Diffstat (limited to 'usr/src/cmd')
| -rw-r--r-- | usr/src/cmd/cmd-crypto/pktool/export.c | 10 | ||||
| -rw-r--r-- | usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/openssl_util.c | 2 | ||||
| -rw-r--r-- | usr/src/cmd/openssl/Makefile.com | 8 | ||||
| -rw-r--r-- | usr/src/cmd/openssl/openssl.cnf | 69 |
4 files changed, 71 insertions, 18 deletions
diff --git a/usr/src/cmd/cmd-crypto/pktool/export.c b/usr/src/cmd/cmd-crypto/pktool/export.c index 0e3f5e1acd..46fbccb37e 100644 --- a/usr/src/cmd/cmd-crypto/pktool/export.c +++ b/usr/src/cmd/cmd-crypto/pktool/export.c @@ -1051,8 +1051,8 @@ cvt_cert2x509(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj, X509 **c) /* Subject name (required) */ cryptodebug("calling d2i_X509_NAME for subject name"); - if ((ssl_subject = d2i_X509_NAME(NULL, &subject, subject_len)) == - NULL) { + if ((ssl_subject = d2i_X509_NAME(NULL, + (const unsigned char **) &subject, subject_len)) == NULL) { cryptoerror(LOG_STDERR, gettext( "Unable to convert certificate subject name.")); return (CKR_GENERAL_ERROR); @@ -1076,7 +1076,8 @@ cvt_cert2x509(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj, X509 **c) /* Issuer name (optional) */ cryptodebug("calling d2i_X509_NAME for issuer name"); - if ((ssl_issuer = d2i_X509_NAME(NULL, &issuer, issuer_len)) == NULL) { + if ((ssl_issuer = d2i_X509_NAME(NULL, (const unsigned char **) &issuer, + issuer_len)) == NULL) { cryptoerror(LOG_STDERR, gettext( "Unable to convert certificate issuer name.")); return (CKR_GENERAL_ERROR); @@ -1117,7 +1118,8 @@ cvt_cert2x509(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj, X509 **c) * if we started with CKA_VALUE that was saved originally. */ cryptodebug("calling d2i_X509 for cert value"); - if ((temp_cert = d2i_X509(NULL, &value, value_len)) == NULL) { + if ((temp_cert = d2i_X509(NULL, (const unsigned char **) &value, + value_len)) == NULL) { cryptoerror(LOG_STDERR, gettext( "Unable to convert main certificate values.")); return (CKR_GENERAL_ERROR); diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/openssl_util.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/openssl_util.c index 56097e3cb8..589bbb8576 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/openssl_util.c +++ b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/openssl_util.c 
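Review bot: The three calls in cvt_cert2x509 pass the address of the buffer pointer itself (`&subject`, `&issuer`, `&value`), and the d2i_* functions advance the pointer they are given past the bytes they parse. If any of these pointers is freed or read again later (those lines are outside the hunks), it no longer points at the start of its buffer. Passing a scratch copy avoids that and makes the cast unnecessary, so the compiler's pointer-type check stays active: `const unsigned char *p = subject;` followed by `d2i_X509_NAME(NULL, &p, subject_len)`. The same applies to `&ber_buf` in get_modulus in kssladm/openssl_util.c, where any later use of ber_buf inside the function would see the advanced pointer. The body of cvt_cert2x509 starts and ends outside the hunks.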
@@ -113,7 +113,7 @@ get_modulus(uchar_t *ber_buf, int buflen, int *modlen) BIGNUM *bn; uchar_t *m = NULL, *mptr; - x = d2i_X509(NULL, &ber_buf, buflen); + x = d2i_X509(NULL, (const unsigned char **) &ber_buf, buflen); if (x != NULL) { pkey = X509_get_pubkey(x); if (pkey == NULL) { diff --git a/usr/src/cmd/openssl/Makefile.com b/usr/src/cmd/openssl/Makefile.com index 4a1e0f0f24..6aaf9b3e0b 100644 --- a/usr/src/cmd/openssl/Makefile.com +++ b/usr/src/cmd/openssl/Makefile.com @@ -2,9 +2,8 @@ # CDDL HEADER START # # The contents of this file are subject to the terms of the -# Common Development and Distribution License, Version 1.0 only -# (the "License"). You may not use this file except in compliance -# with the License. +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ # CDDL HEADER END # # -# Copyright 2004 Sun Microsystems, Inc. All rights reserved. +# Copyright 2006 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" @@ -56,6 +55,7 @@ OBJS = \ pkcs12.o \ pkcs7.o \ pkcs8.o \ + prime.o \ rand.o \ req.o \ rsa.o \ diff --git a/usr/src/cmd/openssl/openssl.cnf b/usr/src/cmd/openssl/openssl.cnf index b64999066d..83cb78478c 100644 --- a/usr/src/cmd/openssl/openssl.cnf +++ b/usr/src/cmd/openssl/openssl.cnf 
@@ -1,13 +1,9 @@ # -# Copyright 2005 Sun Microsystems, Inc. All rights reserved. -# Use is subject to license terms. -# # CDDL HEADER START # # The contents of this file are subject to the terms of the -# Common Development and Distribution License, Version 1.0 only -# (the "License"). You may not use this file except in compliance -# with the License. +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. @@ -22,12 +18,16 @@ # # CDDL HEADER END # -# ident "%Z%%M% %I% %E% SMI" # # OpenSSL configuration file for Solaris. # This is based on the example openssl.cnf file. # # This is mostly being used for generation of certificate requests. +# +# Copyright 2006 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +# ident "%Z%%M% %I% %E% SMI" # This definition stops the following lines choking if HOME isn't # defined. @@ -93,7 +93,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. +default_md = sha1 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -214,7 +214,7 @@ nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. 
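Review bot: `default_md = sha1` in the -93,7 hunk replaces MD5 with a digest that also has known collision weaknesses for certificate signatures, so certificates issued with this default still carry a weak signature hash. If the bundled OpenSSL build provides it, `default_md = sha256` is the safer default. Judging by the neighbouring `default_crl_days` line this looks like the CA defaults section. Whether the request section sets its own digest is outside the hunk and worth checking, so that certificate requests do not fall back to a weaker one.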
@@ -285,4 +285,55 @@ basicConstraints = CA:true # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo |
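Review bot: The new [ proxy_cert_ext ] section ships `proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo` as an active line, and `policy:foo` reads as a sample value rather than a real policy. Anyone who issues proxy certificates with this section unchanged gets a placeholder policy and a delegation depth of 3. A comment above the line would help, for example `# Sample values: set language, pathlen and policy for your site before issuing proxy certificates.` The section also keeps `authorityKeyIdentifier=keyid,issuer:always` while the -214,7 hunk relaxes the same setting to `keyid,issuer`; if that relaxation was meant for every end-entity section, this one should match.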
