Subject DN and hash output from openssl req
Hello, I'm working on some scripts to enable users to request certs. For this purpose I've made a patch to the openssl req command, which enables the scripts to extract the subject DN and hash value (like in openssl x509 -subject -hash ...). In case this is of any interest for the public, I'm attaching the patch below. The patch is against SNAP-2615, but I suppose it will patch the current snapshot with a little fuzz. Regards, SSS --- req.c.orig Fri Jun 23 13:13:40 2000 +++ req.c Fri Jun 23 15:26:52 2000 @@ -104,6 +104,8 @@ * -keyform- key file format. * -newkey - make a key and a request. * -modulus- print RSA modulus. + * -subject - print subject DN. + * -hash- print hash value. * -x509 - output a self signed X509 structure instead. * -asn1-kludge- output new certificate request in a format that some CA's * require. This format is wrong @@ -155,7 +157,7 @@ char *extensions = NULL; char *req_exts = NULL; EVP_CIPHER *cipher=NULL; - int modulus=0; + int modulus=0, subject=0, hash=0; char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; char *p; @@ -310,6 +312,10 @@ newhdr=1; else if (strcmp(*argv,"-modulus") == 0) modulus=1; +else if (strcmp(*argv,"-subject") == 0) +subject=1; +else if (strcmp(*argv,"-hash") == 0) +hash=1; else if (strcmp(*argv,"-verify") == 0) verify=1; else if (strcmp(*argv,"-nodes") == 0) @@ -367,7 +373,9 @@ BIO_printf(bio_err," -text text form of request\n"); BIO_printf(bio_err," -noout do not output REQ\n"); BIO_printf(bio_err," -verifyverify signature on REQ\n"); - BIO_printf(bio_err," -modulus RSA modulus\n"); + BIO_printf(bio_err," -modulus print RSA modulus\n"); + BIO_printf(bio_err," -subject print subject DN\n"); + BIO_printf(bio_err," -hash print hash value\n"); BIO_printf(bio_err," -nodes don't encrypt the output key\n"); BIO_printf(bio_err," -key file use the private key contained in file\n"); BIO_printf(bio_err," -keyform arg key file format\n"); 
@@ -781,7 +789,7 @@ BIO_printf(bio_err,"verify OK\n"); } - if (noout !text !modulus) + if (noout !text !modulus !subject !hash) { ex=0; goto end; @@ -832,6 +840,38 @@ fprintf(stdout,"Wrong Algorithm type"); fprintf(stdout,"\n"); } + +if (subject) +{ +char sn[256] = ""; + +if (x509) + X509_NAME_oneline(X509_get_subject_name(x509ss),sn,256); +else + X509_NAME_oneline(X509_REQ_get_subject_name(req),sn,256); +if (!*sn) +{ +fprintf(stdout,"subject=unavailable\n"); +goto end; +} +fprintf(stdout,"subject=%s\n",sn); +} + +if (hash) +{ +X509_NAME *xn; + +if (x509) +xn=X509_get_subject_name(x509ss); +else +xn=X509_REQ_get_subject_name(req); +if (xn == NULL) +{ +fprintf(stdout,"hash=unavailable\n"); +goto end; +} +fprintf(stdout,"hash=%08lx\n",X509_NAME_hash(xn)); +} if (!noout !x509) { __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
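Review bot: the usage hunk (@@ -367) and the header comment hunk (@@ -104) add `-subject` and `-hash` to the in-source help, but the diff touches no documentation file, so the two options, and the fact that with `-x509` they report the self-signed certificate rather than the request, are undocumented outside `-help`; the req man page should get matching entries.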
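Review bot: in the @@ -781 hunk the changed condition `if (noout !text !modulus !subject !hash)` has no operators between its terms as rendered here and would not compile; the `&&` were presumably lost when the mail was wrapped (the resend as an attachment later in this thread suggests so), so the line to check in the attached copy is `if (noout && !text && !modulus && !subject && !hash)`, which is what keeps `-noout -subject` from exiting before the subject is printed.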
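Review bot: in the @@ -832 hunk, `X509_NAME_oneline(...,sn,256)` truncates any DN longer than 255 bytes without signalling it, so a script consuming the output can get a silently mangled subject; passing a NULL buffer makes X509_NAME_oneline allocate one large enough (free it after the fprintf). In the same hunk the `subject=unavailable` branch does `goto end` without setting `ex`, whereas the `-noout` path in the previous hunk sets `ex=0` first, and the jump also skips the `-hash` block, so `-subject -hash` on a request with an empty subject prints neither; falling through instead of jumping would keep the two options independent. Finally, `openssl x509 -hash` prints the bare eight hex digits, so the `hash=` prefix here will not drop into hash-based symlink scripts unchanged.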
Re: problem with command make.
I think openssl requires gnu make (it's much better than most makes). You may need to download this or you may have it already under the name of gmake. Hope this helps, dgym bailey
RE: Subject DN and hash output from openssl req
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Svenning Sørensen Sent: Friday, June 23, 2000 4:38 PM To: [EMAIL PROTECTED] Subject: Subject DN and hash output from openssl req
Argh! Having received my own mail from the list, I saw that the lines were wrapped, so here we go again, with an attachment this time... SSS req.c.diff
Re: problem with command make.
On Fri, Jun 23, 2000, James Bailey wrote:
> I think openssl requires gnu make (it's much better than most makes). You may need to download this or you may have it already under the name of gmake.
OpenSSL doesn't require GNU make. But if you want to build a library on Unix, you need "ar".
Re: problem with command make.
Jesus Ferreira wrote:
> Dear all, We have Apache server 1.3.6 over a Solaris 2.6 system, and we are trying to install openssl and apache_1.3.6+ssl_1.39 but we have found problems when we tried to execute the "make" command.
You have a problem with the "ar" command:
ar r ../libcrypto.a cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o
make[1]: ar: Command not found
make[1]: *** [lib] Error 127
make[1]: Leaving directory `/opt/isroot4/openssl-0.9.5/crypto'
make: *** [all] Error 1
make can't find it. Check your PATH... By Goetz
-- Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de Sonninstr. 24-28, 20097 Hamburg, Germany Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
[PATCH]: session_cache_mode
This is a patch to openssl-0.9.5a that makes sure that the session_cache_mode is used to determine whether a session is resumed or renegotiated. Previously clients always attempted a session resume if the session id was non NULL. So now SSL_CTX_new sets the cache mode to client or server depending on whether the method is client or server. Also client_hello from s2_clnt.c and s3_clnt hello only attempt a session resume if the SSL_SESS_CACHE_CLIENT is set. nagendra diff -urN openssl-0.9.5a/ssl/s2_clnt.c openssl-0.9.5a-work/ssl/s2_clnt.c --- openssl-0.9.5a/ssl/s2_clnt.cThu Feb 3 15:23:22 2000 +++ openssl-0.9.5a-work/ssl/s2_clnt.c Tue Jun 20 18:07:57 2000 @@ -473,7 +473,8 @@ if (s-state == SSL2_ST_SEND_CLIENT_HELLO_A) { if ((s-session == NULL) || - (s-session-ssl_version != s-version)) + (s-session-ssl_version != s-version) || + !(s-ctx-session_cache_mode SSL_SESS_CACHE_CLIENT)) { if (!ssl_get_new_session(s,0)) { diff -urN openssl-0.9.5a/ssl/s3_clnt.c openssl-0.9.5a-work/ssl/s3_clnt.c --- openssl-0.9.5a/ssl/s3_clnt.cMon Mar 27 13:28:27 2000 +++ openssl-0.9.5a-work/ssl/s3_clnt.c Tue Jun 20 16:49:52 2000 @@ -456,7 +456,8 @@ { if ((s-session == NULL) || (s-session-ssl_version != s-version) || - (s-session-not_resumable)) + (s-session-not_resumable) || + !(s-ctx-session_cache_mode SSL_SESS_CACHE_CLIENT)) { if (!ssl_get_new_session(s,0)) goto err; diff -urN openssl-0.9.5a/ssl/ssl_lib.c openssl-0.9.5a-work/ssl/ssl_lib.c --- openssl-0.9.5a/ssl/ssl_lib.cMon Mar 27 13:28:28 2000 +++ openssl-0.9.5a-work/ssl/ssl_lib.c Tue Jun 20 16:53:22 2000 @@ -1108,7 +1108,12 @@ ret-method=meth; ret-cert_store=NULL; - ret-session_cache_mode=SSL_SESS_CACHE_SERVER; + + if(meth-ssl_accept == ssl_undefined_function) + ret-session_cache_mode=SSL_SESS_CACHE_CLIENT; + else + ret-session_cache_mode=SSL_SESS_CACHE_SERVER; + ret-session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; ret-session_cache_head=NULL; ret-session_cache_tail=NULL;
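Review bot: in the s2_clnt.c hunk, `!(s-ctx-session_cache_mode SSL_SESS_CACHE_CLIENT)` as shown is missing the `&` (and the `->` arrows), most likely mail mangling, but the committed text must read `!(s->ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT)`; the same applies to the identical line in the s3_clnt.c hunk.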
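Review bot: the s3_clnt.c hunk (and the s2_clnt.c one) changes behaviour for existing callers: an application that deliberately installs a session with SSL_set_session() without ever touching the cache mode will now have that session discarded by ssl_get_new_session() and silently perform a full handshake. That needs a CHANGES entry and a note in the SSL_CTX_set_session_cache_mode documentation saying SSL_SESS_CACHE_CLIENT is now required for client-side resumption.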
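Review bot: in the ssl_lib.c hunk, `meth-ssl_accept == ssl_undefined_function` only identifies client-only methods; a method that implements both sides (the plain `*_method()` variants, as opposed to `*_client_method()`) has a real ssl_accept and so gets SSL_SESS_CACHE_SERVER, and combined with the client hunks a context built from such a method never resumes unless the application sets the mode itself. Setting SSL_SESS_CACHE_BOTH when both ssl_connect and ssl_accept are defined would preserve the previous client behaviour for those contexts.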
RE: Subject DN and hash output from openssl req
I'm really sorry to bother you again, but I realized that my previous patch was a bit clumsy, mostly because it wasn't consistent with the way "openssl x509" and "openssl crl" print the DN hash value, so it didn't fit too well into the convention of making symlink names based on the hash (I have now removed the leading "hash="). So I'm sending a new patch (this time against SNAP-2623), that I hope will be more useful. Regards, SSS req.c.diff