[openssl] master update
dev at ddvo.net
dev at ddvo.net
Thu Oct 7 14:05:47 UTC 2021
The branch master has been updated
via 18e0c544b01ed61e7eab61a6cd187c2f4eaa78bd (commit)
from e8655e16cab9cd14ebfe9f2214c2f2aa39c67a26 (commit)
- Log -----------------------------------------------------------------
commit 18e0c544b01ed61e7eab61a6cd187c2f4eaa78bd
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Oct 5 12:54:15 2021 +0200
apps/x509: Fix self-signed check to happen before setting issuer name
Fixes #16720
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16747)
-----------------------------------------------------------------------
Summary of changes:
apps/x509.c | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 65af7f0d06..1f8a157c0e 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -235,6 +235,21 @@ static X509_REQ *x509_to_req(X509 *cert, int ext_copy, const char *names)
return NULL;
}
+static int self_signed(X509_STORE *ctx, X509 *cert)
+{
+ X509_STORE_CTX *xsc = X509_STORE_CTX_new();
+ int ret = 0;
+
+ if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, cert, NULL)) {
+ BIO_printf(bio_err, "Error initialising X509 store\n");
+ } else {
+ X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
+ ret = X509_verify_cert(xsc) > 0;
+ }
+ X509_STORE_CTX_free(xsc);
+ return ret;
+}
+
int x509_main(int argc, char **argv)
{
ASN1_INTEGER *sno = NULL;
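Review bot: self_signed() returns 0 with no diagnostic when the verification itself fails at `ret = X509_verify_cert(xsc) > 0;`, so the `goto end` at its call site in the second hunk exits the tool without saying why the certificate was rejected; only the X509_STORE_CTX_init failure path prints anything. Reporting the verifier's reason inside the else branch, before the context is freed, would fix that: `if (!ret) BIO_printf(bio_err, "Certificate verification failed: %s\n", X509_verify_cert_error_string(X509_STORE_CTX_get_error(xsc)));`. The helper also has no header comment; a line such as `/* Return 1 if cert verifies against ctx with X509_V_FLAG_CHECK_SS_SIGNATURE set, 0 on failure or setup error (error already printed for the latter). */` would state the contract. As far as I can tell X509_verify_cert() accepts any chain that verifies against ctx rather than requiring the certificate to be literally self-issued, so the name promises a little more than the check enforces; that nuance belongs in the comment too.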
@@ -793,6 +808,8 @@ int x509_main(int argc, char **argv)
sno = x509_load_serial(CAfile, CAserial, CA_createserial);
if (sno == NULL)
goto end;
+ if (!x509toreq && !reqfile && !newcert && !self_signed(ctx, x))
+ goto end;
}
if (sno != NULL && !X509_set_serialNumber(x, sno))
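Review bot: The explanatory comment `/* certificate should be self-signed */` from the deleted block in the third hunk is not carried over to the new `if (!x509toreq && !reqfile && !newcert && !self_signed(ctx, x))` line, so the condition is unexplained at its new location; `/* certificate should be self-signed; check it before the issuer name is overwritten */` above the `if` would preserve the intent the commit title describes. The moved check now runs before the serial number is set and depends on `ctx` already holding the CA store at this earlier point, which the hunk does not show — please confirm ctx is populated from CAfile before this block. The `!x509toreq` term is new relative to the removed condition, presumably because the old location was unreachable when x509toreq was set; if so, that is worth a word in the same comment. The enclosing block that closes at the `}` after the added lines starts outside the hunk.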
@@ -862,21 +879,6 @@ int x509_main(int argc, char **argv)
if (!do_X509_sign(x, privkey, digest, sigopts, &ext_ctx))
goto end;
} else if (CAfile != NULL) {
- if (!reqfile && !newcert) { /* certificate should be self-signed */
- X509_STORE_CTX *xsc = X509_STORE_CTX_new();
-
- if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) {
- BIO_printf(bio_err, "Error initialising X509 store\n");
- X509_STORE_CTX_free(xsc);
- goto end;
- }
- X509_STORE_CTX_set_cert(xsc, x);
- X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
- i = X509_verify_cert(xsc);
- X509_STORE_CTX_free(xsc);
- if (i <= 0)
- goto end;
- }
if ((CAkey = load_key(CAkeyfile, CAkeyformat,
0, passin, e, "CA private key")) == NULL)
goto end;