[openssl] OpenSSL_1_1_1-stable update

tmraz at fedoraproject.org
Thu Feb 27 11:18:27 UTC 2020


The branch OpenSSL_1_1_1-stable has been updated
       via  3bd75cfafd94cb90b5422c69d45b1320802effac (commit)
      from  605a0c709f4d50497a1c49ee117a0ec4bb956d58 (commit)


- Log -----------------------------------------------------------------
commit 3bd75cfafd94cb90b5422c69d45b1320802effac
Author: Bastian Germann <bage at linutronix.de>
Date:   Mon Feb 17 12:50:08 2020 +0100

    apps x509: restrict CAkeyform option to OPT_FMT_PDE
    
    CAkeyform may be set to PEM, DER or ENGINE, but the current options
    are not using the proper optionformat 'E' (OPT_FMT_PDE) for this.
    
    Set the valtype for CAkeyform to 'E' and use OPT_FMT_PDE when extracting
    the option value.
    
    This amends bf4006a6f9 ("Fix regression on x509 keyform argument") which
    did the same thing for keyform and changed the manpage synopsis entries
    for both keyform and CAkeyform but did not change the option section.
    Hence, change the option section.
    
    CLA: trivial
    
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11172)

-----------------------------------------------------------------------

Summary of changes:
 apps/x509.c       | 4 ++--
 doc/man1/x509.pod | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/x509.c b/apps/x509.c
index f81741f4e7..79518a4e62 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -130,7 +130,7 @@ const OPTIONS x509_options[] = {
     {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"},
     {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"},
     {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
-    {"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"},
+    {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"},
     {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
     {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"},
     {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"},
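Review bot: The restriction on the CAkeyform row (valtype 'E') is also encoded a second time as OPT_FMT_PDE in the OPT_CAKEYFORM case of x509_main, so the table and the parser call have to be kept in agreement by hand, and the patch adds no test for that. Consider a test that runs the x509 app with -CAkeyform set to an unsupported format name and expects a usage error, plus one that passes ENGINE and expects it to be accepted by option parsing.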
@@ -225,7 +225,7 @@ int x509_main(int argc, char **argv)
                 goto opthelp;
             break;
         case OPT_CAKEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
+            if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat))
                 goto opthelp;
             break;
         case OPT_OUT:
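Review bot: Replacing OPT_FMT_ANY with OPT_FMT_PDE in the OPT_CAKEYFORM case narrows what -CAkeyform accepts on a stable branch: a value outside PEM, DER or ENGINE was not rejected by this opt_format call before and now ends in "goto opthelp". The summary of changes lists only apps/x509.c and doc/man1/x509.pod, so consider adding a CHANGES entry that mentions the stricter check for scripts that relied on the old behaviour.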
diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod
index a6cea337d2..e498aee4ff 100644
--- a/doc/man1/x509.pod
+++ b/doc/man1/x509.pod
@@ -384,7 +384,7 @@ certificate is being created from another certificate (for example with
 the B<-signkey> or the B<-CA> options). Normally all extensions are
 retained.
 
-=item B<-keyform PEM|DER>
+=item B<-keyform PEM|DER|ENGINE>
 
 Specifies the format (DER or PEM) of the private key file used in the
 B<-signkey> option.
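Review bot: The item heading now lists ENGINE, but the description in the context line directly below still reads "Specifies the format (DER or PEM)", so the entry contradicts itself; update that sentence to mention ENGINE and say what the argument means in that case. Also, the commit subject is about CAkeyform while this hunk edits the -keyform item; if the option section has a separate -CAkeyform item, it should get the same change.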