req.c 55 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731
  1. /* apps/req.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /*
  59. * Until the key-gen callbacks are modified to use newer prototypes, we allow
  60. * deprecated functions for openssl-internal code
  61. */
  62. #ifdef OPENSSL_NO_DEPRECATED
  63. # undef OPENSSL_NO_DEPRECATED
  64. #endif
  65. #include <stdio.h>
  66. #include <stdlib.h>
  67. #include <time.h>
  68. #include <string.h>
  69. #ifdef OPENSSL_NO_STDIO
  70. # define APPS_WIN16
  71. #endif
  72. #include "apps.h"
  73. #include <openssl/bio.h>
  74. #include <openssl/evp.h>
  75. #include <openssl/conf.h>
  76. #include <openssl/err.h>
  77. #include <openssl/asn1.h>
  78. #include <openssl/x509.h>
  79. #include <openssl/x509v3.h>
  80. #include <openssl/objects.h>
  81. #include <openssl/pem.h>
  82. #include <openssl/bn.h>
  83. #ifndef OPENSSL_NO_RSA
  84. # include <openssl/rsa.h>
  85. #endif
  86. #ifndef OPENSSL_NO_DSA
  87. # include <openssl/dsa.h>
  88. #endif
  89. #define SECTION "req"
  90. #define BITS "default_bits"
  91. #define KEYFILE "default_keyfile"
  92. #define PROMPT "prompt"
  93. #define DISTINGUISHED_NAME "distinguished_name"
  94. #define ATTRIBUTES "attributes"
  95. #define V3_EXTENSIONS "x509_extensions"
  96. #define REQ_EXTENSIONS "req_extensions"
  97. #define STRING_MASK "string_mask"
  98. #define UTF8_IN "utf8"
  99. #define DEFAULT_KEY_LENGTH 2048
  100. #define MIN_KEY_LENGTH 512
  101. #undef PROG
  102. #define PROG req_main
  103. /*-
  104. * -inform arg - input format - default PEM (DER or PEM)
  105. * -outform arg - output format - default PEM
  106. * -in arg - input file - default stdin
  107. * -out arg - output file - default stdout
  108. * -verify - check request signature
  109. * -noout - don't print stuff out.
  110. * -text - print out human readable text.
  111. * -nodes - no des encryption
  112. * -config file - Load configuration file.
  113. * -key file - make a request using key in file (or use it for verification).
  114. * -keyform arg - key file format.
  115. * -rand file(s) - load the file(s) into the PRNG.
  116. * -newkey - make a key and a request.
  117. * -modulus - print RSA modulus.
  118. * -pubkey - output Public Key.
  119. * -x509 - output a self signed X509 structure instead.
  120. * -asn1-kludge - output new certificate request in a format that some CA's
  121. * require. This format is wrong
  122. */
  123. static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
  124. int attribs, unsigned long chtype);
  125. static int build_subject(X509_REQ *req, char *subj, unsigned long chtype,
  126. int multirdn);
  127. static int prompt_info(X509_REQ *req,
  128. STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
  129. STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect,
  130. int attribs, unsigned long chtype);
  131. static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
  132. STACK_OF(CONF_VALUE) *attr, int attribs,
  133. unsigned long chtype);
  134. static int add_attribute_object(X509_REQ *req, char *text, const char *def,
  135. char *value, int nid, int n_min, int n_max,
  136. unsigned long chtype);
  137. static int add_DN_object(X509_NAME *n, char *text, const char *def,
  138. char *value, int nid, int n_min, int n_max,
  139. unsigned long chtype, int mval);
  140. static int genpkey_cb(EVP_PKEY_CTX *ctx);
  141. static int req_check_len(int len, int n_min, int n_max);
  142. static int check_end(const char *str, const char *end);
  143. static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr,
  144. int *pkey_type, long *pkeylen,
  145. char **palgnam, ENGINE *keygen_engine);
  146. #ifndef MONOLITH
  147. static char *default_config_file = NULL;
  148. #endif
  149. static CONF *req_conf = NULL;
  150. static int batch = 0;
  151. int MAIN(int, char **);
  152. int MAIN(int argc, char **argv)
  153. {
  154. ENGINE *e = NULL, *gen_eng = NULL;
  155. unsigned long nmflag = 0, reqflag = 0;
  156. int ex = 1, x509 = 0, days = 30;
  157. X509 *x509ss = NULL;
  158. X509_REQ *req = NULL;
  159. EVP_PKEY_CTX *genctx = NULL;
  160. const char *keyalg = NULL;
  161. char *keyalgstr = NULL;
  162. STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
  163. EVP_PKEY *pkey = NULL;
  164. int i = 0, badops = 0, newreq = 0, verbose = 0, pkey_type = -1;
  165. long newkey = -1;
  166. BIO *in = NULL, *out = NULL;
  167. int informat, outformat, verify = 0, noout = 0, text = 0, keyform =
  168. FORMAT_PEM;
  169. int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
  170. char *infile, *outfile, *prog, *keyfile = NULL, *template =
  171. NULL, *keyout = NULL;
  172. char *engine = NULL;
  173. char *extensions = NULL;
  174. char *req_exts = NULL;
  175. const EVP_CIPHER *cipher = NULL;
  176. ASN1_INTEGER *serial = NULL;
  177. int modulus = 0;
  178. char *inrand = NULL;
  179. char *passargin = NULL, *passargout = NULL;
  180. char *passin = NULL, *passout = NULL;
  181. char *p;
  182. char *subj = NULL;
  183. int multirdn = 0;
  184. const EVP_MD *md_alg = NULL, *digest = NULL;
  185. unsigned long chtype = MBSTRING_ASC;
  186. #ifndef MONOLITH
  187. char *to_free;
  188. long errline;
  189. #endif
  190. req_conf = NULL;
  191. #ifndef OPENSSL_NO_DES
  192. cipher = EVP_des_ede3_cbc();
  193. #endif
  194. apps_startup();
  195. if (bio_err == NULL)
  196. if ((bio_err = BIO_new(BIO_s_file())) != NULL)
  197. BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  198. infile = NULL;
  199. outfile = NULL;
  200. informat = FORMAT_PEM;
  201. outformat = FORMAT_PEM;
  202. prog = argv[0];
  203. argc--;
  204. argv++;
  205. while (argc >= 1) {
  206. if (strcmp(*argv, "-inform") == 0) {
  207. if (--argc < 1)
  208. goto bad;
  209. informat = str2fmt(*(++argv));
  210. } else if (strcmp(*argv, "-outform") == 0) {
  211. if (--argc < 1)
  212. goto bad;
  213. outformat = str2fmt(*(++argv));
  214. }
  215. #ifndef OPENSSL_NO_ENGINE
  216. else if (strcmp(*argv, "-engine") == 0) {
  217. if (--argc < 1)
  218. goto bad;
  219. engine = *(++argv);
  220. } else if (strcmp(*argv, "-keygen_engine") == 0) {
  221. if (--argc < 1)
  222. goto bad;
  223. gen_eng = ENGINE_by_id(*(++argv));
  224. if (gen_eng == NULL) {
  225. BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
  226. goto end;
  227. }
  228. }
  229. #endif
  230. else if (strcmp(*argv, "-key") == 0) {
  231. if (--argc < 1)
  232. goto bad;
  233. keyfile = *(++argv);
  234. } else if (strcmp(*argv, "-pubkey") == 0) {
  235. pubkey = 1;
  236. } else if (strcmp(*argv, "-new") == 0) {
  237. newreq = 1;
  238. } else if (strcmp(*argv, "-config") == 0) {
  239. if (--argc < 1)
  240. goto bad;
  241. template = *(++argv);
  242. } else if (strcmp(*argv, "-keyform") == 0) {
  243. if (--argc < 1)
  244. goto bad;
  245. keyform = str2fmt(*(++argv));
  246. } else if (strcmp(*argv, "-in") == 0) {
  247. if (--argc < 1)
  248. goto bad;
  249. infile = *(++argv);
  250. } else if (strcmp(*argv, "-out") == 0) {
  251. if (--argc < 1)
  252. goto bad;
  253. outfile = *(++argv);
  254. } else if (strcmp(*argv, "-keyout") == 0) {
  255. if (--argc < 1)
  256. goto bad;
  257. keyout = *(++argv);
  258. } else if (strcmp(*argv, "-passin") == 0) {
  259. if (--argc < 1)
  260. goto bad;
  261. passargin = *(++argv);
  262. } else if (strcmp(*argv, "-passout") == 0) {
  263. if (--argc < 1)
  264. goto bad;
  265. passargout = *(++argv);
  266. } else if (strcmp(*argv, "-rand") == 0) {
  267. if (--argc < 1)
  268. goto bad;
  269. inrand = *(++argv);
  270. } else if (strcmp(*argv, "-newkey") == 0) {
  271. if (--argc < 1)
  272. goto bad;
  273. keyalg = *(++argv);
  274. newreq = 1;
  275. } else if (strcmp(*argv, "-pkeyopt") == 0) {
  276. if (--argc < 1)
  277. goto bad;
  278. if (!pkeyopts)
  279. pkeyopts = sk_OPENSSL_STRING_new_null();
  280. if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv)))
  281. goto bad;
  282. } else if (strcmp(*argv, "-sigopt") == 0) {
  283. if (--argc < 1)
  284. goto bad;
  285. if (!sigopts)
  286. sigopts = sk_OPENSSL_STRING_new_null();
  287. if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
  288. goto bad;
  289. } else if (strcmp(*argv, "-batch") == 0)
  290. batch = 1;
  291. else if (strcmp(*argv, "-newhdr") == 0)
  292. newhdr = 1;
  293. else if (strcmp(*argv, "-modulus") == 0)
  294. modulus = 1;
  295. else if (strcmp(*argv, "-verify") == 0)
  296. verify = 1;
  297. else if (strcmp(*argv, "-nodes") == 0)
  298. nodes = 1;
  299. else if (strcmp(*argv, "-noout") == 0)
  300. noout = 1;
  301. else if (strcmp(*argv, "-verbose") == 0)
  302. verbose = 1;
  303. else if (strcmp(*argv, "-utf8") == 0)
  304. chtype = MBSTRING_UTF8;
  305. else if (strcmp(*argv, "-nameopt") == 0) {
  306. if (--argc < 1)
  307. goto bad;
  308. if (!set_name_ex(&nmflag, *(++argv)))
  309. goto bad;
  310. } else if (strcmp(*argv, "-reqopt") == 0) {
  311. if (--argc < 1)
  312. goto bad;
  313. if (!set_cert_ex(&reqflag, *(++argv)))
  314. goto bad;
  315. } else if (strcmp(*argv, "-subject") == 0)
  316. subject = 1;
  317. else if (strcmp(*argv, "-text") == 0)
  318. text = 1;
  319. else if (strcmp(*argv, "-x509") == 0) {
  320. x509 = 1;
  321. } else if (strcmp(*argv, "-asn1-kludge") == 0)
  322. kludge = 1;
  323. else if (strcmp(*argv, "-no-asn1-kludge") == 0)
  324. kludge = 0;
  325. else if (strcmp(*argv, "-subj") == 0) {
  326. if (--argc < 1)
  327. goto bad;
  328. subj = *(++argv);
  329. } else if (strcmp(*argv, "-multivalue-rdn") == 0)
  330. multirdn = 1;
  331. else if (strcmp(*argv, "-days") == 0) {
  332. if (--argc < 1)
  333. goto bad;
  334. days = atoi(*(++argv));
  335. if (days == 0)
  336. days = 30;
  337. } else if (strcmp(*argv, "-set_serial") == 0) {
  338. if (--argc < 1)
  339. goto bad;
  340. serial = s2i_ASN1_INTEGER(NULL, *(++argv));
  341. if (!serial)
  342. goto bad;
  343. } else if (strcmp(*argv, "-extensions") == 0) {
  344. if (--argc < 1)
  345. goto bad;
  346. extensions = *(++argv);
  347. } else if (strcmp(*argv, "-reqexts") == 0) {
  348. if (--argc < 1)
  349. goto bad;
  350. req_exts = *(++argv);
  351. } else if ((md_alg = EVP_get_digestbyname(&((*argv)[1]))) != NULL) {
  352. /* ok */
  353. digest = md_alg;
  354. } else {
  355. BIO_printf(bio_err, "unknown option %s\n", *argv);
  356. badops = 1;
  357. break;
  358. }
  359. argc--;
  360. argv++;
  361. }
  362. if (badops) {
  363. bad:
  364. BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
  365. BIO_printf(bio_err, "where options are\n");
  366. BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
  367. BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
  368. BIO_printf(bio_err, " -in arg input file\n");
  369. BIO_printf(bio_err, " -out arg output file\n");
  370. BIO_printf(bio_err, " -text text form of request\n");
  371. BIO_printf(bio_err, " -pubkey output public key\n");
  372. BIO_printf(bio_err, " -noout do not output REQ\n");
  373. BIO_printf(bio_err, " -verify verify signature on REQ\n");
  374. BIO_printf(bio_err, " -modulus RSA modulus\n");
  375. BIO_printf(bio_err, " -nodes don't encrypt the output key\n");
  376. #ifndef OPENSSL_NO_ENGINE
  377. BIO_printf(bio_err,
  378. " -engine e use engine e, possibly a hardware device\n");
  379. #endif
  380. BIO_printf(bio_err, " -subject output the request's subject\n");
  381. BIO_printf(bio_err, " -passin private key password source\n");
  382. BIO_printf(bio_err,
  383. " -key file use the private key contained in file\n");
  384. BIO_printf(bio_err, " -keyform arg key file format\n");
  385. BIO_printf(bio_err, " -keyout arg file to send the key to\n");
  386. BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
  387. LIST_SEPARATOR_CHAR);
  388. BIO_printf(bio_err,
  389. " load the file (or the files in the directory) into\n");
  390. BIO_printf(bio_err, " the random number generator\n");
  391. BIO_printf(bio_err,
  392. " -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
  393. BIO_printf(bio_err,
  394. " -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
  395. #ifndef OPENSSL_NO_ECDSA
  396. BIO_printf(bio_err,
  397. " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
  398. #endif
  399. BIO_printf(bio_err,
  400. " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
  401. BIO_printf(bio_err, " -config file request template file.\n");
  402. BIO_printf(bio_err,
  403. " -subj arg set or modify request subject\n");
  404. BIO_printf(bio_err,
  405. " -multivalue-rdn enable support for multivalued RDNs\n");
  406. BIO_printf(bio_err, " -new new request.\n");
  407. BIO_printf(bio_err,
  408. " -batch do not ask anything during request generation\n");
  409. BIO_printf(bio_err,
  410. " -x509 output a x509 structure instead of a cert. req.\n");
  411. BIO_printf(bio_err,
  412. " -days number of days a certificate generated by -x509 is valid for.\n");
  413. BIO_printf(bio_err,
  414. " -set_serial serial number to use for a certificate generated by -x509.\n");
  415. BIO_printf(bio_err,
  416. " -newhdr output \"NEW\" in the header lines\n");
  417. BIO_printf(bio_err,
  418. " -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n");
  419. BIO_printf(bio_err,
  420. " have been reported as requiring\n");
  421. BIO_printf(bio_err,
  422. " -extensions .. specify certificate extension section (override value in config file)\n");
  423. BIO_printf(bio_err,
  424. " -reqexts .. specify request extension section (override value in config file)\n");
  425. BIO_printf(bio_err,
  426. " -utf8 input characters are UTF8 (default ASCII)\n");
  427. BIO_printf(bio_err,
  428. " -nameopt arg - various certificate name options\n");
  429. BIO_printf(bio_err,
  430. " -reqopt arg - various request text options\n\n");
  431. goto end;
  432. }
  433. if (x509 && infile == NULL)
  434. newreq = 1;
  435. ERR_load_crypto_strings();
  436. if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
  437. BIO_printf(bio_err, "Error getting passwords\n");
  438. goto end;
  439. }
  440. #ifndef MONOLITH /* else this has happened in openssl.c
  441. * (global `config') */
  442. /* Lets load up our environment a little */
  443. p = getenv("OPENSSL_CONF");
  444. if (p == NULL)
  445. p = getenv("SSLEAY_CONF");
  446. if (p == NULL)
  447. p = to_free = make_config_name();
  448. default_config_file = p;
  449. config = NCONF_new(NULL);
  450. i = NCONF_load(config, p, &errline);
  451. #endif
  452. if (template != NULL) {
  453. long errline = -1;
  454. if (verbose)
  455. BIO_printf(bio_err, "Using configuration from %s\n", template);
  456. req_conf = NCONF_new(NULL);
  457. i = NCONF_load(req_conf, template, &errline);
  458. if (i == 0) {
  459. BIO_printf(bio_err, "error on line %ld of %s\n", errline,
  460. template);
  461. goto end;
  462. }
  463. } else {
  464. req_conf = config;
  465. if (req_conf == NULL) {
  466. BIO_printf(bio_err, "Unable to load config info from %s\n",
  467. default_config_file);
  468. if (newreq)
  469. goto end;
  470. } else if (verbose)
  471. BIO_printf(bio_err, "Using configuration from %s\n",
  472. default_config_file);
  473. }
  474. if (req_conf != NULL) {
  475. if (!load_config(bio_err, req_conf))
  476. goto end;
  477. p = NCONF_get_string(req_conf, NULL, "oid_file");
  478. if (p == NULL)
  479. ERR_clear_error();
  480. if (p != NULL) {
  481. BIO *oid_bio;
  482. oid_bio = BIO_new_file(p, "r");
  483. if (oid_bio == NULL) {
  484. /*-
  485. BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
  486. ERR_print_errors(bio_err);
  487. */
  488. } else {
  489. OBJ_create_objects(oid_bio);
  490. BIO_free(oid_bio);
  491. }
  492. }
  493. }
  494. if (!add_oid_section(bio_err, req_conf))
  495. goto end;
  496. if (md_alg == NULL) {
  497. p = NCONF_get_string(req_conf, SECTION, "default_md");
  498. if (p == NULL)
  499. ERR_clear_error();
  500. if (p != NULL) {
  501. if ((md_alg = EVP_get_digestbyname(p)) != NULL)
  502. digest = md_alg;
  503. }
  504. }
  505. if (!extensions) {
  506. extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
  507. if (!extensions)
  508. ERR_clear_error();
  509. }
  510. if (extensions) {
  511. /* Check syntax of file */
  512. X509V3_CTX ctx;
  513. X509V3_set_ctx_test(&ctx);
  514. X509V3_set_nconf(&ctx, req_conf);
  515. if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
  516. BIO_printf(bio_err,
  517. "Error Loading extension section %s\n", extensions);
  518. goto end;
  519. }
  520. }
  521. if (!passin) {
  522. passin = NCONF_get_string(req_conf, SECTION, "input_password");
  523. if (!passin)
  524. ERR_clear_error();
  525. }
  526. if (!passout) {
  527. passout = NCONF_get_string(req_conf, SECTION, "output_password");
  528. if (!passout)
  529. ERR_clear_error();
  530. }
  531. p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
  532. if (!p)
  533. ERR_clear_error();
  534. if (p && !ASN1_STRING_set_default_mask_asc(p)) {
  535. BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
  536. goto end;
  537. }
  538. if (chtype != MBSTRING_UTF8) {
  539. p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
  540. if (!p)
  541. ERR_clear_error();
  542. else if (!strcmp(p, "yes"))
  543. chtype = MBSTRING_UTF8;
  544. }
  545. if (!req_exts) {
  546. req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
  547. if (!req_exts)
  548. ERR_clear_error();
  549. }
  550. if (req_exts) {
  551. /* Check syntax of file */
  552. X509V3_CTX ctx;
  553. X509V3_set_ctx_test(&ctx);
  554. X509V3_set_nconf(&ctx, req_conf);
  555. if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
  556. BIO_printf(bio_err,
  557. "Error Loading request extension section %s\n",
  558. req_exts);
  559. goto end;
  560. }
  561. }
  562. in = BIO_new(BIO_s_file());
  563. out = BIO_new(BIO_s_file());
  564. if ((in == NULL) || (out == NULL))
  565. goto end;
  566. e = setup_engine(bio_err, engine, 0);
  567. if (keyfile != NULL) {
  568. pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
  569. "Private Key");
  570. if (!pkey) {
  571. /*
  572. * load_key() has already printed an appropriate message
  573. */
  574. goto end;
  575. } else {
  576. char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
  577. if (randfile == NULL)
  578. ERR_clear_error();
  579. app_RAND_load_file(randfile, bio_err, 0);
  580. }
  581. }
  582. if (newreq && (pkey == NULL)) {
  583. char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
  584. if (randfile == NULL)
  585. ERR_clear_error();
  586. app_RAND_load_file(randfile, bio_err, 0);
  587. if (inrand)
  588. app_RAND_load_files(inrand);
  589. if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
  590. newkey = DEFAULT_KEY_LENGTH;
  591. }
  592. if (keyalg) {
  593. genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
  594. &keyalgstr, gen_eng);
  595. if (!genctx)
  596. goto end;
  597. }
  598. if (newkey < MIN_KEY_LENGTH
  599. && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
  600. BIO_printf(bio_err, "private key length is too short,\n");
  601. BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
  602. MIN_KEY_LENGTH, newkey);
  603. goto end;
  604. }
  605. if (!genctx) {
  606. genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey,
  607. &keyalgstr, gen_eng);
  608. if (!genctx)
  609. goto end;
  610. }
  611. if (pkeyopts) {
  612. char *genopt;
  613. for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
  614. genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
  615. if (pkey_ctrl_string(genctx, genopt) <= 0) {
  616. BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
  617. ERR_print_errors(bio_err);
  618. goto end;
  619. }
  620. }
  621. }
  622. BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
  623. newkey, keyalgstr);
  624. EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
  625. EVP_PKEY_CTX_set_app_data(genctx, bio_err);
  626. if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
  627. BIO_puts(bio_err, "Error Generating Key\n");
  628. goto end;
  629. }
  630. EVP_PKEY_CTX_free(genctx);
  631. genctx = NULL;
  632. app_RAND_write_file(randfile, bio_err);
  633. if (keyout == NULL) {
  634. keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
  635. if (keyout == NULL)
  636. ERR_clear_error();
  637. }
  638. if (keyout == NULL) {
  639. BIO_printf(bio_err, "writing new private key to stdout\n");
  640. BIO_set_fp(out, stdout, BIO_NOCLOSE);
  641. #ifdef OPENSSL_SYS_VMS
  642. {
  643. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  644. out = BIO_push(tmpbio, out);
  645. }
  646. #endif
  647. } else {
  648. BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
  649. if (BIO_write_filename(out, keyout) <= 0) {
  650. perror(keyout);
  651. goto end;
  652. }
  653. }
  654. p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
  655. if (p == NULL) {
  656. ERR_clear_error();
  657. p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
  658. if (p == NULL)
  659. ERR_clear_error();
  660. }
  661. if ((p != NULL) && (strcmp(p, "no") == 0))
  662. cipher = NULL;
  663. if (nodes)
  664. cipher = NULL;
  665. i = 0;
  666. loop:
  667. if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
  668. NULL, 0, NULL, passout)) {
  669. if ((ERR_GET_REASON(ERR_peek_error()) ==
  670. PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
  671. ERR_clear_error();
  672. i++;
  673. goto loop;
  674. }
  675. goto end;
  676. }
  677. BIO_printf(bio_err, "-----\n");
  678. }
  679. if (!newreq) {
  680. /*
  681. * Since we are using a pre-existing certificate request, the kludge
  682. * 'format' info should not be changed.
  683. */
  684. kludge = -1;
  685. if (infile == NULL)
  686. BIO_set_fp(in, stdin, BIO_NOCLOSE);
  687. else {
  688. if (BIO_read_filename(in, infile) <= 0) {
  689. perror(infile);
  690. goto end;
  691. }
  692. }
  693. if (informat == FORMAT_ASN1)
  694. req = d2i_X509_REQ_bio(in, NULL);
  695. else if (informat == FORMAT_PEM)
  696. req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
  697. else {
  698. BIO_printf(bio_err,
  699. "bad input format specified for X509 request\n");
  700. goto end;
  701. }
  702. if (req == NULL) {
  703. BIO_printf(bio_err, "unable to load X509 request\n");
  704. goto end;
  705. }
  706. }
  707. if (newreq || x509) {
  708. if (pkey == NULL) {
  709. BIO_printf(bio_err, "you need to specify a private key\n");
  710. goto end;
  711. }
  712. if (req == NULL) {
  713. req = X509_REQ_new();
  714. if (req == NULL) {
  715. goto end;
  716. }
  717. i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
  718. subj = NULL; /* done processing '-subj' option */
  719. if ((kludge > 0)
  720. && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) {
  721. sk_X509_ATTRIBUTE_free(req->req_info->attributes);
  722. req->req_info->attributes = NULL;
  723. }
  724. if (!i) {
  725. BIO_printf(bio_err, "problems making Certificate Request\n");
  726. goto end;
  727. }
  728. }
  729. if (x509) {
  730. EVP_PKEY *tmppkey;
  731. X509V3_CTX ext_ctx;
  732. if ((x509ss = X509_new()) == NULL)
  733. goto end;
  734. /* Set version to V3 */
  735. if (extensions && !X509_set_version(x509ss, 2))
  736. goto end;
  737. if (serial) {
  738. if (!X509_set_serialNumber(x509ss, serial))
  739. goto end;
  740. } else {
  741. if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
  742. goto end;
  743. }
  744. if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
  745. goto end;
  746. if (!X509_gmtime_adj(X509_get_notBefore(x509ss), 0))
  747. goto end;
  748. if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL))
  749. goto end;
  750. if (!X509_set_subject_name
  751. (x509ss, X509_REQ_get_subject_name(req)))
  752. goto end;
  753. tmppkey = X509_REQ_get_pubkey(req);
  754. if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
  755. goto end;
  756. EVP_PKEY_free(tmppkey);
  757. /* Set up V3 context struct */
  758. X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
  759. X509V3_set_nconf(&ext_ctx, req_conf);
  760. /* Add extensions */
  761. if (extensions && !X509V3_EXT_add_nconf(req_conf,
  762. &ext_ctx, extensions,
  763. x509ss)) {
  764. BIO_printf(bio_err, "Error Loading extension section %s\n",
  765. extensions);
  766. goto end;
  767. }
  768. i = do_X509_sign(bio_err, x509ss, pkey, digest, sigopts);
  769. if (!i) {
  770. ERR_print_errors(bio_err);
  771. goto end;
  772. }
  773. } else {
  774. X509V3_CTX ext_ctx;
  775. /* Set up V3 context struct */
  776. X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
  777. X509V3_set_nconf(&ext_ctx, req_conf);
  778. /* Add extensions */
  779. if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
  780. &ext_ctx, req_exts,
  781. req)) {
  782. BIO_printf(bio_err, "Error Loading extension section %s\n",
  783. req_exts);
  784. goto end;
  785. }
  786. i = do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts);
  787. if (!i) {
  788. ERR_print_errors(bio_err);
  789. goto end;
  790. }
  791. }
  792. }
  793. if (subj && x509) {
  794. BIO_printf(bio_err, "Cannot modifiy certificate subject\n");
  795. goto end;
  796. }
  797. if (subj && !x509) {
  798. if (verbose) {
  799. BIO_printf(bio_err, "Modifying Request's Subject\n");
  800. print_name(bio_err, "old subject=",
  801. X509_REQ_get_subject_name(req), nmflag);
  802. }
  803. if (build_subject(req, subj, chtype, multirdn) == 0) {
  804. BIO_printf(bio_err, "ERROR: cannot modify subject\n");
  805. ex = 1;
  806. goto end;
  807. }
  808. req->req_info->enc.modified = 1;
  809. if (verbose) {
  810. print_name(bio_err, "new subject=",
  811. X509_REQ_get_subject_name(req), nmflag);
  812. }
  813. }
  814. if (verify && !x509) {
  815. int tmp = 0;
  816. if (pkey == NULL) {
  817. pkey = X509_REQ_get_pubkey(req);
  818. tmp = 1;
  819. if (pkey == NULL)
  820. goto end;
  821. }
  822. i = X509_REQ_verify(req, pkey);
  823. if (tmp) {
  824. EVP_PKEY_free(pkey);
  825. pkey = NULL;
  826. }
  827. if (i < 0) {
  828. goto end;
  829. } else if (i == 0) {
  830. BIO_printf(bio_err, "verify failure\n");
  831. ERR_print_errors(bio_err);
  832. } else /* if (i > 0) */
  833. BIO_printf(bio_err, "verify OK\n");
  834. }
  835. if (noout && !text && !modulus && !subject && !pubkey) {
  836. ex = 0;
  837. goto end;
  838. }
  839. if (outfile == NULL) {
  840. BIO_set_fp(out, stdout, BIO_NOCLOSE);
  841. #ifdef OPENSSL_SYS_VMS
  842. {
  843. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  844. out = BIO_push(tmpbio, out);
  845. }
  846. #endif
  847. } else {
  848. if ((keyout != NULL) && (strcmp(outfile, keyout) == 0))
  849. i = (int)BIO_append_filename(out, outfile);
  850. else
  851. i = (int)BIO_write_filename(out, outfile);
  852. if (!i) {
  853. perror(outfile);
  854. goto end;
  855. }
  856. }
  857. if (pubkey) {
  858. EVP_PKEY *tpubkey;
  859. tpubkey = X509_REQ_get_pubkey(req);
  860. if (tpubkey == NULL) {
  861. BIO_printf(bio_err, "Error getting public key\n");
  862. ERR_print_errors(bio_err);
  863. goto end;
  864. }
  865. PEM_write_bio_PUBKEY(out, tpubkey);
  866. EVP_PKEY_free(tpubkey);
  867. }
  868. if (text) {
  869. if (x509)
  870. X509_print_ex(out, x509ss, nmflag, reqflag);
  871. else
  872. X509_REQ_print_ex(out, req, nmflag, reqflag);
  873. }
  874. if (subject) {
  875. if (x509)
  876. print_name(out, "subject=", X509_get_subject_name(x509ss),
  877. nmflag);
  878. else
  879. print_name(out, "subject=", X509_REQ_get_subject_name(req),
  880. nmflag);
  881. }
  882. if (modulus) {
  883. EVP_PKEY *tpubkey;
  884. if (x509)
  885. tpubkey = X509_get_pubkey(x509ss);
  886. else
  887. tpubkey = X509_REQ_get_pubkey(req);
  888. if (tpubkey == NULL) {
  889. fprintf(stdout, "Modulus=unavailable\n");
  890. goto end;
  891. }
  892. fprintf(stdout, "Modulus=");
  893. #ifndef OPENSSL_NO_RSA
  894. if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
  895. BN_print(out, tpubkey->pkey.rsa->n);
  896. else
  897. #endif
  898. fprintf(stdout, "Wrong Algorithm type");
  899. EVP_PKEY_free(tpubkey);
  900. fprintf(stdout, "\n");
  901. }
  902. if (!noout && !x509) {
  903. if (outformat == FORMAT_ASN1)
  904. i = i2d_X509_REQ_bio(out, req);
  905. else if (outformat == FORMAT_PEM) {
  906. if (newhdr)
  907. i = PEM_write_bio_X509_REQ_NEW(out, req);
  908. else
  909. i = PEM_write_bio_X509_REQ(out, req);
  910. } else {
  911. BIO_printf(bio_err, "bad output format specified for outfile\n");
  912. goto end;
  913. }
  914. if (!i) {
  915. BIO_printf(bio_err, "unable to write X509 request\n");
  916. goto end;
  917. }
  918. }
  919. if (!noout && x509 && (x509ss != NULL)) {
  920. if (outformat == FORMAT_ASN1)
  921. i = i2d_X509_bio(out, x509ss);
  922. else if (outformat == FORMAT_PEM)
  923. i = PEM_write_bio_X509(out, x509ss);
  924. else {
  925. BIO_printf(bio_err, "bad output format specified for outfile\n");
  926. goto end;
  927. }
  928. if (!i) {
  929. BIO_printf(bio_err, "unable to write X509 certificate\n");
  930. goto end;
  931. }
  932. }
  933. ex = 0;
  934. end:
  935. #ifndef MONOLITH
  936. if (to_free)
  937. OPENSSL_free(to_free);
  938. #endif
  939. if (ex) {
  940. ERR_print_errors(bio_err);
  941. }
  942. if ((req_conf != NULL) && (req_conf != config))
  943. NCONF_free(req_conf);
  944. BIO_free(in);
  945. BIO_free_all(out);
  946. EVP_PKEY_free(pkey);
  947. if (genctx)
  948. EVP_PKEY_CTX_free(genctx);
  949. if (pkeyopts)
  950. sk_OPENSSL_STRING_free(pkeyopts);
  951. if (sigopts)
  952. sk_OPENSSL_STRING_free(sigopts);
  953. #ifndef OPENSSL_NO_ENGINE
  954. if (gen_eng)
  955. ENGINE_free(gen_eng);
  956. #endif
  957. if (keyalgstr)
  958. OPENSSL_free(keyalgstr);
  959. X509_REQ_free(req);
  960. X509_free(x509ss);
  961. ASN1_INTEGER_free(serial);
  962. release_engine(e);
  963. if (passargin && passin)
  964. OPENSSL_free(passin);
  965. if (passargout && passout)
  966. OPENSSL_free(passout);
  967. OBJ_cleanup();
  968. apps_shutdown();
  969. OPENSSL_EXIT(ex);
  970. }
  971. static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
  972. int attribs, unsigned long chtype)
  973. {
  974. int ret = 0, i;
  975. char no_prompt = 0;
  976. STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
  977. char *tmp, *dn_sect, *attr_sect;
  978. tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
  979. if (tmp == NULL)
  980. ERR_clear_error();
  981. if ((tmp != NULL) && !strcmp(tmp, "no"))
  982. no_prompt = 1;
  983. dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
  984. if (dn_sect == NULL) {
  985. BIO_printf(bio_err, "unable to find '%s' in config\n",
  986. DISTINGUISHED_NAME);
  987. goto err;
  988. }
  989. dn_sk = NCONF_get_section(req_conf, dn_sect);
  990. if (dn_sk == NULL) {
  991. BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
  992. goto err;
  993. }
  994. attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
  995. if (attr_sect == NULL) {
  996. ERR_clear_error();
  997. attr_sk = NULL;
  998. } else {
  999. attr_sk = NCONF_get_section(req_conf, attr_sect);
  1000. if (attr_sk == NULL) {
  1001. BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
  1002. goto err;
  1003. }
  1004. }
  1005. /* setup version number */
  1006. if (!X509_REQ_set_version(req, 0L))
  1007. goto err; /* version 1 */
  1008. if (no_prompt)
  1009. i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
  1010. else {
  1011. if (subj)
  1012. i = build_subject(req, subj, chtype, multirdn);
  1013. else
  1014. i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
  1015. chtype);
  1016. }
  1017. if (!i)
  1018. goto err;
  1019. if (!X509_REQ_set_pubkey(req, pkey))
  1020. goto err;
  1021. ret = 1;
  1022. err:
  1023. return (ret);
  1024. }
  1025. /*
  1026. * subject is expected to be in the format /type0=value0/type1=value1/type2=...
  1027. * where characters may be escaped by \
  1028. */
  1029. static int build_subject(X509_REQ *req, char *subject, unsigned long chtype,
  1030. int multirdn)
  1031. {
  1032. X509_NAME *n;
  1033. if (!(n = parse_name(subject, chtype, multirdn)))
  1034. return 0;
  1035. if (!X509_REQ_set_subject_name(req, n)) {
  1036. X509_NAME_free(n);
  1037. return 0;
  1038. }
  1039. X509_NAME_free(n);
  1040. return 1;
  1041. }
  1042. static int prompt_info(X509_REQ *req,
  1043. STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
  1044. STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect,
  1045. int attribs, unsigned long chtype)
  1046. {
  1047. int i;
  1048. char *p, *q;
  1049. char buf[100];
  1050. int nid, mval;
  1051. long n_min, n_max;
  1052. char *type, *value;
  1053. const char *def;
  1054. CONF_VALUE *v;
  1055. X509_NAME *subj;
  1056. subj = X509_REQ_get_subject_name(req);
  1057. if (!batch) {
  1058. BIO_printf(bio_err,
  1059. "You are about to be asked to enter information that will be incorporated\n");
  1060. BIO_printf(bio_err, "into your certificate request.\n");
  1061. BIO_printf(bio_err,
  1062. "What you are about to enter is what is called a Distinguished Name or a DN.\n");
  1063. BIO_printf(bio_err,
  1064. "There are quite a few fields but you can leave some blank\n");
  1065. BIO_printf(bio_err,
  1066. "For some fields there will be a default value,\n");
  1067. BIO_printf(bio_err,
  1068. "If you enter '.', the field will be left blank.\n");
  1069. BIO_printf(bio_err, "-----\n");
  1070. }
  1071. if (sk_CONF_VALUE_num(dn_sk)) {
  1072. i = -1;
  1073. start:for (;;) {
  1074. i++;
  1075. if (sk_CONF_VALUE_num(dn_sk) <= i)
  1076. break;
  1077. v = sk_CONF_VALUE_value(dn_sk, i);
  1078. p = q = NULL;
  1079. type = v->name;
  1080. if (!check_end(type, "_min") || !check_end(type, "_max") ||
  1081. !check_end(type, "_default") || !check_end(type, "_value"))
  1082. continue;
  1083. /*
  1084. * Skip past any leading X. X: X, etc to allow for multiple
  1085. * instances
  1086. */
  1087. for (p = v->name; *p; p++)
  1088. if ((*p == ':') || (*p == ',') || (*p == '.')) {
  1089. p++;
  1090. if (*p)
  1091. type = p;
  1092. break;
  1093. }
  1094. if (*type == '+') {
  1095. mval = -1;
  1096. type++;
  1097. } else
  1098. mval = 0;
  1099. /* If OBJ not recognised ignore it */
  1100. if ((nid = OBJ_txt2nid(type)) == NID_undef)
  1101. goto start;
  1102. if (BIO_snprintf(buf, sizeof buf, "%s_default", v->name)
  1103. >= (int)sizeof(buf)) {
  1104. BIO_printf(bio_err, "Name '%s' too long\n", v->name);
  1105. return 0;
  1106. }
  1107. if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
  1108. ERR_clear_error();
  1109. def = "";
  1110. }
  1111. BIO_snprintf(buf, sizeof buf, "%s_value", v->name);
  1112. if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
  1113. ERR_clear_error();
  1114. value = NULL;
  1115. }
  1116. BIO_snprintf(buf, sizeof buf, "%s_min", v->name);
  1117. if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
  1118. ERR_clear_error();
  1119. n_min = -1;
  1120. }
  1121. BIO_snprintf(buf, sizeof buf, "%s_max", v->name);
  1122. if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
  1123. ERR_clear_error();
  1124. n_max = -1;
  1125. }
  1126. if (!add_DN_object(subj, v->value, def, value, nid,
  1127. n_min, n_max, chtype, mval))
  1128. return 0;
  1129. }
  1130. if (X509_NAME_entry_count(subj) == 0) {
  1131. BIO_printf(bio_err,
  1132. "error, no objects specified in config file\n");
  1133. return 0;
  1134. }
  1135. if (attribs) {
  1136. if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
  1137. && (!batch)) {
  1138. BIO_printf(bio_err,
  1139. "\nPlease enter the following 'extra' attributes\n");
  1140. BIO_printf(bio_err,
  1141. "to be sent with your certificate request\n");
  1142. }
  1143. i = -1;
  1144. start2: for (;;) {
  1145. i++;
  1146. if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
  1147. break;
  1148. v = sk_CONF_VALUE_value(attr_sk, i);
  1149. type = v->name;
  1150. if ((nid = OBJ_txt2nid(type)) == NID_undef)
  1151. goto start2;
  1152. if (BIO_snprintf(buf, sizeof buf, "%s_default", type)
  1153. >= (int)sizeof(buf)) {
  1154. BIO_printf(bio_err, "Name '%s' too long\n", v->name);
  1155. return 0;
  1156. }
  1157. if ((def = NCONF_get_string(req_conf, attr_sect, buf))
  1158. == NULL) {
  1159. ERR_clear_error();
  1160. def = "";
  1161. }
  1162. BIO_snprintf(buf, sizeof buf, "%s_value", type);
  1163. if ((value = NCONF_get_string(req_conf, attr_sect, buf))
  1164. == NULL) {
  1165. ERR_clear_error();
  1166. value = NULL;
  1167. }
  1168. BIO_snprintf(buf, sizeof buf, "%s_min", type);
  1169. if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
  1170. ERR_clear_error();
  1171. n_min = -1;
  1172. }
  1173. BIO_snprintf(buf, sizeof buf, "%s_max", type);
  1174. if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
  1175. ERR_clear_error();
  1176. n_max = -1;
  1177. }
  1178. if (!add_attribute_object(req,
  1179. v->value, def, value, nid, n_min,
  1180. n_max, chtype))
  1181. return 0;
  1182. }
  1183. }
  1184. } else {
  1185. BIO_printf(bio_err, "No template, please set one up.\n");
  1186. return 0;
  1187. }
  1188. return 1;
  1189. }
  1190. static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
  1191. STACK_OF(CONF_VALUE) *attr_sk, int attribs,
  1192. unsigned long chtype)
  1193. {
  1194. int i;
  1195. char *p, *q;
  1196. char *type;
  1197. CONF_VALUE *v;
  1198. X509_NAME *subj;
  1199. subj = X509_REQ_get_subject_name(req);
  1200. for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
  1201. int mval;
  1202. v = sk_CONF_VALUE_value(dn_sk, i);
  1203. p = q = NULL;
  1204. type = v->name;
  1205. /*
  1206. * Skip past any leading X. X: X, etc to allow for multiple instances
  1207. */
  1208. for (p = v->name; *p; p++)
  1209. #ifndef CHARSET_EBCDIC
  1210. if ((*p == ':') || (*p == ',') || (*p == '.')) {
  1211. #else
  1212. if ((*p == os_toascii[':']) || (*p == os_toascii[','])
  1213. || (*p == os_toascii['.'])) {
  1214. #endif
  1215. p++;
  1216. if (*p)
  1217. type = p;
  1218. break;
  1219. }
  1220. #ifndef CHARSET_EBCDIC
  1221. if (*type == '+') {
  1222. #else
  1223. if (*type == os_toascii['+']) {
  1224. #endif
  1225. type++;
  1226. mval = -1;
  1227. } else
  1228. mval = 0;
  1229. if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
  1230. (unsigned char *)v->value, -1, -1,
  1231. mval))
  1232. return 0;
  1233. }
  1234. if (!X509_NAME_entry_count(subj)) {
  1235. BIO_printf(bio_err, "error, no objects specified in config file\n");
  1236. return 0;
  1237. }
  1238. if (attribs) {
  1239. for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
  1240. v = sk_CONF_VALUE_value(attr_sk, i);
  1241. if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
  1242. (unsigned char *)v->value, -1))
  1243. return 0;
  1244. }
  1245. }
  1246. return 1;
  1247. }
  1248. static int add_DN_object(X509_NAME *n, char *text, const char *def,
  1249. char *value, int nid, int n_min, int n_max,
  1250. unsigned long chtype, int mval)
  1251. {
  1252. int i, ret = 0;
  1253. MS_STATIC char buf[1024];
  1254. start:
  1255. if (!batch)
  1256. BIO_printf(bio_err, "%s [%s]:", text, def);
  1257. (void)BIO_flush(bio_err);
  1258. if (value != NULL) {
  1259. BUF_strlcpy(buf, value, sizeof buf);
  1260. BUF_strlcat(buf, "\n", sizeof buf);
  1261. BIO_printf(bio_err, "%s\n", value);
  1262. } else {
  1263. buf[0] = '\0';
  1264. if (!batch) {
  1265. if (!fgets(buf, sizeof buf, stdin))
  1266. return 0;
  1267. } else {
  1268. buf[0] = '\n';
  1269. buf[1] = '\0';
  1270. }
  1271. }
  1272. if (buf[0] == '\0')
  1273. return (0);
  1274. else if (buf[0] == '\n') {
  1275. if ((def == NULL) || (def[0] == '\0'))
  1276. return (1);
  1277. BUF_strlcpy(buf, def, sizeof buf);
  1278. BUF_strlcat(buf, "\n", sizeof buf);
  1279. } else if ((buf[0] == '.') && (buf[1] == '\n'))
  1280. return (1);
  1281. i = strlen(buf);
  1282. if (buf[i - 1] != '\n') {
  1283. BIO_printf(bio_err, "weird input :-(\n");
  1284. return (0);
  1285. }
  1286. buf[--i] = '\0';
  1287. #ifdef CHARSET_EBCDIC
  1288. ebcdic2ascii(buf, buf, i);
  1289. #endif
  1290. if (!req_check_len(i, n_min, n_max)) {
  1291. if (batch || value)
  1292. return 0;
  1293. goto start;
  1294. }
  1295. if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
  1296. (unsigned char *)buf, -1, -1, mval))
  1297. goto err;
  1298. ret = 1;
  1299. err:
  1300. return (ret);
  1301. }
  1302. static int add_attribute_object(X509_REQ *req, char *text, const char *def,
  1303. char *value, int nid, int n_min,
  1304. int n_max, unsigned long chtype)
  1305. {
  1306. int i;
  1307. static char buf[1024];
  1308. start:
  1309. if (!batch)
  1310. BIO_printf(bio_err, "%s [%s]:", text, def);
  1311. (void)BIO_flush(bio_err);
  1312. if (value != NULL) {
  1313. BUF_strlcpy(buf, value, sizeof buf);
  1314. BUF_strlcat(buf, "\n", sizeof buf);
  1315. BIO_printf(bio_err, "%s\n", value);
  1316. } else {
  1317. buf[0] = '\0';
  1318. if (!batch) {
  1319. if (!fgets(buf, sizeof buf, stdin))
  1320. return 0;
  1321. } else {
  1322. buf[0] = '\n';
  1323. buf[1] = '\0';
  1324. }
  1325. }
  1326. if (buf[0] == '\0')
  1327. return (0);
  1328. else if (buf[0] == '\n') {
  1329. if ((def == NULL) || (def[0] == '\0'))
  1330. return (1);
  1331. BUF_strlcpy(buf, def, sizeof buf);
  1332. BUF_strlcat(buf, "\n", sizeof buf);
  1333. } else if ((buf[0] == '.') && (buf[1] == '\n'))
  1334. return (1);
  1335. i = strlen(buf);
  1336. if (buf[i - 1] != '\n') {
  1337. BIO_printf(bio_err, "weird input :-(\n");
  1338. return (0);
  1339. }
  1340. buf[--i] = '\0';
  1341. #ifdef CHARSET_EBCDIC
  1342. ebcdic2ascii(buf, buf, i);
  1343. #endif
  1344. if (!req_check_len(i, n_min, n_max)) {
  1345. if (batch || value)
  1346. return 0;
  1347. goto start;
  1348. }
  1349. if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
  1350. (unsigned char *)buf, -1)) {
  1351. BIO_printf(bio_err, "Error adding attribute\n");
  1352. ERR_print_errors(bio_err);
  1353. goto err;
  1354. }
  1355. return (1);
  1356. err:
  1357. return (0);
  1358. }
  1359. static int req_check_len(int len, int n_min, int n_max)
  1360. {
  1361. if ((n_min > 0) && (len < n_min)) {
  1362. BIO_printf(bio_err,
  1363. "string is too short, it needs to be at least %d bytes long\n",
  1364. n_min);
  1365. return (0);
  1366. }
  1367. if ((n_max >= 0) && (len > n_max)) {
  1368. BIO_printf(bio_err,
  1369. "string is too long, it needs to be less than %d bytes long\n",
  1370. n_max);
  1371. return (0);
  1372. }
  1373. return (1);
  1374. }
  1375. /* Check if the end of a string matches 'end' */
  1376. static int check_end(const char *str, const char *end)
  1377. {
  1378. int elen, slen;
  1379. const char *tmp;
  1380. elen = strlen(end);
  1381. slen = strlen(str);
  1382. if (elen > slen)
  1383. return 1;
  1384. tmp = str + slen - elen;
  1385. return strcmp(tmp, end);
  1386. }
  1387. static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr,
  1388. int *pkey_type, long *pkeylen,
  1389. char **palgnam, ENGINE *keygen_engine)
  1390. {
  1391. EVP_PKEY_CTX *gctx = NULL;
  1392. EVP_PKEY *param = NULL;
  1393. long keylen = -1;
  1394. BIO *pbio = NULL;
  1395. const char *paramfile = NULL;
  1396. if (gstr == NULL) {
  1397. *pkey_type = EVP_PKEY_RSA;
  1398. keylen = *pkeylen;
  1399. } else if (gstr[0] >= '0' && gstr[0] <= '9') {
  1400. *pkey_type = EVP_PKEY_RSA;
  1401. keylen = atol(gstr);
  1402. *pkeylen = keylen;
  1403. } else if (!strncmp(gstr, "param:", 6))
  1404. paramfile = gstr + 6;
  1405. else {
  1406. const char *p = strchr(gstr, ':');
  1407. int len;
  1408. ENGINE *tmpeng;
  1409. const EVP_PKEY_ASN1_METHOD *ameth;
  1410. if (p)
  1411. len = p - gstr;
  1412. else
  1413. len = strlen(gstr);
  1414. /*
  1415. * The lookup of a the string will cover all engines so keep a note
  1416. * of the implementation.
  1417. */
  1418. ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
  1419. if (!ameth) {
  1420. BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr);
  1421. return NULL;
  1422. }
  1423. EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
  1424. #ifndef OPENSSL_NO_ENGINE
  1425. if (tmpeng)
  1426. ENGINE_finish(tmpeng);
  1427. #endif
  1428. if (*pkey_type == EVP_PKEY_RSA) {
  1429. if (p) {
  1430. keylen = atol(p + 1);
  1431. *pkeylen = keylen;
  1432. } else
  1433. keylen = *pkeylen;
  1434. } else if (p)
  1435. paramfile = p + 1;
  1436. }
  1437. if (paramfile) {
  1438. pbio = BIO_new_file(paramfile, "r");
  1439. if (!pbio) {
  1440. BIO_printf(err, "Can't open parameter file %s\n", paramfile);
  1441. return NULL;
  1442. }
  1443. param = PEM_read_bio_Parameters(pbio, NULL);
  1444. if (!param) {
  1445. X509 *x;
  1446. (void)BIO_reset(pbio);
  1447. x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
  1448. if (x) {
  1449. param = X509_get_pubkey(x);
  1450. X509_free(x);
  1451. }
  1452. }
  1453. BIO_free(pbio);
  1454. if (!param) {
  1455. BIO_printf(err, "Error reading parameter file %s\n", paramfile);
  1456. return NULL;
  1457. }
  1458. if (*pkey_type == -1)
  1459. *pkey_type = EVP_PKEY_id(param);
  1460. else if (*pkey_type != EVP_PKEY_base_id(param)) {
  1461. BIO_printf(err, "Key Type does not match parameters\n");
  1462. EVP_PKEY_free(param);
  1463. return NULL;
  1464. }
  1465. }
  1466. if (palgnam) {
  1467. const EVP_PKEY_ASN1_METHOD *ameth;
  1468. ENGINE *tmpeng;
  1469. const char *anam;
  1470. ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
  1471. if (!ameth) {
  1472. BIO_puts(err, "Internal error: can't find key algorithm\n");
  1473. return NULL;
  1474. }
  1475. EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
  1476. *palgnam = BUF_strdup(anam);
  1477. #ifndef OPENSSL_NO_ENGINE
  1478. if (tmpeng)
  1479. ENGINE_finish(tmpeng);
  1480. #endif
  1481. }
  1482. if (param) {
  1483. gctx = EVP_PKEY_CTX_new(param, keygen_engine);
  1484. *pkeylen = EVP_PKEY_bits(param);
  1485. EVP_PKEY_free(param);
  1486. } else
  1487. gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
  1488. if (!gctx) {
  1489. BIO_puts(err, "Error allocating keygen context\n");
  1490. ERR_print_errors(err);
  1491. return NULL;
  1492. }
  1493. if (EVP_PKEY_keygen_init(gctx) <= 0) {
  1494. BIO_puts(err, "Error initializing keygen context\n");
  1495. ERR_print_errors(err);
  1496. return NULL;
  1497. }
  1498. #ifndef OPENSSL_NO_RSA
  1499. if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
  1500. if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
  1501. BIO_puts(err, "Error setting RSA keysize\n");
  1502. ERR_print_errors(err);
  1503. EVP_PKEY_CTX_free(gctx);
  1504. return NULL;
  1505. }
  1506. }
  1507. #endif
  1508. return gctx;
  1509. }
  1510. static int genpkey_cb(EVP_PKEY_CTX *ctx)
  1511. {
  1512. char c = '*';
  1513. BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
  1514. int p;
  1515. p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
  1516. if (p == 0)
  1517. c = '.';
  1518. if (p == 1)
  1519. c = '+';
  1520. if (p == 2)
  1521. c = '*';
  1522. if (p == 3)
  1523. c = '\n';
  1524. BIO_write(b, &c, 1);
  1525. (void)BIO_flush(b);
  1526. #ifdef LINT
  1527. p = n;
  1528. #endif
  1529. return 1;
  1530. }
  1531. static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
  1532. const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
  1533. {
  1534. EVP_PKEY_CTX *pkctx = NULL;
  1535. int i;
  1536. EVP_MD_CTX_init(ctx);
  1537. if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
  1538. return 0;
  1539. for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
  1540. char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
  1541. if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
  1542. BIO_printf(err, "parameter error \"%s\"\n", sigopt);
  1543. ERR_print_errors(bio_err);
  1544. return 0;
  1545. }
  1546. }
  1547. return 1;
  1548. }
  1549. int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
  1550. STACK_OF(OPENSSL_STRING) *sigopts)
  1551. {
  1552. int rv;
  1553. EVP_MD_CTX mctx;
  1554. EVP_MD_CTX_init(&mctx);
  1555. rv = do_sign_init(err, &mctx, pkey, md, sigopts);
  1556. if (rv > 0)
  1557. rv = X509_sign_ctx(x, &mctx);
  1558. EVP_MD_CTX_cleanup(&mctx);
  1559. return rv > 0 ? 1 : 0;
  1560. }
  1561. int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
  1562. STACK_OF(OPENSSL_STRING) *sigopts)
  1563. {
  1564. int rv;
  1565. EVP_MD_CTX mctx;
  1566. EVP_MD_CTX_init(&mctx);
  1567. rv = do_sign_init(err, &mctx, pkey, md, sigopts);
  1568. if (rv > 0)
  1569. rv = X509_REQ_sign_ctx(x, &mctx);
  1570. EVP_MD_CTX_cleanup(&mctx);
  1571. return rv > 0 ? 1 : 0;
  1572. }
  1573. int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
  1574. STACK_OF(OPENSSL_STRING) *sigopts)
  1575. {
  1576. int rv;
  1577. EVP_MD_CTX mctx;
  1578. EVP_MD_CTX_init(&mctx);
  1579. rv = do_sign_init(err, &mctx, pkey, md, sigopts);
  1580. if (rv > 0)
  1581. rv = X509_CRL_sign_ctx(x, &mctx);
  1582. EVP_MD_CTX_cleanup(&mctx);
  1583. return rv > 0 ? 1 : 0;
  1584. }