From 6869ac5c06fa73704fa0d9fc2929273b41046a95 Mon Sep 17 00:00:00 2001 From: tb Date: Sat, 23 Oct 2021 11:36:44 +0000 Subject: [PATCH] Nuke the asn1-kludge. This was a workaround for CAs with broken PCKS#10 encoders many moons ago. OpenSSL removed it in 2015. ok beck jsing --- usr.bin/openssl/openssl.1 | 12 ++---------- usr.bin/openssl/req.c | 28 +++------------------------- 2 files changed, 5 insertions(+), 35 deletions(-) diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1 index 5f7f2394f7f..05f7e21cc9f 100644 --- a/usr.bin/openssl/openssl.1 +++ b/usr.bin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.132 2021/09/05 06:16:30 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.133 2021/10/23 11:36:44 tb Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -110,7 +110,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: September 5 2021 $ +.Dd $Mdocdate: October 23 2021 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -3649,7 +3649,6 @@ or standard output if not specified. .It Nm openssl req .Bk -words .Op Fl addext Ar ext -.Op Fl asn1-kludge .Op Fl batch .Op Fl config Ar file .Op Fl days Ar n @@ -3666,7 +3665,6 @@ or standard output if not specified. .Op Fl new .Op Fl newhdr .Op Fl newkey Ar arg -.Op Fl no-asn1-kludge .Op Fl nodes .Op Fl noout .Op Fl out Ar file @@ -3705,9 +3703,6 @@ option is present) or certificate request. The argument must have the form of a key=value pair as it would appear in a config file. This option can be given multiple times. -.It Fl asn1-kludge -Produce requests in an invalid format for certain picky CAs. -Very few CAs still require the use of this option. .It Fl batch Non-interactive mode. .It Fl config Ar file 
@@ -3819,9 +3814,6 @@ can be omitted, in which case any parameters can be specified via the .Fl pkeyopt option. -.It Fl no-asn1-kludge -Reverse the effect of -.Fl asn1-kludge . .It Fl nodes Do not encrypt the private key. .It Fl noout diff --git a/usr.bin/openssl/req.c b/usr.bin/openssl/req.c index aaf3dceb306..4ab091a097e 100644 --- a/usr.bin/openssl/req.c +++ b/usr.bin/openssl/req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: req.c,v 1.20 2021/10/22 09:44:30 tb Exp $ */ +/* $OpenBSD: req.c,v 1.21 2021/10/23 11:36:44 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -143,7 +143,6 @@ struct { char *keyfile; int keyform; char *keyout; - int kludge; int modulus; int multirdn; int newhdr; @@ -295,12 +294,6 @@ static const struct option req_options[] = { .type = OPTION_ARG_FUNC, .opt.argfunc = req_opt_addext, }, - { - .name = "asn1-kludge", - .type = OPTION_VALUE, - .opt.value = &req_config.kludge, - .value = 1, - }, { .name = "batch", .desc = "Operate in batch mode", @@ -401,12 +394,6 @@ static const struct option req_options[] = { .type = OPTION_ARG_FUNC, .opt.argfunc = req_opt_newkey, }, - { - .name = "no-asn1-kludge", - .type = OPTION_VALUE, - .opt.value = &req_config.kludge, - .value = 0, - }, { .name = "nodes", .desc = "Do not encrypt output private key", @@ -544,12 +531,12 @@ static void req_usage(void) { fprintf(stderr, - "usage: req [-addext ext] [-asn1-kludge] [-batch] [-config file]\n" + "usage: req [-addext ext] [-batch] [-config file]\n" " [-days n] [-extensions section] [-in file]\n" " [-inform der | pem] [-key keyfile] [-keyform der | pem]\n" " [-keyout file] [-md4 | -md5 | -sha1] [-modulus]\n" " [-multivalue-rdn] [-nameopt option] [-new] [-newhdr]\n" - " [-newkey arg] [-no-asn1-kludge] [-nodes] [-noout]\n" + " [-newkey arg] [-nodes] [-noout]\n" " [-out file] [-outform der | pem] [-passin arg]\n" " [-passout arg] [-pkeyopt opt:value] [-pubkey]\n" " [-reqexts section] [-reqopt option] [-set_serial n]\n" 
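Review bot: The rewritten usage lines in req_usage() drop `[-no-asn1-kludge]` along with `[-asn1-kludge]`, and with the matching req_options entries removed earlier in this file a script that still passes `-no-asn1-kludge` will presumably now fail with an unknown-option error, although that flag only ever requested the standard encoding (its entry set `req_config.kludge` to 0). Rejecting `-asn1-kludge` loudly is the right outcome, because ignoring it would silently hand back a differently encoded request than the caller asked for. For `-no-asn1-kludge`, consider keeping an entry that accepts and discards the flag, e.g. `{ .name = "no-asn1-kludge", .type = OPTION_DISCARD },` if the option parser's discard type fits here, or call out the removal in the release notes so CSR automation is updated. The parser is not visible on this page, so the failure mode is inferred; req_usage's body also continues past the end of the hunk.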
@@ -851,11 +838,6 @@ req_main(int argc, char **argv)
 BIO_printf(bio_err, "-----\n");
 }
 if (!req_config.newreq) {
- /*
- * Since we are using a pre-existing certificate request, the
- * kludge 'format' info should not be changed.
- */
- req_config.kludge = -1;
 if (req_config.infile == NULL)
 BIO_set_fp(in, stdin, BIO_NOCLOSE);
 else {
@@ -890,10 +872,6 @@ req_main(int argc, char **argv)
 }
 i = make_REQ(req, pkey, req_config.subj, req_config.multirdn, !req_config.x509, req_config.chtype);
 req_config.subj = NULL; /* done processing '-subj' option */
- if ((req_config.kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) {
- sk_X509_ATTRIBUTE_free(req->req_info->attributes);
- req->req_info->attributes = NULL;
- }
 if (!i) {
 BIO_printf(bio_err, "problems making Certificate Request\n");
 goto end;
-- 
2.20.1