From: Richard Levitte Date: Sat, 9 Sep 2000 07:03:02 +0000 (+0000) Subject: Merge of main trunk, no conflicts this time X-Git-Tag: OpenSSL-engine-0_9_6-beta1~7 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=06b71aec85503e8ba77f0277a2e58655622d5bb8;p=oweals%2Fopenssl.git Merge of main trunk, no conflicts this time --- diff --git a/CHANGES b/CHANGES index 5ada535aba..dcb354f88f 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,15 @@ Changes between 0.9.5a and 0.9.6 [xx XXX 2000] + *) Add two demo programs for PKCS12_parse() and PKCS12_create(). + Update PKCS12_parse() so it copies the friendlyName and the + keyid to the certificates aux info. + [Steve Henson] + + *) Fix bug in PKCS7_verify() which caused an infinite loop + if there was more than one signature. + [Sven Uszpelkat ] + *) Major change in util/mkdef.pl to include extra information about each symbol, as well as presentig variables as well as functions. This change means that there's n more need diff --git a/FAQ b/FAQ index 6e34953c11..4497b1c7f4 100644 --- a/FAQ +++ b/FAQ @@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions * Why does the linker complain about undefined symbols? * Where can I get a compiled version of OpenSSL? * I've compiled a program under Windows and it crashes: why? +* I've tried using and I get errors why? * I've called and it fails, why? * I just get a load of numbers for the error output, what do they mean? * Why do I get errors about unknown algorithms? @@ -181,6 +182,17 @@ otherwise the conflict will cause a program to crash: typically on the first BIO related read or write operation. +* I've tried using and I get errors why? + +This usually happens when you try compiling something using the PKCS#12 +macros with a C++ compiler. There is hardly ever any need to use the +PKCS#12 macros in a program, it is much easier to parse and create +PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions +documented in doc/openssl.txt and with examples in demos/pkcs12. The +'pkcs12' application has to use the macros because it prints out +debugging information. + + * I've called and it fails, why? Before submitting a report or asking in one of the mailing lists, you diff --git a/apps/makeapps.com b/apps/makeapps.com index 94acbf8219..7e9d0ac8d6 100644 --- a/apps/makeapps.com +++ b/apps/makeapps.com @@ -154,13 +154,13 @@ $! Define The Application Files. $! $ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+- "CA;PKCS7;CRL2P7;CRL;"+- - "RSA;DSA;DSAPARAM;"+- + "RSA;RSAUTL;DSA;DSAPARAM;"+- "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+- "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+- "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND" $ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,DHPARAM.OBJ,ENC.OBJ,PASSWD.OBJ,GENDH.OBJ,ERRSTR.OBJ,- CA.OBJ,PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,- - RSA.OBJ,DSA.OBJ,DSAPARAM.OBJ,- + RSA.OBJ,RSAUTL.OBJ,DSA.OBJ,DSAPARAM.OBJ,- X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,- S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,APP_RAND.OBJ,VERSION.OBJ,SESS_ID.OBJ,- CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ diff --git a/apps/verify.c b/apps/verify.c index e2f571032e..f384de6d29 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -73,7 +73,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx); static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose); static STACK_OF(X509) *load_untrusted(char *file); -static int v_verbose=0; +static int v_verbose=0, issuer_checks = 0; int MAIN(int, char **); @@ -147,6 +147,8 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-help") == 0) goto end; + else if (strcmp(*argv,"-issuer_checks") == 0) + issuer_checks=1; else if (strcmp(*argv,"-verbose") == 0) v_verbose=1; else if (argv[0][0] == '-') @@ -284,6 +286,8 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X X509_STORE_CTX_init(csc,ctx,x,uchain); if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain); if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose); + if(issuer_checks) + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CB_ISSUER_CHECK); i=X509_verify_cert(csc); X509_STORE_CTX_free(csc); diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 6dfd4fa76e..3346377527 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -67,9 +67,7 @@ #include #include -#ifdef VMS -#include -#endif +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c index a18ebb586c..f06af5b576 100644 --- a/crypto/asn1/t_x509a.c +++ b/crypto/asn1/t_x509a.c @@ -98,5 +98,13 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); if(aux->alias) BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data); + if(aux->keyid) { + BIO_printf(out, "%*sKey Id: ", indent, ""); + for(i = 0; i < aux->keyid->length; i++) + BIO_printf(out, "%s%02X", + i ? ":" : "", + aux->keyid->data[i]); + BIO_write(out,"\n",1); + } return 1; } diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index 42807cd334..ebcce87bf2 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -153,6 +153,14 @@ int X509_alias_set1(X509 *x, unsigned char *name, int len) return ASN1_STRING_set(aux->alias, name, len); } +int X509_keyid_set1(X509 *x, unsigned char *id, int len) +{ + X509_CERT_AUX *aux; + if(!(aux = aux_get(x))) return 0; + if(!aux->keyid && !(aux->keyid = ASN1_OCTET_STRING_new())) return 0; + return ASN1_STRING_set(aux->keyid, id, len); +} + unsigned char *X509_alias_get0(X509 *x, int *len) { if(!x->aux || !x->aux->alias) return NULL; diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h index 0e1a16ce62..fd23a15bc0 100644 --- a/crypto/bio/bio.h +++ b/crypto/bio/bio.h @@ -524,6 +524,7 @@ BIO * BIO_push(BIO *b,BIO *append); BIO * BIO_pop(BIO *b); void BIO_free_all(BIO *a); BIO * BIO_find_type(BIO *b,int bio_type); +BIO * BIO_next(BIO *b); BIO * BIO_get_retry_BIO(BIO *bio, int *reason); int BIO_get_retry_reason(BIO *bio); BIO * BIO_dup_chain(BIO *in); diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index ffdec3725d..381afc9b8e 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -418,6 +418,7 @@ BIO *BIO_find_type(BIO *bio, int type) { int mt,mask; + if(!bio) return NULL; mask=type&0xff; do { if (bio->method != NULL) @@ -436,6 +437,12 @@ BIO *BIO_find_type(BIO *bio, int type) return(NULL); } +BIO *BIO_next(BIO *b) + { + if(!b) return NULL; + return b->next_bio; + } + void BIO_free_all(BIO *bio) { BIO *b; diff --git a/crypto/crypto-lib.com b/crypto/crypto-lib.com index 031d7f0bdd..024474d861 100644 --- a/crypto/crypto-lib.com +++ b/crypto/crypto-lib.com @@ -204,7 +204,7 @@ $ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ - "rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null" $ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err,dsa_ossl" $ LIB_DH = "dh_gen,dh_key,dh_lib,dh_check,dh_err" -$ LIB_DSO = "dso_err,dso_lib,dso_null,dso_openssl,dso_vms" +$ LIB_DSO = "dso_err,dso_lib,dso_null,dso_openssl" ! + ",dso_vms" $ LIB_BUFFER = "buffer,buf_err" $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - "bss_mem,bss_null,bss_fd,"+ - @@ -220,15 +220,15 @@ $ LIB_EVP = "encode,digest,evp_enc,evp_key,"+ - "e_des,e_bf,e_idea,e_des3,"+ - "e_rc4,names,"+ - "e_xcbc_d,e_rc2,e_cast,e_rc5," -$ LIB_EVP_2 = "m_null,m_md2,m_md5,m_sha,m_sha1,m_dss,m_dss1,m_mdc2,"+ - - "m_ripemd,"+ - +$ LIB_EVP_2 = "m_null,m_md2,m_md4,m_md5,m_sha,m_sha1," + - + "m_dss,m_dss1,m_mdc2,m_ripemd,"+ - "p_open,p_seal,p_sign,p_verify,p_lib,p_enc,p_dec,"+ - "bio_md,bio_b64,bio_enc,evp_err,e_null,"+ - "c_all,c_allc,c_alld,evp_lib,bio_ok,"+- "evp_pkey,evp_pbe,p5_crpt,p5_crpt2" $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ - "a_null,a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,a_bmp,"+ - - "a_enum,a_vis,a_utf8,a_sign,a_digest,a_verify,a_mbstr,"+ - + "a_enum,a_vis,a_utf8,a_sign,a_digest,a_verify,a_mbstr,a_strex,"+ - "x_algor,x_val,x_pubkey,x_sig,x_req,x_attrib,"+ - "x_name,x_cinf,x_x509,x_x509a,x_crl,x_info,x_spki,nsseq,"+ - "d2i_r_pr,i2d_r_pr,d2i_r_pu,i2d_r_pu,"+ - diff --git a/crypto/engine/hw_ncipher.c b/crypto/engine/hw_ncipher.c index 2ff8dd64a8..8485a27dca 100644 --- a/crypto/engine/hw_ncipher.c +++ b/crypto/engine/hw_ncipher.c @@ -216,7 +216,7 @@ struct HWCryptoHook_CallerContextValue #define BN2MPI(mp, bn) \ {mp.size = bn->top * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;} #define MPI2BN(bn, mp) \ - {mp.size = bn->max * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;} + {mp.size = bn->dmax * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;} #if 0 /* Card and password management is not yet supported */ /* HWCryptoHook callbacks. insert_card() and get_pass() are not yet diff --git a/crypto/install.com b/crypto/install.com index b0fca36b27..ea97665471 100644 --- a/crypto/install.com +++ b/crypto/install.com @@ -32,14 +32,14 @@ $ IF F$PARSE("WRK_SSLALIB:") .EQS. "" THEN - $ IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN - CREATE/DIR/LOG WRK_SSLINCLUDE: $ -$ SDIRS := ,MD2,MD5,SHA,MDC2,HMAC,RIPEMD,- +$ SDIRS := ,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,- DES,RC2,RC4,RC5,IDEA,BF,CAST,- - BN,RSA,DSA,DH,- + BN,RSA,DSA,DH,DSO,ENGINE,- BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,- - EVP,ASN1,PEM,X509,X509V3,- - CONF,TXT_DB,PKCS7,PKCS12,COMP + EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP $ EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,symhacks.h $ EXHEADER_MD2 := md2.h +$ EXHEADER_MD4 := md4.h $ EXHEADER_MD5 := md5.h $ EXHEADER_SHA := sha.h $ EXHEADER_MDC2 := mdc2.h @@ -56,13 +56,15 @@ $ EXHEADER_BN := bn.h $ EXHEADER_RSA := rsa.h $ EXHEADER_DSA := dsa.h $ EXHEADER_DH := dh.h +$ EXHEADER_DSO := dso.h +$ EXHEADER_ENGINE := engine.h $ EXHEADER_BUFFER := buffer.h $ EXHEADER_BIO := bio.h $ EXHEADER_STACK := stack.h,safestack.h $ EXHEADER_LHASH := lhash.h $ EXHEADER_RAND := rand.h $ EXHEADER_ERR := err.h -$ EXHEADER_OBJECTS := objects.h +$ EXHEADER_OBJECTS := objects.h,obj_mac.h $ EXHEADER_EVP := evp.h $ EXHEADER_ASN1 := asn1.h,asn1_mac.h $ EXHEADER_PEM := pem.h,pem2.h diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c index 3b36cfa46c..368c98765c 100644 --- a/crypto/pkcs12/p12_kiss.c +++ b/crypto/pkcs12/p12_kiss.c @@ -86,21 +86,18 @@ int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, /* Check for NULL PKCS12 structure */ - if(!p12) - { + if(!p12) { PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER); return 0; - } + } /* Allocate stack for ca certificates if needed */ - if ((ca != NULL) && (*ca == NULL)) - { - if (!(*ca = sk_X509_new(NULL))) - { + if ((ca != NULL) && (*ca == NULL)) { + if (!(*ca = sk_X509_new(NULL))) { PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE); return 0; - } } + } if(pkey) *pkey = NULL; if(cert) *cert = NULL; @@ -206,12 +203,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, { PKCS8_PRIV_KEY_INFO *p8; X509 *x509; - ASN1_OCTET_STRING *lkey = NULL; + ASN1_OCTET_STRING *lkey = NULL, *ckid = NULL; ASN1_TYPE *attrib; + ASN1_BMPSTRING *fname = NULL; + if ((attrib = PKCS12_get_attr (bag, NID_friendlyName))) + fname = attrib->value.bmpstring; - if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) - lkey = attrib->value.octet_string; + if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) { + lkey = attrib->value.octet_string; + ckid = lkey; + } /* Check for any local key id matching (if needed) */ if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) { @@ -247,6 +249,18 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate ) return 1; if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0; + if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length); + if(fname) { + int len; + unsigned char *data; + len = ASN1_STRING_to_UTF8(&data, fname); + if(len > 0) { + X509_alias_set1(x509, data, len); + OPENSSL_free(data); + } + } + + if (lkey) { *keymatch |= MATCH_CERT; if (cert) *cert = x509; diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 7acd11e057..2768247818 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -534,7 +534,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) if (EVP_MD_CTX_type(mdc) == j) break; else - btmp=btmp->next_bio; + btmp=BIO_next(btmp); } /* We now have the EVP_MD_CTX, lets do the @@ -726,7 +726,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, } if (EVP_MD_CTX_type(mdc) == md_type) break; - btmp=btmp->next_bio; + btmp=BIO_next(btmp); } /* mdc is the digest ctx that we want, unless there are attributes, diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 19e0b28a39..c8cd5a7f73 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -153,7 +153,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, PKCS7_SIGNER_INFO *si; X509_STORE_CTX cert_ctx; char buf[4096]; - int i, j=0; + int i, j=0, k; BIO *p7bio; BIO *tmpout; @@ -193,8 +193,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, /* Now verify the certificates */ - if (!(flags & PKCS7_NOVERIFY)) for (i = 0; i < sk_X509_num(signers); i++) { - signer = sk_X509_value (signers, i); + if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) { + signer = sk_X509_value (signers, k); if (!(flags & PKCS7_NOCHAIN)) { X509_STORE_CTX_init(&cert_ctx, store, signer, p7->d.sign->cert); diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h index 556e84cf21..1b817e605d 100644 --- a/crypto/pkcs7/pkcs7.h +++ b/crypto/pkcs7/pkcs7.h @@ -62,9 +62,7 @@ #include #include -#ifdef VMS -#include -#endif +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index ae0ebd89d7..813c8adffd 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -912,6 +912,7 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp); X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp, long length); int X509_alias_set1(X509 *x, unsigned char *name, int len); +int X509_keyid_set1(X509 *x, unsigned char *id, int len); unsigned char * X509_alias_get0(X509 *x, int *len); int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int); int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index eee9d049ca..4ab53322c5 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -23,6 +23,7 @@ B B [B<-recip file>] [B<-in file>] [B<-inform SMIME|PEM|DER>] +[B<-passin arg>] [B<-inkey file>] [B<-out file>] [B<-outform SMIME|PEM|DER>] @@ -203,6 +204,11 @@ corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the B<-recip> or B<-signer> file. +=item B<-passin arg> + +the private key password source. For more information about the format of B +see the B section in L. + =item B<-rand file(s)> a file or files containing random data used to seed the random number diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index b2d207c296..90455525d1 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -12,6 +12,7 @@ B B [B<-purpose purpose>] [B<-untrusted file>] [B<-help>] +[B<-issuer_checks>] [B<-verbose>] [B<->] [certificates] @@ -57,6 +58,14 @@ prints out a usage message. print extra information about the operations being performed. +=item B<-issuer_checks> + +print out diagnostics relating to searches for the issuer certificate +of the current certificate. This shows why each candidate issuer +certificate was rejected. However the presence of rejection messages +does not itself imply that anything is wrong: during the normal +verify process several rejections may take place. + =item B<-> marks the last option. All arguments following this are assumed to be @@ -88,9 +97,21 @@ The verify operation consists of a number of separate steps. Firstly a certificate chain is built up starting from the supplied certificate and ending in the root CA. It is an error if the whole chain cannot be built -up. The chain is built up by looking up a certificate whose subject name -matches the issuer name of the current certificate. If a certificate is found -whose subject and issuer names are identical it is assumed to be the root CA. +up. The chain is built up by looking up the issuers certificate of the current +certificate. If a certificate is found which is its own issuer it is assumed +to be the root CA. + +The process of 'looking up the issuers certificate' itself involves a number +of steps. In versions of OpenSSL before 0.9.5a the first certificate whose +subject name matched the issuer of the current certificate was assumed to be +the issuers certificate. In OpenSSL 0.9.6 and later all certificates +whose subject name matches the issuer name of the current certificate are +subject to further tests. The relevant authority key identifier components +of the current certificate (if present) must match the subject key identifier +(if present) and issuer and serial number of the candidate issuer, in addition +the keyUsage extension of the candidate issuer (if present) must permit +certificate signing. + The lookup first looks in the list of untrusted certificates and if no match is found the remaining lookups are from the trusted certificates. The root CA is always looked up in the trusted certificate list: if the certificate to @@ -260,12 +281,46 @@ the root CA is not marked as trusted for the specified purpose. the root CA is marked to reject the specified purpose. +=item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch> + +the current candidate issuer certificate was rejected because its subject name +did not match the issuer name of the current certificate. Only displayed when +the B<-issuer_checks> option is set. + +=item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch> + +the current candidate issuer certificate was rejected because its subject key +identifier was present and did not match the authority key identifier current +certificate. Only displayed when the B<-issuer_checks> option is set. + +=item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch> + +the current candidate issuer certificate was rejected because its issuer name +and serial number was present and did not match the authority key identifier +of the current certificate. Only displayed when the B<-issuer_checks> option is set. + +=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing> + +the current candidate issuer certificate was rejected because its keyUsage extension +does not permit certificate signing. + =item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure> an application specific error. Unused. =back +=head1 BUGS + +Although the issuer checks are a considerably improvement over the old technique they still +suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that +trusted certificates with matching subject name must either appear in a file (as specified by the +B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only +the certificates in the file will be recognised. + +Previous versions of OpenSSL assume certificates with matching subject name are identical and +mishandled them. + =head1 SEE ALSO L diff --git a/makevms.com b/makevms.com index d0194e7153..f55231e2a0 100755 --- a/makevms.com +++ b/makevms.com @@ -316,7 +316,11 @@ $! Tell The User We Are Partly Rebuilding The [.TEST] Directory. $! $ WRITE SYS$OUTPUT "Rebuilding The '[.APPS]MD5.C' And '[.APPS]RMD160.C' Files." $! -$ DELETE SYS$DISK:[.APPS]MD5.C;*,RMD160.C;* +$ DELETE SYS$DISK:[.APPS]MD4.C;*,MD5.C;*,RMD160.C;* +$! +$! Copy MD4.C from [.CRYPTO.MD4] into [.APPS] +$! +$ COPY SYS$DISK:[.CRYPTO.MD4]MD4.C SYS$DISK:[.APPS] $! $! Copy MD5.C from [.CRYPTO.MD5] into [.APPS] $! @@ -359,14 +363,14 @@ $ COPY 'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL] $! $! Copy All The ".H" Files From The [.CRYPTO] Directory Tree. $! -$ SDIRS := ,MD2,MD5,SHA,MDC2,HMAC,RIPEMD,- +$ SDIRS := ,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,- DES,RC2,RC4,RC5,IDEA,BF,CAST,- - BN,RSA,DSA,DH,- + BN,RSA,DSA,DH,DSO,ENGINE,- BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,- - EVP,ASN1,PEM,X509,X509V3,- - CONF,TXT_DB,PKCS7,PKCS12,COMP + EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP $ EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,symhacks.h $ EXHEADER_MD2 := md2.h +$ EXHEADER_MD4 := md4.h $ EXHEADER_MD5 := md5.h $ EXHEADER_SHA := sha.h $ EXHEADER_MDC2 := mdc2.h @@ -383,13 +387,15 @@ $ EXHEADER_BN := bn.h $ EXHEADER_RSA := rsa.h $ EXHEADER_DSA := dsa.h $ EXHEADER_DH := dh.h +$ EXHEADER_DSO := dso.h +$ EXHEADER_ENGINE := engine.h $ EXHEADER_BUFFER := buffer.h $ EXHEADER_BIO := bio.h $ EXHEADER_STACK := stack.h,safestack.h $ EXHEADER_LHASH := lhash.h $ EXHEADER_RAND := rand.h $ EXHEADER_ERR := err.h -$ EXHEADER_OBJECTS := objects.h +$ EXHEADER_OBJECTS := objects.h,obj_mac.h $ EXHEADER_EVP := evp.h $ EXHEADER_ASN1 := asn1.h,asn1_mac.h $ EXHEADER_PEM := pem.h,pem2.h diff --git a/test/maketests.com b/test/maketests.com index 1246d9a077..135e0bfeb9 100644 --- a/test/maketests.com +++ b/test/maketests.com @@ -143,7 +143,7 @@ $ GOSUB CHECK_OPT_FILE $! $! Define The TEST Files. $! -$ TEST_FILES = "BNTEST,IDEATEST,MD2TEST,MD5TEST,HMACTEST,"+ - +$ TEST_FILES = "BNTEST,IDEATEST,MD2TEST,MD4TEST,MD5TEST,HMACTEST,"+ - "RC2TEST,RC4TEST,RC5TEST,"+ - "DESTEST,SHATEST,SHA1TEST,MDC2TEST,RMDTEST,"+ - "RANDTEST,DHTEST,"+ - diff --git a/test/tests.com b/test/tests.com index 4237b330ba..df8f46e75d 100644 --- a/test/tests.com +++ b/test/tests.com @@ -19,7 +19,8 @@ $ then $ tests = p1 $ else $ tests := - - test_des,test_idea,test_sha,test_md5,test_hmac,test_md2,test_mdc2,- + test_des,test_idea,test_sha,test_md4,test_md5,test_hmac,- + test_md2,test_mdc2,- test_rmd,test_rc2,test_rc4,test_rc5,test_bf,test_cast,- test_rand,test_bn,test_enc,test_x509,test_rsa,test_crl,test_sid,- test_gen,test_req,test_pkcs7,test_verify,test_dh,test_dsa,- @@ -35,6 +36,7 @@ $ SHA1TEST := sha1test $ MDC2TEST := mdc2test $ RMDTEST := rmdtest $ MD2TEST := md2test +$ MD4TEST := md4test $ MD5TEST := md5test $ HMACTEST := hmactest $ RC2TEST := rc2test @@ -74,6 +76,9 @@ $ return $ test_md5: $ mcr 'texe_dir''md5test' $ return +$ test_md4: +$ mcr 'texe_dir''md4test' +$ return $ test_hmac: $ mcr 'texe_dir''hmactest' $ return