From: Dr. David von Oheimb Date: Wed, 6 May 2020 11:51:50 +0000 (+0200) Subject: Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c X-Git-Tag: openssl-3.0.0-alpha3~103 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6d382c74b375f1f8c44f04ec3de95ff781598a3b;p=oweals%2Fopenssl.git Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c This also adds the more flexible and general load_key_cert_crl() as well as helper functions get_passwd(), cleanse(), and clear_free() to be used also in apps/cmp.c etc. Reviewed-by: Richard Levitte Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/11755) --- diff --git a/apps/ca.c b/apps/ca.c index a18ff0998e..d91b39c91c 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -215,12 +215,12 @@ const OPTIONS ca_options[] = { OPT_SECTION("Signing"), {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"}, {"keyfile", OPT_KEYFILE, 's', "Private key"}, - {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"}, + {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"}, {"cert", OPT_CERT, '<', "The CA cert"}, {"certform", OPT_CERTFORM, 'F', - "certificate input format (DER or PEM); default PEM"}, + "certificate input format (DER/PEM/P12); has no effect"}, {"selfsign", OPT_SELFSIGN, '-', "Sign a cert with the key associated with it"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, @@ -385,7 +385,7 @@ opthelp: certfile = opt_arg(); break; case OPT_CERTFORM: - if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &certformat)) + if (!opt_format(opt_arg(), OPT_FMT_ANY, &certformat)) goto opthelp; break; case OPT_SELFSIGN: 
@@ -573,8 +573,7 @@ end_of_options: } } pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key"); - if (key != NULL) - OPENSSL_cleanse(key, strlen(key)); + cleanse(key); if (pkey == NULL) /* load_key() has already printed an appropriate message */ goto end; diff --git a/apps/cmp.c b/apps/cmp.c index 7375b795ca..7a2ce2963d 100644 --- a/apps/cmp.c +++ b/apps/cmp.c 
@@ -46,157 +46,6 @@ DEFINE_STACK_OF(X509) DEFINE_STACK_OF(X509_EXTENSION) DEFINE_STACK_OF(OSSL_CMP_ITAV) -/* start TODO remove when PR #11755 is merged */ -static char *get_passwd(const char *pass, const char *desc) -{ - char *result = NULL; - - app_passwd(pass, NULL, &result, NULL); - return result; -} - -static void cleanse(char *str) -{ - if (str != NULL) - OPENSSL_cleanse(str, strlen(str)); -} - -static void clear_free(char *str) -{ - if (str != NULL) - OPENSSL_clear_free(str, strlen(str)); -} - -static int load_key_cert_crl(const char *uri, int maybe_stdin, - const char *pass, const char *desc, - EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl) -{ - PW_CB_DATA uidata; - OSSL_STORE_CTX *ctx = NULL; - int ret = 0; - - if (ppkey != NULL) - *ppkey = NULL; - if (pcert != NULL) - *pcert = NULL; - if (pcrl != NULL) - *pcrl = NULL; - - uidata.password = pass; - uidata.prompt_info = uri; - - ctx = OSSL_STORE_open(uri, get_ui_method(), &uidata, NULL, NULL); - if (ctx == NULL) { - BIO_printf(bio_err, "Could not open file or uri %s for loading %s\n", - uri, desc); - goto end; - } - - for (;;) { - OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); - int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info); - const char *infostr = - info == NULL ? 
NULL : OSSL_STORE_INFO_type_string(type); - int err = 0; - - if (info == NULL) { - if (OSSL_STORE_eof(ctx)) - ret = 1; - break; - } - - switch (type) { - case OSSL_STORE_INFO_PKEY: - if (ppkey != NULL && *ppkey == NULL) - err = ((*ppkey = OSSL_STORE_INFO_get1_PKEY(info)) == NULL); - break; - case OSSL_STORE_INFO_CERT: - if (pcert != NULL && *pcert == NULL) - err = ((*pcert = OSSL_STORE_INFO_get1_CERT(info)) == NULL); - break; - case OSSL_STORE_INFO_CRL: - if (pcrl != NULL && *pcrl == NULL) - err = ((*pcrl = OSSL_STORE_INFO_get1_CRL(info)) == NULL); - break; - default: - /* skip any other type */ - break; - } - OSSL_STORE_INFO_free(info); - if (err) { - BIO_printf(bio_err, "Could not read %s of %s from %s\n", - infostr, desc, uri); - break; - } - } - - end: - if (ctx != NULL) - OSSL_STORE_close(ctx); - if (!ret) - ERR_print_errors(bio_err); - return ret; -} - -static -EVP_PKEY *load_key_preliminary(const char *uri, int format, int may_stdin, - const char *pass, ENGINE *e, const char *desc) -{ - EVP_PKEY *pkey = NULL; - - if (desc == NULL) - desc = "private key"; - - if (format == FORMAT_ENGINE) { - if (e == NULL) { - BIO_printf(bio_err, "No engine specified for loading %s\n", desc); - } else { -#ifndef OPENSSL_NO_ENGINE - PW_CB_DATA cb_data; - - cb_data.password = pass; - cb_data.prompt_info = uri; - if (ENGINE_init(e)) { - pkey = ENGINE_load_private_key(e, uri, - (UI_METHOD *)get_ui_method(), - &cb_data); - ENGINE_finish(e); - } - if (pkey == NULL) { - BIO_printf(bio_err, "Cannot load %s from engine\n", desc); - ERR_print_errors(bio_err); - } -#else - BIO_printf(bio_err, "Engines not supported for loading %s\n", desc); -#endif - } - } else { - (void)load_key_cert_crl(uri, may_stdin, pass, desc, &pkey, NULL, NULL); - } - - if (pkey == NULL) { - BIO_printf(bio_err, "Unable to load %s\n", desc); - ERR_print_errors(bio_err); - } - return pkey; -} - -static X509 *load_cert_pass(const char *uri, int maybe_stdin, - const char *pass, const char *desc) -{ - X509 *cert = 
NULL; - - if (desc == NULL) - desc = "certificate"; - (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, NULL, &cert, NULL); - if (cert == NULL) { - BIO_printf(bio_err, "Unable to load %s\n", desc); - ERR_print_errors(bio_err); - } - return cert; -} -/* end TODO remove when PR #11755 is merged */ - static char *opt_config = NULL; #define CMP_SECTION "cmp" #define SECTION_NAME_MAX 40 /* max length of section name */ @@ -832,7 +681,7 @@ static EVP_PKEY *load_key_pwd(const char *uri, int format, const char *pass, ENGINE *e, const char *desc) { char *pass_string = get_passwd(pass, desc); - EVP_PKEY *pkey = load_key_preliminary(uri, format, 0, pass_string, e, desc); + EVP_PKEY *pkey = load_key(uri, format, 0, pass_string, e, desc); clear_free(pass_string); return pkey; diff --git a/apps/cms.c b/apps/cms.c index 0c8af3dab7..6b5577ecee 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -196,7 +196,7 @@ const OPTIONS cms_options[] = { {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"inkey", OPT_INKEY, 's', "Input private key (if not signer or recipient)"}, - {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, + {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"}, {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, OPT_SECTION("Mail header"), @@ -576,7 +576,7 @@ int cms_main(int argc, char **argv) if (operation == SMIME_ENCRYPT) { if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) goto end; - cert = load_cert(opt_arg(), FORMAT_PEM, + cert = load_cert(opt_arg(), FORMAT_UNDEF, "recipient certificate file"); if (cert == NULL) goto end; @@ -756,7 +756,7 @@ int cms_main(int argc, char **argv) if ((encerts = sk_X509_new_null()) == NULL) goto end; while (*argv) { - if ((cert = load_cert(*argv, FORMAT_PEM, + if ((cert = load_cert(*argv, FORMAT_UNDEF, "recipient certificate file")) == NULL) goto end; sk_X509_push(encerts, cert); 
@@ -774,7 +774,7 @@ int cms_main(int argc, char **argv) } if (recipfile != NULL && (operation == SMIME_DECRYPT)) { - if ((recip = load_cert(recipfile, FORMAT_PEM, + if ((recip = load_cert(recipfile, FORMAT_UNDEF, "recipient certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -782,7 +782,7 @@ int cms_main(int argc, char **argv) } if (originatorfile != NULL) { - if ((originator = load_cert(originatorfile, FORMAT_PEM, + if ((originator = load_cert(originatorfile, FORMAT_UNDEF, "originator certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -790,7 +790,7 @@ int cms_main(int argc, char **argv) } if (operation == SMIME_SIGN_RECEIPT) { - if ((signer = load_cert(signerfile, FORMAT_PEM, + if ((signer = load_cert(signerfile, FORMAT_UNDEF, "receipt signer certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -1019,7 +1019,8 @@ int cms_main(int argc, char **argv) signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(signerfile, FORMAT_PEM, "signer certificate"); + signer = load_cert(signerfile, FORMAT_UNDEF, + "signer certificate"); if (signer == NULL) { ret = 2; goto end; diff --git a/apps/crl.c b/apps/crl.c index 8028fef5de..d417642cce 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -34,9 +34,9 @@ const OPTIONS crl_options[] = { OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file - default stdin"}, - {"inform", OPT_INFORM, 'F', "Input format; default PEM"}, + {"inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect"}, {"key", OPT_KEY, '<', "CRL signing Private key to use"}, - {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"}, + {"keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect"}, OPT_SECTION("Output"), {"out", OPT_OUT, '>', "output file - default stdout"}, 
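Review bot: In the apps/crl.c options hunk, the new `-keyform` help reads `(DER/PEM/P12); has no effect`, while every other `keyform` entry touched by this commit (ca.c, cms.c, dgst.c, pkeyutl.c, rsautl.c, s_client.c) reads `(ENGINE, other values ignored)`. If crl.c still hands `keyformat` to `load_key` with an engine (the call is not visible here), ENGINE does have an effect and the text is misleading. Aligning it with the others, `{"keyform", OPT_KEYFORM, 'F', "Private key file format (ENGINE, other values ignored)"},`, keeps the help consistent across the apps.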
@@ -122,7 +122,7 @@ int crl_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_KEYFORM: - if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat)) + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat)) goto opthelp; break; case OPT_KEY: diff --git a/apps/dgst.c b/apps/dgst.c index 90aaf982ae..da162e6ed6 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -64,7 +64,7 @@ const OPTIONS dgst_options[] = { {"c", OPT_C, '-', "Print the digest with separating colons"}, {"r", OPT_R, '-', "Print the digest in coreutils format"}, {"out", OPT_OUT, '>', "Output to filename rather than stdout"}, - {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"}, + {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"}, {"hex", OPT_HEX, '-', "Print as hex dump"}, {"binary", OPT_BINARY, '-', "Print in binary form"}, {"d", OPT_DEBUG, '-', "Print debug info"}, diff --git a/apps/dsa.c b/apps/dsa.c index 65397ab053..8ef802e0da 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -48,7 +48,7 @@ const OPTIONS dsa_options[] = { OPT_SECTION("Input"), {"in", OPT_IN, 's', "Input key"}, - {"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"}, + {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect"}, {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, diff --git a/apps/ec.c b/apps/ec.c index 9cf6e1a545..43e2be1346 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -49,7 +49,7 @@ const OPTIONS ec_options[] = { OPT_SECTION("Input"), {"in", OPT_IN, 's', "Input file"}, - {"inform", OPT_INFORM, 'f', "Input format - DER or PEM"}, + {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"}, {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"check", OPT_CHECK, '-', "check key consistency"}, diff --git a/apps/enc.c b/apps/enc.c index d7e99b43e7..4d59391c22 100644 --- a/apps/enc.c +++ b/apps/enc.c 
@@ -538,7 +538,7 @@ int enc_main(int argc, char **argv) goto end; } /* wiping secret data as we no longer need it */ - OPENSSL_cleanse(hkey, strlen(hkey)); + cleanse(hkey); } if ((benc = BIO_new(BIO_f_cipher())) == NULL) diff --git a/apps/include/apps.h b/apps/include/apps.h index e168942e19..7789bd2b0a 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h 
@@ -102,19 +102,28 @@ int set_cert_ex(unsigned long *flags, const char *arg); int set_name_ex(unsigned long *flags, const char *arg); int set_ext_copy(int *copy_type, const char *arg); int copy_extensions(X509 *x, X509_REQ *req, int copy_type); +char *get_passwd(const char *pass, const char *desc); int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2); int add_oid_section(CONF *conf); X509_REQ *load_csr(const char *file, int format, const char *desc); -X509 *load_cert(const char *file, int format, const char *desc); -X509_CRL *load_crl(const char *infile, int format, const char *desc); -EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, +X509 *load_cert_pass(const char *uri, int maybe_stdin, + const char *pass, const char *desc); +/* the format parameter is meanwhile not needed anymore and thus ignored */ +X509 *load_cert(const char *uri, int format, const char *desc); +X509_CRL *load_crl(const char *uri, int format, const char *desc); +void cleanse(char *str); +void clear_free(char *str); +EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); -EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, +EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); int load_certs(const char *file, STACK_OF(X509) **certs, int format, const char *pass, const char *desc); int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, const char *pass, const char *desc); +int load_key_cert_crl(const char *uri, int maybe_stdin, + const char *pass, const char *desc, + EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl); X509_STORE *setup_verify(const char *CAfile, int noCAfile, const char *CApath, int noCApath, const char *CAstore, int noCAstore); diff --git a/apps/include/opt.h b/apps/include/opt.h index b4753dc42e..5afbad1bbe 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h 
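Review bot: The new `load_key_cert_crl` prototype in apps/include/apps.h carries no contract comment, although the definition in apps/lib/apps.c notes that partial results may be returned even when the function reports failure; a caller reading only the header cannot tell that `*ppkey`/`*pcert`/`*pcrl` may be non-NULL and must be freed on a zero return. A header comment such as `/* Loads the first key/cert/CRL found for each non-NULL result pointer; the caller owns the results and must free them even when 0 is returned */` would carry that. The `load_cert_pass`/`load_key`/`load_pubkey` declarations would likewise benefit from one line stating what a NULL `uri` combined with `maybe_stdin` means, since that behaviour changed in this commit.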
@@ -132,9 +132,9 @@ { "xchain_build", OPT_X_CHAIN_BUILD, '-', \ "build certificate chain for the extended certificates"}, \ { "xcertform", OPT_X_CERTFORM, 'F', \ - "format of Extended certificate (PEM or DER) PEM default " }, \ + "format of Extended certificate (PEM/DER/P12); has no effect" }, \ { "xkeyform", OPT_X_KEYFORM, 'F', \ - "format of Extended certificate's key (PEM or DER) PEM default"} + "format of Extended certificate's key (DER/PEM/P12); has no effect"} # define OPT_X_CASES \ OPT_X__FIRST: case OPT_X__LAST: break; \ diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 4b7201166c..8063a0e272 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -209,6 +210,24 @@ int wrap_password_callback(char *buf, int bufsiz, int verify, void *userdata) static char *app_get_pass(const char *arg, int keepbio); +char *get_passwd(const char *pass, const char *desc) +{ + char *result = NULL; + + if (desc == NULL) + desc = ""; + if (!app_passwd(pass, NULL, &result, NULL)) + BIO_printf(bio_err, "Error getting password for %s\n", desc); + if (pass != NULL && result == NULL) { + BIO_printf(bio_err, + "Trying plain input string (better precede with 'pass:')\n"); + result = OPENSSL_strdup(pass); + if (result == NULL) + BIO_printf(bio_err, "Out of memory getting password for %s\n", desc); + } + return result; +} + int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2) { int same = arg1 != NULL && arg2 != NULL && strcmp(arg1, arg2) == 0; 
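Review bot: In `get_passwd`, the fallback to `OPENSSL_strdup(pass)` is taken whenever `app_passwd` fails, not only when `pass` carries no recognised source prefix; an unreadable `file:` path or an unset `env:` variable therefore turns the literal source spec into the secret that is tried, and the caller later sees a decryption failure instead of the real configuration error. Limiting the fallback to inputs that app_passwd could not classify, for instance `if (pass != NULL && result == NULL && strchr(pass, ':') == NULL)`, and keeping the explicit error otherwise would make misconfiguration diagnosable. The "Trying plain input string" notice is a reasonable hint, but it prints even in the case where the source spec was valid and merely failed.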
@@ -412,126 +431,44 @@ int add_oid_section(CONF *conf) return 1; } -static int load_pkcs12(BIO *in, const char *desc, - pem_password_cb *pem_cb, PW_CB_DATA *cb_data, - EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) +X509 *load_cert_pass(const char *uri, int maybe_stdin, + const char *pass, const char *desc) { - const char *pass; - char tpass[PEM_BUFSIZE]; - int len, ret = 0; - PKCS12 *p12; + X509 *cert = NULL; - p12 = d2i_PKCS12_bio(in, NULL); - if (p12 == NULL) { - if (desc != NULL) - BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc); - else - BIO_printf(bio_err, "Error loading PKCS12 file\n"); - goto die; - } - /* See if an empty password will do */ - if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0)) { - pass = ""; - } else { - if (pem_cb == NULL) - pem_cb = (pem_password_cb *)password_callback; - len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data); - if (len < 0) { - BIO_printf(bio_err, "Passphrase callback error for %s\n", - desc != NULL ? desc : "PKCS12 input"); - goto die; - } - if (len < PEM_BUFSIZE) - tpass[len] = 0; - if (!PKCS12_verify_mac(p12, tpass, len)) { - BIO_printf(bio_err, - "Mac verify error (wrong password?) in PKCS12 file for %s\n", - desc != NULL ? 
desc : "PKCS12 input"); - goto die; - } - pass = tpass; - } - ret = PKCS12_parse(p12, pass, pkey, cert, ca); - die: - PKCS12_free(p12); - return ret; -} - -X509 *load_cert(const char *file, int format, const char *desc) -{ - X509 *x = NULL; - BIO *cert; - - if (format == FORMAT_HTTP) { -#if !defined(OPENSSL_NO_SOCK) - x = X509_load_http(file, NULL, NULL, 0 /* timeout */); -#endif - return x; - } - - if (file == NULL) { + if (desc == NULL) + desc = "certificate"; + if (uri == NULL) { unbuffer(stdin); - cert = dup_bio_in(format); - } else { - cert = bio_open_default(file, 'r', format); + uri = ""; } - if (cert == NULL) - goto end; - - if (format == FORMAT_ASN1) { - x = d2i_X509_bio(cert, NULL); - } else if (format == FORMAT_PEM) { - x = PEM_read_bio_X509_AUX(cert, NULL, - (pem_password_cb *)password_callback, NULL); - } else if (format == FORMAT_PKCS12) { - if (!load_pkcs12(cert, desc, NULL, NULL, NULL, &x, NULL)) - goto end; - } else { - print_format_error(format, -#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) - OPT_FMT_HTTP | -#endif - OPT_FMT_PEMDER | OPT_FMT_PKCS12); - } - - end: - if (x == NULL && desc != NULL) { + (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, NULL, &cert, NULL); + if (cert == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); } - BIO_free(cert); - return x; + return cert; } -X509_CRL *load_crl(const char *infile, int format, const char *desc) +/* the format parameter is meanwhile not needed anymore and thus ignored */ +X509 *load_cert(const char *uri, int format, const char *desc) { - X509_CRL *x = NULL; - BIO *in = NULL; - - if (format == FORMAT_HTTP) { -#if !defined(OPENSSL_NO_SOCK) - x = X509_CRL_load_http(infile, NULL, NULL, 0 /* timeout */); -#endif - return x; - } + return load_cert_pass(uri, 0, NULL, desc); +} - in = bio_open_default(infile, 'r', format); - if (in == NULL) - goto end; - if (format == FORMAT_ASN1) { - x = d2i_X509_CRL_bio(in, NULL); - } else if (format == FORMAT_PEM) 
{ - x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); - } else - print_format_error(format, OPT_FMT_PEMDER); +/* the format parameter is meanwhile not needed anymore and thus ignored */ +X509_CRL *load_crl(const char *uri, int format, const char *desc) +{ + X509_CRL *crl = NULL; - end: - if (x == NULL && desc != NULL) { + if (desc == NULL) + desc = "CRL"; + (void)load_key_cert_crl(uri, 0, NULL, desc, NULL, NULL, &crl); + if (crl == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); } - BIO_free(in); - return x; + return crl; } X509_REQ *load_csr(const char *file, int format, const char *desc) @@ -539,6 +476,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) X509_REQ *req = NULL; BIO *in; + if (desc == NULL) + desc = "CSR"; in = bio_open_default(file, 'r', format); if (in == NULL) goto end; @@ -551,7 +490,7 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) print_format_error(format, OPT_FMT_PEMDER); end: - if (req == NULL && desc != NULL) { + if (req == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); } 
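Review bot: `load_cert_pass` replaces a NULL `uri` with `""` before calling `load_key_cert_crl`, so the stdin branch of that helper (which keys on `uri == NULL`) is never reached and `OSSL_STORE_open("")` is attempted instead; combined with `load_cert` passing `maybe_stdin = 0`, the previous behaviour of `load_cert(NULL, ...)` reading the certificate from stdin is lost, and `load_crl(NULL, ...)` likewise no longer reads stdin the way `bio_open_default(NULL, 'r', format)` did. The `unbuffer(stdin)` call in `load_cert_pass` is also redundant with the one inside the helper. I would drop the `if (uri == NULL) { ... }` block in `load_cert_pass` and pass `uri` through unchanged, and, if callers still rely on stdin input (not visible from this hunk), have `load_cert` call `load_cert_pass(uri, 1, NULL, desc)` and `load_crl` pass `1` for `maybe_stdin`.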
@@ -559,173 +498,92 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) return req; } -EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, +void cleanse(char *str) +{ + if (str != NULL) + OPENSSL_cleanse(str, strlen(str)); +} + +void clear_free(char *str) +{ + if (str != NULL) + OPENSSL_clear_free(str, strlen(str)); +} + +EVP_PKEY *load_key(const char *uri, int format, int may_stdin, const char *pass, ENGINE *e, const char *desc) { - BIO *key = NULL; EVP_PKEY *pkey = NULL; - PW_CB_DATA cb_data; - cb_data.password = pass; - cb_data.prompt_info = file; + if (desc == NULL) + desc = "private key"; - if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { - BIO_printf(bio_err, "No keyfile specified\n"); - goto end; - } if (format == FORMAT_ENGINE) { if (e == NULL) { - BIO_printf(bio_err, "No engine specified\n"); + BIO_printf(bio_err, "No engine specified for loading %s\n", desc); } else { #ifndef OPENSSL_NO_ENGINE + PW_CB_DATA cb_data; + + cb_data.password = pass; + cb_data.prompt_info = uri; if (ENGINE_init(e)) { - pkey = ENGINE_load_private_key(e, file, + pkey = ENGINE_load_private_key(e, uri, (UI_METHOD *)get_ui_method(), &cb_data); ENGINE_finish(e); } - if (pkey == NULL && desc != NULL) { + if (pkey == NULL) { BIO_printf(bio_err, "Cannot load %s from engine\n", desc); ERR_print_errors(bio_err); } #else - BIO_printf(bio_err, "Engines not supported\n"); + BIO_printf(bio_err, "Engines not supported for loading %s\n", desc); #endif } - goto end; - } - if (file == NULL && maybe_stdin) { - unbuffer(stdin); - key = dup_bio_in(format); - } else { - key = bio_open_default(file, 'r', format); - } - if (key == NULL) - goto end; - if (format == FORMAT_ASN1) { - pkey = d2i_PrivateKey_bio(key, NULL); - } else if (format == FORMAT_PEM) { - pkey = PEM_read_bio_PrivateKey(key, NULL, wrap_password_callback, &cb_data); - } else if (format == FORMAT_PKCS12) { - if (!load_pkcs12(key, desc, - (pem_password_cb *)password_callback, &cb_data, - 
&pkey, NULL, NULL)) - goto end; -#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4) - } else if (format == FORMAT_MSBLOB) { - pkey = b2i_PrivateKey_bio(key); - } else if (format == FORMAT_PVK) { - pkey = b2i_PVK_bio(key, wrap_password_callback, &cb_data); -#endif } else { - print_format_error(format, OPT_FMT_PEMDER | OPT_FMT_PKCS12 -#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4) - | OPT_FMT_MSBLOB | FORMAT_PVK -#endif -#ifndef OPENSSL_NO_ENGINE - | OPT_FMT_ENGINE -#endif - ); + (void)load_key_cert_crl(uri, may_stdin, pass, desc, &pkey, NULL, NULL); } - end: - BIO_free(key); - if (pkey == NULL && desc != NULL) { + if (pkey == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); } return pkey; } -EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, +EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc) { - BIO *key = NULL; EVP_PKEY *pkey = NULL; - PW_CB_DATA cb_data; - cb_data.password = pass; - cb_data.prompt_info = file; + if (desc == NULL) + desc = "public key"; - if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { - BIO_printf(bio_err, "No keyfile specified\n"); - goto end; - } if (format == FORMAT_ENGINE) { if (e == NULL) { - BIO_printf(bio_err, "No engine specified\n"); + BIO_printf(bio_err, "No engine specified for loading %s\n", desc); } else { #ifndef OPENSSL_NO_ENGINE - pkey = ENGINE_load_public_key(e, file, (UI_METHOD *)get_ui_method(), + PW_CB_DATA cb_data; + + cb_data.password = pass; + cb_data.prompt_info = uri; + pkey = ENGINE_load_public_key(e, uri, (UI_METHOD *)get_ui_method(), &cb_data); - if (pkey == NULL && desc != NULL) { + if (pkey == NULL) { BIO_printf(bio_err, "Cannot load %s from engine\n", desc); ERR_print_errors(bio_err); } #else - BIO_printf(bio_err, "Engines not supported\n"); + BIO_printf(bio_err, "Engines not supported for loading %s\n", desc); 
#endif } - goto end; - } - if (file == NULL && maybe_stdin) { - unbuffer(stdin); - key = dup_bio_in(format); } else { - key = bio_open_default(file, 'r', format); + (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, &pkey, + NULL, NULL); } - if (key == NULL) - goto end; - if (format == FORMAT_ASN1) { - pkey = d2i_PUBKEY_bio(key, NULL); - } else if (format == FORMAT_ASN1RSA) { -#ifndef OPENSSL_NO_RSA - RSA *rsa; - rsa = d2i_RSAPublicKey_bio(key, NULL); - if (rsa) { - pkey = EVP_PKEY_new(); - if (pkey != NULL) - EVP_PKEY_set1_RSA(pkey, rsa); - RSA_free(rsa); - } else -#else - BIO_printf(bio_err, "RSA keys not supported\n"); -#endif - pkey = NULL; - } else if (format == FORMAT_PEMRSA) { -#ifndef OPENSSL_NO_RSA - RSA *rsa; - rsa = PEM_read_bio_RSAPublicKey(key, NULL, - (pem_password_cb *)password_callback, - &cb_data); - if (rsa != NULL) { - pkey = EVP_PKEY_new(); - if (pkey != NULL) - EVP_PKEY_set1_RSA(pkey, rsa); - RSA_free(rsa); - } else -#else - BIO_printf(bio_err, "RSA keys not supported\n"); -#endif - pkey = NULL; - } else if (format == FORMAT_PEM) { - pkey = PEM_read_bio_PUBKEY(key, NULL, - (pem_password_cb *)password_callback, - &cb_data); -#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) - } else if (format == FORMAT_MSBLOB) { - pkey = b2i_PublicKey_bio(key); -#endif - } else { - print_format_error(format, OPT_FMT_PEMDER -#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) - | OPT_FMT_MSBLOB -#endif - ); - } - end: - BIO_free(key); - if (pkey == NULL && desc != NULL) { + if (pkey == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); } 
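Review bot: `load_pubkey` now ignores `format` entirely, so the `FORMAT_ASN1RSA`/`FORMAT_PEMRSA` (raw RSAPublicKey) and MSBLOB decoding that the removed body handled is silently gone; rsa.c's `-RSAPublicKey_in` option is still present in this commit, and unless the store's file loader decodes those structures (not visible here) that path now fails with only the generic "Unable to load" message — at minimum a diagnostic for those format values would help. Both `load_key` and `load_pubkey` also accept only `OSSL_STORE_INFO_PKEY` results; whether a public-key-only PEM is reported under that type by the loader should be covered by a test. For `FORMAT_ENGINE`, the removed `file == NULL` check made a NULL `uri` an error, whereas the new code calls `ENGINE_load_private_key(e, NULL, ...)`; if that is intentional (engine default key) a comment saying so would help, otherwise restore a check such as `if (uri == NULL) BIO_printf(bio_err, "No engine key id specified for loading %s\n", desc);`. The tail of `load_pubkey` continues past the hunk.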
@@ -807,11 +665,8 @@ static int load_certs_crls(const char *file, int format, sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); *pcrls = NULL; } - if (desc != NULL) { - BIO_printf(bio_err, "Unable to load %s for %s\n", - pcerts ? "certificates" : "CRLs", desc); - ERR_print_errors(bio_err); - } + BIO_printf(bio_err, "Unable to load %s\n", desc != NULL ? desc : + pcerts != NULL ? "certificates" : "CRLs"); } return rv; } 
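Review bot: The failure path in `load_certs_crls` now prints only `Unable to load %s` and no longer calls `ERR_print_errors(bio_err)`, so the underlying reason (wrong password, PEM parse error, ...) disappears from the output and the error queue is left populated for a later, unrelated `ERR_print_errors` to dump out of context. Every other loader touched in this commit prints the queue right after its message; add `ERR_print_errors(bio_err);` directly after the `BIO_printf`. The function starts outside the hunk; only its error branch and `return rv;` are visible here.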
@@ -847,6 +702,102 @@ int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, return load_certs_crls(file, format, pass, desc, NULL, crls); } +/* + * Load those types of credentials for which the result pointer is not NULL. + * Reads from stdio if uri is NULL and maybe_stdin is nonzero. + * For each type the first credential found in the store is loaded. + * May yield partial result even if rv == 0. + */ +int load_key_cert_crl(const char *uri, int maybe_stdin, + const char *pass, const char *desc, + EVP_PKEY **ppkey, X509 **pcert, X509_CRL **pcrl) +{ + PW_CB_DATA uidata; + OSSL_STORE_CTX *ctx = NULL; + int ret = 0; + /* TODO make use of the engine reference 'eng' when loading pkeys */ + + if (ppkey != NULL) + *ppkey = NULL; + if (pcert != NULL) + *pcert = NULL; + if (pcrl != NULL) + *pcrl = NULL; + + if (desc == NULL) + desc = "key/certificate/CRL"; + uidata.password = pass; + uidata.prompt_info = uri; + + if (uri == NULL) { + BIO *bio; + + if (!maybe_stdin) { + BIO_printf(bio_err, "No filename or uri specified for loading %s\n", + desc); + goto end; + } + unbuffer(stdin); + bio = BIO_new_fp(stdin, 0); + if (bio != NULL) + ctx = OSSL_STORE_attach(bio, NULL, "file", NULL, + get_ui_method(), &uidata, NULL, NULL); + uri = ""; + } else { + ctx = OSSL_STORE_open(uri, get_ui_method(), &uidata, NULL, NULL); + } + if (ctx == NULL) { + BIO_printf(bio_err, "Could not open file or uri %s for loading %s\n", + uri, desc); + goto end; + } + + for (;;) { + OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); + int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info); + const char *infostr = + info == NULL ? 
NULL : OSSL_STORE_INFO_type_string(type); + int err = 0; + + if (info == NULL) { + if (OSSL_STORE_eof(ctx)) + ret = 1; + break; + } + + switch (type) { + case OSSL_STORE_INFO_PKEY: + if (ppkey != NULL && *ppkey == NULL) + err = ((*ppkey = OSSL_STORE_INFO_get1_PKEY(info)) == NULL); + break; + case OSSL_STORE_INFO_CERT: + if (pcert != NULL && *pcert == NULL) + err = ((*pcert = OSSL_STORE_INFO_get1_CERT(info)) == NULL); + break; + case OSSL_STORE_INFO_CRL: + if (pcrl != NULL && *pcrl == NULL) + err = ((*pcrl = OSSL_STORE_INFO_get1_CRL(info)) == NULL); + break; + default: + /* skip any other type */ + break; + } + OSSL_STORE_INFO_free(info); + if (err) { + BIO_printf(bio_err, "Could not read %s of %s from %s\n", + infostr, desc, uri); + break; + } + } + + end: + OSSL_STORE_close(ctx); + if (!ret) + ERR_print_errors(bio_err); + return ret; +} + + #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) /* Return error for unknown extensions */ #define X509V3_EXT_DEFAULT 0 diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 5f2f2792fa..34bc4a9995 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -1094,11 +1094,11 @@ int args_excert(int opt, SSL_EXCERT **pexc) exc->build_chain = 1; break; case OPT_X_CERTFORM: - if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->certform)) + if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->certform)) return 0; break; case OPT_X_KEYFORM: - if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->keyform)) + if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->keyform)) return 0; break; } diff --git a/apps/ocsp.c b/apps/ocsp.c index 5f9c5cf326..fd03611fe9 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -404,7 +404,8 @@ int ocsp_main(int argc, char **argv) path = opt_arg(); break; case OPT_ISSUER: - issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate"); + issuer = load_cert(opt_arg(), FORMAT_UNDEF, + "issuer certificate"); if (issuer == NULL) goto end; if (issuers == NULL) { 
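Review bot: In the `uri == NULL` branch of `load_key_cert_crl`, the `BIO` returned by `BIO_new_fp(stdin, 0)` is never freed — neither when `OSSL_STORE_attach` returns NULL nor after `OSSL_STORE_close` — so every stdin load leaks a BIO object; if `OSSL_STORE_attach` keeps its own reference (please confirm against its contract) a `BIO_free(bio);` immediately after the attach call is the fix, otherwise the BIO must be freed at `end:` after the store is closed. The `/* TODO make use of the engine reference 'eng' when loading pkeys */` comment names a parameter this function does not have and should be dropped or reworded. Setting `uri = ""` also makes the failure message read `Could not open file or uri  for loading ...` with an empty name; a placeholder such as `"<stdin>"` is clearer, and the header comment's "Reads from stdio" should say "stdin".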
@@ -416,7 +417,7 @@ int ocsp_main(int argc, char **argv) break; case OPT_CERT: X509_free(cert); - cert = load_cert(opt_arg(), FORMAT_PEM, "certificate"); + cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate"); if (cert == NULL) goto end; if (cert_id_md == NULL) @@ -560,7 +561,8 @@ int ocsp_main(int argc, char **argv) if (rsignfile != NULL) { if (rkeyfile == NULL) rkeyfile = rsignfile; - rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate"); + rsigner = load_cert(rsignfile, FORMAT_UNDEF, + "responder certificate"); if (rsigner == NULL) { BIO_printf(bio_err, "Error loading responder certificate\n"); goto end; @@ -653,7 +655,7 @@ redo_accept: if (signfile != NULL) { if (keyfile == NULL) keyfile = signfile; - signer = load_cert(signfile, FORMAT_PEM, "signer certificate"); + signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate"); if (signer == NULL) { BIO_printf(bio_err, "Error loading signer certificate\n"); goto end; diff --git a/apps/pkey.c b/apps/pkey.c index ec68185663..8aafcb4277 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -57,7 +57,7 @@ const OPTIONS pkey_options[] = { OPT_SECTION("Input"), {"in", OPT_IN, 's', "Input key"}, - {"inform", OPT_INFORM, 'f', "Input format (DER or PEM)"}, + {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"pubin", OPT_PUBIN, '-', "Read public key from input (default is private key)"}, diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 1e3802045f..231547e291 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c 
@@ -71,11 +71,11 @@ const OPTIONS pkeyutl_options[] = { {"inkey", OPT_INKEY, 's', "Input private key file"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"}, - {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"}, + {"peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)"}, {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"}, {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"}, - {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"}, + {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"}, OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output file - default stdout"}, @@ -157,11 +157,11 @@ int pkeyutl_main(int argc, char **argv) passinarg = opt_arg(); break; case OPT_PEERFORM: - if (!opt_format(opt_arg(), OPT_FMT_PDE, &peerform)) + if (!opt_format(opt_arg(), OPT_FMT_ANY, &peerform)) goto opthelp; break; case OPT_KEYFORM: - if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyform)) + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) goto opthelp; break; case OPT_R_CASES: @@ -519,7 +519,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, break; case KEY_CERT: - x = load_cert(keyfile, keyform, "Certificate"); + x = load_cert(keyfile, FORMAT_UNDEF, "Certificate"); if (x) { pkey = X509_get_pubkey(x); X509_free(x); diff --git a/apps/req.c b/apps/req.c index cba6952cad..a2212b988d 100644 --- a/apps/req.c +++ b/apps/req.c 
@@ -137,7 +137,7 @@ const OPTIONS req_options[] = {
 OPT_SECTION("Keys and Signing"),
 {"key", OPT_KEY, 's', "Private key to use"},
- {"keyform", OPT_KEYFORM, 'f', "Key file format"},
+ {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
 {"pubkey", OPT_PUBKEY, '-', "Output public key"},
 {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
 {"passin", OPT_PASSIN, 's', "Private key password source"},
diff --git a/apps/rsa.c b/apps/rsa.c
index bb9bcb0bb2..9f91b72d20 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -45,7 +45,7 @@ const OPTIONS rsa_options[] = {
 OPT_SECTION("Input"),
 {"in", OPT_IN, 's', "Input file"},
- {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE"},
 {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
 {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
diff --git a/apps/rsautl.c b/apps/rsautl.c
index f74ea3164f..0f9789c39c 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -51,7 +51,7 @@ const OPTIONS rsautl_options[] = {
 OPT_SECTION("Input"),
 {"in", OPT_IN, '<', "Input file"},
 {"inkey", OPT_INKEY, 's', "Input key"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
 {"pubin", OPT_PUBIN, '-', "Input is an RSA public"},
 {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
 {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
@@ -101,7 +101,7 @@ int rsautl_main(int argc, char **argv)
 ret = 0;
 goto end;
 case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
 goto opthelp;
 break;
 case OPT_IN:
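Review bot: The new `-inform` help string in the rsa.c hunk is missing its closing parenthesis: `"Input format (DER/PEM/P12/ENGINE"` should read `"Input format (DER/PEM/P12/ENGINE)"`. The corresponding string added to pkey.c earlier in this commit does carry the parenthesis, so this is a typo rather than an intended variant, and it will show up verbatim in `openssl rsa -help` output. As with pkey.c, the manual text in this commit states only ENGINE has effect for this option, so the shorter `"Input format (ENGINE, other values ignored)"` used elsewhere would be the more accurate wording.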
@@ -197,7 +197,7 @@ int rsautl_main(int argc, char **argv)
 break;
 case KEY_CERT:
- x = load_cert(keyfile, keyformat, "Certificate");
+ x = load_cert(keyfile, FORMAT_UNDEF, "Certificate");
 if (x) {
 pkey = X509_get_pubkey(x);
 X509_free(x);
diff --git a/apps/s_client.c b/apps/s_client.c
index 875ebf2253..8bab4e2827 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -636,12 +636,12 @@ const OPTIONS s_client_options[] = {
 OPT_SECTION("Identity"),
 {"cert", OPT_CERT, '<', "Client certificate file to use"},
 {"certform", OPT_CERTFORM, 'F',
- "Client certificate file format (PEM or DER) PEM default"},
+ "Client certificate file format (PEM/DER/P12); has no effect"},
 {"cert_chain", OPT_CERT_CHAIN, '<', "Client certificate chain file (in PEM format)"},
 {"build_chain", OPT_BUILD_CHAIN, '-', "Build client certificate chain"},
 {"key", OPT_KEY, 's', "Private key file to use; default is: -cert file"},
- {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"},
+ {"keyform", OPT_KEYFORM, 'E', "Key format (ENGINE, other values ignored)"},
 {"pass", OPT_PASS, 's', "Private key file pass phrase source"},
 {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
 {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
@@ -1144,7 +1144,7 @@ int s_client_main(int argc, char **argv)
 sess_in = opt_arg();
 break;
 case OPT_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &cert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &cert_format))
 goto opthelp;
 break;
 case OPT_CRLFORM:
@@ -1378,7 +1378,7 @@ int s_client_main(int argc, char **argv)
 fallback_scsv = 1;
 break;
 case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &key_format))
 goto opthelp;
 break;
 case OPT_PASS:
@@ -3137,8 +3137,7 @@ int s_client_main(int argc, char **argv)
 OPENSSL_clear_free(cbuf, BUFSIZZ);
 OPENSSL_clear_free(sbuf, BUFSIZZ);
 OPENSSL_clear_free(mbuf, BUFSIZZ);
- if (proxypass != NULL)
- OPENSSL_clear_free(proxypass, strlen(proxypass));
+ clear_free(proxypass);
 release_engine(e);
 BIO_free(bio_c_out);
 bio_c_out = NULL;
diff --git a/apps/s_server.c b/apps/s_server.c
index 7ac4221860..bbc311befd 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -813,7 +813,7 @@ const OPTIONS s_server_options[] = {
 {"cert2", OPT_CERT2, '<', "Certificate file to use for servername; default is" TEST_CERT2},
 {"certform", OPT_CERTFORM, 'F',
- "Server certificate file format (PEM or DER) PEM default"},
+ "Server certificate file format (PEM/DER/P12); has no effect"},
 {"cert_chain", OPT_CERT_CHAIN, '<', "Server certificate chain file in PEM format"},
 {"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"},
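Review bot: Replacing the guarded `OPENSSL_clear_free(proxypass, strlen(proxypass))` with `clear_free(proxypass)` moves the NULL check into the helper's contract, and the helper's definition is not part of this chunk, so it cannot be confirmed here that `clear_free(NULL)` is a no-op; if it calls `strlen` unconditionally this cleanup path would dereference NULL whenever no proxy password was given. Because `proxypass` is a credential, it would also help to document at the helper that it wipes only up to the first NUL, exactly as the removed inline code did, so callers holding binary secrets know not to use it. s_client_main's body continues outside this hunk.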
@@ -823,19 +823,18 @@ const OPTIONS s_server_options[] = {
 "Private key file to use; default is -cert file or else" TEST_CERT},
 {"key2", OPT_KEY2, '<', "-Private Key file to use for servername if not in -cert2"},
- {"keyform", OPT_KEYFORM, 'f',
- "Key format (PEM, DER or ENGINE) PEM default"},
+ {"keyform", OPT_KEYFORM, 'f', "Key format (ENGINE, other values ignored)"},
 {"pass", OPT_PASS, 's', "Private key file pass phrase source"},
 {"dcert", OPT_DCERT, '<', "Second server certificate file to use (usually for DSA)"},
 {"dcertform", OPT_DCERTFORM, 'F',
- "Second server certificate file format (PEM or DER) PEM default"},
+ "Second server certificate file format (PEM/DER/P12); has no effect"},
 {"dcert_chain", OPT_DCERT_CHAIN, '<', "second server certificate chain file in PEM format"},
 {"dkey", OPT_DKEY, '<', "Second private key file to use (usually for DSA)"},
 {"dkeyform", OPT_DKEYFORM, 'F',
- "Second key file format (PEM, DER or ENGINE) PEM default"},
+ "Second key file format (ENGINE, other values ignored)"},
 {"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
 {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
 {"servername", OPT_SERVERNAME, 's',
@@ -1246,14 +1245,14 @@ int s_server_main(int argc, char *argv[])
 s_serverinfo_file = opt_arg();
 break;
 case OPT_CERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_cert_format))
 goto opthelp;
 break;
 case OPT_KEY:
 s_key_file = opt_arg();
 break;
 case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format))
 goto opthelp;
 break;
 case OPT_PASS:
@@ -1268,14 +1267,14 @@ int s_server_main(int argc, char *argv[])
 #endif
 break;
 case OPT_DCERTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_dcert_format))
 goto opthelp;
 break;
 case OPT_DCERT:
 s_dcert_file = opt_arg();
 break;
 case OPT_DKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_dkey_format))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_dkey_format))
 goto opthelp;
 break;
 case OPT_DPASS:
diff --git a/apps/smime.c b/apps/smime.c
index 50f03fdc04..6b7d51b76a 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -63,7 +63,7 @@ const OPTIONS smime_options[] = {
 "Output format SMIME (default), PEM or DER"},
 {"inkey", OPT_INKEY, 's',
 "Input private key (if not signer or recipient)"},
- {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
 #ifndef OPENSSL_NO_ENGINE
 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -429,7 +429,7 @@ int smime_main(int argc, char **argv)
 if (encerts == NULL)
 goto end;
 while (*argv != NULL) {
- cert = load_cert(*argv, FORMAT_PEM,
+ cert = load_cert(*argv, FORMAT_UNDEF,
 "recipient certificate file");
 if (cert == NULL)
 goto end;
@@ -448,7 +448,7 @@ int smime_main(int argc, char **argv)
 }
 if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
- if ((recip = load_cert(recipfile, FORMAT_PEM,
+ if ((recip = load_cert(recipfile, FORMAT_UNDEF,
 "recipient certificate file")) == NULL) {
 ERR_print_errors(bio_err);
 goto end;
@@ -548,7 +548,7 @@ int smime_main(int argc, char **argv)
 for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
 signerfile = sk_OPENSSL_STRING_value(sksigners, i);
 keyfile = sk_OPENSSL_STRING_value(skkeys, i);
- signer = load_cert(signerfile, FORMAT_PEM,
+ signer = load_cert(signerfile, FORMAT_UNDEF,
 "signer certificate");
 if (signer == NULL)
 goto end;
diff --git a/apps/spkac.c b/apps/spkac.c
index 03cc3d9199..2b4009d457 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -40,7 +40,7 @@ const OPTIONS spkac_options[] = {
 OPT_SECTION("Input"),
 {"in", OPT_IN, '<', "Input file"},
 {"key", OPT_KEY, '<', "Create SPKAC using private key"},
- {"keyform", OPT_KEYFORM, 'f', "Private key file format - default PEM (PEM, DER, or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
 {"challenge", OPT_CHALLENGE, 's', "Challenge string"},
 {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
diff --git a/apps/verify.c b/apps/verify.c
index 558866806f..e0eaaabe20 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -256,7 +256,7 @@ static int check(X509_STORE *ctx, const char *file,
 STACK_OF(X509) *chain = NULL;
 int num_untrusted;
- x = load_cert(file, FORMAT_PEM, "certificate file");
+ x = load_cert(file, FORMAT_UNDEF, "certificate file");
 if (x == NULL)
 goto end;
diff --git a/apps/x509.c b/apps/x509.c
index a2a52e41b1..ea083abc64 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -78,13 +78,13 @@ const OPTIONS x509_options[] = {
 #endif
 {"inform", OPT_INFORM, 'f',
- "Input format - default PEM (one of DER or PEM)"},
+ "CSR input format (DER or PEM) - default PEM"},
 {"in", OPT_IN, '<', "Input file - default stdin"},
 {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
 {"outform", OPT_OUTFORM, 'f',
- "Output format - default PEM (one of DER or PEM)"},
+ "Output format (DER or PEM) - default PEM"},
 {"out", OPT_OUT, '>', "Output file - default stdout"},
- {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
+ {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
 {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
 {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
@@ -152,8 +152,8 @@ const OPTIONS x509_options[] = {
 {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
 OPT_R_OPTIONS,
 OPT_PROV_OPTIONS,
- {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
- {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"},
+ {"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
+ {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format (ENGINE, other values ignored)"},
 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
 {"CAcreateserial", OPT_CACREATESERIAL, '-',
 "Create serial number file if it does not exist"},
@@ -228,7 +228,7 @@ int x509_main(int argc, char **argv)
 ret = 0;
 goto end;
 case OPT_INFORM:
- if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
+ if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
 goto opthelp;
 break;
 case OPT_IN:
@@ -239,15 +239,15 @@ int x509_main(int argc, char **argv)
 goto opthelp;
 break;
 case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
 goto opthelp;
 break;
 case OPT_CAFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAformat))
 goto opthelp;
 break;
 case OPT_CAKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
 goto opthelp;
 break;
 case OPT_OUT:
@@ -631,7 +631,7 @@ int x509_main(int argc, char **argv)
 if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
 goto end;
 } else {
- x = load_cert(infile, informat, "Certificate");
+ x = load_cert(infile, FORMAT_UNDEF, "Certificate");
 if (x == NULL)
 goto end;
 if (fkey != NULL && !X509_set_pubkey(x, fkey))
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 15c0862019..e1fc591894 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
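Review bot: `case OPT_INFORM` in x509_main now validates with OPT_FMT_PEMDER instead of OPT_FMT_ANY, so any value previously accepted for `-inform` other than PEM/DER now lands on opthelp; at the same time the last hunk passes FORMAT_UNDEF to load_cert, so `informat` no longer influences how a certificate is read at all. Nothing at the case records that `informat` is now only meaningful for the CSR path (which is outside this hunk, so I am inferring it from the new help text); a one-line comment such as `/* -inform only selects the CSR encoding for -req; certificates are format-detected */` would save the next reader from chasing the variable. The tightening is a user-visible behaviour change that deserves a CHANGES entry if there is not one elsewhere in the commit.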
@@ -231,6 +231,8 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
 {
 int loader_ret;
+ if (ctx == NULL)
+ return 1;
 OSSL_TRACE1(STORE, "Closing %p\n", (void *)ctx->loader_ctx);
 loader_ret = ctx->loader->close(ctx->loader_ctx);
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 0202661845..35b36afbb4 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -32,11 +32,11 @@ B B [B<-md> I] [B<-policy> I] [B<-keyfile> I] -[B<-keyform> B|B] +[B<-keyform> B|B|B|B] [B<-key> I] [B<-passin> I] [B<-cert> I] -[B<-certform> B|] +[B<-certform> B|B|B] [B<-selfsign>] [B<-in> I] [B<-inform> B|] @@ -142,18 +142,19 @@ F<.pem> appended. The CA certificate file. -=item B<-certform> B|B +=item B<-certform> B|B|B The format of the data in certificate input files. -The default is PEM. +This option has no effect and is retained for backward compatibility only. =item B<-keyfile> I The private key to sign requests with. -=item B<-keyform> B|B +=item B<-keyform> B|B|B|B -The format of the private key file; the default is B. +The format of the private key input file; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-sigopt> I:I @@ -788,6 +789,11 @@ retained mainly for compatibility reasons. The B<-section> option was added in OpenSSL 3.0.0. +The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect. + +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 SEE ALSO L, diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 4fbb7c0e16..375d358703 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -36,7 +36,7 @@ B B [B<-inform> B|B|B] [B<-outform> B|B|B] [B<-rctform> B|B|B] -[B<-keyform> B|B|B] +[B<-keyform> B|B|B|B] [B<-stream>] [B<-indef>] [B<-noindef>] 
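Review bot: `OSSL_STORE_close` now treats a NULL ctx as success and returns 1, but neither the code nor any manual page in this chunk says so; since this is public API, the OSSL_STORE_close(3) page should state that a NULL argument is accepted as a no-op and what it returns (that doc change may be elsewhere in the commit, it is just not visible here). A short comment at the new check, `/* NULL is a no-op, like free(); return success so callers need no guard */`, would make the chosen return value deliberate rather than accidental for the next reader. The rest of OSSL_STORE_close continues outside the hunk.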
@@ -82,7 +82,7 @@ B B {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} -[I ...] +[I ...] =for openssl ifdef des-wrap engine @@ -235,9 +235,10 @@ The output format of the CMS structure (if one is being written); the default is B. See L for details. -=item B<-keyform> B|B|B +=item B<-keyform> B|B|B|B The format of the private key file; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-rctform> B|B|B @@ -370,7 +371,7 @@ the MIME type multipart/signed is used. Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for -the signers certificates. The certificates should be in PEM format. +the signers certificates. =item B<-certsout> I @@ -493,7 +494,7 @@ Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_provider_item -} -=item I ... +=item I ... One or more certificates of message recipients: used when encrypting a message. @@ -766,6 +767,9 @@ was added in OpenSSL 1.0.2. The -no_alt_chains option was added in OpenSSL 1.0.2b. +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in index 409f0b6020..19e72f1b60 100644 --- a/doc/man1/openssl-crl.pod.in +++ b/doc/man1/openssl-crl.pod.in @@ -12,7 +12,7 @@ B B [B<-inform> B|B] [B<-outform> B|B] [B<-key> I] -[B<-keyform> B|B|B] +[B<-keyform> B|B|B] [B<-text>] [B<-in> I] [B<-out> I] 
@@ -45,19 +45,24 @@ This command processes CRL files in DER or PEM format. Print out a usage message. -=item B<-inform> B|B, B<-outform> B|B +=item B<-inform> B|B -The input and output formats of the CRL; the default is B. +The CRL input format. +This option has no effect and is retained for backward compatibility only. + +=item B<-outform> B|B + +The CRL output format; the default is B. See L for details. =item B<-key> I The private key to be used to sign the CRL. -=item B<-keyform> B|B|B +=item B<-keyform> B|B|B -The format of the private key file; the default is B. -See L for details. +The format of the private key file. +This option has no effect and is retained for backward compatibility only. =item B<-in> I @@ -136,7 +141,7 @@ Convert a CRL file from PEM to DER: Output the text form of a DER encoded certificate: - openssl crl -in crl.der -inform DER -text -noout + openssl crl -in crl.der -text -noout =head1 BUGS @@ -151,6 +156,11 @@ L, L, L +=head1 HISTORY + +The B<-inform> and B<-keyform> options have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index 84bd133f84..22c07a5a7f 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -103,6 +103,7 @@ command instead for this. =item B<-keyform> B|B|B|B The format of the key to sign with; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-sigopt> I:I @@ -247,6 +248,9 @@ L The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0. The FIPS-related options were removed in OpenSSL 1.1.0. +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index cad26289b4..c1e92ef51e 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in @@ -13,7 +13,7 @@ openssl-ec - EC key processing B B [B<-help>] -[B<-inform> B|B] +[B<-inform> B|B|B|B] [B<-outform> B|B] [B<-in> I] [B<-passin> I] @@ -52,9 +52,15 @@ PKCS#8 private key format use the L command. Print out a usage message. -=item B<-inform> B|B, B<-outform> B|B +=item B<-inform> B|B|B|B -The input and formats; the default is B. +The key input format; the default is B. +The only value with effect is B; all others have become obsolete. +See L for details. + +=item B<-outform> B|B + +The key output formats; the default is B. See L for details. Private keys are an SEC1 private key or PKCS#8 format. diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index e227f50e75..a738ddbdd7 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -103,8 +103,8 @@ specify output filename, default is standard output. =item B<-issuer> I This specifies the current issuer certificate. This option can be used -multiple times. The certificate specified in I must be in -PEM format. This option B come before any B<-cert> options. +multiple times. +This option B come before any B<-cert> options. =item B<-cert> I diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index a678bd7516..de1bef954c 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in @@ -13,7 +13,7 @@ openssl-pkey - public or private key processing command B B [B<-help>] -[B<-inform> B|B] +[B<-inform> B|B|B|B] [B<-outform> B|B] [B<-in> I] [B<-passin> I] 
@@ -48,9 +48,15 @@ converted between various forms and their components printed out. Print out a usage message. -=item B<-inform> B|B, B<-outform> B|B +=item B<-inform> B|B|B|B -The input and formats; the default is B. +The key input format; the default is B. +The only value with effect is B; all others have become obsolete. +See L for details. + +=item B<-outform> B|B + +The key output formats; the default is B. See L for details. =item B<-in> I diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index 0a65f6acc5..d823f0b851 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -15,10 +15,10 @@ B B [B<-out> I] [B<-sigfile> I] [B<-inkey> I] -[B<-keyform> B|B|B] +[B<-keyform> B|B|B|B] [B<-passin> I] [B<-peerkey> I] -[B<-peerform> B|B|B] +[B<-peerform> B|B|B|B] [B<-pubin>] [B<-certin>] [B<-rev>] @@ -89,9 +89,10 @@ Signature file, required for B<-verify> operations only The input key file, by default it should be a private key. -=item B<-keyform> B|B|B +=item B<-keyform> B|B|B|B The key format; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-passin> I @@ -103,9 +104,10 @@ see L. The peer key file, used by key derivation (agreement) operations. -=item B<-peerform> B|B|B +=item B<-peerform> B|B|B|B The peer key format; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-pubin> @@ -402,6 +404,10 @@ L L, L, +=head1 HISTORY + +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. =head1 COPYRIGHT diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 397bf552ad..ab6b3d78a2 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -25,7 +25,7 @@ B B [B<-pkeyopt> I:I] [B<-nodes>] [B<-key> I] -[B<-keyform> B|B] +[B<-keyform> B|B|B|B] [B<-keyout> I] [B<-keygen_engine> I] [B<-I>] 
@@ -186,9 +186,10 @@ See L for more details. This specifies the file to read the private key from. It also accepts PKCS#8 format private keys for PEM format files. -=item B<-keyform> B|B +=item B<-keyform> B|B|B|B The format of the private key; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-keyout> I @@ -691,6 +692,9 @@ L The B<-section> option was added in OpenSSL 3.0.0. +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in index 5dacdf9313..b2477b2b2c 100644 --- a/doc/man1/openssl-rsa.pod.in +++ b/doc/man1/openssl-rsa.pod.in @@ -13,7 +13,7 @@ openssl-rsa - RSA key processing command B B [B<-help>] -[B<-inform> B|B] +[B<-inform> B|B|B|B] [B<-outform> B|B] [B<-in> I] [B<-passin> I] @@ -61,9 +61,15 @@ L command. Print out a usage message. -=item B<-inform> B|B, B<-outform> B|B +=item B<-inform> B|B|B|B -The input and formats; the default is B. +The key input format; the default is B. +The only value with effect is B; all others have become obsolete. +See L for details. + +=item B<-outform> B|B + +The key output format; the default is B. See L for details. =item B<-inform> B|B diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in index 2461db537d..5383fe2116 100644 --- a/doc/man1/openssl-rsautl.pod.in +++ b/doc/man1/openssl-rsautl.pod.in @@ -14,7 +14,7 @@ B B [B<-rev>] [B<-out> I] [B<-inkey> I] -[B<-keyform> B|B|B] +[B<-keyform> B|B|B|B] [B<-pubin>] [B<-certin>] [B<-sign>] @@ -76,9 +76,10 @@ default. The input key file, by default it should be an RSA private key. -=item B<-keyform> B|B|B +=item B<-keyform> B|B|B|B The key format; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-pubin> 
@@ -237,6 +238,9 @@ L This command was deprecated in OpenSSL 3.0. +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 5f04358a84..4d6b54a5e3 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -29,14 +29,14 @@ B B [B<-verifyCApath> I] [B<-verifyCAstore> I] [B<-cert> I] -[B<-certform> B|B] +[B<-certform> B|B|B] [B<-cert_chain> I] [B<-build_chain>] [B<-CRL> I] [B<-CRLform> B|B] [B<-crl_download>] [B<-key> I] -[B<-keyform> B|B|B] +[B<-keyform> B|B|B|B] [B<-pass> I] [B<-chainCAfile> I] [B<-chainCApath> I] @@ -240,10 +240,10 @@ The default is not to use a certificate. The chain for the client certificate may be specified using B<-cert_chain>. -=item B<-certform> B|B +=item B<-certform> B|B|B The client certificate file format to use; the default is B. -see L. +This option has no effect and is retained for backward compatibility only. =item B<-cert_chain> @@ -273,9 +273,10 @@ Download CRL from distribution points in the certificate. The client private key file to use. If not specified then the certificate file will be used to read also the key. -=item B<-keyform> B|B|B +=item B<-keyform> B|B|B|B The key format; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-pass> I @@ -894,6 +895,11 @@ L The B<-no_alt_chains> option was added in OpenSSL 1.1.0. The B<-name> option was added in OpenSSL 1.1.1. +The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect. + +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index c9f4bfc11b..8e5da51c40 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -20,19 +20,19 @@ B B [B<-Verify> I] [B<-cert> I] [B<-cert2> I] -[B<-certform> B|B] +[B<-certform> B|B|B] [B<-cert_chain> I] [B<-build_chain>] [B<-serverinfo> I] [B<-key> I] [B<-key2> I] -[B<-keyform> B|B|B] +[B<-keyform> B|B|B|B] [B<-pass> I] [B<-dcert> I] -[B<-dcertform> B|B] +[B<-dcertform> B|B|B] [B<-dcert_chain> I] [B<-dkey> I] -[B<-dkeyform> B|B|B] +[B<-dkeyform> B|B|B|B] [B<-dpass> I] [B<-nbio_test>] [B<-crlf>] @@ -220,10 +220,10 @@ certificate and some require a certificate with a certain public key type: for example the DSS cipher suites require a certificate containing a DSS (DSA) key. If not specified then the filename F will be used. -=item B<-certform> B|B +=item B<-certform> B|B|B -The server certificate file format; the default is B. -See L for details. +The server certificate file format. +This option has no effect and is retained for backward compatibility only. =item B<-cert_chain> @@ -248,9 +248,10 @@ ServerHello extension will be returned. The private key to use. If not specified then the certificate file will be used. -=item B<-keyform> B|B|B +=item B<-keyform> B|B|B|B The key format; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-pass> I 
@@ -276,14 +277,15 @@ A file containing untrusted certificates to use when attempting to build the server certificate chain when a certificate specified via the B<-dcert> option is in use. -=item B<-dcertform> B|B +=item B<-dcertform> B|B|B -The format of the additional certificate file; the default is B. -See L. +The format of the additional certificate file. +This option has no effect and is retained for backward compatibility only. -=item B<-dkeyform> B|B|B +=item B<-dkeyform> B|B|B|B The format of the additional private key; the default is B. +The only value with effect is B; all others have become obsolete. See L. =item B<-dpass> I @@ -822,6 +824,12 @@ The -no_alt_chains option was added in OpenSSL 1.1.0. The -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1. +All B<-keyform> and B<-dkeyform> values except B +have become obsolete in OpenSSL 3.0.0 and have no effect. + +The B<-certform> and B<-dcertform> options have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index 13a0e4a47e..4dce01a46e 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -32,7 +32,7 @@ B B [B<-recip> I< file>] [B<-inform> B|B|B] [B<-outform> B|B|B] -[B<-keyform> B|B|B] +[B<-keyform> B|B|B|B] [B<-passin> I] [B<-inkey> I] [B<-out> I] @@ -50,7 +50,7 @@ B B {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_v_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} -I ... +I ... =for openssl ifdef engine @@ -125,9 +125,10 @@ The output format of the PKCS#7 (S/MIME) structure (if one is being written); the default is B. See L for details. -=item B<-keyform> B|B +=item B<-keyform> B|B|B|B The key format; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-stream>, B<-indef>, B<-noindef> 
@@ -235,7 +236,7 @@ option is present B is used instead. Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for -the signers certificates. The certificates should be in PEM format. +the signers certificates. =item B<-signer> I @@ -291,7 +292,7 @@ Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_provider_item -} -=item I ... +=item I ... One or more certificates of message recipients, used when encrypting a message. @@ -479,6 +480,9 @@ added in OpenSSL 1.0.0 The -no_alt_chains option was added in OpenSSL 1.1.0. +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in index 72e4788fd1..ca7d097d85 100644 --- a/doc/man1/openssl-spkac.pod.in +++ b/doc/man1/openssl-spkac.pod.in @@ -16,7 +16,7 @@ B B [B<-in> I] [B<-out> I] [B<-key> I] -[B<-keyform> B|B|B] +[B<-keyform> B|B|B|B] [B<-passin> I] [B<-challenge> I] [B<-pubkey>] @@ -59,9 +59,10 @@ Create an SPKAC file using the private key in I. The B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if present. -=item B<-keyform> B|B|B +=item B<-keyform> B|B|B|B The key format; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-passin> I @@ -148,6 +149,11 @@ to be used in a "replay attack". L, L +=head1 HISTORY + +All B<-keyform> values except B have become obsolete in OpenSSL 3.0.0 +and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index e4e394faa6..7271efe833 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in 
@@ -99,7 +99,6 @@ with a B<->. One or more certificates to verify. If no certificates are given, this command will attempt to read a certificate from standard input. -Certificates must be in PEM format. If a certificate chain has multiple problems, this program tries to display all of them. diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index b8fd2a4041..918c91b34b 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -11,9 +11,9 @@ B B [B<-help>] [B<-inform> B|B] [B<-outform> B|B] -[B<-keyform> B|B|B] -[B<-CAform> B|B] -[B<-CAkeyform> B|B|B] +[B<-keyform> B|B|B|B] +[B<-CAform> B|B|B] +[B<-CAkeyform> B|B|B|B] [B<-in> I] [B<-out> I] [B<-serial>] @@ -100,13 +100,18 @@ various sections. Print out a usage message. -=item B<-inform> B|B, B<-outform> B|B +=item B<-inform> B|B -The input and formats; the default is B. +The CSR input format; the default is B. See L for details. -The input is normally an X.509 certificate, but this can change if other -options such as B<-req> are used. +The input is normally an X.509 certificate file of any format, +but this can change if other options such as B<-req> are used. + +B<-outform> B|B + +The output format; the default is B. +See L for details. =item B<-in> I @@ -355,8 +360,7 @@ can thus behave like a "mini CA". =item B<-signkey> I This option causes the input file to be self signed using the supplied -private key or engine. The private key's format is specified with the -B<-keyform> option. +private key or engine. It sets the issuer name to the subject name (i.e., makes it self-issued) and changes the public key to the supplied value (unless overridden by 
@@ -392,14 +396,21 @@ certificate is being created from another certificate (for example with the B<-signkey> or the B<-CA> options). Normally all extensions are retained. -=item B<-keyform> B|B|B +=item B<-keyform> B|B|B|B The key format; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. -=item B<-CAform> B|B, B<-CAkeyform> B|B|B +=item B<-CAform> B|B|B, + +The format for the CA certificate. +This option has no effect and is retained for backward compatibility. -The format for the CA certificate and key; the default is B. +=item B<-CAkeyform> B|B|B|B + +The format for the CA key; the default is B. +The only value with effect is B; all others have become obsolete. See L for details. =item B<-days> I @@ -502,8 +513,6 @@ self-signed, for instance when the key cannot be used for signing, such as DH. It can also be used in conjunction with b<-new> and B<-subj> to directly generate a certificate containing any desired public key. -The format of the key file can be specified using the B<-keyform> option. - =item B<-subj> I When a certificate is created set its subject name to the given value. @@ -821,6 +830,11 @@ of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using L or similar. +All B<-keyform> and B<-CAkeyform> values except B +have become obsolete in OpenSSL 3.0.0 and have no effect. + +The B<-CAform> option has become obsolete in OpenSSL 3.0.0 and has no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 1cdcd8b8bb..7170a98448 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod 
@@ -525,7 +525,12 @@ parameters start with a minus sign: =head2 Format Options Several OpenSSL commands can take input or generate output in a variety -of formats. The list of acceptable formats, and the default, is +of formats. +Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from +files in any of the B, B, or B formats, +while specifying their input format is no more needed. + +The list of acceptable formats, and the default, is described in each command documentation. The list of formats is described below. Both uppercase and lowercase are accepted. @@ -618,6 +623,8 @@ The format of the input or output streams. =item B<-keyform> I Format of a private key input source. +The only value with effect is B; all others have become obsolete. +See L for details. =item B<-CRLform> I @@ -789,12 +796,6 @@ OpenSSL command to generate an alternative chain. =over 4 -=item B<-xchain_build> - -Specify whether the application should build the certificate chain to be -provided to the server for the extra certificates via the B<-xkey>, -B<-xcert>, and B<-xchain> options. - =item B<-xkey> I, B<-xcert> I, B<-xchain> Specify an extra certificate, private key and certificate chain. These behave 
@@ -802,21 +803,21 @@ in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When specified, the callback returning the first valid chain will be in use by the client. -=item B<-xcertform> B|B, B<-xkeyform> B|B - -The input format for the extra certificate and key, respectively. -See L for details. - =item B<-xchain_build> Specify whether the application should build the certificate chain to be provided to the server for the extra certificates via the B<-xkey>, B<-xcert>, and B<-xchain> options. -=item B<-xcertform> B|B, B<-xkeyform> B|B +=item B<-xcertform> B|B|B -The input format for the extra certificate and key, respectively. -See L for details. +The input format for the extra certificate. +This option has no effect and is retained for backward compatibility only. + +=item B<-xkeyform> B|B|B + +The input format for the extra key. +This option has no effect and is retained for backward compatibility only. =back @@ -1403,6 +1404,9 @@ manual pages. The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and is silently ignored. +The B<-xcertform> and B<-xkeyform> options +are obsolete since OpenSSL 3.0.0 and have no effect. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
