diff options
author | Job Snijders <job@cvs.openbsd.org> | 2024-08-12 15:34:59 +0000 |
---|---|---|
committer | Job Snijders <job@cvs.openbsd.org> | 2024-08-12 15:34:59 +0000 |
commit | 1ab2e11c01a2d3c7922165d0d3bedd1525c4a017 (patch) | |
tree | be4aa60bd45a0310c8e4345d4dd7dd600511db87 /usr.bin/openssl | |
parent | fd5255781c8206f7c0180e2e4920f3cb979b2753 (diff) |
Add -CRLfile option to 'cms' sub command
This option allows to verify certs in a CMS object against additional
CRLs.
Ported from work by Tom Harrison from APNIC
OK tb@
Diffstat (limited to 'usr.bin/openssl')
-rw-r--r-- | usr.bin/openssl/cms.c | 37 | ||||
-rw-r--r-- | usr.bin/openssl/openssl.1 | 8 |
2 files changed, 38 insertions, 7 deletions
diff --git a/usr.bin/openssl/cms.c b/usr.bin/openssl/cms.c index b94e14675bb..7420d0ab8cc 100644 --- a/usr.bin/openssl/cms.c +++ b/usr.bin/openssl/cms.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms.c,v 1.35 2023/11/21 17:56:19 tb Exp $ */ +/* $OpenBSD: cms.c,v 1.36 2024/08/12 15:34:58 job Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -110,6 +110,7 @@ static struct { X509 *cert; char *certfile; char *certsoutfile; + char *crlfile; const EVP_CIPHER *cipher; char *contfile; ASN1_OBJECT *econtent_type; @@ -548,6 +549,13 @@ static const struct option cms_options[] = { .opt.arg = &cfg.CApath, }, { + .name = "CRLfile", + .argname = "file", + .desc = "Other certificate revocation lists file", + .type = OPTION_ARG, + .opt.arg = &cfg.crlfile, + }, + { .name = "binary", .desc = "Do not translate message to text", .type = OPTION_VALUE_OR, @@ -1111,10 +1119,10 @@ cms_usage(void) "[-aes128 | -aes192 | -aes256 | -camellia128 |\n" " -camellia192 | -camellia256 | -des | -des3 |\n" " -rc2-40 | -rc2-64 | -rc2-128] [-CAfile file]\n" - " [-CApath directory] [-binary] [-certfile file]\n" - " [-certsout file] [-cmsout] [-compress] [-content file]\n" - " [-crlfeol] [-data_create] [-data_out] [-debug_decrypt]\n" - " [-decrypt] [-digest_create] [-digest_verify]\n" + " [-CApath directory] [-CRLfile file] [-binary]\n" + " [-certfile file] [-certsout file] [-cmsout] [-compress]\n" + " [-content file] [-crlfeol] [-data_create] [-data_out]\n" + " [-debug_decrypt] [-decrypt] [-digest_create] [-digest_verify]\n" " [-econtent_type type] [-encrypt] [-EncryptedData_decrypt]\n" " [-EncryptedData_encrypt] [-from addr] [-in file]\n" " [-inform der | pem | smime] [-inkey file]\n" @@ -1158,6 +1166,7 @@ cms_main(int argc, char **argv) X509 *recip = NULL, *signer = NULL; EVP_PKEY *key = NULL; STACK_OF(X509) *other = NULL; + STACK_OF(X509_CRL) *crls = NULL; BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; int badarg = 0; CMS_ReceiptRequest *rr = NULL; @@ -1316,6 +1325,14 @@ cms_main(int argc, char **argv) goto end; } } + + if (cfg.crlfile != NULL) { + crls = load_crls(bio_err, cfg.crlfile, FORMAT_PEM, NULL, + "other CRLs"); + if (crls == NULL) + goto end; + } + if (cfg.recipfile != NULL && (cfg.operation == SMIME_DECRYPT)) { if ((recip = load_cert(bio_err, cfg.recipfile, @@ -1677,6 +1694,15 @@ cms_main(int argc, char **argv) cfg.secret_keylen, indata, out, cfg.flags)) goto end; } else if (cfg.operation == SMIME_VERIFY) { + if (cfg.crlfile != NULL) { + int i; + + for (i = 0; i < sk_X509_CRL_num(crls); i++) { + X509_CRL *crl = sk_X509_CRL_value(crls, i); + if (!CMS_add1_crl(cms, crl)) + goto end; + } + } if (CMS_verify(cms, other, store, indata, out, cfg.flags) > 0) { BIO_printf(bio_err, "Verification successful\n"); @@ -1752,6 +1778,7 @@ cms_main(int argc, char **argv) sk_X509_pop_free(cfg.encerts, X509_free); sk_X509_pop_free(other, X509_free); + sk_X509_CRL_pop_free(crls, X509_CRL_free); X509_VERIFY_PARAM_free(cfg.vpm); sk_OPENSSL_STRING_free(cfg.sksigners); sk_OPENSSL_STRING_free(cfg.skkeys); diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1 index 90333098023..c185c7ebf79 100644 --- a/usr.bin/openssl/openssl.1 +++ b/usr.bin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.157 2024/07/08 06:00:09 tb Exp $ +.\" $OpenBSD: openssl.1,v 1.158 2024/08/12 15:34:58 job Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -110,7 +110,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: July 8 2024 $ +.Dd $Mdocdate: August 12 2024 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -943,6 +943,7 @@ but without cipher suite codes. .Oc .Op Fl CAfile Ar file .Op Fl CApath Ar directory +.Op Fl CRLfile Ar file .Op Fl binary .Op Fl certfile Ar file .Op Fl certsout Ar file @@ -1133,6 +1134,9 @@ This directory must be a standard certificate directory: that is a hash of each subject name (using .Nm x509 Fl hash ) should be linked to each certificate. +.It Fl CRLfile Ar file +Allows additional certificate revocation lists to be specified for verification. +The CRLs should be in PEM format. .It Ar cert.pem ... One or more certificates of message recipients: used when encrypting a message. .It Fl certfile Ar file |