sslserver>,
-B<nssslserver>, B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION>
-section for more information.
+The intended use for the certificate. If this option is not specified,
+B<verify> will not consider certificate purpose during chain verification.
+Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
+B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
+information.
 
 =item B<-help>
 
-prints out a usage message.
+Print out a usage message.
 
 =item B<-verbose>
 
-print extra information about the operations being performed.
+Print extra information about the operations being performed.
 
 =item B<-issuer_checks>
 
-print out diagnostics relating to searches for the issuer certificate
-of the current certificate. This shows why each candidate issuer
-certificate was rejected. However the presence of rejection messages
-does not itself imply that anything is wrong: during the normal
-verify process several rejections may take place.
+Print out diagnostics relating to searches for the issuer certificate of the
+current certificate. This shows why each candidate issuer certificate was
+rejected. The presence of rejection messages does not itself imply that
+anything is wrong; during the normal verification process, several
+rejections may take place.
 
 =item B<-policy arg>
 
-Enable policy processing and add B<arg> to the user-initial-policy-set
-(see RFC3280 et al). The policy B<arg> can be an object name an OID in numeric
-form. This argument can appear more than once.
+Enable policy processing and add B<arg> to the user-initial-policy-set (see
+RFC5280). The policy B<arg> can be an object name an OID in numeric form.
+This argument can appear more than once.
 
 =item B<-policy_check>
 
@@ -90,41 +92,40 @@ Enables certificate policy processing.
 
 =item B<-explicit_policy>
 
-Set policy variable require-explicit-policy (see RFC3280 et al).
+Set policy variable require-explicit-policy (see RFC5280).
 
 =item B<-inhibit_any>
 
-Set policy variable inhibit-any-policy (see RFC3280 et al).
+Set policy variable inhibit-any-policy (see RFC5280).
 
 =item B<-inhibit_map>
 
-Set policy variable inhibit-policy-mapping (see RFC3280 et al).
+Set policy variable inhibit-policy-mapping (see RFC5280).
 
 =item B<-policy_print>
 
-Print out diagnostics, related to policy checking
+Print out diagnostics related to policy processing.
 
 =item B<-crl_check>
 
-Checks end entity certificate validity by attempting to lookup a valid CRL.
+Checks end entity certificate validity by attempting to look up a valid CRL.
 If a valid CRL cannot be found an error occurs. 
 
 =item B<-crl_check_all>
 
 Checks the validity of B<all> certificates in the chain by attempting
-to lookup valid CRLs.
+to look up valid CRLs.
 
 =item B<-ignore_critical>
 
 Normally if an unhandled critical extension is present which is not
-supported by OpenSSL the certificate is rejected (as required by
-RFC3280 et al). If this option is set critical extensions are
-ignored.
+supported by OpenSSL the certificate is rejected (as required by RFC5280).
+If this option is set critical extensions are ignored.
 
 =item B<-x509_strict>
 
-Disable workarounds for broken certificates which have to be disabled
-for strict X.509 compliance.
+For strict X.509 compliance, disable non-compliant workarounds for broken
+certificates.
 
 =item B<-extended_crl>
 
@@ -142,16 +143,15 @@ because it doesn't add any security.
 
 =item B<->
 
-marks the last option. All arguments following this are assumed to be
+Indicates the last option. All arguments following this are assumed to be
 certificate files. This is useful if the first certificate filename begins
 with a B<->.
 
 =item B<certificates>
 
-one or more certificates to verify. If no certificate filenames are included
-then an attempt is made to read a certificate from standard input. They should
-all be in PEM format.
-
+One or more certificates to verify. If no certificates are given, B<verify>
+will attempt to read a certificate from standard input. Certificates must be
+in PEM format.
 
 =back
 
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 3002b08..d2d9eb8 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -29,6 +29,7 @@ B<openssl> B<x509>
 [B<-purpose>]
 [B<-dates>]
 [B<-modulus>]
+[B<-pubkey>]
 [B<-fingerprint>]
 [B<-alias>]
 [B<-noout>]
@@ -135,6 +136,10 @@ section for more information.
 
 this option prevents output of the encoded version of the request.
 
+=item B<-pubkey>
+
+outputs the the certificate's SubjectPublicKeyInfo block in PEM format.
+
 =item B<-modulus>
 
 this option prints out the value of the modulus of the public key