openssl.pod: Fix openSSL options doc

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.ohe

openssl.pod: Fix openSSL options doc

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13651)

show more ...

openssl.pod: Carve out Trusted Certificate, Pass Phrase, Name Format, and Format Options

Move detailed doc to specific new files in doc/man1/openssl-*-options.pod

Reviewed-by: Tomas

openssl.pod: Carve out Trusted Certificate, Pass Phrase, Name Format, and Format Options

Move detailed doc to specific new files in doc/man1/openssl-*-options.pod

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13315)

show more ...

openssl.pod: Move verification doc to new doc/man1/openssl-verification-options.pod

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull

openssl.pod: Move verification doc to new doc/man1/openssl-verification-options.pod

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13315)

show more ...

x509_vfy.c: Restore rejection of expired trusted (root) certificate

The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the t

x509_vfy.c: Restore rejection of expired trusted (root) certificate

The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until commit 0e7b1383e, which accidentally killed it.

The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().

Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.

Fixes #13427

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13590)

show more ...

APPS: Adapt load_key() and load_pubkey() for the engine: loader

These two functions react when the FORMAT_ENGINE format is given, and
use the passed ENGINE |e| and the passed key argumen

APPS: Adapt load_key() and load_pubkey() for the engine: loader

These two functions react when the FORMAT_ENGINE format is given, and
use the passed ENGINE |e| and the passed key argument to form a URI
suitable for the engine: loader.

Co-authored-by: David von Oheimb <david.von.oheimb@siemens.com>

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13570)

show more ...

DOC: Fixup the description of the -x509_strict option

POD commands must always be surrounded by blank lines

POD transformers read everything in paragraph mode. The following
li

DOC: Fixup the description of the -x509_strict option

POD commands must always be surrounded by blank lines

POD transformers read everything in paragraph mode. The following
lines become *one* command, where the second line becomes part of the
text of the first, including the command itself. In other words,
this:

=item something
=item something else

Translates to this in a man-page:

something =item something else

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13412)

show more ...

openssl.pod: Improve doc of -verify_email, -verify_hostname, and -verify_ip

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12932)

Improve doc of X509_verify_cert(), also in openssl.pod

in particular regarding the checks due to X509_V_FLAG_X509_STRICT/-x509_strict

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.or

Improve doc of X509_verify_cert(), also in openssl.pod

in particular regarding the checks due to X509_V_FLAG_X509_STRICT/-x509_strict

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13312)

show more ...

Remove openssl provider app

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)

Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c

add various checks for malformedness to static check_chain_extensions() in x509_vfc.c
improve error r

Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c

add various checks for malformedness to static check_chain_extensions() in x509_vfc.c
improve error reporting of X509v3_cache_extensions() in v3_purp.c
add error reporting to x509_init_sig_info() in x509_set.c
improve static setup_dp() and related functions in v3_purp.c and v3_crld.c
add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)

show more ...

Support writing RSA keys using the traditional format again

Fixes: #6855

Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8743

Apps: change provider_path option to provider-path.

The applications use '-' in options not '_'.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.c

Apps: change provider_path option to provider-path.

The applications use '-' in options not '_'.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12662)

show more ...

Test RSA oaep in fips mode

Added RSA oaep test that uses the pkeyutl application.
Added an openssl application option to support loading a (fips) provider via the '-config' option.
A

Test RSA oaep in fips mode

Added RSA oaep test that uses the pkeyutl application.
Added an openssl application option to support loading a (fips) provider via the '-config' option.
Added openssl application related environment variable 'OPENSSL_TEST_LIBCTX' (for testing purposes only),
that creates a non default library context.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11948)

show more ...

Align documentation with recommendations of Linux Documentation Project

This change applies the recommendation of the Linux Documentation Project
to the documentation files of OpenSSL. A

Align documentation with recommendations of Linux Documentation Project

This change applies the recommendation of the Linux Documentation Project
to the documentation files of OpenSSL. Additionally, util/find-doc-nits
was updated accordingly.

The change follows a suggestion of mspncp on https://github.com/openssl/openssl/pull/12370
and incoporates the requested changes on the pull request

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12460)

show more ...

x509_vfy.c: Improve key usage checks in internal_verify() of cert chains

If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE

x509_vfy.c: Improve key usage checks in internal_verify() of cert chains

If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.

Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375)

show more ...

Fix typos and repeated words

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from ht

Fix typos and repeated words

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12320)

show more ...

Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()

Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verif

Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()

Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix

Fixes #1418

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

show more ...

Improve documentation, layout, and code comments regarding self-issued certs etc.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1

Improve documentation, layout, and code comments regarding self-issued certs etc.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

show more ...

APPS: Drop interactive mode in the 'openssl' program

This mode is severely untested and unmaintained, is seems not to be
used very much.

Closes #4679
Closes #6292

R

APPS: Drop interactive mode in the 'openssl' program

This mode is severely untested and unmaintained, is seems not to be
used very much.

Closes #4679
Closes #6292

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12023)

show more ...

doc: fix trace category names

The `ENGINE_CONF` and `PROVIDER_CONF` trace categories were merged
into a single `CONF` category (see bc362b9b7202 and 71849dff56d6).

Reviewed-by:

doc: fix trace category names

The `ENGINE_CONF` and `PROVIDER_CONF` trace categories were merged
into a single `CONF` category (see bc362b9b7202 and 71849dff56d6).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11806)

show more ...

Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c

This also adds the more flexible and general load_key_cert_crl()
as well as helper functions get_passwd(), cleanse(

Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c

This also adds the more flexible and general load_key_cert_crl()
as well as helper functions get_passwd(), cleanse(), and clear_free()
to be used also in apps/cmp.c etc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11755)

show more ...

doc: Random spellchecking

A little spell checking.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Revi

doc: Random spellchecking

A little spell checking.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11644)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)

Fix descriptions of credentials and verification options for various apps

fix doc of s_client and s_server credentials and verification options
fix doc of verification options also for s

Fix descriptions of credentials and verification options for various apps

fix doc of s_client and s_server credentials and verification options
fix doc of verification options also for s_time, x509, crl, req, ts, and verify
correcting and extending texts regarding untrusted and trusted certs,
making the order of options in the docs and help texts more consistent,
etc.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11273)

show more ...

DOCS: Use "command" not "tool" or "utility"

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/

DOCS: Use "command" not "tool" or "utility"

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11123)

show more ...