authorjob <>2024-08-12 15:34:58 +0000
committerjob <>2024-08-12 15:34:58 +0000
commite52a64d54a35f07cf3ec8d6e1d172633a1b67aea (patch)
tree830f44291a022df3c807e5d485e78f6112953725 /src
parentbe33cdebddbcda7d12a3d88ea90f6fa1ce95bdc4 (diff)
Add -CRLfile option to 'cms' sub command
This option allows certs in a CMS object to be verified against additional CRLs. Ported from work by Tom Harrison from APNIC. OK tb@
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/cms.c37
-rw-r--r--src/usr.bin/openssl/openssl.18
2 files changed, 38 insertions, 7 deletions
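--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.35 2023/11/21 17:56:19 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.36 2024/08/12 15:34:58 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -110,6 +110,7 @@ static struct {
  X509 *cert;
  char *certfile;
  char *certsoutfile;
+ char *crlfile;
  const EVP_CIPHER *cipher;
  char *contfile;
  ASN1_OBJECT *econtent_type;
@@ -548,6 +549,13 @@ static const struct option cms_options[] = {
  .opt.arg = &cfg.CApath,
  },
  {
+ .name = "CRLfile",
+ .argname = "file",
+ .desc = "Other certificate revocation lists file",
+ .type = OPTION_ARG,
+ .opt.arg = &cfg.crlfile,
+ },
+ {
  .name = "binary",
  .desc = "Do not translate message to text",
  .type = OPTION_VALUE_OR,
@@ -1111,10 +1119,10 @@ cms_usage(void)
  "[-aes128 | -aes192 | -aes256 | -camellia128 |\n"
  " -camellia192 | -camellia256 | -des | -des3 |\n"
  " -rc2-40 | -rc2-64 | -rc2-128] [-CAfile file]\n"
- " [-CApath directory] [-binary] [-certfile file]\n"
- " [-certsout file] [-cmsout] [-compress] [-content file]\n"
- " [-crlfeol] [-data_create] [-data_out] [-debug_decrypt]\n"
- " [-decrypt] [-digest_create] [-digest_verify]\n"
+ " [-CApath directory] [-CRLfile file] [-binary]\n"
+ " [-certfile file] [-certsout file] [-cmsout] [-compress]\n"
+ " [-content file] [-crlfeol] [-data_create] [-data_out]\n"
+ " [-debug_decrypt] [-decrypt] [-digest_create] [-digest_verify]\n"
  " [-econtent_type type] [-encrypt] [-EncryptedData_decrypt]\n"
  " [-EncryptedData_encrypt] [-from addr] [-in file]\n"
  " [-inform der | pem | smime] [-inkey file]\n"
@@ -1158,6 +1166,7 @@ cms_main(int argc, char **argv)
  X509 *recip = NULL, *signer = NULL;
  EVP_PKEY *key = NULL;
  STACK_OF(X509) *other = NULL;
+ STACK_OF(X509_CRL) *crls = NULL;
  BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
  int badarg = 0;
  CMS_ReceiptRequest *rr = NULL;
@@ -1316,6 +1325,14 @@ cms_main(int argc, char **argv)
  goto end;
  }
  }
+
+ if (cfg.crlfile != NULL) {
+ crls = load_crls(bio_err, cfg.crlfile, FORMAT_PEM, NULL,
+ "other CRLs");
+ if (crls == NULL)
+ goto end;
+ }
+
  if (cfg.recipfile != NULL &&
  (cfg.operation == SMIME_DECRYPT)) {
  if ((recip = load_cert(bio_err, cfg.recipfile,
@@ -1677,6 +1694,15 @@ cms_main(int argc, char **argv)
  cfg.secret_keylen, indata, out, cfg.flags))
  goto end;
  } else if (cfg.operation == SMIME_VERIFY) {
+ if (cfg.crlfile != NULL) {
+ int i;
+
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
+ X509_CRL *crl = sk_X509_CRL_value(crls, i);
+ if (!CMS_add1_crl(cms, crl))
+ goto end;
+ }
+ }
  if (CMS_verify(cms, other, store, indata, out,
  cfg.flags) > 0) {
  BIO_printf(bio_err, "Verification successful\n");
@@ -1752,6 +1778,7 @@ cms_main(int argc, char **argv)
 
  sk_X509_pop_free(cfg.encerts, X509_free);
  sk_X509_pop_free(other, X509_free);
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
  X509_VERIFY_PARAM_free(cfg.vpm);
  sk_OPENSSL_STRING_free(cfg.sksigners);
  sk_OPENSSL_STRING_free(cfg.skkeys);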
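Review bot: The CRLs attached with CMS_add1_crl in the loop at new lines 1697-1705 only take part in chain verification when CRL checking is enabled in the verify parameters (X509_V_FLAG_CRL_CHECK on cfg.vpm); as I read the library, with default parameters CMS_verify builds the chain without any revocation check, so -CRLfile on its own does not reject a revoked signer, which is easy to misread from the man page wording "specified for verification". I would add a comment above the loop, `/* Only consulted when CRL checking is enabled in the verify params. */`, and extend the -CRLfile description in openssl.1 with a sentence saying that revocation checking still has to be enabled separately. The load_crls call at new lines 1329-1334 is also outside any operation check, so an unreadable CRL file aborts every operation and not just verify; that may be intended but deserves a one-line comment. cms_main begins and ends outside this hunk.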
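--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.157 2024/07/08 06:00:09 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.158 2024/08/12 15:34:58 job Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: July 8 2024 $
+.Dd $Mdocdate: August 12 2024 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -943,6 +943,7 @@ but without cipher suite codes.
 .Oc
 .Op Fl CAfile Ar file
 .Op Fl CApath Ar directory
+.Op Fl CRLfile Ar file
 .Op Fl binary
 .Op Fl certfile Ar file
 .Op Fl certsout Ar file
@@ -1133,6 +1134,9 @@ This directory must be a standard certificate directory: that is a hash
 of each subject name (using
 .Nm x509 Fl hash )
 should be linked to each certificate.
+.It Fl CRLfile Ar file
+Allows additional certificate revocation lists to be specified for verification.
+The CRLs should be in PEM format.
 .It Ar cert.pem ...
 One or more certificates of message recipients: used when encrypting a message.
 .It Fl certfile Ar file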