X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Freq.c;h=a47dfcffafced7878c5661be1e4b0a0a1f186dd4;hp=f1ee9515a44b62fea0e69784fe232df77053db8a;hb=f2582f08d5167ee84b7b313fd1435fe91ee44880;hpb=6b4a77f56e14c002ce3cf960f622682be3b8424b diff --git a/apps/req.c b/apps/req.c index f1ee9515a4..a47dfcffaf 100644 --- a/apps/req.c +++ b/apps/req.c @@ -46,11 +46,11 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn, int attribs, unsigned long chtype); -static int build_subject(X509_REQ *req, char *subj, unsigned long chtype, +static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype, int multirdn); static int prompt_info(X509_REQ *req, - STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect, - STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, + STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, + STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, int attribs, unsigned long chtype); static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk, STACK_OF(CONF_VALUE) *attr, int attribs, @@ -79,10 +79,10 @@ typedef enum OPTION_choice { OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS, - OPT_REQEXTS, OPT_MD + OPT_REQEXTS, OPT_PRECERT, OPT_MD } OPTION_CHOICE; -OPTIONS req_options[] = { +const OPTIONS req_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, @@ -121,11 +121,12 @@ OPTIONS req_options[] = { {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', "Enable support for multivalued RDNs"}, {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, - {"set_serial", OPT_SET_SERIAL, 'p', "Serial number to use"}, + {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, {"extensions", OPT_EXTENSIONS, 's', "Cert extension section (override value in config file)"}, {"reqexts", OPT_REQEXTS, 's', "Request extension section (override value in config file)"}, + {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"}, {"", OPT_MD, '-', "Any supported digest"}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, @@ -160,10 +161,9 @@ int req_main(int argc, char **argv) int pkey_type = -1, private = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0; - int nodes = 0, newhdr = 0, subject = 0, pubkey = 0; + int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; long newkey = -1; - unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0; - char nmflag_set = 0; + unsigned long chtype = MBSTRING_ASC, reqflag = 0; #ifndef OPENSSL_NO_DES cipher = EVP_des_ede3_cbc(); @@ -276,8 +276,7 @@ int req_main(int argc, char **argv) chtype = MBSTRING_UTF8; break; case OPT_NAMEOPT: - nmflag_set = 1; - if (!set_name_ex(&nmflag, opt_arg())) + if (!set_nameopt(opt_arg())) goto opthelp; break; case OPT_REQOPT: @@ -294,6 +293,10 @@ int req_main(int argc, char **argv) days = atoi(opt_arg()); break; case OPT_SET_SERIAL: + if (serial != NULL) { + BIO_printf(bio_err, "Serial number supplied twice\n"); + goto opthelp; + } serial = s2i_ASN1_INTEGER(NULL, opt_arg()); if (serial == NULL) goto opthelp; @@ -313,6 +316,9 @@ int req_main(int argc, char **argv) case OPT_REQEXTS: req_exts = opt_arg(); break; + case OPT_PRECERT: + newreq = precert = 1; + break; case OPT_MD: if (!opt_md(opt_unknown(), &md_alg)) goto opthelp; @@ -324,8 +330,8 @@ int req_main(int argc, char **argv) if (argc != 0) goto opthelp; - if (!nmflag_set) - nmflag = XN_FLAG_ONELINE; + if (x509 && infile == NULL) + newreq = 1; /* TODO: simplify this as pkey is still always NULL here */ private = newreq && (pkey == NULL) ? 1 : 0; @@ -616,9 +622,7 @@ int req_main(int argc, char **argv) if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end; - if (!X509_gmtime_adj(X509_get_notBefore(x509ss), 0)) - goto end; - if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) + if (!set_cert_times(x509ss, NULL, NULL, days)) goto end; if (!X509_set_subject_name (x509ss, X509_REQ_get_subject_name(req))) @@ -641,6 +645,15 @@ int req_main(int argc, char **argv) goto end; } + /* If a pre-cert was requested, we need to add a poison extension */ + if (precert) { + if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0) + != 1) { + BIO_printf(bio_err, "Error adding poison extension\n"); + goto end; + } + } + i = do_X509_sign(x509ss, pkey, digest, sigopts); if (!i) { ERR_print_errors(bio_err); @@ -679,7 +692,7 @@ int req_main(int argc, char **argv) if (verbose) { BIO_printf(bio_err, "Modifying Request's Subject\n"); print_name(bio_err, "old subject=", - X509_REQ_get_subject_name(req), nmflag); + X509_REQ_get_subject_name(req), get_nameopt()); } if (build_subject(req, subj, chtype, multirdn) == 0) { @@ -690,7 +703,7 @@ int req_main(int argc, char **argv) if (verbose) { print_name(bio_err, "new subject=", - X509_REQ_get_subject_name(req), nmflag); + X509_REQ_get_subject_name(req), get_nameopt()); } } @@ -727,40 +740,39 @@ int req_main(int argc, char **argv) goto end; if (pubkey) { - EVP_PKEY *tpubkey; - tpubkey = X509_REQ_get_pubkey(req); + EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req); + if (tpubkey == NULL) { BIO_printf(bio_err, "Error getting public key\n"); ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(out, tpubkey); - EVP_PKEY_free(tpubkey); } if (text) { if (x509) - X509_print_ex(out, x509ss, nmflag, reqflag); + X509_print_ex(out, x509ss, get_nameopt(), reqflag); else - X509_REQ_print_ex(out, req, nmflag, reqflag); + X509_REQ_print_ex(out, req, get_nameopt(), reqflag); } if (subject) { if (x509) print_name(out, "subject=", X509_get_subject_name(x509ss), - nmflag); + get_nameopt()); else print_name(out, "subject=", X509_REQ_get_subject_name(req), - nmflag); + get_nameopt()); } if (modulus) { EVP_PKEY *tpubkey; if (x509) - tpubkey = X509_get_pubkey(x509ss); + tpubkey = X509_get0_pubkey(x509ss); else - tpubkey = X509_REQ_get_pubkey(req); + tpubkey = X509_REQ_get0_pubkey(req); if (tpubkey == NULL) { fprintf(stdout, "Modulus=unavailable\n"); goto end; @@ -774,7 +786,6 @@ int req_main(int argc, char **argv) } else #endif fprintf(stdout, "Wrong Algorithm type"); - EVP_PKEY_free(tpubkey); fprintf(stdout, "\n"); } @@ -819,6 +830,7 @@ int req_main(int argc, char **argv) X509_REQ_free(req); X509_free(x509ss); ASN1_INTEGER_free(serial); + release_engine(e); if (passin != nofree_passin) OPENSSL_free(passin); if (passout != nofree_passout) @@ -890,7 +902,7 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, * subject is expected to be in the format /type0=value0/type1=value1/type2=... * where characters may be escaped by \ */ -static int build_subject(X509_REQ *req, char *subject, unsigned long chtype, +static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype, int multirdn) { X509_NAME *n; @@ -907,8 +919,8 @@ static int build_subject(X509_REQ *req, char *subject, unsigned long chtype, } static int prompt_info(X509_REQ *req, - STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect, - STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, + STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, + STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, int attribs, unsigned long chtype) { int i; @@ -1271,7 +1283,7 @@ static int req_check_len(int len, int n_min, int n_max) } if ((n_max >= 0) && (len > n_max)) { BIO_printf(bio_err, - "string is too long, it needs to be less than %d bytes long\n", + "string is too long, it needs to be no more than %d bytes long\n", n_max); return (0); }