From 77fb829e28a4fec2a4425ebefffdd6a01266b315 Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 8 Jul 2024 05:56:17 +0000
Subject: [PATCH] Remove spkac handling from openssl(1) ca

This is very poorly written code and now the only consumer of some public API that should not have survived the turn of the millenium.

ok jsing
---
 usr.bin/openssl/ca.c | 190 +------------------------------------------
 1 file changed, 3 insertions(+), 187 deletions(-)

diff --git a/usr.bin/openssl/ca.c b/usr.bin/openssl/ca.c
index c0e011e7ad8..80561712ffc 100644
--- a/usr.bin/openssl/ca.c
+++ b/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.59 2024/06/23 07:50:52 tb Exp $ */
+/* $OpenBSD: ca.c,v 1.60 2024/07/08 05:56:17 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -135,12 +135,6 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey,
 char *enddate, long days, int batch, char *ext_sect, CONF *conf,
 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
 int ext_copy);
-static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
- X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
- STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
- unsigned long chtype, int multirdn, int email_dn, char *startdate,
- char *enddate, long days, char *ext_sect, CONF *conf, int verbose,
- unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
 static int write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
@@ -202,7 +196,6 @@ static struct {
 char *section;
 int selfsign;
 STACK_OF(OPENSSL_STRING) *sigopts;
- char *spkac_file;
 char *ss_cert_file;
 char *startdate;
 char *subj;
@@ -288,14 +281,6 @@ ca_opt_sigopt(char *arg)
 return (0);
 }
 
-static int
-ca_opt_spkac(char *arg)
-{
- cfg.spkac_file = arg;
- cfg.req = 1;
- return (0);
-}
-
 static int
 ca_opt_ss_cert(char *arg)
 {
@@ -551,13 +536,6 @@ static const struct option ca_options[] = {
 .type = OPTION_ARG_FUNC,
 .opt.argfunc = ca_opt_sigopt,
 },
- {
- .name = "spkac",
- .argname = "file",
- .desc = "File contains DN and signed public key and challenge",
- .type = OPTION_ARG_FUNC,
- .opt.argfunc = ca_opt_spkac,
- },
 {
 .name = "ss_cert",
 .argname = "file",
@@ -621,7 +599,7 @@ ca_usage(void)
 " [-md alg] [-multivalue-rdn] [-name section]\n"
 " [-noemailDN] [-notext] [-out file] [-outdir directory]\n"
 " [-passin arg] [-policy name] [-preserveDN] [-revoke file]\n"
- " [-selfsign] [-sigopt nm:v] [-spkac file] [-ss_cert file]\n"
+ " [-selfsign] [-sigopt nm:v] [-ss_cert file]\n"
 " [-startdate date] [-status serial] [-subj arg] [-updatedb]\n"
 " [-utf8] [-verbose]\n\n");
 options_usage(ca_options);
@@ -824,8 +802,7 @@ ca_main(int argc, char **argv)
 }
 /*****************************************************************/
 /* we need a certificate */
- if (!cfg.selfsign || cfg.spkac_file != NULL ||
- cfg.ss_cert_file != NULL || cfg.gencrl) {
+ if (!cfg.selfsign || cfg.ss_cert_file != NULL || cfg.gencrl) {
 if ((cfg.certfile == NULL) &&
 ((cfg.certfile = NCONF_get_string(conf,
 cfg.section, ENV_CERTIFICATE)) == NULL)) {
@@ -1163,34 +1140,6 @@ ca_main(int argc, char **argv)
 BIO_printf(bio_err, "Memory allocation failure\n");
 goto err;
 }
- if (cfg.spkac_file != NULL) {
- total++;
- j = certify_spkac(&x, cfg.spkac_file, pkey, x509,
- dgst, cfg.sigopts, attribs, db, serial,
- cfg.subj, cfg.chtype,
- cfg.multirdn, cfg.email_dn,
- cfg.startdate, cfg.enddate,
- cfg.days, cfg.extensions, conf,
- cfg.verbose, certopt, nameopt, default_op,
- ext_copy);
- if (j < 0)
- goto err;
- if (j > 0) {
- total_done++;
- BIO_printf(bio_err, "\n");
- if (!BN_add_word(serial, 1))
- goto err;
- if (!sk_X509_push(cert_sk, x)) {
- BIO_printf(bio_err,
- "Memory allocation failure\n");
- goto err;
- }
- if (cfg.outfile != NULL) {
- output_der = 1;
- cfg.batch = 1;
- }
- }
- }
 if (cfg.ss_cert_file != NULL) {
 total++;
 j = certify_cert(&x, cfg.ss_cert_file, pkey, x509,
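Review bot: The removed block carried the only assignment to `output_der` visible in this diff (`output_der = 1;` on the SPKAC-with-outfile path), together with `cfg.batch = 1;`; if ca_main has no other assignment, `output_der` now keeps its initial value for the whole run and the `int output_der` parameter of `write_new_certificate` (its signature is context in the hunk at @@ -2294) is only ever passed a constant. That would leave a DER output branch that openssl(1) ca can no longer reach, so a follow-up could drop the variable and the parameter together, or a short comment at the call site could say why they stay. ca_main starts and ends outside this hunk, so whether another assignment exists cannot be confirmed from the diff alone.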
@@ -2294,139 +2243,6 @@ write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
 return PEM_write_bio_X509(bp, x);
 }
 
-static int
-certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
- STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
- unsigned long chtype, int multirdn, int email_dn, char *startdate,
- char *enddate, long days, char *ext_sect, CONF *lconf, int verbose,
- unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy)
-{
- STACK_OF(CONF_VALUE) *sk = NULL;
- LHASH_OF(CONF_VALUE) *parms = NULL;
- X509_REQ *req = NULL;
- CONF_VALUE *cv = NULL;
- NETSCAPE_SPKI *spki = NULL;
- char *type, *buf;
- EVP_PKEY *pktmp = NULL;
- X509_NAME *n = NULL;
- int ok = -1, i, j;
- long errline;
- int nid;
-
- /*
- * Load input file into a hash table. (This is just an easy
- * way to read and parse the file, then put it into a convenient
- * STACK format).
- */
- parms = CONF_load(NULL, infile, &errline);
- if (parms == NULL) {
- BIO_printf(bio_err, "error on line %ld of %s\n",
- errline, infile);
- ERR_print_errors(bio_err);
- goto err;
- }
- sk = CONF_get_section(parms, "default");
- if (sk_CONF_VALUE_num(sk) == 0) {
- BIO_printf(bio_err, "no name/value pairs found in %s\n",
- infile);
- goto err;
- }
- /*
- * Now create a dummy X509 request structure. We don't actually
- * have an X509 request, but we have many of the components
- * (a public key, various DN components). The idea is that we
- * put these components into the right X509 request structure
- * and we can use the same code as if you had a real X509 request.
- */
- req = X509_REQ_new();
- if (req == NULL) {
- ERR_print_errors(bio_err);
- goto err;
- }
- /*
- * Build up the subject name set.
- */
- n = X509_REQ_get_subject_name(req);
-
- for (i = 0;; i++) {
- if (sk_CONF_VALUE_num(sk) <= i)
- break;
-
- cv = sk_CONF_VALUE_value(sk, i);
- type = cv->name;
- /*
- * Skip past any leading X. X: X, etc to allow for multiple
- * instances
- */
- for (buf = cv->name; *buf; buf++) {
- if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
- buf++;
- if (*buf)
- type = buf;
- break;
- }
- }
-
- buf = cv->value;
- if ((nid = OBJ_txt2nid(type)) == NID_undef) {
- if (strcmp(type, "SPKAC") == 0) {
- spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
- if (spki == NULL) {
- BIO_printf(bio_err,
- "unable to load Netscape SPKAC structure\n");
- ERR_print_errors(bio_err);
- goto err;
- }
- }
- continue;
- }
- if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
- (unsigned char *)buf, -1, -1, 0))
- goto err;
- }
- if (spki == NULL) {
- BIO_printf(bio_err,
- "Netscape SPKAC structure not found in %s\n", infile);
- goto err;
- }
- /*
- * Now extract the key from the SPKI structure.
- */
-
- BIO_printf(bio_err,
- "Check that the SPKAC request matches the signature\n");
-
- if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
- BIO_printf(bio_err, "error unpacking SPKAC public key\n");
- goto err;
- }
- j = NETSCAPE_SPKI_verify(spki, pktmp);
- if (j <= 0) {
- BIO_printf(bio_err,
- "signature verification failed on SPKAC public key\n");
- goto err;
- }
- BIO_printf(bio_err, "Signature ok\n");
-
- if (!X509_REQ_set_pubkey(req, pktmp)) {
- EVP_PKEY_free(pktmp);
- goto err;
- }
- EVP_PKEY_free(pktmp);
- ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
- subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
- verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
- ext_copy, 0);
-
- err:
- X509_REQ_free(req);
- CONF_free(parms);
- NETSCAPE_SPKI_free(spki);
-
- return (ok);
-}
-
 static int
 check_time_format(const char *str)
 {
-- 
2.20.1