Loading CHANGES +8 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,14 @@ Changes between 0.9.7d and 0.9.7e [XX xxx XXXX] *) *) Reduce the chances of duplicate issuer name and serial numbers (in violation of RFC3280) using the OpenSSL certificate creation utilities. This is done by creating a random 64 bit value for the initial serial number when a serial number file is created or when a self signed certificate is created using 'openssl req -x509'. The initial serial number file is created using 'openssl x509 -next_serial' in CA.pl rather than being initialized to 1. [Steve Henson] Changes between 0.9.7c and 0.9.7d [17 Mar 2004] Loading apps/CA.pl.in +4 −3 Original line number Diff line number Diff line Loading @@ -82,9 +82,6 @@ foreach (@ARGV) { mkdir "${CATOP}/crl", $DIRMODE ; mkdir "${CATOP}/newcerts", $DIRMODE; mkdir "${CATOP}/private", $DIRMODE; open OUT, ">${CATOP}/serial"; print OUT "01\n"; close OUT; open OUT, ">${CATOP}/index.txt"; close OUT; } Loading @@ -106,6 +103,10 @@ foreach (@ARGV) { $RET=$?; } } if (! -f "${CATOP}/serial" ) { system ("$X509 -in ${CATOP}/$CACERT -noout " . "-next_serial -out ${CATOP}/serial"); } } elsif (/^-pkcs12$/) { my $cname = $ARGV[1]; $cname = "My Certificate" unless defined $cname; Loading apps/apps.c +28 −4 Original line number Diff line number Diff line Loading @@ -1438,12 +1438,9 @@ BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai) } else { ASN1_INTEGER_set(ai,1); ret=BN_new(); if (ret == NULL) if (ret == NULL || !rand_serial(ret, ai)) BIO_printf(bio_err, "Out of memory\n"); else BN_one(ret); } } else Loading Loading 
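Review bot: The exit status of the new system() call that generates ${CATOP}/serial is never examined, unlike the `$RET=$?;` assignment a few lines above it, so a failing `$X509 ... -next_serial` leaves no serial file while CA.pl still reports success for -newca; add `$RET=$?;` inside the new `if` block so the failure is returned. Without it the problem only surfaces on the next `openssl ca` run as "error while loading serial number", which is a much less useful place to learn about it. The enclosing foreach body starts and ends outside the hunk.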
@@ -1605,6 +1602,33 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) return 0; } int rand_serial(BIGNUM *b, ASN1_INTEGER *ai) { BIGNUM *btmp; int ret = 0; if (b) btmp = b; else btmp = BN_new(); if (!btmp) return 0; if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0)) goto error; if (ai && !BN_to_ASN1_INTEGER(btmp, ai)) goto error; ret = 1; error: if (!b) BN_free(btmp); return ret; } CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) { CA_DB *retdb = NULL; Loading apps/apps.h +3 −0 Original line number Diff line number Diff line Loading @@ -307,6 +307,7 @@ typedef struct ca_db_st BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai); int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai); int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix); int rand_serial(BIGNUM *b, ASN1_INTEGER *ai); CA_DB *load_index(char *dbfile, DB_ATTR *dbattr); int index_index(CA_DB *db); int save_index(char *dbfile, char *suffix, CA_DB *db); Loading Loading @@ -335,4 +336,6 @@ X509_NAME *do_subject(char *str, long chtype); #define APP_PASS_LEN 1024 #define SERIAL_RAND_BITS 64 #endif apps/ca.c +2 −1 Original line number Diff line number Diff line Loading @@ -238,6 +238,7 @@ int MAIN(int argc, char **argv) { ENGINE *e = NULL; char *key=NULL,*passargin=NULL; int create_ser = 0; int free_key = 0; int total=0; int total_done=0; Loading Loading @@ -1098,7 +1099,7 @@ bad: goto err; } if ((serial=load_serial(serialfile, 0, NULL)) == NULL) if ((serial=load_serial(serialfile, create_ser, NULL)) == NULL) { BIO_printf(bio_err,"error while loading serial number\n"); goto err; Loading Loading
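Review bot: In the load_serial hunk at -1438 a rand_serial() failure no longer clears `ret`: BN_new() has already succeeded, so the function carries on with a freshly allocated BIGNUM holding zero, and the message it prints ("Out of memory") misdescribes what went wrong. If the lines after the hunk return `ret` unconditionally — load_serial's body continues outside the hunk — the caller receives serial 0, which is not a valid positive serial number. Suggested change: `if (ret == NULL || !rand_serial(ret, ai)) { BIO_printf(bio_err, "Out of memory\n"); BN_free(ret); ret = NULL; }`, or split the two failures so each gets an accurate message. Separately, rand_serial at -1605 draws the value with BN_pseudo_rand(), whose output is not guaranteed unpredictable; since an unguessable serial is part of what this change is buying, `BN_rand(btmp, SERIAL_RAND_BITS, 0, 0)` from the strong generator is the safer source, and if `top == 0` keeps its usual meaning of forcing the high bit the value carries 63 random bits rather than the 64 the macro name suggests.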
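Review bot: The new `rand_serial` prototype at -307 carries no contract comment, yet both arguments are optional in different ways (from the apps.c body: a NULL `b` means a temporary BIGNUM is allocated and freed internally, a NULL `ai` skips the ASN1_INTEGER conversion), and none of that is guessable from the signature. Add above the declaration a comment along the lines of `/* Fill b (or a temporary if b is NULL) with SERIAL_RAND_BITS random bits and, if ai is non-NULL, store the same value in ai. Returns 1 on success, 0 on failure. */`. `SERIAL_RAND_BITS` is defined at the end of the header, far from the prototype that depends on it; a one-line comment there stating that it is the bit width of generated serial numbers would help the next reader.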
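Review bot: `create_ser` is initialised to 0 and passed straight to load_serial() at -1098, but with +2/−1 this section contains no line that ever sets it, so as of this commit the call behaves exactly like the literal 0 it replaces. If an option that sets it is parsed elsewhere in MAIN (whose body runs outside both hunks) that is not visible here; if it is meant for a later change, a comment such as `/* set by the serial-file creation option; 0 keeps a missing serial file an error */` next to the declaration would make the intent clear. Keeping the default at 0 is the right call: a missing serial file on an existing CA usually signals a misconfigured or tampered CA directory, and silently creating one would hide that.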
CHANGES +8 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,14 @@ Changes between 0.9.7d and 0.9.7e [XX xxx XXXX] *) *) Reduce the chances of duplicate issuer name and serial numbers (in violation of RFC3280) using the OpenSSL certificate creation utilities. This is done by creating a random 64 bit value for the initial serial number when a serial number file is created or when a self signed certificate is created using 'openssl req -x509'. The initial serial number file is created using 'openssl x509 -next_serial' in CA.pl rather than being initialized to 1. [Steve Henson] Changes between 0.9.7c and 0.9.7d [17 Mar 2004] Loading
apps/CA.pl.in +4 −3 Original line number Diff line number Diff line Loading @@ -82,9 +82,6 @@ foreach (@ARGV) { mkdir "${CATOP}/crl", $DIRMODE ; mkdir "${CATOP}/newcerts", $DIRMODE; mkdir "${CATOP}/private", $DIRMODE; open OUT, ">${CATOP}/serial"; print OUT "01\n"; close OUT; open OUT, ">${CATOP}/index.txt"; close OUT; } Loading @@ -106,6 +103,10 @@ foreach (@ARGV) { $RET=$?; } } if (! -f "${CATOP}/serial" ) { system ("$X509 -in ${CATOP}/$CACERT -noout " . "-next_serial -out ${CATOP}/serial"); } } elsif (/^-pkcs12$/) { my $cname = $ARGV[1]; $cname = "My Certificate" unless defined $cname; Loading
apps/apps.c +28 −4 Original line number Diff line number Diff line Loading @@ -1438,12 +1438,9 @@ BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai) } else { ASN1_INTEGER_set(ai,1); ret=BN_new(); if (ret == NULL) if (ret == NULL || !rand_serial(ret, ai)) BIO_printf(bio_err, "Out of memory\n"); else BN_one(ret); } } else Loading Loading @@ -1605,6 +1602,33 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) return 0; } int rand_serial(BIGNUM *b, ASN1_INTEGER *ai) { BIGNUM *btmp; int ret = 0; if (b) btmp = b; else btmp = BN_new(); if (!btmp) return 0; if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0)) goto error; if (ai && !BN_to_ASN1_INTEGER(btmp, ai)) goto error; ret = 1; error: if (!b) BN_free(btmp); return ret; } CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) { CA_DB *retdb = NULL; Loading
apps/apps.h +3 −0 Original line number Diff line number Diff line Loading @@ -307,6 +307,7 @@ typedef struct ca_db_st BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai); int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai); int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix); int rand_serial(BIGNUM *b, ASN1_INTEGER *ai); CA_DB *load_index(char *dbfile, DB_ATTR *dbattr); int index_index(CA_DB *db); int save_index(char *dbfile, char *suffix, CA_DB *db); Loading Loading @@ -335,4 +336,6 @@ X509_NAME *do_subject(char *str, long chtype); #define APP_PASS_LEN 1024 #define SERIAL_RAND_BITS 64 #endif
apps/ca.c +2 −1 Original line number Diff line number Diff line Loading @@ -238,6 +238,7 @@ int MAIN(int argc, char **argv) { ENGINE *e = NULL; char *key=NULL,*passargin=NULL; int create_ser = 0; int free_key = 0; int total=0; int total_done=0; Loading Loading @@ -1098,7 +1099,7 @@ bad: goto err; } if ((serial=load_serial(serialfile, 0, NULL)) == NULL) if ((serial=load_serial(serialfile, create_ser, NULL)) == NULL) { BIO_printf(bio_err,"error while loading serial number\n"); goto err; Loading