PR: 2136
authorDr. Stephen Henson <steve@openssl.org>
Tue, 12 Jan 2010 17:29:34 +0000 (17:29 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 12 Jan 2010 17:29:34 +0000 (17:29 +0000)
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0

CHANGES
apps/x509.c
crypto/x509/x509.h
crypto/x509/x509_cmp.c
doc/apps/x509.pod

diff --git a/CHANGES b/CHANGES
index 5a67bf0..ca5075c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 
  Changes between 0.9.8m (?) and 1.0.0  [xx XXX xxxx]
 
+  *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
+     output hashes compatible with older versions of OpenSSL.
+     [Willy Weisz <weisz@vcpc.univie.ac.at>]
+
   *) Fix compression algorithm handling: if resuming a session use the
      compression algorithm of the resumed session instead of determining
      it from client hello again. Don't allow server to change algorithm.
index 0be3414..e7e46d7 100644 (file)
@@ -99,7 +99,13 @@ static const char *x509_usage[]={
 " -passin arg     - private key password source\n",
 " -serial         - print serial number value\n",
 " -subject_hash   - print subject hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -subject_hash_old   - print old-style (MD5) subject hash value\n",
+#endif
 " -issuer_hash    - print issuer hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -issuer_hash_old    - print old-style (MD5) issuer hash value\n",
+#endif
 " -hash           - synonym for -subject_hash\n",
 " -subject        - print subject DN\n",
 " -issuer         - print issuer DN\n",
@@ -179,6 +185,9 @@ int MAIN(int argc, char **argv)
        int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
        int next_serial=0;
        int subject_hash=0,issuer_hash=0,ocspid=0;
+#ifndef OPENSSL_NO_MD5
+       int subject_hash_old=0,issuer_hash_old=0;
+#endif
        int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
        int ocsp_uri=0;
        int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
@@ -397,8 +406,16 @@ int MAIN(int argc, char **argv)
                else if (strcmp(*argv,"-hash") == 0
                        || strcmp(*argv,"-subject_hash") == 0)
                        subject_hash= ++num;
+#ifndef OPENSSL_NO_MD5
+               else if (strcmp(*argv,"-subject_hash_old") == 0)
+                       subject_hash_old= ++num;
+#endif
                else if (strcmp(*argv,"-issuer_hash") == 0)
                        issuer_hash= ++num;
+#ifndef OPENSSL_NO_MD5
+               else if (strcmp(*argv,"-issuer_hash_old") == 0)
+                       issuer_hash_old= ++num;
+#endif
                else if (strcmp(*argv,"-subject") == 0)
                        subject= ++num;
                else if (strcmp(*argv,"-issuer") == 0)
@@ -759,10 +776,22 @@ bad:
                                {
                                BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
                                }
+#ifndef OPENSSL_NO_MD5
+                       else if (subject_hash_old == i)
+                               {
+                               BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x));
+                               }
+#endif
                        else if (issuer_hash == i)
                                {
                                BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
                                }
+#ifndef OPENSSL_NO_MD5
+                       else if (issuer_hash_old == i)
+                               {
+                               BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x));
+                               }
+#endif
                        else if (pprint == i)
                                {
                                X509_PURPOSE *ptmp;
index 25f536d..a2383b3 100644 (file)
@@ -961,6 +961,11 @@ unsigned long      X509_issuer_name_hash(X509 *a);
 int            X509_subject_name_cmp(const X509 *a, const X509 *b);
 unsigned long  X509_subject_name_hash(X509 *x);
 
+#ifndef OPENSSL_NO_MD5
+unsigned long  X509_issuer_name_hash_old(X509 *a);
+unsigned long  X509_subject_name_hash_old(X509 *x);
+#endif
+
 int            X509_cmp(const X509 *a, const X509 *b);
 int            X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
 unsigned long  X509_NAME_hash(X509_NAME *x);
index dd55b6e..a75876e 100644 (file)
@@ -138,6 +138,13 @@ unsigned long X509_issuer_name_hash(X509 *x)
        return(X509_NAME_hash(x->cert_info->issuer));
        }
 
+#ifndef OPENSSL_NO_MD5
+unsigned long X509_issuer_name_hash_old(X509 *x)
+       {
+       return(X509_NAME_hash_old(x->cert_info->issuer));
+       }
+#endif
+
 X509_NAME *X509_get_subject_name(X509 *a)
        {
        return(a->cert_info->subject);
@@ -153,6 +160,13 @@ unsigned long X509_subject_name_hash(X509 *x)
        return(X509_NAME_hash(x->cert_info->subject));
        }
 
+#ifndef OPENSSL_NO_MD5
+unsigned long X509_subject_name_hash_old(X509 *x)
+       {
+       return(X509_NAME_hash_old(x->cert_info->subject));
+       }
+#endif
+
 #ifndef OPENSSL_NO_SHA
 /* Compare two certificates: they must be identical for
  * this to work. NB: Although "cmp" operations are generally
index 09aaed4..3002b08 100644 (file)
@@ -158,6 +158,16 @@ outputs the "hash" of the certificate issuer name.
 
 synonym for "-subject_hash" for backward compatibility reasons.
 
+=item B<-subject_hash_old>
+
+outputs the "hash" of the certificate subject name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
+=item B<-issuer_hash_old>
+
+outputs the "hash" of the certificate issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
 =item B<-subject>
 
 outputs the subject name.
@@ -837,4 +847,10 @@ L<x509v3_config(5)|x509v3_config(5)>
 
 Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
 
+The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
+before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
+of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
+canonical version of the DN using SHA1. This means that any directories using
+the old form must have their links rebuilt using B<c_rehash> or similar. 
+
 =cut