I'm honestly very unsure about this one.  After all, "openssl ca" 
already covers this, so I wonder why there's a need to create another 
way to do the same thing, and add to the confusion on how to do things..
.

[EMAIL PROTECTED] - Thu Apr 25 16:20:45 2002]:

> What about the patch below for 0.9.6d?  Doc patch as well:
> 
> --- x509.pod.orig       Mon Jan 14 12:03:55 2002
> +++ x509.pod    Mon Jan 14 12:03:35 2002
> @@ -43,6 +43,7 @@
>  [B<-CAkey filename>]
>  [B<-CAcreateserial>]
>  [B<-CAserial filename>]
> +[B<-noselfsign>]
>  [B<-text>]
>  [B<-C>]
>  [B<-md2|-md5|-sha1|-mdc2>]
> @@ -300,7 +301,8 @@
>  of the CA and it is digitally signed using the CAs private key.
> 
>  This option is normally combined with the B<-req> option. Without the
> -B<-req> option the input is a certificate which must be self signed.
> +B<-req> option the input is a certificate which must be self signed
> +(unless B<-noselfsign> is specified).
> 
>  =item B<-CAkey filename>
> 
> @@ -327,6 +329,11 @@
>  it will contain the serial number "02" and the certificate being
>    signed will
>  have the 1 as its serial number. Normally if the B<-CA> option is
>    specified
>  and the serial number file does not exist it is an error.
> +
> +=item B<-noselfsign>
> +
> +with this option the "mini CA" (see B<-CA>) will sign certificates
> +with unverified signatures.
> 
>  =item B<-extfile filename>
> 
> 
> 
> Simon Josefsson <[EMAIL PROTECTED]> writes:
> 
> > This patch that allows you to override the check for a valid self-
>    signed
> > certificate when signing certs using 'x509 -CA'.  I find this useful
>    for
> > those times when you edit certs with M-x hexl-mode.
> >
> > --- x509.c.orig     Mon Jan 14 11:41:05 2002
> > +++ x509.c  Mon Jan 14 11:41:41 2002
> > @@ -122,6 +122,7 @@
> >  "                   missing, it is assumed to be in the CA
>    file.\n",
> >  " -CAcreateserial - create serial number file if it does not
>    exist\n",
> >  " -CAserial       - serial file\n",
> > +" -noselfsign     - accept certificates that aren't self signed,
>    for -CA.\n",
> >  " -text           - print the certificate in text form\n",
> >  " -C              - print out C code forms\n",
> >  " -md2/-md5/-sha1/-mdc2 - digest to use\n",
> > @@ -137,7 +138,8 @@
> >                                             LHASH *conf, char *section);
> >  static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
>    *digest,
> >                      X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
> > -                    int create,int days, int clrext, LHASH *conf, char *section);
> > +                    int create,int days, int clrext, LHASH *conf,
> > +                    char *section, int noselfsign);
> >  static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
> >  static int reqfile=0;
> >
> > @@ -158,6 +160,7 @@
> >     char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
> >     char *CAkeyfile=NULL,*CAserial=NULL;
> >     char *alias=NULL;
> > +   int noselfsign=0;
> >     int
>    text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
> >     int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
> >     int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
> > @@ -339,6 +342,8 @@
> >                     }
> >             else if (strcmp(*argv,"-C") == 0)
> >                     C= ++num;
> > +           else if (strcmp(*argv,"-noselfsign") == 0)
> > +                   noselfsign = ++num;
> >             else if (strcmp(*argv,"-email") == 0)
> >                     email= ++num;
> >             else if (strcmp(*argv,"-serial") == 0)
> > @@ -844,8 +849,8 @@
> >
> >                             assert(need_rand);
> >                             if (!x509_certify(ctx,CAfile,digest,x,xca,
> > -                                   CApkey, CAserial,CA_createserial,days, clrext,
> > -                                   extconf, extsect))
> > +                                   CApkey, CAserial,CA_createserial,days,
> > +                                   clrext, extconf, extsect, noselfsign))
> >                                     goto end;
> >                             }
> >                     else if (x509req == i)
> > @@ -966,7 +971,7 @@
> >
> >  static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD
>    *digest,
> >          X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int
>    create,
> > -        int days, int clrext, LHASH *conf, char *section)
> > +        int days, int clrext, LHASH *conf, char *section, int
>    noselfsign)
> >     {
> >     int ret=0;
> >     BIO *io=NULL;
> > @@ -1068,8 +1073,8 @@
> >     /* NOTE: this certificate can/should be self signed, unless it was
> >      * a certificate request in which case it is not. */
> >     X509_STORE_CTX_set_cert(&xsc,x);
> > -   if (!reqfile && !X509_verify_cert(&xsc))
> > -           goto end;
> > +   if (!reqfile && !noselfsign && !X509_verify_cert(&xsc))
> > +           goto end;
> >
> >     if (!X509_check_private_key(xca,pkey))
> >             {
> > @@ -1132,6 +1137,7 @@
> >     if (ok)
> >             {
> >             BIO_printf(bio_err,"error with certificate to be certified -
>    should be self signed\n");
> > +           BIO_printf(bio_err,"consider using -noselfsign\n");
> >             return 0;
> >             }
> >     else
> >
>    
______________________________________________________________________
> > OpenSSL Project
>    http://www.openssl.org
> > Development Mailing List                       openssl-
>    [EMAIL PROTECTED]
> > Automated List Manager
>    [EMAIL PROTECTED]
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]


-- 
Richard Levitte
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to