• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1  /*
2   * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3   *
4   * Licensed under the OpenSSL license (the "License").  You may not use
5   * this file except in compliance with the License.  You can obtain a copy
6   * in the file LICENSE in the source distribution or at
7   * https://www.openssl.org/source/license.html
8   */
9  
10  #include <stdio.h>
11  #include <stdlib.h>
12  #include <time.h>
13  #include <string.h>
14  #include <ctype.h>
15  #include "apps.h"
16  #include "progs.h"
17  #include <openssl/bio.h>
18  #include <openssl/evp.h>
19  #include <openssl/conf.h>
20  #include <openssl/err.h>
21  #include <openssl/asn1.h>
22  #include <openssl/x509.h>
23  #include <openssl/x509v3.h>
24  #include <openssl/objects.h>
25  #include <openssl/pem.h>
26  #include <openssl/bn.h>
27  #include <openssl/lhash.h>
28  #ifndef OPENSSL_NO_RSA
29  # include <openssl/rsa.h>
30  #endif
31  #ifndef OPENSSL_NO_DSA
32  # include <openssl/dsa.h>
33  #endif
34  
35  #define SECTION         "req"
36  
37  #define BITS            "default_bits"
38  #define KEYFILE         "default_keyfile"
39  #define PROMPT          "prompt"
40  #define DISTINGUISHED_NAME      "distinguished_name"
41  #define ATTRIBUTES      "attributes"
42  #define V3_EXTENSIONS   "x509_extensions"
43  #define REQ_EXTENSIONS  "req_extensions"
44  #define STRING_MASK     "string_mask"
45  #define UTF8_IN         "utf8"
46  
47  #define DEFAULT_KEY_LENGTH      2048
48  #define MIN_KEY_LENGTH          512
49  
50  static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
51                      int attribs, unsigned long chtype);
52  static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
53                           int multirdn);
54  static int prompt_info(X509_REQ *req,
55                         STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
56                         STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
57                         int attribs, unsigned long chtype);
58  static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
59                       STACK_OF(CONF_VALUE) *attr, int attribs,
60                       unsigned long chtype);
61  static int add_attribute_object(X509_REQ *req, char *text, const char *def,
62                                  char *value, int nid, int n_min, int n_max,
63                                  unsigned long chtype);
64  static int add_DN_object(X509_NAME *n, char *text, const char *def,
65                           char *value, int nid, int n_min, int n_max,
66                           unsigned long chtype, int mval);
67  static int genpkey_cb(EVP_PKEY_CTX *ctx);
68  static int build_data(char *text, const char *def,
69                        char *value, int n_min, int n_max,
70                        char *buf, const int buf_size,
71                        const char *desc1, const char *desc2
72                        );
73  static int req_check_len(int len, int n_min, int n_max);
74  static int check_end(const char *str, const char *end);
75  static int join(char buf[], size_t buf_size, const char *name,
76                  const char *tail, const char *desc);
77  static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
78                                      int *pkey_type, long *pkeylen,
79                                      char **palgnam, ENGINE *keygen_engine);
80  static CONF *req_conf = NULL;
81  static CONF *addext_conf = NULL;
82  static int batch = 0;
83  
84  typedef enum OPTION_choice {
85      OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
86      OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
87      OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
88      OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
89      OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
90      OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
91      OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
92      OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
93      OPT_REQEXTS, OPT_PRECERT, OPT_MD,
94      OPT_R_ENUM
95  } OPTION_CHOICE;
96  
97  const OPTIONS req_options[] = {
98      {"help", OPT_HELP, '-', "Display this summary"},
99      {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
100      {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
101      {"in", OPT_IN, '<', "Input file"},
102      {"out", OPT_OUT, '>', "Output file"},
103      {"key", OPT_KEY, 's', "Private key to use"},
104      {"keyform", OPT_KEYFORM, 'f', "Key file format"},
105      {"pubkey", OPT_PUBKEY, '-', "Output public key"},
106      {"new", OPT_NEW, '-', "New request"},
107      {"config", OPT_CONFIG, '<', "Request template file"},
108      {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
109      {"passin", OPT_PASSIN, 's', "Private key password source"},
110      {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
111      OPT_R_OPTIONS,
112      {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
113      {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
114      {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
115      {"batch", OPT_BATCH, '-',
116       "Do not ask anything during request generation"},
117      {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
118      {"modulus", OPT_MODULUS, '-', "RSA modulus"},
119      {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
120      {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
121      {"noout", OPT_NOOUT, '-', "Do not output REQ"},
122      {"verbose", OPT_VERBOSE, '-', "Verbose output"},
123      {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
124      {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
125      {"reqopt", OPT_REQOPT, 's', "Various request text options"},
126      {"text", OPT_TEXT, '-', "Text form of request"},
127      {"x509", OPT_X509, '-',
128       "Output a x509 structure instead of a cert request"},
129      {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
130      {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
131      {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
132      {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
133       "Enable support for multivalued RDNs"},
134      {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
135      {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
136      {"addext", OPT_ADDEXT, 's',
137       "Additional cert extension key=value pair (may be given more than once)"},
138      {"extensions", OPT_EXTENSIONS, 's',
139       "Cert extension section (override value in config file)"},
140      {"reqexts", OPT_REQEXTS, 's',
141       "Request extension section (override value in config file)"},
142      {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
143      {"", OPT_MD, '-', "Any supported digest"},
144  #ifndef OPENSSL_NO_ENGINE
145      {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
146      {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
147       "Specify engine to be used for key generation operations"},
148  #endif
149      {NULL}
150  };
151  
152  
153  /*
154   * An LHASH of strings, where each string is an extension name.
155   */
ext_name_hash(const OPENSSL_STRING * a)156  static unsigned long ext_name_hash(const OPENSSL_STRING *a)
157  {
158      return OPENSSL_LH_strhash((const char *)a);
159  }
160  
ext_name_cmp(const OPENSSL_STRING * a,const OPENSSL_STRING * b)161  static int ext_name_cmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b)
162  {
163      return strcmp((const char *)a, (const char *)b);
164  }
165  
exts_cleanup(OPENSSL_STRING * x)166  static void exts_cleanup(OPENSSL_STRING *x)
167  {
168      OPENSSL_free((char *)x);
169  }
170  
171  /*
172   * Is the |kv| key already duplicated?  This is remarkably tricky to get
173   * right.  Return 0 if unique, -1 on runtime error; 1 if found or a syntax
174   * error.
175   */
duplicated(LHASH_OF (OPENSSL_STRING)* addexts,char * kv)176  static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
177  {
178      char *p;
179      size_t off;
180  
181      /* Check syntax. */
182      /* Skip leading whitespace, make a copy. */
183      while (*kv && isspace(*kv))
184          if (*++kv == '\0')
185              return 1;
186      if ((p = strchr(kv, '=')) == NULL)
187          return 1;
188      off = p - kv;
189      if ((kv = OPENSSL_strdup(kv)) == NULL)
190          return -1;
191  
192      /* Skip trailing space before the equal sign. */
193      for (p = kv + off; p > kv; --p)
194          if (!isspace(p[-1]))
195              break;
196      if (p == kv) {
197          OPENSSL_free(kv);
198          return 1;
199      }
200      *p = '\0';
201  
202      /* Finally have a clean "key"; see if it's there [by attempt to add it]. */
203      p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv);
204      if (p != NULL) {
205          OPENSSL_free(p);
206          return 1;
207      } else if (lh_OPENSSL_STRING_error(addexts)) {
208          OPENSSL_free(kv);
209          return -1;
210      }
211  
212      return 0;
213  }
214  
req_main(int argc,char ** argv)215  int req_main(int argc, char **argv)
216  {
217      ASN1_INTEGER *serial = NULL;
218      BIO *in = NULL, *out = NULL;
219      ENGINE *e = NULL, *gen_eng = NULL;
220      EVP_PKEY *pkey = NULL;
221      EVP_PKEY_CTX *genctx = NULL;
222      STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
223      LHASH_OF(OPENSSL_STRING) *addexts = NULL;
224      X509 *x509ss = NULL;
225      X509_REQ *req = NULL;
226      const EVP_CIPHER *cipher = NULL;
227      const EVP_MD *md_alg = NULL, *digest = NULL;
228      BIO *addext_bio = NULL;
229      char *extensions = NULL, *infile = NULL;
230      char *outfile = NULL, *keyfile = NULL;
231      char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
232      char *passin = NULL, *passout = NULL;
233      char *nofree_passin = NULL, *nofree_passout = NULL;
234      char *req_exts = NULL, *subj = NULL;
235      char *template = default_config_file, *keyout = NULL;
236      const char *keyalg = NULL;
237      OPTION_CHOICE o;
238      int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0;
239      int pkey_type = -1, private = 0;
240      int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
241      int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
242      int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
243      long newkey = -1;
244      unsigned long chtype = MBSTRING_ASC, reqflag = 0;
245  
246  #ifndef OPENSSL_NO_DES
247      cipher = EVP_des_ede3_cbc();
248  #endif
249  
250      prog = opt_init(argc, argv, req_options);
251      while ((o = opt_next()) != OPT_EOF) {
252          switch (o) {
253          case OPT_EOF:
254          case OPT_ERR:
255   opthelp:
256              BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
257              goto end;
258          case OPT_HELP:
259              opt_help(req_options);
260              ret = 0;
261              goto end;
262          case OPT_INFORM:
263              if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
264                  goto opthelp;
265              break;
266          case OPT_OUTFORM:
267              if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
268                  goto opthelp;
269              break;
270          case OPT_ENGINE:
271              e = setup_engine(opt_arg(), 0);
272              break;
273          case OPT_KEYGEN_ENGINE:
274  #ifndef OPENSSL_NO_ENGINE
275              gen_eng = ENGINE_by_id(opt_arg());
276              if (gen_eng == NULL) {
277                  BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
278                  goto opthelp;
279              }
280  #endif
281              break;
282          case OPT_KEY:
283              keyfile = opt_arg();
284              break;
285          case OPT_PUBKEY:
286              pubkey = 1;
287              break;
288          case OPT_NEW:
289              newreq = 1;
290              break;
291          case OPT_CONFIG:
292              template = opt_arg();
293              break;
294          case OPT_KEYFORM:
295              if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
296                  goto opthelp;
297              break;
298          case OPT_IN:
299              infile = opt_arg();
300              break;
301          case OPT_OUT:
302              outfile = opt_arg();
303              break;
304          case OPT_KEYOUT:
305              keyout = opt_arg();
306              break;
307          case OPT_PASSIN:
308              passargin = opt_arg();
309              break;
310          case OPT_PASSOUT:
311              passargout = opt_arg();
312              break;
313          case OPT_R_CASES:
314              if (!opt_rand(o))
315                  goto end;
316              break;
317          case OPT_NEWKEY:
318              keyalg = opt_arg();
319              newreq = 1;
320              break;
321          case OPT_PKEYOPT:
322              if (!pkeyopts)
323                  pkeyopts = sk_OPENSSL_STRING_new_null();
324              if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
325                  goto opthelp;
326              break;
327          case OPT_SIGOPT:
328              if (!sigopts)
329                  sigopts = sk_OPENSSL_STRING_new_null();
330              if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
331                  goto opthelp;
332              break;
333          case OPT_BATCH:
334              batch = 1;
335              break;
336          case OPT_NEWHDR:
337              newhdr = 1;
338              break;
339          case OPT_MODULUS:
340              modulus = 1;
341              break;
342          case OPT_VERIFY:
343              verify = 1;
344              break;
345          case OPT_NODES:
346              nodes = 1;
347              break;
348          case OPT_NOOUT:
349              noout = 1;
350              break;
351          case OPT_VERBOSE:
352              verbose = 1;
353              break;
354          case OPT_UTF8:
355              chtype = MBSTRING_UTF8;
356              break;
357          case OPT_NAMEOPT:
358              if (!set_nameopt(opt_arg()))
359                  goto opthelp;
360              break;
361          case OPT_REQOPT:
362              if (!set_cert_ex(&reqflag, opt_arg()))
363                  goto opthelp;
364              break;
365          case OPT_TEXT:
366              text = 1;
367              break;
368          case OPT_X509:
369              x509 = 1;
370              break;
371          case OPT_DAYS:
372              days = atoi(opt_arg());
373              break;
374          case OPT_SET_SERIAL:
375              if (serial != NULL) {
376                  BIO_printf(bio_err, "Serial number supplied twice\n");
377                  goto opthelp;
378              }
379              serial = s2i_ASN1_INTEGER(NULL, opt_arg());
380              if (serial == NULL)
381                  goto opthelp;
382              break;
383          case OPT_SUBJECT:
384              subject = 1;
385              break;
386          case OPT_SUBJ:
387              subj = opt_arg();
388              break;
389          case OPT_MULTIVALUE_RDN:
390              multirdn = 1;
391              break;
392          case OPT_ADDEXT:
393              p = opt_arg();
394              if (addexts == NULL) {
395                  addexts = lh_OPENSSL_STRING_new(ext_name_hash, ext_name_cmp);
396                  addext_bio = BIO_new(BIO_s_mem());
397                  if (addexts == NULL || addext_bio == NULL)
398                      goto end;
399              }
400              i = duplicated(addexts, p);
401              if (i == 1)
402                  goto opthelp;
403              if (i < 0 || BIO_printf(addext_bio, "%s\n", opt_arg()) < 0)
404                  goto end;
405              break;
406          case OPT_EXTENSIONS:
407              extensions = opt_arg();
408              break;
409          case OPT_REQEXTS:
410              req_exts = opt_arg();
411              break;
412          case OPT_PRECERT:
413              newreq = precert = 1;
414              break;
415          case OPT_MD:
416              if (!opt_md(opt_unknown(), &md_alg))
417                  goto opthelp;
418              digest = md_alg;
419              break;
420          }
421      }
422      argc = opt_num_rest();
423      if (argc != 0)
424          goto opthelp;
425  
426      if (days && !x509)
427          BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n");
428      if (x509 && infile == NULL)
429          newreq = 1;
430  
431      /* TODO: simplify this as pkey is still always NULL here */
432      private = newreq && (pkey == NULL) ? 1 : 0;
433  
434      if (!app_passwd(passargin, passargout, &passin, &passout)) {
435          BIO_printf(bio_err, "Error getting passwords\n");
436          goto end;
437      }
438  
439      if (verbose)
440          BIO_printf(bio_err, "Using configuration from %s\n", template);
441      if ((req_conf = app_load_config(template)) == NULL)
442          goto end;
443      if (addext_bio) {
444          if (verbose)
445              BIO_printf(bio_err,
446                         "Using additional configuration from command line\n");
447          if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL)
448              goto end;
449      }
450      if (template != default_config_file && !app_load_modules(req_conf))
451          goto end;
452  
453      if (req_conf != NULL) {
454          p = NCONF_get_string(req_conf, NULL, "oid_file");
455          if (p == NULL)
456              ERR_clear_error();
457          if (p != NULL) {
458              BIO *oid_bio;
459  
460              oid_bio = BIO_new_file(p, "r");
461              if (oid_bio == NULL) {
462                  /*-
463                  BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
464                  ERR_print_errors(bio_err);
465                  */
466              } else {
467                  OBJ_create_objects(oid_bio);
468                  BIO_free(oid_bio);
469              }
470          }
471      }
472      if (!add_oid_section(req_conf))
473          goto end;
474  
475      if (md_alg == NULL) {
476          p = NCONF_get_string(req_conf, SECTION, "default_md");
477          if (p == NULL) {
478              ERR_clear_error();
479          } else {
480              if (!opt_md(p, &md_alg))
481                  goto opthelp;
482              digest = md_alg;
483          }
484      }
485  
486      if (extensions == NULL) {
487          extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
488          if (extensions == NULL)
489              ERR_clear_error();
490      }
491      if (extensions != NULL) {
492          /* Check syntax of file */
493          X509V3_CTX ctx;
494          X509V3_set_ctx_test(&ctx);
495          X509V3_set_nconf(&ctx, req_conf);
496          if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
497              BIO_printf(bio_err,
498                         "Error Loading extension section %s\n", extensions);
499              goto end;
500          }
501      }
502      if (addext_conf != NULL) {
503          /* Check syntax of command line extensions */
504          X509V3_CTX ctx;
505          X509V3_set_ctx_test(&ctx);
506          X509V3_set_nconf(&ctx, addext_conf);
507          if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
508              BIO_printf(bio_err, "Error Loading command line extensions\n");
509              goto end;
510          }
511      }
512  
513      if (passin == NULL) {
514          passin = nofree_passin =
515              NCONF_get_string(req_conf, SECTION, "input_password");
516          if (passin == NULL)
517              ERR_clear_error();
518      }
519  
520      if (passout == NULL) {
521          passout = nofree_passout =
522              NCONF_get_string(req_conf, SECTION, "output_password");
523          if (passout == NULL)
524              ERR_clear_error();
525      }
526  
527      p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
528      if (p == NULL)
529          ERR_clear_error();
530  
531      if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) {
532          BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
533          goto end;
534      }
535  
536      if (chtype != MBSTRING_UTF8) {
537          p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
538          if (p == NULL)
539              ERR_clear_error();
540          else if (strcmp(p, "yes") == 0)
541              chtype = MBSTRING_UTF8;
542      }
543  
544      if (req_exts == NULL) {
545          req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
546          if (req_exts == NULL)
547              ERR_clear_error();
548      }
549      if (req_exts != NULL) {
550          /* Check syntax of file */
551          X509V3_CTX ctx;
552          X509V3_set_ctx_test(&ctx);
553          X509V3_set_nconf(&ctx, req_conf);
554          if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
555              BIO_printf(bio_err,
556                         "Error Loading request extension section %s\n",
557                         req_exts);
558              goto end;
559          }
560      }
561  
562      if (keyfile != NULL) {
563          pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
564          if (pkey == NULL) {
565              /* load_key() has already printed an appropriate message */
566              goto end;
567          } else {
568              app_RAND_load_conf(req_conf, SECTION);
569          }
570      }
571  
572      if (newreq && (pkey == NULL)) {
573          app_RAND_load_conf(req_conf, SECTION);
574  
575          if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
576              newkey = DEFAULT_KEY_LENGTH;
577          }
578  
579          if (keyalg != NULL) {
580              genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
581                                      &keyalgstr, gen_eng);
582              if (genctx == NULL)
583                  goto end;
584          }
585  
586          if (newkey < MIN_KEY_LENGTH
587              && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
588              BIO_printf(bio_err, "private key length is too short,\n");
589              BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
590                         MIN_KEY_LENGTH, newkey);
591              goto end;
592          }
593  
594          if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS)
595              BIO_printf(bio_err,
596                         "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
597                         "         Your key size is %ld! Larger key size may behave not as expected.\n",
598                         OPENSSL_RSA_MAX_MODULUS_BITS, newkey);
599  
600  #ifndef OPENSSL_NO_DSA
601          if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS)
602              BIO_printf(bio_err,
603                         "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
604                         "         Your key size is %ld! Larger key size may behave not as expected.\n",
605                         OPENSSL_DSA_MAX_MODULUS_BITS, newkey);
606  #endif
607  
608          if (genctx == NULL) {
609              genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
610                                      &keyalgstr, gen_eng);
611              if (!genctx)
612                  goto end;
613          }
614  
615          if (pkeyopts != NULL) {
616              char *genopt;
617              for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
618                  genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
619                  if (pkey_ctrl_string(genctx, genopt) <= 0) {
620                      BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
621                      ERR_print_errors(bio_err);
622                      goto end;
623                  }
624              }
625          }
626  
627          if (pkey_type == EVP_PKEY_EC) {
628              BIO_printf(bio_err, "Generating an EC private key\n");
629          } else {
630              BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr);
631          }
632  
633          EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
634          EVP_PKEY_CTX_set_app_data(genctx, bio_err);
635  
636          if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
637              BIO_puts(bio_err, "Error Generating Key\n");
638              goto end;
639          }
640  
641          EVP_PKEY_CTX_free(genctx);
642          genctx = NULL;
643  
644          if (keyout == NULL) {
645              keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
646              if (keyout == NULL)
647                  ERR_clear_error();
648          }
649  
650          if (keyout == NULL)
651              BIO_printf(bio_err, "writing new private key to stdout\n");
652          else
653              BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
654          out = bio_open_owner(keyout, outformat, private);
655          if (out == NULL)
656              goto end;
657  
658          p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
659          if (p == NULL) {
660              ERR_clear_error();
661              p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
662              if (p == NULL)
663                  ERR_clear_error();
664          }
665          if ((p != NULL) && (strcmp(p, "no") == 0))
666              cipher = NULL;
667          if (nodes)
668              cipher = NULL;
669  
670          i = 0;
671   loop:
672          assert(private);
673          if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
674                                        NULL, 0, NULL, passout)) {
675              if ((ERR_GET_REASON(ERR_peek_error()) ==
676                   PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
677                  ERR_clear_error();
678                  i++;
679                  goto loop;
680              }
681              goto end;
682          }
683          BIO_free(out);
684          out = NULL;
685          BIO_printf(bio_err, "-----\n");
686      }
687  
688      if (!newreq) {
689          in = bio_open_default(infile, 'r', informat);
690          if (in == NULL)
691              goto end;
692  
693          if (informat == FORMAT_ASN1)
694              req = d2i_X509_REQ_bio(in, NULL);
695          else
696              req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
697          if (req == NULL) {
698              BIO_printf(bio_err, "unable to load X509 request\n");
699              goto end;
700          }
701      }
702  
703      if (newreq || x509) {
704          if (pkey == NULL) {
705              BIO_printf(bio_err, "you need to specify a private key\n");
706              goto end;
707          }
708  
709          if (req == NULL) {
710              req = X509_REQ_new();
711              if (req == NULL) {
712                  goto end;
713              }
714  
715              i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
716              subj = NULL;        /* done processing '-subj' option */
717              if (!i) {
718                  BIO_printf(bio_err, "problems making Certificate Request\n");
719                  goto end;
720              }
721          }
722          if (x509) {
723              EVP_PKEY *tmppkey;
724              X509V3_CTX ext_ctx;
725              if ((x509ss = X509_new()) == NULL)
726                  goto end;
727  
728              /* Set version to V3 */
729              if ((extensions != NULL || addext_conf != NULL)
730                  && !X509_set_version(x509ss, 2))
731                  goto end;
732              if (serial != NULL) {
733                  if (!X509_set_serialNumber(x509ss, serial))
734                      goto end;
735              } else {
736                  if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
737                      goto end;
738              }
739  
740              if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
741                  goto end;
742              if (days == 0) {
743                  /* set default days if it's not specified */
744                  days = 30;
745              }
746              if (!set_cert_times(x509ss, NULL, NULL, days))
747                  goto end;
748              if (!X509_set_subject_name
749                  (x509ss, X509_REQ_get_subject_name(req)))
750                  goto end;
751              tmppkey = X509_REQ_get0_pubkey(req);
752              if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
753                  goto end;
754  
755              /* Set up V3 context struct */
756  
757              X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
758              X509V3_set_nconf(&ext_ctx, req_conf);
759  
760              /* Add extensions */
761              if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf,
762                                                              &ext_ctx, extensions,
763                                                              x509ss)) {
764                  BIO_printf(bio_err, "Error Loading extension section %s\n",
765                             extensions);
766                  goto end;
767              }
768              if (addext_conf != NULL
769                  && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default",
770                                           x509ss)) {
771                  BIO_printf(bio_err, "Error Loading command line extensions\n");
772                  goto end;
773              }
774  
775              /* If a pre-cert was requested, we need to add a poison extension */
776              if (precert) {
777                  if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
778                      != 1) {
779                      BIO_printf(bio_err, "Error adding poison extension\n");
780                      goto end;
781                  }
782              }
783  
784              i = do_X509_sign(x509ss, pkey, digest, sigopts);
785              if (!i) {
786                  ERR_print_errors(bio_err);
787                  goto end;
788              }
789          } else {
790              X509V3_CTX ext_ctx;
791  
792              /* Set up V3 context struct */
793  
794              X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
795              X509V3_set_nconf(&ext_ctx, req_conf);
796  
797              /* Add extensions */
798              if (req_exts != NULL
799                  && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx,
800                                               req_exts, req)) {
801                  BIO_printf(bio_err, "Error Loading extension section %s\n",
802                             req_exts);
803                  goto end;
804              }
805              if (addext_conf != NULL
806                  && !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default",
807                                               req)) {
808                  BIO_printf(bio_err, "Error Loading command line extensions\n");
809                  goto end;
810              }
811              i = do_X509_REQ_sign(req, pkey, digest, sigopts);
812              if (!i) {
813                  ERR_print_errors(bio_err);
814                  goto end;
815              }
816          }
817      }
818  
819      if (subj && x509) {
820          BIO_printf(bio_err, "Cannot modify certificate subject\n");
821          goto end;
822      }
823  
824      if (subj && !x509) {
825          if (verbose) {
826              BIO_printf(bio_err, "Modifying Request's Subject\n");
827              print_name(bio_err, "old subject=",
828                         X509_REQ_get_subject_name(req), get_nameopt());
829          }
830  
831          if (build_subject(req, subj, chtype, multirdn) == 0) {
832              BIO_printf(bio_err, "ERROR: cannot modify subject\n");
833              ret = 1;
834              goto end;
835          }
836  
837          if (verbose) {
838              print_name(bio_err, "new subject=",
839                         X509_REQ_get_subject_name(req), get_nameopt());
840          }
841      }
842  
843      if (verify && !x509) {
844          EVP_PKEY *tpubkey = pkey;
845  
846          if (tpubkey == NULL) {
847              tpubkey = X509_REQ_get0_pubkey(req);
848              if (tpubkey == NULL)
849                  goto end;
850          }
851  
852          i = X509_REQ_verify(req, tpubkey);
853  
854          if (i < 0) {
855              goto end;
856          } else if (i == 0) {
857              BIO_printf(bio_err, "verify failure\n");
858              ERR_print_errors(bio_err);
859          } else {                 /* if (i > 0) */
860              BIO_printf(bio_err, "verify OK\n");
861          }
862      }
863  
864      if (noout && !text && !modulus && !subject && !pubkey) {
865          ret = 0;
866          goto end;
867      }
868  
869      out = bio_open_default(outfile,
870                             keyout != NULL && outfile != NULL &&
871                             strcmp(keyout, outfile) == 0 ? 'a' : 'w',
872                             outformat);
873      if (out == NULL)
874          goto end;
875  
876      if (pubkey) {
877          EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req);
878  
879          if (tpubkey == NULL) {
880              BIO_printf(bio_err, "Error getting public key\n");
881              ERR_print_errors(bio_err);
882              goto end;
883          }
884          PEM_write_bio_PUBKEY(out, tpubkey);
885      }
886  
887      if (text) {
888          if (x509)
889              ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag);
890          else
891              ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
892  
893          if (ret == 0) {
894              if (x509)
895                BIO_printf(bio_err, "Error printing certificate\n");
896              else
897                BIO_printf(bio_err, "Error printing certificate request\n");
898  
899              ERR_print_errors(bio_err);
900              goto end;
901          }
902      }
903  
904      if (subject) {
905          if (x509)
906              print_name(out, "subject=", X509_get_subject_name(x509ss),
907                         get_nameopt());
908          else
909              print_name(out, "subject=", X509_REQ_get_subject_name(req),
910                         get_nameopt());
911      }
912  
913      if (modulus) {
914          EVP_PKEY *tpubkey;
915  
916          if (x509)
917              tpubkey = X509_get0_pubkey(x509ss);
918          else
919              tpubkey = X509_REQ_get0_pubkey(req);
920          if (tpubkey == NULL) {
921              fprintf(stdout, "Modulus=unavailable\n");
922              goto end;
923          }
924          fprintf(stdout, "Modulus=");
925  #ifndef OPENSSL_NO_RSA
926          if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
927              const BIGNUM *n;
928              RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
929              BN_print(out, n);
930          } else
931  #endif
932              fprintf(stdout, "Wrong Algorithm type");
933          fprintf(stdout, "\n");
934      }
935  
936      if (!noout && !x509) {
937          if (outformat == FORMAT_ASN1)
938              i = i2d_X509_REQ_bio(out, req);
939          else if (newhdr)
940              i = PEM_write_bio_X509_REQ_NEW(out, req);
941          else
942              i = PEM_write_bio_X509_REQ(out, req);
943          if (!i) {
944              BIO_printf(bio_err, "unable to write X509 request\n");
945              goto end;
946          }
947      }
948      if (!noout && x509 && (x509ss != NULL)) {
949          if (outformat == FORMAT_ASN1)
950              i = i2d_X509_bio(out, x509ss);
951          else
952              i = PEM_write_bio_X509(out, x509ss);
953          if (!i) {
954              BIO_printf(bio_err, "unable to write X509 certificate\n");
955              goto end;
956          }
957      }
958      ret = 0;
959   end:
960      if (ret) {
961          ERR_print_errors(bio_err);
962      }
963      NCONF_free(req_conf);
964      NCONF_free(addext_conf);
965      BIO_free(addext_bio);
966      BIO_free(in);
967      BIO_free_all(out);
968      EVP_PKEY_free(pkey);
969      EVP_PKEY_CTX_free(genctx);
970      sk_OPENSSL_STRING_free(pkeyopts);
971      sk_OPENSSL_STRING_free(sigopts);
972      lh_OPENSSL_STRING_doall(addexts, exts_cleanup);
973      lh_OPENSSL_STRING_free(addexts);
974  #ifndef OPENSSL_NO_ENGINE
975      ENGINE_free(gen_eng);
976  #endif
977      OPENSSL_free(keyalgstr);
978      X509_REQ_free(req);
979      X509_free(x509ss);
980      ASN1_INTEGER_free(serial);
981      release_engine(e);
982      if (passin != nofree_passin)
983          OPENSSL_free(passin);
984      if (passout != nofree_passout)
985          OPENSSL_free(passout);
986      return ret;
987  }
988  
make_REQ(X509_REQ * req,EVP_PKEY * pkey,char * subj,int multirdn,int attribs,unsigned long chtype)989  static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
990                      int attribs, unsigned long chtype)
991  {
992      int ret = 0, i;
993      char no_prompt = 0;
994      STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
995      char *tmp, *dn_sect, *attr_sect;
996  
997      tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
998      if (tmp == NULL)
999          ERR_clear_error();
1000      if ((tmp != NULL) && strcmp(tmp, "no") == 0)
1001          no_prompt = 1;
1002  
1003      dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
1004      if (dn_sect == NULL) {
1005          BIO_printf(bio_err, "unable to find '%s' in config\n",
1006                     DISTINGUISHED_NAME);
1007          goto err;
1008      }
1009      dn_sk = NCONF_get_section(req_conf, dn_sect);
1010      if (dn_sk == NULL) {
1011          BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
1012          goto err;
1013      }
1014  
1015      attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
1016      if (attr_sect == NULL) {
1017          ERR_clear_error();
1018          attr_sk = NULL;
1019      } else {
1020          attr_sk = NCONF_get_section(req_conf, attr_sect);
1021          if (attr_sk == NULL) {
1022              BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
1023              goto err;
1024          }
1025      }
1026  
1027      /* setup version number */
1028      if (!X509_REQ_set_version(req, 0L))
1029          goto err;               /* version 1 */
1030  
1031      if (subj)
1032          i = build_subject(req, subj, chtype, multirdn);
1033      else if (no_prompt)
1034          i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
1035      else
1036          i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
1037                          chtype);
1038      if (!i)
1039          goto err;
1040  
1041      if (!X509_REQ_set_pubkey(req, pkey))
1042          goto err;
1043  
1044      ret = 1;
1045   err:
1046      return ret;
1047  }
1048  
1049  /*
1050   * subject is expected to be in the format /type0=value0/type1=value1/type2=...
1051   * where characters may be escaped by \
1052   */
build_subject(X509_REQ * req,const char * subject,unsigned long chtype,int multirdn)1053  static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
1054                           int multirdn)
1055  {
1056      X509_NAME *n;
1057  
1058      if ((n = parse_name(subject, chtype, multirdn)) == NULL)
1059          return 0;
1060  
1061      if (!X509_REQ_set_subject_name(req, n)) {
1062          X509_NAME_free(n);
1063          return 0;
1064      }
1065      X509_NAME_free(n);
1066      return 1;
1067  }
1068  
prompt_info(X509_REQ * req,STACK_OF (CONF_VALUE)* dn_sk,const char * dn_sect,STACK_OF (CONF_VALUE)* attr_sk,const char * attr_sect,int attribs,unsigned long chtype)1069  static int prompt_info(X509_REQ *req,
1070                         STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
1071                         STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
1072                         int attribs, unsigned long chtype)
1073  {
1074      int i;
1075      char *p, *q;
1076      char buf[100];
1077      int nid, mval;
1078      long n_min, n_max;
1079      char *type, *value;
1080      const char *def;
1081      CONF_VALUE *v;
1082      X509_NAME *subj;
1083      subj = X509_REQ_get_subject_name(req);
1084  
1085      if (!batch) {
1086          BIO_printf(bio_err,
1087                     "You are about to be asked to enter information that will be incorporated\n");
1088          BIO_printf(bio_err, "into your certificate request.\n");
1089          BIO_printf(bio_err,
1090                     "What you are about to enter is what is called a Distinguished Name or a DN.\n");
1091          BIO_printf(bio_err,
1092                     "There are quite a few fields but you can leave some blank\n");
1093          BIO_printf(bio_err,
1094                     "For some fields there will be a default value,\n");
1095          BIO_printf(bio_err,
1096                     "If you enter '.', the field will be left blank.\n");
1097          BIO_printf(bio_err, "-----\n");
1098      }
1099  
1100      if (sk_CONF_VALUE_num(dn_sk)) {
1101          i = -1;
1102   start:
1103          for ( ; ; ) {
1104              i++;
1105              if (sk_CONF_VALUE_num(dn_sk) <= i)
1106                  break;
1107  
1108              v = sk_CONF_VALUE_value(dn_sk, i);
1109              p = q = NULL;
1110              type = v->name;
1111              if (!check_end(type, "_min") || !check_end(type, "_max") ||
1112                  !check_end(type, "_default") || !check_end(type, "_value"))
1113                  continue;
1114              /*
1115               * Skip past any leading X. X: X, etc to allow for multiple
1116               * instances
1117               */
1118              for (p = v->name; *p; p++)
1119                  if ((*p == ':') || (*p == ',') || (*p == '.')) {
1120                      p++;
1121                      if (*p)
1122                          type = p;
1123                      break;
1124                  }
1125              if (*type == '+') {
1126                  mval = -1;
1127                  type++;
1128              } else {
1129                  mval = 0;
1130              }
1131              /* If OBJ not recognised ignore it */
1132              if ((nid = OBJ_txt2nid(type)) == NID_undef)
1133                  goto start;
1134              if (!join(buf, sizeof(buf), v->name, "_default", "Name"))
1135                  return 0;
1136              if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
1137                  ERR_clear_error();
1138                  def = "";
1139              }
1140  
1141              if (!join(buf, sizeof(buf), v->name, "_value", "Name"))
1142                  return 0;
1143              if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
1144                  ERR_clear_error();
1145                  value = NULL;
1146              }
1147  
1148              if (!join(buf, sizeof(buf), v->name, "_min", "Name"))
1149                  return 0;
1150              if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
1151                  ERR_clear_error();
1152                  n_min = -1;
1153              }
1154  
1155  
1156              if (!join(buf, sizeof(buf), v->name, "_max", "Name"))
1157                  return 0;
1158              if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
1159                  ERR_clear_error();
1160                  n_max = -1;
1161              }
1162  
1163              if (!add_DN_object(subj, v->value, def, value, nid,
1164                                 n_min, n_max, chtype, mval))
1165                  return 0;
1166          }
1167          if (X509_NAME_entry_count(subj) == 0) {
1168              BIO_printf(bio_err,
1169                         "error, no objects specified in config file\n");
1170              return 0;
1171          }
1172  
1173          if (attribs) {
1174              if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
1175                  && (!batch)) {
1176                  BIO_printf(bio_err,
1177                             "\nPlease enter the following 'extra' attributes\n");
1178                  BIO_printf(bio_err,
1179                             "to be sent with your certificate request\n");
1180              }
1181  
1182              i = -1;
1183   start2:
1184              for ( ; ; ) {
1185                  i++;
1186                  if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
1187                      break;
1188  
1189                  v = sk_CONF_VALUE_value(attr_sk, i);
1190                  type = v->name;
1191                  if ((nid = OBJ_txt2nid(type)) == NID_undef)
1192                      goto start2;
1193  
1194                  if (!join(buf, sizeof(buf), type, "_default", "Name"))
1195                      return 0;
1196                  if ((def = NCONF_get_string(req_conf, attr_sect, buf))
1197                      == NULL) {
1198                      ERR_clear_error();
1199                      def = "";
1200                  }
1201  
1202                  if (!join(buf, sizeof(buf), type, "_value", "Name"))
1203                      return 0;
1204                  if ((value = NCONF_get_string(req_conf, attr_sect, buf))
1205                      == NULL) {
1206                      ERR_clear_error();
1207                      value = NULL;
1208                  }
1209  
1210                  if (!join(buf, sizeof(buf), type,"_min", "Name"))
1211                      return 0;
1212                  if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
1213                      ERR_clear_error();
1214                      n_min = -1;
1215                  }
1216  
1217                  if (!join(buf, sizeof(buf), type, "_max", "Name"))
1218                      return 0;
1219                  if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
1220                      ERR_clear_error();
1221                      n_max = -1;
1222                  }
1223  
1224                  if (!add_attribute_object(req,
1225                                            v->value, def, value, nid, n_min,
1226                                            n_max, chtype))
1227                      return 0;
1228              }
1229          }
1230      } else {
1231          BIO_printf(bio_err, "No template, please set one up.\n");
1232          return 0;
1233      }
1234  
1235      return 1;
1236  
1237  }
1238  
auto_info(X509_REQ * req,STACK_OF (CONF_VALUE)* dn_sk,STACK_OF (CONF_VALUE)* attr_sk,int attribs,unsigned long chtype)1239  static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
1240                       STACK_OF(CONF_VALUE) *attr_sk, int attribs,
1241                       unsigned long chtype)
1242  {
1243      int i, spec_char, plus_char;
1244      char *p, *q;
1245      char *type;
1246      CONF_VALUE *v;
1247      X509_NAME *subj;
1248  
1249      subj = X509_REQ_get_subject_name(req);
1250  
1251      for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1252          int mval;
1253          v = sk_CONF_VALUE_value(dn_sk, i);
1254          p = q = NULL;
1255          type = v->name;
1256          /*
1257           * Skip past any leading X. X: X, etc to allow for multiple instances
1258           */
1259          for (p = v->name; *p; p++) {
1260  #ifndef CHARSET_EBCDIC
1261              spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
1262  #else
1263              spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
1264                      || (*p == os_toascii['.']));
1265  #endif
1266              if (spec_char) {
1267                  p++;
1268                  if (*p)
1269                      type = p;
1270                  break;
1271              }
1272          }
1273  #ifndef CHARSET_EBCDIC
1274          plus_char = (*type == '+');
1275  #else
1276          plus_char = (*type == os_toascii['+']);
1277  #endif
1278          if (plus_char) {
1279              type++;
1280              mval = -1;
1281          } else {
1282              mval = 0;
1283          }
1284          if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
1285                                          (unsigned char *)v->value, -1, -1,
1286                                          mval))
1287              return 0;
1288  
1289      }
1290  
1291      if (!X509_NAME_entry_count(subj)) {
1292          BIO_printf(bio_err, "error, no objects specified in config file\n");
1293          return 0;
1294      }
1295      if (attribs) {
1296          for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
1297              v = sk_CONF_VALUE_value(attr_sk, i);
1298              if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
1299                                             (unsigned char *)v->value, -1))
1300                  return 0;
1301          }
1302      }
1303      return 1;
1304  }
1305  
add_DN_object(X509_NAME * n,char * text,const char * def,char * value,int nid,int n_min,int n_max,unsigned long chtype,int mval)1306  static int add_DN_object(X509_NAME *n, char *text, const char *def,
1307                           char *value, int nid, int n_min, int n_max,
1308                           unsigned long chtype, int mval)
1309  {
1310      int ret = 0;
1311      char buf[1024];
1312  
1313      ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
1314                       "DN value", "DN default");
1315      if ((ret == 0) || (ret == 1))
1316          return ret;
1317      ret = 1;
1318  
1319      if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
1320                                      (unsigned char *)buf, -1, -1, mval))
1321          ret = 0;
1322  
1323      return ret;
1324  }
1325  
add_attribute_object(X509_REQ * req,char * text,const char * def,char * value,int nid,int n_min,int n_max,unsigned long chtype)1326  static int add_attribute_object(X509_REQ *req, char *text, const char *def,
1327                                  char *value, int nid, int n_min,
1328                                  int n_max, unsigned long chtype)
1329  {
1330      int ret = 0;
1331      char buf[1024];
1332  
1333      ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
1334                       "Attribute value", "Attribute default");
1335      if ((ret == 0) || (ret == 1))
1336          return ret;
1337      ret = 1;
1338  
1339      if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
1340                                     (unsigned char *)buf, -1)) {
1341          BIO_printf(bio_err, "Error adding attribute\n");
1342          ERR_print_errors(bio_err);
1343          ret = 0;
1344      }
1345  
1346      return ret;
1347  }
1348  
1349  
build_data(char * text,const char * def,char * value,int n_min,int n_max,char * buf,const int buf_size,const char * desc1,const char * desc2)1350  static int build_data(char *text, const char *def,
1351                           char *value, int n_min, int n_max,
1352                           char *buf, const int buf_size,
1353                           const char *desc1, const char *desc2
1354                           )
1355  {
1356      int i;
1357   start:
1358      if (!batch)
1359          BIO_printf(bio_err, "%s [%s]:", text, def);
1360      (void)BIO_flush(bio_err);
1361      if (value != NULL) {
1362          if (!join(buf, buf_size, value, "\n", desc1))
1363              return 0;
1364          BIO_printf(bio_err, "%s\n", value);
1365      } else {
1366          buf[0] = '\0';
1367          if (!batch) {
1368              if (!fgets(buf, buf_size, stdin))
1369                  return 0;
1370          } else {
1371              buf[0] = '\n';
1372              buf[1] = '\0';
1373          }
1374      }
1375  
1376      if (buf[0] == '\0')
1377          return 0;
1378      if (buf[0] == '\n') {
1379          if ((def == NULL) || (def[0] == '\0'))
1380              return 1;
1381          if (!join(buf, buf_size, def, "\n", desc2))
1382              return 0;
1383      } else if ((buf[0] == '.') && (buf[1] == '\n')) {
1384          return 1;
1385      }
1386  
1387      i = strlen(buf);
1388      if (buf[i - 1] != '\n') {
1389          BIO_printf(bio_err, "weird input :-(\n");
1390          return 0;
1391      }
1392      buf[--i] = '\0';
1393  #ifdef CHARSET_EBCDIC
1394      ebcdic2ascii(buf, buf, i);
1395  #endif
1396      if (!req_check_len(i, n_min, n_max)) {
1397          if (batch || value)
1398              return 0;
1399          goto start;
1400      }
1401      return 2;
1402  }
1403  
req_check_len(int len,int n_min,int n_max)1404  static int req_check_len(int len, int n_min, int n_max)
1405  {
1406      if ((n_min > 0) && (len < n_min)) {
1407          BIO_printf(bio_err,
1408                     "string is too short, it needs to be at least %d bytes long\n",
1409                     n_min);
1410          return 0;
1411      }
1412      if ((n_max >= 0) && (len > n_max)) {
1413          BIO_printf(bio_err,
1414                     "string is too long, it needs to be no more than %d bytes long\n",
1415                     n_max);
1416          return 0;
1417      }
1418      return 1;
1419  }
1420  
1421  /* Check if the end of a string matches 'end' */
check_end(const char * str,const char * end)1422  static int check_end(const char *str, const char *end)
1423  {
1424      size_t elen, slen;
1425      const char *tmp;
1426  
1427      elen = strlen(end);
1428      slen = strlen(str);
1429      if (elen > slen)
1430          return 1;
1431      tmp = str + slen - elen;
1432      return strcmp(tmp, end);
1433  }
1434  
1435  /*
1436   * Merge the two strings together into the result buffer checking for
1437   * overflow and producing an error message if there is.
1438   */
join(char buf[],size_t buf_size,const char * name,const char * tail,const char * desc)1439  static int join(char buf[], size_t buf_size, const char *name,
1440                  const char *tail, const char *desc)
1441  {
1442      const size_t name_len = strlen(name), tail_len = strlen(tail);
1443  
1444      if (name_len + tail_len + 1 > buf_size) {
1445          BIO_printf(bio_err, "%s '%s' too long\n", desc, name);
1446          return 0;
1447      }
1448      memcpy(buf, name, name_len);
1449      memcpy(buf + name_len, tail, tail_len + 1);
1450      return 1;
1451  }
1452  
set_keygen_ctx(const char * gstr,int * pkey_type,long * pkeylen,char ** palgnam,ENGINE * keygen_engine)1453  static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
1454                                      int *pkey_type, long *pkeylen,
1455                                      char **palgnam, ENGINE *keygen_engine)
1456  {
1457      EVP_PKEY_CTX *gctx = NULL;
1458      EVP_PKEY *param = NULL;
1459      long keylen = -1;
1460      BIO *pbio = NULL;
1461      const char *paramfile = NULL;
1462  
1463      if (gstr == NULL) {
1464          *pkey_type = EVP_PKEY_RSA;
1465          keylen = *pkeylen;
1466      } else if (gstr[0] >= '0' && gstr[0] <= '9') {
1467          *pkey_type = EVP_PKEY_RSA;
1468          keylen = atol(gstr);
1469          *pkeylen = keylen;
1470      } else if (strncmp(gstr, "param:", 6) == 0) {
1471          paramfile = gstr + 6;
1472      } else {
1473          const char *p = strchr(gstr, ':');
1474          int len;
1475          ENGINE *tmpeng;
1476          const EVP_PKEY_ASN1_METHOD *ameth;
1477  
1478          if (p != NULL)
1479              len = p - gstr;
1480          else
1481              len = strlen(gstr);
1482          /*
1483           * The lookup of a the string will cover all engines so keep a note
1484           * of the implementation.
1485           */
1486  
1487          ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
1488  
1489          if (ameth == NULL) {
1490              BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
1491              return NULL;
1492          }
1493  
1494          EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
1495  #ifndef OPENSSL_NO_ENGINE
1496          ENGINE_finish(tmpeng);
1497  #endif
1498          if (*pkey_type == EVP_PKEY_RSA) {
1499              if (p != NULL) {
1500                  keylen = atol(p + 1);
1501                  *pkeylen = keylen;
1502              } else {
1503                  keylen = *pkeylen;
1504              }
1505          } else if (p != NULL) {
1506              paramfile = p + 1;
1507          }
1508      }
1509  
1510      if (paramfile != NULL) {
1511          pbio = BIO_new_file(paramfile, "r");
1512          if (pbio == NULL) {
1513              BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
1514              return NULL;
1515          }
1516          param = PEM_read_bio_Parameters(pbio, NULL);
1517  
1518          if (param == NULL) {
1519              X509 *x;
1520  
1521              (void)BIO_reset(pbio);
1522              x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
1523              if (x != NULL) {
1524                  param = X509_get_pubkey(x);
1525                  X509_free(x);
1526              }
1527          }
1528  
1529          BIO_free(pbio);
1530  
1531          if (param == NULL) {
1532              BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
1533              return NULL;
1534          }
1535          if (*pkey_type == -1) {
1536              *pkey_type = EVP_PKEY_id(param);
1537          } else if (*pkey_type != EVP_PKEY_base_id(param)) {
1538              BIO_printf(bio_err, "Key Type does not match parameters\n");
1539              EVP_PKEY_free(param);
1540              return NULL;
1541          }
1542      }
1543  
1544      if (palgnam != NULL) {
1545          const EVP_PKEY_ASN1_METHOD *ameth;
1546          ENGINE *tmpeng;
1547          const char *anam;
1548  
1549          ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
1550          if (ameth == NULL) {
1551              BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
1552              return NULL;
1553          }
1554          EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
1555          *palgnam = OPENSSL_strdup(anam);
1556  #ifndef OPENSSL_NO_ENGINE
1557          ENGINE_finish(tmpeng);
1558  #endif
1559      }
1560  
1561      if (param != NULL) {
1562          gctx = EVP_PKEY_CTX_new(param, keygen_engine);
1563          *pkeylen = EVP_PKEY_bits(param);
1564          EVP_PKEY_free(param);
1565      } else {
1566          gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
1567      }
1568  
1569      if (gctx == NULL) {
1570          BIO_puts(bio_err, "Error allocating keygen context\n");
1571          ERR_print_errors(bio_err);
1572          return NULL;
1573      }
1574  
1575      if (EVP_PKEY_keygen_init(gctx) <= 0) {
1576          BIO_puts(bio_err, "Error initializing keygen context\n");
1577          ERR_print_errors(bio_err);
1578          EVP_PKEY_CTX_free(gctx);
1579          return NULL;
1580      }
1581  #ifndef OPENSSL_NO_RSA
1582      if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
1583          if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
1584              BIO_puts(bio_err, "Error setting RSA keysize\n");
1585              ERR_print_errors(bio_err);
1586              EVP_PKEY_CTX_free(gctx);
1587              return NULL;
1588          }
1589      }
1590  #endif
1591  
1592      return gctx;
1593  }
1594  
genpkey_cb(EVP_PKEY_CTX * ctx)1595  static int genpkey_cb(EVP_PKEY_CTX *ctx)
1596  {
1597      char c = '*';
1598      BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
1599      int p;
1600      p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
1601      if (p == 0)
1602          c = '.';
1603      if (p == 1)
1604          c = '+';
1605      if (p == 2)
1606          c = '*';
1607      if (p == 3)
1608          c = '\n';
1609      BIO_write(b, &c, 1);
1610      (void)BIO_flush(b);
1611      return 1;
1612  }
1613  
do_sign_init(EVP_MD_CTX * ctx,EVP_PKEY * pkey,const EVP_MD * md,STACK_OF (OPENSSL_STRING)* sigopts)1614  static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
1615                          const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
1616  {
1617      EVP_PKEY_CTX *pkctx = NULL;
1618      int i, def_nid;
1619  
1620      if (ctx == NULL)
1621          return 0;
1622      /*
1623       * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory
1624       * for this algorithm.
1625       */
1626      if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
1627              && def_nid == NID_undef) {
1628          /* The signing algorithm requires there to be no digest */
1629          md = NULL;
1630      }
1631      if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
1632          return 0;
1633      for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
1634          char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
1635          if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
1636              BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
1637              ERR_print_errors(bio_err);
1638              return 0;
1639          }
1640      }
1641      return 1;
1642  }
1643  
do_X509_sign(X509 * x,EVP_PKEY * pkey,const EVP_MD * md,STACK_OF (OPENSSL_STRING)* sigopts)1644  int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
1645                   STACK_OF(OPENSSL_STRING) *sigopts)
1646  {
1647      int rv;
1648      EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1649  
1650      rv = do_sign_init(mctx, pkey, md, sigopts);
1651      if (rv > 0)
1652          rv = X509_sign_ctx(x, mctx);
1653      EVP_MD_CTX_free(mctx);
1654      return rv > 0 ? 1 : 0;
1655  }
1656  
do_X509_REQ_sign(X509_REQ * x,EVP_PKEY * pkey,const EVP_MD * md,STACK_OF (OPENSSL_STRING)* sigopts)1657  int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
1658                       STACK_OF(OPENSSL_STRING) *sigopts)
1659  {
1660      int rv;
1661      EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1662      rv = do_sign_init(mctx, pkey, md, sigopts);
1663      if (rv > 0)
1664          rv = X509_REQ_sign_ctx(x, mctx);
1665      EVP_MD_CTX_free(mctx);
1666      return rv > 0 ? 1 : 0;
1667  }
1668  
do_X509_CRL_sign(X509_CRL * x,EVP_PKEY * pkey,const EVP_MD * md,STACK_OF (OPENSSL_STRING)* sigopts)1669  int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
1670                       STACK_OF(OPENSSL_STRING) *sigopts)
1671  {
1672      int rv;
1673      EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1674      rv = do_sign_init(mctx, pkey, md, sigopts);
1675      if (rv > 0)
1676          rv = X509_CRL_sign_ctx(x, mctx);
1677      EVP_MD_CTX_free(mctx);
1678      return rv > 0 ? 1 : 0;
1679  }
1680