  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <time.h>
  12. #include <string.h>
  13. #include "apps.h"
  14. #include "progs.h"
  15. #include <openssl/bio.h>
  16. #include <openssl/evp.h>
  17. #include <openssl/conf.h>
  18. #include <openssl/err.h>
  19. #include <openssl/asn1.h>
  20. #include <openssl/x509.h>
  21. #include <openssl/x509v3.h>
  22. #include <openssl/objects.h>
  23. #include <openssl/pem.h>
  24. #include <openssl/bn.h>
  25. #ifndef OPENSSL_NO_RSA
  26. # include <openssl/rsa.h>
  27. #endif
  28. #ifndef OPENSSL_NO_DSA
  29. # include <openssl/dsa.h>
  30. #endif
/* Name of the configuration section this command reads, and the keys it
 * looks up in that section (see req_main() and make_REQ()). */
#define SECTION "req"
#define BITS "default_bits"             /* key size when -newkey gives none */
#define KEYFILE "default_keyfile"       /* where a generated key goes if no -keyout */
#define PROMPT "prompt"                 /* "no" selects non-interactive DN entry */
#define DISTINGUISHED_NAME "distinguished_name" /* required: DN section name */
#define ATTRIBUTES "attributes"         /* optional: request attributes section */
#define V3_EXTENSIONS "x509_extensions" /* extension section for -x509 output */
#define REQ_EXTENSIONS "req_extensions" /* extension section for request output */
#define STRING_MASK "string_mask"       /* fed to ASN1_STRING_set_default_mask_asc() */
#define UTF8_IN "utf8"                  /* "yes" treats input as UTF-8 (like -utf8) */
#define DEFAULT_KEY_LENGTH 2048         /* used when BITS is absent from the config */
#define MIN_KEY_LENGTH 512              /* smallest RSA/DSA size accepted for generation */
/*
 * File-local helpers; the definitions follow req_main() below.  Where the
 * caller is visible in this file, the helpers return non-zero on success and
 * 0 on failure, and the caller relies on them to have reported the problem.
 */

/* Fill a fresh request: version, subject (from -subj, the config, or
 * interactive prompts), attributes and public key.  Note the prototype's
 * parameter names (dn, mutlirdn) differ from the definition's (subj,
 * multirdn); only the types are significant to the compiler. */
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
                    int attribs, unsigned long chtype);
/* Replace the request's subject with one parsed from a -subj string.
 * Returns 0 on failure (checked as "== 0" by req_main()). */
static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
                         int multirdn);
/* Interactive DN/attribute entry driven by the named config sections. */
static int prompt_info(X509_REQ *req,
                       STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
                       STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
                       int attribs, unsigned long chtype);
/* Non-interactive DN/attribute entry, used when the config has prompt = no. */
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
                     STACK_OF(CONF_VALUE) *attr, int attribs,
                     unsigned long chtype);
/* Bodies not in view here: presumably add a single attribute / DN component
 * after length-checking the value against n_min..n_max — confirm in the
 * definitions. */
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
                                char *value, int nid, int n_min, int n_max,
                                unsigned long chtype);
static int add_DN_object(X509_NAME *n, char *text, const char *def,
                         char *value, int nid, int n_min, int n_max,
                         unsigned long chtype, int mval);
/* Progress callback installed on the keygen context by req_main(); the
 * context's app data is set to bio_err at the same time. */
static int genpkey_cb(EVP_PKEY_CTX *ctx);
/* Bodies not in view here: helpers used when prompting for and validating
 * a single value (build_data), checking its length (req_check_len), matching
 * a suffix (check_end) and composing a config key name (join). */
static int build_data(char *text, const char *def,
                      char *value, int n_min, int n_max,
                      char *buf, const int buf_size,
                      const char *desc1, const char *desc2
                      );
static int req_check_len(int len, int n_min, int n_max);
static int check_end(const char *str, const char *end);
static int join(char buf[], size_t buf_size, const char *name,
                const char *tail, const char *desc);
/* Build the key-generation context from a -newkey "type:bits" string, or
 * from defaults when gstr is NULL; updates *pkey_type, *pkeylen and
 * *palgnam (the latter is freed by req_main() with OPENSSL_free()).
 * Returns NULL on failure. */
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
                                    int *pkey_type, long *pkeylen,
                                    char **palgnam, ENGINE *keygen_engine);
/* Configuration loaded from -config (or the default file); read by
 * req_main() and make_REQ(). */
static CONF *req_conf = NULL;
/* Configuration synthesised from the -addext key=value lines, if any. */
static CONF *addext_conf = NULL;
/* Set by -batch; not read in req_main() itself, presumably consulted by the
 * prompting helpers further down the file. */
static int batch = 0;
/* One value per command line option.  req_options[] below maps the option
 * names onto these, and opt_next() hands them back to req_main()'s switch.
 * OPT_ERR/OPT_EOF are the parser's own results; OPT_R_ENUM expands to the
 * shared random-source options handled by the OPT_R_CASES label. */
typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
    OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
    OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
    OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
    OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
    OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
    OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
    OPT_REQEXTS, OPT_PRECERT, OPT_MD,
    OPT_R_ENUM
} OPTION_CHOICE;
/*
 * Option table for the "req" command, consumed by opt_init()/opt_next() and
 * printed by opt_help().  Each entry is: name, OPTION_CHOICE value, argument
 * type letter ('-' means the option takes no argument), help text.
 * The entry with the empty name is the catch-all for digest options such as
 * -sha256: req_main() resolves it through opt_unknown() and opt_md().
 * Order here is the order shown by -help.
 */
const OPTIONS req_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"key", OPT_KEY, 's', "Private key to use"},
    {"keyform", OPT_KEYFORM, 'f', "Key file format"},
    {"pubkey", OPT_PUBKEY, '-', "Output public key"},
    {"new", OPT_NEW, '-', "New request"},
    {"config", OPT_CONFIG, '<', "Request template file"},
    {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
    {"passin", OPT_PASSIN, 's', "Private key password source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    OPT_R_OPTIONS,
    {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
    {"batch", OPT_BATCH, '-',
     "Do not ask anything during request generation"},
    {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
    {"modulus", OPT_MODULUS, '-', "RSA modulus"},
    {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
    /* -nodes writes a freshly generated private key without encryption. */
    {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
    {"noout", OPT_NOOUT, '-', "Do not output REQ"},
    {"verbose", OPT_VERBOSE, '-', "Verbose output"},
    {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
    {"reqopt", OPT_REQOPT, 's', "Various request text options"},
    {"text", OPT_TEXT, '-', "Text form of request"},
    {"x509", OPT_X509, '-',
     "Output a x509 structure instead of a cert request"},
    {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
    {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
    {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
    {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
     "Enable support for multivalued RDNs"},
    {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
    {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
    {"addext", OPT_ADDEXT, 's',
     "Additional cert extension key=value pair (may be given more than once)"},
    {"extensions", OPT_EXTENSIONS, 's',
     "Cert extension section (override value in config file)"},
    {"reqexts", OPT_REQEXTS, 's',
     "Request extension section (override value in config file)"},
    {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
    /* Catch-all: any unknown option is tried as a digest name (-sha256 ...). */
    {"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
     "Specify engine to be used for key generation operations"},
#endif
    {NULL}
};
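/*
 * Entry point of the "req" command.
 *
 * Flow: parse options; load the configuration (-config or the default file,
 * plus a synthetic config built from -addext lines); syntax-check the
 * extension sections; load or generate the private key; then either read an
 * existing request (-in) or build a new one (-new, -newkey, -precert, or
 * -x509 without -in); sign a request or a self-signed certificate; and
 * finally write whatever output was asked for (-pubkey, -text, -subject,
 * -modulus, the request/certificate itself).
 *
 * argc/argv: the command line as handed over by the apps dispatcher.
 * Returns 0 on success and 1 on any failure.  On the failure path the
 * pending OpenSSL error queue is printed to bio_err; all resources are
 * released at the "end:" label regardless of which path was taken.
 *
 * Changes relative to the earlier version: the "Can't find keygen engine"
 * message names the requested engine rather than the program name; the
 * -modulus output goes entirely to the output BIO instead of being split
 * between stdout and 'out'; the -pubkey write is error-checked; and
 * addext_conf is freed at exit.
 */
int req_main(int argc, char **argv)
{
    ASN1_INTEGER *serial = NULL;
    BIO *in = NULL, *out = NULL;
    ENGINE *e = NULL, *gen_eng = NULL;
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *genctx = NULL;
    STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
    X509 *x509ss = NULL;
    X509_REQ *req = NULL;
    const EVP_CIPHER *cipher = NULL;
    const EVP_MD *md_alg = NULL, *digest = NULL;
    BIO *addext_bio = NULL;
    char *extensions = NULL, *infile = NULL;
    char *outfile = NULL, *keyfile = NULL;
    char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
    char *passin = NULL, *passout = NULL;
    /* Passwords that came from the config are owned by req_conf and must
     * not be freed; these aliases let the cleanup tell the two cases apart. */
    char *nofree_passin = NULL, *nofree_passout = NULL;
    char *req_exts = NULL, *subj = NULL;
    char *template = default_config_file, *keyout = NULL;
    const char *keyalg = NULL;
    OPTION_CHOICE o;
    int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0;
    int pkey_type = -1, private = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
    int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
    int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
    long newkey = -1;
    unsigned long chtype = MBSTRING_ASC, reqflag = 0;

#ifndef OPENSSL_NO_DES
    /* Cipher used to encrypt a newly generated private key unless -nodes or
     * encrypt_key = no clears it below. */
    cipher = EVP_des_ede3_cbc();
#endif

    prog = opt_init(argc, argv, req_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(req_options);
            ret = 0;
            goto end;
        case OPT_INFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
                goto opthelp;
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_KEYGEN_ENGINE:
#ifndef OPENSSL_NO_ENGINE
            gen_eng = ENGINE_by_id(opt_arg());
            if (gen_eng == NULL) {
                /* Report the engine that was asked for; after opt_init()
                 * *argv is the program name, not the option argument. */
                BIO_printf(bio_err, "Can't find keygen engine %s\n", opt_arg());
                goto opthelp;
            }
#endif
            break;
        case OPT_KEY:
            keyfile = opt_arg();
            break;
        case OPT_PUBKEY:
            pubkey = 1;
            break;
        case OPT_NEW:
            newreq = 1;
            break;
        case OPT_CONFIG:
            template = opt_arg();
            break;
        case OPT_KEYFORM:
            if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_KEYOUT:
            keyout = opt_arg();
            break;
        case OPT_PASSIN:
            passargin = opt_arg();
            break;
        case OPT_PASSOUT:
            passargout = opt_arg();
            break;
        case OPT_R_CASES:
            if (!opt_rand(o))
                goto end;
            break;
        case OPT_NEWKEY:
            keyalg = opt_arg();
            newreq = 1;
            break;
        case OPT_PKEYOPT:
            if (!pkeyopts)
                pkeyopts = sk_OPENSSL_STRING_new_null();
            if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
                goto opthelp;
            break;
        case OPT_SIGOPT:
            if (!sigopts)
                sigopts = sk_OPENSSL_STRING_new_null();
            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
                goto opthelp;
            break;
        case OPT_BATCH:
            batch = 1;
            break;
        case OPT_NEWHDR:
            newhdr = 1;
            break;
        case OPT_MODULUS:
            modulus = 1;
            break;
        case OPT_VERIFY:
            verify = 1;
            break;
        case OPT_NODES:
            nodes = 1;
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        case OPT_VERBOSE:
            verbose = 1;
            break;
        case OPT_UTF8:
            chtype = MBSTRING_UTF8;
            break;
        case OPT_NAMEOPT:
            if (!set_nameopt(opt_arg()))
                goto opthelp;
            break;
        case OPT_REQOPT:
            if (!set_cert_ex(&reqflag, opt_arg()))
                goto opthelp;
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_X509:
            x509 = 1;
            break;
        case OPT_DAYS:
            /* The table declares -days with type 'p'; presumably opt_next()
             * has already rejected non-numeric input — confirm in opt.c. */
            days = atoi(opt_arg());
            break;
        case OPT_SET_SERIAL:
            if (serial != NULL) {
                BIO_printf(bio_err, "Serial number supplied twice\n");
                goto opthelp;
            }
            serial = s2i_ASN1_INTEGER(NULL, opt_arg());
            if (serial == NULL)
                goto opthelp;
            break;
        case OPT_SUBJECT:
            subject = 1;
            break;
        case OPT_SUBJ:
            subj = opt_arg();
            break;
        case OPT_MULTIVALUE_RDN:
            multirdn = 1;
            break;
        case OPT_ADDEXT:
            /* Each -addext line is appended to an in-memory config that is
             * parsed once option processing is complete. */
            if (addext_bio == NULL) {
                addext_bio = BIO_new(BIO_s_mem());
            }
            if (addext_bio == NULL
                || BIO_printf(addext_bio, "%s\n", opt_arg()) < 0)
                goto end;
            break;
        case OPT_EXTENSIONS:
            extensions = opt_arg();
            break;
        case OPT_REQEXTS:
            req_exts = opt_arg();
            break;
        case OPT_PRECERT:
            newreq = precert = 1;
            break;
        case OPT_MD:
            /* Catch-all table entry: the unknown option name is a digest. */
            if (!opt_md(opt_unknown(), &md_alg))
                goto opthelp;
            digest = md_alg;
            break;
        }
    }
    argc = opt_num_rest();
    if (argc != 0)
        goto opthelp;

    if (days && !x509)
        BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n");

    /* -x509 without -in means "generate a self-signed certificate". */
    if (x509 && infile == NULL)
        newreq = 1;

    /* TODO: simplify this as pkey is still always NULL here */
    private = newreq && (pkey == NULL) ? 1 : 0;

    if (!app_passwd(passargin, passargout, &passin, &passout)) {
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }

    if (verbose)
        BIO_printf(bio_err, "Using configuration from %s\n", template);
    req_conf = app_load_config(template);
    if (addext_bio) {
        if (verbose)
            BIO_printf(bio_err,
                       "Using additional configuraton from command line\n");
        addext_conf = app_load_config_bio(addext_bio, NULL);
    }
    if (template != default_config_file && !app_load_modules(req_conf))
        goto end;

    if (req_conf != NULL) {
        /* Optional top-level "oid_file": extra OIDs to register. */
        p = NCONF_get_string(req_conf, NULL, "oid_file");
        if (p == NULL)
            ERR_clear_error();
        if (p != NULL) {
            BIO *oid_bio;

            oid_bio = BIO_new_file(p, "r");
            if (oid_bio == NULL) {
                /* Deliberately silent: an oid_file that cannot be opened
                 * is ignored rather than reported. */
            } else {
                OBJ_create_objects(oid_bio);
                BIO_free(oid_bio);
            }
        }
    }
    if (!add_oid_section(req_conf))
        goto end;

    /* Digest from the command line wins over [req] default_md. */
    if (md_alg == NULL) {
        p = NCONF_get_string(req_conf, SECTION, "default_md");
        if (p == NULL) {
            ERR_clear_error();
        } else {
            if (!opt_md(p, &md_alg))
                goto opthelp;
            digest = md_alg;
        }
    }

    if (extensions == NULL) {
        extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
        if (extensions == NULL)
            ERR_clear_error();
    }
    if (extensions != NULL) {
        /* Check syntax of file */
        X509V3_CTX ctx;
        X509V3_set_ctx_test(&ctx);
        X509V3_set_nconf(&ctx, req_conf);
        if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
            BIO_printf(bio_err,
                       "Error Loading extension section %s\n", extensions);
            goto end;
        }
    }
    if (addext_conf != NULL) {
        /* Check syntax of command line extensions */
        X509V3_CTX ctx;
        X509V3_set_ctx_test(&ctx);
        X509V3_set_nconf(&ctx, addext_conf);
        if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
            BIO_printf(bio_err, "Error Loading command line extensions\n");
            goto end;
        }
    }

    /* Config-supplied passwords are not ours to free (see nofree_*). */
    if (passin == NULL) {
        passin = nofree_passin =
            NCONF_get_string(req_conf, SECTION, "input_password");
        if (passin == NULL)
            ERR_clear_error();
    }

    if (passout == NULL) {
        passout = nofree_passout =
            NCONF_get_string(req_conf, SECTION, "output_password");
        if (passout == NULL)
            ERR_clear_error();
    }

    p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
    if (p == NULL)
        ERR_clear_error();

    if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) {
        BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
        goto end;
    }

    if (chtype != MBSTRING_UTF8) {
        p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
        if (p == NULL)
            ERR_clear_error();
        else if (strcmp(p, "yes") == 0)
            chtype = MBSTRING_UTF8;
    }

    if (req_exts == NULL) {
        req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
        if (req_exts == NULL)
            ERR_clear_error();
    }
    if (req_exts != NULL) {
        /* Check syntax of file */
        X509V3_CTX ctx;
        X509V3_set_ctx_test(&ctx);
        X509V3_set_nconf(&ctx, req_conf);
        if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
            BIO_printf(bio_err,
                       "Error Loading request extension section %s\n",
                       req_exts);
            goto end;
        }
    }

    if (keyfile != NULL) {
        pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
        if (pkey == NULL) {
            /* load_key() has already printed an appropriate message */
            goto end;
        } else {
            app_RAND_load_conf(req_conf, SECTION);
        }
    }

    /* Key generation: only when building a new request and no -key given. */
    if (newreq && (pkey == NULL)) {
        app_RAND_load_conf(req_conf, SECTION);

        if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
            newkey = DEFAULT_KEY_LENGTH;
        }

        if (keyalg != NULL) {
            genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
                                    &keyalgstr, gen_eng);
            if (genctx == NULL)
                goto end;
        }

        /* The minimum applies to RSA/DSA only; EC sizes are curve-defined. */
        if (newkey < MIN_KEY_LENGTH
            && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
            BIO_printf(bio_err, "private key length is too short,\n");
            BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
                       MIN_KEY_LENGTH, newkey);
            goto end;
        }

        if (genctx == NULL) {
            genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
                                    &keyalgstr, gen_eng);
            if (!genctx)
                goto end;
        }

        if (pkeyopts != NULL) {
            char *genopt;
            for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
                genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
                if (pkey_ctrl_string(genctx, genopt) <= 0) {
                    BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
                    ERR_print_errors(bio_err);
                    goto end;
                }
            }
        }

        if (pkey_type == EVP_PKEY_EC) {
            BIO_printf(bio_err, "Generating an EC private key\n");
        } else {
            BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
                       newkey, keyalgstr);
        }

        EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
        EVP_PKEY_CTX_set_app_data(genctx, bio_err);

        if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
            BIO_puts(bio_err, "Error Generating Key\n");
            goto end;
        }

        EVP_PKEY_CTX_free(genctx);
        genctx = NULL;

        if (keyout == NULL) {
            keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
            if (keyout == NULL)
                ERR_clear_error();
        }

        if (keyout == NULL)
            BIO_printf(bio_err, "writing new private key to stdout\n");
        else
            BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
        /* 'private' tells bio_open_owner() the file will hold key material;
         * presumably it restricts the file mode — see apps.c. */
        out = bio_open_owner(keyout, outformat, private);
        if (out == NULL)
            goto end;

        /* encrypt_rsa_key is the historical name; encrypt_key the current. */
        p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
        if (p == NULL) {
            ERR_clear_error();
            p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
            if (p == NULL)
                ERR_clear_error();
        }
        /* A NULL cipher writes the private key unencrypted. */
        if ((p != NULL) && (strcmp(p, "no") == 0))
            cipher = NULL;
        if (nodes)
            cipher = NULL;

        /* Up to three retries when the pass phrase could not be obtained. */
        i = 0;
 loop:
        assert(private);
        if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
                                      NULL, 0, NULL, passout)) {
            if ((ERR_GET_REASON(ERR_peek_error()) ==
                 PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
                ERR_clear_error();
                i++;
                goto loop;
            }
            goto end;
        }
        BIO_free(out);
        out = NULL;
        BIO_printf(bio_err, "-----\n");
    }

    if (!newreq) {
        in = bio_open_default(infile, 'r', informat);
        if (in == NULL)
            goto end;

        if (informat == FORMAT_ASN1)
            req = d2i_X509_REQ_bio(in, NULL);
        else
            req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
        if (req == NULL) {
            BIO_printf(bio_err, "unable to load X509 request\n");
            goto end;
        }
    }

    if (newreq || x509) {
        if (pkey == NULL) {
            BIO_printf(bio_err, "you need to specify a private key\n");
            goto end;
        }

        if (req == NULL) {
            req = X509_REQ_new();
            if (req == NULL) {
                goto end;
            }

            /* Attributes are only prompted for when producing a request. */
            i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
            subj = NULL; /* done processing '-subj' option */
            if (!i) {
                BIO_printf(bio_err, "problems making Certificate Request\n");
                goto end;
            }
        }
        if (x509) {
            EVP_PKEY *tmppkey;
            X509V3_CTX ext_ctx;
            if ((x509ss = X509_new()) == NULL)
                goto end;

            /* Set version to V3 */
            if ((extensions != NULL || addext_conf != NULL)
                && !X509_set_version(x509ss, 2))
                goto end;
            if (serial != NULL) {
                if (!X509_set_serialNumber(x509ss, serial))
                    goto end;
            } else {
                if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
                    goto end;
            }

            /* Self-signed: issuer and subject are both the request subject. */
            if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
                goto end;
            if (days == 0) {
                /* set default days if it's not specified */
                days = 30;
            }
            if (!set_cert_times(x509ss, NULL, NULL, days))
                goto end;
            if (!X509_set_subject_name
                (x509ss, X509_REQ_get_subject_name(req)))
                goto end;
            tmppkey = X509_REQ_get0_pubkey(req);
            if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
                goto end;

            /* Set up V3 context struct */

            X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
            X509V3_set_nconf(&ext_ctx, req_conf);

            /* Add extensions */
            if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf,
                                                            &ext_ctx, extensions,
                                                            x509ss)) {
                BIO_printf(bio_err, "Error Loading extension section %s\n",
                           extensions);
                goto end;
            }
            if (addext_conf != NULL
                && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default",
                                         x509ss)) {
                BIO_printf(bio_err, "Error Loading command line extensions\n");
                goto end;
            }

            /* If a pre-cert was requested, we need to add a poison extension */
            if (precert) {
                if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
                    != 1) {
                    BIO_printf(bio_err, "Error adding poison extension\n");
                    goto end;
                }
            }

            i = do_X509_sign(x509ss, pkey, digest, sigopts);
            if (!i) {
                ERR_print_errors(bio_err);
                goto end;
            }
        } else {
            X509V3_CTX ext_ctx;

            /* Set up V3 context struct */

            X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
            X509V3_set_nconf(&ext_ctx, req_conf);

            /* Add extensions */
            if (req_exts != NULL
                && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx,
                                             req_exts, req)) {
                BIO_printf(bio_err, "Error Loading extension section %s\n",
                           req_exts);
                goto end;
            }
            if (addext_conf != NULL
                && !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default",
                                             req)) {
                BIO_printf(bio_err, "Error Loading command line extensions\n");
                goto end;
            }
            i = do_X509_REQ_sign(req, pkey, digest, sigopts);
            if (!i) {
                ERR_print_errors(bio_err);
                goto end;
            }
        }
    }

    /* -subj on an existing request rewrites its subject (not for -x509). */
    if (subj && x509) {
        BIO_printf(bio_err, "Cannot modify certificate subject\n");
        goto end;
    }

    if (subj && !x509) {
        if (verbose) {
            BIO_printf(bio_err, "Modifying Request's Subject\n");
            print_name(bio_err, "old subject=",
                       X509_REQ_get_subject_name(req), get_nameopt());
        }

        if (build_subject(req, subj, chtype, multirdn) == 0) {
            BIO_printf(bio_err, "ERROR: cannot modify subject\n");
            ret = 1;
            goto end;
        }

        if (verbose) {
            print_name(bio_err, "new subject=",
                       X509_REQ_get_subject_name(req), get_nameopt());
        }
    }

    /* -verify: a failed signature is reported but is not fatal (ret stays
     * on the success path); only an internal error (i < 0) aborts. */
    if (verify && !x509) {
        EVP_PKEY *tpubkey = pkey;

        if (tpubkey == NULL) {
            tpubkey = X509_REQ_get0_pubkey(req);
            if (tpubkey == NULL)
                goto end;
        }

        i = X509_REQ_verify(req, tpubkey);

        if (i < 0) {
            goto end;
        } else if (i == 0) {
            BIO_printf(bio_err, "verify failure\n");
            ERR_print_errors(bio_err);
        } else { /* if (i > 0) */
            BIO_printf(bio_err, "verify OK\n");
        }
    }

    if (noout && !text && !modulus && !subject && !pubkey) {
        ret = 0;
        goto end;
    }

    /* Append when the key and the request go to the same file. */
    out = bio_open_default(outfile,
                           keyout != NULL && outfile != NULL &&
                           strcmp(keyout, outfile) == 0 ? 'a' : 'w',
                           outformat);
    if (out == NULL)
        goto end;

    if (pubkey) {
        EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req);

        if (tpubkey == NULL) {
            BIO_printf(bio_err, "Error getting public key\n");
            ERR_print_errors(bio_err);
            goto end;
        }
        /* A failed write used to be ignored and reported as success. */
        if (!PEM_write_bio_PUBKEY(out, tpubkey)) {
            BIO_printf(bio_err, "Error writing public key\n");
            goto end;
        }
    }

    if (text) {
        if (x509)
            X509_print_ex(out, x509ss, get_nameopt(), reqflag);
        else
            X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
    }

    if (subject) {
        if (x509)
            print_name(out, "subject=", X509_get_subject_name(x509ss),
                       get_nameopt());
        else
            print_name(out, "subject=", X509_REQ_get_subject_name(req),
                       get_nameopt());
    }

    if (modulus) {
        EVP_PKEY *tpubkey;

        if (x509)
            tpubkey = X509_get0_pubkey(x509ss);
        else
            tpubkey = X509_REQ_get0_pubkey(req);
        /* Everything goes to 'out': the earlier code wrote the label to
         * stdout and the hex digits to 'out', splitting the line across two
         * streams whenever -out named a file. */
        if (tpubkey == NULL) {
            BIO_printf(out, "Modulus=unavailable\n");
            goto end;
        }
        BIO_printf(out, "Modulus=");
#ifndef OPENSSL_NO_RSA
        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
            const BIGNUM *n;
            RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
            BN_print(out, n);
        } else
#endif
            BIO_printf(out, "Wrong Algorithm type");
        BIO_printf(out, "\n");
    }

    if (!noout && !x509) {
        if (outformat == FORMAT_ASN1)
            i = i2d_X509_REQ_bio(out, req);
        else if (newhdr)
            i = PEM_write_bio_X509_REQ_NEW(out, req);
        else
            i = PEM_write_bio_X509_REQ(out, req);
        if (!i) {
            BIO_printf(bio_err, "unable to write X509 request\n");
            goto end;
        }
    }
    if (!noout && x509 && (x509ss != NULL)) {
        if (outformat == FORMAT_ASN1)
            i = i2d_X509_bio(out, x509ss);
        else
            i = PEM_write_bio_X509(out, x509ss);
        if (!i) {
            BIO_printf(bio_err, "unable to write X509 certificate\n");
            goto end;
        }
    }
    ret = 0;
 end:
    if (ret) {
        ERR_print_errors(bio_err);
    }
    NCONF_free(req_conf);
    /* Previously leaked; NCONF_free() accepts NULL when no -addext was given. */
    NCONF_free(addext_conf);
    BIO_free(addext_bio);
    BIO_free(in);
    BIO_free_all(out);
    EVP_PKEY_free(pkey);
    EVP_PKEY_CTX_free(genctx);
    sk_OPENSSL_STRING_free(pkeyopts);
    sk_OPENSSL_STRING_free(sigopts);
#ifndef OPENSSL_NO_ENGINE
    ENGINE_free(gen_eng);
#endif
    OPENSSL_free(keyalgstr);
    X509_REQ_free(req);
    X509_free(x509ss);
    ASN1_INTEGER_free(serial);
    release_engine(e);
    if (passin != nofree_passin)
        OPENSSL_free(passin);
    if (passout != nofree_passout)
        OPENSSL_free(passout);
    return ret;
}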
/*
 * Fill in 'req' from the [req] configuration: version, subject name and
 * (when 'attribs' is set) the attributes, then install the public key of
 * 'pkey'.
 *
 * subj      - subject string from the command line; NULL means take the
 *             name from the config, interactively unless "prompt = no"
 * multirdn  - passed through to build_subject()
 * attribs   - whether the attributes section is processed
 * chtype    - string type used for the name entries
 *
 * Returns 1 on success, 0 on failure. Config-lookup failures print a
 * message; other failures leave their error on the OpenSSL error queue.
 */
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
                    int attribs, unsigned long chtype)
{
    STACK_OF(CONF_VALUE) *dn_values, *attr_values = NULL;
    const char *prompt_setting, *dn_section, *attr_section;
    int no_prompt, ok;

    /* "prompt = no" in the [req] section selects the non-interactive path. */
    prompt_setting = NCONF_get_string(req_conf, SECTION, PROMPT);
    if (prompt_setting == NULL)
        ERR_clear_error();
    no_prompt = prompt_setting != NULL && strcmp(prompt_setting, "no") == 0;

    dn_section = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
    if (dn_section == NULL) {
        BIO_printf(bio_err, "unable to find '%s' in config\n",
                   DISTINGUISHED_NAME);
        return 0;
    }
    dn_values = NCONF_get_section(req_conf, dn_section);
    if (dn_values == NULL) {
        BIO_printf(bio_err, "unable to get '%s' section\n", dn_section);
        return 0;
    }

    /* The attributes section is optional: a missing name is not an error. */
    attr_section = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
    if (attr_section == NULL) {
        ERR_clear_error();
    } else {
        attr_values = NCONF_get_section(req_conf, attr_section);
        if (attr_values == NULL) {
            BIO_printf(bio_err, "unable to get '%s' section\n", attr_section);
            return 0;
        }
    }

    /* Request version 1 is encoded as 0. */
    if (!X509_REQ_set_version(req, 0L))
        return 0;

    if (subj != NULL)
        ok = build_subject(req, subj, chtype, multirdn);
    else if (no_prompt)
        ok = auto_info(req, dn_values, attr_values, attribs, chtype);
    else
        ok = prompt_info(req, dn_values, dn_section, attr_values, attr_section,
                         attribs, chtype);
    if (!ok)
        return 0;

    return X509_REQ_set_pubkey(req, pkey) ? 1 : 0;
}
/*
 * Set the subject name of 'req' from a string of the form
 * /type0=value0/type1=value1/type2=... where characters may be escaped
 * with a backslash. 'multirdn' and 'chtype' are passed to parse_name().
 *
 * Returns 1 on success, 0 if the string does not parse or the name cannot
 * be installed.
 */
static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
                         int multirdn)
{
    X509_NAME *name = parse_name(subject, chtype, multirdn);
    int ok;

    if (name == NULL)
        return 0;
    /* The setter does not take ownership: the name is freed on both paths. */
    ok = X509_REQ_set_subject_name(req, name) ? 1 : 0;
    X509_NAME_free(name);
    return ok;
}
/*
 * Interactively build the subject name of 'req' from the config section
 * 'dn_sk' (named 'dn_sect') and, when 'attribs' is set, the request
 * attributes from 'attr_sk' (named 'attr_sect'). For each entry NAME the
 * keys NAME_default, NAME_value, NAME_min and NAME_max of the same section
 * are consulted; the values themselves are obtained through add_DN_object()
 * and add_attribute_object(). The explanatory banner is suppressed in
 * batch mode.
 *
 * Returns 1 on success, 0 on error (a message has been printed).
 */
static int prompt_info(X509_REQ *req,
                       STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
                       STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
                       int attribs, unsigned long chtype)
{
    X509_NAME *subj = X509_REQ_get_subject_name(req);
    char key[100];
    const char *dflt;
    char *preset, *type, *cp;
    long n_min, n_max;
    int idx, nid, multi;
    CONF_VALUE *cv;

    if (!batch) {
        BIO_printf(bio_err,
                   "You are about to be asked to enter information that will be incorporated\n");
        BIO_printf(bio_err, "into your certificate request.\n");
        BIO_printf(bio_err,
                   "What you are about to enter is what is called a Distinguished Name or a DN.\n");
        BIO_printf(bio_err,
                   "There are quite a few fields but you can leave some blank\n");
        BIO_printf(bio_err,
                   "For some fields there will be a default value,\n");
        BIO_printf(bio_err,
                   "If you enter '.', the field will be left blank.\n");
        BIO_printf(bio_err, "-----\n");
    }

    if (sk_CONF_VALUE_num(dn_sk) == 0) {
        BIO_printf(bio_err, "No template, please set one up.\n");
        return 0;
    }

    for (idx = 0; idx < sk_CONF_VALUE_num(dn_sk); idx++) {
        cv = sk_CONF_VALUE_value(dn_sk, idx);
        type = cv->name;

        /* The *_min/_max/_default/_value keys are modifiers, not fields. */
        if (!check_end(type, "_min") || !check_end(type, "_max")
            || !check_end(type, "_default") || !check_end(type, "_value"))
            continue;

        /*
         * A field may be written "1.commonName", "2:commonName", ... so that
         * the same type can appear more than once; drop that prefix.
         */
        for (cp = cv->name; *cp != '\0'; cp++) {
            if (*cp == ':' || *cp == ',' || *cp == '.') {
                if (cp[1] != '\0')
                    type = cp + 1;
                break;
            }
        }

        /*
         * A leading '+' is passed on as a 'set' of -1 to the name entry
         * functions (presumably merging the entry into the previous RDN).
         */
        multi = 0;
        if (*type == '+') {
            type++;
            multi = -1;
        }

        /* Unknown object types are silently skipped. */
        nid = OBJ_txt2nid(type);
        if (nid == NID_undef)
            continue;

        if (!join(key, sizeof(key), cv->name, "_default", "Name"))
            return 0;
        dflt = NCONF_get_string(req_conf, dn_sect, key);
        if (dflt == NULL) {
            ERR_clear_error();
            dflt = "";
        }

        if (!join(key, sizeof(key), cv->name, "_value", "Name"))
            return 0;
        preset = NCONF_get_string(req_conf, dn_sect, key);
        if (preset == NULL)
            ERR_clear_error();

        /* Length bounds are long in the config but int further down. */
        if (!join(key, sizeof(key), cv->name, "_min", "Name"))
            return 0;
        if (!NCONF_get_number(req_conf, dn_sect, key, &n_min)) {
            ERR_clear_error();
            n_min = -1;
        }

        if (!join(key, sizeof(key), cv->name, "_max", "Name"))
            return 0;
        if (!NCONF_get_number(req_conf, dn_sect, key, &n_max)) {
            ERR_clear_error();
            n_max = -1;
        }

        if (!add_DN_object(subj, cv->value, dflt, preset, nid,
                           n_min, n_max, chtype, multi))
            return 0;
    }

    if (X509_NAME_entry_count(subj) == 0) {
        BIO_printf(bio_err,
                   "error, no objects specified in config file\n");
        return 0;
    }

    if (!attribs)
        return 1;

    if (attr_sk != NULL && sk_CONF_VALUE_num(attr_sk) > 0 && !batch) {
        BIO_printf(bio_err,
                   "\nPlease enter the following 'extra' attributes\n");
        BIO_printf(bio_err,
                   "to be sent with your certificate request\n");
    }

    for (idx = 0; attr_sk != NULL && idx < sk_CONF_VALUE_num(attr_sk); idx++) {
        cv = sk_CONF_VALUE_value(attr_sk, idx);
        type = cv->name;

        /* As above, unknown attribute types are skipped. */
        nid = OBJ_txt2nid(type);
        if (nid == NID_undef)
            continue;

        if (!join(key, sizeof(key), type, "_default", "Name"))
            return 0;
        dflt = NCONF_get_string(req_conf, attr_sect, key);
        if (dflt == NULL) {
            ERR_clear_error();
            dflt = "";
        }

        if (!join(key, sizeof(key), type, "_value", "Name"))
            return 0;
        preset = NCONF_get_string(req_conf, attr_sect, key);
        if (preset == NULL)
            ERR_clear_error();

        if (!join(key, sizeof(key), type, "_min", "Name"))
            return 0;
        if (!NCONF_get_number(req_conf, attr_sect, key, &n_min)) {
            ERR_clear_error();
            n_min = -1;
        }

        if (!join(key, sizeof(key), type, "_max", "Name"))
            return 0;
        if (!NCONF_get_number(req_conf, attr_sect, key, &n_max)) {
            ERR_clear_error();
            n_max = -1;
        }

        if (!add_attribute_object(req, cv->value, dflt, preset, nid,
                                  n_min, n_max, chtype))
            return 0;
    }

    return 1;
}
/*
 * Non-interactive counterpart of prompt_info(): every entry of the DN
 * section is added to the subject name as-is and, when 'attribs' is set,
 * every entry of the attribute section becomes a request attribute. The
 * *_default/_value/_min/_max keys are not filtered or consulted here.
 *
 * Returns 1 on success, 0 on error.
 */
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
                     STACK_OF(CONF_VALUE) *attr_sk, int attribs,
                     unsigned long chtype)
{
    X509_NAME *subj = X509_REQ_get_subject_name(req);
    CONF_VALUE *cv;
    char *type, *cp;
    int idx, is_sep, is_plus, set;

    for (idx = 0; idx < sk_CONF_VALUE_num(dn_sk); idx++) {
        cv = sk_CONF_VALUE_value(dn_sk, idx);
        type = cv->name;

        /*
         * "1.commonName", "2:commonName", ... denote repeated instances of
         * one type: drop everything up to and including the separator.
         */
        for (cp = cv->name; *cp != '\0'; cp++) {
#ifndef CHARSET_EBCDIC
            is_sep = (*cp == ':' || *cp == ',' || *cp == '.');
#else
            is_sep = (*cp == os_toascii[':'] || *cp == os_toascii[',']
                      || *cp == os_toascii['.']);
#endif
            if (is_sep) {
                if (cp[1] != '\0')
                    type = cp + 1;
                break;
            }
        }

        /* A leading '+' is passed on as a 'set' of -1 to the name entry call. */
#ifndef CHARSET_EBCDIC
        is_plus = (*type == '+');
#else
        is_plus = (*type == os_toascii['+']);
#endif
        set = 0;
        if (is_plus) {
            type++;
            set = -1;
        }

        if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
                                        (unsigned char *)cv->value, -1, -1,
                                        set))
            return 0;
    }

    if (X509_NAME_entry_count(subj) == 0) {
        BIO_printf(bio_err, "error, no objects specified in config file\n");
        return 0;
    }

    if (!attribs)
        return 1;

    for (idx = 0; idx < sk_CONF_VALUE_num(attr_sk); idx++) {
        cv = sk_CONF_VALUE_value(attr_sk, idx);
        if (!X509_REQ_add1_attr_by_txt(req, cv->name, chtype,
                                       (unsigned char *)cv->value, -1))
            return 0;
    }
    return 1;
}
/*
 * Obtain one DN value through build_data() and add it to name 'n' under
 * 'nid'. 'mval' is forwarded as the 'set' argument of
 * X509_NAME_add_entry_by_NID().
 *
 * Returns 1 when the entry was added or the field was deliberately left
 * blank, 0 on error or end of input.
 */
static int add_DN_object(X509_NAME *n, char *text, const char *def,
                         char *value, int nid, int n_min, int n_max,
                         unsigned long chtype, int mval)
{
    char entry[1024];
    int rc = build_data(text, def, value, n_min, n_max, entry, sizeof(entry),
                        "DN value", "DN default");

    /* 0 = failure, 1 = leave blank; only 2 carries a value to add. */
    if (rc == 0 || rc == 1)
        return rc;
    return X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char *)entry,
                                      -1, -1, mval) ? 1 : 0;
}
/*
 * Obtain one attribute value through build_data() and add it to 'req'
 * under 'nid'.
 *
 * Returns 1 when the attribute was added or the field was deliberately
 * left blank, 0 on error or end of input (a failed add is reported).
 */
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
                                char *value, int nid, int n_min,
                                int n_max, unsigned long chtype)
{
    char entry[1024];
    int rc = build_data(text, def, value, n_min, n_max, entry, sizeof(entry),
                        "Attribute value", "Attribute default");

    /* 0 = failure, 1 = leave blank; only 2 carries a value to add. */
    if (rc == 0 || rc == 1)
        return rc;
    if (X509_REQ_add1_attr_by_NID(req, nid, chtype,
                                  (unsigned char *)entry, -1))
        return 1;
    BIO_printf(bio_err, "Error adding attribute\n");
    ERR_print_errors(bio_err);
    return 0;
}
/*
 * Obtain a single value for the field 'text': from 'value' when the
 * config preset it, from stdin when interactive, or from 'def' when the
 * answer is an empty line (which is what batch mode simulates). The
 * result, stripped of its trailing newline, is left in 'buf'.
 *
 * Returns 2 when buf holds a value to use, 1 when the field is to be left
 * blank (empty default, or "." entered), 0 on EOF/error, on a line that
 * does not fit in buf_size, or when a preset or batch value violates the
 * n_min/n_max length bounds; interactive input violating the bounds is
 * asked for again.
 */
static int build_data(char *text, const char *def,
                      char *value, int n_min, int n_max,
                      char *buf, const int buf_size,
                      const char *desc1, const char *desc2
                      )
{
    size_t len;

    for (;;) {
        if (!batch)
            BIO_printf(bio_err, "%s [%s]:", text, def);
        (void)BIO_flush(bio_err);

        if (value != NULL) {
            /* Preset value: echo it so the transcript reads like a prompt. */
            if (!join(buf, buf_size, value, "\n", desc1))
                return 0;
            BIO_printf(bio_err, "%s\n", value);
        } else if (!batch) {
            buf[0] = '\0';
            if (fgets(buf, buf_size, stdin) == NULL)
                return 0;
        } else {
            /* Batch mode behaves as if an empty line had been entered. */
            buf[0] = '\n';
            buf[1] = '\0';
        }

        if (buf[0] == '\0')
            return 0;
        if (buf[0] == '\n') {
            /* Empty answer: use the default, or leave the field blank. */
            if (def == NULL || def[0] == '\0')
                return 1;
            if (!join(buf, buf_size, def, "\n", desc2))
                return 0;
        } else if (buf[0] == '.' && buf[1] == '\n') {
            return 1;
        }

        /* buf is non-empty here, so len - 1 is a valid index. */
        len = strlen(buf);
        if (buf[len - 1] != '\n') {
            /* Line longer than the buffer, or input ended without newline. */
            BIO_printf(bio_err, "weird input :-(\n");
            return 0;
        }
        buf[--len] = '\0';
#ifdef CHARSET_EBCDIC
        ebcdic2ascii(buf, buf, len);
#endif
        if (req_check_len((int)len, n_min, n_max))
            return 2;
        /* Out of bounds: only an interactive answer can be retried. */
        if (batch || value != NULL)
            return 0;
    }
}
/*
 * Check a value's byte length against the configured bounds. A bound is
 * ignored when negative; note the asymmetry that n_min must be positive to
 * apply while an n_max of 0 does apply (and rejects any non-empty value).
 *
 * Returns 1 when len is within bounds, 0 (with a message) otherwise.
 */
static int req_check_len(int len, int n_min, int n_max)
{
    const int too_short = n_min > 0 && len < n_min;
    const int too_long = n_max >= 0 && len > n_max;

    if (too_short) {
        BIO_printf(bio_err,
                   "string is too short, it needs to be at least %d bytes long\n",
                   n_min);
        return 0;
    }
    if (too_long) {
        BIO_printf(bio_err,
                   "string is too long, it needs to be no more than %d bytes long\n",
                   n_max);
        return 0;
    }
    return 1;
}
/*
 * Check whether 'str' ends with 'end'.
 *
 * Returns 0 when it does (strcmp() convention) and non-zero otherwise,
 * including when 'end' is longer than 'str'; callers test !check_end().
 */
static int check_end(const char *str, const char *end)
{
    const size_t end_len = strlen(end);
    const size_t str_len = strlen(str);

    if (str_len < end_len)
        return 1;
    return strcmp(str + (str_len - end_len), end);
}
/*
 * Write 'name' immediately followed by 'tail' (NUL-terminated) into buf.
 *
 * The size is checked before anything is written: when the result would
 * not fit in buf_size bytes, buf is left untouched and an error naming
 * 'desc' is printed.
 *
 * Returns 1 on success, 0 when the result would overflow buf.
 */
static int join(char buf[], size_t buf_size, const char *name,
                const char *tail, const char *desc)
{
    const size_t name_len = strlen(name);
    const size_t tail_len = strlen(tail);
    const size_t needed = name_len + tail_len + 1;

    if (needed > buf_size) {
        BIO_printf(bio_err, "%s '%s' too long\n", desc, name);
        return 0;
    }
    /* The two regions do not overlap, so the copy order is immaterial. */
    memcpy(buf + name_len, tail, tail_len + 1); /* tail plus its NUL */
    memcpy(buf, name, name_len);
    return 1;
}
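/*
 * Build and initialise a keygen context from the -newkey argument 'gstr':
 *   NULL              RSA, size taken from *pkeylen
 *   "<digits...>"     RSA of that size
 *   "param:<file>"    parameters (or the public key of a PEM certificate)
 *                     read from <file>; the key type is taken from them
 *   "<alg>[:<arg>]"   algorithm <alg>; <arg> is a bit size for RSA and a
 *                     parameter file for everything else
 *
 * On success *pkey_type and *pkeylen describe the selected key and, when
 * palgnam is non-NULL, *palgnam holds an OPENSSL_strdup()'d algorithm name
 * that the caller must free.
 *
 * Returns the context (to be freed with EVP_PKEY_CTX_free()) or NULL after
 * printing an error. Nothing allocated here is leaked on the NULL paths.
 */
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
                                    int *pkey_type, long *pkeylen,
                                    char **palgnam, ENGINE *keygen_engine)
{
    EVP_PKEY_CTX *gctx = NULL;
    EVP_PKEY *param = NULL;
    long keylen = -1;
    BIO *pbio = NULL;
    const char *paramfile = NULL;

    if (gstr == NULL) {
        *pkey_type = EVP_PKEY_RSA;
        keylen = *pkeylen;
    } else if (gstr[0] >= '0' && gstr[0] <= '9') {
        /*
         * A bare number is an RSA key size. atol() stops at the first
         * non-digit without reporting it, so "2048x" is accepted as 2048.
         */
        *pkey_type = EVP_PKEY_RSA;
        keylen = atol(gstr);
        *pkeylen = keylen;
    } else if (strncmp(gstr, "param:", 6) == 0) {
        paramfile = gstr + 6;
    } else {
        const char *p = strchr(gstr, ':');
        int len;
        ENGINE *tmpeng;
        const EVP_PKEY_ASN1_METHOD *ameth;

        if (p != NULL)
            len = p - gstr;
        else
            len = strlen(gstr);
        /*
         * The lookup of the string covers all engines, so keep a note of
         * the implementation that provided it.
         */
        ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
        if (ameth == NULL) {
            BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
            return NULL;
        }
        EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
#ifndef OPENSSL_NO_ENGINE
        ENGINE_finish(tmpeng);
#endif
        if (*pkey_type == EVP_PKEY_RSA) {
            if (p != NULL) {
                keylen = atol(p + 1);
                *pkeylen = keylen;
            } else {
                keylen = *pkeylen;
            }
        } else if (p != NULL) {
            paramfile = p + 1;
        }
    }

    if (paramfile != NULL) {
        pbio = BIO_new_file(paramfile, "r");
        if (pbio == NULL) {
            BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
            return NULL;
        }
        param = PEM_read_bio_Parameters(pbio, NULL);
        if (param == NULL) {
            /* Not a parameter file: a certificate's public key is accepted too. */
            X509 *x;

            (void)BIO_reset(pbio);
            x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
            if (x != NULL) {
                param = X509_get_pubkey(x);
                X509_free(x);
            }
        }
        BIO_free(pbio);
        if (param == NULL) {
            BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
            return NULL;
        }
        if (*pkey_type == -1) {
            *pkey_type = EVP_PKEY_id(param);
        } else if (*pkey_type != EVP_PKEY_base_id(param)) {
            BIO_printf(bio_err, "Key Type does not match parameters\n");
            EVP_PKEY_free(param);
            return NULL;
        }
    }

    if (palgnam != NULL) {
        const EVP_PKEY_ASN1_METHOD *ameth;
        ENGINE *tmpeng;
        const char *anam;

        ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
        if (ameth == NULL) {
            BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
            /* 'param' may already be loaded at this point; do not leak it. */
            EVP_PKEY_free(param);
            return NULL;
        }
        EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
        *palgnam = OPENSSL_strdup(anam);
#ifndef OPENSSL_NO_ENGINE
        ENGINE_finish(tmpeng);
#endif
        if (*palgnam == NULL) {
            BIO_puts(bio_err, "Error copying key algorithm name\n");
            EVP_PKEY_free(param);
            return NULL;
        }
    }

    if (param != NULL) {
        /* The context keeps its own reference; the key length follows the parameters. */
        gctx = EVP_PKEY_CTX_new(param, keygen_engine);
        *pkeylen = EVP_PKEY_bits(param);
        EVP_PKEY_free(param);
    } else {
        gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
    }

    if (gctx == NULL) {
        BIO_puts(bio_err, "Error allocating keygen context\n");
        ERR_print_errors(bio_err);
        return NULL;
    }

    if (EVP_PKEY_keygen_init(gctx) <= 0) {
        BIO_puts(bio_err, "Error initializing keygen context\n");
        ERR_print_errors(bio_err);
        EVP_PKEY_CTX_free(gctx);
        return NULL;
    }
#ifndef OPENSSL_NO_RSA
    /* keylen stays -1 when RSA parameters came from a file, so leave the default. */
    if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
        if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
            BIO_puts(bio_err, "Error setting RSA keysize\n");
            ERR_print_errors(bio_err);
            EVP_PKEY_CTX_free(gctx);
            return NULL;
        }
    }
#endif

    return gctx;
}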
/*
 * Key generation progress callback: writes one character per event to the
 * BIO stored as the context's app data. Keygen info values 0, 1, 2 and 3
 * map to '.', '+', '*' and a newline; any other value prints '*'.
 * Always returns 1.
 */
static int genpkey_cb(EVP_PKEY_CTX *ctx)
{
    BIO *out = EVP_PKEY_CTX_get_app_data(ctx);
    char mark;

    switch (EVP_PKEY_CTX_get_keygen_info(ctx, 0)) {
    case 0:
        mark = '.';
        break;
    case 1:
        mark = '+';
        break;
    case 3:
        mark = '\n';
        break;
    case 2:
    default:
        mark = '*';
        break;
    }
    BIO_write(out, &mark, 1);
    (void)BIO_flush(out);
    return 1;
}
/*
 * Start a DigestSign operation on ctx with pkey and md, then apply every
 * control string in sigopts to the resulting key context.
 *
 * Returns 1 on success, 0 if ctx is NULL, if initialisation fails, or if
 * a control string is rejected (only the last case prints an error).
 */
static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
                        const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_PKEY_CTX *pkctx = NULL;
    int idx, nopts;

    if (ctx == NULL || !EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
        return 0;

    /* A NULL sigopts stack yields a negative count, so the loop is skipped. */
    nopts = sk_OPENSSL_STRING_num(sigopts);
    for (idx = 0; idx < nopts; idx++) {
        char *opt = sk_OPENSSL_STRING_value(sigopts, idx);

        if (pkey_ctrl_string(pkctx, opt) <= 0) {
            BIO_printf(bio_err, "parameter error \"%s\"\n", opt);
            ERR_print_errors(bio_err);
            return 0;
        }
    }
    return 1;
}
/*
 * Sign certificate x with pkey using digest md and the signature options
 * in sigopts.
 *
 * Returns 1 on success, 0 on failure, including when the EVP_MD_CTX could
 * not be allocated (do_sign_init() rejects a NULL context).
 */
int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
                 STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int ok;

    ok = do_sign_init(mctx, pkey, md, sigopts) > 0
         && X509_sign_ctx(x, mctx) > 0;
    EVP_MD_CTX_free(mctx);
    return ok;
}
/*
 * Sign certificate request x with pkey using digest md and the signature
 * options in sigopts.
 *
 * Returns 1 on success, 0 on failure, including when the EVP_MD_CTX could
 * not be allocated (do_sign_init() rejects a NULL context).
 */
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
                     STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int ok;

    ok = do_sign_init(mctx, pkey, md, sigopts) > 0
         && X509_REQ_sign_ctx(x, mctx) > 0;
    EVP_MD_CTX_free(mctx);
    return ok;
}
/*
 * Sign CRL x with pkey using digest md and the signature options in
 * sigopts.
 *
 * Returns 1 on success, 0 on failure, including when the EVP_MD_CTX could
 * not be allocated (do_sign_init() rejects a NULL context).
 */
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
                     STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int ok;

    ok = do_sign_init(mctx, pkey, md, sigopts) > 0
         && X509_CRL_sign_ctx(x, mctx) > 0;
    EVP_MD_CTX_free(mctx);
    return ok;
}