Merge of main trunk, no conflicts this time
This commit is contained in:
parent
527cc9841c
commit
06b71aec85
22 changed files with 180 additions and 46 deletions
9
CHANGES
9
CHANGES
|
@ -4,6 +4,15 @@
|
|||
|
||||
Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
|
||||
|
||||
*) Add two demo programs for PKCS12_parse() and PKCS12_create().
|
||||
Update PKCS12_parse() so it copies the friendlyName and the
|
||||
keyid to the certificates aux info.
|
||||
[Steve Henson]
|
||||
|
||||
*) Fix bug in PKCS7_verify() which caused an infinite loop
|
||||
if there was more than one signature.
|
||||
[Sven Uszpelkat <su@celocom.de>]
|
||||
|
||||
*) Major change in util/mkdef.pl to include extra information
|
||||
about each symbol, as well as presentig variables as well
|
||||
as functions. This change means that there's n more need
|
||||
|
|
12
FAQ
12
FAQ
|
@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions
|
|||
* Why does the linker complain about undefined symbols?
|
||||
* Where can I get a compiled version of OpenSSL?
|
||||
* I've compiled a program under Windows and it crashes: why?
|
||||
* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
|
||||
* I've called <some function> and it fails, why?
|
||||
* I just get a load of numbers for the error output, what do they mean?
|
||||
* Why do I get errors about unknown algorithms?
|
||||
|
@ -181,6 +182,17 @@ otherwise the conflict will cause a program to crash: typically on the
|
|||
first BIO related read or write operation.
|
||||
|
||||
|
||||
* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
|
||||
|
||||
This usually happens when you try compiling something using the PKCS#12
|
||||
macros with a C++ compiler. There is hardly ever any need to use the
|
||||
PKCS#12 macros in a program, it is much easier to parse and create
|
||||
PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
|
||||
documented in doc/openssl.txt and with examples in demos/pkcs12. The
|
||||
'pkcs12' application has to use the macros because it prints out
|
||||
debugging information.
|
||||
|
||||
|
||||
* I've called <some function> and it fails, why?
|
||||
|
||||
Before submitting a report or asking in one of the mailing lists, you
|
||||
|
|
|
@ -154,13 +154,13 @@ $! Define The Application Files.
|
|||
$!
|
||||
$ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+-
|
||||
"CA;PKCS7;CRL2P7;CRL;"+-
|
||||
"RSA;DSA;DSAPARAM;"+-
|
||||
"RSA;RSAUTL;DSA;DSAPARAM;"+-
|
||||
"X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
|
||||
"S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+-
|
||||
"CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND"
|
||||
$ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,DHPARAM.OBJ,ENC.OBJ,PASSWD.OBJ,GENDH.OBJ,ERRSTR.OBJ,-
|
||||
CA.OBJ,PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,-
|
||||
RSA.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
|
||||
RSA.OBJ,RSAUTL.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
|
||||
X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,-
|
||||
S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,APP_RAND.OBJ,VERSION.OBJ,SESS_ID.OBJ,-
|
||||
CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ
|
||||
|
|
|
@ -73,7 +73,7 @@
|
|||
static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
|
||||
static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose);
|
||||
static STACK_OF(X509) *load_untrusted(char *file);
|
||||
static int v_verbose=0;
|
||||
static int v_verbose=0, issuer_checks = 0;
|
||||
|
||||
int MAIN(int, char **);
|
||||
|
||||
|
@ -147,6 +147,8 @@ int MAIN(int argc, char **argv)
|
|||
}
|
||||
else if (strcmp(*argv,"-help") == 0)
|
||||
goto end;
|
||||
else if (strcmp(*argv,"-issuer_checks") == 0)
|
||||
issuer_checks=1;
|
||||
else if (strcmp(*argv,"-verbose") == 0)
|
||||
v_verbose=1;
|
||||
else if (argv[0][0] == '-')
|
||||
|
@ -284,6 +286,8 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X
|
|||
X509_STORE_CTX_init(csc,ctx,x,uchain);
|
||||
if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain);
|
||||
if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose);
|
||||
if(issuer_checks)
|
||||
X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CB_ISSUER_CHECK);
|
||||
i=X509_verify_cert(csc);
|
||||
X509_STORE_CTX_free(csc);
|
||||
|
||||
|
|
|
@ -67,9 +67,7 @@
|
|||
#include <openssl/stack.h>
|
||||
#include <openssl/safestack.h>
|
||||
|
||||
#ifdef VMS
|
||||
#include <openssl/vms_idhacks.h>
|
||||
#endif
|
||||
#include <openssl/symhacks.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
|
|
|
@ -98,5 +98,13 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
|
|||
} else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
|
||||
if(aux->alias) BIO_printf(out, "%*sAlias: %s\n", indent, "",
|
||||
aux->alias->data);
|
||||
if(aux->keyid) {
|
||||
BIO_printf(out, "%*sKey Id: ", indent, "");
|
||||
for(i = 0; i < aux->keyid->length; i++)
|
||||
BIO_printf(out, "%s%02X",
|
||||
i ? ":" : "",
|
||||
aux->keyid->data[i]);
|
||||
BIO_write(out,"\n",1);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -153,6 +153,14 @@ int X509_alias_set1(X509 *x, unsigned char *name, int len)
|
|||
return ASN1_STRING_set(aux->alias, name, len);
|
||||
}
|
||||
|
||||
int X509_keyid_set1(X509 *x, unsigned char *id, int len)
|
||||
{
|
||||
X509_CERT_AUX *aux;
|
||||
if(!(aux = aux_get(x))) return 0;
|
||||
if(!aux->keyid && !(aux->keyid = ASN1_OCTET_STRING_new())) return 0;
|
||||
return ASN1_STRING_set(aux->keyid, id, len);
|
||||
}
|
||||
|
||||
unsigned char *X509_alias_get0(X509 *x, int *len)
|
||||
{
|
||||
if(!x->aux || !x->aux->alias) return NULL;
|
||||
|
|
|
@ -524,6 +524,7 @@ BIO * BIO_push(BIO *b,BIO *append);
|
|||
BIO * BIO_pop(BIO *b);
|
||||
void BIO_free_all(BIO *a);
|
||||
BIO * BIO_find_type(BIO *b,int bio_type);
|
||||
BIO * BIO_next(BIO *b);
|
||||
BIO * BIO_get_retry_BIO(BIO *bio, int *reason);
|
||||
int BIO_get_retry_reason(BIO *bio);
|
||||
BIO * BIO_dup_chain(BIO *in);
|
||||
|
|
|
@ -418,6 +418,7 @@ BIO *BIO_find_type(BIO *bio, int type)
|
|||
{
|
||||
int mt,mask;
|
||||
|
||||
if(!bio) return NULL;
|
||||
mask=type&0xff;
|
||||
do {
|
||||
if (bio->method != NULL)
|
||||
|
@ -436,6 +437,12 @@ BIO *BIO_find_type(BIO *bio, int type)
|
|||
return(NULL);
|
||||
}
|
||||
|
||||
BIO *BIO_next(BIO *b)
|
||||
{
|
||||
if(!b) return NULL;
|
||||
return b->next_bio;
|
||||
}
|
||||
|
||||
void BIO_free_all(BIO *bio)
|
||||
{
|
||||
BIO *b;
|
||||
|
|
|
@ -204,7 +204,7 @@ $ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ -
|
|||
"rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null"
|
||||
$ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err,dsa_ossl"
|
||||
$ LIB_DH = "dh_gen,dh_key,dh_lib,dh_check,dh_err"
|
||||
$ LIB_DSO = "dso_err,dso_lib,dso_null,dso_openssl,dso_vms"
|
||||
$ LIB_DSO = "dso_err,dso_lib,dso_null,dso_openssl" ! + ",dso_vms"
|
||||
$ LIB_BUFFER = "buffer,buf_err"
|
||||
$ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
|
||||
"bss_mem,bss_null,bss_fd,"+ -
|
||||
|
@ -220,15 +220,15 @@ $ LIB_EVP = "encode,digest,evp_enc,evp_key,"+ -
|
|||
"e_des,e_bf,e_idea,e_des3,"+ -
|
||||
"e_rc4,names,"+ -
|
||||
"e_xcbc_d,e_rc2,e_cast,e_rc5,"
|
||||
$ LIB_EVP_2 = "m_null,m_md2,m_md5,m_sha,m_sha1,m_dss,m_dss1,m_mdc2,"+ -
|
||||
"m_ripemd,"+ -
|
||||
$ LIB_EVP_2 = "m_null,m_md2,m_md4,m_md5,m_sha,m_sha1," + -
|
||||
"m_dss,m_dss1,m_mdc2,m_ripemd,"+ -
|
||||
"p_open,p_seal,p_sign,p_verify,p_lib,p_enc,p_dec,"+ -
|
||||
"bio_md,bio_b64,bio_enc,evp_err,e_null,"+ -
|
||||
"c_all,c_allc,c_alld,evp_lib,bio_ok,"+-
|
||||
"evp_pkey,evp_pbe,p5_crpt,p5_crpt2"
|
||||
$ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
|
||||
"a_null,a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,a_bmp,"+ -
|
||||
"a_enum,a_vis,a_utf8,a_sign,a_digest,a_verify,a_mbstr,"+ -
|
||||
"a_enum,a_vis,a_utf8,a_sign,a_digest,a_verify,a_mbstr,a_strex,"+ -
|
||||
"x_algor,x_val,x_pubkey,x_sig,x_req,x_attrib,"+ -
|
||||
"x_name,x_cinf,x_x509,x_x509a,x_crl,x_info,x_spki,nsseq,"+ -
|
||||
"d2i_r_pr,i2d_r_pr,d2i_r_pu,i2d_r_pu,"+ -
|
||||
|
|
|
@ -216,7 +216,7 @@ struct HWCryptoHook_CallerContextValue
|
|||
#define BN2MPI(mp, bn) \
|
||||
{mp.size = bn->top * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
|
||||
#define MPI2BN(bn, mp) \
|
||||
{mp.size = bn->max * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
|
||||
{mp.size = bn->dmax * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
|
||||
|
||||
#if 0 /* Card and password management is not yet supported */
|
||||
/* HWCryptoHook callbacks. insert_card() and get_pass() are not yet
|
||||
|
|
|
@ -32,14 +32,14 @@ $ IF F$PARSE("WRK_SSLALIB:") .EQS. "" THEN -
|
|||
$ IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
|
||||
CREATE/DIR/LOG WRK_SSLINCLUDE:
|
||||
$
|
||||
$ SDIRS := ,MD2,MD5,SHA,MDC2,HMAC,RIPEMD,-
|
||||
$ SDIRS := ,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,-
|
||||
DES,RC2,RC4,RC5,IDEA,BF,CAST,-
|
||||
BN,RSA,DSA,DH,-
|
||||
BN,RSA,DSA,DH,DSO,ENGINE,-
|
||||
BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,-
|
||||
EVP,ASN1,PEM,X509,X509V3,-
|
||||
CONF,TXT_DB,PKCS7,PKCS12,COMP
|
||||
EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP
|
||||
$ EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,symhacks.h
|
||||
$ EXHEADER_MD2 := md2.h
|
||||
$ EXHEADER_MD4 := md4.h
|
||||
$ EXHEADER_MD5 := md5.h
|
||||
$ EXHEADER_SHA := sha.h
|
||||
$ EXHEADER_MDC2 := mdc2.h
|
||||
|
@ -56,13 +56,15 @@ $ EXHEADER_BN := bn.h
|
|||
$ EXHEADER_RSA := rsa.h
|
||||
$ EXHEADER_DSA := dsa.h
|
||||
$ EXHEADER_DH := dh.h
|
||||
$ EXHEADER_DSO := dso.h
|
||||
$ EXHEADER_ENGINE := engine.h
|
||||
$ EXHEADER_BUFFER := buffer.h
|
||||
$ EXHEADER_BIO := bio.h
|
||||
$ EXHEADER_STACK := stack.h,safestack.h
|
||||
$ EXHEADER_LHASH := lhash.h
|
||||
$ EXHEADER_RAND := rand.h
|
||||
$ EXHEADER_ERR := err.h
|
||||
$ EXHEADER_OBJECTS := objects.h
|
||||
$ EXHEADER_OBJECTS := objects.h,obj_mac.h
|
||||
$ EXHEADER_EVP := evp.h
|
||||
$ EXHEADER_ASN1 := asn1.h,asn1_mac.h
|
||||
$ EXHEADER_PEM := pem.h,pem2.h
|
||||
|
|
|
@ -86,17 +86,14 @@ int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
|
|||
|
||||
/* Check for NULL PKCS12 structure */
|
||||
|
||||
if(!p12)
|
||||
{
|
||||
if(!p12) {
|
||||
PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Allocate stack for ca certificates if needed */
|
||||
if ((ca != NULL) && (*ca == NULL))
|
||||
{
|
||||
if (!(*ca = sk_X509_new(NULL)))
|
||||
{
|
||||
if ((ca != NULL) && (*ca == NULL)) {
|
||||
if (!(*ca = sk_X509_new(NULL))) {
|
||||
PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
@ -206,12 +203,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
|
|||
{
|
||||
PKCS8_PRIV_KEY_INFO *p8;
|
||||
X509 *x509;
|
||||
ASN1_OCTET_STRING *lkey = NULL;
|
||||
ASN1_OCTET_STRING *lkey = NULL, *ckid = NULL;
|
||||
ASN1_TYPE *attrib;
|
||||
ASN1_BMPSTRING *fname = NULL;
|
||||
|
||||
if ((attrib = PKCS12_get_attr (bag, NID_friendlyName)))
|
||||
fname = attrib->value.bmpstring;
|
||||
|
||||
if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
|
||||
if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) {
|
||||
lkey = attrib->value.octet_string;
|
||||
ckid = lkey;
|
||||
}
|
||||
|
||||
/* Check for any local key id matching (if needed) */
|
||||
if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
|
||||
|
@ -247,6 +249,18 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
|
|||
if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
|
||||
return 1;
|
||||
if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
|
||||
if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length);
|
||||
if(fname) {
|
||||
int len;
|
||||
unsigned char *data;
|
||||
len = ASN1_STRING_to_UTF8(&data, fname);
|
||||
if(len > 0) {
|
||||
X509_alias_set1(x509, data, len);
|
||||
OPENSSL_free(data);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (lkey) {
|
||||
*keymatch |= MATCH_CERT;
|
||||
if (cert) *cert = x509;
|
||||
|
|
|
@ -534,7 +534,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
|||
if (EVP_MD_CTX_type(mdc) == j)
|
||||
break;
|
||||
else
|
||||
btmp=btmp->next_bio;
|
||||
btmp=BIO_next(btmp);
|
||||
}
|
||||
|
||||
/* We now have the EVP_MD_CTX, lets do the
|
||||
|
@ -726,7 +726,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
|
|||
}
|
||||
if (EVP_MD_CTX_type(mdc) == md_type)
|
||||
break;
|
||||
btmp=btmp->next_bio;
|
||||
btmp=BIO_next(btmp);
|
||||
}
|
||||
|
||||
/* mdc is the digest ctx that we want, unless there are attributes,
|
||||
|
|
|
@ -153,7 +153,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
|
|||
PKCS7_SIGNER_INFO *si;
|
||||
X509_STORE_CTX cert_ctx;
|
||||
char buf[4096];
|
||||
int i, j=0;
|
||||
int i, j=0, k;
|
||||
BIO *p7bio;
|
||||
BIO *tmpout;
|
||||
|
||||
|
@ -193,8 +193,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
|
|||
|
||||
/* Now verify the certificates */
|
||||
|
||||
if (!(flags & PKCS7_NOVERIFY)) for (i = 0; i < sk_X509_num(signers); i++) {
|
||||
signer = sk_X509_value (signers, i);
|
||||
if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
|
||||
signer = sk_X509_value (signers, k);
|
||||
if (!(flags & PKCS7_NOCHAIN)) {
|
||||
X509_STORE_CTX_init(&cert_ctx, store, signer,
|
||||
p7->d.sign->cert);
|
||||
|
|
|
@ -62,9 +62,7 @@
|
|||
#include <openssl/bio.h>
|
||||
#include <openssl/x509.h>
|
||||
|
||||
#ifdef VMS
|
||||
#include <openssl/vms_idhacks.h>
|
||||
#endif
|
||||
#include <openssl/symhacks.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
|
|
|
@ -912,6 +912,7 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp);
|
|||
X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
|
||||
long length);
|
||||
int X509_alias_set1(X509 *x, unsigned char *name, int len);
|
||||
int X509_keyid_set1(X509 *x, unsigned char *id, int len);
|
||||
unsigned char * X509_alias_get0(X509 *x, int *len);
|
||||
int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
|
||||
int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
|
||||
|
|
|
@ -23,6 +23,7 @@ B<openssl> B<smime>
|
|||
[B<-recip file>]
|
||||
[B<-in file>]
|
||||
[B<-inform SMIME|PEM|DER>]
|
||||
[B<-passin arg>]
|
||||
[B<-inkey file>]
|
||||
[B<-out file>]
|
||||
[B<-outform SMIME|PEM|DER>]
|
||||
|
@ -203,6 +204,11 @@ corresponding certificate. If this option is not specified then the
|
|||
private key must be included in the certificate file specified with
|
||||
the B<-recip> or B<-signer> file.
|
||||
|
||||
=item B<-passin arg>
|
||||
|
||||
the private key password source. For more information about the format of B<arg>
|
||||
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
|
||||
|
||||
=item B<-rand file(s)>
|
||||
|
||||
a file or files containing random data used to seed the random number
|
||||
|
|
|
@ -12,6 +12,7 @@ B<openssl> B<verify>
|
|||
[B<-purpose purpose>]
|
||||
[B<-untrusted file>]
|
||||
[B<-help>]
|
||||
[B<-issuer_checks>]
|
||||
[B<-verbose>]
|
||||
[B<->]
|
||||
[certificates]
|
||||
|
@ -57,6 +58,14 @@ prints out a usage message.
|
|||
|
||||
print extra information about the operations being performed.
|
||||
|
||||
=item B<-issuer_checks>
|
||||
|
||||
print out diagnostics relating to searches for the issuer certificate
|
||||
of the current certificate. This shows why each candidate issuer
|
||||
certificate was rejected. However the presence of rejection messages
|
||||
does not itself imply that anything is wrong: during the normal
|
||||
verify process several rejections may take place.
|
||||
|
||||
=item B<->
|
||||
|
||||
marks the last option. All arguments following this are assumed to be
|
||||
|
@ -88,9 +97,21 @@ The verify operation consists of a number of separate steps.
|
|||
|
||||
Firstly a certificate chain is built up starting from the supplied certificate
|
||||
and ending in the root CA. It is an error if the whole chain cannot be built
|
||||
up. The chain is built up by looking up a certificate whose subject name
|
||||
matches the issuer name of the current certificate. If a certificate is found
|
||||
whose subject and issuer names are identical it is assumed to be the root CA.
|
||||
up. The chain is built up by looking up the issuers certificate of the current
|
||||
certificate. If a certificate is found which is its own issuer it is assumed
|
||||
to be the root CA.
|
||||
|
||||
The process of 'looking up the issuers certificate' itself involves a number
|
||||
of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
|
||||
subject name matched the issuer of the current certificate was assumed to be
|
||||
the issuers certificate. In OpenSSL 0.9.6 and later all certificates
|
||||
whose subject name matches the issuer name of the current certificate are
|
||||
subject to further tests. The relevant authority key identifier components
|
||||
of the current certificate (if present) must match the subject key identifier
|
||||
(if present) and issuer and serial number of the candidate issuer, in addition
|
||||
the keyUsage extension of the candidate issuer (if present) must permit
|
||||
certificate signing.
|
||||
|
||||
The lookup first looks in the list of untrusted certificates and if no match
|
||||
is found the remaining lookups are from the trusted certificates. The root CA
|
||||
is always looked up in the trusted certificate list: if the certificate to
|
||||
|
@ -260,12 +281,46 @@ the root CA is not marked as trusted for the specified purpose.
|
|||
|
||||
the root CA is marked to reject the specified purpose.
|
||||
|
||||
=item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
|
||||
|
||||
the current candidate issuer certificate was rejected because its subject name
|
||||
did not match the issuer name of the current certificate. Only displayed when
|
||||
the B<-issuer_checks> option is set.
|
||||
|
||||
=item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
|
||||
|
||||
the current candidate issuer certificate was rejected because its subject key
|
||||
identifier was present and did not match the authority key identifier current
|
||||
certificate. Only displayed when the B<-issuer_checks> option is set.
|
||||
|
||||
=item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
|
||||
|
||||
the current candidate issuer certificate was rejected because its issuer name
|
||||
and serial number was present and did not match the authority key identifier
|
||||
of the current certificate. Only displayed when the B<-issuer_checks> option is set.
|
||||
|
||||
=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
|
||||
|
||||
the current candidate issuer certificate was rejected because its keyUsage extension
|
||||
does not permit certificate signing.
|
||||
|
||||
=item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
|
||||
|
||||
an application specific error. Unused.
|
||||
|
||||
=back
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
Although the issuer checks are a considerably improvement over the old technique they still
|
||||
suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
|
||||
trusted certificates with matching subject name must either appear in a file (as specified by the
|
||||
B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only
|
||||
the certificates in the file will be recognised.
|
||||
|
||||
Previous versions of OpenSSL assume certificates with matching subject name are identical and
|
||||
mishandled them.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<x509(1)|x509(1)>
|
||||
|
|
18
makevms.com
18
makevms.com
|
@ -316,7 +316,11 @@ $! Tell The User We Are Partly Rebuilding The [.TEST] Directory.
|
|||
$!
|
||||
$ WRITE SYS$OUTPUT "Rebuilding The '[.APPS]MD5.C' And '[.APPS]RMD160.C' Files."
|
||||
$!
|
||||
$ DELETE SYS$DISK:[.APPS]MD5.C;*,RMD160.C;*
|
||||
$ DELETE SYS$DISK:[.APPS]MD4.C;*,MD5.C;*,RMD160.C;*
|
||||
$!
|
||||
$! Copy MD4.C from [.CRYPTO.MD4] into [.APPS]
|
||||
$!
|
||||
$ COPY SYS$DISK:[.CRYPTO.MD4]MD4.C SYS$DISK:[.APPS]
|
||||
$!
|
||||
$! Copy MD5.C from [.CRYPTO.MD5] into [.APPS]
|
||||
$!
|
||||
|
@ -359,14 +363,14 @@ $ COPY 'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL]
|
|||
$!
|
||||
$! Copy All The ".H" Files From The [.CRYPTO] Directory Tree.
|
||||
$!
|
||||
$ SDIRS := ,MD2,MD5,SHA,MDC2,HMAC,RIPEMD,-
|
||||
$ SDIRS := ,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,-
|
||||
DES,RC2,RC4,RC5,IDEA,BF,CAST,-
|
||||
BN,RSA,DSA,DH,-
|
||||
BN,RSA,DSA,DH,DSO,ENGINE,-
|
||||
BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,-
|
||||
EVP,ASN1,PEM,X509,X509V3,-
|
||||
CONF,TXT_DB,PKCS7,PKCS12,COMP
|
||||
EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP
|
||||
$ EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,symhacks.h
|
||||
$ EXHEADER_MD2 := md2.h
|
||||
$ EXHEADER_MD4 := md4.h
|
||||
$ EXHEADER_MD5 := md5.h
|
||||
$ EXHEADER_SHA := sha.h
|
||||
$ EXHEADER_MDC2 := mdc2.h
|
||||
|
@ -383,13 +387,15 @@ $ EXHEADER_BN := bn.h
|
|||
$ EXHEADER_RSA := rsa.h
|
||||
$ EXHEADER_DSA := dsa.h
|
||||
$ EXHEADER_DH := dh.h
|
||||
$ EXHEADER_DSO := dso.h
|
||||
$ EXHEADER_ENGINE := engine.h
|
||||
$ EXHEADER_BUFFER := buffer.h
|
||||
$ EXHEADER_BIO := bio.h
|
||||
$ EXHEADER_STACK := stack.h,safestack.h
|
||||
$ EXHEADER_LHASH := lhash.h
|
||||
$ EXHEADER_RAND := rand.h
|
||||
$ EXHEADER_ERR := err.h
|
||||
$ EXHEADER_OBJECTS := objects.h
|
||||
$ EXHEADER_OBJECTS := objects.h,obj_mac.h
|
||||
$ EXHEADER_EVP := evp.h
|
||||
$ EXHEADER_ASN1 := asn1.h,asn1_mac.h
|
||||
$ EXHEADER_PEM := pem.h,pem2.h
|
||||
|
|
|
@ -143,7 +143,7 @@ $ GOSUB CHECK_OPT_FILE
|
|||
$!
|
||||
$! Define The TEST Files.
|
||||
$!
|
||||
$ TEST_FILES = "BNTEST,IDEATEST,MD2TEST,MD5TEST,HMACTEST,"+ -
|
||||
$ TEST_FILES = "BNTEST,IDEATEST,MD2TEST,MD4TEST,MD5TEST,HMACTEST,"+ -
|
||||
"RC2TEST,RC4TEST,RC5TEST,"+ -
|
||||
"DESTEST,SHATEST,SHA1TEST,MDC2TEST,RMDTEST,"+ -
|
||||
"RANDTEST,DHTEST,"+ -
|
||||
|
|
|
@ -19,7 +19,8 @@ $ then
|
|||
$ tests = p1
|
||||
$ else
|
||||
$ tests := -
|
||||
test_des,test_idea,test_sha,test_md5,test_hmac,test_md2,test_mdc2,-
|
||||
test_des,test_idea,test_sha,test_md4,test_md5,test_hmac,-
|
||||
test_md2,test_mdc2,-
|
||||
test_rmd,test_rc2,test_rc4,test_rc5,test_bf,test_cast,-
|
||||
test_rand,test_bn,test_enc,test_x509,test_rsa,test_crl,test_sid,-
|
||||
test_gen,test_req,test_pkcs7,test_verify,test_dh,test_dsa,-
|
||||
|
@ -35,6 +36,7 @@ $ SHA1TEST := sha1test
|
|||
$ MDC2TEST := mdc2test
|
||||
$ RMDTEST := rmdtest
|
||||
$ MD2TEST := md2test
|
||||
$ MD4TEST := md4test
|
||||
$ MD5TEST := md5test
|
||||
$ HMACTEST := hmactest
|
||||
$ RC2TEST := rc2test
|
||||
|
@ -74,6 +76,9 @@ $ return
|
|||
$ test_md5:
|
||||
$ mcr 'texe_dir''md5test'
|
||||
$ return
|
||||
$ test_md4:
|
||||
$ mcr 'texe_dir''md4test'
|
||||
$ return
|
||||
$ test_hmac:
|
||||
$ mcr 'texe_dir''hmactest'
|
||||
$ return
|
||||
|
|
Loading…
Reference in a new issue