diff options
| author | tb <> | 2025-07-01 06:46:39 +0000 |
|---|---|---|
| committer | tb <> | 2025-07-01 06:46:39 +0000 |
| commit | 2d7334951f32ea18e3958d784c639e9711a6dacb (patch) | |
| tree | 6feef260a9528776ed1649d160bffbd99a8e3ad0 /src | |
| parent | 7e2f8d41b93e8617fe00e76907f378da71693ea9 (diff) | |
| download | openbsd-2d7334951f32ea18e3958d784c639e9711a6dacb.tar.gz openbsd-2d7334951f32ea18e3958d784c639e9711a6dacb.tar.bz2 openbsd-2d7334951f32ea18e3958d784c639e9711a6dacb.zip | |
X509_print: emit UIDs unless X509_FLAG_NO_IDS is set
issuerUID and subjectUID are a curiosity introduced in X.509v2 before
extensions were a thing. Their purpose is to help distinguishing certs
with identical subject. They are rarely used and are MUST NOT use in
the CA/BF baseline requirements. They do occasionally show up in test
certificates and it is confusing that openssl x509 silently ignores
them. Their encoding also makes them relatively hard to spot in the
output of asn1 parsing tools.
The output is identical to OpenSSL < 3 and BoringSSL, but due to some
weird tweaks added leading up to OpenSSL 3 their output is no longer
compatible with that. It is not entirely correct anyway. Since it is
a (not further specified) bit string, you shouldn't be ignoring its
unused bits...
The X509_FLAG_NO_IDS flag has no effect for CSRs.
discussed with beck
ok job kenjiro (on an earlier version)
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/asn1/t_x509.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c index 89a9085249..71f97a8214 100644 --- a/src/lib/libcrypto/asn1/t_x509.c +++ b/src/lib/libcrypto/asn1/t_x509.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t_x509.c,v 1.53 2025/06/25 18:28:47 tb Exp $ */ | 1 | /* $OpenBSD: t_x509.c,v 1.54 2025/07/01 06:46:39 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -106,6 +106,28 @@ X509_print(BIO *bp, X509 *x) | |||
| 106 | } | 106 | } |
| 107 | LCRYPTO_ALIAS(X509_print); | 107 | LCRYPTO_ALIAS(X509_print); |
| 108 | 108 | ||
| 109 | static int | ||
| 110 | x509_print_uids(BIO *bp, const X509 *x, int indent) | ||
| 111 | { | ||
| 112 | const ASN1_BIT_STRING *issuerUID = NULL, *subjectUID = NULL; | ||
| 113 | |||
| 114 | X509_get0_uids(x, &issuerUID, &subjectUID); | ||
| 115 | if (issuerUID != NULL) { | ||
| 116 | if (BIO_printf(bp, "%*sIssuer Unique ID: ", indent, "") <= 0) | ||
| 117 | return 0; | ||
| 118 | if (!X509_signature_dump(bp, issuerUID, indent + 4)) | ||
| 119 | return 0; | ||
| 120 | } | ||
| 121 | if (subjectUID != NULL) { | ||
| 122 | if (BIO_printf(bp, "%*sSubject Unique ID: ", indent, "") <= 0) | ||
| 123 | return 0; | ||
| 124 | if (!X509_signature_dump(bp, subjectUID, indent + 4)) | ||
| 125 | return 0; | ||
| 126 | } | ||
| 127 | |||
| 128 | return 1; | ||
| 129 | } | ||
| 130 | |||
| 109 | int | 131 | int |
| 110 | X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) | 132 | X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) |
| 111 | { | 133 | { |
| @@ -242,6 +264,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) | |||
| 242 | } | 264 | } |
| 243 | } | 265 | } |
| 244 | 266 | ||
| 267 | if (!(cflag & X509_FLAG_NO_IDS)) { | ||
| 268 | if (!x509_print_uids(bp, x, 8)) | ||
| 269 | goto err; | ||
| 270 | } | ||
| 271 | |||
| 245 | if (!(cflag & X509_FLAG_NO_EXTENSIONS)) | 272 | if (!(cflag & X509_FLAG_NO_EXTENSIONS)) |
| 246 | X509V3_extensions_print(bp, "X509v3 extensions", | 273 | X509V3_extensions_print(bp, "X509v3 extensions", |
| 247 | ci->extensions, cflag, 8); | 274 | ci->extensions, cflag, 8); |