Loading CHANGES +10 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,16 @@ Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] *) Add a ctrl to asn1 method to allow a public key algorithm to express a default digest type to use. In most cases this will be SHA1 but some algorithms (such as GOST) need to specify an alternative digest. The return value indicates how strong the prefernce is 1 means optional and 2 is mandatory (that is it is the only supported type). Modify ASN1_item_sign() to accept a NULL digest argument to indicate it should use the default md. Update openssl utilities to use the default digest type for signing if it is not explicitly indicated. [Steve Henson] *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant signing method from the key type. This effectively removes the link Loading apps/ca.c +11 −25 Original line number Diff line number Diff line Loading @@ -1016,6 +1016,17 @@ bad: goto err; } if (!strcmp(md, "default")) { int def_nid; if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { BIO_puts(bio_err,"no default digest\n"); goto err; } md = (char *)OBJ_nid2sn(def_nid); } if ((dgst=EVP_get_digestbyname(md)) == NULL) { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); Loading Loading @@ -1412,17 +1423,6 @@ bad: /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); #if 0 #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); else #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) dgst=EVP_ecdsa(); #endif #endif /* Add any extensions asked for */ Loading Loading @@ -2101,25 +2101,11 @@ again2: } } #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) dgst = EVP_ecdsa(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); #endif if (!X509_sign(ret,pkey,dgst)) goto err; Loading apps/openssl.cnf +1 −1 Original line number Diff line number Diff line Loading @@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha1 # which md to use. default_md = default # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look Loading apps/req.c +2 −11 Original line number Diff line number Diff line Loading @@ -193,7 +193,7 @@ int MAIN(int argc, char **argv) char *p; char *subj = NULL; int multirdn = 0; const EVP_MD *md_alg=NULL,*digest=EVP_sha1(); const EVP_MD *md_alg=NULL,*digest=NULL; unsigned long chtype = MBSTRING_ASC; #ifndef MONOLITH char *to_free; Loading Loading @@ -894,16 +894,7 @@ loop: BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } #if 0 #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif #endif if (req == NULL) { req=X509_REQ_new(); Loading apps/x509.c +7 −30 Original line number Diff line number Diff line Loading @@ -188,7 +188,7 @@ int MAIN(int argc, char **argv) X509_REQ *rq=NULL; int fingerprint=0; char buf[256]; const EVP_MD *md_alg,*digest=EVP_sha1(); const EVP_MD *md_alg,*digest=NULL; CONF *extconf = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; Loading Loading @@ -885,14 +885,18 @@ bad: int j; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *fdig = digest; if (!X509_digest(x,digest,md,&n)) if (!fdig) fdig = EVP_sha1(); if (!X509_digest(x,fdig,md,&n)) { BIO_printf(bio_err,"out of memory\n"); goto end; } BIO_printf(STDout,"%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(digest))); OBJ_nid2sn(EVP_MD_type(fdig))); for (j=0; j<(int)n; j++) { BIO_printf(STDout,"%02X%c",md[j], Loading @@ -912,16 +916,6 @@ bad: passin, e, "Private key"); if (Upkey == NULL) goto end; } #if 0 #ifndef OPENSSL_NO_DSA if (Upkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (Upkey->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif #endif assert(need_rand); if (!sign(x,Upkey,days,clrext,digest, Loading @@ -938,14 +932,6 @@ bad: "CA Private Key"); if (CApkey == NULL) goto end; } #ifndef OPENSSL_NO_DSA if (CApkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (CApkey->type == EVP_PKEY_EC) digest = EVP_ecdsa(); #endif assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, Loading Loading @@ -973,15 +959,6 @@ bad: BIO_printf(bio_err,"Generating certificate request\n"); #ifndef OPENSSL_NO_DSA if (pk->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (pk->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); if (rq == NULL) Loading Loading
CHANGES +10 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,16 @@ Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] *) Add a ctrl to asn1 method to allow a public key algorithm to express a default digest type to use. In most cases this will be SHA1 but some algorithms (such as GOST) need to specify an alternative digest. The return value indicates how strong the prefernce is 1 means optional and 2 is mandatory (that is it is the only supported type). Modify ASN1_item_sign() to accept a NULL digest argument to indicate it should use the default md. Update openssl utilities to use the default digest type for signing if it is not explicitly indicated. [Steve Henson] *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant signing method from the key type. This effectively removes the link Loading
apps/ca.c +11 −25 Original line number Diff line number Diff line Loading @@ -1016,6 +1016,17 @@ bad: goto err; } if (!strcmp(md, "default")) { int def_nid; if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { BIO_puts(bio_err,"no default digest\n"); goto err; } md = (char *)OBJ_nid2sn(def_nid); } if ((dgst=EVP_get_digestbyname(md)) == NULL) { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); Loading Loading @@ -1412,17 +1423,6 @@ bad: /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); #if 0 #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); else #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) dgst=EVP_ecdsa(); #endif #endif /* Add any extensions asked for */ Loading Loading @@ -2101,25 +2101,11 @@ again2: } } #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) dgst = EVP_ecdsa(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); #endif if (!X509_sign(ret,pkey,dgst)) goto err; Loading
apps/openssl.cnf +1 −1 Original line number Diff line number Diff line Loading @@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha1 # which md to use. default_md = default # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look Loading
apps/req.c +2 −11 Original line number Diff line number Diff line Loading @@ -193,7 +193,7 @@ int MAIN(int argc, char **argv) char *p; char *subj = NULL; int multirdn = 0; const EVP_MD *md_alg=NULL,*digest=EVP_sha1(); const EVP_MD *md_alg=NULL,*digest=NULL; unsigned long chtype = MBSTRING_ASC; #ifndef MONOLITH char *to_free; Loading Loading @@ -894,16 +894,7 @@ loop: BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } #if 0 #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif #endif if (req == NULL) { req=X509_REQ_new(); Loading
apps/x509.c +7 −30 Original line number Diff line number Diff line Loading @@ -188,7 +188,7 @@ int MAIN(int argc, char **argv) X509_REQ *rq=NULL; int fingerprint=0; char buf[256]; const EVP_MD *md_alg,*digest=EVP_sha1(); const EVP_MD *md_alg,*digest=NULL; CONF *extconf = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; Loading Loading @@ -885,14 +885,18 @@ bad: int j; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *fdig = digest; if (!X509_digest(x,digest,md,&n)) if (!fdig) fdig = EVP_sha1(); if (!X509_digest(x,fdig,md,&n)) { BIO_printf(bio_err,"out of memory\n"); goto end; } BIO_printf(STDout,"%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(digest))); OBJ_nid2sn(EVP_MD_type(fdig))); for (j=0; j<(int)n; j++) { BIO_printf(STDout,"%02X%c",md[j], Loading @@ -912,16 +916,6 @@ bad: passin, e, "Private key"); if (Upkey == NULL) goto end; } #if 0 #ifndef OPENSSL_NO_DSA if (Upkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (Upkey->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif #endif assert(need_rand); if (!sign(x,Upkey,days,clrext,digest, Loading @@ -938,14 +932,6 @@ bad: "CA Private Key"); if (CApkey == NULL) goto end; } #ifndef OPENSSL_NO_DSA if (CApkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (CApkey->type == EVP_PKEY_EC) digest = EVP_ecdsa(); #endif assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, Loading Loading @@ -973,15 +959,6 @@ bad: BIO_printf(bio_err,"Generating certificate request\n"); #ifndef OPENSSL_NO_DSA if (pk->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (pk->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); if (rq == NULL) Loading
