X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Freq.c;h=a47dfcffafced7878c5661be1e4b0a0a1f186dd4;hp=c4fc931a8e799d23134d96298f791a0e7ade18ae;hb=f2582f08d5167ee84b7b313fd1435fe91ee44880;hpb=dd1abd4462e4e4fa84b8f8de2ec70375f9b0e191

diff --git a/apps/req.c b/apps/req.c
index c4fc931a8e..a47dfcffaf 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -79,7 +79,7 @@ typedef enum OPTION_choice {
     OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
     OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
     OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
-    OPT_REQEXTS, OPT_MD
+    OPT_REQEXTS, OPT_PRECERT, OPT_MD
 } OPTION_CHOICE;
 
 const OPTIONS req_options[] = {
@@ -121,11 +121,12 @@ const OPTIONS req_options[] = {
     {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
      "Enable support for multivalued RDNs"},
     {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
-    {"set_serial", OPT_SET_SERIAL, 'p', "Serial number to use"},
+    {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
     {"extensions", OPT_EXTENSIONS, 's',
      "Cert extension section (override value in config file)"},
     {"reqexts", OPT_REQEXTS, 's',
      "Request extension section (override value in config file)"},
+    {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
     {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
@@ -160,10 +161,9 @@ int req_main(int argc, char **argv)
     int pkey_type = -1, private = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
     int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
-    int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
+    int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
     long newkey = -1;
-    unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
-    char nmflag_set = 0;
+    unsigned long chtype = MBSTRING_ASC, reqflag = 0;
 
 #ifndef OPENSSL_NO_DES
     cipher = EVP_des_ede3_cbc();
@@ -276,8 +276,7 @@ int req_main(int argc, char **argv)
             chtype = MBSTRING_UTF8;
             break;
         case OPT_NAMEOPT:
-            nmflag_set = 1;
-            if (!set_name_ex(&nmflag, opt_arg()))
+            if (!set_nameopt(opt_arg()))
                 goto opthelp;
             break;
         case OPT_REQOPT:
@@ -289,7 +288,6 @@ int req_main(int argc, char **argv)
             break;
         case OPT_X509:
             x509 = 1;
-            newreq = 1;
             break;
         case OPT_DAYS:
             days = atoi(opt_arg());
@@ -318,6 +316,9 @@ int req_main(int argc, char **argv)
         case OPT_REQEXTS:
             req_exts = opt_arg();
             break;
+        case OPT_PRECERT:
+            newreq = precert = 1;
+            break;
         case OPT_MD:
             if (!opt_md(opt_unknown(), &md_alg))
                 goto opthelp;
@@ -329,8 +330,8 @@ int req_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    if (!nmflag_set)
-        nmflag = XN_FLAG_ONELINE;
+    if (x509 && infile == NULL)
+        newreq = 1;
 
     /* TODO: simplify this as pkey is still always NULL here */
     private = newreq && (pkey == NULL) ? 1 : 0;
@@ -583,7 +584,7 @@ int req_main(int argc, char **argv)
         }
     }
 
-    if (newreq) {
+    if (newreq || x509) {
         if (pkey == NULL) {
             BIO_printf(bio_err, "you need to specify a private key\n");
             goto end;
@@ -644,6 +645,15 @@ int req_main(int argc, char **argv)
                 goto end;
             }
 
+            /* If a pre-cert was requested, we need to add a poison extension */
+            if (precert) {
+                if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
+                    != 1) {
+                    BIO_printf(bio_err, "Error adding poison extension\n");
+                    goto end;
+                }
+            }
+
             i = do_X509_sign(x509ss, pkey, digest, sigopts);
             if (!i) {
                 ERR_print_errors(bio_err);
@@ -682,7 +692,7 @@ int req_main(int argc, char **argv)
         if (verbose) {
             BIO_printf(bio_err, "Modifying Request's Subject\n");
             print_name(bio_err, "old subject=",
-                       X509_REQ_get_subject_name(req), nmflag);
+                       X509_REQ_get_subject_name(req), get_nameopt());
         }
 
         if (build_subject(req, subj, chtype, multirdn) == 0) {
@@ -693,7 +703,7 @@ int req_main(int argc, char **argv)
 
         if (verbose) {
             print_name(bio_err, "new subject=",
-                       X509_REQ_get_subject_name(req), nmflag);
+                       X509_REQ_get_subject_name(req), get_nameopt());
         }
     }
 
@@ -742,18 +752,18 @@ int req_main(int argc, char **argv)
 
     if (text) {
         if (x509)
-            X509_print_ex(out, x509ss, nmflag, reqflag);
+            X509_print_ex(out, x509ss, get_nameopt(), reqflag);
         else
-            X509_REQ_print_ex(out, req, nmflag, reqflag);
+            X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
     }
 
     if (subject) {
         if (x509)
             print_name(out, "subject=", X509_get_subject_name(x509ss),
-                       nmflag);
+                       get_nameopt());
         else
             print_name(out, "subject=", X509_REQ_get_subject_name(req),
-                       nmflag);
+                       get_nameopt());
     }
 
     if (modulus) {
@@ -1273,7 +1283,7 @@ static int req_check_len(int len, int n_min, int n_max)
     }
     if ((n_max >= 0) && (len > n_max)) {
         BIO_printf(bio_err,
-                   "string is too long, it needs to be less than  %d bytes long\n",
+                   "string is too long, it needs to be no more than %d bytes long\n",
                    n_max);
         return (0);
     }