From 0e0c6821fab18a7d180d3c8dfe18e34fdd2afc54 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 12 Jan 2010 17:29:34 +0000 Subject: [PATCH] PR: 2136 Submitted by: Willy Weisz Add options to output hash using older algorithm compatible with OpenSSL versions before 1.0.0 --- CHANGES | 4 ++++ apps/x509.c | 29 +++++++++++++++++++++++++++++ crypto/x509/x509.h | 5 +++++ crypto/x509/x509_cmp.c | 14 ++++++++++++++ doc/apps/x509.pod | 16 ++++++++++++++++ 5 files changed, 68 insertions(+) diff --git a/CHANGES b/CHANGES index 5a67bf02c7..ca5075cc23 100644 --- a/CHANGES +++ b/CHANGES @@ -44,6 +44,10 @@ Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx] + *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to + output hashes compatible with older versions of OpenSSL. + [Willy Weisz ] + *) Fix compression algorithm handling: if resuming a session use the compression algorithm of the resumed session instead of determining it from client hello again. Don't allow server to change algorithm. diff --git a/apps/x509.c b/apps/x509.c index 0be3414d34..e7e46d7b63 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -99,7 +99,13 @@ static const char *x509_usage[]={ " -passin arg - private key password source\n", " -serial - print serial number value\n", " -subject_hash - print subject hash value\n", +#ifndef OPENSSL_NO_MD5 +" -subject_hash_old - print old-style (MD5) subject hash value\n", +#endif " -issuer_hash - print issuer hash value\n", +#ifndef OPENSSL_NO_MD5 +" -issuer_hash_old - print old-style (MD5) issuer hash value\n", +#endif " -hash - synonym for -subject_hash\n", " -subject - print subject DN\n", " -issuer - print issuer DN\n", @@ -179,6 +185,9 @@ int MAIN(int argc, char **argv) int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; int next_serial=0; int subject_hash=0,issuer_hash=0,ocspid=0; +#ifndef OPENSSL_NO_MD5 + int subject_hash_old=0,issuer_hash_old=0; +#endif int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int ocsp_uri=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; @@ -397,8 +406,16 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-hash") == 0 || strcmp(*argv,"-subject_hash") == 0) subject_hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-subject_hash_old") == 0) + subject_hash_old= ++num; +#endif else if (strcmp(*argv,"-issuer_hash") == 0) issuer_hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-issuer_hash_old") == 0) + issuer_hash_old= ++num; +#endif else if (strcmp(*argv,"-subject") == 0) subject= ++num; else if (strcmp(*argv,"-issuer") == 0) @@ -759,10 +776,22 @@ bad: { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); } +#ifndef OPENSSL_NO_MD5 + else if (subject_hash_old == i) + { + BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); + } +#endif else if (issuer_hash == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); } +#ifndef OPENSSL_NO_MD5 + else if (issuer_hash_old == i) + { + BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); + } +#endif else if (pprint == i) { X509_PURPOSE *ptmp; diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 25f536d068..a2383b387a 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -961,6 +961,11 @@ unsigned long X509_issuer_name_hash(X509 *a); int X509_subject_name_cmp(const X509 *a, const X509 *b); unsigned long X509_subject_name_hash(X509 *x); +#ifndef OPENSSL_NO_MD5 +unsigned long X509_issuer_name_hash_old(X509 *a); +unsigned long X509_subject_name_hash_old(X509 *x); +#endif + int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); unsigned long X509_NAME_hash(X509_NAME *x); diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index dd55b6e165..a75876edbb 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -138,6 +138,13 @@ unsigned long X509_issuer_name_hash(X509 *x) return(X509_NAME_hash(x->cert_info->issuer)); } +#ifndef OPENSSL_NO_MD5 +unsigned long X509_issuer_name_hash_old(X509 *x) + { + return(X509_NAME_hash_old(x->cert_info->issuer)); + } +#endif + X509_NAME *X509_get_subject_name(X509 *a) { return(a->cert_info->subject); @@ -153,6 +160,13 @@ unsigned long X509_subject_name_hash(X509 *x) return(X509_NAME_hash(x->cert_info->subject)); } +#ifndef OPENSSL_NO_MD5 +unsigned long X509_subject_name_hash_old(X509 *x) + { + return(X509_NAME_hash_old(x->cert_info->subject)); + } +#endif + #ifndef OPENSSL_NO_SHA /* Compare two certificates: they must be identical for * this to work. NB: Although "cmp" operations are generally diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index 09aaed421e..3002b08123 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -158,6 +158,16 @@ outputs the "hash" of the certificate issuer name. synonym for "-subject_hash" for backward compatibility reasons. +=item B<-subject_hash_old> + +outputs the "hash" of the certificate subject name using the older algorithm +as used by OpenSSL versions before 1.0.0. + +=item B<-issuer_hash_old> + +outputs the "hash" of the certificate issuer name using the older algorithm +as used by OpenSSL versions before 1.0.0. + =item B<-subject> outputs the subject name. @@ -837,4 +847,10 @@ L Before OpenSSL 0.9.8, the default digest for RSA keys was MD5. +The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options +before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding +of the distinguished name. In OpenSSL 1.0.0 and later it is based on a +canonical version of the DN using SHA1. This means that any directories using +the old form must have their links rebuilt using B or similar. + =cut