diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-02 13:52:23 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-10 12:07:33 +0200 |
| commit | 5a0991d0d94b966e0621b8123873b132877dc9d3 (patch) | |
| tree | c4fd5cd639741a863010a23472cfc005556610cd | |
| parent | 5fdcde816f6ee9ef048977c14427e2b0b63f47b6 (diff) | |
Add/harmonize multi-valued RDN support and doc of ca, cmp, req, storeutl, and x509 apps
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
| -rw-r--r-- | apps/ca.c | 6 | ||||
| -rw-r--r-- | apps/cmp.c | 2 | ||||
| -rw-r--r-- | apps/lib/apps.c | 7 | ||||
| -rw-r--r-- | apps/req.c | 6 | ||||
| -rw-r--r-- | apps/x509.c | 2 | ||||
| -rw-r--r-- | doc/man1/openssl-ca.pod.in | 20 | ||||
| -rw-r--r-- | doc/man1/openssl-cmp.pod.in | 23 | ||||
| -rw-r--r-- | doc/man1/openssl-req.pod.in | 22 | ||||
| -rw-r--r-- | doc/man1/openssl-storeutl.pod.in | 10 | ||||
| -rw-r--r-- | doc/man1/openssl-x509.pod.in | 12 |
10 files changed, 65 insertions, 45 deletions
@@ -200,7 +200,7 @@ const OPTIONS ca_options[] = { {"rand_serial", OPT_RAND_SERIAL, '-', "Always create a random serial; do not store it"}, {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', - "Enable support for multivalued RDNs"}, + "Deprecated; multi-valued RDNs support is always on."}, {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"}, {"enddate", OPT_ENDDATE, 's', "YYMMDDHHMMSSZ cert notAfter (overrides -days)"}, @@ -288,7 +288,7 @@ int ca_main(int argc, char **argv) size_t outdirlen = 0; int create_ser = 0, free_passin = 0, total = 0, total_done = 0; int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; - int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0; + int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0; int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret; long crldays = 0, crlhours = 0, crlsec = 0, days = 0; @@ -344,7 +344,7 @@ opthelp: create_ser = 1; break; case OPT_MULTIVALUE_RDN: - multirdn = 1; + /* obsolete */ break; case OPT_STARTDATE: startdate = opt_arg(); diff --git a/apps/cmp.c b/apps/cmp.c index 1c3b592f7f..ce2513bd0d 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -893,7 +893,7 @@ static int set_name(const char *str, OSSL_CMP_CTX *ctx, const char *desc) { if (str != NULL) { - X509_NAME *n = parse_name(str, MBSTRING_ASC, 0, desc); + X509_NAME *n = parse_name(str, MBSTRING_ASC, 1, desc); if (n == NULL) return 0; diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 878ec18f0b..d3f3f6d2b6 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -1647,7 +1647,8 @@ int parse_yesno(const char *str, int def) /* * name is expected to be in the format /type0=value0/type1=value1/type2=... - * where characters may be escaped by \ + * where + can be used instead of / to form multi-valued RDNs if canmulti + * and characters may be escaped by \ */ X509_NAME *parse_name(const char *cp, int chtype, int canmulti, const char *desc) @@ -1700,6 +1701,7 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti, /* Collect the value. */ valstr = (unsigned char *)bp; for (; *cp != '\0' && *cp != '/'; *bp++ = *cp++) { + /* unescaped '+' symbol string signals further member of multiRDN */ if (canmulti && *cp == '+') { nextismulti = 1; break; @@ -1723,6 +1725,9 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti, BIO_printf(bio_err, "%s: Skipping unknown %s name attribute \"%s\"\n", opt_getprog(), desc, typestr); + if (ismulti) + BIO_printf(bio_err, + "Hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n"); continue; } if (*valstr == '\0') { diff --git a/apps/req.c b/apps/req.c index 46739554bd..2cc9ebf43d 100644 --- a/apps/req.c +++ b/apps/req.c @@ -127,7 +127,7 @@ const OPTIONS req_options[] = { {"subj", OPT_SUBJ, 's', "Set or modify request subject"}, {"subject", OPT_SUBJECT, '-', "Output the request's subject"}, {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', - "Enable support for multivalued RDNs"}, + "Deprecated; multi-valued RDNs support is always on."}, {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, {"addext", OPT_ADDEXT, 's', @@ -257,7 +257,7 @@ int req_main(int argc, char **argv) int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0; int pkey_type = -1, private = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; - int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0; + int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0; int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; long newkey = -1; unsigned long chtype = MBSTRING_ASC, reqflag = 0; @@ -421,7 +421,7 @@ int req_main(int argc, char **argv) subj = opt_arg(); break; case OPT_MULTIVALUE_RDN: - multirdn = 1; + /* obsolete */ break; case OPT_ADDEXT: p = opt_arg(); diff --git a/apps/x509.c b/apps/x509.c index 64a1cadc97..169530f6d6 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -179,7 +179,7 @@ int x509_main(int argc, char **argv) char *subj = NULL; X509_NAME *fsubj = NULL; const unsigned long chtype = MBSTRING_ASC; - const int multirdn = 0; + const int multirdn = 1; STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL; X509 *x = NULL, *xca = NULL; diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 7d7f0752f3..d196565422 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -285,11 +285,17 @@ used). =item B<-subj> I<arg> Supersedes subject name given in the request. + The arg must be formatted as C</type0=value0/type1=value1/type2=...>. -Keyword characters may be escaped by C<\> (backslash), and whitespace is -retained. +Special characters may be escaped by C<\> (backslash), whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the resulting certificate. +Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN). +Multi-valued RDNs can be formed by placing a C<+> character instead of a C</> +between the AttributeValueAssertions (AVAs) that specify the members of the set. +Example: + +C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> =item B<-utf8> @@ -313,12 +319,7 @@ This overrides any option or configuration to use a serial number file. =item B<-multivalue-rdn> -This option causes the -subj argument to be interpreted with full -support for multivalued RDNs. Example: - -C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> - -If B<-multi-rdn> is not used then the UID value is C<123456+CN=John Doe>. +This option has been deprecated and has no effect. {- $OpenSSL::safe::opt_r_item -} @@ -791,7 +792,8 @@ retained mainly for compatibility reasons. The B<-section> option was added in OpenSSL 3.0.0. -The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect. +The B<-certform> and B<-multivalue-rdn> options +have become obsolete in OpenSSL 3.0.0 and have no effect. All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 and have no effect. diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 9389701893..44f71b8358 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -268,20 +268,24 @@ For KUR, it defaults to the subject DN of the reference certificate (see B<-oldcert>). This default is used for IR and CR only if no SANs are set. -The argument must be formatted as I</type0=value0/type1=value1/type2=...>, -characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped. - The subject DN is also used as fallback sender of outgoing CMP messages if no B<-cert> and no B<-oldcert> are given. +The argument must be formatted as I</type0=value0/type1=value1/type2=...>. +Special characters may be escaped by C<\> (backslash), whitespace is retained. +Empty values are permitted, but the corresponding type will not be included. +Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN). +Multi-valued RDNs can be formed by placing a C<+> character instead of a C</> +between the AttributeValueAssertions (AVAs) that specify the members of the set. +Example: + +C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> + =item B<-issuer> I<name> X509 issuer Distinguished Name (DN) of the CA server to place in the requested certificate template in IR/CR/KUR. -The argument must be formatted as I</type0=value0/type1=value1/type2=...>, -characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped. - If neither B<-srvcert> nor B<-recipient> is available, the name given in this option is also set as the recipient of the CMP message. @@ -519,10 +523,6 @@ and as default value for the expected sender of incoming CMP messages. Distinguished Name (DN) to use in the recipient field of CMP request messages, i.e., the CMP server (usually the addressed CA). -The argument must be formatted as I</type0=value0/type1=value1/type2=...>, -characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped. -The empty name (NULL-DN) can be given explicitly as a single slash: 'I</>'. - The recipient field in the header of a CMP message is mandatory. If not given explicitly the recipient is determined in the following order: the subject of the CMP server certificate given with the B<-srvcert> option, @@ -536,9 +536,6 @@ as far as any of those is present, else the NULL-DN as last resort. Distinguished Name (DN) expected in the sender field of incoming CMP messages. Defaults to the subject DN of the pinned B<-srvcert>, if any. -The argument must be formatted as I</type0=value0/type1=value1/type2=...>, -characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped. - This can be used to make sure that only a particular entity is accepted as CMP message signer, and attackers are not able to use arbitrary certificates of a trusted PKI hierarchy to fraudulently pose as a CMP server. diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 1af355b5b3..52b2326d78 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -32,7 +32,6 @@ B<openssl> B<req> [B<-I<digest>>] [B<-config> I<filename>] [B<-section> I<name>] -[B<-multivalue-rdn>] [B<-x509>] [B<-days> I<n>] [B<-set_serial> I<n>] @@ -45,6 +44,7 @@ B<openssl> B<req> [B<-reqopt>] [B<-subject>] [B<-subj> I<arg>] +[B<-multivalue-rdn>] [B<-sigopt> I<nm>:I<v>] [B<-vfyopt> I<nm>:I<v>] [B<-batch>] @@ -233,19 +233,21 @@ Specifies the name of the section to use; the default is B<req>. Sets subject name for new request or supersedes the subject name when processing a request. + The arg must be formatted as C</type0=value0/type1=value1/type2=...>. -Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Special characters may be escaped by C<\> (backslash), whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the request. - -=item B<-multivalue-rdn> - -This option causes the -subj argument to be interpreted with full -support for multivalued RDNs. Example: +Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN). +Multi-valued RDNs can be formed by placing a C<+> character instead of a C</> +between the AttributeValueAssertions (AVAs) that specify the members of the set. +Example: C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> -If -multi-rdn is not used then the UID value is C<123456+CN=John Doe>. +=item B<-multivalue-rdn> + +This option has been deprecated and has no effect. =item B<-x509> @@ -697,8 +699,8 @@ L<x509v3_config(5)> The B<-section> option was added in OpenSSL 3.0.0. -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. +All B<-keyform> values except B<ENGINE> and the B<-multivalue-rdn> option +have become obsolete in OpenSSL 3.0.0 and have no effect. The B<-engine> option was deprecated in OpenSSL 3.0. The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead. diff --git a/doc/man1/openssl-storeutl.pod.in b/doc/man1/openssl-storeutl.pod.in index 2c92f825a0..bc2eec17f7 100644 --- a/doc/man1/openssl-storeutl.pod.in +++ b/doc/man1/openssl-storeutl.pod.in @@ -80,11 +80,19 @@ returned. =item B<-subject> I<arg> Search for an object having the subject name I<arg>. + The arg must be formatted as C</type0=value0/type1=value1/type2=...>. -Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Special characters may be escaped by C<\> (backslash), whitespace is retained. Empty values are permitted but are ignored for the search. That is, a search with an empty value will have the same effect as not specifying the type at all. +Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN). +Multi-valued RDNs can be formed by placing a C<+> character instead of a C</> +between the AttributeValueAssertions (AVAs) that specify the members of the set. + +Example: + +C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> =item B<-issuer> I<arg> diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 8eb35e537e..fb4be2c264 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -517,11 +517,17 @@ generate a certificate containing any desired public key. =item B<-subj> I<arg> When a certificate is created set its subject name to the given value. + The arg must be formatted as C</type0=value0/type1=value1/type2=...>. -Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Special characters may be escaped by C<\> (backslash), whitespace is retained. Empty values are permitted, but the corresponding type will not be included -in the certificate. Giving a single C</> will lead to an empty sequence of RDNs -(a NULL subject DN). +in the certificate. +Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN). +Multi-valued RDNs can be formed by placing a C<+> character instead of a C</> +between the AttributeValueAssertions (AVAs) that specify the members of the set. +Example: + +C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> Unless the B<-CA> option is given the issuer is set to the same value. |