authorDavid von Oheimb <David.von.Oheimb@siemens.com>2019-02-03 07:57:59 +0100
committerMatt Caswell <matt@openssl.org>2019-02-25 10:26:23 +0000
commit56a98c3efde3a49084a232a56aa666533362f1a2 (patch)
tree5dab3ee66f97211b388460b8fb448bda016969fb /apps/x509.c
parentef9f6066998718ae904fc10d46205d67aad9aebe (diff)
fix x509 -force_pubkey option to take effect with cert input or self-signing; improve its doc
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8165)
Diffstat (limited to 'apps/x509.c')
-rw-r--r--apps/x509.c27
1 files changed, 13 insertions, 14 deletions
diff --git a/apps/x509.c b/apps/x509.c
index e9de4950f9..e4d5e079dd 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -33,7 +33,7 @@
#define DEF_DAYS 30
static int callb(int ok, X509_STORE_CTX *ctx);
-static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
+static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext,
const EVP_MD *digest, CONF *conf, const char *section,
int preserve_dates);
static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest,
@@ -132,7 +132,7 @@ const OPTIONS x509_options[] = {
{"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
- {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"},
+ {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the key to put inside certificate"},
{"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"},
{"clrreject", OPT_CLRREJECT, '-',
"Clears all the prohibited or rejected uses of the certificate"},
@@ -574,18 +574,16 @@ int x509_main(int argc, char **argv)
if (!set_cert_times(x, NULL, NULL, days))
goto end;
- if (fkey != NULL) {
- X509_set_pubkey(x, fkey);
- } else {
- pkey = X509_REQ_get0_pubkey(req);
- X509_set_pubkey(x, pkey);
- }
+ if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
+ goto end;
} else {
x = load_cert(infile, informat, "Certificate");
+ if (x == NULL)
+ goto end;
+ if (fkey != NULL && !X509_set_pubkey(x, fkey))
+ goto end;
}
- if (x == NULL)
- goto end;
if (CA_flag) {
xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
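Review bot: In the certificate-input branch the forced key replaces the subject public key of the loaded certificate, but nothing in this hunk invalidates or refreshes the signature already present on `x`; unless a later -signkey or -CA step re-signs it (that code is outside this hunk), the written certificate carries a signature that no longer verifies against its own key. If relying on a subsequent signing step is the intent, it is worth saying so at the replacement site, e.g. `/* replaces the subject key; the certificate is only valid once re-signed (-signkey/-CA) */`. Likewise, in the request branch the substituted key is one for which the CSR signature check (performed earlier, outside the hunk) gave no proof of possession, which is presumably why the option is documented as a forcing override; a one-line comment to that effect would make the trust boundary explicit to the next maintainer.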
@@ -799,7 +797,8 @@ int x509_main(int argc, char **argv)
goto end;
}
- if (!sign(x, Upkey, days, clrext, digest, extconf, extsect, preserve_dates))
+ if (!sign(x, Upkey, fkey, days, clrext, digest, extconf,
+ extsect, preserve_dates))
goto end;
} else if (CA_flag == i) {
BIO_printf(bio_err, "Getting CA Private Key\n");
@@ -1054,8 +1053,8 @@ static int callb(int ok, X509_STORE_CTX *ctx)
}
}
-/* self sign */
-static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
+/* self-issue; self-sign unless a forced public key (fkey) is given */
+static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext,
const EVP_MD *digest, CONF *conf, const char *section,
int preserve_dates)
{
@@ -1064,7 +1063,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
goto err;
if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
goto err;
- if (!X509_set_pubkey(x, pkey))
+ if (fkey == NULL && !X509_set_pubkey(x, pkey))
goto err;
if (clrext) {
while (X509_get_ext_count(x) > 0)
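Review bot: Inside `sign`, the new `fkey` parameter is only ever tested against NULL and its value is never used; the actual key was installed by the caller with X509_set_pubkey, which a reader of `sign` alone cannot see. A comment on the changed line would close that gap: `/* fkey != NULL: caller already set the subject key to fkey, so do not overwrite it with pkey */`. Alternatively a plain flag parameter (e.g. an int meaning "keep the subject key") would express the contract more honestly than passing a key that is not read. The body of `sign` continues past the end of this hunk.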