Initial trust code: allow setting of trust checking functions
in a table. Doesn't do too much yet. Make the -<digestname> options in 'x509' affect all relevant options. Change the name of the 'notrust' options to 'reject' as this causes less confusion and is a better description of the effect. A few constification changes.
This commit is contained in:
parent
d4cec6a13d
commit
9868232ae1
10
CHANGES
10
CHANGES
@ -4,6 +4,14 @@
|
||||
|
||||
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
|
||||
|
||||
*) Fixes and enhancements to the 'x509' utility. It allowed a message
|
||||
digest to be passed on the command line but it only used this
|
||||
parameter when signing a certificate. Modified so all relevant
|
||||
operations are affected by the digest parameter including the
|
||||
-fingerprint and -x509toreq options. Also -x509toreq choked if a
|
||||
DSA key was used because it didn't fix the digest.
|
||||
[Steve Henson]
|
||||
|
||||
*) Very preliminary certificate chain verify code. Currently just tests
|
||||
the untrusted certificates for consistency with the verify purpose
|
||||
(which is set when the X509_STORE_CTX structure is set up) and checks
|
||||
@ -12,7 +20,7 @@
|
||||
reject chains with invalid extensions whereas before it made no checks
|
||||
at all.
|
||||
|
||||
Still needs some trust checking code.
|
||||
Preliminary untested trust code.
|
||||
|
||||
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
|
||||
which should be used for version portability: especially since the
|
||||
|
6
TABLE
6
TABLE
@ -449,7 +449,7 @@ $unistd =
|
||||
$thread_cflag = (unknown)
|
||||
$lflags =
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
|
||||
$bn_obj =
|
||||
$bn_obj = asm/alpha.o
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
@ -466,7 +466,7 @@ $unistd =
|
||||
$thread_cflag = (unknown)
|
||||
$lflags =
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1
|
||||
$bn_obj =
|
||||
$bn_obj = asm/alpha.o
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
@ -483,7 +483,7 @@ $unistd =
|
||||
$thread_cflag = (unknown)
|
||||
$lflags =
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
|
||||
$bn_obj =
|
||||
$bn_obj = asm/alpha.o
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
|
48
apps/x509.c
48
apps/x509.c
@ -107,9 +107,9 @@ static char *x509_usage[]={
|
||||
" -noout - no certificate output\n",
|
||||
" -trustout - output a \"trusted\" certificate\n",
|
||||
" -clrtrust - clear all trusted purposes\n",
|
||||
" -clrnotrust - clear all untrusted purposes\n",
|
||||
" -addtrust arg - mark certificate as trusted for a given purpose\n",
|
||||
" -addnotrust arg - mark certificate as not trusted for a given purpose\n",
|
||||
" -clrreject - clear all rejected purposes\n",
|
||||
" -addtrust arg - trust certificate for a given purpose\n",
|
||||
" -addreject arg - reject certificate for a given purpose\n",
|
||||
" -setalias arg - set certificate alias\n",
|
||||
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
|
||||
" -signkey arg - self sign cert with arg\n",
|
||||
@ -122,7 +122,7 @@ static char *x509_usage[]={
|
||||
" -CAserial - serial file\n",
|
||||
" -text - print the certificate in text form\n",
|
||||
" -C - print out C code forms\n",
|
||||
" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n",
|
||||
" -md2/-md5/-sha1/-mdc2 - digest to use\n",
|
||||
" -extfile - configuration file with X509V3 extensions to add\n",
|
||||
" -extensions - section from config file with X509V3 extensions to add\n",
|
||||
NULL
|
||||
@ -148,14 +148,14 @@ int MAIN(int argc, char **argv)
|
||||
int i,num,badops=0;
|
||||
BIO *out=NULL;
|
||||
BIO *STDout=NULL;
|
||||
STACK *trust = NULL, *notrust = NULL;
|
||||
STACK *trust = NULL, *reject = NULL;
|
||||
int informat,outformat,keyformat,CAformat,CAkeyformat;
|
||||
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
|
||||
char *CAkeyfile=NULL,*CAserial=NULL;
|
||||
char *alias=NULL, *trstr=NULL;
|
||||
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
|
||||
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
|
||||
int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0;
|
||||
int trustout=0,clrtrust=0,clrreject=0,aliasout=0;
|
||||
int C=0;
|
||||
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
|
||||
int pprint = 0;
|
||||
@ -289,17 +289,17 @@ int MAIN(int argc, char **argv)
|
||||
sk_push(trust, trstr);
|
||||
trustout = 1;
|
||||
}
|
||||
else if (strcmp(*argv,"-addnotrust") == 0)
|
||||
else if (strcmp(*argv,"-addreject") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
trstr= *(++argv);
|
||||
if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) {
|
||||
if(!X509_reject_set_bit_asc(NULL, trstr, 0)) {
|
||||
BIO_printf(bio_err,
|
||||
"Unknown trust value %s\n", trstr);
|
||||
goto bad;
|
||||
}
|
||||
if(!notrust) notrust = sk_new_null();
|
||||
sk_push(notrust, trstr);
|
||||
if(!reject) reject = sk_new_null();
|
||||
sk_push(reject, trstr);
|
||||
trustout = 1;
|
||||
}
|
||||
else if (strcmp(*argv,"-setalias") == 0)
|
||||
@ -351,13 +351,13 @@ int MAIN(int argc, char **argv)
|
||||
trustout= 1;
|
||||
else if (strcmp(*argv,"-clrtrust") == 0)
|
||||
clrtrust= ++num;
|
||||
else if (strcmp(*argv,"-clrnotrust") == 0)
|
||||
clrnotrust= ++num;
|
||||
else if (strcmp(*argv,"-clrreject") == 0)
|
||||
clrreject= ++num;
|
||||
else if (strcmp(*argv,"-alias") == 0)
|
||||
aliasout= ++num;
|
||||
else if (strcmp(*argv,"-CAcreateserial") == 0)
|
||||
CA_createserial= ++num;
|
||||
else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
|
||||
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
|
||||
{
|
||||
/* ok */
|
||||
digest=md_alg;
|
||||
@ -551,7 +551,7 @@ bad:
|
||||
if(alias) X509_alias_set(x, (unsigned char *)alias, -1);
|
||||
|
||||
if(clrtrust) X509_trust_set_bit(x, -1, 0);
|
||||
if(clrnotrust) X509_notrust_set_bit(x, -1, 0);
|
||||
if(clrreject) X509_reject_set_bit(x, -1, 0);
|
||||
|
||||
if(trust) {
|
||||
for(i = 0; i < sk_num(trust); i++) {
|
||||
@ -561,12 +561,12 @@ bad:
|
||||
sk_free(trust);
|
||||
}
|
||||
|
||||
if(notrust) {
|
||||
for(i = 0; i < sk_num(notrust); i++) {
|
||||
trstr = sk_value(notrust, i);
|
||||
X509_notrust_set_bit_asc(x, trstr, 1);
|
||||
if(reject) {
|
||||
for(i = 0; i < sk_num(reject); i++) {
|
||||
trstr = sk_value(reject, i);
|
||||
X509_reject_set_bit_asc(x, trstr, 1);
|
||||
}
|
||||
sk_free(notrust);
|
||||
sk_free(reject);
|
||||
}
|
||||
|
||||
if (num)
|
||||
@ -732,12 +732,13 @@ bad:
|
||||
unsigned int n;
|
||||
unsigned char md[EVP_MAX_MD_SIZE];
|
||||
|
||||
if (!X509_digest(x,EVP_md5(),md,&n))
|
||||
if (!X509_digest(x,digest,md,&n))
|
||||
{
|
||||
BIO_printf(bio_err,"out of memory\n");
|
||||
goto end;
|
||||
}
|
||||
BIO_printf(STDout,"MD5 Fingerprint=");
|
||||
BIO_printf(STDout,"%s Fingerprint=",
|
||||
OBJ_nid2sn(EVP_MD_type(digest)));
|
||||
for (j=0; j<(int)n; j++)
|
||||
{
|
||||
BIO_printf(STDout,"%02X%c",md[j],
|
||||
@ -801,7 +802,10 @@ bad:
|
||||
|
||||
BIO_printf(bio_err,"Generating certificate request\n");
|
||||
|
||||
rq=X509_to_X509_REQ(x,pk,EVP_md5());
|
||||
if (pk->type == EVP_PKEY_DSA)
|
||||
digest=EVP_dss1();
|
||||
|
||||
rq=X509_to_X509_REQ(x,pk,digest);
|
||||
EVP_PKEY_free(pk);
|
||||
if (rq == NULL)
|
||||
{
|
||||
|
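Review bot: The DSA override in the x509toreq hunk, `if (pk->type == EVP_PKEY_DSA) digest=EVP_dss1();`, silently discards whatever `-<digest>` the user selected and writes into the function-wide `digest` rather than a local, so anything later in MAIN that still reads `digest` will see dss1 instead of the requested algorithm. A one-line comment such as `/* DSA can only sign with SHA1 (dss1): override any -<digest> given */` would make the intent visible, and using a local (e.g. `const EVP_MD *req_md = digest;`) for the X509_to_X509_REQ call would keep the user's choice intact for the rest of the run. In the fingerprint hunk, `OBJ_nid2sn(EVP_MD_type(digest))` is handed to `%s` with no NULL guard; for digests found via `EVP_get_digestbyname` this should always resolve, but it is worth a note since the value is now user-controlled. MAIN starts and ends outside these hunks.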
@ -69,8 +69,8 @@
|
||||
#include <openssl/buffer.h>
|
||||
#include <openssl/x509.h>
|
||||
|
||||
int ASN1_digest(int (*i2d)(), EVP_MD *type, char *data, unsigned char *md,
|
||||
unsigned int *len)
|
||||
int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
|
||||
unsigned char *md, unsigned int *len)
|
||||
{
|
||||
EVP_MD_CTX ctx;
|
||||
int i;
|
||||
|
@ -83,12 +83,12 @@ int X509_trust_set_bit_asc(X509 *x, char *str, int value)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int X509_notrust_set_bit_asc(X509 *x, char *str, int value)
|
||||
int X509_reject_set_bit_asc(X509 *x, char *str, int value)
|
||||
{
|
||||
int bitnum;
|
||||
bitnum = ASN1_BIT_STRING_num_asc(str, tbits);
|
||||
if(bitnum < 0) return 0;
|
||||
if(x) return X509_notrust_set_bit(x, bitnum, value);
|
||||
if(x) return X509_reject_set_bit(x, bitnum, value);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -102,9 +102,9 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
|
||||
BIO_printf(out, "%*sTrusted for:\n", indent, "");
|
||||
ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2);
|
||||
} else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, "");
|
||||
if(aux->notrust) {
|
||||
if(aux->reject) {
|
||||
BIO_printf(out, "%*sUntrusted for:\n", indent, "");
|
||||
ASN1_BIT_STRING_name_print(out, aux->notrust, tbits, indent + 2);
|
||||
ASN1_BIT_STRING_name_print(out, aux->reject, tbits, indent + 2);
|
||||
} else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, "");
|
||||
if(aux->othertrust) {
|
||||
first = 1;
|
||||
@ -119,15 +119,15 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
|
||||
}
|
||||
BIO_puts(out, "\n");
|
||||
}
|
||||
if(aux->othernotrust) {
|
||||
if(aux->otherreject) {
|
||||
first = 1;
|
||||
BIO_printf(out, "%*sOther Untrusted Uses:\n%*s",
|
||||
indent, "", indent + 2, "");
|
||||
for(i = 0; i < sk_ASN1_OBJECT_num(aux->othernotrust); i++) {
|
||||
for(i = 0; i < sk_ASN1_OBJECT_num(aux->otherreject); i++) {
|
||||
if(!first) BIO_puts(out, ", ");
|
||||
else first = 0;
|
||||
OBJ_obj2txt(oidstr, 80,
|
||||
sk_ASN1_OBJECT_value(aux->othernotrust, i), 0);
|
||||
sk_ASN1_OBJECT_value(aux->otherreject, i), 0);
|
||||
BIO_puts(out, oidstr);
|
||||
}
|
||||
BIO_puts(out, "\n");
|
||||
|
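Review bot: The labels printed by X509_CERT_AUX_print still read `"%*sUntrusted for:\n"`, `"%*sNo Untrusted Settings\n"` and `"%*sOther Untrusted Uses:\n%*s"` while the fields they print were just renamed to `reject` and `otherreject`; since the commit's stated reason for the rename is that "notrust/untrusted" confuses people, the text output should follow, e.g. `"%*sRejected for:\n"` and `"%*sOther Rejected Uses:\n%*s"`. Those labels are context lines here, so the change is only the string literals. X509_CERT_AUX_print starts and ends outside these hunks.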
@ -80,12 +80,12 @@ X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long len
|
||||
|
||||
M_ASN1_D2I_get_opt(ret->trust, d2i_ASN1_BIT_STRING,
|
||||
V_ASN1_BIT_STRING);
|
||||
M_ASN1_D2I_get_IMP_opt(ret->notrust, d2i_ASN1_BIT_STRING,0,
|
||||
M_ASN1_D2I_get_IMP_opt(ret->reject, d2i_ASN1_BIT_STRING,0,
|
||||
V_ASN1_BIT_STRING);
|
||||
|
||||
M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->othertrust,
|
||||
d2i_ASN1_OBJECT, ASN1_OBJECT_free);
|
||||
M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->othernotrust,
|
||||
M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->otherreject,
|
||||
d2i_ASN1_OBJECT, ASN1_OBJECT_free, 1);
|
||||
M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
|
||||
M_ASN1_D2I_get_opt(ret->other, d2i_ASN1_TYPE, V_ASN1_SEQUENCE);
|
||||
@ -99,9 +99,9 @@ X509_CERT_AUX *X509_CERT_AUX_new()
|
||||
ASN1_CTX c;
|
||||
M_ASN1_New_Malloc(ret, X509_CERT_AUX);
|
||||
ret->trust = NULL;
|
||||
ret->notrust = NULL;
|
||||
ret->reject = NULL;
|
||||
ret->othertrust = NULL;
|
||||
ret->othernotrust = NULL;
|
||||
ret->otherreject = NULL;
|
||||
ret->alias = NULL;
|
||||
ret->other = NULL;
|
||||
return(ret);
|
||||
@ -112,9 +112,9 @@ void X509_CERT_AUX_free(X509_CERT_AUX *a)
|
||||
{
|
||||
if(a == NULL) return;
|
||||
ASN1_BIT_STRING_free(a->trust);
|
||||
ASN1_BIT_STRING_free(a->notrust);
|
||||
ASN1_BIT_STRING_free(a->reject);
|
||||
sk_ASN1_OBJECT_pop_free(a->othertrust, ASN1_OBJECT_free);
|
||||
sk_ASN1_OBJECT_pop_free(a->othernotrust, ASN1_OBJECT_free);
|
||||
sk_ASN1_OBJECT_pop_free(a->otherreject, ASN1_OBJECT_free);
|
||||
ASN1_UTF8STRING_free(a->alias);
|
||||
ASN1_TYPE_free(a->other);
|
||||
Free((char *)a);
|
||||
@ -125,10 +125,10 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
|
||||
M_ASN1_I2D_vars(a);
|
||||
|
||||
M_ASN1_I2D_len(a->trust, i2d_ASN1_BIT_STRING);
|
||||
M_ASN1_I2D_len_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING);
|
||||
M_ASN1_I2D_len_IMP_opt(a->reject, i2d_ASN1_BIT_STRING);
|
||||
|
||||
M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
|
||||
M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
|
||||
M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1);
|
||||
|
||||
M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
|
||||
M_ASN1_I2D_len(a->other, i2d_ASN1_TYPE);
|
||||
@ -136,10 +136,10 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
|
||||
M_ASN1_I2D_seq_total();
|
||||
|
||||
M_ASN1_I2D_put(a->trust, i2d_ASN1_BIT_STRING);
|
||||
M_ASN1_I2D_put_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING, 0);
|
||||
M_ASN1_I2D_put_IMP_opt(a->reject, i2d_ASN1_BIT_STRING, 0);
|
||||
|
||||
M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
|
||||
M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
|
||||
M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1);
|
||||
|
||||
M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
|
||||
M_ASN1_I2D_put(a->other, i2d_ASN1_TYPE);
|
||||
@ -184,19 +184,19 @@ int X509_trust_set_bit(X509 *x, int bit, int value)
|
||||
return ASN1_BIT_STRING_set_bit(aux->trust, bit, value);
|
||||
}
|
||||
|
||||
int X509_notrust_set_bit(X509 *x, int bit, int value)
|
||||
int X509_reject_set_bit(X509 *x, int bit, int value)
|
||||
{
|
||||
X509_CERT_AUX *aux;
|
||||
if(bit == -1) {
|
||||
if(x->aux && x->aux->notrust) {
|
||||
ASN1_BIT_STRING_free(x->aux->notrust);
|
||||
x->aux->notrust = NULL;
|
||||
if(x->aux && x->aux->reject) {
|
||||
ASN1_BIT_STRING_free(x->aux->reject);
|
||||
x->aux->reject = NULL;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
if(!(aux = aux_get(x))) return 0;
|
||||
if(!aux->notrust && !(aux->notrust = ASN1_BIT_STRING_new())) return 0;
|
||||
return ASN1_BIT_STRING_set_bit(aux->notrust, bit, value);
|
||||
if(!aux->reject && !(aux->reject = ASN1_BIT_STRING_new())) return 0;
|
||||
return ASN1_BIT_STRING_set_bit(aux->reject, bit, value);
|
||||
}
|
||||
|
||||
int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj)
|
||||
@ -208,12 +208,12 @@ int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj)
|
||||
return sk_ASN1_OBJECT_push(aux->othertrust, obj);
|
||||
}
|
||||
|
||||
int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj)
|
||||
int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj)
|
||||
{
|
||||
X509_CERT_AUX *aux;
|
||||
if(!(aux = aux_get(x))) return 0;
|
||||
if(!aux->othernotrust
|
||||
&& !(aux->othernotrust = sk_ASN1_OBJECT_new_null())) return 0;
|
||||
return sk_ASN1_OBJECT_push(aux->othernotrust, obj);
|
||||
if(!aux->otherreject
|
||||
&& !(aux->otherreject = sk_ASN1_OBJECT_new_null())) return 0;
|
||||
return sk_ASN1_OBJECT_push(aux->otherreject, obj);
|
||||
}
|
||||
|
||||
|
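Review bot: X509_add_reject_object stores the caller's pointer directly with `return sk_ASN1_OBJECT_push(aux->otherreject, obj);`, and X509_CERT_AUX_free later releases it via `sk_ASN1_OBJECT_pop_free(a->otherreject, ASN1_OBJECT_free);`, so ownership of `obj` passes to the certificate, but nothing in the code or header says so. A comment on the definition such as `/* Takes ownership of obj: it is freed with the X509's aux data. */` would stop callers from freeing it themselves or pushing the same object into several certificates. The same applies to X509_add_trust_object, whose body is only partly inside the hunk.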
@ -247,7 +247,7 @@ PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(
|
||||
unsigned char **pp, long length);
|
||||
|
||||
#ifndef SSLEAY_MACROS
|
||||
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,EVP_MD *type,
|
||||
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,const EVP_MD *type,
|
||||
unsigned char *md,unsigned int *len);
|
||||
#ifndef NO_FP_API
|
||||
PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);
|
||||
|
@ -27,13 +27,13 @@ LIBSRC= x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
|
||||
x509_set.c x509rset.c x509_err.c \
|
||||
x509name.c x509_v3.c x509_ext.c \
|
||||
x509type.c x509_lu.c x_all.c x509_txt.c \
|
||||
by_file.c by_dir.c
|
||||
x509_trs.c by_file.c by_dir.c
|
||||
LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
|
||||
x509_obj.o x509_req.o x509spki.o x509_vfy.o \
|
||||
x509_set.o x509rset.o x509_err.o \
|
||||
x509name.o x509_v3.o x509_ext.o \
|
||||
x509type.o x509_lu.o x_all.o x509_txt.o \
|
||||
by_file.o by_dir.o
|
||||
x509_trs.o by_file.o by_dir.o
|
||||
|
||||
SRC= $(LIBSRC)
|
||||
|
||||
|
@ -236,7 +236,7 @@ typedef struct x509_cinf_st
|
||||
* the end of the certificate itself
|
||||
*/
|
||||
|
||||
/* Bit values for trust/notrust */
|
||||
/* Bit values for trust/reject */
|
||||
|
||||
#define X509_TRUST_BIT_ALL 0
|
||||
#define X509_TRUST_BIT_SSL_CLIENT 1
|
||||
@ -248,9 +248,9 @@ typedef struct x509_cinf_st
|
||||
typedef struct x509_cert_aux_st
|
||||
{
|
||||
ASN1_BIT_STRING *trust; /* trusted uses */
|
||||
ASN1_BIT_STRING *notrust; /* rejected uses */
|
||||
ASN1_BIT_STRING *reject; /* rejected uses */
|
||||
STACK_OF(ASN1_OBJECT) *othertrust; /* extra uses */
|
||||
STACK_OF(ASN1_OBJECT) *othernotrust; /* extra rejected uses */
|
||||
STACK_OF(ASN1_OBJECT) *otherreject; /* extra rejected uses */
|
||||
ASN1_UTF8STRING *alias; /* "friendly name" */
|
||||
ASN1_TYPE *other; /* other unspecified info */
|
||||
} X509_CERT_AUX;
|
||||
@ -284,16 +284,29 @@ typedef struct x509_trust_st {
|
||||
int trust_flags;
|
||||
int (*check_trust)(struct x509_trust_st *, X509 *, int);
|
||||
char *trust_name;
|
||||
int trust_bit;
|
||||
void *usr_data;
|
||||
int arg1;
|
||||
void *arg2;
|
||||
} X509_TRUST;
|
||||
|
||||
/* X509 trust ids */
|
||||
DECLARE_STACK_OF(X509_TRUST)
|
||||
|
||||
/* standard trust ids */
|
||||
|
||||
#define X509_TRUST_ANY 1
|
||||
#define X509_TRUST_SSL_CLIENT 2
|
||||
#define X509_TRUST_SSL_SERVER 3
|
||||
#define X509_TRUST_EMAIL 4
|
||||
#define X509_TRUST_OBJECT_SIGN 5
|
||||
|
||||
/* trust_flags values */
|
||||
#define X509_TRUST_DYNAMIC 1
|
||||
#define X509_TRUST_DYNAMIC_NAME 2
|
||||
|
||||
/* check_trust return codes */
|
||||
|
||||
#define X509_TRUST_TRUSTED 1
|
||||
#define X509_TRUST_REJECTED 2
|
||||
#define X509_TRUST_UNTRUSTED 3
|
||||
|
||||
typedef struct X509_revoked_st
|
||||
{
|
||||
@ -615,8 +628,8 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
|
||||
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
|
||||
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
|
||||
|
||||
int X509_digest(X509 *data,EVP_MD *type,unsigned char *md,unsigned int *len);
|
||||
int X509_NAME_digest(X509_NAME *data,EVP_MD *type,
|
||||
int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len);
|
||||
int X509_NAME_digest(X509_NAME *data,const EVP_MD *type,
|
||||
unsigned char *md,unsigned int *len);
|
||||
#endif
|
||||
|
||||
@ -701,7 +714,7 @@ const char * X509_get_default_cert_dir_env(void );
|
||||
const char * X509_get_default_cert_file_env(void );
|
||||
const char * X509_get_default_private_dir(void );
|
||||
|
||||
X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md);
|
||||
X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
|
||||
X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
|
||||
void ERR_load_X509_strings(void );
|
||||
|
||||
@ -803,12 +816,12 @@ X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
|
||||
int X509_alias_set(X509 *x, unsigned char *name, int len);
|
||||
unsigned char * X509_alias_get(X509 *x, int *len);
|
||||
int X509_trust_set_bit(X509 *x, int bit, int value);
|
||||
int X509_notrust_set_bit(X509 *x, int bit, int value);
|
||||
int X509_reject_set_bit(X509 *x, int bit, int value);
|
||||
int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj);
|
||||
int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj);
|
||||
int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj);
|
||||
|
||||
int X509_trust_set_bit_asc(X509 *x, char *str, int value);
|
||||
int X509_notrust_set_bit_asc(X509 *x, char *str, int value);
|
||||
int X509_reject_set_bit_asc(X509 *x, char *str, int value);
|
||||
|
||||
X509_REVOKED * X509_REVOKED_new(void);
|
||||
void X509_REVOKED_free(X509_REVOKED *a);
|
||||
@ -857,7 +870,7 @@ char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
|
||||
int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
|
||||
ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
|
||||
|
||||
int ASN1_digest(int (*i2d)(),EVP_MD *type,char *data,
|
||||
int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
|
||||
unsigned char *md,unsigned int *len);
|
||||
|
||||
int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
|
||||
@ -1040,6 +1053,17 @@ EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
|
||||
PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
|
||||
PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
|
||||
|
||||
int X509_check_trust(X509 *x, int id, int flags);
|
||||
int X509_TRUST_get_count(void);
|
||||
X509_TRUST * X509_TRUST_iget(int idx);
|
||||
int X509_TRUST_get_by_id(int id);
|
||||
int X509_TRUST_add(X509_TRUST *xp);
|
||||
void X509_TRUST_cleanup(void);
|
||||
void X509_TRUST_add_standard(void);
|
||||
int X509_TRUST_get_id(X509_TRUST *xp);
|
||||
char *X509_TRUST_iget_name(X509_TRUST *xp);
|
||||
int X509_TRUST_get_trust(X509_TRUST *xp);
|
||||
|
||||
/* BEGIN ERROR CODES */
|
||||
/* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
@ -1077,6 +1101,7 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
|
||||
#define X509_F_X509_STORE_ADD_CERT 124
|
||||
#define X509_F_X509_STORE_ADD_CRL 125
|
||||
#define X509_F_X509_TO_X509_REQ 126
|
||||
#define X509_F_X509_TRUST_ADD 133
|
||||
#define X509_F_X509_VERIFY_CERT 127
|
||||
|
||||
/* Reason codes. */
|
||||
|
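Review bot: The new X509_TRUST prototypes in the `@ -1040,6 +1053,17 @@` hunk carry no contract: `int X509_check_trust(X509 *x, int id, int flags);` presumably returns one of the `X509_TRUST_TRUSTED`/`X509_TRUST_REJECTED`/`X509_TRUST_UNTRUSTED` codes defined for the `check_trust` callback in the struct hunk, and `int X509_TRUST_add(X509_TRUST *xp);` gives no hint whether the table copies `xp` or keeps the pointer (the `X509_TRUST_DYNAMIC`/`X509_TRUST_DYNAMIC_NAME` flags hint at an ownership scheme, but a caller cannot tell which). A short comment block above these prototypes stating the return codes of X509_check_trust, what `flags` accepts, and the ownership rule for X509_TRUST_add would let callers use the table without reading the implementation. The `iget` prefix on `X509_TRUST_iget` and `X509_TRUST_iget_name` is also unexplained next to the plain `get_*` names; a comment on what the `i` denotes would help before the API is frozen.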
@ -94,6 +94,7 @@ static ERR_STRING_DATA X509_str_functs[]=
|
||||
{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0), "X509_STORE_add_cert"},
|
||||
{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0), "X509_STORE_add_crl"},
|
||||
{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"},
|
||||
{ERR_PACK(0,X509_F_X509_TRUST_ADD,0), "X509_TRUST_ADD"},
|
||||
{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"},
|
||||
{0,NULL}
|
||||
};
|
||||
|
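Review bot: The new error-string entry `{ERR_PACK(0,X509_F_X509_TRUST_ADD,0), "X509_TRUST_ADD"},` names the function in upper case, while the neighbouring entries use the real identifier casing (`"X509_STORE_add_cert"`, `"X509_to_X509_REQ"`), so the text reported for a failing table insert will not match the `X509_TRUST_add` declared in x509.h; it should read `"X509_TRUST_add"`. The x509.h hunk says these codes are produced by mkerr.pl, so if this table comes from the same run the casing should be corrected at the source rather than by hand here.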
@ -66,7 +66,7 @@
|
||||
#include <openssl/buffer.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md)
|
||||
X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
|
||||
{
|
||||
X509_REQ *ret;
|
||||
X509_REQ_INFO *ri;
|
||||
|
@ -411,19 +411,19 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
|
||||
(char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
|
||||
}
|
||||
|
||||
int X509_digest(X509 *data, EVP_MD *type, unsigned char *md,
|
||||
int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md,
|
||||
unsigned int *len)
|
||||
{
|
||||
return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
|
||||
}
|
||||
|
||||
int X509_NAME_digest(X509_NAME *data, EVP_MD *type, unsigned char *md,
|
||||
int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md,
|
||||
unsigned int *len)
|
||||
{
|
||||
return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
|
||||
}
|
||||
|
||||
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, EVP_MD *type,
|
||||
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
|
||||
unsigned char *md, unsigned int *len)
|
||||
{
|
||||
return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,
|
||||
|
@ -29,9 +29,9 @@ B<openssl> B<x509>
|
||||
[B<-noout>]
|
||||
[B<-trustout>]
|
||||
[B<-clrtrust>]
|
||||
[B<-clrnotrust>]
|
||||
[B<-clrreject>]
|
||||
[B<-addtrust arg>]
|
||||
[B<-addnotrust arg>]
|
||||
[B<-addreject arg>]
|
||||
[B<-setalias arg>]
|
||||
[B<-days arg>]
|
||||
[B<-signkey filename>]
|
||||
@ -59,7 +59,7 @@ Since there are a large number of options they will split up into
|
||||
various sections.
|
||||
|
||||
|
||||
=head1 INPUT AND OUTPUT OPTIONS
|
||||
=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
|
||||
|
||||
=over 4
|
||||
|
||||
@ -87,6 +87,14 @@ if this option is not specified.
|
||||
This specifies the output filename to write to or standard output by
|
||||
default.
|
||||
|
||||
=item B<-md2|-md5|-sha1|-mdc2>
|
||||
|
||||
the digest to use. This affects any signing or display option that uses a message
|
||||
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
|
||||
specified then MD5 is used. If the key being used to sign with is a DSA key then
|
||||
this option has no effect: SHA1 is always used with DSA keys.
|
||||
|
||||
|
||||
=back
|
||||
|
||||
=head1 DISPLAY OPTIONS
|
||||
@ -143,7 +151,7 @@ prints out the start and expiry dates of a certificate.
|
||||
|
||||
=item B<-fingerprint>
|
||||
|
||||
prints out the MD5 digest of the whole certificate.
|
||||
prints out the digest of the DER encoded version of the whole certificate.
|
||||
|
||||
=item B<-C>
|
||||
|
||||
@ -201,7 +209,7 @@ outputs the certificate alias, if any.
|
||||
|
||||
clears all the permitted or trusted uses of the certificate.
|
||||
|
||||
=item B<-clrnotrust>
|
||||
=item B<-clrreject>
|
||||
|
||||
clears all the prohibited or untrusted uses of the certificate.
|
||||
|
||||
@ -211,7 +219,7 @@ adds a trusted certificate use. Currently acceptable values
|
||||
are all (any purpose), sslclient (SSL client use), sslserver
|
||||
(SSL server use) email (S/MIME email) and objsign (Object signing).
|
||||
|
||||
=item B<-addnotrust arg>
|
||||
=item B<-addreject arg>
|
||||
|
||||
adds a prohibited use. It accepts the same values as the B<-addtrust>
|
||||
option.
|
||||
@ -311,11 +319,6 @@ with this option the CA serial number file is created if it does not exist:
|
||||
it will contain the serial number "01". Normally if the B<-CA> option is
|
||||
specified and the serial number file does not exist it is an error.
|
||||
|
||||
=item B<-md2|-md5|-sha1|-mdc2>
|
||||
|
||||
the digest to sign with. It affects all commands that sign a certificate
|
||||
or request.
|
||||
|
||||
=item B<-extfile filename>
|
||||
|
||||
file containing certificate extensions to use. If not specified then
|
||||
@ -339,10 +342,17 @@ Display the contents of a certificate:
|
||||
|
||||
openssl x509 -in cert.pem -noout -text
|
||||
|
||||
Displa the certificate serial number:
|
||||
Display the certificate serial number:
|
||||
|
||||
openssl x509 -in cert.pem -noout -serial
|
||||
|
||||
Display the certificate MD5 fingerprint:
|
||||
|
||||
openssl x509 -in cert.pem -noout -fingerprint
|
||||
|
||||
Display the certificate SHA1 fingerprint:
|
||||
|
||||
openssl x509 -sha1 -in cert.pem -noout -fingerprint
|
||||
|
||||
Convert a certificate from PEM to DER format:
|
||||
|
||||
@ -383,6 +393,18 @@ it will also handle files containing:
|
||||
-----BEGIN X509 CERTIFICATE----
|
||||
-----END X509 CERTIFICATE----
|
||||
|
||||
Trusted certificates have the lines
|
||||
|
||||
-----BEGIN TRUSTED CERTIFICATE----
|
||||
-----END TRUSTED CERTIFICATE----
|
||||
|
||||
The B<-fingerprint> option takes the digest of the DER encoded certificate.
|
||||
This is commonly called a "fingerprint". Because of the nature of message
|
||||
digests the fingerprint of a certificate is unique to that certificate and
|
||||
two certificates with the same fingerprint can be considered to be the same.
|
||||
|
||||
The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
The way DNs are printed is in a "historical SSLeay" format which doesn't
|
||||
@ -396,7 +418,7 @@ It is possible to produce invalid certificates or requests by specifying the
|
||||
wrong private key or using inconsistent options in some cases: these should
|
||||
be checked.
|
||||
|
||||
There should be options to explicitly set such things are start and end
|
||||
There should be options to explicitly set such things as start and end
|
||||
dates rather than an offset from the current time.
|
||||
|
||||
The code to implement the verify behaviour described in the B<TRUST SETTINGS>
|
||||
@ -404,7 +426,6 @@ is currently being developed. It thus describes the intended behavior rather
|
||||
than the current behaviour. It is hoped that it will represent reality in
|
||||
OpenSSL 0.9.5 and later.
|
||||
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
req(1), ca(1), genrsa(1), gendsa(1)
|
||||
|