author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-09-24 23:59:12 +0200 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2023-01-24 15:16:47 +0100 |
commit | 342e3652c791bdb06e08abcc169b4456c83ccd00 (patch) | |
tree | 87190b58432cd73cc8dd1d4bfd9dfd027f2f236f /apps | |
parent | 66fc90f18c44cdac0126c35ffedb99ba7a8b9825 (diff) | |
download | openssl-new-342e3652c791bdb06e08abcc169b4456c83ccd00.tar.gz |
APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/ca.c | 2 | ||||
-rw-r--r-- | apps/include/apps.h | 2 | ||||
-rw-r--r-- | apps/lib/apps.c | 6 | ||||
-rw-r--r-- | apps/req.c | 13 | ||||
-rw-r--r-- | apps/x509.c | 4 |
5 files changed, 15 insertions, 12 deletions
@@ -1926,7 +1926,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
 !EVP_PKEY_missing_parameters(pkey))
 EVP_PKEY_copy_parameters(pktmp, pkey);
- if (!do_X509_sign(ret, pkey, dgst, sigopts, &ext_ctx))
+ if (!do_X509_sign(ret, 0, pkey, dgst, sigopts, &ext_ctx))
 goto end;
 /* We now just add it to the database as DB_TYPE_VAL('V') */
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 335e80775c..a8b63fea8d 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -259,7 +259,7 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
 const char *algname, ENGINE *e, int do_param,
 OSSL_LIB_CTX *libctx, const char *propq);
 int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey);
-int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md,
+int do_X509_sign(X509 *x, int force_v1, EVP_PKEY *pkey, const char *md,
 STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
 int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
 int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 4bd2ab964d..16d0cf9a85 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2289,16 +2289,14 @@ int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey)
 }
 /* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */
-int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md,
+int do_X509_sign(X509 *cert, int force_v1, EVP_PKEY *pkey, const char *md,
 STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx)
 {
- const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert);
 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
 int self_sign;
 int rv = 0;
- if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) {
- /* Prevent X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 */
+ if (!force_v1) {
 if (!X509_set_version(cert, X509_VERSION_3))
 goto end;
diff --git a/apps/req.c b/apps/req.c
index 1e97c1d914..fa0c9a050a 100644
--- a/apps/req.c
+++ b/apps/req.c
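Review bot: The new `force_v1` parameter in the do_X509_sign prototype in apps.h is undocumented, and as far as the apps.c hunk shows its name overstates what it does: a non-zero value only skips the upgrade to X509_VERSION_3, it does not set version 1, so a certificate that already is v3 presumably stays v3. A comment above the prototype would pin the contract down for callers, e.g. `/* Sign cert; unless force_v1 != 0 the version is raised to X.509 v3 (RFC 5280 requires v3 for extensions) */`. Inserting the parameter mid-list means stale callers fail to compile rather than silently passing a wrong value, which is fine.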
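Review bot: With `force_v1` set, do_X509_sign in apps.c no longer checks whether `cert` already carries extensions, although its header comment still promises RFC 5280 compliance; the removed `sk_X509_EXTENSION_num(exts) > 0` guard was exactly what kept a v1 certificate from being emitted with extensions (the X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 case named in the deleted comment). In req, extensions can still come from the config's x509_extensions section or -addext, so `-x509v1` with such a config would sign a certificate that fails verification unless req.c suppresses them in that case, which is not visible here. I would have this function reject the combination explicitly instead of relying on every caller, since RFC 5280 section 4.1.2.9 only allows the extensions field when the version is 3. The body of do_X509_sign continues past the hunk.
```c
    int rv = 0;

    /* RFC 5280, 4.1.2.9: only v3 certificates may carry extensions */
    if (force_v1 && sk_X509_EXTENSION_num(X509_get0_extensions(cert)) > 0) {
        BIO_printf(bio_err, "X.509 v1 certificates must not contain extensions\n");
        goto end;
    }
    if (!force_v1) {
        /* … unchanged: X509_set_version(cert, X509_VERSION_3) and the rest of the function … */
```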
@@ -85,8 +85,8 @@ typedef enum OPTION_choice {
 OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY, OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
- OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
- OPT_CA, OPT_CAKEY,
+ OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT,
+ OPT_X509, OPT_X509V1, OPT_CA, OPT_CAKEY,
 OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_COPY_EXTENSIONS, OPT_EXTENSIONS, OPT_REQEXTS, OPT_ADDEXT, OPT_PRECERT, OPT_MD,
@@ -117,6 +117,7 @@ const OPTIONS req_options[] = {
 {"text", OPT_TEXT, '-', "Text form of request"},
 {"x509", OPT_X509, '-', "Output an X.509 certificate structure instead of a cert request"},
+ {"x509v1", OPT_X509V1, '-', "Request cert generation with X.509 version 1"},
 {"CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509"},
 {"CAkey", OPT_CAKEY, 's', "Issuer private key to use with -CA; default is -CA arg"},
@@ -261,7 +262,7 @@ int req_main(int argc, char **argv)
 int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0;
 int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF;
 int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0;
- int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
+ int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0, x509v1 = 0;
 long newkey_len = -1;
 unsigned long chtype = MBSTRING_ASC, reqflag = 0;
@@ -403,6 +404,9 @@ int req_main(int argc, char **argv)
 case OPT_TEXT:
 text = 1;
 break;
+ case OPT_X509V1:
+ x509v1 = 1;
+ /* fall thru */
 case OPT_X509:
 gen_x509 = 1;
 break;
@@ -867,7 +871,8 @@ int req_main(int argc, char **argv)
 }
 }
- i = do_X509_sign(new_x509, issuer_key, digest, sigopts, &ext_ctx);
+ i = do_X509_sign(new_x509, x509v1, issuer_key, digest, sigopts,
+ &ext_ctx);
 if (!i)
 goto end;
 } else {
diff --git a/apps/x509.c b/apps/x509.c
index 71c622b8c6..b9087fc27a 100644
--- a/apps/x509.c
+++ b/apps/x509.c
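Review bot: The help text of the new `x509v1` option in req_options does not say that it implies -x509, although the OPT_X509V1 case falls through to OPT_X509 and so always switches req into certificate-generation mode; the neighbouring -CA entry does spell this out. I would align the two: `{"x509v1", OPT_X509V1, '-', "Request cert generation with X.509 version 1, implies -x509"},`. The `x509v1` flag is otherwise only forwarded to do_X509_sign, so whether config or -addext extensions still get applied to a v1 certificate is decided there rather than in this file. req_main starts before and continues past these hunks.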
@@ -894,7 +894,7 @@ int x509_main(int argc, char **argv)
 }
 noout = 1;
 } else if (privkey != NULL) {
- if (!do_X509_sign(x, privkey, digest, sigopts, &ext_ctx))
+ if (!do_X509_sign(x, 0, privkey, digest, sigopts, &ext_ctx))
 goto end;
 } else if (CAfile != NULL) {
 if ((CAkey = load_key(CAkeyfile, CAkeyformat,
@@ -906,7 +906,7 @@ int x509_main(int argc, char **argv)
 goto err;
 }
- if (!do_X509_sign(x, CAkey, digest, sigopts, &ext_ctx))
+ if (!do_X509_sign(x, 0, CAkey, digest, sigopts, &ext_ctx))
 goto end;
 }
 if (badsig) { |