Merge pull request #3223 from Saurabh825/openssl

openssl: update to OpenSSL master

Author: rsteube

completers/common/openssl_completer/cmd/action/action.go

@@ -8,25 +8,6 @@ import (
 	"github.com/spf13/cobra"
 )
 
-// ActionEngines completes OpenSSL engines
-//
-//	dynamic (Dynamic engine loading support)
-//	rdrand (Intel RDRAND engine)
-func ActionEngines() carapace.Action {
-	return carapace.ActionExecCommand("openssl", "engine")(func(output []byte) carapace.Action {
-		re := regexp.MustCompile(`\(([^)]+)\)\s+(.+)`)
-		lines := strings.Split(string(output), "\n")
-
-		var values []string
-		for _, line := range lines {
-			if match := re.FindStringSubmatch(line); match != nil {
-				values = append(values, match[1], match[2])
-			}
-		}
-		return carapace.ActionValuesDescribed(values...)
-	})
-}
-
 // ActionDigestAlgorithms completes message digest algorithms
 //
 //	BLAKE2b512

completers/common/openssl_completer/cmd/ca.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"github.com/carapace-sh/carapace"
-	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/action"
 	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/common"
 	"github.com/spf13/cobra"
 )
@@ -35,7 +34,6 @@ func init() {
 	caCmd.Flags().StringSliceS("dateopt", "dateopt", nil, "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822.")
 	caCmd.Flags().StringS("days", "days", "", "Number of days from today to certify the cert for")
 	caCmd.Flags().StringS("enddate", "enddate", "", "[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days")
-	caCmd.Flags().StringS("engine", "engine", "", "Use engine, possibly a hardware device")
 	caCmd.Flags().StringS("extensions", "extensions", "", "Extension section (override value in config file)")
 	caCmd.Flags().StringS("extfile", "extfile", "", "Configuration file with X509v3 extensions to add")
 	caCmd.Flags().BoolS("gencrl", "gencrl", false, "Generate a new CRL")
@@ -44,7 +42,7 @@ func init() {
 	caCmd.Flags().StringS("inform", "inform", "", "CSR input format to use (PEM or DER; by default try PEM first)")
 	caCmd.Flags().StringS("key", "key", "", "Key to decrypt the private key or cert files if encrypted. Better use -passin")
 	caCmd.Flags().StringS("keyfile", "keyfile", "", "The CA private key")
-	caCmd.Flags().StringS("keyform", "keyform", "", "Private key file format (ENGINE, other values ignored)")
+	caCmd.Flags().StringS("keyform", "keyform", "", "Private key file format (DER/PEM)")
 	caCmd.Flags().StringS("md", "md", "", "Digest to use, such as sha256")
 	caCmd.Flags().BoolS("msie_hack", "msie_hack", false, "msie modifications to handle all Universal Strings")
 	caCmd.Flags().BoolS("multivalue-rdn", "multivalue-rdn", false, "Deprecated; multi-valued RDNs support is always on.")
@@ -86,12 +84,11 @@ func init() {
 		"cert":     carapace.ActionFiles(),
 		"certform": carapace.ActionValues("DER", "PEM", "P12"),
 		"config":   carapace.ActionFiles(),
-		"engine":   action.ActionEngines(),
 		"extfile":  carapace.ActionFiles(),
 		"in":       carapace.ActionFiles(),
 		"inform":   carapace.ActionValues("DER", "PEM"),
 		"keyfile":  carapace.ActionFiles(),
-		"keyform":  carapace.ActionValues("ENGINE", "DER", "PEM", "P12"),
+		"keyform":  carapace.ActionValues("DER", "PEM", "P12"),
 		"out":      carapace.ActionFiles(),
 		"outdir":   carapace.ActionDirectories(),
 		"revoke":   carapace.ActionFiles(),

completers/common/openssl_completer/cmd/ciphers.go

@@ -22,7 +22,6 @@ func init() {
 	ciphersCmd.Flags().BoolS("psk", "psk", false, "Include ciphersuites requiring PSK")
 	ciphersCmd.Flags().BoolS("s", "s", false, "Only supported ciphers")
 	ciphersCmd.Flags().BoolS("srp", "srp", false, "(deprecated) Include ciphersuites requiring SRP")
-	ciphersCmd.Flags().BoolS("ssl3", "ssl3", false, "Ciphers compatible with SSL3")
 	ciphersCmd.Flags().BoolS("stdname", "stdname", false, "Show standard cipher names")
 	ciphersCmd.Flags().BoolS("tls1", "tls1", false, "Ciphers compatible with TLS1")
 	ciphersCmd.Flags().BoolS("tls1_1", "tls1_1", false, "Ciphers compatible with TLS1.1")

completers/common/openssl_completer/cmd/cmp.go

@@ -2,14 +2,13 @@ package cmd
 
 import (
 	"github.com/carapace-sh/carapace"
-	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/action"
 	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/common"
 	"github.com/spf13/cobra"
 )
 
 var cmpCmd = &cobra.Command{
 	Use:     "cmp",
-	Short:   "Certificate Management Protocol (CMP, RFC 4210) application",
+	Short:   "Certificate Management Protocol (CMP, RFCs 9810 and 9811) application",
 	GroupID: "standard",
 	Run:     func(cmd *cobra.Command, args []string) {},
 }
@@ -36,8 +35,7 @@ func init() {
 	cmpCmd.Flags().StringS("csr", "csr", "", "PKCS#10 CSR file in PEM or DER format to convert or to use in p10cr")
 	cmpCmd.Flags().StringS("days", "days", "", "Requested validity time of the new certificate in number of days")
 	cmpCmd.Flags().StringS("digest", "digest", "", "Digest to use in message protection and POPO signatures. Default \"sha256\"")
-	cmpCmd.Flags().BoolS("disable_confirm", "disable_confirm", false, "Do not confirm newly enrolled certificate w/o requesting implicit confirmation. WARNING: This leads to behavior violating RFC 4210")
-	cmpCmd.Flags().StringS("engine", "engine", "", "Use crypto engine with given identifier, possibly a hardware device. Engines may also be defined in OpenSSL config file engine section.")
+	cmpCmd.Flags().BoolS("disable_confirm", "disable_confirm", false, "Do not confirm newly enrolled certificate w/o requesting implicit confirmation. WARNING: This leads to behavior violating RFC 9810")
 	cmpCmd.Flags().StringS("expect_sender", "expect_sender", "", "DN of expected sender of responses. Defaults to subject of -srvcert, if any")
 	cmpCmd.Flags().StringS("extracerts", "extracerts", "", "Certificates to append in extraCerts field of outgoing messages. This can be used as the default CMP signer cert chain to include")
 	cmpCmd.Flags().StringS("extracertsout", "extracertsout", "", "File to save extra certificates received in the extraCerts field")
@@ -51,7 +49,7 @@ func init() {
 	cmpCmd.Flags().StringS("issuer", "issuer", "", "DN of the issuer to place in the certificate template of ir/cr/kur/rr; also used as recipient if neither -recipient nor -srvcert are given")
 	cmpCmd.Flags().StringS("keep_alive", "keep_alive", "", "Persistent HTTP connections. 0: no, 1 (the default): request, 2: require")
 	cmpCmd.Flags().StringS("key", "key", "", "CMP signer private key, not used when -secret given")
-	cmpCmd.Flags().StringS("keyform", "keyform", "", "Format of the key input (ENGINE, other values ignored)")
+	cmpCmd.Flags().StringS("keyform", "keyform", "", "Format of the key input (DER/PEM/P12)")
 	cmpCmd.Flags().StringS("keypass", "keypass", "", "Client private key (and cert and old cert) pass phrase source")
 	cmpCmd.Flags().StringS("keyspec", "keyspec", "", "Optional file to save Key specification received in genp of type certReqTemplate")
 	cmpCmd.Flags().StringS("mac", "mac", "", "MAC algorithm to use in PBM-based message protection. Default \"hmac-sha1\"")
@@ -107,7 +105,7 @@ func init() {
 	cmpCmd.Flags().StringS("secret", "secret", "", "Prefer PBM (over signatures) for protecting msgs with given password source")
 	cmpCmd.Flags().StringS("section", "section", "", "Section(s) in config file to get options from. \"\" = 'default'. Default 'cmp'")
 	cmpCmd.Flags().BoolS("send_error", "send_error", false, "Force server to reply with error message")
-	cmpCmd.Flags().BoolS("send_unprot_err", "send_unprot_err", false, "In case of negative responses, server shall send unprotected error messages, certificate responses (ip/cp/kup), and revocation responses (rp). WARNING: This setting leads to behavior violating RFC 4210")
+	cmpCmd.Flags().BoolS("send_unprot_err", "send_unprot_err", false, "In case of negative responses, server shall send unprotected error messages, certificate responses (ip/cp/kup), and revocation responses (rp). WARNING: This setting leads to behavior violating RFC 9810")
 	cmpCmd.Flags().BoolS("send_unprotected", "send_unprotected", false, "Send response messages without CMP-level protection")
 	cmpCmd.Flags().StringS("serial", "serial", "", "Serial number of certificate to be revoked in revocation request (rr)")
 	cmpCmd.Flags().StringS("server", "server", "", "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443. address may be a DNS name or an IP address; path can be overridden by -path")
@@ -122,6 +120,7 @@ func init() {
 	cmpCmd.Flags().StringS("srvcertout", "srvcertout", "", "File to save the server cert used and validated for CMP response protection")
 	cmpCmd.Flags().StringS("statusstring", "statusstring", "", "Status string to be included in server response")
 	cmpCmd.Flags().StringS("subject", "subject", "", "Distinguished Name (DN) of subject to use in the requested cert template For kur, default is subject of -csr arg or reference cert (see -oldcert) this default is used for ir and cr only if no Subject Alt Names are set")
+	cmpCmd.Flags().BoolS("ta_in_ip_extracerts", "ta_in_ip_extracerts", false, "Permit using self-issued certificates from the extraCerts in an IP message as trust anchors under conditions defined by 3GPP TS 33.310 WARNING: This setting leads to behavior allowing violation of RFC 9810")
 	cmpCmd.Flags().StringS("template", "template", "", "File to save certTemplate received in genp of type certReqTemplate")
 	cmpCmd.Flags().StringS("tls_cert", "tls_cert", "", "Client's TLS certificate. May include chain to be provided to TLS server")
 	cmpCmd.Flags().StringS("tls_extra", "tls_extra", "", "Extra certificates to provide to TLS server during TLS handshake")
@@ -132,7 +131,7 @@ func init() {
 	cmpCmd.Flags().BoolS("tls_used", "tls_used", false, "Enable using TLS (also when other TLS options are not set)")
 	cmpCmd.Flags().StringS("total_timeout", "total_timeout", "", "Overall time an enrollment incl. polling may take. Default 0 = infinite")
 	cmpCmd.Flags().StringS("trusted", "trusted", "", "Certificates to use as trust anchors when verifying signed CMP responses unless -srvcert is given")
-	cmpCmd.Flags().BoolS("unprotected_errors", "unprotected_errors", false, "Accept missing or invalid protection of regular error messages and negative certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf WARNING: This setting leads to behavior allowing violation of RFC 4210")
+	cmpCmd.Flags().BoolS("unprotected_errors", "unprotected_errors", false, "Accept missing or invalid protection of regular error messages and negative certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf WARNING: This setting leads to behavior allowing violation of RFC 9810")
 	cmpCmd.Flags().BoolS("unprotected_requests", "unprotected_requests", false, "Send request messages without CMP-level protection")
 	cmpCmd.Flags().StringS("untrusted", "untrusted", "", "Intermediate CA certs for chain construction for CMP/TLS/enrolled certs")
 	cmpCmd.Flags().BoolS("use_mock_srv", "use_mock_srv", false, "Use internal mock server at API level, bypassing socket-based HTTP")
@@ -161,11 +160,10 @@ func init() {
 		"crlform":        carapace.ActionValues("DER", "PEM"),
 		"crlout":         carapace.ActionFiles(),
 		"csr":            carapace.ActionFiles(),
-		"engine":         action.ActionEngines(),
 		"extracerts":     carapace.ActionFiles(),
 		"extracertsout":  carapace.ActionFiles(),
 		"key":            carapace.ActionFiles(),
-		"keyform":        carapace.ActionValues("ENGINE", "DER", "PEM", "P12"),
+		"keyform":        carapace.ActionValues("DER", "PEM", "P12"),
 		"keyspec":        carapace.ActionFiles(),
 		"newkey":         carapace.ActionFiles(),
 		"newkeyout":      carapace.ActionFiles(),

completers/common/openssl_completer/cmd/cms.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"github.com/carapace-sh/carapace"
-	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/action"
 	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/common"
 	"github.com/spf13/cobra"
 )
@@ -46,14 +45,13 @@ func init() {
 	cmsCmd.Flags().BoolS("digest_verify", "digest_verify", false, "Verify a CMS \"DigestedData\" object and output it")
 	cmsCmd.Flags().StringS("econtent_type", "econtent_type", "", "OID for external content")
 	cmsCmd.Flags().BoolS("encrypt", "encrypt", false, "Encrypt message")
-	cmsCmd.Flags().StringS("engine", "engine", "", "Use engine e, possibly a hardware device")
 	cmsCmd.Flags().StringS("from", "from", "", "From address")
 	cmsCmd.Flags().StringS("in", "in", "", "Input file")
 	cmsCmd.Flags().BoolS("indef", "indef", false, "Same as -stream")
 	cmsCmd.Flags().StringS("inform", "inform", "", "Input format SMIME (default), PEM or DER")
 	cmsCmd.Flags().StringS("inkey", "inkey", "", "Input private key (if not signer or recipient)")
 	cmsCmd.Flags().StringS("kekcipher", "kekcipher", "", "The key encryption algorithm to use")
-	cmsCmd.Flags().StringS("keyform", "keyform", "", "Input private key format (ENGINE, other values ignored)")
+	cmsCmd.Flags().StringS("keyform", "keyform", "", "Input private key format (DER/PEM)")
 	cmsCmd.Flags().BoolS("keyid", "keyid", false, "Use subject key identifier")
 	cmsCmd.Flags().StringSliceS("keyopt", "keyopt", nil, "Set public key parameters as n:v pairs")
 	cmsCmd.Flags().StringS("md", "md", "", "Digest algorithm to use")
@@ -116,11 +114,10 @@ func init() {
 		"certsout":       carapace.ActionFiles(),
 		"config":         carapace.ActionFiles(),
 		"content":        carapace.ActionFiles(),
-		"engine":         action.ActionEngines(),
 		"in":             carapace.ActionFiles(),
 		"inform":         carapace.ActionValues("DER", "PEM", "SMIME"),
 		"inkey":          carapace.ActionFiles(),
-		"keyform":        carapace.ActionValues("ENGINE", "DER", "PEM", "P12"),
+		"keyform":        carapace.ActionValues("DER", "PEM", "P12"),
 		"originator":     carapace.ActionFiles(),
 		"out":            carapace.ActionFiles(),
 		"outform":        carapace.ActionValues("DER", "PEM", "SMIME"),

completers/common/openssl_completer/cmd/dgst.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"github.com/carapace-sh/carapace"
-	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/action"
 	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/common"
 	"github.com/spf13/cobra"
 )
@@ -21,12 +20,12 @@ func init() {
 	dgstCmd.Flags().BoolS("c", "c", false, "Print the digest with separating colons")
 	dgstCmd.Flags().BoolS("d", "d", false, "Print debug info")
 	dgstCmd.Flags().BoolS("debug", "debug", false, "Print debug info")
-	dgstCmd.Flags().StringS("engine", "engine", "", "Use engine e, possibly a hardware device")
-	dgstCmd.Flags().BoolS("engine_impl", "engine_impl", false, "Also use engine given by -engine for digest operations")
 	dgstCmd.Flags().BoolS("fips-fingerprint", "fips-fingerprint", false, "Compute HMAC with the key used in OpenSSL-FIPS fingerprint")
 	dgstCmd.Flags().BoolS("hex", "hex", false, "Print as hex dump")
 	dgstCmd.Flags().StringS("hmac", "hmac", "", "Create hashed MAC with key")
-	dgstCmd.Flags().StringS("keyform", "keyform", "", "Key file format (ENGINE, other values ignored)")
+	dgstCmd.Flags().StringS("hmac-env", "hmac-env", "", "Create hashed MAC with key from environment variable")
+	dgstCmd.Flags().BoolS("hmac-stdin", "hmac-stdin", false, "Create hashed MAC with key from stdin")
+	dgstCmd.Flags().StringS("keyform", "keyform", "", "Key file format (DER/PEM)")
 	dgstCmd.Flags().BoolS("list", "list", false, "List digests")
 	dgstCmd.Flags().StringS("mac", "mac", "", "Create MAC (not necessarily HMAC)")
 	dgstCmd.Flags().StringSliceS("macopt", "macopt", nil, "MAC algorithm parameters in n:v form or key")
@@ -44,8 +43,7 @@ func init() {
 	rootCmd.AddCommand(dgstCmd)
 
 	carapace.Gen(dgstCmd).FlagCompletion(carapace.ActionMap{
-		"engine":    action.ActionEngines(),
-		"keyform":   carapace.ActionValues("ENGINE", "DER", "PEM", "P12"),
+		"keyform":   carapace.ActionValues("DER", "PEM", "P12"),
 		"out":       carapace.ActionFiles(),
 		"prverify":  carapace.ActionFiles(),
 		"sign":      carapace.ActionFiles(),

completers/common/openssl_completer/cmd/dhparam.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"github.com/carapace-sh/carapace"
-	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/action"
 	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/common"
 	"github.com/spf13/cobra"
 )
@@ -22,7 +21,6 @@ func init() {
 	dhparamCmd.Flags().BoolS("5", "5", false, "Generate parameters using 5 as the generator value")
 	dhparamCmd.Flags().BoolS("check", "check", false, "Check the DH parameters")
 	dhparamCmd.Flags().BoolS("dsaparam", "dsaparam", false, "Read or generate DSA parameters, convert to DH")
-	dhparamCmd.Flags().StringS("engine", "engine", "", "Use engine e, possibly a hardware device")
 	dhparamCmd.Flags().StringS("in", "in", "", "Input file")
 	dhparamCmd.Flags().StringS("inform", "inform", "", "Input format, DER or PEM")
 	dhparamCmd.Flags().BoolS("noout", "noout", false, "Don't output any DH parameters")
@@ -36,7 +34,6 @@ func init() {
 	rootCmd.AddCommand(dhparamCmd)
 
 	carapace.Gen(dhparamCmd).FlagCompletion(carapace.ActionMap{
-		"engine":  action.ActionEngines(),
 		"in":      carapace.ActionFiles(),
 		"inform":  carapace.ActionValues("DER", "PEM"),
 		"out":     carapace.ActionFiles(),

completers/common/openssl_completer/cmd/dsa.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"github.com/carapace-sh/carapace"
-	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/action"
 	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/common"
 	"github.com/spf13/cobra"
 )
@@ -17,7 +16,6 @@ var dsaCmd = &cobra.Command{
 func init() {
 	carapace.Gen(dsaCmd).Standalone()
 
-	dsaCmd.Flags().StringS("engine", "engine", "", "Use engine e, possibly a hardware device")
 	dsaCmd.Flags().StringS("in", "in", "", "Input key")
 	dsaCmd.Flags().StringS("inform", "inform", "", "Input format (DER/PEM/PVK); has no effect")
 	dsaCmd.Flags().BoolS("modulus", "modulus", false, "Print the DSA public value")
@@ -36,7 +34,6 @@ func init() {
 	rootCmd.AddCommand(dsaCmd)
 
 	carapace.Gen(dsaCmd).FlagCompletion(carapace.ActionMap{
-		"engine":  action.ActionEngines(),
 		"in":      carapace.ActionFiles(),
 		"inform":  carapace.ActionValues("DER", "PEM"),
 		"out":     carapace.ActionFiles(),

completers/common/openssl_completer/cmd/dsaparam.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"github.com/carapace-sh/carapace"
-	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/action"
 	"github.com/carapace-sh/carapace-bin/completers/common/openssl_completer/cmd/common"
 	"github.com/spf13/cobra"
 )
@@ -17,7 +16,6 @@ var dsaparamCmd = &cobra.Command{
 func init() {
 	carapace.Gen(dsaparamCmd).Standalone()
 
-	dsaparamCmd.Flags().StringS("engine", "engine", "", "Use engine e, possibly a hardware device")
 	dsaparamCmd.Flags().BoolS("genkey", "genkey", false, "Generate a DSA key")
 	dsaparamCmd.Flags().StringS("in", "in", "", "Input file")
 	dsaparamCmd.Flags().StringS("inform", "inform", "", "Input format - DER or PEM")
@@ -32,7 +30,6 @@ func init() {
 	rootCmd.AddCommand(dsaparamCmd)
 
 	carapace.Gen(dsaparamCmd).FlagCompletion(carapace.ActionMap{
-		"engine":  action.ActionEngines(),
 		"in":      carapace.ActionFiles(),
 		"inform":  carapace.ActionValues("DER", "PEM"),
 		"out":     carapace.ActionFiles(),