]> git.ipfire.org Git - thirdparty/openssl.git/blob - apps/req.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Constify command options
[thirdparty/openssl.git] / apps / req.c
1 /*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <time.h>
13 #include <string.h>
14 #include "apps.h"
15 #include <openssl/bio.h>
16 #include <openssl/evp.h>
17 #include <openssl/conf.h>
18 #include <openssl/err.h>
19 #include <openssl/asn1.h>
20 #include <openssl/x509.h>
21 #include <openssl/x509v3.h>
22 #include <openssl/objects.h>
23 #include <openssl/pem.h>
24 #include <openssl/bn.h>
25 #ifndef OPENSSL_NO_RSA
26 # include <openssl/rsa.h>
27 #endif
28 #ifndef OPENSSL_NO_DSA
29 # include <openssl/dsa.h>
30 #endif
31
32 #define SECTION "req"
33
34 #define BITS "default_bits"
35 #define KEYFILE "default_keyfile"
36 #define PROMPT "prompt"
37 #define DISTINGUISHED_NAME "distinguished_name"
38 #define ATTRIBUTES "attributes"
39 #define V3_EXTENSIONS "x509_extensions"
40 #define REQ_EXTENSIONS "req_extensions"
41 #define STRING_MASK "string_mask"
42 #define UTF8_IN "utf8"
43
44 #define DEFAULT_KEY_LENGTH 2048
45 #define MIN_KEY_LENGTH 512
46
47 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
48 int attribs, unsigned long chtype);
49 static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
50 int multirdn);
51 static int prompt_info(X509_REQ *req,
52 STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
53 STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
54 int attribs, unsigned long chtype);
55 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
56 STACK_OF(CONF_VALUE) *attr, int attribs,
57 unsigned long chtype);
58 static int add_attribute_object(X509_REQ *req, char *text, const char *def,
59 char *value, int nid, int n_min, int n_max,
60 unsigned long chtype);
61 static int add_DN_object(X509_NAME *n, char *text, const char *def,
62 char *value, int nid, int n_min, int n_max,
63 unsigned long chtype, int mval);
64 static int genpkey_cb(EVP_PKEY_CTX *ctx);
65 static int req_check_len(int len, int n_min, int n_max);
66 static int check_end(const char *str, const char *end);
67 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
68 int *pkey_type, long *pkeylen,
69 char **palgnam, ENGINE *keygen_engine);
70 static CONF *req_conf = NULL;
71 static int batch = 0;
72
73 typedef enum OPTION_choice {
74 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
75 OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
76 OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
77 OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_RAND, OPT_NEWKEY,
78 OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
79 OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
80 OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
81 OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
82 OPT_REQEXTS, OPT_MD
83 } OPTION_CHOICE;
84
85 const OPTIONS req_options[] = {
86 {"help", OPT_HELP, '-', "Display this summary"},
87 {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
88 {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
89 {"in", OPT_IN, '<', "Input file"},
90 {"out", OPT_OUT, '>', "Output file"},
91 {"key", OPT_KEY, 's', "Private key to use"},
92 {"keyform", OPT_KEYFORM, 'f', "Key file format"},
93 {"pubkey", OPT_PUBKEY, '-', "Output public key"},
94 {"new", OPT_NEW, '-', "New request"},
95 {"config", OPT_CONFIG, '<', "Request template file"},
96 {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
97 {"passin", OPT_PASSIN, 's', "Private key password source"},
98 {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
99 {"rand", OPT_RAND, 's',
100 "Load the file(s) into the random number generator"},
101 {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
102 {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
103 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
104 {"batch", OPT_BATCH, '-',
105 "Do not ask anything during request generation"},
106 {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
107 {"modulus", OPT_MODULUS, '-', "RSA modulus"},
108 {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
109 {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
110 {"noout", OPT_NOOUT, '-', "Do not output REQ"},
111 {"verbose", OPT_VERBOSE, '-', "Verbose output"},
112 {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
113 {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
114 {"reqopt", OPT_REQOPT, 's', "Various request text options"},
115 {"text", OPT_TEXT, '-', "Text form of request"},
116 {"x509", OPT_X509, '-',
117 "Output a x509 structure instead of a cert request"},
118 {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
119 {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
120 {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
121 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
122 "Enable support for multivalued RDNs"},
123 {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
124 {"set_serial", OPT_SET_SERIAL, 'p', "Serial number to use"},
125 {"extensions", OPT_EXTENSIONS, 's',
126 "Cert extension section (override value in config file)"},
127 {"reqexts", OPT_REQEXTS, 's',
128 "Request extension section (override value in config file)"},
129 {"", OPT_MD, '-', "Any supported digest"},
130 #ifndef OPENSSL_NO_ENGINE
131 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
132 {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
133 "Specify engine to be used for key generation operations"},
134 #endif
135 {NULL}
136 };
137
138 int req_main(int argc, char **argv)
139 {
140 ASN1_INTEGER *serial = NULL;
141 BIO *in = NULL, *out = NULL;
142 ENGINE *e = NULL, *gen_eng = NULL;
143 EVP_PKEY *pkey = NULL;
144 EVP_PKEY_CTX *genctx = NULL;
145 STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
146 X509 *x509ss = NULL;
147 X509_REQ *req = NULL;
148 const EVP_CIPHER *cipher = NULL;
149 const EVP_MD *md_alg = NULL, *digest = NULL;
150 char *extensions = NULL, *infile = NULL;
151 char *outfile = NULL, *keyfile = NULL, *inrand = NULL;
152 char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
153 char *passin = NULL, *passout = NULL;
154 char *nofree_passin = NULL, *nofree_passout = NULL;
155 char *req_exts = NULL, *subj = NULL;
156 char *template = default_config_file, *keyout = NULL;
157 const char *keyalg = NULL;
158 OPTION_CHOICE o;
159 int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose = 0;
160 int pkey_type = -1, private = 0;
161 int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
162 int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
163 int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
164 long newkey = -1;
165 unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
166 char nmflag_set = 0;
167
168 #ifndef OPENSSL_NO_DES
169 cipher = EVP_des_ede3_cbc();
170 #endif
171
172 prog = opt_init(argc, argv, req_options);
173 while ((o = opt_next()) != OPT_EOF) {
174 switch (o) {
175 case OPT_EOF:
176 case OPT_ERR:
177 opthelp:
178 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
179 goto end;
180 case OPT_HELP:
181 opt_help(req_options);
182 ret = 0;
183 goto end;
184 case OPT_INFORM:
185 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
186 goto opthelp;
187 break;
188 case OPT_OUTFORM:
189 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
190 goto opthelp;
191 break;
192 case OPT_ENGINE:
193 e = setup_engine(opt_arg(), 0);
194 break;
195 case OPT_KEYGEN_ENGINE:
196 #ifndef OPENSSL_NO_ENGINE
197 gen_eng = ENGINE_by_id(opt_arg());
198 if (gen_eng == NULL) {
199 BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
200 goto opthelp;
201 }
202 #endif
203 break;
204 case OPT_KEY:
205 keyfile = opt_arg();
206 break;
207 case OPT_PUBKEY:
208 pubkey = 1;
209 break;
210 case OPT_NEW:
211 newreq = 1;
212 break;
213 case OPT_CONFIG:
214 template = opt_arg();
215 break;
216 case OPT_KEYFORM:
217 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
218 goto opthelp;
219 break;
220 case OPT_IN:
221 infile = opt_arg();
222 break;
223 case OPT_OUT:
224 outfile = opt_arg();
225 break;
226 case OPT_KEYOUT:
227 keyout = opt_arg();
228 break;
229 case OPT_PASSIN:
230 passargin = opt_arg();
231 break;
232 case OPT_PASSOUT:
233 passargout = opt_arg();
234 break;
235 case OPT_RAND:
236 inrand = opt_arg();
237 break;
238 case OPT_NEWKEY:
239 keyalg = opt_arg();
240 newreq = 1;
241 break;
242 case OPT_PKEYOPT:
243 if (!pkeyopts)
244 pkeyopts = sk_OPENSSL_STRING_new_null();
245 if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
246 goto opthelp;
247 break;
248 case OPT_SIGOPT:
249 if (!sigopts)
250 sigopts = sk_OPENSSL_STRING_new_null();
251 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
252 goto opthelp;
253 break;
254 case OPT_BATCH:
255 batch = 1;
256 break;
257 case OPT_NEWHDR:
258 newhdr = 1;
259 break;
260 case OPT_MODULUS:
261 modulus = 1;
262 break;
263 case OPT_VERIFY:
264 verify = 1;
265 break;
266 case OPT_NODES:
267 nodes = 1;
268 break;
269 case OPT_NOOUT:
270 noout = 1;
271 break;
272 case OPT_VERBOSE:
273 verbose = 1;
274 break;
275 case OPT_UTF8:
276 chtype = MBSTRING_UTF8;
277 break;
278 case OPT_NAMEOPT:
279 nmflag_set = 1;
280 if (!set_name_ex(&nmflag, opt_arg()))
281 goto opthelp;
282 break;
283 case OPT_REQOPT:
284 if (!set_cert_ex(&reqflag, opt_arg()))
285 goto opthelp;
286 break;
287 case OPT_TEXT:
288 text = 1;
289 break;
290 case OPT_X509:
291 x509 = 1;
292 newreq = 1;
293 break;
294 case OPT_DAYS:
295 days = atoi(opt_arg());
296 break;
297 case OPT_SET_SERIAL:
298 if (serial != NULL) {
299 BIO_printf(bio_err, "Serial number supplied twice\n");
300 goto opthelp;
301 }
302 serial = s2i_ASN1_INTEGER(NULL, opt_arg());
303 if (serial == NULL)
304 goto opthelp;
305 break;
306 case OPT_SUBJECT:
307 subject = 1;
308 break;
309 case OPT_SUBJ:
310 subj = opt_arg();
311 break;
312 case OPT_MULTIVALUE_RDN:
313 multirdn = 1;
314 break;
315 case OPT_EXTENSIONS:
316 extensions = opt_arg();
317 break;
318 case OPT_REQEXTS:
319 req_exts = opt_arg();
320 break;
321 case OPT_MD:
322 if (!opt_md(opt_unknown(), &md_alg))
323 goto opthelp;
324 digest = md_alg;
325 break;
326 }
327 }
328 argc = opt_num_rest();
329 if (argc != 0)
330 goto opthelp;
331
332 if (!nmflag_set)
333 nmflag = XN_FLAG_ONELINE;
334
335 /* TODO: simplify this as pkey is still always NULL here */
336 private = newreq && (pkey == NULL) ? 1 : 0;
337
338 if (!app_passwd(passargin, passargout, &passin, &passout)) {
339 BIO_printf(bio_err, "Error getting passwords\n");
340 goto end;
341 }
342
343 if (verbose)
344 BIO_printf(bio_err, "Using configuration from %s\n", template);
345 req_conf = app_load_config(template);
346 if (template != default_config_file && !app_load_modules(req_conf))
347 goto end;
348
349 if (req_conf != NULL) {
350 p = NCONF_get_string(req_conf, NULL, "oid_file");
351 if (p == NULL)
352 ERR_clear_error();
353 if (p != NULL) {
354 BIO *oid_bio;
355
356 oid_bio = BIO_new_file(p, "r");
357 if (oid_bio == NULL) {
358 /*-
359 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
360 ERR_print_errors(bio_err);
361 */
362 } else {
363 OBJ_create_objects(oid_bio);
364 BIO_free(oid_bio);
365 }
366 }
367 }
368 if (!add_oid_section(req_conf))
369 goto end;
370
371 if (md_alg == NULL) {
372 p = NCONF_get_string(req_conf, SECTION, "default_md");
373 if (p == NULL)
374 ERR_clear_error();
375 else {
376 if (!opt_md(p, &md_alg))
377 goto opthelp;
378 digest = md_alg;
379 }
380 }
381
382 if (!extensions) {
383 extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
384 if (!extensions)
385 ERR_clear_error();
386 }
387 if (extensions) {
388 /* Check syntax of file */
389 X509V3_CTX ctx;
390 X509V3_set_ctx_test(&ctx);
391 X509V3_set_nconf(&ctx, req_conf);
392 if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
393 BIO_printf(bio_err,
394 "Error Loading extension section %s\n", extensions);
395 goto end;
396 }
397 }
398
399 if (passin == NULL) {
400 passin = nofree_passin =
401 NCONF_get_string(req_conf, SECTION, "input_password");
402 if (passin == NULL)
403 ERR_clear_error();
404 }
405
406 if (passout == NULL) {
407 passout = nofree_passout =
408 NCONF_get_string(req_conf, SECTION, "output_password");
409 if (passout == NULL)
410 ERR_clear_error();
411 }
412
413 p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
414 if (!p)
415 ERR_clear_error();
416
417 if (p && !ASN1_STRING_set_default_mask_asc(p)) {
418 BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
419 goto end;
420 }
421
422 if (chtype != MBSTRING_UTF8) {
423 p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
424 if (!p)
425 ERR_clear_error();
426 else if (strcmp(p, "yes") == 0)
427 chtype = MBSTRING_UTF8;
428 }
429
430 if (!req_exts) {
431 req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
432 if (!req_exts)
433 ERR_clear_error();
434 }
435 if (req_exts) {
436 /* Check syntax of file */
437 X509V3_CTX ctx;
438 X509V3_set_ctx_test(&ctx);
439 X509V3_set_nconf(&ctx, req_conf);
440 if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
441 BIO_printf(bio_err,
442 "Error Loading request extension section %s\n",
443 req_exts);
444 goto end;
445 }
446 }
447
448 if (keyfile != NULL) {
449 pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
450 if (!pkey) {
451 /* load_key() has already printed an appropriate message */
452 goto end;
453 } else {
454 char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
455 if (randfile == NULL)
456 ERR_clear_error();
457 app_RAND_load_file(randfile, 0);
458 }
459 }
460
461 if (newreq && (pkey == NULL)) {
462 char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
463 if (randfile == NULL)
464 ERR_clear_error();
465 app_RAND_load_file(randfile, 0);
466 if (inrand)
467 app_RAND_load_files(inrand);
468
469 if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
470 newkey = DEFAULT_KEY_LENGTH;
471 }
472
473 if (keyalg) {
474 genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
475 &keyalgstr, gen_eng);
476 if (!genctx)
477 goto end;
478 }
479
480 if (newkey < MIN_KEY_LENGTH
481 && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
482 BIO_printf(bio_err, "private key length is too short,\n");
483 BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
484 MIN_KEY_LENGTH, newkey);
485 goto end;
486 }
487
488 if (!genctx) {
489 genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
490 &keyalgstr, gen_eng);
491 if (!genctx)
492 goto end;
493 }
494
495 if (pkeyopts) {
496 char *genopt;
497 for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
498 genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
499 if (pkey_ctrl_string(genctx, genopt) <= 0) {
500 BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
501 ERR_print_errors(bio_err);
502 goto end;
503 }
504 }
505 }
506
507 if (pkey_type == EVP_PKEY_EC) {
508 BIO_printf(bio_err, "Generating an EC private key\n");
509 } else {
510 BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
511 newkey, keyalgstr);
512 }
513
514 EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
515 EVP_PKEY_CTX_set_app_data(genctx, bio_err);
516
517 if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
518 BIO_puts(bio_err, "Error Generating Key\n");
519 goto end;
520 }
521
522 EVP_PKEY_CTX_free(genctx);
523 genctx = NULL;
524
525 app_RAND_write_file(randfile);
526
527 if (keyout == NULL) {
528 keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
529 if (keyout == NULL)
530 ERR_clear_error();
531 }
532
533 if (keyout == NULL)
534 BIO_printf(bio_err, "writing new private key to stdout\n");
535 else
536 BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
537 out = bio_open_owner(keyout, outformat, private);
538 if (out == NULL)
539 goto end;
540
541 p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
542 if (p == NULL) {
543 ERR_clear_error();
544 p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
545 if (p == NULL)
546 ERR_clear_error();
547 }
548 if ((p != NULL) && (strcmp(p, "no") == 0))
549 cipher = NULL;
550 if (nodes)
551 cipher = NULL;
552
553 i = 0;
554 loop:
555 assert(private);
556 if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
557 NULL, 0, NULL, passout)) {
558 if ((ERR_GET_REASON(ERR_peek_error()) ==
559 PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
560 ERR_clear_error();
561 i++;
562 goto loop;
563 }
564 goto end;
565 }
566 BIO_free(out);
567 out = NULL;
568 BIO_printf(bio_err, "-----\n");
569 }
570
571 if (!newreq) {
572 in = bio_open_default(infile, 'r', informat);
573 if (in == NULL)
574 goto end;
575
576 if (informat == FORMAT_ASN1)
577 req = d2i_X509_REQ_bio(in, NULL);
578 else
579 req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
580 if (req == NULL) {
581 BIO_printf(bio_err, "unable to load X509 request\n");
582 goto end;
583 }
584 }
585
586 if (newreq) {
587 if (pkey == NULL) {
588 BIO_printf(bio_err, "you need to specify a private key\n");
589 goto end;
590 }
591
592 if (req == NULL) {
593 req = X509_REQ_new();
594 if (req == NULL) {
595 goto end;
596 }
597
598 i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
599 subj = NULL; /* done processing '-subj' option */
600 if (!i) {
601 BIO_printf(bio_err, "problems making Certificate Request\n");
602 goto end;
603 }
604 }
605 if (x509) {
606 EVP_PKEY *tmppkey;
607 X509V3_CTX ext_ctx;
608 if ((x509ss = X509_new()) == NULL)
609 goto end;
610
611 /* Set version to V3 */
612 if (extensions && !X509_set_version(x509ss, 2))
613 goto end;
614 if (serial) {
615 if (!X509_set_serialNumber(x509ss, serial))
616 goto end;
617 } else {
618 if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
619 goto end;
620 }
621
622 if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
623 goto end;
624 if (!set_cert_times(x509ss, NULL, NULL, days))
625 goto end;
626 if (!X509_set_subject_name
627 (x509ss, X509_REQ_get_subject_name(req)))
628 goto end;
629 tmppkey = X509_REQ_get0_pubkey(req);
630 if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
631 goto end;
632
633 /* Set up V3 context struct */
634
635 X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
636 X509V3_set_nconf(&ext_ctx, req_conf);
637
638 /* Add extensions */
639 if (extensions && !X509V3_EXT_add_nconf(req_conf,
640 &ext_ctx, extensions,
641 x509ss)) {
642 BIO_printf(bio_err, "Error Loading extension section %s\n",
643 extensions);
644 goto end;
645 }
646
647 i = do_X509_sign(x509ss, pkey, digest, sigopts);
648 if (!i) {
649 ERR_print_errors(bio_err);
650 goto end;
651 }
652 } else {
653 X509V3_CTX ext_ctx;
654
655 /* Set up V3 context struct */
656
657 X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
658 X509V3_set_nconf(&ext_ctx, req_conf);
659
660 /* Add extensions */
661 if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
662 &ext_ctx, req_exts,
663 req)) {
664 BIO_printf(bio_err, "Error Loading extension section %s\n",
665 req_exts);
666 goto end;
667 }
668 i = do_X509_REQ_sign(req, pkey, digest, sigopts);
669 if (!i) {
670 ERR_print_errors(bio_err);
671 goto end;
672 }
673 }
674 }
675
676 if (subj && x509) {
677 BIO_printf(bio_err, "Cannot modify certificate subject\n");
678 goto end;
679 }
680
681 if (subj && !x509) {
682 if (verbose) {
683 BIO_printf(bio_err, "Modifying Request's Subject\n");
684 print_name(bio_err, "old subject=",
685 X509_REQ_get_subject_name(req), nmflag);
686 }
687
688 if (build_subject(req, subj, chtype, multirdn) == 0) {
689 BIO_printf(bio_err, "ERROR: cannot modify subject\n");
690 ret = 1;
691 goto end;
692 }
693
694 if (verbose) {
695 print_name(bio_err, "new subject=",
696 X509_REQ_get_subject_name(req), nmflag);
697 }
698 }
699
700 if (verify && !x509) {
701 EVP_PKEY *tpubkey = pkey;
702
703 if (tpubkey == NULL) {
704 tpubkey = X509_REQ_get0_pubkey(req);
705 if (tpubkey == NULL)
706 goto end;
707 }
708
709 i = X509_REQ_verify(req, tpubkey);
710
711 if (i < 0) {
712 goto end;
713 } else if (i == 0) {
714 BIO_printf(bio_err, "verify failure\n");
715 ERR_print_errors(bio_err);
716 } else /* if (i > 0) */
717 BIO_printf(bio_err, "verify OK\n");
718 }
719
720 if (noout && !text && !modulus && !subject && !pubkey) {
721 ret = 0;
722 goto end;
723 }
724
725 out = bio_open_default(outfile,
726 keyout != NULL && outfile != NULL &&
727 strcmp(keyout, outfile) == 0 ? 'a' : 'w',
728 outformat);
729 if (out == NULL)
730 goto end;
731
732 if (pubkey) {
733 EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req);
734
735 if (tpubkey == NULL) {
736 BIO_printf(bio_err, "Error getting public key\n");
737 ERR_print_errors(bio_err);
738 goto end;
739 }
740 PEM_write_bio_PUBKEY(out, tpubkey);
741 }
742
743 if (text) {
744 if (x509)
745 X509_print_ex(out, x509ss, nmflag, reqflag);
746 else
747 X509_REQ_print_ex(out, req, nmflag, reqflag);
748 }
749
750 if (subject) {
751 if (x509)
752 print_name(out, "subject=", X509_get_subject_name(x509ss),
753 nmflag);
754 else
755 print_name(out, "subject=", X509_REQ_get_subject_name(req),
756 nmflag);
757 }
758
759 if (modulus) {
760 EVP_PKEY *tpubkey;
761
762 if (x509)
763 tpubkey = X509_get0_pubkey(x509ss);
764 else
765 tpubkey = X509_REQ_get0_pubkey(req);
766 if (tpubkey == NULL) {
767 fprintf(stdout, "Modulus=unavailable\n");
768 goto end;
769 }
770 fprintf(stdout, "Modulus=");
771 #ifndef OPENSSL_NO_RSA
772 if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
773 const BIGNUM *n;
774 RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
775 BN_print(out, n);
776 } else
777 #endif
778 fprintf(stdout, "Wrong Algorithm type");
779 fprintf(stdout, "\n");
780 }
781
782 if (!noout && !x509) {
783 if (outformat == FORMAT_ASN1)
784 i = i2d_X509_REQ_bio(out, req);
785 else if (newhdr)
786 i = PEM_write_bio_X509_REQ_NEW(out, req);
787 else
788 i = PEM_write_bio_X509_REQ(out, req);
789 if (!i) {
790 BIO_printf(bio_err, "unable to write X509 request\n");
791 goto end;
792 }
793 }
794 if (!noout && x509 && (x509ss != NULL)) {
795 if (outformat == FORMAT_ASN1)
796 i = i2d_X509_bio(out, x509ss);
797 else
798 i = PEM_write_bio_X509(out, x509ss);
799 if (!i) {
800 BIO_printf(bio_err, "unable to write X509 certificate\n");
801 goto end;
802 }
803 }
804 ret = 0;
805 end:
806 if (ret) {
807 ERR_print_errors(bio_err);
808 }
809 NCONF_free(req_conf);
810 BIO_free(in);
811 BIO_free_all(out);
812 EVP_PKEY_free(pkey);
813 EVP_PKEY_CTX_free(genctx);
814 sk_OPENSSL_STRING_free(pkeyopts);
815 sk_OPENSSL_STRING_free(sigopts);
816 #ifndef OPENSSL_NO_ENGINE
817 ENGINE_free(gen_eng);
818 #endif
819 OPENSSL_free(keyalgstr);
820 X509_REQ_free(req);
821 X509_free(x509ss);
822 ASN1_INTEGER_free(serial);
823 if (passin != nofree_passin)
824 OPENSSL_free(passin);
825 if (passout != nofree_passout)
826 OPENSSL_free(passout);
827 return (ret);
828 }
829
830 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
831 int attribs, unsigned long chtype)
832 {
833 int ret = 0, i;
834 char no_prompt = 0;
835 STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
836 char *tmp, *dn_sect, *attr_sect;
837
838 tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
839 if (tmp == NULL)
840 ERR_clear_error();
841 if ((tmp != NULL) && strcmp(tmp, "no") == 0)
842 no_prompt = 1;
843
844 dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
845 if (dn_sect == NULL) {
846 BIO_printf(bio_err, "unable to find '%s' in config\n",
847 DISTINGUISHED_NAME);
848 goto err;
849 }
850 dn_sk = NCONF_get_section(req_conf, dn_sect);
851 if (dn_sk == NULL) {
852 BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
853 goto err;
854 }
855
856 attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
857 if (attr_sect == NULL) {
858 ERR_clear_error();
859 attr_sk = NULL;
860 } else {
861 attr_sk = NCONF_get_section(req_conf, attr_sect);
862 if (attr_sk == NULL) {
863 BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
864 goto err;
865 }
866 }
867
868 /* setup version number */
869 if (!X509_REQ_set_version(req, 0L))
870 goto err; /* version 1 */
871
872 if (subj)
873 i = build_subject(req, subj, chtype, multirdn);
874 else if (no_prompt)
875 i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
876 else
877 i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
878 chtype);
879 if (!i)
880 goto err;
881
882 if (!X509_REQ_set_pubkey(req, pkey))
883 goto err;
884
885 ret = 1;
886 err:
887 return (ret);
888 }
889
890 /*
891 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
892 * where characters may be escaped by \
893 */
894 static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
895 int multirdn)
896 {
897 X509_NAME *n;
898
899 if ((n = parse_name(subject, chtype, multirdn)) == NULL)
900 return 0;
901
902 if (!X509_REQ_set_subject_name(req, n)) {
903 X509_NAME_free(n);
904 return 0;
905 }
906 X509_NAME_free(n);
907 return 1;
908 }
909
910 static int prompt_info(X509_REQ *req,
911 STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
912 STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
913 int attribs, unsigned long chtype)
914 {
915 int i;
916 char *p, *q;
917 char buf[100];
918 int nid, mval;
919 long n_min, n_max;
920 char *type, *value;
921 const char *def;
922 CONF_VALUE *v;
923 X509_NAME *subj;
924 subj = X509_REQ_get_subject_name(req);
925
926 if (!batch) {
927 BIO_printf(bio_err,
928 "You are about to be asked to enter information that will be incorporated\n");
929 BIO_printf(bio_err, "into your certificate request.\n");
930 BIO_printf(bio_err,
931 "What you are about to enter is what is called a Distinguished Name or a DN.\n");
932 BIO_printf(bio_err,
933 "There are quite a few fields but you can leave some blank\n");
934 BIO_printf(bio_err,
935 "For some fields there will be a default value,\n");
936 BIO_printf(bio_err,
937 "If you enter '.', the field will be left blank.\n");
938 BIO_printf(bio_err, "-----\n");
939 }
940
941 if (sk_CONF_VALUE_num(dn_sk)) {
942 i = -1;
943 start:for (;;) {
944 i++;
945 if (sk_CONF_VALUE_num(dn_sk) <= i)
946 break;
947
948 v = sk_CONF_VALUE_value(dn_sk, i);
949 p = q = NULL;
950 type = v->name;
951 if (!check_end(type, "_min") || !check_end(type, "_max") ||
952 !check_end(type, "_default") || !check_end(type, "_value"))
953 continue;
954 /*
955 * Skip past any leading X. X: X, etc to allow for multiple
956 * instances
957 */
958 for (p = v->name; *p; p++)
959 if ((*p == ':') || (*p == ',') || (*p == '.')) {
960 p++;
961 if (*p)
962 type = p;
963 break;
964 }
965 if (*type == '+') {
966 mval = -1;
967 type++;
968 } else
969 mval = 0;
970 /* If OBJ not recognised ignore it */
971 if ((nid = OBJ_txt2nid(type)) == NID_undef)
972 goto start;
973 if (BIO_snprintf(buf, sizeof buf, "%s_default", v->name)
974 >= (int)sizeof(buf)) {
975 BIO_printf(bio_err, "Name '%s' too long\n", v->name);
976 return 0;
977 }
978
979 if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
980 ERR_clear_error();
981 def = "";
982 }
983
984 BIO_snprintf(buf, sizeof buf, "%s_value", v->name);
985 if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
986 ERR_clear_error();
987 value = NULL;
988 }
989
990 BIO_snprintf(buf, sizeof buf, "%s_min", v->name);
991 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
992 ERR_clear_error();
993 n_min = -1;
994 }
995
996 BIO_snprintf(buf, sizeof buf, "%s_max", v->name);
997 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
998 ERR_clear_error();
999 n_max = -1;
1000 }
1001
1002 if (!add_DN_object(subj, v->value, def, value, nid,
1003 n_min, n_max, chtype, mval))
1004 return 0;
1005 }
1006 if (X509_NAME_entry_count(subj) == 0) {
1007 BIO_printf(bio_err,
1008 "error, no objects specified in config file\n");
1009 return 0;
1010 }
1011
1012 if (attribs) {
1013 if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
1014 && (!batch)) {
1015 BIO_printf(bio_err,
1016 "\nPlease enter the following 'extra' attributes\n");
1017 BIO_printf(bio_err,
1018 "to be sent with your certificate request\n");
1019 }
1020
1021 i = -1;
1022 start2: for (;;) {
1023 i++;
1024 if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
1025 break;
1026
1027 v = sk_CONF_VALUE_value(attr_sk, i);
1028 type = v->name;
1029 if ((nid = OBJ_txt2nid(type)) == NID_undef)
1030 goto start2;
1031
1032 if (BIO_snprintf(buf, sizeof buf, "%s_default", type)
1033 >= (int)sizeof(buf)) {
1034 BIO_printf(bio_err, "Name '%s' too long\n", v->name);
1035 return 0;
1036 }
1037
1038 if ((def = NCONF_get_string(req_conf, attr_sect, buf))
1039 == NULL) {
1040 ERR_clear_error();
1041 def = "";
1042 }
1043
1044 BIO_snprintf(buf, sizeof buf, "%s_value", type);
1045 if ((value = NCONF_get_string(req_conf, attr_sect, buf))
1046 == NULL) {
1047 ERR_clear_error();
1048 value = NULL;
1049 }
1050
1051 BIO_snprintf(buf, sizeof buf, "%s_min", type);
1052 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
1053 ERR_clear_error();
1054 n_min = -1;
1055 }
1056
1057 BIO_snprintf(buf, sizeof buf, "%s_max", type);
1058 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
1059 ERR_clear_error();
1060 n_max = -1;
1061 }
1062
1063 if (!add_attribute_object(req,
1064 v->value, def, value, nid, n_min,
1065 n_max, chtype))
1066 return 0;
1067 }
1068 }
1069 } else {
1070 BIO_printf(bio_err, "No template, please set one up.\n");
1071 return 0;
1072 }
1073
1074 return 1;
1075
1076 }
1077
1078 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
1079 STACK_OF(CONF_VALUE) *attr_sk, int attribs,
1080 unsigned long chtype)
1081 {
1082 int i, spec_char, plus_char;
1083 char *p, *q;
1084 char *type;
1085 CONF_VALUE *v;
1086 X509_NAME *subj;
1087
1088 subj = X509_REQ_get_subject_name(req);
1089
1090 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1091 int mval;
1092 v = sk_CONF_VALUE_value(dn_sk, i);
1093 p = q = NULL;
1094 type = v->name;
1095 /*
1096 * Skip past any leading X. X: X, etc to allow for multiple instances
1097 */
1098 for (p = v->name; *p; p++) {
1099 #ifndef CHARSET_EBCDIC
1100 spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
1101 #else
1102 spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
1103 || (*p == os_toascii['.']));
1104 #endif
1105 if (spec_char) {
1106 p++;
1107 if (*p)
1108 type = p;
1109 break;
1110 }
1111 }
1112 #ifndef CHARSET_EBCDIC
1113 plus_char = (*type == '+');
1114 #else
1115 plus_char = (*type == os_toascii['+']);
1116 #endif
1117 if (plus_char) {
1118 type++;
1119 mval = -1;
1120 } else
1121 mval = 0;
1122 if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
1123 (unsigned char *)v->value, -1, -1,
1124 mval))
1125 return 0;
1126
1127 }
1128
1129 if (!X509_NAME_entry_count(subj)) {
1130 BIO_printf(bio_err, "error, no objects specified in config file\n");
1131 return 0;
1132 }
1133 if (attribs) {
1134 for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
1135 v = sk_CONF_VALUE_value(attr_sk, i);
1136 if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
1137 (unsigned char *)v->value, -1))
1138 return 0;
1139 }
1140 }
1141 return 1;
1142 }
1143
1144 static int add_DN_object(X509_NAME *n, char *text, const char *def,
1145 char *value, int nid, int n_min, int n_max,
1146 unsigned long chtype, int mval)
1147 {
1148 int i, ret = 0;
1149 char buf[1024];
1150 start:
1151 if (!batch)
1152 BIO_printf(bio_err, "%s [%s]:", text, def);
1153 (void)BIO_flush(bio_err);
1154 if (value != NULL) {
1155 OPENSSL_strlcpy(buf, value, sizeof buf);
1156 OPENSSL_strlcat(buf, "\n", sizeof buf);
1157 BIO_printf(bio_err, "%s\n", value);
1158 } else {
1159 buf[0] = '\0';
1160 if (!batch) {
1161 if (!fgets(buf, sizeof buf, stdin))
1162 return 0;
1163 } else {
1164 buf[0] = '\n';
1165 buf[1] = '\0';
1166 }
1167 }
1168
1169 if (buf[0] == '\0')
1170 return (0);
1171 else if (buf[0] == '\n') {
1172 if ((def == NULL) || (def[0] == '\0'))
1173 return (1);
1174 OPENSSL_strlcpy(buf, def, sizeof buf);
1175 OPENSSL_strlcat(buf, "\n", sizeof buf);
1176 } else if ((buf[0] == '.') && (buf[1] == '\n'))
1177 return (1);
1178
1179 i = strlen(buf);
1180 if (buf[i - 1] != '\n') {
1181 BIO_printf(bio_err, "weird input :-(\n");
1182 return (0);
1183 }
1184 buf[--i] = '\0';
1185 #ifdef CHARSET_EBCDIC
1186 ebcdic2ascii(buf, buf, i);
1187 #endif
1188 if (!req_check_len(i, n_min, n_max)) {
1189 if (batch || value)
1190 return 0;
1191 goto start;
1192 }
1193
1194 if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
1195 (unsigned char *)buf, -1, -1, mval))
1196 goto err;
1197 ret = 1;
1198 err:
1199 return (ret);
1200 }
1201
1202 static int add_attribute_object(X509_REQ *req, char *text, const char *def,
1203 char *value, int nid, int n_min,
1204 int n_max, unsigned long chtype)
1205 {
1206 int i;
1207 static char buf[1024];
1208
1209 start:
1210 if (!batch)
1211 BIO_printf(bio_err, "%s [%s]:", text, def);
1212 (void)BIO_flush(bio_err);
1213 if (value != NULL) {
1214 OPENSSL_strlcpy(buf, value, sizeof buf);
1215 OPENSSL_strlcat(buf, "\n", sizeof buf);
1216 BIO_printf(bio_err, "%s\n", value);
1217 } else {
1218 buf[0] = '\0';
1219 if (!batch) {
1220 if (!fgets(buf, sizeof buf, stdin))
1221 return 0;
1222 } else {
1223 buf[0] = '\n';
1224 buf[1] = '\0';
1225 }
1226 }
1227
1228 if (buf[0] == '\0')
1229 return (0);
1230 else if (buf[0] == '\n') {
1231 if ((def == NULL) || (def[0] == '\0'))
1232 return (1);
1233 OPENSSL_strlcpy(buf, def, sizeof buf);
1234 OPENSSL_strlcat(buf, "\n", sizeof buf);
1235 } else if ((buf[0] == '.') && (buf[1] == '\n'))
1236 return (1);
1237
1238 i = strlen(buf);
1239 if (buf[i - 1] != '\n') {
1240 BIO_printf(bio_err, "weird input :-(\n");
1241 return (0);
1242 }
1243 buf[--i] = '\0';
1244 #ifdef CHARSET_EBCDIC
1245 ebcdic2ascii(buf, buf, i);
1246 #endif
1247 if (!req_check_len(i, n_min, n_max)) {
1248 if (batch || value)
1249 return 0;
1250 goto start;
1251 }
1252
1253 if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
1254 (unsigned char *)buf, -1)) {
1255 BIO_printf(bio_err, "Error adding attribute\n");
1256 ERR_print_errors(bio_err);
1257 goto err;
1258 }
1259
1260 return (1);
1261 err:
1262 return (0);
1263 }
1264
1265 static int req_check_len(int len, int n_min, int n_max)
1266 {
1267 if ((n_min > 0) && (len < n_min)) {
1268 BIO_printf(bio_err,
1269 "string is too short, it needs to be at least %d bytes long\n",
1270 n_min);
1271 return (0);
1272 }
1273 if ((n_max >= 0) && (len > n_max)) {
1274 BIO_printf(bio_err,
1275 "string is too long, it needs to be less than %d bytes long\n",
1276 n_max);
1277 return (0);
1278 }
1279 return (1);
1280 }
1281
1282 /* Check if the end of a string matches 'end' */
1283 static int check_end(const char *str, const char *end)
1284 {
1285 int elen, slen;
1286 const char *tmp;
1287 elen = strlen(end);
1288 slen = strlen(str);
1289 if (elen > slen)
1290 return 1;
1291 tmp = str + slen - elen;
1292 return strcmp(tmp, end);
1293 }
1294
1295 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
1296 int *pkey_type, long *pkeylen,
1297 char **palgnam, ENGINE *keygen_engine)
1298 {
1299 EVP_PKEY_CTX *gctx = NULL;
1300 EVP_PKEY *param = NULL;
1301 long keylen = -1;
1302 BIO *pbio = NULL;
1303 const char *paramfile = NULL;
1304
1305 if (gstr == NULL) {
1306 *pkey_type = EVP_PKEY_RSA;
1307 keylen = *pkeylen;
1308 } else if (gstr[0] >= '0' && gstr[0] <= '9') {
1309 *pkey_type = EVP_PKEY_RSA;
1310 keylen = atol(gstr);
1311 *pkeylen = keylen;
1312 } else if (strncmp(gstr, "param:", 6) == 0)
1313 paramfile = gstr + 6;
1314 else {
1315 const char *p = strchr(gstr, ':');
1316 int len;
1317 ENGINE *tmpeng;
1318 const EVP_PKEY_ASN1_METHOD *ameth;
1319
1320 if (p)
1321 len = p - gstr;
1322 else
1323 len = strlen(gstr);
1324 /*
1325 * The lookup of a the string will cover all engines so keep a note
1326 * of the implementation.
1327 */
1328
1329 ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
1330
1331 if (!ameth) {
1332 BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
1333 return NULL;
1334 }
1335
1336 EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
1337 #ifndef OPENSSL_NO_ENGINE
1338 ENGINE_finish(tmpeng);
1339 #endif
1340 if (*pkey_type == EVP_PKEY_RSA) {
1341 if (p) {
1342 keylen = atol(p + 1);
1343 *pkeylen = keylen;
1344 } else
1345 keylen = *pkeylen;
1346 } else if (p)
1347 paramfile = p + 1;
1348 }
1349
1350 if (paramfile) {
1351 pbio = BIO_new_file(paramfile, "r");
1352 if (!pbio) {
1353 BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
1354 return NULL;
1355 }
1356 param = PEM_read_bio_Parameters(pbio, NULL);
1357
1358 if (!param) {
1359 X509 *x;
1360 (void)BIO_reset(pbio);
1361 x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
1362 if (x) {
1363 param = X509_get_pubkey(x);
1364 X509_free(x);
1365 }
1366 }
1367
1368 BIO_free(pbio);
1369
1370 if (!param) {
1371 BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
1372 return NULL;
1373 }
1374 if (*pkey_type == -1)
1375 *pkey_type = EVP_PKEY_id(param);
1376 else if (*pkey_type != EVP_PKEY_base_id(param)) {
1377 BIO_printf(bio_err, "Key Type does not match parameters\n");
1378 EVP_PKEY_free(param);
1379 return NULL;
1380 }
1381 }
1382
1383 if (palgnam) {
1384 const EVP_PKEY_ASN1_METHOD *ameth;
1385 ENGINE *tmpeng;
1386 const char *anam;
1387 ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
1388 if (!ameth) {
1389 BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
1390 return NULL;
1391 }
1392 EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
1393 *palgnam = OPENSSL_strdup(anam);
1394 #ifndef OPENSSL_NO_ENGINE
1395 ENGINE_finish(tmpeng);
1396 #endif
1397 }
1398
1399 if (param) {
1400 gctx = EVP_PKEY_CTX_new(param, keygen_engine);
1401 *pkeylen = EVP_PKEY_bits(param);
1402 EVP_PKEY_free(param);
1403 } else
1404 gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
1405
1406 if (gctx == NULL) {
1407 BIO_puts(bio_err, "Error allocating keygen context\n");
1408 ERR_print_errors(bio_err);
1409 return NULL;
1410 }
1411
1412 if (EVP_PKEY_keygen_init(gctx) <= 0) {
1413 BIO_puts(bio_err, "Error initializing keygen context\n");
1414 ERR_print_errors(bio_err);
1415 EVP_PKEY_CTX_free(gctx);
1416 return NULL;
1417 }
1418 #ifndef OPENSSL_NO_RSA
1419 if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
1420 if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
1421 BIO_puts(bio_err, "Error setting RSA keysize\n");
1422 ERR_print_errors(bio_err);
1423 EVP_PKEY_CTX_free(gctx);
1424 return NULL;
1425 }
1426 }
1427 #endif
1428
1429 return gctx;
1430 }
1431
1432 static int genpkey_cb(EVP_PKEY_CTX *ctx)
1433 {
1434 char c = '*';
1435 BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
1436 int p;
1437 p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
1438 if (p == 0)
1439 c = '.';
1440 if (p == 1)
1441 c = '+';
1442 if (p == 2)
1443 c = '*';
1444 if (p == 3)
1445 c = '\n';
1446 BIO_write(b, &c, 1);
1447 (void)BIO_flush(b);
1448 return 1;
1449 }
1450
1451 static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
1452 const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
1453 {
1454 EVP_PKEY_CTX *pkctx = NULL;
1455 int i;
1456
1457 if (ctx == NULL)
1458 return 0;
1459 if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
1460 return 0;
1461 for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
1462 char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
1463 if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
1464 BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
1465 ERR_print_errors(bio_err);
1466 return 0;
1467 }
1468 }
1469 return 1;
1470 }
1471
1472 int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
1473 STACK_OF(OPENSSL_STRING) *sigopts)
1474 {
1475 int rv;
1476 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1477
1478 rv = do_sign_init(mctx, pkey, md, sigopts);
1479 if (rv > 0)
1480 rv = X509_sign_ctx(x, mctx);
1481 EVP_MD_CTX_free(mctx);
1482 return rv > 0 ? 1 : 0;
1483 }
1484
1485 int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
1486 STACK_OF(OPENSSL_STRING) *sigopts)
1487 {
1488 int rv;
1489 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1490 rv = do_sign_init(mctx, pkey, md, sigopts);
1491 if (rv > 0)
1492 rv = X509_REQ_sign_ctx(x, mctx);
1493 EVP_MD_CTX_free(mctx);
1494 return rv > 0 ? 1 : 0;
1495 }
1496
1497 int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
1498 STACK_OF(OPENSSL_STRING) *sigopts)
1499 {
1500 int rv;
1501 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1502 rv = do_sign_init(mctx, pkey, md, sigopts);
1503 if (rv > 0)
1504 rv = X509_CRL_sign_ctx(x, mctx);
1505 EVP_MD_CTX_free(mctx);
1506 return rv > 0 ? 1 : 0;
1507 }
A mirror of the official openssl repository