author | Richard Levitte <levitte@openssl.org> | 2020-03-10 23:08:59 +0100 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2020-03-15 19:42:05 +0100 |
commit | 2292c8e17f0b870b48bb7a5f8ed8c37dfb36580f (patch) | |
tree | a1cc84c4ddd4f8eb4850c75f46b815ac0d7e81e7 /apps/x509.c | |
parent | aba9bca31cc2507671e25f7ca8e642fce5e38671 (diff) |
APPS: Remove all traces of special SM2 treatment.
SM2 IDs are now passed entirely as '-pkeyopt', '-sigopt' or '-vfyopt'
values, just like any other valid option.
Fixes #11293
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11302)
Diffstat (limited to 'apps/x509.c')
-rw-r--r-- | apps/x509.c | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/apps/x509.c b/apps/x509.c
index 3176cf528c..e2a68828e3 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -33,7 +33,9 @@
 #define DEF_DAYS 30
 
 static int callb(int ok, X509_STORE_CTX *ctx);
-static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext,
+static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey,
+ STACK_OF(OPENSSL_STRING) *sigopts,
+ int days, int clrext,
 const EVP_MD *digest, CONF *conf, const char *section,
 int preserve_dates);
 static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest,
@@ -48,7 +50,7 @@ static int print_x509v3_exts(BIO *bio, X509 *x, const char *exts);
 typedef enum OPTION_choice {
 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
 OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
- OPT_CAKEYFORM, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE,
+ OPT_CAKEYFORM, OPT_VFYOPT, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE,
 OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, OPT_CAKEY,
 OPT_CASERIAL, OPT_SET_SERIAL, OPT_NEW, OPT_FORCE_PUBKEY, OPT_SUBJ,
 OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT,
@@ -80,6 +82,7 @@ const OPTIONS x509_options[] = {
 {"out", OPT_OUT, '>', "Output file - default stdout"},
 {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
 {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
+ {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
 
 OPT_SECTION("Output"),
 {"serial", OPT_SERIAL, '-', "Print serial number value"},
@@ -174,7 +177,7 @@ int x509_main(int argc, char **argv)
 const unsigned long chtype = MBSTRING_ASC;
 const int multirdn = 0;
 STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
- STACK_OF(OPENSSL_STRING) *sigopts = NULL;
+ STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL;
 X509 *x = NULL, *xca = NULL;
 X509_REQ *req = NULL, *rq = NULL;
 X509_STORE *ctx = NULL;
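Review bot: The new option-table entry `{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"}` does not say what the parameters are applied to, and the only consumer visible in this diff is the `do_X509_REQ_verify(req, pkey, vfyopts)` call in the `@@ -576` hunk, i.e. the self-signature check of a `-req` input. If that is indeed the only place `vfyopts` is read, a `-vfyopt` given together with a certificate input is accepted and silently ignored, which is easy to mistake for a verification that did happen. I would narrow the help text to `"Verification parameter in n:v form, applied to the -req self-signature check"`, or reject `-vfyopt` when `-req` is absent once option parsing is done. The `-sigopt` entry's help string is outside the hunk, so I cannot tell whether its wording should be aligned the same way.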
@@ -256,6 +259,12 @@ int x509_main(int argc, char **argv)
 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
 goto opthelp;
 break;
+ case OPT_VFYOPT:
+ if (!vfyopts)
+ vfyopts = sk_OPENSSL_STRING_new_null();
+ if (!vfyopts || !sk_OPENSSL_STRING_push(vfyopts, opt_arg()))
+ goto opthelp;
+ break;
 case OPT_DAYS:
 if (preserve_dates)
 goto opthelp;
@@ -576,7 +585,7 @@ int x509_main(int argc, char **argv)
 BIO_printf(bio_err, "error unpacking public key\n");
 goto end;
 }
- i = X509_REQ_verify(req, pkey);
+ i = do_X509_REQ_verify(req, pkey, vfyopts);
 if (i < 0) {
 BIO_printf(bio_err, "Request self-signature verification error\n");
 ERR_print_errors(bio_err);
@@ -848,8 +857,8 @@ int x509_main(int argc, char **argv)
 goto end;
 }
 
- if (!sign(x, Upkey, fkey, days, clrext, digest, extconf,
- extsect, preserve_dates))
+ if (!sign(x, Upkey, fkey, sigopts, days, clrext, digest,
+ extconf, extsect, preserve_dates))
 goto end;
 } else if (CA_flag == i) {
 BIO_printf(bio_err, "Getting CA Private Key\n");
@@ -949,6 +958,7 @@ int x509_main(int argc, char **argv)
 EVP_PKEY_free(CApkey);
 EVP_PKEY_free(fkey);
 sk_OPENSSL_STRING_free(sigopts);
+ sk_OPENSSL_STRING_free(vfyopts);
 X509_REQ_free(rq);
 ASN1_INTEGER_free(sno);
 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
@@ -1106,11 +1116,12 @@ static int callb(int ok, X509_STORE_CTX *ctx)
 }
 
 /* self-issue; self-sign unless a forced public key (fkey) is given */
-static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext,
+static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey,
+ STACK_OF(OPENSSL_STRING) *sigopts,
+ int days, int clrext,
 const EVP_MD *digest, CONF *conf, const char *section,
 int preserve_dates)
 {
-
 if (!X509_set_issuer_name(x, X509_get_subject_name(x)))
 goto err;
 if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
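Review bot: The header comment `/* self-issue; self-sign unless a forced public key (fkey) is given */` above the `sign()` definition in the `@@ -1106` hunk is not updated for the new `sigopts` parameter, so nothing states what the stack holds or whether it may be NULL. From the `@@ -174` and `@@ -848` hunks `sigopts` stays NULL unless `-sigopt` was given and is passed to `sign()` unconditionally, so the callee must tolerate NULL; I would record that: `/* self-issue; self-sign unless a forced public key (fkey) is given. sigopts: -sigopt name:value pairs forwarded to do_X509_sign(), NULL when none */`. The body of `sign()` continues past this hunk into the next one and beyond.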
@@ -1129,7 +1140,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext,
 if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
 goto err;
 }
- if (!X509_sign(x, pkey, digest))
+ if (!do_X509_sign(x, pkey, digest, sigopts))
 goto err;
 return 1;
 err:
|