1 | #include <machine/rtems-bsd-user-space.h> |
---|
2 | |
---|
3 | /* |
---|
4 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
---|
5 | * |
---|
6 | * Licensed under the OpenSSL license (the "License"). You may not use |
---|
7 | * this file except in compliance with the License. You can obtain a copy |
---|
8 | * in the file LICENSE in the source distribution or at |
---|
9 | * https://www.openssl.org/source/license.html |
---|
10 | */ |
---|
11 | |
---|
12 | #include <stdio.h> |
---|
13 | #include <stdlib.h> |
---|
14 | #include <time.h> |
---|
15 | #include <string.h> |
---|
16 | #include <ctype.h> |
---|
17 | #include "apps.h" |
---|
18 | #include "progs.h" |
---|
19 | #include <openssl/bio.h> |
---|
20 | #include <openssl/evp.h> |
---|
21 | #include <openssl/conf.h> |
---|
22 | #include <openssl/err.h> |
---|
23 | #include <openssl/asn1.h> |
---|
24 | #include <openssl/x509.h> |
---|
25 | #include <openssl/x509v3.h> |
---|
26 | #include <openssl/objects.h> |
---|
27 | #include <openssl/pem.h> |
---|
28 | #include <openssl/bn.h> |
---|
29 | #include <openssl/lhash.h> |
---|
30 | #ifndef OPENSSL_NO_RSA |
---|
31 | # include <openssl/rsa.h> |
---|
32 | #endif |
---|
33 | #ifndef OPENSSL_NO_DSA |
---|
34 | # include <openssl/dsa.h> |
---|
35 | #endif |
---|
36 | |
---|
/* Config section of the request template and the keys read from it. */
#define SECTION "req"

#define BITS "default_bits"
#define KEYFILE "default_keyfile"
#define PROMPT "prompt"
#define DISTINGUISHED_NAME "distinguished_name"
#define ATTRIBUTES "attributes"
#define V3_EXTENSIONS "x509_extensions"
#define REQ_EXTENSIONS "req_extensions"
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"

/* Key size used by req_main() when neither -newkey nor default_bits gives one. */
#define DEFAULT_KEY_LENGTH 2048
/*
 * Hard floor enforced by req_main() for RSA/DSA key generation.  512 bits is
 * only a sanity bound kept for compatibility: keys that small are trivially
 * factorable and far below any current policy, so passing this check must not
 * be read as the key being an acceptable size.
 */
#define MIN_KEY_LENGTH 512

/* Request-building helpers; all are defined later in this file. */
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
                    int attribs, unsigned long chtype);
static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
                         int multirdn);
static int prompt_info(X509_REQ *req,
                       STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
                       STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
                       int attribs, unsigned long chtype);
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
                     STACK_OF(CONF_VALUE) *attr, int attribs,
                     unsigned long chtype);
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
                                char *value, int nid, int n_min, int n_max,
                                unsigned long chtype);
static int add_DN_object(X509_NAME *n, char *text, const char *def,
                         char *value, int nid, int n_min, int n_max,
                         unsigned long chtype, int mval);
static int genpkey_cb(EVP_PKEY_CTX *ctx);
static int build_data(char *text, const char *def,
                      char *value, int n_min, int n_max,
                      char *buf, const int buf_size,
                      const char *desc1, const char *desc2
                      );
static int req_check_len(int len, int n_min, int n_max);
static int check_end(const char *str, const char *end);
static int join(char buf[], size_t buf_size, const char *name,
                const char *tail, const char *desc);
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
                                    int *pkey_type, long *pkeylen,
                                    char **palgnam, ENGINE *keygen_engine);
/* Config loaded from the -config template (or the default config file). */
static CONF *req_conf = NULL;
/* Config synthesised from the -addext key=value lines, NULL if none given. */
static CONF *addext_conf = NULL;
/* Set by -batch; presumably consulted by the prompting helpers below. */
static int batch = 0;
---|
85 | |
---|
/*
 * Identifiers returned by opt_next() for each entry of req_options[].
 * OPT_ERR and OPT_EOF are the parser's sentinels; OPT_R_ENUM expands to the
 * ids matched by OPT_R_CASES in req_main() (presumably supplied by apps.h).
 */
typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
    OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
    OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
    OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
    OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
    OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
    OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
    OPT_REQEXTS, OPT_PRECERT, OPT_MD,
    OPT_R_ENUM
} OPTION_CHOICE;
---|
98 | |
---|
/*
 * Option table for "openssl req".  It is handed to opt_init() in req_main()
 * and printed as-is by opt_help() for -help.  The third field is the
 * argument-type code interpreted by the apps option parser (not in this
 * file); the fourth is the help text shown to the user.
 */
const OPTIONS req_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"key", OPT_KEY, 's', "Private key to use"},
    {"keyform", OPT_KEYFORM, 'f', "Key file format"},
    {"pubkey", OPT_PUBKEY, '-', "Output public key"},
    {"new", OPT_NEW, '-', "New request"},
    {"config", OPT_CONFIG, '<', "Request template file"},
    {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
    /*
     * Pass phrase sources.  When omitted, req_main() falls back to the
     * input_password / output_password values of the [req] config section,
     * so a pass phrase may end up living in a config file on disk.
     */
    {"passin", OPT_PASSIN, 's', "Private key password source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    /* Shared random-source entries (OPT_R_*), presumably from apps.h. */
    OPT_R_OPTIONS,
    {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
    {"batch", OPT_BATCH, '-',
     "Do not ask anything during request generation"},
    {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
    {"modulus", OPT_MODULUS, '-', "RSA modulus"},
    {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
    /*
     * Security: -nodes makes req_main() drop the PEM cipher, so a freshly
     * generated private key is written unencrypted.
     */
    {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
    {"noout", OPT_NOOUT, '-', "Do not output REQ"},
    {"verbose", OPT_VERBOSE, '-', "Verbose output"},
    {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
    {"reqopt", OPT_REQOPT, 's', "Various request text options"},
    {"text", OPT_TEXT, '-', "Text form of request"},
    /* Self-signed certificate instead of a CSR; validity defaults to 30 days. */
    {"x509", OPT_X509, '-',
     "Output a x509 structure instead of a cert request"},
    /* Continuation line of the -x509 help text. */
    {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
    {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
    {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
    {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
     "Enable support for multivalued RDNs"},
    /* Only honoured together with -x509; req_main() warns and ignores it otherwise. */
    {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
    /* Parsed with s2i_ASN1_INTEGER(); giving it twice is an error.  Without it a random serial is used. */
    {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
    /* Each value must be "name=value"; duplicate names are rejected by duplicated(). */
    {"addext", OPT_ADDEXT, 's',
     "Additional cert extension key=value pair (may be given more than once)"},
    {"extensions", OPT_EXTENSIONS, 's',
     "Cert extension section (override value in config file)"},
    {"reqexts", OPT_REQEXTS, 's',
     "Request extension section (override value in config file)"},
    /* Adds the CT precertificate poison extension (NID_ct_precert_poison). */
    {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
    /* Catch-all: any unrecognised "-name" is tried as a digest name via opt_md(). */
    {"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
     "Specify engine to be used for key generation operations"},
#endif
    {NULL}
};
---|
153 | |
---|
154 | |
---|
155 | /* |
---|
156 | * An LHASH of strings, where each string is an extension name. |
---|
157 | */ |
---|
/*
 * LHASH hash callback for the -addext name set.  The table stores each
 * extension name as a bare C string that duplicated() casts to
 * OPENSSL_STRING*, so |a| is reinterpreted as the string itself rather than
 * as a pointer to one.
 */
static unsigned long ext_name_hash(const OPENSSL_STRING *a)
{
    const char *name = (const char *)a;

    return OPENSSL_LH_strhash(name);
}
---|
162 | |
---|
/*
 * LHASH compare callback for the -addext name set.  Both arguments are bare
 * C strings smuggled through OPENSSL_STRING* (see ext_name_hash()); the
 * result follows strcmp(): 0 when the names are identical.
 */
static int ext_name_cmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b)
{
    const char *lhs = (const char *)a;
    const char *rhs = (const char *)b;

    return strcmp(lhs, rhs);
}
---|
167 | |
---|
/*
 * LHASH element destructor for the -addext name set: releases one stored
 * name, which was allocated with OPENSSL_strdup() in duplicated().
 */
static void exts_cleanup(OPENSSL_STRING *x)
{
    char *name = (char *)x;

    OPENSSL_free(name);
}
---|
172 | |
---|
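/*
 * Has the key of the |kv| ("name=value") -addext argument been seen before?
 * The key, with surrounding whitespace stripped, is recorded in |addexts|
 * as a side effect so later calls can detect repeats.
 *
 * Returns 0 if the key is new, 1 if it was already present or |kv| is
 * syntactically invalid (no '=', or an empty key), and -1 on a runtime
 * error (allocation or hash-table failure).
 *
 * Fixes: (1) the ctype calls now take an unsigned char, so a high-bit byte
 * in a command-line argument no longer invokes undefined behaviour on
 * platforms where char is signed; (2) a repeated key returns 1 as the
 * contract (and req_main()'s "i == 1 -> usage error" check) expects,
 * instead of being reported as a runtime error.
 */
static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
{
    char *p;
    size_t off;

    /* Check syntax. */
    /* Skip leading whitespace; an argument that is all blank is an error. */
    while (*kv && isspace((unsigned char)*kv))
        if (*++kv == '\0')
            return 1;
    if ((p = strchr(kv, '=')) == NULL)
        return 1;
    off = p - kv;
    /* Work on a private copy: it becomes the string stored in the table. */
    if ((kv = OPENSSL_strdup(kv)) == NULL)
        return -1;

    /* Trim whitespace between the key and the '='; an empty key is an error. */
    for (p = kv + off; p > kv; --p)
        if (!isspace((unsigned char)p[-1]))
            break;
    if (p == kv) {
        OPENSSL_free(kv);
        return 1;
    }
    *p = '\0';

    /*
     * Finally have a clean "key"; see if it's there by attempting to add it.
     * lh_*_insert() returns the previous entry for an equal key (which it
     * has just replaced with |kv|), NULL otherwise; NULL is also returned
     * on failure, which is distinguished via lh_*_error().
     */
    p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING *)kv);
    if (p != NULL) {
        /* Duplicate: |kv| is now in the table, the old copy is ours to free. */
        OPENSSL_free(p);
        return 1;
    }
    if (lh_OPENSSL_STRING_error(addexts)) {
        OPENSSL_free(kv);
        return -1;
    }

    return 0;
}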
---|
213 | |
---|
214 | int req_main(int argc, char **argv) |
---|
215 | { |
---|
216 | ASN1_INTEGER *serial = NULL; |
---|
217 | BIO *in = NULL, *out = NULL; |
---|
218 | ENGINE *e = NULL, *gen_eng = NULL; |
---|
219 | EVP_PKEY *pkey = NULL; |
---|
220 | EVP_PKEY_CTX *genctx = NULL; |
---|
221 | STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL; |
---|
222 | LHASH_OF(OPENSSL_STRING) *addexts = NULL; |
---|
223 | X509 *x509ss = NULL; |
---|
224 | X509_REQ *req = NULL; |
---|
225 | const EVP_CIPHER *cipher = NULL; |
---|
226 | const EVP_MD *md_alg = NULL, *digest = NULL; |
---|
227 | BIO *addext_bio = NULL; |
---|
228 | char *extensions = NULL, *infile = NULL; |
---|
229 | char *outfile = NULL, *keyfile = NULL; |
---|
230 | char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; |
---|
231 | char *passin = NULL, *passout = NULL; |
---|
232 | char *nofree_passin = NULL, *nofree_passout = NULL; |
---|
233 | char *req_exts = NULL, *subj = NULL; |
---|
234 | char *template = default_config_file, *keyout = NULL; |
---|
235 | const char *keyalg = NULL; |
---|
236 | OPTION_CHOICE o; |
---|
237 | int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0; |
---|
238 | int pkey_type = -1, private = 0; |
---|
239 | int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; |
---|
240 | int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0; |
---|
241 | int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; |
---|
242 | long newkey = -1; |
---|
243 | unsigned long chtype = MBSTRING_ASC, reqflag = 0; |
---|
244 | |
---|
245 | #ifndef OPENSSL_NO_DES |
---|
246 | cipher = EVP_des_ede3_cbc(); |
---|
247 | #endif |
---|
248 | |
---|
249 | prog = opt_init(argc, argv, req_options); |
---|
250 | while ((o = opt_next()) != OPT_EOF) { |
---|
251 | switch (o) { |
---|
252 | case OPT_EOF: |
---|
253 | case OPT_ERR: |
---|
254 | opthelp: |
---|
255 | BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); |
---|
256 | goto end; |
---|
257 | case OPT_HELP: |
---|
258 | opt_help(req_options); |
---|
259 | ret = 0; |
---|
260 | goto end; |
---|
261 | case OPT_INFORM: |
---|
262 | if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) |
---|
263 | goto opthelp; |
---|
264 | break; |
---|
265 | case OPT_OUTFORM: |
---|
266 | if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) |
---|
267 | goto opthelp; |
---|
268 | break; |
---|
269 | case OPT_ENGINE: |
---|
270 | e = setup_engine(opt_arg(), 0); |
---|
271 | break; |
---|
272 | case OPT_KEYGEN_ENGINE: |
---|
273 | #ifndef OPENSSL_NO_ENGINE |
---|
274 | gen_eng = ENGINE_by_id(opt_arg()); |
---|
275 | if (gen_eng == NULL) { |
---|
276 | BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); |
---|
277 | goto opthelp; |
---|
278 | } |
---|
279 | #endif |
---|
280 | break; |
---|
281 | case OPT_KEY: |
---|
282 | keyfile = opt_arg(); |
---|
283 | break; |
---|
284 | case OPT_PUBKEY: |
---|
285 | pubkey = 1; |
---|
286 | break; |
---|
287 | case OPT_NEW: |
---|
288 | newreq = 1; |
---|
289 | break; |
---|
290 | case OPT_CONFIG: |
---|
291 | template = opt_arg(); |
---|
292 | break; |
---|
293 | case OPT_KEYFORM: |
---|
294 | if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) |
---|
295 | goto opthelp; |
---|
296 | break; |
---|
297 | case OPT_IN: |
---|
298 | infile = opt_arg(); |
---|
299 | break; |
---|
300 | case OPT_OUT: |
---|
301 | outfile = opt_arg(); |
---|
302 | break; |
---|
303 | case OPT_KEYOUT: |
---|
304 | keyout = opt_arg(); |
---|
305 | break; |
---|
306 | case OPT_PASSIN: |
---|
307 | passargin = opt_arg(); |
---|
308 | break; |
---|
309 | case OPT_PASSOUT: |
---|
310 | passargout = opt_arg(); |
---|
311 | break; |
---|
312 | case OPT_R_CASES: |
---|
313 | if (!opt_rand(o)) |
---|
314 | goto end; |
---|
315 | break; |
---|
316 | case OPT_NEWKEY: |
---|
317 | keyalg = opt_arg(); |
---|
318 | newreq = 1; |
---|
319 | break; |
---|
320 | case OPT_PKEYOPT: |
---|
321 | if (!pkeyopts) |
---|
322 | pkeyopts = sk_OPENSSL_STRING_new_null(); |
---|
323 | if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg())) |
---|
324 | goto opthelp; |
---|
325 | break; |
---|
326 | case OPT_SIGOPT: |
---|
327 | if (!sigopts) |
---|
328 | sigopts = sk_OPENSSL_STRING_new_null(); |
---|
329 | if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) |
---|
330 | goto opthelp; |
---|
331 | break; |
---|
332 | case OPT_BATCH: |
---|
333 | batch = 1; |
---|
334 | break; |
---|
335 | case OPT_NEWHDR: |
---|
336 | newhdr = 1; |
---|
337 | break; |
---|
338 | case OPT_MODULUS: |
---|
339 | modulus = 1; |
---|
340 | break; |
---|
341 | case OPT_VERIFY: |
---|
342 | verify = 1; |
---|
343 | break; |
---|
344 | case OPT_NODES: |
---|
345 | nodes = 1; |
---|
346 | break; |
---|
347 | case OPT_NOOUT: |
---|
348 | noout = 1; |
---|
349 | break; |
---|
350 | case OPT_VERBOSE: |
---|
351 | verbose = 1; |
---|
352 | break; |
---|
353 | case OPT_UTF8: |
---|
354 | chtype = MBSTRING_UTF8; |
---|
355 | break; |
---|
356 | case OPT_NAMEOPT: |
---|
357 | if (!set_nameopt(opt_arg())) |
---|
358 | goto opthelp; |
---|
359 | break; |
---|
360 | case OPT_REQOPT: |
---|
361 | if (!set_cert_ex(&reqflag, opt_arg())) |
---|
362 | goto opthelp; |
---|
363 | break; |
---|
364 | case OPT_TEXT: |
---|
365 | text = 1; |
---|
366 | break; |
---|
367 | case OPT_X509: |
---|
368 | x509 = 1; |
---|
369 | break; |
---|
370 | case OPT_DAYS: |
---|
371 | days = atoi(opt_arg()); |
---|
372 | break; |
---|
373 | case OPT_SET_SERIAL: |
---|
374 | if (serial != NULL) { |
---|
375 | BIO_printf(bio_err, "Serial number supplied twice\n"); |
---|
376 | goto opthelp; |
---|
377 | } |
---|
378 | serial = s2i_ASN1_INTEGER(NULL, opt_arg()); |
---|
379 | if (serial == NULL) |
---|
380 | goto opthelp; |
---|
381 | break; |
---|
382 | case OPT_SUBJECT: |
---|
383 | subject = 1; |
---|
384 | break; |
---|
385 | case OPT_SUBJ: |
---|
386 | subj = opt_arg(); |
---|
387 | break; |
---|
388 | case OPT_MULTIVALUE_RDN: |
---|
389 | multirdn = 1; |
---|
390 | break; |
---|
391 | case OPT_ADDEXT: |
---|
392 | p = opt_arg(); |
---|
393 | if (addexts == NULL) { |
---|
394 | addexts = lh_OPENSSL_STRING_new(ext_name_hash, ext_name_cmp); |
---|
395 | addext_bio = BIO_new(BIO_s_mem()); |
---|
396 | if (addexts == NULL || addext_bio == NULL) |
---|
397 | goto end; |
---|
398 | } |
---|
399 | i = duplicated(addexts, p); |
---|
400 | if (i == 1) |
---|
401 | goto opthelp; |
---|
402 | if (i < 0 || BIO_printf(addext_bio, "%s\n", opt_arg()) < 0) |
---|
403 | goto end; |
---|
404 | break; |
---|
405 | case OPT_EXTENSIONS: |
---|
406 | extensions = opt_arg(); |
---|
407 | break; |
---|
408 | case OPT_REQEXTS: |
---|
409 | req_exts = opt_arg(); |
---|
410 | break; |
---|
411 | case OPT_PRECERT: |
---|
412 | newreq = precert = 1; |
---|
413 | break; |
---|
414 | case OPT_MD: |
---|
415 | if (!opt_md(opt_unknown(), &md_alg)) |
---|
416 | goto opthelp; |
---|
417 | digest = md_alg; |
---|
418 | break; |
---|
419 | } |
---|
420 | } |
---|
421 | argc = opt_num_rest(); |
---|
422 | if (argc != 0) |
---|
423 | goto opthelp; |
---|
424 | |
---|
425 | if (days && !x509) |
---|
426 | BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n"); |
---|
427 | if (x509 && infile == NULL) |
---|
428 | newreq = 1; |
---|
429 | |
---|
430 | /* TODO: simplify this as pkey is still always NULL here */ |
---|
431 | private = newreq && (pkey == NULL) ? 1 : 0; |
---|
432 | |
---|
433 | if (!app_passwd(passargin, passargout, &passin, &passout)) { |
---|
434 | BIO_printf(bio_err, "Error getting passwords\n"); |
---|
435 | goto end; |
---|
436 | } |
---|
437 | |
---|
438 | if (verbose) |
---|
439 | BIO_printf(bio_err, "Using configuration from %s\n", template); |
---|
440 | req_conf = app_load_config(template); |
---|
441 | if (addext_bio) { |
---|
442 | if (verbose) |
---|
443 | BIO_printf(bio_err, |
---|
444 | "Using additional configuration from command line\n"); |
---|
445 | addext_conf = app_load_config_bio(addext_bio, NULL); |
---|
446 | } |
---|
447 | if (template != default_config_file && !app_load_modules(req_conf)) |
---|
448 | goto end; |
---|
449 | |
---|
450 | if (req_conf != NULL) { |
---|
451 | p = NCONF_get_string(req_conf, NULL, "oid_file"); |
---|
452 | if (p == NULL) |
---|
453 | ERR_clear_error(); |
---|
454 | if (p != NULL) { |
---|
455 | BIO *oid_bio; |
---|
456 | |
---|
457 | oid_bio = BIO_new_file(p, "r"); |
---|
458 | if (oid_bio == NULL) { |
---|
459 | /*- |
---|
460 | BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); |
---|
461 | ERR_print_errors(bio_err); |
---|
462 | */ |
---|
463 | } else { |
---|
464 | OBJ_create_objects(oid_bio); |
---|
465 | BIO_free(oid_bio); |
---|
466 | } |
---|
467 | } |
---|
468 | } |
---|
469 | if (!add_oid_section(req_conf)) |
---|
470 | goto end; |
---|
471 | |
---|
472 | if (md_alg == NULL) { |
---|
473 | p = NCONF_get_string(req_conf, SECTION, "default_md"); |
---|
474 | if (p == NULL) { |
---|
475 | ERR_clear_error(); |
---|
476 | } else { |
---|
477 | if (!opt_md(p, &md_alg)) |
---|
478 | goto opthelp; |
---|
479 | digest = md_alg; |
---|
480 | } |
---|
481 | } |
---|
482 | |
---|
483 | if (extensions == NULL) { |
---|
484 | extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS); |
---|
485 | if (extensions == NULL) |
---|
486 | ERR_clear_error(); |
---|
487 | } |
---|
488 | if (extensions != NULL) { |
---|
489 | /* Check syntax of file */ |
---|
490 | X509V3_CTX ctx; |
---|
491 | X509V3_set_ctx_test(&ctx); |
---|
492 | X509V3_set_nconf(&ctx, req_conf); |
---|
493 | if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { |
---|
494 | BIO_printf(bio_err, |
---|
495 | "Error Loading extension section %s\n", extensions); |
---|
496 | goto end; |
---|
497 | } |
---|
498 | } |
---|
499 | if (addext_conf != NULL) { |
---|
500 | /* Check syntax of command line extensions */ |
---|
501 | X509V3_CTX ctx; |
---|
502 | X509V3_set_ctx_test(&ctx); |
---|
503 | X509V3_set_nconf(&ctx, addext_conf); |
---|
504 | if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { |
---|
505 | BIO_printf(bio_err, "Error Loading command line extensions\n"); |
---|
506 | goto end; |
---|
507 | } |
---|
508 | } |
---|
509 | |
---|
510 | if (passin == NULL) { |
---|
511 | passin = nofree_passin = |
---|
512 | NCONF_get_string(req_conf, SECTION, "input_password"); |
---|
513 | if (passin == NULL) |
---|
514 | ERR_clear_error(); |
---|
515 | } |
---|
516 | |
---|
517 | if (passout == NULL) { |
---|
518 | passout = nofree_passout = |
---|
519 | NCONF_get_string(req_conf, SECTION, "output_password"); |
---|
520 | if (passout == NULL) |
---|
521 | ERR_clear_error(); |
---|
522 | } |
---|
523 | |
---|
524 | p = NCONF_get_string(req_conf, SECTION, STRING_MASK); |
---|
525 | if (p == NULL) |
---|
526 | ERR_clear_error(); |
---|
527 | |
---|
528 | if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) { |
---|
529 | BIO_printf(bio_err, "Invalid global string mask setting %s\n", p); |
---|
530 | goto end; |
---|
531 | } |
---|
532 | |
---|
533 | if (chtype != MBSTRING_UTF8) { |
---|
534 | p = NCONF_get_string(req_conf, SECTION, UTF8_IN); |
---|
535 | if (p == NULL) |
---|
536 | ERR_clear_error(); |
---|
537 | else if (strcmp(p, "yes") == 0) |
---|
538 | chtype = MBSTRING_UTF8; |
---|
539 | } |
---|
540 | |
---|
541 | if (req_exts == NULL) { |
---|
542 | req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); |
---|
543 | if (req_exts == NULL) |
---|
544 | ERR_clear_error(); |
---|
545 | } |
---|
546 | if (req_exts != NULL) { |
---|
547 | /* Check syntax of file */ |
---|
548 | X509V3_CTX ctx; |
---|
549 | X509V3_set_ctx_test(&ctx); |
---|
550 | X509V3_set_nconf(&ctx, req_conf); |
---|
551 | if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { |
---|
552 | BIO_printf(bio_err, |
---|
553 | "Error Loading request extension section %s\n", |
---|
554 | req_exts); |
---|
555 | goto end; |
---|
556 | } |
---|
557 | } |
---|
558 | |
---|
559 | if (keyfile != NULL) { |
---|
560 | pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); |
---|
561 | if (pkey == NULL) { |
---|
562 | /* load_key() has already printed an appropriate message */ |
---|
563 | goto end; |
---|
564 | } else { |
---|
565 | app_RAND_load_conf(req_conf, SECTION); |
---|
566 | } |
---|
567 | } |
---|
568 | |
---|
569 | if (newreq && (pkey == NULL)) { |
---|
570 | app_RAND_load_conf(req_conf, SECTION); |
---|
571 | |
---|
572 | if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) { |
---|
573 | newkey = DEFAULT_KEY_LENGTH; |
---|
574 | } |
---|
575 | |
---|
576 | if (keyalg != NULL) { |
---|
577 | genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey, |
---|
578 | &keyalgstr, gen_eng); |
---|
579 | if (genctx == NULL) |
---|
580 | goto end; |
---|
581 | } |
---|
582 | |
---|
583 | if (newkey < MIN_KEY_LENGTH |
---|
584 | && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { |
---|
585 | BIO_printf(bio_err, "private key length is too short,\n"); |
---|
586 | BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", |
---|
587 | MIN_KEY_LENGTH, newkey); |
---|
588 | goto end; |
---|
589 | } |
---|
590 | |
---|
591 | if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS) |
---|
592 | BIO_printf(bio_err, |
---|
593 | "Warning: It is not recommended to use more than %d bit for RSA keys.\n" |
---|
594 | " Your key size is %ld! Larger key size may behave not as expected.\n", |
---|
595 | OPENSSL_RSA_MAX_MODULUS_BITS, newkey); |
---|
596 | |
---|
597 | #ifndef OPENSSL_NO_DSA |
---|
598 | if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS) |
---|
599 | BIO_printf(bio_err, |
---|
600 | "Warning: It is not recommended to use more than %d bit for DSA keys.\n" |
---|
601 | " Your key size is %ld! Larger key size may behave not as expected.\n", |
---|
602 | OPENSSL_DSA_MAX_MODULUS_BITS, newkey); |
---|
603 | #endif |
---|
604 | |
---|
605 | if (genctx == NULL) { |
---|
606 | genctx = set_keygen_ctx(NULL, &pkey_type, &newkey, |
---|
607 | &keyalgstr, gen_eng); |
---|
608 | if (!genctx) |
---|
609 | goto end; |
---|
610 | } |
---|
611 | |
---|
612 | if (pkeyopts != NULL) { |
---|
613 | char *genopt; |
---|
614 | for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { |
---|
615 | genopt = sk_OPENSSL_STRING_value(pkeyopts, i); |
---|
616 | if (pkey_ctrl_string(genctx, genopt) <= 0) { |
---|
617 | BIO_printf(bio_err, "parameter error \"%s\"\n", genopt); |
---|
618 | ERR_print_errors(bio_err); |
---|
619 | goto end; |
---|
620 | } |
---|
621 | } |
---|
622 | } |
---|
623 | |
---|
624 | if (pkey_type == EVP_PKEY_EC) { |
---|
625 | BIO_printf(bio_err, "Generating an EC private key\n"); |
---|
626 | } else { |
---|
627 | BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr); |
---|
628 | } |
---|
629 | |
---|
630 | EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); |
---|
631 | EVP_PKEY_CTX_set_app_data(genctx, bio_err); |
---|
632 | |
---|
633 | if (EVP_PKEY_keygen(genctx, &pkey) <= 0) { |
---|
634 | BIO_puts(bio_err, "Error Generating Key\n"); |
---|
635 | goto end; |
---|
636 | } |
---|
637 | |
---|
638 | EVP_PKEY_CTX_free(genctx); |
---|
639 | genctx = NULL; |
---|
640 | |
---|
641 | if (keyout == NULL) { |
---|
642 | keyout = NCONF_get_string(req_conf, SECTION, KEYFILE); |
---|
643 | if (keyout == NULL) |
---|
644 | ERR_clear_error(); |
---|
645 | } |
---|
646 | |
---|
647 | if (keyout == NULL) |
---|
648 | BIO_printf(bio_err, "writing new private key to stdout\n"); |
---|
649 | else |
---|
650 | BIO_printf(bio_err, "writing new private key to '%s'\n", keyout); |
---|
651 | out = bio_open_owner(keyout, outformat, private); |
---|
652 | if (out == NULL) |
---|
653 | goto end; |
---|
654 | |
---|
655 | p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key"); |
---|
656 | if (p == NULL) { |
---|
657 | ERR_clear_error(); |
---|
658 | p = NCONF_get_string(req_conf, SECTION, "encrypt_key"); |
---|
659 | if (p == NULL) |
---|
660 | ERR_clear_error(); |
---|
661 | } |
---|
662 | if ((p != NULL) && (strcmp(p, "no") == 0)) |
---|
663 | cipher = NULL; |
---|
664 | if (nodes) |
---|
665 | cipher = NULL; |
---|
666 | |
---|
667 | i = 0; |
---|
668 | loop: |
---|
669 | assert(private); |
---|
670 | if (!PEM_write_bio_PrivateKey(out, pkey, cipher, |
---|
671 | NULL, 0, NULL, passout)) { |
---|
672 | if ((ERR_GET_REASON(ERR_peek_error()) == |
---|
673 | PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) { |
---|
674 | ERR_clear_error(); |
---|
675 | i++; |
---|
676 | goto loop; |
---|
677 | } |
---|
678 | goto end; |
---|
679 | } |
---|
680 | BIO_free(out); |
---|
681 | out = NULL; |
---|
682 | BIO_printf(bio_err, "-----\n"); |
---|
683 | } |
---|
684 | |
---|
685 | if (!newreq) { |
---|
686 | in = bio_open_default(infile, 'r', informat); |
---|
687 | if (in == NULL) |
---|
688 | goto end; |
---|
689 | |
---|
690 | if (informat == FORMAT_ASN1) |
---|
691 | req = d2i_X509_REQ_bio(in, NULL); |
---|
692 | else |
---|
693 | req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); |
---|
694 | if (req == NULL) { |
---|
695 | BIO_printf(bio_err, "unable to load X509 request\n"); |
---|
696 | goto end; |
---|
697 | } |
---|
698 | } |
---|
699 | |
---|
700 | if (newreq || x509) { |
---|
701 | if (pkey == NULL) { |
---|
702 | BIO_printf(bio_err, "you need to specify a private key\n"); |
---|
703 | goto end; |
---|
704 | } |
---|
705 | |
---|
706 | if (req == NULL) { |
---|
707 | req = X509_REQ_new(); |
---|
708 | if (req == NULL) { |
---|
709 | goto end; |
---|
710 | } |
---|
711 | |
---|
712 | i = make_REQ(req, pkey, subj, multirdn, !x509, chtype); |
---|
713 | subj = NULL; /* done processing '-subj' option */ |
---|
714 | if (!i) { |
---|
715 | BIO_printf(bio_err, "problems making Certificate Request\n"); |
---|
716 | goto end; |
---|
717 | } |
---|
718 | } |
---|
719 | if (x509) { |
---|
720 | EVP_PKEY *tmppkey; |
---|
721 | X509V3_CTX ext_ctx; |
---|
722 | if ((x509ss = X509_new()) == NULL) |
---|
723 | goto end; |
---|
724 | |
---|
725 | /* Set version to V3 */ |
---|
726 | if ((extensions != NULL || addext_conf != NULL) |
---|
727 | && !X509_set_version(x509ss, 2)) |
---|
728 | goto end; |
---|
729 | if (serial != NULL) { |
---|
730 | if (!X509_set_serialNumber(x509ss, serial)) |
---|
731 | goto end; |
---|
732 | } else { |
---|
733 | if (!rand_serial(NULL, X509_get_serialNumber(x509ss))) |
---|
734 | goto end; |
---|
735 | } |
---|
736 | |
---|
737 | if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) |
---|
738 | goto end; |
---|
739 | if (days == 0) { |
---|
740 | /* set default days if it's not specified */ |
---|
741 | days = 30; |
---|
742 | } |
---|
743 | if (!set_cert_times(x509ss, NULL, NULL, days)) |
---|
744 | goto end; |
---|
745 | if (!X509_set_subject_name |
---|
746 | (x509ss, X509_REQ_get_subject_name(req))) |
---|
747 | goto end; |
---|
748 | tmppkey = X509_REQ_get0_pubkey(req); |
---|
749 | if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey)) |
---|
750 | goto end; |
---|
751 | |
---|
752 | /* Set up V3 context struct */ |
---|
753 | |
---|
754 | X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0); |
---|
755 | X509V3_set_nconf(&ext_ctx, req_conf); |
---|
756 | |
---|
757 | /* Add extensions */ |
---|
758 | if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf, |
---|
759 | &ext_ctx, extensions, |
---|
760 | x509ss)) { |
---|
761 | BIO_printf(bio_err, "Error Loading extension section %s\n", |
---|
762 | extensions); |
---|
763 | goto end; |
---|
764 | } |
---|
765 | if (addext_conf != NULL |
---|
766 | && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default", |
---|
767 | x509ss)) { |
---|
768 | BIO_printf(bio_err, "Error Loading command line extensions\n"); |
---|
769 | goto end; |
---|
770 | } |
---|
771 | |
---|
772 | /* If a pre-cert was requested, we need to add a poison extension */ |
---|
773 | if (precert) { |
---|
774 | if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0) |
---|
775 | != 1) { |
---|
776 | BIO_printf(bio_err, "Error adding poison extension\n"); |
---|
777 | goto end; |
---|
778 | } |
---|
779 | } |
---|
780 | |
---|
781 | i = do_X509_sign(x509ss, pkey, digest, sigopts); |
---|
782 | if (!i) { |
---|
783 | ERR_print_errors(bio_err); |
---|
784 | goto end; |
---|
785 | } |
---|
786 | } else { |
---|
787 | X509V3_CTX ext_ctx; |
---|
788 | |
---|
789 | /* Set up V3 context struct */ |
---|
790 | |
---|
791 | X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); |
---|
792 | X509V3_set_nconf(&ext_ctx, req_conf); |
---|
793 | |
---|
794 | /* Add extensions */ |
---|
795 | if (req_exts != NULL |
---|
796 | && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx, |
---|
797 | req_exts, req)) { |
---|
798 | BIO_printf(bio_err, "Error Loading extension section %s\n", |
---|
799 | req_exts); |
---|
800 | goto end; |
---|
801 | } |
---|
802 | if (addext_conf != NULL |
---|
803 | && !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default", |
---|
804 | req)) { |
---|
805 | BIO_printf(bio_err, "Error Loading command line extensions\n"); |
---|
806 | goto end; |
---|
807 | } |
---|
808 | i = do_X509_REQ_sign(req, pkey, digest, sigopts); |
---|
809 | if (!i) { |
---|
810 | ERR_print_errors(bio_err); |
---|
811 | goto end; |
---|
812 | } |
---|
813 | } |
---|
814 | } |
---|
815 | |
---|
816 | if (subj && x509) { |
---|
817 | BIO_printf(bio_err, "Cannot modify certificate subject\n"); |
---|
818 | goto end; |
---|
819 | } |
---|
820 | |
---|
821 | if (subj && !x509) { |
---|
822 | if (verbose) { |
---|
823 | BIO_printf(bio_err, "Modifying Request's Subject\n"); |
---|
824 | print_name(bio_err, "old subject=", |
---|
825 | X509_REQ_get_subject_name(req), get_nameopt()); |
---|
826 | } |
---|
827 | |
---|
828 | if (build_subject(req, subj, chtype, multirdn) == 0) { |
---|
829 | BIO_printf(bio_err, "ERROR: cannot modify subject\n"); |
---|
830 | ret = 1; |
---|
831 | goto end; |
---|
832 | } |
---|
833 | |
---|
834 | if (verbose) { |
---|
835 | print_name(bio_err, "new subject=", |
---|
836 | X509_REQ_get_subject_name(req), get_nameopt()); |
---|
837 | } |
---|
838 | } |
---|
839 | |
---|
840 | if (verify && !x509) { |
---|
841 | EVP_PKEY *tpubkey = pkey; |
---|
842 | |
---|
843 | if (tpubkey == NULL) { |
---|
844 | tpubkey = X509_REQ_get0_pubkey(req); |
---|
845 | if (tpubkey == NULL) |
---|
846 | goto end; |
---|
847 | } |
---|
848 | |
---|
849 | i = X509_REQ_verify(req, tpubkey); |
---|
850 | |
---|
851 | if (i < 0) { |
---|
852 | goto end; |
---|
853 | } else if (i == 0) { |
---|
854 | BIO_printf(bio_err, "verify failure\n"); |
---|
855 | ERR_print_errors(bio_err); |
---|
856 | } else { /* if (i > 0) */ |
---|
857 | BIO_printf(bio_err, "verify OK\n"); |
---|
858 | } |
---|
859 | } |
---|
860 | |
---|
861 | if (noout && !text && !modulus && !subject && !pubkey) { |
---|
862 | ret = 0; |
---|
863 | goto end; |
---|
864 | } |
---|
865 | |
---|
866 | out = bio_open_default(outfile, |
---|
867 | keyout != NULL && outfile != NULL && |
---|
868 | strcmp(keyout, outfile) == 0 ? 'a' : 'w', |
---|
869 | outformat); |
---|
870 | if (out == NULL) |
---|
871 | goto end; |
---|
872 | |
---|
873 | if (pubkey) { |
---|
874 | EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req); |
---|
875 | |
---|
876 | if (tpubkey == NULL) { |
---|
877 | BIO_printf(bio_err, "Error getting public key\n"); |
---|
878 | ERR_print_errors(bio_err); |
---|
879 | goto end; |
---|
880 | } |
---|
881 | PEM_write_bio_PUBKEY(out, tpubkey); |
---|
882 | } |
---|
883 | |
---|
884 | if (text) { |
---|
885 | if (x509) |
---|
886 | X509_print_ex(out, x509ss, get_nameopt(), reqflag); |
---|
887 | else |
---|
888 | X509_REQ_print_ex(out, req, get_nameopt(), reqflag); |
---|
889 | } |
---|
890 | |
---|
891 | if (subject) { |
---|
892 | if (x509) |
---|
893 | print_name(out, "subject=", X509_get_subject_name(x509ss), |
---|
894 | get_nameopt()); |
---|
895 | else |
---|
896 | print_name(out, "subject=", X509_REQ_get_subject_name(req), |
---|
897 | get_nameopt()); |
---|
898 | } |
---|
899 | |
---|
900 | if (modulus) { |
---|
901 | EVP_PKEY *tpubkey; |
---|
902 | |
---|
903 | if (x509) |
---|
904 | tpubkey = X509_get0_pubkey(x509ss); |
---|
905 | else |
---|
906 | tpubkey = X509_REQ_get0_pubkey(req); |
---|
907 | if (tpubkey == NULL) { |
---|
908 | fprintf(stdout, "Modulus=unavailable\n"); |
---|
909 | goto end; |
---|
910 | } |
---|
911 | fprintf(stdout, "Modulus="); |
---|
912 | #ifndef OPENSSL_NO_RSA |
---|
913 | if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) { |
---|
914 | const BIGNUM *n; |
---|
915 | RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL); |
---|
916 | BN_print(out, n); |
---|
917 | } else |
---|
918 | #endif |
---|
919 | fprintf(stdout, "Wrong Algorithm type"); |
---|
920 | fprintf(stdout, "\n"); |
---|
921 | } |
---|
922 | |
---|
923 | if (!noout && !x509) { |
---|
924 | if (outformat == FORMAT_ASN1) |
---|
925 | i = i2d_X509_REQ_bio(out, req); |
---|
926 | else if (newhdr) |
---|
927 | i = PEM_write_bio_X509_REQ_NEW(out, req); |
---|
928 | else |
---|
929 | i = PEM_write_bio_X509_REQ(out, req); |
---|
930 | if (!i) { |
---|
931 | BIO_printf(bio_err, "unable to write X509 request\n"); |
---|
932 | goto end; |
---|
933 | } |
---|
934 | } |
---|
935 | if (!noout && x509 && (x509ss != NULL)) { |
---|
936 | if (outformat == FORMAT_ASN1) |
---|
937 | i = i2d_X509_bio(out, x509ss); |
---|
938 | else |
---|
939 | i = PEM_write_bio_X509(out, x509ss); |
---|
940 | if (!i) { |
---|
941 | BIO_printf(bio_err, "unable to write X509 certificate\n"); |
---|
942 | goto end; |
---|
943 | } |
---|
944 | } |
---|
945 | ret = 0; |
---|
946 | end: |
---|
947 | if (ret) { |
---|
948 | ERR_print_errors(bio_err); |
---|
949 | } |
---|
950 | NCONF_free(req_conf); |
---|
951 | NCONF_free(addext_conf); |
---|
952 | BIO_free(addext_bio); |
---|
953 | BIO_free(in); |
---|
954 | BIO_free_all(out); |
---|
955 | EVP_PKEY_free(pkey); |
---|
956 | EVP_PKEY_CTX_free(genctx); |
---|
957 | sk_OPENSSL_STRING_free(pkeyopts); |
---|
958 | sk_OPENSSL_STRING_free(sigopts); |
---|
959 | lh_OPENSSL_STRING_doall(addexts, exts_cleanup); |
---|
960 | lh_OPENSSL_STRING_free(addexts); |
---|
961 | #ifndef OPENSSL_NO_ENGINE |
---|
962 | ENGINE_free(gen_eng); |
---|
963 | #endif |
---|
964 | OPENSSL_free(keyalgstr); |
---|
965 | X509_REQ_free(req); |
---|
966 | X509_free(x509ss); |
---|
967 | ASN1_INTEGER_free(serial); |
---|
968 | release_engine(e); |
---|
969 | if (passin != nofree_passin) |
---|
970 | OPENSSL_free(passin); |
---|
971 | if (passout != nofree_passout) |
---|
972 | OPENSSL_free(passout); |
---|
973 | return ret; |
---|
974 | } |
---|
975 | |
---|
/*
 * Fill in a fresh request from the [req] configuration section: version,
 * subject name (from -subj, from the config without prompting, or
 * interactively) and the public key.
 *
 * Returns 1 on success, 0 after printing a diagnostic on bio_err.
 */
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
                    int attribs, unsigned long chtype)
{
    char *prompt_val, *dn_sect, *attr_sect;
    STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
    int no_prompt, ok;

    /* "prompt = no" in the [req] section selects the non-interactive path. */
    prompt_val = NCONF_get_string(req_conf, SECTION, PROMPT);
    if (prompt_val == NULL)
        ERR_clear_error();
    no_prompt = (prompt_val != NULL && strcmp(prompt_val, "no") == 0);

    dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
    if (dn_sect == NULL) {
        BIO_printf(bio_err, "unable to find '%s' in config\n",
                   DISTINGUISHED_NAME);
        return 0;
    }
    dn_sk = NCONF_get_section(req_conf, dn_sect);
    if (dn_sk == NULL) {
        BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
        return 0;
    }

    /* The attributes section is optional; a missing name is not an error. */
    attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
    if (attr_sect == NULL) {
        ERR_clear_error();
    } else {
        attr_sk = NCONF_get_section(req_conf, attr_sect);
        if (attr_sk == NULL) {
            BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
            return 0;
        }
    }

    /* A version field of 0 encodes PKCS#10 "version 1". */
    if (!X509_REQ_set_version(req, 0L))
        return 0;

    if (subj != NULL)
        ok = build_subject(req, subj, chtype, multirdn);
    else if (no_prompt)
        ok = auto_info(req, dn_sk, attr_sk, attribs, chtype);
    else
        ok = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
                         chtype);
    if (!ok)
        return 0;

    return X509_REQ_set_pubkey(req, pkey) ? 1 : 0;
}
1035 | |
---|
/*
 * Replace the request's subject with one parsed from a string of the form
 * /type0=value0/type1=value1/..., where characters may be escaped with \.
 *
 * Returns 1 on success, 0 if the string does not parse or the name cannot
 * be installed in the request.
 */
static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
                         int multirdn)
{
    X509_NAME *name = parse_name(subject, chtype, multirdn);
    int ok;

    if (name == NULL)
        return 0;

    /* X509_REQ_set_subject_name() copies the name, so free our copy either way. */
    ok = X509_REQ_set_subject_name(req, name);
    X509_NAME_free(name);
    return ok ? 1 : 0;
}
1055 | |
---|
/*
 * Interactively collect the subject DN (and optionally the request
 * attributes) driven by the configuration sections dn_sk / attr_sk.
 *
 * Each entry "X" in the DN section is a prompt; companion entries
 * "X_default", "X_value", "X_min" and "X_max" are looked up by name and
 * are skipped as prompts themselves.  A prefix up to the first ':', ','
 * or '.' lets the same object appear several times, and a leading '+'
 * puts the value into the previous RDN (multi-valued RDN).
 *
 * Returns 1 on success, 0 on error or when no DN entry was produced.
 */
static int prompt_info(X509_REQ *req,
                       STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
                       STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
                       int attribs, unsigned long chtype)
{
    char buf[100];
    X509_NAME *subj = X509_REQ_get_subject_name(req);
    int i;

    if (!batch) {
        BIO_printf(bio_err,
                   "You are about to be asked to enter information that will be incorporated\n");
        BIO_printf(bio_err, "into your certificate request.\n");
        BIO_printf(bio_err,
                   "What you are about to enter is what is called a Distinguished Name or a DN.\n");
        BIO_printf(bio_err,
                   "There are quite a few fields but you can leave some blank\n");
        BIO_printf(bio_err,
                   "For some fields there will be a default value,\n");
        BIO_printf(bio_err,
                   "If you enter '.', the field will be left blank.\n");
        BIO_printf(bio_err, "-----\n");
    }

    if (sk_CONF_VALUE_num(dn_sk) == 0) {
        BIO_printf(bio_err, "No template, please set one up.\n");
        return 0;
    }

    for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
        CONF_VALUE *v = sk_CONF_VALUE_value(dn_sk, i);
        char *type = v->name;
        char *p;
        const char *def;
        char *value;
        int nid, mval;
        long n_min, n_max;

        /* The *_min/_max/_default/_value entries are not prompts themselves. */
        if (!check_end(type, "_min") || !check_end(type, "_max")
            || !check_end(type, "_default") || !check_end(type, "_value"))
            continue;

        /* Skip a "N." / "N:" / "N," prefix used to repeat an object. */
        for (p = v->name; *p != '\0'; p++) {
            if (*p == ':' || *p == ',' || *p == '.') {
                if (p[1] != '\0')
                    type = p + 1;
                break;
            }
        }

        mval = 0;
        if (*type == '+') {
            type++;
            mval = -1;
        }

        /* An object the library does not recognise is silently ignored. */
        nid = OBJ_txt2nid(type);
        if (nid == NID_undef)
            continue;

        if (!join(buf, sizeof(buf), v->name, "_default", "Name"))
            return 0;
        def = NCONF_get_string(req_conf, dn_sect, buf);
        if (def == NULL) {
            ERR_clear_error();
            def = "";
        }

        if (!join(buf, sizeof(buf), v->name, "_value", "Name"))
            return 0;
        value = NCONF_get_string(req_conf, dn_sect, buf);
        if (value == NULL)
            ERR_clear_error();

        if (!join(buf, sizeof(buf), v->name, "_min", "Name"))
            return 0;
        if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
            ERR_clear_error();
            n_min = -1;
        }

        if (!join(buf, sizeof(buf), v->name, "_max", "Name"))
            return 0;
        if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
            ERR_clear_error();
            n_max = -1;
        }

        if (!add_DN_object(subj, v->value, def, value, nid,
                           n_min, n_max, chtype, mval))
            return 0;
    }

    if (X509_NAME_entry_count(subj) == 0) {
        BIO_printf(bio_err,
                   "error, no objects specified in config file\n");
        return 0;
    }

    if (!attribs)
        return 1;

    if (attr_sk != NULL && sk_CONF_VALUE_num(attr_sk) > 0 && !batch) {
        BIO_printf(bio_err,
                   "\nPlease enter the following 'extra' attributes\n");
        BIO_printf(bio_err,
                   "to be sent with your certificate request\n");
    }

    for (i = 0; attr_sk != NULL && i < sk_CONF_VALUE_num(attr_sk); i++) {
        CONF_VALUE *v = sk_CONF_VALUE_value(attr_sk, i);
        char *type = v->name;
        const char *def;
        char *value;
        int nid;
        long n_min, n_max;

        nid = OBJ_txt2nid(type);
        if (nid == NID_undef)
            continue;

        if (!join(buf, sizeof(buf), type, "_default", "Name"))
            return 0;
        def = NCONF_get_string(req_conf, attr_sect, buf);
        if (def == NULL) {
            ERR_clear_error();
            def = "";
        }

        if (!join(buf, sizeof(buf), type, "_value", "Name"))
            return 0;
        value = NCONF_get_string(req_conf, attr_sect, buf);
        if (value == NULL)
            ERR_clear_error();

        if (!join(buf, sizeof(buf), type, "_min", "Name"))
            return 0;
        if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
            ERR_clear_error();
            n_min = -1;
        }

        if (!join(buf, sizeof(buf), type, "_max", "Name"))
            return 0;
        if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
            ERR_clear_error();
            n_max = -1;
        }

        if (!add_attribute_object(req, v->value, def, value, nid,
                                  n_min, n_max, chtype))
            return 0;
    }

    return 1;
}
1225 | |
---|
/*
 * Non-interactive counterpart of prompt_info(): every entry of dn_sk is
 * added to the subject as-is, and (when attribs is set) every entry of
 * attr_sk becomes a request attribute.  The same "N." prefix and leading
 * '+' conventions as in prompt_info() apply to the DN entries.
 *
 * Returns 1 on success, 0 on a library failure or an empty subject.
 */
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
                     STACK_OF(CONF_VALUE) *attr_sk, int attribs,
                     unsigned long chtype)
{
    X509_NAME *subj = X509_REQ_get_subject_name(req);
    int i;

    for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
        CONF_VALUE *v = sk_CONF_VALUE_value(dn_sk, i);
        char *type = v->name;
        char *p;
        int is_plus, mval = 0;

        /* Skip a "N." / "N:" / "N," prefix used to repeat an object. */
        for (p = v->name; *p != '\0'; p++) {
            int is_sep;
#ifndef CHARSET_EBCDIC
            is_sep = (*p == ':' || *p == ',' || *p == '.');
#else
            is_sep = (*p == os_toascii[':'] || *p == os_toascii[',']
                      || *p == os_toascii['.']);
#endif
            if (is_sep) {
                if (p[1] != '\0')
                    type = p + 1;
                break;
            }
        }

        /* A leading '+' appends the value to the previous RDN. */
#ifndef CHARSET_EBCDIC
        is_plus = (*type == '+');
#else
        is_plus = (*type == os_toascii['+']);
#endif
        if (is_plus) {
            type++;
            mval = -1;
        }

        if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
                                        (unsigned char *)v->value, -1, -1,
                                        mval))
            return 0;
    }

    if (X509_NAME_entry_count(subj) == 0) {
        BIO_printf(bio_err, "error, no objects specified in config file\n");
        return 0;
    }

    if (attribs) {
        for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
            CONF_VALUE *v = sk_CONF_VALUE_value(attr_sk, i);

            if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
                                           (unsigned char *)v->value, -1))
                return 0;
        }
    }
    return 1;
}
1292 | |
---|
/*
 * Obtain one DN value via build_data() and, if the user supplied one,
 * add it to the name under nid.
 *
 * Returns 0 on error, 1 when the field was left blank or added
 * successfully.
 */
static int add_DN_object(X509_NAME *n, char *text, const char *def,
                         char *value, int nid, int n_min, int n_max,
                         unsigned long chtype, int mval)
{
    char buf[1024];
    int rc;

    rc = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
                    "DN value", "DN default");
    /* 0 = error, 1 = deliberately blank: both are passed straight through. */
    if (rc == 0 || rc == 1)
        return rc;

    /* Otherwise build_data() left the value in buf. */
    return X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char *)buf,
                                      -1, -1, mval) != 0;
}
1312 | |
---|
/*
 * Obtain one attribute value via build_data() and, if the user supplied
 * one, add it to the request under nid.
 *
 * Returns 0 on error, 1 when the attribute was left blank or added
 * successfully.
 */
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
                                char *value, int nid, int n_min,
                                int n_max, unsigned long chtype)
{
    char buf[1024];
    int rc;

    rc = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
                    "Attribute value", "Attribute default");
    /* 0 = error, 1 = deliberately blank: both are passed straight through. */
    if (rc == 0 || rc == 1)
        return rc;

    if (X509_REQ_add1_attr_by_NID(req, nid, chtype,
                                  (unsigned char *)buf, -1))
        return 1;

    BIO_printf(bio_err, "Error adding attribute\n");
    ERR_print_errors(bio_err);
    return 0;
}
1335 | |
---|
1336 | |
---|
/*
 * Obtain a single field value, either from a configured "_value" (value),
 * from stdin when prompting, or from the default (def) when the user just
 * presses return.
 *
 * On return buf holds the NUL-terminated value with its trailing newline
 * removed.  Return codes: 0 = error (caller aborts), 1 = leave the field
 * blank (empty input with no default, or a lone "."), 2 = buf holds a value
 * whose length satisfied req_check_len().
 *
 * desc1/desc2 are only used for the "too long" diagnostics of join().
 */
static int build_data(char *text, const char *def,
                      char *value, int n_min, int n_max,
                      char *buf, const int buf_size,
                      const char *desc1, const char *desc2
                      )
{
    int i;
 start:
    if (!batch)
        BIO_printf(bio_err, "%s [%s]:", text, def);
    (void)BIO_flush(bio_err);
    if (value != NULL) {
        /* Configured value: echo it and treat it like typed input. */
        if (!join(buf, buf_size, value, "\n", desc1))
            return 0;
        BIO_printf(bio_err, "%s\n", value);
    } else {
        buf[0] = '\0';
        if (!batch) {
            /* EOF or read error: give up on this field. */
            if (!fgets(buf, buf_size, stdin))
                return 0;
        } else {
            /* Batch mode behaves as if return was pressed: take the default. */
            buf[0] = '\n';
            buf[1] = '\0';
        }
    }

    if (buf[0] == '\0')
        return 0;
    if (buf[0] == '\n') {
        if ((def == NULL) || (def[0] == '\0'))
            return 1;
        if (!join(buf, buf_size, def, "\n", desc2))
            return 0;
    } else if ((buf[0] == '.') && (buf[1] == '\n')) {
        return 1;
    }

    /*
     * buf is non-empty here, so i >= 1.  A line that did not fit in buf
     * (fgets filled it without reaching the newline) has no trailing '\n'
     * and is rejected rather than silently truncated.
     */
    i = strlen(buf);
    if (buf[i - 1] != '\n') {
        BIO_printf(bio_err, "weird input :-(\n");
        return 0;
    }
    buf[--i] = '\0';
#ifdef CHARSET_EBCDIC
    ebcdic2ascii(buf, buf, i);
#endif
    if (!req_check_len(i, n_min, n_max)) {
        /* Only an interactive user can be asked again. */
        if (batch || value)
            return 0;
        goto start;
    }
    return 2;
}
1390 | |
---|
/*
 * Check a field length against the configured bounds.  A non-positive
 * n_min or a negative n_max means "no bound" on that side.
 *
 * Returns 1 if len is acceptable, 0 after printing which bound failed.
 */
static int req_check_len(int len, int n_min, int n_max)
{
    int too_short = (n_min > 0 && len < n_min);
    int too_long = (n_max >= 0 && len > n_max);

    if (too_short) {
        BIO_printf(bio_err,
                   "string is too short, it needs to be at least %d bytes long\n",
                   n_min);
        return 0;
    }
    if (too_long) {
        BIO_printf(bio_err,
                   "string is too long, it needs to be no more than %d bytes long\n",
                   n_max);
        return 0;
    }
    return 1;
}
1407 | |
---|
/*
 * Test whether str ends with the suffix end.
 *
 * Follows strcmp() conventions: returns 0 when the suffix matches and a
 * non-zero value otherwise (1 when str is shorter than end).
 */
static int check_end(const char *str, const char *end)
{
    size_t slen = strlen(str), elen = strlen(end);

    if (slen < elen)
        return 1;
    return strcmp(str + (slen - elen), end);
}
1421 | |
---|
/*
 * Write name followed by tail into buf as a NUL-terminated string.
 *
 * The concatenation is refused (0 returned, message on bio_err naming desc)
 * when it would not fit in buf_size bytes including the terminator, so buf
 * is never written past its end.  Returns 1 on success.
 */
static int join(char buf[], size_t buf_size, const char *name,
                const char *tail, const char *desc)
{
    size_t name_len = strlen(name);
    size_t tail_len = strlen(tail);
    size_t needed = name_len + tail_len + 1;

    if (needed > buf_size) {
        BIO_printf(bio_err, "%s '%s' too long\n", desc, name);
        return 0;
    }
    memcpy(buf, name, name_len);
    /* tail_len + 1 copies the terminating NUL along with tail. */
    memcpy(buf + name_len, tail, tail_len + 1);
    return 1;
}
1439 | |
---|
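/*
 * Build and initialise a key-generation context from a -newkey argument.
 *
 * gstr is one of: NULL (RSA of *pkeylen bits), a bare bit count (RSA),
 * "param:FILE" (algorithm taken from the parameters or certificate in
 * FILE), or "ALG[:ARG]" where ARG is a bit count for RSA and a parameter
 * file for any other algorithm.
 *
 * On success *pkey_type holds the EVP_PKEY id and *pkeylen the key size in
 * bits (taken from the parameters when a file was read); when palgnam is
 * not NULL, *palgnam receives an OPENSSL_strdup()'d algorithm name that the
 * caller must OPENSSL_free().  Returns NULL after printing a diagnostic;
 * every failure path releases the parameters and the context it created.
 */
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
                                    int *pkey_type, long *pkeylen,
                                    char **palgnam, ENGINE *keygen_engine)
{
    EVP_PKEY_CTX *gctx = NULL;
    EVP_PKEY *param = NULL;
    long keylen = -1;
    BIO *pbio = NULL;
    const char *paramfile = NULL;

    if (gstr == NULL) {
        *pkey_type = EVP_PKEY_RSA;
        keylen = *pkeylen;
    } else if (gstr[0] >= '0' && gstr[0] <= '9') {
        *pkey_type = EVP_PKEY_RSA;
        /* atol() reports no errors: any non-digit suffix is ignored. */
        keylen = atol(gstr);
        *pkeylen = keylen;
    } else if (strncmp(gstr, "param:", 6) == 0) {
        paramfile = gstr + 6;
    } else {
        const char *p = strchr(gstr, ':');
        int len;
        ENGINE *tmpeng;
        const EVP_PKEY_ASN1_METHOD *ameth;

        if (p != NULL)
            len = p - gstr;
        else
            len = strlen(gstr);
        /*
         * The lookup of the string will cover all engines so keep a note
         * of the implementation.
         */
        ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);

        if (ameth == NULL) {
            BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
            return NULL;
        }

        EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
#ifndef OPENSSL_NO_ENGINE
        ENGINE_finish(tmpeng);
#endif
        if (*pkey_type == EVP_PKEY_RSA) {
            if (p != NULL) {
                /* "rsa:BITS"; same atol() caveat as above. */
                keylen = atol(p + 1);
                *pkeylen = keylen;
            } else {
                keylen = *pkeylen;
            }
        } else if (p != NULL) {
            paramfile = p + 1;
        }
    }

    if (paramfile != NULL) {
        pbio = BIO_new_file(paramfile, "r");
        if (pbio == NULL) {
            BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
            return NULL;
        }
        param = PEM_read_bio_Parameters(pbio, NULL);

        if (param == NULL) {
            X509 *x;

            /* Not a parameters PEM: retry as a certificate, use its key. */
            (void)BIO_reset(pbio);
            x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
            if (x != NULL) {
                param = X509_get_pubkey(x);
                X509_free(x);
            }
        }

        BIO_free(pbio);

        if (param == NULL) {
            BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
            return NULL;
        }
        if (*pkey_type == -1) {
            *pkey_type = EVP_PKEY_id(param);
        } else if (*pkey_type != EVP_PKEY_base_id(param)) {
            BIO_printf(bio_err, "Key Type does not match parameters\n");
            goto err;
        }
    }

    if (palgnam != NULL) {
        const EVP_PKEY_ASN1_METHOD *ameth;
        ENGINE *tmpeng;
        const char *anam;

        ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
        if (ameth == NULL) {
            BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
            /* param was previously leaked on this path. */
            goto err;
        }
        EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
        *palgnam = OPENSSL_strdup(anam);
#ifndef OPENSSL_NO_ENGINE
        ENGINE_finish(tmpeng);
#endif
        if (*palgnam == NULL) {
            BIO_puts(bio_err, "Error allocating algorithm name\n");
            goto err;
        }
    }

    if (param != NULL) {
        gctx = EVP_PKEY_CTX_new(param, keygen_engine);
        *pkeylen = EVP_PKEY_bits(param);
        EVP_PKEY_free(param);
        param = NULL;           /* keep the err: path from freeing it twice */
    } else {
        gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
    }

    if (gctx == NULL) {
        BIO_puts(bio_err, "Error allocating keygen context\n");
        ERR_print_errors(bio_err);
        return NULL;
    }

    if (EVP_PKEY_keygen_init(gctx) <= 0) {
        BIO_puts(bio_err, "Error initializing keygen context\n");
        ERR_print_errors(bio_err);
        goto err;
    }
#ifndef OPENSSL_NO_RSA
    if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
        if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
            BIO_puts(bio_err, "Error setting RSA keysize\n");
            ERR_print_errors(bio_err);
            goto err;
        }
    }
#endif

    return gctx;

 err:
    EVP_PKEY_free(param);
    EVP_PKEY_CTX_free(gctx);
    return NULL;
}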
1581 | |
---|
/*
 * Key-generation progress callback: writes one character per event to the
 * BIO stored as the context's app data ('.', '+', '*' or a newline,
 * chosen by keygen_info[0]; anything unexpected prints '*').
 *
 * Always returns 1 so generation continues.
 */
static int genpkey_cb(EVP_PKEY_CTX *ctx)
{
    BIO *out = EVP_PKEY_CTX_get_app_data(ctx);
    char mark;

    switch (EVP_PKEY_CTX_get_keygen_info(ctx, 0)) {
    case 0:
        mark = '.';
        break;
    case 1:
        mark = '+';
        break;
    case 3:
        mark = '\n';
        break;
    case 2:
    default:
        mark = '*';
        break;
    }
    BIO_write(out, &mark, 1);
    (void)BIO_flush(out);
    return 1;
}
1600 | |
---|
/*
 * Initialise ctx for signing with pkey and md, then apply each "name:value"
 * option from sigopts to the underlying EVP_PKEY_CTX.
 *
 * Returns 1 on success, 0 on a NULL ctx, an init failure, or a rejected
 * option (reported on bio_err).
 */
static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
                        const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_PKEY_CTX *pkctx = NULL;
    int def_nid, nopts, i;

    if (ctx == NULL)
        return 0;
    /*
     * EVP_PKEY_get_default_digest_nid() returns 2 when the digest is
     * mandated by the algorithm; NID_undef then means it must sign
     * without one, so any requested md is dropped.
     */
    if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
        && def_nid == NID_undef)
        md = NULL;
    if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
        return 0;

    nopts = sk_OPENSSL_STRING_num(sigopts);
    for (i = 0; i < nopts; i++) {
        char *opt = sk_OPENSSL_STRING_value(sigopts, i);

        if (pkey_ctrl_string(pkctx, opt) <= 0) {
            BIO_printf(bio_err, "parameter error \"%s\"\n", opt);
            ERR_print_errors(bio_err);
            return 0;
        }
    }
    return 1;
}
1630 | |
---|
/*
 * Sign certificate x with pkey/md and the given signature options.
 * Returns 1 on success, 0 otherwise.
 */
int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
                 STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int ok;

    /* do_sign_init() rejects a NULL ctx, so an allocation failure yields 0. */
    ok = do_sign_init(mctx, pkey, md, sigopts) > 0
         && X509_sign_ctx(x, mctx) > 0;
    EVP_MD_CTX_free(mctx);
    return ok;
}
1643 | |
---|
/*
 * Sign certificate request x with pkey/md and the given signature options.
 * Returns 1 on success, 0 otherwise.
 */
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
                     STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int ok;

    /* do_sign_init() rejects a NULL ctx, so an allocation failure yields 0. */
    ok = do_sign_init(mctx, pkey, md, sigopts) > 0
         && X509_REQ_sign_ctx(x, mctx) > 0;
    EVP_MD_CTX_free(mctx);
    return ok;
}
1655 | |
---|
/*
 * Sign CRL x with pkey/md and the given signature options.
 * Returns 1 on success, 0 otherwise.
 */
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
                     STACK_OF(OPENSSL_STRING) *sigopts)
{
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    int ok;

    /* do_sign_init() rejects a NULL ctx, so an allocation failure yields 0. */
    ok = do_sign_init(mctx, pkey, md, sigopts) > 0
         && X509_CRL_sign_ctx(x, mctx) > 0;
    EVP_MD_CTX_free(mctx);
    return ok;
}