This makes it a little easier to create a pre-certificate.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
# create a certificate
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
# create a certificate
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT eq '-newprecert' ) {
+ # create a pre-certificate
+ $RET = run("$REQ -new -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
+ print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-newreq' ) {
# create a certificate request
$RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
} elsif ($WHAT eq '-newreq' ) {
# create a certificate request
$RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
+ OPT_REQEXTS, OPT_PRECERT, OPT_MD
} OPTION_CHOICE;
const OPTIONS req_options[] = {
} OPTION_CHOICE;
const OPTIONS req_options[] = {
"Cert extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
"Cert extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
+ {"precert", OPT_PRECERT, '-', "Add a poison extension"},
{"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
long newkey = -1;
unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
char nmflag_set = 0;
long newkey = -1;
unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
char nmflag_set = 0;
case OPT_REQEXTS:
req_exts = opt_arg();
break;
case OPT_REQEXTS:
req_exts = opt_arg();
break;
+ case OPT_PRECERT:
+ precert = 1;
+ break;
case OPT_MD:
if (!opt_md(opt_unknown(), &md_alg))
goto opthelp;
case OPT_MD:
if (!opt_md(opt_unknown(), &md_alg))
goto opthelp;
+ /* If a pre-cert was requested, we need to add a poison extension */
+ if (precert) {
+ if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
+ != 1) {
+ BIO_printf(bio_err, "Error adding poison extension\n");
+ goto end;
+ }
+ }
+
i = do_X509_sign(x509ss, pkey, digest, sigopts);
if (!i) {
ERR_print_errors(bio_err);
i = do_X509_sign(x509ss, pkey, digest, sigopts);
if (!i) {
ERR_print_errors(bio_err);
projects / openssl.git / commitdiff