1 | /*
|
---|
2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include <stdio.h>
|
---|
11 | #include <stdlib.h>
|
---|
12 | #include <time.h>
|
---|
13 | #include <string.h>
|
---|
14 | #include "apps.h"
|
---|
15 | #include <openssl/bio.h>
|
---|
16 | #include <openssl/evp.h>
|
---|
17 | #include <openssl/conf.h>
|
---|
18 | #include <openssl/err.h>
|
---|
19 | #include <openssl/asn1.h>
|
---|
20 | #include <openssl/x509.h>
|
---|
21 | #include <openssl/x509v3.h>
|
---|
22 | #include <openssl/objects.h>
|
---|
23 | #include <openssl/pem.h>
|
---|
24 | #include <openssl/bn.h>
|
---|
25 | #ifndef OPENSSL_NO_RSA
|
---|
26 | # include <openssl/rsa.h>
|
---|
27 | #endif
|
---|
28 | #ifndef OPENSSL_NO_DSA
|
---|
29 | # include <openssl/dsa.h>
|
---|
30 | #endif
|
---|
31 |
|
---|
32 | #define SECTION "req"
|
---|
33 |
|
---|
34 | #define BITS "default_bits"
|
---|
35 | #define KEYFILE "default_keyfile"
|
---|
36 | #define PROMPT "prompt"
|
---|
37 | #define DISTINGUISHED_NAME "distinguished_name"
|
---|
38 | #define ATTRIBUTES "attributes"
|
---|
39 | #define V3_EXTENSIONS "x509_extensions"
|
---|
40 | #define REQ_EXTENSIONS "req_extensions"
|
---|
41 | #define STRING_MASK "string_mask"
|
---|
42 | #define UTF8_IN "utf8"
|
---|
43 |
|
---|
44 | #define DEFAULT_KEY_LENGTH 2048
|
---|
45 | #define MIN_KEY_LENGTH 512
|
---|
46 |
|
---|
47 | static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
|
---|
48 | int attribs, unsigned long chtype);
|
---|
49 | static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
|
---|
50 | int multirdn);
|
---|
51 | static int prompt_info(X509_REQ *req,
|
---|
52 | STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
|
---|
53 | STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
|
---|
54 | int attribs, unsigned long chtype);
|
---|
55 | static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
|
---|
56 | STACK_OF(CONF_VALUE) *attr, int attribs,
|
---|
57 | unsigned long chtype);
|
---|
58 | static int add_attribute_object(X509_REQ *req, char *text, const char *def,
|
---|
59 | char *value, int nid, int n_min, int n_max,
|
---|
60 | unsigned long chtype);
|
---|
61 | static int add_DN_object(X509_NAME *n, char *text, const char *def,
|
---|
62 | char *value, int nid, int n_min, int n_max,
|
---|
63 | unsigned long chtype, int mval);
|
---|
64 | static int genpkey_cb(EVP_PKEY_CTX *ctx);
|
---|
65 | static int req_check_len(int len, int n_min, int n_max);
|
---|
66 | static int check_end(const char *str, const char *end);
|
---|
67 | static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
|
---|
68 | int *pkey_type, long *pkeylen,
|
---|
69 | char **palgnam, ENGINE *keygen_engine);
|
---|
70 | static CONF *req_conf = NULL;
|
---|
71 | static int batch = 0;
|
---|
72 |
|
---|
73 | typedef enum OPTION_choice {
|
---|
74 | OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
---|
75 | OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
|
---|
76 | OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
|
---|
77 | OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_RAND, OPT_NEWKEY,
|
---|
78 | OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
|
---|
79 | OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
|
---|
80 | OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
|
---|
81 | OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
|
---|
82 | OPT_REQEXTS, OPT_MD
|
---|
83 | } OPTION_CHOICE;
|
---|
84 |
|
---|
85 | OPTIONS req_options[] = {
|
---|
86 | {"help", OPT_HELP, '-', "Display this summary"},
|
---|
87 | {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
---|
88 | {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
---|
89 | {"in", OPT_IN, '<', "Input file"},
|
---|
90 | {"out", OPT_OUT, '>', "Output file"},
|
---|
91 | {"key", OPT_KEY, 's', "Private key to use"},
|
---|
92 | {"keyform", OPT_KEYFORM, 'f', "Key file format"},
|
---|
93 | {"pubkey", OPT_PUBKEY, '-', "Output public key"},
|
---|
94 | {"new", OPT_NEW, '-', "New request"},
|
---|
95 | {"config", OPT_CONFIG, '<', "Request template file"},
|
---|
96 | {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
|
---|
97 | {"passin", OPT_PASSIN, 's', "Private key password source"},
|
---|
98 | {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
---|
99 | {"rand", OPT_RAND, 's',
|
---|
100 | "Load the file(s) into the random number generator"},
|
---|
101 | {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
|
---|
102 | {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
|
---|
103 | {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
|
---|
104 | {"batch", OPT_BATCH, '-',
|
---|
105 | "Do not ask anything during request generation"},
|
---|
106 | {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
|
---|
107 | {"modulus", OPT_MODULUS, '-', "RSA modulus"},
|
---|
108 | {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
|
---|
109 | {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
|
---|
110 | {"noout", OPT_NOOUT, '-', "Do not output REQ"},
|
---|
111 | {"verbose", OPT_VERBOSE, '-', "Verbose output"},
|
---|
112 | {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
|
---|
113 | {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
|
---|
114 | {"reqopt", OPT_REQOPT, 's', "Various request text options"},
|
---|
115 | {"text", OPT_TEXT, '-', "Text form of request"},
|
---|
116 | {"x509", OPT_X509, '-',
|
---|
117 | "Output a x509 structure instead of a cert request"},
|
---|
118 | {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
|
---|
119 | {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
|
---|
120 | {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
|
---|
121 | {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
|
---|
122 | "Enable support for multivalued RDNs"},
|
---|
123 | {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
|
---|
124 | {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
|
---|
125 | {"extensions", OPT_EXTENSIONS, 's',
|
---|
126 | "Cert extension section (override value in config file)"},
|
---|
127 | {"reqexts", OPT_REQEXTS, 's',
|
---|
128 | "Request extension section (override value in config file)"},
|
---|
129 | {"", OPT_MD, '-', "Any supported digest"},
|
---|
130 | #ifndef OPENSSL_NO_ENGINE
|
---|
131 | {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
---|
132 | {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
|
---|
133 | "Specify engine to be used for key generation operations"},
|
---|
134 | #endif
|
---|
135 | {NULL}
|
---|
136 | };
|
---|
137 |
|
---|
138 | int req_main(int argc, char **argv)
|
---|
139 | {
|
---|
140 | ASN1_INTEGER *serial = NULL;
|
---|
141 | BIO *in = NULL, *out = NULL;
|
---|
142 | ENGINE *e = NULL, *gen_eng = NULL;
|
---|
143 | EVP_PKEY *pkey = NULL;
|
---|
144 | EVP_PKEY_CTX *genctx = NULL;
|
---|
145 | STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
|
---|
146 | X509 *x509ss = NULL;
|
---|
147 | X509_REQ *req = NULL;
|
---|
148 | const EVP_CIPHER *cipher = NULL;
|
---|
149 | const EVP_MD *md_alg = NULL, *digest = NULL;
|
---|
150 | char *extensions = NULL, *infile = NULL;
|
---|
151 | char *outfile = NULL, *keyfile = NULL, *inrand = NULL;
|
---|
152 | char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
|
---|
153 | char *passin = NULL, *passout = NULL;
|
---|
154 | char *nofree_passin = NULL, *nofree_passout = NULL;
|
---|
155 | char *req_exts = NULL, *subj = NULL;
|
---|
156 | char *template = default_config_file, *keyout = NULL;
|
---|
157 | const char *keyalg = NULL;
|
---|
158 | OPTION_CHOICE o;
|
---|
159 | int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose = 0;
|
---|
160 | int pkey_type = -1, private = 0;
|
---|
161 | int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
|
---|
162 | int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
|
---|
163 | int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
|
---|
164 | long newkey = -1;
|
---|
165 | unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
|
---|
166 | char nmflag_set = 0;
|
---|
167 |
|
---|
168 | #ifndef OPENSSL_NO_DES
|
---|
169 | cipher = EVP_des_ede3_cbc();
|
---|
170 | #endif
|
---|
171 |
|
---|
172 | prog = opt_init(argc, argv, req_options);
|
---|
173 | while ((o = opt_next()) != OPT_EOF) {
|
---|
174 | switch (o) {
|
---|
175 | case OPT_EOF:
|
---|
176 | case OPT_ERR:
|
---|
177 | opthelp:
|
---|
178 | BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
---|
179 | goto end;
|
---|
180 | case OPT_HELP:
|
---|
181 | opt_help(req_options);
|
---|
182 | ret = 0;
|
---|
183 | goto end;
|
---|
184 | case OPT_INFORM:
|
---|
185 | if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
|
---|
186 | goto opthelp;
|
---|
187 | break;
|
---|
188 | case OPT_OUTFORM:
|
---|
189 | if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
|
---|
190 | goto opthelp;
|
---|
191 | break;
|
---|
192 | case OPT_ENGINE:
|
---|
193 | e = setup_engine(opt_arg(), 0);
|
---|
194 | break;
|
---|
195 | case OPT_KEYGEN_ENGINE:
|
---|
196 | #ifndef OPENSSL_NO_ENGINE
|
---|
197 | gen_eng = ENGINE_by_id(opt_arg());
|
---|
198 | if (gen_eng == NULL) {
|
---|
199 | BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
|
---|
200 | goto opthelp;
|
---|
201 | }
|
---|
202 | #endif
|
---|
203 | break;
|
---|
204 | case OPT_KEY:
|
---|
205 | keyfile = opt_arg();
|
---|
206 | break;
|
---|
207 | case OPT_PUBKEY:
|
---|
208 | pubkey = 1;
|
---|
209 | break;
|
---|
210 | case OPT_NEW:
|
---|
211 | newreq = 1;
|
---|
212 | break;
|
---|
213 | case OPT_CONFIG:
|
---|
214 | template = opt_arg();
|
---|
215 | break;
|
---|
216 | case OPT_KEYFORM:
|
---|
217 | if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
|
---|
218 | goto opthelp;
|
---|
219 | break;
|
---|
220 | case OPT_IN:
|
---|
221 | infile = opt_arg();
|
---|
222 | break;
|
---|
223 | case OPT_OUT:
|
---|
224 | outfile = opt_arg();
|
---|
225 | break;
|
---|
226 | case OPT_KEYOUT:
|
---|
227 | keyout = opt_arg();
|
---|
228 | break;
|
---|
229 | case OPT_PASSIN:
|
---|
230 | passargin = opt_arg();
|
---|
231 | break;
|
---|
232 | case OPT_PASSOUT:
|
---|
233 | passargout = opt_arg();
|
---|
234 | break;
|
---|
235 | case OPT_RAND:
|
---|
236 | inrand = opt_arg();
|
---|
237 | break;
|
---|
238 | case OPT_NEWKEY:
|
---|
239 | keyalg = opt_arg();
|
---|
240 | newreq = 1;
|
---|
241 | break;
|
---|
242 | case OPT_PKEYOPT:
|
---|
243 | if (!pkeyopts)
|
---|
244 | pkeyopts = sk_OPENSSL_STRING_new_null();
|
---|
245 | if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
|
---|
246 | goto opthelp;
|
---|
247 | break;
|
---|
248 | case OPT_SIGOPT:
|
---|
249 | if (!sigopts)
|
---|
250 | sigopts = sk_OPENSSL_STRING_new_null();
|
---|
251 | if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
|
---|
252 | goto opthelp;
|
---|
253 | break;
|
---|
254 | case OPT_BATCH:
|
---|
255 | batch = 1;
|
---|
256 | break;
|
---|
257 | case OPT_NEWHDR:
|
---|
258 | newhdr = 1;
|
---|
259 | break;
|
---|
260 | case OPT_MODULUS:
|
---|
261 | modulus = 1;
|
---|
262 | break;
|
---|
263 | case OPT_VERIFY:
|
---|
264 | verify = 1;
|
---|
265 | break;
|
---|
266 | case OPT_NODES:
|
---|
267 | nodes = 1;
|
---|
268 | break;
|
---|
269 | case OPT_NOOUT:
|
---|
270 | noout = 1;
|
---|
271 | break;
|
---|
272 | case OPT_VERBOSE:
|
---|
273 | verbose = 1;
|
---|
274 | break;
|
---|
275 | case OPT_UTF8:
|
---|
276 | chtype = MBSTRING_UTF8;
|
---|
277 | break;
|
---|
278 | case OPT_NAMEOPT:
|
---|
279 | nmflag_set = 1;
|
---|
280 | if (!set_name_ex(&nmflag, opt_arg()))
|
---|
281 | goto opthelp;
|
---|
282 | break;
|
---|
283 | case OPT_REQOPT:
|
---|
284 | if (!set_cert_ex(&reqflag, opt_arg()))
|
---|
285 | goto opthelp;
|
---|
286 | break;
|
---|
287 | case OPT_TEXT:
|
---|
288 | text = 1;
|
---|
289 | break;
|
---|
290 | case OPT_X509:
|
---|
291 | x509 = 1;
|
---|
292 | newreq = 1;
|
---|
293 | break;
|
---|
294 | case OPT_DAYS:
|
---|
295 | days = atoi(opt_arg());
|
---|
296 | break;
|
---|
297 | case OPT_SET_SERIAL:
|
---|
298 | if (serial != NULL) {
|
---|
299 | BIO_printf(bio_err, "Serial number supplied twice\n");
|
---|
300 | goto opthelp;
|
---|
301 | }
|
---|
302 | serial = s2i_ASN1_INTEGER(NULL, opt_arg());
|
---|
303 | if (serial == NULL)
|
---|
304 | goto opthelp;
|
---|
305 | break;
|
---|
306 | case OPT_SUBJECT:
|
---|
307 | subject = 1;
|
---|
308 | break;
|
---|
309 | case OPT_SUBJ:
|
---|
310 | subj = opt_arg();
|
---|
311 | break;
|
---|
312 | case OPT_MULTIVALUE_RDN:
|
---|
313 | multirdn = 1;
|
---|
314 | break;
|
---|
315 | case OPT_EXTENSIONS:
|
---|
316 | extensions = opt_arg();
|
---|
317 | break;
|
---|
318 | case OPT_REQEXTS:
|
---|
319 | req_exts = opt_arg();
|
---|
320 | break;
|
---|
321 | case OPT_MD:
|
---|
322 | if (!opt_md(opt_unknown(), &md_alg))
|
---|
323 | goto opthelp;
|
---|
324 | digest = md_alg;
|
---|
325 | break;
|
---|
326 | }
|
---|
327 | }
|
---|
328 | argc = opt_num_rest();
|
---|
329 | if (argc != 0)
|
---|
330 | goto opthelp;
|
---|
331 |
|
---|
332 | if (!nmflag_set)
|
---|
333 | nmflag = XN_FLAG_ONELINE;
|
---|
334 |
|
---|
335 | /* TODO: simplify this as pkey is still always NULL here */
|
---|
336 | private = newreq && (pkey == NULL) ? 1 : 0;
|
---|
337 |
|
---|
338 | if (!app_passwd(passargin, passargout, &passin, &passout)) {
|
---|
339 | BIO_printf(bio_err, "Error getting passwords\n");
|
---|
340 | goto end;
|
---|
341 | }
|
---|
342 |
|
---|
343 | if (verbose)
|
---|
344 | BIO_printf(bio_err, "Using configuration from %s\n", template);
|
---|
345 | req_conf = app_load_config(template);
|
---|
346 | if (template != default_config_file && !app_load_modules(req_conf))
|
---|
347 | goto end;
|
---|
348 |
|
---|
349 | if (req_conf != NULL) {
|
---|
350 | p = NCONF_get_string(req_conf, NULL, "oid_file");
|
---|
351 | if (p == NULL)
|
---|
352 | ERR_clear_error();
|
---|
353 | if (p != NULL) {
|
---|
354 | BIO *oid_bio;
|
---|
355 |
|
---|
356 | oid_bio = BIO_new_file(p, "r");
|
---|
357 | if (oid_bio == NULL) {
|
---|
358 | /*-
|
---|
359 | BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
|
---|
360 | ERR_print_errors(bio_err);
|
---|
361 | */
|
---|
362 | } else {
|
---|
363 | OBJ_create_objects(oid_bio);
|
---|
364 | BIO_free(oid_bio);
|
---|
365 | }
|
---|
366 | }
|
---|
367 | }
|
---|
368 | if (!add_oid_section(req_conf))
|
---|
369 | goto end;
|
---|
370 |
|
---|
371 | if (md_alg == NULL) {
|
---|
372 | p = NCONF_get_string(req_conf, SECTION, "default_md");
|
---|
373 | if (p == NULL)
|
---|
374 | ERR_clear_error();
|
---|
375 | else {
|
---|
376 | if (!opt_md(p, &md_alg))
|
---|
377 | goto opthelp;
|
---|
378 | digest = md_alg;
|
---|
379 | }
|
---|
380 | }
|
---|
381 |
|
---|
382 | if (!extensions) {
|
---|
383 | extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
|
---|
384 | if (!extensions)
|
---|
385 | ERR_clear_error();
|
---|
386 | }
|
---|
387 | if (extensions) {
|
---|
388 | /* Check syntax of file */
|
---|
389 | X509V3_CTX ctx;
|
---|
390 | X509V3_set_ctx_test(&ctx);
|
---|
391 | X509V3_set_nconf(&ctx, req_conf);
|
---|
392 | if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
|
---|
393 | BIO_printf(bio_err,
|
---|
394 | "Error Loading extension section %s\n", extensions);
|
---|
395 | goto end;
|
---|
396 | }
|
---|
397 | }
|
---|
398 |
|
---|
399 | if (passin == NULL) {
|
---|
400 | passin = nofree_passin =
|
---|
401 | NCONF_get_string(req_conf, SECTION, "input_password");
|
---|
402 | if (passin == NULL)
|
---|
403 | ERR_clear_error();
|
---|
404 | }
|
---|
405 |
|
---|
406 | if (passout == NULL) {
|
---|
407 | passout = nofree_passout =
|
---|
408 | NCONF_get_string(req_conf, SECTION, "output_password");
|
---|
409 | if (passout == NULL)
|
---|
410 | ERR_clear_error();
|
---|
411 | }
|
---|
412 |
|
---|
413 | p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
|
---|
414 | if (!p)
|
---|
415 | ERR_clear_error();
|
---|
416 |
|
---|
417 | if (p && !ASN1_STRING_set_default_mask_asc(p)) {
|
---|
418 | BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
|
---|
419 | goto end;
|
---|
420 | }
|
---|
421 |
|
---|
422 | if (chtype != MBSTRING_UTF8) {
|
---|
423 | p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
|
---|
424 | if (!p)
|
---|
425 | ERR_clear_error();
|
---|
426 | else if (strcmp(p, "yes") == 0)
|
---|
427 | chtype = MBSTRING_UTF8;
|
---|
428 | }
|
---|
429 |
|
---|
430 | if (!req_exts) {
|
---|
431 | req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
|
---|
432 | if (!req_exts)
|
---|
433 | ERR_clear_error();
|
---|
434 | }
|
---|
435 | if (req_exts) {
|
---|
436 | /* Check syntax of file */
|
---|
437 | X509V3_CTX ctx;
|
---|
438 | X509V3_set_ctx_test(&ctx);
|
---|
439 | X509V3_set_nconf(&ctx, req_conf);
|
---|
440 | if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
|
---|
441 | BIO_printf(bio_err,
|
---|
442 | "Error Loading request extension section %s\n",
|
---|
443 | req_exts);
|
---|
444 | goto end;
|
---|
445 | }
|
---|
446 | }
|
---|
447 |
|
---|
448 | if (keyfile != NULL) {
|
---|
449 | pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
|
---|
450 | if (!pkey) {
|
---|
451 | /* load_key() has already printed an appropriate message */
|
---|
452 | goto end;
|
---|
453 | } else {
|
---|
454 | char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
|
---|
455 | if (randfile == NULL)
|
---|
456 | ERR_clear_error();
|
---|
457 | app_RAND_load_file(randfile, 0);
|
---|
458 | }
|
---|
459 | }
|
---|
460 |
|
---|
461 | if (newreq && (pkey == NULL)) {
|
---|
462 | char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
|
---|
463 | if (randfile == NULL)
|
---|
464 | ERR_clear_error();
|
---|
465 | app_RAND_load_file(randfile, 0);
|
---|
466 | if (inrand)
|
---|
467 | app_RAND_load_files(inrand);
|
---|
468 |
|
---|
469 | if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
|
---|
470 | newkey = DEFAULT_KEY_LENGTH;
|
---|
471 | }
|
---|
472 |
|
---|
473 | if (keyalg) {
|
---|
474 | genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
|
---|
475 | &keyalgstr, gen_eng);
|
---|
476 | if (!genctx)
|
---|
477 | goto end;
|
---|
478 | }
|
---|
479 |
|
---|
480 | if (newkey < MIN_KEY_LENGTH
|
---|
481 | && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
|
---|
482 | BIO_printf(bio_err, "private key length is too short,\n");
|
---|
483 | BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
|
---|
484 | MIN_KEY_LENGTH, newkey);
|
---|
485 | goto end;
|
---|
486 | }
|
---|
487 |
|
---|
488 | if (!genctx) {
|
---|
489 | genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
|
---|
490 | &keyalgstr, gen_eng);
|
---|
491 | if (!genctx)
|
---|
492 | goto end;
|
---|
493 | }
|
---|
494 |
|
---|
495 | if (pkeyopts) {
|
---|
496 | char *genopt;
|
---|
497 | for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
|
---|
498 | genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
|
---|
499 | if (pkey_ctrl_string(genctx, genopt) <= 0) {
|
---|
500 | BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
|
---|
501 | ERR_print_errors(bio_err);
|
---|
502 | goto end;
|
---|
503 | }
|
---|
504 | }
|
---|
505 | }
|
---|
506 |
|
---|
507 | if (pkey_type == EVP_PKEY_EC) {
|
---|
508 | BIO_printf(bio_err, "Generating an EC private key\n");
|
---|
509 | } else {
|
---|
510 | BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
|
---|
511 | newkey, keyalgstr);
|
---|
512 | }
|
---|
513 |
|
---|
514 | EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
|
---|
515 | EVP_PKEY_CTX_set_app_data(genctx, bio_err);
|
---|
516 |
|
---|
517 | if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
|
---|
518 | BIO_puts(bio_err, "Error Generating Key\n");
|
---|
519 | goto end;
|
---|
520 | }
|
---|
521 |
|
---|
522 | EVP_PKEY_CTX_free(genctx);
|
---|
523 | genctx = NULL;
|
---|
524 |
|
---|
525 | app_RAND_write_file(randfile);
|
---|
526 |
|
---|
527 | if (keyout == NULL) {
|
---|
528 | keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
|
---|
529 | if (keyout == NULL)
|
---|
530 | ERR_clear_error();
|
---|
531 | }
|
---|
532 |
|
---|
533 | if (keyout == NULL)
|
---|
534 | BIO_printf(bio_err, "writing new private key to stdout\n");
|
---|
535 | else
|
---|
536 | BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
|
---|
537 | out = bio_open_owner(keyout, outformat, private);
|
---|
538 | if (out == NULL)
|
---|
539 | goto end;
|
---|
540 |
|
---|
541 | p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
|
---|
542 | if (p == NULL) {
|
---|
543 | ERR_clear_error();
|
---|
544 | p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
|
---|
545 | if (p == NULL)
|
---|
546 | ERR_clear_error();
|
---|
547 | }
|
---|
548 | if ((p != NULL) && (strcmp(p, "no") == 0))
|
---|
549 | cipher = NULL;
|
---|
550 | if (nodes)
|
---|
551 | cipher = NULL;
|
---|
552 |
|
---|
553 | i = 0;
|
---|
554 | loop:
|
---|
555 | assert(private);
|
---|
556 | if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
|
---|
557 | NULL, 0, NULL, passout)) {
|
---|
558 | if ((ERR_GET_REASON(ERR_peek_error()) ==
|
---|
559 | PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
|
---|
560 | ERR_clear_error();
|
---|
561 | i++;
|
---|
562 | goto loop;
|
---|
563 | }
|
---|
564 | goto end;
|
---|
565 | }
|
---|
566 | BIO_free(out);
|
---|
567 | out = NULL;
|
---|
568 | BIO_printf(bio_err, "-----\n");
|
---|
569 | }
|
---|
570 |
|
---|
571 | if (!newreq) {
|
---|
572 | in = bio_open_default(infile, 'r', informat);
|
---|
573 | if (in == NULL)
|
---|
574 | goto end;
|
---|
575 |
|
---|
576 | if (informat == FORMAT_ASN1)
|
---|
577 | req = d2i_X509_REQ_bio(in, NULL);
|
---|
578 | else
|
---|
579 | req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
|
---|
580 | if (req == NULL) {
|
---|
581 | BIO_printf(bio_err, "unable to load X509 request\n");
|
---|
582 | goto end;
|
---|
583 | }
|
---|
584 | }
|
---|
585 |
|
---|
586 | if (newreq) {
|
---|
587 | if (pkey == NULL) {
|
---|
588 | BIO_printf(bio_err, "you need to specify a private key\n");
|
---|
589 | goto end;
|
---|
590 | }
|
---|
591 |
|
---|
592 | if (req == NULL) {
|
---|
593 | req = X509_REQ_new();
|
---|
594 | if (req == NULL) {
|
---|
595 | goto end;
|
---|
596 | }
|
---|
597 |
|
---|
598 | i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
|
---|
599 | subj = NULL; /* done processing '-subj' option */
|
---|
600 | if (!i) {
|
---|
601 | BIO_printf(bio_err, "problems making Certificate Request\n");
|
---|
602 | goto end;
|
---|
603 | }
|
---|
604 | }
|
---|
605 | if (x509) {
|
---|
606 | EVP_PKEY *tmppkey;
|
---|
607 | X509V3_CTX ext_ctx;
|
---|
608 | if ((x509ss = X509_new()) == NULL)
|
---|
609 | goto end;
|
---|
610 |
|
---|
611 | /* Set version to V3 */
|
---|
612 | if (extensions && !X509_set_version(x509ss, 2))
|
---|
613 | goto end;
|
---|
614 | if (serial) {
|
---|
615 | if (!X509_set_serialNumber(x509ss, serial))
|
---|
616 | goto end;
|
---|
617 | } else {
|
---|
618 | if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
|
---|
619 | goto end;
|
---|
620 | }
|
---|
621 |
|
---|
622 | if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
|
---|
623 | goto end;
|
---|
624 | if (!set_cert_times(x509ss, NULL, NULL, days))
|
---|
625 | goto end;
|
---|
626 | if (!X509_set_subject_name
|
---|
627 | (x509ss, X509_REQ_get_subject_name(req)))
|
---|
628 | goto end;
|
---|
629 | tmppkey = X509_REQ_get0_pubkey(req);
|
---|
630 | if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
|
---|
631 | goto end;
|
---|
632 |
|
---|
633 | /* Set up V3 context struct */
|
---|
634 |
|
---|
635 | X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
|
---|
636 | X509V3_set_nconf(&ext_ctx, req_conf);
|
---|
637 |
|
---|
638 | /* Add extensions */
|
---|
639 | if (extensions && !X509V3_EXT_add_nconf(req_conf,
|
---|
640 | &ext_ctx, extensions,
|
---|
641 | x509ss)) {
|
---|
642 | BIO_printf(bio_err, "Error Loading extension section %s\n",
|
---|
643 | extensions);
|
---|
644 | goto end;
|
---|
645 | }
|
---|
646 |
|
---|
647 | i = do_X509_sign(x509ss, pkey, digest, sigopts);
|
---|
648 | if (!i) {
|
---|
649 | ERR_print_errors(bio_err);
|
---|
650 | goto end;
|
---|
651 | }
|
---|
652 | } else {
|
---|
653 | X509V3_CTX ext_ctx;
|
---|
654 |
|
---|
655 | /* Set up V3 context struct */
|
---|
656 |
|
---|
657 | X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
|
---|
658 | X509V3_set_nconf(&ext_ctx, req_conf);
|
---|
659 |
|
---|
660 | /* Add extensions */
|
---|
661 | if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
|
---|
662 | &ext_ctx, req_exts,
|
---|
663 | req)) {
|
---|
664 | BIO_printf(bio_err, "Error Loading extension section %s\n",
|
---|
665 | req_exts);
|
---|
666 | goto end;
|
---|
667 | }
|
---|
668 | i = do_X509_REQ_sign(req, pkey, digest, sigopts);
|
---|
669 | if (!i) {
|
---|
670 | ERR_print_errors(bio_err);
|
---|
671 | goto end;
|
---|
672 | }
|
---|
673 | }
|
---|
674 | }
|
---|
675 |
|
---|
676 | if (subj && x509) {
|
---|
677 | BIO_printf(bio_err, "Cannot modify certificate subject\n");
|
---|
678 | goto end;
|
---|
679 | }
|
---|
680 |
|
---|
681 | if (subj && !x509) {
|
---|
682 | if (verbose) {
|
---|
683 | BIO_printf(bio_err, "Modifying Request's Subject\n");
|
---|
684 | print_name(bio_err, "old subject=",
|
---|
685 | X509_REQ_get_subject_name(req), nmflag);
|
---|
686 | }
|
---|
687 |
|
---|
688 | if (build_subject(req, subj, chtype, multirdn) == 0) {
|
---|
689 | BIO_printf(bio_err, "ERROR: cannot modify subject\n");
|
---|
690 | ret = 1;
|
---|
691 | goto end;
|
---|
692 | }
|
---|
693 |
|
---|
694 | if (verbose) {
|
---|
695 | print_name(bio_err, "new subject=",
|
---|
696 | X509_REQ_get_subject_name(req), nmflag);
|
---|
697 | }
|
---|
698 | }
|
---|
699 |
|
---|
700 | if (verify && !x509) {
|
---|
701 | EVP_PKEY *tpubkey = pkey;
|
---|
702 |
|
---|
703 | if (tpubkey == NULL) {
|
---|
704 | tpubkey = X509_REQ_get0_pubkey(req);
|
---|
705 | if (tpubkey == NULL)
|
---|
706 | goto end;
|
---|
707 | }
|
---|
708 |
|
---|
709 | i = X509_REQ_verify(req, tpubkey);
|
---|
710 |
|
---|
711 | if (i < 0) {
|
---|
712 | goto end;
|
---|
713 | } else if (i == 0) {
|
---|
714 | BIO_printf(bio_err, "verify failure\n");
|
---|
715 | ERR_print_errors(bio_err);
|
---|
716 | } else /* if (i > 0) */
|
---|
717 | BIO_printf(bio_err, "verify OK\n");
|
---|
718 | }
|
---|
719 |
|
---|
720 | if (noout && !text && !modulus && !subject && !pubkey) {
|
---|
721 | ret = 0;
|
---|
722 | goto end;
|
---|
723 | }
|
---|
724 |
|
---|
725 | out = bio_open_default(outfile,
|
---|
726 | keyout != NULL && outfile != NULL &&
|
---|
727 | strcmp(keyout, outfile) == 0 ? 'a' : 'w',
|
---|
728 | outformat);
|
---|
729 | if (out == NULL)
|
---|
730 | goto end;
|
---|
731 |
|
---|
732 | if (pubkey) {
|
---|
733 | EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req);
|
---|
734 |
|
---|
735 | if (tpubkey == NULL) {
|
---|
736 | BIO_printf(bio_err, "Error getting public key\n");
|
---|
737 | ERR_print_errors(bio_err);
|
---|
738 | goto end;
|
---|
739 | }
|
---|
740 | PEM_write_bio_PUBKEY(out, tpubkey);
|
---|
741 | }
|
---|
742 |
|
---|
743 | if (text) {
|
---|
744 | if (x509)
|
---|
745 | X509_print_ex(out, x509ss, nmflag, reqflag);
|
---|
746 | else
|
---|
747 | X509_REQ_print_ex(out, req, nmflag, reqflag);
|
---|
748 | }
|
---|
749 |
|
---|
750 | if (subject) {
|
---|
751 | if (x509)
|
---|
752 | print_name(out, "subject=", X509_get_subject_name(x509ss),
|
---|
753 | nmflag);
|
---|
754 | else
|
---|
755 | print_name(out, "subject=", X509_REQ_get_subject_name(req),
|
---|
756 | nmflag);
|
---|
757 | }
|
---|
758 |
|
---|
759 | if (modulus) {
|
---|
760 | EVP_PKEY *tpubkey;
|
---|
761 |
|
---|
762 | if (x509)
|
---|
763 | tpubkey = X509_get0_pubkey(x509ss);
|
---|
764 | else
|
---|
765 | tpubkey = X509_REQ_get0_pubkey(req);
|
---|
766 | if (tpubkey == NULL) {
|
---|
767 | fprintf(stdout, "Modulus=unavailable\n");
|
---|
768 | goto end;
|
---|
769 | }
|
---|
770 | fprintf(stdout, "Modulus=");
|
---|
771 | #ifndef OPENSSL_NO_RSA
|
---|
772 | if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
|
---|
773 | const BIGNUM *n;
|
---|
774 | RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
|
---|
775 | BN_print(out, n);
|
---|
776 | } else
|
---|
777 | #endif
|
---|
778 | fprintf(stdout, "Wrong Algorithm type");
|
---|
779 | fprintf(stdout, "\n");
|
---|
780 | }
|
---|
781 |
|
---|
782 | if (!noout && !x509) {
|
---|
783 | if (outformat == FORMAT_ASN1)
|
---|
784 | i = i2d_X509_REQ_bio(out, req);
|
---|
785 | else if (newhdr)
|
---|
786 | i = PEM_write_bio_X509_REQ_NEW(out, req);
|
---|
787 | else
|
---|
788 | i = PEM_write_bio_X509_REQ(out, req);
|
---|
789 | if (!i) {
|
---|
790 | BIO_printf(bio_err, "unable to write X509 request\n");
|
---|
791 | goto end;
|
---|
792 | }
|
---|
793 | }
|
---|
794 | if (!noout && x509 && (x509ss != NULL)) {
|
---|
795 | if (outformat == FORMAT_ASN1)
|
---|
796 | i = i2d_X509_bio(out, x509ss);
|
---|
797 | else
|
---|
798 | i = PEM_write_bio_X509(out, x509ss);
|
---|
799 | if (!i) {
|
---|
800 | BIO_printf(bio_err, "unable to write X509 certificate\n");
|
---|
801 | goto end;
|
---|
802 | }
|
---|
803 | }
|
---|
804 | ret = 0;
|
---|
805 | end:
|
---|
806 | if (ret) {
|
---|
807 | ERR_print_errors(bio_err);
|
---|
808 | }
|
---|
809 | NCONF_free(req_conf);
|
---|
810 | BIO_free(in);
|
---|
811 | BIO_free_all(out);
|
---|
812 | EVP_PKEY_free(pkey);
|
---|
813 | EVP_PKEY_CTX_free(genctx);
|
---|
814 | sk_OPENSSL_STRING_free(pkeyopts);
|
---|
815 | sk_OPENSSL_STRING_free(sigopts);
|
---|
816 | #ifndef OPENSSL_NO_ENGINE
|
---|
817 | ENGINE_free(gen_eng);
|
---|
818 | #endif
|
---|
819 | OPENSSL_free(keyalgstr);
|
---|
820 | X509_REQ_free(req);
|
---|
821 | X509_free(x509ss);
|
---|
822 | ASN1_INTEGER_free(serial);
|
---|
823 | release_engine(e);
|
---|
824 | if (passin != nofree_passin)
|
---|
825 | OPENSSL_free(passin);
|
---|
826 | if (passout != nofree_passout)
|
---|
827 | OPENSSL_free(passout);
|
---|
828 | return (ret);
|
---|
829 | }
|
---|
830 |
|
---|
831 | static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
|
---|
832 | int attribs, unsigned long chtype)
|
---|
833 | {
|
---|
834 | int ret = 0, i;
|
---|
835 | char no_prompt = 0;
|
---|
836 | STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
|
---|
837 | char *tmp, *dn_sect, *attr_sect;
|
---|
838 |
|
---|
839 | tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
|
---|
840 | if (tmp == NULL)
|
---|
841 | ERR_clear_error();
|
---|
842 | if ((tmp != NULL) && strcmp(tmp, "no") == 0)
|
---|
843 | no_prompt = 1;
|
---|
844 |
|
---|
845 | dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
|
---|
846 | if (dn_sect == NULL) {
|
---|
847 | BIO_printf(bio_err, "unable to find '%s' in config\n",
|
---|
848 | DISTINGUISHED_NAME);
|
---|
849 | goto err;
|
---|
850 | }
|
---|
851 | dn_sk = NCONF_get_section(req_conf, dn_sect);
|
---|
852 | if (dn_sk == NULL) {
|
---|
853 | BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
|
---|
854 | goto err;
|
---|
855 | }
|
---|
856 |
|
---|
857 | attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
|
---|
858 | if (attr_sect == NULL) {
|
---|
859 | ERR_clear_error();
|
---|
860 | attr_sk = NULL;
|
---|
861 | } else {
|
---|
862 | attr_sk = NCONF_get_section(req_conf, attr_sect);
|
---|
863 | if (attr_sk == NULL) {
|
---|
864 | BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
|
---|
865 | goto err;
|
---|
866 | }
|
---|
867 | }
|
---|
868 |
|
---|
869 | /* setup version number */
|
---|
870 | if (!X509_REQ_set_version(req, 0L))
|
---|
871 | goto err; /* version 1 */
|
---|
872 |
|
---|
873 | if (subj)
|
---|
874 | i = build_subject(req, subj, chtype, multirdn);
|
---|
875 | else if (no_prompt)
|
---|
876 | i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
|
---|
877 | else
|
---|
878 | i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
|
---|
879 | chtype);
|
---|
880 | if (!i)
|
---|
881 | goto err;
|
---|
882 |
|
---|
883 | if (!X509_REQ_set_pubkey(req, pkey))
|
---|
884 | goto err;
|
---|
885 |
|
---|
886 | ret = 1;
|
---|
887 | err:
|
---|
888 | return (ret);
|
---|
889 | }
|
---|
890 |
|
---|
891 | /*
|
---|
892 | * subject is expected to be in the format /type0=value0/type1=value1/type2=...
|
---|
893 | * where characters may be escaped by \
|
---|
894 | */
|
---|
895 | static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
|
---|
896 | int multirdn)
|
---|
897 | {
|
---|
898 | X509_NAME *n;
|
---|
899 |
|
---|
900 | if ((n = parse_name(subject, chtype, multirdn)) == NULL)
|
---|
901 | return 0;
|
---|
902 |
|
---|
903 | if (!X509_REQ_set_subject_name(req, n)) {
|
---|
904 | X509_NAME_free(n);
|
---|
905 | return 0;
|
---|
906 | }
|
---|
907 | X509_NAME_free(n);
|
---|
908 | return 1;
|
---|
909 | }
|
---|
910 |
|
---|
911 | static int prompt_info(X509_REQ *req,
|
---|
912 | STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
|
---|
913 | STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
|
---|
914 | int attribs, unsigned long chtype)
|
---|
915 | {
|
---|
916 | int i;
|
---|
917 | char *p, *q;
|
---|
918 | char buf[100];
|
---|
919 | int nid, mval;
|
---|
920 | long n_min, n_max;
|
---|
921 | char *type, *value;
|
---|
922 | const char *def;
|
---|
923 | CONF_VALUE *v;
|
---|
924 | X509_NAME *subj;
|
---|
925 | subj = X509_REQ_get_subject_name(req);
|
---|
926 |
|
---|
927 | if (!batch) {
|
---|
928 | BIO_printf(bio_err,
|
---|
929 | "You are about to be asked to enter information that will be incorporated\n");
|
---|
930 | BIO_printf(bio_err, "into your certificate request.\n");
|
---|
931 | BIO_printf(bio_err,
|
---|
932 | "What you are about to enter is what is called a Distinguished Name or a DN.\n");
|
---|
933 | BIO_printf(bio_err,
|
---|
934 | "There are quite a few fields but you can leave some blank\n");
|
---|
935 | BIO_printf(bio_err,
|
---|
936 | "For some fields there will be a default value,\n");
|
---|
937 | BIO_printf(bio_err,
|
---|
938 | "If you enter '.', the field will be left blank.\n");
|
---|
939 | BIO_printf(bio_err, "-----\n");
|
---|
940 | }
|
---|
941 |
|
---|
942 | if (sk_CONF_VALUE_num(dn_sk)) {
|
---|
943 | i = -1;
|
---|
944 | start:for (;;) {
|
---|
945 | i++;
|
---|
946 | if (sk_CONF_VALUE_num(dn_sk) <= i)
|
---|
947 | break;
|
---|
948 |
|
---|
949 | v = sk_CONF_VALUE_value(dn_sk, i);
|
---|
950 | p = q = NULL;
|
---|
951 | type = v->name;
|
---|
952 | if (!check_end(type, "_min") || !check_end(type, "_max") ||
|
---|
953 | !check_end(type, "_default") || !check_end(type, "_value"))
|
---|
954 | continue;
|
---|
955 | /*
|
---|
956 | * Skip past any leading X. X: X, etc to allow for multiple
|
---|
957 | * instances
|
---|
958 | */
|
---|
959 | for (p = v->name; *p; p++)
|
---|
960 | if ((*p == ':') || (*p == ',') || (*p == '.')) {
|
---|
961 | p++;
|
---|
962 | if (*p)
|
---|
963 | type = p;
|
---|
964 | break;
|
---|
965 | }
|
---|
966 | if (*type == '+') {
|
---|
967 | mval = -1;
|
---|
968 | type++;
|
---|
969 | } else
|
---|
970 | mval = 0;
|
---|
971 | /* If OBJ not recognised ignore it */
|
---|
972 | if ((nid = OBJ_txt2nid(type)) == NID_undef)
|
---|
973 | goto start;
|
---|
974 | if (BIO_snprintf(buf, sizeof buf, "%s_default", v->name)
|
---|
975 | >= (int)sizeof(buf)) {
|
---|
976 | BIO_printf(bio_err, "Name '%s' too long\n", v->name);
|
---|
977 | return 0;
|
---|
978 | }
|
---|
979 |
|
---|
980 | if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
|
---|
981 | ERR_clear_error();
|
---|
982 | def = "";
|
---|
983 | }
|
---|
984 |
|
---|
985 | BIO_snprintf(buf, sizeof buf, "%s_value", v->name);
|
---|
986 | if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
|
---|
987 | ERR_clear_error();
|
---|
988 | value = NULL;
|
---|
989 | }
|
---|
990 |
|
---|
991 | BIO_snprintf(buf, sizeof buf, "%s_min", v->name);
|
---|
992 | if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
|
---|
993 | ERR_clear_error();
|
---|
994 | n_min = -1;
|
---|
995 | }
|
---|
996 |
|
---|
997 | BIO_snprintf(buf, sizeof buf, "%s_max", v->name);
|
---|
998 | if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
|
---|
999 | ERR_clear_error();
|
---|
1000 | n_max = -1;
|
---|
1001 | }
|
---|
1002 |
|
---|
1003 | if (!add_DN_object(subj, v->value, def, value, nid,
|
---|
1004 | n_min, n_max, chtype, mval))
|
---|
1005 | return 0;
|
---|
1006 | }
|
---|
1007 | if (X509_NAME_entry_count(subj) == 0) {
|
---|
1008 | BIO_printf(bio_err,
|
---|
1009 | "error, no objects specified in config file\n");
|
---|
1010 | return 0;
|
---|
1011 | }
|
---|
1012 |
|
---|
1013 | if (attribs) {
|
---|
1014 | if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
|
---|
1015 | && (!batch)) {
|
---|
1016 | BIO_printf(bio_err,
|
---|
1017 | "\nPlease enter the following 'extra' attributes\n");
|
---|
1018 | BIO_printf(bio_err,
|
---|
1019 | "to be sent with your certificate request\n");
|
---|
1020 | }
|
---|
1021 |
|
---|
1022 | i = -1;
|
---|
1023 | start2: for (;;) {
|
---|
1024 | i++;
|
---|
1025 | if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
|
---|
1026 | break;
|
---|
1027 |
|
---|
1028 | v = sk_CONF_VALUE_value(attr_sk, i);
|
---|
1029 | type = v->name;
|
---|
1030 | if ((nid = OBJ_txt2nid(type)) == NID_undef)
|
---|
1031 | goto start2;
|
---|
1032 |
|
---|
1033 | if (BIO_snprintf(buf, sizeof buf, "%s_default", type)
|
---|
1034 | >= (int)sizeof(buf)) {
|
---|
1035 | BIO_printf(bio_err, "Name '%s' too long\n", v->name);
|
---|
1036 | return 0;
|
---|
1037 | }
|
---|
1038 |
|
---|
1039 | if ((def = NCONF_get_string(req_conf, attr_sect, buf))
|
---|
1040 | == NULL) {
|
---|
1041 | ERR_clear_error();
|
---|
1042 | def = "";
|
---|
1043 | }
|
---|
1044 |
|
---|
1045 | BIO_snprintf(buf, sizeof buf, "%s_value", type);
|
---|
1046 | if ((value = NCONF_get_string(req_conf, attr_sect, buf))
|
---|
1047 | == NULL) {
|
---|
1048 | ERR_clear_error();
|
---|
1049 | value = NULL;
|
---|
1050 | }
|
---|
1051 |
|
---|
1052 | BIO_snprintf(buf, sizeof buf, "%s_min", type);
|
---|
1053 | if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
|
---|
1054 | ERR_clear_error();
|
---|
1055 | n_min = -1;
|
---|
1056 | }
|
---|
1057 |
|
---|
1058 | BIO_snprintf(buf, sizeof buf, "%s_max", type);
|
---|
1059 | if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
|
---|
1060 | ERR_clear_error();
|
---|
1061 | n_max = -1;
|
---|
1062 | }
|
---|
1063 |
|
---|
1064 | if (!add_attribute_object(req,
|
---|
1065 | v->value, def, value, nid, n_min,
|
---|
1066 | n_max, chtype))
|
---|
1067 | return 0;
|
---|
1068 | }
|
---|
1069 | }
|
---|
1070 | } else {
|
---|
1071 | BIO_printf(bio_err, "No template, please set one up.\n");
|
---|
1072 | return 0;
|
---|
1073 | }
|
---|
1074 |
|
---|
1075 | return 1;
|
---|
1076 |
|
---|
1077 | }
|
---|
1078 |
|
---|
1079 | static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
|
---|
1080 | STACK_OF(CONF_VALUE) *attr_sk, int attribs,
|
---|
1081 | unsigned long chtype)
|
---|
1082 | {
|
---|
1083 | int i, spec_char, plus_char;
|
---|
1084 | char *p, *q;
|
---|
1085 | char *type;
|
---|
1086 | CONF_VALUE *v;
|
---|
1087 | X509_NAME *subj;
|
---|
1088 |
|
---|
1089 | subj = X509_REQ_get_subject_name(req);
|
---|
1090 |
|
---|
1091 | for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
|
---|
1092 | int mval;
|
---|
1093 | v = sk_CONF_VALUE_value(dn_sk, i);
|
---|
1094 | p = q = NULL;
|
---|
1095 | type = v->name;
|
---|
1096 | /*
|
---|
1097 | * Skip past any leading X. X: X, etc to allow for multiple instances
|
---|
1098 | */
|
---|
1099 | for (p = v->name; *p; p++) {
|
---|
1100 | #ifndef CHARSET_EBCDIC
|
---|
1101 | spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
|
---|
1102 | #else
|
---|
1103 | spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
|
---|
1104 | || (*p == os_toascii['.']));
|
---|
1105 | #endif
|
---|
1106 | if (spec_char) {
|
---|
1107 | p++;
|
---|
1108 | if (*p)
|
---|
1109 | type = p;
|
---|
1110 | break;
|
---|
1111 | }
|
---|
1112 | }
|
---|
1113 | #ifndef CHARSET_EBCDIC
|
---|
1114 | plus_char = (*type == '+');
|
---|
1115 | #else
|
---|
1116 | plus_char = (*type == os_toascii['+']);
|
---|
1117 | #endif
|
---|
1118 | if (plus_char) {
|
---|
1119 | type++;
|
---|
1120 | mval = -1;
|
---|
1121 | } else
|
---|
1122 | mval = 0;
|
---|
1123 | if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
|
---|
1124 | (unsigned char *)v->value, -1, -1,
|
---|
1125 | mval))
|
---|
1126 | return 0;
|
---|
1127 |
|
---|
1128 | }
|
---|
1129 |
|
---|
1130 | if (!X509_NAME_entry_count(subj)) {
|
---|
1131 | BIO_printf(bio_err, "error, no objects specified in config file\n");
|
---|
1132 | return 0;
|
---|
1133 | }
|
---|
1134 | if (attribs) {
|
---|
1135 | for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
|
---|
1136 | v = sk_CONF_VALUE_value(attr_sk, i);
|
---|
1137 | if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
|
---|
1138 | (unsigned char *)v->value, -1))
|
---|
1139 | return 0;
|
---|
1140 | }
|
---|
1141 | }
|
---|
1142 | return 1;
|
---|
1143 | }
|
---|
1144 |
|
---|
1145 | static int add_DN_object(X509_NAME *n, char *text, const char *def,
|
---|
1146 | char *value, int nid, int n_min, int n_max,
|
---|
1147 | unsigned long chtype, int mval)
|
---|
1148 | {
|
---|
1149 | int i, ret = 0;
|
---|
1150 | char buf[1024];
|
---|
1151 | start:
|
---|
1152 | if (!batch)
|
---|
1153 | BIO_printf(bio_err, "%s [%s]:", text, def);
|
---|
1154 | (void)BIO_flush(bio_err);
|
---|
1155 | if (value != NULL) {
|
---|
1156 | OPENSSL_strlcpy(buf, value, sizeof buf);
|
---|
1157 | OPENSSL_strlcat(buf, "\n", sizeof buf);
|
---|
1158 | BIO_printf(bio_err, "%s\n", value);
|
---|
1159 | } else {
|
---|
1160 | buf[0] = '\0';
|
---|
1161 | if (!batch) {
|
---|
1162 | if (!fgets(buf, sizeof buf, stdin))
|
---|
1163 | return 0;
|
---|
1164 | } else {
|
---|
1165 | buf[0] = '\n';
|
---|
1166 | buf[1] = '\0';
|
---|
1167 | }
|
---|
1168 | }
|
---|
1169 |
|
---|
1170 | if (buf[0] == '\0')
|
---|
1171 | return (0);
|
---|
1172 | else if (buf[0] == '\n') {
|
---|
1173 | if ((def == NULL) || (def[0] == '\0'))
|
---|
1174 | return (1);
|
---|
1175 | OPENSSL_strlcpy(buf, def, sizeof buf);
|
---|
1176 | OPENSSL_strlcat(buf, "\n", sizeof buf);
|
---|
1177 | } else if ((buf[0] == '.') && (buf[1] == '\n'))
|
---|
1178 | return (1);
|
---|
1179 |
|
---|
1180 | i = strlen(buf);
|
---|
1181 | if (buf[i - 1] != '\n') {
|
---|
1182 | BIO_printf(bio_err, "weird input :-(\n");
|
---|
1183 | return (0);
|
---|
1184 | }
|
---|
1185 | buf[--i] = '\0';
|
---|
1186 | #ifdef CHARSET_EBCDIC
|
---|
1187 | ebcdic2ascii(buf, buf, i);
|
---|
1188 | #endif
|
---|
1189 | if (!req_check_len(i, n_min, n_max)) {
|
---|
1190 | if (batch || value)
|
---|
1191 | return 0;
|
---|
1192 | goto start;
|
---|
1193 | }
|
---|
1194 |
|
---|
1195 | if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
|
---|
1196 | (unsigned char *)buf, -1, -1, mval))
|
---|
1197 | goto err;
|
---|
1198 | ret = 1;
|
---|
1199 | err:
|
---|
1200 | return (ret);
|
---|
1201 | }
|
---|
1202 |
|
---|
1203 | static int add_attribute_object(X509_REQ *req, char *text, const char *def,
|
---|
1204 | char *value, int nid, int n_min,
|
---|
1205 | int n_max, unsigned long chtype)
|
---|
1206 | {
|
---|
1207 | int i;
|
---|
1208 | static char buf[1024];
|
---|
1209 |
|
---|
1210 | start:
|
---|
1211 | if (!batch)
|
---|
1212 | BIO_printf(bio_err, "%s [%s]:", text, def);
|
---|
1213 | (void)BIO_flush(bio_err);
|
---|
1214 | if (value != NULL) {
|
---|
1215 | OPENSSL_strlcpy(buf, value, sizeof buf);
|
---|
1216 | OPENSSL_strlcat(buf, "\n", sizeof buf);
|
---|
1217 | BIO_printf(bio_err, "%s\n", value);
|
---|
1218 | } else {
|
---|
1219 | buf[0] = '\0';
|
---|
1220 | if (!batch) {
|
---|
1221 | if (!fgets(buf, sizeof buf, stdin))
|
---|
1222 | return 0;
|
---|
1223 | } else {
|
---|
1224 | buf[0] = '\n';
|
---|
1225 | buf[1] = '\0';
|
---|
1226 | }
|
---|
1227 | }
|
---|
1228 |
|
---|
1229 | if (buf[0] == '\0')
|
---|
1230 | return (0);
|
---|
1231 | else if (buf[0] == '\n') {
|
---|
1232 | if ((def == NULL) || (def[0] == '\0'))
|
---|
1233 | return (1);
|
---|
1234 | OPENSSL_strlcpy(buf, def, sizeof buf);
|
---|
1235 | OPENSSL_strlcat(buf, "\n", sizeof buf);
|
---|
1236 | } else if ((buf[0] == '.') && (buf[1] == '\n'))
|
---|
1237 | return (1);
|
---|
1238 |
|
---|
1239 | i = strlen(buf);
|
---|
1240 | if (buf[i - 1] != '\n') {
|
---|
1241 | BIO_printf(bio_err, "weird input :-(\n");
|
---|
1242 | return (0);
|
---|
1243 | }
|
---|
1244 | buf[--i] = '\0';
|
---|
1245 | #ifdef CHARSET_EBCDIC
|
---|
1246 | ebcdic2ascii(buf, buf, i);
|
---|
1247 | #endif
|
---|
1248 | if (!req_check_len(i, n_min, n_max)) {
|
---|
1249 | if (batch || value)
|
---|
1250 | return 0;
|
---|
1251 | goto start;
|
---|
1252 | }
|
---|
1253 |
|
---|
1254 | if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
|
---|
1255 | (unsigned char *)buf, -1)) {
|
---|
1256 | BIO_printf(bio_err, "Error adding attribute\n");
|
---|
1257 | ERR_print_errors(bio_err);
|
---|
1258 | goto err;
|
---|
1259 | }
|
---|
1260 |
|
---|
1261 | return (1);
|
---|
1262 | err:
|
---|
1263 | return (0);
|
---|
1264 | }
|
---|
1265 |
|
---|
1266 | static int req_check_len(int len, int n_min, int n_max)
|
---|
1267 | {
|
---|
1268 | if ((n_min > 0) && (len < n_min)) {
|
---|
1269 | BIO_printf(bio_err,
|
---|
1270 | "string is too short, it needs to be at least %d bytes long\n",
|
---|
1271 | n_min);
|
---|
1272 | return (0);
|
---|
1273 | }
|
---|
1274 | if ((n_max >= 0) && (len > n_max)) {
|
---|
1275 | BIO_printf(bio_err,
|
---|
1276 | "string is too long, it needs to be less than %d bytes long\n",
|
---|
1277 | n_max);
|
---|
1278 | return (0);
|
---|
1279 | }
|
---|
1280 | return (1);
|
---|
1281 | }
|
---|
1282 |
|
---|
1283 | /* Check if the end of a string matches 'end' */
|
---|
1284 | static int check_end(const char *str, const char *end)
|
---|
1285 | {
|
---|
1286 | int elen, slen;
|
---|
1287 | const char *tmp;
|
---|
1288 | elen = strlen(end);
|
---|
1289 | slen = strlen(str);
|
---|
1290 | if (elen > slen)
|
---|
1291 | return 1;
|
---|
1292 | tmp = str + slen - elen;
|
---|
1293 | return strcmp(tmp, end);
|
---|
1294 | }
|
---|
1295 |
|
---|
1296 | static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
|
---|
1297 | int *pkey_type, long *pkeylen,
|
---|
1298 | char **palgnam, ENGINE *keygen_engine)
|
---|
1299 | {
|
---|
1300 | EVP_PKEY_CTX *gctx = NULL;
|
---|
1301 | EVP_PKEY *param = NULL;
|
---|
1302 | long keylen = -1;
|
---|
1303 | BIO *pbio = NULL;
|
---|
1304 | const char *paramfile = NULL;
|
---|
1305 |
|
---|
1306 | if (gstr == NULL) {
|
---|
1307 | *pkey_type = EVP_PKEY_RSA;
|
---|
1308 | keylen = *pkeylen;
|
---|
1309 | } else if (gstr[0] >= '0' && gstr[0] <= '9') {
|
---|
1310 | *pkey_type = EVP_PKEY_RSA;
|
---|
1311 | keylen = atol(gstr);
|
---|
1312 | *pkeylen = keylen;
|
---|
1313 | } else if (strncmp(gstr, "param:", 6) == 0)
|
---|
1314 | paramfile = gstr + 6;
|
---|
1315 | else {
|
---|
1316 | const char *p = strchr(gstr, ':');
|
---|
1317 | int len;
|
---|
1318 | ENGINE *tmpeng;
|
---|
1319 | const EVP_PKEY_ASN1_METHOD *ameth;
|
---|
1320 |
|
---|
1321 | if (p)
|
---|
1322 | len = p - gstr;
|
---|
1323 | else
|
---|
1324 | len = strlen(gstr);
|
---|
1325 | /*
|
---|
1326 | * The lookup of a the string will cover all engines so keep a note
|
---|
1327 | * of the implementation.
|
---|
1328 | */
|
---|
1329 |
|
---|
1330 | ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
|
---|
1331 |
|
---|
1332 | if (!ameth) {
|
---|
1333 | BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
|
---|
1334 | return NULL;
|
---|
1335 | }
|
---|
1336 |
|
---|
1337 | EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
|
---|
1338 | #ifndef OPENSSL_NO_ENGINE
|
---|
1339 | ENGINE_finish(tmpeng);
|
---|
1340 | #endif
|
---|
1341 | if (*pkey_type == EVP_PKEY_RSA) {
|
---|
1342 | if (p) {
|
---|
1343 | keylen = atol(p + 1);
|
---|
1344 | *pkeylen = keylen;
|
---|
1345 | } else
|
---|
1346 | keylen = *pkeylen;
|
---|
1347 | } else if (p)
|
---|
1348 | paramfile = p + 1;
|
---|
1349 | }
|
---|
1350 |
|
---|
1351 | if (paramfile) {
|
---|
1352 | pbio = BIO_new_file(paramfile, "r");
|
---|
1353 | if (!pbio) {
|
---|
1354 | BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
|
---|
1355 | return NULL;
|
---|
1356 | }
|
---|
1357 | param = PEM_read_bio_Parameters(pbio, NULL);
|
---|
1358 |
|
---|
1359 | if (!param) {
|
---|
1360 | X509 *x;
|
---|
1361 | (void)BIO_reset(pbio);
|
---|
1362 | x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
|
---|
1363 | if (x) {
|
---|
1364 | param = X509_get_pubkey(x);
|
---|
1365 | X509_free(x);
|
---|
1366 | }
|
---|
1367 | }
|
---|
1368 |
|
---|
1369 | BIO_free(pbio);
|
---|
1370 |
|
---|
1371 | if (!param) {
|
---|
1372 | BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
|
---|
1373 | return NULL;
|
---|
1374 | }
|
---|
1375 | if (*pkey_type == -1)
|
---|
1376 | *pkey_type = EVP_PKEY_id(param);
|
---|
1377 | else if (*pkey_type != EVP_PKEY_base_id(param)) {
|
---|
1378 | BIO_printf(bio_err, "Key Type does not match parameters\n");
|
---|
1379 | EVP_PKEY_free(param);
|
---|
1380 | return NULL;
|
---|
1381 | }
|
---|
1382 | }
|
---|
1383 |
|
---|
1384 | if (palgnam) {
|
---|
1385 | const EVP_PKEY_ASN1_METHOD *ameth;
|
---|
1386 | ENGINE *tmpeng;
|
---|
1387 | const char *anam;
|
---|
1388 | ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
|
---|
1389 | if (!ameth) {
|
---|
1390 | BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
|
---|
1391 | return NULL;
|
---|
1392 | }
|
---|
1393 | EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
|
---|
1394 | *palgnam = OPENSSL_strdup(anam);
|
---|
1395 | #ifndef OPENSSL_NO_ENGINE
|
---|
1396 | ENGINE_finish(tmpeng);
|
---|
1397 | #endif
|
---|
1398 | }
|
---|
1399 |
|
---|
1400 | if (param) {
|
---|
1401 | gctx = EVP_PKEY_CTX_new(param, keygen_engine);
|
---|
1402 | *pkeylen = EVP_PKEY_bits(param);
|
---|
1403 | EVP_PKEY_free(param);
|
---|
1404 | } else
|
---|
1405 | gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
|
---|
1406 |
|
---|
1407 | if (gctx == NULL) {
|
---|
1408 | BIO_puts(bio_err, "Error allocating keygen context\n");
|
---|
1409 | ERR_print_errors(bio_err);
|
---|
1410 | return NULL;
|
---|
1411 | }
|
---|
1412 |
|
---|
1413 | if (EVP_PKEY_keygen_init(gctx) <= 0) {
|
---|
1414 | BIO_puts(bio_err, "Error initializing keygen context\n");
|
---|
1415 | ERR_print_errors(bio_err);
|
---|
1416 | EVP_PKEY_CTX_free(gctx);
|
---|
1417 | return NULL;
|
---|
1418 | }
|
---|
1419 | #ifndef OPENSSL_NO_RSA
|
---|
1420 | if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
|
---|
1421 | if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
|
---|
1422 | BIO_puts(bio_err, "Error setting RSA keysize\n");
|
---|
1423 | ERR_print_errors(bio_err);
|
---|
1424 | EVP_PKEY_CTX_free(gctx);
|
---|
1425 | return NULL;
|
---|
1426 | }
|
---|
1427 | }
|
---|
1428 | #endif
|
---|
1429 |
|
---|
1430 | return gctx;
|
---|
1431 | }
|
---|
1432 |
|
---|
1433 | static int genpkey_cb(EVP_PKEY_CTX *ctx)
|
---|
1434 | {
|
---|
1435 | char c = '*';
|
---|
1436 | BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
|
---|
1437 | int p;
|
---|
1438 | p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
---|
1439 | if (p == 0)
|
---|
1440 | c = '.';
|
---|
1441 | if (p == 1)
|
---|
1442 | c = '+';
|
---|
1443 | if (p == 2)
|
---|
1444 | c = '*';
|
---|
1445 | if (p == 3)
|
---|
1446 | c = '\n';
|
---|
1447 | BIO_write(b, &c, 1);
|
---|
1448 | (void)BIO_flush(b);
|
---|
1449 | return 1;
|
---|
1450 | }
|
---|
1451 |
|
---|
1452 | static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
|
---|
1453 | const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
|
---|
1454 | {
|
---|
1455 | EVP_PKEY_CTX *pkctx = NULL;
|
---|
1456 | int i;
|
---|
1457 |
|
---|
1458 | if (ctx == NULL)
|
---|
1459 | return 0;
|
---|
1460 | if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
|
---|
1461 | return 0;
|
---|
1462 | for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
|
---|
1463 | char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
|
---|
1464 | if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
|
---|
1465 | BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
|
---|
1466 | ERR_print_errors(bio_err);
|
---|
1467 | return 0;
|
---|
1468 | }
|
---|
1469 | }
|
---|
1470 | return 1;
|
---|
1471 | }
|
---|
1472 |
|
---|
1473 | int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
|
---|
1474 | STACK_OF(OPENSSL_STRING) *sigopts)
|
---|
1475 | {
|
---|
1476 | int rv;
|
---|
1477 | EVP_MD_CTX *mctx = EVP_MD_CTX_new();
|
---|
1478 |
|
---|
1479 | rv = do_sign_init(mctx, pkey, md, sigopts);
|
---|
1480 | if (rv > 0)
|
---|
1481 | rv = X509_sign_ctx(x, mctx);
|
---|
1482 | EVP_MD_CTX_free(mctx);
|
---|
1483 | return rv > 0 ? 1 : 0;
|
---|
1484 | }
|
---|
1485 |
|
---|
1486 | int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
|
---|
1487 | STACK_OF(OPENSSL_STRING) *sigopts)
|
---|
1488 | {
|
---|
1489 | int rv;
|
---|
1490 | EVP_MD_CTX *mctx = EVP_MD_CTX_new();
|
---|
1491 | rv = do_sign_init(mctx, pkey, md, sigopts);
|
---|
1492 | if (rv > 0)
|
---|
1493 | rv = X509_REQ_sign_ctx(x, mctx);
|
---|
1494 | EVP_MD_CTX_free(mctx);
|
---|
1495 | return rv > 0 ? 1 : 0;
|
---|
1496 | }
|
---|
1497 |
|
---|
1498 | int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
|
---|
1499 | STACK_OF(OPENSSL_STRING) *sigopts)
|
---|
1500 | {
|
---|
1501 | int rv;
|
---|
1502 | EVP_MD_CTX *mctx = EVP_MD_CTX_new();
|
---|
1503 | rv = do_sign_init(mctx, pkey, md, sigopts);
|
---|
1504 | if (rv > 0)
|
---|
1505 | rv = X509_CRL_sign_ctx(x, mctx);
|
---|
1506 | EVP_MD_CTX_free(mctx);
|
---|
1507 | return rv > 0 ? 1 : 0;
|
---|
1508 | }
|
---|