The branch master has been updated via 01c12100f7d54db29da3fd47dc40c9d0e08c0ab0 (commit) via 3ee4e8cea72056ea56fdbfff8bb1b6daf2276933 (commit) via 51c833ac2d46653c8124a25def4df0b3d1a832b5 (commit) via 9d5aca655323d795ad8c28fa6be47250a08c18c7 (commit) from 852c2ed260860b6b85c84f9fe96fb4d23d49c9f2 (commit)
- Log ----------------------------------------------------------------- commit 01c12100f7d54db29da3fd47dc40c9d0e08c0ab0 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Wed Apr 22 14:58:41 2020 +0200 Clean up the use of ERR_print_errors() in apps.c and in four apps Also make sure that all error messages in apps.c consistently begin upper-case. Changed files: apps/lib/apps.c and apps/{req.c,s_client.c,s_server.c,x509.c} Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> (Merged from https://github.com/openssl/openssl/pull/4940) commit 3ee4e8cea72056ea56fdbfff8bb1b6daf2276933 Author: David von Oheimb <david.von.ohe...@siemens.com> Date: Tue Dec 26 19:33:04 2017 +0100 Remove a bad 'goto end' and a few superfluous ones in apps/lib/apps.c Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> (Merged from https://github.com/openssl/openssl/pull/4940) commit 51c833ac2d46653c8124a25def4df0b3d1a832b5 Author: David von Oheimb <david.von.ohe...@siemens.com> Date: Fri Dec 22 19:50:17 2017 +0100 Improve feedback on wrong format with new print_format_error() in apps/lib/opt.c Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> (Merged from https://github.com/openssl/openssl/pull/4940) commit 9d5aca655323d795ad8c28fa6be47250a08c18c7 Author: David von Oheimb <david.von.ohe...@siemens.com> Date: Fri Dec 15 20:50:37 2017 +0100 Add function load_csr(file,format,desc) to apps/lib/apps.c Make use of new load_csr() in 'ca', 'req', and 'x509' app Add '-inform' and '-certform' option to 'ca' app Add 'desc' parameter to load_crl() function defined in apps/lib/apps.c Allow 'desc' parameter to be NULL (gives option to suppress error output) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> (Merged from 
https://github.com/openssl/openssl/pull/4940) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 59 ++++++++------ apps/crl.c | 4 +- apps/include/apps.h | 13 +-- apps/include/opt.h | 2 + apps/lib/apps.c | 193 ++++++++++++++++++++++++++++----------------- apps/lib/opt.c | 35 ++++++++ apps/req.c | 25 ++---- apps/s_client.c | 15 +--- apps/s_server.c | 27 ++----- apps/x509.c | 12 +-- doc/man1/openssl-ca.pod.in | 12 +++ test/recipes/80-test_ca.t | 8 +- 12 files changed, 237 insertions(+), 168 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index e2fb43fd7e..a18ff0998e 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -93,7 +93,8 @@ typedef enum { static char *lookup_conf(const CONF *conf, const char *group, const char *tag); -static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, +static int certify(X509 **xret, const char *infile, int informat, + EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, @@ -104,7 +105,8 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, long days, int batch, const char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, int selfsign); -static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, +static int certify_cert(X509 **xret, const char *infile, int informat, + EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, 
@@ -150,7 +152,8 @@ typedef enum OPTION_choice { OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8, OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE, OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN, - OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT, + OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN, + OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT, OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN, OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC, OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID, @@ -168,7 +171,8 @@ const OPTIONS ca_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"}, {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, - {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"}, + {"in", OPT_IN, '<', "The input cert request(s)"}, + {"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"}, {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, {"out", OPT_OUT, '>', "Where to put the output file(s)"}, {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"}, @@ -190,7 +194,7 @@ const OPTIONS ca_options[] = { OPT_SECTION("Certificate"), {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"}, - {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, + {"utf8", OPT_UTF8, '-', "Input characters are UTF8; default ASCII"}, {"create_serial", OPT_CREATE_SERIAL, '-', "If reading serial fails, create a new random serial"}, {"rand_serial", OPT_RAND_SERIAL, '-', 
@@ -215,6 +219,8 @@ const OPTIONS ca_options[] = { {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"}, {"cert", OPT_CERT, '<', "The CA cert"}, + {"certform", OPT_CERTFORM, 'F', + "certificate input format (DER or PEM); default PEM"}, {"selfsign", OPT_SELFSIGN, '-', "Sign a cert with the key associated with it"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, @@ -267,6 +273,7 @@ int ca_main(int argc, char **argv) char *configfile = default_config_file, *section = NULL; char *md = NULL, *policy = NULL, *keyfile = NULL; char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL; + int certformat = FORMAT_PEM, informat = FORMAT_PEM; const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; const char *extensions = NULL, *extfile = NULL, *passinarg = NULL; char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL; @@ -306,6 +313,10 @@ opthelp: req = 1; infile = opt_arg(); break; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; case OPT_OUT: outfile = opt_arg(); break; @@ -373,6 +384,10 @@ opthelp: case OPT_CERT: certfile = opt_arg(); break; + case OPT_CERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &certformat)) + goto opthelp; + break; case OPT_SELFSIGN: selfsign = 1; break; @@ -571,7 +586,7 @@ end_of_options: && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL) goto end; - x509 = load_cert(certfile, FORMAT_PEM, "CA certificate"); + x509 = load_cert(certfile, certformat, "CA certificate"); if (x509 == NULL) goto end; @@ -926,7 +941,7 @@ end_of_options: } if (ss_cert_file != NULL) { total++; - j = certify_cert(&x, ss_cert_file, pkey, x509, dgst, + j = certify_cert(&x, ss_cert_file, certformat, pkey, x509, dgst, sigopts, vfyopts, attribs, db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, batch, extensions, 
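Review bot: The help string for the new `-certform` entry in hunk @@ -215, "certificate input format (DER or PEM); default PEM", starts lower-case, while the sibling `-inform` entry added in hunk @@ -168 reads "CSR input format (DER or PEM); default PEM" and every other entry in `ca_options` begins with a capital. `opt_help` prints these strings verbatim, so the usage summary will show one odd-one-out line. Suggest `"Certificate input format (DER or PEM); default PEM"`, or, since the option is applied to the `-cert` file in hunk @@ -571, `"CA certificate input format (DER or PEM); default PEM"`.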
@@ -947,8 +962,8 @@ end_of_options: } if (infile != NULL) { total++; - j = certify(&x, infile, pkey, x509p, dgst, sigopts, vfyopts, - attribs, db, + j = certify(&x, infile, informat, pkey, x509p, dgst, + sigopts, vfyopts, attribs, db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, batch, extensions, conf, verbose, certopt, get_nameopt(), default_op, ext_copy, selfsign); @@ -967,7 +982,8 @@ end_of_options: } for (i = 0; i < argc; i++) { total++; - j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, vfyopts, + j = certify(&x, argv[i], informat, pkey, x509p, dgst, + sigopts, vfyopts, attribs, db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, batch, extensions, conf, verbose, @@ -1247,7 +1263,7 @@ end_of_options: goto end; } else { X509 *revcert; - revcert = load_cert(infile, FORMAT_PEM, infile); + revcert = load_cert(infile, certformat, infile); if (revcert == NULL) goto end; if (dorevoke == 2) @@ -1300,7 +1316,8 @@ static char *lookup_conf(const CONF *conf, const char *section, const char *tag) return entry; } -static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, +static int certify(X509 **xret, const char *infile, int informat, + EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, @@ -1313,20 +1330,12 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, int default_op, int ext_copy, int selfsign) { X509_REQ *req = NULL; - BIO *in = NULL; EVP_PKEY *pktmp = NULL; int ok = -1, i; - in = BIO_new_file(infile, "r"); - if (in == NULL) { - ERR_print_errors(bio_err); + req = load_csr(infile, informat, "certificate request"); + if (req == NULL) goto end; - } - if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) { - BIO_printf(bio_err, "Error reading certificate request in %s\n", - infile); - goto end; - } if (verbose) X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT); 
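Review bot: In hunk @@ -1247 the certificate named by `-revoke` is now read with `certformat`, which the option table describes only as the format of the CA certificate, so a user revoking a DER-encoded certificate must pass `-certform DER` and in doing so also changes how the `-cert` file is parsed. If that coupling is intended it should be stated in the `-certform` help text and in openssl-ca.pod, and if not, the revoke input needs its own format variable. At minimum a comment on the changed line, `/* -certform also selects the encoding of the -revoke input */`, keeps the next reader from treating it as an accident. The enclosing `ca_main` body runs outside the hunk on both sides.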
@@ -1367,11 +1376,11 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, end: X509_REQ_free(req); - BIO_free(in); return ok; } -static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, +static int certify_cert(X509 **xret, const char *infile, int certformat, + EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, @@ -1387,7 +1396,7 @@ static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x EVP_PKEY *pktmp = NULL; int ok = -1, i; - if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL) + if ((req = load_cert(infile, certformat, infile)) == NULL) goto end; if (verbose) X509_print(bio_err, req); diff --git a/apps/crl.c b/apps/crl.c index 8b5a36322a..8028fef5de 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -205,7 +205,7 @@ int crl_main(int argc, char **argv) if (argc != 0) goto opthelp; - x = load_crl(infile, informat); + x = load_crl(infile, informat, "CRL"); if (x == NULL) goto end; @@ -250,7 +250,7 @@ int crl_main(int argc, char **argv) BIO_puts(bio_err, "Missing CRL signing key\n"); goto end; } - newcrl = load_crl(crldiff, informat); + newcrl = load_crl(crldiff, informat, "other CRL"); if (!newcrl) goto end; pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key"); diff --git a/apps/include/apps.h b/apps/include/apps.h index f9049f060f..e168942e19 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h 
@@ -104,16 +104,17 @@ int set_ext_copy(int *copy_type, const char *arg); int copy_extensions(X509 *x, X509_REQ *req, int copy_type); int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2); int add_oid_section(CONF *conf); -X509 *load_cert(const char *file, int format, const char *cert_descrip); -X509_CRL *load_crl(const char *infile, int format); +X509_REQ *load_csr(const char *file, int format, const char *desc); +X509 *load_cert(const char *file, int format, const char *desc); +X509_CRL *load_crl(const char *infile, int format, const char *desc); EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, - const char *pass, ENGINE *e, const char *key_descrip); + const char *pass, ENGINE *e, const char *desc); EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, - const char *pass, ENGINE *e, const char *key_descrip); + const char *pass, ENGINE *e, const char *desc); int load_certs(const char *file, STACK_OF(X509) **certs, int format, - const char *pass, const char *cert_descrip); + const char *pass, const char *desc); int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, - const char *pass, const char *cert_descrip); + const char *pass, const char *desc); X509_STORE *setup_verify(const char *CAfile, int noCAfile, const char *CApath, int noCApath, const char *CAstore, int noCAstore); diff --git a/apps/include/opt.h b/apps/include/opt.h index 1a26f34649..1bf46215d5 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -342,6 +342,7 @@ char *opt_init(int ac, char **av, const OPTIONS * o); int opt_next(void); void opt_begin(void); int opt_format(const char *s, unsigned long flags, int *result); +const char *format2str(int format); int opt_int(const char *arg, int *result); int opt_ulong(const char *arg, unsigned long *result); int opt_long(const char *arg, long *result); 
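Review bot: The prototypes changed in the apps.h hunk @@ -104 give no indication that `desc` may now be NULL, yet the commit message relies on that ("gives option to suppress error output") and `load_cert`, `load_crl`, `load_csr`, `load_key` and `load_pubkey` in apps.c all test `desc != NULL` before printing. A comment above the `load_csr` line would make the contract visible to callers, e.g. `/* desc names the object in error messages; NULL suppresses them. */`, with a second line noting that the returned object is owned by the caller and must be freed. The `format2str` and `print_format_error` declarations added in the opt.h hunks are likewise uncommented; a one-line `/* Printable name of a FORMAT_* value, "(undefined)" if unknown. */` would do for the first.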
@@ -370,6 +371,7 @@ int opt_provider(int i); void opt_help(const OPTIONS * list); void opt_print(const OPTIONS * opt, int doingparams, int width); int opt_format_error(const char *s, unsigned long flags); +void print_format_error(int format, unsigned long flags); int opt_isdir(const char *name); int opt_printf_stderr(const char *fmt, ...); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 5395d842eb..1a23ae0846 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -421,7 +421,7 @@ static int load_pkcs12(BIO *in, const char *desc, int len, ret = 0; PKCS12 *p12; p12 = d2i_PKCS12_bio(in, NULL); - if (p12 == NULL) { + if (p12 == NULL && desc != NULL) { BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc); goto die; } @@ -433,7 +433,8 @@ static int load_pkcs12(BIO *in, const char *desc, pem_cb = (pem_password_cb *)password_callback; len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data); if (len < 0) { - BIO_printf(bio_err, "Passphrase callback error for %s\n", desc); + BIO_printf(bio_err, "Passphrase callback error for %s\n", + desc != NULL ? desc : "PKCS12 input"); goto die; } if (len < PEM_BUFSIZE) @@ -441,7 +442,7 @@ static int load_pkcs12(BIO *in, const char *desc, if (!PKCS12_verify_mac(p12, tpass, len)) { BIO_printf(bio_err, "Mac verify error (wrong password?) in PKCS12 file for %s\n", - desc); + desc != NULL ? desc : "PKCS12 input"); goto die; } pass = tpass; @@ -452,7 +453,7 @@ static int load_pkcs12(BIO *in, const char *desc, return ret; } -X509 *load_cert(const char *file, int format, const char *cert_descrip) +X509 *load_cert(const char *file, int format, const char *desc) { X509 *x = NULL; BIO *cert; 
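Review bot: Hunk @@ -421 changes `if (p12 == NULL)` to `if (p12 == NULL && desc != NULL)`, so when `d2i_PKCS12_bio` fails and the caller passed a NULL `desc` the function no longer jumps to `die` but continues into the `PKCS12_verify_mac` calls that follow (one is visible in hunk @@ -441) with a NULL `p12` — a NULL dereference on a malformed or mis-formatted input, reachable from any caller that suppresses messages. The NULL-`desc` test should guard only the message, not the bail-out: `if (p12 == NULL) { if (desc != NULL) BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc); goto die; }`. Alternatively use the `desc != NULL ? desc : "PKCS12 input"` fallback that hunks @@ -433 and @@ -441 already introduce, so the message is never lost.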
@@ -479,22 +480,26 @@ X509 *load_cert(const char *file, int format, const char *cert_descrip) x = PEM_read_bio_X509_AUX(cert, NULL, (pem_password_cb *)password_callback, NULL); } else if (format == FORMAT_PKCS12) { - if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL)) + if (!load_pkcs12(cert, desc, NULL, NULL, NULL, &x, NULL)) goto end; } else { - BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip); - goto end; + print_format_error(format, +#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) + OPT_FMT_HTTP | +#endif + OPT_FMT_PEMDER | OPT_FMT_PKCS12); } + end: - if (x == NULL) { - BIO_printf(bio_err, "unable to load certificate\n"); + if (x == NULL && desc != NULL) { + BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); } BIO_free(cert); return x; } -X509_CRL *load_crl(const char *infile, int format) +X509_CRL *load_crl(const char *infile, int format, const char *desc) { X509_CRL *x = NULL; BIO *in = NULL; 
@@ -513,23 +518,45 @@ X509_CRL *load_crl(const char *infile, int format) x = d2i_X509_CRL_bio(in, NULL); } else if (format == FORMAT_PEM) { x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); - } else { - BIO_printf(bio_err, "bad input format specified for input crl\n"); - goto end; - } - if (x == NULL) { - BIO_printf(bio_err, "unable to load CRL\n"); + } else + print_format_error(format, OPT_FMT_PEMDER); + + end: + if (x == NULL && desc != NULL) { + BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); - goto end; } + BIO_free(in); + return x; +} + +X509_REQ *load_csr(const char *file, int format, const char *desc) +{ + X509_REQ *req = NULL; + BIO *in; + + in = bio_open_default(file, 'r', format); + if (in == NULL) + goto end; + + if (format == FORMAT_ASN1) + req = d2i_X509_REQ_bio(in, NULL); + else if (format == FORMAT_PEM) + req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); + else + print_format_error(format, OPT_FMT_PEMDER); end: + if (req == NULL && desc != NULL) { + BIO_printf(bio_err, "Unable to load %s\n", desc); + ERR_print_errors(bio_err); + } BIO_free(in); - return x; + return req; } EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, - const char *pass, ENGINE *e, const char *key_descrip) + const char *pass, ENGINE *e, const char *desc) { BIO *key = NULL; EVP_PKEY *pkey = NULL; @@ -539,12 +566,12 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, cb_data.prompt_info = file; if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { - BIO_printf(bio_err, "no keyfile specified\n"); + BIO_printf(bio_err, "No keyfile specified\n"); goto end; } if (format == FORMAT_ENGINE) { if (e == NULL) { - BIO_printf(bio_err, "no engine specified\n"); + BIO_printf(bio_err, "No engine specified\n"); } else { #ifndef OPENSSL_NO_ENGINE if (ENGINE_init(e)) { 
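Review bot: The new `load_csr` in hunk @@ -513 has no header comment although it becomes the single CSR loader for three apps. Suggest a comment above the definition stating that it reads an X509_REQ from `file` via `bio_open_default` in `format` (DER or PEM), that `desc` names the object in error messages and NULL suppresses them, and that the caller owns the returned object and must `X509_REQ_free` it. In the same hunk the rewritten `load_crl` closes its if/else chain with an unbraced `} else print_format_error(format, OPT_FMT_PEMDER);` beside braced branches; `} else { print_format_error(format, OPT_FMT_PEMDER); }` would match the surrounding style and the braced form used in `load_cert`.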
@@ -553,12 +580,12 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, &cb_data); ENGINE_finish(e); } - if (pkey == NULL) { - BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); + if (pkey == NULL && desc != NULL) { + BIO_printf(bio_err, "Cannot load %s from engine\n", desc); ERR_print_errors(bio_err); } #else - BIO_printf(bio_err, "engines not supported\n"); + BIO_printf(bio_err, "Engines not supported\n"); #endif } goto end; @@ -576,7 +603,8 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, } else if (format == FORMAT_PEM) { pkey = PEM_read_bio_PrivateKey(key, NULL, wrap_password_callback, &cb_data); } else if (format == FORMAT_PKCS12) { - if (!load_pkcs12(key, key_descrip, wrap_password_callback, &cb_data, + if (!load_pkcs12(key, desc, + (pem_password_cb *)password_callback, &cb_data, &pkey, NULL, NULL)) goto end; #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4) @@ -586,20 +614,27 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, pkey = b2i_PVK_bio(key, wrap_password_callback, &cb_data); #endif } else { - BIO_printf(bio_err, "bad input format specified for key file\n"); - goto end; + print_format_error(format, OPT_FMT_PEMDER | OPT_FMT_PKCS12 +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4) + | OPT_FMT_MSBLOB | FORMAT_PVK +#endif +#ifndef OPENSSL_NO_ENGINE + | OPT_FMT_ENGINE +#endif + ); } + end: BIO_free(key); - if (pkey == NULL) { - BIO_printf(bio_err, "unable to load %s\n", key_descrip); + if (pkey == NULL && desc != NULL) { + BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); } return pkey; } EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, - const char *pass, ENGINE *e, const char *key_descrip) + const char *pass, ENGINE *e, const char *desc) { BIO *key = NULL; EVP_PKEY *pkey = NULL; 
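Review bot: In hunk @@ -586 the flag list passed to `print_format_error` from `load_key` mixes namespaces: `| OPT_FMT_MSBLOB | FORMAT_PVK` ORs the `FORMAT_PVK` enumerator value into a bitmask of `OPT_FMT_*` flags, so the PVK bit is not the one set and the "acceptable formats" text printed through `opt_format_error` is wrong whenever PVK support is compiled in. It should read `| OPT_FMT_MSBLOB | OPT_FMT_PVK`. Separately, hunk @@ -576 swaps `wrap_password_callback` for `(pem_password_cb *)password_callback` in the PKCS#12 branch; that matches the cast already used elsewhere in this file, but it is a behavioural change unrelated to the commit message and deserves a sentence there.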
@@ -609,22 +644,22 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, cb_data.prompt_info = file; if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { - BIO_printf(bio_err, "no keyfile specified\n"); + BIO_printf(bio_err, "No keyfile specified\n"); goto end; } if (format == FORMAT_ENGINE) { if (e == NULL) { - BIO_printf(bio_err, "no engine specified\n"); + BIO_printf(bio_err, "No engine specified\n"); } else { #ifndef OPENSSL_NO_ENGINE pkey = ENGINE_load_public_key(e, file, (UI_METHOD *)get_ui_method(), &cb_data); - if (pkey == NULL) { - BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); + if (pkey == NULL && desc != NULL) { + BIO_printf(bio_err, "Cannot load %s from engine\n", desc); ERR_print_errors(bio_err); } #else - BIO_printf(bio_err, "engines not supported\n"); + BIO_printf(bio_err, "Engines not supported\n"); #endif } goto end; @@ -677,11 +712,19 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, } else if (format == FORMAT_MSBLOB) { pkey = b2i_PublicKey_bio(key); #endif + } else { + print_format_error(format, OPT_FMT_PEMDER +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) + | OPT_FMT_MSBLOB +#endif + ); } end: BIO_free(key); - if (pkey == NULL) - BIO_printf(bio_err, "unable to load %s\n", key_descrip); + if (pkey == NULL && desc != NULL) { + BIO_printf(bio_err, "Unable to load %s\n", desc); + ERR_print_errors(bio_err); + } return pkey; } @@ -701,7 +744,7 @@ static int load_certs_crls(const char *file, int format, cb_data.prompt_info = file; if (format != FORMAT_PEM) { - BIO_printf(bio_err, "bad input format specified for %s\n", desc); + BIO_printf(bio_err, "Bad input format specified for %s\n", desc); return 0; } 
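Review bot: The `print_format_error` call added in hunk @@ -677 lists only `OPT_FMT_PEMDER` (plus `OPT_FMT_MSBLOB` when RSA and DSA are enabled) as the formats `load_pubkey` accepts, yet the function explicitly handles `FORMAT_ENGINE` at the top of hunk @@ -609, and the matching call in `load_key` includes `OPT_FMT_ENGINE` under `#ifndef OPENSSL_NO_ENGINE`. The error text a user sees for a bad `-keyform` therefore understates what the function supports. Suggest adding the same `#ifndef OPENSSL_NO_ENGINE` / `| OPT_FMT_ENGINE` / `#endif` clause here; any further branches of the if/else chain that lie outside the hunk should be reflected in the list as well.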
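Review bot: `load_certs_crls` in hunk @@ -701 still executes `BIO_printf(bio_err, "Bad input format specified for %s\n", desc)` with `desc` unguarded, while hunk @@ -760 in the same function adds `if (desc != NULL)` around the "Unable to load" message, establishing that a NULL `desc` is legal. Passing a NULL pointer for `%s` is undefined behaviour, so the first site should be guarded the same way: `if (desc != NULL) BIO_printf(bio_err, "Bad input format specified for %s\n", desc);`. The function's body continues outside both hunks.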
@@ -760,9 +803,11 @@ static int load_certs_crls(const char *file, int format, sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); *pcrls = NULL; } - BIO_printf(bio_err, "unable to load %s\n", - pcerts ? "certificates" : "CRLs"); - ERR_print_errors(bio_err); + if (desc != NULL) { + BIO_printf(bio_err, "Unable to load %s for %s\n", + pcerts ? "certificates" : "CRLs", desc); + ERR_print_errors(bio_err); + } } return rv; } @@ -1094,6 +1139,7 @@ X509_STORE *setup_verify(const char *CAfile, int noCAfile, ERR_clear_error(); return store; end: + ERR_print_errors(bio_err); X509_STORE_free(store); return NULL; } @@ -1121,13 +1167,13 @@ ENGINE *setup_engine(const char *engine, int debug) #ifndef OPENSSL_NO_ENGINE if (engine != NULL) { if (strcmp(engine, "auto") == 0) { - BIO_printf(bio_err, "enabling auto ENGINE support\n"); + BIO_printf(bio_err, "Enabling auto ENGINE support\n"); ENGINE_register_all_complete(); return NULL; } if ((e = ENGINE_by_id(engine)) == NULL && (e = try_load_engine(engine)) == NULL) { - BIO_printf(bio_err, "invalid engine \"%s\"\n", engine); + BIO_printf(bio_err, "Invalid engine \"%s\"\n", engine); ERR_print_errors(bio_err); return NULL; } @@ -1137,13 +1183,13 @@ ENGINE *setup_engine(const char *engine, int debug) ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, (void *)get_ui_method(), 0, 1); if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { - BIO_printf(bio_err, "can't use that engine\n"); + BIO_printf(bio_err, "Cannot use engine \"%s\"\n", ENGINE_get_id(e)); ERR_print_errors(bio_err); ENGINE_free(e); return NULL; } - BIO_printf(bio_err, "engine \"%s\" set.\n", ENGINE_get_id(e)); + BIO_printf(bio_err, "Engine \"%s\" set.\n", ENGINE_get_id(e)); } #endif return e; 
@@ -1222,14 +1268,13 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) BIO_printf(bio_err, "Out of memory\n"); } else { if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) { - BIO_printf(bio_err, "unable to load number from %s\n", + BIO_printf(bio_err, "Unable to load number from %s\n", serialfile); goto err; } ret = ASN1_INTEGER_to_BN(ai, NULL); if (ret == NULL) { - BIO_printf(bio_err, - "error converting number from bin to BIGNUM\n"); + BIO_printf(bio_err, "Error converting number from bin to BIGNUM\n"); goto err; } } @@ -1239,6 +1284,7 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) ai = NULL; } err: + ERR_print_errors(bio_err); BIO_free(in); ASN1_INTEGER_free(ai); return ret; @@ -1258,7 +1304,7 @@ int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial else j = strlen(serialfile) + strlen(suffix) + 1; if (j >= BSIZE) { - BIO_printf(bio_err, "file name too long\n"); + BIO_printf(bio_err, "File name too long\n"); goto err; } @@ -1273,7 +1319,6 @@ int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial } out = BIO_new_file(buf[0], "w"); if (out == NULL) { - ERR_print_errors(bio_err); goto err; } @@ -1289,6 +1334,8 @@ int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial ai = NULL; } err: + if (!ret) + ERR_print_errors(bio_err); BIO_free_all(out); ASN1_INTEGER_free(ai); return ret; @@ -1305,7 +1352,7 @@ int rotate_serial(const char *serialfile, const char *new_suffix, if (i > j) j = i; if (j + 1 >= BSIZE) { - BIO_printf(bio_err, "file name too long\n"); + BIO_printf(bio_err, "File name too long\n"); goto err; } #ifndef OPENSSL_SYS_VMS 
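Review bot: Hunk @@ -1239 adds an unconditional `ERR_print_errors(bio_err)` at `load_serial`'s `err:` label, but the context directly above it (`ai = NULL; }` followed by `err:`) shows the success path falling through to the same label, so any stale entries on the error queue would be printed after every successful serial load. Hunk @@ -1289 in `save_serial` gets this right with `if (!ret) ERR_print_errors(bio_err);`; the equivalent here is `if (ret == NULL) ERR_print_errors(bio_err);`. The `err:` label given the same treatment in `load_index` (hunk @@ -1421, next line) appears to have the same fall-through shape — its success path is outside the hunk, so confirm, and guard on the function's return value if so.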
@@ -1321,19 +1368,20 @@ int rotate_serial(const char *serialfile, const char *new_suffix, #endif ) { BIO_printf(bio_err, - "unable to rename %s to %s\n", serialfile, buf[1]); + "Unable to rename %s to %s\n", serialfile, buf[1]); perror("reason"); goto err; } if (rename(buf[0], serialfile) < 0) { BIO_printf(bio_err, - "unable to rename %s to %s\n", buf[0], serialfile); + "Unable to rename %s to %s\n", buf[0], serialfile); perror("reason"); rename(buf[1], serialfile); goto err; } return 1; err: + ERR_print_errors(bio_err); return 0; } @@ -1374,17 +1422,14 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr) #endif in = BIO_new_file(dbfile, "r"); - if (in == NULL) { - ERR_print_errors(bio_err); + if (in == NULL) goto err; - } #ifndef OPENSSL_NO_POSIX_IO BIO_get_fp(in, &dbfp); if (fstat(fileno(dbfp), &dbst) == -1) { ERR_raise_data(ERR_LIB_SYS, errno, "calling fstat(%s)", dbfile); - ERR_print_errors(bio_err); goto err; } #endif @@ -1421,6 +1466,7 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr) #endif err: + ERR_print_errors(bio_err); NCONF_free(dbattr_conf); TXT_DB_free(tmpdb); BIO_free_all(in); @@ -1436,20 +1482,23 @@ int index_index(CA_DB *db) LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial))) { BIO_printf(bio_err, - "error creating serial number index:(%ld,%ld,%ld)\n", + "Error creating serial number index:(%ld,%ld,%ld)\n", db->db->error, db->db->arg1, db->db->arg2); - return 0; + goto err; } if (db->attributes.unique_subject && !TXT_DB_create_index(db->db, DB_name, index_name_qual, LHASH_HASH_FN(index_name), LHASH_COMP_FN(index_name))) { - BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n", + BIO_printf(bio_err, "Error creating name index:(%ld,%ld,%ld)\n", db->db->error, db->db->arg1, db->db->arg2); - return 0; + goto err; } return 1; + err: + ERR_print_errors(bio_err); + return 0; } int save_index(const char *dbfile, const char *suffix, CA_DB *db) 
@@ -1460,7 +1509,7 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db) j = strlen(dbfile) + strlen(suffix); if (j + 6 >= BSIZE) { - BIO_printf(bio_err, "file name too long\n"); + BIO_printf(bio_err, "File name too long\n"); goto err; } #ifndef OPENSSL_SYS_VMS @@ -1475,7 +1524,7 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db) out = BIO_new_file(buf[0], "w"); if (out == NULL) { perror(dbfile); - BIO_printf(bio_err, "unable to open '%s'\n", dbfile); + BIO_printf(bio_err, "Unable to open '%s'\n", dbfile); goto err; } j = TXT_DB_write(out, db->db); @@ -1486,7 +1535,7 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db) out = BIO_new_file(buf[1], "w"); if (out == NULL) { perror(buf[2]); - BIO_printf(bio_err, "unable to open '%s'\n", buf[2]); + BIO_printf(bio_err, "Unable to open '%s'\n", buf[2]); goto err; } BIO_printf(out, "unique_subject = %s\n", @@ -1495,6 +1544,7 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db) return 1; err: + ERR_print_errors(bio_err); return 0; } @@ -1509,7 +1559,7 @@ int rotate_index(const char *dbfile, const char *new_suffix, if (i > j) j = i; if (j + 6 >= BSIZE) { - BIO_printf(bio_err, "file name too long\n"); + BIO_printf(bio_err, "File name too long\n"); goto err; } #ifndef OPENSSL_SYS_VMS @@ -1530,12 +1580,12 @@ int rotate_index(const char *dbfile, const char *new_suffix, && errno != ENOTDIR #endif ) { - BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]); + BIO_printf(bio_err, "Unable to rename %s to %s\n", dbfile, buf[1]); perror("reason"); goto err; } if (rename(buf[0], dbfile) < 0) { - BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile); + BIO_printf(bio_err, "Unable to rename %s to %s\n", buf[0], dbfile); perror("reason"); rename(buf[1], dbfile); goto err; 
@@ -1545,14 +1595,14 @@ int rotate_index(const char *dbfile, const char *new_suffix, && errno != ENOTDIR #endif ) { - BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]); + BIO_printf(bio_err, "Unable to rename %s to %s\n", buf[4], buf[3]); perror("reason"); rename(dbfile, buf[0]); rename(buf[1], dbfile); goto err; } if (rename(buf[2], buf[4]) < 0) { - BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]); + BIO_printf(bio_err, "Unable to rename %s to %s\n", buf[2], buf[4]); perror("reason"); rename(buf[3], buf[4]); rename(dbfile, buf[0]); @@ -1561,6 +1611,7 @@ int rotate_index(const char *dbfile, const char *new_suffix, } return 1; err: + ERR_print_errors(bio_err); return 0; } @@ -1651,7 +1702,7 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) } if (*cp == '\\' && *++cp == '\0') { BIO_printf(bio_err, - "%s: escape character at end of string\n", + "%s: Escape character at end of string\n", opt_getprog()); goto err; } @@ -1900,7 +1951,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp) DIST_POINT *dp = sk_DIST_POINT_value(crldp, i); urlptr = get_dp_url(dp); if (urlptr) - return load_crl(urlptr, FORMAT_HTTP); + return load_crl(urlptr, FORMAT_HTTP, "CRL via CDP"); } return NULL; } diff --git a/apps/lib/opt.c b/apps/lib/opt.c index d335d8e9db..566de8ab7d 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c 
@@ -282,6 +282,41 @@ int opt_format(const char *s, unsigned long flags, int *result) return 1; } +/* Return string representing the given format. */ +const char *format2str(int format) +{ + switch (format) { + default: + return "(undefined)"; + case FORMAT_PEM: + return "PEM"; + case FORMAT_ASN1: + return "DER"; + case FORMAT_TEXT: + return "TEXT"; + case FORMAT_NSS: + return "NSS"; + case FORMAT_SMIME: + return "SMIME"; + case FORMAT_MSBLOB: + return "MSBLOB"; + case FORMAT_ENGINE: + return "ENGINE"; + case FORMAT_HTTP: + return "HTTP"; + case FORMAT_PKCS12: + return "P12"; + case FORMAT_PVK: + return "PVK"; + } +} + +/* Print an error message about unsuitable/unsupported format requested. */ +void print_format_error(int format, unsigned long flags) +{ + (void)opt_format_error(format2str(format), flags); +} + /* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */ int opt_cipher(const char *name, const EVP_CIPHER **cipherp) { diff --git a/apps/req.c b/apps/req.c index 9ab120c34f..cba6952cad 100644 --- a/apps/req.c +++ b/apps/req.c @@ -230,7 +230,7 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) int req_main(int argc, char **argv) { ASN1_INTEGER *serial = NULL; - BIO *in = NULL, *out = NULL; + BIO *out = NULL; ENGINE *e = NULL, *gen_eng = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *genctx = NULL; @@ -469,7 +469,7 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "Using configuration from %s\n", template); if ((req_conf = app_load_config(template)) == NULL) goto end; - if (addext_bio) { + if (addext_bio != NULL) { if (verbose) BIO_printf(bio_err, "Using additional configuration from command line\n"); 
@@ -590,12 +590,9 @@ int req_main(int argc, char **argv) if (keyfile != NULL) { pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); - if (pkey == NULL) { - /* load_key() has already printed an appropriate message */ + if (pkey == NULL) goto end; - } else { - app_RAND_load_conf(req_conf, section); - } + app_RAND_load_conf(req_conf, section); } if (newreq && (pkey == NULL)) { @@ -715,18 +712,9 @@ int req_main(int argc, char **argv) } if (!newreq) { - in = bio_open_default(infile, 'r', informat); - if (in == NULL) + req = load_csr(infile, informat, "X509 request"); + if (req == NULL) goto end; - - if (informat == FORMAT_ASN1) - req = d2i_X509_REQ_bio(in, NULL); - else - req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); - if (req == NULL) { - BIO_printf(bio_err, "unable to load X509 request\n"); - goto end; - } } if (newreq || x509) { @@ -992,7 +980,6 @@ int req_main(int argc, char **argv) NCONF_free(req_conf); NCONF_free(addext_conf); BIO_free(addext_bio); - BIO_free(in); BIO_free_all(out); EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(genctx); diff --git a/apps/s_client.c b/apps/s_client.c index a28b2867a3..eb4dbdcaa2 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1714,18 +1714,14 @@ int s_client_main(int argc, char **argv) if (key_file != NULL) { key = load_key(key_file, key_format, 0, pass, e, "client certificate private key file"); - if (key == NULL) { - ERR_print_errors(bio_err); + if (key == NULL) goto end; - } } if (cert_file != NULL) { cert = load_cert(cert_file, cert_format, "client certificate file"); - if (cert == NULL) { - ERR_print_errors(bio_err); + if (cert == NULL) goto end; - } } if (chain_file != NULL) { 
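Review bot: The `desc` strings handed to the shared loaders are inconsistent across this series, and they are user-visible now that apps.c formats "Unable to load %s" from them: req.c passes "X509 request" in hunk @@ -715, ca.c passes "certificate request", x509.c passes "certificate request input", and the key in hunk @@ -590 is described as "Private Key" with unusual capitalisation beside "CRL" and "client certificate private key file" elsewhere. Choosing one phrase, e.g. `"certificate request"`, and lower-case `"private key"` would give the three apps the same message for the same failure. Hunk @@ -590's de-indented `app_RAND_load_conf(req_conf, section);` is fine, since the `goto end` above it makes the old `else` redundant.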
@@ -1736,12 +1732,9 @@ int s_client_main(int argc, char **argv) if (crl_file != NULL) { X509_CRL *crl; - crl = load_crl(crl_file, crl_format); - if (crl == NULL) { - BIO_puts(bio_err, "Error loading CRL\n"); - ERR_print_errors(bio_err); + crl = load_crl(crl_file, crl_format, "CRL"); + if (crl == NULL) goto end; - } crls = sk_X509_CRL_new_null(); if (crls == NULL || !sk_X509_CRL_push(crls, crl)) { BIO_puts(bio_err, "Error adding CRL\n"); diff --git a/apps/s_server.c b/apps/s_server.c index 14550aebc2..23c762ba9f 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1736,18 +1736,14 @@ int s_server_main(int argc, char *argv[]) if (nocert == 0) { s_key = load_key(s_key_file, s_key_format, 0, pass, engine, "server certificate private key file"); - if (s_key == NULL) { - ERR_print_errors(bio_err); + if (s_key == NULL) goto end; - } s_cert = load_cert(s_cert_file, s_cert_format, "server certificate file"); - if (s_cert == NULL) { - ERR_print_errors(bio_err); + if (s_cert == NULL) goto end; - } if (s_chain_file != NULL) { if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, "server certificate chain")) @@ -1757,18 +1753,14 @@ int s_server_main(int argc, char *argv[]) if (tlsextcbp.servername != NULL) { s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine, "second server certificate private key file"); - if (s_key2 == NULL) { - ERR_print_errors(bio_err); + if (s_key2 == NULL) goto end; - } s_cert2 = load_cert(s_cert_file2, s_cert_format, "second server certificate file"); - if (s_cert2 == NULL) { - ERR_print_errors(bio_err); + if (s_cert2 == NULL) goto end; - } } } #if !defined(OPENSSL_NO_NEXTPROTONEG) 
@@ -1787,12 +1779,9 @@ int s_server_main(int argc, char *argv[]) if (crl_file != NULL) { X509_CRL *crl; - crl = load_crl(crl_file, crl_format); - if (crl == NULL) { - BIO_puts(bio_err, "Error loading CRL\n"); - ERR_print_errors(bio_err); + crl = load_crl(crl_file, crl_format, "CRL"); + if (crl == NULL) goto end; - } crls = sk_X509_CRL_new_null(); if (crls == NULL || !sk_X509_CRL_push(crls, crl)) { BIO_puts(bio_err, "Error adding CRL\n"); @@ -1809,10 +1798,8 @@ int s_server_main(int argc, char *argv[]) s_dkey = load_key(s_dkey_file, s_dkey_format, 0, dpass, engine, "second certificate private key file"); - if (s_dkey == NULL) { - ERR_print_errors(bio_err); + if (s_dkey == NULL) goto end; - } s_dcert = load_cert(s_dcert_file, s_dcert_format, "second server certificate file"); diff --git a/apps/x509.c b/apps/x509.c index 16c1f95754..a2a52e41b1 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -572,18 +572,10 @@ int x509_main(int argc, char **argv) if (reqfile) { EVP_PKEY *pkey; - BIO *in; - in = bio_open_default(infile, 'r', informat); - if (in == NULL) + req = load_csr(infile, informat, "certificate request input"); + if (req == NULL) goto end; - req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); - BIO_free(in); - - if (req == NULL) { - ERR_print_errors(bio_err); - goto end; - } if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index d561101d80..0202661845 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -36,8 +36,10 @@ B<openssl> B<ca> [B<-key> I<arg>] [B<-passin> I<arg>] [B<-cert> I<file>] +[B<-certform> B<DER>|<PEM>] [B<-selfsign>] [B<-in> I<file>] +[B<-inform> B<DER>|<PEM>] [B<-out> I<file>] [B<-notext>] [B<-outdir> I<dir>] 
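Review bot: Replacing the unconditional PEM_read_bio_X509_REQ() with `load_csr(infile, informat, ...)` changes how the request is parsed in x509_main(): the removed code read PEM regardless of `-inform`, whereas the new call presumably selects DER or PEM from `informat` the way the code removed from req.c did. If so, `x509 -req -inform DER` starts working and `-inform DER` given a PEM request stops working, which is user-visible; the only manual page updated in this diff is the one for ca, so the x509 manual page and the changelog should mention that `-inform` now applies to `-req` input. The removed explicit `ERR_print_errors(bio_err)` on this path now relies on load_csr() reporting the failure, as noted for the other loaders. x509_main() begins and ends outside this hunk.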
@@ -104,6 +106,11 @@ B<default_ca> in the B<ca> section). An input filename containing a single certificate request to be signed by the CA. +=item B<-inform> B<DER>|B<PEM> + +The format of the data in CSR input files. +The default is PEM. + =item B<-ss_cert> I<filename> A single self-signed certificate to be signed by the CA. @@ -135,6 +142,11 @@ F<.pem> appended. The CA certificate file. +=item B<-certform> B<DER>|B<PEM> + +The format of the data in certificate input files. +The default is PEM. + =item B<-keyfile> I<filename> The private key to sign requests with. diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t index 3b36a2bfd9..3d4dfcd060 100644 --- a/test/recipes/80-test_ca.t +++ b/test/recipes/80-test_ca.t @@ -32,12 +32,12 @@ plan tests => 6; $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; skip "failed creating new certificate request", 3 - if !ok(run(perlapp(["CA.pl","-newreq"])), + if !ok(run(perlapp(["CA.pl","-newreq", + "-extra-req","-outform DER"])), 'creating certificate request'); - - $ENV{OPENSSL_CONFIG} = '-rand_serial -config "'.$std_openssl_cnf.'"'; + $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"'; skip "failed to sign certificate request", 2 - if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, + if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0, 'signing certificate request'); ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),