Loading CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -44,6 +44,10 @@ Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx] *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to output hashes compatible with older versions of OpenSSL. [Willy Weisz <weisz@vcpc.univie.ac.at>] *) Fix compression algorithm handling: if resuming a session use the compression algorithm of the resumed session instead of determining it from client hello again. Don't allow server to change algorithm. Loading apps/x509.c +29 −0 Original line number Diff line number Diff line Loading @@ -99,7 +99,13 @@ static const char *x509_usage[]={ " -passin arg - private key password source\n", " -serial - print serial number value\n", " -subject_hash - print subject hash value\n", #ifndef OPENSSL_NO_MD5 " -subject_hash_old - print old-style (MD5) subject hash value\n", #endif " -issuer_hash - print issuer hash value\n", #ifndef OPENSSL_NO_MD5 " -issuer_hash_old - print old-style (MD5) issuer hash value\n", #endif " -hash - synonym for -subject_hash\n", " -subject - print subject DN\n", " -issuer - print issuer DN\n", Loading Loading @@ -179,6 +185,9 @@ int MAIN(int argc, char **argv) int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; int next_serial=0; int subject_hash=0,issuer_hash=0,ocspid=0; #ifndef OPENSSL_NO_MD5 int subject_hash_old=0,issuer_hash_old=0; #endif int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int ocsp_uri=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; Loading Loading 
@@ -397,8 +406,16 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-hash") == 0 || strcmp(*argv,"-subject_hash") == 0) subject_hash= ++num; #ifndef OPENSSL_NO_MD5 else if (strcmp(*argv,"-subject_hash_old") == 0) subject_hash_old= ++num; #endif else if (strcmp(*argv,"-issuer_hash") == 0) issuer_hash= ++num; #ifndef OPENSSL_NO_MD5 else if (strcmp(*argv,"-issuer_hash_old") == 0) issuer_hash_old= ++num; #endif else if (strcmp(*argv,"-subject") == 0) subject= ++num; else if (strcmp(*argv,"-issuer") == 0) Loading Loading @@ -759,10 +776,22 @@ bad: { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); } #ifndef OPENSSL_NO_MD5 else if (subject_hash_old == i) { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); } #endif else if (issuer_hash == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); } #ifndef OPENSSL_NO_MD5 else if (issuer_hash_old == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); } #endif else if (pprint == i) { X509_PURPOSE *ptmp; Loading crypto/x509/x509.h +5 −0 Original line number Diff line number Diff line Loading @@ -961,6 +961,11 @@ unsigned long X509_issuer_name_hash(X509 *a); int X509_subject_name_cmp(const X509 *a, const X509 *b); unsigned long X509_subject_name_hash(X509 *x); #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *a); unsigned long X509_subject_name_hash_old(X509 *x); #endif int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); unsigned long X509_NAME_hash(X509_NAME *x); Loading crypto/x509/x509_cmp.c +14 −0 Original line number Diff line number Diff line Loading @@ -138,6 +138,13 @@ unsigned long X509_issuer_name_hash(X509 *x) return(X509_NAME_hash(x->cert_info->issuer)); } #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *x) { return(X509_NAME_hash_old(x->cert_info->issuer)); } #endif X509_NAME *X509_get_subject_name(X509 *a) { return(a->cert_info->subject); Loading 
@@ -153,6 +160,13 @@ unsigned long X509_subject_name_hash(X509 *x) return(X509_NAME_hash(x->cert_info->subject)); } #ifndef OPENSSL_NO_MD5 unsigned long X509_subject_name_hash_old(X509 *x) { return(X509_NAME_hash_old(x->cert_info->subject)); } #endif #ifndef OPENSSL_NO_SHA /* Compare two certificates: they must be identical for * this to work. NB: Although "cmp" operations are generally Loading doc/apps/x509.pod +16 −0 Original line number Diff line number Diff line Loading @@ -158,6 +158,16 @@ outputs the "hash" of the certificate issuer name. synonym for "-subject_hash" for backward compatibility reasons. =item B<-subject_hash_old> outputs the "hash" of the certificate subject name using the older algorithm as used by OpenSSL versions before 1.0.0. =item B<-issuer_hash_old> outputs the "hash" of the certificate issuer name using the older algorithm as used by OpenSSL versions before 1.0.0. =item B<-subject> outputs the subject name. Loading Loading @@ -837,4 +847,10 @@ L<x509v3_config(5)|x509v3_config(5)> Before OpenSSL 0.9.8, the default digest for RSA keys was MD5. The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using B<c_rehash> or similar. =cut Loading
CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -44,6 +44,10 @@ Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx] *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to output hashes compatible with older versions of OpenSSL. [Willy Weisz <weisz@vcpc.univie.ac.at>] *) Fix compression algorithm handling: if resuming a session use the compression algorithm of the resumed session instead of determining it from client hello again. Don't allow server to change algorithm. Loading
apps/x509.c +29 −0 Original line number Diff line number Diff line Loading @@ -99,7 +99,13 @@ static const char *x509_usage[]={ " -passin arg - private key password source\n", " -serial - print serial number value\n", " -subject_hash - print subject hash value\n", #ifndef OPENSSL_NO_MD5 " -subject_hash_old - print old-style (MD5) subject hash value\n", #endif " -issuer_hash - print issuer hash value\n", #ifndef OPENSSL_NO_MD5 " -issuer_hash_old - print old-style (MD5) issuer hash value\n", #endif " -hash - synonym for -subject_hash\n", " -subject - print subject DN\n", " -issuer - print issuer DN\n", Loading Loading @@ -179,6 +185,9 @@ int MAIN(int argc, char **argv) int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; int next_serial=0; int subject_hash=0,issuer_hash=0,ocspid=0; #ifndef OPENSSL_NO_MD5 int subject_hash_old=0,issuer_hash_old=0; #endif int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int ocsp_uri=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; Loading Loading @@ -397,8 +406,16 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-hash") == 0 || strcmp(*argv,"-subject_hash") == 0) subject_hash= ++num; #ifndef OPENSSL_NO_MD5 else if (strcmp(*argv,"-subject_hash_old") == 0) subject_hash_old= ++num; #endif else if (strcmp(*argv,"-issuer_hash") == 0) issuer_hash= ++num; #ifndef OPENSSL_NO_MD5 else if (strcmp(*argv,"-issuer_hash_old") == 0) issuer_hash_old= ++num; #endif else if (strcmp(*argv,"-subject") == 0) subject= ++num; else if (strcmp(*argv,"-issuer") == 0) Loading Loading 
@@ -759,10 +776,22 @@ bad: { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); } #ifndef OPENSSL_NO_MD5 else if (subject_hash_old == i) { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); } #endif else if (issuer_hash == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); } #ifndef OPENSSL_NO_MD5 else if (issuer_hash_old == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); } #endif else if (pprint == i) { X509_PURPOSE *ptmp; Loading
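Review bot: In a build with OPENSSL_NO_MD5 defined, the two new `else if` branches in the option parser (the hunk at -397) are compiled out, so `-subject_hash_old` and `-issuer_hash_old` presumably fall into the generic unknown-option handling, which is outside the visible hunks, and the user gets no hint that the option exists but needs MD5. An `#else` arm that still recognises both names and reports the cause would make the failure explicit, for example `BIO_printf(bio_err,"%s requires MD5 support\n",*argv); goto bad;`. MAIN starts and ends outside these hunks, so check how unrecognised options are reported there before settling on the exact form.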
crypto/x509/x509.h +5 −0 Original line number Diff line number Diff line Loading @@ -961,6 +961,11 @@ unsigned long X509_issuer_name_hash(X509 *a); int X509_subject_name_cmp(const X509 *a, const X509 *b); unsigned long X509_subject_name_hash(X509 *x); #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *a); unsigned long X509_subject_name_hash_old(X509 *x); #endif int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); unsigned long X509_NAME_hash(X509_NAME *x); Loading
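Review bot: The two prototypes added here, and their definitions in crypto/x509/x509_cmp.c, enter the public API with no comment saying they are the MD5-based pre-1.0.0 name hash kept only for compatibility. I would add above the guarded block `/* Old-style (MD5) name hashes as used before 1.0.0; for matching old hashed-directory links only. Not available with OPENSSL_NO_MD5. */` and repeat a one-line version at each definition. The header also names the issuer variant's parameter `a` while x509_cmp.c defines it with `x`; using `x` in both keeps the new pair consistent. Callers outside the library will need the same `#ifndef OPENSSL_NO_MD5` guard, which the comment should state.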
crypto/x509/x509_cmp.c +14 −0 Original line number Diff line number Diff line Loading @@ -138,6 +138,13 @@ unsigned long X509_issuer_name_hash(X509 *x) return(X509_NAME_hash(x->cert_info->issuer)); } #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *x) { return(X509_NAME_hash_old(x->cert_info->issuer)); } #endif X509_NAME *X509_get_subject_name(X509 *a) { return(a->cert_info->subject); Loading @@ -153,6 +160,13 @@ unsigned long X509_subject_name_hash(X509 *x) return(X509_NAME_hash(x->cert_info->subject)); } #ifndef OPENSSL_NO_MD5 unsigned long X509_subject_name_hash_old(X509 *x) { return(X509_NAME_hash_old(x->cert_info->subject)); } #endif #ifndef OPENSSL_NO_SHA /* Compare two certificates: they must be identical for * this to work. NB: Although "cmp" operations are generally Loading
doc/apps/x509.pod +16 −0 Original line number Diff line number Diff line Loading @@ -158,6 +158,16 @@ outputs the "hash" of the certificate issuer name. synonym for "-subject_hash" for backward compatibility reasons. =item B<-subject_hash_old> outputs the "hash" of the certificate subject name using the older algorithm as used by OpenSSL versions before 1.0.0. =item B<-issuer_hash_old> outputs the "hash" of the certificate issuer name using the older algorithm as used by OpenSSL versions before 1.0.0. =item B<-subject> outputs the subject name. Loading Loading @@ -837,4 +847,10 @@ L<x509v3_config(5)|x509v3_config(5)> Before OpenSSL 0.9.8, the default digest for RSA keys was MD5. The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using B<c_rehash> or similar. =cut