Mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2026-01-18 17:11:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
38,783 Commits 37 Branches 420 Tags
master
Commit Graph

296 Commits

Author SHA1 Message Date
Bob Beck
4036f4b0e3 Add new public API for checking certificate times. 
Fixes: #1631

This changes the previously internal ossl_x509_check_certificate_times()
to be the public X509_check_certificate_times(). It adds documentation
for the new function and marks X509_cmp_time, X509_cmp_timeframe,
and X509_cmp_current_time as deprecated in 4.0, as discussed in #1631.

Since the function is now public, we can replace the remaining
uses of deprecated stuff with this function.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29152)
 2025-12-18 13:34:58 -05:00
Dr. David von Oheimb
c8073cac15 apps/x509.c: factor out add_object() for handling -addtrust and -addreject options 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/28371)
 2025-12-18 17:28:53 +01:00
Bob Beck
2fab90bb5e 4.0-POST-CLANG-FORMAT-WEBKIT 
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29242)
 2025-12-09 00:28:19 -07:00
Norbert Pocs
9425238145 apps/: Remove "-keyform engine" 
Resolves: https://github.com/openssl/project/issues/1354

Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
 2025-12-04 07:31:06 -05:00
Norbert Pocs
26b1723ed4 apps/: Remove engines 
Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
 2025-12-04 07:31:05 -05:00
snowdroppe
679a10110e fix(x509.c): Fixed regression of openssl x509 -checkend return values 
Fixes #28928

Also adds functionality to -checkend to account for -multi behaviour.
Man page and unit tests updated accordingly.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29155)
 2025-12-01 11:46:49 +01:00
Eugene Syromiatnikov
f3a4d05c58 apps, fuzz, providers: use array memory (re)allocation routines 
Co-Authored-by: Alexandr Nedvedicky <sashan@openssl.org>
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28059)
 2025-08-08 12:22:10 -04:00
Tomas Mraz
c62cd07d14 apps: Silence warnings on Win64 builds 
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27806)
 2025-07-02 17:26:26 +02:00
Dr. David von Oheimb
ac85974bc3 apps/x509.c: re-add ERR queue printing on errors 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27739)
 2025-06-04 17:37:33 +02:00
Tomas Mraz
0eb9acc24f apps/x509.c: Fix the -addreject option adding trust instead of rejection 
Fixes CVE-2025-4575

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27672)
 2025-05-22 09:49:18 +02:00
Jeremy Doupe
dca67c0aa1 APPS/x509: add -multi option for outputting all certs found in input 
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27340)
 2025-05-14 12:51:42 +02:00
openssl-machine
0c679f5566 Copyright year updates 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
 2025-03-12 13:35:59 +00:00
Frederik Wedel-Heinen
c626fda8a6 Check returns of various sk_*_push functions 
Check returns of sk_POLICY_MAPPING_push, sk_GENERAL_NAME_push,
sk_ACCESS_DESCRIPTION_push, sk_X509_push, sk_X509_NAME_push,
sk_OPENSSL_CSTRING_push, sk_SCT_push, sk_DIST_POINT_push,
sk_OSSL_CMP_CRLSTATUS_push, sk_ASN1_UTF8STRING_push and
sk_ASN1_OBJECT_push and handle appropriately.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26240)
 2025-01-08 11:11:00 +01:00
Stephan Wurm
8120223773 apps: ca,req,x509: Add explicit start and end dates options 
- Added options `-not_before` (start date) and `-not-after` (end date)
  for explicit setting of the validity period of a certificate in the
  apps `ca`, `req` and `x509`
- The new options accept time strings or "today"
- In app `ca`, use the new options as aliases of the already existing
  options `-startdate` and `-enddate`
- When used in apps `req` and `x509`, the end date must be >= the start
  date, in app `ca` end date < start date is also accepted
- In any case, `-not-after` overrides the `-days` option
- Added helper function `check_cert_time_string` to validate given
  certificate time strings
- Use the new helper function in apps `ca`, `req` and `x509`
- Moved redundant code for time string checking into `set_cert_times`
  helper function.
- Added tests for explicit start and end dates in apps `req` and `x509`
- test: Added auxiliary functions for parsing fields from `-text`
  formatted output to `tconversion.pl`
- CHANGES: Added to new section 3.4

Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21716)
 2024-04-09 20:13:31 +02:00
Richard Levitte
b646179229 Copyright year updates 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)
 2024-04-09 13:43:26 +02:00
Tomas Mraz
5c846d32d4 apps/x509.c: No warning reading from stdin if redirected 
Fixes #22893

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23526)
 2024-03-15 09:07:51 +01:00
Job Snijders
4e5bf93313 Add apps/x509 -set_issuer & -set_subject option to override issuer & subject 
This changeset adds the counterpart to the '-subj' option to allow overriding
the Issuer. For consistency, the `-subj` option is aliased to `-set_subject`.

The issuer can be specified as following apps/openssl x509 -new -set_issuer
'/CN=example-nro-ta' -subj '/CN=2a7dd1d787d793e4c8af56e197d4eed92af6ba13' ...

This is useful in constructing specific test-cases or rechaining PKI trees

Joint work with George Michaelson (@geeohgeegeeoh)

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23257)
 2024-01-15 10:40:01 +01:00
Matt Caswell
da1c088f59 Copyright year updates 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
 2023-09-07 09:59:15 +01:00
Yannik Sembritzki
7f4cc3bc34 Remove restriction to only cross-sign self-signed certificates 
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21137)
 2023-06-20 16:38:33 +10:00
Dr. David von Oheimb
da7f81d393 APPS: replace awkward and error-prone pattern by calls to new app_conf_try_string() 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
 2023-05-25 09:04:35 +02:00
Tianjia Zhang
a75f707fca apps: silent warning when loading CSR files with vfyopt option 
When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:

  Warning: CSR self-signature does not match the contents

This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)
 2023-05-03 09:48:17 +02:00
Dr. David von Oheimb
0e89b39619 apps/x509 etc.: allow private key input when public key is expected 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
 2023-03-14 17:26:49 +01:00
Dr. David von Oheimb
342e3652c7 APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
 2023-01-24 15:16:47 +01:00
Dr. David von Oheimb
200d844782 APPS: Move load_csr_autofmt() from apps/cmp.c to apps.c and use it also for apps, too 
Also add related references to FR #15725.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18900)
 2022-09-20 20:59:50 +02:00
Dr. David von Oheimb
51024f7559 apps/x509.c: Remove legacy call to OBJ_create() 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18900)
 2022-09-20 20:59:33 +02:00
Dr. David von Oheimb
c54a6a4b0e apps/x509: add warnings for options ignored when -CA is not specified 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
 2022-07-14 07:24:27 +01:00
Dr. David von Oheimb
ec8a340948 APPS/x509: With -CA but both -CAserial and -CAcreateserial not given, use random serial. 
Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
 2022-07-14 07:23:58 +01:00
Dr. David von Oheimb
10c7887330 apps/x509: Fix -CAfile option being neglected with -new or -in 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
 2022-07-14 07:23:58 +01:00
Matt Caswell
fecb3aae22 Update copyright year 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
 2022-05-03 13:34:51 +01:00
Tomas Mraz
e4cdcb8bc4 req, x509: Allow printing modulus of RSA-PSS keys 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17990)
 2022-04-01 09:37:05 +02:00
Daniel
2a6994cfa0 Send auxiliary messages to bio_err. 
Fixes openssl#17613.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17650)
 2022-02-09 10:37:19 +11:00
Dr. David von Oheimb
2c2724476e APPS: Add check for multiple 'unknown' options 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16416)
 2022-01-11 12:45:33 +01:00
Dr. David von Oheimb
d9f073575f APPS: Improve diagnostics on missing/extra args and unknown cipher/digest 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16450)
 2021-12-07 15:26:40 +01:00
Rami Khaldi
9567fd3819 x509: Return a nonzero exit code on error when checking ip/email/host 
In the x509 app when doing the ip/email/host validation of a
certificate we return nonzero exit code if the validation fails.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17022)
 2021-11-24 11:37:49 +01:00
Dr. David von Oheimb
adbd77f6d7 X509: Fix handling of AKID and SKID extensions according to configuration 
Fixes #16300

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
 2021-11-11 20:18:55 +01:00
Dr. David von Oheimb
9bf1061c44 APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID() 
Fixes #16300

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16442)
 2021-11-08 09:15:13 +01:00
Dr. David von Oheimb
18e0c544b0 apps/x509: Fix self-signed check to happen before setting issuer name 
Fixes #16720

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16747)
 2021-10-07 15:38:01 +02:00
Dr. David von Oheimb
611ef4f373 APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
 2021-09-11 22:59:56 +02:00
Dr. David von Oheimb
b4fec69b2a APPS/x509: fix -extfile option, which was ignored with -x509toreq 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16417)
 2021-08-26 17:43:48 +02:00
Christian Heimes
89fe295257 Fix segfault in openssl x509 -modulus 
The command ``openssl x509 -noout -modulus -in cert.pem`` used to segfaults
sometimes because an uninitialized variable was passed to
``BN_lebin2bn``. The bug triggered an assertion in bn_expand_internal().

Fixes: https://github.com/openssl/openssl/issues/15899
Signed-off-by: Christian Heimes <christian@python.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15900)
 2021-06-26 11:40:34 +10:00
Pauli
d4af922c58 apps: properly initialise arguments to EVP_PKEY_get_bn_param() 
This avoids use of uninitialised memory.

Follow on to #15900

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15908)
 2021-06-26 11:32:38 +10:00
Richard Levitte
e493d6e0ca APPS & TEST: Use ossl_[u]intmax_t rather than [u]intmax_t 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15825)
 2021-06-22 19:50:11 +10:00
William Edmisten
8c5bff2220 Add support for ISO 8601 datetime format 
Fixes #5430

Added the configuration file option "date_opt" to the openssl applications ca,
crl and x509.
Added ASN1_TIME_print_ex which supports the new datetime format using the
flag ASN1_DTFLGS_ISO8601

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14384)
 2021-06-11 12:39:46 +02:00
Pauli
db70dc2cda apps: remove TODOs 
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15539)
 2021-06-02 16:30:15 +10:00
Tomas Mraz
d382e79632 Make the -inform option to be respected if possible 
Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be
set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.

The input type format is enforced only in case the file
type file store is used.

By default we use FORMAT_UNDEF meaning the input type
is not enforced.

Fixes #14569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
 2021-05-06 11:43:32 +01:00
Dr. David von Oheimb
b0f960189b APPS: Replace 'OPT_ERR = -1, OPT_EOF = 0, OPT_HELP' by OPT_COMMON macro 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)
 2021-05-05 20:48:20 +02:00
Dr. David von Oheimb
284076982d APPS: Slightly extend and improve documentation of the opt_ API 
Also remove redundant opt_name() and make names of opt_{i,u}ntmax() consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)
 2021-05-05 20:48:20 +02:00
Petr Gotthard
91034b68b3 apps/ca,req,x509: Switch to EVP_DigestSignInit_ex 
Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it
works with external providers.
Since EVP_DigestSignInit_ex requires a digest name instead of
an EVP_MD pointer, the apps using do_sign_init() had to be modified
to pass char* instead of EVP_MD*.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15014)
 2021-04-30 21:02:59 +02:00
Rich Salz
606a417fb2 Fetch and free cipher and md's 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)
 2021-04-20 10:12:29 +02:00
Dr. David von Oheimb
3ad6030948 APPS: make apps strict on app_RAND_load() and app_RAND_write() failure 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14840)
 2021-04-14 16:48:27 +02:00