Allows PKCS#12 password to be placed on command line and add allow config

file name for 'ca' to come from the environment.
1999-05-08 12:59:50 +00:00 · 1999-05-08 12:59:50 +00:00 · e40b7abeed
commit e40b7abeed
parent 7e797a06c3
5 changed files with 96 additions and 20 deletions
--- a/12
+++ b/12
@ -5,6 +5,18 @@
 Changes between 0.9.2b and 0.9.3
  *) Allow PKCS#12 password to be set from the command line or the
     environment. Let 'ca' get its config file name from the environment
     variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
     and 'x509').
     [Steve Henson]
  *) Allow certificate policies extension to use an IA5STRING for the
     organization field. This is contrary to the PKIX definition but
     VeriSign uses it and IE5 only recognises this form. Document 'x509'
     extension option.
     [Steve Henson]
  *) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
     without disallowing inline assembler and the like for non-pedantic builds.
     [Ben Laurie]
--- a/apps/ca.c
+++ b/apps/ca.c
@ -390,6 +390,8 @@ bad:
 	ERR_load_crypto_strings();
 	/*****************************************************************/
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
 	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
 	if (configfile == NULL)
 		{
 		/* We will just use 'buf[0]' as a temporary buffer.  */
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@ -105,7 +105,9 @@ int MAIN(int argc, char **argv)
    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
    int ret = 1;
    int macver = 1;
    int noprompt = 0;
    STACK *canames = NULL;
    char *cpass = NULL, *mpass = NULL;
    apps_startup();
@ -170,6 +172,22 @@ int MAIN(int argc, char **argv)
 			args++;	
 			outfile = *args;
 		    } else badarg = 1;
 		} else if (!strcmp (*args, "-envpass")) {
 		    if (args[1]) {
 			args++;	
 			if(!(cpass = getenv(*args))) {
 				BIO_printf(bio_err,
 				 "Can't read environment variable %s\n", *args);
 				goto end;
 			}
 			noprompt = 1;
 		    } else badarg = 1;
 		} else if (!strcmp (*args, "-password")) {
 		    if (args[1]) {
 			args++;	
 			cpass = *args;
 		    	noprompt = 1;
 		    } else badarg = 1;
 		} else badarg = 1;
 	} else badarg = 1;
@ -206,9 +224,17 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
 	BIO_printf (bio_err, "-keyex        set MS key exchange type\n");
 	BIO_printf (bio_err, "-keysig       set MS key signature type\n");
 	BIO_printf (bio_err, "-password p   set import/export password (NOT RECOMMENDED)\n");
 	BIO_printf (bio_err, "-envpass p    set import/export password from environment\n");
    	goto end;
    }
    if(cpass) mpass = cpass;
    else {
 	cpass = pass;
 	mpass = macpass;
    }
    ERR_load_crypto_strings();
    in = BIO_new (BIO_s_file());
@ -344,13 +370,14 @@ if (export_cert) {
 	if (canames) sk_free(canames);
-	if(EVP_read_pw_string (pass, 50, "Enter Export Password:", 1)) {
+	if(!noprompt &&
 		EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
 	    BIO_printf (bio_err, "Can't read Password\n");
 	    goto end;
        }
 	if (!twopass) strcpy(macpass, pass);
 	/* Turn certbags into encrypted authsafe */
-	authsafe = PKCS12_pack_p7encdata (cert_pbe, pass, -1, NULL, 0,
+	authsafe = PKCS12_pack_p7encdata (cert_pbe, cpass, -1, NULL, 0,
 								 iter, bags);
 	sk_pop_free(bags, PKCS12_SAFEBAG_free);
@ -367,7 +394,7 @@ if (export_cert) {
 	EVP_PKEY_free(key);
 	if(keytype) PKCS8_add_keyusage(p8, keytype);
 	bag = PKCS12_MAKE_SHKEYBAG (NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
-			pass, -1, NULL, 0, iter, p8);
+			cpass, -1, NULL, 0, iter, p8);
 	PKCS8_PRIV_KEY_INFO_free(p8);
        if (name) PKCS12_add_friendlyname (bag, name, -1);
 	PKCS12_add_localkeyid (bag, keyid, keyidlen);
@ -384,7 +411,7 @@ if (export_cert) {
 	sk_pop_free(safes, PKCS7_free);
-	PKCS12_set_mac (p12, macpass, -1, NULL, 0, maciter, NULL);
+	PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
 	i2d_PKCS12_bio (out, p12);
@ -400,7 +427,7 @@ if (export_cert) {
 	goto end;
    }
-    if(EVP_read_pw_string (pass, 50, "Enter Import Password:", 0)) {
+    if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) {
 	BIO_printf (bio_err, "Can't read Password\n");
 	goto end;
    }
@ -409,14 +436,14 @@ if (export_cert) {
    if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
    if(macver) {
-	if (!PKCS12_verify_mac (p12, macpass, -1)) {
+	if (!PKCS12_verify_mac (p12, mpass, -1)) {
 	    BIO_printf (bio_err, "Mac verify errror: invalid password?\n");
 	    ERR_print_errors (bio_err);
 	    goto end;
 	} else BIO_printf (bio_err, "MAC verified OK\n");
    }
-    if (!dump_certs_keys_p12 (out, p12, pass, -1, options)) {
+    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options)) {
 	BIO_printf(bio_err, "Error outputting keys and certificates\n");
 	ERR_print_errors (bio_err);
 	goto end;
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@ -69,8 +69,8 @@ static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO
 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value);
 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
 static void print_notice(BIO *out, USERNOTICE *notice, int indent);
-static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs);
+static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs, int ia5org);
-static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot);
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot, int ia5org);
 static STACK *nref_nos(STACK *nos);
 X509V3_EXT_METHOD v3_cpols = {
@ -96,9 +96,10 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 	ASN1_OBJECT *pobj;
 	STACK *vals;
 	CONF_VALUE *cnf;
-	int i;
+	int i, ia5org;
 	pols = sk_POLICYINFO_new_null();
 	vals =  X509V3_parse_list(value);
 	ia5org = 0;
 	for(i = 0; i < sk_num(vals); i++) {
 		cnf = (CONF_VALUE *)sk_value(vals, i);
 		if(cnf->value || !cnf->name ) {
@ -107,7 +108,10 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 			goto err;
 		}
 		pstr = cnf->name;
-		if(*pstr == '@') {
+		if(!strcmp(pstr,"ia5org")) {
 			ia5org = 1;
 			continue;
 		} else if(*pstr == '@') {
 			STACK *polsect;
 			polsect = X509V3_get_section(ctx, pstr + 1);
 			if(!polsect) {
@ -116,7 +120,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 				X509V3_conf_err(cnf);
 				goto err;
 			}
-			pol = policy_section(ctx, polsect);
+			pol = policy_section(ctx, polsect, ia5org);
 			X509V3_section_free(ctx, polsect);
 			if(!pol) goto err;
 		} else {
@ -137,7 +141,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 	return NULL;
 }
-static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs)
+static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs, int ia5org)
 {
 	int i;
 	CONF_VALUE *cnf;
@ -179,7 +183,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs)
 				X509V3_conf_err(cnf);
 				goto err;
 			}
-			qual = notice_section(ctx, unot);
+			qual = notice_section(ctx, unot, ia5org);
 			X509V3_section_free(ctx, unot);
 			if(!qual) goto err;
 			if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
@ -208,7 +212,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs)
 }
-static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot, int ia5org)
 {
 	int i;
 	CONF_VALUE *cnf;
@ -230,7 +234,8 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
 				if(!(nref = NOTICEREF_new())) goto merr;
 				not->noticeref = nref;
 			} else nref = not->noticeref;
-			nref->organization = ASN1_VISIBLESTRING_new();
+			if(ia5org) nref->organization = ASN1_IA5STRING_new();
 			else nref->organization = ASN1_VISIBLESTRING_new();
 			if(!ASN1_STRING_set(nref->organization, cnf->value,
 						 strlen(cnf->value))) goto merr;
 		} else if(!strcmp(cnf->name, "noticeNumbers")) {
--- a/doc/openssl.txt
+++ b/doc/openssl.txt
@ -98,6 +98,15 @@ indicates which section contains the extensions. In the case of 'req' the
 extension section is used when the -x509 option is present to create a
 self signed root certificate.
 The 'x509' utility also supports extensions when it signs a certificate.
 The -config option is used to set the configuration file containing the
 extensions. In this case a line with:
 extensions = extension_section
 in the nameless (default) section is used. If no such line is include then
 it uses the default section.
 You can also add extensions to CRLs: a line
 crl_extensions = crl_extension_section
@ -108,6 +117,17 @@ issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
 CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
 CRL entry extensions can be displayed.
 NB. At this time Netscape Communicator rejects V2 CRLs: to get an old V1 CRL
 you should comment out the crl_extensions line in the configuration file.
 As with all configuration files you can use the inbuilt environment expansion
 to allow the values to be passed in the environment. Therefore if you have
 several extension sections used for different purposes you can have a line:
 x509_extensions = $ENV::ENV_EXT
 and set the ENV_EXT environment variable before calling the relevant utility.
 EXTENSION SYNTAX.
 Extensions have the basic form:
@ -298,7 +318,10 @@ This is a RAW extension. It attempts to display the contents of this extension:
 unfortuntately this extension is often improperly encoded.
 The certificate policies extension will rarely be used in practice: few
-software packages interpret it correctly or at all.
+software packages interpret it correctly or at all. IE5 does partially
 support this extension: but it needs the 'ia5org' option because it will
 only correctly support a broken encoding. Of the options below only the
 policy OID, explicitText and CPS options are displayed with IE5.
 All the fields of this extension can be set by using the appropriate syntax.
@ -325,11 +348,13 @@ The value of the userNotice qualifier is specified in the relevant section. This
 section can include explicitText, organization and noticeNumbers options. 
 explicitText and organization are text strings, noticeNumbers is a comma
 separated list of numbers. The organization and noticeNumbers options (if
-included) must BOTH be present.
+included) must BOTH be present. If you use the userNotice option with IE5 then
 you need the 'ia5org' option at the top level to modify the encoding: otherwise
 it will not be interpreted properly.
 Example:
-certificatePolicies=1.2.3.4,1.5.6.7.8,@polsect
+certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
 [polsect]
@ -344,6 +369,10 @@ explicitText="Explicit Text Here"
 organization="Organisation Name"
 noticeNumbers=1,2,3,4
 TECHNICAL NOTE: the ia5org option changes the type of the 'organization' field,
 according to PKIX it should be of type DisplayText but Verisign uses an 
 IA5STRING and IE5 needs this too.
 Display only extensions.
 Some extensions are only partially supported and currently are only displayed
@ -374,7 +403,8 @@ private key and certificate pair.
 No special initialisation is needed for the internal PKCS#12 library: the 
 standard SSLeay_add_all_algorithms() is sufficient. If you do not wish to
-add all algorithms then you can manually initialise the PKCS#12 library with:
+add all algorithms (you should at least add SHA1 though) then you can manually
 initialise the PKCS#12 library with:
 PKSC12_PBE_add();