diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-08-26 20:40:48 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2023-03-14 17:26:49 +0100 |
| commit | 0e89b396197f75993c8d64c07b4af6aa2d97e2af (patch) | |
| tree | a79eb907eefb1c1cd5a84891564511e8e5f6879b /apps | |
| parent | b7cc2d2f295efc342cd46e7e59f93e0ac0472dc0 (diff) | |
| download | openssl-new-0e89b396197f75993c8d64c07b4af6aa2d97e2af.tar.gz | |
apps/x509 etc.: allow private key input when public key is expected
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/include/apps.h | 35 | ||||
| -rw-r--r-- | apps/lib/apps.c | 65 | ||||
| -rw-r--r-- | apps/pkeyutl.c | 4 | ||||
| -rw-r--r-- | apps/rsautl.c | 4 | ||||
| -rw-r--r-- | apps/x509.c | 16 |
5 files changed, 62 insertions, 62 deletions
diff --git a/apps/include/apps.h b/apps/include/apps.h index a8b63fea8d..e603d07868 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -66,8 +66,8 @@ BIO *bio_open_owner(const char *filename, int format, int private); BIO *bio_open_default(const char *filename, char mode, int format); BIO *bio_open_default_quiet(const char *filename, char mode, int format); CONF *app_load_config_bio(BIO *in, const char *filename); -#define app_load_config(filename) app_load_config_internal(filename, 0) -#define app_load_config_quiet(filename) app_load_config_internal(filename, 1) +# define app_load_config(filename) app_load_config_internal(filename, 0) +# define app_load_config_quiet(filename) app_load_config_internal(filename, 1) CONF *app_load_config_internal(const char *filename, int quiet); CONF *app_load_config_verbose(const char *filename, int verbose); int app_load_modules(const CONF *config); @@ -100,7 +100,7 @@ int progress_cb(EVP_PKEY_CTX *ctx); int chopup_args(ARGS *arg, char *buf); void dump_cert_text(BIO *out, X509 *x); void print_name(BIO *out, const char *title, const X509_NAME *nm); -void print_bignum_var(BIO *, const BIGNUM *, const char*, +void print_bignum_var(BIO *, const BIGNUM *, const char *, int, unsigned char *); void print_array(BIO *, const char *, int, const unsigned char *); int set_nameopt(const char *arg); @@ -117,13 +117,14 @@ X509_REQ *load_csr(const char *file, int format, const char *desc); X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc); X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc); -#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc) +# define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc) X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, const char *desc); void cleanse(char *str); void clear_free(char *str); EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); +/* first try reading public key, on failure resort to loading private key */ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin, @@ -145,15 +146,11 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs, int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, const char *pass, const char *desc); int load_key_certs_crls(const char *uri, int format, int maybe_stdin, - const char *pass, const char *desc, + const char *pass, const char *desc, int quiet, EVP_PKEY **ppkey, EVP_PKEY **ppubkey, EVP_PKEY **pparams, X509 **pcert, STACK_OF(X509) **pcerts, X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls); -int load_key_cert_crl(const char *uri, int format, int maybe_stdin, - const char *pass, const char *desc, - EVP_PKEY **ppkey, EVP_PKEY **ppubkey, - X509 **pcert, X509_CRL **pcrl); X509_STORE *setup_verify(const char *CAfile, int noCAfile, const char *CApath, int noCApath, const char *CAstore, int noCAstore); @@ -199,10 +196,9 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, # define DB_type 0 # define DB_exp_date 1 # define DB_rev_date 2 -# define DB_serial 3 /* index - unique */ +# define DB_serial 3 /* index - unique */ # define DB_file 4 -# define DB_name 5 /* index - unique when active and not - * disabled */ +# define DB_name 5 /* index - unique when active and not disabled */ # define DB_NUMBER 6 # define DB_TYPE_REV 'R' /* Revoked */ @@ -243,8 +239,8 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix); void free_index(CA_DB *db); # define index_name_cmp_noconst(a, b) \ - index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \ - (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b)) + index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \ + (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b)) int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b); int parse_yesno(const char *str, int def); @@ -271,12 +267,11 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md, extern char *psk_key; - unsigned char *next_protos_parse(size_t *outlen, const char *in); int check_cert_attributes(BIO *bio, X509 *x, - const char *checkhost, - const char *checkemail, const char *checkip, int print); + const char *checkhost, const char *checkemail, + const char *checkip, int print); void store_setup_crl_download(X509_STORE *st); @@ -310,16 +305,16 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port, # define EXT_COPY_ADD 1 # define EXT_COPY_ALL 2 -# define NETSCAPE_CERT_HDR "certificate" +# define NETSCAPE_CERT_HDR "certificate" -# define APP_PASS_LEN 1024 +# define APP_PASS_LEN 1024 /* * IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits * so that the first bit will never be one, so that the DER encoding * rules won't force a leading octet. */ -# define SERIAL_RAND_BITS 159 +# define SERIAL_RAND_BITS 159 int app_isdir(const char *); int app_access(const char *, int flag); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 6b4f9e586a..69bf5b4e37 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -469,7 +469,7 @@ X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, BIO_printf(bio_err, "Unable to load %s from %s\n", desc, uri); } } else { - (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, 0, NULL, NULL, NULL, &cert, NULL, NULL, NULL); } return cert; @@ -491,7 +491,7 @@ X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, BIO_printf(bio_err, "Unable to load %s from %s\n", desc, uri); } } else { - (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, 0, NULL, NULL, NULL, NULL, NULL, &crl, NULL); } return crl; @@ -582,16 +582,16 @@ EVP_PKEY *load_key(const char *uri, int format, int may_stdin, if (desc == NULL) desc = "private key"; - if (format == FORMAT_ENGINE) { + if (format == FORMAT_ENGINE) uri = allocated_uri = make_engine_uri(e, uri, desc); - } - (void)load_key_certs_crls(uri, format, may_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, may_stdin, pass, desc, 0, &pkey, NULL, NULL, NULL, NULL, NULL, NULL); OPENSSL_free(allocated_uri); return pkey; } +/* first try reading public key, on failure resort to loading private key */ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc) { @@ -601,12 +601,13 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, if (desc == NULL) desc = "public key"; - if (format == FORMAT_ENGINE) { + if (format == FORMAT_ENGINE) uri = allocated_uri = make_engine_uri(e, uri, desc); - } - (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, 1, NULL, &pkey, NULL, NULL, NULL, NULL, NULL); - + if (pkey == NULL) + (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, 0, + &pkey, NULL, NULL, NULL, NULL, NULL, NULL); OPENSSL_free(allocated_uri); return pkey; } @@ -616,13 +617,11 @@ EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin, int suppress_decode_errors) { EVP_PKEY *params = NULL; - BIO *bio_bak = bio_err; if (desc == NULL) desc = "key parameters"; - if (suppress_decode_errors) - bio_err = NULL; (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, + suppress_decode_errors, NULL, NULL, ¶ms, NULL, NULL, NULL, NULL); if (params != NULL && keytype != NULL && !EVP_PKEY_is_a(params, keytype)) { ERR_print_errors(bio_err); @@ -632,7 +631,6 @@ EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin, EVP_PKEY_free(params); params = NULL; } - bio_err = bio_bak; return params; } @@ -725,7 +723,7 @@ int load_cert_certs(const char *uri, return ret; } pass_string = get_passwd(pass, desc); - ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass_string, desc, + ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass_string, desc, 0, NULL, NULL, NULL, pcert, pcerts, NULL, NULL); clear_free(pass_string); @@ -833,7 +831,7 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs, if (desc == NULL) desc = "certificates"; - ret = load_key_certs_crls(uri, FORMAT_UNDEF, maybe_stdin, pass, desc, + ret = load_key_certs_crls(uri, FORMAT_UNDEF, maybe_stdin, pass, desc, 0, NULL, NULL, NULL, NULL, certs, NULL, NULL); if (!ret && was_NULL) { @@ -854,7 +852,7 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, if (desc == NULL) desc = "CRLs"; - ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass, desc, + ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass, desc, 0, NULL, NULL, NULL, NULL, NULL, NULL, crls); if (!ret && was_NULL) { @@ -902,8 +900,9 @@ static const char *format2string(int format) * of *pcerts and *pcrls (as far as they are not NULL). */ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, - const char *pass, const char *desc, EVP_PKEY **ppkey, - EVP_PKEY **ppubkey, EVP_PKEY **pparams, + const char *pass, const char *desc, int quiet, + EVP_PKEY **ppkey, EVP_PKEY **ppubkey, + EVP_PKEY **pparams, X509 **pcert, STACK_OF(X509) **pcerts, X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls) { @@ -918,8 +917,9 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, const OSSL_PARAM *params = NULL; if (failed == NULL) { - BIO_printf(bio_err, "Internal error: nothing to load from %s\n", - uri != NULL ? uri : "<stdin>"); + if (!quiet) + BIO_printf(bio_err, "Internal error: nothing to load from %s\n", + uri != NULL ? uri : "<stdin>"); return 0; } ERR_set_mark(); @@ -930,7 +930,8 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, SET_EXPECT1(pcert, OSSL_STORE_INFO_CERT); if (pcerts != NULL) { if (*pcerts == NULL && (*pcerts = sk_X509_new_null()) == NULL) { - BIO_printf(bio_err, "Out of memory loading"); + if (!quiet) + BIO_printf(bio_err, "Out of memory loading"); goto end; } SET_EXPECT(OSSL_STORE_INFO_CERT); @@ -938,7 +939,8 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, SET_EXPECT1(pcrl, OSSL_STORE_INFO_CRL); if (pcrls != NULL) { if (*pcrls == NULL && (*pcrls = sk_X509_CRL_new_null()) == NULL) { - BIO_printf(bio_err, "Out of memory loading"); + if (!quiet) + BIO_printf(bio_err, "Out of memory loading"); goto end; } SET_EXPECT(OSSL_STORE_INFO_CRL); @@ -958,7 +960,8 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, BIO *bio; if (!maybe_stdin) { - BIO_printf(bio_err, "No filename or uri specified for loading"); + if (!quiet) + BIO_printf(bio_err, "No filename or uri specified for loading"); goto end; } uri = "<stdin>"; @@ -975,7 +978,8 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, params, NULL, NULL); } if (ctx == NULL) { - BIO_printf(bio_err, "Could not open file or uri for loading"); + if (!quiet) + BIO_printf(bio_err, "Could not open file or uri for loading"); goto end; } if (expect > 0 && !OSSL_STORE_expect(ctx, expect)) @@ -1057,7 +1061,8 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, OSSL_STORE_INFO_free(info); if (!ok) { failed = OSSL_STORE_INFO_type_string(type); - BIO_printf(bio_err, "Error reading"); + if (!quiet) + BIO_printf(bio_err, "Error reading"); break; } } @@ -1070,12 +1075,12 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, pcrls = NULL; if (failed == NULL) { failed = FAIL_NAME; - if (failed != NULL) + if (failed != NULL && !quiet) BIO_printf(bio_err, "Could not find"); - } else { + } else if (!quiet) { BIO_printf(bio_err, "Could not read"); } - if (failed != NULL) { + if (failed != NULL && !quiet) { unsigned long err = ERR_peek_last_error(); if (desc != NULL && strstr(desc, failed) != NULL) { @@ -1096,7 +1101,7 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, BIO_printf(bio_err, "\n"); ERR_print_errors(bio_err); } - if (bio_err == NULL || failed == NULL) + if (quiet || failed == NULL) /* clear any suppressed or spurious errors */ ERR_pop_to_mark(); else @@ -1373,7 +1378,7 @@ X509_STORE *setup_verify(const char *CAfile, int noCAfile, goto end; if (CAfile != NULL) { if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_PEM, - libctx, propq) <= 0) { + libctx, propq) <= 0) { BIO_printf(bio_err, "Error loading file %s\n", CAfile); goto end; } diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index a11e1e7c8a..d8b2ad5f65 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -69,8 +69,8 @@ const OPTIONS pkeyutl_options[] = { OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file - default stdin"}, {"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"}, - {"pubin", OPT_PUBIN, '-', "Input is a public key"}, - {"inkey", OPT_INKEY, 's', "Input private key file"}, + {"inkey", OPT_INKEY, 's', "Input key, by default private key"}, + {"pubin", OPT_PUBIN, '-', "Input key is a public key"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"}, {"peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)"}, diff --git a/apps/rsautl.c b/apps/rsautl.c index 2e3aa00307..ad5df2e36a 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -47,9 +47,9 @@ const OPTIONS rsautl_options[] = { OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, - {"inkey", OPT_INKEY, 's', "Input key"}, + {"inkey", OPT_INKEY, 's', "Input key, by default an RSA private key"}, {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"}, - {"pubin", OPT_PUBIN, '-', "Input is an RSA public"}, + {"pubin", OPT_PUBIN, '-', "Input key is an RSA public pkey"}, {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"}, {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, diff --git a/apps/x509.c b/apps/x509.c index b9087fc27a..e10afc59f6 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -87,7 +87,8 @@ const OPTIONS x509_options[] = { OPT_SECTION("Certificate printing"), {"text", OPT_TEXT, '-', "Print the certificate in text form"}, - {"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."}, + {"dateopt", OPT_DATEOPT, 's', + "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."}, {"certopt", OPT_CERTOPT, 's', "Various certificate text printing options"}, {"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"}, {"alias", OPT_ALIAS, '-', "Print certificate alias"}, @@ -139,7 +140,7 @@ const OPTIONS x509_options[] = { "Preserve existing validity dates"}, {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"}, {"force_pubkey", OPT_FORCE_PUBKEY, '<', - "Place the given key in new certificate"}, + "Key to be placed in new certificate or certificate request"}, {"clrext", OPT_CLREXT, '-', "Do not take over any extensions from the source certificate or request"}, {"extfile", OPT_EXTFILE, '<', "Config file with X509V3 extensions to add"}, @@ -624,8 +625,7 @@ int x509_main(int argc, char **argv) goto err; } if (newcert && reqfile) { - BIO_printf(bio_err, - "The -req option cannot be used with -new\n"); + BIO_printf(bio_err, "The -req option cannot be used with -new\n"); goto err; } if (privkeyfile != NULL) { @@ -757,7 +757,7 @@ int x509_main(int argc, char **argv) } else { if (infile == NULL) BIO_printf(bio_err, - "Warning: Reading certificate from stdin since no -in option is given\n"); + "Warning: Reading certificate from stdin since no -in or -new option is given\n"); x = load_cert_pass(infile, informat, 1, passin, "certificate"); if (x == NULL) goto end; @@ -893,9 +893,6 @@ int x509_main(int argc, char **argv) } } noout = 1; - } else if (privkey != NULL) { - if (!do_X509_sign(x, 0, privkey, digest, sigopts, &ext_ctx)) - goto end; } else if (CAfile != NULL) { if ((CAkey = load_key(CAkeyfile, CAkeyformat, 0, passin, e, "CA private key")) == NULL) @@ -908,6 +905,9 @@ int x509_main(int argc, char **argv) if (!do_X509_sign(x, 0, CAkey, digest, sigopts, &ext_ctx)) goto end; + } else if (privkey != NULL) { + if (!do_X509_sign(x, 0, privkey, digest, sigopts, &ext_ctx)) + goto end; } if (badsig) { const ASN1_BIT_STRING *signature; |