提交
791bd0cd
编写于
3月 16, 2001
作者:
Dr. Stephen Henson
Add copy_extensions option to 'ca' utility.
上级
e890dcdb
变更
6
Showing
6 changed file
with
145 addition
and
51 deletion
+145
-51
CHANGES
CHANGES
+4
-0
apps/apps.c
apps/apps.c
+56
-0
apps/apps.h
apps/apps.h
+6
-0
apps/ca.c
apps/ca.c
+37
-47
apps/openssl.cnf
apps/openssl.cnf
+3
-0
doc/apps/ca.pod
doc/apps/ca.pod
+39
-4
CHANGES
...
@@ -3,6 +3,10 @@
...
@@ -3,6 +3,10 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
*) Add a 'copy_extensions' option to the 'ca' utility. This copies
extensions from a certificate request to the certificate.
[Steve Henson]
*) Allow multiple 'certopt' and 'nameopt' options to be separated
*) Allow multiple 'certopt' and 'nameopt' options to be separated
by commas. Add 'namopt' and 'certopt' options to the 'ca' config
by commas. Add 'namopt' and 'certopt' options to the 'ca' config
file: this allows the display of the certificate about to be
file: this allows the display of the certificate about to be
...
...
apps/apps.c
...
@@ -809,6 +809,62 @@ int set_name_ex(unsigned long *flags, const char *arg)
...
@@ -809,6 +809,62 @@ int set_name_ex(unsigned long *flags, const char *arg)
return
set_multi_opts
(
flags
,
arg
,
ex_tbl
);
return
set_multi_opts
(
flags
,
arg
,
ex_tbl
);
}
}
int
set_ext_copy
(
int
*
copy_type
,
const
char
*
arg
)
{
if
(
!
strcasecmp
(
arg
,
"none"
))
*
copy_type
=
EXT_COPY_NONE
;
else
if
(
!
strcasecmp
(
arg
,
"copy"
))
*
copy_type
=
EXT_COPY_ADD
;
else
if
(
!
strcasecmp
(
arg
,
"copyall"
))
*
copy_type
=
EXT_COPY_ALL
;
else
return
0
;
return
1
;
}
int
copy_extensions
(
X509
*
x
,
X509_REQ
*
req
,
int
copy_type
)
{
STACK_OF
(
X509_EXTENSION
)
*
exts
=
NULL
;
X509_EXTENSION
*
ext
,
*
tmpext
;
ASN1_OBJECT
*
obj
;
int
i
,
idx
,
ret
=
0
;
if
(
!
x
||
!
req
||
(
copy_type
==
EXT_COPY_NONE
))
return
1
;
exts
=
X509_REQ_get_extensions
(
req
);
for
(
i
=
0
;
i
<
sk_X509_EXTENSION_num
(
exts
);
i
++
)
{
ext
=
sk_X509_EXTENSION_value
(
exts
,
i
);
obj
=
X509_EXTENSION_get_object
(
ext
);
idx
=
X509_get_ext_by_OBJ
(
x
,
obj
,
-
1
);
/* Does extension exist? */
if
(
idx
!=
-
1
)
{
/* If normal copy don't override existing extension */
if
(
copy_type
==
EXT_COPY_ADD
)
continue
;
/* Delete all extensions of same type */
do
{
tmpext
=
X509_get_ext
(
x
,
idx
);
X509_delete_ext
(
x
,
idx
);
X509_EXTENSION_free
(
tmpext
);
idx
=
X509_get_ext_by_OBJ
(
x
,
obj
,
-
1
);
}
while
(
idx
!=
-
1
);
}
if
(
!
X509_add_ext
(
x
,
ext
,
-
1
))
goto
end
;
}
ret
=
1
;
end:
sk_X509_EXTENSION_pop_free
(
exts
,
X509_EXTENSION_free
);
return
ret
;
}
static
int
set_multi_opts
(
unsigned
long
*
flags
,
const
char
*
arg
,
const
NAME_EX_TBL
*
in_tbl
)
static
int
set_multi_opts
(
unsigned
long
*
flags
,
const
char
*
arg
,
const
NAME_EX_TBL
*
in_tbl
)
{
{
STACK_OF
(
CONF_VALUE
)
*
vals
;
STACK_OF
(
CONF_VALUE
)
*
vals
;
...
...
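Review bot: In copy_extensions(), only EXT_COPY_ADD is tested inside the `idx != -1` branch, so any copy_type other than EXT_COPY_NONE and EXT_COPY_ADD falls through to the delete-and-replace path and behaves like copyall, making the most permissive mode the default for an unexpected value. A fail-closed guard after the NULL checks, `if (copy_type != EXT_COPY_ADD && copy_type != EXT_COPY_ALL) return 0;`, keeps a future mode value or an uninitialised flag from silently overriding configured extensions. The NULL result of X509_REQ_get_extensions() is presumably returned both when the request has no extension attribute and when that attribute fails to decode, and the loop treats both as success; if a decode failure should surface, it needs to be distinguished here rather than reported as "copied". The function also has no header comment; one stating that `x` is modified in place, that `exts` is freed on every path so X509_add_ext() must be taking its own copy, and that copy_type selects skip/add/replace would help the callers in ca.c.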
apps/apps.h
...
@@ -153,6 +153,8 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags);
...
@@ -153,6 +153,8 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags);
#endif
#endif
int
set_cert_ex
(
unsigned
long
*
flags
,
const
char
*
arg
);
int
set_cert_ex
(
unsigned
long
*
flags
,
const
char
*
arg
);
int
set_name_ex
(
unsigned
long
*
flags
,
const
char
*
arg
);
int
set_name_ex
(
unsigned
long
*
flags
,
const
char
*
arg
);
int
set_ext_copy
(
int
*
copy_type
,
const
char
*
arg
);
int
copy_extensions
(
X509
*
x
,
X509_REQ
*
req
,
int
copy_type
);
int
app_passwd
(
BIO
*
err
,
char
*
arg1
,
char
*
arg2
,
char
**
pass1
,
char
**
pass2
);
int
app_passwd
(
BIO
*
err
,
char
*
arg1
,
char
*
arg2
,
char
**
pass1
,
char
**
pass2
);
int
add_oid_section
(
BIO
*
err
,
LHASH
*
conf
);
int
add_oid_section
(
BIO
*
err
,
LHASH
*
conf
);
X509
*
load_cert
(
BIO
*
err
,
char
*
file
,
int
format
);
X509
*
load_cert
(
BIO
*
err
,
char
*
file
,
int
format
);
...
@@ -170,6 +172,10 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
...
@@ -170,6 +172,10 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
#define FORMAT_SMIME 6
#define FORMAT_SMIME 6
#define FORMAT_ENGINE 7
#define FORMAT_ENGINE 7
#define EXT_COPY_NONE 0
#define EXT_COPY_ADD 1
#define EXT_COPY_ALL 2
#define NETSCAPE_CERT_HDR "certificate"
#define NETSCAPE_CERT_HDR "certificate"
#define APP_PASS_LEN 1024
#define APP_PASS_LEN 1024
...
...
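Review bot: The new prototypes for set_ext_copy() and copy_extensions() and the EXT_COPY_* defines carry no comment on their contract, even though copy_extensions() modifies `x` in place and copy_type decides whether extensions already on the certificate are kept or replaced. Suggested: `/* EXT_COPY_NONE: ignore request extensions; EXT_COPY_ADD: add those not already present; EXT_COPY_ALL: replace existing ones too */` above the defines, and `/* Returns 1 on success, 0 if arg is not none/copy/copyall (case-insensitive) */` above set_ext_copy().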
apps/ca.c
...
@@ -134,6 +134,7 @@
...
@@ -134,6 +134,7 @@
#define ENV_MSIE_HACK "msie_hack"
#define ENV_MSIE_HACK "msie_hack"
#define ENV_NAMEOPT "name_opt"
#define ENV_NAMEOPT "name_opt"
#define ENV_CERTOPT "cert_opt"
#define ENV_CERTOPT "cert_opt"
#define ENV_EXTCOPY "copy_extensions"
#define ENV_DATABASE "database"
#define ENV_DATABASE "database"
...
@@ -303,7 +304,7 @@ int MAIN(int argc, char **argv)
...
@@ -303,7 +304,7 @@ int MAIN(int argc, char **argv)
int
notext
=
0
;
int
notext
=
0
;
unsigned
long
nameopt
=
0
,
certopt
=
0
;
unsigned
long
nameopt
=
0
,
certopt
=
0
;
int
default_op
=
1
;
int
default_op
=
1
;
int
ext_copy
=
0
;
int
ext_copy
=
EXT_COPY_NONE
;
X509
*
x509
=
NULL
;
X509
*
x509
=
NULL
;
X509
*
x
=
NULL
;
X509
*
x
=
NULL
;
BIO
*
in
=
NULL
,
*
out
=
NULL
,
*
Sout
=
NULL
,
*
Cout
=
NULL
;
BIO
*
in
=
NULL
,
*
out
=
NULL
,
*
Sout
=
NULL
,
*
Cout
=
NULL
;
...
@@ -798,6 +799,18 @@ bad:
...
@@ -798,6 +799,18 @@ bad:
else
else
ERR_clear_error
();
ERR_clear_error
();
f
=
CONF_get_string
(
conf
,
section
,
ENV_EXTCOPY
);
if
(
f
)
{
if
(
!
set_ext_copy
(
&
ext_copy
,
f
))
{
BIO_printf
(
bio_err
,
"Invalid extension copy option:
\"
%s
\"\n
"
,
f
);
goto
err
;
}
}
else
ERR_clear_error
();
/*****************************************************************/
/*****************************************************************/
/* lookup where to write new certificates */
/* lookup where to write new certificates */
...
@@ -1944,40 +1957,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
...
@@ -1944,40 +1957,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
if
(
default_op
)
if
(
default_op
)
old_entry_print
(
bio_err
,
obj
,
str
);
old_entry_print
(
bio_err
,
obj
,
str
);
#if 0
j=i2a_ASN1_OBJECT(bio_err,obj);
pbuf=buf;
for (j=22-j; j>0; j--)
*(pbuf++)=' ';
*(pbuf++)=':';
*(pbuf++)='\0';
BIO_puts(bio_err,buf);
if (str->type == V_ASN1_PRINTABLESTRING)
BIO_printf(bio_err,"PRINTABLE:'");
else if (str->type == V_ASN1_T61STRING)
BIO_printf(bio_err,"T61STRING:'");
else if (str->type == V_ASN1_IA5STRING)
BIO_printf(bio_err,"IA5STRING:'");
else if (str->type == V_ASN1_UNIVERSALSTRING)
BIO_printf(bio_err,"UNIVERSALSTRING:'");
else
BIO_printf(bio_err,"ASN.1 %2d:'",str->type);
p=(char *)str->data;
for (j=str->length; j>0; j--)
{
if ((*p >= ' ') && (*p <= '~'))
BIO_printf(bio_err,"%c",*p);
else if (*p & 0x80)
BIO_printf(bio_err,"\\0x%02X",*p);
else if ((unsigned char)*p == 0xf7)
BIO_printf(bio_err,"^?");
else BIO_printf(bio_err,"^%c",*p+'@');
p++;
}
BIO_printf(bio_err,"'\n");
#endif
}
}
/* Ok, now we check the 'policy' stuff. */
/* Ok, now we check the 'policy' stuff. */
...
@@ -2171,7 +2150,6 @@ again2:
...
@@ -2171,7 +2150,6 @@ again2:
if
(
!
X509_set_issuer_name
(
ret
,
X509_get_subject_name
(
x509
)))
if
(
!
X509_set_issuer_name
(
ret
,
X509_get_subject_name
(
x509
)))
goto
err
;
goto
err
;
BIO_printf
(
bio_err
,
"Certificate is to be certified until "
);
if
(
strcmp
(
startdate
,
"today"
)
==
0
)
if
(
strcmp
(
startdate
,
"today"
)
==
0
)
X509_gmtime_adj
(
X509_get_notBefore
(
ret
),
0
);
X509_gmtime_adj
(
X509_get_notBefore
(
ret
),
0
);
else
ASN1_UTCTIME_set_string
(
X509_get_notBefore
(
ret
),
startdate
);
else
ASN1_UTCTIME_set_string
(
X509_get_notBefore
(
ret
),
startdate
);
...
@@ -2180,10 +2158,6 @@ again2:
...
@@ -2180,10 +2158,6 @@ again2:
X509_gmtime_adj
(
X509_get_notAfter
(
ret
),(
long
)
60
*
60
*
24
*
days
);
X509_gmtime_adj
(
X509_get_notAfter
(
ret
),(
long
)
60
*
60
*
24
*
days
);
else
ASN1_UTCTIME_set_string
(
X509_get_notAfter
(
ret
),
enddate
);
else
ASN1_UTCTIME_set_string
(
X509_get_notAfter
(
ret
),
enddate
);
ASN1_UTCTIME_print
(
bio_err
,
X509_get_notAfter
(
ret
));
if
(
days
)
BIO_printf
(
bio_err
,
" (%d days)"
,
days
);
BIO_printf
(
bio_err
,
"
\n
"
);
if
(
!
X509_set_subject_name
(
ret
,
subject
))
goto
err
;
if
(
!
X509_set_subject_name
(
ret
,
subject
))
goto
err
;
pktmp
=
X509_REQ_get_pubkey
(
req
);
pktmp
=
X509_REQ_get_pubkey
(
req
);
...
@@ -2251,16 +2225,32 @@ again2:
...
@@ -2251,16 +2225,32 @@ again2:
}
}
}
}
/* Copy extensions from request (if any) */
if
(
!
copy_extensions
(
ret
,
req
,
ext_copy
))
{
BIO_printf
(
bio_err
,
"ERROR: adding extensions from request
\n
"
);
ERR_print_errors
(
bio_err
);
goto
err
;
}
if
(
!
default_op
)
{
BIO_printf
(
bio_err
,
"Certificate Details:
\n
"
);
/* Never print signature details because signature not present */
certopt
|=
X509_FLAG_NO_SIGDUMP
|
X509_FLAG_NO_SIGNAME
;
X509_print_ex
(
bio_err
,
ret
,
nameopt
,
certopt
);
}
BIO_printf
(
bio_err
,
"Certificate is to be certified until "
);
ASN1_UTCTIME_print
(
bio_err
,
X509_get_notAfter
(
ret
));
if
(
days
)
BIO_printf
(
bio_err
,
" (%d days)"
,
days
);
BIO_printf
(
bio_err
,
"
\n
"
);
if
(
!
batch
)
if
(
!
batch
)
{
{
if
(
!
default_op
)
{
BIO_printf
(
bio_err
,
"Certificate Details:
\n
"
);
/* Never print signature details because signature not present */
certopt
|=
X509_FLAG_NO_SIGDUMP
|
X509_FLAG_NO_SIGNAME
;
X509_print_ex
(
bio_err
,
ret
,
nameopt
,
certopt
);
}
BIO_printf
(
bio_err
,
"Sign the certificate? [y/n]:"
);
BIO_printf
(
bio_err
,
"Sign the certificate? [y/n]:"
);
(
void
)
BIO_flush
(
bio_err
);
(
void
)
BIO_flush
(
bio_err
);
buf
[
0
]
=
'\0'
;
buf
[
0
]
=
'\0'
;
...
...
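Review bot: copy_extensions() at the top of the last hunk runs unconditionally before the certificate is displayed, so under `-batch` with `copy_extensions = copyall` a request-supplied extension replaces the configured one with no operator ever seeing it; at minimum a notice naming the extensions taken from the request should be printed, e.g. `if (ext_copy != EXT_COPY_NONE) BIO_printf(bio_err, "Extensions copied from request (copy_extensions=%s)\n", f);` next to the copy call, and refusing copyall when `batch` is set is worth considering. The config read in the `@@ -798` hunk follows the certopt/nameopt pattern, but since the option is only settable from the configuration file the error message would be more useful if it listed the accepted values, `"Invalid extension copy option: \"%s\" (expected none, copy or copyall)\n"`. The do_body() signature and the certify call chain that carry `ext_copy` from MAIN into do_body() are outside the shown hunks, so whether every certification path passes it through could not be checked here.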
apps/openssl.cnf
...
@@ -53,6 +53,9 @@ x509_extensions = usr_cert # The extentions to add to the cert
...
@@ -53,6 +53,9 @@ x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
# crl_extensions = crl_ext
...
...
doc/apps/ca.pod
...
@@ -334,6 +334,20 @@ OpenSSL is used. Use of the old format is B<strongly> discouraged because
...
@@ -334,6 +334,20 @@ OpenSSL is used. Use of the old format is B<strongly> discouraged because
it only displays fields mentioned in the B<policy> section, mishandles
it only displays fields mentioned in the B<policy> section, mishandles
multicharacter string types and does not display extensions.
multicharacter string types and does not display extensions.
=item B<copy_extensions>
determines how extensions in certificate requests should be handled.
If set to B<none> or this option is not present then extensions are
ignored and not copied to the certificate. If set to B<copy> then any
extensions present in the request that are not already present are copied
to the certificate. If set to B<copyall> then all extensions in the
request are copied to the certificate: if the extension is already present
in the certificate it is deleted first. See the B<WARNINGS> section before
using this option.
The main use of this option is to allow a certificate request to supply
values for certain extensions such as subjectAltName.
=back
=back
=head1 POLICY FORMAT
=head1 POLICY FORMAT
...
@@ -426,6 +440,7 @@ A sample configuration file with the relevant sections for B<ca>:
...
@@ -426,6 +440,7 @@ A sample configuration file with the relevant sections for B<ca>:
nameopt = default_ca # Subject name display option
nameopt = default_ca # Subject name display option
certopt = default_ca # Certificate display option
certopt = default_ca # Certificate display option
copy_extensions = none # Don't copy extensions from request
[ policy_any ]
[ policy_any ]
countryName = supplied
countryName = supplied
...
@@ -491,10 +506,6 @@ The use of an in memory text database can cause problems when large
...
@@ -491,10 +506,6 @@ The use of an in memory text database can cause problems when large
numbers of certificates are present because, as the name implies
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
the database has to be kept in memory.
Certificate request extensions are ignored: some kind of "policy" should
be included to use certain static extensions and certain extensions
from the request.
It is not possible to certify two certificates with the same DN: this
It is not possible to certify two certificates with the same DN: this
is a side effect of how the text database is indexed and it cannot easily
is a side effect of how the text database is indexed and it cannot easily
be fixed without introducing other problems. Some S/MIME clients can use
be fixed without introducing other problems. Some S/MIME clients can use
...
@@ -513,6 +524,30 @@ The behaviour should be more friendly and configurable.
...
@@ -513,6 +524,30 @@ The behaviour should be more friendly and configurable.
Cancelling some commands by refusing to certify a certificate can
Cancelling some commands by refusing to certify a certificate can
create an empty file.
create an empty file.
=head1 WARNINGS
The B<copy_extensions> option should be used with caution. If care is
not taken then it can be a security risk. For example if a certificate
request contains a basicConstraints extension with CA:TRUE and the
B<copy_extensions> value is set to B<copyall> and the user does not spot
this when the certificate is displayed then this will hand the requestor
a valid CA certificate.
This situation can be avoided by setting B<copy_extensions> to B<copy>
and including basicConstraints with CA:FALSE in the configuration file.
Then if the request contains a basicConstraints extension it will be
ignored.
It is advisable to also include values for other extensions such
as B<keyUsage> to prevent a request supplying its own values.
Additional restrictions can be placed on the CA certificate itself.
For example if the CA certificate has:
basicConstraints = CA:TRUE, pathlen:0
then even if a certificate is issued with CA:TRUE it will not be valid.
=head1 SEE ALSO
=head1 SEE ALSO
L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
...
...