authorJob Snijders <job@cvs.openbsd.org>2024-08-12 15:34:59 +0000
committerJob Snijders <job@cvs.openbsd.org>2024-08-12 15:34:59 +0000
commit1ab2e11c01a2d3c7922165d0d3bedd1525c4a017 (patch)
treebe4aa60bd45a0310c8e4345d4dd7dd600511db87 /usr.bin/openssl
parentfd5255781c8206f7c0180e2e4920f3cb979b2753 (diff)
Add -CRLfile option to 'cms' sub command
This option allows verifying certs in a CMS object against additional CRLs. Ported from work by Tom Harrison from APNIC. OK tb@
Diffstat (limited to 'usr.bin/openssl')
-rw-r--r--usr.bin/openssl/cms.c37
-rw-r--r--usr.bin/openssl/openssl.18
2 files changed, 38 insertions, 7 deletions
diff --git a/usr.bin/openssl/cms.c b/usr.bin/openssl/cms.c
index b94e14675bb..7420d0ab8cc 100644
--- a/usr.bin/openssl/cms.c
+++ b/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.35 2023/11/21 17:56:19 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.36 2024/08/12 15:34:58 job Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
@@ -110,6 +110,7 @@ static struct {
X509 *cert;
char *certfile;
char *certsoutfile;
+ char *crlfile;
const EVP_CIPHER *cipher;
char *contfile;
ASN1_OBJECT *econtent_type;
@@ -548,6 +549,13 @@ static const struct option cms_options[] = {
.opt.arg = &cfg.CApath,
},
{
+ .name = "CRLfile",
+ .argname = "file",
+ .desc = "Other certificate revocation lists file",
+ .type = OPTION_ARG,
+ .opt.arg = &cfg.crlfile,
+ },
+ {
.name = "binary",
.desc = "Do not translate message to text",
.type = OPTION_VALUE_OR,
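Review bot: The help text for the new entry, `.desc = "Other certificate revocation lists file"`, does not say which encoding is accepted, while the loader added later in this commit calls `load_crls()` with `FORMAT_PEM` hard-coded and no `-crlform` option exists to change it. A DER-encoded CRL file will therefore be rejected with a generic load error, and the usage output is the first place a user looks. Suggest `.desc = "Other certificate revocation lists file (PEM)"`, matching the man page sentence "The CRLs should be in PEM format." The cms_options array starts and ends outside this hunk.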
@@ -1111,10 +1119,10 @@ cms_usage(void)
"[-aes128 | -aes192 | -aes256 | -camellia128 |\n"
" -camellia192 | -camellia256 | -des | -des3 |\n"
" -rc2-40 | -rc2-64 | -rc2-128] [-CAfile file]\n"
- " [-CApath directory] [-binary] [-certfile file]\n"
- " [-certsout file] [-cmsout] [-compress] [-content file]\n"
- " [-crlfeol] [-data_create] [-data_out] [-debug_decrypt]\n"
- " [-decrypt] [-digest_create] [-digest_verify]\n"
+ " [-CApath directory] [-CRLfile file] [-binary]\n"
+ " [-certfile file] [-certsout file] [-cmsout] [-compress]\n"
+ " [-content file] [-crlfeol] [-data_create] [-data_out]\n"
+ " [-debug_decrypt] [-decrypt] [-digest_create] [-digest_verify]\n"
" [-econtent_type type] [-encrypt] [-EncryptedData_decrypt]\n"
" [-EncryptedData_encrypt] [-from addr] [-in file]\n"
" [-inform der | pem | smime] [-inkey file]\n"
@@ -1158,6 +1166,7 @@ cms_main(int argc, char **argv)
X509 *recip = NULL, *signer = NULL;
EVP_PKEY *key = NULL;
STACK_OF(X509) *other = NULL;
+ STACK_OF(X509_CRL) *crls = NULL;
BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
int badarg = 0;
CMS_ReceiptRequest *rr = NULL;
@@ -1316,6 +1325,14 @@ cms_main(int argc, char **argv)
goto end;
}
}
+
+ if (cfg.crlfile != NULL) {
+ crls = load_crls(bio_err, cfg.crlfile, FORMAT_PEM, NULL,
+ "other CRLs");
+ if (crls == NULL)
+ goto end;
+ }
+
if (cfg.recipfile != NULL &&
(cfg.operation == SMIME_DECRYPT)) {
if ((recip = load_cert(bio_err, cfg.recipfile,
@@ -1677,6 +1694,15 @@ cms_main(int argc, char **argv)
cfg.secret_keylen, indata, out, cfg.flags))
goto end;
} else if (cfg.operation == SMIME_VERIFY) {
+ if (cfg.crlfile != NULL) {
+ int i;
+
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
+ X509_CRL *crl = sk_X509_CRL_value(crls, i);
+ if (!CMS_add1_crl(cms, crl))
+ goto end;
+ }
+ }
if (CMS_verify(cms, other, store, indata, out,
cfg.flags) > 0) {
BIO_printf(bio_err, "Verification successful\n");
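Review bot: The CRLs attached with `CMS_add1_crl()` only influence the verdict when CRL checking is enabled on the verify parameters (`X509_V_FLAG_CRL_CHECK`, set by the `-crl_check` family of options); with the default flags the X509 verifier does not consult them, so `-CRLfile` alone still reports "Verification successful" for a revoked signer. Since nothing in the hunk or the new openssl.1 text says this, a comment above the loop, `/* Only consulted by CMS_verify() when -crl_check enables CRL checking. */`, and a matching sentence in the `-CRLfile` man page entry would prevent a false sense of revocation coverage. As a minor point of style, the `cfg.crlfile != NULL` guard is redundant here: `crls` is non-NULL exactly when the file was given and `sk_X509_CRL_num(NULL)` yields -1, so testing `crls != NULL` (or nothing) would read more directly. cms_main starts and ends outside this hunk.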
@@ -1752,6 +1778,7 @@ cms_main(int argc, char **argv)
sk_X509_pop_free(cfg.encerts, X509_free);
sk_X509_pop_free(other, X509_free);
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
X509_VERIFY_PARAM_free(cfg.vpm);
sk_OPENSSL_STRING_free(cfg.sksigners);
sk_OPENSSL_STRING_free(cfg.skkeys);
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 90333098023..c185c7ebf79 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.157 2024/07/08 06:00:09 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.158 2024/08/12 15:34:58 job Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
@@ -110,7 +110,7 @@
.\" copied and put under another distribution licence
.\" [including the GNU Public Licence.]
.\"
-.Dd $Mdocdate: July 8 2024 $
+.Dd $Mdocdate: August 12 2024 $
.Dt OPENSSL 1
.Os
.Sh NAME
@@ -943,6 +943,7 @@ but without cipher suite codes.
.Oc
.Op Fl CAfile Ar file
.Op Fl CApath Ar directory
+.Op Fl CRLfile Ar file
.Op Fl binary
.Op Fl certfile Ar file
.Op Fl certsout Ar file
@@ -1133,6 +1134,9 @@ This directory must be a standard certificate directory: that is a hash
of each subject name (using
.Nm x509 Fl hash )
should be linked to each certificate.
+.It Fl CRLfile Ar file
+Allows additional certificate revocation lists to be specified for verification.
+The CRLs should be in PEM format.
.It Ar cert.pem ...
One or more certificates of message recipients: used when encrypting a message.
.It Fl certfile Ar file