authorTheo Buehler <tb@cvs.openbsd.org>2021-10-23 11:36:45 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2021-10-23 11:36:45 +0000
commitc9f71159978a06ff619754809636335f78741739 (patch)
treee9bd312ae00d0cf42937daf615c5ad04858a1eec
parentecd10c1195d7c68d97eb7d679f932aa85ba050a6 (diff)
Nuke the asn1-kludge. This was a workaround for CAs with broken PKCS#10
encoders many moons ago. OpenSSL removed it in 2015. ok beck jsing
-rw-r--r--usr.bin/openssl/openssl.112
-rw-r--r--usr.bin/openssl/req.c28
2 files changed, 5 insertions, 35 deletions
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 5f7f2394f7f..05f7e21cc9f 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.132 2021/09/05 06:16:30 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.133 2021/10/23 11:36:44 tb Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
@@ -110,7 +110,7 @@
.\" copied and put under another distribution licence
.\" [including the GNU Public Licence.]
.\"
-.Dd $Mdocdate: September 5 2021 $
+.Dd $Mdocdate: October 23 2021 $
.Dt OPENSSL 1
.Os
.Sh NAME
@@ -3649,7 +3649,6 @@ or standard output if not specified.
.It Nm openssl req
.Bk -words
.Op Fl addext Ar ext
-.Op Fl asn1-kludge
.Op Fl batch
.Op Fl config Ar file
.Op Fl days Ar n
@@ -3666,7 +3665,6 @@ or standard output if not specified.
.Op Fl new
.Op Fl newhdr
.Op Fl newkey Ar arg
-.Op Fl no-asn1-kludge
.Op Fl nodes
.Op Fl noout
.Op Fl out Ar file
@@ -3705,9 +3703,6 @@ option is present) or certificate request.
The argument must have the form of a key=value pair as it would appear in a
config file.
This option can be given multiple times.
-.It Fl asn1-kludge
-Produce requests in an invalid format for certain picky CAs.
-Very few CAs still require the use of this option.
.It Fl batch
Non-interactive mode.
.It Fl config Ar file
@@ -3819,9 +3814,6 @@ can be omitted,
in which case any parameters can be specified via the
.Fl pkeyopt
option.
-.It Fl no-asn1-kludge
-Reverse the effect of
-.Fl asn1-kludge .
.It Fl nodes
Do not encrypt the private key.
.It Fl noout
diff --git a/usr.bin/openssl/req.c b/usr.bin/openssl/req.c
index aaf3dceb306..4ab091a097e 100644
--- a/usr.bin/openssl/req.c
+++ b/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.20 2021/10/22 09:44:30 tb Exp $ */
+/* $OpenBSD: req.c,v 1.21 2021/10/23 11:36:44 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -143,7 +143,6 @@ struct {
char *keyfile;
int keyform;
char *keyout;
- int kludge;
int modulus;
int multirdn;
int newhdr;
@@ -296,12 +295,6 @@ static const struct option req_options[] = {
.opt.argfunc = req_opt_addext,
},
{
- .name = "asn1-kludge",
- .type = OPTION_VALUE,
- .opt.value = &req_config.kludge,
- .value = 1,
- },
- {
.name = "batch",
.desc = "Operate in batch mode",
.type = OPTION_FLAG,
@@ -402,12 +395,6 @@ static const struct option req_options[] = {
.opt.argfunc = req_opt_newkey,
},
{
- .name = "no-asn1-kludge",
- .type = OPTION_VALUE,
- .opt.value = &req_config.kludge,
- .value = 0,
- },
- {
.name = "nodes",
.desc = "Do not encrypt output private key",
.type = OPTION_FLAG,
@@ -544,12 +531,12 @@ static void
req_usage(void)
{
fprintf(stderr,
- "usage: req [-addext ext] [-asn1-kludge] [-batch] [-config file]\n"
+ "usage: req [-addext ext] [-batch] [-config file]\n"
" [-days n] [-extensions section] [-in file]\n"
" [-inform der | pem] [-key keyfile] [-keyform der | pem]\n"
" [-keyout file] [-md4 | -md5 | -sha1] [-modulus]\n"
" [-multivalue-rdn] [-nameopt option] [-new] [-newhdr]\n"
- " [-newkey arg] [-no-asn1-kludge] [-nodes] [-noout]\n"
+ " [-newkey arg] [-nodes] [-noout]\n"
" [-out file] [-outform der | pem] [-passin arg]\n"
" [-passout arg] [-pkeyopt opt:value] [-pubkey]\n"
" [-reqexts section] [-reqopt option] [-set_serial n]\n"
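Review bot: The usage synopsis kept in this hunk still names only `-md4 | -md5 | -sha1` as digest choices (the `[-keyout file] ...` line), all of which are considered too weak for signing new certificate requests, so the help text steers users toward them. Since the string is being edited anyway, consider replacing the list with a placeholder, for example `" [-keyout file] [-<digest>] [-modulus]\n"`, and naming a current digest such as SHA-256 in openssl.1. Which digests req accepts or defaults to is not visible here, so this concerns the help text only; req_usage's body continues past the end of the hunk.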
@@ -851,11 +838,6 @@ req_main(int argc, char **argv)
BIO_printf(bio_err, "-----\n");
}
if (!req_config.newreq) {
- /*
- * Since we are using a pre-existing certificate request, the
- * kludge 'format' info should not be changed.
- */
- req_config.kludge = -1;
if (req_config.infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
@@ -890,10 +872,6 @@ req_main(int argc, char **argv)
}
i = make_REQ(req, pkey, req_config.subj, req_config.multirdn, !req_config.x509, req_config.chtype);
req_config.subj = NULL; /* done processing '-subj' option */
- if ((req_config.kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) {
- sk_X509_ATTRIBUTE_free(req->req_info->attributes);
- req->req_info->attributes = NULL;
- }
if (!i) {
BIO_printf(bio_err, "problems making Certificate Request\n");
goto end;