I had occasion to check the dgst(1) manpage and found several minor flaws (in 1.0.1h, haven't tried 1.0.2 yet and don't do repository), a few of which might benefit from discussion.

header and synopses: The list of alg names, (correctly) used as both dash-options and (sub)command-names, also used for manpage links, is outdated. md2 is no longer in the default config, sha224/256/384/512 gost whirlpool are, and dss1 is no longer needed (see more on this below). The second synopsis should start >openssl< [md5|md4...] to be consistent, and I think either it should repeat all the dash-options or (IMO better) add ellipsis [-c] [-d] >...< [file...] to show all options except dash-digestname are the same.

Description is incomplete. I suggest: >The digest commands compute and display the digest(s) of a supplied file or files, or a Message Authentication Code, or generate and verify a digital signature on a digest.< I would also add here, or if not here in Notes: >dgst handles only an RSA, DSA or ECDSA signature itself, not the related data to identify the signer and algorithm used in formats such as CMS/SMIME and X.509.<

-r is missing, should be: print in the coreutils format traditional for separate programs like 'md5sum' or 'sha1sum' [only if hex]

-non-fips-allow is missing, I think should be: enable use of non-FIPS algorithms like MD5 even in FIPS mode

-fips-fingerprint is missing, I think should be: compute HMAC using a specific key for certain OpenSSL-FIPS operations

-keyform applies to sign and verify and supports ENGINE PEM >and DER and P12<

-macopt on the website the first entry is misformatted (body run-in with heading, all in bold) but my man display is good. Maybe because dgst.pod line 120 between =item B<key:string> and Specifies MAC key ... has a tab char whereas other 'blank' (empty) lines don't.

Notes#1 is IMO stated a bit too strongly, and outdated. Suggest: When given a choice, for a new or agile application, SHA-1 is the most widely used digest but SHA-224/256/384/512 are also popular and considered more robust long-term, and there is still significant usage of other digests, particularly MD5.

Notes#2 is obsolete, since 1.0.0 switched to EVP_DigestSign* etc instead of EVP_Sign*.

Notes#3 I think should say ECDSA as well as DSA.

END
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
