=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/openssl.1,v retrieving revision 1.106 retrieving revision 1.107 diff -u -r1.106 -r1.107 --- src/usr.bin/openssl/openssl.1 2019/07/05 14:33:10 1.106 +++ src/usr.bin/openssl/openssl.1 2019/07/07 02:04:40 1.107 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.106 2019/07/05 14:33:10 inoguchi Exp $ +.\" $OpenBSD: openssl.1,v 1.107 2019/07/07 02:04:40 inoguchi Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -110,7 +110,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: July 5 2019 $ +.Dd $Mdocdate: July 7 2019 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -321,7 +321,7 @@ .Op Fl keyform Cm pem | der .Op Fl md Ar alg .Op Fl msie_hack -.Op Fl multivalue\-rdn +.Op Fl multivalue-rdn .Op Fl name Ar section .Op Fl noemailDN .Op Fl notext @@ -428,14 +428,14 @@ The newer control .Qq Xenroll does not need this option. -.It Fl multivalue\-rdn +.It Fl multivalue-rdn This option causes the .Fl subj argument to be interpreted with full support for multivalued RDNs, for example .Qq "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" . If -.Fl multivalue\-rdn +.Fl multivalue-rdn is not used, the UID value is set to .Qq "123456+CN=John Doe" . .It Fl name Ar section @@ -2449,7 +2449,10 @@ .Sh PKCS12 .nr nS 1 .Nm "openssl pkcs12" -.Op Fl aes128 | aes192 | aes256 | des | des3 +.Oo +.Fl aes128 | aes192 | aes256 | camellia128 | +.Fl camellia192 | camellia256 | des | des3 | idea +.Oc .Op Fl cacerts .Op Fl CAfile Ar file .Op Fl caname Ar name @@ -2467,6 +2470,7 @@ .Op Fl keyex .Op Fl keypbe Ar alg .Op Fl keysig +.Op Fl LMK .Op Fl macalg Ar alg .Op Fl maciter .Op Fl name Ar name @@ -2481,6 +2485,7 @@ .Op Fl out Ar file .Op Fl passin Ar arg .Op Fl passout Ar arg +.Op Fl password Ar arg .Op Fl twopass .nr nS 0 .Pp 
@@ -2496,9 +2501,14 @@ .Pp The options for parsing a PKCS12 file are as follows: .Bl -tag -width "XXXX" -.It Fl aes128 | aes192 | aes256 | des | des3 -Encrypt private keys -using AES, DES, or triple DES, respectively. +.It Xo +.Fl aes128 | aes192 | aes256 | +.Fl camellia128 | camellia192 | camellia256 | +.Fl des | des3 | +.Fl idea +.Xc +Encrypt private keys using AES, CAMELLIA, DES, triple DES +or the IDEA ciphers, respectively. The default is triple DES. .It Fl cacerts Only output CA certificates @@ -2603,6 +2613,8 @@ Signing only keys can be used for S/MIME signing, authenticode (ActiveX control signing) and SSL client authentication. +.It Fl LMK +Add local machine keyset attribute to private key. .It Fl macalg Ar alg Specify the MAC digest algorithm. The default is SHA1. @@ -2638,6 +2650,16 @@ The key password source. .It Fl passout Ar arg The output file password source. +.It Fl password Ar arg +With +.Fl export , +.Fl password +is equivalent to +.Fl passout . +Otherwise, +.Fl password +is equivalent to +.Fl passin . .El .Sh PKEY .nr nS 1 @@ -2959,6 +2981,7 @@ .Op Fl keyout Ar file .Op Fl md4 | md5 | sha1 .Op Fl modulus +.Op Fl multivalue-rdn .Op Fl nameopt Ar option .Op Fl new .Op Fl newhdr @@ -2970,10 +2993,12 @@ .Op Fl outform Cm der | pem .Op Fl passin Ar arg .Op Fl passout Ar arg +.Op Fl pkeyopt Ar opt:value .Op Fl pubkey .Op Fl reqexts Ar section .Op Fl reqopt Ar option .Op Fl set_serial Ar n +.Op Fl sigopt Ar nm:v .Op Fl subj Ar arg .Op Fl subject .Op Fl text 
@@ -3042,6 +3067,16 @@ For instance, DSA signatures always use SHA1. .It Fl modulus Print the value of the modulus of the public key contained in the request. +.It Fl multivalue-rdn +This option causes the +.Fl subj +argument to be interpreted with full support for multivalued RDNs, +for example +.Qq "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" . +If +.Fl multivalue-rdn +is not used, the UID value is set to +.Qq "123456+CN=John Doe" . .It Fl nameopt Ar option , Fl reqopt Ar option Determine how the subject or issuer names are displayed. .Ar option @@ -3112,6 +3147,11 @@ The key password source. .It Fl passout Ar arg The output file password source. +.It Fl pkeyopt Ar opt:value +Set the public key algorithm option +.Ar opt +to +.Ar value . .It Fl pubkey Output the public key. .It Fl reqopt Ar option @@ -3130,6 +3170,9 @@ This may be specified as a decimal value or a hex value if preceded by .Sq 0x . It is possible to use negative serial numbers but this is not recommended. +.It Fl sigopt Ar nm:v +Pass options to the signature algorithm during sign operation. +The names and values of these options are algorithm-specific. .It Fl subj Ar arg Replaces the subject field of an input request with the specified data and output the modified request. @@ -4920,6 +4963,7 @@ .Op Fl CAfile Ar file .Op Fl CApath Ar directory .Op Fl check_ss_sig +.Op Fl CRLfile Ar file .Op Fl crl_check .Op Fl crl_check_all .Op Fl explicit_policy @@ -4931,6 +4975,7 @@ .Op Fl issuer_checks .Op Fl policy_check .Op Fl purpose Ar purpose +.Op Fl trusted Ar file .Op Fl untrusted Ar file .Op Fl verbose .Op Fl x509_strict @@ -4943,10 +4988,6 @@ .Pp The options are as follows: .Bl -tag -width Ds -.It Fl check_ss_sig -Verify the signature on the self-signed root CA. -This is disabled by default -because it doesn't add any security. .It Fl CAfile Ar file A .Ar file 
@@ -4969,6 +5010,14 @@ option of the .Nm x509 utility). +.It Fl check_ss_sig +Verify the signature on the self-signed root CA. +This is disabled by default +because it doesn't add any security. +.It Fl CRLfile Ar file +The +.Ar file +should contain one or more CRLs in PEM format. .It Fl crl_check Check end entity certificate validity by attempting to look up a valid CRL. If a valid CRL cannot be found an error occurs. @@ -5007,6 +5056,13 @@ .Cm any , and .Cm ocsphelper . +.It Fl trusted Ar file +A +.Ar file +of trusted certificates. +The +.Ar file +should contain multiple certificates. .It Fl untrusted Ar file A .Ar file @@ -5292,6 +5348,7 @@ .Op Fl md5 | sha1 .Op Fl modulus .Op Fl nameopt Ar option +.Op Fl next_serial .Op Fl noout .Op Fl ocsp_uri .Op Fl ocspid @@ -5305,6 +5362,7 @@ .Op Fl set_serial Ar n .Op Fl setalias Ar arg .Op Fl signkey Ar file +.Op Fl sigopt Ar nm:v .Op Fl startdate .Op Fl subject .Op Fl subject_hash @@ -5572,6 +5630,8 @@ for 32 bits, and any UTF8Strings are converted to their character form first. .El +.It Fl next_serial +Print the next serial number. .It Fl noout Do not output the encoded version of the request. .It Fl ocsp_uri @@ -5582,6 +5642,9 @@ Print the public key. .It Fl serial Print the certificate serial number. +.It Fl sigopt Ar nm:v +Pass options to the signature algorithm during sign or certify operations. +The names and values of these options are algorithm-specific. .It Fl startdate Print the start date of the certificate; that is, the .Cm notBefore
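Review bot: in the @@ -2496,9 +2501,14 @@ hunk the cipher list reads "AES, CAMELLIA, DES, triple DES or the IDEA ciphers, respectively", which capitalises Camellia as if it were an acronym and makes IDEA sound like several ciphers; suggest "Encrypt private keys using AES, Camellia, DES, triple DES, or IDEA, respectively." Since the following sentence still says "The default is triple DES.", it is worth adding that a caller who wants AES must pass -aes128/-aes192/-aes256 explicitly, because the new flags do not change the default.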
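Review bot: the -LMK text in the @@ -2603,6 +2613,8 @@ hunk ("Add local machine keyset attribute to private key.") never expands the abbreviation or says what the attribute is for, so a reader cannot tell from this page what LMK means or when to set it; the neighbouring -keysig text explains its purpose ("Signing only keys can be used for ..."), and -LMK should get the same treatment, for example "Add the local machine keyset (LMK) attribute to the private key bag, so that importers which honour it install the key in the machine rather than the user key store."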
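Review bot: the -password description in the @@ -2638,6 +2650,16 @@ hunk defines the option as "equivalent to -passout" with -export and "equivalent to -passin" otherwise, but does not say what happens when -password is given together with -passin or -passout; one sentence on precedence (which of the two is used) or a statement that they are mutually exclusive would remove the ambiguity, and "The password source." as a lead sentence would match the form of the -passin/-passout entries just above it.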
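Review bot: in the @@ -2970,10 +2993,12 @@ hunk the two new req options use different placeholder conventions for the same kind of argument, `.Op Fl pkeyopt Ar opt:value` against `.Op Fl sigopt Ar nm:v`; pick one form (for instance `Ar opt:value` for both) so the synopsis and the option descriptions later in the patch read consistently.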
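Review bot: "during sign operation" in the -sigopt text of the @@ -3130,6 +3170,9 @@ hunk is missing an article and differs from the x509 wording "during sign or certify operations" added later in the same patch; suggest "when signing the request" here. Both -sigopt descriptions state that the names and values are algorithm-specific without saying where they are listed, so a reader has no way to find a valid nm:v pair from this page; a pointer to where the per-algorithm options are documented would fix that.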
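Review bot: the -CRLfile description in the @@ -4969,6 +5010,14 @@ hunk only states the file format and does not say that the loaded CRLs are consulted only when -crl_check or -crl_check_all is also given, which the adjacent -crl_check text ("attempting to look up a valid CRL") implies; suggest adding "The CRLs are only used for revocation checking when -crl_check or -crl_check_all is specified." Stating whether the option may be repeated would also help, since the synopsis shows it once.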
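Review bot: the -trusted description in the @@ -5007,6 +5056,13 @@ hunk says the file "should contain multiple certificates", which reads as a requirement although a single certificate is the common case; "may contain one or more certificates" is what is meant. More importantly it does not say how the file relates to -CAfile/-CApath (whether it replaces or supplements that store) or that every certificate in it is accepted as a trust anchor, which is the security-relevant difference from the -untrusted entry directly below; a sentence on each would let a reader choose the right option.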
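Review bot: "Print the next serial number." in the @@ -5572,6 +5630,8 @@ hunk does not say next relative to what; given that -serial in the same section is documented as "Print the certificate serial number", state that -next_serial prints the certificate's serial number incremented by one, and say whether it uses the same output format as -serial, so the option can be used to seed a CA serial file without guessing.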