PR: 2136
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at> Add options to output hash using older algorithm compatible with OpenSSL versions before 1.0.0
parent
423c66f10e
commit
0e0c6821fa
5 changed files with 68 additions and 0 deletions
4
CHANGES
|
@ -44,6 +44,10 @@
|
|||
|
||||
Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx]
|
||||
|
||||
*) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
|
||||
output hashes compatible with older versions of OpenSSL.
|
||||
[Willy Weisz <weisz@vcpc.univie.ac.at>]
|
||||
|
||||
*) Fix compression algorithm handling: if resuming a session use the
|
||||
compression algorithm of the resumed session instead of determining
|
||||
it from client hello again. Don't allow server to change algorithm.
|
||||
|
|
29
apps/x509.c
|
@ -99,7 +99,13 @@ static const char *x509_usage[]={
|
|||
" -passin arg - private key password source\n",
|
||||
" -serial - print serial number value\n",
|
||||
" -subject_hash - print subject hash value\n",
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
" -subject_hash_old - print old-style (MD5) subject hash value\n",
|
||||
#endif
|
||||
" -issuer_hash - print issuer hash value\n",
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
" -issuer_hash_old - print old-style (MD5) issuer hash value\n",
|
||||
#endif
|
||||
" -hash - synonym for -subject_hash\n",
|
||||
" -subject - print subject DN\n",
|
||||
" -issuer - print issuer DN\n",
|
||||
|
@ -179,6 +185,9 @@ int MAIN(int argc, char **argv)
|
|||
int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
|
||||
int next_serial=0;
|
||||
int subject_hash=0,issuer_hash=0,ocspid=0;
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
int subject_hash_old=0,issuer_hash_old=0;
|
||||
#endif
|
||||
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
|
||||
int ocsp_uri=0;
|
||||
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
|
||||
|
@ -397,8 +406,16 @@ int MAIN(int argc, char **argv)
|
|||
else if (strcmp(*argv,"-hash") == 0
|
||||
|| strcmp(*argv,"-subject_hash") == 0)
|
||||
subject_hash= ++num;
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
else if (strcmp(*argv,"-subject_hash_old") == 0)
|
||||
subject_hash_old= ++num;
|
||||
#endif
|
||||
else if (strcmp(*argv,"-issuer_hash") == 0)
|
||||
issuer_hash= ++num;
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
else if (strcmp(*argv,"-issuer_hash_old") == 0)
|
||||
issuer_hash_old= ++num;
|
||||
#endif
|
||||
else if (strcmp(*argv,"-subject") == 0)
|
||||
subject= ++num;
|
||||
else if (strcmp(*argv,"-issuer") == 0)
|
||||
|
@ -759,10 +776,22 @@ bad:
|
|||
{
|
||||
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
|
||||
}
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
else if (subject_hash_old == i)
|
||||
{
|
||||
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x));
|
||||
}
|
||||
#endif
|
||||
else if (issuer_hash == i)
|
||||
{
|
||||
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
|
||||
}
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
else if (issuer_hash_old == i)
|
||||
{
|
||||
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x));
|
||||
}
|
||||
#endif
|
||||
else if (pprint == i)
|
||||
{
|
||||
X509_PURPOSE *ptmp;
|
||||
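Review bot: The `subject_hash_old == i` and `issuer_hash_old == i` branches print their value with the same `%08lx` format as the current hash branches, so the output alone does not tell a caller which algorithm produced it, and no comment says why an MD5-based value is still offered. I would add above the first new branch `/* Pre-1.0.0 MD5-based name hash: kept only to match directories hashed by older releases */`, and the same above the issuer branch. When OPENSSL_NO_MD5 is defined the two options are compiled out of the parser, so they presumably fall through to the generic bad-option handling; that is worth confirming, since the usage text is guarded the same way. MAIN starts and ends outside these hunks.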
|
|
|
@ -961,6 +961,11 @@ unsigned long X509_issuer_name_hash(X509 *a);
|
|||
int X509_subject_name_cmp(const X509 *a, const X509 *b);
|
||||
unsigned long X509_subject_name_hash(X509 *x);
|
||||
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
unsigned long X509_issuer_name_hash_old(X509 *a);
|
||||
unsigned long X509_subject_name_hash_old(X509 *x);
|
||||
#endif
|
||||
|
||||
int X509_cmp(const X509 *a, const X509 *b);
|
||||
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
|
||||
unsigned long X509_NAME_hash(X509_NAME *x);
|
||||
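Review bot: The two new prototypes enter the header without any comment on what "old" means or when a caller should prefer them over `X509_issuer_name_hash` and `X509_subject_name_hash`. I would put `/* Name hashes as computed before 1.0.0 (MD5 over the DN encoding); for compatibility with existing hashed directories only */` on the line above `X509_issuer_name_hash_old`. The wording follows the manual-page text added in this same commit.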
|
|
|
@ -138,6 +138,13 @@ unsigned long X509_issuer_name_hash(X509 *x)
|
|||
return(X509_NAME_hash(x->cert_info->issuer));
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
unsigned long X509_issuer_name_hash_old(X509 *x)
|
||||
{
|
||||
return(X509_NAME_hash_old(x->cert_info->issuer));
|
||||
}
|
||||
#endif
|
||||
|
||||
X509_NAME *X509_get_subject_name(X509 *a)
|
||||
{
|
||||
return(a->cert_info->subject);
|
||||
|
@ -153,6 +160,13 @@ unsigned long X509_subject_name_hash(X509 *x)
|
|||
return(X509_NAME_hash(x->cert_info->subject));
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
unsigned long X509_subject_name_hash_old(X509 *x)
|
||||
{
|
||||
return(X509_NAME_hash_old(x->cert_info->subject));
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_SHA
|
||||
/* Compare two certificates: they must be identical for
|
||||
* this to work. NB: Although "cmp" operations are generally
|
||||
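Review bot: Both new wrappers call `X509_NAME_hash_old`, which is neither declared nor defined in any hunk shown here, so its guard cannot be checked against the `#ifndef OPENSSL_NO_MD5` used around `X509_issuer_name_hash_old` and `X509_subject_name_hash_old`. If that function is compiled under a stricter condition than these wrappers, some configurations would presumably fail to build; please confirm the guards match. A one-line comment above each wrapper, such as `/* pre-1.0.0 MD5-based hash of the issuer name */`, would also make the difference from the neighbouring functions visible at the definition.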
|
|
|
@ -158,6 +158,16 @@ outputs the "hash" of the certificate issuer name.
|
|||
|
||||
synonym for "-subject_hash" for backward compatibility reasons.
|
||||
|
||||
=item B<-subject_hash_old>
|
||||
|
||||
outputs the "hash" of the certificate subject name using the older algorithm
|
||||
as used by OpenSSL versions before 1.0.0.
|
||||
|
||||
=item B<-issuer_hash_old>
|
||||
|
||||
outputs the "hash" of the certificate issuer name using the older algorithm
|
||||
as used by OpenSSL versions before 1.0.0.
|
||||
|
||||
=item B<-subject>
|
||||
|
||||
outputs the subject name.
|
||||
|
@ -837,4 +847,10 @@ L<x509v3_config(5)|x509v3_config(5)>
|
|||
|
||||
Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
|
||||
|
||||
The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
|
||||
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
|
||||
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
|
||||
canonical version of the DN using SHA1. This means that any directories using
|
||||
the old form must have their links rebuilt using B<c_rehash> or similar.
|
||||
|
||||
=cut
|
||||
|
|