apps/x509.c: Rename -signkey to -key for consistency with the req app

Also because this better reflects that usually the public portion of the key is used as well.
Retaining the old -signkey as an alias for backward compatibility.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14007)
Dr. David von Oheimb 2021-01-06 15:01:46 +01:00 committed by Dr. David von Oheimb
parent 2de5d3b87a
commit 9293046fb4
2 changed files with 45 additions and 34 deletions


@ -42,7 +42,7 @@ typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
OPT_CAKEYFORM, OPT_VFYOPT, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE,
OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, OPT_CAKEY,
OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_KEY, OPT_SIGNKEY, OPT_CA, OPT_CAKEY,
OPT_CASERIAL, OPT_SET_SERIAL, OPT_NEW, OPT_FORCE_PUBKEY, OPT_SUBJ,
OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT,
OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL,
@ -72,8 +72,10 @@ const OPTIONS x509_options[] = {
{"inform", OPT_INFORM, 'f',
"CSR input file format (DER or PEM) - default PEM"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
{"key", OPT_KEY, 's',
"Key to be used in certificate or cert request"},
{"signkey", OPT_SIGNKEY, 's',
"Key used to self-sign certificate or cert request"},
"Same as -key"},
{"keyform", OPT_KEYFORM, 'E',
"Key input format (ENGINE, other values ignored)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
@ -149,7 +151,7 @@ const OPTIONS x509_options[] = {
OPT_SECTION("Micro-CA"),
{"CA", OPT_CA, '<',
"Use the given CA certificate, conflicts with -signkey"},
"Use the given CA certificate, conflicts with -key"},
{"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
{"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"},
{"CAkeyform", OPT_CAKEYFORM, 'E',
@ -244,7 +246,7 @@ int x509_main(int argc, char **argv)
CONF *extconf = NULL;
int ext_copy = EXT_COPY_UNSET;
X509V3_CTX ext_ctx;
EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL;
EVP_PKEY *privkey = NULL, *CAkey = NULL, *pubkey = NULL;
EVP_PKEY *pkey;
int newcert = 0;
char *subj = NULL, *digestname = NULL;
@ -261,7 +263,7 @@ int x509_main(int argc, char **argv)
char *checkhost = NULL, *checkemail = NULL, *checkip = NULL;
char *ext_names = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL;
char *infile = NULL, *outfile = NULL, *signkeyfile = NULL, *CAfile = NULL;
char *infile = NULL, *outfile = NULL, *privkeyfile = NULL, *CAfile = NULL;
char *prog;
int days = UNSET_DAYS; /* not explicitly set */
int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0;
@ -374,8 +376,9 @@ int x509_main(int argc, char **argv)
case OPT_EXTENSIONS:
extsect = opt_arg();
break;
case OPT_KEY:
case OPT_SIGNKEY:
signkeyfile = opt_arg();
privkeyfile = opt_arg();
break;
case OPT_CA:
CAfile = opt_arg();
@ -605,9 +608,9 @@ int x509_main(int argc, char **argv)
"The -req option cannot be used with -new\n");
goto end;
}
if (signkeyfile != NULL) {
signkey = load_key(signkeyfile, keyformat, 0, passin, e, "private key");
if (signkey == NULL)
if (privkeyfile != NULL) {
privkey = load_key(privkeyfile, keyformat, 0, passin, e, "private key");
if (privkey == NULL)
goto end;
}
if (pubkeyfile != NULL) {
@ -622,9 +625,9 @@ int x509_main(int argc, char **argv)
"The -new option requires a subject to be set using -subj\n");
goto end;
}
if (signkeyfile == NULL && pubkeyfile == NULL) {
if (privkeyfile == NULL && pubkeyfile == NULL) {
BIO_printf(bio_err,
"The -new option without -signkey requires using -force_pubkey\n");
"The -new option without -key requires using -force_pubkey\n");
goto end;
}
}
@ -635,8 +638,8 @@ int x509_main(int argc, char **argv)
if (CAkeyfile == NULL)
CAkeyfile = CAfile;
if (CAfile != NULL) {
if (signkeyfile != NULL) {
BIO_printf(bio_err, "Cannot use both -signkey and -CA option\n");
if (privkeyfile != NULL) {
BIO_printf(bio_err, "Cannot use both -key and -CA option\n");
goto end;
}
} else if (CAkeyfile != NULL) {
@ -697,9 +700,9 @@ int x509_main(int argc, char **argv)
BIO_printf(bio_err,
"Warning: ignoring -preserve_dates option with -req or -new\n");
preserve_dates = 0;
if (signkeyfile == NULL && CAkeyfile == NULL) {
if (privkeyfile == NULL && CAkeyfile == NULL) {
BIO_printf(bio_err,
"We need a private key to sign with, use -signkey or -CAkey or -CA with private key\n");
"We need a private key to sign with, use -key or -CAkey or -CA with private key\n");
goto end;
}
if ((x = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
@ -727,9 +730,9 @@ int x509_main(int argc, char **argv)
&& !X509_set_subject_name(x, fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req)))
goto end;
if ((pubkey != NULL || signkey != NULL || req != NULL)
if ((pubkey != NULL || privkey != NULL || req != NULL)
&& !X509_set_pubkey(x, pubkey != NULL ? pubkey :
signkey != NULL ? signkey :
privkey != NULL ? privkey :
X509_REQ_get0_pubkey(req)))
goto end;
@ -787,7 +790,7 @@ int x509_main(int argc, char **argv)
if (sno != NULL && !X509_set_serialNumber(x, sno))
goto end;
if (reqfile || newcert || signkey != NULL || CAfile != NULL) {
if (reqfile || newcert || privkey != NULL || CAfile != NULL) {
if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
goto end;
if (!X509_set_issuer_name(x, X509_get_subject_name(issuer_cert)))
@ -813,15 +816,15 @@ int x509_main(int argc, char **argv)
}
if (x509toreq) { /* also works in conjunction with -req */
if (signkey == NULL) {
BIO_printf(bio_err, "Must specify request key using -signkey\n");
if (privkey == NULL) {
BIO_printf(bio_err, "Must specify request key using -key\n");
goto end;
}
if (clrext && ext_copy != EXT_COPY_NONE) {
BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n");
goto end;
}
if ((rq = x509_to_req(x, signkey, digest, sigopts,
if ((rq = x509_to_req(x, privkey, digest, sigopts,
ext_copy, ext_names)) == NULL)
goto end;
if (!noout) {
@ -838,8 +841,8 @@ int x509_main(int argc, char **argv)
}
}
noout = 1;
} else if (signkey != NULL) {
if (!do_X509_sign(x, signkey, digest, sigopts, &ext_ctx))
} else if (privkey != NULL) {
if (!do_X509_sign(x, privkey, digest, sigopts, &ext_ctx))
goto end;
} else if (CAfile != NULL) {
if (!reqfile && !newcert) { /* certificate should be self-signed */
@ -1030,7 +1033,7 @@ int x509_main(int argc, char **argv)
X509_REQ_free(req);
X509_free(x);
X509_free(xca);
EVP_PKEY_free(signkey);
EVP_PKEY_free(privkey);
EVP_PKEY_free(CAkey);
EVP_PKEY_free(pubkey);
sk_OPENSSL_STRING_free(sigopts);
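Review bot: The help string for the new `-key` entry in `x509_options` ("Key to be used in certificate or cert request") no longer tells the user that the file must hold a private key and that supplying it makes the output self-signed, while the old `-signkey` text said so and the `-signkey` entry is now reduced to "Same as -key". The code path is unchanged in that respect: `privkeyfile` is still passed to `load_key(..., "private key")`, and `privkey` is used for `do_X509_sign()` and `x509_to_req()`, so `openssl x509 -help` now understates what `-key` requires compared with the manual page, which still says the certificate or request "is self-signed using the supplied private key". Suggest restoring that detail, e.g. `"Private key to self-sign (and, unless -force_pubkey is given, to take the public key from) for the certificate or cert request"`, or at least `"Private key used to self-sign certificate or cert request"`. The enclosing `x509_main` starts and ends outside the hunks shown.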


@ -17,8 +17,9 @@ B<openssl> B<x509>
[B<-copy_extensions> I<arg>]
[B<-inform> B<DER>|B<PEM>]
[B<-vfyopt> I<nm>:I<v>]
[B<-signkey> I<filename>|I<uri>]
[B<-key> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-signkey> I<filename>|I<uri>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-nocert>]
@ -118,13 +119,13 @@ Generate a certificate from scratch, not using an input certificate
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> option needs to be given.
The public key to include can be given with the B<-force_pubkey> option
and defaults to the key given with the B<-signkey> option,
and defaults to the key given with the B<-key> option,
which implies self-signature.
=item B<-x509toreq>
Output a PKCS#10 certificate request (rather than a certificate).
The B<-signkey> option must be used to provide the private key for self-signing;
The B<-key> option must be used to provide the private key for self-signing;
the corresponding public key is placed in the subjectPKInfo field.
X.509 extensions included in a certificate input are not copied by default.
@ -161,7 +162,7 @@ See L<openssl-format-options(1)> for details.
Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.
=item B<-signkey> I<filename>|I<uri>
=item B<-key> I<filename>|I<uri>
This option causes the new certificate or certificate request
to be self-signed using the supplied private key.
@ -174,6 +175,10 @@ Unless the B<-preserve_dates> option is supplied,
it sets the validity start date to the current time
and the end date to a value determined by the B<-days> option.
=item B<-signkey> I<filename>|I<uri>
This option is an alias of B<-key>.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key input format; the default is B<PEM>.
@ -348,7 +353,7 @@ Check that the certificate matches the specified IP address.
=item B<-set_serial> I<n>
Specifies the serial number to use. This option can be used with either
the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA> option
the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option
the serial number file (as specified by the B<-CAserial> option) is not used.
The serial number can be decimal or hex (if preceded by C<0x>).
@ -392,7 +397,7 @@ or certificate request.
=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in I<filename>
instead of the key contained in the input or given with the B<-signkey> option.
instead of the key contained in the input or given with the B<-key> option.
This option is useful for creating self-issued certificates that are not
self-signed, for instance when the key cannot be used for signing, such as DH.
@ -438,7 +443,7 @@ for testing.
The digest to use.
This affects any signing or printing option that uses a message
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
digest, such as the B<-fingerprint>, B<-key> and B<-CA> options.
Any digest supported by the L<openssl-dgst(1)> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
@ -456,7 +461,7 @@ When present, this behaves like a "micro CA" as follows:
The subject name of the "CA" certificate is placed as issuer name in the new
certificate, which is then signed using the "CA" key given as detailed below.
This option cannot be used in conjunction with the B<-signkey> option.
This option cannot be used in conjunction with the B<-key> option.
This option is normally combined with the B<-req> option referencing a CSR.
Without the B<-req> option the input must be a self-signed certificate
unless the B<-new> option is given, which generates a certificate from scratch.
@ -700,13 +705,13 @@ Convert a certificate from PEM to DER format:
Convert a certificate to a certificate request:
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
openssl x509 -x509toreq -in cert.pem -out req.pem -key key.pem
Convert a certificate request into a self-signed certificate using
extensions for a CA:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
-signkey key.pem -out cacert.pem
-key key.pem -out cacert.pem
Sign a certificate request using the CA certificate above and add user
certificate extensions:
@ -871,6 +876,9 @@ of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
version of the DN using SHA1. This means that any directories using the old
form must have their links rebuilt using L<openssl-rehash(1)> or similar.
The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0,
keeping the old name as an alias.
All B<-keyform> and B<-CAkeyform> values except B<ENGINE>
have become obsolete in OpenSSL 3.0.0 and have no effect.