X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Freq.c;h=85526581cefed10a9ec539cac8b9a04568a754f9;hp=a0eca519af1c272f5287419704f06a3daa0a3363;hb=f7ac0ec89d0daefdea2956c55c17f1246e81c0a6;hpb=01b8b3c7d2d8f835257ac1cb2512273aa27bfba8 diff --git a/apps/req.c b/apps/req.c index a0eca519af..85526581ce 100644 --- a/apps/req.c +++ b/apps/req.c @@ -144,7 +144,7 @@ static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value, static int genpkey_cb(EVP_PKEY_CTX *ctx); static int req_check_len(int len,int n_min,int n_max); static int check_end(const char *str, const char *end); -static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, +static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, long *pkeylen, char **palgnam, ENGINE *keygen_engine); #ifndef MONOLITH @@ -165,9 +165,9 @@ int MAIN(int argc, char **argv) EVP_PKEY_CTX *genctx = NULL; const char *keyalg = NULL; char *keyalgstr = NULL; - STACK *pkeyopts = NULL; + STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL; EVP_PKEY *pkey=NULL; - int i=0,badops=0,newreq=0,verbose=0,pkey_type=EVP_PKEY_RSA; + int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1; long newkey = -1; BIO *in=NULL,*out=NULL; int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; @@ -306,8 +306,17 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; if (!pkeyopts) - pkeyopts = sk_new_null(); - if (!pkeyopts || !sk_push(pkeyopts, *(++argv))) + pkeyopts = sk_OPENSSL_STRING_new_null(); + if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv))) + goto bad; + } + else if (strcmp(*argv,"-sigopt") == 0) + { + if (--argc < 1) + goto bad; + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) goto bad; } else if (strcmp(*argv,"-batch") == 0) 
@@ -365,11 +374,6 @@ int MAIN(int argc, char **argv) serial = s2i_ASN1_INTEGER(NULL, *(++argv)); if (!serial) goto bad; } - else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) - { - /* ok */ - digest=md_alg; - } else if (strcmp(*argv,"-extensions") == 0) { if (--argc < 1) goto bad; @@ -380,6 +384,11 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; req_exts = *(++argv); } + else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) + { + /* ok */ + digest=md_alg; + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -617,8 +626,7 @@ bad: message */ goto end; } - if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA || - EVP_PKEY_type(pkey->type) == EVP_PKEY_EC) + else { char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE"); if (randfile == NULL) @@ -638,7 +646,7 @@ bad: if (keyalg) { - genctx = set_keygen_ctx(bio_err, keyalg, &newkey, + genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, &keyalgstr, gen_eng); if (!genctx) goto end; @@ -659,7 +667,7 @@ bad: if (!genctx) { - genctx = set_keygen_ctx(bio_err, NULL, &newkey, + genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey, &keyalgstr, gen_eng); if (!genctx) goto end; @@ -668,9 +676,9 @@ bad: if (pkeyopts) { char *genopt; - for (i = 0; i < sk_num(pkeyopts); i++) + for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { - genopt = sk_value(pkeyopts, i); + genopt = sk_OPENSSL_STRING_value(pkeyopts, i); if (pkey_ctrl_string(genctx, genopt) <= 0) { BIO_printf(bio_err, @@ -839,7 +847,7 @@ loop: if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end; if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end; - if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end; + if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end; if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end; tmppkey = X509_REQ_get_pubkey(req); if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end; 
@@ -859,8 +867,9 @@ loop: extensions); goto end; } - - if (!(i=X509_sign(x509ss,pkey,digest))) + + i=do_X509_sign(bio_err, x509ss, pkey, digest, sigopts); + if (!i) { ERR_print_errors(bio_err); goto end; @@ -884,7 +893,8 @@ loop: req_exts); goto end; } - if (!(i=X509_REQ_sign(req,pkey,digest))) + i=do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts); + if (!i) { ERR_print_errors(bio_err); goto end; @@ -1084,7 +1094,9 @@ end: if (genctx) EVP_PKEY_CTX_free(genctx); if (pkeyopts) - sk_free(pkeyopts); + sk_OPENSSL_STRING_free(pkeyopts); + if (sigopts) + sk_OPENSSL_STRING_free(sigopts); #ifndef OPENSSL_NO_ENGINE if (gen_eng) ENGINE_free(gen_eng); @@ -1337,11 +1349,17 @@ start2: for (;;) BIO_snprintf(buf,sizeof buf,"%s_min",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min)) + { + ERR_clear_error(); n_min = -1; + } BIO_snprintf(buf,sizeof buf,"%s_max",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max)) + { + ERR_clear_error(); n_max = -1; + } if (!add_attribute_object(req, v->value,def,value,nid,n_min,n_max, chtype)) @@ -1442,7 +1460,8 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,sizeof buf,stdin); + if (!fgets(buf,sizeof buf,stdin)) + return 0; } else { @@ -1500,7 +1519,8 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,sizeof buf,stdin); + if (!fgets(buf,sizeof buf,stdin)) + return 0; } else { 
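Review bot: The new calls `i=do_X509_sign(bio_err, x509ss, pkey, digest, sigopts);` here and `i=do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts);` in the `@@ -884,7 +893,8 @@` hunk reach functions that are defined only at the end of this file as non-static, and the forward-declaration block edited in the first hunk of this diff (`@@ -144,7 +144,7 @@`) gains no prototypes for them; unless they are declared in a shared header outside this diff, both calls are implicit declarations, which C99 rejects. If no header declares them, add `int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts);` and the matching `do_X509_REQ_sign` line next to the other prototypes. The enclosing MAIN body starts and ends outside this hunk.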
@@ -1570,25 +1590,24 @@ static int check_end(const char *str, const char *end) return strcmp(tmp, end); } -static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, +static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, long *pkeylen, char **palgnam, ENGINE *keygen_engine) { EVP_PKEY_CTX *gctx = NULL; EVP_PKEY *param = NULL; long keylen = -1; - int pkey_type = -1; BIO *pbio = NULL; const char *paramfile = NULL; if (gstr == NULL) { - pkey_type = EVP_PKEY_RSA; + *pkey_type = EVP_PKEY_RSA; keylen = *pkeylen; } else if (gstr[0] >= '0' && gstr[0] <= '9') { - pkey_type = EVP_PKEY_RSA; + *pkey_type = EVP_PKEY_RSA; keylen = atol(gstr); *pkeylen = keylen; } @@ -1617,13 +1636,13 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, return NULL; } - EVP_PKEY_asn1_get0_info(NULL, &pkey_type, NULL, NULL, NULL, + EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth); #ifndef OPENSSL_NO_ENGINE if (tmpeng) ENGINE_finish(tmpeng); #endif - if (pkey_type == EVP_PKEY_RSA) + if (*pkey_type == EVP_PKEY_RSA) { if (p) { @@ -1649,7 +1668,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, if (!param) { X509 *x; - BIO_reset(pbio); + (void)BIO_reset(pbio); x = PEM_read_bio_X509(pbio, NULL, NULL, NULL); if (x) { @@ -1666,9 +1685,9 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, paramfile); return NULL; } - if (pkey_type == -1) - pkey_type = EVP_PKEY_id(param); - else if (pkey_type != EVP_PKEY_base_id(param)) + if (*pkey_type == -1) + *pkey_type = EVP_PKEY_id(param); + else if (*pkey_type != EVP_PKEY_base_id(param)) { BIO_printf(err, "Key Type does not match parameters\n"); EVP_PKEY_free(param); 
@@ -1681,7 +1700,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, const EVP_PKEY_ASN1_METHOD *ameth; ENGINE *tmpeng; const char *anam; - ameth = EVP_PKEY_asn1_find(&tmpeng, pkey_type); + ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type); if (!ameth) { BIO_puts(err, "Internal error: can't find key algorithm\n"); @@ -1702,7 +1721,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, EVP_PKEY_free(param); } else - gctx = EVP_PKEY_CTX_new_id(pkey_type, keygen_engine); + gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine); if (!gctx) { @@ -1717,8 +1736,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, ERR_print_errors(err); return NULL; } - - if ((pkey_type == EVP_PKEY_RSA) && (keylen != -1)) +#ifndef OPENSSL_NO_RSA + if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) { if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) { @@ -1728,6 +1747,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, return NULL; } } +#endif return gctx; } 
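Review bot: The `#ifndef OPENSSL_NO_RSA` added in the `@@ -1717,8 +1736,8 @@` hunk guards only the keygen-bits ctrl, while the earlier branches of set_keygen_ctx (in the previous physical line's hunk) still set `*pkey_type = EVP_PKEY_RSA` when `gstr` is NULL or numeric, so a no-RSA build falls through to `gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);` with a type it presumably cannot construct and reports only the generic failure. Under that build `keylen` also becomes set-but-unused. Consider extending the guard to those two assignments or printing a specific "RSA not supported" message before the generic failure path. set_keygen_ctx begins before this hunk; its closing `return gctx; }` is in the last hunk here.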
@@ -1749,3 +1769,68 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
 #endif
 return 1;
 }
+
+static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
+ const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
+ {
+ EVP_PKEY_CTX *pkctx = NULL;
+ int i;
+ EVP_MD_CTX_init(ctx);
+ if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
+ return 0;
+ for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++)
+ {
+ char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+ if (pkey_ctrl_string(pkctx, sigopt) <= 0)
+ {
+ BIO_printf(err, "parameter error \"%s\"\n", sigopt);
+ ERR_print_errors(bio_err);
+ return 0;
+ }
+ }
+ return 1;
+ }
+
+int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+ STACK_OF(OPENSSL_STRING) *sigopts)
+ {
+ int rv;
+ EVP_MD_CTX mctx;
+ EVP_MD_CTX_init(&mctx);
+ rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+ if (rv > 0)
+ rv = X509_sign_ctx(x, &mctx);
+ EVP_MD_CTX_cleanup(&mctx);
+ return rv > 0 ? 1 : 0;
+ }
+
+
+int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+ STACK_OF(OPENSSL_STRING) *sigopts)
+ {
+ int rv;
+ EVP_MD_CTX mctx;
+ EVP_MD_CTX_init(&mctx);
+ rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+ if (rv > 0)
+ rv = X509_REQ_sign_ctx(x, &mctx);
+ EVP_MD_CTX_cleanup(&mctx);
+ return rv > 0 ? 1 : 0;
+ }
+
+
+
+int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+ STACK_OF(OPENSSL_STRING) *sigopts)
+ {
+ int rv;
+ EVP_MD_CTX mctx;
+ EVP_MD_CTX_init(&mctx);
+ rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+ if (rv > 0)
+ rv = X509_CRL_sign_ctx(x, &mctx);
+ EVP_MD_CTX_cleanup(&mctx);
+ return rv > 0 ? 1 : 0;
+ }
+
+
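Review bot: In `do_sign_init` the failure path writes the message to the `err` parameter with `BIO_printf(err, ...)` but then calls `ERR_print_errors(bio_err);` on the file-global, so the two halves of one diagnostic go to different BIOs as soon as a caller passes anything other than bio_err; it should be `ERR_print_errors(err);`. `EVP_MD_CTX_init(ctx)` inside do_sign_init also repeats the init each wrapper already performs on `mctx` just before calling it, so one of the two is redundant. The loop over `sigopts` runs with a NULL stack whenever no `-sigopt` was given (`sigopts` is initialised to NULL in MAIN), which relies on `sk_OPENSSL_STRING_num` returning a non-positive count for NULL — that looks to be the library contract but is worth a one-line comment on do_sign_init stating that `sigopts` may be NULL. The three `do_X509_*_sign` wrappers differ only in the `*_sign_ctx` call, which is acceptable, but a short header comment on do_X509_sign noting that a return of 1 means success and 0 means failure with errors on `err` would document the contract the callers in the `@@ -859` and `@@ -884` hunks depend on.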