The point of the patch is to re-sign hand modified certs using a
specific key, for debugging purposes.  Naturally, in a real
environment you should require POP before generating a cert, but I
find the patch quite useful at times.  Note that my patch does not
change the default behaviour.  Perhaps it is more acceptable if the
documentation is more clear that the user will lose security if she
doesn't understand what she is doing?  (Although this is true in
general, if the user is clueless, there will be no security, so I
don't see how this particular option is more harmful than others.)

"Richard Levitte via RT" <[EMAIL PROTECTED]> writes:

> I came to think that a better solution would be to allow an option 
> where the certificates leading from the given CA certificate up to 
> the root could be given.
>
> I'm a little dubious about using unverified certificates.  On the 
> other hand, "openssl ca" does exactly that, so perhaps one should 
> default to what this patch is suggesting as an option.
>
> Ideas?
>
> [levitte - Wed May  8 16:47:23 2002]:
>
>> [[EMAIL PROTECTED] - Thu Apr 25 16:20:45 2002]:
>> 
>> Well, 0.9.6 gets changed for small patches only.  I believe this 
>> constitutes something bigger, so it'll go to 0.9.7 (possibly) or 
>> 0.9.8 (quite certainly), unless someone in the team is very much 
>> against...
>> 
>> > What about the patch below for 0.9.6d?  Doc patch as well:
>> > 
>> > --- x509.pod.orig       Mon Jan 14 12:03:55 2002
>> > +++ x509.pod    Mon Jan 14 12:03:35 2002
>> > @@ -43,6 +43,7 @@
>> >  [B<-CAkey filename>]
>> >  [B<-CAcreateserial>]
>> >  [B<-CAserial filename>]
>> > +[B<-noselfsign>]
>> >  [B<-text>]
>> >  [B<-C>]
>> >  [B<-md2|-md5|-sha1|-mdc2>]
>> > @@ -300,7 +301,8 @@
>> >  of the CA and it is digitally signed using the CAs private key.
>> > 
>> >  This option is normally combined with the B<-req> option. 
> Without 
>> the
>> > -B<-req> option the input is a certificate which must be self 
>> signed.
>> > +B<-req> option the input is a certificate which must be self 
>> signed
>> > +(unless B<-noselfsign> is specified).
>> > 
>> >  =item B<-CAkey filename>
>> > 
>> > @@ -327,6 +329,11 @@
>> >  it will contain the serial number "02" and the certificate being
>> > signed will
>> >  have the 1 as its serial number. Normally if the B<-CA> option 
> is
>> > specified
>> >  and the serial number file does not exist it is an error.
>> > +
>> > +=item B<-noselfsign>
>> > +
>> > +with this option the "mini CA" (see B<-CA>) will sign 
> certificates
>> > +with unverified signatures.
>> > 
>> >  =item B<-extfile filename>
>> > 
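Review bot: the new `=item B<-noselfsign>` text should start with a capital letter and should state what the option actually does: it makes `x509 -CA` skip verification of the input certificate altogether (see the `!noselfsign && !X509_verify_cert(&xsc)` change further down), so a certificate whose signature does not check out, or whose issuer is not the given CA, is still re-signed. Since this removes a security check, the entry should say so plainly and note that it is intended for debugging hand-edited certificates, as the cover mail explains, for example: "Do not verify the signature on the input certificate before signing it with the CA key. Intended for debugging only."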
>> > 
>> > 
>> > Simon Josefsson <[EMAIL PROTECTED]> writes:
>> > 
>> > > This patch that allows you to override the check for a valid 
>> self-
>> > signed
>> > > certificate when signing certs using 'x509 -CA'.  I find this 
>> useful
>> > for
>> > > those times when you edit certs with M-x hexl-mode.
>> > >
>> > > --- x509.c.orig  Mon Jan 14 11:41:05 2002
>> > > +++ x509.c       Mon Jan 14 11:41:41 2002
>> > > @@ -122,6 +122,7 @@
>> > >  "                   missing, it is assumed to be in the CA
>> > file.\n",
>> > >  " -CAcreateserial - create serial number file if it does not
>> > exist\n",
>> > >  " -CAserial       - serial file\n",
>> > > +" -noselfsign     - accept certificates that aren't self 
> signed,
>> > for -CA.\n",
>> > >  " -text           - print the certificate in text form\n",
>> > >  " -C              - print out C code forms\n",
>> > >  " -md2/-md5/-sha1/-mdc2 - digest to use\n",
>> > > @@ -137,7 +138,8 @@
>> > >                                                  LHASH *conf, char 
>> *section);
>> > >  static int x509_certify (X509_STORE *ctx,char *CAfile,const 
>> EVP_MD
>> > *digest,
>> > >                           X509 *x,X509 *xca,EVP_PKEY *pkey,char 
>> *serial,
>> > > -                         int create,int days, int clrext, LHASH 
>> *conf, char *section);
>> > > +                         int create,int days, int clrext, LHASH 
>> *conf,
>> > > +                         char *section, int noselfsign);
>> > >  static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE 
>> *pt);
>> > >  static int reqfile=0;
>> > >
>> > > @@ -158,6 +160,7 @@
>> > >          char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
>> > >          char *CAkeyfile=NULL,*CAserial=NULL;
>> > >          char *alias=NULL;
>> > > +        int noselfsign=0;
>> > >          int
>> > text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
>> > >          int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
>> > >          int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
>> > > @@ -339,6 +342,8 @@
>> > >                          }
>> > >                  else if (strcmp(*argv,"-C") == 0)
>> > >                          C= ++num;
>> > > +                else if (strcmp(*argv,"-noselfsign") == 0)
>> > > +                        noselfsign = ++num;
>> > >                  else if (strcmp(*argv,"-email") == 0)
>> > >                          email= ++num;
>> > >                  else if (strcmp(*argv,"-serial") == 0)
>> > > @@ -844,8 +849,8 @@
>> > >
>> > >                                  assert(need_rand);
>> > >                                  if 
>> (!x509_certify(ctx,CAfile,digest,x,xca,
>> > > -                                        CApkey, 
>> CAserial,CA_createserial,days, clrext,
>> > > -                                        extconf, extsect))
>> > > +                                        CApkey, 
>> CAserial,CA_createserial,days,
>> > > +                                        clrext, extconf, extsect, 
>> noselfsign))
>> > >                                          goto end;
>> > >                                  }
>> > >                          else if (x509req == i)
>> > > @@ -966,7 +971,7 @@
>> > >
>> > >  static int x509_certify(X509_STORE *ctx, char *CAfile, const 
>> EVP_MD
>> > *digest,
>> > >               X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, 
>> int
>> > create,
>> > > -             int days, int clrext, LHASH *conf, char *section)
>> > > +             int days, int clrext, LHASH *conf, char *section, int
>> > noselfsign)
>> > >          {
>> > >          int ret=0;
>> > >          BIO *io=NULL;
>> > > @@ -1068,8 +1073,8 @@
>> > >          /* NOTE: this certificate can/should be self signed, unless 
>> it was
>> > >           * a certificate request in which case it is not. */
>> > >          X509_STORE_CTX_set_cert(&xsc,x);
>> > > -        if (!reqfile && !X509_verify_cert(&xsc))
>> > > -                goto end;
>> > > +        if (!reqfile && !noselfsign && !X509_verify_cert(&xsc))
>> > > +                goto end;
>> > >
>> > >          if (!X509_check_private_key(xca,pkey))
>> > >                  {
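Review bot: the NOTE comment just above the changed `if` still says the certificate "can/should be self signed" and does not mention the new override; update it to record that `noselfsign` skips `X509_verify_cert` entirely. The flag also does more than its name suggests: when it is set, no verification of the input certificate happens at all, not merely a relaxation of the self-signed requirement, and `xsc` is set up on that path without ever being used. Either give the option a name that says verification is skipped, or make sure the help text and manual page describe it that way.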
>> > > @@ -1132,6 +1137,7 @@
>> > >          if (ok)
>> > >                  {
>> > >                  BIO_printf(bio_err,"error with certificate to be 
>> certified -
>> > should be self signed\n");
>> > > +                BIO_printf(bio_err,"consider using -noselfsign\n");
>> > >                  return 0;
>> > >                  }
>> > >          else
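Review bot: the added `BIO_printf(bio_err,"consider using -noselfsign\n");` is emitted every time the self-signed check fails, so a user who hits this error in normal use is pointed at an option that disables the check rather than at the likely real problem (wrong CA certificate, or an input that is not self-signed and should not be signed as-is). Suggest dropping the hint from the error path and leaving the option to the manual page, or at least wording it so that it reads as a debugging escape hatch rather than the recommended fix.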
>> > >
>> > 
>> 
>
>
> -- 
> Richard Levitte
> [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
