req.c 42 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750
  1. /* apps/req.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* Until the key-gen callbacks are modified to use newer prototypes, we allow
  59. * deprecated functions for openssl-internal code */
  60. #ifdef OPENSSL_NO_DEPRECATED
  61. #undef OPENSSL_NO_DEPRECATED
  62. #endif
  63. #include <stdio.h>
  64. #include <stdlib.h>
  65. #include <time.h>
  66. #include <string.h>
  67. #ifdef OPENSSL_NO_STDIO
  68. #define APPS_WIN16
  69. #endif
  70. #include "apps.h"
  71. #include <openssl/bio.h>
  72. #include <openssl/evp.h>
  73. #include <openssl/conf.h>
  74. #include <openssl/err.h>
  75. #include <openssl/asn1.h>
  76. #include <openssl/x509.h>
  77. #include <openssl/x509v3.h>
  78. #include <openssl/objects.h>
  79. #include <openssl/pem.h>
  80. #include <openssl/bn.h>
  81. #ifndef OPENSSL_NO_RSA
  82. #include <openssl/rsa.h>
  83. #endif
  84. #ifndef OPENSSL_NO_DSA
  85. #include <openssl/dsa.h>
  86. #endif
  87. #define SECTION "req"
  88. #define BITS "default_bits"
  89. #define KEYFILE "default_keyfile"
  90. #define PROMPT "prompt"
  91. #define DISTINGUISHED_NAME "distinguished_name"
  92. #define ATTRIBUTES "attributes"
  93. #define V3_EXTENSIONS "x509_extensions"
  94. #define REQ_EXTENSIONS "req_extensions"
  95. #define STRING_MASK "string_mask"
  96. #define UTF8_IN "utf8"
  97. #define DEFAULT_KEY_LENGTH 512
  98. #define MIN_KEY_LENGTH 384
  99. #undef PROG
  100. #define PROG req_main
  101. /* -inform arg - input format - default PEM (DER or PEM)
  102. * -outform arg - output format - default PEM
  103. * -in arg - input file - default stdin
  104. * -out arg - output file - default stdout
  105. * -verify - check request signature
  106. * -noout - don't print stuff out.
  107. * -text - print out human readable text.
  108. * -nodes - no des encryption
  109. * -config file - Load configuration file.
  110. * -key file - make a request using key in file (or use it for verification).
  111. * -keyform arg - key file format.
  112. * -rand file(s) - load the file(s) into the PRNG.
  113. * -newkey - make a key and a request.
  114. * -modulus - print RSA modulus.
  115. * -pubkey - output Public Key.
  116. * -x509 - output a self signed X509 structure instead.
  117. * -asn1-kludge - output new certificate request in a format that some CA's
  118. * require. This format is wrong
  119. */
  120. static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int mutlirdn,
  121. int attribs,unsigned long chtype);
  122. static int build_subject(X509_REQ *req, char *subj, unsigned long chtype,
  123. int multirdn);
  124. static int prompt_info(X509_REQ *req,
  125. STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
  126. STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs,
  127. unsigned long chtype);
  128. static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
  129. STACK_OF(CONF_VALUE) *attr, int attribs,
  130. unsigned long chtype);
  131. static int add_attribute_object(X509_REQ *req, char *text, const char *def,
  132. char *value, int nid, int n_min,
  133. int n_max, unsigned long chtype);
  134. static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,
  135. int nid,int n_min,int n_max, unsigned long chtype, int mval);
  136. static int genpkey_cb(EVP_PKEY_CTX *ctx);
  137. static int req_check_len(int len,int n_min,int n_max);
  138. static int check_end(const char *str, const char *end);
  139. static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
  140. long *pkeylen, char **palgnam,
  141. ENGINE *keygen_engine);
  142. #ifndef MONOLITH
  143. static char *default_config_file=NULL;
  144. #endif
  145. static CONF *req_conf=NULL;
  146. static int batch=0;
  147. int MAIN(int, char **);
  148. int MAIN(int argc, char **argv)
  149. {
  150. ENGINE *e = NULL, *gen_eng = NULL;
  151. unsigned long nmflag = 0, reqflag = 0;
  152. int ex=1,x509=0,days=30;
  153. X509 *x509ss=NULL;
  154. X509_REQ *req=NULL;
  155. EVP_PKEY_CTX *genctx = NULL;
  156. const char *keyalg = NULL;
  157. char *keyalgstr = NULL;
  158. STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
  159. EVP_PKEY *pkey=NULL;
  160. int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1;
  161. long newkey = -1;
  162. BIO *in=NULL,*out=NULL;
  163. int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
  164. int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
  165. char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
  166. #ifndef OPENSSL_NO_ENGINE
  167. char *engine=NULL;
  168. #endif
  169. char *extensions = NULL;
  170. char *req_exts = NULL;
  171. const EVP_CIPHER *cipher=NULL;
  172. ASN1_INTEGER *serial = NULL;
  173. int modulus=0;
  174. char *inrand=NULL;
  175. char *passargin = NULL, *passargout = NULL;
  176. char *passin = NULL, *passout = NULL;
  177. char *p;
  178. char *subj = NULL;
  179. int multirdn = 0;
  180. const EVP_MD *md_alg=NULL,*digest=NULL;
  181. unsigned long chtype = MBSTRING_ASC;
  182. #ifndef MONOLITH
  183. char *to_free;
  184. long errline;
  185. #endif
  186. req_conf = NULL;
  187. #ifndef OPENSSL_NO_DES
  188. cipher=EVP_des_ede3_cbc();
  189. #endif
  190. apps_startup();
  191. if (bio_err == NULL)
  192. if ((bio_err=BIO_new(BIO_s_file())) != NULL)
  193. BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
  194. infile=NULL;
  195. outfile=NULL;
  196. informat=FORMAT_PEM;
  197. outformat=FORMAT_PEM;
  198. prog=argv[0];
  199. argc--;
  200. argv++;
  201. while (argc >= 1)
  202. {
  203. if (strcmp(*argv,"-inform") == 0)
  204. {
  205. if (--argc < 1) goto bad;
  206. informat=str2fmt(*(++argv));
  207. }
  208. else if (strcmp(*argv,"-outform") == 0)
  209. {
  210. if (--argc < 1) goto bad;
  211. outformat=str2fmt(*(++argv));
  212. }
  213. #ifndef OPENSSL_NO_ENGINE
  214. else if (strcmp(*argv,"-engine") == 0)
  215. {
  216. if (--argc < 1) goto bad;
  217. engine= *(++argv);
  218. }
  219. else if (strcmp(*argv,"-keygen_engine") == 0)
  220. {
  221. if (--argc < 1) goto bad;
  222. gen_eng = ENGINE_by_id(*(++argv));
  223. if (gen_eng == NULL)
  224. {
  225. BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
  226. goto end;
  227. }
  228. }
  229. #endif
  230. else if (strcmp(*argv,"-key") == 0)
  231. {
  232. if (--argc < 1) goto bad;
  233. keyfile= *(++argv);
  234. }
  235. else if (strcmp(*argv,"-pubkey") == 0)
  236. {
  237. pubkey=1;
  238. }
  239. else if (strcmp(*argv,"-new") == 0)
  240. {
  241. newreq=1;
  242. }
  243. else if (strcmp(*argv,"-config") == 0)
  244. {
  245. if (--argc < 1) goto bad;
  246. template= *(++argv);
  247. }
  248. else if (strcmp(*argv,"-keyform") == 0)
  249. {
  250. if (--argc < 1) goto bad;
  251. keyform=str2fmt(*(++argv));
  252. }
  253. else if (strcmp(*argv,"-in") == 0)
  254. {
  255. if (--argc < 1) goto bad;
  256. infile= *(++argv);
  257. }
  258. else if (strcmp(*argv,"-out") == 0)
  259. {
  260. if (--argc < 1) goto bad;
  261. outfile= *(++argv);
  262. }
  263. else if (strcmp(*argv,"-keyout") == 0)
  264. {
  265. if (--argc < 1) goto bad;
  266. keyout= *(++argv);
  267. }
  268. else if (strcmp(*argv,"-passin") == 0)
  269. {
  270. if (--argc < 1) goto bad;
  271. passargin= *(++argv);
  272. }
  273. else if (strcmp(*argv,"-passout") == 0)
  274. {
  275. if (--argc < 1) goto bad;
  276. passargout= *(++argv);
  277. }
  278. else if (strcmp(*argv,"-rand") == 0)
  279. {
  280. if (--argc < 1) goto bad;
  281. inrand= *(++argv);
  282. }
  283. else if (strcmp(*argv,"-newkey") == 0)
  284. {
  285. if (--argc < 1)
  286. goto bad;
  287. keyalg = *(++argv);
  288. newreq=1;
  289. }
  290. else if (strcmp(*argv,"-pkeyopt") == 0)
  291. {
  292. if (--argc < 1)
  293. goto bad;
  294. if (!pkeyopts)
  295. pkeyopts = sk_OPENSSL_STRING_new_null();
  296. if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv)))
  297. goto bad;
  298. }
  299. else if (strcmp(*argv,"-batch") == 0)
  300. batch=1;
  301. else if (strcmp(*argv,"-newhdr") == 0)
  302. newhdr=1;
  303. else if (strcmp(*argv,"-modulus") == 0)
  304. modulus=1;
  305. else if (strcmp(*argv,"-verify") == 0)
  306. verify=1;
  307. else if (strcmp(*argv,"-nodes") == 0)
  308. nodes=1;
  309. else if (strcmp(*argv,"-noout") == 0)
  310. noout=1;
  311. else if (strcmp(*argv,"-verbose") == 0)
  312. verbose=1;
  313. else if (strcmp(*argv,"-utf8") == 0)
  314. chtype = MBSTRING_UTF8;
  315. else if (strcmp(*argv,"-nameopt") == 0)
  316. {
  317. if (--argc < 1) goto bad;
  318. if (!set_name_ex(&nmflag, *(++argv))) goto bad;
  319. }
  320. else if (strcmp(*argv,"-reqopt") == 0)
  321. {
  322. if (--argc < 1) goto bad;
  323. if (!set_cert_ex(&reqflag, *(++argv))) goto bad;
  324. }
  325. else if (strcmp(*argv,"-subject") == 0)
  326. subject=1;
  327. else if (strcmp(*argv,"-text") == 0)
  328. text=1;
  329. else if (strcmp(*argv,"-x509") == 0)
  330. x509=1;
  331. else if (strcmp(*argv,"-asn1-kludge") == 0)
  332. kludge=1;
  333. else if (strcmp(*argv,"-no-asn1-kludge") == 0)
  334. kludge=0;
  335. else if (strcmp(*argv,"-subj") == 0)
  336. {
  337. if (--argc < 1) goto bad;
  338. subj= *(++argv);
  339. }
  340. else if (strcmp(*argv,"-multivalue-rdn") == 0)
  341. multirdn=1;
  342. else if (strcmp(*argv,"-days") == 0)
  343. {
  344. if (--argc < 1) goto bad;
  345. days= atoi(*(++argv));
  346. if (days == 0) days=30;
  347. }
  348. else if (strcmp(*argv,"-set_serial") == 0)
  349. {
  350. if (--argc < 1) goto bad;
  351. serial = s2i_ASN1_INTEGER(NULL, *(++argv));
  352. if (!serial) goto bad;
  353. }
  354. else if (strcmp(*argv,"-extensions") == 0)
  355. {
  356. if (--argc < 1) goto bad;
  357. extensions = *(++argv);
  358. }
  359. else if (strcmp(*argv,"-reqexts") == 0)
  360. {
  361. if (--argc < 1) goto bad;
  362. req_exts = *(++argv);
  363. }
  364. else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
  365. {
  366. /* ok */
  367. digest=md_alg;
  368. }
  369. else
  370. {
  371. BIO_printf(bio_err,"unknown option %s\n",*argv);
  372. badops=1;
  373. break;
  374. }
  375. argc--;
  376. argv++;
  377. }
  378. if (badops)
  379. {
  380. bad:
  381. BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
  382. BIO_printf(bio_err,"where options are\n");
  383. BIO_printf(bio_err," -inform arg input format - DER or PEM\n");
  384. BIO_printf(bio_err," -outform arg output format - DER or PEM\n");
  385. BIO_printf(bio_err," -in arg input file\n");
  386. BIO_printf(bio_err," -out arg output file\n");
  387. BIO_printf(bio_err," -text text form of request\n");
  388. BIO_printf(bio_err," -pubkey output public key\n");
  389. BIO_printf(bio_err," -noout do not output REQ\n");
  390. BIO_printf(bio_err," -verify verify signature on REQ\n");
  391. BIO_printf(bio_err," -modulus RSA modulus\n");
  392. BIO_printf(bio_err," -nodes don't encrypt the output key\n");
  393. #ifndef OPENSSL_NO_ENGINE
  394. BIO_printf(bio_err," -engine e use engine e, possibly a hardware device\n");
  395. #endif
  396. BIO_printf(bio_err," -subject output the request's subject\n");
  397. BIO_printf(bio_err," -passin private key password source\n");
  398. BIO_printf(bio_err," -key file use the private key contained in file\n");
  399. BIO_printf(bio_err," -keyform arg key file format\n");
  400. BIO_printf(bio_err," -keyout arg file to send the key to\n");
  401. BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
  402. BIO_printf(bio_err," load the file (or the files in the directory) into\n");
  403. BIO_printf(bio_err," the random number generator\n");
  404. BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
  405. BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
  406. #ifndef OPENSSL_NO_ECDSA
  407. BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
  408. #endif
  409. BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
  410. BIO_printf(bio_err," -config file request template file.\n");
  411. BIO_printf(bio_err," -subj arg set or modify request subject\n");
  412. BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
  413. BIO_printf(bio_err," -new new request.\n");
  414. BIO_printf(bio_err," -batch do not ask anything during request generation\n");
  415. BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n");
  416. BIO_printf(bio_err," -days number of days a certificate generated by -x509 is valid for.\n");
  417. BIO_printf(bio_err," -set_serial serial number to use for a certificate generated by -x509.\n");
  418. BIO_printf(bio_err," -newhdr output \"NEW\" in the header lines\n");
  419. BIO_printf(bio_err," -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n");
  420. BIO_printf(bio_err," have been reported as requiring\n");
  421. BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
  422. BIO_printf(bio_err," -reqexts .. specify request extension section (override value in config file)\n");
  423. BIO_printf(bio_err," -utf8 input characters are UTF8 (default ASCII)\n");
  424. BIO_printf(bio_err," -nameopt arg - various certificate name options\n");
  425. BIO_printf(bio_err," -reqopt arg - various request text options\n\n");
  426. goto end;
  427. }
  428. ERR_load_crypto_strings();
  429. if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
  430. BIO_printf(bio_err, "Error getting passwords\n");
  431. goto end;
  432. }
  433. #ifndef MONOLITH /* else this has happened in openssl.c (global `config') */
  434. /* Lets load up our environment a little */
  435. p=getenv("OPENSSL_CONF");
  436. if (p == NULL)
  437. p=getenv("SSLEAY_CONF");
  438. if (p == NULL)
  439. p=to_free=make_config_name();
  440. default_config_file=p;
  441. config=NCONF_new(NULL);
  442. i=NCONF_load(config, p, &errline);
  443. #endif
  444. if (template != NULL)
  445. {
  446. long errline = -1;
  447. if( verbose )
  448. BIO_printf(bio_err,"Using configuration from %s\n",template);
  449. req_conf=NCONF_new(NULL);
  450. i=NCONF_load(req_conf,template,&errline);
  451. if (i == 0)
  452. {
  453. BIO_printf(bio_err,"error on line %ld of %s\n",errline,template);
  454. goto end;
  455. }
  456. }
  457. else
  458. {
  459. req_conf=config;
  460. if (req_conf == NULL)
  461. {
  462. BIO_printf(bio_err,"Unable to load config info from %s\n", default_config_file);
  463. if (newreq)
  464. goto end;
  465. }
  466. else if( verbose )
  467. BIO_printf(bio_err,"Using configuration from %s\n",
  468. default_config_file);
  469. }
  470. if (req_conf != NULL)
  471. {
  472. if (!load_config(bio_err, req_conf))
  473. goto end;
  474. p=NCONF_get_string(req_conf,NULL,"oid_file");
  475. if (p == NULL)
  476. ERR_clear_error();
  477. if (p != NULL)
  478. {
  479. BIO *oid_bio;
  480. oid_bio=BIO_new_file(p,"r");
  481. if (oid_bio == NULL)
  482. {
  483. /*
  484. BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
  485. ERR_print_errors(bio_err);
  486. */
  487. }
  488. else
  489. {
  490. OBJ_create_objects(oid_bio);
  491. BIO_free(oid_bio);
  492. }
  493. }
  494. }
  495. if(!add_oid_section(bio_err, req_conf)) goto end;
  496. if (md_alg == NULL)
  497. {
  498. p=NCONF_get_string(req_conf,SECTION,"default_md");
  499. if (p == NULL)
  500. ERR_clear_error();
  501. if (p != NULL)
  502. {
  503. if ((md_alg=EVP_get_digestbyname(p)) != NULL)
  504. digest=md_alg;
  505. }
  506. }
  507. if (!extensions)
  508. {
  509. extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
  510. if (!extensions)
  511. ERR_clear_error();
  512. }
  513. if (extensions) {
  514. /* Check syntax of file */
  515. X509V3_CTX ctx;
  516. X509V3_set_ctx_test(&ctx);
  517. X509V3_set_nconf(&ctx, req_conf);
  518. if(!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
  519. BIO_printf(bio_err,
  520. "Error Loading extension section %s\n", extensions);
  521. goto end;
  522. }
  523. }
  524. if(!passin)
  525. {
  526. passin = NCONF_get_string(req_conf, SECTION, "input_password");
  527. if (!passin)
  528. ERR_clear_error();
  529. }
  530. if(!passout)
  531. {
  532. passout = NCONF_get_string(req_conf, SECTION, "output_password");
  533. if (!passout)
  534. ERR_clear_error();
  535. }
  536. p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
  537. if (!p)
  538. ERR_clear_error();
  539. if(p && !ASN1_STRING_set_default_mask_asc(p)) {
  540. BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
  541. goto end;
  542. }
  543. if (chtype != MBSTRING_UTF8)
  544. {
  545. p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
  546. if (!p)
  547. ERR_clear_error();
  548. else if (!strcmp(p, "yes"))
  549. chtype = MBSTRING_UTF8;
  550. }
  551. if(!req_exts)
  552. {
  553. req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
  554. if (!req_exts)
  555. ERR_clear_error();
  556. }
  557. if(req_exts) {
  558. /* Check syntax of file */
  559. X509V3_CTX ctx;
  560. X509V3_set_ctx_test(&ctx);
  561. X509V3_set_nconf(&ctx, req_conf);
  562. if(!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
  563. BIO_printf(bio_err,
  564. "Error Loading request extension section %s\n",
  565. req_exts);
  566. goto end;
  567. }
  568. }
  569. in=BIO_new(BIO_s_file());
  570. out=BIO_new(BIO_s_file());
  571. if ((in == NULL) || (out == NULL))
  572. goto end;
  573. #ifndef OPENSSL_NO_ENGINE
  574. e = setup_engine(bio_err, engine, 0);
  575. #endif
  576. if (keyfile != NULL)
  577. {
  578. pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
  579. "Private Key");
  580. if (!pkey)
  581. {
  582. /* load_key() has already printed an appropriate
  583. message */
  584. goto end;
  585. }
  586. else
  587. {
  588. char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
  589. if (randfile == NULL)
  590. ERR_clear_error();
  591. app_RAND_load_file(randfile, bio_err, 0);
  592. }
  593. }
  594. if (newreq && (pkey == NULL))
  595. {
  596. char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
  597. if (randfile == NULL)
  598. ERR_clear_error();
  599. app_RAND_load_file(randfile, bio_err, 0);
  600. if (inrand)
  601. app_RAND_load_files(inrand);
  602. if (keyalg)
  603. {
  604. genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
  605. &keyalgstr, gen_eng);
  606. if (!genctx)
  607. goto end;
  608. }
  609. if (newkey <= 0)
  610. {
  611. if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
  612. newkey=DEFAULT_KEY_LENGTH;
  613. }
  614. if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
  615. {
  616. BIO_printf(bio_err,"private key length is too short,\n");
  617. BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey);
  618. goto end;
  619. }
  620. if (!genctx)
  621. {
  622. genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey,
  623. &keyalgstr, gen_eng);
  624. if (!genctx)
  625. goto end;
  626. }
  627. if (pkeyopts)
  628. {
  629. char *genopt;
  630. for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++)
  631. {
  632. genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
  633. if (pkey_ctrl_string(genctx, genopt) <= 0)
  634. {
  635. BIO_printf(bio_err,
  636. "parameter error \"%s\"\n",
  637. genopt);
  638. ERR_print_errors(bio_err);
  639. goto end;
  640. }
  641. }
  642. }
  643. BIO_printf(bio_err,"Generating a %ld bit %s private key\n",
  644. newkey, keyalgstr);
  645. EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
  646. EVP_PKEY_CTX_set_app_data(genctx, bio_err);
  647. if (EVP_PKEY_keygen(genctx, &pkey) <= 0)
  648. {
  649. BIO_puts(bio_err, "Error Generating Key\n");
  650. goto end;
  651. }
  652. EVP_PKEY_CTX_free(genctx);
  653. genctx = NULL;
  654. app_RAND_write_file(randfile, bio_err);
  655. if (keyout == NULL)
  656. {
  657. keyout=NCONF_get_string(req_conf,SECTION,KEYFILE);
  658. if (keyout == NULL)
  659. ERR_clear_error();
  660. }
  661. if (keyout == NULL)
  662. {
  663. BIO_printf(bio_err,"writing new private key to stdout\n");
  664. BIO_set_fp(out,stdout,BIO_NOCLOSE);
  665. #ifdef OPENSSL_SYS_VMS
  666. {
  667. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  668. out = BIO_push(tmpbio, out);
  669. }
  670. #endif
  671. }
  672. else
  673. {
  674. BIO_printf(bio_err,"writing new private key to '%s'\n",keyout);
  675. if (BIO_write_filename(out,keyout) <= 0)
  676. {
  677. perror(keyout);
  678. goto end;
  679. }
  680. }
  681. p=NCONF_get_string(req_conf,SECTION,"encrypt_rsa_key");
  682. if (p == NULL)
  683. {
  684. ERR_clear_error();
  685. p=NCONF_get_string(req_conf,SECTION,"encrypt_key");
  686. if (p == NULL)
  687. ERR_clear_error();
  688. }
  689. if ((p != NULL) && (strcmp(p,"no") == 0))
  690. cipher=NULL;
  691. if (nodes) cipher=NULL;
  692. i=0;
  693. loop:
  694. if (!PEM_write_bio_PrivateKey(out,pkey,cipher,
  695. NULL,0,NULL,passout))
  696. {
  697. if ((ERR_GET_REASON(ERR_peek_error()) ==
  698. PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3))
  699. {
  700. ERR_clear_error();
  701. i++;
  702. goto loop;
  703. }
  704. goto end;
  705. }
  706. BIO_printf(bio_err,"-----\n");
  707. }
  708. if (!newreq)
  709. {
  710. /* Since we are using a pre-existing certificate
  711. * request, the kludge 'format' info should not be
  712. * changed. */
  713. kludge= -1;
  714. if (infile == NULL)
  715. BIO_set_fp(in,stdin,BIO_NOCLOSE);
  716. else
  717. {
  718. if (BIO_read_filename(in,infile) <= 0)
  719. {
  720. perror(infile);
  721. goto end;
  722. }
  723. }
  724. if (informat == FORMAT_ASN1)
  725. req=d2i_X509_REQ_bio(in,NULL);
  726. else if (informat == FORMAT_PEM)
  727. req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
  728. else
  729. {
  730. BIO_printf(bio_err,"bad input format specified for X509 request\n");
  731. goto end;
  732. }
  733. if (req == NULL)
  734. {
  735. BIO_printf(bio_err,"unable to load X509 request\n");
  736. goto end;
  737. }
  738. }
  739. if (newreq || x509)
  740. {
  741. if (pkey == NULL)
  742. {
  743. BIO_printf(bio_err,"you need to specify a private key\n");
  744. goto end;
  745. }
  746. if (req == NULL)
  747. {
  748. req=X509_REQ_new();
  749. if (req == NULL)
  750. {
  751. goto end;
  752. }
  753. i=make_REQ(req,pkey,subj,multirdn,!x509, chtype);
  754. subj=NULL; /* done processing '-subj' option */
  755. if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes))
  756. {
  757. sk_X509_ATTRIBUTE_free(req->req_info->attributes);
  758. req->req_info->attributes = NULL;
  759. }
  760. if (!i)
  761. {
  762. BIO_printf(bio_err,"problems making Certificate Request\n");
  763. goto end;
  764. }
  765. }
  766. if (x509)
  767. {
  768. EVP_PKEY *tmppkey;
  769. X509V3_CTX ext_ctx;
  770. if ((x509ss=X509_new()) == NULL) goto end;
  771. /* Set version to V3 */
  772. if(extensions && !X509_set_version(x509ss, 2)) goto end;
  773. if (serial)
  774. {
  775. if (!X509_set_serialNumber(x509ss, serial)) goto end;
  776. }
  777. else
  778. {
  779. if (!rand_serial(NULL,
  780. X509_get_serialNumber(x509ss)))
  781. goto end;
  782. }
  783. if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
  784. if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
  785. if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end;
  786. if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
  787. tmppkey = X509_REQ_get_pubkey(req);
  788. if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
  789. EVP_PKEY_free(tmppkey);
  790. /* Set up V3 context struct */
  791. X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
  792. X509V3_set_nconf(&ext_ctx, req_conf);
  793. /* Add extensions */
  794. if(extensions && !X509V3_EXT_add_nconf(req_conf,
  795. &ext_ctx, extensions, x509ss))
  796. {
  797. BIO_printf(bio_err,
  798. "Error Loading extension section %s\n",
  799. extensions);
  800. goto end;
  801. }
  802. if (!(i=X509_sign(x509ss,pkey,digest)))
  803. {
  804. ERR_print_errors(bio_err);
  805. goto end;
  806. }
  807. }
  808. else
  809. {
  810. X509V3_CTX ext_ctx;
  811. /* Set up V3 context struct */
  812. X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
  813. X509V3_set_nconf(&ext_ctx, req_conf);
  814. /* Add extensions */
  815. if(req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
  816. &ext_ctx, req_exts, req))
  817. {
  818. BIO_printf(bio_err,
  819. "Error Loading extension section %s\n",
  820. req_exts);
  821. goto end;
  822. }
  823. if (!(i=X509_REQ_sign(req,pkey,digest)))
  824. {
  825. ERR_print_errors(bio_err);
  826. goto end;
  827. }
  828. }
  829. }
  830. if (subj && x509)
  831. {
  832. BIO_printf(bio_err, "Cannot modifiy certificate subject\n");
  833. goto end;
  834. }
  835. if (subj && !x509)
  836. {
  837. if (verbose)
  838. {
  839. BIO_printf(bio_err, "Modifying Request's Subject\n");
  840. print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag);
  841. }
  842. if (build_subject(req, subj, chtype, multirdn) == 0)
  843. {
  844. BIO_printf(bio_err, "ERROR: cannot modify subject\n");
  845. ex=1;
  846. goto end;
  847. }
  848. req->req_info->enc.modified = 1;
  849. if (verbose)
  850. {
  851. print_name(bio_err, "new subject=", X509_REQ_get_subject_name(req), nmflag);
  852. }
  853. }
  854. if (verify && !x509)
  855. {
  856. int tmp=0;
  857. if (pkey == NULL)
  858. {
  859. pkey=X509_REQ_get_pubkey(req);
  860. tmp=1;
  861. if (pkey == NULL) goto end;
  862. }
  863. i=X509_REQ_verify(req,pkey);
  864. if (tmp) {
  865. EVP_PKEY_free(pkey);
  866. pkey=NULL;
  867. }
  868. if (i < 0)
  869. {
  870. goto end;
  871. }
  872. else if (i == 0)
  873. {
  874. BIO_printf(bio_err,"verify failure\n");
  875. ERR_print_errors(bio_err);
  876. }
  877. else /* if (i > 0) */
  878. BIO_printf(bio_err,"verify OK\n");
  879. }
  880. if (noout && !text && !modulus && !subject && !pubkey)
  881. {
  882. ex=0;
  883. goto end;
  884. }
  885. if (outfile == NULL)
  886. {
  887. BIO_set_fp(out,stdout,BIO_NOCLOSE);
  888. #ifdef OPENSSL_SYS_VMS
  889. {
  890. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  891. out = BIO_push(tmpbio, out);
  892. }
  893. #endif
  894. }
  895. else
  896. {
  897. if ((keyout != NULL) && (strcmp(outfile,keyout) == 0))
  898. i=(int)BIO_append_filename(out,outfile);
  899. else
  900. i=(int)BIO_write_filename(out,outfile);
  901. if (!i)
  902. {
  903. perror(outfile);
  904. goto end;
  905. }
  906. }
  907. if (pubkey)
  908. {
  909. EVP_PKEY *tpubkey;
  910. tpubkey=X509_REQ_get_pubkey(req);
  911. if (tpubkey == NULL)
  912. {
  913. BIO_printf(bio_err,"Error getting public key\n");
  914. ERR_print_errors(bio_err);
  915. goto end;
  916. }
  917. PEM_write_bio_PUBKEY(out, tpubkey);
  918. EVP_PKEY_free(tpubkey);
  919. }
  920. if (text)
  921. {
  922. if (x509)
  923. X509_print_ex(out, x509ss, nmflag, reqflag);
  924. else
  925. X509_REQ_print_ex(out, req, nmflag, reqflag);
  926. }
  927. if(subject)
  928. {
  929. if(x509)
  930. print_name(out, "subject=", X509_get_subject_name(x509ss), nmflag);
  931. else
  932. print_name(out, "subject=", X509_REQ_get_subject_name(req), nmflag);
  933. }
  934. if (modulus)
  935. {
  936. EVP_PKEY *tpubkey;
  937. if (x509)
  938. tpubkey=X509_get_pubkey(x509ss);
  939. else
  940. tpubkey=X509_REQ_get_pubkey(req);
  941. if (tpubkey == NULL)
  942. {
  943. fprintf(stdout,"Modulus=unavailable\n");
  944. goto end;
  945. }
  946. fprintf(stdout,"Modulus=");
  947. #ifndef OPENSSL_NO_RSA
  948. if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
  949. BN_print(out,tpubkey->pkey.rsa->n);
  950. else
  951. #endif
  952. fprintf(stdout,"Wrong Algorithm type");
  953. EVP_PKEY_free(tpubkey);
  954. fprintf(stdout,"\n");
  955. }
  956. if (!noout && !x509)
  957. {
  958. if (outformat == FORMAT_ASN1)
  959. i=i2d_X509_REQ_bio(out,req);
  960. else if (outformat == FORMAT_PEM) {
  961. if(newhdr) i=PEM_write_bio_X509_REQ_NEW(out,req);
  962. else i=PEM_write_bio_X509_REQ(out,req);
  963. } else {
  964. BIO_printf(bio_err,"bad output format specified for outfile\n");
  965. goto end;
  966. }
  967. if (!i)
  968. {
  969. BIO_printf(bio_err,"unable to write X509 request\n");
  970. goto end;
  971. }
  972. }
  973. if (!noout && x509 && (x509ss != NULL))
  974. {
  975. if (outformat == FORMAT_ASN1)
  976. i=i2d_X509_bio(out,x509ss);
  977. else if (outformat == FORMAT_PEM)
  978. i=PEM_write_bio_X509(out,x509ss);
  979. else {
  980. BIO_printf(bio_err,"bad output format specified for outfile\n");
  981. goto end;
  982. }
  983. if (!i)
  984. {
  985. BIO_printf(bio_err,"unable to write X509 certificate\n");
  986. goto end;
  987. }
  988. }
  989. ex=0;
  990. end:
  991. #ifndef MONOLITH
  992. if(to_free)
  993. OPENSSL_free(to_free);
  994. #endif
  995. if (ex)
  996. {
  997. ERR_print_errors(bio_err);
  998. }
  999. if ((req_conf != NULL) && (req_conf != config)) NCONF_free(req_conf);
  1000. BIO_free(in);
  1001. BIO_free_all(out);
  1002. EVP_PKEY_free(pkey);
  1003. if (genctx)
  1004. EVP_PKEY_CTX_free(genctx);
  1005. if (pkeyopts)
  1006. sk_OPENSSL_STRING_free(pkeyopts);
  1007. #ifndef OPENSSL_NO_ENGINE
  1008. if (gen_eng)
  1009. ENGINE_free(gen_eng);
  1010. #endif
  1011. if (keyalgstr)
  1012. OPENSSL_free(keyalgstr);
  1013. X509_REQ_free(req);
  1014. X509_free(x509ss);
  1015. ASN1_INTEGER_free(serial);
  1016. if(passargin && passin) OPENSSL_free(passin);
  1017. if(passargout && passout) OPENSSL_free(passout);
  1018. OBJ_cleanup();
  1019. apps_shutdown();
  1020. OPENSSL_EXIT(ex);
  1021. }
  1022. static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
  1023. int attribs, unsigned long chtype)
  1024. {
  1025. int ret=0,i;
  1026. char no_prompt = 0;
  1027. STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
  1028. char *tmp, *dn_sect,*attr_sect;
  1029. tmp=NCONF_get_string(req_conf,SECTION,PROMPT);
  1030. if (tmp == NULL)
  1031. ERR_clear_error();
  1032. if((tmp != NULL) && !strcmp(tmp, "no")) no_prompt = 1;
  1033. dn_sect=NCONF_get_string(req_conf,SECTION,DISTINGUISHED_NAME);
  1034. if (dn_sect == NULL)
  1035. {
  1036. BIO_printf(bio_err,"unable to find '%s' in config\n",
  1037. DISTINGUISHED_NAME);
  1038. goto err;
  1039. }
  1040. dn_sk=NCONF_get_section(req_conf,dn_sect);
  1041. if (dn_sk == NULL)
  1042. {
  1043. BIO_printf(bio_err,"unable to get '%s' section\n",dn_sect);
  1044. goto err;
  1045. }
  1046. attr_sect=NCONF_get_string(req_conf,SECTION,ATTRIBUTES);
  1047. if (attr_sect == NULL)
  1048. {
  1049. ERR_clear_error();
  1050. attr_sk=NULL;
  1051. }
  1052. else
  1053. {
  1054. attr_sk=NCONF_get_section(req_conf,attr_sect);
  1055. if (attr_sk == NULL)
  1056. {
  1057. BIO_printf(bio_err,"unable to get '%s' section\n",attr_sect);
  1058. goto err;
  1059. }
  1060. }
  1061. /* setup version number */
  1062. if (!X509_REQ_set_version(req,0L)) goto err; /* version 1 */
  1063. if (no_prompt)
  1064. i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
  1065. else
  1066. {
  1067. if (subj)
  1068. i = build_subject(req, subj, chtype, multirdn);
  1069. else
  1070. i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype);
  1071. }
  1072. if(!i) goto err;
  1073. if (!X509_REQ_set_pubkey(req,pkey)) goto err;
  1074. ret=1;
  1075. err:
  1076. return(ret);
  1077. }
  1078. /*
  1079. * subject is expected to be in the format /type0=value0/type1=value1/type2=...
  1080. * where characters may be escaped by \
  1081. */
  1082. static int build_subject(X509_REQ *req, char *subject, unsigned long chtype, int multirdn)
  1083. {
  1084. X509_NAME *n;
  1085. if (!(n = parse_name(subject, chtype, multirdn)))
  1086. return 0;
  1087. if (!X509_REQ_set_subject_name(req, n))
  1088. {
  1089. X509_NAME_free(n);
  1090. return 0;
  1091. }
  1092. X509_NAME_free(n);
  1093. return 1;
  1094. }
  1095. static int prompt_info(X509_REQ *req,
  1096. STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
  1097. STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs,
  1098. unsigned long chtype)
  1099. {
  1100. int i;
  1101. char *p,*q;
  1102. char buf[100];
  1103. int nid, mval;
  1104. long n_min,n_max;
  1105. char *type, *value;
  1106. const char *def;
  1107. CONF_VALUE *v;
  1108. X509_NAME *subj;
  1109. subj = X509_REQ_get_subject_name(req);
  1110. if(!batch)
  1111. {
  1112. BIO_printf(bio_err,"You are about to be asked to enter information that will be incorporated\n");
  1113. BIO_printf(bio_err,"into your certificate request.\n");
  1114. BIO_printf(bio_err,"What you are about to enter is what is called a Distinguished Name or a DN.\n");
  1115. BIO_printf(bio_err,"There are quite a few fields but you can leave some blank\n");
  1116. BIO_printf(bio_err,"For some fields there will be a default value,\n");
  1117. BIO_printf(bio_err,"If you enter '.', the field will be left blank.\n");
  1118. BIO_printf(bio_err,"-----\n");
  1119. }
  1120. if (sk_CONF_VALUE_num(dn_sk))
  1121. {
  1122. i= -1;
  1123. start: for (;;)
  1124. {
  1125. i++;
  1126. if (sk_CONF_VALUE_num(dn_sk) <= i) break;
  1127. v=sk_CONF_VALUE_value(dn_sk,i);
  1128. p=q=NULL;
  1129. type=v->name;
  1130. if(!check_end(type,"_min") || !check_end(type,"_max") ||
  1131. !check_end(type,"_default") ||
  1132. !check_end(type,"_value")) continue;
  1133. /* Skip past any leading X. X: X, etc to allow for
  1134. * multiple instances
  1135. */
  1136. for(p = v->name; *p ; p++)
  1137. if ((*p == ':') || (*p == ',') ||
  1138. (*p == '.')) {
  1139. p++;
  1140. if(*p) type = p;
  1141. break;
  1142. }
  1143. if (*type == '+')
  1144. {
  1145. mval = -1;
  1146. type++;
  1147. }
  1148. else
  1149. mval = 0;
  1150. /* If OBJ not recognised ignore it */
  1151. if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
  1152. if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name)
  1153. >= (int)sizeof(buf))
  1154. {
  1155. BIO_printf(bio_err,"Name '%s' too long\n",v->name);
  1156. return 0;
  1157. }
  1158. if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
  1159. {
  1160. ERR_clear_error();
  1161. def="";
  1162. }
  1163. BIO_snprintf(buf,sizeof buf,"%s_value",v->name);
  1164. if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
  1165. {
  1166. ERR_clear_error();
  1167. value=NULL;
  1168. }
  1169. BIO_snprintf(buf,sizeof buf,"%s_min",v->name);
  1170. if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min))
  1171. {
  1172. ERR_clear_error();
  1173. n_min = -1;
  1174. }
  1175. BIO_snprintf(buf,sizeof buf,"%s_max",v->name);
  1176. if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max))
  1177. {
  1178. ERR_clear_error();
  1179. n_max = -1;
  1180. }
  1181. if (!add_DN_object(subj,v->value,def,value,nid,
  1182. n_min,n_max, chtype, mval))
  1183. return 0;
  1184. }
  1185. if (X509_NAME_entry_count(subj) == 0)
  1186. {
  1187. BIO_printf(bio_err,"error, no objects specified in config file\n");
  1188. return 0;
  1189. }
  1190. if (attribs)
  1191. {
  1192. if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) && (!batch))
  1193. {
  1194. BIO_printf(bio_err,"\nPlease enter the following 'extra' attributes\n");
  1195. BIO_printf(bio_err,"to be sent with your certificate request\n");
  1196. }
  1197. i= -1;
  1198. start2: for (;;)
  1199. {
  1200. i++;
  1201. if ((attr_sk == NULL) ||
  1202. (sk_CONF_VALUE_num(attr_sk) <= i))
  1203. break;
  1204. v=sk_CONF_VALUE_value(attr_sk,i);
  1205. type=v->name;
  1206. if ((nid=OBJ_txt2nid(type)) == NID_undef)
  1207. goto start2;
  1208. if (BIO_snprintf(buf,sizeof buf,"%s_default",type)
  1209. >= (int)sizeof(buf))
  1210. {
  1211. BIO_printf(bio_err,"Name '%s' too long\n",v->name);
  1212. return 0;
  1213. }
  1214. if ((def=NCONF_get_string(req_conf,attr_sect,buf))
  1215. == NULL)
  1216. {
  1217. ERR_clear_error();
  1218. def="";
  1219. }
  1220. BIO_snprintf(buf,sizeof buf,"%s_value",type);
  1221. if ((value=NCONF_get_string(req_conf,attr_sect,buf))
  1222. == NULL)
  1223. {
  1224. ERR_clear_error();
  1225. value=NULL;
  1226. }
  1227. BIO_snprintf(buf,sizeof buf,"%s_min",type);
  1228. if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
  1229. n_min = -1;
  1230. BIO_snprintf(buf,sizeof buf,"%s_max",type);
  1231. if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
  1232. n_max = -1;
  1233. if (!add_attribute_object(req,
  1234. v->value,def,value,nid,n_min,n_max, chtype))
  1235. return 0;
  1236. }
  1237. }
  1238. }
  1239. else
  1240. {
  1241. BIO_printf(bio_err,"No template, please set one up.\n");
  1242. return 0;
  1243. }
  1244. return 1;
  1245. }
  1246. static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
  1247. STACK_OF(CONF_VALUE) *attr_sk, int attribs, unsigned long chtype)
  1248. {
  1249. int i;
  1250. char *p,*q;
  1251. char *type;
  1252. CONF_VALUE *v;
  1253. X509_NAME *subj;
  1254. subj = X509_REQ_get_subject_name(req);
  1255. for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
  1256. {
  1257. int mval;
  1258. v=sk_CONF_VALUE_value(dn_sk,i);
  1259. p=q=NULL;
  1260. type=v->name;
  1261. /* Skip past any leading X. X: X, etc to allow for
  1262. * multiple instances
  1263. */
  1264. for(p = v->name; *p ; p++)
  1265. #ifndef CHARSET_EBCDIC
  1266. if ((*p == ':') || (*p == ',') || (*p == '.')) {
  1267. #else
  1268. if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) {
  1269. #endif
  1270. p++;
  1271. if(*p) type = p;
  1272. break;
  1273. }
  1274. #ifndef CHARSET_EBCDIC
  1275. if (*p == '+')
  1276. #else
  1277. if (*p == os_toascii['+'])
  1278. #endif
  1279. {
  1280. p++;
  1281. mval = -1;
  1282. }
  1283. else
  1284. mval = 0;
  1285. if (!X509_NAME_add_entry_by_txt(subj,type, chtype,
  1286. (unsigned char *) v->value,-1,-1,mval)) return 0;
  1287. }
  1288. if (!X509_NAME_entry_count(subj))
  1289. {
  1290. BIO_printf(bio_err,"error, no objects specified in config file\n");
  1291. return 0;
  1292. }
  1293. if (attribs)
  1294. {
  1295. for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++)
  1296. {
  1297. v=sk_CONF_VALUE_value(attr_sk,i);
  1298. if(!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
  1299. (unsigned char *)v->value, -1)) return 0;
  1300. }
  1301. }
  1302. return 1;
  1303. }
  1304. static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,
  1305. int nid, int n_min, int n_max, unsigned long chtype, int mval)
  1306. {
  1307. int i,ret=0;
  1308. MS_STATIC char buf[1024];
  1309. start:
  1310. if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def);
  1311. (void)BIO_flush(bio_err);
  1312. if(value != NULL)
  1313. {
  1314. BUF_strlcpy(buf,value,sizeof buf);
  1315. BUF_strlcat(buf,"\n",sizeof buf);
  1316. BIO_printf(bio_err,"%s\n",value);
  1317. }
  1318. else
  1319. {
  1320. buf[0]='\0';
  1321. if (!batch)
  1322. {
  1323. fgets(buf,sizeof buf,stdin);
  1324. }
  1325. else
  1326. {
  1327. buf[0] = '\n';
  1328. buf[1] = '\0';
  1329. }
  1330. }
  1331. if (buf[0] == '\0') return(0);
  1332. else if (buf[0] == '\n')
  1333. {
  1334. if ((def == NULL) || (def[0] == '\0'))
  1335. return(1);
  1336. BUF_strlcpy(buf,def,sizeof buf);
  1337. BUF_strlcat(buf,"\n",sizeof buf);
  1338. }
  1339. else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
  1340. i=strlen(buf);
  1341. if (buf[i-1] != '\n')
  1342. {
  1343. BIO_printf(bio_err,"weird input :-(\n");
  1344. return(0);
  1345. }
  1346. buf[--i]='\0';
  1347. #ifdef CHARSET_EBCDIC
  1348. ebcdic2ascii(buf, buf, i);
  1349. #endif
  1350. if(!req_check_len(i, n_min, n_max)) goto start;
  1351. if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
  1352. (unsigned char *) buf, -1,-1,mval)) goto err;
  1353. ret=1;
  1354. err:
  1355. return(ret);
  1356. }
  1357. static int add_attribute_object(X509_REQ *req, char *text, const char *def,
  1358. char *value, int nid, int n_min,
  1359. int n_max, unsigned long chtype)
  1360. {
  1361. int i;
  1362. static char buf[1024];
  1363. start:
  1364. if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def);
  1365. (void)BIO_flush(bio_err);
  1366. if (value != NULL)
  1367. {
  1368. BUF_strlcpy(buf,value,sizeof buf);
  1369. BUF_strlcat(buf,"\n",sizeof buf);
  1370. BIO_printf(bio_err,"%s\n",value);
  1371. }
  1372. else
  1373. {
  1374. buf[0]='\0';
  1375. if (!batch)
  1376. {
  1377. fgets(buf,sizeof buf,stdin);
  1378. }
  1379. else
  1380. {
  1381. buf[0] = '\n';
  1382. buf[1] = '\0';
  1383. }
  1384. }
  1385. if (buf[0] == '\0') return(0);
  1386. else if (buf[0] == '\n')
  1387. {
  1388. if ((def == NULL) || (def[0] == '\0'))
  1389. return(1);
  1390. BUF_strlcpy(buf,def,sizeof buf);
  1391. BUF_strlcat(buf,"\n",sizeof buf);
  1392. }
  1393. else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
  1394. i=strlen(buf);
  1395. if (buf[i-1] != '\n')
  1396. {
  1397. BIO_printf(bio_err,"weird input :-(\n");
  1398. return(0);
  1399. }
  1400. buf[--i]='\0';
  1401. #ifdef CHARSET_EBCDIC
  1402. ebcdic2ascii(buf, buf, i);
  1403. #endif
  1404. if(!req_check_len(i, n_min, n_max)) goto start;
  1405. if(!X509_REQ_add1_attr_by_NID(req, nid, chtype,
  1406. (unsigned char *)buf, -1)) {
  1407. BIO_printf(bio_err, "Error adding attribute\n");
  1408. ERR_print_errors(bio_err);
  1409. goto err;
  1410. }
  1411. return(1);
  1412. err:
  1413. return(0);
  1414. }
  1415. static int req_check_len(int len, int n_min, int n_max)
  1416. {
  1417. if ((n_min > 0) && (len < n_min))
  1418. {
  1419. BIO_printf(bio_err,"string is too short, it needs to be at least %d bytes long\n",n_min);
  1420. return(0);
  1421. }
  1422. if ((n_max >= 0) && (len > n_max))
  1423. {
  1424. BIO_printf(bio_err,"string is too long, it needs to be less than %d bytes long\n",n_max);
  1425. return(0);
  1426. }
  1427. return(1);
  1428. }
  1429. /* Check if the end of a string matches 'end' */
  1430. static int check_end(const char *str, const char *end)
  1431. {
  1432. int elen, slen;
  1433. const char *tmp;
  1434. elen = strlen(end);
  1435. slen = strlen(str);
  1436. if(elen > slen) return 1;
  1437. tmp = str + slen - elen;
  1438. return strcmp(tmp, end);
  1439. }
  1440. static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
  1441. long *pkeylen, char **palgnam,
  1442. ENGINE *keygen_engine)
  1443. {
  1444. EVP_PKEY_CTX *gctx = NULL;
  1445. EVP_PKEY *param = NULL;
  1446. long keylen = -1;
  1447. BIO *pbio = NULL;
  1448. const char *paramfile = NULL;
  1449. if (gstr == NULL)
  1450. {
  1451. *pkey_type = EVP_PKEY_RSA;
  1452. keylen = *pkeylen;
  1453. }
  1454. else if (gstr[0] >= '0' && gstr[0] <= '9')
  1455. {
  1456. *pkey_type = EVP_PKEY_RSA;
  1457. keylen = atol(gstr);
  1458. *pkeylen = keylen;
  1459. }
  1460. else if (!strncmp(gstr, "param:", 6))
  1461. paramfile = gstr + 6;
  1462. else
  1463. {
  1464. const char *p = strchr(gstr, ':');
  1465. int len;
  1466. ENGINE *tmpeng;
  1467. const EVP_PKEY_ASN1_METHOD *ameth;
  1468. if (p)
  1469. len = p - gstr;
  1470. else
  1471. len = strlen(gstr);
  1472. /* The lookup of a the string will cover all engines so
  1473. * keep a note of the implementation.
  1474. */
  1475. ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
  1476. if (!ameth)
  1477. {
  1478. BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr);
  1479. return NULL;
  1480. }
  1481. EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL,
  1482. ameth);
  1483. #ifndef OPENSSL_NO_ENGINE
  1484. if (tmpeng)
  1485. ENGINE_finish(tmpeng);
  1486. #endif
  1487. if (*pkey_type == EVP_PKEY_RSA)
  1488. {
  1489. if (p)
  1490. {
  1491. keylen = atol(p + 1);
  1492. *pkeylen = keylen;
  1493. }
  1494. }
  1495. else if (p)
  1496. paramfile = p + 1;
  1497. }
  1498. if (paramfile)
  1499. {
  1500. pbio = BIO_new_file(paramfile, "r");
  1501. if (!pbio)
  1502. {
  1503. BIO_printf(err, "Can't open parameter file %s\n",
  1504. paramfile);
  1505. return NULL;
  1506. }
  1507. param = PEM_read_bio_Parameters(pbio, NULL);
  1508. if (!param)
  1509. {
  1510. X509 *x;
  1511. (void)BIO_reset(pbio);
  1512. x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
  1513. if (x)
  1514. {
  1515. param = X509_get_pubkey(x);
  1516. X509_free(x);
  1517. }
  1518. }
  1519. BIO_free(pbio);
  1520. if (!param)
  1521. {
  1522. BIO_printf(err, "Error reading parameter file %s\n",
  1523. paramfile);
  1524. return NULL;
  1525. }
  1526. if (*pkey_type == -1)
  1527. *pkey_type = EVP_PKEY_id(param);
  1528. else if (*pkey_type != EVP_PKEY_base_id(param))
  1529. {
  1530. BIO_printf(err, "Key Type does not match parameters\n");
  1531. EVP_PKEY_free(param);
  1532. return NULL;
  1533. }
  1534. }
  1535. if (palgnam)
  1536. {
  1537. const EVP_PKEY_ASN1_METHOD *ameth;
  1538. ENGINE *tmpeng;
  1539. const char *anam;
  1540. ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
  1541. if (!ameth)
  1542. {
  1543. BIO_puts(err, "Internal error: can't find key algorithm\n");
  1544. return NULL;
  1545. }
  1546. EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
  1547. *palgnam = BUF_strdup(anam);
  1548. #ifndef OPENSSL_NO_ENGINE
  1549. if (tmpeng)
  1550. ENGINE_finish(tmpeng);
  1551. #endif
  1552. }
  1553. if (param)
  1554. {
  1555. gctx = EVP_PKEY_CTX_new(param, keygen_engine);
  1556. *pkeylen = EVP_PKEY_bits(param);
  1557. EVP_PKEY_free(param);
  1558. }
  1559. else
  1560. gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
  1561. if (!gctx)
  1562. {
  1563. BIO_puts(err, "Error allocating keygen context\n");
  1564. ERR_print_errors(err);
  1565. return NULL;
  1566. }
  1567. if (EVP_PKEY_keygen_init(gctx) <= 0)
  1568. {
  1569. BIO_puts(err, "Error initializing keygen context\n");
  1570. ERR_print_errors(err);
  1571. return NULL;
  1572. }
  1573. #ifndef OPENSSL_NO_RSA
  1574. if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1))
  1575. {
  1576. if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0)
  1577. {
  1578. BIO_puts(err, "Error setting RSA keysize\n");
  1579. ERR_print_errors(err);
  1580. EVP_PKEY_CTX_free(gctx);
  1581. return NULL;
  1582. }
  1583. }
  1584. #endif
  1585. return gctx;
  1586. }
  1587. static int genpkey_cb(EVP_PKEY_CTX *ctx)
  1588. {
  1589. char c='*';
  1590. BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
  1591. int p;
  1592. p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
  1593. if (p == 0) c='.';
  1594. if (p == 1) c='+';
  1595. if (p == 2) c='*';
  1596. if (p == 3) c='\n';
  1597. BIO_write(b,&c,1);
  1598. (void)BIO_flush(b);
  1599. #ifdef LINT
  1600. p=n;
  1601. #endif
  1602. return 1;
  1603. }