[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Wed Feb 22 15:47:44 UTC 2017
The branch master has been updated
via 65b3dff76b570dc0c893defa8014314c13c82c73 (commit)
via 505fb9996483b92220a09595030603c0b1752579 (commit)
via 7bb89f094de0fb544df77e5afca82ade9b413f7d (commit)
via caee75d2c66221a5c519f881ba216af9bd240c35 (commit)
via b6486bf749bf6246dbae7643c5fb7717cf388072 (commit)
from 79020b27beff060d02830870fdfd821fe8cbd439 (commit)
- Log -----------------------------------------------------------------
commit 65b3dff76b570dc0c893defa8014314c13c82c73
Author: Rob Percival <robpercival at google.com>
Date: Fri Jan 13 19:10:26 2017 +0000
apps/req.c: flag "-new" is implied by "-precert"
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
commit 505fb9996483b92220a09595030603c0b1752579
Author: Rob Percival <robpercival at google.com>
Date: Fri Jan 13 19:06:03 2017 +0000
Change CA.pl flag from --newprecert to --precert
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
commit 7bb89f094de0fb544df77e5afca82ade9b413f7d
Author: Rob Percival <robpercival at google.com>
Date: Thu Mar 10 20:32:16 2016 +0000
Documentation for the -precert flag for "openssl req"
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
commit caee75d2c66221a5c519f881ba216af9bd240c35
Author: Rob Percival <robpercival at google.com>
Date: Thu Mar 10 20:26:34 2016 +0000
Basic test for "openssl req -precert" via apps/CA.pl
TODO(robpercival): Should actually test that the output certificate
contains the poison extension.
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
commit b6486bf749bf6246dbae7643c5fb7717cf388072
Author: Rob Percival <robpercival at google.com>
Date: Thu Mar 10 19:15:13 2016 +0000
Adds a "-precert" flag to "openssl req" for creating pre-certificates
This makes it a little easier to create a pre-certificate.
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
-----------------------------------------------------------------------
Summary of changes:
apps/CA.pl.in | 4 ++++
apps/req.c | 17 +++++++++++++++--
doc/man1/req.pod | 11 +++++++++++
test/recipes/80-test_ca.t | 6 +++++-
4 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index 11566df..ddbc70d 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -123,6 +123,10 @@ if ($WHAT eq '-newcert' ) {
# create a certificate
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT eq '-precert' ) {
+ # create a pre-certificate
+ $RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
+ print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-newreq' ) {
# create a certificate request
$RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
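Review bot: The new `-precert` branch drops the `$EXTRA{req}` that the sibling `-newcert` and `-newreq` branches append to the `req` command line, so any extra request arguments the caller supplied are silently ignored when a pre-certificate is requested. Unless that omission is deliberate, the call should read `$RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");` to match its neighbours. The `if`/`elsif` chain this hunk extends begins and ends outside the hunk.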
diff --git a/apps/req.c b/apps/req.c
index 766a27e..ddb0fdc 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -79,7 +79,7 @@ typedef enum OPTION_choice {
OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
- OPT_REQEXTS, OPT_MD
+ OPT_REQEXTS, OPT_PRECERT, OPT_MD
} OPTION_CHOICE;
const OPTIONS req_options[] = {
@@ -126,6 +126,7 @@ const OPTIONS req_options[] = {
"Cert extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
+ {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
{"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
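Review bot: The help string on the new `precert` entry says only that the flag implies `-new`, but as far as this commit shows the poison extension is attached to the self-signed certificate object (`x509ss`) right before signing, so on a plain CSR the flag has no visible effect. The help text should say so, e.g. `{"precert", OPT_PRECERT, '-', "Add a poison extension to a self-signed cert (implies -new, requires -x509)"},`. The options table continues outside the hunk.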
@@ -160,7 +161,7 @@ int req_main(int argc, char **argv)
int pkey_type = -1, private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
- int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
+ int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
long newkey = -1;
unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
char nmflag_set = 0;
@@ -318,6 +319,9 @@ int req_main(int argc, char **argv)
case OPT_REQEXTS:
req_exts = opt_arg();
break;
+ case OPT_PRECERT:
+ newreq = precert = 1;
+ break;
case OPT_MD:
if (!opt_md(opt_unknown(), &md_alg))
goto opthelp;
@@ -644,6 +648,15 @@ int req_main(int argc, char **argv)
goto end;
}
+ /* If a pre-cert was requested, we need to add a poison extension */
+ if (precert) {
+ if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
+ != 1) {
+ BIO_printf(bio_err, "Error adding poison extension\n");
+ goto end;
+ }
+ }
+
i = do_X509_sign(x509ss, pkey, digest, sigopts);
if (!i) {
ERR_print_errors(bio_err);
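Review bot: When `X509_add1_ext_i2d` fails, the new block prints a fixed message and jumps to `end` without dumping the OpenSSL error queue, whereas the adjacent `do_X509_sign` failure path calls `ERR_print_errors(bio_err)`; the underlying reason (unknown NID, encoder failure, or an already-present poison extension, since flags 0 refuses duplicates) is lost and the queue is left populated. Add `ERR_print_errors(bio_err);` immediately after the `BIO_printf` for consistency with the surrounding code. The enclosing branch and `req_main` extend beyond the hunk.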
diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index 83b5704..641d8f6 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -37,6 +37,7 @@ B<openssl> B<req>
[B<-newhdr>]
[B<-extensions section>]
[B<-reqexts section>]
+[B<-precert>]
[B<-utf8>]
[B<-nameopt>]
[B<-reqopt>]
@@ -253,6 +254,16 @@ request extensions. This allows several different sections to
be used in the same configuration file to specify requests for
a variety of purposes.
+=item B<-precert>
+
+a poison extension will be added to the certificate, making it a
+"pre-certificate" (see RFC6962). This can be submitted to Certificate
+Transparency logs in order to obtain signed certificate timestamps (SCTs).
+These SCTs can then be embedded into the pre-certificate as an extension, before
+removing the poison and signing the certificate.
+
+This implies the B<-new> flag.
+
=item B<-utf8>
this option causes field values to be interpreted as UTF8 strings, by
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index 28a090e..e9ff318 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -22,7 +22,7 @@ my $std_openssl_cnf =
rmtree("demoCA", { safe => 0 });
-plan tests => 4;
+plan tests => 5;
SKIP: {
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
skip "failed creating CA structure", 3
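Review bot: The plan is bumped from 4 to 5, but `skip "failed creating CA structure", 3` on the last line of this hunk is not, so if `-newca` fails the block skips three tests while the plan expects four more and Test::More reports a bad plan instead of a clean skip. It should become `skip "failed creating CA structure", 4`, and the later `skip` counts inside the same `SKIP:` block (outside this hunk) presumably need the same +1 because the new pre-certificate test runs after them. The `SKIP:` block continues past the hunk.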
@@ -41,6 +41,10 @@ plan tests => 4;
ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
'verifying new certificate');
+
+ $ENV{OPENSSL_CONFIG} = "-config ".srctop_file("test", "Uss.cnf");
+ ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
+ 'creating new pre-certificate');
}
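Review bot: The new test assigns `$ENV{OPENSSL_CONFIG}` as `"-config ".srctop_file(...)` without the double quotes the earlier assignment at the top of the `SKIP:` block puts around the path, so a source tree whose path contains a space breaks only this test; use `$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';`. Beyond that, the test only checks the exit status, as the commit message's TODO admits, and `stderr => undef` discards any diagnostics that would explain a failure. A follow-up `ok(...)` that runs `openssl x509 -in newcert.pem -noout -text` and checks the output for the CT precertificate poison extension would actually pin the behaviour this commit adds.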