# include <openssl/dsa.h>
#endif
-#define SECTION "req"
#define BITS "default_bits"
#define KEYFILE "default_keyfile"
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
int *pkey_type, long *pkeylen,
char **palgnam, ENGINE *keygen_engine);
+
+static const char *section = "req";
static CONF *req_conf = NULL;
static CONF *addext_conf = NULL;
static int batch = 0;
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
OPT_REQEXTS, OPT_PRECERT, OPT_MD, OPT_SM2ID, OPT_SM2HEXID,
+ OPT_SECTION,
OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
OPT_SECTION("Certificate"),
{"new", OPT_NEW, '-', "New request"},
{"config", OPT_CONFIG, '<', "Request template file"},
+ {"section", OPT_SECTION, 's', "Config section to use (default \"req\")"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
{"reqopt", OPT_REQOPT, 's', "Various request text options"},
case OPT_CONFIG:
template = opt_arg();
break;
+ case OPT_SECTION:
+ section = opt_arg();
+ break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
goto opthelp;
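Review bot: `case OPT_SECTION` stores `opt_arg()` without any later check that the named section exists in the loaded config, so a mistyped `-section` is not reported. Every lookup shown in the later hunks (`default_md`, `default_bits`, `req_extensions`, `string_mask`, `encrypt_key`) returns NULL, the error is dropped with `ERR_clear_error()`, and the request is built from compiled-in defaults instead of the policy the operator thought they selected. Once `req_conf` is loaded, and only when `-section` was given explicitly, I would fail early with `if (NCONF_get_section(req_conf, section) == NULL) { BIO_printf(bio_err, "no section '%s' in config\n", section); goto end; }`. The enclosing option switch and the config-loading code lie outside this hunk, so the exact placement needs to be confirmed there.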
goto end;
if (md_alg == NULL) {
- p = NCONF_get_string(req_conf, SECTION, "default_md");
+ p = NCONF_get_string(req_conf, section, "default_md");
if (p == NULL) {
ERR_clear_error();
} else {
}
if (extensions == NULL) {
- extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+ extensions = NCONF_get_string(req_conf, section, V3_EXTENSIONS);
if (extensions == NULL)
ERR_clear_error();
}
if (passin == NULL) {
passin = nofree_passin =
- NCONF_get_string(req_conf, SECTION, "input_password");
+ NCONF_get_string(req_conf, section, "input_password");
if (passin == NULL)
ERR_clear_error();
}
if (passout == NULL) {
passout = nofree_passout =
- NCONF_get_string(req_conf, SECTION, "output_password");
+ NCONF_get_string(req_conf, section, "output_password");
if (passout == NULL)
ERR_clear_error();
}
- p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
+ p = NCONF_get_string(req_conf, section, STRING_MASK);
if (p == NULL)
ERR_clear_error();
}
if (chtype != MBSTRING_UTF8) {
- p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
+ p = NCONF_get_string(req_conf, section, UTF8_IN);
if (p == NULL)
ERR_clear_error();
else if (strcmp(p, "yes") == 0)
}
if (req_exts == NULL) {
- req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
+ req_exts = NCONF_get_string(req_conf, section, REQ_EXTENSIONS);
if (req_exts == NULL)
ERR_clear_error();
}
/* load_key() has already printed an appropriate message */
goto end;
} else {
- app_RAND_load_conf(req_conf, SECTION);
+ app_RAND_load_conf(req_conf, section);
}
}
if (newreq && (pkey == NULL)) {
- app_RAND_load_conf(req_conf, SECTION);
+ app_RAND_load_conf(req_conf, section);
- if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
+ if (!NCONF_get_number(req_conf, section, BITS, &newkey)) {
newkey = DEFAULT_KEY_LENGTH;
}
genctx = NULL;
if (keyout == NULL) {
- keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
+ keyout = NCONF_get_string(req_conf, section, KEYFILE);
if (keyout == NULL)
ERR_clear_error();
}
if (out == NULL)
goto end;
- p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
+ p = NCONF_get_string(req_conf, section, "encrypt_rsa_key");
if (p == NULL) {
ERR_clear_error();
- p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
+ p = NCONF_get_string(req_conf, section, "encrypt_key");
if (p == NULL)
ERR_clear_error();
}
STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
char *tmp, *dn_sect, *attr_sect;
- tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
+ tmp = NCONF_get_string(req_conf, section, PROMPT);
if (tmp == NULL)
ERR_clear_error();
if ((tmp != NULL) && strcmp(tmp, "no") == 0)
no_prompt = 1;
- dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
+ dn_sect = NCONF_get_string(req_conf, section, DISTINGUISHED_NAME);
if (dn_sect == NULL) {
BIO_printf(bio_err, "unable to find '%s' in config\n",
DISTINGUISHED_NAME);
goto err;
}
- attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
+ attr_sect = NCONF_get_string(req_conf, section, ATTRIBUTES);
if (attr_sect == NULL) {
ERR_clear_error();
attr_sk = NULL;
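Review bot: The diagnostic on the failed `DISTINGUISHED_NAME` lookup still reads "unable to find '%s' in config" and does not say which section was searched, which matters now that the section is user-selectable. Someone debugging a wrong `-section` value will see only the key name. Suggest `BIO_printf(bio_err, "unable to find '%s' in section '%s' of config\n", DISTINGUISHED_NAME, section);`. The function this belongs to starts and ends outside the hunk.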
setup("test_req");
-plan tests => 15;
+plan tests => 16;
require_ok(srctop_file('test','recipes','tconversion.pl'));
ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3])));
ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
+subtest "generating alt certificate requests with RSA" => sub {
+ plan tests => 3;
+
+ SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 2
+ if disabled("rsa");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-section", "altreq",
+ "-new", "-out", "testreq-rsa.pem", "-utf8",
+ "-key", srctop_file("test", "testrsa.pem")])),
+ "Generating request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsa.pem", "-noout"])),
+ "Verifying signature on request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-section", "altreq",
+ "-verify", "-in", "testreq-rsa.pem", "-noout"])),
+ "Verifying signature on request");
+ }
+};
+
+
subtest "generating certificate requests with RSA" => sub {
plan tests => 2;
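Review bot: The new subtest declares `plan tests => 3` but the SKIP block skips only 2, so a build with RSA disabled would report a plan mismatch; it should be `skip "RSA is not supported by this OpenSSL build", 3`. The second and third checks also share the description "Verifying signature on request", which makes a failure ambiguous in the log; the third could read "Verifying signature on request with -section". Since the `altreq` section added to test.cnf is described as identical to `req`, these tests would still pass if `-section` were silently ignored. Giving `altreq` a distinguishing value and asserting on it, plus one `ok(!run(...))` case for a section name that does not exist, would make the option's effect observable.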
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
####################################################################
[ ca ]
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
+# Make altreq be identical to req
+[ altreq ]
+default_bits = 2048
+default_keyfile = testkey.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName = C field
countryName_value = AU
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Queensland
+stateOrProvinceName = SP field
stateOrProvinceName_value =
-
-localityName = Locality Name (eg, city)
+localityName = L field
localityName_value = Brisbane
-
-organizationName = Organization Name (eg, company)
-organizationName_default =
+organizationName = O field
organizationName_value = CryptSoft Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default =
+organizationalUnitName = OU field
organizationalUnitName_value = .
-
-commonName = Common Name (eg, YOUR name)
+commonName = CN field
commonName_value = Eric Young
-
-emailAddress = Email Address
+emailAddress = email field
emailAddress_value = eay@mincom.oz.au