8255853: Update all nroff manpages for JDK 16 release

Reviewed-by: erikj

src/java.base/share/man/keytool.1

@@ -1,4 +1,3 @@
-.\"t
 .\" Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
 .\" DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 .\"
@@ -8,7 +7,7 @@
 .\"
 .\" This code is distributed in the hope that it will be useful, but WITHOUT
 .\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-.\" FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+.\" FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 .\" version 2 for more details (a copy is included in the LICENSE file that
 .\" accompanied this code).
 .\"
@@ -20,9 +19,10 @@
 .\" or visit www.oracle.com if you need additional information or have any
 .\" questions.
 .\"
+.\"t
 .\" Automatically generated by Pandoc 2.3.1
 .\"
-.TH "KEYTOOL" "1" "2020" "JDK 15" "JDK Commands"
+.TH "KEYTOOL" "1" "2020" "JDK 16" "JDK Commands"
 .hy
 .SH NAME
 .PP
@@ -980,6 +980,28 @@ Sockets Layer (SSL) server host and port
 .IP \[bu] 2
 {\f[CB]\-jarfile\f[R] \f[I]JAR_file\f[R]}: Signed \f[CB]\&.jar\f[R] file
 .IP \[bu] 2
+{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name
+.IP \[bu] 2
+{\f[CB]\-trustcacerts\f[R]}: Trust certificates from cacerts
+.IP \[bu] 2
+[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password
+.IP \[bu] 2
+{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type
+.IP \[bu] 2
+{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name
+.IP \[bu] 2
+{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R]
+\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with
+an optional configure argument.
+.IP \[bu] 2
+{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R]
+\f[I]arg\f[R]]}: Add security provider by fully qualified class name with
+an optional configure argument.
+.IP \[bu] 2
+{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath
+.IP \[bu] 2
+{\f[CB]\-protected\f[R]}: Password is provided through protected mechanism
+.IP \[bu] 2
 {\f[CB]\-v\f[R]}: Verbose output
 .PP
 Use the \f[CB]\-printcert\f[R] command to read and print the certificate
@@ -1012,7 +1034,11 @@ command line for proxy tunneling.
 .PP
 \f[B]Note:\f[R]
 .PP
-This option can be used independently of a keystore.
+This command can be used independently of a keystore.
+This command does not check for the weakness of a certificate\[aq]s
+signature algorithm if it is a trusted certificate in the user keystore
+(specified by \f[CB]\-keystore\f[R]) or in the \f[CB]cacerts\f[R] keystore
+(if \f[CB]\-trustcacerts\f[R] is specified).
 .RE
 .TP
 .B \f[CB]\-printcertreq\f[R]
@@ -1038,6 +1064,28 @@ command:
 .IP \[bu] 2
 {\f[CB]\-file\ crl\f[R]}: Input file name
 .IP \[bu] 2
+{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name
+.IP \[bu] 2
+{\f[CB]\-trustcacerts\f[R]}: Trust certificates from cacerts
+.IP \[bu] 2
+[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password
+.IP \[bu] 2
+{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type
+.IP \[bu] 2
+{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name
+.IP \[bu] 2
+{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R]
+\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with
+an optional configure argument.
+.IP \[bu] 2
+{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R]
+\f[I]arg\f[R]]}: Add security provider by fully qualified class name with
+an optional configure argument.
+.IP \[bu] 2
+{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath
+.IP \[bu] 2
+{\f[CB]\-protected\f[R]}: Password is provided through protected mechanism
+.IP \[bu] 2
 {\f[CB]\-v\f[R]}: Verbose output
 .PP
 Use the \f[CB]\-printcrl\f[R] command to read the Certificate Revocation
@@ -1048,7 +1096,11 @@ The CA generates the \f[CB]crl\f[R] file.
 .PP
 \f[B]Note:\f[R]
 .PP
-This option can be used independently of a keystore.
+This command can be used independently of a keystore.
+This command attempts to verify the CRL using a certificate from the
+user keystore (specified by \f[CB]\-keystore\f[R]) or the \f[CB]cacerts\f[R]
+keystore (if \f[CB]\-trustcacerts\f[R] is specified), and will print out a
+warning if it cannot be verified.
 .RE
 .SH COMMANDS FOR MANAGING THE KEYSTORE
 .TP
@@ -1479,9 +1531,9 @@ The following examples show the defaults for various option values:
 \-alias\ "mykey"
 
 \-keysize
-\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "RSA")
-\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "DSA")
+\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "RSA",\ "DSA",\ or\ "RSASSA\-PSS")
 \ \ \ \ 256\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "EC")
+\ \ \ \ 255\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "EdDSA")
 \ \ \ \ 56\ (when\ using\ \-genseckey\ and\ \-keyalg\ is\ "DES")
 \ \ \ \ 168\ (when\ using\ \-genseckey\ and\ \-keyalg\ is\ "DESede")
 
@@ -1564,7 +1616,66 @@ T}@T{
 T}@T{
 SHA512withECDSA
 T}
+T{
+RSASSA\-PSS
+T}@T{
+<= 3072
+T}@T{
+RSASSA\-PSS (with SHA\-256)
+T}
+T{
+T}@T{
+<= 7680
+T}@T{
+RSASSA\-PSS (with SHA\-384)
+T}
+T{
+T}@T{
+> 7680
+T}@T{
+RSASSA\-PSS (with SHA\-512)
+T}
+T{
+EdDSA
+T}@T{
+255
+T}@T{
+Ed25519
+T}
+T{
+T}@T{
+448
+T}@T{
+Ed448
+T}
+T{
+Ed25519
+T}@T{
+255
+T}@T{
+Ed25519
+T}
+T{
+Ed448
+T}@T{
+448
+T}@T{
+Ed448
+T}
 .TE
+.IP \[bu] 2
+An RSASSA\-PSS signature algorithm uses a \f[CB]MessageDigest\f[R]
+algorithm as its hash and MGF1 algorithms.
+.IP \[bu] 2
+EdDSA supports 2 key sizes: Ed25519 and Ed448.
+When generating an EdDSA key pair using \f[CB]\-keyalg\ EdDSA\f[R], a user
+can specify \f[CB]\-keysize\ 255\f[R] or \f[CB]\-keysize\ 448\f[R] to
+generate Ed25519 or Ed448 key pairs.
+When no \f[CB]\-keysize\f[R] is specified, an Ed25519 key pair is
+generated.
+A user can also directly specify \f[CB]\-keyalg\ Ed25519\f[R] or
+\f[CB]\-keyalg\ Ed448\f[R] to generate a key pair with the expected key
+size.
 .PP
 \f[B]Note:\f[R]
 .PP