X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Freq.c;h=edf998ba703a8b81fa5d5f2d31d184ecd2c03350;hp=d6d46a95ff8b65648f3e1d79f1ae19e21846ed54;hb=04f6b0fd9110c85c3c0d6d1172005d1c6755ac86;hpb=69ac182d15e964801a237f826d71fd4d77b4710f
diff --git a/apps/req.c b/apps/req.c
index d6d46a95ff..edf998ba70 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -89,8 +89,8 @@
 #define STRING_MASK "string_mask"
 #define UTF8_IN "utf8"
-#define DEFAULT_KEY_LENGTH 512
-#define MIN_KEY_LENGTH 384
+#define DEFAULT_KEY_LENGTH 2048
+#define MIN_KEY_LENGTH 512
 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
                     int attribs, unsigned long chtype);
@@ -136,19 +136,19 @@ OPTIONS req_options[] = {
     {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
     {"in", OPT_IN, '<', "Input file"},
     {"out", OPT_OUT, '>', "Output file"},
-    {"key", OPT_KEY, '<', "Use the private key contained in file"},
-    {"keyform", OPT_KEYFORM, 'F', "Key file format"},
+    {"key", OPT_KEY, 's', "Private key to use"},
+    {"keyform", OPT_KEYFORM, 'f', "Key file format"},
     {"pubkey", OPT_PUBKEY, '-', "Output public key"},
     {"new", OPT_NEW, '-', "New request"},
     {"config", OPT_CONFIG, '<', "Request template file"},
     {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
     {"passin", OPT_PASSIN, 's', "Private key password source"},
-    {"passout", OPT_PASSOUT, 's'},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
     {"rand", OPT_RAND, 's',
      "Load the file(s) into the random number generator"},
     {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
-    {"pkeyopt", OPT_PKEYOPT, 's'},
-    {"sigopt", OPT_SIGOPT, 's'},
+    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
+    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
     {"batch", OPT_BATCH, '-',
      "Do not ask anything during request generation"},
     {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
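Review bot: The `+#define MIN_KEY_LENGTH 512` line leaves the accepted floor at a size that is well below any current guidance for RSA, so a `-newkey rsa:512` request still goes through silently even though the new DEFAULT_KEY_LENGTH of 2048 shows the intended baseline. The minimum should move with the default, e.g. `#define MIN_KEY_LENGTH 1024`, or the code that enforces it (outside this hunk) should at least warn when the requested size is below DEFAULT_KEY_LENGTH. A one-line comment on the two defines, `/* DEFAULT_KEY_LENGTH is used when -newkey gives no size; MIN_KEY_LENGTH is the smallest size accepted */`, would also make the relationship between them explicit.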
@@ -156,7 +156,7 @@ OPTIONS req_options[] = {
     {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
     {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
     {"noout", OPT_NOOUT, '-', "Do not output REQ"},
-    {"verbose", OPT_VERBOSE, '-'},
+    {"verbose", OPT_VERBOSE, '-', "Verbose output"},
     {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
     {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
     {"reqopt", OPT_REQOPT, 's', "Various request text options"},
@@ -177,7 +177,8 @@ OPTIONS req_options[] = {
     {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-    {"keygen_engine", OPT_KEYGEN_ENGINE, 's'},
+    {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
+     "Specify engine to be used for key generation operations"},
 #endif
     {NULL}
 };
@@ -197,7 +198,9 @@ int req_main(int argc, char **argv)
     char *extensions = NULL, *infile = NULL;
     char *outfile = NULL, *keyfile = NULL, *inrand = NULL;
     char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
-    char *passin = NULL, *passout = NULL, *req_exts = NULL, *subj = NULL;
+    char *passin = NULL, *passout = NULL;
+    char *nofree_passin = NULL, *nofree_passout = NULL;
+    char *req_exts = NULL, *subj = NULL;
     char *template = default_config_file, *keyout = NULL;
     const char *keyalg = NULL;
     OPTION_CHOICE o;
@@ -235,7 +238,7 @@ int req_main(int argc, char **argv)
             goto opthelp;
         break;
     case OPT_ENGINE:
-        (void)setup_engine(opt_arg(), 0);
+        e = setup_engine(opt_arg(), 0);
         break;
     case OPT_KEYGEN_ENGINE:
 #ifndef OPENSSL_NO_ENGINE
@@ -259,7 +262,7 @@ int req_main(int argc, char **argv)
         template = opt_arg();
         break;
     case OPT_KEYFORM:
-        if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
+        if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
             goto opthelp;
         break;
     case OPT_IN:
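Review bot: `e = setup_engine(opt_arg(), 0);` now keeps the ENGINE reference that was previously discarded, but nothing in this diff shows it being released: the cleanup context in the later `-860` hunk (`X509_REQ_free(req);` through `OBJ_cleanup();`) has no `release_engine(e)` or equivalent `ENGINE_finish`/`ENGINE_free` pair, and the declaration of `e` is not visible in the `-197` declaration hunk either. If the release is not already present above that cleanup context, add `release_engine(e);` (or whatever this tree uses to undo setup_engine) before `return (ret);` so the structural reference is not leaked on every run that uses `-engine`. The switch case is in the middle of req_main, whose start and end lie outside this hunk.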
@@ -366,7 +369,8 @@ int req_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
     if (!nmflag_set)
         nmflag = XN_FLAG_ONELINE;
@@ -434,15 +438,17 @@ int req_main(int argc, char **argv)
         }
     }
-    if (!passin) {
-        passin = NCONF_get_string(req_conf, SECTION, "input_password");
-        if (!passin)
+    if (passin == NULL) {
+        passin = nofree_passin =
+            NCONF_get_string(req_conf, SECTION, "input_password");
+        if (passin == NULL)
             ERR_clear_error();
     }
-    if (!passout) {
-        passout = NCONF_get_string(req_conf, SECTION, "output_password");
-        if (!passout)
+    if (passout == NULL) {
+        passout = nofree_passout =
+            NCONF_get_string(req_conf, SECTION, "output_password");
+        if (passout == NULL)
             ERR_clear_error();
     }
@@ -860,8 +866,10 @@ int req_main(int argc, char **argv)
     X509_REQ_free(req);
     X509_free(x509ss);
     ASN1_INTEGER_free(serial);
-    OPENSSL_free(passin);
-    OPENSSL_free(passout);
+    if (passin != nofree_passin)
+        OPENSSL_free(passin);
+    if (passout != nofree_passout)
+        OPENSSL_free(passout);
     OBJ_cleanup();
     return (ret);
 }
@@ -1118,7 +1126,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
                      STACK_OF(CONF_VALUE) *attr_sk, int attribs,
                      unsigned long chtype)
 {
-    int i;
+    int i, spec_char, plus_char;
     char *p, *q;
     char *type;
     CONF_VALUE *v;
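Review bot: The double assignment `passin = nofree_passin = NCONF_get_string(req_conf, SECTION, "input_password");` encodes ownership by pointer aliasing, and the cleanup in the `-860` hunk then has to decode it with `if (passin != nofree_passin)`; neither site says why, so a reader has to reconstruct that config-owned strings must not be passed to OPENSSL_free while command-line-derived ones must. A comment at the assignment, `/* owned by req_conf, so the cleanup at end must not OPENSSL_free() it */`, or an explicit ownership flag declared next to the `nofree_passin`/`nofree_passout` variables added in the `-197` hunk, would make the contract visible; the same applies to the passout branch. The logic itself holds as written: when neither the command line nor the config supplies a password both pointers stay NULL and the comparison still skips the free. Both hunks sit inside req_main, whose start and end are outside this view.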
@@ -1134,24 +1142,26 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
             /*
              * Skip past any leading X. X: X, etc to allow for multiple instances
              */
-            for (p = v->name; *p; p++)
+            for (p = v->name; *p; p++) {
 #ifndef CHARSET_EBCDIC
-                if ((*p == ':') || (*p == ',') || (*p == '.')) {
+                spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
 #else
-                if ((*p == os_toascii[':']) || (*p == os_toascii[','])
-                    || (*p == os_toascii['.'])) {
+                spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
+                    || (*p == os_toascii['.']));
 #endif
+                if (spec_char) {
                     p++;
                     if (*p)
                         type = p;
                     break;
                 }
+            }
 #ifndef CHARSET_EBCDIC
-            if (*p == '+')
+            plus_char = (*p == '+');
 #else
-            if (*p == os_toascii['+'])
+            plus_char = (*p == os_toascii['+']);
 #endif
-            {
+            if (plus_char) {
                 p++;
                 mval = -1;
             } else
@@ -1372,8 +1382,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
         EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
 #ifndef OPENSSL_NO_ENGINE
-        if (tmpeng)
-            ENGINE_finish(tmpeng);
+        ENGINE_finish(tmpeng);
 #endif
         if (*pkey_type == EVP_PKEY_RSA) {
             if (p) {
@@ -1430,8 +1439,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
         EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
         *palgnam = OPENSSL_strdup(anam);
 #ifndef OPENSSL_NO_ENGINE
-        if (tmpeng)
-            ENGINE_finish(tmpeng);
+        ENGINE_finish(tmpeng);
 #endif
     }
@@ -1515,13 +1523,9 @@ int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
     if (rv > 0)
         rv = X509_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }
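Review bot: Removing the `if (tmpeng)` guard so that `ENGINE_finish(tmpeng);` runs unconditionally is only correct if ENGINE_finish() treats a NULL argument as a no-op, and nothing in this diff establishes that contract. Worth recording it at the call, `/* ENGINE_finish(NULL) is a no-op */`, so the next person to touch this does not reinstate the guard or, worse, assume it is needed elsewhere. The identical change appears in the `-1430` hunk of the same function. set_keygen_ctx begins and ends outside both hunks.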
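Review bot: The unconditional `EVP_MD_CTX_free(mctx);` after `rv = X509_sign_ctx(x, mctx);` is a double free unless ASN1_item_sign_ctx() has stopped freeing the context it is handed, which is exactly the behaviour the deleted comment described; that library-side change is not part of this diff, so it should be confirmed against the ASN1 code and the new ownership rule recorded here, e.g. `/* X509_sign_ctx() no longer consumes mctx; this function owns and frees it */`. The same pattern is in do_X509_REQ_sign and do_X509_CRL_sign (hunks `-1531` and `-1547`), so one comment per function or a shared note on do_sign_init would cover all three. Separately, `EVP_MD_CTX_new()` can return NULL and mctx is passed straight to do_sign_init(); unless do_sign_init tolerates a NULL ctx, `if (mctx == NULL) return 0;` before that call would close the gap. The opening of do_X509_sign lies outside the hunk.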
@@ -1531,13 +1535,9 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
     int rv;
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_REQ_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
     if (rv > 0)
         rv = X509_REQ_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }
@@ -1547,12 +1547,8 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
     int rv;
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_CRL_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
     if (rv > 0)
         rv = X509_CRL_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }