APPS req: Extend the -keyout option to be respected also with -key

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)

diff --git a/apps/req.c b/apps/req.c
index 9edb1deb9642420ef59f05452aef370fdcca2d96..a9769b745271685b35997c3fcffcac0a367c9ed8 100644 (file)
--- a/apps/req.c
+++ b/apps/req.c
@@ -142,7 +142,7 @@ const OPTIONS req_options[] = {
     {"key", OPT_KEY, 's', "Private key to use"},
     {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
     {"pubkey", OPT_PUBKEY, '-', "Output public key"},
-    {"keyout", OPT_KEYOUT, '>', "File to save newly created private key"},
+    {"keyout", OPT_KEYOUT, '>', "File to write private key to"},
     {"passin", OPT_PASSIN, 's', "Private key and certificate password source"},
     {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
     {"newkey", OPT_NEWKEY, 's',
@@ -676,17 +676,21 @@ int req_main(int argc, char **argv)
 
         EVP_PKEY_CTX_free(genctx);
         genctx = NULL;
+    }
+    if (keyout == NULL) {
+        keyout = NCONF_get_string(req_conf, section, KEYFILE);
+        if (keyout == NULL)
+            ERR_clear_error();
+    }
 
-        if (keyout == NULL) {
-            keyout = NCONF_get_string(req_conf, section, KEYFILE);
+    if (pkey != NULL && (keyfile == NULL || keyout != NULL)) {
+        if (verbose) {
+            BIO_printf(bio_err, "Writing private key to ");
             if (keyout == NULL)
-                ERR_clear_error();
+                BIO_printf(bio_err, "stdout\n");
+            else
+                BIO_printf(bio_err, "'%s'\n", keyout);
         }
-
-        if (keyout == NULL)
-            BIO_printf(bio_err, "Writing new private key to stdout\n");
-        else
-            BIO_printf(bio_err, "Writing new private key to '%s'\n", keyout);
         out = bio_open_owner(keyout, outformat, newreq);
         if (out == NULL)
             goto end;
@@ -705,7 +709,6 @@ int req_main(int argc, char **argv)
 
         i = 0;
  loop:
-        assert(newreq);
         if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
                                       NULL, 0, NULL, passout)) {
             if ((ERR_GET_REASON(ERR_peek_error()) ==

diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 4cec47f02ce6f7ab337d583d0601de050e67f4e5..7897610818037ca7011da2c58f47797ae57455f1 100644 (file)
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -204,10 +204,12 @@ See L<openssl-format-options(1)> for details.
 
 =item B<-keyout> I<filename>
 
-This gives the filename to write any newly created private key to.
-If this option is not given then the filename specified in the configuration
-file with the B<default_keyfile> option is used if present,
-else the key is written to standard output.
+This gives the filename to write any private key to that has been newly created
+or read from B<-key>.
+If the B<-keyout> option is not given the filename specified in the
+configuration file with the B<default_keyfile> option is used, if present.
+If a new key is generated and no filename is specified
+the key is written to standard output.
 
 =item B<-noenc>