Add support for using engine-backed keys in spkac

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3599)

diff --git a/apps/spkac.c b/apps/spkac.c
index 871b4f06f8bad80f3d6ec0cadf8a2d2d37ed49e2..efd4ea2305dcd55b40f7c1eebb21525507572577 100644 (file)
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -24,7 +24,7 @@ typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT,
     OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC,
-    OPT_SPKSECT
+    OPT_SPKSECT, OPT_KEYFORM
 } OPTION_CHOICE;
 
 const OPTIONS spkac_options[] = {
@@ -32,6 +32,7 @@ const OPTIONS spkac_options[] = {
     {"in", OPT_IN, '<', "Input file"},
     {"out", OPT_OUT, '>', "Output file"},
     {"key", OPT_KEY, '<', "Create SPKAC using private key"},
+    {"keyform", OPT_KEYFORM, 'f', "Private key file format - default PEM (PEM, DER, or ENGINE)"},
     {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
     {"challenge", OPT_CHALLENGE, 's', "Challenge string"},
     {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
@@ -58,6 +59,7 @@ int spkac_main(int argc, char **argv)
     char *spkstr = NULL, *prog;
     const char *spkac = "SPKAC", *spksect = "default";
     int i, ret = 1, verify = 0, noout = 0, pubkey = 0;
+    int keyformat = FORMAT_PEM;
     OPTION_CHOICE o;
 
     prog = opt_init(argc, argv, spkac_options);
@@ -93,6 +95,10 @@ int spkac_main(int argc, char **argv)
         case OPT_KEY:
             keyfile = opt_arg();
             break;
+        case OPT_KEYFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
+                goto opthelp;
+           break;
         case OPT_CHALLENGE:
             challenge = opt_arg();
             break;
@@ -118,7 +124,7 @@ int spkac_main(int argc, char **argv)
 
     if (keyfile) {
         pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL,
-                        FORMAT_PEM, 1, passin, e, "private key");
+                        keyformat, 1, passin, e, "private key");
         if (!pkey) {
             goto end;
         }

diff --git a/doc/man1/spkac.pod b/doc/man1/spkac.pod
index d4b896a1a60486804dce4842be1488a01d7d9016..14fdd0bcc83e6872b1cff4ef2f4040ea3f6b2a91 100644 (file)
--- a/doc/man1/spkac.pod
+++ b/doc/man1/spkac.pod
@@ -11,6 +11,7 @@ B<openssl> B<spkac>
 [B<-in filename>]
 [B<-out filename>]
 [B<-key keyfile>]
+[B<-keyform PEM|DER|ENGINE>]
 [B<-passin arg>]
 [B<-challenge string>]
 [B<-pubkey>]
@@ -50,6 +51,11 @@ Create an SPKAC file using the private key in B<keyfile>. The
 B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
 present.
 
+=item B<-keyform PEM|DER|ENGINE>
+
+Whether the key format is PEM, DER, or an engine-backed key.
+The default is PEM.
+
 =item B<-passin password>
 
 The input file password source. For more information about the format of B<arg>