authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-07 19:37:46 +0100
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-10 15:19:55 +0100
commit1a683b80dc9ad4dcbf206a0617364a9d614a9883 (patch)
tree489d4cc0bfbb0664cd692e95ab0c175aa8b3ebd3 /apps/x509.c
parent98ba251fe6f49fc2ee310f6e559c3431922fa16d (diff)
apps/{ca,req,x509}.c: Improve diag and doc mostly on X.509 extensions, fix multiple instances
This includes a general correction in the code (now using the X509V3_CTX_REPLACE flag) and adds a prominent clarification to the documentation: If multiple entries are processed for the same extension name, later entries override earlier ones with the same name. This is due to an RFC 5280 requirement - the intro of its section 4.2 says: A certificate MUST NOT include more than one instance of a particular extension. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13614)
Diffstat (limited to 'apps/x509.c')
-rw-r--r--apps/x509.c40
1 files changed, 19 insertions, 21 deletions
diff --git a/apps/x509.c b/apps/x509.c
index 42ef448416..8cd84f5afe 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
goto opthelp;
checkoffset = (time_t)temp;
if ((intmax_t)checkoffset != temp) {
- BIO_printf(bio_err, "%s: checkend time out of range %s\n",
+ BIO_printf(bio_err, "%s: Checkend time out of range %s\n",
prog, opt_arg());
goto opthelp;
}
@@ -536,11 +536,11 @@ int x509_main(int argc, char **argv)
CAkeyfile = CAfile;
} else if (CA_flag && CAkeyfile == NULL) {
BIO_printf(bio_err,
- "need to specify a CAkey if using the CA command\n");
+ "Need to specify a CAkey if using the CA command\n");
goto end;
} else if (!CA_flag && CAkeyfile != NULL) {
BIO_printf(bio_err,
- "ignoring -CAkey option since no -CA option is given\n");
+ "Ignoring -CAkey option since no -CA option is given\n");
}
if (extfile != NULL) {
@@ -558,7 +558,7 @@ int x509_main(int argc, char **argv)
X509V3_set_nconf(&ctx2, extconf);
if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
BIO_printf(bio_err,
- "Error Loading extension section %s\n", extsect);
+ "Error checking extension section %s\n", extsect);
ERR_print_errors(bio_err);
goto end;
}
@@ -572,7 +572,7 @@ int x509_main(int argc, char **argv)
goto end;
if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) {
- BIO_printf(bio_err, "error unpacking public key\n");
+ BIO_printf(bio_err, "Error unpacking public key\n");
goto end;
}
i = do_X509_REQ_verify(req, pkey, vfyopts);
@@ -807,7 +807,7 @@ int x509_main(int argc, char **argv)
fdig = EVP_sha1();
if (!X509_digest(x, fdig, md, &n)) {
- BIO_printf(bio_err, "out of memory\n");
+ BIO_printf(bio_err, "Out of memory\n");
goto end;
}
BIO_printf(out, "%s Fingerprint=",
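Review bot: The replacement line still reports "Out of memory" for any X509_digest() failure, but that call can fail for reasons unrelated to allocation (a digest that is unavailable or rejected, for instance), so the capitalised message remains misleading for the user reading the fingerprint diagnostic. A message that names the operation, `BIO_printf(bio_err, "Error computing fingerprint\n");`, followed by `ERR_print_errors(bio_err);` as the other error paths in this file do, would surface the real cause from the error queue. x509_main continues outside the hunk.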
@@ -820,7 +820,6 @@ int x509_main(int argc, char **argv)
/* should be in the library */
else if (sign_flag == i && x509req == 0) {
- BIO_printf(bio_err, "Getting Private key\n");
if (Upkey == NULL) {
Upkey = load_key(keyfile, keyformat, 0,
passin, e, "private key");
@@ -835,7 +834,6 @@ int x509_main(int argc, char **argv)
goto end;
}
} else if (CA_flag == i) {
- BIO_printf(bio_err, "Getting CA Private Key\n");
if (CAkeyfile != NULL) {
CApkey = load_key(CAkeyfile, CAkeyformat,
0, passin, e, "CA private key");
@@ -851,9 +849,8 @@ int x509_main(int argc, char **argv)
} else if (x509req == i) {
EVP_PKEY *pk;
- BIO_printf(bio_err, "Getting request Private Key\n");
if (keyfile == NULL) {
- BIO_printf(bio_err, "no request key file specified\n");
+ BIO_printf(bio_err, "No request key file specified\n");
goto end;
} else {
pk = load_key(keyfile, keyformat, 0,
@@ -862,8 +859,6 @@ int x509_main(int argc, char **argv)
goto end;
}
- BIO_printf(bio_err, "Generating certificate request\n");
-
rq = X509_to_X509_REQ(x, pk, digest);
EVP_PKEY_free(pk);
if (rq == NULL) {
@@ -911,11 +906,11 @@ int x509_main(int argc, char **argv)
else
i = PEM_write_bio_X509(out, x);
} else {
- BIO_printf(bio_err, "bad output format specified for outfile\n");
+ BIO_printf(bio_err, "Bad output format specified for outfile\n");
goto end;
}
if (!i) {
- BIO_printf(bio_err, "unable to write certificate\n");
+ BIO_printf(bio_err, "Unable to write certificate\n");
ERR_print_errors(bio_err);
goto end;
}
@@ -965,7 +960,7 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
goto end;
if (!BN_add_word(serial, 1)) {
- BIO_printf(bio_err, "add_word failure\n");
+ BIO_printf(bio_err, "Serial number increment failure\n");
goto end;
}
@@ -1059,13 +1054,13 @@ static int callb(int ok, X509_STORE_CTX *ctx)
*/
if (ok) {
BIO_printf(bio_err,
- "error with certificate to be certified - should be self-signed\n");
+ "Error with certificate to be certified - should be self-signed\n");
return 0;
} else {
err_cert = X509_STORE_CTX_get_current_cert(ctx);
print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0);
BIO_printf(bio_err,
- "error with certificate - error %d at depth %d\n%s\n", err,
+ "Error with certificate - error %d at depth %d\n%s\n", err,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(err));
return 1;
@@ -1089,12 +1084,15 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
X509_delete_ext(x, 0);
}
if (conf != NULL) {
- X509V3_CTX ctx;
+ X509V3_CTX ext_ctx;
- X509V3_set_ctx(&ctx, issuer, x, NULL, NULL, 0);
- X509V3_set_nconf(&ctx, conf);
- if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
+ X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE);
+ X509V3_set_nconf(&ext_ctx, conf);
+ if (!X509V3_EXT_add_nconf(conf, &ext_ctx, section, x)) {
+ BIO_printf(bio_err,
+ "Error adding extensions from section %s\n", section);
return 0;
+ }
}
return do_X509_sign(x, pkey, digest, sigopts);
}
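Review bot: The new failure branch after X509V3_EXT_add_nconf() prints a message but, unlike the matching path in x509_main (hunk at @@ -558), does not follow it with `ERR_print_errors(bio_err);`, so the library's reason for rejecting the extension section is lost unless the caller's cleanup path happens to dump the error queue. Adding that one line after the BIO_printf keeps the two diagnostics consistent. The `X509_delete_ext(x, 0)` call just before the `if (conf != NULL)` check appears to strip the certificate's existing extensions before the new ones are added, so on this failure path x is presumably left without its original extensions; a short comment such as `/* on failure x may already have lost its original extensions; do not use it further */` would warn readers of that state. sign() starts before the hunk.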