What about the patch below for 0.9.6d?  Doc patch as well:

--- x509.pod.orig       Mon Jan 14 12:03:55 2002
+++ x509.pod    Mon Jan 14 12:03:35 2002
@@ -43,6 +43,7 @@
 [B<-CAkey filename>]
 [B<-CAcreateserial>]
 [B<-CAserial filename>]
+[B<-noselfsign>]
 [B<-text>]
 [B<-C>]
 [B<-md2|-md5|-sha1|-mdc2>]
@@ -300,7 +301,8 @@
 of the CA and it is digitally signed using the CAs private key.
 
 This option is normally combined with the B<-req> option. Without the
-B<-req> option the input is a certificate which must be self signed.
+B<-req> option the input is a certificate which must be self signed
+(unless B<-noselfsign> is specified).
 
 =item B<-CAkey filename>
 
@@ -327,6 +329,11 @@
 it will contain the serial number "02" and the certificate being signed will
 have the 1 as its serial number. Normally if the B<-CA> option is specified
 and the serial number file does not exist it is an error.
+
+=item B<-noselfsign>
+
+with this option the "mini CA" (see B<-CA>) will sign certificates
+with unverified signatures.
 
 =item B<-extfile filename>
 


Simon Josefsson <[EMAIL PROTECTED]> writes:

> This patch allows you to override the check for a valid self-signed
> certificate when signing certs using 'x509 -CA'.  I find this useful for 
> those times when you edit certs with M-x hexl-mode.
>
> --- x509.c.orig       Mon Jan 14 11:41:05 2002
> +++ x509.c    Mon Jan 14 11:41:41 2002
> @@ -122,6 +122,7 @@
>  "                   missing, it is assumed to be in the CA file.\n",
>  " -CAcreateserial - create serial number file if it does not exist\n",
>  " -CAserial       - serial file\n",
> +" -noselfsign     - accept certificates that aren't self signed, for -CA.\n",
>  " -text           - print the certificate in text form\n",
>  " -C              - print out C code forms\n",
>  " -md2/-md5/-sha1/-mdc2 - digest to use\n",
> @@ -137,7 +138,8 @@
>                                               LHASH *conf, char *section);
>  static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
>                        X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
> -                      int create,int days, int clrext, LHASH *conf, char *section);
> +                      int create,int days, int clrext, LHASH *conf,
> +                      char *section, int noselfsign);
>  static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
>  static int reqfile=0;
>  
> @@ -158,6 +160,7 @@
>       char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
>       char *CAkeyfile=NULL,*CAserial=NULL;
>       char *alias=NULL;
> +     int noselfsign=0;
>       int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
>       int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
>       int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
> @@ -339,6 +342,8 @@
>                       }
>               else if (strcmp(*argv,"-C") == 0)
>                       C= ++num;
> +             else if (strcmp(*argv,"-noselfsign") == 0)
> +                     noselfsign = ++num;
>               else if (strcmp(*argv,"-email") == 0)
>                       email= ++num;
>               else if (strcmp(*argv,"-serial") == 0)
> @@ -844,8 +849,8 @@
>                               
>                               assert(need_rand);
>                               if (!x509_certify(ctx,CAfile,digest,x,xca,
> -                                     CApkey, CAserial,CA_createserial,days, clrext,
> -                                     extconf, extsect))
> +                                     CApkey, CAserial,CA_createserial,days,
> +                                     clrext, extconf, extsect, noselfsign))
>                                       goto end;
>                               }
>                       else if (x509req == i)
> @@ -966,7 +971,7 @@
>  
>  static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
>            X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
> -          int days, int clrext, LHASH *conf, char *section)
> +          int days, int clrext, LHASH *conf, char *section, int noselfsign)
>       {
>       int ret=0;
>       BIO *io=NULL;
> @@ -1068,8 +1073,8 @@
>       /* NOTE: this certificate can/should be self signed, unless it was
>        * a certificate request in which case it is not. */
>       X509_STORE_CTX_set_cert(&xsc,x);
> -     if (!reqfile && !X509_verify_cert(&xsc))
> -             goto end;
> +     if (!reqfile && !noselfsign && !X509_verify_cert(&xsc))
> +             goto end;
>  
>       if (!X509_check_private_key(xca,pkey))
>               {
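Review bot: The new condition on the `if (!reqfile && !noselfsign && !X509_verify_cert(&xsc))` line skips X509_verify_cert() altogether when -noselfsign is given, so nothing about the input certificate — neither its self-signature nor any other signature — is checked before it is re-signed with the CA key, which is broader than the option name and the usage text in the earlier hunk (`accept certificates that aren't self signed`) suggest. The NOTE comment two lines above it is now stale and should state the bypass, e.g. `/* NOTE: the input is expected to be self signed (unless it came from a request); -noselfsign skips X509_verify_cert() entirely, so an unverified input is certified as-is. */`. Because the bypass is silent, a one-line notice on the skipped path would let the operator see that an unverified certificate is being certified: `if (!reqfile && noselfsign) BIO_printf(bio_err,"warning: -noselfsign given, signature of input certificate not verified\n");`. x509_certify begins in an earlier hunk and continues past this one.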
> @@ -1132,6 +1137,7 @@
>       if (ok)
>               {
>               BIO_printf(bio_err,"error with certificate to be certified - should be 
>self signed\n");
> +             BIO_printf(bio_err,"consider using -noselfsign\n");
>               return 0;
>               }
>       else
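Review bot: The added hint `consider using -noselfsign` sits in the `if (ok)` branch, which from the visible context is reached when verification succeeded but the certificate was not self signed; the failing-signature case the cover note describes (a hand-edited certificate) would, if that reading of the callback is right, fall into the `else` branch and never see the hint. Whichever branch carries it, the hint should say what the option gives up so the operator does not reach for it blindly: `BIO_printf(bio_err,"consider using -noselfsign (skips signature verification of the input certificate)\n");`. The enclosing callback starts before this hunk and continues after it.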