[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu Aug 26 15:46:15 UTC 2021


The branch master has been updated
       via  4fdb0d2535323373650bd68e7a659f9320828857 (commit)
       via  f2b6edcfdd9ba0b17c8d6d6d76aa892fe76315fc (commit)
      from  b4fec69b2a8b5b93ec0e2603e4d27e5d722b87fc (commit)


- Log -----------------------------------------------------------------
commit 4fdb0d2535323373650bd68e7a659f9320828857
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Aug 25 12:21:06 2021 +0200

    APPS/req: Fix AKID generation in case -CA option is used
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16420)

commit f2b6edcfdd9ba0b17c8d6d6d76aa892fe76315fc
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Aug 25 12:11:38 2021 +0200

    APPS/req: Fix misconceptions on -CA, -CAkey, and -key options. -CA now implies -x509
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16420)

-----------------------------------------------------------------------

Summary of changes:
 apps/req.c                  | 51 ++++++++++++++++++++-------------------------
 doc/man1/openssl-req.pod.in | 31 ++++++++++++++-------------
 2 files changed, 40 insertions(+), 42 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index a0ecda8225..6aa364fec5 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -116,10 +116,10 @@ const OPTIONS req_options[] = {
     {"reqopt", OPT_REQOPT, 's', "Various request text options"},
     {"text", OPT_TEXT, '-', "Text form of request"},
     {"x509", OPT_X509, '-',
-     "Output an x509 structure instead of a cert request"},
-    {"CA", OPT_CA, '<', "Issuer certificate to use with -x509"},
+     "Output an X.509 certificate structure instead of a cert request"},
+    {"CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509"},
     {"CAkey", OPT_CAKEY, 's',
-     "Issuer private key to use with -x509; default is -CA arg"},
+     "Issuer private key to use with -CA; default is -CA arg"},
     {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
     {"subj", OPT_SUBJ, 's', "Set or modify subject of request or cert"},
     {"subject", OPT_SUBJECT, '-',
@@ -139,7 +139,7 @@ const OPTIONS req_options[] = {
     {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
 
     OPT_SECTION("Keys and Signing"),
-    {"key", OPT_KEY, 's', "Private key to use"},
+    {"key", OPT_KEY, 's', "Key to include and to use for self-signature"},
     {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
     {"pubkey", OPT_PUBKEY, '-', "Output public key"},
     {"keyout", OPT_KEYOUT, '>', "File to write private key to"},
@@ -406,6 +406,7 @@ int req_main(int argc, char **argv)
             break;
         case OPT_CA:
             CAfile = opt_arg();
+            gen_x509 = 1;
             break;
         case OPT_CAKEY:
             CAkeyfile = opt_arg();
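Review bot: Setting `gen_x509 = 1` in the `OPT_CA` case changes what existing command lines produce. The code removed later in req_main warned and ignored `-CA` without `-x509`, so such an invocation used to emit a request and now emits a certificate signed with the issuer key. The diffstat lists only apps/req.c and the man page, so unless this is recorded elsewhere it deserves a changelog entry. A short comment at the parser, e.g. `/* -CA implies -x509: the output is a certificate signed by the CA key */`, would make the side effect visible. The switch statement starts and ends outside the hunk.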
@@ -630,7 +631,6 @@ int req_main(int argc, char **argv)
             goto end;
         app_RAND_load_conf(req_conf, section);
     }
-
     if (newreq && pkey == NULL) {
         app_RAND_load_conf(req_conf, section);
 
@@ -755,28 +755,21 @@ int req_main(int argc, char **argv)
                        "Ignoring -CAkey option since no -CA option is given\n");
         } else {
             if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
-                                  0, passin, e, "issuer private key")) == NULL)
+                                  0, passin, e,
+                                  CAkeyfile != CAfile
+                                  ? "issuer private key from -CAkey arg"
+                                  : "issuer private key from -CA arg")) == NULL)
                 goto end;
         }
     }
     if (CAfile != NULL) {
-        if (!gen_x509) {
+        if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
+                                     "issuer cert from -CA arg")) == NULL)
+            goto end;
+        if (!X509_check_private_key(CAcert, CAkey)) {
             BIO_printf(bio_err,
-                       "Warning: Ignoring -CA option without -x509\n");
-        } else {
-            if (CAkeyfile == NULL) {
-                BIO_printf(bio_err,
-                           "Need to give the -CAkey option if using -CA\n");
-                goto end;
-            }
-            if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
-                                         "issuer certificate")) == NULL)
-                goto end;
-            if (!X509_check_private_key(CAcert, CAkey)) {
-                BIO_printf(bio_err,
-                           "Issuer certificate and key do not match\n");
-                goto end;
-            }
+                       "Issuer CA certificate and key do not match\n");
+            goto end;
         }
     }
     if (newreq || gen_x509) {
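Review bot: With the `CAkeyfile == NULL` error path removed, `X509_check_private_key(CAcert, CAkey)` relies on `CAkey` having been loaded whenever `CAfile` is set. In the visible lines that only happens in the `else` branch, under a `CAkeyfile` test that lies above the hunk. The pointer comparison `CAkeyfile != CAfile` suggests `CAkeyfile` is defaulted to `CAfile` earlier, but that assignment is not shown, so the invariant is better enforced here: `if (CAkey == NULL || !X509_check_private_key(CAcert, CAkey)) {`. A comment next to the ternary, e.g. `/* CAkeyfile aliases CAfile when -CAkey was not given */`, would also explain why comparing pointers rather than strings is intended.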
@@ -798,6 +791,7 @@ int req_main(int argc, char **argv)
         }
         if (gen_x509) {
             EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
+            EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey;
             X509V3_CTX ext_ctx;
             X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) :
                 X509_REQ_get_subject_name(req);
@@ -828,7 +822,8 @@ int req_main(int argc, char **argv)
             if (!pub_key || !X509_set_pubkey(new_x509, pub_key))
                 goto end;
             if (ext_copy == EXT_COPY_UNSET) {
-                BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n");
+                if (infile != NULL)
+                    BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n");
             } else if (!copy_extensions(new_x509, req, ext_copy)) {
                 BIO_printf(bio_err, "Error copying extensions from request\n");
                 goto end;
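Review bot: The added `if (infile != NULL)` is left unbraced inside the `ext_copy == EXT_COPY_UNSET` branch, directly before `} else if (!copy_extensions(...))`, so the pairing of the `else` is easy to misread and easy to break in a later edit. Bracing the inner statement (`if (infile != NULL) {` … `}`) keeps the structure explicit and lets the over-long `BIO_printf` line be wrapped. A one-line comment such as `/* warn only when a request was read from an input file */` would record why the warning is now conditional; that `infile` is the `-in` argument is inferred, since its assignment is outside the hunk. The enclosing block of req_main continues outside the hunk.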
@@ -837,11 +832,12 @@ int req_main(int argc, char **argv)
             /* Set up V3 context struct */
             X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509,
                            new_x509, NULL, NULL, X509V3_CTX_REPLACE);
-            if (CAcert == NULL) { /* self-issued, possibly self-signed */
-                if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) /* prepare right AKID */
+            /* prepare fallback for AKID, but only if issuer cert == new_x509 */
+            if (CAcert == NULL) {
+                if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key))
                     goto end;
                 ERR_set_mark();
-                if (!X509_check_private_key(new_x509, pkey))
+                if (!X509_check_private_key(new_x509, issuer_key))
                     BIO_printf(bio_err,
                                "Warning: Signature key and public key of cert do not match\n");
                 ERR_pop_to_mark();
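Review bot: Inside `if (CAcert == NULL)` the new `issuer_key` is always `pkey`, because it is initialised as `CAcert != NULL ? CAkey : pkey` earlier in the same block. Replacing `pkey` here is therefore a rename only, and a reader may wrongly assume this branch also covers the `-CA` case. The comment could say so directly, e.g. `/* CAcert == NULL: self-issued, issuer_key is pkey; prepare AKID fallback */`. It is also worth noting there that a key mismatch only prints a warning and signing still proceeds, with the error queue deliberately cleared by `ERR_set_mark()`/`ERR_pop_to_mark()`. The block continues outside the hunk.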
@@ -872,8 +868,7 @@ int req_main(int argc, char **argv)
                 }
             }
 
-            i = do_X509_sign(new_x509, CAcert != NULL ? CAkey : pkey,
-                             digest, sigopts, &ext_ctx);
+            i = do_X509_sign(new_x509, issuer_key, digest, sigopts, &ext_ctx);
             if (!i)
                 goto end;
         } else {
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 75d0da1743..9926901571 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -103,7 +103,7 @@ which supports both options for good reasons.
 
 =item B<-passin> I<arg>
 
-The password source for the request input file and the certificate input.
+The password source for private key and certificate input.
 For more information about the format of B<arg>
 see L<openssl-passphrase-options(1)>.
 
@@ -124,7 +124,7 @@ Prints out the certificate request in text form.
 =item B<-subject>
 
 Prints out the certificate request subject
-(or certificate subject if B<-x509> is specified).
+(or certificate subject if B<-x509> is in use).
 
 =item B<-pubkey>
 
@@ -193,8 +193,8 @@ See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
 
 =item B<-key> I<filename>|I<uri>
 
-This specifies the private key to use for request self-signature
-and signing certificates produced using the B<-x509> option.
+This specifies the key to include and to use for request self-signature
+and for self-signing certificates produced with the B<-x509> option.
 It also accepts PKCS#8 format private keys for PEM format files.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
@@ -266,6 +266,7 @@ This option has been deprecated and has no effect.
 
 This option outputs a certificate instead of a certificate request.
 This is typically used to generate test certificates.
+It is implied by the B<-CA> option.
 
 If an existing request is specified with the B<-in> option, it is converted
 to the a certificate; otherwise a request is created from scratch.
@@ -281,7 +282,8 @@ or using the B<-addext> option.
 
 =item B<-CA> I<filename>|I<uri>
 
-Specifies the "CA" certificate to be used for signing with the B<-x509> option.
+Specifies the "CA" certificate to be used for signing a new certificate
+and implies use of B<-x509>.
 When present, this behaves like a "micro CA" as follows:
 The subject name of the "CA" certificate is placed as issuer name in the new
 certificate, which is then signed using the "CA" key given as specified below.
@@ -294,7 +296,7 @@ If this option is not provided then the key must be present in the B<-CA> input.
 
 =item B<-days> I<n>
 
-When the B<-x509> option is being used this specifies the number of
+When B<-x509> is in use this specifies the number of
 days to certify the certificate for, otherwise it is ignored. I<n> should
 be a positive integer. The default is 30 days.
 
@@ -307,7 +309,7 @@ If not given, a large random number will be used.
 =item B<-copy_extensions> I<arg>
 
 Determines how X.509 extensions in certificate requests should be handled
-when B<-x509> is given.
+when B<-x509> is in use.
 If I<arg> is B<none> or this option is not present then extensions are ignored.
 If I<arg> is B<copy> or B<copyall> then
 all extensions in the request are copied to the certificate.
@@ -317,8 +319,8 @@ values for certain extensions such as subjectAltName.
 
 =item B<-addext> I<ext>
 
-Add a specific extension to the certificate (if the B<-x509> option is
-present) or certificate request.  The argument must have the form of
+Add a specific extension to the certificate (if B<-x509> is in use)
+or certificate request.  The argument must have the form of
 a key=value pair as it would appear in a config file.
 
 This option can be given multiple times.
@@ -328,8 +330,8 @@ This option can be given multiple times.
 =item B<-reqexts> I<section>
 
 These options specify alternative sections to include certificate
-extensions (if the B<-x509> option is present) or certificate
-request extensions. This allows several different sections to
+extensions (if B<-x509> is in use) or certificate request extensions.
+This allows several different sections to
 be used in the same configuration file to specify requests for
 a variety of purposes.
 
@@ -399,7 +401,8 @@ The options available are described in detail below.
 
 =over 4
 
-=item B<input_password output_password>
+=item B<input_password>
+=item B<output_password>
 
 The passwords for the input private key file (if present) and
 the output private key file (if one will be created). The
@@ -479,8 +482,8 @@ extension section format.
 =item B<x509_extensions>
 
 This specifies the configuration file section containing a list of
-extensions to add to certificate generated when the B<-x509> switch
-is used. It can be overridden by the B<-extensions> command line switch.
+extensions to add to certificate generated when B<-x509> is in use.
+It can be overridden by the B<-extensions> command line switch.
 
 =item B<prompt>
 

