summaryrefslogtreecommitdiffstats
path: root/apps/ca.c
Commit message (Collapse)AuthorAgeFilesLines
* Allow the ca application to use EdDSAMatt Caswell2018-05-181-9/+13
| | | | | | | | | | | Using the ca application to sign certificates with EdDSA failed because it is not possible to set the digest to "null". This adds the capability and updates the documentation accordingly. Fixes #6201 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6286)
* Fix memory leaks in CA related functions.Pavel Kopyl2018-05-021-1/+4
| | | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4700)
* Fix openssl ca, to correctly make output file binary when using -spkacRichard Levitte2018-04-231-6/+6
| | | | | | | On Unix, this doesn't matter, but on other platforms, it may. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6050)
* Add missing index_index() when reloading OCSP responderViktor Dukhovni2018-04-181-2/+2
| | | | | | | Also, future-proof index_index() return codes by requiring success to return a positive value. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fix a memory leak in the ca applicationMatt Caswell2018-03-151-2/+2
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5444)
* Allow multiple entries without a Subject even if unique_subject == yesMatt Caswell2018-03-151-0/+19
| | | | | | | | | | It is quite likely for there to be multiple certificates with empty subjects, which are still distinct because of subjectAltName. Therefore we allow multiple certificates with an empty Subject even if unique_subject is set to yes. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5444)
* Report a readable error on a duplicate cert in ca appMatt Caswell2018-03-151-105/+103
| | | | | | | | | | | | | | | | | | | | | | | | Commit 87e8feca (16 years ago!) introduced a bug where if we are attempting to insert a cert with a duplicate subject name, and duplicate subject names are not allowed (which is the default), then we get an unhelpful error message back (error number 2). Prior to that commit we got a helpful error message which displayed details of the conflicting entry in the database. That commit was itself attempting to fix a bug with the noemailDN option where we were setting the subject field in the database too early (before extensions had made any amendments to it). This PR moves the check for a conflicting Subject name until after all changes to the Subject have been made by extensions etc. This also, co-incidentally fixes the ca crashing bug described in issue 5109. Fixes #5109 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5444)
* Revert "Don't allow an empty Subject when creating a Certificate"Matt Caswell2018-03-151-10/+0
| | | | | | | | | This reverts commit e505f1e86874acfd98826d64c53bf2ddfd9c1399. Empty Subjects should be permissible. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5444)
* Revert "Don't crash on a missing Subject in index.txt"Matt Caswell2018-03-151-4/+0
| | | | | | | | | This reverts commit 1e05c6d07ff963107286d028f6778d2ccc863a9a. Empty subjects should be permissible. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5444)
* do_body: fix heap-use-after-free.Pavel Kopyl2018-02-211-1/+0
| | | | | | | | | | The memory pointed to by the 'push' is freed by the X509_NAME_ENTRY_free() in do_body(). The second time it is referenced to (indirectly) in certify_cert:X509_REQ_free(). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4698)
* Check the return code from ASN1_TIME_diff()Matt Caswell2018-02-151-1/+3
| | | | | | | | | The function can fail so we should check the return code. Found by Coverity Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5339)
* The function X509_gmtime_adj() can failMatt Caswell2018-02-151-7/+10
| | | | | | | | | Check for a failure and free a_tm as appropriate. Found by Coverity Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5339)
* Update copyright yearMatt Caswell2018-02-131-1/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* apps: Don't include progs.h in apps.hRichard Levitte2018-01-311-0/+1
| | | | | | | | | | | | | Everything in apps includes apps.h, because that one declares apps internal library routines. However, progs.h doesn't declare library routines, but rather the main commands and their options, and there's no reason why the library modules should include it. So, remove the inclusion of progs.h from apps.h and add that inclusion in all command source files. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5222)
* Don't crash on a missing Subject in index.txtMatt Caswell2018-01-221-0/+4
| | | | | | | | | | An index.txt entry which has an empty Subject name field will cause ca to crash. Therefore check it when we load it to make sure its not empty. Fixes #5109 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5114)
* Don't allow an empty Subject when creating a CertificateMatt Caswell2018-01-221-0/+10
| | | | | | | | | Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5114)
* Useless conf != NULL testFdaSilvaYY2017-12-091-21/+14
| | | | | | | | | check is already made 10 line above. clean commented code Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4885)
* Remove parentheses of return.KaoruToda2017-10-181-8/+8
| | | | | | | | | Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4541)
* Some cleanups to apps/ca.cFdaSilvaYY2017-10-161-56/+34
| | | | | | | | | | | | | Few code format fixup Fix limit computation; was too strict by 2 bytes. Simplify computation of buffer limits Checking is strictly same as sizeof(".pem") == 5 Simplify loop of code for certificate filename creation Fix MAX_PATH usage Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1936)
* Remove email addresses from source code.Rich Salz2017-10-131-3/+0
| | | | | | | | | | Names were not removed. Some comments were updated. Replace Andy's address with openssl.org Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4516)
* Make sure that a cert with extensions gets version number 2 (v3)Richard Levitte2017-09-261-1/+9
| | | | | | | Fixes #4419 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4420)
* Remove the X_OK define, it is unused.Pauli2017-08-301-1/+0
| | | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4188)
* Add random serial# support.Rich Salz2017-08-221-21/+41
| | | | | | | | | | Add -rand_serial to CA command and "serial_rand" config option. Up RAND_BITS to 159, and comment why: now confirms to CABForum guidelines (Ballot 164) as well as IETF RFC 5280 (PKIX). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4185)
* Standardize apps use of -rand, etc.Rich Salz2017-07-161-6/+8
| | | | | | | | | | | | | | | | | | | | Standardized the -rand flag and added a new one: -rand file... Always reads the specified files -writerand file Always writes to the file on exit For apps that use a config file, the RANDFILE config parameter reads the file at startup (to seed the RNG) and write to it on exit if the -writerand flag isn't used. Ensured that every app that took -rand also took -writerand, and made sure all of that agreed with all the documentation. Fix error reporting in write_file and -rand Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3862)
* Clean up a bundle of codingstyle stuff in apps directoryPaul Yang2017-06-121-38/+42
| | | | | | | | | Mostly braces and NULL pointer check and also copyright year bump Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3657)
* Introduce ASN1_TIME_set_string_X509 APIRich Salz2017-06-111-2/+2
| | | | | | | | | | | | | | | | | | | | Make funcs to deal with non-null-term'd string in both asn1_generalizedtime_to_tm() and asn1_utctime_to_tm(). Fixes issue #3444. This one is used to enforce strict format (RFC 5280) check and to convert GeneralizedTime to UTCTime. apps/ca has been changed to use the new API. Test cases and documentation are updated/added Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3566)
* Fix a bundle of trailing spaces in several filesPaul Yang2017-06-091-1/+1
| | | | | | | | Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3622)
* Switch command-line utils to new nameopt API.Dmitry Belyavskiy2017-04-251-10/+7
| | | | | | | | | | | | | | | | | The CA names should be printed according to user's decision print_name instead of set of BIO_printf dump_cert_text instead of set of BIO_printf Testing cyrillic output of X509_CRL_print_ex Write and use X509_CRL_print_ex Reduce usage of X509_NAME_online Using X509_REQ_print_ex instead of X509_REQ_print Fix nameopt processing. Make dump_cert_text nameopt-friendly Move nameopt getter/setter to apps/apps.c Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3262)
* Remove some commented out code in the appsMatt Caswell2017-02-281-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2774)
* Code health: Remove obvious VAX C fixupsRichard Levitte2017-02-281-5/+1
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2775)
* Fix some more memory leaks with TXT_DB_insert.Bernd Edlinger2017-02-211-5/+11
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2684)
* Fix a few memleaks in TXT_DB.Bernd Edlinger2017-02-211-5/+7
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2684)
* Add Sieve support (RFC 5804) to s_client ("-starttls sieve")Robert Scheck2017-02-141-2/+1
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2300)
* Fix some style and indent issueFdaSilvaYY2017-01-251-21/+16
| | | | | | | simplify some code. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1618)
* Fix use before assignmentFdaSilvaYY2017-01-231-5/+4
| | | | | | | it was getting the SerialNumber of a previous cert. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2272)
* Introduce PATH_MAX and NAME_MAXFdaSilvaYY2016-11-151-4/+12
| | | | | | | to define the certificate filename storage buffer. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1569)
* Simplify and fix usage of three string array variable...FdaSilvaYY2016-11-151-15/+15
| | | | | | | | | using two separated local variables. buf[1] was unused. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1569)
* Fix a double free in ca command lineMatt Caswell2016-10-281-1/+0
| | | | | | | | Providing a spkac file with no default section causes a double free. Thanks to Brian Carpenter for reporting this issue. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
* If an engine comes up explicitely, it must also come down explicitelyRichard Levitte2016-10-191-0/+1
| | | | | | | | | | | | | In apps/apps.c, one can set up an engine with setup_engine(). However, we freed the structural reference immediately, which means that for engines that don't already have a structural reference somewhere else (because it's a built in engine), we end up returning an invalid reference. Instead, the function release_engine() is added, and called at the end of the routines that call setup_engine(). Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1643)
* Constify command optionsFdaSilvaYY2016-10-141-1/+1
| | | | | | Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1694)
* Fix some magic values about revocation info type...FdaSilvaYY2016-09-131-52/+47
| | | | | | | | | Add comments, document -valid option. Add some const qualifiers. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1560)
* Closing output file from inside the loop who open itFdaSilvaYY2016-08-221-2/+3
| | | | | | | Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #1471
* Constify certificate and CRL time routines.Dr. Stephen Henson2016-08-191-8/+8
| | | | | | Update certificate and CRL time routines to match new standard. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Set certificate times in one function.Dr. Stephen Henson2016-08-191-8/+3
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Small nits and cleanupsFdaSilvaYY2016-08-171-2/+2
| | | | | | | | | using util/openssl-format-source on s_derver, s_client, ca.c, speed.c only... Fix/merge some #ifndef Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Constify char* input parameters in apps codeFdaSilvaYY2016-08-171-40/+45
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* two typo fixesFdaSilvaYY2016-08-161-1/+1
| | | | | Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1461)
* Add ASN1_STRING_get0_data(), deprecate ASN1_STRING_data().Dr. Stephen Henson2016-08-161-1/+1
| | | | | | | | Deprecate the function ASN1_STRING_data() and replace with a new function ASN1_STRING_get0_data() which returns a constant pointer. Update library to use new function. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fix doc and help about ca -valid optionFdaSilvaYY2016-08-111-1/+2
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Constify two internal methodsFdaSilvaYY2016-08-041-2/+2
| | | | | | | | - append_ia5 - old_entry_print Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-09 23:32:49 +0000