[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Mon Aug 31 20:00:14 UTC 2015
The branch master has been updated
via 124055a96e8533735b32e6af0fa7913c100ffad2 (commit)
via bc3686dfb031445c5af9a256a46a57dc1277a190 (commit)
via d8c054f2dafbcc22dd8c38cd48ae45bb96dbd475 (commit)
from 36ac7bc8a9c856bcdff6eecdaca128ccc5430a1e (commit)
- Log -----------------------------------------------------------------
commit 124055a96e8533735b32e6af0fa7913c100ffad2
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Aug 31 12:58:07 2015 +0100
make X509_REQ opaque
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit bc3686dfb031445c5af9a256a46a57dc1277a190
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Aug 31 12:16:52 2015 +0100
make X509_CERT_AUX opaque
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit d8c054f2dafbcc22dd8c38cd48ae45bb96dbd475
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Aug 31 18:27:57 2015 +0100
Remove asn1-kludge option.
Remove asn1-kludge option from the req utility. It was a decade old
workaround for CAs and software which required an invalid encoding
of PKCS#10 certificate requests: omitting the attributes field even
though it is not OPTIONAL.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 5 +----
apps/req.c | 27 +++------------------------
apps/x509.c | 13 ++-----------
crypto/asn1/t_req.c | 1 +
crypto/asn1/t_x509a.c | 1 +
crypto/asn1/x_req.c | 1 +
crypto/asn1/x_x509a.c | 1 +
crypto/include/internal/x509_int.h | 30 ++++++++++++++++++++++++++++++
crypto/x509/x509_r2x.c | 1 +
crypto/x509/x509_req.c | 11 +++++++++++
crypto/x509/x509_trs.c | 1 +
crypto/x509/x509rset.c | 4 ++++
crypto/x509/x_all.c | 1 +
crypto/x509v3/v3_skey.c | 1 +
crypto/x509v3/v3_utl.c | 1 +
doc/apps/req.pod | 22 ----------------------
include/openssl/x509.h | 34 +++++-----------------------------
17 files changed, 65 insertions(+), 90 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 0a8d7b7..b93cff5 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1479,7 +1479,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto end;
}
X509_REQ_set_subject_name(req, n);
- req->req_info->enc.modified = 1;
X509_NAME_free(n);
}
@@ -1993,7 +1992,6 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
X509_REQ *req = NULL;
CONF_VALUE *cv = NULL;
NETSCAPE_SPKI *spki = NULL;
- X509_REQ_INFO *ri;
char *type, *buf;
EVP_PKEY *pktmp = NULL;
X509_NAME *n = NULL;
@@ -2037,8 +2035,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
/*
* Build up the subject name set.
*/
- ri = req->req_info;
- n = ri->subject;
+ n = X509_REQ_get_subject_name(req);
for (i = 0;; i++) {
if (sk_CONF_VALUE_num(sk) <= i)
diff --git a/apps/req.c b/apps/req.c
index a16febd..59cc6b4 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -126,8 +126,8 @@ typedef enum OPTION_choice {
OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
- OPT_ASN1_KLUDGE, OPT_NO_ASN1_KLUDGE, OPT_MULTIVALUE_RDN,
- OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS, OPT_REQEXTS, OPT_MD
+ OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
+ OPT_REQEXTS, OPT_MD
} OPTION_CHOICE;
OPTIONS req_options[] = {
@@ -163,10 +163,7 @@ OPTIONS req_options[] = {
{"text", OPT_TEXT, '-', "Text form of request"},
{"x509", OPT_X509, '-',
"Output a x509 structure instead of a cert request"},
- {"asn1-kludge", OPT_ASN1_KLUDGE, '-',
- "Output the request in a format that is wrong"},
{OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
- {"no-asn1-kludge", OPT_NO_ASN1_KLUDGE, '-'},
{"subj", OPT_SUBJ, 's', "Set or modify request subject"},
{"subject", OPT_SUBJECT, '-', "Output the request's subject"},
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
@@ -208,7 +205,7 @@ int req_main(int argc, char **argv)
int pkey_type = -1, private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
- int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
+ int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
long newkey = -1;
unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
char nmflag_set = 0;
@@ -338,12 +335,6 @@ int req_main(int argc, char **argv)
case OPT_X509:
x509 = 1;
break;
- case OPT_ASN1_KLUDGE:
- kludge = 1;
- break;
- case OPT_NO_ASN1_KLUDGE:
- kludge = 0;
- break;
case OPT_DAYS:
days = atoi(opt_arg());
break;
@@ -610,11 +601,6 @@ int req_main(int argc, char **argv)
}
if (!newreq) {
- /*
- * Since we are using a pre-existing certificate request, the kludge
- * 'format' info should not be changed.
- */
- kludge = -1;
in = bio_open_default(infile, RB(informat));
if (in == NULL)
goto end;
@@ -643,11 +629,6 @@ int req_main(int argc, char **argv)
i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
subj = NULL; /* done processing '-subj' option */
- if ((kludge > 0)
- && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) {
- sk_X509_ATTRIBUTE_free(req->req_info->attributes);
- req->req_info->attributes = NULL;
- }
if (!i) {
BIO_printf(bio_err, "problems making Certificate Request\n");
goto end;
@@ -745,8 +726,6 @@ int req_main(int argc, char **argv)
goto end;
}
- req->req_info->enc.modified = 1;
-
if (verbose) {
print_name(bio_err, "new subject=",
X509_REQ_get_subject_name(req), nmflag);
diff --git a/apps/x509.c b/apps/x509.c
index 2fd92f4..6b41a75 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -567,15 +567,6 @@ int x509_main(int argc, char **argv)
goto end;
}
- if ((req->req_info == NULL) ||
- (req->req_info->pubkey == NULL) ||
- (req->req_info->pubkey->public_key == NULL) ||
- (req->req_info->pubkey->public_key->data == NULL)) {
- BIO_printf(bio_err,
- "The certificate request appears to corrupted\n");
- BIO_printf(bio_err, "It does not contain a public key\n");
- goto end;
- }
if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
@@ -611,9 +602,9 @@ int x509_main(int argc, char **argv)
} else if (!X509_set_serialNumber(x, sno))
goto end;
- if (!X509_set_issuer_name(x, req->req_info->subject))
+ if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req)))
goto end;
- if (!X509_set_subject_name(x, req->req_info->subject))
+ if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req)))
goto end;
X509_gmtime_adj(X509_get_notBefore(x), 0);
diff --git a/crypto/asn1/t_req.c b/crypto/asn1/t_req.c
index fd83023..7d72e0a 100644
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -62,6 +62,7 @@
#include <openssl/bn.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
#include <openssl/x509v3.h>
#ifndef OPENSSL_NO_RSA
# include <openssl/rsa.h>
diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c
index 12fedb8..06b227e 100644
--- a/crypto/asn1/t_x509a.c
+++ b/crypto/asn1/t_x509a.c
@@ -62,6 +62,7 @@
#include <openssl/evp.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
/*
* X509_CERT_AUX and string set routines
diff --git a/crypto/asn1/x_req.c b/crypto/asn1/x_req.c
index 1679a56..102b1f6 100644
--- a/crypto/asn1/x_req.c
+++ b/crypto/asn1/x_req.c
@@ -60,6 +60,7 @@
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
/*-
* X509_REQ_INFO is handled in an unusual way to get round
diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c
index e299b1f..76608b6 100644
--- a/crypto/asn1/x_x509a.c
+++ b/crypto/asn1/x_x509a.c
@@ -62,6 +62,7 @@
#include <openssl/evp.h>
#include <openssl/asn1t.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
/*
* X509_CERT_AUX routines. These are used to encode additional user
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 761f702..70abb2c 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -75,3 +75,33 @@ struct X509_name_st {
unsigned char *canon_enc;
int canon_enclen;
} /* X509_NAME */ ;
+
+/*
+ * This stuff is certificate "auxiliary info" it contains details which are
+ * useful in certificate stores and databases. When used this is tagged onto
+ * the end of the certificate itself
+ */
+
+struct x509_cert_aux_st {
+ STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
+ STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
+ ASN1_UTF8STRING *alias; /* "friendly name" */
+ ASN1_OCTET_STRING *keyid; /* key id of private key */
+ STACK_OF(X509_ALGOR) *other; /* other unspecified info */
+};
+
+struct X509_req_info_st {
+ ASN1_ENCODING enc;
+ ASN1_INTEGER *version;
+ X509_NAME *subject;
+ X509_PUBKEY *pubkey;
+ /* d=2 hl=2 l= 0 cons: cont: 00 */
+ STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+};
+
+struct X509_req_st {
+ X509_REQ_INFO *req_info;
+ X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
+ int references;
+};
diff --git a/crypto/x509/x509_r2x.c b/crypto/x509/x509_r2x.c
index d9c3cfd..abf75cd 100644
--- a/crypto/x509/x509_r2x.c
+++ b/crypto/x509/x509_r2x.c
@@ -62,6 +62,7 @@
#include <openssl/evp.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
#include <openssl/objects.h>
#include <openssl/buffer.h>
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index b6c4698..70e27b8 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -63,6 +63,7 @@
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
#include <openssl/objects.h>
#include <openssl/buffer.h>
#include <openssl/pem.h>
@@ -303,3 +304,13 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req,
return 1;
return 0;
}
+
+long X509_REQ_get_version(X509_REQ *req)
+{
+ return ASN1_INTEGER_get(req->req_info->version);
+}
+
+X509_NAME *X509_REQ_get_subject_name(X509_REQ *req)
+{
+ return req->req_info->subject;
+}
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 1912c96..6e3616e 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -60,6 +60,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
static int tr_cmp(const X509_TRUST *const *a, const X509_TRUST *const *b);
static void trtable_free(X509_TRUST *p);
diff --git a/crypto/x509/x509rset.c b/crypto/x509/x509rset.c
index cafaf75..cf9bdfb 100644
--- a/crypto/x509/x509rset.c
+++ b/crypto/x509/x509rset.c
@@ -62,11 +62,13 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
int X509_REQ_set_version(X509_REQ *x, long version)
{
if (x == NULL)
return (0);
+ x->req_info->enc.modified = 1;
return (ASN1_INTEGER_set(x->req_info->version, version));
}
@@ -74,6 +76,7 @@ int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
{
if ((x == NULL) || (x->req_info == NULL))
return (0);
+ x->req_info->enc.modified = 1;
return (X509_NAME_set(&x->req_info->subject, name));
}
@@ -81,5 +84,6 @@ int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
{
if ((x == NULL) || (x->req_info == NULL))
return (0);
+ x->req_info->enc.modified = 1;
return (X509_PUBKEY_set(&x->req_info->pubkey, pkey));
}
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index a7ad148..591a951 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -63,6 +63,7 @@
#include <openssl/asn1.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
#include <openssl/ocsp.h>
#ifndef OPENSSL_NO_RSA
# include <openssl/rsa.h>
diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509v3/v3_skey.c
index c0c71c0..a1167cc 100644
--- a/crypto/x509v3/v3_skey.c
+++ b/crypto/x509v3/v3_skey.c
@@ -60,6 +60,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, char *str);
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index cd8aff2..15029f9 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -63,6 +63,7 @@
#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
#include <openssl/bn.h>
static char *strip_spaces(char *name);
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 46bbfe6..ec19192 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -34,8 +34,6 @@ B<openssl> B<req>
[B<-x509>]
[B<-days n>]
[B<-set_serial n>]
-[B<-asn1-kludge>]
-[B<-no-asn1-kludge>]
[B<-newhdr>]
[B<-extensions section>]
[B<-reqexts section>]
@@ -274,26 +272,6 @@ a single option or multiple options separated by commas.
See discussion of the B<-certopt> parameter in the L<x509(1)>
command.
-
-=item B<-asn1-kludge>
-
-by default the B<req> command outputs certificate requests containing
-no attributes in the correct PKCS#10 format. However certain CAs will only
-accept requests containing no attributes in an invalid form: this
-option produces this invalid format.
-
-More precisely the B<Attributes> in a PKCS#10 certificate request
-are defined as a B<SET OF Attribute>. They are B<not OPTIONAL> so
-if no attributes are present then they should be encoded as an
-empty B<SET OF>. The invalid form does not include the empty
-B<SET OF> whereas the correct form does.
-
-It should be noted that very few CAs still require the use of this option.
-
-=item B<-no-asn1-kludge>
-
-Reverses effect of B<-asn1-kludge>
-
=item B<-newhdr>
Adds the word B<NEW> to the PEM file header and footer lines on the outputted
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 0c2d19a..dc96a2b 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -166,21 +166,9 @@ typedef struct x509_attributes_st X509_ATTRIBUTE;
DECLARE_STACK_OF(X509_ATTRIBUTE)
-typedef struct X509_req_info_st {
- ASN1_ENCODING enc;
- ASN1_INTEGER *version;
- X509_NAME *subject;
- X509_PUBKEY *pubkey;
- /* d=2 hl=2 l= 0 cons: cont: 00 */
- STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
-} X509_REQ_INFO;
+typedef struct X509_req_info_st X509_REQ_INFO;
-typedef struct X509_req_st {
- X509_REQ_INFO *req_info;
- X509_ALGOR *sig_alg;
- ASN1_BIT_STRING *signature;
- int references;
-} X509_REQ;
+typedef struct X509_req_st X509_REQ;
typedef struct x509_cinf_st {
ASN1_INTEGER *version; /* [ 0 ] default of v1 */
@@ -196,19 +184,7 @@ typedef struct x509_cinf_st {
ASN1_ENCODING enc;
} X509_CINF;
-/*
- * This stuff is certificate "auxiliary info" it contains details which are
- * useful in certificate stores and databases. When used this is tagged onto
- * the end of the certificate itself
- */
-
-typedef struct x509_cert_aux_st {
- STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
- STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
- ASN1_UTF8STRING *alias; /* "friendly name" */
- ASN1_OCTET_STRING *keyid; /* key id of private key */
- STACK_OF(X509_ALGOR) *other; /* other unspecified info */
-} X509_CERT_AUX;
+typedef struct x509_cert_aux_st X509_CERT_AUX;
struct x509_st {
X509_CINF *cert_info;
@@ -520,8 +496,6 @@ extern "C" {
# define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
# define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
# define X509_extract_key(x) X509_get_pubkey(x)/*****/
-# define X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version)
-# define X509_REQ_get_subject_name(x) ((x)->req_info->subject)
# define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
# define X509_name_cmp(a,b) X509_NAME_cmp((a),(b))
# define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
@@ -828,7 +802,9 @@ EVP_PKEY *X509_get_pubkey(X509 *x);
ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ );
+long X509_REQ_get_version(X509_REQ *req);
int X509_REQ_set_version(X509_REQ *x, long version);
+X509_NAME *X509_REQ_get_subject_name(X509_REQ *req);
int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
More information about the openssl-commits
mailing list