req.c@ 93560

最後變更在這個檔案從93560是 91772,由 vboxsync 提交於 3 年前
openssl-1.1.1l: Applied and adjusted our OpenSSL changes to 1.1.1l. bugref:10126
檔案大小: 51.5 KB

行
1	/*
2	* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <stdio.h>
11	#include <stdlib.h>
12	#include <time.h>
13	#include <string.h>
14	#include <ctype.h>
15	#include "apps.h"
16	#include "progs.h"
17	#include <openssl/bio.h>
18	#include <openssl/evp.h>
19	#include <openssl/conf.h>
20	#include <openssl/err.h>
21	#include <openssl/asn1.h>
22	#include <openssl/x509.h>
23	#include <openssl/x509v3.h>
24	#include <openssl/objects.h>
25	#include <openssl/pem.h>
26	#include <openssl/bn.h>
27	#include <openssl/lhash.h>
28	#ifndef OPENSSL_NO_RSA
29	# include <openssl/rsa.h>
30	#endif
31	#ifndef OPENSSL_NO_DSA
32	# include <openssl/dsa.h>
33	#endif
34
35	#define SECTION "req"
36
37	#define BITS "default_bits"
38	#define KEYFILE "default_keyfile"
39	#define PROMPT "prompt"
40	#define DISTINGUISHED_NAME "distinguished_name"
41	#define ATTRIBUTES "attributes"
42	#define V3_EXTENSIONS "x509_extensions"
43	#define REQ_EXTENSIONS "req_extensions"
44	#define STRING_MASK "string_mask"
45	#define UTF8_IN "utf8"
46
47	#define DEFAULT_KEY_LENGTH 2048
48	#define MIN_KEY_LENGTH 512
49
50	static int make_REQ(X509_REQ req, EVP_PKEY pkey, char *dn, int mutlirdn,
51	int attribs, unsigned long chtype);
52	static int build_subject(X509_REQ req, const char subj, unsigned long chtype,
53	int multirdn);
54	static int prompt_info(X509_REQ *req,
55	STACK_OF(CONF_VALUE) dn_sk, const char dn_sect,
56	STACK_OF(CONF_VALUE) attr_sk, const char attr_sect,
57	int attribs, unsigned long chtype);
58	static int auto_info(X509_REQ req, STACK_OF(CONF_VALUE) sk,
59	STACK_OF(CONF_VALUE) *attr, int attribs,
60	unsigned long chtype);
61	static int add_attribute_object(X509_REQ req, char text, const char *def,
62	char *value, int nid, int n_min, int n_max,
63	unsigned long chtype);
64	static int add_DN_object(X509_NAME n, char text, const char *def,
65	char *value, int nid, int n_min, int n_max,
66	unsigned long chtype, int mval);
67	static int genpkey_cb(EVP_PKEY_CTX *ctx);
68	static int build_data(char text, const char def,
69	char *value, int n_min, int n_max,
70	char *buf, const int buf_size,
71	const char desc1, const char desc2
72	);
73	static int req_check_len(int len, int n_min, int n_max);
74	static int check_end(const char str, const char end);
75	static int join(char buf[], size_t buf_size, const char *name,
76	const char tail, const char desc);
77	static EVP_PKEY_CTX set_keygen_ctx(const char gstr,
78	int pkey_type, long pkeylen,
79	char *palgnam, ENGINE keygen_engine);
80	static CONF *req_conf = NULL;
81	static CONF *addext_conf = NULL;
82	static int batch = 0;
83
84	typedef enum OPTION_choice {
85	OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
86	OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
87	OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
88	OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
89	OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
90	OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
91	OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
92	OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
93	OPT_REQEXTS, OPT_PRECERT, OPT_MD,
94	OPT_R_ENUM
95	} OPTION_CHOICE;
96
97	const OPTIONS req_options[] = {
98	{"help", OPT_HELP, '-', "Display this summary"},
99	{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
100	{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
101	{"in", OPT_IN, '<', "Input file"},
102	{"out", OPT_OUT, '>', "Output file"},
103	{"key", OPT_KEY, 's', "Private key to use"},
104	{"keyform", OPT_KEYFORM, 'f', "Key file format"},
105	{"pubkey", OPT_PUBKEY, '-', "Output public key"},
106	{"new", OPT_NEW, '-', "New request"},
107	{"config", OPT_CONFIG, '<', "Request template file"},
108	{"keyout", OPT_KEYOUT, '>', "File to send the key to"},
109	{"passin", OPT_PASSIN, 's', "Private key password source"},
110	{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
111	OPT_R_OPTIONS,
112	{"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
113	{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
114	{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
115	{"batch", OPT_BATCH, '-',
116	"Do not ask anything during request generation"},
117	{"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
118	{"modulus", OPT_MODULUS, '-', "RSA modulus"},
119	{"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
120	{"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
121	{"noout", OPT_NOOUT, '-', "Do not output REQ"},
122	{"verbose", OPT_VERBOSE, '-', "Verbose output"},
123	{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
124	{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
125	{"reqopt", OPT_REQOPT, 's', "Various request text options"},
126	{"text", OPT_TEXT, '-', "Text form of request"},
127	{"x509", OPT_X509, '-',
128	"Output a x509 structure instead of a cert request"},
129	{OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
130	{"subj", OPT_SUBJ, 's', "Set or modify request subject"},
131	{"subject", OPT_SUBJECT, '-', "Output the request's subject"},
132	{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
133	"Enable support for multivalued RDNs"},
134	{"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
135	{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
136	{"addext", OPT_ADDEXT, 's',
137	"Additional cert extension key=value pair (may be given more than once)"},
138	{"extensions", OPT_EXTENSIONS, 's',
139	"Cert extension section (override value in config file)"},
140	{"reqexts", OPT_REQEXTS, 's',
141	"Request extension section (override value in config file)"},
142	{"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
143	{"", OPT_MD, '-', "Any supported digest"},
144	#ifndef OPENSSL_NO_ENGINE
145	{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
146	{"keygen_engine", OPT_KEYGEN_ENGINE, 's',
147	"Specify engine to be used for key generation operations"},
148	#endif
149	{NULL}
150	};
151
152
153	/*
154	* An LHASH of strings, where each string is an extension name.
155	*/
156	static unsigned long ext_name_hash(const OPENSSL_STRING *a)
157	{
158	return OPENSSL_LH_strhash((const char *)a);
159	}
160
161	static int ext_name_cmp(const OPENSSL_STRING a, const OPENSSL_STRING b)
162	{
163	return strcmp((const char )a, (const char )b);
164	}
165
166	static void exts_cleanup(OPENSSL_STRING *x)
167	{
168	OPENSSL_free((char *)x);
169	}
170
171	/*
172	* Is the \|kv\| key already duplicated? This is remarkably tricky to get
173	* right. Return 0 if unique, -1 on runtime error; 1 if found or a syntax
174	* error.
175	*/
176	static int duplicated(LHASH_OF(OPENSSL_STRING) addexts, char kv)
177	{
178	char *p;
179	size_t off;
180
181	/* Check syntax. */
182	/* Skip leading whitespace, make a copy. */
183	while (kv && isspace(kv))
184	if (*++kv == '\0')
185	return 1;
186	if ((p = strchr(kv, '=')) == NULL)
187	return 1;
188	off = p - kv;
189	if ((kv = OPENSSL_strdup(kv)) == NULL)
190	return -1;
191
192	/* Skip trailing space before the equal sign. */
193	for (p = kv + off; p > kv; --p)
194	if (!isspace(p[-1]))
195	break;
196	if (p == kv) {
197	OPENSSL_free(kv);
198	return 1;
199	}
200	*p = '\0';
201
202	/* Finally have a clean "key"; see if it's there [by attempt to add it]. */
203	p = (char )lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING)kv);
204	if (p != NULL) {
205	OPENSSL_free(p);
206	return 1;
207	} else if (lh_OPENSSL_STRING_error(addexts)) {
208	OPENSSL_free(kv);
209	return -1;
210	}
211
212	return 0;
213	}
214
215	int req_main(int argc, char **argv)
216	{
217	ASN1_INTEGER *serial = NULL;
218	BIO in = NULL, out = NULL;
219	ENGINE e = NULL, gen_eng = NULL;
220	EVP_PKEY *pkey = NULL;
221	EVP_PKEY_CTX *genctx = NULL;
222	STACK_OF(OPENSSL_STRING) pkeyopts = NULL, sigopts = NULL;
223	LHASH_OF(OPENSSL_STRING) *addexts = NULL;
224	X509 *x509ss = NULL;
225	X509_REQ *req = NULL;
226	const EVP_CIPHER *cipher = NULL;
227	const EVP_MD md_alg = NULL, digest = NULL;
228	BIO *addext_bio = NULL;
229	char extensions = NULL, infile = NULL;
230	char outfile = NULL, keyfile = NULL;
231	char keyalgstr = NULL, p, prog, passargin = NULL, *passargout = NULL;
232	char passin = NULL, passout = NULL;
233	char nofree_passin = NULL, nofree_passout = NULL;
234	char req_exts = NULL, subj = NULL;
235	char template = default_config_file, keyout = NULL;
236	const char *keyalg = NULL;
237	OPTION_CHOICE o;
238	int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0;
239	int pkey_type = -1, private = 0;
240	int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
241	int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
242	int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
243	long newkey = -1;
244	unsigned long chtype = MBSTRING_ASC, reqflag = 0;
245
246	#ifndef OPENSSL_NO_DES
247	cipher = EVP_des_ede3_cbc();
248	#endif
249
250	prog = opt_init(argc, argv, req_options);
251	while ((o = opt_next()) != OPT_EOF) {
252	switch (o) {
253	case OPT_EOF:
254	case OPT_ERR:
255	opthelp:
256	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
257	goto end;
258	case OPT_HELP:
259	opt_help(req_options);
260	ret = 0;
261	goto end;
262	case OPT_INFORM:
263	if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
264	goto opthelp;
265	break;
266	case OPT_OUTFORM:
267	if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
268	goto opthelp;
269	break;
270	case OPT_ENGINE:
271	e = setup_engine(opt_arg(), 0);
272	break;
273	case OPT_KEYGEN_ENGINE:
274	#ifndef OPENSSL_NO_ENGINE
275	gen_eng = ENGINE_by_id(opt_arg());
276	if (gen_eng == NULL) {
277	BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
278	goto opthelp;
279	}
280	#endif
281	break;
282	case OPT_KEY:
283	keyfile = opt_arg();
284	break;
285	case OPT_PUBKEY:
286	pubkey = 1;
287	break;
288	case OPT_NEW:
289	newreq = 1;
290	break;
291	case OPT_CONFIG:
292	template = opt_arg();
293	break;
294	case OPT_KEYFORM:
295	if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
296	goto opthelp;
297	break;
298	case OPT_IN:
299	infile = opt_arg();
300	break;
301	case OPT_OUT:
302	outfile = opt_arg();
303	break;
304	case OPT_KEYOUT:
305	keyout = opt_arg();
306	break;
307	case OPT_PASSIN:
308	passargin = opt_arg();
309	break;
310	case OPT_PASSOUT:
311	passargout = opt_arg();
312	break;
313	case OPT_R_CASES:
314	if (!opt_rand(o))
315	goto end;
316	break;
317	case OPT_NEWKEY:
318	keyalg = opt_arg();
319	newreq = 1;
320	break;
321	case OPT_PKEYOPT:
322	if (!pkeyopts)
323	pkeyopts = sk_OPENSSL_STRING_new_null();
324	if (!pkeyopts \|\| !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
325	goto opthelp;
326	break;
327	case OPT_SIGOPT:
328	if (!sigopts)
329	sigopts = sk_OPENSSL_STRING_new_null();
330	if (!sigopts \|\| !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
331	goto opthelp;
332	break;
333	case OPT_BATCH:
334	batch = 1;
335	break;
336	case OPT_NEWHDR:
337	newhdr = 1;
338	break;
339	case OPT_MODULUS:
340	modulus = 1;
341	break;
342	case OPT_VERIFY:
343	verify = 1;
344	break;
345	case OPT_NODES:
346	nodes = 1;
347	break;
348	case OPT_NOOUT:
349	noout = 1;
350	break;
351	case OPT_VERBOSE:
352	verbose = 1;
353	break;
354	case OPT_UTF8:
355	chtype = MBSTRING_UTF8;
356	break;
357	case OPT_NAMEOPT:
358	if (!set_nameopt(opt_arg()))
359	goto opthelp;
360	break;
361	case OPT_REQOPT:
362	if (!set_cert_ex(&reqflag, opt_arg()))
363	goto opthelp;
364	break;
365	case OPT_TEXT:
366	text = 1;
367	break;
368	case OPT_X509:
369	x509 = 1;
370	break;
371	case OPT_DAYS:
372	days = atoi(opt_arg());
373	break;
374	case OPT_SET_SERIAL:
375	if (serial != NULL) {
376	BIO_printf(bio_err, "Serial number supplied twice\n");
377	goto opthelp;
378	}
379	serial = s2i_ASN1_INTEGER(NULL, opt_arg());
380	if (serial == NULL)
381	goto opthelp;
382	break;
383	case OPT_SUBJECT:
384	subject = 1;
385	break;
386	case OPT_SUBJ:
387	subj = opt_arg();
388	break;
389	case OPT_MULTIVALUE_RDN:
390	multirdn = 1;
391	break;
392	case OPT_ADDEXT:
393	p = opt_arg();
394	if (addexts == NULL) {
395	addexts = lh_OPENSSL_STRING_new(ext_name_hash, ext_name_cmp);
396	addext_bio = BIO_new(BIO_s_mem());
397	if (addexts == NULL \|\| addext_bio == NULL)
398	goto end;
399	}
400	i = duplicated(addexts, p);
401	if (i == 1)
402	goto opthelp;
403	if (i < 0 \|\| BIO_printf(addext_bio, "%s\n", opt_arg()) < 0)
404	goto end;
405	break;
406	case OPT_EXTENSIONS:
407	extensions = opt_arg();
408	break;
409	case OPT_REQEXTS:
410	req_exts = opt_arg();
411	break;
412	case OPT_PRECERT:
413	newreq = precert = 1;
414	break;
415	case OPT_MD:
416	if (!opt_md(opt_unknown(), &md_alg))
417	goto opthelp;
418	digest = md_alg;
419	break;
420	}
421	}
422	argc = opt_num_rest();
423	if (argc != 0)
424	goto opthelp;
425
426	if (days && !x509)
427	BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n");
428	if (x509 && infile == NULL)
429	newreq = 1;
430
431	/* TODO: simplify this as pkey is still always NULL here */
432	private = newreq && (pkey == NULL) ? 1 : 0;
433
434	if (!app_passwd(passargin, passargout, &passin, &passout)) {
435	BIO_printf(bio_err, "Error getting passwords\n");
436	goto end;
437	}
438
439	if (verbose)
440	BIO_printf(bio_err, "Using configuration from %s\n", template);
441	if ((req_conf = app_load_config(template)) == NULL)
442	goto end;
443	if (addext_bio) {
444	if (verbose)
445	BIO_printf(bio_err,
446	"Using additional configuration from command line\n");
447	if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL)
448	goto end;
449	}
450	if (template != default_config_file && !app_load_modules(req_conf))
451	goto end;
452
453	if (req_conf != NULL) {
454	p = NCONF_get_string(req_conf, NULL, "oid_file");
455	if (p == NULL)
456	ERR_clear_error();
457	if (p != NULL) {
458	BIO *oid_bio;
459
460	oid_bio = BIO_new_file(p, "r");
461	if (oid_bio == NULL) {
462	/*-
463	BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
464	ERR_print_errors(bio_err);
465	*/
466	} else {
467	OBJ_create_objects(oid_bio);
468	BIO_free(oid_bio);
469	}
470	}
471	}
472	if (!add_oid_section(req_conf))
473	goto end;
474
475	if (md_alg == NULL) {
476	p = NCONF_get_string(req_conf, SECTION, "default_md");
477	if (p == NULL) {
478	ERR_clear_error();
479	} else {
480	if (!opt_md(p, &md_alg))
481	goto opthelp;
482	digest = md_alg;
483	}
484	}
485
486	if (extensions == NULL) {
487	extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
488	if (extensions == NULL)
489	ERR_clear_error();
490	}
491	if (extensions != NULL) {
492	/* Check syntax of file */
493	X509V3_CTX ctx;
494	X509V3_set_ctx_test(&ctx);
495	X509V3_set_nconf(&ctx, req_conf);
496	if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
497	BIO_printf(bio_err,
498	"Error Loading extension section %s\n", extensions);
499	goto end;
500	}
501	}
502	if (addext_conf != NULL) {
503	/* Check syntax of command line extensions */
504	X509V3_CTX ctx;
505	X509V3_set_ctx_test(&ctx);
506	X509V3_set_nconf(&ctx, addext_conf);
507	if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
508	BIO_printf(bio_err, "Error Loading command line extensions\n");
509	goto end;
510	}
511	}
512
513	if (passin == NULL) {
514	passin = nofree_passin =
515	NCONF_get_string(req_conf, SECTION, "input_password");
516	if (passin == NULL)
517	ERR_clear_error();
518	}
519
520	if (passout == NULL) {
521	passout = nofree_passout =
522	NCONF_get_string(req_conf, SECTION, "output_password");
523	if (passout == NULL)
524	ERR_clear_error();
525	}
526
527	p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
528	if (p == NULL)
529	ERR_clear_error();
530
531	if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) {
532	BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
533	goto end;
534	}
535
536	if (chtype != MBSTRING_UTF8) {
537	p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
538	if (p == NULL)
539	ERR_clear_error();
540	else if (strcmp(p, "yes") == 0)
541	chtype = MBSTRING_UTF8;
542	}
543
544	if (req_exts == NULL) {
545	req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
546	if (req_exts == NULL)
547	ERR_clear_error();
548	}
549	if (req_exts != NULL) {
550	/* Check syntax of file */
551	X509V3_CTX ctx;
552	X509V3_set_ctx_test(&ctx);
553	X509V3_set_nconf(&ctx, req_conf);
554	if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
555	BIO_printf(bio_err,
556	"Error Loading request extension section %s\n",
557	req_exts);
558	goto end;
559	}
560	}
561
562	if (keyfile != NULL) {
563	pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
564	if (pkey == NULL) {
565	/* load_key() has already printed an appropriate message */
566	goto end;
567	} else {
568	app_RAND_load_conf(req_conf, SECTION);
569	}
570	}
571
572	if (newreq && (pkey == NULL)) {
573	app_RAND_load_conf(req_conf, SECTION);
574
575	if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
576	newkey = DEFAULT_KEY_LENGTH;
577	}
578
579	if (keyalg != NULL) {
580	genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
581	&keyalgstr, gen_eng);
582	if (genctx == NULL)
583	goto end;
584	}
585
586	if (newkey < MIN_KEY_LENGTH
587	&& (pkey_type == EVP_PKEY_RSA \|\| pkey_type == EVP_PKEY_DSA)) {
588	BIO_printf(bio_err, "private key length is too short,\n");
589	BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
590	MIN_KEY_LENGTH, newkey);
591	goto end;
592	}
593
594	if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS)
595	BIO_printf(bio_err,
596	"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
597	" Your key size is %ld! Larger key size may behave not as expected.\n",
598	OPENSSL_RSA_MAX_MODULUS_BITS, newkey);
599
600	#ifndef OPENSSL_NO_DSA
601	if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS)
602	BIO_printf(bio_err,
603	"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
604	" Your key size is %ld! Larger key size may behave not as expected.\n",
605	OPENSSL_DSA_MAX_MODULUS_BITS, newkey);
606	#endif
607
608	if (genctx == NULL) {
609	genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
610	&keyalgstr, gen_eng);
611	if (!genctx)
612	goto end;
613	}
614
615	if (pkeyopts != NULL) {
616	char *genopt;
617	for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
618	genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
619	if (pkey_ctrl_string(genctx, genopt) <= 0) {
620	BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
621	ERR_print_errors(bio_err);
622	goto end;
623	}
624	}
625	}
626
627	if (pkey_type == EVP_PKEY_EC) {
628	BIO_printf(bio_err, "Generating an EC private key\n");
629	} else {
630	BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr);
631	}
632
633	EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
634	EVP_PKEY_CTX_set_app_data(genctx, bio_err);
635
636	if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
637	BIO_puts(bio_err, "Error Generating Key\n");
638	goto end;
639	}
640
641	EVP_PKEY_CTX_free(genctx);
642	genctx = NULL;
643
644	if (keyout == NULL) {
645	keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
646	if (keyout == NULL)
647	ERR_clear_error();
648	}
649
650	if (keyout == NULL)
651	BIO_printf(bio_err, "writing new private key to stdout\n");
652	else
653	BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
654	out = bio_open_owner(keyout, outformat, private);
655	if (out == NULL)
656	goto end;
657
658	p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
659	if (p == NULL) {
660	ERR_clear_error();
661	p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
662	if (p == NULL)
663	ERR_clear_error();
664	}
665	if ((p != NULL) && (strcmp(p, "no") == 0))
666	cipher = NULL;
667	if (nodes)
668	cipher = NULL;
669
670	i = 0;
671	loop:
672	assert(private);
673	if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
674	NULL, 0, NULL, passout)) {
675	if ((ERR_GET_REASON(ERR_peek_error()) ==
676	PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
677	ERR_clear_error();
678	i++;
679	goto loop;
680	}
681	goto end;
682	}
683	BIO_free(out);
684	out = NULL;
685	BIO_printf(bio_err, "-----\n");
686	}
687
688	if (!newreq) {
689	in = bio_open_default(infile, 'r', informat);
690	if (in == NULL)
691	goto end;
692
693	if (informat == FORMAT_ASN1)
694	req = d2i_X509_REQ_bio(in, NULL);
695	else
696	req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
697	if (req == NULL) {
698	BIO_printf(bio_err, "unable to load X509 request\n");
699	goto end;
700	}
701	}
702
703	if (newreq \|\| x509) {
704	if (pkey == NULL) {
705	BIO_printf(bio_err, "you need to specify a private key\n");
706	goto end;
707	}
708
709	if (req == NULL) {
710	req = X509_REQ_new();
711	if (req == NULL) {
712	goto end;
713	}
714
715	i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
716	subj = NULL; /* done processing '-subj' option */
717	if (!i) {
718	BIO_printf(bio_err, "problems making Certificate Request\n");
719	goto end;
720	}
721	}
722	if (x509) {
723	EVP_PKEY *tmppkey;
724	X509V3_CTX ext_ctx;
725	if ((x509ss = X509_new()) == NULL)
726	goto end;
727
728	/* Set version to V3 */
729	if ((extensions != NULL \|\| addext_conf != NULL)
730	&& !X509_set_version(x509ss, 2))
731	goto end;
732	if (serial != NULL) {
733	if (!X509_set_serialNumber(x509ss, serial))
734	goto end;
735	} else {
736	if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
737	goto end;
738	}
739
740	if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
741	goto end;
742	if (days == 0) {
743	/* set default days if it's not specified */
744	days = 30;
745	}
746	if (!set_cert_times(x509ss, NULL, NULL, days))
747	goto end;
748	if (!X509_set_subject_name
749	(x509ss, X509_REQ_get_subject_name(req)))
750	goto end;
751	tmppkey = X509_REQ_get0_pubkey(req);
752	if (!tmppkey \|\| !X509_set_pubkey(x509ss, tmppkey))
753	goto end;
754
755	/* Set up V3 context struct */
756
757	X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
758	X509V3_set_nconf(&ext_ctx, req_conf);
759
760	/* Add extensions */
761	if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf,
762	&ext_ctx, extensions,
763	x509ss)) {
764	BIO_printf(bio_err, "Error Loading extension section %s\n",
765	extensions);
766	goto end;
767	}
768	if (addext_conf != NULL
769	&& !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default",
770	x509ss)) {
771	BIO_printf(bio_err, "Error Loading command line extensions\n");
772	goto end;
773	}
774
775	/* If a pre-cert was requested, we need to add a poison extension */
776	if (precert) {
777	if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
778	!= 1) {
779	BIO_printf(bio_err, "Error adding poison extension\n");
780	goto end;
781	}
782	}
783
784	i = do_X509_sign(x509ss, pkey, digest, sigopts);
785	if (!i) {
786	ERR_print_errors(bio_err);
787	goto end;
788	}
789	} else {
790	X509V3_CTX ext_ctx;
791
792	/* Set up V3 context struct */
793
794	X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
795	X509V3_set_nconf(&ext_ctx, req_conf);
796
797	/* Add extensions */
798	if (req_exts != NULL
799	&& !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx,
800	req_exts, req)) {
801	BIO_printf(bio_err, "Error Loading extension section %s\n",
802	req_exts);
803	goto end;
804	}
805	if (addext_conf != NULL
806	&& !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default",
807	req)) {
808	BIO_printf(bio_err, "Error Loading command line extensions\n");
809	goto end;
810	}
811	i = do_X509_REQ_sign(req, pkey, digest, sigopts);
812	if (!i) {
813	ERR_print_errors(bio_err);
814	goto end;
815	}
816	}
817	}
818
819	if (subj && x509) {
820	BIO_printf(bio_err, "Cannot modify certificate subject\n");
821	goto end;
822	}
823
824	if (subj && !x509) {
825	if (verbose) {
826	BIO_printf(bio_err, "Modifying Request's Subject\n");
827	print_name(bio_err, "old subject=",
828	X509_REQ_get_subject_name(req), get_nameopt());
829	}
830
831	if (build_subject(req, subj, chtype, multirdn) == 0) {
832	BIO_printf(bio_err, "ERROR: cannot modify subject\n");
833	ret = 1;
834	goto end;
835	}
836
837	if (verbose) {
838	print_name(bio_err, "new subject=",
839	X509_REQ_get_subject_name(req), get_nameopt());
840	}
841	}
842
843	if (verify && !x509) {
844	EVP_PKEY *tpubkey = pkey;
845
846	if (tpubkey == NULL) {
847	tpubkey = X509_REQ_get0_pubkey(req);
848	if (tpubkey == NULL)
849	goto end;
850	}
851
852	i = X509_REQ_verify(req, tpubkey);
853
854	if (i < 0) {
855	goto end;
856	} else if (i == 0) {
857	BIO_printf(bio_err, "verify failure\n");
858	ERR_print_errors(bio_err);
859	} else { /* if (i > 0) */
860	BIO_printf(bio_err, "verify OK\n");
861	}
862	}
863
864	if (noout && !text && !modulus && !subject && !pubkey) {
865	ret = 0;
866	goto end;
867	}
868
869	out = bio_open_default(outfile,
870	keyout != NULL && outfile != NULL &&
871	strcmp(keyout, outfile) == 0 ? 'a' : 'w',
872	outformat);
873	if (out == NULL)
874	goto end;
875
876	if (pubkey) {
877	EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req);
878
879	if (tpubkey == NULL) {
880	BIO_printf(bio_err, "Error getting public key\n");
881	ERR_print_errors(bio_err);
882	goto end;
883	}
884	PEM_write_bio_PUBKEY(out, tpubkey);
885	}
886
887	if (text) {
888	if (x509)
889	ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag);
890	else
891	ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
892
893	if (ret == 0) {
894	if (x509)
895	BIO_printf(bio_err, "Error printing certificate\n");
896	else
897	BIO_printf(bio_err, "Error printing certificate request\n");
898
899	ERR_print_errors(bio_err);
900	goto end;
901	}
902	}
903
904	if (subject) {
905	if (x509)
906	print_name(out, "subject=", X509_get_subject_name(x509ss),
907	get_nameopt());
908	else
909	print_name(out, "subject=", X509_REQ_get_subject_name(req),
910	get_nameopt());
911	}
912
913	if (modulus) {
914	EVP_PKEY *tpubkey;
915
916	if (x509)
917	tpubkey = X509_get0_pubkey(x509ss);
918	else
919	tpubkey = X509_REQ_get0_pubkey(req);
920	if (tpubkey == NULL) {
921	fprintf(stdout, "Modulus=unavailable\n");
922	goto end;
923	}
924	fprintf(stdout, "Modulus=");
925	#ifndef OPENSSL_NO_RSA
926	if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
927	const BIGNUM *n;
928	RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
929	BN_print(out, n);
930	} else
931	#endif
932	fprintf(stdout, "Wrong Algorithm type");
933	fprintf(stdout, "\n");
934	}
935
936	if (!noout && !x509) {
937	if (outformat == FORMAT_ASN1)
938	i = i2d_X509_REQ_bio(out, req);
939	else if (newhdr)
940	i = PEM_write_bio_X509_REQ_NEW(out, req);
941	else
942	i = PEM_write_bio_X509_REQ(out, req);
943	if (!i) {
944	BIO_printf(bio_err, "unable to write X509 request\n");
945	goto end;
946	}
947	}
948	if (!noout && x509 && (x509ss != NULL)) {
949	if (outformat == FORMAT_ASN1)
950	i = i2d_X509_bio(out, x509ss);
951	else
952	i = PEM_write_bio_X509(out, x509ss);
953	if (!i) {
954	BIO_printf(bio_err, "unable to write X509 certificate\n");
955	goto end;
956	}
957	}
958	ret = 0;
959	end:
960	if (ret) {
961	ERR_print_errors(bio_err);
962	}
963	NCONF_free(req_conf);
964	NCONF_free(addext_conf);
965	BIO_free(addext_bio);
966	BIO_free(in);
967	BIO_free_all(out);
968	EVP_PKEY_free(pkey);
969	EVP_PKEY_CTX_free(genctx);
970	sk_OPENSSL_STRING_free(pkeyopts);
971	sk_OPENSSL_STRING_free(sigopts);
972	lh_OPENSSL_STRING_doall(addexts, exts_cleanup);
973	lh_OPENSSL_STRING_free(addexts);
974	#ifndef OPENSSL_NO_ENGINE
975	ENGINE_free(gen_eng);
976	#endif
977	OPENSSL_free(keyalgstr);
978	X509_REQ_free(req);
979	X509_free(x509ss);
980	ASN1_INTEGER_free(serial);
981	release_engine(e);
982	if (passin != nofree_passin)
983	OPENSSL_free(passin);
984	if (passout != nofree_passout)
985	OPENSSL_free(passout);
986	return ret;
987	}
988
989	static int make_REQ(X509_REQ req, EVP_PKEY pkey, char *subj, int multirdn,
990	int attribs, unsigned long chtype)
991	{
992	int ret = 0, i;
993	char no_prompt = 0;
994	STACK_OF(CONF_VALUE) dn_sk, attr_sk = NULL;
995	char tmp, dn_sect, *attr_sect;
996
997	tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
998	if (tmp == NULL)
999	ERR_clear_error();
1000	if ((tmp != NULL) && strcmp(tmp, "no") == 0)
1001	no_prompt = 1;
1002
1003	dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
1004	if (dn_sect == NULL) {
1005	BIO_printf(bio_err, "unable to find '%s' in config\n",
1006	DISTINGUISHED_NAME);
1007	goto err;
1008	}
1009	dn_sk = NCONF_get_section(req_conf, dn_sect);
1010	if (dn_sk == NULL) {
1011	BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
1012	goto err;
1013	}
1014
1015	attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
1016	if (attr_sect == NULL) {
1017	ERR_clear_error();
1018	attr_sk = NULL;
1019	} else {
1020	attr_sk = NCONF_get_section(req_conf, attr_sect);
1021	if (attr_sk == NULL) {
1022	BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
1023	goto err;
1024	}
1025	}
1026
1027	/* setup version number */
1028	if (!X509_REQ_set_version(req, 0L))
1029	goto err; /* version 1 */
1030
1031	if (subj)
1032	i = build_subject(req, subj, chtype, multirdn);
1033	else if (no_prompt)
1034	i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
1035	else
1036	i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
1037	chtype);
1038	if (!i)
1039	goto err;
1040
1041	if (!X509_REQ_set_pubkey(req, pkey))
1042	goto err;
1043
1044	ret = 1;
1045	err:
1046	return ret;
1047	}
1048
1049	/*
1050	* subject is expected to be in the format /type0=value0/type1=value1/type2=...
1051	* where characters may be escaped by \
1052	*/
1053	static int build_subject(X509_REQ req, const char subject, unsigned long chtype,
1054	int multirdn)
1055	{
1056	X509_NAME *n;
1057
1058	if ((n = parse_name(subject, chtype, multirdn)) == NULL)
1059	return 0;
1060
1061	if (!X509_REQ_set_subject_name(req, n)) {
1062	X509_NAME_free(n);
1063	return 0;
1064	}
1065	X509_NAME_free(n);
1066	return 1;
1067	}
1068
1069	static int prompt_info(X509_REQ *req,
1070	STACK_OF(CONF_VALUE) dn_sk, const char dn_sect,
1071	STACK_OF(CONF_VALUE) attr_sk, const char attr_sect,
1072	int attribs, unsigned long chtype)
1073	{
1074	int i;
1075	char p, q;
1076	char buf[100];
1077	int nid, mval;
1078	long n_min, n_max;
1079	char type, value;
1080	const char *def;
1081	CONF_VALUE *v;
1082	X509_NAME *subj;
1083	subj = X509_REQ_get_subject_name(req);
1084
1085	if (!batch) {
1086	BIO_printf(bio_err,
1087	"You are about to be asked to enter information that will be incorporated\n");
1088	BIO_printf(bio_err, "into your certificate request.\n");
1089	BIO_printf(bio_err,
1090	"What you are about to enter is what is called a Distinguished Name or a DN.\n");
1091	BIO_printf(bio_err,
1092	"There are quite a few fields but you can leave some blank\n");
1093	BIO_printf(bio_err,
1094	"For some fields there will be a default value,\n");
1095	BIO_printf(bio_err,
1096	"If you enter '.', the field will be left blank.\n");
1097	BIO_printf(bio_err, "-----\n");
1098	}
1099
1100	if (sk_CONF_VALUE_num(dn_sk)) {
1101	i = -1;
1102	start:
1103	for ( ; ; ) {
1104	i++;
1105	if (sk_CONF_VALUE_num(dn_sk) <= i)
1106	break;
1107
1108	v = sk_CONF_VALUE_value(dn_sk, i);
1109	p = q = NULL;
1110	type = v->name;
1111	if (!check_end(type, "_min") \|\| !check_end(type, "_max") \|\|
1112	!check_end(type, "_default") \|\| !check_end(type, "_value"))
1113	continue;
1114	/*
1115	* Skip past any leading X. X: X, etc to allow for multiple
1116	* instances
1117	*/
1118	for (p = v->name; *p; p++)
1119	if ((p == ':') \|\| (p == ',') \|\| (*p == '.')) {
1120	p++;
1121	if (*p)
1122	type = p;
1123	break;
1124	}
1125	if (*type == '+') {
1126	mval = -1;
1127	type++;
1128	} else {
1129	mval = 0;
1130	}
1131	/* If OBJ not recognised ignore it */
1132	if ((nid = OBJ_txt2nid(type)) == NID_undef)
1133	goto start;
1134	if (!join(buf, sizeof(buf), v->name, "_default", "Name"))
1135	return 0;
1136	if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
1137	ERR_clear_error();
1138	def = "";
1139	}
1140
1141	if (!join(buf, sizeof(buf), v->name, "_value", "Name"))
1142	return 0;
1143	if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
1144	ERR_clear_error();
1145	value = NULL;
1146	}
1147
1148	if (!join(buf, sizeof(buf), v->name, "_min", "Name"))
1149	return 0;
1150	if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
1151	ERR_clear_error();
1152	n_min = -1;
1153	}
1154
1155
1156	if (!join(buf, sizeof(buf), v->name, "_max", "Name"))
1157	return 0;
1158	if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
1159	ERR_clear_error();
1160	n_max = -1;
1161	}
1162
1163	if (!add_DN_object(subj, v->value, def, value, nid,
1164	n_min, n_max, chtype, mval))
1165	return 0;
1166	}
1167	if (X509_NAME_entry_count(subj) == 0) {
1168	BIO_printf(bio_err,
1169	"error, no objects specified in config file\n");
1170	return 0;
1171	}
1172
1173	if (attribs) {
1174	if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
1175	&& (!batch)) {
1176	BIO_printf(bio_err,
1177	"\nPlease enter the following 'extra' attributes\n");
1178	BIO_printf(bio_err,
1179	"to be sent with your certificate request\n");
1180	}
1181
1182	i = -1;
1183	start2:
1184	for ( ; ; ) {
1185	i++;
1186	if ((attr_sk == NULL) \|\| (sk_CONF_VALUE_num(attr_sk) <= i))
1187	break;
1188
1189	v = sk_CONF_VALUE_value(attr_sk, i);
1190	type = v->name;
1191	if ((nid = OBJ_txt2nid(type)) == NID_undef)
1192	goto start2;
1193
1194	if (!join(buf, sizeof(buf), type, "_default", "Name"))
1195	return 0;
1196	if ((def = NCONF_get_string(req_conf, attr_sect, buf))
1197	== NULL) {
1198	ERR_clear_error();
1199	def = "";
1200	}
1201
1202	if (!join(buf, sizeof(buf), type, "_value", "Name"))
1203	return 0;
1204	if ((value = NCONF_get_string(req_conf, attr_sect, buf))
1205	== NULL) {
1206	ERR_clear_error();
1207	value = NULL;
1208	}
1209
1210	if (!join(buf, sizeof(buf), type,"_min", "Name"))
1211	return 0;
1212	if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
1213	ERR_clear_error();
1214	n_min = -1;
1215	}
1216
1217	if (!join(buf, sizeof(buf), type, "_max", "Name"))
1218	return 0;
1219	if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
1220	ERR_clear_error();
1221	n_max = -1;
1222	}
1223
1224	if (!add_attribute_object(req,
1225	v->value, def, value, nid, n_min,
1226	n_max, chtype))
1227	return 0;
1228	}
1229	}
1230	} else {
1231	BIO_printf(bio_err, "No template, please set one up.\n");
1232	return 0;
1233	}
1234
1235	return 1;
1236
1237	}
1238
1239	static int auto_info(X509_REQ req, STACK_OF(CONF_VALUE) dn_sk,
1240	STACK_OF(CONF_VALUE) *attr_sk, int attribs,
1241	unsigned long chtype)
1242	{
1243	int i, spec_char, plus_char;
1244	char p, q;
1245	char *type;
1246	CONF_VALUE *v;
1247	X509_NAME *subj;
1248
1249	subj = X509_REQ_get_subject_name(req);
1250
1251	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1252	int mval;
1253	v = sk_CONF_VALUE_value(dn_sk, i);
1254	p = q = NULL;
1255	type = v->name;
1256	/*
1257	* Skip past any leading X. X: X, etc to allow for multiple instances
1258	*/
1259	for (p = v->name; *p; p++) {
1260	#ifndef CHARSET_EBCDIC
1261	spec_char = ((p == ':') \|\| (p == ',') \|\| (*p == '.'));
1262	#else
1263	spec_char = ((p == os_toascii[':']) \|\| (p == os_toascii[','])
1264	\|\| (*p == os_toascii['.']));
1265	#endif
1266	if (spec_char) {
1267	p++;
1268	if (*p)
1269	type = p;
1270	break;
1271	}
1272	}
1273	#ifndef CHARSET_EBCDIC
1274	plus_char = (*type == '+');
1275	#else
1276	plus_char = (*type == os_toascii['+']);
1277	#endif
1278	if (plus_char) {
1279	type++;
1280	mval = -1;
1281	} else {
1282	mval = 0;
1283	}
1284	if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
1285	(unsigned char *)v->value, -1, -1,
1286	mval))
1287	return 0;
1288
1289	}
1290
1291	if (!X509_NAME_entry_count(subj)) {
1292	BIO_printf(bio_err, "error, no objects specified in config file\n");
1293	return 0;
1294	}
1295	if (attribs) {
1296	for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
1297	v = sk_CONF_VALUE_value(attr_sk, i);
1298	if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
1299	(unsigned char *)v->value, -1))
1300	return 0;
1301	}
1302	}
1303	return 1;
1304	}
1305
1306	static int add_DN_object(X509_NAME n, char text, const char *def,
1307	char *value, int nid, int n_min, int n_max,
1308	unsigned long chtype, int mval)
1309	{
1310	int ret = 0;
1311	char buf[1024];
1312
1313	ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
1314	"DN value", "DN default");
1315	if ((ret == 0) \|\| (ret == 1))
1316	return ret;
1317	ret = 1;
1318
1319	if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
1320	(unsigned char *)buf, -1, -1, mval))
1321	ret = 0;
1322
1323	return ret;
1324	}
1325
1326	static int add_attribute_object(X509_REQ req, char text, const char *def,
1327	char *value, int nid, int n_min,
1328	int n_max, unsigned long chtype)
1329	{
1330	int ret = 0;
1331	char buf[1024];
1332
1333	ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
1334	"Attribute value", "Attribute default");
1335	if ((ret == 0) \|\| (ret == 1))
1336	return ret;
1337	ret = 1;
1338
1339	if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
1340	(unsigned char *)buf, -1)) {
1341	BIO_printf(bio_err, "Error adding attribute\n");
1342	ERR_print_errors(bio_err);
1343	ret = 0;
1344	}
1345
1346	return ret;
1347	}
1348
1349
1350	static int build_data(char text, const char def,
1351	char *value, int n_min, int n_max,
1352	char *buf, const int buf_size,
1353	const char desc1, const char desc2
1354	)
1355	{
1356	int i;
1357	start:
1358	if (!batch)
1359	BIO_printf(bio_err, "%s [%s]:", text, def);
1360	(void)BIO_flush(bio_err);
1361	if (value != NULL) {
1362	if (!join(buf, buf_size, value, "\n", desc1))
1363	return 0;
1364	BIO_printf(bio_err, "%s\n", value);
1365	} else {
1366	buf[0] = '\0';
1367	if (!batch) {
1368	if (!fgets(buf, buf_size, stdin))
1369	return 0;
1370	} else {
1371	buf[0] = '\n';
1372	buf[1] = '\0';
1373	}
1374	}
1375
1376	if (buf[0] == '\0')
1377	return 0;
1378	if (buf[0] == '\n') {
1379	if ((def == NULL) \|\| (def[0] == '\0'))
1380	return 1;
1381	if (!join(buf, buf_size, def, "\n", desc2))
1382	return 0;
1383	} else if ((buf[0] == '.') && (buf[1] == '\n')) {
1384	return 1;
1385	}
1386
1387	i = strlen(buf);
1388	if (buf[i - 1] != '\n') {
1389	BIO_printf(bio_err, "weird input :-(\n");
1390	return 0;
1391	}
1392	buf[--i] = '\0';
1393	#ifdef CHARSET_EBCDIC
1394	ebcdic2ascii(buf, buf, i);
1395	#endif
1396	if (!req_check_len(i, n_min, n_max)) {
1397	if (batch \|\| value)
1398	return 0;
1399	goto start;
1400	}
1401	return 2;
1402	}
1403
1404	static int req_check_len(int len, int n_min, int n_max)
1405	{
1406	if ((n_min > 0) && (len < n_min)) {
1407	BIO_printf(bio_err,
1408	"string is too short, it needs to be at least %d bytes long\n",
1409	n_min);
1410	return 0;
1411	}
1412	if ((n_max >= 0) && (len > n_max)) {
1413	BIO_printf(bio_err,
1414	"string is too long, it needs to be no more than %d bytes long\n",
1415	n_max);
1416	return 0;
1417	}
1418	return 1;
1419	}
1420
1421	/* Check if the end of a string matches 'end' */
1422	static int check_end(const char str, const char end)
1423	{
1424	size_t elen, slen;
1425	const char *tmp;
1426
1427	elen = strlen(end);
1428	slen = strlen(str);
1429	if (elen > slen)
1430	return 1;
1431	tmp = str + slen - elen;
1432	return strcmp(tmp, end);
1433	}
1434
1435	/*
1436	* Merge the two strings together into the result buffer checking for
1437	* overflow and producing an error message if there is.
1438	*/
1439	static int join(char buf[], size_t buf_size, const char *name,
1440	const char tail, const char desc)
1441	{
1442	const size_t name_len = strlen(name), tail_len = strlen(tail);
1443
1444	if (name_len + tail_len + 1 > buf_size) {
1445	BIO_printf(bio_err, "%s '%s' too long\n", desc, name);
1446	return 0;
1447	}
1448	memcpy(buf, name, name_len);
1449	memcpy(buf + name_len, tail, tail_len + 1);
1450	return 1;
1451	}
1452
1453	static EVP_PKEY_CTX set_keygen_ctx(const char gstr,
1454	int pkey_type, long pkeylen,
1455	char *palgnam, ENGINE keygen_engine)
1456	{
1457	EVP_PKEY_CTX *gctx = NULL;
1458	EVP_PKEY *param = NULL;
1459	long keylen = -1;
1460	BIO *pbio = NULL;
1461	const char *paramfile = NULL;
1462
1463	if (gstr == NULL) {
1464	*pkey_type = EVP_PKEY_RSA;
1465	keylen = *pkeylen;
1466	} else if (gstr[0] >= '0' && gstr[0] <= '9') {
1467	*pkey_type = EVP_PKEY_RSA;
1468	keylen = atol(gstr);
1469	*pkeylen = keylen;
1470	} else if (strncmp(gstr, "param:", 6) == 0) {
1471	paramfile = gstr + 6;
1472	} else {
1473	const char *p = strchr(gstr, ':');
1474	int len;
1475	ENGINE *tmpeng;
1476	const EVP_PKEY_ASN1_METHOD *ameth;
1477
1478	if (p != NULL)
1479	len = p - gstr;
1480	else
1481	len = strlen(gstr);
1482	/*
1483	* The lookup of a the string will cover all engines so keep a note
1484	* of the implementation.
1485	*/
1486
1487	ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
1488
1489	if (ameth == NULL) {
1490	BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
1491	return NULL;
1492	}
1493
1494	EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
1495	#ifndef OPENSSL_NO_ENGINE
1496	ENGINE_finish(tmpeng);
1497	#endif
1498	if (*pkey_type == EVP_PKEY_RSA) {
1499	if (p != NULL) {
1500	keylen = atol(p + 1);
1501	*pkeylen = keylen;
1502	} else {
1503	keylen = *pkeylen;
1504	}
1505	} else if (p != NULL) {
1506	paramfile = p + 1;
1507	}
1508	}
1509
1510	if (paramfile != NULL) {
1511	pbio = BIO_new_file(paramfile, "r");
1512	if (pbio == NULL) {
1513	BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
1514	return NULL;
1515	}
1516	param = PEM_read_bio_Parameters(pbio, NULL);
1517
1518	if (param == NULL) {
1519	X509 *x;
1520
1521	(void)BIO_reset(pbio);
1522	x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
1523	if (x != NULL) {
1524	param = X509_get_pubkey(x);
1525	X509_free(x);
1526	}
1527	}
1528
1529	BIO_free(pbio);
1530
1531	if (param == NULL) {
1532	BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
1533	return NULL;
1534	}
1535	if (*pkey_type == -1) {
1536	*pkey_type = EVP_PKEY_id(param);
1537	} else if (*pkey_type != EVP_PKEY_base_id(param)) {
1538	BIO_printf(bio_err, "Key Type does not match parameters\n");
1539	EVP_PKEY_free(param);
1540	return NULL;
1541	}
1542	}
1543
1544	if (palgnam != NULL) {
1545	const EVP_PKEY_ASN1_METHOD *ameth;
1546	ENGINE *tmpeng;
1547	const char *anam;
1548
1549	ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
1550	if (ameth == NULL) {
1551	BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
1552	return NULL;
1553	}
1554	EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
1555	*palgnam = OPENSSL_strdup(anam);
1556	#ifndef OPENSSL_NO_ENGINE
1557	ENGINE_finish(tmpeng);
1558	#endif
1559	}
1560
1561	if (param != NULL) {
1562	gctx = EVP_PKEY_CTX_new(param, keygen_engine);
1563	*pkeylen = EVP_PKEY_bits(param);
1564	EVP_PKEY_free(param);
1565	} else {
1566	gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
1567	}
1568
1569	if (gctx == NULL) {
1570	BIO_puts(bio_err, "Error allocating keygen context\n");
1571	ERR_print_errors(bio_err);
1572	return NULL;
1573	}
1574
1575	if (EVP_PKEY_keygen_init(gctx) <= 0) {
1576	BIO_puts(bio_err, "Error initializing keygen context\n");
1577	ERR_print_errors(bio_err);
1578	EVP_PKEY_CTX_free(gctx);
1579	return NULL;
1580	}
1581	#ifndef OPENSSL_NO_RSA
1582	if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
1583	if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
1584	BIO_puts(bio_err, "Error setting RSA keysize\n");
1585	ERR_print_errors(bio_err);
1586	EVP_PKEY_CTX_free(gctx);
1587	return NULL;
1588	}
1589	}
1590	#endif
1591
1592	return gctx;
1593	}
1594
1595	static int genpkey_cb(EVP_PKEY_CTX *ctx)
1596	{
1597	char c = '*';
1598	BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
1599	int p;
1600	p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
1601	if (p == 0)
1602	c = '.';
1603	if (p == 1)
1604	c = '+';
1605	if (p == 2)
1606	c = '*';
1607	if (p == 3)
1608	c = '\n';
1609	BIO_write(b, &c, 1);
1610	(void)BIO_flush(b);
1611	return 1;
1612	}
1613
1614	static int do_sign_init(EVP_MD_CTX ctx, EVP_PKEY pkey,
1615	const EVP_MD md, STACK_OF(OPENSSL_STRING) sigopts)
1616	{
1617	EVP_PKEY_CTX *pkctx = NULL;
1618	int i, def_nid;
1619
1620	if (ctx == NULL)
1621	return 0;
1622	/*
1623	* EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory
1624	* for this algorithm.
1625	*/
1626	if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
1627	&& def_nid == NID_undef) {
1628	/* The signing algorithm requires there to be no digest */
1629	md = NULL;
1630	}
1631	if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
1632	return 0;
1633	for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
1634	char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
1635	if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
1636	BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
1637	ERR_print_errors(bio_err);
1638	return 0;
1639	}
1640	}
1641	return 1;
1642	}
1643
1644	int do_X509_sign(X509 x, EVP_PKEY pkey, const EVP_MD *md,
1645	STACK_OF(OPENSSL_STRING) *sigopts)
1646	{
1647	int rv;
1648	EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1649
1650	rv = do_sign_init(mctx, pkey, md, sigopts);
1651	if (rv > 0)
1652	rv = X509_sign_ctx(x, mctx);
1653	EVP_MD_CTX_free(mctx);
1654	return rv > 0 ? 1 : 0;
1655	}
1656
1657	int do_X509_REQ_sign(X509_REQ x, EVP_PKEY pkey, const EVP_MD *md,
1658	STACK_OF(OPENSSL_STRING) *sigopts)
1659	{
1660	int rv;
1661	EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1662	rv = do_sign_init(mctx, pkey, md, sigopts);
1663	if (rv > 0)
1664	rv = X509_REQ_sign_ctx(x, mctx);
1665	EVP_MD_CTX_free(mctx);
1666	return rv > 0 ? 1 : 0;
1667	}
1668
1669	int do_X509_CRL_sign(X509_CRL x, EVP_PKEY pkey, const EVP_MD *md,
1670	STACK_OF(OPENSSL_STRING) *sigopts)
1671	{
1672	int rv;
1673	EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1674	rv = do_sign_init(mctx, pkey, md, sigopts);
1675	if (rv > 0)
1676	rv = X509_CRL_sign_ctx(x, mctx);
1677	EVP_MD_CTX_free(mctx);
1678	return rv > 0 ? 1 : 0;
1679	}

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/openssl-1.1.1l/apps/req.c@ 93560

以其他格式下載: