[331] | 1 | /*
|
---|
| 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <stdio.h>
|
---|
| 11 | #include <stdlib.h>
|
---|
| 12 | #include <time.h>
|
---|
| 13 | #include <string.h>
|
---|
| 14 | #include "apps.h"
|
---|
| 15 | #include <openssl/bio.h>
|
---|
| 16 | #include <openssl/evp.h>
|
---|
| 17 | #include <openssl/conf.h>
|
---|
| 18 | #include <openssl/err.h>
|
---|
| 19 | #include <openssl/asn1.h>
|
---|
| 20 | #include <openssl/x509.h>
|
---|
| 21 | #include <openssl/x509v3.h>
|
---|
| 22 | #include <openssl/objects.h>
|
---|
| 23 | #include <openssl/pem.h>
|
---|
| 24 | #include <openssl/bn.h>
|
---|
| 25 | #ifndef OPENSSL_NO_RSA
|
---|
| 26 | # include <openssl/rsa.h>
|
---|
| 27 | #endif
|
---|
| 28 | #ifndef OPENSSL_NO_DSA
|
---|
| 29 | # include <openssl/dsa.h>
|
---|
| 30 | #endif
|
---|
| 31 |
|
---|
| 32 | #define SECTION "req"
|
---|
| 33 |
|
---|
| 34 | #define BITS "default_bits"
|
---|
| 35 | #define KEYFILE "default_keyfile"
|
---|
| 36 | #define PROMPT "prompt"
|
---|
| 37 | #define DISTINGUISHED_NAME "distinguished_name"
|
---|
| 38 | #define ATTRIBUTES "attributes"
|
---|
| 39 | #define V3_EXTENSIONS "x509_extensions"
|
---|
| 40 | #define REQ_EXTENSIONS "req_extensions"
|
---|
| 41 | #define STRING_MASK "string_mask"
|
---|
| 42 | #define UTF8_IN "utf8"
|
---|
| 43 |
|
---|
| 44 | #define DEFAULT_KEY_LENGTH 2048
|
---|
| 45 | #define MIN_KEY_LENGTH 512
|
---|
| 46 |
|
---|
| 47 | static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
|
---|
| 48 | int attribs, unsigned long chtype);
|
---|
| 49 | static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
|
---|
| 50 | int multirdn);
|
---|
| 51 | static int prompt_info(X509_REQ *req,
|
---|
| 52 | STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
|
---|
| 53 | STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
|
---|
| 54 | int attribs, unsigned long chtype);
|
---|
| 55 | static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
|
---|
| 56 | STACK_OF(CONF_VALUE) *attr, int attribs,
|
---|
| 57 | unsigned long chtype);
|
---|
| 58 | static int add_attribute_object(X509_REQ *req, char *text, const char *def,
|
---|
| 59 | char *value, int nid, int n_min, int n_max,
|
---|
| 60 | unsigned long chtype);
|
---|
| 61 | static int add_DN_object(X509_NAME *n, char *text, const char *def,
|
---|
| 62 | char *value, int nid, int n_min, int n_max,
|
---|
| 63 | unsigned long chtype, int mval);
|
---|
| 64 | static int genpkey_cb(EVP_PKEY_CTX *ctx);
|
---|
| 65 | static int req_check_len(int len, int n_min, int n_max);
|
---|
| 66 | static int check_end(const char *str, const char *end);
|
---|
| 67 | static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
|
---|
| 68 | int *pkey_type, long *pkeylen,
|
---|
| 69 | char **palgnam, ENGINE *keygen_engine);
|
---|
| 70 | static CONF *req_conf = NULL;
|
---|
| 71 | static int batch = 0;
|
---|
| 72 |
|
---|
| 73 | typedef enum OPTION_choice {
|
---|
| 74 | OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
---|
| 75 | OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
|
---|
| 76 | OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
|
---|
| 77 | OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_RAND, OPT_NEWKEY,
|
---|
| 78 | OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
|
---|
| 79 | OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
|
---|
| 80 | OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
|
---|
| 81 | OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
|
---|
| 82 | OPT_REQEXTS, OPT_MD
|
---|
| 83 | } OPTION_CHOICE;
|
---|
| 84 |
|
---|
| 85 | OPTIONS req_options[] = {
|
---|
| 86 | {"help", OPT_HELP, '-', "Display this summary"},
|
---|
| 87 | {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
---|
| 88 | {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
---|
| 89 | {"in", OPT_IN, '<', "Input file"},
|
---|
| 90 | {"out", OPT_OUT, '>', "Output file"},
|
---|
| 91 | {"key", OPT_KEY, 's', "Private key to use"},
|
---|
| 92 | {"keyform", OPT_KEYFORM, 'f', "Key file format"},
|
---|
| 93 | {"pubkey", OPT_PUBKEY, '-', "Output public key"},
|
---|
| 94 | {"new", OPT_NEW, '-', "New request"},
|
---|
| 95 | {"config", OPT_CONFIG, '<', "Request template file"},
|
---|
| 96 | {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
|
---|
| 97 | {"passin", OPT_PASSIN, 's', "Private key password source"},
|
---|
| 98 | {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
---|
| 99 | {"rand", OPT_RAND, 's',
|
---|
| 100 | "Load the file(s) into the random number generator"},
|
---|
| 101 | {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
|
---|
| 102 | {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
|
---|
| 103 | {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
|
---|
| 104 | {"batch", OPT_BATCH, '-',
|
---|
| 105 | "Do not ask anything during request generation"},
|
---|
| 106 | {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
|
---|
| 107 | {"modulus", OPT_MODULUS, '-', "RSA modulus"},
|
---|
| 108 | {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
|
---|
| 109 | {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
|
---|
| 110 | {"noout", OPT_NOOUT, '-', "Do not output REQ"},
|
---|
| 111 | {"verbose", OPT_VERBOSE, '-', "Verbose output"},
|
---|
| 112 | {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
|
---|
| 113 | {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
|
---|
| 114 | {"reqopt", OPT_REQOPT, 's', "Various request text options"},
|
---|
| 115 | {"text", OPT_TEXT, '-', "Text form of request"},
|
---|
| 116 | {"x509", OPT_X509, '-',
|
---|
| 117 | "Output a x509 structure instead of a cert request"},
|
---|
| 118 | {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
|
---|
| 119 | {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
|
---|
| 120 | {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
|
---|
| 121 | {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
|
---|
| 122 | "Enable support for multivalued RDNs"},
|
---|
| 123 | {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
|
---|
| 124 | {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
|
---|
| 125 | {"extensions", OPT_EXTENSIONS, 's',
|
---|
| 126 | "Cert extension section (override value in config file)"},
|
---|
| 127 | {"reqexts", OPT_REQEXTS, 's',
|
---|
| 128 | "Request extension section (override value in config file)"},
|
---|
| 129 | {"", OPT_MD, '-', "Any supported digest"},
|
---|
| 130 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 131 | {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
---|
| 132 | {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
|
---|
| 133 | "Specify engine to be used for key generation operations"},
|
---|
| 134 | #endif
|
---|
| 135 | {NULL}
|
---|
| 136 | };
|
---|
| 137 |
|
---|
| 138 | int req_main(int argc, char **argv)
|
---|
| 139 | {
|
---|
| 140 | ASN1_INTEGER *serial = NULL;
|
---|
| 141 | BIO *in = NULL, *out = NULL;
|
---|
| 142 | ENGINE *e = NULL, *gen_eng = NULL;
|
---|
| 143 | EVP_PKEY *pkey = NULL;
|
---|
| 144 | EVP_PKEY_CTX *genctx = NULL;
|
---|
| 145 | STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
|
---|
| 146 | X509 *x509ss = NULL;
|
---|
| 147 | X509_REQ *req = NULL;
|
---|
| 148 | const EVP_CIPHER *cipher = NULL;
|
---|
| 149 | const EVP_MD *md_alg = NULL, *digest = NULL;
|
---|
| 150 | char *extensions = NULL, *infile = NULL;
|
---|
| 151 | char *outfile = NULL, *keyfile = NULL, *inrand = NULL;
|
---|
| 152 | char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
|
---|
| 153 | char *passin = NULL, *passout = NULL;
|
---|
| 154 | char *nofree_passin = NULL, *nofree_passout = NULL;
|
---|
| 155 | char *req_exts = NULL, *subj = NULL;
|
---|
| 156 | char *template = default_config_file, *keyout = NULL;
|
---|
| 157 | const char *keyalg = NULL;
|
---|
| 158 | OPTION_CHOICE o;
|
---|
| 159 | int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose = 0;
|
---|
| 160 | int pkey_type = -1, private = 0;
|
---|
| 161 | int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
|
---|
| 162 | int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
|
---|
| 163 | int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
|
---|
| 164 | long newkey = -1;
|
---|
| 165 | unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
|
---|
| 166 | char nmflag_set = 0;
|
---|
| 167 |
|
---|
| 168 | #ifndef OPENSSL_NO_DES
|
---|
| 169 | cipher = EVP_des_ede3_cbc();
|
---|
| 170 | #endif
|
---|
| 171 |
|
---|
| 172 | prog = opt_init(argc, argv, req_options);
|
---|
| 173 | while ((o = opt_next()) != OPT_EOF) {
|
---|
| 174 | switch (o) {
|
---|
| 175 | case OPT_EOF:
|
---|
| 176 | case OPT_ERR:
|
---|
| 177 | opthelp:
|
---|
| 178 | BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
---|
| 179 | goto end;
|
---|
| 180 | case OPT_HELP:
|
---|
| 181 | opt_help(req_options);
|
---|
| 182 | ret = 0;
|
---|
| 183 | goto end;
|
---|
| 184 | case OPT_INFORM:
|
---|
| 185 | if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
|
---|
| 186 | goto opthelp;
|
---|
| 187 | break;
|
---|
| 188 | case OPT_OUTFORM:
|
---|
| 189 | if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
|
---|
| 190 | goto opthelp;
|
---|
| 191 | break;
|
---|
| 192 | case OPT_ENGINE:
|
---|
| 193 | e = setup_engine(opt_arg(), 0);
|
---|
| 194 | break;
|
---|
| 195 | case OPT_KEYGEN_ENGINE:
|
---|
| 196 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 197 | gen_eng = ENGINE_by_id(opt_arg());
|
---|
| 198 | if (gen_eng == NULL) {
|
---|
| 199 | BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
|
---|
| 200 | goto opthelp;
|
---|
| 201 | }
|
---|
| 202 | #endif
|
---|
| 203 | break;
|
---|
| 204 | case OPT_KEY:
|
---|
| 205 | keyfile = opt_arg();
|
---|
| 206 | break;
|
---|
| 207 | case OPT_PUBKEY:
|
---|
| 208 | pubkey = 1;
|
---|
| 209 | break;
|
---|
| 210 | case OPT_NEW:
|
---|
| 211 | newreq = 1;
|
---|
| 212 | break;
|
---|
| 213 | case OPT_CONFIG:
|
---|
| 214 | template = opt_arg();
|
---|
| 215 | break;
|
---|
| 216 | case OPT_KEYFORM:
|
---|
| 217 | if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
|
---|
| 218 | goto opthelp;
|
---|
| 219 | break;
|
---|
| 220 | case OPT_IN:
|
---|
| 221 | infile = opt_arg();
|
---|
| 222 | break;
|
---|
| 223 | case OPT_OUT:
|
---|
| 224 | outfile = opt_arg();
|
---|
| 225 | break;
|
---|
| 226 | case OPT_KEYOUT:
|
---|
| 227 | keyout = opt_arg();
|
---|
| 228 | break;
|
---|
| 229 | case OPT_PASSIN:
|
---|
| 230 | passargin = opt_arg();
|
---|
| 231 | break;
|
---|
| 232 | case OPT_PASSOUT:
|
---|
| 233 | passargout = opt_arg();
|
---|
| 234 | break;
|
---|
| 235 | case OPT_RAND:
|
---|
| 236 | inrand = opt_arg();
|
---|
| 237 | break;
|
---|
| 238 | case OPT_NEWKEY:
|
---|
| 239 | keyalg = opt_arg();
|
---|
| 240 | newreq = 1;
|
---|
| 241 | break;
|
---|
| 242 | case OPT_PKEYOPT:
|
---|
| 243 | if (!pkeyopts)
|
---|
| 244 | pkeyopts = sk_OPENSSL_STRING_new_null();
|
---|
| 245 | if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
|
---|
| 246 | goto opthelp;
|
---|
| 247 | break;
|
---|
| 248 | case OPT_SIGOPT:
|
---|
| 249 | if (!sigopts)
|
---|
| 250 | sigopts = sk_OPENSSL_STRING_new_null();
|
---|
| 251 | if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
|
---|
| 252 | goto opthelp;
|
---|
| 253 | break;
|
---|
| 254 | case OPT_BATCH:
|
---|
| 255 | batch = 1;
|
---|
| 256 | break;
|
---|
| 257 | case OPT_NEWHDR:
|
---|
| 258 | newhdr = 1;
|
---|
| 259 | break;
|
---|
| 260 | case OPT_MODULUS:
|
---|
| 261 | modulus = 1;
|
---|
| 262 | break;
|
---|
| 263 | case OPT_VERIFY:
|
---|
| 264 | verify = 1;
|
---|
| 265 | break;
|
---|
| 266 | case OPT_NODES:
|
---|
| 267 | nodes = 1;
|
---|
| 268 | break;
|
---|
| 269 | case OPT_NOOUT:
|
---|
| 270 | noout = 1;
|
---|
| 271 | break;
|
---|
| 272 | case OPT_VERBOSE:
|
---|
| 273 | verbose = 1;
|
---|
| 274 | break;
|
---|
| 275 | case OPT_UTF8:
|
---|
| 276 | chtype = MBSTRING_UTF8;
|
---|
| 277 | break;
|
---|
| 278 | case OPT_NAMEOPT:
|
---|
| 279 | nmflag_set = 1;
|
---|
| 280 | if (!set_name_ex(&nmflag, opt_arg()))
|
---|
| 281 | goto opthelp;
|
---|
| 282 | break;
|
---|
| 283 | case OPT_REQOPT:
|
---|
| 284 | if (!set_cert_ex(&reqflag, opt_arg()))
|
---|
| 285 | goto opthelp;
|
---|
| 286 | break;
|
---|
| 287 | case OPT_TEXT:
|
---|
| 288 | text = 1;
|
---|
| 289 | break;
|
---|
| 290 | case OPT_X509:
|
---|
| 291 | x509 = 1;
|
---|
| 292 | newreq = 1;
|
---|
| 293 | break;
|
---|
| 294 | case OPT_DAYS:
|
---|
| 295 | days = atoi(opt_arg());
|
---|
| 296 | break;
|
---|
| 297 | case OPT_SET_SERIAL:
|
---|
| 298 | if (serial != NULL) {
|
---|
| 299 | BIO_printf(bio_err, "Serial number supplied twice\n");
|
---|
| 300 | goto opthelp;
|
---|
| 301 | }
|
---|
| 302 | serial = s2i_ASN1_INTEGER(NULL, opt_arg());
|
---|
| 303 | if (serial == NULL)
|
---|
| 304 | goto opthelp;
|
---|
| 305 | break;
|
---|
| 306 | case OPT_SUBJECT:
|
---|
| 307 | subject = 1;
|
---|
| 308 | break;
|
---|
| 309 | case OPT_SUBJ:
|
---|
| 310 | subj = opt_arg();
|
---|
| 311 | break;
|
---|
| 312 | case OPT_MULTIVALUE_RDN:
|
---|
| 313 | multirdn = 1;
|
---|
| 314 | break;
|
---|
| 315 | case OPT_EXTENSIONS:
|
---|
| 316 | extensions = opt_arg();
|
---|
| 317 | break;
|
---|
| 318 | case OPT_REQEXTS:
|
---|
| 319 | req_exts = opt_arg();
|
---|
| 320 | break;
|
---|
| 321 | case OPT_MD:
|
---|
| 322 | if (!opt_md(opt_unknown(), &md_alg))
|
---|
| 323 | goto opthelp;
|
---|
| 324 | digest = md_alg;
|
---|
| 325 | break;
|
---|
| 326 | }
|
---|
| 327 | }
|
---|
| 328 | argc = opt_num_rest();
|
---|
| 329 | if (argc != 0)
|
---|
| 330 | goto opthelp;
|
---|
| 331 |
|
---|
| 332 | if (!nmflag_set)
|
---|
| 333 | nmflag = XN_FLAG_ONELINE;
|
---|
| 334 |
|
---|
| 335 | /* TODO: simplify this as pkey is still always NULL here */
|
---|
| 336 | private = newreq && (pkey == NULL) ? 1 : 0;
|
---|
| 337 |
|
---|
| 338 | if (!app_passwd(passargin, passargout, &passin, &passout)) {
|
---|
| 339 | BIO_printf(bio_err, "Error getting passwords\n");
|
---|
| 340 | goto end;
|
---|
| 341 | }
|
---|
| 342 |
|
---|
| 343 | if (verbose)
|
---|
| 344 | BIO_printf(bio_err, "Using configuration from %s\n", template);
|
---|
| 345 | req_conf = app_load_config(template);
|
---|
| 346 | if (template != default_config_file && !app_load_modules(req_conf))
|
---|
| 347 | goto end;
|
---|
| 348 |
|
---|
| 349 | if (req_conf != NULL) {
|
---|
| 350 | p = NCONF_get_string(req_conf, NULL, "oid_file");
|
---|
| 351 | if (p == NULL)
|
---|
| 352 | ERR_clear_error();
|
---|
| 353 | if (p != NULL) {
|
---|
| 354 | BIO *oid_bio;
|
---|
| 355 |
|
---|
| 356 | oid_bio = BIO_new_file(p, "r");
|
---|
| 357 | if (oid_bio == NULL) {
|
---|
| 358 | /*-
|
---|
| 359 | BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
|
---|
| 360 | ERR_print_errors(bio_err);
|
---|
| 361 | */
|
---|
| 362 | } else {
|
---|
| 363 | OBJ_create_objects(oid_bio);
|
---|
| 364 | BIO_free(oid_bio);
|
---|
| 365 | }
|
---|
| 366 | }
|
---|
| 367 | }
|
---|
| 368 | if (!add_oid_section(req_conf))
|
---|
| 369 | goto end;
|
---|
| 370 |
|
---|
| 371 | if (md_alg == NULL) {
|
---|
| 372 | p = NCONF_get_string(req_conf, SECTION, "default_md");
|
---|
| 373 | if (p == NULL)
|
---|
| 374 | ERR_clear_error();
|
---|
| 375 | else {
|
---|
| 376 | if (!opt_md(p, &md_alg))
|
---|
| 377 | goto opthelp;
|
---|
| 378 | digest = md_alg;
|
---|
| 379 | }
|
---|
| 380 | }
|
---|
| 381 |
|
---|
| 382 | if (!extensions) {
|
---|
| 383 | extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
|
---|
| 384 | if (!extensions)
|
---|
| 385 | ERR_clear_error();
|
---|
| 386 | }
|
---|
| 387 | if (extensions) {
|
---|
| 388 | /* Check syntax of file */
|
---|
| 389 | X509V3_CTX ctx;
|
---|
| 390 | X509V3_set_ctx_test(&ctx);
|
---|
| 391 | X509V3_set_nconf(&ctx, req_conf);
|
---|
| 392 | if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
|
---|
| 393 | BIO_printf(bio_err,
|
---|
| 394 | "Error Loading extension section %s\n", extensions);
|
---|
| 395 | goto end;
|
---|
| 396 | }
|
---|
| 397 | }
|
---|
| 398 |
|
---|
| 399 | if (passin == NULL) {
|
---|
| 400 | passin = nofree_passin =
|
---|
| 401 | NCONF_get_string(req_conf, SECTION, "input_password");
|
---|
| 402 | if (passin == NULL)
|
---|
| 403 | ERR_clear_error();
|
---|
| 404 | }
|
---|
| 405 |
|
---|
| 406 | if (passout == NULL) {
|
---|
| 407 | passout = nofree_passout =
|
---|
| 408 | NCONF_get_string(req_conf, SECTION, "output_password");
|
---|
| 409 | if (passout == NULL)
|
---|
| 410 | ERR_clear_error();
|
---|
| 411 | }
|
---|
| 412 |
|
---|
| 413 | p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
|
---|
| 414 | if (!p)
|
---|
| 415 | ERR_clear_error();
|
---|
| 416 |
|
---|
| 417 | if (p && !ASN1_STRING_set_default_mask_asc(p)) {
|
---|
| 418 | BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
|
---|
| 419 | goto end;
|
---|
| 420 | }
|
---|
| 421 |
|
---|
| 422 | if (chtype != MBSTRING_UTF8) {
|
---|
| 423 | p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
|
---|
| 424 | if (!p)
|
---|
| 425 | ERR_clear_error();
|
---|
| 426 | else if (strcmp(p, "yes") == 0)
|
---|
| 427 | chtype = MBSTRING_UTF8;
|
---|
| 428 | }
|
---|
| 429 |
|
---|
| 430 | if (!req_exts) {
|
---|
| 431 | req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
|
---|
| 432 | if (!req_exts)
|
---|
| 433 | ERR_clear_error();
|
---|
| 434 | }
|
---|
| 435 | if (req_exts) {
|
---|
| 436 | /* Check syntax of file */
|
---|
| 437 | X509V3_CTX ctx;
|
---|
| 438 | X509V3_set_ctx_test(&ctx);
|
---|
| 439 | X509V3_set_nconf(&ctx, req_conf);
|
---|
| 440 | if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
|
---|
| 441 | BIO_printf(bio_err,
|
---|
| 442 | "Error Loading request extension section %s\n",
|
---|
| 443 | req_exts);
|
---|
| 444 | goto end;
|
---|
| 445 | }
|
---|
| 446 | }
|
---|
| 447 |
|
---|
| 448 | if (keyfile != NULL) {
|
---|
| 449 | pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
|
---|
| 450 | if (!pkey) {
|
---|
| 451 | /* load_key() has already printed an appropriate message */
|
---|
| 452 | goto end;
|
---|
| 453 | } else {
|
---|
| 454 | char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
|
---|
| 455 | if (randfile == NULL)
|
---|
| 456 | ERR_clear_error();
|
---|
| 457 | app_RAND_load_file(randfile, 0);
|
---|
| 458 | }
|
---|
| 459 | }
|
---|
| 460 |
|
---|
| 461 | if (newreq && (pkey == NULL)) {
|
---|
| 462 | char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
|
---|
| 463 | if (randfile == NULL)
|
---|
| 464 | ERR_clear_error();
|
---|
| 465 | app_RAND_load_file(randfile, 0);
|
---|
| 466 | if (inrand)
|
---|
| 467 | app_RAND_load_files(inrand);
|
---|
| 468 |
|
---|
| 469 | if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
|
---|
| 470 | newkey = DEFAULT_KEY_LENGTH;
|
---|
| 471 | }
|
---|
| 472 |
|
---|
| 473 | if (keyalg) {
|
---|
| 474 | genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
|
---|
| 475 | &keyalgstr, gen_eng);
|
---|
| 476 | if (!genctx)
|
---|
| 477 | goto end;
|
---|
| 478 | }
|
---|
| 479 |
|
---|
| 480 | if (newkey < MIN_KEY_LENGTH
|
---|
| 481 | && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
|
---|
| 482 | BIO_printf(bio_err, "private key length is too short,\n");
|
---|
| 483 | BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
|
---|
| 484 | MIN_KEY_LENGTH, newkey);
|
---|
| 485 | goto end;
|
---|
| 486 | }
|
---|
| 487 |
|
---|
| 488 | if (!genctx) {
|
---|
| 489 | genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
|
---|
| 490 | &keyalgstr, gen_eng);
|
---|
| 491 | if (!genctx)
|
---|
| 492 | goto end;
|
---|
| 493 | }
|
---|
| 494 |
|
---|
| 495 | if (pkeyopts) {
|
---|
| 496 | char *genopt;
|
---|
| 497 | for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
|
---|
| 498 | genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
|
---|
| 499 | if (pkey_ctrl_string(genctx, genopt) <= 0) {
|
---|
| 500 | BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
|
---|
| 501 | ERR_print_errors(bio_err);
|
---|
| 502 | goto end;
|
---|
| 503 | }
|
---|
| 504 | }
|
---|
| 505 | }
|
---|
| 506 |
|
---|
| 507 | if (pkey_type == EVP_PKEY_EC) {
|
---|
| 508 | BIO_printf(bio_err, "Generating an EC private key\n");
|
---|
| 509 | } else {
|
---|
| 510 | BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
|
---|
| 511 | newkey, keyalgstr);
|
---|
| 512 | }
|
---|
| 513 |
|
---|
| 514 | EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
|
---|
| 515 | EVP_PKEY_CTX_set_app_data(genctx, bio_err);
|
---|
| 516 |
|
---|
| 517 | if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
|
---|
| 518 | BIO_puts(bio_err, "Error Generating Key\n");
|
---|
| 519 | goto end;
|
---|
| 520 | }
|
---|
| 521 |
|
---|
| 522 | EVP_PKEY_CTX_free(genctx);
|
---|
| 523 | genctx = NULL;
|
---|
| 524 |
|
---|
| 525 | app_RAND_write_file(randfile);
|
---|
| 526 |
|
---|
| 527 | if (keyout == NULL) {
|
---|
| 528 | keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
|
---|
| 529 | if (keyout == NULL)
|
---|
| 530 | ERR_clear_error();
|
---|
| 531 | }
|
---|
| 532 |
|
---|
| 533 | if (keyout == NULL)
|
---|
| 534 | BIO_printf(bio_err, "writing new private key to stdout\n");
|
---|
| 535 | else
|
---|
| 536 | BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
|
---|
| 537 | out = bio_open_owner(keyout, outformat, private);
|
---|
| 538 | if (out == NULL)
|
---|
| 539 | goto end;
|
---|
| 540 |
|
---|
| 541 | p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
|
---|
| 542 | if (p == NULL) {
|
---|
| 543 | ERR_clear_error();
|
---|
| 544 | p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
|
---|
| 545 | if (p == NULL)
|
---|
| 546 | ERR_clear_error();
|
---|
| 547 | }
|
---|
| 548 | if ((p != NULL) && (strcmp(p, "no") == 0))
|
---|
| 549 | cipher = NULL;
|
---|
| 550 | if (nodes)
|
---|
| 551 | cipher = NULL;
|
---|
| 552 |
|
---|
| 553 | i = 0;
|
---|
| 554 | loop:
|
---|
| 555 | assert(private);
|
---|
| 556 | if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
|
---|
| 557 | NULL, 0, NULL, passout)) {
|
---|
| 558 | if ((ERR_GET_REASON(ERR_peek_error()) ==
|
---|
| 559 | PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
|
---|
| 560 | ERR_clear_error();
|
---|
| 561 | i++;
|
---|
| 562 | goto loop;
|
---|
| 563 | }
|
---|
| 564 | goto end;
|
---|
| 565 | }
|
---|
| 566 | BIO_free(out);
|
---|
| 567 | out = NULL;
|
---|
| 568 | BIO_printf(bio_err, "-----\n");
|
---|
| 569 | }
|
---|
| 570 |
|
---|
| 571 | if (!newreq) {
|
---|
| 572 | in = bio_open_default(infile, 'r', informat);
|
---|
| 573 | if (in == NULL)
|
---|
| 574 | goto end;
|
---|
| 575 |
|
---|
| 576 | if (informat == FORMAT_ASN1)
|
---|
| 577 | req = d2i_X509_REQ_bio(in, NULL);
|
---|
| 578 | else
|
---|
| 579 | req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
|
---|
| 580 | if (req == NULL) {
|
---|
| 581 | BIO_printf(bio_err, "unable to load X509 request\n");
|
---|
| 582 | goto end;
|
---|
| 583 | }
|
---|
| 584 | }
|
---|
| 585 |
|
---|
| 586 | if (newreq) {
|
---|
| 587 | if (pkey == NULL) {
|
---|
| 588 | BIO_printf(bio_err, "you need to specify a private key\n");
|
---|
| 589 | goto end;
|
---|
| 590 | }
|
---|
| 591 |
|
---|
| 592 | if (req == NULL) {
|
---|
| 593 | req = X509_REQ_new();
|
---|
| 594 | if (req == NULL) {
|
---|
| 595 | goto end;
|
---|
| 596 | }
|
---|
| 597 |
|
---|
| 598 | i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
|
---|
| 599 | subj = NULL; /* done processing '-subj' option */
|
---|
| 600 | if (!i) {
|
---|
| 601 | BIO_printf(bio_err, "problems making Certificate Request\n");
|
---|
| 602 | goto end;
|
---|
| 603 | }
|
---|
| 604 | }
|
---|
| 605 | if (x509) {
|
---|
| 606 | EVP_PKEY *tmppkey;
|
---|
| 607 | X509V3_CTX ext_ctx;
|
---|
| 608 | if ((x509ss = X509_new()) == NULL)
|
---|
| 609 | goto end;
|
---|
| 610 |
|
---|
| 611 | /* Set version to V3 */
|
---|
| 612 | if (extensions && !X509_set_version(x509ss, 2))
|
---|
| 613 | goto end;
|
---|
| 614 | if (serial) {
|
---|
| 615 | if (!X509_set_serialNumber(x509ss, serial))
|
---|
| 616 | goto end;
|
---|
| 617 | } else {
|
---|
| 618 | if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
|
---|
| 619 | goto end;
|
---|
| 620 | }
|
---|
| 621 |
|
---|
| 622 | if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
|
---|
| 623 | goto end;
|
---|
| 624 | if (!set_cert_times(x509ss, NULL, NULL, days))
|
---|
| 625 | goto end;
|
---|
| 626 | if (!X509_set_subject_name
|
---|
| 627 | (x509ss, X509_REQ_get_subject_name(req)))
|
---|
| 628 | goto end;
|
---|
| 629 | tmppkey = X509_REQ_get0_pubkey(req);
|
---|
| 630 | if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
|
---|
| 631 | goto end;
|
---|
| 632 |
|
---|
| 633 | /* Set up V3 context struct */
|
---|
| 634 |
|
---|
| 635 | X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
|
---|
| 636 | X509V3_set_nconf(&ext_ctx, req_conf);
|
---|
| 637 |
|
---|
| 638 | /* Add extensions */
|
---|
| 639 | if (extensions && !X509V3_EXT_add_nconf(req_conf,
|
---|
| 640 | &ext_ctx, extensions,
|
---|
| 641 | x509ss)) {
|
---|
| 642 | BIO_printf(bio_err, "Error Loading extension section %s\n",
|
---|
| 643 | extensions);
|
---|
| 644 | goto end;
|
---|
| 645 | }
|
---|
| 646 |
|
---|
| 647 | i = do_X509_sign(x509ss, pkey, digest, sigopts);
|
---|
| 648 | if (!i) {
|
---|
| 649 | ERR_print_errors(bio_err);
|
---|
| 650 | goto end;
|
---|
| 651 | }
|
---|
| 652 | } else {
|
---|
| 653 | X509V3_CTX ext_ctx;
|
---|
| 654 |
|
---|
| 655 | /* Set up V3 context struct */
|
---|
| 656 |
|
---|
| 657 | X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
|
---|
| 658 | X509V3_set_nconf(&ext_ctx, req_conf);
|
---|
| 659 |
|
---|
| 660 | /* Add extensions */
|
---|
| 661 | if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
|
---|
| 662 | &ext_ctx, req_exts,
|
---|
| 663 | req)) {
|
---|
| 664 | BIO_printf(bio_err, "Error Loading extension section %s\n",
|
---|
| 665 | req_exts);
|
---|
| 666 | goto end;
|
---|
| 667 | }
|
---|
| 668 | i = do_X509_REQ_sign(req, pkey, digest, sigopts);
|
---|
| 669 | if (!i) {
|
---|
| 670 | ERR_print_errors(bio_err);
|
---|
| 671 | goto end;
|
---|
| 672 | }
|
---|
| 673 | }
|
---|
| 674 | }
|
---|
| 675 |
|
---|
| 676 | if (subj && x509) {
|
---|
| 677 | BIO_printf(bio_err, "Cannot modify certificate subject\n");
|
---|
| 678 | goto end;
|
---|
| 679 | }
|
---|
| 680 |
|
---|
| 681 | if (subj && !x509) {
|
---|
| 682 | if (verbose) {
|
---|
| 683 | BIO_printf(bio_err, "Modifying Request's Subject\n");
|
---|
| 684 | print_name(bio_err, "old subject=",
|
---|
| 685 | X509_REQ_get_subject_name(req), nmflag);
|
---|
| 686 | }
|
---|
| 687 |
|
---|
| 688 | if (build_subject(req, subj, chtype, multirdn) == 0) {
|
---|
| 689 | BIO_printf(bio_err, "ERROR: cannot modify subject\n");
|
---|
| 690 | ret = 1;
|
---|
| 691 | goto end;
|
---|
| 692 | }
|
---|
| 693 |
|
---|
| 694 | if (verbose) {
|
---|
| 695 | print_name(bio_err, "new subject=",
|
---|
| 696 | X509_REQ_get_subject_name(req), nmflag);
|
---|
| 697 | }
|
---|
| 698 | }
|
---|
| 699 |
|
---|
| 700 | if (verify && !x509) {
|
---|
| 701 | EVP_PKEY *tpubkey = pkey;
|
---|
| 702 |
|
---|
| 703 | if (tpubkey == NULL) {
|
---|
| 704 | tpubkey = X509_REQ_get0_pubkey(req);
|
---|
| 705 | if (tpubkey == NULL)
|
---|
| 706 | goto end;
|
---|
| 707 | }
|
---|
| 708 |
|
---|
| 709 | i = X509_REQ_verify(req, tpubkey);
|
---|
| 710 |
|
---|
| 711 | if (i < 0) {
|
---|
| 712 | goto end;
|
---|
| 713 | } else if (i == 0) {
|
---|
| 714 | BIO_printf(bio_err, "verify failure\n");
|
---|
| 715 | ERR_print_errors(bio_err);
|
---|
| 716 | } else /* if (i > 0) */
|
---|
| 717 | BIO_printf(bio_err, "verify OK\n");
|
---|
| 718 | }
|
---|
| 719 |
|
---|
| 720 | if (noout && !text && !modulus && !subject && !pubkey) {
|
---|
| 721 | ret = 0;
|
---|
| 722 | goto end;
|
---|
| 723 | }
|
---|
| 724 |
|
---|
| 725 | out = bio_open_default(outfile,
|
---|
| 726 | keyout != NULL && outfile != NULL &&
|
---|
| 727 | strcmp(keyout, outfile) == 0 ? 'a' : 'w',
|
---|
| 728 | outformat);
|
---|
| 729 | if (out == NULL)
|
---|
| 730 | goto end;
|
---|
| 731 |
|
---|
| 732 | if (pubkey) {
|
---|
| 733 | EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req);
|
---|
| 734 |
|
---|
| 735 | if (tpubkey == NULL) {
|
---|
| 736 | BIO_printf(bio_err, "Error getting public key\n");
|
---|
| 737 | ERR_print_errors(bio_err);
|
---|
| 738 | goto end;
|
---|
| 739 | }
|
---|
| 740 | PEM_write_bio_PUBKEY(out, tpubkey);
|
---|
| 741 | }
|
---|
| 742 |
|
---|
| 743 | if (text) {
|
---|
| 744 | if (x509)
|
---|
| 745 | X509_print_ex(out, x509ss, nmflag, reqflag);
|
---|
| 746 | else
|
---|
| 747 | X509_REQ_print_ex(out, req, nmflag, reqflag);
|
---|
| 748 | }
|
---|
| 749 |
|
---|
| 750 | if (subject) {
|
---|
| 751 | if (x509)
|
---|
| 752 | print_name(out, "subject=", X509_get_subject_name(x509ss),
|
---|
| 753 | nmflag);
|
---|
| 754 | else
|
---|
| 755 | print_name(out, "subject=", X509_REQ_get_subject_name(req),
|
---|
| 756 | nmflag);
|
---|
| 757 | }
|
---|
| 758 |
|
---|
| 759 | if (modulus) {
|
---|
| 760 | EVP_PKEY *tpubkey;
|
---|
| 761 |
|
---|
| 762 | if (x509)
|
---|
| 763 | tpubkey = X509_get0_pubkey(x509ss);
|
---|
| 764 | else
|
---|
| 765 | tpubkey = X509_REQ_get0_pubkey(req);
|
---|
| 766 | if (tpubkey == NULL) {
|
---|
| 767 | fprintf(stdout, "Modulus=unavailable\n");
|
---|
| 768 | goto end;
|
---|
| 769 | }
|
---|
| 770 | fprintf(stdout, "Modulus=");
|
---|
| 771 | #ifndef OPENSSL_NO_RSA
|
---|
| 772 | if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
|
---|
| 773 | const BIGNUM *n;
|
---|
| 774 | RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
|
---|
| 775 | BN_print(out, n);
|
---|
| 776 | } else
|
---|
| 777 | #endif
|
---|
| 778 | fprintf(stdout, "Wrong Algorithm type");
|
---|
| 779 | fprintf(stdout, "\n");
|
---|
| 780 | }
|
---|
| 781 |
|
---|
| 782 | if (!noout && !x509) {
|
---|
| 783 | if (outformat == FORMAT_ASN1)
|
---|
| 784 | i = i2d_X509_REQ_bio(out, req);
|
---|
| 785 | else if (newhdr)
|
---|
| 786 | i = PEM_write_bio_X509_REQ_NEW(out, req);
|
---|
| 787 | else
|
---|
| 788 | i = PEM_write_bio_X509_REQ(out, req);
|
---|
| 789 | if (!i) {
|
---|
| 790 | BIO_printf(bio_err, "unable to write X509 request\n");
|
---|
| 791 | goto end;
|
---|
| 792 | }
|
---|
| 793 | }
|
---|
| 794 | if (!noout && x509 && (x509ss != NULL)) {
|
---|
| 795 | if (outformat == FORMAT_ASN1)
|
---|
| 796 | i = i2d_X509_bio(out, x509ss);
|
---|
| 797 | else
|
---|
| 798 | i = PEM_write_bio_X509(out, x509ss);
|
---|
| 799 | if (!i) {
|
---|
| 800 | BIO_printf(bio_err, "unable to write X509 certificate\n");
|
---|
| 801 | goto end;
|
---|
| 802 | }
|
---|
| 803 | }
|
---|
| 804 | ret = 0;
|
---|
| 805 | end:
|
---|
| 806 | if (ret) {
|
---|
| 807 | ERR_print_errors(bio_err);
|
---|
| 808 | }
|
---|
| 809 | NCONF_free(req_conf);
|
---|
| 810 | BIO_free(in);
|
---|
| 811 | BIO_free_all(out);
|
---|
| 812 | EVP_PKEY_free(pkey);
|
---|
| 813 | EVP_PKEY_CTX_free(genctx);
|
---|
| 814 | sk_OPENSSL_STRING_free(pkeyopts);
|
---|
| 815 | sk_OPENSSL_STRING_free(sigopts);
|
---|
| 816 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 817 | ENGINE_free(gen_eng);
|
---|
| 818 | #endif
|
---|
| 819 | OPENSSL_free(keyalgstr);
|
---|
| 820 | X509_REQ_free(req);
|
---|
| 821 | X509_free(x509ss);
|
---|
| 822 | ASN1_INTEGER_free(serial);
|
---|
| 823 | release_engine(e);
|
---|
| 824 | if (passin != nofree_passin)
|
---|
| 825 | OPENSSL_free(passin);
|
---|
| 826 | if (passout != nofree_passout)
|
---|
| 827 | OPENSSL_free(passout);
|
---|
| 828 | return (ret);
|
---|
| 829 | }
|
---|
| 830 |
|
---|
| 831 | static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
|
---|
| 832 | int attribs, unsigned long chtype)
|
---|
| 833 | {
|
---|
| 834 | int ret = 0, i;
|
---|
| 835 | char no_prompt = 0;
|
---|
| 836 | STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
|
---|
| 837 | char *tmp, *dn_sect, *attr_sect;
|
---|
| 838 |
|
---|
| 839 | tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
|
---|
| 840 | if (tmp == NULL)
|
---|
| 841 | ERR_clear_error();
|
---|
| 842 | if ((tmp != NULL) && strcmp(tmp, "no") == 0)
|
---|
| 843 | no_prompt = 1;
|
---|
| 844 |
|
---|
| 845 | dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
|
---|
| 846 | if (dn_sect == NULL) {
|
---|
| 847 | BIO_printf(bio_err, "unable to find '%s' in config\n",
|
---|
| 848 | DISTINGUISHED_NAME);
|
---|
| 849 | goto err;
|
---|
| 850 | }
|
---|
| 851 | dn_sk = NCONF_get_section(req_conf, dn_sect);
|
---|
| 852 | if (dn_sk == NULL) {
|
---|
| 853 | BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
|
---|
| 854 | goto err;
|
---|
| 855 | }
|
---|
| 856 |
|
---|
| 857 | attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
|
---|
| 858 | if (attr_sect == NULL) {
|
---|
| 859 | ERR_clear_error();
|
---|
| 860 | attr_sk = NULL;
|
---|
| 861 | } else {
|
---|
| 862 | attr_sk = NCONF_get_section(req_conf, attr_sect);
|
---|
| 863 | if (attr_sk == NULL) {
|
---|
| 864 | BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
|
---|
| 865 | goto err;
|
---|
| 866 | }
|
---|
| 867 | }
|
---|
| 868 |
|
---|
| 869 | /* setup version number */
|
---|
| 870 | if (!X509_REQ_set_version(req, 0L))
|
---|
| 871 | goto err; /* version 1 */
|
---|
| 872 |
|
---|
| 873 | if (subj)
|
---|
| 874 | i = build_subject(req, subj, chtype, multirdn);
|
---|
| 875 | else if (no_prompt)
|
---|
| 876 | i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
|
---|
| 877 | else
|
---|
| 878 | i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
|
---|
| 879 | chtype);
|
---|
| 880 | if (!i)
|
---|
| 881 | goto err;
|
---|
| 882 |
|
---|
| 883 | if (!X509_REQ_set_pubkey(req, pkey))
|
---|
| 884 | goto err;
|
---|
| 885 |
|
---|
| 886 | ret = 1;
|
---|
| 887 | err:
|
---|
| 888 | return (ret);
|
---|
| 889 | }
|
---|
| 890 |
|
---|
| 891 | /*
|
---|
| 892 | * subject is expected to be in the format /type0=value0/type1=value1/type2=...
|
---|
| 893 | * where characters may be escaped by \
|
---|
| 894 | */
|
---|
| 895 | static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
|
---|
| 896 | int multirdn)
|
---|
| 897 | {
|
---|
| 898 | X509_NAME *n;
|
---|
| 899 |
|
---|
| 900 | if ((n = parse_name(subject, chtype, multirdn)) == NULL)
|
---|
| 901 | return 0;
|
---|
| 902 |
|
---|
| 903 | if (!X509_REQ_set_subject_name(req, n)) {
|
---|
| 904 | X509_NAME_free(n);
|
---|
| 905 | return 0;
|
---|
| 906 | }
|
---|
| 907 | X509_NAME_free(n);
|
---|
| 908 | return 1;
|
---|
| 909 | }
|
---|
| 910 |
|
---|
| 911 | static int prompt_info(X509_REQ *req,
|
---|
| 912 | STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
|
---|
| 913 | STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
|
---|
| 914 | int attribs, unsigned long chtype)
|
---|
| 915 | {
|
---|
| 916 | int i;
|
---|
| 917 | char *p, *q;
|
---|
| 918 | char buf[100];
|
---|
| 919 | int nid, mval;
|
---|
| 920 | long n_min, n_max;
|
---|
| 921 | char *type, *value;
|
---|
| 922 | const char *def;
|
---|
| 923 | CONF_VALUE *v;
|
---|
| 924 | X509_NAME *subj;
|
---|
| 925 | subj = X509_REQ_get_subject_name(req);
|
---|
| 926 |
|
---|
| 927 | if (!batch) {
|
---|
| 928 | BIO_printf(bio_err,
|
---|
| 929 | "You are about to be asked to enter information that will be incorporated\n");
|
---|
| 930 | BIO_printf(bio_err, "into your certificate request.\n");
|
---|
| 931 | BIO_printf(bio_err,
|
---|
| 932 | "What you are about to enter is what is called a Distinguished Name or a DN.\n");
|
---|
| 933 | BIO_printf(bio_err,
|
---|
| 934 | "There are quite a few fields but you can leave some blank\n");
|
---|
| 935 | BIO_printf(bio_err,
|
---|
| 936 | "For some fields there will be a default value,\n");
|
---|
| 937 | BIO_printf(bio_err,
|
---|
| 938 | "If you enter '.', the field will be left blank.\n");
|
---|
| 939 | BIO_printf(bio_err, "-----\n");
|
---|
| 940 | }
|
---|
| 941 |
|
---|
| 942 | if (sk_CONF_VALUE_num(dn_sk)) {
|
---|
| 943 | i = -1;
|
---|
| 944 | start:for (;;) {
|
---|
| 945 | i++;
|
---|
| 946 | if (sk_CONF_VALUE_num(dn_sk) <= i)
|
---|
| 947 | break;
|
---|
| 948 |
|
---|
| 949 | v = sk_CONF_VALUE_value(dn_sk, i);
|
---|
| 950 | p = q = NULL;
|
---|
| 951 | type = v->name;
|
---|
| 952 | if (!check_end(type, "_min") || !check_end(type, "_max") ||
|
---|
| 953 | !check_end(type, "_default") || !check_end(type, "_value"))
|
---|
| 954 | continue;
|
---|
| 955 | /*
|
---|
| 956 | * Skip past any leading X. X: X, etc to allow for multiple
|
---|
| 957 | * instances
|
---|
| 958 | */
|
---|
| 959 | for (p = v->name; *p; p++)
|
---|
| 960 | if ((*p == ':') || (*p == ',') || (*p == '.')) {
|
---|
| 961 | p++;
|
---|
| 962 | if (*p)
|
---|
| 963 | type = p;
|
---|
| 964 | break;
|
---|
| 965 | }
|
---|
| 966 | if (*type == '+') {
|
---|
| 967 | mval = -1;
|
---|
| 968 | type++;
|
---|
| 969 | } else
|
---|
| 970 | mval = 0;
|
---|
| 971 | /* If OBJ not recognised ignore it */
|
---|
| 972 | if ((nid = OBJ_txt2nid(type)) == NID_undef)
|
---|
| 973 | goto start;
|
---|
| 974 | if (BIO_snprintf(buf, sizeof buf, "%s_default", v->name)
|
---|
| 975 | >= (int)sizeof(buf)) {
|
---|
| 976 | BIO_printf(bio_err, "Name '%s' too long\n", v->name);
|
---|
| 977 | return 0;
|
---|
| 978 | }
|
---|
| 979 |
|
---|
| 980 | if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
|
---|
| 981 | ERR_clear_error();
|
---|
| 982 | def = "";
|
---|
| 983 | }
|
---|
| 984 |
|
---|
| 985 | BIO_snprintf(buf, sizeof buf, "%s_value", v->name);
|
---|
| 986 | if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
|
---|
| 987 | ERR_clear_error();
|
---|
| 988 | value = NULL;
|
---|
| 989 | }
|
---|
| 990 |
|
---|
| 991 | BIO_snprintf(buf, sizeof buf, "%s_min", v->name);
|
---|
| 992 | if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
|
---|
| 993 | ERR_clear_error();
|
---|
| 994 | n_min = -1;
|
---|
| 995 | }
|
---|
| 996 |
|
---|
| 997 | BIO_snprintf(buf, sizeof buf, "%s_max", v->name);
|
---|
| 998 | if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
|
---|
| 999 | ERR_clear_error();
|
---|
| 1000 | n_max = -1;
|
---|
| 1001 | }
|
---|
| 1002 |
|
---|
| 1003 | if (!add_DN_object(subj, v->value, def, value, nid,
|
---|
| 1004 | n_min, n_max, chtype, mval))
|
---|
| 1005 | return 0;
|
---|
| 1006 | }
|
---|
| 1007 | if (X509_NAME_entry_count(subj) == 0) {
|
---|
| 1008 | BIO_printf(bio_err,
|
---|
| 1009 | "error, no objects specified in config file\n");
|
---|
| 1010 | return 0;
|
---|
| 1011 | }
|
---|
| 1012 |
|
---|
| 1013 | if (attribs) {
|
---|
| 1014 | if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
|
---|
| 1015 | && (!batch)) {
|
---|
| 1016 | BIO_printf(bio_err,
|
---|
| 1017 | "\nPlease enter the following 'extra' attributes\n");
|
---|
| 1018 | BIO_printf(bio_err,
|
---|
| 1019 | "to be sent with your certificate request\n");
|
---|
| 1020 | }
|
---|
| 1021 |
|
---|
| 1022 | i = -1;
|
---|
| 1023 | start2: for (;;) {
|
---|
| 1024 | i++;
|
---|
| 1025 | if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
|
---|
| 1026 | break;
|
---|
| 1027 |
|
---|
| 1028 | v = sk_CONF_VALUE_value(attr_sk, i);
|
---|
| 1029 | type = v->name;
|
---|
| 1030 | if ((nid = OBJ_txt2nid(type)) == NID_undef)
|
---|
| 1031 | goto start2;
|
---|
| 1032 |
|
---|
| 1033 | if (BIO_snprintf(buf, sizeof buf, "%s_default", type)
|
---|
| 1034 | >= (int)sizeof(buf)) {
|
---|
| 1035 | BIO_printf(bio_err, "Name '%s' too long\n", v->name);
|
---|
| 1036 | return 0;
|
---|
| 1037 | }
|
---|
| 1038 |
|
---|
| 1039 | if ((def = NCONF_get_string(req_conf, attr_sect, buf))
|
---|
| 1040 | == NULL) {
|
---|
| 1041 | ERR_clear_error();
|
---|
| 1042 | def = "";
|
---|
| 1043 | }
|
---|
| 1044 |
|
---|
| 1045 | BIO_snprintf(buf, sizeof buf, "%s_value", type);
|
---|
| 1046 | if ((value = NCONF_get_string(req_conf, attr_sect, buf))
|
---|
| 1047 | == NULL) {
|
---|
| 1048 | ERR_clear_error();
|
---|
| 1049 | value = NULL;
|
---|
| 1050 | }
|
---|
| 1051 |
|
---|
| 1052 | BIO_snprintf(buf, sizeof buf, "%s_min", type);
|
---|
| 1053 | if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
|
---|
| 1054 | ERR_clear_error();
|
---|
| 1055 | n_min = -1;
|
---|
| 1056 | }
|
---|
| 1057 |
|
---|
| 1058 | BIO_snprintf(buf, sizeof buf, "%s_max", type);
|
---|
| 1059 | if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
|
---|
| 1060 | ERR_clear_error();
|
---|
| 1061 | n_max = -1;
|
---|
| 1062 | }
|
---|
| 1063 |
|
---|
| 1064 | if (!add_attribute_object(req,
|
---|
| 1065 | v->value, def, value, nid, n_min,
|
---|
| 1066 | n_max, chtype))
|
---|
| 1067 | return 0;
|
---|
| 1068 | }
|
---|
| 1069 | }
|
---|
| 1070 | } else {
|
---|
| 1071 | BIO_printf(bio_err, "No template, please set one up.\n");
|
---|
| 1072 | return 0;
|
---|
| 1073 | }
|
---|
| 1074 |
|
---|
| 1075 | return 1;
|
---|
| 1076 |
|
---|
| 1077 | }
|
---|
| 1078 |
|
---|
| 1079 | static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
|
---|
| 1080 | STACK_OF(CONF_VALUE) *attr_sk, int attribs,
|
---|
| 1081 | unsigned long chtype)
|
---|
| 1082 | {
|
---|
| 1083 | int i, spec_char, plus_char;
|
---|
| 1084 | char *p, *q;
|
---|
| 1085 | char *type;
|
---|
| 1086 | CONF_VALUE *v;
|
---|
| 1087 | X509_NAME *subj;
|
---|
| 1088 |
|
---|
| 1089 | subj = X509_REQ_get_subject_name(req);
|
---|
| 1090 |
|
---|
| 1091 | for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
|
---|
| 1092 | int mval;
|
---|
| 1093 | v = sk_CONF_VALUE_value(dn_sk, i);
|
---|
| 1094 | p = q = NULL;
|
---|
| 1095 | type = v->name;
|
---|
| 1096 | /*
|
---|
| 1097 | * Skip past any leading X. X: X, etc to allow for multiple instances
|
---|
| 1098 | */
|
---|
| 1099 | for (p = v->name; *p; p++) {
|
---|
| 1100 | #ifndef CHARSET_EBCDIC
|
---|
| 1101 | spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
|
---|
| 1102 | #else
|
---|
| 1103 | spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
|
---|
| 1104 | || (*p == os_toascii['.']));
|
---|
| 1105 | #endif
|
---|
| 1106 | if (spec_char) {
|
---|
| 1107 | p++;
|
---|
| 1108 | if (*p)
|
---|
| 1109 | type = p;
|
---|
| 1110 | break;
|
---|
| 1111 | }
|
---|
| 1112 | }
|
---|
| 1113 | #ifndef CHARSET_EBCDIC
|
---|
| 1114 | plus_char = (*type == '+');
|
---|
| 1115 | #else
|
---|
| 1116 | plus_char = (*type == os_toascii['+']);
|
---|
| 1117 | #endif
|
---|
| 1118 | if (plus_char) {
|
---|
| 1119 | type++;
|
---|
| 1120 | mval = -1;
|
---|
| 1121 | } else
|
---|
| 1122 | mval = 0;
|
---|
| 1123 | if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
|
---|
| 1124 | (unsigned char *)v->value, -1, -1,
|
---|
| 1125 | mval))
|
---|
| 1126 | return 0;
|
---|
| 1127 |
|
---|
| 1128 | }
|
---|
| 1129 |
|
---|
| 1130 | if (!X509_NAME_entry_count(subj)) {
|
---|
| 1131 | BIO_printf(bio_err, "error, no objects specified in config file\n");
|
---|
| 1132 | return 0;
|
---|
| 1133 | }
|
---|
| 1134 | if (attribs) {
|
---|
| 1135 | for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
|
---|
| 1136 | v = sk_CONF_VALUE_value(attr_sk, i);
|
---|
| 1137 | if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
|
---|
| 1138 | (unsigned char *)v->value, -1))
|
---|
| 1139 | return 0;
|
---|
| 1140 | }
|
---|
| 1141 | }
|
---|
| 1142 | return 1;
|
---|
| 1143 | }
|
---|
| 1144 |
|
---|
| 1145 | static int add_DN_object(X509_NAME *n, char *text, const char *def,
|
---|
| 1146 | char *value, int nid, int n_min, int n_max,
|
---|
| 1147 | unsigned long chtype, int mval)
|
---|
| 1148 | {
|
---|
| 1149 | int i, ret = 0;
|
---|
| 1150 | char buf[1024];
|
---|
| 1151 | start:
|
---|
| 1152 | if (!batch)
|
---|
| 1153 | BIO_printf(bio_err, "%s [%s]:", text, def);
|
---|
| 1154 | (void)BIO_flush(bio_err);
|
---|
| 1155 | if (value != NULL) {
|
---|
| 1156 | OPENSSL_strlcpy(buf, value, sizeof buf);
|
---|
| 1157 | OPENSSL_strlcat(buf, "\n", sizeof buf);
|
---|
| 1158 | BIO_printf(bio_err, "%s\n", value);
|
---|
| 1159 | } else {
|
---|
| 1160 | buf[0] = '\0';
|
---|
| 1161 | if (!batch) {
|
---|
| 1162 | if (!fgets(buf, sizeof buf, stdin))
|
---|
| 1163 | return 0;
|
---|
| 1164 | } else {
|
---|
| 1165 | buf[0] = '\n';
|
---|
| 1166 | buf[1] = '\0';
|
---|
| 1167 | }
|
---|
| 1168 | }
|
---|
| 1169 |
|
---|
| 1170 | if (buf[0] == '\0')
|
---|
| 1171 | return (0);
|
---|
| 1172 | else if (buf[0] == '\n') {
|
---|
| 1173 | if ((def == NULL) || (def[0] == '\0'))
|
---|
| 1174 | return (1);
|
---|
| 1175 | OPENSSL_strlcpy(buf, def, sizeof buf);
|
---|
| 1176 | OPENSSL_strlcat(buf, "\n", sizeof buf);
|
---|
| 1177 | } else if ((buf[0] == '.') && (buf[1] == '\n'))
|
---|
| 1178 | return (1);
|
---|
| 1179 |
|
---|
| 1180 | i = strlen(buf);
|
---|
| 1181 | if (buf[i - 1] != '\n') {
|
---|
| 1182 | BIO_printf(bio_err, "weird input :-(\n");
|
---|
| 1183 | return (0);
|
---|
| 1184 | }
|
---|
| 1185 | buf[--i] = '\0';
|
---|
| 1186 | #ifdef CHARSET_EBCDIC
|
---|
| 1187 | ebcdic2ascii(buf, buf, i);
|
---|
| 1188 | #endif
|
---|
| 1189 | if (!req_check_len(i, n_min, n_max)) {
|
---|
| 1190 | if (batch || value)
|
---|
| 1191 | return 0;
|
---|
| 1192 | goto start;
|
---|
| 1193 | }
|
---|
| 1194 |
|
---|
| 1195 | if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
|
---|
| 1196 | (unsigned char *)buf, -1, -1, mval))
|
---|
| 1197 | goto err;
|
---|
| 1198 | ret = 1;
|
---|
| 1199 | err:
|
---|
| 1200 | return (ret);
|
---|
| 1201 | }
|
---|
| 1202 |
|
---|
| 1203 | static int add_attribute_object(X509_REQ *req, char *text, const char *def,
|
---|
| 1204 | char *value, int nid, int n_min,
|
---|
| 1205 | int n_max, unsigned long chtype)
|
---|
| 1206 | {
|
---|
| 1207 | int i;
|
---|
| 1208 | static char buf[1024];
|
---|
| 1209 |
|
---|
| 1210 | start:
|
---|
| 1211 | if (!batch)
|
---|
| 1212 | BIO_printf(bio_err, "%s [%s]:", text, def);
|
---|
| 1213 | (void)BIO_flush(bio_err);
|
---|
| 1214 | if (value != NULL) {
|
---|
| 1215 | OPENSSL_strlcpy(buf, value, sizeof buf);
|
---|
| 1216 | OPENSSL_strlcat(buf, "\n", sizeof buf);
|
---|
| 1217 | BIO_printf(bio_err, "%s\n", value);
|
---|
| 1218 | } else {
|
---|
| 1219 | buf[0] = '\0';
|
---|
| 1220 | if (!batch) {
|
---|
| 1221 | if (!fgets(buf, sizeof buf, stdin))
|
---|
| 1222 | return 0;
|
---|
| 1223 | } else {
|
---|
| 1224 | buf[0] = '\n';
|
---|
| 1225 | buf[1] = '\0';
|
---|
| 1226 | }
|
---|
| 1227 | }
|
---|
| 1228 |
|
---|
| 1229 | if (buf[0] == '\0')
|
---|
| 1230 | return (0);
|
---|
| 1231 | else if (buf[0] == '\n') {
|
---|
| 1232 | if ((def == NULL) || (def[0] == '\0'))
|
---|
| 1233 | return (1);
|
---|
| 1234 | OPENSSL_strlcpy(buf, def, sizeof buf);
|
---|
| 1235 | OPENSSL_strlcat(buf, "\n", sizeof buf);
|
---|
| 1236 | } else if ((buf[0] == '.') && (buf[1] == '\n'))
|
---|
| 1237 | return (1);
|
---|
| 1238 |
|
---|
| 1239 | i = strlen(buf);
|
---|
| 1240 | if (buf[i - 1] != '\n') {
|
---|
| 1241 | BIO_printf(bio_err, "weird input :-(\n");
|
---|
| 1242 | return (0);
|
---|
| 1243 | }
|
---|
| 1244 | buf[--i] = '\0';
|
---|
| 1245 | #ifdef CHARSET_EBCDIC
|
---|
| 1246 | ebcdic2ascii(buf, buf, i);
|
---|
| 1247 | #endif
|
---|
| 1248 | if (!req_check_len(i, n_min, n_max)) {
|
---|
| 1249 | if (batch || value)
|
---|
| 1250 | return 0;
|
---|
| 1251 | goto start;
|
---|
| 1252 | }
|
---|
| 1253 |
|
---|
| 1254 | if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
|
---|
| 1255 | (unsigned char *)buf, -1)) {
|
---|
| 1256 | BIO_printf(bio_err, "Error adding attribute\n");
|
---|
| 1257 | ERR_print_errors(bio_err);
|
---|
| 1258 | goto err;
|
---|
| 1259 | }
|
---|
| 1260 |
|
---|
| 1261 | return (1);
|
---|
| 1262 | err:
|
---|
| 1263 | return (0);
|
---|
| 1264 | }
|
---|
| 1265 |
|
---|
| 1266 | static int req_check_len(int len, int n_min, int n_max)
|
---|
| 1267 | {
|
---|
| 1268 | if ((n_min > 0) && (len < n_min)) {
|
---|
| 1269 | BIO_printf(bio_err,
|
---|
| 1270 | "string is too short, it needs to be at least %d bytes long\n",
|
---|
| 1271 | n_min);
|
---|
| 1272 | return (0);
|
---|
| 1273 | }
|
---|
| 1274 | if ((n_max >= 0) && (len > n_max)) {
|
---|
| 1275 | BIO_printf(bio_err,
|
---|
| 1276 | "string is too long, it needs to be less than %d bytes long\n",
|
---|
| 1277 | n_max);
|
---|
| 1278 | return (0);
|
---|
| 1279 | }
|
---|
| 1280 | return (1);
|
---|
| 1281 | }
|
---|
| 1282 |
|
---|
| 1283 | /* Check if the end of a string matches 'end' */
|
---|
| 1284 | static int check_end(const char *str, const char *end)
|
---|
| 1285 | {
|
---|
| 1286 | int elen, slen;
|
---|
| 1287 | const char *tmp;
|
---|
| 1288 | elen = strlen(end);
|
---|
| 1289 | slen = strlen(str);
|
---|
| 1290 | if (elen > slen)
|
---|
| 1291 | return 1;
|
---|
| 1292 | tmp = str + slen - elen;
|
---|
| 1293 | return strcmp(tmp, end);
|
---|
| 1294 | }
|
---|
| 1295 |
|
---|
| 1296 | static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
|
---|
| 1297 | int *pkey_type, long *pkeylen,
|
---|
| 1298 | char **palgnam, ENGINE *keygen_engine)
|
---|
| 1299 | {
|
---|
| 1300 | EVP_PKEY_CTX *gctx = NULL;
|
---|
| 1301 | EVP_PKEY *param = NULL;
|
---|
| 1302 | long keylen = -1;
|
---|
| 1303 | BIO *pbio = NULL;
|
---|
| 1304 | const char *paramfile = NULL;
|
---|
| 1305 |
|
---|
| 1306 | if (gstr == NULL) {
|
---|
| 1307 | *pkey_type = EVP_PKEY_RSA;
|
---|
| 1308 | keylen = *pkeylen;
|
---|
| 1309 | } else if (gstr[0] >= '0' && gstr[0] <= '9') {
|
---|
| 1310 | *pkey_type = EVP_PKEY_RSA;
|
---|
| 1311 | keylen = atol(gstr);
|
---|
| 1312 | *pkeylen = keylen;
|
---|
| 1313 | } else if (strncmp(gstr, "param:", 6) == 0)
|
---|
| 1314 | paramfile = gstr + 6;
|
---|
| 1315 | else {
|
---|
| 1316 | const char *p = strchr(gstr, ':');
|
---|
| 1317 | int len;
|
---|
| 1318 | ENGINE *tmpeng;
|
---|
| 1319 | const EVP_PKEY_ASN1_METHOD *ameth;
|
---|
| 1320 |
|
---|
| 1321 | if (p)
|
---|
| 1322 | len = p - gstr;
|
---|
| 1323 | else
|
---|
| 1324 | len = strlen(gstr);
|
---|
| 1325 | /*
|
---|
| 1326 | * The lookup of a the string will cover all engines so keep a note
|
---|
| 1327 | * of the implementation.
|
---|
| 1328 | */
|
---|
| 1329 |
|
---|
| 1330 | ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
|
---|
| 1331 |
|
---|
| 1332 | if (!ameth) {
|
---|
| 1333 | BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
|
---|
| 1334 | return NULL;
|
---|
| 1335 | }
|
---|
| 1336 |
|
---|
| 1337 | EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
|
---|
| 1338 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 1339 | ENGINE_finish(tmpeng);
|
---|
| 1340 | #endif
|
---|
| 1341 | if (*pkey_type == EVP_PKEY_RSA) {
|
---|
| 1342 | if (p) {
|
---|
| 1343 | keylen = atol(p + 1);
|
---|
| 1344 | *pkeylen = keylen;
|
---|
| 1345 | } else
|
---|
| 1346 | keylen = *pkeylen;
|
---|
| 1347 | } else if (p)
|
---|
| 1348 | paramfile = p + 1;
|
---|
| 1349 | }
|
---|
| 1350 |
|
---|
| 1351 | if (paramfile) {
|
---|
| 1352 | pbio = BIO_new_file(paramfile, "r");
|
---|
| 1353 | if (!pbio) {
|
---|
| 1354 | BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
|
---|
| 1355 | return NULL;
|
---|
| 1356 | }
|
---|
| 1357 | param = PEM_read_bio_Parameters(pbio, NULL);
|
---|
| 1358 |
|
---|
| 1359 | if (!param) {
|
---|
| 1360 | X509 *x;
|
---|
| 1361 | (void)BIO_reset(pbio);
|
---|
| 1362 | x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
|
---|
| 1363 | if (x) {
|
---|
| 1364 | param = X509_get_pubkey(x);
|
---|
| 1365 | X509_free(x);
|
---|
| 1366 | }
|
---|
| 1367 | }
|
---|
| 1368 |
|
---|
| 1369 | BIO_free(pbio);
|
---|
| 1370 |
|
---|
| 1371 | if (!param) {
|
---|
| 1372 | BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
|
---|
| 1373 | return NULL;
|
---|
| 1374 | }
|
---|
| 1375 | if (*pkey_type == -1)
|
---|
| 1376 | *pkey_type = EVP_PKEY_id(param);
|
---|
| 1377 | else if (*pkey_type != EVP_PKEY_base_id(param)) {
|
---|
| 1378 | BIO_printf(bio_err, "Key Type does not match parameters\n");
|
---|
| 1379 | EVP_PKEY_free(param);
|
---|
| 1380 | return NULL;
|
---|
| 1381 | }
|
---|
| 1382 | }
|
---|
| 1383 |
|
---|
| 1384 | if (palgnam) {
|
---|
| 1385 | const EVP_PKEY_ASN1_METHOD *ameth;
|
---|
| 1386 | ENGINE *tmpeng;
|
---|
| 1387 | const char *anam;
|
---|
| 1388 | ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
|
---|
| 1389 | if (!ameth) {
|
---|
| 1390 | BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
|
---|
| 1391 | return NULL;
|
---|
| 1392 | }
|
---|
| 1393 | EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
|
---|
| 1394 | *palgnam = OPENSSL_strdup(anam);
|
---|
| 1395 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 1396 | ENGINE_finish(tmpeng);
|
---|
| 1397 | #endif
|
---|
| 1398 | }
|
---|
| 1399 |
|
---|
| 1400 | if (param) {
|
---|
| 1401 | gctx = EVP_PKEY_CTX_new(param, keygen_engine);
|
---|
| 1402 | *pkeylen = EVP_PKEY_bits(param);
|
---|
| 1403 | EVP_PKEY_free(param);
|
---|
| 1404 | } else
|
---|
| 1405 | gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
|
---|
| 1406 |
|
---|
| 1407 | if (gctx == NULL) {
|
---|
| 1408 | BIO_puts(bio_err, "Error allocating keygen context\n");
|
---|
| 1409 | ERR_print_errors(bio_err);
|
---|
| 1410 | return NULL;
|
---|
| 1411 | }
|
---|
| 1412 |
|
---|
| 1413 | if (EVP_PKEY_keygen_init(gctx) <= 0) {
|
---|
| 1414 | BIO_puts(bio_err, "Error initializing keygen context\n");
|
---|
| 1415 | ERR_print_errors(bio_err);
|
---|
| 1416 | EVP_PKEY_CTX_free(gctx);
|
---|
| 1417 | return NULL;
|
---|
| 1418 | }
|
---|
| 1419 | #ifndef OPENSSL_NO_RSA
|
---|
| 1420 | if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
|
---|
| 1421 | if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
|
---|
| 1422 | BIO_puts(bio_err, "Error setting RSA keysize\n");
|
---|
| 1423 | ERR_print_errors(bio_err);
|
---|
| 1424 | EVP_PKEY_CTX_free(gctx);
|
---|
| 1425 | return NULL;
|
---|
| 1426 | }
|
---|
| 1427 | }
|
---|
| 1428 | #endif
|
---|
| 1429 |
|
---|
| 1430 | return gctx;
|
---|
| 1431 | }
|
---|
| 1432 |
|
---|
| 1433 | static int genpkey_cb(EVP_PKEY_CTX *ctx)
|
---|
| 1434 | {
|
---|
| 1435 | char c = '*';
|
---|
| 1436 | BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
|
---|
| 1437 | int p;
|
---|
| 1438 | p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
---|
| 1439 | if (p == 0)
|
---|
| 1440 | c = '.';
|
---|
| 1441 | if (p == 1)
|
---|
| 1442 | c = '+';
|
---|
| 1443 | if (p == 2)
|
---|
| 1444 | c = '*';
|
---|
| 1445 | if (p == 3)
|
---|
| 1446 | c = '\n';
|
---|
| 1447 | BIO_write(b, &c, 1);
|
---|
| 1448 | (void)BIO_flush(b);
|
---|
| 1449 | return 1;
|
---|
| 1450 | }
|
---|
| 1451 |
|
---|
| 1452 | static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
|
---|
| 1453 | const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
|
---|
| 1454 | {
|
---|
| 1455 | EVP_PKEY_CTX *pkctx = NULL;
|
---|
| 1456 | int i;
|
---|
| 1457 |
|
---|
| 1458 | if (ctx == NULL)
|
---|
| 1459 | return 0;
|
---|
| 1460 | if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
|
---|
| 1461 | return 0;
|
---|
| 1462 | for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
|
---|
| 1463 | char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
|
---|
| 1464 | if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
|
---|
| 1465 | BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
|
---|
| 1466 | ERR_print_errors(bio_err);
|
---|
| 1467 | return 0;
|
---|
| 1468 | }
|
---|
| 1469 | }
|
---|
| 1470 | return 1;
|
---|
| 1471 | }
|
---|
| 1472 |
|
---|
| 1473 | int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
|
---|
| 1474 | STACK_OF(OPENSSL_STRING) *sigopts)
|
---|
| 1475 | {
|
---|
| 1476 | int rv;
|
---|
| 1477 | EVP_MD_CTX *mctx = EVP_MD_CTX_new();
|
---|
| 1478 |
|
---|
| 1479 | rv = do_sign_init(mctx, pkey, md, sigopts);
|
---|
| 1480 | if (rv > 0)
|
---|
| 1481 | rv = X509_sign_ctx(x, mctx);
|
---|
| 1482 | EVP_MD_CTX_free(mctx);
|
---|
| 1483 | return rv > 0 ? 1 : 0;
|
---|
| 1484 | }
|
---|
| 1485 |
|
---|
| 1486 | int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
|
---|
| 1487 | STACK_OF(OPENSSL_STRING) *sigopts)
|
---|
| 1488 | {
|
---|
| 1489 | int rv;
|
---|
| 1490 | EVP_MD_CTX *mctx = EVP_MD_CTX_new();
|
---|
| 1491 | rv = do_sign_init(mctx, pkey, md, sigopts);
|
---|
| 1492 | if (rv > 0)
|
---|
| 1493 | rv = X509_REQ_sign_ctx(x, mctx);
|
---|
| 1494 | EVP_MD_CTX_free(mctx);
|
---|
| 1495 | return rv > 0 ? 1 : 0;
|
---|
| 1496 | }
|
---|
| 1497 |
|
---|
| 1498 | int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
|
---|
| 1499 | STACK_OF(OPENSSL_STRING) *sigopts)
|
---|
| 1500 | {
|
---|
| 1501 | int rv;
|
---|
| 1502 | EVP_MD_CTX *mctx = EVP_MD_CTX_new();
|
---|
| 1503 | rv = do_sign_init(mctx, pkey, md, sigopts);
|
---|
| 1504 | if (rv > 0)
|
---|
| 1505 | rv = X509_CRL_sign_ctx(x, mctx);
|
---|
| 1506 | EVP_MD_CTX_free(mctx);
|
---|
| 1507 | return rv > 0 ? 1 : 0;
|
---|
| 1508 | }
|
---|