Initial trust code: allow setting of trust checking functions
in a table. Doesn't do too much yet.
Make the -<digestname> options in 'x509' affect all relevant
options.
Change the name of the 'notrust' options to 'reject' as this
causes less confusion and is a better description of the
effect.
A few constification changes.
diff --git a/CHANGES b/CHANGES
index 5aaed4a..3261ece 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,14 @@
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
+ *) Fixes and enhancements to the 'x509' utility. It allowed a message
+ digest to be passed on the command line but it only used this
+ parameter when signing a certificate. Modified so all relevant
+ operations are affected by the digest parameter including the
+ -fingerprint and -x509toreq options. Also -x509toreq choked if a
+ DSA key was used because it didn't fix the digest.
+ [Steve Henson]
+
*) Very preliminary certificate chain verify code. Currently just tests
the untrusted certificates for consistency with the verify purpose
(which is set when the X509_STORE_CTX structure is set up) and checks
@@ -12,7 +20,7 @@
reject chains with invalid extensions whereas before it made no checks
at all.
- Still needs some trust checking code.
+ Preliminary untested trust code.
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
which should be used for version portability: especially since the
diff --git a/TABLE b/TABLE
index 2d86def..84be8c8 100644
--- a/TABLE
+++ b/TABLE
@@ -449,7 +449,7 @@
$thread_cflag = (unknown)
$lflags =
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
-$bn_obj =
+$bn_obj = asm/alpha.o
$des_obj =
$bf_obj =
$md5_obj =
@@ -466,7 +466,7 @@
$thread_cflag = (unknown)
$lflags =
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1
-$bn_obj =
+$bn_obj = asm/alpha.o
$des_obj =
$bf_obj =
$md5_obj =
@@ -483,7 +483,7 @@
$thread_cflag = (unknown)
$lflags =
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
-$bn_obj =
+$bn_obj = asm/alpha.o
$des_obj =
$bf_obj =
$md5_obj =
diff --git a/apps/x509.c b/apps/x509.c
index 6469761..8689608 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -107,9 +107,9 @@
" -noout - no certificate output\n",
" -trustout - output a \"trusted\" certificate\n",
" -clrtrust - clear all trusted purposes\n",
-" -clrnotrust - clear all untrusted purposes\n",
-" -addtrust arg - mark certificate as trusted for a given purpose\n",
-" -addnotrust arg - mark certificate as not trusted for a given purpose\n",
+" -clrreject - clear all rejected purposes\n",
+" -addtrust arg - trust certificate for a given purpose\n",
+" -addreject arg - reject certificate for a given purpose\n",
" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
" -signkey arg - self sign cert with arg\n",
@@ -122,7 +122,7 @@
" -CAserial - serial file\n",
" -text - print the certificate in text form\n",
" -C - print out C code forms\n",
-" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n",
+" -md2/-md5/-sha1/-mdc2 - digest to use\n",
" -extfile - configuration file with X509V3 extensions to add\n",
" -extensions - section from config file with X509V3 extensions to add\n",
NULL
@@ -148,14 +148,14 @@
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
- STACK *trust = NULL, *notrust = NULL;
+ STACK *trust = NULL, *reject = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
char *alias=NULL, *trstr=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
- int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0;
+ int trustout=0,clrtrust=0,clrreject=0,aliasout=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
int pprint = 0;
@@ -289,17 +289,17 @@
sk_push(trust, trstr);
trustout = 1;
}
- else if (strcmp(*argv,"-addnotrust") == 0)
+ else if (strcmp(*argv,"-addreject") == 0)
{
if (--argc < 1) goto bad;
trstr= *(++argv);
- if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) {
+ if(!X509_reject_set_bit_asc(NULL, trstr, 0)) {
BIO_printf(bio_err,
"Unknown trust value %s\n", trstr);
goto bad;
}
- if(!notrust) notrust = sk_new_null();
- sk_push(notrust, trstr);
+ if(!reject) reject = sk_new_null();
+ sk_push(reject, trstr);
trustout = 1;
}
else if (strcmp(*argv,"-setalias") == 0)
@@ -351,13 +351,13 @@
trustout= 1;
else if (strcmp(*argv,"-clrtrust") == 0)
clrtrust= ++num;
- else if (strcmp(*argv,"-clrnotrust") == 0)
- clrnotrust= ++num;
+ else if (strcmp(*argv,"-clrreject") == 0)
+ clrreject= ++num;
else if (strcmp(*argv,"-alias") == 0)
aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
- else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+ else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
digest=md_alg;
@@ -551,7 +551,7 @@
if(alias) X509_alias_set(x, (unsigned char *)alias, -1);
if(clrtrust) X509_trust_set_bit(x, -1, 0);
- if(clrnotrust) X509_notrust_set_bit(x, -1, 0);
+ if(clrreject) X509_reject_set_bit(x, -1, 0);
if(trust) {
for(i = 0; i < sk_num(trust); i++) {
@@ -561,12 +561,12 @@
sk_free(trust);
}
- if(notrust) {
- for(i = 0; i < sk_num(notrust); i++) {
- trstr = sk_value(notrust, i);
- X509_notrust_set_bit_asc(x, trstr, 1);
+ if(reject) {
+ for(i = 0; i < sk_num(reject); i++) {
+ trstr = sk_value(reject, i);
+ X509_reject_set_bit_asc(x, trstr, 1);
}
- sk_free(notrust);
+ sk_free(reject);
}
if (num)
@@ -732,12 +732,13 @@
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
- if (!X509_digest(x,EVP_md5(),md,&n))
+ if (!X509_digest(x,digest,md,&n))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
- BIO_printf(STDout,"MD5 Fingerprint=");
+ BIO_printf(STDout,"%s Fingerprint=",
+ OBJ_nid2sn(EVP_MD_type(digest)));
for (j=0; j<(int)n; j++)
{
BIO_printf(STDout,"%02X%c",md[j],
@@ -801,7 +802,10 @@
BIO_printf(bio_err,"Generating certificate request\n");
- rq=X509_to_X509_REQ(x,pk,EVP_md5());
+ if (pk->type == EVP_PKEY_DSA)
+ digest=EVP_dss1();
+
+ rq=X509_to_X509_REQ(x,pk,digest);
EVP_PKEY_free(pk);
if (rq == NULL)
{
diff --git a/crypto/asn1/a_digest.c b/crypto/asn1/a_digest.c
index c838f60..3370aae 100644
--- a/crypto/asn1/a_digest.c
+++ b/crypto/asn1/a_digest.c
@@ -69,8 +69,8 @@
#include <openssl/buffer.h>
#include <openssl/x509.h>
-int ASN1_digest(int (*i2d)(), EVP_MD *type, char *data, unsigned char *md,
- unsigned int *len)
+int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
+ unsigned char *md, unsigned int *len)
{
EVP_MD_CTX ctx;
int i;
diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c
index ebd62f6..5c15d09 100644
--- a/crypto/asn1/t_x509a.c
+++ b/crypto/asn1/t_x509a.c
@@ -83,12 +83,12 @@
return 1;
}
-int X509_notrust_set_bit_asc(X509 *x, char *str, int value)
+int X509_reject_set_bit_asc(X509 *x, char *str, int value)
{
int bitnum;
bitnum = ASN1_BIT_STRING_num_asc(str, tbits);
if(bitnum < 0) return 0;
- if(x) return X509_notrust_set_bit(x, bitnum, value);
+ if(x) return X509_reject_set_bit(x, bitnum, value);
return 1;
}
@@ -102,9 +102,9 @@
BIO_printf(out, "%*sTrusted for:\n", indent, "");
ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2);
} else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, "");
- if(aux->notrust) {
+ if(aux->reject) {
BIO_printf(out, "%*sUntrusted for:\n", indent, "");
- ASN1_BIT_STRING_name_print(out, aux->notrust, tbits, indent + 2);
+ ASN1_BIT_STRING_name_print(out, aux->reject, tbits, indent + 2);
} else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, "");
if(aux->othertrust) {
first = 1;
@@ -119,15 +119,15 @@
}
BIO_puts(out, "\n");
}
- if(aux->othernotrust) {
+ if(aux->otherreject) {
first = 1;
BIO_printf(out, "%*sOther Untrusted Uses:\n%*s",
indent, "", indent + 2, "");
- for(i = 0; i < sk_ASN1_OBJECT_num(aux->othernotrust); i++) {
+ for(i = 0; i < sk_ASN1_OBJECT_num(aux->otherreject); i++) {
if(!first) BIO_puts(out, ", ");
else first = 0;
OBJ_obj2txt(oidstr, 80,
- sk_ASN1_OBJECT_value(aux->othernotrust, i), 0);
+ sk_ASN1_OBJECT_value(aux->otherreject, i), 0);
BIO_puts(out, oidstr);
}
BIO_puts(out, "\n");
diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c
index d8409fb..1b95764 100644
--- a/crypto/asn1/x_x509a.c
+++ b/crypto/asn1/x_x509a.c
@@ -80,12 +80,12 @@
M_ASN1_D2I_get_opt(ret->trust, d2i_ASN1_BIT_STRING,
V_ASN1_BIT_STRING);
- M_ASN1_D2I_get_IMP_opt(ret->notrust, d2i_ASN1_BIT_STRING,0,
+ M_ASN1_D2I_get_IMP_opt(ret->reject, d2i_ASN1_BIT_STRING,0,
V_ASN1_BIT_STRING);
M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->othertrust,
d2i_ASN1_OBJECT, ASN1_OBJECT_free);
- M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->othernotrust,
+ M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->otherreject,
d2i_ASN1_OBJECT, ASN1_OBJECT_free, 1);
M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
M_ASN1_D2I_get_opt(ret->other, d2i_ASN1_TYPE, V_ASN1_SEQUENCE);
@@ -99,9 +99,9 @@
ASN1_CTX c;
M_ASN1_New_Malloc(ret, X509_CERT_AUX);
ret->trust = NULL;
- ret->notrust = NULL;
+ ret->reject = NULL;
ret->othertrust = NULL;
- ret->othernotrust = NULL;
+ ret->otherreject = NULL;
ret->alias = NULL;
ret->other = NULL;
return(ret);
@@ -112,9 +112,9 @@
{
if(a == NULL) return;
ASN1_BIT_STRING_free(a->trust);
- ASN1_BIT_STRING_free(a->notrust);
+ ASN1_BIT_STRING_free(a->reject);
sk_ASN1_OBJECT_pop_free(a->othertrust, ASN1_OBJECT_free);
- sk_ASN1_OBJECT_pop_free(a->othernotrust, ASN1_OBJECT_free);
+ sk_ASN1_OBJECT_pop_free(a->otherreject, ASN1_OBJECT_free);
ASN1_UTF8STRING_free(a->alias);
ASN1_TYPE_free(a->other);
Free((char *)a);
@@ -125,10 +125,10 @@
M_ASN1_I2D_vars(a);
M_ASN1_I2D_len(a->trust, i2d_ASN1_BIT_STRING);
- M_ASN1_I2D_len_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING);
+ M_ASN1_I2D_len_IMP_opt(a->reject, i2d_ASN1_BIT_STRING);
M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
- M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
+ M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1);
M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
M_ASN1_I2D_len(a->other, i2d_ASN1_TYPE);
@@ -136,10 +136,10 @@
M_ASN1_I2D_seq_total();
M_ASN1_I2D_put(a->trust, i2d_ASN1_BIT_STRING);
- M_ASN1_I2D_put_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING, 0);
+ M_ASN1_I2D_put_IMP_opt(a->reject, i2d_ASN1_BIT_STRING, 0);
M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
- M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
+ M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1);
M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
M_ASN1_I2D_put(a->other, i2d_ASN1_TYPE);
@@ -184,19 +184,19 @@
return ASN1_BIT_STRING_set_bit(aux->trust, bit, value);
}
-int X509_notrust_set_bit(X509 *x, int bit, int value)
+int X509_reject_set_bit(X509 *x, int bit, int value)
{
X509_CERT_AUX *aux;
if(bit == -1) {
- if(x->aux && x->aux->notrust) {
- ASN1_BIT_STRING_free(x->aux->notrust);
- x->aux->notrust = NULL;
+ if(x->aux && x->aux->reject) {
+ ASN1_BIT_STRING_free(x->aux->reject);
+ x->aux->reject = NULL;
}
return 1;
}
if(!(aux = aux_get(x))) return 0;
- if(!aux->notrust && !(aux->notrust = ASN1_BIT_STRING_new())) return 0;
- return ASN1_BIT_STRING_set_bit(aux->notrust, bit, value);
+ if(!aux->reject && !(aux->reject = ASN1_BIT_STRING_new())) return 0;
+ return ASN1_BIT_STRING_set_bit(aux->reject, bit, value);
}
int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj)
@@ -208,12 +208,12 @@
return sk_ASN1_OBJECT_push(aux->othertrust, obj);
}
-int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj)
+int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj)
{
X509_CERT_AUX *aux;
if(!(aux = aux_get(x))) return 0;
- if(!aux->othernotrust
- && !(aux->othernotrust = sk_ASN1_OBJECT_new_null())) return 0;
- return sk_ASN1_OBJECT_push(aux->othernotrust, obj);
+ if(!aux->otherreject
+ && !(aux->otherreject = sk_ASN1_OBJECT_new_null())) return 0;
+ return sk_ASN1_OBJECT_push(aux->otherreject, obj);
}
diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h
index c42bd6d..839439a 100644
--- a/crypto/pkcs7/pkcs7.h
+++ b/crypto/pkcs7/pkcs7.h
@@ -247,7 +247,7 @@
unsigned char **pp, long length);
#ifndef SSLEAY_MACROS
-int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,EVP_MD *type,
+int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,const EVP_MD *type,
unsigned char *md,unsigned int *len);
#ifndef NO_FP_API
PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);
diff --git a/crypto/x509/Makefile.ssl b/crypto/x509/Makefile.ssl
index f29efba..db2aa50 100644
--- a/crypto/x509/Makefile.ssl
+++ b/crypto/x509/Makefile.ssl
@@ -27,13 +27,13 @@
x509_set.c x509rset.c x509_err.c \
x509name.c x509_v3.c x509_ext.c \
x509type.c x509_lu.c x_all.c x509_txt.c \
- by_file.c by_dir.c
+ x509_trs.c by_file.c by_dir.c
LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
x509_obj.o x509_req.o x509spki.o x509_vfy.o \
x509_set.o x509rset.o x509_err.o \
x509name.o x509_v3.o x509_ext.o \
x509type.o x509_lu.o x_all.o x509_txt.o \
- by_file.o by_dir.o
+ x509_trs.o by_file.o by_dir.o
SRC= $(LIBSRC)
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index ed08dfb..227bbaf 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -236,7 +236,7 @@
* the end of the certificate itself
*/
-/* Bit values for trust/notrust */
+/* Bit values for trust/reject */
#define X509_TRUST_BIT_ALL 0
#define X509_TRUST_BIT_SSL_CLIENT 1
@@ -248,9 +248,9 @@
typedef struct x509_cert_aux_st
{
ASN1_BIT_STRING *trust; /* trusted uses */
- ASN1_BIT_STRING *notrust; /* rejected uses */
+ ASN1_BIT_STRING *reject; /* rejected uses */
STACK_OF(ASN1_OBJECT) *othertrust; /* extra uses */
- STACK_OF(ASN1_OBJECT) *othernotrust; /* extra rejected uses */
+ STACK_OF(ASN1_OBJECT) *otherreject; /* extra rejected uses */
ASN1_UTF8STRING *alias; /* "friendly name" */
ASN1_TYPE *other; /* other unspecified info */
} X509_CERT_AUX;
@@ -284,16 +284,29 @@
int trust_flags;
int (*check_trust)(struct x509_trust_st *, X509 *, int);
char *trust_name;
- int trust_bit;
- void *usr_data;
+ int arg1;
+ void *arg2;
} X509_TRUST;
-/* X509 trust ids */
+DECLARE_STACK_OF(X509_TRUST)
+
+/* standard trust ids */
#define X509_TRUST_ANY 1
#define X509_TRUST_SSL_CLIENT 2
#define X509_TRUST_SSL_SERVER 3
#define X509_TRUST_EMAIL 4
+#define X509_TRUST_OBJECT_SIGN 5
+
+/* trust_flags values */
+#define X509_TRUST_DYNAMIC 1
+#define X509_TRUST_DYNAMIC_NAME 2
+
+/* check_trust return codes */
+
+#define X509_TRUST_TRUSTED 1
+#define X509_TRUST_REJECTED 2
+#define X509_TRUST_UNTRUSTED 3
typedef struct X509_revoked_st
{
@@ -615,8 +628,8 @@
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
-int X509_digest(X509 *data,EVP_MD *type,unsigned char *md,unsigned int *len);
-int X509_NAME_digest(X509_NAME *data,EVP_MD *type,
+int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len);
+int X509_NAME_digest(X509_NAME *data,const EVP_MD *type,
unsigned char *md,unsigned int *len);
#endif
@@ -701,7 +714,7 @@
const char * X509_get_default_cert_file_env(void );
const char * X509_get_default_private_dir(void );
-X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md);
+X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
void ERR_load_X509_strings(void );
@@ -803,12 +816,12 @@
int X509_alias_set(X509 *x, unsigned char *name, int len);
unsigned char * X509_alias_get(X509 *x, int *len);
int X509_trust_set_bit(X509 *x, int bit, int value);
-int X509_notrust_set_bit(X509 *x, int bit, int value);
+int X509_reject_set_bit(X509 *x, int bit, int value);
int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj);
-int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj);
+int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj);
int X509_trust_set_bit_asc(X509 *x, char *str, int value);
-int X509_notrust_set_bit_asc(X509 *x, char *str, int value);
+int X509_reject_set_bit_asc(X509 *x, char *str, int value);
X509_REVOKED * X509_REVOKED_new(void);
void X509_REVOKED_free(X509_REVOKED *a);
@@ -857,7 +870,7 @@
int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
-int ASN1_digest(int (*i2d)(),EVP_MD *type,char *data,
+int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
unsigned char *md,unsigned int *len);
int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
@@ -1040,6 +1053,17 @@
PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
+int X509_check_trust(X509 *x, int id, int flags);
+int X509_TRUST_get_count(void);
+X509_TRUST * X509_TRUST_iget(int idx);
+int X509_TRUST_get_by_id(int id);
+int X509_TRUST_add(X509_TRUST *xp);
+void X509_TRUST_cleanup(void);
+void X509_TRUST_add_standard(void);
+int X509_TRUST_get_id(X509_TRUST *xp);
+char *X509_TRUST_iget_name(X509_TRUST *xp);
+int X509_TRUST_get_trust(X509_TRUST *xp);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1077,6 +1101,7 @@
#define X509_F_X509_STORE_ADD_CERT 124
#define X509_F_X509_STORE_ADD_CRL 125
#define X509_F_X509_TO_X509_REQ 126
+#define X509_F_X509_TRUST_ADD 133
#define X509_F_X509_VERIFY_CERT 127
/* Reason codes. */
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index 58e13c6..c185bc0 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -94,6 +94,7 @@
{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0), "X509_STORE_add_cert"},
{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0), "X509_STORE_add_crl"},
{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"},
+{ERR_PACK(0,X509_F_X509_TRUST_ADD,0), "X509_TRUST_ADD"},
{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"},
{0,NULL}
};
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index b52a59c..b20305c 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -66,7 +66,7 @@
#include <openssl/buffer.h>
#include <openssl/pem.h>
-X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md)
+X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
X509_REQ *ret;
X509_REQ_INFO *ri;
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 4973c18..e2db827 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -411,19 +411,19 @@
(char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
}
-int X509_digest(X509 *data, EVP_MD *type, unsigned char *md,
+int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md,
unsigned int *len)
{
return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
}
-int X509_NAME_digest(X509_NAME *data, EVP_MD *type, unsigned char *md,
+int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md,
unsigned int *len)
{
return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
}
-int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, EVP_MD *type,
+int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,
diff --git a/doc/man/x509.pod b/doc/man/x509.pod
index 7e2036e..9f8c947 100644
--- a/doc/man/x509.pod
+++ b/doc/man/x509.pod
@@ -29,9 +29,9 @@
[B<-noout>]
[B<-trustout>]
[B<-clrtrust>]
-[B<-clrnotrust>]
+[B<-clrreject>]
[B<-addtrust arg>]
-[B<-addnotrust arg>]
+[B<-addreject arg>]
[B<-setalias arg>]
[B<-days arg>]
[B<-signkey filename>]
@@ -59,7 +59,7 @@
various sections.
-=head1 INPUT AND OUTPUT OPTIONS
+=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
=over 4
@@ -87,6 +87,14 @@
This specifies the output filename to write to or standard output by
default.
+=item B<-md2|-md5|-sha1|-mdc2>
+
+the digest to use. This affects any signing or display option that uses a message
+digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
+specified then MD5 is used. If the key being used to sign with is a DSA key then
+this option has no effect: SHA1 is always used with DSA keys.
+
+
=back
=head1 DISPLAY OPTIONS
@@ -143,7 +151,7 @@
=item B<-fingerprint>
-prints out the MD5 digest of the whole certificate.
+prints out the digest of the DER encoded version of the whole certificate.
=item B<-C>
@@ -201,7 +209,7 @@
clears all the permitted or trusted uses of the certificate.
-=item B<-clrnotrust>
+=item B<-clrreject>
clears all the prohibited or untrusted uses of the certificate.
@@ -211,7 +219,7 @@
are all (any purpose), sslclient (SSL client use), sslserver
(SSL server use) email (S/MIME email) and objsign (Object signing).
-=item B<-addnotrust arg>
+=item B<-addreject arg>
adds a prohibited use. It accepts the same values as the B<-addtrust>
option.
@@ -311,11 +319,6 @@
it will contain the serial number "01". Normally if the B<-CA> option is
specified and the serial number file does not exist it is an error.
-=item B<-md2|-md5|-sha1|-mdc2>
-
-the digest to sign with. It affects all commands that sign a certificate
-or request.
-
=item B<-extfile filename>
file containing certificate extensions to use. If not specified then
@@ -339,10 +342,17 @@
openssl x509 -in cert.pem -noout -text
-Displa the certificate serial number:
+Display the certificate serial number:
openssl x509 -in cert.pem -noout -serial
+Display the certificate MD5 fingerprint:
+
+ openssl x509 -in cert.pem -noout -fingerprint
+
+Display the certificate SHA1 fingerprint:
+
+ openssl x509 -sha1 -in cert.pem -noout -fingerprint
Convert a certificate from PEM to DER format:
@@ -383,6 +393,18 @@
-----BEGIN X509 CERTIFICATE----
-----END X509 CERTIFICATE----
+Trusted certificates have the lines
+
+ -----BEGIN TRUSTED CERTIFICATE----
+ -----END TRUSTED CERTIFICATE----
+
+The B<-fingerprint> option takes the digest of the DER encoded certificate.
+This is commonly called a "fingerprint". Because of the nature of message
+digests the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
+
+The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
+
=head1 BUGS
The way DNs are printed is in a "historical SSLeay" format which doesn't
@@ -396,7 +418,7 @@
wrong private key or using inconsistent options in some cases: these should
be checked.
-There should be options to explicitly set such things are start and end
+There should be options to explicitly set such things as start and end
dates rather than an offset from the current time.
The code to implement the verify behaviour described in the B<TRUST SETTINGS>
@@ -404,7 +426,6 @@
than the current behaviour. It is hoped that it will represent reality in
OpenSSL 0.9.5 and later.
-
=head1 SEE ALSO
req(1), ca(1), genrsa(1), gendsa(1)
