Also add related references to FR #15725.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18900)
{"quiet", OPT_QUIET, '-', "Terse output during processing"},
{"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
{"in", OPT_IN, '<', "The input cert request(s)"},
- {"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"},
+ {"inform", OPT_INFORM, 'F',
+ "CSR input format to use (PEM or DER; by default try PEM first)"},
{"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
{"out", OPT_OUT, '>', "Where to put the output file(s)"},
{"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
EVP_PKEY *pktmp = NULL;
int ok = -1, i;
- req = load_csr(infile, informat, "certificate request");
+ req = load_csr_autofmt(infile, informat, "certificate request");
if (req == NULL)
goto end;
if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
return cert;
}
-static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
-{
- X509_REQ *csr;
- BIO *bio_bak = bio_err;
-
- bio_err = NULL; /* do not show errors on more than one try */
- csr = load_csr(infile, FORMAT_PEM, desc);
- bio_err = bio_bak;
- if (csr == NULL) {
- ERR_clear_error();
- csr = load_csr(infile, FORMAT_ASN1, desc);
- }
- if (csr == NULL) {
- ERR_print_errors(bio_err);
- BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", desc,
- infile);
- } else {
- EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
- int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);
-
- if (pkey == NULL || ret < 0)
- CMP_warn("error while verifying CSR self-signature");
- else if (ret == 0)
- CMP_warn("CSR self-signature does not match the contents");
- }
- return csr;
-}
-
/* set expected hostname/IP addr and clears the email addr in the given ts */
static int truststore_set_host_etc(X509_STORE *ts, const char *host)
{
if (opt_cmd == CMP_GENM) {
CMP_warn("-csr option is ignored for command 'genm'");
} else {
- if ((csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR")) == NULL)
+ csr = load_csr_autofmt(opt_csr, FORMAT_UNDEF, "PKCS#10 CSR");
+ if (csr == NULL)
return 0;
if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr))
goto oom;
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
int add_oid_section(CONF *conf);
X509_REQ *load_csr(const char *file, int format, const char *desc);
+X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc);
X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
const char *pass, const char *desc);
#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
return crl;
}
+/* Could be simplified if OSSL_STORE supported CSRs, see FR #15725 */
X509_REQ *load_csr(const char *file, int format, const char *desc)
{
X509_REQ *req = NULL;
if (format == FORMAT_UNDEF)
format = FORMAT_PEM;
- if (desc == NULL)
- desc = "CSR";
in = bio_open_default(file, 'r', format);
if (in == NULL)
goto end;
end:
if (req == NULL) {
ERR_print_errors(bio_err);
- BIO_printf(bio_err, "Unable to load %s\n", desc);
+ if (desc != NULL)
+ BIO_printf(bio_err, "Unable to load %s\n", desc);
}
BIO_free(in);
return req;
}
+/* Better extend OSSL_STORE to support CSRs, see FR #15725 */
+X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc)
+{
+ X509_REQ *csr;
+
+ if (format != FORMAT_UNDEF) {
+ csr = load_csr(infile, format, desc);
+ } else { /* try PEM, then DER */
+ BIO *bio_bak = bio_err;
+
+ bio_err = NULL; /* do not show errors on more than one try */
+ csr = load_csr(infile, FORMAT_PEM, NULL /* desc */);
+ bio_err = bio_bak;
+ if (csr == NULL) {
+ ERR_clear_error();
+ csr = load_csr(infile, FORMAT_ASN1, NULL /* desc */);
+ }
+ if (csr == NULL) {
+ BIO_printf(bio_err, "error: unable to load %s from file '%s'\n",
+ desc, infile);
+ }
+ }
+ if (csr != NULL) {
+ EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
+ int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);
+
+ if (pkey == NULL || ret < 0)
+ BIO_puts(bio_err, "Warning: error while verifying CSR self-signature");
+ else if (ret == 0)
+ BIO_puts(bio_err, "Warning: CSR self-signature does not match the contents");
+ return csr;
+ }
+ return csr;
+}
+
void cleanse(char *str)
{
if (str != NULL)
"Specify engine to be used for key generation operations"},
#endif
{"in", OPT_IN, '<', "X.509 request input file (default stdin)"},
- {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+ {"inform", OPT_INFORM, 'F',
+ "CSR input format to use (PEM or DER; by default try PEM first)"},
{"verify", OPT_VERIFY, '-', "Verify self-signature on the request"},
OPT_SECTION("Certificate"),
if (keyfile != NULL)
BIO_printf(bio_err,
"Warning: Not placing -key in cert or request since request is used\n");
- req = load_csr(infile /* if NULL, reads from stdin */,
- informat, "X509 request");
+ req = load_csr_autofmt(infile /* if NULL, reads from stdin */,
+ informat, "X509 request");
if (req == NULL)
goto end;
} else if (infile != NULL) {
{"copy_extensions", OPT_COPY_EXTENSIONS, 's',
"copy extensions when converting from CSR to x509 or vice versa"},
{"inform", OPT_INFORM, 'f',
- "CSR input file format (DER or PEM) - default PEM"},
+ "CSR input format to use (PEM or DER; by default try PEM first)"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
{"key", OPT_KEY, 's',
"Key for signing, and to include unless using -force_pubkey"},
if (infile == NULL)
BIO_printf(bio_err,
"Warning: Reading cert request from stdin since no -in option is given\n");
- req = load_csr(infile, informat, "certificate request input");
+ req = load_csr_autofmt(infile, informat, "certificate request input");
if (req == NULL)
goto end;
=item B<-inform> B<DER>|B<PEM>
-The format of the data in certificate request input files;
-unspecified by default.
+The format to use when loading certificate request (CSR) input files;
+by default PEM is tried first.
See L<openssl-format-options(1)> for details.
=item B<-ss_cert> I<filename>
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-The input and output formats; unspecified by default.
+The CSR input file format to use; by default PEM is tried first.
+See L<openssl-format-options(1)> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The output format; unspecified by default.
See L<openssl-format-options(1)> for details.
The data is a PKCS#10 object.
=item B<-inform> B<DER>|B<PEM>
-The input file format; unspecified by default.
+The input file format to use; by default PEM is tried first.
See L<openssl-format-options(1)> for details.
=item B<-vfyopt> I<nm>:I<v>