From: Bastian Germann Date: Mon, 17 Feb 2020 11:50:08 +0000 (+0100) Subject: apps x509: restrict CAkeyform option to OPT_FMT_PDE X-Git-Tag: OpenSSL_1_1_1e~26 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=3bd75cfafd94cb90b5422c69d45b1320802effac;p=oweals%2Fopenssl.git apps x509: restrict CAkeyform option to OPT_FMT_PDE CAkeyform may be set to PEM, DER or ENGINE, but the current options are not using the proper optionformat 'E' (OPT_FMT_PDE) for this. Set the valtype for CAkeyform to 'E' and use OPT_FMT_PDE when extracting the option value. This amends bf4006a6f9 ("Fix regression on x509 keyform argument") which did the same thing for keyform and changed the manpage synopsis entries for both keyform and CAkeyform but did not change the option section. Hence, change the option section. CLA: trivial Reviewed-by: Matthias St. Pierre Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11172) --- diff --git a/apps/x509.c b/apps/x509.c index f81741f4e7..79518a4e62 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -130,7 +130,7 @@ const OPTIONS x509_options[] = { {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"}, {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"}, {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, - {"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"}, + {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"}, {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"}, @@ -225,7 +225,7 @@ int x509_main(int argc, char **argv) goto opthelp; break; case OPT_CAKEYFORM: - if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat)) + if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat)) goto opthelp; break; case OPT_OUT: 
diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index a6cea337d2..e498aee4ff 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod @@ -384,7 +384,7 @@ certificate is being created from another certificate (for example with the B<-signkey> or the B<-CA> options). Normally all extensions are retained. -=item B<-keyform PEM|DER> +=item B<-keyform PEM|DER|ENGINE> Specifies the format (DER or PEM) of the private key file used in the B<-signkey> option.
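Review bot: In the x509_options[] hunk of apps/x509.c, the help string for CAkeyform still reads "CA key format - default PEM", so the usage output does not tell the user that ENGINE is an accepted value alongside PEM and DER. Consider naming the accepted formats in that string so the option table documents what the 'E' valtype permits.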
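Review bot: In the OPT_CAKEYFORM case of x509_main(), replacing OPT_FMT_ANY with OPT_FMT_PDE narrows the set of values opt_format() accepts, so an invocation that passes any other format name now ends at opthelp. No test or user-facing note for that is visible in this patch; a test that passes an unsupported format to -CAkeyform and expects a failure would pin down the tightened input validation and keep the table entry ('E') and this call from drifting apart again.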
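Review bot: In the doc/man1/x509.pod hunk, the item header becomes "-keyform PEM|DER|ENGINE" while the unchanged description directly below still says "Specifies the format (DER or PEM) of the private key file", so header and body now disagree. Update the description to cover ENGINE as well. Also, the subject line is about CAkeyform, yet the only option entry changed in the visible part of the patch is -keyform; please check that the -CAkeyform item in the option section gets the same update.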