[openssl-commits] [openssl] master update
Richard Levitte
levitte at openssl.org
Tue Mar 15 17:54:57 UTC 2016
The branch master has been updated
via 08538fc0a57a9317da22958beeab3ff8af4b2ded (commit)
from 3ddd1d0458b4e90d34379a3019f092d6010e9710 (commit)
- Log -----------------------------------------------------------------
commit 08538fc0a57a9317da22958beeab3ff8af4b2ded
Author: fbroda <fbroda at ipb-halle.de>
Date: Tue Mar 15 10:08:49 2016 +0100
General verify options to openssl ts
This commit adds the general verify options of ocsp, verify,
cms, etc. to the openssl timestamping app as suggested by
Stephen N. Henson in [openssl.org #4287]. The conflicting
"-policy" option of "openssl ts" has been renamed to
"-tspolicy". Documentation and tests have been updated.
CAVE: This will break code, which currently uses the "-policy"
option.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ts.c | 61 ++++++++++++++++++++++++++++++++++-----------
doc/apps/ts.pod | 62 ++++++++++++++++++++++++++++++++++++++--------
test/recipes/80-test_tsa.t | 4 +--
3 files changed, 99 insertions(+), 28 deletions(-)
diff --git a/apps/ts.c b/apps/ts.c
index ee04bb5..b287e26 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -110,22 +110,25 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
/* Verify related functions. */
static int verify_command(char *data, char *digest, char *queryfile,
char *in, int token_in,
- char *CApath, char *CAfile, char *untrusted);
+ char *CApath, char *CAfile, char *untrusted,
+ X509_VERIFY_PARAM *vpm);
static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
char *queryfile,
char *CApath, char *CAfile,
- char *untrusted);
-static X509_STORE *create_cert_store(char *CApath, char *CAfile);
+ char *untrusted,
+ X509_VERIFY_PARAM *vpm);
+static X509_STORE *create_cert_store(char *CApath, char *CAfile,
+ X509_VERIFY_PARAM *vpm);
static int verify_cb(int ok, X509_STORE_CTX *ctx);
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA,
- OPT_DIGEST, OPT_RAND, OPT_POLICY, OPT_NO_NONCE, OPT_CERT,
+ OPT_DIGEST, OPT_RAND, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT,
OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED,
- OPT_MD
+ OPT_MD, OPT_V_ENUM
} OPTION_CHOICE;
OPTIONS ts_options[] = {
@@ -137,7 +140,7 @@ OPTIONS ts_options[] = {
{"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
{"rand", OPT_RAND, 's',
"Load the file(s) into the random number generator"},
- {"policy", OPT_POLICY, 's', "Policy OID to use"},
+ {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
{"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
{"cert", OPT_CERT, '-', "Put cert request into query"},
{"in", OPT_IN, '<', "Input file"},
@@ -159,6 +162,9 @@ OPTIONS ts_options[] = {
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
+ {OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"},
+ OPT_V_OPTIONS,
+ {OPT_HELP_STR, 1, '-', "\n"},
{NULL}
};
@@ -168,13 +174,13 @@ OPTIONS ts_options[] = {
static char* opt_helplist[] = {
"Typical uses:",
"ts -query [-rand file...] [-config file] [-data file]",
- " [-digest hexstring] [-policy oid] [-no_nonce] [-cert]",
+ " [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]",
" [-in file] [-out file] [-text]",
" or",
"ts -reply [-config file] [-section tsa_section]",
" [-queryfile file] [-passin password]",
" [-signer tsa_cert.pem] [-inkey private_key.pem]",
- " [-chain certs_file.pem] [-policy oid]",
+ " [-chain certs_file.pem] [-tspolicy oid]",
" [-in file] [-token_in] [-out file] [-token_out]",
#ifndef OPENSSL_NO_ENGINE
" [-text]",
@@ -185,6 +191,7 @@ static char* opt_helplist[] = {
"ts -verify -CApath dir -CAfile file.pem -untrusted file.pem",
" [-data file] [-digest hexstring]",
" [-queryfile file] -in file [-token_in]",
+ " [[options specific to 'ts -verify']]",
NULL,
};
@@ -200,11 +207,16 @@ int ts_main(int argc, char **argv)
const EVP_MD *md = NULL;
OPTION_CHOICE o, mode = OPT_ERR;
int ret = 1, no_nonce = 0, cert = 0, text = 0;
+ int vpmtouched = 0;
+ X509_VERIFY_PARAM *vpm = NULL;
/* Input is ContentInfo instead of TimeStampResp. */
int token_in = 0;
/* Output is ContentInfo instead of TimeStampResp. */
int token_out = 0;
+ if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
+ goto end;
+
prog = opt_init(argc, argv, ts_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
@@ -241,7 +253,7 @@ int ts_main(int argc, char **argv)
case OPT_RAND:
rnd = opt_arg();
break;
- case OPT_POLICY:
+ case OPT_TSPOLICY:
policy = opt_arg();
break;
case OPT_NO_NONCE:
@@ -296,9 +308,15 @@ int ts_main(int argc, char **argv)
if (!opt_md(opt_unknown(), &md))
goto opthelp;
break;
+ case OPT_V_CASES:
+ if (!opt_verify(o, vpm))
+ goto end;
+ vpmtouched++;
+ break;
}
}
argc = opt_num_rest();
+ argv = opt_rest();
if (mode == OPT_ERR || argc != 0)
goto opthelp;
@@ -328,12 +346,16 @@ int ts_main(int argc, char **argv)
case OPT_ERR:
goto opthelp;
case OPT_QUERY:
+ if (vpmtouched)
+ goto opthelp;
if ((data != NULL) && (digest != NULL))
goto opthelp;
ret = !query_command(data, digest, md, policy, no_nonce, cert,
in, out, text);
break;
case OPT_REPLY:
+ if (vpmtouched)
+ goto opthelp;
if ((in != NULL) && (queryfile != NULL))
goto opthelp;
if (in == NULL) {
@@ -348,10 +370,12 @@ int ts_main(int argc, char **argv)
if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
goto opthelp;
ret = !verify_command(data, digest, queryfile, in, token_in,
- CApath, CAfile, untrusted);
+ CApath, CAfile, untrusted,
+ vpmtouched ? vpm : NULL);
}
end:
+ X509_VERIFY_PARAM_free(vpm);
app_RAND_write_file(NULL);
NCONF_free(conf);
OPENSSL_free(password);
@@ -846,7 +870,8 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
static int verify_command(char *data, char *digest, char *queryfile,
char *in, int token_in,
- char *CApath, char *CAfile, char *untrusted)
+ char *CApath, char *CAfile, char *untrusted,
+ X509_VERIFY_PARAM *vpm)
{
BIO *in_bio = NULL;
PKCS7 *token = NULL;
@@ -865,7 +890,8 @@ static int verify_command(char *data, char *digest, char *queryfile,
}
if ((verify_ctx = create_verify_ctx(data, digest, queryfile,
- CApath, CAfile, untrusted)) == NULL)
+ CApath, CAfile, untrusted,
+ vpm)) == NULL)
goto end;
ret = token_in
@@ -891,7 +917,8 @@ static int verify_command(char *data, char *digest, char *queryfile,
static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
char *queryfile,
char *CApath, char *CAfile,
- char *untrusted)
+ char *untrusted,
+ X509_VERIFY_PARAM *vpm)
{
TS_VERIFY_CTX *ctx = NULL;
BIO *input = NULL;
@@ -931,7 +958,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
/* Initialising the X509_STORE object. */
- if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile))
+ if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile, vpm))
== NULL)
goto err;
@@ -951,7 +978,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
return ctx;
}
-static X509_STORE *create_cert_store(char *CApath, char *CAfile)
+static X509_STORE *create_cert_store(char *CApath, char *CAfile, X509_VERIFY_PARAM *vpm)
{
X509_STORE *cert_ctx = NULL;
X509_LOOKUP *lookup = NULL;
@@ -984,6 +1011,10 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
goto err;
}
}
+
+ if (vpm != NULL)
+ X509_STORE_set1_param(cert_ctx, vpm);
+
return cert_ctx;
err:
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index c6adf52..93ea9e0 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -8,13 +8,12 @@ ts - Time Stamping Authority tool (client/server)
B<openssl> B<ts>
B<-query>
-[B<-help>]
[B<-rand> file:file...]
[B<-config> configfile]
[B<-data> file_to_hash]
[B<-digest> digest_bytes]
[B<-[digest]>]
-[B<-policy> object_id]
+[B<-tspolicy> object_id]
[B<-no_nonce>]
[B<-cert>]
[B<-in> request.tsq]
@@ -31,7 +30,7 @@ B<-reply>
[B<-inkey> private.pem]
[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
[B<-chain> certs_file.pem]
-[B<-policy> object_id]
+[B<-tspolicy> object_id]
[B<-in> response.tsr]
[B<-token_in>]
[B<-out> response.tsr]
@@ -49,6 +48,37 @@ B<-verify>
[B<-CApath> trusted_cert_path]
[B<-CAfile> trusted_certs.pem]
[B<-untrusted> cert_file.pem]
+[I<verify options>]
+
+I<verify options:>
+[-attime timestamp]
+[-check_ss_sig]
+[-crl_check]
+[-crl_check_all]
+[-explicit_policy]
+[-extended_crl]
+[-ignore_critical]
+[-inhibit_any]
+[-inhibit_map]
+[-issuer_checks]
+[-no_alt_chains]
+[-no_check_time]
+[-partial_chain]
+[-policy arg]
+[-policy_check]
+[-policy_print]
+[-purpose purpose]
+[-suiteB_128]
+[-suiteB_128_only]
+[-suiteB_192]
+[-trusted_first]
+[-use_deltas]
+[-verify_depth num]
+[-verify_email email]
+[-verify_hostname hostname]
+[-verify_ip ip]
+[-verify_name name]
+[-x509_strict]
=head1 DESCRIPTION
@@ -100,10 +130,6 @@ request with the following options:
=over 4
-=item B<-help>
-
-Print out a usage message.
-
=item B<-rand> file:file...
The files containing random data for seeding the random number
@@ -136,7 +162,7 @@ The message digest to apply to the data file.
Any digest supported by the OpenSSL B<dgst> command can be used.
The default is SHA-1. (Optional)
-=item B<-policy> object_id
+=item B<-tspolicy> object_id
The policy that the client expects the TSA to use for creating the
time stamp token. Either the dotted OID notation or OID names defined
@@ -235,7 +261,7 @@ contain the certificate chain for the signer certificate from its
issuer upwards. The B<-reply> command does not build a certificate
chain automatically. (Optional)
-=item B<-policy> object_id
+=item B<-tspolicy> object_id
The default policy to use for the response unless the client
explicitly requires a particular TSA policy. The OID can be specified
@@ -343,6 +369,20 @@ certificate. This file must contain the TSA signing certificate and
all intermediate CA certificates unless the response includes them.
(Optional)
+=item I<verify options>
+
+The options [-attime timestamp], [-check_ss_sig], [-crl_check],
+[-crl_check_all], [-explicit_policy], [-extended_crl],
+[-ignore_critical], [-inhibit_any], [-inhibit_map],
+[-issuer_checks], [-no_alt_chains], [-no_check_time],
+[-partial_chain], [-policy arg], [-policy_check],
+[-policy_print], [-purpose purpose], [-suiteB_128],
+[-suiteB_128_only], [-suiteB_192], [-trusted_first],
+[-use_deltas], [-verify_depth num], [-verify_email email],
+[-verify_hostname hostname], [-verify_ip ip], [-verify_name name],
+and [-x509_strict] can be used to control timestamp verification.
+See L<verify(1)>.
+
=back
=head1 CONFIGURATION FILE OPTIONS
@@ -415,7 +455,7 @@ B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
=item B<default_policy>
The default policy to use when the request does not mandate any
-policy. The same as the B<-policy> command line option. (Optional)
+policy. The same as the B<-tspolicy> command line option. (Optional)
=item B<other_policies>
@@ -501,7 +541,7 @@ specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
openssl ts -query -data design2.txt -md5 \
- -policy tsa_policy1 -cert -out design2.tsq
+ -tspolicy tsa_policy1 -cert -out design2.tsq
=head2 Time Stamp Response
diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t
index 229f17e..477de2d 100644
--- a/test/recipes/80-test_tsa.t
+++ b/test/recipes/80-test_tsa.t
@@ -98,7 +98,7 @@ indir "tsa" => sub
skip "failed", 16
unless ok(run(app([@RUN, "-query", "-data", $testtsa,
- "-policy", "tsa_policy1", "-cert",
+ "-tspolicy", "tsa_policy1", "-cert",
"-out", "req1.tsq"])),
'creating req1.req time stamp request for file testtsa');
@@ -132,7 +132,7 @@ indir "tsa" => sub
skip "failed", 10
unless ok(run(app([@RUN, "-query", "-data", $testtsa,
- "-policy", "tsa_policy2", "-no_nonce",
+ "-tspolicy", "tsa_policy2", "-no_nonce",
"-out", "req2.tsq"])),
'creating req2.req time stamp request for file testtsa');
More information about the openssl-commits
mailing list