authortb <>2023-07-02 07:08:57 +0000
committertb <>2023-07-02 07:08:57 +0000
commitc6b15736ca3e92b4dda32d69c6f51ee388d687d9 (patch)
tree5fe0b1f580d84b57d56964269d33b393731d9b2b /src
parent1c37b7116876e1b0105564593ee03e36ae0a194e (diff)
Teach openssl ca about Ed25519 certificates
This adds a few logic curlies to end up setting the EVP_MD to EVP_md_null() as required by the API. This way ASN1_item_sign() now knows how to behave. "ok = (rv == 2);" beck
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/ca.c45
1 files changed, 27 insertions, 18 deletions
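--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.55 2023/03/06 14:32:05 tb Exp $ */
+/* $OpenBSD: ca.c,v 1.56 2023/07/02 07:08:57 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -654,7 +654,6 @@ ca_main(int argc, char **argv)
  int free_key = 0;
  int total = 0;
  int total_done = 0;
- int ret = 1;
  long errorline = -1;
  EVP_PKEY *pkey = NULL;
  int output_der = 0;
@@ -684,6 +683,8 @@ ca_main(int argc, char **argv)
  STACK_OF(X509) *cert_sk = NULL;
  char *tofree = NULL;
  DB_ATTR db_attr;
+ int default_nid, rv;
+ int ret = 1;
 
  if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
  perror("pledge");
@@ -1050,26 +1051,34 @@ ca_main(int argc, char **argv)
  BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
  }
  }
- if ((cfg.md == NULL) &&
- ((cfg.md = NCONF_get_string(conf, cfg.section,
- ENV_DEFAULT_MD)) == NULL)) {
- lookup_fail(cfg.section, ENV_DEFAULT_MD);
- goto err;
- }
- if (strcmp(cfg.md, "default") == 0) {
- int def_nid;
- if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
- BIO_puts(bio_err, "no default digest\n");
+
+ rv = EVP_PKEY_get_default_digest_nid(pkey, &default_nid);
+ if (rv == 2 && default_nid == NID_undef) {
+ /* The digest is required to be EVP_md_null() (EdDSA). */
+ dgst = EVP_md_null();
+ } else {
+ /* Ignore rv unless we need a valid default_nid. */
+ if (cfg.md == NULL)
+ cfg.md = NCONF_get_string(conf, cfg.section,
+ ENV_DEFAULT_MD);
+ if (cfg.md == NULL) {
+ lookup_fail(cfg.section, ENV_DEFAULT_MD);
  goto err;
  }
- cfg.md = (char *) OBJ_nid2sn(def_nid);
+ if (strcmp(cfg.md, "default") == 0) {
+ if (rv <= 0) {
+ BIO_puts(bio_err, "no default digest\n");
+ goto err;
+ }
+ cfg.md = (char *)OBJ_nid2sn(default_nid);
+ }
  if (cfg.md == NULL)
  goto err;
- }
- if ((dgst = EVP_get_digestbyname(cfg.md)) == NULL) {
- BIO_printf(bio_err,
- "%s is an unsupported message digest type\n", cfg.md);
- goto err;
- }
+ if ((dgst = EVP_get_digestbyname(cfg.md)) == NULL) {
+ BIO_printf(bio_err, "%s is an unsupported "
+ "message digest type\n", cfg.md);
+ goto err;
+ }
  }
  if (cfg.req) {
  if ((cfg.email_dn == 1) &&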
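Review bot: In the `rv == 2 && default_nid == NID_undef` branch of the last hunk, a digest already held in cfg.md (presumably from the command line) is dropped without any message, and the lookup_fail() check for a missing ENV_DEFAULT_MD entry no longer runs for such keys. That matches what the API requires for EdDSA, but an operator auditing how a certificate was signed would want it stated; I would widen the comment to `/* The digest is required to be EVP_md_null() (EdDSA); cfg.md and the configured default are ignored. */` and consider a one-line notice on bio_err when `cfg.md != NULL`. Separately, the `if (cfg.md == NULL) goto err;` that follows OBJ_nid2sn() still exits without a diagnostic. ca_main starts and continues outside the hunks shown.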