[openssl] master update
dev at ddvo.net
dev at ddvo.net
Mon Jan 11 18:36:08 UTC 2021
The branch master has been updated
via 046a7aaa5e3c398b19fcdb5b486d57ab9c6ced30 (commit)
via 1f7643e86e7dfdc559092fe4a467bad2ce86f6f2 (commit)
via 475d10028e57ae0987911af580f0de8d701325ec (commit)
via 400e2acfe0bae9aec1f9df50fa51f6b7cf8ad779 (commit)
from e211d949cd5737e53cd3399e6a88453930768b98 (commit)
- Log -----------------------------------------------------------------
commit 046a7aaa5e3c398b19fcdb5b486d57ab9c6ced30
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Dec 22 10:28:03 2020 +0100
apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)
commit 1f7643e86e7dfdc559092fe4a467bad2ce86f6f2
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Dec 22 08:37:03 2020 +0100
apps/pkey.c: Re-order help output and option documentation
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)
commit 475d10028e57ae0987911af580f0de8d701325ec
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Dec 15 14:30:38 2020 +0100
apps/pkey.c: Make clear that -passout is not supported for DER output
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)
commit 400e2acfe0bae9aec1f9df50fa51f6b7cf8ad779
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu Dec 10 17:10:52 2020 +0100
apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)
-----------------------------------------------------------------------
Summary of changes:
apps/lib/apps.c | 8 +--
apps/pkey.c | 94 ++++++++++++++++++-----------
doc/man1/openssl-pkey.pod.in | 141 ++++++++++++++++++++++++++-----------------
3 files changed, 147 insertions(+), 96 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 1998a8bc2f..457dac87bc 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -469,10 +469,10 @@ CONF *app_load_config_modules(const char *configfile)
return conf;
}
-#define IS_HTTP(uri) \
- (strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0)
-#define IS_HTTPS(uri) \
- (strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0)
+#define IS_HTTP(uri) ((uri) != NULL \
+ && strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0)
+#define IS_HTTPS(uri) ((uri) != NULL \
+ && strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0)
X509 *load_cert_pass(const char *uri, int maybe_stdin,
const char *pass, const char *desc)
diff --git a/apps/pkey.c b/apps/pkey.c
index 67dc8c012c..5d12cc059a 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -36,7 +36,7 @@ typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
- OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK,
+ OPT_TEXT, OPT_NOOUT, OPT_CIPHER, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK,
OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM,
OPT_PROV_ENUM
} OPTION_CHOICE;
@@ -47,33 +47,36 @@ const OPTIONS pkey_options[] = {
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
+ OPT_PROV_OPTIONS,
+
{"check", OPT_CHECK, '-', "Check key consistency"},
{"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"},
- {"", OPT_MD, '-', "Any supported cipher"},
- {"ec_param_enc", OPT_EC_PARAM_ENC, 's',
- "Specifies the way the ec parameters are encoded"},
- {"ec_conv_form", OPT_EC_CONV_FORM, 's',
- "Specifies the point conversion form "},
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
- {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ {"inform", OPT_INFORM, 'f',
+ "Key input format (ENGINE, other values ignored)"},
+ {"passin", OPT_PASSIN, 's', "Key input pass phrase source"},
{"pubin", OPT_PUBIN, '-',
- "Read public key from input (default is private key)"},
- {"traditional", OPT_TRADITIONAL, '-',
- "Use traditional format for private keys"},
+ "Read only public components from key input"},
OPT_SECTION("Output"),
- {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
- {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- {"out", OPT_OUT, '>', "Output file"},
- {"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
- {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"},
- {"text", OPT_TEXT, '-', "Output in plaintext as well"},
- {"noout", OPT_NOOUT, '-', "Don't output the key"},
+ {"out", OPT_OUT, '>', "Output file for encoded and/or text output"},
+ {"outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)"},
+ {"", OPT_CIPHER, '-', "Any supported cipher to be used for encryption"},
+ {"passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source"},
+ {"traditional", OPT_TRADITIONAL, '-',
+ "Use traditional format for private key PEM output"},
+ {"pubout", OPT_PUBOUT, '-', "Restrict encoded output to public components"},
+ {"noout", OPT_NOOUT, '-', "Do not output the key in encoded form"},
+ {"text", OPT_TEXT, '-', "Output key components in plaintext"},
+ {"text_pub", OPT_TEXT_PUB, '-',
+ "Output only public key components in text form"},
+ {"ec_conv_form", OPT_EC_CONV_FORM, 's',
+ "Specifies the EC point conversion form in the encoding"},
+ {"ec_param_enc", OPT_EC_PARAM_ENC, 's',
+ "Specifies the way the EC parameters are encoded"},
- OPT_PROV_OPTIONS,
{NULL}
};
@@ -88,7 +91,7 @@ int pkey_main(int argc, char **argv)
char *passinarg = NULL, *passoutarg = NULL, *prog;
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM;
- int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
+ int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1;
int private = 0, traditional = 0, check = 0, pub_check = 0;
#ifndef OPENSSL_NO_EC
EC_KEY *eckey;
@@ -133,13 +136,13 @@ int pkey_main(int argc, char **argv)
outfile = opt_arg();
break;
case OPT_PUBIN:
- pubin = pubout = pubtext = 1;
+ pubin = pubout = 1;
break;
case OPT_PUBOUT:
pubout = 1;
break;
case OPT_TEXT_PUB:
- pubtext = text = 1;
+ text_pub = 1;
break;
case OPT_TEXT:
text = 1;
@@ -156,7 +159,7 @@ int pkey_main(int argc, char **argv)
case OPT_PUB_CHECK:
pub_check = 1;
break;
- case OPT_MD:
+ case OPT_CIPHER:
if (!opt_cipher(opt_unknown(), &cipher))
goto opthelp;
break;
@@ -192,10 +195,28 @@ int pkey_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
- private = !noout && !pubout ? 1 : 0;
- if (text && !pubtext)
- private = 1;
+ if (noout && pubout)
+ BIO_printf(bio_err,
+ "Warning: The -pubout option is ignored with -noout\n");
+ if (text && text_pub)
+ BIO_printf(bio_err,
+ "Warning: The -text option is ignored with -text_pub\n");
+ if (traditional && (noout || outformat != FORMAT_PEM))
+ BIO_printf(bio_err,
+ "Warning: The -traditional is ignored since there is no PEM output\n");
+ private = (!noout && !pubout) || (text && !text_pub);
+ if (cipher == NULL) {
+ if (passoutarg != NULL)
+ BIO_printf(bio_err,
+ "Warning: The -passout option is ignored without a cipher option\n");
+ } else {
+ if (noout || outformat != FORMAT_PEM) {
+ BIO_printf(bio_err,
+ "Error: Cipher options are supported only for PEM output\n");
+ goto end;
+ }
+ }
if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
@@ -283,6 +304,11 @@ int pkey_main(int argc, char **argv)
}
}
} else if (outformat == FORMAT_ASN1) {
+ if (text || text_pub) {
+ BIO_printf(bio_err,
+ "Error: Text output cannot be combined with DER output\n");
+ goto end;
+ }
if (pubout) {
if (!i2d_PUBKEY_bio(out, pkey))
goto end;
@@ -297,15 +323,13 @@ int pkey_main(int argc, char **argv)
}
}
- if (text) {
- if (pubtext) {
- if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
- goto end;
- } else {
- assert(private);
- if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)
- goto end;
- }
+ if (text_pub) {
+ if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
+ goto end;
+ } else if (text) {
+ assert(private);
+ if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)
+ goto end;
}
ret = 0;
diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in
index 86597c9e36..df031fb258 100644
--- a/doc/man1/openssl-pkey.pod.in
+++ b/doc/man1/openssl-pkey.pod.in
@@ -13,118 +13,149 @@ openssl-pkey - public or private key processing command
B<openssl> B<pkey>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
-[B<-outform> B<DER>|B<PEM>]
+{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+[B<-check>]
+[B<-pubcheck>]
[B<-in> I<filename>|I<uri>]
+[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
+[B<-pubin>]
[B<-out> I<filename>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-I<cipher>>]
[B<-passout> I<arg>]
[B<-traditional>]
-[B<-I<cipher>>]
+[B<-pubout>]
+[B<-noout>]
[B<-text>]
[B<-text_pub>]
-[B<-noout>]
-[B<-pubin>]
-[B<-pubout>]
-[B<-check>]
-[B<-pubcheck>]
[B<-ec_conv_form> I<arg>]
[B<-ec_param_enc> I<arg>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
=head1 DESCRIPTION
This command processes public or private keys. They can be
-converted between various forms and their components printed out.
+converted between various forms and their components printed.
=head1 OPTIONS
+=head2 General options
+
=over 4
=item B<-help>
Print out a usage message.
+{- $OpenSSL::safe::opt_engine_item -}
+
+{- $OpenSSL::safe::opt_provider_item -}
+
+=item B<-check>
+
+This option checks the consistency of a key pair for both public and private
+components.
+
+=item B<-pubcheck>
+
+This option checks the correctness of either a public key
+or the public component of a key pair.
+
+=back
+
+=head2 Input options
+
+=over 4
+
+=item B<-in> I<filename>|I<uri>
+
+This specifies the input to read a key from
+or standard input if this option is not specified.
+If the key input is encrypted and B<-passin> is not given
+a pass phrase will be prompted for.
+
=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key input format; the default is B<PEM>.
The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl-format-options(1)> for details.
-=item B<-outform> B<DER>|B<PEM>
+=item B<-passin> I<arg>
-The key output formats; the default is B<PEM>.
-See L<openssl-format-options(1)> for details.
+The password source for the key input.
-=item B<-in> I<filename>|I<uri>
+For more information about the format of B<arg>
+see L<openssl-passphrase-options(1)>.
-This specifies the input to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
+=item B<-pubin>
-=item B<-passin> I<arg>, B<-passout> I<arg>
+By default a private key is read from the input.
+With this option only the public components are read.
-The password source for the input and output file.
-For more information about the format of B<arg>
-see L<openssl-passphrase-options(1)>.
+=back
+
+=head2 Output options
+
+=over 4
=item B<-out> I<filename>
-This specifies the output filename to write a key to or standard output if this
-option is not specified. If any encryption options are set then a pass phrase
-will be prompted for. The output filename should B<not> be the same as the input
-filename.
+This specifies the output filename to save the encoded and/or text output of key
+or standard output if this option is not specified.
+If any cipher option is set but no B<-passout> is given
+then a pass phrase will be prompted for.
+The output filename should B<not> be the same as the input filename.
-=item B<-traditional>
+=item B<-outform> B<DER>|B<PEM>
-Normally a private key is written using standard format: this is PKCS#8 form
-with the appropriate encryption algorithm (if any). If the B<-traditional>
-option is specified then the older "traditional" format is used instead.
+The key output format; the default is B<PEM>.
+See L<openssl-format-options(1)> for details.
=item B<-I<cipher>>
-These options encrypt the private key with the supplied cipher. Any algorithm
-name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
+Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
+name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
+Encryption is not supported for DER output.
-=item B<-text>
-
-Prints out the various public or private key components in
-plain text in addition to the encoded version.
+=item B<-passout> I<arg>
-=item B<-text_pub>
+The password source for the output file.
-Print out only public key components even if a private key is being processed.
+For more information about the format of B<arg>
+see L<openssl-passphrase-options(1)>.
-=item B<-noout>
+=item B<-traditional>
-Do not output the encoded version of the key.
+Normally a private key is written using standard format: this is PKCS#8 form
+with the appropriate encryption algorithm (if any). If the B<-traditional>
+option is specified then the older "traditional" format is used instead.
-=item B<-pubin>
+=item B<-pubout>
-By default a private key is read from the input file: with this
-option a public key is read instead.
+By default the encoded private and public key is output;
+this option restricts the encoded output to the public components.
+This option is automatically set if the input is a public key.
-=item B<-pubout>
+=item B<-noout>
-By default a private key is output: with this option a public
-key will be output instead. This option is automatically set if
-the input is a public key.
+Do not output the key in encoded form.
-=item B<-check>
+=item B<-text>
-This option checks the consistency of a key pair for both public and private
-components.
+Output the various key components in plain text
+(possibly in addition to the PEM encoded form).
+This cannot be combined with encoded output in DER format.
-=item B<-pubcheck>
+=item B<-text_pub>
-This option checks the correctness of either a public key or the public component
-of a key pair.
+Output in text form only the public key components (also for private keys).
+This cannot be combined with encoded output in DER format.
=item B<-ec_conv_form> I<arg>
-This option only applies to elliptic curve based public and private keys.
+This option only applies to elliptic-curve based keys.
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed> (the default
@@ -146,10 +177,6 @@ EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in OpenSSL.
-{- $OpenSSL::safe::opt_engine_item -}
-
-{- $OpenSSL::safe::opt_provider_item -}
-
=back
=head1 EXAMPLES
More information about the openssl-commits
mailing list