I came to think that a better solution would be to allow an option where the certificates leading from the given CA certificate up to the root could be given.
I'm a little dubious about using unverified certificates. On the other hand, "openssl ca" does exactly that, so perhaps one should default to what this patch is suggesting as an option. Ideas? [levitte - Wed May 8 16:47:23 2002]: > [[EMAIL PROTECTED] - Thu Apr 25 16:20:45 2002]: > > Well, 0.9.6 gets changed for small patches only. I believe this > constitutes something bigger, so it'll go to 0.9.7 (possibly) or > 0.9.8 (quite certainly), unless someone in the team is very much > against... > > > What about the patch below for 0.9.6d? Doc patch as well: > > > > --- x509.pod.orig Mon Jan 14 12:03:55 2002 > > +++ x509.pod Mon Jan 14 12:03:35 2002 > > @@ -43,6 +43,7 @@ > > [B<-CAkey filename>] > > [B<-CAcreateserial>] > > [B<-CAserial filename>] > > +[B<-noselfsign>] > > [B<-text>] > > [B<-C>] > > [B<-md2|-md5|-sha1|-mdc2>] > > @@ -300,7 +301,8 @@ > > of the CA and it is digitally signed using the CAs private key. > > > > This option is normally combined with the B<-req> option. Without > the > > -B<-req> option the input is a certificate which must be self > signed. > > +B<-req> option the input is a certificate which must be self > signed > > +(unless B<-noselfsign> is specified). > > > > =item B<-CAkey filename> 
> > > > @@ -327,6 +329,11 @@ > > it will contain the serial number "02" and the certificate being > > signed will > > have the 1 as its serial number. Normally if the B<-CA> option is > > specified > > and the serial number file does not exist it is an error. > > + > > +=item B<-noselfsign> > > + > > +with this option the "mini CA" (see B<-CA>) will sign certificates > > +with unverified signatures. > > > > =item B<-extfile filename> > > > > > > > > Simon Josefsson <[EMAIL PROTECTED]> writes: > > > > > This patch that allows you to override the check for a valid > self- > > signed > > > certificate when signing certs using 'x509 -CA'. I find this > useful > > for > > > those times when you edit certs with M-x hexl-mode. > > > > > > --- x509.c.orig Mon Jan 14 11:41:05 2002 > > > +++ x509.c Mon Jan 14 11:41:41 2002 > > > @@ -122,6 +122,7 @@ > > > " missing, it is assumed to be in the CA > > file.\n", > > > " -CAcreateserial - create serial number file if it does not > > exist\n", > > > " -CAserial - serial file\n", > > > +" -noselfsign - accept certificates that aren't self signed, > > for -CA.\n", > > > " -text - print the certificate in text form\n", > > > " -C - print out C code forms\n", > > > " -md2/-md5/-sha1/-mdc2 - digest to use\n", > > > @@ -137,7 +138,8 @@ > > > LHASH *conf, char > *section); > > > static int x509_certify (X509_STORE *ctx,char *CAfile,const > EVP_MD > > *digest, > > > X509 *x,X509 *xca,EVP_PKEY *pkey,char > *serial, > > > - int create,int days, int clrext, LHASH > *conf, char *section); > > > + int create,int days, int clrext, LHASH > *conf, > > > + char *section, int noselfsign); > > > static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE > *pt); > > > static int reqfile=0; 
> > > > > > @@ -158,6 +160,7 @@ > > > char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; > > > char *CAkeyfile=NULL,*CAserial=NULL; > > > char *alias=NULL; > > > + int noselfsign=0; > > > int > > text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0; > > > int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; > > > int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; > > > @@ -339,6 +342,8 @@ > > > } > > > else if (strcmp(*argv,"-C") == 0) > > > C= ++num; > > > + else if (strcmp(*argv,"-noselfsign") == 0) > > > + noselfsign = ++num; > > > else if (strcmp(*argv,"-email") == 0) > > > email= ++num; > > > else if (strcmp(*argv,"-serial") == 0) > > > @@ -844,8 +849,8 @@ > > > > > > assert(need_rand); > > > if > (!x509_certify(ctx,CAfile,digest,x,xca, > > > - CApkey, > CAserial,CA_createserial,days, clrext, > > > - extconf, extsect)) > > > + CApkey, > CAserial,CA_createserial,days, > > > + clrext, extconf, extsect, > noselfsign)) > > > goto end; > > > } > > > else if (x509req == i) > > > @@ -966,7 +971,7 @@ > > > > > > static int x509_certify(X509_STORE *ctx, char *CAfile, const > EVP_MD > > *digest, > > > X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, > int > > create, > > > - int days, int clrext, LHASH *conf, char *section) > > > + int days, int clrext, LHASH *conf, char *section, int > > noselfsign) > > > { > > > int ret=0; > > > BIO *io=NULL; > > > @@ -1068,8 +1073,8 @@ > > > /* NOTE: this certificate can/should be self signed, unless > it was > > > * a certificate request in which case it is not. */ > > > X509_STORE_CTX_set_cert(&xsc,x); > > > - if (!reqfile && !X509_verify_cert(&xsc)) > > > - goto end; > > > + if (!reqfile && !noselfsign && !X509_verify_cert(&xsc)) > > > + goto end; > > > > > > if (!X509_check_private_key(xca,pkey)) > > > { 
> > > @@ -1132,6 +1137,7 @@ > > > if (ok) > > > { > > > BIO_printf(bio_err,"error with certificate to be > certified - > > should be self signed\n"); > > > + BIO_printf(bio_err,"consider using -noselfsign\n"); > > > return 0; > > > } > > > else
> -- Richard Levitte [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
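Review bot: the wording of the new `=item B<-noselfsign>` in the x509.pod hunk at -327,6 +329,11, "will sign certificates with unverified signatures", does not describe what the code does: the x509.c change skips the whole X509_verify_cert call on the input certificate, so the input is neither required to be self signed nor checked for a valid signature before it is re-signed. Suggest "with this option the certificate given as input to B<-CA> is not required to be self signed and is not verified before it is re-signed", and a sentence saying the option has no effect together with B<-req>, where the verify is already skipped.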
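Review bot: the help text in the x509.c hunk at -122,6 +122,7, "accept certificates that aren't self signed, for -CA", understates what is bypassed, because the condition changed at -1068,8 drops X509_verify_cert altogether rather than only the self-signed requirement; a self-signed certificate whose signature no longer verifies (the hex-edited case the patch was written for) is accepted as well. Suggest `" -noselfsign - with -CA, do not verify the input certificate (it need not be self signed)\n"` so the option name and the help line say the same thing as the code.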
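Review bot: in the option-parsing hunk at -339,6 +342,8, -noselfsign is accepted in every mode but only does anything when -CA is used without -req; given with -req, -signkey or plain printing options it is silently ignored. A one-line check after argument parsing that warns when noselfsign is set without CA_flag (or with reqfile) would stop an operator from believing a check was skipped when it never ran.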
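Review bot: the comment immediately above the changed condition in the hunk at -1068,8 +1073,8, "this certificate can/should be self signed, unless it was a certificate request", is now stale and should mention the noselfsign case too. The more important point is what the skipped X509_verify_cert provides: verifying the input's self-signature is the only evidence this path has that whoever produced the certificate holds the private key for the public key about to be certified, and with noselfsign set the mini CA signs that key on no evidence at all. That trade-off belongs in the documentation for the option, and it is an argument for the chain-supplying alternative raised at the top of this message (verify the input against certificates leading up to a root) rather than an unconditional bypass.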
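Review bot: the new "consider using -noselfsign" line in the hunk at -1132,6 +1137,7 is printed from the `if (ok)` branch, which as the existing "should be self signed" message shows is the catch-all for any input that did not pass X509_verify_cert, not specifically for an input that is not self signed; for a self-signed certificate whose signature failed, the hint amounts to "disable the check that just failed". Suggest stating the requirement instead, e.g. "input must be a self signed certificate with a valid signature (or use -noselfsign to skip this check)", so the operator can tell a genuinely non-self-signed input from a corrupted one.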
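A shell walk-through of the two things the thread is about, added here as an example; it is not code from the thread or from OpenSSL's own sources. It reproduces with the openssl CLI the check that `x509 -CA` makes on a certificate input (issuer equals subject, and the self-signature verifies), shows a hex-edited copy of the certificate failing that check, and shows the alternative raised at the top of the message: verifying a non-self-signed input against the certificates leading from it up to a root. It assumes a current openssl (1.1.1 or 3.x) on PATH; the PKI, file names and subject names are all constructed for the example. One detail the example depends on: `openssl verify` does not check a trust anchor's own signature unless `-check_ss_sig` is given, so that flag is what makes the edited certificate fail.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSL). Assumes openssl 1.1.1 or 3.x
# on PATH; every file name and subject below is constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: self-signed root -> intermediate (CA:TRUE) -> leaf.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# The hex-editor case from the thread: the same certificate with the last byte
# of its DER encoding (the tail of the signature value) changed by one.
make_corrupt_copy() {   # $1 = input PEM, $2 = output PEM
  openssl x509 -in "$1" -outform DER -out "$WORK/tmp.der"
  size=$(wc -c < "$WORK/tmp.der" | tr -d ' ')
  last=$(tail -c 1 "$WORK/tmp.der" | od -An -tu1 | tr -d ' ')
  head -c "$((size - 1))" "$WORK/tmp.der" > "$WORK/tmp-bad.der"
  printf "$(printf '\\%03o' "$(( (last + 1) % 256 ))")" >> "$WORK/tmp-bad.der"
  openssl x509 -inform DER -in "$WORK/tmp-bad.der" -out "$2"
}

# Prints the issuer or subject of a certificate without the "issuer="/"subject=" prefix.
name_of() { openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*=//'; }

# What "x509 -CA" demands of a certificate input, i.e. the check the patch makes
# optional: issuer equals subject, and the self-signature really verifies.
# -check_ss_sig is required because verify otherwise trusts an anchor's own
# signature without looking at it.
is_self_signed_and_valid() {   # $1 = cert
  [ "$(name_of "$1" -issuer)" = "$(name_of "$1" -subject)" ] || return 1
  openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# The alternative suggested at the top of the message: instead of insisting on
# a self-signed input, let the caller supply the chain up to a root.
verifies_with_chain() {   # $1 = cert, $2 = trusted root, $3 = intermediates
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

report() {   # $1 = label; remaining args = the check to run
  label=$1; shift
  if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

make_pki
make_corrupt_copy "$WORK/root.pem" "$WORK/root-edited.pem"

report "self-signed root, intact signature" is_self_signed_and_valid "$WORK/root.pem"
report "self-signed root, edited signature" is_self_signed_and_valid "$WORK/root-edited.pem"
report "leaf signed by intermediate"        is_self_signed_and_valid "$WORK/leaf.pem"
report "leaf with chain supplied"           verifies_with_chain "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/inter.pem"
```

Run as a script, the four report lines read accepted, rejected, rejected, accepted. The third line is rejected not because the leaf is bad but because nothing in the input alone proves who issued it; that is the gap the chain option closes, whereas -noselfsign closes it by not asking.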