The branch master has been updated via d105a24c8987dde38595a2fa336057b141e5ddf3 (commit) via bee3f3890547cc7f349b69ef63665ebcc80d48ed (commit) via 3d1becd42aecbd00c2514bac7b5e8e33f097fdc2 (commit) via 0b294f5647a21a8762871b18f0cbbf96ce8cc68d (commit) via d382e79632677f2457025be3d820e08d7ea12d85 (commit) from b86fa8c55682169c88e14e616170d6caeb208865 (commit)
- Log ----------------------------------------------------------------- commit d105a24c8987dde38595a2fa336057b141e5ddf3 Author: Tomas Mraz <to...@openssl.org> Date: Mon May 3 14:40:06 2021 +0200 Add some tests for -inform/keyform enforcement Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15100) commit bee3f3890547cc7f349b69ef63665ebcc80d48ed Author: Tomas Mraz <to...@openssl.org> Date: Mon May 3 14:15:26 2021 +0200 Document the behavior of the -inform and related options Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15100) commit 3d1becd42aecbd00c2514bac7b5e8e33f097fdc2 Author: Tomas Mraz <to...@openssl.org> Date: Mon May 3 14:14:54 2021 +0200 provider-storemgmt: Document the input-type and properties parameters. Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15100) commit 0b294f5647a21a8762871b18f0cbbf96ce8cc68d Author: Tomas Mraz <to...@openssl.org> Date: Mon May 3 08:45:52 2021 +0200 Update gost-engine to make it compatible with the added params Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15100) commit d382e79632677f2457025be3d820e08d7ea12d85 Author: Tomas Mraz <to...@openssl.org> Date: Fri Apr 30 16:57:53 2021 +0200 Make the -inform option to be respected if possible Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called. The input type format is enforced only in case the file type file store is used. By default we use FORMAT_UNDEF meaning the input type is not enforced. 
Fixes #14569 Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15100) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 7 +++ apps/ca.c | 10 ++-- apps/cmp.c | 6 +-- apps/cms.c | 16 +++--- apps/crl.c | 6 +-- apps/dgst.c | 2 +- apps/dsa.c | 2 +- apps/dsaparam.c | 4 +- apps/ec.c | 2 +- apps/ecparam.c | 2 +- apps/gendsa.c | 2 +- apps/include/apps.h | 15 +++--- apps/lib/apps.c | 61 +++++++++++++++------ apps/lib/s_cb.c | 3 +- apps/ocsp.c | 12 ++--- apps/pkcs8.c | 9 ++-- apps/pkey.c | 2 +- apps/pkeyutl.c | 5 +- apps/req.c | 6 +-- apps/rsa.c | 4 +- apps/rsautl.c | 4 +- apps/s_client.c | 11 ++-- apps/s_server.c | 22 ++++---- apps/smime.c | 9 ++-- apps/spkac.c | 2 +- apps/storeutl.c | 2 +- apps/verify.c | 2 +- apps/x509.c | 8 +-- crypto/pem/pem_pkey.c | 2 +- crypto/store/store_lib.c | 68 ++++++++++++++---------- crypto/x509/by_store.c | 3 +- doc/man1/openssl-ca.pod.in | 19 +++---- doc/man1/openssl-cmp.pod.in | 3 +- doc/man1/openssl-cms.pod.in | 6 +-- doc/man1/openssl-crl.pod.in | 13 ++--- doc/man1/openssl-dgst.pod.in | 6 +-- doc/man1/openssl-dsa.pod.in | 9 +++- doc/man1/openssl-dsaparam.pod.in | 9 +++- doc/man1/openssl-ec.pod.in | 5 +- doc/man1/openssl-ecparam.pod.in | 9 +++- doc/man1/openssl-format-options.pod | 10 ++-- doc/man1/openssl-pkey.pod.in | 3 +- doc/man1/openssl-pkeyutl.pod.in | 9 +--- doc/man1/openssl-req.pod.in | 9 ++-- doc/man1/openssl-rsa.pod.in | 3 +- doc/man1/openssl-rsautl.pod.in | 6 +-- doc/man1/openssl-s_client.pod.in | 12 ++--- doc/man1/openssl-s_server.pod.in | 24 +++------ doc/man1/openssl-smime.pod.in | 6 +-- doc/man1/openssl-spkac.pod.in | 6 +-- doc/man1/openssl-x509.pod.in | 17 ++---- doc/man3/OSSL_STORE_attach.pod | 1 + doc/man3/OSSL_STORE_open.pod | 5 +- doc/man7/provider-storemgmt.pod | 10 ++++ gost-engine | 2 +- include/openssl/core_names.h | 2 + include/openssl/store.h | 2 + providers/fips-sources.checksums | 2 +- providers/fips.checksum | 2 +- 
providers/implementations/storemgmt/file_store.c | 33 +++++++----- test/ossl_store_test.c | 6 +-- test/recipes/20-test_pkeyutl.t | 12 ++++- test/recipes/25-test_crl.t | 8 +-- test/recipes/25-test_req.t | 12 ++++- test/recipes/25-test_x509.t | 16 +++++- 65 files changed, 342 insertions(+), 264 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 5c696ff65a..9d557c5c53 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -51,6 +51,13 @@ OpenSSL 3.0 *Shane Lontis* + * The openssl commands that read keys, certificates, and CRLs now + automatically detect the PEM or DER format of the input files so it is not + necessary to explicitly specify the input format anymore. However if the + input format option is used the specified format will be required. + + *David von Oheimb, Richard Levitte, and Tomáš Mráz* + * Added enhanced PKCS#12 APIs which accept a library context `OSSL_LIB_CTX` and (where relevant) a property query. Other APIs which handle PKCS#7 and PKCS#8 objects have also been enhanced where required. This includes: diff --git a/apps/ca.c b/apps/ca.c index 9dd46e4f5c..923ede4cde 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -274,7 +274,7 @@ int ca_main(int argc, char **argv) char def_dgst[80] = ""; char *dgst = NULL, *policy = NULL, *keyfile = NULL; char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL; - int certformat = FORMAT_PEM, informat = FORMAT_PEM; + int certformat = FORMAT_UNDEF, informat = FORMAT_UNDEF; const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; const char *extensions = NULL, *extfile = NULL, *passinarg = NULL; char *passin = NULL; 
@@ -289,7 +289,7 @@ int ca_main(int argc, char **argv) size_t outdirlen = 0; int create_ser = 0, free_passin = 0, total = 0, total_done = 0; int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; - int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0; + int keyformat = FORMAT_UNDEF, multirdn = 1, notext = 0, output_der = 0; int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; int rand_ser = 0, i, j, selfsign = 0, def_ret; char *crl_lastupdate = NULL, *crl_nextupdate = NULL; @@ -594,7 +594,7 @@ end_of_options: && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL) goto end; - x509 = load_cert_pass(certfile, 1, passin, "CA certificate"); + x509 = load_cert_pass(certfile, certformat, 1, passin, "CA certificate"); if (x509 == NULL) goto end; @@ -1287,7 +1287,7 @@ end_of_options: } else { X509 *revcert; - revcert = load_cert_pass(infile, 1, passin, + revcert = load_cert_pass(infile, informat, 1, passin, "certificate to be revoked"); if (revcert == NULL) goto end; @@ -1417,7 +1417,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat, EVP_PKEY *pktmp = NULL; int ok = -1, i; - if ((template_cert = load_cert_pass(infile, 1, passin, + if ((template_cert = load_cert_pass(infile, certformat, 1, passin, "template certificate")) == NULL) goto end; if (verbose) diff --git a/apps/cmp.c b/apps/cmp.c index fdd0043311..f64cb8c813 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -131,8 +131,8 @@ static int opt_revreason = CRL_REASON_NONE; /* credentials format */ static char *opt_certform_s = "PEM"; static int opt_certform = FORMAT_PEM; -static char *opt_keyform_s = "PEM"; -static int opt_keyform = FORMAT_PEM; +static char *opt_keyform_s = NULL; +static int opt_keyform = FORMAT_UNDEF; static char *opt_otherpass = NULL; static char *opt_engine = NULL; 
@@ -635,7 +635,7 @@ static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc) X509 *cert; char *pass_string = get_passwd(pass, desc); - cert = load_cert_pass(uri, 0, pass_string, desc); + cert = load_cert_pass(uri, FORMAT_UNDEF, 0, pass_string, desc); clear_free(pass_string); return cert; } diff --git a/apps/cms.c b/apps/cms.c index e512f1d3e8..f40049edac 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -292,7 +292,7 @@ int cms_main(int argc, char **argv) int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1; - int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; + int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_UNDEF; size_t secret_keylen = 0, secret_keyidlen = 0; unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; unsigned char *secret_key = NULL, *secret_keyid = NULL; @@ -611,7 +611,8 @@ int cms_main(int argc, char **argv) if (operation == SMIME_ENCRYPT) { if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) goto end; - cert = load_cert(opt_arg(), "recipient certificate file"); + cert = load_cert(opt_arg(), FORMAT_UNDEF, + "recipient certificate file"); if (cert == NULL) goto end; sk_X509_push(encerts, cert); @@ -810,7 +811,8 @@ int cms_main(int argc, char **argv) if ((encerts = sk_X509_new_null()) == NULL) goto end; while (*argv) { - if ((cert = load_cert(*argv, "recipient certificate file")) == NULL) + if ((cert = load_cert(*argv, FORMAT_UNDEF, + "recipient certificate file")) == NULL) goto end; sk_X509_push(encerts, cert); cert = NULL; @@ -826,7 +828,7 @@ int cms_main(int argc, char **argv) } if (recipfile != NULL && (operation == SMIME_DECRYPT)) { - if ((recip = load_cert(recipfile, + if ((recip = load_cert(recipfile, FORMAT_UNDEF, "recipient certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; 
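Review bot: In load_cert_pwd the certificate is loaded with `FORMAT_UNDEF`, so the value of `-certform` held in `opt_certform` (which the earlier cmp.c hunk leaves at `FORMAT_PEM`) is never enforced, while `-keyform` now is. If `opt_certform` is still consulted elsewhere that is fine, but a short comment here would make the asymmetry deliberate; otherwise defaulting `opt_certform` to `FORMAT_UNDEF` like `opt_keyform` and calling `cert = load_cert_pass(uri, opt_certform, 0, pass_string, desc);` would make the two options behave alike. load_cert_pwd is shown completely in the hunk.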
@@ -834,7 +836,7 @@ int cms_main(int argc, char **argv) } if (originatorfile != NULL) { - if ((originator = load_cert(originatorfile, + if ((originator = load_cert(originatorfile, FORMAT_UNDEF, "originator certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -842,7 +844,7 @@ int cms_main(int argc, char **argv) } if (operation == SMIME_SIGN_RECEIPT) { - if ((signer = load_cert(signerfile, + if ((signer = load_cert(signerfile, FORMAT_UNDEF, "receipt signer certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -1048,7 +1050,7 @@ int cms_main(int argc, char **argv) signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(signerfile, "signer certificate"); + signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate"); if (signer == NULL) { ret = 2; goto end; diff --git a/apps/crl.c b/apps/crl.c index 8f1babde6f..8904cc08c7 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -88,7 +88,7 @@ int crl_main(int argc, char **argv) const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog; OPTION_CHOICE o; int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF; int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0; int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0, noCAstore = 0; int i; @@ -211,7 +211,7 @@ int crl_main(int argc, char **argv) if (!opt_md(digestname, &digest)) goto opthelp; } - x = load_crl(infile, 1, "CRL"); + x = load_crl(infile, informat, 1, "CRL"); if (x == NULL) goto end; 
@@ -256,7 +256,7 @@ int crl_main(int argc, char **argv) BIO_puts(bio_err, "Missing CRL signing key\n"); goto end; } - newcrl = load_crl(crldiff, 0, "other CRL"); + newcrl = load_crl(crldiff, informat, 0, "other CRL"); if (!newcrl) goto end; pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key"); diff --git a/apps/dgst.c b/apps/dgst.c index fcc7fc8679..15f9e2e685 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -105,7 +105,7 @@ int dgst_main(int argc, char **argv) const char *sigfile = NULL; const char *md_name = NULL; OPTION_CHOICE o; - int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0; + int separator = 0, debug = 0, keyform = FORMAT_UNDEF, siglen = 0; int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0; int xoflen = 0; unsigned char *buf = NULL, *sigbuf = NULL; diff --git a/apps/dsa.c b/apps/dsa.c index c00673a8ac..abb422132a 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -83,7 +83,7 @@ int dsa_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; OPTION_CHOICE o; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0; int modulus = 0, pubin = 0, pubout = 0, ret = 1; int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH; int private = 0; diff --git a/apps/dsaparam.c b/apps/dsaparam.c index c78d28ecb1..d7fb736b98 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -69,7 +69,7 @@ int dsaparam_main(int argc, char **argv) EVP_PKEY *params = NULL, *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; int numbits = -1, num = 0, genkey = 0; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, noout = 0; int ret = 1, i, text = 0, private = 0; char *infile = NULL, *outfile = NULL, *prog; OPTION_CHOICE o; 
@@ -181,7 +181,7 @@ int dsaparam_main(int argc, char **argv) goto end; } } else { - params = load_keyparams(infile, 1, "DSA", "DSA parameters"); + params = load_keyparams(infile, informat, 1, "DSA", "DSA parameters"); } if (params == NULL) { /* Error message should already have been displayed */ diff --git a/apps/ec.c b/apps/ec.c index 379c6b6132..e3ce437076 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -73,7 +73,7 @@ int ec_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; OPTION_CHOICE o; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0; int pubin = 0, pubout = 0, param_out = 0, ret = 1, private = 0; int check = 0; char *asn1_encoding = NULL; diff --git a/apps/ecparam.c b/apps/ecparam.c index e9e36d1d8b..a801ad69bf 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -240,7 +240,7 @@ int ecparam_main(int argc, char **argv) goto end; } } else { - params_key = load_keyparams(infile, 1, "EC", "EC parameters"); + params_key = load_keyparams(infile, informat, 1, "EC", "EC parameters"); if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC")) goto end; if (point_format diff --git a/apps/gendsa.c b/apps/gendsa.c index 6d1c91d230..f4bd0fe09e 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -121,7 +121,7 @@ int gendsa_main(int argc, char **argv) goto end; } - pkey = load_keyparams(dsaparams, 1, "DSA", "DSA parameters"); + pkey = load_keyparams(dsaparams, FORMAT_UNDEF, 1, "DSA", "DSA parameters"); out = bio_open_owner(outfile, FORMAT_PEM, private); if (out == NULL) diff --git a/apps/include/apps.h b/apps/include/apps.h index a8556b8132..207ed41bc7 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h 
@@ -108,18 +108,19 @@ char *get_passwd(const char *pass, const char *desc); int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2); int add_oid_section(CONF *conf); X509_REQ *load_csr(const char *file, int format, const char *desc); -X509 *load_cert_pass(const char *uri, int maybe_stdin, +X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc); -#define load_cert(uri, desc) load_cert_pass(uri, 1, NULL, desc) -X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc); +#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc) +X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, + const char *desc); void cleanse(char *str); void clear_free(char *str); EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); -EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype, - const char *desc); +EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin, + const char *keytype, const char *desc); char *next_item(char *opt); /* in list separated by comma and/or space */ int load_cert_certs(const char *uri, X509 **pcert, STACK_OF(X509) **pcerts, 
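Review bot: The new `format` parameter of `load_cert_pass`, `load_crl` and `load_keyparams` is not documented in the header, and its contract is not obvious from the name: per the commit message `FORMAT_UNDEF` means "do not constrain, auto-detect", while `FORMAT_PEM`/`FORMAT_ASN1` are required of the input only when the file store is used. A one-line comment above the `load_cert_pass` prototype would save callers from guessing, e.g. `/* format: FORMAT_PEM or FORMAT_ASN1 to require that encoding, FORMAT_UNDEF to auto-detect */`. The same applies to the `format` parameter added to `load_key_certs_crls` and `load_key_cert_crl` in the following hunk.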
@@ -133,13 +134,13 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs, const char *pass, const char *desc); int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, const char *pass, const char *desc); -int load_key_certs_crls(const char *uri, int maybe_stdin, +int load_key_certs_crls(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc, EVP_PKEY **ppkey, EVP_PKEY **ppubkey, EVP_PKEY **pparams, X509 **pcert, STACK_OF(X509) **pcerts, X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls); -int load_key_cert_crl(const char *uri, int maybe_stdin, +int load_key_cert_crl(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc, EVP_PKEY **ppkey, EVP_PKEY **ppubkey, X509 **pcert, X509_CRL **pcrl); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index bfd938b555..f0a9ffc93a 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -38,6 +38,7 @@ #include <openssl/bn.h> #include <openssl/ssl.h> #include <openssl/store.h> +#include <openssl/core_names.h> #include "s_apps.h" #include "apps.h" @@ -478,7 +479,7 @@ CONF *app_load_config_modules(const char *configfile) #define IS_HTTPS(uri) ((uri) != NULL \ && strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0) -X509 *load_cert_pass(const char *uri, int maybe_stdin, +X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc) { X509 *cert = NULL; @@ -490,7 +491,7 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin, else if (IS_HTTP(uri)) cert = X509_load_http(uri, NULL, NULL, 0 /* timeout */); else - (void)load_key_certs_crls(uri, maybe_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, NULL, NULL, NULL, &cert, NULL, NULL, NULL); if (cert == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); 
@@ -499,7 +500,8 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin, return cert; } -X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc) +X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, + const char *desc) { X509_CRL *crl = NULL; @@ -510,7 +512,7 @@ X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc) else if (IS_HTTP(uri)) crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */); else - (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, NULL, NULL, NULL, NULL, NULL, &crl, NULL); if (crl == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); @@ -524,6 +526,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) X509_REQ *req = NULL; BIO *in; + if (format == FORMAT_UNDEF) + format = FORMAT_PEM; if (desc == NULL) desc = "CSR"; in = bio_open_default(file, 'r', format); @@ -570,7 +574,7 @@ EVP_PKEY *load_key(const char *uri, int format, int may_stdin, if (format == FORMAT_ENGINE) { uri = allocated_uri = make_engine_uri(e, uri, desc); } - (void)load_key_certs_crls(uri, may_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, may_stdin, pass, desc, &pkey, NULL, NULL, NULL, NULL, NULL, NULL); OPENSSL_free(allocated_uri); 
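Review bot: In load_csr the added `if (format == FORMAT_UNDEF) format = FORMAT_PEM;` silently picks PEM when no `-inform` is given, unlike the store-based loaders in this file, which auto-detect; a DER CSR without `-inform DER` will therefore fail in the PEM reader rather than be detected. A comment stating why CSRs are the exception would help the next reader, e.g. `/* CSRs are not loaded via OSSL_STORE, so there is no auto-detection; default to PEM */`. The body of load_csr continues outside the hunk.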
@@ -589,22 +593,22 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, if (format == FORMAT_ENGINE) { uri = allocated_uri = make_engine_uri(e, uri, desc); } - (void)load_key_certs_crls(uri, maybe_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, NULL, &pkey, NULL, NULL, NULL, NULL, NULL); OPENSSL_free(allocated_uri); return pkey; } -EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype, - const char *desc) +EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin, + const char *keytype, const char *desc) { EVP_PKEY *params = NULL; if (desc == NULL) desc = "key parameters"; - (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, NULL, NULL, ¶ms, NULL, NULL, NULL, NULL); if (params != NULL && keytype != NULL && !EVP_PKEY_is_a(params, keytype)) { BIO_printf(bio_err, @@ -698,7 +702,8 @@ int load_cert_certs(const char *uri, return ret; } pass_string = get_passwd(pass, desc); - ret = load_key_certs_crls(uri, 0, pass_string, desc, NULL, NULL, NULL, + ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass_string, desc, + NULL, NULL, NULL, pcert, pcerts, NULL, NULL); clear_free(pass_string); @@ -800,7 +805,8 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs, const char *pass, const char *desc) { int was_NULL = *certs == NULL; - int ret = load_key_certs_crls(uri, maybe_stdin, pass, desc, NULL, NULL, + int ret = load_key_certs_crls(uri, FORMAT_UNDEF, maybe_stdin, + pass, desc, NULL, NULL, NULL, NULL, certs, NULL, NULL); if (!ret && was_NULL) { @@ -818,7 +824,8 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, const char *pass, const char *desc) { int was_NULL = *crls == NULL; - int ret = load_key_certs_crls(uri, 0, pass, desc, NULL, NULL, NULL, + int ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass, desc, + NULL, NULL, NULL, NULL, NULL, NULL, crls); if (!ret && was_NULL) { 
@@ -828,6 +835,17 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, return ret; } +static const char *format2string(int format) +{ + switch(format) { + case FORMAT_PEM: + return "PEM"; + case FORMAT_ASN1: + return "DER"; + } + return NULL; +} + /* Set type expectation, but clear it if objects of different types expected. */ #define SET_EXPECT(val) expect = expect < 0 ? val : (expect == val ? val : 0); /* @@ -843,7 +861,7 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, * In any case (also on error) the caller is responsible for freeing all members * of *pcerts and *pcrls (as far as they are not NULL). */ -int load_key_certs_crls(const char *uri, int maybe_stdin, +int load_key_certs_crls(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc, EVP_PKEY **ppkey, EVP_PKEY **ppubkey, EVP_PKEY **pparams, @@ -863,6 +881,9 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, pcrls != NULL ? "CRLs" : NULL; int cnt_expectations = 0; int expect = -1; + const char *input_type; + OSSL_PARAM itp[2]; + const OSSL_PARAM *params = NULL; /* TODO make use of the engine reference 'eng' when loading pkeys */ if (ppkey != NULL) { @@ -915,6 +936,13 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, uidata.password = pass; uidata.prompt_info = uri; + if ((input_type = format2string(format)) != NULL) { + itp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE, + (char *)input_type, 0); + itp[1] = OSSL_PARAM_construct_end(); + params = itp; + } + if (uri == NULL) { BIO *bio; 
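Review bot: format2string writes `switch(format)` without the space after the keyword that the surrounding code uses for `if (` and `while (`; `switch (format) {` matches the file's style. The function also relies on its NULL return meaning "do not constrain the store's input type" — the caller in the later `load_key_certs_crls` hunk only builds the OSSL_PARAM array when the result is non-NULL — and that contract deserves a comment, e.g. `/* Map an apps FORMAT_* value to an OSSL_STORE input type; NULL means no constraint (FORMAT_UNDEF, FORMAT_ENGINE, ...). */`. The function is shown completely in the hunk.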
@@ -927,12 +955,13 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, bio = BIO_new_fp(stdin, 0); if (bio != NULL) { ctx = OSSL_STORE_attach(bio, "file", libctx, propq, - get_ui_method(), &uidata, NULL, NULL); + get_ui_method(), &uidata, params, + NULL, NULL); BIO_free(bio); } } else { ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata, - NULL, NULL); + params, NULL, NULL); } if (ctx == NULL) { BIO_printf(bio_err, "Could not open file or uri for loading"); @@ -2322,7 +2351,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp) DIST_POINT *dp = sk_DIST_POINT_value(crldp, i); urlptr = get_dp_url(dp); if (urlptr != NULL) - return load_crl(urlptr, 0, "CRL via CDP"); + return load_crl(urlptr, FORMAT_UNDEF, 0, "CRL via CDP"); } return NULL; } diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 6824567c70..0bb4b6c436 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -1019,7 +1019,8 @@ int load_excert(SSL_EXCERT **pexc) BIO_printf(bio_err, "Missing filename\n"); return 0; } - exc->cert = load_cert(exc->certfile, "Server Certificate"); + exc->cert = load_cert(exc->certfile, exc->certform, + "Server Certificate"); if (exc->cert == NULL) return 0; if (exc->keyfile != NULL) { diff --git a/apps/ocsp.c b/apps/ocsp.c index d59cd1eb59..355b4127c8 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -402,7 +402,7 @@ int ocsp_main(int argc, char **argv) path = opt_arg(); break; case OPT_ISSUER: - issuer = load_cert(opt_arg(), "issuer certificate"); + issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate"); if (issuer == NULL) goto end; if (issuers == NULL) { @@ -414,7 +414,7 @@ int ocsp_main(int argc, char **argv) break; case OPT_CERT: X509_free(cert); - cert = load_cert(opt_arg(), "certificate"); + cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate"); if (cert == NULL) goto end; if (cert_id_md == NULL) 
@@ -565,7 +565,7 @@ int ocsp_main(int argc, char **argv) if (rsignfile != NULL) { if (rkeyfile == NULL) rkeyfile = rsignfile; - rsigner = load_cert(rsignfile, "responder certificate"); + rsigner = load_cert(rsignfile, FORMAT_UNDEF, "responder certificate"); if (rsigner == NULL) { BIO_printf(bio_err, "Error loading responder certificate\n"); goto end; @@ -581,7 +581,7 @@ int ocsp_main(int argc, char **argv) BIO_printf(bio_err, "Error getting password\n"); goto end; } - rkey = load_key(rkeyfile, FORMAT_PEM, 0, passin, NULL, + rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL, "responder private key"); if (rkey == NULL) goto end; @@ -661,7 +661,7 @@ redo_accept: if (signfile != NULL) { if (keyfile == NULL) keyfile = signfile; - signer = load_cert(signfile, "signer certificate"); + signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate"); if (signer == NULL) { BIO_printf(bio_err, "Error loading signer certificate\n"); goto end; @@ -671,7 +671,7 @@ redo_accept: "signer certificates")) goto end; } - key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL, + key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL, "signer private key"); if (key == NULL) goto end; diff --git a/apps/pkcs8.c b/apps/pkcs8.c index d7cb2d6672..6b09b909eb 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -83,7 +83,7 @@ int pkcs8_main(int argc, char **argv) char *passin = NULL, *passout = NULL, *p8pass = NULL; OPTION_CHOICE o; int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1; int private = 0, traditional = 0; #ifndef OPENSSL_NO_SCRYPT long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0; 
@@ -214,7 +214,8 @@ int pkcs8_main(int argc, char **argv) if ((pbe_nid == -1) && cipher == NULL) cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); - in = bio_open_default(infile, 'r', informat); + in = bio_open_default(infile, 'r', + informat == FORMAT_UNDEF ? FORMAT_PEM : informat); if (in == NULL) goto end; out = bio_open_owner(outfile, outformat, private); @@ -298,7 +299,7 @@ int pkcs8_main(int argc, char **argv) } if (nocrypt) { - if (informat == FORMAT_PEM) { + if (informat == FORMAT_PEM || informat == FORMAT_UNDEF) { p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL); } else if (informat == FORMAT_ASN1) { p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL); @@ -307,7 +308,7 @@ int pkcs8_main(int argc, char **argv) goto end; } } else { - if (informat == FORMAT_PEM) { + if (informat == FORMAT_PEM || informat == FORMAT_UNDEF) { p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL); } else if (informat == FORMAT_ASN1) { p8 = d2i_PKCS8_bio(in, NULL); diff --git a/apps/pkey.c b/apps/pkey.c index d7e32b6e58..ddc3414d0c 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -75,7 +75,7 @@ int pkey_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL; char *passinarg = NULL, *passoutarg = NULL, *ciphername = NULL, *prog; OPTION_CHOICE o; - int informat = FORMAT_PEM, outformat = FORMAT_PEM; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM; int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1; int private = 0, traditional = 0, check = 0, pub_check = 0; #ifndef OPENSSL_NO_EC diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 3a26ec5ca7..0424e556c1 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c 
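Review bot: In pkcs8_main the three changed sites map `FORMAT_UNDEF` to PEM (`bio_open_default(..., informat == FORMAT_UNDEF ? FORMAT_PEM : informat)` and `informat == FORMAT_PEM || informat == FORMAT_UNDEF`), so with no `-inform` the command still assumes PEM and a DER input fails, although the CHANGES.md entry in this commit says commands that read keys now detect PEM or DER automatically. openssl-pkcs8.pod.in is not in the diffstat, so the exception is undocumented; either a comment at the first site, e.g. `/* pkcs8 reads via PEM/d2i directly, not OSSL_STORE: no auto-detection, PEM is the default */`, or a note in the man page would keep the behaviour and the changelog consistent. pkcs8_main continues outside these hunks.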
@@ -111,7 +111,8 @@ int pkeyutl_main(int argc, char **argv) char hexdump = 0, asn1parse = 0, rev = 0, *prog; unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; OPTION_CHOICE o; - int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform = FORMAT_PEM; + int buf_inlen = 0, siglen = -1; + int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF; int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; int engine_impl = 0; int ret = 1, rv = -1; @@ -555,7 +556,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, break; case KEY_CERT: - x = load_cert(keyfile, "Certificate"); + x = load_cert(keyfile, keyform, "Certificate"); if (x) { pkey = X509_get_pubkey(x); X509_free(x); diff --git a/apps/req.c b/apps/req.c index 6817a8bd54..d41b992e6d 100644 --- a/apps/req.c +++ b/apps/req.c @@ -256,7 +256,7 @@ int req_main(int argc, char **argv) int days = UNSET_DAYS; int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0; int pkey_type = -1; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF; int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0; int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; long newkey_len = -1; @@ -762,7 +762,7 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "Ignoring -CAkey option since no -CA option is given\n"); } else { - if ((CAkey = load_key(CAkeyfile, FORMAT_PEM, + if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF, 0, passin, e, "issuer private key")) == NULL) goto end; } @@ -777,7 +777,7 @@ int req_main(int argc, char **argv) "Need to give the -CAkey option if using -CA\n"); goto end; } - if ((CAcert = load_cert_pass(CAfile, 1, passin, + if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin, "issuer certificate")) == NULL) goto end; if (!X509_check_private_key(CAcert, CAkey)) { diff --git a/apps/rsa.c b/apps/rsa.c index 0ff6cf3266..83fd8350df 100644 --- a/apps/rsa.c 
+++ b/apps/rsa.c @@ -96,7 +96,7 @@ int rsa_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; int private = 0; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, check = 0; int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1; int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH; OPTION_CHOICE o; @@ -204,7 +204,7 @@ int rsa_main(int argc, char **argv) } if (pubin) { - int tmpformat = -1; + int tmpformat = FORMAT_UNDEF; if (pubin == 2) { if (informat == FORMAT_PEM) diff --git a/apps/rsautl.c b/apps/rsautl.c index a8911ff206..c2bc1af89b 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -81,7 +81,7 @@ int rsautl_main(int argc, char **argv) char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING; size_t rsa_inlen, rsa_outlen = 0; - int keyformat = FORMAT_PEM, keysize, ret = 1, rv; + int keyformat = FORMAT_UNDEF, keysize, ret = 1, rv; int hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0; OPTION_CHOICE o; @@ -196,7 +196,7 @@ int rsautl_main(int argc, char **argv) break; case KEY_CERT: - x = load_cert(keyfile, "Certificate"); + x = load_cert(keyfile, FORMAT_UNDEF, "Certificate"); if (x) { pkey = X509_get_pubkey(x); X509_free(x); diff --git a/apps/s_client.c b/apps/s_client.c index 3c62739698..1aa7a3b7de 100644 --- a/apps/s_client.c +++ b/apps/s_client.c 
@@ -815,15 +815,15 @@ int s_client_main(int argc, char **argv) struct timeval timeout, *timeoutp; fd_set readfds, writefds; int noCApath = 0, noCAfile = 0, noCAstore = 0; - int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM; - int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0; + int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_UNDEF; + int key_format = FORMAT_UNDEF, crlf = 0, full_log = 1, mbuf_len = 0; int prexit = 0; int sdebug = 0; int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0; int ret = 1, in_init = 1, i, nbio_test = 0, sock = -1, k, width, state = 0; int sbuf_len, sbuf_off, cmdletters = 1; int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0; - int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0; + int starttls_proto = PROTO_OFF, crl_format = FORMAT_UNDEF, crl_download = 0; int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) int at_eof = 0; @@ -1620,7 +1620,8 @@ int s_client_main(int argc, char **argv) } if (cert_file != NULL) { - cert = load_cert_pass(cert_file, 1, pass, "client certificate"); + cert = load_cert_pass(cert_file, cert_format, 1, pass, + "client certificate"); if (cert == NULL) goto end; } @@ -1632,7 +1633,7 @@ int s_client_main(int argc, char **argv) if (crl_file != NULL) { X509_CRL *crl; - crl = load_crl(crl_file, 0, "CRL"); + crl = load_crl(crl_file, crl_format, 0, "CRL"); if (crl == NULL) goto end; crls = sk_X509_CRL_new_null(); diff --git a/apps/s_server.c b/apps/s_server.c index 6adee7ec6d..5d9e8cd568 100644 --- a/apps/s_server.c +++ b/apps/s_server.c 
@@ -978,11 +978,11 @@ int s_server_main(int argc, char *argv[]) int no_dhe = 0; int nocert = 0, ret = 1; int noCApath = 0, noCAfile = 0, noCAstore = 0; - int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; - int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; + int s_cert_format = FORMAT_UNDEF, s_key_format = FORMAT_UNDEF; + int s_dcert_format = FORMAT_UNDEF, s_dkey_format = FORMAT_UNDEF; int rev = 0, naccept = -1, sdebug = 0; int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0; - int state = 0, crl_format = FORMAT_PEM, crl_download = 0; + int state = 0, crl_format = FORMAT_UNDEF, crl_download = 0; char *host = NULL; char *port = OPENSSL_strdup(PORT); unsigned char *context = NULL; @@ -1688,7 +1688,8 @@ int s_server_main(int argc, char *argv[]) if (s_key == NULL) goto end; - s_cert = load_cert_pass(s_cert_file, 1, pass, "server certificate"); + s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass, + "server certificate"); if (s_cert == NULL) goto end; @@ -1704,7 +1705,7 @@ int s_server_main(int argc, char *argv[]) if (s_key2 == NULL) goto end; - s_cert2 = load_cert_pass(s_cert_file2, 1, pass, + s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass, "second server certificate"); if (s_cert2 == NULL) @@ -1727,7 +1728,7 @@ int s_server_main(int argc, char *argv[]) if (crl_file != NULL) { X509_CRL *crl; - crl = load_crl(crl_file, 0, "CRL"); + crl = load_crl(crl_file, crl_format, 0, "CRL"); if (crl == NULL) goto end; crls = sk_X509_CRL_new_null(); @@ -1749,7 +1750,7 @@ int s_server_main(int argc, char *argv[]) if (s_dkey == NULL) goto end; - s_dcert = load_cert_pass(s_dcert_file, 1, dpass, + s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass, "second server certificate"); if (s_dcert == NULL) { 
@@ -1975,9 +1976,9 @@ int s_server_main(int argc, char *argv[]) EVP_PKEY *dhpkey = NULL; if (dhfile != NULL) - dhpkey = load_keyparams(dhfile, 0, "DH", "DH parameters"); + dhpkey = load_keyparams(dhfile, FORMAT_UNDEF, 0, "DH", "DH parameters"); else if (s_cert_file != NULL) - dhpkey = load_keyparams(s_cert_file, 0, "DH", "DH parameters"); + dhpkey = load_keyparams(s_cert_file, FORMAT_UNDEF, 0, "DH", "DH parameters"); if (dhpkey != NULL) { BIO_printf(bio_s_out, "Setting temp DH parameters\n"); @@ -2009,7 +2010,8 @@ int s_server_main(int argc, char *argv[]) if (ctx2 != NULL) { if (dhfile != NULL) { - EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, 0, "DH", + EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, FORMAT_UNDEF, + 0, "DH", "DH parameters"); if (dhpkey2 != NULL) { diff --git a/apps/smime.c b/apps/smime.c index 011dc99c4b..ea71121fb4 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -151,7 +151,7 @@ int smime_main(int argc, char **argv) int noCApath = 0, noCAfile = 0, noCAstore = 0; int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = - FORMAT_PEM; + FORMAT_UNDEF; int vpmtouched = 0, rv = 0; ENGINE *e = NULL; const char *mime_eol = "\n"; @@ -449,7 +449,8 @@ int smime_main(int argc, char **argv) if (encerts == NULL) goto end; while (*argv != NULL) { - cert = load_cert(*argv, "recipient certificate file"); + cert = load_cert(*argv, FORMAT_UNDEF, + "recipient certificate file"); if (cert == NULL) goto end; sk_X509_push(encerts, cert); @@ -466,7 +467,7 @@ int smime_main(int argc, char **argv) } if (recipfile != NULL && (operation == SMIME_DECRYPT)) { - if ((recip = load_cert(recipfile, + if ((recip = load_cert(recipfile, FORMAT_UNDEF, "recipient certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; 
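Review bot: `load_keyparams(s_cert_file, FORMAT_UNDEF, 0, "DH", "DH parameters")` hard-codes `FORMAT_UNDEF` for the same file that the `@@ -1688` hunk loads with `s_cert_format`, so a `-certform` given by the user is enforced for the certificate but not for the DH parameters read from that file; `load_keyparams(s_cert_file, s_cert_format, 0, "DH", "DH parameters")` would keep the two consistent, assuming `s_cert_format` is limited to values `load_keyparams()` accepts. The `ctx2` branch tests `dhfile != NULL` but then reads `s_cert_file2`, which looks like a pre-existing mismatch rather than something this commit introduced; worth confirming whether `dhfile` was meant there. s_server_main's body continues outside the hunk.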
@@ -573,7 +574,7 @@ int smime_main(int argc, char **argv) for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(signerfile, "signer certificate"); + signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate"); if (signer == NULL) goto end; key = load_key(keyfile, keyform, 0, passin, e, "signing key"); diff --git a/apps/spkac.c b/apps/spkac.c index 9c12504b90..adc6f7372c 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -67,7 +67,7 @@ int spkac_main(int argc, char **argv) char *spkstr = NULL, *prog; const char *spkac = "SPKAC", *spksect = "default"; int i, ret = 1, verify = 0, noout = 0, pubkey = 0; - int keyformat = FORMAT_PEM; + int keyformat = FORMAT_UNDEF; OPTION_CHOICE o; prog = opt_init(argc, argv, spkac_options); diff --git a/apps/storeutl.c b/apps/storeutl.c index 3e7ab32b7a..1368caae92 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -358,7 +358,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata, int ret = 1, items = 0; if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, app_get0_propq(), uimeth, uidata, - NULL, NULL)) + NULL, NULL, NULL)) == NULL) { BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri); ERR_print_errors(bio_err); diff --git a/apps/verify.c b/apps/verify.c index d66f137258..acf80c65c4 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -253,7 +253,7 @@ static int check(X509_STORE *ctx, const char *file, STACK_OF(X509) *chain = NULL; int num_untrusted; - x = load_cert(file, "certificate file"); + x = load_cert(file, FORMAT_UNDEF, "certificate file"); if (x == NULL) goto end; diff --git a/apps/x509.c b/apps/x509.c index a9c5d41096..9632d72260 100644 --- a/apps/x509.c +++ b/apps/x509.c 
@@ -266,9 +266,9 @@ int x509_main(int argc, char **argv) char *prog; int days = UNSET_DAYS; /* not explicitly set */ int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0; - int CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; + int CAformat = FORMAT_UNDEF, CAkeyformat = FORMAT_UNDEF; int fingerprint = 0, reqfile = 0, checkend = 0; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF; int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; int noout = 0, CA_createserial = 0, email = 0; int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; @@ -719,7 +719,7 @@ int x509_main(int argc, char **argv) } } } else { - x = load_cert_pass(infile, 1, passin, "certificate"); + x = load_cert_pass(infile, informat, 1, passin, "certificate"); if (x == NULL) goto end; } @@ -734,7 +734,7 @@ int x509_main(int argc, char **argv) goto end; if (CAfile != NULL) { - xca = load_cert_pass(CAfile, 1, passin, "CA certificate"); + xca = load_cert_pass(CAfile, CAformat, 1, passin, "CA certificate"); if (xca == NULL) goto end; } diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index e5b740f214..3faca8d0ec 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -55,7 +55,7 @@ static EVP_PKEY *pem_read_bio_key(BIO *bp, EVP_PKEY **x, return NULL; if ((ctx = OSSL_STORE_attach(bp, "file", libctx, propq, ui_method, u, - NULL, NULL)) == NULL) + NULL, NULL, NULL)) == NULL) goto err; #ifndef OPENSSL_NO_SECURE_HEAP # ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index e7f5860604..158b7be79d 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c 
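Review bot: the `-CAform` text added to openssl-x509.pod.in in this commit (its `@@ -468,8 +467,8` hunk) reads `unspecifed by default`, a typo for `unspecified`. `informat` is now passed to `load_cert_pass()` on the certificate path, but whether the branch above it (presumably the `-req`/CSR path) honours `informat` too is not visible in the hunk; if that path still uses a fixed format, `-inform` would be enforced for one input kind and not the other, and the pod's generalised wording "The input file format" would overstate it. x509_main's body continues outside the hunk.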
@@ -32,9 +32,37 @@ static int ossl_store_close_it(OSSL_STORE_CTX *ctx); +static int loader_set_params(OSSL_STORE_LOADER *loader, + OSSL_STORE_LOADER_CTX *loader_ctx, + const OSSL_PARAM params[], const char *propq) +{ + if (params != NULL) { + if (!loader->p_set_ctx_params(loader_ctx, params)) + return 0; + } + + if (propq != NULL) { + OSSL_PARAM propp[2]; + + if (OSSL_PARAM_locate_const(params, + OSSL_STORE_PARAM_PROPERTIES) != NULL) + /* use the propq from params */ + return 1; + + propp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_PROPERTIES, + (char *)propq, 0); + propp[1] = OSSL_PARAM_construct_end(); + + if (!loader->p_set_ctx_params(loader_ctx, propp)) + return 0; + } + return 1; +} + OSSL_STORE_CTX * OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data) { @@ -103,18 +131,11 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, if (loader_ctx == NULL) { OSSL_STORE_LOADER_free(fetched_loader); fetched_loader = NULL; - } else if (propq != NULL) { - OSSL_PARAM params[2]; - - params[0] = OSSL_PARAM_construct_utf8_string( - OSSL_STORE_PARAM_PROPERTIES, (char *)propq, 0); - params[1] = OSSL_PARAM_construct_end(); - - if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) { - (void)fetched_loader->p_close(loader_ctx); - OSSL_STORE_LOADER_free(fetched_loader); - fetched_loader = NULL; - } + } else if(!loader_set_params(fetched_loader, loader_ctx, + params, propq)) { + (void)fetched_loader->p_close(loader_ctx); + OSSL_STORE_LOADER_free(fetched_loader); + fetched_loader = NULL; } loader = fetched_loader; } 
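Review bot: `loader_set_params()` gives a `properties` entry in `params` precedence over the `propq` argument, and when `params` is NULL it relies on `OSSL_PARAM_locate_const()` returning NULL for a NULL array; neither is stated, so a header comment such as `/* Apply params, then propq unless params already carries OSSL_STORE_PARAM_PROPERTIES, which takes precedence. */` would help the next reader. The call site `} else if(!loader_set_params(` lacks the space after `if` that the otherwise identical call in `OSSL_STORE_attach()` has; `} else if (!loader_set_params(` matches the surrounding style. OSSL_STORE_open_ex's body continues outside the hunk.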
@@ -187,8 +208,8 @@ OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, OSSL_STORE_post_process_info_fn post_process, void *post_process_data) { - return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, post_process, - post_process_data); + return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, NULL, + post_process, post_process_data); } #ifndef OPENSSL_NO_DEPRECATED_3_0 @@ -927,6 +948,7 @@ const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH *criterion) OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data) { @@ -957,19 +979,11 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme, || (loader_ctx = fetched_loader->p_attach(provctx, cbio)) == NULL) { OSSL_STORE_LOADER_free(fetched_loader); fetched_loader = NULL; - } else if (propq != NULL) { - OSSL_PARAM params[] = { - OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, - NULL, 0), - OSSL_PARAM_END - }; - - params[0].data = (void *)propq; - if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) { - (void)fetched_loader->p_close(loader_ctx); - OSSL_STORE_LOADER_free(fetched_loader); - fetched_loader = NULL; - } + } else if (!loader_set_params(fetched_loader, loader_ctx, + params, propq)) { + (void)fetched_loader->p_close(loader_ctx); + OSSL_STORE_LOADER_free(fetched_loader); + fetched_loader = NULL; } loader = fetched_loader; ossl_core_bio_free(cbio); diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c index caccf38412..b9feb038b8 100644 --- a/crypto/x509/by_store.c +++ b/crypto/x509/by_store.c 
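Review bot: inserting `params` into the public `OSSL_STORE_open_ex()` and `OSSL_STORE_attach()` prototypes is an API and ABI break for anything built against the earlier 3.0 pre-release headers; every in-tree caller is updated here (pem_pkey.c, by_store.c, storeutl.c), which is presumably acceptable before 3.0.0 ships but deserves a sentence in the commit message. OSSL_STORE_attach.pod only updates the synopsis, and neither pod says that an `OSSL_STORE_PARAM_PROPERTIES` entry in `params` overrides `propq`, which is what `loader_set_params()` implements; a sentence such as `If I<params> contains B<OSSL_STORE_PARAM_PROPERTIES>, it takes precedence over I<propq>.` in both pages would close that gap. OSSL_STORE_attach's body continues outside the hunk.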
@@ -21,7 +21,8 @@ static int cache_objects(X509_LOOKUP *lctx, const char *uri, OSSL_STORE_CTX *ctx = NULL; X509_STORE *xstore = X509_LOOKUP_get_store(lctx); - if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL, NULL)) == NULL) + if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL, + NULL, NULL)) == NULL) return 0; /* diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 4e702f98c3..3e2708ae04 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -114,8 +114,9 @@ signed by the CA. =item B<-inform> B<DER>|B<PEM> -The format of the data in certificate request input files. -The default is PEM. +The format of the data in certificate request input files; +unspecified by default. +See L<openssl-format-options(1)> for details. =item B<-ss_cert> I<filename> @@ -150,8 +151,8 @@ The CA certificate, which must match with B<-keyfile>. =item B<-certform> B<DER>|B<PEM>|B<P12> -The format of the data in certificate input files. -This option has no effect and is retained for backward compatibility only. +The format of the data in certificate input files; unspecified by default. +See L<openssl-format-options(1)> for details. =item B<-keyfile> I<filename>|I<uri> @@ -160,8 +161,7 @@ This must match with B<-cert>. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The format of the private key input file; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The format of the private key input file; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-sigopt> I<nm>:I<v> 
@@ -818,11 +818,8 @@ retained mainly for compatibility reasons. The B<-section> option was added in OpenSSL 3.0.0. -The B<-certform> and B<-multivalue-rdn> options -have become obsolete in OpenSSL 3.0.0 and have no effect. - -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. +The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and +has no effect. The B<-engine> option was deprecated in OpenSSL 3.0. diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index f27443ca9c..28ea4ee6a5 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -732,8 +732,7 @@ Default value is PEM. =item B<-keyform> I<PEM|DER|P12|ENGINE> -The format of the key input. -The only value with effect is B<ENGINE>. +The format of the key input; unspecified by default. See L<openssl(1)/Format Options> for details. =item B<-otherpass> I<arg> diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 51aff981a5..0ec906cbc1 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -241,8 +241,7 @@ See L<openssl-format-options(1)> for details. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The format of the private key file; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The format of the private key file; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-rctform> B<DER>|B<PEM>|B<SMIME> @@ -786,9 +785,6 @@ was added in OpenSSL 1.0.2. The -no_alt_chains option was added in OpenSSL 1.0.2b. -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. - The B<-nameopt> option was added in OpenSSL 3.0.0. The B<-engine> option was deprecated in OpenSSL 3.0. diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in index ccba7938a2..d00b80c862 100644 --- a/doc/man1/openssl-crl.pod.in +++ b/doc/man1/openssl-crl.pod.in 
@@ -47,8 +47,8 @@ Print out a usage message. =item B<-inform> B<DER>|B<PEM> -The CRL input format. -This option has no effect and is retained for backward compatibility only. +The CRL input format; unspecified by default. +See L<openssl-format-options(1)> for details. =item B<-outform> B<DER>|B<PEM> @@ -61,8 +61,8 @@ The private key to be used to sign the CRL. =item B<-keyform> B<DER>|B<PEM>|B<P12> -The format of the private key file. -This option has no effect and is retained for backward compatibility only. +The format of the private key file; unspecified by default. +See L<openssl-format-options(1)> for details. =item B<-in> I<filename> @@ -156,11 +156,6 @@ L<openssl-ca(1)>, L<openssl-x509(1)>, L<ossl_store-file(7)> -=head1 HISTORY - -The B<-inform> and B<-keyform> options have become obsolete in OpenSSL 3.0.0 -and have no effect. - =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index 4b0653912d..f493e83b41 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -108,8 +108,7 @@ command instead for this. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The format of the key to sign with; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The format of the key to sign with; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-sigopt> I<nm>:I<v> @@ -256,9 +255,6 @@ L<openssl-mac(1)> The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0. The FIPS-related options were removed in OpenSSL 1.1.0. -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. - The B<-engine> and B<-engine_impl> options were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-dsa.pod.in b/doc/man1/openssl-dsa.pod.in index 61f4b1f74b..116121caf2 100644 --- a/doc/man1/openssl-dsa.pod.in 
+++ b/doc/man1/openssl-dsa.pod.in @@ -55,9 +55,14 @@ applications should use the more secure PKCS#8 format using the B<pkcs8> Print out a usage message. -=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> +=item B<-inform> B<DER>|B<PEM> -The input and formats; the default is B<PEM>. +The key input format; unspecified by default. +See L<openssl-format-options(1)> for details. + +=item B<-outform> B<DER>|B<PEM> + +The key output format; the default is B<PEM>. See L<openssl-format-options(1)> for details. Private keys are a sequence of B<ASN.1 INTEGERS>: the version (zero), B<p>, diff --git a/doc/man1/openssl-dsaparam.pod.in b/doc/man1/openssl-dsaparam.pod.in index 96c429cf94..6437707429 100644 --- a/doc/man1/openssl-dsaparam.pod.in +++ b/doc/man1/openssl-dsaparam.pod.in @@ -36,9 +36,14 @@ DSA parameters is often used to generate several distinct keys. Print out a usage message. -=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> +=item B<-inform> B<DER>|B<PEM> -This option has become obsolete. +The DSA parameters input format; unspecified by default. +See L<openssl-format-options(1)> for details. + +=item B<-outform> B<DER>|B<PEM> + +The DSA parameters output format; the default is B<PEM>. See L<openssl-format-options(1)> for details. Parameters are a sequence of B<ASN.1 INTEGER>s: B<p>, B<q>, and B<g>. diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index 06c225f11c..b3aabcb41a 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in 
@@ -53,13 +53,12 @@ Print out a usage message. =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key input format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key input format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-outform> B<DER>|B<PEM> -The key output formats; the default is B<PEM>. +The key output format; the default is B<PEM>. See L<openssl-format-options(1)> for details. Private keys are an SEC1 private key or PKCS#8 format. diff --git a/doc/man1/openssl-ecparam.pod.in b/doc/man1/openssl-ecparam.pod.in index ee5c021819..dd8f0f2c24 100644 --- a/doc/man1/openssl-ecparam.pod.in +++ b/doc/man1/openssl-ecparam.pod.in @@ -43,9 +43,14 @@ this command can only create EC parameters from known (named) curves. Print out a usage message. -=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> +=item B<-inform> B<DER>|B<PEM> -The input and formats; the default is B<PEM>. +The EC parameters input format; unspecified by default. +See L<openssl-format-options(1)> for details. + +=item B<-outform> B<DER>|B<PEM> + +The EC parameters output format; the default is B<PEM>. See L<openssl-format-options(1)> for details. Parameters are encoded as B<EcpkParameters> as specified in IETF RFC 3279. diff --git a/doc/man1/openssl-format-options.pod b/doc/man1/openssl-format-options.pod index 20b62f9b15..91058831cd 100644 --- a/doc/man1/openssl-format-options.pod +++ b/doc/man1/openssl-format-options.pod 
@@ -15,9 +15,13 @@ I<command> Several OpenSSL commands can take input or generate output in a variety of formats. + Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from -files in any of the B<DER>, B<PEM> or B<P12> formats, -while specifying their input format is no more needed. +files in any of the B<DER>, B<PEM> or B<P12> formats. Specifying their input +format is no more needed and the openssl commands will automatically try all +the possible formats. However if the B<DER> or B<PEM> input format is specified +it will be enforced. + In order to access a key via an engine the input format B<ENGINE> may be used; alternatively the key identifier in the <uri> argument of the respective key option may be preceded by C<org.openssl.engine:>. @@ -39,8 +43,6 @@ The format of the input or output streams. =item B<-keyform> I<format> Format of a private key input source. -The only value with effect is B<ENGINE>; all others have become obsolete. -See L<openssl(1)/Format Options> for details. =item B<-CRLform> I<format> diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index 004be5c132..d297b19638 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in @@ -78,8 +78,7 @@ a pass phrase will be prompted for. =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key input format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key input format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-passin> I<arg> diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index 26b9ed1e42..b57640992c 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in 
@@ -91,8 +91,7 @@ The input key, by default it should be a private key. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-passin> I<arg> @@ -106,8 +105,7 @@ The peer key file, used by key derivation (agreement) operations. =item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The peer key format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The peer key format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-pubin> @@ -410,9 +408,6 @@ L<EVP_PKEY_CTX_set_tls1_prf_md(3)>, =head1 HISTORY -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. - The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index a877140cdc..32ae4b2e32 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -74,7 +74,7 @@ Print out a usage message. =item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> -The input and output formats; the default is B<PEM>. +The input and output formats; unspecified by default. See L<openssl-format-options(1)> for details. The data is a PKCS#10 object. @@ -197,8 +197,7 @@ It also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The format of the private key; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The format of the private key; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-keyout> I<filename> 
@@ -737,8 +736,8 @@ L<x509v3_config(5)> The B<-section> option was added in OpenSSL 3.0.0. -All B<-keyform> values except B<ENGINE> and the B<-multivalue-rdn> option -have become obsolete in OpenSSL 3.0.0 and have no effect. +The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and +has no effect. The B<-engine> option was deprecated in OpenSSL 3.0. The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead. diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in index 1d98caabb6..503b31a6d6 100644 --- a/doc/man1/openssl-rsa.pod.in +++ b/doc/man1/openssl-rsa.pod.in @@ -60,8 +60,7 @@ Print out a usage message. =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key input format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key input format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-outform> B<DER>|B<PEM> diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in index 62c39eb69e..a16c0bda15 100644 --- a/doc/man1/openssl-rsautl.pod.in +++ b/doc/man1/openssl-rsautl.pod.in @@ -73,8 +73,7 @@ The input key, by default it should be an RSA private key. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-pubin> @@ -231,9 +230,6 @@ L<openssl-genrsa(1)> This command was deprecated in OpenSSL 3.0. -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. - The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index e11df7a9ae..33e8f313b6 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in 
@@ -243,8 +243,8 @@ The chain for the client certificate may be specified using B<-cert_chain>. =item B<-certform> B<DER>|B<PEM>|B<P12> -The client certificate file format to use; the default is B<PEM>. -This option has no effect and is retained for backward compatibility only. +The client certificate file format to use; unspecified by default. +See L<openssl-format-options(1)> for details. =item B<-cert_chain> @@ -263,7 +263,7 @@ CRL file to use to check the server's certificate. =item B<-CRLform> B<DER>|B<PEM> -The CRL file format; the default is B<PEM>. +The CRL file format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-crl_download> @@ -277,8 +277,7 @@ If not specified then the certificate file will be used to read also the key. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-pass> I<arg> @@ -912,9 +911,6 @@ The B<-name> option was added in OpenSSL 1.1.1. The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect. -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. - The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index fa4190a869..f07e2ae3b4 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -225,8 +225,8 @@ The certificate file to use for servername; default is C<server2.pem>. =item B<-certform> B<DER>|B<PEM>|B<P12> -The server certificate file format. -This option has no effect and is retained for backward compatibility only. +The server certificate file format; unspecified by default. +See L<openssl-format-options(1)> for details. =item B<-cert_chain> 
@@ -258,8 +258,7 @@ The private Key file to use for servername if not given via B<-cert2>. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-pass> I<val> @@ -288,14 +287,13 @@ The input can be in PEM, DER, or PKCS#12 format. =item B<-dcertform> B<DER>|B<PEM>|B<P12> -The format of the additional certificate file. -This option has no effect and is retained for backward compatibility only. +The format of the additional certificate file; unspecified by default. +See L<openssl-format-options(1)> for details. =item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The format of the additional private key; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. -See L<openssl-format-options(1)>. +The format of the additional private key; unspecified by default. +See L<openssl-format-options(1)> for details. =item B<-dpass> I<val> @@ -333,7 +331,7 @@ The CRL file to use. =item B<-CRLform> B<DER>|B<PEM> -The CRL file format; the default is B<PEM>. +The CRL file format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-crl_download> @@ -844,12 +842,6 @@ The -no_alt_chains option was added in OpenSSL 1.1.0. The -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1. -All B<-keyform> and B<-dkeyform> values except B<ENGINE> -have become obsolete in OpenSSL 3.0.0 and have no effect. - -The B<-certform> and B<-dcertform> options have become obsolete in OpenSSL 3.0.0 -and have no effect. - The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index 3c5859dc01..2fcf7020fe 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in 
@@ -127,8 +127,7 @@ See L<openssl-format-options(1)> for details. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-stream>, B<-indef>, B<-noindef> @@ -481,9 +480,6 @@ added in OpenSSL 1.0.0 The -no_alt_chains option was added in OpenSSL 1.1.0. -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. - The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in index f0ddd5179d..3de862e035 100644 --- a/doc/man1/openssl-spkac.pod.in +++ b/doc/man1/openssl-spkac.pod.in @@ -60,8 +60,7 @@ present. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-passin> I<arg> @@ -150,9 +149,6 @@ L<openssl-ca(1)> =head1 HISTORY -All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 -and have no effect. - The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 7f42d45cf7..0dcad3fd9b 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -154,7 +154,7 @@ The B<-ext> option can be used to further restrict which extensions to copy. =item B<-inform> B<DER>|B<PEM> -The CSR input file format; the default is B<PEM>. +The input file format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-vfyopt> I<nm>:I<v> 
@@ -181,8 +181,7 @@ This option is an alias of B<-key>. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The key input format; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The key input format; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-out> I<filename> @@ -468,8 +467,8 @@ unless the B<-new> option is given, which generates a certificate from scratch. =item B<-CAform> B<DER>|B<PEM>|B<P12>, -The format for the CA certificate. -This option has no effect and is retained for backward compatibility. +The format for the CA certificate; unspecifed by default. +See L<openssl-format-options(1)> for details. =item B<-CAkey> I<filename>|I<uri> @@ -479,8 +478,7 @@ If this option is not provided then the key must be present in the B<-CA> input. =item B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> -The format for the CA key; the default is B<PEM>. -The only value with effect is B<ENGINE>; all others have become obsolete. +The format for the CA key; unspecified by default. See L<openssl-format-options(1)> for details. =item B<-CAserial> I<filename> @@ -879,11 +877,6 @@ form must have their links rebuilt using L<openssl-rehash(1)> or similar. The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0, keeping the old name as an alias. -All B<-keyform> and B<-CAkeyform> values except B<ENGINE> -have become obsolete in OpenSSL 3.0.0 and have no effect. - -The B<-CAform> option has become obsolete in OpenSSL 3.0.0 and has no effect. - The B<-engine> option was deprecated in OpenSSL 3.0. The B<-C> option was removed in OpenSSL 3.0. diff --git a/doc/man3/OSSL_STORE_attach.pod b/doc/man3/OSSL_STORE_attach.pod index 9ad53af81a..f272961bac 100644 --- a/doc/man3/OSSL_STORE_attach.pod +++ b/doc/man3/OSSL_STORE_attach.pod 
@@ -11,6 +11,7 @@ OSSL_STORE_attach - Functions to read objects from a BIO OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data); diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod index 3d6d03a990..39a795b0ef 100644 --- a/doc/man3/OSSL_STORE_open.pod +++ b/doc/man3/OSSL_STORE_open.pod @@ -24,6 +24,7 @@ OSSL_STORE_error, OSSL_STORE_close OSSL_STORE_CTX * OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data); @@ -68,6 +69,8 @@ B<OSSL_STORE_CTX> with all necessary internal information. The given I<ui_method> and I<ui_data> will be reused by all functions that use B<OSSL_STORE_CTX> when interaction is needed, for instance to provide a password. +The auxiliary B<OSSL_PARAM> parameters in I<params> can be set to further +modify the store operation. The given I<post_process> and I<post_process_data> will be reused by OSSL_STORE_load() to manipulate or drop the value to be returned. The I<post_process> function drops values by returning NULL, which @@ -76,7 +79,7 @@ the next object, until I<post_process> returns something other than NULL, or the end of data is reached as indicated by OSSL_STORE_eof(). OSSL_STORE_open() is similar to OSSL_STORE_open_ex() but uses NULL for -the library context I<libctx> and property query I<propq>. +the I<params>, the library context I<libctx> and property query I<propq>. OSSL_STORE_ctrl() takes a B<OSSL_STORE_CTX>, and command number I<cmd> and more arguments not specified here. diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod index 32f4e467ac..d34f0377ae 100644 --- a/doc/man7/provider-storemgmt.pod 
+++ b/doc/man7/provider-storemgmt.pod @@ -153,6 +153,16 @@ fingerprint, computed with the given digest. Indicates that the caller wants to search for an object with the given alias (some call it a "friendly name"). +=item "properties" (B<OSSL_STORE_PARAM_PROPERTIES) <utf8 string> + +Property string to use when querying for algorithms such as the B<OSSL_DECODER> +decoder implementations. + +=item "input-type" (B<OSSL_STORE_PARAM_INPUT_TYPE) <utf8 string> + +Type of the input format as a hint to use when decoding the objects in the +store. + =back Several of these search criteria may be combined. For example, to diff --git a/gost-engine b/gost-engine index 28a0a19354..1b684f3f90 160000 --- a/gost-engine +++ b/gost-engine @@ -1 +1 @@ -Subproject commit 28a0a193549a9b778a14fade0219b9daa0e7c5db +Subproject commit 1b684f3f906bc81154ca1d5af7d6bc60199f1f9c diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 708f79d480..02476560f0 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -545,6 +545,8 @@ extern "C" { /* You may want to pass properties for the provider implementation to use */ #define OSSL_STORE_PARAM_PROPERTIES "properties" /* utf8_string */ +/* OSSL_DECODER input type if a decoder is used by the store */ +#define OSSL_STORE_PARAM_INPUT_TYPE "input-type" /* UTF8_STRING */ # ifdef __cplusplus } diff --git a/include/openssl/store.h b/include/openssl/store.h index f0c20e56fe..d5703d5040 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -59,6 +59,7 @@ OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, void *ui_data, OSSL_STORE_CTX * OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data); 
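Review bot: The comment on the new define spells the type as `/* UTF8_STRING */` while the neighbouring `OSSL_STORE_PARAM_PROPERTIES` line in the same hunk uses `/* utf8_string */`; keeping the lower-case form reads consistently, `#define OSSL_STORE_PARAM_INPUT_TYPE "input-type" /* utf8_string */`. A short note on what callers may put there would also help, since the header is what most callers read: the commit message says the input type is enforced only by the file store, and the man page in this same commit describes the value as a decoding hint, so `/* OSSL_DECODER input type (e.g. the -inform value); only enforced by the file store */` would set expectations without sending readers to the pod.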
@@ -131,6 +132,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx); OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data); diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index a7ee231b15..fc8d6362df 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -452,7 +452,7 @@ a7f16a6480f5051d1197b992e042a73535d0922bdd3c962d2a96af780994e858 providers/impl 1cb6ec2efb7b2bb131622aa95e245273f5967065eb0018392ed4ced50d0813b7 providers/implementations/signature/mac_legacy.c 25fe1a61578d54c3e67b60646f3fd3d0a47ff1d4cd620ef1f1fca3341f2662a2 providers/implementations/signature/rsa.c c0a862433e5da909cf0c614d3f982765b67821c7a4cc6257ceb8c490b4dcf732 providers/implementations/signature/sm2sig.c -c63cb744c26af304cf00006071d3ebd9325a4d65913b75a2bcb1d2e104c734fd providers/implementations/storemgmt/file_store.c +e2750b310565e74617310566c1ccfbd75559521117fd8936540fff54dd304902 providers/implementations/storemgmt/file_store.c 291288936fe321e3e85048366f790f6b7983561cd8f80eec4c0e01d7c43614ab providers/implementations/storemgmt/file_store_der2obj.c 04ea01e48b8fee822acb376ab8679b4c627b32ab75c137bf23ebb4fe2a1c0703 providers/prov_running.c 53a1e913fcc4a4e8e84009229cba60b9e29c7dc6536182fd290478331fad44b4 ssl/record/tls_pad.c diff --git a/providers/fips.checksum b/providers/fips.checksum index ff7a1c2c78..e28929484f 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -b998b19b940b606688e4711014407c48c3fca4c58b2fdc60ac64c1cef94861c1 providers/fips-sources.checksums +de031c8fbe10ee9b6447dd230956217e599cf923ff36a1026b515c2a22158b37 providers/fips-sources.checksums diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index 033efb40ac..b9bb3b36c0 100644 
--- a/providers/implementations/storemgmt/file_store.c
+++ b/providers/implementations/storemgmt/file_store.c
@@ -149,15 +149,11 @@ static OSSL_DECODER_CLEANUP file_load_cleanup;
 *
 */
 static struct file_ctx_st *file_open_stream(BIO *source, const char *uri,
- const char *input_type,
 void *provctx)
 {
 struct file_ctx_st *ctx;
- if ((ctx = new_file_ctx(IS_FILE, uri, provctx)) == NULL
- || (input_type != NULL
- && (ctx->_.file.input_type =
- OPENSSL_strdup(input_type)) == NULL)) {
+ if ((ctx = new_file_ctx(IS_FILE, uri, provctx)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 goto err;
 }
@@ -285,7 +281,7 @@ static void *file_open(void *provctx, const char *uri)
 if (S_ISDIR(st.st_mode))
 ctx = file_open_dir(path, uri, provctx);
 else if ((bio = BIO_new_file(path, "rb")) == NULL
- || (ctx = file_open_stream(bio, uri, NULL, provctx)) == NULL)
+ || (ctx = file_open_stream(bio, uri, provctx)) == NULL)
 BIO_free_all(bio);
 return ctx;
@@ -299,7 +295,7 @@ void *file_attach(void *provctx, OSSL_CORE_BIO *cin)
 if (new_bio == NULL)
 return NULL;
- ctx = file_open_stream(new_bio, NULL, NULL, provctx);
+ ctx = file_open_stream(new_bio, NULL, provctx);
 if (ctx == NULL)
 BIO_free(new_bio);
 return ctx;
@@ -316,6 +312,7 @@ static const OSSL_PARAM *file_settable_ctx_params(void *provctx)
 OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
 OSSL_PARAM_int(OSSL_STORE_PARAM_EXPECT, NULL),
 OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE, NULL, 0),
 OSSL_PARAM_END
 };
 return known_settable_ctx_params;
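Review bot: With the `input_type` parameter gone, `file_open_stream` now depends on `new_file_ctx` leaving `ctx->_.file.input_type` NULL until `file_set_ctx_params` fills it, and `new_file_ctx` is not visible in this hunk, so it is worth confirming it zero-initialises the file member. The block comment just above the function, cut off at the top of the hunk, presumably described the removed parameter and should be checked so it no longer mentions `input_type`. A one-line comment on the remaining allocation path would save the next reader a lookup: `/* propq and input_type are supplied later through file_set_ctx_params() */`. The body of file_open_stream continues past the end of the hunk.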
@@ -329,12 +326,22 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
 if (params == NULL)
 return 1;
- p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
- if (p != NULL) {
- OPENSSL_free(ctx->_.file.propq);
- ctx->_.file.propq = NULL;
- if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.propq, 0))
- return 0;
+ if (ctx->type != IS_DIR) {
+ /* these parameters are ignored for directories */
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
+ if (p != NULL) {
+ OPENSSL_free(ctx->_.file.propq);
+ ctx->_.file.propq = NULL;
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.propq, 0))
+ return 0;
+ }
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_INPUT_TYPE);
+ if (p != NULL) {
+ OPENSSL_free(ctx->_.file.input_type);
+ ctx->_.file.input_type = NULL;
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.input_type, 0))
+ return 0;
+ }
 }
 p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_EXPECT);
 if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->expected_type))
diff --git a/test/ossl_store_test.c b/test/ossl_store_test.c
index 7a5df01647..b9135cfcb3 100644
--- a/test/ossl_store_test.c
+++ b/test/ossl_store_test.c
@@ -47,7 +47,7 @@ static int test_store_open(void)
 && TEST_ptr(search = OSSL_STORE_SEARCH_by_alias("nothing"))
 && TEST_ptr(ui_method= UI_create_method("DummyUI"))
 && TEST_ptr(sctx = OSSL_STORE_open_ex(input, NULL, NULL, ui_method,
- NULL, NULL, NULL))
+ NULL, NULL, NULL, NULL))
 && TEST_false(OSSL_STORE_find(sctx, NULL))
 && TEST_true(OSSL_STORE_find(sctx, search));
 UI_destroy_method(ui_method);
@@ -75,7 +75,7 @@ static int get_params(const char *uri, const char *type)
 OSSL_STORE_INFO *info;
 int ret = 0;
- ctx = OSSL_STORE_open_ex(uri, NULL, NULL, NULL, NULL, NULL, NULL);
+ ctx = OSSL_STORE_open_ex(uri, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
 if (!TEST_ptr(ctx))
 goto err;
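Review bot: The new `if (ctx->type != IS_DIR)` guard makes `OSSL_STORE_PARAM_PROPERTIES` and `OSSL_STORE_PARAM_INPUT_TYPE` succeed silently on directory stores, so a caller asking for `-inform` enforcement against a directory gets neither enforcement nor any indication; that matches the commit message ("enforced only in case the file type file store is used"), but the comment should say so rather than just "ignored", e.g. `/* propq and input_type only exist for single-file stores; a directory store accepts and discards them without error */`. When `OSSL_PARAM_get_utf8_string` fails, the previous value has already been freed and NULLed, so a failed set clears the setting instead of leaving it unchanged, which is also worth a word in the same comment. That these two fields are file-only is inferred from the `ctx->_.file.` access path and the `IS_DIR` check, not from a declaration visible here.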
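Review bot: Every updated call site, here and in `get_params` and `test_store_attach_unregistered_scheme`, passes `NULL` for the new `params` argument, so the C-level test never exercises `OSSL_STORE_PARAM_INPUT_TYPE` and the only coverage of the enforcement is through the command-line recipes. A case that opens the same input with an `OSSL_PARAM` array built from `OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE, ...)` naming the wrong type, and checks that `OSSL_STORE_load` fails or yields no object, would pin the behaviour at the library level independently of the apps. The exact failure mode for a mismatched type is not visible on this page, so the assertion should be chosen after checking what `file_store.c` reports.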
@@ -157,7 +157,7 @@ static int test_store_attach_unregistered_scheme(void) && TEST_ptr(provider = OSSL_PROVIDER_load(libctx, "default")) && TEST_ptr(bio = BIO_new_file(input, "r")) && TEST_ptr(store_ctx = OSSL_STORE_attach(bio, "file", libctx, NULL, - NULL, NULL, NULL, NULL)) + NULL, NULL, NULL, NULL, NULL)) && TEST_int_ne(ERR_GET_LIB(ERR_peek_error()), ERR_LIB_OSSL_STORE) && TEST_int_ne(ERR_GET_REASON(ERR_peek_error()), OSSL_STORE_R_UNREGISTERED_SCHEME); diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t index 7f2ff029ba..5492baa551 100644 --- a/test/recipes/20-test_pkeyutl.t +++ b/test/recipes/20-test_pkeyutl.t @@ -80,7 +80,7 @@ sub tsignverify { my $sigfile = basename($privkey, '.pem') . '.sig'; my @args = (); - plan tests => 4; + plan tests => 5; @args = ('openssl', 'pkeyutl', '-sign', '-inkey', $privkey, @@ -90,6 +90,15 @@ sub tsignverify { ok(run(app([@args])), $testtext.": Generating signature"); + @args = ('openssl', 'pkeyutl', '-sign', + '-inkey', $privkey, + '-keyform', 'DER', + '-out', $sigfile, + '-in', $data_to_sign); + push(@args, @extraopts); + ok(!run(app([@args])), + $testtext.": Checking that mismatching keyform fails"); + @args = ('openssl', 'pkeyutl', '-verify', '-inkey', $privkey, '-sigfile', $sigfile, @@ -99,6 +108,7 @@ sub tsignverify { $testtext.": Verify signature with private key"); @args = ('openssl', 'pkeyutl', '-verify', + '-keyform', 'PEM', '-inkey', $pubkey, '-pubin', '-sigfile', $sigfile, '-in', $data_to_sign); diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t index 1d6200e6d4..c789da6aa6 100644 --- a/test/recipes/25-test_crl.t +++ b/test/recipes/25-test_crl.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_crl"); -plan tests => 9; +plan tests => 10; require_ok(srctop_file('test','recipes','tconversion.pl')); 
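Review bot: The new negative case in the `@@ -90,6 +90,15 @@` hunk reuses `-out $sigfile`, the file the preceding positive case just produced and that the verify steps below still read; if the app opened the output for writing before key loading fails on the mismatched `-keyform DER`, the real signature would be truncated and the later verifies would fail for the wrong reason. Writing to a throwaway name, `'-out', $sigfile . '.bad',`, removes that coupling. `ok(!run(...))` also only proves the command failed, not that the keyform mismatch was the cause, so a check on the error output for the format error would make the assertion specific. Whether the app opens the output before loading the key is not visible here, and tsignverify starts and ends outside the hunk.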
@@ -44,8 +44,10 @@ ok(compare1stline_stdin([qw{openssl crl -hash -noout}], '106cd822'), "crl piped input test"); -ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-out", $out, - "-nameopt", "utf8"]))); +ok(!run(app(["openssl", "crl", "-text", "-in", $pem, "-inform", "DER", + "-out", $out, "-nameopt", "utf8"]))); +ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-inform", "PEM", + "-out", $out, "-nameopt", "utf8"]))); is(cmp_text($out, srctop_file("test/certs", "cyrillic_crl.utf8")), 0, 'Comparing utf8 output'); diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index ab6c6e681b..30c1c43a7f 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -73,16 +73,24 @@ subtest "generating alt certificate requests with RSA" => sub { subtest "generating certificate requests with RSA" => sub { - plan tests => 2; + plan tests => 3; SKIP: { skip "RSA is not supported by this OpenSSL build", 2 if disabled("rsa"); + ok(!run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", "-out", "testreq-rsa.pem", "-utf8", + "-key", srctop_file("test", "testrsa.pem"), + "-keyform", "DER"])), + "Checking that mismatching keyform fails"); + ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), "-new", "-out", "testreq-rsa.pem", "-utf8", - "-key", srctop_file("test", "testrsa.pem")])), + "-key", srctop_file("test", "testrsa.pem"), + "-keyform", "PEM"])), "Generating request"); ok(run(app(["openssl", "req", diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t index ae934bf420..1324f754e9 100644 --- a/test/recipes/25-test_x509.t +++ b/test/recipes/25-test_x509.t @@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_x509"); -plan tests => 15; +plan tests => 18; require_ok(srctop_file("test", "recipes", "tconversion.pl")); 
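Review bot: In the 25-test_req.t hunk `plan tests => 3` is raised for the added check, but `skip "RSA is not supported by this OpenSSL build", 2` inside the `SKIP:` block still skips two, so on a build with RSA disabled Test::More sees two skipped results against a plan of three and fails the subtest; the skip count must follow the plan, `skip "RSA is not supported by this OpenSSL build", 3`. The new negative case writes `-out testreq-rsa.pem`, the same file the positive case below produces, which only works because the failing run precedes the successful one; a distinct output name would make the ordering irrelevant. The same plan/skip pairing is worth re-checking in the other subtests of this file that the hunk does not show.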
@@ -24,6 +24,8 @@ my @certs = qw(test certs); my $pem = srctop_file(@certs, "cyrillic.pem"); my $out_msb = "out-cyrillic.msb"; my $out_utf8 = "out-cyrillic.utf8"; +my $der = "cyrillic.der"; +my $der2 = "cyrillic.der"; my $msb = srctop_file(@certs, "cyrillic.msb"); my $utf = srctop_file(@certs, "cyrillic.utf8"); @@ -36,7 +38,7 @@ ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8, is(cmp_text($out_utf8, $utf), 0, 'Comparing utf8 output with cyrillic.utf8'); - SKIP: { +SKIP: { skip "DES disabled", 1 if disabled("des"); my $p12 = srctop_file("test", "shibboleth.pfx"); @@ -47,6 +49,16 @@ is(cmp_text($out_utf8, $utf), # not unlinking $out_pem } +ok(!run(app(["openssl", "x509", "-in", $pem, "-inform", "DER", + "-out", $der, "-outform", "DER"])), + "Checking failure of mismatching -inform DER"); +ok(run(app(["openssl", "x509", "-in", $pem, "-inform", "PEM", + "-out", $der, "-outform", "DER"])), + "Conversion to DER"); +ok(!run(app(["openssl", "x509", "-in", $der, "-inform", "PEM", + "-out", $der2, "-outform", "DER"])), + "Checking failure of mismatching -inform PEM"); + # producing and checking self-issued (but not self-signed) cert my $subj = "/CN=CA"; # using same DN as in issuer of ee-cert.pem my $extfile = srctop_file("test", "v3_ca_exts.cnf");
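Review bot: `$der` and `$der2` are both set to `"cyrillic.der"` in the first hunk, so the third new check in the last hunk, `-in $der ... -out $der2`, reads and writes the same file; if the app opens the output before the read fails, the DER file produced by the previous step is truncated and the negative test passes for the wrong reason, and any later use of `$der` breaks. Presumably a distinct name was intended, `my $der2 = "cyrillic2.der";`. As in the other recipes, `ok(!run(...))` asserts only that the command failed, not that `-inform PEM` against DER input was the cause, so a check on the error output would make the assertion specific. Whether the app opens the output before reading the input is not visible on this page.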