Filipe R. Da Silva
871e10f17a
apps: remove atoi() calls.
...
Related to #8216
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Mon Apr 13 09:30:21 2026
(Merged from https://github.com/openssl/openssl/pull/30476)
2026-04-13 11:29:19 +02:00
Tomas Mraz
8911fedcda
ca.c: Partially revert incorrect simplification of string check
...
Fixes 25c2ada89
Fixes Coverity 1688667
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 18 13:32:01 2026
(Merged from https://github.com/openssl/openssl/pull/30460)
2026-03-18 09:31:30 -04:00
Bob Beck
25c2ada896
Clean up asn1/ca.c
...
Collapse a bunch of type calls down to a local variable
Fixes: 29974
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 16 11:27:08 2026
(Merged from https://github.com/openssl/openssl/pull/30397)
2026-03-16 11:26:47 +00:00
openssl-machine
c721580653
Copyright year updates
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:37:54 2026
Release: yes
2026-03-10 14:37:52 +00:00
Alexandr Nedvedicky
d6db530411
Coverity complains X509_REQ_set_subject_name() return value
...
is ignored.
Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1201538
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Mar 2 13:03:03 2026
(Merged from https://github.com/openssl/openssl/pull/30193)
2026-03-02 08:02:56 -05:00
Bob Beck
46dbd7faa0
Make ASN1_STRING opaque
...
This laudable goal, should it land, will be followed
with an issue raised to eat our own dogfood and find
every file with <crypto/asn1.h> added to it in this
commit, and change to the appropriate accessors,
which should be possible in most places we aren't
actually implementing things that change the values
Fixes: https://github.com/openssl/openssl/issues/29860
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 10:14:57 2026
(Merged from https://github.com/openssl/openssl/pull/29862)
2026-02-25 11:12:51 +01:00
Bob Beck
b0f2107b44
Constify X509_NAME
...
There are still a few casts away from const where things do not actually
end up mutating the object, we'll deal with that later.
Part of #28654 and #29117
Fixes openssl/project#1781
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Wed Feb 25 09:58:35 2026
(Merged from https://github.com/openssl/openssl/pull/29468)
2026-02-25 10:56:17 +01:00
Dr. David von Oheimb
1c34275e61
X509V3_set_nconf(): Improve error handling using this function, mostly in apps/
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16998)
2026-02-21 14:59:44 +01:00
Frederik Wedel-Heinen
d2ed55548d
Const correct time parameter for X509_cmp_time(), X509_time_adj() and X509_time_adj_ex().
...
Fixes #21371
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 16:36:52 2026
(Merged from https://github.com/openssl/openssl/pull/30020)
2026-02-20 11:36:37 -05:00
Bob Beck
f0ec2581c4
Remove the "msie-hack" option from openssl ca
...
This has been documented as a deprecated option for
a long time, as we are not even certain this does what
was originally intended anymore, as it has no tests and
its time of usefulness has long since passed.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 10:09:33 2026
(Merged from https://github.com/openssl/openssl/pull/30033)
2026-02-19 11:09:31 +01:00
Philip Prindeville
7b6c638dd5
Cleanup of printing in apps
...
Don't use BIO_printf() where BIO_puts() will do.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:05:38 2026
(Merged from https://github.com/openssl/openssl/pull/29677)
2026-02-13 16:05:36 +01:00
Bob Beck
2fab90bb5e
4.0-POST-CLANG-FORMAT-WEBKIT
...
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29242)
2025-12-09 00:28:19 -07:00
Norbert Pocs
9425238145
apps/: Remove "-keyform engine"
...
Resolves: https://github.com/openssl/project/issues/1354
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
2025-12-04 07:31:06 -05:00
Norbert Pocs
26b1723ed4
apps/: Remove engines
...
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
2025-12-04 07:31:05 -05:00
Caolán McNamara
d5af86a80b
const up various low hanging things
...
to move these symbols out of the .data section
remaining list approx-sorted by size with:
objdump -t libcrypto.so libssl.so | grep -v \\.data.rel.ro | grep \\.data | sort -r -k 4
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28588)
2025-11-28 09:36:45 +01:00
Eugene Syromiatnikov
ddee212bab
apps: use app_malloc_array()
...
Replace app_malloc() calls with app_malloc_array() ones where
appropriate.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28444)
2025-09-07 07:22:24 -04:00
openssl-machine
e66332418f
Copyright year updates
...
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Release: yes
2025-09-02 13:05:45 +00:00
Tomas Mraz
c62cd07d14
apps: Silence warnings on Win64 builds
...
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27806)
2025-07-02 17:26:26 +02:00
FdaSilvaYY
23b795d34f
apps: direct inclusion of "e_os.h" when needed
...
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14344)
2024-09-05 17:02:51 +02:00
Tomas Mraz
7ed6de997f
Copyright year updates
...
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
2024-09-05 09:35:49 +02:00
Stephan Wurm
8120223773
apps: ca,req,x509: Add explicit start and end dates options
...
- Added options `-not_before` (start date) and `-not-after` (end date)
for explicit setting of the validity period of a certificate in the
apps `ca`, `req` and `x509`
- The new options accept time strings or "today"
- In app `ca`, use the new options as aliases of the already existing
options `-startdate` and `-enddate`
- When used in apps `req` and `x509`, the end date must be >= the start
date, in app `ca` end date < start date is also accepted
- In any case, `-not-after` overrides the `-days` option
- Added helper function `check_cert_time_string` to validate given
certificate time strings
- Use the new helper function in apps `ca`, `req` and `x509`
- Moved redundant code for time string checking into `set_cert_times`
helper function.
- Added tests for explicit start and end dates in apps `req` and `x509`
- test: Added auxiliary functions for parsing fields from `-text`
formatted output to `tconversion.pl`
- CHANGES: Added to new section 3.4
Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21716)
2024-04-09 20:13:31 +02:00
Matt Caswell
da1c088f59
Copyright year updates
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
2023-09-07 09:59:15 +01:00
Fatih Arslan Tugay
ccb2f3080d
Correct spelling of database
...
Apply normal sentence case to db update message
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21535)
2023-07-27 10:12:18 -04:00
Richard Levitte
af99d55078
apps/ca.c: Handle EVP_PKEY_get_default_digest_name() returning 1 with "UNDEF"
...
EVP_PKEY_get_default_digest_name() may return 1 with the returned digest
name "UNDEF". This case hasn't been documented, and the meaning has been
left undefined, until now.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20460)
2023-06-15 14:03:57 +02:00
Dr. David von Oheimb
b77826877b
APPS: replace awkward and error-prone pattern by calls to new app_conf_try_number()
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
2023-05-25 09:04:35 +02:00
Dr. David von Oheimb
da7f81d393
APPS: replace awkward and error-prone pattern by calls to new app_conf_try_string()
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
2023-05-25 09:04:35 +02:00
Dr. David von Oheimb
c8aec16383
APPS/ca: remove spurious errors when certain config file entries are not provided
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
2023-05-25 09:04:35 +02:00
Tianjia Zhang
a75f707fca
apps: silent warning when loading CSR files with vfyopt option
...
When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:
Warning: CSR self-signature does not match the contents
This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)
2023-05-03 09:48:17 +02:00
Dr. David von Oheimb
342e3652c7
APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
2023-01-24 15:16:47 +01:00
Dr. David von Oheimb
200d844782
APPS: Move load_csr_autofmt() from apps/cmp.c to apps.c and use it also for apps, too
...
Also add related references to FR #15725.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18900)
2022-09-20 20:59:50 +02:00
Dr. David von Oheimb
ec8a340948
APPS/x509: With -CA but both -CAserial and -CAcreateserial not given, use random serial.
...
Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
2022-07-14 07:23:58 +01:00
Peiwei Hu
c540a82767
Fix the checks of X509_REVOKED_add1_ext_i2d
...
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18400)
2022-06-23 12:42:25 +02:00
Dmitry Belyavskiy
fba140c735
str[n]casecmp => OPENSSL_strncasecmp
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18069)
2022-04-22 11:34:41 +02:00
Armin Fuerst
065121ff19
Add tests for do_updatedb
...
Fixes #13944
Moved "opt_printf_stderr" out of apps.c to avoid duplicate definition in tests.
Added function "asn1_string_to_time_t" including tests.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17645)
2022-02-14 10:18:46 +01:00
Philip Prindeville
a414fd6765
Add -verbose/-quiet flags to dhparam
...
Allow dhparam to run quietly in scripts, etc.
For other commands that took a -verbose flag already, also support -quiet.
For genpkey which only supported -quiet, add the -verbose flag.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17336)
2022-01-28 15:24:41 +01:00
Pauli
e52698f9e3
apps/ca: replace ;; with ; as statement separator
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17528)
2022-01-18 15:10:38 +11:00
Dr. David von Oheimb
79b2a2f2ee
add OSSL_STACK_OF_X509_free() for commonly used pattern
...
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17307)
2021-12-21 12:11:49 +01:00
Dr. David von Oheimb
adbd77f6d7
X509: Fix handling of AKID and SKID extensions according to configuration
...
Fixes #16300
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
2021-11-11 20:18:55 +01:00
Tianjia Zhang
db226bf20f
Remove executable mode attributes of non-executable files
...
Remove the executable attributes of some C code files and key files,
change the file mode from 0755 to 0644.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16045)
2021-07-13 16:04:32 +10:00
William Edmisten
8c5bff2220
Add support for ISO 8601 datetime format
...
Fixes #5430
Added the configuration file option "date_opt" to the openssl applications ca,
crl and x509.
Added ASN1_TIME_print_ex which supports the new datetime format using the
flag ASN1_DTFLGS_ISO8601
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14384)
2021-06-11 12:39:46 +02:00
Florian Mickler
ca29cc1453
openssl ca: make index.txt parsing error more verbose
...
If index.txt exists but has some problems (like for example a single \n character in it) openssl will just exit without any error message.
Bug at least experienced twice: https://superuser.com/questions/1327848/openssl-ca-fails-after-password-without-error-message
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15360)
2021-05-24 14:36:59 +02:00
Tomas Mraz
d382e79632
Make the -inform option to be respected if possible
...
Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be
set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.
The input type format is enforced only in case the file
type file store is used.
By default we use FORMAT_UNDEF meaning the input type
is not enforced.
Fixes #14569
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
2021-05-06 11:43:32 +01:00
Dr. David von Oheimb
b0f960189b
APPS: Replace 'OPT_ERR = -1, OPT_EOF = 0, OPT_HELP' by OPT_COMMON macro
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)
2021-05-05 20:48:20 +02:00
Petr Gotthard
91034b68b3
apps/ca,req,x509: Switch to EVP_DigestSignInit_ex
...
Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it
works with external providers.
Since EVP_DigestSignInit_ex requires a digest name instead of
an EVP_MD pointer, the apps using do_sign_init() had to be modified
to pass char* instead of EVP_MD*.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15014)
2021-04-30 21:02:59 +02:00
David Benjamin
cdf63a3736
Add X509 version constants.
...
The X509 version APIs return the numerical values of the version
numbers, which are one off from the names. This is a bit confusing.
Where they don't get it wrong (accidentally making an "X509v4"
certificate), callers tend to try commenting every call site to explain
the mismatch, including in OpenSSL itself.
Define constants for these values, so code can be self-documenting and
callers are nudged towards the right values.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14549)
2021-04-28 11:40:06 +02:00
Rich Salz
606a417fb2
Fetch and free cipher and md's
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)
2021-04-20 10:12:29 +02:00
Dr. David von Oheimb
3ad6030948
APPS: make apps strict on app_RAND_load() and app_RAND_write() failure
...
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14840)
2021-04-14 16:48:27 +02:00
Shane Lontis
e6c2f96489
Fix more certificate related lib_ctx settings.
...
Fixes #13732
Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.
Added X509_CRL_new_ex().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)
2021-04-08 11:30:44 +10:00
Tomas Mraz
5050fd5b3b
Avoid going through NID when unnecessary
...
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14703)
2021-04-01 14:39:54 +02:00
Dr. David von Oheimb
d44a8a16c8
apps/ca.c: Make sure ext_ctx structure gets initialized
...
Fixes #14175
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14181)
2021-02-17 17:13:32 +01:00