From: Dr. David von Oheimb Date: Fri, 27 Aug 2021 05:11:36 +0000 (+0200) Subject: APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options X-Git-Tag: openssl-3.2.0-alpha1~3574 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=611ef4f3737cc5812bdefe381403fdf1bacfba06;p=thirdparty%2Fopenssl.git APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16440)
---
diff --git a/apps/req.c b/apps/req.c
index 6aa364fec50..f756c25b2a4 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -103,7 +103,7 @@ const OPTIONS req_options[] = {
 {"keygen_engine", OPT_KEYGEN_ENGINE, 's', "Specify engine to be used for key generation operations"},
 #endif
- {"in", OPT_IN, '<', "X.509 request input file"},
+ {"in", OPT_IN, '<', "X.509 request input file (default stdin)"},
 {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
 {"verify", OPT_VERIFY, '-', "Verify self-signature on the request"},
@@ -136,10 +136,10 @@ const OPTIONS req_options[] = {
 "Cert extension section (override value in config file)"},
 {"reqexts", OPT_REQEXTS, 's',
 "Request extension section (override value in config file)"},
- {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
+ {"precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)"},
 OPT_SECTION("Keys and Signing"),
- {"key", OPT_KEY, 's', "Key to include and to use for self-signature"},
+ {"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"},
 {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
 {"pubkey", OPT_PUBKEY, '-', "Output public key"},
 {"keyout", OPT_KEYOUT, '>', "File to write private key to"},
@@ -489,8 +489,13 @@ int req_main(int argc, char **argv)
 if (ext_copy == EXT_COPY_NONE)
 BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n");
 }
- if (gen_x509 && infile == NULL)
- newreq = 1;
+ if (infile == NULL) {
+ if (gen_x509)
+ newreq = 1;
+ else
+ BIO_printf(bio_err,
+ "Warning: Will read cert request from stdin since no -in option is given\n");
+ }
 if (!app_passwd(passargin, passargout, &passin, &passout)) {
 BIO_printf(bio_err, "Error getting passwords\n");
@@ -631,6 +636,11 @@ int req_main(int argc, char **argv)
 goto end;
 app_RAND_load_conf(req_conf, section);
 }
+ if (keyalg != NULL && pkey != NULL) {
+ BIO_printf(bio_err,
+ "Warning: Not generating key via given -newkey option since -key is given\n");
+ /* Better throw an error in this case */
+ }
 if (newreq && pkey == NULL) {
 app_RAND_load_conf(req_conf, section);
@@ -742,9 +752,17 @@ int req_main(int argc, char **argv)
 goto end;
 if (!newreq) {
- req = load_csr(infile, informat, "X509 request");
+ if (keyfile != NULL)
+ BIO_printf(bio_err,
+ "Warning: Not placing -key in cert or request since request is used\n");
+ req = load_csr(infile /* if NULL, reads from stdin */,
+ informat, "X509 request");
 if (req == NULL)
 goto end;
+ } else if (infile != NULL) {
+ BIO_printf(bio_err,
+ "Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
+ /* Better throw an error in this case, as done in the x509 app */
 }
 if (CAkeyfile == NULL)
@@ -752,7 +770,7 @@ int req_main(int argc, char **argv)
 if (CAkeyfile != NULL) {
 if (CAfile == NULL) {
 BIO_printf(bio_err,
- "Ignoring -CAkey option since no -CA option is given\n");
+ "Warning: Ignoring -CAkey option since no -CA option is given\n");
 } else {
 if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF, 0, passin, e,
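Review bot: The stdin warning added in the @@ -489 hunk fires whenever -in is absent and -x509 is not given, including when -new, -newkey or -precert was passed, in which case no request is read at all; if newreq is already set by those flags during option parsing, as its later test `newreq && pkey == NULL` suggests, the branch should be `else if (!newreq)`. As written the user is told a request will be read from stdin while a fresh one is generated, which is misleading exactly where the diagnostic is meant to remove ambiguity. req_main's body continues outside the hunk.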
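Review bot: Conflicting key and input options are only warned about in the @@ -631 hunk (`-newkey` together with `-key`) and in the @@ -742 hunk (`-in` together with `-new`, `-newkey` or `-precert`); execution then continues, and the author's own `/* Better throw an error in this case */` comments concede the point. For a tool that produces signatures, proceeding with a different key or input than one of the two options named is the ambiguity the x509 hunk below refuses (`Cannot use both -key/-signkey and -CA option` followed by `goto end`), so for consistency the "Warning:" prefix should become an error and `goto end;` should follow each BIO_printf. If the warning is kept deliberately for backward compatibility, the comment should say so rather than leave a TODO. Both hunks are in the middle of req_main, whose body extends beyond them.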
@@ -788,6 +806,7 @@ int req_main(int argc, char **argv)
 BIO_printf(bio_err, "Error making certificate request\n");
 goto end;
 }
+ /* Note that -x509 can take over -key and -subj option values. */
 }
 if (gen_x509) {
 EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
@@ -798,6 +817,10 @@ int req_main(int argc, char **argv)
 X509_NAME *n_subj = fsubj != NULL ? fsubj : X509_REQ_get_subject_name(req);
+ if (CAcert != NULL && keyfile != NULL)
+ BIO_printf(bio_err,
+ "Warning: Not using -key or -newkey for signing since -CA option is given\n");
+
+ if ((new_x509 = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
 goto end;
@@ -874,6 +897,10 @@ int req_main(int argc, char **argv)
 } else {
 X509V3_CTX ext_ctx;
+ if (precert) {
+ BIO_printf(bio_err,
+ "Warning: Ignoring -precert flag since no cert is produced\n");
+ }
 /* Set up V3 context struct */
 X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
 X509V3_set_nconf(&ext_ctx, req_conf);
diff --git a/apps/x509.c b/apps/x509.c
index 7236972c5bf..65af7f0d06e 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -61,7 +61,7 @@ const OPTIONS x509_options[] = {
 {"help", OPT_HELP, '-', "Display this summary"},
 {"in", OPT_IN, '<',
- "Certificate input (default stdin), or CSR input file with -req"},
+ "Certificate input, or CSR input file with -req (default stdin)"},
 {"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
 {"new", OPT_NEW, '-', "Generate a certificate from scratch"},
 {"x509toreq", OPT_X509TOREQ, '-',
@@ -73,7 +73,7 @@ const OPTIONS x509_options[] = {
 "CSR input file format (DER or PEM) - default PEM"},
 {"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
 {"key", OPT_KEY, 's',
- "Key to be used in certificate or cert request"},
+ "Key for signing, and to include unless using -force_pubkey"},
 {"signkey", OPT_SIGNKEY, 's', "Same as -key"},
 {"keyform", OPT_KEYFORM, 'E',
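Review bot: The message added in the @@ -798 hunk names both -key and -newkey, but the condition `CAcert != NULL && keyfile != NULL` only tests -key; with -newkey alone (which the earlier @@ -631 hunk appears to tie to `keyalg`) and -CA, the freshly generated key is likewise not the signing key yet no warning is printed. Either widen the check to `if (CAcert != NULL && (keyfile != NULL || keyalg != NULL))` or drop "or -newkey" from the text so the diagnostic matches what is actually detected. The surrounding `if (gen_x509)` block starts before this hunk and req_main continues after it.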
@@ -630,7 +630,7 @@ int x509_main(int argc, char **argv)
 }
 if (privkeyfile == NULL && pubkeyfile == NULL) {
 BIO_printf(bio_err,
- "The -new option without -key requires using -force_pubkey\n");
+ "The -new option requires using the -key or -force_pubkey option\n");
 goto end;
 }
 }
@@ -642,7 +642,7 @@ int x509_main(int argc, char **argv)
 CAkeyfile = CAfile;
 if (CAfile != NULL) {
 if (privkeyfile != NULL) {
- BIO_printf(bio_err, "Cannot use both -key and -CA option\n");
+ BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n");
 goto end;
 }
 } else if (CAkeyfile != NULL) {
@@ -676,6 +676,9 @@ int x509_main(int argc, char **argv)
 }
 if (reqfile) {
+ if (infile == NULL)
+ BIO_printf(bio_err,
+ "Warning: Reading cert request from stdin since no -in option is given\n");
 req = load_csr(infile, informat, "certificate request input");
 if (req == NULL)
 goto end;
@@ -725,6 +728,9 @@ int x509_main(int argc, char **argv)
 }
 }
 } else {
+ if (infile == NULL)
+ BIO_printf(bio_err,
+ "Warning: Reading certificate from stdin since no -in option is given\n");
 x = load_cert_pass(infile, informat, 1, passin, "certificate");
 if (x == NULL)
 goto end;
@@ -819,7 +825,7 @@ int x509_main(int argc, char **argv)
 if (x509toreq) { /* also works in conjunction with -req */
 if (privkey == NULL) {
- BIO_printf(bio_err, "Must specify request key using -key\n");
+ BIO_printf(bio_err, "Must specify request signing key using -key\n");
 goto end;
 }
 if (clrext && ext_copy != EXT_COPY_NONE) {
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index e78b04c65ba..a21c30ba47f 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -79,9 +79,10 @@ The data is a PKCS#10 object.
 =item B<-in> I
-This specifies the input filename to read a request from or standard input
-if this option is not specified. A request is only read if the creation
-options (B<-new> or B<-newkey>) are not specified.
+This specifies the input filename to read a request from.
+This defaults to standard input unless B<-x509> or B<-CA> is specified.
+A request is only read if the creation options
+(B<-new> or B<-newkey> or B<-precert>) are not specified.
 =item B<-sigopt> I:I
@@ -156,8 +157,13 @@ else by default an RSA key with 2048 bits length.
 =item B<-newkey> I
-This option creates a new certificate request and a new private
-key. The argument takes one of several forms.
+This option is used to generate a new private key unless B<-key> is given.
+It is subsequently used as if it was given using the B<-key> option.
+
+This option implies the B<-new> flag to create a new certificate request
+or a new certificate in case B<-x509> is given.
+
+The argument takes one of several forms.
 [B]I generates an RSA key I in size.
 If I is omitted, i.e., B<-newkey> B is specified,
@@ -193,9 +199,14 @@ See L for more details.
 =item B<-key> I|I
-This specifies the key to include and to use for request self-signature
-and for self-signing certificates produced with the B<-x509> option.
-It also accepts PKCS#8 format private keys for PEM format files.
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless B<-in> is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+
+For certificate signing this option is overridden by the B<-CA> option.
+
+This option also accepts PKCS#8 format private keys for PEM format files.
 =item B<-keyform> B|B|B|B
@@ -268,6 +279,8 @@ This option outputs a certificate instead of a certificate request.
 This is typically used to generate test certificates.
 It is implied by the B<-CA> option.
+This option implies the B<-new> flag if B<-in> is not given.
+
 If an existing request is specified with the B<-in> option, it is converted
 to the a certificate; otherwise a request is created from scratch.
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index 9c77a216c22..a20f605e031 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -102,9 +102,11 @@ Print out a usage message.
 =item B<-in> I|I
-If the B<-req> option is not used this specifies the input
-to read a certificate from or standard input if this option is not specified.
-With the B<-req> option this specifies a certificate request file.
+This specifies the input to read a certificate from
+or the input file for reading a certificate request if the B<-req> flag is used.
+In both cases this defaults to standard input.
+
+This option cannot be combined with the B<-new> flag.
 =item B<-passin> I
@@ -163,9 +165,12 @@ Names and values of these options are algorithm-specific.
 =item B<-key> I|I
-This option causes the new certificate or certificate request
-to be self-signed using the supplied private key.
-This cannot be used in conjunction with the B<-CA> option.
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless B<-force_pubkey> is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+
+This option cannot be used in conjunction with the B<-CA> option.
 It sets the issuer name to the subject name (i.e., makes it self-issued)
 and changes the public key to the supplied value (unless overridden
@@ -466,7 +471,7 @@ certificate, which is then signed using the "CA" key given as detailed below.
 This option cannot be used in conjunction with the B<-key> option.
 This option is normally combined with the B<-req> option referencing a CSR.
-Without the B<-req> option the input must be a self-signed certificate
+Without the B<-req> option the input must be an existing certificate
 unless the B<-new> option is given, which generates a certificate from scratch.
 =item B<-CAform> B|B|B,