[openssl] master update
dev at ddvo.net
dev at ddvo.net
Sat Sep 11 21:00:35 UTC 2021
The branch master has been updated
via cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821 (commit)
via 611ef4f3737cc5812bdefe381403fdf1bacfba06 (commit)
from 85efdaab4d068f7de354b0a18f70f1737941dc7f (commit)
- Log -----------------------------------------------------------------
commit cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Aug 25 12:30:09 2021 +0200
openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
commit 611ef4f3737cc5812bdefe381403fdf1bacfba06
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Aug 27 07:11:36 2021 +0200
APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
-----------------------------------------------------------------------
Summary of changes:
apps/req.c | 41 ++++++++++++++++++++++++++++++++++-------
apps/x509.c | 16 +++++++++++-----
doc/man1/openssl-req.pod.in | 29 +++++++++++++++++++++--------
doc/man1/openssl-x509.pod.in | 37 ++++++++++++++++++++++---------------
4 files changed, 88 insertions(+), 35 deletions(-)
diff --git a/apps/req.c b/apps/req.c
index 6aa364fec5..f756c25b2a 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -103,7 +103,7 @@ const OPTIONS req_options[] = {
{"keygen_engine", OPT_KEYGEN_ENGINE, 's',
"Specify engine to be used for key generation operations"},
#endif
- {"in", OPT_IN, '<', "X.509 request input file"},
+ {"in", OPT_IN, '<', "X.509 request input file (default stdin)"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{"verify", OPT_VERIFY, '-', "Verify self-signature on the request"},
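Review bot: The rewritten -in help text "X.509 request input file (default stdin)" at the top of this hunk is not what the command does when -x509 or -CA is present: in that case no request is read at all and a new one is generated (see the later `if (infile == NULL) { if (gen_x509) newreq = 1; ...}` change in this same commit, and the pod wording "defaults to standard input unless B<-x509> or B<-CA> is specified"). Suggest aligning the help string with the pod: `{"in", OPT_IN, '<', "X.509 request input file (default stdin unless -x509/-CA given)"},`. A help line that promises stdin input can otherwise lead a scripted caller to pipe a CSR into a command that silently ignores it. The req_options[] table continues outside this hunk.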
@@ -136,10 +136,10 @@ const OPTIONS req_options[] = {
"Cert extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
- {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
+ {"precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)"},
OPT_SECTION("Keys and Signing"),
- {"key", OPT_KEY, 's', "Key to include and to use for self-signature"},
+ {"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to write private key to"},
@@ -489,8 +489,13 @@ int req_main(int argc, char **argv)
if (ext_copy == EXT_COPY_NONE)
BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n");
}
- if (gen_x509 && infile == NULL)
- newreq = 1;
+ if (infile == NULL) {
+ if (gen_x509)
+ newreq = 1;
+ else
+ BIO_printf(bio_err,
+ "Warning: Will read cert request from stdin since no -in option is given\n");
+ }
if (!app_passwd(passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
@@ -631,6 +636,11 @@ int req_main(int argc, char **argv)
goto end;
app_RAND_load_conf(req_conf, section);
}
+ if (keyalg != NULL && pkey != NULL) {
+ BIO_printf(bio_err,
+ "Warning: Not generating key via given -newkey option since -key is given\n");
+ /* Better throw an error in this case */
+ }
if (newreq && pkey == NULL) {
app_RAND_load_conf(req_conf, section);
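Review bot: The new `keyalg != NULL && pkey != NULL` check at the start of this hunk only warns when both -newkey and -key are given, so a command that explicitly asks for a freshly generated key silently ends up signing with, and embedding, the pre-existing -key material, and a warning on stderr is easily lost in scripted use; the in-code comment already concedes that an error is better. Conflicting key-source options should be rejected outright, the way the x509 app in this same commit rejects -key together with -CA: `BIO_printf(bio_err, "Cannot use both -newkey and -key options\n"); goto end;` in place of the warning and its comment. If a hard error is judged too disruptive for existing callers, the pod should at least state which option wins. The enclosing req_main() extends well beyond this hunk, and the point where pkey is loaded from -key is not visible here.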
@@ -742,9 +752,17 @@ int req_main(int argc, char **argv)
goto end;
if (!newreq) {
- req = load_csr(infile, informat, "X509 request");
+ if (keyfile != NULL)
+ BIO_printf(bio_err,
+ "Warning: Not placing -key in cert or request since request is used\n");
+ req = load_csr(infile /* if NULL, reads from stdin */,
+ informat, "X509 request");
if (req == NULL)
goto end;
+ } else if (infile != NULL) {
+ BIO_printf(bio_err,
+ "Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
+ /* Better throw an error in this case, as done in the x509 app */
}
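Review bot: The `else if (infile != NULL)` branch added at the end of this hunk discards an explicitly supplied -in file whenever -new, -newkey or -precert is present, so a caller who expected the supplied CSR to be processed instead gets a request (or, with -x509, a certificate) built from scratch out of the config and -subj, with nothing but a stderr warning to say so; the accompanying comment itself notes the x509 app treats this as an error. Make it a hard error for consistency: `BIO_printf(bio_err, "Cannot use -in option together with -new, -newkey, or -precert\n"); goto end;`. The earlier warning in the same hunk, "Not placing -key in cert or request since request is used", could also be more explicit: with -x509 the public key taken from the CSR is placed in the certificate while -key only signs it, so the result is not self-signed, and the message should say that rather than leave the reader to infer it. req_main() continues outside this hunk.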
if (CAkeyfile == NULL)
@@ -752,7 +770,7 @@ int req_main(int argc, char **argv)
if (CAkeyfile != NULL) {
if (CAfile == NULL) {
BIO_printf(bio_err,
- "Ignoring -CAkey option since no -CA option is given\n");
+ "Warning: Ignoring -CAkey option since no -CA option is given\n");
} else {
if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
0, passin, e,
@@ -788,6 +806,7 @@ int req_main(int argc, char **argv)
BIO_printf(bio_err, "Error making certificate request\n");
goto end;
}
+ /* Note that -x509 can take over -key and -subj option values. */
}
if (gen_x509) {
EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
@@ -798,6 +817,10 @@ int req_main(int argc, char **argv)
X509_NAME *n_subj = fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req);
+ if (CAcert != NULL && keyfile != NULL)
+ BIO_printf(bio_err,
+ "Warning: Not using -key or -newkey for signing since -CA option is given\n");
+
if ((new_x509 = X509_new_ex(app_get0_libctx(),
app_get0_propq())) == NULL)
goto end;
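Review bot: The new warning in this hunk tests only `keyfile != NULL` while its text says "-key or -newkey", so a -newkey given without -key produces no warning even though, if the message is accurate, that key is likewise not used for signing once -CA is present; the condition should be `if (CAcert != NULL && (keyfile != NULL || keyalg != NULL))`, keyalg being the variable the earlier -newkey warning in this commit keys on. More fundamentally, the x509 app in the same commit treats -key together with -CA as a hard error ("Cannot use both -key/-signkey and -CA option") while req merely warns, so the two commands diverge on the same mistake; erroring out here would be the consistent and safer choice. The signing-key selection this warning describes happens outside the visible lines, so whether -newkey's key is in fact dropped for signing is inferred from the message rather than seen. req_main() continues outside this hunk.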
@@ -874,6 +897,10 @@ int req_main(int argc, char **argv)
} else {
X509V3_CTX ext_ctx;
+ if (precert) {
+ BIO_printf(bio_err,
+ "Warning: Ignoring -precert flag since no cert is produced\n");
+ }
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
X509V3_set_nconf(&ext_ctx, req_conf);
diff --git a/apps/x509.c b/apps/x509.c
index 7236972c5b..65af7f0d06 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -61,7 +61,7 @@ const OPTIONS x509_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<',
- "Certificate input (default stdin), or CSR input file with -req"},
+ "Certificate input, or CSR input file with -req (default stdin)"},
{"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
{"new", OPT_NEW, '-', "Generate a certificate from scratch"},
{"x509toreq", OPT_X509TOREQ, '-',
@@ -73,7 +73,7 @@ const OPTIONS x509_options[] = {
"CSR input file format (DER or PEM) - default PEM"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
{"key", OPT_KEY, 's',
- "Key to be used in certificate or cert request"},
+ "Key for signing, and to include unless using -force_pubkey"},
{"signkey", OPT_SIGNKEY, 's',
"Same as -key"},
{"keyform", OPT_KEYFORM, 'E',
@@ -630,7 +630,7 @@ int x509_main(int argc, char **argv)
}
if (privkeyfile == NULL && pubkeyfile == NULL) {
BIO_printf(bio_err,
- "The -new option without -key requires using -force_pubkey\n");
+ "The -new option requires using the -key or -force_pubkey option\n");
goto end;
}
}
@@ -642,7 +642,7 @@ int x509_main(int argc, char **argv)
CAkeyfile = CAfile;
if (CAfile != NULL) {
if (privkeyfile != NULL) {
- BIO_printf(bio_err, "Cannot use both -key and -CA option\n");
+ BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n");
goto end;
}
} else if (CAkeyfile != NULL) {
@@ -676,6 +676,9 @@ int x509_main(int argc, char **argv)
}
if (reqfile) {
+ if (infile == NULL)
+ BIO_printf(bio_err,
+ "Warning: Reading cert request from stdin since no -in option is given\n");
req = load_csr(infile, informat, "certificate request input");
if (req == NULL)
goto end;
@@ -725,6 +728,9 @@ int x509_main(int argc, char **argv)
}
}
} else {
+ if (infile == NULL)
+ BIO_printf(bio_err,
+ "Warning: Reading certificate from stdin since no -in option is given\n");
x = load_cert_pass(infile, informat, 1, passin, "certificate");
if (x == NULL)
goto end;
@@ -819,7 +825,7 @@ int x509_main(int argc, char **argv)
if (x509toreq) { /* also works in conjunction with -req */
if (privkey == NULL) {
- BIO_printf(bio_err, "Must specify request key using -key\n");
+ BIO_printf(bio_err, "Must specify request signing key using -key\n");
goto end;
}
if (clrext && ext_copy != EXT_COPY_NONE) {
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index e78b04c65b..a21c30ba47 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -79,9 +79,10 @@ The data is a PKCS#10 object.
=item B<-in> I<filename>
-This specifies the input filename to read a request from or standard input
-if this option is not specified. A request is only read if the creation
-options (B<-new> or B<-newkey>) are not specified.
+This specifies the input filename to read a request from.
+This defaults to standard input unless B<-x509> or B<-CA> is specified.
+A request is only read if the creation options
+(B<-new> or B<-newkey> or B<-precert>) are not specified.
=item B<-sigopt> I<nm>:I<v>
@@ -156,8 +157,13 @@ else by default an RSA key with 2048 bits length.
=item B<-newkey> I<arg>
-This option creates a new certificate request and a new private
-key. The argument takes one of several forms.
+This option is used to generate a new private key unless B<-key> is given.
+It is subsequently used as if it was given using the B<-key> option.
+
+This option implies the B<-new> flag to create a new certificate request
+or a new certificate in case B<-x509> is given.
+
+The argument takes one of several forms.
[B<rsa:>]I<nbits> generates an RSA key I<nbits> in size.
If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
@@ -193,9 +199,14 @@ See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
=item B<-key> I<filename>|I<uri>
-This specifies the key to include and to use for request self-signature
-and for self-signing certificates produced with the B<-x509> option.
-It also accepts PKCS#8 format private keys for PEM format files.
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless B<-in> is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+
+For certificate signing this option is overridden by the B<-CA> option.
+
+This option also accepts PKCS#8 format private keys for PEM format files.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
@@ -268,6 +279,8 @@ This option outputs a certificate instead of a certificate request.
This is typically used to generate test certificates.
It is implied by the B<-CA> option.
+This option implies the B<-new> flag if B<-in> is not given.
+
If an existing request is specified with the B<-in> option, it is converted
to the a certificate; otherwise a request is created from scratch.
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index 9c77a216c2..b86f409ce8 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -102,9 +102,11 @@ Print out a usage message.
=item B<-in> I<filename>|I<uri>
-If the B<-req> option is not used this specifies the input
-to read a certificate from or standard input if this option is not specified.
-With the B<-req> option this specifies a certificate request file.
+This specifies the input to read a certificate from
+or the input file for reading a certificate request if the B<-req> flag is used.
+In both cases this defaults to standard input.
+
+This option cannot be combined with the B<-new> flag.
=item B<-passin> I<arg>
@@ -118,14 +120,14 @@ Generate a certificate from scratch, not using an input certificate
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> option needs to be given.
The public key to include can be given with the B<-force_pubkey> option
-and defaults to the key given with the B<-key> option,
+and defaults to the key given with the B<-key> (or B<-signkey>) option,
which implies self-signature.
=item B<-x509toreq>
Output a PKCS#10 certificate request (rather than a certificate).
-The B<-key> option must be used to provide the private key for self-signing;
-the corresponding public key is placed in the subjectPKInfo field.
+The B<-key> (or B<-signkey>) option must be used to provide the private key for
+self-signing; the corresponding public key is placed in the subjectPKInfo field.
X.509 extensions included in a certificate input are not copied by default.
X.509 extensions to be added can be specified using the B<-extfile> option.
@@ -163,9 +165,12 @@ Names and values of these options are algorithm-specific.
=item B<-key> I<filename>|I<uri>
-This option causes the new certificate or certificate request
-to be self-signed using the supplied private key.
-This cannot be used in conjunction with the B<-CA> option.
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless B<-force_pubkey> is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+
+This option cannot be used in conjunction with the B<-CA> option.
It sets the issuer name to the subject name (i.e., makes it self-issued)
and changes the public key to the supplied value (unless overridden
@@ -355,8 +360,9 @@ Check that the certificate matches the specified IP address.
=item B<-set_serial> I<n>
-Specifies the serial number to use. This option can be used with either
-the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option
+Specifies the serial number to use.
+This option can be used with the B<-key>, B<-signkey>, or B<-CA> options.
+If used in conjunction with the B<-CA> option
the serial number file (as specified by the B<-CAserial> option) is not used.
The serial number can be decimal or hex (if preceded by C<0x>).
@@ -400,7 +406,8 @@ or certificate request.
=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in I<filename>
-instead of the key contained in the input or given with the B<-key> option.
+instead of the key contained in the input
+or given with the B<-key> (or B<-signkey>) option.
This option is useful for creating self-issued certificates that are not
self-signed, for instance when the key cannot be used for signing, such as DH.
@@ -446,7 +453,7 @@ for testing.
The digest to use.
This affects any signing or printing option that uses a message
-digest, such as the B<-fingerprint>, B<-key> and B<-CA> options.
+digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options.
Any digest supported by the L<openssl-dgst(1)> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
@@ -464,9 +471,9 @@ When present, this behaves like a "micro CA" as follows:
The subject name of the "CA" certificate is placed as issuer name in the new
certificate, which is then signed using the "CA" key given as detailed below.
-This option cannot be used in conjunction with the B<-key> option.
+This option cannot be used in conjunction with B<-key> (or B<-signkey>).
This option is normally combined with the B<-req> option referencing a CSR.
-Without the B<-req> option the input must be a self-signed certificate
+Without the B<-req> option the input must be an existing certificate
unless the B<-new> option is given, which generates a certificate from scratch.
=item B<-CAform> B<DER>|B<PEM>|B<P12>,