#endif
{"inform", OPT_INFORM, 'f',
- "Input format - default PEM (one of DER or PEM)"},
+ "CSR input format (DER or PEM) - default PEM"},
{"in", OPT_IN, '<', "Input file - default stdin"},
{"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
{"outform", OPT_OUTFORM, 'f',
- "Output format - default PEM (one of DER or PEM)"},
+ "Output format (DER or PEM) - default PEM"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
{"C", OPT_C, '-', "Print out C code forms"},
#ifndef OPENSSL_NO_MD5
{"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
- "Print old-style (MD5) issuer hash value"},
- {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
"Print old-style (MD5) subject hash value"},
+ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
+ "Print old-style (MD5) issuer hash value"},
#endif
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"setalias", OPT_SETALIAS, 's', "Set certificate alias"},
{"days", OPT_DAYS, 'n',
"How long till expiry of a signed certificate - def 30 days"},
- {"signkey", OPT_SIGNKEY, 's', "Self sign cert with arg"},
+ {"signkey", OPT_SIGNKEY, 's', "Self-sign cert with arg"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
{"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"},
{"certopt", OPT_CERTOPT, 's', "Various certificate text options"},
{"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
- {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
- {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"},
+ {"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
+ {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format (ENGINE, other values ignored)"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"CAcreateserial", OPT_CACREATESERIAL, '-',
"Create serial number file if it does not exist"},
ret = 0;
goto end;
case OPT_INFORM:
- if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
+ if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
goto opthelp;
break;
case OPT_IN:
goto opthelp;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
goto opthelp;
break;
case OPT_CAFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAformat))
goto opthelp;
break;
case OPT_CAKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
goto opthelp;
break;
case OPT_OUT:
goto end;
}
- if (!X509_STORE_set_default_paths(ctx)) {
+ if (!X509_STORE_set_default_paths_with_libctx(ctx, app_get0_libctx(),
+ app_get0_propq())) {
ERR_print_errors(bio_err);
goto end;
}
"We need a private key to sign with, use -signkey or -CAkey or -CA <file> with private key\n");
goto end;
}
- if ((x = X509_new()) == NULL)
+ if ((x = X509_new_with_libctx(app_get0_libctx(), app_get0_propq())) == NULL)
goto end;
if (sno == NULL) {
if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
goto end;
} else {
- x = load_cert(infile, informat, "Certificate");
+ x = load_cert(infile, FORMAT_UNDEF, "Certificate");
if (x == NULL)
goto end;
if (fkey != NULL && !X509_set_pubkey(x, fkey))
X509_get_subject_name(x), get_nameopt());
} else if (serial == i) {
BIO_printf(out, "serial=");
- i2a_ASN1_INTEGER(out, X509_get_serialNumber(x));
+ i2a_ASN1_INTEGER(out, X509_get0_serialNumber(x));
BIO_printf(out, "\n");
} else if (next_serial == i) {
ASN1_INTEGER *ser = X509_get_serialNumber(x);
goto end;
/*
- * NOTE: this certificate can/should be self signed, unless it was a
+ * NOTE: this certificate can/should be self-signed, unless it was a
* certificate request in which case it is not.
*/
X509_STORE_CTX_set_cert(xsc, x);
X509 *err_cert;
/*
- * it is ok to use a self signed certificate This case will catch both
- * the initial ok == 0 and the final ok == 1 calls to this function
+ * It is ok to use a self-signed certificate. This case will catch both
+ * the initial ok == 0 and the final ok == 1 calls to this function.
*/
err = X509_STORE_CTX_get_error(ctx);
if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
*/
if (ok) {
BIO_printf(bio_err,
- "error with certificate to be certified - should be self signed\n");
+ "error with certificate to be certified - should be self-signed\n");
return 0;
} else {
err_cert = X509_STORE_CTX_get_current_cert(ctx);