new option "openssl ciphers -V"
[openssl.git] / apps / req.c
index dc08d6d..f58e65e 100644 (file)
  * [including the GNU Public Licence.]
  */
 
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 #define SECTION                "req"
 
  * -rand file(s) - load the file(s) into the PRNG.
  * -newkey     - make a key and a request.
  * -modulus    - print RSA modulus.
+ * -pubkey     - output Public Key.
  * -x509       - output a self signed X509 structure instead.
  * -asn1-kludge        - output new certificate request in a format that some CA's
  *               require.  This format is wrong
  */
 
-static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int attribs,
-               unsigned long chtype);
-static int build_subject(X509_REQ *req, char *subj, unsigned long chtype);
+static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int mutlirdn,
+               int attribs,unsigned long chtype);
+static int build_subject(X509_REQ *req, char *subj, unsigned long chtype,
+               int multirdn);
 static int prompt_info(X509_REQ *req,
                STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
                STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs,
@@ -121,19 +136,18 @@ static int prompt_info(X509_REQ *req,
 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
                                STACK_OF(CONF_VALUE) *attr, int attribs,
                                unsigned long chtype);
-static int add_attribute_object(X509_REQ *req, char *text,
-                               char *def, char *value, int nid, int n_min,
+static int add_attribute_object(X509_REQ *req, char *text, const char *def,
+                               char *value, int nid, int n_min,
                                int n_max, unsigned long chtype);
-static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
-       int nid,int n_min,int n_max, unsigned long chtype);
+static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,
+       int nid,int n_min,int n_max, unsigned long chtype, int mval);
 #ifndef OPENSSL_NO_RSA
-static void MS_CALLBACK req_cb(int p,int n,void *arg);
+static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb);
 #endif
 static int req_check_len(int len,int n_min,int n_max);
-static int check_end(char *str, char *end);
+static int check_end(const char *str, const char *end);
 #ifndef MONOLITH
 static char *default_config_file=NULL;
-static CONF *config=NULL;
 #endif
 static CONF *req_conf=NULL;
 static int batch=0;
@@ -141,6 +155,7 @@ static int batch=0;
 #define TYPE_RSA       1
 #define TYPE_DSA       2
 #define TYPE_DH                3
+#define TYPE_EC                4
 
 int MAIN(int, char **);
 
@@ -150,7 +165,10 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_DSA
        DSA *dsa_params=NULL;
 #endif
-       unsigned long nmflag = 0;
+#ifndef OPENSSL_NO_ECDSA
+       EC_KEY *ec_params = NULL;
+#endif
+       unsigned long nmflag = 0, reqflag = 0;
        int ex=1,x509=0,days=30;
        X509 *x509ss=NULL;
        X509_REQ *req=NULL;
@@ -159,9 +177,11 @@ int MAIN(int argc, char **argv)
        long newkey = -1;
        BIO *in=NULL,*out=NULL;
        int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
-       int nodes=0,kludge=0,newhdr=0,subject=0;
+       int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
        char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
+#ifndef OPENSSL_NO_ENGINE
        char *engine=NULL;
+#endif
        char *extensions = NULL;
        char *req_exts = NULL;
        const EVP_CIPHER *cipher=NULL;
@@ -172,10 +192,12 @@ int MAIN(int argc, char **argv)
        char *passin = NULL, *passout = NULL;
        char *p;
        char *subj = NULL;
-       const EVP_MD *md_alg=NULL,*digest=EVP_md5();
+       int multirdn = 0;
+       const EVP_MD *md_alg=NULL,*digest=EVP_sha1();
        unsigned long chtype = MBSTRING_ASC;
 #ifndef MONOLITH
-       MS_STATIC char config_name[256];
+       char *to_free;
+       long errline;
 #endif
 
        req_conf = NULL;
@@ -208,16 +230,22 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        outformat=str2fmt(*(++argv));
                        }
+#ifndef OPENSSL_NO_ENGINE
                else if (strcmp(*argv,"-engine") == 0)
                        {
                        if (--argc < 1) goto bad;
                        engine= *(++argv);
                        }
+#endif
                else if (strcmp(*argv,"-key") == 0)
                        {
                        if (--argc < 1) goto bad;
                        keyfile= *(++argv);
                        }
+               else if (strcmp(*argv,"-pubkey") == 0)
+                       {
+                       pubkey=1;
+                       }
                else if (strcmp(*argv,"-new") == 0)
                        {
                        newreq=1;
@@ -300,7 +328,7 @@ int MAIN(int argc, char **argv)
                                                goto end;
                                                }
 
-                                       dtmp=X509_get_pubkey(xtmp);
+                                       if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
                                        if (dtmp->type == EVP_PKEY_DSA)
                                                dsa_params=DSAparams_dup(dtmp->pkey.dsa);
                                        EVP_PKEY_free(dtmp);
@@ -312,11 +340,64 @@ int MAIN(int argc, char **argv)
                                                }
                                        }
                                BIO_free(in);
-                               newkey=BN_num_bits(dsa_params->p);
                                in=NULL;
+                               newkey=BN_num_bits(dsa_params->p);
                                }
                        else 
 #endif
+#ifndef OPENSSL_NO_ECDSA
+                               if (strncmp("ec:",p,3) == 0)
+                               {
+                               X509 *xtmp=NULL;
+                               EVP_PKEY *dtmp;
+                               EC_GROUP *group;
+
+                               pkey_type=TYPE_EC;
+                               p+=3;
+                               if ((in=BIO_new_file(p,"r")) == NULL)
+                                       {
+                                       perror(p);
+                                       goto end;
+                                       }
+                               if ((ec_params = EC_KEY_new()) == NULL)
+                                       goto end;
+                               group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
+                               if (group == NULL)
+                                       {
+                                       EC_KEY_free(ec_params);
+                                       ERR_clear_error();
+                                       (void)BIO_reset(in);
+                                       if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
+                                               {       
+                                               BIO_printf(bio_err,"unable to load EC parameters from file\n");
+                                               goto end;
+                                               }
+
+                                       if ((dtmp=X509_get_pubkey(xtmp))==NULL)
+                                               goto end;
+                                       if (dtmp->type == EVP_PKEY_EC)
+                                               ec_params = EC_KEY_dup(dtmp->pkey.ec);
+                                       EVP_PKEY_free(dtmp);
+                                       X509_free(xtmp);
+                                       if (ec_params == NULL)
+                                               {
+                                               BIO_printf(bio_err,"Certificate does not contain EC parameters\n");
+                                               goto end;
+                                               }
+                                       }
+                               else
+                                       {
+                                       if (EC_KEY_set_group(ec_params, group) == 0)
+                                               goto end;
+                                       EC_GROUP_free(group);
+                                       }
+
+                               BIO_free(in);
+                               in=NULL;
+                               newkey = EC_GROUP_get_degree(EC_KEY_get0_group(ec_params));
+                               }
+                       else
+#endif
 #ifndef OPENSSL_NO_DH
                                if (strncmp("dh:",p,4) == 0)
                                {
@@ -325,7 +406,9 @@ int MAIN(int argc, char **argv)
                                }
                        else
 #endif
-                               pkey_type=TYPE_RSA;
+                               {
+                               goto bad;
+                               }
 
                        newreq=1;
                        }
@@ -350,6 +433,11 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        if (!set_name_ex(&nmflag, *(++argv))) goto bad;
                        }
+               else if (strcmp(*argv,"-reqopt") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       if (!set_cert_ex(&reqflag, *(++argv))) goto bad;
+                       }
                else if (strcmp(*argv,"-subject") == 0)
                        subject=1;
                else if (strcmp(*argv,"-text") == 0)
@@ -365,6 +453,8 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        subj= *(++argv);
                        }
+               else if (strcmp(*argv,"-multivalue-rdn") == 0)
+                       multirdn=1;
                else if (strcmp(*argv,"-days") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -412,11 +502,14 @@ bad:
                BIO_printf(bio_err," -in arg        input file\n");
                BIO_printf(bio_err," -out arg       output file\n");
                BIO_printf(bio_err," -text          text form of request\n");
+               BIO_printf(bio_err," -pubkey        output public key\n");
                BIO_printf(bio_err," -noout         do not output REQ\n");
                BIO_printf(bio_err," -verify        verify signature on REQ\n");
                BIO_printf(bio_err," -modulus       RSA modulus\n");
                BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
+#ifndef OPENSSL_NO_ENGINE
                BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device\n");
+#endif
                BIO_printf(bio_err," -subject       output the request's subject\n");
                BIO_printf(bio_err," -passin        private key password source\n");
                BIO_printf(bio_err," -key file      use the private key contained in file\n");
@@ -427,9 +520,13 @@ bad:
                BIO_printf(bio_err,"                the random number generator\n");
                BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
                BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
+#ifndef OPENSSL_NO_ECDSA
+               BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
+#endif
                BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
                BIO_printf(bio_err," -config file   request template file.\n");
                BIO_printf(bio_err," -subj arg      set or modify request subject\n");
+               BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
                BIO_printf(bio_err," -new           new request.\n");
                BIO_printf(bio_err," -batch         do not ask anything during request generation\n");
                BIO_printf(bio_err," -x509          output a x509 structure instead of a cert. req.\n");
@@ -441,6 +538,8 @@ bad:
                BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
                BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
                BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
+               BIO_printf(bio_err," -nameopt arg    - various certificate name options\n");
+               BIO_printf(bio_err," -reqopt arg    - various request text options\n\n");
                goto end;
                }
 
@@ -456,24 +555,18 @@ bad:
        if (p == NULL)
                p=getenv("SSLEAY_CONF");
        if (p == NULL)
-               {
-               strcpy(config_name,X509_get_default_cert_area());
-#ifndef OPENSSL_SYS_VMS
-               strcat(config_name,"/");
-#endif
-               strcat(config_name,OPENSSL_CONF);
-               p=config_name;
-               }
+               p=to_free=make_config_name();
        default_config_file=p;
        config=NCONF_new(NULL);
-       i=NCONF_load(config, p);
+       i=NCONF_load(config, p, &errline);
 #endif
 
        if (template != NULL)
                {
-               long errline;
+               long errline = -1;
 
-               BIO_printf(bio_err,"Using configuration from %s\n",template);
+               if( verbose )
+                       BIO_printf(bio_err,"Using configuration from %s\n",template);
                req_conf=NCONF_new(NULL);
                i=NCONF_load(req_conf,template,&errline);
                if (i == 0)
@@ -485,16 +578,22 @@ bad:
        else
                {
                req_conf=config;
-               BIO_printf(bio_err,"Using configuration from %s\n",
-                       default_config_file);
+
                if (req_conf == NULL)
                        {
-                       BIO_printf(bio_err,"Unable to load config info\n");
+                       BIO_printf(bio_err,"Unable to load config info from %s\n", default_config_file);
+                       if (newreq)
+                               goto end;
                        }
+               else if( verbose )
+                       BIO_printf(bio_err,"Using configuration from %s\n",
+                       default_config_file);
                }
 
        if (req_conf != NULL)
                {
+               if (!load_config(bio_err, req_conf))
+                       goto end;
                p=NCONF_get_string(req_conf,NULL,"oid_file");
                if (p == NULL)
                        ERR_clear_error();
@@ -606,11 +705,13 @@ bad:
        if ((in == NULL) || (out == NULL))
                goto end;
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
        if (keyfile != NULL)
                {
-               pkey = load_key(bio_err, keyfile, keyform, passin, e,
+               pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
                        "Private Key");
                if (!pkey)
                        {
@@ -618,7 +719,8 @@ bad:
                           message */
                        goto end;
                        }
-               if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
+               if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA || 
+                       EVP_PKEY_type(pkey->type) == EVP_PKEY_EC)
                        {
                        char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
                        if (randfile == NULL)
@@ -629,6 +731,9 @@ bad:
 
        if (newreq && (pkey == NULL))
                {
+#ifndef OPENSSL_NO_RSA
+               BN_GENCB cb;
+#endif
                char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
                if (randfile == NULL)
                        ERR_clear_error();
@@ -642,24 +747,33 @@ bad:
                                newkey=DEFAULT_KEY_LENGTH;
                        }
 
-               if (newkey < MIN_KEY_LENGTH)
+               if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA))
                        {
                        BIO_printf(bio_err,"private key length is too short,\n");
-                       BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey);
+                       BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey);
                        goto end;
                        }
-               BIO_printf(bio_err,"Generating a %d bit %s private key\n",
-                       newkey,(pkey_type == TYPE_RSA)?"RSA":"DSA");
+               BIO_printf(bio_err,"Generating a %ld bit %s private key\n",
+                       newkey,(pkey_type == TYPE_RSA)?"RSA":
+                       (pkey_type == TYPE_DSA)?"DSA":"EC");
 
                if ((pkey=EVP_PKEY_new()) == NULL) goto end;
 
 #ifndef OPENSSL_NO_RSA
+               BN_GENCB_set(&cb, req_cb, bio_err);
                if (pkey_type == TYPE_RSA)
                        {
-                       if (!EVP_PKEY_assign_RSA(pkey,
-                               RSA_generate_key(newkey,0x10001,
-                                       req_cb,bio_err)))
+                       RSA *rsa = RSA_new();
+                       BIGNUM *bn = BN_new();
+                       if(!bn || !rsa || !BN_set_word(bn, 0x10001) ||
+                                       !RSA_generate_key_ex(rsa, newkey, bn, &cb) ||
+                                       !EVP_PKEY_assign_RSA(pkey, rsa))
+                               {
+                               if(bn) BN_free(bn);
+                               if(rsa) RSA_free(rsa);
                                goto end;
+                               }
+                       BN_free(bn);
                        }
                else
 #endif
@@ -671,6 +785,15 @@ bad:
                        dsa_params=NULL;
                        }
 #endif
+#ifndef OPENSSL_NO_ECDSA
+                       if (pkey_type == TYPE_EC)
+                       {
+                       if (!EC_KEY_generate_key(ec_params)) goto end;
+                       if (!EVP_PKEY_assign_EC_KEY(pkey, ec_params)) 
+                               goto end;
+                       ec_params = NULL;
+                       }
+#endif
 
                app_RAND_write_file(randfile, bio_err);
 
@@ -776,6 +899,10 @@ loop:
 #ifndef OPENSSL_NO_DSA
                if (pkey->type == EVP_PKEY_DSA)
                        digest=EVP_dss1();
+#endif
+#ifndef OPENSSL_NO_ECDSA
+               if (pkey->type == EVP_PKEY_EC)
+                       digest=EVP_ecdsa();
 #endif
                if (req == NULL)
                        {
@@ -785,7 +912,7 @@ loop:
                                goto end;
                                }
 
-                       i=make_REQ(req,pkey,subj,!x509, chtype);
+                       i=make_REQ(req,pkey,subj,multirdn,!x509, chtype);
                        subj=NULL; /* done processing '-subj' option */
                        if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes))
                                {
@@ -805,21 +932,24 @@ loop:
                        if ((x509ss=X509_new()) == NULL) goto end;
 
                        /* Set version to V3 */
-                       if(!X509_set_version(x509ss, 2)) goto end;
+                       if(extensions && !X509_set_version(x509ss, 2)) goto end;
                        if (serial)
-                               X509_set_serialNumber(x509ss, serial);
+                               {
+                               if (!X509_set_serialNumber(x509ss, serial)) goto end;
+                               }
                        else
-                               ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L);
-
-                       X509_set_issuer_name(x509ss,
-                               X509_REQ_get_subject_name(req));
-                       X509_gmtime_adj(X509_get_notBefore(x509ss),0);
-                       X509_gmtime_adj(X509_get_notAfter(x509ss),
-                               (long)60*60*24*days);
-                       X509_set_subject_name(x509ss,
-                               X509_REQ_get_subject_name(req));
+                               {
+                               if (!rand_serial(NULL,
+                                       X509_get_serialNumber(x509ss)))
+                                               goto end;
+                               }
+
+                       if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
+                       if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
+                       if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end;
+                       if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
                        tmppkey = X509_REQ_get_pubkey(req);
-                       X509_set_pubkey(x509ss,tmppkey);
+                       if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
                        EVP_PKEY_free(tmppkey);
 
                        /* Set up V3 context struct */
@@ -877,7 +1007,7 @@ loop:
                        print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag);
                        }
 
-               if (build_subject(req, subj, chtype) == 0)
+               if (build_subject(req, subj, chtype, multirdn) == 0)
                        {
                        BIO_printf(bio_err, "ERROR: cannot modify subject\n");
                        ex=1;
@@ -922,7 +1052,7 @@ loop:
                        BIO_printf(bio_err,"verify OK\n");
                }
 
-       if (noout && !text && !modulus && !subject)
+       if (noout && !text && !modulus && !subject && !pubkey)
                {
                ex=0;
                goto end;
@@ -951,12 +1081,26 @@ loop:
                        }
                }
 
+       if (pubkey)
+               {
+               EVP_PKEY *tpubkey; 
+               tpubkey=X509_REQ_get_pubkey(req);
+               if (tpubkey == NULL)
+                       {
+                       BIO_printf(bio_err,"Error getting public key\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               PEM_write_bio_PUBKEY(out, tpubkey);
+               EVP_PKEY_free(tpubkey);
+               }
+
        if (text)
                {
                if (x509)
-                       X509_print(out,x509ss);
+                       X509_print_ex(out, x509ss, nmflag, reqflag);
                else    
-                       X509_REQ_print(out,req);
+                       X509_REQ_print_ex(out, req, nmflag, reqflag);
                }
 
        if(subject) 
@@ -969,24 +1113,25 @@ loop:
 
        if (modulus)
                {
-               EVP_PKEY *pubkey;
+               EVP_PKEY *tpubkey;
 
                if (x509)
-                       pubkey=X509_get_pubkey(x509ss);
+                       tpubkey=X509_get_pubkey(x509ss);
                else
-                       pubkey=X509_REQ_get_pubkey(req);
-               if (pubkey == NULL)
+                       tpubkey=X509_REQ_get_pubkey(req);
+               if (tpubkey == NULL)
                        {
                        fprintf(stdout,"Modulus=unavailable\n");
                        goto end; 
                        }
                fprintf(stdout,"Modulus=");
 #ifndef OPENSSL_NO_RSA
-               if (pubkey->type == EVP_PKEY_RSA)
-                       BN_print(out,pubkey->pkey.rsa->n);
+               if (tpubkey->type == EVP_PKEY_RSA)
+                       BN_print(out,tpubkey->pkey.rsa->n);
                else
 #endif
                        fprintf(stdout,"Wrong Algorithm type");
+               EVP_PKEY_free(tpubkey);
                fprintf(stdout,"\n");
                }
 
@@ -1025,6 +1170,10 @@ loop:
                }
        ex=0;
 end:
+#ifndef MONOLITH
+       if(to_free)
+               OPENSSL_free(to_free);
+#endif
        if (ex)
                {
                ERR_print_errors(bio_err);
@@ -1041,13 +1190,16 @@ end:
        OBJ_cleanup();
 #ifndef OPENSSL_NO_DSA
        if (dsa_params != NULL) DSA_free(dsa_params);
+#endif
+#ifndef OPENSSL_NO_ECDSA
+       if (ec_params != NULL) EC_KEY_free(ec_params);
 #endif
        apps_shutdown();
-       EXIT(ex);
+       OPENSSL_EXIT(ex);
        }
 
-static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
-                       unsigned long chtype)
+static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
+                       int attribs, unsigned long chtype)
        {
        int ret=0,i;
        char no_prompt = 0;
@@ -1097,77 +1249,35 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
        else 
                {
                if (subj)
-                       i = build_subject(req, subj, chtype);
+                       i = build_subject(req, subj, chtype, multirdn);
                else
                        i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype);
                }
        if(!i) goto err;
 
-       X509_REQ_set_pubkey(req,pkey);
+       if (!X509_REQ_set_pubkey(req,pkey)) goto err;
 
        ret=1;
 err:
        return(ret);
        }
 
-static int build_subject(X509_REQ *req, char *subject, unsigned long chtype)
+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
+static int build_subject(X509_REQ *req, char *subject, unsigned long chtype, int multirdn)
        {
-       X509_NAME *n = NULL;
-
-       int i, nid, ne_num=0;
-
-       char *ne_name = NULL;
-       char *ne_value = NULL;
-
-       char *tmp = NULL;
-       char *p[2];
-
-       char *str_list[256];
-       
-       p[0] = ",/";
-        p[1] = "=";
-
-       n = X509_NAME_new();
-
-       tmp = strtok(subject, p[0]);
-       while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
-               {
-               char *token = tmp;
-
-               while (token[0] == ' ')
-                       token++;
-               str_list[ne_num] = token;
-
-               tmp = strtok(NULL, p[0]);
-               ne_num++;
-               }
+       X509_NAME *n;
 
-       for(i = 0; i < ne_num; i++)
-               {
-               ne_name  = strtok(str_list[i], p[1]);
-               ne_value = strtok(NULL, p[1]);
-
-               if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
-                       {
-                       BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
-                       continue;
-                       }
-
-               if (ne_value == NULL)
-                       {
-                       BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
-                       continue;
-                       }
-
-               if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_value, -1,-1,0))
-                       {
-                       X509_NAME_free(n);
-                       return 0;
-                       }
-               }
+       if (!(n = parse_name(subject, chtype, multirdn)))
+               return 0;
 
        if (!X509_REQ_set_subject_name(req, n))
+               {
+               X509_NAME_free(n);
                return 0;
+               }
        X509_NAME_free(n);
        return 1;
 }
@@ -1181,9 +1291,10 @@ static int prompt_info(X509_REQ *req,
        int i;
        char *p,*q;
        char buf[100];
-       int nid;
+       int nid, mval;
        long n_min,n_max;
-       char *type,*def,*value;
+       char *type, *value;
+       const char *def;
        CONF_VALUE *v;
        X509_NAME *subj;
        subj = X509_REQ_get_subject_name(req);
@@ -1224,32 +1335,51 @@ start:          for (;;)
                                        if(*p) type = p;
                                        break;
                                }
+                       if (*type == '+')
+                               {
+                               mval = -1;
+                               type++;
+                               }
+                       else
+                               mval = 0;
                        /* If OBJ not recognised ignore it */
                        if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
-                       sprintf(buf,"%s_default",v->name);
+                       if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name)
+                               >= (int)sizeof(buf))
+                          {
+                          BIO_printf(bio_err,"Name '%s' too long\n",v->name);
+                          return 0;
+                          }
+
                        if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
                                {
                                ERR_clear_error();
                                def="";
                                }
                                
-                       sprintf(buf,"%s_value",v->name);
+                       BIO_snprintf(buf,sizeof buf,"%s_value",v->name);
                        if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
                                {
                                ERR_clear_error();
                                value=NULL;
                                }
 
-                       sprintf(buf,"%s_min",v->name);
+                       BIO_snprintf(buf,sizeof buf,"%s_min",v->name);
                        if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min))
+                               {
+                               ERR_clear_error();
                                n_min = -1;
+                               }
 
-                       sprintf(buf,"%s_max",v->name);
+                       BIO_snprintf(buf,sizeof buf,"%s_max",v->name);
                        if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max))
+                               {
+                               ERR_clear_error();
                                n_max = -1;
+                               }
 
                        if (!add_DN_object(subj,v->value,def,value,nid,
-                               n_min,n_max, chtype))
+                               n_min,n_max, chtype, mval))
                                return 0;
                        }
                if (X509_NAME_entry_count(subj) == 0)
@@ -1279,7 +1409,13 @@ start2:                  for (;;)
                                if ((nid=OBJ_txt2nid(type)) == NID_undef)
                                        goto start2;
 
-                               sprintf(buf,"%s_default",type);
+                               if (BIO_snprintf(buf,sizeof buf,"%s_default",type)
+                                       >= (int)sizeof(buf))
+                                  {
+                                  BIO_printf(bio_err,"Name '%s' too long\n",v->name);
+                                  return 0;
+                                  }
+
                                if ((def=NCONF_get_string(req_conf,attr_sect,buf))
                                        == NULL)
                                        {
@@ -1288,7 +1424,7 @@ start2:                   for (;;)
                                        }
                                
                                
-                               sprintf(buf,"%s_value",type);
+                               BIO_snprintf(buf,sizeof buf,"%s_value",type);
                                if ((value=NCONF_get_string(req_conf,attr_sect,buf))
                                        == NULL)
                                        {
@@ -1296,11 +1432,11 @@ start2:                 for (;;)
                                        value=NULL;
                                        }
 
-                               sprintf(buf,"%s_min",type);
+                               BIO_snprintf(buf,sizeof buf,"%s_min",type);
                                if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
                                        n_min = -1;
 
-                               sprintf(buf,"%s_max",type);
+                               BIO_snprintf(buf,sizeof buf,"%s_max",type);
                                if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
                                        n_max = -1;
 
@@ -1333,6 +1469,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
 
        for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
                {
+               int mval;
                v=sk_CONF_VALUE_value(dn_sk,i);
                p=q=NULL;
                type=v->name;
@@ -1349,8 +1486,19 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
                                if(*p) type = p;
                                break;
                        }
+#ifndef CHARSET_EBCDIC
+               if (*p == '+')
+#else
+               if (*p == os_toascii['+'])
+#endif
+                       {
+                       p++;
+                       mval = -1;
+                       }
+               else
+                       mval = 0;
                if (!X509_NAME_add_entry_by_txt(subj,type, chtype,
-                               (unsigned char *) v->value,-1,-1,0)) return 0;
+                               (unsigned char *) v->value,-1,-1,mval)) return 0;
 
                }
 
@@ -1372,8 +1520,8 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
        }
 
 
-static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
-            int nid, int n_min, int n_max, unsigned long chtype)
+static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,
+            int nid, int n_min, int n_max, unsigned long chtype, int mval)
        {
        int i,ret=0;
        MS_STATIC char buf[1024];
@@ -1382,8 +1530,8 @@ start:
        (void)BIO_flush(bio_err);
        if(value != NULL)
                {
-               strcpy(buf,value);
-               strcat(buf,"\n");
+               BUF_strlcpy(buf,value,sizeof buf);
+               BUF_strlcat(buf,"\n",sizeof buf);
                BIO_printf(bio_err,"%s\n",value);
                }
        else
@@ -1391,7 +1539,7 @@ start:
                buf[0]='\0';
                if (!batch)
                        {
-                       fgets(buf,1024,stdin);
+                       fgets(buf,sizeof buf,stdin);
                        }
                else
                        {
@@ -1405,8 +1553,8 @@ start:
                {
                if ((def == NULL) || (def[0] == '\0'))
                        return(1);
-               strcpy(buf,def);
-               strcat(buf,"\n");
+               BUF_strlcpy(buf,def,sizeof buf);
+               BUF_strlcat(buf,"\n",sizeof buf);
                }
        else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
 
@@ -1422,14 +1570,14 @@ start:
 #endif
        if(!req_check_len(i, n_min, n_max)) goto start;
        if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
-                               (unsigned char *) buf, -1,-1,0)) goto err;
+                               (unsigned char *) buf, -1,-1,mval)) goto err;
        ret=1;
 err:
        return(ret);
        }
 
-static int add_attribute_object(X509_REQ *req, char *text,
-                               char *def, char *value, int nid, int n_min,
+static int add_attribute_object(X509_REQ *req, char *text, const char *def,
+                               char *value, int nid, int n_min,
                                int n_max, unsigned long chtype)
        {
        int i;
@@ -1440,8 +1588,8 @@ start:
        (void)BIO_flush(bio_err);
        if (value != NULL)
                {
-               strcpy(buf,value);
-               strcat(buf,"\n");
+               BUF_strlcpy(buf,value,sizeof buf);
+               BUF_strlcat(buf,"\n",sizeof buf);
                BIO_printf(bio_err,"%s\n",value);
                }
        else
@@ -1449,7 +1597,7 @@ start:
                buf[0]='\0';
                if (!batch)
                        {
-                       fgets(buf,1024,stdin);
+                       fgets(buf,sizeof buf,stdin);
                        }
                else
                        {
@@ -1463,8 +1611,8 @@ start:
                {
                if ((def == NULL) || (def[0] == '\0'))
                        return(1);
-               strcpy(buf,def);
-               strcat(buf,"\n");
+               BUF_strlcpy(buf,def,sizeof buf);
+               BUF_strlcat(buf,"\n",sizeof buf);
                }
        else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
 
@@ -1493,7 +1641,7 @@ err:
        }
 
 #ifndef OPENSSL_NO_RSA
-static void MS_CALLBACK req_cb(int p, int n, void *arg)
+static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb)
        {
        char c='*';
 
@@ -1501,11 +1649,12 @@ static void MS_CALLBACK req_cb(int p, int n, void *arg)
        if (p == 1) c='+';
        if (p == 2) c='*';
        if (p == 3) c='\n';
-       BIO_write((BIO *)arg,&c,1);
-       (void)BIO_flush((BIO *)arg);
+       BIO_write(cb->arg,&c,1);
+       (void)BIO_flush(cb->arg);
 #ifdef LINT
        p=n;
 #endif
+       return 1;
        }
 #endif
 
@@ -1525,10 +1674,10 @@ static int req_check_len(int len, int n_min, int n_max)
        }
 
 /* Check if the end of a string matches 'end' */
-static int check_end(char *str, char *end)
+static int check_end(const char *str, const char *end)
 {
        int elen, slen; 
-       char *tmp;
+       const char *tmp;
        elen = strlen(end);
        slen = strlen(str);
        if(elen > slen) return 1;