New functions and option to use NEW in certificate requests.
		
							
								
								
									
										6
									
								
								CHANGES
									
									
									
									
									
								
							
							
						
						
									
										6
									
								
								CHANGES
									
									
									
									
									
								
							@@ -4,6 +4,12 @@
 | 
			
		||||
 | 
			
		||||
 Changes between 0.9.4 and 0.9.5  [xx XXX 2000]
 | 
			
		||||
 | 
			
		||||
  *) Add some PEM_write_X509_REQ_NEW() functions and a command line
 | 
			
		||||
     argument to 'req'. This is not because the function is newer or
 | 
			
		||||
     better than others it just uses the work 'NEW' in the certificate
 | 
			
		||||
     request header lines. Some software needs this.
 | 
			
		||||
     [Steve Henson]
 | 
			
		||||
 | 
			
		||||
  *) Reorganise password command line arguments: now passwords can be
 | 
			
		||||
     obtained from various sources. Delete the PEM_cb function and make
 | 
			
		||||
     it the default behaviour: i.e. if the callback is NULL and the
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										12
									
								
								apps/req.c
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								apps/req.c
									
									
									
									
									
								
							@@ -150,7 +150,7 @@ int MAIN(int argc, char **argv)
 | 
			
		||||
	int i,badops=0,newreq=0,newkey= -1,pkey_type=0;
 | 
			
		||||
	BIO *in=NULL,*out=NULL;
 | 
			
		||||
	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
 | 
			
		||||
	int nodes=0,kludge=0;
 | 
			
		||||
	int nodes=0,kludge=0,newhdr=0;
 | 
			
		||||
	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
 | 
			
		||||
	char *extensions = NULL;
 | 
			
		||||
	char *req_exts = NULL;
 | 
			
		||||
@@ -306,6 +306,8 @@ int MAIN(int argc, char **argv)
 | 
			
		||||
 | 
			
		||||
			newreq=1;
 | 
			
		||||
			}
 | 
			
		||||
		else if (strcmp(*argv,"-newhdr") == 0)
 | 
			
		||||
			newhdr=1;
 | 
			
		||||
		else if (strcmp(*argv,"-modulus") == 0)
 | 
			
		||||
			modulus=1;
 | 
			
		||||
		else if (strcmp(*argv,"-verify") == 0)
 | 
			
		||||
@@ -378,6 +380,7 @@ bad:
 | 
			
		||||
		BIO_printf(bio_err," -new           new request.\n");
 | 
			
		||||
		BIO_printf(bio_err," -x509          output a x509 structure instead of a cert. req.\n");
 | 
			
		||||
		BIO_printf(bio_err," -days          number of days a x509 generated by -x509 is valid for.\n");
 | 
			
		||||
		BIO_printf(bio_err," -newhdr        output \"NEW\" in the header lines\n");
 | 
			
		||||
		BIO_printf(bio_err," -asn1-kludge   Output the 'request' in a format that is wrong but some CA's\n");
 | 
			
		||||
		BIO_printf(bio_err,"                have been reported as requiring\n");
 | 
			
		||||
		BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
 | 
			
		||||
@@ -834,9 +837,10 @@ loop:
 | 
			
		||||
		{
 | 
			
		||||
		if 	(outformat == FORMAT_ASN1)
 | 
			
		||||
			i=i2d_X509_REQ_bio(out,req);
 | 
			
		||||
		else if (outformat == FORMAT_PEM)
 | 
			
		||||
			i=PEM_write_bio_X509_REQ(out,req);
 | 
			
		||||
		else	{
 | 
			
		||||
		else if (outformat == FORMAT_PEM) {
 | 
			
		||||
			if(newhdr) i=PEM_write_bio_X509_REQ_NEW(out,req);
 | 
			
		||||
			else i=PEM_write_bio_X509_REQ(out,req);
 | 
			
		||||
		} else {
 | 
			
		||||
			BIO_printf(bio_err,"bad output format specified for outfile\n");
 | 
			
		||||
			goto end;
 | 
			
		||||
			}
 | 
			
		||||
 
 | 
			
		||||
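Review bot: In the `@@ -834` hunk `newhdr` is read only inside the `FORMAT_PEM` branch, so `-newhdr` combined with DER output is accepted and silently ignored. The flag exists because some consumers need the word NEW in the header, so a user who assumes it took effect only finds out when the request is submitted. The usage line could say so, `BIO_printf(bio_err," -newhdr        output \"NEW\" in the header lines (PEM output only)\n");`, or a warning could be printed when the flag is set and `outformat` is not PEM. The two added writes are also unbraced one-line `if(newhdr) … else …` statements, and the `} else {` brace placement differs from the lines around them. MAIN starts and ends outside these hunks, so whether `i` is checked after the write is not visible here.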
@@ -534,6 +534,7 @@ DECLARE_PEM_rw(X509, X509)
 | 
			
		||||
DECLARE_PEM_rw(X509_AUX, X509)
 | 
			
		||||
 | 
			
		||||
DECLARE_PEM_rw(X509_REQ, X509_REQ)
 | 
			
		||||
DECLARE_PEM_write(X509_REQ_NEW, X509_REQ)
 | 
			
		||||
 | 
			
		||||
DECLARE_PEM_rw(X509_CRL, X509_CRL)
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
@@ -78,6 +78,8 @@ IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
 | 
			
		||||
 | 
			
		||||
IMPLEMENT_PEM_rw(X509_REQ, X509_REQ, PEM_STRING_X509_REQ, X509_REQ)
 | 
			
		||||
 | 
			
		||||
IMPLEMENT_PEM_write(X509_REQ_NEW, X509_REQ, PEM_STRING_X509_REQ_OLD, X509_REQ)
 | 
			
		||||
 | 
			
		||||
IMPLEMENT_PEM_rw(X509_CRL, X509_CRL, PEM_STRING_X509_CRL, X509_CRL)
 | 
			
		||||
 | 
			
		||||
IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRING_PKCS7, PKCS7)
 | 
			
		||||
 
 | 
			
		||||
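Review bot: The added `IMPLEMENT_PEM_write(X509_REQ_NEW, X509_REQ, PEM_STRING_X509_REQ_OLD, X509_REQ)` pairs a function suffix `_NEW` with a label macro suffixed `_OLD`, which reads like a copy-paste mistake to anyone who has not looked up the macro. The macro's definition is outside this hunk; assuming it expands to the `NEW CERTIFICATE REQUEST` label, a comment above the line would settle it, for example `/* _OLD names the legacy "NEW CERTIFICATE REQUEST" label; write-only because both labels are already accepted on read */`. The read half of that comment rests on the req documentation in this commit, which states that either form is accepted on input.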
@@ -29,7 +29,8 @@ B<openssl> B<req>
 | 
			
		||||
[B<-config filename>]
 | 
			
		||||
[B<-x509>]
 | 
			
		||||
[B<-days n>]
 | 
			
		||||
[B<-noasn1-kludge>]
 | 
			
		||||
[B<-asn1-kludge>]
 | 
			
		||||
[B<-newhdr>]
 | 
			
		||||
[B<-extensions section>]
 | 
			
		||||
[B<-reqexts section>]
 | 
			
		||||
 | 
			
		||||
@@ -180,6 +181,11 @@ B<SET OF> whereas the correct form does.
 | 
			
		||||
 | 
			
		||||
It should be noted that very few CAs still require the use of this option.
 | 
			
		||||
 | 
			
		||||
=item B<-newhdr>
 | 
			
		||||
 | 
			
		||||
Adds the word B<NEW> to the PEM file header and footer lines on the outputed
 | 
			
		||||
request. Some software (Netscape certificate server) and some CAs need this.
 | 
			
		||||
 | 
			
		||||
=back
 | 
			
		||||
 | 
			
		||||
=head1 CONFIGURATION FILE FORMAT
 | 
			
		||||
@@ -302,9 +308,9 @@ just consist of field names and values: for example,
 | 
			
		||||
 | 
			
		||||
This allows external programs (e.g. GUI based) to generate a template file
 | 
			
		||||
with all the field names and values and just pass it to B<req>. An example
 | 
			
		||||
of this kind of configuration files is contained in the B<EXAMPLES> section.
 | 
			
		||||
of this kind of configuration file is contained in the B<EXAMPLES> section.
 | 
			
		||||
 | 
			
		||||
Alternatively if the B<prompt> option is absent or not set to B<no> the the
 | 
			
		||||
Alternatively if the B<prompt> option is absent or not set to B<no> then the
 | 
			
		||||
file contains field prompting information. It consists of lines of the form:
 | 
			
		||||
 | 
			
		||||
 fieldName="prompt"
 | 
			
		||||
@@ -327,7 +333,7 @@ two characters long and must fit in a PrintableString).
 | 
			
		||||
Some fields (such as organizationName) can be used more than once
 | 
			
		||||
in a DN. This presents a problem because configuration files will
 | 
			
		||||
not recognize the same name occurring twice. To avoid this problem
 | 
			
		||||
if the fieldName contains an some characters followed by a full stop
 | 
			
		||||
if the fieldName contains some characters followed by a full stop
 | 
			
		||||
they will be ignored. So for example a second organizationName can
 | 
			
		||||
be input by calling it "1.organizationName".
 | 
			
		||||
 | 
			
		||||
@@ -335,8 +341,7 @@ The actual permitted field names are any object identifier short or
 | 
			
		||||
long names. These are compiled into OpenSSL and include the usual
 | 
			
		||||
values such as commonName, countryName, localityName, organizationName,
 | 
			
		||||
organizationUnitName, stateOrPrivinceName. Additionally emailAddress
 | 
			
		||||
is include as well as name, surname, givenName initials and dnQualifier
 | 
			
		||||
are supported.
 | 
			
		||||
is include as well as name, surname, givenName initials and dnQualifier.
 | 
			
		||||
 | 
			
		||||
Additional object identifiers can be defined with the B<oid_file> or
 | 
			
		||||
B<oid_section> options in the configuration file. Any additional fields
 | 
			
		||||
@@ -439,7 +444,7 @@ Sample configuration containing all field values:
 | 
			
		||||
 | 
			
		||||
=head1 NOTES
 | 
			
		||||
 | 
			
		||||
The header and footer lines in the B<PEM> format are respectively:
 | 
			
		||||
The header and footer lines in the B<PEM> format are normally:
 | 
			
		||||
 | 
			
		||||
 -----BEGIN CERTIFICATE REQUEST----
 | 
			
		||||
 -----END CERTIFICATE REQUEST----
 | 
			
		||||
@@ -449,7 +454,8 @@ some software (some versions of Netscape certificate server) instead needs:
 | 
			
		||||
 -----BEGIN NEW CERTIFICATE REQUEST----
 | 
			
		||||
 -----END NEW CERTIFICATE REQUEST----
 | 
			
		||||
 | 
			
		||||
but is otherwise compatible. Either form is accepted on input.
 | 
			
		||||
which is produced with the B<-newhdr> option but is otherwise compatible.
 | 
			
		||||
Either form is accepted transparently on input.
 | 
			
		||||
 | 
			
		||||
The certificate requests generated by B<Xenroll> with MSIE have extensions
 | 
			
		||||
added. It includes the B<keyUsage> extension which determines the type of
 | 
			
		||||
 
 | 
			
		||||
@@ -2222,3 +2222,5 @@ CRYPTO_dbg_get_options                  2246
 | 
			
		||||
AUTHORITY_INFO_ACCESS_new               2247
 | 
			
		||||
CRYPTO_get_mem_debug_options            2248
 | 
			
		||||
des_crypt                               2249
 | 
			
		||||
PEM_write_bio_X509_REQ_NEW              2250
 | 
			
		||||
PEM_write_X509_REQ_NEW                  2251
 | 
			
		||||
 
 | 
			
		||||
@@ -301,6 +301,18 @@ sub do_defs
 | 
			
		||||
				}
 | 
			
		||||
				$funcs{"PEM_read_bio_${1}"} = 1;
 | 
			
		||||
				$funcs{"PEM_write_bio_${1}"} = 1;
 | 
			
		||||
			} elsif (/^DECLARE_PEM_write\s*\(\s*(\w*)\s*,/ ||
 | 
			
		||||
				     /^DECLARE_PEM_write_cb\s*\(\s*(\w*)\s*,/ ) {
 | 
			
		||||
				if($W32) {
 | 
			
		||||
					$funcs{"PEM_write_${1}"} = 1;
 | 
			
		||||
				}
 | 
			
		||||
				$funcs{"PEM_write_bio_${1}"} = 1;
 | 
			
		||||
			} elsif (/^DECLARE_PEM_read\s*\(\s*(\w*)\s*,/ ||
 | 
			
		||||
				     /^DECLARE_PEM_read_cb\s*\(\s*(\w*)\s*,/ ) {
 | 
			
		||||
				if($W32) {
 | 
			
		||||
					$funcs{"PEM_read_${1}"} = 1;
 | 
			
		||||
				}
 | 
			
		||||
				$funcs{"PEM_read_bio_${1}"} = 1;
 | 
			
		||||
			} elsif (
 | 
			
		||||
				($tag{'TRUE'} != -1) &&
 | 
			
		||||
				($tag{'FreeBSD'} != 1) &&
 | 
			
		||||
 
 | 
			
		||||
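Review bot: Both added patterns capture the name with `(\w*)`, which also matches an empty name and would then register `PEM_write_bio_` or `PEM_read_bio_` as an exported symbol; `(\w+)` rejects that. Each pair of alternatives differs only in the `_cb` suffix, so one pattern per branch is enough: `} elsif (/^DECLARE_PEM_write(?:_cb)?\s*\(\s*(\w+)\s*,/) {` and the same for `read`. `do_defs` starts and ends outside the hunk, so the branch these were presumably modelled on is not visible here.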