path: root/src/usr.bin/openssl/ca.c (follow)
Commit message | Author | Age | Files | Lines
* Remove openssl ca -msie_hack | tb | 12 days | 1 | -31/+2
  The nineties called and wanted their garbage back. ok jsing
* openssl ca: use BN_bn2hex() rather than reimplementing it | tb | 2025-02-25 | 1 | -28/+18
  ok jsing
* Remove spkac handling from openssl(1) ca | tb | 2024-07-08 | 1 | -187/+3
  This is very poorly written code and now the only consumer of some public API that should not have survived the turn of the millennium. ok jsing
* openssl ca: avoid double free for spkac files without default section | tb | 2024-06-23 | 1 | -2/+1
  ok jsing
* Zap a useless comment followed by a stray semicolon | tb | 2024-02-04 | 1 | -2/+1
  Noticed by Christian Andersen
* Kill last user of ASN1_time_parse() in the tree | tb | 2023-11-13 | 1 | -23/+3
  ASN1_time_parse() was useful while OpenSSL didn't have something sort of equivalent, but now they do. Let's retire ASN1_time_parse() to internal. This will require some patching in ports, but shrug. ok beck
* Teach openssl ca about Ed25519 certificates | tb | 2023-07-02 | 1 | -18/+27
  This adds a few logic curlies to end up setting the EVP_MD to EVP_md_null() as required by the API. This way ASN1_item_sign() now knows how to behave. "ok = (rv == 2);" beck
* Rename struct ${app}_config to plain cfg | tb | 2023-03-06 | 1 | -259/+259
  All the structs are static and we need to reach into them many times. Having a shorter name is more concise and results in less visual clutter. It also avoids many overlong lines and we will be able to get rid of some unfortunate line wrapping down the road. Discussed with jsing
* Remove the legacy interactive mode from openssl(1). | joshua | 2022-11-11 | 1 | -6/+4
  This removes the legacy interactive mode from openssl(1) since it is rarely used, complicates the code, and has also been removed from OpenSSL in version 3.x.x. ok tb@ jsing@
* Use X509_*get0_pubkey() wherever possible to simplify and clean up the code. | tb | 2022-02-03 | 1 | -14/+6
  Also add error checking where possible. ok jsing
* Tweak for opaque EVP_MD: use EVP_MD_type(dgst) instead of dgst->type. | tb | 2021-11-21 | 1 | -2/+2
* Stop reaching into structs that will become opaque in ca.c | tb | 2021-10-23 | 1 | -5/+3
  "just commit it" beck
* Stop setting enc.modified manually. It's no longer needed. | tb | 2021-10-22 | 1 | -2/+1
* Remove unused variable tmptm in do_body of openssl(1) ca | inoguchi | 2021-09-05 | 1 | -8/+2
* Using serial number instead as subject if it is empty in openssl(1) ca | inoguchi | 2021-09-05 | 1 | -1/+30
  This allows multiple entries without a subject even if unique_subject == yes. Referred to OpenSSL commit 5af88441 and arranged for our codebase. ok tb@
* Check extensions before setting version to v3 | inoguchi | 2021-09-05 | 1 | -5/+10
  Referred to OpenSSL commit 4881d849 and arranged for our codebase. comment and ok from tb@
* Use accessor method rather than direct X509 structure access | inoguchi | 2021-09-05 | 1 | -20/+10
  Referred to OpenSSL commit a8d8e06b and arranged for our codebase. comment and ok from tb@
* Use defined constants | inoguchi | 2021-09-02 | 1 | -16/+16
* Move subject check process after the subject edit process | inoguchi | 2021-09-02 | 1 | -105/+106
  Referred to OpenSSL commit 2cedf794 and arranged for our codebase. ok tb@
* Clean up end of do_body in openssl(1) ca | inoguchi | 2021-08-30 | 1 | -6/+8
  suggested from tb@
* Remove NULL check before free in openssl(1) ca | inoguchi | 2021-08-30 | 1 | -41/+25
  ok tb@
* Check X509_get_notAfter return value in openssl(1) ca.c | inoguchi | 2021-08-28 | 1 | -3/+5
* Use strndup instead of malloc, memcpy and NULL termination in openssl(1) ca.c | inoguchi | 2021-08-28 | 1 | -11/+4
  suggested from tb@ for do_updatedb(), and applied the same for do_body() and do_revoke().
* Remove ASN1_TIME_new and use NULL for X509_gmtime_adj, free tmptm in err path | inoguchi | 2021-08-28 | 1 | -15/+7
  comments from tb@
* Unwrap lines in openssl(1) ca.c | inoguchi | 2021-08-28 | 1 | -5/+3
  suggested from tb@
* Avoid leak with X509_REVOKED variable in openssl(1) ca.c | inoguchi | 2021-08-28 | 1 | -1/+3
  pointed out by tb@
* Checking the return value in openssl(1) ca.c | inoguchi | 2021-08-28 | 1 | -41/+127
  Some functions are used without verifying the return value in openssl(1) ca. This diff adds checking for the function return value. With this diff, I changed the return value of write_new_certificate from void to int to return the condition to the caller. ok and comments from tb@
* Compare strcmp and strcasecmp return value with zero | inoguchi | 2021-07-24 | 1 | -6/+6
* Check pointer variable if it is NULL in ca.c | inoguchi | 2021-07-20 | 1 | -2/+2
  missed with r1.32
* Wrap over 80 long lines in ca.c | inoguchi | 2021-07-15 | 1 | -83/+154
* Explicitly check pointer variable if it is NULL or not in ca.c | inoguchi | 2021-07-15 | 1 | -58/+58
* Remove space between '*' and pointer variable in ca.c | inoguchi | 2021-07-15 | 1 | -56/+56
* Use 'serial' rather than 'ser' in ca.c | inoguchi | 2021-07-15 | 1 | -19/+19
  input from jsing@
* Convert openssl(1) ca option handling | inoguchi | 2021-07-15 | 1 | -456/+643
  New option handling for openssl(1) ca. This diff is just replacing with new option handling, no functional change. I'm using the word DN or RDN in description as manual uses them, rather than replacing with "Distinguished Name" or "Relative Distinguished Name". I would like to add the other fixes below by follow-up diffs.
    - remove space between '*' and pointer variable
    - wrap 80+ long lines
    - explicitly check pointer variable if it is NULL or not
  comments and ok from jsing@
* Remove a redundant memset call. | tb | 2020-12-16 | 1 | -2/+2
* snprintf/vsnprintf return < 0 on error, rather than -1. | deraadt | 2019-07-03 | 1 | -2/+2
* Indent labels with a single space so that diff prototypes are more useful. | jsing | 2018-02-07 | 1 | -12/+12
* simplify startdate/enddate validation | beck | 2017-05-08 | 1 | -27/+5
  ok jsing@
* Fix the ca command so that certs it generates have RFC5280 conformant time. | beck | 2017-05-04 | 1 | -16/+56
  Problem noticed by Harald Dunkel <harald.dunkel@aixigo.de>
* rearrange pledge promises into the canonical order; easier to eyeball | deraadt | 2017-01-20 | 1 | -2/+2
* We don't need any VMS access tricks. | deraadt | 2016-08-31 | 1 | -27/+4
  ok beck tedu
* buf[][] with strange use all over the place is ridiculous, especially if buf[1] is never used. | deraadt | 2016-08-30 | 1 | -15/+14
  ok guenther beck
* more e-mail -> email | mmcc | 2015-12-24 | 1 | -2/+2
* Exit if a pledge call fails in non-interactive mode. | doug | 2015-10-17 | 1 | -2/+4
  ok semarie@
* add "tty" for several subcommands of openssl | semarie | 2015-10-17 | 1 | -2/+2
  it is needed in order to let libssl UI_* functions play with echo on/off when asking for password on terminal. passwd subcommand needs additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC). problem reported by several with and ok doug@
* Initial support for pledges in openssl(1) commands. | doug | 2015-10-10 | 1 | -1/+6
  openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session that may execute any number of commands. We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command. This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options. deraadt@ and beck@ are roughly fine with this approach.
* add a couple of missing NULL checks | bcook | 2015-09-21 | 1 | -3/+3
  noted by Bill Parker (dogbert2) on github
* remove vestigial bits of sha-0 and md2 from openssl(1) | bcook | 2015-09-21 | 1 | -2/+2
  Noted by kinichiro on github. We probably need a better way to indicate the list of message digests that are allowed, as the current ones are nowhere near exhaustive (sigh - guenther@) OK guenther@ jmc@
* Nuke SSLEAY_CONF -- a backwards compatibility environment variable that has been superseded by OPENSSL_CONF and discouraged from use for almost 16 years. | lteo | 2015-09-12 | 1 | -3/+1
  "Definately ok" jsing@ "burn it" deraadt@ "Kill it with fire" miod@ "KILL IT WITH FIRE!!! BURN!!!!" beck@
* fix unchecked mallocs - coverity 130454 and 130455 | beck | 2015-09-11 | 1 | -6/+15
  ok jsing@