Subject DN and hash output from openssl req

2000-06-23 Thread Svenning Sørensen

Hello,

I'm working on some scripts to enable users to request certs.
For this purpose I've made a patch to the openssl req command,
which enables the scripts to extract the subject DN and hash
value (like in openssl x509 -subject -hash ...).
In case this is of any interest for the public, I'm attaching
the patch below.
The patch is against SNAP-2615, but i suppose it will
patch the current snapshot with a litlle fuzz.

Regards,
SSS



--- req.c.orig  Fri Jun 23 13:13:40 2000
+++ req.c   Fri Jun 23 15:26:52 2000
@@ -104,6 +104,8 @@
  * -keyform- key file format.
  * -newkey - make a key and a request.
  * -modulus- print RSA modulus.
+ * -subject - print subject DN.
+ * -hash- print hash value.
  * -x509   - output a self signed X509 structure instead.
  * -asn1-kludge- output new certificate request in a format that
some CA's
  *   require.  This format is wrong
@@ -155,7 +157,7 @@
char *extensions = NULL;
char *req_exts = NULL;
EVP_CIPHER *cipher=NULL;
-   int modulus=0;
+   int modulus=0, subject=0, hash=0;
char *passargin = NULL, *passargout = NULL;
char *passin = NULL, *passout = NULL;
char *p;
@@ -310,6 +312,10 @@
newhdr=1;
else if (strcmp(*argv,"-modulus") == 0)
modulus=1;
+else if (strcmp(*argv,"-subject") == 0)
+subject=1;
+else if (strcmp(*argv,"-hash") == 0)
+hash=1;
else if (strcmp(*argv,"-verify") == 0)
verify=1;
else if (strcmp(*argv,"-nodes") == 0)
@@ -367,7 +373,9 @@
BIO_printf(bio_err," -text  text form of
request\n");
BIO_printf(bio_err," -noout do not output REQ\n");
BIO_printf(bio_err," -verifyverify signature on
REQ\n");
-   BIO_printf(bio_err," -modulus   RSA modulus\n");
+   BIO_printf(bio_err," -modulus   print RSA modulus\n");
+   BIO_printf(bio_err," -subject   print subject DN\n");
+   BIO_printf(bio_err," -hash  print hash value\n");
BIO_printf(bio_err," -nodes don't encrypt the output
key\n");
BIO_printf(bio_err," -key file  use the private key
contained in file\n");
BIO_printf(bio_err," -keyform arg   key file format\n");
@@ -781,7 +789,7 @@
BIO_printf(bio_err,"verify OK\n");
}

-   if (noout  !text  !modulus)
+   if (noout  !text  !modulus  !subject  !hash)
{
ex=0;
goto end;
@@ -832,6 +840,38 @@
fprintf(stdout,"Wrong Algorithm type");
fprintf(stdout,"\n");
}
+
+if (subject)
+{
+char sn[256] = "";
+
+if (x509)
+
X509_NAME_oneline(X509_get_subject_name(x509ss),sn,256);
+else
+
X509_NAME_oneline(X509_REQ_get_subject_name(req),sn,256);
+if (!*sn)
+{
+fprintf(stdout,"subject=unavailable\n");
+goto end;
+}
+fprintf(stdout,"subject=%s\n",sn);
+}
+
+if (hash)
+{
+X509_NAME *xn;
+
+if (x509)
+xn=X509_get_subject_name(x509ss);
+else
+xn=X509_REQ_get_subject_name(req);
+if (xn == NULL)
+{
+fprintf(stdout,"hash=unavailable\n");
+goto end;
+}
+fprintf(stdout,"hash=%08lx\n",X509_NAME_hash(xn));
+}

if (!noout  !x509)
{

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: problem with command make.

2000-06-23 Thread James Bailey

I think openssl requires gnu make (its much better than most makes). You
may need to download this or you may have it already under the name of
gmake.

Hope this helps,

dgym bailey
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Subject DN and hash output from openssl req

2000-06-23 Thread Svenning Sørensen

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Svenning Sørensen
 Sent: Friday, June 23, 2000 4:38 PM
 To: [EMAIL PROTECTED]
 Subject: Subject DN and hash output from openssl req

Argh! Having received my own mail from the list, I saw that the lines
were wrapped, so here we go again, with an attachment this time...

SSS


 req.c.diff


Re: problem with command make.

2000-06-23 Thread Ulf Moeller

On Fri, Jun 23, 2000, James Bailey wrote:

 I think openssl requires gnu make (its much better than most makes). You
 may need to download this or you may have it already under the name of
 gmake.

OpenSSL doesn't require GNU make.

But if you want to build a library on Unix, you need "ar".

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: problem with command make.

2000-06-23 Thread Goetz Babin-Ebell

Jesus Ferreira wrote:
 
 Dear all,
 We have Apache server 1.3.6 over a Solaris 2.6 systmen,  and we are
 trying to install openssl and apache_1.3.6+ssl_1.39 but we have found
 problems when we tried to execute the "make" command.

You have a problem with the "ar" command:

 ar r ../libcrypto.a cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o 
cpt_err.o ebcdic.o
 make[1]: ar: Command not found
 make[1]: *** [lib] Error 127
 make[1]: Leaving directory `/opt/isroot4/openssl-0.9.5/crypto'
 make: *** [all] Error 1

make can't find it.
check your PATH...

By

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



[PATCH]: session_cache_mode

2000-06-23 Thread nagendra


This is a patch to openssl-0.9.5a that makes sure that the
session_cache_mode is used to determine whether a session is resumed or
renegotiated. Previously clients always attempted a session resume if the
session id was non NULL.

So now SSL_CTX_new sets the cache mode to client or server depending on
whether the method is client or server. Also client_hello from s2_clnt.c
and s3_clnt hello only attempt a session resume if the
SSL_SESS_CACHE_CLIENT is set.

nagendra


diff -urN openssl-0.9.5a/ssl/s2_clnt.c openssl-0.9.5a-work/ssl/s2_clnt.c
--- openssl-0.9.5a/ssl/s2_clnt.cThu Feb  3 15:23:22 2000
+++ openssl-0.9.5a-work/ssl/s2_clnt.c   Tue Jun 20 18:07:57 2000
@@ -473,7 +473,8 @@
if (s-state == SSL2_ST_SEND_CLIENT_HELLO_A)
{
if ((s-session == NULL) ||
-   (s-session-ssl_version != s-version))
+   (s-session-ssl_version != s-version) ||
+   !(s-ctx-session_cache_mode  SSL_SESS_CACHE_CLIENT))
{
if (!ssl_get_new_session(s,0))
{
diff -urN openssl-0.9.5a/ssl/s3_clnt.c openssl-0.9.5a-work/ssl/s3_clnt.c
--- openssl-0.9.5a/ssl/s3_clnt.cMon Mar 27 13:28:27 2000
+++ openssl-0.9.5a-work/ssl/s3_clnt.c   Tue Jun 20 16:49:52 2000
@@ -456,7 +456,8 @@
{
if ((s-session == NULL) ||
(s-session-ssl_version != s-version) ||
-   (s-session-not_resumable))
+   (s-session-not_resumable) || 
+   !(s-ctx-session_cache_mode  SSL_SESS_CACHE_CLIENT))
{
if (!ssl_get_new_session(s,0))
goto err;
diff -urN openssl-0.9.5a/ssl/ssl_lib.c openssl-0.9.5a-work/ssl/ssl_lib.c
--- openssl-0.9.5a/ssl/ssl_lib.cMon Mar 27 13:28:28 2000
+++ openssl-0.9.5a-work/ssl/ssl_lib.c   Tue Jun 20 16:53:22 2000
@@ -1108,7 +1108,12 @@
ret-method=meth;
 
ret-cert_store=NULL;
-   ret-session_cache_mode=SSL_SESS_CACHE_SERVER;
+
+   if(meth-ssl_accept == ssl_undefined_function)
+   ret-session_cache_mode=SSL_SESS_CACHE_CLIENT;
+   else
+   ret-session_cache_mode=SSL_SESS_CACHE_SERVER;
+
ret-session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
ret-session_cache_head=NULL;
ret-session_cache_tail=NULL;



RE: Subject DN and hash output from openssl req

2000-06-23 Thread Svenning Sørensen

I'm really sorry bothering you again, but I realized that my previous
patch was a bit clumsy. Mostly because it wasn't consistent with the
way "openssl x509" and "openssl crl" prints the DN hash value, so it
didn't fit too well into the convention of making symlink names based
on the hash (I have now removed the leading "hash=").
So I'm sending a new patch (this time against SNAP-2623), that I
hope will be more useful.

Regards,
SSS


 req.c.diff