Initial trust code: allow setting of trust checking functions

in a table. Doesn't do too much yet.

Make the -<digestname> options in 'x509' affect all relevant
options.

Change the name of the 'notrust' options to 'reject' as this
causes less confusion and is a better description of the
effect.

A few constification changes.

CHANGES

@@ -4,6 +4,14 @@
 
  Changes between 0.9.4 and 0.9.5  [xx XXX 1999]
 
+  *) Fixes and enhancements to the 'x509' utility. It allowed a message
+     digest to be passed on the command line but it only used this
+     parameter when signing a certificate. Modified so all relevant
+     operations are affected by the digest parameter including the
+     -fingerprint and -x509toreq options. Also -x509toreq choked if a
+     DSA key was used because it didn't fix the digest.
+     [Steve Henson]
+
   *) Very preliminary certificate chain verify code. Currently just tests
      the untrusted certificates for consistency with the verify purpose
      (which is set when the X509_STORE_CTX structure is set up) and checks
@@ -12,7 +20,7 @@
      reject chains with invalid extensions whereas before it made no checks
      at all.
 
-     Still needs some trust checking code.
+     Preliminary untested trust code. 
 
      Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
      which should be used for version portability: especially since the

TABLE

@@ -449,7 +449,7 @@ $unistd       =
 $thread_cflag = (unknown)
 $lflags       = 
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
-$bn_obj       = 
+$bn_obj       = asm/alpha.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
@@ -466,7 +466,7 @@ $unistd       =
 $thread_cflag = (unknown)
 $lflags       = 
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1
-$bn_obj       = 
+$bn_obj       = asm/alpha.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
@@ -483,7 +483,7 @@ $unistd       =
 $thread_cflag = (unknown)
 $lflags       = 
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
-$bn_obj       = 
+$bn_obj       = asm/alpha.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 

apps/x509.c

@@ -107,9 +107,9 @@ static char *x509_usage[]={
 " -noout          - no certificate output\n",
 " -trustout       - output a \"trusted\" certificate\n",
 " -clrtrust       - clear all trusted purposes\n",
-" -clrnotrust     - clear all untrusted purposes\n",
+" -clrreject      - clear all rejected purposes\n",
-" -addtrust arg   - mark certificate as trusted for a given purpose\n",
+" -addtrust arg   - trust certificate for a given purpose\n",
-" -addnotrust arg - mark certificate as not trusted for a given purpose\n",
+" -addreject arg  - reject certificate for a given purpose\n",
 " -setalias arg   - set certificate alias\n",
 " -days arg       - How long till expiry of a signed certificate - def 30 days\n",
 " -signkey arg    - self sign cert with arg\n",
@@ -122,7 +122,7 @@ static char *x509_usage[]={
 " -CAserial       - serial file\n",
 " -text           - print the certificate in text form\n",
 " -C              - print out C code forms\n",
-" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n",
+" -md2/-md5/-sha1/-mdc2 - digest to use\n",
 " -extfile        - configuration file with X509V3 extensions to add\n",
 " -extensions     - section from config file with X509V3 extensions to add\n",
 NULL
@@ -148,14 +148,14 @@ int MAIN(int argc, char **argv)
 	int i,num,badops=0;
 	BIO *out=NULL;
 	BIO *STDout=NULL;
-	STACK *trust = NULL, *notrust = NULL;
+	STACK *trust = NULL, *reject = NULL;
 	int informat,outformat,keyformat,CAformat,CAkeyformat;
 	char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
 	char *CAkeyfile=NULL,*CAserial=NULL;
 	char *alias=NULL, *trstr=NULL;
 	int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
 	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
-	int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0;
+	int trustout=0,clrtrust=0,clrreject=0,aliasout=0;
 	int C=0;
 	int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
 	int pprint = 0;
@@ -289,17 +289,17 @@ int MAIN(int argc, char **argv)
 			sk_push(trust, trstr);
 			trustout = 1;
 			}
-		else if (strcmp(*argv,"-addnotrust") == 0)
+		else if (strcmp(*argv,"-addreject") == 0)
 			{
 			if (--argc < 1) goto bad;
 			trstr= *(++argv);
-			if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) {
+			if(!X509_reject_set_bit_asc(NULL, trstr, 0)) {
 				BIO_printf(bio_err,
 					"Unknown trust value %s\n", trstr);
 				goto bad;
 			}
-			if(!notrust) notrust = sk_new_null();
+			if(!reject) reject = sk_new_null();
-			sk_push(notrust, trstr);
+			sk_push(reject, trstr);
 			trustout = 1;
 			}
 		else if (strcmp(*argv,"-setalias") == 0)
@@ -351,13 +351,13 @@ int MAIN(int argc, char **argv)
 			trustout= 1;
 		else if (strcmp(*argv,"-clrtrust") == 0)
 			clrtrust= ++num;
-		else if (strcmp(*argv,"-clrnotrust") == 0)
+		else if (strcmp(*argv,"-clrreject") == 0)
-			clrnotrust= ++num;
+			clrreject= ++num;
 		else if (strcmp(*argv,"-alias") == 0)
 			aliasout= ++num;
 		else if (strcmp(*argv,"-CAcreateserial") == 0)
 			CA_createserial= ++num;
-		else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
 			{
 			/* ok */
 			digest=md_alg;
@@ -551,7 +551,7 @@ bad:
 	if(alias) X509_alias_set(x, (unsigned char *)alias, -1);
 
 	if(clrtrust) X509_trust_set_bit(x, -1, 0);
-	if(clrnotrust) X509_notrust_set_bit(x, -1, 0);
+	if(clrreject) X509_reject_set_bit(x, -1, 0);
 
 	if(trust) {
 		for(i = 0; i < sk_num(trust); i++) {
@@ -561,12 +561,12 @@ bad:
 		sk_free(trust);
 	}
 
-	if(notrust) {
+	if(reject) {
-		for(i = 0; i < sk_num(notrust); i++) {
+		for(i = 0; i < sk_num(reject); i++) {
-			trstr = sk_value(notrust, i);
+			trstr = sk_value(reject, i);
-			X509_notrust_set_bit_asc(x, trstr, 1);
+			X509_reject_set_bit_asc(x, trstr, 1);
 		}
-		sk_free(notrust);
+		sk_free(reject);
 	}
 
 	if (num)
@@ -732,12 +732,13 @@ bad:
 				unsigned int n;
 				unsigned char md[EVP_MAX_MD_SIZE];
 
-				if (!X509_digest(x,EVP_md5(),md,&n))
+				if (!X509_digest(x,digest,md,&n))
 					{
 					BIO_printf(bio_err,"out of memory\n");
 					goto end;
 					}
-				BIO_printf(STDout,"MD5 Fingerprint=");
+				BIO_printf(STDout,"%s Fingerprint=",
+						OBJ_nid2sn(EVP_MD_type(digest)));
 				for (j=0; j<(int)n; j++)
 					{
 					BIO_printf(STDout,"%02X%c",md[j],
@@ -801,7 +802,10 @@ bad:
 
 				BIO_printf(bio_err,"Generating certificate request\n");
 
-				rq=X509_to_X509_REQ(x,pk,EVP_md5());
+		                if (pk->type == EVP_PKEY_DSA)
+		                        digest=EVP_dss1();
+
+				rq=X509_to_X509_REQ(x,pk,digest);
 				EVP_PKEY_free(pk);
 				if (rq == NULL)
 					{

crypto/asn1/a_digest.c

@@ -69,8 +69,8 @@
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
 
-int ASN1_digest(int (*i2d)(), EVP_MD *type, char *data, unsigned char *md,
+int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
-	     unsigned int *len)
+		unsigned char *md, unsigned int *len)
 	{
 	EVP_MD_CTX ctx;
 	int i;

crypto/asn1/t_x509a.c

@@ -83,12 +83,12 @@ int X509_trust_set_bit_asc(X509 *x, char *str, int value)
 	return 1;
 }
 
-int X509_notrust_set_bit_asc(X509 *x, char *str, int value)
+int X509_reject_set_bit_asc(X509 *x, char *str, int value)
 {
 	int bitnum;
 	bitnum = ASN1_BIT_STRING_num_asc(str, tbits);
 	if(bitnum < 0) return 0;
-	if(x) return X509_notrust_set_bit(x, bitnum, value);
+	if(x) return X509_reject_set_bit(x, bitnum, value);
 	return 1;
 }
 
@@ -102,9 +102,9 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
 		BIO_printf(out, "%*sTrusted for:\n", indent, "");
 		ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2);
 	} else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, "");
-	if(aux->notrust) {
+	if(aux->reject) {
 		BIO_printf(out, "%*sUntrusted for:\n", indent, "");
-		ASN1_BIT_STRING_name_print(out, aux->notrust, tbits, indent + 2);
+		ASN1_BIT_STRING_name_print(out, aux->reject, tbits, indent + 2);
 	} else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, "");
 	if(aux->othertrust) {
 		first = 1;
@@ -119,15 +119,15 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
 		}
 		BIO_puts(out, "\n");
 	}
-	if(aux->othernotrust) {
+	if(aux->otherreject) {
 		first = 1;
 		BIO_printf(out, "%*sOther Untrusted Uses:\n%*s",
 						indent, "", indent + 2, "");
-		for(i = 0; i < sk_ASN1_OBJECT_num(aux->othernotrust); i++) {
+		for(i = 0; i < sk_ASN1_OBJECT_num(aux->otherreject); i++) {
 			if(!first) BIO_puts(out, ", ");
 			else first = 0;
 			OBJ_obj2txt(oidstr, 80,
-				sk_ASN1_OBJECT_value(aux->othernotrust, i), 0);
+				sk_ASN1_OBJECT_value(aux->otherreject, i), 0);
 			BIO_puts(out, oidstr);
 		}
 		BIO_puts(out, "\n");

crypto/asn1/x_x509a.c

@@ -80,12 +80,12 @@ X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long len
 
 	M_ASN1_D2I_get_opt(ret->trust, d2i_ASN1_BIT_STRING,
 							V_ASN1_BIT_STRING);
-	M_ASN1_D2I_get_IMP_opt(ret->notrust, d2i_ASN1_BIT_STRING,0,
+	M_ASN1_D2I_get_IMP_opt(ret->reject, d2i_ASN1_BIT_STRING,0,
 							V_ASN1_BIT_STRING);
 
 	M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->othertrust,
 					d2i_ASN1_OBJECT, ASN1_OBJECT_free);
-	M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->othernotrust,
+	M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->otherreject,
 					d2i_ASN1_OBJECT, ASN1_OBJECT_free, 1);
 	M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
 	M_ASN1_D2I_get_opt(ret->other, d2i_ASN1_TYPE, V_ASN1_SEQUENCE);
@@ -99,9 +99,9 @@ X509_CERT_AUX *X509_CERT_AUX_new()
 	ASN1_CTX c;
 	M_ASN1_New_Malloc(ret, X509_CERT_AUX);
 	ret->trust = NULL;
-	ret->notrust = NULL;
+	ret->reject = NULL;
 	ret->othertrust = NULL;
-	ret->othernotrust = NULL;
+	ret->otherreject = NULL;
 	ret->alias = NULL;
 	ret->other = NULL;
 	return(ret);
@@ -112,9 +112,9 @@ void X509_CERT_AUX_free(X509_CERT_AUX *a)
 {
 	if(a == NULL) return;
 	ASN1_BIT_STRING_free(a->trust);
-	ASN1_BIT_STRING_free(a->notrust);
+	ASN1_BIT_STRING_free(a->reject);
 	sk_ASN1_OBJECT_pop_free(a->othertrust, ASN1_OBJECT_free);
-	sk_ASN1_OBJECT_pop_free(a->othernotrust, ASN1_OBJECT_free);
+	sk_ASN1_OBJECT_pop_free(a->otherreject, ASN1_OBJECT_free);
 	ASN1_UTF8STRING_free(a->alias);
 	ASN1_TYPE_free(a->other);
 	Free((char *)a);
@@ -125,10 +125,10 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
 	M_ASN1_I2D_vars(a);
 
 	M_ASN1_I2D_len(a->trust, i2d_ASN1_BIT_STRING);	
-	M_ASN1_I2D_len_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING);
+	M_ASN1_I2D_len_IMP_opt(a->reject, i2d_ASN1_BIT_STRING);
 
 	M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
-	M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
+	M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1);
 
 	M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
 	M_ASN1_I2D_len(a->other, i2d_ASN1_TYPE);
@@ -136,10 +136,10 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
 	M_ASN1_I2D_seq_total();
 
 	M_ASN1_I2D_put(a->trust, i2d_ASN1_BIT_STRING);	
-	M_ASN1_I2D_put_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING, 0);
+	M_ASN1_I2D_put_IMP_opt(a->reject, i2d_ASN1_BIT_STRING, 0);
 
 	M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
-	M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
+	M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1);
 
 	M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
 	M_ASN1_I2D_put(a->other, i2d_ASN1_TYPE);
@@ -184,19 +184,19 @@ int X509_trust_set_bit(X509 *x, int bit, int value)
 	return ASN1_BIT_STRING_set_bit(aux->trust, bit, value);
 }
 
-int X509_notrust_set_bit(X509 *x, int bit, int value)
+int X509_reject_set_bit(X509 *x, int bit, int value)
 {
 	X509_CERT_AUX *aux;
 	if(bit == -1) {
-		if(x->aux && x->aux->notrust) {
+		if(x->aux && x->aux->reject) {
-			ASN1_BIT_STRING_free(x->aux->notrust);
+			ASN1_BIT_STRING_free(x->aux->reject);
-			x->aux->notrust = NULL;
+			x->aux->reject = NULL;
 		}
 		return 1;
 	}
 	if(!(aux = aux_get(x))) return 0;
-	if(!aux->notrust && !(aux->notrust = ASN1_BIT_STRING_new())) return 0;
+	if(!aux->reject && !(aux->reject = ASN1_BIT_STRING_new())) return 0;
-	return ASN1_BIT_STRING_set_bit(aux->notrust, bit, value);
+	return ASN1_BIT_STRING_set_bit(aux->reject, bit, value);
 }
 
 int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj)
@@ -208,12 +208,12 @@ int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj)
 	return sk_ASN1_OBJECT_push(aux->othertrust, obj);
 }
 
-int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj)
+int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj)
 {
 	X509_CERT_AUX *aux;
 	if(!(aux = aux_get(x))) return 0;
-	if(!aux->othernotrust
+	if(!aux->otherreject
-		&& !(aux->othernotrust = sk_ASN1_OBJECT_new_null())) return 0;
+		&& !(aux->otherreject = sk_ASN1_OBJECT_new_null())) return 0;
-	return sk_ASN1_OBJECT_push(aux->othernotrust, obj);
+	return sk_ASN1_OBJECT_push(aux->otherreject, obj);
 }
 

crypto/pkcs7/pkcs7.h

@@ -247,7 +247,7 @@ PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(
 				unsigned char **pp, long length);
 
 #ifndef SSLEAY_MACROS
-int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,EVP_MD *type,
+int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,const EVP_MD *type,
 	unsigned char *md,unsigned int *len);
 #ifndef NO_FP_API
 PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);

crypto/x509/Makefile.ssl

@@ -27,13 +27,13 @@ LIBSRC=	x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
 	x509_set.c x509rset.c x509_err.c \
 	x509name.c x509_v3.c x509_ext.c \
 	x509type.c x509_lu.c x_all.c x509_txt.c \
-	by_file.c by_dir.c 
+	x509_trs.c by_file.c by_dir.c 
 LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
 	x509_obj.o x509_req.o x509spki.o x509_vfy.o \
 	x509_set.o x509rset.o x509_err.o \
 	x509name.o x509_v3.o x509_ext.o \
 	x509type.o x509_lu.o x_all.o x509_txt.o \
-	by_file.o by_dir.o
+	x509_trs.o by_file.o by_dir.o
 
 SRC= $(LIBSRC)
 

crypto/x509/x509.h

@@ -236,7 +236,7 @@ typedef struct x509_cinf_st
  * the end of the certificate itself
  */
 
-/* Bit values for trust/notrust */
+/* Bit values for trust/reject */
 
 #define X509_TRUST_BIT_ALL			0
 #define X509_TRUST_BIT_SSL_CLIENT		1
@@ -248,9 +248,9 @@ typedef struct x509_cinf_st
 typedef struct x509_cert_aux_st
 	{
 	ASN1_BIT_STRING *trust;			/* trusted uses */
-	ASN1_BIT_STRING *notrust;		/* rejected uses */
+	ASN1_BIT_STRING *reject;		/* rejected uses */
 	STACK_OF(ASN1_OBJECT) *othertrust;	/* extra uses */
-	STACK_OF(ASN1_OBJECT) *othernotrust;	/* extra rejected uses */
+	STACK_OF(ASN1_OBJECT) *otherreject;	/* extra rejected uses */
 	ASN1_UTF8STRING *alias;			/* "friendly name" */
 	ASN1_TYPE *other;			/* other unspecified info */
 	} X509_CERT_AUX;
@@ -284,16 +284,29 @@ typedef struct x509_trust_st {
 	int trust_flags;
 	int (*check_trust)(struct x509_trust_st *, X509 *, int);
 	char *trust_name;
-	int trust_bit;
+	int arg1;
-	void *usr_data;
+	void *arg2;
 } X509_TRUST;
 
-/* X509 trust ids */
+DECLARE_STACK_OF(X509_TRUST)
+
+/* standard trust ids */
 
 #define X509_TRUST_ANY		1
 #define X509_TRUST_SSL_CLIENT	2
 #define X509_TRUST_SSL_SERVER	3
 #define X509_TRUST_EMAIL	4
+#define X509_TRUST_OBJECT_SIGN	5
+
+/* trust_flags values */
+#define	X509_TRUST_DYNAMIC 	1
+#define	X509_TRUST_DYNAMIC_NAME	2
+
+/* check_trust return codes */
+
+#define X509_TRUST_TRUSTED	1
+#define X509_TRUST_REJECTED	2
+#define X509_TRUST_UNTRUSTED	3
 
 typedef struct X509_revoked_st
 	{
@@ -615,8 +628,8 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
-int X509_digest(X509 *data,EVP_MD *type,unsigned char *md,unsigned int *len);
+int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len);
-int X509_NAME_digest(X509_NAME *data,EVP_MD *type,
+int X509_NAME_digest(X509_NAME *data,const EVP_MD *type,
 	unsigned char *md,unsigned int *len);
 #endif
 
@@ -701,7 +714,7 @@ const char *	X509_get_default_cert_dir_env(void );
 const char *	X509_get_default_cert_file_env(void );
 const char *	X509_get_default_private_dir(void );
 
-X509_REQ *	X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md);
+X509_REQ *	X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 X509 *		X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
 void ERR_load_X509_strings(void );
 
@@ -803,12 +816,12 @@ X509_CERT_AUX *	d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
 int X509_alias_set(X509 *x, unsigned char *name, int len);
 unsigned char * X509_alias_get(X509 *x, int *len);
 int X509_trust_set_bit(X509 *x, int bit, int value);
-int X509_notrust_set_bit(X509 *x, int bit, int value);
+int X509_reject_set_bit(X509 *x, int bit, int value);
 int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj);
-int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj);
+int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj);
 
 int X509_trust_set_bit_asc(X509 *x, char *str, int value);
-int X509_notrust_set_bit_asc(X509 *x, char *str, int value);
+int X509_reject_set_bit_asc(X509 *x, char *str, int value);
 
 X509_REVOKED *	X509_REVOKED_new(void);
 void		X509_REVOKED_free(X509_REVOKED *a);
@@ -857,7 +870,7 @@ char *		X509_NAME_oneline(X509_NAME *a,char *buf,int size);
 int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
 	ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
 
-int ASN1_digest(int (*i2d)(),EVP_MD *type,char *data,
+int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
 	unsigned char *md,unsigned int *len);
 
 int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
@@ -1040,6 +1053,17 @@ EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
 PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
 
+int X509_check_trust(X509 *x, int id, int flags);
+int X509_TRUST_get_count(void);
+X509_TRUST * X509_TRUST_iget(int idx);
+int X509_TRUST_get_by_id(int id);
+int X509_TRUST_add(X509_TRUST *xp);
+void X509_TRUST_cleanup(void);
+void X509_TRUST_add_standard(void);
+int X509_TRUST_get_id(X509_TRUST *xp);
+char *X509_TRUST_iget_name(X509_TRUST *xp);
+int X509_TRUST_get_trust(X509_TRUST *xp);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -1077,6 +1101,7 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
 #define X509_F_X509_STORE_ADD_CERT			 124
 #define X509_F_X509_STORE_ADD_CRL			 125
 #define X509_F_X509_TO_X509_REQ				 126
+#define X509_F_X509_TRUST_ADD				 133
 #define X509_F_X509_VERIFY_CERT				 127
 
 /* Reason codes. */

crypto/x509/x509_err.c

@@ -94,6 +94,7 @@ static ERR_STRING_DATA X509_str_functs[]=
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
 {ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
+{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_ADD"},
 {ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
 {0,NULL}
 	};

crypto/x509/x509_req.c

@@ -66,7 +66,7 @@
 #include <openssl/buffer.h>
 #include <openssl/pem.h>
 
-X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md)
+X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 	{
 	X509_REQ *ret;
 	X509_REQ_INFO *ri;

crypto/x509/x_all.c

@@ -411,19 +411,19 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
 		(char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
 	}
 
-int X509_digest(X509 *data, EVP_MD *type, unsigned char *md,
+int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
 	return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
 	}
 
-int X509_NAME_digest(X509_NAME *data, EVP_MD *type, unsigned char *md,
+int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
 	return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
 	}
 
-int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, EVP_MD *type,
+int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
 	     unsigned char *md, unsigned int *len)
 	{
 	return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,

doc/man/x509.pod

@@ -29,9 +29,9 @@ B<openssl> B<x509>
 [B<-noout>]
 [B<-trustout>]
 [B<-clrtrust>]
-[B<-clrnotrust>]
+[B<-clrreject>]
 [B<-addtrust arg>]
-[B<-addnotrust arg>]
+[B<-addreject arg>]
 [B<-setalias arg>]
 [B<-days arg>]
 [B<-signkey filename>]
@@ -59,7 +59,7 @@ Since there are a large number of options they will split up into
 various sections.
 
 
-=head1 INPUT AND OUTPUT OPTIONS
+=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
 
 =over 4
 
@@ -87,6 +87,14 @@ if this option is not specified.
 This specifies the output filename to write to or standard output by
 default.
 
+=item B<-md2|-md5|-sha1|-mdc2>
+
+the digest to use. This affects any signing or display option that uses a message
+digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
+specified then MD5 is used. If the key being used to sign with is a DSA key then
+this option has no effect: SHA1 is always used with DSA keys.
+
+
 =back
 
 =head1 DISPLAY OPTIONS
@@ -143,7 +151,7 @@ prints out the start and expiry dates of a certificate.
 
 =item B<-fingerprint>
 
-prints out the MD5 digest of the whole certificate.
+prints out the digest of the DER encoded version of the whole certificate.
 
 =item B<-C>
 
@@ -201,7 +209,7 @@ outputs the certificate alias, if any.
 
 clears all the permitted or trusted uses of the certificate.
 
-=item B<-clrnotrust>
+=item B<-clrreject>
 
 clears all the prohibited or untrusted uses of the certificate.
 
@@ -211,7 +219,7 @@ adds a trusted certificate use. Currently acceptable values
 are all (any purpose), sslclient (SSL client use), sslserver
 (SSL server use) email (S/MIME email) and objsign (Object signing).
 
-=item B<-addnotrust arg>
+=item B<-addreject arg>
 
 adds a prohibited use. It accepts the same values as the B<-addtrust>
 option.
@@ -311,11 +319,6 @@ with this option the CA serial number file is created if it does not exist:
 it will contain the serial number "01". Normally if the B<-CA> option is
 specified and the serial number file does not exist it is an error.
 
-=item B<-md2|-md5|-sha1|-mdc2>
-
-the digest to sign with. It affects all commands that sign a certificate
-or request.
-
 =item B<-extfile filename>
 
 file containing certificate extensions to use. If not specified then
@@ -339,10 +342,17 @@ Display the contents of a certificate:
 
 	openssl x509 -in cert.pem -noout -text
 
-Displa the certificate serial number:
+Display the certificate serial number:
 
 	openssl x509 -in cert.pem -noout -serial
 
+Display the certificate MD5 fingerprint:
+
+	openssl x509 -in cert.pem -noout -fingerprint
+
+Display the certificate SHA1 fingerprint:
+
+	openssl x509 -sha1 -in cert.pem -noout -fingerprint
 
 Convert a certificate from PEM to DER format:
 
@@ -383,6 +393,18 @@ it will also handle files containing:
  -----BEGIN X509 CERTIFICATE----
  -----END X509 CERTIFICATE----
 
+Trusted certificates have the lines
+
+ -----BEGIN TRUSTED CERTIFICATE----
+ -----END TRUSTED CERTIFICATE----
+
+The B<-fingerprint> option takes the digest of the DER encoded certificate.
+This is commonly called a "fingerprint". Because of the nature of message
+digests the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
+
+The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
+
 =head1 BUGS
 
 The way DNs are printed is in a "historical SSLeay" format which doesn't
@@ -396,7 +418,7 @@ It is possible to produce invalid certificates or requests by specifying the
 wrong private key or using inconsistent options in some cases: these should
 be checked.
 
-There should be options to explicitly set such things are start and end
+There should be options to explicitly set such things as start and end
 dates rather than an offset from the current time.
 
 The code to implement the verify behaviour described in the B<TRUST SETTINGS>
@@ -404,7 +426,6 @@ is currently being developed. It thus describes the intended behavior rather
 than the current behaviour. It is hoped that it will represent reality in
 OpenSSL 0.9.5 and later.
 
-
 =head1 SEE ALSO
 
 req(1), ca(1), genrsa(1), gendsa(1)