source: EcnlProtoTool/trunk/openssl-1.1.0e/apps/req.c@ 331

Last change on this file since 331 was 331, checked in by coas-nagasima, 6 years ago

prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新
ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新
以下のOSSをアップデート
・mruby-1.3.0
・musl-1.1.18
・onigmo-6.1.3
・tcc-0.9.27
以下のOSSを追加
・openssl-1.1.0e
・curl-7.57.0
・zlib-1.2.11
以下のmrbgemsを追加
・iij/mruby-digest
・iij/mruby-env
・iij/mruby-errno
・iij/mruby-iijson
・iij/mruby-ipaddr
・iij/mruby-mock
・iij/mruby-require
・iij/mruby-tls-openssl
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc
File size: 45.6 KB
Line 
1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include <stdlib.h>
12#include <time.h>
13#include <string.h>
14#include "apps.h"
15#include <openssl/bio.h>
16#include <openssl/evp.h>
17#include <openssl/conf.h>
18#include <openssl/err.h>
19#include <openssl/asn1.h>
20#include <openssl/x509.h>
21#include <openssl/x509v3.h>
22#include <openssl/objects.h>
23#include <openssl/pem.h>
24#include <openssl/bn.h>
25#ifndef OPENSSL_NO_RSA
26# include <openssl/rsa.h>
27#endif
28#ifndef OPENSSL_NO_DSA
29# include <openssl/dsa.h>
30#endif
31
32#define SECTION "req"
33
34#define BITS "default_bits"
35#define KEYFILE "default_keyfile"
36#define PROMPT "prompt"
37#define DISTINGUISHED_NAME "distinguished_name"
38#define ATTRIBUTES "attributes"
39#define V3_EXTENSIONS "x509_extensions"
40#define REQ_EXTENSIONS "req_extensions"
41#define STRING_MASK "string_mask"
42#define UTF8_IN "utf8"
43
44#define DEFAULT_KEY_LENGTH 2048
45#define MIN_KEY_LENGTH 512
46
47static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
48 int attribs, unsigned long chtype);
49static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
50 int multirdn);
51static int prompt_info(X509_REQ *req,
52 STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
53 STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
54 int attribs, unsigned long chtype);
55static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
56 STACK_OF(CONF_VALUE) *attr, int attribs,
57 unsigned long chtype);
58static int add_attribute_object(X509_REQ *req, char *text, const char *def,
59 char *value, int nid, int n_min, int n_max,
60 unsigned long chtype);
61static int add_DN_object(X509_NAME *n, char *text, const char *def,
62 char *value, int nid, int n_min, int n_max,
63 unsigned long chtype, int mval);
64static int genpkey_cb(EVP_PKEY_CTX *ctx);
65static int req_check_len(int len, int n_min, int n_max);
66static int check_end(const char *str, const char *end);
67static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
68 int *pkey_type, long *pkeylen,
69 char **palgnam, ENGINE *keygen_engine);
70static CONF *req_conf = NULL;
71static int batch = 0;
72
73typedef enum OPTION_choice {
74 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
75 OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
76 OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
77 OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_RAND, OPT_NEWKEY,
78 OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
79 OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
80 OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
81 OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
82 OPT_REQEXTS, OPT_MD
83} OPTION_CHOICE;
84
85OPTIONS req_options[] = {
86 {"help", OPT_HELP, '-', "Display this summary"},
87 {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
88 {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
89 {"in", OPT_IN, '<', "Input file"},
90 {"out", OPT_OUT, '>', "Output file"},
91 {"key", OPT_KEY, 's', "Private key to use"},
92 {"keyform", OPT_KEYFORM, 'f', "Key file format"},
93 {"pubkey", OPT_PUBKEY, '-', "Output public key"},
94 {"new", OPT_NEW, '-', "New request"},
95 {"config", OPT_CONFIG, '<', "Request template file"},
96 {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
97 {"passin", OPT_PASSIN, 's', "Private key password source"},
98 {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
99 {"rand", OPT_RAND, 's',
100 "Load the file(s) into the random number generator"},
101 {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
102 {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
103 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
104 {"batch", OPT_BATCH, '-',
105 "Do not ask anything during request generation"},
106 {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
107 {"modulus", OPT_MODULUS, '-', "RSA modulus"},
108 {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
109 {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
110 {"noout", OPT_NOOUT, '-', "Do not output REQ"},
111 {"verbose", OPT_VERBOSE, '-', "Verbose output"},
112 {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
113 {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
114 {"reqopt", OPT_REQOPT, 's', "Various request text options"},
115 {"text", OPT_TEXT, '-', "Text form of request"},
116 {"x509", OPT_X509, '-',
117 "Output a x509 structure instead of a cert request"},
118 {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
119 {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
120 {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
121 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
122 "Enable support for multivalued RDNs"},
123 {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
124 {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
125 {"extensions", OPT_EXTENSIONS, 's',
126 "Cert extension section (override value in config file)"},
127 {"reqexts", OPT_REQEXTS, 's',
128 "Request extension section (override value in config file)"},
129 {"", OPT_MD, '-', "Any supported digest"},
130#ifndef OPENSSL_NO_ENGINE
131 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
132 {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
133 "Specify engine to be used for key generation operations"},
134#endif
135 {NULL}
136};
137
138int req_main(int argc, char **argv)
139{
140 ASN1_INTEGER *serial = NULL;
141 BIO *in = NULL, *out = NULL;
142 ENGINE *e = NULL, *gen_eng = NULL;
143 EVP_PKEY *pkey = NULL;
144 EVP_PKEY_CTX *genctx = NULL;
145 STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
146 X509 *x509ss = NULL;
147 X509_REQ *req = NULL;
148 const EVP_CIPHER *cipher = NULL;
149 const EVP_MD *md_alg = NULL, *digest = NULL;
150 char *extensions = NULL, *infile = NULL;
151 char *outfile = NULL, *keyfile = NULL, *inrand = NULL;
152 char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
153 char *passin = NULL, *passout = NULL;
154 char *nofree_passin = NULL, *nofree_passout = NULL;
155 char *req_exts = NULL, *subj = NULL;
156 char *template = default_config_file, *keyout = NULL;
157 const char *keyalg = NULL;
158 OPTION_CHOICE o;
159 int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose = 0;
160 int pkey_type = -1, private = 0;
161 int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
162 int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
163 int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
164 long newkey = -1;
165 unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
166 char nmflag_set = 0;
167
168#ifndef OPENSSL_NO_DES
169 cipher = EVP_des_ede3_cbc();
170#endif
171
172 prog = opt_init(argc, argv, req_options);
173 while ((o = opt_next()) != OPT_EOF) {
174 switch (o) {
175 case OPT_EOF:
176 case OPT_ERR:
177 opthelp:
178 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
179 goto end;
180 case OPT_HELP:
181 opt_help(req_options);
182 ret = 0;
183 goto end;
184 case OPT_INFORM:
185 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
186 goto opthelp;
187 break;
188 case OPT_OUTFORM:
189 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
190 goto opthelp;
191 break;
192 case OPT_ENGINE:
193 e = setup_engine(opt_arg(), 0);
194 break;
195 case OPT_KEYGEN_ENGINE:
196#ifndef OPENSSL_NO_ENGINE
197 gen_eng = ENGINE_by_id(opt_arg());
198 if (gen_eng == NULL) {
199 BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
200 goto opthelp;
201 }
202#endif
203 break;
204 case OPT_KEY:
205 keyfile = opt_arg();
206 break;
207 case OPT_PUBKEY:
208 pubkey = 1;
209 break;
210 case OPT_NEW:
211 newreq = 1;
212 break;
213 case OPT_CONFIG:
214 template = opt_arg();
215 break;
216 case OPT_KEYFORM:
217 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
218 goto opthelp;
219 break;
220 case OPT_IN:
221 infile = opt_arg();
222 break;
223 case OPT_OUT:
224 outfile = opt_arg();
225 break;
226 case OPT_KEYOUT:
227 keyout = opt_arg();
228 break;
229 case OPT_PASSIN:
230 passargin = opt_arg();
231 break;
232 case OPT_PASSOUT:
233 passargout = opt_arg();
234 break;
235 case OPT_RAND:
236 inrand = opt_arg();
237 break;
238 case OPT_NEWKEY:
239 keyalg = opt_arg();
240 newreq = 1;
241 break;
242 case OPT_PKEYOPT:
243 if (!pkeyopts)
244 pkeyopts = sk_OPENSSL_STRING_new_null();
245 if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
246 goto opthelp;
247 break;
248 case OPT_SIGOPT:
249 if (!sigopts)
250 sigopts = sk_OPENSSL_STRING_new_null();
251 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
252 goto opthelp;
253 break;
254 case OPT_BATCH:
255 batch = 1;
256 break;
257 case OPT_NEWHDR:
258 newhdr = 1;
259 break;
260 case OPT_MODULUS:
261 modulus = 1;
262 break;
263 case OPT_VERIFY:
264 verify = 1;
265 break;
266 case OPT_NODES:
267 nodes = 1;
268 break;
269 case OPT_NOOUT:
270 noout = 1;
271 break;
272 case OPT_VERBOSE:
273 verbose = 1;
274 break;
275 case OPT_UTF8:
276 chtype = MBSTRING_UTF8;
277 break;
278 case OPT_NAMEOPT:
279 nmflag_set = 1;
280 if (!set_name_ex(&nmflag, opt_arg()))
281 goto opthelp;
282 break;
283 case OPT_REQOPT:
284 if (!set_cert_ex(&reqflag, opt_arg()))
285 goto opthelp;
286 break;
287 case OPT_TEXT:
288 text = 1;
289 break;
290 case OPT_X509:
291 x509 = 1;
292 newreq = 1;
293 break;
294 case OPT_DAYS:
295 days = atoi(opt_arg());
296 break;
297 case OPT_SET_SERIAL:
298 if (serial != NULL) {
299 BIO_printf(bio_err, "Serial number supplied twice\n");
300 goto opthelp;
301 }
302 serial = s2i_ASN1_INTEGER(NULL, opt_arg());
303 if (serial == NULL)
304 goto opthelp;
305 break;
306 case OPT_SUBJECT:
307 subject = 1;
308 break;
309 case OPT_SUBJ:
310 subj = opt_arg();
311 break;
312 case OPT_MULTIVALUE_RDN:
313 multirdn = 1;
314 break;
315 case OPT_EXTENSIONS:
316 extensions = opt_arg();
317 break;
318 case OPT_REQEXTS:
319 req_exts = opt_arg();
320 break;
321 case OPT_MD:
322 if (!opt_md(opt_unknown(), &md_alg))
323 goto opthelp;
324 digest = md_alg;
325 break;
326 }
327 }
328 argc = opt_num_rest();
329 if (argc != 0)
330 goto opthelp;
331
332 if (!nmflag_set)
333 nmflag = XN_FLAG_ONELINE;
334
335 /* TODO: simplify this as pkey is still always NULL here */
336 private = newreq && (pkey == NULL) ? 1 : 0;
337
338 if (!app_passwd(passargin, passargout, &passin, &passout)) {
339 BIO_printf(bio_err, "Error getting passwords\n");
340 goto end;
341 }
342
343 if (verbose)
344 BIO_printf(bio_err, "Using configuration from %s\n", template);
345 req_conf = app_load_config(template);
346 if (template != default_config_file && !app_load_modules(req_conf))
347 goto end;
348
349 if (req_conf != NULL) {
350 p = NCONF_get_string(req_conf, NULL, "oid_file");
351 if (p == NULL)
352 ERR_clear_error();
353 if (p != NULL) {
354 BIO *oid_bio;
355
356 oid_bio = BIO_new_file(p, "r");
357 if (oid_bio == NULL) {
358 /*-
359 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
360 ERR_print_errors(bio_err);
361 */
362 } else {
363 OBJ_create_objects(oid_bio);
364 BIO_free(oid_bio);
365 }
366 }
367 }
368 if (!add_oid_section(req_conf))
369 goto end;
370
371 if (md_alg == NULL) {
372 p = NCONF_get_string(req_conf, SECTION, "default_md");
373 if (p == NULL)
374 ERR_clear_error();
375 else {
376 if (!opt_md(p, &md_alg))
377 goto opthelp;
378 digest = md_alg;
379 }
380 }
381
382 if (!extensions) {
383 extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
384 if (!extensions)
385 ERR_clear_error();
386 }
387 if (extensions) {
388 /* Check syntax of file */
389 X509V3_CTX ctx;
390 X509V3_set_ctx_test(&ctx);
391 X509V3_set_nconf(&ctx, req_conf);
392 if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
393 BIO_printf(bio_err,
394 "Error Loading extension section %s\n", extensions);
395 goto end;
396 }
397 }
398
399 if (passin == NULL) {
400 passin = nofree_passin =
401 NCONF_get_string(req_conf, SECTION, "input_password");
402 if (passin == NULL)
403 ERR_clear_error();
404 }
405
406 if (passout == NULL) {
407 passout = nofree_passout =
408 NCONF_get_string(req_conf, SECTION, "output_password");
409 if (passout == NULL)
410 ERR_clear_error();
411 }
412
413 p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
414 if (!p)
415 ERR_clear_error();
416
417 if (p && !ASN1_STRING_set_default_mask_asc(p)) {
418 BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
419 goto end;
420 }
421
422 if (chtype != MBSTRING_UTF8) {
423 p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
424 if (!p)
425 ERR_clear_error();
426 else if (strcmp(p, "yes") == 0)
427 chtype = MBSTRING_UTF8;
428 }
429
430 if (!req_exts) {
431 req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
432 if (!req_exts)
433 ERR_clear_error();
434 }
435 if (req_exts) {
436 /* Check syntax of file */
437 X509V3_CTX ctx;
438 X509V3_set_ctx_test(&ctx);
439 X509V3_set_nconf(&ctx, req_conf);
440 if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
441 BIO_printf(bio_err,
442 "Error Loading request extension section %s\n",
443 req_exts);
444 goto end;
445 }
446 }
447
448 if (keyfile != NULL) {
449 pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
450 if (!pkey) {
451 /* load_key() has already printed an appropriate message */
452 goto end;
453 } else {
454 char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
455 if (randfile == NULL)
456 ERR_clear_error();
457 app_RAND_load_file(randfile, 0);
458 }
459 }
460
461 if (newreq && (pkey == NULL)) {
462 char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
463 if (randfile == NULL)
464 ERR_clear_error();
465 app_RAND_load_file(randfile, 0);
466 if (inrand)
467 app_RAND_load_files(inrand);
468
469 if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
470 newkey = DEFAULT_KEY_LENGTH;
471 }
472
473 if (keyalg) {
474 genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
475 &keyalgstr, gen_eng);
476 if (!genctx)
477 goto end;
478 }
479
480 if (newkey < MIN_KEY_LENGTH
481 && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
482 BIO_printf(bio_err, "private key length is too short,\n");
483 BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
484 MIN_KEY_LENGTH, newkey);
485 goto end;
486 }
487
488 if (!genctx) {
489 genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
490 &keyalgstr, gen_eng);
491 if (!genctx)
492 goto end;
493 }
494
495 if (pkeyopts) {
496 char *genopt;
497 for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
498 genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
499 if (pkey_ctrl_string(genctx, genopt) <= 0) {
500 BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
501 ERR_print_errors(bio_err);
502 goto end;
503 }
504 }
505 }
506
507 if (pkey_type == EVP_PKEY_EC) {
508 BIO_printf(bio_err, "Generating an EC private key\n");
509 } else {
510 BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
511 newkey, keyalgstr);
512 }
513
514 EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
515 EVP_PKEY_CTX_set_app_data(genctx, bio_err);
516
517 if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
518 BIO_puts(bio_err, "Error Generating Key\n");
519 goto end;
520 }
521
522 EVP_PKEY_CTX_free(genctx);
523 genctx = NULL;
524
525 app_RAND_write_file(randfile);
526
527 if (keyout == NULL) {
528 keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
529 if (keyout == NULL)
530 ERR_clear_error();
531 }
532
533 if (keyout == NULL)
534 BIO_printf(bio_err, "writing new private key to stdout\n");
535 else
536 BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
537 out = bio_open_owner(keyout, outformat, private);
538 if (out == NULL)
539 goto end;
540
541 p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
542 if (p == NULL) {
543 ERR_clear_error();
544 p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
545 if (p == NULL)
546 ERR_clear_error();
547 }
548 if ((p != NULL) && (strcmp(p, "no") == 0))
549 cipher = NULL;
550 if (nodes)
551 cipher = NULL;
552
553 i = 0;
554 loop:
555 assert(private);
556 if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
557 NULL, 0, NULL, passout)) {
558 if ((ERR_GET_REASON(ERR_peek_error()) ==
559 PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
560 ERR_clear_error();
561 i++;
562 goto loop;
563 }
564 goto end;
565 }
566 BIO_free(out);
567 out = NULL;
568 BIO_printf(bio_err, "-----\n");
569 }
570
571 if (!newreq) {
572 in = bio_open_default(infile, 'r', informat);
573 if (in == NULL)
574 goto end;
575
576 if (informat == FORMAT_ASN1)
577 req = d2i_X509_REQ_bio(in, NULL);
578 else
579 req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
580 if (req == NULL) {
581 BIO_printf(bio_err, "unable to load X509 request\n");
582 goto end;
583 }
584 }
585
586 if (newreq) {
587 if (pkey == NULL) {
588 BIO_printf(bio_err, "you need to specify a private key\n");
589 goto end;
590 }
591
592 if (req == NULL) {
593 req = X509_REQ_new();
594 if (req == NULL) {
595 goto end;
596 }
597
598 i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
599 subj = NULL; /* done processing '-subj' option */
600 if (!i) {
601 BIO_printf(bio_err, "problems making Certificate Request\n");
602 goto end;
603 }
604 }
605 if (x509) {
606 EVP_PKEY *tmppkey;
607 X509V3_CTX ext_ctx;
608 if ((x509ss = X509_new()) == NULL)
609 goto end;
610
611 /* Set version to V3 */
612 if (extensions && !X509_set_version(x509ss, 2))
613 goto end;
614 if (serial) {
615 if (!X509_set_serialNumber(x509ss, serial))
616 goto end;
617 } else {
618 if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
619 goto end;
620 }
621
622 if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
623 goto end;
624 if (!set_cert_times(x509ss, NULL, NULL, days))
625 goto end;
626 if (!X509_set_subject_name
627 (x509ss, X509_REQ_get_subject_name(req)))
628 goto end;
629 tmppkey = X509_REQ_get0_pubkey(req);
630 if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
631 goto end;
632
633 /* Set up V3 context struct */
634
635 X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
636 X509V3_set_nconf(&ext_ctx, req_conf);
637
638 /* Add extensions */
639 if (extensions && !X509V3_EXT_add_nconf(req_conf,
640 &ext_ctx, extensions,
641 x509ss)) {
642 BIO_printf(bio_err, "Error Loading extension section %s\n",
643 extensions);
644 goto end;
645 }
646
647 i = do_X509_sign(x509ss, pkey, digest, sigopts);
648 if (!i) {
649 ERR_print_errors(bio_err);
650 goto end;
651 }
652 } else {
653 X509V3_CTX ext_ctx;
654
655 /* Set up V3 context struct */
656
657 X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
658 X509V3_set_nconf(&ext_ctx, req_conf);
659
660 /* Add extensions */
661 if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
662 &ext_ctx, req_exts,
663 req)) {
664 BIO_printf(bio_err, "Error Loading extension section %s\n",
665 req_exts);
666 goto end;
667 }
668 i = do_X509_REQ_sign(req, pkey, digest, sigopts);
669 if (!i) {
670 ERR_print_errors(bio_err);
671 goto end;
672 }
673 }
674 }
675
676 if (subj && x509) {
677 BIO_printf(bio_err, "Cannot modify certificate subject\n");
678 goto end;
679 }
680
681 if (subj && !x509) {
682 if (verbose) {
683 BIO_printf(bio_err, "Modifying Request's Subject\n");
684 print_name(bio_err, "old subject=",
685 X509_REQ_get_subject_name(req), nmflag);
686 }
687
688 if (build_subject(req, subj, chtype, multirdn) == 0) {
689 BIO_printf(bio_err, "ERROR: cannot modify subject\n");
690 ret = 1;
691 goto end;
692 }
693
694 if (verbose) {
695 print_name(bio_err, "new subject=",
696 X509_REQ_get_subject_name(req), nmflag);
697 }
698 }
699
700 if (verify && !x509) {
701 EVP_PKEY *tpubkey = pkey;
702
703 if (tpubkey == NULL) {
704 tpubkey = X509_REQ_get0_pubkey(req);
705 if (tpubkey == NULL)
706 goto end;
707 }
708
709 i = X509_REQ_verify(req, tpubkey);
710
711 if (i < 0) {
712 goto end;
713 } else if (i == 0) {
714 BIO_printf(bio_err, "verify failure\n");
715 ERR_print_errors(bio_err);
716 } else /* if (i > 0) */
717 BIO_printf(bio_err, "verify OK\n");
718 }
719
720 if (noout && !text && !modulus && !subject && !pubkey) {
721 ret = 0;
722 goto end;
723 }
724
725 out = bio_open_default(outfile,
726 keyout != NULL && outfile != NULL &&
727 strcmp(keyout, outfile) == 0 ? 'a' : 'w',
728 outformat);
729 if (out == NULL)
730 goto end;
731
732 if (pubkey) {
733 EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req);
734
735 if (tpubkey == NULL) {
736 BIO_printf(bio_err, "Error getting public key\n");
737 ERR_print_errors(bio_err);
738 goto end;
739 }
740 PEM_write_bio_PUBKEY(out, tpubkey);
741 }
742
743 if (text) {
744 if (x509)
745 X509_print_ex(out, x509ss, nmflag, reqflag);
746 else
747 X509_REQ_print_ex(out, req, nmflag, reqflag);
748 }
749
750 if (subject) {
751 if (x509)
752 print_name(out, "subject=", X509_get_subject_name(x509ss),
753 nmflag);
754 else
755 print_name(out, "subject=", X509_REQ_get_subject_name(req),
756 nmflag);
757 }
758
759 if (modulus) {
760 EVP_PKEY *tpubkey;
761
762 if (x509)
763 tpubkey = X509_get0_pubkey(x509ss);
764 else
765 tpubkey = X509_REQ_get0_pubkey(req);
766 if (tpubkey == NULL) {
767 fprintf(stdout, "Modulus=unavailable\n");
768 goto end;
769 }
770 fprintf(stdout, "Modulus=");
771#ifndef OPENSSL_NO_RSA
772 if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
773 const BIGNUM *n;
774 RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
775 BN_print(out, n);
776 } else
777#endif
778 fprintf(stdout, "Wrong Algorithm type");
779 fprintf(stdout, "\n");
780 }
781
782 if (!noout && !x509) {
783 if (outformat == FORMAT_ASN1)
784 i = i2d_X509_REQ_bio(out, req);
785 else if (newhdr)
786 i = PEM_write_bio_X509_REQ_NEW(out, req);
787 else
788 i = PEM_write_bio_X509_REQ(out, req);
789 if (!i) {
790 BIO_printf(bio_err, "unable to write X509 request\n");
791 goto end;
792 }
793 }
794 if (!noout && x509 && (x509ss != NULL)) {
795 if (outformat == FORMAT_ASN1)
796 i = i2d_X509_bio(out, x509ss);
797 else
798 i = PEM_write_bio_X509(out, x509ss);
799 if (!i) {
800 BIO_printf(bio_err, "unable to write X509 certificate\n");
801 goto end;
802 }
803 }
804 ret = 0;
805 end:
806 if (ret) {
807 ERR_print_errors(bio_err);
808 }
809 NCONF_free(req_conf);
810 BIO_free(in);
811 BIO_free_all(out);
812 EVP_PKEY_free(pkey);
813 EVP_PKEY_CTX_free(genctx);
814 sk_OPENSSL_STRING_free(pkeyopts);
815 sk_OPENSSL_STRING_free(sigopts);
816#ifndef OPENSSL_NO_ENGINE
817 ENGINE_free(gen_eng);
818#endif
819 OPENSSL_free(keyalgstr);
820 X509_REQ_free(req);
821 X509_free(x509ss);
822 ASN1_INTEGER_free(serial);
823 release_engine(e);
824 if (passin != nofree_passin)
825 OPENSSL_free(passin);
826 if (passout != nofree_passout)
827 OPENSSL_free(passout);
828 return (ret);
829}
830
831static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
832 int attribs, unsigned long chtype)
833{
834 int ret = 0, i;
835 char no_prompt = 0;
836 STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
837 char *tmp, *dn_sect, *attr_sect;
838
839 tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
840 if (tmp == NULL)
841 ERR_clear_error();
842 if ((tmp != NULL) && strcmp(tmp, "no") == 0)
843 no_prompt = 1;
844
845 dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
846 if (dn_sect == NULL) {
847 BIO_printf(bio_err, "unable to find '%s' in config\n",
848 DISTINGUISHED_NAME);
849 goto err;
850 }
851 dn_sk = NCONF_get_section(req_conf, dn_sect);
852 if (dn_sk == NULL) {
853 BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
854 goto err;
855 }
856
857 attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
858 if (attr_sect == NULL) {
859 ERR_clear_error();
860 attr_sk = NULL;
861 } else {
862 attr_sk = NCONF_get_section(req_conf, attr_sect);
863 if (attr_sk == NULL) {
864 BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
865 goto err;
866 }
867 }
868
869 /* setup version number */
870 if (!X509_REQ_set_version(req, 0L))
871 goto err; /* version 1 */
872
873 if (subj)
874 i = build_subject(req, subj, chtype, multirdn);
875 else if (no_prompt)
876 i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
877 else
878 i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
879 chtype);
880 if (!i)
881 goto err;
882
883 if (!X509_REQ_set_pubkey(req, pkey))
884 goto err;
885
886 ret = 1;
887 err:
888 return (ret);
889}
890
891/*
892 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
893 * where characters may be escaped by \
894 */
895static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
896 int multirdn)
897{
898 X509_NAME *n;
899
900 if ((n = parse_name(subject, chtype, multirdn)) == NULL)
901 return 0;
902
903 if (!X509_REQ_set_subject_name(req, n)) {
904 X509_NAME_free(n);
905 return 0;
906 }
907 X509_NAME_free(n);
908 return 1;
909}
910
911static int prompt_info(X509_REQ *req,
912 STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
913 STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
914 int attribs, unsigned long chtype)
915{
916 int i;
917 char *p, *q;
918 char buf[100];
919 int nid, mval;
920 long n_min, n_max;
921 char *type, *value;
922 const char *def;
923 CONF_VALUE *v;
924 X509_NAME *subj;
925 subj = X509_REQ_get_subject_name(req);
926
927 if (!batch) {
928 BIO_printf(bio_err,
929 "You are about to be asked to enter information that will be incorporated\n");
930 BIO_printf(bio_err, "into your certificate request.\n");
931 BIO_printf(bio_err,
932 "What you are about to enter is what is called a Distinguished Name or a DN.\n");
933 BIO_printf(bio_err,
934 "There are quite a few fields but you can leave some blank\n");
935 BIO_printf(bio_err,
936 "For some fields there will be a default value,\n");
937 BIO_printf(bio_err,
938 "If you enter '.', the field will be left blank.\n");
939 BIO_printf(bio_err, "-----\n");
940 }
941
942 if (sk_CONF_VALUE_num(dn_sk)) {
943 i = -1;
944 start:for (;;) {
945 i++;
946 if (sk_CONF_VALUE_num(dn_sk) <= i)
947 break;
948
949 v = sk_CONF_VALUE_value(dn_sk, i);
950 p = q = NULL;
951 type = v->name;
952 if (!check_end(type, "_min") || !check_end(type, "_max") ||
953 !check_end(type, "_default") || !check_end(type, "_value"))
954 continue;
955 /*
956 * Skip past any leading X. X: X, etc to allow for multiple
957 * instances
958 */
959 for (p = v->name; *p; p++)
960 if ((*p == ':') || (*p == ',') || (*p == '.')) {
961 p++;
962 if (*p)
963 type = p;
964 break;
965 }
966 if (*type == '+') {
967 mval = -1;
968 type++;
969 } else
970 mval = 0;
971 /* If OBJ not recognised ignore it */
972 if ((nid = OBJ_txt2nid(type)) == NID_undef)
973 goto start;
974 if (BIO_snprintf(buf, sizeof buf, "%s_default", v->name)
975 >= (int)sizeof(buf)) {
976 BIO_printf(bio_err, "Name '%s' too long\n", v->name);
977 return 0;
978 }
979
980 if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
981 ERR_clear_error();
982 def = "";
983 }
984
985 BIO_snprintf(buf, sizeof buf, "%s_value", v->name);
986 if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
987 ERR_clear_error();
988 value = NULL;
989 }
990
991 BIO_snprintf(buf, sizeof buf, "%s_min", v->name);
992 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
993 ERR_clear_error();
994 n_min = -1;
995 }
996
997 BIO_snprintf(buf, sizeof buf, "%s_max", v->name);
998 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
999 ERR_clear_error();
1000 n_max = -1;
1001 }
1002
1003 if (!add_DN_object(subj, v->value, def, value, nid,
1004 n_min, n_max, chtype, mval))
1005 return 0;
1006 }
1007 if (X509_NAME_entry_count(subj) == 0) {
1008 BIO_printf(bio_err,
1009 "error, no objects specified in config file\n");
1010 return 0;
1011 }
1012
1013 if (attribs) {
1014 if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
1015 && (!batch)) {
1016 BIO_printf(bio_err,
1017 "\nPlease enter the following 'extra' attributes\n");
1018 BIO_printf(bio_err,
1019 "to be sent with your certificate request\n");
1020 }
1021
1022 i = -1;
1023 start2: for (;;) {
1024 i++;
1025 if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
1026 break;
1027
1028 v = sk_CONF_VALUE_value(attr_sk, i);
1029 type = v->name;
1030 if ((nid = OBJ_txt2nid(type)) == NID_undef)
1031 goto start2;
1032
1033 if (BIO_snprintf(buf, sizeof buf, "%s_default", type)
1034 >= (int)sizeof(buf)) {
1035 BIO_printf(bio_err, "Name '%s' too long\n", v->name);
1036 return 0;
1037 }
1038
1039 if ((def = NCONF_get_string(req_conf, attr_sect, buf))
1040 == NULL) {
1041 ERR_clear_error();
1042 def = "";
1043 }
1044
1045 BIO_snprintf(buf, sizeof buf, "%s_value", type);
1046 if ((value = NCONF_get_string(req_conf, attr_sect, buf))
1047 == NULL) {
1048 ERR_clear_error();
1049 value = NULL;
1050 }
1051
1052 BIO_snprintf(buf, sizeof buf, "%s_min", type);
1053 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
1054 ERR_clear_error();
1055 n_min = -1;
1056 }
1057
1058 BIO_snprintf(buf, sizeof buf, "%s_max", type);
1059 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
1060 ERR_clear_error();
1061 n_max = -1;
1062 }
1063
1064 if (!add_attribute_object(req,
1065 v->value, def, value, nid, n_min,
1066 n_max, chtype))
1067 return 0;
1068 }
1069 }
1070 } else {
1071 BIO_printf(bio_err, "No template, please set one up.\n");
1072 return 0;
1073 }
1074
1075 return 1;
1076
1077}
1078
1079static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
1080 STACK_OF(CONF_VALUE) *attr_sk, int attribs,
1081 unsigned long chtype)
1082{
1083 int i, spec_char, plus_char;
1084 char *p, *q;
1085 char *type;
1086 CONF_VALUE *v;
1087 X509_NAME *subj;
1088
1089 subj = X509_REQ_get_subject_name(req);
1090
1091 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1092 int mval;
1093 v = sk_CONF_VALUE_value(dn_sk, i);
1094 p = q = NULL;
1095 type = v->name;
1096 /*
1097 * Skip past any leading X. X: X, etc to allow for multiple instances
1098 */
1099 for (p = v->name; *p; p++) {
1100#ifndef CHARSET_EBCDIC
1101 spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
1102#else
1103 spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
1104 || (*p == os_toascii['.']));
1105#endif
1106 if (spec_char) {
1107 p++;
1108 if (*p)
1109 type = p;
1110 break;
1111 }
1112 }
1113#ifndef CHARSET_EBCDIC
1114 plus_char = (*type == '+');
1115#else
1116 plus_char = (*type == os_toascii['+']);
1117#endif
1118 if (plus_char) {
1119 type++;
1120 mval = -1;
1121 } else
1122 mval = 0;
1123 if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
1124 (unsigned char *)v->value, -1, -1,
1125 mval))
1126 return 0;
1127
1128 }
1129
1130 if (!X509_NAME_entry_count(subj)) {
1131 BIO_printf(bio_err, "error, no objects specified in config file\n");
1132 return 0;
1133 }
1134 if (attribs) {
1135 for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
1136 v = sk_CONF_VALUE_value(attr_sk, i);
1137 if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
1138 (unsigned char *)v->value, -1))
1139 return 0;
1140 }
1141 }
1142 return 1;
1143}
1144
1145static int add_DN_object(X509_NAME *n, char *text, const char *def,
1146 char *value, int nid, int n_min, int n_max,
1147 unsigned long chtype, int mval)
1148{
1149 int i, ret = 0;
1150 char buf[1024];
1151 start:
1152 if (!batch)
1153 BIO_printf(bio_err, "%s [%s]:", text, def);
1154 (void)BIO_flush(bio_err);
1155 if (value != NULL) {
1156 OPENSSL_strlcpy(buf, value, sizeof buf);
1157 OPENSSL_strlcat(buf, "\n", sizeof buf);
1158 BIO_printf(bio_err, "%s\n", value);
1159 } else {
1160 buf[0] = '\0';
1161 if (!batch) {
1162 if (!fgets(buf, sizeof buf, stdin))
1163 return 0;
1164 } else {
1165 buf[0] = '\n';
1166 buf[1] = '\0';
1167 }
1168 }
1169
1170 if (buf[0] == '\0')
1171 return (0);
1172 else if (buf[0] == '\n') {
1173 if ((def == NULL) || (def[0] == '\0'))
1174 return (1);
1175 OPENSSL_strlcpy(buf, def, sizeof buf);
1176 OPENSSL_strlcat(buf, "\n", sizeof buf);
1177 } else if ((buf[0] == '.') && (buf[1] == '\n'))
1178 return (1);
1179
1180 i = strlen(buf);
1181 if (buf[i - 1] != '\n') {
1182 BIO_printf(bio_err, "weird input :-(\n");
1183 return (0);
1184 }
1185 buf[--i] = '\0';
1186#ifdef CHARSET_EBCDIC
1187 ebcdic2ascii(buf, buf, i);
1188#endif
1189 if (!req_check_len(i, n_min, n_max)) {
1190 if (batch || value)
1191 return 0;
1192 goto start;
1193 }
1194
1195 if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
1196 (unsigned char *)buf, -1, -1, mval))
1197 goto err;
1198 ret = 1;
1199 err:
1200 return (ret);
1201}
1202
1203static int add_attribute_object(X509_REQ *req, char *text, const char *def,
1204 char *value, int nid, int n_min,
1205 int n_max, unsigned long chtype)
1206{
1207 int i;
1208 static char buf[1024];
1209
1210 start:
1211 if (!batch)
1212 BIO_printf(bio_err, "%s [%s]:", text, def);
1213 (void)BIO_flush(bio_err);
1214 if (value != NULL) {
1215 OPENSSL_strlcpy(buf, value, sizeof buf);
1216 OPENSSL_strlcat(buf, "\n", sizeof buf);
1217 BIO_printf(bio_err, "%s\n", value);
1218 } else {
1219 buf[0] = '\0';
1220 if (!batch) {
1221 if (!fgets(buf, sizeof buf, stdin))
1222 return 0;
1223 } else {
1224 buf[0] = '\n';
1225 buf[1] = '\0';
1226 }
1227 }
1228
1229 if (buf[0] == '\0')
1230 return (0);
1231 else if (buf[0] == '\n') {
1232 if ((def == NULL) || (def[0] == '\0'))
1233 return (1);
1234 OPENSSL_strlcpy(buf, def, sizeof buf);
1235 OPENSSL_strlcat(buf, "\n", sizeof buf);
1236 } else if ((buf[0] == '.') && (buf[1] == '\n'))
1237 return (1);
1238
1239 i = strlen(buf);
1240 if (buf[i - 1] != '\n') {
1241 BIO_printf(bio_err, "weird input :-(\n");
1242 return (0);
1243 }
1244 buf[--i] = '\0';
1245#ifdef CHARSET_EBCDIC
1246 ebcdic2ascii(buf, buf, i);
1247#endif
1248 if (!req_check_len(i, n_min, n_max)) {
1249 if (batch || value)
1250 return 0;
1251 goto start;
1252 }
1253
1254 if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
1255 (unsigned char *)buf, -1)) {
1256 BIO_printf(bio_err, "Error adding attribute\n");
1257 ERR_print_errors(bio_err);
1258 goto err;
1259 }
1260
1261 return (1);
1262 err:
1263 return (0);
1264}
1265
1266static int req_check_len(int len, int n_min, int n_max)
1267{
1268 if ((n_min > 0) && (len < n_min)) {
1269 BIO_printf(bio_err,
1270 "string is too short, it needs to be at least %d bytes long\n",
1271 n_min);
1272 return (0);
1273 }
1274 if ((n_max >= 0) && (len > n_max)) {
1275 BIO_printf(bio_err,
1276 "string is too long, it needs to be less than %d bytes long\n",
1277 n_max);
1278 return (0);
1279 }
1280 return (1);
1281}
1282
1283/* Check if the end of a string matches 'end' */
1284static int check_end(const char *str, const char *end)
1285{
1286 int elen, slen;
1287 const char *tmp;
1288 elen = strlen(end);
1289 slen = strlen(str);
1290 if (elen > slen)
1291 return 1;
1292 tmp = str + slen - elen;
1293 return strcmp(tmp, end);
1294}
1295
1296static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
1297 int *pkey_type, long *pkeylen,
1298 char **palgnam, ENGINE *keygen_engine)
1299{
1300 EVP_PKEY_CTX *gctx = NULL;
1301 EVP_PKEY *param = NULL;
1302 long keylen = -1;
1303 BIO *pbio = NULL;
1304 const char *paramfile = NULL;
1305
1306 if (gstr == NULL) {
1307 *pkey_type = EVP_PKEY_RSA;
1308 keylen = *pkeylen;
1309 } else if (gstr[0] >= '0' && gstr[0] <= '9') {
1310 *pkey_type = EVP_PKEY_RSA;
1311 keylen = atol(gstr);
1312 *pkeylen = keylen;
1313 } else if (strncmp(gstr, "param:", 6) == 0)
1314 paramfile = gstr + 6;
1315 else {
1316 const char *p = strchr(gstr, ':');
1317 int len;
1318 ENGINE *tmpeng;
1319 const EVP_PKEY_ASN1_METHOD *ameth;
1320
1321 if (p)
1322 len = p - gstr;
1323 else
1324 len = strlen(gstr);
1325 /*
1326 * The lookup of a the string will cover all engines so keep a note
1327 * of the implementation.
1328 */
1329
1330 ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
1331
1332 if (!ameth) {
1333 BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
1334 return NULL;
1335 }
1336
1337 EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
1338#ifndef OPENSSL_NO_ENGINE
1339 ENGINE_finish(tmpeng);
1340#endif
1341 if (*pkey_type == EVP_PKEY_RSA) {
1342 if (p) {
1343 keylen = atol(p + 1);
1344 *pkeylen = keylen;
1345 } else
1346 keylen = *pkeylen;
1347 } else if (p)
1348 paramfile = p + 1;
1349 }
1350
1351 if (paramfile) {
1352 pbio = BIO_new_file(paramfile, "r");
1353 if (!pbio) {
1354 BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
1355 return NULL;
1356 }
1357 param = PEM_read_bio_Parameters(pbio, NULL);
1358
1359 if (!param) {
1360 X509 *x;
1361 (void)BIO_reset(pbio);
1362 x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
1363 if (x) {
1364 param = X509_get_pubkey(x);
1365 X509_free(x);
1366 }
1367 }
1368
1369 BIO_free(pbio);
1370
1371 if (!param) {
1372 BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
1373 return NULL;
1374 }
1375 if (*pkey_type == -1)
1376 *pkey_type = EVP_PKEY_id(param);
1377 else if (*pkey_type != EVP_PKEY_base_id(param)) {
1378 BIO_printf(bio_err, "Key Type does not match parameters\n");
1379 EVP_PKEY_free(param);
1380 return NULL;
1381 }
1382 }
1383
1384 if (palgnam) {
1385 const EVP_PKEY_ASN1_METHOD *ameth;
1386 ENGINE *tmpeng;
1387 const char *anam;
1388 ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
1389 if (!ameth) {
1390 BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
1391 return NULL;
1392 }
1393 EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
1394 *palgnam = OPENSSL_strdup(anam);
1395#ifndef OPENSSL_NO_ENGINE
1396 ENGINE_finish(tmpeng);
1397#endif
1398 }
1399
1400 if (param) {
1401 gctx = EVP_PKEY_CTX_new(param, keygen_engine);
1402 *pkeylen = EVP_PKEY_bits(param);
1403 EVP_PKEY_free(param);
1404 } else
1405 gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
1406
1407 if (gctx == NULL) {
1408 BIO_puts(bio_err, "Error allocating keygen context\n");
1409 ERR_print_errors(bio_err);
1410 return NULL;
1411 }
1412
1413 if (EVP_PKEY_keygen_init(gctx) <= 0) {
1414 BIO_puts(bio_err, "Error initializing keygen context\n");
1415 ERR_print_errors(bio_err);
1416 EVP_PKEY_CTX_free(gctx);
1417 return NULL;
1418 }
1419#ifndef OPENSSL_NO_RSA
1420 if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
1421 if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
1422 BIO_puts(bio_err, "Error setting RSA keysize\n");
1423 ERR_print_errors(bio_err);
1424 EVP_PKEY_CTX_free(gctx);
1425 return NULL;
1426 }
1427 }
1428#endif
1429
1430 return gctx;
1431}
1432
1433static int genpkey_cb(EVP_PKEY_CTX *ctx)
1434{
1435 char c = '*';
1436 BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
1437 int p;
1438 p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
1439 if (p == 0)
1440 c = '.';
1441 if (p == 1)
1442 c = '+';
1443 if (p == 2)
1444 c = '*';
1445 if (p == 3)
1446 c = '\n';
1447 BIO_write(b, &c, 1);
1448 (void)BIO_flush(b);
1449 return 1;
1450}
1451
1452static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
1453 const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
1454{
1455 EVP_PKEY_CTX *pkctx = NULL;
1456 int i;
1457
1458 if (ctx == NULL)
1459 return 0;
1460 if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
1461 return 0;
1462 for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
1463 char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
1464 if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
1465 BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
1466 ERR_print_errors(bio_err);
1467 return 0;
1468 }
1469 }
1470 return 1;
1471}
1472
1473int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
1474 STACK_OF(OPENSSL_STRING) *sigopts)
1475{
1476 int rv;
1477 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1478
1479 rv = do_sign_init(mctx, pkey, md, sigopts);
1480 if (rv > 0)
1481 rv = X509_sign_ctx(x, mctx);
1482 EVP_MD_CTX_free(mctx);
1483 return rv > 0 ? 1 : 0;
1484}
1485
1486int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
1487 STACK_OF(OPENSSL_STRING) *sigopts)
1488{
1489 int rv;
1490 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1491 rv = do_sign_init(mctx, pkey, md, sigopts);
1492 if (rv > 0)
1493 rv = X509_REQ_sign_ctx(x, mctx);
1494 EVP_MD_CTX_free(mctx);
1495 return rv > 0 ? 1 : 0;
1496}
1497
1498int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
1499 STACK_OF(OPENSSL_STRING) *sigopts)
1500{
1501 int rv;
1502 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1503 rv = do_sign_init(mctx, pkey, md, sigopts);
1504 if (rv > 0)
1505 rv = X509_CRL_sign_ctx(x, mctx);
1506 EVP_MD_CTX_free(mctx);
1507 return rv > 0 ? 1 : 0;
1508}
Note: See TracBrowser for help on using the repository browser.