Fixes#13732
Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.
Added X509_CRL_new_ex().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)
Since SSL_MODE_AUTO_RETRY is enabled by default, no need to set
it explicitly.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14742)
With new provided algorithms added, we'd rather rely on the names and
descriptions that we get from the providers.
Specifically with the 'openssl list' command, we now display the
description of all algorithms. For '-public-key-algorithms', we
additionally print key type information a bit more like we do for
legacy methods.
We also add descriptions to all our keymgmt functions, because the
built in EVP_PKEY_ASN1_METHODs had them.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14656)
If -out is not specified, send output to stdout.
Fix documentation errors.
Remove "-out -" from an invocation.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14623)
This partially reverts the output format change for
openssl crl -hash output.
Fixes#14546
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14553)
The load_key_certs_crls tried to read the whole input stream
instead of returning once expected data is obtained.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14449)
This requires moving generally useful functions from apps/cmp.c to apps/lib/apps.c
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14504)
All pkeyopt's must have a ":" and a value for the option. Not supplying
one can cause a crash
Fixes#14494
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14496)
Use the modern defaults as now set in the pkcs12 app. This also
allows modifying the application to not override the default values
when calling the API.
Fixes#14034
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14450)
Report error message with hint to use -nomacver if
MAC verification is not required.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14445)
The MAC requires PKCS12KDF support which is not present
in FIPS provider as it is not an approved KDF algorithm.
Suggest using -nomac if MAC is not required.
Fixes#14057
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14445)
Also because this better reflects that usually also the public portion is used.
Retaining the old -signkey as an alias for backward compatibility.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14007)
The actual output of the 'fipsinstall' is the config file it outputs.
It should be possible to output that to standard output, and diverse
notification messages shouldn't be mixed in. Therefore, we output
them to standard error instead.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
Also improve diagnostics on inconsistent cert request input in apps/cmp.c,
add trace output for transactionIDs on new sessions,
and update the documentation in openssl-cmp.pod.in.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14018)
Now handle [http[s]://][userinfo@]host[:port][/path][?query][#frag]
by optionally providing any userinfo, query, and frag components.
All usages of this function, which are client-only,
silently ignore userinfo and frag components,
while the query component is taken as part of the path.
Update and extend the unit tests and all affected documentation.
Document and deprecat OCSP_parse_url().
Fixes an issue that came up when discussing FR #14001.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14009)
We don't want to hold a read lock when calling a user supplied callback.
That callback could do anything so the risk of a deadlock is high.
Instead we collect all the names first inside the read lock, and then
subsequently call the user callback outside the read lock.
Fixes#14225
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14250)
Also correction of some code format issues.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
