diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-05-11 15:41:08 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-07-28 09:17:56 +0200 |
commit | ef8980176d53d85ff96d913a647c01d07e144c5d (patch) | |
tree | 489ddabbd96ef452c16b004018390000e9f9fed4 | |
parent | 846f96f821260ca83cc93bfa35207864b05abec5 (diff) |
Deprecate -nodes in favor of -noenc in pkcs12 and req app
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12495)
-rw-r--r-- | apps/pkcs12.c | 6 | ||||
-rw-r--r-- | apps/req.c | 12 | ||||
-rw-r--r-- | doc/man1/openssl-pkcs12.pod.in | 10 | ||||
-rw-r--r-- | doc/man1/openssl-req.pod.in | 10 | ||||
-rwxr-xr-x | test/certs/setup.sh | 2 | ||||
-rw-r--r-- | test/recipes/80-test_tsa.t | 2 | ||||
-rw-r--r-- | test/recipes/90-test_store.t | 2 | ||||
-rw-r--r-- | test/smime-certs/mksmime-certs.sh | 22 |
8 files changed, 41 insertions, 25 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 18f9550ded..ca83e2d1be 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -57,7 +57,7 @@ typedef enum OPTION_choice { OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS, OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER, OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, - OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, + OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, @@ -129,7 +129,8 @@ const OPTIONS pkcs12_options[] = { {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"}, {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"}, {"nomac", OPT_NOMAC, '-', "Don't generate MAC"}, - {"nodes", OPT_NODES, '-', "Don't encrypt private keys"}, + {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"}, + {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, OPT_R_OPTIONS, @@ -240,6 +241,7 @@ int pkcs12_main(int argc, char **argv) macalg = opt_arg(); break; case OPT_NODES: + case OPT_NOENC: enc = NULL; break; case OPT_CERTPBE: diff --git a/apps/req.c b/apps/req.c index bee0329b24..8931e9829f 100644 --- a/apps/req.c +++ b/apps/req.c @@ -93,7 +93,7 @@ typedef enum OPTION_choice { OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT, OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY, OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, - OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, + OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS, OPT_REQEXTS, OPT_PRECERT, OPT_MD, @@ -157,7 +157,8 @@ const OPTIONS req_options[] = { {"batch", OPT_BATCH, '-', "Do not ask anything during request generation"}, {"verbose", OPT_VERBOSE, '-', "Verbose output"}, - {"nodes", OPT_NODES, '-', "Don't encrypt the output key"}, + {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"}, + {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"}, {"noout", OPT_NOOUT, '-', "Do not output REQ"}, {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"}, {"modulus", OPT_MODULUS, '-', "RSA modulus"}, @@ -257,7 +258,7 @@ int req_main(int argc, char **argv) int pkey_type = -1, private = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0; - int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; + int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; long newkey = -1; unsigned long chtype = MBSTRING_ASC, reqflag = 0; @@ -375,7 +376,8 @@ int req_main(int argc, char **argv) verify = 1; break; case OPT_NODES: - nodes = 1; + case OPT_NOENC: + noenc = 1; break; case OPT_NOOUT: noout = 1; @@ -693,7 +695,7 @@ int req_main(int argc, char **argv) } if ((p != NULL) && (strcmp(p, "no") == 0)) cipher = NULL; - if (nodes) + if (noenc) cipher = NULL; i = 0; diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 8c819c56f8..3a97a81517 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -36,6 +36,7 @@ B<openssl> B<pkcs12> [B<-camellia128>] [B<-camellia192>] [B<-camellia256>] +[B<-noenc>] [B<-nodes>] [B<-iter> I<count>] [B<-noiter>] @@ -146,10 +147,14 @@ Use ARIA to encrypt private keys before outputting. Use Camellia to encrypt private keys before outputting. -=item B<-nodes> +=item B<-noenc> Don't encrypt the private keys at all. +=item B<-nodes> + +This option is deprecated since OpenSSL 3.0; use B<-noenc> instead. + =item B<-nomacver> Don't attempt to verify the integrity MAC before reading the file. @@ -344,7 +349,7 @@ Output only client certificates to a file: Don't encrypt the private key: - openssl pkcs12 -in file.p12 -out file.pem -nodes + openssl pkcs12 -in file.p12 -out file.pem -noenc Print some info about a PKCS#12 file: @@ -368,6 +373,7 @@ L<ossl_store-file(7)> =head1 HISTORY The B<-engine> option was deprecated in OpenSSL 3.0. +The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead. =head1 COPYRIGHT diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 07354453be..1af355b5b3 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -23,6 +23,7 @@ B<openssl> B<req> [B<-new>] [B<-newkey> I<arg>] [B<-pkeyopt> I<opt>:I<value>] +[B<-noenc>] [B<-nodes>] [B<-key> I<filename>] [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] @@ -198,11 +199,15 @@ This gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used. -=item B<-nodes> +=item B<-noenc> If this option is specified then if a private key is created it will not be encrypted. +=item B<-nodes> + +This option is deprecated since OpenSSL 3.0; use B<-noenc> instead. + =item B<-I<digest>> This specifies the message digest to sign the request. @@ -394,7 +399,7 @@ It is used for private key generation. =item B<encrypt_key> If this is set to B<no> then if a private key is generated it is -B<not> encrypted. This is equivalent to the B<-nodes> command line +B<not> encrypted. This is equivalent to the B<-noenc> command line option. For compatibility B<encrypt_rsa_key> is an equivalent option. =item B<default_md> @@ -696,6 +701,7 @@ All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 and have no effect. The B<-engine> option was deprecated in OpenSSL 3.0. +The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead. =head1 COPYRIGHT diff --git a/test/certs/setup.sh b/test/certs/setup.sh index d1c56bb56d..85ae5ed3c1 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -375,7 +375,7 @@ OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \ "Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \ server-ecdsa-brainpoolP256r1-cert rootkey rootcert -openssl req -new -nodes -subj "/CN=localhost" \ +openssl req -new -noenc -subj "/CN=localhost" \ -newkey rsa-pss -keyout server-pss-restrict-key.pem \ -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \ ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \ diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t index 859dacbdd1..3a4d729d0d 100644 --- a/test/recipes/80-test_tsa.t +++ b/test/recipes/80-test_tsa.t @@ -97,7 +97,7 @@ indir "tsa" => sub $ENV{TSDNSECT} = "ts_ca_dn"; skip "failed", 19 unless ok(run(app(["openssl", "req", "-config", $openssl_conf, - "-new", "-x509", "-nodes", + "-new", "-x509", "-noenc", "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])), 'creating a new CA for the TSA tests'); diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 9f4eaa2961..57c2e6e9c2 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -317,7 +317,7 @@ sub init { }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files)) # *-cert.pem (intermediary for the .p12 inits) && run(app(["openssl", "req", "-x509", - "-config", $cnf, "-nodes", + "-config", $cnf, "-noenc", "-key", $cakey, "-out", "cacert.pem"])) && runall(sub { my $srckey = shift; diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh index e6803ef74f..9316831d64 100644 --- a/test/smime-certs/mksmime-certs.sh +++ b/test/smime-certs/mksmime-certs.sh @@ -14,22 +14,22 @@ OPENSSL_CONF=./ca.cnf export OPENSSL_CONF # Root CA: create certificate directly -CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \ +CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \ -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650 # EE RSA certificates: create request first -CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -noenc \ -keyout smrsa1.pem -out req.pem -newkey rsa:2048 # Sign request: end entity extensions $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem -CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -noenc \ -keyout smrsa2.pem -out req.pem -newkey rsa:2048 $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem -CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \ -keyout smrsa3.pem -out req.pem -newkey rsa:2048 $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem @@ -38,15 +38,15 @@ $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ $OPENSSL dsaparam -out dsap.pem 2048 -CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -noenc \ -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem -CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -noenc \ -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem -CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -noenc \ -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem @@ -56,15 +56,15 @@ $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ $OPENSSL ecparam -out ecp.pem -name P-256 $OPENSSL ecparam -out ecp2.pem -name K-283 -CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -noenc \ -keyout smec1.pem -out req.pem -newkey ec:ecp.pem $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem -CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -noenc \ -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem -CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \ -keyout smec3.pem -out req.pem -newkey ec:ecp.pem $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem @@ -75,7 +75,7 @@ $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_type:2 \ $OPENSSL genpkey -paramfile dhp.pem -out smdh.pem $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem # Generate dummy request. -CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -nodes \ +CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \ -keyout smtmp.pem -out req.pem -newkey rsa:2048 # Sign request but force public key to DH $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ |