629a604490cf02cad769e286bde533ba8a0a7e54
[openssl.git] / apps / req.c
1 /* apps/req.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <time.h>
62 #include <string.h>
63 #ifdef OPENSSL_NO_STDIO
64 #define APPS_WIN16
65 #endif
66 #include "apps.h"
67 #include <openssl/bio.h>
68 #include <openssl/evp.h>
69 #include <openssl/conf.h>
70 #include <openssl/err.h>
71 #include <openssl/asn1.h>
72 #include <openssl/x509.h>
73 #include <openssl/x509v3.h>
74 #include <openssl/objects.h>
75 #include <openssl/pem.h>
76
77 #define SECTION         "req"
78
79 #define BITS            "default_bits"
80 #define KEYFILE         "default_keyfile"
81 #define PROMPT          "prompt"
82 #define DISTINGUISHED_NAME      "distinguished_name"
83 #define ATTRIBUTES      "attributes"
84 #define V3_EXTENSIONS   "x509_extensions"
85 #define REQ_EXTENSIONS  "req_extensions"
86 #define STRING_MASK     "string_mask"
87 #define UTF8_IN         "utf8"
88
89 #define DEFAULT_KEY_LENGTH      512
90 #define MIN_KEY_LENGTH          384
91
92 #undef PROG
93 #define PROG    req_main
94
95 /* -inform arg  - input format - default PEM (DER or PEM)
96  * -outform arg - output format - default PEM
97  * -in arg      - input file - default stdin
98  * -out arg     - output file - default stdout
99  * -verify      - check request signature
100  * -noout       - don't print stuff out.
101  * -text        - print out human readable text.
102  * -nodes       - no des encryption
103  * -config file - Load configuration file.
104  * -key file    - make a request using key in file (or use it for verification).
105  * -keyform arg - key file format.
106  * -rand file(s) - load the file(s) into the PRNG.
107  * -newkey      - make a key and a request.
108  * -modulus     - print RSA modulus.
109  * -pubkey      - output Public Key.
110  * -x509        - output a self signed X509 structure instead.
111  * -asn1-kludge - output new certificate request in a format that some CA's
112  *                require.  This format is wrong
113  */
114
115 static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int attribs,
116                 unsigned long chtype);
117 static int build_subject(X509_REQ *req, char *subj, unsigned long chtype);
118 static int prompt_info(X509_REQ *req,
119                 STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
120                 STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs,
121                 unsigned long chtype);
122 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
123                                 STACK_OF(CONF_VALUE) *attr, int attribs,
124                                 unsigned long chtype);
125 static int add_attribute_object(X509_REQ *req, char *text,
126                                 char *def, char *value, int nid, int n_min,
127                                 int n_max, unsigned long chtype);
128 static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
129         int nid,int n_min,int n_max, unsigned long chtype);
130 #ifndef OPENSSL_NO_RSA
131 static void MS_CALLBACK req_cb(int p,int n,void *arg);
132 #endif
133 static int req_check_len(int len,int n_min,int n_max);
134 static int check_end(char *str, char *end);
135 #ifndef MONOLITH
136 static char *default_config_file=NULL;
137 static CONF *config=NULL;
138 #endif
139 static CONF *req_conf=NULL;
140 static int batch=0;
141
142 #define TYPE_RSA        1
143 #define TYPE_DSA        2
144 #define TYPE_DH         3
145 #define TYPE_ECDSA      4
146
147 int MAIN(int, char **);
148
149 int MAIN(int argc, char **argv)
150         {
151         ENGINE *e = NULL;
152 #ifndef OPENSSL_NO_DSA
153         DSA *dsa_params=NULL;
154 #endif
155 #ifndef OPENSSL_NO_ECDSA
156         ECDSA *ecdsa_params = NULL;
157 #endif
158         unsigned long nmflag = 0;
159         int ex=1,x509=0,days=30;
160         X509 *x509ss=NULL;
161         X509_REQ *req=NULL;
162         EVP_PKEY *pkey=NULL;
163         int i=0,badops=0,newreq=0,verbose=0,pkey_type=TYPE_RSA;
164         long newkey = -1;
165         BIO *in=NULL,*out=NULL;
166         int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
167         int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
168         char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
169         char *engine=NULL;
170         char *extensions = NULL;
171         char *req_exts = NULL;
172         const EVP_CIPHER *cipher=NULL;
173         ASN1_INTEGER *serial = NULL;
174         int modulus=0;
175         char *inrand=NULL;
176         char *passargin = NULL, *passargout = NULL;
177         char *passin = NULL, *passout = NULL;
178         char *p;
179         char *subj = NULL;
180         const EVP_MD *md_alg=NULL,*digest=EVP_md5();
181         unsigned long chtype = MBSTRING_ASC;
182 #ifndef MONOLITH
183         MS_STATIC char config_name[256];
184         long errline;
185 #endif
186
187         req_conf = NULL;
188 #ifndef OPENSSL_NO_DES
189         cipher=EVP_des_ede3_cbc();
190 #endif
191         apps_startup();
192
193         if (bio_err == NULL)
194                 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
195                         BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
196
197         infile=NULL;
198         outfile=NULL;
199         informat=FORMAT_PEM;
200         outformat=FORMAT_PEM;
201
202         prog=argv[0];
203         argc--;
204         argv++;
205         while (argc >= 1)
206                 {
207                 if      (strcmp(*argv,"-inform") == 0)
208                         {
209                         if (--argc < 1) goto bad;
210                         informat=str2fmt(*(++argv));
211                         }
212                 else if (strcmp(*argv,"-outform") == 0)
213                         {
214                         if (--argc < 1) goto bad;
215                         outformat=str2fmt(*(++argv));
216                         }
217                 else if (strcmp(*argv,"-engine") == 0)
218                         {
219                         if (--argc < 1) goto bad;
220                         engine= *(++argv);
221                         }
222                 else if (strcmp(*argv,"-key") == 0)
223                         {
224                         if (--argc < 1) goto bad;
225                         keyfile= *(++argv);
226                         }
227                 else if (strcmp(*argv,"-pubkey") == 0)
228                         {
229                         pubkey=1;
230                         }
231                 else if (strcmp(*argv,"-new") == 0)
232                         {
233                         newreq=1;
234                         }
235                 else if (strcmp(*argv,"-config") == 0)
236                         {       
237                         if (--argc < 1) goto bad;
238                         template= *(++argv);
239                         }
240                 else if (strcmp(*argv,"-keyform") == 0)
241                         {
242                         if (--argc < 1) goto bad;
243                         keyform=str2fmt(*(++argv));
244                         }
245                 else if (strcmp(*argv,"-in") == 0)
246                         {
247                         if (--argc < 1) goto bad;
248                         infile= *(++argv);
249                         }
250                 else if (strcmp(*argv,"-out") == 0)
251                         {
252                         if (--argc < 1) goto bad;
253                         outfile= *(++argv);
254                         }
255                 else if (strcmp(*argv,"-keyout") == 0)
256                         {
257                         if (--argc < 1) goto bad;
258                         keyout= *(++argv);
259                         }
260                 else if (strcmp(*argv,"-passin") == 0)
261                         {
262                         if (--argc < 1) goto bad;
263                         passargin= *(++argv);
264                         }
265                 else if (strcmp(*argv,"-passout") == 0)
266                         {
267                         if (--argc < 1) goto bad;
268                         passargout= *(++argv);
269                         }
270                 else if (strcmp(*argv,"-rand") == 0)
271                         {
272                         if (--argc < 1) goto bad;
273                         inrand= *(++argv);
274                         }
275                 else if (strcmp(*argv,"-newkey") == 0)
276                         {
277                         int is_numeric;
278
279                         if (--argc < 1) goto bad;
280                         p= *(++argv);
281                         is_numeric = p[0] >= '0' && p[0] <= '9';
282                         if (strncmp("rsa:",p,4) == 0 || is_numeric)
283                                 {
284                                 pkey_type=TYPE_RSA;
285                                 if(!is_numeric)
286                                     p+=4;
287                                 newkey= atoi(p);
288                                 }
289                         else
290 #ifndef OPENSSL_NO_DSA
291                                 if (strncmp("dsa:",p,4) == 0)
292                                 {
293                                 X509 *xtmp=NULL;
294                                 EVP_PKEY *dtmp;
295
296                                 pkey_type=TYPE_DSA;
297                                 p+=4;
298                                 if ((in=BIO_new_file(p,"r")) == NULL)
299                                         {
300                                         perror(p);
301                                         goto end;
302                                         }
303                                 if ((dsa_params=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL)
304                                         {
305                                         ERR_clear_error();
306                                         (void)BIO_reset(in);
307                                         if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
308                                                 {
309                                                 BIO_printf(bio_err,"unable to load DSA parameters from file\n");
310                                                 goto end;
311                                                 }
312
313                                         if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
314                                         if (dtmp->type == EVP_PKEY_DSA)
315                                                 dsa_params=DSAparams_dup(dtmp->pkey.dsa);
316                                         EVP_PKEY_free(dtmp);
317                                         X509_free(xtmp);
318                                         if (dsa_params == NULL)
319                                                 {
320                                                 BIO_printf(bio_err,"Certificate does not contain DSA parameters\n");
321                                                 goto end;
322                                                 }
323                                         }
324                                 BIO_free(in);
325                                 in=NULL;
326                                 newkey=BN_num_bits(dsa_params->p);
327                                 }
328                         else 
329 #endif
330 #ifndef OPENSSL_NO_ECDSA
331                                 if (strncmp("ecdsa:",p,4) == 0)
332                                 {
333                                 X509 *xtmp=NULL;
334                                 EVP_PKEY *dtmp;
335
336                                 pkey_type=TYPE_ECDSA;
337                                 p+=6;
338                                 if ((in=BIO_new_file(p,"r")) == NULL)
339                                         {
340                                         perror(p);
341                                         goto end;
342                                         }
343                                 if ((ecdsa_params = PEM_read_bio_ECDSAParameters(in, NULL, NULL, NULL)) == NULL)
344                                         {
345                                         ERR_clear_error();
346                                         (void)BIO_reset(in);
347                                         if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
348                                                 {       
349                                                 BIO_printf(bio_err,"unable to load ECDSA parameters from file\n");
350                                                 goto end;
351                                                 }
352
353                                         if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
354                                         if (dtmp->type == EVP_PKEY_ECDSA)
355                                                 ecdsa_params = ECDSAParameters_dup(dtmp->pkey.ecdsa);
356                                         EVP_PKEY_free(dtmp);
357                                         X509_free(xtmp);
358                                         if (ecdsa_params == NULL)
359                                                 {
360                                                 BIO_printf(bio_err,"Certificate does not contain ECDSA parameters\n");
361                                                 goto end;
362                                                 }
363                                         }
364
365                                 BIO_free(in);
366                                 in=NULL;
367                                 
368                                 {
369                                 BIGNUM *order = BN_new();
370                                 
371                                 if (!order)
372                                         goto end;
373                                 if (!EC_GROUP_get_order(ecdsa_params->group, order, NULL))
374                                         goto end;
375                                 newkey = BN_num_bits(order);
376                                 BN_free(order);
377                                 }
378
379                                 }
380                         else
381 #endif
382 #ifndef OPENSSL_NO_DH
383                                 if (strncmp("dh:",p,4) == 0)
384                                 {
385                                 pkey_type=TYPE_DH;
386                                 p+=3;
387                                 }
388                         else
389 #endif
390                                 pkey_type=TYPE_RSA;
391
392                         newreq=1;
393                         }
394                 else if (strcmp(*argv,"-batch") == 0)
395                         batch=1;
396                 else if (strcmp(*argv,"-newhdr") == 0)
397                         newhdr=1;
398                 else if (strcmp(*argv,"-modulus") == 0)
399                         modulus=1;
400                 else if (strcmp(*argv,"-verify") == 0)
401                         verify=1;
402                 else if (strcmp(*argv,"-nodes") == 0)
403                         nodes=1;
404                 else if (strcmp(*argv,"-noout") == 0)
405                         noout=1;
406                 else if (strcmp(*argv,"-verbose") == 0)
407                         verbose=1;
408                 else if (strcmp(*argv,"-utf8") == 0)
409                         chtype = MBSTRING_UTF8;
410                 else if (strcmp(*argv,"-nameopt") == 0)
411                         {
412                         if (--argc < 1) goto bad;
413                         if (!set_name_ex(&nmflag, *(++argv))) goto bad;
414                         }
415                 else if (strcmp(*argv,"-subject") == 0)
416                         subject=1;
417                 else if (strcmp(*argv,"-text") == 0)
418                         text=1;
419                 else if (strcmp(*argv,"-x509") == 0)
420                         x509=1;
421                 else if (strcmp(*argv,"-asn1-kludge") == 0)
422                         kludge=1;
423                 else if (strcmp(*argv,"-no-asn1-kludge") == 0)
424                         kludge=0;
425                 else if (strcmp(*argv,"-subj") == 0)
426                         {
427                         if (--argc < 1) goto bad;
428                         subj= *(++argv);
429                         }
430                 else if (strcmp(*argv,"-days") == 0)
431                         {
432                         if (--argc < 1) goto bad;
433                         days= atoi(*(++argv));
434                         if (days == 0) days=30;
435                         }
436                 else if (strcmp(*argv,"-set_serial") == 0)
437                         {
438                         if (--argc < 1) goto bad;
439                         serial = s2i_ASN1_INTEGER(NULL, *(++argv));
440                         if (!serial) goto bad;
441                         }
442                 else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
443                         {
444                         /* ok */
445                         digest=md_alg;
446                         }
447                 else if (strcmp(*argv,"-extensions") == 0)
448                         {
449                         if (--argc < 1) goto bad;
450                         extensions = *(++argv);
451                         }
452                 else if (strcmp(*argv,"-reqexts") == 0)
453                         {
454                         if (--argc < 1) goto bad;
455                         req_exts = *(++argv);
456                         }
457                 else
458                         {
459                         BIO_printf(bio_err,"unknown option %s\n",*argv);
460                         badops=1;
461                         break;
462                         }
463                 argc--;
464                 argv++;
465                 }
466
467         if (badops)
468                 {
469 bad:
470                 BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
471                 BIO_printf(bio_err,"where options  are\n");
472                 BIO_printf(bio_err," -inform arg    input format - DER or PEM\n");
473                 BIO_printf(bio_err," -outform arg   output format - DER or PEM\n");
474                 BIO_printf(bio_err," -in arg        input file\n");
475                 BIO_printf(bio_err," -out arg       output file\n");
476                 BIO_printf(bio_err," -text          text form of request\n");
477                 BIO_printf(bio_err," -pubkey        output public key\n");
478                 BIO_printf(bio_err," -noout         do not output REQ\n");
479                 BIO_printf(bio_err," -verify        verify signature on REQ\n");
480                 BIO_printf(bio_err," -modulus       RSA modulus\n");
481                 BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
482                 BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device\n");
483                 BIO_printf(bio_err," -subject       output the request's subject\n");
484                 BIO_printf(bio_err," -passin        private key password source\n");
485                 BIO_printf(bio_err," -key file      use the private key contained in file\n");
486                 BIO_printf(bio_err," -keyform arg   key file format\n");
487                 BIO_printf(bio_err," -keyout arg    file to send the key to\n");
488                 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
489                 BIO_printf(bio_err,"                load the file (or the files in the directory) into\n");
490                 BIO_printf(bio_err,"                the random number generator\n");
491                 BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
492                 BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
493                 BIO_printf(bio_err," -newkey ecdsa:file generate a new ECDSA key, parameters taken from CA in 'file'\n");
494                 BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
495                 BIO_printf(bio_err," -config file   request template file.\n");
496                 BIO_printf(bio_err," -subj arg      set or modify request subject\n");
497                 BIO_printf(bio_err," -new           new request.\n");
498                 BIO_printf(bio_err," -batch         do not ask anything during request generation\n");
499                 BIO_printf(bio_err," -x509          output a x509 structure instead of a cert. req.\n");
500                 BIO_printf(bio_err," -days          number of days a certificate generated by -x509 is valid for.\n");
501                 BIO_printf(bio_err," -set_serial    serial number to use for a certificate generated by -x509.\n");
502                 BIO_printf(bio_err," -newhdr        output \"NEW\" in the header lines\n");
503                 BIO_printf(bio_err," -asn1-kludge   Output the 'request' in a format that is wrong but some CA's\n");
504                 BIO_printf(bio_err,"                have been reported as requiring\n");
505                 BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
506                 BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
507                 BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
508                 goto end;
509                 }
510
511         ERR_load_crypto_strings();
512         if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
513                 BIO_printf(bio_err, "Error getting passwords\n");
514                 goto end;
515         }
516
517 #ifndef MONOLITH /* else this has happened in openssl.c (global `config') */
518         /* Lets load up our environment a little */
519         p=getenv("OPENSSL_CONF");
520         if (p == NULL)
521                 p=getenv("SSLEAY_CONF");
522         if (p == NULL)
523                 {
524                 strcpy(config_name,X509_get_default_cert_area());
525 #ifndef OPENSSL_SYS_VMS
526                 strcat(config_name,"/");
527 #endif
528                 strcat(config_name,OPENSSL_CONF);
529                 p=config_name;
530                 }
531         default_config_file=p;
532         config=NCONF_new(NULL);
533         i=NCONF_load(config, p, &errline);
534 #endif
535
536         if (template != NULL)
537                 {
538                 long errline;
539
540                 if( verbose )
541                         BIO_printf(bio_err,"Using configuration from %s\n",template);
542                 req_conf=NCONF_new(NULL);
543                 i=NCONF_load(req_conf,template,&errline);
544                 if (i == 0)
545                         {
546                         BIO_printf(bio_err,"error on line %ld of %s\n",errline,template);
547                         goto end;
548                         }
549                 }
550         else
551                 {
552                 req_conf=config;
553                 if( verbose )
554                         BIO_printf(bio_err,"Using configuration from %s\n",
555                         default_config_file);
556                 if (req_conf == NULL)
557                         {
558                         BIO_printf(bio_err,"Unable to load config info\n");
559                         }
560                 }
561
562         if (req_conf != NULL)
563                 {
564                 if (!load_config(bio_err, req_conf))
565                         goto end;
566                 p=NCONF_get_string(req_conf,NULL,"oid_file");
567                 if (p == NULL)
568                         ERR_clear_error();
569                 if (p != NULL)
570                         {
571                         BIO *oid_bio;
572
573                         oid_bio=BIO_new_file(p,"r");
574                         if (oid_bio == NULL) 
575                                 {
576                                 /*
577                                 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
578                                 ERR_print_errors(bio_err);
579                                 */
580                                 }
581                         else
582                                 {
583                                 OBJ_create_objects(oid_bio);
584                                 BIO_free(oid_bio);
585                                 }
586                         }
587                 }
588         if(!add_oid_section(bio_err, req_conf)) goto end;
589
590         if (md_alg == NULL)
591                 {
592                 p=NCONF_get_string(req_conf,SECTION,"default_md");
593                 if (p == NULL)
594                         ERR_clear_error();
595                 if (p != NULL)
596                         {
597                         if ((md_alg=EVP_get_digestbyname(p)) != NULL)
598                                 digest=md_alg;
599                         }
600                 }
601
602         if (!extensions)
603                 {
604                 extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
605                 if (!extensions)
606                         ERR_clear_error();
607                 }
608         if (extensions) {
609                 /* Check syntax of file */
610                 X509V3_CTX ctx;
611                 X509V3_set_ctx_test(&ctx);
612                 X509V3_set_nconf(&ctx, req_conf);
613                 if(!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
614                         BIO_printf(bio_err,
615                          "Error Loading extension section %s\n", extensions);
616                         goto end;
617                 }
618         }
619
620         if(!passin)
621                 {
622                 passin = NCONF_get_string(req_conf, SECTION, "input_password");
623                 if (!passin)
624                         ERR_clear_error();
625                 }
626         
627         if(!passout)
628                 {
629                 passout = NCONF_get_string(req_conf, SECTION, "output_password");
630                 if (!passout)
631                         ERR_clear_error();
632                 }
633
634         p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
635         if (!p)
636                 ERR_clear_error();
637
638         if(p && !ASN1_STRING_set_default_mask_asc(p)) {
639                 BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
640                 goto end;
641         }
642
643         if (chtype != MBSTRING_UTF8)
644                 {
645                 p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
646                 if (!p)
647                         ERR_clear_error();
648                 else if (!strcmp(p, "yes"))
649                         chtype = MBSTRING_UTF8;
650                 }
651
652
653         if(!req_exts)
654                 {
655                 req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
656                 if (!req_exts)
657                         ERR_clear_error();
658                 }
659         if(req_exts) {
660                 /* Check syntax of file */
661                 X509V3_CTX ctx;
662                 X509V3_set_ctx_test(&ctx);
663                 X509V3_set_nconf(&ctx, req_conf);
664                 if(!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
665                         BIO_printf(bio_err,
666                          "Error Loading request extension section %s\n",
667                                                                 req_exts);
668                         goto end;
669                 }
670         }
671
672         in=BIO_new(BIO_s_file());
673         out=BIO_new(BIO_s_file());
674         if ((in == NULL) || (out == NULL))
675                 goto end;
676
677         e = setup_engine(bio_err, engine, 0);
678
679         if (keyfile != NULL)
680                 {
681                 pkey = load_key(bio_err, keyfile, keyform, passin, e,
682                         "Private Key");
683                 if (!pkey)
684                         {
685                         /* load_key() has already printed an appropriate
686                            message */
687                         goto end;
688                         }
689                 if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA || EVP_PKEY_type(pkey->type) == EVP_PKEY_ECDSA)
690                         {
691                         char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
692                         if (randfile == NULL)
693                                 ERR_clear_error();
694                         app_RAND_load_file(randfile, bio_err, 0);
695                         }
696                 }
697
698         if (newreq && (pkey == NULL))
699                 {
700                 char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
701                 if (randfile == NULL)
702                         ERR_clear_error();
703                 app_RAND_load_file(randfile, bio_err, 0);
704                 if (inrand)
705                         app_RAND_load_files(inrand);
706         
707                 if (newkey <= 0)
708                         {
709                         if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
710                                 newkey=DEFAULT_KEY_LENGTH;
711                         }
712
713                 if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA))
714                 /* TODO: appropriate minimal keylength for the different algorithm (esp. ECDSA) */
715                         {
716                         BIO_printf(bio_err,"private key length is too short,\n");
717                         BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey);
718                         goto end;
719                         }
720                 BIO_printf(bio_err,"Generating a %d bit %s private key\n",
721                         newkey,(pkey_type == TYPE_RSA)?"RSA":(pkey_type == TYPE_DSA)?"DSA":"ECDSA");
722
723                 if ((pkey=EVP_PKEY_new()) == NULL) goto end;
724
725 #ifndef OPENSSL_NO_RSA
726                 if (pkey_type == TYPE_RSA)
727                         {
728                         if (!EVP_PKEY_assign_RSA(pkey,
729                                 RSA_generate_key(newkey,0x10001,
730                                         req_cb,bio_err)))
731                                 goto end;
732                         }
733                 else
734 #endif
735 #ifndef OPENSSL_NO_DSA
736                         if (pkey_type == TYPE_DSA)
737                         {
738                         if (!DSA_generate_key(dsa_params)) goto end;
739                         if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end;
740                         dsa_params=NULL;
741                         }
742 #endif
743 #ifndef OPENSSL_NO_ECDSA
744                         if (pkey_type == TYPE_ECDSA)
745                         {
746                         if (!ECDSA_generate_key(ecdsa_params)) goto end;
747                         if (!EVP_PKEY_assign_ECDSA(pkey, ecdsa_params)) goto end;
748                         ecdsa_params = NULL;
749                         }
750 #endif
751
752                 app_RAND_write_file(randfile, bio_err);
753
754                 if (pkey == NULL) goto end;
755
756                 if (keyout == NULL)
757                         {
758                         keyout=NCONF_get_string(req_conf,SECTION,KEYFILE);
759                         if (keyout == NULL)
760                                 ERR_clear_error();
761                         }
762                 
763                 if (keyout == NULL)
764                         {
765                         BIO_printf(bio_err,"writing new private key to stdout\n");
766                         BIO_set_fp(out,stdout,BIO_NOCLOSE);
767 #ifdef OPENSSL_SYS_VMS
768                         {
769                         BIO *tmpbio = BIO_new(BIO_f_linebuffer());
770                         out = BIO_push(tmpbio, out);
771                         }
772 #endif
773                         }
774                 else
775                         {
776                         BIO_printf(bio_err,"writing new private key to '%s'\n",keyout);
777                         if (BIO_write_filename(out,keyout) <= 0)
778                                 {
779                                 perror(keyout);
780                                 goto end;
781                                 }
782                         }
783
784                 p=NCONF_get_string(req_conf,SECTION,"encrypt_rsa_key");
785                 if (p == NULL)
786                         {
787                         ERR_clear_error();
788                         p=NCONF_get_string(req_conf,SECTION,"encrypt_key");
789                         if (p == NULL)
790                                 ERR_clear_error();
791                         }
792                 if ((p != NULL) && (strcmp(p,"no") == 0))
793                         cipher=NULL;
794                 if (nodes) cipher=NULL;
795                 
796                 i=0;
797 loop:
798                 if (!PEM_write_bio_PrivateKey(out,pkey,cipher,
799                         NULL,0,NULL,passout))
800                         {
801                         if ((ERR_GET_REASON(ERR_peek_error()) ==
802                                 PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3))
803                                 {
804                                 ERR_clear_error();
805                                 i++;
806                                 goto loop;
807                                 }
808                         goto end;
809                         }
810                 BIO_printf(bio_err,"-----\n");
811                 }
812
813         if (!newreq)
814                 {
815                 /* Since we are using a pre-existing certificate
816                  * request, the kludge 'format' info should not be
817                  * changed. */
818                 kludge= -1;
819                 if (infile == NULL)
820                         BIO_set_fp(in,stdin,BIO_NOCLOSE);
821                 else
822                         {
823                         if (BIO_read_filename(in,infile) <= 0)
824                                 {
825                                 perror(infile);
826                                 goto end;
827                                 }
828                         }
829
830                 if      (informat == FORMAT_ASN1)
831                         req=d2i_X509_REQ_bio(in,NULL);
832                 else if (informat == FORMAT_PEM)
833                         req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
834                 else
835                         {
836                         BIO_printf(bio_err,"bad input format specified for X509 request\n");
837                         goto end;
838                         }
839                 if (req == NULL)
840                         {
841                         BIO_printf(bio_err,"unable to load X509 request\n");
842                         goto end;
843                         }
844                 }
845
846         if (newreq || x509)
847                 {
848                 if (pkey == NULL)
849                         {
850                         BIO_printf(bio_err,"you need to specify a private key\n");
851                         goto end;
852                         }
853 #ifndef OPENSSL_NO_DSA
854                 if (pkey->type == EVP_PKEY_DSA)
855                         digest=EVP_dss1();
856 #endif
857 #ifndef OPENSSL_NO_ECDSA
858                 if (pkey->type == EVP_PKEY_ECDSA)
859                         digest=EVP_ecdsa();
860 #endif
861                 if (req == NULL)
862                         {
863                         req=X509_REQ_new();
864                         if (req == NULL)
865                                 {
866                                 goto end;
867                                 }
868
869                         i=make_REQ(req,pkey,subj,!x509, chtype);
870                         subj=NULL; /* done processing '-subj' option */
871                         if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes))
872                                 {
873                                 sk_X509_ATTRIBUTE_free(req->req_info->attributes);
874                                 req->req_info->attributes = NULL;
875                                 }
876                         if (!i)
877                                 {
878                                 BIO_printf(bio_err,"problems making Certificate Request\n");
879                                 goto end;
880                                 }
881                         }
882                 if (x509)
883                         {
884                         EVP_PKEY *tmppkey;
885                         X509V3_CTX ext_ctx;
886                         if ((x509ss=X509_new()) == NULL) goto end;
887
888                         /* Set version to V3 */
889                         if(!X509_set_version(x509ss, 2)) goto end;
890                         if (serial)
891                                 {
892                                 if (!X509_set_serialNumber(x509ss, serial)) goto end;
893                                 }
894                         else
895                                 {
896                                 if (!ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L)) goto end;
897                                 }
898
899                         if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
900                         if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
901                         if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end;
902                         if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
903                         tmppkey = X509_REQ_get_pubkey(req);
904                         if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
905                         EVP_PKEY_free(tmppkey);
906
907                         /* Set up V3 context struct */
908
909                         X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
910                         X509V3_set_nconf(&ext_ctx, req_conf);
911
912                         /* Add extensions */
913                         if(extensions && !X509V3_EXT_add_nconf(req_conf, 
914                                         &ext_ctx, extensions, x509ss))
915                                 {
916                                 BIO_printf(bio_err,
917                                         "Error Loading extension section %s\n",
918                                         extensions);
919                                 goto end;
920                                 }
921                         
922                         if (!(i=X509_sign(x509ss,pkey,digest)))
923                                 goto end;
924                         }
925                 else
926                         {
927                         X509V3_CTX ext_ctx;
928
929                         /* Set up V3 context struct */
930
931                         X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
932                         X509V3_set_nconf(&ext_ctx, req_conf);
933
934                         /* Add extensions */
935                         if(req_exts && !X509V3_EXT_REQ_add_nconf(req_conf, 
936                                         &ext_ctx, req_exts, req))
937                                 {
938                                 BIO_printf(bio_err,
939                                         "Error Loading extension section %s\n",
940                                         req_exts);
941                                 goto end;
942                                 }
943                         if (!(i=X509_REQ_sign(req,pkey,digest)))
944                                 goto end;
945                         }
946                 }
947
948         if (subj && x509)
949                 {
950                 BIO_printf(bio_err, "Cannot modifiy certificate subject\n");
951                 goto end;
952                 }
953
954         if (subj && !x509)
955                 {
956                 if (verbose)
957                         {
958                         BIO_printf(bio_err, "Modifying Request's Subject\n");
959                         print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag);
960                         }
961
962                 if (build_subject(req, subj, chtype) == 0)
963                         {
964                         BIO_printf(bio_err, "ERROR: cannot modify subject\n");
965                         ex=1;
966                         goto end;
967                         }
968
969                 req->req_info->enc.modified = 1;
970
971                 if (verbose)
972                         {
973                         print_name(bio_err, "new subject=", X509_REQ_get_subject_name(req), nmflag);
974                         }
975                 }
976
977         if (verify && !x509)
978                 {
979                 int tmp=0;
980
981                 if (pkey == NULL)
982                         {
983                         pkey=X509_REQ_get_pubkey(req);
984                         tmp=1;
985                         if (pkey == NULL) goto end;
986                         }
987
988                 i=X509_REQ_verify(req,pkey);
989                 if (tmp) {
990                         EVP_PKEY_free(pkey);
991                         pkey=NULL;
992                 }
993
994                 if (i < 0)
995                         {
996                         goto end;
997                         }
998                 else if (i == 0)
999                         {
1000                         BIO_printf(bio_err,"verify failure\n");
1001                         ERR_print_errors(bio_err);
1002                         }
1003                 else /* if (i > 0) */
1004                         BIO_printf(bio_err,"verify OK\n");
1005                 }
1006
1007         if (noout && !text && !modulus && !subject && !pubkey)
1008                 {
1009                 ex=0;
1010                 goto end;
1011                 }
1012
1013         if (outfile == NULL)
1014                 {
1015                 BIO_set_fp(out,stdout,BIO_NOCLOSE);
1016 #ifdef OPENSSL_SYS_VMS
1017                 {
1018                 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
1019                 out = BIO_push(tmpbio, out);
1020                 }
1021 #endif
1022                 }
1023         else
1024                 {
1025                 if ((keyout != NULL) && (strcmp(outfile,keyout) == 0))
1026                         i=(int)BIO_append_filename(out,outfile);
1027                 else
1028                         i=(int)BIO_write_filename(out,outfile);
1029                 if (!i)
1030                         {
1031                         perror(outfile);
1032                         goto end;
1033                         }
1034                 }
1035
1036         if (pubkey)
1037                 {
1038                 EVP_PKEY *tpubkey; 
1039                 tpubkey=X509_REQ_get_pubkey(req);
1040                 if (tpubkey == NULL)
1041                         {
1042                         BIO_printf(bio_err,"Error getting public key\n");
1043                         ERR_print_errors(bio_err);
1044                         goto end;
1045                         }
1046                 PEM_write_bio_PUBKEY(out, tpubkey);
1047                 EVP_PKEY_free(tpubkey);
1048                 }
1049
1050         if (text)
1051                 {
1052                 if (x509)
1053                         X509_print(out,x509ss);
1054                 else    
1055                         X509_REQ_print(out,req);
1056                 }
1057
1058         if(subject) 
1059                 {
1060                 if(x509)
1061                         print_name(out, "subject=", X509_get_subject_name(x509ss), nmflag);
1062                 else
1063                         print_name(out, "subject=", X509_REQ_get_subject_name(req), nmflag);
1064                 }
1065
1066         if (modulus)
1067                 {
1068                 EVP_PKEY *tpubkey;
1069
1070                 if (x509)
1071                         tpubkey=X509_get_pubkey(x509ss);
1072                 else
1073                         tpubkey=X509_REQ_get_pubkey(req);
1074                 if (tpubkey == NULL)
1075                         {
1076                         fprintf(stdout,"Modulus=unavailable\n");
1077                         goto end; 
1078                         }
1079                 fprintf(stdout,"Modulus=");
1080 #ifndef OPENSSL_NO_RSA
1081                 if (tpubkey->type == EVP_PKEY_RSA)
1082                         BN_print(out,tpubkey->pkey.rsa->n);
1083                 else
1084 #endif
1085                         fprintf(stdout,"Wrong Algorithm type");
1086                 EVP_PKEY_free(tpubkey);
1087                 fprintf(stdout,"\n");
1088                 }
1089
1090         if (!noout && !x509)
1091                 {
1092                 if      (outformat == FORMAT_ASN1)
1093                         i=i2d_X509_REQ_bio(out,req);
1094                 else if (outformat == FORMAT_PEM) {
1095                         if(newhdr) i=PEM_write_bio_X509_REQ_NEW(out,req);
1096                         else i=PEM_write_bio_X509_REQ(out,req);
1097                 } else {
1098                         BIO_printf(bio_err,"bad output format specified for outfile\n");
1099                         goto end;
1100                         }
1101                 if (!i)
1102                         {
1103                         BIO_printf(bio_err,"unable to write X509 request\n");
1104                         goto end;
1105                         }
1106                 }
1107         if (!noout && x509 && (x509ss != NULL))
1108                 {
1109                 if      (outformat == FORMAT_ASN1)
1110                         i=i2d_X509_bio(out,x509ss);
1111                 else if (outformat == FORMAT_PEM)
1112                         i=PEM_write_bio_X509(out,x509ss);
1113                 else    {
1114                         BIO_printf(bio_err,"bad output format specified for outfile\n");
1115                         goto end;
1116                         }
1117                 if (!i)
1118                         {
1119                         BIO_printf(bio_err,"unable to write X509 certificate\n");
1120                         goto end;
1121                         }
1122                 }
1123         ex=0;
1124 end:
1125         if (ex)
1126                 {
1127                 ERR_print_errors(bio_err);
1128                 }
1129         if ((req_conf != NULL) && (req_conf != config)) NCONF_free(req_conf);
1130         BIO_free(in);
1131         BIO_free_all(out);
1132         EVP_PKEY_free(pkey);
1133         X509_REQ_free(req);
1134         X509_free(x509ss);
1135         ASN1_INTEGER_free(serial);
1136         if(passargin && passin) OPENSSL_free(passin);
1137         if(passargout && passout) OPENSSL_free(passout);
1138         OBJ_cleanup();
1139 #ifndef OPENSSL_NO_DSA
1140         if (dsa_params != NULL) DSA_free(dsa_params);
1141 #endif
1142 #ifndef OPENSSL_NO_ECDSA
1143         if (ecdsa_params != NULL) ECDSA_free(ecdsa_params);
1144 #endif
1145         apps_shutdown();
1146         EXIT(ex);
1147         }
1148
1149 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
1150                         unsigned long chtype)
1151         {
1152         int ret=0,i;
1153         char no_prompt = 0;
1154         STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
1155         char *tmp, *dn_sect,*attr_sect;
1156
1157         tmp=NCONF_get_string(req_conf,SECTION,PROMPT);
1158         if (tmp == NULL)
1159                 ERR_clear_error();
1160         if((tmp != NULL) && !strcmp(tmp, "no")) no_prompt = 1;
1161
1162         dn_sect=NCONF_get_string(req_conf,SECTION,DISTINGUISHED_NAME);
1163         if (dn_sect == NULL)
1164                 {
1165                 BIO_printf(bio_err,"unable to find '%s' in config\n",
1166                         DISTINGUISHED_NAME);
1167                 goto err;
1168                 }
1169         dn_sk=NCONF_get_section(req_conf,dn_sect);
1170         if (dn_sk == NULL)
1171                 {
1172                 BIO_printf(bio_err,"unable to get '%s' section\n",dn_sect);
1173                 goto err;
1174                 }
1175
1176         attr_sect=NCONF_get_string(req_conf,SECTION,ATTRIBUTES);
1177         if (attr_sect == NULL)
1178                 {
1179                 ERR_clear_error();              
1180                 attr_sk=NULL;
1181                 }
1182         else
1183                 {
1184                 attr_sk=NCONF_get_section(req_conf,attr_sect);
1185                 if (attr_sk == NULL)
1186                         {
1187                         BIO_printf(bio_err,"unable to get '%s' section\n",attr_sect);
1188                         goto err;
1189                         }
1190                 }
1191
1192         /* setup version number */
1193         if (!X509_REQ_set_version(req,0L)) goto err; /* version 1 */
1194
1195         if (no_prompt) 
1196                 i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
1197         else 
1198                 {
1199                 if (subj)
1200                         i = build_subject(req, subj, chtype);
1201                 else
1202                         i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype);
1203                 }
1204         if(!i) goto err;
1205
1206         if (!X509_REQ_set_pubkey(req,pkey)) goto err;
1207
1208         ret=1;
1209 err:
1210         return(ret);
1211         }
1212
1213 static int build_subject(X509_REQ *req, char *subject, unsigned long chtype)
1214         {
1215         X509_NAME *n = NULL;
1216
1217         int i, nid, ne_num=0;
1218
1219         char *ne_name = NULL;
1220         char *ne_value = NULL;
1221
1222         char *tmp = NULL;
1223         char *p[2];
1224
1225         char *str_list[256];
1226        
1227         p[0] = ",/";
1228         p[1] = "=";
1229
1230         n = X509_NAME_new();
1231
1232         tmp = strtok(subject, p[0]);
1233         while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
1234                 {
1235                 char *token = tmp;
1236
1237                 while (token[0] == ' ')
1238                         token++;
1239                 str_list[ne_num] = token;
1240
1241                 tmp = strtok(NULL, p[0]);
1242                 ne_num++;
1243                 }
1244
1245         for(i = 0; i < ne_num; i++)
1246                 {
1247                 ne_name  = strtok(str_list[i], p[1]);
1248                 ne_value = strtok(NULL, p[1]);
1249
1250                 if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
1251                         {
1252                         BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
1253                         continue;
1254                         }
1255
1256                 if (ne_value == NULL)
1257                         {
1258                         BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
1259                         continue;
1260                         }
1261
1262                 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_value, -1,-1,0))
1263                         {
1264                         X509_NAME_free(n);
1265                         return 0;
1266                         }
1267                 }
1268
1269         if (!X509_REQ_set_subject_name(req, n))
1270                 return 0;
1271         X509_NAME_free(n);
1272         return 1;
1273 }
1274
1275
1276 static int prompt_info(X509_REQ *req,
1277                 STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
1278                 STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs,
1279                 unsigned long chtype)
1280         {
1281         int i;
1282         char *p,*q;
1283         char buf[100];
1284         int nid;
1285         long n_min,n_max;
1286         char *type,*def,*value;
1287         CONF_VALUE *v;
1288         X509_NAME *subj;
1289         subj = X509_REQ_get_subject_name(req);
1290
1291         if(!batch)
1292                 {
1293                 BIO_printf(bio_err,"You are about to be asked to enter information that will be incorporated\n");
1294                 BIO_printf(bio_err,"into your certificate request.\n");
1295                 BIO_printf(bio_err,"What you are about to enter is what is called a Distinguished Name or a DN.\n");
1296                 BIO_printf(bio_err,"There are quite a few fields but you can leave some blank\n");
1297                 BIO_printf(bio_err,"For some fields there will be a default value,\n");
1298                 BIO_printf(bio_err,"If you enter '.', the field will be left blank.\n");
1299                 BIO_printf(bio_err,"-----\n");
1300                 }
1301
1302
1303         if (sk_CONF_VALUE_num(dn_sk))
1304                 {
1305                 i= -1;
1306 start:          for (;;)
1307                         {
1308                         i++;
1309                         if (sk_CONF_VALUE_num(dn_sk) <= i) break;
1310
1311                         v=sk_CONF_VALUE_value(dn_sk,i);
1312                         p=q=NULL;
1313                         type=v->name;
1314                         if(!check_end(type,"_min") || !check_end(type,"_max") ||
1315                                 !check_end(type,"_default") ||
1316                                          !check_end(type,"_value")) continue;
1317                         /* Skip past any leading X. X: X, etc to allow for
1318                          * multiple instances 
1319                          */
1320                         for(p = v->name; *p ; p++) 
1321                                 if ((*p == ':') || (*p == ',') ||
1322                                                          (*p == '.')) {
1323                                         p++;
1324                                         if(*p) type = p;
1325                                         break;
1326                                 }
1327                         /* If OBJ not recognised ignore it */
1328                         if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
1329                         sprintf(buf,"%s_default",v->name);
1330                         if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
1331                                 {
1332                                 ERR_clear_error();
1333                                 def="";
1334                                 }
1335                                 
1336                         sprintf(buf,"%s_value",v->name);
1337                         if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
1338                                 {
1339                                 ERR_clear_error();
1340                                 value=NULL;
1341                                 }
1342
1343                         sprintf(buf,"%s_min",v->name);
1344                         if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min))
1345                                 n_min = -1;
1346
1347                         sprintf(buf,"%s_max",v->name);
1348                         if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max))
1349                                 n_max = -1;
1350
1351                         if (!add_DN_object(subj,v->value,def,value,nid,
1352                                 n_min,n_max, chtype))
1353                                 return 0;
1354                         }
1355                 if (X509_NAME_entry_count(subj) == 0)
1356                         {
1357                         BIO_printf(bio_err,"error, no objects specified in config file\n");
1358                         return 0;
1359                         }
1360
1361                 if (attribs)
1362                         {
1363                         if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) && (!batch))
1364                                 {
1365                                 BIO_printf(bio_err,"\nPlease enter the following 'extra' attributes\n");
1366                                 BIO_printf(bio_err,"to be sent with your certificate request\n");
1367                                 }
1368
1369                         i= -1;
1370 start2:                 for (;;)
1371                                 {
1372                                 i++;
1373                                 if ((attr_sk == NULL) ||
1374                                             (sk_CONF_VALUE_num(attr_sk) <= i))
1375                                         break;
1376
1377                                 v=sk_CONF_VALUE_value(attr_sk,i);
1378                                 type=v->name;
1379                                 if ((nid=OBJ_txt2nid(type)) == NID_undef)
1380                                         goto start2;
1381
1382                                 sprintf(buf,"%s_default",type);
1383                                 if ((def=NCONF_get_string(req_conf,attr_sect,buf))
1384                                         == NULL)
1385                                         {
1386                                         ERR_clear_error();
1387                                         def="";
1388                                         }
1389                                 
1390                                 
1391                                 sprintf(buf,"%s_value",type);
1392                                 if ((value=NCONF_get_string(req_conf,attr_sect,buf))
1393                                         == NULL)
1394                                         {
1395                                         ERR_clear_error();
1396                                         value=NULL;
1397                                         }
1398
1399                                 sprintf(buf,"%s_min",type);
1400                                 if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
1401                                         n_min = -1;
1402
1403                                 sprintf(buf,"%s_max",type);
1404                                 if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
1405                                         n_max = -1;
1406
1407                                 if (!add_attribute_object(req,
1408                                         v->value,def,value,nid,n_min,n_max, chtype))
1409                                         return 0;
1410                                 }
1411                         }
1412                 }
1413         else
1414                 {
1415                 BIO_printf(bio_err,"No template, please set one up.\n");
1416                 return 0;
1417                 }
1418
1419         return 1;
1420
1421         }
1422
1423 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
1424                         STACK_OF(CONF_VALUE) *attr_sk, int attribs, unsigned long chtype)
1425         {
1426         int i;
1427         char *p,*q;
1428         char *type;
1429         CONF_VALUE *v;
1430         X509_NAME *subj;
1431
1432         subj = X509_REQ_get_subject_name(req);
1433
1434         for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
1435                 {
1436                 v=sk_CONF_VALUE_value(dn_sk,i);
1437                 p=q=NULL;
1438                 type=v->name;
1439                 /* Skip past any leading X. X: X, etc to allow for
1440                  * multiple instances 
1441                  */
1442                 for(p = v->name; *p ; p++) 
1443 #ifndef CHARSET_EBCDIC
1444                         if ((*p == ':') || (*p == ',') || (*p == '.')) {
1445 #else
1446                         if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) {
1447 #endif
1448                                 p++;
1449                                 if(*p) type = p;
1450                                 break;
1451                         }
1452                 if (!X509_NAME_add_entry_by_txt(subj,type, chtype,
1453                                 (unsigned char *) v->value,-1,-1,0)) return 0;
1454
1455                 }
1456
1457                 if (!X509_NAME_entry_count(subj))
1458                         {
1459                         BIO_printf(bio_err,"error, no objects specified in config file\n");
1460                         return 0;
1461                         }
1462                 if (attribs)
1463                         {
1464                         for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++)
1465                                 {
1466                                 v=sk_CONF_VALUE_value(attr_sk,i);
1467                                 if(!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
1468                                         (unsigned char *)v->value, -1)) return 0;
1469                                 }
1470                         }
1471         return 1;
1472         }
1473
1474
1475 static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
1476              int nid, int n_min, int n_max, unsigned long chtype)
1477         {
1478         int i,ret=0;
1479         MS_STATIC char buf[1024];
1480 start:
1481         if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def);
1482         (void)BIO_flush(bio_err);
1483         if(value != NULL)
1484                 {
1485                 strcpy(buf,value);
1486                 strcat(buf,"\n");
1487                 BIO_printf(bio_err,"%s\n",value);
1488                 }
1489         else
1490                 {
1491                 buf[0]='\0';
1492                 if (!batch)
1493                         {
1494                         fgets(buf,1024,stdin);
1495                         }
1496                 else
1497                         {
1498                         buf[0] = '\n';
1499                         buf[1] = '\0';
1500                         }
1501                 }
1502
1503         if (buf[0] == '\0') return(0);
1504         else if (buf[0] == '\n')
1505                 {
1506                 if ((def == NULL) || (def[0] == '\0'))
1507                         return(1);
1508                 strcpy(buf,def);
1509                 strcat(buf,"\n");
1510                 }
1511         else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
1512
1513         i=strlen(buf);
1514         if (buf[i-1] != '\n')
1515                 {
1516                 BIO_printf(bio_err,"weird input :-(\n");
1517                 return(0);
1518                 }
1519         buf[--i]='\0';
1520 #ifdef CHARSET_EBCDIC
1521         ebcdic2ascii(buf, buf, i);
1522 #endif
1523         if(!req_check_len(i, n_min, n_max)) goto start;
1524         if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
1525                                 (unsigned char *) buf, -1,-1,0)) goto err;
1526         ret=1;
1527 err:
1528         return(ret);
1529         }
1530
1531 static int add_attribute_object(X509_REQ *req, char *text,
1532                                 char *def, char *value, int nid, int n_min,
1533                                 int n_max, unsigned long chtype)
1534         {
1535         int i;
1536         static char buf[1024];
1537
1538 start:
1539         if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def);
1540         (void)BIO_flush(bio_err);
1541         if (value != NULL)
1542                 {
1543                 strcpy(buf,value);
1544                 strcat(buf,"\n");
1545                 BIO_printf(bio_err,"%s\n",value);
1546                 }
1547         else
1548                 {
1549                 buf[0]='\0';
1550                 if (!batch)
1551                         {
1552                         fgets(buf,1024,stdin);
1553                         }
1554                 else
1555                         {
1556                         buf[0] = '\n';
1557                         buf[1] = '\0';
1558                         }
1559                 }
1560
1561         if (buf[0] == '\0') return(0);
1562         else if (buf[0] == '\n')
1563                 {
1564                 if ((def == NULL) || (def[0] == '\0'))
1565                         return(1);
1566                 strcpy(buf,def);
1567                 strcat(buf,"\n");
1568                 }
1569         else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
1570
1571         i=strlen(buf);
1572         if (buf[i-1] != '\n')
1573                 {
1574                 BIO_printf(bio_err,"weird input :-(\n");
1575                 return(0);
1576                 }
1577         buf[--i]='\0';
1578 #ifdef CHARSET_EBCDIC
1579         ebcdic2ascii(buf, buf, i);
1580 #endif
1581         if(!req_check_len(i, n_min, n_max)) goto start;
1582
1583         if(!X509_REQ_add1_attr_by_NID(req, nid, chtype,
1584                                         (unsigned char *)buf, -1)) {
1585                 BIO_printf(bio_err, "Error adding attribute\n");
1586                 ERR_print_errors(bio_err);
1587                 goto err;
1588         }
1589
1590         return(1);
1591 err:
1592         return(0);
1593         }
1594
1595 #ifndef OPENSSL_NO_RSA
1596 static void MS_CALLBACK req_cb(int p, int n, void *arg)
1597         {
1598         char c='*';
1599
1600         if (p == 0) c='.';
1601         if (p == 1) c='+';
1602         if (p == 2) c='*';
1603         if (p == 3) c='\n';
1604         BIO_write((BIO *)arg,&c,1);
1605         (void)BIO_flush((BIO *)arg);
1606 #ifdef LINT
1607         p=n;
1608 #endif
1609         }
1610 #endif
1611
1612 static int req_check_len(int len, int n_min, int n_max)
1613         {
1614         if ((n_min > 0) && (len < n_min))
1615                 {
1616                 BIO_printf(bio_err,"string is too short, it needs to be at least %d bytes long\n",n_min);
1617                 return(0);
1618                 }
1619         if ((n_max >= 0) && (len > n_max))
1620                 {
1621                 BIO_printf(bio_err,"string is too long, it needs to be less than  %d bytes long\n",n_max);
1622                 return(0);
1623                 }
1624         return(1);
1625         }
1626
1627 /* Check if the end of a string matches 'end' */
1628 static int check_end(char *str, char *end)
1629 {
1630         int elen, slen; 
1631         char *tmp;
1632         elen = strlen(end);
1633         slen = strlen(str);
1634         if(elen > slen) return 1;
1635         tmp = str + slen - elen;
1636         return strcmp(tmp, end);
1637 }