req.c 48 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  2. * All rights reserved.
  3. *
  4. * This package is an SSL implementation written
  5. * by Eric Young (eay@cryptsoft.com).
  6. * The implementation was written so as to conform with Netscapes SSL.
  7. *
  8. * This library is free for commercial and non-commercial use as long as
  9. * the following conditions are aheared to. The following conditions
  10. * apply to all code found in this distribution, be it the RC4, RSA,
  11. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  12. * included with this distribution is covered by the same copyright terms
  13. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  14. *
  15. * Copyright remains Eric Young's, and as such any Copyright notices in
  16. * the code are not to be removed.
  17. * If this package is used in a product, Eric Young should be given attribution
  18. * as the author of the parts of the library used.
  19. * This can be in the form of a textual message at program startup or
  20. * in documentation (online or textual) provided with the package.
  21. *
  22. * Redistribution and use in source and binary forms, with or without
  23. * modification, are permitted provided that the following conditions
  24. * are met:
  25. * 1. Redistributions of source code must retain the copyright
  26. * notice, this list of conditions and the following disclaimer.
  27. * 2. Redistributions in binary form must reproduce the above copyright
  28. * notice, this list of conditions and the following disclaimer in the
  29. * documentation and/or other materials provided with the distribution.
  30. * 3. All advertising materials mentioning features or use of this software
  31. * must display the following acknowledgement:
  32. * "This product includes cryptographic software written by
  33. * Eric Young (eay@cryptsoft.com)"
  34. * The word 'cryptographic' can be left out if the rouines from the library
  35. * being used are not cryptographic related :-).
  36. * 4. If you include any Windows specific code (or a derivative thereof) from
  37. * the apps directory (application code) you must include an acknowledgement:
  38. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  41. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  43. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  44. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  45. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  46. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  48. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  49. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  50. * SUCH DAMAGE.
  51. *
  52. * The licence and distribution terms for any publically available version or
  53. * derivative of this code cannot be changed. i.e. this code cannot simply be
  54. * copied and put under another distribution licence
  55. * [including the GNU Public Licence.]
  56. */
  57. #include <stdio.h>
  58. #include <stdlib.h>
  59. #include <time.h>
  60. #include <string.h>
  61. #include "apps.h"
  62. #include <openssl/bio.h>
  63. #include <openssl/evp.h>
  64. #include <openssl/conf.h>
  65. #include <openssl/err.h>
  66. #include <openssl/asn1.h>
  67. #include <openssl/x509.h>
  68. #include <openssl/x509v3.h>
  69. #include <openssl/objects.h>
  70. #include <openssl/pem.h>
  71. #include <openssl/bn.h>
  72. #ifndef OPENSSL_NO_RSA
  73. # include <openssl/rsa.h>
  74. #endif
  75. #ifndef OPENSSL_NO_DSA
  76. # include <openssl/dsa.h>
  77. #endif
  78. #define SECTION "req"
  79. #define BITS "default_bits"
  80. #define KEYFILE "default_keyfile"
  81. #define PROMPT "prompt"
  82. #define DISTINGUISHED_NAME "distinguished_name"
  83. #define ATTRIBUTES "attributes"
  84. #define V3_EXTENSIONS "x509_extensions"
  85. #define REQ_EXTENSIONS "req_extensions"
  86. #define STRING_MASK "string_mask"
  87. #define UTF8_IN "utf8"
  88. #define DEFAULT_KEY_LENGTH 512
  89. #define MIN_KEY_LENGTH 384
  90. static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
  91. int attribs, unsigned long chtype);
  92. static int build_subject(X509_REQ *req, char *subj, unsigned long chtype,
  93. int multirdn);
  94. static int prompt_info(X509_REQ *req,
  95. STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
  96. STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect,
  97. int attribs, unsigned long chtype);
  98. static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
  99. STACK_OF(CONF_VALUE) *attr, int attribs,
  100. unsigned long chtype);
  101. static int add_attribute_object(X509_REQ *req, char *text, const char *def,
  102. char *value, int nid, int n_min, int n_max,
  103. unsigned long chtype);
  104. static int add_DN_object(X509_NAME *n, char *text, const char *def,
  105. char *value, int nid, int n_min, int n_max,
  106. unsigned long chtype, int mval);
  107. static int genpkey_cb(EVP_PKEY_CTX *ctx);
  108. static int req_check_len(int len, int n_min, int n_max);
  109. static int check_end(const char *str, const char *end);
  110. static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
  111. int *pkey_type, long *pkeylen,
  112. char **palgnam, ENGINE *keygen_engine);
  113. static CONF *req_conf = NULL;
  114. static int batch = 0;
  115. typedef enum OPTION_choice {
  116. OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
  117. OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
  118. OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
  119. OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_RAND, OPT_NEWKEY,
  120. OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
  121. OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
  122. OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
  123. OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
  124. OPT_REQEXTS, OPT_MD
  125. } OPTION_CHOICE;
  126. OPTIONS req_options[] = {
  127. {"help", OPT_HELP, '-', "Display this summary"},
  128. {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
  129. {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
  130. {"in", OPT_IN, '<', "Input file"},
  131. {"out", OPT_OUT, '>', "Output file"},
  132. {"key", OPT_KEY, '<', "Use the private key contained in file"},
  133. {"keyform", OPT_KEYFORM, 'F', "Key file format"},
  134. {"pubkey", OPT_PUBKEY, '-', "Output public key"},
  135. {"new", OPT_NEW, '-', "New request"},
  136. {"config", OPT_CONFIG, '<', "Request template file"},
  137. {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
  138. {"passin", OPT_PASSIN, 's', "Private key password source"},
  139. {"passout", OPT_PASSOUT, 's'},
  140. {"rand", OPT_RAND, 's',
  141. "Load the file(s) into the random number generator"},
  142. {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
  143. {"pkeyopt", OPT_PKEYOPT, 's'},
  144. {"sigopt", OPT_SIGOPT, 's'},
  145. {"batch", OPT_BATCH, '-',
  146. "Do not ask anything during request generation"},
  147. {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
  148. {"modulus", OPT_MODULUS, '-', "RSA modulus"},
  149. {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
  150. {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
  151. {"noout", OPT_NOOUT, '-', "Do not output REQ"},
  152. {"verbose", OPT_VERBOSE, '-'},
  153. {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
  154. {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
  155. {"reqopt", OPT_REQOPT, 's', "Various request text options"},
  156. {"text", OPT_TEXT, '-', "Text form of request"},
  157. {"x509", OPT_X509, '-',
  158. "Output a x509 structure instead of a cert request"},
  159. {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
  160. {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
  161. {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
  162. {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
  163. "Enable support for multivalued RDNs"},
  164. {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
  165. {"set_serial", OPT_SET_SERIAL, 'p', "Serial number to use"},
  166. {"extensions", OPT_EXTENSIONS, 's',
  167. "Cert extension section (override value in config file)"},
  168. {"reqexts", OPT_REQEXTS, 's',
  169. "Request extension section (override value in config file)"},
  170. {"", OPT_MD, '-', "Any supported digest"},
  171. #ifndef OPENSSL_NO_ENGINE
  172. {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
  173. {"keygen_engine", OPT_KEYGEN_ENGINE, 's'},
  174. #endif
  175. {NULL}
  176. };
  177. int req_main(int argc, char **argv)
  178. {
  179. ASN1_INTEGER *serial = NULL;
  180. BIO *in = NULL, *out = NULL;
  181. ENGINE *e = NULL, *gen_eng = NULL;
  182. EVP_PKEY *pkey = NULL;
  183. EVP_PKEY_CTX *genctx = NULL;
  184. STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
  185. X509 *x509ss = NULL;
  186. X509_REQ *req = NULL;
  187. const EVP_CIPHER *cipher = NULL;
  188. const EVP_MD *md_alg = NULL, *digest = NULL;
  189. char *extensions = NULL, *infile = NULL;
  190. char *outfile = NULL, *keyfile = NULL, *inrand = NULL;
  191. char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
  192. char *passin = NULL, *passout = NULL, *req_exts = NULL, *subj = NULL;
  193. char *template = default_config_file, *keyout = NULL;
  194. const char *keyalg = NULL;
  195. OPTION_CHOICE o;
  196. int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose = 0;
  197. int pkey_type = -1, private = 0;
  198. int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
  199. int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
  200. int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
  201. long newkey = -1;
  202. unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
  203. char nmflag_set = 0;
  204. #ifndef OPENSSL_NO_DES
  205. cipher = EVP_des_ede3_cbc();
  206. #endif
  207. prog = opt_init(argc, argv, req_options);
  208. while ((o = opt_next()) != OPT_EOF) {
  209. switch (o) {
  210. case OPT_EOF:
  211. case OPT_ERR:
  212. opthelp:
  213. BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
  214. goto end;
  215. case OPT_HELP:
  216. opt_help(req_options);
  217. ret = 0;
  218. goto end;
  219. case OPT_INFORM:
  220. if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
  221. goto opthelp;
  222. break;
  223. case OPT_OUTFORM:
  224. if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
  225. goto opthelp;
  226. break;
  227. case OPT_ENGINE:
  228. (void)setup_engine(opt_arg(), 0);
  229. break;
  230. case OPT_KEYGEN_ENGINE:
  231. #ifndef OPENSSL_NO_ENGINE
  232. gen_eng = ENGINE_by_id(opt_arg());
  233. if (gen_eng == NULL) {
  234. BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
  235. goto opthelp;
  236. }
  237. #endif
  238. break;
  239. case OPT_KEY:
  240. keyfile = opt_arg();
  241. break;
  242. case OPT_PUBKEY:
  243. pubkey = 1;
  244. break;
  245. case OPT_NEW:
  246. newreq = 1;
  247. break;
  248. case OPT_CONFIG:
  249. template = opt_arg();
  250. break;
  251. case OPT_KEYFORM:
  252. if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
  253. goto opthelp;
  254. break;
  255. case OPT_IN:
  256. infile = opt_arg();
  257. break;
  258. case OPT_OUT:
  259. outfile = opt_arg();
  260. break;
  261. case OPT_KEYOUT:
  262. keyout = opt_arg();
  263. break;
  264. case OPT_PASSIN:
  265. passargin = opt_arg();
  266. break;
  267. case OPT_PASSOUT:
  268. passargout = opt_arg();
  269. break;
  270. case OPT_RAND:
  271. inrand = opt_arg();
  272. break;
  273. case OPT_NEWKEY:
  274. keyalg = opt_arg();
  275. newreq = 1;
  276. break;
  277. case OPT_PKEYOPT:
  278. if (!pkeyopts)
  279. pkeyopts = sk_OPENSSL_STRING_new_null();
  280. if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
  281. goto opthelp;
  282. break;
  283. case OPT_SIGOPT:
  284. if (!sigopts)
  285. sigopts = sk_OPENSSL_STRING_new_null();
  286. if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
  287. goto opthelp;
  288. break;
  289. case OPT_BATCH:
  290. batch = 1;
  291. break;
  292. case OPT_NEWHDR:
  293. newhdr = 1;
  294. break;
  295. case OPT_MODULUS:
  296. modulus = 1;
  297. break;
  298. case OPT_VERIFY:
  299. verify = 1;
  300. break;
  301. case OPT_NODES:
  302. nodes = 1;
  303. break;
  304. case OPT_NOOUT:
  305. noout = 1;
  306. break;
  307. case OPT_VERBOSE:
  308. verbose = 1;
  309. break;
  310. case OPT_UTF8:
  311. chtype = MBSTRING_UTF8;
  312. break;
  313. case OPT_NAMEOPT:
  314. nmflag_set = 1;
  315. if (!set_name_ex(&nmflag, opt_arg()))
  316. goto opthelp;
  317. break;
  318. case OPT_REQOPT:
  319. if (!set_cert_ex(&reqflag, opt_arg()))
  320. goto opthelp;
  321. break;
  322. case OPT_TEXT:
  323. text = 1;
  324. break;
  325. case OPT_X509:
  326. x509 = 1;
  327. break;
  328. case OPT_DAYS:
  329. days = atoi(opt_arg());
  330. break;
  331. case OPT_SET_SERIAL:
  332. serial = s2i_ASN1_INTEGER(NULL, opt_arg());
  333. if (serial == NULL)
  334. goto opthelp;
  335. break;
  336. case OPT_SUBJECT:
  337. subject = 1;
  338. break;
  339. case OPT_SUBJ:
  340. subj = opt_arg();
  341. break;
  342. case OPT_MULTIVALUE_RDN:
  343. multirdn = 1;
  344. break;
  345. case OPT_EXTENSIONS:
  346. extensions = opt_arg();
  347. break;
  348. case OPT_REQEXTS:
  349. req_exts = opt_arg();
  350. break;
  351. case OPT_MD:
  352. if (!opt_md(opt_unknown(), &md_alg))
  353. goto opthelp;
  354. digest = md_alg;
  355. break;
  356. }
  357. }
  358. argc = opt_num_rest();
  359. argv = opt_rest();
  360. if (!nmflag_set)
  361. nmflag = XN_FLAG_ONELINE;
  362. private = newreq && (pkey == NULL) ? 1 : 0;
  363. if (!app_passwd(passargin, passargout, &passin, &passout)) {
  364. BIO_printf(bio_err, "Error getting passwords\n");
  365. goto end;
  366. }
  367. if (verbose)
  368. BIO_printf(bio_err, "Using configuration from %s\n", template);
  369. req_conf = app_load_config(template);
  370. if (!app_load_modules(req_conf))
  371. goto end;
  372. if (req_conf != NULL) {
  373. p = NCONF_get_string(req_conf, NULL, "oid_file");
  374. if (p == NULL)
  375. ERR_clear_error();
  376. if (p != NULL) {
  377. BIO *oid_bio;
  378. oid_bio = BIO_new_file(p, "r");
  379. if (oid_bio == NULL) {
  380. /*-
  381. BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
  382. ERR_print_errors(bio_err);
  383. */
  384. } else {
  385. OBJ_create_objects(oid_bio);
  386. BIO_free(oid_bio);
  387. }
  388. }
  389. }
  390. if (!add_oid_section(req_conf))
  391. goto end;
  392. if (md_alg == NULL) {
  393. p = NCONF_get_string(req_conf, SECTION, "default_md");
  394. if (p == NULL)
  395. ERR_clear_error();
  396. else {
  397. if (!opt_md(p, &md_alg))
  398. goto opthelp;
  399. digest = md_alg;
  400. }
  401. }
  402. if (!extensions) {
  403. extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
  404. if (!extensions)
  405. ERR_clear_error();
  406. }
  407. if (extensions) {
  408. /* Check syntax of file */
  409. X509V3_CTX ctx;
  410. X509V3_set_ctx_test(&ctx);
  411. X509V3_set_nconf(&ctx, req_conf);
  412. if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
  413. BIO_printf(bio_err,
  414. "Error Loading extension section %s\n", extensions);
  415. goto end;
  416. }
  417. }
  418. if (!passin) {
  419. passin = NCONF_get_string(req_conf, SECTION, "input_password");
  420. if (!passin)
  421. ERR_clear_error();
  422. }
  423. if (!passout) {
  424. passout = NCONF_get_string(req_conf, SECTION, "output_password");
  425. if (!passout)
  426. ERR_clear_error();
  427. }
  428. p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
  429. if (!p)
  430. ERR_clear_error();
  431. if (p && !ASN1_STRING_set_default_mask_asc(p)) {
  432. BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
  433. goto end;
  434. }
  435. if (chtype != MBSTRING_UTF8) {
  436. p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
  437. if (!p)
  438. ERR_clear_error();
  439. else if (strcmp(p, "yes") == 0)
  440. chtype = MBSTRING_UTF8;
  441. }
  442. if (!req_exts) {
  443. req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
  444. if (!req_exts)
  445. ERR_clear_error();
  446. }
  447. if (req_exts) {
  448. /* Check syntax of file */
  449. X509V3_CTX ctx;
  450. X509V3_set_ctx_test(&ctx);
  451. X509V3_set_nconf(&ctx, req_conf);
  452. if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
  453. BIO_printf(bio_err,
  454. "Error Loading request extension section %s\n",
  455. req_exts);
  456. goto end;
  457. }
  458. }
  459. if (keyfile != NULL) {
  460. pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
  461. if (!pkey) {
  462. /* load_key() has already printed an appropriate message */
  463. goto end;
  464. } else {
  465. char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
  466. if (randfile == NULL)
  467. ERR_clear_error();
  468. app_RAND_load_file(randfile, 0);
  469. }
  470. }
  471. if (newreq && (pkey == NULL)) {
  472. char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
  473. if (randfile == NULL)
  474. ERR_clear_error();
  475. app_RAND_load_file(randfile, 0);
  476. if (inrand)
  477. app_RAND_load_files(inrand);
  478. if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
  479. newkey = DEFAULT_KEY_LENGTH;
  480. }
  481. if (keyalg) {
  482. genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
  483. &keyalgstr, gen_eng);
  484. if (!genctx)
  485. goto end;
  486. }
  487. if (newkey < MIN_KEY_LENGTH
  488. && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
  489. BIO_printf(bio_err, "private key length is too short,\n");
  490. BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
  491. MIN_KEY_LENGTH, newkey);
  492. goto end;
  493. }
  494. if (!genctx) {
  495. genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
  496. &keyalgstr, gen_eng);
  497. if (!genctx)
  498. goto end;
  499. }
  500. if (pkeyopts) {
  501. char *genopt;
  502. for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
  503. genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
  504. if (pkey_ctrl_string(genctx, genopt) <= 0) {
  505. BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
  506. ERR_print_errors(bio_err);
  507. goto end;
  508. }
  509. }
  510. }
  511. BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
  512. newkey, keyalgstr);
  513. EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
  514. EVP_PKEY_CTX_set_app_data(genctx, bio_err);
  515. if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
  516. BIO_puts(bio_err, "Error Generating Key\n");
  517. goto end;
  518. }
  519. EVP_PKEY_CTX_free(genctx);
  520. genctx = NULL;
  521. app_RAND_write_file(randfile);
  522. if (keyout == NULL) {
  523. keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
  524. if (keyout == NULL)
  525. ERR_clear_error();
  526. }
  527. if (keyout == NULL)
  528. BIO_printf(bio_err, "writing new private key to stdout\n");
  529. else
  530. BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
  531. out = bio_open_owner(keyout, outformat, private);
  532. if (out == NULL)
  533. goto end;
  534. p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
  535. if (p == NULL) {
  536. ERR_clear_error();
  537. p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
  538. if (p == NULL)
  539. ERR_clear_error();
  540. }
  541. if ((p != NULL) && (strcmp(p, "no") == 0))
  542. cipher = NULL;
  543. if (nodes)
  544. cipher = NULL;
  545. i = 0;
  546. loop:
  547. assert(private);
  548. if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
  549. NULL, 0, NULL, passout)) {
  550. if ((ERR_GET_REASON(ERR_peek_error()) ==
  551. PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
  552. ERR_clear_error();
  553. i++;
  554. goto loop;
  555. }
  556. goto end;
  557. }
  558. BIO_free(out);
  559. out = NULL;
  560. BIO_printf(bio_err, "-----\n");
  561. }
  562. if (!newreq) {
  563. in = bio_open_default(infile, 'r', informat);
  564. if (in == NULL)
  565. goto end;
  566. if (informat == FORMAT_ASN1)
  567. req = d2i_X509_REQ_bio(in, NULL);
  568. else
  569. req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
  570. if (req == NULL) {
  571. BIO_printf(bio_err, "unable to load X509 request\n");
  572. goto end;
  573. }
  574. }
  575. if (newreq || x509) {
  576. if (pkey == NULL) {
  577. BIO_printf(bio_err, "you need to specify a private key\n");
  578. goto end;
  579. }
  580. if (req == NULL) {
  581. req = X509_REQ_new();
  582. if (req == NULL) {
  583. goto end;
  584. }
  585. i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
  586. subj = NULL; /* done processing '-subj' option */
  587. if (!i) {
  588. BIO_printf(bio_err, "problems making Certificate Request\n");
  589. goto end;
  590. }
  591. }
  592. if (x509) {
  593. EVP_PKEY *tmppkey;
  594. X509V3_CTX ext_ctx;
  595. if ((x509ss = X509_new()) == NULL)
  596. goto end;
  597. /* Set version to V3 */
  598. if (extensions && !X509_set_version(x509ss, 2))
  599. goto end;
  600. if (serial) {
  601. if (!X509_set_serialNumber(x509ss, serial))
  602. goto end;
  603. } else {
  604. if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
  605. goto end;
  606. }
  607. if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
  608. goto end;
  609. if (!X509_gmtime_adj(X509_get_notBefore(x509ss), 0))
  610. goto end;
  611. if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL))
  612. goto end;
  613. if (!X509_set_subject_name
  614. (x509ss, X509_REQ_get_subject_name(req)))
  615. goto end;
  616. tmppkey = X509_REQ_get_pubkey(req);
  617. if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
  618. goto end;
  619. EVP_PKEY_free(tmppkey);
  620. /* Set up V3 context struct */
  621. X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
  622. X509V3_set_nconf(&ext_ctx, req_conf);
  623. /* Add extensions */
  624. if (extensions && !X509V3_EXT_add_nconf(req_conf,
  625. &ext_ctx, extensions,
  626. x509ss)) {
  627. BIO_printf(bio_err, "Error Loading extension section %s\n",
  628. extensions);
  629. goto end;
  630. }
  631. i = do_X509_sign(x509ss, pkey, digest, sigopts);
  632. if (!i) {
  633. ERR_print_errors(bio_err);
  634. goto end;
  635. }
  636. } else {
  637. X509V3_CTX ext_ctx;
  638. /* Set up V3 context struct */
  639. X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
  640. X509V3_set_nconf(&ext_ctx, req_conf);
  641. /* Add extensions */
  642. if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
  643. &ext_ctx, req_exts,
  644. req)) {
  645. BIO_printf(bio_err, "Error Loading extension section %s\n",
  646. req_exts);
  647. goto end;
  648. }
  649. i = do_X509_REQ_sign(req, pkey, digest, sigopts);
  650. if (!i) {
  651. ERR_print_errors(bio_err);
  652. goto end;
  653. }
  654. }
  655. }
  656. if (subj && x509) {
  657. BIO_printf(bio_err, "Cannot modify certificate subject\n");
  658. goto end;
  659. }
  660. if (subj && !x509) {
  661. if (verbose) {
  662. BIO_printf(bio_err, "Modifying Request's Subject\n");
  663. print_name(bio_err, "old subject=",
  664. X509_REQ_get_subject_name(req), nmflag);
  665. }
  666. if (build_subject(req, subj, chtype, multirdn) == 0) {
  667. BIO_printf(bio_err, "ERROR: cannot modify subject\n");
  668. ret = 1;
  669. goto end;
  670. }
  671. if (verbose) {
  672. print_name(bio_err, "new subject=",
  673. X509_REQ_get_subject_name(req), nmflag);
  674. }
  675. }
  676. if (verify && !x509) {
  677. int tmp = 0;
  678. if (pkey == NULL) {
  679. pkey = X509_REQ_get_pubkey(req);
  680. tmp = 1;
  681. if (pkey == NULL)
  682. goto end;
  683. }
  684. i = X509_REQ_verify(req, pkey);
  685. if (tmp) {
  686. EVP_PKEY_free(pkey);
  687. pkey = NULL;
  688. }
  689. if (i < 0) {
  690. goto end;
  691. } else if (i == 0) {
  692. BIO_printf(bio_err, "verify failure\n");
  693. ERR_print_errors(bio_err);
  694. } else /* if (i > 0) */
  695. BIO_printf(bio_err, "verify OK\n");
  696. }
  697. if (noout && !text && !modulus && !subject && !pubkey) {
  698. ret = 0;
  699. goto end;
  700. }
  701. out = bio_open_default(outfile,
  702. keyout != NULL && outfile != NULL &&
  703. strcmp(keyout, outfile) == 0 ? 'a' : 'w',
  704. outformat);
  705. if (out == NULL)
  706. goto end;
  707. if (pubkey) {
  708. EVP_PKEY *tpubkey;
  709. tpubkey = X509_REQ_get_pubkey(req);
  710. if (tpubkey == NULL) {
  711. BIO_printf(bio_err, "Error getting public key\n");
  712. ERR_print_errors(bio_err);
  713. goto end;
  714. }
  715. PEM_write_bio_PUBKEY(out, tpubkey);
  716. EVP_PKEY_free(tpubkey);
  717. }
  718. if (text) {
  719. if (x509)
  720. X509_print_ex(out, x509ss, nmflag, reqflag);
  721. else
  722. X509_REQ_print_ex(out, req, nmflag, reqflag);
  723. }
  724. if (subject) {
  725. if (x509)
  726. print_name(out, "subject=", X509_get_subject_name(x509ss),
  727. nmflag);
  728. else
  729. print_name(out, "subject=", X509_REQ_get_subject_name(req),
  730. nmflag);
  731. }
  732. if (modulus) {
  733. EVP_PKEY *tpubkey;
  734. if (x509)
  735. tpubkey = X509_get_pubkey(x509ss);
  736. else
  737. tpubkey = X509_REQ_get_pubkey(req);
  738. if (tpubkey == NULL) {
  739. fprintf(stdout, "Modulus=unavailable\n");
  740. goto end;
  741. }
  742. fprintf(stdout, "Modulus=");
  743. #ifndef OPENSSL_NO_RSA
  744. if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
  745. BN_print(out, EVP_PKEY_get0_RSA(tpubkey)->n);
  746. else
  747. #endif
  748. fprintf(stdout, "Wrong Algorithm type");
  749. EVP_PKEY_free(tpubkey);
  750. fprintf(stdout, "\n");
  751. }
  752. if (!noout && !x509) {
  753. if (outformat == FORMAT_ASN1)
  754. i = i2d_X509_REQ_bio(out, req);
  755. else if (newhdr)
  756. i = PEM_write_bio_X509_REQ_NEW(out, req);
  757. else
  758. i = PEM_write_bio_X509_REQ(out, req);
  759. if (!i) {
  760. BIO_printf(bio_err, "unable to write X509 request\n");
  761. goto end;
  762. }
  763. }
  764. if (!noout && x509 && (x509ss != NULL)) {
  765. if (outformat == FORMAT_ASN1)
  766. i = i2d_X509_bio(out, x509ss);
  767. else
  768. i = PEM_write_bio_X509(out, x509ss);
  769. if (!i) {
  770. BIO_printf(bio_err, "unable to write X509 certificate\n");
  771. goto end;
  772. }
  773. }
  774. ret = 0;
  775. end:
  776. if (ret) {
  777. ERR_print_errors(bio_err);
  778. }
  779. NCONF_free(req_conf);
  780. BIO_free(in);
  781. BIO_free_all(out);
  782. EVP_PKEY_free(pkey);
  783. EVP_PKEY_CTX_free(genctx);
  784. sk_OPENSSL_STRING_free(pkeyopts);
  785. sk_OPENSSL_STRING_free(sigopts);
  786. #ifndef OPENSSL_NO_ENGINE
  787. ENGINE_free(gen_eng);
  788. #endif
  789. OPENSSL_free(keyalgstr);
  790. X509_REQ_free(req);
  791. X509_free(x509ss);
  792. ASN1_INTEGER_free(serial);
  793. OPENSSL_free(passin);
  794. OPENSSL_free(passout);
  795. OBJ_cleanup();
  796. return (ret);
  797. }
  798. static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
  799. int attribs, unsigned long chtype)
  800. {
  801. int ret = 0, i;
  802. char no_prompt = 0;
  803. STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
  804. char *tmp, *dn_sect, *attr_sect;
  805. tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
  806. if (tmp == NULL)
  807. ERR_clear_error();
  808. if ((tmp != NULL) && strcmp(tmp, "no") == 0)
  809. no_prompt = 1;
  810. dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
  811. if (dn_sect == NULL) {
  812. BIO_printf(bio_err, "unable to find '%s' in config\n",
  813. DISTINGUISHED_NAME);
  814. goto err;
  815. }
  816. dn_sk = NCONF_get_section(req_conf, dn_sect);
  817. if (dn_sk == NULL) {
  818. BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
  819. goto err;
  820. }
  821. attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
  822. if (attr_sect == NULL) {
  823. ERR_clear_error();
  824. attr_sk = NULL;
  825. } else {
  826. attr_sk = NCONF_get_section(req_conf, attr_sect);
  827. if (attr_sk == NULL) {
  828. BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
  829. goto err;
  830. }
  831. }
  832. /* setup version number */
  833. if (!X509_REQ_set_version(req, 0L))
  834. goto err; /* version 1 */
  835. if (subj)
  836. i = build_subject(req, subj, chtype, multirdn);
  837. else if (no_prompt)
  838. i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
  839. else
  840. i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
  841. chtype);
  842. if (!i)
  843. goto err;
  844. if (!X509_REQ_set_pubkey(req, pkey))
  845. goto err;
  846. ret = 1;
  847. err:
  848. return (ret);
  849. }
  850. /*
  851. * subject is expected to be in the format /type0=value0/type1=value1/type2=...
  852. * where characters may be escaped by \
  853. */
  854. static int build_subject(X509_REQ *req, char *subject, unsigned long chtype,
  855. int multirdn)
  856. {
  857. X509_NAME *n;
  858. if ((n = parse_name(subject, chtype, multirdn)) == NULL)
  859. return 0;
  860. if (!X509_REQ_set_subject_name(req, n)) {
  861. X509_NAME_free(n);
  862. return 0;
  863. }
  864. X509_NAME_free(n);
  865. return 1;
  866. }
  867. static int prompt_info(X509_REQ *req,
  868. STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
  869. STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect,
  870. int attribs, unsigned long chtype)
  871. {
  872. int i;
  873. char *p, *q;
  874. char buf[100];
  875. int nid, mval;
  876. long n_min, n_max;
  877. char *type, *value;
  878. const char *def;
  879. CONF_VALUE *v;
  880. X509_NAME *subj;
  881. subj = X509_REQ_get_subject_name(req);
  882. if (!batch) {
  883. BIO_printf(bio_err,
  884. "You are about to be asked to enter information that will be incorporated\n");
  885. BIO_printf(bio_err, "into your certificate request.\n");
  886. BIO_printf(bio_err,
  887. "What you are about to enter is what is called a Distinguished Name or a DN.\n");
  888. BIO_printf(bio_err,
  889. "There are quite a few fields but you can leave some blank\n");
  890. BIO_printf(bio_err,
  891. "For some fields there will be a default value,\n");
  892. BIO_printf(bio_err,
  893. "If you enter '.', the field will be left blank.\n");
  894. BIO_printf(bio_err, "-----\n");
  895. }
  896. if (sk_CONF_VALUE_num(dn_sk)) {
  897. i = -1;
  898. start:for (;;) {
  899. i++;
  900. if (sk_CONF_VALUE_num(dn_sk) <= i)
  901. break;
  902. v = sk_CONF_VALUE_value(dn_sk, i);
  903. p = q = NULL;
  904. type = v->name;
  905. if (!check_end(type, "_min") || !check_end(type, "_max") ||
  906. !check_end(type, "_default") || !check_end(type, "_value"))
  907. continue;
  908. /*
  909. * Skip past any leading X. X: X, etc to allow for multiple
  910. * instances
  911. */
  912. for (p = v->name; *p; p++)
  913. if ((*p == ':') || (*p == ',') || (*p == '.')) {
  914. p++;
  915. if (*p)
  916. type = p;
  917. break;
  918. }
  919. if (*type == '+') {
  920. mval = -1;
  921. type++;
  922. } else
  923. mval = 0;
  924. /* If OBJ not recognised ignore it */
  925. if ((nid = OBJ_txt2nid(type)) == NID_undef)
  926. goto start;
  927. if (BIO_snprintf(buf, sizeof buf, "%s_default", v->name)
  928. >= (int)sizeof(buf)) {
  929. BIO_printf(bio_err, "Name '%s' too long\n", v->name);
  930. return 0;
  931. }
  932. if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
  933. ERR_clear_error();
  934. def = "";
  935. }
  936. BIO_snprintf(buf, sizeof buf, "%s_value", v->name);
  937. if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
  938. ERR_clear_error();
  939. value = NULL;
  940. }
  941. BIO_snprintf(buf, sizeof buf, "%s_min", v->name);
  942. if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
  943. ERR_clear_error();
  944. n_min = -1;
  945. }
  946. BIO_snprintf(buf, sizeof buf, "%s_max", v->name);
  947. if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
  948. ERR_clear_error();
  949. n_max = -1;
  950. }
  951. if (!add_DN_object(subj, v->value, def, value, nid,
  952. n_min, n_max, chtype, mval))
  953. return 0;
  954. }
  955. if (X509_NAME_entry_count(subj) == 0) {
  956. BIO_printf(bio_err,
  957. "error, no objects specified in config file\n");
  958. return 0;
  959. }
  960. if (attribs) {
  961. if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
  962. && (!batch)) {
  963. BIO_printf(bio_err,
  964. "\nPlease enter the following 'extra' attributes\n");
  965. BIO_printf(bio_err,
  966. "to be sent with your certificate request\n");
  967. }
  968. i = -1;
  969. start2: for (;;) {
  970. i++;
  971. if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
  972. break;
  973. v = sk_CONF_VALUE_value(attr_sk, i);
  974. type = v->name;
  975. if ((nid = OBJ_txt2nid(type)) == NID_undef)
  976. goto start2;
  977. if (BIO_snprintf(buf, sizeof buf, "%s_default", type)
  978. >= (int)sizeof(buf)) {
  979. BIO_printf(bio_err, "Name '%s' too long\n", v->name);
  980. return 0;
  981. }
  982. if ((def = NCONF_get_string(req_conf, attr_sect, buf))
  983. == NULL) {
  984. ERR_clear_error();
  985. def = "";
  986. }
  987. BIO_snprintf(buf, sizeof buf, "%s_value", type);
  988. if ((value = NCONF_get_string(req_conf, attr_sect, buf))
  989. == NULL) {
  990. ERR_clear_error();
  991. value = NULL;
  992. }
  993. BIO_snprintf(buf, sizeof buf, "%s_min", type);
  994. if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
  995. ERR_clear_error();
  996. n_min = -1;
  997. }
  998. BIO_snprintf(buf, sizeof buf, "%s_max", type);
  999. if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
  1000. ERR_clear_error();
  1001. n_max = -1;
  1002. }
  1003. if (!add_attribute_object(req,
  1004. v->value, def, value, nid, n_min,
  1005. n_max, chtype))
  1006. return 0;
  1007. }
  1008. }
  1009. } else {
  1010. BIO_printf(bio_err, "No template, please set one up.\n");
  1011. return 0;
  1012. }
  1013. return 1;
  1014. }
  1015. static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
  1016. STACK_OF(CONF_VALUE) *attr_sk, int attribs,
  1017. unsigned long chtype)
  1018. {
  1019. int i;
  1020. char *p, *q;
  1021. char *type;
  1022. CONF_VALUE *v;
  1023. X509_NAME *subj;
  1024. subj = X509_REQ_get_subject_name(req);
  1025. for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
  1026. int mval;
  1027. v = sk_CONF_VALUE_value(dn_sk, i);
  1028. p = q = NULL;
  1029. type = v->name;
  1030. /*
  1031. * Skip past any leading X. X: X, etc to allow for multiple instances
  1032. */
  1033. for (p = v->name; *p; p++)
  1034. #ifndef CHARSET_EBCDIC
  1035. if ((*p == ':') || (*p == ',') || (*p == '.')) {
  1036. #else
  1037. if ((*p == os_toascii[':']) || (*p == os_toascii[','])
  1038. || (*p == os_toascii['.'])) {
  1039. #endif
  1040. p++;
  1041. if (*p)
  1042. type = p;
  1043. break;
  1044. }
  1045. #ifndef CHARSET_EBCDIC
  1046. if (*p == '+')
  1047. #else
  1048. if (*p == os_toascii['+'])
  1049. #endif
  1050. {
  1051. p++;
  1052. mval = -1;
  1053. } else
  1054. mval = 0;
  1055. if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
  1056. (unsigned char *)v->value, -1, -1,
  1057. mval))
  1058. return 0;
  1059. }
  1060. if (!X509_NAME_entry_count(subj)) {
  1061. BIO_printf(bio_err, "error, no objects specified in config file\n");
  1062. return 0;
  1063. }
  1064. if (attribs) {
  1065. for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
  1066. v = sk_CONF_VALUE_value(attr_sk, i);
  1067. if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
  1068. (unsigned char *)v->value, -1))
  1069. return 0;
  1070. }
  1071. }
  1072. return 1;
  1073. }
  1074. static int add_DN_object(X509_NAME *n, char *text, const char *def,
  1075. char *value, int nid, int n_min, int n_max,
  1076. unsigned long chtype, int mval)
  1077. {
  1078. int i, ret = 0;
  1079. char buf[1024];
  1080. start:
  1081. if (!batch)
  1082. BIO_printf(bio_err, "%s [%s]:", text, def);
  1083. (void)BIO_flush(bio_err);
  1084. if (value != NULL) {
  1085. OPENSSL_strlcpy(buf, value, sizeof buf);
  1086. OPENSSL_strlcat(buf, "\n", sizeof buf);
  1087. BIO_printf(bio_err, "%s\n", value);
  1088. } else {
  1089. buf[0] = '\0';
  1090. if (!batch) {
  1091. if (!fgets(buf, sizeof buf, stdin))
  1092. return 0;
  1093. } else {
  1094. buf[0] = '\n';
  1095. buf[1] = '\0';
  1096. }
  1097. }
  1098. if (buf[0] == '\0')
  1099. return (0);
  1100. else if (buf[0] == '\n') {
  1101. if ((def == NULL) || (def[0] == '\0'))
  1102. return (1);
  1103. OPENSSL_strlcpy(buf, def, sizeof buf);
  1104. OPENSSL_strlcat(buf, "\n", sizeof buf);
  1105. } else if ((buf[0] == '.') && (buf[1] == '\n'))
  1106. return (1);
  1107. i = strlen(buf);
  1108. if (buf[i - 1] != '\n') {
  1109. BIO_printf(bio_err, "weird input :-(\n");
  1110. return (0);
  1111. }
  1112. buf[--i] = '\0';
  1113. #ifdef CHARSET_EBCDIC
  1114. ebcdic2ascii(buf, buf, i);
  1115. #endif
  1116. if (!req_check_len(i, n_min, n_max)) {
  1117. if (batch || value)
  1118. return 0;
  1119. goto start;
  1120. }
  1121. if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
  1122. (unsigned char *)buf, -1, -1, mval))
  1123. goto err;
  1124. ret = 1;
  1125. err:
  1126. return (ret);
  1127. }
  1128. static int add_attribute_object(X509_REQ *req, char *text, const char *def,
  1129. char *value, int nid, int n_min,
  1130. int n_max, unsigned long chtype)
  1131. {
  1132. int i;
  1133. static char buf[1024];
  1134. start:
  1135. if (!batch)
  1136. BIO_printf(bio_err, "%s [%s]:", text, def);
  1137. (void)BIO_flush(bio_err);
  1138. if (value != NULL) {
  1139. OPENSSL_strlcpy(buf, value, sizeof buf);
  1140. OPENSSL_strlcat(buf, "\n", sizeof buf);
  1141. BIO_printf(bio_err, "%s\n", value);
  1142. } else {
  1143. buf[0] = '\0';
  1144. if (!batch) {
  1145. if (!fgets(buf, sizeof buf, stdin))
  1146. return 0;
  1147. } else {
  1148. buf[0] = '\n';
  1149. buf[1] = '\0';
  1150. }
  1151. }
  1152. if (buf[0] == '\0')
  1153. return (0);
  1154. else if (buf[0] == '\n') {
  1155. if ((def == NULL) || (def[0] == '\0'))
  1156. return (1);
  1157. OPENSSL_strlcpy(buf, def, sizeof buf);
  1158. OPENSSL_strlcat(buf, "\n", sizeof buf);
  1159. } else if ((buf[0] == '.') && (buf[1] == '\n'))
  1160. return (1);
  1161. i = strlen(buf);
  1162. if (buf[i - 1] != '\n') {
  1163. BIO_printf(bio_err, "weird input :-(\n");
  1164. return (0);
  1165. }
  1166. buf[--i] = '\0';
  1167. #ifdef CHARSET_EBCDIC
  1168. ebcdic2ascii(buf, buf, i);
  1169. #endif
  1170. if (!req_check_len(i, n_min, n_max)) {
  1171. if (batch || value)
  1172. return 0;
  1173. goto start;
  1174. }
  1175. if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
  1176. (unsigned char *)buf, -1)) {
  1177. BIO_printf(bio_err, "Error adding attribute\n");
  1178. ERR_print_errors(bio_err);
  1179. goto err;
  1180. }
  1181. return (1);
  1182. err:
  1183. return (0);
  1184. }
  1185. static int req_check_len(int len, int n_min, int n_max)
  1186. {
  1187. if ((n_min > 0) && (len < n_min)) {
  1188. BIO_printf(bio_err,
  1189. "string is too short, it needs to be at least %d bytes long\n",
  1190. n_min);
  1191. return (0);
  1192. }
  1193. if ((n_max >= 0) && (len > n_max)) {
  1194. BIO_printf(bio_err,
  1195. "string is too long, it needs to be less than %d bytes long\n",
  1196. n_max);
  1197. return (0);
  1198. }
  1199. return (1);
  1200. }
  1201. /* Check if the end of a string matches 'end' */
  1202. static int check_end(const char *str, const char *end)
  1203. {
  1204. int elen, slen;
  1205. const char *tmp;
  1206. elen = strlen(end);
  1207. slen = strlen(str);
  1208. if (elen > slen)
  1209. return 1;
  1210. tmp = str + slen - elen;
  1211. return strcmp(tmp, end);
  1212. }
  1213. static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
  1214. int *pkey_type, long *pkeylen,
  1215. char **palgnam, ENGINE *keygen_engine)
  1216. {
  1217. EVP_PKEY_CTX *gctx = NULL;
  1218. EVP_PKEY *param = NULL;
  1219. long keylen = -1;
  1220. BIO *pbio = NULL;
  1221. const char *paramfile = NULL;
  1222. if (gstr == NULL) {
  1223. *pkey_type = EVP_PKEY_RSA;
  1224. keylen = *pkeylen;
  1225. } else if (gstr[0] >= '0' && gstr[0] <= '9') {
  1226. *pkey_type = EVP_PKEY_RSA;
  1227. keylen = atol(gstr);
  1228. *pkeylen = keylen;
  1229. } else if (strncmp(gstr, "param:", 6) == 0)
  1230. paramfile = gstr + 6;
  1231. else {
  1232. const char *p = strchr(gstr, ':');
  1233. int len;
  1234. ENGINE *tmpeng;
  1235. const EVP_PKEY_ASN1_METHOD *ameth;
  1236. if (p)
  1237. len = p - gstr;
  1238. else
  1239. len = strlen(gstr);
  1240. /*
  1241. * The lookup of a the string will cover all engines so keep a note
  1242. * of the implementation.
  1243. */
  1244. ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
  1245. if (!ameth) {
  1246. BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
  1247. return NULL;
  1248. }
  1249. EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
  1250. #ifndef OPENSSL_NO_ENGINE
  1251. if (tmpeng)
  1252. ENGINE_finish(tmpeng);
  1253. #endif
  1254. if (*pkey_type == EVP_PKEY_RSA) {
  1255. if (p) {
  1256. keylen = atol(p + 1);
  1257. *pkeylen = keylen;
  1258. } else
  1259. keylen = *pkeylen;
  1260. } else if (p)
  1261. paramfile = p + 1;
  1262. }
  1263. if (paramfile) {
  1264. pbio = BIO_new_file(paramfile, "r");
  1265. if (!pbio) {
  1266. BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
  1267. return NULL;
  1268. }
  1269. param = PEM_read_bio_Parameters(pbio, NULL);
  1270. if (!param) {
  1271. X509 *x;
  1272. (void)BIO_reset(pbio);
  1273. x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
  1274. if (x) {
  1275. param = X509_get_pubkey(x);
  1276. X509_free(x);
  1277. }
  1278. }
  1279. BIO_free(pbio);
  1280. if (!param) {
  1281. BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
  1282. return NULL;
  1283. }
  1284. if (*pkey_type == -1)
  1285. *pkey_type = EVP_PKEY_id(param);
  1286. else if (*pkey_type != EVP_PKEY_base_id(param)) {
  1287. BIO_printf(bio_err, "Key Type does not match parameters\n");
  1288. EVP_PKEY_free(param);
  1289. return NULL;
  1290. }
  1291. }
  1292. if (palgnam) {
  1293. const EVP_PKEY_ASN1_METHOD *ameth;
  1294. ENGINE *tmpeng;
  1295. const char *anam;
  1296. ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
  1297. if (!ameth) {
  1298. BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
  1299. return NULL;
  1300. }
  1301. EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
  1302. *palgnam = OPENSSL_strdup(anam);
  1303. #ifndef OPENSSL_NO_ENGINE
  1304. if (tmpeng)
  1305. ENGINE_finish(tmpeng);
  1306. #endif
  1307. }
  1308. if (param) {
  1309. gctx = EVP_PKEY_CTX_new(param, keygen_engine);
  1310. *pkeylen = EVP_PKEY_bits(param);
  1311. EVP_PKEY_free(param);
  1312. } else
  1313. gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
  1314. if (gctx == NULL) {
  1315. BIO_puts(bio_err, "Error allocating keygen context\n");
  1316. ERR_print_errors(bio_err);
  1317. return NULL;
  1318. }
  1319. if (EVP_PKEY_keygen_init(gctx) <= 0) {
  1320. BIO_puts(bio_err, "Error initializing keygen context\n");
  1321. ERR_print_errors(bio_err);
  1322. return NULL;
  1323. }
  1324. #ifndef OPENSSL_NO_RSA
  1325. if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
  1326. if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
  1327. BIO_puts(bio_err, "Error setting RSA keysize\n");
  1328. ERR_print_errors(bio_err);
  1329. EVP_PKEY_CTX_free(gctx);
  1330. return NULL;
  1331. }
  1332. }
  1333. #endif
  1334. return gctx;
  1335. }
  1336. static int genpkey_cb(EVP_PKEY_CTX *ctx)
  1337. {
  1338. char c = '*';
  1339. BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
  1340. int p;
  1341. p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
  1342. if (p == 0)
  1343. c = '.';
  1344. if (p == 1)
  1345. c = '+';
  1346. if (p == 2)
  1347. c = '*';
  1348. if (p == 3)
  1349. c = '\n';
  1350. BIO_write(b, &c, 1);
  1351. (void)BIO_flush(b);
  1352. return 1;
  1353. }
  1354. static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
  1355. const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
  1356. {
  1357. EVP_PKEY_CTX *pkctx = NULL;
  1358. int i;
  1359. if (ctx == NULL)
  1360. return 0;
  1361. if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
  1362. return 0;
  1363. for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
  1364. char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
  1365. if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
  1366. BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
  1367. ERR_print_errors(bio_err);
  1368. return 0;
  1369. }
  1370. }
  1371. return 1;
  1372. }
  1373. int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
  1374. STACK_OF(OPENSSL_STRING) *sigopts)
  1375. {
  1376. int rv;
  1377. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  1378. rv = do_sign_init(mctx, pkey, md, sigopts);
  1379. /* Note: X509_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
  1380. * the EVP_MD_CTX we send it, so only destroy it here if the former
  1381. * isn't called */
  1382. if (rv > 0)
  1383. rv = X509_sign_ctx(x, mctx);
  1384. else
  1385. EVP_MD_CTX_free(mctx);
  1386. return rv > 0 ? 1 : 0;
  1387. }
  1388. int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
  1389. STACK_OF(OPENSSL_STRING) *sigopts)
  1390. {
  1391. int rv;
  1392. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  1393. rv = do_sign_init(mctx, pkey, md, sigopts);
  1394. /* Note: X509_REQ_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
  1395. * the EVP_MD_CTX we send it, so only destroy it here if the former
  1396. * isn't called */
  1397. if (rv > 0)
  1398. rv = X509_REQ_sign_ctx(x, mctx);
  1399. else
  1400. EVP_MD_CTX_free(mctx);
  1401. return rv > 0 ? 1 : 0;
  1402. }
  1403. int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
  1404. STACK_OF(OPENSSL_STRING) *sigopts)
  1405. {
  1406. int rv;
  1407. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  1408. rv = do_sign_init(mctx, pkey, md, sigopts);
  1409. /* Note: X509_CRL_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
  1410. * the EVP_MD_CTX we send it, so only destroy it here if the former
  1411. * isn't called */
  1412. if (rv > 0)
  1413. rv = X509_CRL_sign_ctx(x, mctx);
  1414. else
  1415. EVP_MD_CTX_free(mctx);
  1416. return rv > 0 ? 1 : 0;
  1417. }