Loading CHANGES +10 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,16 @@ Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] *) Add a ctrl to asn1 method to allow a public key algorithm to express a default digest type to use. In most cases this will be SHA1 but some algorithms (such as GOST) need to specify an alternative digest. The return value indicates how strong the prefernce is 1 means optional and 2 is mandatory (that is it is the only supported type). Modify ASN1_item_sign() to accept a NULL digest argument to indicate it should use the default md. Update openssl utilities to use the default digest type for signing if it is not explicitly indicated. [Steve Henson] *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant signing method from the key type. This effectively removes the link signing method from the key type. This effectively removes the link Loading apps/ca.c +11 −25 Original line number Original line Diff line number Diff line Loading @@ -1016,6 +1016,17 @@ bad: goto err; goto err; } } if (!strcmp(md, "default")) { int def_nid; if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { BIO_puts(bio_err,"no default digest\n"); goto err; } md = (char *)OBJ_nid2sn(def_nid); } if ((dgst=EVP_get_digestbyname(md)) == NULL) if ((dgst=EVP_get_digestbyname(md)) == NULL) { { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); Loading Loading @@ -1412,17 +1423,6 @@ bad: /* we now have a CRL */ /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); if (verbose) BIO_printf(bio_err,"signing CRL\n"); #if 0 #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); else #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) dgst=EVP_ecdsa(); #endif #endif /* Add any extensions asked for */ /* Add any extensions asked for */ Loading Loading @@ -2101,25 +2101,11 @@ again2: } } } } #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) dgst = EVP_ecdsa(); pktmp=X509_get_pubkey(ret); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); EVP_PKEY_free(pktmp); #endif if (!X509_sign(ret,pkey,dgst)) if (!X509_sign(ret,pkey,dgst)) goto err; goto err; Loading apps/openssl.cnf +1 −1 Original line number Original line Diff line number Diff line Loading @@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_crl_days= 30 # how long before next CRL default_md = sha1 # which md to use. default_md = default # use public key default MD preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # A few difference way of specifying how similar the request should look Loading apps/req.c +2 −11 Original line number Original line Diff line number Diff line Loading @@ -193,7 +193,7 @@ int MAIN(int argc, char **argv) char *p; char *p; char *subj = NULL; char *subj = NULL; int multirdn = 0; int multirdn = 0; const EVP_MD *md_alg=NULL,*digest=EVP_sha1(); const EVP_MD *md_alg=NULL,*digest=NULL; unsigned long chtype = MBSTRING_ASC; unsigned long chtype = MBSTRING_ASC; #ifndef MONOLITH #ifndef MONOLITH char *to_free; char *to_free; Loading Loading @@ -894,16 +894,7 @@ loop: BIO_printf(bio_err,"you need to specify a private key\n"); BIO_printf(bio_err,"you need to specify a private key\n"); goto end; goto end; } } #if 0 #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif #endif if (req == NULL) if (req == NULL) { { req=X509_REQ_new(); req=X509_REQ_new(); Loading apps/x509.c +7 −30 Original line number Original line Diff line number Diff line Loading @@ -188,7 +188,7 @@ int MAIN(int argc, char **argv) X509_REQ *rq=NULL; X509_REQ *rq=NULL; int fingerprint=0; int fingerprint=0; char buf[256]; char buf[256]; const EVP_MD *md_alg,*digest=EVP_sha1(); const EVP_MD *md_alg,*digest=NULL; CONF *extconf = NULL; CONF *extconf = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; int need_rand = 0; Loading Loading @@ -885,14 +885,18 @@ bad: int j; int j; unsigned int n; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *fdig = digest; if (!X509_digest(x,digest,md,&n)) if (!fdig) fdig = EVP_sha1(); if (!X509_digest(x,fdig,md,&n)) { { BIO_printf(bio_err,"out of memory\n"); BIO_printf(bio_err,"out of memory\n"); goto end; goto end; } } BIO_printf(STDout,"%s Fingerprint=", BIO_printf(STDout,"%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(digest))); OBJ_nid2sn(EVP_MD_type(fdig))); for (j=0; j<(int)n; j++) for (j=0; j<(int)n; j++) { { BIO_printf(STDout,"%02X%c",md[j], BIO_printf(STDout,"%02X%c",md[j], Loading @@ -912,16 +916,6 @@ bad: passin, e, "Private key"); passin, e, "Private key"); if (Upkey == NULL) goto end; if (Upkey == NULL) goto end; } } #if 0 #ifndef OPENSSL_NO_DSA if (Upkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (Upkey->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif #endif assert(need_rand); assert(need_rand); if (!sign(x,Upkey,days,clrext,digest, if (!sign(x,Upkey,days,clrext,digest, Loading @@ -938,14 +932,6 @@ bad: "CA Private Key"); "CA Private Key"); if (CApkey == NULL) goto end; if (CApkey == NULL) goto end; } } #ifndef OPENSSL_NO_DSA if (CApkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (CApkey->type == EVP_PKEY_EC) digest = EVP_ecdsa(); #endif assert(need_rand); assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, if (!x509_certify(ctx,CAfile,digest,x,xca, Loading Loading @@ -973,15 +959,6 @@ bad: BIO_printf(bio_err,"Generating certificate request\n"); BIO_printf(bio_err,"Generating certificate request\n"); #ifndef OPENSSL_NO_DSA if (pk->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (pk->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif rq=X509_to_X509_REQ(x,pk,digest); rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); EVP_PKEY_free(pk); if (rq == NULL) if (rq == NULL) Loading Loading
CHANGES +10 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,16 @@ Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] *) Add a ctrl to asn1 method to allow a public key algorithm to express a default digest type to use. In most cases this will be SHA1 but some algorithms (such as GOST) need to specify an alternative digest. The return value indicates how strong the prefernce is 1 means optional and 2 is mandatory (that is it is the only supported type). Modify ASN1_item_sign() to accept a NULL digest argument to indicate it should use the default md. Update openssl utilities to use the default digest type for signing if it is not explicitly indicated. [Steve Henson] *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant signing method from the key type. This effectively removes the link signing method from the key type. This effectively removes the link Loading
apps/ca.c +11 −25 Original line number Original line Diff line number Diff line Loading @@ -1016,6 +1016,17 @@ bad: goto err; goto err; } } if (!strcmp(md, "default")) { int def_nid; if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { BIO_puts(bio_err,"no default digest\n"); goto err; } md = (char *)OBJ_nid2sn(def_nid); } if ((dgst=EVP_get_digestbyname(md)) == NULL) if ((dgst=EVP_get_digestbyname(md)) == NULL) { { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); Loading Loading @@ -1412,17 +1423,6 @@ bad: /* we now have a CRL */ /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); if (verbose) BIO_printf(bio_err,"signing CRL\n"); #if 0 #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); else #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) dgst=EVP_ecdsa(); #endif #endif /* Add any extensions asked for */ /* Add any extensions asked for */ Loading Loading @@ -2101,25 +2101,11 @@ again2: } } } } #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) dgst = EVP_ecdsa(); pktmp=X509_get_pubkey(ret); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); EVP_PKEY_free(pktmp); #endif if (!X509_sign(ret,pkey,dgst)) if (!X509_sign(ret,pkey,dgst)) goto err; goto err; Loading
apps/openssl.cnf +1 −1 Original line number Original line Diff line number Diff line Loading @@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_crl_days= 30 # how long before next CRL default_md = sha1 # which md to use. default_md = default # use public key default MD preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # A few difference way of specifying how similar the request should look Loading
apps/req.c +2 −11 Original line number Original line Diff line number Diff line Loading @@ -193,7 +193,7 @@ int MAIN(int argc, char **argv) char *p; char *p; char *subj = NULL; char *subj = NULL; int multirdn = 0; int multirdn = 0; const EVP_MD *md_alg=NULL,*digest=EVP_sha1(); const EVP_MD *md_alg=NULL,*digest=NULL; unsigned long chtype = MBSTRING_ASC; unsigned long chtype = MBSTRING_ASC; #ifndef MONOLITH #ifndef MONOLITH char *to_free; char *to_free; Loading Loading @@ -894,16 +894,7 @@ loop: BIO_printf(bio_err,"you need to specify a private key\n"); BIO_printf(bio_err,"you need to specify a private key\n"); goto end; goto end; } } #if 0 #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif #endif if (req == NULL) if (req == NULL) { { req=X509_REQ_new(); req=X509_REQ_new(); Loading
apps/x509.c +7 −30 Original line number Original line Diff line number Diff line Loading @@ -188,7 +188,7 @@ int MAIN(int argc, char **argv) X509_REQ *rq=NULL; X509_REQ *rq=NULL; int fingerprint=0; int fingerprint=0; char buf[256]; char buf[256]; const EVP_MD *md_alg,*digest=EVP_sha1(); const EVP_MD *md_alg,*digest=NULL; CONF *extconf = NULL; CONF *extconf = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; int need_rand = 0; Loading Loading @@ -885,14 +885,18 @@ bad: int j; int j; unsigned int n; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *fdig = digest; if (!X509_digest(x,digest,md,&n)) if (!fdig) fdig = EVP_sha1(); if (!X509_digest(x,fdig,md,&n)) { { BIO_printf(bio_err,"out of memory\n"); BIO_printf(bio_err,"out of memory\n"); goto end; goto end; } } BIO_printf(STDout,"%s Fingerprint=", BIO_printf(STDout,"%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(digest))); OBJ_nid2sn(EVP_MD_type(fdig))); for (j=0; j<(int)n; j++) for (j=0; j<(int)n; j++) { { BIO_printf(STDout,"%02X%c",md[j], BIO_printf(STDout,"%02X%c",md[j], Loading @@ -912,16 +916,6 @@ bad: passin, e, "Private key"); passin, e, "Private key"); if (Upkey == NULL) goto end; if (Upkey == NULL) goto end; } } #if 0 #ifndef OPENSSL_NO_DSA if (Upkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (Upkey->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif #endif assert(need_rand); assert(need_rand); if (!sign(x,Upkey,days,clrext,digest, if (!sign(x,Upkey,days,clrext,digest, Loading @@ -938,14 +932,6 @@ bad: "CA Private Key"); "CA Private Key"); if (CApkey == NULL) goto end; if (CApkey == NULL) goto end; } } #ifndef OPENSSL_NO_DSA if (CApkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (CApkey->type == EVP_PKEY_EC) digest = EVP_ecdsa(); #endif assert(need_rand); assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, if (!x509_certify(ctx,CAfile,digest,x,xca, Loading Loading @@ -973,15 +959,6 @@ bad: BIO_printf(bio_err,"Generating certificate request\n"); BIO_printf(bio_err,"Generating certificate request\n"); #ifndef OPENSSL_NO_DSA if (pk->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif #ifndef OPENSSL_NO_ECDSA if (pk->type == EVP_PKEY_EC) digest=EVP_ecdsa(); #endif rq=X509_to_X509_REQ(x,pk,digest); rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); EVP_PKEY_free(pk); if (rq == NULL) if (rq == NULL) Loading