This patch adds a `-noselfsign` option that lets you skip the check that the certificate to be signed is a valid self-signed certificate when signing certs with 'x509 -CA'. I find this useful for those times when you have edited a cert by hand (e.g. with Emacs' M-x hexl-mode), which breaks its existing signature.
--- x509.c.orig Mon Jan 14 11:41:05 2002
+++ x509.c Mon Jan 14 11:41:41 2002
@@ -122,6 +122,7 @@
 " missing, it is assumed to be in the CA file.\n",
 " -CAcreateserial - create serial number file if it does not exist\n",
 " -CAserial - serial file\n",
+" -noselfsign - accept certificates that aren't self signed, for -CA.\n",
 " -text - print the certificate in text form\n",
 " -C - print out C code forms\n",
 " -md2/-md5/-sha1/-mdc2 - digest to use\n",
@@ -137,7 +138,8 @@
 LHASH *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
 X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
- int create,int days, int clrext, LHASH *conf, char *section);
+ int create,int days, int clrext, LHASH *conf,
+ char *section, int noselfsign);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 
 static int reqfile=0;
@@ -158,6 +160,7 @@
 char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
 char *CAkeyfile=NULL,*CAserial=NULL;
 char *alias=NULL;
+ int noselfsign=0;
 int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
 int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
 int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
@@ -339,6 +342,8 @@
 }
 else if (strcmp(*argv,"-C") == 0)
 C= ++num;
+ else if (strcmp(*argv,"-noselfsign") == 0)
+ noselfsign = ++num;
 else if (strcmp(*argv,"-email") == 0)
 email= ++num;
 else if (strcmp(*argv,"-serial") == 0)
@@ -844,8 +849,8 @@
 
 assert(need_rand);
 if (!x509_certify(ctx,CAfile,digest,x,xca,
- CApkey, CAserial,CA_createserial,days, clrext,
- extconf, extsect))
+ CApkey, CAserial,CA_createserial,days,
+ clrext, extconf, extsect, noselfsign))
 goto end;
 }
 else if (x509req == i)
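Review bot: The help text on the added `-noselfsign` line describes the option more narrowly than the code implements it: in x509_certify the flag disables the X509_verify_cert() call on the input certificate altogether, so an input whose existing signature does not verify at all (the hand-edited case the cover note mentions) is also accepted, not only one that is validly signed by a different issuer. The usage line should say what is actually skipped so an operator knows what guarantee they are giving up, e.g. `" -noselfsign - skip verification of the certificate to be signed (accept non-self-signed or unverifiable certs), for -CA.\n"`. The usage table continues outside the hunk.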
@@ -966,7 +971,7 @@
 
 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
- int days, int clrext, LHASH *conf, char *section)
+ int days, int clrext, LHASH *conf, char *section, int noselfsign)
 {
 int ret=0;
 BIO *io=NULL;
@@ -1068,8 +1073,8 @@
 /* NOTE: this certificate can/should be self signed, unless it was
 * a certificate request in which case it is not. */
 X509_STORE_CTX_set_cert(&xsc,x);
- if (!reqfile && !X509_verify_cert(&xsc))
- goto end;
+ if (!reqfile && !noselfsign && !X509_verify_cert(&xsc))
+ goto end;
 
 if (!X509_check_private_key(xca,pkey))
 {
@@ -1132,6 +1137,7 @@
 if (ok)
 {
 BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
+ BIO_printf(bio_err,"consider using -noselfsign\n");
 return 0;
 }
 else
______________________________________________________________________
OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
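Review bot: With `-noselfsign` set, the new condition skips X509_verify_cert() entirely, so nothing about the input certificate is checked before the CA key signs it; the only check left in this hunk is X509_check_private_key() on the CA's own key pair, and a corrupted or forged existing signature on the input is no longer detected. That is wider than the option name and the comment two lines above ("can/should be self signed") suggest, and it deserves stating at the point of the bypass: `/* -noselfsign: the input is re-signed as-is, with no verification of its existing signature or chain */`. If the intent is only to tolerate a different issuer, it may be preferable to keep calling X509_verify_cert() and have the verification callback tolerate the not-self-signed error when the flag is set, so a bad signature on the input still aborts — but the callback is outside this hunk, so I cannot confirm it can see the flag. x509_certify's body continues outside the hunk.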
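Review bot: The added `consider using -noselfsign` hint appears to be printed for whichever verification error reaches this `if (ok)` branch, not only the not-self-signed case named in the preceding message, so it steers the operator toward disabling the check even when the input's signature is simply broken or the certificate is otherwise invalid; the condition guarding the branch is outside the hunk, so I cannot confirm it is narrower. Either restrict the hint to the case where the input is validly signed by another issuer, or word it so the consequence is clear: `BIO_printf(bio_err,"use -noselfsign to sign it anyway (skips all verification of the input)\n");`. The enclosing callback starts and ends outside the hunk.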