int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign);
static int certify_cert(X509 **xret, const char *infile, int informat,
- EVP_PKEY *pkey, X509 *x509,
+ const char *passin, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
{"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
{"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
- {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
+ {"passin", OPT_PASSIN, 's', "Key and cert input file pass phrase source"},
+ {"key", OPT_KEY, 's', "Key to decrypt key or cert files. Better use -passin"},
{"cert", OPT_CERT, '<', "The CA cert"},
{"certform", OPT_CERTFORM, 'F',
- "certificate input format (DER/PEM/P12); has no effect"},
+ "Certificate input format (DER/PEM/P12); has no effect"},
{"selfsign", OPT_SELFSIGN, '-',
"Sign a cert with the key associated with it"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
- {"vfyopt", OPT_SIGOPT, 's', "Verification parameter in n:v form"},
+ {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
OPT_SECTION("Revocation"),
{"gencrl", OPT_GENCRL, '-', "Generate a new CRL"},
const EVP_MD *dgst = NULL;
char *configfile = default_config_file, *section = NULL;
char *md = NULL, *policy = NULL, *keyfile = NULL;
- char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL;
+ char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
int certformat = FORMAT_PEM, informat = FORMAT_PEM;
const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
+ char *passin = NULL;
char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL;
const char *serialfile = NULL, *subj = NULL;
char *prog, *startdate = NULL, *enddate = NULL;
char *const *pp;
const char *p;
size_t outdirlen = 0;
- int create_ser = 0, free_key = 0, total = 0, total_done = 0;
+ int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
goto end;
break;
case OPT_KEY:
- key = opt_arg();
+ passin = opt_arg();
break;
case OPT_CERT:
certfile = opt_arg();
&& (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY)) == NULL)
goto end;
- if (key == NULL) {
- free_key = 1;
- if (!app_passwd(passinarg, NULL, &key, NULL)) {
+ if (passin == NULL) {
+ free_passin = 1;
+ if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
}
- pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key");
- cleanse(key);
+ pkey = load_key(keyfile, keyformat, 0, passin, e, "CA private key");
if (pkey == NULL)
/* load_key() has already printed an appropriate message */
goto end;
&& (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
goto end;
- x509 = load_cert(certfile, certformat, "CA certificate");
+ x509 = load_cert_pass(certfile, certformat, passin, "CA certificate");
if (x509 == NULL)
goto end;
}
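Review bot: `load_cert_pass()` declares its second parameter as `int maybe_stdin` (see the apps.h hunk in this diff), but the new call passes `certformat`, which is a FORMAT_* value (`int certformat = FORMAT_PEM` in the declarations hunk), so a format code is being used where a boolean flag is expected. The same format-for-flag substitution appears at the `revcert` load, in `certify_cert()`, in s_client's client-certificate load, in all three s_server certificate loads, and in both x509.c loads (`FORMAT_UNDEF` and `CAformat`). If `maybe_stdin` is what enables the stdin fallback for a NULL uri, the behaviour now depends on the numeric value of the format constant rather than on intent: x509's default of reading the input certificate from stdin would pass a zero via `FORMAT_UNDEF`, while PEM callers pass a nonzero value. Either pass the flag explicitly, e.g. `x509 = load_cert_pass(certfile, 1, passin, "CA certificate");` (1 is what the removed `load_cert()` body passed), or give `load_cert_pass()` a `format` parameter alongside `maybe_stdin`, as `load_crl()` still has, so each call site stays self-describing. The enclosing `if` starts before this hunk.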
if (ss_cert_file != NULL) {
total++;
- j = certify_cert(&x, ss_cert_file, certformat, pkey, x509, dgst,
- sigopts, vfyopts, attribs,
+ j = certify_cert(&x, ss_cert_file, certformat, passin, pkey,
+ x509, dgst, sigopts, vfyopts, attribs,
db, serial, subj, chtype, multirdn, email_dn,
startdate, enddate, days, batch, extensions,
conf, verbose, certopt, get_nameopt(), default_op,
goto end;
} else {
X509 *revcert;
- revcert = load_cert(infile, certformat, infile);
+
+ revcert = load_cert_pass(infile, certformat, passin, infile);
if (revcert == NULL)
goto end;
if (dorevoke == 2)
BIO_free_all(in);
sk_X509_pop_free(cert_sk, X509_free);
- if (free_key)
- OPENSSL_free(key);
+ cleanse(passin);
+ if (free_passin)
+ OPENSSL_free(passin);
BN_free(serial);
BN_free(crlnumber);
free_index(db);
}
static int certify_cert(X509 **xret, const char *infile, int certformat,
- EVP_PKEY *pkey, X509 *x509,
+ const char *passin, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
EVP_PKEY *pktmp = NULL;
int ok = -1, i;
- if ((req = load_cert(infile, certformat, infile)) == NULL)
+ if ((req = load_cert_pass(infile, certformat, passin, infile)) == NULL)
goto end;
if (verbose)
X509_print(bio_err, req);
X509 *load_cert_pass(const char *uri, int maybe_stdin,
const char *pass, const char *desc);
/* the format parameter is meanwhile not needed anymore and thus ignored */
-X509 *load_cert(const char *uri, int format, const char *desc);
+#define load_cert(uri, format, desc) load_cert_pass(uri, 0, NULL, desc)
X509_CRL *load_crl(const char *uri, int format, const char *desc);
void cleanse(char *str);
void clear_free(char *str);
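Review bot: The replacement macro hard-codes `0` for `maybe_stdin`, whereas the deleted `load_cert()` body in apps.c passed `1`, so every caller still using `load_cert()` changes behaviour under a change presented as a drop-in; if that flag is what lets a NULL uri fall back to stdin, those callers lose it silently. If the old default is intended, write `#define load_cert(uri, format, desc) load_cert_pass(uri, 1, NULL, desc)`; if the change is deliberate, the commit message should say so. A `static inline` wrapper would additionally keep the argument type checking that a macro drops, and a comment such as `/* drop-in for the former load_cert(): format ignored, no pass phrase */` would make the contract explicit to the next reader.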
return cert;
}
-/* the format parameter is meanwhile not needed anymore and thus ignored */
-X509 *load_cert(const char *uri, int format, const char *desc)
-{
- return load_cert_pass(uri, 1, NULL, desc);
-}
-
/* the format parameter is meanwhile not needed anymore and thus ignored */
X509_CRL *load_crl(const char *uri, int format, const char *desc)
{
{"host", OPT_HOST, 's', "Use -connect instead"},
{"port", OPT_PORT, 'p', "Use -connect instead"},
{"connect", OPT_CONNECT, 's',
- "TCP/IP where to connect (default is :" PORT ")"},
+ "TCP/IP where to connect; default: " PORT ")"},
{"bind", OPT_BIND, 's', "bind local address for connection"},
{"proxy", OPT_PROXY, 's',
"Connect to via specified proxy to the real server"},
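Review bot: The rewritten `-connect` help string keeps the closing `)` from the old `(default is ...)` phrasing but no longer has an opening parenthesis, so `-help` prints `... default: <port>)`. Drop the trailing literal: `"TCP/IP where to connect; default: " PORT},`.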
{"cert_chain", OPT_CERT_CHAIN, '<',
"Client certificate chain file (in PEM format)"},
{"build_chain", OPT_BUILD_CHAIN, '-', "Build client certificate chain"},
- {"key", OPT_KEY, 's', "Private key file to use; default is: -cert file"},
+ {"key", OPT_KEY, 's', "Private key file to use; default: -cert file"},
{"keyform", OPT_KEYFORM, 'E', "Key format (ENGINE, other values ignored)"},
- {"pass", OPT_PASS, 's', "Private key file pass phrase source"},
+ {"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
{"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"keymatexport", OPT_KEYMATEXPORT, 's',
"Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
- "Export len bytes of keying material (default 20)"},
+ "Export len bytes of keying material; default 20"},
{"security_debug", OPT_SECURITY_DEBUG, '-',
"Enable security debug messages"},
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
OPT_V_OPTIONS,
{"CRL", OPT_CRL, '<', "CRL file to use"},
{"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
- {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
+ {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER); default PEM"},
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
"Close connection on verification error"},
{"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
}
if (cert_file != NULL) {
- cert = load_cert(cert_file, cert_format, "client certificate file");
+ cert = load_cert_pass(cert_file, cert_format, pass, "client certificate file");
if (cert == NULL)
goto end;
}
{"Verify", OPT_UPPER_V_VERIFY, 'n',
"Turn on peer certificate verification, must have a cert"},
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
- {"cert", OPT_CERT, '<', "Server certificate file to use; default is " TEST_CERT},
+ {"cert", OPT_CERT, '<', "Server certificate file to use; default " TEST_CERT},
{"cert2", OPT_CERT2, '<',
- "Certificate file to use for servername; default is" TEST_CERT2},
+ "Certificate file to use for servername; default " TEST_CERT2},
{"certform", OPT_CERTFORM, 'F',
"Server certificate file format (PEM/DER/P12); has no effect"},
{"cert_chain", OPT_CERT_CHAIN, '<',
{"key2", OPT_KEY2, '<',
"-Private Key file to use for servername if not in -cert2"},
{"keyform", OPT_KEYFORM, 'f', "Key format (ENGINE, other values ignored)"},
- {"pass", OPT_PASS, 's', "Private key file pass phrase source"},
+ {"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
{"dcert", OPT_DCERT, '<',
"Second server certificate file to use (usually for DSA)"},
{"dcertform", OPT_DCERTFORM, 'F',
"Second private key file to use (usually for DSA)"},
{"dkeyform", OPT_DKEYFORM, 'F',
"Second key file format (ENGINE, other values ignored)"},
- {"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
+ {"dpass", OPT_DPASS, 's', "Second private key and cert file pass phrase source"},
{"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
{"servername", OPT_SERVERNAME, 's',
"Servername for HostName TLS extension"},
{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
"mismatch send fatal alert (default warning alert)"},
-
{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
-
{"quiet", OPT_QUIET, '-', "No server output"},
{"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
"Disable caching and tickets if ephemeral (EC)DH is used"},
{"keymatexport", OPT_KEYMATEXPORT, 's',
"Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
- "Export len bytes of keying material (default 20)"},
+ "Export len bytes of keying material; default 20"},
{"CRL", OPT_CRL, '<', "CRL file to use"},
{"CRLform", OPT_CRLFORM, 'F', "CRL file format (PEM or DER); default PEM"},
{"crl_download", OPT_CRL_DOWNLOAD, '-',
if (s_key == NULL)
goto end;
- s_cert = load_cert(s_cert_file, s_cert_format,
+ s_cert = load_cert_pass(s_cert_file, s_cert_format, pass,
"server certificate file");
if (s_cert == NULL)
if (s_key2 == NULL)
goto end;
- s_cert2 = load_cert(s_cert_file2, s_cert_format,
+ s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, pass,
"second server certificate file");
if (s_cert2 == NULL)
if (s_dkey == NULL)
goto end;
- s_dcert = load_cert(s_dcert_file, s_dcert_format,
+ s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, dpass,
"second server certificate file");
if (s_dcert == NULL) {
{"inform", OPT_INFORM, 'f',
"CSR input format (DER or PEM) - default PEM"},
{"in", OPT_IN, '<', "Input file - default stdin"},
- {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
+ {"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
{"outform", OPT_OUTFORM, 'f',
"Output format (DER or PEM) - default PEM"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
goto end;
} else {
- x = load_cert(infile, FORMAT_UNDEF, "Certificate");
+ x = load_cert_pass(infile, FORMAT_UNDEF, passin, "Certificate");
if (x == NULL)
goto end;
if (fkey != NULL && !X509_set_pubkey(x, fkey))
}
if (CA_flag) {
- xca = load_cert(CAfile, CAformat, "CA Certificate");
+ xca = load_cert_pass(CAfile, CAformat, passin, "CA Certificate");
if (xca == NULL)
goto end;
}
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
ASN1_OBJECT_free(objtmp);
release_engine(e);
- OPENSSL_free(passin);
+ clear_free(passin);
return ret;
}
written to a filename consisting of the serial number in hex with
F<.pem> appended.
-=item B<-cert>
+=item B<-cert> I<filename>
The CA certificate, which must match with B<-keyfile>.
=item B<-passin> I<arg>
-The key password source. For more information about the format of B<arg>
+The key and certificate password source.
+For more information about the format of B<arg>
see L<openssl(1)/Pass Phrase Options>.
=item B<-notext>
ClientHello message. Cannot be used in conjunction with the B<-servername> or
<-dane_tlsa_domain> options.
-=item B<-cert> I<certname>
+=item B<-cert> I<filename>
The client certificate to use, if one is requested by the server.
The default is not to use a certificate.
=item B<-pass> I<arg>
-the private key password source. For more information about the format of I<arg>
+the private key and certifiate file password source.
+For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<depth>
=item B<-pass> I<val>
-The private key password source.
+The private key and certificate file password source.
For more information about the format of I<val>,
see L<openssl(1)/Pass Phrase Options>.
=item B<-dpass> I<val>
-The passphrase for the additional private key.
+The passphrase for the additional private key and certificate.
For more information about the format of I<val>,
see L<openssl(1)/Pass Phrase Options>.
=item B<-passin> I<arg>
-The key password source. For more information about the format of I<arg>
+The key and certificate file password source.
+For more information about the format of I<arg>
see L<openssl(1)/Pass Phrase Options>.
=item B<-clrext>
setup("test_x509");
-plan tests => 11;
+plan tests => 12;
require_ok(srctop_file('test','recipes','tconversion.pl'));
is(cmp_text($out_utf8, srctop_file("test/certs", "cyrillic.utf8")),
0, 'Comparing utf8 output');
+ SKIP: {
+ skip "DES disabled", 1 if disabled("des");
+
+ my $p12 = srctop_file("test", "shibboleth.pfx");
+ my $p12pass = "σύνθημα γνώρισμα";
+ my $out_pem = "out.pem";
+ ok(run(app(["openssl", "x509", "-text", "-in", $p12, "-out", $out_pem,
+ "-passin", "pass:$p12pass"])));
+ unlink $out_pem;
+}
+
SKIP: {
skip "EC disabled", 1 if disabled("ec");