[openssl] master update

Kurt Roeckx kurt at openssl.org
Wed Sep 9 16:33:02 UTC 2020


The branch master has been updated
       via  10203a34725ec75136b03d64fd2126b321419ac1 (commit)
      from  8ae40cf57d2138af92a3479e23f35037ae8c5c30 (commit)


- Log -----------------------------------------------------------------
commit 10203a34725ec75136b03d64fd2126b321419ac1
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Sat Apr 13 15:52:47 2019 +0200

    Support writing RSA keys using the traditional format again
    
    Fixes: #6855
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    GH: #8743

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md                     |  4 ++--
 apps/genrsa.c                  | 20 +++++++++++++++-----
 apps/rsa.c                     | 17 ++++++++++++++---
 doc/man1/openssl-genrsa.pod.in |  5 +++++
 doc/man1/openssl-rsa.pod.in    | 12 +++++-------
 doc/man1/openssl.pod           |  2 +-
 test/testrsa.pem               | 19 ++++++++++---------
 7 files changed, 52 insertions(+), 27 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index c2bbf0d167..0f6880d716 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -353,8 +353,8 @@ OpenSSL 3.0
    *Paul Dale*
 
  * The command line utilities genrsa and rsa have been modified to use PKEY
-   APIs  These commands are now in maintenance mode and no new features will
-   be added to them.
+   APIs. They now write PKCS#8 keys by default. These commands are now in
+   maintenance mode and no new features will be added to them.
 
    *Paul Dale*
 
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 4f589e98c1..04315a559b 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -38,7 +38,7 @@ typedef enum OPTION_choice {
 #endif
     OPT_F4, OPT_ENGINE,
     OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE,
-    OPT_R_ENUM, OPT_PROV_ENUM
+    OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
 } OPTION_CHOICE;
 
 const OPTIONS genrsa_options[] = {
@@ -62,6 +62,8 @@ const OPTIONS genrsa_options[] = {
     {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
     {"primes", OPT_PRIMES, 'p', "Specify number of primes"},
     {"verbose", OPT_VERBOSE, '-', "Verbose output"},
+    {"traditional", OPT_TRADITIONAL, '-',
+     "Use traditional format for private keys"},
     {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
 
     OPT_R_OPTIONS,
@@ -88,7 +90,7 @@ int genrsa_main(int argc, char **argv)
     char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
     char *prog, *hexe, *dece;
     OPTION_CHOICE o;
-    unsigned char *ebuf = NULL;
+    int traditional = 0;
 
     if (bn == NULL || cb == NULL)
         goto end;
@@ -141,6 +143,9 @@ opthelp:
         case OPT_VERBOSE:
             verbose = 1;
             break;
+        case OPT_TRADITIONAL:
+            traditional = 1;
+            break;
         }
     }
     argc = opt_num_rest();
@@ -214,8 +219,14 @@ opthelp:
         OPENSSL_free(hexe);
         OPENSSL_free(dece);
     }
-    if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
-        goto end;
+    if (traditional) {
+        if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
+                                                  NULL, passout))
+            goto end;
+    } else {
+        if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
+            goto end;
+    }
 
     ret = 0;
  end:
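Review bot: The new `if (traditional)` branch gives no hint what the two write paths produce; the only description in this commit is the man-page text, and the note it removes from openssl-rsa.pod.in (traditional format uses the older SSLeay-compatible private-key encryption, PKCS#8 is the more secure choice) is the one thing a reader of this code needs. A two-line comment above the branch would carry it, e.g. `/* -traditional emits a PKCS#1 RSAPrivateKey PEM block and, when enc is set, the legacy PEM-header encryption; the default path emits PKCS#8. */`. The same applies to the matching branch in apps/rsa.c, and the help string in both option tables could name the format, `"Use traditional (PKCS#1) format for private keys"`, so users know what they are opting out of. genrsa_main starts before and continues after this hunk.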
@@ -226,7 +237,6 @@ opthelp:
     BIO_free_all(out);
     release_engine(eng);
     OPENSSL_free(passout);
-    OPENSSL_free(ebuf);
     if (ret != 0)
         ERR_print_errors(bio_err);
     return ret;
diff --git a/apps/rsa.c b/apps/rsa.c
index 0464729f71..fdee96d570 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -31,7 +31,7 @@ typedef enum OPTION_choice {
     /* Do not change the order here; see case statements below */
     OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
     OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER,
-    OPT_PROV_ENUM
+    OPT_PROV_ENUM, OPT_TRADITIONAL
 } OPTION_CHOICE;
 
 const OPTIONS rsa_options[] = {
@@ -59,6 +59,8 @@ const OPTIONS rsa_options[] = {
     {"noout", OPT_NOOUT, '-', "Don't print key out"},
     {"text", OPT_TEXT, '-', "Print the key in text"},
     {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
+    {"traditional", OPT_TRADITIONAL, '-',
+     "Use traditional format for private keys"},
 
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
     OPT_SECTION("PVK"),
@@ -88,6 +90,7 @@ int rsa_main(int argc, char **argv)
     int pvk_encr = 2;
 #endif
     OPTION_CHOICE o;
+    int traditional = 0;
 
     prog = opt_init(argc, argv, rsa_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -163,6 +166,9 @@ int rsa_main(int argc, char **argv)
             if (!opt_provider(o))
                 goto end;
             break;
+        case OPT_TRADITIONAL:
+            traditional = 1;
+            break;
         }
     }
     argc = opt_num_rest();
@@ -280,8 +286,13 @@ int rsa_main(int argc, char **argv)
                 i = PEM_write_bio_RSA_PUBKEY(out, rsa);
         } else {
             assert(private);
-            i = PEM_write_bio_RSAPrivateKey(out, rsa,
-                                            enc, NULL, 0, NULL, passout);
+            if (traditional) {
+                i = PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
+                                                         NULL, passout);
+            } else {
+                i = PEM_write_bio_PrivateKey(out, pkey,
+                                             enc, NULL, 0, NULL, passout);
+            }
         }
 #ifndef OPENSSL_NO_DSA
     } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
diff --git a/doc/man1/openssl-genrsa.pod.in b/doc/man1/openssl-genrsa.pod.in
index 33aa60ca4e..3f81e29eb4 100644
--- a/doc/man1/openssl-genrsa.pod.in
+++ b/doc/man1/openssl-genrsa.pod.in
@@ -28,6 +28,7 @@ B<openssl> B<genrsa>
 [B<-3>]
 [B<-primes> I<num>]
 [B<-verbose>]
+[B<-traditional>]
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_provider_synopsis -}
@@ -83,6 +84,10 @@ RSA key, which is defined in RFC 8017.
 
 Print extra details about the operations being performed.
 
+=item B<-traditional>
+
+Write the key using the traditional PKCS#1 format instead of the PKCS#8 format.
+
 {- $OpenSSL::safe::opt_r_item -}
 
 {- $OpenSSL::safe::opt_engine_item -}
diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in
index 4f9c41d668..722e4d584c 100644
--- a/doc/man1/openssl-rsa.pod.in
+++ b/doc/man1/openssl-rsa.pod.in
@@ -34,6 +34,7 @@ B<openssl> B<rsa>
 [B<-text>]
 [B<-noout>]
 [B<-modulus>]
+[B<-traditional>]
 [B<-check>]
 [B<-pubin>]
 [B<-pubout>]
@@ -47,10 +48,7 @@ B<openssl> B<rsa>
 =head1 DESCRIPTION
 
 This command processes RSA keys. They can be converted between
-various forms and their components printed out. B<Note> this command uses the
-traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the
-L<openssl-pkcs8(1)> command.
+various forms and their components printed out.
 
 =head1 OPTIONS
 
@@ -72,10 +70,10 @@ See L<openssl(1)/Format Options> for details.
 The key output format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 
-=item B<-inform> B<DER>|B<PEM>
+=item B<-traditional>
 
-The data is a PKCS#1 B<RSAPrivateKey> or B<SubjectPublicKey> object.
-On input, PKCS#8 format private keys are also accepted.
+When writing a private key, use the traditional PKCS#1 format
+instead of the PKCS#8 format.
 
 =item B<-in> I<filename>
 
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index 2c56cc278c..1f344217a2 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -529,7 +529,7 @@ parameters start with a minus sign:
 Several OpenSSL commands can take input or generate output in a variety
 of formats.
 Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
-files in any of the B<DER>, B<PEM>, or B<P12> formats,
+files in any of the B<DER>, B<PEM> or B<P12> formats,
 while specifying their input format is no more needed.
 
 The list of acceptable formats, and the default, is
diff --git a/test/testrsa.pem b/test/testrsa.pem
index aad21067a8..8648f10e37 100644
--- a/test/testrsa.pem
+++ b/test/testrsa.pem
@@ -1,9 +1,10 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAKrbeqkuRk8VcRmWFmtP+LviMB3+6dizWW3DwaffznyHGAFwUJ/I
-Tv0XtbsCyl3QoyKGhrOAy3RvPK5M38iuXT0CAwEAAQJAZ3cnzaHXM/bxGaR5CR1R
-rD1qFBAVfoQFiOH9uPJgMaoAuoQEisPHVcZDKcOv4wEg6/TInAIXBnEigtqvRzuy
-oQIhAPcgZzUq3yVooAaoov8UbXPxqHlwo6GBMqnv20xzkf6ZAiEAsP4BnIaQTM8S
-mvcpHZwQJdmdHHkGKAs37Dfxi67HbkUCIQCeZGliHXFa071Fp06ZeWlR2ADonTZz
-rJBhdTe0v5pCeQIhAIZfkiGgGBX4cIuuckzEm43g9WMUjxP/0GlK39vIyihxAiEA
-mymehFRT0MvqW5xAKAx7Pgkt8HVKwVhc2LwGKHE0DZM=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAqtt6qS5GTxVxGZYW
+a0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO/Re1uwLKXdCjIoaGs4DLdG88rkzf
+yK5dPQIDAQABAkBndyfNodcz9vEZpHkJHVGsPWoUEBV+hAWI4f248mAxqgC6hASK
+w8dVxkMpw6/jASDr9MicAhcGcSKC2q9HO7KhAiEA9yBnNSrfJWigBqii/xRtc/Go
+eXCjoYEyqe/bTHOR/pkCIQCw/gGchpBMzxKa9ykdnBAl2Z0ceQYoCzfsN/GLrsdu
+RQIhAJ5kaWIdcVrTvUWnTpl5aVHYAOidNnOskGF1N7S/mkJ5AiEAhl+SIaAYFfhw
+i65yTMSbjeD1YxSPE//QaUrf28jKKHECIQCbKZ6EVFPQy+pbnEAoDHs+CS3wdUrB
+WFzYvAYocTQNkw==
+-----END PRIVATE KEY-----

