*Tim Perry*
+ * Added support for requesting CRL in CMP.
+
+ This work was sponsored by Siemens AG.
+
+ *Rajeev Ranjan*
+
* Added Attribute Certificate (RFC 5755) support. Attribute
Certificates can be created, parsed, modified and printed via the
public API. There is no command-line tool support at this time.
*Neil Horman*
- * Added support for requesting CRL in CMP.
-
- *Rajeev Ranjan, Siemens AG*
-
* Added `-set_issuer` and `-set_subject` options to `openssl x509` to
override the Issuer and Subject when creating a certificate. The `-subj`
option now is an alias for `-set_subject`.
/* credentials format */
static char *opt_certform_s = "PEM";
static int opt_certform = FORMAT_PEM;
+/*
+ * DER format is the preferred choice for saving a CRL because it allows for
+ * more efficient storage, especially when dealing with large CRLs.
+ */
static char *opt_crlform_s = "DER";
static int opt_crlform = FORMAT_ASN1;
static char *opt_keyform_s = NULL;
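Review bot: The new comment explains why DER is chosen for `opt_crlform_s` but not that this deliberately differs from the `"PEM"` default of `opt_certform_s` two lines above, which is the detail a reader scanning the option table is most likely to mistake for an inconsistency. Suggest opening the comment with that contrast, e.g. `/* Unlike -certform, the CRL output format defaults to DER: ... */`, keeping the storage-efficiency rationale that follows. The rationale is also stated in the `-crlform` manpage hunk; if it is kept in both places, they should use the same wording so a later change does not leave the two diverging.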
if ((sk = sk_ASN1_UTF8STRING_new_reserve(NULL, 1)) == NULL)
return 0;
- if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
- goto err;
- if (!ASN1_STRING_set(utf8string, name, (int)strlen(name))) {
- ASN1_STRING_free(utf8string);
- goto err;
- }
- /* Due to sk_ASN1_UTF8STRING_new_reserve(NULL, 1), this surely succeeds: */
- (void)sk_ASN1_UTF8STRING_push(sk, utf8string);
- if ((itav = OSSL_CMP_ITAV_new0_certProfile(sk)) == NULL)
- goto err;
- if (OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav))
- return 1;
- OSSL_CMP_ITAV_free(itav);
- return 0;
+ if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
+ goto err;
+ if (!ASN1_STRING_set(utf8string, name, (int)strlen(name))) {
+ ASN1_STRING_free(utf8string);
+ goto err;
+ }
+ /* Due to sk_ASN1_UTF8STRING_new_reserve(NULL, 1), this surely succeeds: */
+ (void)sk_ASN1_UTF8STRING_push(sk, utf8string);
+ if ((itav = OSSL_CMP_ITAV_new0_certProfile(sk)) == NULL)
+ goto err;
+ if (OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav))
+ return 1;
+ OSSL_CMP_ITAV_free(itav);
+ return 0;
err:
sk_ASN1_UTF8STRING_pop_free(sk, ASN1_UTF8STRING_free);
if (*ptr != '\0') {
if (*ptr != ',') {
CMP_err1("Missing ',' or end of -geninfo arg after int at %.40s",
- ptr);
+ ptr);
goto err;
}
ptr++;
if (opt_reqout_only != NULL) {
const char *msg = "option is ignored since -reqout_only option is given";
-#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+# if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
if (opt_server != NULL)
CMP_warn1("-server %s", msg);
-#endif
+# endif
if (opt_use_mock_srv)
CMP_warn1("-use_mock_srv %s", msg);
if (opt_reqout != NULL)
const X509_CRL *crl)
{
OSSL_CMP_CRLSTATUS *crlstatus;
- DIST_POINT_NAME *dpn;
- GENERAL_NAMES *issuer;
+ DIST_POINT_NAME *dpn = NULL;
+ GENERAL_NAMES *issuer = NULL;
ASN1_TIME *thisupd = NULL;
if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) {
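Review bot: Initialising `dpn` and `issuer` to NULL (and, in the two following hunks, `crlstatuslist` and `crls`) removes a possibly-indeterminate read, but nothing at the declaration records which later path relied on it, and the consumers of these pointers are outside the hunk, so I cannot confirm from here whether an accessor can return success with one of them left unset. A one-line comment at the declarations would make the intent durable, e.g. `/* NULL-initialised: the accessor below may legitimately leave one of these unset */`, hedged or tightened once the actual contract of the getter is checked. The enclosing function starts before this hunk (its parameter list is cut at `const X509_CRL *crl)`) and continues after the `sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1` check.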
break;
case NID_id_it_crlStatusList:
{
- STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist;
+ STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
int res = 0;
if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
OSSL_CMP_CRLSTATUS *status = NULL;
STACK_OF(OSSL_CMP_CRLSTATUS) *list = NULL;
OSSL_CMP_ITAV *req = NULL, *itav = NULL;
- STACK_OF(X509_CRL) *crls;
+ STACK_OF(X509_CRL) *crls = NULL;
int res = 0;
if (crl == NULL) {
{
GENERAL_NAME *name;
- if (tgt == NULL){
+ if (tgt == NULL) {
ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
return 0;
}
File format to use when saving a CRL to a file.
Default value is DER.
+DER format is preferred because it enables more efficient storage
+of large CRLs.
=item B<-keyform> I<PEM|DER|P12|ENGINE>
The B<-engine> option was deprecated in OpenSSL 3.0.
-B<-profile>, B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform>
-and B<-rsp_crl> options were added in OpenSSL 3.3.
+The B<-profile> option was added in OpenSSL 3.3.
+
+B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform>
+and B<-rsp_crl> options were added in OpenSSL 3.4.
=head1 COPYRIGHT
=head1 HISTORY
-GENERAL_NAME_set1_X509_NAME() was added in OpenSSL 3.3.
+GENERAL_NAME_set1_X509_NAME() was added in OpenSSL 3.4.
=head1 COPYRIGHT
OSSL_CMP_CRLSTATUS_new1(), OSSL_CMP_CRLSTATUS_create(),
OSSL_CMP_CRLSTATUS_get0(), OSSL_CMP_ITAV_new0_crlStatusList(),
OSSL_CMP_ITAV_get0_crlStatusList(), OSSL_CMP_ITAV_new_crls()
-and OSSL_CMP_ITAV_get0_crls() were added in OpenSSL 3.3.
+and OSSL_CMP_ITAV_get0_crls() were added in OpenSSL 3.4.
=head1 COPYRIGHT
OSSL_CMP_get1_caCerts() and OSSL_CMP_get1_rootCaKeyUpdate()
were added in OpenSSL 3.2.
-OSSL_CMP_get1_crlUpdate() and support for delayed delivery
-of all types of response messages was added in OpenSSL 3.3.
+Support for delayed delivery of all types of response messages
+was added in OpenSSL 3.3.
+
+OSSL_CMP_get1_crlUpdate() was added in OpenSSL 3.4.
=head1 COPYRIGHT
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
-DIST_POINT_NAME_dup ? 3_3_0 EXIST::FUNCTION:
-GENERAL_NAME_set1_X509_NAME ? 3_3_0 EXIST::FUNCTION:
OSSL_CMP_CTX_get0_geninfo_ITAVs 5667 3_3_0 EXIST::FUNCTION:CMP
OSSL_CMP_HDR_get0_geninfo_ITAVs 5668 3_3_0 EXIST::FUNCTION:CMP
OSSL_CMP_ITAV_new0_certProfile 5669 3_3_0 EXIST::FUNCTION:CMP
OSSL_CMP_ITAV_get0_certProfile 5670 3_3_0 EXIST::FUNCTION:CMP
OSSL_CMP_MSG_get0_certreq_publickey 5671 3_3_0 EXIST::FUNCTION:CMP
OSSL_CMP_SRV_CTX_init_trans 5672 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_create ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_free ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_get0 ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_new1 ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_get0_crlStatusList ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_get0_crls ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_new0_crlStatusList ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_new_crls ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_get1_crlUpdate ? 3_3_0 EXIST::FUNCTION:CMP
EVP_DigestSqueeze 5673 3_3_0 EXIST::FUNCTION:
ERR_pop 5674 3_3_0 EXIST::FUNCTION:
X509_STORE_get1_objects 5675 3_3_0 EXIST::FUNCTION:
OPENSSL_LH_set_thunks 5676 3_3_0 EXIST::FUNCTION:
OPENSSL_LH_doall_arg_thunk 5677 3_3_0 EXIST::FUNCTION:
OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines 5678 3_3_0 EXIST::FUNCTION:HTTP
+DIST_POINT_NAME_dup ? 3_4_0 EXIST::FUNCTION:
+GENERAL_NAME_set1_X509_NAME ? 3_4_0 EXIST::FUNCTION:
+OSSL_CMP_CRLSTATUS_create ? 3_4_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_free ? 3_4_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_get0 ? 3_4_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_new1 ? 3_4_0 EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_get0_crlStatusList ? 3_4_0 EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_get0_crls ? 3_4_0 EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_new0_crlStatusList ? 3_4_0 EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_new_crls ? 3_4_0 EXIST::FUNCTION:CMP
+OSSL_CMP_get1_crlUpdate ? 3_4_0 EXIST::FUNCTION:CMP
CRYPTO_atomic_store ? 3_4_0 EXIST::FUNCTION:
CRYPTO_aligned_alloc ? 3_4_0 EXIST::FUNCTION:
d2i_X509_ACERT ? 3_4_0 EXIST::FUNCTION: