From: Dr. Stephen Henson Date: Sat, 27 Nov 1999 01:14:04 +0000 (+0000) Subject: Initial trust code: allow setting of trust checking functions X-Git-Tag: OpenSSL_0_9_5beta1~408 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=9868232ae1c0aaac34e0f96643031d68a5e417d3 Initial trust code: allow setting of trust checking functions in a table. Doesn't do too much yet. Make the - options in 'x509' affect all relevant options. Change the name of the 'notrust' options to 'reject' as this causes less confusion and is a better description of the effect. A few constification changes. --- diff --git a/CHANGES b/CHANGES index 5aaed4a82b..3261ecea27 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,14 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Fixes and enhancements to the 'x509' utility. It allowed a message + digest to be passed on the command line but it only used this + parameter when signing a certificate. Modified so all relevant + operations are affected by the digest parameter including the + -fingerprint and -x509toreq options. Also -x509toreq choked if a + DSA key was used because it didn't fix the digest. + [Steve Henson] + *) Very preliminary certificate chain verify code. Currently just tests the untrusted certificates for consistency with the verify purpose (which is set when the X509_STORE_CTX structure is set up) and checks @@ -12,7 +20,7 @@ reject chains with invalid extensions whereas before it made no checks at all. - Still needs some trust checking code. + Preliminary untested trust code. Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions which should be used for version portability: especially since the diff --git a/TABLE b/TABLE index 2d86def069..84be8c8c13 100644 --- a/TABLE +++ b/TABLE @@ -449,7 +449,7 @@ $unistd = $thread_cflag = (unknown) $lflags = $bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK -$bn_obj = +$bn_obj = asm/alpha.o $des_obj = $bf_obj = $md5_obj = @@ -466,7 +466,7 @@ $unistd = $thread_cflag = (unknown) $lflags = $bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1 -$bn_obj = +$bn_obj = asm/alpha.o $des_obj = $bf_obj = $md5_obj = @@ -483,7 +483,7 @@ $unistd = $thread_cflag = (unknown) $lflags = $bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK -$bn_obj = +$bn_obj = asm/alpha.o $des_obj = $bf_obj = $md5_obj = diff --git a/apps/x509.c b/apps/x509.c index 6469761f9e..86896088fb 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -107,9 +107,9 @@ static char *x509_usage[]={ " -noout - no certificate output\n", " -trustout - output a \"trusted\" certificate\n", " -clrtrust - clear all trusted purposes\n", -" -clrnotrust - clear all untrusted purposes\n", -" -addtrust arg - mark certificate as trusted for a given purpose\n", -" -addnotrust arg - mark certificate as not trusted for a given purpose\n", +" -clrreject - clear all rejected purposes\n", +" -addtrust arg - trust certificate for a given purpose\n", +" -addreject arg - reject certificate for a given purpose\n", " -setalias arg - set certificate alias\n", " -days arg - How long till expiry of a signed certificate - def 30 days\n", " -signkey arg - self sign cert with arg\n", @@ -122,7 +122,7 @@ static char *x509_usage[]={ " -CAserial - serial file\n", " -text - print the certificate in text form\n", " -C - print out C code forms\n", -" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n", +" -md2/-md5/-sha1/-mdc2 - digest to use\n", " -extfile - configuration file with X509V3 extensions to add\n", " -extensions - section from config file with X509V3 extensions to add\n", NULL @@ -148,14 +148,14 @@ int MAIN(int argc, char **argv) int i,num,badops=0; BIO *out=NULL; BIO *STDout=NULL; - STACK *trust = NULL, *notrust = NULL; + STACK *trust = NULL, *reject = NULL; int informat,outformat,keyformat,CAformat,CAkeyformat; char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; char *CAkeyfile=NULL,*CAserial=NULL; char *alias=NULL, *trstr=NULL; int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0; int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0; - int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0; + int trustout=0,clrtrust=0,clrreject=0,aliasout=0; int C=0; int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0; int pprint = 0; @@ -289,17 +289,17 @@ int MAIN(int argc, char **argv) sk_push(trust, trstr); trustout = 1; } - else if (strcmp(*argv,"-addnotrust") == 0) + else if (strcmp(*argv,"-addreject") == 0) { if (--argc < 1) goto bad; trstr= *(++argv); - if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) { + if(!X509_reject_set_bit_asc(NULL, trstr, 0)) { BIO_printf(bio_err, "Unknown trust value %s\n", trstr); goto bad; } - if(!notrust) notrust = sk_new_null(); - sk_push(notrust, trstr); + if(!reject) reject = sk_new_null(); + sk_push(reject, trstr); trustout = 1; } else if (strcmp(*argv,"-setalias") == 0) @@ -351,13 +351,13 @@ int MAIN(int argc, char **argv) trustout= 1; else if (strcmp(*argv,"-clrtrust") == 0) clrtrust= ++num; - else if (strcmp(*argv,"-clrnotrust") == 0) - clrnotrust= ++num; + else if (strcmp(*argv,"-clrreject") == 0) + clrreject= ++num; else if (strcmp(*argv,"-alias") == 0) aliasout= ++num; else if (strcmp(*argv,"-CAcreateserial") == 0) CA_createserial= ++num; - else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) + else if ((md_alg=EVP_get_digestbyname(*argv + 1))) { /* ok */ digest=md_alg; @@ -551,7 +551,7 @@ bad: if(alias) X509_alias_set(x, (unsigned char *)alias, -1); if(clrtrust) X509_trust_set_bit(x, -1, 0); - if(clrnotrust) X509_notrust_set_bit(x, -1, 0); + if(clrreject) X509_reject_set_bit(x, -1, 0); if(trust) { for(i = 0; i < sk_num(trust); i++) { @@ -561,12 +561,12 @@ bad: sk_free(trust); } - if(notrust) { - for(i = 0; i < sk_num(notrust); i++) { - trstr = sk_value(notrust, i); - X509_notrust_set_bit_asc(x, trstr, 1); + if(reject) { + for(i = 0; i < sk_num(reject); i++) { + trstr = sk_value(reject, i); + X509_reject_set_bit_asc(x, trstr, 1); } - sk_free(notrust); + sk_free(reject); } if (num) @@ -732,12 +732,13 @@ bad: unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; - if (!X509_digest(x,EVP_md5(),md,&n)) + if (!X509_digest(x,digest,md,&n)) { BIO_printf(bio_err,"out of memory\n"); goto end; } - BIO_printf(STDout,"MD5 Fingerprint="); + BIO_printf(STDout,"%s Fingerprint=", + OBJ_nid2sn(EVP_MD_type(digest))); for (j=0; j<(int)n; j++) { BIO_printf(STDout,"%02X%c",md[j], @@ -801,7 +802,10 @@ bad: BIO_printf(bio_err,"Generating certificate request\n"); - rq=X509_to_X509_REQ(x,pk,EVP_md5()); + if (pk->type == EVP_PKEY_DSA) + digest=EVP_dss1(); + + rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); if (rq == NULL) { diff --git a/crypto/asn1/a_digest.c b/crypto/asn1/a_digest.c index c838f60b46..3370aae998 100644 --- a/crypto/asn1/a_digest.c +++ b/crypto/asn1/a_digest.c @@ -69,8 +69,8 @@ #include #include -int ASN1_digest(int (*i2d)(), EVP_MD *type, char *data, unsigned char *md, - unsigned int *len) +int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data, + unsigned char *md, unsigned int *len) { EVP_MD_CTX ctx; int i; diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c index ebd62f6989..5c15d09e43 100644 --- a/crypto/asn1/t_x509a.c +++ b/crypto/asn1/t_x509a.c @@ -83,12 +83,12 @@ int X509_trust_set_bit_asc(X509 *x, char *str, int value) return 1; } -int X509_notrust_set_bit_asc(X509 *x, char *str, int value) +int X509_reject_set_bit_asc(X509 *x, char *str, int value) { int bitnum; bitnum = ASN1_BIT_STRING_num_asc(str, tbits); if(bitnum < 0) return 0; - if(x) return X509_notrust_set_bit(x, bitnum, value); + if(x) return X509_reject_set_bit(x, bitnum, value); return 1; } @@ -102,9 +102,9 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) BIO_printf(out, "%*sTrusted for:\n", indent, ""); ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2); } else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, ""); - if(aux->notrust) { + if(aux->reject) { BIO_printf(out, "%*sUntrusted for:\n", indent, ""); - ASN1_BIT_STRING_name_print(out, aux->notrust, tbits, indent + 2); + ASN1_BIT_STRING_name_print(out, aux->reject, tbits, indent + 2); } else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, ""); if(aux->othertrust) { first = 1; @@ -119,15 +119,15 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) } BIO_puts(out, "\n"); } - if(aux->othernotrust) { + if(aux->otherreject) { first = 1; BIO_printf(out, "%*sOther Untrusted Uses:\n%*s", indent, "", indent + 2, ""); - for(i = 0; i < sk_ASN1_OBJECT_num(aux->othernotrust); i++) { + for(i = 0; i < sk_ASN1_OBJECT_num(aux->otherreject); i++) { if(!first) BIO_puts(out, ", "); else first = 0; OBJ_obj2txt(oidstr, 80, - sk_ASN1_OBJECT_value(aux->othernotrust, i), 0); + sk_ASN1_OBJECT_value(aux->otherreject, i), 0); BIO_puts(out, oidstr); } BIO_puts(out, "\n"); diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index d8409fbbff..1b95764251 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -80,12 +80,12 @@ X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long len M_ASN1_D2I_get_opt(ret->trust, d2i_ASN1_BIT_STRING, V_ASN1_BIT_STRING); - M_ASN1_D2I_get_IMP_opt(ret->notrust, d2i_ASN1_BIT_STRING,0, + M_ASN1_D2I_get_IMP_opt(ret->reject, d2i_ASN1_BIT_STRING,0, V_ASN1_BIT_STRING); M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->othertrust, d2i_ASN1_OBJECT, ASN1_OBJECT_free); - M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->othernotrust, + M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->otherreject, d2i_ASN1_OBJECT, ASN1_OBJECT_free, 1); M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING); M_ASN1_D2I_get_opt(ret->other, d2i_ASN1_TYPE, V_ASN1_SEQUENCE); @@ -99,9 +99,9 @@ X509_CERT_AUX *X509_CERT_AUX_new() ASN1_CTX c; M_ASN1_New_Malloc(ret, X509_CERT_AUX); ret->trust = NULL; - ret->notrust = NULL; + ret->reject = NULL; ret->othertrust = NULL; - ret->othernotrust = NULL; + ret->otherreject = NULL; ret->alias = NULL; ret->other = NULL; return(ret); @@ -112,9 +112,9 @@ void X509_CERT_AUX_free(X509_CERT_AUX *a) { if(a == NULL) return; ASN1_BIT_STRING_free(a->trust); - ASN1_BIT_STRING_free(a->notrust); + ASN1_BIT_STRING_free(a->reject); sk_ASN1_OBJECT_pop_free(a->othertrust, ASN1_OBJECT_free); - sk_ASN1_OBJECT_pop_free(a->othernotrust, ASN1_OBJECT_free); + sk_ASN1_OBJECT_pop_free(a->otherreject, ASN1_OBJECT_free); ASN1_UTF8STRING_free(a->alias); ASN1_TYPE_free(a->other); Free((char *)a); @@ -125,10 +125,10 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp) M_ASN1_I2D_vars(a); M_ASN1_I2D_len(a->trust, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_len_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING); + M_ASN1_I2D_len_IMP_opt(a->reject, i2d_ASN1_BIT_STRING); M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT); - M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1); + M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1); M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING); M_ASN1_I2D_len(a->other, i2d_ASN1_TYPE); @@ -136,10 +136,10 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp) M_ASN1_I2D_seq_total(); M_ASN1_I2D_put(a->trust, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_put_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING, 0); + M_ASN1_I2D_put_IMP_opt(a->reject, i2d_ASN1_BIT_STRING, 0); M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT); - M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1); + M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1); M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING); M_ASN1_I2D_put(a->other, i2d_ASN1_TYPE); @@ -184,19 +184,19 @@ int X509_trust_set_bit(X509 *x, int bit, int value) return ASN1_BIT_STRING_set_bit(aux->trust, bit, value); } -int X509_notrust_set_bit(X509 *x, int bit, int value) +int X509_reject_set_bit(X509 *x, int bit, int value) { X509_CERT_AUX *aux; if(bit == -1) { - if(x->aux && x->aux->notrust) { - ASN1_BIT_STRING_free(x->aux->notrust); - x->aux->notrust = NULL; + if(x->aux && x->aux->reject) { + ASN1_BIT_STRING_free(x->aux->reject); + x->aux->reject = NULL; } return 1; } if(!(aux = aux_get(x))) return 0; - if(!aux->notrust && !(aux->notrust = ASN1_BIT_STRING_new())) return 0; - return ASN1_BIT_STRING_set_bit(aux->notrust, bit, value); + if(!aux->reject && !(aux->reject = ASN1_BIT_STRING_new())) return 0; + return ASN1_BIT_STRING_set_bit(aux->reject, bit, value); } int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj) @@ -208,12 +208,12 @@ int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj) return sk_ASN1_OBJECT_push(aux->othertrust, obj); } -int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj) +int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj) { X509_CERT_AUX *aux; if(!(aux = aux_get(x))) return 0; - if(!aux->othernotrust - && !(aux->othernotrust = sk_ASN1_OBJECT_new_null())) return 0; - return sk_ASN1_OBJECT_push(aux->othernotrust, obj); + if(!aux->otherreject + && !(aux->otherreject = sk_ASN1_OBJECT_new_null())) return 0; + return sk_ASN1_OBJECT_push(aux->otherreject, obj); } diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h index c42bd6d391..839439aae0 100644 --- a/crypto/pkcs7/pkcs7.h +++ b/crypto/pkcs7/pkcs7.h @@ -247,7 +247,7 @@ PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL( unsigned char **pp, long length); #ifndef SSLEAY_MACROS -int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,EVP_MD *type, +int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,const EVP_MD *type, unsigned char *md,unsigned int *len); #ifndef NO_FP_API PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7); diff --git a/crypto/x509/Makefile.ssl b/crypto/x509/Makefile.ssl index f29efbaf9a..db2aa5057d 100644 --- a/crypto/x509/Makefile.ssl +++ b/crypto/x509/Makefile.ssl @@ -27,13 +27,13 @@ LIBSRC= x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \ x509_set.c x509rset.c x509_err.c \ x509name.c x509_v3.c x509_ext.c \ x509type.c x509_lu.c x_all.c x509_txt.c \ - by_file.c by_dir.c + x509_trs.c by_file.c by_dir.c LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \ x509_obj.o x509_req.o x509spki.o x509_vfy.o \ x509_set.o x509rset.o x509_err.o \ x509name.o x509_v3.o x509_ext.o \ x509type.o x509_lu.o x_all.o x509_txt.o \ - by_file.o by_dir.o + x509_trs.o by_file.o by_dir.o SRC= $(LIBSRC) diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index ed08dfb74a..227bbaf1ca 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -236,7 +236,7 @@ typedef struct x509_cinf_st * the end of the certificate itself */ -/* Bit values for trust/notrust */ +/* Bit values for trust/reject */ #define X509_TRUST_BIT_ALL 0 #define X509_TRUST_BIT_SSL_CLIENT 1 @@ -248,9 +248,9 @@ typedef struct x509_cinf_st typedef struct x509_cert_aux_st { ASN1_BIT_STRING *trust; /* trusted uses */ - ASN1_BIT_STRING *notrust; /* rejected uses */ + ASN1_BIT_STRING *reject; /* rejected uses */ STACK_OF(ASN1_OBJECT) *othertrust; /* extra uses */ - STACK_OF(ASN1_OBJECT) *othernotrust; /* extra rejected uses */ + STACK_OF(ASN1_OBJECT) *otherreject; /* extra rejected uses */ ASN1_UTF8STRING *alias; /* "friendly name" */ ASN1_TYPE *other; /* other unspecified info */ } X509_CERT_AUX; @@ -284,16 +284,29 @@ typedef struct x509_trust_st { int trust_flags; int (*check_trust)(struct x509_trust_st *, X509 *, int); char *trust_name; - int trust_bit; - void *usr_data; + int arg1; + void *arg2; } X509_TRUST; -/* X509 trust ids */ +DECLARE_STACK_OF(X509_TRUST) + +/* standard trust ids */ #define X509_TRUST_ANY 1 #define X509_TRUST_SSL_CLIENT 2 #define X509_TRUST_SSL_SERVER 3 #define X509_TRUST_EMAIL 4 +#define X509_TRUST_OBJECT_SIGN 5 + +/* trust_flags values */ +#define X509_TRUST_DYNAMIC 1 +#define X509_TRUST_DYNAMIC_NAME 2 + +/* check_trust return codes */ + +#define X509_TRUST_TRUSTED 1 +#define X509_TRUST_REJECTED 2 +#define X509_TRUST_UNTRUSTED 3 typedef struct X509_revoked_st { @@ -615,8 +628,8 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md); int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md); -int X509_digest(X509 *data,EVP_MD *type,unsigned char *md,unsigned int *len); -int X509_NAME_digest(X509_NAME *data,EVP_MD *type, +int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len); +int X509_NAME_digest(X509_NAME *data,const EVP_MD *type, unsigned char *md,unsigned int *len); #endif @@ -701,7 +714,7 @@ const char * X509_get_default_cert_dir_env(void ); const char * X509_get_default_cert_file_env(void ); const char * X509_get_default_private_dir(void ); -X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md); +X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey); void ERR_load_X509_strings(void ); @@ -803,12 +816,12 @@ X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp, int X509_alias_set(X509 *x, unsigned char *name, int len); unsigned char * X509_alias_get(X509 *x, int *len); int X509_trust_set_bit(X509 *x, int bit, int value); -int X509_notrust_set_bit(X509 *x, int bit, int value); +int X509_reject_set_bit(X509 *x, int bit, int value); int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj); -int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj); +int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj); int X509_trust_set_bit_asc(X509 *x, char *str, int value); -int X509_notrust_set_bit_asc(X509 *x, char *str, int value); +int X509_reject_set_bit_asc(X509 *x, char *str, int value); X509_REVOKED * X509_REVOKED_new(void); void X509_REVOKED_free(X509_REVOKED *a); @@ -857,7 +870,7 @@ char * X509_NAME_oneline(X509_NAME *a,char *buf,int size); int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1, ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey); -int ASN1_digest(int (*i2d)(),EVP_MD *type,char *data, +int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data, unsigned char *md,unsigned int *len); int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2, @@ -1040,6 +1053,17 @@ EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8); PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey); PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken); +int X509_check_trust(X509 *x, int id, int flags); +int X509_TRUST_get_count(void); +X509_TRUST * X509_TRUST_iget(int idx); +int X509_TRUST_get_by_id(int id); +int X509_TRUST_add(X509_TRUST *xp); +void X509_TRUST_cleanup(void); +void X509_TRUST_add_standard(void); +int X509_TRUST_get_id(X509_TRUST *xp); +char *X509_TRUST_iget_name(X509_TRUST *xp); +int X509_TRUST_get_trust(X509_TRUST *xp); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -1077,6 +1101,7 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken); #define X509_F_X509_STORE_ADD_CERT 124 #define X509_F_X509_STORE_ADD_CRL 125 #define X509_F_X509_TO_X509_REQ 126 +#define X509_F_X509_TRUST_ADD 133 #define X509_F_X509_VERIFY_CERT 127 /* Reason codes. */ diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index 58e13c6c6b..c185bc02f8 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -94,6 +94,7 @@ static ERR_STRING_DATA X509_str_functs[]= {ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0), "X509_STORE_add_cert"}, {ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0), "X509_STORE_add_crl"}, {ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"}, +{ERR_PACK(0,X509_F_X509_TRUST_ADD,0), "X509_TRUST_ADD"}, {ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"}, {0,NULL} }; diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index b52a59c263..b20305c6ee 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -66,7 +66,7 @@ #include #include -X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md) +X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { X509_REQ *ret; X509_REQ_INFO *ri; diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 4973c18eae..e2db82780d 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -411,19 +411,19 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne) (char *(*)())d2i_X509_NAME_ENTRY,(char *)ne)); } -int X509_digest(X509 *data, EVP_MD *type, unsigned char *md, +int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len)); } -int X509_NAME_digest(X509_NAME *data, EVP_MD *type, unsigned char *md, +int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len)); } -int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, EVP_MD *type, +int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type, diff --git a/doc/man/x509.pod b/doc/man/x509.pod index 7e2036e65a..9f8c947612 100644 --- a/doc/man/x509.pod +++ b/doc/man/x509.pod @@ -29,9 +29,9 @@ B B [B<-noout>] [B<-trustout>] [B<-clrtrust>] -[B<-clrnotrust>] +[B<-clrreject>] [B<-addtrust arg>] -[B<-addnotrust arg>] +[B<-addreject arg>] [B<-setalias arg>] [B<-days arg>] [B<-signkey filename>] @@ -59,7 +59,7 @@ Since there are a large number of options they will split up into various sections. -=head1 INPUT AND OUTPUT OPTIONS +=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS =over 4 @@ -87,6 +87,14 @@ if this option is not specified. This specifies the output filename to write to or standard output by default. +=item B<-md2|-md5|-sha1|-mdc2> + +the digest to use. This affects any signing or display option that uses a message +digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not +specified then MD5 is used. If the key being used to sign with is a DSA key then +this option has no effect: SHA1 is always used with DSA keys. + + =back =head1 DISPLAY OPTIONS @@ -143,7 +151,7 @@ prints out the start and expiry dates of a certificate. =item B<-fingerprint> -prints out the MD5 digest of the whole certificate. +prints out the digest of the DER encoded version of the whole certificate. =item B<-C> @@ -201,7 +209,7 @@ outputs the certificate alias, if any. clears all the permitted or trusted uses of the certificate. -=item B<-clrnotrust> +=item B<-clrreject> clears all the prohibited or untrusted uses of the certificate. @@ -211,7 +219,7 @@ adds a trusted certificate use. Currently acceptable values are all (any purpose), sslclient (SSL client use), sslserver (SSL server use) email (S/MIME email) and objsign (Object signing). -=item B<-addnotrust arg> +=item B<-addreject arg> adds a prohibited use. It accepts the same values as the B<-addtrust> option. @@ -311,11 +319,6 @@ with this option the CA serial number file is created if it does not exist: it will contain the serial number "01". Normally if the B<-CA> option is specified and the serial number file does not exist it is an error. -=item B<-md2|-md5|-sha1|-mdc2> - -the digest to sign with. It affects all commands that sign a certificate -or request. - =item B<-extfile filename> file containing certificate extensions to use. If not specified then @@ -339,10 +342,17 @@ Display the contents of a certificate: openssl x509 -in cert.pem -noout -text -Displa the certificate serial number: +Display the certificate serial number: openssl x509 -in cert.pem -noout -serial +Display the certificate MD5 fingerprint: + + openssl x509 -in cert.pem -noout -fingerprint + +Display the certificate SHA1 fingerprint: + + openssl x509 -sha1 -in cert.pem -noout -fingerprint Convert a certificate from PEM to DER format: @@ -383,6 +393,18 @@ it will also handle files containing: -----BEGIN X509 CERTIFICATE---- -----END X509 CERTIFICATE---- +Trusted certificates have the lines + + -----BEGIN TRUSTED CERTIFICATE---- + -----END TRUSTED CERTIFICATE---- + +The B<-fingerprint> option takes the digest of the DER encoded certificate. +This is commonly called a "fingerprint". Because of the nature of message +digests the fingerprint of a certificate is unique to that certificate and +two certificates with the same fingerprint can be considered to be the same. + +The Netscape fingerprint uses MD5 whereas MSIE uses SHA1. + =head1 BUGS The way DNs are printed is in a "historical SSLeay" format which doesn't @@ -396,7 +418,7 @@ It is possible to produce invalid certificates or requests by specifying the wrong private key or using inconsistent options in some cases: these should be checked. -There should be options to explicitly set such things are start and end +There should be options to explicitly set such things as start and end dates rather than an offset from the current time. The code to implement the verify behaviour described in the B @@ -404,7 +426,6 @@ is currently being developed. It thus describes the intended behavior rather than the current behaviour. It is hoped that it will represent reality in OpenSSL 0.9.5 and later. - =head1 SEE ALSO req(1), ca(1), genrsa(1), gendsa(1)