Commit Graph

71 Commits

Author SHA1 Message Date
Dr. Stephen Henson
3647bee263 Config code updates.
CONF_modules_unload() now calls CONF_modules_finish()
automatically.

Default use of section openssl_conf moved to
CONF_modules_load()

Load config file in several openssl utilities.

Most utilities now load modules from the config file,
though in a few (such as version) this isn't done
because it couldn't be used for anything.

In the case of ca and req the config file used is
the same as the utility itself: that is the -config
command line option can be used to specify an
alternative file.
2002-02-22 14:01:21 +00:00
Bodo Möller
4d94ae00d5 ECDSA support
Submitted by: Nils Larsch <nla@trustcenter.de>
2002-02-13 18:21:51 +00:00
Geoff Thorpe
1372965e2e Reduce the header dependencies on engine.h in apps/. 2001-09-12 02:39:06 +00:00
Geoff Thorpe
79aa04ef27 Make the necessary changes to work with the recent "ex_data" overhaul.
See the commit log message for that for more information.

NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.
2001-09-01 20:02:13 +00:00
Dr. Stephen Henson
b7a26e6daf Modify apps to use NCONF code instead of old CONF code.
Add new extension functions which work with NCONF.

Tidy up extension config routines and remove redundant code.

Fix NCONF_get_number().

Todo: more testing of apps to see they still work...
2001-06-28 11:41:50 +00:00
Richard Levitte
c04f8cf44a Use apps_shutdown() in all applications, in case someone decides not
to go the monolith way (does anyone do that these days?).

NOTE: a few applications are missing in this commit.  I've a few more
changes in them that I haven't tested yet.
2001-06-23 16:37:32 +00:00
Richard Levitte
531d630b5c Provide an application-common setup function for engines and use it
everywhere.
2001-06-18 06:22:33 +00:00
Richard Levitte
30b4c2724e Extend all the loading functions to take an engine pointer, a pass
string (some engines may have certificates protected by a PIN!) and
a description to put into error messages.

Also, have our own password callback that we can send both a password
and some prompt info to.  The default password callback in EVP assumes
that the passed parameter is a password, which isn't always the right
thing, and the ENGINE code (at least the nCipher one) makes other
assumptions...

Also, in spite of having the functions to load keys, some utilities
did the loading all by themselves...  That's changed too.
2001-05-30 15:29:28 +00:00
Bodo Möller
a75d8bebd2 Bugfix: previously the serial number file could turn negative
because an incompletely initialized ASN1_INTEGER was used.
2001-03-08 19:13:24 +00:00
Richard Levitte
bc36ee6227 Use new-style system-id macros everywhere possible. I hope I haven't
missed any.

This compiles and runs on Linux, and external applications have no
problems with it.  The definite test will be to build this on VMS.
2001-02-20 08:13:47 +00:00
Ulf Möller
28143c66e1 Fix warning. 2001-02-20 00:43:03 +00:00
Richard Levitte
cf1b7d9664 Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
2001-02-19 16:06:34 +00:00
Dr. Stephen Henson
acba75c59d New -set_serial options to 'req' and 'x509'.
Remove the old broken bio read of serial numbers in the 'ca' index
file. This would choke if a revoked certificate was specified with
a negative serial number.

Fix typo in uid.c
2001-02-19 13:38:32 +00:00
Ulf Möller
4327aae816 format strings 2001-02-06 02:57:35 +00:00
Bodo Möller
2c0d10123e If CONF_get_string returns NULL and we want to tolerate this
(e.g., use a default), we have to call ERR_clear_error().
2000-12-15 16:59:49 +00:00
Richard Levitte
32d862ede4 Add the possibility to use keys handled by engines in more
applications.
2000-10-28 22:40:40 +00:00
Richard Levitte
eb64730b9c The majority of the OCSP code from CertCo. 2000-10-27 11:05:35 +00:00
Richard Levitte
5270e7025e Merge the engine branch into the main trunk. All conflicts resolved.
At the same time, add VMS support for Rijndael.
2000-10-26 21:07:28 +00:00
Dr. Stephen Henson
8ca533e378 More code for X509_print_ex() support. 2000-10-06 11:51:47 +00:00
Richard Levitte
645749ef98 On VMS, stdout may very well lead to a file that is written to in a
record-oriented fashion.  That means that every write() will write a
separate record, which will be read separately by the programs trying
to read from it.  This can be very confusing.

The solution is to put a BIO filter in the way that will buffer text
until a linefeed is reached, and then write everything a line at a
time, so every record written will be an actual line, not chunks of
lines and not (usually doesn't happen, but I've seen it once) several
lines in one record.  Voila, BIO_f_linebuffer() is born.

Since we're so close to release time, I'm making this VMS-only for
now, just to make sure no code is needlessly broken by this.  After
the release, this BIO method will be enabled on all other platforms as
well.
2000-09-20 13:55:50 +00:00
Bodo Möller
61f175f4ba Get rid of ASN1_UTCTIME_get, which cannot work with time_t
return type (on platforms where time_t is a 32 bit value).

New function ASN1_UTCTIME_cmp_time_t as a replacement
for use in apps/x509.c.
2000-09-06 15:40:52 +00:00
Dr. Stephen Henson
d428bf8c56 New option to CA.pl to sign request using CA extensions.
This allows intermediate CAs to be created more easily.

PKCS12_create() now checks private key matches certificate.

Fix typo in x509 app.

Update docs.

New function ASN1_STRING_to_UTF8() converts any ASN1_STRING
type to UTF8.
2000-08-24 23:24:18 +00:00
Dr. Stephen Henson
a657546f9c New ASN1_STRING_print_ex() and X509_NAME_print_ex()
functions. These are intended to be replacements
for the ancient ASN1_STRING_print() and X509_NAME_print()
functions.

The new functions support RFC2253 and various pretty
printing options. It is also possible to display
international characters if the terminal properly handles
UTF8 encoding (Linux seems to tolerate this if the
"unicode_start" script is run).

Still needs to be documented, integrated into other
utilities and extensively tested.
2000-07-28 01:58:15 +00:00
Richard Levitte
431b0cce7d Move add_oid_section to apps.c, so it can be shared by several
applications.  Also, have it and the certificate and key loading
functions take a BIO argument for error output.
2000-06-22 22:07:27 +00:00
Richard Levitte
90ae4673a5 Move the certificate and key loading functions to apps.c, so they can
be shared by several applications.
2000-06-22 17:42:50 +00:00
Dr. Stephen Henson
a91dedca48 Document EVP routines. Change EVP_SealInit() and EVP_OpenInit()
to support multiple calls.

New function to retrieve email address from certificates and
requests.
2000-06-11 12:18:15 +00:00
Richard Levitte
26a3a48d65 There have been a number of complaints from a number of sources that names
like Malloc, Realloc and especially Free conflict with already existing names
on some operating systems or other packages.  That is reason enough to change
the names of the OpenSSL memory allocation macros to something that has a
better chance of being unique, like prepending them with OPENSSL_.

This change includes all the name changes needed throughout all C files.
2000-06-01 22:19:21 +00:00
Ben Laurie
fd73a2121c Allow UTCTIME objects to be retrieved. Check for imminent cert expiry. 2000-05-14 12:39:53 +00:00
Bodo Möller
c4d0df0c4f Fix a memory leak, and don't generate inappropriate error message
when PEM_read_bio_X509_REQ fails.
2000-05-02 20:18:48 +00:00
Bodo Möller
3bc90f2373 Fix typo in -clrext option, but add a compatibility hack because
0.9.5a should not break anything that works in 0.9.5.
2000-03-27 18:10:08 +00:00
Bodo Möller
6d0d5431d4 More get0 et al. changes. Also provide fgrep targets in CHANGES
where the new functions are mentioned.
2000-02-26 08:36:46 +00:00
Dr. Stephen Henson
c7cb16a8ff Rename functions for new convention. 2000-02-26 01:55:33 +00:00
Dr. Stephen Henson
ae1bb4e572 Add -clrext option to 'x509' 2000-02-19 00:46:02 +00:00
Dr. Stephen Henson
a3fe382e2d Pass phrase reorganisation. 2000-02-16 23:16:01 +00:00
Ralf S. Engelschall
667ac4ec6a Make gcc 2.95.2 happy again, even under ``-Wall -Wshadow -Wpointer-arith -Wcast-align
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline''.
2000-02-11 09:47:18 +00:00
Ulf Möller
657e60fa00 ispell (and minor modifications) 2000-02-03 23:23:24 +00:00
Dr. Stephen Henson
8100490a72 Make -CAcreateserial start from 1 instead of 0 for
serial numbers.
2000-01-21 02:42:14 +00:00
Dr. Stephen Henson
35f4850ae0 More X509_ATTRIBUTE changes. 2000-01-07 00:55:54 +00:00
Dr. Stephen Henson
6447cce372 Simplify the trust structure: basically zap the bit strings and
represent everything by OIDs.
1999-12-29 00:40:28 +00:00
Dr. Stephen Henson
36217a9424 Allow passwords to be included on command line for a few
more utilities.
1999-12-24 23:53:57 +00:00
Dr. Stephen Henson
dd4134101f Change the trust and purpose code so it doesn't need init
either and has a static and dynamic mix.
1999-12-02 02:33:56 +00:00
Dr. Stephen Henson
13938aceca Add part of chain verify SSL support code: not complete or doing anything
yet.

Add a function X509_STORE_CTX_purpose_inherit() which implements the logic
of "inheriting" purpose and trust from a parent structure and using a default:
this will be used in the SSL code and possibly future S/MIME.

Partial documentation of the 'verify' utility. Still need to document how all
the extension checking works and the various error messages.
1999-11-29 01:09:25 +00:00
Dr. Stephen Henson
9868232ae1 Initial trust code: allow setting of trust checking functions
in a table. Doesn't do too much yet.

Make the -<digestname> options in 'x509' affect all relevant
options.

Change the name of the 'notrust' options to 'reject' as this
causes less confusion and is a better description of the
effect.

A few constification changes.
1999-11-27 01:14:04 +00:00
Dr. Stephen Henson
d4cec6a13d New options to the -verify program which can be used for chain verification.
Extend the X509_PURPOSE structure to include shortnames for purposed and default
trust ids.

Still need some extendable trust checking code and integration with the SSL and
S/MIME code.
1999-11-26 00:27:07 +00:00
Dr. Stephen Henson
52664f5081 Transparent support for PKCS#8 private keys in RSA/DSA.
New universal public key format.

Fix CRL+cert load problem in by_file.c

Make verify report errors when loading files or dirs
1999-11-21 22:28:31 +00:00
Dr. Stephen Henson
a0ad17bb6c Fix to the -revoke option in ca. It was leaking memory, crashing and just
plain not working :-(

Also fix some memory leaks in the new X509_NAME code.

Fix so new app_rand code doesn't crash 'x509' and move #include so it compiles
under Win32.
1999-11-08 13:58:08 +00:00
Dr. Stephen Henson
ce1b4fe146 Allow additional information to be attached to a
certificate: currently this includes trust settings
and a "friendly name".
1999-11-04 00:45:35 +00:00
Bodo Möller
a31011e8e0 Various randomness handling bugfixes and improvements --
some utilities that should have used RANDFILE did not,
and -rand handling was broken except in genrsa.
1999-10-26 01:56:29 +00:00
Bodo Möller
798757762a Improve support for running everything as a monolithic application.
Submitted by: Lennart Bång, Bodo Möller
1999-10-25 19:36:01 +00:00
Dr. Stephen Henson
673b102c5b Initial support for certificate purpose checking: this will
ultimately lead to certificate chain verification. It is
VERY EXPERIMENTAL at present though.
1999-10-13 01:11:56 +00:00