{"rand_serial", OPT_RAND_SERIAL, '-',
"Always create a random serial; do not store it"},
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
- "Enable support for multivalued RDNs"},
+ "Deprecated; multi-valued RDNs support is always on."},
{"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
{"enddate", OPT_ENDDATE, 's',
"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
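Review bot: the new help string "Deprecated; multi-valued RDNs support is always on." has a number-agreement slip; "multi-valued RDN support is always on" (or "support for multi-valued RDNs is always on") reads correctly. The same string is repeated for req at the "multivalue-rdn" entry further down, so fix both copies together.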
size_t outdirlen = 0;
int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
- int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
+ int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret;
long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
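Review bot: `multirdn` is now initialised to 1 and, with the OPT_MULTIVALUE_RDN case reduced to `/* obsolete */`, nothing assigns it afterwards, so it is a constant masquerading as a flag. Either drop the variable and pass 1 to the parse_name() call sites, or make it `const int multirdn = 1;` as the x509.c hunk already does; the req.c hunk (`int modulus = 0, multirdn = 1, ...`) has the same leftover.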
create_ser = 1;
break;
case OPT_MULTIVALUE_RDN:
- multirdn = 1;
+ /* obsolete */
break;
case OPT_STARTDATE:
startdate = opt_arg();
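Review bot: the obsolete case accepts -multivalue-rdn silently. Since the help text now labels it deprecated, consider a one-line warning on bio_err here (and in the matching req.c case) so that scripts still passing the option learn that it can be dropped; a silently ignored option is hard to notice in CI output.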
OSSL_CMP_CTX *ctx, const char *desc)
{
if (str != NULL) {
- X509_NAME *n = parse_name(str, MBSTRING_ASC, 0, desc);
+ X509_NAME *n = parse_name(str, MBSTRING_ASC, 1, desc);
if (n == NULL)
return 0;
/*
* name is expected to be in the format /type0=value0/type1=value1/type2=...
- * where characters may be escaped by \
+ * where + can be used instead of / to form multi-valued RDNs if canmulti
+ * and characters may be escaped by \
*/
X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
const char *desc)
/* Collect the value. */
valstr = (unsigned char *)bp;
for (; *cp != '\0' && *cp != '/'; *bp++ = *cp++) {
+ /* unescaped '+' symbol string signals further member of multiRDN */
if (canmulti && *cp == '+') {
nextismulti = 1;
break;
BIO_printf(bio_err,
"%s: Skipping unknown %s name attribute \"%s\"\n",
opt_getprog(), desc, typestr);
+ if (ismulti)
+ BIO_printf(bio_err,
+ "Hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n");
continue;
}
if (*valstr == '\0') {
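Review bot: the hint is gated on `ismulti`, but the only flag the collection loop above sets when it stops at an unescaped '+' is `nextismulti`; make sure the hand-off from `nextismulti` to `ismulti` happens at the top of each attribute iteration (it is not visible in this hunk), otherwise the hint never prints. Also the hint text should read "needs to be escaped using '\\'" rather than "needs be escaped".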
{"subj", OPT_SUBJ, 's', "Set or modify request subject"},
{"subject", OPT_SUBJECT, '-', "Output the request's subject"},
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
- "Enable support for multivalued RDNs"},
+ "Deprecated; multi-valued RDNs support is always on."},
{"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
{"addext", OPT_ADDEXT, 's',
int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0;
int pkey_type = -1, private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
- int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
+ int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0;
int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
long newkey = -1;
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
subj = opt_arg();
break;
case OPT_MULTIVALUE_RDN:
- multirdn = 1;
+ /* obsolete */
break;
case OPT_ADDEXT:
p = opt_arg();
char *subj = NULL;
X509_NAME *fsubj = NULL;
const unsigned long chtype = MBSTRING_ASC;
- const int multirdn = 0;
+ const int multirdn = 1;
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL;
X509 *x = NULL, *xca = NULL;
=item B<-subj> I<arg>
Supersedes subject name given in the request.
+
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
-Keyword characters may be escaped by C<\> (backslash), and whitespace is
-retained.
+Special characters may be escaped by C<\> (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
+Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+Example:
+
+C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
=item B<-utf8>
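Review bot: "Special characters may be escaped by C<\>" leaves the reader to guess which characters are special. The apps.c comment in this patch defines exactly three: C</> as the attribute separator, C<+> as the multi-valued RDN separator, and C<\> itself, so name them here ("C</>, C<+> and C<\> must be escaped as C<\/>, C<\+> and C<\\> when they are part of a value"). The same paragraph is copied into the cmp, req, storeutl and x509 pod hunks below, so adjust all copies.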
=item B<-multivalue-rdn>
-This option causes the -subj argument to be interpreted with full
-support for multivalued RDNs. Example:
-
-C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
-
-If B<-multi-rdn> is not used then the UID value is C<123456+CN=John Doe>.
+This option has been deprecated and has no effect.
{- $OpenSSL::safe::opt_r_item -}
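Review bot: the removed sentence ("If B<-multi-rdn> is not used then the UID value is C<123456+CN=John Doe>") was the only place documenting what an unescaped '+' did by default, and its replacement "has no effect" hides the behaviour change. State the consequence for existing callers explicitly: an unescaped C<+> in -subj is now always treated as an RDN separator, so subject strings that previously carried a literal '+' must now write it as C<\+>. Also note the old text said B<-multi-rdn> while the option is B<-multivalue-rdn>; the new text no longer repeats that mismatch, which is good.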
The B<-section> option was added in OpenSSL 3.0.0.
-The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
+The B<-certform> and B<-multivalue-rdn> options
+have become obsolete in OpenSSL 3.0.0 and have no effect.
All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
and have no effect.
(see B<-oldcert>).
This default is used for IR and CR only if no SANs are set.
-The argument must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped.
-
The subject DN is also used as fallback sender of outgoing CMP messages
if no B<-cert> and no B<-oldcert> are given.
+The argument must be formatted as I</type0=value0/type1=value1/type2=...>.
+Special characters may be escaped by C<\> (backslash), whitespace is retained.
+Empty values are permitted, but the corresponding type will not be included.
+Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+Example:
+
+C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+
=item B<-issuer> I<name>
X509 issuer Distinguished Name (DN) of the CA server
to place in the requested certificate template in IR/CR/KUR.
-The argument must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped.
-
If neither B<-srvcert> nor B<-recipient> is available,
the name given in this option is also set as the recipient of the CMP message.
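Review bot: this hunk deletes the format description for -issuer without replacing it, so the reader no longer learns how the name must be written. Add a cross-reference such as "The argument must be formatted as described for B<-subject>." The -recipient and -expect_sender hunks below drop the same paragraph and need the same pointer.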
Distinguished Name (DN) to use in the recipient field of CMP request messages,
i.e., the CMP server (usually the addressed CA).
-The argument must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped.
-The empty name (NULL-DN) can be given explicitly as a single slash: 'I</>'.
-
The recipient field in the header of a CMP message is mandatory.
If not given explicitly the recipient is determined in the following order:
the subject of the CMP server certificate given with the B<-srvcert> option,
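Review bot: the line "The empty name (NULL-DN) can be given explicitly as a single slash" is removed here and now survives only inside the -subject description. For -recipient the NULL-DN case is the one users actually need (it is the documented way to say "no recipient DN"), so keep a sentence to that effect here, or at least reference the -subject paragraph where the NULL-DN rule now lives.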
Distinguished Name (DN) expected in the sender field of incoming CMP messages.
Defaults to the subject DN of the pinned B<-srvcert>, if any.
-The argument must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped.
-
This can be used to make sure that only a particular entity is accepted as
CMP message signer, and attackers are not able to use arbitrary certificates
of a trusted PKI hierarchy to fraudulently pose as a CMP server.
[B<-I<digest>>]
[B<-config> I<filename>]
[B<-section> I<name>]
-[B<-multivalue-rdn>]
[B<-x509>]
[B<-days> I<n>]
[B<-set_serial> I<n>]
[B<-reqopt>]
[B<-subject>]
[B<-subj> I<arg>]
+[B<-multivalue-rdn>]
[B<-sigopt> I<nm>:I<v>]
[B<-vfyopt> I<nm>:I<v>]
[B<-batch>]
Sets subject name for new request or supersedes the subject name
when processing a request.
+
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
-Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+Special characters may be escaped by C<\> (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
-
-=item B<-multivalue-rdn>
-
-This option causes the -subj argument to be interpreted with full
-support for multivalued RDNs. Example:
+Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+Example:
C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
-If -multi-rdn is not used then the UID value is C<123456+CN=John Doe>.
+=item B<-multivalue-rdn>
+
+This option has been deprecated and has no effect.
=item B<-x509>
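Review bot: check the blank lines around the example in this hunk. "Example:" is added directly above the C</DC=org/...> line and the new "=item B<-multivalue-rdn>" follows that line with only the deleted "If -multi-rdn is not used ..." sentence in between, whereas the openssl-ca.pod.in hunk keeps a blank line on each side of the example. In POD, "Example:" and the example run together into one paragraph without a separating blank line, and an =item that does not start its own paragraph is not recognized as a command; if the unchanged blank lines were merely dropped from this rendering, fine, otherwise add them.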
The B<-section> option was added in OpenSSL 3.0.0.
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
+All B<-keyform> values except B<ENGINE> and the B<-multivalue-rdn> option
+have become obsolete in OpenSSL 3.0.0 and have no effect.
The B<-engine> option was deprecated in OpenSSL 3.0.
The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
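Review bot: "All B<-keyform> values except B<ENGINE> and the B<-multivalue-rdn> option have become obsolete" parses as "except (ENGINE and the -multivalue-rdn option)", which is the opposite of what is meant. Split it into two sentences the way the openssl-ca.pod.in history hunk does: one for the obsolete -multivalue-rdn option, one for the -keyform values. While here, "The <-nodes> option" is missing the B<> markup used for every other option name in this paragraph.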
=item B<-subject> I<arg>
Search for an object having the subject name I<arg>.
+
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
-Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+Special characters may be escaped by C<\> (backslash), whitespace is retained.
Empty values are permitted but are ignored for the search. That is,
a search with an empty value will have the same effect as not specifying
the type at all.
+Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+
+Example:
+
+C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
=item B<-issuer> I<arg>
=item B<-subj> I<arg>
When a certificate is created set its subject name to the given value.
+
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
-Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+Special characters may be escaped by C<\> (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
-in the certificate. Giving a single C</> will lead to an empty sequence of RDNs
-(a NULL subject DN).
+in the certificate.
+Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+Example:
+
+C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
Unless the B<-CA> option is given the issuer is set to the same value.
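Review bot: with this hunk the same multi-line description of the /type0=value0/... syntax (escaping, empty values, NULL-DN, '+' for multi-valued RDNs, the John Doe example) is now copied verbatim into openssl-ca, openssl-cmp, openssl-req, openssl-storeutl and openssl-x509. These are .pod.in files that already pull shared text through template items such as C<{- $OpenSSL::safe::opt_r_item -}>, so factor the paragraph into one shared item (or describe the syntax once in openssl(1) and cross-reference it) so that the next correction does not have to be made in five places.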