Initial trust code: allow setting of trust checking functions

in a table. Doesn't do too much yet.

Make the -<digestname> options in 'x509' affect all relevant
options.

Change the name of the 'notrust' options to 'reject' as this
causes less confusion and is a better description of the
effect.

A few constification changes.
This commit is contained in:
Dr. Stephen Henson 1999-11-27 01:14:04 +00:00
parent d4cec6a13d
commit 9868232ae1
13 changed files with 148 additions and 89 deletions

10
CHANGES
View File

@ -4,6 +4,14 @@
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
*) Fixes and enhancements to the 'x509' utility. It allowed a message
digest to be passed on the command line but it only used this
parameter when signing a certificate. Modified so all relevant
operations are affected by the digest parameter including the
-fingerprint and -x509toreq options. Also -x509toreq choked if a
DSA key was used because it didn't fix the digest.
[Steve Henson]
*) Very preliminary certificate chain verify code. Currently just tests
the untrusted certificates for consistency with the verify purpose
(which is set when the X509_STORE_CTX structure is set up) and checks
@ -12,7 +20,7 @@
reject chains with invalid extensions whereas before it made no checks
at all.
Still needs some trust checking code.
Preliminary untested trust code.
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
which should be used for version portability: especially since the

6
TABLE
View File

@ -449,7 +449,7 @@ $unistd =
$thread_cflag = (unknown)
$lflags =
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
$bn_obj =
$bn_obj = asm/alpha.o
$des_obj =
$bf_obj =
$md5_obj =
@ -466,7 +466,7 @@ $unistd =
$thread_cflag = (unknown)
$lflags =
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1
$bn_obj =
$bn_obj = asm/alpha.o
$des_obj =
$bf_obj =
$md5_obj =
@ -483,7 +483,7 @@ $unistd =
$thread_cflag = (unknown)
$lflags =
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
$bn_obj =
$bn_obj = asm/alpha.o
$des_obj =
$bf_obj =
$md5_obj =

View File

@ -107,9 +107,9 @@ static char *x509_usage[]={
" -noout - no certificate output\n",
" -trustout - output a \"trusted\" certificate\n",
" -clrtrust - clear all trusted purposes\n",
" -clrnotrust - clear all untrusted purposes\n",
" -addtrust arg - mark certificate as trusted for a given purpose\n",
" -addnotrust arg - mark certificate as not trusted for a given purpose\n",
" -clrreject - clear all rejected purposes\n",
" -addtrust arg - trust certificate for a given purpose\n",
" -addreject arg - reject certificate for a given purpose\n",
" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
" -signkey arg - self sign cert with arg\n",
@ -122,7 +122,7 @@ static char *x509_usage[]={
" -CAserial - serial file\n",
" -text - print the certificate in text form\n",
" -C - print out C code forms\n",
" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n",
" -md2/-md5/-sha1/-mdc2 - digest to use\n",
" -extfile - configuration file with X509V3 extensions to add\n",
" -extensions - section from config file with X509V3 extensions to add\n",
NULL
@ -148,14 +148,14 @@ int MAIN(int argc, char **argv)
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
STACK *trust = NULL, *notrust = NULL;
STACK *trust = NULL, *reject = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
char *alias=NULL, *trstr=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
int pprint = 0;
@ -289,17 +289,17 @@ int MAIN(int argc, char **argv)
sk_push(trust, trstr);
trustout = 1;
}
else if (strcmp(*argv,"-addnotrust") == 0)
else if (strcmp(*argv,"-addreject") == 0)
{
if (--argc < 1) goto bad;
trstr= *(++argv);
if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) {
if(!X509_reject_set_bit_asc(NULL, trstr, 0)) {
BIO_printf(bio_err,
"Unknown trust value %s\n", trstr);
goto bad;
}
if(!notrust) notrust = sk_new_null();
sk_push(notrust, trstr);
if(!reject) reject = sk_new_null();
sk_push(reject, trstr);
trustout = 1;
}
else if (strcmp(*argv,"-setalias") == 0)
@ -351,13 +351,13 @@ int MAIN(int argc, char **argv)
trustout= 1;
else if (strcmp(*argv,"-clrtrust") == 0)
clrtrust= ++num;
else if (strcmp(*argv,"-clrnotrust") == 0)
clrnotrust= ++num;
else if (strcmp(*argv,"-clrreject") == 0)
clrreject= ++num;
else if (strcmp(*argv,"-alias") == 0)
aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
digest=md_alg;
@ -551,7 +551,7 @@ bad:
if(alias) X509_alias_set(x, (unsigned char *)alias, -1);
if(clrtrust) X509_trust_set_bit(x, -1, 0);
if(clrnotrust) X509_notrust_set_bit(x, -1, 0);
if(clrreject) X509_reject_set_bit(x, -1, 0);
if(trust) {
for(i = 0; i < sk_num(trust); i++) {
@ -561,12 +561,12 @@ bad:
sk_free(trust);
}
if(notrust) {
for(i = 0; i < sk_num(notrust); i++) {
trstr = sk_value(notrust, i);
X509_notrust_set_bit_asc(x, trstr, 1);
if(reject) {
for(i = 0; i < sk_num(reject); i++) {
trstr = sk_value(reject, i);
X509_reject_set_bit_asc(x, trstr, 1);
}
sk_free(notrust);
sk_free(reject);
}
if (num)
@ -732,12 +732,13 @@ bad:
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_digest(x,EVP_md5(),md,&n))
if (!X509_digest(x,digest,md,&n))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
BIO_printf(STDout,"MD5 Fingerprint=");
BIO_printf(STDout,"%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest)));
for (j=0; j<(int)n; j++)
{
BIO_printf(STDout,"%02X%c",md[j],
@ -801,7 +802,10 @@ bad:
BIO_printf(bio_err,"Generating certificate request\n");
rq=X509_to_X509_REQ(x,pk,EVP_md5());
if (pk->type == EVP_PKEY_DSA)
digest=EVP_dss1();
rq=X509_to_X509_REQ(x,pk,digest);
EVP_PKEY_free(pk);
if (rq == NULL)
{

View File

@ -69,8 +69,8 @@
#include <openssl/buffer.h>
#include <openssl/x509.h>
int ASN1_digest(int (*i2d)(), EVP_MD *type, char *data, unsigned char *md,
unsigned int *len)
int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
unsigned char *md, unsigned int *len)
{
EVP_MD_CTX ctx;
int i;

View File

@ -83,12 +83,12 @@ int X509_trust_set_bit_asc(X509 *x, char *str, int value)
return 1;
}
int X509_notrust_set_bit_asc(X509 *x, char *str, int value)
int X509_reject_set_bit_asc(X509 *x, char *str, int value)
{
int bitnum;
bitnum = ASN1_BIT_STRING_num_asc(str, tbits);
if(bitnum < 0) return 0;
if(x) return X509_notrust_set_bit(x, bitnum, value);
if(x) return X509_reject_set_bit(x, bitnum, value);
return 1;
}
@ -102,9 +102,9 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
BIO_printf(out, "%*sTrusted for:\n", indent, "");
ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2);
} else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, "");
if(aux->notrust) {
if(aux->reject) {
BIO_printf(out, "%*sUntrusted for:\n", indent, "");
ASN1_BIT_STRING_name_print(out, aux->notrust, tbits, indent + 2);
ASN1_BIT_STRING_name_print(out, aux->reject, tbits, indent + 2);
} else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, "");
if(aux->othertrust) {
first = 1;
@ -119,15 +119,15 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
}
BIO_puts(out, "\n");
}
if(aux->othernotrust) {
if(aux->otherreject) {
first = 1;
BIO_printf(out, "%*sOther Untrusted Uses:\n%*s",
indent, "", indent + 2, "");
for(i = 0; i < sk_ASN1_OBJECT_num(aux->othernotrust); i++) {
for(i = 0; i < sk_ASN1_OBJECT_num(aux->otherreject); i++) {
if(!first) BIO_puts(out, ", ");
else first = 0;
OBJ_obj2txt(oidstr, 80,
sk_ASN1_OBJECT_value(aux->othernotrust, i), 0);
sk_ASN1_OBJECT_value(aux->otherreject, i), 0);
BIO_puts(out, oidstr);
}
BIO_puts(out, "\n");

View File

@ -80,12 +80,12 @@ X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long len
M_ASN1_D2I_get_opt(ret->trust, d2i_ASN1_BIT_STRING,
V_ASN1_BIT_STRING);
M_ASN1_D2I_get_IMP_opt(ret->notrust, d2i_ASN1_BIT_STRING,0,
M_ASN1_D2I_get_IMP_opt(ret->reject, d2i_ASN1_BIT_STRING,0,
V_ASN1_BIT_STRING);
M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->othertrust,
d2i_ASN1_OBJECT, ASN1_OBJECT_free);
M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->othernotrust,
M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->otherreject,
d2i_ASN1_OBJECT, ASN1_OBJECT_free, 1);
M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
M_ASN1_D2I_get_opt(ret->other, d2i_ASN1_TYPE, V_ASN1_SEQUENCE);
@ -99,9 +99,9 @@ X509_CERT_AUX *X509_CERT_AUX_new()
ASN1_CTX c;
M_ASN1_New_Malloc(ret, X509_CERT_AUX);
ret->trust = NULL;
ret->notrust = NULL;
ret->reject = NULL;
ret->othertrust = NULL;
ret->othernotrust = NULL;
ret->otherreject = NULL;
ret->alias = NULL;
ret->other = NULL;
return(ret);
@ -112,9 +112,9 @@ void X509_CERT_AUX_free(X509_CERT_AUX *a)
{
if(a == NULL) return;
ASN1_BIT_STRING_free(a->trust);
ASN1_BIT_STRING_free(a->notrust);
ASN1_BIT_STRING_free(a->reject);
sk_ASN1_OBJECT_pop_free(a->othertrust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(a->othernotrust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(a->otherreject, ASN1_OBJECT_free);
ASN1_UTF8STRING_free(a->alias);
ASN1_TYPE_free(a->other);
Free((char *)a);
@ -125,10 +125,10 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
M_ASN1_I2D_vars(a);
M_ASN1_I2D_len(a->trust, i2d_ASN1_BIT_STRING);
M_ASN1_I2D_len_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING);
M_ASN1_I2D_len_IMP_opt(a->reject, i2d_ASN1_BIT_STRING);
M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1);
M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
M_ASN1_I2D_len(a->other, i2d_ASN1_TYPE);
@ -136,10 +136,10 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
M_ASN1_I2D_seq_total();
M_ASN1_I2D_put(a->trust, i2d_ASN1_BIT_STRING);
M_ASN1_I2D_put_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING, 0);
M_ASN1_I2D_put_IMP_opt(a->reject, i2d_ASN1_BIT_STRING, 0);
M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1);
M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
M_ASN1_I2D_put(a->other, i2d_ASN1_TYPE);
@ -184,19 +184,19 @@ int X509_trust_set_bit(X509 *x, int bit, int value)
return ASN1_BIT_STRING_set_bit(aux->trust, bit, value);
}
int X509_notrust_set_bit(X509 *x, int bit, int value)
int X509_reject_set_bit(X509 *x, int bit, int value)
{
X509_CERT_AUX *aux;
if(bit == -1) {
if(x->aux && x->aux->notrust) {
ASN1_BIT_STRING_free(x->aux->notrust);
x->aux->notrust = NULL;
if(x->aux && x->aux->reject) {
ASN1_BIT_STRING_free(x->aux->reject);
x->aux->reject = NULL;
}
return 1;
}
if(!(aux = aux_get(x))) return 0;
if(!aux->notrust && !(aux->notrust = ASN1_BIT_STRING_new())) return 0;
return ASN1_BIT_STRING_set_bit(aux->notrust, bit, value);
if(!aux->reject && !(aux->reject = ASN1_BIT_STRING_new())) return 0;
return ASN1_BIT_STRING_set_bit(aux->reject, bit, value);
}
int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj)
@ -208,12 +208,12 @@ int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj)
return sk_ASN1_OBJECT_push(aux->othertrust, obj);
}
int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj)
int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj)
{
X509_CERT_AUX *aux;
if(!(aux = aux_get(x))) return 0;
if(!aux->othernotrust
&& !(aux->othernotrust = sk_ASN1_OBJECT_new_null())) return 0;
return sk_ASN1_OBJECT_push(aux->othernotrust, obj);
if(!aux->otherreject
&& !(aux->otherreject = sk_ASN1_OBJECT_new_null())) return 0;
return sk_ASN1_OBJECT_push(aux->otherreject, obj);
}

View File

@ -247,7 +247,7 @@ PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(
unsigned char **pp, long length);
#ifndef SSLEAY_MACROS
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,EVP_MD *type,
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,const EVP_MD *type,
unsigned char *md,unsigned int *len);
#ifndef NO_FP_API
PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);

View File

@ -27,13 +27,13 @@ LIBSRC= x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
x509_set.c x509rset.c x509_err.c \
x509name.c x509_v3.c x509_ext.c \
x509type.c x509_lu.c x_all.c x509_txt.c \
by_file.c by_dir.c
x509_trs.c by_file.c by_dir.c
LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
x509_obj.o x509_req.o x509spki.o x509_vfy.o \
x509_set.o x509rset.o x509_err.o \
x509name.o x509_v3.o x509_ext.o \
x509type.o x509_lu.o x_all.o x509_txt.o \
by_file.o by_dir.o
x509_trs.o by_file.o by_dir.o
SRC= $(LIBSRC)

View File

@ -236,7 +236,7 @@ typedef struct x509_cinf_st
* the end of the certificate itself
*/
/* Bit values for trust/notrust */
/* Bit values for trust/reject */
#define X509_TRUST_BIT_ALL 0
#define X509_TRUST_BIT_SSL_CLIENT 1
@ -248,9 +248,9 @@ typedef struct x509_cinf_st
typedef struct x509_cert_aux_st
{
ASN1_BIT_STRING *trust; /* trusted uses */
ASN1_BIT_STRING *notrust; /* rejected uses */
ASN1_BIT_STRING *reject; /* rejected uses */
STACK_OF(ASN1_OBJECT) *othertrust; /* extra uses */
STACK_OF(ASN1_OBJECT) *othernotrust; /* extra rejected uses */
STACK_OF(ASN1_OBJECT) *otherreject; /* extra rejected uses */
ASN1_UTF8STRING *alias; /* "friendly name" */
ASN1_TYPE *other; /* other unspecified info */
} X509_CERT_AUX;
@ -284,16 +284,29 @@ typedef struct x509_trust_st {
int trust_flags;
int (*check_trust)(struct x509_trust_st *, X509 *, int);
char *trust_name;
int trust_bit;
void *usr_data;
int arg1;
void *arg2;
} X509_TRUST;
/* X509 trust ids */
DECLARE_STACK_OF(X509_TRUST)
/* standard trust ids */
#define X509_TRUST_ANY 1
#define X509_TRUST_SSL_CLIENT 2
#define X509_TRUST_SSL_SERVER 3
#define X509_TRUST_EMAIL 4
#define X509_TRUST_OBJECT_SIGN 5
/* trust_flags values */
#define X509_TRUST_DYNAMIC 1
#define X509_TRUST_DYNAMIC_NAME 2
/* check_trust return codes */
#define X509_TRUST_TRUSTED 1
#define X509_TRUST_REJECTED 2
#define X509_TRUST_UNTRUSTED 3
typedef struct X509_revoked_st
{
@ -615,8 +628,8 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_digest(X509 *data,EVP_MD *type,unsigned char *md,unsigned int *len);
int X509_NAME_digest(X509_NAME *data,EVP_MD *type,
int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len);
int X509_NAME_digest(X509_NAME *data,const EVP_MD *type,
unsigned char *md,unsigned int *len);
#endif
@ -701,7 +714,7 @@ const char * X509_get_default_cert_dir_env(void );
const char * X509_get_default_cert_file_env(void );
const char * X509_get_default_private_dir(void );
X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md);
X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
void ERR_load_X509_strings(void );
@ -803,12 +816,12 @@ X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
int X509_alias_set(X509 *x, unsigned char *name, int len);
unsigned char * X509_alias_get(X509 *x, int *len);
int X509_trust_set_bit(X509 *x, int bit, int value);
int X509_notrust_set_bit(X509 *x, int bit, int value);
int X509_reject_set_bit(X509 *x, int bit, int value);
int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj);
int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj);
int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj);
int X509_trust_set_bit_asc(X509 *x, char *str, int value);
int X509_notrust_set_bit_asc(X509 *x, char *str, int value);
int X509_reject_set_bit_asc(X509 *x, char *str, int value);
X509_REVOKED * X509_REVOKED_new(void);
void X509_REVOKED_free(X509_REVOKED *a);
@ -857,7 +870,7 @@ char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
int ASN1_digest(int (*i2d)(),EVP_MD *type,char *data,
int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
unsigned char *md,unsigned int *len);
int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
@ -1040,6 +1053,17 @@ EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
int X509_check_trust(X509 *x, int id, int flags);
int X509_TRUST_get_count(void);
X509_TRUST * X509_TRUST_iget(int idx);
int X509_TRUST_get_by_id(int id);
int X509_TRUST_add(X509_TRUST *xp);
void X509_TRUST_cleanup(void);
void X509_TRUST_add_standard(void);
int X509_TRUST_get_id(X509_TRUST *xp);
char *X509_TRUST_iget_name(X509_TRUST *xp);
int X509_TRUST_get_trust(X509_TRUST *xp);
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@ -1077,6 +1101,7 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
#define X509_F_X509_STORE_ADD_CERT 124
#define X509_F_X509_STORE_ADD_CRL 125
#define X509_F_X509_TO_X509_REQ 126
#define X509_F_X509_TRUST_ADD 133
#define X509_F_X509_VERIFY_CERT 127
/* Reason codes. */

View File

@ -94,6 +94,7 @@ static ERR_STRING_DATA X509_str_functs[]=
{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0), "X509_STORE_add_cert"},
{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0), "X509_STORE_add_crl"},
{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"},
{ERR_PACK(0,X509_F_X509_TRUST_ADD,0), "X509_TRUST_ADD"},
{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"},
{0,NULL}
};

View File

@ -66,7 +66,7 @@
#include <openssl/buffer.h>
#include <openssl/pem.h>
X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md)
X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
X509_REQ *ret;
X509_REQ_INFO *ri;

View File

@ -411,19 +411,19 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
(char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
}
int X509_digest(X509 *data, EVP_MD *type, unsigned char *md,
int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md,
unsigned int *len)
{
return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
}
int X509_NAME_digest(X509_NAME *data, EVP_MD *type, unsigned char *md,
int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md,
unsigned int *len)
{
return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
}
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, EVP_MD *type,
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,

View File

@ -29,9 +29,9 @@ B<openssl> B<x509>
[B<-noout>]
[B<-trustout>]
[B<-clrtrust>]
[B<-clrnotrust>]
[B<-clrreject>]
[B<-addtrust arg>]
[B<-addnotrust arg>]
[B<-addreject arg>]
[B<-setalias arg>]
[B<-days arg>]
[B<-signkey filename>]
@ -59,7 +59,7 @@ Since there are a large number of options they will split up into
various sections.
=head1 INPUT AND OUTPUT OPTIONS
=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
=over 4
@ -87,6 +87,14 @@ if this option is not specified.
This specifies the output filename to write to or standard output by
default.
=item B<-md2|-md5|-sha1|-mdc2>
the digest to use. This affects any signing or display option that uses a message
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
specified then MD5 is used. If the key being used to sign with is a DSA key then
this option has no effect: SHA1 is always used with DSA keys.
=back
=head1 DISPLAY OPTIONS
@ -143,7 +151,7 @@ prints out the start and expiry dates of a certificate.
=item B<-fingerprint>
prints out the MD5 digest of the whole certificate.
prints out the digest of the DER encoded version of the whole certificate.
=item B<-C>
@ -201,7 +209,7 @@ outputs the certificate alias, if any.
clears all the permitted or trusted uses of the certificate.
=item B<-clrnotrust>
=item B<-clrreject>
clears all the prohibited or untrusted uses of the certificate.
@ -211,7 +219,7 @@ adds a trusted certificate use. Currently acceptable values
are all (any purpose), sslclient (SSL client use), sslserver
(SSL server use) email (S/MIME email) and objsign (Object signing).
=item B<-addnotrust arg>
=item B<-addreject arg>
adds a prohibited use. It accepts the same values as the B<-addtrust>
option.
@ -311,11 +319,6 @@ with this option the CA serial number file is created if it does not exist:
it will contain the serial number "01". Normally if the B<-CA> option is
specified and the serial number file does not exist it is an error.
=item B<-md2|-md5|-sha1|-mdc2>
the digest to sign with. It affects all commands that sign a certificate
or request.
=item B<-extfile filename>
file containing certificate extensions to use. If not specified then
@ -339,10 +342,17 @@ Display the contents of a certificate:
openssl x509 -in cert.pem -noout -text
Displa the certificate serial number:
Display the certificate serial number:
openssl x509 -in cert.pem -noout -serial
Display the certificate MD5 fingerprint:
openssl x509 -in cert.pem -noout -fingerprint
Display the certificate SHA1 fingerprint:
openssl x509 -sha1 -in cert.pem -noout -fingerprint
Convert a certificate from PEM to DER format:
@ -383,6 +393,18 @@ it will also handle files containing:
-----BEGIN X509 CERTIFICATE----
-----END X509 CERTIFICATE----
Trusted certificates have the lines
-----BEGIN TRUSTED CERTIFICATE----
-----END TRUSTED CERTIFICATE----
The B<-fingerprint> option takes the digest of the DER encoded certificate.
This is commonly called a "fingerprint". Because of the nature of message
digests the fingerprint of a certificate is unique to that certificate and
two certificates with the same fingerprint can be considered to be the same.
The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
=head1 BUGS
The way DNs are printed is in a "historical SSLeay" format which doesn't
@ -396,7 +418,7 @@ It is possible to produce invalid certificates or requests by specifying the
wrong private key or using inconsistent options in some cases: these should
be checked.
There should be options to explicitly set such things are start and end
There should be options to explicitly set such things as start and end
dates rather than an offset from the current time.
The code to implement the verify behaviour described in the B<TRUST SETTINGS>
@ -404,7 +426,6 @@ is currently being developed. It thus describes the intended behavior rather
than the current behaviour. It is hoped that it will represent reality in
OpenSSL 0.9.5 and later.
=head1 SEE ALSO
req(1), ca(1), genrsa(1), gendsa(1)