root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

apps: silent warning when loading CSR files with vfyopt option 

When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:

  Warning: CSR self-signature does not match the contents

This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)
This commit is contained in:
Tianjia Zhang 2023-04-21 11:06:21 +08:00 committed by Tomas Mraz
parent a8eb81ccd2
commit a75f707fca
6 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/ca.c
View File

@ -1375,7 +1375,7 @@ static int certify(X509 **xret, const char *infile, int informat,
EVP_PKEY *pktmp = NULL; EVP_PKEY *pktmp = NULL;
int ok = -1, i; int ok = -1, i;
req = load_csr_autofmt(infile, informat, "certificate request"); req = load_csr_autofmt(infile, informat, vfyopts, "certificate request");
if (req == NULL) if (req == NULL)
goto end; goto end;
if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {

2
apps/cmp.c
View File

@ -1643,7 +1643,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_cmd == CMP_GENM) { if (opt_cmd == CMP_GENM) {
CMP_warn("-csr option is ignored for command 'genm'"); CMP_warn("-csr option is ignored for command 'genm'");
} else { } else {
csr = load_csr_autofmt(opt_csr, FORMAT_UNDEF, "PKCS#10 CSR"); csr = load_csr_autofmt(opt_csr, FORMAT_UNDEF, NULL, "PKCS#10 CSR");
if (csr == NULL) if (csr == NULL)
return 0; return 0;
if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr))

3
apps/include/apps.h
View File

@ -114,7 +114,8 @@ char *get_passwd(const char *pass, const char *desc);
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2); int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
int add_oid_section(CONF *conf); int add_oid_section(CONF *conf);
X509_REQ *load_csr(const char *file, int format, const char *desc); X509_REQ *load_csr(const char *file, int format, const char *desc);
X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc); X509_REQ *load_csr_autofmt(const char *infile, int format,
STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc);
X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
const char *pass, const char *desc); const char *pass, const char *desc);
# define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc) # define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)

9
apps/lib/apps.c
View File

@ -527,7 +527,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc)
} }
/* Better extend OSSL_STORE to support CSRs, see FR #15725 */ /* Better extend OSSL_STORE to support CSRs, see FR #15725 */
X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc) X509_REQ *load_csr_autofmt(const char *infile, int format,
STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc)
{ {
X509_REQ *csr; X509_REQ *csr;
@ -550,12 +551,12 @@ X509_REQ *load_csr_autofmt(const char *infile, int format, const char *desc)
} }
if (csr != NULL) { if (csr != NULL) {
EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr); EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */); int ret = do_X509_REQ_verify(csr, pkey, vfyopts);
if (pkey == NULL || ret < 0) if (pkey == NULL || ret < 0)
BIO_puts(bio_err, "Warning: error while verifying CSR self-signature"); BIO_puts(bio_err, "Warning: error while verifying CSR self-signature\n");
else if (ret == 0) else if (ret == 0)
BIO_puts(bio_err, "Warning: CSR self-signature does not match the contents"); BIO_puts(bio_err, "Warning: CSR self-signature does not match the contents\n");
return csr; return csr;
} }
return csr; return csr;

2
apps/req.c
View File

@ -738,7 +738,7 @@ int req_main(int argc, char **argv)
BIO_printf(bio_err, BIO_printf(bio_err,
"Warning: Not placing -key in cert or request since request is used\n"); "Warning: Not placing -key in cert or request since request is used\n");
req = load_csr_autofmt(infile /* if NULL, reads from stdin */, req = load_csr_autofmt(infile /* if NULL, reads from stdin */,
informat, "X509 request"); informat, vfyopts, "X509 request");
if (req == NULL) if (req == NULL)
goto end; goto end;
} else if (infile != NULL) { } else if (infile != NULL) {

3
apps/x509.c
View File

@ -706,7 +706,8 @@ int x509_main(int argc, char **argv)
if (infile == NULL) if (infile == NULL)
BIO_printf(bio_err, BIO_printf(bio_err,
"Warning: Reading cert request from stdin since no -in option is given\n"); "Warning: Reading cert request from stdin since no -in option is given\n");
req = load_csr_autofmt(infile, informat, "certificate request input"); req = load_csr_autofmt(infile, informat, vfyopts,
"certificate request input");
if (req == NULL) if (req == NULL)
goto end; goto end;