[openssl] master update
beldmit at gmail.com
beldmit at gmail.com
Sat Mar 7 10:10:26 UTC 2020
The branch master has been updated
via d462b5ff21e9fcdef98447c8f8d8c694b1e79602 (commit)
from 6bd4e3f231d74578b97821d981d42583fec5c2f3 (commit)
- Log -----------------------------------------------------------------
commit d462b5ff21e9fcdef98447c8f8d8c694b1e79602
Author: Rich Salz <rsalz at akamai.com>
Date: Wed Mar 4 14:41:53 2020 -0500
Add -section option to 'req' command
This removes "req" as the hardwired section for the req command.
Doing this will let us merge some test configs.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11249)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 1 +
apps/req.c | 40 +++++++++++++++++++++++-----------------
doc/man1/openssl-ca.pod.in | 5 ++++-
doc/man1/openssl-req.pod.in | 15 +++++++++++++--
test/recipes/25-test_req.t | 30 +++++++++++++++++++++++++++++-
test/test.cnf | 35 ++++++++++++++---------------------
6 files changed, 84 insertions(+), 42 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 84e1905d38..e3e2fd2e7e 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -177,6 +177,7 @@ const OPTIONS ca_options[] = {
OPT_SECTION("Configuration"),
{"config", OPT_CONFIG, 's', "A config file"},
{"name", OPT_NAME, 's', "The particular CA definition to use"},
+ {"section", OPT_NAME, 's', "An alias for -name"},
{"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
OPT_SECTION("Certificate"),
diff --git a/apps/req.c b/apps/req.c
index dcad9dc238..5186017282 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -32,7 +32,6 @@
# include <openssl/dsa.h>
#endif
-#define SECTION "req"
#define BITS "default_bits"
#define KEYFILE "default_keyfile"
@@ -77,6 +76,8 @@ static int join(char buf[], size_t buf_size, const char *name,
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
int *pkey_type, long *pkeylen,
char **palgnam, ENGINE *keygen_engine);
+
+static const char *section = "req";
static CONF *req_conf = NULL;
static CONF *addext_conf = NULL;
static int batch = 0;
@@ -91,6 +92,7 @@ typedef enum OPTION_choice {
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
OPT_REQEXTS, OPT_PRECERT, OPT_MD, OPT_SM2ID, OPT_SM2HEXID,
+ OPT_SECTION,
OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
@@ -109,6 +111,7 @@ const OPTIONS req_options[] = {
OPT_SECTION("Certificate"),
{"new", OPT_NEW, '-', "New request"},
{"config", OPT_CONFIG, '<', "Request template file"},
+ {"section", OPT_SECTION, 's', "Config section to use (default \"req\")"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
{"reqopt", OPT_REQOPT, 's', "Various request text options"},
@@ -309,6 +312,9 @@ int req_main(int argc, char **argv)
case OPT_CONFIG:
template = opt_arg();
break;
+ case OPT_SECTION:
+ section = opt_arg();
+ break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
goto opthelp;
@@ -519,7 +525,7 @@ int req_main(int argc, char **argv)
goto end;
if (md_alg == NULL) {
- p = NCONF_get_string(req_conf, SECTION, "default_md");
+ p = NCONF_get_string(req_conf, section, "default_md");
if (p == NULL) {
ERR_clear_error();
} else {
@@ -530,7 +536,7 @@ int req_main(int argc, char **argv)
}
if (extensions == NULL) {
- extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+ extensions = NCONF_get_string(req_conf, section, V3_EXTENSIONS);
if (extensions == NULL)
ERR_clear_error();
}
@@ -558,19 +564,19 @@ int req_main(int argc, char **argv)
if (passin == NULL) {
passin = nofree_passin =
- NCONF_get_string(req_conf, SECTION, "input_password");
+ NCONF_get_string(req_conf, section, "input_password");
if (passin == NULL)
ERR_clear_error();
}
if (passout == NULL) {
passout = nofree_passout =
- NCONF_get_string(req_conf, SECTION, "output_password");
+ NCONF_get_string(req_conf, section, "output_password");
if (passout == NULL)
ERR_clear_error();
}
- p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
+ p = NCONF_get_string(req_conf, section, STRING_MASK);
if (p == NULL)
ERR_clear_error();
@@ -580,7 +586,7 @@ int req_main(int argc, char **argv)
}
if (chtype != MBSTRING_UTF8) {
- p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
+ p = NCONF_get_string(req_conf, section, UTF8_IN);
if (p == NULL)
ERR_clear_error();
else if (strcmp(p, "yes") == 0)
@@ -588,7 +594,7 @@ int req_main(int argc, char **argv)
}
if (req_exts == NULL) {
- req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
+ req_exts = NCONF_get_string(req_conf, section, REQ_EXTENSIONS);
if (req_exts == NULL)
ERR_clear_error();
}
@@ -611,14 +617,14 @@ int req_main(int argc, char **argv)
/* load_key() has already printed an appropriate message */
goto end;
} else {
- app_RAND_load_conf(req_conf, SECTION);
+ app_RAND_load_conf(req_conf, section);
}
}
if (newreq && (pkey == NULL)) {
- app_RAND_load_conf(req_conf, SECTION);
+ app_RAND_load_conf(req_conf, section);
- if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
+ if (!NCONF_get_number(req_conf, section, BITS, &newkey)) {
newkey = DEFAULT_KEY_LENGTH;
}
@@ -688,7 +694,7 @@ int req_main(int argc, char **argv)
genctx = NULL;
if (keyout == NULL) {
- keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
+ keyout = NCONF_get_string(req_conf, section, KEYFILE);
if (keyout == NULL)
ERR_clear_error();
}
@@ -701,10 +707,10 @@ int req_main(int argc, char **argv)
if (out == NULL)
goto end;
- p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
+ p = NCONF_get_string(req_conf, section, "encrypt_rsa_key");
if (p == NULL) {
ERR_clear_error();
- p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
+ p = NCONF_get_string(req_conf, section, "encrypt_key");
if (p == NULL)
ERR_clear_error();
}
@@ -1062,13 +1068,13 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
char *tmp, *dn_sect, *attr_sect;
- tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
+ tmp = NCONF_get_string(req_conf, section, PROMPT);
if (tmp == NULL)
ERR_clear_error();
if ((tmp != NULL) && strcmp(tmp, "no") == 0)
no_prompt = 1;
- dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
+ dn_sect = NCONF_get_string(req_conf, section, DISTINGUISHED_NAME);
if (dn_sect == NULL) {
BIO_printf(bio_err, "unable to find '%s' in config\n",
DISTINGUISHED_NAME);
@@ -1080,7 +1086,7 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
goto err;
}
- attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
+ attr_sect = NCONF_get_string(req_conf, section, ATTRIBUTES);
if (attr_sect == NULL) {
ERR_clear_error();
attr_sk = NULL;
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 8eef310ca4..a3c83d8076 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -12,6 +12,7 @@ B<openssl> B<ca>
[B<-verbose>]
[B<-config> I<filename>]
[B<-name> I<section>]
+[B<-section> I<section>]
[B<-gencrl>]
[B<-revoke> I<file>]
[B<-valid> I<file>]
@@ -94,7 +95,7 @@ Specifies the configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-=item B<-name> I<section>
+=item B<-name> I<section>, B<-section> I<section>
Specifies the configuration file section to use (overrides
B<default_ca> in the B<ca> section).
@@ -772,6 +773,8 @@ seeding mechanism. The new seeding mechanism makes it unnecessary to
define a RANDFILE for saving and restoring randomness. This option is
retained mainly for compatibility reasons.
+The B<-section> option was added in OpenSSL 3.0.0.
+
=head1 SEE ALSO
L<openssl(1)>,
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 703a208bc1..7587cb5a71 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -30,6 +30,7 @@ B<openssl> B<req>
[B<-keygen_engine> I<id>]
[B<-I<digest>>]
[B<-config> I<filename>]
+[B<-section> I<name>]
[B<-multivalue-rdn>]
[B<-x509>]
[B<-days> I<n>]
@@ -206,6 +207,10 @@ This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
+=item B<-section> I<name>
+
+Specifies the name of the section to use; the default is B<req>.
+
=item B<-subj> I<arg>
Sets subject name for new request or supersedes the subject name
@@ -331,8 +336,10 @@ argument for this option is string of hexadecimal digits.
=head1 CONFIGURATION FILE FORMAT
The configuration options are specified in the B<req> section of
-the configuration file. As with all configuration files if no
-value is specified in the specific section (i.e. B<req>) then
+the configuration file. An alternate name be specified by using the
+B<-section> option.
+As with all configuration files, if no
+value is specified in the specific section then
the initial unnamed or B<default> section is searched too.
The options available are described in detail below.
@@ -678,6 +685,10 @@ L<openssl-gendsa(1)>,
L<config(5)>,
L<x509v3_config(5)>
+=head1 HISTORY
+
+The B<-section> option was added in OpenSSL 3.0.0.
+
=head1 COPYRIGHT
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 1a6efa8be2..662109c896 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_req");
-plan tests => 15;
+plan tests => 16;
require_ok(srctop_file('test','recipes','tconversion.pl'));
@@ -42,6 +42,34 @@ ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2])));
ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3])));
ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
+subtest "generating alt certificate requests with RSA" => sub {
+ plan tests => 3;
+
+ SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 2
+ if disabled("rsa");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-section", "altreq",
+ "-new", "-out", "testreq-rsa.pem", "-utf8",
+ "-key", srctop_file("test", "testrsa.pem")])),
+ "Generating request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsa.pem", "-noout"])),
+ "Verifying signature on request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-section", "altreq",
+ "-verify", "-in", "testreq-rsa.pem", "-noout"])),
+ "Verifying signature on request");
+ }
+};
+
+
subtest "generating certificate requests with RSA" => sub {
plan tests => 2;
diff --git a/test/test.cnf b/test/test.cnf
index 1e2fa31cce..a686c3d8bd 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -1,7 +1,3 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
####################################################################
[ ca ]
@@ -58,28 +54,25 @@ default_keyfile = testkey.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
+# Make altreq be identical to req
+[ altreq ]
+default_bits = 2048
+default_keyfile = testkey.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName = C field
countryName_value = AU
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Queensland
+stateOrProvinceName = SP field
stateOrProvinceName_value =
-
-localityName = Locality Name (eg, city)
+localityName = L field
localityName_value = Brisbane
-
-organizationName = Organization Name (eg, company)
-organizationName_default =
+organizationName = O field
organizationName_value = CryptSoft Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default =
+organizationalUnitName = OU field
organizationalUnitName_value = .
-
-commonName = Common Name (eg, YOUR name)
+commonName = CN field
commonName_value = Eric Young
-
-emailAddress = Email Address
+emailAddress = email field
emailAddress_value = eay at mincom.oz.au
More information about the openssl-commits
mailing list