diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-07-06 12:28:22 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2022-09-20 20:59:50 +0200 |
| commit | 200d844782956b4c6db9bdd92a53113d9c2dc3c7 (patch) | |
| tree | 4243506395c1ceba9fc91335c916e02e64650c3a /apps | |
| parent | 51024f75591d00a52dd867906a763b4e2107e288 (diff) | |
APPS: Move load_csr_autofmt() from apps/cmp.c to apps.c and use it also for apps, too
Also add related references to FR #15725.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18900)
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/ca.c | 5 | ||||
| -rw-r--r-- | apps/cmp.c | 31 | ||||
| -rw-r--r-- | apps/include/apps.h | 1 | ||||
| -rw-r--r-- | apps/lib/apps.c | 41 | ||||
| -rw-r--r-- | apps/req.c | 7 | ||||
| -rw-r--r-- | apps/x509.c | 4 |
6 files changed, 50 insertions, 39 deletions
@@ -168,7 +168,8 @@ const OPTIONS ca_options[] = { {"quiet", OPT_QUIET, '-', "Terse output during processing"}, {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, {"in", OPT_IN, '<', "The input cert request(s)"}, - {"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"}, + {"inform", OPT_INFORM, 'F', + "CSR input format to use (PEM or DER; by default try PEM first)"}, {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, {"out", OPT_OUT, '>', "Where to put the output file(s)"}, {"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."}, @@ -1374,7 +1375,7 @@ static int certify(X509 **xret, const char *infile, int informat, EVP_PKEY *pktmp = NULL; int ok = -1, i; - req = load_csr(infile, informat, "certificate request"); + req = load_csr_autofmt(infile, informat, "certificate request"); if (req == NULL) goto end; if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { diff --git a/apps/cmp.c b/apps/cmp.c index ccfd7fcc23..bac54f1265 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -691,34 +691,6 @@ static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc) return cert; } -static X509_REQ *load_csr_autofmt(const char *infile, const char *desc) -{ - X509_REQ *csr; - BIO *bio_bak = bio_err; - - bio_err = NULL; /* do not show errors on more than one try */ - csr = load_csr(infile, FORMAT_PEM, desc); - bio_err = bio_bak; - if (csr == NULL) { - ERR_clear_error(); - csr = load_csr(infile, FORMAT_ASN1, desc); - } - if (csr == NULL) { - ERR_print_errors(bio_err); - BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", desc, - infile); - } else { - EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr); - int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */); - - if (pkey == NULL || ret < 0) - CMP_warn("error while verifying CSR self-signature"); - else if (ret == 0) - CMP_warn("CSR self-signature does not match the contents"); - } - return csr; -} - /* set expected hostname/IP addr and clears the email addr in the given ts */ static int truststore_set_host_etc(X509_STORE *ts, const char *host) { @@ -1641,7 +1613,8 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_cmd == CMP_GENM) { CMP_warn("-csr option is ignored for command 'genm'"); } else { - if ((csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR")) == NULL) + csr = load_csr_autofmt(opt_csr, FORMAT_UNDEF, "PKCS#10 CSR"); + if (csr == NULL) return 0; if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) goto oom; diff --git a/apps/include/apps.h b/apps/include/apps.h index 44892dc3e5..335e80775c 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -114,6 +114,7 @@ char *get_passwd(const char *pass, const char *desc); int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2); int add_oid_section(CONF *conf); X509_REQ *load_csr(const char *file, int format, const char *desc); +X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc); X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc); #define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 0721120ab2..9d65797a91 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -496,6 +496,7 @@ X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, return crl; } +/* Could be simplified if OSSL_STORE supported CSRs, see FR #15725 */ X509_REQ *load_csr(const char *file, int format, const char *desc) { X509_REQ *req = NULL; @@ -503,8 +504,6 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) if (format == FORMAT_UNDEF) format = FORMAT_PEM; - if (desc == NULL) - desc = "CSR"; in = bio_open_default(file, 'r', format); if (in == NULL) goto end; @@ -519,12 +518,48 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) end: if (req == NULL) { ERR_print_errors(bio_err); - BIO_printf(bio_err, "Unable to load %s\n", desc); + if (desc != NULL) + BIO_printf(bio_err, "Unable to load %s\n", desc); } BIO_free(in); return req; } +/* Better extend OSSL_STORE to support CSRs, see FR #15725 */ +X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc) +{ + X509_REQ *csr; + + if (format != FORMAT_UNDEF) { + csr = load_csr(infile, format, desc); + } else { /* try PEM, then DER */ + BIO *bio_bak = bio_err; + + bio_err = NULL; /* do not show errors on more than one try */ + csr = load_csr(infile, FORMAT_PEM, NULL /* desc */); + bio_err = bio_bak; + if (csr == NULL) { + ERR_clear_error(); + csr = load_csr(infile, FORMAT_ASN1, NULL /* desc */); + } + if (csr == NULL) { + BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", + desc, infile); + } + } + if (csr != NULL) { + EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr); + int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */); + + if (pkey == NULL || ret < 0) + BIO_puts(bio_err, "Warning: error while verifying CSR self-signature"); + else if (ret == 0) + BIO_puts(bio_err, "Warning: CSR self-signature does not match the contents"); + return csr; + } + return csr; +} + void cleanse(char *str) { if (str != NULL) diff --git a/apps/req.c b/apps/req.c index 3b24ca35b0..65dc6b8bb5 100644 --- a/apps/req.c +++ b/apps/req.c @@ -103,7 +103,8 @@ const OPTIONS req_options[] = { "Specify engine to be used for key generation operations"}, #endif {"in", OPT_IN, '<', "X.509 request input file (default stdin)"}, - {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"inform", OPT_INFORM, 'F', + "CSR input format to use (PEM or DER; by default try PEM first)"}, {"verify", OPT_VERIFY, '-', "Verify self-signature on the request"}, OPT_SECTION("Certificate"), @@ -729,8 +730,8 @@ int req_main(int argc, char **argv) if (keyfile != NULL) BIO_printf(bio_err, "Warning: Not placing -key in cert or request since request is used\n"); - req = load_csr(infile /* if NULL, reads from stdin */, - informat, "X509 request"); + req = load_csr_autofmt(infile /* if NULL, reads from stdin */, + informat, "X509 request"); if (req == NULL) goto end; } else if (infile != NULL) { diff --git a/apps/x509.c b/apps/x509.c index a7b01edb09..71c622b8c6 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -70,7 +70,7 @@ const OPTIONS x509_options[] = { {"copy_extensions", OPT_COPY_EXTENSIONS, 's', "copy extensions when converting from CSR to x509 or vice versa"}, {"inform", OPT_INFORM, 'f', - "CSR input file format (DER or PEM) - default PEM"}, + "CSR input format to use (PEM or DER; by default try PEM first)"}, {"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"}, {"key", OPT_KEY, 's', "Key for signing, and to include unless using -force_pubkey"}, @@ -706,7 +706,7 @@ int x509_main(int argc, char **argv) if (infile == NULL) BIO_printf(bio_err, "Warning: Reading cert request from stdin since no -in option is given\n"); - req = load_csr(infile, informat, "certificate request input"); + req = load_csr_autofmt(infile, informat, "certificate request input"); if (req == NULL) goto end; |