summaryrefslogtreecommitdiff
path: root/deps/openssl/openssl/apps/x509.c
diff options
context:
space:
mode:
Diffstat (limited to 'deps/openssl/openssl/apps/x509.c')
-rw-r--r--deps/openssl/openssl/apps/x509.c74
1 files changed, 67 insertions, 7 deletions
diff --git a/deps/openssl/openssl/apps/x509.c b/deps/openssl/openssl/apps/x509.c
index 929359b0da..864a60dda2 100644
--- a/deps/openssl/openssl/apps/x509.c
+++ b/deps/openssl/openssl/apps/x509.c
@@ -150,6 +150,9 @@ static const char *x509_usage[] = {
" -engine e - use engine e, possibly a hardware device.\n",
#endif
" -certopt arg - various certificate text options\n",
+ " -checkhost host - check certificate matches \"host\"\n",
+ " -checkemail email - check certificate matches \"email\"\n",
+ " -checkip ipaddr - check certificate matches \"ipaddr\"\n",
NULL
};
@@ -163,6 +166,9 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
char *section, ASN1_INTEGER *sno);
static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
static int reqfile = 0;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+static int force_version = 2;
+#endif
int MAIN(int, char **);
@@ -174,15 +180,16 @@ int MAIN(int argc, char **argv)
X509 *x = NULL, *xca = NULL;
ASN1_OBJECT *objtmp;
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
- EVP_PKEY *Upkey = NULL, *CApkey = NULL;
+ EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL;
ASN1_INTEGER *sno = NULL;
- int i, num, badops = 0;
+ int i, num, badops = 0, badsig = 0;
BIO *out = NULL;
BIO *STDout = NULL;
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
int informat, outformat, keyformat, CAformat, CAkeyformat;
char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
char *CAkeyfile = NULL, *CAserial = NULL;
+ char *fkeyfile = NULL;
char *alias = NULL;
int text = 0, serial = 0, subject = 0, issuer = 0, startdate =
0, enddate = 0;
@@ -208,6 +215,9 @@ int MAIN(int argc, char **argv)
int need_rand = 0;
int checkend = 0, checkoffset = 0;
unsigned long nmflag = 0, certflag = 0;
+ char *checkhost = NULL;
+ char *checkemail = NULL;
+ char *checkip = NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
#endif
@@ -274,7 +284,15 @@ int MAIN(int argc, char **argv)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
goto bad;
- } else if (strcmp(*argv, "-days") == 0) {
+ }
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+ else if (strcmp(*argv, "-force_version") == 0) {
+ if (--argc < 1)
+ goto bad;
+ force_version = atoi(*(++argv)) - 1;
+ }
+#endif
+ else if (strcmp(*argv, "-days") == 0) {
if (--argc < 1)
goto bad;
days = atoi(*(++argv));
@@ -327,6 +345,10 @@ int MAIN(int argc, char **argv)
goto bad;
if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
goto bad;
+ } else if (strcmp(*argv, "-force_pubkey") == 0) {
+ if (--argc < 1)
+ goto bad;
+ fkeyfile = *(++argv);
} else if (strcmp(*argv, "-addtrust") == 0) {
if (--argc < 1)
goto bad;
@@ -424,6 +446,18 @@ int MAIN(int argc, char **argv)
goto bad;
checkoffset = atoi(*(++argv));
checkend = 1;
+ } else if (strcmp(*argv, "-checkhost") == 0) {
+ if (--argc < 1)
+ goto bad;
+ checkhost = *(++argv);
+ } else if (strcmp(*argv, "-checkemail") == 0) {
+ if (--argc < 1)
+ goto bad;
+ checkemail = *(++argv);
+ } else if (strcmp(*argv, "-checkip") == 0) {
+ if (--argc < 1)
+ goto bad;
+ checkip = *(++argv);
} else if (strcmp(*argv, "-noout") == 0)
noout = ++num;
else if (strcmp(*argv, "-trustout") == 0)
@@ -447,6 +481,8 @@ int MAIN(int argc, char **argv)
#endif
else if (strcmp(*argv, "-ocspid") == 0)
ocspid = ++num;
+ else if (strcmp(*argv, "-badsig") == 0)
+ badsig = 1;
else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
/* ok */
digest = md_alg;
@@ -484,6 +520,13 @@ int MAIN(int argc, char **argv)
goto end;
}
+ if (fkeyfile) {
+ fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0,
+ NULL, e, "Forced key");
+ if (fkey == NULL)
+ goto end;
+ }
+
if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
CAkeyfile = CAfile;
} else if ((CA_flag) && (CAkeyfile == NULL)) {
@@ -605,10 +648,13 @@ int MAIN(int argc, char **argv)
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
-
- pkey = X509_REQ_get_pubkey(req);
- X509_set_pubkey(x, pkey);
- EVP_PKEY_free(pkey);
+ if (fkey)
+ X509_set_pubkey(x, fkey);
+ else {
+ pkey = X509_REQ_get_pubkey(req);
+ X509_set_pubkey(x, pkey);
+ EVP_PKEY_free(pkey);
+ }
} else
x = load_cert(bio_err, infile, informat, NULL, e, "Certificate");
@@ -937,11 +983,16 @@ int MAIN(int argc, char **argv)
goto end;
}
+ print_cert_checks(STDout, x, checkhost, checkemail, checkip);
+
if (noout) {
ret = 0;
goto end;
}
+ if (badsig)
+ x->signature->data[x->signature->length - 1] ^= 0x1;
+
if (outformat == FORMAT_ASN1)
i = i2d_X509_bio(out, x);
else if (outformat == FORMAT_PEM) {
@@ -982,6 +1033,7 @@ int MAIN(int argc, char **argv)
X509_free(xca);
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
+ EVP_PKEY_free(fkey);
if (sigopts)
sk_OPENSSL_STRING_free(sigopts);
X509_REQ_free(rq);
@@ -1101,7 +1153,11 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
if (conf) {
X509V3_CTX ctx2;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+ X509_set_version(x, force_version);
+#else
X509_set_version(x, 2); /* version 3 certificate */
+#endif
X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx2, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1186,7 +1242,11 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
}
if (conf) {
X509V3_CTX ctx;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+ X509_set_version(x, force_version);
+#else
X509_set_version(x, 2); /* version 3 certificate */
+#endif
X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-03 02:04:10 +0000