diff options
| author | Tianjia Zhang <tianjia.zhang@linux.alibaba.com> | 2023-04-21 11:06:21 +0800 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2023-05-03 09:48:17 +0200 |
| commit | a75f707fcaaed5c9b26e0ddfc0e0529957a11a1d (patch) | |
| tree | 1fd68e3591800af1a7ee2038886ea38c8770fdac /apps | |
| parent | a8eb81ccd2d3daeb92c0842a02dc688eae298250 (diff) | |
| download | openssl-new-a75f707fcaaed5c9b26e0ddfc0e0529957a11a1d.tar.gz | |
apps: silent warning when loading CSR files with vfyopt option
When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:
Warning: CSR self-signature does not match the contents
This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/ca.c | 2 | ||||
| -rw-r--r-- | apps/cmp.c | 2 | ||||
| -rw-r--r-- | apps/include/apps.h | 3 | ||||
| -rw-r--r-- | apps/lib/apps.c | 9 | ||||
| -rw-r--r-- | apps/req.c | 2 | ||||
| -rw-r--r-- | apps/x509.c | 3 |
6 files changed, 12 insertions, 9 deletions
@@ -1375,7 +1375,7 @@ static int certify(X509 **xret, const char *infile, int informat, EVP_PKEY *pktmp = NULL; int ok = -1, i; - req = load_csr_autofmt(infile, informat, "certificate request"); + req = load_csr_autofmt(infile, informat, vfyopts, "certificate request"); if (req == NULL) goto end; if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { diff --git a/apps/cmp.c b/apps/cmp.c index 84c5d89d7a..6cd3d7e7c0 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1643,7 +1643,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_cmd == CMP_GENM) { CMP_warn("-csr option is ignored for command 'genm'"); } else { - csr = load_csr_autofmt(opt_csr, FORMAT_UNDEF, "PKCS#10 CSR"); + csr = load_csr_autofmt(opt_csr, FORMAT_UNDEF, NULL, "PKCS#10 CSR"); if (csr == NULL) return 0; if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) diff --git a/apps/include/apps.h b/apps/include/apps.h index e603d07868..b48937a8c2 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -114,7 +114,8 @@ char *get_passwd(const char *pass, const char *desc); int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2); int add_oid_section(CONF *conf); X509_REQ *load_csr(const char *file, int format, const char *desc); -X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc); +X509_REQ *load_csr_autofmt(const char *infile, int format, + STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc); X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc); # define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 6f9bf4a6c8..701ed6d7dc 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -527,7 +527,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) } /* Better extend OSSL_STORE to support CSRs, see FR #15725 */ -X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc) +X509_REQ *load_csr_autofmt(const char *infile, int format, + STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc) { X509_REQ *csr; @@ -550,12 +551,12 @@ X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc) } if (csr != NULL) { EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr); - int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */); + int ret = do_X509_REQ_verify(csr, pkey, vfyopts); if (pkey == NULL || ret < 0) - BIO_puts(bio_err, "Warning: error while verifying CSR self-signature"); + BIO_puts(bio_err, "Warning: error while verifying CSR self-signature\n"); else if (ret == 0) - BIO_puts(bio_err, "Warning: CSR self-signature does not match the contents"); + BIO_puts(bio_err, "Warning: CSR self-signature does not match the contents\n"); return csr; } return csr; diff --git a/apps/req.c b/apps/req.c index fa0c9a050a..649ba99f0b 100644 --- a/apps/req.c +++ b/apps/req.c @@ -738,7 +738,7 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "Warning: Not placing -key in cert or request since request is used\n"); req = load_csr_autofmt(infile /* if NULL, reads from stdin */, - informat, "X509 request"); + informat, vfyopts, "X509 request"); if (req == NULL) goto end; } else if (infile != NULL) { diff --git a/apps/x509.c b/apps/x509.c index e10afc59f6..7a935e1f70 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -706,7 +706,8 @@ int x509_main(int argc, char **argv) if (infile == NULL) BIO_printf(bio_err, "Warning: Reading cert request from stdin since no -in option is given\n"); - req = load_csr_autofmt(infile, informat, "certificate request input"); + req = load_csr_autofmt(infile, informat, vfyopts, + "certificate request input"); if (req == NULL) goto end; |