apps/pkcs12: Clean up the order in which many options are presented

Also do a minor extension on the documentation of the -passcerts option

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/4930)

apps/pkcs12.c

@@ -68,6 +68,17 @@ const OPTIONS pkcs12_options[] = {
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
+    {"password", OPT_PASSWORD, 's', "Set import/export password source"},
+    {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
+
+    OPT_SECTION("Input"),
+    {"in", OPT_IN, '<', "Input file for PKCS12 parsing or certs and possibly key"},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"inkey", OPT_INKEY, 's', "Private key, else read from -in input file"},
+    {"certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output"},
+    {"untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building"},
+    {"passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source"},
+    {"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"},
 
     OPT_SECTION("CA input for export with the -chain option"),
     {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
@@ -80,39 +91,27 @@ const OPTIONS pkcs12_options[] = {
     {"no-CAstore", OPT_NOCASTORE, '-',
      "Do not load certificates from the default certificates store"},
 
-    OPT_SECTION("Input"),
-    {"in", OPT_IN, '<', "Input file for PKCS12 parsing or certs and possibly key"},
-    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
-    {"inkey", OPT_INKEY, 's', "Private key, else read from -in input file"},
-    {"certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output"},
-    {"untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building"},
-    {"passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source"},
-    {"name", OPT_NAME, 's', "Use name as friendly name"},
-    {"CSP", OPT_CSP, 's', "Microsoft CSP name"},
-    {"caname", OPT_CANAME, 's',
-     "Use name as CA friendly name (can be repeated)"},
-
     OPT_SECTION("Output"),
-    {"export", OPT_EXPORT, '-', "Output PKCS12 file"},
-    {"LMK", OPT_LMK, '-',
-     "Add local machine keyset attribute to private key"},
-    {"macalg", OPT_MACALG, 's',
-     "Digest algorithm to use in MAC (default SHA1)"},
-    {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"},
     {"out", OPT_OUT, '>', "Output filename"},
     {"passout", OPT_PASSOUT, 's', "Output pass phrase source"},
-    {"password", OPT_PASSWORD, 's', "Set import/export password source"},
+    {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"},
+    {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
     {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"},
     {"clcerts", OPT_CLCERTS, '-', "Only output client certificates"},
     {"cacerts", OPT_CACERTS, '-', "Only output CA certificates"},
     {"noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input"},
+
+    OPT_SECTION("PKCS12 output"),
+    {"export", OPT_EXPORT, '-', "Output PKCS12 file"},
     {"chain", OPT_CHAIN, '-', "Build and add certificate chain for EE cert,"},
     {OPT_MORE_STR, 0, 0,
-     "which is the 1st cert from -in matching the private key (if given)"},
-    {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
-    {"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"},
-    {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"},
-    {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
+     "which is the 1st cert from -in matching the privte key (if given)"},
+    {"name", OPT_NAME, 's', "Use name as friendly name"},
+    {"CSP", OPT_CSP, 's', "Microsoft CSP name"},
+    {"caname", OPT_CANAME, 's',
+     "Use name as CA friendly name (can be repeated)"},
+    {"LMK", OPT_LMK, '-',
+     "Add local machine keyset attribute to private key"},
     {"keyex", OPT_KEYEX, '-', "Set key type to MS key exchange"},
     {"keysig", OPT_KEYSIG, '-', "Set key type to MS key signature"},
 
@@ -126,10 +125,13 @@ const OPTIONS pkcs12_options[] = {
     {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"},
     {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"},
 #endif
+    {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"},
     {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption key and MAC"},
     {"noiter", OPT_NOITER, '-', "Don't use encryption key iteration"},
     {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
     {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"},
+    {"macalg", OPT_MACALG, 's',
+     "Digest algorithm to use in MAC (default SHA1)"},
     {"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
     {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"},
     {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"},

doc/man1/openssl-pkcs12.pod.in

@@ -11,9 +11,9 @@ B<openssl> B<pkcs12>
 [B<-help>]
 [B<-export>]
 [B<-chain>]
+[B<-untrusted> I<filename>]
 [B<-inkey> I<file_or_id>]
 [B<-certfile> I<filename>]
-[B<-untrusted> I<filename>]
 [B<-passcerts> I<arg>]
 [B<-name> I<name>]
 [B<-caname> I<name>]
@@ -231,7 +231,8 @@ Any certificates that are actually part of the chain are added to the output.
 
 =item B<-passcerts> I<arg>
 
-The password source for certificate input such as B<-certfile>.
+The password source for certificate input such as B<-certfile>
+and B<-untrusted>.
 For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.