The branch master has been updated via 91034b68b39e3525f09fb263b9272de410a3ba4c (commit) from 4489655c23f1f7f412309e25a5b9fd7acf7db3f2 (commit)
- Log ----------------------------------------------------------------- commit 91034b68b39e3525f09fb263b9272de410a3ba4c Author: Petr Gotthard <petr.gotth...@centrum.cz> Date: Sat Apr 24 12:40:36 2021 +0200 apps/ca,req,x509: Switch to EVP_DigestSignInit_ex Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it works with external providers. Since EVP_DigestSignInit_ex requires a digest name instead of an EVP_MD pointer, the apps using do_sign_init() had to be modified to pass char* instead of EVP_MD*. Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> (Merged from https://github.com/openssl/openssl/pull/15014) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 47 +++++++++++++++++++++-------------------------- apps/include/apps.h | 6 +++--- apps/lib/apps.c | 20 +++++++++++--------- apps/req.c | 19 +++++-------------- apps/x509.c | 32 ++++++++++++++++++-------------- 5 files changed, 58 insertions(+), 66 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 2476343fdd..4f125b22a9 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -90,7 +90,7 @@ static char *lookup_conf(const CONF *conf, const char *group, const char *tag); static int certify(X509 **xret, const char *infile, int informat, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, + const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, @@ -102,7 +102,7 @@ static int certify(X509 **xret, const char *infile, int informat, int default_op, int ext_copy, int selfsign); static int certify_cert(X509 **xret, const char *infile, int certformat, const char *passin, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, + const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, @@ -112,7 +112,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, - X509 *x509, const EVP_MD *dgst, + X509 *x509, const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, const char *subj, unsigned long chtype, @@ -121,7 +121,7 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, const char *subj, unsigned long chtype, int multirdn, int email_dn, const char *startdate, const char *enddate, long days, @@ -270,9 +270,9 @@ int ca_main(int argc, char **argv) STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL; STACK_OF(X509) *cert_sk = NULL; X509_CRL *crl = NULL; - EVP_MD *dgst = NULL; char *configfile = default_config_file, *section = NULL; - char *md = NULL, *policy = NULL, *keyfile = NULL; + char def_dgst[80] = ""; + char *dgst = NULL, *policy = NULL, *keyfile = NULL; char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL; int certformat = FORMAT_PEM, informat = FORMAT_PEM; const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; @@ -291,7 +291,7 @@ int ca_main(int argc, char **argv) int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0; int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; - int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret; + int rand_ser = 0, i, j, selfsign = 0, def_ret; char *crl_lastupdate = NULL, *crl_nextupdate = NULL; long crldays = 0, crlhours = 0, crlsec = 0, days = 0; unsigned long chtype = MBSTRING_ASC, certopt = 0; @@ -358,7 +358,7 @@ opthelp: days = atoi(opt_arg()); break; case OPT_MD: - md = opt_arg(); + dgst = opt_arg(); break; case OPT_POLICY: policy = opt_arg(); @@ -788,28 +788,25 @@ end_of_options: } } - def_ret = EVP_PKEY_get_default_digest_nid(pkey, &def_nid); + def_ret = EVP_PKEY_get_default_digest_name(pkey, def_dgst, sizeof(def_dgst)); /* - * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is + * EVP_PKEY_get_default_digest_name() returns 2 if the digest is * mandatory for this algorithm. */ - if (def_ret == 2 && def_nid == NID_undef) { + if (def_ret == 2 && strcmp(def_dgst, "UNDEF") == 0) { /* The signing algorithm requires there to be no digest */ - dgst = (EVP_MD *)EVP_md_null(); - } else if (md == NULL - && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) { + dgst = NULL; + } else if (dgst == NULL + && (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) { goto end; } else { - if (strcmp(md, "default") == 0) { + if (strcmp(dgst, "default") == 0) { if (def_ret <= 0) { BIO_puts(bio_err, "no default digest\n"); goto end; } - md = (char *)OBJ_nid2sn(def_nid); + dgst = def_dgst; } - - if (!opt_md(md, &dgst)) - goto end; } if (req) { @@ -821,8 +818,7 @@ end_of_options: email_dn = 0; } if (verbose) - BIO_printf(bio_err, "message digest is %s\n", - EVP_MD_name(dgst)); + BIO_printf(bio_err, "message digest is %s\n", dgst); if (policy == NULL && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL) goto end; @@ -1330,7 +1326,6 @@ end_of_options: sk_OPENSSL_STRING_free(sigopts); sk_OPENSSL_STRING_free(vfyopts); EVP_PKEY_free(pkey); - EVP_MD_free(dgst); X509_free(x509); X509_CRL_free(crl); NCONF_free(conf); @@ -1349,7 +1344,7 @@ static char *lookup_conf(const CONF *conf, const char *section, const char *tag) static int certify(X509 **xret, const char *infile, int informat, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, + const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, @@ -1407,7 +1402,7 @@ static int certify(X509 **xret, const char *infile, int informat, static int certify_cert(X509 **xret, const char *infile, int certformat, const char *passin, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, + const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, @@ -1463,7 +1458,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat, } static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, const char *subj, unsigned long chtype, int multirdn, int email_dn, const char *startdate, const char *enddate, long days, @@ -1964,7 +1959,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) } static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, - X509 *x509, const EVP_MD *dgst, + X509 *x509, const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, const char *subj, unsigned long chtype, diff --git a/apps/include/apps.h b/apps/include/apps.h index 9532d396eb..a8556b8132 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -241,14 +241,14 @@ int x509_req_ctrl_string(X509_REQ *x, const char *value); int init_gen_str(EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e, int do_param, OSSL_LIB_CTX *libctx, const char *propq); -int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx); int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts); -int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts); int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts); -int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts); extern char *psk_key; diff --git a/apps/lib/apps.c b/apps/lib/apps.c index d715e25ff1..bfea59bdc8 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2152,23 +2152,25 @@ static int do_x509_req_init(X509_REQ *x, STACK_OF(OPENSSL_STRING) *opts) } static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, - const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) + const char *md, STACK_OF(OPENSSL_STRING) *sigopts) { EVP_PKEY_CTX *pkctx = NULL; - int def_nid; + char def_md[80]; if (ctx == NULL) return 0; /* - * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory + * EVP_PKEY_get_default_digest_name() returns 2 if the digest is mandatory * for this algorithm. */ - if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2 - && def_nid == NID_undef) { + if (EVP_PKEY_get_default_digest_name(pkey, def_md, sizeof(def_md)) == 2 + && strcmp(def_md, "UNDEF") == 0) { /* The signing algorithm requires there to be no digest */ md = NULL; } - return EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey) + + return EVP_DigestSignInit_ex(ctx, &pkctx, md, app_get0_libctx(), + app_get0_propq(), pkey, NULL) && do_pkey_ctx_init(pkctx, sigopts); } @@ -2201,7 +2203,7 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx, } /* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */ -int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx) { const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert); @@ -2240,7 +2242,7 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, } /* Sign the certificate request info */ -int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts) { int rv = 0; @@ -2253,7 +2255,7 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, } /* Sign the CRL info */ -int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts) { int rv = 0; diff --git a/apps/req.c b/apps/req.c index 0a524118f0..5408dc7505 100644 --- a/apps/req.c +++ b/apps/req.c @@ -240,12 +240,11 @@ int req_main(int argc, char **argv) X509 *new_x509 = NULL, *CAcert = NULL; X509_REQ *req = NULL; EVP_CIPHER *cipher = NULL; - EVP_MD *digest = NULL; int ext_copy = EXT_COPY_UNSET; BIO *addext_bio = NULL; char *extensions = NULL; const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL; - char *outfile = NULL, *keyfile = NULL, *digestname = NULL; + char *outfile = NULL, *keyfile = NULL, *digest = NULL; char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; char *nofree_passin = NULL, *nofree_passout = NULL; @@ -468,7 +467,7 @@ int req_main(int argc, char **argv) newreq = precert = 1; break; case OPT_MD: - digestname = opt_unknown(); + digest = opt_unknown(); break; } } @@ -481,11 +480,6 @@ int req_main(int argc, char **argv) if (!app_RAND_load()) goto end; - if (digestname != NULL) { - if (!opt_md(digestname, &digest)) - goto opthelp; - } - if (!gen_x509) { if (days != UNSET_DAYS) BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n"); @@ -537,12 +531,10 @@ int req_main(int argc, char **argv) if (digest == NULL) { p = NCONF_get_string(req_conf, section, "default_md"); - if (p == NULL) { + if (p == NULL) ERR_clear_error(); - } else { - if (!opt_md(p, &digest)) - goto opthelp; - } + else + digest = p; } if (extensions == NULL) { @@ -1056,7 +1048,6 @@ int req_main(int argc, char **argv) BIO_free(addext_bio); BIO_free_all(out); EVP_PKEY_free(pkey); - EVP_MD_free(digest); EVP_PKEY_CTX_free(genctx); sk_OPENSSL_STRING_free(pkeyopts); sk_OPENSSL_STRING_free(sigopts); diff --git a/apps/x509.c b/apps/x509.c index 3c67855e6a..50453c4b7c 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -189,7 +189,7 @@ static void warn_copying(ASN1_OBJECT *excluded, const char *names) sn); } -static X509_REQ *x509_to_req(X509 *cert, EVP_PKEY *pkey, const EVP_MD *digest, +static X509_REQ *x509_to_req(X509 *cert, EVP_PKEY *pkey, const char *digest, STACK_OF(OPENSSL_STRING) *sigopts, int ext_copy, const char *names) { @@ -249,7 +249,7 @@ int x509_main(int argc, char **argv) EVP_PKEY *privkey = NULL, *CAkey = NULL, *pubkey = NULL; EVP_PKEY *pkey; int newcert = 0; - char *subj = NULL, *digestname = NULL; + char *subj = NULL, *digest = NULL; X509_NAME *fsubj = NULL; const unsigned long chtype = MBSTRING_ASC; const int multirdn = 1; @@ -258,7 +258,6 @@ int x509_main(int argc, char **argv) X509 *x = NULL, *xca = NULL, *issuer_cert; X509_REQ *req = NULL, *rq = NULL; X509_STORE *ctx = NULL; - EVP_MD *digest = NULL; char *CAkeyfile = NULL, *CAserial = NULL, *pubkeyfile = NULL, *alias = NULL; char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; char *ext_names = NULL; @@ -568,7 +567,7 @@ int x509_main(int argc, char **argv) preserve_dates = 1; break; case OPT_MD: - digestname = opt_unknown(); + digest = opt_unknown(); break; } } @@ -581,10 +580,6 @@ int x509_main(int argc, char **argv) if (!app_RAND_load()) goto end; - if (digestname != NULL) { - if (!opt_md(digestname, &digest)) - goto opthelp; - } if (preserve_dates && days != UNSET_DAYS) { BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n"); goto end; @@ -971,16 +966,26 @@ int x509_main(int argc, char **argv) } else if (i == fingerprint) { unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; - const EVP_MD *fdig = digest; + const char *fdigname = digest; + EVP_MD *fdig; + int digres; - if (fdig == NULL) - fdig = EVP_sha1(); + if (fdigname == NULL) + fdigname = "SHA1"; - if (!X509_digest(x, fdig, md, &n)) { + if ((fdig = EVP_MD_fetch(app_get0_libctx(), fdigname, + app_get0_propq())) == NULL) { + BIO_printf(bio_err, "Unknown digest\n"); + goto end; + } + digres = X509_digest(x, fdig, md, &n); + EVP_MD_free(fdig); + if (!digres) { BIO_printf(bio_err, "Out of memory\n"); goto end; } - BIO_printf(out, "%s Fingerprint=", EVP_MD_name(fdig)); + + BIO_printf(out, "%s Fingerprint=", fdigname); for (j = 0; j < (int)n; j++) BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':'); } else if (i == ocspid) { @@ -1038,7 +1043,6 @@ int x509_main(int argc, char **argv) EVP_PKEY_free(privkey); EVP_PKEY_free(CAkey); EVP_PKEY_free(pubkey); - EVP_MD_free(digest); sk_OPENSSL_STRING_free(sigopts); sk_OPENSSL_STRING_free(vfyopts); X509_REQ_free(rq);