This is an enhancement request that addresses an incompatibility
introduced by the new SHA1-based hashing of the subject/issuer name
defined in openssl 1.0.0. The necessary patches, based on openssl
1.0.0-beta4, are attached.

Reason for the request:
The change forces sites that distribute information (e.g. links) based
on the subject/issuer hash to sites using either 0.9.x or 1.x.x versions
of openssl to install both of these versions, in order to be able to
generate and display the hashes required for the two versions.

Since the basic functions required for the generation of both hash types
are already present in openssl version 1.0.0+, only the integration of the
old-style (MD5 based) hash into the x509 command, as an additional display
option for both the subject and the issuer hash, is missing. The attached
patches for apps/x509.c and crypto/x509/x509_cmp.c provide the necessary
additions.

Please add the requested feature to the final 1.0.0 release.

Best regards
Willy Weisz

-- 
-----------------------------------------------------------
Willy Weisz

European Centre for Parallel Computing at Vienna (VCPC)
               Computational Science Center
                 Nordbergstrasse 15/C312
                 A-1090 Wien
Tel: (+43 1) 4277 - 39424          Fax: (+43 1) 4277 - 9394
Mobile: +43 699 10109546    e-mail: we...@vcpc.univie.ac.a


--- apps/x509.c.orig    2009-10-18 16:42:26.000000000 +0200
+++ apps/x509.c 2010-01-10 01:20:45.000000000 +0100
@@ -99,7 +99,13 @@
 " -passin arg     - private key password source\n",
 " -serial         - print serial number value\n",
 " -subject_hash   - print subject hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -subject_hash_old   - print old-style (MD5) subject hash value\n",
+#endif
 " -issuer_hash    - print issuer hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -issuer_hash_old    - print old-style (MD5) issuer hash value\n",
+#endif
 " -hash           - synonym for -subject_hash\n",
 " -subject        - print subject DN\n",
 " -issuer         - print issuer DN\n",
@@ -179,6 +185,9 @@
        int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
        int next_serial=0;
        int subject_hash=0,issuer_hash=0,ocspid=0;
+#ifndef OPENSSL_NO_MD5
+       int subject_hash_old=0,issuer_hash_old=0;
+#endif
        int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
        int ocsp_uri=0;
        int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
@@ -397,8 +406,16 @@
                else if (strcmp(*argv,"-hash") == 0
                        || strcmp(*argv,"-subject_hash") == 0)
                        subject_hash= ++num;
+#ifndef OPENSSL_NO_MD5
+               else if (strcmp(*argv,"-subject_hash_old") == 0)
+                       subject_hash_old= ++num;
+#endif
                else if (strcmp(*argv,"-issuer_hash") == 0)
                        issuer_hash= ++num;
+#ifndef OPENSSL_NO_MD5
+               else if (strcmp(*argv,"-issuer_hash_old") == 0)
+                       issuer_hash_old= ++num;
+#endif
                else if (strcmp(*argv,"-subject") == 0)
                        subject= ++num;
                else if (strcmp(*argv,"-issuer") == 0)
@@ -759,10 +776,22 @@
                                {
                                
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
                                }
+#ifndef OPENSSL_NO_MD5
+                       else if (subject_hash_old == i)
+                               {
+                               
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x));
+                               }
+#endif
                        else if (issuer_hash == i)
                                {
                                
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
                                }
+#ifndef OPENSSL_NO_MD5
+                       else if (issuer_hash_old == i)
+                               {
+                               
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x));
+                               }
+#endif
                        else if (pprint == i)
                                {
                                X509_PURPOSE *ptmp;
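Review bot: X509_subject_name_hash_old() and X509_issuer_name_hash_old() are called from the two added BIO_printf lines, but no prototype for either appears anywhere in this patch, which according to the cover note touches only apps/x509.c and crypto/x509/x509_cmp.c; unless crypto/x509/x509.h is changed separately, these calls rely on an implicit function declaration, which C99 no longer permits and which a compiler would at best warn about. Declarations under the same `#ifndef OPENSSL_NO_MD5` guard belong next to the existing X509_subject_name_hash prototype in x509.h, e.g. `unsigned long X509_subject_name_hash_old(X509 *x);` and `unsigned long X509_issuer_name_hash_old(X509 *x);`. The same point applies to the two crypto/x509/x509_cmp.c hunks that define the functions. As quoted here the added BIO_printf lines are also split onto a second line that carries no `+` marker (presumably a mail-client wrap), so the patch as pasted will not apply cleanly. The enclosing option-printing loop starts and ends outside this hunk.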
--- crypto/x509/x509_cmp.c.orig 2009-05-30 20:10:59.000000000 +0200
+++ crypto/x509/x509_cmp.c      2010-01-10 01:21:45.000000000 +0100
@@ -133,6 +133,13 @@
        return(X509_NAME_hash(x->cert_info->issuer));
        }
 
+#ifndef OPENSSL_NO_MD5
+unsigned long X509_issuer_name_hash_old(X509 *x)
+       {
+       return(X509_NAME_hash_old(x->cert_info->issuer));
+       }
+#endif
+
 X509_NAME *X509_get_subject_name(X509 *a)
        {
        return(a->cert_info->subject);
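Review bot: X509_issuer_name_hash_old() carries no comment saying what distinguishes it from X509_issuer_name_hash() directly above it; the `_old` suffix tells a reader only that it is the older form, not that the value is the pre-1.0.0 MD5-derived hash or why it is being kept. A short header such as `/* Pre-1.0.0 (MD5-based) issuer name hash; kept so 0.9.x-style hash values can still be generated and used as a lookup key. */` would do, with the matching comment on X509_subject_name_hash_old in the next hunk. The `#ifndef OPENSSL_NO_MD5` guard appears consistent with the MD5 dependency of X509_NAME_hash_old, but note that the wrapper simply returns whatever that helper produces, so agreement with 0.9.x output rests on X509_NAME_hash_old rather than on anything in this hunk.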
@@ -148,6 +155,13 @@
        return(X509_NAME_hash(x->cert_info->subject));
        }
 
+#ifndef OPENSSL_NO_MD5
+unsigned long X509_subject_name_hash_old(X509 *x)
+       {
+       return(X509_NAME_hash_old(x->cert_info->subject));
+       }
+#endif
+
 #ifndef OPENSSL_NO_SHA
 /* Compare two certificates: they must be identical for
  * this to work. NB: Although "cmp" operations are generally
