apps: silent warning when loading CSR files with vfyopt option

When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:

  Warning: CSR self-signature does not match the contents

This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)

diff --git a/apps/ca.c b/apps/ca.c
index 50bb944969346b8bd26024c40f91d38cc2b30070..5952e3320f74851cf96c94e7d8390a3293469802 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1375,7 +1375,7 @@ static int certify(X509 **xret, const char *infile, int informat,
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    req = load_csr_autofmt(infile, informat, "certificate request");
+    req = load_csr_autofmt(infile, informat, vfyopts, "certificate request");
     if (req == NULL)
         goto end;
     if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {

diff --git a/apps/cmp.c b/apps/cmp.c
index 84c5d89d7a74f0cc0bbd18395a49684d60c0550a..6cd3d7e7c015e4e3371d559e4025c1ad0b0e086f 100644 (file)
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1643,7 +1643,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         if (opt_cmd == CMP_GENM) {
             CMP_warn("-csr option is ignored for command 'genm'");
         } else {
-            csr = load_csr_autofmt(opt_csr, FORMAT_UNDEF, "PKCS#10 CSR");
+            csr = load_csr_autofmt(opt_csr, FORMAT_UNDEF, NULL, "PKCS#10 CSR");
             if (csr == NULL)
                 return 0;
             if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr))

diff --git a/apps/include/apps.h b/apps/include/apps.h
index e603d07868f13801a8d4c42f5b209de5d1829bf1..b48937a8c2aac9059ee5066ee38b69693636591b 100644 (file)
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -114,7 +114,8 @@ char *get_passwd(const char *pass, const char *desc);
 int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
 int add_oid_section(CONF *conf);
 X509_REQ *load_csr(const char *file, int format, const char *desc);
-X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc);
+X509_REQ *load_csr_autofmt(const char *infile, int format,
+                           STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc);
 X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
                      const char *pass, const char *desc);
 # define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)

diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 6f9bf4a6c8440edb1c2e72b1f49d42b9caf71b4d..701ed6d7dcc52bfecd8c410f943ef547d58922a0 100644 (file)
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -527,7 +527,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc)
 }
 
 /* Better extend OSSL_STORE to support CSRs, see FR #15725 */
-X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc)
+X509_REQ *load_csr_autofmt(const char *infile, int format,
+                           STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc)
 {
     X509_REQ *csr;
 
@@ -550,12 +551,12 @@ X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc)
     }
     if (csr != NULL) {
         EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
-        int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);
+        int ret = do_X509_REQ_verify(csr, pkey, vfyopts);
 
         if (pkey == NULL || ret < 0)
-            BIO_puts(bio_err, "Warning: error while verifying CSR self-signature");
+            BIO_puts(bio_err, "Warning: error while verifying CSR self-signature\n");
         else if (ret == 0)
-            BIO_puts(bio_err, "Warning: CSR self-signature does not match the contents");
+            BIO_puts(bio_err, "Warning: CSR self-signature does not match the contents\n");
         return csr;
     }
     return csr;

diff --git a/apps/req.c b/apps/req.c
index fa0c9a050ae09c10ecf39d18dd1244ef85ce5341..649ba99f0b0b66a295a3ab4cecf1030478ef5935 100644 (file)
--- a/apps/req.c
+++ b/apps/req.c
@@ -738,7 +738,7 @@ int req_main(int argc, char **argv)
             BIO_printf(bio_err,
                        "Warning: Not placing -key in cert or request since request is used\n");
         req = load_csr_autofmt(infile /* if NULL, reads from stdin */,
-                               informat, "X509 request");
+                               informat, vfyopts, "X509 request");
         if (req == NULL)
             goto end;
     } else if (infile != NULL) {

diff --git a/apps/x509.c b/apps/x509.c
index e10afc59f6df13ad1b6bf64fa384bc59f354cbf3..7a935e1f70b88c41256db268db9d1ad18e388eca 100644 (file)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -706,7 +706,8 @@ int x509_main(int argc, char **argv)
         if (infile == NULL)
             BIO_printf(bio_err,
                        "Warning: Reading cert request from stdin since no -in option is given\n");
-        req = load_csr_autofmt(infile, informat, "certificate request input");
+        req = load_csr_autofmt(infile, informat, vfyopts,
+                               "certificate request input");
         if (req == NULL)
             goto end;