New functions and option to use NEW in certificate requests.
This commit is contained in:
parent
5c2ec54f12
commit
8a208cba97
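--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
 Changes between 0.9.4 and 0.9.5 [xx XXX 2000]
 
+*) Add some PEM_write_X509_REQ_NEW() functions and a command line
+argument to 'req'. This is not because the function is newer or
+better than others it just uses the work 'NEW' in the certificate
+request header lines. Some software needs this.
+[Steve Henson]
+
 *) Reorganise password command line arguments: now passwords can be
 obtained from various sources. Delete the PEM_cb function and make
 it the default behaviour: i.e. if the callback is NULL and the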
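--- a/apps/req.c
+++ b/apps/req.c
@@ -150,7 +150,7 @@ int MAIN(int argc, char **argv)
 int i,badops=0,newreq=0,newkey= -1,pkey_type=0;
 BIO *in=NULL,*out=NULL;
 int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
-int nodes=0,kludge=0;
+int nodes=0,kludge=0,newhdr=0;
 char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
 char *extensions = NULL;
 char *req_exts = NULL;
@@ -306,6 +306,8 @@ int MAIN(int argc, char **argv)
 
 newreq=1;
 }
+else if (strcmp(*argv,"-newhdr") == 0)
+newhdr=1;
 else if (strcmp(*argv,"-modulus") == 0)
 modulus=1;
 else if (strcmp(*argv,"-verify") == 0)
@@ -378,6 +380,7 @@ bad:
 BIO_printf(bio_err," -new new request.\n");
 BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n");
 BIO_printf(bio_err," -days number of days a x509 generated by -x509 is valid for.\n");
+BIO_printf(bio_err," -newhdr output \"NEW\" in the header lines\n");
 BIO_printf(bio_err," -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n");
 BIO_printf(bio_err," have been reported as requiring\n");
 BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
@@ -834,9 +837,10 @@ loop:
 {
 if (outformat == FORMAT_ASN1)
 i=i2d_X509_REQ_bio(out,req);
-else if (outformat == FORMAT_PEM)
-i=PEM_write_bio_X509_REQ(out,req);
-else {
+else if (outformat == FORMAT_PEM) {
+if(newhdr) i=PEM_write_bio_X509_REQ_NEW(out,req);
+else i=PEM_write_bio_X509_REQ(out,req);
+} else {
 BIO_printf(bio_err,"bad output format specified for outfile\n");
 goto end;
 }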
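Review bot: `newhdr` is only consulted inside the `FORMAT_PEM` branch of the request-writing block in the last hunk, so `-newhdr` combined with `-outform DER` is accepted by the option parser added in the second hunk and then silently ignored; the `-x509` output path is not in these hunks, but presumably it is ignored there as well. Either reject the combination after option parsing or say so in the usage line, e.g. `BIO_printf(bio_err," -newhdr output \"NEW\" in the header lines (PEM cert. req. output only)\n");`. As a point of style, the one-line `if(newhdr) ... else ...` inside the newly braced `else if` would read more clearly with braces and a space after `if`, matching `if (outformat == FORMAT_ASN1)` just above it. MAIN begins and ends outside these hunks.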
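--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -534,6 +534,7 @@ DECLARE_PEM_rw(X509, X509)
 DECLARE_PEM_rw(X509_AUX, X509)
 
 DECLARE_PEM_rw(X509_REQ, X509_REQ)
+DECLARE_PEM_write(X509_REQ_NEW, X509_REQ)
 
 DECLARE_PEM_rw(X509_CRL, X509_CRL)
 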
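Review bot: `DECLARE_PEM_write(X509_REQ_NEW, X509_REQ)` introduces `PEM_write_X509_REQ_NEW` and `PEM_write_bio_X509_REQ_NEW` with nothing saying how they differ from `PEM_write_X509_REQ` declared on the line above, and the matching `IMPLEMENT_PEM_write` hunk pairs the `_NEW` name with `PEM_STRING_X509_REQ_OLD`, which reads like a copy-paste error to anyone without the history. A comment on this declaration would stop a future "fix" of that pairing: `/* Identical encoding to PEM_write_X509_REQ; only the PEM label differs (BEGIN/END NEW CERTIFICATE REQUEST, i.e. PEM_STRING_X509_REQ_OLD). Write-only: the req documentation in this commit says either label is accepted on input. */`. The same comment belongs on the `IMPLEMENT_PEM_write` line.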
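--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -78,6 +78,8 @@ IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
 
 IMPLEMENT_PEM_rw(X509_REQ, X509_REQ, PEM_STRING_X509_REQ, X509_REQ)
 
+IMPLEMENT_PEM_write(X509_REQ_NEW, X509_REQ, PEM_STRING_X509_REQ_OLD, X509_REQ)
+
 IMPLEMENT_PEM_rw(X509_CRL, X509_CRL, PEM_STRING_X509_CRL, X509_CRL)
 
 IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRING_PKCS7, PKCS7)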
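--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -29,7 +29,8 @@ B<openssl> B<req>
 [B<-config filename>]
 [B<-x509>]
 [B<-days n>]
-[B<-noasn1-kludge>]
+[B<-asn1-kludge>]
+[B<-newhdr>]
 [B<-extensions section>]
 [B<-reqexts section>]
 
@@ -180,6 +181,11 @@ B<SET OF> whereas the correct form does.
 
 It should be noted that very few CAs still require the use of this option.
 
+=item B<-newhdr>
+
+Adds the word B<NEW> to the PEM file header and footer lines on the outputed
+request. Some software (Netscape certificate server) and some CAs need this.
+
 =back
 
 =head1 CONFIGURATION FILE FORMAT
@@ -302,9 +308,9 @@ just consist of field names and values: for example,
 
 This allows external programs (e.g. GUI based) to generate a template file
 with all the field names and values and just pass it to B<req>. An example
-of this kind of configuration files is contained in the B<EXAMPLES> section.
+of this kind of configuration file is contained in the B<EXAMPLES> section.
 
-Alternatively if the B<prompt> option is absent or not set to B<no> the the
+Alternatively if the B<prompt> option is absent or not set to B<no> then the
 file contains field prompting information. It consists of lines of the form:
 
 fieldName="prompt"
@@ -327,7 +333,7 @@ two characters long and must fit in a PrintableString).
 Some fields (such as organizationName) can be used more than once
 in a DN. This presents a problem because configuration files will
 not recognize the same name occurring twice. To avoid this problem
-if the fieldName contains an some characters followed by a full stop
+if the fieldName contains some characters followed by a full stop
 they will be ignored. So for example a second organizationName can
 be input by calling it "1.organizationName".
 
@@ -335,8 +341,7 @@ The actual permitted field names are any object identifier short or
 long names. These are compiled into OpenSSL and include the usual
 values such as commonName, countryName, localityName, organizationName,
 organizationUnitName, stateOrPrivinceName. Additionally emailAddress
-is include as well as name, surname, givenName initials and dnQualifier
-are supported.
+is include as well as name, surname, givenName initials and dnQualifier.
 
 Additional object identifiers can be defined with the B<oid_file> or
 B<oid_section> options in the configuration file. Any additional fields
@@ -439,7 +444,7 @@ Sample configuration containing all field values:
 
 =head1 NOTES
 
-The header and footer lines in the B<PEM> format are respectively:
+The header and footer lines in the B<PEM> format are normally:
 
 -----BEGIN CERTIFICATE REQUEST----
 -----END CERTIFICATE REQUEST----
@@ -449,7 +454,8 @@ some software (some versions of Netscape certificate server) instead needs:
 -----BEGIN NEW CERTIFICATE REQUEST----
 -----END NEW CERTIFICATE REQUEST----
 
-but is otherwise compatible. Either form is accepted on input.
+which is produced with the B<-newhdr> option but is otherwise compatible.
+Either form is accepted transparently on input.
 
 The certificate requests generated by B<Xenroll> with MSIE have extensions
 added. It includes the B<keyUsage> extension which determines the type of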
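--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -2222,3 +2222,5 @@ CRYPTO_dbg_get_options 2246
 AUTHORITY_INFO_ACCESS_new 2247
 CRYPTO_get_mem_debug_options 2248
 des_crypt 2249
+PEM_write_bio_X509_REQ_NEW 2250
+PEM_write_X509_REQ_NEW 2251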
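--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -301,6 +301,18 @@ sub do_defs
 }
 $funcs{"PEM_read_bio_${1}"} = 1;
 $funcs{"PEM_write_bio_${1}"} = 1;
+} elsif (/^DECLARE_PEM_write\s*\(\s*(\w*)\s*,/ ||
+/^DECLARE_PEM_write_cb\s*\(\s*(\w*)\s*,/ ) {
+if($W32) {
+$funcs{"PEM_write_${1}"} = 1;
+}
+$funcs{"PEM_write_bio_${1}"} = 1;
+} elsif (/^DECLARE_PEM_read\s*\(\s*(\w*)\s*,/ ||
+/^DECLARE_PEM_read_cb\s*\(\s*(\w*)\s*,/ ) {
+if($W32) {
+$funcs{"PEM_read_${1}"} = 1;
+}
+$funcs{"PEM_read_bio_${1}"} = 1;
 } elsif (
 ($tag{'TRUE'} != -1) &&
 ($tag{'FreeBSD'} != 1) &&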
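Review bot: The two new `elsif` arms each spell the `_cb` variant out as a second alternative, so the capture group is written twice per arm and the pair has to be kept in sync by hand; `(?:_cb)?` inside a single pattern captures the same `$1` in one place: `} elsif (/^DECLARE_PEM_write(?:_cb)?\s*\(\s*(\w*)\s*,/) {` and `} elsif (/^DECLARE_PEM_read(?:_cb)?\s*\(\s*(\w*)\s*,/) {`. The `if($W32)` gate followed by an unconditional `_bio_` registration now appears to be repeated in three arms (the tail of the `DECLARE_PEM_rw` arm is visible just above the insertion); if this grows again, a small helper taking the direction string would keep them identical. do_defs begins and ends outside the hunk.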