[openssl] master update
dev at ddvo.net
dev at ddvo.net
Tue Jul 28 07:18:17 UTC 2020
The branch master has been updated
via ef8980176d53d85ff96d913a647c01d07e144c5d (commit)
from 846f96f821260ca83cc93bfa35207864b05abec5 (commit)
- Log -----------------------------------------------------------------
commit ef8980176d53d85ff96d913a647c01d07e144c5d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon May 11 15:41:08 2020 +0200
Deprecate -nodes in favor of -noenc in pkcs12 and req app
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12495)
-----------------------------------------------------------------------
Summary of changes:
apps/pkcs12.c | 6 ++++--
apps/req.c | 12 +++++++-----
doc/man1/openssl-pkcs12.pod.in | 10 ++++++++--
doc/man1/openssl-req.pod.in | 10 ++++++++--
test/certs/setup.sh | 2 +-
test/recipes/80-test_tsa.t | 2 +-
test/recipes/90-test_store.t | 2 +-
test/smime-certs/mksmime-certs.sh | 22 +++++++++++-----------
8 files changed, 41 insertions(+), 25 deletions(-)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 18f9550ded..ca83e2d1be 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -57,7 +57,7 @@ typedef enum OPTION_choice {
OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS,
OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER,
OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER,
- OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
+ OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME,
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
@@ -129,7 +129,8 @@ const OPTIONS pkcs12_options[] = {
{"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
{"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"},
{"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
- {"nodes", OPT_NODES, '-', "Don't encrypt private keys"},
+ {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"},
+ {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
OPT_R_OPTIONS,
@@ -240,6 +241,7 @@ int pkcs12_main(int argc, char **argv)
macalg = opt_arg();
break;
case OPT_NODES:
+ case OPT_NOENC:
enc = NULL;
break;
case OPT_CERTPBE:
diff --git a/apps/req.c b/apps/req.c
index bee0329b24..8931e9829f 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -93,7 +93,7 @@ typedef enum OPTION_choice {
OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
- OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
+ OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
OPT_REQEXTS, OPT_PRECERT, OPT_MD,
@@ -157,7 +157,8 @@ const OPTIONS req_options[] = {
{"batch", OPT_BATCH, '-',
"Do not ask anything during request generation"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
- {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
+ {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"},
+ {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"},
{"noout", OPT_NOOUT, '-', "Do not output REQ"},
{"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
{"modulus", OPT_MODULUS, '-', "RSA modulus"},
@@ -257,7 +258,7 @@ int req_main(int argc, char **argv)
int pkey_type = -1, private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
- int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
+ int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
long newkey = -1;
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
@@ -375,7 +376,8 @@ int req_main(int argc, char **argv)
verify = 1;
break;
case OPT_NODES:
- nodes = 1;
+ case OPT_NOENC:
+ noenc = 1;
break;
case OPT_NOOUT:
noout = 1;
@@ -693,7 +695,7 @@ int req_main(int argc, char **argv)
}
if ((p != NULL) && (strcmp(p, "no") == 0))
cipher = NULL;
- if (nodes)
+ if (noenc)
cipher = NULL;
i = 0;
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index 8c819c56f8..3a97a81517 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -36,6 +36,7 @@ B<openssl> B<pkcs12>
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
+[B<-noenc>]
[B<-nodes>]
[B<-iter> I<count>]
[B<-noiter>]
@@ -146,10 +147,14 @@ Use ARIA to encrypt private keys before outputting.
Use Camellia to encrypt private keys before outputting.
-=item B<-nodes>
+=item B<-noenc>
Don't encrypt the private keys at all.
+=item B<-nodes>
+
+This option is deprecated since OpenSSL 3.0; use B<-noenc> instead.
+
=item B<-nomacver>
Don't attempt to verify the integrity MAC before reading the file.
@@ -344,7 +349,7 @@ Output only client certificates to a file:
Don't encrypt the private key:
- openssl pkcs12 -in file.p12 -out file.pem -nodes
+ openssl pkcs12 -in file.p12 -out file.pem -noenc
Print some info about a PKCS#12 file:
@@ -368,6 +373,7 @@ L<ossl_store-file(7)>
=head1 HISTORY
The B<-engine> option was deprecated in OpenSSL 3.0.
+The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
=head1 COPYRIGHT
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 07354453be..1af355b5b3 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -23,6 +23,7 @@ B<openssl> B<req>
[B<-new>]
[B<-newkey> I<arg>]
[B<-pkeyopt> I<opt>:I<value>]
+[B<-noenc>]
[B<-nodes>]
[B<-key> I<filename>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
@@ -198,11 +199,15 @@ This gives the filename to write the newly created private key to.
If this option is not specified then the filename present in the
configuration file is used.
-=item B<-nodes>
+=item B<-noenc>
If this option is specified then if a private key is created it
will not be encrypted.
+=item B<-nodes>
+
+This option is deprecated since OpenSSL 3.0; use B<-noenc> instead.
+
=item B<-I<digest>>
This specifies the message digest to sign the request.
@@ -394,7 +399,7 @@ It is used for private key generation.
=item B<encrypt_key>
If this is set to B<no> then if a private key is generated it is
-B<not> encrypted. This is equivalent to the B<-nodes> command line
+B<not> encrypted. This is equivalent to the B<-noenc> command line
option. For compatibility B<encrypt_rsa_key> is an equivalent option.
=item B<default_md>
@@ -696,6 +701,7 @@ All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
and have no effect.
The B<-engine> option was deprecated in OpenSSL 3.0.
+The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
=head1 COPYRIGHT
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index d1c56bb56d..85ae5ed3c1 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -375,7 +375,7 @@ OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
"Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \
server-ecdsa-brainpoolP256r1-cert rootkey rootcert
-openssl req -new -nodes -subj "/CN=localhost" \
+openssl req -new -noenc -subj "/CN=localhost" \
-newkey rsa-pss -keyout server-pss-restrict-key.pem \
-pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t
index 859dacbdd1..3a4d729d0d 100644
--- a/test/recipes/80-test_tsa.t
+++ b/test/recipes/80-test_tsa.t
@@ -97,7 +97,7 @@ indir "tsa" => sub
$ENV{TSDNSECT} = "ts_ca_dn";
skip "failed", 19
unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
- "-new", "-x509", "-nodes",
+ "-new", "-x509", "-noenc",
"-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
'creating a new CA for the TSA tests');
diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index 9f4eaa2961..57c2e6e9c2 100644
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -317,7 +317,7 @@ sub init {
}, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
# *-cert.pem (intermediary for the .p12 inits)
&& run(app(["openssl", "req", "-x509",
- "-config", $cnf, "-nodes",
+ "-config", $cnf, "-noenc",
"-key", $cakey, "-out", "cacert.pem"]))
&& runall(sub {
my $srckey = shift;
diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh
index e6803ef74f..9316831d64 100644
--- a/test/smime-certs/mksmime-certs.sh
+++ b/test/smime-certs/mksmime-certs.sh
@@ -14,22 +14,22 @@ OPENSSL_CONF=./ca.cnf
export OPENSSL_CONF
# Root CA: create certificate directly
-CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \
+CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \
-keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650
# EE RSA certificates: create request first
-CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
-keyout smrsa1.pem -out req.pem -newkey rsa:2048
# Sign request: end entity extensions
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
-CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -noenc \
-keyout smrsa2.pem -out req.pem -newkey rsa:2048
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
-CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \
-keyout smrsa3.pem -out req.pem -newkey rsa:2048
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
@@ -38,15 +38,15 @@ $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
$OPENSSL dsaparam -out dsap.pem 2048
-CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -noenc \
-keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
-CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -noenc \
-keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
-CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -noenc \
-keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
@@ -56,15 +56,15 @@ $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
$OPENSSL ecparam -out ecp.pem -name P-256
$OPENSSL ecparam -out ecp2.pem -name K-283
-CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -noenc \
-keyout smec1.pem -out req.pem -newkey ec:ecp.pem
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
-CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -noenc \
-keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
-CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \
-keyout smec3.pem -out req.pem -newkey ec:ecp.pem
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
@@ -75,7 +75,7 @@ $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_type:2 \
$OPENSSL genpkey -paramfile dhp.pem -out smdh.pem
$OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem
# Generate dummy request.
-CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -nodes \
+CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \
-keyout smtmp.pem -out req.pem -newkey rsa:2048
# Sign request but force public key to DH
$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
More information about the openssl-commits
mailing list