Add/harmonize multi-valued RDN support and doc of ca, cmp, req, storeutl, and x509 apps
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12769)
parent
5fdcde816f
commit
5a0991d0d9
|
@ -200,7 +200,7 @@ const OPTIONS ca_options[] = {
|
|||
{"rand_serial", OPT_RAND_SERIAL, '-',
|
||||
"Always create a random serial; do not store it"},
|
||||
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
|
||||
"Enable support for multivalued RDNs"},
|
||||
"Deprecated; multi-valued RDNs support is always on."},
|
||||
{"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
|
||||
{"enddate", OPT_ENDDATE, 's',
|
||||
"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
|
||||
|
@ -288,7 +288,7 @@ int ca_main(int argc, char **argv)
|
|||
size_t outdirlen = 0;
|
||||
int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
|
||||
int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
|
||||
int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
|
||||
int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
|
||||
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
|
||||
int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret;
|
||||
long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
|
||||
|
@ -344,7 +344,7 @@ opthelp:
|
|||
create_ser = 1;
|
||||
break;
|
||||
case OPT_MULTIVALUE_RDN:
|
||||
multirdn = 1;
|
||||
/* obsolete */
|
||||
break;
|
||||
case OPT_STARTDATE:
|
||||
startdate = opt_arg();
|
||||
|
|
|
@ -893,7 +893,7 @@ static int set_name(const char *str,
|
|||
OSSL_CMP_CTX *ctx, const char *desc)
|
||||
{
|
||||
if (str != NULL) {
|
||||
X509_NAME *n = parse_name(str, MBSTRING_ASC, 0, desc);
|
||||
X509_NAME *n = parse_name(str, MBSTRING_ASC, 1, desc);
|
||||
|
||||
if (n == NULL)
|
||||
return 0;
|
||||
|
|
|
@ -1647,7 +1647,8 @@ int parse_yesno(const char *str, int def)
|
|||
|
||||
/*
|
||||
* name is expected to be in the format /type0=value0/type1=value1/type2=...
|
||||
* where characters may be escaped by \
|
||||
* where + can be used instead of / to form multi-valued RDNs if canmulti
|
||||
* and characters may be escaped by \
|
||||
*/
|
||||
X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
|
||||
const char *desc)
|
||||
|
@ -1700,6 +1701,7 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
|
|||
/* Collect the value. */
|
||||
valstr = (unsigned char *)bp;
|
||||
for (; *cp != '\0' && *cp != '/'; *bp++ = *cp++) {
|
||||
/* unescaped '+' symbol string signals further member of multiRDN */
|
||||
if (canmulti && *cp == '+') {
|
||||
nextismulti = 1;
|
||||
break;
|
||||
|
@ -1723,6 +1725,9 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
|
|||
BIO_printf(bio_err,
|
||||
"%s: Skipping unknown %s name attribute \"%s\"\n",
|
||||
opt_getprog(), desc, typestr);
|
||||
if (ismulti)
|
||||
BIO_printf(bio_err,
|
||||
"Hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n");
|
||||
continue;
|
||||
}
|
||||
if (*valstr == '\0') {
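Review bot: The new hint string in the unknown-attribute branch reads "needs be escaped"; it should be `"Hint: a '+' in a value string needs to be escaped using '\\' else a new member of a multi-valued RDN is expected\n"`. The hint is also emitted whenever `ismulti` is set, so a user who deliberately wrote a multi-valued RDN and merely mistyped the second attribute type receives the same advice, which can mislead; phrasing it as a possibility ("if the '+' was meant literally, escape it ...") would cover both cases. The updated header comment says `+` forms multi-valued RDNs "if canmulti", which is accurate, but since every caller in this commit now passes 1 a sentence noting that canmulti == 0 keeps `+` as an ordinary character would document the remaining purpose of the parameter. `ismulti` and `nextismulti` are declared outside the hunks, and parse_name's body starts before the second hunk and continues after it.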
|
||||
|
|
|
@ -127,7 +127,7 @@ const OPTIONS req_options[] = {
|
|||
{"subj", OPT_SUBJ, 's', "Set or modify request subject"},
|
||||
{"subject", OPT_SUBJECT, '-', "Output the request's subject"},
|
||||
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
|
||||
"Enable support for multivalued RDNs"},
|
||||
"Deprecated; multi-valued RDNs support is always on."},
|
||||
{"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
|
||||
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
|
||||
{"addext", OPT_ADDEXT, 's',
|
||||
|
@ -257,7 +257,7 @@ int req_main(int argc, char **argv)
|
|||
int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0;
|
||||
int pkey_type = -1, private = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
|
||||
int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
|
||||
int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0;
|
||||
int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
|
||||
long newkey = -1;
|
||||
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
|
||||
|
@ -421,7 +421,7 @@ int req_main(int argc, char **argv)
|
|||
subj = opt_arg();
|
||||
break;
|
||||
case OPT_MULTIVALUE_RDN:
|
||||
multirdn = 1;
|
||||
/* obsolete */
|
||||
break;
|
||||
case OPT_ADDEXT:
|
||||
p = opt_arg();
|
||||
|
|
|
@ -179,7 +179,7 @@ int x509_main(int argc, char **argv)
|
|||
char *subj = NULL;
|
||||
X509_NAME *fsubj = NULL;
|
||||
const unsigned long chtype = MBSTRING_ASC;
|
||||
const int multirdn = 0;
|
||||
const int multirdn = 1;
|
||||
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
|
||||
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL;
|
||||
X509 *x = NULL, *xca = NULL;
|
||||
|
|
|
@ -285,11 +285,17 @@ used).
|
|||
=item B<-subj> I<arg>
|
||||
|
||||
Supersedes subject name given in the request.
|
||||
|
||||
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
|
||||
Keyword characters may be escaped by C<\> (backslash), and whitespace is
|
||||
retained.
|
||||
Special characters may be escaped by C<\> (backslash), whitespace is retained.
|
||||
Empty values are permitted, but the corresponding type will not be included
|
||||
in the resulting certificate.
|
||||
Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
|
||||
Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
|
||||
between the AttributeValueAssertions (AVAs) that specify the members of the set.
|
||||
Example:
|
||||
|
||||
C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
|
||||
|
||||
=item B<-utf8>
|
||||
|
||||
|
@ -313,12 +319,7 @@ This overrides any option or configuration to use a serial number file.
|
|||
|
||||
=item B<-multivalue-rdn>
|
||||
|
||||
This option causes the -subj argument to be interpreted with full
|
||||
support for multivalued RDNs. Example:
|
||||
|
||||
C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
|
||||
|
||||
If B<-multi-rdn> is not used then the UID value is C<123456+CN=John Doe>.
|
||||
This option has been deprecated and has no effect.
|
||||
|
||||
{- $OpenSSL::safe::opt_r_item -}
|
||||
|
||||
|
@ -791,7 +792,8 @@ retained mainly for compatibility reasons.
|
|||
|
||||
The B<-section> option was added in OpenSSL 3.0.0.
|
||||
|
||||
The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
|
||||
The B<-certform> and B<-multivalue-rdn> options
|
||||
have become obsolete in OpenSSL 3.0.0 and have no effect.
|
||||
|
||||
All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
|
||||
and have no effect.
|
||||
|
|
|
@ -268,20 +268,24 @@ For KUR, it defaults to the subject DN of the reference certificate
|
|||
(see B<-oldcert>).
|
||||
This default is used for IR and CR only if no SANs are set.
|
||||
|
||||
The argument must be formatted as I</type0=value0/type1=value1/type2=...>,
|
||||
characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped.
|
||||
|
||||
The subject DN is also used as fallback sender of outgoing CMP messages
|
||||
if no B<-cert> and no B<-oldcert> are given.
|
||||
|
||||
The argument must be formatted as I</type0=value0/type1=value1/type2=...>.
|
||||
Special characters may be escaped by C<\> (backslash), whitespace is retained.
|
||||
Empty values are permitted, but the corresponding type will not be included.
|
||||
Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
|
||||
Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
|
||||
between the AttributeValueAssertions (AVAs) that specify the members of the set.
|
||||
Example:
|
||||
|
||||
C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
|
||||
|
||||
=item B<-issuer> I<name>
|
||||
|
||||
X509 issuer Distinguished Name (DN) of the CA server
|
||||
to place in the requested certificate template in IR/CR/KUR.
|
||||
|
||||
The argument must be formatted as I</type0=value0/type1=value1/type2=...>,
|
||||
characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped.
|
||||
|
||||
If neither B<-srvcert> nor B<-recipient> is available,
|
||||
the name given in this option is also set as the recipient of the CMP message.
|
||||
|
||||
|
@ -519,10 +523,6 @@ and as default value for the expected sender of incoming CMP messages.
|
|||
Distinguished Name (DN) to use in the recipient field of CMP request messages,
|
||||
i.e., the CMP server (usually the addressed CA).
|
||||
|
||||
The argument must be formatted as I</type0=value0/type1=value1/type2=...>,
|
||||
characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped.
|
||||
The empty name (NULL-DN) can be given explicitly as a single slash: 'I</>'.
|
||||
|
||||
The recipient field in the header of a CMP message is mandatory.
|
||||
If not given explicitly the recipient is determined in the following order:
|
||||
the subject of the CMP server certificate given with the B<-srvcert> option,
|
||||
|
@ -536,9 +536,6 @@ as far as any of those is present, else the NULL-DN as last resort.
|
|||
Distinguished Name (DN) expected in the sender field of incoming CMP messages.
|
||||
Defaults to the subject DN of the pinned B<-srvcert>, if any.
|
||||
|
||||
The argument must be formatted as I</type0=value0/type1=value1/type2=...>,
|
||||
characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped.
|
||||
|
||||
This can be used to make sure that only a particular entity is accepted as
|
||||
CMP message signer, and attackers are not able to use arbitrary certificates
|
||||
of a trusted PKI hierarchy to fraudulently pose as a CMP server.
|
||||
|
|
|
@ -32,7 +32,6 @@ B<openssl> B<req>
|
|||
[B<-I<digest>>]
|
||||
[B<-config> I<filename>]
|
||||
[B<-section> I<name>]
|
||||
[B<-multivalue-rdn>]
|
||||
[B<-x509>]
|
||||
[B<-days> I<n>]
|
||||
[B<-set_serial> I<n>]
|
||||
|
@ -45,6 +44,7 @@ B<openssl> B<req>
|
|||
[B<-reqopt>]
|
||||
[B<-subject>]
|
||||
[B<-subj> I<arg>]
|
||||
[B<-multivalue-rdn>]
|
||||
[B<-sigopt> I<nm>:I<v>]
|
||||
[B<-vfyopt> I<nm>:I<v>]
|
||||
[B<-batch>]
|
||||
|
@ -233,19 +233,21 @@ Specifies the name of the section to use; the default is B<req>.
|
|||
|
||||
Sets subject name for new request or supersedes the subject name
|
||||
when processing a request.
|
||||
|
||||
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
|
||||
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
|
||||
Special characters may be escaped by C<\> (backslash), whitespace is retained.
|
||||
Empty values are permitted, but the corresponding type will not be included
|
||||
in the request.
|
||||
|
||||
=item B<-multivalue-rdn>
|
||||
|
||||
This option causes the -subj argument to be interpreted with full
|
||||
support for multivalued RDNs. Example:
|
||||
Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
|
||||
Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
|
||||
between the AttributeValueAssertions (AVAs) that specify the members of the set.
|
||||
Example:
|
||||
|
||||
C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
|
||||
|
||||
If -multi-rdn is not used then the UID value is C<123456+CN=John Doe>.
|
||||
=item B<-multivalue-rdn>
|
||||
|
||||
This option has been deprecated and has no effect.
|
||||
|
||||
=item B<-x509>
|
||||
|
||||
|
@ -697,8 +699,8 @@ L<x509v3_config(5)>
|
|||
|
||||
The B<-section> option was added in OpenSSL 3.0.0.
|
||||
|
||||
All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
|
||||
and have no effect.
|
||||
All B<-keyform> values except B<ENGINE> and the B<-multivalue-rdn> option
|
||||
have become obsolete in OpenSSL 3.0.0 and have no effect.
|
||||
|
||||
The B<-engine> option was deprecated in OpenSSL 3.0.
|
||||
The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
|
||||
|
|
|
@ -80,11 +80,19 @@ returned.
|
|||
=item B<-subject> I<arg>
|
||||
|
||||
Search for an object having the subject name I<arg>.
|
||||
|
||||
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
|
||||
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
|
||||
Special characters may be escaped by C<\> (backslash), whitespace is retained.
|
||||
Empty values are permitted but are ignored for the search. That is,
|
||||
a search with an empty value will have the same effect as not specifying
|
||||
the type at all.
|
||||
Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
|
||||
Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
|
||||
between the AttributeValueAssertions (AVAs) that specify the members of the set.
|
||||
|
||||
Example:
|
||||
|
||||
C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
|
||||
|
||||
=item B<-issuer> I<arg>
|
||||
|
||||
|
|
|
@ -517,11 +517,17 @@ generate a certificate containing any desired public key.
|
|||
=item B<-subj> I<arg>
|
||||
|
||||
When a certificate is created set its subject name to the given value.
|
||||
|
||||
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
|
||||
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
|
||||
Special characters may be escaped by C<\> (backslash), whitespace is retained.
|
||||
Empty values are permitted, but the corresponding type will not be included
|
||||
in the certificate. Giving a single C</> will lead to an empty sequence of RDNs
|
||||
(a NULL subject DN).
|
||||
in the certificate.
|
||||
Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
|
||||
Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
|
||||
between the AttributeValueAssertions (AVAs) that specify the members of the set.
|
||||
Example:
|
||||
|
||||
C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
|
||||
|
||||
Unless the B<-CA> option is given the issuer is set to the same value.
|
||||
|
||||
|
|