/*
 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
#include <openssl/lhash.h>
#ifndef OPENSSL_NO_RSA
# include <openssl/rsa.h>
#endif
#ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
#endif

/* Configuration-file section this command reads its settings from. */
#define SECTION "req"

/* Keys looked up inside the [req] section. */
#define BITS "default_bits"
#define KEYFILE "default_keyfile"
#define PROMPT "prompt"
#define DISTINGUISHED_NAME "distinguished_name"
#define ATTRIBUTES "attributes"
#define V3_EXTENSIONS "x509_extensions"
#define REQ_EXTENSIONS "req_extensions"
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"

/*
 * DEFAULT_KEY_LENGTH is used when the configuration has no default_bits
 * entry; the value is then handed to set_keygen_ctx(), which may adjust it
 * for an explicit -newkey type:bits argument.  MIN_KEY_LENGTH is the floor
 * below which RSA/DSA key generation is refused.  It is a compatibility
 * limit, far below what is considered adequate today; the default is the
 * value to rely on.
 */
#define DEFAULT_KEY_LENGTH 2048
#define MIN_KEY_LENGTH 512

static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int multirdn,
                    int attribs, unsigned long chtype);
static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
                         int multirdn);
static int prompt_info(X509_REQ *req,
                       STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
                       STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
                       int attribs, unsigned long chtype);
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
                     STACK_OF(CONF_VALUE) *attr, int attribs,
                     unsigned long chtype);
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
                                char *value, int nid, int n_min, int n_max,
                                unsigned long chtype);
static int add_DN_object(X509_NAME *n, char *text, const char *def,
                         char *value, int nid, int n_min, int n_max,
                         unsigned long chtype, int mval);
static int genpkey_cb(EVP_PKEY_CTX *ctx);
static int build_data(char *text, const char *def,
                      char *value, int n_min, int n_max,
                      char *buf, const int buf_size,
                      const char *desc1, const char *desc2);
static int req_check_len(int len, int n_min, int n_max);
static int check_end(const char *str, const char *end);
static int join(char buf[], size_t buf_size, const char *name,
                const char *tail, const char *desc);
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
                                    int *pkey_type, long *pkeylen,
                                    char **palgnam, ENGINE *keygen_engine);

/* Configuration loaded from the -config template (or the default file). */
static CONF *req_conf = NULL;
/* Configuration built from the -addext command line arguments, if any. */
static CONF *addext_conf = NULL;
/* Set by -batch; see the option description in req_options[]. */
static int batch = 0;

typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
    OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
    OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
    OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
    OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
    OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
    OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
    OPT_REQEXTS, OPT_PRECERT, OPT_MD,
    OPT_R_ENUM
} OPTION_CHOICE;

/*
 * Option table for the "req" command.  Row order is the order -help
 * prints them, so it is kept as is.
 */
const OPTIONS req_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"key", OPT_KEY, 's', "Private key to use"},
    {"keyform", OPT_KEYFORM, 'f', "Key file format"},
    {"pubkey", OPT_PUBKEY, '-', "Output public key"},
    {"new", OPT_NEW, '-', "New request"},
    {"config", OPT_CONFIG, '<', "Request template file"},
    {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
    {"passin", OPT_PASSIN, 's', "Private key password source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    OPT_R_OPTIONS,
    {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
    {"batch", OPT_BATCH, '-',
     "Do not ask anything during request generation"},
    {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
    {"modulus", OPT_MODULUS, '-', "RSA modulus"},
    {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
    {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
    {"noout", OPT_NOOUT, '-', "Do not output REQ"},
    {"verbose", OPT_VERBOSE, '-', "Verbose output"},
    {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
    {"reqopt", OPT_REQOPT, 's', "Various request text options"},
    {"text", OPT_TEXT, '-', "Text form of request"},
    {"x509", OPT_X509, '-',
     "Output a x509 structure instead of a cert request"},
    {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
    {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
    {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
    {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
     "Enable support for multivalued RDNs"},
    {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
    {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
    {"addext", OPT_ADDEXT, 's',
     "Additional cert extension key=value pair (may be given more than once)"},
    {"extensions", OPT_EXTENSIONS, 's',
     "Cert extension section (override value in config file)"},
    {"reqexts", OPT_REQEXTS, 's',
     "Request extension section (override value in config file)"},
    {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
    {"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
     "Specify engine to be used for key generation operations"},
#endif
    {NULL}
};


/*
 * An LHASH of strings, where each string is an extension name.  The three
 * callbacks below are the hash, compare and per-entry release functions
 * for that table.
 */

/* Hash callback: hash the name as an ordinary NUL-terminated string. */
static unsigned long ext_name_hash(const OPENSSL_STRING *a)
{
    return OPENSSL_LH_strhash((const char *)a);
}

/* Compare callback: strcmp() ordering of two extension names. */
static int ext_name_cmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b)
{
    return strcmp((const char *)a, (const char *)b);
}

/* Release one entry; entries are OPENSSL_strdup() copies made by duplicated(). */
static void exts_cleanup(OPENSSL_STRING *x)
{
    OPENSSL_free((char *)x);
}

/*
 * Is the |kv| key already duplicated? This is remarkably tricky to get
 * right. Return 0 if unique, -1 on runtime error; 1 if found or a syntax
 * error.
 *
 * |kv| is one -addext argument of the form "key=value".  Leading
 * whitespace and whitespace immediately before the '=' are ignored when
 * forming the key.  A key that is accepted is copied into |addexts|, which
 * then owns the copy (released via exts_cleanup()).
 */
static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
{
    char *eq, *copy, *displaced;
    size_t keylen;

    /* Syntax: skip leading whitespace; an empty or blank argument is an error. */
    while (isspace((unsigned char)*kv))
        kv++;
    if (*kv == '\0')
        return 1;

    /* There must be an '='; everything before it is the candidate key. */
    eq = strchr(kv, '=');
    if (eq == NULL)
        return 1;
    keylen = (size_t)(eq - kv);

    /* Work on a private copy so the argument itself is never modified. */
    copy = OPENSSL_strdup(kv);
    if (copy == NULL)
        return -1;

    /* Drop trailing whitespace before the '='; a blank key is a syntax error. */
    while (keylen > 0 && isspace((unsigned char)copy[keylen - 1]))
        keylen--;
    if (keylen == 0) {
        OPENSSL_free(copy);
        return 1;
    }
    copy[keylen] = '\0';

    /*
     * Insert the clean key.  The table now owns |copy|.  If an equal key was
     * already present, insert returns that older entry (which |copy| has
     * displaced): free it and report the duplicate.
     */
    displaced = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING *)copy);
    if (displaced != NULL) {
        OPENSSL_free(displaced);
        return 1;
    }
    if (lh_OPENSSL_STRING_error(addexts)) {
        /* Insert failed, so the table did not take ownership of |copy|. */
        OPENSSL_free(copy);
        return -1;
    }

    return 0;
}

/*
 * Entry point for the "req" command: parses req_options[] and then builds,
 * loads, verifies and/or prints a certificate request (or, with -x509, a
 * self-signed certificate).  The body continues below these declarations.
 */
int req_main(int argc, char **argv)
{
    ASN1_INTEGER *serial = NULL;
    BIO *in = NULL, *out = NULL;
    ENGINE *e = NULL, *gen_eng = NULL;
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *genctx = NULL;
    STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
    LHASH_OF(OPENSSL_STRING) *addexts = NULL;
    X509 *x509ss = NULL;
    X509_REQ *req = NULL;
    const EVP_CIPHER *cipher = NULL;
    const
EVP_MD *md_alg = NULL, *digest = NULL; 228 1.1.1.2 christos BIO *addext_bio = NULL; 229 1.1.1.2 christos char *extensions = NULL, *infile = NULL; 230 1.1.1.2 christos char *outfile = NULL, *keyfile = NULL; 231 1.1.1.2 christos char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; 232 1.1.1.2 christos char *passin = NULL, *passout = NULL; 233 1.1.1.2 christos char *nofree_passin = NULL, *nofree_passout = NULL; 234 1.1.1.2 christos char *req_exts = NULL, *subj = NULL; 235 1.1.1.2 christos char *template = default_config_file, *keyout = NULL; 236 1.1.1.2 christos const char *keyalg = NULL; 237 1.1.1.2 christos OPTION_CHOICE o; 238 1.1.1.2 christos int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0; 239 1.1.1.2 christos int pkey_type = -1, private = 0; 240 1.1.1.2 christos int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; 241 1.1.1.2 christos int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0; 242 1.1.1.2 christos int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; 243 1.1.1.2 christos long newkey = -1; 244 1.1.1.2 christos unsigned long chtype = MBSTRING_ASC, reqflag = 0; 245 1.1 christos 246 1.1 christos #ifndef OPENSSL_NO_DES 247 1.1 christos cipher = EVP_des_ede3_cbc(); 248 1.1 christos #endif 249 1.1 christos 250 1.1.1.2 christos prog = opt_init(argc, argv, req_options); 251 1.1.1.2 christos while ((o = opt_next()) != OPT_EOF) { 252 1.1.1.2 christos switch (o) { 253 1.1.1.2 christos case OPT_EOF: 254 1.1.1.2 christos case OPT_ERR: 255 1.1.1.2 christos opthelp: 256 1.1.1.2 christos BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 257 1.1.1.2 christos goto end; 258 1.1.1.2 christos case OPT_HELP: 259 1.1.1.2 christos opt_help(req_options); 260 1.1.1.2 christos ret = 0; 261 1.1.1.2 christos goto end; 262 1.1.1.2 christos case OPT_INFORM: 263 1.1.1.2 christos if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) 264 1.1.1.2 christos goto opthelp; 265 1.1.1.2 christos break; 266 
1.1.1.2 christos case OPT_OUTFORM: 267 1.1.1.2 christos if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) 268 1.1.1.2 christos goto opthelp; 269 1.1.1.2 christos break; 270 1.1.1.2 christos case OPT_ENGINE: 271 1.1.1.2 christos e = setup_engine(opt_arg(), 0); 272 1.1.1.2 christos break; 273 1.1.1.2 christos case OPT_KEYGEN_ENGINE: 274 1.1 christos #ifndef OPENSSL_NO_ENGINE 275 1.1.1.2 christos gen_eng = ENGINE_by_id(opt_arg()); 276 1.1 christos if (gen_eng == NULL) { 277 1.1 christos BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); 278 1.1.1.2 christos goto opthelp; 279 1.1 christos } 280 1.1 christos #endif 281 1.1.1.2 christos break; 282 1.1.1.2 christos case OPT_KEY: 283 1.1.1.2 christos keyfile = opt_arg(); 284 1.1.1.2 christos break; 285 1.1.1.2 christos case OPT_PUBKEY: 286 1.1 christos pubkey = 1; 287 1.1.1.2 christos break; 288 1.1.1.2 christos case OPT_NEW: 289 1.1 christos newreq = 1; 290 1.1.1.2 christos break; 291 1.1.1.2 christos case OPT_CONFIG: 292 1.1.1.2 christos template = opt_arg(); 293 1.1.1.2 christos break; 294 1.1.1.2 christos case OPT_KEYFORM: 295 1.1.1.2 christos if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) 296 1.1.1.2 christos goto opthelp; 297 1.1.1.2 christos break; 298 1.1.1.2 christos case OPT_IN: 299 1.1.1.2 christos infile = opt_arg(); 300 1.1.1.2 christos break; 301 1.1.1.2 christos case OPT_OUT: 302 1.1.1.2 christos outfile = opt_arg(); 303 1.1.1.2 christos break; 304 1.1.1.2 christos case OPT_KEYOUT: 305 1.1.1.2 christos keyout = opt_arg(); 306 1.1.1.2 christos break; 307 1.1.1.2 christos case OPT_PASSIN: 308 1.1.1.2 christos passargin = opt_arg(); 309 1.1.1.2 christos break; 310 1.1.1.2 christos case OPT_PASSOUT: 311 1.1.1.2 christos passargout = opt_arg(); 312 1.1.1.2 christos break; 313 1.1.1.2 christos case OPT_R_CASES: 314 1.1.1.2 christos if (!opt_rand(o)) 315 1.1.1.2 christos goto end; 316 1.1.1.2 christos break; 317 1.1.1.2 christos case OPT_NEWKEY: 318 1.1.1.2 christos keyalg = opt_arg(); 319 1.1 
christos newreq = 1; 320 1.1.1.2 christos break; 321 1.1.1.2 christos case OPT_PKEYOPT: 322 1.1 christos if (!pkeyopts) 323 1.1 christos pkeyopts = sk_OPENSSL_STRING_new_null(); 324 1.1.1.2 christos if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg())) 325 1.1.1.2 christos goto opthelp; 326 1.1.1.2 christos break; 327 1.1.1.2 christos case OPT_SIGOPT: 328 1.1 christos if (!sigopts) 329 1.1 christos sigopts = sk_OPENSSL_STRING_new_null(); 330 1.1.1.2 christos if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) 331 1.1.1.2 christos goto opthelp; 332 1.1.1.2 christos break; 333 1.1.1.2 christos case OPT_BATCH: 334 1.1 christos batch = 1; 335 1.1.1.2 christos break; 336 1.1.1.2 christos case OPT_NEWHDR: 337 1.1 christos newhdr = 1; 338 1.1.1.2 christos break; 339 1.1.1.2 christos case OPT_MODULUS: 340 1.1 christos modulus = 1; 341 1.1.1.2 christos break; 342 1.1.1.2 christos case OPT_VERIFY: 343 1.1 christos verify = 1; 344 1.1.1.2 christos break; 345 1.1.1.2 christos case OPT_NODES: 346 1.1 christos nodes = 1; 347 1.1.1.2 christos break; 348 1.1.1.2 christos case OPT_NOOUT: 349 1.1 christos noout = 1; 350 1.1.1.2 christos break; 351 1.1.1.2 christos case OPT_VERBOSE: 352 1.1 christos verbose = 1; 353 1.1.1.2 christos break; 354 1.1.1.2 christos case OPT_UTF8: 355 1.1 christos chtype = MBSTRING_UTF8; 356 1.1.1.2 christos break; 357 1.1.1.2 christos case OPT_NAMEOPT: 358 1.1.1.2 christos if (!set_nameopt(opt_arg())) 359 1.1.1.2 christos goto opthelp; 360 1.1.1.2 christos break; 361 1.1.1.2 christos case OPT_REQOPT: 362 1.1.1.2 christos if (!set_cert_ex(&reqflag, opt_arg())) 363 1.1.1.2 christos goto opthelp; 364 1.1.1.2 christos break; 365 1.1.1.2 christos case OPT_TEXT: 366 1.1 christos text = 1; 367 1.1.1.2 christos break; 368 1.1.1.2 christos case OPT_X509: 369 1.1 christos x509 = 1; 370 1.1.1.2 christos break; 371 1.1.1.2 christos case OPT_DAYS: 372 1.1.1.2 christos days = atoi(opt_arg()); 373 1.1.1.2 christos break; 374 1.1.1.2 christos case 
OPT_SET_SERIAL: 375 1.1.1.2 christos if (serial != NULL) { 376 1.1.1.2 christos BIO_printf(bio_err, "Serial number supplied twice\n"); 377 1.1.1.2 christos goto opthelp; 378 1.1.1.2 christos } 379 1.1.1.2 christos serial = s2i_ASN1_INTEGER(NULL, opt_arg()); 380 1.1.1.2 christos if (serial == NULL) 381 1.1.1.2 christos goto opthelp; 382 1.1.1.2 christos break; 383 1.1.1.2 christos case OPT_SUBJECT: 384 1.1.1.2 christos subject = 1; 385 1.1.1.2 christos break; 386 1.1.1.2 christos case OPT_SUBJ: 387 1.1.1.2 christos subj = opt_arg(); 388 1.1.1.2 christos break; 389 1.1.1.2 christos case OPT_MULTIVALUE_RDN: 390 1.1 christos multirdn = 1; 391 1.1.1.2 christos break; 392 1.1.1.2 christos case OPT_ADDEXT: 393 1.1.1.2 christos p = opt_arg(); 394 1.1.1.2 christos if (addexts == NULL) { 395 1.1.1.2 christos addexts = lh_OPENSSL_STRING_new(ext_name_hash, ext_name_cmp); 396 1.1.1.2 christos addext_bio = BIO_new(BIO_s_mem()); 397 1.1.1.2 christos if (addexts == NULL || addext_bio == NULL) 398 1.1.1.2 christos goto end; 399 1.1.1.2 christos } 400 1.1.1.2 christos i = duplicated(addexts, p); 401 1.1.1.2 christos if (i == 1) 402 1.1.1.2 christos goto opthelp; 403 1.1.1.2 christos if (i < 0 || BIO_printf(addext_bio, "%s\n", opt_arg()) < 0) 404 1.1.1.2 christos goto end; 405 1.1.1.2 christos break; 406 1.1.1.2 christos case OPT_EXTENSIONS: 407 1.1.1.2 christos extensions = opt_arg(); 408 1.1.1.2 christos break; 409 1.1.1.2 christos case OPT_REQEXTS: 410 1.1.1.2 christos req_exts = opt_arg(); 411 1.1.1.2 christos break; 412 1.1.1.2 christos case OPT_PRECERT: 413 1.1.1.2 christos newreq = precert = 1; 414 1.1.1.2 christos break; 415 1.1.1.2 christos case OPT_MD: 416 1.1.1.2 christos if (!opt_md(opt_unknown(), &md_alg)) 417 1.1.1.2 christos goto opthelp; 418 1.1 christos digest = md_alg; 419 1.1 christos break; 420 1.1 christos } 421 1.1 christos } 422 1.1.1.2 christos argc = opt_num_rest(); 423 1.1.1.2 christos if (argc != 0) 424 1.1.1.2 christos goto opthelp; 425 1.1.1.2 christos 
426 1.1.1.2 christos if (days && !x509) 427 1.1.1.2 christos BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n"); 428 1.1.1.2 christos if (x509 && infile == NULL) 429 1.1.1.2 christos newreq = 1; 430 1.1 christos 431 1.1.1.2 christos /* TODO: simplify this as pkey is still always NULL here */ 432 1.1.1.2 christos private = newreq && (pkey == NULL) ? 1 : 0; 433 1.1 christos 434 1.1.1.2 christos if (!app_passwd(passargin, passargout, &passin, &passout)) { 435 1.1 christos BIO_printf(bio_err, "Error getting passwords\n"); 436 1.1 christos goto end; 437 1.1 christos } 438 1.1 christos 439 1.1.1.2 christos if (verbose) 440 1.1.1.2 christos BIO_printf(bio_err, "Using configuration from %s\n", template); 441 1.1.1.2 christos if ((req_conf = app_load_config(template)) == NULL) 442 1.1.1.2 christos goto end; 443 1.1.1.2 christos if (addext_bio) { 444 1.1 christos if (verbose) 445 1.1.1.2 christos BIO_printf(bio_err, 446 1.1.1.2 christos "Using additional configuration from command line\n"); 447 1.1.1.2 christos if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL) 448 1.1 christos goto end; 449 1.1 christos } 450 1.1.1.2 christos if (template != default_config_file && !app_load_modules(req_conf)) 451 1.1.1.2 christos goto end; 452 1.1 christos 453 1.1 christos if (req_conf != NULL) { 454 1.1 christos p = NCONF_get_string(req_conf, NULL, "oid_file"); 455 1.1 christos if (p == NULL) 456 1.1 christos ERR_clear_error(); 457 1.1 christos if (p != NULL) { 458 1.1 christos BIO *oid_bio; 459 1.1 christos 460 1.1 christos oid_bio = BIO_new_file(p, "r"); 461 1.1 christos if (oid_bio == NULL) { 462 1.1 christos /*- 463 1.1 christos BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); 464 1.1 christos ERR_print_errors(bio_err); 465 1.1 christos */ 466 1.1 christos } else { 467 1.1 christos OBJ_create_objects(oid_bio); 468 1.1 christos BIO_free(oid_bio); 469 1.1 christos } 470 1.1 christos } 471 1.1 christos } 472 1.1.1.2 christos if 
(!add_oid_section(req_conf)) 473 1.1 christos goto end; 474 1.1 christos 475 1.1 christos if (md_alg == NULL) { 476 1.1 christos p = NCONF_get_string(req_conf, SECTION, "default_md"); 477 1.1.1.2 christos if (p == NULL) { 478 1.1 christos ERR_clear_error(); 479 1.1.1.2 christos } else { 480 1.1.1.2 christos if (!opt_md(p, &md_alg)) 481 1.1.1.2 christos goto opthelp; 482 1.1.1.2 christos digest = md_alg; 483 1.1 christos } 484 1.1 christos } 485 1.1 christos 486 1.1.1.2 christos if (extensions == NULL) { 487 1.1 christos extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS); 488 1.1.1.2 christos if (extensions == NULL) 489 1.1 christos ERR_clear_error(); 490 1.1 christos } 491 1.1.1.2 christos if (extensions != NULL) { 492 1.1 christos /* Check syntax of file */ 493 1.1 christos X509V3_CTX ctx; 494 1.1 christos X509V3_set_ctx_test(&ctx); 495 1.1 christos X509V3_set_nconf(&ctx, req_conf); 496 1.1 christos if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { 497 1.1 christos BIO_printf(bio_err, 498 1.1 christos "Error Loading extension section %s\n", extensions); 499 1.1 christos goto end; 500 1.1 christos } 501 1.1 christos } 502 1.1.1.2 christos if (addext_conf != NULL) { 503 1.1.1.2 christos /* Check syntax of command line extensions */ 504 1.1.1.2 christos X509V3_CTX ctx; 505 1.1.1.2 christos X509V3_set_ctx_test(&ctx); 506 1.1.1.2 christos X509V3_set_nconf(&ctx, addext_conf); 507 1.1.1.2 christos if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { 508 1.1.1.2 christos BIO_printf(bio_err, "Error Loading command line extensions\n"); 509 1.1.1.2 christos goto end; 510 1.1.1.2 christos } 511 1.1.1.2 christos } 512 1.1 christos 513 1.1.1.2 christos if (passin == NULL) { 514 1.1.1.2 christos passin = nofree_passin = 515 1.1.1.2 christos NCONF_get_string(req_conf, SECTION, "input_password"); 516 1.1.1.2 christos if (passin == NULL) 517 1.1 christos ERR_clear_error(); 518 1.1 christos } 519 1.1 christos 520 1.1.1.2 christos if (passout == 
NULL) { 521 1.1.1.2 christos passout = nofree_passout = 522 1.1.1.2 christos NCONF_get_string(req_conf, SECTION, "output_password"); 523 1.1.1.2 christos if (passout == NULL) 524 1.1 christos ERR_clear_error(); 525 1.1 christos } 526 1.1 christos 527 1.1 christos p = NCONF_get_string(req_conf, SECTION, STRING_MASK); 528 1.1.1.2 christos if (p == NULL) 529 1.1 christos ERR_clear_error(); 530 1.1 christos 531 1.1.1.2 christos if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) { 532 1.1 christos BIO_printf(bio_err, "Invalid global string mask setting %s\n", p); 533 1.1 christos goto end; 534 1.1 christos } 535 1.1 christos 536 1.1 christos if (chtype != MBSTRING_UTF8) { 537 1.1 christos p = NCONF_get_string(req_conf, SECTION, UTF8_IN); 538 1.1.1.2 christos if (p == NULL) 539 1.1 christos ERR_clear_error(); 540 1.1.1.2 christos else if (strcmp(p, "yes") == 0) 541 1.1 christos chtype = MBSTRING_UTF8; 542 1.1 christos } 543 1.1 christos 544 1.1.1.2 christos if (req_exts == NULL) { 545 1.1 christos req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); 546 1.1.1.2 christos if (req_exts == NULL) 547 1.1 christos ERR_clear_error(); 548 1.1 christos } 549 1.1.1.2 christos if (req_exts != NULL) { 550 1.1 christos /* Check syntax of file */ 551 1.1 christos X509V3_CTX ctx; 552 1.1 christos X509V3_set_ctx_test(&ctx); 553 1.1 christos X509V3_set_nconf(&ctx, req_conf); 554 1.1 christos if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { 555 1.1 christos BIO_printf(bio_err, 556 1.1 christos "Error Loading request extension section %s\n", 557 1.1 christos req_exts); 558 1.1 christos goto end; 559 1.1 christos } 560 1.1 christos } 561 1.1 christos 562 1.1 christos if (keyfile != NULL) { 563 1.1.1.2 christos pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); 564 1.1.1.2 christos if (pkey == NULL) { 565 1.1.1.2 christos /* load_key() has already printed an appropriate message */ 566 1.1 christos goto end; 567 1.1 christos } else { 568 1.1.1.2 
christos app_RAND_load_conf(req_conf, SECTION); 569 1.1 christos } 570 1.1 christos } 571 1.1 christos 572 1.1 christos if (newreq && (pkey == NULL)) { 573 1.1.1.2 christos app_RAND_load_conf(req_conf, SECTION); 574 1.1 christos 575 1.1 christos if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) { 576 1.1 christos newkey = DEFAULT_KEY_LENGTH; 577 1.1 christos } 578 1.1 christos 579 1.1.1.2 christos if (keyalg != NULL) { 580 1.1.1.2 christos genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey, 581 1.1 christos &keyalgstr, gen_eng); 582 1.1.1.2 christos if (genctx == NULL) 583 1.1 christos goto end; 584 1.1 christos } 585 1.1 christos 586 1.1 christos if (newkey < MIN_KEY_LENGTH 587 1.1 christos && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { 588 1.1 christos BIO_printf(bio_err, "private key length is too short,\n"); 589 1.1 christos BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", 590 1.1 christos MIN_KEY_LENGTH, newkey); 591 1.1 christos goto end; 592 1.1 christos } 593 1.1 christos 594 1.1.1.2 christos if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS) 595 1.1.1.2 christos BIO_printf(bio_err, 596 1.1.1.2 christos "Warning: It is not recommended to use more than %d bit for RSA keys.\n" 597 1.1.1.2 christos " Your key size is %ld! Larger key size may behave not as expected.\n", 598 1.1.1.2 christos OPENSSL_RSA_MAX_MODULUS_BITS, newkey); 599 1.1.1.2 christos 600 1.1.1.2 christos #ifndef OPENSSL_NO_DSA 601 1.1.1.2 christos if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS) 602 1.1.1.2 christos BIO_printf(bio_err, 603 1.1.1.2 christos "Warning: It is not recommended to use more than %d bit for DSA keys.\n" 604 1.1.1.2 christos " Your key size is %ld! 
Larger key size may behave not as expected.\n", 605 1.1.1.2 christos OPENSSL_DSA_MAX_MODULUS_BITS, newkey); 606 1.1.1.2 christos #endif 607 1.1.1.2 christos 608 1.1.1.2 christos if (genctx == NULL) { 609 1.1.1.2 christos genctx = set_keygen_ctx(NULL, &pkey_type, &newkey, 610 1.1 christos &keyalgstr, gen_eng); 611 1.1 christos if (!genctx) 612 1.1 christos goto end; 613 1.1 christos } 614 1.1 christos 615 1.1.1.2 christos if (pkeyopts != NULL) { 616 1.1 christos char *genopt; 617 1.1 christos for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { 618 1.1 christos genopt = sk_OPENSSL_STRING_value(pkeyopts, i); 619 1.1 christos if (pkey_ctrl_string(genctx, genopt) <= 0) { 620 1.1 christos BIO_printf(bio_err, "parameter error \"%s\"\n", genopt); 621 1.1 christos ERR_print_errors(bio_err); 622 1.1 christos goto end; 623 1.1 christos } 624 1.1 christos } 625 1.1 christos } 626 1.1 christos 627 1.1.1.2 christos if (pkey_type == EVP_PKEY_EC) { 628 1.1.1.2 christos BIO_printf(bio_err, "Generating an EC private key\n"); 629 1.1.1.2 christos } else { 630 1.1.1.2 christos BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr); 631 1.1.1.2 christos } 632 1.1 christos 633 1.1 christos EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); 634 1.1 christos EVP_PKEY_CTX_set_app_data(genctx, bio_err); 635 1.1 christos 636 1.1 christos if (EVP_PKEY_keygen(genctx, &pkey) <= 0) { 637 1.1 christos BIO_puts(bio_err, "Error Generating Key\n"); 638 1.1 christos goto end; 639 1.1 christos } 640 1.1 christos 641 1.1 christos EVP_PKEY_CTX_free(genctx); 642 1.1 christos genctx = NULL; 643 1.1 christos 644 1.1 christos if (keyout == NULL) { 645 1.1 christos keyout = NCONF_get_string(req_conf, SECTION, KEYFILE); 646 1.1 christos if (keyout == NULL) 647 1.1 christos ERR_clear_error(); 648 1.1 christos } 649 1.1 christos 650 1.1.1.2 christos if (keyout == NULL) 651 1.1 christos BIO_printf(bio_err, "writing new private key to stdout\n"); 652 1.1.1.2 christos else 653 1.1 christos BIO_printf(bio_err, 
"writing new private key to '%s'\n", keyout); 654 1.1.1.2 christos out = bio_open_owner(keyout, outformat, private); 655 1.1.1.2 christos if (out == NULL) 656 1.1.1.2 christos goto end; 657 1.1 christos 658 1.1 christos p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key"); 659 1.1 christos if (p == NULL) { 660 1.1 christos ERR_clear_error(); 661 1.1 christos p = NCONF_get_string(req_conf, SECTION, "encrypt_key"); 662 1.1 christos if (p == NULL) 663 1.1 christos ERR_clear_error(); 664 1.1 christos } 665 1.1 christos if ((p != NULL) && (strcmp(p, "no") == 0)) 666 1.1 christos cipher = NULL; 667 1.1 christos if (nodes) 668 1.1 christos cipher = NULL; 669 1.1 christos 670 1.1 christos i = 0; 671 1.1 christos loop: 672 1.1.1.2 christos assert(private); 673 1.1 christos if (!PEM_write_bio_PrivateKey(out, pkey, cipher, 674 1.1 christos NULL, 0, NULL, passout)) { 675 1.1 christos if ((ERR_GET_REASON(ERR_peek_error()) == 676 1.1 christos PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) { 677 1.1 christos ERR_clear_error(); 678 1.1 christos i++; 679 1.1 christos goto loop; 680 1.1 christos } 681 1.1 christos goto end; 682 1.1 christos } 683 1.1.1.2 christos BIO_free(out); 684 1.1.1.2 christos out = NULL; 685 1.1 christos BIO_printf(bio_err, "-----\n"); 686 1.1 christos } 687 1.1 christos 688 1.1 christos if (!newreq) { 689 1.1.1.2 christos in = bio_open_default(infile, 'r', informat); 690 1.1.1.2 christos if (in == NULL) 691 1.1.1.2 christos goto end; 692 1.1 christos 693 1.1 christos if (informat == FORMAT_ASN1) 694 1.1 christos req = d2i_X509_REQ_bio(in, NULL); 695 1.1.1.2 christos else 696 1.1 christos req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); 697 1.1 christos if (req == NULL) { 698 1.1 christos BIO_printf(bio_err, "unable to load X509 request\n"); 699 1.1 christos goto end; 700 1.1 christos } 701 1.1 christos } 702 1.1 christos 703 1.1.1.2 christos if (newreq || x509) { 704 1.1 christos if (pkey == NULL) { 705 1.1 christos BIO_printf(bio_err, "you need to 
specify a private key\n"); 706 1.1 christos goto end; 707 1.1 christos } 708 1.1 christos 709 1.1 christos if (req == NULL) { 710 1.1 christos req = X509_REQ_new(); 711 1.1 christos if (req == NULL) { 712 1.1 christos goto end; 713 1.1 christos } 714 1.1 christos 715 1.1 christos i = make_REQ(req, pkey, subj, multirdn, !x509, chtype); 716 1.1 christos subj = NULL; /* done processing '-subj' option */ 717 1.1 christos if (!i) { 718 1.1 christos BIO_printf(bio_err, "problems making Certificate Request\n"); 719 1.1 christos goto end; 720 1.1 christos } 721 1.1 christos } 722 1.1 christos if (x509) { 723 1.1 christos EVP_PKEY *tmppkey; 724 1.1 christos X509V3_CTX ext_ctx; 725 1.1 christos if ((x509ss = X509_new()) == NULL) 726 1.1 christos goto end; 727 1.1 christos 728 1.1 christos /* Set version to V3 */ 729 1.1.1.2 christos if ((extensions != NULL || addext_conf != NULL) 730 1.1.1.2 christos && !X509_set_version(x509ss, 2)) 731 1.1 christos goto end; 732 1.1.1.2 christos if (serial != NULL) { 733 1.1 christos if (!X509_set_serialNumber(x509ss, serial)) 734 1.1 christos goto end; 735 1.1 christos } else { 736 1.1 christos if (!rand_serial(NULL, X509_get_serialNumber(x509ss))) 737 1.1 christos goto end; 738 1.1 christos } 739 1.1 christos 740 1.1 christos if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) 741 1.1 christos goto end; 742 1.1.1.2 christos if (days == 0) { 743 1.1.1.2 christos /* set default days if it's not specified */ 744 1.1.1.2 christos days = 30; 745 1.1.1.2 christos } 746 1.1.1.2 christos if (!set_cert_times(x509ss, NULL, NULL, days)) 747 1.1 christos goto end; 748 1.1 christos if (!X509_set_subject_name 749 1.1 christos (x509ss, X509_REQ_get_subject_name(req))) 750 1.1 christos goto end; 751 1.1.1.2 christos tmppkey = X509_REQ_get0_pubkey(req); 752 1.1 christos if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey)) 753 1.1 christos goto end; 754 1.1 christos 755 1.1 christos /* Set up V3 context struct */ 756 1.1 christos 757 1.1 
christos X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0); 758 1.1 christos X509V3_set_nconf(&ext_ctx, req_conf); 759 1.1 christos 760 1.1 christos /* Add extensions */ 761 1.1.1.2 christos if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf, 762 1.1.1.2 christos &ext_ctx, extensions, 763 1.1.1.2 christos x509ss)) { 764 1.1 christos BIO_printf(bio_err, "Error Loading extension section %s\n", 765 1.1 christos extensions); 766 1.1 christos goto end; 767 1.1 christos } 768 1.1.1.2 christos if (addext_conf != NULL 769 1.1.1.2 christos && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default", 770 1.1.1.2 christos x509ss)) { 771 1.1.1.2 christos BIO_printf(bio_err, "Error Loading command line extensions\n"); 772 1.1.1.2 christos goto end; 773 1.1.1.2 christos } 774 1.1.1.2 christos 775 1.1.1.2 christos /* If a pre-cert was requested, we need to add a poison extension */ 776 1.1.1.2 christos if (precert) { 777 1.1.1.2 christos if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0) 778 1.1.1.2 christos != 1) { 779 1.1.1.2 christos BIO_printf(bio_err, "Error adding poison extension\n"); 780 1.1.1.2 christos goto end; 781 1.1.1.2 christos } 782 1.1.1.2 christos } 783 1.1 christos 784 1.1.1.2 christos i = do_X509_sign(x509ss, pkey, digest, sigopts); 785 1.1 christos if (!i) { 786 1.1 christos ERR_print_errors(bio_err); 787 1.1 christos goto end; 788 1.1 christos } 789 1.1 christos } else { 790 1.1 christos X509V3_CTX ext_ctx; 791 1.1 christos 792 1.1 christos /* Set up V3 context struct */ 793 1.1 christos 794 1.1 christos X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); 795 1.1 christos X509V3_set_nconf(&ext_ctx, req_conf); 796 1.1 christos 797 1.1 christos /* Add extensions */ 798 1.1.1.2 christos if (req_exts != NULL 799 1.1.1.2 christos && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx, 800 1.1.1.2 christos req_exts, req)) { 801 1.1 christos BIO_printf(bio_err, "Error Loading extension section %s\n", 802 1.1 christos req_exts); 803 1.1 christos 
goto end; 804 1.1 christos } 805 1.1.1.2 christos if (addext_conf != NULL 806 1.1.1.2 christos && !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default", 807 1.1.1.2 christos req)) { 808 1.1.1.2 christos BIO_printf(bio_err, "Error Loading command line extensions\n"); 809 1.1.1.2 christos goto end; 810 1.1.1.2 christos } 811 1.1.1.2 christos i = do_X509_REQ_sign(req, pkey, digest, sigopts); 812 1.1 christos if (!i) { 813 1.1 christos ERR_print_errors(bio_err); 814 1.1 christos goto end; 815 1.1 christos } 816 1.1 christos } 817 1.1 christos } 818 1.1 christos 819 1.1 christos if (subj && x509) { 820 1.1.1.2 christos BIO_printf(bio_err, "Cannot modify certificate subject\n"); 821 1.1 christos goto end; 822 1.1 christos } 823 1.1 christos 824 1.1 christos if (subj && !x509) { 825 1.1 christos if (verbose) { 826 1.1 christos BIO_printf(bio_err, "Modifying Request's Subject\n"); 827 1.1 christos print_name(bio_err, "old subject=", 828 1.1.1.2 christos X509_REQ_get_subject_name(req), get_nameopt()); 829 1.1 christos } 830 1.1 christos 831 1.1 christos if (build_subject(req, subj, chtype, multirdn) == 0) { 832 1.1 christos BIO_printf(bio_err, "ERROR: cannot modify subject\n"); 833 1.1.1.2 christos ret = 1; 834 1.1 christos goto end; 835 1.1 christos } 836 1.1 christos 837 1.1 christos if (verbose) { 838 1.1 christos print_name(bio_err, "new subject=", 839 1.1.1.2 christos X509_REQ_get_subject_name(req), get_nameopt()); 840 1.1 christos } 841 1.1 christos } 842 1.1 christos 843 1.1 christos if (verify && !x509) { 844 1.1.1.2 christos EVP_PKEY *tpubkey = pkey; 845 1.1 christos 846 1.1.1.2 christos if (tpubkey == NULL) { 847 1.1.1.2 christos tpubkey = X509_REQ_get0_pubkey(req); 848 1.1.1.2 christos if (tpubkey == NULL) 849 1.1 christos goto end; 850 1.1 christos } 851 1.1 christos 852 1.1.1.2 christos i = X509_REQ_verify(req, tpubkey); 853 1.1 christos 854 1.1 christos if (i < 0) { 855 1.1 christos goto end; 856 1.1 christos } else if (i == 0) { 857 1.1 christos 
BIO_printf(bio_err, "verify failure\n"); 858 1.1 christos ERR_print_errors(bio_err); 859 1.1.1.2 christos } else { /* if (i > 0) */ 860 1.1 christos BIO_printf(bio_err, "verify OK\n"); 861 1.1.1.2 christos } 862 1.1 christos } 863 1.1 christos 864 1.1 christos if (noout && !text && !modulus && !subject && !pubkey) { 865 1.1.1.2 christos ret = 0; 866 1.1 christos goto end; 867 1.1 christos } 868 1.1 christos 869 1.1.1.2 christos out = bio_open_default(outfile, 870 1.1.1.2 christos keyout != NULL && outfile != NULL && 871 1.1.1.2 christos strcmp(keyout, outfile) == 0 ? 'a' : 'w', 872 1.1.1.2 christos outformat); 873 1.1.1.2 christos if (out == NULL) 874 1.1.1.2 christos goto end; 875 1.1 christos 876 1.1 christos if (pubkey) { 877 1.1.1.2 christos EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req); 878 1.1.1.2 christos 879 1.1 christos if (tpubkey == NULL) { 880 1.1 christos BIO_printf(bio_err, "Error getting public key\n"); 881 1.1 christos ERR_print_errors(bio_err); 882 1.1 christos goto end; 883 1.1 christos } 884 1.1 christos PEM_write_bio_PUBKEY(out, tpubkey); 885 1.1 christos } 886 1.1 christos 887 1.1 christos if (text) { 888 1.1 christos if (x509) 889 1.1.1.2 christos ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag); 890 1.1 christos else 891 1.1.1.2 christos ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag); 892 1.1.1.2 christos 893 1.1.1.2 christos if (ret == 0) { 894 1.1.1.2 christos if (x509) 895 1.1.1.2 christos BIO_printf(bio_err, "Error printing certificate\n"); 896 1.1.1.2 christos else 897 1.1.1.2 christos BIO_printf(bio_err, "Error printing certificate request\n"); 898 1.1.1.2 christos 899 1.1.1.2 christos ERR_print_errors(bio_err); 900 1.1.1.2 christos goto end; 901 1.1.1.2 christos } 902 1.1 christos } 903 1.1 christos 904 1.1 christos if (subject) { 905 1.1 christos if (x509) 906 1.1 christos print_name(out, "subject=", X509_get_subject_name(x509ss), 907 1.1.1.2 christos get_nameopt()); 908 1.1 christos else 909 1.1 christos 
print_name(out, "subject=", X509_REQ_get_subject_name(req), 910 1.1.1.2 christos get_nameopt()); 911 1.1 christos } 912 1.1 christos 913 1.1 christos if (modulus) { 914 1.1 christos EVP_PKEY *tpubkey; 915 1.1 christos 916 1.1 christos if (x509) 917 1.1.1.2 christos tpubkey = X509_get0_pubkey(x509ss); 918 1.1 christos else 919 1.1.1.2 christos tpubkey = X509_REQ_get0_pubkey(req); 920 1.1 christos if (tpubkey == NULL) { 921 1.1 christos fprintf(stdout, "Modulus=unavailable\n"); 922 1.1 christos goto end; 923 1.1 christos } 924 1.1 christos fprintf(stdout, "Modulus="); 925 1.1 christos #ifndef OPENSSL_NO_RSA 926 1.1.1.2 christos if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) { 927 1.1.1.2 christos const BIGNUM *n; 928 1.1.1.2 christos RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL); 929 1.1.1.2 christos BN_print(out, n); 930 1.1.1.2 christos } else 931 1.1 christos #endif 932 1.1 christos fprintf(stdout, "Wrong Algorithm type"); 933 1.1 christos fprintf(stdout, "\n"); 934 1.1 christos } 935 1.1 christos 936 1.1 christos if (!noout && !x509) { 937 1.1 christos if (outformat == FORMAT_ASN1) 938 1.1 christos i = i2d_X509_REQ_bio(out, req); 939 1.1.1.2 christos else if (newhdr) 940 1.1.1.2 christos i = PEM_write_bio_X509_REQ_NEW(out, req); 941 1.1.1.2 christos else 942 1.1.1.2 christos i = PEM_write_bio_X509_REQ(out, req); 943 1.1 christos if (!i) { 944 1.1 christos BIO_printf(bio_err, "unable to write X509 request\n"); 945 1.1 christos goto end; 946 1.1 christos } 947 1.1 christos } 948 1.1 christos if (!noout && x509 && (x509ss != NULL)) { 949 1.1 christos if (outformat == FORMAT_ASN1) 950 1.1 christos i = i2d_X509_bio(out, x509ss); 951 1.1.1.2 christos else 952 1.1 christos i = PEM_write_bio_X509(out, x509ss); 953 1.1 christos if (!i) { 954 1.1 christos BIO_printf(bio_err, "unable to write X509 certificate\n"); 955 1.1 christos goto end; 956 1.1 christos } 957 1.1 christos } 958 1.1.1.2 christos ret = 0; 959 1.1 christos end: 960 1.1.1.2 christos if (ret) { 
        ERR_print_errors(bio_err);
    }
    NCONF_free(req_conf);
    NCONF_free(addext_conf);
    BIO_free(addext_bio);
    BIO_free(in);
    BIO_free_all(out);
    EVP_PKEY_free(pkey);
    EVP_PKEY_CTX_free(genctx);
    sk_OPENSSL_STRING_free(pkeyopts);
    sk_OPENSSL_STRING_free(sigopts);
    lh_OPENSSL_STRING_doall(addexts, exts_cleanup);
    lh_OPENSSL_STRING_free(addexts);
#ifndef OPENSSL_NO_ENGINE
    ENGINE_free(gen_eng);
#endif
    OPENSSL_free(keyalgstr);
    X509_REQ_free(req);
    X509_free(x509ss);
    ASN1_INTEGER_free(serial);
    release_engine(e);
    if (passin != nofree_passin)
        OPENSSL_free(passin);
    if (passout != nofree_passout)
        OPENSSL_free(passout);
    return ret;
}

/*
 * Fill in a fresh X509_REQ from the "req" configuration section and the
 * command line.
 *
 * req      request to populate; its version is forced to 0 (v1).
 * pkey     key whose public half becomes the request's public key.
 * subj     optional "/type0=value0/..." subject from -subj; when non-NULL
 *          it takes precedence over both the interactive prompt and the
 *          config-driven (prompt = no) path.
 * multirdn allow multi-valued RDNs in subj.
 * attribs  non-zero to also process the "attributes" section.
 * chtype   ASN.1 string type used for the name entries.
 *
 * Returns 1 on success, 0 on failure.  Missing config sections are reported
 * on bio_err here; OpenSSL-level failures are left on the error queue for
 * the caller to print.
 */
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
                    int attribs, unsigned long chtype)
{
    STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
    char *prompt_setting, *dn_sect, *attr_sect;
    int no_prompt, ok;

    /* "prompt = no" selects the non-interactive auto_info() path. */
    prompt_setting = NCONF_get_string(req_conf, SECTION, PROMPT);
    if (prompt_setting == NULL)
        ERR_clear_error();      /* an absent key is not an error */
    no_prompt = prompt_setting != NULL && strcmp(prompt_setting, "no") == 0;

    dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
    if (dn_sect == NULL) {
        BIO_printf(bio_err, "unable to find '%s' in config\n",
                   DISTINGUISHED_NAME);
        return 0;
    }
    dn_sk = NCONF_get_section(req_conf, dn_sect);
    if (dn_sk == NULL) {
        BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
        return 0;
    }

    /* The attributes section is optional; a missing one is simply skipped. */
    attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
    if (attr_sect == NULL) {
        ERR_clear_error();
    } else {
        attr_sk = NCONF_get_section(req_conf, attr_sect);
        if (attr_sk == NULL) {
            BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
            return 0;
        }
    }

    /* setup version number: 0 encodes "version 1" */
    if (!X509_REQ_set_version(req, 0L))
        return 0;

    if (subj != NULL)
        ok = build_subject(req, subj, chtype, multirdn);
    else if (no_prompt)
        ok = auto_info(req, dn_sk, attr_sk, attribs, chtype);
    else
        ok = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
                         chtype);
    if (!ok)
        return 0;

    return X509_REQ_set_pubkey(req, pkey) ? 1 : 0;
}

/*
 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
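 * where characters may be escaped by \
 *
 * Replaces the request's subject with the parsed name.  Returns 1 on
 * success, 0 if the subject cannot be parsed or installed.  The temporary
 * X509_NAME is released on every path since the request keeps its own copy.
 */
static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
                         int multirdn)
{
    X509_NAME *n = parse_name(subject, chtype, multirdn);
    int ok;

    if (n == NULL)
        return 0;
    ok = X509_REQ_set_subject_name(req, n);
    X509_NAME_free(n);
    return ok ? 1 : 0;
}

/*
 * Fetch the per-field tuning keys "<name>_default", "<name>_value",
 * "<name>_min" and "<name>_max" from config section 'sect'.
 *
 * Missing keys are not errors: *def becomes "", *value NULL and the limits
 * -1, which req_check_len() treats as "unconstrained".  The only failure is
 * a field name too long for the key buffer, which join() has already
 * reported on bio_err.
 *
 * Returns 1 on success, 0 on failure.
 */
static int lookup_field_spec(const char *sect, const char *name,
                             const char **def, char **value,
                             long *n_min, long *n_max)
{
    char buf[100];

    if (!join(buf, sizeof(buf), name, "_default", "Name"))
        return 0;
    if ((*def = NCONF_get_string(req_conf, sect, buf)) == NULL) {
        ERR_clear_error();
        *def = "";
    }

    if (!join(buf, sizeof(buf), name, "_value", "Name"))
        return 0;
    if ((*value = NCONF_get_string(req_conf, sect, buf)) == NULL)
        ERR_clear_error();

    if (!join(buf, sizeof(buf), name, "_min", "Name"))
        return 0;
    if (!NCONF_get_number(req_conf, sect, buf, n_min)) {
        ERR_clear_error();
        *n_min = -1;
    }

    if (!join(buf, sizeof(buf), name, "_max", "Name"))
        return 0;
    if (!NCONF_get_number(req_conf, sect, buf, n_max)) {
        ERR_clear_error();
        *n_max = -1;
    }
    return 1;
}

/*
 * Interactively build the subject (and, with 'attribs', the attributes) of
 * 'req' from the config sections 'dn_sect' / 'attr_sect', whose parsed
 * contents are 'dn_sk' / 'attr_sk'.  With the global 'batch' set nothing is
 * asked and the configured defaults/values are taken as they are.
 *
 * Keys whose name ends in _min/_max/_default/_value are field tuning rather
 * than fields and are skipped, as are keys whose type OBJ_txt2nid() does not
 * know.  A leading "X." / "X:" / "X," prefix is stripped so the same type
 * can appear more than once; a leading '+' asks for a multi-valued RDN.
 *
 * Returns 1 on success, 0 on failure (reason already printed), when the DN
 * section is empty, or when no entry ends up in the subject.
 */
static int prompt_info(X509_REQ *req,
                       STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
                       STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
                       int attribs, unsigned long chtype)
{
    X509_NAME *subj = X509_REQ_get_subject_name(req);
    CONF_VALUE *v;
    const char *def;
    char *p, *type, *value;
    long n_min, n_max;
    int i, nid, mval;

    if (!batch) {
        BIO_printf(bio_err,
                   "You are about to be asked to enter information that will be incorporated\n");
        BIO_printf(bio_err, "into your certificate request.\n");
        BIO_printf(bio_err,
                   "What you are about to enter is what is called a Distinguished Name or a DN.\n");
        BIO_printf(bio_err,
                   "There are quite a few fields but you can leave some blank\n");
        BIO_printf(bio_err,
                   "For some fields there will be a default value,\n");
        BIO_printf(bio_err,
                   "If you enter '.', the field will be left blank.\n");
        BIO_printf(bio_err, "-----\n");
    }

    if (sk_CONF_VALUE_num(dn_sk) == 0) {
        BIO_printf(bio_err, "No template, please set one up.\n");
        return 0;
    }

    for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
        v = sk_CONF_VALUE_value(dn_sk, i);
        type = v->name;
        if (!check_end(type, "_min") || !check_end(type, "_max") ||
            !check_end(type, "_default") || !check_end(type, "_value"))
            continue;           /* tuning key, not a field */
        /*
         * Skip past any leading X. X: X, etc to allow for multiple
         * instances
         */
        for (p = v->name; *p; p++)
            if ((*p == ':') || (*p == ',') || (*p == '.')) {
                p++;
                if (*p)
                    type = p;
                break;
            }
        if (*type == '+') {
            mval = -1;
            type++;
        } else {
            mval = 0;
        }
        /* If OBJ not recognised ignore it */
        if ((nid = OBJ_txt2nid(type)) == NID_undef)
            continue;
        if (!lookup_field_spec(dn_sect, v->name, &def, &value, &n_min, &n_max))
            return 0;
        /* _min/_max are longs in the config; add_DN_object() takes int */
        if (!add_DN_object(subj, v->value, def, value, nid,
                           (int)n_min, (int)n_max, chtype, mval))
            return 0;
    }
    if (X509_NAME_entry_count(subj) == 0) {
        BIO_printf(bio_err,
                   "error, no objects specified in config file\n");
        return 0;
    }

    if (!attribs)
        return 1;

    if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
        && (!batch)) {
        BIO_printf(bio_err,
                   "\nPlease enter the following 'extra' attributes\n");
        BIO_printf(bio_err,
                   "to be sent with your certificate request\n");
    }

    for (i = 0; attr_sk != NULL && i < sk_CONF_VALUE_num(attr_sk); i++) {
        v = sk_CONF_VALUE_value(attr_sk, i);
        type = v->name;
        if ((nid = OBJ_txt2nid(type)) == NID_undef)
            continue;           /* unknown attribute type: ignore it */
        if (!lookup_field_spec(attr_sect, type, &def, &value, &n_min, &n_max))
            return 0;
        if (!add_attribute_object(req, v->value, def, value, nid,
                                  (int)n_min, (int)n_max, chtype))
            return 0;
    }
    return 1;
}

/*
 * Non-interactive counterpart of prompt_info(): every entry of the DN
 * section (and, with 'attribs', of the attributes section) is added as-is
 * as "name = value", after the same "X." prefix and '+' multi-value
 * handling.  No _min/_max/_default/_value keys are honoured here.
 *
 * Returns 1 on success, 0 on failure or when the subject ends up empty.
 */
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
                     STACK_OF(CONF_VALUE) *attr_sk, int attribs,
                     unsigned long chtype)
{
    X509_NAME *subj = X509_REQ_get_subject_name(req);
    CONF_VALUE *v;
    char *p, *type;
    int i, spec_char, plus_char, mval;

    for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
        v = sk_CONF_VALUE_value(dn_sk, i);
        type = v->name;
        /*
         * Skip past any leading X. X: X, etc to allow for multiple instances
         */
        for (p = v->name; *p; p++) {
#ifndef CHARSET_EBCDIC
            spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
#else
            spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
                         || (*p == os_toascii['.']));
#endif
            if (spec_char) {
                p++;
                if (*p)
                    type = p;
                break;
            }
        }
#ifndef CHARSET_EBCDIC
        plus_char = (*type == '+');
#else
        plus_char = (*type == os_toascii['+']);
#endif
        if (plus_char) {
            type++;
            mval = -1;          /* -1: append to the previous entry's RDN set */
        } else {
            mval = 0;
        }
        if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
                                        (unsigned char *)v->value, -1, -1,
                                        mval))
            return 0;
    }

    if (!X509_NAME_entry_count(subj)) {
        BIO_printf(bio_err, "error, no objects specified in config file\n");
        return 0;
    }
    if (attribs) {
        for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
            v = sk_CONF_VALUE_value(attr_sk, i);
            if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
                                           (unsigned char *)v->value, -1))
                return 0;
        }
    }
    return 1;
}

/*
 * Obtain one DN field through build_data() and add it to 'n' under 'nid'.
 *
 * build_data()'s 0 (failure) and 1 (field intentionally left blank) are
 * returned unchanged; otherwise returns 1 if the entry was added, 0 if
 * X509_NAME_add_entry_by_NID() failed.  'mval' is passed through as the
 * entry's 'set' argument.
 */
static int add_DN_object(X509_NAME *n, char *text, const char *def,
                         char *value, int nid, int n_min, int n_max,
                         unsigned long chtype, int mval)
{
    char buf[1024];
    int rc = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
                        "DN value", "DN default");

    if (rc != 2)
        return rc;              /* 0 = error, 1 = skipped */
    return X509_NAME_add_entry_by_NID(n, nid, chtype,
                                      (unsigned char *)buf, -1, -1, mval)
        ? 1 : 0;
}

/*
 * Obtain one attribute value through build_data() and add it to 'req'
 * under 'nid'.  Same return convention as add_DN_object(); an add failure
 * is additionally reported on bio_err.
 */
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
                                char *value, int nid, int n_min,
                                int n_max, unsigned long chtype)
{
    char buf[1024];
    int rc = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
                        "Attribute value", "Attribute default");

    if (rc != 2)
        return rc;              /* 0 = error, 1 = skipped */
    if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
                                   (unsigned char *)buf, -1)) {
        BIO_printf(bio_err, "Error adding attribute\n");
        ERR_print_errors(bio_err);
        return 0;
    }
    return 1;
}

/*
 * Obtain the text for one field: the configured 'value' if there is one,
 * otherwise an answer read from stdin (unless 'batch') with 'def' offered
 * as the default.  On success the NUL-terminated answer, stripped of its
 * trailing newline, is left in 'buf' (of 'buf_size' bytes).  'desc1' and
 * 'desc2' name the value and the default in the "too long" messages.
 *
 * Returns 2 when 'buf' holds data to add, 1 when the field is to be left
 * blank ('.' entered, or an empty answer with no default), 0 on error, EOF
 * or an out-of-range length that cannot be re-asked.
 */
static int build_data(char *text, const char *def,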
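                      char *value, int n_min, int n_max,
                      char *buf, const int buf_size,
                      const char *desc1, const char *desc2
                      )
{
    size_t len;

    /* Loops only to re-prompt an interactive user after a length rejection. */
    for (;;) {
        if (!batch)
            BIO_printf(bio_err, "%s [%s]:", text, def);
        (void)BIO_flush(bio_err);
        if (value != NULL) {
            /* A configured value is echoed instead of read from the user. */
            if (!join(buf, buf_size, value, "\n", desc1))
                return 0;
            BIO_printf(bio_err, "%s\n", value);
        } else {
            buf[0] = '\0';
            if (!batch) {
                if (!fgets(buf, buf_size, stdin))
                    return 0;   /* EOF or read error: no answer */
            } else {
                /* batch mode answers every prompt with an empty line */
                buf[0] = '\n';
                buf[1] = '\0';
            }
        }

        if (buf[0] == '\0')
            return 0;
        if (buf[0] == '\n') {
            /* empty answer: take the default, or leave the field blank */
            if ((def == NULL) || (def[0] == '\0'))
                return 1;
            if (!join(buf, buf_size, def, "\n", desc2))
                return 0;
        } else if ((buf[0] == '.') && (buf[1] == '\n')) {
            return 1;           /* explicit "leave blank" */
        }

        /* buf is non-empty here, so len >= 1 and buf[len - 1] is valid */
        len = strlen(buf);
        if (buf[len - 1] != '\n') {
            /* no newline: the line did not fit in buf or input ended early */
            BIO_printf(bio_err, "weird input :-(\n");
            return 0;
        }
        buf[--len] = '\0';
#ifdef CHARSET_EBCDIC
        ebcdic2ascii(buf, buf, len);
#endif
        /* len < buf_size (an int), so the narrowing is lossless */
        if (req_check_len((int)len, n_min, n_max))
            return 2;
        /*
         * Out of range.  In batch mode or for a configured value nobody can
         * be asked again, so give up; otherwise prompt once more.
         */
        if (batch || value)
            return 0;
    }
}

/*
 * Enforce the optional length limits of a field.  n_min <= 0 and n_max < 0
 * mean "no limit" (the config lookups use -1 for a missing key).  The
 * reason for a rejection is printed on bio_err.
 *
 * Returns 1 if 'len' is acceptable, 0 otherwise.
 */
static int req_check_len(int len, int n_min, int n_max)
{
    if ((n_min > 0) && (len < n_min)) {
        BIO_printf(bio_err,
                   "string is too short, it needs to be at least %d bytes long\n",
                   n_min);
        return 0;
    }
    if ((n_max >= 0) && (len > n_max)) {
        BIO_printf(bio_err,
                   "string is too long, it needs to be no more than %d bytes long\n",
                   n_max);
        return 0;
    }
    return 1;
}

/*
 * Check if the end of a string matches 'end'.
 *
 * Note the inverted sense, which callers rely on as "!check_end(...)":
 * returns 0 when 'str' ends with 'end', and non-zero otherwise (the
 * strcmp() result, or 1 when 'end' is longer than 'str').
 */
static int check_end(const char *str, const char *end)
{
    const size_t elen = strlen(end), slen = strlen(str);

    if (elen > slen)
        return 1;
    return strcmp(str + (slen - elen), end);
}

/*
 * Merge the two strings together into the result buffer checking for
 * overflow and producing an error message if there is.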
1438 1.1.1.2 christos */ 1439 1.1.1.2 christos static int join(char buf[], size_t buf_size, const char *name, 1440 1.1.1.2 christos const char *tail, const char *desc) 1441 1.1.1.2 christos { 1442 1.1.1.2 christos const size_t name_len = strlen(name), tail_len = strlen(tail); 1443 1.1.1.2 christos 1444 1.1.1.2 christos if (name_len + tail_len + 1 > buf_size) { 1445 1.1.1.2 christos BIO_printf(bio_err, "%s '%s' too long\n", desc, name); 1446 1.1.1.2 christos return 0; 1447 1.1.1.2 christos } 1448 1.1.1.2 christos memcpy(buf, name, name_len); 1449 1.1.1.2 christos memcpy(buf + name_len, tail, tail_len + 1); 1450 1.1.1.2 christos return 1; 1451 1.1.1.2 christos } 1452 1.1.1.2 christos 1453 1.1.1.2 christos static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, 1454 1.1 christos int *pkey_type, long *pkeylen, 1455 1.1 christos char **palgnam, ENGINE *keygen_engine) 1456 1.1 christos { 1457 1.1 christos EVP_PKEY_CTX *gctx = NULL; 1458 1.1 christos EVP_PKEY *param = NULL; 1459 1.1 christos long keylen = -1; 1460 1.1 christos BIO *pbio = NULL; 1461 1.1 christos const char *paramfile = NULL; 1462 1.1 christos 1463 1.1 christos if (gstr == NULL) { 1464 1.1 christos *pkey_type = EVP_PKEY_RSA; 1465 1.1 christos keylen = *pkeylen; 1466 1.1 christos } else if (gstr[0] >= '0' && gstr[0] <= '9') { 1467 1.1 christos *pkey_type = EVP_PKEY_RSA; 1468 1.1 christos keylen = atol(gstr); 1469 1.1 christos *pkeylen = keylen; 1470 1.1.1.2 christos } else if (strncmp(gstr, "param:", 6) == 0) { 1471 1.1 christos paramfile = gstr + 6; 1472 1.1.1.2 christos } else { 1473 1.1 christos const char *p = strchr(gstr, ':'); 1474 1.1 christos int len; 1475 1.1 christos ENGINE *tmpeng; 1476 1.1 christos const EVP_PKEY_ASN1_METHOD *ameth; 1477 1.1 christos 1478 1.1.1.2 christos if (p != NULL) 1479 1.1 christos len = p - gstr; 1480 1.1 christos else 1481 1.1 christos len = strlen(gstr); 1482 1.1 christos /* 1483 1.1 christos * The lookup of a the string will cover all engines so keep a note 1484 1.1 
christos * of the implementation. 1485 1.1 christos */ 1486 1.1 christos 1487 1.1 christos ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len); 1488 1.1 christos 1489 1.1.1.2 christos if (ameth == NULL) { 1490 1.1.1.2 christos BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr); 1491 1.1 christos return NULL; 1492 1.1 christos } 1493 1.1 christos 1494 1.1 christos EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth); 1495 1.1 christos #ifndef OPENSSL_NO_ENGINE 1496 1.1.1.2 christos ENGINE_finish(tmpeng); 1497 1.1 christos #endif 1498 1.1 christos if (*pkey_type == EVP_PKEY_RSA) { 1499 1.1.1.2 christos if (p != NULL) { 1500 1.1 christos keylen = atol(p + 1); 1501 1.1 christos *pkeylen = keylen; 1502 1.1.1.2 christos } else { 1503 1.1 christos keylen = *pkeylen; 1504 1.1.1.2 christos } 1505 1.1.1.2 christos } else if (p != NULL) { 1506 1.1 christos paramfile = p + 1; 1507 1.1.1.2 christos } 1508 1.1 christos } 1509 1.1 christos 1510 1.1.1.2 christos if (paramfile != NULL) { 1511 1.1 christos pbio = BIO_new_file(paramfile, "r"); 1512 1.1.1.2 christos if (pbio == NULL) { 1513 1.1.1.2 christos BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile); 1514 1.1 christos return NULL; 1515 1.1 christos } 1516 1.1 christos param = PEM_read_bio_Parameters(pbio, NULL); 1517 1.1 christos 1518 1.1.1.2 christos if (param == NULL) { 1519 1.1 christos X509 *x; 1520 1.1.1.2 christos 1521 1.1 christos (void)BIO_reset(pbio); 1522 1.1 christos x = PEM_read_bio_X509(pbio, NULL, NULL, NULL); 1523 1.1.1.2 christos if (x != NULL) { 1524 1.1 christos param = X509_get_pubkey(x); 1525 1.1 christos X509_free(x); 1526 1.1 christos } 1527 1.1 christos } 1528 1.1 christos 1529 1.1 christos BIO_free(pbio); 1530 1.1 christos 1531 1.1.1.2 christos if (param == NULL) { 1532 1.1.1.2 christos BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile); 1533 1.1 christos return NULL; 1534 1.1 christos } 1535 1.1.1.2 christos if (*pkey_type == -1) { 1536 1.1 christos 
*pkey_type = EVP_PKEY_id(param); 1537 1.1.1.2 christos } else if (*pkey_type != EVP_PKEY_base_id(param)) { 1538 1.1.1.2 christos BIO_printf(bio_err, "Key Type does not match parameters\n"); 1539 1.1 christos EVP_PKEY_free(param); 1540 1.1 christos return NULL; 1541 1.1 christos } 1542 1.1 christos } 1543 1.1 christos 1544 1.1.1.2 christos if (palgnam != NULL) { 1545 1.1 christos const EVP_PKEY_ASN1_METHOD *ameth; 1546 1.1 christos ENGINE *tmpeng; 1547 1.1 christos const char *anam; 1548 1.1.1.2 christos 1549 1.1 christos ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type); 1550 1.1.1.2 christos if (ameth == NULL) { 1551 1.1.1.2 christos BIO_puts(bio_err, "Internal error: can't find key algorithm\n"); 1552 1.1 christos return NULL; 1553 1.1 christos } 1554 1.1 christos EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth); 1555 1.1.1.2 christos *palgnam = OPENSSL_strdup(anam); 1556 1.1 christos #ifndef OPENSSL_NO_ENGINE 1557 1.1.1.2 christos ENGINE_finish(tmpeng); 1558 1.1 christos #endif 1559 1.1 christos } 1560 1.1 christos 1561 1.1.1.2 christos if (param != NULL) { 1562 1.1 christos gctx = EVP_PKEY_CTX_new(param, keygen_engine); 1563 1.1 christos *pkeylen = EVP_PKEY_bits(param); 1564 1.1 christos EVP_PKEY_free(param); 1565 1.1.1.2 christos } else { 1566 1.1 christos gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine); 1567 1.1.1.2 christos } 1568 1.1 christos 1569 1.1.1.2 christos if (gctx == NULL) { 1570 1.1.1.2 christos BIO_puts(bio_err, "Error allocating keygen context\n"); 1571 1.1.1.2 christos ERR_print_errors(bio_err); 1572 1.1 christos return NULL; 1573 1.1 christos } 1574 1.1 christos 1575 1.1 christos if (EVP_PKEY_keygen_init(gctx) <= 0) { 1576 1.1.1.2 christos BIO_puts(bio_err, "Error initializing keygen context\n"); 1577 1.1.1.2 christos ERR_print_errors(bio_err); 1578 1.1.1.2 christos EVP_PKEY_CTX_free(gctx); 1579 1.1 christos return NULL; 1580 1.1 christos } 1581 1.1 christos #ifndef OPENSSL_NO_RSA 1582 1.1 christos if ((*pkey_type == 
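EVP_PKEY_RSA) && (keylen != -1)) {
        /*
         * NOTE(review): keylen comes from atol() further up, which accepts
         * non-numeric input ("rsa:abc" -> 0) and negative values without
         * error; the MIN_KEY_LENGTH range check is assumed to live in the
         * caller -- confirm.
         */
        if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
            BIO_puts(bio_err, "Error setting RSA keysize\n");
            ERR_print_errors(bio_err);
            EVP_PKEY_CTX_free(gctx);
            return NULL;
        }
    }
#endif

    return gctx;
}

/*
 * Key-generation progress callback for an EVP_PKEY_CTX.
 *
 * Reads the first keygen_info value of the context, maps it to a single
 * progress character and writes that character to the BIO stored as the
 * context's app data, flushing after each write.  Always returns 1, so it
 * never aborts key generation.
 */
static int genpkey_cb(EVP_PKEY_CTX *ctx)
{
    BIO *out = EVP_PKEY_CTX_get_app_data(ctx);
    char marker;

    switch (EVP_PKEY_CTX_get_keygen_info(ctx, 0)) {
    case 0:
        marker = '.';
        break;
    case 1:
        marker = '+';
        break;
    case 3:
        marker = '\n';
        break;
    case 2:
    default:
        /* Code 2 and any value outside 0..3 print the same marker. */
        marker = '*';
        break;
    }
    BIO_write(out, &marker, 1);
    (void)BIO_flush(out);
    return 1;
}

/*
 * Initialise ctx for signing with pkey and md, then apply every entry of
 * sigopts to the underlying EVP_PKEY_CTX through pkey_ctrl_string()
 * (presumably the user's -sigopt "name:value" strings -- verify against
 * the callers).
 *
 * Returns 1 on success, 0 on failure.  A rejected signature option is
 * reported on bio_err; a failed EVP_DigestSignInit() is not printed here
 * and is left on the OpenSSL error queue for the caller.
 */
static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
                        const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_PKEY_CTX *pkctx = NULL;
    int def_nid;
    int i;

    /*
     * ctx is NULL when the caller's EVP_MD_CTX_new() failed.  pkey is
     * checked as well: the default-digest lookup below is not specified to
     * accept a NULL key, and failing cleanly is cheaper than a crash.
     */
    if (ctx == NULL || pkey == NULL)
        return 0;

    /*
     * EVP_PKEY_get_default_digest_nid() returns 2 when the digest is
     * mandatory for this algorithm.  A mandatory NID_undef means the
     * algorithm signs the message without a separate digest, so whatever
     * md the caller selected must be discarded rather than passed on.
     */
    if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
        && def_nid == NID_undef)
        md = NULL;

    if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
        return 0;

    /* A NULL sigopts yields a negative count and skips the loop. */
    for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
        char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);

        if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
            BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
            ERR_print_errors(bio_err);
            return 0;
        }
    }
    return 1;
}

/*
 * Sign certificate x with pkey and md, honouring sigopts (see
 * do_sign_init()).  Returns 1 on success, 0 on failure; a failed
 * EVP_MD_CTX_new() is reported as a plain failure without a message.
 */
int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
                 STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int rv;

    rv = do_sign_init(mctx, pkey, md, sigopts);
    if (rv > 0)
        rv = X509_sign_ctx(x, mctx);
    EVP_MD_CTX_free(mctx);
    return rv > 0 ? 1 : 0;
}

/*
 * Sign certificate request x with pkey and md, honouring sigopts (see
 * do_sign_init()).  Returns 1 on success, 0 on failure; a failed
 * EVP_MD_CTX_new() is reported as a plain failure without a message.
 */
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
                     STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int rv;

    rv = do_sign_init(mctx, pkey, md, sigopts);
    if (rv > 0)
        rv = X509_REQ_sign_ctx(x, mctx);
    EVP_MD_CTX_free(mctx);
    return rv > 0 ? 1 : 0;
}

/*
 * Sign CRL x with pkey and md, honouring sigopts (see do_sign_init()).
 * Returns 1 on success, 0 on failure; a failed EVP_MD_CTX_new() is
 * reported as a plain failure without a message.
 */
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
                     STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int rv;

    rv = do_sign_init(mctx, pkey, md, sigopts);
    if (rv > 0)
        rv = X509_CRL_sign_ctx(x, mctx);
    EVP_MD_CTX_free(mctx);
    return rv > 0 ? 1 : 0;
}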