summaryrefslogtreecommitdiff
path: root/src/usr.bin/openssl/x509.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* openssl x509: zap extra whitespace in usagetb2025-01-191-2/+2
|
* Remove -C option from "apps"tb2025-01-191-90/+2
| | | | | | | | As far as I can tell, this way of generating "C code" was only used to add stuff to pretty regress and even prettier speed "app" and otherwise it just served to make the library maintainer's lives even more miserable. ok jsing
* Fix up authority and subject key identifiers in force pubkey modetb2024-12-041-8/+133
| | | | | | | | | | | | Upstream decided that this nonsense was worth an ABI break and added stuff to the X509_CTX so they could hang the issuer's public key off it so that they could adjust the key identifiers as needed. Let's avoid that and do it the slightly less nasty way by updating the AKI and SKI as needed. We only do this when force pubkey is in place so we don't change the semantics of the batshit crazy config language that nobody understands. ok job
* openssl x509: rename pub_key to dsa_pub_keytb2024-05-271-4/+4
| | | | suggested by jsing
* openssl: avoid shadowed pkeys in x509.ctb2024-05-271-12/+10
| | | | ok job jsing
* Add 'openssl x509 -new' functionality to the libcrypto CLI utilityjob2024-01-261-12/+50
| | | | | | | | | The ability to generate a new certificate is useful for testing and experimentation with rechaining PKIs. While there, alias '-key' to '-signkey' for compatibility. with and OK tb@
* Add -force_pubkey -multivalue-rdn -set_issuer -set_subject -utf8 to x509 appjob2024-01-121-23/+108
| | | | | | | | The -set_issuer, -set_subject, and -force_pubkey features can be used to 'rechain' PKIs, for more information see https://labs.apnic.net/nro-ta/ and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/ OK tb@
* Make a few purpose things consttb2023-11-211-5/+5
| | | | | This should allow us to constify a sizable table in libcrypto in an upcoming bump.
* Check notBefore/notAfter validity with ASN1_TIME_to_tm(3)tb2023-11-131-5/+3
| | | | ok beck
* Fix double free in error path in openssl(1) x509tb2023-04-141-4/+2
| | | | | | | | A conversion from X509_REQ_get_pubkey() to X509_REQ_get0_pubkey() missed one free of pkey in an unlikely error path. After the conversion pkey is no longer owned by us, so we mustn't free it. ok jsing
* Minor code cleanuptb2023-04-091-42/+31
| | | | | | Unwrap a few awkwardly wrapped lines, drop redundant parentheses and add empty lines after some variable declarations. No change in the generated assembly.
* Rename struct ${app}_config to plain cfgtb2023-03-061-224/+224
| | | | | | | | | All the structs are static and we need to reach into them many times. Having a shorter name is more concise and results in less visual clutter. It also avoids many overlong lines and we will be able to get rid of some unfortunate line wrapping down the road. Discussed with jsing
* Remove the legacy interactive mode from openssl(1).joshua2022-11-111-6/+4
| | | | | | | | This removes the legacy interactive mode from openssl(1) since it is rarely used, complicates the code, and has also been removed from OpenSSL in version 3.x.x. ok tb@ jsing@
* A few more simplifications using get0_pubkey instead of get_pubkey + free.tb2021-12-121-9/+5
|
* Simplify x509.c slightly by using X509_get0_pubkey() instead oftb2021-12-121-5/+3
| | | | | | X509_get_pubkey() ok inoguchi
* Make x509.c compile with opaque EVP_PKEY.tb2021-12-121-7/+15
| | | | ok inoguchi
* openssl(1): drop support for netscape certificates and server gated keys.tb2021-11-261-11/+1
| | | | ok inoguchi jsing
* Preapre x509.c for upcoming libcrypto bumptb2021-10-231-19/+11
| | | | ok beck jsing
* Do not call X509_alias_get0(3) with NULL as the second argument.schwarze2021-08-291-5/+7
| | | | | | | | | | | | | | | | | | | Even if the buffer is guaranteed to be NUL-terminated in a particular case, it is still setting a bad example. Besides, it is unclear to me whether there is any such guarantee in the case at hand. Checking that would require auditing all of d2i_X509_bio(3), ASN1_item_d2i_bio(&NETSCAPE_X509_it, ...), PEM_read_bio_X509_AUX(3), and PKCS12_parse(3), since no such guarantee is documented for any of these functions, and even then it would remain fragile with respect to later changes of implementation details. In the worst case, this could potentially result in a read buffer overrun. OK tb@ on an earlier version of this patch. While we are here, deraadt@ requested to not use the word "string" in the name of a variable that is not a string in the sense of the C language.
* Check function return value in openssl(1) x509.cinoguchi2021-04-071-24/+71
| | | | input from bcook@, ok and comments from tb@
* Avoid leak in error pathinoguchi2021-04-071-3/+7
| | | | ok and input from tb@
* Compare the pointer variable explicitly with NULL in if conditioninoguchi2021-04-011-18/+17
|
* Sort header files and wrap long lines in x509.cinoguchi2021-03-261-67/+110
|
* Convert openssl(1) x509 option handlinginoguchi2021-03-241-414/+747
| | | | | | | | | | | | | Apply new option handling to openssl(1) x509. To handle incremental order value, using newly added OPTION_ORDER. I left the descriptions for -CAform, -inform, and -outform as it was, for now. These description would be fixed. And digest option handler could be consolidated to one between some subcommands in the future. ok and comments from tb@, and "I'd move forward with your current plan." from jsing@
* Make openssl X509 handle the failure case return code from X509_time_cmp.beck2020-05-101-5/+16
| | | | | | While we are in here also make it notice if time values in a certificate are bogus, and say so in the output. ok bcook@ jsing@
* change the default digest used byjsg2019-01-191-2/+2
| | | | | | | | openssl x509 -fingerprint openssl crl -fingerprint from sha1 to sha256 ok jsing@
* Indent labels with a single space so that diff prototypes are more useful.jsing2018-02-071-6/+6
|
* Remove guards around *_free() calls since these functions handle NULL.jsing2018-02-071-3/+2
|
* rearrange pledge promises into the canonical order; easier to eyeballderaadt2017-01-201-2/+2
|
* Expand ASN1_ITEM_rptr macros here as well... used with NETSCAPE_X509 of alljsing2016-12-301-2/+2
| | | | things...
* Exit if a pledge call fails in non-interactive mode.doug2015-10-171-2/+4
| | | | ok semarie@
* add "tty" for several subcommands of opensslsemarie2015-10-171-2/+2
| | | | | | | | | | | it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal. passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC). problem reported by several with and ok doug@
* Initial support for pledges in openssl(1) commands.doug2015-10-101-1/+6
| | | | | | | | | | | | | | | | openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands. We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command. This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options. deraadt@ and beck@ are roughly fine with this approach.
* Another s/M_ASN1_INTEGER_free/ASN1_INTEGER_free/.jsing2015-10-011-2/+2
| | | | Found the hard way by Mark Patruck.
* add a missing NULL checkbcook2015-09-211-1/+5
| | | | noted by Bill Parker (dogbert2) on github
* remove vestigial bits of sha-0 and md2 from openssl(1)bcook2015-09-211-2/+2
| | | | | | | | Noted by kinichiro on github. We probably need a better way to indicate the list of message digests that are allowed, as the current ones are nowhere near exhaustive (sigh - guenther@) OK guenther@ jmc@
* Remove engine command and parameters from openssl(1).bcook2015-09-111-24/+6
| | | | | | | We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all. ok jsing@
* Remove all duplicate prototypes for *_main functions (these are alreadyjsing2015-08-221-3/+1
| | | | | | | | | provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere). ok deraadt@ doug@
* Free variable before potentially reusing.doug2015-07-191-1/+2
| | | | | | Fixes coverity 78824. ok bcook@ miod@
* Remove obsolete MDC-2DES from libcrypto.doug2015-06-201-2/+2
| | | | ok deraadt@ jsing@ miod@
* openssl_setup() calls SSL_load_error_strings(), which happens to calljsing2014-08-281-3/+1
| | | | | ERR_load_crypto_strings() - as such, we do not need to call the same function from most of the applications.
* Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is notjsing2014-08-261-0/+1160
a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl. ok deraadt@ miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 00:20:11 +0000