This is an enhancement request that addresses an incompatibility introduced by the new SHA-1-based hashing of the subject/issuer name defined in OpenSSL 1.0.0. The necessary patches, based on openssl 1.0.0-beta4, are attached.
Reason for the request: The change forces sites that distribute information (e.g. links) keyed by the subject/issuer hash to consumers running either 0.9.x or 1.x.x versions of OpenSSL to install both versions in order to generate and display the hashes required by the two versions. Since the basic functions required to generate both hash types are already present in OpenSSL 1.0.0+, only the integration of the old-style (MD5-based) hash into the x509 command, as an additional display option for both the subject and the issuer hash, is missing. The attached patches for apps/x509.c and crypto/x509/x509_cmp.c provide the necessary additions. Please add the requested feature to the final 1.0.0 release. Best regards Willy Weisz -- ----------------------------------------------------------- Willy Weisz European Centre for Parallel Computing at Vienna (VCPC) Computational Science Center Nordbergstrasse 15/C312 A-1090 Wien Tel: (+43 1) 4277 - 39424 Fax: (+43 1) 4277 - 9394 Mobile: +43 699 10109546 e-mail: we...@vcpc.univie.ac.a
--- apps/x509.c.orig 2009-10-18 16:42:26.000000000 +0200
+++ apps/x509.c 2010-01-10 01:20:45.000000000 +0100
@@ -99,7 +99,13 @@
 " -passin arg - private key password source\n",
 " -serial - print serial number value\n",
 " -subject_hash - print subject hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -subject_hash_old - print old-style (MD5) subject hash value\n",
+#endif
 " -issuer_hash - print issuer hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -issuer_hash_old - print old-style (MD5) issuer hash value\n",
+#endif
 " -hash - synonym for -subject_hash\n",
 " -subject - print subject DN\n",
 " -issuer - print issuer DN\n",
@@ -179,6 +185,9 @@
 int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
 int next_serial=0;
 int subject_hash=0,issuer_hash=0,ocspid=0;
+#ifndef OPENSSL_NO_MD5
+ int subject_hash_old=0,issuer_hash_old=0;
+#endif
 int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
 int ocsp_uri=0;
 int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
@@ -397,8 +406,16 @@
 else if (strcmp(*argv,"-hash") == 0 || strcmp(*argv,"-subject_hash") == 0)
 subject_hash= ++num;
+#ifndef OPENSSL_NO_MD5
+ else if (strcmp(*argv,"-subject_hash_old") == 0)
+ subject_hash_old= ++num;
+#endif
 else if (strcmp(*argv,"-issuer_hash") == 0)
 issuer_hash= ++num;
+#ifndef OPENSSL_NO_MD5
+ else if (strcmp(*argv,"-issuer_hash_old") == 0)
+ issuer_hash_old= ++num;
+#endif
 else if (strcmp(*argv,"-subject") == 0)
 subject= ++num;
 else if (strcmp(*argv,"-issuer") == 0)
@@ -759,10 +776,22 @@
 {
 BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
 }
+#ifndef OPENSSL_NO_MD5
+ else if (subject_hash_old == i)
+ {
+ BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x));
+ }
+#endif
 else if (issuer_hash == i)
 {
 BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
 }
+#ifndef OPENSSL_NO_MD5
+ else if (issuer_hash_old == i)
+ {
+ BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x));
+ }
+#endif
 else if (pprint == i)
 {
 X509_PURPOSE *ptmp;
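Review bot: The new `subject_hash_old`/`issuer_hash_old` branches in the last hunk call `X509_subject_name_hash_old()` and `X509_issuer_name_hash_old()`, but no prototype for either is added anywhere in this patch; unless a companion header change was left out of the attachment, apps/x509.c will compile against an implicit `int` declaration, and handing that `int` to `%08lx` is undefined behaviour that also discards the upper half of the hash on LP64 targets. The declarations belong next to `X509_NAME_hash_old()` in crypto/x509/x509.h, inside the same `OPENSSL_NO_MD5` guard: `unsigned long X509_issuer_name_hash_old(X509 *a);` and `unsigned long X509_subject_name_hash_old(X509 *a);`. The usage text should also say why an MD5 hash is being offered at all, e.g. `" -subject_hash_old - print old-style (MD5) subject hash value (0.9.x compatibility)\n",`, so nobody reads it as a security choice. All four hunks fall inside the x509 command's main option-parsing/output function, which begins and ends outside the patch.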
--- crypto/x509/x509_cmp.c.orig 2009-05-30 20:10:59.000000000 +0200
+++ crypto/x509/x509_cmp.c 2010-01-10 01:21:45.000000000 +0100
@@ -133,6 +133,13 @@
 return(X509_NAME_hash(x->cert_info->issuer));
 }
 
+#ifndef OPENSSL_NO_MD5
+unsigned long X509_issuer_name_hash_old(X509 *x)
+ {
+ return(X509_NAME_hash_old(x->cert_info->issuer));
+ }
+#endif
+
 X509_NAME *X509_get_subject_name(X509 *a)
 {
 return(a->cert_info->subject);
@@ -148,6 +155,13 @@
 return(X509_NAME_hash(x->cert_info->subject));
 }
 
+#ifndef OPENSSL_NO_MD5
+unsigned long X509_subject_name_hash_old(X509 *x)
+ {
+ return(X509_NAME_hash_old(x->cert_info->subject));
+ }
+#endif
+
 #ifndef OPENSSL_NO_SHA
 /* Compare two certificates: they must be identical for
 * this to work. NB: Although "cmp" operations are generally
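Review bot: Neither new function carries a comment explaining what the "old" hash is, and a reader meeting an MD5-based routine added in 2010 needs to be told it is not an integrity mechanism; I would put above each wrapper `/* MD5-based name hash as computed by OpenSSL 0.9.x; kept only so that 1.0.0 can produce the hash-named directory links 0.9.x peers expect. Lookup key only, not a security property. */`. Like their `X509_issuer_name_hash()`/`X509_subject_name_hash()` siblings directly above them, both wrappers dereference `x->cert_info` without a NULL check, which is consistent with the existing API but worth stating in that comment. As new public symbols they presumably also need prototypes in crypto/x509/x509.h and entries in the library's exported-symbol list (util/libeay.num), neither of which is part of the attached diff.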