Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
This commit is contained in:
Dr. Stephen Henson 2010-01-12 17:27:11 +00:00
parent 23c3bee970
commit 93fac08ec3
5 changed files with 68 additions and 0 deletions


@ -4,6 +4,10 @@
Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx] Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx]
*) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
output hashes compatible with older versions of OpenSSL.
[Willy Weisz <weisz@vcpc.univie.ac.at>]
*) Fix compression algorithm handling: if resuming a session use the *) Fix compression algorithm handling: if resuming a session use the
compression algorithm of the resumed session instead of determining compression algorithm of the resumed session instead of determining
it from client hello again. Don't allow server to change algorithm. it from client hello again. Don't allow server to change algorithm.


@ -99,7 +99,13 @@ static const char *x509_usage[]={
" -passin arg - private key password source\n", " -passin arg - private key password source\n",
" -serial - print serial number value\n", " -serial - print serial number value\n",
" -subject_hash - print subject hash value\n", " -subject_hash - print subject hash value\n",
#ifndef OPENSSL_NO_MD5
" -subject_hash_old - print old-style (MD5) subject hash value\n",
#endif
" -issuer_hash - print issuer hash value\n", " -issuer_hash - print issuer hash value\n",
#ifndef OPENSSL_NO_MD5
" -issuer_hash_old - print old-style (MD5) issuer hash value\n",
#endif
" -hash - synonym for -subject_hash\n", " -hash - synonym for -subject_hash\n",
" -subject - print subject DN\n", " -subject - print subject DN\n",
" -issuer - print issuer DN\n", " -issuer - print issuer DN\n",
@ -179,6 +185,9 @@ int MAIN(int argc, char **argv)
int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
int next_serial=0; int next_serial=0;
int subject_hash=0,issuer_hash=0,ocspid=0; int subject_hash=0,issuer_hash=0,ocspid=0;
#ifndef OPENSSL_NO_MD5
int subject_hash_old=0,issuer_hash_old=0;
#endif
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
int ocsp_uri=0; int ocsp_uri=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
@ -397,8 +406,16 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-hash") == 0 else if (strcmp(*argv,"-hash") == 0
|| strcmp(*argv,"-subject_hash") == 0) || strcmp(*argv,"-subject_hash") == 0)
subject_hash= ++num; subject_hash= ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv,"-subject_hash_old") == 0)
subject_hash_old= ++num;
#endif
else if (strcmp(*argv,"-issuer_hash") == 0) else if (strcmp(*argv,"-issuer_hash") == 0)
issuer_hash= ++num; issuer_hash= ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv,"-issuer_hash_old") == 0)
issuer_hash_old= ++num;
#endif
else if (strcmp(*argv,"-subject") == 0) else if (strcmp(*argv,"-subject") == 0)
subject= ++num; subject= ++num;
else if (strcmp(*argv,"-issuer") == 0) else if (strcmp(*argv,"-issuer") == 0)
@ -759,10 +776,22 @@ bad:
{ {
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
} }
#ifndef OPENSSL_NO_MD5
else if (subject_hash_old == i)
{
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x));
}
#endif
else if (issuer_hash == i) else if (issuer_hash == i)
{ {
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
} }
#ifndef OPENSSL_NO_MD5
else if (issuer_hash_old == i)
{
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x));
}
#endif
else if (pprint == i) else if (pprint == i)
{ {
X509_PURPOSE *ptmp; X509_PURPOSE *ptmp;
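Review bot: The new output branches for `subject_hash_old` and `issuer_hash_old` print an MD5-derived value with nothing in the code saying that this hash is a directory-lookup key, not a digest of the certificate; a reader could mistake it for an integrity check. Suggest a comment above the `else if (subject_hash_old == i)` branch: `/* pre-1.0.0 hash (MD5 over the DER-encoded name): only for locating files in a directory built by an older c_rehash, not a security property */`. The usage strings do say "(MD5)", which helps; adding "pre-1.0.0" there too would tell users exactly which directory layout the value matches. The enclosing MAIN function starts and ends outside these hunks.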


@ -961,6 +961,11 @@ unsigned long X509_issuer_name_hash(X509 *a);
int X509_subject_name_cmp(const X509 *a, const X509 *b); int X509_subject_name_cmp(const X509 *a, const X509 *b);
unsigned long X509_subject_name_hash(X509 *x); unsigned long X509_subject_name_hash(X509 *x);
#ifndef OPENSSL_NO_MD5
unsigned long X509_issuer_name_hash_old(X509 *a);
unsigned long X509_subject_name_hash_old(X509 *x);
#endif
int X509_cmp(const X509 *a, const X509 *b); int X509_cmp(const X509 *a, const X509 *b);
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
unsigned long X509_NAME_hash(X509_NAME *x); unsigned long X509_NAME_hash(X509_NAME *x);
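Review bot: The two new public prototypes carry no comment explaining why a second hash function exists alongside `X509_issuer_name_hash`/`X509_subject_name_hash`, and a public header is where API users will look. Suggest one line above the `#ifndef OPENSSL_NO_MD5` block: `/* MD5-based name hashes as produced by OpenSSL < 1.0.0; for compatibility with hashed directories built by older c_rehash only */`. The implementations in x509_cmp.c call `X509_NAME_hash_old`, whose declaration is not in this hunk — presumably already present under the same `OPENSSL_NO_MD5` guard elsewhere in the header, but worth confirming so the guards stay in sync.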


@ -133,6 +133,13 @@ unsigned long X509_issuer_name_hash(X509 *x)
return(X509_NAME_hash(x->cert_info->issuer)); return(X509_NAME_hash(x->cert_info->issuer));
} }
#ifndef OPENSSL_NO_MD5
unsigned long X509_issuer_name_hash_old(X509 *x)
{
return(X509_NAME_hash_old(x->cert_info->issuer));
}
#endif
X509_NAME *X509_get_subject_name(X509 *a) X509_NAME *X509_get_subject_name(X509 *a)
{ {
return(a->cert_info->subject); return(a->cert_info->subject);
@ -148,6 +155,13 @@ unsigned long X509_subject_name_hash(X509 *x)
return(X509_NAME_hash(x->cert_info->subject)); return(X509_NAME_hash(x->cert_info->subject));
} }
#ifndef OPENSSL_NO_MD5
unsigned long X509_subject_name_hash_old(X509 *x)
{
return(X509_NAME_hash_old(x->cert_info->subject));
}
#endif
#ifndef OPENSSL_NO_SHA #ifndef OPENSSL_NO_SHA
/* Compare two certificates: they must be identical for /* Compare two certificates: they must be identical for
* this to work. NB: Although "cmp" operations are generally * this to work. NB: Although "cmp" operations are generally
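Review bot: `X509_issuer_name_hash_old` and `X509_subject_name_hash_old` are added without a comment stating what "old" means, and the file has no other hint that the result differs from the SHA1/canonical-DN hash returned by the functions directly above them. Suggest a short comment before the first `#ifndef OPENSSL_NO_MD5`: `/* Pre-1.0.0 name hash: MD5 over the DER encoding, no canonicalisation. Kept only so old hashed directories can still be resolved. */`. Both wrappers dereference `x->cert_info` unconditionally, which matches the existing `X509_issuer_name_hash` above, so no new behavioural concern is introduced there.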


@ -158,6 +158,16 @@ outputs the "hash" of the certificate issuer name.
synonym for "-subject_hash" for backward compatibility reasons. synonym for "-subject_hash" for backward compatibility reasons.
=item B<-subject_hash_old>
outputs the "hash" of the certificate subject name using the older algorithm
as used by OpenSSL versions before 1.0.0.
=item B<-issuer_hash_old>
outputs the "hash" of the certificate issuer name using the older algorithm
as used by OpenSSL versions before 1.0.0.
=item B<-subject> =item B<-subject>
outputs the subject name. outputs the subject name.
@ -837,4 +847,10 @@ L<x509v3_config(5)|x509v3_config(5)>
Before OpenSSL 0.9.8, the default digest for RSA keys was MD5. Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
canonical version of the DN using SHA1. This means that any directories using
the old form must have their links rebuilt using B<c_rehash> or similar.
=cut =cut