[openssl] master update

Matt Caswell matt at openssl.org
Thu May 6 10:59:34 UTC 2021


The branch master has been updated
       via  d105a24c8987dde38595a2fa336057b141e5ddf3 (commit)
       via  bee3f3890547cc7f349b69ef63665ebcc80d48ed (commit)
       via  3d1becd42aecbd00c2514bac7b5e8e33f097fdc2 (commit)
       via  0b294f5647a21a8762871b18f0cbbf96ce8cc68d (commit)
       via  d382e79632677f2457025be3d820e08d7ea12d85 (commit)
      from  b86fa8c55682169c88e14e616170d6caeb208865 (commit)


- Log -----------------------------------------------------------------
commit d105a24c8987dde38595a2fa336057b141e5ddf3
Author: Tomas Mraz <tomas at openssl.org>
Date:   Mon May 3 14:40:06 2021 +0200

    Add some tests for -inform/keyform enforcement
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15100)

commit bee3f3890547cc7f349b69ef63665ebcc80d48ed
Author: Tomas Mraz <tomas at openssl.org>
Date:   Mon May 3 14:15:26 2021 +0200

    Document the behavior of the -inform and related options
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15100)

commit 3d1becd42aecbd00c2514bac7b5e8e33f097fdc2
Author: Tomas Mraz <tomas at openssl.org>
Date:   Mon May 3 14:14:54 2021 +0200

    provider-storemgmt: Document the input-type and properties parameters.
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15100)

commit 0b294f5647a21a8762871b18f0cbbf96ce8cc68d
Author: Tomas Mraz <tomas at openssl.org>
Date:   Mon May 3 08:45:52 2021 +0200

    Update gost-engine to make it compatible with the added params
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15100)

commit d382e79632677f2457025be3d820e08d7ea12d85
Author: Tomas Mraz <tomas at openssl.org>
Date:   Fri Apr 30 16:57:53 2021 +0200

    Make the -inform option to be respected if possible
    
    Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be
    set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.
    
    The input type format is enforced only in case the file
    type file store is used.
    
    By default we use FORMAT_UNDEF meaning the input type
    is not enforced.
    
    Fixes #14569
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15100)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md                                       |  7 +++
 apps/ca.c                                        | 10 ++--
 apps/cmp.c                                       |  6 +--
 apps/cms.c                                       | 16 +++---
 apps/crl.c                                       |  6 +--
 apps/dgst.c                                      |  2 +-
 apps/dsa.c                                       |  2 +-
 apps/dsaparam.c                                  |  4 +-
 apps/ec.c                                        |  2 +-
 apps/ecparam.c                                   |  2 +-
 apps/gendsa.c                                    |  2 +-
 apps/include/apps.h                              | 15 +++---
 apps/lib/apps.c                                  | 61 +++++++++++++++------
 apps/lib/s_cb.c                                  |  3 +-
 apps/ocsp.c                                      | 12 ++---
 apps/pkcs8.c                                     |  9 ++--
 apps/pkey.c                                      |  2 +-
 apps/pkeyutl.c                                   |  5 +-
 apps/req.c                                       |  6 +--
 apps/rsa.c                                       |  4 +-
 apps/rsautl.c                                    |  4 +-
 apps/s_client.c                                  | 11 ++--
 apps/s_server.c                                  | 22 ++++----
 apps/smime.c                                     |  9 ++--
 apps/spkac.c                                     |  2 +-
 apps/storeutl.c                                  |  2 +-
 apps/verify.c                                    |  2 +-
 apps/x509.c                                      |  8 +--
 crypto/pem/pem_pkey.c                            |  2 +-
 crypto/store/store_lib.c                         | 68 ++++++++++++++----------
 crypto/x509/by_store.c                           |  3 +-
 doc/man1/openssl-ca.pod.in                       | 19 +++----
 doc/man1/openssl-cmp.pod.in                      |  3 +-
 doc/man1/openssl-cms.pod.in                      |  6 +--
 doc/man1/openssl-crl.pod.in                      | 13 ++---
 doc/man1/openssl-dgst.pod.in                     |  6 +--
 doc/man1/openssl-dsa.pod.in                      |  9 +++-
 doc/man1/openssl-dsaparam.pod.in                 |  9 +++-
 doc/man1/openssl-ec.pod.in                       |  5 +-
 doc/man1/openssl-ecparam.pod.in                  |  9 +++-
 doc/man1/openssl-format-options.pod              | 10 ++--
 doc/man1/openssl-pkey.pod.in                     |  3 +-
 doc/man1/openssl-pkeyutl.pod.in                  |  9 +---
 doc/man1/openssl-req.pod.in                      |  9 ++--
 doc/man1/openssl-rsa.pod.in                      |  3 +-
 doc/man1/openssl-rsautl.pod.in                   |  6 +--
 doc/man1/openssl-s_client.pod.in                 | 12 ++---
 doc/man1/openssl-s_server.pod.in                 | 24 +++------
 doc/man1/openssl-smime.pod.in                    |  6 +--
 doc/man1/openssl-spkac.pod.in                    |  6 +--
 doc/man1/openssl-x509.pod.in                     | 17 ++----
 doc/man3/OSSL_STORE_attach.pod                   |  1 +
 doc/man3/OSSL_STORE_open.pod                     |  5 +-
 doc/man7/provider-storemgmt.pod                  | 10 ++++
 gost-engine                                      |  2 +-
 include/openssl/core_names.h                     |  2 +
 include/openssl/store.h                          |  2 +
 providers/fips-sources.checksums                 |  2 +-
 providers/fips.checksum                          |  2 +-
 providers/implementations/storemgmt/file_store.c | 33 +++++++-----
 test/ossl_store_test.c                           |  6 +--
 test/recipes/20-test_pkeyutl.t                   | 12 ++++-
 test/recipes/25-test_crl.t                       |  8 +--
 test/recipes/25-test_req.t                       | 12 ++++-
 test/recipes/25-test_x509.t                      | 16 +++++-
 65 files changed, 342 insertions(+), 264 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 5c696ff65a..9d557c5c53 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -51,6 +51,13 @@ OpenSSL 3.0
 
    *Shane Lontis*
 
+ * The openssl commands that read keys, certificates, and CRLs now
+   automatically detect the PEM or DER format of the input files so it is not
+   necessary to explicitly specify the input format anymore. However if the
+   input format option is used the specified format will be required.
+
+   *David von Oheimb, Richard Levitte, and Tomáš Mráz*
+
  * Added enhanced PKCS#12 APIs which accept a library context `OSSL_LIB_CTX`
    and (where relevant) a property query. Other APIs which handle PKCS#7 and
    PKCS#8 objects have also been enhanced where required. This includes:
diff --git a/apps/ca.c b/apps/ca.c
index 9dd46e4f5c..923ede4cde 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -274,7 +274,7 @@ int ca_main(int argc, char **argv)
     char def_dgst[80] = "";
     char *dgst = NULL, *policy = NULL, *keyfile = NULL;
     char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
-    int certformat = FORMAT_PEM, informat = FORMAT_PEM;
+    int certformat = FORMAT_UNDEF, informat = FORMAT_UNDEF;
     const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
     const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
     char *passin = NULL;
@@ -289,7 +289,7 @@ int ca_main(int argc, char **argv)
     size_t outdirlen = 0;
     int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
     int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
-    int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
+    int keyformat = FORMAT_UNDEF, multirdn = 1, notext = 0, output_der = 0;
     int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
     int rand_ser = 0, i, j, selfsign = 0, def_ret;
     char *crl_lastupdate = NULL, *crl_nextupdate = NULL;
@@ -594,7 +594,7 @@ end_of_options:
             && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
             goto end;
 
-        x509 = load_cert_pass(certfile, 1, passin, "CA certificate");
+        x509 = load_cert_pass(certfile, certformat, 1, passin, "CA certificate");
         if (x509 == NULL)
             goto end;
 
@@ -1287,7 +1287,7 @@ end_of_options:
         } else {
             X509 *revcert;
 
-            revcert = load_cert_pass(infile, 1, passin,
+            revcert = load_cert_pass(infile, informat, 1, passin,
                                      "certificate to be revoked");
             if (revcert == NULL)
                 goto end;
@@ -1417,7 +1417,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    if ((template_cert = load_cert_pass(infile, 1, passin,
+    if ((template_cert = load_cert_pass(infile, certformat, 1, passin,
                                         "template certificate")) == NULL)
         goto end;
     if (verbose)
diff --git a/apps/cmp.c b/apps/cmp.c
index fdd0043311..f64cb8c813 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -131,8 +131,8 @@ static int opt_revreason = CRL_REASON_NONE;
 /* credentials format */
 static char *opt_certform_s = "PEM";
 static int opt_certform = FORMAT_PEM;
-static char *opt_keyform_s = "PEM";
-static int opt_keyform = FORMAT_PEM;
+static char *opt_keyform_s = NULL;
+static int opt_keyform = FORMAT_UNDEF;
 static char *opt_otherpass = NULL;
 static char *opt_engine = NULL;
 
@@ -635,7 +635,7 @@ static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc)
     X509 *cert;
     char *pass_string = get_passwd(pass, desc);
 
-    cert = load_cert_pass(uri, 0, pass_string, desc);
+    cert = load_cert_pass(uri, FORMAT_UNDEF, 0, pass_string, desc);
     clear_free(pass_string);
     return cert;
 }
diff --git a/apps/cms.c b/apps/cms.c
index e512f1d3e8..f40049edac 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -292,7 +292,7 @@ int cms_main(int argc, char **argv)
     int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
     int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
     int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1;
-    int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
+    int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_UNDEF;
     size_t secret_keylen = 0, secret_keyidlen = 0;
     unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
     unsigned char *secret_key = NULL, *secret_keyid = NULL;
@@ -611,7 +611,8 @@ int cms_main(int argc, char **argv)
             if (operation == SMIME_ENCRYPT) {
                 if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
                     goto end;
-                cert = load_cert(opt_arg(), "recipient certificate file");
+                cert = load_cert(opt_arg(), FORMAT_UNDEF,
+                                 "recipient certificate file");
                 if (cert == NULL)
                     goto end;
                 sk_X509_push(encerts, cert);
@@ -810,7 +811,8 @@ int cms_main(int argc, char **argv)
             if ((encerts = sk_X509_new_null()) == NULL)
                 goto end;
         while (*argv) {
-            if ((cert = load_cert(*argv, "recipient certificate file")) == NULL)
+            if ((cert = load_cert(*argv, FORMAT_UNDEF,
+                                  "recipient certificate file")) == NULL)
                 goto end;
             sk_X509_push(encerts, cert);
             cert = NULL;
@@ -826,7 +828,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
-        if ((recip = load_cert(recipfile,
+        if ((recip = load_cert(recipfile, FORMAT_UNDEF,
                                "recipient certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -834,7 +836,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (originatorfile != NULL) {
-        if ((originator = load_cert(originatorfile,
+        if ((originator = load_cert(originatorfile, FORMAT_UNDEF,
                                     "originator certificate file")) == NULL) {
              ERR_print_errors(bio_err);
              goto end;
@@ -842,7 +844,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (operation == SMIME_SIGN_RECEIPT) {
-        if ((signer = load_cert(signerfile,
+        if ((signer = load_cert(signerfile, FORMAT_UNDEF,
                                 "receipt signer certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -1048,7 +1050,7 @@ int cms_main(int argc, char **argv)
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
 
-            signer = load_cert(signerfile, "signer certificate");
+            signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate");
             if (signer == NULL) {
                 ret = 2;
                 goto end;
diff --git a/apps/crl.c b/apps/crl.c
index 8f1babde6f..8904cc08c7 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -88,7 +88,7 @@ int crl_main(int argc, char **argv)
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog;
     OPTION_CHOICE o;
     int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF;
     int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
     int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0, noCAstore = 0;
     int i;
@@ -211,7 +211,7 @@ int crl_main(int argc, char **argv)
         if (!opt_md(digestname, &digest))
             goto opthelp;
     }
-    x = load_crl(infile, 1, "CRL");
+    x = load_crl(infile, informat, 1, "CRL");
     if (x == NULL)
         goto end;
 
@@ -256,7 +256,7 @@ int crl_main(int argc, char **argv)
             BIO_puts(bio_err, "Missing CRL signing key\n");
             goto end;
         }
-        newcrl = load_crl(crldiff, 0, "other CRL");
+        newcrl = load_crl(crldiff, informat, 0, "other CRL");
         if (!newcrl)
             goto end;
         pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
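Review bot: The second CRL, `load_crl(crldiff, informat, 0, "other CRL")`, now inherits the `-inform` value given for the main input, so an explicit format for the first file becomes a hard requirement on the second one as well. If that coupling is intended, state it above the call, e.g. `/* -inform applies to both the input CRL and the CRL it is diffed against */`. Otherwise pass `FORMAT_UNDEF` here so that the second file is still auto-detected. crl_main's body starts and ends outside the hunk.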
diff --git a/apps/dgst.c b/apps/dgst.c
index fcc7fc8679..15f9e2e685 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -105,7 +105,7 @@ int dgst_main(int argc, char **argv)
     const char *sigfile = NULL;
     const char *md_name = NULL;
     OPTION_CHOICE o;
-    int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0;
+    int separator = 0, debug = 0, keyform = FORMAT_UNDEF, siglen = 0;
     int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
     int xoflen = 0;
     unsigned char *buf = NULL, *sigbuf = NULL;
diff --git a/apps/dsa.c b/apps/dsa.c
index c00673a8ac..abb422132a 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -83,7 +83,7 @@ int dsa_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     OPTION_CHOICE o;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0;
     int modulus = 0, pubin = 0, pubout = 0, ret = 1;
     int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
     int private = 0;
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index c78d28ecb1..d7fb736b98 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -69,7 +69,7 @@ int dsaparam_main(int argc, char **argv)
     EVP_PKEY *params = NULL, *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
     int numbits = -1, num = 0, genkey = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, noout = 0;
     int ret = 1, i, text = 0, private = 0;
     char *infile = NULL, *outfile = NULL, *prog;
     OPTION_CHOICE o;
@@ -181,7 +181,7 @@ int dsaparam_main(int argc, char **argv)
             goto end;
         }
     } else {
-        params = load_keyparams(infile, 1, "DSA", "DSA parameters");
+        params = load_keyparams(infile, informat, 1, "DSA", "DSA parameters");
     }
     if (params == NULL) {
         /* Error message should already have been displayed */
diff --git a/apps/ec.c b/apps/ec.c
index 379c6b6132..e3ce437076 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -73,7 +73,7 @@ int ec_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     OPTION_CHOICE o;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0;
     int pubin = 0, pubout = 0, param_out = 0, ret = 1, private = 0;
     int check = 0;
     char *asn1_encoding = NULL;
diff --git a/apps/ecparam.c b/apps/ecparam.c
index e9e36d1d8b..a801ad69bf 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -240,7 +240,7 @@ int ecparam_main(int argc, char **argv)
             goto end;
         }
     } else {
-        params_key = load_keyparams(infile, 1, "EC", "EC parameters");
+        params_key = load_keyparams(infile, informat, 1, "EC", "EC parameters");
         if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC"))
             goto end;
         if (point_format
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 6d1c91d230..f4bd0fe09e 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -121,7 +121,7 @@ int gendsa_main(int argc, char **argv)
         goto end;
     }
 
-    pkey = load_keyparams(dsaparams, 1, "DSA", "DSA parameters");
+    pkey = load_keyparams(dsaparams, FORMAT_UNDEF, 1, "DSA", "DSA parameters");
 
     out = bio_open_owner(outfile, FORMAT_PEM, private);
     if (out == NULL)
diff --git a/apps/include/apps.h b/apps/include/apps.h
index a8556b8132..207ed41bc7 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -108,18 +108,19 @@ char *get_passwd(const char *pass, const char *desc);
 int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
 int add_oid_section(CONF *conf);
 X509_REQ *load_csr(const char *file, int format, const char *desc);
-X509 *load_cert_pass(const char *uri, int maybe_stdin,
+X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
                      const char *pass, const char *desc);
-#define load_cert(uri, desc) load_cert_pass(uri, 1, NULL, desc)
-X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc);
+#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
+X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
+                   const char *desc);
 void cleanse(char *str);
 void clear_free(char *str);
 EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
                    const char *pass, ENGINE *e, const char *desc);
 EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
                       const char *pass, ENGINE *e, const char *desc);
-EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype,
-                         const char *desc);
+EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
+                         const char *keytype, const char *desc);
 char *next_item(char *opt); /* in list separated by comma and/or space */
 int load_cert_certs(const char *uri,
                     X509 **pcert, STACK_OF(X509) **pcerts,
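Review bot: The new `format` parameter sits directly in front of `maybe_stdin` in `load_cert_pass`, `load_crl` and `load_keyparams` (and in `load_key_certs_crls` / `load_key_cert_crl` in the next hunk), and both are plain `int`. A call with the two swapped therefore compiles cleanly and silently changes which encoding is enforced. The header does not say which values are accepted. A comment above the group would state the contract once, e.g. `/* format: FORMAT_PEM or FORMAT_ASN1 requires that encoding; FORMAT_UNDEF lets the store auto-detect */`.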
@@ -133,13 +134,13 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
                const char *pass, const char *desc);
 int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
               const char *pass, const char *desc);
-int load_key_certs_crls(const char *uri, int maybe_stdin,
+int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
                         const char *pass, const char *desc,
                         EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
                         EVP_PKEY **pparams,
                         X509 **pcert, STACK_OF(X509) **pcerts,
                         X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
-int load_key_cert_crl(const char *uri, int maybe_stdin,
+int load_key_cert_crl(const char *uri, int format, int maybe_stdin,
                       const char *pass, const char *desc,
                       EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
                       X509 **pcert, X509_CRL **pcrl);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index bfd938b555..f0a9ffc93a 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -38,6 +38,7 @@
 #include <openssl/bn.h>
 #include <openssl/ssl.h>
 #include <openssl/store.h>
+#include <openssl/core_names.h>
 #include "s_apps.h"
 #include "apps.h"
 
@@ -478,7 +479,7 @@ CONF *app_load_config_modules(const char *configfile)
 #define IS_HTTPS(uri) ((uri) != NULL \
         && strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0)
 
-X509 *load_cert_pass(const char *uri, int maybe_stdin,
+X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
                      const char *pass, const char *desc)
 {
     X509 *cert = NULL;
@@ -490,7 +491,7 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
     else if (IS_HTTP(uri))
         cert = X509_load_http(uri, NULL, NULL, 0 /* timeout */);
     else
-        (void)load_key_certs_crls(uri, maybe_stdin, pass, desc,
+        (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc,
                                   NULL, NULL, NULL, &cert, NULL, NULL, NULL);
     if (cert == NULL) {
         BIO_printf(bio_err, "Unable to load %s\n", desc);
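Review bot: `format` reaches only the final `else` branch. The `IS_HTTP(uri)` branch still calls `X509_load_http(uri, NULL, NULL, 0 /* timeout */)` and never consults it, so an explicit `-inform` is not enforced on a certificate fetched over HTTP. The `load_crl` hunk below has the same shape with `X509_CRL_load_http`. Callers may treat `-inform` as an input restriction, so document the gap at the top of both functions, e.g. `/* format is enforced only for objects loaded through OSSL_STORE; HTTP downloads ignore it */`. load_cert_pass starts and ends outside the hunk.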
@@ -499,7 +500,8 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
     return cert;
 }
 
-X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc)
+X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
+                   const char *desc)
 {
     X509_CRL *crl = NULL;
 
@@ -510,7 +512,7 @@ X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc)
     else if (IS_HTTP(uri))
         crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */);
     else
-        (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc,
+        (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc,
                                   NULL, NULL,  NULL, NULL, NULL, &crl, NULL);
     if (crl == NULL) {
         BIO_printf(bio_err, "Unable to load %s\n", desc);
@@ -524,6 +526,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc)
     X509_REQ *req = NULL;
     BIO *in;
 
+    if (format == FORMAT_UNDEF)
+        format = FORMAT_PEM;
     if (desc == NULL)
         desc = "CSR";
     in = bio_open_default(file, 'r', format);
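Review bot: `load_csr()` maps `FORMAT_UNDEF` straight to `FORMAT_PEM`, so an unspecified format on this path means "PEM only" rather than the auto-detection the other loaders get. The `apps/pkcs8.c` hunks do the same in three places (`informat == FORMAT_UNDEF ? FORMAT_PEM : informat` and the two `informat == FORMAT_PEM || informat == FORMAT_UNDEF` tests). A one-line comment at each site would keep a later reader from assuming detection happens here, e.g. `/* no auto-detection on this path: an unspecified format is read as PEM */`. load_csr's body continues outside the hunk.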
@@ -570,7 +574,7 @@ EVP_PKEY *load_key(const char *uri, int format, int may_stdin,
     if (format == FORMAT_ENGINE) {
         uri = allocated_uri = make_engine_uri(e, uri, desc);
     }
-    (void)load_key_certs_crls(uri, may_stdin, pass, desc,
+    (void)load_key_certs_crls(uri, format, may_stdin, pass, desc,
                               &pkey, NULL, NULL, NULL, NULL, NULL, NULL);
 
     OPENSSL_free(allocated_uri);
@@ -589,22 +593,22 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
     if (format == FORMAT_ENGINE) {
         uri = allocated_uri = make_engine_uri(e, uri, desc);
     }
-    (void)load_key_certs_crls(uri, maybe_stdin, pass, desc,
+    (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc,
                               NULL, &pkey, NULL, NULL, NULL, NULL, NULL);
 
     OPENSSL_free(allocated_uri);
     return pkey;
 }
 
-EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype,
-                         const char *desc)
+EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
+                         const char *keytype, const char *desc)
 {
     EVP_PKEY *params = NULL;
 
     if (desc == NULL)
         desc = "key parameters";
 
-    (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc,
+    (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc,
                               NULL, NULL, &params, NULL, NULL, NULL, NULL);
     if (params != NULL && keytype != NULL && !EVP_PKEY_is_a(params, keytype)) {
         BIO_printf(bio_err,
@@ -698,7 +702,8 @@ int load_cert_certs(const char *uri,
         return ret;
     }
     pass_string = get_passwd(pass, desc);
-    ret = load_key_certs_crls(uri, 0, pass_string, desc, NULL, NULL, NULL,
+    ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass_string, desc,
+                              NULL, NULL, NULL,
                               pcert, pcerts, NULL, NULL);
     clear_free(pass_string);
 
@@ -800,7 +805,8 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
                const char *pass, const char *desc)
 {
     int was_NULL = *certs == NULL;
-    int ret = load_key_certs_crls(uri, maybe_stdin, pass, desc, NULL, NULL,
+    int ret = load_key_certs_crls(uri, FORMAT_UNDEF, maybe_stdin,
+                                  pass, desc, NULL, NULL,
                                   NULL, NULL, certs, NULL, NULL);
 
     if (!ret && was_NULL) {
@@ -818,7 +824,8 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
               const char *pass, const char *desc)
 {
     int was_NULL = *crls == NULL;
-    int ret = load_key_certs_crls(uri, 0, pass, desc, NULL, NULL, NULL,
+    int ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass, desc,
+                                  NULL, NULL, NULL,
                                   NULL, NULL, NULL, crls);
 
     if (!ret && was_NULL) {
@@ -828,6 +835,17 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
     return ret;
 }
 
+static const char *format2string(int format)
+{
+    switch(format) {
+    case FORMAT_PEM:
+        return "PEM";
+    case FORMAT_ASN1:
+        return "DER";
+    }
+    return NULL;
+}
+
 /* Set type expectation, but clear it if objects of different types expected. */
 #define SET_EXPECT(val) expect = expect < 0 ? val : (expect == val ? val : 0);
 /*
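Review bot: `format2string()` returns NULL for every value other than `FORMAT_PEM` and `FORMAT_ASN1`, and its caller in `load_key_certs_crls` (later hunk) treats NULL as "pass no input-type parameter". Any other explicitly requested format therefore falls back to unconstrained loading without a diagnostic. A comment above the function would make that deliberate: `/* Only PEM and DER can be enforced; NULL leaves the input type unconstrained. */`. On style, the rest of the page puts a space after keywords (`if (`, `while (`), so this should read `switch (format) {`. A `default:` label returning NULL inside the switch would also read more clearly than the trailing `return NULL;`.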
@@ -843,7 +861,7 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
  * In any case (also on error) the caller is responsible for freeing all members
  * of *pcerts and *pcrls (as far as they are not NULL).
  */
-int load_key_certs_crls(const char *uri, int maybe_stdin,
+int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
                         const char *pass, const char *desc,
                         EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
                         EVP_PKEY **pparams,
@@ -863,6 +881,9 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         pcrls != NULL ? "CRLs" : NULL;
     int cnt_expectations = 0;
     int expect = -1;
+    const char *input_type;
+    OSSL_PARAM itp[2];
+    const OSSL_PARAM *params = NULL;
     /* TODO make use of the engine reference 'eng' when loading pkeys */
 
     if (ppkey != NULL) {
@@ -915,6 +936,13 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
     uidata.password = pass;
     uidata.prompt_info = uri;
 
+    if ((input_type = format2string(format)) != NULL) {
+       itp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE,
+                                                 (char *)input_type, 0);
+       itp[1] = OSSL_PARAM_construct_end();
+       params = itp;
+    }
+
     if (uri == NULL) {
         BIO *bio;
 
@@ -927,12 +955,13 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         bio = BIO_new_fp(stdin, 0);
         if (bio != NULL) {
             ctx = OSSL_STORE_attach(bio, "file", libctx, propq,
-                                    get_ui_method(), &uidata, NULL, NULL);
+                                    get_ui_method(), &uidata, params,
+                                    NULL, NULL);
             BIO_free(bio);
         }
     } else {
         ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata,
-                                 NULL, NULL);
+                                 params, NULL, NULL);
     }
     if (ctx == NULL) {
         BIO_printf(bio_err, "Could not open file or uri for loading");
@@ -2322,7 +2351,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
         DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
         urlptr = get_dp_url(dp);
         if (urlptr != NULL)
-            return load_crl(urlptr, 0, "CRL via CDP");
+            return load_crl(urlptr, FORMAT_UNDEF, 0, "CRL via CDP");
     }
     return NULL;
 }
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 6824567c70..0bb4b6c436 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -1019,7 +1019,8 @@ int load_excert(SSL_EXCERT **pexc)
             BIO_printf(bio_err, "Missing filename\n");
             return 0;
         }
-        exc->cert = load_cert(exc->certfile, "Server Certificate");
+        exc->cert = load_cert(exc->certfile, exc->certform,
+                              "Server Certificate");
         if (exc->cert == NULL)
             return 0;
         if (exc->keyfile != NULL) {
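Review bot: `load_cert(exc->certfile, exc->certform, ...)` turns whatever `exc->certform` holds into a hard requirement. The diffstat shows this hunk is the only change to `apps/lib/s_cb.c`, so the field's initial value was not moved to `FORMAT_UNDEF` with the other defaults in this commit. If it is still initialised to `FORMAT_PEM` where the `SSL_EXCERT` entry is created (not visible here, please confirm), a DER-encoded certificate file that previously loaded through auto-detection will now be rejected unless the format is given explicitly. Either initialise `certform` (and `keyform`) to `FORMAT_UNDEF` at creation or record the behaviour change. load_excert starts and ends outside the hunk.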
diff --git a/apps/ocsp.c b/apps/ocsp.c
index d59cd1eb59..355b4127c8 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -402,7 +402,7 @@ int ocsp_main(int argc, char **argv)
             path = opt_arg();
             break;
         case OPT_ISSUER:
-            issuer = load_cert(opt_arg(), "issuer certificate");
+            issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate");
             if (issuer == NULL)
                 goto end;
             if (issuers == NULL) {
@@ -414,7 +414,7 @@ int ocsp_main(int argc, char **argv)
             break;
         case OPT_CERT:
             X509_free(cert);
-            cert = load_cert(opt_arg(), "certificate");
+            cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate");
             if (cert == NULL)
                 goto end;
             if (cert_id_md == NULL)
@@ -565,7 +565,7 @@ int ocsp_main(int argc, char **argv)
     if (rsignfile != NULL) {
         if (rkeyfile == NULL)
             rkeyfile = rsignfile;
-        rsigner = load_cert(rsignfile, "responder certificate");
+        rsigner = load_cert(rsignfile, FORMAT_UNDEF, "responder certificate");
         if (rsigner == NULL) {
             BIO_printf(bio_err, "Error loading responder certificate\n");
             goto end;
@@ -581,7 +581,7 @@ int ocsp_main(int argc, char **argv)
             BIO_printf(bio_err, "Error getting password\n");
             goto end;
         }
-        rkey = load_key(rkeyfile, FORMAT_PEM, 0, passin, NULL,
+        rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL,
                         "responder private key");
         if (rkey == NULL)
             goto end;
@@ -661,7 +661,7 @@ redo_accept:
     if (signfile != NULL) {
         if (keyfile == NULL)
             keyfile = signfile;
-        signer = load_cert(signfile, "signer certificate");
+        signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate");
         if (signer == NULL) {
             BIO_printf(bio_err, "Error loading signer certificate\n");
             goto end;
@@ -671,7 +671,7 @@ redo_accept:
                             "signer certificates"))
                 goto end;
         }
-        key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
+        key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL,
                        "signer private key");
         if (key == NULL)
             goto end;
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index d7cb2d6672..6b09b909eb 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -83,7 +83,7 @@ int pkcs8_main(int argc, char **argv)
     char *passin = NULL, *passout = NULL, *p8pass = NULL;
     OPTION_CHOICE o;
     int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
     int private = 0, traditional = 0;
 #ifndef OPENSSL_NO_SCRYPT
     long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
@@ -214,7 +214,8 @@ int pkcs8_main(int argc, char **argv)
     if ((pbe_nid == -1) && cipher == NULL)
         cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
 
-    in = bio_open_default(infile, 'r', informat);
+    in = bio_open_default(infile, 'r',
+                          informat == FORMAT_UNDEF ? FORMAT_PEM : informat);
     if (in == NULL)
         goto end;
     out = bio_open_owner(outfile, outformat, private);
@@ -298,7 +299,7 @@ int pkcs8_main(int argc, char **argv)
     }
 
     if (nocrypt) {
-        if (informat == FORMAT_PEM) {
+        if (informat == FORMAT_PEM || informat == FORMAT_UNDEF) {
             p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL);
         } else if (informat == FORMAT_ASN1) {
             p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
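Review bot: The fallback from `FORMAT_UNDEF` to PEM is written out three times with no comment explaining it: in this `nocrypt` branch, in the encrypted branch of the next hunk, and in the `bio_open_default()` call of the previous hunk. Nothing says why an unspecified `-inform` means PEM here rather than auto-detection. A comment above `if (nocrypt)`, for example `/* PKCS#8 structures are read directly here, so an unspecified -inform means PEM */`, would keep a later edit from changing only one of the three places. pkcs8_main continues outside these hunks, so other uses of `informat` cannot be checked from here.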
@@ -307,7 +308,7 @@ int pkcs8_main(int argc, char **argv)
             goto end;
         }
     } else {
-        if (informat == FORMAT_PEM) {
+        if (informat == FORMAT_PEM || informat == FORMAT_UNDEF) {
             p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
         } else if (informat == FORMAT_ASN1) {
             p8 = d2i_PKCS8_bio(in, NULL);
diff --git a/apps/pkey.c b/apps/pkey.c
index d7e32b6e58..ddc3414d0c 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -75,7 +75,7 @@ int pkey_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL;
     char *passinarg = NULL, *passoutarg = NULL, *ciphername = NULL, *prog;
     OPTION_CHOICE o;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM;
     int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1;
     int private = 0, traditional = 0, check = 0, pub_check = 0;
 #ifndef OPENSSL_NO_EC
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 3a26ec5ca7..0424e556c1 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -111,7 +111,8 @@ int pkeyutl_main(int argc, char **argv)
     char hexdump = 0, asn1parse = 0, rev = 0, *prog;
     unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
     OPTION_CHOICE o;
-    int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform = FORMAT_PEM;
+    int buf_inlen = 0, siglen = -1;
+    int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
     int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
     int engine_impl = 0;
     int ret = 1, rv = -1;
@@ -555,7 +556,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
         break;
 
     case KEY_CERT:
-        x = load_cert(keyfile, "Certificate");
+        x = load_cert(keyfile, keyform, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);
diff --git a/apps/req.c b/apps/req.c
index 6817a8bd54..d41b992e6d 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -256,7 +256,7 @@ int req_main(int argc, char **argv)
     int days = UNSET_DAYS;
     int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0;
     int pkey_type = -1;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF;
     int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0;
     int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
     long newkey_len = -1;
@@ -762,7 +762,7 @@ int req_main(int argc, char **argv)
             BIO_printf(bio_err,
                        "Ignoring -CAkey option since no -CA option is given\n");
         } else {
-            if ((CAkey = load_key(CAkeyfile, FORMAT_PEM,
+            if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
                                   0, passin, e, "issuer private key")) == NULL)
                 goto end;
         }
@@ -777,7 +777,7 @@ int req_main(int argc, char **argv)
                            "Need to give the -CAkey option if using -CA\n");
                 goto end;
             }
-            if ((CAcert = load_cert_pass(CAfile, 1, passin,
+            if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
                                          "issuer certificate")) == NULL)
                 goto end;
             if (!X509_check_private_key(CAcert, CAkey)) {
diff --git a/apps/rsa.c b/apps/rsa.c
index 0ff6cf3266..83fd8350df 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -96,7 +96,7 @@ int rsa_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     int private = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, check = 0;
     int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1;
     int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
     OPTION_CHOICE o;
@@ -204,7 +204,7 @@ int rsa_main(int argc, char **argv)
     }
 
     if (pubin) {
-        int tmpformat = -1;
+        int tmpformat = FORMAT_UNDEF;
 
         if (pubin == 2) {
             if (informat == FORMAT_PEM)
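Review bot: With `informat` now defaulting to `FORMAT_UNDEF` (first hunk of this file), the `pubin == 2` branch no longer takes the `informat == FORMAT_PEM` path unless `-inform PEM` is given, so `tmpformat` stays `FORMAT_UNDEF` in that case. The rest of the branch and the loader call are outside the hunk, so it cannot be confirmed here that the RSA-specific public key encoding is still recognised when the format is unspecified. A test that reads such a key without `-inform` would pin the behaviour. A comment on the initialiser, such as `/* FORMAT_UNDEF: leave detection to the loader */`, would record the intent.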
diff --git a/apps/rsautl.c b/apps/rsautl.c
index a8911ff206..c2bc1af89b 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -81,7 +81,7 @@ int rsautl_main(int argc, char **argv)
     char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
     unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING;
     size_t rsa_inlen, rsa_outlen = 0;
-    int keyformat = FORMAT_PEM, keysize, ret = 1, rv;
+    int keyformat = FORMAT_UNDEF, keysize, ret = 1, rv;
     int hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0;
     OPTION_CHOICE o;
 
@@ -196,7 +196,7 @@ int rsautl_main(int argc, char **argv)
         break;
 
     case KEY_CERT:
-        x = load_cert(keyfile, "Certificate");
+        x = load_cert(keyfile, FORMAT_UNDEF, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);
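Review bot: The `KEY_CERT` case passes `FORMAT_UNDEF` to `load_cert()` although `keyformat` is declared in rsautl_main (first hunk of this file), while the equivalent case in apps/pkeyutl.c passes `keyform`. If `-keyform` is meant to be enforced for certificate input here too, the call would read `x = load_cert(keyfile, keyformat, "Certificate");`. If the difference is deliberate, a one-line comment at the call would say so. The surrounding switch starts and ends outside the hunk.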
diff --git a/apps/s_client.c b/apps/s_client.c
index 3c62739698..1aa7a3b7de 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -815,15 +815,15 @@ int s_client_main(int argc, char **argv)
     struct timeval timeout, *timeoutp;
     fd_set readfds, writefds;
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
-    int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM;
-    int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0;
+    int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_UNDEF;
+    int key_format = FORMAT_UNDEF, crlf = 0, full_log = 1, mbuf_len = 0;
     int prexit = 0;
     int sdebug = 0;
     int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
     int ret = 1, in_init = 1, i, nbio_test = 0, sock = -1, k, width, state = 0;
     int sbuf_len, sbuf_off, cmdletters = 1;
     int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
-    int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
+    int starttls_proto = PROTO_OFF, crl_format = FORMAT_UNDEF, crl_download = 0;
     int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
     int at_eof = 0;
@@ -1620,7 +1620,8 @@ int s_client_main(int argc, char **argv)
     }
 
     if (cert_file != NULL) {
-        cert = load_cert_pass(cert_file, 1, pass, "client certificate");
+        cert = load_cert_pass(cert_file, cert_format, 1, pass,
+                              "client certificate");
         if (cert == NULL)
             goto end;
     }
@@ -1632,7 +1633,7 @@ int s_client_main(int argc, char **argv)
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, 0, "CRL");
+        crl = load_crl(crl_file, crl_format, 0, "CRL");
         if (crl == NULL)
             goto end;
         crls = sk_X509_CRL_new_null();
diff --git a/apps/s_server.c b/apps/s_server.c
index 6adee7ec6d..5d9e8cd568 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -978,11 +978,11 @@ int s_server_main(int argc, char *argv[])
     int no_dhe = 0;
     int nocert = 0, ret = 1;
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
-    int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
-    int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
+    int s_cert_format = FORMAT_UNDEF, s_key_format = FORMAT_UNDEF;
+    int s_dcert_format = FORMAT_UNDEF, s_dkey_format = FORMAT_UNDEF;
     int rev = 0, naccept = -1, sdebug = 0;
     int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
-    int state = 0, crl_format = FORMAT_PEM, crl_download = 0;
+    int state = 0, crl_format = FORMAT_UNDEF, crl_download = 0;
     char *host = NULL;
     char *port = OPENSSL_strdup(PORT);
     unsigned char *context = NULL;
@@ -1688,7 +1688,8 @@ int s_server_main(int argc, char *argv[])
         if (s_key == NULL)
             goto end;
 
-        s_cert = load_cert_pass(s_cert_file, 1, pass, "server certificate");
+        s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass,
+                                "server certificate");
 
         if (s_cert == NULL)
             goto end;
@@ -1704,7 +1705,7 @@ int s_server_main(int argc, char *argv[])
             if (s_key2 == NULL)
                 goto end;
 
-            s_cert2 = load_cert_pass(s_cert_file2, 1, pass,
+            s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass,
                                 "second server certificate");
 
             if (s_cert2 == NULL)
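Review bot: `s_cert_file2` is loaded with `s_cert_format`, so a format requested for the first certificate is now enforced on the second one as well. The declarations hunk shows no separate format variable for the second certificate, so this may be the only choice available. The coupling still deserves a comment at the call, e.g. `/* the second certificate shares the format given for the first */`, and a sentence in the option documentation.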
@@ -1727,7 +1728,7 @@ int s_server_main(int argc, char *argv[])
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, 0, "CRL");
+        crl = load_crl(crl_file, crl_format, 0, "CRL");
         if (crl == NULL)
             goto end;
         crls = sk_X509_CRL_new_null();
@@ -1749,7 +1750,7 @@ int s_server_main(int argc, char *argv[])
         if (s_dkey == NULL)
             goto end;
 
-        s_dcert = load_cert_pass(s_dcert_file, 1, dpass,
+        s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass,
                                  "second server certificate");
 
         if (s_dcert == NULL) {
@@ -1975,9 +1976,9 @@ int s_server_main(int argc, char *argv[])
         EVP_PKEY *dhpkey = NULL;
 
         if (dhfile != NULL)
-            dhpkey = load_keyparams(dhfile, 0, "DH", "DH parameters");
+            dhpkey = load_keyparams(dhfile, FORMAT_UNDEF, 0, "DH", "DH parameters");
         else if (s_cert_file != NULL)
-            dhpkey = load_keyparams(s_cert_file, 0, "DH", "DH parameters");
+            dhpkey = load_keyparams(s_cert_file, FORMAT_UNDEF, 0, "DH", "DH parameters");
 
         if (dhpkey != NULL) {
             BIO_printf(bio_s_out, "Setting temp DH parameters\n");
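Review bot: Both rewritten `load_keyparams()` calls run past 80 columns, while the same call in the next hunk is wrapped. Breaking them the same way keeps the file consistent: `dhpkey = load_keyparams(dhfile, FORMAT_UNDEF, 0, "DH",` followed by an aligned `"DH parameters");`.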
@@ -2009,7 +2010,8 @@ int s_server_main(int argc, char *argv[])
 
         if (ctx2 != NULL) {
             if (dhfile != NULL) {
-                EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, 0, "DH",
+                EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, FORMAT_UNDEF,
+                                                   0, "DH",
                                                    "DH parameters");
 
                 if (dhpkey2 != NULL) {
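Review bot: The rewritten call reads DH parameters from `s_cert_file2` under `if (dhfile != NULL)`, whereas the previous hunk uses `dhfile` when it is set and falls back to the certificate file otherwise. The condition is an unchanged context line, so this is not introduced by the commit, but it looks inverted, or the argument should be `dhfile`. Since the line is being touched anyway, it is worth confirming the intent and adding a comment that states which file the second context takes its parameters from. The enclosing block continues outside the hunk.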
diff --git a/apps/smime.c b/apps/smime.c
index 011dc99c4b..ea71121fb4 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -151,7 +151,7 @@ int smime_main(int argc, char **argv)
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
     int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
     int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
-        FORMAT_PEM;
+        FORMAT_UNDEF;
     int vpmtouched = 0, rv = 0;
     ENGINE *e = NULL;
     const char *mime_eol = "\n";
@@ -449,7 +449,8 @@ int smime_main(int argc, char **argv)
         if (encerts == NULL)
             goto end;
         while (*argv != NULL) {
-            cert = load_cert(*argv, "recipient certificate file");
+            cert = load_cert(*argv, FORMAT_UNDEF,
+                             "recipient certificate file");
             if (cert == NULL)
                 goto end;
             sk_X509_push(encerts, cert);
@@ -466,7 +467,7 @@ int smime_main(int argc, char **argv)
     }
 
     if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
-        if ((recip = load_cert(recipfile,
+        if ((recip = load_cert(recipfile, FORMAT_UNDEF,
                                "recipient certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -573,7 +574,7 @@ int smime_main(int argc, char **argv)
         for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
-            signer = load_cert(signerfile, "signer certificate");
+            signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate");
             if (signer == NULL)
                 goto end;
             key = load_key(keyfile, keyform, 0, passin, e, "signing key");
diff --git a/apps/spkac.c b/apps/spkac.c
index 9c12504b90..adc6f7372c 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -67,7 +67,7 @@ int spkac_main(int argc, char **argv)
     char *spkstr = NULL, *prog;
     const char *spkac = "SPKAC", *spksect = "default";
     int i, ret = 1, verify = 0, noout = 0, pubkey = 0;
-    int keyformat = FORMAT_PEM;
+    int keyformat = FORMAT_UNDEF;
     OPTION_CHOICE o;
 
     prog = opt_init(argc, argv, spkac_options);
diff --git a/apps/storeutl.c b/apps/storeutl.c
index 3e7ab32b7a..1368caae92 100644
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@@ -358,7 +358,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
     int ret = 1, items = 0;
 
     if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, app_get0_propq(), uimeth, uidata,
-                                        NULL, NULL))
+                                        NULL, NULL, NULL))
         == NULL) {
         BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri);
         ERR_print_errors(bio_err);
diff --git a/apps/verify.c b/apps/verify.c
index d66f137258..acf80c65c4 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -253,7 +253,7 @@ static int check(X509_STORE *ctx, const char *file,
     STACK_OF(X509) *chain = NULL;
     int num_untrusted;
 
-    x = load_cert(file, "certificate file");
+    x = load_cert(file, FORMAT_UNDEF, "certificate file");
     if (x == NULL)
         goto end;
 
diff --git a/apps/x509.c b/apps/x509.c
index a9c5d41096..9632d72260 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -266,9 +266,9 @@ int x509_main(int argc, char **argv)
     char *prog;
     int days = UNSET_DAYS; /* not explicitly set */
     int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0;
-    int CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM;
+    int CAformat = FORMAT_UNDEF, CAkeyformat = FORMAT_UNDEF;
     int fingerprint = 0, reqfile = 0, checkend = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF;
     int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0;
     int noout = 0, CA_createserial = 0, email = 0;
     int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0;
@@ -719,7 +719,7 @@ int x509_main(int argc, char **argv)
             }
         }
     } else {
-        x = load_cert_pass(infile, 1, passin, "certificate");
+        x = load_cert_pass(infile, informat, 1, passin, "certificate");
         if (x == NULL)
             goto end;
     }
@@ -734,7 +734,7 @@ int x509_main(int argc, char **argv)
         goto end;
 
     if (CAfile != NULL) {
-        xca = load_cert_pass(CAfile, 1, passin, "CA certificate");
+        xca = load_cert_pass(CAfile, CAformat, 1, passin, "CA certificate");
         if (xca == NULL)
             goto end;
     }
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index e5b740f214..3faca8d0ec 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -55,7 +55,7 @@ static EVP_PKEY *pem_read_bio_key(BIO *bp, EVP_PKEY **x,
         return NULL;
 
     if ((ctx = OSSL_STORE_attach(bp, "file", libctx, propq, ui_method, u,
-                                 NULL, NULL)) == NULL)
+                                 NULL, NULL, NULL)) == NULL)
         goto err;
 #ifndef OPENSSL_NO_SECURE_HEAP
 # ifndef OPENSSL_NO_DEPRECATED_3_0
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index e7f5860604..158b7be79d 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -32,9 +32,37 @@
 
 static int ossl_store_close_it(OSSL_STORE_CTX *ctx);
 
+static int loader_set_params(OSSL_STORE_LOADER *loader,
+                             OSSL_STORE_LOADER_CTX *loader_ctx,
+                             const OSSL_PARAM params[], const char *propq)
+{
+   if (params != NULL) {
+       if (!loader->p_set_ctx_params(loader_ctx, params))
+           return 0;
+   }
+
+   if (propq != NULL) {
+       OSSL_PARAM propp[2];
+
+       if (OSSL_PARAM_locate_const(params,
+                                   OSSL_STORE_PARAM_PROPERTIES) != NULL)
+           /* use the propq from params */
+           return 1;
+
+       propp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_PROPERTIES,
+                                                   (char *)propq, 0);
+       propp[1] = OSSL_PARAM_construct_end();
+
+       if (!loader->p_set_ctx_params(loader_ctx, propp))
+           return 0;
+    }
+    return 1;
+}
+
 OSSL_STORE_CTX *
 OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
                    const UI_METHOD *ui_method, void *ui_data,
+                   const OSSL_PARAM params[],
                    OSSL_STORE_post_process_info_fn post_process,
                    void *post_process_data)
 {
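Review bot: `loader_set_params()` calls `loader->p_set_ctx_params` without checking that the loader provides it, and the call is now reached whenever `params` is non-NULL, not only when `propq` is set. Loader registration is not visible here; if that function may be left unset, the helper should fail cleanly instead of calling through a NULL pointer, e.g. `if (loader->p_set_ctx_params == NULL) return params == NULL && propq == NULL;` as its first statement. Returning 0 there also means a caller's requested input-type restriction is never silently dropped. The helper's body is indented by three spaces where the rest of the file uses four. A short header comment should state that a properties entry in `params` takes precedence over `propq`.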
@@ -103,18 +131,11 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
             if (loader_ctx == NULL) {
                 OSSL_STORE_LOADER_free(fetched_loader);
                 fetched_loader = NULL;
-            } else if (propq != NULL) {
-                OSSL_PARAM params[2];
-
-                params[0] = OSSL_PARAM_construct_utf8_string(
-                                OSSL_STORE_PARAM_PROPERTIES, (char *)propq, 0);
-                params[1] = OSSL_PARAM_construct_end();
-
-                if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) {
-                    (void)fetched_loader->p_close(loader_ctx);
-                    OSSL_STORE_LOADER_free(fetched_loader);
-                    fetched_loader = NULL;
-                }
+            } else if(!loader_set_params(fetched_loader, loader_ctx,
+                                         params, propq)) {
+                (void)fetched_loader->p_close(loader_ctx);
+                OSSL_STORE_LOADER_free(fetched_loader);
+                fetched_loader = NULL;
             }
             loader = fetched_loader;
         }
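Review bot: `} else if(!loader_set_params(` is missing the space after `if` that the matching call in OSSL_STORE_attach has. It should read `} else if (!loader_set_params(fetched_loader, loader_ctx,`, with the continuation line realigned by one column.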
@@ -187,8 +208,8 @@ OSSL_STORE_CTX *OSSL_STORE_open(const char *uri,
                                 OSSL_STORE_post_process_info_fn post_process,
                                 void *post_process_data)
 {
-    return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, post_process,
-                              post_process_data);
+    return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, NULL,
+                              post_process, post_process_data);
 }
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -927,6 +948,7 @@ const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH *criterion)
 OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme,
                                   OSSL_LIB_CTX *libctx, const char *propq,
                                   const UI_METHOD *ui_method, void *ui_data,
+                                  const OSSL_PARAM params[],
                                   OSSL_STORE_post_process_info_fn post_process,
                                   void *post_process_data)
 {
@@ -957,19 +979,11 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme,
             || (loader_ctx = fetched_loader->p_attach(provctx, cbio)) == NULL) {
             OSSL_STORE_LOADER_free(fetched_loader);
             fetched_loader = NULL;
-        } else if (propq != NULL) {
-            OSSL_PARAM params[] = {
-                OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES,
-                                       NULL, 0),
-                OSSL_PARAM_END
-            };
-
-            params[0].data = (void *)propq;
-            if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) {
-                (void)fetched_loader->p_close(loader_ctx);
-                OSSL_STORE_LOADER_free(fetched_loader);
-                fetched_loader = NULL;
-            }
+        } else if (!loader_set_params(fetched_loader, loader_ctx,
+                                      params, propq)) {
+            (void)fetched_loader->p_close(loader_ctx);
+            OSSL_STORE_LOADER_free(fetched_loader);
+            fetched_loader = NULL;
         }
         loader = fetched_loader;
         ossl_core_bio_free(cbio);
diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c
index caccf38412..b9feb038b8 100644
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@@ -21,7 +21,8 @@ static int cache_objects(X509_LOOKUP *lctx, const char *uri,
     OSSL_STORE_CTX *ctx = NULL;
     X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
 
-    if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL, NULL)) == NULL)
+    if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL,
+                                  NULL, NULL)) == NULL)
         return 0;
 
     /*
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 4e702f98c3..3e2708ae04 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -114,8 +114,9 @@ signed by the CA.
 
 =item B<-inform> B<DER>|B<PEM>
 
-The format of the data in certificate request input files.
-The default is PEM.
+The format of the data in certificate request input files;
+unspecified by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-ss_cert> I<filename>
 
@@ -150,8 +151,8 @@ The CA certificate, which must match with B<-keyfile>.
 
 =item B<-certform> B<DER>|B<PEM>|B<P12>
 
-The format of the data in certificate input files.
-This option has no effect and is retained for backward compatibility only.
+The format of the data in certificate input files; unspecified by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-keyfile> I<filename>|I<uri>
 
@@ -160,8 +161,7 @@ This must match with B<-cert>.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The format of the private key input file; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format of the private key input file; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-sigopt> I<nm>:I<v>
@@ -818,11 +818,8 @@ retained mainly for compatibility reasons.
 
 The B<-section> option was added in OpenSSL 3.0.0.
 
-The B<-certform> and B<-multivalue-rdn> options
-have become obsolete in OpenSSL 3.0.0 and have no effect.
-
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
+The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
+has no effect.
 
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index f27443ca9c..28ea4ee6a5 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -732,8 +732,7 @@ Default value is PEM.
 
 =item B<-keyform> I<PEM|DER|P12|ENGINE>
 
-The format of the key input.
-The only value with effect is B<ENGINE>.
+The format of the key input; unspecified by default.
 See L<openssl(1)/Format Options> for details.
 
 =item B<-otherpass> I<arg>
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index 51aff981a5..0ec906cbc1 100644
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -241,8 +241,7 @@ See L<openssl-format-options(1)> for details.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The format of the private key file; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format of the private key file; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-rctform> B<DER>|B<PEM>|B<SMIME>
@@ -786,9 +785,6 @@ was added in OpenSSL 1.0.2.
 
 The -no_alt_chains option was added in OpenSSL 1.0.2b.
 
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 The B<-nameopt> option was added in OpenSSL 3.0.0.
 
 The B<-engine> option was deprecated in OpenSSL 3.0.
diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in
index ccba7938a2..d00b80c862 100644
--- a/doc/man1/openssl-crl.pod.in
+++ b/doc/man1/openssl-crl.pod.in
@@ -47,8 +47,8 @@ Print out a usage message.
 
 =item B<-inform> B<DER>|B<PEM>
 
-The CRL input format.
-This option has no effect and is retained for backward compatibility only.
+The CRL input format; unspecified by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-outform> B<DER>|B<PEM>
 
@@ -61,8 +61,8 @@ The private key to be used to sign the CRL.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>
 
-The format of the private key file.
-This option has no effect and is retained for backward compatibility only.
+The format of the private key file; unspecified by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-in> I<filename>
 
@@ -156,11 +156,6 @@ L<openssl-ca(1)>,
 L<openssl-x509(1)>,
 L<ossl_store-file(7)>
 
-=head1 HISTORY
-
-The B<-inform> and B<-keyform> options have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 =head1 COPYRIGHT
 
 Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in
index 4b0653912d..f493e83b41 100644
--- a/doc/man1/openssl-dgst.pod.in
+++ b/doc/man1/openssl-dgst.pod.in
@@ -108,8 +108,7 @@ command instead for this.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The format of the key to sign with; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format of the key to sign with; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-sigopt> I<nm>:I<v>
@@ -256,9 +255,6 @@ L<openssl-mac(1)>
 The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
 The FIPS-related options were removed in OpenSSL 1.1.0.
 
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 The B<-engine> and B<-engine_impl> options were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
diff --git a/doc/man1/openssl-dsa.pod.in b/doc/man1/openssl-dsa.pod.in
index 61f4b1f74b..116121caf2 100644
--- a/doc/man1/openssl-dsa.pod.in
+++ b/doc/man1/openssl-dsa.pod.in
@@ -55,9 +55,14 @@ applications should use the more secure PKCS#8 format using the B<pkcs8>
 
 Print out a usage message.
 
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
 
-The input and formats; the default is B<PEM>.
+The key input format; unspecified by default.
+See L<openssl-format-options(1)> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The key output format; the default is B<PEM>.
 See L<openssl-format-options(1)> for details.
 
 Private keys are a sequence of B<ASN.1 INTEGERS>: the version (zero), B<p>,
diff --git a/doc/man1/openssl-dsaparam.pod.in b/doc/man1/openssl-dsaparam.pod.in
index 96c429cf94..6437707429 100644
--- a/doc/man1/openssl-dsaparam.pod.in
+++ b/doc/man1/openssl-dsaparam.pod.in
@@ -36,9 +36,14 @@ DSA parameters is often used to generate several distinct keys.
 
 Print out a usage message.
 
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
 
-This option has become obsolete.
+The DSA parameters input format; unspecified by default.
+See L<openssl-format-options(1)> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The DSA parameters output format; the default is B<PEM>.
 See L<openssl-format-options(1)> for details.
 
 Parameters are a sequence of B<ASN.1 INTEGER>s: B<p>, B<q>, and B<g>.
diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in
index 06c225f11c..b3aabcb41a 100644
--- a/doc/man1/openssl-ec.pod.in
+++ b/doc/man1/openssl-ec.pod.in
@@ -53,13 +53,12 @@ Print out a usage message.
 
 =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key input format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key input format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-outform> B<DER>|B<PEM>
 
-The key output formats; the default is B<PEM>.
+The key output format; the default is B<PEM>.
 See L<openssl-format-options(1)> for details.
 
 Private keys are an SEC1 private key or PKCS#8 format.
diff --git a/doc/man1/openssl-ecparam.pod.in b/doc/man1/openssl-ecparam.pod.in
index ee5c021819..dd8f0f2c24 100644
--- a/doc/man1/openssl-ecparam.pod.in
+++ b/doc/man1/openssl-ecparam.pod.in
@@ -43,9 +43,14 @@ this command can only create EC parameters from known (named) curves.
 
 Print out a usage message.
 
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
 
-The input and formats; the default is B<PEM>.
+The EC parameters input format; unspecified by default.
+See L<openssl-format-options(1)> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The EC parameters output format; the default is B<PEM>.
 See L<openssl-format-options(1)> for details.
 
 Parameters are encoded as B<EcpkParameters> as specified in IETF RFC 3279.
diff --git a/doc/man1/openssl-format-options.pod b/doc/man1/openssl-format-options.pod
index 20b62f9b15..91058831cd 100644
--- a/doc/man1/openssl-format-options.pod
+++ b/doc/man1/openssl-format-options.pod
@@ -15,9 +15,13 @@ I<command>
 
 Several OpenSSL commands can take input or generate output in a variety
 of formats.
+
 Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
-files in any of the B<DER>, B<PEM> or B<P12> formats,
-while specifying their input format is no more needed.
+files in any of the B<DER>, B<PEM> or B<P12> formats. Specifying their input
+format is no more needed and the openssl commands will automatically try all
+the possible formats. However if the B<DER> or B<PEM> input format is specified
+it will be enforced.
+
 In order to access a key via an engine the input format B<ENGINE> may be used;
 alternatively the key identifier in the <uri> argument of the respective key
 option may be preceded by C<org.openssl.engine:>.
@@ -39,8 +43,6 @@ The format of the input or output streams.
 =item B<-keyform> I<format>
 
 Format of a private key input source.
-The only value with effect is B<ENGINE>; all others have become obsolete.
-See L<openssl(1)/Format Options> for details.
 
 =item B<-CRLform> I<format>
 
diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in
index 004be5c132..d297b19638 100644
--- a/doc/man1/openssl-pkey.pod.in
+++ b/doc/man1/openssl-pkey.pod.in
@@ -78,8 +78,7 @@ a pass phrase will be prompted for.
 
 =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key input format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key input format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-passin> I<arg>
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
index 26b9ed1e42..b57640992c 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -91,8 +91,7 @@ The input key, by default it should be a private key.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-passin> I<arg>
@@ -106,8 +105,7 @@ The peer key file, used by key derivation (agreement) operations.
 
 =item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The peer key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The peer key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-pubin>
@@ -410,9 +408,6 @@ L<EVP_PKEY_CTX_set_tls1_prf_md(3)>,
 
 =head1 HISTORY
 
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index a877140cdc..32ae4b2e32 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -74,7 +74,7 @@ Print out a usage message.
 
 =item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
 
-The input and output formats; the default is B<PEM>.
+The input and output formats; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 The data is a PKCS#10 object.
@@ -197,8 +197,7 @@ It also accepts PKCS#8 format private keys for PEM format files.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The format of the private key; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format of the private key; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-keyout> I<filename>
@@ -737,8 +736,8 @@ L<x509v3_config(5)>
 
 The B<-section> option was added in OpenSSL 3.0.0.
 
-All B<-keyform> values except B<ENGINE> and the B<-multivalue-rdn> option
-have become obsolete in OpenSSL 3.0.0 and have no effect.
+The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
+has no effect.
 
 The B<-engine> option was deprecated in OpenSSL 3.0.
 The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in
index 1d98caabb6..503b31a6d6 100644
--- a/doc/man1/openssl-rsa.pod.in
+++ b/doc/man1/openssl-rsa.pod.in
@@ -60,8 +60,7 @@ Print out a usage message.
 
 =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key input format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key input format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-outform> B<DER>|B<PEM>
diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
index 62c39eb69e..a16c0bda15 100644
--- a/doc/man1/openssl-rsautl.pod.in
+++ b/doc/man1/openssl-rsautl.pod.in
@@ -73,8 +73,7 @@ The input key, by default it should be an RSA private key.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-pubin>
@@ -231,9 +230,6 @@ L<openssl-genrsa(1)>
 
 This command was deprecated in OpenSSL 3.0.
 
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index e11df7a9ae..33e8f313b6 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -243,8 +243,8 @@ The chain for the client certificate may be specified using B<-cert_chain>.
 
 =item B<-certform> B<DER>|B<PEM>|B<P12>
 
-The client certificate file format to use; the default is B<PEM>.
-This option has no effect and is retained for backward compatibility only.
+The client certificate file format to use; unspecified by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-cert_chain>
 
@@ -263,7 +263,7 @@ CRL file to use to check the server's certificate.
 
 =item B<-CRLform> B<DER>|B<PEM>
 
-The CRL file format; the default is B<PEM>.
+The CRL file format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-crl_download>
@@ -277,8 +277,7 @@ If not specified then the certificate file will be used to read also the key.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-pass> I<arg>
@@ -912,9 +911,6 @@ The B<-name> option was added in OpenSSL 1.1.1.
 
 The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
 
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index fa4190a869..f07e2ae3b4 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -225,8 +225,8 @@ The certificate file to use for servername; default is C<server2.pem>.
 
 =item B<-certform> B<DER>|B<PEM>|B<P12>
 
-The server certificate file format.
-This option has no effect and is retained for backward compatibility only.
+The server certificate file format; unspecified by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-cert_chain>
 
@@ -258,8 +258,7 @@ The private Key file to use for servername if not given via B<-cert2>.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-pass> I<val>
@@ -288,14 +287,13 @@ The input can be in PEM, DER, or PKCS#12 format.
 
 =item B<-dcertform> B<DER>|B<PEM>|B<P12>
 
-The format of the additional certificate file.
-This option has no effect and is retained for backward compatibility only.
+The format of the additional certificate file; unspecified by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The format of the additional private key; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
-See L<openssl-format-options(1)>.
+The format of the additional private key; unspecified by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-dpass> I<val>
 
@@ -333,7 +331,7 @@ The CRL file to use.
 
 =item B<-CRLform> B<DER>|B<PEM>
 
-The CRL file format; the default is B<PEM>.
+The CRL file format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-crl_download>
@@ -844,12 +842,6 @@ The -no_alt_chains option was added in OpenSSL 1.1.0.
 The
 -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
 
-All B<-keyform> and B<-dkeyform> values except B<ENGINE>
-have become obsolete in OpenSSL 3.0.0 and have no effect.
-
-The B<-certform> and B<-dcertform> options have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in
index 3c5859dc01..2fcf7020fe 100644
--- a/doc/man1/openssl-smime.pod.in
+++ b/doc/man1/openssl-smime.pod.in
@@ -127,8 +127,7 @@ See L<openssl-format-options(1)> for details.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-stream>, B<-indef>, B<-noindef>
@@ -481,9 +480,6 @@ added in OpenSSL 1.0.0
 
 The -no_alt_chains option was added in OpenSSL 1.1.0.
 
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in
index f0ddd5179d..3de862e035 100644
--- a/doc/man1/openssl-spkac.pod.in
+++ b/doc/man1/openssl-spkac.pod.in
@@ -60,8 +60,7 @@ present.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-passin> I<arg>
@@ -150,9 +149,6 @@ L<openssl-ca(1)>
 
 =head1 HISTORY
 
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index 7f42d45cf7..0dcad3fd9b 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -154,7 +154,7 @@ The B<-ext> option can be used to further restrict which extensions to copy.
 
 =item B<-inform> B<DER>|B<PEM>
 
-The CSR input file format; the default is B<PEM>.
+The input file format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-vfyopt> I<nm>:I<v>
@@ -181,8 +181,7 @@ This option is an alias of B<-key>.
 
 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The key input format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key input format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-out> I<filename>
@@ -468,8 +467,8 @@ unless the B<-new> option is given, which generates a certificate from scratch.
 
 =item B<-CAform> B<DER>|B<PEM>|B<P12>,
 
-The format for the CA certificate.
-This option has no effect and is retained for backward compatibility.
+The format for the CA certificate; unspecifed by default.
+See L<openssl-format-options(1)> for details.
 
 =item B<-CAkey> I<filename>|I<uri>
 
@@ -479,8 +478,7 @@ If this option is not provided then the key must be present in the B<-CA> input.
 
 =item B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
 
-The format for the CA key; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format for the CA key; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
 =item B<-CAserial> I<filename>
@@ -879,11 +877,6 @@ form must have their links rebuilt using L<openssl-rehash(1)> or similar.
 The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0,
 keeping the old name as an alias.
 
-All B<-keyform> and B<-CAkeyform> values except B<ENGINE>
-have become obsolete in OpenSSL 3.0.0 and have no effect.
-
-The B<-CAform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
-
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
 The B<-C> option was removed in OpenSSL 3.0.
diff --git a/doc/man3/OSSL_STORE_attach.pod b/doc/man3/OSSL_STORE_attach.pod
index 9ad53af81a..f272961bac 100644
--- a/doc/man3/OSSL_STORE_attach.pod
+++ b/doc/man3/OSSL_STORE_attach.pod
@@ -11,6 +11,7 @@ OSSL_STORE_attach - Functions to read objects from a BIO
  OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme,
                                    OSSL_LIB_CTX *libctx, const char *propq,
                                    const UI_METHOD *ui_method, void *ui_data,
+                                   const OSSL_PARAM params[],
                                    OSSL_STORE_post_process_info_fn post_process,
                                    void *post_process_data);
 
diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod
index 3d6d03a990..39a795b0ef 100644
--- a/doc/man3/OSSL_STORE_open.pod
+++ b/doc/man3/OSSL_STORE_open.pod
@@ -24,6 +24,7 @@ OSSL_STORE_error, OSSL_STORE_close
  OSSL_STORE_CTX *
  OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
                     const UI_METHOD *ui_method, void *ui_data,
+                    const OSSL_PARAM params[],
                     OSSL_STORE_post_process_info_fn post_process,
                     void *post_process_data);
 
@@ -68,6 +69,8 @@ B<OSSL_STORE_CTX> with all necessary internal information.
 The given I<ui_method> and I<ui_data> will be reused by all
 functions that use B<OSSL_STORE_CTX> when interaction is needed,
 for instance to provide a password.
+The auxiliary B<OSSL_PARAM> parameters in I<params> can be set to further
+modify the store operation.
 The given I<post_process> and I<post_process_data> will be reused by
 OSSL_STORE_load() to manipulate or drop the value to be returned.
 The I<post_process> function drops values by returning NULL, which
@@ -76,7 +79,7 @@ the next object, until I<post_process> returns something other than
 NULL, or the end of data is reached as indicated by OSSL_STORE_eof().
 
 OSSL_STORE_open() is similar to OSSL_STORE_open_ex() but uses NULL for
-the library context I<libctx> and property query I<propq>.
+the I<params>, the library context I<libctx> and property query I<propq>.
 
 OSSL_STORE_ctrl() takes a B<OSSL_STORE_CTX>, and command number I<cmd> and
 more arguments not specified here.
diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod
index 32f4e467ac..d34f0377ae 100644
--- a/doc/man7/provider-storemgmt.pod
+++ b/doc/man7/provider-storemgmt.pod
@@ -153,6 +153,16 @@ fingerprint, computed with the given digest.
 Indicates that the caller wants to search for an object with the given
 alias (some call it a "friendly name").
 
+=item "properties" (B<OSSL_STORE_PARAM_PROPERTIES) <utf8 string>
+
+Property string to use when querying for algorithms such as the B<OSSL_DECODER>
+decoder implementations.
+
+=item "input-type" (B<OSSL_STORE_PARAM_INPUT_TYPE) <utf8 string>
+
+Type of the input format as a hint to use when decoding the objects in the
+store.
+
 =back
 
 Several of these search criteria may be combined.  For example, to
diff --git a/gost-engine b/gost-engine
index 28a0a19354..1b684f3f90 160000
--- a/gost-engine
+++ b/gost-engine
@@ -1 +1 @@
-Subproject commit 28a0a193549a9b778a14fade0219b9daa0e7c5db
+Subproject commit 1b684f3f906bc81154ca1d5af7d6bc60199f1f9c
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 708f79d480..02476560f0 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -545,6 +545,8 @@ extern "C" {
 
 /* You may want to pass properties for the provider implementation to use */
 #define OSSL_STORE_PARAM_PROPERTIES "properties"   /* utf8_string */
+/* OSSL_DECODER input type if a decoder is used by the store */
+#define OSSL_STORE_PARAM_INPUT_TYPE "input-type"   /* UTF8_STRING */
 
 # ifdef __cplusplus
 }
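Review bot: The type annotation on the new `OSSL_STORE_PARAM_INPUT_TYPE` define is spelled `/* UTF8_STRING */`, while the `OSSL_STORE_PARAM_PROPERTIES` line directly above it uses `/* utf8_string */`. Matching the neighbouring spelling, `#define OSSL_STORE_PARAM_INPUT_TYPE "input-type"   /* utf8_string */`, keeps the two store parameters consistent for anyone searching the header by type.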
diff --git a/include/openssl/store.h b/include/openssl/store.h
index f0c20e56fe..d5703d5040 100644
--- a/include/openssl/store.h
+++ b/include/openssl/store.h
@@ -59,6 +59,7 @@ OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, void *ui_data,
 OSSL_STORE_CTX *
 OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
                    const UI_METHOD *ui_method, void *ui_data,
+                   const OSSL_PARAM params[],
                    OSSL_STORE_post_process_info_fn post_process,
                    void *post_process_data);
 
@@ -131,6 +132,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx);
 OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme,
                                   OSSL_LIB_CTX *libctx, const char *propq,
                                   const UI_METHOD *ui_method, void *ui_data,
+                                  const OSSL_PARAM params[],
                                   OSSL_STORE_post_process_info_fn post_process,
                                   void *post_process_data);
 
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums
index a7ee231b15..fc8d6362df 100644
--- a/providers/fips-sources.checksums
+++ b/providers/fips-sources.checksums
@@ -452,7 +452,7 @@ a7f16a6480f5051d1197b992e042a73535d0922bdd3c962d2a96af780994e858  providers/impl
 1cb6ec2efb7b2bb131622aa95e245273f5967065eb0018392ed4ced50d0813b7  providers/implementations/signature/mac_legacy.c
 25fe1a61578d54c3e67b60646f3fd3d0a47ff1d4cd620ef1f1fca3341f2662a2  providers/implementations/signature/rsa.c
 c0a862433e5da909cf0c614d3f982765b67821c7a4cc6257ceb8c490b4dcf732  providers/implementations/signature/sm2sig.c
-c63cb744c26af304cf00006071d3ebd9325a4d65913b75a2bcb1d2e104c734fd  providers/implementations/storemgmt/file_store.c
+e2750b310565e74617310566c1ccfbd75559521117fd8936540fff54dd304902  providers/implementations/storemgmt/file_store.c
 291288936fe321e3e85048366f790f6b7983561cd8f80eec4c0e01d7c43614ab  providers/implementations/storemgmt/file_store_der2obj.c
 04ea01e48b8fee822acb376ab8679b4c627b32ab75c137bf23ebb4fe2a1c0703  providers/prov_running.c
 53a1e913fcc4a4e8e84009229cba60b9e29c7dc6536182fd290478331fad44b4  ssl/record/tls_pad.c
diff --git a/providers/fips.checksum b/providers/fips.checksum
index ff7a1c2c78..e28929484f 100644
--- a/providers/fips.checksum
+++ b/providers/fips.checksum
@@ -1 +1 @@
-b998b19b940b606688e4711014407c48c3fca4c58b2fdc60ac64c1cef94861c1  providers/fips-sources.checksums
+de031c8fbe10ee9b6447dd230956217e599cf923ff36a1026b515c2a22158b37  providers/fips-sources.checksums
diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c
index 033efb40ac..b9bb3b36c0 100644
--- a/providers/implementations/storemgmt/file_store.c
+++ b/providers/implementations/storemgmt/file_store.c
@@ -149,15 +149,11 @@ static OSSL_DECODER_CLEANUP file_load_cleanup;
  *
  */
 static struct file_ctx_st *file_open_stream(BIO *source, const char *uri,
-                                            const char *input_type,
                                             void *provctx)
 {
     struct file_ctx_st *ctx;
 
-    if ((ctx = new_file_ctx(IS_FILE, uri, provctx)) == NULL
-        || (input_type != NULL
-            && (ctx->_.file.input_type =
-                OPENSSL_strdup(input_type)) == NULL)) {
+    if ((ctx = new_file_ctx(IS_FILE, uri, provctx)) == NULL) {
         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -285,7 +281,7 @@ static void *file_open(void *provctx, const char *uri)
     if (S_ISDIR(st.st_mode))
         ctx = file_open_dir(path, uri, provctx);
     else if ((bio = BIO_new_file(path, "rb")) == NULL
-             || (ctx = file_open_stream(bio, uri, NULL, provctx)) == NULL)
+             || (ctx = file_open_stream(bio, uri, provctx)) == NULL)
         BIO_free_all(bio);
 
     return ctx;
@@ -299,7 +295,7 @@ void *file_attach(void *provctx, OSSL_CORE_BIO *cin)
     if (new_bio == NULL)
         return NULL;
 
-    ctx = file_open_stream(new_bio, NULL, NULL, provctx);
+    ctx = file_open_stream(new_bio, NULL, provctx);
     if (ctx == NULL)
         BIO_free(new_bio);
     return ctx;
@@ -316,6 +312,7 @@ static const OSSL_PARAM *file_settable_ctx_params(void *provctx)
         OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
         OSSL_PARAM_int(OSSL_STORE_PARAM_EXPECT, NULL),
         OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
+        OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE, NULL, 0),
         OSSL_PARAM_END
     };
     return known_settable_ctx_params;
@@ -329,12 +326,22 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
     if (params == NULL)
         return 1;
 
-    p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
-    if (p != NULL) {
-        OPENSSL_free(ctx->_.file.propq);
-        ctx->_.file.propq = NULL;
-        if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.propq, 0))
-            return 0;
+    if (ctx->type != IS_DIR) {
+        /* these parameters are ignored for directories */
+        p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
+        if (p != NULL) {
+            OPENSSL_free(ctx->_.file.propq);
+            ctx->_.file.propq = NULL;
+            if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.propq, 0))
+                return 0;
+        }
+        p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_INPUT_TYPE);
+        if (p != NULL) {
+            OPENSSL_free(ctx->_.file.input_type);
+            ctx->_.file.input_type = NULL;
+            if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.input_type, 0))
+                return 0;
+        }
     }
     p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_EXPECT);
     if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->expected_type))
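Review bot: In the new `OSSL_STORE_PARAM_INPUT_TYPE` branch the previous `ctx->_.file.input_type` is freed and set to NULL before `OSSL_PARAM_get_utf8_string()` is called, so a failed get leaves the context with no input type at all. If NULL means "unspecified, try every format", as the documentation in this commit suggests, a caller that carried on after the `return 0` would silently lose the format restriction it asked for; whether any caller does so is not visible here. Reading into a local and swapping only on success keeps the old value on failure, and the `OSSL_STORE_PARAM_PROPERTIES` branch has the same shape. The function starts and ends outside this hunk.

```c
        /* … unchanged: OSSL_STORE_PARAM_PROPERTIES handling … */
        p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_INPUT_TYPE);
        if (p != NULL) {
            char *input_type = NULL;

            /* keep the previously set type if the new value cannot be read */
            if (!OSSL_PARAM_get_utf8_string(p, &input_type, 0))
                return 0;
            OPENSSL_free(ctx->_.file.input_type);
            ctx->_.file.input_type = input_type;
        }
```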
diff --git a/test/ossl_store_test.c b/test/ossl_store_test.c
index 7a5df01647..b9135cfcb3 100644
--- a/test/ossl_store_test.c
+++ b/test/ossl_store_test.c
@@ -47,7 +47,7 @@ static int test_store_open(void)
           && TEST_ptr(search = OSSL_STORE_SEARCH_by_alias("nothing"))
           && TEST_ptr(ui_method= UI_create_method("DummyUI"))
           && TEST_ptr(sctx = OSSL_STORE_open_ex(input, NULL, NULL, ui_method,
-                                                NULL, NULL, NULL))
+                                                NULL, NULL, NULL, NULL))
           && TEST_false(OSSL_STORE_find(sctx, NULL))
           && TEST_true(OSSL_STORE_find(sctx, search));
     UI_destroy_method(ui_method);
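Review bot: All three updated calls pass NULL for the new `params` argument, so this file never exercises a non-NULL `OSSL_PARAM` array. The calls are `OSSL_STORE_open_ex` here and in `get_params`, and `OSSL_STORE_attach` in `test_store_attach_unregistered_scheme`. Input-type enforcement is then covered only indirectly, through the command-line recipes. A case that opens a PEM file with `OSSL_STORE_PARAM_INPUT_TYPE` set to `"DER"` and expects the load to fail, plus the matching type succeeding, would test the API directly. The test functions begin and end outside these hunks.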
@@ -75,7 +75,7 @@ static int get_params(const char *uri, const char *type)
     OSSL_STORE_INFO *info;
     int ret = 0;
 
-    ctx = OSSL_STORE_open_ex(uri, NULL, NULL, NULL, NULL, NULL, NULL);
+    ctx = OSSL_STORE_open_ex(uri, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
     if (!TEST_ptr(ctx))
         goto err;
 
@@ -157,7 +157,7 @@ static int test_store_attach_unregistered_scheme(void)
           && TEST_ptr(provider = OSSL_PROVIDER_load(libctx, "default"))
           && TEST_ptr(bio = BIO_new_file(input, "r"))
           && TEST_ptr(store_ctx = OSSL_STORE_attach(bio, "file", libctx, NULL,
-                                                    NULL, NULL, NULL, NULL))
+                                                    NULL, NULL, NULL, NULL, NULL))
           && TEST_int_ne(ERR_GET_LIB(ERR_peek_error()), ERR_LIB_OSSL_STORE)
           && TEST_int_ne(ERR_GET_REASON(ERR_peek_error()),
                          OSSL_STORE_R_UNREGISTERED_SCHEME);
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 7f2ff029ba..5492baa551 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -80,7 +80,7 @@ sub tsignverify {
     my $sigfile = basename($privkey, '.pem') . '.sig';
 
     my @args = ();
-    plan tests => 4;
+    plan tests => 5;
 
     @args = ('openssl', 'pkeyutl', '-sign',
              '-inkey', $privkey,
@@ -90,6 +90,15 @@ sub tsignverify {
     ok(run(app([@args])),
        $testtext.": Generating signature");
 
+    @args = ('openssl', 'pkeyutl', '-sign',
+             '-inkey', $privkey,
+             '-keyform', 'DER',
+             '-out', $sigfile,
+             '-in', $data_to_sign);
+    push(@args, @extraopts);
+    ok(!run(app([@args])),
+       $testtext.": Checking that mismatching keyform fails");
+
     @args = ('openssl', 'pkeyutl', '-verify',
              '-inkey', $privkey,
              '-sigfile', $sigfile,
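Review bot: The added negative test passes `'-out', $sigfile`, the same file the preceding step has just written and the following `-verify` steps read. It therefore relies on the failing command never touching its output file. If the output were ever opened before the key is loaded, the signature would be truncated and the later checks would fail for an unrelated reason. Writing to a separate file, e.g. `'-out', $sigfile . '.bad',`, or running this check before the signature is generated removes that ordering dependency. `tsignverify` starts and ends outside the hunk.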
@@ -99,6 +108,7 @@ sub tsignverify {
        $testtext.": Verify signature with private key");
 
     @args = ('openssl', 'pkeyutl', '-verify',
+             '-keyform', 'PEM',
              '-inkey', $pubkey, '-pubin',
              '-sigfile', $sigfile,
              '-in', $data_to_sign);
diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t
index 1d6200e6d4..c789da6aa6 100644
--- a/test/recipes/25-test_crl.t
+++ b/test/recipes/25-test_crl.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_crl");
 
-plan tests => 9;
+plan tests => 10;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
@@ -44,8 +44,10 @@ ok(compare1stline_stdin([qw{openssl crl -hash -noout}],
                         '106cd822'),
    "crl piped input test");
 
-ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-out", $out,
-            "-nameopt", "utf8"])));
+ok(!run(app(["openssl", "crl", "-text", "-in", $pem, "-inform", "DER",
+             "-out", $out, "-nameopt", "utf8"])));
+ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-inform", "PEM",
+            "-out", $out, "-nameopt", "utf8"])));
 is(cmp_text($out, srctop_file("test/certs", "cyrillic_crl.utf8")),
    0, 'Comparing utf8 output');
 
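Review bot: The new `ok(!run(...))` call with `-inform DER` has no test name, and a bare negation passes on any non-zero exit, not only on a format mismatch. A description such as `"Checking failure of mismatching -inform DER"`, the wording used in 25-test_x509.t in this same commit, would make a failure in the log attributable. The positive call that follows could be named in the same way.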
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index ab6c6e681b..30c1c43a7f 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -73,16 +73,24 @@ subtest "generating alt certificate requests with RSA" => sub {
 
 
 subtest "generating certificate requests with RSA" => sub {
-    plan tests => 2;
+    plan tests => 3;
 
     SKIP: {
         skip "RSA is not supported by this OpenSSL build", 2
             if disabled("rsa");
 
+        ok(!run(app(["openssl", "req",
+                     "-config", srctop_file("test", "test.cnf"),
+                     "-new", "-out", "testreq-rsa.pem", "-utf8",
+                     "-key", srctop_file("test", "testrsa.pem"),
+                     "-keyform", "DER"])),
+           "Checking that mismatching keyform fails");
+
         ok(run(app(["openssl", "req",
                     "-config", srctop_file("test", "test.cnf"),
                     "-new", "-out", "testreq-rsa.pem", "-utf8",
-                    "-key", srctop_file("test", "testrsa.pem")])),
+                    "-key", srctop_file("test", "testrsa.pem"),
+                    "-keyform", "PEM"])),
            "Generating request");
 
         ok(run(app(["openssl", "req",
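Review bot: The plan for this subtest goes from 2 to 3, but the `skip "RSA is not supported by this OpenSSL build", 2` line is left unchanged. The SKIP block continues past the end of this hunk, so it is inferred rather than visible that it holds all three checks. If it does, a build with RSA disabled reports two skipped tests against a plan of three and the subtest fails. The count should follow the plan: `skip "RSA is not supported by this OpenSSL build", 3`.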
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index ae934bf420..1324f754e9 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_x509");
 
-plan tests => 15;
+plan tests => 18;
 
 require_ok(srctop_file("test", "recipes", "tconversion.pl"));
 
@@ -24,6 +24,8 @@ my @certs = qw(test certs);
 my $pem = srctop_file(@certs, "cyrillic.pem");
 my $out_msb = "out-cyrillic.msb";
 my $out_utf8 = "out-cyrillic.utf8";
+my $der = "cyrillic.der";
+my $der2 = "cyrillic.der";
 my $msb = srctop_file(@certs, "cyrillic.msb");
 my $utf = srctop_file(@certs, "cyrillic.utf8");
 
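Review bot: `$der` and `$der2` are both set to `"cyrillic.der"`, so the check added further down, `-in $der -inform PEM -out $der2`, names the same file as input and output. That check is expected to fail before anything is written, so it works today, but the second variable suggests a distinct file was intended. Something like `my $der2 = "cyrillic2.der";` (file name constructed for illustration) keeps the DER input intact regardless of the order in which the command opens its files.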
@@ -36,7 +38,7 @@ ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8,
 is(cmp_text($out_utf8, $utf),
    0, 'Comparing utf8 output with cyrillic.utf8');
 
- SKIP: {
+SKIP: {
     skip "DES disabled", 1 if disabled("des");
 
     my $p12 = srctop_file("test", "shibboleth.pfx");
@@ -47,6 +49,16 @@ is(cmp_text($out_utf8, $utf),
     # not unlinking $out_pem
 }
 
+ok(!run(app(["openssl", "x509", "-in", $pem, "-inform", "DER",
+             "-out", $der, "-outform", "DER"])),
+   "Checking failure of mismatching -inform DER");
+ok(run(app(["openssl", "x509", "-in", $pem, "-inform", "PEM",
+            "-out", $der, "-outform", "DER"])),
+   "Conversion to DER");
+ok(!run(app(["openssl", "x509", "-in", $der, "-inform", "PEM",
+             "-out", $der2, "-outform", "DER"])),
+   "Checking failure of mismatching -inform PEM");
+
 # producing and checking self-issued (but not self-signed) cert
 my $subj = "/CN=CA"; # using same DN as in issuer of ee-cert.pem
 my $extfile = srctop_file("test", "v3_ca_exts.cnf");

