[openssl] master update
dev at ddvo.net
dev at ddvo.net
Sat Mar 6 20:46:59 UTC 2021
The branch master has been updated
via 9293046fb447b1fd0ef1753017d9db4c3c333860 (commit)
from 2de5d3b87a7980efdb1c1e8350760b60d3d53e1e (commit)
- Log -----------------------------------------------------------------
commit 9293046fb447b1fd0ef1753017d9db4c3c333860
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Jan 6 15:01:46 2021 +0100
apps/x509.c: Rename -signkey to -key for consistency with the req app
Also because this better reflects that usually also the public portion is used.
Retaining the old -signkey as an alias for backward compatibility.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14007)
-----------------------------------------------------------------------
Summary of changes:
apps/x509.c | 51 +++++++++++++++++++++++---------------------
doc/man1/openssl-x509.pod.in | 28 +++++++++++++++---------
2 files changed, 45 insertions(+), 34 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 1108ff7ad4..163c1c8a67 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -42,7 +42,7 @@ typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
OPT_CAKEYFORM, OPT_VFYOPT, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE,
- OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, OPT_CAKEY,
+ OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_KEY, OPT_SIGNKEY, OPT_CA, OPT_CAKEY,
OPT_CASERIAL, OPT_SET_SERIAL, OPT_NEW, OPT_FORCE_PUBKEY, OPT_SUBJ,
OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT,
OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL,
@@ -72,8 +72,10 @@ const OPTIONS x509_options[] = {
{"inform", OPT_INFORM, 'f',
"CSR input file format (DER or PEM) - default PEM"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
+ {"key", OPT_KEY, 's',
+ "Key to be used in certificate or cert request"},
{"signkey", OPT_SIGNKEY, 's',
- "Key used to self-sign certificate or cert request"},
+ "Same as -key"},
{"keyform", OPT_KEYFORM, 'E',
"Key input format (ENGINE, other values ignored)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
@@ -149,7 +151,7 @@ const OPTIONS x509_options[] = {
OPT_SECTION("Micro-CA"),
{"CA", OPT_CA, '<',
- "Use the given CA certificate, conflicts with -signkey"},
+ "Use the given CA certificate, conflicts with -key"},
{"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
{"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"},
{"CAkeyform", OPT_CAKEYFORM, 'E',
@@ -244,7 +246,7 @@ int x509_main(int argc, char **argv)
CONF *extconf = NULL;
int ext_copy = EXT_COPY_UNSET;
X509V3_CTX ext_ctx;
- EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL;
+ EVP_PKEY *privkey = NULL, *CAkey = NULL, *pubkey = NULL;
EVP_PKEY *pkey;
int newcert = 0;
char *subj = NULL, *digestname = NULL;
@@ -261,7 +263,7 @@ int x509_main(int argc, char **argv)
char *checkhost = NULL, *checkemail = NULL, *checkip = NULL;
char *ext_names = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL;
- char *infile = NULL, *outfile = NULL, *signkeyfile = NULL, *CAfile = NULL;
+ char *infile = NULL, *outfile = NULL, *privkeyfile = NULL, *CAfile = NULL;
char *prog;
int days = UNSET_DAYS; /* not explicitly set */
int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0;
@@ -374,8 +376,9 @@ int x509_main(int argc, char **argv)
case OPT_EXTENSIONS:
extsect = opt_arg();
break;
+ case OPT_KEY:
case OPT_SIGNKEY:
- signkeyfile = opt_arg();
+ privkeyfile = opt_arg();
break;
case OPT_CA:
CAfile = opt_arg();
@@ -605,9 +608,9 @@ int x509_main(int argc, char **argv)
"The -req option cannot be used with -new\n");
goto end;
}
- if (signkeyfile != NULL) {
- signkey = load_key(signkeyfile, keyformat, 0, passin, e, "private key");
- if (signkey == NULL)
+ if (privkeyfile != NULL) {
+ privkey = load_key(privkeyfile, keyformat, 0, passin, e, "private key");
+ if (privkey == NULL)
goto end;
}
if (pubkeyfile != NULL) {
@@ -622,9 +625,9 @@ int x509_main(int argc, char **argv)
"The -new option requires a subject to be set using -subj\n");
goto end;
}
- if (signkeyfile == NULL && pubkeyfile == NULL) {
+ if (privkeyfile == NULL && pubkeyfile == NULL) {
BIO_printf(bio_err,
- "The -new option without -signkey requires using -force_pubkey\n");
+ "The -new option without -key requires using -force_pubkey\n");
goto end;
}
}
@@ -635,8 +638,8 @@ int x509_main(int argc, char **argv)
if (CAkeyfile == NULL)
CAkeyfile = CAfile;
if (CAfile != NULL) {
- if (signkeyfile != NULL) {
- BIO_printf(bio_err, "Cannot use both -signkey and -CA option\n");
+ if (privkeyfile != NULL) {
+ BIO_printf(bio_err, "Cannot use both -key and -CA option\n");
goto end;
}
} else if (CAkeyfile != NULL) {
@@ -697,9 +700,9 @@ int x509_main(int argc, char **argv)
BIO_printf(bio_err,
"Warning: ignoring -preserve_dates option with -req or -new\n");
preserve_dates = 0;
- if (signkeyfile == NULL && CAkeyfile == NULL) {
+ if (privkeyfile == NULL && CAkeyfile == NULL) {
BIO_printf(bio_err,
- "We need a private key to sign with, use -signkey or -CAkey or -CA with private key\n");
+ "We need a private key to sign with, use -key or -CAkey or -CA with private key\n");
goto end;
}
if ((x = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
@@ -727,9 +730,9 @@ int x509_main(int argc, char **argv)
&& !X509_set_subject_name(x, fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req)))
goto end;
- if ((pubkey != NULL || signkey != NULL || req != NULL)
+ if ((pubkey != NULL || privkey != NULL || req != NULL)
&& !X509_set_pubkey(x, pubkey != NULL ? pubkey :
- signkey != NULL ? signkey :
+ privkey != NULL ? privkey :
X509_REQ_get0_pubkey(req)))
goto end;
@@ -787,7 +790,7 @@ int x509_main(int argc, char **argv)
if (sno != NULL && !X509_set_serialNumber(x, sno))
goto end;
- if (reqfile || newcert || signkey != NULL || CAfile != NULL) {
+ if (reqfile || newcert || privkey != NULL || CAfile != NULL) {
if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
goto end;
if (!X509_set_issuer_name(x, X509_get_subject_name(issuer_cert)))
@@ -813,15 +816,15 @@ int x509_main(int argc, char **argv)
}
if (x509toreq) { /* also works in conjunction with -req */
- if (signkey == NULL) {
- BIO_printf(bio_err, "Must specify request key using -signkey\n");
+ if (privkey == NULL) {
+ BIO_printf(bio_err, "Must specify request key using -key\n");
goto end;
}
if (clrext && ext_copy != EXT_COPY_NONE) {
BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n");
goto end;
}
- if ((rq = x509_to_req(x, signkey, digest, sigopts,
+ if ((rq = x509_to_req(x, privkey, digest, sigopts,
ext_copy, ext_names)) == NULL)
goto end;
if (!noout) {
@@ -838,8 +841,8 @@ int x509_main(int argc, char **argv)
}
}
noout = 1;
- } else if (signkey != NULL) {
- if (!do_X509_sign(x, signkey, digest, sigopts, &ext_ctx))
+ } else if (privkey != NULL) {
+ if (!do_X509_sign(x, privkey, digest, sigopts, &ext_ctx))
goto end;
} else if (CAfile != NULL) {
if (!reqfile && !newcert) { /* certificate should be self-signed */
@@ -1030,7 +1033,7 @@ int x509_main(int argc, char **argv)
X509_REQ_free(req);
X509_free(x);
X509_free(xca);
- EVP_PKEY_free(signkey);
+ EVP_PKEY_free(privkey);
EVP_PKEY_free(CAkey);
EVP_PKEY_free(pubkey);
sk_OPENSSL_STRING_free(sigopts);
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index 77c5e64ee0..7f42d45cf7 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -17,8 +17,9 @@ B<openssl> B<x509>
[B<-copy_extensions> I<arg>]
[B<-inform> B<DER>|B<PEM>]
[B<-vfyopt> I<nm>:I<v>]
-[B<-signkey> I<filename>|I<uri>]
+[B<-key> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-signkey> I<filename>|I<uri>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-nocert>]
@@ -118,13 +119,13 @@ Generate a certificate from scratch, not using an input certificate
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> option needs to be given.
The public key to include can be given with the B<-force_pubkey> option
-and defaults to the key given with the B<-signkey> option,
+and defaults to the key given with the B<-key> option,
which implies self-signature.
=item B<-x509toreq>
Output a PKCS#10 certificate request (rather than a certificate).
-The B<-signkey> option must be used to provide the private key for self-signing;
+The B<-key> option must be used to provide the private key for self-signing;
the corresponding public key is placed in the subjectPKInfo field.
X.509 extensions included in a certificate input are not copied by default.
@@ -161,7 +162,7 @@ See L<openssl-format-options(1)> for details.
Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.
-=item B<-signkey> I<filename>|I<uri>
+=item B<-key> I<filename>|I<uri>
This option causes the new certificate or certificate request
to be self-signed using the supplied private key.
@@ -174,6 +175,10 @@ Unless the B<-preserve_dates> option is supplied,
it sets the validity start date to the current time
and the end date to a value determined by the B<-days> option.
+=item B<-signkey> I<filename>|I<uri>
+
+This option is an alias of B<-key>.
+
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key input format; the default is B<PEM>.
@@ -348,7 +353,7 @@ Check that the certificate matches the specified IP address.
=item B<-set_serial> I<n>
Specifies the serial number to use. This option can be used with either
-the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA> option
+the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option
the serial number file (as specified by the B<-CAserial> option) is not used.
The serial number can be decimal or hex (if preceded by C<0x>).
@@ -392,7 +397,7 @@ or certificate request.
=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in I<filename>
-instead of the key contained in the input or given with the B<-signkey> option.
+instead of the key contained in the input or given with the B<-key> option.
This option is useful for creating self-issued certificates that are not
self-signed, for instance when the key cannot be used for signing, such as DH.
@@ -438,7 +443,7 @@ for testing.
The digest to use.
This affects any signing or printing option that uses a message
-digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
+digest, such as the B<-fingerprint>, B<-key> and B<-CA> options.
Any digest supported by the L<openssl-dgst(1)> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
@@ -456,7 +461,7 @@ When present, this behaves like a "micro CA" as follows:
The subject name of the "CA" certificate is placed as issuer name in the new
certificate, which is then signed using the "CA" key given as detailed below.
-This option cannot be used in conjunction with the B<-signkey> option.
+This option cannot be used in conjunction with the B<-key> option.
This option is normally combined with the B<-req> option referencing a CSR.
Without the B<-req> option the input must be a self-signed certificate
unless the B<-new> option is given, which generates a certificate from scratch.
@@ -700,13 +705,13 @@ Convert a certificate from PEM to DER format:
Convert a certificate to a certificate request:
- openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
+ openssl x509 -x509toreq -in cert.pem -out req.pem -key key.pem
Convert a certificate request into a self-signed certificate using
extensions for a CA:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
- -signkey key.pem -out cacert.pem
+ -key key.pem -out cacert.pem
Sign a certificate request using the CA certificate above and add user
certificate extensions:
@@ -871,6 +876,9 @@ of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
version of the DN using SHA1. This means that any directories using the old
form must have their links rebuilt using L<openssl-rehash(1)> or similar.
+The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0,
+keeping the old name as an alias.
+
All B<-keyform> and B<-CAkeyform> values except B<ENGINE>
have become obsolete in OpenSSL 3.0.0 and have no effect.
More information about the openssl-commits
mailing list