I'm honestly very unsure about this one. After all, "openssl ca"
already covers this, so I wonder why there's a need to create another
way to do the same thing, and add to the confusion on how to do things..
.
[EMAIL PROTECTED] - Thu Apr 25 16:20:45 2002]:
> What about the patch below for 0.9.6d? Doc patch as well:
>
> --- x509.pod.orig Mon Jan 14 12:03:55 2002
> +++ x509.pod Mon Jan 14 12:03:35 2002
> @@ -43,6 +43,7 @@
> [B<-CAkey filename>]
> [B<-CAcreateserial>]
> [B<-CAserial filename>]
> +[B<-noselfsign>]
> [B<-text>]
> [B<-C>]
> [B<-md2|-md5|-sha1|-mdc2>]
> @@ -300,7 +301,8 @@
> of the CA and it is digitally signed using the CAs private key.
>
> This option is normally combined with the B<-req> option. Without the
> -B<-req> option the input is a certificate which must be self signed.
> +B<-req> option the input is a certificate which must be self signed
> +(unless B<-noselfsign> is specified).
>
> =item B<-CAkey filename>
>
> @@ -327,6 +329,11 @@
> it will contain the serial number "02" and the certificate being
> signed will
> have the 1 as its serial number. Normally if the B<-CA> option is
> specified
> and the serial number file does not exist it is an error.
> +
> +=item B<-noselfsign>
> +
> +with this option the "mini CA" (see B<-CA>) will sign certificates
> +with unverified signatures.
>
> =item B<-extfile filename>
>
>
>
> Simon Josefsson <[EMAIL PROTECTED]> writes:
>
> > This patch that allows you to override the check for a valid self-
> signed
> > certificate when signing certs using 'x509 -CA'. I find this useful
> for
> > those times when you edit certs with M-x hexl-mode.
> >
> > --- x509.c.orig Mon Jan 14 11:41:05 2002
> > +++ x509.c Mon Jan 14 11:41:41 2002
> > @@ -122,6 +122,7 @@
> > " missing, it is assumed to be in the CA
> file.\n",
> > " -CAcreateserial - create serial number file if it does not
> exist\n",
> > " -CAserial - serial file\n",
> > +" -noselfsign - accept certificates that aren't self signed,
> for -CA.\n",
> > " -text - print the certificate in text form\n",
> > " -C - print out C code forms\n",
> > " -md2/-md5/-sha1/-mdc2 - digest to use\n",
> > @@ -137,7 +138,8 @@
> > LHASH *conf, char *section);
> > static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
> *digest,
> > X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
> > - int create,int days, int clrext, LHASH *conf, char *section);
> > + int create,int days, int clrext, LHASH *conf,
> > + char *section, int noselfsign);
> > static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
> > static int reqfile=0;
> >
> > @@ -158,6 +160,7 @@
> > char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
> > char *CAkeyfile=NULL,*CAserial=NULL;
> > char *alias=NULL;
> > + int noselfsign=0;
> > int
> text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
> > int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
> > int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
> > @@ -339,6 +342,8 @@
> > }
> > else if (strcmp(*argv,"-C") == 0)
> > C= ++num;
> > + else if (strcmp(*argv,"-noselfsign") == 0)
> > + noselfsign = ++num;
> > else if (strcmp(*argv,"-email") == 0)
> > email= ++num;
> > else if (strcmp(*argv,"-serial") == 0)
> > @@ -844,8 +849,8 @@
> >
> > assert(need_rand);
> > if (!x509_certify(ctx,CAfile,digest,x,xca,
> > - CApkey, CAserial,CA_createserial,days, clrext,
> > - extconf, extsect))
> > + CApkey, CAserial,CA_createserial,days,
> > + clrext, extconf, extsect, noselfsign))
> > goto end;
> > }
> > else if (x509req == i)
> > @@ -966,7 +971,7 @@
> >
> > static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD
> *digest,
> > X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int
> create,
> > - int days, int clrext, LHASH *conf, char *section)
> > + int days, int clrext, LHASH *conf, char *section, int
> noselfsign)
> > {
> > int ret=0;
> > BIO *io=NULL;
> > @@ -1068,8 +1073,8 @@
> > /* NOTE: this certificate can/should be self signed, unless it was
> > * a certificate request in which case it is not. */
> > X509_STORE_CTX_set_cert(&xsc,x);
> > - if (!reqfile && !X509_verify_cert(&xsc))
> > - goto end;
> > + if (!reqfile && !noselfsign && !X509_verify_cert(&xsc))
> > + goto end;
> >
> > if (!X509_check_private_key(xca,pkey))
> > {
> > @@ -1132,6 +1137,7 @@
> > if (ok)
> > {
> > BIO_printf(bio_err,"error with certificate to be certified -
> should be self signed\n");
> > + BIO_printf(bio_err,"consider using -noselfsign\n");
> > return 0;
> > }
> > else
> >
>
______________________________________________________________________
> > OpenSSL Project
> http://www.openssl.org
> > Development Mailing List openssl-
> [EMAIL PROTECTED]
> > Automated List Manager
> [EMAIL PROTECTED]
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
Richard Levitte
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]