apps/req,crl: exit with 1 on verification failure

author Vladimir Kotal <vlada@kotalovi.cz>

Thu, 7 Mar 2024 16:00:07 +0000 (17:00 +0100)

committer Tomas Mraz <tomas@openssl.org>

Tue, 26 Mar 2024 14:08:36 +0000 (15:08 +0100)
author Vladimir Kotal <vlada@kotalovi.cz>
Thu, 7 Mar 2024 16:00:07 +0000 (17:00 +0100)
committer Tomas Mraz <tomas@openssl.org>
Tue, 26 Mar 2024 14:08:36 +0000 (15:08 +0100)
diff --git a/CHANGES.md b/CHANGES.md

index ddb2ba56a2854094c1d700436ca1bdc6c2108b0c..559a69f518740b0cb20b9f9565c44d5def6deef1 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,6 +28,11 @@ OpenSSL 3.3
  
  ### Changes between 3.2 and 3.3 [xx XXX xxxx]
  
+ * The `-verify` option to the `openssl crl` and `openssl req` will make
+   the program exit with 1 on failure.
+
+   *Vladimír Kotal*
+
   * The BIO_get_new_index() function can only be called 127 times before it
     reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an
     error of -1 once it is exhausted. Users may need to reserve using this
diff --git a/apps/crl.c b/apps/crl.c

index 09aec81cf7e798b5fe7c3c9afd7bda93f73bfabe..53ece01594b298575fde695ab259ecfd3c6ff31b 100644 (file)
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -248,9 +248,10 @@ int crl_main(int argc, char **argv)
          EVP_PKEY_free(pkey);
          if (i < 0)
              goto end;
-        if (i == 0)
+        if (i == 0) {
              BIO_printf(bio_err, "verify failure\n");
-        else
+           goto end;
+        } else
              BIO_printf(bio_err, "verify OK\n");
      }
  
diff --git a/apps/req.c b/apps/req.c

index 00ef231e1157441490f37af413d5571317c90084..9b85600e104f83d6adc156fe24809288c23af824 100644 (file)
--- a/apps/req.c
+++ b/apps/req.c
@@ -918,9 +918,10 @@ int req_main(int argc, char **argv)
  
          if (i < 0)
              goto end;
-        if (i == 0)
+        if (i == 0) {
              BIO_printf(bio_err, "Certificate request self-signature verify failure\n");
-        else /* i > 0 */
+           goto end;
+        } else /* i > 0 */
              BIO_printf(bio_out, "Certificate request self-signature verify OK\n");
      }
  
diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in

index 7e15f6445a6f25efa19b995683a7c631519323db..f477cfd2362e8211675d88bed8788aba8ede7ed5 100644 (file)
--- a/doc/man1/openssl-crl.pod.in
+++ b/doc/man1/openssl-crl.pod.in
@@ -93,7 +93,9 @@ Print out the CRL in text form.
  
  =item B<-verify>
  
-Verify the signature in the CRL.
+Verify the signature in the CRL. If the verification fails,
+the program will immediately exit, i.e. further option processing
+(e.g. B<-gendelta>) is skipped.
  
  =item B<-noout>
  
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in

index c2232006e52c146224156fa10ae20828ca276543..d2de373e2ca2f0d4532021366b84d7bceb965bd6 100644 (file)
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -148,7 +148,9 @@ Prints out the value of the modulus of the public key contained in the request.
  
  =item B<-verify>
  
-Verifies the self-signature on the request.
+Verifies the self-signature on the request. If the verification fails,
+the program will immediately exit, i.e. further option processing
+(e.g. B<-text>) is skipped.
  
  =item B<-new>
author	Vladimir Kotal <vlada@kotalovi.cz>
	Thu, 7 Mar 2024 16:00:07 +0000 (17:00 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Tue, 26 Mar 2024 14:08:36 +0000 (15:08 +0100)
CHANGES.md		patch \| blob \| blame \| history
apps/crl.c		patch \| blob \| blame \| history
apps/req.c		patch \| blob \| blame \| history
doc/man1/openssl-crl.pod.in		patch \| blob \| blame \| history
doc/man1/openssl-req.pod.in		patch \| blob \| blame \| history